File hg-subrepo-bsc1071715-fix06.patch of Package mercurial.7756
# HG changeset patch
# User Augie Fackler <augie@google.com>
# Date 1509998177 18000
# Mon Nov 06 14:56:17 2017 -0500
# Branch stable
# Node ID bd725a71f274b37206b0bc776050a4d3336cde30
# Parent 846942fd6d157a6e55783ebf2cf3fccf8cd9528b
config: add some more documentation around why svn and git subrepos are off
---
mercurial/help/config.txt | 7 +++++++
1 file changed, 7 insertions(+)
--- a/mercurial/help/config.txt
+++ b/mercurial/help/config.txt
@@ -1791,6 +1791,13 @@ subrepositories feature. See also :hg:`h
When disallowed, any commands including :hg:`update` will fail if
subrepositories are involved.
+
+ Security note: auditing in Mercurial is known to be insufficient
+ to prevent clone-time code execution with carefully constructed
+ Git subrepos. It is unknown if a similar defect is present in
+ Subversion subrepos, so both are disabled by default out of an
+ abundance of caution. Re-enable such subrepos via this setting
+ with caution.
(default: `hg`)
``templatealias``
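Review bot: The closing sentence of the added security note, "Re-enable such subrepos via this setting with caution", gives the reader no criterion for when re-enabling is acceptable. Since the risk the note describes is clone-time code execution from a carefully constructed Git subrepo, it would help to say that Git and Subversion subrepos should only be re-enabled when every repository being cloned or updated comes from a trusted source. The note could also tie "both are disabled by default" to the "(default: `hg`)" line that follows it, so a reader sees that the default lists the only permitted type. As a style point, "caution" appears in two consecutive sentences and one occurrence can be dropped.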