`mach mercurial-setup` does an `hg pull` from hg.mozilla.org to obtain the
version-control-tools repository, which is where most of the logic for
`mach mercurial-setup` lives (because we have a nice testing harness in
version-control-tools). `mach mercurial-setup` doesn't pin the hash when
invoking `hg pull` because to do so would require vendoring the hash in the
repo and that means if you ran `mach mercurial-setup` on an old revision,
the pinned hash would be guaranteed to be incorrect and the connection
would always fail. We /could/ hardcode the certificate expiration date and
refuse to pin when it is known expired. But if we rotate the cert early,
you're back to a pinned cert failure. Security is hard.

As of a week ago, `mach mercurial-setup` doesn't pin certs if Python +
Mercurial is secure, where "secure" means Mercurial 3.9 and a Python that
can speak modern TLS foo (which sadly many Python installations do not
support, including the system Python on OS X). So unless you are the super
paranoid type who doesn't trust your trusted CA bundle, you can delete the
pinned fingerprints from your hgrc. If `mach mercurial-setup` thinks your
Python+Mercurial is insecure, it will re-add them.

On Fri, Sep 30, 2016 at 12:23 PM, Ralph Giles <gi...@mozilla.com> wrote:

> The change was announced here and on firefox-dev a few weeks ago. See
> for example https://groups.google.com/d/msg/mozilla.dev.platform/LOC83qKUPfk/cZtmaEbOAwAJ
>
> It might be nice if `mach mercurial-setup` did this kind of update?
>
>  -r
>
> On Fri, Sep 30, 2016 at 12:18 PM, ISHIKAWA,chiaki <ishik...@yk.rim.or.jp>
> wrote:
> > In the last few days, hg.mozilla.org certificate fingerprint seems to have
> > changed.
> > I noticed this because the trial to update local copy of mozilla-central
> > repository within C-C repository failed due to
> >
> > m-central/mozilla', 'https://hg.mozilla.org/mozilla-central/']
> > pulling from https://hg.mozilla.org/mozilla-central/
> > abort: certificate for hg.mozilla.org has unexpected fingerprint
> > 73:7f:ef:ab:68:0f:49:3f:88:91:f0:b7:06:69:fd:8f:f2:55:c9:56
> > (check hostfingerprint configuration)
> >
> > But I did not see any announcement of this change.
> > (It is possible that I missed it during a hectic schedule during a trip).
> >
> > However, it is great to see a posting of such major infra change in advance,
> > especially security-related one.
> >
> > Finally, I bit the bullet and changed it, but checked bugzilla
> > just in case, and found
> > https://bugzilla.mozilla.org/show_bug.cgi?id=1305909
> > which seems to be related.
> >
> > Automation is nice, but I still would like to see an announcement of server
> > certificate change in advance.
> >
> > TIA
> >
> >
> > _______________________________________________
> > dev-platform mailing list
> > dev-platform@lists.mozilla.org
> > https://lists.mozilla.org/listinfo/dev-platform
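The check discussed in this thread, as an added example that is not code from `mach mercurial-setup` or from any poster: it lists the fingerprints pinned for a host in an hgrc, reports which ones no longer match what the server presents, and applies the stated "Mercurial 3.9 plus modern TLS" criterion for dropping pins. The sample hgrc and its pinned value are constructed, the function names are hypothetical, the hgrc is assumed to be plain INI without `%include` lines, and TLS 1.2 support is assumed to stand in for "modern TLS".

```python
import configparser
import ssl

# Constructed sample hgrc; the pinned value is a made-up placeholder.
SAMPLE_HGRC = """\
[ui]
username = Example User <user@example.com>
[hostfingerprints]
hg.mozilla.org = 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33
"""
# Fingerprint the server presented, copied from the abort message in the thread.
PRESENTED_SHA1 = "73:7f:ef:ab:68:0f:49:3f:88:91:f0:b7:06:69:fd:8f:f2:55:c9:56"


def _norm(fp):
    """Split 'sha256:AA:BB' into (algorithm, lowercase hex); bare values are SHA-1."""
    fp = fp.strip().lower()
    algo = "sha1"
    for prefix in ("sha1:", "sha256:", "sha512:"):
        if fp.startswith(prefix):
            algo, fp = prefix[:-1], fp[len(prefix):]
            break
    return algo, fp.replace(":", "")


def pinned_fingerprints(hgrc_text, host):
    """Return [(section, algorithm, hex)] for every pin configured for host."""
    # '=' is the only delimiter so the 'host:fingerprints' key survives parsing.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.read_string(hgrc_text)
    pins = []
    for section, key in (("hostfingerprints", host), ("hostsecurity", host + ":fingerprints")):
        if cp.has_option(section, key):
            pins += [(section,) + _norm(v) for v in cp.get(section, key).split(",")]
    return pins


def stale_pins(hgrc_text, host, presented):
    """Pins that differ from the presented fingerprint of the same algorithm."""
    seen = dict(_norm(p) for p in presented)
    return [p for p in pinned_fingerprints(hgrc_text, host)
            if p[1] in seen and seen[p[1]] != p[2]]


def can_drop_pins(hg_version, modern_tls=None):
    """The thread's criterion: Mercurial >= 3.9 and a Python with modern TLS."""
    if modern_tls is None:  # assumption: TLS 1.2 support stands in for "modern TLS"
        modern_tls = hasattr(ssl, "PROTOCOL_TLSv1_2")
    return tuple(hg_version) >= (3, 9) and bool(modern_tls)
```

A non-empty `stale_pins` result for a host is the condition that produces the "unexpected fingerprint" abort quoted above; the fingerprint to compare against should come from a source you trust, not from the failing connection alone.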