Debian is a trademark of Software in the Public Interest, Inc. This site is operated independently in the spirit of point three of the Debian Social Contract which tells us We will not hide problems.

Feeds

April 16, 2026

hackergotchi for Daniel Pocock

Daniel Pocock

ActBlue former IT boss disappearance: Decklin Foster & Debian, Harvard suicide lab, Chris Gleason is wife, whistleblower or both?

ActBlue is the online fundraising platform used by US Democratic party candidates. It is the subject of a major scandal that has gripped the congress. It has been linked to Debianism, another disappearing developer and in a parody of other Debianism scandals, there are possibly two people using the same name, one being the wife of the missing developer and the other being a US Senate candidate who claims to have exposed the ActBlue scandal.

These Github screenshots confirm that Decklin Foster was affiliated with ActBlue and vanished in 2018:

Decklin Foster, ActBlue, Github, disappearance, director of Information Technology

 

Decklin Foster, ActBlue, Github, disappearance, director of Information Technology

 

Accusations have been made about the concealment of illegal foreign donations and deception of Congress.

Chris Gleason has nominated to represent Florida in the US Senate. Gleason registered using a post office box and created a domain name, voteforgleason.com using an anonymous service in Iceland. Gleason's profile on X/Twitter has no photo while their Facebook profile is completely disabled.

Chris Gleason, Florida, Twitter, X, Senate, Republican

 

Chris Gleason, Florida, Facebook, Senate, Republican

 

A similar web site has been created at https://chris4florida.com/

The phone number on voteforgleason.com and chris4florida.com goes to a pharmacy rather than a campaign office.

Nonetheless, I was able to verify Christopher Gleason submitted a nomination that is registered with the state officials.

Gleason's web site tells us:

Chris Gleason built the forensic tools that exposed ActBlue's billion-dollar money laundering operation. His evidence ...

Therefore, the candidate Gleason is not a pharmacist.

So far, Chris appears to be male, intermittently using the name Christopher and the masculin pronouns like His.

At the height of the Debian suicide cluster, shortly before Adrian von Bidder-Senn died on our wedding day ( detailed report), another Debian Developer, Decklin Foster put all his packages up for adoption.

Up to 2016, we can see that Decklin Foster was listed in the public filings of ActBlue Civics, Inc as either a senior engineer or at one point, as Director of Information Technology.

Decklin Foster, ActBlue, Director of Information Technology, disappearance

 

Decklin Foster, ActBlue, Director of Information Technology, disappearance

 

Decklin Foster's activity on their Github profile stops abruptly in May 2018.

ProPublic shows the last salary payment to Decklin Foster's bank account was in July 2018.

Decklin Foster, ActBlue, Director of Information Technology, disappearance, salary

 

Decklin Foster disappeared at almost the exact same time as Arjen Kamphuis, author of the book on Information Security for Investigative Journalists. I was one of the last people to see Arjen before he vanished. Remarkably, Arjen had even asked me for protection.

On 1 January 2015, Decklin Foster's PGP key was removed because it was only 1024 bits. Most developers had created stronger keys before this mass removal of insecure keys took place.

In 2019, the Debian Account Managers asked the keyring managers to completely remove Decklin Foster from the Debian keyring. There was no Statement on Decklin Foster so far.

Decklin Foster, ActBlue, Director of Information Technology, disappearance, Debian keyring

 

Clicking the links to see the statements about the removal does not work. An error message tells us the messages about Decklin Foster's removal from debianism are all private.

Foster's web site address is https://www.red-bean.com/decklin and it is currently reporting "The requested URL was not found on this server.". Thanks to the Wayback Machine we can find a snapshot from 2019 which reveals an inconvenient truth:

If you’re interested in me, I have started using Google Plus. If you’re interested in my work, I’m on Github. I was a Debian developer for some time, but I’ve mostly given that up. I currently work for ActBlue and live in Cambridge, MA with my wife.

Clicking on "my wife", we find the web site of Chris Gleason at http://cgleason.org/.

Reading Gleason's about page, we find the pronoun "they":

chris gleason is a graphic designer, zine creator, and print maker in chicago, illinois. they love ...

Therefore, the Debian Developer ( What is a Debian Developer?) who was Director of Information Technology for ActBlue was married to a female or transgender Chris Gleason. Is this the same person as the elusive male Chris Gleason who is now running for the US Senate in Florida on claims about corruption at ActBlue? Or is it simply a bizarre coincidence that two people so closely connected with this scandal share the same name?

Remember the case of Francois Thiébaud, the pimp who usurped the reputation of the legendary boss of Tissot SA? They both have the same name too but they are different people.

Francois Thiebaud, Tissot, NBA

 

Francois Thiebaud, Tissot, NBA

 

In 2017, the Trans Women Writers Collective published the book Nameless Woman, written by trans women of colour. In the credits, the trans women thank Decklin Foster.

This anthology was made possible by the generous support of hundreds of people. In particular, we would like to thank Annaya Youkai, Kieran Todd, Sadie Laett-Babcock, Adelaida Shelley, Jaime Peschiera, Kai Cheng Thom, Talon Wilde, David Cope, Alex Meginnis, Decklin Foster, and Eli Nelson for their help.

Here are photos from the respective online profiles of Decklin Foster and Chris Gleason.

Decklin Foster

Decklin Foster, ActBlue

 

Decklin Foster, ActBlue

 

Chris Gleason

Chris Gleason, ActBlue

 

Chris Gleason, Florida, Senate, Republican, ActBlue, whistleblower

 

They don't look too similar but who knows. Anything is possible in America today.

In 2017, Bitch Magazine included Decklin Foster in a list of donors.

In 1999, at the time Decklin Foster was recruited by Debianism, they had a home page at http://members.home.com/decklin/.

Shortly after, the page moved to http://www.red-bean.com/~decklin/ and that eventually evolved to http://www.red-bean.com/decklin/. The last good capture of the site at the Wayback machine was 11 October 2019. It looks like they disabled the web site after that date.

On 22 July 1999, Raphael Hertzog, known for the Freexian scandals wrote a message asking people to do unpaid work on orphaned packages in the hope that their application to become a Debian Developer would be approved more quickly:

To: debian-devel-announce@lists.debian.org, debian-devel@lists.debian.org, debian-qa@lists.debian.org, debian-mentors@lists.debian.org
Subject: [New maintainer] Working for Debian and becoming a registered Debian developer
From: Raphael Hertzog <rhertzog@hrnet.fr>
Date: Thu, 22 Jul 1999 18:06:26 +0200

[ Large crosspost to start the discussion, please reply to debian-devel
  only. Simply respect the reply-to. ]

Hello everybody,

you may or not be aware that getting a Debian developer is quite long. I
want to propose a solution to facilitate the integration of new
Debian developers.

It's quite simple. In order to fully learn how Debian works, the best
solution is :
- to adopt orphaned packages and correct their bugs
- that your work should be checked by an official developer (I'll call
  it the sponsor).

Of course, as long you're not a registered Debian developers you cannot
upload your packages. The soluton is that the sponsor will upload the
package you'll do. The official maintainer will be
debian-qa@lists.debian.org. After all when you correct bugs on orphaned
packages, you're doing Quality Assurance.

This does also allow you to get new bugs in your mailbox. You just need
to subscribe to debian-qa@lists.debian.org. You would be allowed to
open/close/set the severity/forward the bugs since all debian-qa members
can do it on debian-qa packages.

If the sponsor finds that you've done a good job with the package, he
will explain that to the new maintainer team in the hope that your
application will be processed faster. And when you'll be
official Debian developper, you'll be able to change the Maintainer field
to your name.

I'll propose myself to be a sponsor. We'll need more sponsor ... any
volunteers ? Hopefully several people from debian-qa will accept to be
sponsor like me ...

All the future Debian developers interested should also reply ...

Any input appreciated !

Cheers,
-- 
Hertzog Raphaël >> 0C4CABF1 >> http://prope.insa-lyon.fr/~rhertzog/

Decklin Foster was one of the people recruited by those tactics.

To: debian-devel@lists.debian.org
Cc: debian-mentors@lists.debian.org
Subject: Re: [New maintainer] Working for Debian and becoming a registered Debian developer
From: Decklin Foster <decklin@home.com>
Date: Thu, 22 Jul 1999 13:39:13 -0400

Raphael Hertzog writes:

> Of course, as long you're not a registered Debian developers you cannot
> upload your packages. The soluton is that the sponsor will upload the
> package you'll do. The official maintainer will be
> debian-qa@lists.debian.org. After all when you correct bugs on orphaned
> packages, you're doing Quality Assurance.

