On Wed, Dec 15, 2021 at 7:25 AM Jonathan Tan <jonathantanmy@xxxxxxxxxx> wrote: > > Thanks, everyone, for your comments. I've followed Glen's code > suggestion and Junio's documentation suggestion, as you can see in the > range-diff. So, the basic idea is, in a setting like Google's, you can have users install additional files on their system out-of-band, and have the users specify a simple line in their configuration to make use of those additional files -- or portions thereof. It's a way of easily providing potentially large blocks of pre-vetted configuration for users. Seems to make sense. (and I've read over the code lightly, so feel free to take this as an Acked-by.) But can I back up and comment on a bigger picture item? This mechanism requires somehow getting additional files to the user separately; projects that span companies (git.git, linux.git, etc.) won't likely be able to make use of this. Scalar also has a mechanism for providing potentially large blocks of pre-vetted configuration for users. It does so as part of a new top-level command. And it does so with a very opinionated set of values that are not configurable. Thus, while I'd like to use it, they use a configuration option that would break things badly at my $DAYJOB. (Too many gradle plugins using jgit, which doesn't understand index.version=4 and will blow up with a very suboptimal error message when they see it.) And, it's very specific to scalar; we probably don't want to add a new toplevel command everytime someone wants common configuration to be easily grabbed by some user. It would be nice if we could find some more generic solution. Granted, I can't think of any, and I don't think this comment should block this particular series (nor the scalar one), but I am worrying a little bit that we're getting multiple completely different solutions for the same general problem, and each brings caveats big enough to preclude many (most?) potential users. I don't know what to do about that, especially since configuration that is too easy to propagate comes with big security problems, but I wanted to at least raise the issue and hope others have good ideas. If nothing else, I want to raise awareness to avoid proliferation of similar pre-vetted-configuration-deployment mechanisms. I'm CC'ing a couple scalar folks as well for that point.
