TechPulseTechPulse
Back to News
Advertisement
Advertisement

⚡ Community Insights

Discussion Sentiment

53% Positive

Analyzed from 2660 words in the discussion.

Trending Topics

#rsync#openrsync#services#more#open#https#software#openbsd#source#don

Discussion (113 Comments)Read Original on HackerNews

Paninoabout 3 hours ago
I've been using openrsync here and there since it was announced and it's definitely improved over time. I'm looking forward to when I can use it exclusively.

The one place in my usage where it doesn't match Samba rsync is with the following:

openrsync --rsync-path=openrsync -av -e ssh /etc/services example.com:/tmp/services

I would expect openrsync to create a remote file /tmp/services, but instead it creates /tmp/services/services.

Normal directory mirroring as in -av -e ssh /path/to/src/ example.com:/path/to/dst/ works as it does with Samba rsync.

wtetzner33 minutes ago
> The one place in my usage where it doesn't match Samba rsync is with the following:

> openrsync --rsync-path=openrsync -av -e ssh /etc/services example.com:/tmp/services

This appears to match "normal" `rsync` behavior as well. I think you need a trailing slash after `services` to sync only the contents.

EDIT: actually my "normal" rsync is openrsync on macOS...

genxyabout 2 hours ago
Was there already a /tmp/services directory on the dest?

One of the biggest points of confusion with rsync is how directories and trailing slashes are handled.

eichin32 minutes ago
It's a big source of confusion with cp. One of the UI reasons to use rsync (for mundane non-remote copying) is that it doesn't do different things based on what's present on the target.
anyfooabout 1 hour ago
I hear that a lot, but I familiarized myself with it once and ever since it makes a lot of sense to me.

Source ending in “/“: You want what’s inside. Source not ending in “/“: You want the thing (i.e. directory itself). For the destination, it does not matter whether it ends in “/“ or not, but for consistency I like adding a “/“ anyway (I want to put thing inside the directory).

Paninoabout 2 hours ago
> Was there already a /tmp/services directory on the dest?

No. And just to make sure, I ran a quick 'rm -rf /tmp/services' on the remote host, then re-ran openrsync on the client. Same result. This is OpenBSD 7.9 on both sides.

And I 100% agree about trailing slashes.

hnarnabout 2 hours ago
> I would expect openrsync to create a remote file /tmp/services, but instead it creates /tmp/services/services.

As someone who has also suffered uncountable years of abuse from rsync, I understand the impulse, but I think it makes a lot more sense (and is a safer default) to create a second ”services”.

If we have a chance to change rsync defaults to something less insane and save future generations from this mess I think we should.

kbensonabout 2 hours ago
We don't, since we're not implementing a UI from scratch, we're matching something else.

Of the two possible worlds where in one this reimplementation matches what some see as annoyances in the interface or in another they mostly match the interface except for a few cases where the purposefully diverge (for no good technical reason), IMO the latter is far worse and causes more enexpected behavior.

At most, add a special flag to opt into different default behavior so nobody is surprised by running the same command on different systems and getting different behavior.

hilsdevabout 1 hour ago
If you use a trailing slash on the source it copies from the directory, if you omit the trailing slash it copies the directory itself. AFAIK this is pretty standard across POSIX tools
denysvitaliabout 4 hours ago
There's also a Go implementation by Michael Stapelberg / the Gokrazy team: https://github.com/gokrazy/rsync
salvesefuabout 3 hours ago
For those needing context for the development of this package; this project is presently being developed as part of a RPKI validator.

https://medium.com/@jobsnijders/a-proposal-for-a-new-rpki-va...

thefilmoreabout 4 hours ago
This is the version used in macOS since 15.0.
mrdomino-about 3 hours ago
Was it 15.0? I seem to recall it coming in one of the minor point releases in the 15.x line - and I remember it breaking some scripts mysteriously.

