Debian is a trademark of Software in the Public Interest, Inc. This site is operated independently in the spirit of point three of the Debian Social Contract which tells us We will not hide problems.

Feeds

December 09, 2024

Thorsten Alteholz

My Debian Activities in November 2024

Debian LTS

This was my hundred-twenty-fifth month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian. During my allocated time I uploaded or worked on:

  • [DLA 3968-1] netatalk security update to fix four CVEs related to heap buffer overflow and writing arbitrary files. The patches have been prepared by the maintainer.
  • [DLA 3976-1] tgt update to fix one CVE related to not using a propper seed for rand()
  • [DLA 3977-1] xfpt update to fix one CVE related to a stack-based buffer overflow
  • [DLA 3978-1] editorconfig-core update to fix two CVEs related to buffer overflows.

I also continued to work on a fix for glewlwyd, which is more difficult than expected. Besides I started to work on ffmpeg and haproxy.

Last but not least I did a week of FD this month and attended the monthly LTS/ELTS meeting.

Debian ELTS

This month was the seventy-sixth ELTS month. During my allocated time I uploaded or worked on:

  • [ELA-1259-1]editorconfig-core security update for two CVEs in Buster to fix buffer overflows.

I also started to work on a fix for kmail-account-wizzard. Unfortunately preparing a testing environment takes some time and I did not finish testing this month. Besides I started to work on ffmpeg and haproxy.

Last but not least I did a week of FD this month and attended the monthly LTS/ELTS meeting.

Debian Printing

Unfortunately I didn’t found any time to work on this topic.

Debian Matomo

Unfortunately I didn’t found any time to work on this topic.

Debian Astro

This month I uploaded new packages or new upstream or bugfix versions of:

I also sponsored an upload of calceph.

Debian IoT

This month I uploaded new upstream or bugfix versions of:

Debian Mobcom

This month I uploaded new packages or new upstream or bugfix versions of:

misc

This month I uploaded new upstream or bugfix versions of:

I also did some NMU of opensta, kdrill, glosstex, irsim, pagetools, afnix, cpm, to fix some RC bugs.

FTP master

This month I accepted 266 and rejected 16 packages. The overall number of packages that got accepted was 269.

09 December, 2024 06:51PM by alteholz

Paul Wise

FLOSS Activities November 2024

Focus

This month I didn't have any particular focus. I just worked on issues in my info bubble.

Changes

Issues

Review

Communication

  • Respond to queries from Debian users and contributors on IRC

Sponsors

The SWH work was sponsored. All other work was done on a volunteer basis.

09 December, 2024 02:14AM

December 08, 2024

hackergotchi for Dirk Eddelbuettel

Dirk Eddelbuettel

pinp 0.0.11 on CRAN: Maintenance

A new version of our pinp package arrived on CRAN today, and is the first release in four years. The pinp package allows for snazzier one or two column Markdown-based pdf vignettes, and is now used by a few packages. A screenshot of the package vignette can be seen below. Additional screenshots are at the pinp page.

pinp vignette

This release contains no new features or new user-facing changes but reflects the standard package and repository maintenance over the four-year window since the last release: updating of actions, updating of URLs and addressing small packaging changes spotted by ever-more-vigilant R checking code.

The NEWS entry for this release follows.

Changes in pinp version 0.0.11 (2024-12-08)

  • Standard package maintenance for continuous integration, URL updates, and packaging conventions

  • Correct two minor nags in the Rd file

Courtesy of my CRANberries, there is a diffstat report relative to previous release. More detailed information is on the ping page. For questions or comments use the issue tracker off the GitHub repo. If you like this or other open-source work I do, you can sponsor me at GitHub.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.

08 December, 2024 09:18PM

Russ Allbery

Review: Why Buildings Fall Down

Review: Why Buildings Fall Down, by Matthys Levy & Mario Salvadori

Illustrator: Kevin Woest
Publisher: W.W. Norton
Copyright: 1992
Printing: 1994
ISBN: 0-393-31152-X
Format: Trade paperback
Pages: 314

Why Buildings Fall Down is a non-fiction survey of the causes of structure collapses, along with some related topics. It is a sequel of sorts to Why Buildings Stand Up by Mario Salvadori, which I have not read. Salvadori was, at the time of writing, Professor Emeritus of Architecture at Columbia University (he died in 1997). Levy is an award-winning architectural engineer, and both authors were principals at the structural engineering firm Weidlinger Associates. There is a revised and updated 2002 edition, but this review is of the original 1992 edition.

This is one of those reviews that comes with a small snapshot of how my brain works. I got fascinated by the analysis of the collapse of Champlain Towers South in Surfside, Florida in 2021, thanks largely to a random YouTube series on the tiny channel of a structural engineer. Somewhere in there (I don't remember where, possibly from that channel, possibly not) I saw a recommendation for this book and grabbed a used copy in 2022 with the intent of reading it while my interest was piqued. The book arrived, I didn't read it right away, I got distracted by other things, and it migrated to my shelves and sat there until I picked it up on an "I haven't read nonfiction in a while" whim.

Two years is a pretty short time frame for a book to sit on my shelf waiting for me to notice it again. The number of books that have been doing that for several decades is, uh, not small.

Why Buildings Fall Down is a non-technical survey of structure failures. These are mostly buildings, but also include dams, bridges, and other structures. It's divided into 18 fairly short chapters, and the discussion of each disaster is brisk and to the point. Most of the structures discussed are relatively recent, but the authors talk about the Meidum Pyramid, the Parthenon (in the chapter on intentional destruction by humans), and the Pavia Civic Tower (in the chapter about building death from old age). If you are someone who has already been down the structural failure rabbit hole, you will find chapters on the expected disasters like the Tacoma Narrows Bridge collapse and the Hyatt Regency walkway collapse, but there are a lot of incidents here, including a short but interesting discussion of the Leaning Tower of Pisa in the chapter on problems caused by soil properties.

What you're going to get, in other words, is a tour of ways in which structures can fail, which is precisely what was promised by the title. This wasn't quite what I was expecting, but now I'm not sure why I was expecting something different. There is no real unifying theme here; sometimes the failure was an oversight, sometimes it was a bad design, sometimes it was a last-minute change, and sometimes it was something unanticipated. There are a lot of factors involved in structure design and any of them can fail. The closest there is to a common pattern is a lack of redundancy and sufficient safety factors, but that lack of redundancy was generally not deliberate and therefore this is not a guide to preventing a collapse. The result is a book that feels a bit like a grab-bag of structural trivia that is individually interesting but only occasionally memorable.

The writing style I suspect will be a matter of taste, but once I got used to it, I rather enjoyed it. In a co-written book, it's hard to separate the voices of the authors, but Salvadori wrote most of the chapter on the law in the first person and he's clearly a character. (That chapter is largely the story of two trials he testified in, which, from his account, involved him verbally fencing with lawyers who attempted to claim his degrees from the University of Rome didn't count as real degrees.) If this translates to his speaking style, I suspect he was a popular lecturer at Columbia.

The explanations of the structural failures are concise and relatively clear, although even with Kevin Woest's diagrams, it's hard to capture the stresses and movement in a written description. (I've found from watching YouTube videos that animations, or even annotations drawn while someone is talking, help a lot.) The framing discussion, well, sometimes that is bombastic in a way that I found amusing:

But we, children of a different era, do not want our lives to be enclosed, to be shielded from the mystery. We are eager to participate in it, to gather with our brothers and sisters in a community of thought that will lift us above the mundane. We need to be together in sorrow and in joy. Thus we rarely build monolithic monuments. Instead, we build domes.

It helps that passages like this are always short and thus don't wear out their welcome. My favorite line in the whole book is a throwaway sentence in a discussion of building failures due to explosions:

With a similar approach, it can be estimated that the chance of an explosion like that at Forty-fifth Street was at most one in thirty million, and probably much less. But this is why life is dangerous and always ends in death.

Going hard, structural engineering book!

It's often appealing to learn about things from their failures because the failures are inherently more dramatic and thus more interesting, but if you were hoping for an introduction to structural engineering, this is probably not the book you want. There is an excellent and surprisingly engaging appendix that covers the basics of structural analysis in 45 pages, but you would probably be better off with Why Buildings Stand Up or another architecture or structural engineering textbook (or maybe a video course). The problem with learning by failure case study is that all the case studies tend to blend together, despite the authors' engaging prose, and nearly every collapse introduces a new structural element with new properties and new failure modes and only the briefest of explanations. This book might make you a slightly more informed consumer of the news, but for most readers I suspect it will be a collection of forgettable trivia told in an occasionally entertaining style.

I think the book I wanted to read was something that went deeper into the process of forensic engineering, not just the outcomes. It's interesting to know what the cause of a failure was, but I'm more interested in how one goes about investigating a failure. What is the process, how do you organize the investigation, and how does the legal system around engineering failures work? There are tidbits and asides here, but this book is primarily focused on the structural analysis and elides most of the work done to arrive at those conclusions.

That said, I was entertained. Why Buildings Fall Down is a bit dated — the opening chapter on airplanes hitting buildings reads much differently now than when it was written in 1992, and I'm sure it was updated in the 2002 edition — but it succeeds in being clear without being soulless or sounding like a textbook. I appreciate an occasional rant about nuclear weapons in a book about architecture. I'm not sure I really recommend this, but I had a good time with it.

Also, I'm now looking for opportunities to say "this is why life is dangerous and always ends in death," so there is that.

Rating: 6 out of 10

08 December, 2024 04:04AM

December 07, 2024

Dominique Dumont

New cme command to update Debian Standards-Version field

Hi

While updating my Debian package, I often have to update a field from debian/control file.

This field is named Standards-Version and it declares which version of Debian policy the package complies to. When updating this field, one must follow the upgrading checklist.

That being said, I maintain a lot of similar package and I often have to update this Standards-Version field.

This field can be updated manually with cme fix dpkg (see Managing Debian packages with cme). But this command may make other changes and does not commit the result.

So I’ve created a new update-standards-version cme script that:

  • udpate Standards-Version field
  • commit the changed

For instance:

$ cme run update-standards-version 
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Connecting to api.ftp-master.debian.org to check 31 package versions. Please wait...
Got info from api.ftp-master.debian.org for 31 packages.
Warning in 'source Standards-Version': Current standards version is '4.7.0'. Please read https://www.debian.org/doc/debian-policy/upgrading-checklist.html for the changes that may be needed on your package
to upgrade it from standard version '4.6.2' to '4.7.0'.

Offending value: '4.6.2'

Changes applied to dpkg-control configuration:
- source Standards-Version: '4.6.2' -> '4.7.0'
[master 552862c1] control: declare compliance with Debian policy 4.7.0
 1 file changed, 1 insertion(+), 1 deletion(-)

Here’s the generated commit. Note that the generated log mentions the new policy version:

$ git show
commit 552862c1f24479b1c0c8c35a6289557f65e8ff3b (HEAD -> master)
Author: Dominique Dumont <dod[at]debian.org>
Date:   Sat Dec 7 19:06:14 2024 +0100

    control: declare compliance with Debian policy 4.7.0

diff --git a/debian/control b/debian/control
index cdb41dc0..e888012e 100644
--- a/debian/control
+++ b/debian/control
@@ -48,7 +48,7 @@ Build-Depends-Indep: dh-sequence-bash-completion,
                      libtext-levenshtein-damerau-perl,
                      libyaml-tiny-perl,
                      po-debconf
-Standards-Version: 4.6.2
+Standards-Version: 4.7.0
 Vcs-Browser: https://salsa.debian.org/perl-team/modules/packages/libconfig-model-perl
 Vcs-Git: https://salsa.debian.org/perl-team/modules/packages/libconfig-model-perl.git
 Homepage: https://github.com/dod38fr/config-model/wiki

Notes:

  • this script can run only if there’s not pending change. Please commit or stash these changes before running this script.
  • this script requires:
    • cme >= 1.041
    • libconfig-model-perl >= 2.155
    • libconfig-model-dpkg-perl >= 3.006

I hope this will be useful to all my fellow Debian developers to reduce the boring parts of packaging activities.

All the best

07 December, 2024 05:52PM by dod

Russ Allbery

Review: Dark Minds

Review: Dark Minds, by Michelle Diener

Series: Class 5 #3
Publisher: Eclipse
Copyright: 2016
ISBN: 0-6454658-5-2
Format: Kindle
Pages: 328

Dark Minds is the third book in the self-published Class 5 science-fiction romance series. It is a sequel to Dark Deeds and should not be read out of order, but as with the other books of the series, it follows new protagonists.

Imogen, like another Earth woman before her, was kidnapped by a Class 5 for experimentation by the Tecran. She was subsequently transferred to a research facility and has been held in cages and secret military bases for over three months. As the story opens, she had been imprisoned in a Tecran transport for a couple of weeks when the transport is taken by the Krik who kill all of the Tecran crew. Next stop: another Class 5.

That same Class 5 is where the Krik are taking Camlar Kalor and his team. Cam is a Grih investigator from the United Council, sent to look into reports of a second Earth woman rescued from a Garmman ship. (The series reader will recognize this as the plot of Dark Deeds.) Now he's trapped with the crews of a bunch of other random ships in the cargo hold of a Class 5 with Krik instead of Tecran roaming the halls, apparently at the behest of the ship's banned AI, and a mysterious third Earth woman already appears to be befriending it.

Imogen is the woman Fiona saw signs of in Dark Deeds. She's had a rougher time than the protagonists of the previous two books in this series, and she's been dropped into a less stable situation. The Class 5 she's brought to at the start of the story is far more suspicious (with quite a lot of cause) and somewhat more hostile than the AIs we've encountered previously. The rest of the story formula is roughly the same, though: hunky Grih officer with a personality completely indistinguishable from the hunky Grih officers in the previous two books, an AI with a sketchy concept of morality that desperately needs an ally, the Grih obsession with singing, the eventual discovery of useful armor and weaponry that Imogen can use to surprise people, and more political maneuvering over the Sentient Beings Agreement.

This entry in the series mostly abandons the Grih shock and horror at how badly the Earth women have been treated. This makes sense, given how dangerous Earth women have proven over the course of this series, and I like that Diener is changing the political dynamics as the story develops. I do sometimes miss that appalled anger of Dark Horse, but Dark Minds focuses more on the politics and corridor fighting of a tense multi-sided stand-off.

I found the action more gripping in Dark Minds than in Dark Deeds, and I liked Imogen more as a character than Fiona. She doesn't have the delightfully calm competence of Rose from Dark Horse, but she's a bit more hardened, a bit more canny, and is better at taking control of situations. I also like that Diener avoids simplistically pairing Earth women off with Class 5s. The series plot is progressing faster than I had expected, and that gives this book a somewhat different shape than the previous ones.

Cam is probably the least interesting of the men in this series so far and appears to exist solely to take up the man-shaped hole in the plot. This is not a great series for gender roles; thankfully, the romance is a small part of the plot and largely ignorable. The story is about the women and the AIs, and all of the women and most of the AIs of the previous books make an appearance. It's clear they're forming an alliance whether the Grih like it or not, and that part of the story was very satisfying.

Up to this book, this series had been all feel-good happy endings. I will risk the small spoiler and warn that this is not true to the same degree here, so you may not want to read this one if you want something entirely fluffy, light, and positive (inasmuch as a series involving off-screen experimentation on humans can be fluffy, light, and positive). That caught me by surprise in a way I didn't entirely like, and I wish Diener had stuck with the entirely positive tone.

Other than that, though, this was fun, light, readable entertainment. It's not going to win any literary awards, it's formulaic, the male protagonist comes from central casting, and the emphasis by paragraph break is still a bit grating in places, but I will probably pick up the next book when I'm in the mood for something light. Dark Minds is an improvement over book two, which bodes well for the rest of the series.

Followed by Dark Matters.

Rating: 7 out of 10

07 December, 2024 05:22AM

hackergotchi for Louis-Philippe Véronneau

Louis-Philippe Véronneau

lintian.debian.org: Episode IV – A New Hope

After weeks – dare I say months – of work, it is finally done. lintian.debian.org is back online!

Screenshot of the new lintian.debian.org website

Many, many thanks to everyone who worked hard to make this possible:

  • Thanks to Nicolas Peugnet, the author of lintian-ssg, who handed us this custom static site generator on a silver platter. I'm happy I didn't have to code this myself :)
  • Thanks to Otto Kekäläinen, maintainer of the lintian-ssg package in Debian, who worked in tandem with Nicolas to iron out problems.
  • Thanks to Philipp Kern, who did the work on the DSA side to put the website back online.

All in all, I did very little (mostly coordinating these fine folks) and they should get the credit for this very useful service being back.

07 December, 2024 03:17AM by Louis-Philippe Véronneau

December 06, 2024

hackergotchi for Bálint Réczey

Bálint Réczey

Firebuild 0.8.3 is out with 100+ fixes and experimental macOS support!

The new Firebuild release contains plenty of small fixes and a few notable improvements.

Experimental macOS support

The most frequently asked question from people getting to know Firebuild was if it worked on their Mac and the answer sadly used to be that well, it did, but only in a Linux VM. This was far from what they were looking for. �

Linux and macOS have common UNIX roots, but porting Firebuild to macOS included bigger challenges, like ensuring that dyld(1), macOS’s dynamic loader initializes the preloaded interceptor library early enough to catch all interesting calls, and avoid using anything that uses malloc() or thread local variables which are not yet set up then.

Preloading libraries on Linux is really easy, running LD_PRELOAD=my_lib.so ls just works if the library exports the symbols to be interposed, while macOS employs multiple lines of defense to prevent applications from using unknown libraries. Firebuild’s guide for making DYLD_INSERT_LIBRARIES honored on Macs can be helpful with other projects as well that rely on injecting libraries.

Since GitHub’s Arm64 macOS runners don’t allow intercepting binaries with arm64e ABI yet, Firebuild’s Apple Silicon tests are run at Bitrise, who are proud to be first to provide the latest Xcode stacks and were also quick to make the needed changes to their infrastructure to support Firebuild (thanks! â�¤).

Firebuild on macOS can already accelerate simple projects and rebuild itself with Xcode. Since Xcode introduces a lot of nondeterminism to the build, Firebuild can’t shine in acceleration with Xcode yet, but can provide nice reports to show which part of the build is the most time consuming and how each sub-command is called.

If you would like to try Firebuild on macOS please compile it from the GitHub repository for now. Precompiled binaries will be distributed on the Mac App Store and via CI providers. Contact us to get notified when those channels become available.

Dealing with the ‘Epochalypse’

Glibc’s API provides many functions with time parameters and some of those functions are intercepted by Firebuild. Time parameters used to be passed as 32-bit values on 32-bit systems, preventing them to accurately represent timestamps after year 2038, which is known as the Y2038 problem or the Epochalypse.

To deal with the problem glibc 2.34 started providing new function symbol variants with 64-bit time parameters, e.g clock_gettime64() in addition to clock_gettime(). The new 64-bit variants are used when compiling consumers of the API with _TIME_BITS=64 defined.

Processes intercepted by Firebuild may have been compiled with or without _TIME_BITS=64, thus libfirebuild now provides both variants on affected systems running glibc >= 34 to work safely with binaries using 64-bit and 32-bit time representation.

Many Linux distributions already stopped supporting 32-bit architectures, but Debian and Ubuntu still supports armhf, for example, where the Y2038 problem still applies. Both Debian and Ubuntu performed a transition rebuilding every library (and their reverse dependencies) with -D_FILE_OFFSET_BITS=64 set where the libraries exported symbols that changed when switching to 64-bit time representation (thanks to Steve Langasek for driving this!) . Thanks to the transition most programs are ready for 2038, but interposer libraries are trickier to fix and if you maintain one it might be a good idea to check if it works well both 32-bit and 64-bit libraries. Faketime, for example is not fixed yet, see #1064555.

Select passed through environment variables with regular expressions

Firebuild filters out most of the environment variables set when starting a build to make the build more reproducible and achieve higher cache hit rate. Extra environment variables to pass through can be specified on the command line one by one, but with many similarly named variables this may become hard to maintain. With regular expressions this just became easier:

firebuild -o 'env_vars.pass_through += "MY_VARS_.*"' my_build_command

If you are not interested in acceleration just would like to explore what the build does by generating a report you can simply pass all variables:

firebuild -r -o 'env_vars.pass_through += ".*"' my_build_command

Other highlights from the 0.8.3 release

  • Fixed and nicer report in Chrome and other WebKit based browsers
  • Support GLibc 2.39 by intercepting pidfd_spawn() and pidfd_spawnp()
  • Even faster Rust build acceleration

For all the changes please check out the release page on GitHub! 🚀

(This post is also published on The Firebuild blog.)

06 December, 2024 09:53PM by Réczey Bálint

hackergotchi for Dirk Eddelbuettel

Dirk Eddelbuettel

RcppArmadillo 14.2.2-1 on CRAN: Small Upstream Fixes

armadillo image

Armadillo is a powerful and expressive C++ template library for linear algebra and scientific computing. It aims towards a good balance between speed and ease of use, has a syntax deliberately close to Matlab, and is useful for algorithm development directly in C++, or quick conversion of research code into production environments. RcppArmadillo integrates this library with the R environment and language–and is widely used by (currently) 1197 other packages on CRAN, downloaded 37.5 million times (per the partial logs from the cloud mirrors of CRAN), and the CSDA paper (preprint / vignette) by Conrad and myself has been cited 605 times according to Google Scholar.

Conrad released a minor version 14.2.2 yesterday. This followed a bit of recent work a few of us did in the ensmallen and mlpack repositories following the [14.2.0 release]. Use of (member functions) .min(index) and .max(index) was deprecated in Armadillo in favor of .index_mix() and .index_max(). By now ensmallen and mlpack have been updated at CRAN. To add some spice, CRAN emailed that the (very much unreleased as of now, but coming likely next spring) gcc-15 was unhappy with RcppArmadillo due to some Armadillo code. This likely related to the listed gcc-15 C++ change about “Qualified name lookup failure into the current instantiation”. Anyway, Conrad fixed it within days and that change too is part of this new version (as is a small behaviour normalization between the two indexing methods that matters in case of ties, this was in 14.2.1).

The changes since the last CRAN release are summarised below.

Changes in RcppArmadillo version 14.2.2-1 (2024-12-05)

  • Upgraded to Armadillo release 14.2.2 (Smooth Caffeine)

    • Workarounds for regressions in pre-release versions of GCC 15

    • More selective detection of symmetric/hermitian matrices by various functions

Changes in RcppArmadillo version 14.2.1-1 (2024-11-24) (GitHub Only)

  • Upgraded to Armadillo release 14.2.1 (Smooth Caffeine)

    • Fix for index_min() and index_max() to ensure that the first index of equal extremum values is found

Courtesy of my CRANberries, there is a diffstat report relative to previous release. More detailed information is on the RcppArmadillo page. Questions, comments etc should go to the rcpp-devel mailing list off the Rcpp R-Forge page.

If you like this or other open-source work I do, you can sponsor me at GitHub.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.

06 December, 2024 06:34PM

December 05, 2024

Reproducible Builds

Reproducible Builds in November 2024

Welcome to the November 2024 report from the Reproducible Builds project!

Our monthly reports outline what we’ve been up to over the past month and highlight items of news from elsewhere in the world of software supply-chain security where relevant. As ever, if you are interested in contributing to the Reproducible Builds project, please visit our Contribute page on our website.

Table of contents:

  1. Reproducible Builds mourns the passing of Lunar
  2. Introducing reproduce.debian.net
  3. New landing page design
  4. SBOMs for Python packages
  5. Debian updates
  6. Reproducible builds by default in Maven 4
  7. PyPI now supports digital attestations
  8. “Dependency Challenges in OSS Package Registries”
  9. Zig programming language demonstrated reproducible
  10. Website updates
  11. Upstream patches
  12. Misc development news
  13. Reproducibility testing framework

Reproducible Builds mourns the passing of Lunar

The Reproducible Builds community sadly announced it has lost its founding member, Lunar. Jérémy Bobbio aka ‘Lunar’ passed away on Friday November 8th in palliative care in Rennes, France.

