==============================================================
Guild: RsyncProject
Channel: Text channels / general
After: 15.01.2025 19:54
==============================================================

[15.01.2025 20:11] andrewtridgell
Started a thread.

[15.01.2025 21:25] andrewtridgell
@everyone rsync 3.4.1 has been released: https://download.samba.org/pub/rsync/NEWS#3.4.1

{Reactions}
💪 👍

[16.01.2025 04:32] andrewtridgell
also, if anyone would like to become an rsync maintainer please contact me - we need more people helping

[16.01.2025 09:15] sudhackar
gonna pull this in to release a regression fix on ubuntu

[17.01.2025 09:36] sudhackar
was able to do this. But the newer one https://github.com/RsyncProject/rsync/issues/715 will probably need another

{Embed}
https://github.com/RsyncProject/rsync/issues/715
rsync: failed verification -- update discarded - regression from CV...
Hello, We've got the following bug report on Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1093160 Then I was able to repro this regression on both Debian and Amazon Linux. To repro...

[17.01.2025 20:22] andrewtridgell
@Wayne I'm looking at https://github.com/RsyncProject/rsync/issues/715

{Reactions}
👍

[22.01.2025 00:18] samueloph
We've got a report of another regression on Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1093696
Unfortunately there's no reproducer yet, so I was unsure on whether I should open a GitHub issue for this. I've decided to at least let you know through this message until we get a way to reproduce.
The report contains a stack trace and the reporter did confirm this only happens with the CVE fixes.

[22.01.2025 04:59] sudhackar
`#2 0x000055918f6912db in skip_matched (fd=fd@entry=3, offset=offset@entry=0, buf=buf@entry=0x0, len=len@entry=4368) at fileio.c:193`
Looks like a NULL ptr at
```
if (skip_matched(fd, offset, map, len) < 0)
```
which implies `fd_r` being -1
`#3 0x000055918f667bea in receive_data (f_in=f_in@entry=5, fname_r=fname_r@entry=0x55918f6d2400 "/var/lib/iserv/backup/mnt/sda4/iserv/.rsync-partial/access.log", fd_r=fd_r@entry=-1, size_r=, fname=fname@entry=0x7ffffcfa0be0 "var/log/nginx/access.log", fd=fd@entry=3, file=0x5591affa15b8, inplace_sizing=1) at receiver.c:361`
which means - either this call failed
```
/* open the file */
fd1 = secure_relative_open(basedir, fnamecmp, O_RDONLY, 0);
```

[22.01.2025 05:08] sudhackar
I'll try to build a reproducer

[22.01.2025 05:24] sudhackar
```bash
#!/bin/bash
touch /tmp/exclude
sudo rm -rf /tmp/partial
rsync -e 'ssh -o LogLevel=ERROR -o BatchMode=yes' \
  --delete --stats --no-human-readable \
  --numeric-ids -aH -A -f 'P /rsync.out' -f 'P /rsync.err' --sparse \
  --partial-dir=/tmp/.rsync-partial \
  --exclude-from=/tmp/exclude \
  --link-dest=/tmp/2025-01-14T20:00:05+00:00 \
  sec-noble-server-amd64:/ /tmp/partial/
sudo rm -rf /tmp/partial
```
crashes for me as
```
[66081.662339] rsync[621737]: segfault at 0 ip 0000592b606c0be5 sp 00007ffc9d468200 error 4 in rsync[592b6067a000+5b000] likely on CPU 4 (core 4, socket 0)
[66081.662348] Code: c3 0f 1f 40 00 b9 00 04 00 00 4c 89 e8 41 39 cf 41 0f 4e cf 45 31 e4 eb 11 0f 1f 40 00 41 83 c4 01 48 83 c0 01 44 39 e1 74 05 <80> 38 00 74 ee 4c 63 c9 89 ce 31 db 44 29 e6 4d 89 c8 4b 8d 44 0d
[66129.199185] rsync[622335]: segfault at 0 ip 00005e50d94ddbe5 sp 00007fff1a8c64c0 error 4 in rsync[5e50d9497000+5b000] likely on CPU 15 (core 15, socket 0)
[66129.199195] Code: c3 0f 1f 40 00 b9 00 04 00 00 4c 89 e8 41 39 cf 41 0f 4e cf 45 31 e4 eb 11 0f 1f 40 00 41 83 c4 01 48 83 c0 01 44 39 e1 74 05 <80> 38 00 74 ee 4c 63 c9 89 ce 31 db 44 29 e6 4d 89 c8 4b 8d 44 0d
[66153.498772] rsync[622522]: segfault at 0 ip 000062f3d64eabe5 sp 00007fff3454b200 error 4 in rsync[62f3d64a4000+5b000] likely on CPU 31 (core 15, socket 0)
[66153.498783] Code: c3 0f 1f 40 00 b9 00 04 00 00 4c 89 e8 41 39 cf 41 0f 4e cf 45 31 e4 eb 11 0f 1f 40 00 41 83 c4 01 48 83 c0 01 44 39 e1 74 05 <80> 38 00 74 ee 4c 63 c9 89 ce 31 db 44 29 e6 4d 89 c8 4b 8d 44 0d
```

