On Mon, 1 Feb 2010, Shawn O. Pearce wrote:

> Arun Raghavan <ford_prefect@xxxxxxxxxx> wrote:
> > This patch set reintroduces the post-upload-pack hook and adds a
> > pre-upload-pack hook. These are now only built if 'ALLOW_INSECURE_HOOKS' is set
> > at build time. The idea is that only system administrators who need this
> > functionality and are sure the potential insecurity is not relevant to their
> > system will enable it.
>
> *sigh*
>
> I guess this is better, having it off by default, but allowing an
> administrator who needs this feature to build a custom package.
>
> Unfortunately... I'm sure some distro out there is going to think
> they know how to compile Git better than we do, and enable this by
> default, exposing their users to a security hole. Ask the OpenSSL
> project about how well distros package code... :-\
>
> I'd like a bit more than just a compile time flag.

I think such hooks could be allowed only if triggered explicitly by the
upload-pack caller, such as git-daemon. That's probably the only
scenario where a useful use case can be justified for them anyway.

And of course, to avoid any security problems, the actual hooks must not
be provided by the repository owner but provided externally, like from
git-daemon, via some upload-pack command line arguments. This way the
hooks are really controlled by the system administrator managing
git-daemon and not by any random git repository owner.

That should be good enough for all the use cases those hooks were
originally designed for.

Nicolas
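
Added example, not part of the thread and not Git code: a sketch of the check a caller-supplied hook path would need before upload-pack runs it, so that only an administrator-controlled file outside the repository is accepted. The function name, the verdict enum and the admin_uid parameter are hypothetical.

```c
#define _XOPEN_SOURCE 700 /* for realpath() and PATH_MAX */
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Hypothetical verdicts for a hook path handed over by the upload-pack
 * caller (for example on the command line), never read from the repository. */
enum hook_verdict { HOOK_OK = 0, HOOK_NOT_ABSOLUTE, HOOK_UNRESOLVABLE,
                    HOOK_INSIDE_REPO, HOOK_NOT_EXECUTABLE_FILE,
                    HOOK_BAD_OWNER, HOOK_WRITABLE_BY_OTHERS };

/* admin_uid is an assumption: the account trusted to own hooks
 * (0 on a typical server). */
enum hook_verdict check_external_hook(const char *hook, const char *repo,
                                      uid_t admin_uid)
{
    char real_hook[PATH_MAX], real_repo[PATH_MAX];
    struct stat st;
    size_t n;

    if (hook[0] != '/')
        return HOOK_NOT_ABSOLUTE;      /* no lookup relative to cwd or repo */
    /* Resolve symlinks first so a link cannot point back into the repo. */
    if (!realpath(hook, real_hook) || !realpath(repo, real_repo))
        return HOOK_UNRESOLVABLE;

    n = strlen(real_repo);
    if (!strncmp(real_hook, real_repo, n) &&
        (n == 1 || real_hook[n] == '/' || real_hook[n] == '\0'))
        return HOOK_INSIDE_REPO;       /* the repository owner could supply it */

    if (stat(real_hook, &st) < 0)
        return HOOK_UNRESOLVABLE;
    if (!S_ISREG(st.st_mode) || !(st.st_mode & S_IXUSR))
        return HOOK_NOT_EXECUTABLE_FILE;
    if (st.st_uid != admin_uid)
        return HOOK_BAD_OWNER;         /* not installed by the administrator */
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return HOOK_WRITABLE_BY_OTHERS; /* group or world could replace it */
    return HOOK_OK;
}
```

The sketch checks only the hook file itself; a deployed check would also need every parent directory of the hook to be non-writable by untrusted users.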