Open khionu opened 6 months ago
The history of the feature seems linked to a CVE (https://github.blog/2022-04-12-git-security-vulnerability-announced/#cve-2022-24765), so having something similar sounds good.
Oh yikes. I was wondering but I hadn't figured that far into it.
I think this should be implemented, so adjusting accordingly.
Related: #1595 (I personally like the idea of optionally disabling in-repo config)
Git has a couple config variables around repositories that aren't owned by the current user. This speaks to a threat model that we should consider.
The main question is, should we mirror/adopt this behaviour?
Update
While we might not run Git hooks, we might still run into the same security consideration as in the CVE linked below. Ergo, this is a prudent feature to add as a security measure.
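
An added sketch of the ownership check under discussion, in the spirit of Git's `safe.directory`; it is not code from this project or from Git. The `.repo` marker name, the function names and the `safe_dirs` allow-list parameter are hypothetical, and POSIX ownership semantics are assumed.

```python
import os
from pathlib import Path

REPO_MARKER = ".repo"  # hypothetical marker directory, not any real tool's name


def find_repo_root(start, marker=REPO_MARKER):
    """Walk upward from `start`; return the first directory holding `marker`."""
    cur = Path(start).resolve()
    for candidate in (cur, *cur.parents):
        if (candidate / marker).is_dir():
            return candidate
    return None


def may_load_repo_config(start, current_uid, safe_dirs=(), marker=REPO_MARKER):
    """Return (allowed, reason) for reading config stored inside the repository.

    The risky case is discovery by walking upward: a repository planted in a
    shared parent directory by another user is picked up from any subdirectory.
    """
    root = find_repo_root(start, marker)
    if root is None:
        return False, "no repository found"
    # Explicit opt-in by the user overrides the ownership check.
    if root in {Path(p).resolve() for p in safe_dirs}:
        return True, "allow-listed"
    # lstat judges the entry itself, not the target of a symlink.
    for path in (root, root / marker):
        owner = os.lstat(path).st_uid
        if owner != current_uid:
            return False, f"{path} is owned by uid {owner}, not {current_uid}"
    return True, "owned by current user"


if __name__ == "__main__":
    print(may_load_repo_config(os.getcwd(), os.geteuid()))
```

The check runs before any in-repo configuration is parsed, so a refusal leaves only user-level and system-level config in effect.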