author    Joey Hess <joeyh@joeyh.name>  2017-02-27 16:08:16 -0400
committer Joey Hess <joeyh@joeyh.name>  2017-02-27 16:08:23 -0400
commit    025b8102e5741f437e970eb29593ced31b0554e4 (patch)
tree      9c6d4376dfd3740c4c0f902bae6015278b23d0b0
parent    acaaf842b5afbf3e6d0c0095cbe15699ab2419d3 (diff)
inheritable annex.securehashesonly
* init: When annex.securehashesonly has been set with git-annex config,
  copy that value to the annex.securehashesonly git config.
* config --set: As well as setting value in git-annex branch,
  set local gitconfig. This is needed especially for
  annex.securehashesonly, which is read only from local gitconfig and not
  the git-annex branch.

doc/todo/sha1_collision_embedding_in_git-annex_keys.mdwn has the
rationale for doing it this way. There's no perfect solution; this seems
to be the least-bad one.

This commit was supported by the NSF-funded DataLad project.
-rw-r--r-- Annex/Init.hs                                           | 13
-rw-r--r-- CHANGELOG                                               |  6
-rw-r--r-- Command/Config.hs                                       |  3
-rw-r--r-- doc/git-annex-config.mdwn                               | 17
-rw-r--r-- doc/git-annex.mdwn                                      |  3
-rw-r--r-- doc/tips/using_signed_git_commits.mdwn                  | 14
-rw-r--r-- doc/todo/sha1_collision_embedding_in_git-annex_keys.mdwn |  5
7 files changed, 51 insertions, 10 deletions
diff --git a/Annex/Init.hs b/Annex/Init.hs
index 3427c0049..53fbe35f2 100644
--- a/Annex/Init.hs
+++ b/Annex/Init.hs
@@ -1,6 +1,6 @@
{- git-annex repository initialization
-
- - Copyright 2011-2016 Joey Hess <id@joeyh.name>
+ - Copyright 2011-2017 Joey Hess <id@joeyh.name>
-
- Licensed under the GNU GPL version 3 or higher.
-}
@@ -26,6 +26,7 @@ import qualified Git.Objects
import qualified Annex.Branch
import Logs.UUID
import Logs.Trust.Basic
+import Logs.Config
import Types.TrustLevel
import Annex.Version
import Annex.Difference
@@ -110,6 +111,7 @@ initialize' mversion = do
, unlessM isBareRepo
switchHEADBack
)
+ propigateSecureHashesOnly
createInodeSentinalFile False
uninitialize :: Annex ()
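Review bot: the new call `propigateSecureHashesOnly` is misspelled; `propagateSecureHashesOnly` would match the standard spelling and make the function easier to find later. The identifier appears only in this file (the call here and the definition added further down), so the rename is local to this patch.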
@@ -257,3 +259,12 @@ initSharedClone True = do
u <- getUUID
trustSet u UnTrusted
setConfig (annexConfig "hardlink") (Git.Config.boolConfig True)
+
+{- Propigate annex.securehashesonly from then global config to local
+ - config. This makes a clone inherit a parent's setting, but once
+ - a repository has a local setting, changes to the global config won't
+ - affect it. -}
+propigateSecureHashesOnly :: Annex ()
+propigateSecureHashesOnly =
+ maybe noop (setConfig (ConfigKey "annex.securehashesonly"))
+ =<< getGlobalConfig "annex.securehashesonly"
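Review bot: the comment says that once a repository has a local setting, changes to the global config won't affect it, but nothing in this hunk guards against an existing local value: `propigateSecureHashesOnly` calls `setConfig (ConfigKey "annex.securehashesonly")` whenever the git-annex branch has a value, so any later run of `initialize'` in an already-initialized repository replaces the local value with whatever is currently in the branch, including a value that turns the restriction off. Consider reading the local key first and only copying the branch value when none is set, or state in the comment that re-running init re-propagates. Also, "from then global config" should read "from the global config".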
diff --git a/CHANGELOG b/CHANGELOG
index d301db75f..c7b3b9723 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -12,6 +12,8 @@ git-annex (6.20170215) UNRELEASED; urgency=medium
backend.
* fsck: Warn about any files whose content is present, that don't
use secure hashes, when annex.securehashesonly is set.
+ * init: When annex.securehashesonly has been set with git-annex config,
+ copy that value to the annex.securehashesonly git config.
* Added --securehash option to match files using a secure hash function,
and corresponding securehash preferred content expression.
* sync, merge: Fail when the current branch has no commits yet, instead
@@ -50,6 +52,10 @@ git-annex (6.20170215) UNRELEASED; urgency=medium
* Removed support for building with the old cryptohash library.
Building with that library made git-annex not support SHA3; it's time
for that to always be supported in case SHA2 dominoes.
+ * config --set: As well as setting value in git-annex branch,
+ set local gitconfig. This is needed especially for
+ annex.securehashesonly, which is read only from local gitconfig and not
+ the git-annex branch.
-- Joey Hess <id@joeyh.name> Tue, 14 Feb 2017 15:54:25 -0400
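Review bot: a small wording point in the new entry: "As well as setting value in git-annex branch" reads better as "As well as setting the value in the git-annex branch", matching the phrasing of the surrounding entries.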
diff --git a/Command/Config.hs b/Command/Config.hs
index c9b6a7b0b..5da196044 100644
--- a/Command/Config.hs
+++ b/Command/Config.hs
@@ -9,6 +9,7 @@ module Command.Config where
import Command
import Logs.Config
+import Config
cmd :: Command
cmd = noMessages $ command "config" SectionSetup
@@ -52,12 +53,14 @@ seek (SetConfig name val) = commandAction $ do
showStart name val
next $ next $ do
setGlobalConfig name val
+ setConfig (ConfigKey name) val
return True
seek (UnsetConfig name) = commandAction $ do
allowMessages
showStart name "unset"
next $ next $ do
unsetGlobalConfig name
+ unsetConfig (ConfigKey name)
return True
seek (GetConfig name) = commandAction $ do
mv <- getGlobalConfig name
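Review bot: `setConfig (ConfigKey name) val` and `unsetConfig (ConfigKey name)` are applied for every key passed to `config --set`/`--unset`, not only `annex.securehashesonly`, which is the case the commit message gives as the motivation. The documentation in git-annex-config.mdwn says these settings "can be overridden on a per-repository basis", so writing the local gitconfig here silently replaces any such per-repository override in the repository where the command is run. Consider limiting the local write to keys that are only read from gitconfig, or at least documenting in git-annex-config.mdwn that `--set` now also changes the local repository's gitconfig.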
diff --git a/doc/git-annex-config.mdwn b/doc/git-annex-config.mdwn
index dd29055b8..8b505cde3 100644
--- a/doc/git-annex-config.mdwn
+++ b/doc/git-annex-config.mdwn
@@ -36,6 +36,23 @@ These settings can be overridden on a per-repository basis using
Set to true to make git-annex sync default to syncing content.
+* `annex.securehashesonly`
+
+ Set to true to indicate that the repository should only use
+ cryptographically secure hashes
+ (SHA2, SHA3) and not insecure hashes (MD5, SHA1) for content.
+
+ When this is set, the contents of files using cryptographically
+ insecure hashes will not be allowed to be added to the repository.
+
+ Also, git-annex fsck` will complain about any files present in
+ the repository that use insecure hashes.
+
+ Note that this is only read from the git-annex branch by
+ `git annex init`, and is copied to the corresponding git config setting.
+ So, changes to the value in the git-annex branch won't affect a
+ repository once it has been initialized.
+
# EXAMPLE
Suppose you want to prevent git annex sync from committing changes
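Review bot: the line "Also, git-annex fsck` will complain" has an unbalanced backtick; it should read "`git-annex fsck` will complain". The same unbalanced form already appears in doc/git-annex.mdwn, so the two descriptions may have been copied from one source. Separately, "will not be allowed to be added to the repository" could be tightened to "cannot be added to the repository".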
diff --git a/doc/git-annex.mdwn b/doc/git-annex.mdwn
index 2f7635f41..e38d31eaa 100644
--- a/doc/git-annex.mdwn
+++ b/doc/git-annex.mdwn
@@ -840,6 +840,9 @@ Here are all the supported configuration settings.
Also, git-annex fsck` will complain about any files present in
the repository that use insecure hashes.
+
+ To configure the behavior in new clones of the repository,
+ this can be set in [[git-annex-config]].
* `annex.diskreserve`
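Review bot: the context line "Also, git-annex fsck` will complain" in this hunk has an unbalanced backtick (missing before `git-annex`). Since the hunk already edits the lines directly below it, this is a good place to fix it to "`git-annex fsck`".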
diff --git a/doc/tips/using_signed_git_commits.mdwn b/doc/tips/using_signed_git_commits.mdwn
index 7b1c07edf..c02d2cbac 100644
--- a/doc/tips/using_signed_git_commits.mdwn
+++ b/doc/tips/using_signed_git_commits.mdwn
@@ -12,16 +12,14 @@ You need git-annex 6.20170228. Upgrade if you don't have it.
git-annex can use many types of [[backends]] and not all of them are
secure. So, you need to configure git-annex to only use
-cryptographically secure hashes. Also, let's make sure annex.verify
-is set (it is by default, but let's override any global gitconfig setting
-for it).
+cryptographically secure hashes.
- git config annex.securehashesonly true
- git config annex.verify true
+ git annex config --set annex.securehashesonly true
+
+Each new clone of the repository will then inherit that configuration.
+But, any existing clones will not, so this should be run in them:
-That needs to be run in every clone of the repository. This will prevent
-any annexed object using an insecure hash from reaching your repository,
-and it will verify the hashes when transferring objects.
+ git config annex.securehashesonly true
It's important that all commits to the git repository are signed.
Use `git commit --gpg-sign`, or enable the commit.gpgSign configuration.
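Review bot: the removed text set `annex.verify true` and explained that this makes git-annex "verify the hashes when transferring objects"; the replacement drops both the setting and that explanation without saying why it is no longer needed. The old text noted the reason was to override any global gitconfig setting for `annex.verify`, and that reason still holds after this change, so a reader following the new instructions with a global `annex.verify false` would lose transfer-time verification while believing the tip's protection is complete. Either keep the `git config annex.verify true` line and its one-sentence rationale, or add a sentence stating that the default is relied upon and why a global override is not a concern here.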
diff --git a/doc/todo/sha1_collision_embedding_in_git-annex_keys.mdwn b/doc/todo/sha1_collision_embedding_in_git-annex_keys.mdwn
index 2f345a088..37da39a8d 100644
--- a/doc/todo/sha1_collision_embedding_in_git-annex_keys.mdwn
+++ b/doc/todo/sha1_collision_embedding_in_git-annex_keys.mdwn
@@ -3,6 +3,8 @@ that it could be used for a SHA1 collision attack. So, a signed git commit
could point to a tree with such a key in it, and the blob for the key could
have two versions with the same SHA1.
+> All issues below are [[done]] --[[Joey]]
+
Users who want to use git-annex with signed commits to mitigate git's own
SHA1 insecurities would like at least a way to disable the insecure
git-annex backends:
@@ -82,7 +84,8 @@ Or, we can document this gotcha.
> > change their behavior, although new ones will. That's a mixed
> > blessing; it makes it harder to switch an existing repo to disallowing
> > SHA1/URL/WORM, but an accidental/malicious re-enabling won't affect
-> > clones made while it was disabled.
+> > clones made while it was disabled.
+> > > This is done now.
> >
> > Could a repository be configured to either always disallow
> > SHA1/URL/WORM, or always allow them, and then not let that be changed?