On Mon, 2025-03-03 at 10:26 +0100, Julian Andres Klode wrote:
> I'm leaning towards renaming it to `insecure-file` to make users
> explicitly (aware of, and) acknowledge the risks.

What about introducing an option instead, that controls whether or not file is allowed, and which eventually defaults to disallow?

Or alternatively and perhaps even better: An option that controls how file: works, default would be like copy: ... and an alternative mode would be like the current file: (i.e. no copy), but that being documented as insecure on untrusted sources?
Probably that would then again need to be a per repo option, too.

The advantage with both would be not to encode a usage warning in the schema name (like we don't use insecure-http://).
The advantage of the 2nd would be that we could use the well recognised file: schema.

Cheers,
Chris