Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore: upgrade 7zip binaries (breaking/major semver) #27

Closed
wants to merge 5 commits into from

Conversation

mmaietta
Copy link
Collaborator

@mmaietta mmaietta commented Sep 24, 2024

Upgraded 7-Zip precompiled binaries.
PR version: 24.08
Downloaded from https://www.7-zip.org/download.html, each file is console version
Added license files and updated README

New binaries are 7zz (mac), 7zz/7zzs (linux), and 7za.exe (win)
Removed previous (vulnerable/deprecated) 7za binaries
Fixes: #21 #22 #26 electron-userland/electron-builder#8485

Changed vars and API to represent 7z since it's no longer a 7za binary on mac/linux
SZA_PATH -> SZ_PATH
path7za -> path7z

Bumped major semver release to 6.0.0
See README for updated CLI args in changed API of 7zz -h

@mmaietta
Copy link
Collaborator Author

Tested successfully in electron-builder https://github.com/electron-userland/electron-builder/actions/runs/11018477730

All unit tests passing and the needed changes in upstream app-builder-bin released already (https://github.com/develar/app-builder/releases/tag/v5.0.0-alpha.10)

@develar I think this is ready for review 🙃 Let me know if you'd like me to verify anything else!

@mmaietta mmaietta marked this pull request as ready for review September 24, 2024 17:11
@MengLuoRJ
Copy link

MengLuoRJ commented Oct 4, 2024

Thank you and nice to have this awesome PR, but have some problems about it.

1. Different feature supporting between win and linux/mac binaries.

As this repo inactive for so long, I forked this as 7z-bin and did some update, that figured out the 7za is less feature than 7zz.

So after linux and mac binaries bumped to 7zz, the win binaries still stay on 7za, would make the users and projects meet different availability of feature on different paltform.

7za.exe is a standalone console version of 7-Zip with reduced formats support.

7z.exe / 7zz Supported formats:

  • Packing / unpacking: 7z, XZ, BZIP2, GZIP, TAR, ZIP and WIM.
  • Unpacking only: APFS, AR, ARJ, Base64, CAB, CHM, CPIO, CramFS, DMG, EXT, FAT, GPT, HFS, IHEX, ISO, LZH, LZMA, MBR, MSI, NSIS, NTFS, QCOW2, RAR, RPM, SquashFS, UDF, UEFI, VDI, VHD, VHDX, VMDK, XAR, Z and ZSTD.

7za.exe / 7za Supported formats:

  • Packing / unpacking: 7z, xz, ZIP, GZIP, BZIP2 and TAR
  • Unpacking only: lzma, CAB, ZSTD.

Since p7zip (where linux and mac version of 7za came from) is outdated and no longger maintained, linux and mac have to be bumped to 7zz (new code with all changes from latest 7-Zip for Windows), the win binaries should also be bumped to 7z.exe (within 7z.dll) from 7za.exe to make user of this package to have identical and consistent feature ability.

2. Ship only 7zzs binaries for linux and mac, Don't ship both 7zz and 7zzs.

7zz is standalone console version of 7-Zip (version compiled for dynamic system library linking), and 7zzs is standalone console version of 7-Zip (version compiled with static system library linking). That means 7zzs does not use external shared library (".so") files which did by 7zz, the 7zzs bianries already patched up the deficiency of 7zzs in certain system or environment.
And also in the index.js file, the 7zz and 7zzs never would be both pointed.

3. Don't use 7zr.exe since it only support 7z format
7zr (r = reduced) is a "light-version" of 7za that only handles 7z archives.
So it's as the same with why don't use the 7za, it's less feature that 7zz.

@mmaietta
Copy link
Collaborator Author

mmaietta commented Oct 4, 2024

Great feedback! AFAICT, there's no 7za binaries provided for windows standalone console executable (it's a 7zr.exe).
Screenshot 2024-10-04 at 10 49 46 AM
The other "standalone console" binary download didn't work for me from command line as a console executable from my local testing. Where can I find a windows 7za?

