
Community Mirrors

If you’re setting something up which will automatically download Zig, like CI, you might be interested in using community mirrors instead of downloading from ziglang.org.

The ziglang.org website does not offer any uptime or speed guarantees, meaning that your CI will sporadically fail or have slower runs if it hardcodes it as a download URL. In fact, configuring your CI to fetch from ziglang.org directly contributes to uptime and speed issues, because this site is intentionally hosted on a simple one-computer configuration. Instead, it is often a good idea to fetch Zig from one of many community-maintained mirrors. These mirrors are not officially endorsed by the Zig Software Foundation, but because we sign every archive, they can be used without security risk as long as you verify those signatures. While no individual mirror has an uptime or speed guarantee, configuring your automation to cycle through the list of available mirrors can effectively guarantee high uptime in practice.

Security Notice

Community mirrors are not officially trusted or endorsed by the Zig Software Foundation, and could in theory serve malicious binaries. If you are using them, you must make sure to validate the minisign signature for every tarball you download against the ZSF’s public key, available on the download page.

GitHub Actions

If you are setting up an automation using GitHub Actions, you may be interested in the mlugg/setup-zig Action (note that this is not an official ZSF project). Not only does it install a Zig version of your choice from a community mirror, but it also saves your Zig cache directory between workflow runs, allowing for faster rebuilds.

Using Mirrors

The list of community mirrors is available in a newline-separated ASCII text file at https://ziglang.org/download/community-mirrors.txt. We recommend that tooling fetch this list and try mirrors in a randomized order (to avoid putting excessive load on any one mirror, which slows it down for everyone).

Every Zig tarball is associated with a minisign signature file, which can also be downloaded from mirrors. When you download a tarball from a mirror, you must also download its associated signature and verify the tarball against it. Failing to check the signature could theoretically leave you vulnerable to malicious mirrors hosting modified tarballs.

Put simply, the recommended strategy is approximately this pseudocode:

pubkey = "(copy this from https://ziglang.org/download)"
tarball_name = "zig-x86_64-linux-0.14.1.tar.xz"
# To improve uptime, optionally cache this GET:
mirrors = http_get("https://ziglang.org/download/community-mirrors.txt")
# ASCII-encoded, one mirror per line, newlines are LF, there is a trailing newline.
shuffled = shuffle_lines(mirrors)
for mirror_url in shuffled:
    tarball = http_get(f"{mirror_url}/{tarball_name}?source=my_automation_name")
    if success:
        # NEVER SKIP THIS STEP. The signature must be verified before the tarball is deemed safe.
        signature = http_get(f"{mirror_url}/{tarball_name}.minisig?source=my_automation_name")
        if success and minisign_verify(tarball, signature, pubkey):
            print("Successfully fetched Zig 0.14.1!")
            break  # verified tarball in hand; stop trying further mirrors

Because ziglang.org does not have guaranteed uptime, the community-mirrors.txt file may at times become inaccessible. For this reason, you may wish to consider caching its contents to prevent disruption in the event that ziglang.org encounters downtime. The recommended refetch interval is approximately once per day. At this point in time, mirrors may be added or removed on a monthly basis as the ecosystem evolves, so periodic re-fetching is essential.
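A runnable take on the pseudocode and caching advice above, added here as an example (it is not code from ziglang.org or the ZSF). It assumes the `minisign` command-line tool is installed and on `PATH`; the function names and the `mirror_list`, `get` and `verify` parameters are this example's own.

```python
import random
import subprocess
import tempfile
import urllib.request
from pathlib import Path

MIRROR_LIST_URL = "https://ziglang.org/download/community-mirrors.txt"

def http_get(url, timeout=30):
    """Return the response body, or None on any failure (caller tries the next mirror)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read()
    except Exception:
        return None

def minisign_verify(tarball, signature, pubkey):
    """Check the signature with the minisign CLI (assumed on PATH); True only on exit 0."""
    with tempfile.TemporaryDirectory() as tmp:
        tar_path, sig_path = Path(tmp, "zig.tar.xz"), Path(tmp, "zig.tar.xz.minisig")
        tar_path.write_bytes(tarball)
        sig_path.write_bytes(signature)
        cmd = ["minisign", "-V", "-P", pubkey, "-m", str(tar_path), "-x", str(sig_path)]
        return subprocess.run(cmd, capture_output=True).returncode == 0

def parse_mirrors(text):
    """One mirror URL per LF-terminated line; returned in random order to spread load."""
    mirrors = [line.strip().rstrip("/") for line in text.split("\n") if line.strip()]
    random.shuffle(mirrors)
    return mirrors

def fetch_zig(tarball_name, pubkey, source, mirror_list=None,
              get=http_get, verify=minisign_verify):
    """Return (mirror_url, tarball_bytes) from the first mirror whose tarball verifies.
    mirror_list may be a cached copy of community-mirrors.txt; raises RuntimeError otherwise."""
    if mirror_list is None:
        body = get(MIRROR_LIST_URL)
        if body is None:
            raise RuntimeError("mirror list unavailable and no cached copy supplied")
        mirror_list = body.decode("ascii")
    for mirror in parse_mirrors(mirror_list):
        tarball = get(f"{mirror}/{tarball_name}?source={source}")
        if tarball is None:
            continue
        signature = get(f"{mirror}/{tarball_name}.minisig?source={source}")
        # A missing or non-matching signature disqualifies this mirror's download.
        if signature is not None and verify(tarball, signature, pubkey):
            return mirror, tarball
    raise RuntimeError(f"no mirror served a verifiable {tarball_name}")
```

Because the function raises instead of returning unverified bytes, a CI step built on it fails closed when every mirror is down or serving tampered archives.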

Written more precisely, here is the key information and recommended workflow for downloading Zig tarballs:

Hosting a Mirror

If you are interested in hosting a mirror, please consult the documentation in the www.ziglang.org repository. Thank you for helping to improve and decentralize the Zig ecosystem!