Mercurial vulnerability? CVE-2010-4237

Matt Mackall mpm at selenic.com
Thu Dec 9 11:40:25 CST 2010


On Thu, 2010-12-09 at 18:14 +0100, Mads Kiilerich wrote:
> On 12/09/2010 04:32 PM, Antoine Pitrou wrote:
> > Mads Kiilerich<mads<at>  kiilerich.com>  writes:
> >>
> >> 2. encourage packagers to configure cacerts by default - for Fedora that
> >> could be by creating a /etc/mercurial/hgrc.d/cacerts.rc with
> >> '[web]\ncacerts=/etc/pki/tls/certs/ca-bundle.crt'.
> >
> > How would this work under Windows? I'm not aware that this OS has certificates
> > in the appropriate format.
> > If you have a simple solution, Python would be interested :)
> 
> This is PKI, so nothing is simple and nothing is good. There are no 
> solutions, only ways to make wrong assumptions and make it somebody 
> else's problem. ;-(
> 
> Which CAs to trust is a policy decision. Mercurial (and Python) _could_ 
> distribute a CA list in a format suitable for Python's OpenSSL, but I 
> don't think we should be the ones to suggest that the user should trust 
> for example both the US, Chinese and Israeli governments.

Indeed. And the process that browser maintainers go through to maintain
these lists is well beyond the scope we can possibly hope to manage,
never mind being largely irrelevant to our project.

We should leave this to packagers.

But it's probably appropriate to warn that no CA information is
configured.

-- 
Mathematics is the supreme nostalgia of our time.
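The two concrete points in this exchange are the packager-supplied hgrc.d fragment that sets `[web] cacerts` and the suggestion that Mercurial warn when no CA information is configured. The following is an added example, not Mercurial's own code and not from anyone in the thread: it resolves `web.cacerts` from hgrc-style fragments in precedence order (later fragments override earlier ones, as with system, user and repository hgrc files), then classifies the result and emits a warning when the setting is absent or points at a file that does not exist. The fragment texts are constructed inputs; the user hgrc and the `exists` hook are assumptions made so the check runs offline on a machine without the distribution's CA bundle.

```python
"""Added example (not Mercurial's own code): resolve [web] cacerts from
hgrc-style config fragments and warn when no CA bundle is configured."""
import configparser
import os
import warnings

# Constructed config fragments, in the order Mercurial would read them:
# a packager-supplied /etc/mercurial/hgrc.d/cacerts.rc (the fragment
# proposed in the thread) first, then a hypothetical user ~/.hgrc that
# leaves [web] cacerts untouched.
PACKAGER_HGRC = """[web]
cacerts=/etc/pki/tls/certs/ca-bundle.crt
"""
USER_HGRC = """[ui]
username = Example User <user@example.org>
"""


def resolve_cacerts(fragments):
    """Return the effective [web] cacerts path, or None if it is unset.

    Later fragments override earlier ones. An explicitly empty value
    ('cacerts=') is treated as unsetting the bundle."""
    path = None
    for text in fragments:
        cp = configparser.ConfigParser(interpolation=None)
        cp.read_string(text)
        if cp.has_option("web", "cacerts"):
            value = cp.get("web", "cacerts").strip()
            path = value or None
    return path


def check_cacerts(fragments, exists=os.path.exists):
    """Classify the CA configuration and warn when it is unusable.

    Returns 'ok', 'unconfigured' or 'missing-file'. The `exists` hook
    (an assumption for this example) lets the check run without the
    packager's bundle being present on this machine."""
    path = resolve_cacerts(fragments)
    if path is None:
        warnings.warn("web.cacerts is not set: no CA information is "
                      "configured for HTTPS connections", stacklevel=2)
        return "unconfigured"
    if not exists(path):
        # A configured-but-absent bundle is worth a distinct warning:
        # the packager's default may not match this host's layout.
        warnings.warn("web.cacerts points at %s, which does not exist"
                      % path, stacklevel=2)
        return "missing-file"
    return "ok"


if __name__ == "__main__":
    # Packager default present, bundle assumed to exist on this host.
    print(check_cacerts([PACKAGER_HGRC, USER_HGRC], exists=lambda p: True))
    # Bare user config, nothing from hgrc.d: the case the thread proposes
    # warning about.
    print(check_cacerts([USER_HGRC]))
```

The order of the `fragments` list is what carries the precedence, so a repository or user hgrc that sets `cacerts=` to an empty value wins over the packager default; whether that should be allowed is the policy question the thread leaves to packagers.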
