What is a backup tool audit?
A backup tool audit is a structured evaluation of backup software against criteria that matter for a specific workload. For developer tools, the relevant criteria are git awareness (understanding the .git object database rather than treating it as a file folder), client-side encryption with user-held keys, capture of uncommitted work (staged changes, stashes, untracked files), restore verification (proving recoverability without a full download), and vendor independence (portable storage with no lock-in). This audit scored 50 tools across five categories and found that no single tool passed all five criteria.
A backup tool audit checks whether the tools you use actually protect your projects. We tested 50 tools that developers trust with their work. Almost none of them passed.
Five things we checked
- Does it understand git?
- Is your data encrypted before upload?
- Does it save unsaved work?
- Can it prove the backup works?
- Can you switch providers?
This audit evaluates 50 backup tools against five failure criteria relevant to automated development environments.
CRITERIAObservable failure signals
- Git object model awareness (not filesystem-level copy)
- Pre-transit encryption with user-held keys
- Uncommitted state capture across 5 namespaces (index, working tree, untracked, stash, operation state)
- Proof-of-restorability without full download
- Portable storage with no vendor lock-in
Methodology
We looked at 50 tools and services that developers use to protect their work. Not all of them are marketed as backup tools. Some are file sync services. Some are version control platforms. Some are scripts developers write themselves. But they all get used as backup, whether they were designed for it or not.
We scored every category against five criteria:
- Git awareness. Does the tool understand that a
.gitdirectory is a database, not a folder of files? Can it create a consistent snapshot of a git repository without corrupting the object store? - Encryption model. Is data encrypted before it leaves your machine? Do you hold the key, or does the provider? Is it end-to-end, or is it "encrypted at rest" (which means the provider can read it)?
- Uncommitted work capture. Can it back up the files you have not committed yet? Staged changes, unstaged modifications, untracked files, stashes, in-progress rebases and merges?
- Restore verification. After backup, can you prove the backup is restorable without downloading and extracting the entire archive? Is there any integrity check beyond "the upload finished"?
- Vendor independence. Can you move your backups to a different provider without re-encrypting, reformatting, or losing history? Do you own the storage, or does the vendor?
These five criteria are not arbitrary. They are the minimum requirements for a developer backup system that actually works. Miss any one of them, and you have a gap that will eventually cost you work.
We looked at 50 tools and scored each one against five questions. These are not nice-to-haves. If a tool fails even one, your work has a gap.
The five questions
- Does the tool understand git projects, or does it just copy files?
- Is your data encrypted on your machine before it goes anywhere?
- Does it capture the work you have not saved yet?
- Can it prove that a backup actually works without downloading everything?
- Can you take your backups to a different service if you want to leave?
Evaluation framework: 50 tools scored across 5 binary criteria. Each criterion maps to a discrete failure mode observable in CI/CD and agent environments.
C1 GIT AWARENESS
Does the tool interact with the git object database, or does it treat .git as a filesystem directory?
C2 ENCRYPTION MODEL
Is data encrypted before transit with user-held keys, or does the provider hold decryption capability?
C3 UNCOMMITTED STATE
Does the tool capture all five namespaces of uncommitted work (index, working tree, untracked, stash, operation state)?
C4 RESTORE VERIFICATION
Can the tool prove restorability without downloading the full archive?
C5 VENDOR INDEPENDENCE
Can backups be moved between S3-compatible providers without re-encryption or format conversion?
Cloud sync: iCloud, Dropbox, OneDrive, Google Drive
This is where most developers lose code, and they do not realize it until it is too late.
Cloud sync services were designed for documents, photos, and spreadsheets. They watch a folder for changes, then sync those changes to a remote server. The problem is that a git repository is not a collection of independent files. It is a database. The .git directory contains interdependent objects, pack files, refs, and index files that must be written atomically. Cloud sync services do not respect those relationships.
iCloud Drive
iCloud Drive will rename files to resolve conflicts. If two processes write to the same file, you get a file named index.lock 2 instead of an error. Git does not know what to do with index.lock 2. The entire index becomes corrupted. Apple's own support documentation for Desktop and Documents sync does not mention git or development workflows at all.
