Untrusted hgrc files, why report them?

Martin Geisler mg at aragost.com
Fri Feb 25 10:52:49 CST 2011


Matt Mackall <mpm at selenic.com> writes:

> On Fri, 2011-02-25 at 10:40 +0100, Martin Geisler wrote:
>> Hi guys,
>> 
>> It's very rare that I'm working with a repository that I do not
>> completely own, but when I do, it's highly annoying to get the warnings
>> about untrusted config files.
>> 
>> Why do we even issue such warnings? It's not like I would expect my
>> Emacs to read another user's ~/.emacs file if I open a file inside his
>> home directory. So I would also not expect Mercurial to honor a .hg/hgrc
>> file belonging to another user.
>
> That's not an analogous situation: no tilde. The file you're talking
> about is the _repository_ configuration, so I think most people will
> in fact expect it to be honored.

Hmm, I see your point. I guess it's because I never work with a
repository shared like that, so I'm not really sure what I expect in
that situation.

>> I suspect that most of us core developers never see the warning
>> because we always own our repositories. And I also suspect that when
>> users do see the warning, then it's only annoying and strange to
>> them.
>
> Consider which is worse:
>
> - an obnoxious warning
>
> - users who get extremely frustrated trying to figure out why settings
> mysteriously aren't taking effect

Yeah, it's just that I've only seen the warning in situations where it
was annoying and never when it was useful :)

-- 
Martin Geisler

aragost Trifork
Professional Mercurial support
http://aragost.com/en/services/mercurial/blog/