Lunar was instrumental in starting the Reproducible Builds project in 2013 as a loose initiative within the Debian project. He was the author of our earliest status reports and many of our key tools in use today are based on his design. Lunar’s creativity, insight and kindness were often noted.

You can view our full tribute elsewhere on our website. He will be greatly missed.


Introducing reproduce.debian.net

In happier news, this month saw the introduction of reproduce.debian.net. Announced at the recent Debian MiniDebConf in Toulouse, reproduce.debian.net is an instance of rebuilderd operated by the Reproducible Builds project.

rebuilderd is our server designed monitor the official package repositories of Linux distributions and attempts to reproduce the observed results there.

In November, reproduce.debian.net began rebuilding Debian unstable on the amd64 architecture, but throughout the MiniDebConf, it had attempted to rebuild 66% of the official archive. From this, it could be determined that it is currently possible to bit-for-bit reproduce and corroborate approximately 78% of the actual binaries distributed by Debian — that is, using the .buildinfo files hosted by Debian itself.

reproduce.debian.net also contains instructions how to setup one’s own rebuilderd instance, and we very much invite everyone with a machine to spare to setup their own version and to share the results. Whilst rebuilderd is still in development, it has been used to reproduce Arch Linux since 2019. We are especially looking for installations targeting Debian architectures other than i386 and amd64.


New landing page design

As part of a very productive partnership with the Sovereign Tech Fund and Neighbourhoodie, we are pleased to unveil our new homepage/landing page.

We are very happy with our collaboration with both STF and Neighbourhoodie (including many changes not directly related to the website), and look forward to working with them in the future.

SBOMs for Python packages

The Python Software Foundation has announced a new “cross-functional project for SBOMs and Python packages”. Seth Michael Larson writes that the project is “specifically looking to solve these issues”:

  • Enable Python users that require SBOM documents (likely due to regulations like CRA or SSDF) to self-serve using existing SBOM generation tools.
  • Solve the “phantom dependency” problem, where non-Python software is bundled in Python packages but not recorded in any metadata. This makes the job of software composition analysis (SCA) tools difficult or impossible.
  • Make the adoption work by relevant projects such as build backends, auditwheel-esque tools, as minimal as possible. Empower users who are interested in having better SBOM data for the Python projects they are using to be able to contribute engineering time towards that goal.

A GitHub repository for the initiative is available, and there are a number of queries, comments and remarks on Seth’s Discourse forum post.


Debian updates

There was significant development within Debian this month. Firstly, at the recent MiniDebConf in Toulouse, France, Holger Levsen gave a Debian-specific talk on rebuilding packages distributed from ftp.debian.org — that is to say, how to reproduce the results from the official Debian build servers:

Holger described the talk as follows:

For more than ten years, the Reproducible Builds project has worked towards reproducible builds of many projects, and for ten years now we have build Debian packages twice—with maximal variations applied—to see if they can be build reproducible still.

Since about a month, we’ve also been rebuilding trying to exactly match the builds being distributed via ftp.debian.org. This talk will describe the setup and the lessons learned so far, and why the results currently are what they are (spoiler: they are less than 30% reproducible), and what we can do to fix that.

The Debian Project Leader, Andreas Tille, was present at the talk and remarked later in his Bits from the DPL update that:

It might be unfair to single out a specific talk from Toulouse, but I’d like to highlight the one on reproducible builds. Beyond its technical focus, the talk also addressed the recent loss of Lunar, whom we mourn deeply. It served as a tribute to Lunar’s contributions and legacy. Personally, I’ve encountered packages maintained by Lunar and bugs he had filed. I believe that taking over his packages and addressing the bugs he reported is a meaningful way to honor his memory and acknowledge the value of his work.

Holger’s slides and video in .webm format are available.


Next, rebuilderd is the server to monitor package repositories of Linux distributions and attempt to reproduce the observed results. This month, version 0.21.0 released, most notably with improved support for binNMUs by Jochen Sprickerhof and updating the rebuilderd-debian.sh integration to the latest debrebuild version by Holger Levsen. There has also been significant work to get the rebuilderd package into the Debian archive, in particular, both rust-rebuilderd-common version 0.20.0-1 and rust-rust-lzma version 0.6.0-1 were packaged by kpcyrd and uploaded by Holger Levsen.

Related to this, Holger Levsen submitted three additional issues against rebuilderd as well:

  • rebuildctl should be more verbose when encountering issues. []
  • Please add an option to used randomised queues. []
  • Scheduling and re-scheduling multiple packages at once. []

… and lastly, Jochen Sprickerhof submitted one an issue requested that rebuilderd downloads the source package in addition to the .buildinfo file [] and kpcyrd also submitted and fixed an issue surrounding dependencies and clarifying the license []


Separate to this, back in 2018, Chris Lamb filed a bug report against the sphinx-gallery package as it generates unreproducible content in various ways. This month, however, Dmitry Shachnev finally closed the bug, listing the multiple sub-issues that were part of the problem and how they were resolved.


Elsewhere, Roland Clobus posted to our mailing list this month, asking for input on a bug in Debian’s ca-certificates-java package. The issue is that the Java key management tools embed timestamps in its output, and this output ends up in the /etc/ssl/certs/java/cacerts file on the generated ISO images. A discussion resulted from Roland’s post suggesting some short- and medium-term solutions to the problem.


Holger Levsen uploaded some packages with reproducibility-related changes:


Lastly, 12 reviews of Debian packages were added, 5 were updated and 21 were removed this month adding to our knowledge about identified issues in Debian.


Reproducible builds by default in Maven 4

On our mailing list this month, Hervé Boutemy reported the latest release of Maven (4.0.0-beta-5) has reproducible builds enabled by default. In his mailing list post, Hervé mentions that “this story started during our Reproducible Builds summit in Hamburg”, where he created the upstream issue that builds on a “multi-year” effort to have Maven builds configured for reproducibility.


PyPI now supports digital attestations

Elsewhere in the Python ecosystem and as reported on LWN and elsewhere, the Python Package Index (PyPI) has announced that it has finalised support for PEP 740 (“Index support for digital attestations”).

Trail of Bits, who performed much of the development work, has an in-depth blog post about the work and its adoption, as well as what is left undone:

One thing is notably missing from all of this work: downstream verification. […]

This isn’t an acceptable end state (cryptographic attestations have defensive properties only insofar as they’re actually verified), so we’re looking into ways to bring verification to individual installing clients. In particular, we’re currently working on a plugin architecture for pip that will enable users to load verification logic directly into their pip install flows.

There was an in-depth discussion on LWN’s announcement page, as well as on Hacker News.


Dependency Challenges in OSS Package Registries

At BENEVOL, the Belgium-Netherlands Software Evolution workshop in Namur, Belgium, Tom Mens and Alexandre Decan presented their paper, “An Overview and Catalogue of Dependency Challenges in Open Source Software Package Registries”.

The abstract of their paper is as follows:

While open-source software has enabled significant levels of reuse to speed up software development, it has also given rise to the dreadful dependency hell that all software practitioners face on a regular basis. This article provides a catalogue of dependency-related challenges that come with relying on OSS packages or libraries. The catalogue is based on the scientific literature on empirical research that has been conducted to understand, quantify and overcome these challenges. []

A PDF of the paper is available online.


Zig programming language demonstrated reproducible

Motiejus Jakšty posted an interesting and practical blog post on his successful attempt to reproduce the Zig programming language without using the pre-compiled binaries checked into the repository, and despite the circular dependency inherent in its bootstrapping process.

As a summary, Motiejus concludes that:

I can now confidently say (and you can also check, you don’t need to trust me) that there is nothing hiding in zig1.wasm [the checked-in binary] that hasn’t been checked-in as a source file.

The full post is full of practical details, and includes a few open questions.


Website updates

Notwithstanding the significant change to the landing page (screenshot above), there were an enormous number of changes made to our website this month. This included:

  • Alex Feyerke and Mariano Giménez:

  • Bernhard M. Wiedemann:

    • Update the “System images” page to document the e2fsprogs approach. []
  • Chris Lamb:

  • FC (Fay) Stegerman:

    • Replace more inline markdown with HTML on the “Success stories” page. []
    • Add some links, fix some other links and correct some spelling errors on the “Tools” page. []
  • Holger Levsen:

    • Add a historical presentation (“Reproducible builds everywhere eg. in Debian, OpenWrt and LEDE”) from October 2016. []
    • Add jochensp and Oejet to the list of known contributors. [][]
  • Julia Krüger:

  • Ninette Adhikari & hulkoba:

    • Add/rework the list of success stories into a new page that clearly shows milestones in Reproducible Builds. [][][][][][]
  • Philip Rinn:

    • Import 47 historical weekly reports. []
  • hulkoba:

    • Add alt text to almost all images (!). [][]
    • Fix a number of links on the “Talks”. [][]
    • Avoid so-called ‘ghost’ buttons by not using <button> elements as links, as the affordance of a <button> implies an action with (potentially) a side effect. [][]
    • Center the sponsor logos on the homepage. []
    • Move publications and generate them instead from a data.yml file with an improved layout. [][]

    • Make a large number of small but impactful stylisting changes. [][][][]

    • Expand the “Tools” to include a number of missing tools, fix some styling issues and fix a number of stale/broken links. [][][][][][]


Upstream patches

The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:


Misc development news


Reproducibility testing framework

The Reproducible Builds project operates a comprehensive testing framework running primarily at tests.reproducible-builds.org in order to check packages and other artifacts for reproducibility. In November, a number of changes were made by Holger Levsen, including:

  • reproduce.debian.net-related changes:

    • Create and introduce a new reproduce.debian.net service and subdomain []
    • Make a large number of documentation changes relevant to rebuilderd. [][][][][]
    • Explain a temporary workaround for a specific issue in rebuilderd. []
    • Setup another rebuilderd instance on the o4 node and update installation documentation to match. [][]
    • Make a number of helpful/cosmetic changes to the interface, such as clarifying terms and adding links. [][][][][]
    • Deploy configuration to the /opt and /var directories. [][]
    • Add an infancy (or ‘alpha’) disclaimer. [][]
    • Add more notes to the temporary rebuilderd documentation. []
    • Commit an nginx configuration file for reproduce.debian.net’s “Stats” page. []
    • Commit a rebuilder-worker.conf configuration for the o5 node. []
  • Debian-related changes:

    • Grant jspricke and jochensp access to the o5 node. [][]
    • Build the qemu package with the nocheck build flag. []
  • Misc changes:

    • Adapt the update_jdn.sh script for new Debian trixie systems. []
    • Stop installing the PostgreSQL database engine on the o4 and o5 nodes. []
    • Prevent accidental reboots of the o4 node because of a long-running job owned by josch. [][]

In addition, Mattia Rizzolo addressed a number of issues with reproduce.debian.net [][][][]. And lastly, both Holger Levsen [][][][] and Vagrant Cascadian [][][][] performed node maintenance.


If you are interested in contributing to the Reproducible Builds project, please visit our Contribute page on our website. However, you can get in touch with us via:

05 December, 2024 12:47PM

Russ Allbery

Review: Paladin's Hope

Review: Paladin's Hope, by T. Kingfisher

Series: The Saint of Steel #3
Publisher: Red Wombat Studio
Copyright: 2021
ISBN: 1-61450-613-2
Format: Kindle
Pages: 303

Paladin's Hope is a fantasy romance novel and the third book of The Saint of Steel series. Each book of that series features different protagonists in closer to the romance series style than the fantasy series style and stands alone reasonably well. There are a few spoilers for the previous books here, so you probably want to read the series in order.

Galen is one of the former paladins of the Saint of Steel, left bereft and then adopted by the Temple of the Rat after their god dies. Even more than the paladin protagonists of the previous two books, he reacted very badly to that death and has ongoing problems with nightmares and going into berserker rages when awakened. As the book opens, he's the escort for a lich-doctor named Piper who is examining a corpse found in the river.

The last of the five was the only one who did not share a certain martial quality. He was slim and well-groomed and would be considered handsome, but he was also extraordinarily pale, as if he lived his life underground.

It was this fifth man who nudged the corpse with the toe of his boot and said, "Well, if you want my professional opinion, this great goddamn hole in his chest is probably what killed him."

As it turns out, slim and well-groomed and exceedingly pale is Galen's type.

This is another paladin romance, this time between two men. It's almost all romance; the plot is barely worth mentioning. About half of the book is an exploration of a puzzle dungeon of the sort that might be fun in a video game or tabletop RPG, but that I found rather boring and monotonous in a novel. This creates a lot more room for the yearning and angst.

Kingfisher tends towards slow-burn romances. This romance is a somewhat faster burn than some of her other books, but instead implodes into one of the most egregiously stupid third-act break-ups that I've read in a romance plot. Of all the Kingfisher paladin books, I think this one was hurt the most by my basic difference in taste from the author. Kingfisher finds constant worrying and despair over being good enough for the romantic partner to be an enjoyable element, and I find it incredibly annoying. I think your enjoyment of this book will heavily depend on where you fall on that taste divide.

The saving grace of this book are the gnoles, who are by far the best part of this world. Earstripe, a gnole constable, is the one who found the body that the book opens with and he drives most of the plot, such that it is. He's also the source of the best banter in the book, which is full of pointed and amused gnole observations about humans and their various stupidities. Given that I was also grumbling about human stupidities for most of the book, the gnole viewpoint and I got along rather well.

"God's stripes." Earstripe shook his head in disbelief. "Bone-doctor would save some gnole, yes? If some gnole was hurt."

"Of course," said Piper. "If I could."

"And tomato-man would save some gnole?" He swung his muzzle toward Galen. "If some gnome needed big human with sword?"

"Yes, of course."

Earstripe spread his hands, claws gleaming. "A gnole saves some human. Same thing." He took a deep breath, clearly choosing his words carefully. "A gnole's compassion does not require fur."

We learn a great deal more about gnole culture, all of which I found fascinating, and we get a rather satisfying amount of gnole acerbic commentary. Kingfisher is very good at banter, and dialogue in general, which also smoothes over the paucity of detailed plot. There was no salvaging the romance, at least for me, but I did at least like Piper, and Galen wasn't too bad when he wasn't being annoyingly self-destructive.

I had been wondering a little if gay romance would, like sapphic romance, avoid my dislike of heterosexual gender roles. I think the jury is still out, but it did not work in this book because Galen is so committed to being the self-sacrificing protector who is unable to talk about his feelings that he single-handedly introduced a bunch of annoying pieces of the male gender role anyway. I will have to try that experiment with a book that doesn't involve hard-headed paladins.

I have yet to read a bad T. Kingfisher novel, but I thought this one was on the weaker side. The gnoles are great and kept me reading, but I wish there had been a more robust plot, a lot less of the romance, and no third-act break-up. As is, I recommend the other Saint of Steel books over this one. Ah well.

Followed by Paladin's Faith.

Rating: 6 out of 10

05 December, 2024 03:56AM

December 04, 2024

hackergotchi for Dirk Eddelbuettel

Dirk Eddelbuettel

corels 0.0.5 on CRAN: Maintenance

An updated version of the corels package is now on CRAN! The ‘Certifiably Optimal RulE ListS (Corels)’ learner provides interpretable decision rules with an optimality guarantee—a nice feature which sets it apart in machine learning. You can learn more about corels at its UBC site.

The changes concern mostly maintenance for both the repository (such as continunous integration setup, badges, documentation links, …) and the package level (such as removing the no-longer-requiring C++ compilation standard setter now emitting a NOTE at CRAN.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.

04 December, 2024 11:13PM

Antoine Beaupré

Why I should be running Debian unstable right now

So a common theme on the Internet about Debian is so old. And right, I am getting close to the stage that I feel a little laggy: I am using a bunch of backports for packages I need, and I'm missing a bunch of other packages that just landed in unstable and didn't make it to backports for various reasons.

I disagree that "old" is a bad thing: we definitely run Debian stable on a fleet of about 100 servers and can barely keep up, I would make it older. And "old" is a good thing: (port) wine and (any) beer needs time to age properly, and so do humans, although some humans never seem to grow old enough to find wisdom.

But at this point, on my laptop, I am feeling like I'm missing out. This page, therefore, is an evolving document that is a twist on the classic NewIn game. Last time I played seems to be #newinwheezy (2013!), so really, I'm due for an update. (To be fair to myself, I do keep tabs on upgrades quite well at home and work, which do have their share of "new in", just after the fact.)

New packages to explore

Those tools are shiny new things available in unstable or perhaps Trixie (testing) already that I am not using yet, but I find interesting enough to list here.

  • backdown: clever file deduplicator
  • broot: a TUI file manager with ncdu and magit-like features
  • codesearch: search all of Debian's source code (tens of thousands of packages) from the commandline! (see also dcs-cli, not in Debian)
  • dasel: JSON/YML/XML/CSV parser, similar to jq, but different syntax, not sure I'd grow into it, but often need to parse YML like JSON and failing
  • gomuks and ement.el: new Matrix clients
  • fyi: notify-send replacement
  • git-subrepo: git-submodule replacement I am considering
  • gpg-from-sq: Sequoia (Rust!) wrapper for GnuPG, might be able to replace everything but gpg-agent! currently at least missing send-keys, card-status, performance improvements on key listings, and quick-gen-key, but those can all be accessed through the gpg-from-gpg, and all work in progress
  • gtklock: swaylock replacement with bells and whistles, particularly interested in showing time, battery and so on
  • hyprland: possible Sway replacement, but there are rumors of a toxic community (rebuttal, I haven't reviewed either in detail), so approach carefully)
  • kooha: simple screen recorder with audio support, currently using wf-recorder which is a more.. minimalist option
  • linescroll: rate graphs on live logs, mostly useful on servers though
  • memray: Python memory profiler
  • ruff: faster Python formatter and linter, flake8/black/isort replacement, alas not mypy/LSP unfortunately, designed to be ran alongside such a tool, which is not possible in Emacs eglot right now, but is possible in lsp-mode
  • sfwbar: pretty status bar, may replace waybar, which i am somewhat unhappy with (my UTC clock disappears randomly)
  • shoutidjc: streaming workstation, currently using butt but it doesn't support HTTPS correctly (update: not so exciting, no GUI, no great error reporting - failed to fail with incorrect password)
  • spytrap-adb: cool spy gear
  • syslog-summary: log summarizer, one of many of the kind, but made by Lars, so it must be good
  • trippy: trippy network analysis tool, kind of an improved MTR
  • yubikey-touch-detector: notifications for when I need to touch my YubiKey

New packages I won't use

Those are packages that I have tested because I found them interesting, but ended up not using, but I think people could find interesting anyways.

  • kew: surprisingly fast music player, parsed my entire library (which is huge) instantaneously and just started playing (I still use Supersonic, for which I maintain a flatpak on my Navidrome server)
  • mdformat: good markdown formatter, think black or gofmt but for markdown), but it didn't actually do what I needed, and it's not quite as opinionated as it should (or could) be)

Backports already in use

Those are packages I already use regularly, which have backports or that can just be installed from unstable:

  • asn: IP address forensics
  • diffr: improved git diffs - i typically have this in magit, but this is useful when calling git diff directly in a shell, which i still do sometimes - riff is similar but not in Debian. there's also git-delta that's only in trixie, but it also supports ripgrep which is pretty cool
  • markdownlint: markdown linter, I use that a lot
  • poweralertd: pops up "your battery is almost empty" messages
  • sway-notification-center: used as part of my status bar, yet another status bar basically, a little noisy, stuck in a libc dep update
  • tailspin: used to color logs

Out of date packages

Those are packages that are in Debian stable (Bookworm) already, but that are somewhat lacking and could benefit from an upgrade.

Last words

If you know of cool things I'm missing out of, then by all means let me know!

That said, overall, this is a pretty short list! I have most of what I need in stable right now, and if I wasn't a Debian developer, I don't think I'd be doing the jump now. But considering how easier it is to develop Debian (and how important it is to test the next release!), I'll probably upgrade soon.

Previously, I was running Debian testing (which why the slug on that article is why-trixie), but now I'm actually considering just running unstable on my laptop directly anyways. It's been a long time since we had any significant instability there, and I can typically deal with whatever happens, except maybe when I'm traveling, and then it's easy to prepare for that (just pin testing).

04 December, 2024 05:59PM

Sven Hoexter

Looking at x509 Certificate Chains

Sometimes you've to look at the content of x509 certificate chains. Usually one finds them pem encoded and concatenated in a text file.

Since the openssl x509 subcommand only decodes the first certificate it will find in a file, I did something like this:

csplit -z -f 'cert' fullchain.pem '/-----BEGIN CERTIFICATE-----/' '{*}'
for x in cert*; do openssl x509 -in $x -noout -text; done

Apparently that's the "wrong" way and the more appropriate way is using the openssl crl2pkcs7 subcommand albeit we do not try to parse a revocation list here.

  openssl crl2pkcs7 -nocrl -certfile fullchain.pem | \
  openssl pkcs7 -print_certs -noout

Learned that one in a webinar presented by Victor Dukhovni. If you're new to the topic worth watching.

04 December, 2024 05:23PM

Enrico Zini

How to right click

I climbed on top of a mountain with a beautiful view, and when I started readying my new laptop for a work call (as one does on top of mountains), I realised that I couldn't right click and it kind of spoiled the mood.

Clicking on the bottom right corner of my touchpad left-clicked. Clicking with two fingers left-clicked. Alt-clicking, Super-clicking, Control-clicking, left clicked.

Here's there are two ways to simulate mouse buttons with touchpads in Wayland:

  • clicking on different areas at the bottom of the touchpad
  • double or triple-tapping, as long as the fingers are not too far apart

Skippable digression:

I'm not sure why Gnome insists in following Macs for defaults, which is what people with non-Mac hardware are less likely to be used to.

In my experience, Macs are as arbitrarily awkward to use as anything else, but they managed to build a community where if you don't understand how it works you get told you're stupid. All other systems (including Gnome) have communities where instead you get told (as is generally the case) that the system design is stupid, which at least gives you some amount of validation in your suffering.

Oh well.

How to configure right click

Surprisingly, this is not available in Gnome Shell settings. It can be found in gnome-tweaks: under "Keyboard & Mouse", "Mouse Click Emulation", one can choose between "Fingers" or "Area".

I tried both and went for "Area": I use right-drag a lot to resize windows, and I couldn't find a way, at least with this touchpad, to make it work consistently in "Fingers" mode.

04 December, 2024 04:51PM

hackergotchi for Bits from Debian

Bits from Debian

"Ceratopsian" will be the default theme for Debian 13

The theme "Ceratopsian" by Elise Couper has been selected as the default theme for Debian 13 "trixie". The theme is inspired by Trixie's (the fictional character from Toy Story) frill and is also influenced by a previously used theme called "futurePrototype" by Alex Makas.

Ceratopsian wallpaper. Click to see the whole theme proposal

Ceratopsian Website banner. Click to see the whole theme proposal

After the Debian Desktop Team made the call for proposing themes, a total of six choices were submitted. The desktop artwork poll was open to the public, and we received 2817 responses ranking the different choices, of which Ceratopsian has been ranked as the winner among them.

We'd like to thank all the designers that have participated and have submitted their excellent work in the form of wallpapers and artwork for Debian 13.

Congratulations, Elise, and thank you very much for your contribution to Debian!

04 December, 2024 12:30PM by Jonathan Carter

December 03, 2024

Russ Allbery

Review: Astrid Parker Doesn't Fail

Review: Astrid Parker Doesn't Fail, by Ashley Herring Blake

Series: Bright Falls #2
Publisher: Berkley Romance
Copyright: November 2022
ISBN: 0-593-33644-5
Format: Kindle
Pages: 365

Astrid Parker Doesn't Fail is a sapphic romance novel and a sequel to Delilah Green Doesn't Care. This is a romance style of sequel, which means that it spoils the previous book but involves a different set of protagonists, one of whom was a supporting character in the previous novel.

I suppose the title is a minor spoiler for Delilah Green Doesn't Care, but not one that really matters.

