Misguided call for a 7-Zip boycott brings attention to FOSS archiving tools
It's good to highlight some alternatives, but security issues are overblown
Analysis A blog post calling for a boycott of the well-known 7-Zip compression app is attracting some discussion on Reddit.
However, it seems criticism for Igor Pavlov and his FOSS compression app 7-Zip is somewhat overblown and may reflect the anti-Russian sentiment of the times.
7-Zip has been around since 1999 and during that two-decade span there have been more widely used Windows compression tools (WinZip and WinRAR, in particular) they are shareware, so try-before-you-buy versus free.
There's absolutely nothing wrong with the shareware model. It has been around longer than the modern FOSS ecosystem, and there are some excellent shareware tools. However, a lot of people aren't really trying before a potential purchase: they never intend to pay. And if that's the case, then you might as well use free software and avoid nag screens.
Let's dissect the critical points around 7-Zip. The blogger, identified only as Paul, claims that 7-Zip isn't really open source because the code isn't on "Github, Gitlab, nor any public code hosting". That is not a requirement of the open source definition. 7-Zip's source is available on Sourceforge and is licensed under the GNU Lesser GPL.
- SpiralLinux: Anonymous creator of GeckoLinux puts out new Debian remix
- Only Microsoft can give open-source the gift of NTFS. Only Microsoft needs to
- 'Now' would be the right time to patch Ubuntu container hosts and ditch 21.04 thanks to heap buffer overflow bug
- The year ahead in technology fail: You knew they were bad, now they're going to prove it
There is no need to use Git source code management if you don't need it. Git's a complicated tool, which is why Linus Torvalds gave it the name: it's British English for a hostile or uncooperative person. 7-Zip has a single author, Igor Pavlov, and if he doesn't want to use Git, The Reg FOSS desk doesn't blame him. The author has used Git professionally for many years, cordially loathes it, and strongly suspects he is not alone in this.
As evidence of the difficulty of building 7-Zip from source, "Paul" links to a discussion from 2010. The counter-evidence that it's possible is that there is at least one fork of 7-Zip out there: NanaZip, which claims better Windows 10/11 integration.
"Paul" also points out to security vulnerabilities in the app. This is true, it occasionally does have some, as the Reg has discussed in the past. The latest one is described mostly in Turkish, but discussion on HackerNews suggests it is somewhat arcane, and whether it allows privilege escalation is disputed.
To its credit, the blog also points out some alternatives to 7-Zip, including its Nanazip fork and the FreePascal-based PeaZip.
PeaZip does have a significant bonus for Linux users: it boasts a full GUI, whereas 7-Zip only provides command-line tools for Linux. We installed the Flatpak package to have a look, and while it works fine, it does pull in a whopping two-thirds of a gigabyte of KDE dependencies to do it, so for now, we'll stick to Engrampa.
Nix Sanctuary also condemns 7-Zip simply because it is Russian, due to the ongoing invasion of Ukraine. We certainly have sympathy for that: the Reg FOSS desk is relatively close, in purely geographical terms. Russian developers with professional GitHub accounts already face sanctions, and of course there have been other anti-war actions on the site. Without evidence of any personal complicity from Gospodin Pavlov, that seems a step too far for us.
We suspect that Nix Sanctuary may invoke the Streisand Effect on 7-Zip, which for now will remain the Reg Zip-management tool of choice on Windows. ®
- Advanced persistent threat
- Black Hat
- Bug Bounty
- Common Vulnerability Scoring System
- Cybersecurity and Infrastructure Security Agency
- Cybersecurity Information Sharing Act
- Data Breach
- Data Protection
- Data Theft
- Digital certificate
- Identity Theft
- Kenna Security
- Palo Alto Networks
- Remote Access Trojan
- RSA Conference
- Trusted Platform Module
- Zero trust