##// END OF EJS Templates
upstream » mercurial-mirror
RSS

Clone from https://www.mercurial-scm.org/repo/hg-all

sslutil: abort when unable to verify peer connection (BC)...
sslutil: abort when unable to verify peer connection (BC) Previously, when we connected to a server and were unable to verify its certificate against a trusted certificate authority we would issue a warning and continue to connect. This is obviously not great behavior because the x509 certificate model is based upon trust of specific CAs. Failure to enforce that trust erodes security. This behavior was defined several years ago when Python did not support loading the system trusted CA store (Python 2.7.9's backports of Python 3's improvements to the "ssl" module enabled this). This commit changes behavior when connecting to abort if the peer certificate can't be validated. With an empty/default Mercurial configuration, the peer certificate can be validated if Python is able to load the system trusted CA store. Environments able to load the system trusted CA store include: * Python 2.7.9+ on most platforms and installations * Python 2.7 distributions with a modern ssl module (e.g. RHEL7's patched 2.7.5 package) * Python shipped on OS X Environments unable to load the system trusted CA store include: * Python 2.6 * Python 2.7 on many existing Linux installs (because they don't ship 2.7.9+ or haven't backported modern ssl module) * Python 2.7.9+ on some installs where Python is unable to locate the system CA store (this is hopefully rare) Users of these Pythongs will need to configure Mercurial to load the system CA store using web.cacerts. This should ideally be performed by packagers (by setting web.cacerts in the global/system hgrc file). Where Mercurial packagers aren't setting this, the linked URL in the new abort message can contain instructions for users. In the future, we may want to add more code for finding the system CA store. For example, many Linux distributions have the CA store at well-known locations (such as /etc/ssl/certs/ca-certificates.crt in the case of Ubuntu). This will enable CA loading to "just work" on more Python configurations and will be best for our users since they won't have to change anything after upgrading to a Mercurial with this patch. We may also want to consider distributing a trusted CA store with Mercurial. Although we should think long and hard about that because most systems have a global CA store and Mercurial should almost certainly use the same store used by everything else on the system.
timeless - - Load All Authors

File last commit:

r27514:311edddd default
r29411:e1778b9c default
Show More
phases.txt
100 lines | 3.0 KiB | text/plain | TextLexer
/ mercurial / help / phases.txt
History | Annotation | Raw |Copy content |Copy permalink
What are phases?
================
Phases are a system for tracking which changesets have been or should
be shared. This helps prevent common mistakes when modifying history
(for instance, with the mq or rebase extensions).
Each changeset in a repository is in one of the following phases:
- public : changeset is visible on a public server
- draft : changeset is not yet published
- secret : changeset should not be pushed, pulled, or cloned
These phases are ordered (public < draft < secret) and no changeset
can be in a lower phase than its ancestors. For instance, if a
changeset is public, all its ancestors are also public. Lastly,
changeset phases should only be changed towards the public phase.
How are phases managed?
=======================
For the most part, phases should work transparently. By default, a
changeset is created in the draft phase and is moved into the public
phase when it is pushed to another repository.
Once changesets become public, extensions like mq and rebase will
refuse to operate on them to prevent creating duplicate changesets.
Phases can also be manually manipulated with the :hg:`phase` command
if needed. See :hg:`help -v phase` for examples.
To make yours commits secret by default, put this in your
configuration file::
[phases]
new-commit = secret
Phases and servers
==================
Normally, all servers are ``publishing`` by default. This means::
- all draft changesets that are pulled or cloned appear in phase
public on the client
- all draft changesets that are pushed appear as public on both
client and server
- secret changesets are neither pushed, pulled, or cloned
.. note::
Pulling a draft changeset from a publishing server does not mark it
as public on the server side due to the read-only nature of pull.
Sometimes it may be desirable to push and pull changesets in the draft
phase to share unfinished work. This can be done by setting a
repository to disable publishing in its configuration file::
[phases]
publish = False
See :hg:`help config` for more information on configuration files.
.. note::
Servers running older versions of Mercurial are treated as
publishing.
.. note::
Changesets in secret phase are not exchanged with the server. This
applies to their content: file names, file contents, and changeset
metadata. For technical reasons, the identifier (e.g. d825e4025e39)
of the secret changeset may be communicated to the server.
Examples
========
- list changesets in draft or secret phase::
hg log -r "not public()"
- change all secret changesets to draft::
hg phase --draft "secret()"
- forcibly move the current changeset and descendants from public to draft::
hg phase --force --draft .
- show a list of changeset revision and phase::
hg log --template "{rev} {phase}\n"
- resynchronize draft changesets relative to a remote repository::
hg phase -fd "outgoing(URL)"
See :hg:`help phase` for more information on manually manipulating phases.