Hi there,

On Thu, 29 May 2025, Steven Benbow wrote:
> We've evaluated BackupPC and have found it to be excellent. We particularly like its approach to pooling data and the ability to use standard protocols (e.g. rsync + ssh) for data transfer.
Same here.
> We would like to use it in a commercial setting, but are constrained by having to adhere to information security standards, in particular Cyber Essentials ...
Serious security involves a lot more than telling the boss that you (claim to) adhere to some standard. This isn't the place for a discussion about Cyber Essentials, but I'd say that if the need to adhere to the dictates of some 'policy' is in conflict with your use of a tool whose intelligent use can very much improve your security, then the policy might need another look. My personal feeling is that Cyber Essentials is little more than an exercise in box-ticking and of limited usefulness in the real world. If somebody tried to tell me that I couldn't use BackupPC because some box isn't ticked I'd eject him from the building. I hold a black belt. ;)
> This is currently a problem for us, since it would not appear that there has been a BackupPC release since v4.4.0 in June, 2020, and it is not clear that, for example, rsync-bpc has been patched for any security updates for CVEs that may have arisen in rsync since then (e.g. https://ubuntu.com/blog/rsync-remote-code-execution).
https://sourceforge.net/p/backuppc/mailman/message/59118815/
> Are there any plans to produce a new release of BackupPC (and rsync-bpc etc.) that pulls in security updates associated with its dependencies?
AFAICT at the moment there's no need. These things all need to be examined both carefully and in context. For example, that your *rsync* server might be granted access to something on a client machine to which it should not have access, and that your *backup* server might have such access, are very different propositions. You'd expect that the backup server will have access to everything on the machine that it's backing up. You don't give rsync access to just anybody, do you?

Getting to specifics, the links below are in the page to which you linked (i.e. https://ubuntu.com/blog/rsync-remote-code-execution).

https://ubuntu.com/security/CVE-2024-12084
https://ubuntu.com/security/CVE-2024-12085

Vulnerabilities introduced into rsync on Sept 10, 2022. No rsync-bpc version has been affected because (as you pointed out), given the age of rsync-bpc, no rsync-bpc version was ever based on this vulnerable version of rsync. That might be a valuable lesson: if you 'upgrade' things just because your policy demands it, you might actually end up doing more harm than good. On learning of these vulnerabilities I upgraded rsync on all our machines. I didn't touch rsync-bpc.

https://ubuntu.com/security/CVE-2024-12086

See above ("different propositions") and below ("bigger problem").

https://ubuntu.com/security/CVE-2024-12087

BackupPC does not use the --inc-recursive option (and if your BackupPC server is in fact malicious then you have a bigger problem than this :).

https://ubuntu.com/security/CVE-2024-12088

BackupPC does not use the --safe-links option (and if your BackupPC server is in fact malicious ... :).

Footnote: I'm on record as being willing to support BackupPC:

https://sourceforge.net/p/backuppc/mailman/message/58818067/

It's worked for me for almost two decades. As far as I'm concerned, BackupPC will need to be fully operational for at least the next three decades, which is realistically the upper limit of the life remaining to me.
BackupPC is written in Perl and C; I've been writing Perl code since 1995 and C since ~1980, so I'm confident that this is achievable. Beyond that, (a) I doubt that software will look much like it looks now and (b) it's not going to be my problem anyway.

Others here no doubt will also be available if necessary, because they use it too. There's a great deal of experience on this mailing list, even if (because most of the time the list is so quiet) it doesn't look that way. I'm sure that the very experienced Mr. Kosowsky won't mind if I quote him: "I find it so stable that one *almost* doesn't need a maintainer..." [https://sourceforge.net/p/backuppc/mailman/message/58818079/]

Incidentally, I don't use BackupPC to back up things like VM images, log directories, mail stores and database tables; the characteristics of the data you're backing up are very important.

We could talk about contracts if it would help you tick the boxes. :)

--
73,
Ged.

_______________________________________________
BackupPC-users mailing list
BackupPC-users@lists.sourceforge.net
List: https://lists.sourceforge.net/lists/listinfo/backuppc-users
Wiki: https://github.com/backuppc/backuppc/wiki
Project: https://backuppc.github.io/backuppc/
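The contextual triage the reply above applies to each advisory (is the rsync code in this build inside the affected release range at all, and does the backup job actually pass the option the bug sits behind?) can be written down as a repeatable check. The script below is an added example, not code from this thread or from the BackupPC project. It assumes illustrative version bounds (placeholders, since the thread gives a date rather than release numbers), a config fragment constructed in the shape of BackupPC's `$Conf{RsyncArgs}` list, and two constructed version strings; the option dependencies for CVE-2024-12087 and CVE-2024-12088 are the ones the reply states, and treating CVE-2024-12084 as reachable on any use is an assumption. Options that rsync turns on implicitly rather than through an explicit flag are invisible to a check like this, so it answers only "is the option passed", not "is the code path ever entered".

```python
"""Triage helper for the two questions the reply above puts to each rsync
advisory: is the rsync code this job runs inside the affected release range,
and does the job actually pass the option whose code path the advisory is
about?  Added example; not code from the thread or the BackupPC project."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    cve: str
    affected_min: tuple         # first affected release (inclusive)
    affected_max: tuple         # last affected release (inclusive)
    trigger_options: frozenset  # options that must be in use; empty = any use


# The version bounds are ILLUSTRATIVE PLACEHOLDERS (the thread gives a date,
# not release numbers); take the real bounds from the advisory you triage.
# The option dependencies are the ones the reply states for 12087/12088;
# 12084 is modelled as reachable on any use, which is an assumption.
ADVISORIES = (
    Advisory("CVE-2024-12084", (3, 2, 7), (3, 3, 0), frozenset()),
    Advisory("CVE-2024-12087", (3, 2, 7), (3, 3, 0), frozenset({"--inc-recursive"})),
    Advisory("CVE-2024-12088", (3, 2, 7), (3, 3, 0), frozenset({"--safe-links"})),
)


def _pad(parts):
    """Normalise to four components so '3.2.7' and '3.2.7.0' compare equal
    (rsync-bpc carries a fourth, BackupPC-specific component)."""
    return tuple(list(parts) + [0] * (4 - len(parts)))[:4]


def parse_version(banner):
    """Extract the dotted version from 'rsync  version 3.2.7  protocol version 31'
    or from a bare rsync-bpc string such as '3.1.3.0'."""
    m = re.search(r"\b(\d+(?:\.\d+)+)\b", banner)
    if not m:
        raise ValueError(f"no version number in {banner!r}")
    return _pad([int(p) for p in m.group(1).split(".")])


def parse_rsync_args(config_text):
    """Return the option names from a Perl list in the shape of BackupPC's
    $Conf{RsyncArgs}; '--log-format=...' is reduced to '--log-format'."""
    m = re.search(r"\$Conf\{RsyncArgs\}\s*=\s*\[(.*?)\];", config_text, re.S)
    if not m:
        raise ValueError("no $Conf{RsyncArgs} list found")
    return {s.split("=", 1)[0] for s in re.findall(r"'([^']*)'", m.group(1))}


def assess(advisory, version_banner, options):
    """Classify one advisory against one rsync build and one option set."""
    version = parse_version(version_banner)
    if not (_pad(advisory.affected_min) <= version <= _pad(advisory.affected_max)):
        return "not-affected-version"
    if advisory.trigger_options and not (advisory.trigger_options & options):
        return "option-not-used"
    return "reachable"


def triage(version_banner, config_text, advisories=ADVISORIES):
    """Map each CVE id to its status for the given build and config."""
    options = parse_rsync_args(config_text)
    return {a.cve: assess(a, version_banner, options) for a in advisories}


# Constructed inputs: a config fragment in the shape of $Conf{RsyncArgs}
# (not copied from any real config.pl) and two made-up version strings.
SAMPLE_CONFIG = """
$Conf{RsyncArgs} = [
    '--super',
    '--recursive',
    '--numeric-ids',
    '--log-format=log: %o %i %B %8U,%8G %9l %f%L',
    '--stats',
];
"""
SAMPLE_SYSTEM_RSYNC = "rsync  version 3.2.7  protocol version 31"
SAMPLE_RSYNC_BPC = "3.1.3.0"

if __name__ == "__main__":
    for label, banner in (("system rsync", SAMPLE_SYSTEM_RSYNC),
                          ("rsync-bpc", SAMPLE_RSYNC_BPC)):
        print(label, parse_version(banner))
        for cve, status in triage(banner, SAMPLE_CONFIG).items():
            print(f"  {cve}: {status}")
```

Run as-is it reports the system rsync build as in range for all three advisories but with the two option-gated ones marked "option-not-used", and the rsync-bpc string as outside the range for every advisory, which is the distinction the reply draws. Feed it the real `rsync --version` banner, the rsync-bpc version string, and the host's `$Conf{RsyncArgs}` block to get the same answer for your own deployment.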