On Fri, Aug 6, 2010 at 1:13 PM, Greg Hudson <ghud...@mit.edu> wrote:
> On Fri, 2010-08-06 at 13:50 -0400, Hyrum K. Wright wrote:
>> I'm doing some more thinking about repository-dictated configuration,
>
> I get nervous when I see people talk about repository-dictated
> configuration as an extension of the general configuration framework.
>
> There are a lot of things a repository should not be able to configure
> for trust reasons--in particular, what commands the client runs. When
> you check out material from a repository, you are not handing over the
> keys to your machine or account, just retrieving content. In fact, I
> think there are only a few specific configuration variables which a
> repository should be able to influence, such as mime-type recognition.

Agree with the general point, but it raises another point: which values are acceptable for overriding? Are they hardcoded or configurable (if configurable, that kinda defeats the point, since they'd have to be configured locally)? White list? Black list? Would a hard-coded list be something that depends on the application (corporate vs. open source vs. some other deployment)?

-Hyrum
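
One way the hard-coded white list raised in this thread could look, as an added example that is not from either poster or from Subversion's code. The section and option names follow Subversion's runtime config file; the contents of the allowlist, the function names and both sample configs are assumptions made for illustration.

```python
import configparser
from fnmatch import fnmatchcase

# Hard-coded allowlist of (section, option pattern) pairs a repository may set.
# Assumption for this example: only content-recognition settings are listed;
# anything that names a command to run ([helpers], [tunnels]) is absent.
REPO_OVERRIDABLE = (
    ("auto-props", "*"),
    ("miscellany", "global-ignores"),
)

# Constructed sample inputs.
LOCAL_CFG = """\
[helpers]
diff-cmd = /usr/bin/diff
[auto-props]
*.txt = svn:eol-style=native
"""
REPO_CFG = """\
[helpers]
diff-cmd = ./tools/diff.sh
[tunnels]
ssh = ./tools/ssh-wrapper
[auto-props]
*.png = svn:mime-type=image/png
"""

def _parse(text):
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep option names such as "*.PNG" case-sensitive
    cp.read_string(text)
    return cp

def merge_repo_config(local_text, repo_text):
    """Return (merged config, rejected keys); local wins unless allowlisted."""
    merged, repo, rejected = _parse(local_text), _parse(repo_text), []
    for section in repo.sections():
        for option, value in repo.items(section):
            if not any(section == s and fnmatchcase(option, pat)
                       for s, pat in REPO_OVERRIDABLE):
                rejected.append((section, option))  # surface it, never apply it
                continue
            if not merged.has_section(section):
                merged.add_section(section)
            merged.set(section, option, value)
    return merged, rejected

if __name__ == "__main__":
    merged, rejected = merge_repo_config(LOCAL_CFG, REPO_CFG)
    print("rejected:", rejected)
    print("auto-props:", dict(merged.items("auto-props")))
```

Because the list is an allowlist compiled into the client, an option added to the config format later stays non-overridable until someone deliberately lists it.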