return to table of content

PeaZip: Open-source file compression and encryption software

causality0
14 replies
1d4h

Can anyone explain why this is better than 7zip?

jsheard
4 replies
1d4h

I don't know if this is better, but 7zips developer has an unnerving track record when it comes to security practices. He resisted adopting basic mitigations like DEP and ASLR for a long time, only relenting after a security researcher basically begged him to after finding arbitrary code execution exploits, and he still doesn't want to use any more advanced hardening techniques because they (slightly) bloat the binary size or have a (tiny) performance overhead.

I'm all for lean software but breaking ASLR by stripping the relocation tables, just to shave a few kilobytes off an executable which is primarily intended to parse untrusted files is just reckless.

soraminazuki
1 replies
4h34m

PeaZip appears to rely on 7zip for most of its supported formats. So Peazip isn't really an alternative if you want to avoid 7zip out of security concerns.

7z ... should be placed in (peazip)/res/bin/7z, to manage 7Z files and most of the other supported formats

https://peazip.github.io/peazip-sources.html

I personally like libarchive and its bsdtar CLI, which also supports a wide range of formats. I don't know if there's any popular GUI frontend for it though.

https://libarchive.org

jsheard
0 replies
1h42m

The native archive support that was recently added to Windows itself is backed by libarchive.

lobito14
1 replies
1d4h

Can you please provide the source of this thread?

tux21b
2 replies
1d3h

I hate that PeaZip does not support passwords with a quotation mark (") in the UI. I haven't reviewed the code, but I am assuming that they are neither passing the password via a variable (linked library) nor via an execve call (less secure), but via some sub-shell which is a common attack vector and bad security practice. But as I said, I haven't reviewed the code.

chungy
1 replies
1d2h

I haven't ran nor looked at the code for PeaZip, but the website describes the program as a GUI wrapper around command line utilities. I highly suspect it's the sub-shell thing.

fallingsquirrel
0 replies
1d

That's concerning. What if your archive password is ;rm -rf --no-preserve-root /? There might be an easy CVE for the taking here.

eviks
1 replies
1d4h

Zstd support and x-platform

delfinom
0 replies
1d2h

7zip 24 supports Zstd

canistel
0 replies
1d4h

Cross-platform - works on Linux (with GUI).

Tijdreiziger
0 replies
23h18m

Prettier UI (IMHO)

Sakos
0 replies
1d3h

I've sworn by 7zip since forever and I still use it primarily, but I'd recommend peazip to anybody who wants 7zip but with a better, more convenient GUI (and workflow/behavior). I still think about switching back to peazip (only used it for a few months), but old habits die hard.

theandrewbailey
13 replies
1d5h

I've been using this for over a decade. I keep using it because it extracts files directly where you want them, instead of extracting to a temp folder, then copying to where you want, multiplying IO traffic by up to 2. It also lets me use 7z files with zstd compression, though I'm not sure which other software supports it.

shawnz
10 replies
1d5h

Moving files from one directory to another directory on the same filesystem doesn't actually result in any data getting moved, only the directory entries are changed

bravetraveler
5 replies
1d2h

Let's start slicing the pie, everyone.

On Linux this is becoming a rarity; '/tmp' (the usual $TMPDIR) is mounted using tmpfs, a distinct memory-backed filesystem. Windows on the other hand is happy for this to reside on your physical disk, persistently. I think - this isn't my area.

This almost guarantees your "yes, but" doesn't apply for anyone using Fedora Linux, for example. I dare say nearly any distribution that includes systemd, and probably/consequently, 'tmp.mount'.

While it is memory backed, one can only copy/read from this as fast as the destination can write.

dataflow
2 replies
1d

/tmp is often not tmpfs, in fact. /dev/shm or /var/run are.

bravetraveler
1 replies
1d

Yes, and? It still is very common to find. Turns out things aren't homogeneous. People often both die forever-alone and happily married, too.

I already said it's up to the distribution. I wasn't really interested in splitting it more than I have, I hoped to avoid it... but let's go. It's been upstream over a decade

https://github.com/systemd/systemd/commits/main/units/tmp.mo...

Participation, as always, has been/remains optional. Anything using 'systemd' will likely have this be 'tmpfs', unless 'ConditionPathIsSymbolicLink' is violated.

Anything not using 'systemd' is a niche that most of the industry ignores. See how uninsightful/unhelpful these statements are?

More specifically, this leaves the one directive/condition to consider... and a subset of a subset that's relevant - systems using runit/s6/whatever.

Anyway, that's the fun thing about 'often'. It both often is and isn't. Put simply, word games.

We're both right, '/tmp' often is and isn't 'tmpfs'. It's an implementation detail. It's codified into some standards, and it turns out some distributions are more prepared/cognizant than others.

