Linux Firmware Update Utility Fwupd Will Use Zstd Compression for Future Releases

The devs are also considering enforcing signed commits in an attempt to prevent supply chain issues like the XZ backdoor.
Fwupd 1.5.6

Fwupd developer and maintainer Richard Hughes announced today that future releases of the popular Linux firmware updater used by GNU/Linux distributions to update the firmware of various hardware devices are moving away from XZ Utils and will adopt Zstandard (zstd) instead.

After the XZ backdoor fiasco, open-source developers are looking for an alternative compression utility, and the obvious choice these days is Zstandard (also known as zstd for short), a lossless data compression algorithm that decompresses faster than XZ.

Zstandard was developed by Yann Collet at Facebook. Apart from being known for fast compression, it also provides high compression ratios compared to XZ. According to Richard Hughes, the fwupd metadata compressed with zstd is around 3 percent smaller than the same metadata compressed with XZ.

However, the real benefit of using Zstandard for compressing fwupd metadata is trust: the developers now trust it a lot more than XZ. This is likely just the beginning, as more and more open-source projects will start adopting zstd to protect their users.

“This week we learned that xz wasn’t the kind of thing we want to depend on,” said Richard Hughes. “Out of an abundance of caution (and to be clear — my understanding is there is no fwupd or LVFS security problem of any kind) I’ve switched the LVFS to also generate zstd metadata, made libxmlb no longer hard depend on lzma and switched fwupd to prefer the zstd metadata over the xz metadata.”

Many popular GNU/Linux distributions are already using zstd as the default package compression method for faster installations, including Arch Linux, which adopted the Zstandard method in October 2019 with the release of the Pacman 5.2 package manager and switched from XZ to zstd for all packages in the official repository in January 2020.

In related news, Richard Hughes announced today that he is also considering enforcing signed commits for fwupd in an attempt to prevent supply chain issues like the XZ backdoor. However, this is something that is still being discussed on the project’s GitHub page.
