summary refs log tree commit diff
path: root/gnu
diff options
context:
space:
mode:
Diffstat (limited to 'gnu')
-rw-r--r--gnu/local.mk3
-rw-r--r--gnu/packages/patches/mercurial-openssl-compat.patch89
-rw-r--r--gnu/packages/version-control.scm34
3 files changed, 115 insertions, 11 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index b67dfac4e7..4e872e7cb0 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1510,7 +1510,8 @@ dist_patch_DATA =						\
   %D%/packages/patches/libmemcached-build-with-gcc7.patch	\
   %D%/packages/patches/libmhash-hmac-fix-uaf.patch		\
   %D%/packages/patches/libsigrokdecode-python3.9-fix.patch	\
-  %D%/packages/patches/mercurial-hg-extension-path.patch       \
+  %D%/packages/patches/mercurial-hg-extension-path.patch	\
+  %D%/packages/patches/mercurial-openssl-compat.patch		\
   %D%/packages/patches/mesa-opencl-all-targets.patch		\
   %D%/packages/patches/mesa-skip-tests.patch			\
   %D%/packages/patches/meson-allow-dirs-outside-of-prefix.patch	\
diff --git a/gnu/packages/patches/mercurial-openssl-compat.patch b/gnu/packages/patches/mercurial-openssl-compat.patch
new file mode 100644
index 0000000000..139356f285
--- /dev/null
+++ b/gnu/packages/patches/mercurial-openssl-compat.patch
@@ -0,0 +1,89 @@
+Tweak cipher selection to make TLS < 1.2 work with OpenSSL 3.
+
+Taken from Debian:
+
+  https://salsa.debian.org/python-team/packages/mercurial/-/blob/debian/master/debian/patches/openssl_3_cipher_tlsv1.patch
+
+--- a/mercurial/sslutil.py
++++ b/mercurial/sslutil.py
+@@ -117,17 +117,17 @@ def _hostsettings(ui, hostname):
+     ciphers = ui.config(b'hostsecurity', b'%s:ciphers' % bhostname, ciphers)
+ 
+     # If --insecure is used, we allow the use of TLS 1.0 despite config options.
+     # We always print a "connection security to %s is disabled..." message when
+     # --insecure is used. So no need to print anything more here.
+     if ui.insecureconnections:
+         minimumprotocol = b'tls1.0'
+         if not ciphers:
+-            ciphers = b'DEFAULT'
++            ciphers = b'DEFAULT:@SECLEVEL=0'
+ 
+     s[b'minimumprotocol'] = minimumprotocol
+     s[b'ciphers'] = ciphers
+ 
+     # Look for fingerprints in [hostsecurity] section. Value is a list
+     # of <alg>:<fingerprint> strings.
+     fingerprints = ui.configlist(
+         b'hostsecurity', b'%s:fingerprints' % bhostname
+@@ -621,17 +621,17 @@ def wrapserversocket(
+ 
+     # Improve forward secrecy.
+     sslcontext.options |= getattr(ssl, 'OP_SINGLE_DH_USE', 0)
+     sslcontext.options |= getattr(ssl, 'OP_SINGLE_ECDH_USE', 0)
+ 
+     # In tests, allow insecure ciphers
+     # Otherwise, use the list of more secure ciphers if found in the ssl module.
+     if exactprotocol:
+-        sslcontext.set_ciphers('DEFAULT')
++        sslcontext.set_ciphers('DEFAULT:@SECLEVEL=0')
+     elif util.safehasattr(ssl, b'_RESTRICTED_SERVER_CIPHERS'):
+         sslcontext.options |= getattr(ssl, 'OP_CIPHER_SERVER_PREFERENCE', 0)
+         # pytype: disable=module-attr
+         sslcontext.set_ciphers(ssl._RESTRICTED_SERVER_CIPHERS)
+         # pytype: enable=module-attr
+ 
+     if requireclientcert:
+         sslcontext.verify_mode = ssl.CERT_REQUIRED
+--- a/tests/test-https.t
++++ b/tests/test-https.t
+@@ -356,19 +356,19 @@ Start servers running supported TLS vers
+   $ cat ../hg1.pid >> $DAEMON_PIDS
+   $ hg serve -p $HGPORT2 -d --pid-file=../hg2.pid --certificate=$PRIV \
+   > --config devel.serverexactprotocol=tls1.2
+   $ cat ../hg2.pid >> $DAEMON_PIDS
+   $ cd ..
