On Fri, Nov 25, 2011 at 8:46 AM, Sitaram Chamarty <sitaramc@xxxxxxxxx> wrote:
> (...and/or a post-upload hook)
>
> Has this ever come up?

Sorry for the google-fu fail and for replying to my own post.

http://git.661346.n2.nabble.com/Removal-of-post-upload-hook-td4394312.html is the longest thread I (later) found. The quick summary, in the words of Jeff (second post in that link) is:

"Because [upload]-pack runs as the user who is [fetching], not as the repository owner. So by convincing you to [fetch from] my repository in a multi-user environment, I convince you to run some arbitrary code of mine."

My contention (today) is:

- you're already taking that risk for push
- so this would add a new risk only for people who fetch but don't push
- which, I submit, is a very small (if not almost empty) set of people

I may be wrong but I imagine shared environments are those where almost everyone will push at least once in a while. It's a closed group of people, probably all developers, etc etc etc...

Thanks for listening.
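The risk described in the message above comes from hooks in a shared repository running as whoever pushes (or fetches), not as the repository owner. The following is an added example, not part of the original post or of git: a shell check that lists active hooks owned by anyone other than a trusted uid. The function names, the default of trusting only the invoking user, and the demo repository are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): list active hooks in a
# repository that are owned by someone other than a trusted uid.
# Assumption: hooks live in <repo>/hooks (bare) or <repo>/.git/hooks;
# a core.hooksPath override in the repository config is not followed.

owner_uid() {
    # Numeric owner of a file, taken from field 3 of POSIX `ls -n`.
    ls -ldn "$1" | awk '{print $3}'
}

foreign_hooks() {
    # $1 = repository path, $2 = trusted uid (default: invoking user).
    repo=$1
    trusted=${2:-$(id -u)}
    for dir in "$repo/hooks" "$repo/.git/hooks"; do
        [ -d "$dir" ] || continue
        for hook in "$dir"/*; do
            # git only runs hooks that are executable regular files;
            # the shipped *.sample files are never run under that name.
            [ -f "$hook" ] && [ -x "$hook" ] || continue
            case $hook in *.sample) continue ;; esac
            uid=$(owner_uid "$hook")
            [ "$uid" = "$trusted" ] || printf '%s (uid %s)\n' "${hook##*/}" "$uid"
        done
    done
}

# Constructed sample input: a fake bare repository with one active hook,
# one non-executable hook and one executable .sample file.
make_demo_repo() {
    d=$(mktemp -d) && mkdir "$d/hooks" || return 1
    printf '#!/bin/sh\n' > "$d/hooks/post-receive"
    printf '#!/bin/sh\n' > "$d/hooks/update"
    printf '#!/bin/sh\n' > "$d/hooks/pre-receive.sample"
    chmod u+x "$d/hooks/post-receive" "$d/hooks/pre-receive.sample"
    chmod a-x "$d/hooks/update"
    echo "$d"
}

# Stand-alone use: ./foreign-hooks.sh /path/to/repo [trusted-uid]
[ "$#" -eq 0 ] || foreign_hooks "$@"
```

An empty result means every active hook found is owned by the trusted uid; it says nothing about what those hooks do.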