added annex.secure-erase-command config option.

Annex/Content.hs

@@ -377,6 +377,7 @@ removeAnnex :: Key -> Annex ()
 removeAnnex key = withObjectLoc key remove removedirect
   where
 	remove file = cleanObjectLoc key $ do
+		secureErase file
 		liftIO $ nukeFile file
 		removeInodeCache key
 	removedirect fs = do
@@ -389,8 +390,19 @@ removeAnnex key = withObjectLoc key remove removedirect
 		cwd <- liftIO getCurrentDirectory
 		let top' = fromMaybe top $ absNormPath cwd top
 		let l' = relPathDirToFile top' (fromMaybe l $ absNormPath top' l)
+		secureErase f
 		replaceFile f $ makeAnnexLink l'
 
+{- Runs the secure erase command if set, otherwise does nothing.
+ - File may or may not be deleted at the end; caller is responsible for
+ - making sure it's deleted. -}
+secureErase :: FilePath -> Annex ()
+secureErase file = maybe noop go =<< annexSecureEraseCommand <$> Annex.getGitConfig
+  where
+  	go basecmd = void $ liftIO $
+		boolSystem "sh" [Param "-c", Param $ gencmd basecmd]
+	gencmd = massReplace [ ("%file", shellEscape file) ]
+
 {- Moves a key's file out of .git/annex/objects/ -}
 fromAnnex :: Key -> FilePath -> Annex ()
 fromAnnex key dest = cleanObjectLoc key $ do

Types/GitConfig.hs

@@ -48,6 +48,7 @@ data GitConfig = GitConfig
 	, annexFsckNudge :: Bool
 	, annexAutoUpgrade :: AutoUpgrade
 	, annexExpireUnused :: Maybe (Maybe Duration)
+	, annexSecureEraseCommand :: Maybe String
 	, coreSymlinks :: Bool
 	, gcryptId :: Maybe String
 	}
@@ -79,6 +80,7 @@ extractGitConfig r = GitConfig
 	, annexAutoUpgrade = toAutoUpgrade $ getmaybe (annex "autoupgrade")
 	, annexExpireUnused = maybe Nothing Just . parseDuration
 		<$> getmaybe (annex "expireunused")
+	, annexSecureEraseCommand = getmaybe (annex "secure-erase-command")
 	, coreSymlinks = getbool "core.symlinks" True
 	, gcryptId = getmaybe "core.gcrypt-id"
 	}

debian/changelog

@@ -29,6 +29,7 @@ git-annex (5.20140118) UNRELEASED; urgency=medium
     contents when a lot of them seem to be piling up in the repository.
   * repair: Check git version at run time.
   * assistant: Run the periodic git gc in batch mode.
+  * added annex.secure-erase-command config option.
   * test suite: Use tasty-rerun, and expose tasty command-line options.
 
  -- Joey Hess <joeyh@debian.org>  Sat, 18 Jan 2014 11:54:17 -0400

doc/git-annex.mdwn

@@ -1427,8 +1427,16 @@ Here are all the supported configuration settings.
 
   In the command line, %url is replaced with the url to download,
   and %file is replaced with the file that it should be saved to.
-  Note that both these values will automatically be quoted, since
-  the command is run in a shell.
+
+* `annex.secure-erase-command`
+
+  This can be set to a command that should be run whenever git-annex
+  removes the content of a file from the repository.
+
+  In the command line, %file is replaced with the file that should be
+  erased.
+
+  For example, to use the wipe command, set it to `wipe -f %file`
 
 * `remote.<name>.rsyncurl`