3
5
Fork 0
mirror of git://git.savannah.gnu.org/guix.git synced 2023-12-14 03:33:07 +01:00

gnu: mercurial: Update to 6.2.1.

* gnu/packages/version-control.scm (mercurial): Update to 6.2.1.
[source](patches): Add patch for compatibility with OpenSSL 3.0.
[arguments]: Patch /usr/bin/env and /bin/sh unconditionally in all tests.
Disable four more tests.
[inputs]: Change from PYTHON to PYTHON-WRAPPER.
* gnu/packages/patches/mercurial-openssl-compat.patch: New file.
* gnu/local.mk (dist_patch_DATA): Adjust accordingly.
This commit is contained in:
Marius Bakke 2022-08-30 14:13:32 +02:00
parent 77c07d9a61
commit 997a51bee8
No known key found for this signature in database
GPG key ID: A2A06DF2A33A54FA
3 changed files with 115 additions and 11 deletions

View file

@ -1510,7 +1510,8 @@ dist_patch_DATA = \
%D%/packages/patches/libmemcached-build-with-gcc7.patch \
%D%/packages/patches/libmhash-hmac-fix-uaf.patch \
%D%/packages/patches/libsigrokdecode-python3.9-fix.patch \
%D%/packages/patches/mercurial-hg-extension-path.patch \
%D%/packages/patches/mercurial-hg-extension-path.patch \
%D%/packages/patches/mercurial-openssl-compat.patch \
%D%/packages/patches/mesa-opencl-all-targets.patch \
%D%/packages/patches/mesa-skip-tests.patch \
%D%/packages/patches/meson-allow-dirs-outside-of-prefix.patch \

View file

@ -0,0 +1,89 @@
Tweak cipher selection to make TLS < 1.2 work with OpenSSL 3.
Taken from Debian:
https://salsa.debian.org/python-team/packages/mercurial/-/blob/debian/master/debian/patches/openssl_3_cipher_tlsv1.patch
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -117,17 +117,17 @@ def _hostsettings(ui, hostname):
ciphers = ui.config(b'hostsecurity', b'%s:ciphers' % bhostname, ciphers)
# If --insecure is used, we allow the use of TLS 1.0 despite config options.
# We always print a "connection security to %s is disabled..." message when
# --insecure is used. So no need to print anything more here.
if ui.insecureconnections:
minimumprotocol = b'tls1.0'
if not ciphers:
- ciphers = b'DEFAULT'
+ ciphers = b'DEFAULT:@SECLEVEL=0'
s[b'minimumprotocol'] = minimumprotocol
s[b'ciphers'] = ciphers
# Look for fingerprints in [hostsecurity] section. Value is a list
# of <alg>:<fingerprint> strings.
fingerprints = ui.configlist(
b'hostsecurity', b'%s:fingerprints' % bhostname
@@ -621,17 +621,17 @@ def wrapserversocket(
# Improve forward secrecy.
sslcontext.options |= getattr(ssl, 'OP_SINGLE_DH_USE', 0)
sslcontext.options |= getattr(ssl, 'OP_SINGLE_ECDH_USE', 0)
# In tests, allow insecure ciphers
# Otherwise, use the list of more secure ciphers if found in the ssl module.
if exactprotocol:
- sslcontext.set_ciphers('DEFAULT')
+ sslcontext.set_ciphers('DEFAULT:@SECLEVEL=0')
elif util.safehasattr(ssl, b'_RESTRICTED_SERVER_CIPHERS'):
sslcontext.options |= getattr(ssl, 'OP_CIPHER_SERVER_PREFERENCE', 0)
# pytype: disable=module-attr
sslcontext.set_ciphers(ssl._RESTRICTED_SERVER_CIPHERS)
# pytype: enable=module-attr
if requireclientcert:
sslcontext.verify_mode = ssl.CERT_REQUIRED
--- a/tests/test-https.t
+++ b/tests/test-https.t
@@ -356,19 +356,19 @@ Start servers running supported TLS vers
$ cat ../hg1.pid >> $DAEMON_PIDS
$ hg serve -p $HGPORT2 -d --pid-file=../hg2.pid --certificate=$PRIV \
> --config devel.serverexactprotocol=tls1.2
$ cat ../hg2.pid >> $DAEMON_PIDS
$ cd ..
Clients talking same TLS versions work
- $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 --config hostsecurity.ciphers=DEFAULT id https://localhost:$HGPORT/
+ $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 --config hostsecurity.ciphers=DEFAULT:@SECLEVEL=0 id https://localhost:$HGPORT/
5fed3813f7f5
- $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 --config hostsecurity.ciphers=DEFAULT id https://localhost:$HGPORT1/
+ $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 --config hostsecurity.ciphers=DEFAULT:@SECLEVEL=0 id https://localhost:$HGPORT1/
5fed3813f7f5
$ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT2/
5fed3813f7f5
Clients requiring newer TLS version than what server supports fail
$ P="$CERTSDIR" hg id https://localhost:$HGPORT/
(could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
@@ -400,17 +400,17 @@ Clients requiring newer TLS version than
$ hg --config hostsecurity.minimumprotocol=tls1.2 id --insecure https://localhost:$HGPORT1/
warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
5fed3813f7f5
The per-host config option overrides the default
$ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
- > --config hostsecurity.ciphers=DEFAULT \
+ > --config hostsecurity.ciphers=DEFAULT:@SECLEVEL=0 \
> --config hostsecurity.minimumprotocol=tls1.2 \
> --config hostsecurity.localhost:minimumprotocol=tls1.0
5fed3813f7f5
The per-host config option by itself works
$ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
> --config hostsecurity.localhost:minimumprotocol=tls1.2

