GIT_ANNEX_SHELL_APPENDONLY

Makes it allow writes, but not deletion of annexed content. Note that securing pushes to the git repository is left up to the user. This commit was sponsored by Jack Hill on Patreon.
2018-05-25 13:17:56 -04:00 · 2018-05-25 13:17:56 -04:00 · 85f9360d9b
commit 85f9360d9b
parent 0003109f5d
7 changed files with 120 additions and 50 deletions
--- a/doc/git-annex-shell.mdwn
+++ b/doc/git-annex-shell.mdwn
@ -139,6 +139,19 @@ changed.

  If set, disallows running git-shell to handle unknown commands.

+* GIT_ANNEX_SHELL_APPENDONLY
+
+  If set, allows data to be written to the git-annex repository,
+  but does not allow data to be removed from it.
+
+  Note that this does not prevent passing commands on to git-shell,
+  so you will have to separately configure git to reject pushes that
+  overwrite branches or are otherwise not appends. The git pre-receive
+  hook may be useful for accomplishing this.
+
+  It's a good idea to enable annex.securehashesonly in a repository
+  that's set up this way.
+
 * GIT_ANNEX_SHELL_DIRECTORY

  If set, git-annex-shell will refuse to run commands that do not operate
--- a/doc/todo/append-only_mode.mdwn
+++ b/doc/todo/append-only_mode.mdwn
@ -26,3 +26,22 @@ it wouldn't overwrite an existing bit of content without first doing a
 checksum?

 Thanks! -- [[anarcat]]
+
+> Good idea.. Implemented. 
+> 
+> I'm not entirely happy with the name, but could not think of
+> a better one.
+> 
+> Yes, `recvkey` will never overwrite content already in the annex,
+> and unless you turn off annex.verify, hashes will also be checked
+> before letting anything into the annex.
+> 
+> Of course, if non-hashed keys are used, and an object has not
+> reached the repository yet from a trusted source, an attacker
+> could slip in something malicious without being noticed.
+> Setting annex.securehashesonly would be a good idea to prevent this.
+> 
+> p2pstdio implements the same security policies as the rest of
+> git-annex-shell.
+> 
+> --[[Joey]]