Some daemon security improvements, including the new parameters

[rsync/rsync.git] / NEWS

NEWS for rsync 3.0.0 (UNRELEASED)
Protocol: 30 (changed)
Changes since 2.6.9:

  NOTABLE CHANGES IN BEHAVIOR:

    - The handling of implied directories when using --relative has changed to
      send them as directories (e.g. no implied dir is ever sent as a symlink).
      This avoids unexpected behavior and should not adversely affect most
      people.  If you're one of those rare individuals who relied upon having
      an implied dir be duplicated as a symlink, you should specify the
      transfer of the symlink and the transfer of the referent directory as
      separate args.  (See also --keep-dirlinks and --no-implied-dirs.)
      Also, exclude rules no longer have a partial effect on implied dirs.

    - Requesting a remote file list without specifying -r (--recursive) now
      sends the -d (--dirs) option to the remote rsync rather than sending -r
      along with an extra exclude of /*/*.  If the remote rsync does not
      understand the -d option (i.e. it is 2.6.3 or older), you will need to
      either turn off -d (--no-d), or specify  -r --exclude='/*/*'  manually.

    - In --dry-run mode, the last line of the verbose summary text is output
      with a "(DRY RUN)" suffix to help remind you that no updates were made.
      Similarly, --only-write-batch outputs "(BATCH ONLY)".

    - A writable rsync daemon with "use chroot" disabled now defaults to a
      symlink-munging behavior designed to make symlinks safer while also
      allowing absolute symlinks to be stored and retrieved.  This also has
      the effect of making symlinks unusable while they're in the daemon's
      hierarchy.  See the daemon's "munge symlinks" parameter for details.

  BUG FIXES:

    - A daemon with "use chroot = no" and excluded items listed in the daemon
      config file now properly checks an absolute-path arg specified for these
      options:  --compare-dest, --link-dest, --copy-dest, --partial-dir,
      --backup-dir, --temp-dir, and --files-from.

    - A daemon can now be told to disable all user- and group-name translation
      on a per-module basis.  This avoids a potential problem with a writable
      daemon module that has "use chroot" enabled -- if precautions weren't
      taken, a user could try to add a missing library and get rsync to use
      it.  This makes rsync safer by default, and more configurable when id-
      translation is not desired.  See the daemon's "numeric ids" parameter
      for full details.

    - If a file's data arrived successfully on the receiving side but the
      rename of the temporary file to the destination file failed AND the
      --remove-source-files (or the deprecated --remove-sent-files) option
      was specified, rsync no longer erroneously removes the associated
      source file.

    - Fixed the output of -ii when combined with one of the --*-dest options:
      it now itemizes all the items, not just the changed ones.

    - Made the output of all file types consistent when using a --*-dest
      option.  Prior versions would output too many creation events for
      matching items.

    - The code that waits for a child pid now handles being interrupted by a
      signal.  This fixes a problem with the pre-xfer exec function not being
      able to get the exit status from the script.

    - A negated filter rule (i.e. with a '!' modifier) no longer loses the
      negation when sending the filter rules to the remote rsync.

    - Fixed a problem with the --out-format (aka --log-format) option %f:  it
      no longer outputs superfluous directory info for a non-daemon rsync.

    - Fixed a problem with -vv (double --verbose) and --stats when "pushing"
      files (which includes local copies).  Version 2.6.9 would complete the
      copy, but exit with an error when the receiver output its memory stats.

    - If --password-file is used on a non-daemon transfer, rsync now complains
      and exits.  This should help users figure out that they can't use this
      option to control a remote shell's password prompt.

    - Make sure that directory permissions of a newly-created destination
      directory are handled right when --perms is left off.

    - The itemized output of a newly-created destination directory is now
      output as a creation event, not a change event.

    - Improved --hard-link so that more corner cases are handled correctly
      when combined with options such as --link-dest and/or --ignore-existing.

    - The --append option no longer updates a file that has the same size.

    - Fixed a bug when combining --backup and --backup-dir with --inplace:
      any missing backup directories are now created.

    - Fixed a bug when using --backup and --inplace with --whole-file or
      --read-batch: backup files are actually created now.

    - Starting up an extra copy of an rsync daemon will not clobber the pidfile
      for the running daemon -- if the pidfile exists, the new daemon will exit
      with an error.

    - The daemon pidfile is checked and created sooner in the startup sequence.

    - If a daemon module's "path" value is not an absolute pathname, the code
      now makes it absolute internally (making it work properly).

    - Ensure that a temporary file always has owner-write permission while we
      are writing to it.  This avoids problems with some network filesystems.

