Matt Harbison <matt_harbison@yahoo.com> [Wed, 12 Jul 2017 18:37:13 -0400] rev 33494
sslutil: inform the user about how to fix an incomplete certificate chain
This is a Windows only thing. Unfortunately, the socket is closed at this point
(so the certificate is unavailable to check the chain). That means it's printed
out when verification fails as a guess, on the assumption that 1) most of the
time verification won't fail, and 2) sites using expired or certs that are too
new will be rare. Maybe this is an argument for adding more functionality to
debugssl, to test for problems and print certificate info. Or maybe it's an
argument for bundling certificates with the Windows builds. That idea was set
aside when the enhanced SSL code went in last summer, and it looks like there
were issues with using certifi on Windows anyway[1].
This was tested by deleting the certificate out of certmgr.msc > "Third-Party
Root Certification Authorities" > "Certificates", seeing `hg pull` fail (with
the new message), trying this command, and then successfully performing the pull
command.
[1] https://www.mercurial-scm.org/pipermail/mercurial-devel/2016-October/089573.html
Matt Harbison <matt_harbison@yahoo.com> [Thu, 30 Mar 2017 00:27:46 -0400] rev 33493
debug: add a method to check the state of, and build an SSL cert chain
This is only useful on Windows, and avoids the need to use Internet Explorer to
build the certificate chain. I can see this being extended in the future to
print information about the certificate(s) to help debug issues on any platform.
Maybe even perform some of the python checks listed on the secure connections
wiki page. But for now, all I need is 1) a command that can be invoked in a
setup script to ensure the certificate is installed, and 2) a command that the
user can run if/when a certificate changes in the future.
It would have been nice to leverage the sslutil library to pick up host specific
settings, but attempting to use sslutil.wrapsocket() failed the
'not sslsocket.cipher()' check in it and aborted.
The output is a little more chatty than some commands, but I've seen the update
take 10+ seconds, and this is only a debug command.
Matt Harbison <matt_harbison@yahoo.com> [Wed, 29 Mar 2017 23:45:23 -0400] rev 33492
win32: add a method to trigger the Crypto API to complete a certificate chain
I started a thread[1] on the mailing list a while ago, but the short version is
that Windows doesn't ship with a full list of certificates[2]. Even if the
server sends the whole chain, if Windows doesn't have the appropriate
certificate pre-installed in its "Third-Party Root Certification Authorities"
store, connections mysteriously fail with:
abort: error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)
Windows expects the application to call the methods invoked here as part of the
certificate verification, triggering a call out to Windows update if necessary,
to complete the trust chain. The python bug to add this support[3] hasn't had
any recent activity, and isn't targeting py27 anyway.
The only workaround that I could find (besides figuring out the certificate and
walking through the import wizard) is to browse to the site in Internet
Explorer. Opening the page with Firefox or Chrome didn't work. That's a pretty
obscure way to fix a pretty obscure problem. We go to great lengths to
demystify various SSL errors, but this case is clearly lacking. Let's try to
make things easier to diagnose and fix.
When I had trouble figuring out how to get ctypes to work with all of the API
pointers, I found that there are other python projects[4] using this API to
achieve the same thing.
[1] https://www.mercurial-scm.org/pipermail/mercurial-devel/2017-April/096501.html
[2] https://support.microsoft.com/en-us/help/931125/how-to-get-a-root-certificate-update-for-windows
[3] https://bugs.python.org/issue20916
[4] https://github.com/nvaccess/nvda/blob/3b86bce2066b1934df14b96f2e83369900860ecf/source/updateCheck.py#L511
Boris Feld <boris.feld@octobus.net> [Mon, 10 Jul 2017 19:40:23 +0200] rev 33491
bookmarks: use 'applychanges' for bookmark update
There is still some use of 'deletedivergent' bookmark here. They will be taken
care of later. The 'deletedivergent' code needs some rework before fitting in
the new world.
