revsets: passing a set to baseset() is not wrong Since 69c6e9623bdc (revset: force ascending order for baseset initialized from a set, 2016-04-04), it is safe to pass a revset to a baseset.

pyflakes: use pycompat.pickles to prevent error The pyflakes in my test box complain about pickle in pycompat. mercurial/pycompat.py:17: 'pickle' imported but unused

rebase: move local variable 'obsoletenotrebased' to the RR class

rebase: move restorestestatus function to be a method of the RR class

rebase: move local variables related to keeping things unchanged to the RR This commit moves the following variables, local to the rebase function to be fields of the rebaseruntime: -keepf -keepbranchesf -keepopen

rebase: move local variables 'date' and 'extrafns' to the RR class This commit moves the following variables, local to the rebase function to be fields of the rebaseruntime: -date -extrafns

rebase: move collapse-related local variables to the RR class This commit moves the following variables local to the 'rebase' function to be fields of the rebaseruntime class: -collapsef -collapsemsg

rebase: pass repo, ui and opts objects to the RR class constructor

check-code: build translation table for repquote in global for efficiency Rebuilding translation table (256 size) at each repquote() invocations is redundant. For example, this patch decreases user time of command invocation below from 18.297s to 13.445s (about -27%) on a Linux box. This command is main part of test-check-code.t. hg locate | xargs python contrib/check-code.py --warnings --per-file=0 This patch adds "_repquote" prefix to functions and variables factored out from repquote() to avoid conflict of name in the future.

check-code: detect "missing _() in ui message" more exactly Before this patch, "missing _() in ui message" rule overlooks translatable message, which starts with other than alphabet. To detect "missing _() in ui message" more exactly, this patch improves the regexp with assumptions below. - sequence consisting of below might precede "translatable message" in same string token - formatting string, which starts with '%' - escaped character, which starts with 'b' (as replacement of '\\'), or - characters other than '%', 'b' and 'x' (as replacement of alphabet) - any string tokens might precede a string token, which contains "translatable message" This patch builds an input file, which is used to examine "missing _() in ui message" detection, before '"$check_code" stringjoin.py' in test-contrib-check-code.t, because this reduces amount of change churn in subsequent patch. This patch also applies "()" instead of "_()" on messages below to hide false-positives: - messages for ui.debug() or debug commands/tools - contrib/debugshell.py - hgext/win32mbcs.py (ui.write() is used, though) - mercurial/commands.py - _debugchangegroup - debugindex - debuglocks - debugrevlog - debugrevspec - debugtemplate - untranslatable messages - doc/gendoc.py (ReST specific text) - hgext/hgk.py (permission string) - hgext/keyword.py (text written into configuration file) - mercurial/cmdutil.py (formatting strings for JSON)

revlog: add a fast path for "ambiguous identifier" Before fd1bb7c, if the C index.partialmatch raises RevlogError, the Python code raises "ambiguous identifier" error immediately, which is efficient. fd1bb7c took hidden revisions into consideration and forced the slow path enumerating the changelog to double-check hidden revisions. But it's not necessary if we know the revlog has no hidden revisions. This patch adds back the fast path for unfiltered revlogs.

import-checker: ensure cffi is always a system module I've had reports that this is not always happening, so whitelist it the way we whitelist other problem cases.

atomictempfile: add context manager support Close the file (moving it in place) on clean context exit, discard when there has been an exception.

atomictempfile: add read to the supported file operations

atomictempfile: remove test ordering These tests are independent and numbering only makes it harder to add more and logically group them.

atomictempfile: use a tempdir to keep the test environment clean Rather than pre-emptively delete a file, execute the test in a dedicated temporary directory that is removed after each test.

test-revset: show how inconsistent the ordering of compound expressions is This adds mostly broken tests that will be fixed by subsequent patches. We generally don't do that, but this patch series would be hard to review without a set of broken tests. Note that some tests pass thanks to the reordering problem in optimize(). For instance, '2:0 & _intlist(0 1 2)' doesn't fail because it is rewritten as '_intlist(0 1 2) & 2:0'.

