
From: Job Snijders <job@bsd.nl>
Subject: rpki-client: exclude hidden files/directories when rsyncing
To: tech@openbsd.org
Date: Sat, 16 May 2026 11:39:37 +0000

Got a report:

On Sat, May 16, 2026 at 11:59:17AM +0100, Ben Cartwright-Cox wrote:
> rsync: executing rsync -rtO --no-motd --min-size=100 --max-size=8000000
> --contimeout=15 --timeout=30 --include=*/ --include=*.cer --include=*.crl
> --include=*.mft --include=*.roa --include=*.asa --include=*.tak
> --include=*.spl --include=*.gbr --exclude=* rsync://rpki-rps.cnnic.cn/repo/ cache/rpki-rps.cnnic.cn/repo
> directory has vanished: "A1065585389265289217/0/.~tmp~" (in repo)
> file has vanished: "A1065583221972402179/0/.~tmp~/1BF077990B3EF2F79478B657B4C3AF7BDEB8F260.crl" (in repo)
> file has vanished: "A1065583221972402179/0/.~tmp~/1BF077990B3EF2F79478B657B4C3AF7BDEB8F260.mft" (in repo)
> file has vanished: "A1065583221972402179/0/.~tmp~/3130332e3135322e3138362e302f32332d3233203d3e20313339313339.roa" (in repo)
> file has vanished: "A1065583221972402179/0/.~tmp~/3130332e3135322e3138362e302f32332d3233203d3e2034353338.roa" (in repo)
> ...
> rsync warning: some files vanished before they could be transferred (code 24) at main.c(1852) [generator=3.4.1]

Looking at the RPKI standards for guidance on the topic of "dot",
according to RFC 9286 section 4.2.2, filenames in the RPKI cannot start
with a dot. RFC 6481 section 1.1 describes the concept of a publication
point as a "directory in a publicly accessible filesystem". And of
course, common sense also suggests that downloading hidden directories
is unlikely to spark joy, as evidenced by the above log transcript.

I think it would be good to disallow both hidden files and directories
earlier on. Perhaps like so?

Index: rsync.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/rsync.c,v
diff -u -p -r1.60 rsync.c
--- rsync.c	13 Nov 2025 15:18:53 -0000	1.60
+++ rsync.c	16 May 2026 11:26:22 -0000
@@ -153,6 +153,7 @@ exec_rsync(const char *prog, const char 
 		args[i++] = "--max-size=" STRINGIFY(MAX_FILE_SIZE);
 		args[i++] = "--contimeout=" STRINGIFY(MAX_CONN_TIMEOUT);
 		args[i++] = "--timeout=" STRINGIFY(MAX_IO_TIMEOUT);
+		args[i++] = "--exclude=.*";
 		args[i++] = "--include=*/";
 		args[i++] = "--include=*.cer";
 		args[i++] = "--include=*.crl";
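Review bot: the placement of `--exclude=.*` ahead of `--include=*/` is load-bearing and should get a comment on the line above it. rsync evaluates filter rules in the order given and the first matching rule wins, so if the exclude came after `--include=*/`, a hidden directory such as `.~tmp~` would match `*/` first and still be recursed into, reproducing the "vanished" churn in the quoted log. Because the pattern contains no slash, rsync matches it against the final path component only, so the single rule covers dot-files and dot-directories at any depth, which is the behaviour the RFC 9286 section 4.2.2 argument in the mail calls for. A short comment stating "must precede the include rules; first match wins" would keep a later reordering of the argument list from silently undoing the fix. Also worth confirming that the `args[]` array has headroom for the additional entry, since the hunk adds one more `args[i++]` without any visible change to its size.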