andrewchambers / bupstash

Easy and efficient encrypted backups.

Home Page: https://bupstash.io

Override `bupstash put` tag with `bupstash serve`

AndrolGenhald opened this issue

I'm planning to have multiple servers back up to the same repository, and I want to think through what could go wrong if one of the servers is compromised. One thing I've thought of is that server Foo, which is being backed up with the `hostname=Foo` tag, could instead decide to use `hostname=Bar`, making it difficult to tell which backups actually belong to Bar and which ones are from the compromised Foo.

One way to prevent this would be to allow `bupstash serve` to override a specific tag, which in conjunction with a separate ssh `ForceCommand` for each server would prevent Foo from altering the hostname tag.

Definitely an interesting request - this does pose a problem because tags are encrypted and the server cannot read them currently. Key reuse across servers gives you deduplication - but introduces problems like this.

🤦 Right, I should have realized that. It's obvious in hindsight since `serve` doesn't even take a key argument, and since bupstash works so hard to make sure the repository host doesn't have to be trusted to do anything other than store the data. Maybe I'll just use the same key for less important servers but a separate key for the really important ones.