Junio C Hamano <gitster@xxxxxxxxx> writes: > When you are using "--no-local" on the same machine, I do not think > there is any guarantee that "upload-pack" side is safe. And that is > where the safe.directory thing needs to kick in. Ah, I take it back. packObjectsHook won't run based on what the untrusted source repository configures, so at least we have been aware of the fact that upload-pack must be more careful than other stuff.
