added annex.secure-erase-command config option.

4 files changed, 25 insertions, 2 deletions

diff --git a/Annex/Content.hs b/Annex/Content.hs
index 316f05be0..7cd2fb561 100644
--- a/Annex/Content.hs
+++ b/Annex/Content.hs
@@ -377,6 +377,7 @@ removeAnnex :: Key -> Annex ()
 removeAnnex key = withObjectLoc key remove removedirect
   where
 	remove file = cleanObjectLoc key $ do
+		secureErase file
 		liftIO $ nukeFile file
 		removeInodeCache key
 	removedirect fs = do
@@ -389,8 +390,19 @@ removeAnnex key = withObjectLoc key remove removedirect
 		cwd <- liftIO getCurrentDirectory
 		let top' = fromMaybe top $ absNormPath cwd top
 		let l' = relPathDirToFile top' (fromMaybe l $ absNormPath top' l)
+		secureErase f
 		replaceFile f $ makeAnnexLink l'
 
+{- Runs the secure erase command if set, otherwise does nothing.
+ - File may or may not be deleted at the end; caller is responsible for
+ - making sure it's deleted. -}
+secureErase :: FilePath -> Annex ()
+secureErase file = maybe noop go =<< annexSecureEraseCommand <$> Annex.getGitConfig
+  where
+  	go basecmd = void $ liftIO $
+		boolSystem "sh" [Param "-c", Param $ gencmd basecmd]
+	gencmd = massReplace [ ("%file", shellEscape file) ]
+
 {- Moves a key's file out of .git/annex/objects/ -}
 fromAnnex :: Key -> FilePath -> Annex ()
 fromAnnex key dest = cleanObjectLoc key $ do
diff --git a/Types/GitConfig.hs b/Types/GitConfig.hs
index 148d73b93..fa0fdc65a 100644
--- a/Types/GitConfig.hs
+++ b/Types/GitConfig.hs
@@ -48,6 +48,7 @@ data GitConfig = GitConfig
 	, annexFsckNudge :: Bool
 	, annexAutoUpgrade :: AutoUpgrade
 	, annexExpireUnused :: Maybe (Maybe Duration)
+	, annexSecureEraseCommand :: Maybe String
 	, coreSymlinks :: Bool
 	, gcryptId :: Maybe String
 	}
@@ -79,6 +80,7 @@ extractGitConfig r = GitConfig
 	, annexAutoUpgrade = toAutoUpgrade $ getmaybe (annex "autoupgrade")
 	, annexExpireUnused = maybe Nothing Just . parseDuration
 		<$> getmaybe (annex "expireunused")
+	, annexSecureEraseCommand = getmaybe (annex "secure-erase-command")
 	, coreSymlinks = getbool "core.symlinks" True
 	, gcryptId = getmaybe "core.gcrypt-id"
 	}
diff --git a/debian/changelog b/debian/changelog
index 02624414f..f5a460545 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -29,6 +29,7 @@ git-annex (5.20140118) UNRELEASED; urgency=medium
     contents when a lot of them seem to be piling up in the repository.
   * repair: Check git version at run time.
   * assistant: Run the periodic git gc in batch mode.
+  * added annex.secure-erase-command config option.
   * test suite: Use tasty-rerun, and expose tasty command-line options.
 
  -- Joey Hess <joeyh@debian.org>  Sat, 18 Jan 2014 11:54:17 -0400
diff --git a/doc/git-annex.mdwn b/doc/git-annex.mdwn
index 3e239f7d6..59a322e38 100644
--- a/doc/git-annex.mdwn
+++ b/doc/git-annex.mdwn
@@ -1427,8 +1427,16 @@ Here are all the supported configuration settings.
 
   In the command line, %url is replaced with the url to download,
   and %file is replaced with the file that it should be saved to.
-  Note that both these values will automatically be quoted, since
-  the command is run in a shell.
+
+* `annex.secure-erase-command`
+
+  This can be set to a command that should be run whenever git-annex
+  removes the content of a file from the repository.
+
+  In the command line, %file is replaced with the file that should be
+  erased.
+
+  For example, to use the wipe command, set it to `wipe -f %file`
 
 * `remote.<name>.rsyncurl`