FS#65922 - [zip] PKWARE Encryption broken and no other encryption schemes available - replace "zip" (Info-ZIP)?

Attached to Project: Arch Linux
Opened by anpfeff (anpfeff) - Saturday, 21 March 2020, 19:47 GMT
Last edited by Gaetan Bisson (vesath) - Sunday, 26 July 2020, 19:08 GMT
Task Type Feature Request
Category Security
Status Closed
Assigned To Gaetan Bisson (vesath)
Levente Polyak (anthraxx)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

zip (Info-ZIP) is very outdated software (last version from 2008). It only supports one encryption scheme (PKWARE/PKZIP encryption) which is known to be broken since 1994 (see https://link.springer.com/content/pdf/10.1007/3-540-60590-8_12.pdf). This attack was also implemented in a tool called PkCrack (https://www.unix-ag.uni-kl.de/~conrad/krypto/pkcrack.html). Numerous other papers demonstrating the weakness of this scheme can be found using Google Scholar (https://scholar.google.com/scholar?hl=de&as_sdt=0%2C5&q=pkzip+encryption&btnG=).

In the standard for the ZIP format, several encryption schemes like AES are included (next to other schemes like RC4 or DES which are also considered to be weak nowadays). See sections 6 and 7 in the newest standard (https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT) for more details regarding encryption. "zip" (Info-ZIP) only supports the broken PKWARE cipher and does not warn users that they are using a bad encryption scheme.

I know that Arch Linux does not develop the tools itself and only packages and distributes the software, but I would like to suggest three workarounds for the problem mentioned above (according to Wikipedia, some Linux distributions write patches themselves for Info-ZIP, see https://en.wikipedia.org/wiki/Info-ZIP#Forks_and_patches):

- update the man page and warn users that the encryption is not secure
- implement AES support (if you are looking at the source code of Info-ZIP, it says that they plan to implement AES since March 2005)
- think about replacing Info-ZIP (sadly, I cannot point you to a fork or a re-implementation)


Additional info:
* package version(s): all
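An audit script for the schemes the report contrasts, added here as an example (not part of the bug report, Arch's packaging, or Info-ZIP): it reads each entry's central directory record with Python's standard zipfile module and reports whether the entry is unencrypted, uses the legacy PKWARE ZipCrypto cipher, PKWARE "strong encryption" (flag bit 6, APPNOTE section 6) or WinZip AE-x AES (method 99 with a 0x9901 extra field, APPNOTE section 7). The sample archive is hand-assembled with dummy payloads so the flags can be set without an encrypting tool.

```python
import io
import struct
import zipfile

FLAG_ENCRYPTED = 0x0001   # general purpose bit 0: entry is encrypted
FLAG_STRONG = 0x0040      # general purpose bit 6: PKWARE "strong encryption" (APPNOTE sec. 6)
AES_METHOD = 99           # compression method 99: WinZip AE-x AES encryption (APPNOTE sec. 7)
AES_EXTRA_ID = 0x9901     # extra field carrying the AE-x parameters

def classify(zi: zipfile.ZipInfo) -> str:
    """Name the encryption scheme of one entry from its central directory record."""
    if not zi.flag_bits & FLAG_ENCRYPTED:
        return "none"
    if zi.compress_type == AES_METHOD:
        # AE-x extra field: id(2) size(2) vendor-version(2) 'AE'(2) strength(1) real-method(2)
        extra = zi.extra
        while len(extra) >= 4:
            hid, size = struct.unpack("<HH", extra[:4])
            if hid == AES_EXTRA_ID and size >= 7:
                return "aes-" + {1: "128", 2: "192", 3: "256"}.get(extra[8], "?")
            extra = extra[4 + size:]
        return "aes-?"
    if zi.flag_bits & FLAG_STRONG:
        return "pkware-strong"
    return "zipcrypto"  # legacy PKWARE cipher; the only scheme Info-ZIP's zip can produce

def audit(data: bytes) -> dict:
    """Map each entry name in a ZIP byte string to its encryption scheme."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {zi.filename: classify(zi) for zi in zf.infolist()}

def build_zip(entries) -> bytes:
    """Hand-assemble a minimal ZIP (constructed test data, dummy payloads) with chosen flags."""
    local, cd = bytearray(), bytearray()
    for name, flags, method, extra in entries:
        n, payload, off = name.encode(), b"\0" * 16, len(local)
        local += struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, 0, 0,
                             0, len(payload), len(payload), len(n), len(extra)) + n + extra + payload
        cd += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method, 0, 0,
                          0, len(payload), len(payload), len(n), len(extra), 0, 0, 0, 0, off) + n + extra
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries), len(cd), len(local), 0)
    return bytes(local + cd + eocd)

AES256_EXTRA = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 8)  # AE-2, AES-256, deflate
SAMPLE = build_zip([  # constructed sample archive: one entry per scheme discussed above
    ("plain.txt", 0, 8, b""),
    ("legacy.txt", FLAG_ENCRYPTED, 8, b""),
    ("strong.txt", FLAG_ENCRYPTED | FLAG_STRONG, 8, b""),
    ("aes.txt", FLAG_ENCRYPTED, AES_METHOD, AES256_EXTRA),
])
```

Running audit() over archives produced by Info-ZIP's zip -e reports every encrypted entry as zipcrypto, which is the condition the report asks the man page to warn about.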

Closed by Gaetan Bisson (vesath)
Sunday, 26 July 2020, 19:08 GMT
Reason for closing: No response
Comment by Gaetan Bisson (vesath) - Sunday, 22 March 2020, 00:28 GMT
As previously discussed by private email, Arch will not write patches for Info-ZIP. Either you can suggest a suitable source of patches (or better yet, a maintained upstream fork) or the package will be left as-is. Cheers.
