Added a comment: should import follow symlinks?

doc/bugs/git-annex-import_imports_outside_of_directory/comment_2_e74c71a5574a8e99503ac83a27d48533._comment

@@ -0,0 +1,17 @@
+[[!comment format=mdwn
+ username="Ilya_Shlyakhter"
+ avatar="http://cdn.libravatar.org/avatar/1647044369aa7747829c38b9dcc84df0"
+ subject="should import follow symlinks?"
+ date="2022-05-03T19:36:10Z"
+ content="""
+I meant \"security hole\" more in the sense of the user themselves inadvertently importing (and then sharing) more than they meant to.
+E.g. I was importing a large subtree created by others, and had no clue it included symlinks outside the subtree; I only noticed this by accident, when the import started taking too long.
+
+>git-annex import $dir also follows symlinks inside $dir.
+
+In conjunction with the `mv` semantics, this seems risky... had I been using the original directory import, I'd have inadvertently deleted a large dataset (to which there was a symlink in the imported tree) from a place others expect to find it.  The unix `mv` command doesn't even have a flag to follow symlinks (nevermind defaulting to that).
+
+>It at least seems plausible that there might be users who import from ~/disk which is a symlink to /media/somethinglong, and rely on it following the symlink.
+
+It's certainly plausible; question is, should it be the default?   It's not the default in `cp` (you have to use `-L`) or in `tar` (have to use `-h`).  I think most people assume that importing from a directory remote is akin to doing a `cp -r` or `tar cf` from it.
+"""]]