Mercurial > hg
view mercurial/dummycert.pem @ 43913:4b7d5d10c45d
exchange: ensure all outgoing subrepo references are present before pushing
We've run into occasional problems with people committing a repo, and then
amending or rebasing in the subrepo. That makes it so that the revision in the
parent can't be checked out, and the problem gets propagated on push. Mercurial
already tries to defend against this sort of dangling reference by pushing *all*
subrepo revisions first. This reuses the checks that trigger warnings in
`hg verify` to bail on the push unless using `--force`.
I thought about putting this on the server side, but at that point, all of the
data has been transferred, only to bail out. Additionally, SCM Manager hosts
subrepos in a location that isn't nested in the parent, so normal subrepo code
would complain that the subrepo is missing when run on the server.
Because the push command pushes subrepos before calling this exchange code, a
subrepo will be pushed before the parent is verified. Not great, but no
dangling references are exchanged, so it solves the problem. This code isn't in
the loop that pushes the subrepos because:
1) the list of outgoing revisions is needed to limit the scope of the check
2) the loop only accesses the current revision, and therefore can miss
subrepos that were dropped in previous commits
3) this code is called when pushing a subrepo, so the protection is recursive
I'm not sure if there's a cheap check for the list of files in the outgoing
bundle. If there is, that would provide a fast path to bypass this check for
people not using subrepos (or if no subrepo changes were made). There's
probably also room for verifying other references like tags. But since that
doesn't break checkouts, it's much less of a problem.
Differential Revision: https://phab.mercurial-scm.org/D7616
| author | Matt Harbison <matt_harbison@yahoo.com> |
|---|---|
| date | Thu, 12 Dec 2019 12:30:15 -0500 |
| parents | d7f7f1860f00 |
| children |
line wrap: on
line source
A dummy certificate that will make OS X 10.6+ Python use the system CA certificate store: -----BEGIN CERTIFICATE----- MIIBIzCBzgIJANjmj39sb3FmMA0GCSqGSIb3DQEBBQUAMBkxFzAVBgNVBAMTDmhn LmV4YW1wbGUuY29tMB4XDTE0MDgzMDA4NDU1OVoXDTE0MDgyOTA4NDU1OVowGTEX MBUGA1UEAxMOaGcuZXhhbXBsZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEA mh/ZySGlcq0ALNLmA1gZqt61HruywPrRk6WyrLJRgt+X7OP9FFlEfl2tzHfzqvmK CtSQoPINWOdAJMekBYFgKQIDAQABMA0GCSqGSIb3DQEBBQUAA0EAF9h49LkSqJ6a IlpogZuUHtihXeKZBsiktVIDlDccYsNy0RSh9XxUfhk+XMLw8jBlYvcltSXdJ7We aKdQRekuMQ== -----END CERTIFICATE----- This certificate was generated to be syntactically valid but never be usable; it expired before it became valid. Created as: $ cat > cn.conf << EOT > [req] > distinguished_name = req_distinguished_name > [req_distinguished_name] > commonName = Common Name > commonName_default = no.example.com > EOT $ openssl req -nodes -new -x509 -keyout /dev/null \ > -out dummycert.pem -days -1 -config cn.conf -subj '/CN=hg.example.com' To verify the content of this certificate: $ openssl x509 -in dummycert.pem -noout -text Certificate: Data: Version: 1 (0x0) Serial Number: 15629337334278746470 (0xd8e68f7f6c6f7166) Signature Algorithm: sha1WithRSAEncryption Issuer: CN=hg.example.com Validity Not Before: Aug 30 08:45:59 2014 GMT Not After : Aug 29 08:45:59 2014 GMT Subject: CN=hg.example.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (512 bit) Modulus: 00:9a:1f:d9:c9:21:a5:72:ad:00:2c:d2:e6:03:58: 19:aa:de:b5:1e:bb:b2:c0:fa:d1:93:a5:b2:ac:b2: 51:82:df:97:ec:e3:fd:14:59:44:7e:5d:ad:cc:77: f3:aa:f9:8a:0a:d4:90:a0:f2:0d:58:e7:40:24:c7: a4:05:81:60:29 Exponent: 65537 (0x10001) Signature Algorithm: sha1WithRSAEncryption 17:d8:78:f4:b9:12:a8:9e:9a:22:5a:68:81:9b:94:1e:d8:a1: 5d:e2:99:06:c8:a4:b5:52:03:94:37:1c:62:c3:72:d1:14:a1: f5:7c:54:7e:19:3e:5c:c2:f0:f2:30:65:62:f7:25:b5:25:dd: 27:b5:9e:68:a7:50:45:e9:2e:31