Mercurial Mercurial > hg / changeset
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | raw | zip | gz | bz2 | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
config: add some more documentation around why svn and git subrepos are off stable
authorAugie Fackler <augie@google.com>
Mon, 06 Nov 2017 14:56:17 -0500
branchstable
changeset 34988 bd725a71f274
parent 34987 846942fd6d15
child 34989 1a314176da9c
config: add some more documentation around why svn and git subrepos are off
mercurial/help/config.txt file | annotate | diff | comparison | revisions 
--- a/mercurial/help/config.txt	Sun Nov 05 21:51:42 2017 +0900
+++ b/mercurial/help/config.txt	Mon Nov 06 14:56:17 2017 -0500
@@ -1905,6 +1905,13 @@
 
     When disallowed, any commands including :hg:`update` will fail if
     subrepositories are involved.
+
+    Security note: auditing in Mercurial is known to be insufficient
+    to prevent clone-time code execution with carefully constructed
+    Git subrepos. It is unknown if a similar defect is present in
+    Subversion subrepos, so both are disabled by default out of an
+    abundance of caution. Re-enable such subrepos via this setting
+    with caution.
     (default: `hg`)
 
 ``templatealias``
Mercurial