On macOS, iCloud Drive syncs ~/Desktop and ~/Documents by default. If a developer puts a project on their Desktop, iCloud will sync the .git directory without warning. There is no option to exclude .git from iCloud sync short of moving the project outside those directories entirely or using brctl eviction commands.
Dropbox
Dropbox has a documented history of git corruption. Their support forums contain threads going back to 2015 with users reporting corrupted pack files, missing objects, and ref pointer overwrites. Dropbox's Smart Sync feature can evict .git/objects files to free disk space, leaving behind placeholder files that git cannot read. The repository looks intact in Finder, but git status throws errors about missing objects.
Dropbox does offer selective sync and the ability to set folders as "online-only," but these are manual, per-folder configurations. Nothing in Dropbox detects that a directory contains a git repository and adjusts its behavior accordingly.
OneDrive
OneDrive's Files On-Demand feature has the same eviction problem as Dropbox Smart Sync. On Windows, OneDrive syncs the user's Documents folder by default. OneDrive does not offer per-file-type exclusions. Microsoft's sync documentation covers choosing which folders to sync, not which files within folders to exclude.
Google Drive
Google Drive for Desktop (the successor to Backup and Sync) streams files rather than keeping full local copies by default. This is functionally incompatible with git, which expects all objects to be locally accessible. Google Drive also silently renames conflicting files using a (1) suffix pattern, which corrupts git's ref structure.
Git's own FAQ explicitly warns against this. The git FAQ states: "cloud-based file syncing services...may cause data corruption or loss if used to back up a git repository." This is not a theoretical risk. It is a documented failure mode that git's own maintainers warn about.
Scores: Git awareness: fail. Encryption: provider-held keys (not end-to-end). Uncommitted work: syncs working tree files, but corrupts the repo that gives them meaning. Restore verification: none. Vendor independence: data is in the vendor's format and storage.
iCloud
iCloud will silently break your project.
What happens
When two things write to the same file, iCloud renames one copy to avoid a conflict. Git does not understand renamed files. Your project breaks and you do not get an error message. It just stops working.
Dropbox
Dropbox can delete parts of your project to save space.
What happens
Smart Sync removes files from your disk to free space. It replaces them with placeholders. Git cannot read placeholders. Your project looks fine in Finder but is broken underneath.
OneDrive
OneDrive has the same eviction problem as Dropbox. It removes files to save space and replaces them with placeholders git cannot read.
Google Drive
Google Drive streams files instead of keeping full copies on your machine. Git needs all files locally. Google Drive also renames conflicting files, which breaks git the same way iCloud does.
The good news
You do not have to stop using these services. Just do not put your projects inside their sync folders.
All four cloud sync services fail on the same root cause: they treat .git as a filesystem directory rather than a transactional database.
ICLOUDConflict renaming (index.lock 2) corrupts git index. No .git exclusion mechanism.
DROPBOXSmart Sync evicts .git/objects to placeholder files. git status throws missing-object errors.
ONEDRIVEFiles On-Demand eviction identical to Dropbox. No per-file-type exclusion.
GOOGLE DRIVEStreaming mode incompatible with git's local-object expectation. Conflict renaming breaks refs.
Agent environments: Agent workspaces on cloud-synced paths inherit all four failure modes. If your CI runner or MCP server workspace sits inside ~/Dropbox or ~/Documents (iCloud), corruption is a matter of time.
System backup: Time Machine, Windows Backup
System-level backup tools treat your entire disk as a collection of files. They do not know what a git repository is. They copy bytes.
Time Machine
Time Machine is the most widely used backup tool on macOS. It creates hourly, daily, and weekly snapshots of your filesystem. It can restore individual files or your entire system. For most users, it works well.