EDIT: ah, fun: they did include it in 15.0, but they decided to save the breaking change that removed backwards compatibility for 15.4. https://apple.stackexchange.com/a/479297

onedognightabout 1 hour ago
They don’t support any recent rsync protocol, so there’s no 64bit timestamp support, so you can never actually sync metadata across newer filesystems.
Benderabout 6 hours ago
The actual work of porting is matching the security features provided by OpenBSD's pledge(2) and unveil(2). These are critical elements to the functionality of the system. Without them, your system accepts arbitrary data from the public network.

https://justine.lol/pledge/

I am not seeing pledge on Alpine Linux in edge. Have people been testing Pledge on Linux? Did I perhaps misunderstand the risk of using Openrsync without pledge? Or is this article just for OpenBSD users?

saidnooneeverabout 3 hours ago
Linux has no such features as pledge or unveil, nor capsicum. it has cgroups, namespaces and a mess ofnother things u need to combine to try and do similar things. (it was built iteratively as many systems interacting and being combined to form 'sandboxing' or isolation/limiting of capabilities rather than specific isolation as an entire concept with specific system calls and kernel paths to enable it).

there might be newer stuff in linux land now i see comments about landlock but i assume those will build on the linux primitives rather than whole new ones. - total assumption there but it would seem logical to reuse rather than make new.

part of likely what they mean by 'mess' is that its all over the place. many different ways to try and lock things down. hard to pick what is best etc. without thoroughly diving into the different subsystems entirely. (as opposed to just have 1 or 2 relatively simple system calls)

thomashabets2about 3 hours ago
No, landlock is a separate thing. It's the first of its kind on Linux that doesn't completely suck, like seccomp does (https://blog.habets.se/2022/03/seccomp-unsafe-at-any-speed.h...).
e12eabout 5 hours ago
From above your quote:

> The only officially-supported operating system is OpenBSD, as this has considerable security features.

And below your quote:

> This is possible (I think?) with FreeBSD's Capsicum, but Linux's security facilities are a mess, and will take an expert hand to properly secure.

It is portable in the sense that it compiles and runs, not in the sense that it has the same security features.

I'd love to see pledge/unveil on (upstream) Linux - but I'm not holding my breath.

papercraneabout 4 hours ago
> I'd love to see pledge/unveil on (upstream) Linux - but I'm not holding my breath

There is Landlock now, I believe it would be possible to implement unveil and pledge on top of that.

isityettime10 minutes ago
One of HN's favorite hackers has done that: https://justine.lol/pledge/

There was a discussion here about it a few years ago: https://news.ycombinator.com/item?id=32096801

Benderabout 5 hours ago
Ok that makes more sense, thankyou.
justinsaccountabout 3 hours ago
that quote seems to be a bit of an oversimplification to the point of being completely wrong.

> Without them, your system accepts arbitrary data from the public network.

Neither of these features change if you are accepting arbitrary data from the public network. They limit what an exploited process can do. It's explained properly in the 'Security' section, so I'm not sure where this came from.

Benderabout 3 hours ago
that quote seems to be a bit of an oversimplification to the point of being completely wrong.

Under Portability [1] I don't have access to update that repo. I deleted my accounts when Microsoft took over.

[1] - https://github.com/kristapsdz/openrsync

skeledrewabout 6 hours ago
This attempt to avoid things that use AI is increasingly looking like some weird kind of reverse whack-a-mole where each targeted hole becomes radioactive after. Just grabbing some popcorn to watch.
reaghsabout 2 hours ago
Thanks for the heads-up! I wasn't aware that Tridge is using Claude. I shall use Openrsync from now on.
ranger_dangerabout 6 hours ago
I feel bad for people with the real name Claude.
xp84about 5 hours ago
Yeah, and we thought the most unlucky people were the ones named Alexa.
SoftTalkerabout 3 hours ago
Or those named Karen...
cozzydabout 2 hours ago
I think it would be funny to have a grad student named Claude for the hilarious ambiguity it would create.
hideout_berlinabout 1 hour ago
i want to name my new born claude
formerly_provenabout 6 hours ago
It took me quite some time to realize what an utterly presumptuous product name Claude Code actually is, but only because Shannon is rarely mentioned with his first name. It's golden calf levels of hubris, even more so if you consider how incapable it was on release. It's like renaming calc.exe Einstein. Incredibly poor taste, but entirely in line with AI tech bro mentality.
kstrauserabout 4 hours ago
That linkage never occurred to me, or, I suspect, them. Claude use to be a reasonably common name. I have an uncle Claude. Why do you believe they named it after Shannon in particular?
1over137about 3 hours ago
Yeah, especially since most Americans don't know how to properly pronounce Claude.
txruabout 3 hours ago
Hmm, Claude Shannon was an American (the model is ostensibly named after him), so maybe how he pronounced it would be the correct pronunciation.

