##// END OF EJS Templates
upstream » mercurial-mirror
RSS

Clone from https://www.mercurial-scm.org/repo/hg-all

sslutil: issue warning when [hostfingerprint] is used...
sslutil: issue warning when [hostfingerprint] is used Mercurial 3.9 added the [hostsecurity] section, which is better than [hostfingerprints] in every way. One of the ways that [hostsecurity] is better is that it supports SHA-256 and SHA-512 fingerprints, not just SHA-1 fingerprints. The world is moving away from SHA-1 because it is borderline secure. Mercurial should be part of that movement. This patch adds a warning when a valid SHA-1 fingerprint from the [hostfingerprints] section is being used. The warning informs users to switch to [hostsecurity]. It even prints the config option they should set. It uses the SHA-256 fingerprint because recommending a SHA-1 fingerprint in 2017 would be ill-advised. The warning will print itself on every connection to a server until it is fixed. There is no way to suppress the warning. I admit this is annoying. But given the security implications of sticking with SHA-1, I think this is justified. If this patch is accepted, I'll likely send a follow-up to start warning on SHA-1 certificates in [hostsecurity] as well. Then sometime down the road, we can drop support for SHA-1 fingerprints. Credit for this idea comes from timeless in issue 5466.
Mads Kiilerich - - Load All Authors

File last commit:

r30180:736f92c4 default
r31290:f819aa9d default
Show More
localstore.py
68 lines | 2.4 KiB | text/x-python | PythonLexer
/ hgext / largefiles / localstore.py
History | Annotation | Raw |Copy content |Copy permalink
# Copyright 2009-2010 Gregory P. Ward
# Copyright 2009-2010 Intelerad Medical Systems Incorporated
# Copyright 2010-2011 Fog Creek Software
# Copyright 2010-2011 Unity Technologies
#
# This software may be used and distributed according to the terms of the
# GNU General Public License version 2 or any later version.
'''store class for local filesystem'''
from __future__ import absolute_import
from mercurial.i18n import _
from mercurial import util
from . import (
basestore,
lfutil,
)
class localstore(basestore.basestore):
'''localstore first attempts to grab files out of the store in the remote
Mercurial repository. Failing that, it attempts to grab the files from
the user cache.'''
def __init__(self, ui, repo, remote):
self.remote = remote.local()
super(localstore, self).__init__(ui, repo, self.remote.url())
def put(self, source, hash):
if lfutil.instore(self.remote, hash):
return
lfutil.link(source, lfutil.storepath(self.remote, hash))
def exists(self, hashes):
retval = {}
for hash in hashes:
retval[hash] = lfutil.instore(self.remote, hash)
return retval
def _getfile(self, tmpfile, filename, hash):
path = lfutil.findfile(self.remote, hash)
if not path:
raise basestore.StoreError(filename, hash, self.url,
_("can't get file locally"))
with open(path, 'rb') as fd:
return lfutil.copyandhash(
util.filechunkiter(fd), tmpfile)
def _verifyfiles(self, contents, filestocheck):
failed = False
for cset, filename, expectedhash in filestocheck:
storepath, exists = lfutil.findstorepath(self.repo, expectedhash)
if not exists:
storepath, exists = lfutil.findstorepath(
self.remote, expectedhash)
if not exists:
self.ui.warn(
_('changeset %s: %s references missing %s\n')
% (cset, filename, storepath))
failed = True
elif contents:
actualhash = lfutil.hashfile(storepath)
if actualhash != expectedhash:
self.ui.warn(
_('changeset %s: %s references corrupted %s\n')
% (cset, filename, storepath))
failed = True
return failed