Dreista closed 3 months ago
Thank you for pointing this out! Weird, that v5.2.5 link was from way before the backdoor issue, not sure why it was taken away. I'm switching to GitHub release links (which I prefer over SourceForge), using the 5.4.7 old stable seems safe. Addressed this via b4366c5.
My bad, I just confirmed that the issue is unrelated to the xz incident. I did remember something was taken down from the author's domain, but https://tukaani.org/xz/xz-5.2.5.tar.gz was never hosted on the website directly. It has always been redirected to SourceForge.
An old Wayback Machine record shows that Old versions of XZ Utils redirects the link based on User-Agent (so wget and curl work); however, SourceForge stopped doing that at some point.
The maintainer of the xz project removed this sentence after the change.
To be honest, I was thinking about whether I should change the link to the GitHub release as well, but GitHub releases were added starting with 5.2.10 and I shouldn't bump the version and potentially break things. I should have asked you before making that PR.
The old link no longer works, likely due to the xz backdoor.