by Koenvh 1418 days ago
Funny, I reported something similar on the rsync mailing list a couple of months ago: https://www.mail-archive.com/rsync@lists.samba.org/msg33452....

Good to see that it will be fixed. Still, rsync is not the right tool for the job if you do not trust the server.

3 comments

I take it that "server" in this context includes the remote party in a "serverless" transfer. I mean, I take it this isn't particular to the rsync daemon.

It sounds like a very serious defect, very easy to exploit. It needed to be addressed quickly. I'm not surprised they skipped the code review.

> rsync is not the right tool for the job if you do not trust the server

Why would you ever trust the server not to do bad things?

I do trust my own server not to misbehave, but I probably would not trust some random server on the internet.

I've had personal servers compromised. I don't unconditionally trust them either.

Exactly. I'm usually worried about the opposite scenario (the client infecting the server). If you're copying files from a personal computer it might have all sorts of random software running on it that's accumulated over the years. Whereas on a remote server you tend to have a better security posture, and aren't installing random software and apps. Admittedly, that might just be my personal use case though.