Fix --preallocate --sparse to actually produce sparse files

rsync.1 says combining --preallocate with --sparse yields sparse blocks wherever the filesystem can punch holes, but since 2019 (commit c2da3809, "keep file-size 0 when possible") it has silently left the file fully allocated. Two problems, both rooted in that commit switching --preallocate / --inplace to fallocate(FALLOC_FL_KEEP_SIZE): * do_fallocate() then returned 0 instead of the reserved length, so the receiver's preallocated_len was 0 and write_sparse() always lseek'd over null runs instead of punching them (and the over-preallocation trim in receiver.c never fired either). * more fundamentally, KEEP_SIZE leaves the file size at 0 while data is written incrementally, so the FALLOC_FL_PUNCH_HOLE call lands on blocks beyond EOF and is a silent no-op -- the reserved blocks are never freed. Fix both: don't request KEEP_SIZE when --sparse is also active, so the file is preallocated at full size and the punch lands within it; and return the reserved length from do_fallocate() so preallocated_len drives the punch decision and the over-allocation trim. --preallocate without --sparse keeps the KEEP_SIZE (file-size-0) behaviour. t_stub.c gains a sparse_files stub since do_fallocate now references it and the test helpers link syscall.o. preallocate_test.py now asserts via st_blocks (where the filesystem can punch holes) that --preallocate --sparse ends up sparse, guarding the regression. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
ci: run the OpenBSD --use-tcp test step at -j2
2026-05-25 07:15:35 -04:00 · 2026-05-25 14:03:58 +10:00 · 2026-05-25 07:44:12 +10:00 · 2026-05-25 07:44:12 +10:00 · 2026-05-25 07:44:12 +10:00 · 2026-05-25 07:44:12 +10:00
340 changed files with 28475 additions and 8525 deletions
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -1,23 +0,0 @@
-freebsd_task:
-  name: FreeBSD
-  freebsd_instance:
-    image_family: freebsd-13-0
-  env:
-    PATH: /usr/local/bin:$PATH
-  prep_script:
-    - dd if=/dev/zero of=/tmp/zpool bs=1M count=1024
-    - zpool create -m `pwd`/testtmp zpool /tmp/zpool
-    - pkg install -y bash autotools m4 xxhash zstd liblz4 wget
-    - wget -O git-version.h https://gist.githubusercontent.com/WayneD/c11243fa374fc64d4e42f2855c8e3827/raw/rsync-git-version.h
-  configure_script:
-    - CPPFLAGS=-I/usr/local/include/ LDFLAGS=-L/usr/local/lib/ ./configure --disable-md2man
-  make_script:
-    - make
-  install_script:
-    - make install
-  info_script:
-    - rsync --version
-  test_script:
-    - RSYNC_EXPECT_SKIPPED=acls-default,acls,crtimes,protected-regular make check
-  ssl_file_list_script:
-    - rsync-ssl --no-motd download.samba.org::rsyncftp/ || true
--- a/.gitattributes
+++ b/.gitattributes
@@ -1 +1,8 @@
 * text=auto eol=lf
+
+# The rsync-web/ subdirectory holds the project website source content
+# (mirrors what gets pushed to https://rsync.samba.org).  Exclude it from
+# `git archive` output so the release source tarball produced by
+# packaging/release.py step_7_tarball does not bloat with HTML the
+# tarball doesn't need.
+/rsync-web/ export-ignore
--- a/.github/workflows/almalinux-8-build.yml
+++ b/.github/workflows/almalinux-8-build.yml
@@ -0,0 +1,82 @@
+name: Test rsync on AlmaLinux 8
+
+# Older-LTS coverage on the Fedora/RHEL family to help with backporting
+# security fixes. AlmaLinux 8 is the RHEL 8 rebuild and is the oldest
+# active LTS in this family (RHEL 8 full support runs to 2029).
+# GitHub Actions has no native runner for this family, so the job runs
+# inside an almalinux:8 container hosted on ubuntu-latest.
+
+on:
+  push:
+    branches: [ master ]
+    paths-ignore:
+      - '.github/workflows/*.yml'
+      - '!.github/workflows/almalinux-8-build.yml'
+  pull_request:
+    branches: [ master ]
+    paths-ignore:
+      - '.github/workflows/*.yml'
+      - '!.github/workflows/almalinux-8-build.yml'
+  schedule:
+    - cron: '42 8 * * *'
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    container:
+      image: almalinux:8
+    name: Test rsync on AlmaLinux 8
+    steps:
+    - name: install git
+      # actions/checkout needs git in the container before the checkout step.
+      run: dnf -y install git
+    - uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+    - name: prep
+      # PowerTools is needed for libzstd-devel etc; xxhash and lz4 dev
+      # headers live in EPEL on RHEL 8. The default python3 on RHEL 8
+      # is 3.6, which is too old for runtests.py (uses capture_output=
+      # / text= introduced in 3.7), so install python39 and point
+      # /usr/bin/python3 at it.
+      run: |
+        dnf -y install epel-release
+        dnf config-manager --set-enabled powertools
+        dnf -y install gcc gcc-c++ make autoconf automake m4 \
+            python39 python39-pip diffutils \
+            openssl openssl-devel \
+            attr libattr-devel acl libacl-devel \
+            zstd libzstd-devel \
+            lz4 lz4-devel \
+            xxhash xxhash-devel
+        alternatives --set python3 /usr/bin/python3.9
+        pip3 install commonmark
+    - name: configure
+      run: ./configure --with-rrsync
+    - name: make
+      run: make
+    - name: info
+      run: ./rsync --version
+    - name: check
+      # In the container we already run as root, so no sudo. The
+      # crtimes-not-supported skip matches the other Linux jobs;
+      # daemon-chroot-acl and proxy-response-line-too-long skip because
+      # the default (secure) transport opens no listening socket.
+      run: RSYNC_EXPECT_SKIPPED=crtimes,daemon-access-ip,daemon-chroot-acl,proxy-response-line-too-long make check
+    - name: check (TCP daemon transport)
+      # Second run exercising the real loopback-TCP daemon path.
+      run: ./runtests.py --rsync-bin=`pwd`/rsync --use-tcp -j 8
+    - name: ssl file list
+      run: ./rsync-ssl --no-motd download.samba.org::rsyncftp/ || true
+    - name: save artifact
+      uses: actions/upload-artifact@v4
+      with:
+        name: almalinux-8-bin
+        path: |
+          rsync
+          rsync-ssl
+          rsync.1
+          rsync-ssl.1
+          rsyncd.conf.5
+          rrsync.1
+          rrsync
--- a/.github/workflows/android-static-build.yml
+++ b/.github/workflows/android-static-build.yml
@@ -0,0 +1,120 @@
+name: Build static rsync for Android
+
+# Cross-compiles statically-linked rsync binaries with the Android NDK,
+# suitable for dropping onto a phone (adb push / Termux) with no shared
+# libraries. arm64-v8a covers all modern phones; armeabi-v7a covers older
+# 32-bit devices. The binaries are uploaded as workflow artifacts.
+#
+# These are cross-compiled, so the test suite can't run here; we sanity
+# check that each binary is the right architecture, is static, and that
+# it executes (`--version`) under qemu-user.
+
+on:
+  push:
+    branches: [ master ]
+    paths-ignore:
+      - '.github/workflows/*.yml'
+      - '!.github/workflows/android-static-build.yml'
+  pull_request:
+    branches: [ master ]
+    paths-ignore:
+      - '.github/workflows/*.yml'
+      - '!.github/workflows/android-static-build.yml'
+  schedule:
+    - cron: '42 8 * * *'
+  workflow_dispatch:
+
+env:
+  # Minimum supported API level. 24 (Android 7.0) runs on every modern
+  # phone while keeping broad reach; bump if you need newer Bionic APIs.
+  ANDROID_API: 24
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    name: ${{ matrix.abi }}
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - abi: arm64-v8a       # modern phones
+            triple: aarch64-linux-android
+            qemu: qemu-aarch64-static
+          - abi: armeabi-v7a     # older 32-bit phones
+            triple: armv7a-linux-androideabi
+            qemu: qemu-arm-static
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Install build prerequisites
+        run: sudo apt-get update && sudo apt-get install -y autoconf automake gawk qemu-user-static
+
+      - name: Configure and build (${{ matrix.abi }})
+        shell: bash
+        run: |
+          set -euo pipefail
+          NDK="${ANDROID_NDK_LATEST_HOME:-$ANDROID_NDK_ROOT}"
+          TC="$NDK/toolchains/llvm/prebuilt/linux-x86_64/bin"
+          export CC="$TC/${{ matrix.triple }}${ANDROID_API}-clang"
+          export AR="$TC/llvm-ar" RANLIB="$TC/llvm-ranlib" STRIP="$TC/llvm-strip"
+          export CFLAGS="-O2" LDFLAGS="-static"
+
+          # Bionic doesn't declare lchmod()/lutimes() until API 36, but the
+          # symbols link, so configure mis-detects them -- force them off so
+          # rsync uses its fallbacks. The other cache vars restore values
+          # that configure can't probe when cross-compiling (Android runs a
+          # normal Linux kernel, so these match the native Linux result).
+          export ac_cv_func_lchmod=no ac_cv_func_lutimes=no \
+                 rsync_cv_HAVE_SOCKETPAIR=yes \
+                 rsync_cv_MKNOD_CREATES_FIFOS=yes \
+                 rsync_cv_MKNOD_CREATES_SOCKETS=yes
+
+          # Self-contained build: drop optional external libraries so the
+          # static binary needs nothing at runtime. rsync keeps md5/md4
+          # checksums and its bundled zlib.
+          ./configure --host=${{ matrix.triple }} --build=x86_64-pc-linux-gnu \
+            --enable-ipv6 \
+            --disable-zstd --disable-lz4 --disable-xxhash --disable-openssl \
+            --disable-iconv --disable-iconv-open \
+            --disable-acl-support --disable-xattr-support \
+            --disable-md2man --disable-roll-simd \
+            --with-included-popt --with-included-zlib
+
+          # Generate the awk-built headers serially first so the parallel
+          # build can't race on proto.h <- daemon-parm.h.
+          make proto.h
+          make -j"$(nproc)" rsync
+          "$STRIP" rsync
+
+      - name: Verify binary
+        shell: bash
+        run: |
+          set -euo pipefail
+          file rsync
+          # Gate: must be a statically-linked executable (no interpreter).
+          file rsync | grep -q "statically linked"
+          if file rsync | grep -q "dynamically linked"; then
+            echo "ERROR: binary is not static" >&2; exit 1
+          fi
+          # Best-effort: confirm it actually runs under qemu-user.
+          ${{ matrix.qemu }} ./rsync --version | head -3 || \
+            echo "WARNING: qemu smoke test did not run cleanly (check on a real device)"
+
+      - name: Package
+        shell: bash
+        run: |
+          set -euo pipefail
+          VER=$(sed -n 's/.*RSYNC_VERSION "\([^"]*\)".*/\1/p' version.h)
+          out="rsync-${VER}-android-${{ matrix.abi }}"
+          mkdir -p dist
+          cp rsync "dist/$out"
+          ( cd dist && sha256sum "$out" > "$out.sha256" )
+          echo "ARTIFACT_NAME=rsync-android-${{ matrix.abi }}" >>"$GITHUB_ENV"
+
+      - name: Upload artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ env.ARTIFACT_NAME }}
+          path: dist/
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,125 +0,0 @@
-name: build
-
-on:
-  push:
-    branches: [ master ]
-    paths-ignore: [ .cirrus.yml ]
-  pull_request:
-    branches: [ master ]
-    paths-ignore: [ .cirrus.yml ]
-  schedule:
-    - cron: '42 8 * * *'
-
-jobs:
-
-  ubuntu-build:
-    runs-on: ubuntu-20.04
-    steps:
-    - uses: actions/checkout@v2
-    - name: prep
-      run: |
-        sudo apt-get install acl libacl1-dev attr libattr1-dev liblz4-dev libzstd-dev libxxhash-dev python3-cmarkgfm openssl wget
-        wget -O git-version.h https://gist.githubusercontent.com/WayneD/c11243fa374fc64d4e42f2855c8e3827/raw/rsync-git-version.h
-        echo "/usr/local/bin" >>$GITHUB_PATH
-    - name: configure
-      run: ./configure --with-rrsync
-    - name: make
-      run: make
-    - name: install
-      run: sudo make install
-    - name: info
-      run: rsync --version
-    - name: check
-      run: sudo RSYNC_EXPECT_SKIPPED=crtimes make check
-    - name: check30
-      run: sudo RSYNC_EXPECT_SKIPPED=crtimes make check30
-    - name: check29
-      run: sudo RSYNC_EXPECT_SKIPPED=crtimes make check29
-    - name: ssl file list
-      run: rsync-ssl --no-motd download.samba.org::rsyncftp/ || true
-    - name: save artifact
-      uses: actions/upload-artifact@v2
-      with:
-        name: ubuntu-bin
-        path: |
-          rsync
-          rsync-ssl
-          rsync.1
-          rsync-ssl.1
-          rsyncd.conf.5
-          rrsync.1
-          rrsync
-
-  macos-build:
-    runs-on: macos-latest
-    steps:
-    - uses: actions/checkout@v2
-    - name: prep
-      run: |
-        brew install automake openssl xxhash zstd lz4 wget
-        sudo pip3 install commonmark
-        wget -O git-version.h https://gist.githubusercontent.com/WayneD/c11243fa374fc64d4e42f2855c8e3827/raw/rsync-git-version.h
-        echo "/usr/local/bin" >>$GITHUB_PATH
-    - name: configure
-      run: CPPFLAGS=-I/usr/local/opt/openssl/include/ LDFLAGS=-L/usr/local/opt/openssl/lib/ ./configure --with-rrsync
-    - name: make
-      run: make
-    - name: install
-      run: sudo make install
-    - name: info
-      run: rsync --version
-    - name: check
-      run: sudo RSYNC_EXPECT_SKIPPED=acls-default,chmod-temp-dir,chown-fake,devices-fake,dir-sgid,protected-regular,xattrs-hlink,xattrs make check
-    - name: ssl file list
-      run: rsync-ssl --no-motd download.samba.org::rsyncftp/ || true
-    - name: save artifact
-      uses: actions/upload-artifact@v2
-      with:
-        name: macos-bin
-        path: |
-          rsync
-          rsync-ssl
-          rsync.1
-          rsync-ssl.1
-          rsyncd.conf.5
-          rrsync.1
-          rrsync
-
-  cygwin-build:
-    runs-on: windows-2022
-    if: (github.event_name == 'schedule' || contains(github.event.head_commit.message, '[buildall]'))
-    steps:
-    - uses: actions/checkout@v2
-    - name: cygwin
-      run: choco install -y --no-progress cygwin cyg-get
-    - name: prep
-      run: |
-        cyg-get make autoconf automake gcc-core attr libattr-devel python39 python39-pip libzstd-devel liblz4-devel libssl-devel libxxhash0 libxxhash-devel
-        curl.exe -o git-version.h https://gist.githubusercontent.com/WayneD/c11243fa374fc64d4e42f2855c8e3827/raw/rsync-git-version.h
-        echo "C:/tools/cygwin/bin" >>$Env:GITHUB_PATH
-    - name: commonmark
-      run: bash -c 'python3 -mpip install --user commonmark'
-    - name: configure
-      run: bash -c './configure --with-rrsync'
-    - name: make
-      run: bash -c 'make'
-    - name: install
-      run: bash -c 'make install'
-    - name: info
-      run: bash -c '/usr/local/bin/rsync --version'
-    - name: check
-      run: bash -c 'RSYNC_EXPECT_SKIPPED=acls-default,acls,chown,devices,dir-sgid,protected-regular make check'
-    - name: ssl file list
-      run: bash -c 'PATH="/usr/local/bin:$PATH" rsync-ssl --no-motd download.samba.org::rsyncftp/ || true'
-    - name: save artifact
-      uses: actions/upload-artifact@v2
-      with:
-        name: cygwin-bin
-        path: |
-          rsync.exe
-          rsync-ssl
-          rsync.1
-          rsync-ssl.1
-          rsyncd.conf.5
-          rrsync.1
-          rrsync
--- a/.github/workflows/coverage.yml
+++ b/.github/workflows/coverage.yml
@@ -0,0 +1,71 @@
+name: Coverage (Ubuntu)
+
+on:
+  push:
+    branches: [ master ]
+    paths-ignore:
+      - '.github/workflows/*.yml'
+      - '!.github/workflows/coverage.yml'
+  pull_request:
+    branches: [ master ]
+    paths-ignore:
+      - '.github/workflows/*.yml'
+      - '!.github/workflows/coverage.yml'
+  schedule:
+    - cron: '42 9 * * *'
+  workflow_dispatch:
+
+jobs:
+  coverage:
+    runs-on: ubuntu-latest
+    name: gcov coverage
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+    - name: prep
+      run: |
+        sudo apt-get update
+        sudo apt-get install -y acl libacl1-dev attr libattr1-dev liblz4-dev libzstd-dev libxxhash-dev python3-cmarkgfm openssl gcovr
+        echo "/usr/local/bin" >>$GITHUB_PATH
+    - name: configure
+      run: ./configure --enable-coverage --with-rrsync
+    - name: make
+      run: make
+    - name: info
+      run: rsync --version
+    # Two coverage runs: the default pipe transport, then a second pass over a
+    # real loopback rsyncd (--use-tcp) which also exercises the require_tcp-only
+    # tests. gcovr's --print-summary line/branch/decision totals go to the step
+    # log (and the job summary below), so the numbers are visible in CI.
+    # `make coverage` exits with the suite's status, so a regression fails CI.
+    - name: coverage (pipe transport)
+      run: |
+        set -o pipefail
+        sudo make coverage 2>&1 | tee cov-pipe.log
+    - name: coverage (TCP transport)
+      run: |
+        set -o pipefail
+        sudo make coverage-tcp 2>&1 | tee cov-tcp.log
+    - name: coverage summary
+      if: always()
+      run: |
+        {
+          echo "## gcov coverage"
+          echo "### Pipe transport (\`make coverage\`)"
+          echo '```'
+          grep -E '^(lines|functions|branches|decisions):' cov-pipe.log || echo '(no summary -- see step log)'
+          echo '```'
+          echo "### TCP transport (\`make coverage-tcp\`)"
+          echo '```'
+          grep -E '^(lines|functions|branches|decisions):' cov-tcp.log || echo '(no summary -- see step log)'
+          echo '```'
+        } >> "$GITHUB_STEP_SUMMARY"
+    - name: upload HTML reports
+      if: always()
+      uses: actions/upload-artifact@v4
+      with:
+        name: coverage-html
+        path: |
+          coverage
+          coverage-tcp
--- a/.github/workflows/cygwin-build.yml
+++ b/.github/workflows/cygwin-build.yml
@@ -0,0 +1,65 @@
+name: Test rsync on Cygwin
+
+on:
+  push:
+    branches: [ master ]
+    paths-ignore:
+      - '.github/workflows/*.yml'
+      - '!.github/workflows/cygwin-build.yml'
+  pull_request:
+    branches: [ master ]
+    paths-ignore:
+      - '.github/workflows/*.yml'
+      - '!.github/workflows/cygwin-build.yml'
+  schedule:
+    - cron: '42 8 * * *'
+
+jobs:
+  test:
+    runs-on: windows-2022
+    name: Test rsync on Cygwin
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+    - name: cygwin
+      run: choco install -y --no-progress cygwin cyg-get
+    - name: prep
+      run: |
+        cyg-get make autoconf automake gcc-core attr libattr-devel python39 python39-pip libzstd-devel liblz4-devel libssl-devel libxxhash0 libxxhash-devel
+        echo "C:/tools/cygwin/bin" >>$Env:GITHUB_PATH
+    - name: commonmark
+      run: bash -c 'python3 -mpip install --user commonmark'
+    - name: configure
+      run: bash -c './configure --with-rrsync'
+    - name: make
+      run: bash -c 'make'
+    - name: install
+      run: bash -c 'make install'
+    - name: info
+      run: bash -c '/usr/local/bin/rsync --version'
+    - name: check
+      # chown-fake / devices-fake / xattrs / xattrs-hlink now RUN on Cygwin
+      # (rsyncfns.py drives xattrs via getfattr/setfattr from the `attr`
+      # package installed above), verified on a real Cygwin host. The real
+      # chown/devices tests still skip (need root/mknod), as do the
+      # RESOLVE_BENEATH symlink-race tests.
+      run: bash -c 'RSYNC_EXPECT_SKIPPED=acls-default,acls-depth,acls,bare-do-open-symlink-race,chdir-symlink-race,chown,daemon-access-ip,daemon-chroot-acl,devices,dir-sgid,open-noatime,protected-regular,proxy-response-line-too-long,sender-flist-symlink-leak,simd-checksum,symlink-dirlink-basis make check'
+    - name: check (TCP daemon transport)
+      # Second run with daemon tests over a real loopback rsyncd; the default
+      # 'make check' above uses the secure stdio-pipe transport.
+      run: bash -c './runtests.py --rsync-bin=`pwd`/rsync.exe --use-tcp -j 8'
+    - name: ssl file list
+      run: bash -c 'PATH="/usr/local/bin:$PATH" rsync-ssl --no-motd download.samba.org::rsyncftp/ || true'
+    - name: save artifact
+      uses: actions/upload-artifact@v4
+      with:
+        name: cygwin-bin
+        path: |
+          rsync.exe
+          rsync-ssl
+          rsync.1
+          rsync-ssl.1
+          rsyncd.conf.5
+          rrsync.1
+          rrsync
--- a/.github/workflows/freebsd-build.yml
+++ b/.github/workflows/freebsd-build.yml
@@ -0,0 +1,51 @@
+name: Test rsync on FreeBSD
+
+on:
+  push:
+    branches: [ master ]
+    paths-ignore:
+      - '.github/workflows/*.yml'
+      - '!.github/workflows/freebsd-build.yml'
+  pull_request:
+    branches: [ master ]
+    paths-ignore:
+      - '.github/workflows/*.yml'
+      - '!.github/workflows/freebsd-build.yml'
+  schedule:
+    - cron: '42 8 * * *'
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    name: Test rsync on FreeBSD
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+    - name: Test in FreeBSD VM
+      id: test
+      uses: vmactions/freebsd-vm@v1
+      with:
+        usesh: true
+        prepare: |
+          pkg install -y bash autotools m4 devel/xxhash zstd liblz4 python3 archivers/liblz4 git
+        run: |
+          freebsd-version
+          ./configure --with-rrsync -disable-zstd --disable-md2man --disable-xxhash --disable-lz4
+          make
+          ./rsync --version
+          make check
+          ./runtests.py --rsync-bin=`pwd`/rsync --use-tcp -j 8
+          ./rsync-ssl --no-motd download.samba.org::rsyncftp/ || true
+    - name: save artifact
+      uses: actions/upload-artifact@v4
+      with:
+        name: freebsd-bin
+        path: |
+          rsync
+          rsync-ssl
+          rsync.1
+          rsync-ssl.1
+          rsyncd.conf.5
+          rrsync.1
+          rrsync
--- a/.github/workflows/macos-build.yml
+++ b/.github/workflows/macos-build.yml
@@ -0,0 +1,65 @@
+name: Test rsync on macOS
+
+on:
+  push:
+    branches: [ master ]
+    paths-ignore:
+      - '.github/workflows/*.yml'
+      - '!.github/workflows/macos-build.yml'
+  pull_request:
+    branches: [ master ]
+    paths-ignore:
+      - '.github/workflows/*.yml'
+      - '!.github/workflows/macos-build.yml'
+  schedule:
+    - cron: '42 8 * * *'
+
+jobs:
+  test:
+    runs-on: macos-latest
+    name: Test rsync on macOS
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+    - name: prep
+      run: |
+        brew install automake openssl xxhash zstd lz4
+        pip3 install --user --break-system-packages commonmark
+        echo "$(brew --prefix)/bin" >>$GITHUB_PATH
+    - name: configure
+      run: |
+        BREW_PREFIX=$(brew --prefix)
+        OPENSSL_PREFIX=$(brew --prefix openssl)
+        CPPFLAGS="-I${BREW_PREFIX}/include -I${OPENSSL_PREFIX}/include" \
+        LDFLAGS="-L${BREW_PREFIX}/lib -L${OPENSSL_PREFIX}/lib" \
+        ./configure --with-rrsync
+    - name: make
+      run: make
+    - name: install
+      run: sudo make install
+    - name: info
+      run: rsync --version
+    - name: check
+      # chown-fake / devices-fake / xattrs / xattrs-hlink now RUN on macOS
+      # (rsyncfns.py drives xattrs via the `xattr` command), verified on a
+      # real macOS host, so they're no longer in the skip set.
+      run: sudo RSYNC_EXPECT_SKIPPED=acls-default,acls-depth,chmod-temp-dir,daemon-access-ip,daemon-chroot-acl,dir-sgid,open-noatime,preallocate,protected-regular,proxy-response-line-too-long,simd-checksum,sparse make check
+    - name: check (TCP daemon transport)
+      # Second run with daemon tests over a real loopback rsyncd; the default
+      # 'make check' above uses the secure stdio-pipe transport.
+      run: sudo ./runtests.py --rsync-bin=`pwd`/rsync --use-tcp -j 8
+    - name: ssl file list
+      run: rsync-ssl --no-motd download.samba.org::rsyncftp/ || true
+    - name: save artifact
+      uses: actions/upload-artifact@v4
+      with:
+        name: macos-bin
+        path: |
+          rsync
+          rsync-ssl
+          rsync.1
+          rsync-ssl.1
+          rsyncd.conf.5
+          rrsync.1
+          rrsync
--- a/.github/workflows/netbsd-build.yml
+++ b/.github/workflows/netbsd-build.yml
@@ -0,0 +1,52 @@
+name: Test rsync on NetBSD
+
+on:
+  push:
+    branches: [ master ]
+    paths-ignore:
+      - '.github/workflows/*.yml'
+      - '!.github/workflows/netbsd-build.yml'
+  pull_request:
+    branches: [ master ]
+    paths-ignore:
+      - '.github/workflows/*.yml'
+      - '!.github/workflows/netbsd-build.yml'
+  schedule:
+    - cron: '42 8 * * *'
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    name: Test rsync on NetBSD
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+    - name: Test in NetBSD VM
+      id: test
+      uses: vmactions/netbsd-vm@v1
+      with:
+        usesh: true
+        prepare: |
+          PATH=/usr/sbin:$PATH pkg_add autoconf automake python312
+          ln -sf /usr/pkg/bin/python3.12 /usr/pkg/bin/python3
+        run: |
+          uname -a
+          ./configure --with-rrsync --disable-zstd --disable-md2man --disable-xxhash --disable-lz4
+          make
+          ./rsync --version
+          make check
+          ./runtests.py --rsync-bin=`pwd`/rsync --use-tcp -j 8
+          ./rsync-ssl --no-motd download.samba.org::rsyncftp/ || true
+    - name: save artifact
+      uses: actions/upload-artifact@v4
+      with:
+        name: netbsd-bin
+        path: |
+          rsync
+          rsync-ssl
+          rsync.1
+          rsync-ssl.1
+          rsyncd.conf.5
+          rrsync.1
+          rrsync
--- a/.github/workflows/openbsd-build.yml
+++ b/.github/workflows/openbsd-build.yml
@@ -0,0 +1,61 @@
+name: Test rsync on OpenBSD
+
+on:
+  push:
+    branches: [ master ]
+    paths-ignore:
+      - '.github/workflows/*.yml'
+      - '!.github/workflows/openbsd-build.yml'
+  pull_request:
+    branches: [ master ]
+    paths-ignore:
+      - '.github/workflows/*.yml'
+      - '!.github/workflows/openbsd-build.yml'
+  schedule:
+    - cron: '42 8 * * *'
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    name: Test rsync on OpenBSD
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+    - name: Test in OpenBSD VM
+      id: test
+      uses: vmactions/openbsd-vm@v1
+      with:
+        usesh: true
+        prepare: |
+          pkg_add -I bash autoconf%2.71 automake%1.16
+        run: |
+          uname -a
+          export AUTOCONF_VERSION=2.71
+          export AUTOMAKE_VERSION=1.16
+          ./configure --with-rrsync --disable-zstd --disable-md2man --disable-xxhash --disable-lz4
+          make
+          ./rsync --version
+          make check
+          # The --use-tcp daemon tests run at -j2 here (vs -j8 elsewhere): this
+          # job runs inside a nested VM, and at -j8 the many concurrent loopback
+          # daemons occasionally lose a connection-handshake timing race under
+          # that resource pressure, hanging one test to the 300s timeout. It is
+          # an environment artifact, not an rsync bug (the handshake is
+          # deadlock-free and unreproducible elsewhere, even pinned to 1 CPU at
+          # -j8); -j2 keeps the VM from over-subscribing. The pipe `make check`
+          # above stays at the default parallelism.
+          ./runtests.py --rsync-bin=`pwd`/rsync --use-tcp -j 2
+          ./rsync-ssl --no-motd download.samba.org::rsyncftp/ || true
+    - name: save artifact
+      uses: actions/upload-artifact@v4
+      with:
+        name: openbsd-bin
+        path: |
+          rsync
+          rsync-ssl
+          rsync.1
+          rsync-ssl.1
+          rsyncd.conf.5
+          rrsync.1
+          rrsync
--- a/.github/workflows/solaris-build.yml
+++ b/.github/workflows/solaris-build.yml
@@ -0,0 +1,51 @@
+name: Test rsync on Solaris
+
+on:
+  push:
+    branches: [ master ]
+    paths-ignore:
+      - '.github/workflows/*.yml'
+      - '!.github/workflows/solaris-build.yml'
+  pull_request:
+    branches: [ master ]
+    paths-ignore:
+      - '.github/workflows/*.yml'
+      - '!.github/workflows/solaris-build.yml'
+  schedule:
+    - cron: '42 8 * * *'
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    name: Test rsync on Solaris
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+    - name: Test in Solaris VM
+      id: test
+      uses: vmactions/solaris-vm@v1
+      with:
+        usesh: true
+        prepare: |
+          pkg install bash automake gnu-m4 pkg://solaris/runtime/python-35 autoconf gcc git
+        run: |
+          uname -a
+          ./configure --with-rrsync -disable-zstd --disable-md2man --disable-xxhash --disable-lz4
+          make
+          ./rsync --version
+          make check
+          ./runtests.py --rsync-bin=`pwd`/rsync --use-tcp -j 8
+          ./rsync-ssl --no-motd download.samba.org::rsyncftp/ || true
+    - name: save artifact
+      uses: actions/upload-artifact@v4
+      with:
+        name: solaris-bin
+        path: |
+          rsync
+          rsync-ssl
+          rsync.1
+          rsync-ssl.1
+          rsyncd.conf.5
+          rrsync.1
+          rrsync
--- a/.github/workflows/ubuntu-22.04-build.yml
+++ b/.github/workflows/ubuntu-22.04-build.yml
@@ -0,0 +1,64 @@
+name: Test rsync on Ubuntu 22.04
+
+# Older-LTS coverage to help with backporting security fixes. ubuntu-22.04
+# is currently the oldest GitHub Actions runner image (20.04 was retired
+# in April 2025).
+
+on:
+  push:
+    branches: [ master ]
+    paths-ignore:
+      - '.github/workflows/*.yml'
+      - '!.github/workflows/ubuntu-22.04-build.yml'
+  pull_request:
+    branches: [ master ]
+    paths-ignore:
+      - '.github/workflows/*.yml'
+      - '!.github/workflows/ubuntu-22.04-build.yml'
+  schedule:
+    - cron: '42 8 * * *'
+
+jobs:
+  test:
+    runs-on: ubuntu-22.04
+    name: Test rsync on Ubuntu 22.04
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+    - name: prep
+      run: |
+        sudo apt-get install acl libacl1-dev attr libattr1-dev liblz4-dev libzstd-dev libxxhash-dev python3-cmarkgfm openssl
+        echo "/usr/local/bin" >>$GITHUB_PATH
+    - name: configure
+      run: ./configure --with-rrsync
+    - name: make
+      run: make
+    - name: install
+      run: sudo make install
+    - name: info
+      run: rsync --version
+    - name: check
+      run: sudo RSYNC_EXPECT_SKIPPED=crtimes,daemon-access-ip,daemon-chroot-acl,proxy-response-line-too-long make check
+    - name: check30
+      run: sudo RSYNC_EXPECT_SKIPPED=crtimes,daemon-access-ip,daemon-chroot-acl,proxy-response-line-too-long make check30
+    - name: check29
+      run: sudo RSYNC_EXPECT_SKIPPED=crtimes,daemon-access-ip,daemon-chroot-acl,proxy-response-line-too-long make check29
+    - name: check (TCP daemon transport)
+      # Second run with daemon tests over a real loopback rsyncd; the default
+      # 'make check' above uses the secure stdio-pipe transport.
+      run: sudo ./runtests.py --rsync-bin=`pwd`/rsync --use-tcp -j 8
+    - name: ssl file list
+      run: rsync-ssl --no-motd download.samba.org::rsyncftp/ || true
+    - name: save artifact
+      uses: actions/upload-artifact@v4
+      with:
+        name: ubuntu-22.04-bin
+        path: |
+          rsync
+          rsync-ssl
+          rsync.1
+          rsync-ssl.1
+          rsyncd.conf.5
+          rrsync.1
+          rrsync
--- a/.github/workflows/ubuntu-build.yml
+++ b/.github/workflows/ubuntu-build.yml
@@ -0,0 +1,62 @@
+name: Test rsync on Ubuntu
+
+on:
+  push:
+    branches: [ master ]
+    paths-ignore:
+      - '.github/workflows/*.yml'
+      - '!.github/workflows/ubuntu-build.yml'
+  pull_request:
+    branches: [ master ]
+    paths-ignore:
+      - '.github/workflows/*.yml'
+      - '!.github/workflows/ubuntu-build.yml'
+  schedule:
+    - cron: '42 8 * * *'
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    name: Test rsync on Ubuntu
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+    - name: prep
+      run: |
+        sudo apt-get install acl libacl1-dev attr libattr1-dev liblz4-dev libzstd-dev libxxhash-dev python3-cmarkgfm openssl
+        echo "/usr/local/bin" >>$GITHUB_PATH
+    - name: configure
+      run: ./configure --with-rrsync
+    - name: make
+      run: make
+    - name: install
+      run: sudo make install
+    - name: info
+      run: rsync --version
+    - name: check
+      run: sudo RSYNC_EXPECT_SKIPPED=crtimes,daemon-access-ip,daemon-chroot-acl,proxy-response-line-too-long make check
+    - name: check30
+      run: sudo RSYNC_EXPECT_SKIPPED=crtimes,daemon-access-ip,daemon-chroot-acl,proxy-response-line-too-long make check30
+    - name: check29
+      run: sudo RSYNC_EXPECT_SKIPPED=crtimes,daemon-access-ip,daemon-chroot-acl,proxy-response-line-too-long make check29
+    - name: check (TCP daemon transport)
+      # Second run with daemon tests over a real loopback rsyncd. The default
+      # 'make check' above uses the secure stdio-pipe transport (no listening
+      # sockets); this run exercises the real TCP accept/auth path. Skip-set
+      # is env-dependent here (chroot-acl), so leave RSYNC_EXPECT_SKIPPED unset.
+      run: sudo ./runtests.py --rsync-bin=`pwd`/rsync --use-tcp -j 8
+    - name: ssl file list
+      run: rsync-ssl --no-motd download.samba.org::rsyncftp/ || true
+    - name: save artifact
+      uses: actions/upload-artifact@v4
+      with:
+        name: ubuntu-bin
+        path: |
+          rsync
+          rsync-ssl
+          rsync.1
+          rsync-ssl.1
+          rsyncd.conf.5
+          rrsync.1
+          rrsync
--- a/.gitignore
+++ b/.gitignore
@@ -58,3 +58,4 @@ aclocal.m4
 /auto-build-save
 .deps
 /*.exe
+*.dSYM/
--- a/INSTALL.md
+++ b/INSTALL.md
@@ -7,6 +7,22 @@ option to use if you want to just skip that feature.  What follows are various
 support libraries that you may want to install to build rsync with the maximum
 features (the impatient can skip down to the package summary):

+## Ubuntu users: skip the build, use the PPA
+
+If you are on a currently supported Ubuntu series (jammy 22.04 LTS, noble
+24.04 LTS, questing 25.10, resolute 26.04 LTS) and just want the latest
+upstream rsync, the rsync project maintains a Launchpad PPA that tracks
+stable releases:
+
+>     sudo add-apt-repository ppa:rsyncproject/rsync
+>     sudo apt update && sudo apt install rsync
+
+See [the PPA page][ppa] for current build status across architectures.
+
+[ppa]: https://launchpad.net/~rsyncproject/+archive/ubuntu/rsync
+
+The rest of this document covers building from source.
+
 ## The basic setup

 You need to have a C compiler installed and optionally a C++ compiler in order
@@ -26,7 +42,7 @@ build user (after installing python3's pip package):

 You can test if you've got it fixed by running (from the rsync checkout):

->     ./md2man --test rsync-ssl.1.md
+>     ./md-convert --test rsync-ssl.1.md

 Alternately, you can avoid generating the manpages by fetching the very latest
 versions (that match the latest git source) from the [generated-files][6] dir.
@@ -104,6 +120,8 @@ like.
    >     sudo apt install -y liblz4-dev
    >     sudo apt install -y libssl-dev

+Or run support/install_deps_ubuntu.sh
+
 -  For CentOS (use EPEL for python3-pip):

    >     sudo yum -y install epel-release
@@ -230,6 +248,9 @@ not completely implement the "New Sockets" API.
 [This site][5] says that Apple started to support IPv6 in 10.2 (Jaguar).  If
 your build fails, try again after running configure with `--disable-ipv6`.

+Apple Silicon macs may install packages in a slightly different location and require flags.
+CFLAGS="-I /opt/homebrew/include" LDFLAGS="-L /opt/homebrew/lib"
+
 [5]: http://www.ipv6.org/impl/mac.html

 ## IBM AIX notes
--- a/Makefile.in
+++ b/Makefile.in
@@ -49,20 +49,22 @@ OBJS2=options.o io.o compat.o hlink.o token.o uidlist.o socket.o hashtable.o \
 	usage.o fileio.o batch.o clientname.o chmod.o acls.o xattrs.o
 OBJS3=progress.o pipe.o @MD5_ASM@ @ROLL_SIMD@ @ROLL_ASM@
 DAEMON_OBJ = params.o loadparm.o clientserver.o access.o connection.o authenticate.o
-popt_OBJS=popt/findme.o  popt/popt.o  popt/poptconfig.o \
-	popt/popthelp.o popt/poptparse.o
+popt_OBJS= popt/popt.o  popt/poptconfig.o \
+	popt/popthelp.o popt/poptparse.o popt/poptint.o
 OBJS=$(OBJS1) $(OBJS2) $(OBJS3) $(DAEMON_OBJ) $(LIBOBJ) @BUILD_ZLIB@ @BUILD_POPT@

 TLS_OBJ = tls.o syscall.o util2.o t_stub.o lib/compat.o lib/snprintf.o lib/permstring.o lib/sysxattrs.o @BUILD_POPT@

 # Programs we must have to run the test cases
 CHECK_PROGS = rsync$(EXEEXT) tls$(EXEEXT) getgroups$(EXEEXT) getfsdev$(EXEEXT) \
-	testrun$(EXEEXT) trimslash$(EXEEXT) t_unsafe$(EXEEXT) wildtest$(EXEEXT)
+	testrun$(EXEEXT) trimslash$(EXEEXT) t_unsafe$(EXEEXT) t_chmod_secure$(EXEEXT) \
+	t_secure_relpath$(EXEEXT) wildtest$(EXEEXT) simdtest$(EXEEXT)

-CHECK_SYMLINKS = testsuite/chown-fake.test testsuite/devices-fake.test testsuite/xattrs-hlink.test
+CHECK_SYMLINKS = testsuite/chown-fake_test.py testsuite/devices-fake_test.py \
+	testsuite/xattrs-hlink_test.py testsuite/exclude-lsh_test.py

 # Objects for CHECK_PROGS to clean
-CHECK_OBJS=tls.o testrun.o getgroups.o getfsdev.o t_stub.o t_unsafe.o trimslash.o wildtest.o
+CHECK_OBJS=tls.o testrun.o getgroups.o getfsdev.o t_stub.o t_unsafe.o t_chmod_secure.o t_secure_relpath.o trimslash.o wildtest.o

 # note that the -I. is needed to handle config.h when using VPATH
 .c.o:
@@ -70,6 +72,8 @@ CHECK_OBJS=tls.o testrun.o getgroups.o getfsdev.o t_stub.o t_unsafe.o trimslash.
 	$(CC) -I. -I$(srcdir) $(CFLAGS) $(CPPFLAGS) -c $< @CC_SHOBJ_FLAG@
@OBJ_RESTORE@

+# NOTE: consider running "packaging/smart-make" instead of "make" to auto-handle
+# any changes to configure.sh and the main Makefile prior to a "make all".
 all: Makefile rsync$(EXEEXT) stunnel-rsyncd.conf @MAKE_RRSYNC@ @MAKE_MAN@
 .PHONY: all

@@ -176,20 +180,20 @@ T_UNSAFE_OBJ = t_unsafe.o syscall.o util1.o util2.o t_stub.o lib/compat.o lib/sn
 t_unsafe$(EXEEXT): $(T_UNSAFE_OBJ)
 	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $(T_UNSAFE_OBJ) $(LIBS)

+T_CHMOD_SECURE_OBJ = t_chmod_secure.o syscall.o util1.o util2.o t_stub.o lib/compat.o lib/snprintf.o lib/wildmatch.o lib/permstring.o
+t_chmod_secure$(EXEEXT): $(T_CHMOD_SECURE_OBJ)
+	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $(T_CHMOD_SECURE_OBJ) $(LIBS)
+
+T_SECURE_RELPATH_OBJ = t_secure_relpath.o syscall.o util1.o util2.o t_stub.o lib/compat.o lib/snprintf.o lib/wildmatch.o lib/permstring.o
+t_secure_relpath$(EXEEXT): $(T_SECURE_RELPATH_OBJ)
+	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $(T_SECURE_RELPATH_OBJ) $(LIBS)
+
 .PHONY: conf
 conf: configure.sh config.h.in

 .PHONY: gen
 gen: conf proto.h man git-version.h

-.PHONY: gensend
-gensend: gen
-	if ! diff git-version.h $(srcdir)/gists/rsync-git-version.h >/dev/null; then \
-	    ./rsync -ai git-version.h $(srcdir)/gists/rsync-git-version.h && \
-	    (cd $(srcdir)/gists && git commit --allow-empty-message -m '' rsync-git-version.h && git push) ; \
-	fi
-	rsync -aic $(GENFILES) git-version.h $${SAMBA_HOST-samba.org}:/home/ftp/pub/rsync/generated-files/ || true
-
 aclocal.m4: $(srcdir)/m4/*.m4
 	aclocal -I $(srcdir)/m4

@@ -276,6 +280,8 @@ clean: cleantests
 	rm -f *~ $(OBJS) $(CHECK_PROGS) $(CHECK_OBJS) $(CHECK_SYMLINKS) @MAKE_RRSYNC@ \
 		git-version.h rounding rounding.h *.old rsync*.1 rsync*.5 @MAKE_RRSYNC_1@ \
 		*.html daemon-parm.h help-*.h default-*.h proto.h proto.h-tstamp
+	rm -f *.gcno *.gcda lib/*.gcno lib/*.gcda zlib/*.gcno zlib/*.gcda popt/*.gcno popt/*.gcda
+	rm -rf coverage coverage-tcp coverage-all coverage-fallback

 .PHONY: cleantests
 cleantests:
@@ -316,30 +322,133 @@ test: check
 # catch Bash-isms earlier even if we're running on GNU.  Of course, we
 # might lose in the future where POSIX diverges from old sh.

+# `make check` runs tests in parallel by default. Override with
+# `make check CHECK_J=1` (serial) or any other value.
+CHECK_J = 8
+
+# Parallelism for `make coverage`. Defaults to the same as CHECK_J: the
+# coverage build sets -fprofile-update=atomic (atomic in-memory counters) and
+# gcc's libgcov serializes the per-source .gcda read-modify-write merge with a
+# file lock, so concurrent rsync processes (incl. the forked sender/generator/
+# receiver) accumulate exactly -- verified by a count-linearity check (a hot
+# line accumulates identically at -j1 and -P16). Override with
+# `make coverage COVERAGE_J=1` if your libgcov does not lock .gcda merges.
+COVERAGE_J = $(CHECK_J)
+
+# Output directory and extra runtests.py flags for `make coverage`. The
+# `coverage-tcp` target reuses the coverage recipe with --use-tcp (real
+# loopback rsyncd, which exercises the TCP accept/auth path and the
+# require_tcp-only tests) and a separate output directory.
+COVERAGE_DIR = coverage
+COVERAGE_RUNFLAGS =
+
+# Bundled third-party code that rsync ships but does not own; excluded from the
+# coverage report so the percentages reflect rsync's own source. zlib/ and popt/
+# are wholly vendored; the named lib/ files are PostgreSQL (getaddrinfo) and ISC
+# (inet_ntop/inet_pton) / standalone (getpass) imports. The other lib/*.c
+# (md5, mdfour, wildmatch, permstring, pool_alloc, snprintf, sysacls, sysxattrs,
+# compat) are rsync's own and stay in the report.
+COVERAGE_EXCLUDE = -e '(^|/)zlib/' -e '(^|/)popt/' \
+	-e '(^|/)lib/(getaddrinfo|getpass|inet_ntop|inet_pton)\.'
+
 .PHONY: check
 check: all $(CHECK_PROGS) $(CHECK_SYMLINKS)
-	rsync_bin=`pwd`/rsync$(EXEEXT) $(srcdir)/runtests.sh
+	$(srcdir)/runtests.py --rsync-bin=`pwd`/rsync$(EXEEXT) -j $(CHECK_J)

 .PHONY: check29
 check29: all $(CHECK_PROGS) $(CHECK_SYMLINKS)
-	rsync_bin=`pwd`/rsync$(EXEEXT) $(srcdir)/runtests.sh --protocol=29
+	$(srcdir)/runtests.py --rsync-bin=`pwd`/rsync$(EXEEXT) -j $(CHECK_J) --protocol=29

 .PHONY: check30
 check30: all $(CHECK_PROGS) $(CHECK_SYMLINKS)
-	rsync_bin=`pwd`/rsync$(EXEEXT) $(srcdir)/runtests.sh --protocol=30
+	$(srcdir)/runtests.py --rsync-bin=`pwd`/rsync$(EXEEXT) -j $(CHECK_J) --protocol=30
+
+# Whole-suite gcov coverage report (HTML, with branch + decision coverage).
+# Requires a build configured with --enable-coverage and the `gcovr` tool
+# (pip install gcovr). Runs the suite in parallel (COVERAGE_J, default CHECK_J):
+# this is safe because the coverage build uses -fprofile-update=atomic and
+# libgcov locks the per-source .gcda during its merge, so concurrent rsync
+# processes accumulate exactly (see COVERAGE_J above). Use COVERAGE_J=1 if your
+# toolchain's libgcov does not lock .gcda merges.
+.PHONY: coverage
+coverage: all $(CHECK_PROGS) $(CHECK_SYMLINKS)
+	@case '$(CFLAGS)' in *--coverage*) ;; \
+	  *) echo "*** not a coverage build; reconfigure with --enable-coverage"; exit 1 ;; esac
+	@command -v gcovr >/dev/null 2>&1 || { echo "*** gcovr not found (pip install gcovr)"; exit 1; }
+	find . -name '*.gcda' -delete
+	@rc=0; $(srcdir)/runtests.py --rsync-bin=`pwd`/rsync$(EXEEXT) -j $(COVERAGE_J) $(COVERAGE_RUNFLAGS) || rc=$$?; \
+	  rm -rf $(COVERAGE_DIR) && mkdir -p $(COVERAGE_DIR); \
+	  gcovr --root $(srcdir) $(COVERAGE_EXCLUDE) --decisions --print-summary \
+	      --html-details -o $(COVERAGE_DIR)/index.html . || exit $$?; \
+	  echo "Coverage report written to $(COVERAGE_DIR)/index.html"; \
+	  if test $$rc != 0; then \
+	    echo "*** test suite FAILED (status $$rc) -- coverage report still written above"; \
+	  fi; \
+	  exit $$rc
+
+# Same as `make coverage` but with the daemon tests run over a real loopback
+# rsyncd (--use-tcp), into a separate report directory.
+.PHONY: coverage-tcp
+coverage-tcp:
+	$(MAKE) coverage COVERAGE_RUNFLAGS=--use-tcp COVERAGE_DIR=coverage-tcp
+
+# Comprehensive single report: run the suite under several configurations,
+# accumulating into the shared .gcda counters (NOT cleared between runs), then
+# emit one merged, rsync-scoped report. Covers the default (pipe) transport, the
+# protocol-29/30 compat branches, and the real-TCP daemon path (which also runs
+# the require_tcp-only tests). Run under sudo to additionally cover root-only
+# paths (devices, chown, use-chroot, protected-regular). Local target -- CI uses
+# the plain `coverage`/`coverage-tcp` targets.
+.PHONY: coverage-all
+coverage-all: all $(CHECK_PROGS) $(CHECK_SYMLINKS)
+	@case '$(CFLAGS)' in *--coverage*) ;; \
+	  *) echo "*** not a coverage build; reconfigure with --enable-coverage"; exit 1 ;; esac
+	@command -v gcovr >/dev/null 2>&1 || { echo "*** gcovr not found (pip install gcovr)"; exit 1; }
+	find . -name '*.gcda' -delete
+	@rc=0; \
+	  for cfg in '' '--protocol=30' '--protocol=29' '--use-tcp'; do \
+	    echo "===== coverage-all: runtests.py $$cfg ====="; \
+	    $(srcdir)/runtests.py --rsync-bin=`pwd`/rsync$(EXEEXT) -j $(COVERAGE_J) $$cfg || rc=$$?; \
+	  done; \
+	  rm -rf coverage-all && mkdir -p coverage-all; \
+	  gcovr --root $(srcdir) $(COVERAGE_EXCLUDE) --decisions --print-summary \
+	      --html-details -o coverage-all/index.html . || exit $$?; \
+	  echo "Merged coverage report written to coverage-all/index.html"; \
+	  if test $$rc != 0; then \
+	    echo "*** some suite runs FAILED (status $$rc) -- report still written above"; \
+	  fi; \
+	  exit $$rc
+
+# Coverage for the portable (non-openat2) resolver tier. Requires a SEPARATE
+# build configured with --enable-coverage --disable-openat2: its .gcno differ
+# from the openat2 build, so this report cannot be merged with the others.
+.PHONY: coverage-fallback
+coverage-fallback:
+	$(MAKE) coverage COVERAGE_DIR=coverage-fallback

 wildtest.o: wildtest.c t_stub.o lib/wildmatch.c rsync.h config.h
 wildtest$(EXEEXT): wildtest.o lib/compat.o lib/snprintf.o @BUILD_POPT@
 	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ wildtest.o lib/compat.o lib/snprintf.o @BUILD_POPT@ $(LIBS)

-testsuite/chown-fake.test:
-	ln -s chown.test $(srcdir)/testsuite/chown-fake.test
+simdtest$(EXEEXT): simd-checksum-x86_64.cpp $(HEADERS)
+	@if test x"@ROLL_SIMD@" != x; then \
+	    $(CXX) -I. $(CXXFLAGS) $(CPPFLAGS) $(LDFLAGS) -DTEST_SIMD_CHECKSUM1 \
+	        -o $@ $(srcdir)/simd-checksum-x86_64.cpp @ROLL_ASM@ $(LIBS); \
+	else \
+	    touch $@; \
+	fi

-testsuite/devices-fake.test:
-	ln -s devices.test $(srcdir)/testsuite/devices-fake.test
+testsuite/chown-fake_test.py:
+	ln -s chown_test.py $(srcdir)/testsuite/chown-fake_test.py

-testsuite/xattrs-hlink.test:
-	ln -s xattrs.test $(srcdir)/testsuite/xattrs-hlink.test
+testsuite/devices-fake_test.py:
+	ln -s devices_test.py $(srcdir)/testsuite/devices-fake_test.py
+
+testsuite/xattrs-hlink_test.py:
+	ln -s xattrs_test.py $(srcdir)/testsuite/xattrs-hlink_test.py
+
+testsuite/exclude-lsh_test.py:
+	ln -s exclude_test.py $(srcdir)/testsuite/exclude-lsh_test.py

 # This does *not* depend on building or installing: you can use it to
 # check a version installed from a binary or some other source tree,
@@ -347,7 +456,7 @@ testsuite/xattrs-hlink.test:

 .PHONY: installcheck
 installcheck: $(CHECK_PROGS) $(CHECK_SYMLINKS)
-	POSIXLY_CORRECT=1 TOOLDIR=`pwd` rsync_bin="$(bindir)/rsync$(EXEEXT)" srcdir="$(srcdir)" $(srcdir)/runtests.sh
+	$(srcdir)/runtests.py --rsync-bin="$(bindir)/rsync$(EXEEXT)" --srcdir="$(srcdir)" --tooldir=`pwd` -j $(CHECK_J)

 # TODO: Add 'dist' target; need to know which files will be included

@@ -364,4 +473,4 @@ doxygen:
 .PHONY: doxygen-upload
 doxygen-upload:
 	rsync -avzv $(srcdir)/dox/html/ --delete \
-	$${SAMBA_HOST-samba.org}:/home/httpd/html/rsync/doxygen/head/
+	$${RSYNC_SAMBA_HOST-samba.org}:/home/httpd/html/rsync/doxygen/head/
--- a/NEWS.md
+++ b/NEWS.md
@@ -1,4 +1,627 @@
-# NEWS for rsync 3.2.5 (UNRELEASED)
+# NEWS for rsync 3.4.3 (20 May 2026)
+
+## Changes in this version:
+
+### SECURITY FIXES:
+
+Six CVEs are fixed in this release.  All six are assigned by
+VulnCheck as CNA.  Affected versions are 3.4.2 and earlier in every
+case.  Three of the six (CVE-2026-29518, CVE-2026-43617,
+CVE-2026-43619) require non-default daemon configuration to reach:
+the first and third need `use chroot = no` for a module, the second
+needs `daemon chroot = ...` set in rsyncd.conf.  Two (CVE-2026-43618,
+CVE-2026-43620) are reachable from a normal pull or a normal
+authenticated daemon connection.  The sixth (CVE-2026-45232) is
+reachable only when `RSYNC_PROXY` is set and the proxy (or a MITM)
+returns a pathological response.  Many thanks to the external
+researchers who reported these issues.
+
+- CVE-2026-29518 (CVSS v4.0 7.3, HIGH): TOCTOU symlink race condition
+  allowing local privilege escalation in daemon mode without chroot.
+  An rsync daemon configured with "use chroot = no" was exposed to a
+  time-of-check / time-of-use race on parent path components: a local
+  attacker with write access to a module could replace a parent
+  directory component with a symlink between the receiver's check and
+  its open(), redirecting reads (basis-file disclosure) and writes
+  (file overwrite) outside the module.  Default "use chroot = yes" is
+  not exposed.  `secure_relative_open()` (added in 3.4.0 for
+  CVE-2024-12086) was previously unused in the daemon-no-chroot
+  case; the fix enables it there and reroutes the sender's
+  read-path opens through it.  Reported by Nullx3D (Batuhan Sancak),
+  Damien Neil and Michael Stapelberg.
+
+- CVE-2026-43617 (CVSS v3.1 4.8, MEDIUM): Hostname/ACL bypass on an
+  rsync daemon configured with `daemon chroot = /X` in rsyncd.conf
+  when the chroot tree lacks DNS resolution support.  The
+  reverse-DNS lookup of the connecting client was performed *after*
+  the daemon chroot had been entered; if /X did not contain the
+  libc resolver fixtures (`/etc/resolv.conf`, `/etc/nsswitch.conf`,
+  `/etc/hosts`, NSS service modules) the lookup failed and the
+  connecting hostname was set to "UNKNOWN", causing hostname-based
+  deny rules to silently fail open.  IP-based ACLs are unaffected.
+  The per-module `use chroot` setting is unrelated to this issue.
+  The fix performs the lookup before entering the daemon chroot.
+  Reported by MegaManSec.
+
+- CVE-2026-43618 (CVSS v3.1 8.1, HIGH): Integer overflow in the
+  compressed-token decoder enabling remote memory disclosure to an
+  authenticated daemon peer.  The receiver accumulated a 32-bit
+  signed counter without overflow checking; a malicious sender could
+  trigger an overflow that, with careful manipulation, leaked process
+  memory contents to the attacker -- environment variables,
+  passwords, heap and library pointers -- significantly weakening
+  ASLR.  The fix bounds the counter and adds wire-input validation in
+  several adjacent places (defence-in-depth).  Workaround for older
+  releases: `refuse options = compress` in rsyncd.conf.  Reported by
+  Omar Elsayed.
+
+- CVE-2026-43619 (CVSS v3.1 6.3, MEDIUM): Symlink races on path-based
+  system calls in "use chroot = no" daemon mode (generalisation of
+  CVE-2026-29518).  Earlier fixes for symlink races on the receiver's
+  open() call missed the same race class on every other path-based
+  system call: chmod, lchown, utimes, rename, unlink, mkdir, symlink,
+  mknod, link, rmdir and lstat.  The fix routes each affected
+  path-based syscall through a parent dirfd opened under
+  RESOLVE_BENEATH-equivalent kernel-enforced confinement (openat2 on
+  Linux 5.6+, O_RESOLVE_BENEATH on FreeBSD 13+ and macOS 15+,
+  per-component O_NOFOLLOW walk elsewhere).  Default "use chroot =
+  yes" is not exposed.  Reported by Andrew Tridgell as a follow-on
+  audit of CVE-2026-29518.
+
+- CVE-2026-43620 (CVSS v3.1 6.5, MEDIUM): Out-of-bounds read in the
+  receiver's recv_files() enabling remote denial-of-service of any
+  client pulling from a malicious server (incomplete fix of commit
+  797e17f).  The earlier parent_ndx<0 guard added to send_files() was
+  not applied to the visually-identical block in recv_files().  A
+  malicious rsync server can drive any connecting client into a
+  deterministic SIGSEGV by setting CF_INC_RECURSE in the
+  compatibility flags and sending a crafted file list and transfer
+  record.  inc_recurse is the protocol-30+ default, so no special
+  options are required on the victim.  Workaround for older
+  releases: `--no-inc-recursive` on the client.  Reported by Pratham
+  Gupta.
+
+- CVE-2026-45232 (CVSS v3.1 3.1, LOW): Off-by-one out-of-bounds stack
+  write in the rsync client's HTTP CONNECT proxy handler
+  (`establish_proxy_connection()` in `socket.c`).  After issuing the
+  CONNECT request, rsync read the proxy's first response line one
+  byte at a time into a 1024-byte stack buffer with the bound
+  `cp < &buffer[sizeof buffer - 1]`.  If the proxy (or a MITM in
+  front of it) returned 1023+ bytes on that first line without a
+  newline terminator, `cp` exited the loop pointing at a buffer slot
+  the loop never wrote, leaving `*cp` holding stale stack data from
+  the earlier `snprintf()` of the outgoing CONNECT request.  The
+  post-loop logic then wrote a single `\0` one byte past the end of
+  the buffer on the stack.  Reach is client-side only, and only when
+  `RSYNC_PROXY` is set so rsync tunnels an `rsync://` connection
+  through an HTTP CONNECT proxy.  The written byte is always `\0`
+  and the offset is fixed by the buffer size, not attacker-chosen,
+  so this is not an arbitrary-write primitive: practical impact is
+  corruption of one adjacent stack byte and possible later
+  misbehaviour or crash.  The fix detects the "buffer filled without
+  finding `\n`" case explicitly by position and refuses the response
+  with "proxy response line too long".  Reported by Aisle Research
+  via Michal Ruprich (rsync-3.4.1-2.el10 QE).
+
+In addition to the six CVE fixes, this release adds defence-in-depth
+hardening on several adjacent paths: bounded wire-supplied counts and
+lengths in flist/io/acls/xattrs, a guard against length underflow in
+cumulative `snprintf()` callers, a parent block-index bounds check on
+the receiver, a NULL check in `read_delay_line()`, a lower ceiling on
+`MAX_WIRE_DEL_STAT` to avoid signed-int overflow in the
+`read_del_stats()` accumulator, rejection of hyphen-prefixed
+remote-shell hostnames (defence-in-depth against argv-injection in
+tooling that forwards untrusted input into the hostspec position;
+reported by Aisle Research via Michal Ruprich), and a NULL-check on
+`localtime_r()` in `timestring()` to keep a malicious server from
+crashing the client by advertising a file with an out-of-range
+modtime.
+
+### BUG FIXES:
+
+- Fixed a regression introduced by the 3.4.0 secure_relative_open()
+  CVE fix where legitimate directory symlinks on the receiver side
+  (e.g. when using `-K` / `--copy-dirlinks`) caused "failed
+  verification -- update discarded" errors on delta transfers. The
+  old code rejected every symlink in the path with a per-component
+  `O_NOFOLLOW` walk; the receiver now uses kernel-enforced "stay
+  below dirfd" path resolution where available. Fixes #715.
+
+### PORTABILITY / BUILD:
+
+- secure_relative_open() now uses `openat2(RESOLVE_BENEATH |
+  RESOLVE_NO_MAGICLINKS)` on Linux 5.6+, and `openat()` with
+  `O_RESOLVE_BENEATH` on FreeBSD 13+ and macOS 15+ (Sequoia) /
+  iOS 18+. The kernel rejects ".." escapes, absolute symlinks, and
+  symlinks whose target lies outside the starting directory, while
+  still following symlinks that resolve within it -- the same
+  trade-off that fixes the issue #715 regression without weakening
+  the original CVE protection. Other platforms (Solaris, OpenBSD,
+  NetBSD, Cygwin) retain the previous per-component `O_NOFOLLOW`
+  walk; on those platforms the issue #715 regression remains
+  visible.
+
+- testsuite/xattrs: ignore `SUNWattr_*` in the Solaris `xls`
+  helper.
+
+### DEVELOPER RELATED:
+
+- Added testsuite/symlink-dirlink-basis.test (taken from PR #864
+  by Samuel Henrique) covering the issue #715 regression and
+  several edge cases (`--backup`, `--inplace`, `--partial-dir`
+  with protocol < 29, top-level files). The test skips on
+  platforms without a RESOLVE_BENEATH equivalent.
+
+- Added regression tests for the new security fixes:
+  `chmod-symlink-race.test`, `chdir-symlink-race.test`,
+  `bare-do-open-symlink-race.test`, `alt-dest-symlink-race.test`,
+  `copy-dest-source-symlink.test`, `sender-flist-symlink-leak.test`,
+  `secure-relpath-validation.test`, `daemon-chroot-acl.test` and
+  `daemon-refuse-compress.test`. The symlink-race tests skip on
+  Cygwin, Solaris, OpenBSD and NetBSD (no RESOLVE_BENEATH
+  equivalent on those platforms).
+
+- runtests.py now errors early with a clear message when any of
+  the test helper programs (`tls`, `trimslash`, `t_unsafe`,
+  `t_chmod_secure`, `t_secure_relpath`, `wildtest`, `getgroups`,
+  `getfsdev`) are missing, instead of letting many tests fail with
+  confusing "not found" errors.
+
+- Added OpenBSD and NetBSD CI jobs that run `make check` on those
+  platforms.
+
+- Added Ubuntu 22.04 and AlmaLinux 8 CI workflows so future
+  backports to the two mainstream LTS families build and test on
+  the same CI surface as trunk.
+
+- testsuite/protected-regular.test now runs unprivileged via
+  `unshare` with user-namespace UID mapping, falling back to skip
+  if `unshare`/`uidmap` is not available; previously it required
+  real root.
+
+- Added `symlink-dirlink-basis` to the Cygwin CI's expected-skipped
+  list.
+
+- Removed the old release system (replaced by the new release
+  script in 3.4.2).
+
+------------------------------------------------------------------------------
+
+# NEWS for rsync 3.4.2 (28 Apr 2026)
+
+## Changes in this version:
+
+### SECURITY RELATED:
+
+Several security-relevant defects were reported and fixed since 3.4.1.
+None were assigned a CVE — rsync's fork-per-connection design scopes
+the impact of each of these to the attacker's own connection, which is
+equivalent to the client closing the socket itself — but they are
+fixed here as a matter of hygiene and to reduce the chances of a
+future exploitable combination.  Many thanks to the external
+researchers who reported these issues.
+
+- Fixed a signed integer overflow in the PROXY protocol v2 header
+  parser: a negative `len` field could bypass the size check and cause
+  a stack buffer overflow in `read_buf()`.  Reported by John Walker of
+  ZeroPath.
+
+- Fixed an invalid access to the files array.  Reported by Calum
+  Hutton of Rapid7.
+
+- Reject negative token values in the compressed-stream token
+  decoder; a negative value could cause callers to misinterpret a
+  missing data pointer as literal data.  Reported by Will Sergeant.
+
+- Fixed the element count passed to the xattr `qsort()` (see
+  https://www.openwall.com/lists/oss-security/2026/04/16/2).
+
+- Fixed a buffer underflow in `clean_fname()`, and added a regression
+  test.
+
+- Fixed an uninitialized `mul_one` in the AVX2 get_checksum1 path
+  (undefined behaviour), and added a SIMD-checksum self-test that
+  cross-checks SSE2, SSSE3 and AVX2 against the C reference on both
+  aligned and unaligned buffers.
+
+- Fixed an uninitialized `buf1` on the first call to
+  `get_checksum2()` in the MD4 path (fixes #673).
+
+- Zero all new memory from internal allocations: `my_alloc()` now uses
+  `calloc`, and `expand_item_list()` zeros the expanded portion after
+  `realloc`.  This gives more predictable behaviour if stale or
+  uninitialised memory is ever accidentally read.
+
+### BUG FIXES:
+
+- Call `tzset()` before chroot so that log timestamps continue to
+  reflect the configured local timezone after the daemon chroots
+  (glibc needs `/etc/localtime`, which is unreachable post-chroot).
+
+- Use the correct time when writing to the log file.
+
+- Do not clear `DISPLAY` unconditionally.
+
+- Fixed a Y2038 bug in `syscall.c` by replacing the `Int32x32To64`
+  macro (which truncates its arguments to 32 bits) with a plain
+  64-bit multiplication.
+
+- Fixed ACL ID mapping for non-root users (closes #618).
+
+- Fixed handling of objects with many xattrs on FreeBSD.
+
+- Fixed `--open-noatime` not taking effect when opening regular
+  files: `O_NOATIME` is now also passed to `do_open_nofollow()`, which
+  has been used for regular files since the CVE fix "fixed symlink
+  race condition in sender".
+
+- Ignore "directory has vanished" errors.
+
+- Fixed the removal of multiple leading slashes.
+
+- Added the missing `--dirs` long option.
+
+- Fixed a segfault if `poptGetContext()` returns NULL (e.g. under
+  OOM) by not passing NULL to `poptReadDefaultConfig()`.  Reported by
+  Ronnie Sahlberg; found with `malloc-fail-tester`.
+
+- Fixed a build error on ia64 NonStop (which treats missing
+  prototypes as an error, not a warning).
+
+- Fixed a flaky hardlinks test (fixes #735).
+
+### ENHANCEMENTS:
+
+- Added multi-threaded `zstd` compression, gated by a new
+  `--compress-threads=N` option, with validation and man-page
+  coverage.
+
+- Documented the `temp dir` parameter in the rsyncd.conf man page
+  (fixes #820).
+
+- Improved rendering of interior dashes in long-option names in
+  `md-convert` (perhaps fixes #686).
+
+### PORTABILITY / BUILD:
+
+- Fixed glibc 2.43 const-preserving overloads of `strtok()`,
+  `strchr()` etc. by declaring the affected locals with the right
+  constness.  Contributed by Holger Hoffstätte.
+
+- Converted the bundled zlib 1.2.8 from K&R-style function
+  definitions to ANSI prototypes, so it builds with clang 16+.
+
+- Avoid using `bool` as an identifier; it is a keyword in C23.
+
+- `configure.ac`: check for xattr functions in libc first and only
+  fall back to `-lattr`, avoiding spurious overlinking when `-lattr`
+  happens to be installed.  Contributed by Eli Schwartz.
+
+- Made the build reproducible by honouring `SOURCE_DATE_EPOCH` for
+  the manpage date.
+
+- Removed obsolete `popt/findme.c` and `popt/findme.h` that upstream
+  popt 1.14 folded into `popt.c` (fixes #710).  Contributed by Alan
+  Coopersmith.
+
+### INTERNAL:
+
+- Made many module-global variables `const` so they can live in
+  `.rodata` and enable additional compiler optimization.
+
+### DEVELOPER RELATED:
+
+- Replaced `runtests.sh` with `runtests.py`, a Python test runner
+  that supports `--valgrind` (with per-process log files so valgrind
+  output no longer interferes with output comparisons) and
+  `-j/--parallel` execution for roughly a 7× speed-up on typical
+  hardware.
+
+- Added a SIMD checksum self-test and a `clean-fname-underflow`
+  regression test.
+
+- Various CI fixes for macOS and Cygwin (including adding
+  `simd-checksum` to the expected-skipped lists on platforms without
+  SIMD), and tests now run on `ubuntu-latest`.
+
+- removed support for the unmaintained rsync-patches archive
+
+------------------------------------------------------------------------------
+
+# NEWS for rsync 3.4.1 (16 Jan 2025)
+
+Release 3.4.1 is a fix for regressions introduced in 3.4.0
+
+## Changes in this version:
+
+### BUG FIXES:
+
+ - fixed handling of -H flag with conflict in internal flag values
+
+ - fixed a user after free in logging of failed rename
+
+ - fixed build on systems without openat()
+
+ - removed dependency on alloca() in bundled popt
+
+### DEVELOPER RELATED:
+
+ - fix to permissions handling in the developer release script
+
+------------------------------------------------------------------------------
+
+# NEWS for rsync 3.4.0 (15 Jan 2025)
+
+Release 3.4.0 is a security release that fixes a number of important vulnerabilities.
+
+For more details on the vulnerabilities please see the CERT report
+https://kb.cert.org/vuls/id/952657
+
+## Changes in this version:
+
+### PROTOCOL NUMBER:
+
+ - The protocol number was changed to 32 to make it easier for
+   administrators to check their servers have been updated
+
+### SECURITY FIXES:
+
+Many thanks to Simon Scannell, Pedro Gallegos, and Jasiel Spelman at
+Google Cloud Vulnerability Research and Aleksei Gorban (Loqpa) for
+discovering these vulnerabilities and working with the rsync project
+to develop and test fixes.
+
+- CVE-2024-12084 - Heap Buffer Overflow in Checksum Parsing.
+
+- CVE-2024-12085 - Info Leak via uninitialized Stack contents defeats ASLR.
+  
+- CVE-2024-12086 - Server leaks arbitrary client files.
+
+- CVE-2024-12087 - Server can make client write files outside of destination directory using symbolic links.
+
+- CVE-2024-12088 - --safe-links Bypass.
+
+- CVE-2024-12747 - symlink race condition.
+
+### BUG FIXES:
+
+- Fixed the included popt to avoid a memory error on modern gcc versions.
+
+- Fixed an incorrect extern variable's type that caused an ACL issue on macOS.
+
+- Fixed IPv6 configure check
+
+### INTERNAL:
+
+- Updated included popt to version 1.19.
+
+### DEVELOPER RELATED:
+
+- Various improvements to the release scripts and git setup.
+
+- Improved packaging/var-checker to identify variable type issues.
+
+- added FreeBSD and Solaris CI builds
+
+------------------------------------------------------------------------------
+
+# NEWS for rsync 3.3.0 (6 Apr 2024)
+
+## Changes in this version:
+
+### BUG FIXES:
+
+- Fixed a bug with `--sparse --inplace` where a trailing gap in the source
+  file would not clear out the trailing data in the destination file.
+
+- Fixed an buffer overflow in the checksum2 code if SHA1 is being used for
+  the checksum2 algorithm.
+
+- Fixed an issue when rsync is compiled using `_FORTIFY_SOURCE` so that the
+  extra tests don't complain about a strlcpy() limit value (which was too
+  large, even though it wasn't possible for the larger value to cause an
+  overflow).
+
+- Add a backtick to the list of characters that the filename quoting needs to
+  escape using backslashes.
+
+- Fixed a string-comparison issue in the internal handling of `--progress` (a
+  locale such as tr_TR.utf-8 needed the internal triggering of `--info` options
+  to use upper-case flag names to ensure that they match).
+
+- Make sure that a local transfer marks the sender side as trusted.
+
+- Change the argv handling to work with a newer popt library -- one that likes
+  to free more data than it used to.
+
+- Rsync now calls `OpenSSL_add_all_algorithms()` when compiled against an older
+  openssl library.
+
+- Fixed a problem in the daemon auth for older protocols (29 and before) if the
+  openssl library is being used to compute MD4 checksums.
+
+- Fixed `rsync -VV` on Cygwin -- it needed a flush of stdout.
+
+- Fixed an old stats bug that counted devices as symlinks.
+
+### ENHANCEMENTS:
+
+- Enhanced rrsync with the `-no-overwrite` option that allows you to ensure
+  that existing files on your restricted but writable directory can't be
+  modified.
+
+- Enhanced the manpages to mark links with .UR & .UE. If your nroff doesn't
+  support these idioms, touch the file `.md2man-force` in the source directory
+  so that `md-convert` gets called with the `--force-link-text` option, and
+  that should ensure that your manpages are still readable even with the
+  ignored markup.
+
+- Some manpage improvements on the handling of [global] modules.
+
+- Changed the mapfrom & mapto perl scripts (in the support dir) into a single
+  python script named idmap.  Converted a couple more perl scripts into python.
+
+- Changed the mnt-excl perl script (in the support dir) into a python script.
+
+### DEVELOPER RELATED:
+
+ - Updated config.guess (timestamp 2023-01-01) and config.sub (timestamp
+   2023-01-21).
+
+------------------------------------------------------------------------------
+
+# NEWS for rsync 3.2.7 (20 Oct 2022)
+
+## Changes in this version:
+
+### BUG FIXES:
+
+- Fixed the client-side validating of the remote sender's filtering behavior.
+
+- More fixes for the "unrequested file-list name" name, including a copy of
+  "/" with `--relative` enabled and a copy with a lot of related paths with
+  `--relative` enabled (often derived from a `--files-from` list).
+
+- When rsync gets an unpack error on an ACL, mention the filename.
+
+- Avoid over-setting sanitize_paths when a daemon is serving "/" (even if
+  "use chroot" is false).
+
+### ENHANCEMENTS:
+
+- Added negotiated daemon-auth support that allows a stronger checksum digest
+  to be used to validate a user's login to the daemon.  Added SHA512, SHA256,
+  and SHA1 digests to MD5 & MD4.  These new digests are at the highest priority
+  in the new daemon-auth negotiation list.
+
+- Added support for the SHA1 digest in file checksums.  While this tends to be
+  overkill, it is available if someone really needs it.  This overly-long
+  checksum is at the lowest priority in the normal checksum negotiation list.
+  See [`--checksum-choice`](rsync.1#opt) (`--cc`) and the `RSYNC_CHECKSUM_LIST`
+  environment var for how to customize this.
+
+- Improved the xattr hash table to use a 64-bit key without slowing down the
+  key's computation.  This should make extra sure that a hash collision doesn't
+  happen.
+
+- If the `--version` option is repeated (e.g. `-VV`) then the information is
+  output in a (still readable) JSON format.  Client side only.
+
+- The script `support/json-rsync-version` is available to get the JSON style
+  version output from any rsync.  The script accepts either text on stdin
+  **or** an arg that specifies an rsync executable to run with a doubled
+  `--version` option.  If the text we get isn't already in JSON format, it is
+  converted. Newer rsync versions will provide more complete json info than
+  older rsync versions. Various tweaks are made to keep the flag names
+  consistent across versions.
+
+- The [`use chroot`](rsyncd.conf.5#) daemon parameter now defaults to "unset"
+  so that rsync can use chroot when it works and a sanitized copy when chroot
+  is not supported (e.g., for a non-root daemon).  Explicitly setting the
+  parameter to true or false (on or off) behaves the same way as before.
+
+- The `--fuzzy` option was optimized a bit to try to cut down on the amount of
+  computations when considering a big pool of files. The simple heuristic from
+  Kenneth Finnegan resulted in about a 2x speedup.
+
+- If rsync is forced to use protocol 29 or before (perhaps due to talking to an
+  rsync before 3.0.0), the modify time of a file is limited to 4-bytes.  Rsync
+  now interprets this value as an unsigned integer so that a current year past
+  2038 can continue to be represented. This does mean that years prior to 1970
+  cannot be represented in an older protocol, but this trade-off seems like the
+  right choice given that (1) 2038 is very rapidly approaching, and (2) newer
+  protocols support a much wider range of old and new dates.
+
+- The rsync client now treats an empty destination arg as an error, just like
+  it does for an empty source arg. This doesn't affect a `host:` arg (which is
+  treated the same as `host:.`) since the arg is not completely empty.  The use
+  of [`--old-args`](rsync.1#opt) (including via `RSYNC_OLD_ARGS`) allows the
+  prior behavior of treating an empty destination arg as a ".".
+
+### PACKAGING RELATED:
+
+- The checksum code now uses openssl's EVP methods, which gets rid of various
+  deprecation warnings and makes it easy to support more digest methods.  On
+  newer systems, the MD4 digest is marked as legacy in the openssl code, which
+  makes openssl refuse to support it via EVP.  You can choose to ignore this
+  and allow rsync's MD4 code to be used for older rsync connections (when
+  talking to an rsync prior to 3.0.0) or you can choose to configure rsync to
+  tell openssl to enable legacy algorithms (see below).
+
+- A simple openssl config file is supplied that can be installed for rsync to
+  use.  If you install packaging/openssl-rsync.cnf to a public spot (such as
+  `/etc/ssl/openssl-rsync.cnf`) and then run configure with the option
+  `--with-openssl-conf=/path/name.cnf`, this will cause rsync to export the
+  configured path in the OPENSSL_CONF environment variable (when the variable
+  is not already set).  This will enable openssl's MD4 code for rsync to use.
+
+- The packager may wish to include an explicit "use chroot = true" in the top
+  section of their supplied /etc/rsyncd.conf file if the daemon is being
+  installed to run as the root user (though rsync should behave the same even
+  with the value unset, a little extra paranoia doesn't hurt).
+
+- I've noticed that some packagers haven't installed support/nameconvert for
+  users to use in their chrooted rsync configs.  Even if it is not installed
+  as an executable script (to avoid a python3 dependency) it would be good to
+  install it with the other rsync-related support scripts.
+
+- It would be good to add support/json-rsync-version to the list of installed
+  support scripts.
+
+------------------------------------------------------------------------------
+
+# NEWS for rsync 3.2.6 (9 Sep 2022)
+
+## Changes in this version:
+
+### BUG FIXES:
+
+- More path-cleaning improvements in the file-list validation code to avoid
+  rejecting of valid args.
+
+- A file-list validation fix for a [`--files-from`](rsync.1#opt) file that ends
+  without a line-terminating character.
+
+- Added a safety check that prevents the sender from removing destination files
+  when a local copy using [`--remove-source-files`](rsync.1#opt) has some files
+  that are shared between the sending & receiving hierarchies, including the
+  case where the source dir & destination dir are identical.
+
+- Fixed a bug in the internal MD4 checksum code that could cause the digest
+  to be sporadically incorrect (the openssl version was/is fine).
+
+- A minor tweak to rrsync added "copy-devices" to the list of known args, but
+  left it disabled by default.
+
+### ENHANCEMENTS:
+
+- Rename `--protect-args` to [`--secluded-args`](rsync.1#opt) to make it
+  clearer how it differs from the default backslash-escaped arg-protecting
+  behavior of rsync.  The old option names are still accepted.  The
+  environment-variable override did not change its name.
+
+### PACKAGING RELATED:
+
+- The configure option `--with-protected-args` was renamed to
+  `--with-secluded-args`.  This option makes `--secluded-args` the default
+  rsync behavior instead of using backslash escaping for protecting args.
+
+- The mkgitver script now makes sure that a `.git` dir/file is in the top-level
+  source dir before calling `git describe`. It also runs a basic check on the
+  version value. This should avoid using an unrelated git description for
+  rsync's version.
+
+### DEVELOPER RELATED:
+
+- The configure script no longer sets the -pedantic-errors CFLAG (which it
+  used to try to do only for gcc).
+
+- The name_num_obj struct was modified to allow its dynamic name_num_item list
+  to be initialized in a better way.
+
+------------------------------------------------------------------------------
+
+# NEWS for rsync 3.2.5 (14 Aug 2022)

 ## Changes in this version:

@@ -7,24 +630,43 @@
 - Added some file-list safety checking that helps to ensure that a rogue
  sending rsync can't add unrequested top-level names and/or include recursive
  names that should have been excluded by the sender.  These extra safety
-  checks only require the receiver rsync to be udateed.  When dealing with an
+  checks only require the receiver rsync to be updated.  When dealing with an
  untrusted sending host, it is safest to copy into a dedicated destination
  directory for the remote content (i.e. don't copy into a destination
  directory that contains files that aren't from the remote host unless you
  trust the remote host). Fixes CVE-2022-29154.

