Jeff King <peff@xxxxxxxx> writes:

> It could be that "clone" should try to avoid a "--local" clone from a
> repo with different ownership, if the local hardlink path is more
> dangerous. But that distinction is not something upload-pack even knows
> about, so the code would have to go into clone.

Sounds good.

> And then upload-pack
> could be free to drop the ownership check. Certainly a lot of people
> have complained about it (I had actually thought we reverted it in
> v2.45.2, but that was just the extra hooks defense-in-depth; so again, I
> may be getting confused about the extra value of the enter_repo()
> ownership check that came at the same time).

As enter_repo() is about the protocol driver thing and not about normal
users working inside a repository, calls to it appear only in
receive-pack, upload-pack, upload-archive, http-backend, and daemon.

Among them, upload-pack is the only thing we promise that is safe to
work even in a hostile repository? If we push into a repository over
the local transport, we would trigger the post-receive hook as
ourselves, which we would probably not want. The same story goes for
daemon, http-backend, and upload-archive.

So we probably need to add another axis to the "strict" parameter
enter_repo() takes to selectively disable the ownership checks only for
upload-pack, or something like that.

We may want to restrict "tar.<format>.command" only to protected
configuration, and then we may be able to loosen the ownership check
for the upload-archive command.

Thanks.