i18n: translate abort messages I found a few places where message given to abort is not translated, I don't find any reason to not translate them.

hgweb: display blamed revision once per block in annotate view I.e. when a revision blames a block of source lines, only display the revision link on the first line of the block (this is identified by the "blockhead" key in annotate context). This addresses item "Visual grouping of changesets" of the blame improvements plan (https://www.mercurial-scm.org/wiki/BlamePlan) which states: "Typically there are block of lines all attributed to the same revision. Instead of rendering the revision/changeset for every line, we could only render it once per block."

hgweb: highlight data of the current revision in annotate view * Distinguish the /annotate/<revision>/<file>#<linenumber> link when it would lead to the current page (i.e. <revision> is the current revision) (style it gray and undecorated). This indicates more clearly that this is a "dead-end" in blame navigation. * Display lines changed in current revision in green.

bashcompletion: show available command-line switches for aliases When auto-completing hg commands, aliases are listed, but not the available switches for an alias, because `HGPLAIN=1` filters these out. Add a `HGPLAINEXCEPT=alias` exception to resolve this. We make heavy use of aliases that drive hg log with custom revsets, sorting and the -G switch, but want our users to be able to auto-complete any additional command-line switches.

py3: shift from __future__ import absolute import to beginning (issue5269)

pull: add help information about pulling active bookmark

templates: add support for search webcommand in json style

templates: add support for summary webcommand in json style Change summary webcommand to yield each element of the shortlog instead of the entire list. This makes generated json more readable since each entry can be formatted separately, instead of returning all the shortlog content in a single string.

templates: add support for filerevision webcommand in json style

templates: add support for filelog webcommand in json style Modify changelistentry structure to also deliver phase and branch data and use either 'parents' or 'allparents' depending on what is defined in the view, in order to reuse it in filelog structure.

largefiles: make cloning not ask two times about password (issue4883) Before this commit url.opener overwritten stored password for connection with given url/user even when new password for given connection was not filled. This commit makes opener overwrites saved authentication only when it contains password.

url: remember http password database in ui object This makes http password database stored in ui object. It allows reusing authentication information when we use this database for creating password manager for the new connection.

url: extract password database from password manager So far password manager was keeping authentication information so opening new connection and creating new password manager made all saved authentication information lost. This commit separates password manager and password database to make it possible to reuse saved authentication information. This commit violates code checker because it adds add_password method (name with underscore) to passwordmgr object to provide method required by urllib2.

bookmarks: add 'hg pull -B .' for pulling the active bookmark (issue5258)

demandimport: delay loading for "from a import b" with absolute_import Before this patch, "from a import b" doesn't delay loading module "b", if absolute_import is enabled, even though "from . import b" does. For example: - it is assumed that extension X has "from P import M" for module M under package P with absolute_import feature - if importing module M is already delayed before loading extension X, loading module M in extension X is delayed until actually referring util, cmdutil, scmutil or so of Mercurial itself should be imported by "from . import M" style before loading extension X - otherwise, module M is loaded immediately at loading extension X, even if extension X itself isn't used at that "hg" command invocation Some minor modules (e.g. filemerge or so) of Mercurial itself aren't imported by "from . import M" style before loading extension X. And of course, external libraries aren't, too. This might cause startup performance problem of hg command, because many bundled extensions already enable absolute_import feature. To delay loading module for "from a import b" with absolute_import feature, this patch does below in "from a (or .a) import b" with absolute_import case: 1. import root module of "name" by system built-in __import__ (referred as _origimport) 2. recurse down the module chain for hierarchical "name" This logic can be shared with non absolute_import case. Therefore, this patch also centralizes it into chainmodules(). 3. and fall through to process elements in "fromlist" for the leaf module of "name" Processing elements in "fromlist" is executed in the code path after "if _pypy: .... else: ..." clause. Therefore, this patch replaces "if _pypy:" with "elif _pypy:" to share it. At 4f1144c3c72b introducing original "work around" for "from a import b" case, elements in "fromlist" were imported with "level=level". But "level" might be grater than 1 (e.g. level=2 in "from .. import b" case) at demandimport() invocation, and importing direct sub-module in "fromlist" with level grater than 1 causes unexpected result. IMHO, this seems main reason of "errors for unknown reason" described in 4f1144c3c72b, and we don't have to worry about it, because this issue was already fixed by 78d05778907b. This is reason why this patch removes "errors for unknown reasons" comment.

