Since I'm looking at the code anyway, I notice that there's a bunch of command execution using qx{} which IIRC is equivalent to backticks, and potentially vulnerable to shell injection. This should probably be replaced with `open` or `system`with arguments passed as an array.
You are right. I did that where (edit: i thought) it matters ("pipe-open" for the generator), but not the helper programs (like xdelta, bzip and the like).
I will do that too.
Rico