RFC: snapshot tarball information in refs/notes/snapshots

Konstantin Ryabitsev mricon at kernel.org
Wed Mar 21 15:03:11 CET 2018

On Wed, Mar 21, 2018 at 09:38:02AM -0300, Jason A. Donenfeld wrote:
>That sounds like a potentially good idea. Though it does point to the
>larger question: should notes be used in general for configuring more
>parts of cgit in an ad-hoc manner? Is there a useful generalization of
>this mechanism we should consider? We already have four different
>configuration mechanisms (cgitrc global, cgitrc local,
>.git/config/[gitweb], .git/config/[cgit]). The advantage of this one
>is that it's configurable from git itself, which makes it quite
>convenient. On the other hand, should it be too general, there are
>security concerns to consider.

Yeah, it's something I would entirely welcome, because it would allow
people to control a lot of aspects for which we use various kludges
right now. Perhaps a subset of repo settings, like:


The latter only to specify a subset of snapshots allowed globally, or to
turn them off entirely. E.g. if global cgitrc allows "tar.gz zip" then
the repo can only use either of those or "none", but not add anything
not in global.

Basically, everything that affects how the repository is presented, but
not how it's processed. Definitely not filters nor things that would
significantly impact server performance should they be turned on.

It would be easy to load and parse refs/notes/cgitrc, and the security
implications shouldn't be much different than loading the same from


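The snapshot rule described in the message above (a repo may pick only formats the global cgitrc allows, or "none", and never add one), sketched as an added example that is not code from the original post or from cgit. The function names, the space-separated list format, and treating "none" anywhere in the request as "off" are assumptions.

```c
#include <string.h>

/* Hypothetical helpers for illustration; not cgit functions. */
/* Return 1 if the whitespace-separated list holds tok (len bytes) exactly. */
static int has_token(const char *list, const char *tok, size_t len)
{
	while (*list) {
		list += strspn(list, " \t");
		size_t n = strcspn(list, " \t");
		if (n == len && strncmp(list, tok, len) == 0)
			return 1;
		list += n;
	}
	return 0;
}

/*
 * Write to out the formats from the repo's request that the global list
 * also allows; "none" in the request turns snapshots off (assumption).
 * Call only when the repo note sets a value. Returns the number kept.
 */
int restrict_snapshots(const char *global, const char *requested,
		       char *out, size_t outsz)
{
	size_t used = 0;
	int kept = 0;
	if (outsz == 0)
		return 0;
	out[0] = '\0';
	while (*requested) {
		requested += strspn(requested, " \t");
		size_t n = strcspn(requested, " \t");
		if (n == 4 && strncmp(requested, "none", 4) == 0) {
			out[0] = '\0';
			return 0;
		}
		/* Keep only globally allowed, non-duplicate formats that fit. */
		if (n && has_token(global, requested, n) &&
		    !has_token(out, requested, n) && used + n + 2 <= outsz) {
			if (used)
				out[used++] = ' ';
			memcpy(out + used, requested, n);
			used += n;
			out[used] = '\0';
			kept++;
		}
		requested += n;
	}
	return kept;
}
```

Matching is on whole tokens, so a request for "tar" does not match a global "tar.gz", and a format absent from the global list is dropped rather than rejected.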