summaryrefslogtreecommitdiff
path: root/doc/todo/Untrusted_push_in_Monotone.mdwn
blob: a8b1cd7c4da4c60fb7c0148bb6253ff00d0e7eea (plain)

As noted in [[tips/untrusted_git_push]] an untrusted push capability was added recently, but only implemented in git. (See also [[todo/rcs_updates_needed]])

This note describes (but does not implement) an approach for this with the [[rcs/monotone]] rcs backend.


Monotone behaves a little differently to git in its networking. Git allows anyone to try to push, and then check whether it is ok before finally accepting it. Monotone has no way to accept or reject revisions in this way. However, monotone does have the ability to mark revisions, and to ignore unmarked revisions.

This marking capability can be used to achieve a somewhat similar effect to what happens with git. The problem with this is that anyone could put anything into the monotone database, and while this wouldn't affect ikiwiki, it seems bad to leave open, untrusted storage on the web.

The Plan

In the note_netsync_revision_received hook in the monotone server, have the server check to make sure that either a) the revision is signed by someone trusted or, b) the revision is checked using the same hook that git uses in pre-receive. If the revision passes the ikiwiki pre-receive check then the monotone hook signs the revision. This gives that revision the 'ikiwiki seal of approval'.

You'll also want to update the monotone trust hooks to only trust revisions signed by trusted people, or ikiwiki.

Now anyone can upload a revision, but only those signed by a trusted person, or which pass the ikiwiki check and so get signed by the ikiwiki key, will be seen by ikiwiki.