+ - A fix for CVE-2022-37434 in the bundled zlib (buffer overflow issue).
+
 ### BUG FIXES:

+- Fixed the handling of filenames specified with backslash-quoted wildcards
+  when the default remote-arg-escaping is enabled.
+
 - Fixed the configure check for signed char that was causing a host that
  defaults to unsigned characters to generate bogus rolling checksums. This
  made rsync send mostly literal data for a copy instead of finding matching
-  data in the receiver's basis file.
+  data in the receiver's basis file (for a file that contains high-bit
+  characters).

- Lots of manpage improvements, including an attempt to better desdribe how
+- Lots of manpage improvements, including an attempt to better describe how
  include/exclude filters work.

+- If rsync is compiled with an xxhash 0.8 library and then moved to a system
+  with a dynamically linked xxhash 0.7 library, we now detect this and disable
+  the XX3 hashes (since these routines didn't stabilize until 0.8).
+
+### ENHANCEMENTS:
+
+- The [`--trust-sender`](rsync.1#opt) option was added as a way to bypass the
+  extra file-list safety checking (should that be required).
+
 ### PACKAGING RELATED:

+- A note to those wanting to patch older rsync versions: the changes in this
+  release requires the quoted argument change from 3.2.4. Then, you'll want
+  every single code change from 3.2.5 since there is no fluff in this release.
+
 - The build date that goes into the manpages is now based on the developer's
  release date, not on the build's local-timezone interpretation of the date.

@@ -45,11 +687,12 @@
 ### BEHAVIOR CHANGES:

 - A new form of arg protection was added that works similarly to the older
-   [`--protect-args`](rsync.1#opt) (`-s`) option but in a way that avoids
+   `--protect-args` ([`-s`](rsync.1#opt)) option but in a way that avoids
   breaking things like rrsync (the restricted rsync script): rsync now uses
-   backslash escaping for sending "shell-active" characters to the remote
-   shell. This includes spaces, so fetching a remote file via a simple quoted
-   filename value now works by default without any extra quoting:
+   backslash escaping for sending "shell-active" characters to the remote shell
+   (such as `$(){}<>#&` and others). This includes spaces, so fetching a remote
+   file via a quoted filename value now works by default without any extra
+   quoting:

