Tridgell: rsync and outrage [LWN.net]

Andrew Tridgell has written a blog post responding to complaints that he has begun using LLM tools in his work maintaining rsync:

Like many developers of open source packages I've been hit by a flood of security reports lately in my role as the rsync maintainer. Many of those reports are AI generated (not all though, there are some notable ones with very careful and high quality manual analysis).

As this flood started to get more intense I realised I needed to raise the defences on rsync a lot — we needed much more thorough test suites, code coverage analysis, CI testing on a lot more platforms, deliberate and thorough scanning for possible security issues (so I find at least some of them before other people!) and the addition of a whole lot of defence-in-depth hardening techniques.

[...] Now to the future, because we're not done yet by a long shot. The security reports keep rolling in. I'm working on a bunch of CVEs right now. Luckily I've been joined by some other very good developers with great systems development skills and security knowledge. Some of these people came to my attention partly because of all the rage happening at the moment, so I get some rage storm clouds have silver linings. Watch out for some credits for some great new rsync developers in the next release.

to post comments

Even great programmers can be terribly misguided

Posted Jun 3, 2026 13:20 UTC (Wed) by bignose (subscriber, #40) [Link] (13 responses)

Andrew Tridgell:
> This is all a huge amount of work. I’m retired (though my wife may dispute that!) and I’d rather be out sailing than working on rsync security issues […]

Certainly, it's a huge amount of work, that I wouldn't want anyone to do in a rush. The solution to this is the same as it's been for decades.

Responsible stewardship must include a good succession plan, well ahead of retirement from the project. If you can't keep up with the work, please don't do it badly.

Tridge is no more immune to self-delusion than any other human. His LLM-generated changes resulted in a rash of new regressions. But he insists, in the face of that evidence, that the LLMs helped him do better work.

You did a great thing in starting and basically perfecting this project, Tridge. Please, step away now and let humans do the careful work necessary.

Even great programmers can be terribly misguided

Posted Jun 3, 2026 13:37 UTC (Wed) by alex (subscriber, #1355) [Link] (1 responses)

It's a classic FLOSS problem but there was a succession plan and the previous maintainer retired and handed the reigns back to Tridgell. While there are now people on the brigaded issue trackers offering to take over maintainership I doubt it would be responsible to hand the project over to some random github handle without seeing the quality of their work.

There were a lot of commentators who were sure the reason for the regression was LLM usage but precious few willing to do the work to identify the offending commit or redo the CVE fixes on an "LLM free" branch of the code.

Even great programmers can be terribly misguided

Posted Jun 3, 2026 19:47 UTC (Wed) by raven667 (guest, #5198) [Link]

> It's a classic FLOSS problem but there was a succession plan and the previous maintainer retired and handed the reigns back to Tridgell.

This is the part where I think the most issues are, when big companies ship volunteer-created code (that they found on the Internet) for commercial purposes, then they need to be responsible for the long-term maintenance and security of that code, and can't just defer to the original volunteer maintainer as an accountability sink. "No warranty express or implied for any purpose" is not really ethical for widely-deployed software but no one person can/should be held accountable for all the ways something like rsync is being used, so you can't just forward all CVEs to Tridgell and say "job done", he _can't_ fundamentally accept that responsibility, its too much.

I think it'd be healthy for orgs which ship FOSS to others if they planned on forking and having some vendor consortium to handle maintenance, like Linux Foundation, that might hire the original maintainer, but can also develop a team capable of handling the responsibility incurred when shipping code in products to other people. The idea that major software projects should be organized around individual BDFLs seems crazy to me now that FOSS is such a part of modern infrastructure.

I think there might be some resistance from FOSS maintainers though, a lot of people are attached to the prestige that comes with creating a successful project (eg "my code is interplanetary because it's on the Mars Rover"), but we don't organize other human infrastructure projects around individual engineers, we don't design airplanes or bridges that way, and while small projects the equivalent of building your own garden shed don't require a lot of rules, because the potential harm is low, the more people affected the more responsibility for safety exists and the less its fair to have borne by individuals and should instead be borne by organizations, institutions, culture, etc.

