Roman V. Shaposhnik wrote: > On Thu, 2008-04-17 at 14:09 -0400, Jeremy Maitin-Shepard wrote: >>> And here's one more thing: in-tree .gitconfig and in-tree >>> update-my-git-settings.sh are absolutely identical as far >>> as their security ramifications are concerned. If you really paranoid >>> you have to eyeball either of them. >> >> There is a huge difference: if you allow in-tree .gitconfig by default, >> then git clone <some-repository> becomes an unsafe operation. I can't >> even inspect some arbitrary repository to _see_ if I like the code and >> think it is safe very easily, since I'd normally do that by cloning the >> repository. [...] >> Obviously any configuration option that specifies a shell command to run >> is unsafe to specify in an in-tree .gitconfig. As Junio noted, >> smudge/clean commands are especially unsafe because they will be >> executed even if the user only uses the clone command. > > Are you saying that a *remote* in-tree .gitconfig would be capable of > affecting *local* system before the end of the clone operation? At the end of clone operation you usually do a checkout. clean/smudge commands could wipe out your disk at the end of clone. And one usually does checkout to view contents of repository (alternative is to use plumbing git-cat-file, which does not use .gitattributes). -- Jakub Narebski Warsaw, Poland ShadeHawk on #git -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
