Sunday, September 06, 2009

A Time Machine time bomb

I finally convinced myself that my new eSATA drivers were working, so I switched my two main external drives back from USB to eSATA. Everything seemed hunky dory, until I noticed that Time Machine was suddenly spinning for an awfully long time. I checked the logs and saw that Time Machine was busily deleting all my old backups. By the time I noticed, I had already lost about a year's worth.

What happened, as it turned out, was that when I unmounted the external drives to switch them back over to the eSATA cables, Time Machine removed those volumes from the exclusion list. It was trying to backup those external drives. To do that it needed about a terabyte of free space, so it was busily deleting all my old backups to make room. If I hadn't stopped it, it would have nuked them all. My backup volume is only 750GB.

IMHO this is a SERIOUS bug in Time Machine, almost bordering on legally actionable negligence on Apple's part. There are apparently people out there who have lost all of their backups because the exact same thing happened to them but they didn't notice in time. Newly mounted external drives should be excluded from backup by default. At the very least, Time Machine should prompt you, or warn you, or something. What any backup program should NOT do under any circumstances (and I would have hoped this would go without saying, but apparently not) is silently delete all of your backups.

UPDATE: There seems to be some confusion on two points. First, there was an option in TM on Leopard to "warn before old backups are deleted." In SL that option has been changed to "notify after old backups are deleted", which seems to me to rather defeat the purpose. Second, in most jurisdictions, if you accept money for a product there are implied warranties of merchantability and fitness for a particular purpose which you cannot disclaim. In this case, TM is advertised as an integral feature of OS X whose purpose is to make backups of your data. If instead it deletes all your data, that *could* be negligence that Apple could not legally disclaim, rather like selling a fire extinguisher that actually set your house on fire. But IANAL, and I didn't suffer any actual damages because I caught it in time, so I will not be putting this theory to the test. But someone who lost all their backups might.

14 comments:

  1. My Leopard's Time Machine preference pane has the option "Warn when old backups are deleted". Wasn't this on by default, or didn't it behave as expected in your case?

    ReplyDelete
  2. In Snow Leopard that option is now "Notify after old backups are deleted." It was turned on, but needless to say it did me no good. It's hard to see how an option like that could possibly do anyone any good. What on earth could they possibly have been thinking?

    ReplyDelete
  3. That's totally mad! What were they smoking? It would be interesting to know if all that changed in SL is the label or if they actually changed the functionality to be this user-unfriendly and counter-intuitive!

    ReplyDelete
  4. I'm on standard Leopard and the label says "Warn when old backups are deleted".

    This states that the user will be 'warned' that their backups are gone which is kind of incorrect language and it implies that the user can do something about it. They are actually 'notifying' that the backups are gone, hence the label change in Snow Leopard.

    To be honest though, not much point in it.

    ReplyDelete
  5. I strongly suggest you seriously consider ditching Time Machine and just go with a regular backup program. That is exactly the kind of thing that scared me away from TM from the beginning. Usually I love the way Apple handles the details, but when it comes to backups, I have had my butt handed to me by details way too many times to trust a big black box like TM.

    I use Chronosync, BTW, as do all my friends. It has been great for us. The company has a pretty lame demo version of the software, though. You have to email them to get an unlocked demo to find out if it even works. When you do that, don't describe their demo policy as "baffling." Believe me.

    Still, it's a great product, asshat-answering-emails aside.

    ReplyDelete
  6. I agree that a warning here would be nice, but I don't see how you can claim data loss here.

    Why is losing a backup an issue at all, if the regular drive is intact? Sure it's nice to have that "safety net" of old files there for possible restoration, but if those files were essential why were they deleted? Your "headline" and write-up make it seem like real data loss occurred.

    ReplyDelete
  7. Deleting old backups makes perfect sense to me - otherwise, where would new data go?

    Also - the EULA (I'm pretty sure) already disclaims any liability for merchantability for the software.

    I do agree that excluding external drives makes sense - but deleting old backups when you run out of space is perfectly logical.

    ReplyDelete
  8. I have to agree with what some others have said, that it's not as bad as you make it sound. It's a problem to be sure, but TL didn't delete your primary data, just the backups. I have had similar issues when either moving to a new machine or getting a logic board replaced. When your computer has a new MAC address it has issues continuing to use your old backups. One time I repaired the permissions and other stuff and kept using my backup. Sometimes I just don't want to be bothered and I nuke the old image and start over. It's not ideal, but I don't feel like I've lost data.

