packaging: update dulwich to drop the certifi dependency on Windows The presence of `certifi` causes the system certificate store to be ignored, which was reported as a bug against TortoiseHg[1]. It was only pulled in on Windows because of `dulwich`, which was copied from the old TortoiseHg install scripts, in order to support `hg-git`. This version of `dulwich` raises the minimum `urllib3` to a version (1.25) that does certificate verification by default, without the help of `certifi`[2]. We already bundle a newer version of `urllib3`. Note that `certifi` can still be imported from the user site directory, if installed there. But the installer no longer disables the system certificates by default. [1] https://foss.heptapod.net/mercurial/tortoisehg/thg/-/issues/5825 [2] https://github.com/jelmer/dulwich/issues/1025

Address commentary in manifest.excludedmanifestrevlog.add -
specifically we should improve the collaboration with core so that
add() never gets called on an excluded directory and we can improve
the stand-in to raise a ProgrammingError.

Reason more completely about rename-filtering logic in
narrowfilelog. There could be some surprises lurking there.

Formally document the narrowspec format. For bonus points, unify with the
server-specified narrowspec format.

narrowrepo.setnarrowpats() or narrowspec.save() need to make sure
they're holding the wlock.

The follinwg places do an unrestricted dirstate walk (including files outside the
narrowspec). Some of them should perhaps not do that.

 * debugfileset
 * perfwalk
 * sparse (but restricted to sparse config)
 * largefiles