# People who administer the repository system.

@admins = sra randy sra@hactrn.net randy@psg.com

# For now we use user group @all to mean the cryptech core group. If
# we ever have committers who are not core, we'll likely need a @core
# group here, and perhaps other groups.

# GPG signature hook. Don't mess with this.

repo @all
    -   VREF/gpg-check  =   @all

# Gitolite control repository. Write restricted to sysadmins, since
# the VREF above is a form of access control we don't want bypassed,
# but allow any authorized user to read the config if they like.

repo gitolite-admin
    RW+ =   @admins
    R   =   @all

# Everything but the gitolite-admin repository is currently set up for
# "wild repositories" (http://sitaramc.github.com/gitolite/wild.html).
#
# In theory, this lets authenticated users create their own
# repositories without needing to touch this file.
#
# In all of these, we allow read permission to @all, on the theory
# that it doesn't make much sense to restrict read via SSH while
# allowing it via plain HTTP. So we have no current use for the
# READERS role. Add it back if we ever find a use for it.

# Principle of Least Astonishment says that users should not create
# repositories that look like they belong to other users.

repo users?/CREATOR/..*
    C   =   @all
    RW+ =   CREATOR
    RW  =   WRITERS
    R   =   @all

# Other wild repositories. Might consider restricting top-level to
# enforce a particular hierarchy, ask the users what they want.

repo [a-zA-Z0-9].*
    C   =   @all
    RW+ =   CREATOR
    RW  =   WRITERS
    R   =   @all
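
# Added example (not part of this configuration or of gitolite): a small
# Python audit helper that reports which of the two wild-repository patterns
# above would supply the "C = @all" rule for a proposed repository name.
# Assumptions: CREATOR is replaced by the requesting user's name, repo regexes
# are anchored at both ends, and rules from every matching stanza apply; the
# users "alice" and "bob" and the sample names are constructed.

```python
import re

# Wild-repo patterns copied from the config above, in file order.
WILD_PATTERNS = ["users?/CREATOR/..*", "[a-zA-Z0-9].*"]


def expand(pattern: str, user: str) -> re.Pattern:
    """Substitute CREATOR with the requesting user and anchor at both ends
    (assumed to mirror how gitolite treats repo regexes)."""
    body = pattern.replace("CREATOR", re.escape(user))
    return re.compile(r"\A(?:" + body + r")\Z")


def creating_patterns(repo: str, user: str) -> list[str]:
    """Return every wild pattern whose 'C = @all' rule would cover `repo`
    when `user` asks to create it."""
    return [p for p in WILD_PATTERNS if expand(p, user).match(repo)]


def audit(names: list[str], user: str) -> dict[str, list[str]]:
    """Map each proposed repo name to the patterns that would allow creation."""
    return {name: creating_patterns(name, user) for name in names}


if __name__ == "__main__":
    # Constructed sample names; "alice" and "bob" are hypothetical users.
    sample = [
        "user/alice/hsm-notes",   # per-user namespace, singular prefix
        "users/alice/x",          # per-user namespace, plural prefix
        "users/bob/x",            # another user's namespace
        "core/novena",            # top-level wild repository
        "../escape",              # does not start with an alphanumeric
        "users/alice/",           # nothing after the final slash
    ]
    for name, hits in audit(sample, "alice").items():
        print(f"{name:22} -> {hits or 'no C rule matches'}")
```

# Under these assumptions a name under another user's prefix, such as
# users/bob/x requested by alice, is not matched by the CREATOR stanza but is
# still matched by the catch-all stanza, which is the case the "restricting
# top-level" comment above is concerned with.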