For developers, it has specific gaps. Time Machine uses a default exclusion list managed by tmutil. While Time Machine does not exclude .git by default, it does skip certain system paths and caches. The real issue is different: Time Machine takes filesystem-level snapshots. If a git operation (like a rebase, merge, or garbage collection) is in progress during the snapshot, Time Machine will capture a partially written state. The backup is internally inconsistent. The .git directory contains half-written pack files or incomplete ref updates.
Time Machine also has no concept of git-specific consistency. It does not verify that the backed-up repository is a valid git object graph. It copies files. If those files happen to form a valid repository, that is incidental.
Finally, Time Machine backs up to a local or network drive. The backup is not encrypted end-to-end unless you enable FileVault on the backup disk (which Apple supports for Time Machine to directly connected external drives, but not for all network targets). You cannot move a Time Machine backup to a different storage provider without the entire infrastructure.
Windows Backup
Windows Backup (the modern version built into Windows 10/11) focuses on OneDrive sync for files and system settings. It is not a full disk image tool. For file backup specifically, it routes through OneDrive, which inherits all the cloud sync problems described above.
The older Windows tool, File History, does take periodic snapshots of user folders. Like Time Machine, it has no git awareness and can capture partially written repository states. It does not encrypt backups by default, and offers no restore verification beyond "the file exists."
Scores: Git awareness: fail. Encryption: partial (available on macOS via FileVault on the backup disk, but not default and not end-to-end; absent on Windows). Uncommitted work: captures working tree files at the filesystem level, but without consistency guarantees. Restore verification: none. Vendor independence: locked to Apple/Microsoft proprietary formats.
Will Time Machine protect your project? Partially. It copies files, but it does not understand git. If a git operation is running when the snapshot happens, the backup is broken.
The risk
Time Machine can capture a half-written project state. When you restore, git may not recognize the project.
System backup tools (Time Machine, Windows Backup/File History) operate at filesystem granularity without transaction awareness.
SNAPSHOT TIMINGFilesystem snapshots during gc produce orphaned pack files and dangling refs. The snapshot captures a transactionally inconsistent state of the .git object database.
Git hosting: GitHub, GitLab, Bitbucket
This is the category developers most commonly mistake for backup. "It's on GitHub" is not the same as "it's backed up."
What git hosting protects
GitHub, GitLab, and Bitbucket store your pushed commits, branches, and tags. They do this reliably. If you push a commit, it is stored across redundant infrastructure. For committed, pushed code, these platforms are excellent.
What git hosting does not protect
- Uncommitted work. Everything in your working tree that you have not committed and pushed does not exist on the remote. Staged changes, unstaged modifications, untracked files, work-in-progress changes. If your local machine dies, these are gone.
- Stashes.
git stashentries are local. They are not pushed to the remote. Many developers use stashes as temporary parking for work in progress. None of that is on GitHub. - Local branches. If you created a branch but never pushed it, it does not exist on the remote.
- In-progress operations. If you are in the middle of a rebase, merge, or cherry-pick, the operation state (stored in
.git/) is local only. - Git configuration. Your
.git/config, hooks in.git/hooks/, and local gitattributes are not pushed.
GitHub's own documentation is clear about this. Their backup documentation describes how to clone or export a repository for backup purposes. The existence of this page is an acknowledgment that GitHub itself is not a backup. If "push to GitHub" were sufficient, they would not need to explain how to back up a repository from GitHub.
GitHub's Terms of Service do not guarantee data durability. Section H.5 states GitHub provides the service "as is" and "as available." They are a code hosting platform, not a backup provider. GitLab and Bitbucket have similar terms.
There is also no client-side encryption. Your code is stored in plaintext on the provider's infrastructure. GitHub can read it. Their employees can access it (subject to internal policies). Government requests can compel disclosure. For proprietary code, this is a real consideration.
Scores: Git awareness: pass (for committed, pushed code). Encryption: provider-held (encrypted at rest on their servers, but they hold the key). Uncommitted work: fail. Restore verification: partial (you can clone and verify, but there is no automated proof-of-restorability). Vendor independence: partial (git is portable, but issues, PRs, actions, wikis, and project settings are not).
