
mercurial update ready for testing



Hi,

I have uploaded a test version of the Mercurial package in the usual
location:

https://people.debian.org/~anarcat/debian/wheezy-lts/

The main reason for the update is to fix this:

https://security-tracker.debian.org/tracker/CVE-2018-1000132

But there's also a fix to a regression introduced in my previous upload
(deb7u5) that broke the test suite non-deterministically. In my tests,
the test suite now passes fairly reliably, but I haven't been able to
reproduce the failures in the first place, so I am not sure the fix is
complete. In particular, the package does not "remove
`tests/gpg/random_seed` in clean target" as recommended in
dla-needed.txt, as I wasn't sure what that implied. I did try to port
the patch provided in those notes, however, which should give better
results on that level.

This is a test package because it significantly changes the way the
Mercurial webserver handles requests, and I am worried it will cause
some problems. There *is* some (necessary) backwards-compatibility
breakage in the update anyways: extensions will, by default, have the
"push" permission which is denied without authentication, unless they
override that. I don't think it's impossible to work around that issue
while at the same time fixing the security vulnerability.

All feedback is welcome, as usual.

Thanks!

A.

