Locking + append-only mode

rest-server and rclone both support an append-only mode, but for obvious reasons, it’s still allowed to remove locks from the repo. I’m wondering what the worst-case scenario is if a malicious client forcefully unlocks the repository in a loop, so that effectively no locking happens any more.

I think it should be safe if there are only append-only clients accessing the repo; maybe a check will fail because something changed unexpectedly, but the data should be safe. But what happens if there is some trusted client with full access to the repo that, for example, forgets old snapshots and prunes the repo?

Thinking about this again, I think there is the problem that an attacker could flood the repo with empty snapshots for past timestamps so that restic forget with a policy would remove all the snapshots that actually contain data. Is this indeed correct?

See this thread:
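The retention concern raised in the question, as an added example that is not part of the original thread and not restic's own code: a simplified model of a daily retention policy, plus a check a trusted client could run before forgetting anything. It assumes the storage host records a `stored_at` arrival time the client cannot choose (a hypothetical field, e.g. taken from file mtime); all snapshot data is constructed.

```python
from datetime import datetime, timedelta

# Constructed sample data. "time" is the timestamp the client wrote into the
# snapshot; "stored_at" is a hypothetical server-side arrival time.
SNAPSHOTS = [
    {"id": "real-mon", "time": "2024-03-04T02:00:00", "stored_at": "2024-03-04T02:05:00"},
    {"id": "real-tue", "time": "2024-03-05T02:00:00", "stored_at": "2024-03-05T02:05:00"},
    {"id": "real-wed", "time": "2024-03-06T02:00:00", "stored_at": "2024-03-06T02:05:00"},
    # Uploaded on Wednesday, but claiming to be from Monday and Tuesday.
    {"id": "fake-mon", "time": "2024-03-04T23:59:00", "stored_at": "2024-03-06T10:00:00"},
    {"id": "fake-tue", "time": "2024-03-05T23:59:00", "stored_at": "2024-03-06T10:00:01"},
]


def _ts(value):
    return datetime.fromisoformat(value)


def keep_daily(snapshots, n):
    """Simplified daily policy: newest snapshot per day, for the newest n days."""
    newest = {}
    for snap in snapshots:
        day = _ts(snap["time"]).date()
        if day not in newest or _ts(snap["time"]) > _ts(newest[day]["time"]):
            newest[day] = snap
    days = sorted(newest, reverse=True)[:n]
    return sorted(newest[d]["id"] for d in days)


def backdated(snapshots, tolerance=timedelta(hours=6)):
    """IDs whose claimed time is older than their arrival time by > tolerance."""
    return sorted(
        s["id"] for s in snapshots
        if _ts(s["stored_at"]) - _ts(s["time"]) > tolerance
    )


def safe_keep_daily(snapshots, n):
    """Apply the policy to trusted snapshots only.

    Flagged snapshots are left out of the retention decision and should be
    held for manual review, not deleted automatically.
    """
    flagged = set(backdated(snapshots))
    return keep_daily([s for s in snapshots if s["id"] not in flagged], n)


if __name__ == "__main__":
    print("naive keep:", keep_daily(SNAPSHOTS, 3))
    print("flagged:   ", backdated(SNAPSHOTS))
    print("safe keep: ", safe_keep_daily(SNAPSHOTS, 3))
```

The naive run keeps the two backdated entries in place of Monday's and Tuesday's real snapshots, while the guarded run keeps all three real ones.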