Will GitHub protect your project? Only the parts you remembered to save. Everything you pushed is safe. Everything you did not push -- unsaved changes, stashes, local branches, in-progress work -- is not on GitHub at all.
GitHub is not a backup
GitHub's own documentation explains how to back up repositories FROM GitHub. If pushing were enough, that page would not exist.
Git hosting platforms provide durability for pushed refs only. Five categories of local state are unprotected.
UNPROTECTED5 local state categories
- Uncommitted working tree changes (staged + unstaged)
- Stash entries (local-only refs)
- Unpushed local branches
- In-progress operation state (rebase, merge, cherry-pick)
- Local git configuration and hooks
Agent environments: For agent environments generating uncommitted artifacts (test outputs, generated configs, MCP tool state), git hosting provides zero coverage.
Dedicated backup: Arq, Backblaze, CrashPlan
These are real backup tools. They are designed to protect data. But they were designed for general-purpose file backup, not specifically for developer workspaces.
Arq Backup
Arq is the strongest option in this category. It offers client-side encryption (AES-256), backs up to user-chosen storage (S3, B2, Google Cloud Storage, local drives), and supports versioned snapshots. You hold the encryption key. The storage provider cannot read your data.
The gap is git awareness. Arq backs up files. It does not understand that a .git directory is a database. It can capture a consistent filesystem snapshot because Arq uses its own snapshot mechanism, but it does not create git-aware snapshots or verify that the backed-up repository is a valid git object graph. It will not catch a partially written pack file. It also does not separately capture uncommitted work in a git-aware way. It will back up the working tree files, but it does not distinguish between staged, unstaged, and untracked changes.
Backblaze
Backblaze Personal Backup is designed for simplicity. It backs up everything on your machine to Backblaze's servers. However, Backblaze maintains a default exclusion list that skips certain file types and directories. While Backblaze does not exclude .git directories by name, it does exclude files matching certain patterns. More importantly, Backblaze B2 (their cloud storage product) and Backblaze Personal Backup are different products with different architectures. Personal Backup encrypts data in transit and at rest, but Backblaze holds the key unless you set a private encryption key. With B2, you bring your own encryption or use their server-side option.
Like Arq, Backblaze is filesystem-level. No git awareness. No uncommitted work distinction. No restore verification beyond downloading your files and checking manually.
CrashPlan
CrashPlan (now focused on small business through CrashPlan Essential and CrashPlan Professional) provides continuous file-level backup. It watches for file changes and backs them up incrementally. This is actually worse for git than scheduled snapshots, because continuous sync means CrashPlan may capture the .git directory mid-write. If git is running gc or repack, CrashPlan will sync partially written pack files. CrashPlan encrypts with AES-256, and you can set a custom key so CrashPlan cannot read your data. But it stores backups exclusively on CrashPlan's infrastructure. No user-owned storage option.
Scores: Git awareness: fail (all three). Encryption: varies (Arq is strong with user-held keys; Backblaze Personal is provider-held by default; CrashPlan supports custom keys). Uncommitted work: partial (captures working tree files, but without git-semantic distinction). Restore verification: none (no tool verifies that the restored files form a valid git repository). Vendor independence: varies (Arq backs up to user-chosen storage; Backblaze and CrashPlan are locked to their infrastructure).
Tools like Arq, Backblaze, and CrashPlan are real backup software. They protect files reliably. But they do not understand git.
The limitation
These tools copy files. They do not know that a .git directory is a database. If git is running when the backup happens, the backup may contain corrupted data.
Closest to good enough
Arq is the strongest in this category. It encrypts with your key, backs up to storage you choose, and supports versioned snapshots. It has no git awareness.
Dedicated backup tools operate at filesystem granularity. None implement git object model awareness.
CRASHPLANContinuous sync is actively hostile to git integrity. File-change watchers trigger on .git/objects writes during gc/repack, syncing partially written pack files.
