eza-community / eza

A modern alternative to ls
https://eza.rocks
MIT License
10.91k stars 194 forks

aarch64 binaries aren't shipped with git support #1060

Open adriangalilea opened 1 month ago

adriangalilea commented 1 month ago

When running eza --git I get:

eza: Options --git and --git-ignore can't be used because `git` feature was disabled in this build of exa

eza --version output:

./eza
eza - A modern, maintained replacement for ls
v0.18.21 [-git]
https://github.com/eza-community/eza

Installed from /latest release, version:

wget https://github.com/eza-community/eza/releases/download/v0.18.21/eza_aarch64-unknown-linux-gnu.tar.gz && tar -xzvf eza_aarch64-unknown-linux-gnu.tar.gz && sudo cp eza /usr/local/bin/

Shell: /usr/bin/zsh
Terminal: xterm-kitty
OS: PRETTY_NAME="Debian GNU/Linux 12 (bookworm)" NAME="Debian GNU/Linux" VERSION_ID="12"
Hardware: Raspberry Pi Zero 2 W

Seems inherited from: https://github.com/ogham/exa/issues/978

cafkafk commented 1 month ago

This is because of a security issue with libgit2. We currently aren't aware of a fix to this, and we don't feel comfortable shipping insecure binaries.

That said, it's possible to compile your own version with this flag enabled.

cafkafk commented 1 month ago

Also I should mention this is aarch64-specific; x86_64 is not affected, and we ship binaries with git enabled.

adriangalilea commented 1 month ago

> This is because of a security issue with libgit2.

Got it, would be great to link to such issue so that when the fix occurs this can be cleared.

cafkafk commented 1 month ago

> > This is because of a security issue with libgit2.
>
> Got it, would be great to link to such issue so that when the fix occurs this can be cleared.

There isn't a public issue currently afaik, to avoid bringing awareness to how it can be exploited. Best we got right now is to read the libgit2 release notes and see if there are any mentions of it being solved.

adriangalilea commented 1 month ago

@cafkafk I tried compiling on my raspberry pi zero 2 w and it died, I can't fix it, it's probably related to the swap but I'm running it on 8gb so I can't increase it, I also tried cross compiling it from my mac, and I failed several times at it, so I'm giving up on it until this is fixed.

I don't think this issue should be closed really.

cafkafk commented 1 month ago

> @cafkafk I tried compiling on my raspberry pi zero 2 w and it died, I can't fix it, it's probably related to the swap but I'm running it on 8gb so I can't increase it, I also tried cross compiling it from my mac, and I failed several times at it, so I'm giving up on it until this is fixed.
>
> I don't think this issue should be closed really.

I see, I can keep it open, and then close it when upstream solves it.

Also after thinking about it, I'd rather distribute binaries I've compiled than have other people share potentially malicious binaries. So I've attached the latest builds with libgit2 enabled here.


Aarch64/arm linux binaries

[!CAUTION] eza with libgit2 support on aarch64 and arm is insecure!

This isn't an eza issue, but a libgit2 issue, and so our only option (currently) is to wait for upstream to fix it. Using the git feature is thus unsupported and insecure on aarch64/arm, and only provided here as damage control to prevent distribution of potentially unsafe binaries by bad actors.

In general, this is just not supported in any way, no guarantees etc. Don't make these load bearing. Read https://github.com/eza-community/eza/issues/1023#issuecomment-2171039973. And also, don't make these load bearing. Distros, do not ship these, build them yourself, and inform your users of them being insecure!

eza_aarch64-unknown-linux-gnu.tar.gz
eza_aarch64-unknown-linux-gnu.zip
eza_arm-unknown-linux-gnueabihf.tar.gz
eza_arm-unknown-linux-gnueabihf.zip

These can also be built by running these commands in the eza repo:

just binary eza aarch64-unknown-linux-gnu
just binary eza arm-unknown-linux-gnueabihf

Checksums

adriangalilea commented 1 month ago

> I see, I can keep it open, and then close it when upstream solves it.

Thanks.

just binary eza aarch64-unknown-linux-gnu

rustup target add aarch64-unknown-linux-gnu
info: component 'rust-std' for target 'aarch64-unknown-linux-gnu' is up to date
cross build --release --target aarch64-unknown-linux-gnu
error: error: invalid value '1.77.2_1' for '<toolchain>...': invalid toolchain name: '1.77.2_1'

For more information, try '--help'.
: invalid toolchain name: '1.77.2_1'
Error: 
   0: couldn't install toolchain `1.77.2_1`
   1: `rustup toolchain add 1.77.2_1 --profile minimal` failed with exit status: 1
error: Recipe `binary` failed on line 150 with exit code 1

I may try your binaries next.

EDIT: managed to build it with a bit of help from Claude, many thanks.
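
The install command in the first post unpacks the download without checking it. The following added example, which is not from the thread or the eza project, verifies an archive against a SHA-256 digest published by the maintainer before installing it, and reads the git feature marker from `eza --version` text. The function names are hypothetical, and `[+git]` as the enabled marker is assumed by analogy with the `[-git]` shown above.

```shell
#!/bin/sh
# Added example: verify a release archive before installing it.
# The expected digest must be copied from the maintainer's own post or release page.

# Print the SHA-256 of a file as lowercase hex (coreutils, with a shasum fallback).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 only if the file's digest equals the published one.
sha256_matches() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ ${#expected} -eq 64 ] || return 2      # reject empty or truncated digests
    actual=$(sha256_of "$file") || return 2
    [ "$actual" = "$expected" ]
}

# Report the git feature state from `eza --version` text.
# Assumption: an enabled build prints [+git], mirroring the [-git] seen in the thread.
git_feature_state() {
    case $1 in
        *'[+git]'*) echo enabled ;;
        *'[-git]'*) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Verify first, then extract and install; nothing is unpacked if the digest differs.
install_verified() {
    archive=$1
    expected=$2
    dest=$3
    if ! sha256_matches "$archive" "$expected"; then
        echo "digest mismatch, refusing to install: $archive" >&2
        return 1
    fi
    tmp=$(mktemp -d) || return 1
    rc=0
    { tar -xzf "$archive" -C "$tmp" && install -m 0755 "$tmp/eza" "$dest/eza"; } || rc=$?
    rm -rf "$tmp"
    return $rc
}
```

A digest only proves the file matches what was published, so it should be read from the maintainer's comment or release page rather than from wherever the archive was mirrored.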