Sounds good, I'll subscribe right after I finish writing this. I'm
also trying to work on non-orphaned backages as well (for example
right now i'm fixing a bug in gsfonts-x11.) So keep in mind that you
can always just send patches :)

-- 
Debian GNU/Linux - http://www.debian.org/
The Web is to graphic design as the fax machine is to literature.

Not only was Decklin under the influence of Hertzog, they were also under the influnce of the Red Hat share offer. This email encourages speculation on the IPO:

To: debian-devel@lists.debian.org
Subject: Re: SPAM from Red Hat
From: Decklin Foster <decklin@home.com>
Date: Wed, 21 Jul 1999 09:57:45 -0400

Martin Bialasinski writes:

> is it only me, or did you also get this spam from Red Hat about stock
> options?
> 
> Oh man - the bigger the company, the less clueful people?

On #debian last night, it was suggested that we use our opportunity to
buy some of this stock and sell it when the price goes up. This money
could then be used to fund Debian, buy new hardware, improve our
network connection, etc. Does anyone else think this is a Good
Idea(TM)? I would be willing to donate as much as I reasonably could.

-- 
Debian GNU/Linux - http://www.debian.org/
The Web is to graphic design as the fax machine is to literature.

Of interest to those watching the ActBlue saga, there is an email about hacking and cracking:

To: debian-devel@lists.debian.org
Subject: Re: [New maintainer] Working for Debian and becoming a registered Debian developer
From: Decklin Foster <decklin@home.com>
Date: Thu, 22 Jul 1999 16:37:40 -0400

Carl Mummert writes:

> Hacking is a serious crime

Cracking is a serious crime. Breaking into computer systems without
permission is a serious crime. Violation of privacy and theft of
confidential information is a serious crime.

Now what does this have to do with hacking?

> The fact remains that the debian policy is to discourage new
> developers by making it slow and difficult to get an account.

I have no problem with waiting, and I'd rather not look bad just
because some people keep speaking badly about the new-maintainer team.
We don't need another flamewar here. People have work to do.

-- 
Debian GNU/Linux - http://www.debian.org/
The Web is to graphic design as the fax machine is to literature.

The New Maintainer report tells us they entered the process in the same month, their application manager was Craig Small and they completed the process in July/August 2000. The advocacies and the application manager (AM) report are all missing from the mailing list archives.

They had a page at https://people.debian.org/~decklin/ but that has been inaccessible ever since the peak of the Debian suicide cluster.

They had a blog on another web site. It is captured in the Wayback machine up to 2012. The last snapshot with the index is here: http://blog.rupamsunyata.org/. The last blog post:

I'm the fuel that fires the engine of Failure

So, the Democrats in my very blue state put up a depressing, entitled, out-of-touch candidate for our vacant senate seat and she lost. The only reason I voted for her was because she wasn't a Republican. Supporting someone you don't even slightly like is psychologically draining.

At this point, I would vote for a Democratic party (or a Republican party!) with the exact same fiscal policy as the current Republicans if they actually made a principled, moral stand on equal protection and civil rights, habeas corpus/due process, and reproductive rights. Those don't cost anything[1].

Maybe they should be solved before the stuff that does cost billions of dollars. As it is my choice is weak, almost grudging support for those rights from people who want to hand the economy over to the government, and disgusting, immoral, vehement opposition to them from people who want to hand the economy over to wealthy corporations.

Neither side is doing anything effective to keep us free, or to keep the market free. Each side says or implies that this is a Christian nation, which it explicitly isn't, while failing to do what's right. Sometimes I want to give up and stop voting.

[1] Conversely, of course, it doesn't cost anything to take people's rights away, or prevent them from getting rights in the first place; I think this is why anti-gay-marriage ballot measures have been more successful in the current recession. Some people get their kicks from the suffering of others.

Accessing the blog from 2013 onwards we can see the front page has been replaced with the message:

This blog is not being updated. Old entries are still around, but I'm turning off the front page for now.

From there, we could find a link to Decklin Foster on LiveJournal. Their profile tells us they like #Debian-women. Don't forget the Debian pregnancy cluster.

There is a link to a Twitter/X account for Decklin Foster.

contributors.debian.org tells us that Decklin Foster stopped contributing in February 2011, immediately before the death of Adrian von Bidder-Senn on our wedding day. Chris Gleason is not on the list at all. If Decklin had abandoned Debianism, why did it take eight years to remove them from the keyring? Reading the full history of the Debian Harassment culture, we can see many other co-authors were removed for purely political reasons and blackmail but keys belonging to the people who had abandoned the project and people who died were left in the keyring for years.

To: debian-devel <debian-devel@lists.debian.org>
Subject: RFA: all my packages
From: Decklin Foster <decklin@red-bean.com>
Date: Thu, 10 Feb 2011 17:11:05 -0500
Message-id: <1297375750-sup-7355@gillespie.rupamsunyata.org>

I'm looking for a new maintainer for, well, any of these. My heart is
not in it anymore and most of them have been neglected for a while.
Recently my free time has been taken up by other things (mainly my job)
and I forsee that continuing.

http://qa.debian.org/developer.php?login=decklin%40red-bean.com

python-beautifulsoup and mpd need attention for proposed-updates; I
missed getting them into Squeeze. rxvt-unicode is a total clusterfuck.

If any desktop-type packages remain I will orphan them, as I am only
running Debian on servers now. Apart from that, perhaps with a greatly
reduced load I can still make a tiny contribution to the community. If
not, I will retire.

-- 
things change.
decklin@red-bean.com

Decklin Foster is on a list of former members of Harvard's Center for Depression, Anxiety and Stress Research. They have a photo of him when he was younger. It appears to be the same person as the Github profile.

Various scholarly articles from Harvard experts on depression have thanked Decklin Foster for their contributions in 2008 and 2009. Decklin Foster was collaborating on this world-class depression research at exactly the same time they were part of the debian-private discussions that precipitated the Debian Day Volunteer Suicide in 2010.

Decklin Foster, Harvard, Mclean, Depression, suicide, Diego Pizzagalli

 

The connection to psychiatric research is a really odd coincidence, given that Decklin sent that RFA (resignation) email immediately before the death of Adrian von Bidder-Senn on our wedding day. The death was discussed like a suicide.

Subject: Re: Death of Adrian von Bidder
Date: Fri, 22 Apr 2011 09:39:49 +0200
From: A Mennucc <mennucc1@debian.org>
To: debian-private@lists.debian.org

Il 19/04/2011 18:17, martin f krafft ha scritto:
> Dear Debian colleagues,
>
> I have the sad task to communicate to you the news of the death of
> Adrian von Bidder (avbidder, cmot), who passed away last Sunday,
> most probably of a heart attack.

I had contacted Adrian regarding the Debian umbrella.
So I had also a chance of seeing a picture of him
http://blog.fortytwo.ch/archives/80-Yay!-Debian-Logo!.html
In that picture he seemed quite happy and young.
His death is quite shocking and sad.

a.

Remember, Debianists admitted the group needed a psychiatrist back in 2006, well before most of the deaths.

Around the same time, a petition about suicide prevention was submitted to the Basel city council and it had the name A. von Bidder at the bottom.

Now Decklin Foster himself is missing.

William Lee Irwin III was another Debian Developer who asked for help and then vanished.

There is a Decklin Foster profile on Youtube that hasn't been used for nine years. There are four subscribers. One of the videos has the comment:

Mixed these together on my show (editsradio.org) this week and really liked the result, so here it is on its own, slowed down and a little extended.

Photo taken at the Wilbur Theater in Boston on 2012-07-31.

The last snapshot of editsradio.org is on 6 April 2015. After that, the content is changed to Arabic. From 15 August 2015, it is redirecting to another site, also in Arabic, at http://www.17serialbaran.org.

Decklin Foster

 

In January 2015, Decklin Foster & Chris Gleason are listed as a couple as new members of the Brattle Theatre, Cambridge, Massachusetts.

Later in 2015, a report from the World Science Fiction Society lists Decklin Foster as a new member.

Spokeo has a report about Christina N Gleason-Foster in Chicago, IL with a former address in Cambridge, MA, the same location as Decklin Foster.

Going back to 2013, when the blog vanished, Universal Hub published a report "House of Blues turns down the heat, adds ice water for electronica shows due to Molly scourge". This is not about Molly de Blanc it is about the Molly pills. Decklin Foster drops a comment in the discussion:

This sounds like a bad idea. You really don't want to give huge amounts of water to MDMA users

In a separate report, I explained how Axel Beckert is/was the boyfriend of Martin Ebnoether, a former colleague. In fact, the firm where Martin Ebnoether worked for sixteen years is owned by one of the richest and most outspoken donors to the Republican party. He lives in Florida, just like Jeremy Bicha but he is only three doors down the road from Mar-a-Lago.