[22.01.2025 05:59] sudhackar
Started a thread.

[22.01.2025 07:32] sudhackar
It's now https://github.com/RsyncProject/rsync/issues/722

{Embed}
https://github.com/RsyncProject/rsync/issues/722
segfault in write_sparse · Issue #722 · RsyncProject/rsync
From https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1093696 and then some analysis on discord simple repro #!/bin/bash rsync -e 'ssh -o LogLevel=ERROR -o BatchMode=yes' -aH -A --sparse -...

{Reactions}
💯

[22.01.2025 07:48] billchenchina
https://lwn.net/Articles/1005302/

[30.01.2025 08:27] rolandcgn
sorry, i don't want to be offensive or evangelist - but may i ask why some premier opensource project like rsync is using some proprietary, commercially oriented "gamer chat tool" like discord, where all the collected data may get abused for whatever purpose…. (train AI…) !?
i'm so tired of such discussions - as i know some makerspace in town is also using it and refuses to see the problems with using such proprietary platforms.
to be honest - i'm deeply depressed that even opensource/open minded folks are more and more moving away from opensource.
why not using (and supporting) something like zulip, which explicitly has open/free plan to support opensource projects?
i don't want to force developers changing their favourite tool, but maybe it's worth thinking about twice. we are losing freedom.
https://80.lv/articles/discord-gets-sued-over-alleged-anti-consumer-practices/
https://www.edpb.europa.eu/news/national-news/2023/french-sa-fines-discord-eur-800000_en

{Embed}
https://80.lv/articles/discord-gets-sued-over-alleged-anti-consumer-practices/
Discord Gets Sued in a Class-Action Over Its Subscription Practices
The plaintiffs claim the platform has intentionally made it overly difficult to cancel subscriptions.

[30.01.2025 08:29] sudhackar
do we not have similar doubts on github?

[30.01.2025 22:39] andrewtridgell
@RolandCGN the principal limiting factor in rsync development is maintainer time. I am already using discord for ArduPilot, so using it also for rsync saves me time. Same reason for using github, it saves me time. If someone else becomes the maintainer they can make different choices.

{Reactions}
👍 (2)

[30.01.2025 22:42] rolandcgn
ok, i understand. no problem. i don't want to dictate something to someone, i just wanted to bring that up. thanks for feedback !