The inconsistency in applying this makes the assertion that lead to this whole thread off base.

edit: I originally mistook the last edit two years ago for the creation time - adjusted. This has been established for ~14 years!

dataflow
0 replies
12h11m

Anything not using 'systemd' is a niche that most of the industry ignores. See how uninsightful/unhelpful these statements are?

Ubuntu uses systemd. And yet it doesn't use tmpfs for /tmp. I literally just even installed 24.04 right now (new LTS from 3 weeks ago!) just to verify this hadn't somehow changed since the last time I had checked, and it still hadn't.

I'm not here to argue or play word games, I was just trying to point out that this isn't some kind of niche setup. The way you make it sound when you talk about Fedora or s6 or whatever gives readers the impression that they can assume /tmp is on tmpfs on anything mainstream & modern, but that's simply not the case -- it's not the case on the second(?) most popular distro.

That's all I was trying to convey.

edflsafoiewq
1 replies
1d2h

You shouldn't use /tmp for that for that reason. aunpack for example extracts into a temp directory in the same directory as the final destination.

bravetraveler
0 replies
1d1h

I'm fine with either, I think you and Andrew at the top of the thread agree - PeaZip does as you suggest.

I'm just piling on :D Things that naively use temporary directories otherwise may run into an extra copy... because it's not necessarily on the same filesystem. It's rare, in fact, on modern Linux

maccard
2 replies
1d4h

You’ve made a big assumption about being on the same file system there. We had a CI job that was spending an awful lot of time in fetching cached artifacts.

We investigated and it turns out that CI was pulling to %TMP%, but we were actual executing the builds on a separate EBS volume meaning we downloaded and wrote to an EBS volume, then had to copy it to another remote volume, it was super easy to spot on windows, but I’m not sure I would have twigged it as easily if we were moving from /tmp to /data/dira

shawnz
1 replies
1d4h

Sure, but you're probably not using PeaZip (which is primarily a GUI front-end for existing compression tools) in CI or containerized environments. For those situations there are specialized tools which are more appropriate.

maccard
0 replies
1d3h

I’m not in this case, but if something writes to /tmp and then copies it to /data, there is no guarantee that they are on the same device or even network.

iwwr
0 replies
1d4h

In some restricted environments (e.g. containers in CI, build servers or AWS Lambda) you may have limited disk space or no write access at all, so it is useful to have a tool that can stream to memory while decompressing on the fly, and discarding what you don't need.

baal80spam
0 replies
1d4h

The trick to do it using the default 7zip file manager is to open the .7z file in the manager (double clicking it, not right clicking it), and extract the archive whenever you want it - it will be extracted straight there with no transition using temporary folder.

Adj_and_Styles
0 replies
11h39m

The atool script is just a wrapper around many compression tools. Try atool -x which creates the temp folder under final destination.

https://www.nongnu.org/atool/

Edit: just noticed it was mentioned in other reply, but as aunpack, a symlink to atool. I got used to the -x|-l|-a|... style and rarely remember the alternative names.

c0l0
11 replies
1d4h

PeaZip is great software, and doubly so because it is written using Lazarus and compiled with Free Pascal. I highly recommend giving it a try, if only to experience that high quality software can be built using tools that lead you somewhat off the beaten path.

Unfortunately, its lead developer has recently posted[0] that he has to undergo what seems to be complicated, major eye surgery, and that he will probably be unable to continue development :(

[0]: https://old.reddit.com/r/PeaZip/comments/1bn7pu0/communicati...

parhamn
3 replies
20h5m

Drag & drop from app to system is certainly a mayor usability boost, but it is not simple to implement as it requires a dedicated solution for each supported OS and desktop environment.

Off topic, but this is why many devs choose electron.

NavinF
2 replies
19h2m

and desktop environment

Off topic, but this is why many devs choose not to support Linux. Every distro is its own special snowflake

patrickaljord
0 replies
18h50m

Off topic, but this is why many devs choose not to support Linux. Every distro is its own special snowflake

most DE use the same standards (dbus etc) so no

arp242
0 replies
16h29m

That's just not true; I've been using the relatively obscure Void Linux for almost 10 years, and rarely have distro-specific issues, including with Linux-native games from gog.com. Nor do people report distro-specific issues in software I develop on Void.

And it's doubly not true for something like drag-and-drop, which exists on the Desktop Environment level rather than distro level.

cxr
0 replies
21h11m

Neither the existence of this link nor anything in it contradicts the developer's earlier post. It looks like the situation was inaccurately summarized by the HN user with the top comment here—the PeaZip developer didn't announce that he or she was going to stop working on PeaZip.

zoom6628
0 replies
17h23m

+100 for Lazarus and FreePascal

deaddodo
0 replies
21h22m

Yeah, PeaZip is the best example of what Lazarus is capable of, if you feel like using it.

