Is there some way to verify downloads of the mercurial software? The website provides no checksums or signatures, nor does it provide the ability to use https to download the software. Here's the link to the page where I downloaded the software from.
Update: Mercurial now lives at https://www.mercurial-scm.org.
Previously:
You need to download the full repository (from http://selenic.com/hg).
Matt Mackall, the author and maintainer signs releases with his pgp key. selenic.com is also a domain he owns and has been using since more than a decade.
Related
I know it is not possible to create Mercurial repositories remotely using HTTP(S), for instance:
$ hg init https://host.org/repos/project
or
$ hg clone /path/to/local/project https://host.org/repos/project
But, what's the reason? Security issues? No need for it? Simply because nobody has implemented it yet?
Rationale for this question: In my company we share most resources via HTTPS, i.e. access permissions are managed by Apache only and regular users cannot login via SSH on the server. That's just perfect as long as repositories need to be served only (for that purpose we are happy with hgwebdir.cgi). However, we also want to allow the remote creation of repos, without the need to maintain additional/patched scripts on the server and extra tools on clients.
To be clear: This question does not ask for solutions to our particular problem but for the reason why Mercurial does not support this feature itself.
UPDATE
Here's a more technical description of the situation I'm thinking of. Supposed hgwebdir.cgi serves a collection of repositories in /path/to/repos at https://.../repos (with pushing enabled). Every user allowed to access this URL (as configured in Apache) may pull and push changesets, effectively this means that hgwebdir.cgi (and thus hg) edits and creates files below /path/to/repos. Now, what's the barrier in letting hgwebdir.cgi also create new repositories below /path/to/repos?
I think the reason is that adding support for creating repositories will bring in a fair amount of baggage:
if you can create repositories you would expect to be able to delete them. While that might seem simple, it would be a big step away from the safe manner in which Mercurial normally works -- there is no destructive commands in standard Mercurial.
people would also want to edit the .hg/hgrc files to set the description and contact information -- standard Mercurial never changes the config files, so this would again be a new thing.
people would also want to manage users' access to the new repositories -- this means editing .htaccess files or the equivalent for other webservers.
... and so on. Implementing this "little" feature will open up for a lot of extra feature requests and we only have a few Mercurial developers that are also sawy web developers.
However, there is now an excellent open source solution: Kallithea gives you a "mini-Bitbucket" that you can deploy on your own server. It will do all of the above. I would install that on my server if I needed something more powerful than plain hgweb.cgi. It supports both Mercurial and Git.
As far as I know, none of the SCM alternatives allow the creation of remote repositories natively. SVN, CVS, Git, et al.
That's usually the job of a hosting provider: SourceForge, Google Code, BitBucket. All of them implement the repository creation on top of their authetication infrastructure.
For example, Debian's Mercurial hosting is limited to Debian Developers, and to create a new repository you need to login via SSH to the server and create the repository on your local home folder, much like Apache's public_html directory.
Various answers (including your own) give some pretty good reasons why the functionality isn't there (separation of concerns mostly), but if you really want to add it you could do so with just a line or two of shell. Here's a hideously unsafe example I gave quite a while ago showing how to add that funcionality in high trust environments: Remote Repository Creation in Mercurial over HTTP
At the company where I work we are using hg as (d)vcs.
Most of the repositories in use are kept in a cenralized space and served via hgweb.
For ease of use and better user experiance (and overview) I like to have something like gitorious (github, bitbucket).
It should allow
hg as backend (or else I'd install gitorious...)
local installation (not per developer, but locally on our site / not hosted)
easy (web-based) repository-creation
personal forking (cloning, but keeping the new repo physically on the same server)
merge requests
A good tool is RhodeCode that serves Mercurial. It looks really good, has user management, grouping, LDAP integration hook control and some graphing options.
The current release (1.3.x) supports git repositories.
You should make this decision looking at the PublishingRepositories wiki page.
My preferred solution is to use the hg-ssh script that already comes with your mercurial install. It makes it very easy to give multiple people ssh access without creating a separate system account for each, and without giving them shell access. It's very easily configured in the .ssh/authorized_keys file of the single shared user.
Repository creation isn't web-based, but it's very easy and personal forking is completely supported:
hg clone ssh://shared#server/main/repo ssh://shared#server/my-personal/repo
I then set up the hgweb script that comes with mercurial to provide a read-only view, and rely on ssh:// for all writes (though hgweb also does writes / push just fine).
