On Thu, Feb 02, 2012 at 02:57:14AM +0100, demerphq wrote: > > Not really. > > > > I do not think whatever "utility" value outweighs the hassle of having to > > think through the ramifications (including but not limited to security) of > > running arbitrary user command every time a value is looked up. > > Why is that your problem? If I have to enable it then isn't that my choice? >From a security perspective, you want to make sure that people who aren't interested in your feature don't accidentally trigger it. E.g., imagine I currently run a locked-down git repo but execute some commands on your behalf, and I allow you to set a few "known safe" config options like user.email. Even though I am not interested in your feature, respecting "!rm -rf /" in the user.email you give me would be a bad thing. It's not an insurmountable problem. There could be options to turn it on, or turn it off, or whatever. Or we could shrug and say that config is already dangerous to let other people set (which it is already, but only for some options). But those are the sorts of ramifications that need to be thought through. (Another one is that with our current strategy, we actually read and parse the config files multiple times. Should your program get run many times?). -Peff -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html