git-annex 6.20160419 has a rare security fix. A bug made encrypted special remotes that are configured to use chunks accidentally expose the checksums of content that is uploaded to the remote. Such information is supposed to be hidden from the remote's view by the encryption. The same bug also made resuming interrupted uploads to such remotes start over from the beginning.
After releasing that, I've been occupied today with fixing the Android autobuilder, which somehow got its build environment broken (unsure how), and fixing some other dependency issues.
What should the users do to repair this situation? How can the exposed checksums be removed from the remote? Is a git annex sync enough?
Thank you for the timely release!
The exposed information is not stored in the remote. If it's stored anywhere, it would be in a server log, which might log an attempt to access an un-encrypted key filename (which typically includes the checksum and maybe the file's extension).
So on the one hand, you don't need to do anything other than upgrade git-annex to recover from the problem. On the other hand, if the potential that an un-encrypted filename of a git-annex key having leaked into a server log somewhere is a problem, I don't have a solution to the problem.
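For anyone who wants to check whether a server log they control recorded such a filename, here is one way to scan for it. This is an added example, not part of the original post or of git-annex's code. It assumes the usual git-annex key layout (BACKEND-sSIZE, optional -S/-C chunk fields, then "--" and the hex checksum, with an extension for "E" backends), and the log lines, path and digests in it are constructed.

```python
import re

# Assumed key layout: BACKEND[-sSIZE][-SCHUNKSIZE-CCHUNKNUM]--DIGEST[.ext]
# Assumption: only these checksum backends are listed; extend for others in use.
PLAIN_KEY = re.compile(
    r"\b(?P<backend>(?:SHA(?:1|224|256|384|512)|SHA3_(?:224|256|384|512)|MD5)E?)"
    r"(?P<fields>(?:-[smSC]\d+)*)"
    r"--(?P<digest>[0-9a-f]{32,128})"
    r"(?P<ext>(?:\.[A-Za-z0-9]{1,8})*)"
)

def scan_log(lines):
    """Return one finding per un-encrypted key name seen in the log lines."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for m in PLAIN_KEY.finditer(line):
            findings.append({
                "line": lineno,
                "backend": m.group("backend"),
                "chunk": "-C" in m.group("fields"),  # request named a chunk key
                "digest": m.group("digest"),
                "ext": m.group("ext"),
            })
    return findings

# Constructed sample data, not real checksums or real log entries.
DIGEST = "ab" * 32
SAMPLE_LOG = [
    # Encrypted key name (assumed GPGHMACSHA1-- prefix): must not be flagged.
    '203.0.113.5 - - [19/Apr/2016:10:01:02 +0000] "PUT /annex/GPGHMACSHA1--'
    + "0f" * 20 + ' HTTP/1.1" 201 -',
    # Un-encrypted chunk key: checksum and extension visible to the server.
    f'203.0.113.5 - - [19/Apr/2016:10:01:03 +0000] "HEAD /annex/'
    f'SHA256E-s2097152-S1048576-C1--{DIGEST}.mp3 HTTP/1.1" 404 -',
    # Un-encrypted key without chunk fields or extension.
    '203.0.113.5 - - [19/Apr/2016:10:01:04 +0000] "HEAD /annex/SHA1-s512--'
    + "cd" * 20 + ' HTTP/1.1" 404 -',
    '203.0.113.5 - - [19/Apr/2016:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['backend']} checksum {hit['digest']}{hit['ext']}")
```

Any line it reports names a checksum in the clear; whether to rotate or purge that log is a local retention decision.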