Jonathan Tan <jonathantanmy@xxxxxxxxxx> writes:

> "Glen Choo via GitGitGadget" <gitgitgadget@xxxxxxxxx> writes:
>> From: Glen Choo <chooglen@xxxxxxxxxx>
>>
>> For security reasons, there are config variables that are only trusted
>> when they are specified in extra-trustworthy configuration scopes, which
>
> Probably better to delete "extra-trustworthy", or at least "extra-" -
> it's better to explain why and how they're trustworthy, which you have
> already done in the commit message.

Hm, do you find it superfluous, misleading or something else entirely?
The use of "extra-" was quite intentional. I'm afraid that if we
describe protected config as "trustworthy", we insinuate that
local/worktree config is "untrustworthy" (but of course this isn't
always true, Git usually uses repo config.)

>> diff --git a/Documentation/git-config.txt b/Documentation/git-config.txt
>> index 5e4c95f2423..2b4334faec9 100644
>> --- a/Documentation/git-config.txt
>> +++ b/Documentation/git-config.txt
>
> [snip]
>
>> +Protected config refers to the 'system', 'global', and 'command' scopes. Git
>> +considers these scopes to be especially trustworthy because they are likely
>> +to be controlled by the user or a trusted administrator. An attacker who
>> +controls these scopes can do substantial harm without using Git, so it is
>> +assumed that the user's environment protects these scopes against attackers.
>> +
>> +For security reasons, certain options are only respected when they are
>> +specified in protected config, and ignored otherwise.
>
> Also "especially trustworthy" here.
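
Review bot: the last added paragraph of the git-config.txt hunk says "certain options are only respected when they are specified in protected config" without naming those options or pointing to where they are documented, so a reader cannot tell which settings will be ignored when placed in local or worktree config. Suggest listing the affected options here, or adding a cross-reference to them and having each option's own entry state that it is honoured only in the 'system', 'global', and 'command' scopes.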