alt Hacker NewsHe's always been an odd one, for a long time he refused to enable even basic hardening features like ASLR and DEP because they made the executables slightly larger. He eventually relented on some of those, but last I heard the more advanced mitigations like HE-ASLR, CFG and GS were still disabled.
Even more, there are regularly security vulnerabilities patched in releases that don't get CVEs and don't get any mention in patch notes, there are no incremental commits between releases, just giant code dumps. There's no changelog linked on the 7-zip.org website. There's no auto-update or update check mechanism, which is problematic for a project with regular CVEs whose primary purpose is handling untrusted inputs.
7-zip is not a serious project and its use should be strongly discourged.