[gnutls-help] gnutls 3.8.12
Antonio Diaz Diaz
antonio at gnu.org
Wed Feb 11 16:57:05 CET 2026
Alexander Sosedkin wrote:
> We have just released gnutls-3.8.12.
Congratulations on the new release. :-)
> Here are the XZ compressed sources:
Have you considered using any other compressed format? I find it somewhat
odd that a secure communications library is distributed using about the only
format that does not guarantee the integrity of the decompressed data
against decompression errors. See, for example,
http://www.nongnu.org/lzip/xz_inadequate.html#checking . Note that a
cryptographic signature of the compressed file does not protect against
decompression errors caused by faulty RAM or bugs in the decompressor.
Gzip, bzip2, and lzip always check the integrity of the decompressed data,
and therefore would be fine. Zstd may also be adequate in practice because,
even if its integrity checking is optional, I don't know of any zstd
decompressor that does not implement it.
Thanks,
Antonio.
More information about the Gnutls-help
mailing list