Upcoming Fwupd Linux Firmware Updates to Utilize Zstd Compression

Richard Hughes, the developer and maintainer of Fwupd, recently announced that upcoming versions of the widely used Linux firmware updater, which handles firmware updates for a range of hardware devices on GNU/Linux distributions, will no longer use XZ Utils and will switch to Zstandard (zstd) instead.

The decision to move away from XZ Utils stems from the XZ backdoor, which has led open-source developers to look for an alternative compression utility. For most, the obvious choice appears to be Zstandard (zstd), a lossless data compression algorithm that decompresses faster than XZ.

Zstandard was created by Yann Collet at Facebook. It is recognized not only for its compression speed but also for offering higher compression ratios than XZ. Richard Hughes reports that zstd-compressed fwupd metadata is around 3 percent smaller than its XZ-compressed counterpart.

The main advantage of using Zstandard for fwupd metadata, however, is that developers now place significantly more trust in it than in XZ. This change is only the start; an increasing number of open-source projects are expected to adopt zstd to improve user safety.

“This week we learned that xz wasn’t the kind of thing we want to depend on,” said Richard Hughes. “Out of an abundance of caution (and to be clear — my understanding is there is no fwupd or LVFS security problem of any kind) I’ve switched the LVFS to also generate zstd metadata, make libxmlb no longer hard depend on lzma and switched fwupd to prefer the zstd metadata over the xz metadata.”

Many popular GNU/Linux distributions are already using zstd as the default package compression method for faster installations, including Arch Linux, which adopted the Zstandard method in October 2019 with the release of the Pacman 5.2 package manager and switched from XZ to zstd for all packages in the official repository in January 2020.

In related news, Richard Hughes announced today that he is also considering requiring signed commits for fwupd, in an attempt to prevent supply chain issues like the XZ backdoor. This is still being discussed on the project’s GitHub page.
