Closing this hole to make security more consistent is fair enough... however, in the case of git-http-backend the "safe directory" method doesn't work at all! Is this an accurate summary of the situation? As an aside, do you know why this security mechanism blocks ALL access, and not just the execution of hooks? - my mirrors don't have any hook-scripts, and as long as I give them read access at the unix level, why are they still blocked from doing things like "git log" on a repo without having to first mark it as safe? Cheers, Jamie