Add 'write-only' mode

[dionorgua]

Write-only mode allows only backup. So there is no way to read data from repo (except metadata)

What is the purpose of this change? What does it change?

Currently we've --append-only mode that tries to minimize risks if machine where restic is launched is compromised. Basically it makes sure that attacker can't delete existing data from snapshot.

This adds --write-only mode that also disables 'restore' of existing data from repository. If repository is shared to save space, attacker can't get data that was uploaded from other systems.

I know that restic threat mode assumes that backup host is trusted, but append-only here is in exactly same situation.

Was the change discussed in an issue or in the forum before?

110

Checklist

• [x] I have enabled maintainer edits for this PR
• [x] I have added tests for all changes in this PR
• [ ] I have added documentation for the changes (in the manual)
• [x] There's a new file in changelog/unreleased/ that describes the changes for our users (template here)
• [x] I have run gofmt on the code in all commits
• [x] All commit messages are formatted in the same style as the other commits in the repo
• [ ] I'm done, this Pull Request is ready for review

[dionorgua]

will update docs if accepted

[szenti]

Dear Maintainers,

Is there a way to have this merged? I've opened a pull request for @dionorgua, fixing the lint bug, but he haven't responded yet. I can also see that it currently has conflicts with the main branch. Can I do something to resolve the conflicts?

[dionorgua]

I'm using it locally and I'm happy with it. But it's not very easy to use. The most important thing is that backup to --write-only repository may fail in case of empty local repository cache (because restic may detect parent snapshot and try to download it's trees from repository). As a workaround it's still possible to backup once using --force flag.

PS. I'm ready to resolve conflicts and fix it if it's going to be merged.

[szenti]

Currently this PR not only breaks at the test/lint step, but also conflicts with the main branch.

@dionorgua can you please do a fresh fork and reimplement your changes to it? In my opinion, it would be easier to have it fixed this way rather then fixing the current conflicts with the main branch. Please note that it's just my subjective opinion, I'm not a maintainer. Also, I'm willing to lend my helping hand in having this fixed. I would love if this function could land in a future release.

[dionorgua]

@szenti I'm not sure that it's going to be merged at all due to limitations that I've described in previous comment. There was no feedback from developers about this. And I'm not going to spend more time on it without feedback (unless I decide to update my local rest-serve instance). Feel free to take it if you want :)