{Reactions}
👍

[24.08.2025 21:06] andrewtridgell
I'm preparing for a new rsync release at the moment. I have merged quite a few pending PRs and would appreciate it if anyone who can do it does some testing of the master branch to see if any new issues have been introduced. We have quite a good CI suite, but issues can still happen. https://github.com/RsyncProject/rsync

{Embed}
https://github.com/RsyncProject/rsync
GitHub - RsyncProject/rsync: An open source utility that provides f...
An open source utility that provides fast incremental file transfer. It also has useful features for backup and restore operations among many other use cases. - RsyncProject/rsync

[24.08.2025 21:06] andrewtridgell
i'm also travelling over the next month, so may be a bit slow to respond

[16.04.2026 15:30] billchenchina
https://www.openwall.com/lists/oss-security/2026/04/16/2

[16.04.2026 15:31] billchenchina
@AndrewTridgell Someone sent a rsync UAF vulnerability report to oss-security, but i haven't seen fixes yet. Have they contacted you before they disclose it?

[16.04.2026 15:34] billchenchina
I think it's also https://github.com/RsyncProject/rsync/issues/871

{Embed}
https://github.com/RsyncProject/rsync/issues/871
SIGSEGV in receive_xattr() on FreeBSD - qsort() called with wrong e...
Summary receive_xattr() in xattrs.c calls qsort() with the count of xattr entries received from the wire (count), rather than the count of entries actually added to temp_xattr (temp_xattr.count). W...

[16.04.2026 15:43] hlein
The advisory is very AI-smelling but that doesn't necessarily mean it's not valid. "Timeline" is a joke...
...And yeah that issue seems like the same issue. Neither mentions the other. Timezones are hard, which happened first, the oss-security post or the github issue?

[16.04.2026 16:08] billchenchina
I think the github issue happened first.

[16.04.2026 18:52] billchenchina
MITRE has assigned CVE-2026-41035 for this https://www.cve.org/CVERecord?id=CVE-2026-41035

[18.04.2026 21:38] andrewtridgell
this is rather annoying. I don't see any disclosure to the rsync.project@gmail.com security reporting alias, why is MITRE facilitating public announcement of a bug without even an attempt to contact the maintainer??

[18.04.2026 21:40] andrewtridgell
I have other commitments today, but I'll try to look into this one tomorrow. I'm juggling multiple security reports at the moment for the next release.

{Reactions}
👍

[18.04.2026 21:40] hlein
Ugh, indeed. The "TIMELINE" of the writeup is a joke. Alan Coopersmith called them out on oss-security about upstream notification (https://marc.info/?l=oss-security&m=177635600603437&w=4) and predictably they did not respond.

[18.04.2026 21:46] andrewtridgell
main thing I need to determine is if this is actually an exploitable issue or if it is yet another way of the client closing the socket to the fork-per-connection process. I get rather a lot of AI generated bug reports that are really non-issues as it is just equivalent to the client closing the socket.

[18.04.2026 21:49] andrewtridgell
the description and rating look inflated to me. https://www.openwall.com/lists/oss-security/2026/04/16/2

[18.04.2026 21:53] andrewtridgell
I'll look at this again later tonight or tomorrow.

[18.04.2026 22:40] willsarg
our ai overlords agree:
The disclosure calls this a UAF (Use-After-Free). It isn't. There's no freed memory being accessed — it's an out-of-bounds read of uninitialized heap memory that reliably produces a SIGSEGV. That's a DoS of the forked receiver process, not a memory corruption primitive for code execution.
The trigger conditions also constrain impact significantly: filtering must be active (--filter / --exclude with xattrs, or running as non-root on non-Linux where namespace filtering kicks in on the #else branch), and the sender must be malicious. A malicious sender causing the receiving client to crash is meaningful, but it's not the "critical UAF" the report frames it as.

[20.04.2026 06:28] billchenchina
fmpov MITRE may assign a CVE id if the issue is public (e.g. on oss-security), so people can track the issue with the CVE id. If the issue is not a real problem, maintainers can dispute and take down that.

[20.04.2026 06:30] billchenchina
there're examples that maintainer who want to get a CVE id through github security, but MITRE assigned a CVE id ahead of them, which is a bit annoying too.

