Hello Security Team,
On 11/02/2026 13:22, Sylvain Beucler wrote:
On 25/01/2026 12:51, Sylvain Beucler wrote:
On 25/01/2026 01:51, yokota wrote:
You can add more patches so that the newer 7zip mimics the older p7zip.
The 7zip text output can be found in the "CPP/7zip/UI/Console/*" files.
Patch the 7zip code to output the same text as p7zip.
Overall we're leaning towards a different, smoother kind of
transition, where 'p7zip' would remain the 'p7zip' package, but really
would be a minimally-patched, recent '7zip' under the hood.
That might just work.
I've been busy but I'm progressing a bit on this transition.
For bookworm: I considered backporting 7zip-v25/trixie, but the recent
changes mentioned by yokota are quite invasive (ASM support, dh-exec
dependency, but also new binary packages and move to /usr/lib/7z/).
Instead, I imported upstream v25 on top of 7zip-v22/bookworm, and sync'd
most trixie patches.
With this approach, debdiff to either bookworm or trixie is noisy, so
I'm pointing to a few very simple commits for review:
https://salsa.debian.org/beuc/7zip/-/commits/debian/bookworm
mainly:
changelog https://salsa.debian.org/beuc/7zip/-/commit/ee7c3a4d977daca59c71bd47e7cf2383ba33590e
patch sync https://salsa.debian.org/beuc/7zip/-/commit/9c05fc10a5b3e09484b1c7413f094ba4f739b9b1
If this sounds good, I intend to try the same approach with p7zip, but
probably next month.
... and this is done!
The updated p7zip is 7zip v25 with 3 compatibility patches (old-style
version output, symlinks default handling with -l support, -[no-]utf16
no-op).
'ark' and 'engrampa' are happy.
The changes (clean commits, as debdiff is too noisy for this backport):
https://salsa.debian.org/beuc/p7zip/-/commits/debian/bookworm
https://salsa.debian.org/beuc/p7zip-rar/-/commits/debian/bookworm
p7zip orig.tar.* are identical to the 7zip ones to ease auditing.
Proposed version scheme:
p7zip-16.02+really25.01+dfsg-0+deb12u1
p7zip-16.02+really25.01+dfsg-0+deb11u1
p7zip-rar-16.02+really25.00+ds-0+deb12u1
p7zip-rar-16.02+really25.00+ds-0+deb11u1
...
Is that OK?
If that's OK with you, I'll submit a bookworm SPU (maybe not for the
upcoming March point release, but for the next one) so we can provide users
an opportunity for testing in bookworm-proposed-updates.
What do you think?
Additional info:
This can easily be backported down to stretch:
https://salsa.debian.org/beuc/p7zip/-/pipelines
https://salsa.debian.org/beuc/p7zip-rar/-/pipelines
(p7zip-rar tests are failing as it requires the new p7zip
but this works in a debusine staging:)
https://debusine.debian.net/debian/developers-beuc-secure7zip/work-request/487491/
I attempted a debusine repository for testing, though non-free is not
available due to various debusine issues; I'll retry from scratch if
there's interest:
https://deb.debusine.debian.net/debian/developers-beuc-secure7zip/
Cheers!
Sylvain Beucler
Debian LTS Team
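
How the proposed version strings order under Debian's version comparison rules, as an added example (not part of the original message, and a minimal Python re-implementation rather than dpkg's own code). `16.02+dfsg-8` and `25.01+dfsg-1` are constructed sample versions, not taken from the thread.

```python
import re

# Proposed versions from the thread (package-name prefix dropped).
BOOKWORM = "16.02+really25.01+dfsg-0+deb12u1"
BULLSEYE = "16.02+really25.01+dfsg-0+deb11u1"
# Constructed sample versions, not from the thread.
OLD_P7ZIP, PLAIN_V25 = "16.02+dfsg-8", "25.01+dfsg-1"

def _weight(c):
    """dpkg sort weight of one non-digit character; '' is end of string."""
    if c in ("", "~"):
        return 0 if c == "" else -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    """Compare two upstream or revision strings; returns -1, 0 or 1."""
    while a or b:
        # Non-digit runs: letters < other symbols, '~' < end of string.
        ra, rb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(ra):], b[len(rb):]
        for i in range(max(len(ra), len(rb))):
            wa, wb = _weight(ra[i:i + 1]), _weight(rb[i:i + 1])
            if wa != wb:
                return -1 if wa < wb else 1
        # Digit runs: compared as integers, an empty run counts as 0.
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        na, nb = int(da or 0), int(db or 0)
        if na != nb:
            return -1 if na < nb else 1
    return 0

def parse(v):
    """Split [epoch:]upstream[-revision] into (epoch, upstream, revision)."""
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare(v1, v2):
    """Return -1, 0 or 1 as v1 sorts before, equal to or after v2."""
    (e1, u1, r1), (e2, u2, r2) = parse(v1), parse(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_part(u1, u2) or _cmp_part(r1, r2)

def sorted_chain(versions):
    """True if each version sorts strictly before the next one."""
    return all(compare(x, y) < 0 for x, y in zip(versions, versions[1:]))
```

`sorted_chain([OLD_P7ZIP, BULLSEYE, BOOKWORM, PLAIN_V25])` returns `True`: the `+really` strings sort above an old-style 16.02 revision, bullseye sorts below bookworm, and both stay below a plain 25.x upstream version.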