Astrid Parker's interior design business is in trouble. The small town of Bright Falls doesn't generate a lot of business, and there are limits to how many dentist office renovations that she's willing to do. The Everwood Inn is her big break: Pru Everwood has finally agreed to remodel and, even better, Innside America wants to feature the project. The show always works with local designers, and that means Astrid. National TV exposure is just what she needs to turn her business around and avoid an unpleasant confrontation with her domineering, perfectionist mother.

Jordan Everwood is an out-of-work carpenter and professional fuck-up. Ever since she lost her wife, nothing has gone right either inside or outside of her head. Now her grandmother is renovating the favorite place of her childhood, and her novelist brother had the bright idea of bringing her to Bright Falls to help with the carpentry work. The remodel and the HGTV show are the last chance for the inn to stay in business and stay in the family, and Jordan is terrified that she's going to fuck that up too. And then she dumps coffee all over the expensive dress of a furious woman in a designer dress because she wasn't watching where she was going, and that woman turns out to be the designer of the Everwood Inn renovation. A design that Jordan absolutely loathes.

The reader met Astrid in Delilah Green Doesn't Care (which you definitely want to read first). She's a bit better than she was there, but she's still uptight and unhappy and determined not to think too hard about why. When Jordan spills coffee down her favorite dress in their first encounter, shattering her fragile professional calm, it's not a meet-cute. Astrid is awful to her. Her subsequent regret, combined with immediately having to work with her and the degree to which she finds Jordan surprisingly attractive (surprising in part because Astrid thinks she's straight), slowly crack open Astrid's too-controlled life.

This book was, once again, just compulsively readable. I read most of it the same day that I started it, staying up much too late, and then finished it the next day. It also once again made me laugh in delight at multiple points. I am a sucker for stories about someone learning how to become a better person, particularly when it involves a release of anxiety, and oh my does Blake ever deliver on that. Jordan's arc is more straightforward than Astrid's — she just needs to get her confidence back — but her backstory is a lot more complex than it first appears, including a morally ambiguous character who I would hate in person but who I admired as a deft and tricky bit of characterization.

The characters from Delilah Green Doesn't Care of course play a significant role. Delilah in particular is just as much of a delight here as she was in the first book, and I enjoyed seeing the development of her relationship with her step-sister. But the new characters, both the HGTV film crew and the Everwoods, are also great. I think Blake has a real knack for memorable, distinct supporting characters that add a lot of depth to the main romance plot.

I thought this book was substantially more sex-forward than Delilah Green Doesn't Care, with some lust at first or second sight, a bit more physical description of bodies, and an extended section in the middle of the book that's mostly about sex. If this is or is not your thing in romance novels, you may have a different reaction to this book than the previous one.

There is, unfortunately, another third-act break-up, and this one annoyed me more than the one in Delilah Green Doesn't Care because it felt more unnecessary and openly self-destructive. The characters felt like they were headed towards a more sensible and less dramatic resolution, and then that plot twist caught me by surprise in an unpleasant way. After two books, I'm getting the sense that Blake has a preferred plot arc, at least in this series, and I wish she'd varied the story structure a bit more. Still, the third-act conflict was somewhat believable and the resolution was satisfying enough to salvage it.

If it weren't for some sour feelings about the shape of that plot climax, I would have said that I liked this book even better than Delilah Green Doesn't Care, and that's a high bar. This series is great, and I will definitely be reading the third one. I'm going to be curious how that goes since it's about Iris, who so far has worked better for me as a supporting character than a protagonist. But Blake has delivered compulsively readable and thoroughly enjoyable books twice now, so I'm definitely here for the duration.

If you like this sort of thing, I highly recommend this whole series.

Followed by Iris Kelly Doesn't Date in the romance series sense, but as before this book is a complete story with a satisfying ending.

Rating: 9 out of 10

03 December, 2024 03:26AM

December 02, 2024

hackergotchi for Bits from Debian

Bits from Debian

Bits from the DPL

This is bits from DPL for November.

MiniDebConf Toulouse

I had the pleasure of attending the MiniDebConf in Toulouse, which featured a range of engaging talks, complementing those from the recent MiniDebConf in Cambridge. Both events were preceded by a DebCamp, which provided a valuable opportunity for focused work and collaboration.

DebCamp

During these events, I participated in numerous technical discussions on topics such as maintaining long-neglected packages, team-based maintenance, FTP master policies, Debusine, and strategies for separating maintainer script dependencies from runtime dependencies, among others. I was also fortunate that members of the Publicity Team attended the MiniDebCamp, giving us the opportunity to meet in person and collaborate face-to-face.

Independent of the ongoing lengthy discussion on the Debian Devel mailing list, I encountered the perspective that unifying Git workflows might be more critical than ensuring all packages are managed in Git. While I'm uncertain whether these two questions--adopting Git as a universal development tool and agreeing on a common workflow for its use--can be fully separated, I believe it's worth raising this topic for further consideration.

Attracting newcomers

In my own talk, I regret not leaving enough time for questions--my apologies for this. However, I want to revisit the sole question raised, which essentially asked: Is the documentation for newcomers sufficient to attract new contributors? My immediate response was that this question is best directed to new contributors themselves, as they are in the best position to identify gaps and suggest improvements that could make the documentation more helpful.

That said, I'm personally convinced that our challenges extend beyond just documentation. I don't get the impression that newcomers are lining up to join Debian only to be deterred by inadequate documentation. The issue might be more about fostering interest and engagement in the first place.

My personal impression is that we sometimes fail to convey that Debian is not just a product to download for free but also a technical challenge that warmly invites participation. Everyone who respects our Code of Conduct will find that Debian is a highly diverse community, where joining the project offers not only opportunities for technical contributions but also meaningful social interactions that can make the effort and time truly rewarding.

In several of my previous talks (you can find them on my talks page –just search for "team," and don't be deterred if you see "Debian Med" in the title; it's simply an example), I emphasized that the interaction between a mentor and a mentee often plays a far more significant role than the documentation the mentee has to read. The key to success has always been finding a way to spark the mentee's interest in a specific topic that resonates with their own passions.

Bug of the Day

In my presentation, I provided a brief overview of the Bug of the Day initiative, which was launched with the aim of demonstrating how to fix bugs as an entry point for learning about packaging. While the current level of interest from newcomers seems limited, the initiative has brought several additional benefits.

I must admit that I'm learning quite a bit about Debian myself. I often compare it to exploring a house's cellar with a flashlight –you uncover everything from hidden marvels to things you might prefer to discard. I've also come across traces of incredibly diligent people who have invested their spare time polishing these hidden treasures (what we call NMUs). The janitor, a service in Salsa that automatically updates packages, fits perfectly into this cellar metaphor, symbolizing the ongoing care and maintenance that keep everything in order. I hadn't realized the immense amount of silent work being done behind the scenes--thank you all so much for your invaluable QA efforts.

Reproducible builds

It might be unfair to single out a specific talk from Toulouse, but I'd like to highlight the one on reproducible builds. Beyond its technical focus, the talk also addressed the recent loss of Lunar, whom we mourn deeply. It served as a tribute to Lunar's contributions and legacy. Personally, I've encountered packages maintained by Lunar and bugs he had filed. I believe that taking over his packages and addressing the bugs he reported is a meaningful way to honor his memory and acknowledge the value of his work.

Advent calendar bug squashing

I’d like to promote an idea originally introduced by Thorsten Alteholz, who in 2011 proposed a Bug Squashing Advent Calendar for the Debian Med team. (For those unfamiliar with the concept of an Advent Calendar, you can find an explanation on Wikipedia.) While the original version included a fun graphical element —which we’ve had to set aside due to time constraints (volunteers, anyone?)— we’ve kept the tradition alive by tackling one bug per day from December 1st to 24th each year. This initiative helps clean up issues that have accumulated over the year.

Regardless of whether you celebrate the concept of Advent, I warmly recommend this approach as a form of continuous bug-squashing party for every team. Not only does it contribute to the release readiness of your team’s packages, but it’s also an enjoyable and bonding activity for team members.

Best wishes for a cheerful and productive December

Andreas.

02 December, 2024 11:00PM by Andreas Tille

hackergotchi for Dirk Eddelbuettel

Dirk Eddelbuettel

anytime 0.3.10 on CRAN: Multiple Enhancements

A new release of the anytime package arrived on CRAN today—the first is well over four years. The package is fairly feature-complete, and code and functionality remain mature and stable, of course.

anytime is a very focused package aiming to do just one thing really well: to convert anything in integer, numeric, character, factor, ordered, … input format to either POSIXct (when called as anytime) or Date objects (when called as anydate) – and to do so without requiring a format string as well as accomodating different formats in one input vector. See the anytime page, or the GitHub repo for a few examples, and the beautiful documentation site for all documentation.

This release slowly matured over four years. It combines a number of strictly internal repository maintenance such as changes to continuous integration with small enhancements (adding for example some new formats, responding better to an error condition, dealing with logical input as an error) with a relaxation of the C++ compilation standard. While we once needed C++11, it is now a constraint as as R itself is quite proactive (the last two releases defaulted already to C++17, suitable compiler permitting) we can now relax this constraint. The documentation site is new, as some other small changes. See the full list of changes which follows.

Changes in anytime version 0.3.10 (2024-12-02)

  • A new documentation site was added.

  • Continuous Integration now uses run.sh from r-ci with bspm

  • Logical input vectors are now recognised as an error (#121)

  • Additional dot-separated format '%Y.%m.%d' is supported

  • Other small updates were made throughout the package

  • No longer set a C++ compilation standard as the default choices by R are sufficient for the package

  • Switch Rcpp include file to Rcpp/Lightest

  • We recommend ~/.R/Makevars compiler flag options -Wno-ignored-attributes -Wno-nonnull -Wno-parentheses

  • The tinytest runner was simplified

  • NA values from conversion now trigger a warning

Courtesy of my CRANberries, there is also a diffstat report of changes relative to the previous release. The issue tracker tracker off the GitHub repo can be use for questions and comments. More information about the package is at the package page, the GitHub repo and the documentation site. If you like this or other open-source work I do, you can now sponsor me at GitHub.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.

02 December, 2024 10:01PM

hackergotchi for Jonathan Dowland

Jonathan Dowland

jungle/acid/etc

I thought it had been a full year since I last shared a playlist, but it's been two! I had a plan to produce more, but it seems I haven't. Instead here's a few tracks I've discovered recently which share a common theme.

In August I stumbled across a Sound on Sound video interviewing Pete Cannon, who creates authentically old-school Jungle music using tools and techniques from the time, including AKAI samplers and the Commodore Amiga computer.

Here's three tracks that I found since then. Some 8-bit Amiga-jungle,

by

some slower-paced acid house from someone ostensibly based on Whitley Bay,

by

and a darker piece I heard on the radio.

by

02 December, 2024 10:00PM

hackergotchi for Junichi Uekawa

Junichi Uekawa

Graph for my furusato tax.

Graph for my furusato tax. Exceeding 150-man will inevitably exceed 50-man limit for Ichiji-shotoku. So added some rough calculation there. graph.

02 December, 2024 05:39AM by Junichi Uekawa

Russ Allbery

Review: Long Live Evil

Review: Long Live Evil, by Sarah Rees Brennan

Series: Time of Iron #1
Publisher: Orbit
Copyright: July 2024
ISBN: 0-316-56872-4
Format: Kindle
Pages: 433

Long Live Evil is a portal fantasy (or, arguably more precisely, a western take on an isekai villainess fantasy) and the first book of a series. If the author's name sounds familiar, it's possibly because of In Other Lands, which got a bunch of award nominations in 2018, She has also written a lot of other YA fantasy, but this is her first adult epic fantasy novel.

Rae is in the hospital, dying of cancer. Everything about that experience, from the obvious to the collapse of her friendships, absolutely fucking sucks. One of the few bright points is her sister's favorite fantasy series, Time of Iron, which her sister started reading to her during chemo sessions. Rae mostly failed to pay attention until the end of the first book and the rise of the Emperor. She fell in love with the brooding, dangerous anti-hero and devoured the next two books. The first book was still a bit hazy, though, even with the help of a second dramatic reading after she was too sick to read on her own.

This will be important later.

After one of those reading sessions, Rae wakes up to a strange woman in her hospital room who offers her an option. Rather than die a miserable death that bankrupts her family, she can go through a door to Eyam, the world of Time of Iron, and become the character who suits her best. If she can steal the Flower of Life and Death from the imperial greenhouse on the one day a year that it blooms, she will wake up, cured. If not, she will die. Rae of course goes through, and wakes in the body of Lady Rahela, the Beauty Dipped in Blood, the evil stepsister. One of the villains, on the night before she is scheduled to be executed.

Rae's initial panic slowly turns to a desperate glee. She knows all of these characters. She knows how the story will turn out. And she has a healthy body that's not racked with pain. Maybe she's not the heroine, but who cares, the villains are always more interesting anyway. If she's going to be cast as the villain, she's going to play it to the hilt. It's not like any of these characters are real.

Stories in which the protagonists are the villains are not new (Nimona and Hench come to mind just among books I've reviewed), but they are having a moment. Assistant to the Villain by Hannah Nicole Maehrer came out last year, and this book and Django Wexler's How to Become the Dark Lord and Die Trying both came out this year. This batch of villain books all take different angles on the idea, but they lean heavily on humor. In Long Live Evil, that takes the form of Rae's giddy embrace of villainous scheming, flouncing, and blatant plot manipulation, along with her running commentary on the various characters and their in-story fates.

The setup here is great. Rae is not only aware that she's in a story, she knows it's full of cliches and tropes. Some of them she loves, some of them she thinks are ridiculous, and she isn't shy about expressing both of those opinions. Rae is a naturally dramatic person, and it doesn't take her long to lean into the opportunities for making dramatic monologues and villainous quips, most of which involve modern language and pop culture references that the story characters find baffling and disconcerting.

Unfortunately, the base Time of Iron story is, well, bad. It's absurd grimdark epic fantasy with paper-thin characters and angst as a central character trait. This is clearly intentional for both in-story and structural reasons. Rae enjoys it precisely because it's full of blood and battles and over-the-top brooding, malevolent anti-heroes, and Rae's sister likes the impossibly pure heroes who suffer horrible fates while refusing to compromise their ideals. Rae is also about to turn the story on its head and start smashing its structure to try to get herself into position to steal the Flower of Life and Death, and the story has to have a simple enough structure that it doesn't get horribly confusing once smashed. But the original story is such a grimdark parody, and so not my style of fantasy, that I struggled with it at the start of the book.

This does get better eventually, as Rae introduces more and more complications and discovers some surprising things about the other characters. There are several delightful twists concerning the impossibly pure heroine of the original story that I will not spoil but that I thought retroactively made the story far more interesting. But that leads to the other problem: Rae is both not very good at scheming, and is flippant and dismissive of the characters around her. These are both realistic; Rae is a young woman with cancer, not some sort of genius mastermind, and her whole frame for interacting with the story is fandom discussions and arguments with her sister. Early in the book, it's rather funny. But as the characters around her start becoming more fleshed out and complex, Rae's inability to take them seriously starts to grate. The grand revelation to Rae that these people have their own independent existence comes so late in the book that it's arguably a spoiler, but it was painfully obvious to everyone except Rae for hundreds of pages before it got through Rae's skull.

Those are my main complaints, but there was a lot about this book that I liked. The Cobra, who starts off as a minor villain in the story, is by far the best character of the book. He's not only more interesting than Rae, he makes everyone else in the book, including Rae, more interesting characters through their interactions. The twists around the putative heroine, Lady Rahela's stepsister, are a bit too long in coming but are an absolute delight. And Key, the palace guard that Rae befriends at the start of the story, is the one place where Rae's character dynamic unquestionably works. Key anchors a lot of Rae's scenes, giving them a sense of emotional heft that Rae herself would otherwise undermine.

The narrator in this book does not stick with Rae. We also get viewpoint chapters from the Cobra, the Last Hope, and Emer, Lady Rahela's maid. The viewpoints from the Time of Iron characters can be a bit eye-roll-inducing at the start because of how deeply they follow the grimdark aesthetic of the original story, but by the middle of the book I was really enjoying the viewpoint shifts. This story benefited immensely from being seen from more angles than Rae's chaotic manipulation. By the end of the book, I was fully invested in the plot line following Cobra and the Last Hope, to the extent that I was a bit disappointed when the story would switch back to Rae.

I'm not sure this was a great book, but it was fun. It's funny in places, but I ended up preferring the heartfelt parts to the funny parts. It is a fascinating merger of gleeful fandom chaos and rather heavy emotional portrayals of both inequality and the experience of terminal illness. Rees Brennan is a stage four cancer survivor and that really shows; there's a depth, nuance, and internal complexity to Rae's reactions to illness, health, and hope that feels very real. It is the kind of book that can give you emotional whiplash; sometimes it doesn't work, but sometimes it does.

One major warning: this book ends on a ridiculous cliffhanger and does not in any sense resolve its main plot arc. I found this annoying, not so much because of the wait for the second volume, but because I thought this book was about the right length for the amount of time I wanted to spend in this world and wish Rees Brennan had found a way to wrap up the story in one book. Instead, it looks like there will be three books. I'm in for at least one more, since the story was steadily getting better towards the end of Long Live Evil, but I hope the narrative arc survives being stretched out across that many words.

This one's hard to classify, since it's humorous fantasy on the cover and in the marketing, and that element is definitely present, but I thought the best parts of the book were when it finally started taking itself seriously. It's metafictional, trope-subverting portal fantasy full of intentional anachronisms that sometimes fall flat and sometimes work brilliantly. I thought the main appeal of it would be watching Rae embrace being a proper villain, but then the apparent side characters stole the show. Recommended, but you may have to be in just the right mood.

Content notes: Cancer, terminal illness, resurrected corpses, wasting disease, lots of fantasy violence and gore, and a general grimdark aesthetic.

Rating: 7 out of 10

02 December, 2024 05:26AM

December 01, 2024

hackergotchi for Guido Günther

Guido Günther

Free Software Activities November 2024

Another short status update of what happened on my side last month. The larger blocks are the Phosh 0.43 release, the initial file chooser portal, phosh-osk-stub now handling digit, number, phone and PIN input purpose via special layouts as well as Phoc mostly catching up with wlroots 0.18 and the current development version targeting 0.19.

phosh

  • When taking a screenshot via keybinding or power button long press save screenshots to clipboard and disk (MR)
  • Robustify Screenshot CI job (MR)
  • Update CI pipeline (MR)
  • Fix notifications banners that aren't tall enough not being shown (MR). Another 4y old bug hopefully out of the way.
  • Add rfkill mock and docs (MR). Useful for HKS testing.
  • Release 0.43~rc1 and 0.43
  • Drop libsoup workaround (MR)
  • Ensure notification only takes its actual height (MR)

phoc

  • Move wlroots 0.18 update forward (MR). Needs a bit more work before we can make it default.
  • Catch up with wlroots development branch (MR) allowing us to test current wlroots again.
  • Some of the above already applies to main so schedule it for 0.44 (MR)

phosh-mobile-settings

  • Don't mark release notes as translatable to save some i18n effort (MR)
  • Release 0.43~rc1 and 0.43.0

libphosh-rs

phosh-osk-stub

  • Add layouts for PIN, number and phone input purpose (MR)
  • Release 0.43~rc1
  • Ensure translation get picked up, various cleanups and release 0.43.0 (MR)
  • Make desktop file match app-id (MR)

phosh-tour

  • Fix typo and reduce number of strings to translate (MR)
  • Add translator comments (MR). This, the above and additional fixes in p-m-s were prompted by i18n feedback from Alexandre Franke, thanks a lot!
  • Release 0.43.0

pfs

  • Initial version of the adaptive file chooser dialog using gtk-rs. See demo.
  • Allow to activate via double click (for non-touch use) (MR)

xdg-desktop-portal-phosh

  • Use pfs to provide a file chooser portal (MR)

meta-phosh

  • Slightly improve point release handling (MR)
  • Improve string freeze announcements and add phosh-tour (MR)

Debian

  • Upload Phosh 0.43.0~rc1 and 0.43.0 (MR, MR, MR, MR, MR, MR, MR, MR, MR, MR, MR)
  • meta-phosh: Add Recommend: for xdg-desktop-portal-phosh (MR)
  • phosh-osk-data got accepted, create repo, brush up packaging and upload to unstable (MR
  • phosh-osk-stub: Recommend data packager (MR
  • Phosh: drop reverts (MR)
  • varnam-schemes: Fix autopkgtest (MR)
  • varnam-schemes: Improve packaging (MR)
  • Prepare govarnam 1.9.1 (MR)

Calls

  • ussd: Set input purpose and switch to AdwDialog (MR, Screenshot)

libcall-ui

  • Drop libhandy leftover (MR)

git-buildpackage

  • Improve docs and cleanup markdown (MR)
  • Mention gbp push in intro (MR)
  • Use application instead of productname entities to improve reading flow (MR)

wlroots

  • Drop mention of wlr_renderer_begin_with_buffer (MR)

python-dbusmock

  • Add mock for gsd-rfkill (MR)

xdg-spec

  • Sync notification categories with the portal spec (MR)
  • Add categories for SMS (MR)
  • Add a pubdate so it's clear the specs aren't stale (MR) (got fixed in a different and better way, thanks Matthias!)

ashpd

  • Allow to set filters in file chooser portal demo (MR)

govarnam

  • Robustify file generation (MR)

varnam-schemes

  • Unbreak tests on non intel/amd architectures (e.g. arm64) (MR)

Reviews

This is not code by me but reviews I did on other peoples code. The list is incomplete, but I hope to improve on this in the upcoming months. Thanks for the contributions!

  • flathub: livi runtime and gst update (MR)
  • phosh: Split linters into their own test suite (MR)
  • phosh; QuickSettings follow-up (MR)
  • phosh: Accent color fixes (MR)
  • phosh: Notification animation (MR)
  • phosh: end-session dialog timeout fix (MR)
  • phosh: search daemon (MR)
  • phosh-ev: Migrate to newer gtk-rs and async_channel (MR)
  • phosh-mobile-settings: Update gmobile (MR)
  • phosh-mobile-settings: Make panel-switcher scrollable (MR)
  • phosh-mobile-settings: i18n comments (MR)
  • gbp doc updates (MR)
  • gbp handle suite names with number prefix (MR)
  • Debian libvirt dependency changes (MR
  • Chatty: misc improvements (MR
  • iio-sensor-proxy: buffer driver without trigger (MR)
  • gbp doc improvements (MR)
  • gbp: More doc improvements (MR)
  • gbp: Clean on failure (MR)
  • gbp: DEP naming consistency (MR)

Help Development

If you want to support my work see donations. This includes a list of hardware we want to improve support for. Thanks a lot to all current and past donors.

Comments?

Join the Fediverse thread

01 December, 2024 06:55PM

hackergotchi for Colin Watson

Colin Watson

Free software activity in November 2024

Most of my Debian contributions this month were sponsored by Freexian.

You can also support my work directly via Liberapay.

Conferences

I attended MiniDebConf Toulouse 2024, and the MiniDebCamp before it. Most of my time was spent with the Freexian folks working on debusine; Stefano gave a talk about its current status with a live demo (frantically fixed up over the previous couple of days, as is traditional) and with me and others helping to answer questions at the end. I also caught up with some people I haven’t seen in ages, ate a variety of delicious cheeses, and generally had a good time. Many thanks to the organizers and sponsors!

After the conference, Freexian collaborators spent a day and a half doing some planning for next year, and then went for an afternoon visiting the Cité de l’espace.

Rust team

I upgraded these packages to new upstream versions, as part of upgrading pydantic and rpds-py:

  • rust-archery
  • rust-jiter (noticing an upstream test bug in the process)
  • rust-pyo3 (fixing CVE-2024-9979)
  • rust-pyo3-build-config
  • rust-pyo3-ffi
  • rust-pyo3-macros
  • rust-pyo3-macros-backend
  • rust-regex
  • rust-regex-automata
  • rust-regex
  • rust-serde
  • rust-serde-derive
  • rust-serde-json
  • rust-speedate
  • rust-triomphe

Python team

Last month, I mentioned that we still need to work out what to do about the multipart vs. python-multipart name conflict in Debian (#1085728). We eventually managed to come up with an agreed plan; Sandro has uploaded a renamed binary package to experimental, and I’ve begun work on converting reverse-dependencies (asgi-csrf, fastapi, python-curies, and starlette done so far). There’s a bit more still to do, but I expect we can finish it soon.