That said, every language on earth will adapt foreign words into its phonology. The alternative would be to adopt the phonology of every language that loaned a word into your language.

einpoklumabout 1 hour ago
How about the attempt to avoid things that use AI promiscuously and start exhibiting bugs? :-(
skeledrew27 minutes ago
Push for better guardrails and QA structures. Avoidance helps nobody in the long run, and isn't possible anyway without going completely cold turkey. Like literally in a few months every project worth using will directly or indirectly involve AI.
SubiculumCodeabout 2 hours ago
I'm going to ask a question. I could ask chatgpt. I could Google it. I am asking a question because it is human to do so.

Ubuntu's packaged rsync, is it Samba rsync? Why reimplement it?

eichin20 minutes ago
it's tridge rsync; samba is another project by the same guy. (rsync was originally a PhD thesis...)
hideout_berlinabout 1 hour ago
samba is different topic
tptacekabout 5 hours ago
rsync has specific running modes for the super-user. It also pumps arbitrary data from the network onto your file-system. openrsync is about 10 000 lines of C code: do you trust me not to make mistakes?

No, but that's why almost nobody runs it outside of strict trust boundaries. This security section would make more sense if rsync was like curl, which routinely deals with hostile counterparties. If the other side of your rsync is hostile, you probably have bigger problems!

(I'm not an rpki person so I don't know if there's some part of that problem domain that changes this equation. I'm not dunking on the project, just saying this snagged me in the README).

cpercivaabout 5 hours ago
No, but that's why almost nobody runs it outside of strict trust boundaries. This security section would make more sense if rsync was like curl, which routinely deals with hostile counterparties. If the other side of your rsync is hostile, you probably have bigger problems!

I disagree. While rsync is most often used to transfer data between "friendly" systems, it's inherently crossing a security boundary. It's important to make sure that an attacker can't leverage it to transform the breach of one system into the breach of multiple systems.

eikenberryabout 1 hour ago
It is almost universally hooked up using ssh tunneling so ssh takes care of the security boundary and ssh is well trusted.
delusionalabout 5 hours ago
> almost nobody runs it outside of strict trust boundaries.

I guess you can define "strict" however you want, but from what I saw ~10 years ago, most linux distros handled mirroring with rsync. That's a lot of usage in a pretty core part of the foundational open source ecosystem.

tptacekabout 4 hours ago
OK, I agree, that's bad.
akerl_about 4 hours ago
Many distros use rsync for that but also support unencrypted HTTP.

They’re layering on checksums and signing such that they mostly don’t think about the trustworthiness of mirrors or the networks between them.

throwaway27448about 1 hour ago
I'm confused. Isn't rsync already free software? What are we doing here. Why are we trying to cuck ourselves for capital.

I like open bsd but this just seems like burning cash

triggisabout 7 hours ago
No-slop version for the sane of us

Context: https://mastodon.gamedev.place/@JeremiahFieldhaven/116654345...

ranger_dangerabout 6 hours ago
https://social.treehouse.systems/@thesamesam/116662824873341...
akerl_about 6 hours ago
+1 to this. Other than people's reflexive anger or fear about AI coming for their code, I don't see anything to suggest that these are bugs that are due to the inclusion of AI vs bugs in a program with a bunch of complex interop with the filesystem and network.
48terryabout 1 hour ago
Yeah, nothing to suggest that here. We went from some commits every so often (because rsync was basically finished software) with a handful of issues a month, to "a bajillion Claude commits then a release" with a pile of issues within weeks, at least one of which is about how the goddamn thing doesn't build.

