From: "Ævar Arnfjörð Bjarmason" <avarab@gmail.com>
To: ZheNing Hu <adlternative@gmail.com>
Cc: Git List <git@vger.kernel.org>, Derrick Stolee <stolee@gmail.com>,
Junio C Hamano <gitster@pobox.com>,
Christian Couder <christian.couder@gmail.com>,
Jeff King <peff@peff.net>
Subject: Re: Question: What's the best way to implement directory permission control in git?
Date: Wed, 27 Jul 2022 11:17:44 +0200 [thread overview]
Message-ID: <220727.86mtculxnz.gmgdl@evledraar.gmail.com> (raw)
In-Reply-To: <CAOLTT8QusNzdO1mHqQFPz84pznYSpFWJunroRGXQ7qk6sJjeYg@mail.gmail.com>
On Wed, Jul 27 2022, ZheNing Hu wrote:
> if there is a monorepo such as
> git@github.com:derrickstolee/sparse-checkout-example.git
>
> There are many files and directories:
>
> client/
> android/
> electron/
> iOS/
> service/
> common/
> identity/
> list/
> photos/
> web/
> browser/
> editor/
> friends/
> boostrap.sh
> LICENSE.md
> README.md
>
> Now we can use partial-clone + sparse-checkout to reduce
> the network overhead, and reduce disk storage space size, that's good.
>
> But I also need a ACL to control what directory or file people can fetch/push.
> e.g. I don't want a client fetch the code in "service" or "web".
>
> Now if the user client use "git log -p" or "git sparse-checkout add service"...
> or other git command, git which will download them by
> "git fetch --filter=blob:none --stdin <oid>" automatically.
>
> This means that the git client and server interact with git objects
> (and don't care about path) we cannot simply ban someone download
> a "path" on the server side.
>
> What should I do? You may recommend me to use submodule,
> but due to its complexity, I don't really want to use it :-(
There isn't a way to do this in git.
It's theoretically possible, i.e. a client could be told that the SHA-1
of a directory is XYZ, and construct a commit object with a reference to
it.
But currently a *lot* of things in the client code assume that these
things will be available in one way or another.
The state-of-the-art in the "sparse" code may differ from the above, I
don't know.
Also note that there's a well-known edge case in the git protocol where
it's really incompatible with the notion of "secret" data, i.e. even if
you hide a ref you'll be able to "guess" it by seeing what delta(s) the
server will produce or accept etc.
next prev parent reply other threads:[~2022-07-27 9:20 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-07-27 8:56 Question: What's the best way to implement directory permission control in git? ZheNing Hu
2022-07-27 9:17 ` Ævar Arnfjörð Bjarmason [this message]
2022-07-28 14:54 ` ZheNing Hu
2022-07-28 15:50 ` Ævar Arnfjörð Bjarmason
2022-07-29 1:48 ` Elijah Newren
2022-07-29 14:22 ` ZheNing Hu
2022-07-29 14:57 ` rsbecker
2022-07-29 13:15 ` ZheNing Hu
2022-07-27 9:24 ` Thomas Guyot
2022-07-29 12:49 ` ZheNing Hu
2022-07-29 23:50 ` Emily Shaffer
2022-07-31 16:15 ` ZheNing Hu
2022-08-01 10:14 ` Han-Wen Nienhuys
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=220727.86mtculxnz.gmgdl@evledraar.gmail.com \
--to=avarab@gmail.com \
--cc=adlternative@gmail.com \
--cc=christian.couder@gmail.com \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=peff@peff.net \
--cc=stolee@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).