Package: tar
Version: 1.30+dfsg-5
Severity: normal

Hi.

Please do not set a default for --rsh-command, at all.
And if this lets tar use some hardcoded default, set
something that will fail like /bin/false.


The rationale is that most users will typically not expect
tar to be a networking program (which itself isn't) and one
has to read rather "deep" into the docs to find out that
arguments to --file with a ":" get an ssh-like meaning of a
remote archive.

Take e.g. tar --usage, which just talks about [-f ARCHIVE]
but not something that would make it clearer like
[-f [REMOTE_HOST:]ARCHIVE]

Now you may say scp/ssh does the same,... but I guess it's clear
that everyone expects this and the manpage is even titled:
 scp — secure copy (remote file copy program)
so it's clear from the beginning: this may be remote

So which bad things can happen with the default?

A simple example is an information leak when creating an archive.
I think it's not so uncommon to use ":" in file names, take
the following made up example of a user wanting to create
a backup tar (locally) of his private keys to put it later
on some USB stick or whatever:
 tar -c -f 19.04.17.01:keys.tar ~/.ssh ~/.gnupg

The user may take this as the first (01) backup made on the
17th of April 2019.
Yeah, I know, it's a stupid example but you get the point.


Even solving #653044 which suggests replacing rsh with ssh
doesn't really help here:
ssh just means that the transport is secured, not that the
remote end is in any way trusted.
So a user could run:
 tar -c -f backup:keys.tar ~/.ssh ~/.gnupg
expecting a local file of that name to be created, and at
the same time he could have an alias for a remote host
named backup, maybe from his employee, but clearly he
wouldn't want his files to end up there.
Obviously the downside of fixing this is possible breakage
of existing setups which expect the default set as it is.
But a NEWS.Debian + release notes entry could help here and
setups depending on the dangerous default would quickly notice
the changed default and adapt by setting manually whatever
fits... while on the other hand most users will likely never
notice that they could easily leak confidential information
just by using a ":" in the filename.
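As an added example that is not part of the bug report, the following script shows the colon behaviour described above and two defensive settings a user can apply today: --force-local, and the /bin/false --rsh-command the report proposes. It assumes GNU tar (the package above) and a /bin/false binary; the directory and key file it archives are constructed, not real keys.

```sh
#!/bin/sh
# Added example, not part of the bug report. Assumes GNU tar with its
# --force-local and --rsh-command options, and that /bin/false exists.

# Create an archive whose name contains ':' and keep it local no matter
# what: --force-local disables the 'host:file' interpretation, and
# --rsh-command=/bin/false (the default the report asks for) makes any
# remaining remote path fail instead of contacting a host.
# Returns tar's exit status.
local_tar_create() {
    archive=$1
    shift
    tar --force-local --rsh-command=/bin/false -c -f "$archive" "$@"
}

# Show what the proposed default does to a plain 'host:file' name: tar
# still parses it as remote, but the transport command is /bin/false, so
# the run fails and nothing is written locally or sent anywhere.
# Returns 0 when tar failed and no local file of that name appeared.
failing_remote_default() {
    archive=$1
    shift
    if tar --rsh-command=/bin/false -c -f "$archive" "$@" 2>/dev/null; then
        return 1
    fi
    [ ! -e "$archive" ]
}

# Run both in a scratch directory holding a constructed "key" file.
# Returns 0 only if the colon-named archive was created locally and is
# listable, and the 'backup:keys.tar' attempt failed without a local file.
demo() {
    work=$(mktemp -d) || return 1
    (
        cd "$work" || exit 1
        mkdir keys || exit 1
        printf 'constructed sample, not a real key\n' > keys/id_demo
        local_tar_create "19.04.17.01:keys.tar" keys || exit 1
        tar --force-local -tf "19.04.17.01:keys.tar" | grep -q '^keys/id_demo$' || exit 1
        failing_remote_default "backup:keys.tar" keys || exit 1
    )
    status=$?
    rm -rf "$work"
    return "$status"
}

demo && echo "colon-named archive stayed local; host:file attempt failed safely"
```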
