On 4/26/2022 1:00 PM, Derrick Stolee wrote:
> I've been having a few discussions internally and externally with folks
> about the 2.35.2 release and the safe.directory config value. After
> stumbling a little with a too-technical proposal, I (along with Taylor)
> figured out that I was jumping into "solutions" mode without first talking
> about the problem and agreeing on common language there.

> I'm hoping to start a conversation in this thread about "What is Git's
> security boundary?" so we can have an established base to work from for
> future security incidents or protections.

I'm back from a vacation, and haven't seen any response to this message.
I thought this would be an interesting topic that would create a lot of
valuable discussion, but that has not happened. I have a few ideas of why
that could be:

1. It's long, so readers put it off until it fell off the end of their
   inboxes.
2. The fixes for 2.36.1 have been taking priority.
3. There are no patches, so I should submit code if I want concrete
   feedback.
4. I'm so off base that it's not even worth replying.

Of course, it could be a combination of these or any number of other
things.

I'm sending this email as a hopeful ping that this topic could use some
feedback. I'm looking forward to your ideas.

Thanks,
-Stolee