[22.04.2026 04:46] andrewtridgell
I'm planning a 3.4.2 release in a few days, review of the changes welcome, and please test https://github.com/RsyncProject/rsync/pull/879

{Embed}
https://github.com/RsyncProject/rsync/pull/879
update NEWS.md ready for 3.4.2 by tridge · Pull Request #879 · Rs...
will do 3.4.2 in a few days

{Reactions}
👍 (3)

[28.04.2026 04:55] andrewtridgell
rsync 3.4.2 is released on rsync.samba.org and in github releases

{Reactions}
❤️ (4)

[20.05.2026 00:29] andrewtridgell
@everyone I've just released rsync 3.4.3 which is a major security update fixing 6 CVEs. I worked with the distros mailing list to notify vendors so I hope that vendor packages will be available shortly. See https://rsync.samba.org/ for details.

{Reactions}
💪 (2)

[20.05.2026 04:44] andrewtridgell
we now have an ubuntu PPA for rsync stable releases. I may do a 'latest' release PPA too at some stage. See https://rsync.samba.org/download.html

{Reactions}
❤️ (2)

[22.05.2026 05:09] realketas
oooh

[22.05.2026 05:14] realketas
the hell is that bug anyway

[22.05.2026 05:21] realketas
@AndrewTridgell

[22.05.2026 05:54] andrewtridgell
@ketas hi, which bug are you referring to?

[22.05.2026 05:56] realketas
the termux one

[22.05.2026 05:56] andrewtridgell
ahh, you are Sulev from the mailing list?

[22.05.2026 05:57] realketas
looks like i'm not the only rsyncer on android

[22.05.2026 05:57] realketas
yes

[22.05.2026 05:57] andrewtridgell
ok, I'll create a thread to discuss

[22.05.2026 05:57] realketas
i think i'm always madis tho

[22.05.2026 05:57] andrewtridgell
Started a thread.

[27.05.2026 22:22] andrewtridgell
@alexandre we started using mknodat() as part of the security fixes in rsync 3.4.3. It works fine on my mac mini (25.3.0 kernel)

[27.05.2026 22:22] bootnet
So it’s a new addition?

[27.05.2026 22:22] andrewtridgell
yes, we might need a separate build for older systems

[27.05.2026 22:30] bootnet
apologies if this is too offtopic, I’m not well-versed in this stuff

[27.05.2026 22:36] bootnet
I seem to be incorrect with the version number. Is 3.4.1 the version preceding 3.4.3?

[27.05.2026 22:37] andrewtridgell
sorry, I'm not a macos expert, I have a mac mini I use for development testing, but don't use brew much

[27.05.2026 22:40] bootnet
Thank you for the answer either way, I appreciate it! I shall try to build the previous version from the github repo, though I feel like this will be a futile effort for a noob.

[27.05.2026 22:43] bootnet
Could you please confirm that I’m at least looking at the right branch to clone (I want to try the version preceding the mknodat adoption): https://github.com/RsyncProject/rsync/tree/v3.4.1-sec-patches

[28.05.2026 01:25] andrewtridgell
That branch uses mknodat

[28.05.2026 01:26] bootnet
What about the previous major version - 2.x.x?

[28.05.2026 01:29] bootnet
I have discovered source tarballs from the project’s homepage in the meantime but I can’t really figure out which one will relieve me of the mknodat error.

[28.05.2026 19:02] _quags
Hello. I have a few users that have sent an error related to '--link-dest /failed verification -- update discarded' for some backups, and the backup vendor is suggesting to downgrade rsync as a fix - the systems are running the ppa 3.4.3 so the suggestion seems to be a poor suggestion to start. Is there some known issue with the latest cve fixes that are causing this error?

[29.05.2026 02:00] billchenchina
I think it's https://github.com/RsyncProject/rsync/issues/915

{Embed}
https://github.com/RsyncProject/rsync/issues/915
Security fix breaks --link-dest via rsync daemon · Issue #915 · R...
I usually perform backups via rsync daemon or to local disks, maintaining a history with hard links. With the latest security backports in version 3.2.7 (3.2.7-0ubuntu0.22.04.6 on Ubuntu 22.04.5 LT...

