Re: encrypted repositories?

["Matthias Andree" <matthias.andree@gmx.de>]

Am 17.07.2009, 21:38 Uhr, schrieb Linus Torvalds  
<torvalds@linux-foundation.org>:

>
>
> On Fri, 17 Jul 2009, Matthias Andree wrote:
>>
>> Assume you have a repository where you want to work on embargoed  
>> information,
>> so that not even system administrators of the server you're pushing to  
>> can get
>> a hold of the cleartext data.
>
> If the server can't ever read it, you're basically limited to just one
> story:
>
>  - use rsync-like "stupid" transports to upload and download things.
>
>  - a "smart" git server (eg the native git:// style protocol is not going
>    to be possible)

I don't know all its features, apparently it's online recompression - this  
is no longer going to be available.

> and you strictly speaking need no real git changes, because you might as
> well just do it by uploading an encrypted tar-file of the .git directory.
> And there is literally no upside in doing anything else - any native git
> support is almost entirely pointless.
>
> You could make it a _bit_ more useful perhaps by adding some helper
> wrappers, probably by just implementing a new transport name (ie instead
> of using "rsync://", you'd just use "crypt-tgz://" or something).
>
> Now, that said, there are probably situations where maybe you'd allow the
> server to decrypt things _temporarily_, but you don't want to be  
> encrypted
> on disk, and no persistent keys on the server, then that would open up a
> lot more possibilities.

> Of course, that still does require that you trust the server admin to
> _some_ degree - anybody who has root would be able to get the keys by
> running a debugger on the git upload/download sequence when you do a
> upload or download.
>
> Maybe that kind of security is still acceptable to you, though?

No, the server can't be allowed access to the keys or decrypted data.

I'm not sure about the graph, and if I should be concerned. Exposing the  
DAG might be in order.

It would be ok if the disk storage and the over-the-wire format cannot use  
delta compression then. It would suffice to just send a set of objects  
efficiently - and perhaps smaller revisions can be delta-compressed by the  
clients when pushing.

I admit haven't checked how the current git:// over-the-wire protocol[s]  
work[s]. I think client-side delta compression may require limiting the  
graph depths or delta size (when exceeded, the client must send the  
standalone self-contained object rather than a delta), so that the server  
can refuse patches when the delta nesting or size gets too deep/big.

I think this would generate the git server to something like a storage  
device for objects, perhaps with the DAG if exposed.


On a more general note, is someone looking into improving the http://  
efficiency?  Perhaps there are synergies between my plan of (a) encryption  
and (b) more efficient "dumb" (http/rsync/...) protocol use.

-- 
Matthias Andree