Trade-offs

Every design decision rules things out. The list below is what Dropbear picked, what it gave up, and the reasoning. None of this is hidden — if a trade-off bites you, you should be able to predict it from this page.

Single human, multiple devices

Picked: one person owns the bucket and writes from every device.

Gave up: real-time collaborative editing, multi-user permissions, presence indicators, shared folders with non-Dropbear users.

Why: collaboration semantics are hard and well-served by other tools (Google Docs, git, CRDTs). Picking "single writer" simplifies the conflict story dramatically — the only collisions are "I edited this file on two of my own devices before they reconciled," not "two users edited this concurrently."

Whole-file hashing

Picked: each file is one SHA-256 blob.

Gave up: efficient handling of large files with small edits. Editing one byte of a 4 GB video re-uploads 4 GB.

Why: simplicity. Whole-file hashing is easy to reason about, easy to verify, and easy to implement correctly. Chunked hashing is on the roadmap but is being deferred until the rest of the system is solid. Until then, Dropbear is the wrong tool for "huge files I edit often."

Full-snapshot manifests

Picked: every sync writes a full manifest of every file in the root.

Gave up: manifest size scaling with file count. A root with 100K files has a 100K-entry JSON manifest on every sync.

Why: simple invariants. A manifest is a complete, verifiable snapshot. There's no log replay, no delta merging, no "manifest 6 depends on manifest 3 which I lost." Garbage collection and manifest compaction will both help eventually. In the meantime: large file counts cost manifest bytes, not blob bytes (blobs are deduplicated).

Content-addressed blobs

Picked: the blob's name is its SHA-256.

Gave up: intuitive bucket browsing. The bucket is a sea of hashes; you can't run aws s3 ls and see your photos.

Why: dedupe falls out for free (same content under different paths uploads once), rename is free (same hash, new manifest entry), integrity check is free (re-hash on download). The bucket isn't supposed to be human-browsable; the manifest is.

Explicit tombstones over inferred deletes

Picked: deletes are positive information — a tombstone object stating "this path was deleted at this time on this device."

Gave up: simplicity of "absence means deleted."

Why: this is the highest-impact safety property in the project. An unplugged USB drive, a sleeping laptop, a revoked credential, a partial scan — none of these can cause a delete storm. A missing path is treated as deleted only when the root is online, identity validates, a previous scan saw the file, and the file is verifiably absent.
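The four gates above, as an added sketch that is not Dropbear's own code. Every name in it is hypothetical: the function names, the tombstone field names, and the `.dropbear/root-id` file, which stands in for the identity that the page says lives in root.toml.

```python
import os
import time

def read_identity(root):
    """Return the root's id, or None if it cannot be read (offline, wrong drive)."""
    try:
        # Hypothetical stand-in file; the page only says identity lives in root.toml.
        with open(os.path.join(root, ".dropbear", "root-id")) as f:
            return f.read().strip()
    except OSError:
        return None

def verifiably_absent(root, rel):
    """True only when the OS positively reports 'no such file' for this path."""
    try:
        os.lstat(os.path.join(root, rel))
        return False                  # still present
    except FileNotFoundError:
        return True                   # positive evidence of absence
    except OSError:
        return False                  # EACCES, EIO, ...: unknown is not absent

def plan_tombstones(root, expected_id, device_id, previously_seen, now=None):
    """Return tombstones only for paths that pass all four gates."""
    if not os.path.isdir(root):                    # gate 1: root is online
        return []
    if read_identity(root) != expected_id:         # gate 2: identity validates
        return []                                  # (empty mount point, other drive)
    now = time.time() if now is None else now
    return [
        {"path": rel, "deleted_at": now, "device": device_id}
        for rel in sorted(previously_seen)         # gate 3: a previous scan saw it
        if verifiably_absent(root, rel)            # gate 4: checked per path, so a
    ]                                              # partial scan cannot imply deletes
```

An unplugged drive usually leaves an empty mount-point directory behind, which is why gate 1 alone is not enough: the identity check is what stops every previously seen path from being tombstoned.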

Conflict files, never auto-merge

Picked: when two devices edit the same file before reconciling, write a .conflict-<other-device-id>-<ts> copy alongside the local one and let the human resolve.

Gave up: the magical "it just works" feel of CRDT-backed editors.

Why: text-merge for arbitrary binary files isn't a thing. Even for text, three-way merge requires a common ancestor, which Dropbear's snapshot model doesn't preserve. Conflict files mean nothing is ever destroyed — both versions sit on disk until you decide.

S3-compatible only

Picked: the only backend is "speaks the S3 API."

Gave up: LAN-only mode (no internet), exotic backends (WebDAV, SFTP, IPFS).

Why: every cloud has S3-compatible storage; every self-hoster has access to MinIO or Garage. The protocol is well-understood, widely tested, and the API surface is small enough to keep the backend code simple. If you really want LAN-only: run MinIO on your LAN.

Per-root configuration

Picked: each sync root has its own .dropbear directory with root.toml (identity, remote config) and state.sqlite (local state).

Gave up: a single global config in ~/.config/dropbear/.

Why: roots travel with their files. A USB drive moves between machines and keeps its identity. There's no global registry to corrupt, no ~/.dropbear/ignore overriding per-root rules.

What this means in practice

If you are syncing photo collections, code repos, notes, or document folders across your devices, all of these trade-offs are noise. If you are trying to sync a 40 GB virtual machine image you edit daily, almost every trade-off is going to bite you. Pick the right tool.