move untrust forcing from Logs.Trust into Remote

No behavior changes here, but this is groundwork for letting remotes
such as borg vary untrust forcing depending on configuration.

Logs/Trust.hs

@@ -64,22 +64,15 @@ trustMap = maybe trustMapLoad return =<< Annex.getState Annex.trustmap
 {- Loads the map, updating the cache, -}
 trustMapLoad :: Annex TrustMap
 trustMapLoad = do
-	overrides <- Annex.getState Annex.forcetrust
+	forceoverrides <- Annex.getState Annex.forcetrust
 	l <- remoteList
-	-- Export/import remotes are normally untrusted, because they are
-	-- not key/value stores and there are many ways that content stored
-	-- on them can be lost. An exception is ones with versionedExport set.
-	let isexportimport r = Types.Remote.isExportSupported r
-		<||> Types.Remote.isImportSupported r
-	let isuntrustworthy r = isexportimport r
-		<&&> pure (not (Types.Remote.versionedExport (Types.Remote.exportActions r)))
-	untrustworthy <- filterM isuntrustworthy l
-	let trustoverrides = M.fromList $
-		map (\r -> (Types.Remote.uuid r, UnTrusted)) untrustworthy
+	let untrustoverrides = M.fromList $
+		map (\r -> (Types.Remote.uuid r, UnTrusted))
+		(filter Types.Remote.untrustworthy l)
 	logged <- trustMapRaw
 	let configured = M.fromList $ mapMaybe configuredtrust l
-	let m = M.unionWith min trustoverrides $
-		M.union overrides $
+	let m = M.unionWith min untrustoverrides $
+		M.union forceoverrides $
 		M.union configured logged
 	Annex.changeState $ \s -> s { Annex.trustmap = Just m }
 	return m

Remote/Adb.hs

@@ -101,6 +101,7 @@ gen r u rc gc rs = do
 		, availability = LocallyAvailable
 		, readonly = False
 		, appendonly = False
+		, untrustworthy = False
 		, mkUnavailable = return Nothing
 		, getInfo = return
 			[ ("androidserial", fromAndroidSerial serial)

Remote/BitTorrent.hs

@@ -86,6 +86,7 @@ gen r _ rc gc rs = do
 		, getRepo = return r
 		, readonly = True
 		, appendonly = False
+		, untrustworthy = False
 		, availability = GloballyAvailable
 		, remotetype = remote
 		, mkUnavailable = return Nothing

Remote/Borg.hs

@@ -108,6 +108,7 @@ gen r u rc gc rs = do
 		, availability = if borgLocal borgrepo then LocallyAvailable else GloballyAvailable
 		, readonly = False
 		, appendonly = False
+		, untrustworthy = True
 		, mkUnavailable = return Nothing
 		, getInfo = return [("repo", borgrepo)]
 		, claimUrl = Nothing

Remote/Bup.hs

@@ -95,6 +95,7 @@ gen r u rc gc rs = do
 		, availability = if bupLocal buprepo then LocallyAvailable else GloballyAvailable
 		, readonly = False
 		, appendonly = False
+		, untrustworthy = False
 		, mkUnavailable = return Nothing
 		, getInfo = return [("repo", buprepo)]
 		, claimUrl = Nothing

Remote/Ddar.hs

@@ -98,6 +98,7 @@ gen r u rc gc rs = do
 		, availability = if ddarLocal ddarrepo then LocallyAvailable else GloballyAvailable
 		, readonly = False
 		, appendonly = False
+		, untrustworthy = False
 		, mkUnavailable = return Nothing
 		, getInfo = return [("repo", ddarRepoLocation ddarrepo)]
 		, claimUrl = Nothing

Remote/Directory.hs

@@ -115,6 +115,7 @@ gen r u rc gc rs = do
 			, localpath = Just dir'
 			, readonly = False
 			, appendonly = False
+			, untrustworthy = False
 			, availability = LocallyAvailable
 			, remotetype = remote
 			, mkUnavailable = gen r u rc

Remote/External.hs

@@ -144,6 +144,7 @@ gen r u rc gc rs
 			, gitconfig = gc
 			, readonly = False
 			, appendonly = False
+			, untrustworthy = False
 			, availability = avail
 			, remotetype = remote 
 				{ exportSupported = cheapexportsupported }

Remote/GCrypt.hs

@@ -153,6 +153,7 @@ gen' r u c gc rs = do
 		, gitconfig = gc
 		, readonly = Git.repoIsHttp r
 		, appendonly = False
+		, untrustworthy = False
 		, availability = availabilityCalc r
 		, remotetype = remote
 		, mkUnavailable = return Nothing

Remote/Git.hs

@@ -205,6 +205,7 @@ gen r u rc gc rs
 			, gitconfig = gc
 			, readonly = Git.repoIsHttp r
 			, appendonly = False
+			, untrustworthy = False
 			, availability = availabilityCalc r
 			, remotetype = remote
 			, mkUnavailable = unavailable r u rc gc rs