[29.05.2026 10:31] _quags
Thanks that is the same issue I’m seeing. I’ll follow that report.

[29.05.2026 15:11] trs80
https://mastodon.gamedev.place/@JeremiahFieldhaven/116654345332213390

{Embed}
Jeremiah Fieldhaven (@JeremiahFieldhaven@mastodon.gamedev.place)
https://mastodon.gamedev.place/@JeremiahFieldhaven/116654345332213390
So my systems recently updated to rsync 3.4.3, and as soon as that happened my backup system - which does incremental backups using multiple --compare-dest= arguments - started to fail on anything but a full backup. Revert to 3.4.1 and it works.
So I go look at the source in GitHub to see what might have changed, because there doesn't seem to be anything relevant in the changelog.
Since 3.4.1, 36 commits by "tridge and claude"
Oh for fuck's sakes.

{Reactions}
😢 (2)

[30.05.2026 06:39] segagamer
It looks like Tridge used Claude to rewrite the entire test suite from shell code to python in this commit;
https://github.com/RsyncProject/rsync/commit/1f689ec0c21b7c2eaa9add1958d2c7ed280aac3e
But I'm sure that doesn't have anything to do with the regressions that slipped in 🤦‍♂️
Like damnit dude, a doctorate in comp sci and pulling stunts like this committing straight to master... These are rookie errors that I'd expect juniors to do. It's like messing up bash or vi.

{Embed}
https://github.com/RsyncProject/rsync/commit/1f689ec0c21b7c2eaa9add1958d2c7ed280aac3e
testsuite: rewrite the shell testsuite in Python · RsyncProject/rs...
Replace the entire shell-based testsuite with Python. runtests.py already drove the suite (it had replaced runtests.sh earlier); this converts all 60 test scripts from *.test shell to *_test.py and...

[30.05.2026 06:41] segagamer
Actually that's unfair. Rookies would probably be too scared to touch master of such a core utility without someone checking first. This is just incompetence.

[30.05.2026 06:42] trs80
who tests the test suite?

[30.05.2026 06:44] segagamer
Who knows. Looking at the github issues, one might suspect there are no integration tests, or they aren't being run. You shouldn't be able to break this many things at once on a master branch.

[30.05.2026 06:47] segagamer
I'm pinning our Samba version as well just in case Tridge messes with that in weird and wonderful ways.

[30.05.2026 09:50] realketas
quite sad to get broken rsync yeah

[30.05.2026 09:52] realketas
i've always been scared of complex tool like rsync once shooting me

[30.05.2026 09:53] willsarg
I can’t speak for Tridge, but please let me know what github issues correlate to the bugs/errors you’re finding so I can try to take a look.

[30.05.2026 09:54] andrewtridgell
good evening

[30.05.2026 09:54] willsarg
Speaking of 🤣

[30.05.2026 09:54] andrewtridgell
the --link-dest issue is fixed in master. It will be in the next release

[30.05.2026 09:55] andrewtridgell
I redid the test suite in python so we get much greater coverage and parallelism in the testing. The shell script test suite was holding back the project a lot

{Reactions}
👍

[30.05.2026 09:56] realketas
i hope it was reviewed well...

[30.05.2026 09:57] andrewtridgell
that type of mass shell -> python rewrite is exactly what AIs are good for. I've been testing it extensively, plus of course didn't use a single AI, it's all checked by 3 AIs plus me (I use claude, codex and gemini to cross check work like this)

{Reactions}
👍

[30.05.2026 09:57] realketas
i have used ai, i tried

[30.05.2026 09:57] andrewtridgell
now if someone else actually wanted to help with reviewing changes like this then that would be great, but seems unlikely

[30.05.2026 09:58] andrewtridgell
one of the main things I did was ensure that every single feature in rsync is tested, and not just that it appears in a test, but it looks specifically for the behaviour promised in the docs

[30.05.2026 09:59] andrewtridgell
previously a lot of the tests would pass even if the feature didn't work at all

