[Zlib-devel] zlib and LZMA

Greg Roelofs newt at pobox.com
Mon Jul 17 14:51:49 EDT 2006


> Good point.  However I wonder if the whole secrecy thing really works
> anyway.  The zlib security vulnerabilities were posted initially on
> publicly available forums.

It's an issue that's actively debated, and there are intelligent people
on both sides.  And either side might bend a bit depending on the scale
of the vulnerability.  zlib is possibly the biggest software monoculture
in the world right now (recall that it's included both in Windows and
in the Linux kernel, not to mention thousands of apps), so I personally
would tend to err on the side of caution.  But I agree with the
full-disclosure folks that long embargoes help no one but lazy proprietary
vendors...  Somewhere between one week and one month might be reasonable.
YMMV.

> We will not be using the current LZMA SDK.  We will be working with
> Igor on the code and license we will actually be using in zlib.

Ah, very good.

>> I think you need to be a little careful about the ramifications.

> Indeed.  I expect that these sorts of discussions will be more work
> than the actual development and integration of the code ...

That is usually the case, yes. :-(

Greg
