context: introduce the nullsub() method Ultimately, this will be used by scmutil. The subrepo module already imports it, so it can't import the subrepo module to access the underlying method.

subrepo: introduce the nullsubrepo() method This will be used in an upcoming patch. It's a one-off use, but seems better to be contained in the subrepo module, than for the next patch to overwrite the _ctx and _state fields in another module. '' is used as the default revision in subrepo.state() if it can't be found, so it seems like a safe choice.

ssl: prompt passphrase of client key file via ui.getpass() (issue4648) This is necessary to communicate with third-party tools through command-server channel. This requires SSLContext backported to Python 2.7.9+. It doesn't look nice to pass ui by sslkwargs, but I think it is the only way to do without touching various client codes including httpclient (aka http2). ui is mandatory if certfile is specified, so it has no default value. BTW, test-check-commit-hg.t complains that ssl_wrap_socket() has foo_bar naming. Should I bulk-replace it to sslwrapsocket() ?

https: do not inherit httplib.HTTPSConnection that creates unused SSLContext HTTPSConnection of Python 2.7.9 creates SSLContext in __init__, which involves a password prompt for decrypting the private key. This means the password was asked twice, one for unused SSLContext, and next for our ssl function. Because our httpsconnection replaces connect() method at all, we can simply drop httplib.HTTPSConnection. Instead, class and instance attributes are copied from it. HTTPSConnection of Python 2.7.8 and 2.6.9 seem to have no such problem. https://hg.python.org/cpython/file/v2.7.9/Lib/httplib.py#l1183

test-https: test basic functions of client certificate authentication Because hgweb doesn't support client certificates, I just patched it to require client certificates that are signed and verified by the server certificate. This won't be ideal for production servers, but should be okay for the test. The encrypted key file will be used by future patches. I couldn't figure out a way to redirect a password prompt provided by OpenSSL, so it isn't tested for now.

phases: add `hg help phases` hint to failures to edit public commits There were a couple of locations that were missing this hint after an edition of some kind failed due to the public phase.

phases: rewrite "immutable changeset" to "public changeset" The phrase "cannot edit immutable changeset" is kind of tautological. Of course unchangeable things can't be changed. We instead mention "public" and provide a hint so that we can point to the actual problem. Even in cases where some operation other than edition cannot be performed, "public" gives the root cause that results in the "immutable" effect. There is a precedent for saying "public" instead of "immutable", for example, in `hg commit --amend`.

revlog: raise an exception earlier if an entry is too large (issue4675) Before we were relying on _pack to error out when trying to pass an integer that was too large for the "i" format specifier. Now we check this earlier so we can form a better error message. The error message unfortunately must exclude the filename at this level of the call stack. The problem is that this name is not available here, and the error can be triggered by a large manifest or by a large file itself. Although perhaps we could provide the name of a revlog index file (from the revlog object, instead of the revlogio object), this seems like too much leakage of internal data structures. It's not ideal already that an error message even mentions revlogs, but this does seem unavoidable here.