If you really think web based repo creation is easier than one-line ssh-based creation I've previously written a stupidly simple script to do so:
http://ry4an.org/unblog/UnBlog/2009-09-17
Someone is going to suggest "mercurial server", and I'd recommend against it. It's not current and never added much value over ssh.
BitBucket.
They are the official HG host, and are actually very good.
I'm completely biased, since I'm a developer on it, but Kiln does a very good job helping you create and manage repositories. It also has code reviews and is commercially supported. You can install on your own server, or Fog Creek will host it for you.
I'm trying to propose switching from CVS and SVN to Mercurial at work. Before I do, I'd like to have any foreseeable questions answered.
How can I set up a repository to allow push and authenticate users?
I'm more familiar with administering SVN, and in SVN it was just a few lines like:
[users]
userA = passwordA
userB = passwordB
And then for permissions it was like:
[general]
userA = write
userB = read
I would really like something like svnserve that allowed me to circumvent using a full-blown apache, since all I need is a central location for pushing change sets. I know that Mercurial doesn't necessarily require a central location, but I think it would be convenient in my workplace.
Thanks!
Try using SCM Manager. It works well for Mercurial. It has a built-in HTTP/HTTPS server and allows you to manage authentication. The only requirement is Java.
http://www.scm-manager.org
https://bitbucket.org/sdorra/scm-manager
Briefly, to setup Mercurial with authentication:
Follow the Getting Started Guide here. If you're using Windows, be sure to use
scm-server\bin\scm-server.bat
to start SCM Manager.
Click on Repository Types > Mercurial Settings > Start Configuration Wizard > Select: Download and Install to install the Mercurial plugin for SCM Manager.
Be patient, downloading takes a while.
When it's finished installing, the screen will go back to the Repository Config window. Restart SCM Manager. After you restart and you should now be able to create and host Mercurial repositories over HTTP.
Double check security: General > Config and uncheck Allow Anonymous Access.Security > Users and deactivate anonymous.
You can also use SCM Manager to host Git and SVN repositories as well.
Mercurial Server is an awesome solution, which I've used on a few occasions.
As #nlucaroni mentioned in the comment, one option is using SSH authentication. It allows authenticated pull and push. We use it in our company together with Apache-hosted HTTP access for anonymous pull-only repositories. See the "ssh" solution at the Publishing Mercurial Repositories.
You can try the textauth extension. Please give it a go and send some feedback to Mercurial mailing list, then perhaps you will see it integrated into a coming release of Mercurial.
I would like to have a mercurial repository on my website so that I can push/pull as I make updates to it, but I do not have SSH access, only HTTP or FTP.
Can this be done?
I suspect no, since I would not be able to run hg on the server, so I would only be able to clone it.
Yeah, this can definitely be done. You don't need ssh access to install mercurial or to access it. You compile it on your own system and then FTP up the resulting file. The only real requirement is that the website to which you upload it allow CGI applications to run. Without that you're limited to the static-http repositories, which don't support pushing.
You're correct. If you can't install software, you could use the static-http option, but it only supports cloning/pulling. See the comparison of publishing mechanisms.
You can setup hgweb to allow pushes.
I'm also using only FTP to update my site, but I keep all the files in a local Mercurial repo (you could use a repository on bitbucket - they have a free plan that includes 1 private repo and 1 GB of available space). When you need to add/update something, apply the
changes locally, update the Mercurial repo, and then use FTP to update the website.
I'm setting up a centrally hosted Mercurial repository. I would like to be able to define only a small set of users that are able to access that repository (maybe 3 or 4) - what do I need to write in the .hg/hgrc file that in order to make it work like this?
thanks, P
Mercurial doesn't provide a user authentication system -- that has to come from something else. However, it does provide an authorization system that uses the "who" answer from the external authentication system to decide what that "who" can do.
Popular external authentication systems include:
HTTP authentication as provided by your web server (Apache, etc.)
SSH authentication as provided by sshd
file system level user authentication as provided by your operating system
Note: hg serve does not have an authentication system, so it's not usable w/ per-user access controls
Accessing mercurial (either its web interface or its command line interface) through one of those systems, properly configured, provided mercurial with the answer to "who?".
Once Mercurial learns who is making the request then the allow_push and allow_read settings in the repository's .hg/hgrc file will determine what that who can do.
So the how of setting this up depends on what means of access you're using, which is what Callahad was asking.
If you are sharing the repository through the Mercurial web interface, then read the Web interface configuration section of the hgrc man page.