Question - is opening someone else ddev project on your machine a security risk?

[piotrpog]

It is known that there are dangers in using unverified docker packages.
I was wondering, are there dangers in using someone else ddev projects on your machine? Assuming that whole .ddev directory was directly copied.

[rfay]

Any time you choose to do anything with any code you need to understand it. In general, though, your risks will be from the PHP code you execute, not from docker images or containers.

[GuySartorelli]

You can add hooks in your project's DDEV configuration. Someone could conceivably add some malicious hooks that execute arbitrary code when you start the project, for example.

But as rfay says, you should make sure you understand any code before you run it.

As a general rule it's also good practice to make a risk assessment based on your experience, where the project is coming from, etc... for example I'm much more likely to trust (and do less checking for things like malicious hooks) and run a project a colleague has set up, compared to for example a DDEV project I find on a dodgy USB drive I find outside on the ground.