Even great programmers can be terribly misguided

Posted Jun 3, 2026 13:40 UTC (Wed) by darthcloud (subscriber, #111462) [Link] (2 responses)

I'm not a fan of LLM use, but it's his project, so he get to deside what he does with it. Unhappy? Fork it!

Even great programmers can be terribly misguided

Posted Jun 3, 2026 14:48 UTC (Wed) by rsidd (subscriber, #2582) [Link] (1 responses)

Drew DeVault (who forked Vim recently) has forked it. Or, no, he hasn't. He just says use tar and ssh instead.

Oh, and he says this because "apparently rsync is slop now". Without considering whether someone with Tridge's decades of experience would ever put out "slop".

Even great programmers can be terribly misguided

Posted Jun 3, 2026 20:43 UTC (Wed) by mathstuf (subscriber, #69389) [Link]

Heh. Yeah, we have `rrsync` in use to not allow arbitrary execution on the production host. Authentication is via SSH key which is limited to a single location (so you need multiple keys to access multiple locations). Much more auditable than allowing `tar -C` and symlink considerations.

Really, `rclone` would be the better alternative suggestion (though I'm not aware of its "infection" status with LLM output to know if that is also discounted).

Even great programmers can be terribly misguided

Posted Jun 3, 2026 14:29 UTC (Wed) by nhippi (subscriber, #34640) [Link] (1 responses)

> His LLM-generated changes resulted in a rash of new regressions

More like his security bug fixes (reported with help of LLMs) caused regressions that were not catched by the testsuite despite the testsuite being significantly expanded (with help of LLM).

That is hardly news that closing security holes causes regressions - some because users relied on insecure behavior, some because maintainer went overboard when closing the hole and disabled valid usecases too.

Even great programmers can be terribly misguided

Posted Jun 5, 2026 0:27 UTC (Fri) by cesarb (subscriber, #6266) [Link]

> That is hardly news that closing security holes causes regressions - some because users relied on insecure behavior, some because maintainer went overboard when closing the hole and disabled valid usecases too.

I was hit by one of these recently. A recent CUPS release fixed a bunch of vulnerabilities (https://github.com/OpenPrinting/cups/releases/tag/v2.4.17), and the fix for the first one in that list was so broken that it needed to be repaired not once (https://github.com/OpenPrinting/cups/releases/tag/v2.4.18) but twice (https://github.com/OpenPrinting/cups/releases/tag/v2.4.19). In the middle of tax filling season in my country. And the computer connected to the printer didn't have a user account with the same username as the user account being used to do the taxes on the other computer. The log messages weren't exactly helpful.

(The workaround, once I found https://github.com/OpenPrinting/cups/issues/1557 which explained the issue, was: print to PDF, and copy the file to a user account which has the same username as an account which does exist on that computer connected to the printer. Printing from that user account worked fine, which was really confusing until I found the explanation that the username somehow matters, even though it's not authenticating to the server at all.)

Even great programmers can be terribly misguided

Posted Jun 3, 2026 14:43 UTC (Wed) by nim-nim (subscriber, #34454) [Link] (4 responses)

> Tridge is no more immune to self-delusion than any other human. His LLM-generated changes resulted in a rash of new regressions. But he insists, in the face of that evidence, that the LLMs helped him do better work.

You assume it would have been any better without using LLMs. I doubt it. The way new models find security bugs is forcing hurried rewrites on rsync-like projects, and those have never been regression-safe.

Right now the security researchers are focusing on high-visibility FLOSS projects like curl or rsync, which have first-class maintainers like Tridge. As soon as those projects fix their security debt and it gets harder to earn some quick fame the same tools will be turned on average projects (the ones no one bothered auditing seriously so far because it was too much manual work). And then all hell will break lose.

