Thread: 7 messages, 3 authors, 2022-05-21

Re: [Discussion] What is Git's Security Boundary?

From: Derrick Stolee <hidden>
Date: 2022-05-16 14:13:52

On 4/26/2022 1:00 PM, Derrick Stolee wrote:
> I've been having a few discussions internally and externally with folks
> about the 2.35.2 release and the safe.directory config value. After
> stumbling a little with a too-technical proposal, I (along with Taylor)
> figured out that I was jumping into "solutions" mode without first talking
> about the problem and agreeing on common language there.
>
> I'm hoping to start a conversation in this thread about "What is Git's
> security boundary?" so we can have an established base to work from for
> future security incidents or protections.

I'm back from a vacation, and haven't seen any response to this message.

I thought this would be an interesting topic that would create a lot of
valuable discussion, but that has not happened. I have a few ideas of why
that could be:

1. It's long, so readers put it off until it fell off the end of their
   inboxes.

2. The fixes for 2.36.1 have been taking priority.

3. There are no patches, so I should submit code if I want concrete
   feedback.

4. I'm so off base that it's not even worth replying.

Of course, it could be a combination of these or any number of other
things.

I'm sending this email as a hopeful ping that this topic could use some
feedback. I'm looking forward to your ideas.

Thanks,
-Stolee