aarch64 binaries aren't shipped with git support
adriangalilea opened this issue · 9 comments
When running eza --git
I get:
eza: Options --git and --git-ignore can't be used because
git feature was disabled in this build of exa
eza --version
output:
./eza
eza - A modern, maintained replacement for ls
v0.18.21 [-git]
https://github.com/eza-community/eza
Installed from /latest release, version:
wget https://github.com/eza-community/eza/releases/download/v0.18.21/eza_aarch64-unknown-linux-gnu.tar.gz && tar -xzvf eza_aarch64-unknown-linux-gnu.tar.gz && sudo cp eza /usr/local/bin/
Shell: /usr/bin/zsh
Terminal: xterm-kitty
OS:
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
Hardware=Raspberry pi zero 2 w
Seems inherited from: ogham/exa#978
This is because of a security issue with libgit2. We currently aren't aware of a fix to this, and we don't feel comfortable shipping insecure binaries.
That said, it's possible to compile your own version with this flag enabled.
Also I should mention this is aarch64 specific, x86_64 is not affected, and we ship binaries with git enabled.
> This is because of a security issue with libgit2.
Got it, would be great to link to such issue so that when the fix occurs this can be cleared.
There isn't a public issue currently afaik, to avoid bringing awareness to how it can be exploited. Best we got right now is to read the libgit2 release notes and see if there are any mentions of it being solved.
@cafkafk I tried compiling on my raspberry pi zero 2 w and it died, I can't fix it, it's probably related to the swap but I'm running it on 8gb so I can't increase it, I also tried cross compiling it from my mac, and I failed several times at it, so I'm giving up on it until this is fixed.
I don't think this issue should be closed really.
I see, I can keep it open, and then close it when upstream solves it.
Also after thinking about it, I'd rather distribute binaries I've compiled than have other people share potentially malicious binaries. So I've attached the latest builds with libgit2 enabled here.
Aarch64/arm linux binaries
Caution
eza with libgit2 support on aarch64 and arm is insecure!
This isn't an eza issue, but a libgit2 issue, and so our only option (currently) is to wait for upstream to fix it. Using the git feature is thus unsupported and insecure on aarch64/arm, and only provided here as damage control to prevent distribution of potentially unsafe binaries by bad actors.
In general, this is just not supported in any way, no guarantees etc. Don't make these load bearing. Read #1023 (comment). And also, don't make these load bearing. Distros, do not ship these, build them yourself, and inform your users of them being insecure!
eza_aarch64-unknown-linux-gnu.tar.gz
eza_aarch64-unknown-linux-gnu.zip
eza_arm-unknown-linux-gnueabihf.tar.gz
eza_arm-unknown-linux-gnueabihf.zip
These can also be built by running these commands in the eza repo:
just binary eza aarch64-unknown-linux-gnu
just binary eza arm-unknown-linux-gnueabihf
Checksums
> I see, I can keep it open, and then close it when upstream solves it.
Thanks.
just binary eza aarch64-unknown-linux-gnu
rustup target add aarch64-unknown-linux-gnu
info: component 'rust-std' for target 'aarch64-unknown-linux-gnu' is up to date
cross build --release --target aarch64-unknown-linux-gnu
error: error: invalid value '1.77.2_1' for '<toolchain>...': invalid toolchain name: '1.77.2_1'
For more information, try '--help'.
: invalid toolchain name: '1.77.2_1'
Error:
0: couldn't install toolchain `1.77.2_1`
1: `rustup toolchain add 1.77.2_1 --profile minimal` failed with exit status: 1
error: Recipe `binary` failed on line 150 with exit code 1
I may try your binaries next.
EDIT: managed to build it with a bit of help from Claude, many thanks.
I wonder if you'd consider adding this to the releases and just note the insecure part there so any new release also have the binaries, maybe append -git-insecure to the filename or something?
Uhh... okay sure, I'll consider it, feels like upstream is never gonna get to fixing it anyways...
Can you open a separate issue so I don't forget, I won't get to it immediately.
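Added example, not part of the thread and not the eza project's own tooling: the install one-liner in the report copies the extracted binary into /usr/local/bin without checking it, while the maintainer's comment lists checksums for the attached builds. The sketch below installs only when the archive matches an expected SHA-256 and reads the git feature marker from `eza --version`; the function names are hypothetical, and the `[+git]` form of the marker (the page only shows `[-git]`) is an assumption.

```shell
#!/bin/sh
# Added example: verify a release archive before installing the binary.

# Print the SHA-256 of a file as lowercase hex.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Succeed only if FILE hashes to EXPECTED; return 2 on malformed input.
verify_archive() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || return 2
    case $expected in
        ''|*[!0-9a-f]*) return 2 ;;   # empty or not pure hex
    esac
    [ "${#expected}" -eq 64 ] || return 2
    [ "$(sha256_of "$file")" = "$expected" ]
}

# Extract to a scratch directory and install only after the hash matches.
install_verified() {
    archive=$1 want=$2 dest=$3
    verify_archive "$archive" "$want" || {
        echo "refusing to install: checksum mismatch for $archive" >&2
        return 1
    }
    tmp=$(mktemp -d) || return 1
    tar -xzf "$archive" -C "$tmp" && [ -f "$tmp/eza" ] &&
        install -m 0755 "$tmp/eza" "$dest/eza"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# True when `eza --version` text advertises the git feature ([+git]).
has_git_feature() {
    case $1 in
        *'[+git]'*) return 0 ;;
        *) return 1 ;;
    esac
}
```

Call it as `install_verified eza_aarch64-unknown-linux-gnu.tar.gz "$EXPECTED_SHA256" /usr/local/bin`, where `EXPECTED_SHA256` is a placeholder for the value published alongside the archive you downloaded.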