On Tue, Aug 24, 2010 at 12:01:27AM -0500, Jonathan Nieder wrote: > > Which does bring up one interesting boundary. If I run: > > > > git -c receive.denyDeletes=false git push > > > > what should happen? Obviously with cross-server communication the > > environment won't get passed. I am inclined to say that even for local > > cases, receive-pack should clear the string. > > Sticky. I agree with you that that would follow the principle of > least surprise. > > On the other hand if I use > > git push --receive-pack='git -c receive.denyDeletes=false receive-pack' > > then I would expect it to work. I don't think this is a security > problem because I already could have set the remote $GIT_CONFIG just > as easily. Yeah, I think you are right. Anybody who was trying to cross a setuid boundary with receive-pack is already screwed unless they are cleansing the environment. And I would hope that any such cleansing would be allow-known-good, so the new variable would be blocked along with GIT_CONFIG. So I doubt we are making anything worse, security-wise. I do think we should still remove the variable in the local transport for the sake of least surprise, and I agree that your example above should work. -Peff -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html