diff --git a/0001-t0033-add-tests-for-safe.directory.patch b/0001-t0033-add-tests-for-safe.directory.patch
new file mode 100644
index 0000000..6774b37
--- /dev/null
+++ b/0001-t0033-add-tests-for-safe.directory.patch
@@ -0,0 +1,72 @@
+From e47363e5a8bdf5144059d664c45c0975243ef05b Mon Sep 17 00:00:00 2001
+From: Derrick Stolee <derrickstolee@github.com>
+Date: Wed, 13 Apr 2022 15:32:29 +0000
+Subject: [PATCH 1/3] t0033: add tests for safe.directory
+
+It is difficult to change the ownership on a directory in our test
+suite, so insert a new GIT_TEST_ASSUME_DIFFERENT_OWNER environment
+variable to trick Git into thinking we are in a differently-owned
+directory. This allows us to test that the config is parsed correctly.
+
+Signed-off-by: Derrick Stolee <derrickstolee@github.com>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+---
+ setup.c                   |  3 ++-
+ t/t0033-safe-directory.sh | 34 ++++++++++++++++++++++++++++++++++
+ 2 files changed, 36 insertions(+), 1 deletion(-)
+ create mode 100755 t/t0033-safe-directory.sh
+
+diff --git a/setup.c b/setup.c
+index 95d5b00940..3c6ed17af9 100644
+--- a/setup.c
++++ b/setup.c
+@@ -1053,7 +1053,8 @@ static int ensure_valid_ownership(const char *path)
+ {
+ 	struct safe_directory_data data = { .path = path };
+ 
+-	if (is_path_owned_by_current_user(path))
++	if (!git_env_bool("GIT_TEST_ASSUME_DIFFERENT_OWNER", 0) &&
++	    is_path_owned_by_current_user(path))
+ 		return 1;
+ 
+ 	read_very_early_config(safe_directory_cb, &data);
+diff --git a/t/t0033-safe-directory.sh b/t/t0033-safe-directory.sh
+new file mode 100755
+index 0000000000..9380ff3d01
+--- /dev/null
++++ b/t/t0033-safe-directory.sh
+@@ -0,0 +1,34 @@
++#!/bin/sh
++
++test_description='verify safe.directory checks'
++
++. ./test-lib.sh
++
++GIT_TEST_ASSUME_DIFFERENT_OWNER=1
++export GIT_TEST_ASSUME_DIFFERENT_OWNER
++
++expect_rejected_dir () {
++	test_must_fail git status 2>err &&
++	grep "safe.directory" err
++}
++
++test_expect_success 'safe.directory is not set' '
++	expect_rejected_dir
++'
++
++test_expect_success 'safe.directory does not match' '
++	git config --global safe.directory bogus &&
++	expect_rejected_dir
++'
++
++test_expect_success 'safe.directory matches' '
++	git config --global --add safe.directory "$(pwd)" &&
++	git status
++'
++
++test_expect_success 'safe.directory matches, but is reset' '
++	git config --global --add safe.directory "" &&
++	expect_rejected_dir
++'
++
++test_done
diff --git a/0002-setup-fix-safe.directory-key-not-being-checked.patch b/0002-setup-fix-safe.directory-key-not-being-checked.patch
new file mode 100644
index 0000000..d53a5f2
--- /dev/null
+++ b/0002-setup-fix-safe.directory-key-not-being-checked.patch
@@ -0,0 +1,48 @@
+From bb50ec3cc300eeff3aba7a2bea145aabdb477d31 Mon Sep 17 00:00:00 2001
+From: Matheus Valadares <me@m28.io>
+Date: Wed, 13 Apr 2022 15:32:30 +0000
+Subject: [PATCH 2/3] setup: fix safe.directory key not being checked
+
+It seems that nothing is ever checking to make sure the safe directories
+in the configs actually have the key safe.directory, so some unrelated
+config that has a value with a certain directory would also make it a
+safe directory.
+
+Signed-off-by: Matheus Valadares <me@m28.io>
+Signed-off-by: Derrick Stolee <derrickstolee@github.com>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+---
+ setup.c                   | 3 +++
+ t/t0033-safe-directory.sh | 5 +++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/setup.c b/setup.c
+index 3c6ed17af9..4b9f073617 100644
+--- a/setup.c
++++ b/setup.c
+@@ -1034,6 +1034,9 @@ static int safe_directory_cb(const char *key, const char *value, void *d)
+ {
+ 	struct safe_directory_data *data = d;
+ 
++	if (strcmp(key, "safe.directory"))
++		return 0;
++
+ 	if (!value || !*value)
+ 		data->is_safe = 0;
+ 	else {
+diff --git a/t/t0033-safe-directory.sh b/t/t0033-safe-directory.sh
+index 9380ff3d01..6f33c0dfef 100755
+--- a/t/t0033-safe-directory.sh
++++ b/t/t0033-safe-directory.sh
+@@ -21,6 +21,11 @@ test_expect_success 'safe.directory does not match' '
+ 	expect_rejected_dir
+ '
+ 
++test_expect_success 'path exist as different key' '
++	git config --global foo.bar "$(pwd)" &&
++	expect_rejected_dir
++'
++
+ test_expect_success 'safe.directory matches' '
+ 	git config --global --add safe.directory "$(pwd)" &&
+ 	git status
diff --git a/0003-setup-opt-out-of-check-with-safe.directory.patch b/0003-setup-opt-out-of-check-with-safe.directory.patch
new file mode 100644
index 0000000..b734d9e
--- /dev/null
+++ b/0003-setup-opt-out-of-check-with-safe.directory.patch
@@ -0,0 +1,88 @@
+From 0f85c4a30b072a26d74af8bbf63cc8f6a5dfc1b8 Mon Sep 17 00:00:00 2001
+From: Derrick Stolee <derrickstolee@github.com>
+Date: Wed, 13 Apr 2022 15:32:31 +0000
+Subject: [PATCH 3/3] setup: opt-out of check with safe.directory=*
+
+With the addition of the safe.directory in 8959555ce
+(setup_git_directory(): add an owner check for the top-level directory,
+2022-03-02) released in v2.35.2, we are receiving feedback from a
+variety of users about the feature.
+
+Some users have a very large list of shared repositories and find it
+cumbersome to add this config for every one of them.
+
+In a more difficult case, certain workflows involve running Git commands
+within containers. The container boundary prevents any global or system
+config from communicating `safe.directory` values from the host into the
+container. Further, the container almost always runs as a different user
+than the owner of the directory in the host.
+
+To simplify the reactions necessary for these users, extend the
+definition of the safe.directory config value to include a possible '*'
+value. This value implies that all directories are safe, providing a
+single setting to opt-out of this protection.
+
+Note that an empty assignment of safe.directory clears all previous
+values, and this is already the case with the "if (!value || !*value)"
+condition.
+
+Signed-off-by: Derrick Stolee <derrickstolee@github.com>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+---
+ Documentation/config/safe.txt |  7 +++++++
+ setup.c                       |  6 ++++--
+ t/t0033-safe-directory.sh     | 10 ++++++++++
+ 3 files changed, 21 insertions(+), 2 deletions(-)
+
+diff --git a/Documentation/config/safe.txt b/Documentation/config/safe.txt
+index 63597b2df8..6d764fe0cc 100644
+--- a/Documentation/config/safe.txt
++++ b/Documentation/config/safe.txt
+@@ -19,3 +19,10 @@ line option `-c safe.directory=<path>`.
+ The value of this setting is interpolated, i.e. `~/<path>` expands to a
+ path relative to the home directory and `%(prefix)/<path>` expands to a
+ path relative to Git's (runtime) prefix.
+++
++To completely opt-out of this security check, set `safe.directory` to the
++string `*`. This will allow all repositories to be treated as if their
++directory was listed in the `safe.directory` list. If `safe.directory=*`
++is set in system config and you want to re-enable this protection, then
++initialize your list with an empty value before listing the repositories
++that you deem safe.
+diff --git a/setup.c b/setup.c
+index 4b9f073617..aad9ace0af 100644
+--- a/setup.c
++++ b/setup.c
+@@ -1037,9 +1037,11 @@ static int safe_directory_cb(const char *key, const char *value, void *d)
+ 	if (strcmp(key, "safe.directory"))
+ 		return 0;
+ 
+-	if (!value || !*value)
++	if (!value || !*value) {
+ 		data->is_safe = 0;
+-	else {
++	} else if (!strcmp(value, "*")) {
++		data->is_safe = 1;
++	} else {
+ 		const char *interpolated = NULL;
+ 
+ 		if (!git_config_pathname(&interpolated, key, value) &&
+diff --git a/t/t0033-safe-directory.sh b/t/t0033-safe-directory.sh
+index 6f33c0dfef..239d93f4d2 100755
+--- a/t/t0033-safe-directory.sh
++++ b/t/t0033-safe-directory.sh
+@@ -36,4 +36,14 @@ test_expect_success 'safe.directory matches, but is reset' '
+ 	expect_rejected_dir
+ '
+ 
++test_expect_success 'safe.directory=*' '
++	git config --global --add safe.directory "*" &&
++	git status
++'
++
++test_expect_success 'safe.directory=*, but is reset' '
++	git config --global --add safe.directory "" &&
++	expect_rejected_dir
++'
++
+ test_done
diff --git a/git.spec b/git.spec
index 16a265a..4060513 100644
--- a/git.spec
+++ b/git.spec
@@ -84,7 +84,7 @@
 
