Philippe Blain <levraiphilippeblain@xxxxxxxxx> writes: > This is quite a big behaviour change for some environments [1], so > I would think maybe it deserves to be fully spelled out in the > release notes for 2.36.0, instead of just referring readers to the > release notes for the maintenance release, where they can read a > full description only in the release notes for 2.30.3 ? Makes sense. Here is my quick-and-dirty first draft, based on the design of the new escape hatch done by Derrick today. diff --git c/Documentation/RelNotes/2.36.0.txt w/Documentation/RelNotes/2.36.0.txt index 9f6dd3d868..f4c5e691bb 100644 --- c/Documentation/RelNotes/2.36.0.txt +++ w/Documentation/RelNotes/2.36.0.txt @@ -13,6 +13,15 @@ Backward compatibility warts top-level a partial clone, while submodules are fully cloned. This behaviour is changed to pass the same filter down to the submodules. + * With the fixes for CVE-2022-24765 that are common with versions of + Git 2.30.4, 2.31.3, 2.32.2, 2.33.3, 2.34.3, and 2.35.3, Git has + been taught not to recognise repositories owned by other users, in + order to avoid getting affected by their config files and hooks. + You can list the path to the safe/trusted repositories that may be + owned by others on a multi-valued configuration variable + `safe.directory` to override this behaviour, or use '*' to declare + that you trust anything. + Note to those who build from the source @@ -397,8 +406,6 @@ Fixes since v2.35 entry it moved. (merge b7f9130a06 vd/mv-refresh-stat later to maint). - * Fix for CVE-2022-24765 has been merged up from 2.35.2 and others. - * Other code cleanup, docfix, build fix, etc. (merge cfc5cf428b jc/find-header later to maint). (merge 40e7cfdd46 jh/p4-fix-use-of-process-error-exception later to maint).
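Review bot: In the entry added under "Backward compatibility warts", the version list (2.30.4, 2.31.3, 2.32.2, 2.33.3, 2.34.3, 2.35.3) does not line up with the rest of the page. The line removed in the second hunk says the fix was "merged up from 2.35.2 and others", and the quoted message points at the release notes for 2.30.3. The cover text also calls the escape hatch new, so the entry should say which releases introduced the ownership check and which ones accept '*', so that readers on the earlier maintenance releases know what applies to them. In the same entry, "use '*' to declare that you trust anything" should state the consequence: with '*' the ownership check is off for every repository, so config files and hooks in repositories owned by other users are honoured again. Two smaller points: "list the path" should be "list the paths" for a multi-valued variable, and `safe.directory` is in backticks while '*' is in single quotes.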
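Review bot: Removing the "Fix for CVE-2022-24765 has been merged up from 2.35.2 and others." line in the second hunk leaves "Fixes since v2.35" with no mention of the CVE, so a reader who searches only the fixes list for the CVE identifier will not find it. Consider keeping a one-line entry there that points to the new description under "Backward compatibility warts" instead of deleting it outright.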