Adding YOKOTA Hiroshi, maintainer of the new 7zip & 7zip-rar packages, to
the discussion, as requested by the security team.
What do you think of this proposal, in particular performing the same
p7zip->7zip transition as trixie in earlier, stable releases?
On 17/01/2026 18:28, Sylvain Beucler wrote:
Hello Security Team,
It is currently difficult to support p7zip/p7zip-rar because:
- p7zip is an old unmaintained fork of 7-zip
- 7-zip has an opaque approach to security & development
(security patches hard/impossible to isolate)
This is described more extensively at:
https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/306
The current issues are not critical but they are piling up:
https://security-tracker.debian.org/tracker/source-package/p7zip
https://security-tracker.debian.org/tracker/source-package/p7zip-rar
7-zip is generally supportable by upgrading to new upstream releases:
https://security-tracker.debian.org/tracker/source-package/7zip
https://security-tracker.debian.org/tracker/source-package/7zip-rar
We're pondering whether to:
- EOL p7zip in bookworm and earlier
(possibly patching rdeps to use unar/zip/unrar-free/etc.)
- replace p7zip by 7zip in bookworm and earlier, as in trixie
(and upgrade bookworm's 7zip, also introducing 7zip-rar)
Do you have an opinion on this?
Would you be open to transitioning from p7zip to 7zip in bookworm?
Cheers!
Sylvain Beucler
Debian LTS Team
(Cc: Robert Luberda who previously maintained the p7zip package)