Re: [RFC PATCH 0/2] Allow adding .git files and directories

On Fri, 21 Aug 2020 22:52:37 +0000
"brian m. carlson" <sandals@xxxxxxxxxxxxxxxxxxxx> wrote:

> On 2020-08-21 at 12:39:41, Lukas Straub wrote:
> > The downsides we discussed don't apply in this use case. These are mostly
> > personal files, so I won't upload them to any hosting site (not even private
> > ones). There is no security impact as I only sync with trusted devices.  
> 
> I realize this works for you, but in general Git's security model does
> not permit untrusted configuration files or hooks.  Configuration can
> have numerous different commands that Git may execute and it is not, in
> general, safe to share across users.  This is why Git does not provide a
> way to sync whole repositories, only the objects within them.
> 
> Adding the ability to transport configuration through a repository is a
> security problem because it allows an attacker to potentially execute
> arbitrary code on the user's machine, and I can tell you that many, many
> people do clone untrusted repositories.  Just because you are aware of
> the risks, are comfortable with them, and are the only user in this
> scenario does not mean that this feature is a prudent one to add to Git.
> It violates our own security model, and as such, isn't a feature we're
> going to want to add.

I don't understand. If the attacker gets the user to set git config options,
then all hope is lost anyways, no?

Regards,
Lukas Straub

> I want to be clear that it is not that we don't see your use case as
> valuable or important, only that we can't see a way to implement it
> securely as proposed.  Warning users unfortunately isn't sufficient
> because users tend not to read documentation.
> 
> Multiple core contributors representing various aspects of the Git
> community have weighed in, and it looks like the answer is unanimous.
> 
> Sorry for the bad news.
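
The point above, that configuration can name commands Git will execute, as an added example (not code from this thread or from the Git project): a small Python audit that reads `.git/config`-style text and lists the entries that make Git run a program. The key list is a non-exhaustive selection from the git-config documentation, the parser is simplified (no includes, line continuations or inline comments), and the sample config is constructed.

```python
import re

# Keys that git-config documents as naming a program or shell command to run.
# Non-exhaustive; section and key are lowercased, subsection keeps its case.
EXEC_KEYS = re.compile(
    r"^(core\.(fsmonitor|sshcommand|pager|editor|hookspath|gitproxy)"
    r"|sequence\.editor|gpg\.program|diff\.external|credential(\..+)?\.helper"
    r"|pager\..+|filter\..+\.(clean|smudge|process)"
    r"|diff\..+\.(textconv|command)|merge\..+\.driver)$"
)
SECTION = re.compile(r'^\[\s*([A-Za-z0-9.-]+)(?:\s+"((?:[^"\\]|\\.)*)")?\s*\]')

# Constructed sample input; every value is a placeholder.
SAMPLE = '''\
[core]
    bare = false
    sshCommand = example-ssh-wrapper
    fsmonitor = ./example-hook.sh
[remote "origin"]
    url = https://example.invalid/repo.git
[alias]
    st = status
    up = !sh ./example.sh
[filter "demo"]
    smudge = example-smudge %f
'''

def parse(text):
    """Yield (name, value) pairs from git-config text (simplified parser)."""
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION.match(line)
        if m:
            section = m.group(1).lower()
            if m.group(2) is not None:
                section += "." + m.group(2)
            line = line[m.end():].strip()  # "[sec] key = v" may share a line
            if not line:
                continue
        key, _, value = line.partition("=")
        yield f"{section}.{key.strip().lower()}", value.strip().strip('"')

def audit(text):
    """Return the (name, value) entries that would cause Git to run a command."""
    return [(n, v) for n, v in parse(text)
            if EXEC_KEYS.match(n) or (n.startswith("alias.") and v.startswith("!"))]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Running it over a config received from elsewhere before using that repository shows which entries would need review; hooks in `.git/hooks` are executable files rather than config entries and are not covered by this check.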
