From: Job Snijders
Subject: rpki-client: exclude hidden files/directories when rsyncing
To: tech@openbsd.org
Date: Sat, 16 May 2026 11:39:37 +0000

Got a report:

On Sat, May 16, 2026 at 11:59:17AM +0100, Ben Cartwright-Cox wrote:
> rsync: executing rsync -rtO --no-motd --min-size=100 --max-size=8000000
> --contimeout=15 --timeout=30 --include=*/ --include=*.cer --include=*.crl
> --include=*.mft --include=*.roa --include=*.asa --include=*.tak
> --include=*.spl --include=*.gbr --exclude=* rsync://rpki-rps.cnnic.cn/repo/ cache/rpki-rps.cnnic.cn/repo
> directory has vanished: "A1065585389265289217/0/.~tmp~" (in repo)
> file has vanished: "A1065583221972402179/0/.~tmp~/1BF077990B3EF2F79478B657B4C3AF7BDEB8F260.crl" (in repo)
> file has vanished: "A1065583221972402179/0/.~tmp~/1BF077990B3EF2F79478B657B4C3AF7BDEB8F260.mft" (in repo)
> file has vanished: "A1065583221972402179/0/.~tmp~/3130332e3135322e3138362e302f32332d3233203d3e20313339313339.roa" (in repo)
> file has vanished: "A1065583221972402179/0/.~tmp~/3130332e3135322e3138362e302f32332d3233203d3e2034353338.roa" (in repo)
> ...
> rsync warning: some files vanished before they could be transferred (code 24) at main.c(1852) [generator=3.4.1]

Looking at the RPKI standards for guidance on the topic of "dot", according to
RFC 9286 section 4.2.2, filenames in the RPKI cannot start with a dot. RFC 6481
section 1.1 describes the concept of a publication point as a "directory in a
publicly accessible filesystem". And of course, common sense also suggests that
downloading hidden directories is unlikely to spark joy, as evidenced by the
above log transcript.

I think it would be good to disallow both hidden files and directories earlier
on. Perhaps like so?

Index: rsync.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/rsync.c,v
diff -u -p -r1.60 rsync.c
--- rsync.c	13 Nov 2025 15:18:53 -0000	1.60
+++ rsync.c	16 May 2026 11:26:22 -0000
@@ -153,6 +153,7 @@ exec_rsync(const char *prog, const char args[i++] = "--max-size=" STRINGIFY(MAX_FILE_SIZE); args[i++] = "--contimeout=" STRINGIFY(MAX_CONN_TIMEOUT); args[i++] = "--timeout=" STRINGIFY(MAX_IO_TIMEOUT); + args[i++] = "--exclude=.*"; args[i++] = "--include=*/"; args[i++] = "--include=*.cer"; args[i++] = "--include=*.crl";
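Review bot: the new `--exclude=.*` only has the intended effect because it is placed before `--include=*/`; rsync applies the first matching filter rule, so with the order reversed `*/` would admit `.~tmp~/` before the exclude is ever consulted. A one-line comment above `args[i++] = "--exclude=.*";` stating that it must precede the `--include=*/` rule would keep a later reordering from silently reintroducing hidden directories. Because the pattern contains no slash it is matched against the basename of every path component, so it also covers hidden entries several levels deep, as in the `A1065583221972402179/0/.~tmp~/...` paths from the report. One thing to double-check: the rsync invocation in the report carries no `--delete`, so hidden entries that earlier runs already copied into an existing cache directory are not removed by this change on its own.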
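The rsync filter above only governs what is fetched; the same rule can be applied to a repository-relative path on the validator side, which is the "earlier on" check the mail talks about. The following is an added example, not rpki-client code: `rpki_path_ok()` and its extension table are names chosen here, and the sample paths are constructed from the report above. It rejects any path with a component that begins with '.', any empty component, and any final component whose extension is not one of the object types the rsync include list fetches.

```c
/*
 * Added example, not part of rpki-client. rpki_path_ok() and the
 * allowed_ext table are assumptions of this example, not project
 * identifiers.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Object extensions matching the --include list in the rsync invocation. */
static const char *const allowed_ext[] = {
	".cer", ".crl", ".mft", ".roa", ".asa", ".tak", ".spl", ".gbr"
};

/* True if the final path element ends with one of allowed_ext. */
static bool
has_allowed_ext(const char *name)
{
	size_t nlen = strlen(name), i;

	for (i = 0; i < sizeof(allowed_ext) / sizeof(allowed_ext[0]); i++) {
		size_t elen = strlen(allowed_ext[i]);
		if (nlen > elen && strcmp(name + nlen - elen, allowed_ext[i]) == 0)
			return true;
	}
	return false;
}

/*
 * Check a repository-relative path such as
 * "A1065583221972402179/0/1BF0...F260.crl". Returns true only when no
 * component (directory or file) starts with '.', no component is empty
 * (which would mean "//", a leading '/' or a trailing '/'), and the
 * final component carries an allowed extension.
 */
bool
rpki_path_ok(const char *path)
{
	const char *p = path, *slash;
	size_t len;

	if (path == NULL || *path == '\0')
		return false;

	for (;;) {
		slash = strchr(p, '/');
		len = slash != NULL ? (size_t)(slash - p) : strlen(p);

		if (len == 0)		/* empty component */
			return false;
		if (p[0] == '.')	/* hidden entry, including "." and ".." */
			return false;

		if (slash == NULL)
			return has_allowed_ext(p);
		p = slash + 1;
	}
}

int
main(void)
{
	/* Constructed inputs; the first two mirror entries in the report. */
	const char *paths[] = {
		"A1065583221972402179/0/.~tmp~/1BF077990B3EF2F79478B657B4C3AF7BDEB8F260.crl",
		"A1065585389265289217/0/.~tmp~",
		"A1065583221972402179/0/1BF077990B3EF2F79478B657B4C3AF7BDEB8F260.mft",
		"A1065583221972402179/0/.hidden.roa",
		"A1065583221972402179/0/notes.txt",
	};
	size_t i;

	for (i = 0; i < sizeof(paths) / sizeof(paths[0]); i++)
		printf("%s\t%s\n", rpki_path_ok(paths[i]) ? "accept" : "reject",
		    paths[i]);
	return 0;
}
```

The component walk deliberately rejects "." and ".." as a side effect of the leading-dot rule, so a path built from untrusted manifest or directory-listing data cannot escape the cache directory through a hidden component either.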