I can't possibly see a correlation.

Weird how 3.4.2. didn't have a similar deluge of issue reports, though.

triggisabout 6 hours ago
In any case, it's important to identify projects that are beginning to actively vibecode and clearly express position on this issue on various platforms so that authors and maintainers receive feedback. Even if this particular bug was not written by LLM in this particular case, it's not a fact that the release does not include other regressions and that subsequent vibecoded versions will not include them & new ones.
Advertisement
jmclnxabout 7 hours ago
I have not checked with OpenBSD 7.9, but as of 7.8 it did not support --exclude or -z. But outside of that openrsync works great.

(EDIT: --exclude is now supported on 7.9. Not sure when that was added, nice!)

But seems avoiding "slop" is getting very hard. I saw postfix now has a bit of AI code in it.

https://mastodon.sdf.org/@mrmasterkeyboard@mastodon.social/1...

nineteen999about 6 hours ago
Somewhat ironic Postfix has a record of no root/RCE in the default install, where opensmptd hasn't (CVE-2020-7247). Time will tell if it stays that way.
agwaabout 6 hours ago
Where do you see that about Postfix? I followed the links and the only thing I see is that AI is being used to find bugs, not write code.
jmclnxabout 5 hours ago
>Claude assisted code found in external/ibm-public/postfix/dist...

That is from the original post in the thread. Is that really due to LLM ? I do not know since I avoid AI as much as I can.

But the person also posted this link too:

https://github.com/NetBSD/src/commit/f764ddf4062e855f73fe2e3...

agwaabout 5 hours ago
Right, I read all that and I didn't see anything to indicate that AI is being used to write code - just one person's unsubstantiated claim.
Benderabout 6 hours ago
Exclude is very commonly used in automation jobs to avoid duplicating big git repos and other big files. I think that would be a show stopper for a number of people.
jmclnxabout 5 hours ago
I just tried openrsync(1) on OpenBSD 7.9, --exclude now works.

I have not tried using exclude in openrsync in a while, but I can see it now works on OpenBSD 7.9!

WD-42about 6 hours ago
What's the deal with the name? Openrsync implies to me that it's an open source alternative to a closed source program. But the original Rsync is GPL? Is this just the pushover license making it "more open"?
jtickleabout 6 hours ago
OpenBSD folks would consider the GPL to be less open due to the requirement to apply the GPL to any derivative works.
ranger_dangerabout 6 hours ago
And GNU folks would say the GPL is actually the more open choice because it forces the project to stay open.

Two different ways of thinking about it I guess... it's nice to have choices and I don't think one is more or less "correct", more a matter of opinion/taste I guess.

isityettime13 minutes ago
GNU folks would probably not say that.

GNU folks would say that the GPL does more to protect the freedom of end users by guaranteeing their right to access the source code, whereas permissive licenses allow users to receive binaries, the source code corresponding to which is unavailable to them.

I'm not trying to be idly pedantic here, but to emphasize one of things I genuinely admire about the FSF, SFC, etc.: while they do have words, concepts, and terms of art they're attached to, they're actually pretty good at always explicitly tying their positions back to a specific and well-articulated vision of software freedom. They don't usually get caught up in pure terminology ("what is maximally open?", "what is really free?"). They tend to be clear about whose rights they aim to promote and protect and why, and the bigger picture that fits into.

Whether you agree with them or not, I think it's a more defensible position than a shallow terminological squabble.