There is a LinkedIn profile for Chris Gleason in Pinellas County, in Florida, not far from the Registered Sex Offender who was invited to speak at DebConf25 in Brest, France. Looking at the photo on LinkedIn, is this an older version of Decklin Foster's wife who has transitioned back to being a man or is it a completely different person?

It would be extremely offensive to ask such a question in any other group of people but in the world of Debianism and Zizian phenomena, there are a disproportionate number of people who are living such lifestyles.

Chris Gleason, Pinellas County, Florida, Republican, Senate

 

Let's not forget the example of another Debianism transgender bedmate with at least five identities, that was Pauline / Maria Climent / Pommeret.

The Republican Chris Gleason has a profile on Ballotpedia where they claim to have come from Massachusetts, the same Democrat state where we found Decklin Foster.

Chris Gleason was born in Lowell, Massachusetts. Gleason's career experience includes working as a technology consultant. He served in the U.S. Army National Guard from 1989 to 1999. Gleason earned a bachelor's degree from the University of Massachusetts, Lowell in 1996. Gleason has been affiliated with Caribbean Christian Center for the Deaf, Michigan -Make-A-Wish, Seniors Helping Seniors.

In the recent UK elections, journalists and researchers found various examples of candidates who didn't really exist. At least one political party was accused of making up fake candidates to make their party look bigger and attract more donations.

I have the impression the Chris Gleason in Florida is a different person but I'm not ruling out the possibility it is a fake profile or an alter-ego of Chris Gleason, wife of Decklin.

The ActBlue crisis is real however. Here is a committee report on the US house web site.

The Committee on House Administration, the Committee on the Judiciary, and the Committee on Oversight and Government Reform are charged with ensuring the integrity of American elections. To that end, the Committees are examining allegations that ActBlue, a leading political fundraising organization, allowed bad actors, including foreign actors, to exploit its online platform to make fraudulent political donations.

There is a profile on Mesh that tells us about Gleason's career and finishes with a paragraph about the election fraud claims:

Chris Gleason

CEO at NextMed Holdings, LLC CEO at Translational Analytics and Statistics, LLC

Chris Gleason is a board member at Our Mayberry, a company focused on revolutionizing charitable giving and fundraising.1 He is a lawyer, entrepreneur, and community philanthropist with multiple leadership roles in charities helping children.3 Gleason has also been involved in various business ventures and has held executive positions in different companies.

In addition to his role at Our Mayberry, Gleason has served as a board member for the Goldwater Institute since 2013.5 He was also recently appointed as the president and CEO of Moximed, a medical device company, in June 2024.2

Gleason has a background in sales leadership, having previously worked as VP of sales at Relievant and VP of sales of interventional urology at Teleflex.2 He has also been involved in political activities, receiving income from Election Watch, a Wisconsin-based group, in 2024.4

It's worth noting that Gleason has recently entered the political arena, running for the position of Pinellas County Supervisor of Elections in Florida for the 2024 election.46 His campaign has been controversial, as he has made unsubstantiated claims about election fraud and criticized the incumbent, Julie Marcus.

On 10 April 2026, Miami Independent published a video where they interview Chris Gleason and Jeff Buongiorno about vote rigging allegations. The CIA is mentioned within the first ninety seconds of the video. I stopped watching at that point.

Chris Gleason, Jeff Buongiorno, ActBlue, Florida, Senate, Republican

 

In the case of another Debian Developer, Paul Tagliamonte, he really was working in the White House and the Pentagon. We have a photo to prove it:

Lisa Disbrow, David L. Goldfein, Chris Lynch, Paul Tagliamonte, Debian, USDS, Rebellion

 

Chris Gleason's campaign web site has the title Whistleblower in big letters. This implies he was an insider or he was connected to an insider, in other words, his claim to be a whistleblower encourages us to ask about the bizarre possibility that he really is or was the transgender wife of ActBlue's missing director of information technology, Decklin Foster.

If that was true, did his/her domestic arrangements give them unauthorized access to servers, laptops or cloud accounts for ActBlue? I was very grateful to receive donations of file servers from the Catholic archdiocese of Melbourne.

Take a side-step and have a look at the other Florida connection with the US Republican party. In the report about Senior management and HR email privacy: Martin Ebnoether (venty), Axel Beckert (xtaran) & Debian abuse in Switzerland, I made the observation that Axel Beckert's boyfriend and I both worked at the same company. The owner of that company is one of the top donors of the US Republican party and he lives three doors away from Mar-a-Lago, the home of current US President Donald Trump. Trump himself was elected for the first time on my birthday and I correctly predicted there would be conflict in the Strait of Hormuz.

Martin Ebnoether, venty, Zurich, Interactive Brokers

 

Decklin was using Gists, they also stopped abruptly in 2017.

The Red-Bean.com web site has a list of people associated with their web site and Decklin's name is not on the list.

Whether they are the same Chris Gleason or not, we can say for sure that the Decklin Foster from Debianism is the same Decklin Foster who became Director of Information Technology for disgraced fundraising platform ActBlue Civics, Inc.

Here is one more interesting leak from the debian-private leaked gossip network. It shows us that Decklin Foster was in favor of the practice of dividing the community and humiliating people. It looks like he supported the humiliation of Sven Luther at the very time he was working in the Harvard Medical School's depression research team. Sven's mother was dying at the time this bun fight erupted.

Subject: Expulsion process: Sven Luther
Date: Thu, 01 Mar 2007 00:00:29 +0100
From: Joerg Jaspert <joerg@debian.org>
Organization: Goliath-BBS
To: debian-private@lists.debian.org

...

Now, the list of people who sent something in for the process:

Anthony - Requestor

Supporters, unordered:

srivasta@debian.org
mbanck@debian.org
tbm@cyrius.com
93sam@debian.org
fs@debian.org
jgoerzen@complete.org
fjp@debian.org
dilinger@debian.org
joeyh@debian.org
liw@iki.fi
stappers@stappers.nl
tolimar@debian.org
jeroen@wolffelaar.nl
tfheen@debian.org
micah@riseup.net
decklin@red-bean.com
tb@becket.net
tytso.mit.edu

The conflict between Sven Luther and Frans Pop appears to be a factor in the eventual suicide of Frans Pop. The whole group failed.

Subject: [Very long] Post-partem rant and retrospective
Date: Thu, 31 May 2007 03:56:11 +0200
From: Frans Pop <elendil@planet.nl>
To: debian-private@lists.debian.org


I've decided to write this in a separate mail because I'm afraid this may get long. Quite a bit of this has been written before, but I hope some of you will bear with me.


[snip]


So, what has made me decide to leave the project. It's a combination of just plain emotional stress over the whole Sven Luther issue, frustration with the inability of the project to deal with that and with some other issues, and frustration with the fact that a fair number of members of the project seem to feel that as long as you don't upload packages with trojans, pretty much anything is OK.

and eventually....

Subject: Resignation
Date: Sun, 15 Aug 2010 21:41:18 +0200
From: Frans Pop <elendil@planet.nl>
To: debian-private@lists.debian.org


It's time to say goodbye. I don't want to say too much about it, except that I've been planning this for a long time.


Participating in Debian has been great.

...

To see all the leaked messages from debian-private, including the history of Decklin Foster, please see my crowdfunding campaign video.

16 April, 2026 08:30PM

April 15, 2026

Terrorism or accident? Geelong Corio refinery fire, drone attack rumours in news vacuum

At 11pm local time in eastern Australia, a huge fire broke out at the Viva Energy refinery in Corio, Geelong.

There has been a near-total news vacuum. This may be deliberate or it may be a consequence of cost-cutting that has replaced many journalists with artificial intelligence. The few human journalists who remain in the profession may have already gone to bed when the fire started.

The national broadcaster, the ABC, was quick to include it in their list of breaking news items but without much detail. About three hours after the fire started, it was present on the web site of 9 News but not visible on the web sites of 7 News, Herald Sun or The Age. About five hours after the fire started, the local newspaper Geelong Advertiser included it in their Facebook account.

The story is newsworthy for a number of reasons. Australia previously had eight refineries but six of them were phased out and never replaced. Australia relies on foreign refineries for over eighty percent of fuel. With the Corio refinery out of action, there is only one domestic refinery left. Therefore, it is surprising the news media have been so slow to pick up the story.

The next big reason it is newsworthy is the war in Iran.

None of the news reports have commented on the fact that Richard Marles, the deputy prime minister and the minister for defence is the local member of parliament for the region where the refinery is located.

In the news vacuum, people have been quick to share rumours on social control media. Some people are speculating about the prospect of a drone attack. In Europe last year there were reports about Russian drones launched from cargo ships in international waters and interfering with European airports. Other reports have speculated about cargo ships using their anchors to sabotage pipelines and communications cables on the sea floor. France intercepted and seized a ship connected with Russia.

