gnu: mercurial: Update to 6.2.1.
* gnu/packages/version-control.scm (mercurial): Update to 6.2.1. [source](patches): Add patch for compatibility with OpenSSL 3.0. [arguments]: Patch /usr/bin/env and /bin/sh unconditionally in all tests. Disable four more tests. [inputs]: Change from PYTHON to PYTHON-WRAPPER. * gnu/packages/patches/mercurial-openssl-compat.patch: New file. * gnu/local.mk (dist_patch_DATA): Adjust accordingly.
parent
77c07d9a61
commit
997a51bee8
3 changed files with 115 additions and 11 deletions
|
@ -1510,7 +1510,8 @@ dist_patch_DATA = \
|
||||||
%D%/packages/patches/libmemcached-build-with-gcc7.patch \
|
%D%/packages/patches/libmemcached-build-with-gcc7.patch \
|
||||||
%D%/packages/patches/libmhash-hmac-fix-uaf.patch \
|
%D%/packages/patches/libmhash-hmac-fix-uaf.patch \
|
||||||
%D%/packages/patches/libsigrokdecode-python3.9-fix.patch \
|
%D%/packages/patches/libsigrokdecode-python3.9-fix.patch \
|
||||||
%D%/packages/patches/mercurial-hg-extension-path.patch \
|
%D%/packages/patches/mercurial-hg-extension-path.patch \
|
||||||
|
%D%/packages/patches/mercurial-openssl-compat.patch \
|
||||||
%D%/packages/patches/mesa-opencl-all-targets.patch \
|
%D%/packages/patches/mesa-opencl-all-targets.patch \
|
||||||
%D%/packages/patches/mesa-skip-tests.patch \
|
%D%/packages/patches/mesa-skip-tests.patch \
|
||||||
%D%/packages/patches/meson-allow-dirs-outside-of-prefix.patch \
|
%D%/packages/patches/meson-allow-dirs-outside-of-prefix.patch \
|
||||||
|
|
89
gnu/packages/patches/mercurial-openssl-compat.patch
Normal file
89
gnu/packages/patches/mercurial-openssl-compat.patch
Normal file
|
@ -0,0 +1,89 @@
|
||||||
|
Tweak cipher selection to make TLS < 1.2 work with OpenSSL 3.
|
||||||
|
|
||||||
|
Taken from Debian:
|
||||||
|
|
||||||
|
https://salsa.debian.org/python-team/packages/mercurial/-/blob/debian/master/debian/patches/openssl_3_cipher_tlsv1.patch
|
||||||
|
|
||||||
|
--- a/mercurial/sslutil.py
|
||||||
|
+++ b/mercurial/sslutil.py
|
||||||
|
@@ -117,17 +117,17 @@ def _hostsettings(ui, hostname):
|
||||||
|
ciphers = ui.config(b'hostsecurity', b'%s:ciphers' % bhostname, ciphers)
|
||||||
|
|
||||||
|
# If --insecure is used, we allow the use of TLS 1.0 despite config options.
|
||||||
|
# We always print a "connection security to %s is disabled..." message when
|
||||||
|
# --insecure is used. So no need to print anything more here.
|
||||||
|
if ui.insecureconnections:
|
||||||
|
minimumprotocol = b'tls1.0'
|
||||||
|
if not ciphers:
|
||||||
|
- ciphers = b'DEFAULT'
|
||||||
|
+ ciphers = b'DEFAULT:@SECLEVEL=0'
|
||||||
|
|
||||||
|
s[b'minimumprotocol'] = minimumprotocol
|
||||||
|
s[b'ciphers'] = ciphers
|
||||||
|
|
||||||
|
# Look for fingerprints in [hostsecurity] section. Value is a list
|
||||||
|
# of <alg>:<fingerprint> strings.
|
||||||
|
fingerprints = ui.configlist(
|
||||||
|
b'hostsecurity', b'%s:fingerprints' % bhostname
|
||||||
|
@@ -621,17 +621,17 @@ def wrapserversocket(
|
||||||
|
|
||||||
|
# Improve forward secrecy.
|
||||||
|
sslcontext.options |= getattr(ssl, 'OP_SINGLE_DH_USE', 0)
|
||||||
|
sslcontext.options |= getattr(ssl, 'OP_SINGLE_ECDH_USE', 0)
|
||||||
|
|
||||||
|
# In tests, allow insecure ciphers
|
||||||
|
# Otherwise, use the list of more secure ciphers if found in the ssl module.
|
||||||
|
if exactprotocol:
|
||||||
|
- sslcontext.set_ciphers('DEFAULT')
|
||||||
|
+ sslcontext.set_ciphers('DEFAULT:@SECLEVEL=0')
|
||||||
|
elif util.safehasattr(ssl, b'_RESTRICTED_SERVER_CIPHERS'):
|
||||||
|
sslcontext.options |= getattr(ssl, 'OP_CIPHER_SERVER_PREFERENCE', 0)
|
||||||
|
# pytype: disable=module-attr
|
||||||
|
sslcontext.set_ciphers(ssl._RESTRICTED_SERVER_CIPHERS)
|
||||||
|
# pytype: enable=module-attr
|
||||||
|
|
||||||
|
if requireclientcert:
|
||||||
|
sslcontext.verify_mode = ssl.CERT_REQUIRED
|
||||||
|
--- a/tests/test-https.t
|
||||||
|
+++ b/tests/test-https.t
|
||||||
|
@@ -356,19 +356,19 @@ Start servers running supported TLS vers
|
||||||
|
$ cat ../hg1.pid >> $DAEMON_PIDS
|
||||||
|
$ hg serve -p $HGPORT2 -d --pid-file=../hg2.pid --certificate=$PRIV \
|
||||||
|
> --config devel.serverexactprotocol=tls1.2
|
||||||
|
$ cat ../hg2.pid >> $DAEMON_PIDS
|
||||||
|
$ cd ..
|
||||||
|
|
||||||
|
Clients talking same TLS versions work
|
||||||
|
|
||||||
|
- $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 --config hostsecurity.ciphers=DEFAULT id https://localhost:$HGPORT/
|
||||||
|
+ $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 --config hostsecurity.ciphers=DEFAULT:@SECLEVEL=0 id https://localhost:$HGPORT/
|
||||||
|
5fed3813f7f5
|
||||||
|
- $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 --config hostsecurity.ciphers=DEFAULT id https://localhost:$HGPORT1/
|
||||||
|
+ $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 --config hostsecurity.ciphers=DEFAULT:@SECLEVEL=0 id https://localhost:$HGPORT1/
|
||||||
|
5fed3813f7f5
|
||||||
|
$ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT2/
|
||||||
|
5fed3813f7f5
|
||||||
|
|
||||||
|
Clients requiring newer TLS version than what server supports fail
|
||||||
|
|
||||||
|
$ P="$CERTSDIR" hg id https://localhost:$HGPORT/
|
||||||
|
(could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
|
||||||
|
@@ -400,17 +400,17 @@ Clients requiring newer TLS version than
|
||||||
|
|
||||||
|
$ hg --config hostsecurity.minimumprotocol=tls1.2 id --insecure https://localhost:$HGPORT1/
|
||||||
|
warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
|
||||||
|
5fed3813f7f5
|
||||||
|
|
||||||
|
The per-host config option overrides the default
|
||||||
|
|
||||||
|
$ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
|
||||||
|
- > --config hostsecurity.ciphers=DEFAULT \
|
||||||
|
+ > --config hostsecurity.ciphers=DEFAULT:@SECLEVEL=0 \
|
||||||
|
> --config hostsecurity.minimumprotocol=tls1.2 \
|
||||||
|
> --config hostsecurity.localhost:minimumprotocol=tls1.0
|
||||||
|
5fed3813f7f5
|
||||||
|
|
||||||
|
The per-host config option by itself works
|
||||||
|
|
||||||
|
$ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
|
||||||
|
> --config hostsecurity.localhost:minimumprotocol=tls1.2
|
|
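Review bot: `@SECLEVEL=0` in the `_hostsettings` hunk lifts every OpenSSL security-level restriction, not only the one that blocks TLS < 1.2, so it also admits weak ciphers, short keys and weak signature digests; the patch should say so next to the assignment. This page has lost the file's indentation, so confirm that `if not ciphers:` is still nested under `if ui.insecureconnections:` and that the relaxed string can never become the default for ordinary connections. I would add a comment such as `# OpenSSL 3 only negotiates TLS 1.0/1.1 at security level 0; reached only with --insecure and no configured ciphers`. The `wrapserversocket` hunk makes the same change under `if exactprotocol:`, which its existing comment describes as test-only. Both functions continue outside the hunks shown.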
@ -1735,15 +1735,16 @@ (define-public pre-commit
|
||||||
(define-public mercurial
|
(define-public mercurial
|
||||||
(package
|
(package
|
||||||
(name "mercurial")
|
(name "mercurial")
|
||||||
(version "5.8.1")
|
(version "6.2.1")
|
||||||
(source (origin
|
(source (origin
|
||||||
(method url-fetch)
|
(method url-fetch)
|
||||||
(uri (string-append "https://www.mercurial-scm.org/"
|
(uri (string-append "https://www.mercurial-scm.org/"
|
||||||
"release/mercurial-" version ".tar.gz"))
|
"release/mercurial-" version ".tar.gz"))
|
||||||
(patches (search-patches "mercurial-hg-extension-path.patch"))
|
(patches (search-patches "mercurial-hg-extension-path.patch"
|
||||||
|
"mercurial-openssl-compat.patch"))
|
||||||
(sha256
|
(sha256
|
||||||
(base32
|
(base32
|
||||||
"16xi4bmjqzi7ig8sfa5mnypfpbbbiyafmmqrs4nxmgc743za7fl1"))))
|
"1nl2726szaxyrxlyssrsir5c6vb4ci0i6g969i6xaahw1nidgica"))))
|
||||||
(build-system gnu-build-system)
|
(build-system gnu-build-system)
|
||||||
(arguments
|
(arguments
|
||||||
`(#:make-flags
|
`(#:make-flags
|
||||||
|
@ -1753,13 +1754,11 @@ (define-public mercurial
|
||||||
(delete 'configure)
|
(delete 'configure)
|
||||||
(add-after 'unpack 'patch-tests
|
(add-after 'unpack 'patch-tests
|
||||||
(lambda _
|
(lambda _
|
||||||
(substitute* '("tests/test-extdiff.t"
|
(substitute* (find-files "tests" "\\.(t|py)$")
|
||||||
"tests/test-logtoprocess.t"
|
|
||||||
"tests/test-patchbomb.t"
|
|
||||||
"tests/test-run-tests.t"
|
|
||||||
"tests/test-transplant.t")
|
|
||||||
(("/bin/sh")
|
(("/bin/sh")
|
||||||
(which "sh")))))
|
(which "sh"))
|
||||||
|
(("/usr/bin/env")
|
||||||
|
(which "env")))))
|
||||||
(replace 'check
|
(replace 'check
|
||||||
(lambda* (#:key tests? #:allow-other-keys)
|
(lambda* (#:key tests? #:allow-other-keys)
|
||||||
(with-directory-excursion "tests"
|
(with-directory-excursion "tests"
|
||||||
|
@ -1770,6 +1769,12 @@ (define-public mercurial
|
||||||
;; PATH from before (that's why we are building it!)?
|
;; PATH from before (that's why we are building it!)?
|
||||||
"test-hghave.t"
|
"test-hghave.t"
|
||||||
|
|
||||||
|
;; This test creates a shebang spanning multiple
|
||||||
|
;; lines which is difficult to substitute. It
|
||||||
|
;; only tests the test runner itself, which gets
|
||||||
|
;; thoroughly tested during the check phase anyway.
|
||||||
|
"test-run-tests.t"
|
||||||
|
|
||||||
;; These tests fail because the program is not
|
;; These tests fail because the program is not
|
||||||
;; connected to a TTY in the build container.
|
;; connected to a TTY in the build container.
|
||||||
"test-nointerrupt.t"
|
"test-nointerrupt.t"
|
||||||
|
@ -1778,6 +1783,15 @@ (define-public mercurial
|
||||||
;; FIXME: This gets killed but does not receive an interrupt.
|
;; FIXME: This gets killed but does not receive an interrupt.
|
||||||
"test-commandserver.t"
|
"test-commandserver.t"
|
||||||
|
|
||||||
|
;; These tests get unexpected warnings about using
|
||||||
|
;; deprecated functionality in Python, but otherwise
|
||||||
|
;; succeed; try enabling for later Mercurial versions.
|
||||||
|
"test-demandimport.py"
|
||||||
|
"test-patchbomb-tls.t"
|
||||||
|
;; Similarly, this gets a more informative error
|
||||||
|
;; message from Python 3.10 than it expects.
|
||||||
|
"test-http-bad-server.t"
|
||||||
|
|
||||||
;; Only works when run in a hg-repo, not in an
|
;; Only works when run in a hg-repo, not in an
|
||||||
;; extracted tarball
|
;; extracted tarball
|
||||||
"test-doctest.py"
|
"test-doctest.py"
|
||||||
|
@ -1808,7 +1822,7 @@ (define-public mercurial
|
||||||
;; The following inputs are only needed to run the tests.
|
;; The following inputs are only needed to run the tests.
|
||||||
python-nose unzip which))
|
python-nose unzip which))
|
||||||
(inputs
|
(inputs
|
||||||
(list python))
|
(list python-wrapper))
|
||||||
;; Find third-party extensions.
|
;; Find third-party extensions.
|
||||||
(native-search-paths
|
(native-search-paths
|
||||||
(list (search-path-specification
|
(list (search-path-specification
|
||||||
|
|
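Review bot: `test-patchbomb-tls.t` and `test-http-bad-server.t` join the skipped list in the same commit that patches cipher selection in `mercurial/sslutil.py`, so the check phase loses TLS and HTTP coverage just where behaviour changed. The added comments attribute the failures to unexpected Python deprecation warnings and a more informative Python 3.10 error message. Recording the exact text, for example `;; DeprecationWarning: <warning text> (seen with Python 3.10)`, would let a later update tell whether each skip is still needed. `test-https.t` appears to stay enabled, judging by the list lines visible here, but the skip list begins outside the hunks shown, so verify that against the full file.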