   ```shell
       rsync -aiv host:'a simple file.pdf' .
@@ -57,10 +700,14 @@

   Wildcards are not escaped in filename args, but they are escaped in options
   like the [`--suffix`](rsync.1#opt) and [`--usermap`](rsync.1#opt) values.
-   If your rsync script depends on the old arg-splitting behavior, either run
-   it with the [`--old-args`](rsync.1#opt) option or `export RSYNC_OLD_ARGS=1`
-   in the script's environment.  See also the [ADVANCED USAGE](rsync.1#)
-   section of rsync's manpage for how to use a more modern arg style.
+
+   If a script depends on the old arg behavior (perhaps because it quotes or
+   protects the args already, or perhaps because it expects arg splitting),
+   there are two easy ways to get things going with a modern rsync: either
+   `export RSYNC_OLD_ARGS=1` in the script's environment (perhaps in the script
+   itself) or add the option [`--old-args`](rsync.1#opt) to the rsync commands
+   that are run.  See also the [ADVANCED USAGE](rsync.1#) section of rsync's
+   manpage for how to use a more modern arg style.

 - A long-standing bug was preventing rsync from figuring out the current
   locale's decimal point character, which made rsync always output numbers
@@ -149,7 +796,7 @@

 - Fixed a potential issue in git-set-file-times when handling commits with
   high-bit characters in the description & when handling a description that
-   might mimick the git raw-commit deliniators.  (See the support dir.)
+   might mimic the git raw-commit deliniators.  (See the support dir.)

 - The bundled systemd/rsync.service file now includes `Restart=on-failure`.

@@ -4522,7 +5169,14 @@

 | RELEASE DATE | VER.   | DATE OF COMMIT\* | PROTOCOL    |
 |--------------|--------|------------------|-------------|
-| ?? Aug 2022  | 3.2.5  |                  | 31          |
+| 20 May 2026  | 3.4.3  |                  | 32          |
+| 28 Apr 2026  | 3.4.2  |                  | 32          |
+| 16 Jan 2025  | 3.4.1  |                  | 32          |
+| 15 Jan 2025  | 3.4.0  | 15 Jan 2025      | 32          |
+| 06 Apr 2024  | 3.3.0  |                  | 31          |
+| 20 Oct 2022  | 3.2.7  |                  | 31          |
+| 09 Sep 2022  | 3.2.6  |                  | 31          |
+| 14 Aug 2022  | 3.2.5  |                  | 31          |
 | 15 Apr 2022  | 3.2.4  |                  | 31          |
 | 06 Aug 2020  | 3.2.3  |                  | 31          |
 | 04 Jul 2020  | 3.2.2  |                  | 31          |
--- a/README.md
+++ b/README.md
@@ -34,7 +34,7 @@ If you need to build rsync yourself, check out the [INSTALL][1] page for
 information on what libraries and packages you can use to get the maximum
 features in your build.

-[1]: https://github.com/WayneD/rsync/blob/master/INSTALL.md
+[1]: https://github.com/RsyncProject/rsync/blob/master/INSTALL.md

 SETUP
 -----
@@ -93,6 +93,15 @@ details.
 [3]: https://rsync.samba.org/lists.html


+DISCORD
+-------
+
+There is also an rsync [Discord server][d] for real-time chat about rsync
+and its development.
+
+[d]: https://discord.gg/Avfvy9zhdp
+
+
 BUG REPORTS
 -----------

@@ -112,6 +121,7 @@ page of the web site.

 Alternately, email your bug report to <rsync@lists.samba.org>.

+For security issues please email details of the issue to <rsync.project@gmail.com>.

 GIT REPOSITORY
 --------------
@@ -120,7 +130,7 @@ If you want to get the very latest version of rsync direct from the
 source code repository, then you will need to use git.  The git repo
 is hosted [on GitHub][6] and [on Samba's site][7].

-[6]: https://github.com/WayneD/rsync
+[6]: https://github.com/RsyncProject/rsync
 [7]: https://git.samba.org/?p=rsync.git;a=summary

 See [the download page][8] for full details on all the ways to grab the
@@ -132,13 +142,12 @@ source.
 COPYRIGHT
 ---------

-Rsync was originally written by Andrew Tridgell and is currently
-maintained by Wayne Davison.  It has been improved by many developers
-from around the world.
+Rsync was originally written by Andrew Tridgell and Paul Mackerras.  Many
+people from around the world have helped to maintain and improve it.

 Rsync may be used, modified and redistributed only under the terms of
 the GNU General Public License, found in the file [COPYING][9] in this
 distribution, or at [the Free Software Foundation][10].

-[9]: https://github.com/WayneD/rsync/blob/master/COPYING
+[9]: https://github.com/RsyncProject/rsync/blob/master/COPYING
 [10]: https://www.fsf.org/licenses/gpl.html
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -9,4 +9,5 @@ help backporting fixes into an older release, feel free to ask.

 Email your vulnerability information to rsync's maintainer:

-  Wayne Davison <wayne@opencoder.net>
+  Rsync Project <rsync.project@gmail.com>
+
--- a/access.c
+++ b/access.c
@@ -99,7 +99,7 @@ static void make_mask(char *mask, int plen, int addrlen)
 	return;
 }

-static int match_address(const char *addr, const char *tok)
+static int match_address(const char *addr, char *tok)
 {
 	char *p;
 	struct addrinfo hints, *resa, *rest;
--- a/acls.c
+++ b/acls.c
@@ -28,7 +28,7 @@ extern int dry_run;
 extern int am_root;
 extern int read_only;
 extern int list_only;
-extern int orig_umask;
+extern mode_t orig_umask;
 extern int numeric_ids;
 extern int inc_recurse;
 extern int preserve_devices;
@@ -519,6 +519,7 @@ static int get_rsync_acl(const char *fname, rsync_acl *racl,

 		sys_acl_free_acl(sacl);
 		if (!ok) {
+			rsyserr(FERROR_XFER, errno, "get_acl: unpack_smb_acl(%s)", fname);
 			return -1;
 		}
 	} else if (no_acl_syscall_error(errno)) {
@@ -696,7 +697,7 @@ static uint32 recv_acl_access(int f, uchar *name_follows_ptr)
 static uchar recv_ida_entries(int f, ida_entries *ent)
 {
 	uchar computed_mask_bits = 0;
-	int i, count = read_varint(f);
+	int i, count = read_varint_bounded(f, 0, MAX_WIRE_ACL_COUNT, "ACL count");

 	ent->idas = count ? new_array(id_access, count) : NULL;
 	ent->count = count;
@@ -712,7 +713,7 @@ static uchar recv_ida_entries(int f, ida_entries *ent)
 			else
 				id = recv_group_name(f, id, NULL);
 		} else if (access & NAME_IS_USER) {
-			if (inc_recurse && am_root && !numeric_ids)
+			if (inc_recurse && !numeric_ids)
 				id = match_uid(id);
 		} else {
 			if (inc_recurse && (!am_root || !numeric_ids))
@@ -764,6 +765,7 @@ static int recv_rsync_acl(int f, item_list *racl_list, SMB_ACL_TYPE_T type, mode
 	/* If we received a superfluous mask, throw it away. */
 	duo_item->racl.mask_obj = NO_ENTRY;
 	(void)mode;
+	(void)computed_mask_bits;
 #else
 	if (duo_item->racl.names.count && duo_item->racl.mask_obj == NO_ENTRY) {
 		/* Mask must be non-empty with lists. */
@@ -980,7 +982,7 @@ static int set_rsync_acl(const char *fname, acl_duo *duo_item,
 		 && !pack_smb_acl(&duo_item->sacl, &duo_item->racl))
 			return -1;
 #ifdef HAVE_OSX_ACLS
-		mode = 0; /* eliminate compiler warning */
+		(void)mode; /* eliminate compiler warning */
 #else
 		if (type == SMB_ACL_TYPE_ACCESS) {
 			cur_mode = change_sacl_perms(duo_item->sacl, &duo_item->racl, cur_mode, mode);
--- a/authenticate.c
+++ b/authenticate.c
@@ -2,7 +2,7 @@
 * Support rsync daemon authentication.
 *
 * Copyright (C) 1998-2000 Andrew Tridgell
- * Copyright (C) 2002-2020 Wayne Davison
+ * Copyright (C) 2002-2022 Wayne Davison
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -24,6 +24,7 @@

 extern int read_only;
 extern char *password_file;
+extern struct name_num_obj valid_auth_checksums;

 /***************************************************************************
 encode a buffer using base64 - simple and slow algorithm. null terminates
@@ -72,9 +73,9 @@ static void gen_challenge(const char *addr, char *challenge)
 	SIVAL(input, 20, tv.tv_usec);
 	SIVAL(input, 24, getpid());

-	sum_init(-1, 0);
+	len = sum_init(valid_auth_checksums.negotiated_nni, 0);
 	sum_update(input, sizeof input);
-	len = sum_end(digest);
+	sum_end(digest);

 	base64_encode(digest, len, challenge, 0);
 }
@@ -86,10 +87,10 @@ static void generate_hash(const char *in, const char *challenge, char *out)
 	char buf[MAX_DIGEST_LEN];
 	int len;

-	sum_init(-1, 0);
+	len = sum_init(valid_auth_checksums.negotiated_nni, 0);
 	sum_update(in, strlen(in));
 	sum_update(challenge, strlen(challenge));
-	len = sum_end(buf);
+	sum_end(buf);

 	base64_encode(buf, len, out, 0);
 }
@@ -238,6 +239,7 @@ char *auth_server(int f_in, int f_out, int module, const char *host,
 	if (!users || !*users)
 		return "";

+	negotiate_daemon_auth(f_out, 0);
 	gen_challenge(addr, challenge);

 	io_printf(f_out, "%s%s\n", leader, challenge);
@@ -350,6 +352,7 @@ void auth_client(int fd, const char *user, const char *challenge)

 	if (!user || !*user)
 		user = "nobody";
+	negotiate_daemon_auth(-1, 1);

 	if (!(pass = getpassf(password_file))
 	 && !(pass = getenv("RSYNC_PASSWORD"))) {
--- a/backup.c
+++ b/backup.c
@@ -39,7 +39,7 @@ static int validate_backup_dir(void)
 {
 	STRUCT_STAT st;

-	if (do_lstat(backup_dir_buf, &st) < 0) {
+	if (do_lstat_at(backup_dir_buf, &st) < 0) {
 		if (errno == ENOENT)
 			return 0;
 		rsyserr(FERROR, errno, "backup lstat %s failed", backup_dir_buf);
@@ -98,7 +98,7 @@ static BOOL copy_valid_path(const char *fname)
 	for ( ; b; name = b + 1, b = strchr(name, '/')) {
 		*b = '\0';

-		while (do_mkdir(backup_dir_buf, ACCESSPERMS) < 0) {
+		while (do_mkdir_at(backup_dir_buf, ACCESSPERMS) < 0) {
 			if (errno == EEXIST) {
 				val = validate_backup_dir();
 				if (val > 0)
@@ -197,7 +197,7 @@ static inline int link_or_rename(const char *from, const char *to,
 		if (IS_SPECIAL(stp->st_mode) || IS_DEVICE(stp->st_mode))
 			return 0; /* Use copy code. */
 #endif
-		if (do_link(from, to) == 0) {
+		if (do_link_at(from, to) == 0) {
 			if (DEBUG_GTE(BACKUP, 1))
 				rprintf(FINFO, "make_backup: HLINK %s successful.\n", from);
 			return 2;
@@ -207,7 +207,7 @@ static inline int link_or_rename(const char *from, const char *to,
 			return 0;
 	}
 #endif
-	if (do_rename(from, to) == 0) {
+	if (do_rename_at(from, to) == 0) {
 		if (stp->st_nlink > 1 && !S_ISDIR(stp->st_mode)) {
 			/* If someone has hard-linked the file into the backup
 			 * dir, rename() might return success but do nothing! */
@@ -246,7 +246,7 @@ int make_backup(const char *fname, BOOL prefer_rename)
 		goto success;
 	if (errno == EEXIST || errno == EISDIR) {
 		STRUCT_STAT bakst;
-		if (do_lstat(buf, &bakst) == 0) {
+		if (do_lstat_at(buf, &bakst) == 0) {
 			int flags = get_del_for_flag(bakst.st_mode) | DEL_FOR_BACKUP | DEL_RECURSE;
 			if (delete_item(buf, bakst.st_mode, flags) != 0)
 				return 0;
@@ -277,7 +277,7 @@ int make_backup(const char *fname, BOOL prefer_rename)
 	/* Check to see if this is a device file, or link */
 	if ((am_root && preserve_devices && IS_DEVICE(file->mode))
 	 || (preserve_specials && IS_SPECIAL(file->mode))) {
-		if (do_mknod(buf, file->mode, sx.st.st_rdev) < 0)
+		if (do_mknod_at(buf, file->mode, sx.st.st_rdev) < 0)
 			rsyserr(FERROR, errno, "mknod %s failed", full_fname(buf));
 		else if (DEBUG_GTE(BACKUP, 1))
 			rprintf(FINFO, "make_backup: DEVICE %s successful.\n", fname);
@@ -294,7 +294,7 @@ int make_backup(const char *fname, BOOL prefer_rename)
 			}
 			ret = 2;
 		} else {
-			if (do_symlink(sl, buf) < 0)
+			if (do_symlink_at(sl, buf) < 0)
 				rsyserr(FERROR, errno, "link %s -> \"%s\"", full_fname(buf), sl);
 			else if (DEBUG_GTE(BACKUP, 1))
 				rprintf(FINFO, "make_backup: SYMLINK %s successful.\n", fname);
--- a/batch.c
+++ b/batch.c
@@ -3,7 +3,7 @@
 *
 * Copyright (C) 1999 Weiss
 * Copyright (C) 2004 Chris Shoemaker
- * Copyright (C) 2004-2020 Wayne Davison
+ * Copyright (C) 2004-2022 Wayne Davison
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -75,7 +75,7 @@ static int *flag_ptr[] = {
 	NULL
 };

-static char *flag_name[] = {
+static const char *const flag_name[] = {
 	"--recurse (-r)",
 	"--owner (-o)",
 	"--group (-g)",
@@ -194,7 +194,7 @@ static int write_opt(const char *opt, const char *arg)
 {
 	int len = strlen(opt);
 	int err = write(batch_sh_fd, " ", 1) != 1;
-	err = write(batch_sh_fd, opt, len) != len ? 1 : 0; 
+	err = write(batch_sh_fd, opt, len) != len ? 1 : 0;
 	if (arg) {
 		err |= write(batch_sh_fd, "=", 1) != 1;
 		err |= write_arg(arg);
--- a/byteorder.h
+++ b/byteorder.h
@@ -2,7 +2,7 @@
 * Simple byteorder handling.
 *
 * Copyright (C) 1992-1995 Andrew Tridgell
- * Copyright (C) 2007-2020 Wayne Davison
+ * Copyright (C) 2007-2022 Wayne Davison
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -129,4 +129,3 @@ SIVAL(char *buf, int pos, uint32 val)
 {
 	SIVALu((uchar*)buf, pos, val);
 }
-
--- a/checksum.c
+++ b/checksum.c
@@ -3,7 +3,7 @@
 *
 * Copyright (C) 1996 Andrew Tridgell
 * Copyright (C) 1996 Paul Mackerras
- * Copyright (C) 2004-2022 Wayne Davison
+ * Copyright (C) 2004-2023 Wayne Davison
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -42,41 +42,94 @@ extern int protocol_version;
 extern int proper_seed_order;
 extern const char *checksum_choice;

-struct name_num_obj valid_checksums = {
-	"checksum", NULL, NULL, 0, 0, {
+#define NNI_BUILTIN (1<<0)
+#define NNI_EVP (1<<1)
+#define NNI_EVP_OK (1<<2)
+
+struct name_num_item valid_checksums_items[] = {
 #ifdef SUPPORT_XXH3
-		{ CSUM_XXH3_128, "xxh128", NULL },
-		{ CSUM_XXH3_64, "xxh3", NULL },
+	{ CSUM_XXH3_128, 0, "xxh128", NULL },
+	{ CSUM_XXH3_64, 0, "xxh3", NULL },
 #endif
 #ifdef SUPPORT_XXHASH
-		{ CSUM_XXH64, "xxh64", NULL },
-		{ CSUM_XXH64, "xxhash", NULL },
+	{ CSUM_XXH64, 0, "xxh64", NULL },
+	{ CSUM_XXH64, 0, "xxhash", NULL },
 #endif
-		{ CSUM_MD5, "md5", NULL },
-		{ CSUM_MD4, "md4", NULL },
-		{ CSUM_NONE, "none", NULL },
-		{ 0, NULL, NULL }
-	}
+	{ CSUM_MD5, NNI_BUILTIN|NNI_EVP, "md5", NULL },
+	{ CSUM_MD4, NNI_BUILTIN|NNI_EVP, "md4", NULL },
+#ifdef SHA_DIGEST_LENGTH
+	{ CSUM_SHA1, NNI_EVP, "sha1", NULL },
+#endif
+	{ CSUM_NONE, 0, "none", NULL },
+	{ 0, 0, NULL, NULL }
 };

-int xfersum_type = 0; /* used for the file transfer checksums */
-int checksum_type = 0; /* used for the pre-transfer (--checksum) checksums */
+struct name_num_obj valid_checksums = {
+	"checksum", NULL, 0, 0, valid_checksums_items
+};

-int parse_csum_name(const char *name, int len)
+struct name_num_item valid_auth_checksums_items[] = {
+#ifdef SHA512_DIGEST_LENGTH
+	{ CSUM_SHA512, NNI_EVP, "sha512", NULL },
+#endif
+#ifdef SHA256_DIGEST_LENGTH
+	{ CSUM_SHA256, NNI_EVP, "sha256", NULL },
+#endif
+#ifdef SHA_DIGEST_LENGTH
+	{ CSUM_SHA1, NNI_EVP, "sha1", NULL },
+#endif
+	{ CSUM_MD5, NNI_BUILTIN|NNI_EVP, "md5", NULL },
+	{ CSUM_MD4, NNI_BUILTIN|NNI_EVP, "md4", NULL },
+	{ 0, 0, NULL, NULL }
+};
+
+struct name_num_obj valid_auth_checksums = {
+	"daemon auth checksum", NULL, 0, 0, valid_auth_checksums_items
+};
+
+/* These cannot make use of openssl, so they're marked just as built-in */
+struct name_num_item implied_checksum_md4 =
+    { CSUM_MD4, NNI_BUILTIN, "md4", NULL };
+struct name_num_item implied_checksum_md5 =
+    { CSUM_MD5, NNI_BUILTIN, "md5", NULL };
+
+struct name_num_item *xfer_sum_nni; /* used for the transfer checksum2 computations */
+int xfer_sum_len;
+struct name_num_item *file_sum_nni; /* used for the pre-transfer --checksum computations */
+int file_sum_len, file_sum_extra_cnt;
+
+#ifdef USE_OPENSSL
+const EVP_MD *xfer_sum_evp_md;
+const EVP_MD *file_sum_evp_md;
+EVP_MD_CTX *ctx_evp = NULL;
+#endif
+
+static int initialized_choices = 0;
+
+struct name_num_item *parse_csum_name(const char *name, int len)
 {
 	struct name_num_item *nni;

 	if (len < 0 && name)
 		len = strlen(name);

+	init_checksum_choices();
+
 	if (!name || (len == 4 && strncasecmp(name, "auto", 4) == 0)) {
-		if (protocol_version >= 30)
-			return CSUM_MD5;
-		if (protocol_version >= 27)
-			return CSUM_MD4_OLD;
-		if (protocol_version >= 21)
-			return CSUM_MD4_BUSTED;
-		return CSUM_MD4_ARCHAIC;
+		if (protocol_version >= 30) {
+			if (!proper_seed_order)
+				return &implied_checksum_md5;
+			name = "md5";
+			len = 3;
+		} else {
+			if (protocol_version >= 27)
+				implied_checksum_md4.num = CSUM_MD4_OLD;
+			else if (protocol_version >= 21)
+				implied_checksum_md4.num = CSUM_MD4_BUSTED;
+			else
+				implied_checksum_md4.num = CSUM_MD4_ARCHAIC;
+			return &implied_checksum_md4;
+		}
 	}

 	nni = get_nni_by_name(&valid_checksums, name, len);
@@ -86,44 +139,74 @@ int parse_csum_name(const char *name, int len)
 		exit_cleanup(RERR_UNSUPPORTED);
 	}

-	return nni->num;
+	return nni;
 }

-static const char *checksum_name(int num)
+#ifdef USE_OPENSSL
+static const EVP_MD *csum_evp_md(struct name_num_item *nni)
 {
-	struct name_num_item *nni = get_nni_by_num(&valid_checksums, num);
+	const EVP_MD *emd;
+	if (!(nni->flags & NNI_EVP))
+		return NULL;

-	return nni ? nni->name : num < CSUM_MD4 ? "md4" : "UNKNOWN";
+#ifdef USE_MD5_ASM
+	if (nni->num == CSUM_MD5)
+		emd = NULL;
+	else
+#endif
+		emd = EVP_get_digestbyname(nni->name);
+	if (emd && !(nni->flags & NNI_EVP_OK)) { /* Make sure it works before we advertise it */
+		if (!ctx_evp && !(ctx_evp = EVP_MD_CTX_create()))
+			out_of_memory("csum_evp_md");
+		/* Some routines are marked as legacy and are not enabled in the openssl.cnf file.
+		 * If we can't init the emd, we'll fall back to our built-in code. */
+		if (EVP_DigestInit_ex(ctx_evp, emd, NULL) == 0)
+			emd = NULL;
+		else
+			nni->flags = (nni->flags & ~NNI_BUILTIN) | NNI_EVP_OK;
+	}
+	if (!emd)
+		nni->flags &= ~NNI_EVP;
+	return emd;
 }
+#endif

 void parse_checksum_choice(int final_call)
 {
-	if (valid_checksums.negotiated_name)
-		xfersum_type = checksum_type = valid_checksums.negotiated_num;
+	if (valid_checksums.negotiated_nni)
+		xfer_sum_nni = file_sum_nni = valid_checksums.negotiated_nni;
 	else {
-		char *cp = checksum_choice ? strchr(checksum_choice, ',') : NULL;
+		const char *cp = checksum_choice ? strchr(checksum_choice, ',') : NULL;
 		if (cp) {
-			xfersum_type = parse_csum_name(checksum_choice, cp - checksum_choice);
-			checksum_type = parse_csum_name(cp+1, -1);
+			xfer_sum_nni = parse_csum_name(checksum_choice, cp - checksum_choice);
+			file_sum_nni = parse_csum_name(cp+1, -1);
 		} else
-			xfersum_type = checksum_type = parse_csum_name(checksum_choice, -1);
+			xfer_sum_nni = file_sum_nni = parse_csum_name(checksum_choice, -1);
 		if (am_server && checksum_choice)
-			validate_choice_vs_env(NSTR_CHECKSUM, xfersum_type, checksum_type);
+			validate_choice_vs_env(NSTR_CHECKSUM, xfer_sum_nni->num, file_sum_nni->num);
 	}
+	xfer_sum_len = csum_len_for_type(xfer_sum_nni->num, 0);
+	file_sum_len = csum_len_for_type(file_sum_nni->num, 0);
+#ifdef USE_OPENSSL
+	xfer_sum_evp_md = csum_evp_md(xfer_sum_nni);
+	file_sum_evp_md = csum_evp_md(file_sum_nni);
+#endif

-	if (xfersum_type == CSUM_NONE)
+	file_sum_extra_cnt = (file_sum_len + EXTRA_LEN - 1) / EXTRA_LEN;
+
+	if (xfer_sum_nni->num == CSUM_NONE)
 		whole_file = 1;

 	/* Snag the checksum name for both write_batch's option output & the following debug output. */
-	if (valid_checksums.negotiated_name)
-		checksum_choice = valid_checksums.negotiated_name;
+	if (valid_checksums.negotiated_nni)
+		checksum_choice = valid_checksums.negotiated_nni->name;
 	else if (checksum_choice == NULL)
-		checksum_choice = checksum_name(xfersum_type);
+		checksum_choice = xfer_sum_nni->name;

 	if (final_call && DEBUG_GTE(NSTR, am_server ? 3 : 1)) {
 		rprintf(FINFO, "%s%s checksum: %s\n",
 			am_server ? "Server" : "Client",
-			valid_checksums.negotiated_name ? " negotiated" : "",
+			valid_checksums.negotiated_nni ? " negotiated" : "",
 			checksum_choice);
 	}
 }
@@ -143,6 +226,18 @@ int csum_len_for_type(int cst, BOOL flist_csum)
 		return MD4_DIGEST_LEN;
 	  case CSUM_MD5:
 		return MD5_DIGEST_LEN;
+#ifdef SHA_DIGEST_LENGTH
+	  case CSUM_SHA1:
+		return SHA_DIGEST_LENGTH;
+#endif
+#ifdef SHA256_DIGEST_LENGTH
+	  case CSUM_SHA256:
+		return SHA256_DIGEST_LENGTH;
+#endif
+#ifdef SHA512_DIGEST_LENGTH
+	  case CSUM_SHA512:
+		return SHA512_DIGEST_LENGTH;
+#endif
 	  case CSUM_XXH64:
 	  case CSUM_XXH3_64:
 		return 64/8;
@@ -168,6 +263,9 @@ int canonical_checksum(int csum_type)
 		break;
 	  case CSUM_MD4:
 	  case CSUM_MD5:
+	  case CSUM_SHA1:
+	  case CSUM_SHA256:
+	  case CSUM_SHA512:
 		return -1;
 	  case CSUM_XXH64:
 	  case CSUM_XXH3_64:
@@ -202,9 +300,25 @@ uint32 get_checksum1(char *buf1, int32 len)
 }
 #endif

+/* The "sum" buffer must be at least MAX_DIGEST_LEN bytes! */
 void get_checksum2(char *buf, int32 len, char *sum)
 {
-	switch (xfersum_type) {
+#ifdef USE_OPENSSL
+	if (xfer_sum_evp_md) {
+		static EVP_MD_CTX *evp = NULL;
+		uchar seedbuf[4];
+		if (!evp && !(evp = EVP_MD_CTX_create()))
+			out_of_memory("get_checksum2");
+		EVP_DigestInit_ex(evp, xfer_sum_evp_md, NULL);
+		if (checksum_seed) {
+			SIVALu(seedbuf, 0, checksum_seed);
+			EVP_DigestUpdate(evp, seedbuf, 4);
+		}
+		EVP_DigestUpdate(evp, (uchar *)buf, len);
+		EVP_DigestFinal_ex(evp, (uchar *)sum, NULL);
+	} else
+#endif
+	switch (xfer_sum_nni->num) {
 #ifdef SUPPORT_XXHASH
 	  case CSUM_XXH64:
 		SIVAL64(sum, 0, XXH64(buf, len, checksum_seed));
@@ -222,7 +336,7 @@ void get_checksum2(char *buf, int32 len, char *sum)
 	  }
 #endif
 	  case CSUM_MD5: {
-		md5_context m5;
+		md_context m5;
 		uchar seedbuf[4];
 		md5_begin(&m5);
 		if (proper_seed_order) {
@@ -242,20 +356,6 @@ void get_checksum2(char *buf, int32 len, char *sum)
 		break;
 	  }
 	  case CSUM_MD4:
-#ifdef USE_OPENSSL
-	  {
-		MD4_CTX m4;
-		MD4_Init(&m4);
-		MD4_Update(&m4, (uchar *)buf, len);
-		if (checksum_seed) {
-			uchar seedbuf[4];
-			SIVALu(seedbuf, 0, checksum_seed);
-			MD4_Update(&m4, seedbuf, 4);
-		}
-		MD4_Final((uchar *)sum, &m4);
-		break;
-	  }
-#endif
 	  case CSUM_MD4_OLD:
 	  case CSUM_MD4_BUSTED:
 	  case CSUM_MD4_ARCHAIC: {
@@ -266,9 +366,8 @@ void get_checksum2(char *buf, int32 len, char *sum)

 		mdfour_begin(&m);

-		if (len > len1) {
-			if (buf1)
-				free(buf1);
+		if (len > len1 || !buf1) {
+			free(buf1);
 			buf1 = new_array(char, len+4);
 			len1 = len;
 		}
@@ -288,7 +387,7 @@ void get_checksum2(char *buf, int32 len, char *sum)
 		 * are multiples of 64.  This is fixed by calling mdfour_update()
 		 * even when there are no more bytes.
 		 */
-		if (len - i > 0 || xfersum_type > CSUM_MD4_BUSTED)
+		if (len - i > 0 || xfer_sum_nni->num > CSUM_MD4_BUSTED)
 			mdfour_update(&m, (uchar *)(buf1+i), len-i);

 		mdfour_result(&m, (uchar *)sum);
@@ -306,15 +405,33 @@ void file_checksum(const char *fname, const STRUCT_STAT *st_p, char *sum)
 	int32 remainder;
 	int fd;

-	memset(sum, 0, MAX_DIGEST_LEN);
-
-	fd = do_open(fname, O_RDONLY, 0);
-	if (fd == -1)
+	fd = do_open_checklinks(fname);
+	if (fd == -1) {
+		memset(sum, 0, file_sum_len);
 		return;
+	}

 	buf = map_file(fd, len, MAX_MAP_SIZE, CHUNK_SIZE);

-	switch (checksum_type) {
+#ifdef USE_OPENSSL
+	if (file_sum_evp_md) {
+		static EVP_MD_CTX *evp = NULL;
+		if (!evp && !(evp = EVP_MD_CTX_create()))
+			out_of_memory("file_checksum");
+
+		EVP_DigestInit_ex(evp, file_sum_evp_md, NULL);
+
+		for (i = 0; i + CHUNK_SIZE <= len; i += CHUNK_SIZE)
+			EVP_DigestUpdate(evp, (uchar *)map_ptr(buf, i, CHUNK_SIZE), CHUNK_SIZE);
+
+		remainder = (int32)(len - i);
+		if (remainder > 0)
+			EVP_DigestUpdate(evp, (uchar *)map_ptr(buf, i, remainder), remainder);
+
+		EVP_DigestFinal_ex(evp, (uchar *)sum, NULL);
+	} else
+#endif
+	switch (file_sum_nni->num) {
 #ifdef SUPPORT_XXHASH
 	  case CSUM_XXH64: {
 		static XXH64_state_t* state = NULL;
@@ -374,7 +491,7 @@ void file_checksum(const char *fname, const STRUCT_STAT *st_p, char *sum)
 	  }
 #endif
 	  case CSUM_MD5: {
-		md5_context m5;
+		md_context m5;

 		md5_begin(&m5);

@@ -389,23 +506,6 @@ void file_checksum(const char *fname, const STRUCT_STAT *st_p, char *sum)
 		break;
 	  }
 	  case CSUM_MD4:
-#ifdef USE_OPENSSL
-	  {
-		MD4_CTX m4;
-
-		MD4_Init(&m4);
-
-		for (i = 0; i + CHUNK_SIZE <= len; i += CHUNK_SIZE)
-			MD4_Update(&m4, (uchar *)map_ptr(buf, i, CHUNK_SIZE), CHUNK_SIZE);
-
-		remainder = (int32)(len - i);
-		if (remainder > 0)
-			MD4_Update(&m4, (uchar *)map_ptr(buf, i, remainder), remainder);
-
-		MD4_Final((uchar *)sum, &m4);
-		break;
-	  }
-#endif
 	  case CSUM_MD4_OLD:
 	  case CSUM_MD4_BUSTED:
 	  case CSUM_MD4_ARCHAIC: {
@@ -413,15 +513,15 @@ void file_checksum(const char *fname, const STRUCT_STAT *st_p, char *sum)

 		mdfour_begin(&m);

-		for (i = 0; i + CHUNK_SIZE <= len; i += CHUNK_SIZE)
-			mdfour_update(&m, (uchar *)map_ptr(buf, i, CHUNK_SIZE), CHUNK_SIZE);
+		for (i = 0; i + CSUM_CHUNK <= len; i += CSUM_CHUNK)
+			mdfour_update(&m, (uchar *)map_ptr(buf, i, CSUM_CHUNK), CSUM_CHUNK);

 		/* Prior to version 27 an incorrect MD4 checksum was computed
 		 * by failing to call mdfour_tail() for block sizes that
 		 * are multiples of 64.  This is fixed by calling mdfour_update()
 		 * even when there are no more bytes. */
 		remainder = (int32)(len - i);
-		if (remainder > 0 || checksum_type > CSUM_MD4_BUSTED)
+		if (remainder > 0 || file_sum_nni->num > CSUM_MD4_BUSTED)
 			mdfour_update(&m, (uchar *)map_ptr(buf, i, remainder), remainder);

 		mdfour_result(&m, (uchar *)sum);
@@ -429,7 +529,7 @@ void file_checksum(const char *fname, const STRUCT_STAT *st_p, char *sum)
 	  }
 	  default:
 		rprintf(FERROR, "Invalid checksum-choice for --checksum: %s (%d)\n",
-			checksum_name(checksum_type), checksum_type);
+			file_sum_nni->name, file_sum_nni->num);
 		exit_cleanup(RERR_UNSUPPORTED);
 	}

@@ -438,30 +538,43 @@ void file_checksum(const char *fname, const STRUCT_STAT *st_p, char *sum)
 }

 static int32 sumresidue;
-static union {
-	md_context md;
-#ifdef USE_OPENSSL
-	MD4_CTX m4;
-#endif
-	md5_context m5;
-} ctx;
+static md_context ctx_md;
 #ifdef SUPPORT_XXHASH
 static XXH64_state_t* xxh64_state;
 #endif
 #ifdef SUPPORT_XXH3
 static XXH3_state_t* xxh3_state;
 #endif
-static int cursum_type;
+static struct name_num_item *cur_sum_nni;
+int cur_sum_len;

-void sum_init(int csum_type, int seed)
+#ifdef USE_OPENSSL
+static const EVP_MD *cur_sum_evp_md;
+#endif
+
+/* Initialize a hash digest accumulator.  Data is supplied via
+ * sum_update() and the resulting binary digest is retrieved via
+ * sum_end().  This only supports one active sum at a time. */
+int sum_init(struct name_num_item *nni, int seed)
 {
 	char s[4];

-	if (csum_type < 0)
-		csum_type = parse_csum_name(NULL, 0);
-	cursum_type = csum_type;
+	if (!nni)
+		nni = parse_csum_name(NULL, 0);
+	cur_sum_nni = nni;
+	cur_sum_len = csum_len_for_type(nni->num, 0);
+#ifdef USE_OPENSSL
+	cur_sum_evp_md = csum_evp_md(nni);
+#endif

-	switch (csum_type) {
+#ifdef USE_OPENSSL
+	if (cur_sum_evp_md) {
+		if (!ctx_evp && !(ctx_evp = EVP_MD_CTX_create()))
+			out_of_memory("file_checksum");
+		EVP_DigestInit_ex(ctx_evp, cur_sum_evp_md, NULL);
+	} else
+#endif
+	switch (cur_sum_nni->num) {
 #ifdef SUPPORT_XXHASH
 	  case CSUM_XXH64:
 		if (!xxh64_state && !(xxh64_state = XXH64_createState()))
@@ -482,20 +595,16 @@ void sum_init(int csum_type, int seed)
 		break;
 #endif
 	  case CSUM_MD5:
-		md5_begin(&ctx.m5);
+		md5_begin(&ctx_md);
 		break;
 	  case CSUM_MD4:
-#ifdef USE_OPENSSL
-		MD4_Init(&ctx.m4);
-#else
-		mdfour_begin(&ctx.md);
+		mdfour_begin(&ctx_md);
 		sumresidue = 0;
-#endif
 		break;
 	  case CSUM_MD4_OLD:
 	  case CSUM_MD4_BUSTED:
 	  case CSUM_MD4_ARCHAIC:
-		mdfour_begin(&ctx.md);
+		mdfour_begin(&ctx_md);
 		sumresidue = 0;
 		SIVAL(s, 0, seed);
 		sum_update(s, 4);
@@ -505,19 +614,19 @@ void sum_init(int csum_type, int seed)
 	  default: /* paranoia to prevent missing case values */
 		exit_cleanup(RERR_UNSUPPORTED);
 	}
+
+	return cur_sum_len;
 }

-/**
- * Feed data into an MD4 accumulator, md.  The results may be
- * retrieved using sum_end().  md is used for different purposes at
- * different points during execution.
- *
- * @todo Perhaps get rid of md and just pass in the address each time.
- * Very slightly clearer and slower.
- **/
+/* Feed data into a hash digest accumulator. */
 void sum_update(const char *p, int32 len)
 {
-	switch (cursum_type) {
+#ifdef USE_OPENSSL
+	if (cur_sum_evp_md) {
+		EVP_DigestUpdate(ctx_evp, (uchar *)p, len);
+	} else
+#endif
+	switch (cur_sum_nni->num) {
 #ifdef SUPPORT_XXHASH
 	  case CSUM_XXH64:
 		XXH64_update(xxh64_state, p, len);
@@ -532,39 +641,35 @@ void sum_update(const char *p, int32 len)
 		break;
 #endif
 	  case CSUM_MD5:
-		md5_update(&ctx.m5, (uchar *)p, len);
+		md5_update(&ctx_md, (uchar *)p, len);
 		break;
 	  case CSUM_MD4:
-#ifdef USE_OPENSSL
-		MD4_Update(&ctx.m4, (uchar *)p, len);
-		break;
-#endif
 	  case CSUM_MD4_OLD:
 	  case CSUM_MD4_BUSTED:
 	  case CSUM_MD4_ARCHAIC:
 		if (len + sumresidue < CSUM_CHUNK) {
-			memcpy(ctx.md.buffer + sumresidue, p, len);
+			memcpy(ctx_md.buffer + sumresidue, p, len);
 			sumresidue += len;
 			break;
 		}

 		if (sumresidue) {
 			int32 i = CSUM_CHUNK - sumresidue;
-			memcpy(ctx.md.buffer + sumresidue, p, i);
-			mdfour_update(&ctx.md, (uchar *)ctx.md.buffer, CSUM_CHUNK);
+			memcpy(ctx_md.buffer + sumresidue, p, i);
+			mdfour_update(&ctx_md, (uchar *)ctx_md.buffer, CSUM_CHUNK);
 			len -= i;
 			p += i;
 		}

 		while (len >= CSUM_CHUNK) {
-			mdfour_update(&ctx.md, (uchar *)p, CSUM_CHUNK);
+			mdfour_update(&ctx_md, (uchar *)p, CSUM_CHUNK);
 			len -= CSUM_CHUNK;
 			p += CSUM_CHUNK;
 		}

 		sumresidue = len;
 		if (sumresidue)
-			memcpy(ctx.md.buffer, p, sumresidue);
+			memcpy(ctx_md.buffer, p, sumresidue);
 		break;
 	  case CSUM_NONE:
 		break;
@@ -573,13 +678,18 @@ void sum_update(const char *p, int32 len)
 	}
 }

-/* NOTE: all the callers of sum_end() pass in a pointer to a buffer that is
- * MAX_DIGEST_LEN in size, so even if the csum-len is shorter than that (i.e.
- * CSUM_MD4_ARCHAIC), we don't have to worry about limiting the data we write
- * into the "sum" buffer. */
-int sum_end(char *sum)
+/* The sum buffer only needs to be as long as the current checksum's digest
+ * len, not MAX_DIGEST_LEN. Note that for CSUM_MD4_ARCHAIC that is the full
+ * MD4_DIGEST_LEN even if the file-list code is going to ignore all but the
+ * first 2 bytes of it. */
+void sum_end(char *sum)
 {
-	switch (cursum_type) {
+#ifdef USE_OPENSSL
+	if (cur_sum_evp_md) {
+		EVP_DigestFinal_ex(ctx_evp, (uchar *)sum, NULL);
+	} else
+#endif
+	switch (cur_sum_nni->num) {
 #ifdef SUPPORT_XXHASH
 	  case CSUM_XXH64:
 		SIVAL64(sum, 0, XXH64_digest(xxh64_state));
@@ -597,22 +707,18 @@ int sum_end(char *sum)
 	  }
 #endif
 	  case CSUM_MD5:
-		md5_result(&ctx.m5, (uchar *)sum);
+		md5_result(&ctx_md, (uchar *)sum);
 		break;
 	  case CSUM_MD4:
-#ifdef USE_OPENSSL
-		MD4_Final((uchar *)sum, &ctx.m4);
-		break;
-#endif
 	  case CSUM_MD4_OLD:
-		mdfour_update(&ctx.md, (uchar *)ctx.md.buffer, sumresidue);
-		mdfour_result(&ctx.md, (uchar *)sum);
+		mdfour_update(&ctx_md, (uchar *)ctx_md.buffer, sumresidue);
+		mdfour_result(&ctx_md, (uchar *)sum);
 		break;
 	  case CSUM_MD4_BUSTED:
 	  case CSUM_MD4_ARCHAIC:
 		if (sumresidue)
-			mdfour_update(&ctx.md, (uchar *)ctx.md.buffer, sumresidue);
-		mdfour_result(&ctx.md, (uchar *)sum);
+			mdfour_update(&ctx_md, (uchar *)ctx_md.buffer, sumresidue);
+		mdfour_result(&ctx_md, (uchar *)sum);
 		break;
 	  case CSUM_NONE:
 		*sum = '\0';
@@ -620,6 +726,78 @@ int sum_end(char *sum)
 	  default: /* paranoia to prevent missing case values */
 		exit_cleanup(RERR_UNSUPPORTED);
 	}
-
-	return csum_len_for_type(cursum_type, 0);
+}
+
+#if defined SUPPORT_XXH3 || defined USE_OPENSSL
+static void verify_digest(struct name_num_item *nni, BOOL check_auth_list)
+{
+#ifdef SUPPORT_XXH3
+	static int xxh3_result = 0;
+#endif
+#ifdef USE_OPENSSL
+	static int prior_num = 0, prior_flags = 0, prior_result = 0;
+#endif
+
+#ifdef SUPPORT_XXH3
+	if (nni->num == CSUM_XXH3_64 || nni->num == CSUM_XXH3_128) {
+		if (!xxh3_result) {
+			char buf[32816];
+			int j;
+			for (j = 0; j < (int)sizeof buf; j++)
+				buf[j] = ' ' + (j % 96);
+			sum_init(nni, 0);
+			sum_update(buf, 32816);
+			sum_update(buf, 31152);
+			sum_update(buf, 32474);
+			sum_update(buf, 9322);
+			xxh3_result = XXH3_64bits_digest(xxh3_state) != 0xadbcf16d4678d1de ? -1 : 1;
+		}
+		if (xxh3_result < 0)
+			nni->num = CSUM_gone;
+		return;
+	}
+#endif
+
+#ifdef USE_OPENSSL
+	if (BITS_SETnUNSET(nni->flags, NNI_EVP, NNI_BUILTIN|NNI_EVP_OK)) {
+		if (nni->num == prior_num && nni->flags == prior_flags) {
+			nni->flags = prior_result;
+			if (!(nni->flags & NNI_EVP))
+				nni->num = CSUM_gone;
+		} else {
+			prior_num = nni->num;
+			prior_flags = nni->flags;
+			if (!csum_evp_md(nni))
+				nni->num = CSUM_gone;
+			prior_result = nni->flags;
+			if (check_auth_list && (nni = get_nni_by_num(&valid_auth_checksums, prior_num)) != NULL)
+				verify_digest(nni, False);
+		}
+	}
+#endif
+}
+#endif
+
+void init_checksum_choices()
+{
+#if defined SUPPORT_XXH3 || defined USE_OPENSSL
+	struct name_num_item *nni;
+#endif
+
+	if (initialized_choices)
+		return;
+
+#if defined USE_OPENSSL && OPENSSL_VERSION_NUMBER < 0x10100000L
+	OpenSSL_add_all_algorithms();
+#endif
+
+#if defined SUPPORT_XXH3 || defined USE_OPENSSL
+	for (nni = valid_checksums.list; nni->name; nni++)
+		verify_digest(nni, True);
+
+	for (nni = valid_auth_checksums.list; nni->name; nni++)
+		verify_digest(nni, False);
+#endif
+
+	initialized_choices = 1;
 }
--- a/cleanup.c
+++ b/cleanup.c
@@ -198,7 +198,7 @@ NORETURN void _exit_cleanup(int code, const char *file, int line)
 		switch_step++;

 		if (cleanup_fname)
-			do_unlink(cleanup_fname);
+			do_unlink_at(cleanup_fname);
 		if (exit_code)
 			kill_all(SIGUSR1);
 		if (cleanup_pid && cleanup_pid == getpid()) {
@@ -269,8 +269,16 @@ NORETURN void _exit_cleanup(int code, const char *file, int line)
 		break;
 	}

-	if (called_from_signal_handler)
+	if (called_from_signal_handler) {
+#ifdef GCOV_COVERAGE
+		/* _exit() bypasses the gcov atexit flush; rsync's generator (and
+		 * other processes) normally finish via the signal handler, so
+		 * without this they would write no .gcda. Harmless otherwise. */
+		extern void __gcov_dump(void);
+		__gcov_dump();
+#endif
 		_exit(exit_code);
+	}
 	exit(exit_code);
 }

--- a/clientname.c
+++ b/clientname.c
@@ -167,7 +167,7 @@ int read_proxy_protocol_header(int fd)
 			char sig[PROXY_V2_SIG_SIZE];
 			char ver_cmd;
 			char fam;
-			char len[2];
+			unsigned char len[2];
 			union {
 				struct {
 					char src_addr[4];
--- a/clientserver.c
+++ b/clientserver.c
@@ -30,6 +30,7 @@ extern int list_only;
 extern int am_sender;
 extern int am_server;
 extern int am_daemon;
+extern int am_chrooted;
 extern int am_root;
 extern int msgs2stderr;
 extern int rsync_port;
@@ -38,6 +39,7 @@ extern int ignore_errors;
 extern int preserve_xattrs;
 extern int kluge_around_eof;
 extern int munge_symlinks;
+extern int use_secure_symlinks;
 extern int open_noatime;
 extern int sanitize_paths;
 extern int numeric_ids;
@@ -67,6 +69,7 @@ extern uid_t our_uid;
 extern gid_t our_gid;

 char *auth_user;
+char *daemon_auth_choices;
 int read_only = 0;
 int module_id = -1;
 int pid_file_fd = -1;
@@ -149,13 +152,9 @@ int start_socket_client(char *host, int remote_argc, char *remote_argv[],
 static int exchange_protocols(int f_in, int f_out, char *buf, size_t bufsiz, int am_client)
 {
 	int remote_sub = -1;
-#if SUBPROTOCOL_VERSION != 0
-	int our_sub = protocol_version < PROTOCOL_VERSION ? 0 : SUBPROTOCOL_VERSION;
-#else
-	int our_sub = 0;
-#endif
+	int our_sub = get_subprotocol_version();

-	io_printf(f_out, "@RSYNCD: %d.%d\n", protocol_version, our_sub);
+	output_daemon_greeting(f_out, am_client);
 	if (!am_client) {
 		char *motd = lp_motd_file();
 		if (motd && *motd) {
@@ -187,16 +186,30 @@ static int exchange_protocols(int f_in, int f_out, char *buf, size_t bufsiz, int
 	}

 	if (remote_sub < 0) {
-		if (remote_protocol == 30) {
+		if (remote_protocol >= 30) {
 			if (am_client)
-				rprintf(FERROR, "rsync: server is speaking an incompatible beta of protocol 30\n");
+				rprintf(FERROR, "rsync: the server omitted the subprotocol value: %s\n", buf);
 			else
-				io_printf(f_out, "@ERROR: your client is speaking an incompatible beta of protocol 30\n");
+				io_printf(f_out, "@ERROR: your client omitted the subprotocol value: %s\n", buf);
 			return -1;
 		}
 		remote_sub = 0;
 	}

+	daemon_auth_choices = strchr(buf + 9, ' ');
+	if (daemon_auth_choices) {
+		char *cp;
+		daemon_auth_choices = strdup(daemon_auth_choices + 1);
+		if ((cp = strchr(daemon_auth_choices, '\n')) != NULL)
+			*cp = '\0';
+	} else if (remote_protocol > 31) {
+		if (am_client)
+			rprintf(FERROR, "rsync: the server omitted the digest name list: %s\n", buf);
+		else
+			io_printf(f_out, "@ERROR: your client omitted the digest name list: %s\n", buf);
+		return -1;
+	}
+
 	if (protocol_version > remote_protocol) {
 		protocol_version = remote_protocol;
 		if (remote_sub)
@@ -381,7 +394,7 @@ int start_inband_exchange(int f_in, int f_out, const char *user, int argc, char

 	if (rl_nulls) {
 		for (i = 0; i < sargc; i++) {
-			if (!sargs[i]) /* stop at --protect-args NULL */
+			if (!sargs[i]) /* stop at --secluded-args NULL */
 				break;
 			write_sbuf(f_out, sargs[i]);
 			write_byte(f_out, 0);
@@ -429,7 +442,7 @@ static int read_arg_from_pipe(int fd, char *buf, int limit)
 }
 #endif

-static void set_env_str(const char *var, const char *str)
+void set_env_str(const char *var, const char *str)
 {
 #ifdef HAVE_SETENV
 	if (setenv(var, str, 1) < 0)
@@ -690,7 +703,7 @@ static int rsync_module(int f_in, int f_out, int i, const char *addr, const char
 	int set_uid;
 	char *p, *err_msg = NULL;
 	char *name = lp_name(i);
-	int use_chroot = lp_use_chroot(i);
+	int use_chroot = lp_use_chroot(i); /* might be 1 (yes), 0 (no), or -1 (unset) */
 	int ret, pre_exec_arg_fd = -1, pre_exec_error_fd = -1;
 	int save_munge_symlinks;
 	pid_t pre_exec_pid = 0;
@@ -815,6 +828,20 @@ static int rsync_module(int f_in, int f_out, int i, const char *addr, const char
 		io_printf(f_out, "@ERROR: no path setting.\n");
 		return -1;
 	}
+	if (use_chroot < 0) {
+		if (strstr(module_dir, "/./") != NULL)
+			use_chroot = 1; /* The module is expecting a chroot inner & outer path. */
+		else if (chroot("/") < 0) {
+			rprintf(FLOG, "chroot test failed: %s. "
+				      "Switching 'use chroot' from unset to false.\n",
+				      strerror(errno));
+			use_chroot = 0;
+		} else {
+			if (chdir("/") < 0)
+			    rsyserr(FLOG, errno, "chdir(\"/\") failed");
+			use_chroot = 1;
+		}
+	}
 	if (use_chroot) {
 		if ((p = strstr(module_dir, "/./")) != NULL) {
 			*p = '\0'; /* Temporary... */
@@ -951,29 +978,20 @@ static int rsync_module(int f_in, int f_out, int i, const char *addr, const char
 	}

 	if (use_chroot) {
-		/*
-		 * XXX: The 'use chroot' flag is a fairly reliable
-		 * source of confusion, because it fails under two
-		 * important circumstances: running as non-root,
-		 * running on Win32 (or possibly others).  On the
-		 * other hand, if you are running as root, then it
-		 * might be better to always use chroot.
-		 *
-		 * So, perhaps if we can't chroot we should just issue
-		 * a warning, unless a "require chroot" flag is set,
-		 * in which case we fail.
-		 */
+		/* Cache timezone data before chroot makes /etc/localtime inaccessible */
+		tzset();
 		if (chroot(module_chdir)) {
-			rsyserr(FLOG, errno, "chroot %s failed", module_chdir);
+			rsyserr(FLOG, errno, "chroot(\"%s\") failed", module_chdir);
 			io_printf(f_out, "@ERROR: chroot failed\n");
 			return -1;
 		}
+		am_chrooted = 1;
 		module_chdir = module_dir;
 	}

 	if (!change_dir(module_chdir, CD_NORMAL))
 		return path_failure(f_out, module_chdir, True);
-	if (module_dirlen || (!use_chroot && !*lp_daemon_chroot()))
+	if (module_dirlen)
 		sanitize_paths = 1;

 	if ((munge_symlinks = lp_munge_symlinks(module_id)) < 0)
@@ -990,6 +1008,15 @@ static int rsync_module(int f_in, int f_out, int i, const char *addr, const char
 		}
 	}

+	/* Enable secure symlink handling for any non-chrooted daemon module.
+	 * This prevents TOCTOU race attacks where an attacker could switch a
+	 * directory to a symlink between path validation and file open.
+	 * Match the gate used by the do_*_at() wrappers in syscall.c
+	 * (am_daemon && !am_chrooted) -- the protection has nothing to do
+	 * with symlink munging, so a module configured with
+	 * "munge symlinks = false" must still get the secure-open path. */
+	use_secure_symlinks = am_daemon && !am_chrooted;
+
 	if (gid_list.count) {
 		gid_t *gid_array = gid_list.items;
 		if (setgid(gid_array[0])) {
@@ -1285,11 +1312,51 @@ int start_daemon(int f_in, int f_out)
 	if (lp_proxy_protocol() && !read_proxy_protocol_header(f_in))
 		return -1;

+	/* Do reverse DNS lookup before chroot/setuid. The result is cached,
+	 * so the later client_name() call will use this cached value. This
+	 * ensures hostname-based ACLs work even when DNS is unavailable
+	 * after chroot.
+	 *
+	 * "reverse lookup" can be set globally OR per-module, so we also
+	 * scan each module: a deployment with "reverse lookup = no" in the
+	 * global section but "reverse lookup = yes" in a specific module
+	 * still triggers a post-chroot lookup at access-check time
+	 * (rsync_module() in this file), which would also fail in the
+	 * chroot and turn hostname-based deny rules into silent bypasses. */
+	{
+		int need_reverse = lp_reverse_lookup(-1);
+		int j, num_modules = lp_num_modules();
+		for (j = 0; !need_reverse && j < num_modules; j++) {
+			if (lp_reverse_lookup(j))
+				need_reverse = 1;
+		}
+		if (need_reverse)
+			(void)client_name(client_addr(f_in));
+	}
+
 	p = lp_daemon_chroot();
 	if (*p) {
 		log_init(0); /* Make use we've initialized syslog before chrooting. */
-		if (chroot(p) < 0 || chdir("/") < 0) {
-			rsyserr(FLOG, errno, "daemon chroot %s failed", p);
+		tzset();
+		if (chroot(p) < 0) {
+			rsyserr(FLOG, errno, "daemon chroot(\"%s\") failed", p);
+			return -1;
+		}
+		/* Deliberately do NOT set am_chrooted here.  am_chrooted
+		 * gates the per-module symlink-race defenses
+		 * (secure_relative_open() and the do_*_at() wrappers in
+		 * syscall.c) and means "the kernel is enforcing path
+		 * confinement at the module boundary".  The daemon chroot
+		 * confines path resolution to the daemon-chroot directory,
+		 * not to any individual module path -- modules sharing the
+		 * daemon chroot are still distinguishable filesystem
+		 * subtrees and a sender-controlled symlink in module A
+		 * could redirect a syscall to module B (or to other files
+		 * inside the daemon chroot) without the per-module
+		 * defenses.  Leave am_chrooted=0 here so secure_relative_open()
+		 * still fires for "use chroot = no" modules. */
+		if (chdir("/") < 0) {
+			rsyserr(FLOG, errno, "daemon chdir(\"/\") failed");
 			return -1;
 		}
 	}
--- a/compat.c
+++ b/compat.c
@@ -52,6 +52,7 @@ extern int need_messages_from_generator;
 extern int delete_mode, delete_before, delete_during, delete_after;
 extern int do_compression;
 extern int do_compression_level;
+extern int do_compression_threads;
 extern int saw_stderr_opt;
 extern int msgs2stderr;
 extern char *shell_cmd;
@@ -60,13 +61,16 @@ extern char *files_from;
 extern char *filesfrom_host;
 extern const char *checksum_choice;
 extern const char *compress_choice;
+extern char *daemon_auth_choices;
 extern filter_rule_list filter_list;
 extern int need_unsorted_flist;
 #ifdef ICONV_OPTION
 extern iconv_t ic_send, ic_recv;
 extern char *iconv_opt;
 #endif
-extern struct name_num_obj valid_checksums;
+extern struct name_num_obj valid_checksums, valid_auth_checksums;
+
+extern struct name_num_item *xfer_sum_nni;

 int remote_protocol = 0;
 int file_extra_cnt = 0; /* count of file-list extras that everyone gets */
@@ -79,6 +83,9 @@ int inplace_partial = 0;
 int do_negotiated_strings = 0;
 int xmit_id0_names = 0;

+struct name_num_item *xattr_sum_nni;
+int xattr_sum_len = 0;
+
 /* These index values are for the file-list's extra-attribute array. */
 int pathname_ndx, depth_ndx, atimes_ndx, crtimes_ndx, uid_ndx, gid_ndx, acls_ndx, xattrs_ndx, unsort_ndx;

@@ -91,19 +98,21 @@ int filesfrom_convert = 0;

 #define MAX_NSTR_STRLEN 256

-struct name_num_obj valid_compressions = {
-	"compress", NULL, NULL, 0, 0, {
+struct name_num_item valid_compressions_items[] = {
 #ifdef SUPPORT_ZSTD
-		{ CPRES_ZSTD, "zstd", NULL },
+	{ CPRES_ZSTD, 0, "zstd", NULL },
 #endif
 #ifdef SUPPORT_LZ4
-		{ CPRES_LZ4, "lz4", NULL },
+	{ CPRES_LZ4, 0, "lz4", NULL },
 #endif
-		{ CPRES_ZLIBX, "zlibx", NULL },
-		{ CPRES_ZLIB, "zlib", NULL },
-		{ CPRES_NONE, "none", NULL },
-		{ 0, NULL, NULL }
-	}
+	{ CPRES_ZLIBX, 0, "zlibx", NULL },
+	{ CPRES_ZLIB, 0, "zlib", NULL },
+	{ CPRES_NONE, 0, "none", NULL },
+	{ 0, 0, NULL, NULL }
+};
+
+struct name_num_obj valid_compressions = {
+	"compress", NULL, 0, 0, valid_compressions_items
 };

 #define CF_INC_RECURSE	 (1<<0)
@@ -123,13 +132,9 @@ static const char *client_info;
 * of that protocol for it to be advertised as available. */
 static void check_sub_protocol(void)
 {
-	char *dot;
+	const char *dot;
 	int their_protocol, their_sub;
-#if SUBPROTOCOL_VERSION != 0
-	int our_sub = protocol_version < PROTOCOL_VERSION ? 0 : SUBPROTOCOL_VERSION;
-#else
-	int our_sub = 0;
-#endif
+	int our_sub = get_subprotocol_version();

 	/* client_info starts with VER.SUB string if client is a pre-release. */
 	if (!(their_protocol = atoi(client_info))
@@ -176,8 +181,8 @@ void set_allow_inc_recurse(void)

 void parse_compress_choice(int final_call)
 {
-	if (valid_compressions.negotiated_name)
-		do_compression = valid_compressions.negotiated_num;
+	if (valid_compressions.negotiated_nni)
+		do_compression = valid_compressions.negotiated_nni->num;
 	else if (compress_choice) {
 		struct name_num_item *nni = get_nni_by_name(&valid_compressions, compress_choice, -1);
 		if (!nni) {
@@ -199,8 +204,8 @@ void parse_compress_choice(int final_call)
 		compress_choice = NULL;

 	/* Snag the compression name for both write_batch's option output & the following debug output. */
-	if (valid_compressions.negotiated_name)
-		compress_choice = valid_compressions.negotiated_name;
+	if (valid_compressions.negotiated_nni)
+		compress_choice = valid_compressions.negotiated_nni->name;
 	else if (compress_choice == NULL) {
 		struct name_num_item *nni = get_nni_by_num(&valid_compressions, do_compression);
 		compress_choice = nni ? nni->name : "UNKNOWN";
@@ -210,7 +215,7 @@ void parse_compress_choice(int final_call)
 	 && (do_compression != CPRES_NONE || do_compression_level != CLVL_NOT_SPECIFIED)) {
 		rprintf(FINFO, "%s%s compress: %s (level %d)\n",
 			am_server ? "Server" : "Client",
-			valid_compressions.negotiated_name ? " negotiated" : "",
+			valid_compressions.negotiated_nni ? " negotiated" : "",
 			compress_choice, do_compression_level);
 	}
 }
@@ -223,6 +228,8 @@ struct name_num_item *get_nni_by_name(struct name_num_obj *nno, const char *name
 		len = strlen(name);

 	for (nni = nno->list; nni->name; nni++) {
+		if (nni->num == CSUM_gone)
+			continue;
 		if (strncasecmp(name, nni->name, len) == 0 && nni->name[len] == '\0')
 			return nni;
 	}
@@ -257,10 +264,12 @@ static void init_nno_saw(struct name_num_obj *nno, int val)
 	if (!nno->saw) {
 		nno->saw = new_array0(uchar, nno->saw_len);

-		/* We'll take this opportunity to make sure that the main_name values are set right. */
+		/* We'll take this opportunity to set the main_nni values for duplicates. */
 		for (cnt = 1, nni = nno->list; nni->name; nni++, cnt++) {
+			if (nni->num == CSUM_gone)
+				continue;
 			if (nno->saw[nni->num])
-				nni->main_name = nno->list[nno->saw[nni->num]-1].name;
+				nni->main_nni = &nno->list[nno->saw[nni->num]-1];
 			else
 				nno->saw[nni->num] = cnt;
 		}
@@ -286,8 +295,8 @@ static int parse_nni_str(struct name_num_obj *nno, const char *from, char *tobuf
 				struct name_num_item *nni = get_nni_by_name(nno, tok, to - tok);
 				if (nni && !nno->saw[nni->num]) {
 					nno->saw[nni->num] = ++cnt;
-					if (nni->main_name) {
-						to = tok + strlcpy(tok, nni->main_name, tobuf_len - (tok - tobuf));
+					if (nni->main_nni) {
+						to = tok + strlcpy(tok, nni->main_nni->name, tobuf_len - (tok - tobuf));
 						if (to - tobuf >= tobuf_len) {
 							to = tok - 1;
 							break;
@@ -321,13 +330,44 @@ static int parse_nni_str(struct name_num_obj *nno, const char *from, char *tobuf
 	return to - tobuf;
 }

+static int parse_negotiate_str(struct name_num_obj *nno, char *tmpbuf)
+{
+	struct name_num_item *nni, *ret = NULL;
+	int best = nno->saw_len; /* We want best == 1 from the client list, so start with a big number. */
+	char *space, *tok = tmpbuf;
+	while (tok) {
+		while (*tok == ' ') tok++; /* Should be unneeded... */
+		if (!*tok)
+			break;
+		if ((space = strchr(tok, ' ')) != NULL)
+			*space = '\0';
+		nni = get_nni_by_name(nno, tok, -1);
+		if (space) {
+			*space = ' ';
+			tok = space + 1;
+		} else
+			tok = NULL;
+		if (!nni || !nno->saw[nni->num] || best <= nno->saw[nni->num])
+			continue;
+		ret = nni;
+		best = nno->saw[nni->num];
+		if (best == 1 || am_server) /* The server side stops at the first acceptable client choice */
+			break;
+	}
+	if (ret) {
+		free(nno->saw);
+		nno->saw = NULL;
+		nno->negotiated_nni = ret->main_nni ? ret->main_nni : ret;
+		return 1;
+	}
+	return 0;
+}
+
 /* This routine is always called with a tmpbuf of MAX_NSTR_STRLEN length, but the
 * buffer may be pre-populated with a "len" length string to use OR a len of -1
 * to tell us to read a string from the fd. */
 static void recv_negotiate_str(int f_in, struct name_num_obj *nno, char *tmpbuf, int len)
 {
-	struct name_num_item *ret = NULL;
-
 	if (len < 0)
 		len = read_vstring(f_in, tmpbuf, MAX_NSTR_STRLEN);

@@ -338,37 +378,8 @@ static void recv_negotiate_str(int f_in, struct name_num_obj *nno, char *tmpbuf,
 			rprintf(FINFO, "Server %s list (on client): %s\n", nno->type, tmpbuf);
 	}

-	if (len > 0) {
-		struct name_num_item *nni;
-		int best = nno->saw_len; /* We want best == 1 from the client list, so start with a big number. */
-		char *space, *tok = tmpbuf;
-		while (tok) {
-			while (*tok == ' ') tok++; /* Should be unneeded... */
-			if (!*tok)
-				break;
-			if ((space = strchr(tok, ' ')) != NULL)
-				*space = '\0';
-			nni = get_nni_by_name(nno, tok, -1);
-			if (space) {
-				*space = ' ';
-				tok = space + 1;
-			} else
-				tok = NULL;
-			if (!nni || !nno->saw[nni->num] || best <= nno->saw[nni->num])
-				continue;
-			ret = nni;
-			best = nno->saw[nni->num];
-			if (best == 1 || am_server) /* The server side stops at the first acceptable client choice */
-				break;
-		}
-		if (ret) {
-			free(nno->saw);
-			nno->saw = NULL;
-			nno->negotiated_name = ret->main_name ? ret->main_name : ret->name;
-			nno->negotiated_num = ret->num;
-			return;
-		}
-	}
+	if (len > 0 && parse_negotiate_str(nno, tmpbuf))
+		return;

 	if (!am_server || !do_negotiated_strings) {
 		char *cp = tmpbuf;
@@ -400,11 +411,11 @@ static const char *getenv_nstr(int ntype)
 	const char *env_str = getenv(ntype == NSTR_COMPRESS ? "RSYNC_COMPRESS_LIST" : "RSYNC_CHECKSUM_LIST");

 	/* When writing a batch file, we always negotiate an old-style choice. */
-	if (write_batch) 
+	if (write_batch)
 		env_str = ntype == NSTR_COMPRESS ? "zlib" : protocol_version >= 30 ? "md5" : "md4";

 	if (am_server && env_str) {
-		char *cp = strchr(env_str, '&');
+		const char *cp = strchr(env_str, '&');
 		if (cp)
 			env_str = cp + 1;
 	}
@@ -433,7 +444,7 @@ void validate_choice_vs_env(int ntype, int num1, int num2)
 		nno->saw[CSUM_MD4_ARCHAIC] = nno->saw[CSUM_MD4_BUSTED] = nno->saw[CSUM_MD4_OLD] = nno->saw[CSUM_MD4];

 	if (!nno->saw[num1] || (num2 >= 0 && !nno->saw[num2])) {
-		rprintf(FERROR, "Your --%s-choice value (%s) was refused by the server.\n", 
+		rprintf(FERROR, "Your --%s-choice value (%s) was refused by the server.\n",
 			ntype == NSTR_COMPRESS ? "compress" : "checksum",
 			ntype == NSTR_COMPRESS ? compress_choice : checksum_choice);
 		exit_cleanup(RERR_UNSUPPORTED);
@@ -464,8 +475,10 @@ int get_default_nno_list(struct name_num_obj *nno, char *to_buf, int to_buf_len,
 	init_nno_saw(nno, 0);

 	for (nni = nno->list, len = 0; nni->name; nni++) {
-		if (nni->main_name) {
-			if (!dup_markup)
+		if (nni->num == CSUM_gone)
+			continue;
+		if (nni->main_nni) {
+			if (!dup_markup || nni->main_nni->num == CSUM_gone)
 				continue;
 			delim = dup_markup;
 		}
@@ -523,6 +536,8 @@ static void negotiate_the_strings(int f_in, int f_out)
 {
 	/* We send all the negotiation strings before we start to read them to help avoid a slow startup. */

+	init_checksum_choices();
+
 	if (!checksum_choice)
 		send_negotiate_str(f_out, &valid_checksums, NSTR_CHECKSUM);

@@ -552,7 +567,7 @@ static void negotiate_the_strings(int f_in, int f_out)
 	/* If the other side is too old to negotiate, the above steps just made sure that
 	 * the env didn't disallow the old algorithm. Mark things as non-negotiated. */
 	if (!do_negotiated_strings)
-		valid_checksums.negotiated_name = valid_compressions.negotiated_name = NULL;
+		valid_checksums.negotiated_nni = valid_compressions.negotiated_nni = NULL;
 }

 void setup_protocol(int f_out,int f_in)
@@ -801,11 +816,77 @@ void setup_protocol(int f_out,int f_in)
 		checksum_seed = read_int(f_in);
 	}

-	parse_checksum_choice(1); /* Sets checksum_type & xfersum_type */
+	parse_checksum_choice(1); /* Sets file_sum_nni & xfer_sum_nni */
 	parse_compress_choice(1); /* Sets do_compression */

+	/* TODO in the future allow this algorithm to be chosen somehow, but it can't get too
+	 * long or the size starts to cause a problem in the xattr abbrev/non-abbrev code. */
+	xattr_sum_nni = parse_csum_name(NULL, 0);
+	xattr_sum_len = csum_len_for_type(xattr_sum_nni->num, 0);
+
 	if (write_batch && !am_server)
 		write_batch_shell_file();

 	init_flist();
 }
+
+void output_daemon_greeting(int f_out, int am_client)
+{
+	char tmpbuf[MAX_NSTR_STRLEN];
+	int our_sub = get_subprotocol_version();
+
+	init_checksum_choices();
+
+	get_default_nno_list(&valid_auth_checksums, tmpbuf, MAX_NSTR_STRLEN, '\0');
+
+	io_printf(f_out, "@RSYNCD: %d.%d %s\n", protocol_version, our_sub, tmpbuf);
+
+	if (am_client && DEBUG_GTE(NSTR, 2))
+		rprintf(FINFO, "Client %s list (on client): %s\n", valid_auth_checksums.type, tmpbuf);
+}
+
+void negotiate_daemon_auth(int f_out, int am_client)
+{
+	char tmpbuf[MAX_NSTR_STRLEN];
+	int save_am_server = am_server;
+	int md4_is_old = 0;
+
+	if (!am_client)
+		am_server = 1;
+
+	if (daemon_auth_choices)
+		strlcpy(tmpbuf, daemon_auth_choices, MAX_NSTR_STRLEN);
+	else {
+		strlcpy(tmpbuf, protocol_version >= 30 ? "md5" : "md4", MAX_NSTR_STRLEN);
+		md4_is_old = 1;
+	}
+
+	if (am_client) {
+		recv_negotiate_str(-1, &valid_auth_checksums, tmpbuf, strlen(tmpbuf));
+		if (DEBUG_GTE(NSTR, 1)) {
+			rprintf(FINFO, "Client negotiated %s: %s\n", valid_auth_checksums.type,
+				valid_auth_checksums.negotiated_nni->name);
+		}
+	} else {
+		if (!parse_negotiate_str(&valid_auth_checksums, tmpbuf)) {
+			get_default_nno_list(&valid_auth_checksums, tmpbuf, MAX_NSTR_STRLEN, '\0');
+			io_printf(f_out, "@ERROR: your client does not support one of our daemon-auth checksums: %s\n",
+				  tmpbuf);
+			exit_cleanup(RERR_UNSUPPORTED);
+		}
+	}
+	am_server = save_am_server;
+	if (md4_is_old && valid_auth_checksums.negotiated_nni->num == CSUM_MD4) {
+		valid_auth_checksums.negotiated_nni->num = CSUM_MD4_OLD;
+		valid_auth_checksums.negotiated_nni->flags = 0;
+	}
+}
+
+int get_subprotocol_version()
+{
+#if SUBPROTOCOL_VERSION != 0
+	return protocol_version < PROTOCOL_VERSION ? 0 : SUBPROTOCOL_VERSION;
+#else
+	return 0;
+#endif
+}
--- a/config.guess
+++ b/config.guess
--- a/config.sub
+++ b/config.sub
--- a/configure.ac
+++ b/configure.ac
@@ -4,7 +4,6 @@ AC_INIT([rsync],[ ],[https://rsync.samba.org/bug-tracking.html])

 AC_C_BIGENDIAN
 AC_HEADER_DIRENT
-AC_HEADER_TIME
 AC_HEADER_SYS_WAIT
 AC_CHECK_HEADERS(sys/fcntl.h sys/select.h fcntl.h sys/time.h sys/unistd.h \
    unistd.h utime.h compat.h sys/param.h ctype.h sys/wait.h sys/stat.h \
@@ -20,7 +19,7 @@ AC_HEADER_MAJOR_FIXED

 AC_CONFIG_MACRO_DIR([m4])
 AC_CONFIG_SRCDIR([byteorder.h])
-AC_CONFIG_HEADER(config.h)
+AC_CONFIG_HEADERS([config.h])
 AC_PREREQ([2.69])

 PACKAGE_VERSION=`sed -n 's/.*RSYNC_VERSION.*"\(.*\)".*/\1/p' <$srcdir/version.h`
@@ -61,7 +60,6 @@ AC_PROG_AWK
 AC_PROG_EGREP
 AC_PROG_INSTALL
 AC_PROG_MKDIR_P
-AC_PROG_CC_STDC
 AC_SUBST(SHELL)
 AC_PATH_PROG([PERL], [perl])
 AC_PATH_PROG([PYTHON3], [python3])
@@ -84,6 +82,32 @@ if test x"$enable_profile" = x"yes"; then
 	CFLAGS="$CFLAGS -pg"
 fi

+dnl Coverage build (gcov) for `make coverage`. NOTE: --enable-profile above is
+dnl gprof (-pg) and is NOT coverage. -O0 keeps branch coverage meaningful;
+dnl -fprofile-update=atomic keeps the shared .gcda counters correct while the
+dnl suite runs many rsync processes in parallel.
+AC_ARG_ENABLE(coverage,
+	AS_HELP_STRING([--enable-coverage],[build with gcov instrumentation for `make coverage`]))
+if test x"$enable_coverage" = x"yes"; then
+	CFLAGS="$CFLAGS --coverage -fprofile-update=atomic -O0"
+	CXXFLAGS="$CXXFLAGS --coverage -fprofile-update=atomic -O0"
+	LDFLAGS="$LDFLAGS --coverage"
+	AC_DEFINE([GCOV_COVERAGE], 1,
+		[Flush gcov counters at exit_cleanup: rsync's children exit via _exit(), which bypasses the gcov atexit handler, so without this no .gcda is written for the receiver/generator/daemon-worker processes.])
+fi
+
+dnl openat2(RESOLVE_BENEATH) is used on Linux 5.6+ for the secure resolver.
+dnl --disable-openat2 forces the portable per-component O_NOFOLLOW fallback to
+dnl run as the primary resolver on ordinary Linux, so that tier is exercised
+dnl (and coverage-counted) without needing a pre-5.6 kernel. Behaviour-neutral
+dnl by default (the knob only REMOVES a tier when explicitly disabled).
+AC_ARG_ENABLE(openat2,
+	AS_HELP_STRING([--disable-openat2],[do not use Linux openat2(RESOLVE_BENEATH); force the portable resolver (for exercising the fallback tier)]))
+if test x"$enable_openat2" != x"no"; then
+	AC_DEFINE([HAVE_OPENAT2], 1,
+		[Define to use Linux openat2(RESOLVE_BENEATH) in secure_relative_open where available.])
+fi
+
 AC_MSG_CHECKING([if md2man can create manpages])
 if test x"$ac_cv_path_PYTHON3" = x; then
    AC_MSG_RESULT(no - python3 not found)
@@ -136,6 +160,16 @@ if test x"$GCC" = x"yes"; then
 	CFLAGS="$CFLAGS -Wall -W"
 fi

+AC_ARG_WITH(openssl-conf,
+	AS_HELP_STRING([--with-openssl-conf=PATH],[set default OPENSSL_CONF path for rsync]))
+case "$with_openssl_conf" in
+    *[^-/a-zA-Z0-9.,=@+_]*) AC_MSG_ERROR([Invalid path given to --with-openssl-conf]) ;;
+    /*) CFLAGS="$CFLAGS -DSET_OPENSSL_CONF=$with_openssl_conf" ;;
+    no|'') ;;
+    yes) AC_MSG_ERROR([No path given to --with-openssl-conf]) ;;
+    *) AC_MSG_ERROR([Non absolute path given to --with-openssl-conf]) ;;
+esac
+
 AC_ARG_WITH(rrsync,
        AS_HELP_STRING([--with-rrsync],[also install the rrsync script and its manpage]))
 if test x"$with_rrsync" != x"yes"; then
@@ -153,10 +187,10 @@ AC_ARG_WITH(included-popt,
 AC_ARG_WITH(included-zlib,
        AS_HELP_STRING([--with-included-zlib],[use bundled zlib library, not from system]))

-AC_ARG_WITH(protected-args,
-        AS_HELP_STRING([--with-protected-args],[make --protected-args option the default]))
-if test x"$with_protected_args" = x"yes"; then
-	AC_DEFINE_UNQUOTED(RSYNC_USE_PROTECTED_ARGS, 1, [Define to 1 if --protected-args should be the default])
+AC_ARG_WITH(secluded-args,
+        AS_HELP_STRING([--with-secluded-args],[make --secluded-args option the default]))
+if test x"$with_secluded_args" = x"yes"; then
+	AC_DEFINE_UNQUOTED(RSYNC_USE_SECLUDED_ARGS, 1, [Define to 1 if --secluded-args should be the default])
 fi

 AC_ARG_WITH(rsync-path,
@@ -380,22 +414,22 @@ AS_HELP_STRING([--disable-ipv6],[disable to omit ipv6 support]),
 	;;
  esac ],

-  AC_TRY_RUN([ /* AF_INET6 availability check */
+  AC_RUN_IFELSE([AC_LANG_SOURCE([[ /* AF_INET6 availability check */
 #include <stdlib.h>
 #include <sys/types.h>
 #include <sys/socket.h>
-main()
+int main()
 {
   if (socket(AF_INET6, SOCK_STREAM, 0) < 0)
     exit(1);
   else
     exit(0);
 }
-],
-  AC_MSG_RESULT(yes)
-  AC_DEFINE(INET6, 1, [true if you have IPv6]),
-  AC_MSG_RESULT(no),
-  AC_MSG_RESULT(no)
+]])],
+  [AC_MSG_RESULT(yes)
+  AC_DEFINE(INET6, 1, true if you have IPv6)],
+  [AC_MSG_RESULT(no)],
+  [AC_MSG_RESULT(no)]
 ))

 dnl Do you want to disable use of locale functions
@@ -416,6 +450,26 @@ case $host_os in
 	       * ) AC_MSG_RESULT(no);;
 esac

+# We default to using our zlib unless --with-included-zlib=no is given.
+if test x"$with_included_zlib" != x"no"; then
+    with_included_zlib=yes
+elif test x"$ac_cv_header_zlib_h" != x"yes"; then
+    with_included_zlib=yes
+fi
+if test x"$with_included_zlib" != x"yes"; then
+    AC_CHECK_LIB(z, deflateParams, , [with_included_zlib=yes])
+fi
+
+AC_MSG_CHECKING([whether to use included zlib])
+if test x"$with_included_zlib" = x"yes"; then
+    AC_MSG_RESULT($srcdir/zlib)
+    BUILD_ZLIB='$(zlib_OBJS)'
+    CFLAGS="-I$srcdir/zlib $CFLAGS"
+else
+    AC_DEFINE(EXTERNAL_ZLIB, 1, [Define to 1 if using external zlib])
+    AC_MSG_RESULT(no)
+fi
+
 AC_MSG_CHECKING([whether to enable use of openssl crypto library])
 AC_ARG_ENABLE([openssl],
 	AS_HELP_STRING([--disable-openssl],[disable to omit openssl crypto library]))
@@ -424,10 +478,10 @@ AH_TEMPLATE([USE_OPENSSL],
 if test x"$enable_openssl" != x"no"; then
    if test x"$ac_cv_header_openssl_md4_h" = x"yes" && test x"$ac_cv_header_openssl_md5_h" = x"yes"; then
      AC_MSG_RESULT(yes)
-      AC_SEARCH_LIBS(MD5_Init, crypto,
+      AC_SEARCH_LIBS(EVP_MD_CTX_copy, crypto,
          [AC_DEFINE(USE_OPENSSL)
 	   enable_openssl=yes],
-          [err_msg="$err_msg$nl- Failed to find MD5_Init function in openssl crypto lib.";
+          [err_msg="$err_msg$nl- Failed to find EVP_MD_CTX_copy function in openssl crypto lib.";
 	   no_lib="$no_lib openssl"])
    else
        AC_MSG_RESULT(no)
@@ -518,7 +572,7 @@ fi

 AC_MSG_CHECKING([whether to enable zstd compression])
 AC_ARG_ENABLE([zstd],
-        AC_HELP_STRING([--disable-zstd], [disable to omit zstd compression]))
+        AS_HELP_STRING([--disable-zstd], [disable to omit zstd compression]))
 AH_TEMPLATE([SUPPORT_ZSTD],
 [Undefine if you do not want zstd compression.  By default this is defined.])
 if test x"$enable_zstd" != x"no"; then
@@ -539,7 +593,7 @@ fi

 AC_MSG_CHECKING([whether to enable LZ4 compression])
 AC_ARG_ENABLE([lz4],
-        AC_HELP_STRING([--disable-lz4], [disable to omit LZ4 compression]))
+        AS_HELP_STRING([--disable-lz4], [disable to omit LZ4 compression]))
 AH_TEMPLATE([SUPPORT_LZ4],
 [Undefine if you do not want LZ4 compression.  By default this is defined.])
 if test x"$enable_lz4" != x"no"; then
@@ -565,7 +619,7 @@ if test x"$no_lib" != x; then
    echo ""
    echo "See the INSTALL file for hints on how to install the missing libraries and/or"
    echo "how to generate (or fetch) manpages:"
-    echo "    https://github.com/WayneD/rsync/blob/master/INSTALL.md"
+    echo "    https://github.com/RsyncProject/rsync/blob/master/INSTALL.md"
    echo ""
    echo "To disable one or more features, the relevant configure options are:"
    for lib in $no_lib; do
@@ -862,7 +916,7 @@ AC_CHECK_FUNCS(waitpid wait4 getcwd chown chmod lchmod mknod mkfifo \
    fchmod fstat ftruncate strchr readlink link utime utimes lutimes strftime \
    chflags getattrlist mktime innetgr linkat \
    memmove lchown vsnprintf snprintf vasprintf asprintf setsid strpbrk \
-    strlcat strlcpy strtol mallinfo mallinfo2 getgroups setgroups geteuid getegid \
+    strlcat strlcpy stpcpy strtol mallinfo mallinfo2 getgroups setgroups geteuid getegid \
    setlocale setmode open64 lseek64 mkstemp64 mtrace va_copy __va_copy \
    seteuid strerror putenv iconv_open locale_charset nl_langinfo getxattr \
    extattr_get_link sigaction sigprocmask setattrlist getgrouplist \
@@ -1071,26 +1125,13 @@ elif test x"$ac_cv_header_popt_h" != x"yes"; then
    with_included_popt=yes
 fi

-if test x"$GCC" = x"yes"; then
-    if test x"$with_included_popt" != x"yes"; then
-	# Turn pedantic warnings into errors to ensure an array-init overflow is an error.
-	CFLAGS="$CFLAGS -pedantic-errors"
-    else
-	# Our internal popt code cannot be compiled with pedantic warnings as errors, so try to
-	# turn off pedantic warnings (which will not lose the error for array-init overflow).
-	# Older gcc versions don't understand -Wno-pedantic, so check if --help=warnings lists
-	# -Wpedantic and use that as a flag.
-	case `$CC --help=warnings 2>/dev/null | grep Wpedantic` in
-	    *-Wpedantic*) CFLAGS="$CFLAGS -pedantic-errors -Wno-pedantic" ;;
-	esac
-    fi
-fi
-
 AC_MSG_CHECKING([whether to use included libpopt])
 if test x"$with_included_popt" = x"yes"; then
    AC_MSG_RESULT($srcdir/popt)
    BUILD_POPT='$(popt_OBJS)'
    CFLAGS="-I$srcdir/popt $CFLAGS"
+    AC_DEFINE(POPT_SYSCONFDIR, "/etc", [sysconfig dir for popt])
+    AC_DEFINE(PACKAGE, "rsync", [package name for rsync])
    if test x"$ALLOCA" != x
    then
 	# this can be removed when/if we add an included alloca.c;
@@ -1101,26 +1142,6 @@ else
    AC_MSG_RESULT(no)
 fi

-# We default to using our zlib unless --with-included-zlib=no is given.
-if test x"$with_included_zlib" != x"no"; then
-    with_included_zlib=yes
-elif test x"$ac_cv_header_zlib_h" != x"yes"; then
-    with_included_zlib=yes
-fi
-if test x"$with_included_zlib" != x"yes"; then
-    AC_CHECK_LIB(z, deflateParams, , [with_included_zlib=yes])
-fi
-
-AC_MSG_CHECKING([whether to use included zlib])
-if test x"$with_included_zlib" = x"yes"; then
-    AC_MSG_RESULT($srcdir/zlib)
-    BUILD_ZLIB='$(zlib_OBJS)'
-    CFLAGS="-I$srcdir/zlib $CFLAGS"
-else
-    AC_DEFINE(EXTERNAL_ZLIB, 1, [Define to 1 if using external zlib])
-    AC_MSG_RESULT(no)
-fi
-
 AC_CACHE_CHECK([for unsigned char],rsync_cv_SIGNED_CHAR_OK,[
 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[signed char *s = (signed char *)""]])],[rsync_cv_SIGNED_CHAR_OK=yes],[rsync_cv_SIGNED_CHAR_OK=no])])
 if test x"$rsync_cv_SIGNED_CHAR_OK" = x"yes"; then
@@ -1397,7 +1418,7 @@ else
 	AC_DEFINE(HAVE_LINUX_XATTRS, 1, [True if you have Linux xattrs (or equivalent)])
 	AC_DEFINE(SUPPORT_XATTRS, 1)
 	AC_DEFINE(NO_SYMLINK_USER_XATTRS, 1, [True if symlinks do not support user xattrs])
-	AC_CHECK_LIB(attr,getxattr)
+	AC_SEARCH_LIBS(getxattr,attr)
 	;;
    darwin*)
 	AC_MSG_RESULT(Using OS X xattrs)
--- a/csprotocol.txt
+++ b/csprotocol.txt
@@ -7,39 +7,54 @@ basically a summary of clientserver.c and authenticate.c.
 This is the protocol used for rsync --daemon; i.e. connections to port
 873 rather than invocations over a remote shell.

-When the server accepts a connection, it prints a greeting
+When the server accepts a connection, it prints a newline-terminated
+greeting line:

-  @RSYNCD: <version>.<subprotocol>
+  @RSYNCD: <version>.<subprotocol> <digest1> <digestN>

-where <version> is the numeric version (see PROTOCOL_VERSION in rsync.h)
-'.' is a literal period, and <subprotocol> is the numeric subprotocol
-version (see SUBPROTOCOL_VERSION -- it will be 0 for final releases).
-Protocols prior to 30 only output <version> alone.  The daemon expects
-to see a similar greeting back from the client.  For protocols prior to
-30, an absent ".<subprotocol>" value is assumed to be 0.  For protocol
-30, an absent value is a fatal error.  The daemon then follows this line
-with a free-format text message-of-the-day (if any is defined).
+The <version> is the numeric version (see PROTOCOL_VERSION in rsync.h)
+The <subprotocol> is the numeric subprotocol version (which is 0 for a
+final protocol version, as the SUBPROTOCOL_VERSION define discusses).
+The <digestN> names are the authentication digest algorithms that the
+daemon supports, listed in order of preference.
+
+An rsync prior to 3.2.7 omits the digest names.  An rsync prior to 3.0.0
+also omits the period and the <subprotocol> value.  Since a final
+protocol has a subprotocol value of 0, a missing subprotocol value is
+assumed to be 0 for any protocol prior to 30.  It is considered a fatal
+error for protocol 30 and above to omit it.  It is considered a fatal
+error for protocol 32 and above to omit the digest name list (currently
+31 is the newest protocol).
+
+The daemon expects to see a similar greeting line back from the client.
+Once received, the daemon follows the opening line with a free-format
+text message-of-the-day (if any is defined).

 The server is now in the connected state.  The client can either send
-the command
+the command:

  #list

-to get a listing of modules, or the name of a module.  After this, the
+(to get a listing of modules) or the name of a module.  After this, the
 connection is now bound to a particular module.  Access per host for
 this module is now checked, as is per-module connection limits.

-If authentication is required to use this module, the server will say
+If authentication is required to use this module, the server will say:

  @RSYNCD: AUTHREQD <challenge>

 where <challenge> is a random string of base64 characters.  The client
-must respond with
+must respond with:

  <user> <response>

-where <user> is the username they claim to be, and <response> is the
-base64 form of the MD4 hash of challenge+password.
+The <user> is the username they claim to be. The <response> is the
+base64 form of the digest hash of the challenge+password string. The
+chosen digest method is the most preferred client method that is also in
+the server's list.  If no digest list was explicitly provided, the side
+expecting a list assumes the other side provided either the single name
+"md5" (for a negotiated protocol 30 or 31), or the single name "md4"
+(for an older protocol).

 At this point the server applies all remaining constraints before
 handing control to the client, including switching uid/gid, setting up
@@ -76,6 +91,13 @@ stay tuned (or write it yourself!).
 ------------
 Protocol version changes

+31	(2013-09-28, 3.1.0)
+
+	Initial release of protocol 31 had no changes.  Rsync 3.2.7
+	introduced the suffixed list of digest names on the greeting
+	line.  The presence of the list is allowed even if the greeting
+	indicates an older protocol version number.
+
 30	(2007-10-04, 3.0.0pre1)

 	The use of a ".<subprotocol>" number was added to
--- a/daemon-parm.awk
+++ b/daemon-parm.awk
@@ -6,7 +6,7 @@
 BEGIN {
    heading = "/* DO NOT EDIT THIS FILE!  It is auto-generated from a list of values in " ARGV[1] "! */\n\n"
    sect = psect = defines = accessors = prior_ptype = ""
-    parms = "\nstatic struct parm_struct parm_table[] = {"
+    parms = "\nstatic const struct parm_struct parm_table[] = {"
    comment_fmt = "\n/********** %s **********/\n"
    tdstruct = "typedef struct {"
 }
--- a/daemon-parm.txt
+++ b/daemon-parm.txt
@@ -60,9 +60,9 @@ BOOL	read_only		True
 BOOL	reverse_lookup		True
 BOOL	strict_modes		True
 BOOL	transfer_logging	False
-BOOL	use_chroot		True
 BOOL	write_only		False

 BOOL3	munge_symlinks		Unset
 BOOL3	numeric_ids		Unset
 BOOL3	open_noatime		Unset
+BOOL3	use_chroot		Unset
--- a/delete.c
+++ b/delete.c
@@ -4,7 +4,7 @@
 * Copyright (C) 1996-2000 Andrew Tridgell
 * Copyright (C) 1996 Paul Mackerras
 * Copyright (C) 2002 Martin Pool <mbp@samba.org>
- * Copyright (C) 2003-2020 Wayne Davison
+ * Copyright (C) 2003-2024 Wayne Davison
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -98,7 +98,7 @@ static enum delret delete_dir_contents(char *fname, uint16 flags)

 		strlcpy(p, fp->basename, remainder);
 		if (!(fp->mode & S_IWUSR) && !am_root && fp->flags & FLAG_OWNED_BY_US)
-			do_chmod(fname, fp->mode | S_IWUSR);
+			do_chmod_at(fname, fp->mode | S_IWUSR);
 		/* Save stack by recursing to ourself directly. */
 		if (S_ISDIR(fp->mode)) {
