Unsorted Notes¶

GitHub¶
Fedora:
sudo dnf install -y hub
Download a pull request:
git checkout -b pr104
git am -3 https://github.com/python/cpython/pull/104
URLs:
- Add ?w=1 in a pull request to ignore whitespace changes
- Add .patch to a pull request to get the change as a unified diff
- In a message, <details> ... </details> creates a drop-down
vim for developer¶
In these examples, I’m using Mercurial with the command “hg”. To use git, just replace “hg” with “git”. I prefer the graphical editor gvim. To use the console version, replace “gvim” with “vim”.
View differences:
hg diff | gvim -
Shortcuts:
- a/asyncio/events.py: to open the file, delete a/, put the cursor on the file name, type :vs for a vertical split, and type gf (goto file) to open the file
- :%bd: close all buffers
Python:
- [[, ]]: jump to previous/next of the class or function
Code search¶
Git¶
Remove latest commit¶
git reset --hard HEAD~1
List tags containing a specific commit¶
nova$ git tag --contains 94a3b83f9f1fd52a78b9d49b32ddfae40182f852
12.0.0.0b1
12.0.0a0
2014.2
2014.2.1
2014.2.2
2014.2.3
2014.2.b1
2014.2.b2
2014.2.b3
2014.2.rc1
2014.2.rc2
2015.1.0
2015.1.0b1
2015.1.0b2
2015.1.0b3
2015.1.0rc1
2015.1.0rc2
2015.1.0rc3
Remote branches¶
List remote branches:
git branch -r
Create a new branch fix_1369426_icehouse tracking the remote branch origin/stable/icehouse:
git branch --track fix_1369426_icehouse origin/stable/icehouse
(Track and) Pull a remote branch:
git branch --track NAME_REMOTE_BRANCH
git fetch --all # or: git pull --all
Send email¶
First install git send-email. On Fedora:
yum install -y git-email
Generate a .patch file for a single commit:
git format-patch origin/master
Generate a patch series for multiple commits:
git format-patch origin/master --cover-letter
Now modify 0000-cover-letter.patch: replace *** BLURB HERE ***. By default, patches create a thread on a mailing list: [PATCH 0/n] is the top message, [PATCH 1/n], [PATCH 2/n], etc. are replies to the top message. See Message-Id and In-Reply-To headers in emails.
To generate a version 2 of a patch (use [PATCH v2] subject prefix instead of [PATCH]):
git format-patch origin/master --subject-prefix 'PATCH v2'
Send patches:
git send-email --to=EMAIL --suppress-cc=all *.patch
For your first try, just send emails to yourself ;-)
OpenStreetMap¶
Map of the town Peypin:
Marseille user group:
- https://wiki.openstreetmap.org/wiki/Marseille#Rencontres_mensuelles
- https://wiki.openstreetmap.org/wiki/Marseille/R%C3%A9unions_2014
- http://listes.openstreetmap.fr/wws/info/local-marseille
Wiki:
Shell script¶
- bash8: A pep8 equivalent for bash scripts
- checkbashisms: static analysis tool for shell scripts. It looks for particular patterns which indicate a script might be relying on /bin/sh being bash.
- shellcheck: static analysis and linting tool for sh/bash scripts
$'...' interprets escape sequences (like \n) in '...'
Example:
haypo@selma$ echo $'a\rb'|hexdump -C
00000000 61 0d 62 0a |a.b.|
00000004
Ftrace¶
- LWN articles:
- ftrace - Function Tracer: official documentation from the kernel
- ftrace at elinux.org
- Kernel dynamic memory analysis
- Installing and Using Ftrace
Mercurial¶
bisect with a command¶
Shell script cmd.sh:
set -e -x
make
./python script.py
where script.py is the script to reproduce the bug.
Cleanup everything:
hg bisect --reset
hg update -C
We know that the most recent version is bad (./cmd.sh fails):
./cmd.sh
# cmd.sh failed
hg bisect -b
Find a good revision using a date:
hg up -r "branch(default) and date('May 2015')"
./cmd.sh
# it's still failing, take an older date
hg up -r "branch(default) and date('Jan 2015')"
./cmd.sh
# iterate until the test passes
(...)
hg bisect -g
Ok, we have a good and a bad revision, and a script to automate the bisection:
hg bisect --command ./cmd.sh
# enjoy watching your computer working for you
cannot edit immutable changeset: xxx¶
You can force the phase of a changeset back to draft like so:
hg phase -d -f <changeset_id>
Only do that for private changes!
Find tags containing a specific changeset¶
Let’s say that you want to check which versions contain the _FUTURE_CLASSES variable:
$ grep '_FUTURE_CLASSES =' trollius/*.py
trollius/futures.py: _FUTURE_CLASSES = (Future, events.asyncio.Future)
trollius/futures.py: _FUTURE_CLASSES = Future
$ hg blame trollius/futures.py|grep '_FUTURE_CLASSES ='
1712: _FUTURE_CLASSES = (Future, events.asyncio.Future)
1688: _FUTURE_CLASSES = Future
$ hg log -r 1688 --template '{date|isodate}\n'
2014-07-25 10:05 +0200
Ok, so _FUTURE_CLASSES was added by the changeset 1688, which was made on 2014-07-25. We pick the oldest changeset; 1712 was probably a fix.
Find the tags which contain the changeset 1688:
$ hg log -r "reverse(descendants(1688)) and tag()" --template "{tags}\t{rev}:{node|short}\n"
trollius-1.0.2 1767:41ac07cd2d03
trollius-1.0.1 1738:83e574a42e16
$ hg log -r trollius-1.0.1 --template '{date|isodate}\n'
2014-07-30 17:45 +0200
$ hg log -r trollius-1.0.2 --template '{date|isodate}\n'
2014-10-02 16:47 +0200
_FUTURE_CLASSES was introduced in trollius-1.0.1, which was released on 2014-07-30. The following release, trollius-1.0.2 (2014-10-02), also contains it, which is expected since trollius-1.0.2 is based on trollius-1.0.1.
Check versions:
$ hg up trollius-1.0.1
$ grep '_FUTURE_CLASSES =' trollius/*.py
trollius/futures.py: _FUTURE_CLASSES = (Future, events.asyncio.Future)
trollius/futures.py: _FUTURE_CLASSES = Future
$ hg up trollius-1.0
$ grep '_FUTURE_CLASSES =' trollius/*.py
trollius/tasks.py: _FUTURE_CLASSES = (futures.Future, asyncio.Future)
trollius/tasks.py: _FUTURE_CLASSES = futures.Future
Ok, so in fact the variable was moved from the Python module trollius.tasks to the module trollius.futures between versions 1.0 and 1.0.1.
abort: can’t rebase public changeset fb6b735060b5¶
Error:
abort: can't rebase public changeset fb6b735060b5
(see "hg help phases" for details)
Misc¶
- Linux: detect launching of programs (StackOverflow)
- MLVPN - MultiLink Virtual Public Network
- Docker: https://linuxfr.org/news/docker-tutoriel-pour-manipuler-les-conteneurs
- Forensically: tools to check if a photo was modified
- PHP: http://blog.mageekbox.net/
Friends¶
Fun:
getaddrinfo¶
- A surprising discovery on converting IPv6 addresses: we no longer prefer getaddrinfo() (PowerDNS blog, May 2014)
- glibc 2.15 (March 2012): Avoid __check_pf calls in getaddrinfo unless really needed
- Python issue: getaddrinfo is wrongly considered thread safe on linux
- libc6: getaddrinfo() sends DNS queries to random file descriptors (CVE-2013-7423) (glibc 2.13, fixed at least in glibc 2.19)
PostgreSQL¶
Install PostgreSQL server on Fedora 21. Type as root:
yum install postgresql-server
postgresql-setup initdb
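Modify /var/lib/pgsql/data/postgresql.conf to accept connections from the 192.168.0.0/24 network (listen_addresses = '*' listens on every interface; the restriction to that network comes from pg_hba.conf below), replace: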
#listen_addresses = 'localhost' # what IP address(es) to listen on;
...
max_connections = 100 # (change requires restart)
with:
listen_addresses = '*'
...
max_connections = 1000 # (change requires restart)
Modify /var/lib/pgsql/data/pg_hba.conf to allow login using a password from the 192.168.0.0/24 network, replace:
host all all 127.0.0.1/32 ident
with:
host all all 192.168.0.0/24 md5
Start PostgreSQL:
systemctl start postgresql
Switch to the postgres user (sudo -u postgres -H -s), open the psql client (psql) and type:
CREATE USER bigdata;
ALTER ROLE bigdata WITH CREATEDB;
ALTER USER bigdata WITH ENCRYPTED PASSWORD 'password';
CREATE DATABASE bigdata;
Google¶
What Google knows about you:
Operating systems¶
macOS | Name | Darwin Version | Release Year |
---|---|---|---|
macOS 10.13 | High Sierra | 17.x | 2017 (June) |
macOS 10.12 | Sierra | 16.x | 2016 |
macOS 10.11 | El Capitan | 15.x | 2015 |
macOS 10.10 | Yosemite | 14.x | 2014 |
macOS 10.9 | Mavericks | 13.x | 2013 |
macOS 10.8 | Mountain Lion | 12.x | 2012 |
macOS 10.7 | Lion | 11.x | 2010 |
macOS 10.6 | Snow Leopard | 10.x | 2008 |
macOS 10.5 | Leopard | 9.x | 2006 |
macOS 10.4 | Tiger | 8.x | 2004 |
Use sw_vers in the command line to get the macOS version.
- Linux kernel versions:
- 4.0: 2015 (under development)
- 3.0: 2011
- 2.6: 2003
- 2.4: 2001
- Ubuntu releases:
- 16.10: Yakkety Yak (not released yet, scheduled for 2016-10-20)
- 16.04 LTS: Xenial Xerus, 2016-04-21
- 15.10: Wily Werewolf, 2015-10-22
- 15.04: Vivid, 2015-04
- 14.10: Utopic, 2014-10
- 14.04 LTS: Trusty, 2014-04
- 12.04 LTS: Precise, 2012-04
- Fedora releases:
- Fedora 24: 2016-06-21
- Fedora 23: 2015-11-03
- Fedora 22: 2015-05-26
- Fedora 21: 2014-12
- Fedora 20: 2013-12, Heisenbug
- Fedora 19: 2013-07, Schrödinger’s Cat
- Debian releases:
- Debian 9 “Stretch”: June 17th, 2017
- Debian 8 “Jessie”: April 26th, 2015
FreeBSD releases, and Unsupported FreeBSD Releases:
FreeBSD | Release | End of life |
---|---|---|
FreeBSD 11.0 | 2016-10 | 2021-09-30 |
FreeBSD 10.0 | 2014-01 | 2018-10-31 |
FreeBSD 9.0 | 2012-01 | 2016-12 |
FreeBSD 8.1 | 2010-07 | 2012-07 |
FreeBSD 7.0 | 2008-02 | 2009-04 |
FreeBSD 6.2 | 2007-01 | 2008-05 |
Microsoft Windows versions (version numbers):
Windows | Version | Release | End of mainstream support | Extended support |
---|---|---|---|---|
Windows 10 | 10.0 | 2015-07 | 2020-10 | 2025-10 |
Windows 8.1 | 6.3 | 2013-10 | 2018-01 | 2023-01 |
Windows 8 | 6.2 | 2012-10 | 2016-01 | 2016-01 |
Windows 7 | 6.1 | 2009-10 | 2015-01 | 2020-01 |
Windows Vista | 6.0 | 2007-01 | 2012-04 | 2017-04 |
Windows XP Professional x64 | 5.2 | 2005-04 | 2009-04 | 2014-04 |
Windows XP | 5.1 | 2001-10 | 2009-04 | 2014-04 |
Note
For applications that have been manifested for Windows 8.1 or Windows 10. Applications not manifested for Windows 8.1 or Windows 10 will return the Windows 8 OS version value (6.2). To manifest your applications for Windows 8.1 or Windows 10, refer to Targeting your application for Windows.
Linux kernel:
Linux kernel | Released | Projected EOL |
---|---|---|
4.14 | 2017-11-12 | 2020-01 |
4.9 | 2016-12-11 | 2019-01 |
4.4 | 2016-01-10 | 2022-02 |
4.1 | 2015-06-21 | 2018-05 |
3.16 | 2014-08-03 | 2020-04 |
3.2 | 2012-01-04 | 2018-05 |
2.6 | 2003-12-17 | 2011-08 |
Programming advice¶
- Coding style: 80 columns, PEP 7 for C, PEP 8 for Python
- Avoid global variables
- Signal handlers: only use signal-safe functions
Timezones¶
- Debian issue: tzdata: Argentina just decided not to move to DST this Sunday :-
- Python issue: datetime: support leap seconds
rsync¶
Local copy with progress bar and handle sparse files:
rsync -Sav --progress /mnt/vm/images/ /var/lib/libvirt/images/
Thunderbird¶
Checking for new messages in other folders - Thunderbird.
Set mail.server.default.check_all_folders_for_new=true in advanced settings (Edit > Preference > Advanced > General tab > Config editor).
Gnome-Terminal¶
Configure Gnome-Terminal to select a full URL on double-click:
dconf write /org/gnome/terminal/legacy/profiles:/:${Profile_ID}/word-char-exceptions '@ms "-,.;/?%&#_=+@~·:"'
Replace ${Profile_ID} with the profile identifier. To get it:
$ gsettings get org.gnome.Terminal.ProfilesList list
['b1dcc9dd-5262-4d8d-a863-c897e6d979b9']
Example:
dconf write /org/gnome/terminal/legacy/profiles:/:b1dcc9dd-5262-4d8d-a863-c897e6d979b9/word-char-exceptions '@ms "-,.;/?%&#_=+@~·:"'
It looks like you don’t have to restart Gnome-Terminal.
http://fedora.12.x6.nabble.com/gnome-terminal-amp-select-by-word-characters-td5043736.html
Android¶
Samsung S2, delete logs on internal storage:
- dial *#9900#
- click on: “Delete dumpstate/logcat”
Free space on the 16 GB SD card:
- install CCleaner
- Free space using CCleaner
IRC¶
List operators of channel:
/msg ChanServ access #python-fr list
Give operator permission to someone:
/msg ChanServ flags #python-fr skyice +Aeiortv
#python-dev flags to prevent people who are not logged in to an account from talking:
/mode #python-dev -q $~a
SSH keygen¶
Create an SSH key:
ssh-keygen -t ed25519 -o -a 100 -C "haypo2017" -f ssh_key
- -t: key type, http://ed25519.cr.yp.to/
- -a 100: use 100 rounds of the key derivation function for the passphrase, increase resistance to brute-force password cracking
- -C: comment
- -f: filename
- -o: save private keys using the new OpenSSH format, increased resistance to brute-force password cracking (in fact, -t ed25519 already enables this option)
Issues with ed25519:
- Launchpad doesn’t support ed25519: Launchpad is implemented on top of Twisted which doesn’t support ed25519 yet. https://bugs.launchpad.net/launchpad/+bug/1282220
- gnome-keyring doesn’t support the new SSH key format used by ed25519 by default: https://bugzilla.gnome.org/show_bug.cgi?id=723274 https://bugzilla.gnome.org/show_bug.cgi?id=641082
Links:
- https://stribika.github.io/2015/01/04/secure-secure-shell.html
- https://wiki.archlinux.org/index.php/SSH_keys
SSH agent:
- Modify /etc/pam.d/* to lines containing “pam_gnome_keyring.so”
- Make sure that login still works after the change!!!
Gnome and SSH passphrase:
sudo dnf install -y openssh-askpass
Replace gnome-keyring with ssh-agent to support elliptic curves:
Fedora process:
/usr/bin/gnome-keyring-daemon --daemonize --login
Disable gnome-keyring:
mkdir -p ~/.config/autostart/
cp /etc/xdg/autostart/gnome-keyring-ssh.desktop ~/.config/autostart/
echo "X-GNOME-Autostart-enabled=false" >>~/.config/autostart/gnome-keyring-ssh.desktop
See also https://wiki.archlinux.org/index.php/GNOME/Keyring#Disable_keyring_daemon_components
Enable pam_ssh in PAM config:
(FR) Air transport¶
- March 2014: https://fr.wikipedia.org/wiki/Vol_370_Malaysia_Airlines#Hypoth.C3.A8se_d.27un_incident_technique
- April 2016: Lithium-ion batteries banned from air cargo transport.
Gnome¶
My CSS theme for window colored borders: https://github.com/vstinner/misc/blob/master/conf/gtk.css
https://wiki.gnome.org/Projects/GnomeShell/CheatSheet
gsettings set org.gnome.desktop.wm.preferences focus-new-windows 'strict'
Yubikey¶
- Fedora: dnf install -y u2f-hidraw-policy See https://gist.github.com/fntlnz/a4513162960e1e9fdb99
- Firefox: builtin since Firefox 57, see https://www.yubico.com/2017/11/how-to-navigate-fido-u2f-in-firefox-quantum/ For older Firefox, use https://addons.mozilla.org/fr/firefox/addon/u2f-support-add-on/ (project: https://github.com/prefiks/u2f4moz)
- GitHub: https://github.com/settings/two_factor_authentication/configure click on [Register new device]
- Firefox plugin doesn’t work on Google nor Bitbucket
tmux¶
- tmux attach
- tmux ls
- CTRL+b …
  - [: navigation (scroll), ‘q’ to quit navigation mode
  - d: detach
  - c: new window
  - n/p: next/previous window
  - :: open the command line (“prompt”)
  - ,: name the window
  - w: window list
  - &: kill the window
- Command line or “prompt” (opened by CTRL+b :):
- list-sessions
- tmux shortcuts & cheatsheet
Debug Python¶
- Add printf(…) or fprintf(stderr, …)
- Comment, remove code, add #if 0 … #endif
- Run git bisect
- Use my new script to bisect test methods
- gdb
- pdb, pudb
NFS¶
Server side¶
- /etc/exports: list of shared directories
- sudo exportfs -af: reload NFS configuration (like /etc/exports)
Client side¶
- Mount: sudo mount -t nfs -o soft smithers:/server/shared/directory /local/mount/point. The soft option lets NFS make syscalls fail if the server is no longer reachable.
- Unmount: sudo umount -f /local/mount/point. The -f option allows unmounting even if the server is unreachable.
Release a Python software¶
- pip install check-manifest
- pip install prospector[pyroma]; prospector
- zest.releaser
macOS¶
Malware¶
Firefox malware: “Websecure WTC”, system load near 10, CPU usage higher than 99%. Remove manually in Firefox extensions.
Anti-malware: don’t trust the internet, full of crap. Search in AppStore.
Untested yet: free Bitdefender.
Rounding¶
Wikipedia: https://en.wikipedia.org/wiki/Rounding
Rounding modes for floating point numbers:
- ROUND_FLOOR: Round towards minus infinity (-inf).
  - C: floor()
  - Python: math.floor(float)
  - Python: math.floor(-0.1) == -1
  - Python: math.floor(0.9) == 0
  - For example, used to read a clock.
- ROUND_CEILING: Round towards infinity (+inf).
  - Python: math.ceil(float)
  - Python: math.ceil(0.1) == 1
  - Python: math.ceil(-0.1) == 0
- ROUND_HALF_EVEN: Round to nearest with ties going to nearest even integer.
  - For example, used to round from a Python float.
  - Python: round(float)
  - Python: round(0.5) == 0
  - Python: round(1.5) == 2
  - Python: round(2.5) == 2
  - This is the default rounding mode used in IEEE 754 floating-point operations.
- ROUND_UP: Round away from zero.
  - For example, used for timeout. ROUND_CEILING rounds -1e-9 to 0 milliseconds which causes bpo-31786 issue. ROUND_UP rounds -1e-9 to -1 millisecond which keeps the timeout sign as expected. select.poll(timeout) must block for negative values.
- ROUND_DOWN: Round towards zero.
  - C: (int)double, ex: (int)0.9 == 0
  - Python: int(float)
  - Python: int(0.9) == 0
  - Python: int(-0.9) == 0
  - Python: float.__trunc__()
Other rounding modes (ex: Python decimal module):
- ROUND_HALF_DOWN: Round to nearest with ties going towards zero.
- ROUND_HALF_UP: Round to nearest with ties going away from zero.
- ROUND_05UP: Round away from zero if last digit after rounding towards zero would have been 0 or 5; otherwise round towards zero.
IEEE 754 defines 4 modes:
- ROUND_HALF_EVEN: default mode
- ROUND_FLOOR
- ROUND_CEILING
- ROUND_DOWN
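The timeout case described above, as an added example that is not code from the original notes: each rounding mode is written with float primitives, cross-checked against the decimal module, and applied to a seconds-to-milliseconds conversion. The helper names (round_float, round_decimal, timeout_ms, poll_behaviour) are assumptions of this example.

```python
import math
from decimal import (Decimal, ROUND_CEILING, ROUND_DOWN, ROUND_FLOOR,
                     ROUND_HALF_EVEN, ROUND_UP)

# Each rounding mode listed in the notes, expressed with float primitives.
# The decimal constants are only used as mode names here.
ROUNDERS = {
    ROUND_FLOOR: math.floor,          # towards -inf
    ROUND_CEILING: math.ceil,         # towards +inf
    ROUND_HALF_EVEN: round,           # nearest, ties to even
    ROUND_UP: lambda x: math.ceil(x) if x >= 0 else math.floor(x),  # away from 0
    ROUND_DOWN: math.trunc,           # towards 0
}


def round_float(x, mode):
    """Round the float x to an int using one of the modes above."""
    return ROUNDERS[mode](x)


def round_decimal(x, mode):
    """Same rounding done by the decimal module, used as a cross-check."""
    return int(Decimal(x).to_integral_value(rounding=mode))


def timeout_ms(seconds, mode):
    """Convert a timeout in seconds to whole milliseconds."""
    return round_float(seconds * 1e3, mode)


def poll_behaviour(ms):
    """What select.poll().poll(ms) does for a given millisecond value."""
    if ms < 0:
        return "block until an event"
    if ms == 0:
        return "return immediately"
    return "wait up to %d ms" % ms


if __name__ == "__main__":
    # Constructed sample timeouts: a tiny negative value (the bpo-31786 case
    # from the notes) and a tiny positive value below one millisecond.
    for seconds in (-1e-9, 1e-4):
        for mode in ROUNDERS:
            ms = timeout_ms(seconds, mode)
            print("%8g s  %-16s -> %2d ms: %s"
                  % (seconds, mode, ms, poll_behaviour(ms)))
```

The positive sample shows the other half of the argument: rounding 0.1 ms towards zero gives a 0 ms timeout, so a caller that meant to wait returns immediately.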
Links:
- https://vstinner.github.io/pytime.html
- “double-rounding” https://bugs.python.org/issue24567
- https://bugs.python.org/issue32956
- double to float rounding on ppc64le: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88892
Linux: follow process execution¶
- execsnoop
- linux process monitoring: NETLINK_CONNECTOR with CN_IDX_PROC and CN_VAL_PROC commands
- exec-notify.c: PROC_EVENT_EXEC reading /proc/pid/cmdline
wget mirror¶
Download a “Index of” Apache listing and subdirectories, but not parents.
wget --mirror --no-parent -e robots=off URL
robots=off is needed to download OpenStack CI logs, since the robots.txt disallows everything.
dd¶
Write a raw image to a USB key:
lsblk # check if the USB key is connected
sudo dd if=bios.img of=/dev/disk/by-id/usb-LEXAR_JUMPDRIVE_0A4F1007191812160305-0\:0 status=progress oflag=direct
ssh-agent¶
List keys of ssh-agent:
ssh-add -l
Add a key:
ssh-add ~/.ssh/id_rsa
Remove all keys:
ssh-add -D
stdin, stdout, stderr buffering¶
Unbuffered standard streams with the stdbuf tool:
stdbuf -i0 -o0 -e0 producer | consumer
Line buffering:
stdbuf -oL -eL command
See also unbuffer.
Copy for backup using rsync¶
Commands:
$ sudo mount -o uid=haypo,gid=haypo,utf8 /dev/disk/by-label/DataSeagate /mnt/usb/
$ rsync --archive --verbose --progress -r /btrfs/data/videos/ /mnt/usb/videos/
virt-manager: virtual network¶
Enable Router Advertisement on your physical devices.
Create file /etc/sysctl.d/60-victor-network.conf:
net.ipv6.conf.enp0s31f6.accept_ra = 2
net.ipv6.conf.wlp4s0.accept_ra = 2
where enp0s31f6 and wlp4s0 are my physical NICs.
Run:
sudo systemctl restart systemd-sysctl
Virt-manager, create a network:
- Right click on a domain, Detail: Network, Add a network
- IPv4 Network: 192.168.100.0/24 ; enable DHCP
- IPv6 Network: fd00:e81d:a6d7:5ab8::/64 ; enable DHCPv6
- Give access to any physical NIC
Status pages¶
- Python : https://status.python.org/
- GitHub : https://status.github.com/ and https://twitter.com/githubstatus
- Travis CI : https://www.traviscistatus.com/ and https://twitter.com/traviscistatus
KDE Connect on Fedora¶
Commands:
sudo dnf install kde-connect-nautilus
sudo firewall-cmd --zone=public --permanent --add-port=1714-1764/tcp
sudo firewall-cmd --zone=public --permanent --add-port=1714-1764/udp
sudo systemctl restart firewalld.service
See also https://community.kde.org/KDEConnect
docker¶
sudo docker pull ubuntu:trusty
sudo docker run -ti ubuntu:trusty /bin/bash
root@xxx# exit
sudo docker commit xxx pet
sudo docker run -ti pet /bin/bash
sudo docker container ps
sudo docker container ps -a
SELinux¶
Config file:
[vstinner@fedora27 ~]$ cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
Check current SELinux config:
[vstinner@fedora27 ~]$ getenforce
Enforcing
Security¶
Static analyzer vs PHP:
- Fixed bug #55439 (crypt() returns only the salt for MD5). (Stas)
- https://bugs.php.net/bug.php?id=55439
- https://github.com/rflynn/bugs/blob/master/case/php-md5-broken-by-rasmus.json
- https://github.com/php/php-src/commit/97bc4c84032881cd398e46098e8cfbae6f3a9590
OpenSSL vulnerability in RAND_bytes() on Debian:
Shell¶
- sh is supposed to be the minimalist shell (faster, but fewer features)
- bash has more features and is quite common, but not available by default on FreeBSD for example.
- dash is a minimalist shell used as ‘sh’ on Debian
Test:
- [ is a program: /usr/bin/[ on Linux
- man test
- man [ # sometimes display bash manual page
- [[ … ]] is a bash built-in, so specific to bash
Misc:
Debug TLS issue¶
Use OpenSSL client:
openssl s_client -connect bugs.python.org -port 443
See https://github.com/python/psf-infra-meta/issues/4
Dump Python SSLContext configuration:
def dump_context(context):
    # context is an ssl.SSLContext instance
    print("ciphers:", ":".join([cipher['name'] for cipher in context.get_ciphers()]))
    print("proto", context.protocol)
    print("opts", context.options)
    print("verify", context.verify_mode, context.verify_flags)
    # minimum_version and maximum_version need Python 3.7 or newer
    print("min/max ver", context.minimum_version, context.maximum_version)
    print("cert stats", context.cert_store_stats())
On Fedora 29, Python is compiled with ./configure --with-ssl-default-suites=openssl: ssl.SSLContext constructor doesn’t call SSL_CTX_set_cipher_list() and so uses OpenSSL default cipher list.
See also Python SSL and TLS security.
test_asyncio fails on RHEL8, or on Fedora using NEXT security policy. Fedora and RHEL have an update-crypto-policies system command to change the crypto policy.
Python can now use OpenSSL default cipher list: TLS cipher suite compile time option for downstream, creation of ./configure --with-ssl-default-suites=openssl option (enabled on Fedora).
Use nmap to scan for ciphers: https://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html
By default, OpenSSL reads configuration files for TLS:
$ ls -l /etc/crypto-policies/back-ends/openssl*.config
/etc/crypto-policies/back-ends/opensslcnf.config -> /usr/share/crypto-policies/DEFAULT/opensslcnf.txt
/etc/crypto-policies/back-ends/openssl.config -> /usr/share/crypto-policies/DEFAULT/openssl.txt
$ cat /etc/crypto-policies/back-ends/openssl.config
@SECLEVEL=1:kEECDH:-kRSA:kEDH:-AES-128-GCM:kPSK:kDHEPSK:kECDHEPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:-SHA1:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
$ cat /etc/crypto-policies/back-ends/opensslcnf.config
CipherString = @SECLEVEL=1:kEECDH:-kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:-SHA1:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256
MinProtocol = TLSv1
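A small parser for the opensslcnf.config format shown above, as an added example that is not part of the original notes or of crypto-policies. The baseline it checks (TLSv1.2 minimum, SECLEVEL 2, the must_ban list) and all function names are assumptions of this example; SAMPLE is the file content quoted above.

```python
import re

# Constructed sample: the opensslcnf.config content quoted in the notes.
SAMPLE = (
    "CipherString = @SECLEVEL=1:kEECDH:-kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:"
    "-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:-SHA1:!MD5:"
    "-SHA384:-CAMELLIA:-ARIA:-AESCCM8\n"
    "Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
    "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256\n"
    "MinProtocol = TLSv1\n"
)

PROTOCOLS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def parse_config(text):
    """Parse 'Key = value' lines into a dict; the first '=' splits the line."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() and not key.lstrip().startswith("#"):
            settings[key.strip()] = value.strip()
    return settings


def parse_cipher_string(cipher_string):
    """Group cipher string tokens by operator: '!' bans a cipher for good,
    '-' removes it but a later rule may add it back, no prefix adds it."""
    rules = {"seclevel": None, "added": [], "removed": [], "banned": []}
    for token in filter(None, re.split(r"[:, ]+", cipher_string)):
        if token.startswith("@SECLEVEL="):
            rules["seclevel"] = int(token.partition("=")[2])
        elif token[0] == "@":
            continue  # other control keywords such as @STRENGTH
        elif token[0] == "!":
            rules["banned"].append(token[1:])
        elif token[0] == "-":
            rules["removed"].append(token[1:])
        else:
            rules["added"].append(token.lstrip("+"))
    return rules


def audit(text, min_protocol="TLSv1.2", min_seclevel=2,
          must_ban=("RC4", "DES", "3DES", "MD5", "eNULL", "aNULL")):
    """Return (code, detail) findings against the assumed baseline."""
    settings = parse_config(text)
    rules = parse_cipher_string(settings.get("CipherString", ""))
    findings = []
    proto = settings.get("MinProtocol")
    if proto not in PROTOCOLS:
        findings.append(("min-protocol-unset", str(proto)))
    elif PROTOCOLS.index(proto) < PROTOCOLS.index(min_protocol):
        findings.append(("min-protocol-low", proto))
    if rules["seclevel"] is None or rules["seclevel"] < min_seclevel:
        findings.append(("seclevel-low", str(rules["seclevel"])))
    for name in must_ban:
        if name in rules["banned"]:
            continue
        code = "removed-not-banned" if name in rules["removed"] else "not-excluded"
        findings.append((code, name))
    return findings


if __name__ == "__main__":
    for code, detail in audit(SAMPLE):
        print(code, detail)
```

On a Fedora or RHEL host the same function can be fed the content of /etc/crypto-policies/back-ends/opensslcnf.config to see what the active policy permits.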
posix_spawn¶
Python issues:
- expose posix_spawn(p)
- Support POSIX_SPAWN_USEVFORK flag in posix_spawn
- subprocess uses os.posix_spawn in some cases
vfork:
Performance:
Matrix¶
- https://riot.im/app/
- Freenode IRC server
- Join IRC Freenode channel XXX: /join #freenode_#XXX:matrix.org
- In Riot.im, click on the Person icon (bottom left) to start a private chat with @appservice-irc:matrix.org: type
- https://github.com/matrix-org/matrix-appservice-irc/blob/master/HOWTO.md#changing-nicks
git¶
Error:
$ git gc
fatal: impossible de lire
378a172cc98d7bc8dc5b6a304ec47cf4f24276ca
fatal: failed to run repack
$ git fsck --connectivity-only
broken link from tree 30d4ac5eb9e7bbc9104e0b8117c7eccf0ca7d68c
to blob 378a172cc98d7bc8dc5b6a304ec47cf4f24276ca
...
Fix:
git -c gc.reflogExpire=0 -c gc.reflogExpireUnreachable=0 -c gc.rerereresolved=0 -c gc.rerereunresolved=0 -c gc.pruneExpire=now gc
Try also:
git reflog expire --expire-unreachable=now --all
git gc --prune=now
Check:
git fsck --connectivity-only
Debug network issue to a website¶
If https://github.com looks down:
- Test network connectivity using ICMP:
ping github.com
traceroute github.com
mtr github.com
- Test HTTPS:
time curl --verbose https://github.com/
time wget -O- https://github.com/
- TLS v1.0:
time curl --tlsv1.0 --verbose https://github.com/
- HTTP2:
time curl --http2 --verbose https://github.com/
- Test SSL/TLS handshake:
time openssl s_client -connect github.com:443
- SSLv3:
time openssl s_client -connect github.com:443 -ssl3
- TLS v1.0:
time openssl s_client -connect github.com:443 -tls1_0
- TLS v1.1:
time openssl s_client -connect github.com:443 -tls1_1
- TLS v1.2:
time openssl s_client -connect github.com:443 -tls1_2
Valgrind¶
Search for memory leak: malloc() not followed by free(), limit the call stack to 20 frames:
PYTHONMALLOC=malloc valgrind --leak-check=full --num-callers=20 ./python x.py
Valgrind with gdb server to inspect a bug in gdb:
# First terminal
valgrind --vgdb=yes --vgdb-error=0 program [arg1 arg2 ...]
# Second terminal
gdb
# then type in gdb:
# (gdb) target remote | vgdb
Generate a suppression for a false alarm:
--gen-suppressions=yes
Python issues related to Valgrind:
Bash¶
Replace name.py string with name, remove .py suffix:
script="name.py"
# display "name"
echo ${script:0:-3}