Josh Aas
Nov 7, 2024
Today we're pleased to announce that the recently developed open source memory safe implementation of zlib — zlib-rs — has a new long-term home at the Trifecta Tech Foundation.
We set out to develop a strategy, raise funds, and select a contractor for a memory safe zlib implementation in 2023. We did this because data compression algorithms, and zlib in particular, are used in a vast number of protocols and file formats throughout all of computing. In the past, compression libraries have encountered memory safety vulnerabilities, a common phenomenon for libraries written in C/C++ and a class of issues that critical system software should not suffer from.
We contracted Tweede golf in December of 2023 for an initial implementation based on zlib-ng, with a focus on maintaining excellent performance while introducing memory safety. The project was made possible through funding provided by Chainguard and a time investment by Tweede golf.
An early release of the zlib-compatible dynamic library is available on crates.io.
New home
Trifecta Tech Foundation is already the long-term home of two other Prossimo initiatives: memory safe NTP and sudo.
When the Tweede golf team suggested having zlib-rs become part of Trifecta Tech Foundation's data compression initiative, it was an easy decision to make on our end. Trifecta Tech Foundation is backed by the team from Tweede golf and we know that they are good stewards of open source while also being leading experts in writing in memory safe languages.
Given the widespread use of zlib across the tech industry, offering a memory safe alternative to C implementations is a huge win. The investment required is tiny compared to the gain, as zlib is relatively small in terms of lines of code. When a memory safe zlib is in place, it allows adding (performance) improvements with confidence and iterating without breaking things.
Trifecta Tech Foundation aims to mature the zlib-rs project and support its maintainers. Zlib-rs will be part of the Foundation's data compression initiative that includes four compression libraries: zlib, bzip2, zstd and xz.
What's next?
Work on WebAssembly optimizations, kindly funded by Devolutions, is underway. A security audit by Prossimo is nearing completion and is expected to be done in November 2024. Once the audit is successfully finished, the Trifecta Tech Foundation team will continue to work with Mozilla, who are interested in potentially shipping zlib-rs in Firefox.
That said, work on zlib-rs is not yet complete. Trifecta Tech Foundation is seeking funding to make the initial implementation ready for production. Contact Trifecta Tech Foundation if you're interested.