blob: 2297c4aca128938ba65d8924bf4fe413650dd6b0 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
|
IA.BAK and another project both need a way to let untrusted clients push
git-annex branch changes to a central server. It's desired to only
let a client make non-malicious pushes; a malicious client could screw
up a lot of info in the branch.
I propose adding a git-annex command that can be used in a git pre-receive
hook to do this. --[[Joey]]
There are two levels of checking it seems such a command could do:
1. Only allow certian files to be changed. For example, maye clients are only
expected to change location tracking files, and the activity.log
file, but not others like trust.log.
2. Only allow moidiciations of data about a specific UUID. The UUID
would be provided to the command (and could be determined based on a
per-client ssh key or etc).
The changes to the branch would be checked, so this needs centralized
knowledge about the format of each file on the branch. I think this
mostly exists already in Logs.hs.
Of these the second seems more likely to be useful, but the first would
be by far the easier to add. So, do both?
This might be too limiting for some situations:
* If someone has 2 clients, that are talking with one-another,
then a push would include changes involving the UUIDs of both clients.
The command could be given multiple UUIDs to allow, to allow
for these kinds of setups.
* A client might add a special remote somewhere, but this would need
changes to remote.log, which the first level of checking would not allow.
And, it would add another UUID, which the second level of checking would
need to be configured to allow.
|
