git-annex/doc/todo/append-only_mode.mdwn

The [[git-annex-shell]] wrapper allows the configuration of a readonly
repository (through the `GIT_ANNEX_READONLY` environment and friends)
but that is useful only when we want users to access the data and not
add to it.

It would be nice to have a *write-only* or "append-only" mode. My use
case is a backup server that would receive git-annex objects and
changes, but would forbid the client from deleting content on the
server. This is to protect contents from being destroyed (or encrypted
as is a common pattern with ransomware) by a compromised client.

There has been some discussions and work done to protect *branches* in
such a way, in
[[todo/git-hook_to_sanity-check_git-annex_branch_pushes]], and that
could help, but even with git hooks, a malicious client could still
drop content.

It seems to me this would require modifications to the
`git-annex-shell` wrapper to forbid certain operations like `dropkey`,
`lockcontent`, or `p2pstdio` although I'm unfamiliar with the last two
so I am not certain they could be harmful. Maybe `p2pstdio` itself
could be somewhat fixed to allow only append commands.

Is it fair to assume that `recvkey` is safe in this context, ie. that
it wouldn't overwrite an existing bit of content without first doing a
checksum?

Thanks! -- [[anarcat]]

> Good idea.. Implemented. 
> 
> I'm not entirely happy with the name, but could not think of
> a better one.
> 
> Yes, `recvkey` will never overwrite content already in the annex,
> and unless you turn off annex.verify, hashes will also be checked
> before letting anything into the annex.
> 
> Of course, if non-hashed keys are used, and an object has not
> reached the repository yet from a trusted source, an attacker
> could slip in something malicious without being noticed.
> Setting annex.securehashesonly would be a good idea to prevent this.
> 
> p2pstdio implements the same security policies as the rest of
> git-annex-shell.
> 
> --[[Joey]]