Now that restic has compression, I am considering to add restic to my backup stack. I wish restic had a GUI, but so be it. The only thing holding me back is, I cannot seem to find any information at all about the main developers behind restic.
I know Alexander Neumann (@fd0) started and maintains restic and @MichaelEischer is now heavily involved as well. But… who are they (and anyone else that has write-access to restic’s github)? I googled around and cannot find anything substantive about either Alexander or Michael.
You may ask, why does this matter, restic is free and open source, you can just go and look at the source code if you want to, who cares who wrote it. Well, it matters for two reasons:
Being open source does not automatically mean safe and secure. Open source-based security is predicated on the notion that many eyes have reviewed (and will continue to review) the open source code. While it is likely that a security hole would be identified in restic given how popular it is, that is not guaranteed, and there has been no third-party review of restic code beyond a blog post by a former Google engineer about restic’s encryption.
Without guaranteed code review, the reputation of the devs maintaining the FOSS project is critical. Knowing who the developers are builds trust that they will not sneak some feature into restic that will compromise security. For example, it is quite easy to find out information about the main developer behind Kopia and rclone, but not so much for the devs behind restic.
First I’d like to make a comment that should be obvious to anyone, but still; There are numerous contributors to restic. Alex and Michael are two of the more prominent ones for obvious reasons, but there’s a whole lot of other people who contributed a lot of code and much of it has been incredibly important and substantial contributions. Some made a big difference, e.g. adding huge features or optimizations, and some were minor but still very very important to wrap it all up into what restic is today. This really cannot be stressed enough - there’s credit and kudos to be given to so many people in this project and the community. I would love to mention some of them, but I’d just feel bad over forgetting some of them, so I won’t
Anyway, I understand you have good intentions with your concern, and it’s nothing to dismiss either. But at the same time I’m not sure what actual answer you’re looking for. It would of course be awesome if someone were to perform a completely external security audit. I know Filippo looked into it a few years ago, but that’s of course not very recent: restic cryptography
Regardless, I’d say that Alexander has been quite open with who he is as the author of restic - he has not in any way tried to be anonymous, and he’s been presenting and such. At the same time he hasn’t actively provided any personal details, which is understandable - just because you wrote a piece of software that then became a successful open source project doesn’t mean anyone has any more right to your personal life than otherwise. Same goes for Michael of course, and everyone else for that matter.
So, as a third party I’d ask anyone to please respect that everyone involved in this project has a personal life and that the boundary between that and the project itself is basically their contributions - they are what they have chosen to share, and that’s what we have to respect. Of course being curious and looking up who is who is one thing, but going on a detective spree would be crossing the line.
No offense, but that’s a pretty hard copout. I never asked for personal details. I just want to know who are the authors. Googling “Alexander Neumann” and “Michael Eischer” brings up nothing substantive. They are, in effect, anonymous as far as I can tell. Others may be okay with that. I am not.
Who the authors are? Answer: Alexander Neumann and Michael Eischer. There’s nothing more anonymous about that than any other person you look at. This is exactly why I wrote that I’m not sure what answer you’re actually looking for.
You link to Nick’s website’s personal section, and to Jarek’s LinkedIn profile. They both put that up themselves, by their own choice. If something like that doesn’t happen to exist for other people, that’s because they didn’t put that up. If that is not enough in your eyes, then well, you simply have to live with it, I guess?
It’s really this simple: If anyone wanted to tell the world more about themselves, they would have done so, like Nick and Jarek above. If they haven’t, we all just have to respect that.
No wonder Based on what you write there, you seemingly haven’t even tried! I think that if you just take the time to Google a bit, you will move quite a bit beyond thinking there is no information at all about these two gentlemen. It literally took me less than one minute on DDG to find where Alex talks a little bit about his background.
None taken, but I just Googled what “copout” means (since english isn’t my native language) and think you’re terribly mistaken. I didn’t mean to “cop out” anyone, if that is what you are implying. I was asking that people respect other people’s right to privacy and that they do not mistake contributions to an open source software for a desire to be investigated more than any other person in this world. That’s all.
Im not sure why you are getting so riled up. I never said they HAVE to tell us about themselves. If they want to stay anonymous, that is their choice. I posted here to see if there was any information about them that I missed, because knowing who is developing restic is important to me before I put it on my machine (and, frankly, it should be important to anyone that cares about opsec).
I wouldn’t consider myself particularly anonymous. Just search my name (tested with DuckDuckGo and a few different location settings) and I’ll reliably end up on the first page. And all information necessary to tell which of these Michaels is me, has been hidden in plain sight in my Github profile for years (true, you’d have to spend a few minutes looking through my profile or use git to look at my restic commits). To make it a bit easier, I live in Erlangen in Germany.
With that information it shouldn’t be too hard to guess why contributing to a system-related software with distributed system aspects (yep, that’s restic) aligns quite well with my interests.
Posting links to other peoples profiles and asking “who are the developers behind restic” came across more like a demand, not an open-ended question.
What can you learn about someone’s future behavior from their profile page that you can’t already extrapolate from years of work on a project? And how would you be able to tell if someone had malicious intents? (Short answer: I don’t think you can. And no, I’m not planing anything )
I’m quite aware that the question of trustworthyness of open source projects has become much more pressing over the last years. From my impression a lot of the practical problems have revolved around ensuring that released versions of a project actually match the project’s source code. For restic this is simple: our released binaries are reproducible, just grab the source code and follow the steps at Developer Information — restic 0.16.3 documentation . For the last few times we’ve updated dependencies, I’ve also scrolled through the source changes in the dependencies to check whether something looks suspicious (excluding repositories from some well known large companies).
First, it’s pretty rude to demand anything about others privacy-related topics when your own name is pretty random.
Second, as @MichaelEischer already stated - what good does it do to you when you know someone’s past behavior. There’s no guarantees about the future. Even if you trust the person itself then how do you know that his/her account has not been compromised in some way? Only way to be actually sure is to read the code and build binaries yourself. There’s no other way. In every other way you’re just building a fake security for yourself. If security is really important to you (I mean, really and not just about writing forum posts like this in here), then there’s no other way. Otherwise you’re just being naive and might as well stop wasting your time on writing posts like these.
First, one can’t demand that the developers provide details about themselves. The software is free and is considered to be high quality (you may browse through). You may find a presentation by Alex on restic in YouTube. But by now there many developers. I don’t know their level of involvement, but I imagine an obvious vulnerability will be seen by them sooner or later.
More generally, the security of open source software has recently become quite important. There have been attacks through dependencies and supply chain. It’s a concern for all backup software. I personally never trust closed source proprietary back up software.
I should say Rclone codebase is much larger and messier than restic’s. There was a vulnerability in rclone few years ago, with weak passwords, where you could decrypt data with tens of hours using a laptop.
I think we need a security audit, funded by users. Does anyone know how much does it cost? Any plan? Of course, it’s not a sure proof but it helps.
Based on what you write there, you seemingly haven’t even tried! I think that if you just take the time to Google a bit, you will move quite a bit beyond thinking there is no information at all about these two gentlemen. It literally took me less than one minute on DDG to find where Alex talks a little bit about his background.