# HG changeset patch
# User Augie Fackler <augie@google.com>
# Date 1509998177 18000
# Mon Nov 06 14:56:17 2017 -0500
# Branch stable
# Node ID bd725a71f274b37206b0bc776050a4d3336cde30
# Parent 846942fd6d157a6e55783ebf2cf3fccf8cd9528b
config: add some more documentation around why svn and git subrepos are off
---
mercurial/help/config.txt | 7 +++++++
1 file changed, 7 insertions(+)
--- a/mercurial/help/config.txt
+++ b/mercurial/help/config.txt
@@ -1791,6 +1791,13 @@ subrepositories feature. See also :hg:`h
When disallowed, any commands including :hg:`update` will fail if
subrepositories are involved.
+
+ Security note: auditing in Mercurial is known to be insufficient
+ to prevent clone-time code execution with carefully constructed
+ Git subrepos. It is unknown if a similar defect is present in
+ Subversion subrepos, so both are disabled by default out of an
+ abundance of caution. Re-enable such subrepos via this setting
+ with caution.
(default: `hg`)
``templatealias``
distrib
>
Mageia
>
6
>
armv7hl
>
media
>
core-updates-src
>
by-pkgid
>
41c8e355a9bd3d5f7cc6c68d108cb600
>
files
>
7
