quasicomputational
commented
6 years ago Oh, and similarly we allow !include in defaults off Github, with similar objections applying.
Open quasicomputational opened 6 years ago
quasicomputational
commented
6 years ago Oh, and similarly we allow !include in defaults off Github, with similar objections applying.
sol
commented
6 years ago Conceptually this could be a feature. A defaults definition could use this to provide holes that the user can fill with a local file (to work around the fact that defaults currently don't accept arguments).
Example:
-- hspec/hspec@v1
_options: !include hspec-options.yaml
...A user would then create a local file hspec-options.yaml to customize the behavior. Similar stuff could possibly (?) be done with defaults.
However, with our current code this doesn't really work. To make this "useful" we would need to change the existing logic so that:
local defaults change the directory relative to which defaults are resolved, defaults from github don'tFor defaults itself, this would be possible with a minor code change. However !include is always resolved relative to the file that contains the directive (making this more flexible would require changes to yaml).
sol
commented
6 years ago Unless we can identify how this is harmful I would leave the code as it is and instead focus on user features:
We may be able to deprecate !include down the road.
This is weird. Should it be allowed? I remain convinced by the logic in #244 that this isn't a (new) security issue, but I can't imagine that it ever makes sense.