Borg: Organize a security audit

Created on 4 May 2017 · 7 Comments · Source: borgbackup/borg

It would be nice if this backup tool could get a professional security audit. I don't know whether attic once got one, but nevertheless, as many things have changed in borg, a security audit for it would also be a nice idea IMHO.

Maybe run a crowdfunding campaign or something to raise the money, and maybe also make borg more popular… :smile:

security

All 7 comments

Yup, maybe when 1.2 goes beta would be a good time as crypto and multithreading changes are planned.

How do you plan to finance it?

Audits are quite expensive and can cover very different levels of scrutiny. Some audits just look at specification or design documents (which largely don't exist for Borg), while you are probably thinking of some folks poking the code base. Given the cost there is also the latent question whether it's worth it, or if Borg is maybe not the correct target. E.g. we use msgpack a lot, which has neither been fuzzed nor audited to the best of my knowledge. Auditing Borg but then having, say, holes in msgpack would be a lot of effort for nothing :)

From my PoV it would seem to make the most sense to mainly look at two different areas: (1) crypto code, and especially the planned changes there; (2) filesystem code. The latter will of course have issues, that's just the nature of the thing — it's just not possible to make a race-condition-free backup of a live file system.

In the meantime this might be an interesting read: https://borgbackup.readthedocs.io/en/latest/internals/security.html

IMHO it's also important to check borg itself. I think some audits also cover the dependents of the projects, at least sometimes.
Also, nowadays there are many actors sponsoring audits for FLOSS software, such as Mozilla, Google or the European Union.
If borg were ransomware it would likely get these audits for free, easily… :wink:

I'm afraid Borg is a bit too heavy in deployment to be used effectively for ransomware 😉

This is an interesting read: https://guidovranken.wordpress.com/
also https://guidovranken.wordpress.com/2017/07/06/which-software-should-i-audit-next/ (probably not relevant for borg, which has little C/C++ code).

And just as we're talking GitHub also announced something. The problem of course is, borg does not belong to critical infrastructure for the whole web (yet…), so make sure big companies start to use it as their backup tool… :wink:
