there is a serious vulnerability with rsync. be aware to update rsync to 3.4.0-1.
https://archlinux.org/news/critical-rsync-security-release-340/
a short description from arch:
An attacker only requires anonymous read access to a vulnerable rsync server, such as a public mirror, to execute arbitrary code on the machine the server is running on. Additionally, attackers can take control of an affected server and read/write arbitrary files of any connected client. Sensitive data can be extracted, such as OpenPGP and SSH keys, and malicious code can be executed by overwriting files such as ~/.bashrc
or ~/.popt
.
We highly advise anyone who runs an rsync daemon or client prior to version 3.4.0-1
to upgrade and reboot their systems immediately. As Arch Linux mirrors are mostly synchronized using rsync, we highly advise any mirror administrator to act immediately, even though the hosted package files themselves are cryptographically signed.
All infrastructure servers and mirrors maintained by Arch Linux have already been updated.