view tests/test-merge-symlinks.t @ 31290:f819aa9dbbf9
sslutil: issue warning when [hostfingerprint] is used

Mercurial 3.9 added the [hostsecurity] section, which is better
than [hostfingerprints] in every way.

One of the ways that [hostsecurity] is better is that it supports
SHA-256 and SHA-512 fingerprints, not just SHA-1 fingerprints.
The world is moving away from SHA-1 because it is borderline
secure. Mercurial should be part of that movement.

This patch adds a warning when a valid SHA-1 fingerprint from
the [hostfingerprints] section is being used. The warning informs
users to switch to [hostsecurity]. It even prints the config
option they should set. It uses the SHA-256 fingerprint because
recommending a SHA-1 fingerprint in 2017 would be ill-advised.

The warning will print itself on every connection to a server until
it is fixed. There is no way to suppress the warning. I admit this
is annoying. But given the security implications of sticking with
SHA-1, I think this is justified. If this patch is accepted,
I'll likely send a follow-up to start warning on SHA-1
certificates in [hostsecurity] as well. Then sometime down
the road, we can drop support for SHA-1 fingerprints.

Credit for this idea comes from timeless in issue 5466.

author | Gregory Szorc <gregory.szorc@gmail.com> |
---|---|
date | Thu, 09 Mar 2017 20:33:29 -0800 |
parents | f2719b387380 |
children | b6776b34e44e |
  $ cat > echo.py <<EOF
  > #!/usr/bin/env python
  > import os, sys
  > try:
  >     import msvcrt
  >     msvcrt.setmode(sys.stdout.fileno(), os.O_BINARY)
  >     msvcrt.setmode(sys.stderr.fileno(), os.O_BINARY)
  > except ImportError:
  >     pass
  > 
  > for k in ('HG_FILE', 'HG_MY_ISLINK', 'HG_OTHER_ISLINK', 'HG_BASE_ISLINK'):
  >     print k, os.environ[k]
  > EOF

Create 2 heads containing the same file, once as a file, once as a link.

Bundle was generated with:

# hg init t
# cd t
# echo a > a
# hg ci -qAm t0 -d '0 0'
# echo l > l
# hg ci -qAm t1 -d '1 0'
# hg up -C 0
# ln -s a l
# hg ci -qAm t2 -d '2 0'
# echo l2 > l2
# hg ci -qAm t3 -d '3 0'

  $ hg init t
  $ cd t
  $ hg -q pull "$TESTDIR/bundles/test-merge-symlinks.hg"
  $ hg up -C 3
  3 files updated, 0 files merged, 0 files removed, 0 files unresolved

Merge them and display *_ISLINK vars
merge heads

  $ hg merge --tool="python ../echo.py"
  merging l
  HG_FILE l
  HG_MY_ISLINK 1
  HG_OTHER_ISLINK 0
  HG_BASE_ISLINK 0
  0 files updated, 1 files merged, 0 files removed, 0 files unresolved
  (branch merge, don't forget to commit)

Test working directory symlink bit calculation wrt copies,
especially on non-supporting systems.
merge working directory

  $ hg up -C 2
  1 files updated, 0 files merged, 1 files removed, 0 files unresolved
  $ hg copy l l2
  $ HGMERGE="python ../echo.py" hg up 3
  merging l2
  HG_FILE l2
  HG_MY_ISLINK 1
  HG_OTHER_ISLINK 0
  HG_BASE_ISLINK 0
  0 files updated, 1 files merged, 0 files removed, 0 files unresolved

  $ cd ..
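
The commit message at the top of this page describes replacing a SHA-1 pin in [hostfingerprints] with a SHA-256 pin in [hostsecurity]. The following is an added example, not Mercurial's own code: it checks a presented certificate against the legacy pin and only then emits the replacement config line. The host name, the sample bytes and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed stand-in for a server certificate's DER bytes (not a real
# certificate). A real one could be fetched with ssl.get_server_certificate()
# and converted with ssl.PEM_cert_to_DER_cert().
SAMPLE_DER = b"constructed stand-in for DER-encoded certificate bytes"


def normalize(pin):
    """Drop colons and case so 'AA:BB' and 'aabb' compare equal."""
    return pin.replace(":", "").strip().lower()


def nice(algo, der):
    """Format a digest of the DER bytes as 'algo:aa:bb:...'."""
    digest = hashlib.new(algo, der).hexdigest()
    pairs = [digest[i:i + 2] for i in range(0, len(digest), 2)]
    return algo + ":" + ":".join(pairs)


def migrate_pin(host, legacy_sha1_pin, der):
    """Return the [hostsecurity] line that replaces a legacy SHA-1 pin.

    The SHA-256 pin is only emitted when the presented certificate matches
    the existing SHA-1 pin; a mismatch raises instead of re-pinning.
    """
    presented = hashlib.sha1(der).hexdigest()
    if not hmac.compare_digest(normalize(legacy_sha1_pin), presented):
        raise ValueError("certificate for %s does not match the legacy pin" % host)
    return "%s:fingerprints = %s" % (host, nice("sha256", der))


if __name__ == "__main__":
    # Hypothetical host; the legacy pin is derived from the sample bytes above.
    legacy = nice("sha1", SAMPLE_DER).split(":", 1)[1].upper()
    print("[hostsecurity]")
    print(migrate_pin("hg.example.com", legacy, SAMPLE_DER))
```

Once the emitted line is in [hostsecurity], the matching entry in [hostfingerprints] can be removed.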