Gregory Szorc
unread,Oct 30, 2018, 5:19:52 PM10/30/18You do not have permission to delete messages in this group
Either email addresses are anonymous for this group or you need the view member email addresses permission to view the original message
to dev-platform, Firefox Dev, firef...@mozilla.com, dev-version-control, release-engineering, auto-...@mozilla.com
hg.mozilla.org's x509 server certificate (AKA an "SSL certificate") will
be rotated around 2018-10-31T17:00 UTC (10:00 PDT). That's less than 24
hours from now. Bug 1495464 tracks.
You may have the certificate's fingerprint pinned in your hgrc files.
Automated jobs may pin the fingerprint as well. *If you have the
fingerprint pinned, you will need to take action otherwise Mercurial will
refuse the connect to
hg.mozilla.org once the certificate is swapped.*
The easiest way to ensure your pinned fingerprint is up-to-date is to run
`mach vcs-setup` from a Mercurial checkout (it can be from an old
revision). If running Mercurial 3.9+ (which you should be in order to have
security fixes), both the old and new fingerprints will be pinned and the
transition will "just work." Otherwise you'll need to run `mach vcs-setup`
or take further action after the new certificate is installed. If a new
fingerprint is installed, run `mach vcs-setup` again after the transition
to remove the old fingerprint.
Fingerprints and details of the new certificate (including hgrc config
snippets you can copy) are located at
https://bugzilla.mozilla.org/show_bug.cgi?id=1495464#c6
<
https://bugzilla.mozilla.org/show_bug.cgi?id=1147548#c12>. From a
certificate level, this transition is pretty boring: just a standard
certificate renewal from the same CA.
The IRC channel for this operational change will be #vcs. Fallout in
Firefox CI should be discussed in #ci. Please track any bugs related to
this change against bug 1495464.