APPROVE COMMIT web
Due to a recent upgrade of Mercurial on Alioth, your Mercurial may be
complaining about an untrusted hgrc. This is a good thing in general,
because any hgrc file can contain executable code. However, in this
context, it's mostly an annoyance. This patch describes the issue on
the web site, and how to quiet Mercurial (and get the benefits of the
hgrc file).
Thanks to Mike Sperber for tracking this down and explaining it to me.
Index: ChangeLog
===================================================================
RCS file: /pack/xemacscvs/XEmacs/xemacsweb/ChangeLog,v
retrieving revision 1.285
diff -U0 -r1.285 ChangeLog
--- ChangeLog 15 Apr 2009 19:16:01 -0000 1.285
+++ ChangeLog 17 Apr 2009 13:02:37 -0000
@@ -0,0 +1,5 @@
+2009-04-17 Stephen J. Turnbull <stephen(a)xemacs.org>
+
+ * index.content (News): Document Mercurial upgrade and untrusted
+ user issue.
+
Index: Develop/ChangeLog
===================================================================
RCS file: /pack/xemacscvs/XEmacs/xemacsweb/Develop/ChangeLog,v
retrieving revision 1.111
diff -U0 -r1.111 ChangeLog
--- Develop/ChangeLog 24 Feb 2009 15:02:34 -0000 1.111
+++ Develop/ChangeLog 17 Apr 2009 13:02:38 -0000
@@ -0,0 +1,4 @@
+2009-04-17 Stephen J. Turnbull <stephen(a)xemacs.org>
+
+ * hgaccess.content (trusted-users): Document issue.
+
Index: index.content
===================================================================
RCS file: /pack/xemacscvs/XEmacs/xemacsweb/index.content,v
retrieving revision 1.189
diff -U0 -r1.189 index.content
--- index.content 15 Apr 2009 19:16:01 -0000 1.189
+++ index.content 17 Apr 2009 13:02:38 -0000
@@ -111,0 +112,8 @@
+ <dt><strong>2008-03-15</strong></dt>
+ <dd>
+ <p>Around this date, Debian upgraded Mercurial on Alioth (the
+ host for
hg.xemacs.org), and tightened security somewhat.
+ <a href="Develop/hgaccess.html#trusted-users">How to tell
+ Mercurial to trust a developer.</a>
+ </p>
+ </dd>
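Review bot: The `<dt>` date in this news item reads 2008-03-15, but the patch is dated 2009-04-17 and the commit message calls the Mercurial upgrade recent, so the year looks like a typo; please confirm whether 2009-03-15 was meant. The line beginning `hg.xemacs.org)` has also lost its leading `+`, apparently to mail wrapping, so the hunk as posted will not apply cleanly.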
Index: Develop/hgaccess.content
===================================================================
RCS file: /pack/xemacscvs/XEmacs/xemacsweb/Develop/hgaccess.content,v
retrieving revision 1.4
diff -U0 -r1.4 hgaccess.content
--- Develop/hgaccess.content 24 Jun 2008 07:03:05 -0000 1.4
+++ Develop/hgaccess.content 17 Apr 2009 13:02:38 -0000
@@ -11,0 +12,4 @@
+ <p>Debian has upgraded Mercurial, and security tightened somewhat.
+ <a href="#trusted-users">How to tell Mercurial to trust a
+ developer.</a></p>
+
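Review bot: The notice "Debian has upgraded Mercurial, and security tightened somewhat." carries no date, so it will read as current indefinitely on a page that is otherwise undated reference material. Consider giving the date as the index.content entry does, and making the second clause parallel ("and tightened security somewhat").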
@@ -40,0 +45,2 @@
+ <li><a href="#trusted-users">Trusting other
users</a></li>
+
@@ -299,0 +306,32 @@
+
+ <h3><a name="trusted-users">Do you have the paranoia
blues?</a></h3>
+
+ <p>
+ Recent versions of Mercurial have had their security
+ consciousness strengthened. Specifically, when another user has
+ committed an hgrc to the repository you're pulling from, you may
+ get a message that looks like
+ </p>
+
+ <pre> xml:space="preserve">
+remote: not trusting file hg/xemacs/xemacs/.hg/hgrc from untrusted user sperber-guest,
group xemacs
+ </pre>
+
+ <p>
+ In theory, Mike could cause execution of arbitrary code on your
+ box. But hey, what's to worry: you're already running Dired and
+ EFS, aren't you? Mike could have pwnzered you long ago, right?
+ So if you find that comforting, and you'd like to trust Mike,
+ run his workspace hgrc file in your xemacs workspace(s), and
+ incidentally suppress the warning, you can add
+ </p>
+
+ <pre> xml:space="preserve">
+[trusted]
+users = sperber-guest
+ </pre>
+
+ <p>
+ to your ~/.hgrc <strong>on alioth.debian.org</strong>. For more
+ information, see the Mercurial documentation.
+ </p>
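Review bot: The `[trusted]` / `users = sperber-guest` setting in the closing paragraphs goes into `~/.hgrc`, which is per-user rather than per-repository, so it trusts any hgrc owned by sperber-guest in every repository that account works with on alioth, not only "your xemacs workspace(s)" as the text says; the paragraph should state that scope so readers know what they are agreeing to. In the first paragraph, "committed an hgrc to the repository" is misleading, since the file named in the sample message is `.hg/hgrc`, which is not under version control; "installed an hgrc in the repository" would be accurate. Both `<pre> xml:space="preserve">` lines close the tag before the attribute, so the attribute text would render literally; they should read `<pre xml:space="preserve">`. The final sentence would be more useful with a link to the Mercurial documentation it refers to.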