On 11/04, Stefan Beller wrote: > By default, if unset, ... have a default policy ... > sounds strange. How about just dropping the first 4 words here: > > Known-safe protocols (http, https, git, ssh, file) have a > default policy of `always`, known-dangerous protocols (ext) have a > default policy of `never`, and all other protocols have a default policy > of `user`. Supported policies: > > > What happens if protocol.allow is set to true? That wouldn't be allowed, its an unknown value as the only permitted values are always, never, and user. > > > > > + if unset, known-safe protocols (http, https, git, ssh, file) have a > > + default policy of `always`, known-dangerous protocols (ext) have a > > + default policy of `never`, and all other protocols have a default policy > > + of `user`. Supported policies: > > ++ > > +-- > > + > > +* `always` - protocol is always able to be used. > > + > > +* `never` - protocol is never able to be used. > > + > > +* `user` - protocol is only able to be used when `GIT_PROTOCOL_FROM_USER` is > > + either unset or has a value of 1. This policy should be used when you want a > > + protocol to be usable by the user but don't want it used by commands which > > + execute clone/fetch/pull commands without user input, e.g. recursive > > + submodule initialization. > > + > > +-- > > + > > +protocol.<name>.allow:: > > + Set a policy to be used by protocol <name> with clone/fetch/pull commands. > > How does this interact with protocol.allow? > > When protocol.allow is set, this overrides the specific protocol. > If protocol is not set, it overrides the specific protocol as well(?) protocol.allow is a default for protocols which don't have a specific protocol.<name>.allow entry > > + test_expect_success "clone $desc (disabled)" ' > > + rm -rf tmp.git && > > + test_must_fail git clone --bare "$url" tmp.git > > + ' > > > I could not spot a test for GIT_ALLOW_PROTOCOL overriding > any protocol*allow policy. Is that also worth testing? (for > backwards compatibility of tools that make use of GIT_ALLOW_PROTOCOL > but the user already setup a policy. I can add in one quick test for that. -- Brandon Williams