brian m. carlson wrote:
> > proposal was to introduce a way to cross-check the SHA-256 of hooks that
> > _were_ written during a clone operation against a list of known-good ones.
> > Another alternative was to special-case Git LFS by matching the hooks'
> > contents against a regular expression that matches Git LFS' current
> > hooks'.
>
> I have replied to those on the security list and to the general idea. I
> don't think we should special-case Git LFS here. That's antithetical to
> the long-standing ethos of the project.

I was surprised today to find that git-annex also triggers the hook
problem. In particular, a git clone that uses git-remote-annex can cause
several hooks to get created.

I think the hook check is already scheduled for reversion, but in case
not, here's another data point against hard-coding known-good hooks as a
solution.

--
see shy jo