import-checker: increase portability for python 2.6.x Before this patch, fromlocalfunc() assumes that "module" attribute of ast.ImportFrom is None for "from . import a", and Python 2.7.x satisfies this assumption. On the other hand, with Python 2.6.x, "module" attribute of ast.ImportFrom is an empty string for "from . import a", and this causes failure of test-check-module-imports.t.

scmutil: allow access to filecache descriptor on class To make it easier to patch the wrapped function, make it possible to access the filecache descriptor directly on the class (rather than have to use ClassObject.__dict__['attributename']). Returning `self` when the first argument to `__get__` is `None` makes the descriptor behave the same way `property` objects do.

rebase: do not abort if all changesets have equivalents in the destination

changegroup: don't send empty subdirectory manifest groups When grafting/rebasing, it is common for multiple changesets to make the same change to a subdirectory. When writing the revlog for the directory, the revlog code already takes care of not writing the entry again. In 0c2a088ffcc5 (changegroup: prune subdirectory dirlogs too, 2016-02-12), I added the corresponding code in changegroup (not sending entries the client already has), but I forgot to avoid sending the entire changegroup if no nodes remained in the pruned set. Although that's harmless besides the wasted network traffic, the receiving side was checking for it (copied from the changegroup code for handling files). This resulted in the client crashing with: abort: received dir revlog group is empty Fix by simply not emitting a changegroup for the directory if there were no changes is it. This matches how files are handled.

chg: ignore SIGINT while waiting pager termination Otherwise the terminal would be left with unclean state. This is what fcc4b55876c3 does.

chg: reset signal handlers to default before waiting pager Our signal handlers forward signals to the server process, but it will disappear soon after hgc_close(). So we should unregister handlers before hgc_close(). Otherwise chg would abort due to kill(perrpid, sig) failure. The problem is spotted by SIGWINCH while waiting pager termination.

help: document that [subpaths] may rewrite relative paths The subpaths substitution logic first attempts to match the absolute repository path, then the relative subrepository path if that failed.

doc: describe detail about checkambig optional argument This is followup for patches below, which add checkambig argument to existing function. - 731ced087a4b - 76f1ea360c7e - ce2d81aafbae - a109bf7e0dc2

ui: provide official way to reset internal state per command This will allow us to clear in-memory password storage per runcommand(). I've updated commandserver to call resetstate() of both ui and repo.ui because they may have different states in theory.

revset: extract function that validates sort() arguments This function will be used in _optimize() to get rid of noop sort() call while validating its arguments.

revset: build dict of extra sort options before evaluating set Prepares for extracting a function that only validates sort options.

revset: build list of (key, reverse) pairs before sorting Prepares for extracting a function that only validates sort options.

revset: fix crash on empty sort key Make it noop as before 2188f170f5b6. We could change it to an error, but allowing empty key makes some sense for scripting that builds a key string programmatically.

rebase: move local variable 'targetancestors' to the RR class

rebase: move local variable 'skipped' to the RR class

rebase: move local variable 'target' to the RR class

rebase: introduce a rebaseruntime (RR) class rebaseruntime is a class that will in future contain all of the state necessary to perform rebase operation and have pieces of rebase logic as its methods. This commit introduces the class and moves the following local variables to be its fields: - originalwd - external - state - activebookmark

chg: change default connect timeout to 60 seconds As discussed at https://www.mercurial-scm.org/pipermail/mercurial-devel/2016-June/085290.html The default 10-second timeout is not enough if the machine is overloaded. Let's increase it to 60 seconds.

