Re: [tlug] Dealing with software with wide attack surface

["Stephen J. Turnbull" <stephenjturnbull@example.com>]

Jens John writes:

 > This type of stuff needs to be shipped off of the online system to
 > a backup location that is write-only excluding overwrites from the
 > source system or completely disconnected, like offline backups.

That reminds me: one thing that I do in several contexts (and would
use for security if I were concerned with preserving backups) is to
use a content-addressed append-only backing store.  I use git which
allows giving multiple names to the same object, and is easy for me to
use in this application because I use it heavily as a source code
manager.

The point of "content-addressed" is that it automatically handles
duplicates, and of append-only is that content can't be overwritten.[1]
They're closely related in git because it preserves old blobs as long
as they're eventually pointed to by some ref (or if you never ever run
git-gc :-), but conceptually they're different.

Footnotes: 
[1]  Oops, just noticed that Jens already specified "no overwrites".
But if you're doing something like Giphy you're likely to get multiple
uploads of the same meme, so content-addressing is also useful.