upstream/mercurial-mirror Files · mercurial/help/phases.txt

sslutil: require TLS 1.1+ when supported...

sslutil: require TLS 1.1+ when supported Currently, Mercurial will use TLS 1.0 or newer when connecting to remote servers, selecting the highest TLS version supported by both peers. On older Pythons, only TLS 1.0 is available. On newer Pythons, TLS 1.1 and 1.2 should be available. Security professionals recommend avoiding TLS 1.0 if possible. PCI DSS 3.1 "strongly encourages" the use of TLS 1.2. Known attacks like BEAST and POODLE exist against TLS 1.0 (although mitigations are available and properly configured servers aren't vulnerable). I asked Eric Rescorla - Mozilla's resident crypto expert - whether Mercurial should drop support for TLS 1.0. His response was "if you can get away with it." Essentially, a number of servers on the Internet don't support TLS 1.1+. This is why web browsers continue to support TLS 1.0 despite desires from security experts. This patch changes Mercurial's default behavior on modern Python versions to require TLS 1.1+, thus avoiding known security issues with TLS 1.0 and making Mercurial more secure by default. Rather than drop TLS 1.0 support wholesale, we still allow TLS 1.0 to be used if configured. This is a compromise solution - ideally we'd disallow TLS 1.0. However, since we're not sure how many Mercurial servers don't support TLS 1.1+ and we're not sure how much user inconvenience this change will bring, I think it is prudent to ship an escape hatch that still allows usage of TLS 1.0. In the default case our users get better security. In the worst case, they are no worse off than before this patch. This patch has no effect when running on Python versions that don't support TLS 1.1+. As the added test shows, connecting to a server that doesn't support TLS 1.1+ will display a warning message with a link to our wiki, where we can guide people to configure their client to allow less secure connections.

timeless - - Load All Authors

File last commit:

r27514:311edddd default


                r29560:303e9300

default

Download file

             phases.txt
        
                    100 lines
            
             | 3.0 KiB
            
                | text/plain
            
             |
                TextLexer

/ mercurial / help / phases.txt

History | Annotation | Raw |Copy content |Copy permalink

				What are phases?
				================

				Phases are a system for tracking which changesets have been or should
				be shared. This helps prevent common mistakes when modifying history
				(for instance, with the mq or rebase extensions).

				Each changeset in a repository is in one of the following phases:

				- public : changeset is visible on a public server
				- draft : changeset is not yet published
				- secret : changeset should not be pushed, pulled, or cloned

				These phases are ordered (public < draft < secret) and no changeset
				can be in a lower phase than its ancestors. For instance, if a
				changeset is public, all its ancestors are also public. Lastly,
				changeset phases should only be changed towards the public phase.

				How are phases managed?
				=======================

				For the most part, phases should work transparently. By default, a
				changeset is created in the draft phase and is moved into the public
				phase when it is pushed to another repository.

				Once changesets become public, extensions like mq and rebase will
				refuse to operate on them to prevent creating duplicate changesets.
				Phases can also be manually manipulated with the :hg:`phase` command
				if needed. See :hg:`help -v phase` for examples.

				To make yours commits secret by default, put this in your
				configuration file::

				[phases]
				new-commit = secret

				Phases and servers
				==================

				Normally, all servers are ``publishing`` by default. This means::

				- all draft changesets that are pulled or cloned appear in phase
				public on the client

				- all draft changesets that are pushed appear as public on both
				client and server

				- secret changesets are neither pushed, pulled, or cloned

				.. note::

				Pulling a draft changeset from a publishing server does not mark it
				as public on the server side due to the read-only nature of pull.

				Sometimes it may be desirable to push and pull changesets in the draft
				phase to share unfinished work. This can be done by setting a
				repository to disable publishing in its configuration file::

				[phases]
				publish = False

				See :hg:`help config` for more information on configuration files.

				.. note::

				Servers running older versions of Mercurial are treated as
				publishing.

				.. note::

				Changesets in secret phase are not exchanged with the server. This
				applies to their content: file names, file contents, and changeset
				metadata. For technical reasons, the identifier (e.g. d825e4025e39)
				of the secret changeset may be communicated to the server.


				Examples
				========

				- list changesets in draft or secret phase::

				hg log -r "not public()"

				- change all secret changesets to draft::

				hg phase --draft "secret()"

				- forcibly move the current changeset and descendants from public to draft::

				hg phase --force --draft .

				- show a list of changeset revision and phase::

				hg log --template "{rev} {phase}\n"

				- resynchronize draft changesets relative to a remote repository::

				hg phase -fd "outgoing(URL)"

				See :hg:`help phase` for more information on manually manipulating phases.

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages