[Bug 3453] New: Trust the operating system's CA certificates by default

bugzilla-daemon at bz.selenic.com bugzilla-daemon at bz.selenic.com
Tue May 15 04:27:55 CDT 2012


http://bz.selenic.com/show_bug.cgi?id=3453

          Priority: meh
            Bug ID: 3453
                CC: mercurial-devel at selenic.com
          Assignee: bugzilla at selenic.com
           Summary: Trust the operating system's CA certificates by
                    default
          Severity: bug
    Classification: Unclassified
                OS: Linux
          Reporter: dtn-hgbugs at corefiling.co.uk
          Hardware: PC
            Status: UNCONFIRMED
           Version: unspecified
         Component: Mercurial
           Product: Mercurial

http://mercurial.selenic.com/wiki/CACertificates explains that Mercurial does
not trust any CAs by default.

I think this is the wrong decision, for the following reasons:

1) It encourages users to blindly whitelist the fingerprint of each certificate
they encounter without checking it, thus providing a lower level of security
than trusting the same set of root certificates as the OS or a browser

2) It means that non-interactive checkouts (e.g. on a farm of machines doing
automated builds) are prone to fail without configuration being rolled out to
Mercurial on all machines involved.

Please consider trusting the OS's set of root certificates by default.

-- 
You are receiving this mail because:
You are on the CC list for the bug.


More information about the Mercurial-devel mailing list