>> protocol.X.allow = always | user | never
>
> It sounds like there is interest for this sort of behavior, it would
> definitely require a larger change than what I initially proposed. One
> problem I see though is that with this we have support for both a
> blacklist and a whitelist. Which wins?

For the submodule operations we'll use a whitelist, because we want to
provide security and for the other case we can offer a blacklist as a
bandaid.

My opinion on blacklists is roughly aligned with e.g.:
https://blog.codinghorror.com/blacklists-dont-work/
http://blog.deepinstinct.com/2016/02/04/when-blacklists-dont-really-work/

So IMHO we could drop the "never" and substitute it with a "warn" or
"ask-user", such that this configuration becomes a white list for both
cases:

    protocol.X.allow = always | user | warn

> Or do we simply generate a
> whitelist of allowed protocols which includes all protocols with allow
> set to 'always' and if it is set to 'never' then it just isn't included
> in the whitelist?

So you're suggesting that setting it to "never" doesn't have any effect
except for cluttering the config file? I don't think we should do that;
each setting should have an impact. So maybe the "never" would be there
to disallow protocols of the hardcoded white list (e.g. http)

>
> I don't know if I'm sold on a 'user' state just yet, perhaps that's just
> because I view a whitelist or blacklist as well black and white and
> having this user state adds in a gray area.

Well the "user" state is to differentiate between the

* "I consciously typed `git clone ...`" (and e.g. I know what happens as
  I know the server admin and they are trustworthy.)
* a repository contains a possible hostile .gitmodules file such that
  I am not aware of the network connection.