Jeff King wrote:

> We could even give it an environment variable, which would allow
> something like:
>
>   tar xf maybe-evil.git.tar
>   cd maybe-evil
>   export GIT_TRUST_REPO=false
>   git log

Interesting idea. Putting it in an envvar means it gets inherited by
child processes, which if I understand you correctly is a good thing.

[...]

> 1. We have to manually annotate any "dangerous" code to act more
>    safely when it sees the flag. Which means it's highly likely to
>    a spot, or to add a new feature which doesn't respect it. And
>    suddenly that's a security hole. So I'm concerned it may create a
>    false sense of security and actually make things worse.

As an internal implementation detail, this is so obviously fragile
that it wouldn't give me any feeling of security. ;-) So it should be
strictly an improvement.

As a public-facing feature, I suspect it's a bad idea for exactly that
reason.

FWIW for pager specifically I am going for a whitelisting approach:
new commands would have to explicitly set ALLOW_PAGER if they want to
respect pager config. That doesn't guarantee people think about it
again as things evolve but it should at least help with getting the
right setting for new plumbing.

Thanks,
Jonathan