On Wed, May 10, 2023 at 4:21 PM Taylor Blau <me@xxxxxxxxxxxx> wrote:
>
> On Wed, May 10, 2023 at 12:18:15PM -0700, Junio C Hamano wrote:
> > "Derrick Stolee via GitGitGadget" <gitgitgadget@xxxxxxxxx> writes:
> >
> > > This patch was reviewed on the Git security list, but the impact seemed
> > > limited to Git forges using merge-ort to create merge commits. The
> > > forges represented on the list have deployed versions of this patch and
> > > thus are no longer vulnerable.
> >
> > Let's queue directly on 'next' (unlike 'master', where we want to
> > merge only commits that had exposure in 'next' for a week or so,
> > there is no formal requirement for topics to enter 'next' before
> > spending any time in 'seen') and fast-track to 'master', as I've
> > seen it already reviewed adequately over there.
>
> Agreed. I also participated in the earlier rounds of review and the
> resulting patch looks obviously correct to me. I would be happy to see
> it merged.
>
> I added Elijah to the CC list, since he is likely to be interested in
> this topic and may have thoughts to share.

Thanks. I took a look and left some comments (it looks like the merge
machinery already parses _most_ relevant merge-related config
unconditionally, each time we set up a merge), but I had more
questions than answers. :-)