On Mon, Oct 05, 2020 at 12:32:02AM -0700, Jonathan Nieder wrote: > Jeff King wrote: > > > About 2 years ago as part of a security release we made it illegal to > > have a symlinked .gitmodules file (refusing it both in the index and via > > fsck). At the time we discussed (on the security list) outlawing > > symlinks for other .git files in the same way, but we decided not to do > > so as part of the security release, as it wasn't strictly necessary. > > > > We publicly revisited the topic in: > > > > https://lore.kernel.org/git/20190114230902.GG162110@xxxxxxxxxx/ > > > > but there were a few fixes needed, and it got forgotten. So here it is > > again, with those fixes: > > Oh! I'm excited --- at $DAYJOB we've been carrying that patch since > then; I'll be happy to drop it. :) Part of my ulterior motive is that we've been carrying a patch at GitHub to pass O_NOFOLLOW when opening in-tree attributes and ignore files (which we don't normally do on our servers, but do for things like GitHub Pages). But I think O_NOFOLLOW isn't perfectly portable (despite being in POSIX), and the patch is rather invasive. I also looked at one point into preventing just out-of-tree symlinks. That helps with out-of-repo reads, but it doesn't change the fact that in-index reads of symlinks are broken. We _could_ change that with a lot of work, but I don't think anybody cares enough about the feature to do so. -Peff