    - Any errors output about password-file reading no longer cause an error at
      the end of the run about a partial transfer.

    - The --read-batch option for protocol 30 now ensures that several more
      options are set correctly for the current batch file:  --iconv, --acls,
      --xattrs, --inplace, --append, and --append-verify.

    - Using --only-write-batch to a daemon receiver now work properly (older
      versions would update some files while writing the batch).

    - Avoid outputting a "file has vanished" message when the file is a broken
      symlink and --copy-unsafe-links or --copy-dirlinks are used (the code
      already handled this for --copy-links).

    - Fixed the combination of --only-write-batch and --dry-run.

  ENHANCEMENTS:

    - A new incremental-recursion algorithm is now used when rsync is talking
      to another 3.x version.  This starts the transfer going more quickly
      (before all the files have been found), and requires much less memory.
      See the --recursive option in the manpage for some restrictions.

    - Lowered memory use in the non-incremental-recursion algorithm for typical
      option values (usually saving from 21-29 bytes per file).

    - The default --delete algorithm is now --delete-during when talking to a
      3.x rsync.  This is a faster scan than using --delete-before (which is
      the default when talking to older rsync versions), and is compatible with
      the new incremental recursion mode.

    - Rsync now allows multiple remote-source args to be specified rather than
      having to rely on a special space-splitting side-effect of the remote-
      shell.  Additional remote args must specify the same host or an empty one
      (e.g. empty:  :file1  or  ::module/file2).  This means that local use of
      brace expansion now works:  rsync -av host:dir/{f1,f2} .

    - Added the --protect-args (-s) option, that tells rsync to send most of
      the command-line args at the start of the transfer rather than as args
      to the remote-shell command.  This protects them from space-splitting,
      and only interprets basic wildcard special shell characters (*?[).

    - Added the --delete-delay option, which is a more efficient way to delete
      files at the end of the transfer without needing a separate delete pass.

    - Added the --acls (-A) option to preserve Access Control Lists.  This is
      an improved version of the prior patch that was available, and it even
      supports OS X ACLs.  If you need to have backward compatibility with old,
      ACL-patched versions of rsync, apply the acls.diff file from the patches
      dir.

    - Added the --xattrs (-X) option to preserver extended attributes.  This is
      an improved version of the prior patch that was available, and it even
      supports OS X xattrs (which includes their resource fork data).  If you
      need to have backward compatibility with old, xattr-patched versions of
      rsync, apply the xattrs.diff file from the patches dir.

    - Added the --fake-super option that allows a non-super user to preserve
      all attributes of a file by using a special extended-attribute idiom.
      It even supports the storing of foreign ACL data on your backup server.
      There is also an analogous "fake super" parameter for an rsync daemon.

    - Added the --iconv option, which allows rsync to convert filenames from
      one character-set to another during the transfer.  The default is to make
      this feature available as long as your system has iconv_open().  If
      compilation fails, specify --disable-iconv to configure, and then
      rebuild.  If you want rsync to perform character-set conversions by
      default, you can specify --enable-iconv=CONVERT_STRING with the default
      value for the --iconv option that you wish to use.  For example,
      "--enable-iconv=." is a good choice.  See the rsync manpage for an
      explanation of the --iconv option's settings.

    - A new daemon config parameter, "charset", lets you control the character-
      set that is used during an --iconv transfer to/from a daemon module.

    - Added the --skip-compress=LIST option to override the default list of
      file suffixes that will not be compressed when using --compress.

    - The daemon's default for "dont compress" was extended to include:
	  *.7z *.mp[34] *.mov *.avi *.ogg *.jpg *.jpeg
      The matching routine was also optimized to run more quickly.

    - The --max-delete option now outputs a warning if it skipped any file
      deletions, including a count of how many deletions were skipped.  (Older
      versions just silently stopped deleting things.)

    - You may specify --max-delete=0 to a 3.0.0 client to request that it warn
      about extraneous files without deleting anything.  If you're not sure
      what version the client is, you can use the less-obvious --max-delete=-1,
      as both old and new versions will treat that as the same request (though
      older versions don't warn).

    - The --hard-link option now uses less memory on both the sending and
      receiving side for all protocol versions.  For protocol 30, the use of a
      hashtable on the sending side allows us to more efficiently convey to the
      receiver what files are linked together.  This reduces the amount of data
      sent over the socket by a considerable margin (rather than adding more
      data), and limits the in-memory storage of the device+inode information
      to just the sending side for the new protocol 30, or to the receiving
      side when speaking an older protocol (note that older rsync versions kept
      the device+inode information on both sides).