View file

@ -1735,15 +1735,16 @@ execution of any hook written in any language before every commit.")
(define-public mercurial
(package
(name "mercurial")
(version "5.8.1")
(version "6.2.1")
(source (origin
(method url-fetch)
(uri (string-append "https://www.mercurial-scm.org/"
"release/mercurial-" version ".tar.gz"))
(patches (search-patches "mercurial-hg-extension-path.patch"))
(patches (search-patches "mercurial-hg-extension-path.patch"
"mercurial-openssl-compat.patch"))
(sha256
(base32
"16xi4bmjqzi7ig8sfa5mnypfpbbbiyafmmqrs4nxmgc743za7fl1"))))
"1nl2726szaxyrxlyssrsir5c6vb4ci0i6g969i6xaahw1nidgica"))))
(build-system gnu-build-system)
(arguments
`(#:make-flags
@ -1753,13 +1754,11 @@ execution of any hook written in any language before every commit.")
(delete 'configure)
(add-after 'unpack 'patch-tests
(lambda _
(substitute* '("tests/test-extdiff.t"
"tests/test-logtoprocess.t"
"tests/test-patchbomb.t"
"tests/test-run-tests.t"
"tests/test-transplant.t")
(substitute* (find-files "tests" "\\.(t|py)$")
(("/bin/sh")
(which "sh")))))
(which "sh"))
(("/usr/bin/env")
(which "env")))))
(replace 'check
(lambda* (#:key tests? #:allow-other-keys)
(with-directory-excursion "tests"
@ -1770,6 +1769,12 @@ execution of any hook written in any language before every commit.")
;; PATH from before (that's why we are building it!)?
"test-hghave.t"
;; This test creates a shebang spanning multiple
;; lines which is difficult to substitute. It
;; only tests the test runner itself, which gets
;; thoroughly tested during the check phase anyway.
"test-run-tests.t"
;; These tests fail because the program is not
;; connected to a TTY in the build container.
"test-nointerrupt.t"
@ -1778,6 +1783,15 @@ execution of any hook written in any language before every commit.")
;; FIXME: This gets killed but does not receive an interrupt.
"test-commandserver.t"
;; These tests get unexpected warnings about using
;; deprecated functionality in Python, but otherwise
;; succeed; try enabling for later Mercurial versions.
"test-demandimport.py"
"test-patchbomb-tls.t"
;; Similarly, this gets a more informative error
;; message from Python 3.10 than it expects.
"test-http-bad-server.t"
;; Only works when run in a hg-repo, not in an
;; extracted tarball
"test-doctest.py"
@ -1808,7 +1822,7 @@ execution of any hook written in any language before every commit.")
;; The following inputs are only needed to run the tests.
python-nose unzip which))
(inputs
(list python))
(list python-wrapper))
;; Find third-party extensions.
(native-search-paths
(list (search-path-specification