From 52f51d065a09507e71e21fb814dfb6f22dd31ea8 Mon Sep 17 00:00:00 2001
From: Joey Hess
Date: Mon, 3 Mar 2025 16:07:04 -0400
Subject: [PATCH] rename config to annex.security.allowed-compute-programs And require for enable as well as autoenable. It seemed asking for trouble for `git-annex enable foo` to use whatever compute program is stored in the git config, without verifying that the user wants that program to be used. Note that it would be good to allow `git-annex enable foo program=...` to be used without the program being in the git config. Not implemented yet though.
---
 Remote/Compute.hs | 26 ++++++++++++--------------
 TODO-compute | 3 +++
 Types/GitConfig.hs | 6 +++---
 doc/git-annex.mdwn | 4 ++--
 doc/special_remotes/compute.mdwn | 9 ++++-----
 5 files changed, 24 insertions(+), 24 deletions(-)
diff --git a/Remote/Compute.hs b/Remote/Compute.hs
index d43e745e95..2903f926b2 100644
--- a/Remote/Compute.hs
+++ b/Remote/Compute.hs
@@ -121,21 +121,19 @@ gen r u rc gc rs = case getComputeProgram' rc of
 setupInstance :: SetupStage -> Maybe UUID -> Maybe CredPair -> RemoteConfig -> RemoteGitConfig -> Annex (RemoteConfig, UUID)
 setupInstance ss mu _ c _ = do
 ComputeProgram program <- either giveup return $ getComputeProgram' c
+ allowedprograms <- maybe [] words . annexAllowedComputePrograms
+ <$> Annex.getGitConfig
 case ss of
- AutoEnable _ -> do
- l <- maybe [] words
- . annexAutoEnableComputePrograms
- <$> Annex.getGitConfig
- unless (program `elem` l) $ do
- let remotename = fromMaybe "(unknown)" (lookupName c)
- giveup $ unwords
- [ "Not auto-enabling compute special remote"
- , remotename
- , "because its compute program"
- , program
- , " is not listed in annex.security.autoenable-compute-programs"
- ]
- _ -> noop
+ Init -> noop
+ _ -> unless (program `elem` allowedprograms) $ do
+ let remotename = fromMaybe "(unknown)" (lookupName c)
+ giveup $ unwords
+ [ "Not enabling compute special remote"
+ , remotename
+ , "because its compute program"
+ , program
+ , "is not listed in annex.security-allowed-compute-programs"
+ ]
 unlessM (liftIO $ inSearchPath program) $
 giveup $ "Cannot find " ++ program ++ " in PATH"
 u <- maybe (liftIO genUUID) return mu
diff --git a/TODO-compute b/TODO-compute
index 547730914e..3d02d9cc00 100644
--- a/TODO-compute
+++ b/TODO-compute
@@ -1,3 +1,6 @@ +* allow git-annex enableremote with program= explicitly specified, + without checking annex.security.allowed-compute-programs + * need progress bars for computations and implement PROGRESS message * get input files for a computation (so `git-annex get .` gets every file,
diff --git a/Types/GitConfig.hs b/Types/GitConfig.hs
index 6ea4503d1a..eeae1a0c7e 100644
--- a/Types/GitConfig.hs
+++ b/Types/GitConfig.hs
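Review bot: The new giveup message in setupInstance (Remote/Compute.hs) names the setting as `annex.security-allowed-compute-programs`, with a hyphen after `security`, while the key actually read in Types/GitConfig.hs and described in the docs is `annex.security.allowed-compute-programs`; a user who copies the name from the error sets a key that is never consulted, and the remote keeps being refused. The last list element should read `, "is not listed in annex.security.allowed-compute-programs"`. The `_ ->` arm is a sound fail-closed choice, since every SetupStage other than Init goes through the allow-list. The check lives only in setupInstance, whose body continues past the hunk; whether `gen` (which the hunk header shows calling `getComputeProgram' rc`) re-validates the program when the stored remote config changes after enabling is not visible here and is worth confirming.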
@@ -146,7 +146,7 @@ data GitConfig = GitConfig
 , annexAllowedUrlSchemes :: S.Set Scheme
 , annexAllowedIPAddresses :: String
 , annexAllowUnverifiedDownloads :: Bool
- , annexAutoEnableComputePrograms :: Maybe String
+ , annexAllowedComputePrograms :: Maybe String
 , annexMaxExtensionLength :: Maybe Int
 , annexMaxExtensions :: Maybe Int
 , annexJobs :: Concurrency
@@ -262,8 +262,8 @@ extractGitConfig configsource r = GitConfig
 getmaybe (annexConfig "security.allowed-http-addresses") -- old name
 , annexAllowUnverifiedDownloads = (== Just "ACKTHPPT") $
 getmaybe (annexConfig "security.allow-unverified-downloads")
- , annexAutoEnableComputePrograms =
- getmaybe (annexConfig "security.autoenable-compute-programs")
+ , annexAllowedComputePrograms =
+ getmaybe (annexConfig "security.allowed-compute-programs")
 , annexMaxExtensionLength = getmayberead (annexConfig "maxextensionlength")
 , annexMaxExtensions = getmayberead (annexConfig "maxextensions")
 , annexJobs = fromMaybe NonConcurrent $
diff --git a/doc/git-annex.mdwn b/doc/git-annex.mdwn
index 2146104456..5a39aa3bfa 100644
--- a/doc/git-annex.mdwn
+++ b/doc/git-annex.mdwn
@@ -2201,12 +2201,12 @@ Remotes are configured using these settings in `.git/config`. Per-remote configuration of annex.security.allow-unverified-downloads. -* `annex.security.autoenable-compute-programs` +* `annex.security.allowed-compute-programs` This is a space separated list of compute programs eg "git-annex-compute-foo git-annex-compute-bar". Listing a compute program here allows compute special remotes that use that program to be - autoenabled. + enabled by `git-annex enableremote` or autoenabled. # CONFIGURATION OF ASSISTANT
diff --git a/doc/special_remotes/compute.mdwn b/doc/special_remotes/compute.mdwn
index 811640e2f6..264cec825a 100644
--- a/doc/special_remotes/compute.mdwn
+++ b/doc/special_remotes/compute.mdwn
@@ -15,11 +15,10 @@ program to use to compute the contents of annexed files. It must start with "git-annex-compute-". The program needs to be installed somewhere in the `PATH`. -The `autoenable` parameter can be set to "true" like with other special -remotes to make git-annex automatically enable this special remote when -run in a new clone of the repository. However, for security, autoenabling -is only done when the git config `annex.security.autoenable-compute-programs` -includes the name of the compute program. +Any program can be passed to `git-annex initremote`. However, when enabling +a compute special remote later with `git-annex enableremote` or due to +"autoenable=true", the program must be listed in the git config +`annex.security.allowed-compute-programs`. All other "field=value" parameters passed to `initremote` will be passed to the program when running [[git-annex-addcomputed]]. Note that when the