[arch-dev-public] rsync & bundled zlib
Hello everybody,

to date we ship rsync with bundled zlib to keep compatibility with rsync up to version 3.1.0 and its old-style --compress option. This is no longer required with rsync 3.1.1, which was released on 2014-06-22 - nearly six years ago! The bundled zlib carries some security issues, so time to act - one way or another.

Even old-stable Debian Jessie [0] has rsync version 3.1.1. So any concern to finally drop bundled zlib and use system zlib?

I would suggest to post a news item, feel free to give thoughts and feedback.

--- >8 ---
rsync compatibility

Our `rsync` package was shipped with bundled `zlib` to provide compatibility with old-style `--compress` option up to version 3.1.0. Version 3.1.1 was released on 2014-06-22 and is shipped by all major distributions now.

So we decided to finally drop the bundled library and ship a package with system `zlib`. Go and blame those running old versions if you encounter errors with `rsync 3.1.3-3`.
--- >8 ---

[0] https://packages.debian.org/de/jessie/rsync

--
main(a){char*c=/* Schoene Gruesse */"B?IJj;MEH" "CX:;",b;for(a/* Best regards my address: */=0;b=c[a++];) putchar(b-1/(/* Chris cc -ox -xc - && ./x */b/42*2-3)*42);}
+1 to using system zlib. One minor remark on the news draft below.

On Mon, 13 Jan 2020 at 17:23:00, Christian Hesse wrote:
--- >8 --- rsync compatibility
Our `rsync` package was shipped with bundled `zlib` to provide compatibility with old-style `--compress` option up to version 3.1.0. Version 3.1.1 was
Missing "the" before "old-style"?
released on 2014-06-22 and is shipped by all major distributions now.
So we decided to finally drop the bundled library and ship a package with system `zlib`. Go and blame those running old versions if you encounter errors with `rsync 3.1.3-3`. --- >8 ---
Looks good to me otherwise, thanks!
On 1/13/20 11:23 AM, Christian Hesse wrote:
Hello everybody,
to date we ship rsync with bundled zlib to keep compatibility with rsync up to version 3.1.0 and its old-style --compress option. This is no longer required with rsync 3.1.1, which was released on 2014-06-22 - nearly six years ago! The bundled zlib carries some security issues, so time to act - one way or another.
Even old-stable Debian Jessie [0] has rsync version 3.1.1. So any concern to finally drop bundled zlib and use system zlib?
Definitely.
I would suggest to post a news item, feel free to give thoughts and feedback.
Not sure... how likely is it that people will be contacting servers which are running a version of rsync even older than Debian Jessie?

FWIW, the original bug report: https://bugs.archlinux.org/task/41024

rsync already spits out an error stating the remote machine does not understand the relevant option:

"rsync: on remote machine: --new-compress: unknown option"

So this seems like an obviously debuggable issue -- and the solution is just "upgrade your remote server". It doesn't stop you from using ssh, scp, or rsync without compression.

--
Eli Schwartz
Bug Wrangler and Trusted User
On Mon, Jan 13, 2020, 17:23 Christian Hesse <list@eworm.de> wrote:
Hello everybody,
to date we ship rsync with bundled zlib to keep compatibility with rsync up to version 3.1.0 and its old-style --compress option. This is no longer required with rsync 3.1.1, which was released on 2014-06-22 - nearly six years ago! The bundled zlib carries some security issues, so time to act - one way or another.
Even old-stable Debian Jessie [0] has rsync version 3.1.1. So any concern to finally drop bundled zlib and use system zlib?
I would suggest to post a news item, feel free to give thoughts and feedback.
--- >8 --- rsync compatibility
Our `rsync` package was shipped with bundled `zlib` to provide compatibility with old-style `--compress` option up to version 3.1.0. Version 3.1.1 was released on 2014-06-22 and is shipped by all major distributions now.
So we decided to finally drop the bundled library and ship a package with system `zlib`. Go and blame those running old versions if you encounter errors with `rsync 3.1.3-3`. --- >8 ---
[0] https://packages.debian.org/de/jessie/rsync
+1 to idea and +1 to news item. Maybe make users aware of the security implications of the bundled zlib.
Christian Hesse <list@eworm.de> on Mon, 2020/01/13 17:23:
Hello everybody,
to date we ship rsync with bundled zlib to keep compatibility with rsync up to version 3.1.0 and its old-style --compress option. This is no longer required with rsync 3.1.1, which was released on 2014-06-22 - nearly six years ago! The bundled zlib carries some security issues, so time to act - one way or another.
Even old-stable Debian Jessie [0] has rsync version 3.1.1. So any concern to finally drop bundled zlib and use system zlib?
I pushed the new package to [testing] yesterday.
I would suggest to post a news item, feel free to give thoughts and feedback.
We had just one contra, but even with reasonable error message... I think rsync is hidden in a lot of scripts, crontabs & what not. A short heads-up may be of great help.

We had some feedback, so here is the updated proposal:

--- >8 ---
rsync compatibility

Our `rsync` package was shipped with bundled `zlib` to provide compatibility with the old-style `--compress` option up to version 3.1.0. Version 3.1.1 was released on 2014-06-22 and is shipped by all major distributions now.

So we decided to finally drop the bundled library and ship a package with system `zlib`. This also fixes security issues, actual ones and future ones. Go and blame those running old versions if you encounter errors with `rsync 3.1.3-3`.
--- >8 ---
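Eli's message quotes the error an old remote produces, and Christian's point above is that rsync is buried in scripts and cron jobs. As an added example (not from this thread or from the rsync project), here is a POSIX sh wrapper such a job could use: it tries a compressed transfer first and, if the remote rejects the new compression flag, warns and retries once without -z. RSYNC_BIN is an assumed variable, not an rsync feature, introduced so the wrapper can be exercised against a stub.

```shell
#!/bin/sh
# Added example: defensive rsync wrapper for scripts and cron jobs.
# First attempt is compressed (-z). If the remote rsync predates 3.1.1
# and answers "--new-compress: unknown option", log a warning (the real
# fix is upgrading the remote) and retry once without compression so
# the job still completes. Any other failure is surfaced unchanged.
#
# RSYNC_BIN is an assumed knob for this example: it defaults to the real
# rsync on PATH and can be pointed at a stub for testing.
RSYNC_BIN="${RSYNC_BIN:-rsync}"

# rsync_z_fallback SRC DEST
# Returns 0 on success (compressed or uncompressed), 1 otherwise.
rsync_z_fallback() {
    src=$1
    dest=$2

    # Capture only stderr; rsync's normal stdout (file list) is discarded.
    if err=$("$RSYNC_BIN" -az "$src" "$dest" 2>&1 >/dev/null); then
        echo "ok: compressed transfer to $dest"
        return 0
    fi

    case $err in
        *"--new-compress: unknown option"*)
            echo "warn: remote rsync older than 3.1.1 for $dest, retrying without -z (upgrade the remote)" >&2
            if "$RSYNC_BIN" -a "$src" "$dest" >/dev/null; then
                echo "ok: uncompressed transfer to $dest"
                return 0
            fi
            ;;
    esac

    # Not the compatibility case (or the retry failed too): report and fail.
    printf '%s\n' "$err" >&2
    return 1
}
```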
Christian Hesse <list@eworm.de> on Wed, 2020/01/15 09:17:
We had some feedback, so here is the updated proposal:
--- >8 --- rsync compatibility
Our `rsync` package was shipped with bundled `zlib` to provide compatibility with the old-style `--compress` option up to version 3.1.0. Version 3.1.1 was released on 2014-06-22 and is shipped by all major distributions now.
So we decided to finally drop the bundled library and ship a package with system `zlib`. This also fixes security issues, actual ones and future ones. Go and blame those running old versions if you encounter errors with `rsync 3.1.3-3`. --- >8 ---
Posted the news: https://www.archlinux.org/news/rsync-compatibility/
participants (4): Christian Hesse, Eli Schwartz, Lukas Fleischer, Sven-Hendrik Haase