Another user on social control media has commented that there was a technical incident at the plant earlier in the day and the fire could be nothing more than an accident.

People would be wise not to jump to conclusions. Even if it is a terror attack, it may not be Iran. In recent news reports, Russia announced they had the right to attack any countries who are sending support to Ukraine. The French company Thales manufacturers the BushMaster armored personnel carriers in Bendigo and the government donated some of them to Ukraine. Low cost cardboard drones manufactured in Australia have also been donated to Ukraine.

15 April, 2026 07:30PM

hackergotchi for Dirk Eddelbuettel

Dirk Eddelbuettel

qlcal 0.1.1 on CRAN: Calendar Updates

The nineteenth release of the qlcal package arrivied at CRAN just now, and has already been built for r2u. This version synchronises with QuantLib 1.42 released this week.

qlcal delivers the calendaring parts of QuantLib. It is provided (for the R package) as a set of included files, so the package is self-contained and does not depend on an external QuantLib library (which can be demanding to build). qlcal covers over sixty country / market calendars and can compute holiday lists, its complement (i.e. business day lists) and much more. Examples are in the README at the repository, the package page, and course at the CRAN package page.

This releases updates to the 2025 holidays for China, Singapore, and Taiwan.

The full details from NEWS.Rd follow.

Changes in version 0.1.1 (2026-04-15)

  • Synchronized with QuantLib 1.42 released two days ago

  • Calendar updates for China, Singapore, Taiwan

Courtesy of my CRANberries, there is a diffstat report for this release. See the project page and package documentation for more details, and more examples.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. If you like this or other open-source work I do, you can sponsor me at GitHub. You can also sponsor my Tour de Shore 2026 ride in support of the Maywood Fine Arts Center.

15 April, 2026 01:07PM

April 14, 2026

hackergotchi for Steinar H. Gunderson

Steinar H. Gunderson

Looking for work

It seems my own plans and life's plans diverged this spring, so I am in the market for a new job. So if you're looking for someone with a long track record making your code go brrr really fast, give me a ping (contact information at my homepage). Working from Oslo (on-site or remote), CV available upon request. No AI boosterism or cryptocurrency grifters, please :-)

14 April, 2026 04:44PM

hackergotchi for Dirk Eddelbuettel

Dirk Eddelbuettel

anytime 0.3.13 on CRAN: Mostly Minor Bugfix

A maintenance release 0.3.13 of the anytime package arrived on CRAN today, sticking with the roughly yearly schedule we have now. Binaries for r2u have been built already. The package is fairly feature-complete, and code and functionality remain mature and stable.

anytime is a very focused package aiming to do just one thing really well: to convert anything in integer, numeric, character, factor, ordered, … input format to either POSIXct (when called as anytime) or Date objects (when called as anydate) – and to do so without requiring a format string as well as accomodating different formats in one input vector. See the anytime page, the GitHub repo for a few examples, the nice pdf vignette, and the beautiful documentation site for all documentation.

This release was triggered by a bizarre bug seen on elementary os 8. For “reason” anytime was taking note on startup where it runs, and used a small and simply piece of code reading /etc/os-release when it exists. We assumed sane content, but this particular operating system and releases managed to have a duplicate entry throwing us spanner. So now this code is robust to duplicates, and no longer executed on each startup but “as needed” which is a net improvement. We also switched the vignette to being deployed by the new Rcpp::asis() driver.

The short list of changes follows.

Changes in anytime version 0.3.13 (2026-04-14)

  • Continuous integration has received minor updates

  • The vignette now use the Rcpp::asis() driver, and references have been refreshed

  • Stateful 'where are we running' detection is now more robust, and has been moved from running on each startup to a cached 'as needed' case

Courtesy of my CRANberries, there is also a diffstat report of changes relative to the previous release. The issue tracker tracker off the GitHub repo can be use for questions and comments. More information about the package is at the package page, the GitHub repo, in the vignette, and at the documentation site.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. If you like this or other open-source work I do, you can now sponsor me at GitHub. You can also sponsor my Tour de Shore 2026 ride in support of the Maywood Fine Arts Center.

14 April, 2026 03:07PM

Russell Coker

Furilabs FLX1s Finally Working

I’ve been using the Furilabs FLX1s phone [1] as my daily driver for 6 weeks, it’s a decent phone, not as good as I hoped but good enough to use every day and rely on for phone calls about job interviews etc. I intend to keep using it as my main phone and as a platform to improve phone software in Debian as you really can’t effectively find bugs unless you use the platform for important tasks.

Support Problems

I previously wrote about the phone after I received it without a SIM caddy on the 13th of Jan. I had a saga with support about this, on the 16th of Jan one support person said that they would ship it immediately but didn’t provide a tracking number or any indication of when it would arrive. On the 5th of Feb I contacted support again and asked how long it would be, the new support person seemed to have no record of my previous communication but said that they would send it. On the 17th of Feb I made another support request including asking for a way of direct communication as the support email came from an address that wouldn’t accept replies, I was asked for a photo showing where the problem is. The support person also said that they might have to send a replacement phone!

The last support request I sent included my disappointment at the time taken to resolve the issue and the proposed solution of replacing the entire phone (why have two international shipments of a fragile and expensive phone when a single letter with a cheap SIM caddy would do?). I didn’t receive a reply but the SIM caddy arrived on the 2nd of Mar. Here is a pic of the SIM caddy and the package it came in:

One thing that should be noted is that some of the support people seemed to be very good at their jobs and they were all friendly. It was the system that failed here, turning a minor issue of a missing part into a 6 week saga.

Furilabs needs to do the following to address this issue:

  1. Make it possible to reply directly to a message from a support person. Accept email with a custom subject to sort it, give a URL for a web form, anything. Collating discussions with a customer allows giving better support while taking less time for the support people.
  2. Have someone monitor every social media address that is used by the company. When someone sends a support request in a public Mastodon post it indicates that something has gone wrong and you want to move quickly to resolve it.
  3. Take care of the little things, like sending a tracking number for every parcel. If it’s something too small for a parcel (the SIM caddy could have fit in a regular letter) then just tell the customer what date it was posted and where it was posted from so they have some idea of when it will arrive.

This is not just a single failure of Furilabs support, it’s a systemic failure of their processes.

Problems I Will Fix – Unless Someone Beats Me to it

Here are some issues I plan to work on.

Smart Watch Support

I need to port one of the smart watch programs to Debian. Also I want to make one of them support the Colmi P80 [2].

A smart watch significantly increases the utility of a phone even though IMHO they aren’t doing nearly all the things that they could and should do. When we get Debian programs talking to the PineTime it will make a good platform for development of new smart phone and OS features.

Nextcloud

I have ongoing issues of my text Nextcloud installation on a Debian VM not allowing connection from the Linux desktop app (as packaged in Debian) and from the Android client (from f-droid). The desktop client works with a friend’s Nextcloud installation on Ubuntu so I may try running it on an Ubuntu VM I run while waiting for the Debian issue to get resolved. There was a bug recently fixed in Nextcloud that appears related so maybe the next release will fix it.

For the moment I’ve been running without these features and I call and SMS people from knowing their number or just returning calls. Phone calls generally aren’t very useful for me nowadays except when applying for jobs. If I could deal with recruiters and hiring managers via video calls then I would consider just not having a phone number.

Wifi IPv6

Periodically IPv6 support just stops working, I can’t ping the gateway. I turn wifi off and on again and it works. This might be an issue with my wifi network configuration. This might be an issue with the way I have configured my IPv6 networking, although that problem doesn’t happen with any of my laptops.

Chatty Sorting

Chatty is the program for SMS that is installed by default (part of the phosh/phoc setup), it also does Jabber. Version 0.8.7 is installed which apparently has some Furios modifications and it doesn’t properly support sorting SMS/Jabber conversations. Version 0.8.9 from Debian sorts in the same way as most SMS and Jabber programs with the most recent at the top. But the Debian version doesn’t support Jabber (only SMS and Matrix). When I went back to the Furilabs version of Chatty it still sorted for a while but then suddenly stopped. Killing Chatty (not just closing the window and reopening it) seems to make it sort the conversations sometimes.

Problems for Others to Fix

Here are the current issues I have starting with the most important.

Important

The following issues seriously reduce the usability of the device.

Hotspot

The Wifi hotspot functionality wasn’t working for a few weeks, this Gitlab issue seems to match it [3]. It started working correctly for a day and I was not sure if an update I applied fixed the bug or if it’s some sort of race condition that worked for this boot and will return next time I reboot it. Later on I rebooted it and found that it’s somewhat random whether it works or now.

Also while it is mostly working it seemed to stop working about every 25 minutes or so and I had to turn it off and on again to get it going.

