backups fail since latest rsync security update

Bug #2009756 reported by Aurélien Gâteau
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| backintime (Ubuntu) | Fix Released | Undecided | Marc Deslauriers | |
| Jammy | Fix Released | Undecided | Marc Deslauriers | |
| Kinetic | Fix Released | Undecided | Marc Deslauriers | |
| Lunar | Fix Released | Undecided | Marc Deslauriers | |
| rsync (Ubuntu) | Invalid | Undecided | Unassigned | |
| Jammy | Invalid | Undecided | Unassigned | |
| Kinetic | Invalid | Undecided | Unassigned | |
| Lunar | Invalid | Undecided | Unassigned | |

Bug Description

Backintime uses rsync to perform updates. Unfortunately there is an incompatibility between the currently released version of backintime and rsync >= 3.2.4 (see https://github.com/bit-team/backintime/issues/1247).

Rsync has been updated from 3.2.3 to 3.2.7 on Feb 27. This broke backintime backups. The symptom is an error message like this:

```
Command "rsync -a --delete --rsh=ssh -o ServerAliveInterval=240 -o LogLevel=Error -o IdentityFile=/home/aurelien/.ssh/backintime -p 22 /tmp/tmpxilwcwk4/ <email address hidden>:"./backintime/switch/aurelien/1/20230308-230517-262"" returns 3 | rsync: change_dir#3 "/data/home/user//"./backintime/switch/aurelien/1" failed: No such file or directory (2)
```

The workaround described in the GitHub issue works (passing `--old-args` to rsync), but maybe it would be better if the backintime package did this automatically?

ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: backintime-common 1.2.1-3ubuntu0.1
ProcVersionSignature: Ubuntu 5.19.0-35.36~22.04.1-generic 5.19.17
Uname: Linux 5.19.0-35-generic x86_64
ApportVersion: 2.20.11-0ubuntu82.3
Architecture: amd64
CasperMD5CheckResult: unknown
CurrentDesktop: KDE
Date: Wed Mar 8 23:19:02 2023
InstallationDate: Installed on 2021-06-23 (623 days ago)
InstallationMedia: Kubuntu 20.04.2.0 LTS "Focal Fossa" - Release amd64 (20210209.1)
PackageArchitecture: all
SourcePackage: backintime
UpgradeStatus: Upgraded to jammy on 2022-08-24 (196 days ago)
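
The failure and the `--old-args` workaround described in the report above, as an added example that is not part of the original report and is not backintime's or the Ubuntu patch's code. `remote_sees` is a simplified model of rsync's argument handling, and `build_rsync_cmd`, the host name and the version strings are constructed for illustration.

```python
import re
import shlex

# Per the report, the incompatibility starts with rsync 3.2.4.
NEW_ARG_PROTECTION = (3, 2, 4)

# Constructed samples of the first line of `rsync --version`.
OLD_RSYNC = "rsync  version 3.2.3  protocol version 31\n"
NEW_RSYNC = "rsync  version 3.2.7  protocol version 31\n"


def parse_rsync_version(version_output):
    """Extract (major, minor, patch) from `rsync --version` output."""
    m = re.search(r"rsync\s+version\s+v?(\d+)\.(\d+)\.(\d+)", version_output)
    if not m:
        raise ValueError("unrecognised rsync --version output")
    return tuple(int(p) for p in m.groups())


def remote_sees(path_arg, new_protection):
    """Model the path the remote rsync receives for one remote path argument.

    Old behaviour: the argument is pasted into the remote command line as-is,
    so the remote shell interprets (and strips) any quotes inside it.
    New behaviour: rsync backslash-escapes shell-active characters first,
    so embedded quotes arrive as literal characters of the directory name.
    """
    if new_protection:
        # Simplified stand-in for rsync's escaping of shell-active characters.
        path_arg = re.sub(r"([^\w./-])", r"\\\1", path_arg)
    return shlex.split("rsync --server . " + path_arg)[-1]


def build_rsync_cmd(version_output, src, host, remote_path):
    """Hypothetical helper: keep legacy quoting, add --old-args when required."""
    cmd = ["rsync", "-a", "--delete", "--rsh=ssh"]
    if parse_rsync_version(version_output) >= NEW_ARG_PROTECTION:
        cmd.append("--old-args")  # restore the pre-3.2.4 argument handling
    cmd += [src, '%s:"%s"' % (host, remote_path)]
    return cmd


if __name__ == "__main__":
    quoted = '"./backintime/switch/aurelien/1"'
    print("old rsync, remote path:", remote_sees(quoted, False))
    print("new rsync, remote path:", remote_sees(quoted, True))
    print(build_rsync_cmd(NEW_RSYNC, "/tmp/src/", "user@backup.example", "./backintime/x"))
```

The literal quotes in the second result correspond to the `"./backintime/...` directory that `change_dir` fails to find in the error message. rsync releases before 3.2.4 do not have `--old-args`, so the flag is only added after the version check.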

buhtz (buhtz) wrote :

Hello,

and thanks for reporting.

Did you use Back In Time version "1.2.1-3ubuntu0.1"? Did I get that right from your attachments?

Of course this can't work. When using a new rsync (which makes the "new argument protection" the default behavior) you need at least BIT 1.3.4.
It seems to me that you are using "Ubuntu 22.04".

Ubuntu 22.04 now ships with rsync 3.2.7, which is "too new" and incompatible with backintime 1.2.1.

I don't understand why they updated the rsync version. They have definitely done more than just backporting security fixes. They were lazy and just updated rsync. That is not an elegant solution. Report this as a bug to rsync. The key fact is that the security fix of rsync made the "new argument protection" the default behavior.

Keep in mind that this Bug Tracker here is related to the PPA. I assume we won't invest time to fix something that was broken by Ubuntu.

Ubuntu itself doesn't have an official backintime package. They only provide one in the universe repo which is maintained by the community without getting paid.

You can ask Ubuntu to officially get BackInTime in the main repo.

You can ask the universe maintainer to create a jammy-backport for backintime.

Or you can switch to a different GNU/Linux distribution.

Changed in backintime (Ubuntu):
status: New → Invalid
assignee: nobody → buhtz (buhtz)
buhtz (buhtz) wrote :

Please link the rsync bug in this tracker.

description: updated
buhtz (buhtz) wrote :

I opened a "question" at the rsync package
https://answers.launchpad.net/ubuntu/+source/rsync/+question/705772

And I also informed the rsync upstream maintainer about the situation.

As a workaround until Ubuntu has fixed the rsync-update-bug, I would advise using Back In Time from upstream (GitHub repo) or the PPA.
https://github.com/bit-team/backintime#installation

Marc Deslauriers (mdeslaur) wrote :

Hi @agateau,

I have uploaded fixed backintime packages for jammy and kinetic to the security team PPA here:

https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages

Once they are finished building, could you give them a try? If they work correctly, I will release them.

Thanks!

Changed in backintime (Ubuntu):
status: Invalid → In Progress
assignee: buhtz (buhtz) → Marc Deslauriers (mdeslaur)
Changed in backintime (Ubuntu Lunar):
status: In Progress → Fix Released
Changed in backintime (Ubuntu Kinetic):
status: New → In Progress
Changed in backintime (Ubuntu Jammy):
status: New → In Progress
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in backintime (Ubuntu Kinetic):
assignee: nobody → Marc Deslauriers (mdeslaur)
buhtz (buhtz) wrote :

I'm not happy about the situation. But maybe I'm too conservative about it.

There is no known security problem with BIT. So you shouldn't use the security repo to update it.

Marc Deslauriers (mdeslaur) wrote :

Some users only have the -security pocket enabled, and not -updates, so when a fix is required for a regression introduced by a security update, it needs to go to the -security pocket. It doesn't in any way mean BIT had a security issue.

buhtz (buhtz) wrote :

Dear Marc,
thanks for explaining and your patience.

I think I'm a bit blinded here because of my "Debian stable" experience. I also mixed up the terms "stable" and "LTS", which seem not to be the same.

information type: Public → Public Security
Aurélien Gâteau (agateau) wrote :

Hi Marc,

I just tested it. Unfortunately the package fails to install:

```
Preparing to unpack .../backintime-common_1.2.1-3ubuntu0.2_all.deb ...
Unpacking backintime-common (1.2.1-3ubuntu0.2) over (1.2.1-3ubuntu0.2) ...
Preparing to unpack .../backintime-qt_1.2.1-3ubuntu0.2_all.deb ...
Unpacking backintime-qt (1.2.1-3ubuntu0.2) over (1.2.1-3ubuntu0.2) ...
Setting up backintime-common (1.2.1-3ubuntu0.2) ...
  File "/usr/share/backintime/common/snapshots.py", line 596
    sid.path(use_mode = ['ssh', 'ssh_encfs'])
    ^^^^^
SyntaxError: invalid syntax. Perhaps you forgot a comma?
dpkg: error processing package backintime-common (--install):
 installed backintime-common package post-installation script subprocess returned error exit status 1
dpkg: dependency problems prevent configuration of backintime-qt:
 backintime-qt depends on backintime-common (= 1.2.1-3ubuntu0.2); however:
  Package backintime-common is not configured yet.
```

After looking at the code, I think line 596 is indeed missing a comma at the end.

Marc Deslauriers (mdeslaur) wrote :

Oh whoops, sorry about that, I'll upload a fixed version first thing tomorrow (after at least installing it this time).

Marc Deslauriers (mdeslaur) wrote :

I have fixed the typo, and have uploaded new packages to the PPA listed above. I've run a successful backup with them on both jammy and kinetic.

Could you please confirm they fix the issue for you? Thanks!

Aurélien Gâteau (agateau) wrote :

Looks good now, works for me on jammy. Thanks!

Marc Deslauriers (mdeslaur) wrote :

Great, I'll release the updates Monday morning. Thanks for testing!

tags: added: regression-update
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package backintime - 1.3.2-0.1ubuntu0.2

---------------
backintime (1.3.2-0.1ubuntu0.2) kinetic-security; urgency=medium

  * Fix compatibility with rsync security update (LP: #2009756)
    - debian/patches/rsync_compat.patch: fix changes to argument protection
      in common/config.py, common/snapshots.py, common/sshtools.py,
      common/test/test_sshtools.py, common/test/test_takeSnapshot.py,
      common/tools.py.

 -- Marc Deslauriers <email address hidden> Thu, 09 Mar 2023 07:41:05 -0500

Changed in backintime (Ubuntu Kinetic):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package backintime - 1.2.1-3ubuntu0.3

---------------
backintime (1.2.1-3ubuntu0.3) jammy-security; urgency=medium

  * Fix compatibility with rsync security update (LP: #2009756)
    - debian/patches/rsync_compat.patch: fix changes to argument protection
      in common/config.py, common/snapshots.py, common/sshtools.py,
      common/test/test_sshtools.py, common/test/test_takeSnapshot.py,
      common/tools.py.

 -- Marc Deslauriers <email address hidden> Thu, 09 Mar 2023 08:02:57 -0500

Changed in backintime (Ubuntu Jammy):
status: In Progress → Fix Released
Changed in rsync (Ubuntu Jammy):
status: New → Invalid
Changed in rsync (Ubuntu Kinetic):
status: New → Invalid
Changed in rsync (Ubuntu Lunar):
status: New → Invalid