Seems that a fairly common desire in some use cases is to be able to make a
clone of a repository and be able to get files, without updating the
location tracking information. (And without even recording a uuid in the
remote.log.) Use cases include wanting to have temporary
clones without cluttering history, and centralized development where the
developers don't care to know about one-another's systems.

It seems that such an untracked repository would need to automatically
consider itself untrusted. Is that enough to avoid losing data?

> [[done]]; set remote.<name>.annex-readonly=true to prevent
> git-annex from pushing changes to the remote, or modifying the contents
> of the remote in any way.
> 
> Note that I am intentionally not making this feature be about security.
> The remote can still tell if you're connecting to it, and indeed if it
> really wants to, and git-annex-shell is being used on the remote, it can
> determine your local repository's uuid.
> 
> This allows for some complicated setups. For example, a public repository
> P can be a readonly remote of a clone on your laptop L, and L in turn has
> another, non-readonly remote D on a removable drive. This allows L and D
> to keep track of which files one-another have, without leaking this info
> to P. But note that if L adds P as a remote, it also has to mark it
> readonly, to avoid leaking data.
> 
> --[[Joey]]