Address the threat of an attacker stealthily excluding data using CACHEDIR.TAG
As mentioned in !138 (merged) and documented in !141 (merged), an attacker with access to live data can add a small file, CACHEDIR.TAG, and thus exclude any directory from the backup. This will probably go unnoticed, because it's just a small file, and no files are actually removed from the live data. We allow users to disable CACHEDIR.TAG support, but that's a big hammer. Ideally, we should actively guard against the threat. Some ideas from the CACHEDIR.TAG spec:
To mitigate this risk, backup software should at least inform the user which directories are being omitted due to the presence of cache directory tags. Automatic incremental backup software might maintain a list of "approved" cache directories, and whenever new cache directory tags appear, only heed them after being approved by the system administrator. In short, to maintain robustness of backups in the face of security compromises, cache directory tags should only be treated as hints, never as "the final word" on what should and should not be backed up.
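The approved-list idea from the spec, sketched as an added example (not code from the project this issue belongs to): a scan that honours a CACHEDIR.TAG only when its directory is already on an administrator-maintained approved list, and reports every other tagged directory while still backing it up. The function names, the `approved` set, and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

TAG_NAME = "CACHEDIR.TAG"
# First 43 bytes that the CACHEDIR.TAG spec requires in a valid tag file.
TAG_SIGNATURE = b"Signature: 8a477f597d28d172789f06886806bc55"


def is_cachedir_tag(path):
    """True if path is a regular file (not a symlink) starting with the signature."""
    if os.path.islink(path) or not os.path.isfile(path):
        return False
    with open(path, "rb") as f:
        return f.read(len(TAG_SIGNATURE)) == TAG_SIGNATURE


def classify_tagged_dirs(root, approved):
    """Return (excluded, unapproved) lists of tagged directories under root.

    `approved` is an assumed administrator-maintained set of paths. A tag
    outside it is reported and its directory is still backed up.
    """
    excluded, unapproved = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        if TAG_NAME in filenames and is_cachedir_tag(os.path.join(dirpath, TAG_NAME)):
            if dirpath in approved:
                excluded.append(dirpath)
                dirnames[:] = []  # approved cache: do not descend
            else:
                unapproved.append(dirpath)  # treat tag as a hint only
    return sorted(excluded), sorted(unapproved)


def demo():
    """Constructed tree: approved cache, newly tagged dir, file without signature."""
    root = tempfile.mkdtemp()
    paths = {n: os.path.join(root, n) for n in ("cache", "documents", "notes")}
    for name, path in paths.items():
        os.makedirs(path)
        body = b"not a tag\n" if name == "notes" else TAG_SIGNATURE + b"\n"
        with open(os.path.join(path, TAG_NAME), "wb") as f:
            f.write(body)
    return classify_tagged_dirs(root, approved={paths["cache"]}), paths


if __name__ == "__main__":
    (excluded, unapproved), _ = demo()
    print("excluded (approved):", excluded)
    print("tag ignored, needs approval:", unapproved)
```

The second list is what a backup run would surface to the operator: a non-empty result means a tag appeared since the last approval and the directory was backed up regardless.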