The origins.git.trusted_sites setting is not well signposted based on documentation alone.
It would probably help if the error message when publishing fails due to an untrusted origin (currently just "error: Origin is hosted on unknown site: <hostname>") had a note to the effect of "You may need to update your 'origins.git.trusted_sites' setting." Obviously this should only be shown if --for-private-index is specified, and otherwise perhaps it should include something like "Please contact us if you think a site should be allowed." (from here).
As a side note, the description in alr help settings should probably also mention that the restriction is motivated by vulnerabilities in SHA1, so that users understand the implications of changing it.