edge-control: install.sh seeds empty allowlist — every register breaks until admin populates it, with no install-time warning #1110
Reference: disinto-admin/disinto#1110
Problem
Follow-up to #833. The allowlist policy is correctly opt-in at the script layer (register.sh:109-112 allows all when the file is missing), but install.sh unconditionally seeds:
This flips the effective default to deny all the moment install.sh runs, and the install summary does not call this out. Two failure modes:
- install.sh, then attempts the documented disinto edge register myproject … smoke test. It fails with name not approved and there is no breadcrumb in the install output explaining why.
- if [ ! -f "$ALLOWLIST_FILE" ] guard prevents clobbering, so this is safe only if the file already exists. The first upgrade run after this PR creates the empty allowlist; existing projects cannot re-register or rotate keys until admin retroactively allowlists each one.
Either case is a sharp footgun for a feature whose design goal is operator control, not operator surprise.
Proposal
In install.sh, when seeding allowlist.json:
- log_warn clearly: "Allowlist seeded empty — no project can register until you add entries to ${ALLOWLIST_FILE}."
- pubkey_fingerprint binding — preserves current behavior). Operator can tighten later.
Updating tools/edge-control/README.md with the allowlist workflow is part of the same change.
Acceptance
Ported from Codeberg https://codeberg.org/johba/disinto/issues/841. Any #NNN references in the body above point to Codeberg issue numbers, not internal Forgejo numbers.
Blocked — issue #1110
ci_timeout 2026-04-21T12:52:10Z
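One way the install-time behaviour proposed in the issue could look, as an added example that is not the project's install.sh: it seeds only when the file is absent, emits the warning text from the proposal, and reports the three effective policy states the issue describes. The JSON seed shape, the default path, and the log_warn, allowlist_state and install_summary helpers are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the project's install.sh. Assumptions: the seed shape,
# the default path and all helper names below are hypothetical.
ALLOWLIST_FILE="${ALLOWLIST_FILE:-/tmp/edge-control-example/allowlist.json}"
EMPTY_SEED='{"allowed":{}}'   # assumed shape of an empty allowlist

log_warn() { printf 'WARN: %s\n' "$*" >&2; }

# Effective registration policy, following the issue's description:
#   file missing        -> open      (register.sh allows all)
#   file present, empty -> deny-all  (register fails with "name not approved")
#   file has entries    -> restricted
allowlist_state() {
    if [ ! -f "$ALLOWLIST_FILE" ]; then
        echo open
    elif [ "$(tr -d '[:space:]' < "$ALLOWLIST_FILE")" = "$EMPTY_SEED" ]; then
        echo deny-all
    else
        echo restricted
    fi
}

# Seed only when absent (the guard quoted in the issue) and warn at seed time,
# so the flip from "open" to "deny-all" is visible in the install output.
seed_allowlist() {
    if [ ! -f "$ALLOWLIST_FILE" ]; then
        mkdir -p "$(dirname "$ALLOWLIST_FILE")"
        printf '%s\n' "$EMPTY_SEED" > "$ALLOWLIST_FILE"
        log_warn "Allowlist seeded empty — no project can register until you add entries to ${ALLOWLIST_FILE}."
    fi
}

# Repeat the state in the install summary so an operator who missed the
# seed-time warning still sees why the register smoke test will fail.
install_summary() {
    state=$(allowlist_state)
    echo "allowlist: ${ALLOWLIST_FILE} (${state})"
    if [ "$state" = deny-all ]; then
        log_warn "Allowlist is empty: every register request will be rejected."
    fi
}
```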