On 2021-06-23 at 22:58:09, Jonathan Tan wrote:
> > If we do add this feature (which, as I said, I'm opposed to) and we
> > decide to store it in a ref, that ref should not be a normal branch by
> > default (it should be a special one-level ref, like refs/stash or such),
> 
> Any particular reason not to expose it as a branch (besides following
> from your general idea that a user should seek out such a feature and
> not have it presented to them up-front)?

Branches are for the main code of the project.  While it's possible to
have orphan branches that do other things, I think that's in general an
anti-pattern, and using a special ref for things which are separate and
independent from the main code of the repository would be a more elegant
solution.

> > In addition, there should be an advice.* option that allows people to
> > turn this off once and for all, and it should be clearly documented.
> > Ideally it should be off by default.
> 
> I don't think this would be considered "advice" like the other options,
> but having an option to turn this off once and for all makes sense.
> Making it off by default would probably mean that projects that use such
> hooks would recommend cloning with "git -c my-config=1 clone $URL", but
> perhaps that's OK.

Sure, I'm not picky about what it looks like in "advice" vs something
else.  I think forcing projects to explicitly opt-in to this behavior
means that the social engineering and security problems are much
reduced, and while I'm still not wild about the idea, I would feel much
better about it.

> > This also makes me deeply nervous for much of the same reasons.  There
> > are situations where e.g. ignoring whitespace can lead to security
> > problems in code review (think Python), and in general it's hard to
> > reason about all the ways people can do malicious things.  Typically
> > adding untrusted config ends poorly (think of all the modeline
> > vulnerabilities in Vim).
> > 
> > I'd definitely want support for this to be off with no prompting by
> > default.
> 
> To use your example, the model we're proposing is more of only using the
> modelines from sources we trust - as opposed to ensuring that all
> possible options set by modelines are benign. Admittedly, the
> administrator of the source may have difficulty ensuring that bad code
> doesn't slip through code review, for example, but that is a problem
> they already deal with (at least for projects with any form of
> executable code in them, e.g. production code or a build script).

As I think I've previously mentioned, I don't want to receive
configuration of my development environment from sources I trust.  Even
at work, I don't want the repositories I work with to modify my
development environment in this way.  I tend to have a highly customized
configuration that breaks many people's expectations about tooling, so
the cases that this isn't a security problem (in repositories I trust)
can still result in a functionality problem.

Also, since we don't know what repositories the user trusts, the only
safe assumption is that the user trusts nothing unless they explicitly
tell us.
-- 
brian m. carlson (he/him or they/them)
Toronto, Ontario, CA