2 username="Ilya_Shlyakhter"
3 avatar="http://cdn.libravatar.org/avatar/1647044369aa7747829c38b9dcc84df0"
4 subject="should import follow symlinks?"
5 date="2022-05-03T19:36:10Z"
7 I meant \"security hole\" more in the sense of the user themselves inadvertently importing (and then sharing) more than they meant to.
8 E.g. I was importing a large subtree created by others, and had no clue it included symlinks outside the subtree; I only noticed this by accident, when the import started taking too long.
10 >git-annex import $dir also follows symlinks inside $dir.
12 In conjunction with the `mv` semantics, this seems risky... had I been using the original directory import, I'd have inadvertently deleted a large dataset (to which there was a symlink in the imported tree) from a place others expect to find it. The unix `mv` command doesn't even have a flag to follow symlinks (nevermind defaulting to that).
14 >It at least seems plausible that there might be users who import from ~/disk which is a symlink to /media/somethinglong, and rely on it following the symlink.
16 It's certainly plausible; question is, should it be the default? It's not the default in `cp` (you have to use `-L`) or in `tar` (have to use `-h`). I think most people assume that importing from a directory remote is akin to doing a `cp -r` or `tar cf` from it.
projects / git-annex.git / blob