tests: increase test-https malform error glob The recently introduced (ecc9b788fd690a0a) test around malformed pem files hard codes an error message which doesn't appear to be cross platform agnostic. On our machines (centos6 if it matters) the test output differs: - abort: error: unknown error* (glob) + abort: error: _ssl.c:330: error:00000000:lib(0):func(0):reason(0) This patch increases the glob to cover the entire error message.

largefiles: make storefactory._openstore public In storefactory opening store is the main functionality, so it shouldn't be marked as private with underscore.

bookmarks: abort 'push -B .' when no active bookmark

transaction: avoid ambiguity of file stat at restoring from backup In some cases below, copying from backup is used to restore original contents of a file, which is backuped via addfilegenerator(). If copying keeps ctime, mtime and size of a file, restoring is overlooked, and old contents cached before restoring isn't invalidated as expected. - failure of transaction (from '.hg/journal.backup.*') - rollback of previous transaction (from '.hg/undo.backup.*') To avoid ambiguity of file stat at restoring, this patch invokes util.copyfile() with checkambig=True. This patch is a part of "Exact Cache Validation Plan": https://www.mercurial-scm.org/wiki/ExactCacheValidationPlan

localrepo: make restoring from backup at rollback avoid ambiguity of file stat Rollback of previous transaction restores contents of files below by renaming from 'undo.*' file. If renaming keeps ctime, mtime and size of a file, restoring is overlooked, and old contents cached before restoring isn't invalidated as expected. - .hg/bookmarks - .hg/phaseroots To avoid ambiguity of file stat at restoring, this patch invokes vfs.rename() with checkambig=True. BTW, .hg/dirstate is also restored at rollback. But it is restored by dirstate.restorebackup(), and previous patch already made it invoke vfs.rename() with checkambig=True. This patch is a part of "Exact Cache Validation Plan": https://www.mercurial-scm.org/wiki/ExactCacheValidationPlan

dirstate: make restoring from backup avoid ambiguity of file stat File .hg/dirstate is restored by renaming from backup in failure inside scopes below. If renaming keeps ctime, mtime and size of a file, restoring is overlooked, and old contents cached before restoring isn't invalidated as expected. - dirstateguard scope (from '.hg/dirstate.SUFFIX') - transaction scope (from '.hg/journal.dirstate') To avoid ambiguity of file stat at restoring, this patch invokes vfs.rename() with checkambig=True. This patch is a part of "Exact Cache Validation Plan": https://www.mercurial-scm.org/wiki/ExactCacheValidationPlan

tests: drop a duplicated instruction

merge with stable

revset: add new topographical sort Sort revisions in reverse revision order but grouped by topographical branches. Visualised as a graph, instead of: o 4 | | o 3 | | | o 2 | | o | 1 |/ o 0 revisions on a 'main' branch are emitted before 'side' branches: o 4 | o 1 | | o 3 | | | o 2 |/ o 0 where what constitutes a 'main' branch is configurable, so the sort could also result in: o 3 | o 2 | | o 4 | | | o 1 |/ o 0 This sort was already available as an experimental option in the graphmod module, from which it is now removed. This sort is best used with hg log -G: $ hg log -G "sort(all(), topo)"

revset: move groupbranchiter over from graphmod This move is to prepare the adaptation of this function into a toposort predicate.

revset: record if a set is in topographical order A later revision adds actual topographical sorting. Recording if a set is in this order allows hg log -G to avoid re-sorting the revset.

chg: make timeout adjustable Before this patch, chg will give up when it cannot connect to the new server within 10 seconds. If the host has high load during that time, 10 seconds is not enough. This patch makes it adjustable using the CHGTIMEOUT environment variable.

