sslutil: issue warning when [hostfingerprint] is used
Mercurial 3.9 added the [hostsecurity] section, which is better
than [hostfingerprints] in every way.
One of the ways that [hostsecurity] is better is that it supports
SHA-256 and SHA-512 fingerprints, not just SHA-1 fingerprints.
The world is moving away from SHA-1 because it is borderline
secure. Mercurial should be part of that movement.
This patch adds a warning when a valid SHA-1 fingerprint from
the [hostfingerprints] section is being used. The warning informs
users to switch to [hostsecurity]. It even prints the config
option they should set. It uses the SHA-256 fingerprint because
recommending a SHA-1 fingerprint in 2017 would be ill-advised.
The warning will print itself on every connection to a server until
it is fixed. There is no way to suppress the warning. I admit this
is annoying. But given the security implications of sticking with
SHA-1, I think this is justified. If this patch is accepted,
I'll likely send a follow-up to start warning on SHA-1
certificates in [hostsecurity] as well. Then sometime down
the road, we can drop support for SHA-1 fingerprints.
Credit for this idea comes from timeless in issue 5466.
Revert interactive tests
1 add and commit file f
2 add commit file folder1/g
3 add and commit file folder2/h
4 add and commit file folder1/i
5 commit change to file f
6 commit changes to files folder1/g folder2/h
7 commit changes to files folder1/g folder2/h
8 revert interactive to commit id 2 (line 3 above), check that folder1/i is removed and
9 make workdir match 7
10 run the same test than 8 from within folder1 and check same expectations
$ cat <<EOF >> $HGRCPATH
> [ui]
> interactive = true
> [extensions]
> record =
> purge =
> EOF
$ mkdir -p a/folder1 a/folder2
$ cd a
$ hg init
>>> open('f', 'wb').write("1\n2\n3\n4\n5\n")
$ hg add f ; hg commit -m "adding f"
$ cat f > folder1/g ; hg add folder1/g ; hg commit -m "adding folder1/g"
$ cat f > folder2/h ; hg add folder2/h ; hg commit -m "adding folder2/h"
$ cat f > folder1/i ; hg add folder1/i ; hg commit -m "adding folder1/i"
>>> open('f', 'wb').write("a\n1\n2\n3\n4\n5\nb\n")
$ hg commit -m "modifying f"
>>> open('folder1/g', 'wb').write("c\n1\n2\n3\n4\n5\nd\n")
$ hg commit -m "modifying folder1/g"
>>> open('folder2/h', 'wb').write("e\n1\n2\n3\n4\n5\nf\n")
$ hg commit -m "modifying folder2/h"
$ hg tip
changeset: 6:59dd6e4ab63a
tag: tip
user: test
date: Thu Jan 01 00:00:00 1970 +0000
summary: modifying folder2/h
$ hg revert -i -r 2 --all -- << EOF
> y
> y
> y
> y
> y
> y
> n
> n
> EOF
reverting f
reverting folder1/g (glob)
removing folder1/i (glob)
reverting folder2/h (glob)
remove added file folder1/i (Yn)? y
diff --git a/f b/f
2 hunks, 2 lines changed
examine changes to 'f'? [Ynesfdaq?] y
@@ -1,5 +1,6 @@
+a
1
2
3
4
5
revert change 1/6 to 'f'? [Ynesfdaq?] y
@@ -1,5 +2,6 @@
1
2
3
4
5
+b
revert change 2/6 to 'f'? [Ynesfdaq?] y
diff --git a/folder1/g b/folder1/g
2 hunks, 2 lines changed
examine changes to 'folder1/g'? [Ynesfdaq?] y
@@ -1,5 +1,6 @@
+c
1
2
3
4
5
revert change 3/6 to 'folder1/g'? [Ynesfdaq?] y
@@ -1,5 +2,6 @@
1
2
3
4
5
+d
revert change 4/6 to 'folder1/g'? [Ynesfdaq?] n
diff --git a/folder2/h b/folder2/h
2 hunks, 2 lines changed
examine changes to 'folder2/h'? [Ynesfdaq?] n
$ cat f
1
2
3
4
5
$ cat folder1/g
1
2
3
4
5
d
$ cat folder2/h
e
1
2
3
4
5
f
Test that --interactive lift the need for --all
$ echo q | hg revert -i -r 2
reverting folder1/g (glob)
reverting folder2/h (glob)
diff --git a/folder1/g b/folder1/g
1 hunks, 1 lines changed
examine changes to 'folder1/g'? [Ynesfdaq?] q
abort: user quit
[255]
$ ls folder1/
g
Test that a noop revert doesn't do an unnecessary backup
$ (echo y; echo n) | hg revert -i -r 2 folder1/g
diff --git a/folder1/g b/folder1/g
1 hunks, 1 lines changed
