No, but that's why almost nobody runs it outside of strict trust boundaries. This security section would make more sense if rsync was like curl, which routinely deals with hostile counterparties. If the other side of your rsync is hostile, you probably have bigger problems!

I disagree. While rsync is most often used to transfer data between "friendly" systems, it's inherently crossing a security boundary. It's important to make sure that an attacker can't leverage it to transform the breach of one system into the breach of multiple systems.

reply
> almost nobody runs it outside of strict trust boundaries.

I guess you can define "strict" however you want, but from what I saw ~10 years ago, most Linux distros handled mirroring with rsync. That's a lot of usage in a pretty core part of the foundational open source ecosystem.

reply
OK, I agree, that's bad.
reply
Many distros use rsync for that but also support unencrypted HTTP.

They’re layering on checksums and signing such that they mostly don’t think about the trustworthiness of mirrors or the networks between them.

reply