On Mon, Apr 25, 2016 at 05:24:50PM -0400, Jeff King wrote:

> It does mean that somebody would be stuck who really wanted to run the
> smudge filter in their local repo, but for some reason not in the
> subrepos. I am trying to think of a case in which that might be
> security-relevant if you didn't trust the sub-repos[1]. But I really
> don't see it. The filter is arbitrary code, but that's specified by the
> user; we're just feeding it possibly untrusted blobs.

I forgot my [1], which was going to be:

I wonder if there are any interesting things you can do by feeding
git-lfs untrusted content (e.g., convincing it to hit arbitrary URLs).
But I don't think so. The URL is derived from the remote, and the LFS
pointer files just contain hashes.

That's all orthogonal to this thread anyway, though. People using LFS
generally have the config in ~/.gitconfig, so they run it for all repos,
trusted and untrusted.

-Peff
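As an added illustration of the point above that LFS pointer files carry nothing but hashes (example code, not part of this thread and not code from git or git-lfs): a strict parser for the pointer format as laid out in the git-lfs pointer spec (layout assumed here), which rejects any blob content that is not exactly that format, so an untrusted blob fed to the smudge step cannot supply a URL or anything else to act on.

```python
import re

# Added example, not code from git or git-lfs. Assumes the layout from the
# git-lfs pointer spec: "key value" lines, "version" first, other keys in
# alphabetical order, oid = "sha256:" + 64 lowercase hex chars, size decimal.
VERSION_URL = "https://git-lfs.github.com/spec/v1"
OID_RE = re.compile(r"^sha256:([0-9a-f]{64})$")
KEY_RE = re.compile(r"^[a-z0-9.-]+$")


def parse_pointer(data: bytes) -> dict:
    """Return {'oid': hex, 'size': int}; raise ValueError on anything else."""
    # Blob content is untrusted; only values passing every check may drive a lookup.
    if len(data) > 1024:  # real pointers are three short lines
        raise ValueError("too large to be a pointer")
    text = data.decode("ascii")  # UnicodeDecodeError is a ValueError too
    if not text.endswith("\n"):
        raise ValueError("missing trailing newline")
    fields = {}
    for n, line in enumerate(text[:-1].split("\n"), 1):
        key, sep, value = line.partition(" ")
        if not sep or not KEY_RE.match(key) or key in fields or value != value.strip():
            raise ValueError(f"malformed line {n}: {line!r}")
        if n == 1 and key != "version":
            raise ValueError("version must be the first key")
        fields[key] = value
    if fields.get("version") != VERSION_URL:
        raise ValueError("unsupported version")
    rest = [k for k in fields if k != "version"]
    if rest != sorted(rest):
        raise ValueError("keys after version must be alphabetical")
    oid = OID_RE.match(fields.get("oid", ""))
    if not oid:
        raise ValueError("oid must be sha256:<64 hex digits>")
    size = fields.get("size", "")
    if not size.isdigit():
        raise ValueError("size must be a decimal integer")
    return {"oid": oid.group(1), "size": int(size)}


def is_pointer(data: bytes) -> bool:
    """True only for a well-formed pointer; anything else is an ordinary blob."""
    try:
        return parse_pointer(data) is not None
    except ValueError:
        return False


# Constructed samples: a valid pointer, and a blob that puts a URL in the oid.
GOOD = b"version https://git-lfs.github.com/spec/v1\noid sha256:" + b"ab" * 32 + b"\nsize 12345\n"
BAD = GOOD.replace(b"sha256:" + b"ab" * 32, b"https://example.invalid/x")
```

A smudge filter built on this treats anything that fails `is_pointer` as ordinary file content and never derives a lookup from it; the download URL still comes only from the configured remote.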