Remote/GitLFS.hs

@@ -133,6 +133,7 @@ gen r u rc gc rs = do
 		, readonly = False
 		-- content cannot be removed from a git-lfs repo
 		, appendonly = True
+		, untrustworthy = False
 		, mkUnavailable = return Nothing
 		, getInfo = gitRepoInfo (this c cst h)
 		, claimUrl = Nothing

Remote/Glacier.hs

@@ -99,6 +99,7 @@ gen r u rc gc rs = new
 			, localpath = Nothing
 			, readonly = False
 			, appendonly = False
+			, untrustworthy = False
 			, availability = GloballyAvailable
 			, remotetype = remote
 			, mkUnavailable = return Nothing

Remote/Helper/ExportImport.hs

@@ -204,6 +204,16 @@ adjustExportImport' isexport isimport r rs = do
 		-- in confusing ways when there's an export
 		-- conflict (or an import conflict).
 		, checkPresentCheap = False
+		-- Export/import remotes can lose content stored on them in
+		-- many ways. This is not a problem with versioned
+		-- ones though, since they still allow accessing by Key.
+		-- And for thirdPartyPopulated, it depends on how the
+		-- content gets actually stored in the remote, so
+		-- is not overriddden here.
+		, untrustworthy =
+			if versioned || thirdPartyPopulated (remotetype r)
+				then untrustworthy r
+				else False
 		-- git-annex testremote cannot be used to test
 		-- import/export since it stores keys.
 		, mkUnavailable = return Nothing

Remote/Hook.hs

@@ -80,6 +80,7 @@ gen r u rc gc rs = do
 			, gitconfig = gc
 			, readonly = False
 			, appendonly = False
+			, untrustworthy = False
 			, availability = GloballyAvailable
 			, remotetype = remote
 			, mkUnavailable = gen r u rc

Remote/HttpAlso.hs

@@ -88,6 +88,7 @@ gen r u rc gc rs = do
 		, getRepo = return r
 		, readonly = True
 		, appendonly = False
+		, untrustworthy = False
 		, availability = GloballyAvailable
 		, remotetype = remote
 		, mkUnavailable = return Nothing

Remote/P2P.hs

@@ -74,6 +74,7 @@ chainGen addr r u rc gc rs = do
 		, gitconfig = gc
 		, readonly = False
 		, appendonly = False
+		, untrustworthy = False
 		, availability = GloballyAvailable
 		, remotetype = remote
 		, mkUnavailable = return Nothing

Remote/Rsync.hs

@@ -118,6 +118,7 @@ gen r u rc gc rs = do
 				else Nothing
 			, readonly = False
 			, appendonly = False
+			, untrustworthy = False
 			, availability = if islocal then LocallyAvailable else GloballyAvailable
 			, remotetype = remote
 			, mkUnavailable = return Nothing

Remote/S3.hs

@@ -234,6 +234,7 @@ gen r u rc gc rs = do
 			, localpath = Nothing
 			, readonly = False
 			, appendonly = False
+			, untrustworthy = False
 			, availability = GloballyAvailable
 			, remotetype = remote
 			, mkUnavailable = gen r u (M.insert hostField (Proposed "!dne!") rc) gc rs

Remote/Tahoe.hs

@@ -107,6 +107,7 @@ gen r u rc gc rs = do
 		, localpath = Nothing
 		, readonly = False
 		, appendonly = False
+		, untrustworthy = False
 		, availability = GloballyAvailable
 		, remotetype = remote
 		, mkUnavailable = return Nothing

Remote/Web.hs

@@ -72,6 +72,7 @@ gen r _ rc gc rs = do
 		, getRepo = return r
 		, readonly = True
 		, appendonly = False
+		, untrustworthy = False
 		, availability = GloballyAvailable
 		, remotetype = remote
 		, mkUnavailable = return Nothing

Remote/WebDAV.hs

@@ -115,6 +115,7 @@ gen r u rc gc rs = do
 			, localpath = Nothing
 			, readonly = False
 			, appendonly = False
+			, untrustworthy = False
 			, availability = GloballyAvailable
 			, remotetype = remote
 			, mkUnavailable = gen r u (M.insert urlField (Proposed "http://!dne!/") rc) gc rs

Types/Remote.hs

@@ -143,6 +143,13 @@ data RemoteA a = Remote
 	-- a Remote can allow writes but not have a way to delete content
 	-- from it.
 	, appendonly :: Bool
+	-- Set if a remote cannot be trusted to continue to contain the
+	-- contents of files stored there. Notably, most export/import
+	-- remotes are untrustworthy because they are not key/value stores.
+	-- Since this prevents the user from adjusting a remote's trust
+	-- level, it's often better not not set it and instead let the user
+	-- decide.
+	, untrustworthy :: Bool
 	-- a Remote can be globally available. (Ie, "in the cloud".)
 	, availability :: Availability
 	-- the type of the remote