From 5d95ac3456f2a572863abdf89a78789290d2687b Mon Sep 17 00:00:00 2001
From: bbhtt
Date: Sun, 3 Aug 2025 16:52:56 +0530
Subject: [PATCH] builder-source-archive: Switch to bsdunzip

info-zip's unzip is unmaintained and horribly behind security patches so switch to bsdunzip from libarchive. See https://gitlab.com/freedesktop-sdk/freedesktop-sdk/-/blob/687b07205c02d28622053d419ec0f3c6f0240f5b/elements/components/unzip.bst#L45-68 and https://gitlab.com/freedesktop-sdk/freedesktop-sdk/-/issues/1777
---
 .github/workflows/check.yml | 6 +++---
 README.md | 2 +-
 ci/libbuild.sh | 2 +-
 src/builder-source-archive.c | 2 +-
 4 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
index cedf0ef7..59910211 100644
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@@ -25,7 +25,7 @@ jobs:
 libjson-glib-dev shared-mime-info desktop-file-utils libpolkit-agent-1-dev libpolkit-gobject-1-dev \
 libseccomp-dev libsystemd-dev libxml2-utils libgpgme11-dev gobject-introspection \
 libgirepository1.0-dev libappstream-dev libdconf-dev clang socat flatpak \
- libcurl4-gnutls-dev libflatpak-dev libyaml-dev elfutils git patch unzip
+ libcurl4-gnutls-dev libflatpak-dev libyaml-dev elfutils git patch libarchive-tools
 - name: Check out flatpak
 uses: actions/checkout@v4
 with:
@@ -58,7 +58,7 @@ jobs:
 libjson-glib-dev shared-mime-info desktop-file-utils libpolkit-agent-1-dev libpolkit-gobject-1-dev \
 libseccomp-dev libsystemd-dev libxml2-utils libgpgme11-dev gobject-introspection \
 libgirepository1.0-dev libappstream-dev libdconf-dev clang flatpak \
- libcurl4-gnutls-dev libflatpak-dev libyaml-dev elfutils git patch unzip
+ libcurl4-gnutls-dev libflatpak-dev libyaml-dev elfutils git patch libarchive-tools
 - name: Check out flatpak
 uses: actions/checkout@v4
 with:
@@ -132,7 +132,7 @@ jobs:
 patch \
 shared-mime-info \
 socat \
- unzip
+ libarchive-tools
 - name: Check out flatpak-builder
 uses: actions/checkout@v4
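Review bot: Nothing in these install steps checks that the `libarchive-tools` package the runner pulls in actually ships a `bsdunzip` binary. As far as I know the tool only appeared with libarchive 3.7, so an older runner image would install the package cleanly and the job would fail much later, inside whatever test extracts a zip source. The `runs-on` image is outside the hunks, so this cannot be confirmed from here; if it is not pinned to a release that is new enough, a fail-fast line such as `command -v bsdunzip` at the end of the install step would make the cause obvious. The same applies to the hunks at -58 and -132.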
diff --git a/README.md b/README.md
index 60ac3495..852cfc7c 100644
--- a/README.md
+++ b/README.md
@@ -40,7 +40,7 @@ Very commonly used:
 * cp
 * git
 * 7z
- * unzip
+ * bsdunzip (libarchive)
 Rarely used:
diff --git a/ci/libbuild.sh b/ci/libbuild.sh
index be8bea99..77a5fdab 100644
--- a/ci/libbuild.sh
+++ b/ci/libbuild.sh
@@ -50,7 +50,7 @@ pkg_install_builddeps() {
 else
 yum -y install yum-utils
 # Base buildroot, copied from the mock config sadly
- yum -y install bash bzip2 coreutils cpio diffutils system-release findutils gawk gcc gcc-c++ grep gzip info make patch redhat-rpm-config rpm-build sed shadow-utils tar unzip util-linux which xz
+ yum -y install bash bzip2 coreutils cpio diffutils system-release findutils gawk gcc gcc-c++ grep gzip info make patch redhat-rpm-config rpm-build sed shadow-utils tar libarchive-tools util-linux which xz
 fi
 # builddeps+runtime deps
 pkg_builddep $pkg
diff --git a/src/builder-source-archive.c b/src/builder-source-archive.c
index 71cf5484..eb49eb3f 100644
--- a/src/builder-source-archive.c
+++ b/src/builder-source-archive.c
@@ -507,7 +507,7 @@ unzip (GFile *dir,
 GError **error)
 {
 gboolean res;
- const char *argv[] = { "unzip", "-q", zip_path, NULL };
+ const char *argv[] = { "bsdunzip", "-q", zip_path, NULL };
 res = flatpak_spawnv (dir, NULL, 0, error, argv, NULL);
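Review bot: The changed line sits in the `yum` branch, but `libarchive-tools` is the Debian/Ubuntu package name. On yum/dnf distributions I believe the tool ships in a separate `bsdunzip` subpackage of libarchive, so this install would either fail or leave the buildroot without `bsdunzip`; please confirm the name against the target distro. The comment above says the list is copied from the mock config, so swapping `unzip` out also makes it diverge from that source. Consider keeping the base list intact and adding the new tool explicitly, e.g. `... shadow-utils tar unzip bsdunzip util-linux which xz`. The surrounding `if`/`else` starts outside the hunk, so the other branch cannot be checked from here.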
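Review bot: The extractor name in `argv` is now hard-coded to `bsdunzip`, with no comment recording why the helper (still called `unzip`) no longer runs Info-ZIP. Without that, a later maintainer could "fix" it back to the unmaintained tool. I would add above the array something like `/* bsdunzip (libarchive): Info-ZIP unzip is unmaintained and behind on security fixes */`. Hosts whose libarchive predates `bsdunzip` will now fail zip sources with only whatever error `flatpak_spawnv` reports for a missing program, so a release-notes entry or a configure-time check for the binary would help packagers. The function's signature begins before the hunk and its body ends after it, so how `res` and `error` are handled afterwards is not visible here.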