+ 
+ Clients talking same TLS versions work
+ 
+-  $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 --config hostsecurity.ciphers=DEFAULT id https://localhost:$HGPORT/
++  $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 --config hostsecurity.ciphers=DEFAULT:@SECLEVEL=0 id https://localhost:$HGPORT/
+   5fed3813f7f5
+-  $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 --config hostsecurity.ciphers=DEFAULT id https://localhost:$HGPORT1/
++  $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 --config hostsecurity.ciphers=DEFAULT:@SECLEVEL=0 id https://localhost:$HGPORT1/
+   5fed3813f7f5
+   $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT2/
+   5fed3813f7f5
+ 
+ Clients requiring newer TLS version than what server supports fail
+ 
+   $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
+   (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
+@@ -400,17 +400,17 @@ Clients requiring newer TLS version than
+ 
+   $ hg --config hostsecurity.minimumprotocol=tls1.2 id --insecure https://localhost:$HGPORT1/
+   warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
+   5fed3813f7f5
+ 
+ The per-host config option overrides the default
+ 
+   $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
+-  > --config hostsecurity.ciphers=DEFAULT \
++  > --config hostsecurity.ciphers=DEFAULT:@SECLEVEL=0 \
+   > --config hostsecurity.minimumprotocol=tls1.2 \
+   > --config hostsecurity.localhost:minimumprotocol=tls1.0
+   5fed3813f7f5
+ 
+ The per-host config option by itself works
+ 
+   $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
+   > --config hostsecurity.localhost:minimumprotocol=tls1.2
diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index 277ea2835b..cd84dfd0cc 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -1735,15 +1735,16 @@ execution of any hook written in any language before every commit.")
 (define-public mercurial
   (package
     (name "mercurial")
-    (version "5.8.1")
+    (version "6.2.1")
     (source (origin
              (method url-fetch)
              (uri (string-append "https://www.mercurial-scm.org/"
                                  "release/mercurial-" version ".tar.gz"))
-             (patches (search-patches "mercurial-hg-extension-path.patch"))
+             (patches (search-patches "mercurial-hg-extension-path.patch"
+                                      "mercurial-openssl-compat.patch"))
              (sha256
               (base32
-               "16xi4bmjqzi7ig8sfa5mnypfpbbbiyafmmqrs4nxmgc743za7fl1"))))
+               "1nl2726szaxyrxlyssrsir5c6vb4ci0i6g969i6xaahw1nidgica"))))
     (build-system gnu-build-system)
     (arguments
      `(#:make-flags
@@ -1753,13 +1754,11 @@ execution of any hook written in any language before every commit.")
          (delete 'configure)
          (add-after 'unpack 'patch-tests
            (lambda _
-             (substitute* '("tests/test-extdiff.t"
-                            "tests/test-logtoprocess.t"
-                            "tests/test-patchbomb.t"
-                            "tests/test-run-tests.t"
-                            "tests/test-transplant.t")
+             (substitute* (find-files "tests" "\\.(t|py)$")
                (("/bin/sh")
-                (which "sh")))))
+                (which "sh"))
+               (("/usr/bin/env")
+                (which "env")))))
          (replace 'check
            (lambda* (#:key tests? #:allow-other-keys)
              (with-directory-excursion "tests"
@@ -1770,6 +1769,12 @@ execution of any hook written in any language before every commit.")
                            ;; PATH from before (that's why we are building it!)?
                            "test-hghave.t"
 
+                           ;; This test creates a shebang spanning multiple
+                           ;; lines which is difficult to substitute.  It
+                           ;; only tests the test runner itself, which gets
+                           ;; thoroughly tested during the check phase anyway.
+                           "test-run-tests.t"
+
                            ;; These tests fail because the program is not
                            ;; connected to a TTY in the build container.
                            "test-nointerrupt.t"
@@ -1778,6 +1783,15 @@ execution of any hook written in any language before every commit.")
                            ;; FIXME: This gets killed but does not receive an interrupt.
                            "test-commandserver.t"
 
+                           ;; These tests get unexpected warnings about using
+                           ;; deprecated functionality in Python, but otherwise
+                           ;; succeed; try enabling for later Mercurial versions.
+                           "test-demandimport.py"
+                           "test-patchbomb-tls.t"
+                           ;; Similarly, this gets a more informative error
+                           ;; message from Python 3.10 than it expects.
+                           "test-http-bad-server.t"
+
                            ;; Only works when run in a hg-repo, not in an
                            ;; extracted tarball
                            "test-doctest.py"
@@ -1808,7 +1822,7 @@ execution of any hook written in any language before every commit.")
            ;; The following inputs are only needed to run the tests.
            python-nose unzip which))
     (inputs
-     (list python))
+     (list python-wrapper))
     ;; Find third-party extensions.
     (native-search-paths
      (list (search-path-specification