On Wed, Jul 16, 2008 at 01:59:55PM -0700, Bill Sommerfeld wrote:

> > You can also put:
> > [trusted]
> > groups=other
> > 
> > in your ~/.hgrc to get that noise to go away
> 
> please don't.
> 
> in my ~/.hgrc, and I do an "hg log" on someone's workspace that's owned
> by group other, mercurial could execute arbitrary code based on the
> contents of that workspace's hgrc.
> 
> It's better to just ignore the warning.

This is a serious problem with Mercurial, and I don't yet know of a good
solution. I don't buy that there's a security problem in the first
place. You're either accessing stuff over NFS or via ssh. If you don't
trust it, why on earth are you downloading software from it, or letting
them run your remote ssh account?

In the meantime, without this setting, *none of the hooks run*. That's
your gate check hooks, your generate a webrev hooks, etc.

We had way too many accidentally-hidden putbacks happen due to this
setting not being there.

regards
john
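
Added example (not part of the original messages, and not Mercurial's own code): a simplified Python model of the trade-off argued above, showing which workspace hooks are honored under `groups=other` versus a narrower `[trusted]` entry. The user names, hook names and paths are constructed, and the trust rule is an assumption-level sketch covering only owner, `users`, `groups` and `*`.

```python
import configparser

def parse_hgrc(text):
    """Parse the plain INI subset of hgrc syntax (no %include handling)."""
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
    cp.optionxform = str  # keep hook names exactly as written
    cp.read_string(text)
    return cp

def name_list(cp, section, key):
    """Read a comma- or space-separated list such as trusted.groups."""
    if not cp.has_option(section, key):
        return set()
    return set(cp.get(section, key).replace(",", " ").split())

def would_honor(user_hgrc, me, owner, group):
    """Simplified model: is a workspace hgrc owned by owner:group trusted?"""
    cp = parse_hgrc(user_hgrc)
    users = name_list(cp, "trusted", "users")
    groups = name_list(cp, "trusted", "groups")
    return (owner == me or "*" in (users | groups)
            or owner in users or group in groups)

def hooks_that_run(user_hgrc, me, owner, group, repo_hgrc):
    """Hooks from the workspace's .hg/hgrc that would be honored for `me`."""
    if not would_honor(user_hgrc, me, owner, group):
        return {}
    cp = parse_hgrc(repo_hgrc)
    return dict(cp.items("hooks")) if cp.has_section("hooks") else {}

# Constructed sample data (names and paths are made up).
BROAD = "[trusted]\ngroups = other\n"
NARROW = "[trusted]\nusers = gatekeeper\n"
WORKSPACE = """[hooks]
pretxncommit.gate = /constructed/gate-check
outgoing.webrev = /constructed/make-webrev
"""

if __name__ == "__main__":
    for label, cfg in (("groups=other", BROAD), ("users=gatekeeper", NARROW)):
        for owner in ("gatekeeper", "stranger"):
            hooks = hooks_that_run(cfg, "alice", owner, "other", WORKSPACE)
            print(f"{label:18} owner={owner:10} hooks honored: {sorted(hooks)}")
```

With the narrower entry the gate's hooks still run, while a workspace owned by any other member of group `other` has its hgrc ignored.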