From an electron-builder perspective, we only need support for 7z, not any other packaging formats, which is why I opened the PR with differing binaries per OS. (Not sure how to resolve your comment about different binaries since I can't find any 7zz(s) binaries for windows).

Re: 7zz and 7zzs, I'll give 7zzs a test run with electron-builder's CI.

@mmaietta mmaietta marked this pull request as draft October 4, 2024 17:57
@MengLuoRJ
Copy link

Nice to hear your replay!

These problems I raised up, are beacause of that, this 7zip-bin also is a popular 7-Zip binaries/executables shipping package, been recommaned in some 7-Zip wrapper like node-7z and also some tutorials about 7-Zip usage in Node.js.

So I'm curious about the direction of updates, and if this package would going to full focus on serving electron-builder's usage after this breaking change, it would be nice to have a reminder in README.

For linux and mac version, since the new codes of latest version comes with all changes from latest 7-Zip for Windows, its shipping 7zz and 7zzs are always the full version.

For windows usage, there are three different executables, 7z.exe, 7za.exe and 7zr.exe.

Full version of 7-Zip, the 7z.exe, is contained in installer, so download any one installer(exe type one recommanded) and unpackage it, then can see the readme.txt, License.txt, and we needed command line version, 7z.exe and 7z.dll.
Standalone version of 7-Zip, the 7za.exe, is always distributing by 7-Zip Extra archieve, that 7z2408-extra.7z archieve has the 7za.exe executable we needed, 7za.exe doesn't use external DLL files.

@mmaietta
Copy link
Collaborator Author

mmaietta commented Oct 9, 2024

These problems I raised up, are beacause of that, this 7zip-bin also is a popular 7-Zip binaries/executables shipping package, been recommaned in some 7-Zip wrapper like node-7z and also some tutorials about 7-Zip usage in Node.js.
So I'm curious about the direction of updates, and if this package would going to full focus on serving electron-builder's usage after this breaking change, it would be nice to have a reminder in README.

Ahh that makes sense, alright, then I think we should not proceed with this PR without taking the approach you're suggesting. We need to keep this repo generic for all consumers.

Since linux/mac are both now 7zz, does that mean there's no upgraded windows 7zz.exe or is that the 7za.exe in the 7zip-extra zip?
Screenshot 2024-10-09 at 4 40 25 PM

@MengLuoRJ
Copy link

TL;DR, 7z.exe + 7z.dll is corresponded to the new 7zz/7zzs, they both the full feature version.
And you can still get 7z/7za/7zr version only for win. 7z.exe can be extracted from installers, 7za.exe can be download from 7-Zip Extra package.


The 7-Zip executables was following the naming of 7z/7za/7zr.
But since p7zip was inactive and outdated, new verison of linux/mac package now only ships 7zz/7zzs that using new code with all changes from latest 7-Zip for Window.

That means the new version of linux/mac, is always the full feature version, and no longer having "reduced" or "light" version.

The win version is still standing with 7z.exe/7za.exe/7zr.exe version naming.

FYI,

win console verison:

  • 7z.exe, with 7z.dll, the full feature command line version of 7-Zip, could be extraced from installers.
  • 7za.exe, standalone console version of 7-Zip with reduced formats support, doesn't use external DLL files, and shipping by 7-Zip Extra package.
  • 7zr.exe, "light-version" reduced standalone console version that only handles 7z archives.

linux/mac console version

  • 7zz/7zzs, standalone full version of 7-Zip that supports all formats, by 7-Zip for Linux/macOS, with new code with all changes from latest 7-Zip for Windows. 7zzs was compiled for static library linking, and does not use external shared library (".so") files.
  • 7z, 7za, 7zr, by p7zip package, another port of 7-Zip for Linux (Posix), made by an independent developer, that is now inactive and no longer shipping new versions.

@mmaietta mmaietta closed this Oct 15, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7zip console version security vulnerability 7zip vulnerability Update 7zip bin
2 participants