--i-am-a-cron-job-fuck-me-up-and-delete-without-asking

screenshot of github commit titled “zfs-sync-snapshots: rename --delete-yes and update sync scripts”. diff of the script, showing a “--delete” option accepting values “none”, “old”, “all”, or “this”, a mandatory “dry” or “wet” argument, and a “--delete-yes” option being renamed to “--i-am-a-cron-job-fuck-me-up-and-delete-without-asking”

[sheldon smith voice] shuppyco had multiple safeguards in place that could have prevented a data loss incident, such as a dry-and-wet-run system and a safer deletion interface that prompts the operator to confirm each snapshot slated for deletion.

the csb found that delan, the operator on shift at the time, systematically disabled each of those safeguards, citing the pedestrian and familiar nature of the task at hand. it said, “priming my incremental backups is simple, i’ve done this countless times!”

unfortunately, this time it was not simple.

the csb concludes that shuppyco should (a) make the consequences of disabling key data loss safeguards impossible for operators to miss, (b) design and implement a process safety management system,