 			if (delete_dir_contents(fname, flags | DEL_RECURSE) != DR_SUCCESS)
@@ -139,7 +139,7 @@ enum delret delete_item(char *fbuf, uint16 mode, uint16 flags)
 	}

 	if (flags & DEL_NO_UID_WRITE)
-		do_chmod(fbuf, mode | S_IWUSR);
+		do_chmod_at(fbuf, mode | S_IWUSR);

 	if (S_ISDIR(mode) && !(flags & DEL_DIR_IS_EMPTY)) {
 		/* This only happens on the first call to delete_item() since
@@ -160,7 +160,7 @@ enum delret delete_item(char *fbuf, uint16 mode, uint16 flags)

 	if (S_ISDIR(mode)) {
 		what = "rmdir";
-		ok = do_rmdir(fbuf) == 0;
+		ok = do_rmdir_at(fbuf) == 0;
 	} else {
 		if (make_backups > 0 && !(flags & DEL_FOR_BACKUP) && (backup_dir || !is_backup_file(fbuf))) {
 			what = "make_backup";
@@ -188,7 +188,7 @@ enum delret delete_item(char *fbuf, uint16 mode, uint16 flags)
 				stats.deleted_symlinks++;
 #endif
 			else if (IS_DEVICE(mode))
-				stats.deleted_symlinks++;
+				stats.deleted_devices++;
 			else
 				stats.deleted_specials++;
 		}
--- a/exclude.c
+++ b/exclude.c
@@ -4,7 +4,7 @@
 * Copyright (C) 1996-2001 Andrew Tridgell <tridge@samba.org>
 * Copyright (C) 1996 Paul Mackerras
 * Copyright (C) 2002 Martin Pool
- * Copyright (C) 2003-2022 Wayne Davison
+ * Copyright (C) 2003-2024 Wayne Davison
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -33,17 +33,15 @@ extern int recurse;
 extern int local_server;
 extern int prune_empty_dirs;
 extern int ignore_perishable;
-extern int old_style_args;
 extern int relative_paths;
 extern int delete_mode;
 extern int delete_excluded;
 extern int cvs_exclude;
 extern int sanitize_paths;
 extern int protocol_version;
-extern int list_only;
+extern int trust_sender_args;
 extern int module_id;

-extern char *filesfrom_host;
 extern char curr_dir[MAXPATHLEN];
 extern unsigned int curr_dir_len;
 extern unsigned int module_dirlen;
@@ -54,6 +52,7 @@ filter_rule_list daemon_filter_list = { .debug_type = " [daemon]" };
 filter_rule_list implied_filter_list = { .debug_type = " [implied]" };

 int saw_xattr_filter = 0;
+int trust_sender_args = 0;
 int trust_sender_filter = 0;

 /* Need room enough for ":MODS " prefix plus some room to grow. */
@@ -79,6 +78,10 @@ static filter_rule **mergelist_parents;
 static int mergelist_cnt = 0;
 static int mergelist_size = 0;

+#define LOCAL_RULE   1
+#define REMOTE_RULE  2
+static uchar cur_elide_value = REMOTE_RULE;
+
 /* Each filter_list_struct describes a singly-linked list by keeping track
 * of both the head and tail pointers.  The list is slightly unusual in that
 * a parent-dir's content can be appended to the end of the local list in a
@@ -221,6 +224,7 @@ static void add_rule(filter_rule_list *listp, const char *pat, unsigned int pat_
 				slash_cnt++;
 		}
 	}
+	rule->elide = 0;
 	strlcpy(rule->pattern + pre_len, pat, pat_len + 1);
 	pat_len += pre_len;
 	if (suf_len) {
@@ -301,83 +305,167 @@ static void add_rule(filter_rule_list *listp, const char *pat, unsigned int pat_
 	}
 }

-/* Each arg the client sends to the remote sender turns into an implied include
- * that the receiver uses to validate the file list from the sender. */
-void add_implied_include(const char *arg)
+/* If the wildcards failed, the remote shell might give us a file matching the literal
+ * wildcards.  Since "*" & "?" already match themselves, this just needs to deal with
+ * failed "[foo]" idioms.
+ */
+static void maybe_add_literal_brackets_rule(filter_rule const *based_on, int arg_len)
 {
 	filter_rule *rule;
-	int arg_len, saw_wild = 0, backslash_cnt = 0;
-	int slash_cnt = 1; /* We know we're adding a leading slash. */
+	const char *arg = based_on->pattern, *cp;
+	char *p;
+	int cnt = 0;
+
+	if (arg_len < 0)
+		arg_len = strlen(arg);
+
+	for (cp = arg; *cp; cp++) {
+		if (*cp == '\\' && cp[1]) {
+			cp++;
+		} else if (*cp == '[')
+			cnt++;
+	}
+	if (!cnt)
+		return;
+
+	rule = new0(filter_rule);
+	rule->rflags = based_on->rflags;
+	rule->u.slash_cnt = based_on->u.slash_cnt;
+	p = rule->pattern = new_array(char, arg_len + cnt + 1);
+	for (cp = arg; *cp; ) {
+		if (*cp == '\\' && cp[1]) {
+			*p++ = *cp++;
+		} else if (*cp == '[')
+			*p++ = '\\';
+		*p++ = *cp++;
+	}
+	*p++ = '\0';
+
+	rule->next = implied_filter_list.head;
+	implied_filter_list.head = rule;
+	if (DEBUG_GTE(FILTER, 3)) {
+		rprintf(FINFO, "[%s] add_implied_include(%s%s)\n", who_am_i(), rule->pattern,
+			rule->rflags & FILTRULE_DIRECTORY ? "/" : "");
+	}
+}
+
+static char *partial_string_buf = NULL;
+static int partial_string_len = 0;
+void implied_include_partial_string(const char *s_start, const char *s_end)
+{
+	partial_string_len = s_end - s_start;
+	if (partial_string_len <= 0 || partial_string_len >= MAXPATHLEN) { /* too-large should be impossible... */
+		partial_string_len = 0;
+		return;
+	}
+	if (!partial_string_buf)
+		partial_string_buf = new_array(char, MAXPATHLEN);
+	memcpy(partial_string_buf, s_start, partial_string_len);
+}
+
+void free_implied_include_partial_string()
+{
+	if (partial_string_buf) {
+		if (partial_string_len)
+			add_implied_include("", 0);
+		free(partial_string_buf);
+		partial_string_buf = NULL;
+	}
+	partial_string_len = 0; /* paranoia */
+}
+
+/* Each arg the client sends to the remote sender turns into an implied include
+ * that the receiver uses to validate the file list from the sender. */
+void add_implied_include(const char *arg, int skip_daemon_module)
+{
+	int arg_len, saw_wild = 0, saw_live_open_brkt = 0, backslash_cnt = 0;
+	int slash_cnt = 0;
 	const char *cp;
 	char *p;
-	if (am_server || old_style_args || list_only || filesfrom_host != NULL)
+	if (trust_sender_args)
 		return;
+	if (partial_string_len) {
+		arg_len = strlen(arg);
+		if (partial_string_len + arg_len >= MAXPATHLEN) {
+			partial_string_len = 0;
+			return; /* Should be impossible... */
+		}
+		memcpy(partial_string_buf + partial_string_len, arg, arg_len + 1);
+		partial_string_len = 0;
+		arg = partial_string_buf;
+	}
+	if (skip_daemon_module) {
+		if ((cp = strchr(arg, '/')) != NULL)
+			arg = cp + 1;
+		else
+			arg = "";
+	}
 	if (relative_paths) {
 		if ((cp = strstr(arg, "/./")) != NULL)
 			arg = cp + 3;
-	} else if ((cp = strrchr(arg, '/')) != NULL)
+	} else if ((cp = strrchr(arg, '/')) != NULL) {
 		arg = cp + 1;
+	}
+	if (*arg == '.' && arg[1] == '\0')
+		arg++;
 	arg_len = strlen(arg);
 	if (arg_len) {
+		char *new_pat;
 		if (strpbrk(arg, "*[?")) {
 			/* We need to add room to escape backslashes if wildcard chars are present. */
-			cp = arg;
-			while ((cp = strchr(cp, '\\')) != NULL) {
+			for (cp = arg; (cp = strchr(cp, '\\')) != NULL; cp++)
 				arg_len++;
-				cp++;
-			}
 			saw_wild = 1;
 		}
 		arg_len++; /* Leave room for the prefixed slash */
-		rule = new0(filter_rule);
-		if (!implied_filter_list.head)
-			implied_filter_list.head = implied_filter_list.tail = rule;
-		else {
-			rule->next = implied_filter_list.head;
-			implied_filter_list.head = rule;
-		}
-		rule->rflags = FILTRULE_INCLUDE + (saw_wild ? FILTRULE_WILD : 0);
-		p = rule->pattern = new_array(char, arg_len + 1);
+		p = new_pat = new_array(char, arg_len + 1);
 		*p++ = '/';
-		cp = arg;
-		while (*cp) {
+		slash_cnt++;
+		for (cp = arg; *cp; ) {
 			switch (*cp) {
 			  case '\\':
-				backslash_cnt++;
-				if (saw_wild)
-					*p++ = '\\';
+				if (cp[1] == ']') {
+					if (!saw_wild)
+						cp++; /* A \] in a non-wild filter causes a problem, so drop the \ . */
+				} else if (!strchr("*[?", cp[1])) {
+					backslash_cnt++;
+					if (saw_wild)
+						*p++ = '\\';
+				}
 				*p++ = *cp++;
 				break;
 			  case '/':
-				if (p[-1] == '/') /* This is safe because of the initial slash. */
-					break;
-				if (relative_paths) {
-					filter_rule const *ent;
-					int found = 0;
-					*p = '\0';
-					for (ent = implied_filter_list.head; ent; ent = ent->next) {
-						if (ent != rule && strcmp(ent->pattern, rule->pattern) == 0) {
-							found = 1;
-							break;
-						}
-					}
-					if (!found) {
-						filter_rule *R_rule = new0(filter_rule);
-						R_rule->rflags = FILTRULE_INCLUDE | FILTRULE_DIRECTORY;
-						/* Check if our sub-path has wildcards or escaped backslashes */
-						if (saw_wild && strpbrk(rule->pattern, "*[?\\"))
-							R_rule->rflags |= FILTRULE_WILD;
-						R_rule->pattern = strdup(rule->pattern);
-						R_rule->u.slash_cnt = slash_cnt;
-						R_rule->next = implied_filter_list.head;
-						implied_filter_list.head = R_rule;
-						if (DEBUG_GTE(FILTER, 3)) {
-							rprintf(FINFO, "[%s] add_implied_include(%s/)\n",
-								who_am_i(), rule->pattern);
-						}
+				if (p[-1] == '/') { /* This is safe because of the initial slash. */
+					if (*++cp == '\0') {
+						slash_cnt--;
+						p--;
 					}
+				} else if (cp[1] == '\0') {
+					cp++;
+				} else {
+					slash_cnt++;
+					*p++ = *cp++;
 				}
-				slash_cnt++;
+				break;
+			  case '.':
+				if (p[-1] == '/') {
+					if (cp[1] == '/') {
+						cp += 2;
+						if (!*cp) {
+							slash_cnt--;
+							p--;
+						}
+					} else if (cp[1] == '\0') {
+						cp++;
+						slash_cnt--;
+						p--;
+					} else
+						*p++ = *cp++;
+				} else
+					*p++ = *cp++;
+				break;
+			  case '[':
+				saw_live_open_brkt = 1;
 				*p++ = *cp++;
 				break;
 			  default:
@@ -386,15 +474,68 @@ void add_implied_include(const char *arg)
 			}
 		}
 		*p = '\0';
-		rule->u.slash_cnt = slash_cnt;
-		arg = (const char *)rule->pattern;
-		if (DEBUG_GTE(FILTER, 3))
-			rprintf(FINFO, "[%s] add_implied_include(%s)\n", who_am_i(), rule->pattern);
+		arg_len = p - new_pat;
+		if (!arg_len)
+			free(new_pat);
+		else {
+			filter_rule *rule = new0(filter_rule);
+			rule->rflags = FILTRULE_INCLUDE + (saw_wild ? FILTRULE_WILD : 0);
+			rule->u.slash_cnt = slash_cnt;
+			arg = rule->pattern = new_pat;
+			if (!implied_filter_list.head)
+				implied_filter_list.head = implied_filter_list.tail = rule;
+			else {
+				rule->next = implied_filter_list.head;
+				implied_filter_list.head = rule;
+			}
+			if (DEBUG_GTE(FILTER, 3))
+				rprintf(FINFO, "[%s] add_implied_include(%s)\n", who_am_i(), arg);
+			if (saw_live_open_brkt)
+				maybe_add_literal_brackets_rule(rule, arg_len);
+			if (relative_paths && slash_cnt) {
+				int sub_slash_cnt = slash_cnt;
+				while ((p = strrchr(new_pat, '/')) != NULL && p != new_pat) {
+					filter_rule const *ent;
+					filter_rule *R_rule;
+					int found = 0;
+					*p = '\0';
+					for (ent = implied_filter_list.head; ent; ent = ent->next) {
+						if (ent != rule && strcmp(ent->pattern, new_pat) == 0) {
+							found = 1;
+							break;
+						}
+					}
+					if (found) {
+						*p = '/';
+						break; /* We added all parent dirs already */
+					}
+					R_rule = new0(filter_rule);
+					R_rule->rflags = FILTRULE_INCLUDE | FILTRULE_DIRECTORY;
+					/* Check if our sub-path has wildcards or escaped backslashes */
+					if (saw_wild && strpbrk(new_pat, "*[?\\"))
+						R_rule->rflags |= FILTRULE_WILD;
+					R_rule->pattern = strdup(new_pat);
+					R_rule->u.slash_cnt = --sub_slash_cnt;
+					R_rule->next = implied_filter_list.head;
+					implied_filter_list.head = R_rule;
+					if (DEBUG_GTE(FILTER, 3)) {
+						rprintf(FINFO, "[%s] add_implied_include(%s/)\n",
+							who_am_i(), R_rule->pattern);
+					}
+					if (saw_live_open_brkt)
+						maybe_add_literal_brackets_rule(R_rule, -1);
+				}
+				for (p = new_pat; sub_slash_cnt < slash_cnt; sub_slash_cnt++) {
+					p += strlen(p);
+					*p = '/';
+				}
+			}
+		}
 	}

 	if (recurse || xfer_dirs) {
 		/* Now create a rule with an added "/" & "**" or "*" at the end */
-		rule = new0(filter_rule);
+		filter_rule *rule = new0(filter_rule);
 		rule->rflags = FILTRULE_INCLUDE | FILTRULE_WILD;
 		if (recurse)
 			rule->rflags |= FILTRULE_WILD2;
@@ -402,8 +543,7 @@ void add_implied_include(const char *arg)
 		if (!saw_wild && backslash_cnt) {
 			/* We are appending a wildcard, so now the backslashes need to be escaped. */
 			p = rule->pattern = new_array(char, arg_len + backslash_cnt + 3 + 1);
-			cp = arg;
-			while (*cp) {
+			for (cp = arg; *cp; ) { /* Note that arg_len != 0 because backslash_cnt > 0 */
 				if (*cp == '\\')
 					*p++ = '\\';
 				*p++ = *cp++;
@@ -415,8 +555,7 @@ void add_implied_include(const char *arg)
 				p += arg_len;
 			}
 		}
-		if (p[-1] != '/')
-			*p++ = '/';
+		*p++ = '/';
 		*p++ = '*';
 		if (recurse)
 			*p++ = '*';
@@ -426,6 +565,8 @@ void add_implied_include(const char *arg)
 		implied_filter_list.head = rule;
 		if (DEBUG_GTE(FILTER, 3))
 			rprintf(FINFO, "[%s] add_implied_include(%s)\n", who_am_i(), rule->pattern);
+		if (saw_live_open_brkt)
+			maybe_add_literal_brackets_rule(rule, p - rule->pattern);
 	}
 }

@@ -579,7 +720,8 @@ static BOOL setup_merge_file(int mergelist_num, filter_rule *ex,
 	parent_dirscan = True;
 	while (*y) {
 		char save[MAXPATHLEN];
-		strlcpy(save, y, MAXPATHLEN);
+		/* copylen is strlen(y) which is < MAXPATHLEN. +1 for \0 */
+		size_t copylen = strlcpy(save, y, MAXPATHLEN) + 1;
 		*y = '\0';
 		dirbuf_len = y - dirbuf;
 		strlcpy(x, ex->pattern, MAXPATHLEN - (x - buf));
@@ -593,7 +735,7 @@ static BOOL setup_merge_file(int mergelist_num, filter_rule *ex,
 			lp->head = NULL;
 		}
 		lp->tail = NULL;
-		strlcpy(y, save, MAXPATHLEN);
+		strlcpy(y, save, copylen);
 		while ((*x++ = *y++) != '/') {}
 	}
 	parent_dirscan = False;
@@ -762,11 +904,11 @@ static int rule_matches(const char *fname, filter_rule *ex, int name_flags)
 {
 	int slash_handling, str_cnt = 0, anchored_match = 0;
 	int ret_match = ex->rflags & FILTRULE_NEGATE ? 0 : 1;
-	char *p, *pattern = ex->pattern;
+	const char *p, *pattern = ex->pattern;
 	const char *strings[16]; /* more than enough */
 	const char *name = fname + (*fname == '/');

-	if (!*name)
+	if (!*name || ex->elide == cur_elide_value)
 		return 0;

 	if (!(name_flags & NAME_IS_XATTR) ^ !(ex->rflags & FILTRULE_XATTR))
@@ -882,6 +1024,15 @@ int name_is_excluded(const char *fname, int name_flags, int filter_level)
 	return 0;
 }

+int check_server_filter(filter_rule_list *listp, enum logcode code, const char *name, int name_flags)
+{
+	int ret;
+	cur_elide_value = LOCAL_RULE;
+	ret = check_filter(listp, code, name, name_flags);
+	cur_elide_value = REMOTE_RULE;
+	return ret;
+}
+
 /* Return -1 if file "name" is defined to be excluded by the specified
 * exclude list, 1 if it is included, and 0 if it was not matched. */
 int check_filter(filter_rule_list *listp, enum logcode code,
@@ -1437,7 +1588,7 @@ char *get_rule_prefix(filter_rule *rule, const char *pat, int for_xfer,

 static void send_rules(int f_out, filter_rule_list *flp)
 {
-	filter_rule *ent, *prev = NULL;
+	filter_rule *ent;

 	for (ent = flp->head; ent; ent = ent->next) {
 		unsigned int len, plen, dlen;
@@ -1452,21 +1603,15 @@ static void send_rules(int f_out, filter_rule_list *flp)
 		 * merge files as an optimization (since they can only have
 		 * include/exclude rules). */
 		if (ent->rflags & FILTRULE_SENDER_SIDE)
-			elide = am_sender ? 1 : -1;
+			elide = am_sender ? LOCAL_RULE : REMOTE_RULE;
 		if (ent->rflags & FILTRULE_RECEIVER_SIDE)
-			elide = elide ? 0 : am_sender ? -1 : 1;
+			elide = elide ? 0 : am_sender ? REMOTE_RULE : LOCAL_RULE;
 		else if (delete_excluded && !elide
 		 && (!(ent->rflags & FILTRULE_PERDIR_MERGE)
 		  || ent->rflags & FILTRULE_NO_PREFIXES))
-			elide = am_sender ? 1 : -1;
-		if (elide < 0) {
-			if (prev)
-				prev->next = ent->next;
-			else
-				flp->head = ent->next;
-		} else
-			prev = ent;
-		if (elide > 0)
+			elide = am_sender ? LOCAL_RULE : REMOTE_RULE;
+		ent->elide = elide;
+		if (elide == LOCAL_RULE)
 			continue;
 		if (ent->rflags & FILTRULE_CVS_IGNORE
 		    && !(ent->rflags & FILTRULE_MERGE_FILE)) {
@@ -1494,7 +1639,6 @@ static void send_rules(int f_out, filter_rule_list *flp)
 		if (dlen)
 			write_byte(f_out, '/');
 	}
-	flp->tail = prev;
 }

 /* This is only called by the client. */
--- a/fileio.c
+++ b/fileio.c
@@ -3,7 +3,7 @@
 *
 * Copyright (C) 1998 Andrew Tridgell
 * Copyright (C) 2002 Martin Pool
- * Copyright (C) 2004-2020 Wayne Davison
+ * Copyright (C) 2004-2023 Wayne Davison
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -40,30 +40,34 @@ OFF_T preallocated_len = 0;
 static OFF_T sparse_seek = 0;
 static OFF_T sparse_past_write = 0;

-int sparse_end(int f, OFF_T size)
+int sparse_end(int f, OFF_T size, int updating_basis_or_equiv)
 {
-	int ret;
+	int ret = 0;

-	sparse_past_write = 0;
-
-	if (!sparse_seek)
-		return 0;
-
-#ifdef HAVE_FTRUNCATE
-	ret = do_ftruncate(f, size);
-#else
-	if (do_lseek(f, sparse_seek-1, SEEK_CUR) != size-1)
-		ret = -1;
-	else {
-		do {
-			ret = write(f, "", 1);
-		} while (ret < 0 && errno == EINTR);
-
-		ret = ret <= 0 ? -1 : 0;
-	}
+	if (updating_basis_or_equiv) {
+		if (sparse_seek && do_punch_hole(f, sparse_past_write, sparse_seek) < 0)
+			ret = -1;
+#ifdef HAVE_FTRUNCATE /* A compilation formality -- in-place requires ftruncate() */
+		else /* Just in case the original file was longer */
+			ret = do_ftruncate(f, size);
 #endif
+	} else if (sparse_seek) {
+#ifdef HAVE_FTRUNCATE
+		ret = do_ftruncate(f, size);
+#else
+		if (do_lseek(f, sparse_seek-1, SEEK_CUR) != size-1)
+			ret = -1;
+		else {
+			do {
+				ret = write(f, "", 1);
+			} while (ret < 0 && errno == EINTR);

-	sparse_seek = 0;
+			ret = ret <= 0 ? -1 : 0;
+		}
+#endif
+	}
+
+	sparse_past_write = sparse_seek = 0;

 	return ret;
 }
--- a/flist.c
+++ b/flist.c
@@ -4,7 +4,7 @@
 * Copyright (C) 1996 Andrew Tridgell
 * Copyright (C) 1996 Paul Mackerras
 * Copyright (C) 2001, 2002 Martin Pool <mbp@samba.org>
- * Copyright (C) 2002-2022 Wayne Davison
+ * Copyright (C) 2002-2023 Wayne Davison
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -33,7 +33,6 @@ extern int am_sender;
 extern int am_generator;
 extern int inc_recurse;
 extern int always_checksum;
-extern int checksum_type;
 extern int module_id;
 extern int ignore_errors;
 extern int numeric_ids;
@@ -80,6 +79,8 @@ extern struct stats stats;
 extern char *filesfrom_host;
 extern char *usermap, *groupmap;

+extern struct name_num_item *file_sum_nni;
+
 extern char curr_dir[MAXPATHLEN];

 extern struct chmod_mode_struct *chmod_modes;
@@ -145,7 +146,8 @@ void init_flist(void)
 		rprintf(FINFO, "FILE_STRUCT_LEN=%d, EXTRA_LEN=%d\n",
 			(int)FILE_STRUCT_LEN, (int)EXTRA_LEN);
 	}
-	flist_csum_len = csum_len_for_type(checksum_type, 1);
+	/* Note that this isn't identical to file_sum_len in the case of CSUM_MD4_ARCHAIC: */
+	flist_csum_len = csum_len_for_type(file_sum_nni->num, 1);

 	show_filelist_progress = INFO_GTE(FLIST, 1) && xfer_dirs && !am_server && !inc_recurse;
 }
@@ -754,7 +756,7 @@ static struct file_struct *recv_file_entry(int f, struct file_list *flist, int x
 	if (*thisname
 	 && (clean_fname(thisname, CFN_REFUSE_DOT_DOT_DIRS) < 0 || (!relative_paths && *thisname == '/'))) {
 		rprintf(FERROR, "ABORTING due to unsafe pathname from sender: %s\n", thisname);
-		exit_cleanup(RERR_PROTOCOL);
+		exit_cleanup(RERR_UNSUPPORTED);
 	}

 	if (sanitize_paths)
@@ -834,13 +836,13 @@ static struct file_struct *recv_file_entry(int f, struct file_list *flist, int x
 			}
 #endif
 		} else
-			modtime = read_int(f);
+			modtime = read_uint(f);
 	}
 	if (xflags & XMIT_MOD_NSEC)
 #ifndef CAN_SET_NSEC
-		(void)read_varint(f);
+		(void)read_varint_bounded(f, 0, MAX_WIRE_NSEC, "modtime_nsec");
 #else
-		modtime_nsec = read_varint(f);
+		modtime_nsec = read_varint_bounded(f, 0, MAX_WIRE_NSEC, "modtime_nsec");
 	else
 		modtime_nsec = 0;
 #endif
@@ -859,8 +861,19 @@ static struct file_struct *recv_file_entry(int f, struct file_list *flist, int x
 #endif
 	}
 #endif
-	if (!(xflags & XMIT_SAME_MODE))
+	if (!(xflags & XMIT_SAME_MODE)) {
 		mode = from_wire_mode(read_int(f));
+		/* Reject modes whose type bits are not one of the standard
+		 * file types; otherwise garbage mode values propagate through
+		 * the file-type checks below unpredictably. */
+		if (!S_ISREG(mode) && !S_ISDIR(mode) && !S_ISLNK(mode)
+		 && !S_ISCHR(mode) && !S_ISBLK(mode)
+		 && !S_ISFIFO(mode) && !S_ISSOCK(mode)) {
+			rprintf(FERROR, "invalid file mode 0%o for %s [%s]\n",
+				(unsigned)mode, lastname, who_am_i());
+			exit_cleanup(RERR_PROTOCOL);
+		}
+	}
 	if (atimes_ndx && !S_ISDIR(mode) && !(xflags & XMIT_SAME_ATIME)) {
 		atime = read_varlong(f, 4);
 #if SIZEOF_TIME_T < SIZEOF_INT64
@@ -986,16 +999,16 @@ static struct file_struct *recv_file_entry(int f, struct file_list *flist, int x
 		exit_cleanup(RERR_UNSUPPORTED);
 	}

-	if (*thisname != '.' || thisname[1] != '\0') {
+	if (*thisname == '/' ? thisname[1] != '.' || thisname[2] != '\0' : *thisname != '.' || thisname[1] != '\0') {
 		int filt_flags = S_ISDIR(mode) ? NAME_IS_DIR : NAME_IS_FILE;
 		if (!trust_sender_filter /* a per-dir filter rule means we must trust the sender's filtering */
-		 && filter_list.head && check_filter(&filter_list, FINFO, thisname, filt_flags) < 0) {
+		 && filter_list.head && check_server_filter(&filter_list, FINFO, thisname, filt_flags) < 0) {
 			rprintf(FERROR, "ERROR: rejecting excluded file-list name: %s\n", thisname);
-			exit_cleanup(RERR_PROTOCOL);
+			exit_cleanup(RERR_UNSUPPORTED);
 		}
 		if (implied_filter_list.head && check_filter(&implied_filter_list, FINFO, thisname, filt_flags) <= 0) {
 			rprintf(FERROR, "ERROR: rejecting unrequested file-list name: %s\n", thisname);
-			exit_cleanup(RERR_PROTOCOL);
+			exit_cleanup(RERR_UNSUPPORTED);
 		}
 	}

@@ -1388,7 +1401,7 @@ struct file_struct *make_file(const char *fname, struct file_list *flist,

 	if (copy_devices && am_sender && IS_DEVICE(st.st_mode)) {
 		if (st.st_size == 0) {
-			int fd = do_open(fname, O_RDONLY, 0);
+			int fd = do_open_checklinks(fname);
 			if (fd >= 0) {
 				st.st_size = get_device_size(fd, fname);
 				close(fd);
@@ -2365,7 +2378,7 @@ struct file_list *send_file_list(int f, int argc, char *argv[])
 		}

 		dirlen = dir ? strlen(dir) : 0;
-		if (dirlen != lastdir_len || memcmp(lastdir, dir, dirlen) != 0) {
+		if (dirlen != lastdir_len || (dirlen && memcmp(lastdir, dir, dirlen) != 0)) {
 			if (!change_pathname(NULL, dir, -dirlen))
 				goto bad_path;
 			lastdir = pathname;
@@ -2582,6 +2595,19 @@ struct file_list *recv_file_list(int f, int dir_ndx)
 		init_hard_links();
 #endif

+	if (inc_recurse && dir_ndx >= 0) {
+		if (dir_ndx >= dir_flist->used) {
+			rprintf(FERROR_XFER, "rsync: refusing invalid dir_ndx %u >= %u\n", dir_ndx, dir_flist->used);
+			exit_cleanup(RERR_PROTOCOL);
+		}
+		struct file_struct *file = dir_flist->files[dir_ndx];
+		if (file->flags & FLAG_GOT_DIR_FLIST) {
+			rprintf(FERROR_XFER, "rsync: refusing malicious duplicate flist for dir %d\n", dir_ndx);
+			exit_cleanup(RERR_PROTOCOL);
+		}
+		file->flags |= FLAG_GOT_DIR_FLIST;
+	}
+
 	flist = flist_new(0, "recv_file_list");
 	flist_expand(flist, FLIST_START_LARGE);

@@ -2640,7 +2666,7 @@ struct file_list *recv_file_list(int f, int dir_ndx)
 					rprintf(FERROR,
 						"ABORTING due to invalid path from sender: %s/%s\n",
 						cur_dir, file->basename);
-					exit_cleanup(RERR_PROTOCOL);
+					exit_cleanup(RERR_UNSUPPORTED);
 				}
 				good_dirname = cur_dir;
 			}
@@ -2657,7 +2683,7 @@ struct file_list *recv_file_list(int f, int dir_ndx)
 		} else if (S_ISLNK(file->mode))
 			stats.num_symlinks++;
 		else if (IS_DEVICE(file->mode))
-			stats.num_symlinks++;
+			stats.num_devices++;
 		else
 			stats.num_specials++;

@@ -3152,8 +3178,8 @@ static void output_flist(struct file_list *flist)
 		} else
 			*uidbuf = '\0';
 		if (gid_ndx) {
-			static char parens[] = "(\0)\0\0\0";
-			char *pp = parens + (file->flags & FLAG_SKIP_GROUP ? 0 : 3);
+			static const char parens[] = "(\0)\0\0\0";
+			const char *pp = parens + (file->flags & FLAG_SKIP_GROUP ? 0 : 3);
 			snprintf(gidbuf, sizeof gidbuf, " gid=%s%u%s",
 				 pp, F_GROUP(file), pp + 2);
 		} else
--- a/generator.c
+++ b/generator.c
@@ -4,7 +4,7 @@
 * Copyright (C) 1996-2000 Andrew Tridgell
 * Copyright (C) 1996 Paul Mackerras
 * Copyright (C) 2002 Martin Pool <mbp@samba.org>
- * Copyright (C) 2003-2022 Wayne Davison
+ * Copyright (C) 2003-2023 Wayne Davison
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -229,11 +229,13 @@ static int read_delay_line(char *buf, int *flags_p)
 		*flags_p = 0;

 	if (sscanf(bp, "%x ", &mode) != 1) {
-	  invalid_data:
-		rprintf(FERROR, "ERROR: invalid data in delete-delay file.\n");
-		return -1;
+		goto invalid_data;
 	}
-	past_space = strchr(bp, ' ') + 1;
+	past_space = strchr(bp, ' ');
+	if (!past_space) {
+		goto invalid_data;
+	}
+	past_space++;
 	len = j - read_pos - (past_space - bp) + 1; /* count the '\0' */
 	read_pos = j + 1;

@@ -247,6 +249,10 @@ static int read_delay_line(char *buf, int *flags_p)
 	memcpy(buf, past_space, len);

 	return mode;
+
+invalid_data:
+	rprintf(FERROR, "ERROR: invalid data in delete-delay file.\n");
+	return -1;
 }

 static void do_delayed_deletions(char *delbuf)
@@ -783,7 +789,7 @@ static int generate_and_send_sums(int fd, OFF_T len, int f_out, int f_copy)
 	for (i = 0; i < sum.count; i++) {
 		int32 n1 = (int32)MIN(len, (OFF_T)sum.blength);
 		char *map = map_ptr(mapbuf, offset, n1);
-		char sum2[SUM_LENGTH];
+		char sum2[MAX_DIGEST_LEN];
 		uint32 sum1;

 		len -= n1;
@@ -875,9 +881,12 @@ static struct file_struct *find_fuzzy(struct file_struct *file, struct file_list
 			len = strlen(name);
 			suf = find_filename_suffix(name, len, &suf_len);

-			dist = fuzzy_distance(name, len, fname, fname_len);
-			/* Add some extra weight to how well the suffixes match. */
-			dist += fuzzy_distance(suf, suf_len, fname_suf, fname_suf_len) * 10;
+			dist = fuzzy_distance(name, len, fname, fname_len, lowest_dist);
+			/* Add some extra weight to how well the suffixes match unless we've already disqualified
+			 * this file based on a heuristic. */
+			if (dist < 0xFFFF0000U) {
+				dist += fuzzy_distance(suf, suf_len, fname_suf, fname_suf_len, 0xFFFF0000U) * 10;
+			}
 			if (DEBUG_GTE(FUZZY, 2)) {
 				rprintf(FINFO, "fuzzy distance for %s = %d.%05d\n",
 					f_name(fp, NULL), (int)(dist>>16), (int)(dist&0xFFFF));
@@ -981,7 +990,7 @@ static int try_dests_reg(struct file_struct *file, char *fname, int ndx,
 		if (find_exact_for_existing) {
 			if (alt_dest_type == LINK_DEST && real_st.st_dev == sxp->st.st_dev && real_st.st_ino == sxp->st.st_ino)
 				return -1;
-			if (do_unlink(fname) < 0 && errno != ENOENT)
+			if (do_unlink_at(fname) < 0 && errno != ENOENT)
 				goto got_nothing_for_ya;
 		}
 #ifdef SUPPORT_HARD_LINKS
@@ -1109,7 +1118,7 @@ static int try_dests_non(struct file_struct *file, char *fname, int ndx,
 		 && !IS_SPECIAL(file->mode) && !IS_DEVICE(file->mode)
 #endif
 		 && !S_ISDIR(file->mode)) {
-			if (do_link(cmpbuf, fname) < 0) {
+			if (do_link_at(cmpbuf, fname) < 0) {
 				rsyserr(FERROR_XFER, errno,
 					"failed to hard-link %s with %s",
 					cmpbuf, fname);
@@ -1312,7 +1321,7 @@ static void recv_generator(char *fname, struct file_struct *file, int ndx,
 				}
 			}
 			if (relative_paths && !implied_dirs && file->mode != 0
-			 && do_stat(dn, &sx.st) < 0) {
+			 && do_stat_at(dn, &sx.st) < 0) {
 				if (dry_run)
 					goto parent_is_dry_missing;
 				if (make_path(fname, MKP_DROP_NAME | MKP_SKIP_SLASH) < 0) {
@@ -1424,7 +1433,7 @@ static void recv_generator(char *fname, struct file_struct *file, int ndx,
 			 && (stype == FT_DIR
 			  || delete_item(fname, sx.st.st_mode, del_opts | DEL_FOR_DIR) != 0))
 				goto cleanup; /* Any errors get reported later. */
-			if (do_mkdir(fname, (file->mode|added_perms) & 0700) == 0)
+			if (do_mkdir_at(fname, (file->mode|added_perms) & 0700) == 0)
 				file->flags |= FLAG_DIR_CREATED;
 			goto cleanup;
 		}
@@ -1466,10 +1475,10 @@ static void recv_generator(char *fname, struct file_struct *file, int ndx,
 			itemize(fnamecmp, file, ndx, statret, &sx,
 				statret ? ITEM_LOCAL_CHANGE : 0, 0, NULL);
 		}
-		if (real_ret != 0 && do_mkdir(fname,file->mode|added_perms) < 0 && errno != EEXIST) {
+		if (real_ret != 0 && do_mkdir_at(fname,file->mode|added_perms) < 0 && errno != EEXIST) {
 			if (!relative_paths || errno != ENOENT
 			 || make_path(fname, MKP_DROP_NAME | MKP_SKIP_SLASH) < 0
-			 || (do_mkdir(fname, file->mode|added_perms) < 0 && errno != EEXIST)) {
+			 || (do_mkdir_at(fname, file->mode|added_perms) < 0 && errno != EEXIST)) {
 				rsyserr(FERROR_XFER, errno,
 					"recv_generator: mkdir %s failed",
 					full_fname(fname));
@@ -1496,7 +1505,7 @@ static void recv_generator(char *fname, struct file_struct *file, int ndx,
 #ifdef HAVE_CHMOD
 		if (!am_root && (file->mode & S_IRWXU) != S_IRWXU && dir_tweaking) {
 			mode_t mode = file->mode | S_IRWXU;
-			if (do_chmod(fname, mode) < 0) {
+			if (do_chmod_at(fname, mode) < 0) {
 				rsyserr(FERROR_XFER, errno,
 					"failed to modify permissions on %s",
 					full_fname(fname));
@@ -1795,7 +1804,7 @@ static void recv_generator(char *fname, struct file_struct *file, int ndx,

 	if (write_devices && IS_DEVICE(sx.st.st_mode) && sx.st.st_size == 0) {
 		/* This early open into fd skips the regular open below. */
-		if ((fd = do_open(fnamecmp, O_RDONLY, 0)) >= 0)
+		if ((fd = do_open_nofollow(fnamecmp, O_RDONLY)) >= 0)
 			real_sx.st.st_size = sx.st.st_size = get_device_size(fd, fnamecmp);
 	}

@@ -1805,7 +1814,7 @@ static void recv_generator(char *fname, struct file_struct *file, int ndx,
 		;
 	else if (quick_check_ok(FT_REG, fnamecmp, file, &sx.st)) {
 		if (partialptr) {
-			do_unlink(partialptr);
+			do_unlink_at(partialptr);
 			handle_partial_dir(partialptr, PDIR_DELETE);
 		}
 		set_file_attrs(fname, file, &sx, NULL, maybe_ATTRS_REPORT | maybe_ATTRS_ACCURATE_TIME);
@@ -1819,7 +1828,7 @@ static void recv_generator(char *fname, struct file_struct *file, int ndx,
 			goto cleanup;
 	  return_with_success:
 		if (!dry_run)
-			send_msg_int(MSG_SUCCESS, ndx);
+			send_msg_success(fname, ndx);
 		goto cleanup;
 	}

@@ -1864,7 +1873,7 @@ static void recv_generator(char *fname, struct file_struct *file, int ndx,
 	}

 	/* open the file */
-	if (fd < 0 && (fd = do_open(fnamecmp, O_RDONLY, 0)) < 0) {
+	if (fd < 0 && (fd = do_open_checklinks(fnamecmp)) < 0) {
 		rsyserr(FERROR, errno, "failed to open %s, continuing",
 			full_fname(fnamecmp));
 	  pretend_missing:
@@ -1893,7 +1902,7 @@ static void recv_generator(char *fname, struct file_struct *file, int ndx,
 			back_file = NULL;
 			goto cleanup;
 		}
-		if ((f_copy = do_open(backupptr, O_WRONLY | O_CREAT | O_TRUNC | O_EXCL, 0600)) < 0) {
+		if ((f_copy = do_open_at(backupptr, O_WRONLY | O_CREAT | O_TRUNC | O_EXCL, 0600)) < 0) {
 			rsyserr(FERROR_XFER, errno, "open %s", full_fname(backupptr));
 			unmake_file(back_file);
 			back_file = NULL;
@@ -2013,7 +2022,7 @@ int atomic_create(struct file_struct *file, char *fname, const char *slnk, const

 	if (slnk) {
 #ifdef SUPPORT_LINKS
-		if (do_symlink(slnk, create_name) < 0) {
+		if (do_symlink_at(slnk, create_name) < 0) {
 			rsyserr(FERROR_XFER, errno, "symlink %s -> \"%s\" failed",
 				full_fname(create_name), slnk);
 			return 0;
@@ -2029,7 +2038,7 @@ int atomic_create(struct file_struct *file, char *fname, const char *slnk, const
 		return 0;
 #endif
 	} else {
-		if (do_mknod(create_name, file->mode, rdev) < 0) {
+		if (do_mknod_at(create_name, file->mode, rdev) < 0) {
 			rsyserr(FERROR_XFER, errno, "mknod %s failed",
 				full_fname(create_name));
 			return 0;
@@ -2037,10 +2046,14 @@ int atomic_create(struct file_struct *file, char *fname, const char *slnk, const
 	}

 	if (!skip_atomic) {
-		if (do_rename(tmpname, fname) < 0) {
+		if (do_rename_at(tmpname, fname) < 0) {
+			char *full_tmpname = strdup(full_fname(tmpname));
+			if (full_tmpname == NULL)
+				out_of_memory("atomic_create");
 			rsyserr(FERROR_XFER, errno, "rename %s -> \"%s\" failed",
-				full_fname(tmpname), full_fname(fname));
-			do_unlink(tmpname);
+				full_tmpname, full_fname(fname));
+			free(full_tmpname);
+			do_unlink_at(tmpname);
 			return 0;
 		}
 	}
@@ -2104,7 +2117,7 @@ static void touch_up_dirs(struct file_list *flist, int ndx)
 			continue;
 		fname = f_name(file, NULL);
 		if (fix_dir_perms)
-			do_chmod(fname, file->mode);
+			do_chmod_at(fname, file->mode);
 		if (need_retouch_dir_times) {
 			STRUCT_STAT st;
 			if (link_stat(fname, &st, 0) == 0 && mtime_differs(&st, file)) {
@@ -2139,6 +2152,8 @@ void check_for_finished_files(int itemizing, enum logcode code, int check_redo)
 			if (send_failed)
 				ndx = get_hlink_num();
 			flist = flist_for_ndx(ndx, "check_for_finished_files.1");
+			if (ndx < flist->ndx_start)
+				exit_cleanup(RERR_PROTOCOL);
 			file = flist->files[ndx - flist->ndx_start];
 			assert(file->flags & FLAG_HLINKED);
 			if (send_failed)
@@ -2167,6 +2182,8 @@ void check_for_finished_files(int itemizing, enum logcode code, int check_redo)

 			flist = cur_flist;
 			cur_flist = flist_for_ndx(ndx, "check_for_finished_files.2");
+			if (ndx < cur_flist->ndx_start)
+				exit_cleanup(RERR_PROTOCOL);

 			file = cur_flist->files[ndx - cur_flist->ndx_start];
 			if (solo_file)
--- a/hashtable.c
+++ b/hashtable.c
@@ -1,7 +1,7 @@
 /*
 * Routines to provide a memory-efficient hashtable.
 *
- * Copyright (C) 2007-2020 Wayne Davison
+ * Copyright (C) 2007-2022 Wayne Davison
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -350,6 +350,9 @@ void *hashtable_find(struct hashtable *tbl, int64 key, void *data_when_new)
 -------------------------------------------------------------------------------
 */

+#define NON_ZERO_32(x) ((x) ? (x) : (uint32_t)1)
+#define NON_ZERO_64(x, y) ((x) || (y) ? (y) | (int64)(x) << 32 | (y) : (int64)1)
+
 uint32_t hashlittle(const void *key, size_t length)
 {
  uint32_t a,b,c;                                          /* internal state */
@@ -390,7 +393,7 @@ uint32_t hashlittle(const void *key, size_t length)
    case 3 : a+=((uint32_t)k8[2])<<16;   /* fall through */
    case 2 : a+=((uint32_t)k8[1])<<8;    /* fall through */
    case 1 : a+=k8[0]; break;
-    case 0 : return c;
+    case 0 : return NON_ZERO_32(c);
    }
  } else if (HASH_LITTLE_ENDIAN && ((u.i & 0x1) == 0)) {
    const uint16_t *k = (const uint16_t *)key;         /* read 16-bit chunks */
@@ -436,7 +439,7 @@ uint32_t hashlittle(const void *key, size_t length)
             break;
    case 1 : a+=k8[0];
             break;
-    case 0 : return c;                     /* zero length requires no mixing */
+    case 0 : return NON_ZERO_32(c);         /* zero length requires no mixing */
    }

  } else {                        /* need to read the key one byte at a time */
@@ -489,10 +492,171 @@ uint32_t hashlittle(const void *key, size_t length)
 	     /* FALLTHROUGH */
    case 1 : a+=k[0];
             break;
-    case 0 : return c;
+    case 0 : return NON_ZERO_32(c);
    }
  }

  final(a,b,c);
-  return c;
+  return NON_ZERO_32(c);
 }
+
+#if SIZEOF_INT64 >= 8
+/*
+ * hashlittle2: return 2 32-bit hash values joined into an int64.
+ *
+ * This is identical to hashlittle(), except it returns two 32-bit hash
+ * values instead of just one.  This is good enough for hash table
+ * lookup with 2^^64 buckets, or if you want a second hash if you're not
+ * happy with the first, or if you want a probably-unique 64-bit ID for
+ * the key.  *pc is better mixed than *pb, so use *pc first.  If you want
+ * a 64-bit value do something like "*pc + (((uint64_t)*pb)<<32)".
+ */
+int64 hashlittle2(const void *key, size_t length)
+{
+  uint32_t a,b,c;                                          /* internal state */
+  union { const void *ptr; size_t i; } u;     /* needed for Mac Powerbook G4 */
+
+  /* Set up the internal state */
+  a = b = c = 0xdeadbeef + ((uint32_t)length);
+
+  u.ptr = key;
+  if (HASH_LITTLE_ENDIAN && ((u.i & 0x3) == 0)) {
+    const uint32_t *k = (const uint32_t *)key;         /* read 32-bit chunks */
+    const uint8_t  *k8;
+
+    /*------ all but last block: aligned reads and affect 32 bits of (a,b,c) */
+    while (length > 12)
+    {
+      a += k[0];
+      b += k[1];
+      c += k[2];
+      mix(a,b,c);
+      length -= 12;
+      k += 3;
+    }
+
+    /*----------------------------- handle the last (probably partial) block */
+    k8 = (const uint8_t *)k;
+    switch(length)
+    {
+    case 12: c+=k[2]; b+=k[1]; a+=k[0]; break;
+    case 11: c+=((uint32_t)k8[10])<<16;  /* fall through */
+    case 10: c+=((uint32_t)k8[9])<<8;    /* fall through */
+    case 9 : c+=k8[8];                   /* fall through */
+    case 8 : b+=k[1]; a+=k[0]; break;
+    case 7 : b+=((uint32_t)k8[6])<<16;   /* fall through */
+    case 6 : b+=((uint32_t)k8[5])<<8;    /* fall through */
+    case 5 : b+=k8[4];                   /* fall through */
+    case 4 : a+=k[0]; break;
+    case 3 : a+=((uint32_t)k8[2])<<16;   /* fall through */
+    case 2 : a+=((uint32_t)k8[1])<<8;    /* fall through */
+    case 1 : a+=k8[0]; break;
+    case 0 : return NON_ZERO_64(b, c);
+    }
+  } else if (HASH_LITTLE_ENDIAN && ((u.i & 0x1) == 0)) {
+    const uint16_t *k = (const uint16_t *)key;         /* read 16-bit chunks */
+    const uint8_t  *k8;
+
+    /*--------------- all but last block: aligned reads and different mixing */
+    while (length > 12)
+    {
+      a += k[0] + (((uint32_t)k[1])<<16);
+      b += k[2] + (((uint32_t)k[3])<<16);
+      c += k[4] + (((uint32_t)k[5])<<16);
+      mix(a,b,c);
+      length -= 12;
+      k += 6;
+    }
+
+    /*----------------------------- handle the last (probably partial) block */
+    k8 = (const uint8_t *)k;
+    switch(length)
+    {
+    case 12: c+=k[4]+(((uint32_t)k[5])<<16);
+             b+=k[2]+(((uint32_t)k[3])<<16);
+             a+=k[0]+(((uint32_t)k[1])<<16);
+             break;
+    case 11: c+=((uint32_t)k8[10])<<16;     /* fall through */
+    case 10: c+=k[4];
+             b+=k[2]+(((uint32_t)k[3])<<16);
+             a+=k[0]+(((uint32_t)k[1])<<16);
+             break;
+    case 9 : c+=k8[8];                      /* fall through */
+    case 8 : b+=k[2]+(((uint32_t)k[3])<<16);
+             a+=k[0]+(((uint32_t)k[1])<<16);
+             break;
+    case 7 : b+=((uint32_t)k8[6])<<16;      /* fall through */
+    case 6 : b+=k[2];
+             a+=k[0]+(((uint32_t)k[1])<<16);
+             break;
+    case 5 : b+=k8[4];                      /* fall through */
+    case 4 : a+=k[0]+(((uint32_t)k[1])<<16);
+             break;
+    case 3 : a+=((uint32_t)k8[2])<<16;      /* fall through */
+    case 2 : a+=k[0];
+             break;
+    case 1 : a+=k8[0];
+             break;
+    case 0 : return NON_ZERO_64(b, c);  /* zero length strings require no mixing */
+    }
+
+  } else {                        /* need to read the key one byte at a time */
+    const uint8_t *k = (const uint8_t *)key;
+
+    /*--------------- all but the last block: affect some 32 bits of (a,b,c) */
+    while (length > 12)
+    {
+      a += k[0];
+      a += ((uint32_t)k[1])<<8;
+      a += ((uint32_t)k[2])<<16;
+      a += ((uint32_t)k[3])<<24;
+      b += k[4];
+      b += ((uint32_t)k[5])<<8;
+      b += ((uint32_t)k[6])<<16;
+      b += ((uint32_t)k[7])<<24;
+      c += k[8];
+      c += ((uint32_t)k[9])<<8;
+      c += ((uint32_t)k[10])<<16;
+      c += ((uint32_t)k[11])<<24;
+      mix(a,b,c);
+      length -= 12;
+      k += 12;
+    }
+
+    /*-------------------------------- last block: affect all 32 bits of (c) */
+    switch(length)                   /* all the case statements fall through */
+    {
+    case 12: c+=((uint32_t)k[11])<<24;
+	     /* FALLTHROUGH */
+    case 11: c+=((uint32_t)k[10])<<16;
+	     /* FALLTHROUGH */
+    case 10: c+=((uint32_t)k[9])<<8;
+	     /* FALLTHROUGH */
+    case 9 : c+=k[8];
+	     /* FALLTHROUGH */
+    case 8 : b+=((uint32_t)k[7])<<24;
+	     /* FALLTHROUGH */
+    case 7 : b+=((uint32_t)k[6])<<16;
+	     /* FALLTHROUGH */
+    case 6 : b+=((uint32_t)k[5])<<8;
+	     /* FALLTHROUGH */
+    case 5 : b+=k[4];
+	     /* FALLTHROUGH */
+    case 4 : a+=((uint32_t)k[3])<<24;
+	     /* FALLTHROUGH */
+    case 3 : a+=((uint32_t)k[2])<<16;
+	     /* FALLTHROUGH */
+    case 2 : a+=((uint32_t)k[1])<<8;
+	     /* FALLTHROUGH */
+    case 1 : a+=k[0];
+             break;
+    case 0 : return NON_ZERO_64(b, c);
+    }
+  }
+
+  final(a,b,c);
+  return NON_ZERO_64(b, c);
+}
+#else
+#define hashlittle2(key, len) hashlittle(key, len)
+#endif
--- a/hlink.c
+++ b/hlink.c
@@ -4,7 +4,7 @@
 * Copyright (C) 1996 Andrew Tridgell
 * Copyright (C) 1996 Paul Mackerras
 * Copyright (C) 2002 Martin Pool <mbp@samba.org>
- * Copyright (C) 2004-2020 Wayne Davison
+ * Copyright (C) 2004-2022 Wayne Davison
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -117,7 +117,7 @@ static void match_gnums(int32 *ndx_list, int ndx_count)
 	struct ht_int32_node *node = NULL;
 	int32 gnum, gnum_next;

-	qsort(ndx_list, ndx_count, sizeof ndx_list[0], (int (*)()) hlink_compare_gnum);
+	qsort(ndx_list, ndx_count, sizeof ndx_list[0], (int (*)(const void*, const void*))hlink_compare_gnum);

 	for (from = 0; from < ndx_count; from++) {
 		file = hlink_flist->sorted[ndx_list[from]];
@@ -446,7 +446,7 @@ int hard_link_check(struct file_struct *file, int ndx, char *fname,
 		return -1;

 	if (remove_source_files == 1 && do_xfers)
-		send_msg_int(MSG_SUCCESS, ndx);
+		send_msg_success(fname, ndx);

 	return 1;
 }
@@ -454,7 +454,7 @@ int hard_link_check(struct file_struct *file, int ndx, char *fname,
 int hard_link_one(struct file_struct *file, const char *fname,
 		  const char *oldname, int terse)
 {
-	if (do_link(oldname, fname) < 0) {
+	if (do_link_at(oldname, fname) < 0) {
 		enum logcode code;
 		if (terse) {
 			if (!INFO_GTE(NAME, 1))
@@ -519,7 +519,7 @@ void finish_hard_link(struct file_struct *file, const char *fname, int fin_ndx,
 		if (val < 0)
 			continue;
 		if (remove_source_files == 1 && do_xfers)
-			send_msg_int(MSG_SUCCESS, ndx);
+			send_msg_success(fname, ndx);
 	}

 	if (inc_recurse) {
--- a/io.c
+++ b/io.c
@@ -41,6 +41,7 @@ extern int am_server;
 extern int am_sender;
 extern int am_receiver;
 extern int am_generator;
+extern int local_server;
 extern int msgs2stderr;
 extern int inc_recurse;
 extern int io_error;
@@ -54,6 +55,7 @@ extern int read_batch;
 extern int compat_flags;
 extern int protect_args;
 extern int checksum_seed;
+extern int xfer_sum_len;
 extern int daemon_connection;
 extern int protocol_version;
 extern int remove_source_files;
@@ -84,6 +86,8 @@ int sock_f_out = -1;
 int64 total_data_read = 0;
 int64 total_data_written = 0;

+char num_dev_ino_buf[4 + 8 + 8];
+
 static struct {
 	xbuf in, out, msg;
 	int in_fd;
@@ -113,7 +117,7 @@ static int active_filecnt = 0;
 static OFF_T active_bytecnt = 0;
 static int first_message = 1;

-static char int_byte_extra[64] = {
+static const char int_byte_extra[64] = {
 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* (00 - 3F)/4 */
 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* (40 - 7F)/4 */
 	1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /* (80 - BF)/4 */
@@ -376,6 +380,7 @@ static void forward_filesfrom_data(void)
 			free_xbuf(&ff_xb);
 			if (ff_reenable_multiplex >= 0)
 				io_start_multiplex_out(ff_reenable_multiplex);
+			free_implied_include_partial_string();
 		}
 		return;
 	}
@@ -419,7 +424,7 @@ static void forward_filesfrom_data(void)
 		while (s != eob) {
 			if (*s++ == '\0') {
 				ff_xb.len = s - sob - 1;
-				add_implied_include(sob);
+				add_implied_include(sob, 0);
 				if (iconvbufs(ic_send, &ff_xb, &iobuf.out, flags) < 0)
 					exit_cleanup(RERR_PROTOCOL); /* impossible? */
 				write_buf(iobuf.out_fd, s-1, 1); /* Send the '\0'. */
@@ -435,6 +440,7 @@ static void forward_filesfrom_data(void)
 			ff_lastchar = '\0';
 		else {
 			/* Handle a partial string specially, saving any incomplete chars. */
+			implied_include_partial_string(sob, s);
 			flags &= ~ICB_INCLUDE_INCOMPLETE;
 			if (iconvbufs(ic_send, &ff_xb, &iobuf.out, flags) < 0) {
 				if (errno == E2BIG)
@@ -455,12 +461,13 @@ static void forward_filesfrom_data(void)
 		/* Eliminate any multi-'\0' runs. */
 		while (f != eob) {
 			if (!(*t++ = *f++)) {
-				add_implied_include(cur);
+				add_implied_include(cur, 0);
 				cur = t;
 				while (f != eob && *f == '\0')
 					f++;
 			}
 		}
+		implied_include_partial_string(cur, t);
 		ff_lastchar = f[-1];
 		if ((len = t - ff_xb.buf) != 0) {
 			/* This will not circle back to perform_io() because we only get
@@ -1061,10 +1068,31 @@ void send_msg_int(enum msgcode code, int num)
 	send_msg(code, numbuf, 4, -1);
 }

+void send_msg_success(const char *fname, int num)
+{
+	if (local_server) {
+		STRUCT_STAT st;
+
+		if (DEBUG_GTE(IO, 1))
+			rprintf(FINFO, "[%s] send_msg_success(%d)\n", who_am_i(), num);
+
+		if (stat(fname, &st) < 0)
+			memset(&st, 0, sizeof (STRUCT_STAT));
+		SIVAL(num_dev_ino_buf, 0, num);
+		SIVAL64(num_dev_ino_buf, 4, st.st_dev);
+		SIVAL64(num_dev_ino_buf, 4+8, st.st_ino);
+		send_msg(MSG_SUCCESS, num_dev_ino_buf, sizeof num_dev_ino_buf, -1);
+	} else
+		send_msg_int(MSG_SUCCESS, num);
+}
+
 static void got_flist_entry_status(enum festatus status, int ndx)
 {
 	struct file_list *flist = flist_for_ndx(ndx, "got_flist_entry_status");

+	if (ndx < flist->ndx_start)
+		exit_cleanup(RERR_PROTOCOL);
+
 	if (remove_source_files) {
 		active_filecnt--;
 		active_bytecnt -= F_LENGTH(flist->files[ndx - flist->ndx_start]);
@@ -1075,8 +1103,12 @@ static void got_flist_entry_status(enum festatus status, int ndx)

 	switch (status) {
 	case FES_SUCCESS:
-		if (remove_source_files)
-			send_msg_int(MSG_SUCCESS, ndx);
+		if (remove_source_files) {
+			if (local_server)
+				send_msg(MSG_SUCCESS, num_dev_ino_buf, sizeof num_dev_ino_buf, -1);
+			else
+				send_msg_int(MSG_SUCCESS, ndx);
+		}
 		/* FALL THROUGH */
 	case FES_NO_SEND:
 #ifdef SUPPORT_HARD_LINKS
@@ -1129,8 +1161,8 @@ void set_io_timeout(int secs)

 static void check_for_d_option_error(const char *msg)
 {
-	static char rsync263_opts[] = "BCDHIKLPRSTWabceghlnopqrtuvxz";
-	char *colon;
+	static const char rsync263_opts[] = "BCDHIKLPRSTWabceghlnopqrtuvxz";
+	const char *colon;
 	int saw_d = 0;

 	if (*msg != 'r'
@@ -1571,14 +1603,15 @@ static void read_a_msg(void)
 		}
 		break;
 	case MSG_SUCCESS:
-		if (msg_bytes != 4) {
+		if (msg_bytes != (local_server ? 4+8+8 : 4)) {
 		  invalid_msg:
 			rprintf(FERROR, "invalid multi-message %d:%lu [%s%s]\n",
 				tag, (unsigned long)msg_bytes, who_am_i(),
 				inc_recurse ? "/inc" : "");
 			exit_cleanup(RERR_STREAMIO);
 		}
-		val = raw_read_int();
+		raw_read_buf(num_dev_ino_buf, msg_bytes);
+		val = IVAL(num_dev_ino_buf, 0);
 		iobuf.in_multiplexed = 1;
 		if (am_generator)
 			got_flist_entry_status(FES_SUCCESS, val);
@@ -1755,6 +1788,13 @@ int32 read_int(int f)
 	return num;
 }

+uint32 read_uint(int f)
+{
+	char b[4];
+	read_buf(f, b, 4);
+	return IVAL(b, 0);
+}
+
 int32 read_varint(int f)
 {
 	union {
@@ -1828,6 +1868,45 @@ int64 read_varlong(int f, uchar min_bytes)
 	return u.x;
 }

+/* Read an int32 and verify lo <= v <= hi. On out-of-range, abort with a
+ * protocol error naming "what". The bound is co-located with the read so it
+ * cannot be forgotten by a downstream user. */
+int32 read_int_bounded(int f, int32 lo, int32 hi, const char *what)
+{
+	int32 v = read_int(f);
+	if (v < lo || v > hi) {
+		rprintf(FERROR, "wire value %s out of range: %ld not in [%ld,%ld] [%s]\n",
+			what, (long)v, (long)lo, (long)hi, who_am_i());
+		exit_cleanup(RERR_PROTOCOL);
+	}
+	return v;
+}
+
+/* As read_int_bounded but for varint-encoded values. */
+int32 read_varint_bounded(int f, int32 lo, int32 hi, const char *what)
+{
+	int32 v = read_varint(f);
+	if (v < lo || v > hi) {
+		rprintf(FERROR, "wire value %s out of range: %ld not in [%ld,%ld] [%s]\n",
+			what, (long)v, (long)lo, (long)hi, who_am_i());
+		exit_cleanup(RERR_PROTOCOL);
+	}
+	return v;
+}
+
+/* Read a varint that will be used as a size_t. Rejects negative values
+ * (which would wrap to ~SIZE_MAX) and values exceeding the supplied max. */
+size_t read_varint_size(int f, size_t max, const char *what)
+{
+	int32 v = read_varint(f);
+	if (v < 0 || (size_t)v > max) {
+		rprintf(FERROR, "wire size %s out of range: %ld > %lu [%s]\n",
+			what, (long)v, (unsigned long)max, who_am_i());
+		exit_cleanup(RERR_PROTOCOL);
+	}
+	return (size_t)v;
+}
+
 int64 read_longint(int f)
 {
 #if SIZEOF_INT64 >= 8
@@ -1934,6 +2013,21 @@ void read_sum_head(int f, struct sum_struct *sum)
 			(long)sum->count, who_am_i());
 		exit_cleanup(RERR_PROTOCOL);
 	}
+	/* Guard against integer overflow in downstream allocations sized by
+	 * count*element_size. my_alloc uses divide-not-multiply so it is
+	 * already wraparound-safe, but checking here gives a clearer error
+	 * and also covers the (size_t)count * xfer_sum_len arithmetic that
+	 * is performed *before* reaching my_alloc. */
+	if (xfer_sum_len > 0 && (size_t)sum->count > SIZE_MAX / (size_t)xfer_sum_len) {
+		rprintf(FERROR, "Invalid checksum count %ld (too large) [%s]\n",
+			(long)sum->count, who_am_i());
+		exit_cleanup(RERR_PROTOCOL);
+	}
+	if ((size_t)sum->count > SIZE_MAX / sizeof(struct sum_buf)) {
+		rprintf(FERROR, "Invalid checksum count %ld (sum_buf overflow) [%s]\n",
+			(long)sum->count, who_am_i());
+		exit_cleanup(RERR_PROTOCOL);
+	}
 	sum->blength = read_int(f);
 	if (sum->blength < 0 || sum->blength > max_blength) {
 		rprintf(FERROR, "Invalid block length %ld [%s]\n",
@@ -1941,7 +2035,7 @@ void read_sum_head(int f, struct sum_struct *sum)
 		exit_cleanup(RERR_PROTOCOL);
 	}
 	sum->s2length = protocol_version < 27 ? csum_length : (int)read_int(f);
-	if (sum->s2length < 0 || sum->s2length > MAX_DIGEST_LEN) {
+	if (sum->s2length < 0 || sum->s2length > xfer_sum_len) {
 		rprintf(FERROR, "Invalid checksum length %d [%s]\n",
 			sum->s2length, who_am_i());
 		exit_cleanup(RERR_PROTOCOL);
--- a/latest-year.h
+++ b/latest-year.h
@@ -1 +1 @@
-#define LATEST_YEAR "2022"
+#define LATEST_YEAR "2026"
--- a/lib/md-defines.h
+++ b/lib/md-defines.h
@@ -1,11 +1,28 @@
 /* Keep this simple so both C and ASM can use it */

+/* These allow something like CFLAGS=-DDISABLE_SHA512_DIGEST */
+#ifdef DISABLE_SHA256_DIGEST
+#undef SHA256_DIGEST_LENGTH
+#endif
+#ifdef DISABLE_SHA512_DIGEST
+#undef SHA512_DIGEST_LENGTH
+#endif
+
 #define MD4_DIGEST_LEN 16
 #define MD5_DIGEST_LEN 16
+#if defined SHA512_DIGEST_LENGTH
+#define MAX_DIGEST_LEN SHA512_DIGEST_LENGTH
+#elif defined SHA256_DIGEST_LENGTH
+#define MAX_DIGEST_LEN SHA256_DIGEST_LENGTH
+#elif defined SHA_DIGEST_LENGTH
+#define MAX_DIGEST_LEN SHA_DIGEST_LENGTH
+#else
 #define MAX_DIGEST_LEN MD5_DIGEST_LEN
+#endif

 #define CSUM_CHUNK 64

+#define CSUM_gone -1
 #define CSUM_NONE 0
 #define CSUM_MD4_ARCHAIC 1
 #define CSUM_MD4_BUSTED 2
@@ -15,3 +32,6 @@
 #define CSUM_XXH64 6
 #define CSUM_XXH3_64 7
 #define CSUM_XXH3_128 8
+#define CSUM_SHA1 9
+#define CSUM_SHA256 10
+#define CSUM_SHA512 11
--- a/lib/md5.c
+++ b/lib/md5.c
@@ -20,7 +20,6 @@

 #include "rsync.h"

-#if !defined USE_OPENSSL || USE_MD5_ASM /* { */
 void md5_begin(md_context *ctx)
 {
 	ctx->A = 0x67452301;
@@ -198,7 +197,7 @@ void md5_update(md_context *ctx, const uchar *input, uint32 length)
 		memcpy(ctx->buffer + left, input, length);
 }

-static uchar md5_padding[CSUM_CHUNK] = { 0x80 };
+static const uchar md5_padding[CSUM_CHUNK] = { 0x80 };

 void md5_result(md_context *ctx, uchar digest[MD5_DIGEST_LEN])
 {
@@ -224,7 +223,6 @@ void md5_result(md_context *ctx, uchar digest[MD5_DIGEST_LEN])
 	SIVALu(digest, 8, ctx->C);
 	SIVALu(digest, 12, ctx->D);
 }
-#endif /* } */

 #ifdef TEST_MD5 /* { */

--- a/lib/mdigest.h
+++ b/lib/mdigest.h
@@ -1,8 +1,8 @@
 /* The include file for both the MD4 and MD5 routines. */

 #ifdef USE_OPENSSL
-#include "openssl/md4.h"
-#include "openssl/md5.h"
+#include <openssl/sha.h>
+#include <openssl/evp.h>
 #endif
 #include "md-defines.h"

@@ -17,14 +17,6 @@ void mdfour_begin(md_context *md);
 void mdfour_update(md_context *md, const uchar *in, uint32 length);
 void mdfour_result(md_context *md, uchar digest[MD4_DIGEST_LEN]);

-#if defined USE_OPENSSL && !defined USE_MD5_ASM
-#define md5_context MD5_CTX
-#define md5_begin MD5_Init
-#define md5_update MD5_Update
-#define md5_result(cptr, digest) MD5_Final(digest, cptr)
-#else
-#define md5_context md_context
 void md5_begin(md_context *ctx);
 void md5_update(md_context *ctx, const uchar *input, uint32 length);
 void md5_result(md_context *ctx, uchar digest[MD5_DIGEST_LEN]);
-#endif
--- a/lib/pool_alloc.c
+++ b/lib/pool_alloc.c
@@ -9,7 +9,7 @@ struct alloc_pool
 	size_t			size;		/* extent size		*/
 	size_t			quantum;	/* allocation quantum	*/
 	struct pool_extent	*extents;	/* top extent is "live" */
-	void			(*bomb)();	/* called if malloc fails */
+	void			(*bomb)(const char*, const char*, int);	/* called if malloc fails */
 	int			flags;

 	/* statistical data */
@@ -42,6 +42,7 @@ struct align_test {
 /* Temporarily cast a void* var into a char* var when adding an offset (to
 * keep some compilers from complaining about the pointer arithmetic). */
 #define PTR_ADD(b,o)	( (void*) ((char*)(b) + (o)) )
+#define PTR_SUB(b,o)	( (void*) ((char*)(b) - (o)) )

 alloc_pool_t
 pool_create(size_t size, size_t quantum, void (*bomb)(const char*, const char*, int), int flags)
@@ -100,7 +101,7 @@ pool_destroy(alloc_pool_t p)
 	for (cur = pool->extents; cur; cur = next) {
 		next = cur->next;
 		if (pool->flags & POOL_PREPEND)
-			free(PTR_ADD(cur->start, -sizeof (struct pool_extent)));
+			free(PTR_SUB(cur->start, sizeof (struct pool_extent)));
 		else {
 			free(cur->start);
 			free(cur);
@@ -235,7 +236,7 @@ pool_free(alloc_pool_t p, size_t len, void *addr)
 		if (cur->free + cur->bound >= pool->size) {
 			prev->next = cur->next;
 			if (pool->flags & POOL_PREPEND)
-				free(PTR_ADD(cur->start, -sizeof (struct pool_extent)));
+				free(PTR_SUB(cur->start, sizeof (struct pool_extent)));
 			else {
 				free(cur->start);
 				free(cur);
@@ -292,7 +293,7 @@ pool_free_old(alloc_pool_t p, void *addr)
 	while ((cur = next) != NULL) {
 		next = cur->next;
 		if (pool->flags & POOL_PREPEND)
-			free(PTR_ADD(cur->start, -sizeof (struct pool_extent)));
+			free(PTR_SUB(cur->start, sizeof (struct pool_extent)));
 		else {
 			free(cur->start);
 			free(cur);
--- a/lib/sysacls.c
+++ b/lib/sysacls.c
@@ -2,7 +2,7 @@
 * Unix SMB/CIFS implementation.
 * Based on the Samba ACL support code.
 * Copyright (C) Jeremy Allison 2000.
- * Copyright (C) 2007-2020 Wayne Davison
+ * Copyright (C) 2007-2022 Wayne Davison
 *
 * The permission functions have been changed to get/set all bits via
 * one call.  Some functions that rsync doesn't need were also removed.
@@ -175,7 +175,7 @@ int sys_acl_delete_def_file(const char *name)
 	return acl_delete_def_file(name);
 }

-int sys_acl_free_acl(SMB_ACL_T the_acl) 
+int sys_acl_free_acl(SMB_ACL_T the_acl)
 {
 	return acl_free(the_acl);
 }
@@ -185,7 +185,7 @@ int sys_acl_free_acl(SMB_ACL_T the_acl)
 * The interface to DEC/Compaq Tru64 UNIX ACLs
 * is based on Draft 13 of the POSIX spec which is
 * slightly different from the Draft 16 interface.
- * 
+ *
 * Also, some of the permset manipulation functions
 * such as acl_clear_perm() and acl_add_perm() appear
 * to be broken on Tru64 so we have to manipulate
@@ -310,7 +310,7 @@ int sys_acl_delete_def_file(const char *name)
 	return acl_delete_def_file((char *)name);
 }

-int sys_acl_free_acl(SMB_ACL_T the_acl) 
+int sys_acl_free_acl(SMB_ACL_T the_acl)
 {
 	return acl_free(the_acl);
 }
@@ -457,7 +457,7 @@ SMB_ACL_T sys_acl_get_file(const char *path_p, SMB_ACL_TYPE_T type)
 			break;
 	}
 	ndefault = count - naccess;
-	
+
 	/*
 	 * if the caller wants the default ACL we have to copy
 	 * the entries down to the start of the acl[] buffer
@@ -517,7 +517,7 @@ SMB_ACL_T sys_acl_get_fd(int fd)
 		if (acl_d->acl[naccess].a_type & ACL_DEFAULT)
 			break;
 	}
-	
+
 	acl_d->count = naccess;

 	return acl_d;
@@ -532,7 +532,7 @@ int sys_acl_get_info(SMB_ACL_ENTRY_T entry, SMB_ACL_TAG_T *tag_type_p, uint32 *b

 	if (*tag_type_p == SMB_ACL_USER || *tag_type_p == SMB_ACL_GROUP)
 		*u_g_id_p = entry->a_id;
-	
+
 	return 0;
 }

@@ -633,7 +633,7 @@ static int acl_sort(SMB_ACL_T acl_d)
 	}
 	return 0;
 }
- 
+
 int sys_acl_valid(SMB_ACL_T acl_d)
 {
 	return acl_sort(acl_d);
@@ -755,11 +755,11 @@ int sys_acl_delete_def_file(const char *path)
 	ret = acl(path, SETACL, acl_d->count, acl_d->acl);

 	sys_acl_free_acl(acl_d);
-	
+
 	return ret;
 }

-int sys_acl_free_acl(SMB_ACL_T acl_d) 
+int sys_acl_free_acl(SMB_ACL_T acl_d)
 {
 	SAFE_FREE(acl_d);
 	return 0;
@@ -895,10 +895,10 @@ SMB_ACL_T sys_acl_get_file(const char *path_p, SMB_ACL_TYPE_T type)
 	int		ndefault;	/* # of default ACL entries	*/

 	if (hpux_acl_call_presence() == False) {
-		/* Looks like we don't have the acl() system call on HPUX. 
+		/* Looks like we don't have the acl() system call on HPUX.
 		 * May be the system doesn't have the latest version of JFS.
 		 */
-		return NULL; 
+		return NULL;
 	}

 	if (type != SMB_ACL_TYPE_ACCESS && type != SMB_ACL_TYPE_DEFAULT) {
@@ -949,7 +949,7 @@ SMB_ACL_T sys_acl_get_file(const char *path_p, SMB_ACL_TYPE_T type)
 			break;
 	}
 	ndefault = count - naccess;
-	
+
 	/*
 	 * if the caller wants the default ACL we have to copy
 	 * the entries down to the start of the acl[] buffer
@@ -1109,9 +1109,9 @@ struct hpux_acl_types {
 * aclp           - Array of ACL structures.
 * acl_type_count - Pointer to acl_types structure. Should already be
 *                  allocated.
- * Output: 
+ * Output:
 *
- * acl_type_count - This structure is filled up with counts of various 
+ * acl_type_count - This structure is filled up with counts of various
 *                  acl types.
 */

@@ -1123,28 +1123,28 @@ static void hpux_count_obj(int acl_count, struct acl *aclp, struct hpux_acl_type

 	for (i = 0; i < acl_count; i++) {
 		switch (aclp[i].a_type) {
-		case USER: 
+		case USER:
 			acl_type_count->n_user++;
 			break;
-		case USER_OBJ: 
+		case USER_OBJ:
 			acl_type_count->n_user_obj++;
 			break;
-		case DEF_USER_OBJ: 
+		case DEF_USER_OBJ:
 			acl_type_count->n_def_user_obj++;
 			break;
-		case GROUP: 
+		case GROUP:
 			acl_type_count->n_group++;
 			break;
-		case GROUP_OBJ: 
+		case GROUP_OBJ:
 			acl_type_count->n_group_obj++;
 			break;
-		case DEF_GROUP_OBJ: 
+		case DEF_GROUP_OBJ:
 			acl_type_count->n_def_group_obj++;
 			break;
-		case OTHER_OBJ: 
+		case OTHER_OBJ:
 			acl_type_count->n_other_obj++;
 			break;
-		case DEF_OTHER_OBJ: 
+		case DEF_OTHER_OBJ:
 			acl_type_count->n_def_other_obj++;
 			break;
 		case CLASS_OBJ:
@@ -1159,14 +1159,14 @@ static void hpux_count_obj(int acl_count, struct acl *aclp, struct hpux_acl_type
 		case DEF_GROUP:
 			acl_type_count->n_def_group++;
 			break;
-		default: 
+		default:
 			acl_type_count->n_illegal_obj++;
 			break;
 		}
 	}
 }

-/* swap_acl_entries:  Swaps two ACL entries. 
+/* swap_acl_entries:  Swaps two ACL entries.
 *
 * Inputs: aclp0, aclp1 - ACL entries to be swapped.
 */
@@ -1189,25 +1189,25 @@ static void hpux_swap_acl_entries(struct acl *aclp0, struct acl *aclp1)
 }

 /* prohibited_duplicate_type
- * Identifies if given ACL type can have duplicate entries or 
+ * Identifies if given ACL type can have duplicate entries or
 * not.
 *
 * Inputs: acl_type - ACL Type.
 *
- * Outputs: 
+ * Outputs:
 *
- * Return.. 
+ * Return..
 *
 * True - If the ACL type matches any of the prohibited types.
 * False - If the ACL type doesn't match any of the prohibited types.
- */ 
+ */

 static BOOL hpux_prohibited_duplicate_type(int acl_type)
 {
 	switch (acl_type) {
 	case USER:
 	case GROUP:
-	case DEF_USER: 
+	case DEF_USER:
 	case DEF_GROUP:
 		return True;
 	default:
@@ -1217,7 +1217,7 @@ static BOOL hpux_prohibited_duplicate_type(int acl_type)

 /* get_needed_class_perm
 * Returns the permissions of a ACL structure only if the ACL
- * type matches one of the pre-determined types for computing 
+ * type matches one of the pre-determined types for computing
 * CLASS_OBJ permissions.
 *
 * Inputs: aclp - Pointer to ACL structure.
@@ -1226,17 +1226,17 @@ static BOOL hpux_prohibited_duplicate_type(int acl_type)
 static int hpux_get_needed_class_perm(struct acl *aclp)
 {
 	switch (aclp->a_type) {
-	case USER: 
-	case GROUP_OBJ: 
-	case GROUP: 
-	case DEF_USER_OBJ: 
+	case USER:
+	case GROUP_OBJ:
+	case GROUP:
+	case DEF_USER_OBJ:
 	case DEF_USER:
-	case DEF_GROUP_OBJ: 
+	case DEF_GROUP_OBJ:
 	case DEF_GROUP:
 	case DEF_CLASS_OBJ:
-	case DEF_OTHER_OBJ: 
+	case DEF_OTHER_OBJ:
 		return aclp->a_perm;
-	default: 
+	default:
 		return 0;
 	}
 }
@@ -1267,15 +1267,15 @@ static int hpux_acl_sort(int acl_count, int calclass, struct acl *aclp)
 #if !defined(HAVE_HPUX_ACLSORT)
 	/*
 	 * The aclsort() system call is available on the latest HPUX General
-	 * Patch Bundles. So for HPUX, we developed our version of acl_sort 
-	 * function. Because, we don't want to update to a new 
+	 * Patch Bundles. So for HPUX, we developed our version of acl_sort
+	 * function. Because, we don't want to update to a new
 	 * HPUX GR bundle just for aclsort() call.
 	 */

 	struct hpux_acl_types acl_obj_count;
 	int n_class_obj_perm = 0;
 	int i, j;
- 
+
 	if (!acl_count) {
 		DEBUG(10, ("Zero acl count passed. Returning Success\n"));
 		return 0;
@@ -1290,8 +1290,8 @@ static int hpux_acl_sort(int acl_count, int calclass, struct acl *aclp)

 	hpux_count_obj(acl_count, aclp, &acl_obj_count);

-	/* There should be only one entry each of type USER_OBJ, GROUP_OBJ, 
-	 * CLASS_OBJ and OTHER_OBJ 
+	/* There should be only one entry each of type USER_OBJ, GROUP_OBJ,
+	 * CLASS_OBJ and OTHER_OBJ
 	 */

 	if (acl_obj_count.n_user_obj != 1
@@ -1313,15 +1313,15 @@ or DEF_USER_OBJ or DEF_GROUP_OBJ or DEF_OTHER_OBJ\n"));
 		return -1;
 	}

-	/* We now have proper number of OBJ and DEF_OBJ entries. Now sort the acl 
-	 * structures.  
+	/* We now have proper number of OBJ and DEF_OBJ entries. Now sort the acl
+	 * structures.
 	 *
 	 * Sorting crieteria - First sort by ACL type. If there are multiple entries of
 	 * same ACL type, sort by ACL id.
 	 *
-	 * I am using the trivial kind of sorting method here because, performance isn't 
+	 * I am using the trivial kind of sorting method here because, performance isn't
 	 * really effected by the ACLs feature. More over there aren't going to be more
-	 * than 17 entries on HPUX. 
+	 * than 17 entries on HPUX.
 	 */

 	for (i = 0; i < acl_count; i++) {
@@ -1390,7 +1390,7 @@ static int acl_sort(SMB_ACL_T acl_d)
 	}
 	return 0;
 }
- 
+
 int sys_acl_valid(SMB_ACL_T acl_d)
 {
 	return acl_sort(acl_d);
@@ -1405,11 +1405,11 @@ int sys_acl_set_file(const char *name, SMB_ACL_TYPE_T type, SMB_ACL_T acl_d)
 	int		ret;

 	if (hpux_acl_call_presence() == False) {
-		/* Looks like we don't have the acl() system call on HPUX. 
+		/* Looks like we don't have the acl() system call on HPUX.
 		 * May be the system doesn't have the latest version of JFS.
 		 */
 		errno=ENOSYS;
-		return -1; 
+		return -1;
 	}

 	if (type != SMB_ACL_TYPE_ACCESS && type != SMB_ACL_TYPE_DEFAULT) {
@@ -1538,11 +1538,11 @@ int sys_acl_delete_def_file(const char *path)
 	ret = acl(path, ACL_SET, acl_d->count, acl_d->acl);

 	sys_acl_free_acl(acl_d);
-	
+
 	return ret;
 }

-int sys_acl_free_acl(SMB_ACL_T acl_d) 
+int sys_acl_free_acl(SMB_ACL_T acl_d)
 {
 	free(acl_d);
 	return 0;
@@ -1723,7 +1723,7 @@ int sys_acl_delete_def_file(const char *name)
 	return acl_delete_def_file(name);
 }

-int sys_acl_free_acl(SMB_ACL_T acl_d) 
+int sys_acl_free_acl(SMB_ACL_T acl_d)
 {
 	if (acl_d->freeaclp) {
 		acl_free(acl_d->aclp);
@@ -1834,12 +1834,12 @@ SMB_ACL_T sys_acl_get_file(const char *path_p, SMB_ACL_TYPE_T type)
 	}

 	/* Get the acl using statacl */
- 
+
 	DEBUG(10, ("Entering sys_acl_get_file\n"));
 	DEBUG(10, ("path_p is %s\n", path_p));

 	file_acl = (struct acl *)SMB_MALLOC(BUFSIZ);
- 
+
 	if (file_acl == NULL) {
 		errno=ENOMEM;
 		DEBUG(0, ("Error in AIX sys_acl_get_file: %d\n", errno));
@@ -1931,9 +1931,9 @@ SMB_ACL_T sys_acl_get_file(const char *path_p, SMB_ACL_TYPE_T type)
 			 * to be specified but, it's better than leaving it 0 */

 			acl_entry_link->entryp->ace_type = acl_entry->ace_type;
- 
+
 			acl_entry_link->entryp->ace_access = acl_entry->ace_access;
- 
+
 			memcpy(acl_entry_link->entryp->ace_id, idp, sizeof (struct ace_id));

 			/* The access in the acl entries must be left shifted by *
@@ -1962,7 +1962,7 @@ SMB_ACL_T sys_acl_get_file(const char *path_p, SMB_ACL_TYPE_T type)

 			DEBUG(10, ("acl_entry = %d\n", acl_entry));
 			DEBUG(10, ("The ace_type is %d\n", acl_entry->ace_type));
- 
+
 			acl_entry = acl_nxt(acl_entry);
 		}
 	} /* end of if enabled */
@@ -2014,12 +2014,12 @@ SMB_ACL_T sys_acl_get_file(const char *path_p, SMB_ACL_TYPE_T type)
 			new_acl_entry->ace_access = file_acl->o_access << 6;
 			idp->id_type = SMB_ACL_OTHER;
 			break;
- 
+
 		case 1:
 			new_acl_entry->ace_access = file_acl->u_access << 6;
 			idp->id_type = SMB_ACL_USER_OBJ;
 			break;
- 
+
 		default:
 			return NULL;

@@ -2048,7 +2048,7 @@ SMB_ACL_T sys_acl_get_fd(int fd)
 	int rc = 0;

 	/* Get the acl using fstatacl */
-   
+
 	DEBUG(10, ("Entering sys_acl_get_fd\n"));
 	DEBUG(10, ("fd is %d\n", fd));
 	file_acl = (struct acl *)SMB_MALLOC(BUFSIZ);
@@ -2095,12 +2095,12 @@ SMB_ACL_T sys_acl_get_fd(int fd)

 	DEBUG(10, ("acl_entry is %d\n", acl_entry));
 	DEBUG(10, ("acl_last(file_acl) id %d\n", acl_last(file_acl)));
- 
+
 	/* Check if the extended acl bit is on.   *
 	 * If it isn't, do not show the           *
 	 * contents of the acl since AIX intends  *
 	 * the extended info to remain unused     */
- 
+
 	if (file_acl->acl_mode & S_IXACL){
 		/* while we are not pointing to the very end */
 		while (acl_entry < acl_last(file_acl)) {
@@ -2115,7 +2115,7 @@ SMB_ACL_T sys_acl_get_fd(int fd)
 			}

 			idp = acl_entry->ace_id;
- 
+
 			/* Check if this is the first entry in the linked list. *
 			 * The first entry needs to keep prevp pointing to NULL *
 			 * and already has entryp allocated.                 */
@@ -2177,7 +2177,7 @@ SMB_ACL_T sys_acl_get_fd(int fd)

 			DEBUG(10, ("acl_entry = %d\n", acl_entry));
 			DEBUG(10, ("The ace_type is %d\n", acl_entry->ace_type));
- 
+
 			acl_entry = acl_nxt(acl_entry);
 		}
 	} /* end of if enabled */
@@ -2210,43 +2210,43 @@ SMB_ACL_T sys_acl_get_fd(int fd)
 		}

 		acl_entry_link->nextp = NULL;
- 
+
 		new_acl_entry = acl_entry_link->entryp;
 		idp = new_acl_entry->ace_id;
- 
+
 		new_acl_entry->ace_len = sizeof (struct acl_entry);
 		new_acl_entry->ace_type = ACC_PERMIT;
 		idp->id_len = sizeof (struct ace_id);
 		DEBUG(10, ("idp->id_len = %d\n", idp->id_len));
 		memset(idp->id_data, 0, sizeof (uid_t));
- 
+
 		switch (i) {
 		case 2:
 			new_acl_entry->ace_access = file_acl->g_access << 6;
 			idp->id_type = SMB_ACL_GROUP_OBJ;
 			break;
- 
+
 		case 3:
 			new_acl_entry->ace_access = file_acl->o_access << 6;
 			idp->id_type = SMB_ACL_OTHER;
 			break;
- 
+
 		case 1:
 			new_acl_entry->ace_access = file_acl->u_access << 6;
 			idp->id_type = SMB_ACL_USER_OBJ;
 			break;
- 
+
 		default:
 			return NULL;
 		}
- 
+
 		acl_entry_link_head->count++;
 		DEBUG(10, ("new_acl_entry->ace_access = %d\n", new_acl_entry->ace_access));
 	}

 	acl_entry_link_head->count = 0;
 	SAFE_FREE(file_acl);
- 
+
 	return acl_entry_link_head;
 }
 #endif
@@ -2274,7 +2274,7 @@ int sys_acl_get_info(SMB_ACL_ENTRY_T entry, SMB_ACL_TAG_T *tag_type_p, uint32 *b
 SMB_ACL_T sys_acl_init(int count)
 {
 	struct acl_entry_link *theacl = NULL;
- 
+
 	if (count < 0) {
 		errno = EINVAL;
 		return NULL;
@@ -2383,9 +2383,9 @@ int sys_acl_valid(SMB_ACL_T theacl)
 	}

 	DEBUG(10, ("user_obj=%d, group_obj=%d, other_obj=%d\n", user_obj, group_obj, other_obj));
- 
+
 	if (user_obj != 1 || group_obj != 1 || other_obj != 1)
-		return -1; 
+		return -1;

 	return 0;
 }
@@ -2404,7 +2404,7 @@ int sys_acl_set_file(const char *name, SMB_ACL_TYPE_T acltype, SMB_ACL_T theacl)

 	DEBUG(10, ("Entering sys_acl_set_file\n"));
 	DEBUG(10, ("File name is %s\n", name));
- 
+
 	/* AIX has no default ACL */
 	if (acltype == SMB_ACL_TYPE_DEFAULT)
 		return 0;
@@ -2449,7 +2449,7 @@ int sys_acl_set_file(const char *name, SMB_ACL_TYPE_T acltype, SMB_ACL_T theacl)
 				errno = ENOMEM;
 				DEBUG(0, ("Error in sys_acl_set_file is %d\n", errno));
 				return -1;
-			}  
+			}

 			memcpy(file_acl_temp, file_acl, file_acl->acl_len);
 			SAFE_FREE(file_acl);
@@ -2460,15 +2460,15 @@ int sys_acl_set_file(const char *name, SMB_ACL_TYPE_T acltype, SMB_ACL_T theacl)
 		file_acl->acl_len += sizeof (struct acl_entry);
 		acl_entry->ace_len = acl_entry_link->entryp->ace_len;
 		acl_entry->ace_access = acl_entry_link->entryp->ace_access;
- 
+
 		/* In order to use this, we'll need to wait until we can get denies */
 		/* if (!acl_entry->ace_access && acl_entry->ace_type == ACC_PERMIT)
 			acl_entry->ace_type = ACC_SPECIFY; */

 		acl_entry->ace_type = ACC_SPECIFY;
- 
+
 		ace_id = acl_entry->ace_id;
- 
+
 		ace_id->id_type = acl_entry_link->entryp->ace_id->id_type;
 		DEBUG(10, ("The id type is %d\n", ace_id->id_type));
 		ace_id->id_len = acl_entry_link->entryp->ace_id->id_len;
@@ -2496,7 +2496,7 @@ int sys_acl_set_fd(int fd, SMB_ACL_T theacl)
 	uint user_id;
 	uint acl_length;
 	uint rc;
- 
+
 	DEBUG(10, ("Entering sys_acl_set_fd\n"));
 	acl_length = BUFSIZ;
 	file_acl = (struct acl *)SMB_MALLOC(BUFSIZ);
@@ -2508,7 +2508,7 @@ int sys_acl_set_fd(int fd, SMB_ACL_T theacl)
 	}

 	memset(file_acl, 0, BUFSIZ);
- 
+
 	file_acl->acl_len = ACL_SIZ;
 	file_acl->acl_mode = S_IXACL;

@@ -2550,22 +2550,22 @@ int sys_acl_set_fd(int fd, SMB_ACL_T theacl)
 		file_acl->acl_len += sizeof (struct acl_entry);
 		acl_entry->ace_len = acl_entry_link->entryp->ace_len;
 		acl_entry->ace_access = acl_entry_link->entryp->ace_access;
- 
+
 		/* In order to use this, we'll need to wait until we can get denies */
 		/* if (!acl_entry->ace_access && acl_entry->ace_type == ACC_PERMIT)
 			acl_entry->ace_type = ACC_SPECIFY; */
- 
+
 		acl_entry->ace_type = ACC_SPECIFY;
- 
+
 		ace_id = acl_entry->ace_id;
- 
+
 		ace_id->id_type = acl_entry_link->entryp->ace_id->id_type;
 		DEBUG(10, ("The id type is %d\n", ace_id->id_type));
 		ace_id->id_len = acl_entry_link->entryp->ace_id->id_len;
 		memcpy(&user_id, acl_entry_link->entryp->ace_id->id_data, sizeof (uid_t));
 		memcpy(ace_id->id_data, &user_id, sizeof (uid_t));
 	}
- 
+
 	rc = fchacl(fd, file_acl, file_acl->acl_len);
 	DEBUG(10, ("errno is %d\n", errno));
 	DEBUG(10, ("return code is %d\n", rc));
@@ -2594,7 +2594,7 @@ int sys_acl_free_acl(SMB_ACL_T posix_acl)
 	SAFE_FREE(acl_entry_link->prevp);
 	SAFE_FREE(acl_entry_link->entryp);
 	SAFE_FREE(acl_entry_link);
- 
+
 	return 0;
 }

--- a/lib/sysacls.h
+++ b/lib/sysacls.h
@@ -3,7 +3,7 @@
 * Version 2.2.x
 * Portable SMB ACL interface
 * Copyright (C) Jeremy Allison 2000
- * Copyright (C) 2007-2020 Wayne Davison
+ * Copyright (C) 2007-2022 Wayne Davison
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -232,7 +232,7 @@ struct new_acl_entry{

 #define SMB_ACL_ENTRY_T		struct new_acl_entry*
 #define SMB_ACL_T		struct acl_entry_link*
- 
+
 #define SMB_ACL_TAG_T		unsigned short
 #define SMB_ACL_TYPE_T		int

--- a/lib/sysxattrs.c
+++ b/lib/sysxattrs.c
@@ -126,9 +126,18 @@ ssize_t sys_llistxattr(const char *path, char *list, size_t size)
 	unsigned char keylen;
 	ssize_t off, len = extattr_list_link(path, EXTATTR_NAMESPACE_USER, list, size);

-	if (len <= 0 || (size_t)len > size)
+	if (len <= 0 || size == 0)
 		return len;

+	if ((size_t)len >= size) {
+		/* FreeBSD extattr_list_xx() returns 'size' as 'len' in case there are                                                              
+                   more data available, truncating the output, we solve this by signalling                                                          
+                   ERANGE in case len == size so that the code in xattrs.c will retry with                                                          
