On Thu, Jan 11, 2024 at 08:17:14AM +0100, Patrick Steinhardt wrote: > > Right, it's not config itself that's unsafe; it's that many options are. > > We could try to annotate them to say "it is OK to parse core.eol but not > > core.pager", presumably with an allow-known-good approach (since so many > > ard bad!). But that feels like an ongoing maintenance headache, and an > > easy way to make a mistake (your mention of terminal sequences makes me > > assume you're thinking of "color.diff.*", etc). A rule like "we do not > > read repo-level config at all" seems easier to explain (to me, anyway). > > With the exemption of the repository format, I assume? We have to parse > things like `core.repositoryFormatVersion` and extensions in order to > figure out how a repository has to be accessed. So I agree that we > should not partition config based on safeness, which is going to be a > headache as you rightly point out. But we can partition based on whether > or not config is required in order to access the repository, where the > set of relevant config keys is a whole lot smaller. Right. See the pseudo-patch I posted earlier. I think we just want to touch do_git_config_sequence(), which leaves repo discovery and stuff like "git config --local" working. -Peff
