NEWS: add entry about disabling wildcard support by default

web/docs/c.md

@@ -11,7 +11,10 @@ With mingw-w64, there are three ways wildcard expansion can be configured:
 
 1. mingw-w64 can be configured at build time to either enable or disable wildcard expansion by default via the `--enable-wildcard` configure flags. This can to be overridden on a per .exe basis by the user.
 
-    Currently wildcard expansion is enabled by default in MSYS2.
+    Wildcard expansion used to be enabeld by default in MSYS2, but it was
+    disabled starting with 2024-11-02. See [the news
+    entry](../news.md#2024-11-02---disabling-mingw-w64-wildcard-support-by-default)
+    for details.
 
 2. You can set `_dowildcard` in your source code to either `0` or `-1` to disable or enable wildcard expansion.
 

web/news.md

@@ -5,6 +5,44 @@ summary: Important events happening.
 
 This page lists important changes or issues affecting MSYS2 users. We also post them to [Twitter](https://twitter.com/msys2org) and [Mastodon](https://fosstodon.org/@msys2org), including some not-so-important things :)
 
+### 2024-11-02 - Disabling mingw-w64 wildcard support by default
+
+For historical reasons MSYS2 enabled wildcard support in mingw-w64 at build
+time. This means that any executable built had wildcard support enabled by
+default unless it explicitly opted out. Wildcard support in this case means that
+program arguments containing `?`and `*` can get expanded to one or more file
+paths if the pattern happens to match paths of files on disk. Note that this
+happens in the target program directly and not in any shell beforehand.
+
+```console
+$ # before this change
+$ python -c 'import sys; print(sys.argv)' '*a.txt'
+['-c', 'a.txt', 'aaaa.txt', 'bla.txt']
+$ # after this change
+$ python -c 'import sys; print(sys.argv)' '*a.txt'
+['-c', '*a.txt']
+```
+
+This expansion has multiple problems:
+
+* It's different behavior as with MSVC built executables
+* It's confusing to users if wildcard handling triggers by accident. For
+  example, passing a regex as an argument to a CLI tool, which starts matching
+  random files, breaking the pattern.
+* It can have security implications if arguments to executables are forwarded
+  from user controlled input, in which case an argument could expand to a
+  different string depending on the files on the filesystem.
+
+Given all that, we have decided to disable wildcard handling by default. This
+means that any package and executable that is built after this change will get
+the new default behavior.
+
+Our hope/guess is that this will not affect many users, since most will depend
+on globbing on a higher level, be it bash, or build systems. If there are any
+issues please let us know. Also see [the
+docs](./docs/c.md#expanding-wildcard-arguments) for how to force-enable wildcard
+handling for your applications even after this change.
+
 ### 2024-09-23 - Starting to drop the CLANG32 environment
 
 9 months ago we started to reduce the number of packages for the 32-bit