On 10.01.24 12:08, Jeff King wrote: > On Mon, Jan 08, 2024 at 10:20:00AM -0800, Junio C Hamano wrote: > >> An obvious alternative is to have .lazygit directory next to .git directory >> which would give you a bigger separation, which can cut both ways. > > Just to spell out one of those ways: unlike ".git", we will happily > check out ".lazygit" from an untrusted remote repository. That may be a > feature if you want to be able to share project-specific config, or it > might be a terrible security vulnerability if lazygit config files can > trigger arbitrary code execution. Unless you don't version it and add it to .gitignore instead, which (I suppose) is what most people do with their .vscode/settings.json, for example. -Stefan