Boris Feld <boris.feld@octobus.net> [Mon, 10 Jul 2017 17:46:47 +0200] rev 33490
bookmark: use 'applychanges' in 'repair.strip'
Boris Feld <boris.feld@octobus.net> [Mon, 10 Jul 2017 17:44:25 +0200] rev 33489
bookmark: use 'applychanges' in the mq extension
Boris Feld <boris.feld@octobus.net> [Mon, 10 Jul 2017 17:37:48 +0200] rev 33488
bookmark: use 'applychanges' when stripping
Boris Feld <boris.feld@octobus.net> [Mon, 10 Jul 2017 17:30:20 +0200] rev 33487
bookmark: use 'applychanges' in the convert extension
Boris Feld <boris.feld@octobus.net> [Mon, 10 Jul 2017 17:28:53 +0200] rev 33486
bookmark: use 'applychanges' when updating bookmark in histedit
Boris Feld <boris.feld@octobus.net> [Mon, 10 Jul 2017 17:24:28 +0200] rev 33485
bookmark: use 'applychanges' when updating a bookmark through pushkey
Boris Feld <boris.feld@octobus.net> [Mon, 10 Jul 2017 17:22:17 +0200] rev 33484
bookmark: use 'applychanges' when updating from a remote
Boris Feld <boris.feld@octobus.net> [Mon, 10 Jul 2017 17:10:56 +0200] rev 33483
bookmark: use 'applychanges' for adding new bookmark
Boris Feld <boris.feld@octobus.net> [Mon, 10 Jul 2017 17:08:20 +0200] rev 33482
bookmark: use 'applychanges' for bookmark renaming
Boris Feld <boris.feld@octobus.net> [Mon, 10 Jul 2017 17:04:16 +0200] rev 33481
bookmark: use 'applychanges' for bookmark deletion
Boris Feld <boris.feld@octobus.net> [Mon, 10 Jul 2017 17:01:34 +0200] rev 33480
bookmark: introduce an 'applychanges' function to gather bookmark movement
We want to track bookmark movement within a transaction. For this we need a
more centralized way to update bookmarks.
For this purpose we introduce a new 'applychanges' method that applies a list of
changes encoded as '(name, node)'. We'll cover all bookmark updating code to
this new method in later changesets and add bookmark move in the transaction
when all will be migrated.
Jun Wu <quark@fb.com> [Sat, 03 Jun 2017 21:56:23 -0700] rev 33479
obsstore: keep self._data updated with _addmarkers
This makes sure obsstore._data is still correct with added markers.
The '_data' propertycache was added in 17ce57b7873f.
Durham Goode <durham@fb.com> [Fri, 14 Jul 2017 10:57:36 -0700] rev 33478
match: make base matcher return True for visitdir
If a matcher doesn't implement visitdir, we should be returning True so that
tree traversals are not prematurely pruned. The old value of False would prevent
tree traversals when using any matcher that didn't implement visitdir.
Differential Revision: https://phab.mercurial-scm.org/D83
Martin von Zweigbergk <martinvonz@google.com> [Fri, 14 Jul 2017 10:48:08 -0700] rev 33477
tests: fix an incorrect description in test-ignore.t
Differential Revision: https://phab.mercurial-scm.org/D82
Yuya Nishihara <yuya@tcha.org> [Sat, 15 Jul 2017 00:38:57 +0900] rev 33476
templatekw: hide {peerpaths} keyword for 4.3
Thinking a bit further about list/dict subscript operation (proposed by
issue 5534), I noticed the current data structure, a dict of dicts, might
not be ideal.
For example, if there were "'[' index ']'" and "'.' key" operators,
"{parents[0]}" would return "{p1rev}:{p1node}", and we would probably want to
write "{parents[0].desc}" to get the first element of "{parents % "{desc}"}".
This will basically execute parents[0].makemap()['desc'] in Python.
Given the rule above, "{peerpaths.default.pushurl}" will be translated to
peerpaths['default'].makemap()['pushurl'], which means {peerpaths} should
be a single-level dict and sub-options should be makemap()-ed.
"{peerpaths % "{name} = {url}, {pushurl}, ..."}"
(Well, it could be peerpaths['default']['pushurl'], but in which case,
peerpaths['default'] should be a plain dict, not a hybrid object.)
So, let's mark the current implementation experimental and revisit it later.
