fwupd abandons xz compression for zstd amid security concerns
Following the discovery of malicious code, fwupd, the popular firmware update utility, has decided to transition from xz to zstd compression for its metadata. Richard Hughes, the lead developer behind fwupd, outlined the rationale behind this decision in a recent blog post.
For years, fwupd has relied on compressed metadata to facilitate firmware updates for a wide array of hardware. This metadata, essentially a large XML file, was initially compressed using gzip, resulting in a 1.6MB download for end-users. However, in 2021, the fwupd team switched to xz compression, further reducing the file size to 1.1MB and saving significant bandwidth.
The underlying mechanism involves the libxmlb library, which converts the compressed metadata into a binary blob that fwupd uses to identify new updates for specific hardware. With the introduction of xz support in libxmlb 0.3.3 and subsequently in fwupd 1.8.7, the system favored the xz format over the older gz format.
However, recent developments have cast a shadow over the reliability of xz compression. Hughes mentions that concerns surrounding xz have prompted a reevaluation of its use in fwupd. As a precautionary measure, Hughes has initiated a shift to zstd compression. This change not only addresses security concerns but also offers a slight improvement in compression efficiency, with zstd metadata being approximately 3% smaller and faster to decompress than its xz counterpart.
The transition to zstd involves updating libxmlb to eliminate its hard dependency on lzma (the library behind xz compression) and modifying fwupd to prioritize zstd metadata. Hughes assures users that there is no immediate security threat to fwupd or the Linux Vendor Firmware Service (LVFS) but emphasizes that the move to zstd is a proactive step to ensure the continued security and reliability of the firmware update process.
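To make the two changes concrete (a preference order that puts zstd ahead of xz ahead of gz, and lzma treated as an optional rather than hard dependency), here is a small added example in Python; it is not fwupd or libxmlb code, and the `select_metadata`/`detect_format` names, the `PREFERENCE` order and the sample XML are assumptions for illustration. It also checks each blob's magic bytes against its advertised format, so a mislabelled download is rejected rather than handed to the wrong decompressor.

```python
"""Added example (not fwupd/libxmlb code): choose and verify compressed metadata."""
import gzip
from typing import Callable, Dict, Optional, Tuple

try:
    import lzma  # optional here, mirroring libxmlb dropping its hard lzma dependency
except ImportError:  # pragma: no cover
    lzma = None
try:
    from compression import zstd  # stdlib zstd exists only on Python 3.14+
except ImportError:  # pragma: no cover
    zstd = None

# Magic bytes of the three container formats fwupd metadata has used.
MAGIC = {"gz": b"\x1f\x8b", "xz": b"\xfd7zXZ\x00", "zstd": b"\x28\xb5\x2f\xfd"}
# Assumed preference order after the change: zstd first, then xz, then gz.
PREFERENCE = ("zstd", "xz", "gz")

# Only formats whose library is actually present get a decompressor.
DECOMPRESSORS: Dict[str, Optional[Callable[[bytes], bytes]]] = {
    "gz": gzip.decompress,
    "xz": lzma.decompress if lzma else None,
    "zstd": getattr(zstd, "decompress", None) if zstd else None,
}
COMPRESSORS: Dict[str, Optional[Callable[[bytes], bytes]]] = {
    "gz": gzip.compress,
    "xz": lzma.compress if lzma else None,
}


def compress(fmt: str, data: bytes) -> bytes:
    """Helper for building sample blobs; raises if the format is unavailable."""
    func = COMPRESSORS.get(fmt)
    if func is None:
        raise RuntimeError(f"no compressor for {fmt}")
    return func(data)


def detect_format(blob: bytes) -> Optional[str]:
    """Identify the container by magic bytes, never by file extension."""
    for name, magic in MAGIC.items():
        if blob.startswith(magic):
            return name
    return None


def select_metadata(offered: Dict[str, bytes]) -> Tuple[str, bytes]:
    """Return (format, xml) for the most preferred offered blob we can decode."""
    for fmt in PREFERENCE:
        blob, decomp = offered.get(fmt), DECOMPRESSORS.get(fmt)
        if blob is None or decomp is None:
            continue  # not offered, or library missing: fall back to next format
        if detect_format(blob) != fmt:
            raise ValueError(f"blob advertised as {fmt} lacks {fmt} magic bytes")
        return fmt, decomp(blob)
    raise RuntimeError("no decompressible metadata offered")
```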
Users can expect new releases of libxmlb and fwupd next week, incorporating these changes. This swift response highlights the fwupd team’s commitment to maintaining a secure and efficient firmware update ecosystem. As the tech community continues to navigate the complexities of software security, such proactive measures are vital in safeguarding the integrity of essential utilities like fwupd.