git.vger.kernel.org archive mirror
* Can I forbid somebody to pull some branch or tag from my repo with git protocol?
@ 2008-12-17  9:03 Emily Ren
  2008-12-17  9:09 ` Junio C Hamano
  2008-12-17 12:12 ` Johannes Schindelin
  0 siblings, 2 replies; 10+ messages in thread
From: Emily Ren @ 2008-12-17  9:03 UTC (permalink / raw)
  To: git

Hi,
I created a repository, and I don't want somebody to pull some branch
or tag from my repository with git protocol. How can I do that?

Thanks,
Emily


* Re: Can I forbid somebody to pull some branch or tag from my repo with git protocol?
  2008-12-17  9:03 Can I forbid somebody to pull some branch or tag from my repo with git protocol? Emily Ren
@ 2008-12-17  9:09 ` Junio C Hamano
  2008-12-17  9:15   ` Emily Ren
  2008-12-17 12:12 ` Johannes Schindelin
  1 sibling, 1 reply; 10+ messages in thread
From: Junio C Hamano @ 2008-12-17  9:09 UTC (permalink / raw)
  To: Emily Ren; +Cc: git

"Emily Ren" <lingyan.ren@gmail.com> writes:

> I created a repository, and I don't want somebody to pull some branch
> or tag from my repository with git protocol. How can I do that?

By not putting that tag or branch in that repository (note that you can
have a repository only to publish which is different from your main
working repository).
.


* Re: Can I forbid somebody to pull some branch or tag from my repo with git protocol?
  2008-12-17  9:09 ` Junio C Hamano
@ 2008-12-17  9:15   ` Emily Ren
  2008-12-17 11:53     ` Sverre Rabbelier
  2008-12-17 12:25     ` Johannes Schindelin
  0 siblings, 2 replies; 10+ messages in thread
From: Emily Ren @ 2008-12-17  9:15 UTC (permalink / raw)
  To: Junio C Hamano; +Cc: git

I want some group to be able to pull these branches or tags from my repo,
while others can't. Need I maintain two repositories?

On Wed, Dec 17, 2008 at 5:09 PM, Junio C Hamano <gitster@pobox.com> wrote:
> "Emily Ren" <lingyan.ren@gmail.com> writes:
>
>> I created a repository, and I don't want somebody to pull some branch
>> or tag from my repository with git protocol. How can I do that?
>
> By not putting that tag or branch in that repository (note that you can
> have a repository only to publish which is different from your main
> working repository).
> .
>


* Re: Can I forbid somebody to pull some branch or tag from my repo with git protocol?
  2008-12-17  9:15   ` Emily Ren
@ 2008-12-17 11:53     ` Sverre Rabbelier
  2008-12-17 12:35       ` Emily Ren
  2008-12-17 12:25     ` Johannes Schindelin
  1 sibling, 1 reply; 10+ messages in thread
From: Sverre Rabbelier @ 2008-12-17 11:53 UTC (permalink / raw)
  To: Emily Ren; +Cc: Git Mailinglist

On Wed, Dec 17, 2008 at 10:15, Emily Ren <lingyan.ren@gmail.com> wrote:
> I want some group to be able to pull these branches or tags from my repo,
> while others can't. Need I maintain two repositories?

I think gitosis should be able to do that? Otherwise you could look
into hosting sites like github or gitorious, I think they have at
least some form of access control, yes?

-- 
Cheers,

Sverre Rabbelier


* Re: Can I forbid somebody to pull some branch or tag from my repo with git protocol?
  2008-12-17  9:03 Can I forbid somebody to pull some branch or tag from my repo with git protocol? Emily Ren
  2008-12-17  9:09 ` Junio C Hamano
@ 2008-12-17 12:12 ` Johannes Schindelin
  1 sibling, 0 replies; 10+ messages in thread
From: Johannes Schindelin @ 2008-12-17 12:12 UTC (permalink / raw)
  To: Emily Ren; +Cc: git

Hi,

On Wed, 17 Dec 2008, Emily Ren wrote:

> I created a repository, and I don't want somebody to pull some branch or
> tag from my repository with git protocol. How can I do that?

Yes, it is easy: do not push it into that repository.

If you already did, delete it in that repository.

Ciao,
Dscho


* Re: Can I forbid somebody to pull some branch or tag from my repo with git protocol?
  2008-12-17  9:15   ` Emily Ren
  2008-12-17 11:53     ` Sverre Rabbelier
@ 2008-12-17 12:25     ` Johannes Schindelin
  2008-12-17 19:36       ` Junio C Hamano
  1 sibling, 1 reply; 10+ messages in thread
From: Johannes Schindelin @ 2008-12-17 12:25 UTC (permalink / raw)
  To: Emily Ren; +Cc: Junio C Hamano, git

Hi,

On Wed, 17 Dec 2008, Emily Ren wrote:

> I want some group to be able to pull these branches or tags from my repo,
> while others can't. Need I maintain two repositories?

Either that (that would be the easy method, and also the proper one, since 
people would not even know what you hide), but you could patch 
upload-pack so that it runs a hook with the rev-list arguments in 
do_rev_list() in upload-pack.c, and die() if the hook returns non-zero.

Ciao,
Dscho


* Re: Can I forbid somebody to pull some branch or tag from my repo with git protocol?
  2008-12-17 11:53     ` Sverre Rabbelier
@ 2008-12-17 12:35       ` Emily Ren
  2008-12-17 12:47         ` Sverre Rabbelier
  0 siblings, 1 reply; 10+ messages in thread
From: Emily Ren @ 2008-12-17 12:35 UTC (permalink / raw)
  To: Sverre Rabbelier; +Cc: Git Mailinglist

Sverre,
Thank you for your information!
As far as I know, gitosis can control whether someone has read-only or
writable access to some repo, but it has no access control at the
branch/tag level. Am I right?

I'll look at github and gitorious. Are they free software?

Thanks,
Emily


On Wed, Dec 17, 2008 at 7:53 PM, Sverre Rabbelier <srabbelier@gmail.com> wrote:
> On Wed, Dec 17, 2008 at 10:15, Emily Ren <lingyan.ren@gmail.com> wrote:
>> I want some group to be able to pull these branches or tags from my repo,
>> while others can't. Need I maintain two repositories?
>
> I think gitosis should be able to do that? Otherwise you could look
> into hosting sites like github or gitorious, I think they have at
> least some form of access control, yes?
>
> --
> Cheers,
>
> Sverre Rabbelier
>


* Re: Can I forbid somebody to pull some branch or tag from my repo with git protocol?
  2008-12-17 12:35       ` Emily Ren
@ 2008-12-17 12:47         ` Sverre Rabbelier
  2008-12-17 13:37           ` Emily Ren
  0 siblings, 1 reply; 10+ messages in thread
From: Sverre Rabbelier @ 2008-12-17 12:47 UTC (permalink / raw)
  To: Emily Ren; +Cc: Git Mailinglist

[It is common not to top-post on this list :)]

On Wed, Dec 17, 2008 at 13:35, Emily Ren <lingyan.ren@gmail.com> wrote:
> As far as I know, gitosis can control whether someone has read-only or
> writable access to some repo, but it has no access control at the
> branch/tag level. Am I right?

Ah, sorry, I meant to control access to different repos for different groups.

> I'll look at github and gitorious. Are they free software?

IIRC gitorious is open source, but I just checked and I don't see any
access control there; which leaves github, which is not free software
I'm afraid.

I think, as Johannes said, keeping two separate repos and using some
form of access control on those would be best.

-- 
Cheers,

Sverre Rabbelier


* Re: Can I forbid somebody to pull some branch or tag from my repo with git protocol?
  2008-12-17 12:47         ` Sverre Rabbelier
@ 2008-12-17 13:37           ` Emily Ren
  0 siblings, 0 replies; 10+ messages in thread
From: Emily Ren @ 2008-12-17 13:37 UTC (permalink / raw)
  To: Sverre Rabbelier; +Cc: Git Mailinglist

Sverre, Johannes,

Thank you very much for sharing your good ideas! Yes, maintaining two
separate repos may be best.

Johannes,
Does your second suggestion mean that I need to write a script and use
a git hook to enable it?

Thanks,
Emily


On Wed, Dec 17, 2008 at 8:47 PM, Sverre Rabbelier <srabbelier@gmail.com> wrote:
> [It is common not to top-post on this list :)]
>
> On Wed, Dec 17, 2008 at 13:35, Emily Ren <lingyan.ren@gmail.com> wrote:
>> As far as I know, gitosis can control whether someone has read-only or
>> writable access to some repo, but it has no access control at the
>> branch/tag level. Am I right?
>
> Ah, sorry, I meant to control access to different repos for different groups.
>
>> I'll look at github and gitorious. Are they free software?
>
> IIRC gitorious is open source, but I just checked and I don't see any
> access control there; which leaves github, which is not free software
> I'm afraid.
>
> I think, as Johannes said, keeping two separate repos and using some
> form of access control on those would be best.
>
> --
> Cheers,
>
> Sverre Rabbelier
>


* Re: Can I forbid somebody to pull some branch or tag from my repo with git protocol?
  2008-12-17 12:25     ` Johannes Schindelin
@ 2008-12-17 19:36       ` Junio C Hamano
  0 siblings, 0 replies; 10+ messages in thread
From: Junio C Hamano @ 2008-12-17 19:36 UTC (permalink / raw)
  To: Johannes Schindelin; +Cc: Emily Ren, git

Johannes Schindelin <Johannes.Schindelin@gmx.de> writes:

> On Wed, 17 Dec 2008, Emily Ren wrote:
>
>> I want some group to be able to pull these branches or tags from my repo,
>> while others can't. Need I maintain two repositories?
>
> Either that (that would be the easy method, and also the proper one, since 
> people would not even know what you hide), but you could patch 
> upload-pack so that it runs a hook with the rev-list arguments in 
> do_rev_list() in upload-pack.c, and die() if the hook returns non-zero.

I do not think that would work very well as you expect.  Two branches can
be pointing at the same commit, and Emily may want to hide one but not the
other.  The time you obtain from "want" is too late.

If you were to extend upload-pack, the place to narrow would be the
initial "here are the refs and the objects they point at" announcement
that is done at the very beginning.  You would do something like the
pseudo patch attached at the end.

read_set_of_exposed_refs_from_hook() should return, depending on who the
user is (which is obviously not available if this connection is over the
anonymous git-daemon service, but on a local or usual ssh connection you
could do whoami, and on gitosis there would be some environment variable to
distinguish who you are that you can use), the set of refs that the user
is allowed to see.

diff --git i/upload-pack.c w/upload-pack.c
index e5adbc0..129aa1e 100644
--- i/upload-pack.c
+++ w/upload-pack.c
@@ -10,6 +10,10 @@
 #include "revision.h"
 #include "list-objects.h"
 #include "run-command.h"
+#include "string-list.h"
+
+static int use_ref_limiting;
+static struct string_list exposed_refs;
 
 static const char upload_pack_usage[] = "git-upload-pack [--strict] [--timeout=nn] <dir>";
 
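Review bot: `exposed_refs` is declared here with no initializer and no comment, yet send_ref() looks names up in it with string_list_has_string(), which binary-searches and therefore needs a sorted list. Say next to the two statics that the list must be filled with string_list_insert() (or sorted before first use) and that strdup_strings has to be set, because the buffer the hook output is read into will not outlive the read; an explicit initializer would make that contract visible.
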
@@ -574,8 +578,14 @@ static int send_ref(const char *refname, const unsigned char *sha1, int flag, vo
 	static const char *capabilities = "multi_ack thin-pack side-band"
 		" side-band-64k ofs-delta shallow no-progress"
 		" include-tag";
-	struct object *o = parse_object(sha1);
+	struct object *o;
+
+	if (use_ref_limiting && !string_list_has_string(&exposed_refs, refname)) {
+		/* The downloader is not allowed to know the presense of this ref */
+		return 0;
+	}
 
+	o = parse_object(sha1);
 	if (!o)
 		die("git upload-pack: cannot find object %s:", sha1_to_hex(sha1));
 
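Review bot: The early return in send_ref() removes the ref from the advertisement only; nothing in this hunk touches how a later "want" line is checked, so the change should state (or enforce) that an object reachable only from a hidden ref is also refused when it is requested by id. Two smaller points at the same spot: the match is on the exact refname, so the hook has to return full names such as refs/heads/..., and the comment should read "presence", not "presense".
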
@@ -600,6 +610,12 @@ static int send_ref(const char *refname, const unsigned char *sha1, int flag, vo
 static void upload_pack(void)
 {
 	reset_timeout();
+
+	if ("limit exposed refs" hook is available) {
+		use_ref_limiting = 1;
+		read_set_of_exposed_refs_from_hook(&exposed_refs);
+	}
+
 	head_ref(send_ref, NULL);
 	for_each_ref(send_ref, NULL);
 	packet_flush(1);
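
Review bot: In upload_pack() the result of read_set_of_exposed_refs_from_hook() is never checked, and use_ref_limiting is set before the call. A hook that fails or prints nothing then leaves an empty list and every ref is silently hidden; that fails closed, which is the safe direction, but the server should die() with a clear message on hook failure rather than send an empty advertisement. Note also that head_ref(send_ref, NULL) goes through the same filter, so HEAD is advertised only if the hook lists it explicitly.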

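Junio's point that filtering at "want" time is too late, as an added example that is not part of the original message or of git's code: a simplified model in which two branches share one commit and the filter is applied to the advertisement by ref name. The ref table, the `anon_exposed` list (standing in for the hook's answer) and the function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
struct ref { const char *name; const char *oid; };

/* Constructed sample repository: "public" and "secret" share one commit. */
static const struct ref refs[] = {
	{ "refs/heads/master",  "1111111" },
	{ "refs/heads/public",  "2222222" },
	{ "refs/heads/secret",  "2222222" },
	{ "refs/tags/internal", "3333333" },
};
#define NREFS (sizeof(refs) / sizeof(refs[0]))
/* Hypothetical hook answer for an anonymous user (NULL-terminated). */
static const char *anon_exposed[] = { "refs/heads/master", "refs/heads/public", NULL };

static int is_exposed(const char **exposed, const char *name)
{
	for (; *exposed; exposed++)
		if (!strcmp(*exposed, name))
			return 1;
	return 0;
}

/* Advertisement-time filter by ref name; returns how many refs are shown. */
size_t advertise(const char **exposed, const struct ref **out)
{
	size_t i, n = 0;
	for (i = 0; i < NREFS; i++)
		if (is_exposed(exposed, refs[i].name))
			out[n++] = &refs[i];
	return n;
}

/* Model: a "want" names an object id only and is honoured for advertised tips. */
int want_allowed(const char **exposed, const char *oid)
{
	const struct ref *adv[NREFS];
	size_t i, n = advertise(exposed, adv);
	for (i = 0; i < n; i++)
		if (!strcmp(adv[i]->oid, oid))
			return 1;
	return 0;
}

int main(void)
{
	printf("shared commit: %d, hidden tag: %d\n",
	       want_allowed(anon_exposed, "2222222"), want_allowed(anon_exposed, "3333333"));
	return 0;
}
```

The shared commit 2222222 stays fetchable through refs/heads/public while the name refs/heads/secret is never sent, which a check on the wanted object id alone could not express.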