Sune Foldager <cryo@cyanite.org> [Fri, 14 Jul 2017 13:48:17 +0200] rev 33475
parsers: fix invariant bug in find_deepest (issue5623)
find_deepest is used to find the "best" ancestors given a list. In the main
loop it keeps an invariant called 'ninteresting' which is supposed to contain
the number of non-zero entries in the 'interesting' array. This invariant is
incorrectly maintained, however, which leads to the algorithm returning an
empty result for certain graphs. This has been fixed.
Also, the 'interesting' array is supposed to fit 2^ancestors values, but is
incorrectly allocated to twice that size. This has been fixed as well.
The tests in test-ancestor.py compare the Python and C versions of the code,
and report the error correctly, since the Python version works correctly. Even
so, I have added an additional test against the expected result, in the event
that both algorithms have an identical error in the future.
This fixes issue5623.
Boris Feld <boris.feld@octobus.net> [Fri, 30 Jun 2017 03:45:57 +0200] rev 33474
configitems: register the 'worker.backgroundclose' config
Boris Feld <boris.feld@octobus.net> [Fri, 30 Jun 2017 03:44:05 +0200] rev 33473
configitems: register the 'progress.width' config
Boris Feld <boris.feld@octobus.net> [Wed, 12 Jul 2017 23:36:28 +0200] rev 33472
configitems: register the 'color.pagermode' config
Boris Feld <boris.feld@octobus.net> [Wed, 12 Jul 2017 23:36:10 +0200] rev 33471
configitems: handle case where the default value is not static
In some cases, the default of one value is derived from other values. We add a
way to register them anyway and an associated devel-warning.
The registration is very naive for the moment. We might be able to have a
better way for registering each of these cases but it could be done later.
Boris Feld <boris.feld@octobus.net> [Fri, 14 Jul 2017 16:17:37 +0200] rev 33470
bugzilla: move the default regexp for fix in the config declaration
This mimics the change requested by Yuya for '_default_bug_re'.
Boris Feld <boris.feld@octobus.net> [Fri, 07 Jul 2017 10:04:21 +0200] rev 33469
configitems: register the 'bugzilla.version' config
Boris Feld <boris.feld@octobus.net> [Fri, 07 Jul 2017 10:04:19 +0200] rev 33468
configitems: register the 'bugzilla.usermap' config
Boris Feld <boris.feld@octobus.net> [Fri, 07 Jul 2017 10:04:17 +0200] rev 33467
configitems: register the 'bugzilla.user' config
Boris Feld <boris.feld@octobus.net> [Fri, 07 Jul 2017 10:04:15 +0200] rev 33466
configitems: register the 'bugzilla.timeout' config
Boris Feld <boris.feld@octobus.net> [Fri, 07 Jul 2017 10:04:13 +0200] rev 33465
configitems: register the 'bugzilla.template' config
Boris Feld <boris.feld@octobus.net> [Fri, 07 Jul 2017 10:04:11 +0200] rev 33464
configitems: register the 'bugzilla.style' config
Boris Feld <boris.feld@octobus.net> [Fri, 07 Jul 2017 10:04:09 +0200] rev 33463
configitems: register the 'bugzilla.strip' config
Boris Feld <boris.feld@octobus.net> [Fri, 07 Jul 2017 10:04:07 +0200] rev 33462
configitems: register the 'bugzilla.regexp' config
The default value is moved from the class to the config registration.
Boris Feld <boris.feld@octobus.net> [Thu, 13 Jul 2017 21:08:06 +0200] rev 33461
changegroup: stop returning and recording added nodes in 'cg.apply'
cg.apply used to return the added nodes. Callers don't have a use for it
anymore, remove the added node and stop recording it in the current
operation.
This information was added in the current release cycle so no extension
breakage should happen.
Boris Feld <boris.feld@octobus.net> [Thu, 13 Jul 2017 21:10:55 +0200] rev 33460
phases: remove trace of addednodes in the 'phase-heads' handling
updatephases has no use for the 'addednodes' parameter since 50243c975fc2.
However, callers are still passing it for nothing, remove the parameter and
remove computing of the added nodes in callers.
Boris Feld <boris.feld@octobus.net> [Wed, 12 Jul 2017 22:39:48 +0200] rev 33459
phases: test phases tracking at the transaction level
Now that we have all tracking in place, the data in `tr.changes['phases']`
dictionary should be correct and we should test it.