I remember back in my Pascal-loving days, especially after the .NET release of VB, looking at PeaZip+Lazarus and being inspired.

Dwedit
8 replies
1d3h

Programs like 7-zip and PeaZip both have an unusual feature: Ability to explore NT paths that Windows Explorer will refuse to load.

You can go to a path like "\\?\Harddisk0Partition2\" in 7-zip file manager or PeaZip. On my PC, that happens to be the EFI partition. (Need to run as Admin before it lets you access the EFI partition)

Sysinternals WinObj will let you see all the paths in the NT Object Namespace. To convert an NT Object Namespace path into a standard Windows path, put "\\?\GLOBALROOT\" at the beginning of the path. Windows Explorer and the File Dialogs will refuse to open such paths, but many Win32 applications will accept those paths as command line arguments.

supriyo-biswas
3 replies
1d3h

TIL, thanks!

To add to this list of unusual features, 7-zip can also parse many self-extracting PE executables and display the executable sections of ELFs and PEs. I'm not sure if this has been documented anywhere, though.

Dwedit
2 replies
23h45m

7-zip version 15.05 will also decompile NSIS scripts (Nullsoft Installation System), but the feature was taken out of newer versions.

ddtaylor
1 replies
7h9m

Why was the feature removed?

Dwedit
0 replies
3h18m

Presumably due to code maintenance issues, they couldn't ensure the installer script decompiler was secure. File extraction from NSIS is still there, just not installer script decompilation.

panzi
1 replies
1d3h

Reminds me of when I used WinZip to copy files from a shared directory that had non-ASCII (non latin even!) characters in the file names over 20 years ago. Windows Explorer refused to do it. Can't remember the error message, WinZip did the job.

NetOpWibby
0 replies
10h9m

To this day I still don’t put special characters in my file names. I’ve been on macOS for years but who knows if I’ll need a Windows machine?

jasomill
0 replies
12h31m

Interesting.

Also note that, while File Explorer and Windows file/open dialog boxes don't accept "\\?"-style paths at all, you can use the "Run" command (Windows Key+R or choose "Run" from the Start Menu) to open any available (connected and online) volume in File Explorer using a path of the form "\\?\Volume{UUID}\"[1], even if it hasn't been assigned a drive letter or mount point.

Note that, if UAC is enabled, this won't work for EFI system partitions unless you're running Explorer elevated, which can be tricky. You used to be able to kill the explorer.exe process and start a new one from an elevated command prompt or Task Manager, but this no longer works in Windows 11 (Explorer starts, but not elevated).

[1] For GPT disks, this UUID is the GPT partition's unique ID.

I have no idea how the ID is calculated for non-GPT disks, though I have noticed a few interesting properties:

• For volumes on MBR-partitioned disks, all but the first eight bytes of the UUID are zero.

• The UUID is not obviously related to a FAT filesystem's serial number.

• UUIDs are assigned to devices with removable media like optical drives and SD card readers even when empty, and do not change when media is inserted or removed.

In any case, the easiest way I know of find this is using PowerShell: use "Get-Disk" to find the disk number (and if this doesn't give you enough information to identify the correct disk, use "Get-Disk | Format-List" for more information), "Get-Partition -DiskNumber n" to find the partition number (if the disk is partitioned), and, finally, "Get-Partition -DiskNumber n -PartitionNumber m | Get-Volume | select Path" to get the desired path.

In the case of non-hard disk devices like optical drives, "Get-Disk" and/or "Get-Partition" may not be available, so use "Get-Disk | Format-List" for detailed information on all available volumes, including all volume paths and, hopefully, enough additional information to identify the volume you want.

You can also find volume paths with WinObj or the fsutil command, but PowerShell provides more useful information to help identify the correct volume.

chungy
0 replies
1d3h

Not so much "refuse", but lacking code to go down those paths. ReactOS includes built-in shell extensions to browse native NT device paths and the registry right in Explorer. Its same shell extensions can even be installed on Windows to achieve the same thing in Microsoft's Windows Explorer :)

sneak
7 replies
1d4h

Offer two factor authentication (password + keyfile) for all formats supporting encryption, to increase security against guessing and dictionary based attacks on weak passwords.

uhhh, that’s not how symmetric encryption works. We have salted password-based (PB) KDFs for exactly this purpose.

