Behavior change: --trust-glacier option no longer overrides trust

Since that can lead to data loss, which should never be enabled by an option other than --force. This commit was sponsored by Jake Vosloo on Patreon.
2021-01-07 10:37:43 -04:00 · 2021-01-07 10:37:43 -04:00 · c8b1fa67b4
commit c8b1fa67b4
parent 2bf34fc17f
5 changed files with 12 additions and 22 deletions
--- a/6
+++ b/6
@ -10,9 +10,9 @@ git-annex (8.20201130) UNRELEASED; urgency=medium
    behavior, mincopies also needs to be set to 0.
  * Behavior change: git-annex trust now needs --force, since unconsidered
    use of trusted repositories can lead to data loss.
-  * Behavior change: --trust option no longer overrides trust, since
-    that can lead to data loss, which should never be enabled by an option
-    other than --force.
+  * Behavior change: --trust and --trust-glacier options no longer overrides
+    trust, since that can lead to data loss, which should never be enabled
+    by an option other than --force.
  * add: Significantly speed up adding lots of non-large files to git,
    by disabling the annex smudge filter when running git add.
  * add --force-small: Run git add rather than updating the index itself,
--- a/CmdLine/GitAnnex/Options.hs
+++ b/CmdLine/GitAnnex/Options.hs
@ -81,9 +81,9 @@ gitAnnexGlobalOptions = commonGlobalOptions ++
 		<> help "override default User-Agent"
 		<> hidden
 		)
-	, globalFlag (Annex.setFlag "trustglacier")
+	, globalFlag (toplevelWarning False "--trust-glacier no longer has any effect")
 		( long "trust-glacier"
-		<> help "Trust Amazon Glacier inventory"
+		<> help "deprecated, does not trust Amazon Glacier inventory"
 		<> hidden
 		)
 	, globalFlag (setdesktopnotify mkNotifyFinish)
--- a/Remote/Glacier.hs
+++ b/Remote/Glacier.hs
@ -1,6 +1,6 @@
 {- Amazon Glacier remotes.
 -
- - Copyright 2012-2020 Joey Hess <id@joeyh.name>
+ - Copyright 2012-2021 Joey Hess <id@joeyh.name>
 -
 - Licensed under the GNU AGPL version 3 or higher.
 -}
@ -23,7 +23,6 @@ import Remote.Helper.ExportImport
 import qualified Remote.Helper.AWS as AWS
 import Creds
 import Utility.Metered
-import qualified Annex
 import Annex.UUID
 import Utility.Env
 import Types.ProposedAccepted
@ -233,8 +232,7 @@ checkKey r k = do
 		s <- liftIO $ readProcessEnv "glacier" (toCommand params) (Just e)
 		let probablypresent = serializeKey k `elem` lines s
 		if probablypresent
-			then ifM (Annex.getFlag "trustglacier")
-				( return True, giveup untrusted )
+			then giveup untrusted
 			else return False

 	params = glacierParams (config r)
@ -248,8 +246,6 @@ checkKey r k = do
 	untrusted = unlines
 			[ "Glacier's inventory says it has a copy."
 			, "However, the inventory could be out of date, if it was recently removed."
-			, "(Use --trust-glacier if you're sure it's still in Glacier.)"
-			, ""
 			]

 glacierAction :: Remote -> [CommandParam] -> Annex Bool
--- a/doc/git-annex.mdwn
+++ b/doc/git-annex.mdwn
@ -813,14 +813,9 @@ may not be explicitly listed on their individual man pages.

 * `--trust-glacier`

-  Amazon Glacier inventories take hours to retrieve, and may not represent
-  the current state of a repository. So git-annex does not trust that
-  files that the inventory claims are in Glacier are really there.
-  This switch can be used to allow it to trust the inventory.
-
-  Be careful using this, especially if you or someone else might have recently
-  removed a file from Glacier. If you try to drop the only other copy of the
-  file, and this switch is enabled, you could lose data!
+  This used to override trust settings for Glacier special remotes,
+  but now will not do so, because it could lead to data loss,
+  and data loss is now only enabled when using the `--force` option.

 * `--backend=name`

--- a/doc/tips/using_Amazon_Glacier.mdwn
+++ b/doc/tips/using_Amazon_Glacier.mdwn
@ -59,13 +59,12 @@ So, git-annex plays it safe, and avoids trusting the inventory:
 	drop important_file (gpg) (checking glacier...)
 	  Glacier's inventory says it has a copy.
 	  However, the inventory could be out of date, if it was recently removed.
-	  (Use --trust-glacier if you're sure it's still in Glacier.)
 	
 	(unsafe) 
 	  Could only verify the existence of 0 out of 1 necessary copies

-Like it says, you can use `--trust-glacier` if you're sure
-Glacier's inventory is correct and up-to-date.
+To avoid this problem, you can either use `git annex move` to move
+content to Glacier, or you can set the remote to be [[trusted]].

 A final potential gotcha with Glacier is that glacier-cli keeps a local
 mapping of file names to Glacier archives. If this cache is lost, or