I doubt the maintainers of projects that relied of the tediousness of manual auditing to ship average code will be able to pull a Tridge and perform a rewrite, complete with test suite rewrite, in a hurry (not to mention how easy it has become to import a babel tower of third-party components, that will need fixing at every level, with the same regression risks).

And the next stage of hell will be when LLM analysis will progress to decompile proprietary code. Those guys definitely have zero plan on how to deal with mass analysis of binary code, and would not know how to ship fixes to their customers if they had to. It’s turtles all the way down, their binary blobs use other people’s binary blobs and they could not fix those even if they wanted to because no source code access and no licensing right even if they wanted to. What happens to security by obscurity when the obscurity gets torn down? No one knows but I guess we’re all going to find out pretty soon.

Even great programmers can be terribly misguided

Posted Jun 3, 2026 19:44 UTC (Wed) by ballombe (subscriber, #9523) [Link] (3 responses)

> You assume it would have been any better without using LLMs. I doubt it. The way new models find security bugs is forcing hurried rewrites on rsync-like projects, and those have never been regression-safe.

If a fraction of the money spent on LLM has been used to pay maintainers of critical project, the situation would be different.
Cue to Ted Tso quote: https://lwn.net/Articles/1074105/

Even great programmers can be terribly misguided

Posted Jun 3, 2026 23:37 UTC (Wed) by jwarnica (subscriber, #27492) [Link]

Ted might very well have been busy making sure some huge insurance companies last print run works on the second try.

Either way, insofar as he isn't living in a box, when he does have free time he can work on his hobby.

The problem is that it is a hobby, not that he can afford to have a hobby

Even great programmers can be terribly misguided

Posted Jun 4, 2026 1:04 UTC (Thu) by AdamW (subscriber, #48457) [Link]

Sure it would. But that being a fact doesn't *help* anybody. Nobody is, in fact, offering to spend all those trillions of dollars on F/OSS maintenance, so we must live in the world as it is.

Even great programmers can be terribly misguided

Posted Jun 4, 2026 8:04 UTC (Thu) by NYKevin (subscriber, #129325) [Link]

If we had some ham, we could have ham and eggs, if we had some eggs.

Even great programmers can be terribly misguided

Posted Jun 3, 2026 20:02 UTC (Wed) by geofft (subscriber, #59789) [Link]

> Responsible stewardship must include a good succession plan, well ahead of retirement from the project. If you can't keep up with the work, please don't do it badly.

The amount of commitment required to "keep up with the work" has skyrocketed out of almost nowhere in the last couple of months. Quite possibly we'll get to a steady state where we've resolved all the bugs that were unintentionally added over the past 30-40 years and we aren't adding new bugs at the same rate (especially for a "done" piece of software like rsync). But I don't think this is a fault of a bad succession plan, any more one can look at the kernel security team or the curl maintainers now drowning in valid bug reports being found by LLMs at a rate much higher than humans reported them, and say this is the fault of a bad non-succession plan.

His only mistake

Posted Jun 3, 2026 13:52 UTC (Wed) by bluca (subscriber, #118303) [Link] (1 responses)

rsync is an amazing utility and I'm happy Andrew has found a way to manage his workload using whichever tools he finds useful and productive. His only mistake was not to immediately close, lock, delete and ban when the bottom feeders got out of their moms basements and started brigading his Github when it got linked in whichever social media open sewer they usually dwell in.

His only mistake

Posted Jun 3, 2026 13:56 UTC (Wed) by corbet (editor, #1) [Link]

If we want a higher level of discourse around these topics, a post like this is not a good way to start. This sort of name-calling is not helpful, please do not do that here.

Tool

Posted Jun 3, 2026 13:57 UTC (Wed) by arekm (guest, #4846) [Link]

LLM is just a tool and like any other tools can be used to get good results and to get bad results.

And so far most of bugs and regressions were caused by humans...

