How my minimal, memory-safe Go rsync steers clear of vulnerabilities
The article discusses the author's implementation of a minimal, memory-safe version of rsync in Go, aimed at addressing security vulnerabilities found in the original software. It highlights the discovery of multiple vulnerabilities in rsync and evaluates whether using Go mitigates these risks. The author provides insights into the effectiveness of their implementation compared to traditional versions and outlines necessary updates for users.
- Multiple security vulnerabilities were discovered in rsync, some allowing arbitrary code execution and file leaks.
- The author's implementation in Go aims to provide a minimal and memory-safe alternative to traditional rsync.
- Users are advised to upgrade to newer versions of both upstream rsync and gokrazy/rsync to ensure security.
Opening excerpt (first ~120 words)
How my minimal, memory-safe Go rsync steers clear of vulnerabilities
Published 2026-05-24; tags: golang, rsync
Table of contents:
- Context: My own rsync
- Security Vulnerabilities
- January 2025 batch
- May 2026 batch
- Go verdict
- gokrazy/rsync verdict
- Imprecise terminology
- Comparison with OpenBSD’s openrsync (C)
- Defense in depth
- Linux mount namespaces
- systemd hardening
- Linux Landlock
- Go’s os.Root
- Conclusion
Back in January 2025, multiple different security researchers published a total of 6 security vulnerabilities in rsync, some of which allow arbitrary code execution and file leaks, so naturally I was…
Excerpt limited to ~120 words for fair-use compliance. The full article is at Michael Stapelberg.