Configuring Mercurial Trust

1. Why am I getting this "not trusting file" message?

If you've seen a message like this, you're in the right place: 

Not trusting file /home/alice/repo/.hg/hgrc from untrusted user alice, group users

For security reasons, Mercurial only trusts hgrc files owned by the user running Mercurial. Settings from untrusted files will generally be ignored.

2. Why is this a security issue?

Imagine the following scenario:

If Bob's hg command trusted Alice's .hg/hgrc, then it could be tricked into loading and running whatever hooks, extensions, and so forth that Alice had configured. If Alice was malicious, she could set up a hook to give her access to Bob's account, read his mail, personal files, etc.

Instead, Mercurial ignores these settings, which means that hooks and extensions (malicious or not!) that Alice has enabled will be ignored.

3. What if I think Alice is trustworthy?

Users can add settings to their $HOME/hgrc to tell Mercurial to trust other users. For instance, if Bob has decided he can trust Alice not to try to delete his files when he looks at her repository, he could add: 

[trusted]
users = alice, carl, dan

Alternately, Bob can decide to trust a group of people (as specified in an operating system group) 

[trusted]
groups = dev-team

/!\ Only Bob can make Bob's Mercurial trust Alice. If Alice adds "users = alice" to her .hg/hgrc file, Bob's Mercurial will naturally ignore it as it doesn't trust those settings already.

/!\ Bob shouldn't do this unless he actually trusts Alice!

More info can be found in hgrc manpage.

4. I'm still confused, I'm getting this message in my webserver logs?

In this case, the user running your Apache server (such as apache, daemon, nobody or www-data) is Bob in our example and the user who owns the repository is Alice. In other words, the web server user doesn't trust the repository owner.

Once you've understood the security implications above, there are several possibilities for fixing this: