Consider bup (with the not-yet-released, but in git master, metadata support). I think remote bup is essentially append-only (due to the nature of git data structures).

I wonder if rdiff-backup in server mode should have a way to invoke it such that it's append-only. Then you could put that in .ssh/authorized_keys. rdiff-backup preserves metadata in separate files so it doesn't need to be root on the storage node. If you can make that work, you can avoid the rsync-to-root and use an rdiff-backup-specific non-root user.

If you're that paranoid, you should have removable media and take it offline and off site. In the old days we'd use tape, and have multiple tapes.

The scary risk is silent corruption and losing old backups. So you need to keep periodic backups essentially forever.

_______________________________________________
rdiff-backup-users mailing list at rdiff-backup-users@nongnu.org
https://lists.nongnu.org/mailman/listinfo/rdiff-backup-users
Wiki URL: http://rdiff-backup.solutionsfirst.com.au/index.php/RdiffBackupWiki
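
An added example, not part of the original post: a shell check that audits `.ssh/authorized_keys` entries for a non-root backup account on the storage node. It assumes rdiff-backup's classic command-line syntax, where `--restrict-update-only` rejects writes other than those made as part of an incremental backup, and OpenSSH 7.2 or later for the `restrict` key option. The key material, host names and the path `/srv/backups/host1` are constructed placeholders.

```shell
#!/bin/sh
# Added example: audit authorized_keys entries for a backup-only account.
# All entries below are constructed; keys and paths are placeholders.
GOOD='command="rdiff-backup --server --restrict-update-only /srv/backups/host1",restrict ssh-ed25519 AAAAC3...placeholder root@client1'
NO_CMD='restrict ssh-ed25519 AAAAC3...placeholder root@client1'
UNRESTRICTED='command="rdiff-backup --server",restrict ssh-ed25519 AAAAC3...placeholder root@client1'
NO_RESTRICT='command="rdiff-backup --server --restrict-update-only /srv/backups/host1" ssh-ed25519 AAAAC3...placeholder root@client1'

# check_entry LINE
# Returns 0 when the key is pinned to an update-only rdiff-backup server,
# 1 when there is no forced command, 2 when the forced command is not an
# update-only server on an absolute path, 3 when "restrict" is missing.
check_entry() {
    line=$1
    # The forced command must sit in the options field at the start of the
    # line, not in the trailing comment.
    cmd=$(printf '%s\n' "$line" |
        sed -n 's/^\([^ ]*,\)\{0,1\}command="\([^"]*\)".*/\2/p')
    if [ -z "$cmd" ]; then
        echo "FAIL: no forced command, key allows a normal login"
        return 1
    fi
    case $cmd in
        "rdiff-backup --server --restrict-update-only /"*) ;;
        *)  echo "FAIL: forced command is not update-only: $cmd"
            return 2 ;;
    esac
    # Remaining options: drop the command="..." part, keep the first field.
    opts=$(printf '%s\n' "$line" | sed 's/command="[^"]*"//' | cut -d' ' -f1)
    case ",$opts," in
        *,restrict,*) ;;
        *)  echo "FAIL: missing restrict (pty and forwarding still allowed)"
            return 3 ;;
    esac
    echo "OK: $cmd"
}

# Run the audit over the constructed entries.
for entry in "$GOOD" "$NO_CMD" "$UNRESTRICTED" "$NO_RESTRICT"; do
    check_entry "$entry" || true
done
```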