"brian m. carlson" <sandals@xxxxxxxxxxxxxxxxxxxx> writes: > ... We've seen security > problems in the past with .gitmodules multiple times because it's > server-sent config (in the repository). Exactly. For some reason some people still seem to think that it is wasteful that we force users to approve/reject copying from .gitmodules to .git/config and push to read and use settings directly from the former---I think it is a huge mistake. > As a result, I'm very much opposed to allowing any config options to be > copied from the server. +1. > It's also the standard approach that every project uses already, and it > has the benefit that the user can inspect it at their leisure before > running it. +100 ;-)
