# HG changeset patch # User Augie Fackler # Date 1509998177 18000 # Node ID bd725a71f274b37206b0bc776050a4d3336cde30 # Parent 846942fd6d157a6e55783ebf2cf3fccf8cd9528b config: add some more documentation around why svn and git subrepos are off diff -r 846942fd6d15 -r bd725a71f274 mercurial/help/config.txt --- a/mercurial/help/config.txt Sun Nov 05 21:51:42 2017 +0900 +++ b/mercurial/help/config.txt Mon Nov 06 14:56:17 2017 -0500 @@ -1905,6 +1905,13 @@ When disallowed, any commands including :hg:`update` will fail if subrepositories are involved. + + Security note: auditing in Mercurial is known to be insufficient + to prevent clone-time code execution with carefully constructed + Git subrepos. It is unknown if a similar defect is present in + Subversion subrepos, so both are disabled by default out of an + abundance of caution. Re-enable such subrepos via this setting + with caution. (default: `hg`) ``templatealias``
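Review bot: In the added security note, the closing sentence "Re-enable such subrepos via this setting with caution" gives the reader nothing to act on, and it repeats "caution" from the sentence just before it. Say what the caution consists of, for example that Git and Subversion subrepos should only be allowed for repositories whose source and contents are trusted, since the note itself states that auditing cannot prevent code execution from a carefully constructed Git subrepo. It would also help to tie the note to the "(default: `hg`)" line that follows it, stating outright that this default is what leaves Git and Subversion subrepos disabled; as written the reader has to infer that. Minor: the note names only "clone-time" code execution, while the unchanged context directly above talks about commands including :hg:`update`, so consider wording the risk to cover both or saying why only clone is named.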