GPL violation by Synology
jorrit.jongma+rsync at gmail.com
Mon May 18 21:29:23 UTC 2020

Synology ( https://www.synology.com/en-global ) is one of the best-selling
brands of consumer/prosumer/SMB NASes, with revenue estimated to be in
the $100M+ range.

Several of their NAS backup options use rsync either explicitly or
under the hood (NAS-to-Remote-NAS backup, Shared-Folder-Sync), and
they run the rsync daemon (under File Services). rsync is an integral
part of their solution.

They use a modified build of rsync (seemingly 3.0.9 + cherry-picked CVE
fixes) for which they do provide some sources (see
and search for "rsync"), and if you spend your afternoon tracking down
all the needed packages/downloads and reconcile the missing headers,
it builds "something".

However, this "something" is not the rsync they ship on the boxes or
provide in their updates. They add their own authentication code to
rsync as well as add several options. This is all fine by itself, but
you can't properly compile their code. Both the modifications to rsync
as well as their own library headers are littered with #ifdef's, but
they've scrubbed all of them and replaced them with names such as
MY_ABC_HERE and MY_DEF_HERE. As all defines are replaced by the same
values, you get nested #ifdef's referring to the same value, and your
options become to turn them all off (which doesn't work out), turn
them all on (which doesn't work out), or manually wrestle through
every line of code and try to figure out what's what.

This does not satisfy releasing the "complete corresponding source
code" as required per the GPL and this prevents users from keeping
rsync on their Synology NASes updated or to push their own

License violation aside, Synology's rsync build is almost twice as slow
as a master branch build; I'm not the only one who would love to
update it. But replacing their build with a normal rsync build breaks
all manner of things. As Synology will soon release a new version of
their OS (DSM 7) which will leave many of their older NAS models
without further updates, getting them to release proper sources for
their GPL components is their users' only hope for updates.

I ask (urge, beg) anyone here who has authored any code on the rsync
master branch <= v3.0.9 or patches that fixed a CVE afterward (it is
hard to figure out which commits they copied, though) to complain to
Synology and demand a proper release of the rsync sources they use.

I've found that licence violations for Samba are being acted upon by
the Software Freedom Conservancy, but it was unclear to me whether
that includes rsync or not, hence my message here.