I fixed problems related to adding Python 3.13 support in:

I fixed some packaging problems that resulted in failures any time we add a new Python version to Debian:

I fixed other build/autopkgtest failures in:

I packaged python-quart-trio, needed for a new upstream version of python-urllib3, and contributed a small packaging tweak upstream.

I backported a twisted fix that caused problems in other packages, including breaking debusine‘s tests.

I disentangled some upstream version confusion in python-catalogue, and upgraded to the current upstream version.

I upgraded these packages to new upstream versions:

Other small fixes

I contributed Incus support to needrestart upstream.

In response to Helmut’s Cross building talk at MiniDebConf Toulouse, I fixed libfilter-perl to support cross-building (5b4c2e10, f9788c27).

I applied a patch to move aliased files from / to /usr in iprutils (#1087733).

I adjusted debconf to use the new /usr/lib/apt/apt-extracttemplates path (#1087523).

I upgraded putty to 0.82.

01 December, 2024 03:00PM by Colin Watson

hackergotchi for Daniel Pocock

Daniel Pocock

Gerry ‘The Monk’ Hutch: criminals vs geeks, multinationals vs Ireland

Looking at the statistics for Dublin Central, there are 7,000 more preference transfers to be distributed and Gerry 'the Monk' Hutch has a lead of 800 votes over the candidate in fifth place. If the Monk gets another 300 votes from the transfers, Sherlock, in fifth place, would need another 1,100 votes to overtake and displace the Monk.

A lot of people don't fill in the whole ballot paper so it is not clear if Sherlock can get enough transfers to catch up.

Why did over 3,000 people give their first vote to a criminal but only 27 people gave their first vote to a software engineer who attempts to answer today's most critical questions about social control media's impact on children and the rise of AI? With so many tech workers in Ireland, why didn't they rally around one of their own?

The question about tech worker votes is easier to answer with facts that can be checked. Quite simply, many of the tech workers are not Irish citizens. They are a combination of European citizens and people from Brazil, India and further afield. The European citizens, for example, from Poland or Spain, are entitled to vote in the European elections but they are not entitled to vote in the national elections. Many people from countries like Brazil or India come to Ireland on a student visa to complete a masters degree, they are living in estates like Citywest on the edge of the city and they end up working as contractors for some of the large multinationals. Some of them are employed directly while many are employed as contractors. This makes it much harder to estimate their role in the economy. For various reasons, including the time they lose commuting, the silos created by their employment, their social circles and the neighborhoods where they live, we don't see these people participating in the open source eco-system or other voluntary pursuits.

On the question of people voting for Gerry 'the Monk' Hutch, this was already hinted at in my previous blog. The Monk received an enormous amount of free publicity due to his criminal record. If I speak to friends from France or other countries, they all seem to know that there is a criminal in the Irish election. International awareness of the Monk's history seems to be far higher than awareness that more significant figures, like the leader of Australia's opposition party, is a former detective and the British Prime Minister is a former Director of the Crown Prosecution Service.

For any Irish police (Gardai) who find this infatuation with a gangster unpalatable, Australia has offered them asylum.

Every few hours, the election officials stand up on a stage and give people an update on the progress of vote counting. As the names of the candidates are read out, their supporters cheer. Each time the name "Hutch, Gerard" is announced, there is silence. Despite spending all Saturday afternoon at the count center, I could not identify one person affiliated with the Monk.

While nobody cheers for him, everybody has something to say about it. His strong performance sends a message. The voters' message is not exactly clear but it is disparaging for everybody else in the room. One interpretation of the message is that Irish voters couldn't tell the difference between a politican and a criminal. Perhaps some people are so unhappy that they think a criminal could do better than the status quo. Or maybe the 3,000 people who voted Monk are all about to leave for Australia or the US anyway and this was their idea of a prank.

Whichever interpretation you choose, I had the perception that many people in Ireland's political elite did feel both insulted and undervalued both from the pro-Monk media bias and the voters' verdict. For some of the other candidates, the thought of finishing on only 27 votes like me would have been more bearable than the fact that they polled lower than the 3,000 votes achieved by the Monk.

From the Monk to the poisoned chalice

About a week ago, I wrote my own observations on the likely impact when US multinationals shift their corporation tax back to the US. On Tuesday, an official from the incoming Trump administration confirmed Ireland is a specific target and on Wednesday, two days before voting, the Irish government admitted that even if only three of the top multinationals stop paying Irish tax, the state will lose ten billion euros in revenue.

Candidates spent three weeks on the campaign trail promising to spend money but in reality, they will have to cut expenditures almost immediately. The promises from the campaign, for example, the cross-party support for the Western rail link are still fresh in the minds of voters.

Given the potential tax revenue shortfalls were announced in the week of the vote, I feel this created a war-time voting mentality. When voters face great uncertainty from things far away, like Ukraine, Gaza, Lebanon and Donald Trump, the voters tend to prefer the status quo and the larger parties.

We can see this in practice in various ways: except for the Monk, the campaigns of other high profile independent candidates generally fizzled out at the ballot box. The same logic explains the decimation of the Greens party. The Greens were a member of the previous coalition, having a minister in the ruling government gave them a lot of publicity but now they have lost almost all their seats. The communist party may win more seats than the Greens. When the country-at-war or world-at-war mentality is at the forefront of voters' minds, they may simply see the eco-policies of the Greens as a luxury that can be put on hold for another five years until the next election.

Yet in this particular case, the crisis Ireland faces is a crisis of having all our eggs in one basket with the corporate tax revenues of multinationals from a single country, the USA. The two large center right parties that Ireland votes for have created that situation and they have been complacent in spending the money year in and year out without working to diversify income streams for the state. Gravitating to the large well-known center right parties feels like a contradiction because it is a reward to the parties who created the problem.

Ironically, the same multinationals in the tech sector who have provided this tax revenue pre-Trump are also responsible for the problems of social control media and fake news that have negatively impacted the very same election campaign.

Looking towards the future: tax will be optional, for some

Wouldn't it be nice if tax was optional?

In fact, such situations do arise and they are not necessarily good for the state.

When paying tax is optional, the very large tax payers can exert even more influence. For example, if a multinational has a choice of paying their taxes in one of three countries and all three countries provide a similar tax rate, the multinational may seek to influence each of those countries to 'win' the taxes. As an example, the countries competing for that revenue may be encouraged to become even more dependent on the multinationals by putting all the state IT infrastructure into cloud services provided by the same companies.

A different type of multinational, Philip Morris, has their international headquarters in Vaud, Switzerland. For some years, they chose to optionally pay the church taxes. At some point they simply changed their mind and stopped paying that tax. It was odd to hear church leaders complaining about the loss of revenue from a tobacco company.

If it comes to pass that Gerry Hutch is elected, will we see him lobbying for the legalization and taxation of any other substances on Irish territory?

01 December, 2024 08:00AM

hackergotchi for Junichi Uekawa

Junichi Uekawa

Lots of travel and back to Tokyo.

Lots of travel and back to Tokyo. Then I got sick. Trying to work on my bass piece, but it's really hard and I am having hard time getting to a reasonable shape. Discussions on Debconf 2026 bid. Hoping it will materialize soon.

01 December, 2024 06:36AM by Junichi Uekawa

hackergotchi for Sandro Knauß

Sandro Knauß

QML Dependency tracking in Debian

Tracking library dependencies work in Debian to resolve from symbols usage to a library and add this to the list of dependencies. That is working for years now. The KDE community nowadays create more and more QML based applications. Unfortunately QML is a interpreted language, this means missing QML dependencies will only be an issue at runtime.

To fix this I created dh_qmldeps, that searches for QML dependencies at build time and will fail if it can't resolve the QML dependency.

Me didn't create an own QML interpreter, just using qmlimportscanner behind the scenes and process the output further to resolve the QML modules to Debian packages.

The workflow is like follows:

The package compiles normally and split to the binary packages. Than dh_qmldeps scans through the package content to find QML content ( .qml files, or qmldirfor QML modules). All founded files will be scanned by qmlimportscanner, the output is a list of depended QML modules. As QML modules have a standardized file path, we can ask the Debian system, which packages ship this file path. We end up with a list of Debian packages in the variable ${qml6:Depends}. This variable can be attached to the list of dependencies of the scanned package. A maintainer can also lower some dependencies to Recommends or Suggest, if needed.

You can find the source code on salsa and usage documentation you can find on https://qt-kde-team.pages.debian.net/dh_qmldeps.html.

The last weeks I now enabled dh_qmldeps for newly every package, that creates a QML6 module package. So the first bugs are solved and it should be usable for more packages.

By scanning with qmlimportscanner trough all code, I found several non-existing QML modules:

  • import QtQuick3DPrivate qt6-multimedia - no Private QML module QTBUG-131753.
  • import QtQuickPrivate qt6-graphs - no Private QML module QTBUG-131754.
  • import QtQuickTimeline qt6-quicktimeline - the correct QML name is QtQuick.Timeline QTBUG-131755.
  • import QtQuickControls2 qt6-webengine - looks like a porting bug as the QML6 modules name is QtQuick.Controls QTBUG-131756.
  • import QtGraphicalEffects kquickimageeditor - the correct name is for QML6 is qt5compat.graphicaleffects, properly as it is an example nobody checks it kquickimageeditor!7.

YEAH - the first milestone is reached. We are able to simply handle QML modules.

But QML applications there is still room for improvement. In apps the QML files are inside the executable. Additionally applications create internal QML modules, that are shipped directly in the same executable. I still search for a good way to analyse an executable to get a list of internal QML modules and a list of included QML files. Any ideas are welcomed :)

As workaround dh_qmldeps scans currently all QML files inside the application source code.

01 December, 2024 12:00AM by Sandro Knauß

November 30, 2024

Dima Kogan

Strava track filtering validation

After years of seeing people's strava tracks, I became convinced that they insufficiently filter the data, resulting in over-estimating the effort. Today I did a bit of lazy analysis, and half-confirmed this: in the one case I looked at, strava reported reasonable elevation gain numbers, but greatly overestimated the distance traveled.

I looked at a single gps track of a long bike ride. This was uploaded to strava manually, as a .gpx file. I can imagine that different things happen if you use the strava app or some device that integrates with the service (the filtering might happen before the data hits the server, and the server could decide to not apply any more filtering).

I processed the data with a simple hysteretic filter, ignoring small changes in position and elevation, trying out different thresholds in the process. I completely ignore the timestamps, and only look at the differences between successive points. This handles the usual GPS noise; it does not handle GPS jumps, which I completely ignore in this analysis. Ignoring these would produce inflated elevation/gain numbers, but I'm working with a looong track, so hopefully this is a small effect.

Clearly this is not scientific, but it's something.

The code

Parsing .gpx is slow (this is a big file), so I cache that into a .vnl:

import sys
import gpxpy

filename_in  = 'INPUT.gpx'
filename_out = 'OUTPUT.gpx'

with open(filename_in, 'r') as f:
    gpx = gpxpy.parse(f)

f_out = open(filename_out, 'w')

tracks = gpx.tracks
if len(tracks) != 1:
    print("I want just one track", file=sys.stderr)
    sys.exit(1)
track = tracks[0]

segments = track.segments
if len(segments) != 1:
    print("I want just one segment", file=sys.stderr)
    sys.exit(1)
segment = segments[0]

time0 = segment.points[0].time
print("# time lat lon ele_m")
for p in segment.points:
    print(f"{(p.time - time0).seconds} {p.latitude} {p.longitude} {p.elevation}",
          file = f_out)

And I process this data with the different filters (this is a silly Python loop, and is slow):

#!/usr/bin/python3

import sys
import numpy as np
import numpysane as nps
import gnuplotlib as gp
import vnlog
import pyproj

geod = None
def dist_ft(lat0,lon0, lat1,lon1):

    global geod
    if geod is None:
        geod = pyproj.Geod(ellps='WGS84')
    return \
        geod.inv(lon0,lat0, lon1,lat1)[2] * 100./2.54/12.




f = 'OUTPUT.gpx'

track,list_keys,dict_key_index = \
    vnlog.slurp(f)

t      = track[:,dict_key_index['time' ]]
lat    = track[:,dict_key_index['lat'  ]]
lon    = track[:,dict_key_index['lon'  ]]
ele_ft = track[:,dict_key_index['ele_m']] * 100./2.54/12.



@nps.broadcast_define( ( (), ()),
                       (2,))
def filter_track(ele_hysteresis_ft,
                 dxy_hysteresis_ft):

    dist        = 0.0
    ele_gain_ft = 0.0

    lon_accepted = None
    lat_accepted = None
    ele_accepted = None

    for i in range(len(lat)):

        if ele_accepted is not None:
            dxy_here  = dist_ft(lat_accepted,lon_accepted, lat[i],lon[i])
            dele_here = np.abs( ele_ft[i] - ele_accepted )

            if dxy_here < dxy_hysteresis_ft and dele_here < ele_hysteresis_ft:
                continue

            if ele_ft[i] > ele_accepted:
                ele_gain_ft += dele_here;

            dist += np.sqrt(dele_here * dele_here +
                            dxy_here  * dxy_here)

        lon_accepted = lon[i]
        lat_accepted = lat[i]
        ele_accepted = ele_ft[i]

    # lose the last point. It simply doesn't matter

    dist_mi = dist / 5280.
    return np.array((ele_gain_ft, dist_mi))




Nele_hysteresis_ft    = 20
ele_hysteresis0_ft    = 5
ele_hysteresis1_ft    = 100
ele_hysteresis_ft_all = np.linspace(ele_hysteresis0_ft,
                                    ele_hysteresis1_ft,
                                    Nele_hysteresis_ft)

Ndxy_hysteresis_ft = 20
dxy_hysteresis0_ft = 5
dxy_hysteresis1_ft = 1000
dxy_hysteresis_ft  = np.linspace(dxy_hysteresis0_ft,
                                 dxy_hysteresis1_ft,
                                 Ndxy_hysteresis_ft)


# shape (Nele,Ndxy,2)
gain,distance = \
    nps.mv( filter_track( nps.dummy(ele_hysteresis_ft_all,-1),
                          dxy_hysteresis_ft),
            -1,0 )


# Stolen from mrcal
def options_heatmap_with_contours( plotoptions, # we update this on output

                                   *,
                                   contour_min           = 0,
                                   contour_max,
                                   contour_increment     = None,
                                   do_contours           = True,
                                   contour_labels_styles = 'boxed',
                                   contour_labels_font   = None):
    r'''Update plotoptions, return curveoptions for a contoured heat map'''

    gp.add_plot_option(plotoptions,
                       'set',
                       ('view equal xy',
                        'view map'))

    if do_contours:
        if contour_increment is None:
            # Compute a "nice" contour increment. I pick a round number that gives
            # me a reasonable number of contours

            Nwant = 10
            increment = (contour_max - contour_min)/Nwant

            # I find the nearest 1eX or 2eX or 5eX
            base10_floor = np.power(10., np.floor(np.log10(increment)))

            # Look through the options, and pick the best one
            m   = np.array((1., 2., 5., 10.))
            err = np.abs(m * base10_floor - increment)
            contour_increment = -m[ np.argmin(err) ] * base10_floor

        gp.add_plot_option(plotoptions,
                           'set',
                           ('key box opaque',
                            'style textbox opaque',
                            'contour base',
                            f'cntrparam levels incremental {contour_max},{contour_increment},{contour_min}'))

        if contour_labels_font is not None:
            gp.add_plot_option(plotoptions,
                               'set',
                               f'cntrlabel format "%d" font "{contour_labels_font}"' )
        else:
            gp.add_plot_option(plotoptions,
                               'set',
                               f'cntrlabel format "%.0f"' )

        plotoptions['cbrange'] = [contour_min, contour_max]

        # I plot 3 times:
        # - to make the heat map
        # - to make the contours
        # - to make the contour labels
        _with = np.array(('image',
                          'lines nosurface',
                          f'labels {contour_labels_styles} nosurface'))
    else:
        gp.add_plot_option(plotoptions, 'unset', 'key')
        _with = 'image'

    using = \
        f'({dxy_hysteresis0_ft}+$1*{float(dxy_hysteresis1_ft-dxy_hysteresis0_ft)/(Ndxy_hysteresis_ft-1)}):' + \
        f'({ele_hysteresis0_ft}+$2*{float(ele_hysteresis1_ft-ele_hysteresis0_ft)/(Nele_hysteresis_ft-1)}):3'
    plotoptions['_3d']     = True
    plotoptions['_xrange'] = [dxy_hysteresis0_ft,dxy_hysteresis1_ft]
    plotoptions['_yrange'] = [ele_hysteresis0_ft,ele_hysteresis1_ft]
    plotoptions['ascii']   = True # needed for using to work

    gp.add_plot_option(plotoptions, 'unset', 'grid')

    return \
        dict( tuplesize=3,
              legend = "", # needed to force contour labels
              using = using,
              _with=_with)




contour_granularity = 1000
plotoptions = dict()
curveoptions = \
    options_heatmap_with_contours( plotoptions, # we update this on output
                                   # round down to the nearest contour_granularity
                                   contour_min = (np.min(gain) // contour_granularity)*contour_granularity,
                                   # round up to the nearest contour_granularity
                                   contour_max = ((np.max(gain) + (contour_granularity-1)) // contour_granularity) * contour_granularity,
                                   do_contours = True)
gp.add_plot_option(plotoptions, 'unset', 'key')
gp.add_plot_option(plotoptions, 'set', 'size square')
gp.plot(gain,
        xlabel  = "Distance hysteresis (ft)",
        ylabel  = "Elevation hysteresis (ft)",
        cblabel = "Elevation gain (ft)",
        wait = True,
        **curveoptions,
        **plotoptions,
        title    = 'Computed gain vs filtering parameters')


contour_granularity = 10
plotoptions = dict()
curveoptions = \
    options_heatmap_with_contours( plotoptions, # we update this on output
                                   # round down to the nearest contour_granularity
                                   contour_min = (np.min(distance) // contour_granularity)*contour_granularity,
                                   # round up to the nearest contour_granularity
                                   contour_max = ((np.max(distance) + (contour_granularity-1)) // contour_granularity) * contour_granularity,
                                   do_contours = True)
gp.add_plot_option(plotoptions, 'unset', 'key')
gp.add_plot_option(plotoptions, 'set', 'size square')
gp.plot(distance,
        xlabel  = "Distance hysteresis (ft)",
        ylabel  = "Elevation hysteresis (ft)",
        cblabel = "Distance (miles)",
        wait = True,
        **curveoptions,
        **plotoptions,
        title    = 'Computed distance vs filtering parameters')

Results: gain

Strava says the gain was 46307ft. The analysis says:

strava-gain.png

strava-gain-zoom.png

These show the filtered gain for different values of the distance and gain hysteresis thresholds. The same data is shown at diffent zoom levels. There's no sweet spot, but we get 46307ft with a reasonable amount of filtering. Maybe 46307ft is a bit low even.

Results: distance

Strava says the distance covered was 322 miles. The analysis says:

strava-distance.png

strava-distance-zoom.png

Once again, there's no sweet spot, but we get 322 miles only if we apply no filtering at all. That's clearly too high, and is not reasonable. From the map (and from other people's strava routes) the true distance is closer to 305 miles. Why those people's strava numbers are more believable is anybody's guess.

30 November, 2024 10:48PM by Dima Kogan

Enrico Zini

New laptop setup

My new laptop Framework (Framework Laptop 13 DIY Edition (AMD Ryzen™ 7040 Series)) arrived, all the hardware works out of the box on Debian Stable, and I'm very happy indeed.

This post has the notes of all the provisioning steps, so that I can replicate them again if needed.

Installing Debian 12

Debian 12's installer just worked, with Secure Boot enabled no less, which was nice.

The only glitch is an argument with the guided partitioner, which was uncooperative: I have been hit before by a /boot partition too small, and I wanted 1G of EFI and 1G of boot, while the partitioner decided that 512Mb were good enough. Frustratingly, there was no way of changing that, nor I found how to get more than 1G of swap, as I wanted enough swap to fit RAM for hybernation.

I let it install the way it pleased, then I booted into grml for a round of gparted.

The tricky part of that was resizing the root btrfs filesystem, which is in an LV, which is in a VG, which is in a PV, which is in LUKS. Here's a cheatsheet.

Shrink partitions:

  • mount the root filesystem in /mnt
  • btrfs filesystem resize 6G /mnt
  • umount the root filesystem
  • lvresize -L 7G vgname/lvname
  • pvresize --setphysicalvolumesize /dev/mapper/pvname 8G
  • cryptsetup resize --device-size 9G name

note that I used an increasing size because I don't trust that each tool has a way of representing sizes that aligns to the byte. I'd be happy to find out that they do, but didn't want to find out the hard way that they didn't.

Resize with gparted:

Move and resize partitions at will. Shrinking first means it all takes a reasonable time, and you won't have to wait almost an hour for a terabyte-sized empty partition to be carefully moved around. Don't ask me why I know.

Regrow partitions:

  • cryptsetup resize name
  • pvresize /dev/mapper/pvname
  • lvresize -L 100% vgname/lvname
  • mount the root filesystem in /mnt
  • btrfs filesystem resize max /mnt
  • umount the root filesystem

Setup gnome

When I get a new laptop I have a tradition of trying to make it work with Gnome and Wayland, which normally ended up in frustration and a swift move to X11 and Xfce: I have a lot of long-time muscle memory involved in how I use a computer, and it needs to fit like prosthetics. I can learn to do a thing or two in a different way, but any papercut that makes me break flow and I cannot fix will soon become a dealbreaker.

This applies to Gnome as present in Debian Stable.

General Gnome settings tips

I can list all available settings with:

gsettings list-recursively

which is handy for grepping things like hotkeys.

I can manually set a value with:

gsettings set <schema> <key> <value>

and I can reset it to its default with:

gsettings reset <schema> <key>

Some applications like Gnome Terminal use "relocatable schemas", and in those cases you also need to specify a path, which can be discovered using dconf-editor:

gsettings set <schema>:<path> <key> <value>

Install appindicators

First thing first: app install gnome-shell-extension-appindicator, log out and in again: the Gnome Extension manager won't see the extension as available until you restart the whole session.

I have no idea why that is so, and I have no idea why a notification area is not present in Gnome by default, but at least now I can get one.

Fix font sizes across monitors

My laptop screen and monitor have significantly different DPIs, so:

gsettings set org.gnome.mutter experimental-features "['scale-monitor-framebuffer']"

And in Settings/Displays, set a reasonable scaling factor for each display.

Disable Alt/Super as hotkey for the Overlay

Seeing all my screen reorganize and reshuffle every time I accidentally press Alt leaves me disoriented and seasick:

gsettings set org.gnome.mutter overlay-key ''

Focus-follows-mouse and Raise-or-lower

My desktop is like my desktop: messy and cluttered. I have lots of overlapping window and I switch between them by moving the focus with the mouse, and when the visible part is not enough I have a handy hotkey mapped to raise-or-lower to bring forward what I need and send back what I don't need anymore.

Thankfully Gnome can be configured that way, with some work:

  • In gnome-shell settings, keyboard, shortcuts, windows, set "Raise window if covered, otherwise lower it" to "Super+Escape"
  • In gnome-tweak-tool, Windows, set "Focus on Hover"

This almost worked, but sometimes it didn't do what I wanted, like I expected to find a window to the front but another window disappeared instead. I eventually figured that by default Gnome delays focus changes by a perceivable amount, which is evidently too slow for the way I move around windows.

The amount cannot be shortened, but it can be removed with:

gsettings set org.gnome.shell.overrides focus-change-on-pointer-rest false

Mouse and keyboard shortcuts

Gnome has lots of preconfigured sounds, shortcuts, animations and other distractions that I do not need. They also either interfere with key combinations I want to use in terminals, or cause accidental window moves or resizes that make me break flow, or otherwise provide sensory overstimulation that really does not work for me.

