On Tue, Apr 26, 2022 at 05:41:36PM +0200, Johannes Schindelin wrote: > This idea to disable "just the unsafe parts" has come up before, and I do > not really like it. It would change Git's behavior in inconsistent, > hard-to-explain ways. For example, we would have to disable clean/smudge > filters, which would then break, say, Git LFS. I share your sentiment on the "don't read the unsafe parts" bit. I think replacing our behavior from 2.35.2 from "bail on every execution of Git in an unowned directory not listed in safe.directory" to "emit a warning and don't read config/hooks in an unowned [...]" is a little friendlier in the sense that it would avoid breaking too many workflows without opening us up to the attack described and mitigate by that release. A warning is definitely appropriate to tell users when we are and aren't reading config. I strongly dislike "read some parts of config and not others" though, since it seems (a) even harder to explain and inconsistent than this, and (b) extremely error prone and fragile in the sense that we are unlikely to completely enumerate every possible config -> execution path in git-config(1). Thanks, Taylor
