Thanks for CCing me.

I haven't looked at this implementation in detail, but it would be good to move this configuration into the config system because I think we can more easily provide a default safe configuration. It would be nice to use this to introduce a default list of whitelisted protocols that even applies to `git clone`.

I strongly think we need to find a way to have git-remote-ext disabled by default. This could be a way to do it.

On Wed, Nov 2, 2016 at 7:22 PM, Jonathan Nieder <jrnieder@xxxxxxxxx> wrote:
> That reminds me: external tools also set GIT_ALLOW_PROTOCOL when the
> user hasn't set it explicitly, like git-submodule.sh does. E.g.
> repo <https://gerrit.googlesource.com/git-repo/+/466b8c4e/git_command.py#171>,
> mercurial <https://www.mercurial-scm.org/repo/hg/file/b032a7b676c6/mercurial/subrepo.py#l1404>.
> Other external tools consume GIT_ALLOW_PROTOCOL, like 'go get'
> <https://go.googlesource.com/go/+/55620a0e/src/cmd/go/vcs.go#64>.
> Can we make it more convenient for them to support this configuration
> too?

Most of these are my fault too. I encouraged git-repo and mercurial to use GIT_ALLOW_PROTOCOL to avoid security issues from git-remote-ext.

--
Blake Burkhart
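
An added example, not part of this message and not code from git, repo, mercurial or go: a shell sketch of the pattern discussed above, where a wrapper honors a user-set GIT_ALLOW_PROTOCOL and otherwise applies its own default that leaves out `ext`. The default list, the function names and the simplified URL classification are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. SAFE_DEFAULT is an assumed allowlist; function names are hypothetical.
SAFE_DEFAULT="file:git:http:https:ssh"

# Honor an explicit user setting (even an empty one); otherwise use the default.
effective_allow_protocol() {
    if [ "${GIT_ALLOW_PROTOCOL+set}" = set ]; then
        printf '%s\n' "$GIT_ALLOW_PROTOCOL"
    else
        printf '%s\n' "$SAFE_DEFAULT"
    fi
}

# Simplified classification of a remote URL into a protocol name.
# Not git's own parser: it only covers helper::, scheme://, scp-like and paths.
url_protocol() {
    url=$1
    prefix=${url%%[!A-Za-z0-9+.-]*}   # leading run of scheme characters
    rest=${url#"$prefix"}
    if [ -n "$prefix" ]; then
        case $rest in
            ::*)  printf '%s\n' "$prefix"; return ;;  # remote helper, e.g. ext::
            ://*) printf '%s\n' "$prefix"; return ;;  # ordinary scheme
        esac
    fi
    case $url in
        /*|./*|../*) echo file ;;
        *:*) case ${url%%:*} in
                 */*) echo file ;;    # colon appears after a slash: a path
                 *)   echo ssh ;;     # [user@]host:path
             esac ;;
        *) echo file ;;
    esac
}

# Succeeds only if the URL's protocol is in the effective colon-separated list.
protocol_allowed() {
    case ":$(effective_allow_protocol):" in
        *":$(url_protocol "$1"):"*) return 0 ;;
        *) return 1 ;;
    esac
}
```

A wrapper would call `protocol_allowed "$url"` before handing the URL to git, and export the value printed by `effective_allow_protocol` as GIT_ALLOW_PROTOCOL for the child process.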