Sergey, This is in addition to my previous response. We have decided to make this change in Owl anyway, and in fact we already made it:
http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/tar/ (it's tar-1.23-owl-rsh-command.diff right now). In case you find it convincing, this change (making --rsh-command have no default) is consistent with the behavior of cpio, which has an option by the same name (without a default). So right now tar's behavior is inconsistent with cpio's, and we're proposing to make it consistent (and this is also desirable for security). I proposed: > In light of CVE-2010-0624, I'd like to propose a change of default for > tar. Specifically, how about changing the --rsh-command option to have > no default? Alexander
