Moving to HTTPS

2015-05-09  |   |  infrastructure  

I have decided to move this website to HTTPS. Let me know if you see anything fishy, cannot access it or if the RSS feed no longer updates. Why? With my country's government going completely stupid, I decided to play the nut game, I can be pretty stupid too.

In its infinite wisdom, the French government has decided to enable mass surveillance of the French people without oversight of the justice branch. Yes I know WTF?!

Anyways, in order to make things simpler for them, I have decided to move all of my web properties behind HTTPS (HTTP over TLS). Do I have anything to hide? Nope, I just want to increase universe entropy and make cracking our communication a bit more challenging.

My certificate fingerprints are:

  • SHA1: 15 3E 2E 67 39 28 20 28 6E F6 CF F5 E1 92 AB 07 72 32 72 90
  • MD5: 0B 2D 49 61 DE EA E1 D7 11 92 BA 3D 4F BD 73 E2

If you see something else, then you are being intercepted. Read more on secure connection fingerprints.

SPF for dummies - how to fight spams

2015-03-26  |   |  infrastructure  

In this post, you will learn everything you need about SPF (Sender Policy Framework), what it means for your emails and how / if to set it up for your domains.

What is it for and should I care?

This is a standard that helps reduce spam. Each domain lists in one DNS record the servers that are allowed to send emails for that domain. So when an email provider like Gmail sees an email sent from an address but coming from a server not listed in the SPF record, it knows it is likely spam.

Conversely, it is important to set such a record to keep your emails from being considered spam. More and more email providers consider domains without an SPF record more suspicious than others. Even if your domain does not send emails, you should set an SPF record: this will prevent spammers from faking emails from you.

How does it work?

As owner of a given domain, you will tell the world which servers you will send emails from. That is typically your SMTP server.

In practice, this is a TXT entry in the DNS records of your domain. Something like

"v=spf1 a ip4: -all"

v=spf1 is the protocol, all entries start with this.

a or generally says that all IPs listed in the DNS A record of the domain should be able to send emails for that domain. If the domain is not specified (a), then it is the domain for which the TXT DNS record lives.

ip4: means that IP is allowed to send emails for your domain. You can assign ranges as well. Likewise, there is an ip6 syntax. means that you should consider the SPF rules stored in the DNS entries of This is very useful if you use Google Apps / Gmail or send emails from another domain's SMTP server. Rules can be composed, so you can have explicit ips, a and includes in the same SPF entry.

There are also mx and ptr entries but I won't go into details.

Finally, you need to decide what to do when the rules don't match. That's where the all mechanism comes into play:

  • -all means that servers that do not pass the rules should be considered spammers
  • ~all means that servers that do not pass the rules should be considered spammers but we are not 100% sure so let them pass but be suspicious
  • ?all means that servers that do not pass the rules should be considered neutral (i.e. they may be legit or not)

If your list is exhaustive, use -all to lock things down. If people sending emails from your domain might use their own SMTP server, use ?all. ~all is for chickens ;)

You can get a formal description of all the options at

You can look up the SPF entries for any domain by typing

nslookup -q=TXT <domain>

This is useful before you add an include clause.
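
An added example (not from the original post): a small Python evaluator for the mechanisms described above. It shows how the same unknown sender gets fail, softfail or neutral depending on the all qualifier, and why a server that connects over IPv6 fails a record that lists only its ip4 address. The domain names, addresses and the DNS lookup table are constructed stand-ins for real DNS.

```python
import ipaddress

# Qualifier in front of a mechanism -> result when it matches ("+" is the default).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, sender_ip, domain, dns, depth=0):
    """Evaluate an SPF record for one connecting IP, left to right.
    dns is a constructed stand-in for real lookups:
      dns["a"][name] -> addresses (A and AAAA), dns["txt"][name] -> SPF record.
    Handles only the mechanisms the post covers: a, ip4, ip6, include, all.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                     # not an SPF record at all
    if depth > 5:
        return "permerror"                # simplified guard against include loops
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            # An IPv6 client can never match an ip4 range, and vice versa.
            matched = ip.version == net.version and ip in net
        elif name == "a":
            addrs = dns["a"].get(arg or domain, [])
            matched = any(ip == ipaddress.ip_address(a) for a in addrs)
        elif name == "include":
            inner = dns["txt"].get(arg)
            if inner is None:
                return "permerror"        # include target publishes no SPF record
            # Only a "pass" from the included record counts as a match; its own
            # -all does not end evaluation of the outer record.
            matched = check_spf(inner, sender_ip, arg, dns, depth + 1) == "pass"
        else:
            raise ValueError(f"term not handled in this example: {term}")
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                      # nothing matched and no "all" term

# Constructed sample data, using documentation-only names and address ranges.
DNS = {"a": {"example.org": ["192.0.2.10", "2001:db8::10"]},
       "txt": {"_spf.mailhost.example":
               "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8:100::/48 -all"}}

def demo():
    run = lambda rec, ip: check_spf(rec, ip, "example.org", DNS)
    strict = "v=spf1 a include:_spf.mailhost.example -all"
    v4_only = "v=spf1 ip4:192.0.2.10 -all"
    both = "v=spf1 ip4:192.0.2.10 ip6:2001:db8::10 -all"
    return {
        "own server": run(strict, "192.0.2.10"),
        "provider": run(strict, "198.51.100.7"),
        "stranger, -all": run(strict, "203.0.113.5"),
        "stranger, ~all": run(strict.replace("-all", "~all"), "203.0.113.5"),
        "stranger, ?all": run(strict.replace("-all", "?all"), "203.0.113.5"),
        # Same server, but it connected over IPv6 and only ip4 is listed.
        "ipv6, ip4-only record": run(v4_only, "2001:db8::10"),
        "ipv6, ip6 added": run(both, "2001:db8::10"),
    }

if __name__ == "__main__":
    print(demo())
```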

A few concrete examples

My domain never sends any email: "v=spf1 -all".

I use Gmail / Google Apps to send emails from that domain: "v=spf1 -all".

I use Gmail and Red Hat's SMTP: "v=spf1 -all".

I use the server hosting and Red Hat's SMTP: "v=spf1 a -all" (this is a shorthand for "v=spf1 -all")

People sending email as use various SMTP servers but for sure and it's corresponding IPv6 2001:db8::df4:cd23 and's SMTP servers: "v=spf1 ip4: ip6:2001:db8::df4:cd23 ?all"

A note on the TXT DNS entry: to use (I think) the bind syntax, here is what it looks like

# let's say it's the DNS zone of
# some domain
@ 10800 IN A
# some subdomains
awesome 10800 IN CNAME
blog 10800 IN CNAME
# looks like these guys use Google Mail
@ 10800 IN MX 10
awesome 10800 IN MX 10

# Here is our subject
# you need one entry per domain and subdomain sending emails
@ 10800 IN TXT "v=spf1 a -all"
awesome 10800 IN TXT "v=spf1 a -all"
# blog never sends emails
blog 10800 IN TXT "v=spf1 -all"

Conclusion and a few recommendations

I prefer domain names over IPs so I use a or mx entries. As much as I can, I use include and delegate the list to the real guys.

Google and others use special subdomains like to host their SPF rules. This is useful to separate different rulesets but bind them together in your primary domain via an include rule. If you are one of them, you probably don't need my blog entry in the first place :)

Remember that servers now have IPv6 addresses and that Google and others already have IPv6 infrastructure in place. Don't forget them: I had some emails denied because I was missing it and my server communicated with Google over IPv6.

My takeaway is simple: if you own a domain and send emails, add an SPF entry. It's relatively simple and the examples I gave you should get you a long way already.

PS: I am relatively new to this domain, feel free to correct me in the comments, if I made a mistake.

Get notified when terminal commands end

2015-03-26  |   |  tool  

Here is a tiny little tool that will speed up the multi-tasking life of terminal users: be notified when a command finishes.

How many times have you started a command in the terminal to realise that it will take a while? How many times did you then move to emails or twitter "in the mean time"? How many times have you forgotten about it and read our twitter feed for 30 minutes aka 25 minutes longer than the actual command?

This small tool solves that problem.

#!/bin/bash
# Notify you when a task is done
# $ notify mvn clean install
# runs 'mvn clean install'
# notify you when it's done
# A notification is sent upon build completion if your OS supports it:
# - on Mac OS, install Growl and growlnotify
# - on Linux, install notify-send
# Released under the WTFPL license version 2
# Copyright (c) 2010 David Gageot
# Copyright (c) 2011 Sanne Grinovero
# Copyright (c) 2010-2015 Emmanuel Bernard

say() {
    if [ "$(uname -s)" = "Darwin" ]; then
        # On Mac OS, notify via Growl
        which -s growlnotify && growlnotify --name "Command line" --sticky --message "'$CMD_DISPLAY' has finished - $RESULT"
    fi
    if [ "$(uname -s)" = "Linux" ]; then
        # On Linux, notify via notify-send
        which notify-send > /dev/null && notify-send "'$CMD_DISPLAY' has finished" "$RESULT"
    fi
}

if [[ $# -eq 0 ]]; then
  echo "Usage notify <command to run>"
  exit 1
fi

# Run the command exactly as typed, keeping each argument intact
CMD_DISPLAY="$*"
"$@"
EXIT_CODE=$?

if [ $EXIT_CODE -eq 0 ]; then
  RESULT="Success"
  echo "$RESULT"
  say
else
  RESULT="Failure"
  echo "$RESULT"
  say
  # Hand the command's own exit code back to the caller
  exit $EXIT_CODE
fi

When you want to monitor the completion of a command, simply prefix it with notify.

# Longish command you will forget about
rake clean publish

# Longish command you will be notified of upon completion
notify rake clean publish

A few things I particularly like:

  • I can decide which command to monitor
  • it reports the status (success or failure)

No more excuse for Twitter or other time sinkers.

A ticket to win for Devoxx France

2015-03-25  |   |  conference  

Devoxx France gave me a ticket for the work I did on the selection committee. Since I am a speaker, I don't need it. So it is for you.

Go see how to win it.

Unstuck the unread count of Apple Messages app on Mac OS X

2015-02-20  |   |  apple   Mac OS X  

The text message synchronization between iOS and Mac OS X devices is very useful. That is until one of the unread counts is stuck. There is nothing more irritating than a false unread badge.

It has happened to me on Apple Messages (iMessages) in Mac OS X Yosemite. The message would "unread" itself in front of my eyes. I deleted the message, that solved that part.

But the unread count remained at 1. I fumed for a couple of days until I found the solution. Open your Terminal application (in Applications/Utilities) and type

killall Dock

The incorrect unread count disappeared. I can sleep now.

One line per idea - the feedback

2014-10-06  |   |  writing  

I wrote a bit more than a year ago on how to wrap lines for markup languages. I promised to give feedback on this experiment and specifically the use of one line per idea or clause.

Remember that to me, using one line per paragraph is problematic:

  • navigating through it is a bit cumbersome
  • reviewing a git diff is annoying when you need to scroll horizontally
  • editing one character makes the whole paragraph show up as edited in your favorite diff tool (at least if it is not that smart)

I am sad to say that the one line per idea concept does not work for me despite its big advantages on paper and its elegance. In practice, forcing myself to split each sentence into separate ideas led to a slight writing slowdown and cognitive dissonance. In a nutshell, finding the natural split is not as easy as it sounds. And I could not really convince at least some of my colleagues enough of the benefits of this rule.

I settled for the following. One line per sentence. If the sentence is too long, one line per idea. And I won't mind if someone breaks the sentence at "odd" places.

It's one of those nice ideas that are not worth their cost.

I love what my Kindle did to my life

2014-08-29  |   |  book   productivity  

I have been a rather early adopter of ebook readers. The Sony PRS-505. But I gave it to my wife and moved on to read on my iPad instead: The whole buying books and moving them to the device was quite cumbersome and the iPad was good enough especially with the awesome Kindle app.

I physically met my colleagues a few months ago - no it does not happen very often - and two of them told me how they loved their physical Kindle device. I've been pondering the usefulness of yet another device in my life and finally decided to give it a go.

I bought the Amazon Kindle Paperwhite. Why? Well the price was not prohibitive. Why the Paperwhite? I'm a nocturnal beast, more than my wife at any rate. Why a Kindle? Now that gets interesting.

The reason this ebook reader changed my life can be summed up by:

  • I can read and only read on that thing
  • I can get my books instantly and wirelessly
  • I can read my books on multiple devices and they sync with each other
  • I can push non book content to the device wirelessly

Reading without interruption

That's a huge deal and that did bring back my pleasure of reading. An iPad is awesome but you get notified of tweets, facebook zombie parties, emails and all this chatter breaks your reading flow. I know you can disable notifications and put the device in Do Not Disturb.

But it is still oh so easy to jump in your emails for a quick check... and come back to reading 30 mins later having wasted your time. Same for twitter or the internet temptations. Now with the Kindle, you can go to the web but the experience is horrible enough to be a deterrent.

Frictionless book reading

I love DRM free formats. And I make a point of honor to free my encumbered digital assets if I can. And you can on Amazon books.

Still, it is undeniable that Amazon's experience with the Kindle devices, Kindle apps and Kindle shop ecosystem is just too good. No need to plug your device to a computer to get your books. And more importantly, I can stop reading a book on my Kindle, resume it on my iPhone while in the subway and go back to the Kindle in the evening. And the devices put me right where I stopped.

But wait there is more.

Selecting vs consuming

While I browse your twitter feed or wherever, I often see an interesting article that I want to read. But reading it now and stopping what I do long enough to read the article is extremely disruptive.

What I do instead is send to Instapaper articles I want to read. And ask Instapaper to send me a compiled list of unread articles to my Kindle device every day at 19:00 (that's 7:00 PM to our imperial friends). Instapaper integrates with a lot of apps including Twitter and you can use a Bookmarklet to push a page when browsing the web.

Tadaaaa! I have separated the selection process from the consumption process and I can be 100% into what I am doing and not sidetracked by the latest awesomeness the internet produces daily. I have this 20-30 mins of time in the evening (or most evenings at any rate) when I read my pre-selected articles. The nice thing is that Instapaper inserts links you can use to mark an article as read (they call it archived). If you have not read all articles, they will simply come back the next day in the next compilation.

I'm super happy with my experience and can't recommend it enough. Even the basic WiFi-only will do you good. I had a defect on mine: the lighting was casting visible shadows (1cm by 1.5cm). That is not normal, just ask for a replacement, they are friendly about it.

By the way, I don't need to, but I do pay for the Instapaper service. They are both cheap and awesome.

Overall taxation in France

2014-05-17  |   |  francais   economy  

I have always been interested in how taxation is distributed according to income in France. And now you tell me:

Hmm, what?!

If economics and society don't interest you right now, move along :)

The French tax system is so complicated that it is impossible to get a clear picture - not to mention the ideological biases. I came across a site that gives a more global picture than what you usually find.

They take into account:

  • income tax (including the CSG / CRDS)
  • capital tax (corporate tax, property tax, ISF and inheritance tax)
  • consumption tax (mainly VAT)
  • social contributions and other payroll taxes + housing tax (taxe d'habitation)

Unfortunately, the Sarko and Hollande years have come and gone since, and the data is fairly outdated. But what their data shows is that overall taxation is:

  • progressive up to the 50th income percentile
  • flat from the 50th to the 99th percentile
  • frankly regressive beyond that

If we exclude the last percentile, the French system would be fairly close to a "flat tax" with overall taxation between 40 and 50% - without the benefit of a flat tax, namely simplicity :)

Taxation of the French population

We need to agree on what progressive / regressive means. Here they talk about it as a percentage of income and not as the absolute amount of taxes paid.

They propose an alternative that I will let you discover through these few pointers:

Without getting into the debate, the site is well done both on the existing figures and on their proposals. I encourage you to also read their FAQ, which contains additional information, as well as the detractors section on their media page.

I do have a few remarks, though.

The unemployed and retirees

The figures highlighted on the site do not take the unemployed and retirees into account. The French system is then "on average" much more progressive. I imagine they wanted to show the inequalities in the nominal situation of employment.

Tax breaks

Their new income tax eliminates tax breaks. Yet these tax breaks generally have a purpose: to have individuals finance the state's objectives - donations to charities, investment in disadvantaged or under-invested areas (DOM overseas departments, TPE very small businesses), housing construction in areas considered short of it, reduction of undeclared work known as "home services", etc. I exclude the corporatist tax breaks here - tax breaks are like hunters, there are good ones and bad ones.

The alternative is 1. a tax increase 2. a centralization of decisions and investments by the state, which would as a result grow even bigger. I prefer to let the market play its part and leave these investment decisions to the millions of hands of the population.

Income and benefits?

Unfortunately, income is considered to be the sum of salary income and income from assets. What is missing is the indirect aid that the most disadvantaged percentiles can benefit from - aid, free services - but also the benefits of elected officials, etc. I don't know whether direct income such as the RSA is included.

Cost of living

The disparity in the cost of living between regions is not taken into account. It is more expensive to live in Ile-de-France than in Limousin. I have never found a fine-grained enough analysis that combines:

  • the cost of living as a proportion of income by geography
  • net income (after taxes but including all aid, indirect aid included)

Capital income

But the most important problem for me in their proposal is that capital income is taxed like labor income. These two types of income are fundamentally different. The risk of loss for capital is higher and not protected by society. Losing capital means losing the ability to generate that very income. Pushing it a bit, it is the equivalent of being unable to work, without the compensation and without the human drama behind it of course. François Saint-Cast and Bernard Zimmern call this the risk-tax (impôt-risque). Yet that is what launches ideas, starts companies and creates jobs.

Note that some consider that taxing capital income amounts to taxing the same money several times for the same person.

It is far from certain that taxing labor income and capital income in a similar way is a good idea.

So what?

In short, I find this site interesting for its picture of current taxation. If you have other sources on this subject, leave a comment.


2014-04-17  |   |  francais   change  

I had the chance to interview Tariq Krim for les cast codeurs and I caught a bit of his virus / enthusiasm for changing things. I am very glad he launched his initiative because it is something that had been running through my head since the interview.

Code for France, what is it?

Well, we don't really know. The idea is probably a mix of:

  • Hacking France to bring it up to date.
  • Code for America: helping administrations and cities fix their code problems.
  • the idea of a code repository where administrations would share code and improvements
  • offering one's help as a citizen
  • Moving the established boundaries

But deep down, who cares what it is today. Because what it will be in the end will be made of what people bring to it.

Isn't that a bit naive?

Totally. But that is precisely what matters!

Because the attitude that does not work is "it will never work", "what do you want me to do about it", "codeforfrance is not even a French title".

The attitude that works is "why not". There are more and more "why not" initiatives in France (Programmatoo / devoxx4kids, the jduchesses, Devoxx). And launching an initiative that is a bit crazier, a bit more ambitious, a bit more global is just the next step up.

And you, what are you going to do?

  1. I signed up.
  2. I am going to relay this launch.
  3. I am offering my know-how as a builder of communities (of coders).
  4. We'll see after that.

I was lucky enough to fall into open source, community work and code sharing when I was little. I think I understand it more viscerally than most. If it can be useful, I will help this initiative with my experience.

I too want to do my part as a citizen and hack France. It wears you down to complain without trying to change things.

Is it naive? Yes. So? You're on.

Some didn't try. They had problems!

Go to

Split a commit in two with Git

2014-04-14  |   |  tool   git  

Ever wished a commit was actually made of two? Read on.

There are several reasons why you could wish a commit was actually made of several distinct ones:

  • because it makes the history more readable
  • because you are trying to reorder some commits and it creates nasty conflicts
  • just because

Merging two commits into one is easy: look for squashing for more info. While I am relatively versed in Git, I never knew how to efficiently do the opposite - splitting commits - until today.

Split a commit in two for the busy ones

Let's see the sequence first before explaining it

git rebase -i <oldsha1>
# mark the expected commit as `edit` (replace pick in front of the line), save and close
git reset HEAD^
git add ...
git commit -m "First part"
git add ...
git commit -m "Second part"
git rebase --continue

What did we do?

A detailed explanation

Interactive rebase

git rebase -i <oldsha1> opens a list of commits from oldsha1 to the latest commit in the branch. You can:

  • reorder them,
  • change the commit message of some,
  • squash (merge) two commits together,
  • and edit a commit.

We use edit in our case as we want to change the commit. Simply replace the pick word with edit on the line of the commit you want to split. When you save and close this "file", you will be placed at that commit in the command line.

Undo the actual commit

If you do a git status or a git diff, you will see that git places you right after the commit. What we want is to undo the commit and place the changes in our working area.

This is what git reset HEAD^ does: it resets the branch to the parent of the commit being edited and leaves that commit's changes in the working area. HEAD^ means the parent of HEAD, i.e. the commit at HEAD minus 1.

Create the two commits

Next is simple gittery where you add changes and commit them the way you wish you had.

Finish the interactive rebasing

Make sure to finish the rebase by calling git rebase --continue. Hopefully, there won't be any conflicts and your history will contain the new commits.

A few more tips

This tip becomes much more powerful when you know how to add only parts of a file's changes to the staging area - instead of all of the file's changes, that is.

The magic tool for that is git add -p myfile but it is quite arid. I recommend you use either GitX (Mac OS X, GUI) or tig (CLI). They offer a more friendly interactive way to add chunks of changes (up to line by line additions).

Another interesting tip for people that work on topic branches forked off master. You can do git rebase -i master which will list the commits between master and your branch. See my previous post on the subject for more info.

Name: Emmanuel Bernard
Bio tags: French, Open Source actor, Hibernate, (No)SQL, JCP, JBoss, Snowboard, Economy
Employer: JBoss by Red Hat
Resume: LinkedIn
Team blog:
Personal blog: No relation to
Microblog: Twitter, Google+
Geoloc: Paris, France