On another day it went to a stage where it got repeated packet loss when I pinged the phone as a hotspot from my laptop. A pattern of 3 ping responses and 3 “Destination Host Unreachable” messages was often repeated.

I don’t know if this is related to the way Android software is run in a container to access the hardware.

4G Reliability

Sometimes 4G connectivity has just stopped, sometimes I can stop and restart the 4G data through software to fix it and sometimes I need to use the hardware switch. I haven’t noticed this for a week or two so there is a possibility that one fix addressed both Hotspot and 4G.

One thing that I will do is setup monitoring to give an alert on the phone if it can’t connect to the Internet. I don’t want it to just quietly stop doing networking stuff and not tell me!

On-screen Keyboard

The compatibility issues of the GNOME and KDE on-screen keyboards are getting me. I use phosh/phoc as the login environment as I want to stick to defaults at first to not make things any more difficult than they need to be. When I use programs that use QT such as Nheko the keyboard doesn’t always appear when it should and it forgets the setting for “word completion” (which means spelling correction).

The spelling correction system doesn’t suggest replacing “dont” with “don’t” which is really annoying as a major advantage for spelling checkers on touch screens is inserting an apostrophy. An apostrophy takes at least 3* longer than a regular character and saving that delay makes a difference to typing speed.

The spelling correction doesn’t correct two words run together.

Medium Priority

These issues are ongoing annoyances.

Delay on Power Button

In the best case scenario this phone has a much slower response to pressing the power button than the Android phones I tested (Huawei Mate 10 Pro and Samsung Galaxy Note 9) and a much slower response than my recollection of the vast majority of Android phones I’ve ever used. For testing pressing buttons on the phones simultaneously resulted in the Android phone screens lighting up much sooner. Something like 200ms vs 600ms – I don’t have a good setup to time these things but it’s very obvious when I test.

In a less common case scenario (the phone having been unused for some time) the response can be something like 5 seconds. The worst case scenario is something in excess of 20 seconds.

For UI designers, if you get multiple press events from a button that can turn the screen on/off please make your UI leave the screen on and ignore all the stacked events. Having the screen start turning on and off repeatedly when the phone recovers and processes all the button presses isn’t good, especially when each screen flash takes half a second.

Notifications

Touching on a notification for a program often doesn’t bring it to the foreground. I haven’t yet found a connection between when it does and when it doesn’t.

Also the lack of icons in the top bar on the screen to indicate notifications is annoying, but that seems to be an issue of design not the implementation.

Charge Delay

When I connect the phone to a power source there is a delay of about 22 seconds before it starts to charge. Having it miss 22 seconds of charge time is no big deal, having to wait 22 seconds to be sure it’s charging before leaving it is really annoying. Also the phone makes an audible alert when it gets to 0% charge which woke me up one night when I had failed to push the USB-C connector in hard enough. This phone requires a slightly deeper connector than most phones so with some plugs it’s easy to not quite insert them far enough.

Torch aka Flash

The light for the “torch” or flash for camera is not bright at all. In a quick test staring into the light from 40cm away wasn’t unpleasant compared to my Huawei Mate 10 Pro which has a light bright enough that it hurts to look at it from 4 meters away.

Because of this photos at night are not viable, not even when photographing something that’s less than a meter away.

The torch has a brightness setting which doesn’t seem to change the brightness, so it seems likely that this is a software issue and the brightness is set at a low level and the software isn’t changing it.

Audio

When I connect to my car the Lollypop player starts playing before the phone directs audio to the car, so the music starts coming from the phone for about a second. This is an annoying cosmetic error. Sometimes audio playing pauses for no apparent reason.

It doesn’t support the phone profile with Bluetooth so phone calls can’t go through the car audio system. Also it doesn’t always connect to my car when I start driving, sometimes I need to disable and enable Bluetooth to make it connect.

When I initially set the phone up Lollypop would send the track name when playing music through my car (Nissan LEAF) Bluetooth connection, after an update that often doesn’t happen so the car doesn’t display the track name or whether the music is playing but the pause icon works to pause and resume music (sometimes it does work).

About 30 seconds into a phone call it switches to hands-free mode while the icon to indicate hands-free is not highlighted, so I have to press the hands-free button twice to get it back to normal phone mode.

Low Priority

I could live with these things remaining as-is but it’s annoying.

Ticket Mode

There is apparently some code written to display tickets on screen without unlocking. I want to get this working and store screen-caps of the Android barcode screens of the different loyalty cards so I can scan them without unlocking. My threat model does not include someone trying to steal my phone to get a free loaf of bread on the bakery loyalty program.

Camera

The camera app works with both the back and front cameras, which is nice, and sadly based on my experience with other Debian phones it’s noteworthy. The problem is that it takes a long time to take a photo, something like a second after the button is pressed – long enough for you to think that it just silently took a photo and then move the phone.

The UI of the furios-camera app is also a little annoying, when viewing photos there is an icon at the bottom left of the screen for a video camera and an icon at the bottom right with a cross. Which every time makes me think “record videos” and “leave this screen” not “return to taking photos” and “delete current photo”. I can get used to the surprising icons, but being so slow is a real problem.

GUI App Installation

The program for managing software doesn’t work very well. It said that there were two updates for Mesa package needed, but didn’t seem to want to install them. I ran “flatpak update” as root to fix that. The process of selecting software defaults to including non-free, and most of the available apps are for desktop/laptop with no way to search for phone/tablet apps.

Generally I think it’s best to just avoid this and use apt and flatpak directly from the command-line. Being able to ssh to my phone from a desktop or laptop is good!

Android Emulation

The file /home/furios/.local/share/andromeda/data/system/uiderrors.txt is created by the Andromeda system which runs Android apps in a LXC container and appears to grow without end. After using the phone for a month it was 3.5G in size. The disk space usage isn’t directly a problem, out of the 110G storage space only 17G is used and I don’t have a need to put much else on it, even if I wanted to put backups of /home from my laptop on it when travelling that would still leave plenty of free space. But that sort of thing is a problem for backing up the phone and wasting 3.5G out of 110G total is a fairly significant step towards breaking the entire system.

Also having lots of logging messages from a subsystem that isn’t even being used is a bad sign.

I just tried using it and it doesn’t start from either the settings menu or from the f-droid icon. Android isn’t that important to me as I want to get away from the proprietary app space so I won’t bother trying this any more.

Unfixable Problems

Unlocking

After getting used to fingerprint unlocking going back to a password is a pain. I think that the hardware isn’t sufficient for modern quality face recognition that can’t be fooled by a photo and there isn’t fingerprint hardware.

When I first used an Android phone using a pin to unlock didn’t seem like a big deal, but after getting used to fingerprint unlock it’s a real drag to go without. This is a real annoyance when doing things like checking Wikipedia while watching TV.

This phone would be significantly improved with a fingerprint sensor or a camera that worked well enough for face unlock.

Plasma Mobile

According to Reddit Plasma Mobile (KDE for phones) doesn’t support Halium and can never work on this phone because of it [4]. This is one of a number of potential issues with the phone, running on hardware that was never designed for open OSs is always going to have issues.

Wifi MAC Address

The MAC keeps changing on reboot so I can’t assign a permanent IPv4 address to the phone. It appears from the MAC prefix of 00:08:22 that the network hardware is made in InPro Comm which is well known for using random addresses in the products it OEMs. They apparently have one allocation of 2^24 addresses and each device randomly chooses a MAC from that range on boot.

In the settings for a Wifi connection the “Identity” tab has a field named “Cloned Address” which can be set to “Stable for SSID” that prevents it from changing and allows a static IP address allocation from DHCP. It’s not ideal but it works.

Network Manager can be configured to have a permanent assigned MAC address for all connections or for just some connections. In the past for such things I have copied MAC addresses from ethernet devices that were being discarded and used them for such things. For the moment the “Stable for SSID” setting does what I need but I will consider setting a permanent address at some future time.

Docks

Having the ability to connect to a dock is really handy. The PinePhonePro and Librem5 support it and on the proprietary side a lot of Samsung devices do it with a special desktop GUI named Dex and some Huawei devices also have a desktop version of the GUI. It’s unfortunate that this phone can’t do it.

The Good Things

It’s good to be able to ssh in to my phone, even if the on-screen keyboard worked as well as the Android ones it would still be a major pain to use when compared to a real keyboard. The phone doesn’t support connecting to a dock (unlike Samsung phones I’ve used for which I found Dex to be very useful with a 4K monitor and proper keyboard) so ssh is the best way to access it.

This phone has very reliable connections to my home wifi. I’ve had ssh sessions from my desktop to my phone that have remained open for multiple days. I don’t really need this, I’ve just forgotten to logout and noticed days later that the connection is still running. None of the other phones running Debian could do that.

Running the same OS on desktop and phone makes things easier to test and debug.

