Summary: I'm comfortable recommending libzip for main
Discussion: While not an exhaustive review, I looked into:
no format string issues or warnings
There is use of strcpy(), but its use is verified as ok
It has some interesting use of umask(), but seems ok
There is what appears to be a potentially dodgy mkstemp implementation, but libzip doesn't compile it in on Ubuntu
I spent a bit of time in one function checking out if a static buffer could be overflowed and verified the signed math is safe, and all appears ok.
The above spot checks, along with the good security history and the new compiler hardening options on by default, lead me to believe libzip won't be too much trouble.