[arch-dev-public] rsync & bundled zlib

Wed Jan 15 08:17:45 UTC 2020

Christian Hesse <list at eworm.de> on Mon, 2020/01/13 17:23:
> Hello everybody,
> 
> to date we ship rsync with bundled zlib to keep compatibility with rsync
> up to version 3.1.0 and it's old-style --compress option. This is no longer
> required with rsync 3.1.1, which was released on 2014-06-22 - nearly six
> years ago!
> The bundled zlib carries some security issues, so time to act - one way
> or another.
> 
> Even old-stable Debian Jessie [0] has rsync version 3.1.1. So any concern to
> finally drop bundled zlib and use system zlib?

I pushed the new package to [testing] yesterday.

> I would suggest to post a news item, feel free to give thoughts and
> feedback.

We had just one contra, but even with reasonable error message... I think
rsync is hidden in a lot of scripts, crontabs & what not. A short heads-up
may be of great help.

We had some feedback, so here is the updated proposal:

--- >8 ---  
rsync compatibility

Our `rsync` package was shipped with bundled `zlib` to provide compatibility
with the old-style `--compress` option up to version 3.1.0. Version 3.1.1 was
released on 2014-06-22 and is shipped by all major distributions now.

So we decided to finally drop the bundled library and ship a package with
system `zlib`. This also fixes security issues, actual ones and in future. Go
and blame those running old versions if you encounter errors with `rsync
3.1.3-3`.
--- >8 ---  
-- 
main(a){char*c=/*    Schoene Gruesse                         */"B?IJj;MEH"
"CX:;",b;for(a/*    Best regards             my address:    */=0;b=c[a++];)
putchar(b-1/(/*    Chris            cc -ox -xc - && ./x    */b/42*2-3)*42);}
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-dev-public/attachments/20200115/7ced3988/attachment.sig>