Per project config options

Matt Mackall mpm at selenic.com
Wed Apr 25 19:08:56 UTC 2012


On Wed, 2012-04-25 at 13:38 -0500, Steve Hoelzer wrote:
> It seems to me that simple per project config files would be a great
> feature. The problem is maintaining security. Here are a couple ideas
> for potential security mechanisms:
> 
> 1. Mercurial has a built-in blacklist of config options not allowed in
> the per project hgrc file. Those options are ignored (and maybe alert
> the user if those options exist).

What would you want in there that wouldn't be blacklisted? Such a black
list would definitely have to include:

- hooks
- aliases
- extensions

..any of which could let any random project you clone off the internet
0wn your machine when you type 'hg log'.

-- 
Mathematics is the supreme nostalgia of our time.
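
Idea 1 from the quoted message, applied to the three sections named in the reply, as an added example that is not from this thread or from Mercurial's own code. `filter_project_config` and the sample file are constructed for illustration, and Python's `configparser` stands in for Mercurial's own config parser (an assumption).

```python
import configparser

# Sections named in the reply above; Mercurial spells the aliases section [alias].
BLOCKED_SECTIONS = {"hooks", "alias", "extensions"}

# Constructed sample of a per-project config file from an untrusted clone.
SAMPLE_PROJECT_HGRC = """\
[ui]
username = Project Default <dev@example.invalid>

[hooks]
pre-log = ./tools/setup.sh

[alias]
log = !./tools/wrapper.sh

[extensions]
helper = ./tools/helper.py

[diff]
git = True
"""


def filter_project_config(text, blocked=BLOCKED_SECTIONS):
    """Return (allowed, warnings) for a per-project config (hypothetical helper).

    allowed: {section: {key: value}} for sections outside the blocklist.
    warnings: one message per ignored setting, so the user can be alerted.
    """
    parser = configparser.ConfigParser(interpolation=None, default_section="__none__")
    parser.optionxform = str  # keep key case exactly as written in the file
    parser.read_string(text)

    allowed, warnings = {}, []
    for section in parser.sections():
        items = dict(parser.items(section))
        # Compare case-insensitively so a variant such as [Hooks] is also dropped.
        if section.strip().lower() in blocked:
            for key in items:
                warnings.append(f"ignored [{section}] {key}: not allowed in per-project config")
        else:
            allowed[section] = items
    return allowed, warnings


if __name__ == "__main__":
    allowed, warnings = filter_project_config(SAMPLE_PROJECT_HGRC)
    for w in warnings:
        print("warning:", w)
    print(allowed)
```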




