chg: extract the logic of setting FD_CLOEXEC to a utility function Setting FD_CLOEXEC is useful for other fds such like lockfd and sockdirfd, move the logic from hgc_open to util.

chg: add fchdirx as a utility function As part of the series to support long socket paths, we need to use fchdir and check its result in several places. Make it a utility function.

chg: check lockfd at freecmdserveropts We check for sockdirfd at freecmdserveropts but not lockfd, which is a bit strange to people new to the code. Add a comment and an assert to make it clear that lockfd should be closed earlier.

chg: add sockdirfd to cmdserveropts As part of the series to support long socket paths, we need to add the fd of the directory to the cmdserveropts structure so we can use basenames instead of full paths for sockname, redirectsockname, and lockfile.

chg: fix spelling in the error message about error waiting for cmdserver This is a trivial spelling and grammar fix.

sslutil: document and slightly refactor validation logic This main purpose of this patch is to make it clearer that fingerprint pinning takes precedence over CA verification. This will make subsequent refactoring to the validation code easier to read.

sslutil: require a server hostname when wrapping sockets (API) All callers appear to be passing the hostname. So this shouldn't break anything. By specifying the hostname, more validation options from the ssl module are available to us. Although this patch stops short of using them.

sslutil: move and document verify_mode assignment Consolidating all the SSLContext options setting makes the code a bit easier to read.

tests: use --insecure instead of web.cacerts=! --insecure is the proper and documented way to do this. The end result is the same: dispatch will set web.cacerts to ! when --insecure is passed. This patch is necessary to refactor handling of web.cacerts in upcoming patches.

help: remove references to "Python 2.6 or later" We require Python 2.6. So there is no value to these docs.