Taylor Blau <me@xxxxxxxxxxxx> writes:

> which points to e0a862fdaf (submodule helper: convert relative URL to
> absolute URL if needed, 2018-10-16) as the culprit.

Whew, that is fairly ancient. I was afraid if we have another regression, but it does not look that way.

Fixing is certainly good and we'd need to eventually get to it, but we have luxury to make sure that the fix is sound without having to rush anything ;-)

In the meantime, "if it hurts, don't do it" is what we can say. Telling random users to muck with their config in certain ways that violate the way how the system represents (un-)initialized submodules and then to run certain command to induce a NULL pointer dereference is rather an ineffective social engineering as an attack vector, so this is not urgent in that sense.

I am more worried that the original report talked about mucking with the in-tree .gitmodules file affects the result, though. Once a submodule is initialized, what is in the file for that submodule should not affect the working of local Git (otherwise the file can be used as a route to inject stuff to unsuspecting repositories), but in this case apparently it does?

Thanks.