+                   a bigger buffer */
+		errno = ERANGE;
+		return -1;
+	}
+
 	/* FreeBSD puts a single-byte length before each string, with no '\0'
 	 * terminator.  We need to change this into a series of null-terminted
 	 * strings.  Since the size is the same, we can simply transform the
@@ -136,7 +145,7 @@ ssize_t sys_llistxattr(const char *path, char *list, size_t size)
 	for (off = 0; off < len; off += keylen + 1) {
 		keylen = ((unsigned char*)list)[off];
 		if (off + keylen >= len) {
-			/* Should be impossible, but kernel bugs happen! */
+			/* Should be impossible, but bugs happen! */
 			errno = EINVAL;
 			return -1;
 		}
--- a/loadparm.c
+++ b/loadparm.c
@@ -65,7 +65,7 @@ typedef enum {

 struct enum_list {
 	int value;
-	char *name;
+	const char *name;
 };

 struct parm_struct {
@@ -73,7 +73,7 @@ struct parm_struct {
 	parm_type type;
 	parm_class class;
 	void *ptr;
-	struct enum_list *enum_list;
+	const struct enum_list *enum_list;
 	unsigned flags;
 };

@@ -95,7 +95,7 @@ static item_list section_list = EMPTY_ITEM_LIST;
 static int iSectionIndex = -1;
 static BOOL bInGlobalSection = True;

-static struct enum_list enum_syslog_facility[] = {
+static const struct enum_list enum_syslog_facility[] = {
 #ifdef LOG_AUTH
 	{ LOG_AUTH, "auth" },
 #endif
@@ -178,7 +178,7 @@ static char *expand_vars(const char *str)

 	for (t = buf, f = str; bufsize && *f; ) {
 		if (*f == '%' && isUpper(f+1)) {
-			char *percent = strchr(f+1, '%');
+			const char *percent = strchr(f+1, '%');
 			if (percent && percent - f < bufsize) {
 				char *val;
 				strlcpy(t, f+1, percent - f);
--- a/log.c
+++ b/log.c
@@ -36,8 +36,6 @@ extern int protocol_version;
 extern int always_checksum;
 extern int preserve_mtimes;
 extern int msgs2stderr;
-extern int xfersum_type;
-extern int checksum_type;
 extern int stdout_format_has_i;
 extern int stdout_format_has_o_or_i;
 extern int logfile_format_has_i;
@@ -62,6 +60,8 @@ extern unsigned int module_dirlen;
 extern char sender_file_sum[MAX_DIGEST_LEN];
 extern const char undetermined_hostname[];

+extern struct name_num_item *xfer_sum_nni, *file_sum_nni;
+
 static int log_initialised;
 static int logfile_was_closed;
 static FILE *logfile_fp;
@@ -456,11 +456,17 @@ void rsyserr(enum logcode code, int errcode, const char *format, ...)
 	char buf[BIGPATHBUFLEN];
 	size_t len;

+	/* snprintf returns the would-have-been length on truncation, so
+	 * each cumulative call must be guarded; if not, sizeof buf - len
+	 * can underflow when promoted to size_t and the next call writes
+	 * past the buffer. */
 	len = snprintf(buf, sizeof buf, RSYNC_NAME ": [%s] ", who_am_i());

-	va_start(ap, format);
-	len += vsnprintf(buf + len, sizeof buf - len, format, ap);
-	va_end(ap);
+	if (len < sizeof buf) {
+		va_start(ap, format);
+		len += vsnprintf(buf + len, sizeof buf - len, format, ap);
+		va_end(ap);
+	}

 	if (len < sizeof buf) {
 		len += snprintf(buf + len, sizeof buf - len,
@@ -680,12 +686,12 @@ static void log_formatted(enum logcode code, const char *format, const char *op,
 			n = NULL;
 			if (S_ISREG(file->mode)) {
 				if (always_checksum)
-					n = sum_as_hex(checksum_type, F_SUM(file), 1);
+					n = sum_as_hex(file_sum_nni->num, F_SUM(file), 1);
 				else if (iflags & ITEM_TRANSFER)
-					n = sum_as_hex(xfersum_type, sender_file_sum, 0);
+					n = sum_as_hex(xfer_sum_nni->num, sender_file_sum, 0);
 			}
 			if (!n) {
-				int sum_len = csum_len_for_type(always_checksum ? checksum_type : xfersum_type,
+				int sum_len = csum_len_for_type(always_checksum ? file_sum_nni->num : xfer_sum_nni->num,
 								always_checksum);
 				memset(buf2, ' ', sum_len*2);
 				buf2[sum_len*2] = '\0';
--- a/m4/have_type.m4
+++ b/m4/have_type.m4
@@ -1,6 +1,5 @@
 dnl AC_HAVE_TYPE(TYPE,INCLUDES)
 AC_DEFUN([AC_HAVE_TYPE], [
-AC_REQUIRE([AC_HEADER_STDC])
 cv=`echo "$1" | sed 'y%./+- %__p__%'`
 AC_MSG_CHECKING(for $1)
 AC_CACHE_VAL([ac_cv_type_$cv],
--- a/main.c
+++ b/main.c
@@ -66,7 +66,7 @@ extern int protect_args;
 extern int relative_paths;
 extern int sanitize_paths;
 extern int curr_dir_depth;
-extern int curr_dir_len;
+extern unsigned int curr_dir_len;
 extern int module_id;
 extern int rsync_port;
 extern int whole_file;
@@ -90,6 +90,7 @@ extern int basis_dir_cnt;
 extern int default_af_hint;
 extern int stdout_format_has_i;
 extern int trust_sender_filter;
+extern int trust_sender_args;
 extern struct stats stats;
 extern char *stdout_format;
 extern char *logfile_format;
@@ -238,11 +239,11 @@ void write_del_stats(int f)

 void read_del_stats(int f)
 {
-	stats.deleted_files = read_varint(f);
-	stats.deleted_files += stats.deleted_dirs = read_varint(f);
-	stats.deleted_files += stats.deleted_symlinks = read_varint(f);
-	stats.deleted_files += stats.deleted_devices = read_varint(f);
-	stats.deleted_files += stats.deleted_specials = read_varint(f);
+	stats.deleted_files = read_varint_bounded(f, 0, MAX_WIRE_DEL_STAT, "deleted_files");
+	stats.deleted_files += stats.deleted_dirs = read_varint_bounded(f, 0, MAX_WIRE_DEL_STAT, "deleted_dirs");
+	stats.deleted_files += stats.deleted_symlinks = read_varint_bounded(f, 0, MAX_WIRE_DEL_STAT, "deleted_symlinks");
+	stats.deleted_files += stats.deleted_devices = read_varint_bounded(f, 0, MAX_WIRE_DEL_STAT, "deleted_devices");
+	stats.deleted_files += stats.deleted_specials = read_varint_bounded(f, 0, MAX_WIRE_DEL_STAT, "deleted_specials");
 }

 static void become_copy_as_user()
@@ -385,7 +386,7 @@ static void handle_stats(int f)

 static void output_itemized_counts(const char *prefix, int *counts)
 {
-	static char *labels[] = { "reg", "dir", "link", "dev", "special" };
+	static char *const labels[] = { "reg", "dir", "link", "dev", "special" };
 	char buf[1024], *pre = " (";
 	int j, len = 0;
 	int total = counts[0];
@@ -393,9 +394,18 @@ static void output_itemized_counts(const char *prefix, int *counts)
 		counts[0] -= counts[1] + counts[2] + counts[3] + counts[4];
 		for (j = 0; j < 5; j++) {
 			if (counts[j]) {
+				/* snprintf can return more than its size arg
+				 * on truncation; keep len <= sizeof buf - 2 so
+				 * the closing ')' and trailing NUL always
+				 * have room and the next iteration's
+				 * sizeof buf - len - 2 cannot underflow. */
+				if (len >= (int)sizeof buf - 2)
+					break;
 				len += snprintf(buf+len, sizeof buf - len - 2,
 					"%s%s: %s",
 					pre, labels[j], comma_num(counts[j]));
+				if (len > (int)sizeof buf - 2)
+					len = (int)sizeof buf - 2;
 				pre = ", ";
 			}
 		}
@@ -636,7 +646,6 @@ static pid_t do_cmd(char *cmd, char *machine, char *user, char **remote_argv, in
 #ifdef ICONV_CONST
 		setup_iconv();
 #endif
-		trust_sender_filter = 1;
 	} else if (local_server) {
 		/* If the user didn't request --[no-]whole-file, force
 		 * it on, but only if we're not batch processing. */
@@ -662,6 +671,16 @@ static pid_t do_cmd(char *cmd, char *machine, char *user, char **remote_argv, in
 	return pid;
 }

+/* Older versions turn an empty string as a reference to the current directory.
+ * We now treat this as an error unless --old-args was used. */
+static char *dot_dir_or_error()
+{
+	if (old_style_args || am_server)
+		return ".";
+	rprintf(FERROR, "Empty destination arg specified (use \".\" or see --old-args).\n");
+	exit_cleanup(RERR_SYNTAX);
+}
+
 /* The receiving side operates in one of two modes:
 *
 * 1. it receives any number of files into a destination directory,
@@ -689,9 +708,8 @@ static char *get_local_name(struct file_list *flist, char *dest_path)
 	if (!dest_path || list_only)
 		return NULL;

-	/* Treat an empty string as a copy into the current directory. */
 	if (!*dest_path)
-		dest_path = ".";
+		dest_path = dot_dir_or_error();

 	if (daemon_filter_list.head) {
 		char *slash = strrchr(dest_path, '/');
@@ -1374,15 +1392,6 @@ int client_run(int f_in, int f_out, pid_t pid, int argc, char *argv[])
 	return MAX(exit_code, exit_code2);
 }

-static void dup_argv(char *argv[])
-{
-	int i;
-
-	for (i = 0; argv[i]; i++)
-		argv[i] = strdup(argv[i]);
-}
-
-
 /* Start a client for either type of remote connection.  Work out
 * whether the arguments request a remote shell or rsyncd connection,
 * and call the appropriate connection function, then run_client.
@@ -1398,10 +1407,6 @@ static int start_client(int argc, char *argv[])
 	int ret;
 	pid_t pid;

-	/* Don't clobber argv[] so that ps(1) can still show the right
-	 * command line. */
-	dup_argv(argv);
-
 	if (!read_batch) { /* for read_batch, NO source is specified */
 		char *path = check_for_hostspec(argv[0], &shell_machine, &rsync_port);
 		if (path) { /* source is remote */
@@ -1434,6 +1439,8 @@ static int start_client(int argc, char *argv[])

 			if (argc > 1) {
 				p = argv[--argc];
+				if (!*p)
+					p = dot_dir_or_error();
 				remote_argv = argv + argc;
 			} else {
 				static char *dotarg[1] = { "." };
@@ -1475,8 +1482,10 @@ static int start_client(int argc, char *argv[])
 	}

 	/* A local transfer doesn't unbackslash anything, so leave the args alone. */
-	if (local_server)
+	if (local_server) {
 		old_style_args = 2;
+		trust_sender_args = trust_sender_filter = 1;
+	}

 	if (!rsync_port && remote_argc && !**remote_argv) /* Turn an empty arg into a dot dir. */
 		*remote_argv = ".";
@@ -1504,7 +1513,7 @@ static int start_client(int argc, char *argv[])
 		int dummy_port = rsync_port;
 		int i;
 		if (filesfrom_fd < 0)
-			add_implied_include(remote_argv[0]);
+			add_implied_include(remote_argv[0], daemon_connection);
 		/* For remote source, any extra source args must have either
 		 * the same hostname or an empty hostname. */
 		for (i = 1; i < remote_argc; i++) {
@@ -1528,7 +1537,7 @@ static int start_client(int argc, char *argv[])
 			if (!rsync_port && !*arg) /* Turn an empty arg into a dot dir. */
 				arg = ".";
 			remote_argv[i] = arg;
-			add_implied_include(arg);
+			add_implied_include(arg, daemon_connection);
 		}
 	}

@@ -1559,6 +1568,10 @@ static int start_client(int argc, char *argv[])
 			shell_user = shell_machine;
 			shell_machine = p+1;
 		}
+		if (*shell_machine == '-') {
+			rprintf(FERROR, "Invalid remote host: hostnames may not start with '-'.\n");
+			exit_cleanup(RERR_SYNTAX);
+		}
 	}

 	if (DEBUG_GTE(CMD, 2)) {
@@ -1605,6 +1618,11 @@ static void sigusr2_handler(UNUSED(int val))
 	if (!am_server)
 		output_summary();
 	close_all();
+#ifdef GCOV_COVERAGE
+	/* The receiver child is killed here via SIGUSR2 and exits with _exit(),
+	 * bypassing the gcov atexit flush; without this it writes no .gcda. */
+	{ extern void __gcov_dump(void); __gcov_dump(); }
+#endif
 	if (got_xfer_error)
 		_exit(RERR_PARTIAL);
 	_exit(0);
@@ -1743,7 +1761,20 @@ int main(int argc,char *argv[])
 	our_gid = MY_GID();
 	am_root = our_uid == ROOT_UID;

-	unset_env_var("DISPLAY");
+	// DISPLAY should not be emptied unconditionally
+	if (!getenv("SSH_ASKPASS"))
+		unset_env_var("DISPLAY");
+
+#if defined USE_OPENSSL && defined SET_OPENSSL_CONF
+#define TO_STR2(x) #x
+#define TO_STR(x) TO_STR2(x)
+	/* ./configure --with-openssl-conf=/etc/ssl/openssl-rsync.cnf
+	 * defines SET_OPENSSL_CONF as that unquoted pathname. */
+	if (!getenv("OPENSSL_CONF")) /* Don't override it if it's already set. */
+		set_env_str("OPENSSL_CONF", TO_STR(SET_OPENSSL_CONF));
+#undef TO_STR
+#undef TO_STR2
+#endif

 	memset(&stats, 0, sizeof(stats));

--- a/match.c
+++ b/match.c
@@ -3,7 +3,7 @@
 *
 * Copyright (C) 1996 Andrew Tridgell
 * Copyright (C) 1996 Paul Mackerras
- * Copyright (C) 2003-2020 Wayne Davison
+ * Copyright (C) 2003-2023 Wayne Davison
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -24,7 +24,9 @@

 extern int checksum_seed;
 extern int append_mode;
-extern int xfersum_type;
+
+extern struct name_num_item *xfer_sum_nni;
+extern int xfer_sum_len;

 int updating_basis_file;
 char sender_file_sum[MAX_DIGEST_LEN];
@@ -140,11 +142,14 @@ static void hash_search(int f,struct sum_struct *s,
 {
 	OFF_T offset, aligned_offset, end;
 	int32 k, want_i, aligned_i, backup;
-	char sum2[SUM_LENGTH];
+	char sum2[MAX_DIGEST_LEN];
 	uint32 s1, s2, sum;
 	int more;
 	schar *map;

+	// prevent possible memory leaks
+	memset(sum2, 0, sizeof sum2);
+
 	/* want_i is used to encourage adjacent matches, allowing the RLL
 	 * coding of the output to work more efficiently. */
 	want_i = 0;
@@ -230,7 +235,7 @@ static void hash_search(int f,struct sum_struct *s,
 				done_csum2 = 1;
 			}

-			if (memcmp(sum2,s->sums[i].sum2,s->s2length) != 0) {
+			if (memcmp(sum2, sum2_at(s, i), s->s2length) != 0) {
 				false_alarms++;
 				continue;
 			}
@@ -250,7 +255,7 @@ static void hash_search(int f,struct sum_struct *s,
 					if (i != aligned_i) {
 						if (sum != s->sums[aligned_i].sum1
 						 || l != s->sums[aligned_i].len
-						 || memcmp(sum2, s->sums[aligned_i].sum2, s->s2length) != 0)
+						 || memcmp(sum2, sum2_at(s, aligned_i), s->s2length) != 0)
 							goto check_want_i;
 						i = aligned_i;
 					}
@@ -269,7 +274,7 @@ static void hash_search(int f,struct sum_struct *s,
 						if (sum != s->sums[i].sum1)
 							goto check_want_i;
 						get_checksum2((char *)map, l, sum2);
-						if (memcmp(sum2, s->sums[i].sum2, s->s2length) != 0)
+						if (memcmp(sum2, sum2_at(s, i), s->s2length) != 0)
 							goto check_want_i;
 						/* OK, we have a re-alignment match.  Bump the offset
 						 * forward to the new match point. */
@@ -288,7 +293,7 @@ static void hash_search(int f,struct sum_struct *s,
 			 && (!updating_basis_file || s->sums[want_i].offset >= offset
 			  || s->sums[want_i].flags & SUMFLG_SAME_OFFSET)
 			 && sum == s->sums[want_i].sum1
-			 && memcmp(sum2, s->sums[want_i].sum2, s->s2length) == 0) {
+			 && memcmp(sum2, sum2_at(s, want_i), s->s2length) == 0) {
 				/* we've found an adjacent match - the RLL coder
 				 * will be happy */
 				i = want_i;
@@ -356,15 +361,13 @@ static void hash_search(int f,struct sum_struct *s,
 **/
 void match_sums(int f, struct sum_struct *s, struct map_struct *buf, OFF_T len)
 {
-	int sum_len;
-
 	last_match = 0;
 	false_alarms = 0;
 	hash_hits = 0;
 	matches = 0;
 	data_transfer = 0;

-	sum_init(xfersum_type, checksum_seed);
+	sum_init(xfer_sum_nni, checksum_seed);

 	if (append_mode > 0) {
 		if (append_mode == 2) {
@@ -405,22 +408,22 @@ void match_sums(int f, struct sum_struct *s, struct map_struct *buf, OFF_T len)
 		matched(f, s, buf, len, -1);
 	}

-	sum_len = sum_end(sender_file_sum);
+	sum_end(sender_file_sum);

 	/* If we had a read error, send a bad checksum.  We use all bits
 	 * off as long as the checksum doesn't happen to be that, in
 	 * which case we turn the last 0 bit into a 1. */
 	if (buf && buf->status != 0) {
 		int i;
-		for (i = 0; i < sum_len && sender_file_sum[i] == 0; i++) {}
-		memset(sender_file_sum, 0, sum_len);
-		if (i == sum_len)
+		for (i = 0; i < xfer_sum_len && sender_file_sum[i] == 0; i++) {}
+		memset(sender_file_sum, 0, xfer_sum_len);
+		if (i == xfer_sum_len)
 			sender_file_sum[i-1]++;
 	}

 	if (DEBUG_GTE(DELTASUM, 2))
 		rprintf(FINFO,"sending file_sum\n");
-	write_buf(f, sender_file_sum, sum_len);
+	write_buf(f, sender_file_sum, xfer_sum_len);

 	if (DEBUG_GTE(DELTASUM, 2)) {
 		rprintf(FINFO, "false_alarms=%d hash_hits=%d matches=%d\n",
--- a/9
+++ b/9
@@ -8,6 +8,7 @@ fi
 inname="$1"
 srcdir=`dirname "$0"`
 flagfile="$srcdir/.md2man-works"
+force_flagfile="$srcdir/.md2man-force"

 if [ ! -f "$flagfile" ]; then
    # We test our smallest manpage just to see if the python setup works.
@@ -32,4 +33,10 @@ if [ ! -f "$flagfile" ]; then
    fi
 fi

-"$srcdir/md-convert" "$srcdir/$inname"
+if [ -f "$force_flagfile" ]; then
+    opt='--force-link-text'
+else
+    opt=''
+fi
+
+"$srcdir/md-convert" $opt "$srcdir/$inname"
--- a/47
+++ b/47
@@ -120,6 +120,7 @@ TZ_RE = re.compile(r'^#define\s+MAINTAINER_TZ_OFFSET\s+(-?\d+(\.\d+)?)', re.M)
 VAR_REF_RE = re.compile(r'\$\{(\w+)\}')
 VERSION_RE = re.compile(r' (\d[.\d]+)[, ]')
 BIN_CHARS_RE = re.compile(r'[\1-\7]+')
+LONG_OPT_DASH_RE = re.compile(r'(--\w[-\w]+)')
 SPACE_DOUBLE_DASH_RE = re.compile(r'\s--(\s)')
 NON_SPACE_SINGLE_DASH_RE = re.compile(r'(^|\W)-')
 WHITESPACE_RE = re.compile(r'\s')
@@ -247,6 +248,9 @@ def find_man_substitutions():

    env_subs['date'] = time.strftime('%d %b %Y', time.gmtime(mtime + tz_offset)).lstrip('0')

+    if 'SOURCE_DATE_EPOCH' in os.environ:
+        env_subs['date'] = time.strftime('%d %b %Y', time.gmtime(int(os.environ.get('SOURCE_DATE_EPOCH', time.time()))))
+

 def html_via_commonmark(txt):
    return commonmark.HtmlRenderer().render(commonmark.Parser().parse(txt))
@@ -276,7 +280,10 @@ class TransformHtml(HTMLParser):
                bad_hashtags = set(),
                latest_targets = [ ],
                opt_prefix = 'opt',
+                a_href = None,
+                a_href_external = False,
                a_txt_start = None,
+                after_a_tag = False,
                target_suf = '',
                )

@@ -315,6 +322,13 @@ class TransformHtml(HTMLParser):
        for bad in st.referenced_hashtags - st.created_hashtags:
            warn('Unknown hashtag link in', self.fn + ':', '#' + bad)

+    def handle_UE(self):
+        st = self.state
+        if st.txt.startswith(('.', ',', '!', '?', ';', ':')):
+            st.man_out[-1] = ".UE " + st.txt[0] + "\n"
+            st.txt = st.txt[1:]
+        st.after_a_tag = False
+
    def handle_starttag(self, tag, attrs_list):
        st = self.state
        if args.debug:
@@ -387,13 +401,20 @@ class TransformHtml(HTMLParser):
            for var, val in attrs_list:
                if var == 'href':
                    if val.startswith(('https://', 'http://', 'mailto:', 'ftp:')):
-                        pass # nothing to check
+                        if st.after_a_tag:
+                            self.handle_UE()
+                        st.man_out.append(manify(st.txt.strip()) + "\n")
+                        st.man_out.append(".UR " + val + "\n")
+                        st.txt = ''
+                        st.a_href = val
+                        st.a_href_external = True
                    elif '#' in val:
-                        pg, tgt = val.split('#', 2)
+                        pg, tgt = val.split('#', 1)
                        if pg and pg not in VALID_PAGES or '#' in tgt:
                            st.bad_hashtags.add(val)
                        elif tgt in ('', 'opt', 'dopt'):
                            st.a_href = val
+                            st.a_href_external = False
                        elif pg == '':
                            st.referenced_hashtags.add(tgt)
                            if tgt in st.latest_targets:
@@ -409,6 +430,8 @@ class TransformHtml(HTMLParser):
        st = self.state
        if args.debug:
            self.output_debug('END', (tag,))
+        if st.after_a_tag:
+            self.handle_UE()
        if tag in CONSUMES_TXT or st.dt_from == tag:
            txt = st.txt.strip()
            st.txt = ''
@@ -473,12 +496,20 @@ class TransformHtml(HTMLParser):
        elif tag == 'hr':
            return
        elif tag == 'a':
-            if st.a_href:
+            if st.a_href_external:
+                st.txt = st.txt.strip()
+                if args.force_link_text or st.a_href != st.txt:
+                    st.man_out.append(manify(st.txt) + "\n")
+                st.man_out.append(".UE\n") # This might get replaced with a punctuation version in handle_UE()
+                st.after_a_tag = True
+                st.a_href_external = False
+                st.txt = ''
+            elif st.a_href:
                atxt = st.txt[st.a_txt_start:]
                find = 'href="' + st.a_href + '"'
                for j in range(len(st.html_out)-1, 0, -1):
                    if find in st.html_out[j]:
-                        pg, tgt = st.a_href.split('#', 2)
+                        pg, tgt = st.a_href.split('#', 1)
                        derived = txt2target(atxt, tgt)
                        if pg == '':
                            if derived in st.latest_targets:
@@ -513,6 +544,7 @@ class TransformHtml(HTMLParser):
        if st.in_pre:
            html = htmlify(txt)
        else:
+            txt = LONG_OPT_DASH_RE.sub(lambda x: x.group(1).replace('-', NBR_DASH[0]), txt)
            txt = SPACE_DOUBLE_DASH_RE.sub(NBR_SPACE[0] + r'--\1', txt).replace('--', NBR_DASH[0]*2)
            txt = NON_SPACE_SINGLE_DASH_RE.sub(r'\1' + NBR_DASH[0], txt)
            html = htmlify(txt)
@@ -609,12 +641,13 @@ def die(*msg):


 if __name__ == '__main__':
-    parser = argparse.ArgumentParser(description="Output html and (optionally) nroff for markdown pages.", add_help=False)
+    parser = argparse.ArgumentParser(description="Convert markdown into html and (optionally) nroff. Each input filename must have a .md suffix, which is changed to .html for the output filename. If the input filename ends with .num.md (e.g. foo.1.md) then a nroff file is also output with the input filename's .md suffix removed (e.g. foo.1).", add_help=False)
    parser.add_argument('--test', action='store_true', help="Just test the parsing without outputting any files.")
-    parser.add_argument('--dest', metavar='DIR', help="Put files into DIR instead of the current directory.")
+    parser.add_argument('--dest', metavar='DIR', help="Create files in DIR instead of the current directory.")
+    parser.add_argument('--force-link-text', action='store_true', help="Don't remove the link text if it matches the link href. Useful when nroff doesn't understand .UR and .UE.")
    parser.add_argument('--debug', '-D', action='count', default=0, help='Output copious info on the html parsing. Repeat for even more.')
    parser.add_argument("--help", "-h", action="help", help="Output this help message and exit.")
-    parser.add_argument("mdfiles", nargs='+', help="The source .md files to convert.")
+    parser.add_argument("mdfiles", metavar='FILE.md', nargs='+', help="One or more .md files to convert.")
    args = parser.parse_args()

    try:
--- a/12
+++ b/12
@@ -1,14 +1,16 @@
 #!/bin/sh

 srcdir=`dirname $0`
-gitver=`git describe --abbrev=8 2>/dev/null`

 if [ ! -f git-version.h ]; then
    touch git-version.h
 fi

-case "$gitver" in
-    *.*)
+if test -d "$srcdir/.git" || test -f "$srcdir/.git"; then
+    gitver=`git describe --abbrev=8 2>/dev/null`
+    # NOTE: I'm avoiding "|" in sed since I'm not sure if sed -r is portable and "\|" fails on some OSes.
+    verchk=`echo "$gitver-" | sed -n '/^v3\.[0-9][0-9]*\.[0-9][0-9]*\(pre[0-9]*\)*-/p'`
+    if [ -n "$verchk" ]; then
 	echo "#define RSYNC_GITVER \"$gitver\"" >git-version.h.new
 	if ! diff git-version.h.new git-version.h >/dev/null; then
 	    echo "Updating git-version.h"
@@ -16,5 +18,5 @@ case "$gitver" in
 	else
 	    rm git-version.h.new
 	fi
-	;;
-esac
+    fi
+fi
--- a/options.c
+++ b/options.c
@@ -3,7 +3,7 @@
 *
 * Copyright (C) 1998-2001 Andrew Tridgell <tridge@samba.org>
 * Copyright (C) 2000, 2001, 2002 Martin Pool <mbp@samba.org>
- * Copyright (C) 2002-2022 Wayne Davison
+ * Copyright (C) 2002-2023 Wayne Davison
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -27,6 +27,8 @@
 extern int module_id;
 extern int local_server;
 extern int sanitize_paths;
+extern int trust_sender_args;
+extern int trust_sender_filter;
 extern unsigned int module_dirlen;
 extern filter_rule_list filter_list;
 extern filter_rule_list daemon_filter_list;
@@ -64,6 +66,7 @@ int preserve_atimes = 0;
 int preserve_crtimes = 0;
 int omit_dir_times = 0;
 int omit_link_times = 0;
+int trust_sender = 0;
 int update_only = 0;
 int open_noatime = 0;
 int cvs_exclude = 0;
@@ -83,6 +86,7 @@ int sparse_files = 0;
 int preallocate_files = 0;
 int do_compression = 0;
 int do_compression_level = CLVL_NOT_SPECIFIED;
+int do_compression_threads = 0; /*n = 0 use rsync thread, n >= 1 spawn n threads for compression */
 int am_root = 0; /* 0 = normal, 1 = root, 2 = --super, -1 = --fake-super */
 int am_server = 0;
 int am_sender = 0;
@@ -110,11 +114,20 @@ int mkpath_dest_arg = 0;
 int allow_inc_recurse = 1;
 int xfer_dirs = -1;
 int am_daemon = 0;
+/* Set after a successful per-module chroot ("use chroot = yes") in
+ * clientserver.c. NOT set for the daemon-level "daemon chroot = /X"
+ * chroot: that confines path resolution to /X, but module paths
+ * /X/modA, /X/modB, etc. are not chroot boundaries, so the per-module
+ * symlink-race defenses (secure_relative_open() / do_*_at() in
+ * syscall.c, gated by `am_daemon && !am_chrooted`) must still fire
+ * even when the daemon is inside a daemon chroot. */
+int am_chrooted = 0;
 int connect_timeout = 0;
 int keep_partial = 0;
 int safe_symlinks = 0;
 int copy_unsafe_links = 0;
 int munge_symlinks = 0;
+int use_secure_symlinks = 0;
 int size_only = 0;
 int daemon_bwlimit = 0;
 int bwlimit = 0;
@@ -197,6 +210,7 @@ int remote_option_cnt = 0;
 const char **remote_options = NULL;
 const char *checksum_choice = NULL;
 const char *compress_choice = NULL;
+static const char *empty_argv[1];

 int quiet = 0;
 int output_motd = 1;
@@ -221,7 +235,7 @@ char *iconv_opt =

 struct chmod_mode_struct *chmod_modes = NULL;

-static const char *debug_verbosity[] = {
+static const char *const debug_verbosity[] = {
 	/*0*/ NULL,
 	/*1*/ NULL,
 	/*2*/ "BIND,CMD,CONNECT,DEL,DELTASUM,DUP,FILTER,FLIST,ICONV",
@@ -232,7 +246,7 @@ static const char *debug_verbosity[] = {

 #define MAX_VERBOSITY ((int)(sizeof debug_verbosity / sizeof debug_verbosity[0]) - 1)

-static const char *info_verbosity[1+MAX_VERBOSITY] = {
+static const char *const info_verbosity[1+MAX_VERBOSITY] = {
 	/*0*/ "NONREG",
 	/*1*/ "COPY,DEL,FLIST,MISC,NAME,STATS,SYMSAFE",
 	/*2*/ "BACKUP,MISC2,MOUNT,NAME2,REMOVE,SKIP",
@@ -470,7 +484,7 @@ static void parse_output_words(struct output_struct *words, short *levels, const
 static void output_item_help(struct output_struct *words)
 {
 	short *levels = words == info_words ? info_levels : debug_levels;
-	const char **verbosity = words == info_words ? info_verbosity : debug_verbosity;
+	const char *const*verbosity = words == info_words ? info_verbosity : debug_verbosity;
 	char buf[128], *opt, *fmt = "%-10s %s\n";
 	int j;

@@ -752,6 +766,8 @@ static struct poptOption long_options[] = {
  {"skip-compress",    0,  POPT_ARG_STRING, &skip_compress, 0, 0, 0 },
  {"compress-level",   0,  POPT_ARG_INT,    &do_compression_level, 0, 0, 0 },
  {"zl",               0,  POPT_ARG_INT,    &do_compression_level, 0, 0, 0 },
+  {"compress-threads", 0,  POPT_ARG_INT,    &do_compression_threads, 0, 0, 0 },
+  {"zt",               0,  POPT_ARG_INT,    &do_compression_threads, 0, 0, 0 },
  {0,                 'P', POPT_ARG_NONE,   0, 'P', 0, 0 },
  {"progress",         0,  POPT_ARG_VAL,    &do_progress, 1, 0, 0 },
  {"no-progress",      0,  POPT_ARG_VAL,    &do_progress, 0, 0, 0 },
@@ -785,9 +801,12 @@ static struct poptOption long_options[] = {
  {"no-from0",         0,  POPT_ARG_VAL,    &eol_nulls, 0, 0, 0},
  {"old-args",         0,  POPT_ARG_NONE,   0, OPT_OLD_ARGS, 0, 0},
  {"no-old-args",      0,  POPT_ARG_VAL,    &old_style_args, 0, 0, 0},
-  {"protect-args",    's', POPT_ARG_VAL,    &protect_args, 1, 0, 0},
+  {"secluded-args",   's', POPT_ARG_VAL,    &protect_args, 1, 0, 0},
+  {"no-secluded-args", 0,  POPT_ARG_VAL,    &protect_args, 0, 0, 0},
+  {"protect-args",     0,  POPT_ARG_VAL,    &protect_args, 1, 0, 0},
  {"no-protect-args",  0,  POPT_ARG_VAL,    &protect_args, 0, 0, 0},
  {"no-s",             0,  POPT_ARG_VAL,    &protect_args, 0, 0, 0},
+  {"trust-sender",     0,  POPT_ARG_VAL,    &trust_sender, 1, 0, 0},
  {"numeric-ids",      0,  POPT_ARG_VAL,    &numeric_ids, 1, 0, 0 },
  {"no-numeric-ids",   0,  POPT_ARG_VAL,    &numeric_ids, 0, 0, 0 },
  {"usermap",          0,  POPT_ARG_STRING, 0, OPT_USERMAP, 0, 0 },
@@ -837,7 +856,7 @@ static struct poptOption long_options[] = {
  {0,0,0,0, 0, 0, 0}
 };

-static struct poptOption long_daemon_options[] = {
+static const struct poptOption long_daemon_options[] = {
  /* longName, shortName, argInfo, argPtr, value, descrip, argDesc */
  {"address",          0,  POPT_ARG_STRING, &bind_address, 0, 0, 0 },
  {"bwlimit",          0,  POPT_ARG_INT,    &daemon_bwlimit, 0, 0, 0 },
@@ -946,7 +965,7 @@ static void set_refuse_options(void)
 		if (!am_daemon
 		 || op->shortName == 'e' /* Required for compatibility flags */
 		 || op->shortName == '0' /* --from0 just modifies --files-from, so refuse that instead (or not) */
-		 || op->shortName == 's' /* --protect-args is always OK */
+		 || op->shortName == 's' /* --secluded-args is always OK */
 		 || op->shortName == 'n' /* --dry-run is always OK */
 		 || strcmp("iconv", longName) == 0
 		 || strcmp("no-iconv", longName) == 0
@@ -1149,7 +1168,7 @@ static time_t parse_time(const char *arg)
 {
 	const char *cp;
 	time_t val, now = time(NULL);
-	struct tm t, *today = localtime(&now);
+	struct tm t, tmp, *today = localtime_r(&now, &tmp);
 	int in_date, old_mday, n;

 	memset(&t, 0, sizeof t);
@@ -1341,7 +1360,7 @@ char *alt_dest_opt(int type)
 **/
 int parse_arguments(int *argc_p, const char ***argv_p)
 {
-	static poptContext pc;
+	poptContext pc;
 	const char *arg, **argv = *argv_p;
 	int argc = *argc_p;
 	int opt, want_dest_type;
@@ -1361,11 +1380,11 @@ int parse_arguments(int *argc_p, const char ***argv_p)

 	/* TODO: Call poptReadDefaultConfig; handle errors. */

-	/* The context leaks in case of an error, but if there's a
-	 * problem we always exit anyhow. */
-	if (pc)
-		poptFreeContext(pc);
 	pc = poptGetContext(RSYNC_NAME, argc, argv, long_options, 0);
+	if (pc == NULL) {
+		strlcpy(err_buf, "poptGetContext returned NULL\n", sizeof err_buf);
+		return 0;
+	}
 	if (!am_server) {
 		poptReadDefaultConfig(pc, 0);
 		popt_unalias(pc, "--daemon");
@@ -1407,7 +1426,7 @@ int parse_arguments(int *argc_p, const char ***argv_p)
 				strlcpy(err_buf,
 					"Attempt to hack rsync thwarted!\n",
 					sizeof err_buf);
-				return 0;
+				goto cleanup;
 			}
 #ifdef ICONV_OPTION
 			iconv_opt = NULL;
@@ -1453,7 +1472,7 @@ int parse_arguments(int *argc_p, const char ***argv_p)
 			if (tmpdir && strlen(tmpdir) >= MAXPATHLEN - 10) {
 				snprintf(err_buf, sizeof err_buf,
 					 "the --temp-dir path is WAY too long.\n");
-				return 0;
+				goto cleanup;
 			}

 			if (!daemon_opt) {
@@ -1463,8 +1482,16 @@ int parse_arguments(int *argc_p, const char ***argv_p)
 				exit_cleanup(RERR_SYNTAX);
 			}

-			*argv_p = argv = poptGetArgs(pc);
-			*argc_p = argc = count_args(argv);
+			argv = poptGetArgs(pc);
+			argc = count_args(argv);
+			if (!argc) {
+				*argv_p = empty_argv;
+				*argc_p = 0;
+			} else if (poptDupArgv(argc, argv, argc_p, argv_p) != 0)
+				out_of_memory("parse_arguments");
+			argv = *argv_p;
+			poptFreeContext(pc);
+
 			am_starting_up = 0;
 			daemon_opt = 0;
 			am_daemon = 1;
@@ -1519,7 +1546,7 @@ int parse_arguments(int *argc_p, const char ***argv_p)
 		case 'a':
 			if (refused_archive_part) {
 				create_refuse_error(refused_archive_part);
-				return 0;
+				goto cleanup;
 			}
 			if (!recurse) /* preserve recurse == 2 */
 				recurse = 1;
@@ -1589,7 +1616,7 @@ int parse_arguments(int *argc_p, const char ***argv_p)
 		case 'P':
 			if (refused_partial || refused_progress) {
 				create_refuse_error(refused_partial ? refused_partial : refused_progress);
-				return 0;
+				goto cleanup;
 			}
 			do_progress = 1;
 			keep_partial = 1;
@@ -1624,7 +1651,7 @@ int parse_arguments(int *argc_p, const char ***argv_p)
 			if (*arg != '-') {
 				snprintf(err_buf, sizeof err_buf,
 					"Remote option must start with a dash: %s\n", arg);
-				return 0;
+				goto cleanup;
 			}
 			if (remote_option_cnt+2 >= remote_option_alloc) {
 				remote_option_alloc += 16;
@@ -1666,27 +1693,27 @@ int parse_arguments(int *argc_p, const char ***argv_p)
 			ssize_t size;
 			arg = poptGetOptArg(pc);
 			if ((size = parse_size_arg(arg, 'b', "block-size", 0, max_blength, False)) < 0)
-				return 0;
+				goto cleanup;
 			block_size = (int32)size;
 			break;
 		}

 		case OPT_MAX_SIZE:
 			if ((max_size = parse_size_arg(max_size_arg, 'b', "max-size", 0, -1, False)) < 0)
-				return 0;
+				goto cleanup;
 			max_size_arg = strdup(do_big_num(max_size, 0, NULL));
 			break;

 		case OPT_MIN_SIZE:
 			if ((min_size = parse_size_arg(min_size_arg, 'b', "min-size", 0, -1, False)) < 0)
-				return 0;
+				goto cleanup;
 			min_size_arg = strdup(do_big_num(min_size, 0, NULL));
 			break;

 		case OPT_BWLIMIT: {
 			ssize_t size = parse_size_arg(bwlimit_arg, 'K', "bwlimit", 512, -1, True);
 			if (size < 0)
-				return 0;
+				goto cleanup;
 			bwlimit_arg = strdup(do_big_num(size, 0, NULL));
 			bwlimit = (size + 512) / 1024;
 			break;
@@ -1715,7 +1742,7 @@ int parse_arguments(int *argc_p, const char ***argv_p)
 				snprintf(err_buf, sizeof err_buf,
 					"ERROR: the %s option conflicts with the %s option\n",
 					alt_dest_opt(want_dest_type), alt_dest_opt(0));
-				return 0;
+				goto cleanup;
 			}
 			alt_dest_type = want_dest_type;

@@ -1723,7 +1750,7 @@ int parse_arguments(int *argc_p, const char ***argv_p)
 				snprintf(err_buf, sizeof err_buf,
 					"ERROR: at most %d %s args may be specified\n",
 					MAX_BASIS_DIRS, alt_dest_opt(0));
-				return 0;
+				goto cleanup;
 			}
 			/* We defer sanitizing this arg until we know what
 			 * our destination directory is going to be. */
@@ -1736,7 +1763,7 @@ int parse_arguments(int *argc_p, const char ***argv_p)
 				snprintf(err_buf, sizeof err_buf,
 					"Invalid argument passed to --chmod (%s)\n",
 					arg);
-				return 0;
+				goto cleanup;
 			}
 			break;

@@ -1755,11 +1782,11 @@ int parse_arguments(int *argc_p, const char ***argv_p)
 				if (usermap_via_chown) {
 					snprintf(err_buf, sizeof err_buf,
 						"--usermap conflicts with prior --chown.\n");
-					return 0;
+					goto cleanup;
 				}
 				snprintf(err_buf, sizeof err_buf,
 					"You can only specify --usermap once.\n");
-				return 0;
+				goto cleanup;
 			}
 			usermap = (char *)poptGetOptArg(pc);
 			usermap_via_chown = False;
@@ -1771,11 +1798,11 @@ int parse_arguments(int *argc_p, const char ***argv_p)
 				if (groupmap_via_chown) {
 					snprintf(err_buf, sizeof err_buf,
 						"--groupmap conflicts with prior --chown.\n");
-					return 0;
+					goto cleanup;
 				}
 				snprintf(err_buf, sizeof err_buf,
 					"You can only specify --groupmap once.\n");
-				return 0;
+				goto cleanup;
 			}
 			groupmap = (char *)poptGetOptArg(pc);
 			groupmap_via_chown = False;
@@ -1794,11 +1821,11 @@ int parse_arguments(int *argc_p, const char ***argv_p)
 					if (!usermap_via_chown) {
 						snprintf(err_buf, sizeof err_buf,
 							"--chown conflicts with prior --usermap.\n");
-						return 0;
+						goto cleanup;
 					}
 					snprintf(err_buf, sizeof err_buf,
 						"You can only specify a user-affecting --chown once.\n");
-					return 0;
+					goto cleanup;
 				}
 				if (asprintf(&usermap, "*:%.*s", len, chown) < 0)
 					out_of_memory("parse_arguments");
@@ -1810,11 +1837,11 @@ int parse_arguments(int *argc_p, const char ***argv_p)
 					if (!groupmap_via_chown) {
 						snprintf(err_buf, sizeof err_buf,
 							"--chown conflicts with prior --groupmap.\n");
-						return 0;
+						goto cleanup;
 					}
 					snprintf(err_buf, sizeof err_buf,
 						"You can only specify a group-affecting --chown once.\n");
-					return 0;
+					goto cleanup;
 				}
 				if (asprintf(&groupmap, "*:%s", arg) < 0)
 					out_of_memory("parse_arguments");
@@ -1842,7 +1869,7 @@ int parse_arguments(int *argc_p, const char ***argv_p)
 			snprintf(err_buf,sizeof(err_buf),
 				 "ACLs are not supported on this %s\n",
 				 am_server ? "server" : "client");
-			return 0;
+			goto cleanup;
 #endif

 		case 'X':
@@ -1853,7 +1880,7 @@ int parse_arguments(int *argc_p, const char ***argv_p)
 			snprintf(err_buf,sizeof(err_buf),
 				 "extended attributes are not supported on this %s\n",
 				 am_server ? "server" : "client");
-			return 0;
+			goto cleanup;
 #endif

 		case OPT_STOP_AFTER: {
@@ -1862,7 +1889,7 @@ int parse_arguments(int *argc_p, const char ***argv_p)
 			stop_at_utime = time(NULL);
 			if ((val = atol(arg) * 60) <= 0 || LONG_MAX - val < stop_at_utime || (long)(time_t)val != val) {
 				snprintf(err_buf, sizeof err_buf, "invalid --stop-after value: %s\n", arg);
-				return 0;
+				goto cleanup;
 			}
 			stop_at_utime += val;
 			break;
@@ -1873,11 +1900,11 @@ int parse_arguments(int *argc_p, const char ***argv_p)
 			arg = poptGetOptArg(pc);
 			if ((stop_at_utime = parse_time(arg)) == (time_t)-1) {
 				snprintf(err_buf, sizeof err_buf, "invalid --stop-at format: %s\n", arg);
-				return 0;
+				goto cleanup;
 			}
 			if (stop_at_utime <= time(NULL)) {
 				snprintf(err_buf, sizeof err_buf, "--stop-at time is not in the future: %s\n", arg);
-				return 0;
+				goto cleanup;
 			}
 			break;
 #endif
@@ -1895,7 +1922,7 @@ int parse_arguments(int *argc_p, const char ***argv_p)
 			else {
 				snprintf(err_buf, sizeof err_buf,
 					"--stderr mode \"%s\" is not one of errors, all, or client\n", arg);
-				return 0;
+				goto cleanup;
 			}
 			saw_stderr_opt = 1;
 			break;
@@ -1906,13 +1933,13 @@ int parse_arguments(int *argc_p, const char ***argv_p)
 			 * turned this option off. */
 			if (opt >= OPT_REFUSED_BASE) {
 				create_refuse_error(opt);
-				return 0;
+				goto cleanup;
 			}
 			snprintf(err_buf, sizeof err_buf, "%s%s: %s\n",
 				 am_server ? "on remote machine: " : "",
 				 poptBadOption(pc, POPT_BADOPTION_NOALIAS),
 				 poptStrerror(opt));
-			return 0;
+			goto cleanup;
 		}
 	}

@@ -1920,7 +1947,7 @@ int parse_arguments(int *argc_p, const char ***argv_p)
 		saw_stderr_opt = 1;

 	if (version_opt_cnt) {
-		print_rsync_version(FINFO);
+		print_rsync_version(version_opt_cnt > 1 && !am_server ? FNONE : FINFO);
 		exit_cleanup(0);
 	}

@@ -1932,9 +1959,11 @@ int parse_arguments(int *argc_p, const char ***argv_p)
 	if (max_alloc_arg) {
 		ssize_t size = parse_size_arg(max_alloc_arg, 'B', "max-alloc", 1024*1024, -1, True);
 		if (size < 0)
-			return 0;
+			goto cleanup;
 		max_alloc = size;
 	}
+	if (!max_alloc)
+		max_alloc = SIZE_MAX;

 	if (old_style_args < 0) {
 		if (!am_server && protect_args <= 0 && (arg = getenv("RSYNC_OLD_ARGS")) != NULL && *arg) {
@@ -1945,8 +1974,8 @@ int parse_arguments(int *argc_p, const char ***argv_p)
 	} else if (old_style_args) {
 		if (protect_args > 0) {
 			snprintf(err_buf, sizeof err_buf,
-				 "--protect-args conflicts with --old-args.\n");
-			return 0;
+				 "--secluded-args conflicts with --old-args.\n");
+			goto cleanup;
 		}
 		protect_args = 0;
 	}
@@ -1957,7 +1986,7 @@ int parse_arguments(int *argc_p, const char ***argv_p)
 		else if ((arg = getenv("RSYNC_PROTECT_ARGS")) != NULL && *arg)
 			protect_args = atoi(arg) ? 1 : 0;
 		else {
-#ifdef RSYNC_USE_PROTECTED_ARGS
+#ifdef RSYNC_USE_SECLUDED_ARGS
 			protect_args = 1;
 #else
 			protect_args = 0;
@@ -1991,8 +2020,10 @@ int parse_arguments(int *argc_p, const char ***argv_p)
 			do_compression = CPRES_AUTO;
 		if (do_compression && refused_compress) {
 			create_refuse_error(refused_compress);
-			return 0;
+			goto cleanup;
 		}
+		if (do_compression_threads < 0)
+			do_compression_threads = 0;
 	}

 #ifdef HAVE_SETVBUF
@@ -2016,7 +2047,7 @@ int parse_arguments(int *argc_p, const char ***argv_p)
 		default:
 			snprintf(err_buf, sizeof err_buf,
 				"Invalid --outbuf setting -- specify N, L, or B.\n");
-			return 0;
+			goto cleanup;
 		}
 		setvbuf(stdout, (char *)NULL, mode, 0);
 	}
@@ -2044,7 +2075,7 @@ int parse_arguments(int *argc_p, const char ***argv_p)
 	}
 	if (refused_no_iconv && !iconv_opt) {
 		create_refuse_error(refused_no_iconv);
-		return 0;
+		goto cleanup;
 	}
 #endif

@@ -2055,18 +2086,30 @@ int parse_arguments(int *argc_p, const char ***argv_p)
 	if (orig_protect_args == 2 && am_server)
 		protect_args = orig_protect_args;

-	if (protect_args == 1 && am_server)
+	if (protect_args == 1 && am_server) {
+		poptFreeContext(pc);
 		return 1;
+	}

-	*argv_p = argv = poptGetArgs(pc);
-	*argc_p = argc = count_args(argv);
+	/* Because popt 1.19 has started to free the returned args data, we now
+	 * make a copy of the array and then do an immediate cleanup. */
+	argv = poptGetArgs(pc);
+	argc = count_args(argv);
+	if (!argc) {
+		*argv_p = empty_argv;
+		*argc_p = 0;
+	} else if (poptDupArgv(argc, argv, argc_p, argv_p) != 0)
+		out_of_memory("parse_arguments");
+	argv = *argv_p;
+	poptFreeContext(pc);
+	pc = NULL;

 #ifndef SUPPORT_LINKS
 	if (preserve_links && !am_sender) {
 		snprintf(err_buf, sizeof err_buf,
 			 "symlinks are not supported on this %s\n",
 			 am_server ? "server" : "client");
-		return 0;
+		goto cleanup;
 	}
 #endif

@@ -2075,7 +2118,7 @@ int parse_arguments(int *argc_p, const char ***argv_p)
 		snprintf(err_buf, sizeof err_buf,
 			 "hard links are not supported on this %s\n",
 			 am_server ? "server" : "client");
-		return 0;
+		goto cleanup;
 	}
 #endif

@@ -2083,20 +2126,20 @@ int parse_arguments(int *argc_p, const char ***argv_p)
 	if (am_root < 0 && preserve_xattrs > 1) {
 		snprintf(err_buf, sizeof err_buf,
 			 "--fake-super conflicts with -XX\n");
-		return 0;
+		goto cleanup;
 	}
 #else
 	if (am_root < 0) {
 		snprintf(err_buf, sizeof err_buf,
 			 "--fake-super requires an rsync with extended attributes enabled\n");
-		return 0;
+		goto cleanup;
 	}
 #endif

 	if (write_batch && read_batch) {
 		snprintf(err_buf, sizeof err_buf,
 			"--write-batch and --read-batch can not be used together\n");
-		return 0;
+		goto cleanup;
 	}
 	if (write_batch > 0 || read_batch) {
 		if (am_server) {
@@ -2115,25 +2158,25 @@ int parse_arguments(int *argc_p, const char ***argv_p)
 	if (read_batch && files_from) {
 		snprintf(err_buf, sizeof err_buf,
 			"--read-batch cannot be used with --files-from\n");
-		return 0;
+		goto cleanup;
 	}
 	if (read_batch && remove_source_files) {
 		snprintf(err_buf, sizeof err_buf,
 			"--read-batch cannot be used with --remove-%s-files\n",
 			remove_source_files == 1 ? "source" : "sent");
-		return 0;
+		goto cleanup;
 	}
 	if (batch_name && strlen(batch_name) > MAX_BATCH_NAME_LEN) {
 		snprintf(err_buf, sizeof err_buf,
 			"the batch-file name must be %d characters or less.\n",
 			MAX_BATCH_NAME_LEN);
-		return 0;
+		goto cleanup;
 	}

 	if (tmpdir && strlen(tmpdir) >= MAXPATHLEN - 10) {
 		snprintf(err_buf, sizeof err_buf,
 			 "the --temp-dir path is WAY too long.\n");
-		return 0;
+		goto cleanup;
 	}

 	if (max_delete < 0 && max_delete != INT_MIN) {
@@ -2167,7 +2210,7 @@ int parse_arguments(int *argc_p, const char ***argv_p)
 	if (delete_before + !!delete_during + delete_after > 1) {
 		snprintf(err_buf, sizeof err_buf,
 			"You may not combine multiple --delete-WHEN options.\n");
-		return 0;
+		goto cleanup;
 	}
 	if (delete_before || delete_during || delete_after)
 		delete_mode = 1;
@@ -2178,7 +2221,7 @@ int parse_arguments(int *argc_p, const char ***argv_p)
 				delete_during = 1;
 			else {
 				create_refuse_error(refused_delete_before);
-				return 0;
+				goto cleanup;
 			}
 		} else if (refused_delete_during)
 			delete_before = 1;
@@ -2187,14 +2230,14 @@ int parse_arguments(int *argc_p, const char ***argv_p)
 	if (!xfer_dirs && delete_mode) {
 		snprintf(err_buf, sizeof err_buf,
 			"--delete does not work without --recursive (-r) or --dirs (-d).\n");
-		return 0;
+		goto cleanup;
 	}

 	if (missing_args == 3) /* simplify if both options were specified */
 		missing_args = 2;
 	if (refused_delete && (delete_mode || missing_args == 2)) {
 		create_refuse_error(refused_delete);
-		return 0;
+		goto cleanup;
 	}

 	if (remove_source_files) {
@@ -2203,7 +2246,7 @@ int parse_arguments(int *argc_p, const char ***argv_p)
 		 * options. */
 		if (refused_delete && am_sender) {
 			create_refuse_error(refused_delete);
-			return 0;
+			goto cleanup;
 		}
 		need_messages_from_generator = 1;
 	}
@@ -2257,7 +2300,7 @@ int parse_arguments(int *argc_p, const char ***argv_p)
 		snprintf(err_buf, sizeof err_buf,
 			"--suffix cannot contain slashes: %s\n",
 			backup_suffix);
-		return 0;
+		goto cleanup;
 	}
 	if (backup_dir) {
 		size_t len;
@@ -2270,7 +2313,7 @@ int parse_arguments(int *argc_p, const char ***argv_p)
 		if (len > sizeof backup_dir_buf - 128) {
 			snprintf(err_buf, sizeof err_buf,
 				"the --backup-dir path is WAY too long.\n");
-			return 0;
+			goto cleanup;
 		}
 		backup_dir_len = (int)len;
 		if (!backup_dir_len) {
@@ -2289,7 +2332,7 @@ int parse_arguments(int *argc_p, const char ***argv_p)
 			"--suffix cannot be empty %s\n", backup_dir_len < 0
 			? "when --backup-dir is the same as the dest dir"
 			: "without a --backup-dir");
-		return 0;
+		goto cleanup;
 	} else if (make_backups && delete_mode && !delete_excluded && !am_server) {
 		snprintf(backup_dir_buf, sizeof backup_dir_buf,
 			"P *%s", backup_suffix);
@@ -2317,7 +2360,7 @@ int parse_arguments(int *argc_p, const char ***argv_p)
 	if (do_progress && !am_server) {
 		if (!log_before_transfer && INFO_EQ(NAME, 0))
 			parse_output_words(info_words, info_levels, "name", DEFAULT_PRIORITY);
-		parse_output_words(info_words, info_levels, "flist2,progress", DEFAULT_PRIORITY);
+		parse_output_words(info_words, info_levels, "FLIST2,PROGRESS", DEFAULT_PRIORITY);
 	}

 	if (dry_run)
@@ -2358,11 +2401,11 @@ int parse_arguments(int *argc_p, const char ***argv_p)
 		if (whole_file > 0) {
 			snprintf(err_buf, sizeof err_buf,
 				 "--append cannot be used with --whole-file\n");
-			return 0;
+			goto cleanup;
 		}
 		if (refused_inplace) {
 			create_refuse_error(refused_inplace);
-			return 0;
+			goto cleanup;
 		}
 		inplace = 1;
 	}
@@ -2370,7 +2413,7 @@ int parse_arguments(int *argc_p, const char ***argv_p)
 	if (write_devices) {
 		if (refused_inplace) {
 			create_refuse_error(refused_inplace);
-			return 0;
+			goto cleanup;
 		}
 		inplace = 1;
 	}
@@ -2385,13 +2428,13 @@ int parse_arguments(int *argc_p, const char ***argv_p)
 				 "--%s cannot be used with --%s\n",
 				 append_mode ? "append" : "inplace",
 				 delay_updates ? "delay-updates" : "partial-dir");
-			return 0;
+			goto cleanup;
 		}
 		/* --inplace implies --partial for refusal purposes, but we
 		 * clear the keep_partial flag for internal logic purposes. */
 		if (refused_partial) {
 			create_refuse_error(refused_partial);
-			return 0;
+			goto cleanup;
 		}
 		keep_partial = 0;
 #else
@@ -2399,7 +2442,7 @@ int parse_arguments(int *argc_p, const char ***argv_p)
 			 "--%s is not supported on this %s\n",
 			 append_mode ? "append" : "inplace",
 			 am_server ? "server" : "client");
-		return 0;
+		goto cleanup;
 #endif
 	} else {
 		if (keep_partial && !partial_dir && !am_server) {
@@ -2413,7 +2456,7 @@ int parse_arguments(int *argc_p, const char ***argv_p)
 				partial_dir = NULL;
 			if (!partial_dir && refused_partial) {
 				create_refuse_error(refused_partial);
-				return 0;
+				goto cleanup;
 			}
 			keep_partial = 1;
 		}
@@ -2434,14 +2477,14 @@ int parse_arguments(int *argc_p, const char ***argv_p)
 			if (am_server) {
 				snprintf(err_buf, sizeof err_buf,
 					"The --files-from sent to the server cannot specify a host.\n");
-				return 0;
+				goto cleanup;
 			}
 			files_from = p;
 			filesfrom_host = h;
 			if (strcmp(files_from, "-") == 0) {
 				snprintf(err_buf, sizeof err_buf,
 					"Invalid --files-from remote filename\n");
-				return 0;
+				goto cleanup;
 			}
 		} else {
 			if (sanitize_paths)
@@ -2460,11 +2503,16 @@ int parse_arguments(int *argc_p, const char ***argv_p)
 				snprintf(err_buf, sizeof err_buf,
 					"failed to open files-from file %s: %s\n",
 					files_from, strerror(errno));
-				return 0;
+				goto cleanup;
 			}
 		}
 	}

+	if (trust_sender || am_server || read_batch)
+		trust_sender_args = trust_sender_filter = 1;
+	else if (old_style_args || filesfrom_host != NULL)
+		trust_sender_args = 1;
+
 	am_starting_up = 0;

 	return 1;
@@ -2472,6 +2520,9 @@ int parse_arguments(int *argc_p, const char ***argv_p)
  options_rejected:
 	snprintf(err_buf, sizeof err_buf,
 		"Your options have been rejected by the server.\n");
+  cleanup:
+	if (pc)
+		poptFreeContext(pc);
 	return 0;
 }

@@ -2487,17 +2538,24 @@ static char SPLIT_ARG_WHEN_OLD[1];
 **/
 char *safe_arg(const char *opt, const char *arg)
 {
-#define SHELL_CHARS "!#$&;|<>(){}\"' \t\\"
+#define SHELL_CHARS "!#$&;|<>(){}\"'` \t\\"
 #define WILD_CHARS  "*?[]" /* We don't allow remote brace expansion */
 	BOOL is_filename_arg = !opt;
 	char *escapes = is_filename_arg ? SHELL_CHARS : WILD_CHARS SHELL_CHARS;
 	BOOL escape_leading_dash = is_filename_arg && *arg == '-';
+	BOOL escape_leading_tilde = 0;
 	int len1 = opt && *opt ? strlen(opt) + 1 : 0;
 	int len2 = strlen(arg);
 	int extras = escape_leading_dash ? 2 : 0;
 	char *ret;
 	if (!protect_args && old_style_args < 2 && (!old_style_args || (!is_filename_arg && opt != SPLIT_ARG_WHEN_OLD))) {
 		const char *f;
+		if (*arg == '~' && is_filename_arg && !am_sender && !trust_sender_args
+		 && ((relative_paths && !strstr(arg, "/./"))
+		  || !strchr(arg, '/'))) {
+			extras++;
+			escape_leading_tilde = 1;
+		}
 		for (f = arg; *f; f++) {
 			if (strchr(escapes, *f))
 				extras++;
@@ -2520,8 +2578,13 @@ char *safe_arg(const char *opt, const char *arg)
 	else {
 		const char *f = arg;
 		char *t = ret + len1;
+		if (escape_leading_tilde)
+			*t++ = '\\';
 		while (*f) {
-			if (strchr(escapes, *f))
+			if (*f == '\\') {
+				if (!is_filename_arg || !strchr(WILD_CHARS, f[1]))
+					*t++ = '\\';
+			} else if (strchr(escapes, *f))
 				*t++ = '\\';
 			*t++ = *f++;
 		}
--- a/packaging/auto-Makefile
+++ b/packaging/auto-Makefile
@@ -1,4 +1,4 @@
-TARGETS := all install install-ssl-daemon install-all install-strip conf gen gensend reconfigure restatus \
+TARGETS := all install install-ssl-daemon install-all install-strip conf gen reconfigure restatus \
 	proto man clean cleantests distclean test check check29 check30 installcheck splint \
 	doxygen doxygen-upload finddead rrsync

--- a/packaging/branch-from-patch
+++ b/packaging/branch-from-patch
@@ -1,174 +0,0 @@
-#!/usr/bin/env -S python3 -B
-
-# This script turns one or more diff files in the patches dir (which is
-# expected to be a checkout of the rsync-patches git repo) into a branch
-# in the main rsync git checkout. This allows the applied patch to be
-# merged with the latest rsync changes and tested.  To update the diff
-# with the resulting changes, see the patch-update script.
-
-import os, sys, re, argparse, glob
-
-sys.path = ['packaging'] + sys.path
-
-from pkglib import *
-
-def main():
-    global created, info, local_branch
-
-    cur_branch, args.base_branch = check_git_state(args.base_branch, not args.skip_check, args.patches_dir)
-
-    local_branch = get_patch_branches(args.base_branch)
-
-    if args.delete_local_branches:
-        for name in sorted(local_branch):
-            branch = f"patch/{args.base_branch}/{name}"
-            cmd_chk(['git', 'branch', '-D', branch])
-        local_branch = set()
-
-    if args.add_missing:
-        for fn in sorted(glob.glob(f"{args.patches_dir}/*.diff")):
-            name = re.sub(r'\.diff$', '', re.sub(r'.+/', '', fn))
-            if name not in local_branch and fn not in args.patch_files:
-                args.patch_files.append(fn)
-
-    if not args.patch_files:
-        return
-
-    for fn in args.patch_files:
-        if not fn.endswith('.diff'):
-            die(f"Filename is not a .diff file: {fn}")
-        if not os.path.isfile(fn):
-            die(f"File not found: {fn}")
-
-    scanned = set()
-    info = { }
-
-    patch_list = [ ]
-    for fn in args.patch_files:
-        m = re.match(r'^(?P<dir>.*?)(?P<name>[^/]+)\.diff$', fn)
-        patch = argparse.Namespace(**m.groupdict())
-        if patch.name in scanned:
-            continue
-        patch.fn = fn
-
-        lines = [ ]
-        commit_hash = None
-        with open(patch.fn, 'r', encoding='utf-8') as fh:
-            for line in fh:
-                m = re.match(r'^based-on: (\S+)', line)
-                if m:
-                    commit_hash = m[1]
-                    break
-                if (re.match(r'^index .*\.\..* \d', line)
-                 or re.match(r'^diff --git ', line)
-                 or re.match(r'^--- (old|a)/', line)):
-                    break
-                lines.append(re.sub(r'\s*\Z', "\n", line, 1))
-        info_txt = ''.join(lines).strip() + "\n"
-        lines = None
-
-        parent = args.base_branch
-        patches = re.findall(r'patch -p1 <%s/(\S+)\.diff' % args.patches_dir, info_txt)
-        if patches:
-            last = patches.pop()
-            if last != patch.name:
-                warn(f"No identity patch line in {patch.fn}")
-                patches.append(last)
-            if patches:
-                parent = patches.pop()
-                if parent not in scanned:
-                    diff_fn = patch.dir + parent + '.diff'
-                    if not os.path.isfile(diff_fn):
-                        die(f"Failed to find parent of {patch.fn}: {parent}")
-                    # Add parent to args.patch_files so that we will look for the
-                    # parent's parent.  Any duplicates will be ignored.
-                    args.patch_files.append(diff_fn)
-        else:
-            warn(f"No patch lines found in {patch.fn}")
-
-        info[patch.name] = [ parent, info_txt, commit_hash ]
-
-        patch_list.append(patch)
-
-    created = set()
-    for patch in patch_list:
-        create_branch(patch)
-
-    cmd_chk(['git', 'checkout', args.base_branch])
-
-
-def create_branch(patch):
-    if patch.name in created:
-        return
-    created.add(patch.name)
-
-    parent, info_txt, commit_hash = info[patch.name]
-    parent = argparse.Namespace(dir=patch.dir, name=parent, fn=patch.dir + parent + '.diff')
-
-    if parent.name == args.base_branch:
-        parent_branch = commit_hash if commit_hash else args.base_branch
-    else:
-        create_branch(parent)
-        parent_branch = '/'.join(['patch', args.base_branch, parent.name])
-
-    branch = '/'.join(['patch', args.base_branch, patch.name])
-    print("\n" + '=' * 64)
-    print(f"Processing {branch} ({parent_branch})")
-
-    if patch.name in local_branch:
-        cmd_chk(['git', 'branch', '-D', branch])
-
-    cmd_chk(['git', 'checkout', '-b', branch, parent_branch])
-
-    info_fn = 'PATCH.' + patch.name
-    with open(info_fn, 'w', encoding='utf-8') as fh:
-        fh.write(info_txt)
-    cmd_chk(['git', 'add', info_fn])
-
-    with open(patch.fn, 'r', encoding='utf-8') as fh:
-        patch_txt = fh.read()
-
-    cmd_run('patch -p1'.split(), input=patch_txt)
-
-    for fn in glob.glob('*.orig') + glob.glob('*/*.orig'):
-        os.unlink(fn)
-
-    pos = 0
-    new_file_re = re.compile(r'\nnew file mode (?P<mode>\d+)\s+--- /dev/null\s+\+\+\+ b/(?P<fn>.+)')
-    while True:
-        m = new_file_re.search(patch_txt, pos)
-        if not m:
-            break
-        os.chmod(m['fn'], int(m['mode'], 8))
-        cmd_chk(['git', 'add', m['fn']])
-        pos = m.end()
-
-    while True:
-        cmd_chk('git status'.split())
-        ans = input('Press Enter to commit, Ctrl-C to abort, or type a wild-name to add a new file: ')
-        if ans == '':
-            break
-        cmd_chk("git add " + ans, shell=True)
-
-    while True:
-        s = cmd_run(['git', 'commit', '-a', '-m', f"Creating branch from {patch.name}.diff."])
-        if not s.returncode:
-            break
-        s = cmd_run(['/bin/zsh'])
-        if s.returncode:
-            die('Aborting due to shell error code')
-
-
-if __name__ == '__main__':
-    parser = argparse.ArgumentParser(description="Create a git patch branch from an rsync patch file.", add_help=False)
-    parser.add_argument('--branch', '-b', dest='base_branch', metavar='BASE_BRANCH', default='master', help="The branch the patch is based on. Default: master.")
-    parser.add_argument('--add-missing', '-a', action='store_true', help="Add a branch for every patches/*.diff that doesn't have a branch.")
-    parser.add_argument('--skip-check', action='store_true', help="Skip the check that ensures starting with a clean branch.")
-    parser.add_argument('--delete', dest='delete_local_branches', action='store_true', help="Delete all the local patch/BASE/* branches, not just the ones that are being recreated.")
-    parser.add_argument('--patches-dir', '-p', metavar='DIR', default='patches', help="Override the location of the rsync-patches dir. Default: patches.")
-    parser.add_argument('patch_files', metavar='patches/DIFF_FILE', nargs='*', help="Specify what patch diff files to process. Default: all of them.")
-    parser.add_argument("--help", "-h", action="help", help="Output this help message and exit.")
-    args = parser.parse_args()
-    main()
-
-# vim: sw=4 et ft=python
--- a/packaging/cull-options
+++ b/packaging/cull-options
@@ -27,6 +27,7 @@ long_opts = { # These include some extra long-args that BackupPC uses:
        'recursive': 0,
        'stderr': 1,
        'times': 0,
+        'copy-devices': -1,
        'write-devices': -1,
        }

--- a/packaging/ftp.filt
+++ b/packaging/ftp.filt
@@ -0,0 +1,2 @@
+- /generated-files/
+- /binaries/
--- a/packaging/lsb/rsync.spec
+++ b/packaging/lsb/rsync.spec
@@ -1,9 +1,9 @@
 Summary: A fast, versatile, remote (and local) file-copying tool
 Name: rsync
-Version: 3.2.5
-%define fullversion %{version}pre1
-Release: 0.1.pre1
-%define srcdir src-previews
+Version: 3.4.3
+%define fullversion %{version}
+Release: 1
+%define srcdir src
 Group: Applications/Internet
 License: GPL
 Source0: https://rsync.samba.org/ftp/rsync/%{srcdir}/rsync-%{fullversion}.tar.gz
@@ -79,9 +79,5 @@ rm -rf $RPM_BUILD_ROOT
 %dir /etc/rsync-ssl/certs

 %changelog
-* Mon Aug 01 2022 Wayne Davison <wayne@opencoder.net>
-Released 3.2.5pre1.
-
-* Fri Mar 21 2008 Wayne Davison <wayne@opencoder.net>
-Added installation of /etc/xinetd.d/rsync file and some commented-out
-lines that demonstrate how to use the rsync-patches tar file.
+* Wed May 20 2026 Rsync Project <rsync.project@gmail.com>
+Released 3.4.3.
--- a/packaging/openssl-rsync.cnf
+++ b/packaging/openssl-rsync.cnf
@@ -0,0 +1,18 @@
+# This config file can be used with rsync to enable legacy digests
+# (such as MD4) by using the OPENSSL_CONF environment variable.
+# See rsync's configure --with-openssl-conf=/path/name option.
+
+openssl_conf = openssl_init
+
+[openssl_init]
+providers = provider_sect
+
+[provider_sect]
+default = default_sect
+legacy = legacy_sect
+
+[default_sect]
+activate = 1
+
+[legacy_sect]
+activate = 1
--- a/packaging/patch-update
+++ b/packaging/patch-update
@@ -1,244 +0,0 @@
-#!/usr/bin/env -S python3 -B
-
-# This script is used to turn one or more of the "patch/BASE/*" branches
-# into one or more diffs in the "patches" directory.  Pass the option
-# --gen if you want generated files in the diffs.  Pass the name of
-# one or more diffs if you want to just update a subset of all the
-# diffs.
-
-import os, sys, re, argparse, time, shutil
-
-sys.path = ['packaging'] + sys.path
-
-from pkglib import *
-
-MAKE_GEN_CMDS = [
-        './prepare-source'.split(),
-        'cd build && if test -f config.status ; then ./config.status ; else ../configure ; fi',
-        'make -C build gen'.split(),
-        ]
-TMP_DIR = "patches.gen"
-
-os.environ['GIT_MERGE_AUTOEDIT'] = 'no'
-
-def main():
-    global master_commit, parent_patch, description, completed, last_touch
-
-    if not os.path.isdir(args.patches_dir):
-        die(f'No "{args.patches_dir}" directory was found.')
-    if not os.path.isdir('.git'):
-        die('No ".git" directory present in the current dir.')
-
-    starting_branch, args.base_branch = check_git_state(args.base_branch, not args.skip_check, args.patches_dir)
-
-    master_commit = latest_git_hash(args.base_branch)
-
-    if cmd_txt_chk(['packaging/prep-auto-dir']).out == '':
-        die('You must setup an auto-build-save dir to use this script.')
-
-    if args.gen:
-        if os.path.lexists(TMP_DIR):
-            die(f'"{TMP_DIR}" must not exist in the current directory.')
-        gen_files = get_gen_files()
-        os.mkdir(TMP_DIR, 0o700)
-        for cmd in MAKE_GEN_CMDS:
-            cmd_chk(cmd)
-        cmd_chk(['rsync', '-a', *gen_files, f'{TMP_DIR}/master/'])
-
-    last_touch = int(time.time())
-
-    # Start by finding all patches so that we can load all possible parents.
-    patches = sorted(list(get_patch_branches(args.base_branch)))
-
-    parent_patch = { }
-    description = { }
-
-    for patch in patches:
-        branch = f"patch/{args.base_branch}/{patch}"
-        desc = ''
-        proc = cmd_pipe(['git', 'diff', '-U1000', f"{args.base_branch}...{branch}", '--', f"PATCH.{patch}"])
-        in_diff = False
-        for line in proc.stdout:
-            if in_diff:
-                if not re.match(r'^[ +]', line):
-                    continue
-                line = line[1:]
-                m = re.search(r'patch -p1 <patches/(\S+)\.diff', line)
-                if m and m[1] != patch:
-                    parpat = parent_patch[patch] = m[1]
-                    if not parpat in patches:
-                        die(f"Parent of {patch} is not a local branch: {parpat}")
-                desc += line
-            elif re.match(r'^@@ ', line):
-                in_diff = True
-        description[patch] = desc
-        proc.communicate()
-
-    if args.patch_files: # Limit the list of patches to actually process
-        valid_patches = patches
-        patches = [ ]
-        for fn in args.patch_files:
-            name = re.sub(r'\.diff$', '', re.sub(r'.+/', '', fn))
-            if name not in valid_patches:
-                die(f"Local branch not available for patch: {name}")
-            patches.append(name)
-
-    completed = set()
-
-    for patch in patches:
-        if patch in completed:
-            continue
-        if not update_patch(patch):
-            break
-
-    if args.gen:
-        shutil.rmtree(TMP_DIR)
-
-    while last_touch >= int(time.time()):
-        time.sleep(1)
-    cmd_chk(['git', 'checkout', starting_branch])
-    cmd_chk(['packaging/prep-auto-dir'], discard='output')
-
-
-def update_patch(patch):
-    global last_touch
-
-    completed.add(patch) # Mark it as completed early to short-circuit any (bogus) dependency loops.
-
-    parent = parent_patch.get(patch, None)
-    if parent:
-        if parent not in completed:
-            if not update_patch(parent):
-                return 0
-        based_on = parent = f"patch/{args.base_branch}/{parent}"
-    else:
-        parent = args.base_branch
-        based_on = master_commit
-
-    print(f"======== {patch} ========")
-
-    while args.gen and last_touch >= int(time.time()):
-        time.sleep(1)
-
-    branch = f"patch/{args.base_branch}/{patch}"
-    s = cmd_run(['git', 'checkout', branch])
-    if s.returncode != 0:
-        return 0
-
-    s = cmd_run(['git', 'merge', based_on])
-    ok = s.returncode == 0
-    skip_shell = False
-    if not ok or args.cmd or args.make or args.shell:
-        cmd_chk(['packaging/prep-auto-dir'], discard='output')
-    if not ok:
-        print(f'"git merge {based_on}" incomplete -- please fix.')
-        if not run_a_shell(parent, patch):
-            return 0
-        if not args.make and not args.cmd:
-            skip_shell = True
-    if args.make:
-        if cmd_run(['packaging/smart-make']).returncode != 0:
-            if not run_a_shell(parent, patch):
-                return 0
-            if not args.cmd:
-                skip_shell = True
-    if args.cmd:
-        if cmd_run(args.cmd).returncode != 0:
-            if not run_a_shell(parent, patch):
-                return 0
-            skip_shell = True
-    if args.shell and not skip_shell:
-        if not run_a_shell(parent, patch):
-            return 0
-
-    with open(f"{args.patches_dir}/{patch}.diff", 'w', encoding='utf-8') as fh:
-        fh.write(description[patch])
-        fh.write(f"\nbased-on: {based_on}\n")
-
-        if args.gen:
-            gen_files = get_gen_files()
-            for cmd in MAKE_GEN_CMDS:
-                cmd_chk(cmd)
-            cmd_chk(['rsync', '-a', *gen_files, f"{TMP_DIR}/{patch}/"])
-        else:
-            gen_files = [ ]
-        last_touch = int(time.time())
-
-        proc = cmd_pipe(['git', 'diff', based_on])
-        skipping = False
-        for line in proc.stdout:
-            if skipping:
-                if not re.match(r'^diff --git a/', line):
-                    continue
-                skipping = False
-            elif re.match(r'^diff --git a/PATCH', line):
-                skipping = True
-                continue
-            if not re.match(r'^index ', line):
-                fh.write(line)
-        proc.communicate()
-
-        if args.gen:
-            e_tmp_dir = re.escape(TMP_DIR)
-            diff_re  = re.compile(r'^(diff -Nurp) %s/[^/]+/(.*?) %s/[^/]+/(.*)' % (e_tmp_dir, e_tmp_dir))
-            minus_re = re.compile(r'^\-\-\- %s/[^/]+/([^\t]+)\t.*' % e_tmp_dir)
-            plus_re  = re.compile(r'^\+\+\+ %s/[^/]+/([^\t]+)\t.*' % e_tmp_dir)
-
-            if parent == args.base_branch:
-                parent_dir = 'master'
-            else:
-                m = re.search(r'([^/]+)$', parent)
-                parent_dir = m[1]
-
-            proc = cmd_pipe(['diff', '-Nurp', f"{TMP_DIR}/{parent_dir}", f"{TMP_DIR}/{patch}"])
-            for line in proc.stdout:
-                line = diff_re.sub(r'\1 a/\2 b/\3', line)
-                line = minus_re.sub(r'--- a/\1', line)
-                line =  plus_re.sub(r'+++ b/\1', line)
-                fh.write(line)
-            proc.communicate()
-
-    return 1
-
-
-def run_a_shell(parent, patch):
-    m = re.search(r'([^/]+)$', parent)
-    parent_dir = m[1]
-    os.environ['PS1'] = f"[{parent_dir}] {patch}: "
-
-    while True:
-        s = cmd_run([os.environ.get('SHELL', '/bin/sh')])
-        if s.returncode != 0:
-            ans = input("Abort? [n/y] ")
-            if re.match(r'^y', ans, flags=re.I):
-                return False
-            continue
-        cur_branch, is_clean, status_txt = check_git_status(0)
-        if is_clean:
-            break
-        print(status_txt, end='')
-
-    cmd_run('rm -f build/*.o build/*/*.o')
-
-    return True
-
-
-if __name__ == '__main__':
-    parser = argparse.ArgumentParser(description="Turn a git branch back into a diff files in the patches dir.", add_help=False)
-    parser.add_argument('--branch', '-b', dest='base_branch', metavar='BASE_BRANCH', default='master', help="The branch the patch is based on. Default: master.")
-    parser.add_argument('--skip-check', action='store_true', help="Skip the check that ensures starting with a clean branch.")
-    parser.add_argument('--make', '-m', action='store_true', help="Run the smart-make script in every patch branch.")
-    parser.add_argument('--cmd', '-c', help="Run a command in every patch branch.")
-    parser.add_argument('--shell', '-s', action='store_true', help="Launch a shell for every patch/BASE/* branch updated, not just when a conflict occurs.")
-    parser.add_argument('--gen', metavar='DIR', nargs='?', const='', help='Include generated files. Optional DIR value overrides the default of using the "patches" dir.')
-    parser.add_argument('--patches-dir', '-p', metavar='DIR', default='patches', help="Override the location of the rsync-patches dir. Default: patches.")
-    parser.add_argument('patch_files', metavar='patches/DIFF_FILE', nargs='*', help="Specify what patch diff files to process. Default: all of them.")
-    parser.add_argument("--help", "-h", action="help", help="Output this help message and exit.")
-    args = parser.parse_args()
-    if args.gen == '':
-        args.gen = args.patches_dir
-    elif args.gen is not None:
-        args.patches_dir = args.gen
-    main()
-
-# vim: sw=4 et ft=python
--- a/packaging/pkglib.py
+++ b/packaging/pkglib.py
@@ -32,7 +32,7 @@ def _tweak_opts(cmd, opts, **maybe_set_args):
    opts = opts.copy()
    _maybe_set(opts, **maybe_set_args)

-    if type(cmd) == str:
+    if isinstance(cmd, str):
        _maybe_set(opts, shell=True)

    want_raw = opts.pop('raw', False)
@@ -170,17 +170,6 @@ def get_patch_branches(base_branch):
    return branches


-def mandate_gensend_hook():
-    hook = '.git/hooks/pre-push'
-    if not os.path.exists(hook):
-        print('Creating hook file:', hook)
-        cmd_chk(['./rsync', '-a', 'packaging/pre-push', hook])
-    else:
-        ct = cmd_txt(['fgrep', 'make gensend', hook], discard='output')
-        if ct.rc:
-            die('Please add a "make gensend" into your', hook, 'script.')
-
-
 # Snag the GENFILES values out of the Makefile file and return them as a list.
 def get_gen_files(want_dir_plus_list=False):
    cont_re = re.compile(r'\\\n')
--- a/packaging/pre-push
+++ b/packaging/pre-push
@@ -1,16 +0,0 @@
-#!/bin/bash -e
-
-cat >/dev/null # Just discard stdin data
-
-if [[ -f /proc/$PPID/cmdline ]]; then
-    while read -d $'\0' arg ; do
-	if [[ "$arg" == '--tags' ]] ; then
-	    exit 0
-	fi
-    done </proc/$PPID/cmdline
-fi
-
-branch=`git rev-parse --abbrev-ref HEAD`
-if [[ "$branch" = master && "$*" == *github* ]]; then
-    make gensend
-fi
--- a/packaging/release-rsync
+++ b/packaging/release-rsync
@@ -1,397 +0,0 @@
-#!/usr/bin/env -S python3 -B
-
-# This script expects the directory ~/samba-rsync-ftp to exist and to be a
-# copy of the /home/ftp/pub/rsync dir on samba.org.  When the script is done,
-# the git repository in the current directory will be updated, and the local
-# ~/samba-rsync-ftp dir will be ready to be rsynced to samba.org.
-
-import os, sys, re, argparse, glob, shutil, signal
-from datetime import datetime
-from getpass import getpass
-
-sys.path = ['packaging'] + sys.path
-
-from pkglib import *
-
-os.environ['LESS'] = 'mqeiXR'; # Make sure that -F is turned off and -R is turned on.
-dest = os.environ['HOME'] + '/samba-rsync-ftp'
-ORIGINAL_PATH = os.environ['PATH']
-
-def main():
-    if not os.path.isfile('packaging/release-rsync'):
-        die('You must run this script from the top of your rsync checkout.')
-
-    now = datetime.now()
-    cl_today = now.strftime('* %a %b %d %Y')
-    year = now.strftime('%Y')
-    ztoday = now.strftime('%d %b %Y')
-    today = ztoday.lstrip('0')
-
-    mandate_gensend_hook()
-
-    curdir = os.getcwd()
-
-    signal.signal(signal.SIGINT, signal_handler)
-
-    if cmd_txt_chk(['packaging/prep-auto-dir']).out == '':
-        die('You must setup an auto-build-save dir to use this script.');
-
-    auto_dir, gen_files = get_gen_files(True)
-    gen_pathnames = [ os.path.join(auto_dir, fn) for fn in gen_files ]
-
-    dash_line = '=' * 74
-
-    print(f"""\
-{dash_line}
-== This will release a new version of rsync onto an unsuspecting world. ==
-{dash_line}
-""")
-
-    with open('build/rsync.1') as fh:
-        for line in fh:
-            if line.startswith(r'.\" prefix='):
-                doc_prefix = line.split('=')[1].strip()
-                if doc_prefix != '/usr':
-                    warn(f"*** The documentation was built with prefix {doc_prefix} instead of /usr ***")
-                    die("*** Read the md2man script for a way to override this. ***")
-                break
-            if line.startswith('.P'):
-                die("Failed to find the prefix comment at the start of the rsync.1 manpage.")
-
-    if not os.path.isdir(dest):
-        die(dest, "dest does not exist")
-    if not os.path.isdir('.git'):
-        die("There is no .git dir in the current directory.")
