[arch-dev-public] rsync & bundled zlib

Sven-Hendrik Haase svenstaro at gmail.com
Mon Jan 13 16:45:43 UTC 2020


On Mon, Jan 13, 2020, 17:23 Christian Hesse <list at eworm.de> wrote:

> Hello everybody,
>
> to date we ship rsync with bundled zlib to keep compatibility with rsync
> up to version 3.1.0 and its old-style --compress option. This is no longer
> required with rsync 3.1.1, which was released on 2014-06-22 - nearly six
> years ago!
> The bundled zlib carries some security issues, so time to act - one way
> or another.
>
> Even old-stable Debian Jessie [0] has rsync version 3.1.1. So any concern to
> finally drop bundled zlib and use system zlib?
>
> I would suggest to post a news item, feel free to give thoughts and
> feedback.
>
> --- >8 ---
> rsync compatibility
>
> Our `rsync` package was shipped with bundled `zlib` to provide compatibility
> with old-style `--compress` option up to version 3.1.0. Version 3.1.1 was
> released on 2014-06-22 and is shipped by all major distributions now.
>
> So we decided to finally drop the bundled library and ship a package with
> system `zlib`. Go and blame those running old versions if you encounter
> errors with `rsync 3.1.3-3`.
> --- >8 ---
>
> [0] https://packages.debian.org/de/jessie/rsync
> --
> main(a){char*c=/*    Schoene Gruesse                         */"B?IJj;MEH"
> "CX:;",b;for(a/*    Best regards             my address:    */=0;b=c[a++];)
> putchar(b-1/(/*    Chris            cc -ox -xc - && ./x
> */b/42*2-3)*42);}
>

+1 to idea and +1 to news item. Maybe make users aware of the security
implications of the bundled zlib.
