Sergey, In light of CVE-2010-0624, I'd like to propose a change of default for tar. Specifically, how about changing the --rsh-command option to have no default? If this option is not given, then the "remote functionality" should be disabled. If a filename looks like it is "remote" and neither the --rsh-command nor the --force-local option is given, then tar should fail with an error.
This will preserve compatibility with those existing scripts that use the --rsh-command option explicitly, as well as indeed with those that don't need the "remote functionality". The few that don't pass --rsh-command, yet rely on being able to access remote servers via tar's compile-time default for the command, will break in a fail-close way. I think that's OK - and is much better than the present situation, where we are exposed to the risk of further "remote" attacks on meant-to-be-local-only invocations of tar. What do you think? Thanks, Alexander