As someone that is somewhat aligned with those groups, I also want to say this: licenses are just tools for promoting freedom. It's a question of strategy and tactics. All permissively licensed free software is still free software, and the vast majority of it undeniably contributes positively to software freedom on the whole. (The only concrete exceptions I can think of are uses of permissively licensed free software code to implement things like Intel's Management Engine, DRM, maybe some Trusted Computing stuff.) OpenBSD is free software and it's good shit. We should think of licensing questions like this as a friendly dispute among people who have all given generously to support software freedom.

gblarggabout 4 hours ago
It kind of reminds me of the equality of opportunity people versus the equality of outcome people. One sets the starting conditions for developers, the other the ending conditions for users.
thayneabout 1 hour ago
I don't think the FSF would say that. They prefer the GPL, because it prevents someone from making a closed derivative, but I haven't seen them ever claim it is more open than "permissive" licenses.
gilrainabout 6 hours ago
> more open choice because it forces the project

A true morality must be based on consent, not coercion. Humanity may not be there yet, and therein lies the argument for force (and thus copyleft); but the ultimate goal should always be to reduce its necessity.

ranger_dangerabout 6 hours ago
Many projects closely associated with OpenBSD start with "open"... openssh, openbgpd, openntpd, opensmtpd etc.
SoftTalkerabout 3 hours ago
Notable exception, OpenSSL already had the Open prefix so the OpenBSD project is called LibreSSL.
hamdingersabout 6 hours ago
Not many are reimplementations of existing, much more popular, already open source projects.
throw0101aabout 6 hours ago
OpenSSH was a 'reaction' to the original SSH(.com) code getting closed source:

> OpenSSH originated in 1999 as a fork of Björn Grönvall's OSSH, which derived from Tatu Ylönen's original SSH 1.2.12 release, the last version distributed under a license permitting open-source redistribution before Ylönen's subsequent software became proprietary under SSH Communications Security.[4]

* https://en.wikipedia.org/wiki/OpenSSH

It was probably the second thing with the Open— prefix by this group of developers, OpenBSD itself being the first. They simply ran with the naming convention. OpenBGP/OSPF were developed as alternatives to Quagga (GPL).

gpvosabout 5 hours ago
Which aren't? It seems all (or most) are.
chasilabout 3 hours ago
There is also a (stub) web page:

https://www.openrsync.org/

The problem with this fragmentation of rsync is that Apple and Android will prefer it, but the Linux and greater GPL world will adhere to the original implantation due to inertia. Power users will just have to know the quirks of each version.

The only way to stop this is for the original author(s) to release this under a BSD license.

Edit: For those assuming equivalent/identical behavior, study these words carefully: "accepts only a subset of rsync's command-line arguments."

yjftsjthsd-habout 2 hours ago
> The only way to stop this is for the original author(s) to release this under a BSD license.

Would that stop it? My understanding was that at least OpenBSD tended do redo things for technical reasons, not just licensing

eikenberryabout 1 hour ago
The only option should not to be to take away user freedoms. BSD licenses are popular with proprietary software writers because they can use it without any of the restrictions that seek to preserve the rights of the end user. Instead you get proprietary software stacks like Apple and Android that seek to lock the users out of anything not granted by the company.

The correct way to stop this is to file bugs against the software for not matching the de-facto standard of the copied software.

spauldoabout 3 hours ago
It's really no different than every other BSD utility (and SysV utility, if you're running one of those) being different than the GNU ones. We've coped with it for fifty years at this point.
asveikauabout 2 hours ago
> Apple and Android will prefer it,

My thought upon reading this is why would Apple or Android bother including rsync? I've noticed that I've needed to install it manually on fresh installs of Debian, FreeBSD...

But then, I just checked a recent Mac that I don't use much and haven't put much on, and it's installed.

qalmakkaabout 3 hours ago
Basically like GNU Tar/CPIO and BSD Tar/CPIO. I've largely standardised towards using the bsd variant everywhere (especially since now even Windows ships it and it handles lots of other archive formats using the `tar` command) but it's always a pain to install it everywhere
yjftsjthsd-habout 2 hours ago
Yeah, I'm leaning towards strongly preferring bsdtar since it's happy to work on e.g. zip files:) Does it have any real downsides?