rdiff-backup-users

[rdiff-backup-users] critical unvary behaviour


From: mortee
Subject: [rdiff-backup-users] critical unvary behaviour
Date: Sat, 15 Mar 2008 02:57:31 +0100
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12) Gecko/20080213 Thunderbird/2.0.0.12 Mnenhy/0.7.5.666

Hi,

I just had rdiff-backup erase *all* my backups. That is just plain wrong.

Let me explain. There's no mention whatsoever in the documentation about the fact that when one restores over an existing directory using the --force option, RDB would erase any files/directories that exist in the target directory but don't exist in the backup to be restored. I think this goes against the whole principle of a backup program, namely deleting data without prior notice. I hold this despite the requirement to use --force. One would quite reasonably assume that data covered by the backup would be overwritten, and anything in excess would be left alone (possibly warnings might be issued for such items).

This is especially misleading given that when the backup was created, some parts of the file system were explicitly excluded - for example, the whole backup was restricted to a single file system. Given this, one would even more reasonably expect that when restoring from this backup, paths matching this exclude pattern would be left alone by default, e.g. data on a different FS volume mounted somewhere under the target directory.

Finally, RDB should at least take extreme care not to overwrite or delete the very backup source it is restoring from. Unfortunately, it doesn't check for this - so it is possible to have it delete the backup directory from under itself, and then die with a file not found exception.

My actual situation: I had my server's system HDD die on me, so I was happy to have kept daily backups of it on a separate local disk. I had another HDD at hand which used to be the system drive of the very same server up until a few months ago (replaced because it started showing signs of becoming unreliable). To have my server up temporarily until I can acquire a real replacement disk, I just put that HDD in, and booted from it in single user mode. I mounted the backup disk, and (yes, this is arguably my fault) I didn't pay extra attention to mounting it read-only - I never thought in my worst dreams that a restore operation on the root partition would ever erase all the valuable data on the backup disk. So I just launched it targeting the root directory using --force, and it happily erased anything beyond the mount point, because that was (of course) excluded from the system backup. Now I'm stuck with a dead system disk and an empty backup of it - 5 years' worth of emails, system configuration and other stuff are gone in a few minutes. Now I'm not especially happy.

What I suggest is that this behaviour should at least be stressed in the software's manual, so that it be obvious to anyone who cares to take a look at it. Even better would be to make it an explicit option to have RDB delete anything at restore time which isn't getting actually overwritten from the backup - or at least provide an option to disable this (which, if documented, would underline the default behaviour).

thanks for the attention
mortee
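
The check the message says is missing can be run by the operator before any restore. The following is an added example, not part of the original post and not rdiff-backup code: a pre-flight test that refuses when the backup repository sits inside the restore target or when other volumes are mounted below it. The function names, the sample paths and the idea of passing the mount list in as a parameter are assumptions made for the illustration.

```python
import os

def _at_or_below(path, base):
    # Both arguments must already be absolute, normalised paths.
    return os.path.commonpath([path, base]) == base

def repo_inside_target(repo, target):
    """True if the backup repository lies at or below the restore target,
    after resolving symlinks on both sides."""
    return _at_or_below(os.path.realpath(repo), os.path.realpath(target))

def mounts_below(target, mount_points):
    """Mount points strictly below the restore target: other volumes
    that a restore into `target` would descend into."""
    base = os.path.realpath(target)
    found = []
    for mp in mount_points:
        mp = os.path.normpath(mp)
        if mp != base and _at_or_below(mp, base):
            found.append(mp)
    return sorted(found)

def preflight(repo, target, mount_points):
    """Return a list of reasons to refuse the restore; empty means proceed."""
    problems = []
    if repo_inside_target(repo, target):
        problems.append("backup repository is inside the restore target")
    for mp in mounts_below(target, mount_points):
        problems.append("separate volume mounted under target: " + mp)
    return problems

if __name__ == "__main__":
    # Constructed sample mirroring the post: restore to /, backup disk
    # mounted somewhere below it. Paths are hypothetical.
    sample_mounts = ["/", "/proc", "/mnt/backup"]
    for line in preflight("/mnt/backup/server-root", "/", sample_mounts):
        print("REFUSE:", line)
```

On a live system the mount list would come from the operating system's mount table; any non-empty result means the restore target overlaps data the backup never covered.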




