1. 3

      I tried Duplicity with GPG but sadly I found it lacking, even for rarely looked at archives. I eventually moved to restic and it works splendidly.

      1. 3

        I also do backups using restic against a cloud storage (in my case a Ceph cluster), this has two advantages:

        1. backups are stored redundantly
        2. restic backups against an HTTP endpoint are much faster than over SSH
        1. 2

          My biggest complaints about restic are the lack of access controls and slow pruning of data. Perhaps those may be fixed one day.

          1. 2

            What were you missing from duplicity?

            1. 5

              Not the OP, but the fact that you can’t delete intermediate incremental backups is pretty bad… Pruning is a pretty key aspect of most backup strategies (as I want daily going back N days, weekly going back N weeks, monthly going back N months, etc). Also, duplicity would run out of memory for me (but restic would too – I eventually settled on the free-to-use-but-not-free-software duplicacy, as I wrote about https://dbp.io/essays/2018-01-01-home-backups.html – some more details about the OOM stuff on the lobsters thread https://lobste.rs/s/pee9vl/cheap_home_backups )

              1. 3

                For one, being able to restore single files without scanning through the archive. The duplicity guys do know about the problems with using tar, but I don’t know when they’ll be able to move away from it.

                1. 3

                  Are you sure this is not possible using --file-to-restore?

                  1. 2

                    I’m not 100% sure, I’m just going by my limited knowledge of the tar format and what my link says:

                    Not seek()able inside container: Because tar does not support encryption/compression on the inside of archives, tarballs nowadays are usually post-processed with gzip or similar. However, once compressed, the tar archive becomes opaque, and it is impossible to seek around inside. Thus if you want to extract the last file in a huge .tar.gz or .tar.gpg archive, it is necessary to read through all the prior data in the archive and discard it!

                    My guess is that --file-to-restore has to search for the file in the .tar.gz. If you find otherwise, I’d be interested to know!
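The seekability point quoted in the comment above can be measured directly. This is an added example, not part of the thread or of duplicity's code: it builds a constructed `.tar.gz` in memory and counts how much of the compressed stream must be consumed to restore the first member versus the last one. The names `CountingBytesIO`, `build_archive` and `compressed_bytes_read` are assumptions made for this illustration.

```python
import io
import random
import tarfile

MEMBER_SIZE = 1024 * 1024   # 1 MiB per file (constructed sample data)
MEMBER_COUNT = 8


class CountingBytesIO(io.BytesIO):
    """BytesIO that remembers the furthest offset ever read from it."""

    def __init__(self, data):
        super().__init__(data)
        self.high_water = 0

    def read(self, size=-1):
        chunk = super().read(size)
        self.high_water = max(self.high_water, self.tell())
        return chunk


def build_archive():
    """Return a .tar.gz (bytes) holding incompressible files file0..file7."""
    rng = random.Random(1)  # fixed seed so the sample data is reproducible
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz", compresslevel=1) as tar:
        for i in range(MEMBER_COUNT):
            info = tarfile.TarInfo(name=f"file{i}")
            info.size = MEMBER_SIZE
            tar.addfile(info, io.BytesIO(rng.randbytes(MEMBER_SIZE)))
    return buf.getvalue()


def compressed_bytes_read(archive, wanted):
    """Restore one member; return (payload length, compressed bytes consumed)."""
    src = CountingBytesIO(archive)
    with tarfile.open(fileobj=src, mode="r:gz") as tar:
        for member in tar:  # walks the tar headers in archive order
            if member.name == wanted:
                payload = tar.extractfile(member).read()
                return len(payload), src.high_water
    raise KeyError(wanted)
```

Restoring `file7` consumes essentially the whole compressed stream, while `file0` needs only its own share; with an encrypted `.tar.gpg` volume the same forward-only constraint applies.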

            1. 5

              I’m mostly using borg for backups, but still use duplicity where I want the backup source to only be capable of encrypting new backups and not decrypting old ones. Is there another backup system, nicer than duplicity, that allows you to make backups using only the public part of a keypair?

              1. 1

                Duplicity can also use your public key. Instead of providing a passphrase you can use the --encrypt-key flag to provide your key’s fingerprint.

                1. 2

                  Exactly, that’s why I’m still using it. But is there a nicer alternative?

                  1. 2

                    Not sure if it’s nicer, but tarsnap does it and hasn’t been mentioned so far

                    1. 2

                      While tarsnap is really cool, the pricing makes it sort of in a different category (i.e., it’s good for backing up important stuff, whereas duplicity, restic, borg, duplicacy, etc, can be affordable to back up everything).

              1. 21

                In that blog post, Mozilla describes RiseUp as “a coordination platform used by activists across the political spectrum”, which I think is disingenuous. They are specifically far-left, and describe themselves as such: “The Riseup Collective is an autonomous body based in Seattle with collective members world wide. Our purpose is to aid in the creation of a free society, a world with freedom from want and freedom of expression, a world without oppression or hierarchy, where power is shared equally. We do this by providing communication and computer resources to allies engaged in struggles against capitalism and other forms of oppression.” (from RiseUp’s about page)

                My own politics are that free societies, freedom from want and freedom of expression are not actually protected particularly well by far-left political structures, even though proponents of these structures claim otherwise, and far-left political structures with real-world power are very capable of oppressing people by means of claiming that certain groups of people are oppressors and therefore deserve violence and repression. So I’m not particularly happy to see Mozilla donating to a group with politics like those of RiseUp.

                That said, I do think “create[ing] revolution and a free society in the here and now by building alternative communication infrastructure designed to oppose and replace the dominant system.” is a good thing, at least with respect to certain definitions of “revolution” and “free society” (ones that I think far left political organizations like RiseUp would disapprove of). But I wish that Mozilla had chosen to support a more politically-neutral organization building alternative communication infrastructure (perhaps the Tor project or OpenWhisper?) to do so.

                1. 12

                  I, personally, find a system which would prevent people from being capitalist if they chose to be morally repugnant, and deeply coercive. I similarly find revolution, meaning violent revolution, to be inherently coercive, by definition.

                  Finally, non-hierarchical systems are simply systems which do not acknowledge their hierarchies, and are therefore politically incapable of fixing them or preventing them from being abusive. In a system with no acknowledged hierarchies, the despised minorities, the minority groups the majority wants to marginalize and, possibly, destroy, have no recourse when they’re being oppressed. The two options open to them, fight back or leave, are hardly options; the first leads to destructive, genocidal reprisals, the second, to dispossessed refugees. An acknowledged hierarchy, with a rule-based code of laws and accountability, at least has a chance at preventing those things.

                  1. 7

                    They are seriously leftist.

                    1. 4

                      Regardless of how RiseUp describes itself, it is a platform used by activists across the political spectrum. So regardless of whether you or I agree with RiseUp’s politics, they do maintain a platform for people who are potential surveillance and censorship targets. Since you self-identify as pro-freedom I’m sure you agree on how important this is and why we need more platforms like RiseUp.

                      1. 4

                        Does RiseUp police the people who are allowed to use it? Can certain groups be banned from RiseUp?

                        1. 12

                          Termination: Your account may be deleted without warning if you: send unsolicited bulk commercial or activist email (spam); or fail to log in for an extended period of time; or use your account to contribute to the harm and abuse of other people.

                          I’m going to go out on a limb and say that if you’re a pro-free market group using their platform (assuming you can get an invitation code from a current organizer) then this clause will be used to close your account.

                          1. 6

                            That’s a really good question! I would definitely feel a lot better about the donation if RiseUp was technologically incapable of banning from their platform political activism organizations with political goals contradictory to those of the far left. As far as I can tell though, it’s just an ordinary webmail/VPN service run by volunteers with a stated political objective. If it was widely known that anti-leftist political actors were using RiseUp email addresses or RiseUp VPNs, I don’t know what would prevent the volunteers running the service from banning those accounts.

                      1. 6

                        This is what happens when people don’t want to pay for software. It’s much clearer, fairer, and transparent when you ask for money in exchange for a license.

                        1. 5

                          Yeah, because proprietary software never spies on you. It’s much clearer, fairer, and transparent when you ask for money in exchange for services, not software.

                          1. 1

                            Proprietary and paid are different categories (although I’m sure the overlap is significant). I’ve also never said that proprietary software doesn’t spy on you.

                            My point: if you write software as part of a business then you expect to have a ROI. You can ask for money from people who directly benefit from the software (i.e. users). Or you can give the software for “free” and look for roundabout ways of earning a profit. I’m also curious what percentage of proprietary software that’s spying on its users is “free”.

                            @comzeradd, I noticed you’re wearing the Mozilla Engineer hat. What do you think about the way the Mozilla Foundation is financed? (This is a genuine question, not criticism) The bulk of money comes from Google for making it the default search engine.

                            Someone marked my comment as trolling (sic!).

                            1. 4

                              Yes, because he wasn’t wearing that hat when he posted. We don’t normally call people out on their hats unless they’re wearing them.

                              1. 0

                                I apologize if that looked mean. That wasn’t my intent at all. I’m simply curious what @comzeradd thinks about that as an insider.

                              2. 2

                                My “sarcasm”’s point was to emphasize that it sounds harsh and unfair to pick one business model (selling license) as being more fair or more transparent. If this is what you want to do, that’s totally fine. But there are many developers or orgs out there that have found other ways of funding.

                                Re: Mozilla. The bulk amount of money doesn’t come from Google at this point, but indeed it comes from search engine deals. It’s not the only source of income, but it is the biggest one. My personal take on this is the same as it is for most open source non-profits out there. It’s transparent (e.g. public annual fiscal reports) and its goal is to serve the mission and not make people rich (e.g. non-profit status).

                                1. 1

                                  Free software/culture has yet to find its model; the best example is Wikipedia, but it relies mainly on gratis labor for its main part.

                                  1. 1

                                    Or Red Hat

                                2. 2

                                  if you write software as part of a business then you expect to have a ROI

                                  For something like a text editor, the ROI is usually “this improvement will allow me to get my work done more effectively”, and that has sufficed perfectly well for decades.

                                3. 1

                                  There’s nothing wrong with charging for software. Not everything fits the service model. And not all services have users’ best interests at heart.

                                4. 2

                                  If a single example is going to be extrapolated to a generic observation, I’ll bring up that I’ve been using vi / vim and a whole pile of plugins for free for a decade or two and have never seen an ad and it all seems quite clear, fair, and transparent.