Duplicity FTP method does not allow for secure password transmission
When using the duplicity handler there doesn't currently seem to be a way to securely transmit the FTP password from backupninja to duplicity.
This issue also used to exist between duplicity and ncftp (which duplicity uses for FTP transfers) but has been solved since: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=442840
However, it still exists between backupninja and duplicity. According to man(1) duplicity:
Duplicity can also access a repository via ftp. If a user name is given, the environment variable FTP_PASSWORD is read to determine the password: FTP_PASSWORD=mypassword; duplicity /local/dir ftp://user@other.host/some_dir
As such, the backupninja duplicity handler should be able to prefix duplicity invocations with this environment variable. To achieve this, I suggest it should either interpret an generic 'environment = VAR1=foo VAR2=bar' setting or a dedicated 'ftp_password = my secret password' setting, or both, when such are found in a duplicity action configuration.
I added this as a bug rather than a feature request since I think this could be considered a security issue: the FTP transfer functionality is supported but secure transmission of the FTP password is not, so one could argue that this functionality is implemented in an insecure way - unless I missed something.
(from redmine: created on 2010-04-18, closed on 2010-05-06)