upstream/mercurial-mirror Files · mercurial/help/phases.txt

sslutil: abort when unable to verify peer connection (BC)...

sslutil: abort when unable to verify peer connection (BC) Previously, when we connected to a server and were unable to verify its certificate against a trusted certificate authority we would issue a warning and continue to connect. This is obviously not great behavior because the x509 certificate model is based upon trust of specific CAs. Failure to enforce that trust erodes security. This behavior was defined several years ago when Python did not support loading the system trusted CA store (Python 2.7.9's backports of Python 3's improvements to the "ssl" module enabled this). This commit changes behavior when connecting to abort if the peer certificate can't be validated. With an empty/default Mercurial configuration, the peer certificate can be validated if Python is able to load the system trusted CA store. Environments able to load the system trusted CA store include: * Python 2.7.9+ on most platforms and installations * Python 2.7 distributions with a modern ssl module (e.g. RHEL7's patched 2.7.5 package) * Python shipped on OS X Environments unable to load the system trusted CA store include: * Python 2.6 * Python 2.7 on many existing Linux installs (because they don't ship 2.7.9+ or haven't backported modern ssl module) * Python 2.7.9+ on some installs where Python is unable to locate the system CA store (this is hopefully rare) Users of these Pythongs will need to configure Mercurial to load the system CA store using web.cacerts. This should ideally be performed by packagers (by setting web.cacerts in the global/system hgrc file). Where Mercurial packagers aren't setting this, the linked URL in the new abort message can contain instructions for users. In the future, we may want to add more code for finding the system CA store. For example, many Linux distributions have the CA store at well-known locations (such as /etc/ssl/certs/ca-certificates.crt in the case of Ubuntu). This will enable CA loading to "just work" on more Python configurations and will be best for our users since they won't have to change anything after upgrading to a Mercurial with this patch. We may also want to consider distributing a trusted CA store with Mercurial. Although we should think long and hard about that because most systems have a global CA store and Mercurial should almost certainly use the same store used by everything else on the system.

timeless - - Load All Authors

File last commit:

r27514:311edddd default


                r29411:e1778b9c

default

Download file

             phases.txt
        
                    100 lines
            
             | 3.0 KiB
            
                | text/plain
            
             |
                TextLexer

/ mercurial / help / phases.txt

History | Source | Raw |Copy content |Copy permalink

Matt Mackall help: add phases topic	r15996	What are phases?
FUJIWARA Katsunori doc: unify section level between help topics...	r17267	================
Matt Mackall help: add phases topic	r15996
		Phases are a system for tracking which changesets have been or should
		be shared. This helps prevent common mistakes when modifying history
		(for instance, with the mq or rebase extensions).

		Each changeset in a repository is in one of the following phases:

		- public : changeset is visible on a public server
		- draft : changeset is not yet published
		- secret : changeset should not be pushed, pulled, or cloned

		These phases are ordered (public < draft < secret) and no changeset
		can be in a lower phase than its ancestors. For instance, if a
		changeset is public, all its ancestors are also public. Lastly,
Johan Samyn help: add verb to sentence in phases.txt	r16244	changeset phases should only be changed towards the public phase.
Matt Mackall help: add phases topic	r15996
		How are phases managed?
FUJIWARA Katsunori doc: unify section level between help topics...	r17267	=======================
Matt Mackall help: add phases topic	r15996
		For the most part, phases should work transparently. By default, a
		changeset is created in the draft phase and is moved into the public
		phase when it is pushed to another repository.

		Once changesets become public, extensions like mq and rebase will
		refuse to operate on them to prevent creating duplicate changesets.
		Phases can also be manually manipulated with the :hg:`phase` command
		if needed. See :hg:`help -v phase` for examples.

timeless phases: mention how to make secret commits in help	r27514	To make yours commits secret by default, put this in your
		configuration file::

		[phases]
		new-commit = secret

Matt Mackall help: add phases topic	r15996	Phases and servers
FUJIWARA Katsunori doc: unify section level between help topics...	r17267	==================
Matt Mackall help: add phases topic	r15996
		Normally, all servers are ``publishing`` by default. This means::

		- all draft changesets that are pulled or cloned appear in phase
		public on the client

		- all draft changesets that are pushed appear as public on both
		client and server

		- secret changesets are neither pushed, pulled, or cloned

		.. note::
Simon Heimberg help: remove last occurrences of ".. note::" without two newlines...	r20532
Matt Mackall help: add phases topic	r15996	Pulling a draft changeset from a publishing server does not mark it
		as public on the server side due to the read-only nature of pull.

		Sometimes it may be desirable to push and pull changesets in the draft
		phase to share unfinished work. This can be done by setting a
		repository to disable publishing in its configuration file::

		[phases]
Matt Mackall help: fix publish option spelling in phases topic	r16000	publish = False
Wagner Bruna help/phases: remove trailing whitespace	r15998
Jordi Gutiérrez Hermoso doc: reword "config file" to "configuration file"...	r19295	See :hg:`help config` for more information on configuration files.
Matt Mackall help: add phases topic	r15996
		.. note::
Simon Heimberg help: remove last occurrences of ".. note::" without two newlines...	r20532
Matt Mackall help: add phases topic	r15996	Servers running older versions of Mercurial are treated as
		publishing.

Pierre-Yves David phases: add a formal note that hash of secret changeset may leak out...	r20299	.. note::
Simon Heimberg help: remove last occurrences of ".. note::" without two newlines...	r20532
Pierre-Yves David phases: add a formal note that hash of secret changeset may leak out...	r20299	Changesets in secret phase are not exchanged with the server. This
		applies to their content: file names, file contents, and changeset
		metadata. For technical reasons, the identifier (e.g. d825e4025e39)
		of the secret changeset may be communicated to the server.


Matt Mackall help: add examples to phases topic	r16011	Examples
FUJIWARA Katsunori doc: unify section level between help topics...	r17267	========
Matt Mackall help: add examples to phases topic	r16011
		- list changesets in draft or secret phase::

		hg log -r "not public()"

		- change all secret changesets to draft::

		hg phase --draft "secret()"

		- forcibly move the current changeset and descendants from public to draft::

		hg phase --force --draft .

		- show a list of changeset revision and phase::

		hg log --template "{rev} {phase}\n"

Matt Mackall phases: add resync example to help topic	r16041	- resynchronize draft changesets relative to a remote repository::

FUJIWARA Katsunori doc: use double quotation mark to quote arguments in examples for Windows users...	r19959	hg phase -fd "outgoing(URL)"
Matt Mackall phases: add resync example to help topic	r16041
Matt Mackall help: add examples to phases topic	r16011	See :hg:`help phase` for more information on manually manipulating phases.

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages