inheritable annex.securehashesonly
* init: When annex.securehashesonly has been set with git-annex config, copy that value to the annex.securehashesonly git config.
* config --set: As well as setting value in git-annex branch, set local gitconfig. This is needed especially for annex.securehashesonly, which is read only from local gitconfig and not the git-annex branch.

doc/todo/sha1_collision_embedding_in_git-annex_keys.mdwn has the rationale for doing it this way. There's no perfect solution; this seems to be the least-bad one.

This commit was supported by the NSF-funded DataLad project.
parent
6e0e7d885c
commit
e53070c1ff
7 changed files with 51 additions and 10 deletions
|
@ -12,16 +12,14 @@ You need git-annex 6.20170228. Upgrade if you don't have it.
|
|||
|
||||
git-annex can use many types of [[backends]] and not all of them are
|
||||
secure. So, you need to configure git-annex to only use
|
||||
cryptographically secure hashes. Also, let's make sure annex.verify
|
||||
is set (it is by default, but let's override any global gitconfig setting
|
||||
for it).
|
||||
cryptographically secure hashes.
|
||||
|
||||
git annex config --set annex.securehashesonly true
|
||||
|
||||
Each new clone of the repository will then inherit that configuration.
|
||||
But, any existing clones will not, so this should be run in them:
|
||||
|
||||
git config annex.securehashesonly true
|
||||
git config annex.verify true
|
||||
|
||||
That needs to be run in every clone of the repository. This will prevent
|
||||
any annexed object using an insecure hash from reaching your repository,
|
||||
and it will verify the hashes when transferring objects.
|
||||
|
||||
It's important that all commits to the git repository are signed.
|
||||
Use `git commit --gpg-sign`, or enable the commit.gpgSign configuration.
|
||||
|
|
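Review bot: In the paragraph after `git annex config --set annex.securehashesonly true`, the sentence "Each new clone of the repository will then inherit that configuration" should say when the inheritance happens. Per the commit message the value is copied into the local gitconfig at init and is read only from local gitconfig, so a clone that was initialized before the setting was made stays unprotected until someone runs `git config annex.securehashesonly true` in it. Consider adding a line telling readers to confirm the value with `git config annex.securehashesonly` in each clone. Also, the closing sentence still promises "it will verify the hashes when transferring objects"; if the `git config annex.verify true` line and the introductory sentence about overriding a global gitconfig are being dropped, that claim rests on the default alone, so either keep the command or reword the sentence.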