On Thu, Nov 03, 2016 at 10:51:31AM -0700, Brandon Williams wrote:

> > > I don't know if I'm sold on a 'user' state just yet, perhaps that's just
> > > because I view a whitelist or blacklist as well black and white and
> > > having this user state adds in a gray area.
> >
> > Well the "user" state is to differentiate between the
> > * "I consciously typed `git clone ...` (and e.g. I know what happens as
> >   I know the server admin and they are trustworthy.)
> > * a repository contains a possible hostile .gitmodules file such
> >   that I am not aware of the network connection.
>
> This is still a gray area to me. I think that if we have a whitelist of
> protocols then it should be a true whitelist and not have some means of
> going around it. It just seems like something that could be exploited.

How do you implement:

  git clone --recursive trusted:foo.git

and use your ssh keys for the "trusted" server, but not for any servers
mentioned in .gitmodules?

You need some way of distinguishing between the two contexts (and
setting policy for each).

-Peff
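The two-context policy Peff is asking for, as an added example that is not part of the thread and not Git's own code: a small Python model of a per-protocol policy with always/never/user states, evaluated once for the URL the user typed and once for each URL read out of .gitmodules. The transport classification, the default policy table, the sample URLs and the names (Context, transport_of, is_allowed, check_clone) are this example's own assumptions, not Git's implementation.

```python
"""Model of a per-protocol transport policy with a 'user' state.

Policy values (per protocol):
  always  - allowed in every context
  never   - refused in every context
  user    - allowed only when the user typed the URL directly; refused when
            the URL came from repository data such as .gitmodules
"""
from enum import Enum
from typing import Dict, Iterable, Optional


class Context(Enum):
    USER = "user"            # the URL came from the command line
    RECURSIVE = "recursive"  # the URL was read from .gitmodules or similar


# Example defaults (an assumption of this example, not Git's shipped
# defaults): well-known transports are always allowed; any other
# transport falls back to the `default` argument of is_allowed().
DEFAULT_POLICY: Dict[str, str] = {
    "http": "always",
    "https": "always",
    "git": "always",
    "ssh": "always",
    "file": "always",
}


def transport_of(url: str) -> str:
    """Classify a Git-style URL by transport.

    Handles scheme://host/path, helper::address (the helper name is the
    transport), scp-like host:path (ssh), a Windows drive letter and bare
    local paths (file). The rules follow Git's documented URL syntax.
    """
    if "://" in url:
        return url.split("://", 1)[0].lower()
    if "::" in url:
        return url.split("::", 1)[0].lower()
    colon = url.find(":")
    slash = url.find("/")
    if colon == 1 and url[0].isalpha():
        return "file"          # C:/path style local path
    if colon > 0 and (slash == -1 or colon < slash):
        return "ssh"           # user@host:path or trusted:foo.git
    return "file"


def is_allowed(url: str, context: Context,
               policy: Optional[Dict[str, str]] = None,
               default: str = "user") -> bool:
    """Decide whether `url` may be fetched in `context` under `policy`.

    Transports absent from `policy` take `default`; the example's default
    of "user" means an unlisted transport works from the command line but
    never from repository data.
    """
    policy = DEFAULT_POLICY if policy is None else policy
    state = policy.get(transport_of(url), default)
    if state == "always":
        return True
    if state == "never":
        return False
    if state == "user":
        return context is Context.USER
    raise ValueError(f"unknown policy state {state!r}")


def check_clone(top_url: str, submodule_urls: Iterable[str],
                policy: Optional[Dict[str, str]] = None) -> Dict[str, bool]:
    """Evaluate `git clone --recursive <top_url>` as two contexts: the URL
    the user typed, then each URL read from .gitmodules. Returns url -> bool."""
    result = {top_url: is_allowed(top_url, Context.USER, policy)}
    for u in submodule_urls:
        result[u] = is_allowed(u, Context.RECURSIVE, policy)
    return result


if __name__ == "__main__":
    # Constructed scenario from the thread: ssh is "user", so the server the
    # user typed gets the ssh keys, an ssh URL from .gitmodules does not.
    policy = {"ssh": "user", "https": "always"}
    for url, ok in check_clone("trusted:foo.git",
                               ["other-host:lib.git",
                                "https://example.com/lib.git"],
                               policy).items():
        print(f"{url:30} {'allow' if ok else 'refuse'}")
```

The point the model makes concrete is that the policy value is not enough on its own; the decision also needs the context flag, and the caller (here check_clone) is what carries that flag from "typed by the user" to "read from the repository".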