hello darcs developers

I wanted to setup a darcs repo on a server where security is much
emphasized and i did not want to use pushing via email for various
reasons.
Currently, as described in http://wiki.darcs.net/DarcsWiki/RepoViaSSH,
darcs seems to use several commands over ssh: darcs, scp, cd and
sftp-server are "whitelisted" by a perl script. As this script will be
bypassed easily, it is currently not possible to use darcs securely via ssh.

If darcs used only one command (i.e. "darcs"), ssh could be configured
to just allow this one command. This or any other method of offering
darcs rw access without giving out machine accounts would be much
appreciated.

This is useful in a setting where several developers are to be granted
pushing privileges on a repository, but are not trusted enough to be
given full ssh access and using email is not desired.

Thanks,
johann

-----------------

context in #darcs:

18:01 < twb> You can also limit an ssh keys to a single command in
authorized_keys
18:01 < Heffalump> twb: that "obscure perl script" seems to be designed
to do that, I'm not sure why "raw darcs" isn't suitable for that but it
may well not be
18:01 < cupe> Heffalump: i think it's because darcs uses more than one
command
18:02 < cupe> darcs, scp, cd, sftp-server
18:02 < Heffalump> oh, right
18:02 < twb> It does?  That sucks.
18:02 < cupe> if that wasn't the case, i would not have any problems :)
18:02 < cupe> yep
18:03 < twb> IIUC rsync just boots a remote rsync process with a "be a
listener" switch
18:03 < twb> Also, cd is not a command
18:03 < twb> darcs should use darcs --repodir rather than cd'ing
18:04 < twb> Thereby avoiding the need for a shell process.
18:05 < cupe> yep, that would be nice
18:05 < cupe> although there is still scp involved
18:06 < twb> Theoretically there's no reason darcs --server --repodir
couldn't exec scp based on commands it receives from stdin
18:07 < twb> I suggest you file a wishlist bug
18:10 < cupe> i'll do that