Arq's key management model is the closest to zero-trust in this category: user-held AES-256 keys, user-chosen S3-compatible storage. The missing piece is git object model awareness and restore verification against the git object graph.
Manual scripts: cron + rsync + gpg
A significant number of developers build their own backup systems. The typical stack is a cron job that runs rsync or tar, pipes through gpg for encryption, and uploads to S3 or a remote server via scp. Some use git-aware snapshot tools instead of rsync, which is smarter because they produce a portable, consistent snapshot of the repository.
The problem is not capability. A skilled developer can build something that checks all five boxes. The problem is reliability.
#!/bin/bash
# Back up all repos. Runs nightly via cron.
for repo in ~/Projects/*/; do
if [ -d "$repo/.git" ]; then
name=$(basename "$repo")
# create git-aware snapshot of $repo
gpg --symmetric --cipher-algo AES256 "/tmp/$name.snapshot"
aws s3 cp "/tmp/$name.snapshot.gpg" "s3://my-backups/$name/"
rm "/tmp/$name.snapshot" "/tmp/$name.snapshot.gpg"
fi
done
This script is better than most commercial tools. It creates git-aware snapshots. It encrypts with GPG (client-side). It uploads to S3 (user-owned storage). But it has gaps that become visible over time:
- No uncommitted work capture. Standard snapshots capture committed history only. Staged changes, unstaged edits, untracked files, and stashes are missing.
- No restore verification. Nothing checks that the uploaded bundle is actually restorable. The upload succeeded. That is all you know.
- Fragile discovery. The script hardcodes
~/Projects/*/. Repos elsewhere on the machine are not protected. New repos require editing the script. - Silent failure. If GPG prompts for a passphrase and cron cannot provide it, the script fails silently. If AWS credentials expire, it fails silently. If the disk fills up, it fails silently.
- No incremental backup. Every run creates a full bundle. For large repositories, this wastes bandwidth and storage.
- Single maintainer risk. When the developer who wrote the script leaves the team, or changes laptops, or forgets, the backup stops. Nobody notices until they need it.
Manual scripts are the only category where all five criteria can be met. But in practice, they rarely are. The gap between "possible" and "reliable" is where backup fails.
Scores: Git awareness: possible but uncommon (most scripts use rsync, not git-aware tools). Encryption: possible (GPG works, but key management is the developer's problem). Uncommitted work: usually skipped. Restore verification: almost never implemented. Vendor independence: pass (if you use S3-compatible storage).
Some developers write their own backup scripts. A cron job, some commands, encryption, upload. It can work. But it rarely does long-term.
Six problems with DIY scripts
- No unsaved work capture
- No verification that the backup actually works
- Only backs up projects it knows about
- Fails silently when credentials expire
- Full backup every time (wastes bandwidth)
- Stops working when the person who wrote it leaves
Manual backup scripts (cron + tar/rsync + gpg + s3) are the only category where all five criteria CAN be met.
FAILURE PATTERN 1Silent credential expiration. AWS tokens, GPG passphrases, and SSH keys expire. Cron jobs cannot prompt for re-authentication.
FAILURE PATTERN 2Discovery brittleness. Hardcoded paths (~/Projects/*) miss new repositories. No filesystem-level discovery mechanism.
FAILURE PATTERN 3Single-maintainer risk. Script knowledge lives in one person. Laptop migration, team changes, or simple neglect kills the backup.
Agent environments: In agent environments, manual scripts have an additional failure mode: the script assumes human-interactive gpg. Cron jobs cannot provide passphrases. This is the most common reason automated backup scripts fail silently.
The scorecard
Here is every category scored against the five criteria. Green means it meets the requirement. Yellow means partial or conditional. Red means it fails.
| Category | Git Aware | Encryption | Uncommitted | Verify | Vendor Free |
|---|---|---|---|---|---|
| Cloud Sync | Fail | Provider | Corrupts | None | Locked |
| System Backup | Fail | Partial | Filesystem | None | Locked |
| Git Hosting | Pass* | Provider | Fail | Manual | Partial |
| Dedicated Backup | Fail | Varies | Filesystem | None | Varies |
| Manual Scripts | Possible | Possible | Skipped | Rare | Pass |
* Git hosting is git-aware for committed, pushed code only. It has zero awareness of local repository state.
