Mercurial uses the latest version of TLS that is both supported by
Python and the server.

In automation, the servers we care about should all support TLS 1.2.

The Python side is trickier. Modern versions of Python (typically 2.7.9+)
support TLS 1.1 and 1.2. Mercurial will default to allowing TLS 1.1+ -
explicitly disallowing TLS 1.0. However, legacy versions of Python
don't support TLS 1.1+, so Mercurial will allow TLS 1.0+ rather than
prevent connections at all.

TLS 1.0 is borderline secure these days. I think it is a bug for TLS
1.0 to be used anywhere in the Firefox release process. This simple
patch changes our default Mercurial config in TaskCluster to require
TLS 1.2+ for all https:// communications. For modern Python versions,
this effectively prevents potential downgrade attacks to TLS 1.1
(connections before should have negotiated the use of TLS 1.2).

I expect this change to break things. Finding and fixing automation
that isn't capable of speaking TLS 1.1+ should be encouraged.

MozReview-Commit-ID: 876YpL5vB3T
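
An added example, not part of the commit or of Mozilla's tooling: a small audit that reports which scopes of an hgrc still permit a protocol below TLS 1.2. It assumes the floor is set through Mercurial's `hostsecurity.minimumprotocol` option and its per-host `hostname:minimumprotocol` form; the sample configs and the hostname are constructed, and the unset defaults follow the behaviour described in the commit message above.

```python
import configparser

# Values Mercurial accepts for hostsecurity.minimumprotocol, weakest first.
ORDER = ["tls1.0", "tls1.1", "tls1.2"]

# Constructed sample configs (hostnames are placeholders).
SAMPLE_UNSET = "[ui]\nusername = ci\n"
SAMPLE_PINNED = (
    "[hostsecurity]\n"
    "minimumprotocol = tls1.2\n"
    "legacy.example.com:minimumprotocol = tls1.0\n"
)

def effective_minimums(hgrc_text, modern_python=True):
    """Map '*' (global) and each overridden hostname to its TLS floor."""
    # Only '=' is a delimiter: per-host keys contain ':' themselves.
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
    cp.read_string(hgrc_text)
    # Unset default per the commit message: 1.1+ on modern Python, else 1.0+.
    result = {"*": "tls1.1" if modern_python else "tls1.0"}
    if cp.has_section("hostsecurity"):
        for key, value in cp.items("hostsecurity"):
            value = value.strip().lower()
            if key == "minimumprotocol":
                result["*"] = value
            elif key.endswith(":minimumprotocol"):
                result[key.rsplit(":", 1)[0]] = value
    return result

def weak_scopes(hgrc_text, required="tls1.2", modern_python=True):
    """Return sorted (scope, protocol) pairs below `required`; unknown values fail closed."""
    floor = ORDER.index(required)
    found = effective_minimums(hgrc_text, modern_python)
    return sorted(
        (scope, proto) for scope, proto in found.items()
        if proto not in ORDER or ORDER.index(proto) < floor
    )

if __name__ == "__main__":
    for name, text in (("unset", SAMPLE_UNSET), ("pinned", SAMPLE_PINNED)):
        print(name, weak_scopes(text))
```

A per-host override can quietly reopen an older protocol for one server even when the global floor is TLS 1.2, which is why the audit reports each scope separately.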

This is a pretty straightforward change. Just bumping package versions
and hashes. Behavior should be almost identical to the previous 4.1.1+
packages.

MozReview-Commit-ID: CaVjM0JHYKi

We've been running Mercurial 3.9 in automation for a while. Mercurial
4.1 is out. It has the usual performance improvements and bug fixes,
making it an attractive upgrade. But what really makes it enticing
is support for zstandard compression over the wire protocol. This will
reduce server-side CPU load and make transfers between 4.1+ servers
faster.

So, let's upgrade to Mercurial 4.1.1.

The produced packages are built from the current tip of the
stable Mercurial branch, not exactly 4.1.1. Specifically, they
correspond to revision ed5b25874d99. I did this because there is
a patch in the stable branch that drastically improves performance
on repos with many heads. When 4.1.2 is released in a few days, we
can upgrade to it and do away with the one-off.

MozReview-Commit-ID: 6BPhVheHQXI

Apply a 2-character indent to in-tree tooltool manifests to make
them easier to read, and to make the formatting more consistent
so automating updates is simpler.

Modern editors will maintain JSON indentation. The only long
lines we have are already over 80 characters, so the extra space
shouldn't create new long lines.

Also update the Mercurial installer script to generate JSON with
the same indentation, even though its output is temporary.

Tooltool itself was updated to generate manifests with this
indentation in Bug 1325225.

MozReview-Commit-ID: DKj6nL9OENv