Keep up the good work

Posted Jun 3, 2026 14:07 UTC (Wed) by rbranco (subscriber, #129813) [Link]

We all make mistakes. LLMs came here to stay. Haters gonna hate but clankers gotta clank.

LLMs are just tools

Posted Jun 4, 2026 0:31 UTC (Thu) by gerdesj (subscriber, #5446) [Link] (3 responses)

I think LLMs can be useful but not in the way that the likes of MS n that would like.

The sheer cost of running a fully tooled up LLM that knows "everything" and thinking you can sell it to everyone at cost plus margin is as daft as thinking you can sell an encyclopedia to every household.

The real utility (I think) of these beasts is in smaller, focused efforts. Qwen 3.6 35B (quantized to 4 bit) can run on an elderly NVIDIA RTX A4000 with 16GB of GPU RAM using llama.cpp. I found another use for my Veeam and others backup boxes - RAM etc was rather cheaper a few years back!

I treat it exactly the same as I do carpentry. I can cut a 10' line through, say, 18mm plywood to within better than a 1mm (0.5mm either side) tolerance with a panel saw, if I am careful. With a table saw I can do better but the cut will be wider and with a rotary saw I will generally want a long guide and it will also be wider. The table saw and rotary saw will always best me for vertical, when set correctly. I do my best - I use my dominant eye to sight and I set myself physically as "square" as possible to the work piece. A panel saw is pretty good at staying square - if it starts to flex then you are going off track!

Hopefully the analogy is not lost on anyone.

When you use a tool you need to know how to get the best out of it. Ignore "magic" thinking (prompt optimisation and other wankery) and instead accept that the answers you get back might be a bit wrong.

LLMs are just tools

Posted Jun 4, 2026 4:28 UTC (Thu) by szm (guest, #100120) [Link] (2 responses)

Thank you for your very level-headed comment, I really like your tool analogy!

The way I see it, wide-scale, heavily subsidized and somewhat naive[1] use of LLMs has removed all of a sudden a lot of friction from within systems and processes. Removing friction sounds great if you want to move faster and get things done more quickly. But try walking without friction. Heck, try stopping without friction, it can be exhilarating. Or terrifying, depending on how much you prefer not to break your limbs. A few months ago, I suddenly noticed that the street where I live is actually quite steeply sloped downhill. Coincidentally, I arrived at this conclusion while trying to cross it when there was suddenly a lot of black ice covering it end to end. Never had to do the kind of "swing-by a lamp post and use the neighbors trashcan as a sort of angular momentum barrier" maneuver before. And I hope to not have to do it again. It made me appreciate friction a lot more.

The habits, processes, systems, and culture we are living with and in to create the things that are important to us have been established over a long period of time when friction was there. For better or worse, we have actually built the stuff we rely on with the inherent friction in mind. It is kinda insane (and frankly bewildering) to me that we expect systems that have been calibrated with and around friction to suddenly adapt to environments with a lot less friction involved. It is also somewhat sad to see people denying that there are downsides of suddenly switching it effectively off (or replacing it with frictions that are different, like "I can't justify the expenses of buying computer hardware to hack anymore because the world has gone crazy, so some projects I wanted to do are now on the back-burner") and pretending that there is no moral or ethical component to the wide scale shifting of habits, processes, systems, and culture. :shrug:, I guess?

Cheers,
szm

[1] As in "build unfathomable capacity with no regard for economic sense, ecological restrictions, ethical concerns and other "boring" things that start with the letter e; unleash it on society without discussion and deliberation or even a plan except to somehow either brute force your way to something akin to "AGI" and/or to maximise profits" naive.

LLMs are just tools

Posted Jun 4, 2026 14:17 UTC (Thu) by Kluge (subscriber, #2881) [Link] (1 responses)

This is an excellent analogy.

LLMs are just tools

Posted Jun 4, 2026 21:38 UTC (Thu) by sionescu (subscriber, #59410) [Link]

And wrong, as is all thinking by analogy.

