From e74df22b8b75c6f24343a153534535738fe7f3f1 Mon Sep 17 00:00:00 2001 From: Kristoffer Dalby Date: Sat, 3 May 2025 09:08:00 +0200 Subject: [PATCH] Changelog, add ssh section Signed-off-by: Kristoffer Dalby --- CHANGELOG.md | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d4589652..48d11080 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -62,6 +62,20 @@ new policy code passes all of our tests. `@` should be appended at the end. For example, if your user is `john`, it must be written as `john@` in the policy. +**SSH** + +The SSH policy has been reworked to be more consistent with the rest of the +policy. In addition, several inconsistencies between our implementation and +Tailscale's upstream has been closed and this might be a breaking change for +some users. Please refer to the +[upstream documentation](https://tailscale.com/kb/1337/acl-syntax#tailscale-ssh) +for more information on which types are allowed in `src`, `dst` and `users`. + +There is one large inconsistency left, we allow `*` as a destination as we +currently do not support `autogroup:self`, `autogroup:member` and +`autogroup:tagged`. The support for `*` will be removed when we have support for +the autogroups. + **Current state** The new policy is passing all tests, both integration and unit tests. This does @@ -70,8 +84,6 @@ working in v1 and not tested might be broken in v2 (and vice versa). **We do need help testing this code** - - #### Other breaking changes - Disallow `server_url` and `base_domain` to be equal
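Review bot: In the added **SSH** section of the first hunk (`@@ -62,6 +62,20 @@`), the entry warns that the rework "might be a breaking change for some users" but names none of the changed behaviours, so a reader cannot tell from the changelog whether their existing SSH rules are affected without diffing them against the upstream page by hand. Consider listing the specific `src`, `dst` and `users` forms that are no longer accepted, or at least one before/after rule. The second paragraph has the same gap for the remaining `*` destination: it says support "will be removed when we have support for the autogroups" but gives no guidance on what to write in the meantime. Since `*` as an SSH destination is broader than the `autogroup:self`, `autogroup:member` and `autogroup:tagged` values it stands in for, it is worth stating that rules using it will need rewriting later and suggesting that operators scope `dst` to explicit users, groups or tags where they can. Two wording nits in the same lines: "several inconsistencies ... has been closed" should be "have been closed", and "There is one large inconsistency left, we allow `*`" reads better with a colon instead of the comma.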