    - The filter rules now support a perishable ("p") modifier that marks rules
      that should not have an effect in a directory that is being deleted.  e.g.
      -f '-p .svn/' would only affect "live" .svn directories.

    - Rsync checks all the alternate-destination args for validity (e.g.
      --link-dest).  This lets the user know when they specified a directory
      that does not exist.

    - If we get an error setting the time on a symlink, we don't complain about
      it anymore (since some operating systems don't support that, and it's not
      that important).

    - Protocol 30 now uses MD5 checksums instead of MD4.

    - Changed the --append option to not checksum the existing data in the
      destination file, which speeds up file appending.

    - Added the --append-verify option, which works like the older --append
      option (verifying the existing data in the destination file).  For
      compatibility with older rsync versions, any use of --append that is
      talking protocol 29 or older will revert to the --append-verify method.

    - Added the --contimeout=SECONDS option that lets the user specify a
      connection timeout for rsync daemon access.

    - Documented and extended the support for the RSYNC_CONNECT_PROG variable
      that can be used to enhance the client side of a daemon connection.

    - Improved the dashes and double-quotes in the nroff manpage output.

    - We now support a lot more --no-OPTION override options.

  INTERNAL:

    - The file-list sorting algorithm now uses a sort that keeps any same-
      named items in the same order as they were specified.  This allows
      rsync to always ensure that the first of the duplicates is the one
      that will be included in the copy.  The new sort was also faster
      than the glibc version of qsort() and mergesort() in my testing.

    - Rsync now supports the transfer of 64-bit timestamps (time_t values).

    - Made the file-deletion code use a little less stack when recursing
      through a directory hierarchy of extraneous files.

    - Fixed a build problem with older (2.x) versions of gcc.

    - Added some isType() functions that make dealing with signed characters
      easier without forcing variables via casts.

    - Changed strcat/strcpy/sprintf function calls to use safer versions.

    - Upgraded the included popt version to 1.10.2 and improved its use of
      string-handling functions.

    - Added missing prototypes for compatibility functions from the lib dir.

    - Configure determines if iconv() has a const arg, allowing us to avoid a
      compiler warning.

    - Made the sending of some numbers more efficient for protocol 30.

    - Make sure that a daemon process doesn't mind if the client was weird and
      omitted the --server option.

    - There are more internal logging categories available in protocol 30 than
      the age-old FINFO and FERROR, including FERROR_XFER and FWARN.  These new
      categories allow some errors and warnings to go to stderr without causing
      an erroneous end-of-run warning about some files not being able to be
      transferred.

    - Improved the use of "const" on pointers.

    - Improved J.W.'s pool_alloc routines to add a way of freeing older
      sections of a pool's memory.

    - The getaddrinfo.c compatibility code in the "lib" dir was replaced with
      some new code (derived from samba, derived from PostgreSQL) that has a
      better license than the old code.

  DEVELOPER RELATED:

    - Rsync is now licensed under the GPLv3 or later.

    - Rsync is now being maintained in a "git" repository instead of CVS
      (though the old CVS repository still exists).  Several maintenance
      scripts were updated to work with git.

    - Generated files are no longer committed into the source repository.  The
      autoconf and autoheader commands are now automatically run during the
      normal use of "configure" and "make".  The latest dev versions of all
      generated files can also be copied from the samba.org web site (see the
      "magic" configure script that now comes with rsync for its location).

    - The "patches" directory of diff files is now built from branches in the
      rsync git repository (branch patch/FOO creates file patches/FOO.diff).

    - The proto.h file is now built using a simple perl script rather than a
      complex awk script, which proved to be more widely compatible.

    - When running the tests, we now put our per-test temp dirs into a sub-
      directory named testtmp (which is created, if missing).  This allows
      someone to symlink the testtmp directory to another filesystem (which is
      useful if the build dir's filesystem does not support ACLs and xattrs,
      but another file system does).

    - Rsync now has a way of handling protocol-version changes during the
      development of a new protocol version.  This causes any out-of-sync
      versions to speak an older protocol rather than fail in a cryptic manner.
      This addition makes it safe to deploy a pre-release version that may
      interact with the public.  This new exchange of sub-version info does not
      interfere with the {MIN,MAX}_PROTOCOL_VERSION checking algorithm (which
      does not have enough range to allow the main protocol number to be
      incremented for every minor tweak in that happens during development).

    - The csprotocol.txt file was updated to mention the daemon protocol change
      in the 3.0.0 release.