It was a lot of work, and these are the steps I used to get rid of most of them.

Disable Super+N combinations that accidentally launch a questionable choice of programs:

for i in `seq 1 9`; do gsettings set org.gnome.shell.keybindings switch-to-application-$i '[]'; done

Gnome-Shell settings:

  • Multitasking:
    • disable hot corner
    • disable active edges
    • set a fixed number of workspaces
    • workspaces on all displays
    • switching includes apps from current workspace only
  • Sound:
    • disable system sounds
  • Keyboard
    • Compose Key set to Caps Lock
    • View and Customize Shortcuts:
      • Launchers
        • launch help browser: remove
      • Navigation
        • move to workspace on the left: Super+Left
        • move to workspace on the right: Super+Right
        • move window one monitor …: remove
        • move window one workspace to the left: Shift+Super+Left
        • move window one workspace to the right: Shift+Super+Right
        • move window to …: remove
        • switch system …: remove
        • switch to …: remove
        • switch windows …: disabled
      • Screenshots
        • Record a screenshot interactively: Super+Print
        • Take a screenshot interactively: Print
        • Disable everything else
      • System
        • Focus the active notification: remove
        • Open the applcation menu: remove
        • Restore the keyboard shortctus: remove
        • Show all applications: remove
        • Show the notification list: remove
        • Show the overvire: remove
        • Show the run command prompt: remove (the default Gnome launcher is not for me) Super+F2 (or remove to leave it to the terminal)
      • Windows
        • Close window: remove
        • Hide window: remove
        • Maximize window: remove
        • Move window: remove
        • Raise window if covered, otherwise lower it: Super+Escape
        • Resize window: remove
        • Restore window: remove
        • Toggle maximization state: remove
    • Custom shortcuts
      • xfrun4, launching xfrun4, bound to Super+F2
  • Accessibility:
    • disable "Enable animations"

gnome-tweak-tool settings:

  • Keyboard & Mouse
    • Overview shortcut: Right Super. This cannot be disabled, but since my keyboard doesn't have a Right Super button, that's good enough for me. Oddly, I cannot find this in gsettings.
  • Window titlebars
    • Double-Click: Toggle-Maximize
    • Middle-Click: Lower
    • Secondary-Click: Menu
  • Windows
    • Resize with secondary click

Gnome Terminal settings:

Thankfully 10 years ago I took notes on how to customize Gnome Terminal, and they're still mostly valid:

  • Shortcuts

    • New tab: Super+T
    • New window: Super+N
    • Close tab: disabled
    • Close window: disabled
    • Copy: Super+C
    • Paste: Super+V
    • Search: all disabled
    • Previous tab: Super+Page Up
    • Next tab: Super+Page Down
    • Move tab…: Disabled
    • Switch to tab N: Super+Fn (only available after disabling overview)
    • Switch to tab N with Alt+Fn cannot be configured in the UI: Alt+Fn is detected as simply Fn. It can however be set with gsettings:

      sh for i in `seq 1 12`; do gsettings set org.gnome.Terminal.Legacy.Keybindings:/org/gnome/terminal/legacy/keybindings/ switch-to-tab-$i "<Alt>F$i"; done

  • Profile

    • Text
      • Sound: disable terminal bell

Other hotkeys that got in my way and had to disable the hard way:

for n in `seq 1 12`; do gsettings set org.gnome.mutter.wayland.keybindings switch-to-session-$n '[]'; done
gsettings set org.gnome.desktop.wm.keybindings move-to-workspace-down '[]'
gsettings set org.gnome.desktop.wm.keybindings move-to-workspace-up '[]'
gsettings set org.gnome.desktop.wm.keybindings panel-main-menu '[]'
gsettings set org.gnome.desktop.interface menubar-accel '[]'

Note that even after removing F10 from being bound to menubar-accel, and after having to gsetting binding to F10 as is:

$ gsettings list-recursively|grep F10
org.gnome.Terminal.Legacy.Keybindings switch-to-tab-10 '<Alt>F10'

I still cannot quit Midnight Commander using F10 in a terminal, as that moves the focus in the window title bar. This looks like a Gnome bug, and a very frustrating one for me.

Appearance

Gnome-Shell settings:

  • Appearance:
    • dark mode

gnome-tweak-tool settings:

  • Fonts
    • Antialiasing: Subpixel
  • Top Bar
    • Clock/Weekday: enable (why is this not a default?)

Gnome Terminal settings:

  • General
    • Theme variant: Dark (somehow it wasn't picked by up from the system settings)
  • Profile
    • Colors
      • Background: #000

Other decluttering and tweaks

Gnome Shell Settings:

  • Search
    • disable application search
  • Removable media
    • set everything to "ask what to do"
  • Default applications
    • Web: Chromium
    • Mail: mutt
    • Calendar: khal is not sadly an option
    • Video: mpv
    • Photos: Geequie

Set a delay between screen blank and lock: when the screen goes blank, it is important for me to be able to say "nope, don't blank yet!", and maybe switch on caffeine mode during a presentation without needing to type my password in front of cameras. No UI for this, but at least gsettings has it:

gsettings set org.gnome.desktop.screensaver lock-delay 30

Extensions

I enabled the Applications Menu extension, since it's impossible to find less famous applications in the Overview without knowing in advance how they're named in the desktop. This stole a precious hotkey, which I had to disable in gsettings:

gsettings set org.gnome.shell.extensions.apps-menu apps-menu-toggle-menu '[]'

I also enabled:

  • Removable Drive Menu: why is this not on by default?
  • Workspace Indicator
  • Ubuntu Appindicators (apt install gnome-shell-extension-appindicator and restart Gnome)

I didn't go and look for Gnome Shell extentions outside what is packaged in Debian, as I'm very wary about running JavaScript code randomly downloaded from the internet with full access over my data and desktop interaction.

I also took care of checking that the Gnome Shell Extensions web page complains about the lacking "GNOME Shell integration" browser extension, because the web browser shouldn't be allowed to download random JavaScript from the internet and run it with full local access.

Yuck.

Run program dialog

The default run program dialog is almost, but not quite, totally useless to me, as it does not provide completion, not even just for executable names in path, and so it ends up being faster to open a new terminal window and type in there.

It's possible, in Gnome Shell settings, to bind a custom command to a key. The resulting keybinding will now show up in gsettings, though it can be located in a more circuitous way by grepping first, and then looking up the resulting path in dconf-editor:

gsettings list-recursively|grep custom-key
org.gnome.settings-daemon.plugins.media-keys custom-keybindings ['/org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom0/']

I tried out several run dialogs present in Debian, with sad results, possibly due to most of them not being tested on wayland:

  • fuzzel does not start
  • gmrun is gtk2, last updated in 2016, but works fine
  • kupfer segfaults as I type
  • rofi shows, but can't get keboard input
  • shellex shows a white bar at top of the screen and lots of errors on stderr
  • superkb wants to grab the screen for hotkeys
  • synapse searched news on the internet as I typed, which is a big no for me
  • trabucco crashes on startup
  • wofi works but looks like very much an acquired taste, though it has some completion that makes it more useful than Gnome's run dialog
  • xfrun4 (package xfce4-appfinder) struggles on wayland, being unable to center its window and with the pulldown appearing elsewhere in the screen, but it otherwise works

Both gmrun and xfrun4 seem like workable options, with xfrun4 being customizable with convenient shortcut prefixes, so xfrun4 it is.

TODO

  • Figure out what is still binding F10 to menu, and what I can do about it
  • Figure out how to reduce the size of window titlebars, which to my taste should be unobtrusive and not take 2.7% of vertical screen size each. There's a minwaita theme which isn't packaged in Debian. There's a User Theme extension, and then the whole theming can of worms to open. For another day.
  • Figure out if Gnome can be convinced to resize popup windows? Take the Gnome Terminal shortcut preferences for example: it takes ⅓ of the vertical screen and can only display ¼ of all available shortcuts, and I cannot find a valid reason why I shouldn't be allowed to enlarge it vertically.
  • Figure out if I can place shortcut launcher icons in the top panel, and how

I'll try to update these notes as I investigate.

Conclusion so far

I now have something that seems to work for me. A few papercuts to figure out still, but they seem manageable.

It all feels a lot harder than it should be: for something intended to be minimal, Gnome defaults feel horribly cluttered and noisy to me, continuosly getting in the way of getting things done until tamed into being out of the way unless called for. It felt like a device that boots into flashy demo mode, which needs to be switched off before actual use.

Thankfully it can be switched off, and now I have notes to do it again if needed.

gsettings oddly feels to me like a better UI than the interactive settings managers: it's more comprehensive, more discoverable, more scriptable, and more stable across releases. Most of the Q&A I found on the internet with guidance given on the UI was obsolete, while when given with gsettings command lines it kept being relevant. I also have the feeling that these notes would be easier to understand and follow if given as gsettings invocations instead of descriptions of UI navigation paths.

At some point I'll upgrade to Trixie and reevaluate things, and these notes will be a useful checklist for that.

Fingers crossed that this time I'll manage to stay on Wayland. If not, I know that Xfce is still there for me, and I can trust it to be both helpful and good at not getting in the way of my work.

30 November, 2024 08:13PM

hackergotchi for Daniel Pocock

Daniel Pocock

Understanding Irish general election 2024 results Dublin Bay South

Counting staff have conducted initial tallies of the ballot papers and these confirm my predictions from the blog post yesterday.

Personally, I'm not in contention to win a place in the Dáil. The big positive outcome for my campaign is the increased interest in my blogs about the adverse impact of social control media and some of the other things that are going wrong at the intersection of technology and society. Unlike last time I ran for public office, it does not look like I finished last again.

Yesterday I commented on one of the minor candidates from the communist-trotskyist PBP. Many people were amused that I frustrated the campaign of a communist. Nonetheless, that was not my intention. My only intention was to demonstrate the hypocrisy of communists using social control media platforms that enrich billionaires in a foreign country. Nonetheless, it is interesting to see that the communist increased her share of the votes from three percent to four percent. At the same time, the Green party vote fell as they were running with a different candidate. In general, the left votes were divided and fighting against each other and none of them appear to be able win a seat. That is a loss for the left as one seat was previously held by the Greens.

Kate O'Connell previously served as a local representative for the party Fine Gael and this time she ran as an independent. The media showed a big interest in her campaign. Her previous status and her media profile haven't helped her attain the number of first preference votes required to be in contention for one of the four seats.

Nonetheless, Kate achieved about 4.5% of the vote and this demonstrates how much harder it was for other independents who have little or no public profile at all.

Many people have commented on my €17,000 electricity bill. This is the type of scandal that is so unusual that it would normally appear in a news report even if there was not an election in progress. The media have known about the bill for a week but chosen not to report on it. This adds to the perception of many people that the media has been very selective in reporting on the existing political parties and not providing any space for new candidates and the issues we raise.

One of the issues people raised with me during the campaign was the status of the Sandymount Baths. Despite Dublin's incredible shoreline, the Baths have been derelict for over 100 years. Coincidentally, many people comment that the same two parties have taken turns to govern Ireland over the same period of 100 years.

The only independent candidate who did get significant media attention for free is the high profile bank robber Gerry Hutch. He is in fourth position after the first tally and this means there is a real possibility that he will win a seat. He could miss out on the seat if the preference transfers from other candidates all work against him to help one of the candidates in fifth or sixth positions to rise up into the fourth position and displace him. If that happens, he may miss out on the seat by a very slim margin. It may come down to just one hundred votes. People who acquired Gerry 'The Monk' Hutch domain names may share some of the responsibility if he misses out on a seat by such a small margin.

The election created a huge interest in my blog posts about inconvenient truths in the days before voting. It is interesting to see that the heightened interest in my blog has continued in the time since the polls closed.

30 November, 2024 03:30PM

Russell Coker

November 29, 2024

hackergotchi for Dirk Eddelbuettel

Dirk Eddelbuettel

RcppAPT 0.0.10: Maintenance

A new version of the RcppAPT package arrived on CRAN earlier today. RcppAPT connects R to the C++ library behind the awesome apt, apt-get, apt-cache, … commands (and their cache) which powering Debian, Ubuntu and other derivative distributions.

RcppAPT allows you to query the (Debian or Ubuntu) package dependency graph at will, with build-dependencies (if you have deb-src entries), reverse dependencies, and all other goodies. See the vignette and examples for illustrations.

This release moves the C++ compilation standard from C++11 to C++17. I had removed the setting for C++11 last year as compilation ‘by compiler default’ worked well enough. But the version at CRAN still carried, which started to lead to build failures on Debian unstable so it was time for an update. And rather than implicitly relying on C++17 as selected by the last two R releases, we made it explicit. Otherwise a few of the regular package and repository updates have been made, but no new code or features were added The NEWS entries follow.

Changes in version 0.0.10 (2024-11-29)

  • Package maintenance updating continuous integration script versions as well as coverage link from README, and switching to Authors@R

  • C++ compilation standards updated to C++17 to comply with libapt-pkg

Courtesy of my CRANberries, there is also a diffstat report for this release. A bit more information about the package is available here as well as at the GitHub repo. If you like this or other open-source work I do, you can now sponsor me at GitHub.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.

29 November, 2024 08:19PM

hackergotchi for Daniel Pocock

Daniel Pocock

Watching Irish general election 2024 results

As an independent candidate I'm not expecting to get too many votes. Ireland is a country where traditions are very strong and people gravitate to the parties and candidates they grew up with. On top of that, my campaign was subject to distortion and obfuscation in Google search results. I will be happy if I get more than 5 votes but even that is not certain. In the last election, some independent candidates only got 23 votes each.

There is still time for people to go and vote now before the polling stations close.

The candidates with fewer votes are eliminated in earlier rounds of counting. Counting begins at 9am on Saturday, 30 November and the first eliminations will become clear some time around lunchtime.

The most interesting results to look for

One of the hot topics in the news was the candidacy of Gerry 'the Monk' Hutch. Being famous can sometimes be a good thing in elections. The jockey Nina Carberry won a seat in the European Parliament on her first attempt due to her high profile sporting career.

Voters may have sympathy for the Monk after I registered all his most likely domain names, along with those of other candidates. On the other hand, if the Monk misses out on a seat in the Dáil by only a small number of votes, for example, if he is 10 votes below the candidate who takes the final seat, people may attribute the loss to the fact that he could not get those domain names for himself.

Fortunately I know some good hideouts in Australia.

In the movie Mad Max, organized crime gangs ride around on motorcycles and the police unit responsible for catching them is the Main Force Patrol (MFP). The MFP car park in the movie is actually the University of Melbourne's South Lawn Car Park. The adjacent buildings are Electrical Engineering and Law.

Mad Max at University of Melbourne

 

Mad Max

 

Mad Max

 

Win or lose, I'm glad that my campaign prompted some discussions about the role of the Internet and social control media in society.

Please Vote [1] Daniel POCOCK

 

Daniel Pocock

 

Daniel Pocock

 

Vote [1] Daniel POCOCK

Gerry Hutch, the Monk

29 November, 2024 05:00PM

Brigid Purcell (PBP): generation Z, unteachable children, how will they govern in ten years?

After securing the domain names of some of my rivals in Dublin Bay South, I tried to contact each of them and reassure them that they would not have a big problem getting them at the end of the voting and using them in future.

Elections are a stressful time for everybody and I wanted to demonstrate good sportsmanship and not see rivals losing sleep over this particular issue.

Personally, I used each of the domains to make some political points about social control media and hypocrisy but the domains have no long term value for me. I cancel the auto-renewal on them and 12 months after the registration date, each domain will expire and then whoever acts fastest can register them.

Out of all the rival candidates I contacted, they were all quite happy to find out that they could get a domain name without being blackmailed by anonymous cybersquatters, except for one person who didn't demonstrate any patience whatsoever.

Brigid Purcell, from the socialist-communist PBP went to all her social media accounts to complain about "middle aged men". I'm ignoring everything else in the discussion except that phrase. When a candidate makes a generalization like that it will be noticed by all the other middle-aged men who are deciding how to vote.

Young women from the same background as Brigid get excited and side with her. But those women were going to vote for Brigid anyway. I'm sure she would do a good job of talking about the problems they experience in life but that is only half the job of being an elected representative. What about all the other 70,000 people who live in Dublin Bay South? What Brigid has demonstrated illustrates how generation-Z have been raised in social media silos. Social media silos have not prepared these people for some of the situations they will face in real life. Employers complain about very talented people from generation Z who come to a job interview and do everything correctly up to the point where, out of habit, they take out their mobile phone and start trying to look something up or ask their friends.

I met another woman the same age as Brigid recently. She had graduated as a teacher, worked as a teacher for one year and then quit. She summarized her decision with one word: "unteachable". She mentioned that the children of today are being raised by social media rather than parents.

Older generations of school teachers are saying the same thing. They are quitting, whether it is in Ireland or in Australia. Here is a quote from the Australian case study:

During her time as a relief teacher in 2022, she noticed more boys talking about Andrew Tate in class.

Shaming by either gender is a big factor. Brigid has chosen to give me a put-down in front of her fans without even finding out what I might have to say. Andrew Tate's generalizations about women and Brigid's generalization about middle-aged men feel like opposite sides of the same coin. The problem is not the age or gender, the problem is the manner in which people rush to their social media account to shame somebody they never met.

During my time in student politics, I met many socialist-communists like Brigid so I know that it is unlikely she has any money and I would be wasting my time if I tried to blackmail her. When I contacted her like all the other candidates, I was simply going to give her the domains for free when we meet at the count center on Saturday.

If I sent the domain transfer passwords to a stranger by email there is a big risk they could end up in the hands of her boyfriend or a volunteer. Many women believe they own their domain names right up to the day they break up with their boyfriend. Then they find out that the domain names are managed through a foreign company in the US and there is nothing that they can do. In these situations, where the woman has spent time building a business on the domain name, the now ex-boyfriend really can do some blackmail before handing it over.

Having heard of many cases like this, I always want to do proper due-diligence, for example, to speak to the new owner of a domain in person or by telephone and make sure they understand the value of the domain transfer key at the moment I hand it over. Brigid rushed to judge me based on my age and gender and so she did not gain anything from my prior experience on the topic.

The other group of middle-aged men we need to worry about are the public servants, heads of government departments and agencies who have to come in to Leinster House from time to time and sit in a room with politicians posing tricky questions. Some of the public service bosses are middle-aged women but in general they are middle-aged men. When more people from Generation Z are elected into public office, I really hope they don't make the same mistake as Brigid. If they refuse to talk to people from older generations or if they humiliate public servants in front of their social media fans we can expect a lot of the public servants will quit, just like the school teachers who are quitting today. The Government will have to offer even higher salary packages for replacements to take leadership roles in the public service.

Fact checking

Take a look at the statistics from previous elections. If previous statistics are anything to go by, neither Brigid or I have a very high chance of being elected. In the 2021 by-election, Brigid had less than a thousand votes, about three percent.

Therefore, fighting with each other is rather pointless and a waste of time. Brigid would increase her chance of election if she focused on the issues that differentiate her party from Hazel Chu, the female candidate for the Greens.

She could gain votes by asking other minor candidates to support her as a second preference.

However, other candidates will be afraid to discuss preference-swapping with somebody if they feel that every attempt at negotiation will be leaked on social media.

29 November, 2024 03:00PM

hackergotchi for Bits from Debian

Bits from Debian

Debian welcomes its new Outreachy interns

Outreachy logo

Debian continues participating in Outreachy, and we're excited to announce that Debian has selected two interns for the Outreachy December 2024 - March 2025 round.

Patrick Noblet Appiah will work on Automatic Indi-3rd-party driver update, mentored by Thorsten Alteholz.

Divine Attah-Ohiemi will work on Making the Debian main website more attractive by switching to HuGo as site generator, mentored by Carsten Schoenert, Subin Siby and Thomas Lange.


Congratulations and welcome Patrick Noblet Appiah and Divine Attah-Ohiemi!

From the official website: Outreachy provides three-month internships for people from groups traditionally underrepresented in tech. Interns work remotely with mentors from Free and Open Source Software (FOSS) communities on projects ranging from programming, user experience, documentation, illustration and graphical design, to data science.

The Outreachy programme is possible in Debian thanks to the efforts of Debian developers and contributors who dedicate their free time to mentor students and outreach tasks, and the Software Freedom Conservancy's administrative support, as well as the continued support of Debian's donors, who provide funding for the internships.

Join us and help extend Debian! You can follow the work of the Outreachy interns reading their blogs (they are syndicated in Planet Debian), and chat with us in the #debian-outreach IRC channel and mailing list.

29 November, 2024 12:22PM by Nilesh Patra

Debian welcomes its new Outreachy interns

Outreachy logo

Debian continues participating in Outreachy, and we're excited to announce that Debian has selected two interns for the Outreachy December 2024 - March 2025 round.

Patrick Noblet Appiah will work on Automatic Indi-3rd-party driver update, mentored by Thorsten Alteholz.

Divine Attah-Ohiemi will work on Making the Debian main website more attractive by switching to HuGo as site generator, mentored by Carsten Schoenert, Subin Siby and Thomas Lange.


Congratulations and welcome Patrick Noblet Appiah and Divine Attah-Ohiemi!

From the official website: Outreachy provides three-month internships for people from groups traditionally underrepresented in tech. Interns work remotely with mentors from Free and Open Source Software (FOSS) communities on projects ranging from programming, user experience, documentation, illustration and graphical design, to data science.

The Outreachy programme is possible in Debian thanks to the efforts of Debian developers and contributors who dedicate their free time to mentor students and outreach tasks, and the Software Freedom Conservancy's administrative support, as well as the continued support of Debian's donors, who provide funding for the internships.

Join us and help extend Debian! You can follow the work of the Outreachy interns reading their blogs (they are syndicated in Planet Debian), and chat with us in the #debian-outreach IRC channel and mailing list.

29 November, 2024 09:00AM by Nilesh Patra

November 28, 2024

hackergotchi for Daniel Pocock

Daniel Pocock

Why you should follow my RSS or Atom feed, Irish elections, everybody wins

When it comes to politics, the journey is important too, even if the outcome is unpredictable and sometimes utterly dismal.

The campaign has served its purpose already though. We have fresh evidence about censorship. People have been taking screenshots of the Google search results. You can't look at these search results and not feel that they have been hand-crafted by somebody who resents the prospect of people voting for me.

The word "ELIMINATED" has appeared in capital letters high in the search results, but that actually refers to the process of eliminating candidates one-by-one during counting in the last elections. No candidates have been eliminated in this election.

One of the main highlights of this campaign was the distribution of a leaflet to every home in the region. Forty thousand households received the leaflet. Several people have spoken to me about electricity bills but not one has a bill as big as mine, €17,000.

Regardless of whether I win or lose, in the next few days I'm going to publish fresh details about the secret expulsions in GNOME Foundation and more about the social engineering attacks in Debian, especially the cases where some kind of privilege escalation has been successful.

To make sure you don't miss key stories like this, if you want to bypass the social media filtering and advertising, please use an RSS or Atom feed reader to follow blogs like this.

Vote [1] Daniel POCOCK

Daniel Pocock

 

If you care about democracy, don't let yourself be fooled by Google and the lawyerstalking.

Please Vote [1] Daniel POCOCK

 

Daniel Pocock

 

Daniel Pocock

 

Vote [1] Daniel POCOCK

28 November, 2024 08:00PM

hackergotchi for Bits from Debian

Bits from Debian

New Debian Developers and Maintainers (September and October 2024)

The following contributors got their Debian Developer accounts in the last two months:

  • Joachim Bauch (fancycode)
  • Alexander Kjäll (capitol)
  • Jan Mojžíš (janmojzis)
  • Xiao Sheng Wen (atzlinux)

The following contributors were added as Debian Maintainers in the last two months:

  • Alberto Bertogli
  • Alexis Murzeau
  • David Heilderberg
  • Xiyue Deng
  • Kathara Sasikumar
  • Philippe Swartvagher

Congratulations!

