[PATCH 1 of 4] schemas: add schemas to repositories

Angel Ezquerra angel.ezquerra at gmail.com
Fri Aug 9 11:56:56 CDT 2013


On Aug 9, 2013 5:04 PM, "Augie Fackler" <raf at durin42.com> wrote:
>
> On Thu, Aug 08, 2013 at 08:36:29AM +0200, Angel Ezquerra wrote:
> > On Thu, Aug 8, 2013 at 1:43 AM, Durham Goode <durham at fb.com> wrote:
> > > On 8/7/13 4:23 PM, "Angel Ezquerra" <angel.ezquerra at gmail.com> wrote:
> > >
> > >>
> > >>On Aug 8, 2013 12:40 AM, "Durham Goode" <durham at fb.com> wrote:
> > >>>
> > >>>I wasn't aware of the projrc extension, but I did discuss that concept
> > >>> internally and with Matt. I think the problem is that it just isn't
> > >>>secure
> > >>> enough.  If one of our users is dumb and sets up "servers = *, include =
> > >>> *", they could execute arbitrary code from bitbucket within our network.
> > >>>
> > >>> Durham
> > >>I understand your concern but the extension does not blindly accept new
> > >>configurations. In fact I think it is actually pretty safe and it has
> > >>been developed to be as safe as possible. In particular by default the
> > >>extension requires confirmation
> > >> whenever the projrc file changes. Currently it does not show which
> > >>settings changed but it could do so. It could also require explicit
> > >>confirmation before accepting changes to the "dangerous" sections.
> > >>Additionally the extension could be tweaked to be even safer. For example
> > >>the extension could be changed so that it would only accept projrc
> > >>settings from your internal servers. Another option would be to make it
> > >>necessary to explicitly include
> > >> dangerous settings such as hooks and extensions (i.e. include = * would
> > >>only include safe settings).
> > >>On the other hand I feel that your proposed schemas functionality is a
> > >>bit narrow to be included as part of mercurial core. Distributing a
> > >>common mercurial config is a common problem. IMHO it would be nice if
> > >>mercurial offered a generic solution
> > >> to that problem. I don't think your proposal is such a solution.
> > >>Angel
> > >
> > >
> > > It's totally possible the schema stuff isn't appropriate for upstream
> > > core. I'm open to that response from the community.
> >
> > Maybe I was too categorical. What I meant to say is that your proposal
> > seems a bit too narrow in scope. It would be nice if mercurial had a
> > built-in, secure way to distribute (default) settings.
>
> The difficulty here is that many config knobs can lead to arbitrary
> code execution (eg [alias] stuff).
>
> >
> > That being said to a certain extent this is already the case for many
> > users, since TortoiseHg bundles the projrc extension.
>
> It's off by default, right?
>

Like mercurial, every extension we ship is off by default.

Cheers,

Angel
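
Added example, not part of the original message and not the projrc extension's code: a Python sketch of the policy proposed in the thread, where settings are accepted only from allow-listed servers and a wildcard include never selects the hooks, extensions or alias sections. The function name, its parameters and the sample config are hypothetical.

```python
import configparser
from fnmatch import fnmatchcase

# Sections the thread names as able to run code: hooks, extensions, [alias].
DANGEROUS = {"hooks", "extensions", "alias"}


def filter_projrc(text, server, trusted_servers, include):
    """Return (accepted, rejected) for a config received from `server`.

    accepted: {section: {key: value}} that may be merged locally.
    rejected: sorted list of section names that were dropped.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case exactly as written
    parser.read_string(text)
    sections = parser.sections()
    # Nothing is accepted from a server outside the allow-list.
    if not any(fnmatchcase(server, pat) for pat in trusted_servers):
        return {}, sorted(sections)
    accepted, rejected = {}, []
    for section in sections:
        if section in DANGEROUS:
            # A wildcard never selects a dangerous section; it must be named.
            ok = section in include
        else:
            ok = any(fnmatchcase(section, pat) for pat in include)
        if ok:
            accepted[section] = dict(parser[section])
        else:
            rejected.append(section)
    return accepted, sorted(rejected)


# Constructed sample input, not taken from any real repository.
SAMPLE = """\
[ui]
username = Example User <user@example.invalid>
[hooks]
update = ./run-after-update.sh
[alias]
st = !./wrapper.sh status
[extensions]
rebase =
"""
```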