Untrusted hgrc files, why report them?
Dominik Psenner
dpsenner at gmail.com
Fri Feb 25 04:05:58 CST 2011
Hi,
I would nail it down to following three cases:
1] .hg/hgrc (within repository) owned by someone else
==> the user in front of the keyboard should know that he's working on a
repository owned by someone else - despite he lacks a brain :-P - and
mercurial should use that one without any warnings
2] .hgrc is within my own homedir or /etc
==> all fine in any case, if I have files in my home that are owned by
someone else things are anyway strange and mercurial should just use that
.hgrc without any warnings
3] .hgrc is somewhere else
==> mercurial shouldn't use that one (unless forced to do so), thus in
case it wants to use it and the file is untrusted, mercurial should abort
with a warning
Are there further usecases I didn't cover?
Greetings,
D.
> -----Original Message-----
> From: mercurial-devel-bounces at selenic.com [mailto:mercurial-devel-
> bounces at selenic.com] On Behalf Of Martin Geisler
> Sent: Friday, February 25, 2011 10:41 AM
> To: Mercurial Developers
> Subject: Untrusted hgrc files, why report them?
>
> Hi guys,
>
> It's very rare that I'm working with a repository that I do not
> completely own, but when I do, it's highly annoying to get the warnings
> about untrusted config files.
>
> Why do we even issue such warnings? It's not like I would expect my
> Emacs to read another users's ~/.emacs file if I open a file inside his
> home directory. So I would also not expect Mercurial to honor a .hg/hgrc
> file belonging to another user.
>
> I suspect that most of us core developers never see the warning because
> we always own our repositories. And I also suspect that when users do
> see the warning, then it's only annoying and strange to them.
>
> Is there anybody here who are happy with the warning?
>
> --
> Martin Geisler
>
> aragost Trifork
> Professional Mercurial support
> http://aragost.com/en/services/mercurial/blog/
> _______________________________________________
> Mercurial-devel mailing list
> Mercurial-devel at selenic.com
> http://selenic.com/mailman/listinfo/mercurial-devel
More information about the Mercurial-devel
mailing list