Hacker News
by crote 48 days ago
In one case you are asking Git to run untrusted and unvetted code from a repository of unknown provenance you just cloned - without any kind of branch restrictions or sandboxing. Oh, you clone and check out a branch of some random leftpad fork you come across? Sure, let's immediately run their post-checkout shell script! It's like automatically running "curl | sh" on every random website you visit.

In the other case the repo owner itself is asking it to run pre-vetted code in a controlled sandbox - and only for branches where it is explicitly enabled. It's like running "wc -l", in a sandbox, on mostly-trusted input files.
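An added demonstration, not part of crote's comment or of Git's own tooling, of the mechanism the comment's first case depends on: Git's hooks live in the untracked `.git/hooks` directory, so a repository you clone cannot make Git execute a `post-checkout` script it ships in its tree. The script below builds a throwaway "attacker" repository with a tracked `.githooks/post-checkout`, clones it, and shows the hook stays inert until the user opts in with `git config core.hooksPath .githooks`; that per-clone, user-set config is the trust boundary. Repository paths, the hook body and the marker file are constructed for the demo and assume `git` and `mktemp` are on PATH.

```shell
#!/bin/sh
# Constructed demo (not from the thread): can a cloned repository get Git to
# run a post-checkout hook it ships in its tree? Hooks are read from the
# untracked .git/hooks directory, so no, unless the user opts in by pointing
# core.hooksPath at the repo-controlled directory.
set -eu

# hook_fired MODE -> exit 0 if the shipped hook ran in the clone, 1 if not.
# MODE is "none" (plain clone + checkout) or "optin" (user sets core.hooksPath).
hook_fired() {
  mode=$1
  work=$(mktemp -d)
  upstream="$work/upstream"
  clone="$work/clone"

  # "Attacker" repository: a tracked .githooks/post-checkout that drops a marker.
  git init -q "$upstream"
  mkdir "$upstream/.githooks"
  cat > "$upstream/.githooks/post-checkout" <<'EOF'
#!/bin/sh
# Stand-in for arbitrary code; a real hook could run anything as the user.
touch .hook-ran
EOF
  chmod +x "$upstream/.githooks/post-checkout"
  git -C "$upstream" -c user.name=demo -c user.email=demo@example.invalid add .
  git -C "$upstream" -c user.name=demo -c user.email=demo@example.invalid \
      commit -q -m 'ship a post-checkout hook in the tree'

  # "Victim" clones it (the clone itself performs a checkout) ...
  git clone -q "$upstream" "$clone"
  if [ "$mode" = optin ]; then
    # ... and, only in this mode, explicitly tells Git to use the shipped hooks.
    git -C "$clone" config core.hooksPath .githooks
  fi
  # ... then switches to a new branch, which is another post-checkout trigger.
  git -C "$clone" checkout -q -b probe

  if [ -e "$clone/.hook-ran" ]; then status=0; else status=1; fi
  rm -rf "$work"
  return $status
}

if hook_fired none; then
  echo "UNEXPECTED: hook ran without any opt-in"
else
  echo "clone + checkout ran no hook: .githooks is just files in the tree"
fi
if hook_fired optin; then
  echo "hook ran only after the user set core.hooksPath: that opt-in is the trust boundary"
fi
```

The same holds for `curl | sh`-style risk in general: the dangerous step is the one where the user, not the repository, tells the tool to execute repository-controlled content.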