On August 19, 2020 2:04 PM, Junio C Hamano > To: Lukas Straub <lukasstraub2@xxxxxx> > Cc: git <git@xxxxxxxxxxxxxxx>; Elijah Newren <newren@xxxxxxxxx>; > Brandon Williams <bwilliams.eng@xxxxxxxxx>; Johannes Schindelin > <Johannes.Schindelin@xxxxxx>; Jeff King <peff@xxxxxxxx> > Subject: Re: [RFC PATCH 0/2] Allow adding .git files and directories > > Lukas Straub <lukasstraub2@xxxxxx> writes: > > > These patches allow this and work well in a quick test. Of course some > > tests fail because with this the handling of nested git repos changed. > > In other words, this breaks the workflow existing users rely on, right? I do > not know if such a behaviour ever needs to exist even as an opt-in feature, > but it definitely feels wrong to make the behaviour these patches introduce > the default. I am concerned about broader implications. I might be stating the obvious, but a key security vulnerability that would open up here is to put contents of files like .git/config into a repository. This capability would allow scripts to be introduced without the explicit knowledge of the user. While I'm sure some of the heavy clean/smudge users might appreciate it, this can represent a vector for the introduction of hostile code into an environment. While this enhancement seems like a good idea on the surface, if it goes forward, it should not be the default and should not be under the control of the upstream repository. You would need loads of warnings about potential script hazards at the very least presented to the user, beyond what is already documented in git. This change would not interoperate with JGit - not that that is a huge concern here, but heavy Jenkins and other pipeline users could be significantly impacted. Just putting my CSIO hat on here. We would need a system-wide setting to prohibit users from using this capability. Sincerely, Randall -- Brief whoami: NonStop developer since approximately 211288444200000000 UNIX developer since approximately 421664400 -- In my real life, I talk too much.