Not in the conversastion: Artists used to have apprentices complete scut-work

Posted Jun 4, 2026 8:23 UTC (Thu) by k3ninho (subscriber, #50375) [Link]

We used to have prestigious artisanal work completed by a team, the apprentices having a role of 'amanuensis' under the reputation of their master -- so here I trust Tridge to use digital amenuenses (the plural of amenuensis) to complete scut-work, while doing the design thinking and building a plan from his experience.

Other colleagues and friends asked to spend tokens for their day jobs have been doing this, too, taking on the critical work and using the GenAI tools to speed up the validation, correctness, documentation and merge-request stages.

K3n.

People should RTFL

Posted Jun 4, 2026 9:40 UTC (Thu) by rbranco (subscriber, #129813) [Link] (6 responses)

People should actually read the license text and stop behaving like entitled brats.

In the case of rsync, the GPLv3 states that:

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

If they don't like them clankers and want OpenRsync, then it's the BSD license:

THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

People should RTFL

Posted Jun 4, 2026 13:38 UTC (Thu) by tcabot (subscriber, #6656) [Link] (5 responses)

> People should actually read the license text and stop behaving like entitled brats.

You were asked by this site's owner to stop "This sort of name-calling". Please respect that request.

People should RTFL

Posted Jun 4, 2026 13:41 UTC (Thu) by jzb (editor, #7867) [Link] (4 responses)

I think that was directed at a different site user, but the point still stands. That kind of thing isn't necessary, helpful, or likely to generate useful discussion.

People should RTFL

Posted Jun 4, 2026 21:39 UTC (Thu) by sionescu (subscriber, #59410) [Link] (3 responses)

We need the ability to block users here, not just "mute". There are certain people I don't wish to see at all.

People should RTFL

Posted Jun 5, 2026 1:49 UTC (Fri) by mathstuf (subscriber, #69389) [Link] (2 responses)

There is https://lwn.net/MyAccount/commfilters/ for those with a suitable subscription level (Professional?).

People should RTFL

Posted Jun 5, 2026 3:25 UTC (Fri) by sionescu (subscriber, #59410) [Link] (1 responses)

Not quite: I can still see their messages and they can see mine. I want total erasure.

People should RTFL

Posted Jun 5, 2026 3:38 UTC (Fri) by Cyberax (✭ supporter ✭, #52523) [Link]

Ask an LLM to write a Greasemonkey script for you.

Rsync and AI

Posted Jun 4, 2026 10:24 UTC (Thu) by amacater (subscriber, #790) [Link] (2 responses)

I think the blog post from Tridge is very clear and outlines the competing pressures. LWN has another golden quote in today's Brief quotes.

This is *hard* - the oss-security mailing list is currently tearing itself into pieces over what to do about AI bug reports and the fact that many of them are scatter-gun and pull up irrelevancies. The push to use AI for everything doesn't help but "AI slop" isn't an unconditional dismissal that will make what AI has uncovered irrelevant or unworthy of discussion.

This is the Internet's "eternal September" all over again: the people who don't yet understand the need for doing things one way get criticised by everyone else for not following the one way and not wanting to understand ... Understanding by humans on all sides would be helpful here but the last 30 years of Internet history don't make me optimistic :)

Rsync and AI

Posted Jun 4, 2026 16:25 UTC (Thu) by NYKevin (subscriber, #129325) [Link] (1 responses)

My fear is that we end up with some obnoxious policy like "you must own or contribute to GitHub projects worth a total of at least N stars to file or comment on bugs, except for bugs on projects you own or contribute to." Which, y'know, would probably *work,* at least to some extent, but have a ton of unwanted side effects:

* People looking to move from closed source to FOSS, or start in FOSS, will find it more difficult because they have no established history.
* Somebody will create a Hello World project whose sole purpose is to collect stars and grant contributor status to as many people as possible. GitHub will have to do something about that, and all options are bad in one way or another.
* Real projects will get more bad pull requests from people who don't know what they're doing.