28 November, 2024 05:00PM by Jean-Pierre Giraud

not Gerry 'The Monk' Hutch

8GB Swiss Archive offered to Irish voters by Dáil candidate

Swiss women Pascale Koster and Albane de Ziegler at law firm Walder Wyss signed a document demanding that an open source software volunteer publish self-deprecating insults on his blog. Moreover, the rude women made this demand after the volunteer's father died. Mr Pocock doesn't take orders from cyberbullies like that. Instead of publishing the insults they wrote for him, he is publishing an 8GB archive from Switzerland for Irish voters to consider as they go to the polls tomorrow. The link is below.

By way of background, the volunteer Daniel Pocock is a highly respected Debian Developer. In 2017, on the anniversary of the Easter rising, the Free Software Fellowship elected Mr Pocock as their representative. Yet a subgroup of German and Swiss fellows became incredibly frustrated with Mr Pocock's success and attack him ever since then.

Mr Pocock made a number of blog posts exposing corruption and modern slavery when multinationals penetrate volunteer communities.

Two judicial processes have found that Mr Pocock and his family were victims of harassment. The Zurich black cat trial in 2018 gave Mr Pocock's family CHF 10,000 (equivalent to EUR 10,000) and the WeMakeFedora dispute in 2022 found Mr Pocock was a victim of harassment.

The multinationals failed to listen to these verdicts and keep throwing more and more money at corrupt lawyers and judges to attack volunteers.

Mr Pocock simply started writing blogs about the corrupt lawyers and judges, the Swiss JuristGate affair.

The racist lawyers Pascale Koster and Albane de Ziegler signed this document insisting that Mr Pocock publish self-deprecating insults after his father died. Instead, he is publishing the 8GB archive.

Pascale Koster, Albane de Ziegler

 

Pascale Koster, Albane de Ziegler

 

If people have concerns about what is in this 8GB archive, ask the racist Swiss women why they are lawyerstalking a volunteer after the death of his father.

Access the 8GB archive using IPFS

IPFS was used to share information about the referendum in Catalonia and it is being used again today to support Irish democracy.

Please download the IPFS Desktop software.

For background information about the IPFS peer-to-peer network please see the InterPlanetary File System (IPFS) page on Wikipedia.

After installing the IPFS desktop, simply cut and paste or click the Content ID (CID) to access the 8GB archive from Switzerland.

Click to Download 8GB Swiss_Archive.7z (encrypted) with IPFS Desktop

Content ID: [ QmastD22PqBw6m2Q3VHiyKP5DCnijPURjudeWg8guBvJKi ] (to copy and paste into IPFS Desktop)

Inside the IPFS desktop software, right click the folder and select the option to Pin important file-sharing content like this so that it is forced to keep a local copy on your hard disk even when you are offline.

Release of the encryption key on 5 December 2024

If you want this to happen, please Vote [1] Daniel POCOCK

If the Irish people choose to elect Mr Pocock to the Dáil, Mr Pocock will release the encryption key for the 8GB Swiss Archive on International Volunteer Day, 5 December 2024.

The opening of the archive, like the opening of a Christmas present, will be celebrated with ceremonies around Ireland and around the world. If you would like to organize an event in a local pub, community center or campus environment, please promote your event using whichever online platforms you prefer and use the words Debian Swiss Archive in the title of your event. People can use these keywords to search for events nearby.

Googlists undermining Mr Pocock's campaign

Google search results are wrongly suggesting that Mr Pocock was eliminated. In fact, no candidates have been eliminated. This is more proof that multinationals are interfering in our democracy.

 

Daniel Pocock

 

If you care about democracy, don't let yourself be fooled by Google and the lawyerstalking. Please Vote [1] Daniel POCOCK

Respect for volunteers

Mr Pocock has been doing voluntary work with amateur radio and free, open source software since he was 14 years old. Sinister people on social media who try to steal the reputation of a volunteer are stealing that person's life. Their gossip campaigns, theft of reputations are far worse than the sinister men who steal money from banks. Here is the certificate from Mr Pocock's amateur radio license, he started doing voluntary work when he was 14.

Daniel Pocock, radio amateur

Vote [1] Daniel POCOCK

Please remember to discuss the Pocock campaign with your friends and promote it widely.

Mr Pocock's nomination page gives a lot of detail about his policies, unique skills and experience so you are voting for a lot more than what is hidden in this 8GB Swiss Archive.

Vote [1] Daniel POCOCK

 

Daniel Pocock

 

Daniel Pocock

 

Vote [1] Daniel POCOCK

28 November, 2024 11:30AM

November 26, 2024

Swiss JuristGate

GCHQ puzzles & FINMA Swiss secrets solved by the Irish

Each year the British spies at GCHQ share a puzzle in a Christmas card.

In 2016, an Irishman called David McBryan found the solution to the British puzzle.

In Septmeber 2023, FINMA, the Swiss financial regulator, published a dossier about the JuristGate affair. They redacted the names of the enterprises. They redacted the dates in the dossier.

When Gaelle Jeanmonod published the document, she wrote "PTP" in the filename:

FINMA filename

The CLB used the acronym "PTP" in their filename too.

Daniel Pocock, Irish-Swiss-Australian found the link between the dossier and the JuristGate scandal. He published the first detailed blog about the scandal.

FINMA filename

 

Julie Krattinger

26 November, 2024 11:00AM

Conférence latine des Batonniers warned lawyers in Cantonal bar associations FR, BE, GE, JU, NE, TI, VD and VS

We found a document in the Wayback Machine.

According to the file, Julie Krattinger (ODA VD) created the document 28 april 2021.

She wrote the acronym "PTP" in the filename. Parreaux, Thiébaud & Partners = PTP

Nicolas Gillard, President of the Conférence latine des Batonniers signed the document.

The bar association of Canton Geneva published the document on their web site and then it disappeared. Why?

We found the proof thanks to the Wayback Machine.

After several years of free publicity in the French side of Switzerland (Romandy), the name of Parreaux, Thiébaud & Partners was well known in the region of Romandy.

Communication to members of bar associations

To all members of cantonal bar associations in FR, BE, GE, JU, NE, TI, VD et VS

Parreaux, Thiébaud & Partners

Dear sisters, Dear brothers,

Various members of the bar associations have contacted us because of the company Parreaux, Thiébaud & Partners and informed us that said company has approached them.

The Geneva Bar Association has already taken legal action against this company.

Parreaux, Thiébaud & Partners presents itself as a law firm, claiming to be a “law firm”. It is not a law firm. This company also claims to be “the best legal protection in Switzerland”. It is not legal protection insurance and this company is not on the list of insurance companies authorised by FINMA.

We would like to draw your attention to the fact that a partnership with a company giving the appearance that the lawyer is practising as such within it may pose problems with regard to the duty of structural independence within the meaning of Art. 8 para. 1 let. d LLCA (ATF 145 II 229 c. 6). Furthermore, partnering with a company that advertises beyond objective facts, in order to indirectly benefit from this advertising, could also pose problems with regard to professional rules (art. 12 let. d LLCA).

For these reasons, we therefore recommend that you do not respond to requests from Parreaux, Thiébaud & Partners.

With lawyerly hugs and kisses,

For the Conférence latine des Bâtonniers

Julie Krattinger Julie Krattinger

26 November, 2024 10:00AM

hackergotchi for Sandro Knauß

Sandro Knauß

Akademy 2024 in Würzburg

In order to prepare for the Akademy I started some days before to give my Librem 5 ( an Open Hardware Phone) another try and ended up with a non starting Plasma 6. Actually this issue was known already, but hasn't been addressed. In the end I reached the Akademy with my Librem 5 having phosh installed (which is Gnome based), in order to have something working.

I met Bushan and Bart who took care and the issue was fixed two days later I could finally install Plasma 6 on it. The last time I tested my Librem 5 with Plasma 5 it felt sluggish and not well working. But this time I was impressed how well the system reacts. Sure there are some things here and there, but in the bigger picture it is quite useable. One annoying issue is that the camera is only working with one app and the other issue is the battery capacity, you have to charge it once a day. Because of missing a QR reader that can use the camera, getting data to the phone was quite challenging. Unfortunately the conference Wifi separated the devices and I couldn't use KDE Connect to transfer data. In the end the only way to import data was taking five photos from the QR Code to import my D-Ticket to Itinerary.

With a device with Plasma Mobile, it directly was used for a experiment: How well does Dolphin works on a Plasma Mobile device. Together with Felix Ernst we tried it out and were quite impressed, that Dolphin does work very well on Plasma Mobile, after some simple modifications on the UI. That resulted in a patch to add a mobile UI for Dolphin !826.

With more time to play with my Librem 5 I also found an bug in KWeather, that is missing a Refresh option, when used in a Plasma Mobile environment #493656.

Akademy is a good place to identify and solve some issues. It is always like that, you chat with someone and they can tell you who to ask to answer the concrete question and in the end you can solve things, that seems unsolvable in the beginning.

There was also time to look into the travelling app Itinerary. A lot people are faced with a lot of real world issues, when not in their home town. Itinerary is the best traveling apps I know about. It can import nearly every ticket you have and can get location information from restaurant websites and allow routing to that place. It does add many useful information, while traveling like current delays, platform changes, live updates for elevator, weather information at the destination, a station map and all those features with strong focus on privacy.

In detail I found some small things to improve:

  • If you search for a bus ride and enter the correct name for the bus stop, it will still add some walk from and to the station. The issue here is that we use different backends and not all backends share the same geo coordinate. That's why Itinerary needs to add some heuristics to delete those paths. walk to and from the bus stop

  • Instead of displaying just a small station map of one bus stop in the inner city, it showed complete W端rzburg inner city, as there is one big park around the inner city (named "Ringpark").

  • W端rzburg has a quite big bus station but the platform information were missing in the map, so we tweaked the CSS to display the platform. To be sure, that we don't fix only W端rzburg, we also looked at Greifswald and Aix-en-Provence if they are following the same name scheme.

I additionally learned that it has a lot of details that helps people who have special needs. That is the reason why Daniel Kraut wants to get Itinerary available for iOS. As spoken out, that Daniel wants to reach this goal, others already started to implement the first steps to build apps for iOS.

This year I was volunteering in helping out at Akademy. For me it was a lot of fun to meet everyone at the infodesk or help the speakers setup the beamer and microphone. It is also a good opportunity to meet many new faces and get in contact with them. I see also room for improvement. As we were quite busy at the Welcome Event to get out the badges to everyone, I couldn't answer the questions from newcomers, as the queue was too long. I propose that some people volunteer to be available for questions from newcomers. Often it is hard for newcomers to get their first contact(s) in a new community. There is a lot of space for improvement to make it easier for newcomers to join. Some ideas in my head are: Make an event for the newcomers to get them some links into the community and show that everyone is friendly. The tables at the BoFs should make a circle, so everyone can see each other. It was also hard for me to understand everyone as they mostly spoken towards the front. And then BoFs are sometimes full of very specific words and if you are not already deep in the topic you are lost. I can see the problem, on the one side BoFs are also the place where the person that knows the topic already wants to get things done. On the other side new comers join BoFs, are overwhelmed by to many new words get frustrated and think, that they are not welcome. Maybe at least everyone should present itself with name and ask new faces, why they joined the BoF to help them joining.

I'm happy, that the food provided for the attendees was very delicious and that I'm not the only one mostly vegetarian with a big amount to be vegan.

At the conference the KDE Eco initiation really caught me, as I see a lot of new possibilities in giving more reasons to switch to an Open Source system. The talk from Natalie was great to see how pupils get excited about Open Source and also help their grandparents to move to a Linux system. As I also will start to work as a teacher, I really got ideas what I can do at school. Together with Joseph and Nicole, we finally started to think about how to drive an exploration on what kind of old hardware is still KDE software running. The ones with the oldest hardware will get an old KDE shirt. For more information see #40.

The conference was very motivating for me, I also had still energy at the evening to do some Debian packaging and finally pushed kweathercore to Debian and started to work on KWeather. Now I'm even more interested in the KDE apps focusing the mobile world, as I now have some hardware that can actually use those apps.

I really enjoyed the workshop how to contribute to Qt by Volker Hilsheimer, especially the way how Volker explained things in a very friendly way, answered every question, sometime postponed some questions but came back to them later. All in all I now have a good overview how Qt is doing development and how I can fix bugs.

The daytrip to Rothenburg ob der Tauber was very interesting for me. It was the first time I visited the village. But in my memory it feels like I know the village already. I grew up with reading a lot of comic albums including the good SiFi comic album series "Yoku Tsuno" created by the Belgian writer Roger Leloup. Yoku Tsuno is an electronics engineer, raised in Japan but now living in Belgium. In "On the edge of life" she helps her friend Ingard, who actually lives in Rothenburg. Leloup invested a lot of time to travel to make the make his drawings as accurate as possible.

a comic page with Yoko Tsuno in Rothenburg ob der Tauber

In order to not have a hard cut from Akademy to normal life, I had a lunch with Carlos, to discuss KDE Neon and how we can improve the interaction with Debian. In the future this should have less friction and make both communities work together more smoothly. Additionally as I used to develop on KDEPIM with the help of Docker images based on Neon I ask for a meta kf6 dev meta package. That should help to get rid of most hand written lists of dev packages in the Docker file in order to make it more simple for new contributors to start hacking on KDEPIM.

The rest of the day I finally found time to do the normal tourist stuff: Going to the Wine bridge and having a walk to the castle of W端rzburg. Unfortunately you hear a lot of car noises up there, but I could finally relaxe in a Japanese designed garden.

Finally at Saturday I started my trip back. The trains towards Eberswalde are broken and I needed to find alternative routing. I got a little bit nervous, as it was the first time I travelled with my Librem 5 and Itinerary only and needed to reach the next train in less than two mins. With the indoor maps provided, I could prepare my run through the train station so I reached successfully my next train.

By the way, also if you only only use KDE software, I would recommend everyone to join Akademy ;)

26 November, 2024 12:00AM by Sandro Knauß

November 25, 2024

Michael McGrath

Cybertorture in Ireland and the European Union

In February 2020, The Guardian reported on work undertaken by Prof Nils Melzer, United Nations Special Rapporteur on Torture and Other Cruel, Inhuman or Degrading Treatment or Punishment concerning the subject of Cybertorture.

People were quick to prove the phenomena is real by creating fake web sites to mock the term cybertorture.

Mr Pocock, on the other hand, began meticulously researching the evidence in distributed online communities, such as the open source developer community creating the Debian GNU/Linux software. Mr Pocock has created a detailed index of the incidents in the high-stress Debianist environment.

Based on this research, Mr Pocock is creating a series of blog posts to explore the cybertorture phenomena in general terms.

Mr Pocock elaborates on the experience his family suffered:

Carla began cutting herself and suffered from an eating disorder at the age of 14 years.

A significant percentage of women with these challenges have been victims of harassment or abuse during adolescence.

In 2018, rogue participants in the Debian ecosystem began spreading rumors of harassment and abuse around our family. Neither of us consented to those public references to harassment and abuse.

They have clearly taken something that would be very painful for any family and twisted it inside out to cause extreme distress.

Some of these Debianist cyberbullies engage in these attacks for sadistic pleasure. Other members of the group do this for political reasons.

The evidence is clear, they wanted to block my candidacy in the election of the Debian Project Leader so they had to make up a story that sounded really horrible. The online lynch mobs followed the gossip blindly. There is no collective conscience in groups like this. It is like gang rape with words.

Given the nature of such problems that traverse multiple family members, it is impossible for the victims of these gossip campaigns to defend ourselves publicly without also compromising the privacy of family members. Effectively, by creating malicious gossip about harassment and paying dishonest and racist women to sook, they are blackmailing me to reveal that Carla suffers from this since adolescence.

The evidence shows that Google has knowingly funded groups that behave like this and Google employees are active in the vendettas.

In the UK, which has left the European Union, the parliament at Westminster described these people as digital gangsters. The Irish Times poses the question: "Are Digital Gangsters damaging Ireland Inc's reputation?". Clearly, they damage the reputations of anybody who refuses to roll over for them.

25 November, 2024 11:15PM

November 24, 2024

hackergotchi for Steinar H. Gunderson

Steinar H. Gunderson

plocate 1.1.23 released

I've just released version 1.1.23 of plocate, almost a year after 1.1.22. The changes are mostly around the systemd unit this time, but perhaps more interestingly is that this is the first release where I don't have the majority of patches; in fact, I don't have any patches at all. All of them came from contributors, many of them through the “just do git push to send me a patch email” interface.

I guess this means that I'll need to actually start streamlining my “git am” workflow… it gets me every time. :-)

24 November, 2024 10:27PM

November 22, 2024

hackergotchi for Matthew Palmer

Matthew Palmer

Your Release Process Sucks

For the past decade-plus, every piece of software I write has had one of two release processes.

Software that gets deployed directly onto servers (websites, mostly, but also the infrastructure that runs Pwnedkeys, for example) is deployed with nothing more than git push prod main. I’ll talk more about that some other day.

Today is about the release process for everything else I maintain – Rust / Ruby libraries, standalone programs, and so forth. To release those, I use the following, extremely intricate process:

  1. Create an annotated git tag, where the name of the tag is the software version I’m releasing, and the annotation is the release notes for that version.

  2. Run git release in the repository.

  3. There is no step 3.

Yes, it absolutely is that simple. And if your release process is any more complicated than that, then you are suffering unnecessarily.

But don’t worry. I’m from the Internet, and I’m here to help.

Sidebar: “annotated what-now?!?”

The annotated tag is one git’s best-kept secrets. They’ve been available in git for practically forever (I’ve been using them since at least 2014, which is “practically forever” in software development), yet almost everyone I mention them to has never heard of them.

A “tag”, in git parlance, is a repository-unique named label that points to a single commit (as identified by the commit’s SHA1 hash). Annotating a tag is simply associating a block of free-form text with that tag.

Creating an annotated tag is simple-sauce: git tag -a tagname will open up an editor window where you can enter your annotation, and git tag -a -m "some annotation" tagname will create the tag with the annotation “some annotation”. Retrieving the annotation for a tag is straightforward, too: git show tagname will display the annotation along with all the other tag-related information.

Now that we know all about annotated tags, let’s talk about how to use them to make software releases freaking awesome.

Step 1: Create the Annotated Git Tag

As I just mentioned, creating an annotated git tag is pretty simple: just add a -a (or --annotate, if you enjoy typing) to your git tag command, and WHAM! annotation achieved.

Releases, though, typically have unique and ever-increasing version numbers, which we want to encode in the tag name. Rather than having to look at the existing tags and figure out the next version number ourselves, we can have software do the hard work for us.

Enter: git-version-bump. This straightforward program takes one mandatory argument: major, minor, or patch, and bumps the corresponding version number component in line with Semantic Versioning principles. If you pass it -n, it opens an editor for you to enter the release notes, and when you save out, the tag is automagically created with the appropriate name.

Because the program is called git-version-bump, you can call it as a git command: git version-bump. Also, because version-bump is long and unwieldy, I have it aliased to vb, with the following entry in my ~/.gitconfig:

[alias]
    vb = version-bump -n

Of course, you don’t have to use git-version-bump if you don’t want to (although why wouldn’t you?). The important thing is that the only step you take to go from “here is our current codebase in main” to “everything as of this commit is version X.Y.Z of this software”, is the creation of an annotated tag that records the version number being released, and the metadata that goes along with that release.

Step 2: Run git release

As I said earlier, I’ve been using this release process for over a decade now. So long, in fact, that when I started, GitHub Actions didn’t exist, and so a lot of the things you’d delegate to a CI runner these days had to be done locally, or in a more ad-hoc manner on a server somewhere.

This is why step 2 in the release process is “run git release”. It’s because historically, you can’t do everything in a CI run. Nowadays, most of my repositories have this in the .git/config:

[alias]
    release = push --tags

Older repositories which, for one reason or another, haven’t been updated to the new hawtness, have various other aliases defined, which run more specialised scripts (usually just rake release, for Ruby libraries), but they’re slowly dying out.

The reason why I still have this alias, though, is that it standardises the release process. Whether it’s a Ruby gem, a Rust crate, a bunch of protobuf definitions, or whatever else, I run the same command to trigger a release going out. It means I don’t have to think about how I do it for this project, because every project does it exactly the same way.

The Wiring Behind the Button

It wasn’t the button that was the problem. It was the miles of wiring, the hundreds of miles of cables, the circuits, the relays, the machinery. The engine was a massive, sprawling, complex, mind-bending nightmare of levers and dials and buttons and switches. You couldn’t just slap a button on the wall and expect it to work. But there should be a button. A big, fat button that you could press and everything would be fine again. Just press it, and everything would be back to normal.

  • Red Dwarf: Better Than Life

Once you’ve accepted that your release process should be as simple as creating an annotated tag and running one command, you do need to consider what happens afterwards. These days, with the near-universal availability of CI runners that can do anything you need in an isolated, reproducible environment, the work required to go from “annotated tag” to “release artifacts” can be scripted up and left to do its thing.

What that looks like, of course, will probably vary greatly depending on what you’re releasing. I can’t really give universally-applicable guidance, since I don’t know your situation. All I can do is provide some of my open source work as inspirational examples.

For starters, let’s look at a simple Rust crate I’ve written, called strong-box. It’s a straightforward crate, that provides ergonomic and secure cryptographic functionality inspired by the likes of NaCl. As it’s just a crate, its release script is very straightforward. Most of the complexity is working around Cargo’s inelegant mandate that crate version numbers are specified in a TOML file. Apart from that, it’s just a matter of building and uploading the crate. Easy!

Slightly more complicated is action-validator. This is a Rust CLI tool which validates GitHub Actions and Workflows (how very meta) against a published JSON schema, to make sure you haven’t got any syntax or structural errors. As not everyone has a Rust toolchain on their local box, the release process helpfully build binaries for several common OSes and CPU architectures that people can download if they choose. The release process in this case is somewhat larger, but not particularly complicated. Almost half of it is actually scaffolding to build an experimental WASM/NPM build of the code, because someone seemed rather keen on that.

Moving away from Rust, and stepping up the meta another notch, we can take a look at the release process for git-version-bump itself, my Ruby library and associated CLI tool which started me down the “Just Tag It Already” rabbit hole many years ago. In this case, since gemspecs are very amenable to programmatic definition, the release process is practically trivial. Remove the boilerplate and workarounds for GitHub Actions bugs, and you’re left with about three lines of actual commands.

These approaches can certainly scale to larger, more complicated processes. I’ve recently implemented annotated-tag-based releases in a proprietary software product, that produces Debian/Ubuntu, RedHat, and Windows packages, as well as Docker images, and it takes all of the information it needs from the annotated tag. I’m confident that this approach will successfully serve them as they expand out to build AMIs, GCP machine images, and whatever else they need in their release processes in the future.

Objection, Your Honour!

I can hear the howl of the “but, actuallys” coming over the horizon even as I type. People have a lot of Big Feelings about why this release process won’t work for them. Rather than overload this article with them, I’ve created a companion article that enumerates the objections I’ve come across, and answers them. I’m also available for consulting if you’d like a personalised, professional opinion on your specific circumstances.

DVD Bonus Feature: Pre-releases

Unless you’re addicted to surprises, it’s good to get early feedback about new features and bugfixes before they make it into an official, general-purpose release. For this, you can’t go past the pre-release.

The major blocker to widespread use of pre-releases is that cutting a release is usually a pain in the behind. If you’ve got to edit changelogs, and modify version numbers in a dozen places, then you’re entirely justified in thinking that cutting a pre-release for a customer to test that bugfix that only occurs in their environment is too much of a hassle.

The thing is, once you’ve got releases building from annotated tags, making pre-releases on every push to main becomes practically trivial. This is mostly due to another fantastic and underused Git command: git describe.

How git describe works is, basically, that it finds the most recent commit that has an associated annotated tag, and then generates a string that contains that tag’s name, plus the number of commits between that tag and the current commit, with the current commit’s hash included, as a bonus. That is, imagine that three commits ago, you created an annotated release tag named v4.2.0. If you run git describe now, it will print out v4.2.0-3-g04f5a6f (assuming that the current commit’s SHA starts with 04f5a6f).

