I had started writing a patch to allow configuring an editor via
got.conf. But then I realized that this does not seem safe.

The editor is an arbitrary command and neither pledge nor unveil can
impose any restrictions on it. If a repository is shared between users
then arbitrary command execution as one of the other users would be
possible by configuring a malicous editor command in the repository's
got.conf file.

So instead of implementing this feature I would like to document
why it is being rejected.

Am I being too paranoid?

diff 46215d2a90d69074a235db573e8d851eff0aa424 /home/stsp/src/got
blob - 09df173f44966dfcc1a7f9dec3259ba5af9837d9
file + got/got.conf.5
--- got/got.conf.5
+++ got/got.conf.5
@@ -177,3 +177,19 @@ file.
 .Xr got 1 ,
 .Xr git-repository 5 ,
 .Xr got-worktree 5
+.Sh CAVEATS
+.Nm
+offers no way to configure the editor spawned by
+.Cm got commit ,
+.Cm got histedit ,
+.Cm got import ,
+or
+.Cm got tag .
+This is deliberate and prevents potential arbitrary command execution
+as another user when repositories are shared between users.
+Users should set their
+.Ev VISUAL
+or
+.Ev EDITOR
+environment variables instead.
+