| ▲ | jdxcode 6 hours ago | |||||||
the second the hooks modify the code they've broken your sandbox I think wasi is a cool way to handle this problem. I don't think security is a reason though. | ||||||||
| ▲ | timhh 4 hours ago | parent | next [-] | |||||||
> the second the hooks modify the code they've broken your sandbox Changes to code would obviously need to be reviewed before they are committed. That's still much better than with pre-commit, where e.g. to do simple things like banning tabs you pretty much give some guy you don't know full access to your machine. Even worse - almost everyone that uses pre-commit also uses tags instead of commit hashes so the hook can be modified retroactively. One interesting attack would be for a hook to modify e.g. `.vscode/settings.json`... I should probably make the default config exclude those files. Is that what you meant? Even without that it's a lot more secure than pre-commit. | ||||||||
| ||||||||
| ▲ | accelbred 4 hours ago | parent | prev [-] | |||||||
I wouldn't want hooks modifying the code. They should be only approve/reject. Ideally landlock rules would give them only ro access to repo dir | ||||||||