[dblitt]

It seems the suggested solution is to use server credentials that lack delete permissions (and use credentials that have delete for compacting the repo), but does that protect against a compromised client simply overriding files without deleting them?

[ThomasWaldmann]

no-delete disallows any kind of deleting information, that includes object deletion and object overwriting.

[throwaway984393]

No. Delete and overwrite are different. You need overwrite protection in addition to delete protection. The solution will vary depending on the storage system and the use case. (The comment in the PR is not an exhaustive description of potential solutions)

[qeternity]

Append-only would imply yes. There is no overwriting in append-only. There is only truncate and append.

[mosselman]

You have misread I think.

There used to be append-only, they've removed it and suggest using a credential that has no 'delete' permission. The question asked here is whether this would protect against data being overwritten instead of deleted.

[ThomasWaldmann]

Yes, it also disallows overwriting.