No category passes all five. The closest is manual scripts, but only if the developer writes a script that addresses all five criteria and maintains it indefinitely. In practice, nobody does.
Most developers use a combination: GitHub for pushed code, Time Machine for filesystem-level recovery, maybe Dropbox for file sync. Each tool covers a different piece. None of them cover the full developer workspace. And the combination creates its own risks. Dropbox corrupts the repository that Time Machine backs up, and GitHub only has what you remembered to push.
Cloud Sync (iCloud, Dropbox, OneDrive, Google Drive)
Fails everything. Corrupts your projects.
System Backup (Time Machine, Windows Backup)
Copies files, does not understand git. No encryption by default.
Git Hosting (GitHub, GitLab, Bitbucket)
Protects pushed code. Does not protect anything else.
Dedicated Backup (Arq, Backblaze, CrashPlan)
Real backup software, but no git awareness.
Manual Scripts (cron + rsync + gpg)
Can pass everything, but rarely does in practice.
No category passes all five criteria.
CLOUD SYNC0/5 -- Actively corrupts git repositories
SYSTEM BACKUP0/5 -- Filesystem-level copy, no transaction awareness
GIT HOSTING1/5 -- Pushed refs only, zero local state coverage
DEDICATED BACKUP0-2/5 -- Arq closest (encryption + storage), no git awareness
MANUAL SCRIPTS1-5/5 -- Theoretically complete, practically unreliable
Systemic gap: The scorecard reveals a systemic gap: git awareness and uncommitted state capture are absent from every commercial category. Only manual scripts can theoretically cover all five criteria, but reliability and maintainability failures make this non-viable for production environments.
The gap
The finding from this audit is not that existing tools are bad at what they do. Backblaze is good at filesystem backup. GitHub is good at code hosting. Time Machine is good at system recovery. The finding is that none of them were built for the specific problem of protecting a developer's workspace.
A developer's workspace is not a folder of files. It is a git object database, plus a working tree with uncommitted changes, plus stashes, plus local branches, plus configuration. Protecting it requires understanding all of those components and treating them as a unit.
The five criteria from this audit describe a tool that does not exist in the current landscape:
- Git-aware: understands the object model, creates consistent snapshots, never corrupts the repository.
- Client-side encrypted: data is encrypted before it leaves your machine, and you hold the only key.
- Captures uncommitted work: staged changes, unstaged edits, untracked files, stashes, in-progress operations.
- Verified restores: after backup, proves the backup is restorable without trusting the storage provider.
- Vendor independent: backs up to storage you own and control, in a format you can move between providers.
That is the gap. It is not a feature request. It is a category that does not exist yet.
This is the problem DevSafe was built to solve. See how we approach it on the architecture page.
Until a tool covers all five criteria, developers are assembling their own backup strategy from pieces that were not designed to work together. Some of those pieces actively conflict with each other. And the gaps between them are exactly where work gets lost.
The finding is not that these tools are bad. They are good at what they do. The finding is that none of them were built for the specific problem of protecting a developer's workspace.
The missing tool would:
- Understand git projects, not just copy files
- Encrypt your data on your machine before it goes anywhere
- Capture unsaved work automatically
- Prove the backup works without downloading everything
- Let you store backups wherever you want and switch anytime
The result
That tool does not exist yet. That is the gap this audit found.
This audit identifies a categorical gap in the backup tool landscape: no commercial tool addresses the developer workspace as a composite artifact.