chg: exec pager in child process Before this patch, chg uses the old pager behavior (pre 369741ef7253), which executes pager in the main process. The user will see the exit code of the pager, instead of the hg command. Like 369741ef7253, this patch fixes the behavior by executing the pager in the child process, and wait for it at the end of the main process.

tests: move chg pager test to test-pager.t The test is valid for both hg and chg. Since we are adding another chg-related pager test, let's put them together.

util: drop local aliases for md5, sha1, sha256, and sha512 This used to be needed to paper over hashlib not being in all Pythons we support, but that's not a problem anymore, so we can simplify things a little bit.

cleanup: replace uses of util.(md5|sha1|sha256|sha512) with hashlib.\1 All versions of Python we support or hope to support make the hash functions available in the same way under the same name, so we may as well drop the util forwards.

pathencode: use hashlib.sha1 directly instead of indirecting through util

revlog: use hashlib.sha1 directly instead of through util Also remove module-local _sha alias, which was barely used.

store: use hashlib.sha1 directly instead of through util Also remove module-local alias to _sha, since it's not used that much.

similar: delete extra newline at EOF Spotted by my emacs config that cleans up extra whitespace.

scmutil: delete extra newline at EOF Spotted by my emacs config that cleans up extra whitespace.

graphmod: avoid sorting when already sorted This is somewhat redundant now, but allows us to add a toposort that should not be re-sorted either.

sslutil: per-host config option to define certificates Recent work has introduced the [hostsecurity] config section for defining per-host security settings. This patch builds on top of this foundation and implements the ability to define a per-host path to a file containing certificates used for verifying the server certificate. It is logically a per-host web.cacerts setting. This patch also introduces a warning when both per-host certificates and fingerprints are defined. These are mutually exclusive for host verification and I think the user should be alerted when security settings are ambiguous because, well, security is important. Tests validating the new behavior have been added. I decided against putting "ca" in the option name because a non-CA certificate can be specified and used to validate the server certificate (commonly this will be the exact public certificate used by the server). It's worth noting that the underlying Python API used is load_verify_locations(cafile=X) and it calls into OpenSSL's SSL_CTX_load_verify_locations(). Even OpenSSL's documentation seems to omit that the file can contain a non-CA certificate if it matches the server's certificate exactly. I thought a CA certificate was a special kind of x509 certificate. Perhaps I'm wrong and any x509 certificate can be used as a CA certificate [as far as OpenSSL is concerned]. In any case, I thought it best to drop "ca" from the name because this reflects reality.

tests: add basic tests for SMTP over SSL SSL handling in mail.py wasn't covered by our test suite, therefore it was sometimes broken. This patch introduces pretty minimal tests that only cover the default path. We can extend it later. Tested with python 2.6.9 and 2.7.11 on Debian sid.

tests: add dummy SMTP daemon for SSL tests Currently it only supports SMTP over SSL since SMTPS should be simpler than handling StartTLS. Since we don't need asynchronous server for our tests, it does TLS handshake in blocking way. But asyncore is required by Python smtpd module.

tests: extract SSL certificates from test-https.t They can be reused in SMTPS tests.

check-code: make 'ls' pattern less invasive I got false positive at "--tls smtps --certificate ...".

largefiles: fix support for local largefiles while using share extension Prior to revision 2a3f24786d09, largefiles were saved in the local repository, even if it was using the share extension. After that change, all largefiles are now stored in the shared repository. However, the backward compatibility for existing largefiles already placed in the local repository was never tested, and has been broken since.

merge with stable

crecord: drop unused "operation" parameter from filterpatch function

patch: define full messages for interactive record/revert Followup 14eee72c8d52 to provide complete context for proper localization. Also update cmdutil.recordfilter docstring to remove recommendation that "operation" argument should be translated. Indeed, for record/revert, we either go to patch.filterpatch or crecord.filterpatch (in curses mode) ; the former now build the full ui message from the operation parameter and the latter does not use this parameter (removing in a followup patch). For shelve, operation is not specified and this thus falls back to "record".

