BorgBackup 2 has no server-side append-only anymore

Context: Removal of Borg 2 “append-only”

  • Borg 1.x append-only relied on its log-structured repository format; Borg 2’s new storage layer (borgstore) no longer appends to a log in that sense, so the feature was removed as a misfit.
  • Several commenters initially worried this weakened ransomware protection, since a core goal is that compromised clients cannot delete or corrupt existing backups.

New permissions model in Borg 2

  • Borg 2 introduces server-enforced permissions via borg serve --permissions=… (and env var), with modes like all, no-delete, write-only, read-only.
  • “no-delete” is clarified to block both object deletion and overwriting in the Borg store implementation (posixfs backend), providing at least the same logical protection as old append-only.
  • Actual enforcement still depends on the backing store: Borg’s built-in file:/ssh: backend and borg serve can enforce it, while other cloud/object stores must be configured to do so themselves.
  • Some confusion remains about how (or whether) this maps onto generic POSIX filesystems and cloud storage, and the documentation is seen as sparse and early-stage.
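An added illustration (not from the discussion or the Borg project) of how the server-enforced mode is typically wired in for the ssh: backend, by pinning each client key to a forced command; the file path, key comments and the use of a separate admin identity are assumptions:

```text
# /home/borg/.ssh/authorized_keys on the backup server (path is an assumption)
# One entry per client key. `restrict` disables forwarding and pty allocation;
# `command=` forces every login with this key into borg serve, so the client
# cannot run anything else on the server. --permissions=no-delete lets the
# client add new objects but refuses deletion and overwriting of existing ones.
restrict,command="borg serve --permissions=no-delete" ssh-ed25519 <CLIENT_PUBLIC_KEY> backup@client1

# Separate admin key, never stored on a backup client, for pruning/compaction.
restrict,command="borg serve --permissions=all" ssh-ed25519 <ADMIN_PUBLIC_KEY> admin@workstation
```

Because no-delete refuses removals, retention work (prune/compact) has to run under the admin identity, and a client key alone cannot shrink the repository.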

Ransomware protection and alternative strategies

  • Many emphasize that strong backups require that client credentials cannot delete or modify existing snapshots.
  • Common alternatives:
    • ZFS (or btrfs) immutable snapshots and replication (local + off-site, e.g. rsync.net) as primary ransomware protection.
    • Object storage with write-only / no-hard-delete keys (e.g. Backblaze B2, S3 Glacier + lifecycle rules).
    • Read-only ZFS snapshots on backup providers as an additional safety net.
  • Some argue that once you rely heavily on ZFS snapshots and replication, a sophisticated tool like Borg adds little over plain rsync plus snapshots; others still value Borg’s low-RAM deduplication and robustness.

Comparisons and migration options

  • Multiple users report moving or considering moves to restic, Kopia, duplicacy, rustic, or rsync-based schemes.
  • restic:
    • Has an append-only mode via rest-server --append-only or via rclone+restricted SSH; used successfully in production by several.
    • Its append-only has caveats: metadata pruning by an admin account can still remove historic data indirectly.
    • Praised for its single static binary and many backends, but criticized for high memory usage on some large workloads.
  • Kopia:
    • Liked for GUI and speed, especially for non-technical users.
    • Retention policy model is considered confusing or “footgun-like” by some.
  • General sentiment: Borg is solid and battle-tested, but Borg 2’s long beta and shifting features push some toward restic or Kopia, while others are content to wait; the release will come “when it’s ready,” with many breaking changes consolidated into it.