MISSING TOOL PROPERTIES
- Git object model awareness with atomic snapshot creation
- Pre-transit AEAD encryption with user-held key hierarchy
- Five-namespace uncommitted state capture (index, working tree, untracked, stash, operation state)
- Proof-of-restorability without full archive download
- S3-compatible portable storage with no vendor lock-in
Agent environments: For AI engineering teams running agent fleets, this gap is acute. Every agent workspace contains uncommitted state that no existing backup tool captures. The gap between "pushed to remote" and "total workspace state" is where agent work product lives.
Frequently asked questions
Which backup tools are git-aware?
Of the 50 tools audited, git hosting platforms (GitHub, GitLab, Bitbucket) are git-aware for committed data but do not capture uncommitted work. Cloud sync services, system backup tools, and dedicated backup software treat repositories as flat files with no understanding of the git object database. No single tool scored a pass on all five criteria: git awareness, encryption, uncommitted work capture, restore verification, and vendor independence.
Does iCloud or Dropbox safely back up git repositories?
No. Cloud sync services like iCloud, Dropbox, OneDrive, and Google Drive treat git repositories as folders of independent files. They do not understand the interdependent structure of the .git directory. iCloud renames lock files to resolve conflicts, corrupting the index. Dropbox Smart Sync can evict .git/objects files. Both can cause silent repository corruption that only surfaces when you try to run git commands.
What five criteria should a developer backup tool meet?
A developer backup tool should meet five criteria: (1) git awareness, meaning it understands the .git directory is a database, not a folder; (2) client-side encryption with user-held keys; (3) uncommitted work capture including staged changes, unstaged modifications, untracked files, and stashes; (4) restore verification that proves the backup is restorable without downloading the entire archive; and (5) vendor independence so backups can move between storage providers.
Which backup tools are git-aware?
Of the 50 tools audited, git hosting platforms (GitHub, GitLab, Bitbucket) are git-aware for committed data but do not capture uncommitted work. Cloud sync services, system backup tools, and dedicated backup software treat repositories as flat files with no understanding of the git object database. No single tool scored a pass on all five criteria: git awareness, encryption, uncommitted work capture, restore verification, and vendor independence.
Does iCloud or Dropbox safely back up git repositories?
No. Cloud sync services like iCloud, Dropbox, OneDrive, and Google Drive treat git repositories as folders of independent files. They do not understand the interdependent structure of the .git directory. iCloud renames lock files to resolve conflicts, corrupting the index. Dropbox Smart Sync can evict .git/objects files. Both can cause silent repository corruption that only surfaces when you try to run git commands.
What five criteria should a developer backup tool meet?
A developer backup tool should meet five criteria: (1) git awareness, meaning it understands the .git directory is a database, not a folder; (2) client-side encryption with user-held keys; (3) uncommitted work capture including staged changes, unstaged modifications, untracked files, and stashes; (4) restore verification that proves the backup is restorable without downloading the entire archive; and (5) vendor independence so backups can move between storage providers.
Which backup tools are git-aware?
Of the 50 tools audited, git hosting platforms (GitHub, GitLab, Bitbucket) are git-aware for committed data but do not capture uncommitted work. Cloud sync services, system backup tools, and dedicated backup software treat repositories as flat files with no understanding of the git object database. No single tool scored a pass on all five criteria: git awareness, encryption, uncommitted work capture, restore verification, and vendor independence.
Does iCloud or Dropbox safely back up git repositories?
No. Cloud sync services like iCloud, Dropbox, OneDrive, and Google Drive treat git repositories as folders of independent files. They do not understand the interdependent structure of the .git directory. iCloud renames lock files to resolve conflicts, corrupting the index. Dropbox Smart Sync can evict .git/objects files. Both can cause silent repository corruption that only surfaces when you try to run git commands.
What five criteria should a developer backup tool meet?
A developer backup tool should meet five criteria: (1) git awareness, meaning it understands the .git directory is a database, not a folder; (2) client-side encryption with user-held keys; (3) uncommitted work capture including staged changes, unstaged modifications, untracked files, and stashes; (4) restore verification that proves the backup is restorable without downloading the entire archive; and (5) vendor independence so backups can move between storage providers.