./devel/py-mercurial, Fast, lightweight source control management system



Branch: CURRENT, Version: 4.6.1, Package name: py27-mercurial-4.6.1, Maintainer: wiz

Mercurial is a free, distributed source control management tool.
It efficiently handles projects of any size and offers an easy and
intuitive interface.

Mercurial efficiently handles projects of any size and kind. Every
clone contains the whole project history, so most actions are local,
fast and convenient. Mercurial supports a multitude of workflows
and you can easily enhance its functionality with extensions.

It is easy to learn: You can follow our simple guide to learn how
to revision your documents with Mercurial, or just use the quick
start to get going instantly. A short overview of Mercurial's
decentralized model is also available.

And it just works: Mercurial strives to deliver on each of its
promises. Most tasks simply work on the first try and without
requiring arcane knowledge.


Required to run:
[devel/py-curses] [lang/python27]

Required to build:
[archivers/unzip] [pkgtools/cwrappers]

Master sites:

SHA1: df2bb1487e6a64c7321a93767baf43c6ca1e9b5f
RMD160: a9dd32a52d7b46f81d27d89625004b8f09c83552
Filesize: 6257.207 KB

CVS history:


   2018-07-03 07:03:44 by Adam Ciarcinski | Files touched by this commit (495)
Log message:
extend PYTHON_VERSIONS_ for Python 3.7
   2018-06-17 13:24:12 by Thomas Klausner | Files touched by this commit (12) | Package removed
Log message:
py-mercurial: update to 4.6.1.

Mercurial 4.6.1 (2018-06-06)

This is a regularly-scheduled bugfix release that also contains security fixes.

1.1. Security Fixes

Multiple issues found in mpatch.c with a fuzzer:

    OVE-20180430-0001
    OVE-20180430-0002
    OVE-20180430-0004

With the following fixes:

    mpatch: be more careful about parsing binary patch data (SEC)
    mpatch: protect against underflow in mpatch_apply (SEC)
    mpatch: ensure fragment start isn't past the end of orig (SEC)
    mpatch: fix UB in int overflows in gather() (SEC)
    mpatch: fix UB integer overflows in discard() (SEC)
    mpatch: avoid integer overflow in mpatch_decode (SEC)
    mpatch: avoid integer overflow in combine() (SEC)

No exploits are known at the time, however, it is highly recommended that all
users upgrade.

1.2. Bug Fixes

Also included in this release are the following,

    zstandard: pull in bug fixes from upstream 0.9.1 (issue5884)
    bundle2: fix old clients from reading newer format (issue5872)
    bdiff: fix xdiff long/int64 conversion (issue5885)
    push: continue without locking on lock failure other than EEXIST (issue5882)
    lfs: fix crash in command server (issue5902)
    hghave: fix deadlock in test runner
    rebase: fix error when computing obsoletenotrebased (issue5907)
    rebase: prioritize indicating an interrupted rebase over update (issue5838)
    revset: pass in lookup function to matchany() (issue5879)
   2018-05-25 15:04:56 by Joerg Sonnenberger | Files touched by this commit (11)
Log message:
Make bundles compatible with older hg versions. Bump revision.
   2018-05-20 12:23:02 by Thomas Klausner | Files touched by this commit (3) | Package updated
Log message:
py-mercurial: update to 4.6.

Mercurial 4.6 release

1. New Features

1.1. pullbundles

Pullbundles allow the server to answer client requests using
pre-built bundles. This is different from the existing clonebundle
feature:

    pullbundles can be used for both the initial clone and later pull operations
    pullbundles can be used incrementally, i.e. to cover the changes up to the start of the current month as one bundle and the remaining changes as second bundle
    the bundle is transferred inline as part of the existing connection without a secondary server

Pullbundles are only used for clients running Mercurial 4.6 as
well.

1.2. push

If 'server.streamunbundle' option is enabled, the server will
directly apply the changes sent by the changes. This avoids
potentially large temporary files on the server side. It can also
prevent concurrent pushes.

1.3. notify extension

The 'maxdiffstat' option can be used to truncate long file lists
similar to 'maxdiff' for the patch part of the email.

1.4. hgweb

hgweb now shows date and user for operations that resulted in
obsolete commit(s). For unstable commits, it shows the exact reason
why they are considered unstable.

Server: header is now configurable using web.server-header option.

1.5. templates

A new template keyword 'reporoot' which shows the root directory
of the current repository. A new template function 'mailmap' which
maps author fields based on values in a .mailmap file.

2. Backwards Compatibility Changes

    Support for connecting to Mercurial servers older than 0.9.1 has been removed.
    Working-directory commands now respect "-X PATTERN" no matter if PATTERN matches explicitly-specified FILEs. For example, "hg add foo -X foo" no longer adds the file "foo".
    Support for the experimental manifestv2 format has been removed, as it was never completed and failed to meet expectations.
    '{' in output filename passed to archive/cat/export is taken as a start of a template expression.
    The HTTP wire protocol server no longer accepts the "cmd" argument to control which command to run via HTTP POST bodies. The "cmd" argument must be specified on the URL query string.
    Hgweb no longer reads form data in POST requests from multipart/form-data and application/x-www-form-urlencoded requests. Arguments should be specified as URL path components or in the query string in the URL instead.
    Query string shorts in hgweb like "?cs=@" have been removed. Use URLs of the form "/:cmd" instead.
    The HTTP client no longer accepts text/plain and application/hg-changegroup Content-Type values as a valid Mercurial command response. These should only be encountered on pre 1.0 Mercurial servers.

3. Performance Improvements

    'hg manifest --all' is likely slower due to changing its implementation to respect storage interface boundaries. If you are impacted by this regression in a meaningful way, please make noise on the development mailing list and it can be dealt with.
    'hg diff' is much faster for larger repositories. 40% improvements have been reported. Other operations using diffs like hgweb also benefit.

4. Bug Fixes

    grep: fixes erroneous output of grep in forward order (issue3885)
    dirstate: drop explicit files that shouldn't match (BC) (issue4679)
    procutil: rewrite popen() as a subprocess.Popen wrapper (issue4746) (API)
    bookmarks: test for exchanging long bookmark names (issue5165)
    templater: drop symbols which should be overridden by new 'ctx' (issue5612)
    clone: updates the help text for hg clone -{r,b} (issue5654)
    bundle: updates the help text for hg bundle (issue5744)
    histedit: make histedit's commands accept revsets (issue5746)
    releasenotes: replace abort with warning while parsing (issue5775)
    context: skip path conflicts by default when clearing unknown file (issue5776)
    templatekw: switch most of showlist template keywords to new API (issue5779)
    rebase: do not consider extincts for divergence detection (issue5782)
    revert: use an exact matcher in interactive diff selection (issue5789)
    subrepo: don't attempt to share remote sources (issue5793)
    lfs: respect narrowmatcher when testing to add 'lfs' requirement (issue5794)
    showconfig: allow multiple section.name selectors (issue5797)
    annotate: do not poorly split lines at CR (issue5798)
    convert: avoid closing ui.fout in subversion code (issue5807)
    setdiscovery: back out changeset 5cfdf6137af8 (issue5809)
    fsmonitor: layer on another hack in bser.c for os.stat() compat (issue5811)
    notify: access the initial revision on an unfiltered repository (issue5821)
    rebase: fix issue 5494 also with --collapse
    date: fixed a bug in parsing months like 'Feb 2018', 'Apr 2018'
    diffhelper: rename module to avoid conflicts with ancient C module (issue5846)
    infinitepush: ensure fileindex bookmarks use '/' separators (issue5840)
    import: fix crash on --exact check of empty commit (issue5702)
    hgweb: reuse body file object when hgwebdir calls hgweb (issue5851)
    debugcolor: fix crash by empty styles (issue5856)
    hgweb: discard Content-Type header for 304 responses (issue5844)
    hgweb: allow Content-Security-Policy header on 304 responses (issue5844)
    paper: don't register click handlers with inline javascript (issue5812)
    httppeer: detect redirect to URL without query string (issue5860)
    filelog: don't crash on invalid copy metadata (issue5748)

5. New experimental features

Each release there are a lot of new features added which are hidden
under the EXPERIMENTAL tag as the behavior may change in future or
the feature is not complete yet. The experimental features added
in this cycle are:

5.1. narrow extension

Allows to create clones which fetch history data for only a subset
of files. This experimental extension is now distributed with
Mercurial.

5.2. remotenames extension

Shows remotebookmarks and remotebranches in the UI. This experimental
extension is now distributed with Mercurial.

5.3. infinitepush extension

Allows to store some pushes in a remote blob store on the server
and to serve commits from remote blob store. The revisions are
stored on disk or in everstore, the metadata are stored in sql or
on disk. This experimental extension is now distributed with
Mercurial.

5.4. fix extension

Allows to rewrite file content in changesets or working copy. For
example, automatically applying formatting fixes to modified lines
of code. This experimental extension is now distributed with
Mercurial.

6. Other notable features

    revset: parse error now shows a hint where the error occurred
    templates: parse error now shows a hint where the error occurred
    forget: new '--dry-run' and '--interactive' flags
    copyfile: preserve stat info (mtime, etc.) when doing copies/renames
    bundle2 format is documented and can be found using 'hg help internals.bundle2'
   2018-04-17 13:31:00 by Thomas Klausner | Files touched by this commit (2) | Package updated
Log message:
py-mercurial: update to 4.5.3.

This is a regularly-scheduled bugfix release.

1.1. Bug Fixes

    rebase: on abort, don't strip commits that didn't need to be rebased (issue5822)
    hgweb: garbage collect on every request
    amend: abort if unresolved merge conflicts found (issue5805)
   2018-03-25 10:02:47 by Thomas Klausner | Files touched by this commit (2) | Package updated
Log message:
py-mercurial: update to 4.5.2.

Mercurial 4.5.1 / 4.5.2 (2018-03-06)

(4.5.2 was released immediately after 4.5.1 to fix a release
oversight.)

This is a regularly-scheduled bugfix release.

1.1. Security Fixes

All versions of Mercurial prior to 4.5.2 have vulnerabilities in
the HTTP server that allow permissions bypass to:

    Perform writes on repositories that should be read-only
    Perform reads on repositories that shouldn't allow read access

The nature of the vulnerabilities is:

    Wire protocol commands that didn't explicitly declare their
    permissions had no permissions checking done. The web.{allow-pull,
    allow-push, deny_read, etc} config options governing access
    control were never consulted when running these commands. This
    allowed permissions bypass for impacted commands.

    The batch wire protocol command did not list its permission
    requirements nor did it enforce permissions on individual
    sub-commands.

The implication of these vulnerabilities is that no permissions
checking was performed on commands and this could lead to accessing
data that web.* config options were supposed to prevent access to
or modifying data (via wire protocol commands that can mutate data)
without authorization. A Mercurial HTTP server in its default
configuration is supposed to be read-only. However, a well-crafted
batch command could invoke commands that perform writes.

The batch write permissions bypass has been present since Mercurial
1.9. The flaw of not checking permissions for wire protocol commands
that don't declare their needed permissions has been present since
Mercurial 1.0.

Assuming you are running a server without any custom commands
provided by extensions, your exposure is unauthorized data access
(if relying on the web.* config options to limit access) and
unauthorized data mutation via the batch command.

Server operators can detect unauthorized use of the batch command
by looking for requests to URLs of the form repo?cmd=batch with
arguments containing pushkey or unbundle. This may produce false
positives. A more comprehensive check would decode the argument
string and verify that pushkey or unbundle are command names (not
values). The arguments specified via x-hgarg-<N> request headers
can span multiple headers. So advanced attackers could hide the
vulnerability by splitting a pushkey or unbundle string across
multiple headers. So the only reliable way to detect if this
vulnerability is being exploited is to decode these headers like
Mercurial does. The format for specifying arguments is documented
at
https://www.mercurial-scm.org/repo/hg/f … l.txt#l26.
Python code for decoding headers is at
https://www.mercurial-scm.org/repo/hg/f … ol.py#l70.

Mercurial 4.5.2 fixes these vulnerabilities by:

    Performing permissions checking on all wire protocol commands,
    not just commands that list their permissions.

    Checking permissions on sub-commands issued to the batch command.

Wire protocol commands not declaring wire protocol permissions will
be assumed to be read-write commands and a server in its default
configuration (which only allows read-only access), will refuse to
execute these commands.

For package maintainers needing to backport the fixes, the relevant
changesets from 4.5.2 are 2c647da851ed::2ecb0fc535b1. These can be
viewed online at e.g.
https://www.mercurial-scm.org/repo/hg/rev/2ecb0fc535b1. The author
of these commits has backports to 4.4 and 4.3 on a personal fork
at https://hg.mozilla.org/users/gszorc_mozilla.com/hg. The backports
for 4.4 are a4843835c835::7cf827e5f8af and for 4.3 are
db527ae12671::86f9a022ccb8. To obtain these changesets, run e.g.
hg pull -r 7cf827e5f8af https://hg.mozilla.org/users/gszorc_mozilla.com/hg.

1.2. Backwards Compatibility Changes

    The "batch" wire protocol command now enforces permissions of
    each invoked sub-command. Wire protocol commands must define
    their operation type or the "batch" command will assume they
    can write data and will prevent their execution on HTTP servers
    unless the HTTP request method is POST, the server is configured
    to allow pushes, and the (possibly authenticated) HTTP user is
    authorized to perform a push.
    Wire protocol commands not defining their operation type in
    "wireproto.PERMISSIONS" are now assumed to be used for "push"
    operations and access control to run those commands is now
    enforced accordingly.

1.3. Bug Fixes

    fileset: don't abort when running copied() on a revision with a removed file
    date: fix parsing months

    setup: only allow Python 3 from a source checkout (issue5804)

    annotate: do not poorly split lines at CR (issue5798)

    subrepo: don't attempt to share remote sources (issue5793)
    subrepo: activate clone pooling to enable sharing with remote URLs
    changegroup: do not delta lfs revisions
    revlog: do not use delta for lfs revisions
    revlog: resolve lfs rawtext to vanilla rawtext before applying delta
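
Added example (not part of the commit message above and not Mercurial's own code): the detection check described in the 4.5.2 security notes, comparing a raw substring match with a check that decodes the arguments first. It assumes X-HgArg-<N> header values are concatenated in numeric order and parsed as a URL-encoded string, and that the batch "cmds" argument is a ';'-separated list of "name args" entries; arguments carried in a request body are not covered. The function names and sample requests are constructed for illustration.

```python
from urllib.parse import parse_qs, urlsplit

# The two sub-command names the advisory says to look for.
WRITE_COMMANDS = {"pushkey", "unbundle"}

def joined_hgargs(headers):
    """Concatenate X-HgArg-1, X-HgArg-2, ... in numeric order (assumed format)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    chunks, i = [], 1
    while f"x-hgarg-{i}" in lowered:
        chunks.append(lowered[f"x-hgarg-{i}"])
        i += 1
    return "".join(chunks)

def batch_command_names(url, headers):
    """Sub-command names of a cmd=batch request; [] for any other request."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if query.get("cmd") != ["batch"]:
        return []
    # Arguments may sit in the query string or in the joined headers.
    args = parse_qs(joined_hgargs(headers), keep_blank_values=True)
    names = []
    for cmds in query.get("cmds", []) + args.get("cmds", []):
        for entry in cmds.split(";"):      # assumed: entries separated by ';'
            name = entry.split(" ", 1)[0]  # assumed: name precedes first space
            if name:
                names.append(name)
    return names

def write_subcommands(url, headers):
    """Decoded check: pushkey/unbundle used as command names."""
    return sorted(WRITE_COMMANDS.intersection(batch_command_names(url, headers)))

def naive_hit(url, headers):
    """Substring check on each raw field, as a log grep would do."""
    fields = [url, *headers.values()]
    return any(w in f for w in WRITE_COMMANDS for f in fields)

# Constructed sample requests (URL, headers); not taken from real logs.
READ_ONLY = ("/repo?cmd=batch", {"X-HgArg-1": "cmds=heads+%3Bknown+nodes%3D"})
NAME_AS_VALUE = ("/repo?cmd=batch", {"X-HgArg-1": "cmds=lookup+key%3Dpushkey"})
SPLIT_NAME = ("/repo?cmd=batch", {"X-HgArg-1": "cmds=heads+%3Bpush",
                                  "X-HgArg-2": "key+namespace%3Dx"})

if __name__ == "__main__":
    for label, (url, hdrs) in [("read-only", READ_ONLY),
                               ("name-as-value", NAME_AS_VALUE),
                               ("split-name", SPLIT_NAME)]:
        print(label, naive_hit(url, hdrs), write_subcommands(url, hdrs))
```

The second sample is the false positive the notes mention (the name appears only as a value), and the third is the case a per-header substring match misses.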
   2018-03-14 18:42:28 by Thomas Klausner | Files touched by this commit (2)
Log message:
py-mercurial: revert unintended commit
   2018-03-14 18:41:28 by Thomas Klausner | Files touched by this commit (2)
Log message:
devel/Makefile: + p5-PerlX-Maybe