Apso: Secrecy for Version Control Systems

In Tibet, Lhasa Apso dogs were used as guardians in temples. Abso means "bark lion sentinel dog".

Apso (the software) is a framework for adding secrecy to version control systems. Usually, version control systems support transfer of encrypted data between clients and the server (in centralized systems) or between clients (in distributed systems). This, however, does not help one who needs to store his versioned content on a potentially hostile host or on removable media. Apso makes this possible by creating encrypted versions of version control repositories.

Features

Supported Plugins

Interfaces available for Apso:

I don't have plans to build other interfaces, but you're welcome to do so.

Version control systems currently available for Apso:

Cryptographic plugins available:

There are plans to support Git, Mercurial and Darcs, but not a single line of code has been written yet.

Subversion could be supported with a different protocol and some changes in the Subversion client, but I have no plans to personally implement this.

I have no plans to include support for other cryptographic libraries at the moment. I have tried BeeCrypt, libgpgme, Peter Gutmann's CryptLib and Crypto++. I decided to use Nettle, because it was the simplest and easiest to use. The problems I found with other libraries are:

Getting Apso

Apso is hosted at Savannah. Check the page for Apso there!

License

The initial Apso code was written by me (Jerônimo Pellegrini), and released under the GNU General Public License version 2 (or later, at your choice). There are two files that have been contributed by Jan Pfeifer (cctools.cc and cctools.h) which are released under the GNU Lesser General Public License version 2 (or later, at your choice). Also, the documentation is released under the GNU Free Documentation License version 1.2 (or later, at your choice).

Needless to say: THERE IS NO WARRANTY.

If you are wondering why I have decided to distribute this program under the GNU GPL if it will basically just help people keep their source code closed and safe, consider that some people store all kinds of things under version control that are not supposed to be public, like your homework, PhD thesis, config files, and other things.

Current Status

There are now 2.9k lines of C++ code. The problem is that Apso is just a proof of concept, and I had no time to even work on its architecture before I started coding. I'm working on cleaning up the code. The part that works is:

What's not working:

Helping

If you want to help turn this prototype into a real system, please subscribe to apso-devel at Savannah. Also, please download Apso and see the TODO list. I am currently trying to organize the list of bugs so I can transfer them to the bug tracking system at Savannah.

Important notice

BY SENDING ANY KIND OF CONTRIBUTION TO APSO, YOU ARE RELEASING IT UNDER THE GNU GPL, AND YOU CAN ONLY DO THAT IF YOU ARE THE COPYRIGHT HOLDER OF THE INTELLECTUAL WORK YOU PRODUCE. IF YOU WORK FOR A COMPANY THAT CLAIMS OWNERSHIP OVER EVERYTHING YOU DO, THEN YOU ARE NOT SUPPOSED TO CONTRIBUTE, UNLESS THE COMPANY ITSELF IS WILLING TO LICENSE THE WORK UNDER THE GNU GPL.

Before contributing for the first time, please send an email to apso-devel saying who you are (your full name) and stating that you do have legal right to release code under the GNU GPL.

Downloading

Apso is still in its infancy, but you can already download the prototype. The code is still ugly, because it was written in a hurry.

Apso was debianized by Chad Walstrom. Please get the latest version from the Monotone repository, go to the top dir and use "dpkg-buildpackage -rfakeroot" to build the package. Hopefully, someone will step forward and help make RPMs too.

Available versions:

These are links to tarballs, sha256 of the tarballs, binary GPG signature of the tarballs, and an amazingly short changelog. BTW, my public key can be found at Savannah. The fingerprint is 32B6 4CC3 26C8 6A46 F94A BAA3 E920 F497 7412 8961. Version 0.0.0 was removed because I don't think it should be distributed. There were problems with the documentation and licence. But if you have it, you can still check the hash and signature.
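Checking a downloaded tarball against its published hash and the fingerprint above, as an added example that is not part of Apso. It assumes sha256sum and gpg are installed and that the key has already been imported from Savannah; the file names in the usage comment are placeholders.

```shell
#!/bin/sh
# Fingerprint published on this page, with the spaces removed.
APSO_FPR="32B64CC326C86A46F94ABAA3E920F49774128961"

# check_sha256 FILE EXPECTED_HEX
# Succeeds only if the SHA-256 of FILE equals EXPECTED_HEX (case-insensitive).
check_sha256() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# signed_by FPR  (reads `gpg --status-fd 1 --verify` output on stdin)
# Succeeds only if a VALIDSIG line names FPR as the signing key or as its
# primary key, and the key is not reported revoked. Matching on the full
# fingerprint avoids accepting a good signature made by some other key
# that happens to be in the keyring.
signed_by() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "REVKEYSIG" { revoked = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { exit !(ok && !revoked) }'
}

# verify_release TARBALL SHA256_HEX SIGFILE
# Usage (placeholder names): verify_release apso-X.Y.Z.tar.gz <sha256> apso-X.Y.Z.tar.gz.sig
verify_release() {
    check_sha256 "$1" "$2" || { echo "sha256 mismatch: $1" >&2; return 1; }
    # gpg exits non-zero on a bad or unverifiable signature.
    status=$(gpg --status-fd 1 --verify "$3" "$1" 2>/dev/null) || {
        echo "signature did not verify: $3" >&2; return 1; }
    printf '%s\n' "$status" | signed_by "$APSO_FPR" || {
        echo "signature is not from the pinned key" >&2; return 1; }
    echo "OK: $1"
}
```

The hash alone only detects corruption or a swapped file if the hash itself came from a trusted place; the signature check against the pinned fingerprint is what ties the tarball to the author's key.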

Since Apso is still a prototype, you may be interested in getting the source from the Monotone server.
To sync with the Monotone server, pull the branch from the Monotone database at aleph0.info.
Use Monotone version 0.26 or higher (this is NECESSARY) and do the following (you can change "my_database" to some other name that you like):

mtn -d my_database.mtn db init
mtn -d my_database.mtn pull mtn.aleph0.info info.aleph0.apso
mtn -d my_database.mtn co -b info.aleph0.apso info.aleph0.apso
cd info.aleph0.apso

And you are in the source tree.

Compiling

Do whatever you do on your system to install the build dependencies:

It's possible that you already have these on your system. Now just compile:

AUTOMAKE=automake-1.9 ACLOCAL=aclocal-1.9 autoreconf --install
./configure 
make
src/apso

WARNING: There are several things missing at the moment! Apso is not yet fully secure. DO NOT TRUST THIS PROTOTYPE! IT DOES NOT GUARANTEE SECRECY YET!

Documentation

For users: Apso comes with an info file where you can find everything from the basic concepts to examples of usage. It is compiled automatically when you compile Apso. You can read it with info (or pinfo, which I recommend).

For developers:
