Here is some good floss drama. Rsync just released an update that broke some stuff. Apparently the reason is that rsync is a single-developer project that has been over run with security issues found by AI-wielding script kiddies. So the developer has resorted to also using vibe coding to keep up with them, which hasn't quite worked out.
The inciting problem is failure with "multiple --compare-dest= arguments" as of 3.4.3 (see below).
thread on !fuck_ai@lemmy.world (instance blocked from hexbear) Rsync is reportedly causing backups to fail since maintainer began AI code experiment
This subthread has the background of what happened. Here is log of the rsync discord log with a bit of commentary:
comment by ChairmanMeow@programming.dev
[30.05.2026 10:05] andrewtridgell I reviewed it. The rsync project has been essentially a single developer project for about 20 years now
[30.05.2026 10:06] andrewtridgell Wayne did it all himself for a long time, now I'm back doing it
[30.05.2026 10:06] realketas why is it one man job, it seems like too complex for that
[30.05.2026 10:06] realketas i can't even imagine
[30.05.2026 10:06] andrewtridgell nobody else volunteers. Its the same story with thousands of open source tools
[30.05.2026 10:07] realketas it runs entire planet, just one man does it eh
[30.05.2026 10:07] realketas sad too
[30.05.2026 10:07] andrewtridgell the linux kernel has thousands of paid full time devs. rsync has zero.
[30.05.2026 10:15] andrewtridgell the most insane part is that security releases can't be community tested. Those security releases are going to be a huge part of lots and lots of open source projects for a while to come yet, just look at the rate of CVEs over the last couple of months, its gone nuts. You can't do a beta release of a security fix as its embargoed. So for the most critical fixes you can't have anyone else look at it. The people reporting the flaws mostly don't have the skills as they used AI to find the bugs. So the maintainer is the sole person to review the most critical security changes, and that is how the madhouse called the internet and IT security is designed. The only defence I have is to build the most comprehensive and accurate test suite I can, so when I need to deal with yet another security report I can at least quickly identify what else the fix breaks. Luckily I can do that work (the dev of the test suite) in public.
[30.05.2026 10:22] andrewtridgell bottom line is if you want to be useful then pick holes in the test suite, find things it doesn't cover, find interactions between options it doesn't pin down, report those and offer fixes for that.
Basically, it's a solo dev being swamped by LLM security reports, and since those are embargoed only maintainers can review them... and since nobody else has volunteered, he has to do it himself.
He primarily used several AIs to rewrite the test suite from shell (slow, lacking coverage) to python (parallelised, improved coverage). He says he's extensively reviewed everything, but I guess the suite doesn't cover everything. And the test suite changes can be community reviewed.
The dev has been actively inviting people to join as a maintainer and poke holes in the test suite, but it seems nobody has stepped up. I can't really blame the dev here, he just seems unable to keep up without others helping him out. He's tried to use AIs as sensibly as he could, and I'm not entirely sure if it's slop fixes that cause the issues (or if an "unassisted" fix would have caught it).
Raised originally by @JeremiahFieldhaven@mastodon.gamedev.place in this mastodon thread
original complaint
So my systems recently updated to rsync 3.4.3, and as soon as that happened my backup system - which does incremental backups using multiple --compare-dest= arguments - started to fail on anything but a full backup.
Revert to 3.4.1 and it works.
So I go look at the source in GitHub to see what might have changed, because there doesn't seem to be anything relevant in the changelog.
Since 3.4.1, 36 commits by "tridge and claude"
Oh for fuck's sakes.
other links:
Thats pretty much the case for most projects. XZ backdoor was the result of a single maintainer being duped into believing some other maintainer could shoulder the burden.
The entire tech industry is standing on load bearing pegs of a guy from Nebraska.
I heard about a project out of a university somewhere who were doing a systematic audit of the whole open source tool chain to identify these and try to offer some support .., at least set it up so someone can get the password when they die or whatever. But can't recall details.