Saturday, 12 September 2020

Providing source code when submitting papers: how to give anonymous but protected access

When submitting an academic paper for review, it is often a good idea to provide access to the research code as well. Even if reviewers only rudimentary scroll through the code, it shows you are committed to releasing the code once the paper is published.

The problem is that often you want to provide reviewers anonymous access to your code, but don't want the code to be accessible publicly. In this blog post, I'll explain how to provide read-only (anonymous) access to a GitLab repository. The end result is that you can instruct reviewers to execute the following command:

git clone https://gitlab.com/anongroup/anonproject.git

where they use the token "anonymous" as the username and a generated password. This token provides read-only access and can easily be revoked if needed (this login info isn't a GitLab account). You can easily include these instructions in a paper, giving reviewers access to the code without revealing your GitLab username in the URL, and while protecting access to the code using a password.

How to configure this in practice?

First, to assure the git URL won't contain your username, you have to create a new group on GitLab with an anonymous name. The name of this group will replace "anongroup" in the above example URL.

Second, in this group create a new project (i.e. repository) with an anonymous name. The name of this project will replace "anonproject" in the above example URL. You will now have a git URL containing only anonymous identifiers.

Finally, to provide read-only access to this repository, open the repository, go to Settings, and then to Repository. Then create a Deploy Token and select that the token provides read-only access. For the username we'll pick "anonymous". Then configure when the token expires: make sure it stays valid during the complete review process! Finally, click on "Create deploy token", and GitLab will automatically generate a password for this token.

Viola! The resulting token can only be used to clone the repository. Note that this token cannot be used to log into GitLab and view the repository in a browser. This token can only be used to directly clone the git repository using, for example, the command above.

Remember to create commits under an anonymous identity as well! That can easily be done using:

    git config user.name "Paper 1"
    git config user.email "anon@mail.com"

The configured name and email will only be used in the git repository you are currently in. A final tip is to include a README file in the repository, which can for example be written in Markdown and then converted to HTML.