hgweb: remove unused code in annotate web command

py3: conditionalize cPickle import by adding in util The cPickle is renamed to _pickle in python3 and this C extension is available in pickle which was not included in earlier versions. So imports are conditionalized to import cPickle in py2 and pickle in py3. Moreover the use of pickle in py2 is switched to cPickle as the C extension is faster. The hack is added in util.py and the modules import util.pickle

bdiff: remove effectively dead code Now that we extend matches backwards in the inner loop, the final adjustment has no effect. (A similar extension for the forward direction is trickier and has less benefit.)

bdiff: extend matches across popular lines For very large diffs that have large numbers of identical lines (JSON dumps) that also have large blocks of identical text, bdiff could become confused about which block matches which because it can only match very limited regions. The result is very large diffs for small sets of edits. The earlier recursion rebalancing fix made this behavior more frequent because it's now more prone to match block 1 to block 2. One frequent user of large JSON files reported being unable to pass the resulting diffs through their code review system. Prior to this change, bdiff would calculate the length of a match at (i, j) as 1 + length found at (i-1, j-1). With large number of popular (ignored) lines, this often meant matches couldn't be extended backwards at all and thus all matching regions were very small. Disabling the popularity threshold is not an option because it brings back quadratic behavior. Instead, we extend a match backwards until we either found a previously discovered match or we find a mismatching line. This thus successfully bridges over any popular lines inside and before a matching region. The larger regions then significant reduce the probability of confusion.

test-revset: fix test vector for ordering issue of matching() 592e0beee8b0 fixed matching() to preserve the order of the input set, but the test was incorrect. Given "A and B", "A" should be the input set to "B". But thanks to our optimizer, the test expression was rewritten as "(2 or 3 or 1) and matching(1 or 2 or 3)", therefore it was working well. Since I'm going to fix the overall ordering issue, the test needs to be adjusted to do the right thing.

largefiles: rename match_ to matchmod import in lfutil

largefiles: rename match_ to matchmod import in reposetup

largefiles: rename match_ to matchmod import in overrides

largefiles: rename match_ to matchmod import in lfcommands

py3: make largefiles/wirestore.py use absolute_import

py3: make largefiles/uisetup.py use absolute_import

py3: make largefiles/reposetup.py use absolute_import

py3: make largefiles/remotestore.py use absolute_import

py3: make largefiles/proto.py use absolute_import

py3: make largefiles/overrides.py use absolute_import

py3: make largefiles/localstore.py use absolute_import

py3: make largefiles/lfutil.py use absolute_import

py3: make largefiles/lfcommands.py use absolute_import

py3: make largefiles/basestore.py use absolute_import

py3: make largefiles/__init__.py use absolute_import

largefiles: move basestore._openstore into new module to remove cycle

revset: make filteredset.__nonzero__ respect the order of the filteredset This fix allows __nonzero__ to respect the direction of iteration of the whole filteredset. Here's the case when it matters. Imagine that we have a very large repository and we want to execute a command like: $ hg log --rev '(tip:0) and user(ikostia)' --limit 1 (we want to get the latest commit by me). Mercurial will evaluate a filteredset lazy data structure, an instance of the filteredset class, which will know that it has to iterate in a descending order (isdescending() will return True if called). This means that when some code iterates over the instance of this filteredset, the 'and user(ikostia)' condition will be first checked on the latest revision, then on the second latest and so on, allowing Mercurial to print matches as it founds them. However, cmdutil.getgraphlogrevs contains the following code: revs = _logrevs(repo, opts) if not revs: return revset.baseset(), None, None The "not revs" expression is evaluated by calling filteredset.__nonzero__, which in its current implementation will try to iterate the filteredset in ascending order until it finds a revision that matches the 'and user(..' condition. If the condition is only true on late revisions, a lot of useless iterations will be done. These iterations could be avoided if __nonzero__ followed the order of the filteredset, which in my opinion is a sensible thing to do here. The problem gets even worse when instead of 'user(ikostia)' some more expensive check is performed, like grepping the commit diff. I tested this fix on a very large repo where tip is my commit and my very first commit comes fairly late in the revision history. Results of timing of the above command on that very large repo. -with my fix: real 0m1.795s user 0m1.657s sys 0m0.135s -without my fix: real 1m29.245s user 1m28.223s sys 0m0.929s I understand that this is a very specific kind of problem that presents itself very rarely, only on very big repositories and with expensive checks and so on. But I don't see any disadvantages to this kind of fix either.

