On Fri, Jan 27, 2012 at 11:01:00AM +0700, Nguyen Thai Ngoc Duy wrote: > On Thu, Jan 26, 2012 at 2:42 PM, Jeff King <peff@xxxxxxxx> wrote: > > +Security Considerations > > +~~~~~~~~~~~~~~~~~~~~~~~ > > + > > +Because git configuration may cause git to execute arbitrary shell > > +commands, it is important to verify any configuration you receive over > > +the network. In particular, it is not a good idea to point `include.ref` > > +directly at a remote tracking branch like `origin/master:shared-config`. > > +After a fetch, you have no way of inspecting the shared-config you have > > +just received without running git (and thus respecting the downloaded > > +config). Instead, you can create a local tag representing the last > > +verified version of the config, and only update the tag after inspecting > > +any new content. > > It may be a good idea to tell users the ref include.ref points to has > been updated at the end of git-fetch. Showing a diff is even better. I really didn't want to have to let other parts of git know or care about this mechanism. At least not for now. In the long run, I have no problem with some porcelain growing up around the feature to make it simpler to use. But I'd really rather focus on the bare-bones functionality for now, see how people use it, and then find ways to address deficiencies in their workflows once we have data. -Peff -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html