You might be starting to see where this is going. With a bit of light massaging (essentially, removing the leading v and replacing the -s with .s), that string can be converted into a version number which, in most sane environments, is considered “newer” than the official 4.2.0 release, but will be superceded by the next actual release (say, 4.2.1 or 4.3.0). If you’re already injecting version numbers into the release build process, injecting a slightly different version number is no work at all.

Then, you can easily build release artifacts for every commit to main, and make them available somewhere they won’t get in the way of the “official” releases. For example, in the proprietary product I mentioned previously, this involves uploading the Debian packages to a separate component (prerelease instead of main), so that users that want to opt-in to the prerelease channel simply modify their sources.list to change main to prerelease. Management have been extremely pleased with the easy availability of pre-release packages; they’ve been gleefully installing them willy-nilly for testing purposes since I rolled them out.

In fact, even while I’ve been writing this article, I was asked to add some debug logging to help track down a particularly pernicious bug. I added the few lines of code, committed, pushed, and went back to writing. A few minutes later (next week’s job is to cut that in-process time by at least half), the person who asked for the extra logging ran apt update; apt upgrade, which installed the newly-built package, and was able to progress in their debugging adventure.

Continuous Delivery: It’s Not Just For Hipsters.

“+1, Informative”

Hopefully, this has spurred you to commit your immortal soul to the Church of the Annotated Tag. You may tithe by buying me a refreshing beverage. Alternately, if you’re really keen to adopt more streamlined release management processes, I’m available for consulting engagements.

22 November, 2024 09:25PM by Matt Palmer (mpalmer@hezmatt.org)

Invalid Excuses for Why Your Release Process Sucks

In my companion article, I made the bold claim that your release process should consist of no more than two steps:

  1. Create an annotated Git tag;

  2. Run a single command to trigger the release pipeline.

As I have been on the Internet for more than five minutes, I’m aware that a great many people will have a great many objections to this simple and straightforward idea. In the interests of saving them a lot of wear and tear on their keyboards, I present this list of common reasons why these objections are invalid.

If you have an objection I don’t cover here, the comment box is down the bottom of the article. If you think you’ve got a real stumper, I’m available for consulting engagements, and if you turn out to have a release process which cannot feasibly be reduced to the above two steps for legitimate technical reasons, I’ll waive my fees.

“But I automatically generate my release notes from commit messages!”

This one is really easy to solve: have the release note generation tool feed directly into the annotation. Boom! Headshot.

“But all these files need to be edited to make a release!”

No, they absolutely don’t. But I can see why you might think you do, given how inflexible some packaging environments can seem, and since “that’s how we’ve always done it”.

Language Packages

Most languages require you to encode the version of the library or binary in a file that you want to revision control. This is teh suck, but I’m yet to encounter a situation that can’t be worked around some way or another.

In Ruby, for instance, gemspec files are actually executable Ruby code, so I call code (that’s part of git-version-bump, as an aside) to calculate the version number from the git tags. The Rust build tool, Cargo, uses a TOML file, which isn’t as easy, but a small amount of release automation is used to take care of that.

Distribution Packages

If you’re building Linux distribution packages, you can easily apply similar automation faffery. For example, Debian packages take their metadata from the debian/changelog file in the build directory. Don’t keep that file in revision control, though: build it at release time. Everything you need to construct a Debian (or RPM) changelog is in the tag – version numbers, dates, times, authors, release notes. Use it for much good.

The Dreaded Changelog

Finally, there’s the CHANGELOG file. If it’s maintained during the development process, it typically has an archive of all the release notes, under version numbers, with an “Unreleased” heading at the top. It’s one more place to remember to have to edit when making that “preparing release X.Y.Z” commit, and it is a gift to the Demon of Spurious Merge Conflicts if you follow the policy of “every commit must add a changelog entry”.

My solution: just burn it to the ground. Add a line to the top with a link to wherever the contents of annotated tags get published (such as GitHub Releases, if that’s your bag) and never open it ever again.

“But I need to know other things about my release, too!”

For some reason, you might think you need some other metadata about your releases. You’re probably wrong – it’s amazing how much information you can obtain or derive from the humble tag – so think creatively about your situation before you start making unnecessary complexity for yourself.

But, on the off chance you’re in a situation that legitimately needs some extra release-related information, here’s the secret: structured annotation. The annotation on a tag can be literally any sequence of octets you like. How that data is interpreted is up to you.

So, require that annotations on release tags use some sort of structured data format (say YAML or TOML – or even XML if you hate your release manager), and mandate that it contain whatever information you need. You can make sure that the annotation has a valid structure and contains all the information you need with an update hook, which can reject the tag push if it doesn’t meet the requirements, and you’re sorted.

“But I have multiple packages in my repo, with different release cadences and versions!”

This one is common enough that I just refer to it as “the monorepo drama”. Personally, I’m not a huge fan of monorepos, but you do you, boo. Annotated tags can still handle it just fine.

The trick is to include the package name being released in the tag name. So rather than a release tag being named vX.Y.Z, you use foo/vX.Y.Z, bar/vX.Y.Z, and baz/vX.Y.Z. The release automation for each package just triggers on tags that match the pattern for that particular package, and limits itself to those tags when figuring out what the version number is.

“But we don’t semver our releases!”

Oh, that’s easy. The tag pattern that marks a release doesn’t have to be vX.Y.Z. It can be anything you want.

Relatedly, there is a (rare, but existent) need for packages that don’t really have a conception of “releases” in the traditional sense. The example I’ve hit most often is automatically generated “bindings” packages, such as protobuf definitions. The source of truth for these is a bunch of .proto files, but to be useful, they need to be packaged into code for the various language(s) you’re using. But those packages need versions, and while someone could manually make releases, the best option is to build new per-language packages automatically every time any of those definitions change.

The versions of those packages, then, can be datestamps (I like something like YYYY.MM.DD.N, where N starts at 0 each day and increments if there are multiple releases in a single day).

This process allows all the code that needs the definitions to declare the minimum version of the definitions that it relies on, and everything is kept in sync and tracked almost like magic.

Th-th-th-th-that’s all, folks!

I hope you’ve enjoyed this bit of mild debunking. Show your gratitude by buying me a refreshing beverage, or purchase my professional expertise and I’ll answer all of your questions and write all your CI jobs.

22 November, 2024 09:25PM by Matt Palmer (mpalmer@hezmatt.org)

not Gerry 'The Monk' Hutch

Who snatched GerryHutch.com, GerryHutch.ie & TheMonk.ie?

When Gerry Hutch released his video this week, he wasn't able to publish it on a web site bearing his own domain name. These names were all proactively registered by Daniel Pocock, a candidate for Dublin Bay South who has worked as a consultant for a number of banks. Pocock wants to promote the work of HUTCH Hussein, who is a leading figure in Australian politics.

The domain names / web sites concerned are GerryHutch.com, GerryHutch.ie, GerardHutch.com, GerardHutch.ie and TheMonk.ie. TheMonk.com was already taken by a business in another country.

Oddly enough, Mr Pocock has also collected the domain name AlanShatter.com, the high-profile independent Alan Shatter who formerly served as Minister for Defence and Minister for Justice. Will we see a class action law suit in the UDRP where Ireland's most notorious criminal teams up with a former justice minister to get their respective names back?

Daniel Pocock is a Debian Developer. What is a Debian Developer?

The Monk started his career doing jumpovers, robbing banks and stores by jumping over the counter. Mr Pocock has run steeplechases in athletics.

Daniel Pocock, London

Mr Hutch arrived at the office of the returning officer on a scooter. Daniel Pocock arrived the next day on a BMW Motorrad F800 GT and parked in the same place:

Gerry Hutch, the Monk

 

Daniel Pocock

 

Daniel Pocock

 

The frugal lifestyle helped Mr Hutch gain the nickname Monk.

Nobody is more concerned with the safety and security of Dublin's citizens than Mr Pocock.

In this section of an interview with Ali Bracken from the Independent, the Monk talks about cleaning up Dublin and they finish with a comment about Donald Trump:

 

Daniel Pocock is sincere about cleaning up Dublin. He was in the middle of the Dublin riots of November 2023 and he posted a detailed report with photos. Today, he goes one step further publishing videos. This was recorded in Parliament Street. We can see the riot police advancing south towards the Dublin Castle, reclaiming sections of the city fifty meters at a time and putting out spot fires as they proceed.

 

Here is another video:

 

Similarities between murder of David Byrne and the GNOME Foundation attack on Sonny Piers

The wikipedia page about David Byrne tells us the following:

At the weigh-in there was an organised armed attack; the match was cancelled after the shooting. There were at least four attackers with masks, army-style helmets and flak jackets, two of whom were disguised as members of the Garda Emergency Response Unit and armed with AK-47 assault rifles. An associate of the Kinahan cartel, David Byrne (34) was shot dead; security sources said that the gang had intended to kill others.

Earlier this year, some masked employees of the GNOME Foundation created an anonymous account in the GNOME Foundation Discourse forum and used it to anonymously post a character assassin hit on Sonny Piers, an elected volunteer. The kill:

The GNOME Foundation Board voted to remove Sonny Piers as a member of the Board of Directors for cause, at a Special Meeting on May 17th, 2024, following the procedure outlined in the GNOME Bylaws, and remove him from all committees. Effective May 25th, 2024, his seat is now vacant, and in accordance with the Bylaws will be filled for the remainder of its term by an appointment made by the Board.

A Code of Conduct complaint was also made against Sonny Piers. The Foundation is engaged in a mediation process with him, which is still ongoing and so we are unable to share more information at this time.

The assassins disguised as members of the Garda Emergency Response Unit remind us of people in free / open source software organizations who give themselves big titles, pretending to be police so they can denounce their political rivals.

We can see that Gerry 'The Monk' Hutch had a very public trial by jury. Sonny Piers was subject to a secret trial, with secret evidence for secret crimes. In Debian, we've seen people can be punished like this simply for using a word like "wayward".

The Universal Declaration of Human Rights, point 1 tells us that everybody is equal. Why do some people get such extraordinary punishments for using the wrong word but Ireland's most notorious criminal can run for the Dáil?

Social control media companies have been described as digital gangsters. The Irish Times poses the question:

Are 'digital gangsters' damaging Ireland Inc's reputation?

Daniel Pocock believes in equality. If elected, he will show equal concern about traditional Irish gangstering and digital gangstering.

Here is that video of Daniel Pocock at the United Nations Forum on Business and Human Rights, it is recorded in 2018 and he correctly anticipated the risk of somebody like Elon Musk taking over Twitter:

Garda have suggested people ask the Monk where he got the funds to pay for his campaign. Pocock admits getting his first file server from a Cardinal.

Garda have been watching the Monk since he was ten years old. Pocock used to row every morning with one of the most distinguished members of Victoria Police sitting in the seat behind him and watching his every move:

Daniel Pocock

Vote [1] Daniel POCOCK

Voters have a choice. If you would like to vote for a professional who can think about the things that mainstream candidates overlook Vote [1] DANIEL POCOCK and remember to follow Daniel Pocock's blog at DanielPOCOCK.com

Daniel Pocock, Dublin Bay South

Vote [1] Daniel POCOCK

22 November, 2024 09:00PM

Gerry 'The Monk' Hutch

The Hutch: there can be only one

Luke "Ming" Flanagan is one of Ireland's most successful independent candidates ever. Ming regularly shares advice with those who want to follow in his footsteps. He recently told The Irish Times:

‘The one thing you’ve got to do is be remembered in politics’

When news reports appeared about Gerry Hutch, a.k.a. The Monk entering politics, Daniel Pocock, candidate for Dublin Bay South remembered his old friend Hutch Hussein, formerly President of the Victorian state branch of the Australian Labor Party.

Is there room for two Hutches in the world of politics?

Putting it in the context of Ming's advice, Hutch's wikipedia entry captures the things Hutch Hussein is remembered for:

Hatice "Hutch" Hussein is an Australian feminist, activist, and social worker. She served as the elected State President of the Victorian branch of the Australian Labor Party (ALP) between 2016 and 2019. Upon taking this role, she became the first President in the party's 125-year history to be from an ethnic minority background, from a Muslim background, and from the LGBT community.

Another wikipedia page reminds us that the Hutch-Kinahan feud is an "ongoing" feud and that:

Special Crime Task Force was created within the national Drugs and Organised Crime Bureau (DOCB) to combat crime gangs, especially the Kinahan and Hutch gangs. Manned by at least 10 gardaí and three sergeants, the task force was scheduled to close in 2021; however, despite at least 18 people being killed in the feud, their success in preventing 50 other murder attempts means it will continue operating.

What are friends for? Daniel Pocock has registered all permutations of Hutch domains like GerryHutch.com and GerryHutch.ie to uphold the good name of Hutch Hussein.

For those who want to know more about The Monk, Mr Pocock has registered TheMonk.ie for good measure. Don't forget to read it before you vote on 29 November 2024.

Here are some videos of Hutch Hussein and Daniel Pocock:

Hutch Hussein speaks to Australian Fabian Society, June 2018

Daniel Pocock at the UN Forum on Business and Human Rights, November 2018

Mr Pocock makes the point that social control media gives activists like Hutch Hussein a false sense of empowerment. People have come to see the truth in this during 2024 as Elon Musk's Twitter / X appeared to help one US election candidate more than the other. The Guardian newspaper recently decided to stop using the Twitter / X platform.

Mr Pocock's point is equally valid for all enterprises, whether they be political parties, non-profits, small businesses or whatever.

Let's not forget Operation Trojan Shield, whereby the secure messaging app ANOM was really controlled by the FBI and Australian Federal Police (AFP). Social control media is really not much better than this and unlike an app operated by the police, social control media can sell information about their users to just about anybody.

Read more about TheMonk.ie and then remember to ...

Vote [1] Daniel POCOCK

Voters have a choice. If you would like to vote for a professional who can think about the things that mainstream candidates overlook Vote [1] DANIEL POCOCK and remember to follow Daniel Pocock's blog at DanielPOCOCK.com

Daniel Pocock, Dublin Bay South

Vote [1] Daniel POCOCK

22 November, 2024 03:30PM

Alan Shatter

Dual citizens, Alan Shatter, Michael Danby & Israel

Alan Shatter resigned from the party Fine Gael some years ago and is making a return as an independent candidate for Dublin Rathdown.

Like candidates in neighboring Dublin Bay South, Mr Shatter wasn't fast enough to recover his old domain names. The domain name AlanShatter.ie has been taken by cybersquatters and they are trying to sell it to the highest bidder.

Somehow the cybersquatters lost interest in Mr Shatter's original domain name AlanShatter.com and it has been secured by Daniel Pocock, independent candidate for Dublin Bay South. The original Alan Shatter web site can be viewed here.

Mr Shatter is the only political leader who has simultaneously served as Ireland's Minister of Defence and Minister of Justice. Ironically, Mr Pocock used to be in the committee of the Elwood branch of the Australian Labor Party. The local member of federal parliament was Michael Danby.

Ireland's political system is very permissive of dual citizens while Australia's system requires dual citizens to renounce any additional citizenships if they are elected to public office. Everybody who identifies as Jewish is entitled to citizenship of Israel. It is interesting to note that while Michael Danby was in the Australian parliament for twenty one years, he was never accepted as a minister, as a member of the cabinet.

Danby had been editor of the Australia-Israel Review and after leaving parliament, he took another job with a Jewish cultural organization in Israel. This emphasizes the challenges that dual-citizens face when they are stretched between multiple communities.

Danby's father was a German Jew who fled to Australia after the Kristallnacht. Coincidentally, Daniel Pocock's birthday, 9 November, is the anniversary of the Kristallnacht and Pocock is sympathetic to all victims of totalitarianism, wherever they are.

Alan Shatter is a lawyer and so he has a much deeper understanding than most of us when it comes to some of the more significant legal questions about Israel and Palestine. It would be interesting to hear his feedback on these topics during the campaign:

On 22 May 2024, the Irish state formally recognized the State of Palestine. This is a dramatic change from the time when Mr Shatter was chariperson of the Irish Parliaments Foreign Affairs Committee.

On 24 May 2024, the International Court of Justice made an order against Israel with reference to genocide.

On 26 May 2024, the first pro-Israel rally took place in Dublin and Shatter was pictured speaking in front of the Israeli flag:

Alan Shatter, Israel, Ireland

On 21 November 2024, the International Criminal Court issued a warrant for the arrest of leadership figures on both sides of the dispute, both the Israeli president and the Hamas leadership.

Decisions like these stand a head and shoulders above many of the other day-to-day stories of tragedy that appear in the news.

More significantly, Irish troops are currently stationed in Lebanon as peacekeepers and Israel ordered them to leave. Where does Mr Shatter stand in a situation like that? It is not an easy situation for any Irish-Israeli citizen.

During the MEP election campaign period in April and May 2024, Mr Pocock was fortunate to meet some of the Irish servicemen and their families having their leaving drinks before deployment to Lebanon. For the safety of the men and the families, the photo has been redacted. These were the drinks:

Irish peacekeepers, Lebanon

 

 

Ask the right questions

Daniel Pocock, Dublin Bay South

Vote [1] Daniel POCOCK

Daniel Pocock is ready to ask the difficult questions.

Pocock is not a dual-citizen any more. He acquired a third citizenship.

Activists on all sides of the dispute, whether they are supporters of Palestine or supporters of Israel, would be wise to contemplate Mr Pocock's concern about social control media giving them a false sense of empowerment:

Daniel Pocock is ready to ask the difficult questions.

Vote [1] Daniel POCOCK

22 November, 2024 12:00PM

Kate O'Connell

Gloves are off in Dublin Bay South

Kate O'Connell was a member of Fine Gael for many years. In 2016 she was the Fine Gael candidate and she won a seat. In the 2020 election Fine Gael fielded two candidates and O'Connell just missed out on winning one of the four seats. Kate subsequently graduated from Fine Gael and now she is running as an independent in 2024.

The domain name KateOConnell.com has been taken by cybersquatters and they are offering it for sale at a price of $4,999. The domain name KateOConnell.ie was available and obtained by rival candidate Daniel Pocock for €15.

Every candidate who receives a vote of more than one quarter of the quota is entitled to have their campaign expenses reimbursed, up to a certain limit. Therefore, if Kate has the cash to pay the expense and if she is confident of getting enough votes then she could give the $4,999 ransom to the blackmailer selling kateoconnell.com and reclaim the expense from public funds. The blackmailer wins and the taxpayer loses.

Kate O'Connell

While Daniel Pocock was busy submitting his nomination Kate, who runs a small business, demonstrated her entrepreneurial side by making off with Pocock's motorbike:

Kate O'Connell

When Gerry Hutch, a.k.a. The Monk submitted his nomination, news reports showed him parking his scooter in the same place the day before and putting a lock on it. Why do you need to lock your vehicle when you are a crime boss and everybody is supposed to be afraid of you? Surely people know that scooter belongs to the leader of the Hutch Gang and nobody touches it. Nonetheless, Mr Hutch locks the scooter, even when it is parked outside the office of the sheriff.

Gerry Hutch, The Monk, Scooter, nomination

Kate O'Connell's wikipedia page goes into more detail about her interactions with her former party, Fine Gael and also the Catholic Church:

In October 2016 O'Connell responded to comments by the Archbishop of Dublin Diarmuid Martin that TDs should remember their faith when legislating for abortion in Ireland by stating "I don't see why the archbishop's views are in any way relevant. I don't see why Archbishop Martin should be getting involved in women's health issues. It is the same as asking my four-year-old. They [the Church] are entitled to their opinion, but I don't put any weight in them. I don't see what involvement the Catholic Church should have in women's health issues".

In the world of open source / free software, we would say that this is a woman who doesn't obey the Code of Conduct and the cool kids would go off and have a big sook about "harassment" every time she opens her mouth.

Mr Pocock was a mentor in programs like Outreach Program for Women (Outreachy) and he admitted hoping to find talented female candidates who would also be willing to speak their mind. In 2017 he awarded such an internship to Renata D'Avila from Brazil. While most of the interns were in their first job, Renata had formerly worked as a school teacher and then re-trained as a software developer. Being about 30 years old, she was no longer as naive as the 20 year-olds Debian was hoping to recruit in the program. Renata came to the mini-DebConf in Brazil and spoke to the Debian men the same way she would speak to naughty schoolchildren:

After having met some of the candidates, Mr Pocock has made the following observations about Kate O'Connell:

I don't know everything that Kate stands for and I suspect I may not even agree with her on everything. However, she was the only other candidate who immediately asked for my number [2] vote when she realized I was running against her.

Donald Trump told us clearly that American companies in Ireland will be asked to pay their taxes in America at a lower tax rate. Many Irish politicians will be taken by surprise when the revenue they took for granted just disappears. Read the hard facts about this lost revenue on my blog.

We need a new generation of TDs who can think on our feet. Kate, a small business owner, demonstrated with her immediate request for my number [2] vote the same lightning reflexes that helped me seize her domain, along with the domains of our rivals.

Kate demonstrated an outspoken response to the role of men in women's lives. The role of social control media is far worse than anything the church has ever done. Therefore, the fact that she has made social control media a key part of her campaign, without even creating a normal website, demonstrates that she is selling her soul and the souls of her supporters to the clerics of Silicon Valley. These platforms are designed to give strong female leaders like Kate a false sense of empowerment. Artificial intelligence and algorithms will always be one step ahead of her.

Mr Pocock has been consistent in sharing this message with independent leaders around the world. Here is the video from the UN Forum on Business and Human Rights. Ever since then, Mr Pocock's family was subject to stalking and gossip campaigns from the social control media cliques:

Good news, Pocock knew just where to find his motorbike again, right outside Kate's pharmacy:

Kate O'Connell, Daniel Pocock

Look at all the bikes. Bike sheds are a major issue in Dublin right now.

Kate has used her business premises to display election advertising. Mr Pocock wants to ban the election posters but such a ban wouldn't apply to private premises like this. Kate appears a little bit smarter than the FG and FF candidates who put their posters on the ESB poles.

Voters have a choice. If you would like to vote for a professional who can think about the things that mainstream candidates overlook Vote [1] DANIEL POCOCK and remember to follow Daniel Pocock's blog at DanielPOCOCK.com

Daniel Pocock, Dublin Bay South

Vote [1] Daniel POCOCK

22 November, 2024 11:00AM

hackergotchi for Norbert Preining

Norbert Preining

CafeOBJ 1.6.2 released

We have released version 1.6.2 of CafeOBJ, an algebraic specification and verification language.
cafeobj-logo

It has been a long time since we made a formal release. There has been an internal release that really never got published, and just to rectify this, plus a few changes, a new release was made.

In this release, we also switched away from providing ACL based builds, since the SBCL based builds are more stable and completely open-source based. Furthermore, 32bit builds for Windows and Linux are also now stopped.

Detailed changes:

  • make a public release of the internal version 1.6.1
  • change grouping of operators.
  • :init makes a new goal
  • Optimize introduced axiom
  • :init command behaves like :defined one
  • Fix wrong contradiction check
  • Fix :init as <Label> causes exception
  • Fix diagnostic messages of regularity check.

Please see the download page for the source release, binary packages, and installation instructions.

To quote from our README:

CafeOBJ is a new generation algebraic specification and programming language. As a direct successor of OBJ, it inherits all its features (flexible mix-fix syntax, powerful typing system with sub-types, and sophisticated module composition system featuring various kinds of imports, parameterised modules, views for instantiating the parameters, module expressions, etc.) but it also implements new paradigms such as rewriting logic and hidden algebra, as well as their combination.

Availability

Binary packages for Linux, MacOS, and Windows are already available, in 64 bit and based on SBCL. All downloads can be found at the CafeOBJ download page. The source code can also be found on the download page, or directly from here: cafeobj-1.6.2.tar.gz.

Homebrew already carries the most recent version, as does the Arch Linux AUR cafeobj package. Updates to the Macports will probably stop.

Bug reports

If you find a bug, have suggestions, or complains, please open an issue at the Github issue page.