Having support for all the things that Linux distributions support is good. For example none of the Android music players support all the encodings of audio that comes from YouTube so to play all of my music collection on Android I would need to transcode most of them which means either losing quality, wasting storage space, or both. While Lollypop plays FLAC0, mp3, m4a, mka, webm, ogg, and more.

Conclusion

This is a step towards where I want to go but it’s far from the end goal.

The PinePhonePro and Librem5 are more open hardware platforms which have some significant benefits. But the battery life issues make them unusable for me.

Running Mobian on a OnePlus 6 or Droidian on a Note 9 works well for the small tablet features but without VoLTE. While the telcos have blocked phones without VoLTE data devices still work so if recruiters etc would stop requiring phone calls then I could make one of them an option.

The phone works well enough that it could potentially be used by one of my older relatives. If I could ssh in to my parents phones when they mess things up that would be convenient.

I’ve run this phone as my daily driver since the 3rd of March and it has worked reasonably well. 6 weeks compared to my previous use of the PinePhonePro for 3 days. This is the first time in 15 years that a non-Android phone has worked for me personally. I have briefly used an iPhone 7 for work which basically did what it needed to do, it was at the bottom of the pile of unused phones at work and I didn’t want to take a newer iPhone that could be used by someone who’s doing more than the occasional SMS or Slack message.

So this is better than it might have been, not as good as I hoped, but a decent platform to use it while developing for it.

Related posts:

  1. Furilabs FLX1s The Aim I have just got a Furilabs FLX1s [1]...
  2. My Ideal Mobile Phone Based on my experience testing the IBM Seer software on...
  3. OnePlus 6 Debian I recently got a OnePlus 6 for the purpose of...

14 April, 2026 09:31AM by etbe

April 12, 2026

hackergotchi for Dirk Eddelbuettel

Dirk Eddelbuettel

littler 0.3.23 on CRAN: Mostly Internal Fixes

max-heap image

The twentyfourth release of littler as a CRAN package landed on CRAN just now, following in the now twenty-one year history (!!) as a (initially non-CRAN) package started by Jeff in 2006, and joined by me a few weeks later.

littler is the first command-line interface for R as it predates Rscript. It allows for piping as well for shebang scripting via #!, uses command-line arguments more consistently and still starts faster. It also always loaded the methods package which Rscript only began to do in later years.

littler lives on Linux and Unix, has its difficulties on macOS due to some-braindeadedness there (who ever thought case-insensitive filesystems as a default were a good idea?) and simply does not exist on Windows (yet – the build system could be extended – see RInside for an existence proof, and volunteers are welcome!). See the FAQ vignette on how to add it to your PATH. A few examples are highlighted at the Github repo:, as well as in the examples vignette.

This release, which comes just two months after the previous 0.3.22 release that brought a few new features, is mostly internal. (The previous release erroneously had 0.3.23 in its blog and social media posts, it really was 0.3.22 and this one now is is 0.3.23.) Mattias Ellert address a nag (when building for a distribution) about one example file with a shebang not have excutable modes. I accommodated the ever-changing interface the C API of R (within about twelve hours of being notified). A few other smaller changes were made as well polishing a script or two or usual, see below for more.

The full change description follows.

Changes in littler version 0.3.23 (2026-04-12)

  • Changes in examples scripts

    • Correct spelling in installGithub.r to lower-case h

    • The r2u.r now recognises ‘resolute’ aka 26.06

    • installRub.r can install (more easily) from r-multiverse

    • A file permission was corrected (Mattias Ellert in #131)

  • Changes in package

    • Update script count and examples in README.md

    • Continuous intgegration scripts received minor updates

    • The C level access to the R API was updated to reflect most recent standards (Dirk in #132)

My CRANberries service provides a comparison to the previous release. Full details for the littler release are provided as usual at the ChangeLog page, and also on the package docs website. The code is available via the GitHub repo, from tarballs and now of course also from its CRAN page and via install.packages("littler"). Binary packages are available directly in Debian as well as (in a day or two) Ubuntu binaries at CRAN thanks to the tireless Michael Rutter. Comments and suggestions are welcome at the GitHub repo.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. If you like this or other open-source work I do, you can sponsor me at GitHub. You can also sponsor my Tour de Shore 2026 ride in support of the Maywood Fine Arts Center.

12 April, 2026 02:47PM

hackergotchi for Colin Watson

Colin Watson

Free software activity in March 2026

My Debian contributions this month were all sponsored by Freexian.

You can also support my work directly via Liberapay or GitHub Sponsors.

OpenSSH

I fixed CVE-2026-3497 in unstable, thanks to a fix in Ubuntu by Marc Deslauriers. Relatedly, I applied an Ubuntu patch by Athos Ribeiro to not default to weak GSS-API exchange algorithms.

I’m looking forward to being able to split out GSS-API key exchange support in OpenSSH once Ubuntu 26.04 LTS has been released! This stuff will still be my problem, but at least it won’t be in packages that nearly everyone has installed.

Python packaging

New upstream versions:

  • dill
  • django-modeltranslation
  • isort
  • langtable
  • pathos
  • pendulum
  • pox
  • ppft
  • pydantic-extra-types
  • pytango
  • python-asyncssh
  • python-datamodel-code-generator
  • python-evalidate
  • python-packaging (including fixes for python-hatch-requirements-txt and python-pyproject-examples)
  • python-zxcvbn-rs-py
  • rpds-py
  • smart-open
  • trove-classifiers

I packaged pybind11-stubgen, needed for new upstream versions of pytango. Tests of reproducible builds revealed that it didn’t generate imports in a stable order; I contributed a fix for that upstream.

I worked with the security team to release DSA-6161-1 in multipart, fixing CVE-2026-28356 (upstream discussion). (Most of the work for this was in February, but the vulnerability was still embargoed when I published my last monthly update.)

In trixie-backports, I updated pytest-django to 4.12.0.

I fixed a number of packages to support building with pyo3 0.28:

Other build/test failures:

Rust packaging

New upstream versions:

  • rust-rpds

Other bits and pieces

I upgraded tango to 10.1.2, and yubihsm-shell to 2.7.2.

Code reviews

12 April, 2026 10:13AM by Colin Watson

Russ Allbery

Review: The Teller of Small Fortunes

Review: The Teller of Small Fortunes, by Julie Leong

Publisher: Ace
Copyright: November 2024
ISBN: 0-593-81590-4
Format: Kindle
Pages: 324

The Teller of Small Fortunes is a cozy found-family fantasy with a roughly medieval setting. It was Julie Leong's first novel.

Tao is a traveling teller of small fortunes. In her wagon, pulled by her friendly mule Laohu, she wanders the small villages of Eshtera and reads the trivial fortunes of villagers in the tea leaves. An upcoming injury, a lost ring, a future kiss, a small business deal... she looks around the large lines of fate and finds the small threads. After a few days, she moves on, making her solitary way to another village.

Tao is not originally from Eshtera. She is Shinn, which means she encounters a bit of suspicion and hostility mixed with the fascination of the exotic. (Language and culture clues lead me to think Shinara is intended to be this world's not-China, but it's not a direct mapping.) Tao uses the fascination to help her business; fortune telling is more believable from someone who seems exotic. The hostility she's learned to deflect and ignore. In the worst case, there's always another village.

If you've read any cozy found-family novels, you know roughly what happens next. Tao encounters people on the road and, for various reasons, they decide to travel together. The first two are a massive mercenary (Mash) and a semi-reformed thief (Silt), who join Tao somewhat awkwardly after Tao gives Mash a fortune that is far more significant than she intended. One town later, they pick up an apprentice baker best known for her misshapen pastries. They also collect a stray cat, because of course they do. It's that sort of book.

For me, this sort of novel lives or dies by the characters, so it's good news that I liked Tao and enjoyed spending time with her. She's quiet, resilient, competent, and self-contained, with a difficult past and some mysteries and emotions the others can draw over time. She's also thoughtful and introspective, which means the tight third-person narration that almost always stays on Tao offers emotional growth to mull over. I also liked Kina (the baker) and Mash; they're a bit more obvious and straightforward, but Kina adds irrepressible energy and Mash is a good example of the sometimes-gruff soldier with a soft heart. Silt was a bit more annoying and I never entirely warmed to him, but he's tolerable and does get a bit of much-needed (if superficial) character development.

It takes some time for the reader to learn about the primary conflict of the story (Tao does not give up her secrets quickly), so I won't spoil it, but I thought it worked well. I was momentarily afraid the story would develop a clear villain, but Leong has some satisfying alternate surprises in store. The ending was well-done, although it is very happily-ever-after in a way that may strike some readers as too neat. The Teller of Small Fortunes aims for a quiet and relaxed mood rather than forcing character development through difficult choices; it's a fine aim for a novel, but it won't match everyone's mood.

