Mercurial vulnerability? CVE-2010-4237

Matt Mackall mpm at selenic.com
Thu Dec 9 20:44:02 CST 2010


On Fri, 2010-12-10 at 02:17 +0100, Mads Kiilerich wrote:
> Matt Mackall wrote, On 12/09/2010 06:40 PM:
> > On Thu, 2010-12-09 at 18:14 +0100, Mads Kiilerich wrote:
> >> On 12/09/2010 04:32 PM, Antoine Pitrou wrote:
> >>> Mads Kiilerich <mads <at> kiilerich.com> writes:
> >>>> 2. encourage packagers to configure cacerts by default - for Fedora that
> >>>> could be by creating a /etc/mercurial/hgrc.d/cacerts.rc with
> >>>> '[web]\ncacerts=/etc/pki/tls/certs/ca-bundle.crt'.
> >>> How would this work under Windows? I'm not aware that this OS has certificates
> >>> in the appropriate format.
> >>> If you have a simple solution, Python would be interested :)
> >> This is PKI, so nothing is simple and nothing is good. There are no
> >> solutions, only ways to make wrong assumptions and make it somebody
> >> else's problem. ;-(
> >>
> >> Which CAs to trust is a policy decision. Mercurial (and Python) _could_
> >> distribute a CA list in a format suitable for Python's OpenSSL, but I
> >> don't think we should be the ones to suggest that the user should trust
> >> for example both the US, Chinese and Israeli governments.
> > Indeed. And the process that browser maintainers go through to maintain
> > these lists is well beyond the scope we can possibly hope to manage,
> > never mind being largely irrelevant to our project.
> >
> > We should leave this to packagers.
> 
> I assume that means actively encouraging the packagers to do "something" 
> to provide the best possible web.cacerts for the platform?
> 
> Should I update http://mercurial.selenic.com/wiki/Packaging and post to 
> mercurial-packaging, or would you like to make it more official?

Sounds like a good start.

-- 
Mathematics is the supreme nostalgia of our time.
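The thread above proposes that packagers ship an hgrc.d snippet setting web.cacerts to the platform's CA bundle (for Fedora, /etc/pki/tls/certs/ca-bundle.crt). The following is an added example, not code from Mercurial or from anyone in this thread: a small packager-side sanity check that reads hgrc-style files, confirms web.cacerts is set, and confirms the file it names exists and actually contains PEM certificates. It assumes nothing beyond Python's standard library; the config file names, the check_cacerts/load_hgrc functions and the PEM bundle contents are all constructed for the example.

```python
import configparser
import os
import re
import tempfile

# Added example, not Mercurial's own code. A packager's sanity check for the
# web.cacerts setting discussed in the thread: is it set, does the file exist,
# and does the file hold at least one PEM certificate? An unset web.cacerts is
# the case to watch for, because then HTTPS server certificates go unverified.

PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def load_hgrc(paths):
    """Read hgrc-style files in order; later files override earlier ones.
    Missing files are skipped silently, which is how hg treats hgrc.d too."""
    cfg = configparser.RawConfigParser()
    cfg.read(paths)
    return cfg


def check_cacerts(cfg):
    """Return (status, detail) where status is 'ok', 'unset', 'missing' or 'empty'."""
    if not cfg.has_option("web", "cacerts"):
        return ("unset", "web.cacerts not configured; server certificates not verified")
    bundle = os.path.expanduser(cfg.get("web", "cacerts"))
    if not os.path.isfile(bundle):
        return ("missing", "web.cacerts points at %s, which does not exist" % bundle)
    with open(bundle, "rb") as f:
        data = f.read().decode("ascii", "replace")
    count = len(PEM_CERT_RE.findall(data))
    if count == 0:
        return ("empty", "%s contains no PEM certificates" % bundle)
    return ("ok", "%d CA certificate(s) found in %s" % (count, bundle))


# Constructed stand-in for a CA bundle: two PEM-framed blocks with fake bodies.
FAKE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nMIIBfakeCertificateBody\n-----END CERTIFICATE-----\n"
) * 2


def demo():
    """Exercise the check against four constructed scenarios a packager might hit.
    Returns a dict of scenario name -> status."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        bundle = os.path.join(d, "ca-bundle.crt")
        rc = os.path.join(d, "cacerts.rc")

        # 1. The packaged case from the thread: hgrc.d snippet points at a bundle.
        with open(bundle, "w") as f:
            f.write(FAKE_BUNDLE)
        with open(rc, "w") as f:
            f.write("[web]\ncacerts=%s\n" % bundle)
        results["packaged"] = check_cacerts(load_hgrc([rc]))[0]

        # 2. No config file at all: web.cacerts stays unset.
        results["no_config"] = check_cacerts(load_hgrc([os.path.join(d, "absent.rc")]))[0]

        # 3. Snippet names a bundle path that is not present on this platform.
        with open(rc, "w") as f:
            f.write("[web]\ncacerts=%s\n" % os.path.join(d, "nope.crt"))
        results["dangling"] = check_cacerts(load_hgrc([rc]))[0]

        # 4. Bundle exists but is empty (e.g. wrong format or truncated file).
        with open(bundle, "w") as f:
            f.write("")
        with open(rc, "w") as f:
            f.write("[web]\ncacerts=%s\n" % bundle)
        results["empty"] = check_cacerts(load_hgrc([rc]))[0]
    return results


if __name__ == "__main__":
    for name, status in demo().items():
        print("%-10s %s" % (name, status))
```

Only the 'ok' outcome means hg will be able to verify server certificates with the configured bundle; the other three are the silent failure modes a packaging test should flag. On Windows, where no PEM bundle is installed by default, the 'missing' case is the one this check would surface.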