For other inquiries, please use info@cafeobj.org

22 November, 2024 08:55AM by Norbert Preining

November 21, 2024

Chris Andrews

Brigid Purcell

Socialism with a touch of communism

Brigid Purcell is a woman and she is one of the youngest candidates but that doesn't exclude her from the same scrutiny as her competitors. Feedback can only help a candidate improve both now and in future elections.

Purcell has a few videos and here are the key points. People Before Profit present themselves as socialists but some of their ideas are veering on communism, like this comment about a state-owned construction company:

Brigid contested the by-election in 2021 and therefore she could have been more well prepared and registered her domain name long ago. She failed to take the key domain names BrigidPurcell.com and BrigidPurcell.ie and now Daniel Pocock, a rival candidate, has got them.

Like other candidates, Brigid hopes to claim public funds to pay for the posters she is putting up all over Dublin Bay South. The posters promote social control media accounts, therefore, People Before Profit add to the net worth of Silicon Valley billionaires. That is a huge contradiction.

Here Brigid talks about being a minimum wage worker and I'm sure these comments resonate with every minimum wage worker throughout Ireland:

Check out Daniel Pocock's recordings of such behavior in voluntary organizations affiliated to Google and other difficult environments.

Nonetheless, by using social control media for her campaign Brigid is giving power to billionaires in Silicon Valley. Brigid is giving power to a lot of privileged white men who work in the social control media ecosystem. Every minute Brigid spends on social control media is unpaid work adding to the share price of Meta and X. Every friend she connects with through these platforms increases the value of those networks and their share prices based on the theory proposed by Metcalfe's law.

Therefore, by building up social control media, People Before Profit are augmenting the capital accounts of billionaires. Those same billionaires have the power to manipulate their message in very subtle ways or in a very big way at any time. Artificial Intelligence is only going to make it more difficult.

Daniel Pocock is the only candidate building a campaign without social control media. Vote [1] Daniel POCOCK.

Brigid goes on to ask more young people to register to vote in the region where they live and not where their parents live:

Mr Pocock encourages young people to go a step further beyond enrolling to vote: it is vital for young people to get involved in election campaigns, to attending hustings, to organize events for the candidates on campus, to invite the more unusual candidates, to attend party branch meetings as guests and ask the candidates difficult questions. Don't rely on the reports that appear on the television, news web sites and social control media as all of those things are very carefully scripted by public relations experts.

Here we can see Mr Pocock at the UN Forum on Business and Human Rights in 2018. He speaks about social control media giving people like Brigid Purcell a false sense of empowerment:

Pocock is willing to go to the Dáil and ask the difficult questions about artificial intelligence, the economy and jobs. To solve housing problems in Dublin, we need to find win-win situations where landlords and tenants both have some positive outcomes.

The two main questions people ask Mr Pocock when he is canvassing are "are you related to the rugby player, Senator David Pocock?" and ...

you asked: "when are the posters coming down?"

Daniel Pocock, David Pocock

Vast sums of public money are wasted on these posters which encourage people to visit social control media pages controlled by foreign billionaires.

Voters have a choice. If you would like to vote for original ideas to manage the rules of engagement between artificial intelligence, our businesses and our jobs then please Vote [1] DANIEL POCOCK and remember to follow Daniel Pocock's blog at DanielPOCOCK.com

Daniel Pocock, Dublin Bay South

Vote [1] Daniel POCOCK

21 November, 2024 07:30PM

Nick Delehanty

Dog age my web site

Nick Delehanty is a corporate lawyer who worked inside the state system, left to set up a dog day care business, Barkleys Doggie Daycare and wants to change the system that he formerly worked in.

It looks like a dog ate Nick's web site and the domain name has been taken over by rival candidate Daniel Pocock. Coincidentally, Pocock worked at the other Barclays in Canary Wharf.

The domain name NickDelehanty.com is run by somebody else and has no relation to the Nick Delehanty competing in the Irish general election. Therefore, it was crucial for Nick to secure NickDelehanty.ie and he failed to do so.

Many candidates, like Nick, want to change the system. Many candidates simultaneously promise to get social control media under control and protect the children. But you can't always change the system from within, whether it is the state or the menace of social control media, candidates who want to change these things need to break out of them first.

Candidates who try to run their entire campaign within social control media and without a web site are only advancing the cause of the billionaires who run those platforms.

The Guardian learnt that the hard way. After the election of Donald Trump, The Guardian newspaper declared they will no longer post on Elon Musk's X / Twitter platform. But it was too little, too late.

Daniel Pocock is the only candidate who is competing without any social control media accounts. If you want something a bit different, you have to vote for it.

Vote [1] Daniel POCOCK

Visit the blog of Daniel Pocock for more details about policy and how you can help.

Nick has spent a lot of time and money putting up posters. Like most candidates, he will try to reclaim the cost of posters from public funds.

The two main questions people ask Mr Pocock when he is canvassing are "are you related to the rugby player, Senator David Pocock?" and ...

you asked: "when are the posters coming down?"

Daniel Pocock, David Pocock

Daniel Pocock wants to ban the posters.

Vote [1] Daniel POCOCK

The tech industry, globally, is having a huge impact on our salaries, our savings, our small businesses and our national economy. Pocock is one of the few people from the industry who can see the big picture and wants to work on your side as your TD for Dublin Bay South.

Visit the blog of Daniel Pocock for more details about policy and how you can help.

Daniel Pocock, Dublin Bay South

Vote [1] Daniel POCOCK for Dublin Bay South

21 November, 2024 05:00PM

Alan Shatter

Inheritance Tax Reform Campaign in Ireland

On 17 September 2024, the Irish Times reported Alan Shatter hasn’t “given thought” to election bid as he seeks revolt over inheritance tax.

There are many things that can be said for and against each type of tax.

Four days later, on 21 September 2024, The Journal used a loaded question in a headline, asking FactCheck: Is it true that only about 3% of people pay tax on inheritance in Ireland?

The Journal’s article does not mention the word inflation even once.

Some of the big concerns about inheritance tax:

  • the threshold doesn’t automatically increase with inflation
  • the privacy of a testator’s will means that beneficiaries do not always have a lot of certainty about their inheritance, therefore, they can not fully plan their affairs around it
  • in most cases, the time of death will not be known very clearly in advance and this also makes it difficult for beneficiaries to plan their affairs around the tax. Example: parent dies unexpectedly aged 50 and their daughter, who has just had a baby, has committed all their cash to extending their home so they have no disposable cash to pay the inheritance tax bill.
  • parents who die in unforeseen circumstances at a young age may not have had the opportunity to transfer assets pre-emptively to children who are still very young
  • while some taxes, like USC, are earmarked for specific services and we can measure how well the government provides those services, it is harder to state whether the government is efficient in their use of funds from inheritance tax

21 November, 2024 04:00PM

Jim O'Callaghan

Fine Gael & Fianna Fáil in power again

Emma Blain, Jim O'Callaghan, James Geoghegan

At each election, the ESB sends a kind warning to all the candidates and political parties reminding them that risky behavior, like erecting signs on the power poles, is not safe for volunteers.

With so many poles in the streets, how can we recognize the poles to avoid?

There are three clues: a yellow warning triangle, a Fine Gael poster and a Fianna Fáil poster. If you see those three things together, it is definitely the wrong pole.

While Fine Gael & Fianna Fáil were barking up the wrong ESB pole, Daniel Pocock registered their Internet domain names.

The domain names for Emma Blain (.com), Fine Gael, Emma Blain (.ie), Fine Gael and Jim O'Callaghan (.ie), Fianna Fáil are now operated by an independent candidate.

Daniel Pocock supports the abolition of election posters in future elections.

The two main questions people ask Mr Pocock when he is canvassing are "are you related to the rugby player, Senator David Pocock?" and ...

you asked: "when are the posters coming down?"

Daniel Pocock, David Pocock

Vast sums of public money are wasted on these posters which encourage people to visit social control media pages controlled by foreign billionaires.

If they spend so much public money and volunteer time on erecting these posters, why didn't they even bother to put a website address on them?

Checking the whois records, we can see that Mr Pocock only acquired the domains after the close of nominations. That is well after these parties had chosen their candidates. Mr Pocock did not prevent them registering the domains themselves. Mrs Blain, who is already a council member, didn't attempt to register the domain and Mr O'Callaghan previously owned the domain jimocallaghan.ie and failed to renew it.

If they can't renew an Internet domain, how can they protect your kids from Google? Do you really want both of these parties in power together again? (excuse the pun) Or do you want independent candidates in the Dáil who can look over their shoulders and help them do better?

Voters have a choice. If you would like to vote for a professional who can think about the things that mainstream candidates overlook Vote [1] DANIEL POCOCK and remember to follow Daniel Pocock's blog at DanielPOCOCK.com

Daniel Pocock, Dublin Bay South

Vote [1] Daniel POCOCK

21 November, 2024 01:00PM

Emma Blain

Barking up the wrong ESB pole

Emma Blain, Jim O'Callaghan, James Geoghegan

At each election, the ESB sends a kind warning to all the candidates and political parties reminding them that risky behavior, like erecting signs on the power poles, is not safe for volunteers.

With so many poles in the streets, how can we recognize the poles to avoid?

There are three clues: a yellow warning triangle, a Fine Gael poster and a Fianna Fáil poster. If you see those three things together, it is definitely the wrong pole.

While Fine Gael & Fianna Fáil were barking up the wrong ESB pole, Daniel Pocock registered their Internet domain names.

The domain names for Emma Blain (.com), Fine Gael, Emma Blain (.ie), Fine Gael and Jim O'Callaghan (.ie), Fianna Fáil are now operated by an independent candidate.

Daniel Pocock supports the abolition of election posters in future elections.

The two main questions people ask Mr Pocock when he is canvassing are "are you related to the rugby player, Senator David Pocock?" and ...

you asked: "when are the posters coming down?"

Daniel Pocock, David Pocock

Vast sums of public money are wasted on these posters which encourage people to visit social control media pages controlled by foreign billionaires.

If they spend so much public money and volunteer time on erecting these posters, why didn't they even bother to put a web site address on them?

Checking the whois records, we can see that Mr Pocock only acquired the domains after the close of nominations. That is well after these parties had chosen their candidates. Mr Pocock did not prevent them registering the domains themselves. Mrs Blain, who is already a council member, didn't attempt to register the domain and Mr O'Callaghan previously owned the domain jimocallaghan.ie and failed to renew it.

If they can't renew an Internet domain, how can they protect your kids from Google? Do you really want both of these parties in power together again? (excuse the pun) Or do you want independent candidates in the Dáil who can look over their shoulders and help them do better?

Voters have a choice. If you would like to vote for a professional who can think about the things that mainstream candidates overlook Vote [1] DANIEL POCOCK and remember to follow Daniel Pocock's blog at DanielPOCOCK.com

Daniel Pocock, Dublin Bay South

Vote [1] Daniel POCOCK

21 November, 2024 01:00PM

November 20, 2024

Ian Jackson

The Rust Foundation's 2nd bad draft trademark policy

tl;dr: The Rust Foundation’s new trademark policy still forbids unapproved modifications: this would forbid both the Rust Community’s own development work(!) and normal Free Software distribution practices.

Background

In April 2023 I wrote about the Rust Foundation’s ham-fisted and misguided attempts to update the Rust trademark policy. This turned into drama.

The new draft

Recently, the Foundation published a new draft. It’s considerably less bad, but the most serious problem, which I identified last year, remains.

It prevents redistribution of modified versions of Rust, without pre-approval from the Rust Foundation. (Subject to some limited exceptions.) The people who wrote this evidently haven’t realised that distributing modified versions is how free software development works. Ie, the draft Rust trademark policy even forbids making a github branch for an MR to contribute to Rust!

It’s also very likely unacceptable to Debian. Rust is still on track to repeat the Firefox/Iceweasel debacle.

Below is a copy of my formal response to the consultation. The consultation closes at 07:59:00 UTC tomorrow (21st November), ie, at the end of today (Wednesday) US Pacific time, so if you want to reply, do so quickly.

My consultation response

Hi. My name is Ian Jackson. I write as a Rust contributor and as a Debian Developer with first-hand experience of Debian’s approach to trademarks. (But I am not a member of the Debian Rust Packaging Team.)

Your form invites me to state any blocking concerns. I’m afraid I have one:

PROBLEM

The policy on distributing modified versions of Rust (page 4, 8th bullet) is far too restrictive.

PROBLEM - ASPECT 1

On its face the policy forbids making a clone of the Rust repositories on a git forge, and pushing a modified branch there. That is publicly distributing a modified version of Rust.

I.e., the current policy forbids the Rust’s community’s own development workflow!

PROBLEM - ASPECT 2

The policy also does not meet the needs of Software-Freedom-respecting downstreams, including community Linux distributions such as Debian.

There are two scenarios (fuzzy, and overlapping) which provide a convenient framing to discuss this:

Firstly, in practical terms, Debian may need to backport bugfixes, or sometimes other changes. Sometimes Debian will want to pre-apply bugfixes or changes that have been contributed by users, and are intended eventually to go upstream, but are not included upstream in official Rust yet. This is a routine activity for a distribution. The policy, however, forbids it.

Secondly, Debian, as a point of principle, requires the ability to diverge from upstream if and when Debian decides that this is the right choice for Debian’s users. The freedom to modify is a key principle of Free Software. This includes making changes that the upstream project disapproves of. Some examples of this, where Debian has made changes, that upstream do not approve of, have included things like: removing user-tracking code, or disabling obsolescence “timebombs” that stop a particular version working after a certain date.

Overall, while alignment in values between Debian and Rust seems to be very good right now, modifiability it is a matter of non-negotiable principle for Debian. The 8th bullet point on page 4 of the PDF does not give Debian (and Debian’s users) these freedoms.

POSSIBLE SOLUTIONS

Other formulations, or an additional permission, seem like they would be able to meet the needs of both Debian and Rust.

The first thing to recognise is that forbidding modified versions is probably not necessary to prevent language ecosystem fragmentation. Many other programming languages are distributed under fully Free Software licences without such restrictive trademark policies. (For example, Python; I’m sure a thorough survey would find many others.)

The scenario that would be most worrying for Rust would be “embrace - extend - extinguish”. In projects with a copyleft licence, this is not a concern, but Rust is permissively licenced. However, one way to address this would be to add an additional permission for modification that permits distribution of modified versions without permission, but if the modified source code is also provided, under the original Rust licence.

I suggest therefore adding the following 2nd sub-bullet point to the 8th bullet on page 4:

  • changes which are shared, in source code form, with all recipients of the modified software, and publicly licenced under the same licence as the official materials.

This means that downstreams who fear copyleft have the option of taking Rust’s permissive copyright licence at face value, but are limited in the modifications they may make, unless they rename. Conversely downstreams such as Debian who wish to operate as part of the Free Software ecosystem can freely make modifications.

It also, obviously, covers the Rust Community’s own development work.

NON-SOLUTIONS

Some upstreams, faced with this problem, have offered Debian a special permission: ie, said that it would be OK for Debian to make modifications that Debian wants to. But Debian will not accept any Debian-specific permissions.

Debian could of course rename their Rust compiler. Debian has chosen to rename in the past: infamously, a similar policy by Mozilla resulted in Debian distributing Firefox under the name Iceweasel for many years. This is a PR problem for everyone involved, and results in a good deal of technical inconvenience and makework.

“Debian could seek approval for changes, and the Rust Foundation would grant that approval quickly”. This is unworkable on a practical level - requests for permission do not fit into Debian’s workflow, and the resulting delays would be unacceptable. But, more fundamentally, Debian rightly insists that it must have the freedom to make changes that the Foundation do not approve of. (For example, if a future Rust shipped with telemetry features Debian objected to.)

“Debian and Rust could compromise”. However, Debian is an ideological as well as technological project. The principles I have set out are part of Debian’s Foundation Documents - they are core values for Debian. When Debian makes compromises, it does so very slowly and with great deliberation, using its slowest and most heavyweight constitutional governance processes. Debian is not likely to want to engage in such a process for the benefit of one programming language.

“Users will get Rust from upstream”. This is currently often the case. Right now, Rust is moving very quickly, and by Debian standards is very new. As Rust becomes more widely used, more stable, and more part of the infrastructure of the software world, it will need to become part of standard, stable, reliable, software distributions. That means Debian.

(The consultation was a Google Forms page with a single text field, so the formatting isn’t great. I have edited the formatting very lightly to avoid rendering bugs here on my blog.)



comment count unavailable comments

20 November, 2024 12:50PM

Russell Coker

Solving Spam and Phishing for Corporations

Centralisation and Corporations

An advantage of a medium to large company is that it permits specialisation. For example I’m currently working in the IT department of a medium sized company and because we have standardised hardware (Dell Latitude and Precision laptops, Dell Precision Tower workstations, and Dell PowerEdge servers) and I am involved in fixing all Linux compatibility issues on that I can fix most problems in a small fraction of the time that I would take to fix on a random computer. There is scope for a lot of debate about the extent to which companies should standardise and centralise things. But for computer problems which can escalate quickly from minor to serious if not approached in the correct manner it’s clear that a good deal of centralisation is appropriate.

For people doing technical computer work such as programming there’s a large portion of the employees who are computer hobbyists who like to fiddle with computers. But if the support system is run well even they will appreciate having computers just work most of the time and for a large portion of the failures having someone immediately recognise the problem, like the issues with NVidia drivers that I have documented so that first line support can implement workarounds without the need for a lengthy investigation.

A big problem with email in the modern Internet is the prevalence of Phishing scams. The current corporate approach to this is to send out test Phishing email to people and then force computer security training on everyone who clicks on them. One problem with this is that attackers only need to fool one person on one occasion and when you have hundreds of people doing something on rare occasions that’s not part of their core work they will periodically get it wrong. When every test Phishing run finds several people who need extra training it seems obvious to me that this isn’t a solution that’s working well. I will concede that the majority of people who click on the test Phishing email would probably realise their mistake if asked to enter the password for the corporate email system, but I think it’s still clear that this isn’t a great solution.

Let’s imagine for the sake of discussion that everyone in a company was 100% accurate at identifying Phishing email and other scam email, if that was the case would the problem be solved? I believe that even in that hypothetical case it would not be a solved problem due to the wasted time and concentration. People can spend minutes determining if a single email is legitimate. On many occasions I have had relatives and clients forward me email because they are unsure if it’s valid, it’s great that they seek expert advice when they are unsure about things but it would be better if they didn’t have to go to that effort. What we ideally want to do is centralise the anti-Phishing and anti-spam work to a small group of people who are actually good at it and who can recognise patterns by seeing larger quantities of spam. When a spam or Phishing message is sent to 600 people in a company you don’t want 600 people to individually consider it, you want one person to recognise it and delete/block all 600. If 600 people each spend one minute considering the matter then that’s 10 work hours wasted!

The Rationale for Human Filtering

For personal email human filtering usually isn’t viable because people want privacy. But corporate email isn’t private, it’s expected that the company can read it under certain circumstances (in most jurisdictions) and having email open in public areas of the office where colleagues might see it is expected. You can visit gmail.com on your lunch break to read personal email but every company policy (and common sense) says to not have actually private correspondence on company systems.

The amount of time spent by reception staff in sorting out such email would be less than that taken by individuals. When someone sends a spam to everyone in the company instead of 500 people each spending a couple of minutes working out whether it’s legit you have one person who’s good at recognising spam (because it’s their job) who clicks on a “remove mail from this sender from all mailboxes” button and 500 messages are deleted and the sender is blocked.

Delaying email would be a concern. It’s standard practice for CEOs (and C*Os at larger companies) to have a PA receive their email and forward the ones that need their attention. So human vetting of email can work without unreasonable delays. If we had someone checking all email for the entire company probably email to the senior people would never get noticeably delayed and while people like me would get their mail delayed on occasion people doing technical work generally don’t have notifications turned on for email because it’s a distraction and a fast response isn’t needed. There are a few senders where fast response is required, which is mostly corporations sending a “click this link within 10 minutes to confirm your password change” email. Setting up rules for all such senders that are relevant to work wouldn’t be difficult to do.

How to Solve This

Spam and Phishing became serious problems over 20 years ago and we have had 20 years of evolution of email filtering which still hasn’t solved the problem. The vast majority of email addresses in use are run by major managed service providers and they haven’t managed to filter out spam/phishing mail effectively so I think we should assume that it’s not going to be solved by filtering. There is talk about what “AI” technology might do for filtering spam/phishing but that same technology can product better crafted hostile email to avoid filters.

An additional complication for corporate email filtering is that some criteria that are used to filter personal email don’t apply to corporate mail. If someone sends email to me personally about millions of dollars then it’s obviously not legit. If someone sends email to a company then it could be legit. Companies routinely have people emailing potential clients about how their products can save millions of dollars and make purchases over a million dollars. This is not a problem that’s impossible to solve, it’s just an extra difficulty that reduces the efficiency of filters.

It seems to me that the best solution to the problem involves having all mail filtered by a human. A company could configure their mail server to not accept direct external mail for any employee’s address. Then people could email files to colleagues etc without any restriction but spam and phishing wouldn’t be a problem. The issue is how to manage inbound mail. One possibility is to have addresses of the form it+russell.coker@example.com (for me as an employee in the IT department) and you would have a team of people who would read those mailboxes and forward mail to the right people if it seemed legit. Having addresses like it+russell.coker means that all mail to the IT department would be received into folders of the same account and they could be filtered by someone with suitable security level and not require any special configuration of the mail server. So the person who read the is mailbox would have a folder named russell.coker receiving mail addressed to me. The system could be configured to automate the processing of mail from known good addresses (and even domains), so they could just put in a rule saying that when Dell sends DMARC authenticated mail to is+$USER it gets immediately directed to $USER. This is the sort of thing that can be automated in the email client (mail filtering is becoming a common feature in MUAs).

For a FOSS implementation of such things the server side of it (including extracting account data from a directory to determine which department a user is in) would be about a day’s work and then an option would be to modify a webmail program to have extra functionality for approving senders and sending change requests to the server to automatically direct future mail from the same sender. As an aside I have previously worked on a project that had a modified version of the Horde webmail system to do this sort of thing for challenge-response email and adding certain automated messages to the allow-list.

The Change

One of the first things to do is configuring the system to add every recipient of an outbound message to the allow list for receiving a reply. Having a script go through the sent-mail folders of all accounts and adding the recipients to the allow lists would be easy and catch the common cases.

But even with processing the sent mail folders going from a working system without such things to a system like this will take some time for the initial work of adding addresses to the allow lists, particularly for domain wide additions of all the sites that send password confirmation messages. You would need rules to direct inbound mail to the old addresses to the new style and then address a huge amount of mail that needs to be categorised. If you have 600 employees and the average amount of time taken on the first day is 10 minutes per user then that’s 100 hours of work, 12 work days. If you had everyone from the IT department, reception, and executive assistants working on it that would be viable. After about a week there wouldn’t be much work involved in maintaining it. Then after that it would be a net win for the company.

The Benefits

If the average employee spends one minute a day dealing with spam and phishing email then with 600 employees that’s 10 hours of wasted time per day. Effectively wasting one employee’s work! I’m sure that’s the low end of the range, 5 minutes average per day doesn’t seem unreasonable especially when people are unsure about phishing email and send it to Slack so multiple employees spend time analysing it. So you could have 5 employees being wasted by hostile email and avoiding that would take a fraction of the time of a few people adding up to less than an hour of total work per day.

Then there’s the training time for phishing mail. Instead of having every employee spend half an hour doing email security training every few months (that’s 300 hours or 7.5 working weeks every time you do it) you just train the few experts.

In addition to saving time there are significant security benefits to having experts deal with possibly hostile email. Someone who deals with a lot of phishing email is much less likely to be tricked.

Will They Do It?

They probably won’t do it any time soon. I don’t think it’s expensive enough for companies yet. Maybe government agencies already have equivalent measures in place, but for regular corporations it’s probably regarded as too difficult to change anything and the costs aren’t obvious. I have been unsuccessful in suggesting that managers spend slightly more on computer hardware to save significant amounts of worker time for 30 years.

20 November, 2024 05:22AM by etbe