7-Zip's RAR implementation is built on the non-free UnRAR source code;
DOC/License.txt says:
Licenses for files are:
1) CPP/7zip/Compress/Rar* files: GNU LGPL + unRAR restriction
2) All other files: GNU LGPL
The GNU LGPL + unRAR restriction means that you must follow both
GNU LGPL rules and unRAR restriction rules.
...
unRAR restriction
-----------------
The decompression engine for RAR archives was developed using source
code of unRAR program.
All copyrights to original unRAR code are owned by Alexander Roshal.
The license for original unRAR code has the following restriction:
The unRAR sources cannot be used to re-create the RAR compression algorithm,
which is proprietary. Distribution of modified unRAR sources in separate form
or as a part of other software is permitted, provided that it is clearly
stated in the documentation and source comments that the code may
not be used to develop a RAR (WinRAR) compatible archiver.
The unrar licensing is [infamously restrictive and non-free][fedora];
it's inappropriate for us to keep the RAR support while labelling the
package as free software (and indeed there's a commented-out line
pointing out that the current `meta.license` is false). Unfortunately,
the 7-Zip upstream seems uninterested in replacing the code with a
freely-licensed alternative (see [7-Zip ticket #1229][7zip]).
[fedora]: https://fedoraproject.org/wiki/Licensing:Unrar
[7zip]: https://sourceforge.net/p/sevenzip/feature-requests/1229/
An alternative solution would be to mark the p7zip package as non-free
instead; I decided not to because its other functionality (especially
`.7z` support) is freely-licensed and useful, and there are free
software alternatives for extracting RAR files (e.g. in nixpkgs there's
`archiver`, which is written in a memory-safe language, and `unar`,
which at least doesn't have two patches for CVEs that haven't been
addressed upstream...).
I checked that `7z(1)` fails gracefully on `.rar` files now:
emily@renko ~/tmp> curl -L -O https://www.philippwinterberg.com/download/example.rar
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 5715k 100 5715k 0 0 6716k 0 --:--:-- --:--:-- --:--:-- 6716k
emily@renko ~/tmp> 7z x example.rar
7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_CA.UTF-8,Utf16=on,HugeFiles=on,64 bits,8 CPUs x64)
Scanning the drive for archives:
1 file, 5853119 bytes (5716 KiB)
Extracting archive: example.rar
ERROR: example.rar
Can not open the file as archive
Can't open as archive: 1
Files: 0
Size: 0
Compressed: 0
According to https://repology.org/repository/nix_unstable/problems, we have a
lot of packages that have http links that redirect to https as their homepage.
This commit updates all these packages to use the https links as their
homepage.
The following script was used to make these updates:
```
curl https://repology.org/api/v1/repository/nix_unstable/problems \
| jq '.[] | .problem' -r \
| rg 'Homepage link "(.+)" is a permanent redirect to "(.+)" and should be updated' --replace 's@$1@$2@' \
| sort | uniq > script.sed
find -name '*.nix' | xargs -P4 -- sed -f script.sed -i
```
This reverts commit 0238946872.
This patch broke a number of legitimate zips in the wild, including but
not limited to most luarocks and a number of gradle-produced JARs.
`unrar` is unfree, meaning `unp` cannot be built by default if `unrar`
is in its dependencies.
A simple
env NIXPKGS_ALLOW_UNFREE=1 nix-shell -p unrar
will make `unp` work with .rar files.
In 724e833ea2, I was a little too aggressive in enabling these flags.
Many don’t work in gcc, and we should probably avoid settings them
widely. This makes those flags optional on isclang
These pull in the system CoreFoundation framework for some reason. In
the future, we should figure out a way for it to get these features
from the pure CoreFoundation (they do have the symbol). But right now
this is an issue with sandboxing in gnutar. Fixes#56591.
A few months ago I moved these patches to the new debian alsa instance [1], but
it looks like their `sha256`s on the tag at the remote have changed again.
It doesn't appear that debian's source remote is stable in the way we need it to
be; let's just vendor the patches to avoid future issues.
[1] https://github.com/NixOS/nixpkgs/pull/41769