
<p>This change concerns me slightly since it marks all embedded images as trusted, which is a potential relaxation of security.  I can't immediately think of a situation in which a user would want to explicitly imgverify an embedded image, but that doesn't mean that such a situation does not exist.</p>

<p>I would prefer a change with lower impact, such as setting only the selected (i.e. first) image as trusted.  The most obvious place to do this is after the existing call to image_select() has succeeded.</p>

<p>Please use the image_trust() wrapper function to set the flag, since this will guarantee future compatibility with anything else that image_trust() may be updated to do (e.g. generating logging messages).</p>

<p>Lastly, please reword the commit shortlog as e.g. "[image] Implicitly trust first embedded image" (i.e. using the active voice), to match the existing style.</p>

<p>Thanks,</p>

<p>Michael</p>


<p style="font-size:small;-webkit-text-size-adjust:none;color:#666;">—<br />You are receiving this because you are subscribed to this thread.<br />Reply to this email directly, <a href="https://github.com/ipxe/ipxe/pull/100?email_source=notifications&email_token=AAFNGVDNTP4K3GBEVC7POXDQZKIEJA5CNFSM4J3JTV22YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEHHRHDQ#issuecomment-567219086">view it on GitHub</a>, or <a href="https://github.com/notifications/unsubscribe-auth/AAFNGVCGQ3OQTALFH6TJCNLQZKIEJANCNFSM4J3JTV2Q">unsubscribe</a>.<img src="https://github.com/notifications/beacon/AAFNGVALH4GS5OLFMMS76UDQZKIEJA5CNFSM4J3JTV22YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEHHRHDQ.gif" height="1" width="1" alt="" /></p>

<script type="application/ld+json">[

{

"@context": "http://schema.org",

"@type": "EmailMessage",

"potentialAction": {

"@type": "ViewAction",

"target": "https://github.com/ipxe/ipxe/pull/100?email_source=notifications\u0026email_token=AAFNGVDNTP4K3GBEVC7POXDQZKIEJA5CNFSM4J3JTV22YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEHHRHDQ#issuecomment-567219086",

"url": "https://github.com/ipxe/ipxe/pull/100?email_source=notifications\u0026email_token=AAFNGVDNTP4K3GBEVC7POXDQZKIEJA5CNFSM4J3JTV22YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEHHRHDQ#issuecomment-567219086",

"name": "View Pull Request"

},

"description": "View this Pull Request on GitHub",

"publisher": {

"@type": "Organization",

"name": "GitHub",

"url": "https://github.com"

}

}

]</script>