Subject: Re: anoncvs.netbsd.org
To: None <tls@rek.tjls.com>
From: Greg A. Woods <woods@weird.com>
List: current-users
Date: 02/08/2002 15:06:10
[ On Friday, February 8, 2002 at 11:42:37 (-0500), Thor Lancelot Simon wrote: ]
> Subject: Re: anoncvs.netbsd.org
>
> Unfortunately, the reason anoncvs is broken right now is that the
> maintainers of rsync broke rsync while fixing a security hole.  They
> broke it at least two different ways that I've discovered so far, and
> as yet neither they nor we have fixed it.  Unfortunately, we obviously
> cannot back rsync down to a version with known security problems.

Someone should try to find the LP64 bugs in rsync-2.5.2 instead of
messing around with the maintenance releases.  2.4.8 has some quite
significant unreleased changes as well as the security fixes (there
never was a 2.4.7, only some beta pre-releases of it -- presumably the
2.5.2 work superseded any plans for 2.4.7 until this security bug caused
people to ask for patches to 2.4.6).

On the other hand, does the 2.3.2 release work well enough on the NetBSD
ftp server?  If so then perhaps if the 2.3.3 release were installed
there'd be less likelihood of the security fixes affecting its
portability to the target platforms in question.  From what I can see
2.3.3 contains only the security fixes over 2.3.2.

-- 
								Greg A. Woods

+1 416 218-0098;  <gwoods@acm.org>;  <g.a.woods@ieee.org>;  <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>