It is a bit late in the cycle to discuss to add any public API (eg: hooks)
that expose the data to the user, so we just add a small test extension
displaying the data. It is enabled for the phases tests.
New output has been manually checked for consistency.
Boris Feld <boris.feld@octobus.net> [Wed, 12 Jul 2017 20:11:00 +0200] rev 33458
phases: track phase changes from 'retractboundary'
We add new computation to find and record the revisions affected by the
boundary retraction. This adds more complication to the function but this seems
fine since it is only used in a couple of rare and explicit cases (`hg phase
--force` and `hg qimport`).
Having strong tracking of phase changes is worth the effort.
Boris Feld <boris.feld@octobus.net> [Wed, 12 Jul 2017 23:15:09 +0200] rev 33457
phases: detect when boundaries have been actually retracted
It is useful to detect noop and avoid expensive operations in this case.
We return the information to inform the caller of a possible update. Top level
function might need to react to the phase update (eg: invalidating some
caches, tracking phase change).
Boris Feld <boris.feld@octobus.net> [Tue, 11 Jul 2017 01:17:36 +0200] rev 33456
phases: rework phase movement code in 'cg.apply' to use 'registernew'
We rework the code to call 'registernew' before any other phase advancement.
This makes 'changegroup.apply' register correct phase movement for the added
and bundled nodes.
Boris Feld <boris.feld@octobus.net> [Tue, 11 Jul 2017 00:59:23 +0200] rev 33455
convert: use the new 'phase.registernew' function
Boris Feld <boris.feld@octobus.net> [Tue, 11 Jul 2017 01:05:27 +0200] rev 33454
localrepo: use the 'registernew' function to set the phase of new commit
Boris Feld <boris.feld@octobus.net> [Tue, 11 Jul 2017 03:47:25 +0200] rev 33453
phases: add a 'registernew' method to set new phases
This new function will be used by code that adds new changesets. It adjusts the
phase boundary to make sure added changesets are at least in their target
phase (they end up in a higher phase if their parents are in a higher phase).
Having a dedicated function also simplifies the phases tracking. All the new
nodes are passed as arguments, so we know that all of them need to have their
new phase registered. We also know that no other nodes will be affected, so no
extra computation is needed.
This function differs from 'retractboundary' where some nodes might change
phase while some others might not. It can also affect nodes not passed as
parameters.
These simplifications also apply to the computation itself. For now we use
'_retractboundary' there for convenience, but we may introduce simpler code
later.
While registering new revisions, we still need to check the actual phases of
the added node because it might be higher than the target phase (eg: target is
draft but parent is secret).
We will migrate users over the next changesets.
Boris Feld <boris.feld@octobus.net> [Mon, 10 Jul 2017 23:50:16 +0200] rev 33452
phases: extract the core of boundary retraction in '_retractboundary'
At the moment the 'retractboundary' function is called for multiple reasons:
First, actually retracting boundaries. There are only two cases for these:
'hg phase --force' and 'hg qimport'. This will need extra graph computation to
retrieve the phase changes.
Second, setting the phases of newly added changesets. In this case we already
know all the affected nodes and we just need to register different
information (old phase is None).
Third, when reducing the set of roots when advancing phase. The phases are
already properly tracked so we do not need anything else in this case.
To deal with this difference in phase tracking, we extract the core logic into
a private method that all three cases can use.
Boris Feld <boris.feld@octobus.net> [Tue, 11 Jul 2017 02:39:52 +0200] rev 33451
phases: track phase movements in 'advanceboundary'
Makes advanceboundary record the phase movement of affected revisions in
tr.changes['phases'].
The tracking is not usable yet because the 'retractboundary' function can also
affect phases.
We'll improve that in the coming changesets.
Boris Feld <boris.feld@octobus.net> [Mon, 10 Jul 2017 22:18:41 +0200] rev 33450
phases: extract the intermediate set of affected revs
When advancing phases, we compute the new roots for the phases above. During
this process, we need to compute all the revisions that change phases (to the
new target phases). Extract these revisions into a separate variable. This
will be useful to record the phase changes in the transaction.
Boris Feld <boris.feld@octobus.net> [Mon, 10 Jul 2017 22:22:42 +0200] rev 33449
phase: put retractboundary out of the loop in advanceboundary
It seems that we were calling retractboundary for each phase to process.
