> A thing has happened; the upstream info-zip team had released a beta
> version of info-zip that has support for AES-128 and AES-256 encrypted
> zip files; however the upstream beta never gets any security fixes.
>
> For that matter, the main upstream package doesn't get security fixes
> either, which is why the version we have already says "by Debian".
>
> Therefore find myself in the unexpected place of having to request
> a backport of the AES support code to Debian's zip 3.0 and unzip 6.0,
> and ultimately I'd prefer for it to use the direct implementation of
> AES rather than take a dependency on libressl; the upstream AES support
> code should be usable with a manual merge.
I'm a member of the upstream infozip team. I can work with you to
backport this feature if needed.
I think that the public beta already has the most up to date code for
the AES support. If not, I can get you the latest changes.
