Hi, I have uploaded a test version of the Mercurial package in the usual location:
https://people.debian.org/~anarcat/debian/wheezy-lts/ The main reason for the update is to fix this: https://security-tracker.debian.org/tracker/CVE-2018-1000132 But there's also a fix to a regression introduced in my previous upload (deb7u5) that broke the test suite non-deterministically. In my tests, the test suite now passes fairly reliably, but I haven't been able to reproduce the failures in the first place, so I am not sure the fix is complete. In particular, the package does not "remove `tests/gpg/random_seed` in clean target" as recommended in dla-needed.txt, as i wasn't sure what that implied. I did try to port the patch provided in those notes, however, which should give better results on that level. This is a test package because it significantly changes the way the Mercurial webserver handles requests, and I am worried it will cause some problems. There *is* some (necessary) backwards-compatibility breakage in the update anyways: extensions will, by default, have the "push" permission which is denied without authentication, unless they override that. I don't think it's impossible to work around that issue while at the same time fixing the security vulnerability. All feedback is welcome, as usual. Thanks! A.
