Backups and other things

The announcement of the end of the Obnam project was somewhat disappointing, since it took a while to build a reliable backup system for Freedombone. I've now switched over to using duplicity together with the backup GPG key, and so from a user point of view the way that backups work is the same as it was under Obnam.

Looking back at the logs I can see that I made an initial attempt to implement duplicity for Freedombone backups in 2014 but then switched to Obnam. My thinking at the time was that since the developer of Obnam was resident at the same company where I was then I might as well utilize the proximity to the local talent, but that didn't remain a valid rationale for very long. Even so, Obnam was quite reliable and saved me from corrupted or lost files on a few occasions in the last three years.

In tests duplicity seems to be slightly faster than Obnam, but there's not a lot in it. Freedombone only backs up the data for each app - not the entire drive - and so it's fairly efficient anyway. There's also the possibility that a new maintainer for Obnam might come along, but that remains to be seen. It sometimes happens that open source projects can be abandoned and then picked up again a few years later.

pcDuino

I noticed that FreedomBox now supports pcDuino3 hardware, and so I've also added support for that into the image building utility. Other single board computers might be usable with a fully free software stack, such as Orange Pi, but I don't have the hardware to test it on.

Fixing Tripwire

The Tripwire intrusion detection system was an early addition to Freedombone, but it was always rather erratic. I've improved the configuration and also added a QR code which allows you to check that the tripwire database hasn't changed. The database is what it checks files against to detect differences. If you are highly cautious about security you can now easily reset the tripwire from the administrator control panel and log the QR code with a mobile phone. The database can then later be checked.

While this system isn't infallible (not all files on the system are checked) it should give a greater level of confidence that critical files havn't changed unexpectedly while also not bombarding you with false positives.

USB Canary

For the truly paranoid there is always the eternal question: has anyone tampered with my server while I was out at work/shopping/on holiday? A common way to try to get bad stuff onto a computer if you have physical access to it is via a USB socket with a thumb drive, and so I've added a canary which produces an email whenever a USB drive is plugged in. Possibly other types of warning could be produced, but for now an email is good enough.