risson's comments

You can achieve append only with restic with S3, proper access rules and lifecycle policies


Is there some writeup how to achieve that?


I found [0] for restic + rclone.

I personally use this Ansible role [1] to deploy restic and then just configure my buckets with the ACLs described in the README and a lifecycle policy so that an override of a file creates a new version instead. Currently I have it so old versions expire on their own, and no one except the account admin can delete them.

[0] https://ruderich.org/simon/notes/append-only-backups-with-re...

[1] https://gitlab.com/byh0ki-org/infra/ansible/roles/restic/


So basically nothing Django and a Postgres db can't do.


Authentik dev here, AMA


You sir, are a legend.


Anyone have experience with using SSHFP records to avoid the so-called anti pattern of trust on first use?


Biggest problem with SSHFS RR is the trustworthiness of DNS to deliver the answer record.

Most everything does not enforce their DNS resolver to only return the DNSSEC-verified Answer RR.

Not that problem at all if you set the resolver to return only the DNSSEC-verified answer RRs; then again, most common websites would then stop working simply because they don’t use or have a proper setup of their DNSSEC overhead.

Most implementations of distribution of the SSH public keys are delivered under cover of TLS, IPSec, or variants of secured tunneling just because … because it IS A metadata.
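The check discussed in the comment above, as an added example that is not part of the original thread: it derives the SSHFP fingerprints (RFC 4255 / RFC 6594) from an OpenSSH public key line and accepts a DNS answer only when the caller reports it as DNSSEC-validated. The function names, the `dnssec_validated` parameter (assumed to come from a validating resolver), the SHA-256-only policy and the sample key are assumptions of this example.

```python
import base64
import hashlib
import struct

# SSHFP key algorithm numbers (RFC 4255, RFC 6594, RFC 7479)
KEY_ALGS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
            "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256
FP_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}

def sshfp_rdata(pubkey_line):
    """Return {(alg, fptype): hex digest} for one OpenSSH public key line."""
    keytype, b64 = pubkey_line.split()[:2]
    if keytype not in KEY_ALGS:
        raise ValueError("no SSHFP algorithm number for " + keytype)
    blob = base64.b64decode(b64, validate=True)
    # The key blob begins with a length-prefixed copy of the key type.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode("ascii"):
        raise ValueError("key type does not match key blob")
    # The fingerprint is the digest of the whole public key blob.
    return {(KEY_ALGS[keytype], t): h(blob).hexdigest() for t, h in FP_TYPES.items()}

def host_key_trusted(pubkey_line, rrset, dnssec_validated):
    """rrset: SSHFP records as 'alg fptype hexfingerprint' strings."""
    if not dnssec_validated:
        return False  # an unvalidated answer proves nothing about the key
    expected = sshfp_rdata(pubkey_line)
    for rr in rrset:
        alg, fptype, fp = rr.split(None, 2)
        key = (int(alg), int(fptype))
        if key[1] != 2:
            continue  # example policy: SHA-1 records are ignored
        if expected.get(key) == fp.replace(" ", "").lower():
            return True
    return False

def constructed_ed25519_line():
    """Constructed sample key: 32 counter bytes, not a real host key."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + bytes(range(32))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"

if __name__ == "__main__":
    line = constructed_ed25519_line()
    rr = "4 2 " + sshfp_rdata(line)[(4, 2)]
    print("record:", rr)
    print("validated answer:", host_key_trusted(line, [rr], True))
    print("unvalidated answer:", host_key_trusted(line, [rr], False))
```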


21yo here, I think Kerberos is bloody awesome, but then I was introduced to it by a somewhat old timer, who showed me its benefits when properly integrated in the company.


7 users advise to turn off IPv6


Well he also uses the GNU/Lightbulb, so that's a yes


I hate the way a lot of tools nowadays assume it's okay to just create a new directory in the user's home. For instance, this tool creates ~/.import-cache. Why doesn't it use a subdirectory in ~/.cache? What's the next step? ~/.import-config? And then ~/import-tmp? This is just getting out of hand. There are places where your tool can store config and cache data, use them.


