Trent from msg8043:
> I'm happy with WONTFIXing this (and the other) gaping security holes
> if we document VERY explicitly that you cannot give darcs push access
> to a user without also giving them a full shell.
>
> I'm not sure where this caveat should be tacked on; certainly darcs
> help should mention it, but in which command?
>
> I'd also very much like a detailed list of known exposures on a wiki
> page, so that anyone who thinks "pshaw, I can lock down darcs apply!"
> will have a checklist of things to address.
|