    ReplyDelete
  9. > Deleting old backups makes perfect sense to me - otherwise, where would new data go?

    Deleting old backups makes sense in general. Deleting ALL the old backups with NO warning to make room for backing up a disk that was on the exclude list in a situation where there wouldn't have been enough room to do the backup anyway does not.

    > it's not as bad as you make it sound

    It ultimately was not catastrophic for me because I caught it in time. But if I had not caught it in time (and there are many reports from people who have had the same experience who did not catch it in time) it would have been much worse. True, my primary data would still have been there. But my ability to easily revert to Leopard would have been gone, and I would have been without a backup, possibly without realizing it. I have no idea what would have happened if I'd let the process run to completion. It's entirely possible that I would have ended up with a TM volume full of data from the media drive, no backup of the primary drive, and no indication that anything was wrong. If my internal drive had crashed at that point, that *would* have been catastrophic.

    And if your response to that is that the chances that of my hard drive crashing at that point are pretty small, then my response is: either you are going to take backup and the prospect of a primary hard drive failure seriously or you aren't. If you aren't then none of this matters. But if you are, then even the possibility of silently getting into a state where you are a single failure away from unrecoverable data loss is very bad.

    The "silently" part is key here. The problem is not so much that TM did what it did, but that it did it WITH NO INDICATION THAT ANYTHING UNUSUAL WAS GOING ON (except for taking longer than usual to complete the backup). *That* is the real problem.

    ReplyDelete
  10. You're right, not having any indication is a big difference in those scenarios. Especially because any amount of time could pass before you noticed and in that time your drive could fail.

    Sorry if I implied that I think you're wrong on the overall point that this is a problem. It does seem like a bigger problem to me now than the new MAC address issue.

    ReplyDelete
  11. This is the result of Apple appealing to the not-to-technically-sophisticated set. TimeMachine is extremely simple to setup, but has very few options. For example, I can't set the times for backing up. (Maybe I only want it once per day).

    TimeMachine's main premise is to be simple and easy. Imagine a standard user who has a 160Gb hard drive and a 500Gb Time Machine drive. In a month, that user will start getting warnings about deleting backups, and in theory could have these warnings every hour. How would that user respond? Wouldn't it start looking like Vista's security warnings that pop up all the time?

    Therefore, Apple decided no warnings of backup deletions. After all, you are probably deleting the very old stuff anyway. I can see why Apple made that decision.

    Maybe what Apple needs to do is some sort of verification on Time Machine drive sizing. Every time Time Machine begins a backup, it looks at the size of your backup drive vs. the size of the data you're actually backing up. If the time machine disk size/actual backup size ratio is too low (let's say below 5:1), Apple should issue a warning.

    Apple should also determine a minimum number of days of snapshots to keep. amd warn the user if it finds itself about to delete those. Something like:

    "Warning: In order for Time Machine to backup your current system, it needs to delete the backups it made from 21 days ago. We highly recommend that you purchase a larger Time Machine drive before allowing Time Machine to continue. Should Time Machine be allowed to delete these backups?"

    And, Time Machine should never delete the last copy of the latest backup under any circumstances.

    Yes, this issue needs to be addressed, but I'm not going to get too upset at Apple right now over this because, as a developer, I can imagine myself making the very same mistake.

    Report it to Apple support as a bug, and see if Apple treats it seriously.

    ReplyDelete
  12. To those who ask why losing incremental backups is a problem, since you still have the current data: the point of incremental backups is the ability to roll back to older versions of files from weeks or months ago, in case you realize you deleted something important from the main drive. Incremental backups are primary data in this sense, so having them unnecessarily deleted is data loss. If losing the incrementals wasn't a problem, you wouldn't be bothering with them in the first place, and might simply keep a mirror.

    ReplyDelete
  13. That's terrible! I had a problem with Time Machine where I found out it was backing up everything BUT my home directory, which was the most important thing of course! It was probably because my setup was peculiar. Because I do worry about losing information from corruption, I had partitioned my disk drive and made a 'home' partition which I would automatically mount under '/Users'. Everything worked fine under Mac OS X, but after using Time Machine for over a year, I started checking out the histories of certain folders and found out that NOTHING in my home folder was backed up. I wrote Apple some feedback on the issue, but I doubt it's been addressed. The backup solution is too scary to screw up so badly, but I will give Apple credit for trying to furnish a workable solution.

    ReplyDelete