1<title>Deleting Content From Fossil</title> 2 3<h2>Good Reasons for Removing Content from a Fossil Repository</h2> 4 5Fossil is designed to keep all historical content forever. Fossil 6purposely makes it difficult for users to delete content. Old content 7is part of the project's <i>*ahem*</i> fossil record and should be 8maintained indefinitely to maintain an accurate history of the project. 9 10Nevertheless, there may occasionally arise legitimate reasons for 11deleting content. Such reasons include: 12 13 * Spammers inserted inappropriate content into a wiki page, forum post, 14 or ticket. Fossil lets you easily hide or amend such content, but 15 since it is not a legitimate part of the project's history, there 16 is no value in keeping it, so it is best removed permanently. 17 18 * A file that contains trade secrets or that is under someone else's 19 copyright was accidentally committed and needs to be backed out. 20 21 * A malformed control artifact was inserted and is disrupting the 22 operation of Fossil. 23 24 * A legitimate legal request was received requiring content to 25 be removed. This would most likely be related to the accidental 26 intellectual property error or spam cases listed above. Some countries 27 recognise software patents, and so allow legal claims targetting code 28 commits. Some countries can require publicly-available encryption 29 software to be taken down if it is committed to the DAG without 30 the correct government authorisation. 31 32<h2>Alternatives</h2> 33 34All of these are rare cases: Fossil is [./antibot.wiki | designed to 35foil spammers up front], legally problematic check-ins should range from 36rare to nonexistent, and you have to go way out of your way to force 37Fossil to insert bad control artifacts. Therefore, before we get to 38methods of permanently deleting content from a Fossil repos, let's give 39some alternatives that usually suffice, which don't damage the project's 40fossil record: 41 42<ul> 43 <li><p>When a forum post or wiki article is "deleted," what actually 44 happens is that a new empty version is added to the Fossil repository. 45 The web interface interprets this 46 as "deleted," but the prior version remains available if you go 47 digging for it.</p></li> 48 49 <li><p>When you close a ticket, it's marked in a way that causes it 50 to not show up in the normal ticket reports. You usually want to 51 give it a Resolution such as "Rejected" when this happens, plus 52 possibly a comment explaining why you're closing it. This is all new 53 information added to the ticket, not deletion.</p></li> 54 55 <li><p>When you <tt>fossil rm</tt> a file, a new manifest is 56 checked into the repository with the same file list as for the prior 57 version minus the "removed" file. The file is still present in the 58 repository; it just isn't part of that version forward on that 59 branch.</p></li> 60 61 <li><p>If you make a bad check-in, you can shunt it off to the side 62 by amending it to put it on a different branch, then continuing 63 development on the prior branch: 64 <p> 65 <tt>$ fossil amend abcd1234 --branch BOGUS --hide<br> 66 $ fossil up trunk</tt> 67 <p> 68 The first command moves check-in ID <tt>abcd1234</tt> (and any 69 subsequent check-ins on that branch!) to a branch called 70 <tt>BOGUS</tt>, then hides it so it doesn't show up on the 71 timeline. You can call this branch anything you like, and you can 72 re-use the same name as many times as you like. No content is 73 actually deleted: it's just shunted off to the side and hidden away. 74 You might find it easier to do this from the Fossil web UI in 75 the "edit" function for a check-in. 76 <p> 77 The second command returns to the last good check-in on that branch 78 so you can continue work from that point.</p></li> 79 80 <li><p>When the check-in you want to remove is followed by good 81 check-ins on the same branch, you can't use the previous method, 82 because it will move the good check-ins, too. The solution is: 83 <p> 84 <tt>$ fossil merge --backout abcd1234</tt> 85 <p>That creates a diff in the check-out directory that backs out the 86 bad check-in <tt>abcd1234</tt>. You then fix up any merge conflicts, 87 build, test, etc., then check the reverting change into the 88 repository. Again, nothing is actually deleted; you're just adding 89 more information to the repository which corrects a prior 90 check-in.</p></li> 91</ul> 92 93<h2>Exception: Non-versioned Content</h2> 94 95It is normal and expected to delete data which is not versioned, such as 96usernames and passwords in the user table. The [/help/scrub|fossil scrub] 97command will remove all sensitive non-versioned data from a repository. 98 99The scrub command will remove user 'bertina', along with their password, 100any supplied IP address, any concealed email address etc. However, in the 101DAG, commits by 'bertina' will continue to be visible unchanged even though 102there is no longer any such user in Fossil. 103 104<h2>Shunning</h2> 105 106Fossil provides a mechanism called "shunning" for removing content from 107a repository. 108 109Every Fossil repository maintains a list of the hash names of 110"shunned" artifacts. 111Fossil will refuse to push or pull any shunned artifact. 112Furthermore, all shunned artifacts (but not the shunning list 113itself) are removed from the 114repository whenever the repository is reconstructed using the 115"rebuild" command. 116 117<h3>Shunning lists are local state</h3> 118 119The shunning list is part of the local state of a Fossil repository. 120In other words, shunning does not propagate to a remote repository 121using the normal "sync" mechanism. An artifact can be 122shunned from one repository but be allowed to exist in another. The fact that 123the shunning list does not propagate is a security feature. If the 124shunning list propagated then a malicious user (or 125a bug in the fossil code) might introduce a shun record that would 126propagate through all repositories in a network and permanently 127destroy vital information. By refusing to propagate the shunning list, 128Fossil ensures that no remote user will ever be able to remove 129information from your personal repositories without your permission. 130 131The shunning list does not propagate to a remote repository 132by the normal "sync" mechanism, 133but it is still possible to copy shuns from one repository to another 134using the "configuration" command: 135 136 <b>fossil configuration pull shun</b> <i>remote-url</i><br> 137 <b>fossil configuration push shun</b> <i>remote-url</i> 138 139The two command above will pull or push shunning lists from or to 140the <i>remote-url</i> indicated and merge the lists on the receiving 141end. "Admin" privilege on the remote server is required in order to 142push a shun list. In contrast, the shunning list will be automatically 143received by default as part of a normal client "pull" operation unless 144disabled by the "<tt>auto-shun</tt>" setting. 145 146Note that the shunning list remains in the repository even after the 147shunned artifact has been removed. This is to prevent the artifact 148from being reintroduced into the repository the next time it syncs with 149another repository that has not shunned the artifact. 150 151<h3>Managing the shunning list</h3> 152 153The complete shunning list for a repository can be viewed by a user 154with "admin" privilege on the "/shun" URL of the web interface to Fossil. 155That URL is accessible under the "Admin" button on the default menu 156bar. Items can be added to or removed from the shunning list. "Sync" 157operations are inhibited as soon as the artifact is added to the 158shunning list, but the content of the artifact is not actually removed 159from the repository until the next time the repository is rebuilt. 160 161When viewing individual artifacts with the web interface, "admin" 162users will usually see a "Shun" option in the submenu that will take 163them directly to the shunning page and enable that artifact to be 164shunned with a single additional mouse click. 165