Putting the retractboundary out of the loop reduces the number of calls,
helping to track the phase changes.
Martin von Zweigbergk <martinvonz@google.com> [Tue, 11 Jul 2017 10:46:10 -0700] rev 33448
match: make unionmatcher a proper matcher
unionmatcher is currently used where only a limited subset of its
functions will be called. Specifically, visitdir() is never
called. The next patch will pass it to dirstate.walk() where it will
matter that visitdir() is correctly implemented, so let's fix
that. Also add the explicitdir etc that will also be assumed by
dirstate.walk() to exist on a matcher.
Differential Revision: https://phab.mercurial-scm.org/D58
Martin von Zweigbergk <martinvonz@google.com> [Fri, 07 Jul 2017 14:39:59 -0700] rev 33447
match: write forceincludematcher using unionmatcher
The forceincludematcher is simply a unionmatcher of an includematcher
(matching paths recursively) with the given matcher. Since the
forceincludematcher is only used by sparse, move it there.
I don't have a good sparse repo setup to test performance impact on.
Differential Revision: https://phab.mercurial-scm.org/D57
Martin von Zweigbergk <martinvonz@google.com> [Wed, 12 Jul 2017 13:57:03 -0700] rev 33446
histedit: extract InterventionRequired transaction handling to utils
rebase will have similar logic, so let's extract it. Besides, it makes
the histedit code more readable.
We may want to parametrize acceptintervention() by the exception(s)
that should result in transaction close.
Differential Revision: https://phab.mercurial-scm.org/D66
Martin von Zweigbergk <martinvonz@google.com> [Wed, 12 Jul 2017 13:17:49 -0700] rev 33445
histedit: create transaction outside of try
Just a little refactoring to simplify the next patch.
Differential Revision: https://phab.mercurial-scm.org/D65
Martin von Zweigbergk <martinvonz@google.com> [Wed, 12 Jul 2017 11:18:02 -0700] rev 33444
histedit: remove transaction from state object
The transaction is only used within a single function, so no need to
store it on the state object.
Differential Revision: https://phab.mercurial-scm.org/D64
Jun Wu <quark@fb.com> [Tue, 11 Jul 2017 08:17:29 -0700] rev 33443
phabricator: verify local tags before trusting them
Previously we trusted local tags blindly, and that could cause the wrong
Differential Revision to be updated when people switch between Phabricator
instances.
This patch adds verification logic to detect such issues and remove
problematic tags. For example, if a tag "D19" was on node "X", the code will
fetch all diffs attached to D19, and check if nodes server-side overlap
with nodes in precursors. If they do not overlap, create a new Differential
Revision.
Test Plan:
Use a test Phabricator instance, send patches using `hg phabsend`, then
change the local tag manually to a wrong Differential Revision number.
Amend the patch and send again. Make sure the tag gets ignored and deleted.
Differential Revision: https://phab.mercurial-scm.org/D36
Jun Wu <quark@fb.com> [Mon, 10 Jul 2017 13:50:50 -0700] rev 33442
phabricator: finding old nodes in batch
This allows us to do extra sanity checks using batch APIs to prevent
updating a wrong revision, which could happen when people switch Phabricator
instances and have stale tags living in the repo.
Differential Revision: https://phab.mercurial-scm.org/D34
Jun Wu <quark@fb.com> [Mon, 10 Jul 2017 22:37:33 -0700] rev 33441
phabricator: respect metadata sent by arc
Previously we only respected hg:meta sent by phabsend. This patch makes it
respect local:commits sent by arc as well. This avoids issues where phabread
could lose the author information.
Test Plan:
Commit using a customized user, send the patch using arc to a test
Phabricator instance, and then read the patch using phabread. Make sure it
preserves the user information.
Differential Revision: https://phab.mercurial-scm.org/D33
Adam Simpkins <simpkins@fb.com> [Wed, 12 Jul 2017 15:24:07 -0700] rev 33440
dirstate: update backup functions to take full backup filename
Update the dirstate functions so that the caller supplies the full backup
filename rather than just a prefix and suffix.
The localrepo code was already hard-coding the fact that the backup name must
be (exactly prefix + "dirstate" + suffix): it relied on this in _journalfiles()
and undofiles(). Making the caller responsible for specifying the full backup
name removes the need for the localrepo code to assume that dirstate._filename
is always "dirstate".
