Michael Haggerty <mhag...@alum.mit.edu> writes:

> While we're at it, I think it would be prudent to ban '-' at the
> beginning of reference name segments.  For example, reference names like
>     refs/heads/--cmd=/sbin/halt
>     refs/tags/--exec=forkbomb(){forkbomb|forkbomb&};forkbomb
> are currently both legal, but I think they shouldn't be.

I think we forbid these at the Porcelain level ("git branch", "git
checkout -b" and "git tag" should not let you create "-aBranch"),
while leaving the plumbing lax to allow people experimenting with
their repositories.

It may be sensible to discuss and agree on what exactly should be
forbidden (we saw "leading dash", "semicolon and dollar anywhere"
so far in the discussion) and plan for transition to forbid them
everywhere in a next big version bump (it is too late for 2.0).
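
The candidate restrictions named so far in this thread (a leading dash on any ref name segment, a semicolon or dollar sign anywhere), written out as a checker. This is an added example, not part of the message above and not git's own code; the function name, flag names and sample ref names are assumptions made for illustration.

```c
#include <stdio.h>

/* Candidate restrictions raised in the thread; not rules git enforces. */
#define REF_LEADING_DASH 1u /* a '/'-separated segment starts with '-' */
#define REF_SEMICOLON    2u /* ';' anywhere in the name */
#define REF_DOLLAR       4u /* '$' anywhere in the name */

/* Hypothetical helper: returns a bitmask of every candidate rule the name breaks. */
unsigned refname_candidate_issues(const char *refname)
{
    unsigned issues = 0;
    int segment_start = 1; /* true at the first byte and after each '/' */
    const char *p;

    for (p = refname; *p; p++) {
        if (segment_start && *p == '-')
            issues |= REF_LEADING_DASH;
        if (*p == ';')
            issues |= REF_SEMICOLON;
        if (*p == '$')
            issues |= REF_DOLLAR;
        segment_start = (*p == '/');
    }
    return issues;
}

int main(void)
{
    /* Constructed sample names; the first is quoted in the thread. */
    static const char *samples[] = {
        "refs/heads/--cmd=/sbin/halt",
        "refs/heads/-aBranch",
        "refs/heads/topic-branch",
        "refs/tags/v1.0;rc",
        "refs/heads/fix$1",
    };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        unsigned issues = refname_candidate_issues(samples[i]);
        printf("%-30s%s%s%s%s\n", samples[i],
               issues ? "" : " ok",
               (issues & REF_LEADING_DASH) ? " leading-dash" : "",
               (issues & REF_SEMICOLON) ? " semicolon" : "",
               (issues & REF_DOLLAR) ? " dollar" : "");
    }
    return 0;
}
```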
