Re: [PATCH 11/11] xz: Adjust arch-specific options for better kernel compression

From: Lasse Collin
Date: Wed Apr 03 2024 - 16:00:14 EST

Next message: Andrew Morton: "Re: [PATCH 0/1] kgdb: Handle HAS_IOPORT dependencies"
Previous message: Abhinav Kumar: "Re: [PATCH v3] phy/qcom-qmp-combo: propagate correct return value at phy_power_on()"
Next in thread: Lasse Collin: "Re: [PATCH 11/11] xz: Adjust arch-specific options for better kernel compression"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 2024-03-31 angel.lkml@xxxxxxxxxx wrote:
> Under the light of the recent xz backdoor, I should note that this
> patch (patch 11) does:
>
> > +# Set XZ_VERSION (and LIBLZMA_VERSION). This is needed to disable
> > features +# that aren't available in old XZ Utils versions.
> > +eval "$($XZ --robot --version)" || exit

The eval method has been on the xz man page for a very long time but I
agree that due to the recent events the above method is not ideal.

It can break also if XZ_OPT or XZ_DEFAULTS contains something that they
usually shouldn't. For example, XZ_OPT=--help would make the above eval
method run the output of $XZ --help.

> So, in the spirit of keeping a fair amount of paranoia, and since it
> doesn't do any harm, any such code should be failproofed to ensure it
> can only import the expected shell variables with the right format[3]:
>
> eval "$($XZ --robot --version | grep '^$XZ\|LIBLZMA$_VERSION=[0-9]*$')" || exit

I would rather get rid of eval. I committed the following to the
upstream repository:

XZ_VERSION=$($XZ --robot --version | sed -n 's/^XZ_VERSION=//p') || exit

Thanks!

--
Lasse Collin

Next message: Andrew Morton: "Re: [PATCH 0/1] kgdb: Handle HAS_IOPORT dependencies"
Previous message: Abhinav Kumar: "Re: [PATCH v3] phy/qcom-qmp-combo: propagate correct return value at phy_power_on()"
Next in thread: Lasse Collin: "Re: [PATCH 11/11] xz: Adjust arch-specific options for better kernel compression"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]