Encouraging mirrors to inject code is a very bad idea from a security perspective. I agree with Ask that allowing them to inject config is safer but is still a slippery slope.
On Sat, Dec 30, 2017 at 9:58 PM, Ask Bjørn Hansen <a...@perl.org> wrote: > Rather than having it execute javascript that’s locally modified, maybe we > could have it just load some JSON? > > I know that the mirror can technically change anything, so this is not > really a technical argument. > > I think it’s important to maintain a stance that it’s unacceptable to > change anything (other than this…). Changing a bit of meta data (a JSON > file) seems less slippery slope than changing a bit of website code. > > > Ask