I liked the world-building, although expect small and somewhat disconnected details rather than an overarching theory of magic. Tao's ability gets the most elaboration, for obvious reasons, and I liked how Leong describes it and explores its consequences. Most of the attention in the setting is on the friction, wistfulness, and small reminders of coming from a different culture than everyone around you, but so long ago that you are not fully a part of either world. This, I thought, was very well-done and is one of the places where the story is comfortable with complex feelings and doesn't try to reach a simplifying conclusion.

There is one bit of the story that felt like it was taken directly out of a Dungeons & Dragons campaign to a degree that felt jarring, but that was the only odd world-building note.

This book felt like a warm cup of tea intended to comfort and relax, without large or complex thoughts about the world. It's not intended to be challenging; there are a few plot twists I didn't anticipate, but nothing that dramatic, and I doubt anyone will be surprised by the conclusions it reaches. It's a pleasant time with some nice people and just enough tension and mystery to add some motivation to find out what happens next. If that's what you're in the mood for, recommended. If you want a book that has Things To Say or will put you on the edge of your seat, maybe save this one for another mood.

All the on-line sources I found for this book call it a standalone, but The Keeper of Magical Things is set in the same world, so I would call it a loose series with different protagonists. The Teller of Small Fortunes is a complete story in one book, though.

Rating: 7 out of 10

12 April, 2026 02:53AM

April 10, 2026

Reproducible Builds

Reproducible Builds in March 2026

Welcome to the March 2026 report from the Reproducible Builds project!

These reports outline what we’ve been up to over the past month, highlighting items of news from elsewhere in the increasingly-important area of software supply-chain security. As ever, if you are interested in contributing to the Reproducible Builds project, please see the Contribute page on our website.

  1. Linux kernel hash-based integrity checking proposed
  2. Distribution work
  3. Tool development
  4. Upstream patches
  5. Documentation updates
  6. Two new academic papers
  7. Misc news

Linux kernel hash-based integrity checking proposed

Eric Biggers posted to the Linux Kernel Mailing List in response to a patch series posted by Thomas Weißschuh to introduce a calculated hash-based system of integrity checking to complement the existing signature-based approach. Thomas’ original post mentions:

The current signature-based module integrity checking has some drawbacks in combination with reproducible builds. Either the module signing key is generated at build time, which makes the build unreproducible, or a static signing key is used, which precludes rebuilds by third parties and makes the whole build and packaging process much more complicated.

However, Eric’s followup message goes further:

I think this actually undersells the feature. It’s also much simpler than the signature-based module authentication. The latter relies on PKCS#7, X.509, ASN.1, OID registry, crypto_sig API, etc in addition to the implementations of the actual signature algorithm (RSA / ECDSA / ML-DSA) and at least one hash algorithm.


Distribution work

In Debian this month,

  • Lucas Nussbaum announced Debaudit, a “new service to verify the reproducibility of Debian source packages”:

    debaudit complements the work of the Reproducible Builds project. While reproduce.debian.net focuses on ensuring that binary packages can be bit-for-bit reproduced from their source packages, debaudit focuses on the preceding step: ensuring that the source package itself is a faithful and reproducible representation of its upstream source or Vcs-Git repository.

  • kpcyrd filed a bug against the librust-const-random-dev package reporting that the compile-time-rng feature of the ahash crate uses the const-random crate in turn, which uses a macro to read/generate a random number generator during the build. This issue was also filed upstream.

  • 60 reviews of Debian packages were added, 4 were updated and 16 were removed this month adding to our knowledge about identified issues. One new issue types was added, pkgjs_lock_json_file_issue.

Lastly, Bernhard M. Wiedemann posted another openSUSE monthly update for their work there.


Tool development

diffoscope is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues. This month, Chris Lamb made a number of changes, including preparing and uploading versions, 314 and 315 to Debian.

  • Chris Lamb:

    • Don’t run test_code_is_black_clean test in the autopkgtests. (#1130402). []
    • Add some debugging info for PyPI debugging. []

  • Jelle van der Waa:

    • Fix compatibility with LLVM version 22. []
    • Adjust the PGP file detection regular expression. []

  • Michael R. Crusoe:

    • Reformat the source code using Black version 26.1.0 [][]

In addition, Vagrant Cascadian updated diffoscope in GNU Guix to version 315.


rebuilderd, our server designed monitor the official package repositories of Linux distributions and attempt to reproduce the observed results there; it powers, amongst other things, reproduce.debian.net.

A new version, 0.26.0, was released this month, with the following improvements:

  • Much smoother onboarding/installation.
  • Complete database redesign with many improvements.
  • New REST HTTP API.
  • It’s now possible to artificially delay the first reproduce attempt. This gives archive infrastructure more time to catch up.
  • And many, many other changes.


Upstream patches

The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:


Documentation updates

Once again, there were a number of improvements made to our website this month including:

  • kpcyrd:

  • Robin Candau:

    • Add link to the diffoci Arch Linux package on the Tools page. []

  • Timo Pohl:


Two new academic papers

Marc Ohm, Timo Pohl, Ben Swierzy and Michael Meier published a paper on the threat of cache poisoning in the Python ecosystem:

Attacks on software supply chains are on the rise, and attackers are becoming increasingly creative in how they inject malicious code into software components. This paper is the first to investigate Python cache poisoning, which manipulates bytecode cache files to execute malicious code without altering the human-readable source code. We demonstrate a proof of concept, showing that an attacker can inject malicious bytecode into a cache file without failing the Python interpreter’s integrity checks. In a large-scale analysis of the Python Package Index, we find that about 12,500 packages are distributed with cache files. Through manual investigation of cache files that cannot be reproduced automatically from the corresponding source files, we identify classes of reasons for irreproducibility to locate malicious cache files. While we did not identify any malware leveraging this attack vector, we demonstrate that several widespread package managers are vulnerable to such attacks.

A PDF of the paper is available online.


Mario Lins of the University of Linz, Austria, has published their PhD doctoral thesis on the topic of Software supply chain transparency:

We begin by examining threats to the software distribution stage — the point at which artifacts (e.g., mobile apps) are delivered to end users — with an emphasis on mobile ecosystems [and] we next focus on the operating system on mobile devices, with an emphasis on mitigating bootloader-targeted attacks. We demonstrate how to compensate lost security guarantees on devices with an unlocked bootloader. This allows users to flash custom operating systems on devices that no longer receive security updates from the original manufacturer without compromising security. We then move to the source code stage. [Also,] we introduce a new architecture to ensure strong source-to-binary correspondence by leveraging the security guarantees of Confidential Computing technology. Finally, we present The Supply Chain Game, an organizational security approach that enhances standard risk-management methods. We demonstrate how game-theoretic techniques, combined with common risk management practices, can derive new criteria to better support decision makers.

A PDF of the paper is available online.


Misc news

On our mailing list this month:

  • Holger Levsen announced that this year’s Reproducible Builds summit will almost certainly be held in Gothenburg, Sweden, from September 22 until 24, followed by two days of hacking. However, these dates are preliminary and not 100% final — an official announcement is forthcoming.

  • Mark Wielaard posted to our list asking a question on the difference between debugedit and relative debug paths based on a comment on the Build path page: “Have people tried more modern versions of debugedit to get deterministic (absolute) DWARF paths and found issues with it?



Finally, if you are interested in contributing to the Reproducible Builds project, please visit our Contribute page on our website. However, you can get in touch with us via:

10 April, 2026 04:13PM

Jamie McClelland

AI Hacking the Planet

A colleague asked me if we should move all our money to our pillow cases after reading the latest AI editorial from Thomas Friedman. The article reads like a press release from Anthropic, repeating the claim that their latest AI model is so good at finding software vulnerabilities that it is a danger to the world.

I think I now know what it’s like to be a doctor who is forced to watch Gray’s Anatomy.

By now every journalist should be able to recognize the AI publicity playbook:

Step 1: Start with a wildly unsubstantiated claim about how dangerous your product is:

AI will cause human extinction before we have a chance to colonize mars (remember that one? Even Kim Stanley Robinson, author of perhaps the most compelling science fiction on colonizing mars calls bull shit on it).

AI will eliminate all of our jobs (this one was extremely effective at providing cover for software companies laying off staff but it has quickly dawned on people that the companies that did this are living in chaos not humming along happily with functional robots)

AI will discover massive software vulnerabilities allowing bad actors to “hack pretty much every major software system in the world”. (Did Friedman pull that directly from Anthropic’s press release or was that his contribution?)

