Why Some Users Are Boycotting 7‑Zip: Open‑Source Limits and Security Concerns

The article examines Paul’s call to boycott 7‑Zip, criticizing its limited open‑source transparency, alleged security flaws, and the geopolitical motive behind the boycott, while also presenting counterarguments and alternative compression tools.

MaGe Linux Operations

An author named Paul published a post urging a boycott of the well‑known compression software 7‑Zip. 7‑Zip, created by Russian developer Igor Pavlov and released in 1999, hosts its source code on SourceForge; most of it is under the GNU LGPL license, while the unRAR component is under a mixed LGPL + unRAR restriction.

Paul argues that 7‑Zip is "limited" open source because its code is not hosted on public platforms like GitHub or GitLab, existing only as a src.7z archive on SourceForge with no commit history, contributors list, documentation, or clear version control.

He cites a 2010 discussion highlighting the difficulty of building 7‑Zip from source, noting that inevitable "tweaks" are required and questioning why such tweaks are needed without a commit history. He suggests this obscures potential telemetry or backdoors.

Paul also criticizes SourceForge’s reputation for bundling spyware in Windows executables and self‑extracting archives, lists several security vulnerabilities in 7‑Zip, and cites the Russia‑Ukraine conflict as a key reason to avoid Russian‑origin software, claiming it may pose advanced security risks.

The article mentions alternative compression tools, including NanaZip (a 7‑Zip fork) and PeaZip, which is based on FreePascal.

Reddit users responded, with many disagreeing with Paul’s stance. User qvop refuted his points, and others such as JonnyRocks, bemenaker, boom_bap_bnc, and atoponce offered counterarguments, emphasizing that 7‑Zip is open source, that source code and changelogs do exist, that there is no evidence of intentional backdoors, and that boycotting software based on the developer’s nationality is unreasonable.

7‑Zip is open source (ignoring the unRAR license part); there is no rule requiring open‑source code to be hosted on a specific platform, and the issues lie with Paul’s claims. There are indeed some files containing update logs and build instructions, but the rest is not required for open‑source distribution, especially when the developer works alone. Allegations of hidden backdoors resemble conspiracy theory; there is no concrete evidence that developers deliberately add "special bugs" or hide telemetry. Boycotting software solely because of the developer’s nationality is a misguided approach, especially when the team has not taken a political stance.

Related links: https://sourceforge.net/p/sevenzip/discussion/45797/thread/239638cc/ and https://www.reddit.com/r/opensource/comments/vkjl80/boycott_7zip_limited_open_source_security_issues/.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Written by

MaGe Linux Operations
