rdiff-backup-users

[rdiff-backup-users] critical irresponsible behaviour


From: mortee
Subject: [rdiff-backup-users] critical irresponsible behaviour
Date: Sat, 15 Mar 2008 04:15:36 +0100
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12) Gecko/20080213 Thunderbird/2.0.0.12 Mnenhy/0.7.5.666

Hi,

I just had rdiff-backup erase *all* my backups. That is just plain wrong.

Let me explain. There's no mention whatsoever in the documentation about
the fact that when one restores over an existing directory using the
--force option, RDB would erase any files/directories that exist in the
target directory but don't exist in the backup to be restored. I think
this goes against the whole principle of a backup program, namely
deleting data without prior notice. I hold this despite the requirement
to use --force. One would quite reasonably assume that data covered by
the backup would be overwritten, and anything in excess would be left
alone (possibly warnings might be issued for such items).

This is especially misleading given that when the backup was created,
some parts of the file system were explicitly excluded - for example,
the whole backup was restricted to a single file system. Given this,
one would even more reasonably expect that when restoring from this
backup, paths matching this exclude pattern would be left alone by
default, e.g. data on a different FS volume mounted somewhere under the
target directory.

Finally, RDB should at least take extreme care not to overwrite or
delete the very backup source it is restoring from. Unfortunately, it
doesn't check for this - so it is possible to have it delete the backup
directory from under itself, and then die with a file not found exception.

My actual situation: I had my server's system HDD die on me, so I was
happy to have kept daily backups of it on a separate local disk. I had
another HDD at hand which used to be the system drive of the very same
server up until a few months ago (replaced because it started showing
signs of becoming unreliable). To have my server up temporarily until I
can acquire a real replacement disk, I just put that HDD in, and booted
from it in single user mode. I mounted the backup disk, and (yes, this
is arguably my fault) I didn't pay extra attention to mount it
read-only - I never thought in my worst dreams that a restore operation
on the root partition would ever erase all the valuable data on the
backup disk. So I just launched it targeting the root directory using
--force, and it happily erased anything beyond the mount point, because
that was (of course) excluded from the system backup. Now I'm stuck with
a dead system disk and an empty backup of it - 5 years' worth of emails,
system configuration and other stuff are gone in a few minutes. Now I'm
not especially happy.

What I suggest is that this behaviour should at least be stressed in the
software's manual, so that it be obvious to anyone who cares to take a
look at it. Even better would be to make it an explicit option to have
RDB delete anything at restore time which isn't getting actually
overwritten from the backup - or at least provide an option to disable
this (which, if documented, would underline the default behaviour).

thanks for the attention
mortee
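
The following pre-restore check is an added example, not part of the original post and not rdiff-backup code. It covers the two conditions the message describes: a backup repository that lies under the restore target, and other filesystems mounted below that target. The function names are hypothetical, and it assumes a POSIX system where a different `st_dev` marks a mount point.

```python
import os
import sys


def is_within(path, parent):
    """True if path resolves (symlinks followed) to parent or something below it."""
    path = os.path.realpath(path)
    parent = os.path.realpath(parent)
    return os.path.commonpath([path, parent]) == parent


def foreign_mounts(target):
    """Directories below target that sit on a different filesystem (other st_dev)."""
    root_dev = os.stat(target).st_dev
    found = []
    for dirpath, dirnames, _ in os.walk(target):
        for name in list(dirnames):
            full = os.path.join(dirpath, name)
            try:
                dev = os.lstat(full).st_dev
            except OSError:
                continue  # vanished or unreadable entry, nothing to compare
            if dev != root_dev:
                found.append(full)
                dirnames.remove(name)  # do not descend into the other volume
    return found


def preflight(repo, target):
    """Return the reasons not to run a forced restore of repo onto target."""
    problems = []
    if is_within(repo, target):
        problems.append(f"backup repository {repo} lies inside restore target {target}")
    for mnt in foreign_mounts(target):
        problems.append(f"other filesystem mounted under target: {mnt}")
    return problems


if __name__ == "__main__":
    # Usage (hypothetical script name): preflight.py <backup-repo> <restore-target>
    if len(sys.argv) != 3:
        sys.exit("usage: preflight.py <backup-repo> <restore-target>")
    issues = preflight(sys.argv[1], sys.argv[2])
    for line in issues:
        print("REFUSING:", line, file=sys.stderr)
    sys.exit(1 if issues else 0)
```

A wrapper script can run this first and start the restore only when it exits 0; mounting the backup volume read-only remains the stronger safeguard.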