Differential Revision: https://phab.mercurial-scm.org/D68
Martin von Zweigbergk <martinvonz@google.com> [Thu, 13 Jul 2017 09:51:50 -0700] rev 33439
util: remove unused ctxmanager
This was meant as a substitute for Python's "with" with multiple
context managers before we moved to Python 2.7. We're now on 2.7, so
we should have no reason to keep ctxmanager. "hg grep --all
ctxmanager" says that it was never used anyway.
Differential Revision: https://phab.mercurial-scm.org/D73
Jun Wu <quark@fb.com> [Thu, 13 Jul 2017 18:31:35 -0700] rev 33438
codemod: simplify nested withs
This is the result of running:
python codemod_nestedwith.py **/*.py
where codemod_nestedwith.py looks like this:
    #!/usr/bin/env python
    # codemod_nestedwith.py - codemod tool to rewrite nested with
    #
    # Copyright 2017 Facebook, Inc.
    #
    # This software may be used and distributed according to the terms of the
    # GNU General Public License version 2 or any later version.
    from __future__ import absolute_import, print_function

    import sys

    import redbaron

    def readpath(path):
        with open(path) as f:
            return f.read()

    def writepath(path, content):
        with open(path, 'w') as f:
            f.write(content)

    def main(argv):
        if not argv:
            print('Usage: codemod_nestedwith.py FILES')

        for i, path in enumerate(argv):
            print('(%d/%d) scanning %s' % (i + 1, len(argv), path))
            changed = False
            red = redbaron.RedBaron(readpath(path))
            processed = set()
            for node in red.find_all('with'):
                if node in processed or node.type != 'with':
                    continue
                top = node
                child = top[0]
                while True:
                    if len(top) > 1 or child.type != 'with':
                        break
                    # estimate line length after merging two "with"s
                    new = '%swith %s:' % (top.indentation, top.contexts.dumps())
                    new += ', %s' % child.contexts.dumps()
                    # only do the rewrite if the end result is within 80 chars
                    if len(new) > 80:
                        break
                    processed.add(child)
                    top.contexts.extend(child.contexts)
                    top.value = child.value
                    top.value.decrease_indentation(4)
                    child = child[0]
                    changed = True
            if changed:
                print('updating %s' % path)
                writepath(path, red.dumps())

    if __name__ == "__main__":
        sys.exit(main(sys.argv[1:]))
Differential Revision: https://phab.mercurial-scm.org/D77
Boris Feld <boris.feld@octobus.net> [Mon, 08 Aug 2016 18:14:42 +0200] rev 33437
reposvfs: add a ward to check if locks are properly taken
We wrap 'repo.svfs.audit' to check for the store lock when accessing files in
'.hg/store' for writing. This caught a couple of instances where the transaction
was released after the lock; we should probably have a dedicated checker for
that case.
Boris Feld <boris.feld@octobus.net> [Tue, 11 Jul 2017 12:38:17 +0200] rev 33436
repovfs: add a ward to check if locks are properly taken
When the appropriate developer warnings are enabled, we wrap 'repo.vfs.audit' to
check for locks when accessing files in '.hg' for writing. Another changeset will
add a 'ward' for the store vfs (svfs).
This check system has caught a handful of locking issues that have been fixed
in previous series (mostly in 4.0). I expect another batch to be caught in third
party extensions.
We introduce two real exceptions from extensions: 'blackbox.log' (because a lot of
read-only operations add entries to it), and 'last-email.txt' (because 'hg email'
is currently a read-only operation and there is value in keeping it this way).
In addition we are currently allowing bisect to operate outside of the lock
because the current code is a bit hard to get properly locked for now. Multiple
cleanups have been made but there are still a couple of them to do and the freeze
is coming.
Boris Feld <boris.feld@octobus.net> [Tue, 11 Jul 2017 12:27:58 +0200] rev 33435
vfs: allow passing more arguments to audit
We want to be able to do more precise checks when auditing a path depending on
the intent of the file access (eg read versus write). So we now pass the 'mode'
value to 'audit' and update the audit function to accept it.
This will be put to use in the next changeset.