##// END OF EJS Templates
upstream » mercurial-mirror
RSS

Clone from https://www.mercurial-scm.org/repo/hg-all

sslutil: require TLS 1.1+ when supported...
sslutil: require TLS 1.1+ when supported Currently, Mercurial will use TLS 1.0 or newer when connecting to remote servers, selecting the highest TLS version supported by both peers. On older Pythons, only TLS 1.0 is available. On newer Pythons, TLS 1.1 and 1.2 should be available. Security professionals recommend avoiding TLS 1.0 if possible. PCI DSS 3.1 "strongly encourages" the use of TLS 1.2. Known attacks like BEAST and POODLE exist against TLS 1.0 (although mitigations are available and properly configured servers aren't vulnerable). I asked Eric Rescorla - Mozilla's resident crypto expert - whether Mercurial should drop support for TLS 1.0. His response was "if you can get away with it." Essentially, a number of servers on the Internet don't support TLS 1.1+. This is why web browsers continue to support TLS 1.0 despite desires from security experts. This patch changes Mercurial's default behavior on modern Python versions to require TLS 1.1+, thus avoiding known security issues with TLS 1.0 and making Mercurial more secure by default. Rather than drop TLS 1.0 support wholesale, we still allow TLS 1.0 to be used if configured. This is a compromise solution - ideally we'd disallow TLS 1.0. However, since we're not sure how many Mercurial servers don't support TLS 1.1+ and we're not sure how much user inconvenience this change will bring, I think it is prudent to ship an escape hatch that still allows usage of TLS 1.0. In the default case our users get better security. In the worst case, they are no worse off than before this patch. This patch has no effect when running on Python versions that don't support TLS 1.1+. As the added test shows, connecting to a server that doesn't support TLS 1.1+ will display a warning message with a link to our wiki, where we can guide people to configure their client to allow less secure connections.
Gregory Szorc - - Load All Authors

File last commit:

r28523:045fe704 default
r29560:303e9300 default
Show More
requirements.txt
110 lines | 3.4 KiB | text/plain | TextLexer
/ mercurial / help / internals / requirements.txt
History | Annotation | Raw |Copy content |Copy permalink
Requirements
============
Repositories contain a file (``.hg/requires``) containing a list of
features/capabilities that are *required* for clients to interface
with the repository. This file has been present in Mercurial since
version 0.9.2 (released December 2006).
One of the first things clients do when opening a repository is read
``.hg/requires`` and verify that all listed requirements are supported,
aborting if not. Requirements are therefore a strong mechanism to
prevent incompatible clients from reading from unknown repository
formats or even corrupting them by writing to them.
Extensions may add requirements. When they do this, clients not running
an extension will be unable to read from repositories.
The following sections describe the requirements defined by the
Mercurial core distribution.
revlogv1
--------
When present, revlogs are version 1 (RevlogNG). RevlogNG was introduced
in 2006. The ``revlogv1`` requirement has been enabled by default
since the ``requires`` file was introduced in Mercurial 0.9.2.
If this requirement is not present, version 0 revlogs are assumed.
store
-----
The *store* repository layout should be used.
This requirement has been enabled by default since the ``requires`` file
was introduced in Mercurial 0.9.2.
fncache
-------
The *fncache* repository layout should be used.
The *fncache* layout hash encodes filenames with long paths and
encodes reserved filenames.
This requirement is enabled by default when the *store* requirement is
enabled (which is the default behavior). It was introduced in Mercurial
1.1 (released December 2008).
shared
------
Denotes that the store for a repository is shared from another location
(defined by the ``.hg/sharedpath`` file).
This requirement is set when a repository is created via :hg:`share`.
The requirement was added in Mercurial 1.3 (released July 2009).
dotencode
---------
The *dotencode* repository layout should be used.
The *dotencode* layout encodes the first period or space in filenames
to prevent issues on OS X and Windows.
This requirement is enabled by default when the *store* requirement
is enabled (which is the default behavior). It was introduced in
Mercurial 1.7 (released November 2010).
parentdelta
-----------
Denotes a revlog delta encoding format that was experimental and
replaced by *generaldelta*. It should not be seen in the wild because
it was never enabled by default.
This requirement was added in Mercurial 1.7 and removed in Mercurial
1.9.
generaldelta
------------
Revlogs should be created with the *generaldelta* flag enabled. The
generaldelta flag will cause deltas to be encoded against a parent
revision instead of the previous revision in the revlog.
Support for this requirement was added in Mercurial 1.9 (released
July 2011). The requirement was disabled on new repositories by
default until Mercurial 3.7 (released February 2016).
manifestv2
----------
Denotes that version 2 of manifests are being used.
Support for this requirement was added in Mercurial 3.4 (released
May 2015). The requirement is currently experimental and is disabled
by default.
treemanifest
------------
Denotes that tree manifests are being used. Tree manifests are
one manifest per directory (as opposed to a single flat manifest).
Support for this requirement was added in Mercurial 3.4 (released
August 2015). The requirement is currently experimental and is
disabled by default.