feat(transfer): wire --info=SYMSAFE emission (3.4.1 parity)#4119
Merged
Conversation
SYMSAFE sits at upstream's `INFO_GTE(SYMSAFE, 1)` gate and is part of
`info_verbosity[1]` (options.c:241), so it fires once `-v` (or any
explicit `--info=SYMSAFE`) raises the level above zero. Upstream emits
two distinct messages:
flist.c:217 - `copying unsafe symlink "<path>" -> "<target>"`
fired by `readlink_stat()` when
`copy_unsafe_links && unsafe_symlink(...)` triggers
a dereference into a regular entry.
backup.c:292 - `not backing up unsafe symlink "<fname>" -> "<sl>"`
fired by `make_backup()` when `safe_symlinks &&
unsafe_symlink(...)` refuses to recreate the symlink
at the backup location.
oc-rsync had the flag wired through CLI parsing and the level table
(symsafe=1 at -v) but no producer. The audit doc flagged this as
"Stub" with the note: "Our symlink-safety code in `crates/filters` and
`crates/transfer/src/file_list/*` does not gate on the flag."
Wire three emission sites that cover every transfer mode:
1. crates/transfer/src/generator/file_list/walk.rs - the sender path
for daemon/SSH push. Both `resolve_symlink_metadata` and the
batched-stat fixup in `process_dir_entries_batched` emit the
upstream wording before dereferencing an unsafe symlink.
2. crates/engine/src/local_copy/executor/special/symlink.rs - the
local-copy path. `copy_symlink` emits the same notice when
`copy_unsafe_links_enabled()` triggers the dereference branch.
3. crates/engine/src/local_copy/context_impl/state.rs - the
cross-device backup fallback. `backup_existing_entry` emits the
`not backing up unsafe symlink` notice when `safe_links_enabled()`
refuses to recreate the symlink at the backup location and
bails out (mirroring upstream's `ret = 2`).
Five new tests assert byte-for-byte upstream wording and confirm the
notices are suppressed at the default verbosity. The audit doc rolls
SYMSAFE from Stub to Match and removes it from the parity-gap summary
list.
Closes #2163.
oferchen
added a commit
that referenced
this pull request
May 18, 2026
SYMSAFE sits at upstream's `INFO_GTE(SYMSAFE, 1)` gate and is part of
`info_verbosity[1]` (options.c:241), so it fires once `-v` (or any
explicit `--info=SYMSAFE`) raises the level above zero. Upstream emits
two distinct messages:
flist.c:217 - `copying unsafe symlink "<path>" -> "<target>"`
fired by `readlink_stat()` when
`copy_unsafe_links && unsafe_symlink(...)` triggers
a dereference into a regular entry.
backup.c:292 - `not backing up unsafe symlink "<fname>" -> "<sl>"`
fired by `make_backup()` when `safe_symlinks &&
unsafe_symlink(...)` refuses to recreate the symlink
at the backup location.
oc-rsync had the flag wired through CLI parsing and the level table
(symsafe=1 at -v) but no producer. The audit doc flagged this as
"Stub" with the note: "Our symlink-safety code in `crates/filters` and
`crates/transfer/src/file_list/*` does not gate on the flag."
Wire three emission sites that cover every transfer mode:
1. crates/transfer/src/generator/file_list/walk.rs - the sender path
for daemon/SSH push. Both `resolve_symlink_metadata` and the
batched-stat fixup in `process_dir_entries_batched` emit the
upstream wording before dereferencing an unsafe symlink.
2. crates/engine/src/local_copy/executor/special/symlink.rs - the
local-copy path. `copy_symlink` emits the same notice when
`copy_unsafe_links_enabled()` triggers the dereference branch.
3. crates/engine/src/local_copy/context_impl/state.rs - the
cross-device backup fallback. `backup_existing_entry` emits the
`not backing up unsafe symlink` notice when `safe_links_enabled()`
refuses to recreate the symlink at the backup location and
bails out (mirroring upstream's `ret = 2`).
Five new tests assert byte-for-byte upstream wording and confirm the
notices are suppressed at the default verbosity. The audit doc rolls
SYMSAFE from Stub to Match and removes it from the parity-gap summary
list.
Closes #2163.
oferchen
added a commit
that referenced
this pull request
May 18, 2026
SYMSAFE sits at upstream's `INFO_GTE(SYMSAFE, 1)` gate and is part of
`info_verbosity[1]` (options.c:241), so it fires once `-v` (or any
explicit `--info=SYMSAFE`) raises the level above zero. Upstream emits
two distinct messages:
flist.c:217 - `copying unsafe symlink "<path>" -> "<target>"`
fired by `readlink_stat()` when
`copy_unsafe_links && unsafe_symlink(...)` triggers
a dereference into a regular entry.
backup.c:292 - `not backing up unsafe symlink "<fname>" -> "<sl>"`
fired by `make_backup()` when `safe_symlinks &&
unsafe_symlink(...)` refuses to recreate the symlink
at the backup location.
oc-rsync had the flag wired through CLI parsing and the level table
(symsafe=1 at -v) but no producer. The audit doc flagged this as
"Stub" with the note: "Our symlink-safety code in `crates/filters` and
`crates/transfer/src/file_list/*` does not gate on the flag."
Wire three emission sites that cover every transfer mode:
1. crates/transfer/src/generator/file_list/walk.rs - the sender path
for daemon/SSH push. Both `resolve_symlink_metadata` and the
batched-stat fixup in `process_dir_entries_batched` emit the
upstream wording before dereferencing an unsafe symlink.
2. crates/engine/src/local_copy/executor/special/symlink.rs - the
local-copy path. `copy_symlink` emits the same notice when
`copy_unsafe_links_enabled()` triggers the dereference branch.
3. crates/engine/src/local_copy/context_impl/state.rs - the
cross-device backup fallback. `backup_existing_entry` emits the
`not backing up unsafe symlink` notice when `safe_links_enabled()`
refuses to recreate the symlink at the backup location and
bails out (mirroring upstream's `ret = 2`).
Five new tests assert byte-for-byte upstream wording and confirm the
notices are suppressed at the default verbosity. The audit doc rolls
SYMSAFE from Stub to Match and removes it from the parity-gap summary
list.
Closes #2163.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
--info=SYMSAFEproducer emissions across the sender, local-copy, and cross-device backup paths so the flag finally fires underINFO_GTE(SYMSAFE, 1)(upstreamflist.c:217andbackup.c:292).crates/transfer/src/generator/file_list/walk.rsfor the sender push path,crates/engine/src/local_copy/executor/special/symlink.rsfor the local-copy dereference branch, andcrates/engine/src/local_copy/context_impl/state.rsfor the cross-device backup fallback that refuses to recreate unsafe symlinks under--safe-links.docs/audits/info-flags-audit.mdand remove it from the parity-gap summary.Test plan
cargo nextest run -p transfer --all-features -E 'test(symsafe)'covers the sender-side wording and the gated-when-disabled case.cargo nextest run -p engine --all-features -E 'test(symsafe)'covers both the local-copy--copy-unsafe-linksintegration test (real symlink dereference throughLocalCopyPlan) and the byte-for-byte backup wording test.target/interop/upstream-src/rsync-3.4.1/{flist.c:217,backup.c:292}confirmscopying unsafe symlink "<path>" -> "<target>"andnot backing up unsafe symlink "<dest>" -> "<target>"are emitted exactly.Closes #2163