provision: don't pin certs, rely on Mercurial being configured correctly Bitbucket already has a trusted, valid certificate. If extra security is needed, it shouldn't be done in user's .hgrc anyway. And since repo is a variable now, it could be on a host that's not in [hostfingerprints].