author Joey Hess <joey@kitenet.net> 2014-01-02 13:23:58 -0400
committer Joey Hess <joey@kitenet.net> 2014-01-02 13:23:58 -0400
commit c5791f7918667d93f5ac1e96183e8ed539881691
tree 286a2902d932196de3e629b6d9c8480eff9a7795 /doc
parent 434a8098037574ddd83e09bbf82a9d5b27181b8e
Diffstat (limited to 'doc')
-rw-r--r-- doc/todo/untracked_remotes.mdwn 18
1 files changed, 18 insertions, 0 deletions
diff --git a/doc/todo/untracked_remotes.mdwn b/doc/todo/untracked_remotes.mdwn
index 883b5acff..f538c7560 100644
--- a/doc/todo/untracked_remotes.mdwn
+++ b/doc/todo/untracked_remotes.mdwn
@@ -7,3 +7,21 @@ developers don't care to know about one-another's systems.
It seems that such an untracked repository would need to automatically
consider itself untrusted. Is that enough to avoid losing data?
+
+> [[done]]; set remote.<name>.annex-readonly=true to prevent
+> git-annex from pushing changes to the remote, or modifying the contents
+> of the remote in any way.
+>
+> Note that I am intentionally not making this feature be about security.
+> The remote can still tell if you're connecting to it, and indeed if it
+> really wants to, and git-annex-shell is being used on the remote, it can
+> determine your local repository's uuid.
+>
+> This allows for some complicated setups. For example, a public repository
+> P can be a readonly remote of a clone on your laptop L, and L in turn has
+> another, non-readonly remote D on a removable drive. This allows L and D
+> to keep track of which files one-another have, without leaking this info
+> to P. But note that if L adds P as a remote, it also has to mark it
+> readonly, to avoid leaking data.
+>
+> --[[Joey]]
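
Review bot: In the last added paragraph, the caveat "if L adds P as a remote, it also has to mark it readonly" repeats the setup given two sentences earlier, where P is already a readonly remote of L. If the caveat is meant for D, or for any other clone that later adds P, name that repository; as written the example does not say which additional remote needs the setting. The reply also leaves the question in the context lines open: it does not say whether a remote with annex-readonly set is treated as untrusted, so "Is that enough to avoid losing data?" is still unanswered. Finally, the second paragraph says the feature is intentionally not about security while the third relies on it to avoid "leaking this info to P"; one sentence separating what the setting withholds (git-annex does not push changes to the remote) from what the remote can still observe (the connection and, when git-annex-shell is used, the local repository's uuid) would keep readers from treating it as a confidentiality control.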