On 1/13/20 11:23 AM, Christian Hesse wrote:
Hello everybody,
to date we ship rsync with bundled zlib to keep compatibility with rsync up to version 3.1.0 and it's old-style --compress option. This is no longer required with rsync 3.1.1, which was released on 2014-06-22 - nearly six years ago! The bundled zlib carries some security issues, so time to act - one way or another.
Even old-stable Debian Jessie [0] has rsync version 3.1.1. So any concern to finally drop bundled zlib and use system zlib?
Definitely.
I would suggest to post a news item, feel free to give thoughts and feedback.
Not sure... how likely is it that people will be contacting servers which are running a version of rsync even older than Debian Jessie? FWIW, the original bug report: https://bugs.archlinux.org/task/41024 rsync already spits out an error stating the remote machine does not understand the relevant option: "rsync: on remote machine: --new-compress: unknown option" So this seems like an obviously debuggable issue -- and the solution is just "upgrade your remote server". It doesn't stop you from using ssh, scp, or rsync without compression. -- Eli Schwartz Bug Wrangler and Trusted User