On 8/8/25 16:58, Demi Marie Obenour wrote:
> This allows automatically setting up environment variables when entering
> a directory.

On further thought, I'm not sure this is actually a good idea, especially for anyone (like Alyssa :)) who will be reviewing third-party patches. The reason is that changes to nix or envrc files will be executed without confirmation, so the only chance to validate that a patch doesn't contain malicious code is _before_ it is applied. That can be more difficult than reviewing an already-applied (but not built or committed) patch. One can mitigate this by using a separate worktree where the envrc files are not authorized, but that's extra work and more prone to human error. Not a good thing for security.

I actually made this mistake by using `b4 shazam -m` instead of `b4 --offline shazam -m` or `git am`, which will pull patches from the mailing list if they are newer than the patch in the mbox. Thankfully no such patch exists on the list and the `b4 shazam` output made that clear. Still, it's an easy mistake to make and the consequences could be very bad.

-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
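The before-apply check the mail argues for, as an added example that is not part of this thread or the project: a POSIX shell snippet that lists the `.envrc` and `*.nix` files a git-style patch touches, so those hunks can be read before `git am` or `b4 --offline shazam` runs. The function names and the sample patch are constructed for the example.

```shell
# Added example (not from the mail): before `git am` or `b4 --offline shazam`,
# list the files in a patch that direnv (.envrc) or nix (*.nix) would evaluate
# without confirmation, so those hunks get read first. Assumes git-style
# unified diffs with a/ and b/ path prefixes.

# Print, one per line, each auto-executed path the patch on stdin touches.
risky_paths_in_patch() {
    grep -E '^(\+\+\+|---) [ab]/' \
        | sed -E 's#^(\+\+\+|---) [ab]/##' \
        | sort -u \
        | grep -E '(^|/)\.envrc$|\.nix$' || true
}

# Return 0 if the patch in file $1 touches no auto-executed file, else print
# the offending paths to stderr and return 1.
patch_is_safe_to_apply() {
    risky=$(risky_paths_in_patch < "$1")
    if [ -n "$risky" ]; then
        printf '%s changes auto-executed files:\n%s\n' "$1" "$risky" >&2
        return 1
    fi
    return 0
}

# Constructed sample patch (not a real submission): a harmless README change
# plus an edit to .envrc and a new flake.nix.
SAMPLE_PATCH=$(mktemp)
trap 'rm -f "$SAMPLE_PATCH"' EXIT
cat > "$SAMPLE_PATCH" <<'EOF'
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1 +1,2 @@
 hello
+more docs
diff --git a/.envrc b/.envrc
--- a/.envrc
+++ b/.envrc
@@ -1 +1,2 @@
 use flake
+export FOO=bar
diff --git a/flake.nix b/flake.nix
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1 @@
+{ }
EOF

if patch_is_safe_to_apply "$SAMPLE_PATCH"; then echo "safe to apply"; else echo "review the listed files first"; fi
```

Run it on a real mbox or patch file by replacing `SAMPLE_PATCH` with the path; a non-zero exit means the patch touches something direnv or nix would execute on the next `cd`.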