
This article on a CVE for git published today has details on the vulnerability: https://github.blog/2022-04-12-git-security-vulnerability-an...



You basically substituted both the link and the title for a completely different one after people had spent a long time discussing that specific link and title. Now half of the comments don't really make sense at first glance.


Yeah, that happens sometimes, but if the second link is more suitable then the discussion eventually adapts for the better. So the only real question is which link is more suitable.

One principle I like to use is to assume readers are smart—e.g. in this case, that readers are smart enough to figure out that there are two relevant links to the comments. Of course randomness is also a factor, but it mostly all works out.


The original link barely made any sense and many of those comments were comments without the useful context. The root cause here is the iffy submission, not the outdated comments or the change to a more meaningful link.


The original title was "Git 2.30.3 will not operate in non-owned directories" which makes perfect sense to me, and the link provides a good explanation of the security problem. What barely makes any sense about it?


It's a made-up title linking to some random commit. The new link tells you it's a fix for a vulnerability, the details, its CVE, affected platforms and use cases, etc, etc. The other thing doesn't.


The title was "made up", I'll give you that, but it's a pretty good paraphrase of the commit title to add context.

The old link also tells you it's a fix for a vulnerability, and also explains how it affects all platforms, and also talks about the use cases etc etc.

The only thing it doesn't have is a CVE number, which I don't think is all that important.


The official announcement tells you that there's a vuln, it's considered important enough to break things and that it's out right now. The other thing tells you someone committed something a few weeks ago. The missing context also helps drive a lot of under-informed grumpy threads, rather than better-informed grumpy comments/threads. There'd have probably been fewer grumpy threads with the better link.


They both say right at the top that it's a vulnerability, and the old title put the breakage front and center. So I don't know what you mean by missing context.


The context of one is 'someone committed a thing a few weeks ago and it does a thing, according to someone posting to HN'. The context of the other is 'one of the biggest git users on the planet tells you there's git vuln, fix out right now'.


Git itself removing an ability should tell you that it's a big deal even more than "one of the biggest git users on the planet".

And again, first line says it's a vulnerability. "it does a thing, according to someone posting to HN" is a big fat strawman.


I don't know, it really doesn't sound like a real CVE - maybe add some setting I guess for those worried? Others bring up good points, if your attacker can write to C:\ you probably have other issues.

On top of that, it breaks completely valid functionality - someone's 'bug' is someone else's feature.


It's really more of a Stay-Puft Marshmallow Man.


I feel like the title doesn't really focus on the specific behaviour change (not operating in non-owned directories) that will be affecting a lot of CI/CD, which is what I was interested in seeing discussion on.


Ah ok this was the real link. The top level link to github.blog doesn't seem to have anything that this link here has. Please change it back.


Sorry for the confusion! I've added https://news.ycombinator.com/item?id=31016938 at the top of the thread so people will see both links.



