Mercurial > hg
view mercurial/revlogutils/__init__.py @ 52292:085cc409847d
sslutil: bump the default minimum TLS version of the client to 1.2 (BC)
TLS v1.0 and v1.1 are deprecated by RFC8996[1]:
These versions lack support for current and recommended cryptographic
algorithms and mechanisms, and various government and industry profiles of
applications using TLS now mandate avoiding these old TLS versions.
TLS version 1.2 became the recommended version for IETF protocols in
2008 (subsequently being obsoleted by TLS version 1.3 in 2018)...
Various browsers have disabled or removed it[2][3][4], as have various internet
services, and Windows 11 has it disabled by default[5]. We should move on too.
(We should also bump it on the server side, as this config only affects clients
not allowing a server to negotiate down. But the only server-side config is a
`devel` option to pick exactly one protocol version and is commented as a
footgun, so I'm hesitant to touch that. See 7dec5e441bf7 for details, which
states that using `hg serve` directly isn't expected for a web service.)
I'm not knowledgeable enough in this area to know if we should follow up with
disabling certain ciphers too. But this should provide better security on its
own.
[1] https://datatracker.ietf.org/doc/rfc8996/
[2] https://learn.microsoft.com/en-us/DeployEdge/microsoft-edge-policies#sslversionmin
[3] https://hacks.mozilla.org/2020/02/its-the-boot-for-tls-1-0-and-tls-1-1/
[4] https://security.googleblog.com/2018/10/modernizing-transport-security.html
[5] https://techcommunity.microsoft.com/blog/windows-itpro-blog/tls-1-0-and-tls-1-1-soon-to-be-disabled-in-windows/3887947
| author | Matt Harbison <matt_harbison@yahoo.com> |
|---|---|
| date | Mon, 11 Nov 2024 21:25:03 -0500 |
| parents | f4733654f144 |
| children |
line wrap: on
line source
# mercurial.revlogutils -- basic utilities for revlog # # Copyright 2019 Pierre-Yves David <pierre-yves.david@octobus.net> # # This software may be used and distributed according to the terms of the # GNU General Public License version 2 or any later version. from __future__ import annotations import typing from ..thirdparty import attr # Force pytype to use the non-vendored package if typing.TYPE_CHECKING: # noinspection PyPackageRequirements import attr from ..interfaces import repository # See mercurial.revlogutils.constants for doc COMP_MODE_INLINE = 2 RANK_UNKNOWN = -1 def offset_type(offset, type): if (type & ~repository.REVISION_FLAGS_KNOWN) != 0: raise ValueError(b'unknown revlog index flags: %d' % type) return int(int(offset) << 16 | type) def entry( data_offset, data_compressed_length, data_delta_base, link_rev, parent_rev_1, parent_rev_2, node_id, flags=0, data_uncompressed_length=-1, data_compression_mode=COMP_MODE_INLINE, sidedata_offset=0, sidedata_compressed_length=0, sidedata_compression_mode=COMP_MODE_INLINE, rank=RANK_UNKNOWN, ): """Build one entry from symbolic name This is useful to abstract the actual detail of how we build the entry tuple for caller who don't care about it. This should always be called using keyword arguments. Some arguments have default value, this match the value used by index version that does not store such data. """ return ( offset_type(data_offset, flags), data_compressed_length, data_uncompressed_length, data_delta_base, link_rev, parent_rev_1, parent_rev_2, node_id, sidedata_offset, sidedata_compressed_length, data_compression_mode, sidedata_compression_mode, rank, ) @attr.s(slots=True, frozen=True) class revisioninfo: """Information about a revision that allows building its fulltext node: expected hash of the revision p1, p2: parent revs of the revision (as node) btext: built text cache consisting of a one-element list cachedelta: (baserev, uncompressed_delta, usage_mode) or None flags: flags associated to the revision storage One of btext[0] or cachedelta must be set. """ node = attr.ib() p1 = attr.ib() p2 = attr.ib() btext = attr.ib() textlen = attr.ib() cachedelta = attr.ib() flags = attr.ib()