Encryption probably doesn’t belong in the compression container format.

lucb1e
4 replies
1d2h

The quote is correct. It does not say they're not using a KDF or salting, which you seem to read into it? The keyfile is the "something you have" and the password "something you know", so two-factor checks out, even if it's not a time-based token that people expect nowadays (though TOTP is essentially the same but on another device, extracting time-based short codes from the long key to make it convenient to type over). No matter how good your KDF, a weak or reused password can still be crackable, so a key file can make sense even if you use a salted KDF

sneak
3 replies
1d1h

How is this different from just a keyfile?

gkbrk
2 replies
23h31m

Someone with the keyfile but without the password cannot decrypt?

sneak
1 replies
19h49m

Do people usually store key material without encryption at rest?

You're not writing the naked bytes of the key directly in a file.

Anyway, authentication refers to communication between systems. That's not what this is. Decryption is not authentication (except perhaps of the decrypted plaintext, which is not what we are discussing).

rakoo
0 replies
15h25m

Do people usually store key material without encryption at rest?

As usual, depending on the threat model, yes, it can be very valid to store key material on a disk without encryption. Not everyone is Snowden.

Retr0id
1 replies
1d4h

PeaZip also uses a PBKDF (PBKDF2). No longer the latest and greatest, but fine.

lucb1e
0 replies
1d2h

I guess I agree with calling PBKDF2 fine, but it may be good to know the caveats:

- Just because it says it uses PBKDF2 doesn't mean it is strong. The strength fully depends on the number of rounds it uses, and especially in legacy (>10 years old) software I see it a lot that some amount of rounds are hardcoded which can now be computed in a few milliseconds on a CPU

- PBKDF2 gives the attacker a ~1000x speedup. If your CPU spends 2 seconds on computing the hash every time, an attacker with a run-of-the-mill GPU spends 2 milliseconds per guess (500 guesses per second). Using something like Bcrypt or Argon2, that speedup gets to iirc "only" 12x (so if you spend 2 seconds, the attacker spends ~170 milliseconds or 6 guesses per second). Iirc this speedup is due to GPU RAM being faster than the main RAM. So while PBKDF2 isn't great, it's also not like it's broken: this has been a known property since forever and it's still orders of magnitude better than a plain hash

hgyjnbdet
4 replies
22h5m

Genuine question: why would I use this over 7zip?

recursive
0 replies
1h33m

Why use 7zip over this?

pennybanks
0 replies
13h39m

doesnt windows now have all the similar tools default?

ies7
0 replies
18h32m

I really don't remember well, long long time ago in Window (XP?) either you can select multiple folders and zip each of them separately and/or you can select multiple zip files and extract them to separate folders within a single context menu

UberFly
0 replies
20h13m

No reason to if you like 7zip. They all do the same thing just look different for the most part.

croemer
2 replies
18h25m

Nitpicks:

1. Command to unquarantine in docs is wrong. It should be `xattr -d com.apple.quarantine /Applications/peazip.app` not `xattr -dr com.apple.quarantine /Applications/peazip.app`

2. Not available via homebrew

3. Can't open issues, neither on Github nor sourceforge

sigzero
0 replies
16h52m

There is noting wrong and it is probably better to use 'xattr -d -r' since an .app file is just a directory structure.

synergy20
1 replies
23h32m

how is the GUI done for cross platform? not familiar with Pascal ecosystem

gattilorenz
0 replies
20h22m

Lazarus/FreePascal compile to a native binary for more platforms than you will realistically need

teo_zero
0 replies
19h33m

The fact that GTK3 is considered the new thing still in alpha is a red flag for me.

tahoeskibum
0 replies
23h40m

Can't wait to see an irreverent logo

seam_carver
0 replies
22h16m

If your needs are basic I just use tar. It's built into macOS and Windows 10. It even supports rar!

lucifer153
0 replies
6h19m

I was surprised that the software was written in Pascal which is the dead language

jojohohanon
0 replies
21h40m

It blends the CLI by incorporating scripting engine?! That’s not what mean by cli friendly.

exposition
0 replies
23h38m

There’s also pzip[1], which lets you create zip files and extract them in parallel.

[1] https://github.com/ybirader/pzip

Disclaimer: I’m the author

bobbob1921
0 replies
1d1h

LOVE peaZip! What I especially like about it is in my experience it’s been very portable on linux, and the gui has always been portable as well. (it works on Tails - so it’s great for putting onto a USB stick that contains encrypted zip / veracrypt archives for when you need to access those on an air gap d machine.)

aquova
0 replies
23h48m

I've been using Ark on Linux for some time now, but have always heard people sing PeaZip's praises, curious if anyone has any experience or preference between the two.

Qem
0 replies
1d3h

Currently using it under Linux because it's able to extract the malformed large zip files generated by onedrive, that give a corrupted file error when you try to open them using the native file extractor. See https://www.bitsgalore.org/2020/03/11/does-microsoft-onedriv...