With the way things are presently designed, we catch exceptions in main from backup_dataset. This could lead to one destination being ahead of an invalid one. It should fail in a way that causes subsequent attempts to back up to fail, since we percolate the exception up, which leads to the delete not happening. So manual intervention will be required in the event of a misconfiguration. I think this is okay.