Forbid drop operation from symlink'ed annex (e.g. due to being cloned with --reckless=ephemeral) to prevent data-loss

[mih]

This is a blunt, but effective measure to prevent a data security issue,
where dropping annex keys from 'here' is actually also dropping them
from 'origin' -- thereby potentially deleting the last existing copy.

Even once a more elegant error anticipation and handling is implemented,
it should be kept for safety reasons.

Closes #6948

PS: I will be working on a more elegant wrapping of this fix. But given the severity, this should be merged and released ASAP. #4750 continues to remain as a reminder.

I came to the conclusion that it might be best to remove the entire feature. I filed #6961

Spellchecker errors are addressed in #6956

[adswa]

But given the severity, this should be merged and released ASAP.

I agree

[codecov]

Codecov Report

Merging #6959 (df38f9e) into maint (5f0b28d) will increase coverage by 0.98%.
The diff coverage is 100.00%.

@@            Coverage Diff             @@
##            maint    #6959      +/-   ##
==========================================
+ Coverage   89.97%   90.96%   +0.98%     
==========================================
  Files         354      354              
  Lines       46259    46290      +31     
==========================================
+ Hits        41622    42108     +486     
+ Misses       4637     4182     -455     

Impacted Files	Coverage Δ
datalad/distributed/drop.py	97.70% <100.00%> (+0.02%)	⬆️
datalad/distributed/tests/test_drop.py	100.00% <100.00%> (ø)
datalad/_version.py	45.68% <0.00%> (-0.28%)	⬇️
datalad/tests/test_config.py	99.73% <0.00%> (+<0.01%)	⬆️
datalad/config.py	97.26% <0.00%> (+<0.01%)	⬆️
datalad/tests/utils.py	65.10% <0.00%> (+11.03%)	⬆️
datalad/tests/test_tests_utils.py	92.34% <0.00%> (+92.34%)	⬆️

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

[yarikoptic]

Crippledfs where no symlinjs supported failure is relevant

[yarikoptic]

In general I am good with such a stop gap feature (after testing is fixed up on crippled fs). But also such message could confuse some naive user a little. We might better rely first on

[datalad "clone"]
	reckless = ephemeral

being present in repo.config -- and inform user that dropping in ephemeral clone (the term they must have heard about since they had to use it to get here) is not supported. But indeed checking for symlink is more robust and could be the 2nd line of defense if so desired.

[mih]

I disagree. Whether or not this config item is still set makes little difference re the outcome -- it remains data loss.

This conclusion matches the outcome of #4750

I don't understand what "2nd line of defense if so desired" wants to say.

[adswa]

If I decode @yarikoptic's comment correctly, its about rewording the message under certain circumstances:
1: Check if the config item about an ephemeral clone
2: If it is present, reword the warning to talk about "ephemeral clone" instead of "symlinked annex"
The symlink check and warning would co-exist and catch a symlinked annex even without the ephemeral config.
Is that interpretation correct?

[yarikoptic]

yes @adswa , thank you!

[yarikoptic]

For now let's just merge, and if @mih decides to improve UX, could be in a follow up PR.

[yarikoptic]

I will adjust the title to be little more "obvious" and reflective of the change.