Closed eli-schwartz closed 6 months ago
@eli-schwartz thank you for reporting this issue. I think I have addressed the issue you have reported with PR #147. Please let us know if that PR resolves the issue for you or if you have any other suggestions or input, etc.
Thanks. I tried applying the patches from that PR onto the 1.5.3 release and everything compiled fine.
No more commments in particular (though I guess I am a bit surprised that vcpkg hasn't gone and pinned to say an archive.org copy of the tarball for the version they reverted to).
thanks - i agree that the vcpkg thing is a surprise. I think the XV backdoor issue will probably take some time to resolve since the bad actor may have been contributing for a while. Wired has a long piece on it here https://www.wired.com/story/xz-backdoor-everything-you-need-to-know/
FWIW it may not be as bad as all that. The bad actor has been contributing since 2021 but it's only since the beginning of 2024 or thereabouts that the original author's guard was lowered enough to put these pieces into place. Status updates will be at https://tukaani.org/xz-backdoor/ and indicate we may not have to wait too long...
closed by 7133fc29f4057c9d05415097a10a89fc58ecdaf3
I tried to compile with LTO:
-flto=4 -Werror=odr -Werror=lto-type-mismatch -Werror=strict-aliasing
The -Werror=* flags are important to detect cases where the compiler can try to optimize based on assuming UB cannot happen, and miscompile code that has UB in it. strict-aliasing issues are always bad but LTO can make them even worse.
I got this error:
Downtream report: https://bugs.gentoo.org/926823 Full build log: build.log