Jeff King wrote:
> We could even give it an environment variable, which would allow
> something like:
> tar xf maybe-evil.git.tar
> cd maybe-evil
> export GIT_TRUST_REPO=false
> git log
Interesting idea. Putting it in an envvar means it gets inherited by
child processes, which if I understand you correctly is a good thing.
> 1. We have to manually annotate any "dangerous" code to act more
> safely when it sees the flag. Which means it's highly likely to
> a spot, or to add a new feature which doesn't respect it. And
> suddenly that's a security hole. So I'm concerned it may create a
> false sense of security and actually make things worse.
As an internal implementation detail, this is so obviously fragile
that it wouldn't give me any feeling of security. ;-) So it should be
strictly an improvement.
As a public-facing feature, I suspect it's a bad idea for exactly that
FWIW for pager specifically I am going for a whitelisting approach:
new commands would have to explicitly set ALLOW_PAGER if they want to
respect pager config. That doesn't guarantee people think about it
again as things evolve but it should at least help with getting the
right setting for new plumbing.