The safety of fat-store directory using git-fat

[pengyu]

How secure is it to use git-fat with other people to manage the repository. In particular, it seems that everybody should have write access to the some fat-store directory. So anyone is able to delete something from fat-store? Is there something like pull request that allows each person has it own fat-store directory, yet allow pulling changes from others' fat-store directories?

[jedbrown]

This is a filesystem issue, not a git-fat issue. (From a security perspective, it doesn't matter whether git-fat has an interface, it matters whether the underlying protocol and permissions system supports that operation.) If you would like to prevent other people from deleting your files, you can set the sticky bit. I don't want git-fat to need a custom server (too complicated and more surface area to secure).

[pengyu]

Would it be better to somehow allow something like pull request so that each one has its own fat-store repository? If everyone relies on a central fat-store repository, this sounds like not consistent with git's decentralization philosophy. Since git-fat is closely related with git, it is better to make it consistent with git in this aspect.

[jedbrown]

This is a separate issue and the reason I want git-fat to have named remotes. We have discussed it a few times.

[pengyu]

OK. When do you think the named remote feature will be added?

[jedbrown]

I can't promise a date, but see PR #28 for recent discussion.