inheritable annex.securehashesonly

* init: When annex.securehashesonly has been set with git-annex config,
  copy that value to the annex.securehashesonly git config.
* config --set: As well as setting value in git-annex branch,
  set local gitconfig. This is needed especially for
  annex.securehashesonly, which is read only from local gitconfig and not
  the git-annex branch.

doc/todo/sha1_collision_embedding_in_git-annex_keys.mdwn has the
rationalle for doing it this way. There's no perfect solution; this
seems to be the least-bad one.

This commit was supported by the NSF-funded DataLad project.

1 files changed, 6 insertions, 8 deletions

diff --git a/doc/tips/using_signed_git_commits.mdwn b/doc/tips/using_signed_git_commits.mdwn
index 7b1c07edf..c02d2cbac 100644
--- a/doc/tips/using_signed_git_commits.mdwn
+++ b/doc/tips/using_signed_git_commits.mdwn
@@ -12,16 +12,14 @@ You need git-annex 6.20170228. Upgrade if you don't have it.
 
 git-annex can use many types of [[backends]] and not all of them are
 secure. So, you need to configure git-annex to only use
-cryptographically secure hashes. Also, let's make sure annex.verify
-is set (it is by default, but let's override any global gitconfig setting
-for it).
+cryptographically secure hashes.
 
-	git config annex.securehashesonly true
-	git config annex.verify true
+	git annex config --set annex.securehashesonly true
+
+Each new clone of the repository will then inherit that configuration.
+But, any existing clones will not, so this should be run in them:
 
-That needs to be run in every clone of the repository. This will prevent
-any annexed object using an insecure hash from reaching your repository,
-and it will verify the hashes when transferring objects.
+	git config annex.securehashesonly true
 
 It's important that all commits to the git repository are signed.
 Use `git commit --gpg-sign`, or enable the commit.gpgSign configuration.