Bug 1231192 - Only install host fingerprints if not running secure Python+hg; r=smacleod
authorGregory Szorc <gps@mozilla.com>
Mon, 07 Dec 2015 13:15:24 -0800
changeset 310129 093210ae72ecead5c6c9387da8ca87a4883d2f0a
parent 310128 4b0aa51b8b602b349f149c156d92c0561318bec2
child 310130 119258fe0dd6c8d3dac9c7c72c75d17d95ce9ea6
reviewerssmacleod
bugs1231192
milestone45.0a1
Bug 1231192 - Only install host fingerprints if not running secure Python+hg; r=smacleod See inline comment.
tools/mercurial/hgsetup/wizard.py
--- a/tools/mercurial/hgsetup/wizard.py
+++ b/tools/mercurial/hgsetup/wizard.py
@@ -3,16 +3,17 @@
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 from __future__ import unicode_literals
 
 import difflib
 import errno
 import os
 import shutil
+import ssl
 import stat
 import sys
 import subprocess
 
 from distutils.version import LooseVersion
 
 from configobj import ConfigObjError
 from StringIO import StringIO
@@ -461,17 +462,25 @@ class MercurialSetupWizard(object):
         for ext in {'bzexport', 'qimportbz', 'mqext'}:
             path = os.path.join(self.ext_dir, ext)
             if os.path.exists(path):
                 if self._prompt_yn('Would you like to remove the old and no '
                     'longer referenced repository at %s' % path):
                     print('Cleaning up old repository: %s' % path)
                     shutil.rmtree(path)
 
-        c.add_mozilla_host_fingerprints()
+        # Python + Mercurial didn't have terrific TLS handling until Python
+        # 2.7.9 and Mercurial 3.4. For this reason, it was recommended to pin
+        # certificates in Mercurial config files. In modern versions of
+        # Mercurial, the system CA store is used and old, legacy TLS protocols
+        # are disabled. The default connection/security setting should
+        # be sufficient and pinning certificates is no longer needed.
+        have_modern_ssl = hasattr(ssl.SSLContext, 'load_default_certs')
+        if hg_version < LooseVersion('3.4') or not have_modern_ssl:
+            c.add_mozilla_host_fingerprints()
 
         # References to multiple version-control-tools checkouts can confuse
         # version-control-tools, since various Mercurial extensions resolve
         # dependencies via __file__ and repos could reference another copy.
         seen_vct = set()
         for k, v in c.config.get('extensions', {}).items():
             if 'version-control-tools' not in v:
                 continue
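Review bot: The `have_modern_ssl` probe on the new side dereferences `ssl.SSLContext` unconditionally, but that class only exists on Python 2.7.9+ — exactly the old interpreters this fallback is meant to keep pinning for — so on 2.7.8 and earlier the wizard raises AttributeError instead of calling `add_mozilla_host_fingerprints()`; a safe probe is `have_modern_ssl = hasattr(getattr(ssl, 'SSLContext', None), 'load_default_certs')`. Presence of the `load_default_certs` API also does not by itself show that the system CA store is populated (a Python linked against a non-system OpenSSL can expose the API yet load no CAs), so it may be worth treating an empty store as "not modern" too, e.g. by checking `ssl.create_default_context().cert_store_stats()['x509_ca']` — worth confirming against Mercurial's own cacerts handling before relying on it. Dropping fingerprint pins in favour of CA validation is a deliberate weakening of the trust model, so the comment should say so explicitly rather than only "no longer needed". `hg_version` is not defined within the hunk, and the enclosing method both begins before and continues after it.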