The worst part is that WinRAR does not have autoupdate built-in, so millions of people will remain vulnerable for years.



The worst part is to use a closed source proprietary black box software when there are tons of great open source alternatives, such as 7zip or even just plain good old gzip, bzip2, etc.


Just to be clear, 7zip, gzip, bzip2 and others all have their own CVEs with arbitrary code execution. Open source software is not immune from these flaws.

You can argue for your political beliefs, sure, but let's be honest and not claim that there are any security benefits.


Open source does have some security benefits. If billions of (mostly) good people who want to help can read the code, they can find vulnerabilities more easily. Having so many contributors does help.


That is a popular fantasy story. The reality of almost all open source software is that nobody reads the code and the primary author is struggling to find the time to keep up with maintenance.

What's more, doing security review is very hard. You can't just casually read a bit of code. You need to deeply understand the surrounding context. People who have the capability to do that aren't going around providing that service for free.

-- More reading for the curious: https://www.explainxkcd.com/wiki/index.php/2347:_Dependency


Well I'm quite motivated to fix this vulnerability in WinRAR, but I can't.


You can, just download the latest version.


What if the software is abandoned or badly maintained? It took the company until August to fix it; there's the possibility it would have been faster if it were Free software.


There currently is no alternative to the built-in recovery records.


There has been a good open alternative for longer than WinRAR has had recovery records. It's called par files, and there are implementations for Mac/Win/Linux.


Windows is getting native support for rar, 7zip etc. soon. Of course, like Microsoft Defender, it will also have zero days.


Auto-update could allow an attacker to push a malicious update to everyone.


> Given its Russian roots, at this point I'm nervous about updating WinRAR or otherwise continuing to use it. I wish I had a day or two to get 7Zip to build.

If you're worried about backdoors, why did it take until this news for you to change your preference?

Also, 7zip is available prebuilt; you don't need to compile it yourself.


I’ve not been able to find a signed distribution of 7-zip, so I imagine they feel safer building the repo locally to make sure they’re at least not running a compromised .exe (not suggesting the code itself is guaranteed to be virus free, but this does feel safer in my mind).


> I’ve not been able to find a signed distribution of 7-zip

Since when would a signed binary help when your "opsec" says it's the software itself that is compromised?

Software can still be compromised if it is compromised before being signed.

Assuming you somehow trust the source code and not the binary, you're in fact better off compiling it yourself and checking whether the non-signed software you get is similar enough to the binary you can get from others, assuming of course you can actually reach reliable reproducible builds with a Windows build chain, which last time I checked was horrible and flaky.


apt update && apt install 7zip


> 30 million Americans marched in opposition to the Iraq war

And it was illegal. George W. Bush is a war criminal.

