Danoloan <danolo@xxxxxxxxxxx> writes:

> the old one. This is typical when the new URL may be a fork or a mirror
> in another server.

Isn't the flip side of the same coin that you can sneak in a change
to .gitmodules in the superproject ("hey I have this neat fork of
the superproject at this other URL, please pull from me"), so that
it points at a malicious URL?

If the end-user is not given a chance to inspect where the URL moved
to and agree (or disagree) to switch to that other URL, your
"recursive" update will end up fetching from an unverified URL into
the submodule without anybody watching, no?

So, I suspect that it is working as a security measure that it does
not blindly sync. Yes "git clone --recursive" may be looser, but I
would actually consider use of "--recursive" there as a security
lapse.
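
Added example, not part of the original message and not code from git: a Python sketch of the inspection step the reply argues for, listing every submodule whose URL in .gitmodules differs from the one already recorded in .git/config so that the change can be reviewed before any sync. The function names, the minimal parser and the sample URLs are assumptions constructed for illustration.

```python
import re

SECTION = re.compile(r'^\s*\[submodule\s+"([^"]+)"\]\s*$')  # [submodule "name"]
URL = re.compile(r'^\s*url\s*=\s*(\S+)\s*$')                 # url = <value>

def submodule_urls(config_text):
    """Map submodule name -> url. Assumes the plain layout git itself
    writes (one key per line, no quoting or escapes)."""
    urls, current = {}, None
    for line in config_text.splitlines():
        header = SECTION.match(line)
        if header:
            current = header.group(1)
        elif line.lstrip().startswith("["):
            current = None          # another section, e.g. [remote "origin"]
        elif current is not None and URL.match(line):
            urls[current] = URL.match(line).group(1)
    return urls

def pending_url_changes(gitmodules_text, local_config_text):
    """(name, configured_url, proposed_url) for every submodule whose
    .gitmodules URL differs from the one recorded in .git/config."""
    proposed = submodule_urls(gitmodules_text)
    configured = submodule_urls(local_config_text)
    return [(name, configured[name], url)
            for name, url in sorted(proposed.items())
            if name in configured and configured[name] != url]

# Constructed sample: .gitmodules as pulled, and the existing .git/config.
SAMPLE_GITMODULES = (
    '[submodule "libs/parser"]\n'
    '\tpath = libs/parser\n'
    '\turl = https://mirror.example.net/fork/parser.git\n'
    '[submodule "libs/crypto"]\n'
    '\tpath = libs/crypto\n'
    '\turl = https://git.example.org/project/crypto.git\n')
SAMPLE_LOCAL_CONFIG = (
    '[remote "origin"]\n'
    '\turl = https://git.example.org/project/super.git\n'
    '[submodule "libs/parser"]\n'
    '\turl = https://git.example.org/project/parser.git\n'
    '[submodule "libs/crypto"]\n'
    '\turl = https://git.example.org/project/crypto.git\n')

if __name__ == "__main__":
    for name, old, new in pending_url_changes(SAMPLE_GITMODULES, SAMPLE_LOCAL_CONFIG):
        print(f"{name}: {old} -> {new}")
```

An empty result means .gitmodules proposes no URL the existing clone has not already accepted; any listed entry is a URL that would be fetched from for the first time.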