Hi Bengt! sex 08 jul 2022 às 12:17:59 (1657293479), b...@bokr.com enviou: > Have you seen this[1] re nested git tricks? > > [1]: <https://lwn.net/Articles/848935/>
No, I had missed that, thanks for pointing that out! > i.e., are you sure not to be used by some such attack? However I think this git issue is orthogonal to the current one. First, inits, clones and checkouts are key git features, so it's up to git to make sure its subcommands will not execute code by mistake. Second, to exploit it, the attacker would have to make themselves very visible by maintaining a public malicious repo which would be bound to be flagged. And lastly, guile-git uses libgit2, which is a different beast that actually auto initializes submodules when updating, contrary to my mistaken assumption to which you've replied. I thought initialization implied directory creation, but it actually doesn't. Cheers!
