Philip Oakley <philipoakley@iee.email> writes:

> Can I check that storing bundles (of other repos) within a repository is
> considered reasonably safe?

I think the threat model we are protecting against is that we shouldn't
have to worry about "git clone" and then "cd" into the hierarchy. If you
did "make" in there and their Makefile (or "runme.sh" shipped as part of
the tree) is malicious, that is not something we can solve.

So, I would say it is safe to have a bundle, as in its stationary state
it does not actively do anything bad, even when you did "ls" in a
directory that stores it.

> I have been looking at how Git's documentation could carry with it small
> exemplar repositories that cover the commit hierarchies shown in the
> various man pages to allow users to see, explore and understand the man
> page examples. I'd settled on bundles as a reasonable compromise, with
> the exemplar repositories being generated via the test suite
> (obviously). With the recent focus on security issues, I thought it
> worth asking now.

A bundle would be an OK vehicle. This depends on the size of the sample
project, but another approach that may be more suitable may be to create
the repository on the fly in the "test suite" you were planning to use to
extract from the bundle.
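The following is an added example, not code from this thread or from Git's own test suite, showing the "generate on the fly" approach discussed above together with the check a practitioner would run before consuming a bundle: a throw-away exemplar repository is built, packed with `git bundle create --all`, and then checked with `git bundle verify` from an empty repository, which proves the bundle is well-formed and self-contained (no prerequisite commits) before anything is cloned from it. The function names, the three-commit exemplar graph and the temporary paths are assumptions for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper names): build an exemplar repo on the
# fly, bundle it, verify the bundle, and only then clone from it.
set -eu

# make_exemplar DIR: create a small repository with two commits on the
# default branch and a third on a "topic" branch (a constructed graph).
make_exemplar() {
    dir=$1
    git init -q "$dir"
    (
        cd "$dir"
        git config user.name "Doc Example"
        git config user.email "doc@example.invalid"
        printf 'one\n' > file && git add file && git commit -q -m "A"
        printf 'two\n' > file && git add file && git commit -q -m "B"
        git checkout -q -b topic
        printf 'three\n' > other && git add other && git commit -q -m "C"
        git checkout -q -   # return HEAD to the default branch
    )
}

# make_bundle DIR OUT: pack every ref of DIR (including HEAD) into OUT.
# With no revision range there are no prerequisites, so the bundle can be
# cloned directly.
make_bundle() {
    git -C "$1" bundle create "$2" --all
}

# check_bundle OUT: the check to run before unbundling. 'git bundle verify'
# rejects files that are not bundles and bundles whose prerequisite
# commits are missing; verifying from an empty repository proves that
# this bundle is self-contained. Returns 0 if the bundle is acceptable.
check_bundle() {
    scratch=$(mktemp -d)
    git init -q "$scratch"
    if git -C "$scratch" bundle verify "$1" >/dev/null 2>&1; then
        rm -rf "$scratch"
        return 0
    fi
    rm -rf "$scratch"
    return 1
}

# count_commits OUT: clone the bundle (the file is inert until a command
# consumes it) and report how many commits it carried across all refs.
count_commits() {
    scratch=$(mktemp -d)
    git clone -q "$1" "$scratch/clone"
    n=$(git -C "$scratch/clone" rev-list --all --count)
    rm -rf "$scratch"
    echo "$n"
}
```

Run it as `tmp=$(mktemp -d); make_exemplar "$tmp/repo"; make_bundle "$tmp/repo" "$tmp/ex.bundle"; check_bundle "$tmp/ex.bundle" && count_commits "$tmp/ex.bundle"` after sourcing the file; `count_commits` reports 3 for the constructed graph. Note that `git bundle verify` checks the bundle header and prerequisites, not the integrity of every object in the embedded pack; a clone or fetch (which indexes the pack) is what surfaces corrupt objects, so the verify step is a precondition, not a substitute for letting Git unpack the data.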