Urgh ... one of the required patches includes a binary for the test suite. So, that's going to be fun to include. However, I don't see any (simple) way around it given current versions of mercurial apparently don't even produce the type of changelog necessary to demonstrate the corruption.
** Description changed: + [ Impact ] + + The version of mercurial currently in noble includes a serious + regression that is capable of corrupting a repository. + + [ Test Plan ] + + This utilizes the inlined changelog example from the test suite because + current versions of mercurial do not produce inlined changelogs, hence + this is the simplest means of verifying the fix. + + On a fully updated noble instance: + + * sudo apt install mercurial + * wget https://repo.mercurial-scm.org/hg/raw-file/3cf9e52f5e27/tests/bundles/inlined-changelog.tar + * tar xf inlined-changelog.tar + * cd inlined-changelog + * cat > .hg/hgrc << EOF + [hooks] + pretxnclose=hg log -r tip -T "pre-txn tip rev: {rev}\n" + EOF + * touch foo + * hg add foo + * hg commit -m foo + * hg verify + + At this point, hg verify should show "3 integrity errors encountered!" + in its output. + + Now update to the version of mercurial in -proposed and repeat the + procedure above. This time, hg verify should output no indications of + corruption. + + [ Regression Potential ] + + The patches included in the upload are only those required to fix the + regression, and to handle compatibility with Python 3.12.5 (see LP: + #2076152). The patches include a good test suite, parts of which are + referenced in the test plan above which includes before and after + versions to demonstrate we are actually fixing something. The patches + are directly from upstream and already incorporated into future versions + (which already exist in the development series). + + Regressions are still possible, but the comprehensive test suite + included in the package, and the test plan above, should give us some + confidence. + + [ Original Description ] + From mailing list [email protected]: Hello all, Monday evening we got a report from a user about a critical bug that can destroy the changelog of repositories. The bug is in Mercurial 6.7 only and affects repositories with low number of revisions that currently have an inlined changelog and are configured with some pretxn hooks. We will try yank releases 6.7.1, 6.7.2 and 6.7.3 from Pypi as soon as possible and have published a 6.7.4 that addresses this issue. Since this is the packaging list, I urge you to also remove those versions from your package builds and switch to 6.7.4. You can find more info in the release notes and the changesets mentioned: https://wiki.mercurial-scm.org/Release6.7 If you were affected by this bug, there is a chance that you can recover your lost index by restoring it from undo.backup.00changelog.i.bck. Thank you and sorry for the trouble, Raphaël Please update package soon as possible! Affected: Ubuntu 24.04+ These issues are fixed in 24.10. SRU: We backport the 6.7.4 release to 24.04. - * SRU: LP: #2076152 - * Backport the upstream .3 and .4 bug fix releases to 24.04 LTS. - LP: #2070443. - * Add threading and _weakrefset to the list of modules which can't be - lazy imported. Fixes startup in Python 3.12.5 and 3.13.0rc1. - * Skip test for hg serve profiling, broken with python 3.12. - * Adjust test-lfs-serve-access.t expected output to account to new - variation. + * SRU: LP: #2076152 + * Backport the upstream .3 and .4 bug fix releases to 24.04 LTS. + LP: #2070443. + * Add threading and _weakrefset to the list of modules which can't be + lazy imported. Fixes startup in Python 3.12.5 and 3.13.0rc1. + * Skip test for hg serve profiling, broken with python 3.12. + * Adjust test-lfs-serve-access.t expected output to account to new + variation. All changes in the packaging are already in 24.10. Validation: the package builds (succeeding all tests), and the autopkg tests succeed). -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2070443 Title: SRU: Fix critical regression in Mercurial 6.7.x < 6.7.4 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/mercurial/+bug/2070443/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