Rsync and AI

Posted Jun 5, 2026 1:51 UTC (Fri) by mathstuf (subscriber, #69389) [Link]

Stars are already gamed, so I put them more on the "noise" than "signal" side of the equation. Personally, I use them as pseudo-bookmarks (the categorization thing is something I requested years ago).

corrections and release plan

Posted Jun 4, 2026 22:46 UTC (Thu) by tridge (subscriber, #26906) [Link] (3 responses)

A few corrections for some mis-conceptions
- the regressions in 3.4.3 were not due to my use of AI, the regressions were entirely my fault and stemmed from the low coverage test suite and the fact that you can't do a beta release of a security fix. I didn't create the new greatly expanded testsuite till after I released 3.4.3.
- all the regressions I am aware of are fixed in master now

To make this less likely to happen in the future I am planning on creating a rsync security mailing list. It will be private, and I will invite some of the people who reported regressions to join. Those on the list will have access to future security releases before release. The tricky part will be avoiding getting someone on the list who decides to just publish while we're in embargo or is an active bad actor. The xz/Jia Tan episode is a clear warning.
If you think you would be a good candidate to be on this list then get in touch via rsync.project@gmail.com. Then we'll need to work out how to vet you. I will likely want to do a video call and if possible get someone I know and trust to vouch for you. The old days of gpg key signing parties come to mind, I haven't done one of those for over 20 years ...

corrections and release plan

Posted Jun 5, 2026 6:49 UTC (Fri) by rrolls (subscriber, #151126) [Link] (1 responses)

Hi tridge,

I am a long time rsync user - I thank you for the hard work you've put into this over the last 30 years. It is my go-to tool, not just for copying between hosts over SSH, but also copying recursively on a single host (rsync -rlpt sourcedir/. destdir/. always "just works").

From my perspective what matters is being able to "trust" that rsync will work correctly - and not contain malware.

I have three actual concerns at the moment:

1. Replacing the test suite all at once removes an old, stood-the-test-of-time test suite with one that merely has to be trusted to be correct and hasn't yet achieved that status. If I wanted to change a project's testing framework, I'd do it like this: create the new framework, but leave existing tests in the old one; then, moving forward, add all _new_ tests to the new framework, and when actively changing a test (as part of actively changing some behavior), take that moment to move that test on its own to the new framework. Then, ensure that "running tests" runs both old and new. After some years, there will eventually come a point where the remaining old tests are a small enough fraction of the total that moving them over all at once is not such a risk. Why has rsync not kept the old framework as well as adding the new one? and/or, would it be realistic now to reintroduce the old framework exactly as it was (in such a way that a git diff tells you the old one is unchanged) and run both in parallel for some time?

2. Binaries have been committed into the repo. These are purportedly old versions of rsync for the purposes of testing, and, my hope and expectation would be that they actually are. However; this is a red flag. Binaries are where one can easily hide malware. Ideally, a repo should not contain binaries; if the test framework needs such binaries it should compile them on the fly from what's in the repo, and any number of caching techniques can be used to avoid this compilation having to happen over and over again. Why have binaries been introduced in this case in preference to caching? and/or, would it be realistic now to remove them and switch to a caching technique?

3. When one looks at the history, one sees a flurry of activity over the last two months, compared to relatively slow activity before that. Why was this sudden speedup in development necessary? rsync is mature software; one would expect it should not need anything other than targeted security fixes.

While I would like to think that the user called "tridge" on GitHub is indeed the same person they have always been (and is, presumably, you!), I don't know that person; I don't know that the account hasn't been compromised; I don't know that they haven't been socially engineered. You mention the Jia Tan episode - the parallel to what happened there is now both worrying and ironic. Personally, I don't really care directly about the involvement of claude - what I'd like to see is that, whether or not AI is involved, diffs remain small and targeted, and thus more visibly trustworthy.

