Rsync 3.4.3 Breaks Incremental Backups – Community Reacts to Unexpected Regression

Startups Reporter

A developer’s backup pipeline failed after upgrading to rsync 3.4.3, sparking a discussion on the Mastodon gamedev community about upstream changes, the role of AI‑generated patches, and the trade‑off between security fixes and reliability in critical tools.

The problem

Jeremiah Fieldhaven, a maintainer of an incremental backup system that relies on a chain of --compare-dest= arguments, reported that after moving from rsync 3.4.1 to 3.4.3 his backups stopped working unless he performed a full copy. The failure manifested only on incremental runs, suggesting a subtle change in how rsync evaluates destination directories.

What changed in rsync 3.4.3?

The official changelog for the 3.4.3 release lists a handful of security patches and bug fixes, but none that directly mention --compare-dest. A quick look at the commit history shows 36 commits between 3.4.1 and 3.4.3, authored mainly by tridge and claude. One of those commits is referenced in the community thread as issue #915 on the rsync GitHub repository. The issue notes that a recent change to the handling of symbolic links and file‑mode checks could affect scripts that depend on exact timestamp preservation – a core assumption in many incremental backup setups.

Community response

The Mastodon thread quickly turned into a broader conversation about the health of open‑source maintenance:

  • Leah Neukirchen linked to the GitHub issue, pointing out that the regression is likely tied to the security‑focused changes.
  • Cap Ybarra suggested that the project may need new caretakers if the current maintainers cannot keep the code stable for production use.
  • Alien software, human hardware warned that freezing updates on critical systems may become a common coping strategy, even though it leaves security holes unpatched.
  • Several participants, including Mike Ely and Carl Gustav Ju, expressed disappointment that a tool with a reputation for reliability is now being altered by contributors who appear to be using AI‑assisted code generation. The sentiment was that AI‑generated patches can introduce “slop” when not carefully reviewed.
  • Erik Johnson and Christopher Snowhill expanded the debate to the larger question of whether developers should trust AI‑produced code at all, especially in safety‑critical contexts.

Why this matters for developers

Rsync is a cornerstone of many backup, deployment, and synchronization pipelines. A regression that silently breaks incremental logic can lead to:

  1. Data loss risk – if only full backups succeed, storage costs rise and the window for recovery narrows.
  2. Operational friction – teams may need to roll back updates, add manual verification steps, or switch to alternative tools like rclone or ZFS send/receive.
  3. Security‑reliability trade‑off – staying on an older version avoids the bug but leaves known vulnerabilities unpatched, exposing systems to potential attacks.

Possible work‑arounds

Until the upstream issue is resolved, practitioners have a few options:

  • Pin rsync to 3.4.1 in deployment scripts and monitor the security advisory list for any critical CVEs that affect that version.
  • Switch to a different sync engine for incremental backups, such as rdiff-backup or bup, which implement similar --compare-dest semantics but have separate maintenance tracks.
  • Patch locally – clone the rsync repository, revert the specific commit that introduced the regression (identified in issue #915), and build a custom binary. This approach requires a solid understanding of the code base and may not be feasible for all teams.
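
A pre-flight check for the first work-around, as an added example that is not part of the original article or the rsync project: it refuses to proceed unless the installed rsync matches the pinned version and a scratch two-level --compare-dest chain transfers only the files that changed. The function names, return codes and scratch files are assumptions made for this example, and the canary exercises general --compare-dest behaviour rather than the specific regression tracked in issue #915.

```shell
#!/bin/sh
# Added example: pre-flight gate for a --compare-dest backup chain.
# Function names, return codes and scratch files are constructed for this sketch.

# Extract the version from an `rsync --version` banner read on stdin.
rsync_banner_version() {
    sed -n 's/^rsync  *version \([0-9][^ ]*\).*/\1/p' | head -n 1
}

# Build a full copy plus two incrementals in a scratch directory.
# Returns 0 if each incremental holds only what changed, 1 if not,
# 2 if rsync or mktemp is unavailable.
compare_dest_canary() {
    command -v rsync >/dev/null 2>&1 || return 2
    t=$(mktemp -d) || return 2
    mkdir "$t/src" "$t/full" "$t/inc1" "$t/inc2"
    echo one > "$t/src/a.txt"
    echo two > "$t/src/b.txt"
    rsync -a "$t/src/" "$t/full/"
    # Change b.txt (new size, so the default quick check sees it).
    echo changed-b > "$t/src/b.txt"
    rsync -a --compare-dest="$t/full" "$t/src/" "$t/inc1/"
    # Add c.txt, then chain both earlier destinations.
    echo three > "$t/src/c.txt"
    rsync -a --compare-dest="$t/full" --compare-dest="$t/inc1" \
        "$t/src/" "$t/inc2/"
    rc=0
    [ -f "$t/full/a.txt" ] && [ -f "$t/full/b.txt" ] || rc=1
    [ -f "$t/inc1/b.txt" ] && [ ! -e "$t/inc1/a.txt" ] || rc=1
    [ -f "$t/inc2/c.txt" ] || rc=1
    [ ! -e "$t/inc2/a.txt" ] && [ ! -e "$t/inc2/b.txt" ] || rc=1
    rm -rf "$t"
    return "$rc"
}

# Gate: 3 if the installed rsync is not the pinned version, else the
# canary's result. Call as: backup_preflight 3.4.1 || exit 1
backup_preflight() {
    pinned=$1
    have=$(rsync --version 2>/dev/null | rsync_banner_version)
    if [ "$have" != "$pinned" ]; then
        echo "rsync '${have:-not found}' is not pinned version $pinned" >&2
        return 3
    fi
    compare_dest_canary
}
```

Extending the canary with the same flags and file types the real backup uses (symbolic links, specific modes) makes it more likely to catch a behaviour change before a production run does.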

Looking ahead

The conversation underscores a growing tension in the open‑source ecosystem: the need for rapid security updates versus the expectation of rock‑solid stability for core utilities. As more contributors rely on AI‑assisted coding, projects may need stricter review pipelines to catch regressions that affect downstream users.

For now, anyone experiencing similar breakage should check the rsync issue tracker for updates, consider the work‑arounds above, and keep an eye on the discussion around AI‑generated patches in critical infrastructure.