 Name:           git
 Version:        2.36.0
-Release:        0.2%{?rcrev}%{?dist}
+Release:        0.3%{?rcrev}%{?dist}
 Summary:        Fast Version Control System
 License:        GPLv2
 URL:            https://git-scm.com/
@@ -116,6 +116,11 @@ Source99:       print-failed-test-output
 # https://bugzilla.redhat.com/490602
 Patch0:         git-cvsimport-Ignore-cvsps-2.2b1-Branches-output.patch
 
+# Usability improvements on top of CVE-2022-24765
+Patch1:         0001-t0033-add-tests-for-safe.directory.patch
+Patch2:         0002-setup-fix-safe.directory-key-not-being-checked.patch
+Patch3:         0003-setup-opt-out-of-check-with-safe.directory.patch
+
 %if %{with docs}
 # pod2man is needed to build Git.3pm
 BuildRequires:  %{_bindir}/pod2man
@@ -1036,6 +1041,9 @@ rmdir --ignore-fail-on-non-empty "$testdir"
 %{?with_docs:%{_pkgdocdir}/git-svn.html}
 
 %changelog
+* Thu Apr 14 2022 Todd Zullinger <tmz@pobox.com> - 2.36.0-0.3.rc2
+- usability improvements on top of CVE-2022-24765
+
 * Wed Apr 13 2022 Todd Zullinger <tmz@pobox.com> - 2.36.0-0.2.rc2
 - update to 2.36.0-rc2 (CVE-2022-24765)
 - disable failing tests on s390x on EL8