inheritable annex.securehashesonly

* init: When annex.securehashesonly has been set with git-annex config,
  copy that value to the annex.securehashesonly git config.
* config --set: As well as setting value in git-annex branch,
  set local gitconfig. This is needed especially for
  annex.securehashesonly, which is read only from local gitconfig and not
  the git-annex branch.

doc/todo/sha1_collision_embedding_in_git-annex_keys.mdwn has the
rationalle for doing it this way. There's no perfect solution; this
seems to be the least-bad one.

This commit was supported by the NSF-funded DataLad project.

1 files changed, 17 insertions, 0 deletions

diff --git a/doc/git-annex-config.mdwn b/doc/git-annex-config.mdwn
index dd29055b8..8b505cde3 100644
--- a/doc/git-annex-config.mdwn
+++ b/doc/git-annex-config.mdwn
@@ -36,6 +36,23 @@ These settings can be overridden on a per-repository basis using
 
   Set to true to make git-annex sync default to syncing content.
 
+* `annex.securehashesonly`
+
+  Set to true to indicate that the repository should only use
+  cryptographically secure hashes 
+  (SHA2, SHA3) and not insecure hashes (MD5, SHA1) for content.
+
+  When this is set, the contents of files using cryptographically
+  insecure hashes will not be allowed to be added to the repository.
+
+  Also, git-annex fsck` will complain about any files present in
+  the repository that use insecure hashes.
+
+  Note that this is only read from the git-annex branch by
+  `git annex init`, and is copied to the corresponding git config setting. 
+  So, changes to the value in the git-annex branch won't affect a
+  repository once it has been initialized.
+
 # EXAMPLE
 
 Suppose you want to prevent git annex sync from committing changes