phases: make writing phaseroots file out avoid ambiguity of file stat Cached attribute repo._phasecache uses stat of '.hg/phaseroots' file to examine validity of cached contents. If writing '.hg/phaseroots' file out keeps ctime, mtime and size of it, change is overlooked, and old contents cached before change isn't invalidated as expected. To avoid ambiguity of file stat, this patch writes '.hg/phaseroots' file out with checkambig=True. This patch is a part of "Exact Cache Validation Plan": https://www.mercurial-scm.org/wiki/ExactCacheValidationPlan

dirstate: make writing branch file out avoid ambiguity of file stat Cached attribute dirstate._branch uses stat of '.hg/branch' file to examine validity of cached contents. If writing '.hg/branch' file out keeps ctime, mtime and size of it, change is overlooked, and old contents cached before change isn't invalidated as expected. To avoid ambiguity of file stat, this patch writes '.hg/branch' file out with checkambig=True. This patch is a part of "Exact Cache Validation Plan": https://www.mercurial-scm.org/wiki/ExactCacheValidationPlan

dirstate: make writing dirstate file out avoid ambiguity of file stat Cached attribute repo.dirstate uses stat of '.hg/dirstate' file to examine validity of cached contents. If writing '.hg/dirstate' file out keeps ctime, mtime and size of it, change is overlooked, and old contents cached before change isn't invalidated as expected. To avoid ambiguity of file stat, this patch writes '.hg/dirstate' file out with checkambig=True. The former diff hunk changes the code path for "dirstate.write()", and the latter changes the code path for "dirstate.savebackup()". This patch is a part of "Exact Cache Validation Plan": https://www.mercurial-scm.org/wiki/ExactCacheValidationPlan

bookmarks: make writing files out avoid ambiguity of file stat Cached attribute repo._bookmarks uses stat of '.hg/bookmarks' and '.hg/bookmarks.current' files to examine validity of cached contents. If writing these files out keeps ctime, mtime and size of them, change is overlooked, and old contents cached before change isn't invalidated as expected. To avoid ambiguity of file stat, this patch writes '.hg/bookmarks' and '.hg/bookmarks.current' files out with checkambig=True. This patch is a part of "Exact Cache Validation Plan": https://www.mercurial-scm.org/wiki/ExactCacheValidationPlan

transaction: avoid ambiguity of file stat at closing transaction Files below, which might be changed at closing transaction, are used to examine validity of cached properties. If changing keeps ctime, mtime and size of a file, change is overlooked, and old contents cached before change isn't invalidated as expected. - .hg/bookmarks - .hg/dirstate - .hg/phaseroots To avoid ambiguity of file stat, this patch writes files out with checkambig=True at closing transaction. checkambig becomes True only at closing (= 'not suffix'), because stat information of '.pending' file isn't used to examine validity of cached properties. This patch is a part of "Exact Cache Validation Plan": https://www.mercurial-scm.org/wiki/ExactCacheValidationPlan

util: add __ne__ to filestat class for consistency This is follow up for ca4065028e00, which introduced filestat class.

style: remove namespace class For better or worse, our coding do not use use class for pure namespacing. We remove the class introduced in a5009789960c.

style: don't use capital letter for constant For better or worse, our coding do not use all caps for constants. We rename constant name introduced in a5009789960c.

