macOS includes openrsync from the OpenBSD project

In the macOS 15.4 update released last week, Apple replaced the rsync utility with openrsync, an alternative implementation developed by the OpenBSD project. The executable file /usr/bin/rsync in macOS now refers to openrsync. The replacement is believed to be motivated by recently discovered security issues in rsync, by work to reduce the number of components under copyleft licenses, and by the desire to get rid of an outdated version of rsync that cannot be updated because of licensing policies.

The key features of openrsync are that it was developed from the start with high security in mind, that it is licensed under the permissive ISC (BSD family) license instead of rsync's copyleft GPL license, and that it uses a different internal architecture (one process for sending and receiving data, using an event loop). At the protocol level, openrsync is compatible with rsync, but it does not support all command-line options, only the ones most commonly used for file synchronization and backup. The lack of support for secondary functions allows the openrsync codebase to be kept under 10 lines of code to reduce the attack surface. For comparison, the latest version of rsync has 62 lines of C code.

Given that macOS had been shipping the outdated rsync 2.6.9, released in November 2006, the replacement will not result in any significant reduction in functionality. rsync 2.6.9 was chosen as it was the last version distributed under the GPLv2+ license. The next release, rsync 3.0, switched to the GPLv3 license, which prohibits tivoization (tying software to hardware).

Source: opennet.ru
