Message-ID: <01cfb4da-366a-48ef-a83d-15f350a762ed@vk4msl.com>
Date: Sun, 31 Mar 2024 11:59:28 +1000
Subject: Re: XZ force downgrade led to removal of many packages
To: noloader@gmail.com
Cc: Ralf Mardorf, "~alpine/users@lists.alpinelinux.org" <~alpine/users@lists.alpinelinux.org>
From: Stuart Longland VK4MSL

On 31/3/24 10:48, Jeffrey Walton wrote:
>> If possible. Now, if you're running 3.19, according to
>> pkgs.alpinelinux.org, the latest release of xz is 5.4.5:
>>
>> https://pkgs.alpinelinux.org/packages?name=xz*&branch=v3.19&repo=&arch=&maintainer=
> Jia Tan started contributing to xz circa the development version 5.3.
> To get untainted code, you have to go back to version 5.2. But rolling
> back to version 5.2 means ABI and symbol breaks. If you don't want to
> go back to 5.2, then it means you have to audit over 700 commits in
> xz. Also see.

Exactly, which is why those of us who are unable to assist in that audit should wait before rushing off to do things. To quote that link:

> Note that reverting to such an old version will break packages that use
> new symbols introduced since then. From a quick look, this is at least:
> - dpkg
> - erofs-utils
> - kmod
>
> Having dpkg in that list means that such a downgrade has to be planned
> carefully.

If I check `kmod` on Alpine Linux:

> gapmx:~# ldd /bin/kmod
>         /lib/ld-musl-x86_64.so.1 (0x7f5dbc5ab000)
>         libzstd.so.1 => /usr/lib/libzstd.so.1 (0x7f5dbc4db000)
>         liblzma.so.5 => /usr/lib/liblzma.so.5 (0x7f5dbc4a4000)
>         libz.so.1 => /lib/libz.so.1 (0x7f5dbc48a000)
>         libcrypto.so.3 => /lib/libcrypto.so.3 (0x7f5dbc000000)
>         libc.musl-x86_64.so.1 => /lib/ld-musl-x86_64.so.1 (0x7f5dbc5ab000)

The same "careful planning" applies here too.

-- 
Stuart Longland (aka Redhatter, VK4MSL)

I haven't lost my mind...
   ...it's backed up on a tape somewhere.
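
The `ldd` output in the message above shows only that `kmod` links against liblzma. As an added example (not part of the original message and not Alpine tooling), the script below takes the check one step further and lists the `lzma_*` symbols a binary imports that an older liblzma would not export. The `nm` listings, addresses and function names are constructed for illustration, including which symbol the older library lacks.

```shell
#!/bin/sh
# Added example. On a live system the two listings would come from binutils:
#   nm -D --undefined-only /bin/kmod
#   nm -D --defined-only   /path/to/older/liblzma.so.5
# Both are replaced here by constructed samples so the script runs offline.

# Constructed sample: dynamic symbols a binary imports.
sample_imports() {
cat <<'EOF'
                 U ZSTD_decompress
                 U lzma_code
                 U lzma_end
                 U lzma_stream_decoder_mt
                 U malloc
EOF
}

# Constructed sample: symbols exported by the older candidate library.
sample_old_exports() {
cat <<'EOF'
0000000000004a10 T lzma_code
0000000000004f30 T lzma_end
0000000000009c40 T lzma_stream_decoder
EOF
}

# Print the lzma_* symbols imported by the binary that the older library
# does not export. $1 = import listing file, $2 = export listing file.
missing_lzma_symbols() {
    awk '
        NF < 2 { next }                      # skip blank or malformed lines
        { type = $(NF-1); name = $NF; sub(/@.*/, "", name) }  # drop @VERSION
        NR == FNR { if (type ~ /^[TWDB]$/) have[name] = 1; next }  # exports
        type == "U" && name ~ /^lzma_/ && !(name in have) { print name }
    ' "$2" "$1" | sort -u
}

# Run the check on the constructed samples.
check_sample() {
    tmp=$(mktemp -d) || return 1
    sample_imports > "$tmp/imports"
    sample_old_exports > "$tmp/exports"
    missing_lzma_symbols "$tmp/imports" "$tmp/exports"
    rm -rf "$tmp"
}

check_sample
```

A non-empty result means the binary cannot resolve those symbols against the older library, so it has to be rebuilt or downgraded together with it.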