I've seen some of the commentary on GitHub and it's absolutely vile and very much not the right way of going about things, and I'm sorry that you have to put up with all that. But at the moment, from a logical/objective perspective my intuition is, due to the sudden change in development methodology, very much aligned with the camp of "don't upgrade past 3.4.1 and hope for a serious fork of that version that gets small, targeted security fixes moving forward" - and it would be, I am a Debian user, currently still Debian 12 at that :). I believe others may share my concerns, but in what I've read, amidst all the shouting about LLMs, I haven't seen them clearly enunciated.

corrections and release plan

Posted Jun 5, 2026 9:32 UTC (Fri) by tridge (subscriber, #26906) [Link]

Hi rrols,
Good questions delivered without vitriol, thank you!
The old test suite was unfortunately not fit for purpose. It was OK when rsync was developing slowly and not dealing with the mass influx of issues that the AI scanners have generated. It was quickly becoming a hindrance to me. For a start it did a poor job of checking that the result of an rsync operation was exactly what was expected. It is quite hard in shell syntax to check things that carefully but easy in python. It was also slow, and I'm running the test suite many hundreds of times a day now, across a fleet of VMs at home plus in CI. The new test suite is designed from the ground up to be parallel, and on my 24 core laptop I can run many instances of it at once when validating different trees.
The first cut of the test suite was a faithful translation from shell to python of the old tests, including all of its issues. Since then I've built on it a lot, driven by gcov coverage and ensuring that every single option in rsync and rsyncd.conf is tested. Keeping the old suite around would have been quite painful for development.
One thing the community is not seeing is the huge number of pending issues I'm still working on. The CVEs in 3.4.3 was just the tip of the iceberg. At the time of release it covered every security issue I knew of. I now pine for those days as I see the much larger pile of issues that have flowed in over the last couple of weeks.
The old binaries in the tree are something I've wanted to do for a while now. The previous approach to tacking the issue of backwards compatibility with an eclectic (to put it politely) protocol like rsync is to ask the new version to use an old protocol revision. That helps, but it isn't really the solid evidence that the new version does work with an old build that we want. The binaries are only used in the CI tests (you can easily verify this for yourself with a quick git grep) so there is no way that they can introduce issues outside of that simple CI test. Rebuilding the old binaries is quite tricky due to changes in compilers, libraries etc, and doing that in each build would be a pain and just wouldn't win anything.
As to why the sudden jump in development, it's all down to the AI security scanners. Most people who use LLMs casually have no idea what is actually happening in the world of AI for security. The little chat prompts one has with chatgpt or claude are a joke compared to true AI driven security scans. I just ran a scan on rsync master that took over 6 hours of continuous running and produced an enormous report that I am still working my way through. If you have experience with AIs in "normal" use then I'm afraid that gives you not the slightest inkling of what the new security scan systems are doing now. All of this only became possible in the last few weeks. We're on a different planet now when it comes to IT security and people like me are learning to adapt quickly.
As to validating who I am, you could trust the lwn.net login system I suppose! Surely that is utterly reliable :-)
Or you could send me an email at rsync.project@gmail.com and ask me to send a reply signed with the GPG key that is linked back a long way and co-signed by people who know me.
Cheers, Tridge

corrections and release plan

Posted Jun 8, 2026 9:02 UTC (Mon) by jamesh (guest, #1159) [Link]

I wonder if some of the pushback you've received comes from the two different ways people might use rsync?

If someone is accessing public rsync servers, where each endpoint is controlled by a different party, the protocol is an important security boundary. In the other case of running rsync over an authenticated ssh transport, the protocol is less of an issue, since the user has the same privileges on the remote system as the rsync instance.

I'd score the vulnerabilities quite differently for those two use cases, and for the second use case I can see why regressions outweighed the benefits of the security fixes.