[Bug 2028810] Re: rsync 3.1.3 performance regression

[Robie Basak]

As one member of the SRU team, I think that adding the --trust-sender
feature in an SRU is acceptable in principle, provided that the patch is
trivial and low risk, in order to mitigate the (required) security
performance regression. So it looks like this should be fine, but I
defer a final decision to a deeper review which we can do once the fix
is tested in Lena's PPA.

Note however that this would requiring adding the option to every
subsequent still-supported stable release that does not already have it
to ensure that users don't face a regression when the upgrade to a newer
release.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to rsync in Ubuntu.
https://bugs.launchpad.net/bugs/2028810

Title:
  rsync 3.1.3 performance regression

Status in rsync package in Ubuntu:
  Fix Released
Status in rsync source package in Focal:
  Incomplete

Bug description:
  OS: Ubuntu 20.04 Focal
  Package: rsync 3.1.3-8ubuntu0.5

  rsync's performance was regressed by ~7x amount after some security
  patch (debian/patches/CVE-2022-29154-*) was applied to the package,
  and introduced a list of filters that iterate on every file being
  transferred. We think that was where the performance regression came
  from.

  A Jammy version of the package (3.2.5) introduced a new flag "--trust-
  sender" that allowed user to avoid the expensive client-side filtering
  introduced by those security patches. After pulling this change
  (https://github.com/WayneD/rsync/commit/cff8f044776c5143a5b270969d4bb0f1fea8b017)
  from rsync ourselves and applied it to the Focal version, the
  performance regression went away.

  The patch we used to backport our Focal rsync is attached in this
  thread. Can you please backport it too?

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/rsync/+bug/2028810/+subscriptions