[arch-dev-public] rsync & bundled zlib

Eli Schwartz eschwartz at archlinux.org
Mon Jan 13 16:42:47 UTC 2020


On 1/13/20 11:23 AM, Christian Hesse wrote:
> Hello everybody,
> 
> to date we ship rsync with bundled zlib to keep compatibility with rsync
> up to version 3.1.0 and its old-style --compress option. This is no longer
> required with rsync 3.1.1, which was released on 2014-06-22 - nearly six
> years ago!
> The bundled zlib carries some security issues, so time to act - one way
> or another.
> 
> Even old-stable Debian Jessie [0] has rsync version 3.1.1. So any concern to
> finally drop bundled zlib and use system zlib?

Definitely.

> I would suggest to post a news item, feel free to give thoughts and feedback.

Not sure... how likely is it that people will be contacting servers
which are running a version of rsync even older than Debian Jessie?

FWIW, the original bug report: https://bugs.archlinux.org/task/41024

rsync already spits out an error stating the remote machine does not
understand the relevant option:

 "rsync: on remote machine: --new-compress: unknown option"

So this seems like an obviously debuggable issue -- and the solution is
just "upgrade your remote server". It doesn't stop you from using ssh,
scp, or rsync without compression.

-- 
Eli Schwartz
Bug Wrangler and Trusted User