examine changes to 'folder1/g'? [Ynesfdaq?] y
@@ -3,3 +3,4 @@
3
4
5
+d
revert this change to 'folder1/g'? [Ynesfdaq?] n
$ ls folder1/
g
Test --no-backup
$ (echo y; echo y) | hg revert -i -C -r 2 folder1/g
diff --git a/folder1/g b/folder1/g
1 hunks, 1 lines changed
examine changes to 'folder1/g'? [Ynesfdaq?] y
@@ -3,3 +3,4 @@
3
4
5
+d
revert this change to 'folder1/g'? [Ynesfdaq?] y
$ ls folder1/
g
>>> open('folder1/g', 'wb').write("1\n2\n3\n4\n5\nd\n")
$ hg update -C 6
3 files updated, 0 files merged, 0 files removed, 0 files unresolved
$ hg revert -i -r 2 --all -- << EOF
> n
> y
> y
> y
> y
> y
> n
> n
> EOF
reverting f
reverting folder1/g (glob)
removing folder1/i (glob)
reverting folder2/h (glob)
remove added file folder1/i (Yn)? n
diff --git a/f b/f
2 hunks, 2 lines changed
examine changes to 'f'? [Ynesfdaq?] y
@@ -1,5 +1,6 @@
+a
1
2
3
4
5
revert change 1/6 to 'f'? [Ynesfdaq?] y
@@ -1,5 +2,6 @@
1
2
3
4
5
+b
revert change 2/6 to 'f'? [Ynesfdaq?] y
diff --git a/folder1/g b/folder1/g
2 hunks, 2 lines changed
examine changes to 'folder1/g'? [Ynesfdaq?] y
@@ -1,5 +1,6 @@
+c
1
2
3
4
5
revert change 3/6 to 'folder1/g'? [Ynesfdaq?] y
@@ -1,5 +2,6 @@
1
2
3
4
5
+d
revert change 4/6 to 'folder1/g'? [Ynesfdaq?] n
diff --git a/folder2/h b/folder2/h
2 hunks, 2 lines changed
examine changes to 'folder2/h'? [Ynesfdaq?] n
$ cat f
1
2
3
4
5
$ cat folder1/g
1
2
3
4
5
d
$ cat folder2/h
e
1
2
3
4
5
f
$ hg st
M f
M folder1/g
$ hg revert --interactive f << EOF
> y
> y
> n
> n
> EOF
diff --git a/f b/f
2 hunks, 2 lines changed
examine changes to 'f'? [Ynesfdaq?] y
@@ -1,6 +1,5 @@
-a
1
2
3
4
5
discard change 1/2 to 'f'? [Ynesfdaq?] y
@@ -2,6 +1,5 @@
1
2
3
4
5
-b
discard change 2/2 to 'f'? [Ynesfdaq?] n
$ hg st
M f
M folder1/g
? f.orig
$ cat f
a
1
2
3
4
5
$ cat f.orig
1
2
3
4
5
$ rm f.orig
$ hg update -C .
2 files updated, 0 files merged, 0 files removed, 0 files unresolved
Check editing files newly added by a revert
1) Create a dummy editor changing 1 to 42
$ cat > $TESTTMP/editor.sh << '__EOF__'
> cat "$1" | sed "s/1/42/g" > tt
> mv tt "$1"
> __EOF__
2) Add k
$ printf "1\n" > k
$ hg add k
$ hg commit -m "add k"
3) Use interactive revert with editing (replacing +1 with +42):
$ printf "0\n2\n" > k
$ HGEDITOR="\"sh\" \"${TESTTMP}/editor.sh\"" hg revert -i <<EOF
> y
> e
> EOF
reverting k
diff --git a/k b/k
1 hunks, 2 lines changed
examine changes to 'k'? [Ynesfdaq?] y
@@ -1,1 +1,2 @@
-1
+0
+2
discard this change to 'k'? [Ynesfdaq?] e
$ cat k
42
Check the experimental config to invert the selection:
$ cat <<EOF >> $HGRCPATH
> [experimental]
> revertalternateinteractivemode=False
> EOF
$ hg up -C .
1 files updated, 0 files merged, 0 files removed, 0 files unresolved
$ printf 'firstline\nc\n1\n2\n3\n 3\n5\nd\nlastline\n' > folder1/g
$ hg diff --nodates
diff -r a3d963a027aa folder1/g
--- a/folder1/g
+++ b/folder1/g
@@ -1,7 +1,9 @@
+firstline
c
1
2
3
-4
+ 3
5
d
+lastline
$ hg revert -i <<EOF
> y
> y
> y
> n
> EOF
reverting folder1/g (glob)
diff --git a/folder1/g b/folder1/g
3 hunks, 3 lines changed
examine changes to 'folder1/g'? [Ynesfdaq?] y
@@ -1,4 +1,5 @@
+firstline
c
1
2
3
discard change 1/3 to 'folder1/g'? [Ynesfdaq?] y
@@ -1,7 +2,7 @@
c
1
2
3
-4
+ 3
5
d
discard change 2/3 to 'folder1/g'? [Ynesfdaq?] y
@@ -6,2 +7,3 @@
5
d
+lastline
discard change 3/3 to 'folder1/g'? [Ynesfdaq?] n
$ hg diff --nodates
diff -r a3d963a027aa folder1/g
--- a/folder1/g
+++ b/folder1/g
@@ -5,3 +5,4 @@
4
5
d
+lastline
$ hg update -C .
1 files updated, 0 files merged, 0 files removed, 0 files unresolved
$ hg purge
$ touch newfile
$ hg add newfile
$ hg status
A newfile
$ hg revert -i <<EOF
> n
> EOF
forgetting newfile
forget added file newfile (Yn)? n
$ hg status
A newfile
$ hg revert -i <<EOF
> y
> EOF
forgetting newfile
forget added file newfile (Yn)? y
$ hg status
? newfile