On Wed, Jul 27 2022, ZheNing Hu wrote: > if there is a monorepo such as > git@xxxxxxxxxx:derrickstolee/sparse-checkout-example.git > > There are many files and directories: > > client/ > android/ > electron/ > iOS/ > service/ > common/ > identity/ > list/ > photos/ > web/ > browser/ > editor/ > friends/ > boostrap.sh > LICENSE.md > README.md > > Now we can use partial-clone + sparse-checkout to reduce > the network overhead, and reduce disk storage space size, that's good. > > But I also need a ACL to control what directory or file people can fetch/push. > e.g. I don't want a client fetch the code in "service" or "web". > > Now if the user client use "git log -p" or "git sparse-checkout add service"... > or other git command, git which will download them by > "git fetch --filter=blob:none --stdin <oid>" automatically. > > This means that the git client and server interact with git objects > (and don't care about path) we cannot simply ban someone download > a "path" on the server side. > > What should I do? You may recommend me to use submodule, > but due to its complexity, I don't really want to use it :-( There isn't a way to do this in git. It's theoretically possible, i.e. a client could be told that the SHA-1 of a directory is XYZ, and construct a commit object with a reference to it. But currently a *lot* of things in the client code assume that these things will be available in one way or another. The state-of-the-art in the "sparse" code may differ from the above, I don't know. Also note that there's a well-known edge case in the git protocol where it's really incompatible with the notion of "secret" data, i.e. even if you hide a ref you'll be able to "guess" it by seeing what delta(s) the server will produce or accept etc.