-    if os.path.lexists('a'):
-        die('"a" must not exist in the current directory.')
-    if os.path.lexists('b'):
-        die('"b" must not exist in the current directory.')
-    if os.path.lexists('patches.gen'):
-        die('"patches.gen" must not exist in the current directory.')
-
-    check_git_state(args.master_branch, True, 'patches')
-
-    curversion = get_rsync_version()
-
-    # All version values are strings!
-    lastversion, last_protocol_version, pdate = get_NEWS_version_info()
-    protocol_version, subprotocol_version = get_protocol_versions()
-
-    version = curversion
-    m = re.search(r'pre(\d+)', version)
-    if m:
-        version = re.sub(r'pre\d+', 'pre' + str(int(m[1]) + 1), version)
-    else:
-        version = version.replace('dev', 'pre1')
-
-    ans = input(f"Please enter the version number of this release: [{version}] ")
-    if ans == '.':
-        version = re.sub(r'pre\d+', '', version)
-    elif ans != '':
-        version = ans
-    if not re.match(r'^[\d.]+(pre\d+)?$', version):
-        die(f'Invalid version: "{version}"')
-
-    v_ver = 'v' + version
-    rsync_ver = 'rsync-' + version
-
-    if os.path.lexists(rsync_ver):
-        die(f'"{rsync_ver}" must not exist in the current directory.')
-
-    out = cmd_txt_chk(['git', 'tag', '-l', v_ver]).out
-    if out != '':
-        print(f"Tag {v_ver} already exists.")
-        ans = input("\nDelete tag or quit? [Q/del] ")
-        if not re.match(r'^del', ans, flags=re.I):
-            die("Aborted")
-        cmd_chk(['git', 'tag', '-d', v_ver])
-
-    version = re.sub(r'[-.]*pre[-.]*', 'pre', version)
-    if 'pre' in version and not curversion.endswith('dev'):
-        lastversion = curversion
-
-    ans = input(f"Enter the previous version to produce a patch against: [{lastversion}] ")
-    if ans != '':
-        lastversion = ans
-    lastversion = re.sub(r'[-.]*pre[-.]*', 'pre', lastversion)
-
-    rsync_lastver = 'rsync-' + lastversion
-    if os.path.lexists(rsync_lastver):
-        die(f'"{rsync_lastver}" must not exist in the current directory.')
-
-    m = re.search(r'(pre\d+)', version)
-    pre = m[1] if m else ''
-
-    release = '0.1' if pre else '1'
-    ans = input(f"Please enter the RPM release number of this release: [{release}] ")
-    if ans != '':
-        release = ans
-    if pre:
-        release += '.' + pre
-
-    finalversion = re.sub(r'pre\d+', '', version)
-    proto_changed = protocol_version != last_protocol_version
-    if proto_changed:
-        if finalversion in pdate:
-            proto_change_date = pdate[finalversion]
-        else:
-            while True:
-                ans = input("On what date did the protocol change to {protocol_version} get checked in? (dd Mmm yyyy) ")
-                if re.match(r'^\d\d \w\w\w \d\d\d\d$', ans):
-                    break
-            proto_change_date = ans
-    else:
-        proto_change_date = ' ' * 11
-
-    if 'pre' in lastversion:
-        if not pre:
-            die("You should not diff a release version against a pre-release version.")
-        srcdir = srcdiffdir = lastsrcdir = 'src-previews'
-        skipping = ' ** SKIPPING **'
-    elif pre:
-        srcdir = srcdiffdir = 'src-previews'
-        lastsrcdir = 'src'
-        skipping = ' ** SKIPPING **'
-    else:
-        srcdir = lastsrcdir = 'src'
-        srcdiffdir = 'src-diffs'
-        skipping = ''
-
-    print(f"""
-{dash_line}
-version is "{version}"
-lastversion is "{lastversion}"
-dest is "{dest}"
-curdir is "{curdir}"
-srcdir is "{srcdir}"
-srcdiffdir is "{srcdiffdir}"
-lastsrcdir is "{lastsrcdir}"
-release is "{release}"
-
-About to:
-    - tweak SUBPROTOCOL_VERSION in rsync.h, if needed
-    - tweak the version in version.h and the spec files
-    - tweak NEWS.md to ensure header values are correct
-    - generate configure.sh, config.h.in, and proto.h
-    - page through the differences
-""")
-    ans = input("<Press Enter to continue> ")
-
-    specvars = {
-        'Version:': finalversion,
-        'Release:': release,
-        '%define fullversion': f'%{{version}}{pre}',
-        'Released': version + '.',
-        '%define srcdir': srcdir,
-        }
-
-    tweak_files = 'version.h rsync.h NEWS.md'.split()
-    tweak_files += glob.glob('packaging/*.spec')
-    tweak_files += glob.glob('packaging/*/*.spec')
-
-    for fn in tweak_files:
-        with open(fn, 'r', encoding='utf-8') as fh:
-            old_txt = txt = fh.read()
-        if fn == 'version.h':
-            x_re = re.compile(r'^(#define RSYNC_VERSION).*', re.M)
-            msg = f"Unable to update RSYNC_VERSION in {fn}"
-            txt = replace_or_die(x_re, r'\1 "%s"' % version, txt, msg)
-        elif '.spec' in fn:
-            for var, val in specvars.items():
-                x_re = re.compile(r'^%s .*' % re.escape(var), re.M)
-                txt = replace_or_die(x_re, var + ' ' + val, txt, f"Unable to update {var} in {fn}")
-            x_re = re.compile(r'^\* \w\w\w \w\w\w \d\d \d\d\d\d (.*)', re.M)
-            txt = replace_or_die(x_re, r'%s \1' % cl_today, txt, f"Unable to update ChangeLog header in {fn}")
-        elif fn == 'rsync.h':
-            x_re = re.compile('(#define\s+SUBPROTOCOL_VERSION)\s+(\d+)')
-            repl = lambda m: m[1] + ' ' + ('0' if not pre or not proto_changed else '1' if m[2] == '0' else m[2])
-            txt = replace_or_die(x_re, repl, txt, f"Unable to find SUBPROTOCOL_VERSION define in {fn}")
-        elif fn == 'NEWS.md':
-            efv = re.escape(finalversion)
-            x_re = re.compile(r'^# NEWS for rsync %s \(UNRELEASED\)\s+## Changes in this version:\n' % efv
-                    + r'(\n### PROTOCOL NUMBER:\s+- The protocol number was changed to \d+\.\n)?')
-            rel_day = 'UNRELEASED' if pre else today
-            repl = (f'# NEWS for rsync {finalversion} ({rel_day})\n\n'
-                + '## Changes in this version:\n')
-            if proto_changed:
-                repl += f'\n### PROTOCOL NUMBER:\n\n - The protocol number was changed to {protocol_version}.\n'
-            good_top = re.sub(r'\(.*?\)', '(UNRELEASED)', repl, 1)
-            msg = f"The top lines of {fn} are not in the right format.  It should be:\n" + good_top
-            txt = replace_or_die(x_re, repl, txt, msg)
-            x_re = re.compile(r'^(\| )(\S{2} \S{3} \d{4})(\s+\|\s+%s\s+\| ).{11}(\s+\| )\S{2}(\s+\|+)$' % efv, re.M)
-            repl = lambda m: m[1] + (m[2] if pre else ztoday) + m[3] + proto_change_date + m[4] + protocol_version + m[5]
-            txt = replace_or_die(x_re, repl, txt, f'Unable to find "| ?? ??? {year} | {finalversion} | ... |" line in {fn}')
-        else:
-            die(f"Unrecognized file in tweak_files: {fn}")
-
-        if txt != old_txt:
-            print(f"Updating {fn}")
-            with open(fn, 'w', encoding='utf-8') as fh:
-                fh.write(txt)
-
-    cmd_chk(['packaging/year-tweak'])
-
-    print(dash_line)
-    cmd_run("git diff")
-
-    srctar_name = f"{rsync_ver}.tar.gz"
-    pattar_name = f"rsync-patches-{version}.tar.gz"
-    diff_name = f"{rsync_lastver}-{version}.diffs.gz"
-    srctar_file = os.path.join(dest, srcdir, srctar_name)
-    pattar_file = os.path.join(dest, srcdir, pattar_name)
-    diff_file = os.path.join(dest, srcdiffdir, diff_name)
-    lasttar_file = os.path.join(dest, lastsrcdir, rsync_lastver + '.tar.gz')
-
-    print(f"""\
-{dash_line}
-
-About to:
-    - git commit all changes
-    - generate the manpages
-    - merge the {args.master_branch} branch into the patch/{args.master_branch}/* branches
-    - update the files in the "patches" dir and OPTIONALLY (if you type 'y') to
-      run patch-update with the --make option (which opens a shell on error)
-""")
-    ans = input("<Press Enter OR 'y' to continue> ")
-
-    s = cmd_run(['git', 'commit', '-a', '-m', f'Preparing for release of {version}'])
-    if s.returncode:
-        die('Aborting')
-
-    cmd_chk('make gen')
-
-    print(f'Creating any missing patch branches.')
-    s = cmd_run(f'packaging/branch-from-patch --branch={args.master_branch} --add-missing')
-    if s.returncode:
-        die('Aborting')
-
-    print('Updating files in "patches" dir ...')
-    s = cmd_run(f'packaging/patch-update --branch={args.master_branch}')
-    if s.returncode:
-        die('Aborting')
-
-    if re.match(r'^y', ans, re.I):
-        print(f'\nRunning smart-make on all "patch/{args.master_branch}/*" branches ...')
-        cmd_run(f"packaging/patch-update --branch={args.master_branch} --skip-check --make")
-
-    if os.path.isdir('patches/.git'):
-        s = cmd_run(f"cd patches && git commit -a -m 'The patches for {version}.'")
-        if s.returncode:
-            die('Aborting')
-
-    print(f"""\
-{dash_line}
-
-About to:
-    - create signed tag for this release: {v_ver}
-    - create release diffs, "{diff_name}"
-    - create release tar, "{srctar_name}"
-    - generate {rsync_ver}/patches/* files
-    - create patches tar, "{pattar_name}"
-    - update top-level README.md, NEWS.md, TODO, and ChangeLog
-    - update top-level rsync*.html manpages
-    - gpg-sign the release files
-    - update hard-linked top-level release files{skipping}
-""")
-    ans = input("<Press Enter to continue> ")
-
-    # TODO: is there a better way to ensure that our passphrase is in the agent?
-    cmd_run("touch TeMp; gpg --sign TeMp; rm TeMp*")
-
-    out = cmd_txt(f"git tag -s -m 'Version {version}.' {v_ver}", capture='combined').out
-    print(out, end='')
-    if 'bad passphrase' in out or 'failed' in out:
-        die('Aborting')
-
-    if os.path.isdir('patches/.git'):
-        out = cmd_txt(f"cd patches && git tag -s -m 'Version {version}.' {v_ver}", capture='combined').out
-        print(out, end='')
-        if 'bad passphrase' in out or 'failed' in out:
-            die('Aborting')
-
-    os.environ['PATH'] = ORIGINAL_PATH
-
-    # Extract the generated files from the old tar.
-    tweaked_gen_files = [ os.path.join(rsync_lastver, fn) for fn in gen_files ]
-    cmd_run(['tar', 'xzf', lasttar_file, *tweaked_gen_files])
-    os.rename(rsync_lastver, 'a')
-
-    print(f"Creating {diff_file} ...")
-    cmd_chk(['rsync', '-a', *gen_pathnames, 'b/'])
-
-    sed_script = r's:^((---|\+\+\+) [ab]/[^\t]+)\t.*:\1:' # CAUTION: must not contain any single quotes!
-    cmd_chk(f"(git diff v{lastversion} {v_ver} -- ':!.github'; diff -upN a b | sed -r '{sed_script}') | gzip -9 >{diff_file}")
-    shutil.rmtree('a')
-    os.rename('b', rsync_ver)
-
-    print(f"Creating {srctar_file} ...")
-    cmd_chk(f"git archive --format=tar --prefix={rsync_ver}/ {v_ver} | tar xf -")
-    cmd_chk(f"support/git-set-file-times --quiet --prefix={rsync_ver}/")
-    cmd_chk(['fakeroot', 'tar', 'czf', srctar_file, '--exclude=.github', rsync_ver])
-    shutil.rmtree(rsync_ver)
-
-    print(f'Updating files in "{rsync_ver}/patches" dir ...')
-    os.mkdir(rsync_ver, 0o755)
-    os.mkdir(f"{rsync_ver}/patches", 0o755)
-    cmd_chk(f"packaging/patch-update --skip-check --branch={args.master_branch} --gen={rsync_ver}/patches".split())
-
-    print(f"Creating {pattar_file} ...")
-    cmd_chk(['fakeroot', 'tar', 'chzf', pattar_file, rsync_ver + '/patches'])
-    shutil.rmtree(rsync_ver)
-
-    print(f"Updating the other files in {dest} ...")
-    md_files = 'README.md NEWS.md INSTALL.md'.split()
-    html_files = [ fn for fn in gen_pathnames if fn.endswith('.html') ]
-    cmd_chk(['rsync', '-a', *md_files, *html_files, dest])
-    cmd_chk(["./md-convert", "--dest", dest, *md_files])
-
-    cmd_chk(f"git log --name-status | gzip -9 >{dest}/ChangeLog.gz")
-
-    for fn in (srctar_file, pattar_file, diff_file):
-        asc_fn = fn + '.asc'
-        if os.path.lexists(asc_fn):
-            os.unlink(asc_fn)
-        res = cmd_run(['gpg', '--batch', '-ba', fn])
-        if res.returncode != 0 and res.returncode != 2:
-            die("gpg signing failed")
-
-    if not pre:
-        for find in f'{dest}/rsync-*.gz {dest}/rsync-*.asc {dest}/src-previews/rsync-*diffs.gz*'.split():
-            for fn in glob.glob(find):
-                os.unlink(fn)
-        top_link = [
-                srctar_file, f"{srctar_file}.asc",
-                pattar_file, f"{pattar_file}.asc",
-                diff_file, f"{diff_file}.asc",
-                ]
-        for fn in top_link:
-            os.link(fn, re.sub(r'/src(-\w+)?/', '/', fn))
-
-    print(f"""\
-{dash_line}
-
-Local changes are done.  When you're satisfied, push the git repository
-and rsync the release files.  Remember to announce the release on *BOTH*
-rsync-announce@lists.samba.org and rsync@lists.samba.org (and the web)!
-""")
-
-
-def replace_or_die(regex, repl, txt, die_msg):
-    m = regex.search(txt)
-    if not m:
-        die(die_msg)
-    return regex.sub(repl, txt, 1)
-
-
-def signal_handler(sig, frame):
-    die("\nAborting due to SIGINT.")
-
-
-if __name__ == '__main__':
-    parser = argparse.ArgumentParser(description="Prepare a new release of rsync in the git repo & ftp dir.", add_help=False)
-    parser.add_argument('--branch', '-b', dest='master_branch', default='master', help="The branch to release. Default: master.")
-    parser.add_argument("--help", "-h", action="help", help="Output this help message and exit.")
-    args = parser.parse_args()
-    main()
-
-# vim: sw=4 et ft=python
--- a/packaging/release.py
+++ b/packaging/release.py
@@ -0,0 +1,705 @@
+#!/usr/bin/env python3
+
+# Step-based release script for rsync.  Each step is a separate invocation
+# selected by a --step-N-XX option, so the maintainer drives the release
+# manually one piece at a time.
+#
+# All persistent state and working files live in ../release/ (a sibling of
+# the rsync git checkout):
+#
+#   ../release/rsync-ftp/       mirror of samba.org:/home/ftp/pub/rsync
+#   ../release/rsync-html/      release-time snapshot of the html site
+#   ../release/work/            scratch space for tarball / diff staging
+#   ../release/release-state.json   info shared between steps
+#
+# The rsync-patches archive is no longer maintained and has been dropped.
+#
+# Run "packaging/release.py --list" to see the step list.
+
+import os, sys, re, argparse, glob, shutil, json, signal, subprocess
+from datetime import datetime
+
+sys.path = ['packaging'] + sys.path
+
+from pkglib import (
+    warn, die, cmd_run, cmd_chk, cmd_txt, cmd_txt_chk, cmd_pipe,
+    check_git_state, get_rsync_version,
+    get_NEWS_version_info, get_protocol_versions,
+)
+
+# ---------- Paths ----------
+
+RELEASE_DIR = os.path.realpath('../release')
+FTP_DIR     = os.path.join(RELEASE_DIR, 'rsync-ftp')
+HTML_DIR    = os.path.join(RELEASE_DIR, 'rsync-html')
+WORK_DIR    = os.path.join(RELEASE_DIR, 'work')
+STATE_FILE  = os.path.join(RELEASE_DIR, 'release-state.json')
+
+# The rsync-web/ subdirectory in the rsync source tree is the source-of-truth
+# for the git-tracked html content.  step-1-fetch snapshots it into HTML_DIR
+# for the release flow, where it can be edited or augmented with server-side
+# content before step-11-push-html sends it to samba.org.
+HTML_SRC = os.path.realpath('rsync-web')
+
+FTP_REMOTE_PATH  = '/home/ftp/pub/rsync'
+HTML_REMOTE_PATH = '/home/httpd/html/rsync'
+
+# Files that ./configure + make produce and that the release tarball / diff
+# need to bundle alongside the git-tracked source.  Mirrors the GENFILES
+# definition in Makefile.in (with rrsync.1{,.html} since we always configure
+# --with-rrsync in --step-4-build).
+GEN_FILES = [
+    'configure.sh',
+    'aclocal.m4',
+    'config.h.in',
+    'rsync.1',     'rsync.1.html',
+    'rsync-ssl.1', 'rsync-ssl.1.html',
+    'rsyncd.conf.5', 'rsyncd.conf.5.html',
+    'rrsync.1',    'rrsync.1.html',
+]
+
+# ---------- Step registry ----------
+
+STEPS = [
+    ('step-1-fetch',       'mirror ../release/rsync-ftp from samba.org and snapshot ../release/rsync-html from rsync-web/'),
+    ('step-2-prepare',     'gather release info interactively and write release-state.json'),
+    ('step-3-tweak',       'update version.h, rsync.h, NEWS.md, and packaging/*.spec'),
+    ('step-4-build',       'run smart-make + make gen'),
+    ('step-5-commit',      'git commit -a (commit the prepared release changes)'),
+    ('step-6-tag',         'create the gpg-signed git tag'),
+    ('step-7-tarball',     'build the source tarball and diffs.gz against the previous release'),
+    ('step-8-update-ftp',  'refresh README/NEWS/INSTALL/html in the ftp dir, regen ChangeLog.gz, gpg-sign tarballs'),
+    ('step-9-toplinks',    'hard-link top-level release files (final releases only)'),
+    ('step-10-push-ftp',   'rsync ../release/rsync-ftp/ to samba.org'),
+    ('step-11-push-html',  'rsync ../release/rsync-html/ to samba.org (after any manual edits)'),
+    ('step-12-push-git',   'print the git push commands for you to run'),
+]
+STEP_FLAGS = [s[0] for s in STEPS]
+
+DASH_LINE = '=' * 74
+
+# ---------- State helpers ----------
+
+def load_state():
+    if not os.path.isfile(STATE_FILE):
+        die(f"{STATE_FILE} not found.  Run --step-2-prepare first.")
+    with open(STATE_FILE, 'r', encoding='utf-8') as fh:
+        return json.load(fh)
+
+
+def save_state(state):
+    os.makedirs(RELEASE_DIR, exist_ok=True)
+    with open(STATE_FILE, 'w', encoding='utf-8') as fh:
+        json.dump(state, fh, indent=2, sort_keys=True)
+        fh.write('\n')
+
+
+def require_samba_host():
+    host = os.environ.get('RSYNC_SAMBA_HOST', '')
+    if not host.endswith('.samba.org'):
+        die("Set RSYNC_SAMBA_HOST in your environment to the samba hostname (e.g. hr3.samba.org).")
+    return host
+
+
+def require_top_of_checkout():
+    if not os.path.isfile('packaging/release.py'):
+        die("Run this script from the top of your rsync checkout.")
+    if not os.path.isdir('.git'):
+        die("There is no .git dir in the current directory.")
+
+
+def replace_or_die(regex, repl, txt, die_msg):
+    m = regex.search(txt)
+    if not m:
+        die(die_msg)
+    return regex.sub(repl, txt, 1)
+
+
+def section(title):
+    print(f"\n{DASH_LINE}\n== {title}\n{DASH_LINE}")
+
+
+def confirm(prompt, default_no=True):
+    suffix = '[n] ' if default_no else '[y] '
+    ans = input(f"{prompt} {suffix}").strip().lower()
+    if default_no:
+        return ans.startswith('y')
+    return ans == '' or ans.startswith('y')
+
+
+# ---------- Step 1: fetch ftp + html ----------
+
+def step_1_fetch(args):
+    host = require_samba_host()
+    os.makedirs(RELEASE_DIR, exist_ok=True)
+    os.makedirs(WORK_DIR, exist_ok=True)
+
+    section(f"Fetching ftp dir into {FTP_DIR}")
+    if not os.path.isdir(FTP_DIR):
+        os.makedirs(FTP_DIR)
+    # packaging/ftp.filt is the authoritative copy of the .filt filter file
+    # that controls which subtrees rsync excludes from the FTP mirror.
+    # Seed FTP_DIR/.filt from it so the bundled version is what step-1's
+    # rsync uses here, and so step-10-push-ftp propagates it back to the
+    # server.  --exclude=/.filt below stops the server's copy from
+    # overwriting our bundled one on the way down.
+    filt = os.path.join(FTP_DIR, '.filt')
+    bundled_filt = os.path.realpath('packaging/ftp.filt')
+    if not os.path.isfile(bundled_filt):
+        die(f"{bundled_filt} not found; cannot seed .filt for the FTP pull.")
+    shutil.copyfile(bundled_filt, filt)
+    cmd_chk(['rsync', '-aivOHP', f'-f:_{filt}', '--exclude=/.filt',
+             f'{host}:{FTP_REMOTE_PATH}/', f'{FTP_DIR}/'])
+
+    section(f"Snapshotting html dir from {HTML_SRC} into {HTML_DIR}")
+    if not os.path.isdir(HTML_SRC):
+        die(f"{HTML_SRC} not found.  This should be the in-tree rsync-web/ "
+            f"subdirectory; something is wrong with your checkout.")
+    os.makedirs(HTML_DIR, exist_ok=True)
+    cmd_chk(['rsync', '-aiv', f'{HTML_SRC}/', f'{HTML_DIR}/'])
+
+    # Then mirror non-git html content from the server, skipping files that
+    # the html git already provides (driven by the 'filt' file in HTML_DIR).
+    filt = os.path.join(HTML_DIR, 'filt')
+    if os.path.exists(filt):
+        tmp_filt = os.path.join(HTML_DIR, 'tmp-filt')
+        cmd_chk(f"sed -n -e 's/[-P]/H/p' '{filt}' >'{tmp_filt}'")
+        cmd_chk(['rsync', '-aivOHP', f'-f._{tmp_filt}',
+                 f'{host}:{HTML_REMOTE_PATH}/', f'{HTML_DIR}/'])
+        os.unlink(tmp_filt)
+
+    print(f"\nFetch complete.  Local dirs are now in {RELEASE_DIR}.")
+
+
+# ---------- Step 2: prepare ----------
+
+def step_2_prepare(args):
+    require_top_of_checkout()
+    os.makedirs(RELEASE_DIR, exist_ok=True)
+
+    if not os.path.isdir(FTP_DIR):
+        die(f"{FTP_DIR} does not exist.  Run --step-1-fetch first.")
+
+    now = datetime.now().astimezone()
+    cl_today = now.strftime('* %a %b %d %Y')
+    year     = now.strftime('%Y')
+    ztoday   = now.strftime('%d %b %Y')
+    today    = ztoday.lstrip('0')
+    tz_now   = now.strftime('%z')
+    tz_num   = tz_now[0:1].replace('+', '') + str(float(tz_now[1:3]) + float(tz_now[3:]) / 60)
+
+    curversion = get_rsync_version()
+    lastversion, last_protocol_version, pdate = get_NEWS_version_info()
+    protocol_version, subprotocol_version    = get_protocol_versions()
+
+    # Default next version: bump preN, or move dev -> pre1.
+    version = curversion
+    m = re.search(r'pre(\d+)', version)
+    if m:
+        version = re.sub(r'pre\d+', 'pre' + str(int(m[1]) + 1), version)
+    else:
+        version = version.replace('dev', 'pre1')
+
+    print(f"\nCurrent version (version.h): {curversion}")
+    print(f"Last released version (NEWS.md): {lastversion}")
+    print(f"Current protocol version: {protocol_version}  (last released: {last_protocol_version})")
+
+    ans = input(f"\nVersion to release [{version}, '.' to drop the preN suffix]: ").strip()
+    if ans == '.':
+        version = re.sub(r'pre\d+', '', version)
+    elif ans:
+        version = ans
+    if not re.match(r'^[\d.]+(pre\d+)?$', version):
+        die(f'Invalid version: "{version}"')
+    version = re.sub(r'[-.]*pre[-.]*', 'pre', version)
+
+    if 'pre' in version and not curversion.endswith('dev'):
+        lastversion = curversion
+
+    ans = input(f"Previous version to diff against [{lastversion}]: ").strip()
+    if ans:
+        lastversion = ans
+    lastversion = re.sub(r'[-.]*pre[-.]*', 'pre', lastversion)
+
+    m = re.search(r'(pre\d+)', version)
+    pre = m[1] if m else ''
+    finalversion = re.sub(r'pre\d+', '', version)
+
+    release = '0.1' if pre else '1'
+    ans = input(f"RPM release number [{release}]: ").strip()
+    if ans:
+        release = ans
+    if pre:
+        release += '.' + pre
+
+    proto_changed = protocol_version != last_protocol_version
+    if proto_changed:
+        if finalversion in pdate:
+            proto_change_date = pdate[finalversion]
+        else:
+            while True:
+                ans = input(f"Date the protocol changed to {protocol_version} (dd Mmm yyyy): ").strip()
+                if re.match(r'^\d\d \w\w\w \d\d\d\d$', ans):
+                    break
+            proto_change_date = ans
+    else:
+        proto_change_date = ' ' * 11
+
+    if 'pre' in lastversion:
+        if not pre:
+            die("Refusing to diff a release version against a pre-release version.")
+        srcdir = srcdiffdir = lastsrcdir = 'src-previews'
+    elif pre:
+        srcdir = srcdiffdir = 'src-previews'
+        lastsrcdir = 'src'
+    else:
+        srcdir = lastsrcdir = 'src'
+        srcdiffdir = 'src-diffs'
+
+    state = {
+        'version':            version,
+        'lastversion':        lastversion,
+        'finalversion':       finalversion,
+        'pre':                pre,
+        'release':            release,
+        'protocol_version':   protocol_version,
+        'subprotocol_version': subprotocol_version,
+        'proto_changed':      proto_changed,
+        'proto_change_date':  proto_change_date,
+        'srcdir':             srcdir,
+        'srcdiffdir':         srcdiffdir,
+        'lastsrcdir':         lastsrcdir,
+        'today':              today,
+        'ztoday':             ztoday,
+        'cl_today':           cl_today,
+        'year':               year,
+        'tz_num':             tz_num,
+        'master_branch':      args.master_branch,
+    }
+    save_state(state)
+
+    section("Release info")
+    for k in ('version', 'lastversion', 'release', 'srcdir', 'srcdiffdir', 'lastsrcdir',
+              'protocol_version', 'proto_changed', 'proto_change_date'):
+        print(f"  {k}: {state[k]}")
+    print(f"\nWrote {STATE_FILE}.  Re-run --step-2-prepare to change anything.")
+
+
+# ---------- Step 3: tweak version files ----------
+
+def step_3_tweak(args):
+    require_top_of_checkout()
+    state = load_state()
+
+    version          = state['version']
+    finalversion     = state['finalversion']
+    pre              = state['pre']
+    release          = state['release']
+    today            = state['today']
+    ztoday           = state['ztoday']
+    cl_today         = state['cl_today']
+    year             = state['year']
+    tz_num           = state['tz_num']
+    proto_changed    = state['proto_changed']
+    proto_change_date = state['proto_change_date']
+    protocol_version  = state['protocol_version']
+    srcdir           = state['srcdir']
+
+    specvars = {
+        'Version:':           finalversion,
+        'Release:':           release,
+        '%define fullversion': f'%{{version}}{pre}',
+        'Released':           version + '.',
+        '%define srcdir':     srcdir,
+    }
+
+    tweak_files = ['version.h', 'rsync.h', 'NEWS.md']
+    tweak_files += glob.glob('packaging/*.spec')
+    tweak_files += glob.glob('packaging/*/*.spec')
+
+    for fn in tweak_files:
+        with open(fn, 'r', encoding='utf-8') as fh:
+            old_txt = txt = fh.read()
+        if fn == 'version.h':
+            x_re = re.compile(r'^(#define RSYNC_VERSION).*', re.M)
+            txt = replace_or_die(x_re, r'\1 "%s"' % version, txt,
+                                 f"Unable to update RSYNC_VERSION in {fn}")
+            x_re = re.compile(r'^(#define MAINTAINER_TZ_OFFSET).*', re.M)
+            txt = replace_or_die(x_re, r'\1 ' + tz_num, txt,
+                                 f"Unable to update MAINTAINER_TZ_OFFSET in {fn}")
+        elif fn == 'rsync.h':
+            x_re = re.compile(r'(#define\s+SUBPROTOCOL_VERSION)\s+(\d+)')
+            repl = lambda m: m[1] + ' ' + (
+                '0' if not pre or not proto_changed
+                else '1' if m[2] == '0'
+                else m[2])
+            txt = replace_or_die(x_re, repl, txt,
+                                 f"Unable to find SUBPROTOCOL_VERSION in {fn}")
+        elif fn == 'NEWS.md':
+            efv = re.escape(finalversion)
+            x_re = re.compile(
+                r'^# NEWS for rsync %s \(UNRELEASED\)\s+## Changes in this version:\n' % efv
+                + r'(\n### PROTOCOL NUMBER:\s+- The protocol number was changed to \d+\.\n)?')
+            rel_day = 'UNRELEASED' if pre else today
+            repl = (f'# NEWS for rsync {finalversion} ({rel_day})\n\n'
+                    + '## Changes in this version:\n')
+            if proto_changed:
+                repl += f'\n### PROTOCOL NUMBER:\n\n - The protocol number was changed to {protocol_version}.\n'
+            good_top = re.sub(r'\(.*?\)', '(UNRELEASED)', repl, 1)
+            msg = (f"The top of {fn} is not in the right format.  It should be:\n" + good_top)
+            txt = replace_or_die(x_re, repl, txt, msg)
+            x_re = re.compile(
+                r'^(\| )(\S{2} \S{3} \d{4})(\s+\|\s+%s\s+\| ).{11}(\s+\| )\S{2}(\s+\|+)$' % efv,
+                re.M)
+            repl = lambda m: (m[1] + (m[2] if pre else ztoday) + m[3]
+                              + proto_change_date + m[4] + protocol_version + m[5])
+            txt = replace_or_die(x_re, repl, txt,
+                                 f'Unable to find "| ?? ??? {year} | {finalversion} | ... |" line in {fn}')
+        elif '.spec' in fn:
+            for var, val in specvars.items():
+                x_re = re.compile(r'^%s .*' % re.escape(var), re.M)
+                txt = replace_or_die(x_re, var + ' ' + val, txt,
+                                     f"Unable to update {var} in {fn}")
+            x_re = re.compile(r'^\* \w\w\w \w\w\w \d\d \d\d\d\d (.*)', re.M)
+            txt = replace_or_die(x_re, r'%s \1' % cl_today, txt,
+                                 f"Unable to update ChangeLog header in {fn}")
+        else:
+            die(f"Unrecognized file in tweak_files: {fn}")
+
+        if txt != old_txt:
+            print(f"Updating {fn}")
+            with open(fn, 'w', encoding='utf-8') as fh:
+                fh.write(txt)
+
+    cmd_chk(['packaging/year-tweak'])
+
+    section("git diff after tweaks")
+    cmd_run(['git', '--no-pager', 'diff'])
+
+
+# ---------- Step 4: build ----------
+
+def step_4_build(args):
+    require_top_of_checkout()
+    load_state()  # just to ensure we've prepared
+
+    section("Running prepare-source + configure --prefix=/usr --with-rrsync + make + make gen")
+    # Always re-prepare so configure.sh is current; we run configure ourselves
+    # with the release-required flags rather than relying on the cached
+    # config.status (which may have been produced with different options).
+    if os.path.isfile('.fetch'):
+        cmd_chk(['./prepare-source', 'fetch'])
+    else:
+        cmd_chk(['./prepare-source'])
+
+    cmd_chk(['./configure', '--prefix=/usr', '--with-rrsync'])
+    cmd_chk(['make'])
+    cmd_chk(['make', 'gen'])
+
+
+# ---------- Step 5: commit ----------
+
+def step_5_commit(args):
+    require_top_of_checkout()
+    state = load_state()
+    version = state['version']
+
+    section("git status")
+    cmd_run(['git', 'status'])
+    if not confirm("Commit all current changes with the release message?"):
+        die("Aborted.")
+    cmd_chk(['git', 'commit', '-a', '-m', f'Preparing for release of {version} [buildall]'])
+
+
+# ---------- Step 6: tag ----------
+
+def step_6_tag(args):
+    require_top_of_checkout()
+    state = load_state()
+    version = state['version']
+    v_ver = 'v' + version
+
+    out = cmd_txt_chk(['git', 'tag', '-l', v_ver]).out
+    if out.strip():
+        if not confirm(f"Tag {v_ver} already exists.  Delete and recreate?"):
+            die("Aborted.")
+        cmd_chk(['git', 'tag', '-d', v_ver])
+
+    # Prime the gpg agent so the actual tag signing won't prompt.
+    section("Priming gpg agent")
+    cmd_run("touch TeMp; gpg --sign TeMp; rm -f TeMp TeMp.gpg")
+
+    section(f"Creating signed tag {v_ver}")
+    out = cmd_txt(['git', 'tag', '-s', '-m', f'Version {version}.', v_ver],
+                  capture='combined').out
+    print(out, end='')
+    if 'bad passphrase' in out.lower() or 'failed' in out.lower():
+        die("Tag creation failed.")
+
+
+# ---------- Step 7: tarball + diff ----------
+
+def step_7_tarball(args):
+    require_top_of_checkout()
+    state = load_state()
+
+    version      = state['version']
+    lastversion  = state['lastversion']
+    pre          = state['pre']
+    srcdir       = state['srcdir']
+    srcdiffdir   = state['srcdiffdir']
+    lastsrcdir   = state['lastsrcdir']
+
+    rsync_ver     = 'rsync-' + version
+    rsync_lastver = 'rsync-' + lastversion
+    v_ver         = 'v' + version
+
+    srctar_name = f"{rsync_ver}.tar.gz"
+    diff_name   = f"{rsync_lastver}-{version}.diffs.gz"
+
+    srctar_file = os.path.join(FTP_DIR, srcdir, srctar_name)
+    diff_file   = os.path.join(FTP_DIR, srcdiffdir, diff_name)
+    lasttar_file = os.path.join(FTP_DIR, lastsrcdir, rsync_lastver + '.tar.gz')
+
+    for d in (os.path.dirname(srctar_file), os.path.dirname(diff_file)):
+        os.makedirs(d, exist_ok=True)
+    if not os.path.isfile(lasttar_file):
+        die(f"Previous tarball not found: {lasttar_file}")
+
+    # Stage in ../release/work to keep the source checkout clean.
+    if os.path.isdir(WORK_DIR):
+        shutil.rmtree(WORK_DIR)
+    os.makedirs(WORK_DIR)
+
+    a_dir = os.path.join(WORK_DIR, 'a')
+    b_dir = os.path.join(WORK_DIR, 'b')
+
+    # Extract gen files from the previous tarball into work/a/.
+    tweaked_gen_files = [os.path.join(rsync_lastver, fn) for fn in GEN_FILES]
+    cmd_chk(['tar', '-C', WORK_DIR, '-xzf', lasttar_file, *tweaked_gen_files])
+    os.rename(os.path.join(WORK_DIR, rsync_lastver), a_dir)
+
+    # Copy current gen files (built in the top-level checkout) into work/b/.
+    os.makedirs(b_dir)
+    cmd_chk(['rsync', '-a', *GEN_FILES, b_dir + '/'])
+
+    section(f"Creating {diff_file}")
+    sed_script = r's:^((---|\+\+\+) [ab]/[^\t]+)\t.*:\1:'  # no single quotes!
+    cmd_chk(
+        f"(git diff v{lastversion} {v_ver} -- ':!.github'; "
+        f"diff -upN {a_dir} {b_dir} | sed -r '{sed_script}') | gzip -9 >{diff_file}")
+
+    section(f"Creating {srctar_file}")
+    # Reuse work/b/ (which already holds the fresh gen files) as the release
+    # staging dir, then let "git archive" overlay the git-tracked source files
+    # on top.  That way the tarball ends up with both gen files and source.
+    rsync_ver_dir = os.path.join(WORK_DIR, rsync_ver)
+    shutil.rmtree(a_dir)
+    os.rename(b_dir, rsync_ver_dir)
+    cmd_chk(f"git archive --format=tar --prefix={rsync_ver}/ {v_ver} | "
+            f"tar -C {WORK_DIR} -xf -")
+    cmd_chk(f"support/git-set-file-times --quiet --prefix={rsync_ver_dir}/")
+    cmd_chk(['fakeroot', 'tar', '-C', WORK_DIR, '-czf', srctar_file,
+             '--exclude=.github', rsync_ver])
+
+    # Leave staging in place; --step-8-update-ftp does its own thing.
+    print(f"\nCreated:\n  {srctar_file}\n  {diff_file}")
+
+
+# ---------- Step 8: update ftp ----------
+
+def step_8_update_ftp(args):
+    require_top_of_checkout()
+    state = load_state()
+
+    version     = state['version']
+    lastversion = state['lastversion']
+    srcdir      = state['srcdir']
+    srcdiffdir  = state['srcdiffdir']
+
+    rsync_ver     = 'rsync-' + version
+    rsync_lastver = 'rsync-' + lastversion
+    srctar_file   = os.path.join(FTP_DIR, srcdir, f"{rsync_ver}.tar.gz")
+    diff_file     = os.path.join(FTP_DIR, srcdiffdir,
+                                 f"{rsync_lastver}-{version}.diffs.gz")
+
+    section(f"Refreshing top-of-tree files in {FTP_DIR}")
+    md_files = ['README.md', 'NEWS.md', 'INSTALL.md']
+    html_files = [fn for fn in GEN_FILES if fn.endswith('.html')]
+    cmd_chk(['rsync', '-a', *md_files, *html_files, FTP_DIR + '/'])
+    cmd_chk(['./md-convert', '--dest', FTP_DIR, *md_files])
+
+    section(f"Regenerating {FTP_DIR}/ChangeLog.gz")
+    cmd_chk(f"git log --name-status | gzip -9 >{FTP_DIR}/ChangeLog.gz")
+
+    # Prime gpg agent and then sign the tar + diff.
+    section("Priming gpg agent")
+    cmd_run("touch TeMp; gpg --sign TeMp; rm -f TeMp TeMp.gpg")
+
+    for fn in (srctar_file, diff_file):
+        if not os.path.isfile(fn):
+            die(f"Missing file to sign: {fn}.  Did --step-7-tarball run successfully?")
+        asc_fn = fn + '.asc'
+        if os.path.lexists(asc_fn):
+            os.unlink(asc_fn)
+        section(f"GPG-signing {fn}")
+        res = cmd_run(['gpg', '--batch', '-ba', fn])
+        if res.returncode not in (0, 2):
+            die("gpg signing failed.")
+
+
+# ---------- Step 9: top-level hard links ----------
+
+def step_9_toplinks(args):
+    require_top_of_checkout()
+    state = load_state()
+
+    pre = state['pre']
+    if pre:
+        print("Skipping: pre-releases do not get top-level hard links.")
+        return
+
+    version     = state['version']
+    lastversion = state['lastversion']
+    srcdir      = state['srcdir']
+    srcdiffdir  = state['srcdiffdir']
+
+    rsync_ver     = 'rsync-' + version
+    rsync_lastver = 'rsync-' + lastversion
+    srctar_file = os.path.join(FTP_DIR, srcdir, f"{rsync_ver}.tar.gz")
+    diff_file   = os.path.join(FTP_DIR, srcdiffdir,
+                               f"{rsync_lastver}-{version}.diffs.gz")
+
+    section("Removing stale top-level rsync-* files")
+    for find in [f'{FTP_DIR}/rsync-*.gz',
+                 f'{FTP_DIR}/rsync-*.asc',
+                 f'{FTP_DIR}/src-previews/rsync-*diffs.gz*']:
+        for fn in glob.glob(find):
+            os.unlink(fn)
+
+    top_link = [
+        srctar_file, srctar_file + '.asc',
+        diff_file,   diff_file + '.asc',
+    ]
+    for fn in top_link:
+        target = re.sub(r'/src(-\w+)?/', '/', fn)
+        if os.path.lexists(target):
+            os.unlink(target)
+        os.link(fn, target)
+        print(f"  linked {target}")
+
+
+# ---------- Step 10: push ftp ----------
+
+def step_10_push_ftp(args):
+    host = require_samba_host()
+    if not os.path.isdir(FTP_DIR):
+        die(f"{FTP_DIR} does not exist.  Run --step-1-fetch first.")
+    section(f"rsync ftp dir to {host}")
+    rsync_with_confirm(['-aivOHP', '--chown=:rsync', '--del',
+                        f'-f._{os.path.join(FTP_DIR, ".filt")}',
+                        f'{FTP_DIR}/', f'{host}:{FTP_REMOTE_PATH}/'])
+
+
+# ---------- Step 11: push html ----------
+
+def step_11_push_html(args):
+    host = require_samba_host()
+    if not os.path.isdir(HTML_DIR):
+        die(f"{HTML_DIR} does not exist.  Run --step-1-fetch first.")
+    section(f"rsync html dir to {host}")
+    filt = os.path.join(HTML_DIR, 'filt')
+    rsync_with_confirm(['-aivOHP', '--chown=:rsync', '--del',
+                        f'-f._{filt}',
+                        f'{HTML_DIR}/', f'{host}:{HTML_REMOTE_PATH}/'])
+
+
+# ---------- Step 12: print push-git instructions ----------
+
+def step_12_push_git(args):
+    state = load_state()
+    version = state['version']
+    master_branch = state['master_branch']
+    v_ver = 'v' + version
+
+    print(f"""\
+{DASH_LINE}
+Run these from the rsync-git checkout (this script does not push for you):
+
+    git push origin {master_branch}
+    git push origin {v_ver}
+
+If you have a 'samba' remote configured (git.samba.org:/data/git/rsync.git):
+
+    git push samba {master_branch}
+    git push samba {v_ver}
+
+Then upload the tarball + .asc to the GitHub release for {v_ver},
+and announce on rsync-announce@, rsync@, and Discord.
+""")
+
+
+# ---------- shared rsync-with-confirm ----------
+
+def rsync_with_confirm(rsync_args):
+    """Run an rsync command in dry-run mode, then ask before running for real."""
+    cmd_run(['rsync', '--dry-run', *rsync_args])
+    if confirm("Run without --dry-run?"):
+        cmd_run(['rsync', *rsync_args])
+
+
+# ---------- dispatch ----------
+
+STEP_FUNCS = {
+    'step-1-fetch':       step_1_fetch,
+    'step-2-prepare':     step_2_prepare,
+    'step-3-tweak':       step_3_tweak,
+    'step-4-build':       step_4_build,
+    'step-5-commit':      step_5_commit,
+    'step-6-tag':         step_6_tag,
+    'step-7-tarball':     step_7_tarball,
+    'step-8-update-ftp':  step_8_update_ftp,
+    'step-9-toplinks':    step_9_toplinks,
+    'step-10-push-ftp':   step_10_push_ftp,
+    'step-11-push-html':  step_11_push_html,
+    'step-12-push-git':   step_12_push_git,
+}
+
+
+def signal_handler(sig, frame):
+    die("\nAborting due to SIGINT.")
+
+
+def main():
+    parser = argparse.ArgumentParser(
+        description="Step-based release script for rsync.",
+        formatter_class=argparse.RawDescriptionHelpFormatter,
+        epilog="Run --list to see the steps.  Each invocation runs exactly one --step-* option.")
+    parser.add_argument('--branch', '-b', dest='master_branch', default='master',
+                        help="The branch to release (default: master).")
+    parser.add_argument('--list', action='store_true',
+                        help="List all release steps and exit.")
+    grp = parser.add_mutually_exclusive_group()
+    for flag, descr in STEPS:
+        grp.add_argument('--' + flag, dest='step', action='store_const',
+                         const=flag, help=descr)
+    args = parser.parse_args()
+
+    if args.list:
+        print("Release steps:")
+        for flag, descr in STEPS:
+            print(f"  --{flag:18s} {descr}")
+        return
+
+    if not args.step:
+        parser.error("pick one --step-N-XX option (or --list to see them).")
+
+    signal.signal(signal.SIGINT, signal_handler)
+    os.environ['LESS'] = 'mqeiXR'
+    STEP_FUNCS[args.step](args)
+
+
+if __name__ == '__main__':
+    main()
+
+# vim: sw=4 et ft=python
--- a/packaging/var-checker
+++ b/packaging/var-checker
@@ -6,9 +6,10 @@

 import os, sys, re, argparse, glob

-VARS_RE = re.compile(r'^(?!(?:extern|enum)\s)([a-zA-Z]\S*\s+.*);', re.M)
+VARS_RE = re.compile(r'^(?!(?:extern|enum)\s)([a-zA-Z][^ \n\t:]*\s+.*);', re.M)
 EXTERNS_RE = re.compile(r'^extern\s+(.*);', re.M)

+types = { }
 sizes = { }

 def main():
@@ -68,19 +69,44 @@ def parse_vars(fn, lines):
    for line in lines:
        line = re.sub(r'\s*\{.*\}', '', line)
        line = re.sub(r'\s*\(.*\)', '', line)
-        for item in re.split(r'\s*,\s*', line):
-            item = re.sub(r'\s*=.*', '', item)
-            m = re.search(r'(?P<var>\w+)(?P<sz>\[.*?\])?$', item)
+        line = re.sub(r'\s*=\s*[^,]*', '', line)
+        m = re.search(r'^(?:(?:static|extern)\s+)?(?P<type>[^\[,]+?)(?P<vars>\w+([\[,].+)?)$', line)
+        if not m:
+            print(f"Bogus match? ({line})")
+            continue
+        items = m['vars']
+        main_type = m['type'].strip()
+        mt_len = len(main_type)
+        main_type = main_type.rstrip('*')
+        first_stars = '*' * (mt_len - len(main_type))
+        if first_stars:
+            main_type = main_type.rstrip()
+            items = first_stars + items
+        for item in re.split(r'\s*,\s*', items):
+            m = re.search(r'(?P<stars>\*+\s*)?(?P<var>\w+)(?P<sz>\[.*?\])?$', item)
            if not m:
                print(f"Bogus match? ({item})")
                continue
-            if m['sz']:
-                if m['var'] in sizes:
-                    if sizes[m['var']] != m['sz']:
+            typ = main_type
+            if m['stars']:
+                typ = typ + m['stars'].strip()
+            chk = [
+                    'type', typ, types,
+                    'size', m['sz'], sizes,
+                    ]
+            while chk:
+                label = chk.pop(0)
+                new = chk.pop(0)
+                lst = chk.pop(0)
+                if label == 'type':
+                    new = ' '.join(new.split()).replace(' *', '*')
+                if m['var'] in lst:
+                    old = lst[m['var']]
+                    if new != old:
                        var = m['var']
-                        print(fn, f'has inconsistent size for "{var}":', m['sz'], 'vs', sizes[var])
+                        print(fn, f'has inconsistent {label} for "{var}":', new, 'vs', old)
                else:
-                    sizes[m['var']] = m['sz']
+                    lst[m['var']] = new
            ret.append(m['var'])
    return ret

--- a/packaging/year-tweak
+++ b/packaging/year-tweak
@@ -7,9 +7,6 @@
 import sys, os, re, argparse, subprocess
 from datetime import datetime

-MAINTAINER_NAME = 'Wayne Davison'
-MAINTAINER_SUF = ' ' + MAINTAINER_NAME + "\n"
-
 def main():
    latest_year = '2000'

@@ -22,10 +19,6 @@ def main():
        m = argparse.Namespace(**m.groupdict())
        if m.year > latest_year:
            latest_year = m.year
-        if m.fn.startswith('zlib/') or m.fn.startswith('popt/'):
-            continue
-        if re.search(r'\.(c|h|sh|test)$', m.fn):
-            maybe_edit_copyright_year(m.fn, m.year)
    proc.communicate()

    fn = 'latest-year.h'
@@ -39,55 +32,8 @@ def main():
            fh.write(txt)


-def maybe_edit_copyright_year(fn, year):
-    opening_lines = [ ]
-    copyright_line = None
-
-    with open(fn, 'r', encoding='utf-8') as fh:
-        for lineno, line in enumerate(fh):
-            opening_lines.append(line)
-            if lineno > 3 and not re.search(r'\S', line):
-                break
-            m = re.match(r'^(?P<pre>.*Copyright\s+\S+\s+)(?P<year>\d\d\d\d(?:-\d\d\d\d)?(,\s+\d\d\d\d)*)(?P<suf>.+)', line)
-            if not m:
-                continue
-            copyright_line = argparse.Namespace(**m.groupdict())
-            copyright_line.lineno = len(opening_lines)
-            copyright_line.is_maintainer_line = MAINTAINER_NAME in copyright_line.suf
-            copyright_line.txt = line
-            if copyright_line.is_maintainer_line:
-                break
-
-        if not copyright_line:
-            return
-
-        if copyright_line.is_maintainer_line:
-            cyears = copyright_line.year.split('-')
-            if year == cyears[0]:
-                cyears = [ year ]
-            else:
-                cyears = [ cyears[0], year ]
-            txt = copyright_line.pre + '-'.join(cyears) + MAINTAINER_SUF
-            if txt == copyright_line.txt:
-                return
-            opening_lines[copyright_line.lineno - 1] = txt
-        else:
-            if fn.startswith('lib/') or fn.startswith('testsuite/'):
-                return
-            txt = copyright_line.pre + year + MAINTAINER_SUF
-            opening_lines[copyright_line.lineno - 1] += txt
-
-        remaining_txt = fh.read()
-
-    print(f"Updating {fn} with year {year}")
-
-    with open(fn, 'w', encoding='utf-8') as fh:
-        fh.write(''.join(opening_lines))
-        fh.write(remaining_txt)
-
-
 if __name__ == '__main__':
-    parser = argparse.ArgumentParser(description="Grab the year of last mod for our c & h files and make sure the Copyright comment is up-to-date.")
+    parser = argparse.ArgumentParser(description="Grab the year of the last mod for our c & h files and make sure the LATEST_YEAR value is accurate.")
    args = parser.parse_args()
    main()

--- a/popt/findme.c
+++ b/popt/findme.c
@@ -1,55 +0,0 @@
-/** \ingroup popt
- * \file popt/findme.c
- */
-
-/* (C) 1998-2002 Red Hat, Inc. -- Licensing details are in the COPYING
-   file accompanying popt source distributions, available from 
-   ftp://ftp.rpm.org/pub/rpm/dist. */
-
-#include "system.h"
-#include "findme.h"
-
-const char * findProgramPath(const char * argv0)
-{
-    char * path = getenv("PATH");
-    char * pathbuf;
-    char * start, * chptr;
-    char * buf;
-    size_t bufsize;
-
-    if (argv0 == NULL) return NULL;	/* XXX can't happen */
-    /* If there is a / in the argv[0], it has to be an absolute path */
-    if (strchr(argv0, '/'))
-	return xstrdup(argv0);
-
-    if (path == NULL) return NULL;
-
-    bufsize = strlen(path) + 1;
-    start = pathbuf = alloca(bufsize);
-    if (pathbuf == NULL) return NULL;	/* XXX can't happen */
-    strlcpy(pathbuf, path, bufsize);
-    bufsize += sizeof "/" - 1 + strlen(argv0);
-    buf = malloc(bufsize);
-    if (buf == NULL) return NULL;	/* XXX can't happen */
-
-    chptr = NULL;
-    /*@-branchstate@*/
-    do {
-	if ((chptr = strchr(start, ':')))
-	    *chptr = '\0';
-	snprintf(buf, bufsize, "%s/%s", start, argv0);
-
-	if (!access(buf, X_OK))
-	    return buf;
-
-	if (chptr) 
-	    start = chptr + 1;
-	else
-	    start = NULL;
-    } while (start && *start);
-    /*@=branchstate@*/
-
-    free(buf);
-
-    return NULL;
-}
--- a/popt/findme.h
+++ b/popt/findme.h
@@ -1,20 +0,0 @@
-/** \ingroup popt
- * \file popt/findme.h
- */
-
-/* (C) 1998-2000 Red Hat, Inc. -- Licensing details are in the COPYING
-   file accompanying popt source distributions, available from 
-   ftp://ftp.rpm.org/pub/rpm/dist. */
-
-#ifndef H_FINDME
-#define H_FINDME
-
-/**
- * Return absolute path to executable by searching PATH.
- * @param argv0		name of executable
- * @return		(malloc'd) absolute path to executable (or NULL)
- */
-/*@null@*/ const char * findProgramPath(/*@null@*/ const char * argv0)
-	/*@*/;
-
-#endif
--- a/popt/lookup3.c
+++ b/popt/lookup3.c
@@ -0,0 +1,959 @@
+/* -------------------------------------------------------------------- */
+/*
+ * lookup3.c, by Bob Jenkins, May 2006, Public Domain.
+ * 
+ * These are functions for producing 32-bit hashes for hash table lookup.
+ * jlu32w(), jlu32l(), jlu32lpair(), jlu32b(), _JLU3_MIX(), and _JLU3_FINAL() 
+ * are externally useful functions.  Routines to test the hash are included 
+ * if SELF_TEST is defined.  You can use this free for any purpose.  It's in
+ * the public domain.  It has no warranty.
+ * 
+ * You probably want to use jlu32l().  jlu32l() and jlu32b()
+ * hash byte arrays.  jlu32l() is is faster than jlu32b() on
+ * little-endian machines.  Intel and AMD are little-endian machines.
+ * On second thought, you probably want jlu32lpair(), which is identical to
+ * jlu32l() except it returns two 32-bit hashes for the price of one.  
+ * You could implement jlu32bpair() if you wanted but I haven't bothered here.
+ * 
+ * If you want to find a hash of, say, exactly 7 integers, do
+ *   a = i1;  b = i2;  c = i3;
+ *   _JLU3_MIX(a,b,c);
+ *   a += i4; b += i5; c += i6;
+ *   _JLU3_MIX(a,b,c);
+ *   a += i7;
+ *   _JLU3_FINAL(a,b,c);
+ * then use c as the hash value.  If you have a variable size array of
+ * 4-byte integers to hash, use jlu32w().  If you have a byte array (like
+ * a character string), use jlu32l().  If you have several byte arrays, or
+ * a mix of things, see the comments above jlu32l().  
+ * 
+ * Why is this so big?  I read 12 bytes at a time into 3 4-byte integers, 
+ * then mix those integers.  This is fast (you can do a lot more thorough
+ * mixing with 12*3 instructions on 3 integers than you can with 3 instructions
+ * on 1 byte), but shoehorning those bytes into integers efficiently is messy.
+*/
+/* -------------------------------------------------------------------- */
+
+#include <stdint.h>
+
+#if defined(_JLU3_SELFTEST)
+# define _JLU3_jlu32w		1
+# define _JLU3_jlu32l		1
+# define _JLU3_jlu32lpair	1
+# define _JLU3_jlu32b		1
+#endif
+
+static const union _dbswap {
+    const uint32_t ui;
+    const unsigned char uc[4];
+} endian = { .ui = 0x11223344 };
+# define HASH_LITTLE_ENDIAN	(endian.uc[0] == (unsigned char) 0x44)
+# define HASH_BIG_ENDIAN	(endian.uc[0] == (unsigned char) 0x11)
+
+#ifndef ROTL32
+# define ROTL32(x, s) (((x) << (s)) | ((x) >> (32 - (s))))
+#endif
+
+/* NOTE: The _size parameter should be in bytes. */
+#define	_JLU3_INIT(_h, _size)	(0xdeadbeef + ((uint32_t)(_size)) + (_h))
+
+/* -------------------------------------------------------------------- */
+/*
+ * _JLU3_MIX -- mix 3 32-bit values reversibly.
+ * 
+ * This is reversible, so any information in (a,b,c) before _JLU3_MIX() is
+ * still in (a,b,c) after _JLU3_MIX().
+ * 
+ * If four pairs of (a,b,c) inputs are run through _JLU3_MIX(), or through
+ * _JLU3_MIX() in reverse, there are at least 32 bits of the output that
+ * are sometimes the same for one pair and different for another pair.
+ * This was tested for:
+ * * pairs that differed by one bit, by two bits, in any combination
+ *   of top bits of (a,b,c), or in any combination of bottom bits of
+ *   (a,b,c).
+ * * "differ" is defined as +, -, ^, or ~^.  For + and -, I transformed
+ *   the output delta to a Gray code (a^(a>>1)) so a string of 1's (as
+ *   is commonly produced by subtraction) look like a single 1-bit
+ *   difference.
+ * * the base values were pseudorandom, all zero but one bit set, or 
+ *   all zero plus a counter that starts at zero.
+ * 
+ * Some k values for my "a-=c; a^=ROTL32(c,k); c+=b;" arrangement that
+ * satisfy this are
+ *     4  6  8 16 19  4
+ *     9 15  3 18 27 15
+ *    14  9  3  7 17  3
+ * Well, "9 15 3 18 27 15" didn't quite get 32 bits diffing
+ * for "differ" defined as + with a one-bit base and a two-bit delta.  I
+ * used http://burtleburtle.net/bob/hash/avalanche.html to choose 
+ * the operations, constants, and arrangements of the variables.
+ * 
+ * This does not achieve avalanche.  There are input bits of (a,b,c)
+ * that fail to affect some output bits of (a,b,c), especially of a.  The
+ * most thoroughly mixed value is c, but it doesn't really even achieve
+ * avalanche in c.
+ * 
+ * This allows some parallelism.  Read-after-writes are good at doubling
+ * the number of bits affected, so the goal of mixing pulls in the opposite
+ * direction as the goal of parallelism.  I did what I could.  Rotates
+ * seem to cost as much as shifts on every machine I could lay my hands
+ * on, and rotates are much kinder to the top and bottom bits, so I used
+ * rotates.
+ */
+/* -------------------------------------------------------------------- */
+#define _JLU3_MIX(a,b,c) \
+{ \
+  a -= c;  a ^= ROTL32(c, 4);  c += b; \
+  b -= a;  b ^= ROTL32(a, 6);  a += c; \
+  c -= b;  c ^= ROTL32(b, 8);  b += a; \
+  a -= c;  a ^= ROTL32(c,16);  c += b; \
+  b -= a;  b ^= ROTL32(a,19);  a += c; \
+  c -= b;  c ^= ROTL32(b, 4);  b += a; \
+}
+
+/* -------------------------------------------------------------------- */
+/**
+ * _JLU3_FINAL -- final mixing of 3 32-bit values (a,b,c) into c
+ * 
+ * Pairs of (a,b,c) values differing in only a few bits will usually
+ * produce values of c that look totally different.  This was tested for
+ * * pairs that differed by one bit, by two bits, in any combination
+ *   of top bits of (a,b,c), or in any combination of bottom bits of
+ *   (a,b,c).
+ * * "differ" is defined as +, -, ^, or ~^.  For + and -, I transformed
+ *   the output delta to a Gray code (a^(a>>1)) so a string of 1's (as
+ *   is commonly produced by subtraction) look like a single 1-bit
+ *   difference.
+ * * the base values were pseudorandom, all zero but one bit set, or 
+ *   all zero plus a counter that starts at zero.
+ * 
+ * These constants passed:
+ *  14 11 25 16 4 14 24
+ *  12 14 25 16 4 14 24
+ * and these came close:
+ *   4  8 15 26 3 22 24
+ *  10  8 15 26 3 22 24
+ *  11  8 15 26 3 22 24
+ */
+/* -------------------------------------------------------------------- */
+#define _JLU3_FINAL(a,b,c) \
+{ \
+  c ^= b; c -= ROTL32(b,14); \
+  a ^= c; a -= ROTL32(c,11); \
+  b ^= a; b -= ROTL32(a,25); \
+  c ^= b; c -= ROTL32(b,16); \
+  a ^= c; a -= ROTL32(c,4);  \
+  b ^= a; b -= ROTL32(a,14); \
+  c ^= b; c -= ROTL32(b,24); \
+}
+
+#if defined(_JLU3_jlu32w)
+uint32_t jlu32w(uint32_t h, const uint32_t *k, size_t size);
+/* -------------------------------------------------------------------- */
+/**
+ *  This works on all machines.  To be useful, it requires
+ *  -- that the key be an array of uint32_t's, and
+ *  -- that the size be the number of uint32_t's in the key
+ * 
+ *  The function jlu32w() is identical to jlu32l() on little-endian
+ *  machines, and identical to jlu32b() on big-endian machines,
+ *  except that the size has to be measured in uint32_ts rather than in
+ *  bytes.  jlu32l() is more complicated than jlu32w() only because
+ *  jlu32l() has to dance around fitting the key bytes into registers.
+ *
+ * @param h		the previous hash, or an arbitrary value
+ * @param *k		the key, an array of uint32_t values
+ * @param size		the size of the key, in uint32_ts
+ * @return		the lookup3 hash
+ */
+/* -------------------------------------------------------------------- */
+uint32_t jlu32w(uint32_t h, const uint32_t *k, size_t size)
+{
+    uint32_t a = _JLU3_INIT(h, (size * sizeof(*k)));
+    uint32_t b = a;
+    uint32_t c = a;
+
+    if (k == NULL)
+	goto exit;
+
+    /*----------------------------------------------- handle most of the key */
+    while (size > 3) {
+	a += k[0];
+	b += k[1];
+	c += k[2];
+	_JLU3_MIX(a,b,c);
+	size -= 3;
+	k += 3;
+    }
+
+    /*----------------------------------------- handle the last 3 uint32_t's */
+    switch (size) {
+    case 3 : c+=k[2];
+    case 2 : b+=k[1];
+    case 1 : a+=k[0];
+	_JLU3_FINAL(a,b,c);
+	/* fallthrough */
+    case 0:
+	break;
+    }
+    /*---------------------------------------------------- report the result */
+exit:
+    return c;
+}
+#endif	/* defined(_JLU3_jlu32w) */
+
+#if defined(_JLU3_jlu32l)
+uint32_t jlu32l(uint32_t h, const void *key, size_t size);
+/* -------------------------------------------------------------------- */
+/*
+ * jlu32l() -- hash a variable-length key into a 32-bit value
+ *   h       : can be any 4-byte value
+ *   k       : the key (the unaligned variable-length array of bytes)
+ *   size    : the size of the key, counting by bytes
+ * Returns a 32-bit value.  Every bit of the key affects every bit of
+ * the return value.  Two keys differing by one or two bits will have
+ * totally different hash values.
+ * 
+ * The best hash table sizes are powers of 2.  There is no need to do
+ * mod a prime (mod is sooo slow!).  If you need less than 32 bits,
+ * use a bitmask.  For example, if you need only 10 bits, do
+ *   h = (h & hashmask(10));
+ * In which case, the hash table should have hashsize(10) elements.
+ * 
+ * If you are hashing n strings (uint8_t **)k, do it like this:
+ *   for (i=0, h=0; i<n; ++i) h = jlu32l(h, k[i], len[i]);
+ * 
+ * By Bob Jenkins, 2006.  bob_jenkins@burtleburtle.net.  You may use this
+ * code any way you wish, private, educational, or commercial.  It's free.
+ * 
+ * Use for hash table lookup, or anything where one collision in 2^^32 is
+ * acceptable.  Do NOT use for cryptographic purposes.
+ *
+ * @param h		the previous hash, or an arbitrary value
+ * @param *k		the key, an array of uint8_t values
+ * @param size		the size of the key
+ * @return		the lookup3 hash
+ */
+/* -------------------------------------------------------------------- */
+uint32_t jlu32l(uint32_t h, const void *key, size_t size)
+{
+    union { const void *ptr; size_t i; } u;
+    uint32_t a = _JLU3_INIT(h, size);
+    uint32_t b = a;
+    uint32_t c = a;
+
+    if (key == NULL)
+	goto exit;
+
+    u.ptr = key;
+    if (HASH_LITTLE_ENDIAN && ((u.i & 0x3) == 0)) {
+	const uint32_t *k = (const uint32_t *)key;	/* read 32-bit chunks */
+#ifdef	VALGRIND
+	const uint8_t  *k8;
+#endif
+
+    /*------ all but last block: aligned reads and affect 32 bits of (a,b,c) */
+	while (size > 12) {
+	    a += k[0];
+	    b += k[1];
+	    c += k[2];
+	    _JLU3_MIX(a,b,c);
+	    size -= 12;
+	    k += 3;
+	}
+
+	/*------------------------- handle the last (probably partial) block */
+	/* 
+	 * "k[2]&0xffffff" actually reads beyond the end of the string, but
+	 * then masks off the part it's not allowed to read.  Because the
+	 * string is aligned, the masked-off tail is in the same word as the
+	 * rest of the string.  Every machine with memory protection I've seen
+	 * does it on word boundaries, so is OK with this.  But VALGRIND will
+	 * still catch it and complain.  The masking trick does make the hash
+	 * noticeably faster for short strings (like English words).
+	 */
+#ifndef VALGRIND
+
+	switch (size) {
+	case 12:	c += k[2]; b+=k[1]; a+=k[0]; break;
+	case 11:	c += k[2]&0xffffff; b+=k[1]; a+=k[0]; break;
+	case 10:	c += k[2]&0xffff; b+=k[1]; a+=k[0]; break;
+	case  9:	c += k[2]&0xff; b+=k[1]; a+=k[0]; break;
+	case  8:	b += k[1]; a+=k[0]; break;
+	case  7:	b += k[1]&0xffffff; a+=k[0]; break;
+	case  6:	b += k[1]&0xffff; a+=k[0]; break;
+	case  5:	b += k[1]&0xff; a+=k[0]; break;
+	case  4:	a += k[0]; break;
+	case  3:	a += k[0]&0xffffff; break;
+	case  2:	a += k[0]&0xffff; break;
+	case  1:	a += k[0]&0xff; break;
+	case  0:	goto exit;
+	}
+
+#else /* make valgrind happy */
+
+	k8 = (const uint8_t *)k;
+	switch (size) {
+	case 12:	c += k[2]; b+=k[1]; a+=k[0]	break;
+	case 11:	c += ((uint32_t)k8[10])<<16;	/* fallthrough */
+	case 10:	c += ((uint32_t)k8[9])<<8;	/* fallthrough */
+	case  9:	c += k8[8];			/* fallthrough */
+	case  8:	b += k[1]; a+=k[0];		break;
+	case  7:	b += ((uint32_t)k8[6])<<16;	/* fallthrough */
+	case  6:	b += ((uint32_t)k8[5])<<8;	/* fallthrough */
+	case  5:	b += k8[4];			/* fallthrough */
+	case  4:	a += k[0];			break;
+	case  3:	a += ((uint32_t)k8[2])<<16;	/* fallthrough */
+	case  2:	a += ((uint32_t)k8[1])<<8;	/* fallthrough */
+	case  1:	a += k8[0];			break;
+	case  0:	goto exit;
+	}
+
+#endif /* !valgrind */
+
+    } else if (HASH_LITTLE_ENDIAN && ((u.i & 0x1) == 0)) {
+	const uint16_t *k = (const uint16_t *)key;	/* read 16-bit chunks */
+	const uint8_t  *k8;
+
+	/*----------- all but last block: aligned reads and different mixing */
+	while (size > 12) {
+	    a += k[0] + (((uint32_t)k[1])<<16);
+	    b += k[2] + (((uint32_t)k[3])<<16);
+	    c += k[4] + (((uint32_t)k[5])<<16);
+	    _JLU3_MIX(a,b,c);
+	    size -= 12;
+	    k += 6;
+	}
+
+	/*------------------------- handle the last (probably partial) block */
+	k8 = (const uint8_t *)k;
+	switch (size) {
+	case 12:
+	    c += k[4]+(((uint32_t)k[5])<<16);
+	    b += k[2]+(((uint32_t)k[3])<<16);
+	    a += k[0]+(((uint32_t)k[1])<<16);
+	    break;
+	case 11:
+	    c += ((uint32_t)k8[10])<<16;
+	    /* fallthrough */
+	case 10:
+	    c += (uint32_t)k[4];
+	    b += k[2]+(((uint32_t)k[3])<<16);
+	    a += k[0]+(((uint32_t)k[1])<<16);
+	    break;
+	case  9:
+	    c += (uint32_t)k8[8];
+	    /* fallthrough */
+	case  8:
+	    b += k[2]+(((uint32_t)k[3])<<16);
+	    a += k[0]+(((uint32_t)k[1])<<16);
+	    break;
+	case  7:
+	    b += ((uint32_t)k8[6])<<16;
+	    /* fallthrough */
+	case  6:
+	    b += (uint32_t)k[2];
+	    a += k[0]+(((uint32_t)k[1])<<16);
+	    break;
+	case  5:
+	    b += (uint32_t)k8[4];
+	    /* fallthrough */
+	case  4:
+	    a += k[0]+(((uint32_t)k[1])<<16);
+	    break;
+	case  3:
+	    a += ((uint32_t)k8[2])<<16;
+	    /* fallthrough */
+	case  2:
+	    a += (uint32_t)k[0];
+	    break;
+	case  1:
+	    a += (uint32_t)k8[0];
+	    break;
+	case  0:
+	    goto exit;
+	}
+
+    } else {		/* need to read the key one byte at a time */
+	const uint8_t *k = (const uint8_t *)key;
+
+	/*----------- all but the last block: affect some 32 bits of (a,b,c) */
+	while (size > 12) {
+	    a += (uint32_t)k[0];
+	    a += ((uint32_t)k[1])<<8;
+	    a += ((uint32_t)k[2])<<16;
+	    a += ((uint32_t)k[3])<<24;
+	    b += (uint32_t)k[4];
+	    b += ((uint32_t)k[5])<<8;
+	    b += ((uint32_t)k[6])<<16;
+	    b += ((uint32_t)k[7])<<24;
+	    c += (uint32_t)k[8];
+	    c += ((uint32_t)k[9])<<8;
+	    c += ((uint32_t)k[10])<<16;
+	    c += ((uint32_t)k[11])<<24;
+	    _JLU3_MIX(a,b,c);
+	    size -= 12;
+	    k += 12;
+	}
+
+	/*---------------------------- last block: affect all 32 bits of (c) */
+	switch (size) {
+	case 12:	c += ((uint32_t)k[11])<<24;	/* fallthrough */
+	case 11:	c += ((uint32_t)k[10])<<16;	/* fallthrough */
+	case 10:	c += ((uint32_t)k[9])<<8;	/* fallthrough */
+	case  9:	c += (uint32_t)k[8];		/* fallthrough */
+	case  8:	b += ((uint32_t)k[7])<<24;	/* fallthrough */
+	case  7:	b += ((uint32_t)k[6])<<16;	/* fallthrough */
+	case  6:	b += ((uint32_t)k[5])<<8;	/* fallthrough */
+	case  5:	b += (uint32_t)k[4];		/* fallthrough */
+	case  4:	a += ((uint32_t)k[3])<<24;	/* fallthrough */
+	case  3:	a += ((uint32_t)k[2])<<16;	/* fallthrough */
+	case  2:	a += ((uint32_t)k[1])<<8;	/* fallthrough */
+	case  1:	a += (uint32_t)k[0];
+	    break;
+	case  0:
+	    goto exit;
+	}
+    }
+
+    _JLU3_FINAL(a,b,c);
+
+exit:
+    return c;
+}
+#endif	/* defined(_JLU3_jlu32l) */
+
+#if defined(_JLU3_jlu32lpair)
+/**
+ * jlu32lpair: return 2 32-bit hash values.
+ *
+ * This is identical to jlu32l(), except it returns two 32-bit hash
+ * values instead of just one.  This is good enough for hash table
+ * lookup with 2^^64 buckets, or if you want a second hash if you're not
+ * happy with the first, or if you want a probably-unique 64-bit ID for
+ * the key.  *pc is better mixed than *pb, so use *pc first.  If you want
+ * a 64-bit value do something like "*pc + (((uint64_t)*pb)<<32)".
+ *
+ * @param h		the previous hash, or an arbitrary value
+ * @param *key		the key, an array of uint8_t values
+ * @param size		the size of the key in bytes
+ * @retval *pc,		IN: primary initval, OUT: primary hash
+ * *retval *pb		IN: secondary initval, OUT: secondary hash
+ */
+void jlu32lpair(const void *key, size_t size, uint32_t *pc, uint32_t *pb)
+{
+    union { const void *ptr; size_t i; } u;
+    uint32_t a = _JLU3_INIT(*pc, size);
+    uint32_t b = a;
+    uint32_t c = a;
+
+    if (key == NULL)
+	goto exit;
+
+    c += *pb;	/* Add the secondary hash. */
+
+    u.ptr = key;
+    if (HASH_LITTLE_ENDIAN && ((u.i & 0x3) == 0)) {
+	const uint32_t *k = (const uint32_t *)key;	/* read 32-bit chunks */
+#ifdef	VALGRIND
+	const uint8_t  *k8;
+#endif
+
+	/*-- all but last block: aligned reads and affect 32 bits of (a,b,c) */
+	while (size > (size_t)12) {
+	    a += k[0];
+	    b += k[1];
+	    c += k[2];
+	    _JLU3_MIX(a,b,c);
+	    size -= 12;
+	    k += 3;
+	}
+	/*------------------------- handle the last (probably partial) block */
+	/* 
+	 * "k[2]&0xffffff" actually reads beyond the end of the string, but
+	 * then masks off the part it's not allowed to read.  Because the
+	 * string is aligned, the masked-off tail is in the same word as the
+	 * rest of the string.  Every machine with memory protection I've seen
+	 * does it on word boundaries, so is OK with this.  But VALGRIND will
+	 * still catch it and complain.  The masking trick does make the hash
+	 * noticeably faster for short strings (like English words).
+	 */
+#ifndef VALGRIND
+
+	switch (size) {
+	case 12:	c += k[2]; b+=k[1]; a+=k[0]; break;
+	case 11:	c += k[2]&0xffffff; b+=k[1]; a+=k[0]; break;
+	case 10:	c += k[2]&0xffff; b+=k[1]; a+=k[0]; break;
+	case  9:	c += k[2]&0xff; b+=k[1]; a+=k[0]; break;
+	case  8:	b += k[1]; a+=k[0]; break;
+	case  7:	b += k[1]&0xffffff; a+=k[0]; break;
+	case  6:	b += k[1]&0xffff; a+=k[0]; break;
+	case  5:	b += k[1]&0xff; a+=k[0]; break;
+	case  4:	a += k[0]; break;
+	case  3:	a += k[0]&0xffffff; break;
+	case  2:	a += k[0]&0xffff; break;
+	case  1:	a += k[0]&0xff; break;
+	case  0:	goto exit;
+	}
+
+#else /* make valgrind happy */
+
+	k8 = (const uint8_t *)k;
+	switch (size) {
+	case 12:	c += k[2]; b+=k[1]; a+=k[0];	break;
+	case 11:	c += ((uint32_t)k8[10])<<16;	/* fallthrough */
+	case 10:	c += ((uint32_t)k8[9])<<8;	/* fallthrough */
+	case  9:	c += k8[8];			/* fallthrough */
+	case  8:	b += k[1]; a+=k[0];		break;
+	case  7:	b += ((uint32_t)k8[6])<<16;	/* fallthrough */
+	case  6:	b += ((uint32_t)k8[5])<<8;	/* fallthrough */
+	case  5:	b += k8[4];			/* fallthrough */
+	case  4:	a += k[0];			break;
+	case  3:	a += ((uint32_t)k8[2])<<16;	/* fallthrough */
+	case  2:	a += ((uint32_t)k8[1])<<8;	/* fallthrough */
+	case  1:	a += k8[0];			break;
+	case  0:	goto exit;
+	}
+
+#endif /* !valgrind */
+
+    } else if (HASH_LITTLE_ENDIAN && ((u.i & 0x1) == 0)) {
+	const uint16_t *k = (const uint16_t *)key;	/* read 16-bit chunks */
+	const uint8_t  *k8;
+
+	/*----------- all but last block: aligned reads and different mixing */
+	while (size > (size_t)12) {
+	    a += k[0] + (((uint32_t)k[1])<<16);
+	    b += k[2] + (((uint32_t)k[3])<<16);
+	    c += k[4] + (((uint32_t)k[5])<<16);
+	    _JLU3_MIX(a,b,c);
+	    size -= 12;
+	    k += 6;
+	}
+
+	/*------------------------- handle the last (probably partial) block */
+	k8 = (const uint8_t *)k;
+	switch (size) {
+	case 12:
+	    c += k[4]+(((uint32_t)k[5])<<16);
+	    b += k[2]+(((uint32_t)k[3])<<16);
+	    a += k[0]+(((uint32_t)k[1])<<16);
+	    break;
+	case 11:
+	    c += ((uint32_t)k8[10])<<16;
+	    /* fallthrough */
+	case 10:
+	    c += k[4];
+	    b += k[2]+(((uint32_t)k[3])<<16);
+	    a += k[0]+(((uint32_t)k[1])<<16);
+	    break;
+	case  9:
+	    c += k8[8];
+	    /* fallthrough */
+	case  8:
+	    b += k[2]+(((uint32_t)k[3])<<16);
+	    a += k[0]+(((uint32_t)k[1])<<16);
+	    break;
+	case  7:
+	    b += ((uint32_t)k8[6])<<16;
+	    /* fallthrough */
+	case  6:
+	    b += k[2];
+	    a += k[0]+(((uint32_t)k[1])<<16);
+	    break;
+	case  5:
+	    b += k8[4];
+	    /* fallthrough */
+	case  4:
+	    a += k[0]+(((uint32_t)k[1])<<16);
+	    break;
+	case  3:
+	    a += ((uint32_t)k8[2])<<16;
+	    /* fallthrough */
+	case  2:
+	    a += k[0];
+	    break;
+	case  1:
+	    a += k8[0];
+	    break;
+	case  0:
+	    goto exit;
+	}
+
+    } else {		/* need to read the key one byte at a time */
+	const uint8_t *k = (const uint8_t *)key;
+
+	/*----------- all but the last block: affect some 32 bits of (a,b,c) */
+	while (size > (size_t)12) {
+	    a += k[0];
+	    a += ((uint32_t)k[1])<<8;
+	    a += ((uint32_t)k[2])<<16;
+	    a += ((uint32_t)k[3])<<24;
+	    b += k[4];
+	    b += ((uint32_t)k[5])<<8;
+	    b += ((uint32_t)k[6])<<16;
+	    b += ((uint32_t)k[7])<<24;
+	    c += k[8];
+	    c += ((uint32_t)k[9])<<8;
+	    c += ((uint32_t)k[10])<<16;
+	    c += ((uint32_t)k[11])<<24;
+	    _JLU3_MIX(a,b,c);
+	    size -= 12;
+	    k += 12;
+	}
+
+	/*---------------------------- last block: affect all 32 bits of (c) */
+	switch (size) {
+	case 12:	c += ((uint32_t)k[11])<<24;	/* fallthrough */
+	case 11:	c += ((uint32_t)k[10])<<16;	/* fallthrough */
+	case 10:	c += ((uint32_t)k[9])<<8;	/* fallthrough */
+	case  9:	c += k[8];			/* fallthrough */
+	case  8:	b += ((uint32_t)k[7])<<24;	/* fallthrough */
+	case  7:	b += ((uint32_t)k[6])<<16;	/* fallthrough */
+	case  6:	b += ((uint32_t)k[5])<<8;	/* fallthrough */
+	case  5:	b += k[4];			/* fallthrough */
+	case  4:	a += ((uint32_t)k[3])<<24;	/* fallthrough */
+	case  3:	a += ((uint32_t)k[2])<<16;	/* fallthrough */
+	case  2:	a += ((uint32_t)k[1])<<8;	/* fallthrough */
+	case  1:	a += k[0];
+	    break;
+	case  0:
+	    goto exit;
+	}
+    }
+
+    _JLU3_FINAL(a,b,c);
+
+exit:
+    *pc = c;
+    *pb = b;
+    return;
+}
+#endif	/* defined(_JLU3_jlu32lpair) */
+
+#if defined(_JLU3_jlu32b)
+uint32_t jlu32b(uint32_t h, const void *key, size_t size);
+/*
+ * jlu32b():
+ * This is the same as jlu32w() on big-endian machines.  It is different
+ * from jlu32l() on all machines.  jlu32b() takes advantage of
+ * big-endian byte ordering. 
+ *
+ * @param h		the previous hash, or an arbitrary value
+ * @param *k		the key, an array of uint8_t values
+ * @param size		the size of the key
+ * @return		the lookup3 hash
+ */
+uint32_t jlu32b(uint32_t h, const void *key, size_t size)
+{
+    union { const void *ptr; size_t i; } u;
+    uint32_t a = _JLU3_INIT(h, size);
+    uint32_t b = a;
+    uint32_t c = a;
+
+    if (key == NULL)
+	return h;
+
+    u.ptr = key;
+    if (HASH_BIG_ENDIAN && ((u.i & 0x3) == 0)) {
+	const uint32_t *k = (const uint32_t *)key;	/* read 32-bit chunks */
+#ifdef	VALGRIND
+	const uint8_t  *k8;
+#endif
+
+	/*-- all but last block: aligned reads and affect 32 bits of (a,b,c) */
+	while (size > 12) {
+	    a += k[0];
+	    b += k[1];
+	    c += k[2];
+	    _JLU3_MIX(a,b,c);
+	    size -= 12;
+	    k += 3;
+	}
+
+	/*------------------------- handle the last (probably partial) block */
+	/* 
+	 * "k[2]<<8" actually reads beyond the end of the string, but
+	 * then shifts out the part it's not allowed to read.  Because the
+	 * string is aligned, the illegal read is in the same word as the
+	 * rest of the string.  Every machine with memory protection I've seen
+	 * does it on word boundaries, so is OK with this.  But VALGRIND will
+	 * still catch it and complain.  The masking trick does make the hash
+	 * noticeably faster for short strings (like English words).
+	 */
+#ifndef VALGRIND
+
+	switch (size) {
+	case 12:	c += k[2]; b+=k[1]; a+=k[0]; break;
+	case 11:	c += k[2]&0xffffff00; b+=k[1]; a+=k[0]; break;
+	case 10:	c += k[2]&0xffff0000; b+=k[1]; a+=k[0]; break;
+	case  9:	c += k[2]&0xff000000; b+=k[1]; a+=k[0]; break;
+	case  8:	b += k[1]; a+=k[0]; break;
+	case  7:	b += k[1]&0xffffff00; a+=k[0]; break;
+	case  6:	b += k[1]&0xffff0000; a+=k[0]; break;
+	case  5:	b += k[1]&0xff000000; a+=k[0]; break;
