When a user's machine is compromised the black hats can obviously change whatever they want to, but the eds.power.on.net/project server is:
- Not a file server! You have to access it using password authentication via https, which is encrypted.
- It's append-only: users from the compromised machine can only add bad data, not remove good data.
- So we still need to detect the problem and tidy up afterwards, but it's an improvement over file sharing schemes.
On the user side we use capabilities to limit actions such as editing tickets or changing timelines.
The server itself is backed up in the same manner to another machine and physical backups. And finally the server itself is:
- Only accessible via https (and http for forwarding) to a fossil server.
- Runs on a small OpenBSD server which we control. No shared virtual machines.
- Access to the server is only via ssh from a fixed IP address on the local network. Everything else goes to the bit bucket.
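As an added illustration (not the poster's own configuration), the last two points map onto a small OpenBSD pf.conf like the one below: drop everything by default, allow the fossil server's http/https ports from anywhere, and allow ssh only from one fixed local address. The admin address 192.0.2.10 and the interface group name egress are assumptions; substitute your own.

```pf
# Assumed fixed local address allowed to ssh in (placeholder, not the poster's)
admin_ip = "192.0.2.10"

# Don't filter loopback; silently drop rather than reject, so scans get nothing back
set skip on lo
set block-policy drop

# Default: everything that is not explicitly passed goes to the bit bucket
block all

# The server itself may initiate outbound connections (backups, updates)
pass out quick inet keep state

# ssh only from the single trusted local machine
pass in on egress inet proto tcp from $admin_ip to (egress) port 22 keep state

# http (for forwarding to https) and https to the fossil server, from anywhere
pass in on egress inet proto tcp to (egress) port { 80 443 } keep state
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; the `set block-policy drop` line is what makes unwanted traffic vanish rather than produce RST/ICMP replies that confirm the host exists.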