In Buildbot, we include specific fingerprints for servers that hg will talk to: https://github.com/mozilla/build-puppet/blob/master/modules/mercurial/templates/hgrc.erb#L32
    hg.mozilla.org = af:27:b9:34:47:4e:e5:98:01:f6:83:2b:51:c9:aa:d8:df:fb:1a:27
    s3-external-1.amazonaws.com = 44:ae:c0:4d:9e:8d:50:13:fc:c3:0c:27:8c:06:f0:53:8a:ad:d2:22
    s3-us-west-2.amazonaws.com = ad:ab:0d:1e:fe:1c:78:5b:94:f9:76:b2:5a:12:51:9a:12:7b:66:a2
    ftp-ssl.mozilla.org = 9d:8e:3e:7c:4a:33:6f:53:c6:64:a8:48:d3:ea:72:05:f0:73:a4:90
We should do the same in the desktop-build image (even at the expense of failures when one of those fingerprints changes..)
Note that we can ship an update to this much more quickly (in-tree!) than bug 1259457
Currently, hgrc is installed in the centos6-build image, but it should instead be installed in the desktop-build image. It should probably have some other things from the hgrc linked in comment 0, too.
Greg, have your recent patches fixed this?
This is partially addressed in bug 1247168. However, I removed desktop-build from the scope of that bug because it's a bit of work. Let's keep this bug open for now. It will likely get duped to a to-be-filed bug tracking moving desktop-build off tc-vcs.
Builds now use the fingerprint from secrets.
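The pinning described in the first comment, as an added example that is not part of the bug thread or of Mozilla's build code: it parses a Mercurial `[hostfingerprints]` section, computes the SHA-1 fingerprint of a certificate's DER bytes in the same colon-separated form, and fails closed on a mismatch. The host name `hg.example.invalid`, the certificate bytes and the function names are constructed for illustration.

```python
import configparser
import hashlib

# Constructed stand-in for a server certificate's DER bytes (not a real certificate).
SAMPLE_DER = b"constructed certificate bytes for hg.example.invalid"

def hg_fingerprint(der: bytes) -> str:
    """SHA-1 over the DER certificate, as colon-separated hex pairs."""
    digest = hashlib.sha1(der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def load_pins(hgrc_text: str) -> dict:
    """Return {host: 40-char hex} from [hostfingerprints]; reject malformed pins."""
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.read_string(hgrc_text)
    pins = {}
    if parser.has_section("hostfingerprints"):
        for host, value in parser.items("hostfingerprints"):
            hexval = value.replace(":", "").strip().lower()
            if len(hexval) != 40 or any(c not in "0123456789abcdef" for c in hexval):
                raise ValueError(f"malformed fingerprint for {host}")
            pins[host] = hexval
    return pins

def check_host(host: str, der: bytes, pins: dict) -> str:
    """'match', 'mismatch' (the build should fail), or 'unpinned' (no entry)."""
    expected = pins.get(host.lower())
    if expected is None:
        return "unpinned"
    actual = hg_fingerprint(der).replace(":", "")
    return "match" if actual == expected else "mismatch"

# Constructed hgrc fragment; the host name is a placeholder.
SAMPLE_HGRC = f"""
[hostfingerprints]
hg.example.invalid = {hg_fingerprint(SAMPLE_DER)}
"""

if __name__ == "__main__":
    pins = load_pins(SAMPLE_HGRC)
    print(check_host("hg.example.invalid", SAMPLE_DER, pins))         # pinned certificate
    print(check_host("hg.example.invalid", SAMPLE_DER + b"x", pins))  # certificate changed
    print(check_host("other.example.invalid", SAMPLE_DER, pins))      # host has no pin
```

A "mismatch" result is the failure mode the first comment accepts: when a pinned server's certificate changes, the pin has to be updated before builds pass again.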