by zbentley
14 days ago
Did anyone in that issue thread ever … describe an issue? As in steps-to-reproduce, expected vs. observed behavior, all that? Like, this was posted on an issue tracker. “Your commit messages reference Claude and some guy on bluesky thinks some unspecified issue he had is related to those commits” is not an actionable issue. All the rest of the discussion aside, if this were my project I would close and lock with “not enough info to reproduce”. There are better places for general discussion about AI and forking and emitting rage.

* People with Linux < 5.6 can't build this from GitHub. This to me seems like a fairly minor regression: people using maintained versions of 5.6 (mostly extended security) will have distro maintainers pick up that the build is failing, allowing for it to be corrected in a timely manner.
* Hardening against path-traversals causes failures for users with: no chroot; using the native rsync protocol. Ironically: chroot = no is deeply discouraged; you shouldn't really be using native rsync in an automated manner (and perhaps it seems I wouldn't advise using it at all); the CVEs the commits fix apply exactly to this use case.
https://www.cve.org/CVERecord?id=CVE-2026-29518
Requires daemon + no chroot. "daemon runs with elevated privileges. This vulnerability can only be triggered if the chroot setting is false."
So the workflows affected are those which are the most vulnerable, and yet people are recommending that people revert versions.
* Furthermore, if a regression test picked this up, it would've been written previously.