autoenable security for compute special remote

Added annex.security.autoenable-compute-programs and only allow
autoenabling special remotes that use compute programs on that list.

The reason this is needed is a user might have some compute programs
that are less safe to use than others. They might want to use an unsafe
one only with one repository, where they are the only committer or other
committers are trusted. They might be ok with others being used by any
repository, and if so they can add them to the list.

Another reason would be a user who has installed a compute program by
accident. E.g., it might be included with git-annex at some point, or
pulled in by some dependency. That user doesn't necessarily want that
compute program to be used in an autoenabled special remote.
Joey Hess 2025-03-03 15:47:09 -04:00
parent 89bfeada87
commit f32d2aecce
GPG key ID: DB12DB0FF05F8F38
6 changed files with 36 additions and 7 deletions


@ -23,6 +23,7 @@ module Remote.Compute (
) where
import Annex.Common
import qualified Annex
import Types.Remote
import Types.ProposedAccepted
import Types.MetaData
@ -118,8 +119,23 @@ gen r u rc gc rs = case getComputeProgram' rc of
}
setupInstance :: SetupStage -> Maybe UUID -> Maybe CredPair -> RemoteConfig -> RemoteGitConfig -> Annex (RemoteConfig, UUID)
setupInstance _ mu _ c _ = do
setupInstance ss mu _ c _ = do
ComputeProgram program <- either giveup return $ getComputeProgram' c
case ss of
AutoEnable _ -> do
l <- maybe [] words
. annexAutoEnableComputePrograms
<$> Annex.getGitConfig
unless (program `elem` l) $ do
let remotename = fromMaybe "(unknown)" (lookupName c)
giveup $ unwords
[ "Not auto-enabling compute special remote"
, remotename
, "because its compute program"
, program
, " is not listed in annex.security.autoenable-compute-programs"
]
_ -> noop
unlessM (liftIO $ inSearchPath program) $
giveup $ "Cannot find " ++ program ++ " in PATH"
u <- maybe (liftIO genUUID) return mu
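Review bot: the last element of the `unwords` list in the new error message, `" is not listed in annex.security.autoenable-compute-programs"`, carries a leading space, so the rendered message has a double space after the program name; drop that leading space, since `unwords` already inserts the separators. A short comment at the `AutoEnable _` branch would also help, stating that the allow-list is deliberately consulted only when autoenabling (every other `SetupStage` falls through to `_ -> noop`, so an explicitly enabled remote may still use an unlisted program), and that `annexAutoEnableComputePrograms` is split with `words`, so the config value is a whitespace-separated list and a program name containing spaces cannot be listed; both points belong in the documentation of the new `annex.security.autoenable-compute-programs` setting as well.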