+	case  4:	a += k[0]; break;
+	case  3:	a += k[0]&0xffffff00; break;
+	case  2:	a += k[0]&0xffff0000; break;
+	case  1:	a += k[0]&0xff000000; break;
+	case  0:	goto exit;
+    }
+
+#else  /* make valgrind happy */
+
+	k8 = (const uint8_t *)k;
+	switch (size) {	/* all the case statements fall through */
+	case 12:	c += k[2]; b+=k[1]; a+=k[0];	break;
+	case 11:	c += ((uint32_t)k8[10])<<8;	/* fallthrough */
+	case 10:	c += ((uint32_t)k8[9])<<16;	/* fallthrough */
+	case  9:	c += ((uint32_t)k8[8])<<24;	/* fallthrough */
+	case  8:	b += k[1]; a+=k[0];		break;
+	case  7:	b += ((uint32_t)k8[6])<<8;	/* fallthrough */
+	case  6:	b += ((uint32_t)k8[5])<<16;	/* fallthrough */
+	case  5:	b += ((uint32_t)k8[4])<<24;	/* fallthrough */
+	case  4:	a += k[0];			break;
+	case  3:	a += ((uint32_t)k8[2])<<8;	/* fallthrough */
+	case  2:	a += ((uint32_t)k8[1])<<16;	/* fallthrough */
+	case  1:	a += ((uint32_t)k8[0])<<24;	break;
+	case  0:	goto exit;
+    }
+
+#endif /* !VALGRIND */
+
+    } else {                        /* need to read the key one byte at a time */
+	const uint8_t *k = (const uint8_t *)key;
+
+	/*----------- all but the last block: affect some 32 bits of (a,b,c) */
+	while (size > 12) {
+	    a += ((uint32_t)k[0])<<24;
+	    a += ((uint32_t)k[1])<<16;
+	    a += ((uint32_t)k[2])<<8;
+	    a += ((uint32_t)k[3]);
+	    b += ((uint32_t)k[4])<<24;
+	    b += ((uint32_t)k[5])<<16;
+	    b += ((uint32_t)k[6])<<8;
+	    b += ((uint32_t)k[7]);
+	    c += ((uint32_t)k[8])<<24;
+	    c += ((uint32_t)k[9])<<16;
+	    c += ((uint32_t)k[10])<<8;
+	    c += ((uint32_t)k[11]);
+	    _JLU3_MIX(a,b,c);
+	    size -= 12;
+	    k += 12;
+	}
+
+	/*---------------------------- last block: affect all 32 bits of (c) */
+	switch (size) {	/* all the case statements fall through */
+	case 12:	c += k[11];			/* fallthrough */
+	case 11:	c += ((uint32_t)k[10])<<8;	/* fallthrough */
+	case 10:	c += ((uint32_t)k[9])<<16;	/* fallthrough */
+	case  9:	c += ((uint32_t)k[8])<<24;	/* fallthrough */
+	case  8:	b += k[7];			/* fallthrough */
+	case  7:	b += ((uint32_t)k[6])<<8;	/* fallthrough */
+	case  6:	b += ((uint32_t)k[5])<<16;	/* fallthrough */
+	case  5:	b += ((uint32_t)k[4])<<24;	/* fallthrough */
+	case  4:	a += k[3];			/* fallthrough */
+	case  3:	a += ((uint32_t)k[2])<<8;	/* fallthrough */
+	case  2:	a += ((uint32_t)k[1])<<16;	/* fallthrough */
+	case  1:	a += ((uint32_t)k[0])<<24;	/* fallthrough */
+	    break;
+	case  0:
+	    goto exit;
+	}
+    }
+
+    _JLU3_FINAL(a,b,c);
+
+exit:
+    return c;
+}
+#endif	/* defined(_JLU3_jlu32b) */
+
+#if defined(_JLU3_SELFTEST)
+
+/* used for timings */
+static void driver1(void)
+{
+    uint8_t buf[256];
+    uint32_t i;
+    uint32_t h=0;
+    time_t a,z;
+
+    time(&a);
+    for (i=0; i<256; ++i) buf[i] = 'x';
+    for (i=0; i<1; ++i) {
+	h = jlu32l(h, &buf[0], sizeof(buf[0]));
+    }
+    time(&z);
+    if (z-a > 0) printf("time %d %.8x\n", (int)(z-a), h);
+}
+
+/* check that every input bit changes every output bit half the time */
+#define HASHSTATE 1
+#define HASHLEN   1
+#define MAXPAIR 60
+#define MAXLEN  70
+static void driver2(void)
+{
+    uint8_t qa[MAXLEN+1], qb[MAXLEN+2], *a = &qa[0], *b = &qb[1];
+    uint32_t c[HASHSTATE], d[HASHSTATE], i=0, j=0, k, l, m=0, z;
+    uint32_t e[HASHSTATE],f[HASHSTATE],g[HASHSTATE],h[HASHSTATE];
+    uint32_t x[HASHSTATE],y[HASHSTATE];
+    uint32_t hlen;
+
+    printf("No more than %d trials should ever be needed \n",MAXPAIR/2);
+    for (hlen=0; hlen < MAXLEN; ++hlen) {
+	z=0;
+	for (i=0; i<hlen; ++i) {	/*-------------- for each input byte, */
+	    for (j=0; j<8; ++j) {	/*--------------- for each input bit, */
+		for (m=1; m<8; ++m) {	/*---- for several possible initvals, */
+		    for (l=0; l<HASHSTATE; ++l)
+			e[l]=f[l]=g[l]=h[l]=x[l]=y[l]=~((uint32_t)0);
+
+		    /* check that every output bit is affected by that input bit */
+		    for (k=0; k<MAXPAIR; k+=2) { 
+			uint32_t finished=1;
+			/* keys have one bit different */
+			for (l=0; l<hlen+1; ++l) {a[l] = b[l] = (uint8_t)0;}
+			/* have a and b be two keys differing in only one bit */
+			a[i] ^= (k<<j);
+			a[i] ^= (k>>(8-j));
+			c[0] = jlu32l(m, a, hlen);
+			b[i] ^= ((k+1)<<j);
+			b[i] ^= ((k+1)>>(8-j));
+			d[0] = jlu32l(m, b, hlen);
+			/* check every bit is 1, 0, set, and not set at least once */
+			for (l=0; l<HASHSTATE; ++l) {
+			    e[l] &= (c[l]^d[l]);
+			    f[l] &= ~(c[l]^d[l]);
+			    g[l] &= c[l];
+			    h[l] &= ~c[l];
+			    x[l] &= d[l];
+			    y[l] &= ~d[l];
+			    if (e[l]|f[l]|g[l]|h[l]|x[l]|y[l]) finished=0;
+			}
+			if (finished) break;
+		    }
+		    if (k>z) z=k;
+		    if (k == MAXPAIR) {
+			printf("Some bit didn't change: ");
+			printf("%.8x %.8x %.8x %.8x %.8x %.8x  ",
+				e[0],f[0],g[0],h[0],x[0],y[0]);
+			printf("i %u j %u m %u len %u\n", i, j, m, hlen);
+		    }
+		    if (z == MAXPAIR) goto done;
+		}
+	    }
+	}
+   done:
+	if (z < MAXPAIR) {
+	    printf("Mix success  %2u bytes  %2u initvals  ",i,m);
+	    printf("required  %u  trials\n", z/2);
+	}
+    }
+    printf("\n");
+}
+
+/* Check for reading beyond the end of the buffer and alignment problems */
+static void driver3(void)
+{
+    uint8_t buf[MAXLEN+20], *b;
+    uint32_t len;
+    uint8_t q[] = "This is the time for all good men to come to the aid of their country...";
+    uint32_t h;
+    uint8_t qq[] = "xThis is the time for all good men to come to the aid of their country...";
+    uint32_t i;
+    uint8_t qqq[] = "xxThis is the time for all good men to come to the aid of their country...";
+    uint32_t j;
+    uint8_t qqqq[] = "xxxThis is the time for all good men to come to the aid of their country...";
+    uint32_t ref,x,y;
+    uint8_t *p;
+    uint32_t m = 13;
+
+    printf("Endianness.  These lines should all be the same (for values filled in):\n");
+    printf("%.8x                            %.8x                            %.8x\n",
+	jlu32w(m, (const uint32_t *)q, (sizeof(q)-1)/4),
+	jlu32w(m, (const uint32_t *)q, (sizeof(q)-5)/4),
+	jlu32w(m, (const uint32_t *)q, (sizeof(q)-9)/4));
+    p = q;
+    printf("%.8x %.8x %.8x %.8x %.8x %.8x %.8x %.8x %.8x %.8x %.8x %.8x\n",
+	jlu32l(m, p, sizeof(q)-1), jlu32l(m, p, sizeof(q)-2),
+	jlu32l(m, p, sizeof(q)-3), jlu32l(m, p, sizeof(q)-4),
+	jlu32l(m, p, sizeof(q)-5), jlu32l(m, p, sizeof(q)-6),
+	jlu32l(m, p, sizeof(q)-7), jlu32l(m, p, sizeof(q)-8),
+	jlu32l(m, p, sizeof(q)-9), jlu32l(m, p, sizeof(q)-10),
+	jlu32l(m, p, sizeof(q)-11), jlu32l(m, p, sizeof(q)-12));
+    p = &qq[1];
+    printf("%.8x %.8x %.8x %.8x %.8x %.8x %.8x %.8x %.8x %.8x %.8x %.8x\n",
+	jlu32l(m, p, sizeof(q)-1), jlu32l(m, p, sizeof(q)-2),
+	jlu32l(m, p, sizeof(q)-3), jlu32l(m, p, sizeof(q)-4),
+	jlu32l(m, p, sizeof(q)-5), jlu32l(m, p, sizeof(q)-6),
+	jlu32l(m, p, sizeof(q)-7), jlu32l(m, p, sizeof(q)-8),
+	jlu32l(m, p, sizeof(q)-9), jlu32l(m, p, sizeof(q)-10),
+	jlu32l(m, p, sizeof(q)-11), jlu32l(m, p, sizeof(q)-12));
+    p = &qqq[2];
+    printf("%.8x %.8x %.8x %.8x %.8x %.8x %.8x %.8x %.8x %.8x %.8x %.8x\n",
+	jlu32l(m, p, sizeof(q)-1), jlu32l(m, p, sizeof(q)-2),
+	jlu32l(m, p, sizeof(q)-3), jlu32l(m, p, sizeof(q)-4),
+	jlu32l(m, p, sizeof(q)-5), jlu32l(m, p, sizeof(q)-6),
+	jlu32l(m, p, sizeof(q)-7), jlu32l(m, p, sizeof(q)-8),
+	jlu32l(m, p, sizeof(q)-9), jlu32l(m, p, sizeof(q)-10),
+	jlu32l(m, p, sizeof(q)-11), jlu32l(m, p, sizeof(q)-12));
+    p = &qqqq[3];
+    printf("%.8x %.8x %.8x %.8x %.8x %.8x %.8x %.8x %.8x %.8x %.8x %.8x\n",
+	jlu32l(m, p, sizeof(q)-1), jlu32l(m, p, sizeof(q)-2),
+	jlu32l(m, p, sizeof(q)-3), jlu32l(m, p, sizeof(q)-4),
+	jlu32l(m, p, sizeof(q)-5), jlu32l(m, p, sizeof(q)-6),
+	jlu32l(m, p, sizeof(q)-7), jlu32l(m, p, sizeof(q)-8),
+	jlu32l(m, p, sizeof(q)-9), jlu32l(m, p, sizeof(q)-10),
+	jlu32l(m, p, sizeof(q)-11), jlu32l(m, p, sizeof(q)-12));
+    printf("\n");
+    for (h=0, b=buf+1; h<8; ++h, ++b) {
+	for (i=0; i<MAXLEN; ++i) {
+	    len = i;
+	    for (j=0; j<i; ++j)
+		*(b+j)=0;
+
+	    /* these should all be equal */
+	    m = 1;
+	    ref = jlu32l(m, b, len);
+	    *(b+i)=(uint8_t)~0;
+	    *(b-1)=(uint8_t)~0;
+	    x = jlu32l(m, b, len);
+	    y = jlu32l(m, b, len);
+	    if ((ref != x) || (ref != y)) 
+		printf("alignment error: %.8x %.8x %.8x %u %u\n",ref,x,y, h, i);
+	}
+    }
+}
+
+/* check for problems with nulls */
+static void driver4(void)
+{
+    uint8_t buf[1];
+    uint32_t h;
+    uint32_t i;
+    uint32_t state[HASHSTATE];
+
+    buf[0] = ~0;
+    for (i=0; i<HASHSTATE; ++i)
+	state[i] = 1;
+    printf("These should all be different\n");
+    h = 0;
+    for (i=0; i<8; ++i) {
+	h = jlu32l(h, buf, 0);
+	printf("%2ld  0-byte strings, hash is  %.8x\n", (long)i, h);
+    }
+}
+
+
+int main(int argc, char ** argv)
+{
+    driver1();	/* test that the key is hashed: used for timings */
+    driver2();	/* test that whole key is hashed thoroughly */
+    driver3();	/* test that nothing but the key is hashed */
+    driver4();	/* test hashing multiple buffers (all buffers are null) */
+    return 1;
+}
+
+#endif  /* _JLU3_SELFTEST */
--- a/popt/popt.c
+++ b/popt/popt.c
--- a/popt/popt.h
+++ b/popt/popt.h
@@ -1,5 +1,4 @@
-/** \file popt/popt.h
- * \ingroup popt
+/** @file
 */

 /* (C) 1998-2000 Red Hat, Inc. -- Licensing details are in the COPYING
@@ -13,45 +12,49 @@

 #define POPT_OPTION_DEPTH	10

-/** \ingroup popt
+/**
 * \name Arg type identifiers
 */
-/*@{*/
-#define POPT_ARG_NONE		0	/*!< no arg */
-#define POPT_ARG_STRING		1	/*!< arg will be saved as string */
-#define POPT_ARG_INT		2	/*!< arg will be converted to int */
-#define POPT_ARG_LONG		3	/*!< arg will be converted to long */
-#define POPT_ARG_INCLUDE_TABLE	4	/*!< arg points to table */
-#define POPT_ARG_CALLBACK	5	/*!< table-wide callback... must be
+#define POPT_ARG_NONE		 0U	/*!< no arg */
+#define POPT_ARG_STRING		 1U	/*!< arg will be saved as string */
+#define POPT_ARG_INT		 2U	/*!< arg ==> int */
+#define POPT_ARG_LONG		 3U	/*!< arg ==> long */
+#define POPT_ARG_INCLUDE_TABLE	 4U	/*!< arg points to table */
+#define POPT_ARG_CALLBACK	 5U	/*!< table-wide callback... must be
 					   set first in table; arg points 
 					   to callback, descrip points to 
 					   callback data to pass */
-#define POPT_ARG_INTL_DOMAIN    6       /*!< set the translation domain
+#define POPT_ARG_INTL_DOMAIN     6U	/*!< set the translation domain
 					   for this table and any
 					   included tables; arg points
 					   to the domain string */
-#define POPT_ARG_VAL		7	/*!< arg should take value val */
-#define	POPT_ARG_FLOAT		8	/*!< arg will be converted to float */
-#define	POPT_ARG_DOUBLE		9	/*!< arg will be converted to double */
+#define POPT_ARG_VAL		 7U	/*!< arg should take value val */
+#define	POPT_ARG_FLOAT		 8U	/*!< arg ==> float */
+#define	POPT_ARG_DOUBLE		 9U	/*!< arg ==> double */
+#define	POPT_ARG_LONGLONG	 10U	/*!< arg ==> long long */

-#define POPT_ARG_MASK		0x0000FFFF
-/*@}*/
+#define POPT_ARG_MAINCALL	(16U+11U)	/*!< EXPERIMENTAL: return (*arg) (argc, argv) */
+#define	POPT_ARG_ARGV		12U	/*!< dupe'd arg appended to realloc'd argv array. */
+#define	POPT_ARG_SHORT		13U	/*!< arg ==> short */
+#define	POPT_ARG_BITSET		(16U+14U)	/*!< arg ==> bit set */

-/** \ingroup popt
+#define POPT_ARG_MASK		0x000000FFU
+#define POPT_GROUP_MASK		0x0000FF00U
+
+/**
 * \name Arg modifiers
 */
-/*@{*/
-#define POPT_ARGFLAG_ONEDASH	0x80000000  /*!< allow -longoption */
-#define POPT_ARGFLAG_DOC_HIDDEN 0x40000000  /*!< don't show in help/usage */
-#define POPT_ARGFLAG_STRIP	0x20000000  /*!< strip this arg from argv(only applies to long args) */
-#define	POPT_ARGFLAG_OPTIONAL	0x10000000  /*!< arg may be missing */
+#define POPT_ARGFLAG_ONEDASH	0x80000000U  /*!< allow -longoption */
+#define POPT_ARGFLAG_DOC_HIDDEN 0x40000000U  /*!< don't show in help/usage */
+#define POPT_ARGFLAG_STRIP	0x20000000U  /*!< strip this arg from argv(only applies to long args) */
+#define	POPT_ARGFLAG_OPTIONAL	0x10000000U  /*!< arg may be missing */

-#define	POPT_ARGFLAG_OR		0x08000000  /*!< arg will be or'ed */
-#define	POPT_ARGFLAG_NOR	0x09000000  /*!< arg will be nor'ed */
-#define	POPT_ARGFLAG_AND	0x04000000  /*!< arg will be and'ed */
-#define	POPT_ARGFLAG_NAND	0x05000000  /*!< arg will be nand'ed */
-#define	POPT_ARGFLAG_XOR	0x02000000  /*!< arg will be xor'ed */
-#define	POPT_ARGFLAG_NOT	0x01000000  /*!< arg will be negated */
+#define	POPT_ARGFLAG_OR		0x08000000U  /*!< arg will be or'ed */
+#define	POPT_ARGFLAG_NOR	0x09000000U  /*!< arg will be nor'ed */
+#define	POPT_ARGFLAG_AND	0x04000000U  /*!< arg will be and'ed */
+#define	POPT_ARGFLAG_NAND	0x05000000U  /*!< arg will be nand'ed */
+#define	POPT_ARGFLAG_XOR	0x02000000U  /*!< arg will be xor'ed */
+#define	POPT_ARGFLAG_NOT	0x01000000U  /*!< arg will be negated */
 #define POPT_ARGFLAG_LOGICALOPS \
        (POPT_ARGFLAG_OR|POPT_ARGFLAG_AND|POPT_ARGFLAG_XOR)

@@ -60,158 +63,126 @@
 #define	POPT_BIT_CLR	(POPT_ARG_VAL|POPT_ARGFLAG_NAND)
 					/*!< clear arg bit(s) */

-#define	POPT_ARGFLAG_SHOW_DEFAULT 0x00800000 /*!< show default value in --help */
+#define	POPT_ARGFLAG_SHOW_DEFAULT 0x00800000U /*!< show default value in --help */
+#define	POPT_ARGFLAG_RANDOM	0x00400000U  /*!< random value in [1,arg] */
+#define	POPT_ARGFLAG_TOGGLE	0x00200000U  /*!< permit --[no]opt prefix toggle */

-/*@}*/
-
-/** \ingroup popt
+/**
 * \name Callback modifiers
 */
-/*@{*/
-#define POPT_CBFLAG_PRE		0x80000000  /*!< call the callback before parse */
-#define POPT_CBFLAG_POST	0x40000000  /*!< call the callback after parse */
-#define POPT_CBFLAG_INC_DATA	0x20000000  /*!< use data from the include line,
+#define POPT_CBFLAG_PRE		0x80000000U  /*!< call the callback before parse */
+#define POPT_CBFLAG_POST	0x40000000U  /*!< call the callback after parse */
+#define POPT_CBFLAG_INC_DATA	0x20000000U  /*!< use data from the include line,
 					       not the subtable */
-#define POPT_CBFLAG_SKIPOPTION	0x10000000  /*!< don't callback with option */
-#define POPT_CBFLAG_CONTINUE	0x08000000  /*!< continue callbacks with option */
-/*@}*/
+#define POPT_CBFLAG_SKIPOPTION	0x10000000U  /*!< don't callback with option */
+#define POPT_CBFLAG_CONTINUE	0x08000000U  /*!< continue callbacks with option */

-/** \ingroup popt
+/**
 * \name Error return values
 */
-/*@{*/
 #define POPT_ERROR_NOARG	-10	/*!< missing argument */
 #define POPT_ERROR_BADOPT	-11	/*!< unknown option */
 #define POPT_ERROR_UNWANTEDARG	-12	/*!< option does not take an argument */
 #define POPT_ERROR_OPTSTOODEEP	-13	/*!< aliases nested too deeply */
-#define POPT_ERROR_BADQUOTE	-15	/*!< error in paramter quoting */
+#define POPT_ERROR_BADQUOTE	-15	/*!< error in parameter quoting */
 #define POPT_ERROR_ERRNO	-16	/*!< errno set, use strerror(errno) */
 #define POPT_ERROR_BADNUMBER	-17	/*!< invalid numeric value */
 #define POPT_ERROR_OVERFLOW	-18	/*!< number too large or too small */
 #define	POPT_ERROR_BADOPERATION	-19	/*!< mutually exclusive logical operations requested */
 #define	POPT_ERROR_NULLARG	-20	/*!< opt->arg should not be NULL */
 #define	POPT_ERROR_MALLOC	-21	/*!< memory allocation failed */
-/*@}*/
+#define	POPT_ERROR_BADCONFIG	-22	/*!< config file failed sanity test */

-/** \ingroup popt
+/**
 * \name poptBadOption() flags
 */
-/*@{*/
-#define POPT_BADOPTION_NOALIAS  (1 << 0)  /*!< don't go into an alias */
-/*@}*/
+#define POPT_BADOPTION_NOALIAS  (1U << 0)  /*!< don't go into an alias */

-/** \ingroup popt
+/**
 * \name poptGetContext() flags
 */
-/*@{*/
-#define POPT_CONTEXT_NO_EXEC	(1 << 0)  /*!< ignore exec expansions */
-#define POPT_CONTEXT_KEEP_FIRST	(1 << 1)  /*!< pay attention to argv[0] */
-#define POPT_CONTEXT_POSIXMEHARDER (1 << 2) /*!< options can't follow args */
-#define POPT_CONTEXT_ARG_OPTS	(1 << 4) /*!< return args as options with value 0 */
-/*@}*/
+#define POPT_CONTEXT_NO_EXEC	(1U << 0)  /*!< ignore exec expansions */
+#define POPT_CONTEXT_KEEP_FIRST	(1U << 1)  /*!< pay attention to argv[0] */
+#define POPT_CONTEXT_POSIXMEHARDER (1U << 2) /*!< options can't follow args */
+#define POPT_CONTEXT_ARG_OPTS	(1U << 4) /*!< return args as options with value 0 */

-/** \ingroup popt
+/**
 */
 struct poptOption {
-/*@observer@*/ /*@null@*/
    const char * longName;	/*!< may be NULL */
-    char shortName;		/*!< may be NUL */
-    int argInfo;
-/*@shared@*/ /*@null@*/
+    char shortName;		/*!< may be '\0' */
+    unsigned int argInfo;	/*!< type of argument expected after the option */
    void * arg;			/*!< depends on argInfo */
-    int val;			/*!< 0 means don't return, just update flag */
-/*@observer@*/ /*@null@*/
+    int val;			/*!< 0 means don't return, just update arg */
    const char * descrip;	/*!< description for autohelp -- may be NULL */
-/*@observer@*/ /*@null@*/
-    const char * argDescrip;	/*!< argument description for autohelp */
+    const char * argDescrip;	/*!< argument description for autohelp -- may be NULL */
 };

-/** \ingroup popt
+/**
 * A popt alias argument for poptAddAlias().
 */
 struct poptAlias {
-/*@owned@*/ /*@null@*/
    const char * longName;	/*!< may be NULL */
    char shortName;		/*!< may be NUL */
    int argc;
-/*@owned@*/
    const char ** argv;		/*!< must be free()able */
 };

-/** \ingroup popt
+/**
 * A popt alias or exec argument for poptAddItem().
 */
-/*@-exporttype@*/
 typedef struct poptItem_s {
    struct poptOption option;	/*!< alias/exec name(s) and description. */
    int argc;			/*!< (alias) no. of args. */
-/*@owned@*/
    const char ** argv;		/*!< (alias) args, must be free()able. */
 } * poptItem;
-/*@=exporttype@*/

-/** \ingroup popt
+/**
 * \name Auto-generated help/usage
 */
-/*@{*/

 /**
 * Empty table marker to enable displaying popt alias/exec options.
 */
-/*@-exportvar@*/
-/*@unchecked@*/ /*@observer@*/
 extern struct poptOption poptAliasOptions[];
-/*@=exportvar@*/
 #define POPT_AUTOALIAS { NULL, '\0', POPT_ARG_INCLUDE_TABLE, poptAliasOptions, \
 			0, "Options implemented via popt alias/exec:", NULL },

 /**
 * Auto help table options.
 */
-/*@-exportvar@*/
-/*@unchecked@*/ /*@observer@*/
 extern struct poptOption poptHelpOptions[];
-/*@=exportvar@*/

-/*@-exportvar@*/
-/*@unchecked@*/ /*@observer@*/
 extern struct poptOption * poptHelpOptionsI18N;
-/*@=exportvar@*/

 #define POPT_AUTOHELP { NULL, '\0', POPT_ARG_INCLUDE_TABLE, poptHelpOptions, \
 			0, "Help options:", NULL },

-#define POPT_TABLEEND { NULL, '\0', 0, 0, 0, NULL, NULL }
-/*@}*/
+#define POPT_TABLEEND { NULL, '\0', 0, NULL, 0, NULL, NULL }

-/** \ingroup popt
+/**
 */
-/*@-exporttype@*/
-typedef /*@abstract@*/ struct poptContext_s * poptContext;
-/*@=exporttype@*/
+typedef struct poptContext_s * poptContext;

-/** \ingroup popt
+/**
 */
 #ifndef __cplusplus
-/*@-exporttype -typeuse@*/
 typedef struct poptOption * poptOption;
-/*@=exporttype =typeuse@*/
 #endif

-/*@-exportconst@*/
+/**
+ */
 enum poptCallbackReason {
    POPT_CALLBACK_REASON_PRE	= 0, 
    POPT_CALLBACK_REASON_POST	= 1,
    POPT_CALLBACK_REASON_OPTION = 2
 };
-/*@=exportconst@*/

 #ifdef __cplusplus
 extern "C" {
 #endif
-/*@-type@*/

-/** \ingroup popt
+/**
 * Table callback prototype.
 * @param con		context
 * @param reason	reason for callback
@@ -221,13 +192,18 @@ extern "C" {
 */
 typedef void (*poptCallbackType) (poptContext con, 
 		enum poptCallbackReason reason,
-		/*@null@*/ const struct poptOption * opt,
-		/*@null@*/ const char * arg,
-		/*@null@*/ const void * data)
-	/*@globals internalState @*/
-	/*@modifies internalState @*/;
+		const struct poptOption * opt,
+		const char * arg,
+		const void * data);

-/** \ingroup popt
+/**
+ * Destroy context.
+ * @param con		context
+ * @return		NULL always
+ */
+poptContext poptFreeContext( poptContext con);
+
+/**
 * Initialize popt context.
 * @param name		context name (usually argv[0] program name)
 * @param argc		no. of arguments
@@ -236,97 +212,90 @@ typedef void (*poptCallbackType) (poptContext con,
 * @param flags		or'd POPT_CONTEXT_* bits
 * @return		initialized popt context
 */
-/*@only@*/ /*@null@*/
 poptContext poptGetContext(
-		/*@dependent@*/ /*@keep@*/ const char * name,
-		int argc, /*@dependent@*/ /*@keep@*/ const char ** argv,
-		/*@dependent@*/ /*@keep@*/ const struct poptOption * options,
-		int flags)
-	/*@*/;
+		const char * name,
+		int argc, const char ** argv,
+		const struct poptOption * options,
+		unsigned int flags);

-/** \ingroup popt
+/**
+ * Destroy context (alternative implementation).
+ * @param con		context
+ * @return		NULL always
+ */
+poptContext poptFini( poptContext con);
+
+/**
+ * Initialize popt context (alternative implementation).
+ * This routine does poptGetContext() and then poptReadConfigFiles().
+ * @param argc		no. of arguments
+ * @param argv		argument array
+ * @param options	address of popt option table
+ * @param configPaths	colon separated file path(s) to read.
+ * @return		initialized popt context (NULL on error).
+ */
+poptContext poptInit(int argc, const char ** argv,
+		const struct poptOption * options,
+		const char * configPaths);
+
+/**
 * Reinitialize popt context.
 * @param con		context
 */
-/*@unused@*/
-void poptResetContext(/*@null@*/poptContext con)
-	/*@modifies con @*/;
+void poptResetContext(poptContext con);

-/** \ingroup popt
+/**
 * Return value of next option found.
 * @param con		context
 * @return		next option val, -1 on last item, POPT_ERROR_* on error
 */
-int poptGetNextOpt(/*@null@*/poptContext con)
-	/*@globals fileSystem, internalState @*/
-	/*@modifies con, fileSystem, internalState @*/;
+int poptGetNextOpt(poptContext con);

-/** \ingroup popt
+/**
 * Return next option argument (if any).
 * @param con		context
 * @return		option argument, NULL if no argument is available
 */
-/*@observer@*/ /*@null@*/ /*@unused@*/
-const char * poptGetOptArg(/*@null@*/poptContext con)
-	/*@modifies con @*/;
+char * poptGetOptArg(poptContext con);

-/** \ingroup popt
+/**
 * Return next argument.
 * @param con		context
 * @return		next argument, NULL if no argument is available
 */
-/*@observer@*/ /*@null@*/ /*@unused@*/
-const char * poptGetArg(/*@null@*/poptContext con)
-	/*@modifies con @*/;
+const char * poptGetArg(poptContext con);

-/** \ingroup popt
+/**
 * Peek at current argument.
 * @param con		context
 * @return		current argument, NULL if no argument is available
 */
-/*@observer@*/ /*@null@*/ /*@unused@*/
-const char * poptPeekArg(/*@null@*/poptContext con)
-	/*@*/;
+const char * poptPeekArg(poptContext con);

-/** \ingroup popt
+/**
 * Return remaining arguments.
 * @param con		context
 * @return		argument array, NULL terminated
 */
-/*@observer@*/ /*@null@*/
-const char ** poptGetArgs(/*@null@*/poptContext con)
-	/*@modifies con @*/;
+const char ** poptGetArgs(poptContext con);

-/** \ingroup popt
+/**
 * Return the option which caused the most recent error.
 * @param con		context
 * @param flags
 * @return		offending option
 */
-/*@observer@*/
-const char * poptBadOption(/*@null@*/poptContext con, int flags)
-	/*@*/;
+const char * poptBadOption(poptContext con, unsigned int flags);

-/** \ingroup popt
- * Destroy context.
- * @param con		context
- * @return		NULL always
- */
-/*@null@*/
-poptContext poptFreeContext( /*@only@*/ /*@null@*/ poptContext con)
-	/*@modifies con @*/;
-
-/** \ingroup popt
+/**
 * Add arguments to context.
 * @param con		context
 * @param argv		argument array, NULL terminated
 * @return		0 on success, POPT_ERROR_OPTSTOODEEP on failure
 */
-/*@unused@*/
-int poptStuffArgs(poptContext con, /*@keep@*/ const char ** argv)
-	/*@modifies con @*/;
+int poptStuffArgs(poptContext con, const char ** argv);

-/** \ingroup popt
+/**
 * Add alias to context.
 * @todo Pass alias by reference, not value.
 * @deprecated Use poptAddItem instead.
@@ -335,44 +304,64 @@ int poptStuffArgs(poptContext con, /*@keep@*/ const char ** argv)
 * @param flags		(unused)
 * @return		0 on success
 */
-/*@unused@*/
-int poptAddAlias(poptContext con, struct poptAlias alias, int flags)
-	/*@modifies con @*/;
+int poptAddAlias(poptContext con, struct poptAlias alias, int flags);

-/** \ingroup popt
+/**
 * Add alias/exec item to context.
 * @param con		context
 * @param newItem	alias/exec item to add
 * @param flags		0 for alias, 1 for exec
 * @return		0 on success
 */
-int poptAddItem(poptContext con, poptItem newItem, int flags)
-	/*@modifies con @*/;
+int poptAddItem(poptContext con, poptItem newItem, int flags);

-/** \ingroup popt
+/**
+ * Test path/file for config file sanity (regular file, permissions etc)
+ * @param fn		file name
+ * @return		1 on OK, 0 on NOTOK.
+ */
+int poptSaneFile(const char * fn);
+
+/**
+ * Read a file into a buffer.
+ * @param fn		file name
+ * @retval *bp		buffer (malloc'd) (or NULL)
+ * @retval *nbp		no. of bytes in buffer (including final NUL) (or NULL)
+ * @param flags		1 to trim escaped newlines
+ * return		0 on success
+ */
+int poptReadFile(const char * fn, char ** bp,
+		size_t * nbp, int flags);
+#define	POPT_READFILE_TRIMNEWLINES	1
+
+/**
 * Read configuration file.
 * @param con		context
 * @param fn		file name to read
 * @return		0 on success, POPT_ERROR_ERRNO on failure
 */
-int poptReadConfigFile(poptContext con, const char * fn)
-	/*@globals errno, fileSystem, internalState @*/
-	/*@modifies con->execs, con->numExecs,
-		errno, fileSystem, internalState @*/;
+int poptReadConfigFile(poptContext con, const char * fn);

-/** \ingroup popt
+/**
+ * Read configuration file(s).
+ * Colon separated files to read, looping over poptReadConfigFile().
+ * Note that an '@' character preceding a path in the list will
+ * also perform additional sanity checks on the file before reading.
+ * @param con		context
+ * @param paths		colon separated file name(s) to read
+ * @return		0 on success, POPT_ERROR_BADCONFIG on failure
+ */
+int poptReadConfigFiles(poptContext con, const char * paths);
+
+/**
 * Read default configuration from /etc/popt and $HOME/.popt.
 * @param con		context
 * @param useEnv	(unused)
 * @return		0 on success, POPT_ERROR_ERRNO on failure
 */
-/*@unused@*/
-int poptReadDefaultConfig(poptContext con, /*@unused@*/ int useEnv)
-	/*@globals fileSystem, internalState @*/
-	/*@modifies con->execs, con->numExecs,
-		fileSystem, internalState @*/;
+int poptReadDefaultConfig(poptContext con, int useEnv);

-/** \ingroup popt
+/**
 * Duplicate an argument array.
 * @note: The argument array is malloc'd as a single area, so only argv must
 * be free'd.
@@ -383,12 +372,11 @@ int poptReadDefaultConfig(poptContext con, /*@unused@*/ int useEnv)
 * @retval argvPtr	address of returned argument array
 * @return		0 on success, POPT_ERROR_NOARG on failure
 */
-int poptDupArgv(int argc, /*@null@*/ const char **argv,
-		/*@null@*/ /*@out@*/ int * argcPtr,
-		/*@null@*/ /*@out@*/ const char *** argvPtr)
-	/*@modifies *argcPtr, *argvPtr @*/;
+int poptDupArgv(int argc, const char **argv,
+		int * argcPtr,
+		const char *** argvPtr);

-/** \ingroup popt
+/**
 * Parse a string into an argument array.
 * The parse allows ', ", and \ quoting, but ' is treated the same as " and
 * both may include \ quotes.
@@ -400,10 +388,9 @@ int poptDupArgv(int argc, /*@null@*/ const char **argv,
 * @retval argvPtr	address of returned argument array
 */
 int poptParseArgvString(const char * s,
-		/*@out@*/ int * argcPtr, /*@out@*/ const char *** argvPtr)
-	/*@modifies *argcPtr, *argvPtr @*/;
+		int * argcPtr, const char *** argvPtr);

-/** \ingroup popt
+/**
 * Parses an input configuration file and returns an string that is a 
 * command line.  For use with popt.  You must free the return value when done.
 *
@@ -418,8 +405,8 @@ bla=bla

 this_is   =   fdsafdas
     bad_line=        
-  reall bad line  
-  reall bad line  = again
+  really bad line
+  really bad line  = again
 5555=   55555   
  test = with lots of spaces
 \endverbatim
@@ -449,83 +436,82 @@ this_is   =   fdsafdas
 * @return		0 on success
 * @see			poptParseArgvString
 */
-/*@-fcnuse@*/
-int poptConfigFileToString(FILE *fp, /*@out@*/ char ** argstrp, int flags)
-	/*@globals fileSystem @*/
-	/*@modifies *fp, *argstrp, fileSystem @*/;
-/*@=fcnuse@*/
+int poptConfigFileToString(FILE *fp, char ** argstrp, int flags);

-/** \ingroup popt
+/**
 * Return formatted error string for popt failure.
 * @param error		popt error
 * @return		error string
 */
-/*@observer@*/
-const char * poptStrerror(const int error)
-	/*@*/;
+const char * poptStrerror(const int error);

-/** \ingroup popt
+/**
 * Limit search for executables.
 * @param con		context
 * @param path		single path to search for executables
 * @param allowAbsolute	absolute paths only?
 */
-/*@unused@*/
-void poptSetExecPath(poptContext con, const char * path, int allowAbsolute)
-	/*@modifies con @*/;
+void poptSetExecPath(poptContext con, const char * path, int allowAbsolute);

-/** \ingroup popt
+/**
 * Print detailed description of options.
 * @param con		context
- * @param fp		ouput file handle
+ * @param fp		output file handle
 * @param flags		(unused)
 */
-void poptPrintHelp(poptContext con, FILE * fp, /*@unused@*/ int flags)
-	/*@globals fileSystem @*/
-	/*@modifies *fp, fileSystem @*/;
+void poptPrintHelp(poptContext con, FILE * fp, int flags);

-/** \ingroup popt
+/**
 * Print terse description of options.
 * @param con		context
- * @param fp		ouput file handle
+ * @param fp		output file handle
 * @param flags		(unused)
 */
-void poptPrintUsage(poptContext con, FILE * fp, /*@unused@*/ int flags)
-	/*@globals fileSystem @*/
-	/*@modifies *fp, fileSystem @*/;
+void poptPrintUsage(poptContext con, FILE * fp, int flags);

-/** \ingroup popt
+/**
 * Provide text to replace default "[OPTION...]" in help/usage output.
 * @param con		context
 * @param text		replacement text
 */
-/*@-fcnuse@*/
-void poptSetOtherOptionHelp(poptContext con, const char * text)
-	/*@modifies con @*/;
-/*@=fcnuse@*/
+void poptSetOtherOptionHelp(poptContext con, const char * text);

-/** \ingroup popt
+/**
 * Return argv[0] from context.
 * @param con		context
 * @return		argv[0]
 */
-/*@-fcnuse@*/
-/*@observer@*/
-const char * poptGetInvocationName(poptContext con)
-	/*@*/;
-/*@=fcnuse@*/
+const char * poptGetInvocationName(poptContext con);

-/** \ingroup popt
+/**
 * Shuffle argv pointers to remove stripped args, returns new argc.
 * @param con		context
 * @param argc		no. of args
 * @param argv		arg vector
 * @return		new argc
 */
-/*@-fcnuse@*/
-int poptStrippedArgv(poptContext con, int argc, char ** argv)
-	/*@modifies *argv @*/;
-/*@=fcnuse@*/
+int poptStrippedArgv(poptContext con, int argc, char ** argv);
+
+/**
+ * Add a string to an argv array.
+ * @retval *argvp	argv array
+ * @param argInfo	(unused)
+ * @param val		string arg to add (using strdup)
+ * @return		0 on success, POPT_ERROR_NULLARG/POPT_ERROR_BADOPERATION
+ */
+int poptSaveString(const char *** argvp, unsigned int argInfo,
+		const char * val);
+
+/**
+ * Save a long long, performing logical operation with value.
+ * @warning Alignment check may be too strict on certain platorms.
+ * @param arg		integer pointer, aligned on int boundary.
+ * @param argInfo	logical operation (see POPT_ARGFLAG_*)
+ * @param aLongLong	value to use
+ * @return		0 on success, POPT_ERROR_NULLARG/POPT_ERROR_BADOPERATION
+ */
+int poptSaveLongLong(long long * arg, unsigned int argInfo,
+		long long aLongLong);

 /**
 * Save a long, performing logical operation with value.
@@ -535,12 +521,17 @@ int poptStrippedArgv(poptContext con, int argc, char ** argv)
 * @param aLong		value to use
 * @return		0 on success, POPT_ERROR_NULLARG/POPT_ERROR_BADOPERATION
 */
-/*@-incondefs@*/
-/*@unused@*/
-int poptSaveLong(/*@null@*/ long * arg, int argInfo, long aLong)
-	/*@modifies *arg @*/
-	/*@requires maxSet(arg) >= 0 /\ maxRead(arg) == 0 @*/;
-/*@=incondefs@*/
+int poptSaveLong(long * arg, unsigned int argInfo, long aLong);
+
+/**
+ * Save a short integer, performing logical operation with value.
+ * @warning Alignment check may be too strict on certain platorms.
+ * @param arg		short pointer, aligned on short boundary.
+ * @param argInfo	logical operation (see POPT_ARGFLAG_*)
+ * @param aLong		value to use
+ * @return		0 on success, POPT_ERROR_NULLARG/POPT_ERROR_BADOPERATION
+ */
+int poptSaveShort(short * arg, unsigned int argInfo, long aLong);

 /**
 * Save an integer, performing logical operation with value.
@@ -550,14 +541,40 @@ int poptSaveLong(/*@null@*/ long * arg, int argInfo, long aLong)
 * @param aLong		value to use
 * @return		0 on success, POPT_ERROR_NULLARG/POPT_ERROR_BADOPERATION
 */
-/*@-incondefs@*/
-/*@unused@*/
-int poptSaveInt(/*@null@*/ int * arg, int argInfo, long aLong)
-	/*@modifies *arg @*/
-	/*@requires maxSet(arg) >= 0 /\ maxRead(arg) == 0 @*/;
-/*@=incondefs@*/
+int poptSaveInt(int * arg, unsigned int argInfo, long aLong);
+
+/* The bit set typedef. */
+typedef struct poptBits_s {
+    unsigned int bits[1];
+} * poptBits;
+
+#define _POPT_BITS_N    1024U	/*!< estimated population */
+#define _POPT_BITS_M    ((3U * _POPT_BITS_N) / 2U)
+#define _POPT_BITS_K    16U	/*!< no. of linear hash combinations */
+
+extern unsigned int _poptBitsN;
+extern  unsigned int _poptBitsM;
+extern  unsigned int _poptBitsK;
+
+int poptBitsAdd(poptBits bits, const char * s);
+int poptBitsChk(poptBits bits, const char * s);
+int poptBitsClr(poptBits bits);
+int poptBitsDel(poptBits bits, const char * s);
+int poptBitsIntersect(poptBits * ap, const poptBits b);
+int poptBitsUnion(poptBits * ap, const poptBits b);
+int poptBitsArgs(poptContext con, poptBits * ap);
+
+/**
+ * Save a string into a bit set (experimental).
+ * @retval *bits	bit set (lazily malloc'd if NULL)
+ * @param argInfo	logical operation (see POPT_ARGFLAG_*)
+ * @param s		string to add to bit set
+ * @return		0 on success, POPT_ERROR_NULLARG/POPT_ERROR_BADOPERATION
+ */
+int poptSaveBits(poptBits * bitsp, unsigned int argInfo,
+		const char * s);
+

-/*@=type@*/
 #ifdef  __cplusplus
 }
 #endif
--- a/popt/poptconfig.c
+++ b/popt/poptconfig.c
@@ -1,5 +1,5 @@
 /** \ingroup popt
- * \file popt/poptconfig.c
+ * @file
 */

 /* (C) 1998-2002 Red Hat, Inc. -- Licensing details are in the COPYING
@@ -8,54 +8,300 @@

 #include "system.h"
 #include "poptint.h"
-/*@access poptContext @*/
+#include <sys/stat.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <errno.h>

-/*@-compmempass@*/	/* FIX: item->option.longName kept, not dependent. */
-static void configLine(poptContext con, char * line)
-	/*@modifies con @*/
+#if defined(HAVE_FNMATCH_H)
+#include <fnmatch.h>
+
+#endif
+
+#if defined(HAVE_GLOB_H)
+#include <glob.h>
+
+#if !defined(HAVE_GLOB_PATTERN_P)
+/* Return nonzero if PATTERN contains any metacharacters.
+   Metacharacters can be quoted with backslashes if QUOTE is nonzero.  */
+static int
+glob_pattern_p (const char * pattern, int quote)
 {
-    size_t nameLength;
+    const char * p;
+    int open = 0;
+
+    for (p = pattern; *p != '\0'; ++p)
+    switch (*p) {
+    case '?':
+    case '*':
+	return 1;
+	break;
+    case '\\':
+	if (quote && p[1] != '\0')
+	  ++p;
+	break;
+    case '[':
+	open = 1;
+	break;
+    case ']':
+	if (open)
+	  return 1;
+	break;
+    }
+    return 0;
+}
+#endif	/* !defined(__GLIBC__) */
+
+static int poptGlobFlags = 0;
+
+static int poptGlob_error(UNUSED(const char * epath),
+		UNUSED(int eerrno))
+{
+    return 1;
+}
+#endif	/* HAVE_GLOB_H */
+
+/**
+ * Return path(s) from a glob pattern.
+ * @param con		context
+ * @param pattern	glob pattern
+ * @retval *acp		no. of paths
+ * @retval *avp		array of paths
+ * @return		0 on success
+ */
+static int poptGlob(UNUSED(poptContext con), const char * pattern,
+		int * acp, const char *** avp)
+{
+    const char * pat = pattern;
+    int rc = 0;		/* assume success */
+
+#if defined(HAVE_GLOB_H)
+    if (glob_pattern_p(pat, 0)) {
+	glob_t _g, *pglob = &_g;
+
+	if (!(rc = glob(pat, poptGlobFlags, poptGlob_error, pglob))) {
+	    if (acp) {
+		*acp = (int) pglob->gl_pathc;
+		pglob->gl_pathc = 0;
+	    }
+	    if (avp) {
+		*avp = (const char **) pglob->gl_pathv;
+		pglob->gl_pathv = NULL;
+	    }
+	    globfree(pglob);
+	} else if (rc == GLOB_NOMATCH) {
+	    *avp = NULL;
+	    *acp = 0;
+	    rc = 0;
+	} else
+	    rc = POPT_ERROR_ERRNO;
+    } else
+#endif	/* HAVE_GLOB_H */
+    {
+	if (acp)
+	    *acp = 1;
+	if (avp && (*avp = calloc((size_t)(1 + 1), sizeof (**avp))) != NULL)
+	    (*avp)[0] = xstrdup(pat);
+    }
+
+    return rc;
+}
+
+
+int poptSaneFile(const char * fn)
+{
+    struct stat sb;
+
+    if (fn == NULL || strstr(fn, ".rpmnew") || strstr(fn, ".rpmsave"))
+	return 0;
+    if (stat(fn, &sb) == -1)
+	return 0;
+    if (!S_ISREG(sb.st_mode))
+	return 0;
+    if (sb.st_mode & (S_IXUSR|S_IXGRP|S_IXOTH))
+	return 0;
+    return 1;
+}
+
+int poptReadFile(const char * fn, char ** bp, size_t * nbp, int flags)
+{
+    int fdno;
+    char * b = NULL;
+    off_t nb = 0;
+    char * s, * t, * se;
+    int rc = POPT_ERROR_ERRNO;	/* assume failure */
+
+    fdno = open(fn, O_RDONLY);
+    if (fdno < 0)
+	goto exit;
+
+    if ((nb = lseek(fdno, 0, SEEK_END)) == (off_t)-1
+     || (uintmax_t)nb >= SIZE_MAX
+     || lseek(fdno, 0, SEEK_SET) == (off_t)-1
+     || (b = calloc(sizeof(*b), (size_t)nb + 1)) == NULL
+     || read(fdno, (char *)b, (size_t)nb) != (ssize_t)nb)
+    {
+	int oerrno = errno;
+	(void) close(fdno);
+	if (nb != (off_t)-1 && (uintmax_t)nb >= SIZE_MAX)
+	    errno = -EOVERFLOW;
+	else
+	    errno = oerrno;
+	goto exit;
+    }
+    if (close(fdno) == -1)
+	goto exit;
+    if (b == NULL) {
+	rc = POPT_ERROR_MALLOC;
+	goto exit;
+    }
+    rc = 0;
+
+   /* Trim out escaped newlines. */
+    if (flags & POPT_READFILE_TRIMNEWLINES)
+    {
+	for (t = b, s = b, se = b + nb; *s && s < se; s++) {
+	    switch (*s) {
+	    case '\\':
+		if (s[1] == '\n') {
+		    s++;
+		    continue;
+		}
+		/* fallthrough */
+	    default:
+		*t++ = *s;
+		break;
+	    }
+	}
+	*t++ = '\0';
+	nb = (off_t)(t - b);
+    }
+
+exit:
+    if (rc != 0) {
+	if (b)
+	    free(b);
+	b = NULL;
+	nb = 0;
+    }
+    if (bp)
+	*bp = b;
+    else if (b)
+	free(b);
+    if (nbp)
+	*nbp = (size_t)nb;
+    return rc;
+}
+
+/**
+ * Check for application match.
+ * @param con		context
+ * @param s		config application name
+ * return		0 if config application matches
+ */
+static int configAppMatch(poptContext con, const char * s)
+{
+    int rc = 1;
+
+    if (con->appName == NULL)	/* XXX can't happen. */
+	return rc;
+
+#if defined(HAVE_GLOB_H) && defined(HAVE_FNMATCH_H)
+    if (glob_pattern_p(s, 1)) {
+	static int flags = FNM_PATHNAME | FNM_PERIOD;
+#ifdef FNM_EXTMATCH
+	flags |= FNM_EXTMATCH;
+#endif
+	rc = fnmatch(s, con->appName, flags);
+    } else
+#endif
+	rc = strcmp(s, con->appName);
+    return rc;
+}
+
+static int poptConfigLine(poptContext con, char * line)
+{
+    char *b = NULL;
+    size_t nb = 0;
+    char * se = line;
+    const char * appName;
    const char * entryType;
    const char * opt;
-    poptItem item = (poptItem) alloca(sizeof(*item));
+    struct poptItem_s item_buf;
+    poptItem item = &item_buf;
    int i, j;
+    int rc = POPT_ERROR_BADCONFIG;

    if (con->appName == NULL)
-	return;
-    nameLength = strlen(con->appName);
+	goto exit;
    
-/*@-boundswrite@*/
    memset(item, 0, sizeof(*item));

-    if (strncmp(line, con->appName, nameLength)) return;
+    appName = se;
+    while (*se != '\0' && !_isspaceptr(se)) se++;
+    if (*se == '\0')
+	goto exit;
+    else
+	*se++ = '\0';

-    line += nameLength;
-    if (*line == '\0' || !isSpace(line)) return;
+    if (configAppMatch(con, appName)) goto exit;

-    while (*line != '\0' && isSpace(line)) line++;
-    entryType = line;
-    while (*line == '\0' || !isSpace(line)) line++;
-    *line++ = '\0';
+    while (*se != '\0' && _isspaceptr(se)) se++;
+    entryType = se;
+    while (*se != '\0' && !_isspaceptr(se)) se++;
+    if (*se != '\0') *se++ = '\0';

-    while (*line != '\0' && isSpace(line)) line++;
-    if (*line == '\0') return;
-    opt = line;
-    while (*line == '\0' || !isSpace(line)) line++;
-    *line++ = '\0';
+    while (*se != '\0' && _isspaceptr(se)) se++;
+    if (*se == '\0') goto exit;
+    opt = se;
+    while (*se != '\0' && !_isspaceptr(se)) se++;
+    if (opt[0] == '-' && *se == '\0') goto exit;
+    if (*se != '\0') *se++ = '\0';

-    while (*line != '\0' && isSpace(line)) line++;
-    if (*line == '\0') return;
+    while (*se != '\0' && _isspaceptr(se)) se++;
+    if (opt[0] == '-' && *se == '\0') goto exit;

-    /*@-temptrans@*/ /* FIX: line alias is saved */
    if (opt[0] == '-' && opt[1] == '-')
 	item->option.longName = opt + 2;
    else if (opt[0] == '-' && opt[2] == '\0')
 	item->option.shortName = opt[1];
-    /*@=temptrans@*/
+    else {
+	const char * fn = opt;

-    if (poptParseArgvString(line, &item->argc, &item->argv)) return;
+	/* XXX handle globs and directories in fn? */
+	if ((rc = poptReadFile(fn, &b, &nb, POPT_READFILE_TRIMNEWLINES)) != 0)
+	    goto exit;
+	if (b == NULL || nb == 0)
+	    goto exit;
+
+	/* Append remaining text to the interpolated file option text. */
+	if (*se != '\0') {
+	    size_t nse = strlen(se) + 1;
+	    if ((b = realloc(b, (nb + nse))) == NULL)	/* XXX can't happen */
+		goto exit;
+	    (void) stpcpy( stpcpy(&b[nb-1], " "), se);
+	    nb += nse;
+	}
+	se = b;
+
+	/* Use the basename of the path as the long option name. */
+	{   const char * longName = strrchr(fn, '/');
+	    if (longName != NULL)
+		longName++;
+	    else
+		longName = fn;
+	    if (longName == NULL)	/* XXX can't happen. */
+		goto exit;
+	    /* Single character basenames are treated as short options. */
+	    if (longName[1] != '\0')
+		item->option.longName = longName;
+	    else
+		item->option.shortName = longName[0];
+	}
+    }
+
+    if (poptParseArgvString(se, &item->argc, &item->argv)) goto exit;

-    /*@-modobserver@*/
    item->option.argInfo = POPT_ARGFLAG_DOC_HIDDEN;
    for (i = 0, j = 0; i < item->argc; i++, j++) {
 	const char * f;
@@ -81,103 +327,183 @@ static void configLine(poptContext con, char * line)
 	item->argv[j] = NULL;
 	item->argc = j;
    }
-    /*@=modobserver@*/
-/*@=boundswrite@*/
 	
-    /*@-nullstate@*/ /* FIX: item->argv[] may be NULL */
    if (!strcmp(entryType, "alias"))
-	(void) poptAddItem(con, item, 0);
+	rc = poptAddItem(con, item, 0);
    else if (!strcmp(entryType, "exec"))
-	(void) poptAddItem(con, item, 1);
-    /*@=nullstate@*/
+	rc = poptAddItem(con, item, 1);
+exit:
+    rc = 0;	/* XXX for now, always return success */
+    if (b)
+	free(b);
+    return rc;
 }
-/*@=compmempass@*/

 int poptReadConfigFile(poptContext con, const char * fn)
 {
-    const char * file, * chptr, * end;
-    char * buf;
-/*@dependent@*/ char * dst;
-    int fd, rc;
-    off_t fileLength;
-
-    fd = open(fn, O_RDONLY);
-    if (fd < 0)
-	return (errno == ENOENT ? 0 : POPT_ERROR_ERRNO);
-
-    fileLength = lseek(fd, 0, SEEK_END);
-    if (fileLength == -1 || lseek(fd, 0, 0) == -1) {
-	rc = errno;
-	(void) close(fd);
-	errno = rc;
-	return POPT_ERROR_ERRNO;
-    }
-
-    file = alloca(fileLength + 1);
-    if (read(fd, (char *)file, fileLength) != fileLength) {
-	rc = errno;
-	(void) close(fd);
-	errno = rc;
-	return POPT_ERROR_ERRNO;
-    }
-    if (close(fd) == -1)
-	return POPT_ERROR_ERRNO;
-
-/*@-boundswrite@*/
-    dst = buf = alloca(fileLength + 1);
-
-    chptr = file;
-    end = (file + fileLength);
-    /*@-infloops@*/	/* LCL: can't detect chptr++ */
-    while (chptr < end) {
-	switch (*chptr) {
-	  case '\n':
-	    *dst = '\0';
-	    dst = buf;
-	    while (*dst && isSpace(dst)) dst++;
-	    if (*dst && *dst != '#')
-		configLine(con, dst);
-	    chptr++;
-	    /*@switchbreak@*/ break;
-	  case '\\':
-	    *dst++ = *chptr++;
-	    if (chptr < end) {
-		if (*chptr == '\n') 
-		    dst--, chptr++;	
-		    /* \ at the end of a line does not insert a \n */
-		else
-		    *dst++ = *chptr++;
-	    }
-	    /*@switchbreak@*/ break;
-	  default:
-	    *dst++ = *chptr++;
-	    /*@switchbreak@*/ break;
-	}
-    }
-    /*@=infloops@*/
-/*@=boundswrite@*/
-
-    return 0;
-}
-
-int poptReadDefaultConfig(poptContext con, /*@unused@*/ UNUSED(int useEnv))
-{
-    char * fn, * home;
+    char * b = NULL, *be;
+    size_t nb = 0;
+    const char *se;
+    char *t = NULL, *te;
    int rc;

-    if (con->appName == NULL) return 0;
-
-    rc = poptReadConfigFile(con, "/etc/popt");
-    if (rc) return rc;
-
-    if ((home = getenv("HOME"))) {
-	size_t bufsize = strlen(home) + 20;
-	fn = alloca(bufsize);
-	if (fn == NULL) return 0;
-	snprintf(fn, bufsize, "%s/.popt", home);
-	rc = poptReadConfigFile(con, fn);
-	if (rc) return rc;
+    if ((rc = poptReadFile(fn, &b, &nb, POPT_READFILE_TRIMNEWLINES)) != 0)
+	return (errno == ENOENT ? 0 : rc);
+    if (b == NULL || nb == 0) {
+	rc = POPT_ERROR_BADCONFIG;
+	goto exit;
    }

-    return 0;
+    if ((t = malloc(nb + 1)) == NULL)
+	goto exit;
+    te = t;
+
+    be = (b + nb);
+    for (se = b; se < be; se++) {
+	switch (*se) {
+	  case '\n':
+	    *te = '\0';
+	    te = t;
+	    while (*te && _isspaceptr(te)) te++;
+	    if (*te && *te != '#')
+		if ((rc = poptConfigLine(con, te)) != 0)
+		    goto exit;
+	    break;
+	  case '\\':
+	    *te = *se++;
+	    /* \ at the end of a line does not insert a \n */
+	    if (se < be && *se != '\n') {
+		te++;
+		*te++ = *se;
+	    }
+	    break;
+	  default:
+	    *te++ = *se;
+	    break;
+	}
+    }
+    rc = 0;
+
+exit:
+    free(t);
+    if (b)
+	free(b);
+    return rc;
+}
+
+int poptReadConfigFiles(poptContext con, const char * paths)
+{
+    char * buf = (paths ? xstrdup(paths) : NULL);
+    const char * p;
+    char * pe;
+    int rc = 0;		/* assume success */
+
+    for (p = buf; p != NULL && *p != '\0'; p = pe) {
+	const char ** av = NULL;
+	int ac = 0;
+	int i;
+	int xx;
+
+	/* locate start of next path element */
+	pe = strchr(p, ':');
+	if (pe != NULL && *pe == ':')
+	    *pe++ = '\0';
+	else
+	    pe = (char *) (p + strlen(p));
+
+	xx = poptGlob(con, p, &ac, &av);
+
+	/* work-off each resulting file from the path element */
+	for (i = 0; i < ac; i++) {
+	    const char * fn = av[i];
+	    if (!poptSaneFile(fn))
+		continue;
+	    xx = poptReadConfigFile(con, fn);
+	    if (xx && rc == 0)
+		rc = xx;
+	    free((void *)av[i]);
+	    av[i] = NULL;
+	}
+	free(av);
+	av = NULL;
+    }
+
+    if (buf)
+	free(buf);
+
+    return rc;
+}
+
+int poptReadDefaultConfig(poptContext con, UNUSED(int useEnv))
+{
+    char * home;
+    struct stat sb;
+    int rc = 0;		/* assume success */
+
+    if (con->appName == NULL) goto exit;
+
+    rc = poptReadConfigFile(con, POPT_SYSCONFDIR "/popt");
+    if (rc) goto exit;
+
+#if defined(HAVE_GLOB_H)
+    if (!stat(POPT_SYSCONFDIR "/popt.d", &sb) && S_ISDIR(sb.st_mode)) {
+	const char ** av = NULL;
+	int ac = 0;
+	int i;
+
+	if ((rc = poptGlob(con, POPT_SYSCONFDIR "/popt.d/*", &ac, &av)) == 0) {
+	    for (i = 0; rc == 0 && i < ac; i++) {
+		const char * fn = av[i];
+		if (!poptSaneFile(fn))
+		    continue;
+		rc = poptReadConfigFile(con, fn);
+		free((void *)av[i]);
+		av[i] = NULL;
+	    }
+	    free(av);
+	    av = NULL;
+	}
+    }
+    if (rc) goto exit;
+#endif
+
+    if ((home = getenv("HOME"))) {
+	char * fn = malloc(strlen(home) + 20);
+	if (fn != NULL) {
+	    (void) stpcpy(stpcpy(fn, home), "/.popt");
+	    rc = poptReadConfigFile(con, fn);
+	    free(fn);
+	} else
+	    rc = POPT_ERROR_ERRNO;
+	if (rc) goto exit;
+    }
+
+exit:
+    return rc;
+}
+
+poptContext
+poptFini(poptContext con)
+{
+    return poptFreeContext(con);
+}
+
+poptContext
+poptInit(int argc, const char ** argv,
+		const struct poptOption * options, const char * configPaths)
+{
+    poptContext con = NULL;
+    const char * argv0;
+
+    if (argv == NULL || argv[0] == NULL || options == NULL)
+	return con;
+
+    if ((argv0 = strrchr(argv[0], '/')) != NULL) argv0++;
+    else argv0 = argv[0];
+   
+    con = poptGetContext(argv0, argc, (const char **)argv, options, 0);
+    if (con != NULL&& poptReadConfigFiles(con, configPaths))
+	con = poptFini(con);
+
+    return con;
 }
--- a/popt/popthelp.c
+++ b/popt/popthelp.c
--- a/popt/poptint.c
+++ b/popt/poptint.c
@@ -0,0 +1,194 @@
+#include "system.h"
+#include <stdarg.h>
+#include <errno.h>
+#ifdef HAVE_LANGINFO_H
+#include <langinfo.h>
+#endif
+#include "poptint.h"
+
+/* Any pair of 32 bit hashes can be used. lookup3.c generates pairs, will do. */
+#define _JLU3_jlu32lpair        1
+#define	jlu32lpair	poptJlu32lpair
+#include "lookup3.c"
+
+const char *
+POPT_prev_char (const char *str)
+{
+    const char *p = str;
+
+    while (1) {
+	p--;
+	if (((unsigned)*p & 0xc0) != (unsigned)0x80)
+	    return p;
+    }
+}
+
+const char *
+POPT_next_char (const char *str)
+{
+    const char *p = str;
+
+    while (*p != '\0') {
+	p++;
+	if (((unsigned)*p & 0xc0) != (unsigned)0x80)
+	    break;
+    }
+    return p;
+}
+
+#if !defined(POPT_fprintf)	/* XXX lose all the goop ... */
+
+#if defined(ENABLE_NLS) && defined(HAVE_LIBINTL_H) && defined(HAVE_DCGETTEXT)
+/*
+ * Rebind a "UTF-8" codeset for popt's internal use.
+ */
+char *
+POPT_dgettext(const char * dom, const char * str)
+{
+    char * codeset = NULL;
+    char * retval = NULL;
+
+    if (!dom) 
+	dom = textdomain(NULL);
+    codeset = bind_textdomain_codeset(dom, NULL);
+    bind_textdomain_codeset(dom, "UTF-8");
+    retval = dgettext(dom, str);
+    bind_textdomain_codeset(dom, codeset);
+
+    return retval;
+}
+#endif
+
+#ifdef HAVE_ICONV
+/**
+ * Return malloc'd string converted from UTF-8 to current locale.
+ * @param istr		input string (UTF-8 encoding assumed)
+ * @return		localized string
+ */
+static char *
+strdup_locale_from_utf8 (char * istr)
+{
+    char * codeset = NULL;
+    char * ostr = NULL;
+    iconv_t cd;
+
+    if (istr == NULL)
+	return NULL;
+
+#ifdef HAVE_LANGINFO_H
+    codeset = nl_langinfo ((nl_item)CODESET);
+#endif
+
+    if (codeset != NULL && strcmp(codeset, "UTF-8") != 0
+     && (cd = iconv_open(codeset, "UTF-8")) != (iconv_t)-1)
+    {
+	char * shift_pin = NULL;
+	size_t db = strlen(istr);
+	char * dstr = malloc((db + 1) * sizeof(*dstr));
+	char * dstr_tmp;
+	char * pin = istr;
+	char * pout = dstr;
+	size_t ib = db;
+	size_t ob = db;
+	size_t err;
+
+	if (dstr == NULL) {
+	    (void) iconv_close(cd);
+	    return NULL;
+	}
+	err = iconv(cd, NULL, NULL, NULL, NULL);
+	while (1) {
+	    *pout = '\0';
+	    err = iconv(cd, &pin, &ib, &pout, &ob);
+	    if (err != (size_t)-1) {
+		if (shift_pin == NULL) {
+		    shift_pin = pin;
+		    pin = NULL;
+		    ib = 0;
+		    continue;
+		}
+	    } else
+	    switch (errno) {
+	    case E2BIG:
+	    {	size_t used = (size_t)(pout - dstr);
+		db *= 2;
+		dstr_tmp = realloc(dstr, (db + 1) * sizeof(*dstr));
+		if (dstr_tmp == NULL) {
+		    free(dstr);
+		    (void) iconv_close(cd);
+		    return NULL;
+		}
+		dstr = dstr_tmp;
+		pout = dstr + used;
+		ob = db - used;
+		continue;
+	    }   break;
+	    case EINVAL:
+	    case EILSEQ:
+	    default:
+		break;
+	    }
+	    break;
+	}
+	(void) iconv_close(cd);
+	*pout = '\0';
+	ostr = xstrdup(dstr);
+	free(dstr);
+    } else
+	ostr = xstrdup(istr);
+
+    return ostr;
+}
+#endif
+
+int
+POPT_fprintf (FILE * stream, const char * format, ...)
+{
+    char * b = NULL, * ob = NULL;
+    int rc;
+    va_list ap;
+
+#if defined(HAVE_VASPRINTF)
+    va_start(ap, format);
+    if ((rc = vasprintf(&b, format, ap)) < 0)
+	b = NULL;
+    va_end(ap);
+#else
+    size_t nb = (size_t)1;
+
+    /* HACK: add +1 to the realloc no. of bytes "just in case". */
+    /* XXX Likely unneeded, the issues wrto vsnprintf(3) return b0rkage have
+     * to do with whether the final '\0' is counted (or not). The code
+     * below already adds +1 for the (possibly already counted) trailing NUL.
+     */
+    while ((b = realloc(b, nb+1)) != NULL) {
+	va_start(ap, format);
+	rc = vsnprintf(b, nb, format, ap);
+	va_end(ap);
+	if (rc > -1) {	/* glibc 2.1 */
+	    if ((size_t)rc < nb)
+		break;
+	    nb = (size_t)(rc + 1);	/* precise buffer length known */
+	} else 		/* glibc 2.0 */
+	    nb += (nb < (size_t)100 ? (size_t)100 : nb);
+	ob = b;
+    }
+#endif
+
+    rc = 0;
+    if (b != NULL) {
+#ifdef HAVE_ICONV
+	ob = strdup_locale_from_utf8(b);
+	if (ob != NULL) {
+	    rc = fprintf(stream, "%s", ob);
+	    free(ob);
+	} else
+#endif
+	    rc = fprintf(stream, "%s", b);
+	free (b);
+    }
+
+    return rc;
+}
+
+#endif	/* !defined(POPT_fprintf) */
--- a/popt/poptint.h
+++ b/popt/poptint.h
@@ -1,5 +1,5 @@
 /** \ingroup popt
- * \file popt/poptint.h
+ * @file
 */

 /* (C) 1998-2000 Red Hat, Inc. -- Licensing details are in the COPYING
@@ -9,108 +9,145 @@
 #ifndef H_POPTINT
 #define H_POPTINT

+#include <stdint.h>
+
 /**
 * Wrapper to free(3), hides const compilation noise, permit NULL, return NULL.
 * @param p		memory to free
 * @retval		NULL always
 */
-/*@unused@*/ static inline /*@null@*/ void *
-_free(/*@only@*/ /*@null@*/ const void * p)
-	/*@modifies p @*/
+static inline void *
+_free(const void * p)
 {
    if (p != NULL)	free((void *)p);
    return NULL;
 }

-static inline int
-isSpace(const char *ptr)
-{
-    return isspace(*(unsigned char *)ptr);
-}
-
 /* Bit mask macros. */
-/*@-exporttype -redef @*/
 typedef	unsigned int __pbm_bits;
-/*@=exporttype =redef @*/
 #define	__PBM_NBITS		(8 * sizeof (__pbm_bits))
 #define	__PBM_IX(d)		((d) / __PBM_NBITS)
 #define __PBM_MASK(d)		((__pbm_bits) 1 << (((unsigned)(d)) % __PBM_NBITS))
-/*@-exporttype -redef @*/
 typedef struct {
    __pbm_bits bits[1];
 } pbm_set;
-/*@=exporttype =redef @*/
 #define	__PBM_BITS(set)	((set)->bits)

-#define	PBM_ALLOC(d)	calloc(__PBM_IX (d) + 1, sizeof(__pbm_bits))
+#define	PBM_ALLOC(d)	calloc(__PBM_IX (d) + 1, sizeof(pbm_set))
 #define	PBM_FREE(s)	_free(s);
 #define PBM_SET(d, s)   (__PBM_BITS (s)[__PBM_IX (d)] |= __PBM_MASK (d))
 #define PBM_CLR(d, s)   (__PBM_BITS (s)[__PBM_IX (d)] &= ~__PBM_MASK (d))
 #define PBM_ISSET(d, s) ((__PBM_BITS (s)[__PBM_IX (d)] & __PBM_MASK (d)) != 0)

+extern void poptJlu32lpair(const void *key, size_t size,
+                uint32_t *pc, uint32_t *pb);
+
+/** \ingroup popt
+ * Typedef's for string and array of strings.
+ */
+typedef const char * poptString;
+typedef poptString * poptArgv;
+
+/** \ingroup popt
+ * A union to simplify opt->arg access without casting.
+ */
+typedef union poptArg_u {
+    void * ptr;
+    int * intp;
+    short * shortp;
+    long * longp;
+    long long * longlongp;
+    float * floatp;
+    double * doublep;
+    const char ** argv;
+    poptCallbackType cb;
+    poptOption opt;
+} poptArg;
+
+extern unsigned int _poptArgMask;
+extern unsigned int _poptGroupMask;
+
+#define	poptArgType(_opt)	((_opt)->argInfo & _poptArgMask)
+#define	poptGroup(_opt)		((_opt)->argInfo & _poptGroupMask)
+
+#define	F_ISSET(_opt, _FLAG)	((_opt)->argInfo & POPT_ARGFLAG_##_FLAG)
+#define	LF_ISSET(_FLAG)		(argInfo & POPT_ARGFLAG_##_FLAG)
+#define	CBF_ISSET(_opt, _FLAG)	((_opt)->argInfo & POPT_CBFLAG_##_FLAG)
+
+/* XXX sick hack to preserve pretense of a popt-1.x ABI. */
+#define	poptSubstituteHelpI18N(opt) \
+  { if ((opt) == poptHelpOptions) (opt) = poptHelpOptionsI18N; }
+
 struct optionStackEntry {
    int argc;
-/*@only@*/ /*@null@*/
-    const char ** argv;
-/*@only@*/ /*@null@*/
+    poptArgv argv;
    pbm_set * argb;
    int next;
-/*@only@*/ /*@null@*/
-    const char * nextArg;
-/*@observer@*/ /*@null@*/
+    char * nextArg;
    const char * nextCharArg;
-/*@dependent@*/ /*@null@*/
    poptItem currAlias;
    int stuffed;
 };

 struct poptContext_s {
    struct optionStackEntry optionStack[POPT_OPTION_DEPTH];
-/*@dependent@*/
    struct optionStackEntry * os;
-/*@owned@*/ /*@null@*/
-    const char ** leftovers;
+    poptArgv leftovers;
    int numLeftovers;
+    int allocLeftovers;
    int nextLeftover;
-/*@keep@*/
    const struct poptOption * options;
    int restLeftover;
-/*@only@*/ /*@null@*/
    const char * appName;
-/*@only@*/ /*@null@*/
    poptItem aliases;
    int numAliases;
-    int flags;
-/*@owned@*/ /*@null@*/
+    unsigned int flags;
    poptItem execs;
    int numExecs;
-/*@only@*/ /*@null@*/
-    const char ** finalArgv;
+    char * execFail;
+    poptArgv finalArgv;
    int finalArgvCount;
    int finalArgvAlloced;
-/*@dependent@*/ /*@null@*/
+    int (*maincall) (int argc, const char **argv);
    poptItem doExec;
-/*@only@*/
    const char * execPath;
    int execAbsolute;
-/*@only@*/ /*@relnull@*/
    const char * otherHelp;
-/*@null@*/
    pbm_set * arg_strip;
 };

-#ifdef HAVE_LIBINTL_H
+#if defined(POPT_fprintf)
+#define	POPT_dgettext	dgettext
+#else
+#ifdef HAVE_ICONV
+#include <iconv.h>
+#endif
+
+#if defined(HAVE_DCGETTEXT)
+char *POPT_dgettext(const char * dom, const char * str);
+#endif
+
+FORMAT(printf, 2, 3)
+int   POPT_fprintf (FILE* stream, const char *format, ...);
+#endif	/* !defined(POPT_fprintf) */
+
+const char *POPT_prev_char (const char *str);
+const char *POPT_next_char (const char *str);
+
+#endif
+
+#if defined(ENABLE_NLS) && defined(HAVE_LIBINTL_H)
 #include <libintl.h>
 #endif

-#if defined(HAVE_GETTEXT) && !defined(__LCLINT__)
+#if defined(ENABLE_NLS) && defined(HAVE_GETTEXT)
 #define _(foo) gettext(foo)
 #else
 #define _(foo) foo
 #endif

-#if defined(HAVE_DCGETTEXT) && !defined(__LCLINT__)
-#define D_(dom, str) dgettext(dom, str)
+#if defined(ENABLE_NLS) && defined(HAVE_LIBINTL_H) && defined(HAVE_DCGETTEXT)
+#define D_(dom, str) POPT_dgettext(dom, str)
 #define POPT_(foo) D_("popt", foo)
 #else
 #define D_(dom, str) str
@@ -119,4 +156,3 @@ struct poptContext_s {

 #define N_(foo) foo

-#endif
--- a/popt/poptparse.c
+++ b/popt/poptparse.c
@@ -1,5 +1,5 @@
 /** \ingroup popt
- * \file popt/poptparse.c
+ * @file
 */

 /* (C) 1998-2002 Red Hat, Inc. -- Licensing details are in the COPYING
@@ -8,11 +8,8 @@

 #include "system.h"

-#include "poptint.h"
-
 #define POPT_ARGV_ARRAY_GROW_DELTA 5

-/*@-boundswrite@*/
 int poptDupArgv(int argc, const char **argv,
 		int * argcPtr, const char *** argvPtr)
 {
@@ -34,13 +31,13 @@ int poptDupArgv(int argc, const char **argv,
 	return POPT_ERROR_MALLOC;
    argv2 = (void *) dst;
    dst += (argc + 1) * sizeof(*argv);
+    *dst = '\0';

-    /*@-branchstate@*/
    for (i = 0; i < argc; i++) {
 	argv2[i] = dst;
-	dst += strlcpy(dst, argv[i], nb) + 1;
+	dst = stpcpy(dst, argv[i]);
+	dst++;	/* trailing NUL */
    }
-    /*@=branchstate@*/
    argv2[argc] = NULL;

    if (argvPtr) {
@@ -53,21 +50,25 @@ int poptDupArgv(int argc, const char **argv,
 	*argcPtr = argc;
    return 0;
 }
-/*@=boundswrite@*/

-/*@-bounds@*/
 int poptParseArgvString(const char * s, int * argcPtr, const char *** argvPtr)
 {
    const char * src;
    char quote = '\0';
    int argvAlloced = POPT_ARGV_ARRAY_GROW_DELTA;
    const char ** argv = malloc(sizeof(*argv) * argvAlloced);
+    const char ** argv_tmp;
    int argc = 0;
-    int buflen = strlen(s) + 1;
-    char * buf = memset(alloca(buflen), 0, buflen);
+    size_t buflen = strlen(s) + 1;
+    char * buf, * bufOrig = NULL;
    int rc = POPT_ERROR_MALLOC;

    if (argv == NULL) return rc;
+    buf = bufOrig = calloc((size_t)1, buflen);
+    if (buf == NULL) {
+	free(argv);
+	return rc;
+    }
    argv[argc] = buf;

    for (src = s; *src != '\0'; src++) {
@@ -83,13 +84,14 @@ int poptParseArgvString(const char * s, int * argcPtr, const char *** argvPtr)
 		if (*src != quote) *buf++ = '\\';
 	    }
 	    *buf++ = *src;
-	} else if (isSpace(src)) {
+	} else if (_isspaceptr(src)) {
 	    if (*argv[argc] != '\0') {
 		buf++, argc++;
 		if (argc == argvAlloced) {
 		    argvAlloced += POPT_ARGV_ARRAY_GROW_DELTA;
-		    argv = realloc(argv, sizeof(*argv) * argvAlloced);
-		    if (argv == NULL) goto exit;
+		    argv_tmp = realloc(argv, sizeof(*argv) * argvAlloced);
+		    if (argv_tmp == NULL) goto exit;
+		    argv = argv_tmp;
 		}
 		argv[argc] = buf;
 	    }
@@ -97,17 +99,17 @@ int poptParseArgvString(const char * s, int * argcPtr, const char *** argvPtr)
 	  case '"':
 	  case '\'':
 	    quote = *src;
-	    /*@switchbreak@*/ break;
+	    break;
 	  case '\\':
 	    src++;
 	    if (!*src) {
 		rc = POPT_ERROR_BADQUOTE;
 		goto exit;
 	    }
-	    /*@fallthrough@*/
+	    /* fallthrough */
 	  default:
 	    *buf++ = *src;
-	    /*@switchbreak@*/ break;
+	    break;
 	}
    }

@@ -118,29 +120,30 @@ int poptParseArgvString(const char * s, int * argcPtr, const char *** argvPtr)
    rc = poptDupArgv(argc, argv, argcPtr, argvPtr);

 exit:
+    if (bufOrig) free(bufOrig);
    if (argv) free(argv);
    return rc;
 }
-/*@=bounds@*/

 /* still in the dev stage.
- * return values, perhaps 1== file erro
+ * return values, perhaps 1== file error
 * 2== line to long
 * 3== umm.... more?
 */
-int poptConfigFileToString(FILE *fp, char ** argstrp, /*@unused@*/ UNUSED(int flags))
+int poptConfigFileToString(FILE *fp, char ** argstrp,
+		UNUSED(int flags))
 {
    char line[999];
    char * argstr;
+    char * argstr_tmp;
    char * p;
    char * q;
    char * x;
-    int t;
-    int argvlen = 0;
+    size_t t;
+    size_t argvlen = 0;
    size_t maxlinelen = sizeof(line);
    size_t linelen;
-    int maxargvlen = 480;
-    int linenum = 0;
+    size_t maxargvlen = (size_t)480;

    *argstrp = NULL;

@@ -155,11 +158,10 @@ int poptConfigFileToString(FILE *fp, char ** argstrp, /*@unused@*/ UNUSED(int fl
    if (argstr == NULL) return POPT_ERROR_MALLOC;

    while (fgets(line, (int)maxlinelen, fp) != NULL) {
-	linenum++;
 	p = line;

 	/* loop until first non-space char or EOL */
-	while( *p != '\0' && isSpace(p) )
+	while( *p != '\0' && _isspaceptr(p) )
 	    p++;

 	linelen = strlen(p);
@@ -173,25 +175,29 @@ int poptConfigFileToString(FILE *fp, char ** argstrp, /*@unused@*/ UNUSED(int fl

 	q = p;

-	while (*q != '\0' && (!isSpace(q)) && *q != '=')
+	while (*q != '\0' && (!_isspaceptr(q)) && *q != '=')
 	    q++;

-	if (isSpace(q)) {
+	if (_isspaceptr(q)) {
 	    /* a space after the name, find next non space */
 	    *q++='\0';
-	    while( *q != '\0' && isSpace(q) ) q++;
+	    while( *q != '\0' && _isspaceptr(q) ) q++;
 	}
 	if (*q == '\0') {
 	    /* single command line option (ie, no name=val, just name) */
 	    q[-1] = '\0';		/* kill off newline from fgets() call */
-	    argvlen += (t = q - p) + (sizeof(" --")-1);
+	    argvlen += (t = (size_t)(q - p)) + (sizeof(" --")-1);
 	    if (argvlen >= maxargvlen) {
 		maxargvlen = (t > maxargvlen) ? t*2 : maxargvlen*2;
-		argstr = realloc(argstr, maxargvlen);
-		if (argstr == NULL) return POPT_ERROR_MALLOC;
+		argstr_tmp = realloc(argstr, maxargvlen);
+		if (argstr_tmp == NULL) {
+		    free(argstr);
+		    return POPT_ERROR_MALLOC;
+		}
+		argstr = argstr_tmp;
 	    }
-	    strlcat(argstr, " --", maxargvlen);
-	    strlcat(argstr, p, maxargvlen);
+	    strcat(argstr, " --");
+	    strcat(argstr, p);
 	    continue;
 	}
 	if (*q != '=')
@@ -201,29 +207,33 @@ int poptConfigFileToString(FILE *fp, char ** argstrp, /*@unused@*/ UNUSED(int fl
 	*q++ = '\0';

 	/* find next non-space letter of value */
-	while (*q != '\0' && isSpace(q))
+	while (*q != '\0' && _isspaceptr(q))
 	    q++;
 	if (*q == '\0')
 	    continue;	/* XXX silently ignore missing value */

 	/* now, loop and strip all ending whitespace */
 	x = p + linelen;
-	while (isSpace(--x))
-	    *x = 0;	/* null out last char if space (including fgets() NL) */
+	while (_isspaceptr(--x))
+	    *x = '\0';	/* null out last char if space (including fgets() NL) */

 	/* rest of line accept */
-	t = x - p;
+	t = (size_t)(x - p);
 	argvlen += t + (sizeof("' --='")-1);
 	if (argvlen >= maxargvlen) {
 	    maxargvlen = (t > maxargvlen) ? t*2 : maxargvlen*2;
-	    argstr = realloc(argstr, maxargvlen);
-	    if (argstr == NULL) return POPT_ERROR_MALLOC;
+	    argstr_tmp = realloc(argstr, maxargvlen);
+	    if (argstr_tmp == NULL) {
+		free(argstr);
+		return POPT_ERROR_MALLOC;
+	    }
+	    argstr = argstr_tmp;
 	}
-	strlcat(argstr, " --", maxargvlen);
-	strlcat(argstr, p, maxargvlen);
-	strlcat(argstr, "=\"", maxargvlen);
-	strlcat(argstr, q, maxargvlen);
-	strlcat(argstr, "\"", maxargvlen);
+	strcat(argstr, " --");
+	strcat(argstr, p);
+	strcat(argstr, "=\"");
+	strcat(argstr, q);
+	strcat(argstr, "\"");
    }

    *argstrp = argstr;
--- a/popt/system.h
+++ b/popt/system.h
@@ -1,134 +1,70 @@
+/**
+ * @file
+ */
+
 #ifdef HAVE_CONFIG_H
 #include "config.h"
 #endif

-#if defined (__GLIBC__) && defined(__LCLINT__)
-/*@-declundef@*/
-/*@unchecked@*/
-extern __const __int32_t *__ctype_tolower;
-/*@unchecked@*/
-extern __const __int32_t *__ctype_toupper;
-/*@=declundef@*/
-#endif
-
-#ifdef __TANDEM
-# include <floss.h(floss_execvp,floss_read)>
-#endif
-
 #include <ctype.h>

-#include <errno.h>
-#include <fcntl.h>
-#include <limits.h>
+/* XXX isspace(3) has i18n encoding signedness issues on Solaris. */
+#define	_isspaceptr(_chp)	isspace((int)(*(unsigned const char *)(_chp)))

-#if HAVE_MCHECK_H 
+#ifdef HAVE_MCHECK_H
 #include <mcheck.h>
 #endif

-#include <stdio.h>
-#ifdef HAVE_SYS_TYPES_H
-# include <sys/types.h>
-#endif
-#ifdef STDC_HEADERS
-# include <stdlib.h>
-# include <stddef.h>
-#else
-# ifdef HAVE_STDLIB_H
-#  include <stdlib.h>
-# endif
-#endif
-#ifdef HAVE_STRING_H
-# if !defined STDC_HEADERS && defined HAVE_MEMORY_H
-#  include <memory.h>
-# endif
-# include <string.h>
-#endif
-#ifdef HAVE_STRINGS_H
-# include <strings.h>
-#endif
-#ifdef HAVE_UNISTD_H
-# include <unistd.h>
-#endif
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>

-#ifndef __GNUC__
-#define __attribute__(x) 
-#endif
+void * xmalloc (size_t size);

-#ifdef __NeXT
-/* access macros are not declared in non posix mode in unistd.h -
- don't try to use posix on NeXTstep 3.3 ! */
-#include <libc.h>
-#endif
+void * xcalloc (size_t nmemb, size_t size);

-#if defined(__LCLINT__)
-/*@-declundef -incondefs @*/ /* LCL: missing annotation */
-/*@only@*/ /*@out@*/
-void * alloca (size_t __size)
-	/*@ensures MaxSet(result) == (__size - 1) @*/
-	/*@*/;
-/*@=declundef =incondefs @*/
-#endif
+void * xrealloc (void * ptr, size_t size);

-/* AIX requires this to be the first thing in the file.  */ 
-#ifndef __GNUC__
-# if HAVE_ALLOCA_H
-#  include <alloca.h>
-# else
-#  ifdef _AIX
-#pragma alloca
-#  else
-#   ifdef HAVE_ALLOCA
-#    ifndef alloca /* predefined by HP cc +Olibcalls */
-char *alloca(size_t size);
-#    endif
-#   else
-#    ifdef alloca
-#     undef alloca
-#    endif
-#    define alloca(sz) malloc(sz) /* Kludge this for now */
-#   endif
-#  endif
-# endif
-#elif !defined(alloca)
-#define alloca __builtin_alloca
-#endif
+char * xstrdup (const char *str);

-#ifndef HAVE_STRLCPY
-size_t strlcpy(char *d, const char *s, size_t bufsize);
-#endif
+#if !defined(HAVE_STPCPY)
+/* Copy SRC to DEST, returning the address of the terminating '\0' in DEST.  */
+static inline char * stpcpy (char *dest, const char * src) {
+    register char *d = dest;
+    register const char *s = src;

-#ifndef HAVE_STRLCAT
-size_t strlcat(char *d, const char *s, size_t bufsize);
-#endif
-
-#if HAVE_MCHECK_H && defined(__GNUC__)
-static inline char *
-xstrdup(const char *s)
-{
-    size_t memsize = strlen(s) + 1;
-    char *ptr = malloc(memsize);
-    if (!ptr) {
-	fprintf(stderr, "virtual memory exhausted.\n");
-	exit(EXIT_FAILURE);
-    }
-    strlcpy(ptr, s, memsize);
-    return ptr;
+    do
+	*d++ = *s;
+    while (*s++ != '\0');
+    return d - 1;
 }
-#else
-#define	xstrdup(_str)	strdup(_str)
-#endif  /* HAVE_MCHECK_H && defined(__GNUC__) */
+#endif

-#if HAVE___SECURE_GETENV && !defined(__LCLINT__)
+/* Memory allocation via macro defs to get meaningful locations from mtrace() */
+#if defined(HAVE_MCHECK_H) && defined(__GNUC__)
+#define	vmefail()	(fprintf(stderr, "virtual memory exhausted.\n"), exit(EXIT_FAILURE), NULL)
+#define	xmalloc(_size) 		(malloc(_size) ? : vmefail())
+#define	xcalloc(_nmemb, _size)	(calloc((_nmemb), (_size)) ? : vmefail())
+#define	xrealloc(_ptr, _size)	(realloc((_ptr), (_size)) ? : vmefail())
+#define xstrdup(_str)   (strcpy((malloc(strlen(_str)+1) ? : vmefail()), (_str)))
+#else
+#define	xmalloc(_size) 		malloc(_size)
+#define	xcalloc(_nmemb, _size)	calloc((_nmemb), (_size))
+#define	xrealloc(_ptr, _size)	realloc((_ptr), (_size))
+#define	xstrdup(_str)	strdup(_str)
+#endif  /* defined(HAVE_MCHECK_H) && defined(__GNUC__) */
+
+#if defined(HAVE_SECURE_GETENV)
+#define getenv(_s)	secure_getenv(_s)
+#elif defined(HAVE___SECURE_GETENV)
 #define	getenv(_s)	__secure_getenv(_s)
 #endif

-#if !defined HAVE_SNPRINTF || !defined HAVE_C99_VSNPRINTF
-#define snprintf rsync_snprintf
-int snprintf(char *str,size_t count,const char *fmt,...);
+#if !defined(__GNUC__) && !defined(__attribute__)
+#define __attribute__(x) 
 #endif
-
 #define UNUSED(x) x __attribute__((__unused__))
-
-#define PACKAGE "rsync"
+#define FORMAT(a, b, c) __attribute__((__format__ (a, b, c)))
+#define NORETURN __attribute__((__noreturn__))

 #include "popt.h"
--- a/receiver.c
+++ b/receiver.c
@@ -3,7 +3,7 @@
 *
 * Copyright (C) 1996-2000 Andrew Tridgell
 * Copyright (C) 1996 Paul Mackerras
- * Copyright (C) 2003-2022 Wayne Davison
+ * Copyright (C) 2003-2023 Wayne Davison
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -56,7 +56,6 @@ extern int inplace;
 extern int inplace_partial;
 extern int allowed_lull;
 extern int delay_updates;
-extern int xfersum_type;
 extern BOOL want_progress_now;
 extern mode_t orig_umask;
 extern struct stats stats;
@@ -67,6 +66,11 @@ extern char sender_file_sum[MAX_DIGEST_LEN];
 extern struct file_list *cur_flist, *first_flist, *dir_flist;
 extern filter_rule_list daemon_filter_list;
 extern OFF_T preallocated_len;
+extern int fuzzy_basis;
+
+extern struct name_num_item *xfer_sum_nni;
+extern int xfer_sum_len;
+extern int use_secure_symlinks;

 static struct bitbag *delayed_bits = NULL;
 static int phase = 0, redoing = 0;
@@ -79,6 +83,44 @@ static int updating_basis_or_equiv;
 #define MAX_UNIQUE_NUMBER 999999
 #define MAX_UNIQUE_LOOP 100

+/* Open a basis/output path that may legitimately be an operator-trusted
+ * ABSOLUTE path -- e.g. an absolute --partial-dir ("a directory reserved for
+ * partial-dir work") or --backup-dir. secure_relative_open() deliberately
+ * rejects an absolute relpath, so feeding it the whole absolute partialptr
+ * (with a NULL basedir) returns EINVAL: the basis fd is then -1, no basis is
+ * mapped, and receive_data() omits every matched block from the whole-file
+ * verification checksum -> a spurious "failed verification" that strands the
+ * (correct) data in the partial-dir forever.
+ *
+ * The operator's directory is trusted; only the leaf basename is peer-supplied.
+ * So when basedir is NULL and relpath is absolute, split it into its directory
+ * (trusted) and leaf and confine just the leaf -- exactly how secure_relative_
+ * open already trusts an absolute basedir while O_NOFOLLOW-confining the leaf.
+ * Anything else is a straight pass-through that preserves the strict contract. */
+static int secure_basis_open(const char *basedir, const char *relpath, int flags, mode_t mode)
+{
+	if (!basedir && relpath && *relpath == '/') {
+		const char *slash = strrchr(relpath, '/');
+		const char *leaf = slash + 1;
+		char dirbuf[MAXPATHLEN];
+		const char *dir;
+		if (slash == relpath)
+			dir = "/";
+		else {
+			size_t dlen = slash - relpath;
+			if (dlen >= sizeof dirbuf) {
+				errno = ENAMETOOLONG;
+				return -1;
+			}
+			memcpy(dirbuf, relpath, dlen);
+			dirbuf[dlen] = '\0';
+			dir = dirbuf;
+		}
+		return secure_relative_open(dir, leaf, flags, mode);
+	}
+	return secure_relative_open(basedir, relpath, flags, mode);
+}
+
 /* get_tmpname() - create a tmp filename for a given filename
 *
 * If a tmpdir is defined, use that as the directory to put it in.  Otherwise,
@@ -211,7 +253,12 @@ int open_tmpfile(char *fnametmp, const char *fname, struct file_struct *file)
 	 * access to ensure that there is no race condition.  They will be
