I'm considering whether to use the built-in hg serve or to bother with configuring it with apache etc. The mercurial server will be potentially running on either Debian or OS X 10.5
My main consideration is security, not performance nor even authentication.
Mercurial has patched two serious vulnerabilities. So if you have updated sense 2008 then you shouldn't worry. From a security perspective I'd worry about OSX it has a poor track record and its memory protection is very primitive. (Especially its ASLR implementation which is a joke.) The Debian 6 built on the FreeBSD kernel is a very good choice. (The Linux version is good too ;)
I'm not qualified enough to advise on security, but I can say I've been using http://www.lshift.net/mercurial-server.html which relies on SSH keys for read/write access (which you can control in a granular fashion) and that I'm very happy with it. It's not hard to set up.
