From bc2caf8c4ee4d43db4f1800ae06cdced4b4eafee Mon Sep 17 00:00:00 2001 From: Christian Monch Date: Wed, 18 Dec 2024 08:44:36 +0100 Subject: [PATCH 1/2] fix: warn about incompatible make options This commit extends the `datalad make` docs to describe the irrelevance of a `--allow-trusted-execution` option, if `--prospective-execution` is provided. --- datalad_remake/commands/make_cmd.py | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/datalad_remake/commands/make_cmd.py b/datalad_remake/commands/make_cmd.py index 148761f..2a98745 100644 --- a/datalad_remake/commands/make_cmd.py +++ b/datalad_remake/commands/make_cmd.py @@ -197,7 +197,8 @@ class Make(ValidatedInterface): doc='Skip commit signature verification before executing code. This ' 'should only be used in a strictly controlled environment with ' 'fully trusted datasets. Trusted dataset means: every commit ' - 'stems from a trusted entity. ' + 'stems from a trusted entity. This option has no effect when ' + 'combined with `--prospective-execution`. ' 'DO NOT USE THIS OPTION, unless you are sure to understand the ' 'consequences. One of which is that arbitrary parties can ' 'execute arbitrary code under your account on your ' @@ -258,6 +259,11 @@ def __call__( ) resolved_output = collect(worktree, ds, output_pattern) else: + if allow_untrusted_execution: + lgr.warning( + '--allow-untrusted-execution has no effect if ' + '--prospective-execution`is provided.' + ) resolved_output = set(output_pattern) initialize_remotes(ds, resolved_output) From 6f7cdf8e676db34520257ef0a7811879fdd86034 Mon Sep 17 00:00:00 2001 From: Christian Monch Date: Wed, 18 Dec 2024 08:59:22 +0100 Subject: [PATCH 2/2] fix: warn about untrusted execution in a remote --- datalad_remake/annexremotes/remake_remote.py | 1 + 1 file changed, 1 insertion(+) diff --git a/datalad_remake/annexremotes/remake_remote.py b/datalad_remake/annexremotes/remake_remote.py index 46ba6e4..b05cf66 100644 --- a/datalad_remake/annexremotes/remake_remote.py +++ b/datalad_remake/annexremotes/remake_remote.py @@ -167,6 +167,7 @@ def transfer_retrieve(self, key: str, file_name: str) -> None: ) if get_allow_untrusted_execution(dataset_id): trusted_key_ids = None + lgr.warning('datalad remake remote performs UNTRUSTED execution') else: trusted_key_ids = get_trusted_keys()