Ævar Arnfjörð Bjarmason <ava...@gmail.com> writes:
> The genreal ways I see forward from that are:
>
> A) Say that v2 has a security issue and that this is a feature that
> works in some circumstances, but given Jeff's explanation here we
> should at least improve our "SECURITY" docs to be less handwaivy.
>
> B) Improve security docs, turn uploadpack.allowAnySHA1InWant=true on by
> default, allow people to turn it off.
>
> C) Like B) but deprecate
> uploadpack.allow{Tip,Reachable,Any}SHA1InWant=false. This is my
> patch upthread
>
> D-Z) ???
>
>
> I'm not set on C), and yeah it's probably overzelous to just rip the
> thing out, but then what should we do?
Hmph. The other overzealous thing you could do is to strenthen A
and "fix" the security issue in v2? Which letter comes before A in
the alphabet? ;-)
