Behavior change: git-annex trust now needs --force

Since unconsidered use of trusted repositories can lead to data loss.

Trusted has always been this way, but it used to be acceptable for
git-annex to be set up so that data could be lost without using --force,
and most or all other ways that can happen have already been eliminated.

This commit was sponsored by Mark Reidenbach on Patreon.

CHANGELOG

@@ -8,6 +8,8 @@ git-annex (8.20201130) UNRELEASED; urgency=medium
   * Behavior change: When numcopies is set to 0, git-annex used to drop
     content without requiring any copies. Now to get that (highly unsafe)
     behavior, mincopies also needs to be set to 0.
+  * Behavior change: git-annex trust now needs --force, since unconsidered
+    use of trusted repositories can lead to data loss.
   * add: Significantly speed up adding lots of non-large files to git,
     by disabling the annex smudge filter when running git add.
   * add --force-small: Run git add rather than updating the index itself,

Command/Trust.hs

@@ -1,6 +1,6 @@
 {- git-annex command
  -
- - Copyright 2010, 2014 Joey Hess <id@joeyh.name>
+ - Copyright 2010-2021 Joey Hess <id@joeyh.name>
  -
  - Licensed under the GNU AGPL version 3 or higher.
  -}
@@ -9,6 +9,7 @@ module Command.Trust where
 
 import Command
 import qualified Remote
+import qualified Annex
 import Types.TrustLevel
 import Logs.Trust
 import Logs.Group
@@ -29,8 +30,11 @@ trustCommand c level = withWords (commandAction . start)
 		let name = unwords ws
 		u <- Remote.nameToUUID name
 		let si = SeekInput ws
-		starting c (ActionItemOther (Just name)) si (perform u)
-	perform uuid = do
+		starting c (ActionItemOther (Just name)) si (perform name u)
+	perform name uuid = do
+		when (level >= Trusted) $
+			unlessM (Annex.getState Annex.force) $
+				giveup $ trustedNeedsForce name
 		trustSet uuid level
 		when (level == DeadTrusted) $
 			groupSet uuid S.empty
@@ -38,3 +42,14 @@ trustCommand c level = withWords (commandAction . start)
 		when (l /= level) $
 			warning $ "This remote's trust level is overridden to " ++ showTrustLevel l ++ "."
 		next $ return True
+
+trustedNeedsForce :: String -> String
+trustedNeedsForce name = unlines
+	[ "Trusting a repository can lead to data loss."
+	, ""
+	, "If you're sure you know what you're doing, use --force to"
+	, "make this take effect."
+	, ""
+	, "If you choose to do so, bear in mind that any time you drop"
+	, "content from " ++ name ++ ", you will risk losing data."
+	]

doc/git-annex-trust.mdwn

@@ -14,6 +14,13 @@ content. Use with care.
 Repositories can be specified using their remote name, their
 description, or their UUID. To trust the current repository, use "here".
 
+Before trusting a repository, consider this scenario. Repository A
+is trusted and B is not; both contain the same content. `git-annex drop`
+is run on repository A, which checks that B still contains the content,
+and so the drop proceeds. Then `git-annex drop` is run on repository B,
+which trusts A to still contain the content, so the drop succeeds. Now
+the content has been lost.
+
 # SEE ALSO
 
 [[git-annex]](1)