Mercurial vulnerability? CVE-2010-4237

Mads Kiilerich mads at kiilerich.com
Thu Dec 9 19:17:59 CST 2010


Matt Mackall wrote, On 12/09/2010 06:40 PM:
> On Thu, 2010-12-09 at 18:14 +0100, Mads Kiilerich wrote:
>> On 12/09/2010 04:32 PM, Antoine Pitrou wrote:
>>> Mads Kiilerich <mads at kiilerich.com> writes:
>>>> 2. encourage packagers to configure cacerts by default - for Fedora that
>>>> could be by creating a /etc/mercurial/hgrc.d/cacerts.rc with
>>>> '[web]\ncacerts=/etc/pki/tls/certs/ca-bundle.crt'.
>>> How would this work under Windows? I'm not aware that this OS has certificates
>>> in the appropriate format.
>>> If you have a simple solution, Python would be interested :)
>> This is PKI, so nothing is simple and nothing is good. There are no
>> solutions, only ways to make wrong assumptions and make it somebody
>> else's problem. ;-(
>>
>> Which CAs to trust is a policy decision. Mercurial (and Python) _could_
>> distribute a CA list in a format suitable for Python's OpenSSL, but I
>> don't think we should be the ones to suggest that the user should trust
>> for example both the US, Chinese and Israeli governments.
> Indeed. And the process that browser maintainers go through to maintain
> these lists is well beyond the scope we can possibly hope to manage,
> never mind being largely irrelevant to our project.
>
> We should leave this to packagers.

I assume that means actively encouraging the packagers to do "something" 
to provide the best possible web.cacerts for the platform?

Should I update http://mercurial.selenic.com/wiki/Packaging and post to 
mercurial-packaging, or would you like to make it more official?

/Mads
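The packaging suggestion quoted in this thread (an hgrc.d fragment that sets web.cacerts to the platform's CA bundle) can be turned into a small check that a packager or administrator runs before shipping or deploying such a fragment. The script below is an added example written for this page, not Mercurial's own code: it parses an hgrc fragment with Python's configparser, reports whether web.cacerts is unset or points at a bundle that does not exist on the host, and builds a verifying SSL context from the configured bundle. The Fedora path comes from the thread; the Debian/Ubuntu path, the candidate list and the audit labels are my assumptions.

```python
"""Audit a Mercurial hgrc fragment for a usable web.cacerts setting.

Added example modelled on the packaging proposal in the thread; it is not
Mercurial's own configuration code.
"""
import configparser
import os
import ssl

# Hypothetical fragment, constructed to match the one proposed in the thread
# for /etc/mercurial/hgrc.d/cacerts.rc on Fedora.
FEDORA_CACERTS_RC = "[web]\ncacerts=/etc/pki/tls/certs/ca-bundle.crt\n"

# Candidate system bundles a packager might point web.cacerts at. The Fedora
# path is from the thread; the Debian/Ubuntu path is listed as an assumption
# about the host and is only used if it actually exists.
SYSTEM_BUNDLE_CANDIDATES = (
    "/etc/pki/tls/certs/ca-bundle.crt",    # Fedora / RHEL
    "/etc/ssl/certs/ca-certificates.crt",  # Debian / Ubuntu (assumed)
)


def resolve_cacerts(hgrc_text):
    """Return the web.cacerts value from an hgrc fragment, or None if unset.

    An empty 'cacerts=' is treated the same as a missing key, since either
    way no bundle is configured.
    """
    parser = configparser.RawConfigParser()
    parser.read_string(hgrc_text)
    return parser.get("web", "cacerts", fallback=None) or None


def find_system_bundle(candidates=SYSTEM_BUNDLE_CANDIDATES):
    """Return the first candidate bundle present on this host, or None."""
    for path in candidates:
        if os.path.isfile(path):
            return path
    return None


def render_cacerts_rc(bundle_path):
    """Render the hgrc.d fragment a packager would install for bundle_path."""
    return "[web]\ncacerts=%s\n" % bundle_path


def audit(hgrc_text):
    """Classify a fragment: 'unset', 'missing-bundle' or 'verifying'."""
    cacerts = resolve_cacerts(hgrc_text)
    if not cacerts:
        return "unset"
    if not os.path.isfile(cacerts):
        return "missing-bundle"
    return "verifying"


def verifying_context(cacerts):
    """Build an SSL context that only accepts chains the bundle vouches for.

    Refuses to build a context when no bundle is configured rather than
    silently falling back to an unverified connection; a configured but
    absent bundle surfaces as FileNotFoundError from load_verify_locations.
    """
    if not cacerts:
        raise ValueError("web.cacerts is unset: server certificates would not be verified")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.load_verify_locations(cafile=cacerts)
    return ctx


if __name__ == "__main__":
    print("fragment from thread:", audit(FEDORA_CACERTS_RC))
    bundle = find_system_bundle()
    if bundle:
        print("suggested fragment for this host:")
        print(render_cacerts_rc(bundle), end="")
    else:
        print("no known system CA bundle found on this host")
```

Run on a host without the Fedora bundle, audit reports "missing-bundle" for the thread's fragment, which is exactly the situation a packager for another distribution needs to catch before copying the path verbatim.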
