view tests/test-excessive-merge.t @ 31290:f819aa9dbbf9
sslutil: issue warning when [hostfingerprint] is used

Mercurial 3.9 added the [hostsecurity] section, which is better
than [hostfingerprints] in every way.

One of the ways that [hostsecurity] is better is that it supports
SHA-256 and SHA-512 fingerprints, not just SHA-1 fingerprints.
The world is moving away from SHA-1 because it is borderline
secure. Mercurial should be part of that movement.

This patch adds a warning when a valid SHA-1 fingerprint from
the [hostfingerprints] section is being used. The warning informs
users to switch to [hostsecurity]. It even prints the config
option they should set. It uses the SHA-256 fingerprint because
recommending a SHA-1 fingerprint in 2017 would be ill-advised.

The warning will print itself on every connection to a server until
it is fixed. There is no way to suppress the warning. I admit this
is annoying. But given the security implications of sticking with
SHA-1, I think this is justified. If this patch is accepted,
I'll likely send a follow-up to start warning on SHA-1
certificates in [hostsecurity] as well. Then sometime down
the road, we can drop support for SHA-1 fingerprints.

Credit for this idea comes from timeless in issue 5466.

author | Gregory Szorc <gregory.szorc@gmail.com> |
---|---|
date | Thu, 09 Mar 2017 20:33:29 -0800 |
parents | b7a966ce89ed |
children | 009d0283de5f |
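
The migration the commit message describes, as an added example (not Mercurial's `sslutil` code and not part of the original page): a legacy SHA-1 pin is checked against the certificate the server presented, and only when it matches is the replacement `[hostsecurity]` line built from the SHA-256 digest of the same certificate. The function names, the normalisation of the legacy pin and the stand-in certificate bytes are assumptions of this example.

```python
import hashlib


def _hexpairs(digest_hex):
    """Format a hex digest as colon-separated byte pairs."""
    return ":".join(digest_hex[i:i + 2] for i in range(0, len(digest_hex), 2))


def normalize(fingerprint):
    """Assumed normalisation: drop colons and spaces, compare lowercase."""
    return fingerprint.replace(":", "").replace(" ", "").lower()


def hostsecurity_suggestion(hostname, legacy_sha1_pin, peer_cert_der):
    """Return the [hostsecurity] line replacing a valid SHA-1 pin.

    Returns None when the legacy pin does not match the presented
    certificate: a stronger pin must never be derived from a
    certificate that the existing pin does not vouch for.
    """
    sha1 = hashlib.sha1(peer_cert_der).hexdigest()
    if normalize(legacy_sha1_pin) != sha1:
        return None
    sha256 = hashlib.sha256(peer_cert_der).hexdigest()
    return "%s:fingerprints = sha256:%s" % (hostname, _hexpairs(sha256))


def migrate(legacy_pins, presented_certs):
    """Map every [hostfingerprints] entry to a [hostsecurity] line.

    legacy_pins: {hostname: sha1 fingerprint}
    presented_certs: {hostname: DER bytes seen on the connection}
    Returns (config_lines, rejected_hosts).
    """
    lines, rejected = [], []
    for host in sorted(legacy_pins):
        der = presented_certs.get(host)
        line = None
        if der is not None:
            line = hostsecurity_suggestion(host, legacy_pins[host], der)
        if line is None:
            rejected.append(host)
        else:
            lines.append(line)
    return lines, rejected


# Constructed stand-in for DER certificate bytes (not a real certificate).
CONSTRUCTED_DER = b"constructed stand-in for DER certificate bytes"
```

Hosts returned in the rejected list keep their old pin untouched; their certificate has to be verified out of band before a new fingerprint is recorded.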
```
  $ hg init

  $ echo foo > a
  $ echo foo > b
  $ hg add a b

  $ hg ci -m "test"

  $ echo blah > a

  $ hg ci -m "branch a"

  $ hg co 0
  1 files updated, 0 files merged, 0 files removed, 0 files unresolved

  $ echo blah > b

  $ hg ci -m "branch b"
  created new head
  $ HGMERGE=true hg merge 1
  1 files updated, 0 files merged, 0 files removed, 0 files unresolved
  (branch merge, don't forget to commit)

  $ hg ci -m "merge b/a -> blah"

  $ hg co 1
  1 files updated, 0 files merged, 0 files removed, 0 files unresolved
  $ HGMERGE=true hg merge 2
  1 files updated, 0 files merged, 0 files removed, 0 files unresolved
  (branch merge, don't forget to commit)
  $ hg ci -m "merge a/b -> blah"
  created new head

  $ hg log
  changeset:   4:2ee31f665a86
  tag:         tip
  parent:      1:96155394af80
  parent:      2:92cc4c306b19
  user:        test
  date:        Thu Jan 01 00:00:00 1970 +0000
  summary:     merge a/b -> blah
  
  changeset:   3:e16a66a37edd
  parent:      2:92cc4c306b19
  parent:      1:96155394af80
  user:        test
  date:        Thu Jan 01 00:00:00 1970 +0000
  summary:     merge b/a -> blah
  
  changeset:   2:92cc4c306b19
  parent:      0:5e0375449e74
  user:        test
  date:        Thu Jan 01 00:00:00 1970 +0000
  summary:     branch b
  
  changeset:   1:96155394af80
  user:        test
  date:        Thu Jan 01 00:00:00 1970 +0000
  summary:     branch a
  
  changeset:   0:5e0375449e74
  user:        test
  date:        Thu Jan 01 00:00:00 1970 +0000
  summary:     test
  

  $ hg debugindex --changelog
     rev    offset  length  ..... linkrev nodeid       p1           p2 (re)
       0         0      60  .....       0 5e0375449e74 000000000000 000000000000 (re)
       1        60      62  .....       1 96155394af80 5e0375449e74 000000000000 (re)
       2       122      62  .....       2 92cc4c306b19 5e0375449e74 000000000000 (re)
       3       184      69  .....       3 e16a66a37edd 92cc4c306b19 96155394af80 (re)
       4       253      69  .....       4 2ee31f665a86 96155394af80 92cc4c306b19 (re)

revision 1

  $ hg manifest --debug 1
  79d7492df40aa0fa093ec4209be78043c181f094 644   a
  2ed2a3912a0b24502043eae84ee4b279c18b90dd 644   b

revision 2

  $ hg manifest --debug 2
  2ed2a3912a0b24502043eae84ee4b279c18b90dd 644   a
  79d7492df40aa0fa093ec4209be78043c181f094 644   b

revision 3

  $ hg manifest --debug 3
  79d7492df40aa0fa093ec4209be78043c181f094 644   a
  79d7492df40aa0fa093ec4209be78043c181f094 644   b

revision 4

  $ hg manifest --debug 4
  79d7492df40aa0fa093ec4209be78043c181f094 644   a
  79d7492df40aa0fa093ec4209be78043c181f094 644   b

  $ hg debugindex a
     rev    offset  length  ..... linkrev nodeid       p1           p2 (re)
       0         0       5  .....       0 2ed2a3912a0b 000000000000 000000000000 (re)
       1         5       6  .....       1 79d7492df40a 2ed2a3912a0b 000000000000 (re)

  $ hg verify
  checking changesets
  checking manifests
  crosschecking files in changesets and manifests
  checking files
  2 files, 5 changesets, 4 total revisions
```