 	 * correctly updated after the right owner and group info is set.
 	 * (Thanks to snabb@epipe.fi for pointing this out.) */
-	fd = do_mkstemp(fnametmp, (file->mode|added_perms) & INITACCESSPERMS);
+	/* When use_secure_symlinks is on (non-chroot daemon with munge_symlinks),
+	 * use secure_mkstemp to prevent symlink race attacks on parent directories. */
+	if (use_secure_symlinks)
+		fd = secure_mkstemp(fnametmp, (file->mode|added_perms) & INITACCESSPERMS);
+	else
+		fd = do_mkstemp(fnametmp, (file->mode|added_perms) & INITACCESSPERMS);

 #if 0
 	/* In most cases parent directories will already exist because their
@@ -240,7 +287,6 @@ static int receive_data(int f_in, char *fname_r, int fd_r, OFF_T size_r,
 	static char file_sum1[MAX_DIGEST_LEN];
 	struct map_struct *mapbuf;
 	struct sum_struct sum;
-	int sum_len;
 	int32 len;
 	OFF_T total_size = F_LENGTH(file);
 	OFF_T offset = 0;
@@ -280,7 +326,7 @@ static int receive_data(int f_in, char *fname_r, int fd_r, OFF_T size_r,
 	} else
 		mapbuf = NULL;

-	sum_init(xfersum_type, checksum_seed);
+	sum_init(xfer_sum_nni, checksum_seed);

 	if (append_mode > 0) {
 		OFF_T j;
@@ -310,7 +356,12 @@ static int receive_data(int f_in, char *fname_r, int fd_r, OFF_T size_r,
 		}
 	}

-	while ((i = recv_token(f_in, &data)) != 0) {
+	while (1) {
+		data = NULL;
+		i = recv_token(f_in, &data);
+		if (i == 0)
+			break;
+
 		if (INFO_GTE(PROGRESS, 1))
 			show_progress(offset, total_size);

@@ -318,6 +369,10 @@ static int receive_data(int f_in, char *fname_r, int fd_r, OFF_T size_r,
 			maybe_send_keepalive(time(NULL), MSK_ALLOW_FLUSH | MSK_ACTIVE_RECEIVER);

 		if (i > 0) {
+			if (!data) {
+				rprintf(FERROR, "Invalid literal token with no data [%s]\n", who_am_i());
+				exit_cleanup(RERR_PROTOCOL);
+			}
 			if (DEBUG_GTE(DELTASUM, 3)) {
 				rprintf(FINFO,"data recv %d at %s\n",
 					i, big_num(offset));
@@ -335,6 +390,11 @@ static int receive_data(int f_in, char *fname_r, int fd_r, OFF_T size_r,
 		}

 		i = -(i+1);
+		if (i < 0 || i >= sum.count) {
+			rprintf(FERROR, "Invalid block index %d (count=%ld) [%s]\n",
+				i, (long)sum.count, who_am_i());
+			exit_cleanup(RERR_PROTOCOL);
+		}
 		offset2 = i * (OFF_T)sum.blength;
 		len = sum.blength;
 		if (i == (int)sum.count-1 && sum.remainder != 0)
@@ -342,6 +402,18 @@ static int receive_data(int f_in, char *fname_r, int fd_r, OFF_T size_r,

 		stats.matched_data += len;

+		/* A block match can only be honored if we actually mapped the
+		 * basis. If we didn't (basis open failed), the sender should
+		 * never have been told a basis existed -- treat it as a protocol
+		 * inconsistency rather than silently omitting these bytes from
+		 * the verification checksum (which yields a spurious failure) or
+		 * leaving a hole in the output. */
+		if (!mapbuf) {
+			rprintf(FERROR, "got a block match with no basis file for %s [%s]\n",
+				full_fname(fname), who_am_i());
+			exit_cleanup(RERR_PROTOCOL);
+		}
+
 		if (DEBUG_GTE(DELTASUM, 3)) {
 			rprintf(FINFO,
 				"chunk[%d] of size %ld at %s offset=%s%s\n",
@@ -371,7 +443,7 @@ static int receive_data(int f_in, char *fname_r, int fd_r, OFF_T size_r,

 	if (fd != -1 && offset > 0) {
 		if (sparse_files > 0) {
-			if (sparse_end(fd, offset) != 0)
+			if (sparse_end(fd, offset, updating_basis_or_equiv) != 0)
 				goto report_write_error;
 		} else if (flush_write_file(fd) < 0) {
 		    report_write_error:
@@ -393,7 +465,7 @@ static int receive_data(int f_in, char *fname_r, int fd_r, OFF_T size_r,
 	if (INFO_GTE(PROGRESS, 1))
 		end_progress(total_size);

-	sum_len = sum_end(file_sum1);
+	sum_end(file_sum1);

 	if (do_fsync && fd != -1 && fsync(fd) != 0) {
 		rsyserr(FERROR, errno, "fsync failed on %s", full_fname(fname));
@@ -403,10 +475,10 @@ static int receive_data(int f_in, char *fname_r, int fd_r, OFF_T size_r,
 	if (mapbuf)
 		unmap_file(mapbuf);

-	read_buf(f_in, sender_file_sum, sum_len);
+	read_buf(f_in, sender_file_sum, xfer_sum_len);
 	if (DEBUG_GTE(DELTASUM, 2))
 		rprintf(FINFO,"got file_sum\n");
-	if (fd != -1 && memcmp(file_sum1, sender_file_sum, sum_len) != 0)
+	if (fd != -1 && memcmp(file_sum1, sender_file_sum, xfer_sum_len) != 0)
 		return 0;
 	return 1;
 }
@@ -434,14 +506,13 @@ static void handle_delayed_updates(char *local_name)
 			}
 			/* We don't use robust_rename() here because the
 			 * partial-dir must be on the same drive. */
-			if (do_rename(partialptr, fname) < 0) {
+			if (do_rename_at(partialptr, fname) < 0) {
 				rsyserr(FERROR_XFER, errno,
 					"rename failed for %s (from %s)",
 					full_fname(fname), partialptr);
 			} else {
-				if (remove_source_files
-				 || (preserve_hard_links && F_IS_HLINKED(file)))
-					send_msg_int(MSG_SUCCESS, ndx);
+				if (remove_source_files || (preserve_hard_links && F_IS_HLINKED(file)))
+					send_msg_success(fname, ndx);
 				handle_partial_dir(partialptr, PDIR_DELETE);
 			}
 		}
@@ -451,7 +522,10 @@ static void handle_delayed_updates(char *local_name)
 static void no_batched_update(int ndx, BOOL is_redo)
 {
 	struct file_list *flist = flist_for_ndx(ndx, "no_batched_update");
-	struct file_struct *file = flist->files[ndx - flist->ndx_start];
+	struct file_struct *file;
+	if (ndx < flist->ndx_start)
+		exit_cleanup(RERR_PROTOCOL);
+	file = flist->files[ndx - flist->ndx_start];

 	rprintf(FERROR_XFER, "(No batched update for%s \"%s\")\n",
 		is_redo ? " resend of" : "", f_name(file, NULL));
@@ -551,6 +625,8 @@ int recv_files(int f_in, int f_out, char *local_name)
 	progress_init();

 	while (1) {
+		const char *basedir = NULL;
+
 		cleanup_disable();

 		/* This call also sets cur_flist. */
@@ -586,6 +662,8 @@ int recv_files(int f_in, int f_out, char *local_name)

 		if (ndx - cur_flist->ndx_start >= 0)
 			file = cur_flist->files[ndx - cur_flist->ndx_start];
+		else if (cur_flist->parent_ndx < 0)
+			exit_cleanup(RERR_PROTOCOL);
 		else
 			file = dir_flist->files[cur_flist->parent_ndx];
 		fname = local_name ? local_name : f_name(file, fbuf);
@@ -698,7 +776,7 @@ int recv_files(int f_in, int f_out, char *local_name)
 			if (!am_server)
 				discard_receive_data(f_in, file);
 			if (inc_recurse)
-				send_msg_int(MSG_SUCCESS, ndx);
+				send_msg_success(fname, ndx);
 			continue;
 		}

@@ -716,28 +794,34 @@ int recv_files(int f_in, int f_out, char *local_name)
 				fnamecmp = get_backup_name(fname);
 				break;
 			case FNAMECMP_FUZZY:
+				if (fuzzy_basis == 0) {
+					rprintf(FERROR_XFER, "rsync: refusing malicious fuzzy operation for %s\n", xname);
+					exit_cleanup(RERR_PROTOCOL);
+				}
 				if (file->dirname) {
-					pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, file->dirname, xname);
-					fnamecmp = fnamecmpbuf;
-				} else
-					fnamecmp = xname;
+					basedir = file->dirname;
+				}
+				fnamecmp = xname;
 				break;
 			default:
 				if (fnamecmp_type > FNAMECMP_FUZZY && fnamecmp_type-FNAMECMP_FUZZY <= basis_dir_cnt) {
 					fnamecmp_type -= FNAMECMP_FUZZY + 1;
 					if (file->dirname) {
-						stringjoin(fnamecmpbuf, sizeof fnamecmpbuf,
-							   basis_dir[fnamecmp_type], "/", file->dirname, "/", xname, NULL);
-					} else
-						pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, basis_dir[fnamecmp_type], xname);
+						pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, basis_dir[fnamecmp_type], file->dirname);
+						basedir = fnamecmpbuf;
+					} else {
+						basedir = basis_dir[fnamecmp_type];
+					}
+					fnamecmp = xname;
 				} else if (fnamecmp_type >= basis_dir_cnt) {
 					rprintf(FERROR,
 						"invalid basis_dir index: %d.\n",
 						fnamecmp_type);
 					exit_cleanup(RERR_PROTOCOL);
-				} else
-					pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, basis_dir[fnamecmp_type], fname);
-				fnamecmp = fnamecmpbuf;
+				} else {
+					basedir = basis_dir[fnamecmp_type];
+					fnamecmp = fname;
+				}
 				break;
 			}
 			if (!fnamecmp || (daemon_filter_list.head
@@ -759,26 +843,33 @@ int recv_files(int f_in, int f_out, char *local_name)
 				fnamecmp = fname;
 		}

-		/* open the file */
-		fd1 = do_open(fnamecmp, O_RDONLY, 0);
+		/* open the file (secure_basis_open tolerates an operator-trusted
+		 * absolute fnamecmp, e.g. an absolute --partial-dir basis) */
+		fd1 = secure_basis_open(basedir, fnamecmp, O_RDONLY, 0);

 		if (fd1 == -1 && protocol_version < 29) {
 			if (fnamecmp != fname) {
 				fnamecmp = fname;
 				fnamecmp_type = FNAMECMP_FNAME;
-				fd1 = do_open(fnamecmp, O_RDONLY, 0);
+				fd1 = do_open_nofollow(fnamecmp, O_RDONLY);
 			}

 			if (fd1 == -1 && basis_dir[0]) {
 				/* pre-29 allowed only one alternate basis */
-				pathjoin(fnamecmpbuf, sizeof fnamecmpbuf,
-					 basis_dir[0], fname);
-				fnamecmp = fnamecmpbuf;
+				basedir = basis_dir[0];
+				fnamecmp = fname;
 				fnamecmp_type = FNAMECMP_BASIS_DIR_LOW;
-				fd1 = do_open(fnamecmp, O_RDONLY, 0);
+				fd1 = secure_relative_open(basedir, fnamecmp, O_RDONLY, 0);
 			}
 		}

+		if (basedir) {
+			// for the following code we need the full
+			// path name as a single string
+			pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, basedir, fnamecmp);
+			fnamecmp = fnamecmpbuf;
+		}
+
 		one_inplace = inplace_partial && fnamecmp_type == FNAMECMP_PARTIAL_DIR;
 		updating_basis_or_equiv = one_inplace
 		    || (inplace && (fnamecmp == fname || fnamecmp_type == FNAMECMP_BACKUP));
@@ -839,11 +930,21 @@ int recv_files(int f_in, int f_out, char *local_name)
 		/* We now check to see if we are writing the file "inplace" */
 		if (inplace || one_inplace)  {
 			fnametmp = one_inplace ? partialptr : fname;
-			fd2 = do_open(fnametmp, O_WRONLY|O_CREAT, 0600);
+			/* When use_secure_symlinks is on (non-chroot daemon),
+			 * use secure open to prevent symlink race attacks where an
+			 * attacker could switch a directory to a symlink between
+			 * path validation and file open. */
+			if (use_secure_symlinks)
+				fd2 = secure_basis_open(NULL, fnametmp, O_WRONLY|O_CREAT, 0600);
+			else
+				fd2 = do_open(fnametmp, O_WRONLY|O_CREAT, 0600);
 #ifdef linux
 			if (fd2 == -1 && errno == EACCES) {
 				/* Maybe the error was due to protected_regular setting? */
-				fd2 = do_open(fname, O_WRONLY, 0600);
+				if (use_secure_symlinks)
+					fd2 = secure_relative_open(NULL, fname, O_WRONLY, 0600);
+				else
+					fd2 = do_open(fname, O_WRONLY, 0600);
 			}
 #endif
 			if (fd2 == -1) {
@@ -895,7 +996,7 @@ int recv_files(int f_in, int f_out, char *local_name)
 				recv_ok = -1;
 			else if (fnamecmp == partialptr) {
 				if (!one_inplace)
-					do_unlink(partialptr);
+					do_unlink_at(partialptr);
 				handle_partial_dir(partialptr, PDIR_DELETE);
 			}
 		} else if (keep_partial && partialptr && (!one_inplace || delay_updates)) {
@@ -904,7 +1005,7 @@ int recv_files(int f_in, int f_out, char *local_name)
 					"Unable to create partial-dir for %s -- discarding %s.\n",
 					local_name ? local_name : f_name(file, NULL),
 					recv_ok ? "completed file" : "partial file");
-				do_unlink(fnametmp);
+				do_unlink_at(fnametmp);
 				recv_ok = -1;
 			} else if (!finish_transfer(partialptr, fnametmp, fnamecmp, NULL,
 						    file, recv_ok, !partial_dir))
@@ -915,7 +1016,7 @@ int recv_files(int f_in, int f_out, char *local_name)
 			} else
 				partialptr = NULL;
 		} else if (!one_inplace)
-			do_unlink(fnametmp);
+			do_unlink_at(fnametmp);

 		cleanup_disable();

@@ -926,9 +1027,8 @@ int recv_files(int f_in, int f_out, char *local_name)
 		case 2:
 			break;
 		case 1:
-			if (remove_source_files || inc_recurse
-			 || (preserve_hard_links && F_IS_HLINKED(file)))
-				send_msg_int(MSG_SUCCESS, ndx);
+			if (remove_source_files || inc_recurse || (preserve_hard_links && F_IS_HLINKED(file)))
+				send_msg_success(fname, ndx);
 			break;
 		case 0: {
 			enum logcode msgtype = redoing ? FERROR_XFER : FWARNING;
--- a/rsync-web/.gitignore
+++ b/rsync-web/.gitignore
@@ -0,0 +1,11 @@
+/.xvpics
+/doxygen/
+/tech_report/IMG_PARAMS.dir
+/tech_report/IMG_PARAMS.pag
+/upload
+/netware
+/pre-change
+/index.html-*
+/rsync-and-debian/rsync-and-debian.html
+/rsync-and-debian/rsync-and-debian.ps
+/badge.svg
--- a/rsync-web/COPYING.html
+++ b/rsync-web/COPYING.html
@@ -0,0 +1,674 @@
+                    GNU GENERAL PUBLIC LICENSE
+                       Version 3, 29 June 2007
+
+ Copyright (C) 2007 Free Software Foundation, Inc. &lt;<a href="https://fsf.org/">https://fsf.org/</a>&gt;
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+                            Preamble
+
+  The GNU General Public License is a free, copyleft license for
+software and other kinds of works.
+
+  The licenses for most software and other practical works are designed
+to take away your freedom to share and change the works.  By contrast,
+the GNU General Public License is intended to guarantee your freedom to
+share and change all versions of a program--to make sure it remains free
+software for all its users.  We, the Free Software Foundation, use the
+GNU General Public License for most of our software; it applies also to
+any other work released this way by its authors.  You can apply it to
+your programs, too.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+them if you wish), that you receive source code or can get it if you
+want it, that you can change the software or use pieces of it in new
+free programs, and that you know you can do these things.
+
+  To protect your rights, we need to prevent others from denying you
+these rights or asking you to surrender the rights.  Therefore, you have
+certain responsibilities if you distribute copies of the software, or if
+you modify it: responsibilities to respect the freedom of others.
+
+  For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must pass on to the recipients the same
+freedoms that you received.  You must make sure that they, too, receive
+or can get the source code.  And you must show them these terms so they
+know their rights.
+
+  Developers that use the GNU GPL protect your rights with two steps:
+(1) assert copyright on the software, and (2) offer you this License
+giving you legal permission to copy, distribute and/or modify it.
+
+  For the developers' and authors' protection, the GPL clearly explains
+that there is no warranty for this free software.  For both users' and
+authors' sake, the GPL requires that modified versions be marked as
+changed, so that their problems will not be attributed erroneously to
+authors of previous versions.
+
+  Some devices are designed to deny users access to install or run
+modified versions of the software inside them, although the manufacturer
+can do so.  This is fundamentally incompatible with the aim of
+protecting users' freedom to change the software.  The systematic
+pattern of such abuse occurs in the area of products for individuals to
+use, which is precisely where it is most unacceptable.  Therefore, we
+have designed this version of the GPL to prohibit the practice for those
+products.  If such problems arise substantially in other domains, we
+stand ready to extend this provision to those domains in future versions
+of the GPL, as needed to protect the freedom of users.
+
+  Finally, every program is threatened constantly by software patents.
+States should not allow patents to restrict development and use of
+software on general-purpose computers, but in those that do, we wish to
+avoid the special danger that patents applied to a free program could
+make it effectively proprietary.  To prevent this, the GPL assures that
+patents cannot be used to render the program non-free.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+                       TERMS AND CONDITIONS
+
+  0. Definitions.
+
+  "This License" refers to version 3 of the GNU General Public License.
+
+  "Copyright" also means copyright-like laws that apply to other kinds of
+works, such as semiconductor masks.
+
+  "The Program" refers to any copyrightable work licensed under this
+License.  Each licensee is addressed as "you".  "Licensees" and
+"recipients" may be individuals or organizations.
+
+  To "modify" a work means to copy from or adapt all or part of the work
+in a fashion requiring copyright permission, other than the making of an
+exact copy.  The resulting work is called a "modified version" of the
+earlier work or a work "based on" the earlier work.
+
+  A "covered work" means either the unmodified Program or a work based
+on the Program.
+
+  To "propagate" a work means to do anything with it that, without
+permission, would make you directly or secondarily liable for
+infringement under applicable copyright law, except executing it on a
+computer or modifying a private copy.  Propagation includes copying,
+distribution (with or without modification), making available to the
+public, and in some countries other activities as well.
+
+  To "convey" a work means any kind of propagation that enables other
+parties to make or receive copies.  Mere interaction with a user through
+a computer network, with no transfer of a copy, is not conveying.
+
+  An interactive user interface displays "Appropriate Legal Notices"
+to the extent that it includes a convenient and prominently visible
+feature that (1) displays an appropriate copyright notice, and (2)
+tells the user that there is no warranty for the work (except to the
+extent that warranties are provided), that licensees may convey the
+work under this License, and how to view a copy of this License.  If
+the interface presents a list of user commands or options, such as a
+menu, a prominent item in the list meets this criterion.
+
+  1. Source Code.
+
+  The "source code" for a work means the preferred form of the work
+for making modifications to it.  "Object code" means any non-source
+form of a work.
+
+  A "Standard Interface" means an interface that either is an official
+standard defined by a recognized standards body, or, in the case of
+interfaces specified for a particular programming language, one that
+is widely used among developers working in that language.
+
+  The "System Libraries" of an executable work include anything, other
+than the work as a whole, that (a) is included in the normal form of
+packaging a Major Component, but which is not part of that Major
+Component, and (b) serves only to enable use of the work with that
+Major Component, or to implement a Standard Interface for which an
+implementation is available to the public in source code form.  A
+"Major Component", in this context, means a major essential component
+(kernel, window system, and so on) of the specific operating system
+(if any) on which the executable work runs, or a compiler used to
+produce the work, or an object code interpreter used to run it.
+
+  The "Corresponding Source" for a work in object code form means all
+the source code needed to generate, install, and (for an executable
+work) run the object code and to modify the work, including scripts to
+control those activities.  However, it does not include the work's
+System Libraries, or general-purpose tools or generally available free
+programs which are used unmodified in performing those activities but
+which are not part of the work.  For example, Corresponding Source
+includes interface definition files associated with source files for
+the work, and the source code for shared libraries and dynamically
+linked subprograms that the work is specifically designed to require,
+such as by intimate data communication or control flow between those
+subprograms and other parts of the work.
+
+  The Corresponding Source need not include anything that users
+can regenerate automatically from other parts of the Corresponding
+Source.
+
+  The Corresponding Source for a work in source code form is that
+same work.
+
+  2. Basic Permissions.
+
+  All rights granted under this License are granted for the term of
+copyright on the Program, and are irrevocable provided the stated
+conditions are met.  This License explicitly affirms your unlimited
+permission to run the unmodified Program.  The output from running a
+covered work is covered by this License only if the output, given its
+content, constitutes a covered work.  This License acknowledges your
+rights of fair use or other equivalent, as provided by copyright law.
+
+  You may make, run and propagate covered works that you do not
+convey, without conditions so long as your license otherwise remains
+in force.  You may convey covered works to others for the sole purpose
+of having them make modifications exclusively for you, or provide you
+with facilities for running those works, provided that you comply with
+the terms of this License in conveying all material for which you do
+not control copyright.  Those thus making or running the covered works
+for you must do so exclusively on your behalf, under your direction
+and control, on terms that prohibit them from making any copies of
+your copyrighted material outside their relationship with you.
+
+  Conveying under any other circumstances is permitted solely under
+the conditions stated below.  Sublicensing is not allowed; section 10
+makes it unnecessary.
+
+  3. Protecting Users' Legal Rights From Anti-Circumvention Law.
+
+  No covered work shall be deemed part of an effective technological
+measure under any applicable law fulfilling obligations under article
+11 of the WIPO copyright treaty adopted on 20 December 1996, or
+similar laws prohibiting or restricting circumvention of such
+measures.
+
+  When you convey a covered work, you waive any legal power to forbid
+circumvention of technological measures to the extent such circumvention
+is effected by exercising rights under this License with respect to
+the covered work, and you disclaim any intention to limit operation or
+modification of the work as a means of enforcing, against the work's
+users, your or third parties' legal rights to forbid circumvention of
+technological measures.
+
+  4. Conveying Verbatim Copies.
+
+  You may convey verbatim copies of the Program's source code as you
+receive it, in any medium, provided that you conspicuously and
+appropriately publish on each copy an appropriate copyright notice;
+keep intact all notices stating that this License and any
+non-permissive terms added in accord with section 7 apply to the code;
+keep intact all notices of the absence of any warranty; and give all
+recipients a copy of this License along with the Program.
+
+  You may charge any price or no price for each copy that you convey,
+and you may offer support or warranty protection for a fee.
+
+  5. Conveying Modified Source Versions.
+
+  You may convey a work based on the Program, or the modifications to
+produce it from the Program, in the form of source code under the
+terms of section 4, provided that you also meet all of these conditions:
+
+    a) The work must carry prominent notices stating that you modified
+    it, and giving a relevant date.
+
+    b) The work must carry prominent notices stating that it is
+    released under this License and any conditions added under section
+    7.  This requirement modifies the requirement in section 4 to
+    "keep intact all notices".
+
+    c) You must license the entire work, as a whole, under this
+    License to anyone who comes into possession of a copy.  This
+    License will therefore apply, along with any applicable section 7
+    additional terms, to the whole of the work, and all its parts,
+    regardless of how they are packaged.  This License gives no
+    permission to license the work in any other way, but it does not
+    invalidate such permission if you have separately received it.
+
+    d) If the work has interactive user interfaces, each must display
+    Appropriate Legal Notices; however, if the Program has interactive
+    interfaces that do not display Appropriate Legal Notices, your
+    work need not make them do so.
+
+  A compilation of a covered work with other separate and independent
+works, which are not by their nature extensions of the covered work,
+and which are not combined with it such as to form a larger program,
+in or on a volume of a storage or distribution medium, is called an
+"aggregate" if the compilation and its resulting copyright are not
+used to limit the access or legal rights of the compilation's users
+beyond what the individual works permit.  Inclusion of a covered work
+in an aggregate does not cause this License to apply to the other
+parts of the aggregate.
+
+  6. Conveying Non-Source Forms.
+
+  You may convey a covered work in object code form under the terms
+of sections 4 and 5, provided that you also convey the
+machine-readable Corresponding Source under the terms of this License,
+in one of these ways:
+
+    a) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by the
+    Corresponding Source fixed on a durable physical medium
+    customarily used for software interchange.
+
+    b) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by a
+    written offer, valid for at least three years and valid for as
+    long as you offer spare parts or customer support for that product
+    model, to give anyone who possesses the object code either (1) a
+    copy of the Corresponding Source for all the software in the
+    product that is covered by this License, on a durable physical
+    medium customarily used for software interchange, for a price no
+    more than your reasonable cost of physically performing this
+    conveying of source, or (2) access to copy the
+    Corresponding Source from a network server at no charge.
+
+    c) Convey individual copies of the object code with a copy of the
+    written offer to provide the Corresponding Source.  This
+    alternative is allowed only occasionally and noncommercially, and
+    only if you received the object code with such an offer, in accord
+    with subsection 6b.
+
+    d) Convey the object code by offering access from a designated
+    place (gratis or for a charge), and offer equivalent access to the
+    Corresponding Source in the same way through the same place at no
+    further charge.  You need not require recipients to copy the
+    Corresponding Source along with the object code.  If the place to
+    copy the object code is a network server, the Corresponding Source
+    may be on a different server (operated by you or a third party)
+    that supports equivalent copying facilities, provided you maintain
+    clear directions next to the object code saying where to find the
+    Corresponding Source.  Regardless of what server hosts the
+    Corresponding Source, you remain obligated to ensure that it is
+    available for as long as needed to satisfy these requirements.
+
+    e) Convey the object code using peer-to-peer transmission, provided
+    you inform other peers where the object code and Corresponding
+    Source of the work are being offered to the general public at no
+    charge under subsection 6d.
+
+  A separable portion of the object code, whose source code is excluded
+from the Corresponding Source as a System Library, need not be
+included in conveying the object code work.
+
+  A "User Product" is either (1) a "consumer product", which means any
+tangible personal property which is normally used for personal, family,
+or household purposes, or (2) anything designed or sold for incorporation
+into a dwelling.  In determining whether a product is a consumer product,
+doubtful cases shall be resolved in favor of coverage.  For a particular
+product received by a particular user, "normally used" refers to a
+typical or common use of that class of product, regardless of the status
+of the particular user or of the way in which the particular user
+actually uses, or expects or is expected to use, the product.  A product
+is a consumer product regardless of whether the product has substantial
+commercial, industrial or non-consumer uses, unless such uses represent
+the only significant mode of use of the product.
+
+  "Installation Information" for a User Product means any methods,
+procedures, authorization keys, or other information required to install
+and execute modified versions of a covered work in that User Product from
+a modified version of its Corresponding Source.  The information must
+suffice to ensure that the continued functioning of the modified object
+code is in no case prevented or interfered with solely because
+modification has been made.
+
+  If you convey an object code work under this section in, or with, or
+specifically for use in, a User Product, and the conveying occurs as
+part of a transaction in which the right of possession and use of the
+User Product is transferred to the recipient in perpetuity or for a
+fixed term (regardless of how the transaction is characterized), the
+Corresponding Source conveyed under this section must be accompanied
+by the Installation Information.  But this requirement does not apply
+if neither you nor any third party retains the ability to install
+modified object code on the User Product (for example, the work has
+been installed in ROM).
+
+  The requirement to provide Installation Information does not include a
+requirement to continue to provide support service, warranty, or updates
+for a work that has been modified or installed by the recipient, or for
+the User Product in which it has been modified or installed.  Access to a
+network may be denied when the modification itself materially and
+adversely affects the operation of the network or violates the rules and
+protocols for communication across the network.
+
+  Corresponding Source conveyed, and Installation Information provided,
+in accord with this section must be in a format that is publicly
+documented (and with an implementation available to the public in
+source code form), and must require no special password or key for
+unpacking, reading or copying.
+
+  7. Additional Terms.
+
+  "Additional permissions" are terms that supplement the terms of this
+License by making exceptions from one or more of its conditions.
+Additional permissions that are applicable to the entire Program shall
+be treated as though they were included in this License, to the extent
+that they are valid under applicable law.  If additional permissions
+apply only to part of the Program, that part may be used separately
+under those permissions, but the entire Program remains governed by
+this License without regard to the additional permissions.
+
+  When you convey a copy of a covered work, you may at your option
+remove any additional permissions from that copy, or from any part of
+it.  (Additional permissions may be written to require their own
+removal in certain cases when you modify the work.)  You may place
+additional permissions on material, added by you to a covered work,
+for which you have or can give appropriate copyright permission.
+
+  Notwithstanding any other provision of this License, for material you
+add to a covered work, you may (if authorized by the copyright holders of
+that material) supplement the terms of this License with terms:
+
+    a) Disclaiming warranty or limiting liability differently from the
+    terms of sections 15 and 16 of this License; or
+
+    b) Requiring preservation of specified reasonable legal notices or
+    author attributions in that material or in the Appropriate Legal
+    Notices displayed by works containing it; or
+
+    c) Prohibiting misrepresentation of the origin of that material, or
+    requiring that modified versions of such material be marked in
+    reasonable ways as different from the original version; or
+
+    d) Limiting the use for publicity purposes of names of licensors or
+    authors of the material; or
+
+    e) Declining to grant rights under trademark law for use of some
+    trade names, trademarks, or service marks; or
+
+    f) Requiring indemnification of licensors and authors of that
+    material by anyone who conveys the material (or modified versions of
+    it) with contractual assumptions of liability to the recipient, for
+    any liability that these contractual assumptions directly impose on
+    those licensors and authors.
+
+  All other non-permissive additional terms are considered "further
+restrictions" within the meaning of section 10.  If the Program as you
+received it, or any part of it, contains a notice stating that it is
+governed by this License along with a term that is a further
+restriction, you may remove that term.  If a license document contains
+a further restriction but permits relicensing or conveying under this
+License, you may add to a covered work material governed by the terms
+of that license document, provided that the further restriction does
+not survive such relicensing or conveying.
+
+  If you add terms to a covered work in accord with this section, you
+must place, in the relevant source files, a statement of the
+additional terms that apply to those files, or a notice indicating
+where to find the applicable terms.
+
+  Additional terms, permissive or non-permissive, may be stated in the
+form of a separately written license, or stated as exceptions;
+the above requirements apply either way.
+
+  8. Termination.
+
+  You may not propagate or modify a covered work except as expressly
+provided under this License.  Any attempt otherwise to propagate or
+modify it is void, and will automatically terminate your rights under
+this License (including any patent licenses granted under the third
+paragraph of section 11).
+
+  However, if you cease all violation of this License, then your
+license from a particular copyright holder is reinstated (a)
+provisionally, unless and until the copyright holder explicitly and
+finally terminates your license, and (b) permanently, if the copyright
+holder fails to notify you of the violation by some reasonable means
+prior to 60 days after the cessation.
+
+  Moreover, your license from a particular copyright holder is
+reinstated permanently if the copyright holder notifies you of the
+violation by some reasonable means, this is the first time you have
+received notice of violation of this License (for any work) from that
+copyright holder, and you cure the violation prior to 30 days after
+your receipt of the notice.
+
+  Termination of your rights under this section does not terminate the
+licenses of parties who have received copies or rights from you under
+this License.  If your rights have been terminated and not permanently
+reinstated, you do not qualify to receive new licenses for the same
+material under section 10.
+
+  9. Acceptance Not Required for Having Copies.
+
+  You are not required to accept this License in order to receive or
+run a copy of the Program.  Ancillary propagation of a covered work
+occurring solely as a consequence of using peer-to-peer transmission
+to receive a copy likewise does not require acceptance.  However,
+nothing other than this License grants you permission to propagate or
+modify any covered work.  These actions infringe copyright if you do
+not accept this License.  Therefore, by modifying or propagating a
+covered work, you indicate your acceptance of this License to do so.
+
+  10. Automatic Licensing of Downstream Recipients.
+
+  Each time you convey a covered work, the recipient automatically
+receives a license from the original licensors, to run, modify and
+propagate that work, subject to this License.  You are not responsible
+for enforcing compliance by third parties with this License.
+
+  An "entity transaction" is a transaction transferring control of an
+organization, or substantially all assets of one, or subdividing an
+organization, or merging organizations.  If propagation of a covered
+work results from an entity transaction, each party to that
+transaction who receives a copy of the work also receives whatever
+licenses to the work the party's predecessor in interest had or could
+give under the previous paragraph, plus a right to possession of the
+Corresponding Source of the work from the predecessor in interest, if
+the predecessor has it or can get it with reasonable efforts.
+
+  You may not impose any further restrictions on the exercise of the
+rights granted or affirmed under this License.  For example, you may
+not impose a license fee, royalty, or other charge for exercise of
+rights granted under this License, and you may not initiate litigation
+(including a cross-claim or counterclaim in a lawsuit) alleging that
+any patent claim is infringed by making, using, selling, offering for
+sale, or importing the Program or any portion of it.
+
+  11. Patents.
+
+  A "contributor" is a copyright holder who authorizes use under this
+License of the Program or a work on which the Program is based.  The
+work thus licensed is called the contributor's "contributor version".
+
+  A contributor's "essential patent claims" are all patent claims
+owned or controlled by the contributor, whether already acquired or
+hereafter acquired, that would be infringed by some manner, permitted
+by this License, of making, using, or selling its contributor version,
+but do not include claims that would be infringed only as a
+consequence of further modification of the contributor version.  For
+purposes of this definition, "control" includes the right to grant
+patent sublicenses in a manner consistent with the requirements of
+this License.
+
+  Each contributor grants you a non-exclusive, worldwide, royalty-free
+patent license under the contributor's essential patent claims, to
+make, use, sell, offer for sale, import and otherwise run, modify and
+propagate the contents of its contributor version.
+
+  In the following three paragraphs, a "patent license" is any express
+agreement or commitment, however denominated, not to enforce a patent
+(such as an express permission to practice a patent or covenant not to
+sue for patent infringement).  To "grant" such a patent license to a
+party means to make such an agreement or commitment not to enforce a
+patent against the party.
+
+  If you convey a covered work, knowingly relying on a patent license,
+and the Corresponding Source of the work is not available for anyone
+to copy, free of charge and under the terms of this License, through a
+publicly available network server or other readily accessible means,
+then you must either (1) cause the Corresponding Source to be so
+available, or (2) arrange to deprive yourself of the benefit of the
+patent license for this particular work, or (3) arrange, in a manner
+consistent with the requirements of this License, to extend the patent
+license to downstream recipients.  "Knowingly relying" means you have
+actual knowledge that, but for the patent license, your conveying the
+covered work in a country, or your recipient's use of the covered work
+in a country, would infringe one or more identifiable patents in that
+country that you have reason to believe are valid.
+
+  If, pursuant to or in connection with a single transaction or
+arrangement, you convey, or propagate by procuring conveyance of, a
+covered work, and grant a patent license to some of the parties
+receiving the covered work authorizing them to use, propagate, modify
+or convey a specific copy of the covered work, then the patent license
+you grant is automatically extended to all recipients of the covered
+work and works based on it.
+
+  A patent license is "discriminatory" if it does not include within
+the scope of its coverage, prohibits the exercise of, or is
+conditioned on the non-exercise of one or more of the rights that are
+specifically granted under this License.  You may not convey a covered
+work if you are a party to an arrangement with a third party that is
+in the business of distributing software, under which you make payment
+to the third party based on the extent of your activity of conveying
+the work, and under which the third party grants, to any of the
+parties who would receive the covered work from you, a discriminatory
+patent license (a) in connection with copies of the covered work
+conveyed by you (or copies made from those copies), or (b) primarily
+for and in connection with specific products or compilations that
+contain the covered work, unless you entered into that arrangement,
+or that patent license was granted, prior to 28 March 2007.
+
+  Nothing in this License shall be construed as excluding or limiting
+any implied license or other defenses to infringement that may
+otherwise be available to you under applicable patent law.
+
+  12. No Surrender of Others' Freedom.
+
+  If conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot convey a
+covered work so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you may
+not convey it at all.  For example, if you agree to terms that obligate you
+to collect a royalty for further conveying from those to whom you convey
+the Program, the only way you could satisfy both those terms and this
+License would be to refrain entirely from conveying the Program.
+
+  13. Use with the GNU Affero General Public License.
+
+  Notwithstanding any other provision of this License, you have
+permission to link or combine any covered work with a work licensed
+under version 3 of the GNU Affero General Public License into a single
+combined work, and to convey the resulting work.  The terms of this
+License will continue to apply to the part which is the covered work,
+but the special requirements of the GNU Affero General Public License,
+section 13, concerning interaction through a network will apply to the
+combination as such.
+
+  14. Revised Versions of this License.
+
+  The Free Software Foundation may publish revised and/or new versions of
+the GNU General Public License from time to time.  Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+  Each version is given a distinguishing version number.  If the
+Program specifies that a certain numbered version of the GNU General
+Public License "or any later version" applies to it, you have the
+option of following the terms and conditions either of that numbered
+version or of any later version published by the Free Software
+Foundation.  If the Program does not specify a version number of the
+GNU General Public License, you may choose any version ever published
+by the Free Software Foundation.
+
+  If the Program specifies that a proxy can decide which future
+versions of the GNU General Public License can be used, that proxy's
+public statement of acceptance of a version permanently authorizes you
+to choose that version for the Program.
+
+  Later license versions may give you additional or different
+permissions.  However, no additional obligations are imposed on any
+author or copyright holder as a result of your choosing to follow a
+later version.
+
+  15. Disclaimer of Warranty.
+
+  THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
+OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
+THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
+IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
+ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+  16. Limitation of Liability.
+
+  IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
+THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
+GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
+USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
+DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
+PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
+EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGES.
+
+  17. Interpretation of Sections 15 and 16.
+
+  If the disclaimer of warranty and limitation of liability provided
+above cannot be given local legal effect according to their terms,
+reviewing courts shall apply local law that most closely approximates
+an absolute waiver of all civil liability in connection with the
+Program, unless a warranty or assumption of liability accompanies a
+copy of the Program in return for a fee.
+
+                     END OF TERMS AND CONDITIONS
+
+            How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+state the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    &lt;one line to give the program's name and a brief idea of what it does.&gt;
+    Copyright (C) &lt;year&gt;  &lt;name of author&gt;
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see &lt;<a href="https://www.gnu.org/licenses/">https://www.gnu.org/licenses/</a>&gt;.
+
+Also add information on how to contact you by electronic and paper mail.
+
+  If the program does terminal interaction, make it output a short
+notice like this when it starts in an interactive mode:
+
+    &lt;program&gt;  Copyright (C) &lt;year&gt;  &lt;name of author&gt;
+    This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+    This is free software, and you are welcome to redistribute it
+    under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License.  Of course, your program's commands
+might be different; for a GUI interface, you would use an "about box".
+
+  You should also get your employer (if you work as a programmer) or school,
+if any, to sign a "copyright disclaimer" for the program, if necessary.
+For more information on this, and how to apply and follow the GNU GPL, see
+&lt;<a href="https://www.gnu.org/licenses/">https://www.gnu.org/licenses/</a>&gt;.
+
+  The GNU General Public License does not permit incorporating your program
+into proprietary programs.  If your program is a subroutine library, you
+may consider it more useful to permit linking proprietary applications with
+the library.  If this is what you want to do, use the GNU Lesser General
+Public License instead of this License.  But first, please read
+&lt;<a href="https://www.gnu.org/philosophy/why-not-lgpl.html">https://www.gnu.org/philosophy/why-not-lgpl.html</a>&gt;.
--- a/rsync-web/COPYING2.html
+++ b/rsync-web/COPYING2.html
@@ -0,0 +1,340 @@
+		    GNU GENERAL PUBLIC LICENSE
+		       Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.
+     51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA.
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+			    Preamble
+
+  The licenses for most software are designed to take away your
+freedom to share and change it.  By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users.  This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it.  (Some other Free Software Foundation software is covered by
+the GNU Library General Public License instead.)  You can apply it to
+your programs, too.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+  To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+  For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have.  You must make sure that they, too, receive or can get the
+source code.  And you must show them these terms so they know their
+rights.
+
+  We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+  Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software.  If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+  Finally, any free program is threatened constantly by software
+patents.  We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary.  To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+<hr>
+		    GNU GENERAL PUBLIC LICENSE
+   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+  0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License.  The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language.  (Hereinafter, translation is included without limitation in
+the term "modification".)  Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope.  The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+  1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+  2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+    a) You must cause the modified files to carry prominent notices
+    stating that you changed the files and the date of any change.
+
+    b) You must cause any work that you distribute or publish, that in
+    whole or in part contains or is derived from the Program or any
+    part thereof, to be licensed as a whole at no charge to all third
+    parties under the terms of this License.
+
+    c) If the modified program normally reads commands interactively
+    when run, you must cause it, when started running for such
+    interactive use in the most ordinary way, to print or display an
+    announcement including an appropriate copyright notice and a
+    notice that there is no warranty (or else, saying that you provide
+    a warranty) and that users may redistribute the program under
+    these conditions, and telling the user how to view a copy of this
+    License.  (Exception: if the Program itself is interactive but
+    does not normally print such an announcement, your work based on
+    the Program is not required to print an announcement.)
+<hr>
+These requirements apply to the modified work as a whole.  If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works.  But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+  3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+    a) Accompany it with the complete corresponding machine-readable
+    source code, which must be distributed under the terms of Sections
+    1 and 2 above on a medium customarily used for software interchange; or,
+
+    b) Accompany it with a written offer, valid for at least three
+    years, to give any third party, for a charge no more than your
+    cost of physically performing source distribution, a complete
+    machine-readable copy of the corresponding source code, to be
+    distributed under the terms of Sections 1 and 2 above on a medium
+    customarily used for software interchange; or,
+
+    c) Accompany it with the information you received as to the offer
+    to distribute corresponding source code.  (This alternative is
+    allowed only for noncommercial distribution and only if you
+    received the program in object code or executable form with such
+    an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it.  For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable.  However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+<hr>
+  4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License.  Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+  5. You are not required to accept this License, since you have not
+signed it.  However, nothing else grants you permission to modify or
+distribute the Program or its derivative works.  These actions are
+prohibited by law if you do not accept this License.  Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+  6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions.  You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+  7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all.  For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices.  Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+<hr>
+  8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded.  In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+  9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time.  Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number.  If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation.  If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+  10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission.  For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this.  Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+			    NO WARRANTY
+
+  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+		     END OF TERMS AND CONDITIONS
+<hr>
+	    How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    &lt;one line to give the program's name and a brief idea of what it does.&gt;
+    Copyright (C) &lt;year&gt;  &lt;name of author&gt;
+
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; either version 2 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program; if not, write to the Free Software
+    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+
+    Gnomovision version 69, Copyright (C) year  name of author
+    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+    This is free software, and you are welcome to redistribute it
+    under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License.  Of course, the commands you use may
+be called something other than `show w' and `show c'; they could even be
+mouse-clicks or menu items--whatever suits your program.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary.  Here is a sample; alter the names:
+
+  Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+  `Gnomovision' (which makes passes at compilers) written by James Hacker.
+
+  &lt;signature of Ty Coon&gt;, 1 April 1989
+  Ty Coon, President of Vice
+
+This General Public License does not permit incorporating your program into
+proprietary programs.  If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library.  If this is what you want to do, use the GNU Library General
+Public License instead of this License.
--- a/rsync-web/FAQ.html
+++ b/rsync-web/FAQ.html
@@ -0,0 +1,284 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
+<HTML>
+<HEAD>
+<TITLE>rsync FAQ</TITLE>
+</HEAD>
+<!--#include virtual="header.html" -->
+
+<H2 align="center">Frequently Asked Questions</H2>
+
+<table><tr valign=top><td><ul>
+<li><a href="#1">the transfer fails to finish</a><br>
+<li><a href="#2">rsync recopies the same files</a><br>
+<li><a href="#3">is your shell clean</a><br>
+<li><a href="#4">memory usage</a><br>
+<li><a href="#5">out of memory</a><br>
+<li><a href="#6">rsync through a firewall</a><br>
+<li><a href="#7">rsync and cron</a><br>
+</ul></td><td>&nbsp;&nbsp;&nbsp;&nbsp;</td><td><ul>
+<li><a href="#8">rsync: Command not found</a><br>
+<li><a href="#9">spaces in filenames</a><br>
+<li><a href="#10">ignore "vanished files" warning</a><br>
+<li><a href="#11">read-only file system</a><br>
+<li><a href="#12">multiplexing overflow 101:7104843</a><br>
+<li><a href="#13">inflate (token) returned -5</a><br>
+</ul></td></tr></table>
+
+<hr>
+<h3><a name=1>the transfer fails to finish</a></h3>
+
+<p>If you get an error like one of these:
+
+<pre>rsync: error writing 4 unbuffered bytes - exiting: Broken pipe
+rsync error: error in rsync protocol data stream (code 12) at io.c(463)
+</pre>
+
+<p>or
+
+<pre>rsync: connection unexpectedly closed (24 bytes read so far)
+rsync error: error in rsync protocol data stream (code 12) at io.c(342)
+</pre>
+
+<p>please read the <a href="issues.html">issues and debugging page</a>
+for details on how you can try to figure out what is going wrong.
+
+<hr>
+<h3><a name=2>rsync recopies the same files</a></h3>
+
+<p>Some people occasionally report that rsync copies too many files when
+they expect it to copy only a few. In most cases the explanation is
+that you forgot to include the --times (-t) option in the original copy,
+so rsync is forced to (efficiently) transfer every file that differs in
+its modified time to discover what data (if any) has changed.
+
+<p>Another common cause involves sending files to an Microsoft filesystem:
+if the file's modified time is an odd value but the receiving filesystem
+can only store even values, then rsync will re-transfer too many files.
+You can avoid this by specifying the --modify-window=1 option.
+
+<p>Yet another periodic case can happen when daylight-savings time
+changes if your OS+filesystem saves file times in local time instead of
+UTC.  For a full explanation of this and some suggestions on how to
+avoid them problem, see <a href="daylight-savings.html">this document</a>.
+
+<p>Something else that can trip up rsync is a filesystem changeing the
+filename behind the scenes.  This can happen when a filesystem changes
+an all-uppercase name into lowercase, or when it decomposes UTF-8 behind
+your back.
+
+<blockquote>
+
+<p>An example of the latter can occur with HFS+ on Mac OS X:  if you
+copy a directory with a file that has a UTF-8 character sequence in it,
+say a 2-byte umlaut-u (\0303\0274), the file will get that character
+stored by the filesystem using 3 bytes (\0165\0314\0210), and rsync will
+not know that these differing filenames are the same file (it will, in
+fact, remove a prior copy of the file if --delete is enabled, and then
+recreate it).
+
+<p>You can avoid a charset problem by passing an appropriate --iconv
+option to rsync that tells it what character-set the source files are,
+and what character-set the destination files get stored in.  For
+instance, the above Mac OS X problem would be dealt with by using
+--iconv=UTF-8,UTF8-MAC (UTF8-MAC is a pseudo-charset recognized by Mac
+OS X iconv in which all characters are decomposed).
+
+</blockquote>
+
+<p>If you think that rsync is copying too many files, look at the
+itemized output (-i) to see why rsync is doing the update (e.g. the 't'
+flag indicates that the time differs, or all pluses indicates that rsync
+thinks the file doesn't exist).  You can also look at the stats produced
+with -v and see if rsync is really sending all the data.  See also the
+--checksum (-c) option for one way to avoid the extra copying of files
+that don't have synchronized modified times (but keep in mind that the
+-c option eats lots of disk I/O, and can be rather slow).
+
+<hr>
+<h3><a name=3>is your shell clean</a></h3>
+
+<p>The "is your shell clean" message and the "protocol mismatch" message
+are usually caused by having some sort of program in your .cshrc, .profile,
+.bashrc or equivalent file that writes a message every time you connect
+using a remote-shell program (such as ssh or rsh).  Data written in this
+way corrupts the rsync data stream. rsync detects this at startup and
+produces those error messages.  However, if you are using rsync-daemon
+syntax (host::path or rsync://) without using a remote-shell program (no
+--rsh or -e option), there is not remote-shell program involved, and the
+problem is probably caused by an error on the daemon side (so check the
+daemon logs).
+
+<p>A good way to test if your remote-shell connection is clean is to try
+something like this (use ssh or rsh, as appropriate):
+
+<blockquote><pre>ssh remotesystem /bin/true &gt; test.dat</pre></blockquote>
+
+<p>That should create a file called test.dat with nothing in it. If
+test.dat is not of zero length then your shell is not clean.  Look at the
+contents of test.dat to see what was sent. Look at all the startup files on
+remotesystem to try and find the problem.
+
+<hr>
+<h3><a name=4>memory usage</a></h3>
+
+<p>Rsync versions before 3.0.0 always build the entire list of files to be
+transferred at the beginning and hold it in memory for the entire run.  Rsync
+needs about 100 bytes to store all the relevant information for one file,
+so (for example) a run with 800,000 files would consume about 80M of
+memory.  -H and --delete increase the memory usage further.
+
+<p>Version 3.0.0 slightly reduced the memory used per file by not storing fields
+not needed for a particular file.  It also introduced an incremental recursion
+mode that builds the file list in chunks and holds each chunk in memory only as
+long as it is needed.  This mode dramatically reduces memory usage, but it
+only works provided that both sides are 3.0.0 or newer and certain options that
+rsync currently can't handle in this mode are not being used.
+
+<hr>
+<h3><a name=5>out of memory</a></h3>
+
+<p>The usual reason for "out of memory" when running rsync is that you are
+transferring a _very_ large number of files.  The size of the files doesn't
+matter, only the total number of files.  If memory is a problem, first try to
+use the incremental recursion mode: upgrade both sides to rsync 3.0.0 or
+newer and avoid options that disable incremental recursion (e.g., use
+<tt>--delete-delay</tt> instead of <tt>--delete-after</tt>).  If this is not
+possible, you can break the rsync run into smaller chunks operating on
+individual subdirectories using <tt>--relative</tt> and/or exclude rules.
+
+<hr>
+<h3><a name=6>rsync through a firewall</a></h3>
+
+<p>If you have a setup where there is no way to directly connect two
+systems for an rsync transfer, there are several ways to get a firewall
+system to act as an intermediary in the transfer.  You'll find full details
+on the <a href="firewall.html">firewall methods</a> page.
+
+<hr>
+<h3><a name=7>rsync and cron</a></h3>
+
+<p>On some systems (notably SunOS4) cron supplies what looks like a socket
+to rsync, so rsync thinks that stdin is a socket. This means that if you
+start rsync with the --daemon switch from a cron job you end up rsync
+thinking it has been started from inetd. The fix is simple&mdash;just
+redirect stdin from /dev/null in your cron job.
+
+<hr>
+<h3><a name=8>rsync: Command not found</a></h3>
+
+<p>This error is produced when the remote shell is unable to locate the rsync
+binary in your path. There are 3 possible solutions:
+
+<ol>
+
+<li>install rsync in a "standard" location that is in your remote path. 
+
+<li>modify your .cshrc, .bashrc etc on the remote system to include the path
+that rsync is in
+
+<li>use the --rsync-path option to explicitly specify the path on the
+remote system where rsync is installed
+
+</ol>
+
+<p>You may echo find the command:
+
+<blockquote><pre>ssh host 'echo $PATH'</pre></blockquote>
+
+<p>for determining what your remote path is.
+
+<hr>
+<h3><a name=9>spaces in filenames</a></h3>
+
+<p>Can rsync copy files with spaces in them?
+
+<p>Short answer: Yes, rsync can handle filenames with spaces.
+
+<p>Long answer: 
+
+<p>Rsync handles spaces just like any other unix command line application.
+Within the code spaces are treated just like any other character so a
+filename with a space is no different from a filename with any other
+character in it.
+
+<p>The problem of spaces is in the argv processing done to interpret the
+command line.  As with any other unix application you have to escape spaces
+in some way on the command line or they will be used to separate arguments. 
+
+<p>It is slightly trickier in rsync (and other remote-copy programs like
+scp) because rsync sends a command line to the remote system to launch the
+peer copy of rsync (this assumes that we're not talking about daemon mode,
+which is not affected by this problem because no remote shell is involved
+in the reception of the filenames).  The command line is interpreted by the
+remote shell and thus the spaces need to arrive on the remote system
+escaped so that the shell doesn't split such filenames into multiple
+arguments.
+
+<p>For example:
+
+<blockquote><pre>rsync -av host:'a long filename' /tmp/</pre></blockquote>
+
+<p>This is usually a request for rsync to copy 3 files from the remote
+system, "a", "long", and "filename" (the only exception to this is for a
+system running a shell that does not word-split arguments in its commands,
+and that is exceedingly rare).  If you wanted to request a single file with
+spaces, you need to get some kind of space-quoting characters to the remote
+shell that is running the remote rsync command.  The following commands
+should all work:
+
+<blockquote><pre>rsync -av host:'"a long filename"' /tmp/
+rsync -av host:'a\ long\ filename' /tmp/
+rsync -av host:a\\\ long\\\ filename /tmp/</pre></blockquote>
+
+<p>You might also like to use a '?' in place of a space as long as there
+are no other matching filenames than the one with spaces (since '?' matches
+any character):
+
+<blockquote><pre>rsync -av host:a?long?filename /tmp/</pre></blockquote>
+
+<p>As long as you know that the remote filenames on the command line
+are interpreted by the remote shell then it all works fine. 
+
+<hr>
+<h3><a name=10>ignore "vanished files" warning</a></h3>
+
+<p>Some folks would like to ignore the "vanished files" warning, which
+manifests as an exit-code 24.  The easiest way to do this is to create
+a shell script wrapper.  For instance, name this something like
+"rsync-no24":
+
+<blockquote><pre>#!/bin/sh
+rsync "$@"
+e=$?
+if test $e = 24; then
+    exit 0
+fi
+exit $e</pre></blockquote>
+
+<hr>
+<h3><a name=11>read-only file system</a></h3>
+
+<p>If you get "Read-only file system" as an error when sending to a rsync
+daemon then you probably forgot to set "read only = no" for that module.
+
+<hr>
+<h3><a name=12>multiplexing overflow 101:7104843</a></h3>
+
+<p>This mysterious error, or the similar "invalid message 101:7104843", can
+happen if one of the rsync processes is killed for some reason and a message
+beginning with the four characters "Kill" gets inserted into the protocol
+stream as a result.  To solve the problem, you'll need to figure out why rsync
+is being killed.
+
+<hr>
+<h3><a name=13>inflate (token) returned -5</a></h3>
+
+This error means that rsync failed to handle an expected error from the
+compression code for a file that happened to be transferred with a block size
+of 32816 bytes.  You can avoid this issue for the affected file by transferring
+it with a manually-set block size (e.g. --block-size=33000), or by upgrading
+the receiving side to rsync 3.0.7.
+
+<hr>
+
+<!--#include virtual="footer.html" -->
--- a/rsync-web/GPL.html
+++ b/rsync-web/GPL.html
@@ -0,0 +1,16 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
+<HTML>
+<HEAD>
+<TITLE>rsync's license</TITLE>
+</HEAD>
+<!--#include virtual="header.html" -->
+
+Beginning with 3.0.0, rsync is available under the <b>GNU General Public
+License version 3</b>. <i>(Older releases were available under the
+<a href="GPL2.html">GPL version 2</a>.)</i>
+
+<pre><small>
+<!--#include virtual="COPYING.html" -->
+</small></pre>
+
+<!--#include virtual="footer.html" -->
--- a/rsync-web/GPL2.html
+++ b/rsync-web/GPL2.html
@@ -0,0 +1,15 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
+<HTML>
+<HEAD>
+<TITLE>rsync's license</TITLE>
+</HEAD>
+<!--#include virtual="header.html" -->
+
+Releases <b>prior</b> to 3.0.0 were released under the
+<b>GNU General Public License version 2</b>:
+
+<pre><small>
+<!--#include virtual="COPYING2.html" -->
+</small></pre>
+
+<!--#include virtual="footer.html" -->
--- a/rsync-web/backup.txt
+++ b/rsync-web/backup.txt
@@ -0,0 +1,36 @@
+#!/bin/sh
+
+# This script does personal backups to a rsync backup server. You will end up
+# with a 7 day rotating incremental backup. The incrementals will go
+# into subdirectories named after the day of the week, and the current
+# full backup goes into a directory called "current"
+# tridge@linuxcare.com
+
+# directory to backup
+BDIR=/home/$USER
+
+# excludes file - this contains a wildcard pattern per line of files to exclude
+EXCLUDES=$HOME/cron/excludes
+
+# the name of the backup machine
+BSERVER=owl
+
+# your password on the backup server
+export RSYNC_PASSWORD=XXXXXX
+
+
+########################################################################
+
+BACKUPDIR=`date +%A`
+OPTS="--force --ignore-errors --delete-excluded --exclude-from=$EXCLUDES 
+      --delete --backup --backup-dir=/$BACKUPDIR -a"
+
+export PATH=$PATH:/bin:/usr/bin:/usr/local/bin
+
+# the following line clears the last weeks incremental directory
+[ -d $HOME/emptydir ] || mkdir $HOME/emptydir
+rsync --delete -a $HOME/emptydir/ $BSERVER::$USER/$BACKUPDIR/
+rmdir $HOME/emptydir
+
+# now the actual transfer
+rsync $OPTS $BDIR $BSERVER::$USER/current
--- a/rsync-web/bar1.jpg
+++ b/rsync-web/bar1.jpg
--- a/rsync-web/bin/badge-update
+++ b/rsync-web/bin/badge-update
@@ -0,0 +1,4 @@
+#!/bin/sh
+rm -f badge.svg
+wget https://github.com/RsyncProject/rsync/workflows/build/badge.svg
+rsync -aiic --inplace --remove-source-files badge.svg $SAMBA_HOST:/home/httpd/html/rsync/
--- a/rsync-web/bin/upload
+++ b/rsync-web/bin/upload
@@ -0,0 +1,7 @@
+#!/bin/sh
+if [ -d rsync-and-debian ]; then
+    rsync -aviOHFFc --del -f._filt . $SAMBA_HOST:/home/httpd/html/rsync/ "${@}"
+else
+    echo "Run this from the root of the html hierarchy."
+    exit 1
+fi
--- a/rsync-web/bug-tracking.html
+++ b/rsync-web/bug-tracking.html
@@ -0,0 +1,69 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
+<HTML>
+<HEAD>
+<TITLE>rsync bug-tracking</TITLE>
+</HEAD>
+<!--#include virtual="header.html" -->
+
+<H2 align="center">rsync bug-tracking</H2>
+
+<p> Please use this checklist combined with the help on the
+<a href="issues.html">issues and debugging</a> page before
+reporting a bug.  Thanks!
+
+<ul>
+
+<li> If you're not using the latest released version, please upgrade before
+reporting a bug.
+
+<li> If you're using the latest released version, consult the
+<a href="https://github.com/RsyncProject/rsync/blob/master/NEWS.md">NEWS file from the git repository</a> to see if what
+you're seeing has already been handled in the version under development.
+
+<li> It is also helpful to search the bug reports at the
+<a href="https://github.com/RsyncProject/rsync/issues?q=is%3Aissue">GitHub issues tracker</a>
+to see if the problem is already known.
+
+<li> See also the <a href="issues.html">issues and debugging</a> page to
+help you figure out if what you're seeing is a known bug and perhaps to
+help diagnose what is going wrong.
+
+<li> Discuss the bug on the
+<a href="https://lists.samba.org/mailman/listinfo/rsync">rsync mailing list</a>
+(which is at <tt>rsync@lists.samba.org</tt>) to help you figure out if what
+you're seeing is really a bug or a mistake.
+
+<li>There are several patches for features that are under consideration that
+can be found in the <a href="https://github.com/RsyncProject/rsync-patches">rsync-patches repo</a>.
+
+<li> If you haven't already done so, please take a couple of minutes to read Simon Tatham's
+<a href="https://www.chiark.greenend.org.uk/~sgtatham/bugs.html">advice on how to report bugs</a>.
+
+</ul>
+
+<p> To report a bug or make suggestions, use one of these methods:
+
+<ul>
+
+<li> The mailing list (mentioned above) is a good resource for discussing
+bugs and suggesting new features.  It accepts patches (typically as MIME
+attachments), but for fixes is often easier to attach a patch to an
+appropriate GitHub issue report or use a pull request.  Note that there is
+no mandate to use pull requests for patches, as that can be a pretty high
+bar of git know-how that not everyone needs to be familiar with.
+
+<li> If you'd like to see a bug-report or feature-request get officially noted,
+<a href="https://github.com/RsyncProject/rsync/issues">create an issue on GitHub</a>
+(this does require that you have created a GitHub account).  If you want to
+stay abreast of what's going on with the issues, make use of the GitHub
+subscriptions to pick and choose what kind of notifications you want to
+receive (e.g. just a single issue, all issues, all rsync activity, etc.).
+
+<li>For security issues please send email
+  to <a href="mailto:rsync.project@gmail.com">rsync.project@gmail.com</a>
+  with details of the issue
+</ul>
+
+<p> Thanks for helping out!
+
+<!--#include virtual="footer.html" -->
--- a/rsync-web/bugtracking.html
+++ b/rsync-web/bugtracking.html
@@ -0,0 +1,7 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
+<HTML>
+<HEAD>
+<TITLE>rsync bug-tracking</TITLE>
+</HEAD>
+
+<meta http-equiv="refresh" content="0;URL='https://rsync.samba.org/bug-tracking.html'" />
--- a/rsync-web/bugzilla.html
+++ b/rsync-web/bugzilla.html
@@ -0,0 +1,7 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
+<HTML>
+<HEAD>
+<TITLE>rsync bug-tracking</TITLE>
+</HEAD>
+
+<meta http-equiv="refresh" content="0;URL='https://rsync.samba.org/bug-tracking.html'" />
--- a/Show More
+++ b/Show More