0

I keep my $HOME under version control - to both keep the change history and facilitate config sync between the machines I use.

This includes ~/.hgrc (as well as ~/.bashrc et al).

I was just told that this is a remote security hole.

Why? I am the only person who has access to this repository, so this does not seem applicable.

EDIT: the repo is hosted on my home linux box. I am the admin there. It is used from a few other boxes (linux and otherwise) which I also administer.

Community
  • 1
  • 1
sds
  • 58,617
  • 29
  • 161
  • 278
  • 2
    You were told this on the [Mercurial bug tracker](http://bz.selenic.com/show_bug.cgi?id=3147) so the right place to followup with questions would be mercurial@selenic.com or maybe the bug tracker. – Martin Geisler Oct 14 '13 at 20:36

2 Answers2

1

I can't speak for mpm, but by guess is it's the:

the only person who has access to this repository

part. It's much easier to be confident you're the only person with access to your local machine than it is that you're the only person with access to a remote repository. Certainly if that repository is hosted on a system like bitbucket or a VPS or cloud system like linode or AWS then it's not true.

What you're doing isn't crazy, and plenty of people do it, but mpm just doesn't want the next Ross Ulbricht story to include "federal agents learned his identity when a phone-home command was inserted into his Mercurial startup script" :)

Ry4an Brase
  • 78,112
  • 7
  • 148
  • 169
1

In the general case, it is a security hole because cloning a (potentially untrusted) repository that updates your hgrc can lead to arbitrary remote code execution.

From the hgrc manual:

It is possible to create aliases with the same names as existing commands ... A shell alias is executed with the shell and will let you run arbitrary commands

This may not be applicable in your specific scenario, where the repository is trusted absolutely.

Michael
  • 955
  • 4
  • 12