From 21a819ef4a0a810241be188fe60e684e3eba6489 Mon Sep 17 00:00:00 2001
From: Thomas Waldmann <tw@waldmann-edv.de>
Date: Mon, 10 Jun 2019 21:39:35 +0200
Subject: [PATCH 1/3] extract: document limitation "needs empty destination",
 fixes #4598

---
 docs/faq.rst | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/docs/faq.rst b/docs/faq.rst
index 363d35644..972e56c40 100644
--- a/docs/faq.rst
+++ b/docs/faq.rst
@@ -103,6 +103,11 @@ Are there other known limitations?
 
   :ref:`borg_info` shows how large (relative to the maximum size) existing
   archives are.
+- borg extract only supports restoring into an empty destination. After that,
+  the destination will exactly have the contents of the extracted archive.
+  If you extract into a non-empty destination, borg will (for example) not
+  remove files which are in the destination, but not in the archive.
+  See :issue:`4598` for a workaround and more details.
 
 .. _checkpoints_parts:
 

From 4b97d80f9ba10a9335e93906c9f726c9d6208b43 Mon Sep 17 00:00:00 2001
From: Thomas Waldmann <tw@waldmann-edv.de>
Date: Mon, 10 Jun 2019 22:31:29 +0200
Subject: [PATCH 2/3] how to supply a passphrase, use crypto devices, fixes
 #4549

---
 docs/quickstart.rst | 48 ++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 45 insertions(+), 3 deletions(-)

diff --git a/docs/quickstart.rst b/docs/quickstart.rst
index d5fbe0416..84def60f2 100644
--- a/docs/quickstart.rst
+++ b/docs/quickstart.rst
@@ -170,10 +170,8 @@ backed up and that the ``prune`` command is keeping and deleting the correct bac
     # Setting this, so the repo does not need to be given on the commandline:
     export BORG_REPO=ssh://username@example.com:2022/~/backup/main
 
-    # Setting this, so you won't be asked for your repository passphrase:
+    # See the section "Passphrase notes" for more infos.
     export BORG_PASSPHRASE='XYZl0ngandsecurepa_55_phrasea&&123'
-    # or this to ask an external program to supply the passphrase:
-    export BORG_PASSCOMMAND='pass show backup'
 
     # some helpers and error handling:
     info() { printf "\n%s %s\n\n" "$( date )" "$*" >&2; }
@@ -261,6 +259,50 @@ the sudoers(5) man page.
     To debug what your borg process is actually seeing, find its PID
     (``ps aux|grep borg``) and then look into ``/proc/<PID>/environ``.
 
+.. passphrase_notes:
+
+Passphrase notes
+----------------
+
+If you use encryption (or authentication), Borg will interactively ask you
+for a passphrase to encrypt/decrypt the keyfile / repokey.
+
+A passphrase should be a single line of text, a trailing linefeed will be
+stripped.
+
+For your own safety, you maybe want to avoid empty passphrases as well
+extremely long passphrase (much more than 256 bits of entropy).
+
+Also avoid passphrases containing non-ASCII characters.
+Borg is technically able to process all unicode text, but you might get into
+trouble reproducing the same encoded utf-8 bytes or with keyboard layouts,
+so better just avoid non-ASCII stuff.
+
+If you want to automate, you can alternatively supply the passphrase
+directly or indirectly using some environment variables.
+
+You can directly give a passphrase::
+
+    # use this passphrase (use safe permissions on the script!):
+    export BORG_PASSPHRASE='my super secret passphrase'
+
+Or ask an external program to supply the passphrase::
+
+    # use the "pass" password manager to get the passphrase:
+    export BORG_PASSCOMMAND='pass show backup'
+
+    # use GPG to get the passphrase contained in a gpg-encrypted file:
+    export BORG_PASSCOMMAND='gpg --decrypt borg-passphrase.gpg'
+
+Or read the passphrase from an open file descriptor::
+
+    export BORG_PASSPHRASE_FD=42
+
+Using hardware crypto devices (like Nitrokey, Yubikey and others) is not
+directly supported by borg, but you can use these indirectly.
+E.g. if your crypto device supports GPG and borg calls ``gpg`` via
+``BORG_PASSCOMMAND``, it should just work.
+
 .. backup_compression:
 
 Backup compression

From b324f46aa180bb40276cd587c1d4665497a21c4f Mon Sep 17 00:00:00 2001
From: Thomas Waldmann <tw@waldmann-edv.de>
Date: Mon, 17 Jun 2019 02:37:06 +0200
Subject: [PATCH 3/3] vagrant: add up-to-date openindiana box (py35, openssl10)

---
 Vagrantfile | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/Vagrantfile b/Vagrantfile
index 474ddf83a..f4770f9d3 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -146,10 +146,13 @@ end
 
 def packages_openindiana
   return <<-EOF
-    #pkg update  # XXX needs separate provisioning step + reboot
-    pkg install python-34 clang-40 lz4 git
-    python3 -m ensurepip
-    pip3 install -U setuptools pip wheel virtualenv
+    # needs separate provisioning step + reboot:
+    #pkg update
+    # already installed:
+    #pkg install python-35 virtualenv-35 pip-35 clang-40 lz4 zstd git
+    ln -sf /usr/bin/python3.5 /usr/bin/pyton3
+    ln -sf /usr/bin/virtualenv-3.5 /usr/bin/virtualenv
+    ln -sf /usr/bin/pip-3.5 /usr/bin/pip
   EOF
 end
 
@@ -565,7 +568,7 @@ Vagrant.configure(2) do |config|
   # rsync on openindiana has troubles, does not set correct owner for /vagrant/borg and thus gives lots of
   # permission errors. can be manually fixed in the VM by: sudo chown -R vagrant /vagrant/borg ; then rsync again.
   config.vm.define "openindiana64" do |b|
-    b.vm.box = "openindiana-64"
+    b.vm.box = "openindiana"
     b.vm.provider :virtualbox do |v|
       v.memory = 1536 + $wmem
     end