Yuya Nishihara <yuya@tcha.org> [Mon, 02 May 2016 11:27:26 +0900] rev 29116
revset: unnest isonly() closure from optimize()
There were no variables to be captured.
Gregory Szorc <gregory.szorc@gmail.com> [Thu, 05 May 2016 00:46:31 -0700] rev 29115
sslutil: stop checking for web.cacerts=! (BC)
The previous patch stopped setting web.cacerts=! to indicate
--insecure.
That left user configs as the only source that could introduce
web.cacerts=!.
The practical impact of this patch is we no longer honor
web.cacerts=! in configs. Instead, we always treat web.cacerts
as a path. The patch is therefore technically BC. However,
since I don't believe web.cacerts=! is documented, it should be
safe to remove. a939f08fae9c (which introduced --insecure) has
no indication that web.cacerts=! is anything but an implementation
detail, reinforcing my belief it can be removed without major
debate.
Gregory Szorc <gregory.szorc@gmail.com> [Thu, 05 May 2016 00:40:01 -0700] rev 29114
dispatch: stop setting web.cacerts=! to indicate --insecure
Consumers needing to know if --insecure was used have already
transitioned to using ui.insecureconnections. The previous
patch removed the last meaningful consumer looking for
web.cacerts=!.
Gregory Szorc <gregory.szorc@gmail.com> [Thu, 05 May 2016 00:38:18 -0700] rev 29113
sslutil: use CA loaded state to drive validation logic
Until now, sslkwargs may set web.cacerts=! to indicate
that system certs could not be found. This is really
obtuse because sslkwargs effectively sets state on a global
object which bypasses wrapsocket() and is later consulted
by validator.__call__. This is madness.
This patch introduces an attribute on the wrapped socket
instance indicating whether system CAs were loaded. We
can set this directly inside wrapsocket() because that
function knows everything that sslkwargs() does - and more.
With this attribute set on the socket, we refactor
validator.__call__ to use it.
Since we no longer have a need for setting web.cacerts=!
in sslkwargs, we remove that.
I think the new logic is much easier to understand and will
enable behavior to be changed more easily.
Gregory Szorc <gregory.szorc@gmail.com> [Thu, 05 May 2016 00:37:28 -0700] rev 29112
sslutil: handle ui.insecureconnections in validator
Right now, web.cacerts=! means one of two things:
1) Use of --insecure
2) No CAs could be found and were loaded (see sslkwargs)
This isn't very obvious and makes changing behavior of these
different scenarios independent of the other impossible.
This patch changes the validator code to explicit handle the
case of --insecure being used.
As the inline comment indicates, there is room to possibly change
messaging and logic here. For now, we are backwards compatible.
Gregory Szorc <gregory.szorc@gmail.com> [Thu, 05 May 2016 00:35:45 -0700] rev 29111
sslutil: check for ui.insecureconnections in sslkwargs
The end result of this function is the same. We now have a more
explicit return branch.
We still keep the old code looking at web.cacerts=! a few lines
below because we're still setting web.cacerts=! and need to react
to the variable. This will be removed in an upcoming patch.