hook security (was: Re: How to exclude files from merging)

Peter Arrenbrecht peter.arrenbrecht at gmail.com
Thu Nov 13 01:02:06 CST 2008


On Wed, Nov 12, 2008 at 11:15 PM, Matt Mackall <mpm at selenic.com> wrote:
> On Wed, 2008-11-12 at 16:24 -0500, Doug Philips wrote:
>> On or about Wednesday, November 12, 2008, at 03:12PM, Matt Mackall indited:
>> >The philosophical issue is: we can't trust other users. Config files can
>> >say things like "run 'rm -rf /' whenever you do an hg status". Thus,
>> >it's not a good idea to put this under control of other users. Ever.
>> >
>> >Any technology that doesn't address this very fundamental security issue
>> >is indeed, as you say, moot. And I'm not very apologetic about it.
>>
>> Concrete example:
>
> Yes, we know all about that. In case it hasn't been mentioned yet,
> you're now about a quarter of the way through rehashing the last
> discussion on this topic. See here:
>
> http://mercurial.markmail.org/search/?q=clone+hgrc+date%3A200801
>
> That one had some interesting ideas, but didn't quite find a
> satisfactory solution before running out of steam.

While you didn't like it at the time, maybe the .hg/hgrc.d/* approach
could help here in a safe way. Akin to Doug's `hg config` command,
after cloning he could simply do a:

  ln -st .hg/ /central/hgrc.d

or, in case he wants to keep hgrc.d free for linking in other stuff:

  mkdir .hg/hgrc.d
  ln -st .hg/hgrc.d/ /central/hgrc.d/thefile.hgrc

Since these are symlinks, it would allow him to refer the central
configs to something pulled from a trusted repo, but it would be his
conscious decision every time to do so.

Maybe we can include this after all? It would be a totally trivial
change, mimicking what Hg already does in /etc/hgrc.d/.

Past discussion: http://mercurial.markmail.org/search/?q=hgrc.d+look+at
Original patch: http://markmail.org/message/y5zedvjd6eadprii

-parren
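An added example, not from this thread or from Mercurial itself, showing the kind of check the discussion implies: list the `[hooks]` entries a freshly cloned repository's `.hg/hgrc` would run, so the user can review them before deciding to trust that file. The sample hgrc and the function names are constructed for this illustration.

```shell
# list_hooks FILE: print "name = command" for every entry in the [hooks]
# section of an hgrc-style file. Each such entry is a shell command that
# hg runs on the matching event, which is why the thread treats a
# repository-provided hgrc as untrusted.
list_hooks() {
    awk '
        # any section header: remember whether we are now inside [hooks]
        /^[[:space:]]*\[/ {
            in_hooks = ($0 ~ /^[[:space:]]*\[hooks\][[:space:]]*$/)
            next
        }
        # inside [hooks], report key = value lines (comments are skipped)
        in_hooks && /^[[:space:]]*[A-Za-z0-9_.-]+[[:space:]]*=/ {
            sub(/^[[:space:]]+/, "")
            print
        }
    ' "$1"
}

# count_hooks FILE: number of hook entries found (0 when there are none)
count_hooks() {
    list_hooks "$1" | wc -l | tr -d ' '
}

# make_sample FILE: write a constructed hgrc with two hook definitions
make_sample() {
    cat > "$1" <<'EOF'
[paths]
default = http://example.invalid/repo

[hooks]
# constructed sample: these would run on commit and on update
precommit.check = ./scripts/check.sh
update = echo updated

[ui]
username = someone
EOF
}

# Usage: make_sample /tmp/sample.hgrc && list_hooks /tmp/sample.hgrc
```

Running `list_hooks` against a clone's `.hg/hgrc` before any `hg` operation shows exactly which commands that file would hand to the shell; anything unexpected is a reason not to use the config as delivered.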

