On Sat, Nov 26, 2011 at 03:47:09PM -0800, Junio C Hamano wrote:

> > My point is to make it available, give it safe
> > semantics by default, and let people who are running daemon-like service
> > (i.e., where the admin controls the daemon and arbitrary users can't
> > write into the hooks directory) use it by setting an environment
> > variable, rather than patching git.
>
> I think we're on the same page on that point, and this thread is to find
> such a safe default and safe semantics when enabled.
>
> Unfortunately neither your "trusted" switch nor checking the gid of the
> repository is that safe thing (the sane default part is easy; do not allow
> it by default).

Sorry, why is the trusted switch not a sane thing? By turning it on, you
are saying "it's OK to run arbitrary code from the repo as the current
user". It's _exactly_ what some people are going to want to do[1],
regardless of any other heuristics. Sure, maybe it's giving people rope to
hang themselves with, but I don't see a problem with that as long as the
issues are clearly laid out in the documentation.

-Peff

[1] An alternate and even more flexible form is to not just say "it's OK
to run hooks", but to say "run this particular hook as a pre-upload-hook"
without any regard for what's in $GIT_DIR/hooks. It is a superset of the
other form, because of course the hook you tell it to run can be
"sh $GIT_DIR/hooks/pre-upload-pack".
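The two opt-in forms argued over above (a "trusted" switch that permits the repository's own $GIT_DIR/hooks/pre-upload-pack to run, and the footnote's explicit "run this command as the pre-upload hook" form that ignores $GIT_DIR/hooks entirely), sketched as POSIX shell. This is an added illustration, not code from git or from the thread participants. The environment variable names GIT_TRUST_REPO_HOOKS and GIT_PRE_UPLOAD_HOOK are assumptions chosen for the example; git never shipped a pre-upload-pack hook under these names. The default, with neither variable set, is to run nothing from the repository.

```shell
#!/bin/sh
# Added example (not git's code). Hypothetical knobs:
#   GIT_PRE_UPLOAD_HOOK   - admin-supplied command line; $GIT_DIR/hooks is ignored
#   GIT_TRUST_REPO_HOOKS  - "1" means the repo's own hooks/pre-upload-pack may run
# Neither set: safe default, nothing from the repository is executed.

# Print the command that would run as the pre-upload hook, or "none".
# $1 = path of the repository's GIT_DIR.
select_pre_upload_hook() {
    git_dir=$1

    # Explicit form: the admin names the command, so the repository has no
    # say at all in what runs. This is the superset form from the footnote.
    if [ -n "${GIT_PRE_UPLOAD_HOOK:-}" ]; then
        printf '%s\n' "$GIT_PRE_UPLOAD_HOOK"
        return 0
    fi

    # Trusted-switch form: only when the admin opted in, and only if the hook
    # is a regular executable file rather than a symlink pointing elsewhere.
    hook="$git_dir/hooks/pre-upload-pack"
    if [ "${GIT_TRUST_REPO_HOOKS:-0}" = 1 ] \
        && [ ! -L "$hook" ] && [ -f "$hook" ] && [ -x "$hook" ]; then
        printf '%s\n' "$hook"
        return 0
    fi

    # Default: do not run code that came from the repository.
    printf 'none\n'
    return 0
}

# Execute whatever select_pre_upload_hook chose. The explicit form is run
# through "sh -c" so it may be a command line such as
# 'sh "$GIT_DIR/hooks/pre-upload-pack"', as the footnote describes.
# $1 = path of the repository's GIT_DIR.
run_pre_upload_hook() {
    git_dir=$1
    cmd=$(select_pre_upload_hook "$git_dir")
    if [ "$cmd" = none ]; then
        return 0
    fi
    GIT_DIR=$git_dir sh -c "$cmd"
}

# Usage, e.g. from a daemon wrapper:
#   GIT_PRE_UPLOAD_HOOK='/usr/local/lib/git/log-upload' run_pre_upload_hook /srv/git/repo.git
```

Note that the executable/regular-file test in the trusted branch is a sanity check, not a security boundary: once GIT_TRUST_REPO_HOOKS is on, anyone who can write to the repository's hooks directory runs code as the daemon user, which is exactly the trade-off the message says should be documented rather than hidden behind heuristics.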