by nextaccountic 807 days ago
I would really really really like to see all commits by Jia Tan reverted, not only those currently found to be malicious.

Debian and NixOS (and other distros) are already downgrading or discussing downgrading to versions without those commits.

I think that making a 5.4 or 5.6 release without any of those commits (with stuff reimplemented as needed) would assuage most concerns.

1 comments

Who would do that? The project lacking active contributors is what enabled Jia Tan to get away with it in the first place.
Can’t we migrate to other libraries?
There is a reimplementation of xz here at least https://github.com/gendx/lzma-rs
None of these suggestions actually cover the part where someone or someones do a bunch of bloody work.

Again, this is the problem in the first place.

At least in Debian there's already the inevitable discussion about a supposed opportunity for "finally" moving to zstd. Which to me, frankly, feels a bit like getting out of the frying pan and into the fire, or what I think Arch (yuck) did years ago. That's not because I'm so much into xz. It's kind of funny there's a possible Debian connection, of all things, considering that quite a lot of authorities and services in areas like China, Russia or Iran are recently migrating, for obvious reasons, from Windows/Mac to more or less home-made (~styled) Linux distributions, that just often happen to be based on Debian. I don't think this is too popular in English-speaking countries in particular, but then I really didn't want to chime in on the speculations. ;P
Where is this discussion happening?