tests-subrepo-git: use "f" to dump pwned.txt, for portability Rather than sometimes using a complicated shell construct to dump pwned.txt (if it wasn't expected to exist, but might, if something were broken) or just cat (if it was expected to exist), just use the "f" utility, which will be consistent in its behavior across different platforms. Also make sure that *something* gets put into pwned.txt, even if we ended up typoing the message variable.

bundle2: don't assume ordering of heads checked after push Usually, the heads will have the same ordering in handlecheckheads. Insisting on the same ordering is however an unnecessary constraint that in some custom cases can cause pushes to fail even though the actual heads didn't change. This caused production issues for us in combination with the current version of https://bitbucket.org/Unity-Technologies/hgwebcachingproxy/ .

sslutil: print the fingerprint from the last hash used Before, we would always print the unprefixed SHA-1 fingerprint when fingerprint comparison failed. Now, we print the fingerprint of the last hash used, including the prefix if necessary. This helps ensure that the printed hash type matches what is in the user configuration. There are still some cases where this can print a mismatched hash type. e.g. if there are both SHA-1 and SHA-256 fingerprints in the config, we could print a SHA-1 hash if it comes after the SHA-256 hash. But I'm inclined to ignore this edge case. While I was here, the "section" variable assignment has been moved to just above where it is used because it is now only needed for this error message and it makes the code easier to read.

sslutil: make cert fingerprints messages more actionable The previous warning and abort messages were difficult to understand. This patch makes them slightly better. I think there is still room to tweak the messaging. And as we adopt new security defaults, these messages will certainly change again. But at least this takes us a step in the right direction. References to "section" have been removed because if no fingerprint is defined, "section" can never be "hostfingerprints." So just print "hostsecurity" every time.

sslutil: refactor code for fingerprint matching We didn't need to use a temporary variable to indicate success because we just return anyway. This refactor makes the code simpler. While we're here, we also call into formatfingerprint() to ensure the fingerprint from the proper hashing algorithm is logged.

sslutil: print SHA-256 fingerprint by default The world is starting to move on from SHA-1. A few commits ago, we gained the ability to define certificate fingerprints using SHA-256 and SHA-512. Let's start printing the SHA-256 fingerprint instead of the SHA-1 fingerprint to encourage people to pin with a more secure hashing algorithm. There is still a bit of work to be done around the fingerprint messaging. This will be addressed in subsequent commits.

sslutil: move and change warning when cert verification is disabled A short time ago, validatesocket() didn't know the reasons why cert verification was disabled. Multiple code paths could lead to cert verification being disabled. e.g. --insecure and lack of loaded CAs. With the recent refactorings to sslutil.py, we now know the reasons behind security settings. This means we can recognize when the user requested security be disabled (as opposed to being unable to provide certificate verification due to lack of CAs). This patch moves the check for certificate verification being disabled and changes the wording to distinguish it from other states. The warning message is purposefully more dangerous sounding in order to help discourage people from disabling security outright. We may want to add a URL or hint to this message. I'm going to wait until additional changes to security defaults before committing to something.

sslutil: add devel.disableloaddefaultcerts to disable CA loading There are various tests for behavior when CA certs aren't loaded. Previously, we would pass --insecure to disable loading of CA certs. This has worked up to this point because the error message for --insecure and no CAs loaded is the same. Upcoming commits will change the error message for --insecure and will change behavior when CAs aren't loaded. This commit introduces the ability to disable loading of CA certs by setting devel.disableloaddefaultcerts. This allows a testing backdoor to disable loading of CA certs even if system/default CA certs are available. The flag is purposefully not exposed to end-users because there should not be a need for this in the wild: certificate pinning and --insecure provide workarounds to disable cert loading/validation. Tests have been updated to use the new method. The variable used to disable CA certs has been renamed because the method is not OS X specific.

sslutil: store flag for whether cert verification is disabled This patch effectively moves the ui.insecureconnections check to _hostsettings(). After this patch, validatesocket() no longer uses the ui instance for anything except writing messages. This patch also enables us to introduce a per-host config option for disabling certificate verification.