[Klasiaster]

Not turning on standard mitigation techniques because of binary size is one of the strangest reasons I've heard. And then still programming in an unsafe language, quite self-confident for a "humble programmer".

https://www.cs.utexas.edu/~EWD/transcriptions/EWD03xx/EWD340... It has already taught us a few lessons, and the one I have chosen to stress in this talk is the following. We shall do a much better programming job, provided that we approach the task with a full appreciation of its tremendous difficulty, provided that we stick to modest and elegant programming languages, provided that we respect the intrinsic limitations of the human mind and approach the task as Very Humble Programmers.

[withinrafael]

He won't go https, sign his binaries, or enable mark-of-web either. It's strange to see people still playing small binary golf in 2018.

[vocatus_gate]

Oh wow, I always assumed he just defaulted to HTTP version of the site, but HTTPS was an option. But nope, there isn't even a version of the site served over HTTPS. In the year 2018.

[Ajedi32]

Yeah, that's pretty terrible. Seems like the only secure way to get a copy of 7-zip is to install it via Chocolatey or Sourceforge.

[dogma1138]

Since they get theirs from an insecure source it really isnt.

[icebraining]

No, you can get them from the official Sourceforge project over HTTPS: https://sourceforge.net/projects/sevenzip/

[leeter]

Or use a newer toolset than VC6 apparently. Honestly at this point there needs to be an intervention.

[askvictor]

It's open source; feel free to fork.

[leeter]

sigh already downloaded the source, trying to convince myself I need to do this. The code is pretty much pure C++98 along with all the pain that comes with that.

[exikyut]

"Secure 7-Zip" even sounds like a good name.

[rootw0rm]

Agreed.

[chrisper]

Is there a good alternative to 7-zip?

[rurban]

I also lost my trust into zlib recently, given that the current released version is full of bugs, and the current master is written horribly. Not as bad as openssl, but close. E.g. they are still using K&R sigs, wrong casts, and have several copy&paste bugs which you only detect with a stricter c++ compiler.

[Hello71]

for just decompression, unarchiver has free software implementation of unrar. for compression, use command line (tar -J, zip, whatever) or file roller.

[nbsd4lyfe]

Libarchive (sometimes known as bsdtar) supports 7z with an independent implementation.

[pmorici]

I think he means an open source unarchiver that works on windows. Obviously Linux and bad have tar/gz/bz2 etc

[askvictor]

What are your criteria? I moved to Bandizip a few months back and it covers all of my requirements quite well.

[skrowl]

PeaZip is pretty good and is FOSS

[mmozeiko]

> PeaZip is free file archiver utility, based on Open Source technologies of 7-Zip, p7zip, FreeArc, PAQ, and PEA projects.

It seems to use 7-Zip and/or p7zip binaries.

[skrowl]

p7zip was also patched. 18.00 doesn't have the bug, but it looks like Peazip hasn't been updated with it.

I'm not sure what other FOSS alternative to use. BandiZip is free (as in beer) but doesn't seem to have an update since Sept, so if it uses p7zip under the hood for 7z, it's also vulnerable.

[userbinator]

On the other hand, Dijkstra also has this quote which suggests he is not too fond of "mitigation" either:

"If you want more effective programmers, you will discover that they should not waste their time debugging, they should not introduce the bugs to start with."

[Klasiaster]

Yes, that's why the quote was already suggesting to use better languages, but mainly it's about attitude and being aware that things go wrong, so you should turn on what you can you responsibly decided to stick to C.