default to not using youtube-dl, for security

Pity, but same reasoning as curl applies to it.

This commit was sponsored by Peter on Patreon.

doc/git-annex-addurl.mdwn

@@ -10,9 +10,12 @@ git annex addurl `[url ...]`
 
 Downloads each url to its own file, which is added to the annex.
 
-When `youtube-dl` is installed, it's used to check for a video embedded in 
-a web page at the url, and that is added to the annex instead.
-  
+When `youtube-dl` is installed, it can be used to check for a video
+embedded in  a web page at the url, and that is added to the annex instead.
+(However, this is disabled by default as it can be a security risk. 
+See the documentation of annex.security.allowed-http-addresses
+in [[git-annex]](1) for details.)
+
 Urls to torrent files (including magnet links) will cause the content of
 the torrent to be downloaded, using `aria2c`.
 

doc/git-annex-importfeed.mdwn

@@ -13,8 +13,11 @@ content has not already been added to the repository before, so you can
 delete, rename, etc the resulting files and repeated runs won't duplicate
 them.
 
-When `youtube-dl` is installed, it's used to download links in the feed.
+When `youtube-dl` is installed, it can be used to download links in the feed.
 This allows importing e.g., YouTube playlists.
+(However, this is disabled by default as it can be a security risk. 
+See the documentation of annex.security.allowed-http-addresses
+in [[git-annex]](1) for details.)
 
 To make the import process add metadata to the imported files from the feed,
 `git config annex.genmetadata true`

doc/git-annex.mdwn

@@ -1421,9 +1421,9 @@ Here are all the supported configuration settings.
   causing it to be downloaded into your repository transferred to
   other remotes, exposing its content.
 
-  Note that, since curl's interface does not allow these IP address
-  restrictions to be enforced, any configuration that enables use of curl
-  will be ignored unless annex.security.allowed-http-addresses=all.
+  Note that, since the interfaces of curl and youtube-dl do not allow
+  these IP address restrictions to be enforced, curl and youtube-dl will
+  never be used unless annex.security.allowed-http-addresses=all.
 
 * `annex.secure-erase-command`
 

doc/tips/downloading_podcasts.mdwn

@@ -84,6 +84,10 @@ manually. For a channel url like
 "https://www.youtube.com/channel/$foo", the
 feed is "https://www.youtube.com/feeds/videos.xml?channel_id=$foo"
 
+Use of youtube-dl is disabled by default as it can be a security risk. 
+See the documentation of annex.security.allowed-http-addresses
+in [[git-annex]] for details.)
+
 ## metadata
 
 As well as storing the urls for items imported from a feed, git-annex can

doc/tips/using_the_web_as_a_special_remote.mdwn

@@ -78,6 +78,10 @@ When you have youtube-dl installed, you can just
 `git annex addurl http://youtube.com/foo` and it will detect that
 it is a video and download the video content for offline viewing.
 
+(However, this is disabled by default as it can be a security risk. 
+See the documentation of annex.security.allowed-http-addresses
+in [[git-annex]] for details.)
+
 Later, in another clone of the repository, you can run `git annex get` on
 the file and it will also be downloaded with youtube-dl. This works
 even if the video host has transcoded or otherwise changed the video