[30.05.2026 09:59] realketas
hmm

[30.05.2026 09:59] andrewtridgell
basically I'm trying to get rsync into a state where we can withstand the storm of AI generated security reports

{Reactions}
👍

[30.05.2026 10:00] andrewtridgell
the so called "AI apocalypse" of security

[30.05.2026 10:00] realketas
that's all fine

[30.05.2026 10:00] andrewtridgell
to stand a chance we need to be able to make and properly test changes, across a code base with a huge number of subtly interacting options

[30.05.2026 10:01] andrewtridgell
and it needs to work on lots of different OSes, all with different semantics

[30.05.2026 10:01] realketas
the problem is that https://www.reddit.com/r/stupidAI/comments/1tph40q/goople/ can happen

{Embed}
r/stupidAI
https://www.reddit.com/r/stupidAI/comments/1tph40q/goople/
Goople

[30.05.2026 10:01] realketas
:/

[30.05.2026 10:02] andrewtridgell
I know the AI risks, I'm not driving them blind. If you have an issue with a specific piece of code that has gone into master then please let me know. If you're just complaining about how I do the development then not so useful

{Reactions}
👍

[30.05.2026 10:04] segagamer
Good for is a stretch, and clearly wasn't "good enough". Linus Torvalds himself warned everyone recently about using AI to rewrite code like this.
Additionally it seems like you used AI to build the test?
https://github.com/RsyncProject/rsync/commit/0d4fb1bc890573c930daa6630bf9b15e447549b8
Something like this and something that *many* people have relied upon should absolutely be reviewed thoroughly by a human. Now, unfortunately, trust has been broken.

{Embed}
https://github.com/RsyncProject/rsync/commit/0d4fb1bc890573c930daa6630bf9b15e447549b8
testsuite: cover more path/file-operation code (syscall.c, util1.c,...
…elete.c) Target previously-uncovered functions in the path/file-operation files the resolver restructure touches, confirmed hit under coverage: preallocate --preallocate (syscall.c do_falloc...

[30.05.2026 10:05] andrewtridgell
I reviewed it. The rsync project has been essentially a single developer project for about 20 years now

[30.05.2026 10:06] andrewtridgell
Wayne did it all himself for a long time, now I'm back doing it

[30.05.2026 10:06] realketas
why is it one man job, it seems like too complex for that

[30.05.2026 10:06] realketas
i can't even imagine

[30.05.2026 10:06] andrewtridgell
nobody else volunteers. It's the same story with thousands of open source tools

[30.05.2026 10:07] realketas
it runs entire planet, just one man does it eh

[30.05.2026 10:07] realketas
sad too

[30.05.2026 10:07] andrewtridgell
the linux kernel has thousands of paid full time devs. rsync has zero.

[30.05.2026 10:15] andrewtridgell
the most insane part is that security releases can't be community tested. Those security releases are going to be a huge part of lots and lots of open source projects for a while to come yet, just look at the rate of CVEs over the last couple of months, it's gone nuts. You can't do a beta release of a security fix as it's embargoed. So for the most critical fixes you *can't* have anyone else look at it. The people reporting the flaws mostly don't have the skills as they used AI to find the bugs. So the maintainer is the sole person to review the most critical security changes, and that is how the madhouse called the internet and IT security is designed. The only defence I have is to build the most comprehensive and accurate test suite I can, so when I need to deal with yet another security report I can at least quickly identify what else the fix breaks. Luckily I can do that work (the dev of the test suite) in public.

[30.05.2026 10:22] andrewtridgell
bottom line is if you want to be useful then pick holes in the test suite, find things it doesn't cover, find interactions between options it doesn't pin down, report those and offer fixes for that.

[30.05.2026 10:22] willsarg
Also I just saw Linus in person speaking at the Linux Summit. He uses AI, and he is supportive of Kernel devs using it. The world is changing. We need to be less jaded and more forgiving.

==============================================================
Exported 103 message(s)
==============================================================