Mercurial vulnerability? CVE-2010-4237

Mads Kiilerich mads at
Thu Dec 9 19:17:59 CST 2010

Matt Mackall wrote, On 12/09/2010 06:40 PM:
> On Thu, 2010-12-09 at 18:14 +0100, Mads Kiilerich wrote:
>> On 12/09/2010 04:32 PM, Antoine Pitrou wrote:
>>> Mads Kiilerich<mads<at>>   writes:
>>>> 2. encourage packagers to configure cacerts by default - for Fedora that
>>>> could be by creating a /etc/mercurial/hgrc.d/cacerts.rc with
>>>> '[web]\ncacerts=/etc/pki/tls/certs/ca-bundle.crt'.
>>> How would this work under Windows? I'm not aware that this OS has certificates
>>> in the appropriate format.
>>> If you have a simple solution, Python would be interested :)
>> This is PKI, so nothing is simple and nothing is good. There is no
>> solutions, only ways to make wrong assumptions and make it somebody
>> elses problem. ;-(
>> Which CAs to trust is a policy decision. Mercurial (and Python) _could_
>> distribute a CA list in a format suitable for Pythons OpenSSL, but I
>> don't think we should be the ones to suggest that the user should trust
>> for example both the US, Chinese and Israel governments.
> Indeed. And the process that browser maintainers go through to maintain
> these lists is well beyond the scope we can possibly hope to manage,
> nevermind being largely irrelevant to our project.
> We should leave this to packagers.

I assume that means actively encouraging the packagers to do "something" 
to provide the best possible web.cacerts for the platform?

Should I update and post to 
mercurial-packaging, or would you like to make it more official?


More information about the Mercurial-devel mailing list