On Mon, Jan 08, 2024 at 10:20:00AM -0800, Junio C Hamano wrote: > Stefan Haller <lists@xxxxxxxxxxxxxxxx> writes: > > > Our git client (lazygit) has a need to store per-repo config files that > > override the global one, much like git itself. The easiest way to do > > that is to store those in a .git/lazygit.cfg file, and I'm wondering if > > there's any reason why this is a bad idea? > > An obvious alternative is to have .lazygit directory next to .git directory > which would give you a bigger separation, which can cut both ways. Just to spell out one of those ways: unlike ".git", we will happily check out ".lazygit" from an untrusted remote repository. That may be a feature if you want to be able to share project-specific config, or it might be a terrible security vulnerability if lazygit config files can trigger arbitrary code execution. -Peff
