In Buildbot, we include specific fingerprints for servers that hg will talk to: https://github.com/mozilla/build-puppet/blob/master/modules/mercurial/templates/hgrc.erb#L32

hg.mozilla.org = af:27:b9:34:47:4e:e5:98:01:f6:83:2b:51:c9:aa:d8:df:fb:1a:27
s3-external-1.amazonaws.com = 44:ae:c0:4d:9e:8d:50:13:fc:c3:0c:27:8c:06:f0:53:8a:ad:d2:22
s3-us-west-2.amazonaws.com = ad:ab:0d:1e:fe:1c:78:5b:94:f9:76:b2:5a:12:51:9a:12:7b:66:a2
ftp-ssl.mozilla.org = 9d:8e:3e:7c:4a:33:6f:53:c6:64:a8:48:d3:ea:72:05:f0:73:a4:90

We should do the same in the desktop-build image (even at the expense of failures when one of those fingerprints changes..)
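As an added illustration (not code from the bug or from build-puppet) of what pinning those fingerprints buys: Mercurial compares the SHA-1 of the DER-encoded certificate a host presents against the pinned value, so a changed certificate fails closed rather than silently passing. The snippet below parses an hgrc fragment built from the four fingerprints above, validates that each is a well-formed 20-byte SHA-1 colon-hex string, and runs the same comparison. The `[hostfingerprints]` section header is an assumption about the legacy syntax the linked template uses; the DER bytes are a constructed stand-in, not a real certificate.

```python
import hashlib
import re
from typing import Dict

# Constructed sample hgrc text. The hostnames and SHA-1 fingerprints are the
# ones quoted in comment 0; the [hostfingerprints] section header is the
# legacy Mercurial syntax the linked template is assumed to use.
SAMPLE_HGRC = """
[hostfingerprints]
hg.mozilla.org = af:27:b9:34:47:4e:e5:98:01:f6:83:2b:51:c9:aa:d8:df:fb:1a:27
s3-external-1.amazonaws.com = 44:ae:c0:4d:9e:8d:50:13:fc:c3:0c:27:8c:06:f0:53:8a:ad:d2:22
s3-us-west-2.amazonaws.com = ad:ab:0d:1e:fe:1c:78:5b:94:f9:76:b2:5a:12:51:9a:12:7b:66:a2
ftp-ssl.mozilla.org = 9d:8e:3e:7c:4a:33:6f:53:c6:64:a8:48:d3:ea:72:05:f0:73:a4:90
"""

# A SHA-1 fingerprint is 20 bytes: "xx" followed by 19 ":xx" groups.
FP_RE = re.compile(r"^([0-9a-f]{2})(:[0-9a-f]{2}){19}$")


def parse_hostfingerprints(text: str) -> Dict[str, str]:
    """Return {hostname: fingerprint} from the [hostfingerprints] section,
    rejecting any entry that is not a well-formed SHA-1 colon-hex string."""
    pins: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("["):
            in_section = line == "[hostfingerprints]"
            continue
        if not in_section or "=" not in line:
            continue
        host, _, fp = line.partition("=")
        host, fp = host.strip().lower(), fp.strip().lower()
        if not FP_RE.match(fp):
            raise ValueError(f"malformed fingerprint for {host}: {fp}")
        pins[host] = fp
    return pins


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-1 of the DER-encoded certificate, colon-separated, as hg prints it."""
    digest = hashlib.sha1(der_cert).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_pin(pins: Dict[str, str], host: str, der_cert: bytes) -> str:
    """Return 'match', 'mismatch' or 'unpinned' for the presented certificate.
    'unpinned' is the case a pinned-only policy should also treat as a failure."""
    expected = pins.get(host.lower())
    if expected is None:
        return "unpinned"
    return "match" if cert_fingerprint(der_cert) == expected else "mismatch"


# Constructed stand-in for a DER certificate; real code would pass the bytes
# returned by ssl.SSLSocket.getpeercert(binary_form=True).
FAKE_DER = b"constructed-stand-in-for-a-der-certificate"

if __name__ == "__main__":
    pins = parse_hostfingerprints(SAMPLE_HGRC)
    print("presented:", cert_fingerprint(FAKE_DER))
    print("hg.mozilla.org:", check_pin(pins, "hg.mozilla.org", FAKE_DER))
```

Because the stand-in certificate cannot hash to the pinned value, the check reports a mismatch, which is exactly the "failure when one of those fingerprints changes" the comment accepts as the price of pinning; the parser's format validation catches the other common failure, a truncated or mistyped fingerprint that would otherwise never match anything.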
Note that we can ship an update to this much more quickly (in-tree!) than bug 1259457
Currently, hgrc is installed in the centos6-build image, but it should instead be installed in the desktop-build image. It should probably have some other things from the hgrc linked in comment 0, too.
Summary: desktop-build should have a secure .hgrc → desktop-build should have a better .hgrc
Greg, have your recent patches fixed this?
This is partially addressed in bug 1247168. However, I removed desktop-build from the scope of that bug because it's a bit of work. Let's keep this bug open for now. It will likely get duped to a to-be-filed bug tracking moving desktop-build off tc-vcs.
Builds now use the fingerprint from secrets.
Status: NEW → RESOLVED
Last Resolved: a year ago
Resolution: --- → FIXED