aarch64 binaries aren't shipped with git support #1060

Open
adriangalilea opened this issue Jul 16, 2024 · 9 comments
Labels
errors Something isn't working

Comments

adriangalilea commented Jul 16, 2024

When running eza --git I get:

eza: Options --git and --git-ignore can't be used because git feature was disabled in this build of exa

eza --version output:

./eza
eza - A modern, maintained replacement for ls
v0.18.21 [-git]
https://github.com/eza-community/eza

Installed from /latest release, version:

wget https://github.com/eza-community/eza/releases/download/v0.18.21/eza_aarch64-unknown-linux-gnu.tar.gz && tar -xzvf eza_aarch64-unknown-linux-gnu.tar.gz && sudo cp eza /usr/local/bin/

Shell: /usr/bin/zsh
Terminal: xterm-kitty
OS:
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
Hardware=Raspberry pi zero 2 w

Seems inherited from: ogham/exa#978

adriangalilea added the "errors" (Something isn't working) label on Jul 16, 2024

cafkafk (Member) commented Jul 16, 2024

This is because of a security issue with libgit2. We currently aren't aware of a fix to this, and we don't feel comfortable shipping insecure binaries.

That said, it's possible to compile your own version with this flag enabled.

cafkafk closed this as completed on Jul 16, 2024

cafkafk (Member) commented Jul 16, 2024

Also I should mention this is aarch64-specific; x86_64 is not affected, and we ship binaries with git enabled.

cafkafk pinned this issue on Jul 16, 2024
cafkafk changed the title from "bug: eza: Options --git and --git-ignore can't be used because git feature was disabled in this build of exa" to "aarch64 binaries aren't shipped with git support" on Jul 16, 2024

adriangalilea (Author) commented

> This is because of a security issue with libgit2.

Got it, would be great to link to such issue so that when the fix occurs this can be cleared.

cafkafk (Member) commented Jul 16, 2024

> > This is because of a security issue with libgit2.
>
> Got it, would be great to link to such issue so that when the fix occurs this can be cleared.

There isn't a public issue currently afaik, to avoid bringing awareness to how it can be exploited. Best we got right now is to read the libgit2 release notes and see if there are any mentions of it being solved.

adriangalilea (Author) commented

@cafkafk I tried compiling on my Raspberry Pi Zero 2 W and it died, I can't fix it, it's probably related to the swap but I'm running it on 8 GB so I can't increase it. I also tried cross-compiling it from my Mac, and I failed several times at it, so I'm giving up on it until this is fixed.

I don't think this issue should be closed really.

cafkafk (Member) commented Jul 17, 2024

> @cafkafk I tried compiling on my Raspberry Pi Zero 2 W and it died, I can't fix it, it's probably related to the swap but I'm running it on 8 GB so I can't increase it. I also tried cross-compiling it from my Mac, and I failed several times at it, so I'm giving up on it until this is fixed.
>
> I don't think this issue should be closed really.

I see, I can keep it open, and then close it when upstream solves it.

Also after thinking about it, I'd rather distribute binaries I've compiled than have other people share potentially malicious binaries. So I've attached the latest builds with libgit2 enabled here.


Aarch64/arm linux binaries

Caution

eza with libgit2 support on aarch64 and arm is insecure!

This isn't an eza issue, but a libgit2 issue, and so our only option (currently) is to wait for upstream to fix it. Using the git feature is thus unsupported and insecure on aarch64/arm, and only provided here as damage control to prevent distribution of potentially unsafe binaries by bad actors.

In general, this is just not supported in any way, no guarantees etc. Don't make these load bearing. Read #1023 (comment). And also, don't make these load bearing. Distros, do not ship these, build them yourself, and inform your users of them being insecure!

eza_aarch64-unknown-linux-gnu.tar.gz
eza_aarch64-unknown-linux-gnu.zip
eza_arm-unknown-linux-gnueabihf.tar.gz
eza_arm-unknown-linux-gnueabihf.zip

These can also be built by running these commands in the eza repo:

just binary eza aarch64-unknown-linux-gnu
just binary eza arm-unknown-linux-gnueabihf

Checksums

sha256sum

3e478231c8007feaa4eb459f099eb549115404f24df25a419fb404c2801c8048  ./target/bin-0.18.21/eza_aarch64-unknown-linux-gnu.tar.gz
3259b85cfa31d1f0fc3682c718cf501fdbaa56c97212c8bebe7fe5eff0d2c92b  ./target/bin-0.18.21/eza_aarch64-unknown-linux-gnu.zip
0020907556199b231b6bd75810e88a093605a9a422db302dc45dccc8db89d001  ./target/bin-0.18.21/eza_arm-unknown-linux-gnueabihf.tar.gz
3c059d2c2d0e020ae1bf850f38f50819005f91001005881ec33695f0f4031b9f  ./target/bin-0.18.21/eza_arm-unknown-linux-gnueabihf.zip

md5sum

cbbc021b5adb1d29b83d020fd99f567d  ./target/bin-0.18.21/eza_aarch64-unknown-linux-gnu.tar.gz
681580b6cc50e13af1c6cfe655e7296f  ./target/bin-0.18.21/eza_aarch64-unknown-linux-gnu.zip
56bdd81fdaeb87bda93f97b6f002cd46  ./target/bin-0.18.21/eza_arm-unknown-linux-gnueabihf.tar.gz
8752def0d0db61fadb3d8bfdc602af08  ./target/bin-0.18.21/eza_arm-unknown-linux-gnueabihf.zip

blake3sum

08674cdf4336165bf6caf44a5c614422b61eb42b7a96b556901e1a1731c8f470  ./target/bin-0.18.21/eza_aarch64-unknown-linux-gnu.tar.gz
341e4c02df2201ce68c97f519869e868572241e1babb27bcf159a008fd423b24  ./target/bin-0.18.21/eza_aarch64-unknown-linux-gnu.zip
58b5453196831d18794b664035566ad128130a8404836f9b6d16bec3e86b0636  ./target/bin-0.18.21/eza_arm-unknown-linux-gnueabihf.tar.gz
bce1af14a63622567ed5ae939a3bcc767529b939787e88c5a3b4be043e36ce69  ./target/bin-0.18.21/eza_arm-unknown-linux-gnueabihf.zip

cafkafk reopened this on Jul 17, 2024
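
Added example, not part of the thread and not the eza project's own tooling: checking a downloaded archive against a sha256sum-format listing like the one above before installing it. The listed paths carry a build-directory prefix (`./target/bin-0.18.21/`), so a plain `sha256sum -c` would not find the file next to the download; the helper matches on the basename instead. The function names are hypothetical, GNU `sha256sum` and `awk` are assumed, and `[+git]` is assumed to be the enabled counterpart of the `[-git]` marker shown in the issue.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helper names): verify before extract/install.

# expected_sha256 MANIFEST FILE
# Print the digest the manifest records for FILE. Manifest paths are reduced
# to their basename, so "./target/bin-0.18.21/<name>" matches "<name>".
# Fails when the name is missing or listed more than once.
expected_sha256() {
    local manifest=$1 name
    name=$(basename -- "$2")
    awk -v want="$name" '
        # sha256sum line: 64 hex digits, then the path (optionally "*"-prefixed)
        $1 ~ /^[0-9a-f]+$/ && length($1) == 64 {
            path = $2; sub(/^\*/, "", path); sub(/^.*\//, "", path)
            if (path == want) { digest = $1; hits++ }
        }
        END { if (hits == 1) print digest; else exit 1 }
    ' "$manifest"
}

# verify_archive MANIFEST FILE
# Returns 0 only when FILE's SHA-256 equals the manifest entry,
# 1 on a digest mismatch, 2 when the manifest has no unique entry.
verify_archive() {
    local want got
    want=$(expected_sha256 "$1" "$2") || { echo "no unique entry for $2" >&2; return 2; }
    got=$(sha256sum -- "$2" | awk '{print $1}')
    [ "$got" = "$want" ] || { echo "checksum mismatch for $2" >&2; return 1; }
}

# git_feature VERSION_OUTPUT
# Reads the feature marker from `eza --version` text. "[-git]" (as in this
# issue) means built without libgit2; "[+git]" is assumed to mean built with it.
git_feature() {
    case $1 in
        *'[+git]'*) echo enabled ;;
        *'[-git]'*) echo disabled ;;
        *) echo unknown; return 1 ;;
    esac
}
```

With the listing saved to a file (here a hypothetical `SHA256SUMS`), run `verify_archive SHA256SUMS eza_aarch64-unknown-linux-gnu.tar.gz` and only extract and copy the binary when it returns 0; `git_feature "$(eza --version)"` then confirms which build ended up installed.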
adriangalilea (Author) commented Jul 17, 2024

> I see, I can keep it open, and then close it when upstream solves it.

Thanks.

just binary eza aarch64-unknown-linux-gnu

rustup target add aarch64-unknown-linux-gnu
info: component 'rust-std' for target 'aarch64-unknown-linux-gnu' is up to date
cross build --release --target aarch64-unknown-linux-gnu
error: error: invalid value '1.77.2_1' for '<toolchain>...': invalid toolchain name: '1.77.2_1'

For more information, try '--help'.
: invalid toolchain name: '1.77.2_1'
Error: 
   0: couldn't install toolchain `1.77.2_1`
   1: `rustup toolchain add 1.77.2_1 --profile minimal` failed with exit status: 1
error: Recipe `binary` failed on line 150 with exit code 1

I may try your binaries next.

EDIT: managed to build it with a bit of help from Claude, many thanks.

hanoii commented Sep 12, 2024

I wonder if you'd consider adding this to the releases and just note the insecure part there so any new release also has the binaries, maybe append -git-insecure to the filename or something?

cafkafk (Member) commented Sep 12, 2024

Uhh... okay sure, I'll consider it, feels like upstream is never gonna get to fixing it anyways...

Can you open a separate issue so I don't forget? I won't get to it immediately.
