Developers’ Weblog


If you install the xfonts-base package from my APT repository, you now get the FixedMisc [MirOS] type from The MirOS Project type foundry not only for the X Window System but also for GNU GRUB2:

FixedMisc [MirOS] for GNU GRUB2 – Screenshot

Just add GRUB_FONT=/usr/share/grub/FixedMisc.pf2 to /etc/default/grub, make sure gfxterm is enabled (usually by commenting out GRUB_TERMINAL=console and removing the comment sign before GRUB_GFXMODE=640x480), run sudo update-grub and be happy at the next reboot.

The combining and Katakana characters depicted in the above screenshot are the result of manual grub.cfg editing and for demonstration (bragging) purposes only.

The RSS feed of my APT repository will also contain such news…

My waypoint statistics and supporting scripts ceased to handle Munzee in any way whatsoever. This is because they’re getting ridiculous, especially in amount, and loss of play fun due to a too slow “äpp”. This means that my figure is now much closer to the real geocaching count, and you have to look at two, separate, statpics to get the entire scoop, but then, the separation does make it all clearer ☺

mirabilos’ Waypoints
It’s all about the numbers: Munzee

Oktobr Rain

27.10.2015 by tg@
Tags: fun twitxr

The title is a pun on “November Rain” and “Красный Октябрь” (Red October, or nice October)… as a follow-up on my earlier Sakura weblog entry. Again, small images as links to bigger ones:



Go enjoy shell

27.08.2015 by tg@
Tags: debian fun pcli

Dimitri, I personally enjoy shell…

tglase@tglase:~ $ x=車賈滑豈更串句龜龜契金喇車賈滑豈更串句龜龜契金喇
tglase@tglase:~ $ echo ${x::12}
tglase@tglase:~ $ printf '%s\n' 'import sys' 'print(sys.argv[1][:12])' >
tglase@tglase:~ $ python $x

… much more than Python, actually. (Python is the language in which you do not want to write code dealing with strings, due to UnicodeDecodeError and all; even py3k is not much better.)

I would have commented on your post if it allowed doing so without getting a proprietary Google+ account.

carstenh asked in IRC how to make a shebang for mksh(1) scripts that works on both regular Unix and Android.

This is not as easy as it looks, though. Most Unicēs will have mksh installed, either manually or by means of the native package system, as /bin/mksh. Some put it into package manager-specific directories; I saw /sw/bin/mksh, /usr/local/bin/mksh and /usr/pkg/bin/mksh so far. Some systems have it as /usr/bin/mksh but these are usually those who got poettering’d and have /bin a symlink anyway. Most of these systems also have env(1) as /usr/bin/env.

Android, on the contrary, ships with precisely one shell. This has been mksh for a while, thankfully. There is, however, neither a /bin nor a /usr directory. mksh usually lives as /system/bin/mksh, with /system/bin/sh a symlink(7) to the former location. Some broken Android versions ship the binary in the latter location instead and do not ship anything that matches mksh on the $PATH, but I hope they merge my AOSP patch to revert this bad change (especially as some third-party Android toolkits overwrite /system/bin/sh with busybox sh or GNU bash and you’d lose mksh in the process). However, on all official Android systems, mksh is the system shell. This will be important later.

The obvious and correct fix is, of course, to chmod -x the scripts and call them explicitly as mksh scriptname. This is not always possible or desirable; sometimes, people will wish it to be in the $PATH and executable, so we need a different solution.

There’s a neat trick with shebangs – the absence of one is handled specifically by most systems in various ways. I remember reading about it, but don’t remember where; I can’t find it on Sven Mascheck’s excellent pages… but: the C shell variants run a script with the Bourne Shell if its first line is a sole colon (‘:’), the Bourne family shells run it with themselves or ${EXECSHELL:-/bin/sh} in those cases, and the kernel with the system shell, AFAIK. So we have a way to get most things that could call the script to interpret it as Bourne/POSIX shell script on most systems. Then we just have to add a Bourne shell scriptlet that switches to mksh iff the current shell isn’t it (lksh, or something totally different). On Android, there is only ever one shell (or the toolkit installer better preserve mksh as mksh), so this doesn’t do anything (I hope – but did not test – that the kernel invokes the system shell correctly despite it not lying under /bin/sh) nor does it need to.

This leaves us with the following “shebang”:

	case ${KSH_VERSION-} in
	*MIRBSD\ KSH*) ;;
	*)	# re-run with The MirBSD Korn Shell, this is an mksh-specific script
		test "${ZSH_VERSION+set}" = set && alias -g '${1+"$@"}'='"$@"'
		exec mksh "$0" ${1+"$@"}
		echo >&2 E: mksh re-exec failed, should not happen
		exit 127 ;;
	esac

The case argument not only does not need to, but actually should not be quoted; the expansion is a set -u guard; the entire scriptlet is set -e safe as well; comments and expansions are safe. exec shall not return, but if it does (GNU bash violates POSIX that way, for example), we use POSIX’ appropriate errorlevel. zsh is funny with the Bourne shell’s way of using "$@" properly. But this should really be portable. The snippet is both too short and too obvious (“only way to do it”) to be protected by copyright law.

Thanks to carstenh and Ypnose for discussing things like this with us in IRC, sending in bugfixes (and changes we decline, with reason), etc. – it feels like we have a real community, not just consumers ☺

さくら – Kirschblüte

28.04.2015 by tg@
Tags: fun twitxr

I took some photos of the cherry blossoms fading today. As usual, small versions (about five à 100K) inline, linking to bigger versions (over 1 MiB each).






They are published under the terms and conditions of The MirOS Licence. Enjoy.

(I am aware that I missed the Kirschblütenfest. This is a deliberate shot, well five, of the blossoms waning. There is another shot of cherry and apple trees in fuller bloom, though I did not take it and thus cannot licence it.)

Update: follow-up post during Autumn.


18.04.2015 by tg@
Tags: food fun tip

This is a recipe for Polish yeast pancakes (Racuchy drożdżowe) with apples (z jabłkami). At our home we always had these pancakes too, though, only with baking powder instead of yeast. Yeast is better, though. What is otherwise known in Germany (except Berlin, where that is what Berliner doughnuts are called, although those are not made in a pan) as Pfannkuchen (or Eier(pfann)kuchen) is called Crêpes (or Eierkuchen) at our place. (Natureshadow and I have now agreed that the term “Pfannkuchen” is too overloaded, and to distinguish between Pannekōche (like these, only with baking powder), Hefepfannkuchen (these), Eierkuchen (pan-sized, ½ cm thick, with stuff baked in), Crêpes (almost the same batter as Eierkuchen, pan-sized, considerably thinner, wrapped around stuff) and Berliner.)
The yeast pancakes turn out a bit larger than the palm of a hand and are wonderfully airy, plump and soft in the middle.

They can be made not only as apple pancakes; they also taste really delicious with strawberries, though that gets rather mushy. Blueberries or peaches are good options too.

The quantities are meant for a standard family; at work we double everything to feed half the company, and for the company party we quadrupled everything; the recipe scales linearly very well.


  • 1 pound of wheat flour (½ kg)
  • 1 pinch of salt
  • 50 g fresh yeast
  • 3 tablespoons of sugar
  • 1½ cups of milk at room temperature(!)
  • 1 egg
  • 3–4 apples (ideally “Topaz”)

Preparation: Put the flour into a large(!) bowl (the dough rises enormously) and mix in the salt. Make a small hollow in the middle, put the yeast into it and heap the sugar over it, then pour half a cup of milk over it and let it rise for a quarter of an hour. Then add the egg and a whole cup of milk, knead, and let it rise, covered, for about one to two hours.

Peel the apples, quarter them and cut them into thin slices (about 2–3 mm thick). (For 16 apples, allow for more than an hour of working time here!) Add these to the dough after it has risen, mix through once more and let it rise, covered, for another hour (the Polish-language recipe said 15–20 minutes, but here we go by the experience Paweł and I gathered at work).

In a pan (for double or even quadruple the quantity, better in three pans with two people at the same time), heat oil with a dab of butter, then use a large tablespoon or, better, a salad serving spoon to put three to four dollops of the dough (separately) into the pan; after a short time (when the bottom and the edges are already somewhat firm) turn them over with a spatula and press lightly on top, then let them fry and turn them another 3–4 times until they are golden brown on both sides (often a bit more than that…) and cooked through in the middle, then put them on a plate lined with two layers of kitchen paper (Zewa) to soak up the excess fat. Then make the next pancakes and stack them on the plate (or a new one). The target size is a bit larger than the palm of a hand and several centimetres thick.

Serve hot. They can be eaten as they are (sweet enough for me), dusted with icing sugar (Paweł prefers that) or with jam. (If you make four times the quantity for the whole company, you should eat one yourself every now and then while frying, because otherwise you will not get any, since it smells so delicious that your colleagues besiege you…)

tbd: Photo. Will follow the next time we make them.

For those who similarly suffer from having to use Googlemail at work. If anyone else has more of these, please do share.

Deactivate the spamfilter

The site admins can do that. Otherwise, you will have work-relevant eMails, for example from your own OTRS system, end up in Spam (where you don’t see it, as their IMAP sucks) and deleted without asking 30 days later. (AIUI, the only way to get eMails actually deleted from Google…)

Do not use their SMTP service

Use your own outgoing MTA. This brings back the, well, not feature but should-have-been-granted-but-Google-doesn’t-do-it-anyway that, when you write to a mailing list, you also get your own messages into your own INBOX.


I have no solutions for this. I stopped using the Googlemail calendars because they didn’t think it a problem that, when I accept an invitation in Kontact (KDEPIM as packaged in Debian sid), the organiser of the calendar item in the sender’s calendar (for which I do not have write permissions) changes to me (so the actual meeting organiser cannot change anything afterwards) and/or calendar items get doubled. I now run a local uw-imapd (forward-ported to sid by means of a binNMU) for sent-mail folders etc. and a local iCalendar directory for calendars.

mksh R50f coming soon

11.04.2015 by tg@
Tags: mksh pcli

Please test mksh-current from CVS (or the unofficial git mirror)! There are security-related fixes I’ll MFC in a few days, for which I’d prefer for them (and the other changes) to not introduce any regressions. Thanks!

exciting news, or so

07.04.2015 by tg@
Tags: debian event fun geocache mksh news personal pkgsrc plan rant security work

I implemented <? (including <?php…) script embedding support for *.inc in MirWebseite today; the specific syntax was explicitly requested by Natureshadow. Ugh.

My own hacking activities are progressing, even if slowly. I do some other interesting, funny, social, beneficial, etc. stuff in between, though. I’ll even have to get some of my DD buddies to sponsor me some QA uploads of packages I formerly maintained, wherever changes are queued up… such as better old-format repo compatibility in cvs(GNU) ☺ Though some of the stuff I do at work is currently done only there… sorry.

Also: prepare to be fully enlightened about just what evil (nice picture) Docker is. I especially liked the comparison of containers to a herd of cattle, mere numbers, replaceable, whereas VMs are cats, each with their individual name, lovely petted each day, etc.

ObHint: Some may have noticed I do have a Twitter account now. I do not really use it much. I got it because I wanted to rant at someone who only gave Twitter as means to contact them (a European company running a lottery for USA citizens only). But I found one nice thing: @HourlyCats (though @FacesPics and @BahnAnsagen are funny too, and the Postillon anyway). The internet is there for cat content, anyway.
Ahem. Do not contact me there, use IRC, more specifically, the Freenode network, and possibly memoserv to mirabilos instead, I can’t fit things into 140 chars, that’s just ridiculous. Also, don’t follow me. It may contain rants, it’s NSFW, and I’m not censoring there. As I said: I do not use it. So should you. (But kudos for having a mostly functional “fallback” site (the “mobile” one), which even works in PocketIE (Windows Mobile) and Opera 9, though not so much lynx(1)…)

odc (from #!/bin/mksh on IRC) is hacking support to use mksh instead of GNU bash for bootstrapping pkgsrc® (e.g. on Solaris). Nice! Good luck!

… à propos mksh(1), dear Debian armel and armhf buildd maintainer colleagues, pretty please with strawberries and chocolate ice on top (I just had that on waffles at my favourite ice salon, so I may be biased), do like s390x and update your chroots and wanna-build give-back mksh, as we requested, so the privacy fix makes it into jessie. Thanks in advance!

Oh, and Y_Plentyn and I both have been putting more and updated packages into my APT repository. XTaran held a talk at CLT 2015 mentioning it… maybe I should write up some docs about how to use it for which purposes (e.g. how to avoid systemd but not get the other packages from it, or how to use it with systemd (trivial but has to be stated, it’s freedom of choice after all), etc.)?

Besides decent fanfiction (the stories in the Uzumaki Naruto universe seem, on average, to be much longer than those in the Harry Potter one), the weather is becoming good, so I’ve already been enjoying going out for some geocaching and will have the bike fixed at the shop RSN (it suffers a bit each winter, as it stands outside, since our basement is mouldy, which is worse than a bit of rust IMHO) to get more activity in. Also planning to head to the GPS Maze in Mainz and, besides what time FrOSCon (including preparation) allows, heading to DebConf for a while.

mirabilos’ Waypoints

… to my shame I must admit I fucked up, and we still do not have support in libssl for SHA2-signed X.509 certificates. Also, StartSSL fucked up, so currently https for is toast.

Also more on the rant side, services offered by web-based platforms, be they web (e.g. Groundspeak’s GC.COM) or not (Googlemail, which $orkplace switched to against my express veto some time ago) are getting worse and worse over time. I had hoped they realise that and improve, especially when seeing small signs (such as GC.COM pages shrinking to 20% of the formerly served bloat) but… no.

After seeing what the Wildfly (formerly JBoss AS) and Liferay combo does to /tmp, and somewhat attempting to fix it, I saw JVM_TMP in the Debian tomcat7 init script and thought, oh no, not another one.

Is that even safe, what they do here, or is that a possibility to instantly pwn?

The net is full of literature for how to obtain temporary files and directories, but there is nothing about how to reliably obtain paths under /tmp or, more generally, directories not just writable for one single user (think the g+w thing that got FusionForge CVE-2013-1423).

The scenario here is: I am root, and I want to start something as another user, and pass it a stable path, such as /tmp/liferay. So I can just mkdir /tmp/liferay || die; chown thatuser /tmp/liferay and, in the “stop” process, rm -rf /tmp/liferay, right? (Of course not. Also, bad example, as the liferay thing can also be started as thatuser, and our devs regularly need to do that, the init script is there just for the admin convenience and reboot-safety. But I still am interested if there is a secure way to achieve this.)

The tomcat7 scenario is “trivial”: on That Other Init System™, it would just get its private /tmp declared in the .service file, and good is, no more hassle. That's one I have to give you. (No idea if this is actually shipped in jessie. Our production systems run wheezy anyway, so there is not even the slightest bit of temptation. Plus, it would not solve the liferay issue, see above. Still, a point for going into the right direction.)

The idea here is the same. It creates a directory on start and tears it down on stop. If there was nothing to do on start, the init script could just use mktemp -d. Heck, maybe it still should, but it would need to note down, and communicate to the stop instance, the actual name used. What a drag…
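The mktemp -d variant mentioned above, with the name handed from the “start” run to the “stop” run through a state file, as an added example that is not part of the original post. STATE_DIR, TMP_BASE, svc_start and svc_stop are names assumed here, and the state directory is assumed to be writable by root only:

```shell
#!/bin/sh
# Added example, not from the original post. STATE_DIR, TMP_BASE,
# svc_start and svc_stop are names assumed for this example.
# Assumption: STATE_DIR is writable by root only (e.g. below /run), so
# the "stop" run can trust the path recorded there by the "start" run.
: "${STATE_DIR:=/run}" "${TMP_BASE:=/tmp}"

# usage: svc_start name owner; prints the directory it created
svc_start() {
	name=$1 owner=$2 state=$STATE_DIR/$1.tmpdir
	if [ -e "$state" ] || [ -L "$state" ]; then
		echo >&2 "E: $state exists, is $name already running?"
		return 1
	fi
	# mktemp -d creates the directory itself (mode 0700, fresh name)
	# and fails rather than adopt an entry planted in /tmp beforehand
	dir=$(mktemp -d "$TMP_BASE/$name.XXXXXXXXXX") || return 1
	# -h: change the entry itself, never the target of a symlink
	chown -h -- "$owner" "$dir" || { rmdir -- "$dir"; return 1; }
	# record the name: write a private file, then rename it into place
	(umask 077 && printf '%s\n' "$dir" >"$state.$$") &&
	    mv -- "$state.$$" "$state" || return 1
	printf '%s\n' "$dir"
}

# usage: svc_stop name
svc_stop() {
	name=$1 state=$STATE_DIR/$1.tmpdir
	[ -f "$state" ] && [ ! -L "$state" ] || return 0	# nothing recorded
	IFS= read -r dir <"$state" || return 1
	case $dir in	# accept only names svc_start could have produced
	"$TMP_BASE/$name".??????????) ;;
	*)	echo >&2 "E: unexpected path in $state"
		return 1 ;;
	esac
	# the owner may have replaced the entry by now; without a trailing
	# slash, rm -rf unlinks a symlink instead of descending through it
	rm -rf -- "$dir" && rm -f -- "$state"
}
```

The directory name printed by svc_start is what the init script would pass on to the service, for instance in an environment variable.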

This is something I see popping up from time to time. I want to use stable paths for SSH session multiplexing control sockets in my ssh_config(5) file, but have them on tmpfs (Linux) or mfs (BSD) so they get properly removed on reboot. No Unix traditionally has per-user temporary directories that are clean and created after reboot. (Adjusting the paths is trivial once you have them.) Android has it worse, what with not having a world-writable tmp directory, which the shell needs e.g. for here documents; there are two components here, to have a directory the current user can write to, and to know its location. Some fail at the first, some at the second, some at both, and the classic /tmp is not the cure, as we have seen. (But if you ever see mksh erroring out due to lack of write permissions somewhere (including /sqlite_stmt_journals which used to be it) as non-root on Android, or even as root, set TMPDIR to something writable; it's tracked, so the change gets active immediately.)

TIL: the encoding of the catalina.out file is dependent on the system locale, using standard Debian wheezy tomcat7 package.

Fix for ‘?’ instead of umlauts in it:

cat >>/etc/default/tomcat7 <<EOF
export LC_CTYPE
EOF

My “problem” here is that I have the system locale be the “C” locale, to get predictable behaviour; applications that need it can set a locale by themselves. (Many don’t bother with POSIX locales and use different/separate means of determining especially encoding, but possibly also i18n/l10n. But it seems the POSIX locales are getting more and more used.)

Update: There is also adding -Dfile.encoding=UTF-8 to $JAVA_OPTS which seems to be more promising: no fiddling with locales, no breakage if someone defined LC_ALL already, and it sets precisely what it should set (the encoding) and nothing else (since the encoding does not need to correlate to any locale setting, why should it).
