"GOT", but the "O" is a cute, smiling pufferfish. Index | Thread | Search

From: Stefan Sperling <stsp@stsp.name>
Subject: Re: using tog(1) as an alternative to gotwebd(8) (anonymous access)
To: gameoftrees@openbsd.org
Date: Thu, 5 Oct 2023 09:54:53 +0200

On Wed, Oct 04, 2023 at 06:00:24PM +0200, Lorenz (xha) wrote:
> on second thought, it's probably a good idea to not use a shell script
> but instead something like a simple lua or python script that exec's
> tog.
> 
> it's nice to have some sort of overview if you just want to look into
> what the repository contains.
> 
> so the question is just, is it really safe, just from the perspective of
> tog(1), to provide something like this to the outside world?
 
This is not an easy question to answer. You're asking if there's any
possible way this could go wrong. Whatever answer we give, maybe a clever
anonymous visitor will find another way that wasn't considered by us.

> i have looked into the code of tog and as far as i understand, this
> should be fine?

I would stick to my recommendation of allowing anonymous clones via gotd
and leaving tog for local use. Because gotd was written with this use
case in mind, whereas tog and its dependencies like ncurses were not.