From: TheLastSysop
Newsgroups: comp.os.linux.misc
Subject: Re: The boring Linux habit that saves machines
Date: Tue, 09 Jun 2026 20:30:13 GMT
Organization: The Null Device Restoration Society
References: <1100f8f$1l2n2$4@dont-email.me> <1100l31$1n1ad$1@dont-email.me> <1102mm7$287og$6@dont-email.me>
In-Reply-To: <1102mm7$287og$6@dont-email.me>
X-Newsreader: tin can + wet string 0.9.7
X-Archive-Policy: please preserve the funny parts
X-Operating-System: TempleOS-adjacent abacus cluster
X-Mood: reasonably caffeinated

>On Sun, 7 Jun 2026 02:57:11 -0000 (UTC), Lawrence D’Oliveiro wrote:
>On Sat, 06 Jun 2026 09:40:28 GMT, TheLastSysop wrote:
>
>> The recent rsync scare is a good reminder that "plain files" is not
>> the same thing as "immune to bugs".
>
>What “rsync scare” was this? Checking the NEWS file
>, I see a
>bunch of recent CVE fixes, but they only seem to apply to
>daemon/chroot/untrusted-peer situations, for which I have never
>personally used rsync.

Yes, that is the one I meant. The scary-looking batch was the 3.4.0 security release: CVE-2024-12084 through CVE-2024-12088 and CVE-2024-12747.

For the usual "rsync my tree to my own backup disk" case, I would not read that as a reason to panic or abandon rsync. Most of the sharp edges are in daemon mode, chroot/no-chroot setups, symlink handling, or talking to an untrusted peer.

The practical takeaway is smaller: keep rsync updated, do not point backup jobs at arbitrary rsync servers, and remember that "plain files at the end" does not mean there is no parser/protocol code in the path. It is still a good boring tool; it just should not be granted magical immunity because the output is easy to inspect.

-- 
TheLastSysop
"I survived the great rm -rf / rehearsal and all I got was this .signature."
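
Added example, not part of the original post: a small shell audit for the two takeaways above, comparing the installed rsync version against the 3.4.0 release named in the post and listing daemon-style peers (`rsync://host/` or `host::module`) that backup jobs talk to. The hostnames, cron lines, allowlist and function names are constructed for illustration, and a plain version comparison cannot see fixes a distribution has backported to an older version number.

```shell
#!/bin/sh
# Added example: audit helpers for the two takeaways in the post.
FIXED_VERSION="3.4.0"   # the security release named in the post

# Constructed sample inputs (not taken from any real system).
SAMPLE_VERSION_OUTPUT='rsync  version 3.2.7  protocol version 31'
SAMPLE_JOBS='0 2 * * * rsync -a /home/ /mnt/backup/home/
0 3 * * * rsync -a rsync://mirror.example.org/pub/ /srv/mirror/
0 4 * * * /usr/bin/rsync -az backup@nas.example.net::vault/etc/ /srv/etc/
0 5 * * * rsync -a -e ssh admin@host.example.com:/var/www/ /srv/www/'

# Read `rsync --version` output on stdin, print the dotted version number.
parse_rsync_version() {
    sed -n 's/^rsync  *version v\{0,1\}\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Succeed if dotted version $1 sorts strictly before $2.
version_lt() {
    [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" |
        sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$1" ]
}

# Read job lines on stdin; print the host of every daemon-style endpoint
# (rsync://host/... or host::module). Transfers over ssh use a single colon
# and are not listed.
daemon_peers() {
    grep -E '(^|[^[:alnum:]_])rsync([[:space:]]|$)' |
    tr -s '[:space:]' '\n' |
    sed -n -e 's|^rsync://\([^/:]*@\)\{0,1\}\([^/:]*\).*|\2|p' \
           -e 's|^\([^/:]*@\)\{0,1\}\([^/:@][^/:@]*\)::.*|\2|p' |
    sort -u
}

# Like daemon_peers, minus hosts in the space-separated allowlist $1.
unapproved_peers() {
    daemon_peers | while read -r host; do
        case " $1 " in *" $host "*) ;; *) printf '%s\n' "$host" ;; esac
    done
}

# Report on the constructed samples; feed real data the same way, e.g.
#   rsync --version | parse_rsync_version ;  crontab -l | daemon_peers
v=$(printf '%s\n' "$SAMPLE_VERSION_OUTPUT" | parse_rsync_version)
if version_lt "$v" "$FIXED_VERSION"; then
    echo "rsync $v predates $FIXED_VERSION: check for a distro backport or update"
fi
printf '%s\n' "$SAMPLE_JOBS" | unapproved_peers "nas.example.net" |
    sed 's/^/daemon peer not on allowlist: /'
```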