Step 2: To help stave off human collapse, only release the new version to a vetted group of software companies and developers, preferably ones with big social media followings

Step 3: Wait for the limited release developers to spew unbridled enthusiasm and shocking examples that seem to suggest this new AI produce is truly unbelievable

Step 4: Watch stock prices and valuations soar

Step 5: Release to the world, and experience a steady stream of mockery as people discover how wrong you are

Step 6: Start over

Even if Friedman missed the text book example of the playbook, I have to ask: if you think bad actors compromising software resulting in massive loss of private data, major outages and wasted resources needs to be reported on, then where have you been for the last 10 years? This literally happens on a daily basis due to the fundamentally flawed way capitalism has been writing software even before the invention of AI. A small part of me wonders - maybe AI writing software is not so bad, because how could it be any worse than it is now?

Also, let’s keep in mind that AI’s super ability at finding vulnerable software depends on having access to the software’s source code, which most companies keep locked up tight. That means the owners of the software can use AI to find vulnerabilities and fix them but bad actors can’t.

Oh, but wait, what if a company is so incompetent that they accidentally release their proprietary software to the Internet?

Surely that would allow AI bots to discover their vulnerabilities and destroy the company right? I’m not sure if anyone has discovered world ending vulnerabilities in Anthropic’s Claude code since it was accidentally released, but it is fun to watch people mock software that is clearly written by AI (and spoiler alert, it seems way worse that software written now).

Well… we probably should all be keeping our money in a pillow case anyway.

10 April, 2026 12:27PM

April 09, 2026

Russell Coker

HP Z640 and E5-2696 v4

I recently decided to upgrade the CPU in my workstation, the E5-2696 v3 CPU was OK (passmark 2045 for single thread and 21,380 for multi thread) [1] but I felt like buying something better so I got a E5-2696 v4 (passmark 2115 and 24,643) [2]. I chose the E5-2696 v4 because I was looking for a E5-2699 v4 and found an ebay seller who had them at $140 but was offering the E5-2696 v4 for $99 and the passmark results for the two CPUs are almost identical.

After buying the CPU and waiting for it to be delivered I realised that the Z640 doesn’t include it in the list of supported CPUs and that the maximum TDP of any supported CPU is 145W while according to passmark it has a TDP of 150W. I looked for information about it on Intel ARK (the official site for specs of Intel CPUs) and discovered that “The Intel® Xeon® Processor E5-2696 v4 is designed to be used by system manufacturers (OEMs), and this means they can modify its specifications depending on the system where it will be implemented” and “The processor does not have an ARK page for this reason, since it has no standard specification from Intel, so depending on the original system, it is necessary to contact that system manufacturer for information” [3]. That’s the official response from an Intel employee saying that there are no standard specs for that CPU!!!

Somehow I had used a E5-2696 v3 for 3 years without realising that the same lack of support and specs applies to it [4]!

I installed the new CPU in another Z640 which had a E5-1620 v3 CPU and it worked. I was a little surprised to discover that the hole in the corner is in the bottom right (according to the alignment of the printed text on the top) for all my E5-26xx CPUs while it’s in the top left on the E5-1620 v3. Google searches for things like “e5-2600 e5-1600 difference” and “e5-2600 e5-1600 difference hole in corner” didn’t turn up any useful information. The best information I found was from the Linus Tech Tips forum which says that the hole is to allow gasses to escape when the CPU package is glued together [5] which implies (but doesn’t state) that the location of the hole has no meaning. I had previously thought that the hole was to indicate the location of “pin 1” and was surprised when the new CPU had the hole in the opposite corner. Hopefully in future when people have such concerns they can find this post and not be worried that they are about to destroy their CPU, PC, or both when upgrading the CPU.

The previous Z640 was one I bought from Facebook marketplace for $50 in “unknown condition” in the expectation that I would get at least $50 of parts but it worked perfectly apart from one DIMM socket. The Z640 I’m using now is one I bought from Facebook marketplace for $200 and it’s working perfectly with 4 DIMMs, 128G of RAM, and the E5-2696 v4 CPU. $300 for a workstation with ECC RAM and a 22 core CPU is good value for money!

There are some accounts of the E5-2696 v4 not working on white-box motherboards including a claim that when it was selling for $4000US someone’s motherboard destroyed one. The best plan for such CPUs is to google for someone who’s already got it working in the same machine, which means a name-brand server. That doesn’t guarantee that it will work (Intel refuses to supply specs and states that different items may work differently) but greatly improves the probability.

This system has the HP BIOS version 2.61, note that the Linux fwupd package doesn’t seem to update the BIOS on HP workstations so you need to manually download it and install it. There is a possibility that a Z640 with an older BIOS won’t work with this CPU.

Here is the previous post in my Z640 saga [6].

Related posts:

  1. More About the HP ML110 Gen9 and z640 In May 2021 I bought a ML110 Gen9 to use...
  2. HP z840 Many PCs with DDR4 RAM have started going cheap on...
  3. T320 iDRAC Failure and new HP Z640 The Dell T320 Almost 2 years ago I made a...

09 April, 2026 11:33PM by etbe

April 08, 2026

hackergotchi for Jonathan Dowland

Jonathan Dowland

nvim-µwiki

In January 2025, as a pre-requisite for something else, I published a minimal neovim plugin called nvim-µwiki. It's essentially just the features from vimwiki that I regularly use, which is a small fraction them. I forgot to blog about it. I recently dusted it off and cleaned it up. You can find it here, along with a longer list of its features and how to configure it: https://github.com/jmtd/nvim-microwiki

I had a couple of design goals. I didn't want to define a new filetype, so this is designed to work with the existing markdown one. I'm using neovim, so I wanted to leverage some of its features: this plugin is written in Lua, rather than vimscript. I use the parse trees provided by TreeSitter to navigate the structure of a document. I also decided to "plug into" the existing tag stack navigation, rather than define another dimension of navigation (along with buffers, etc.) to track: Following a wiki-link pushes onto the tag stack, just as if you followed a tag.

This was my first serious bit of Lua programming, as well as my first dive into neovim (or even vim) internals. Lua is quite reasonable. Most of the vim and neovim architecture is reasonable. The emerging conventions about structuring neovim plugins are mostly reasonable. TreeSitter is, well, interesting, but the devil is very much in the details. Somehow all together the experience for me was largely just frustrating, and I didn't really enjoy writing it.

08 April, 2026 08:31PM

April 06, 2026

Thorsten Alteholz

My Debian Activities in March 2026

Debian LTS/ELTS

This was my hundred-forty-first month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.

During my allocated time I uploaded or worked on:

  • [DLA 4500-1] gimp security update to fix four CVEs related to denial of service or execution of arbitrary code.
  • [DLA 4503-1] evolution-data-server to fix one CVE related to a missing canonicalization of a file path.
  • [DLA 4512-1] strongswan security update to fix one CVE related to a denial of service.
  • [ELA-1656-1] gimp security update to fix four CVEs in Buster and Stretch related to denial of service or execution of arbitrary code.
  • [ELA-1660-1] evolution-data-server security update to fix one CVE in Buster and Stretch related to a missing canonicalization of a file path.
  • [ELA-1665-1] strongswan security update to fix one CVE in Buster related to a denial of service.
  • [ELA-1666-1] libvpx security update to fix one CVE in Buster and Stretch related to a denial of service or potentially execution of arbitrary code.

I also worked on the check-advisories script and proposed a fix for cases where issues would be assigned to the coordinator instead of the person who forgot doing something. I also did some work for a kernel update and packages snapd and ldx on security-master and attended the monthly LTS/ELTS meeting. Last but not least I started to work on gst-plugins-bad1.0

Debian Printing

This month I uploaded a new upstream versions:

Several packages take care of group lpadmin in their maintainer scripts. With the upload of version 260.1-1 of systemd there is now a central package (systemd | systemd-standalone-sysusers | systemd-sysusers) that takes care of this. Other dependencies like adduser can now be dropped.

This work is generously funded by Freexian!

Debian Lomiri

This month I continued to work on unifying packaging on Debian and Ubuntu. This makes it easier to work on those packages independent of the used platform. I am also able to upload Debian packages to the corresponding Ubuntu PPA now. A small bug had to be fixed in the python script to allow the initial configuration in Launchpad.

This work is generously funded by Fre(i)e Software GmbH!

Debian Astro

This month I uploaded a new upstream version or a bugfix version of:

  • libplayerone to experimental. For a list of other packages please see below.

I also uploaded lots of indi-drivers (libplayerone, libsbig, libricohcamerasdk, indi-asi, indi-eqmod, indi-fishcamp, indi-inovaplx, indi-pentax, indi-playerone, indi-sbig, indi-mi, libahp-xc, indi-aagcloudwatcher, indi-aok, indi-apogee, libapogee3, indi-nightscape, libasi, libinovasdk, libmicam, indi-avalon, indi-beefocus, indi-bresserexos2, indi-dsi, indi-ffmv, indi-fli, indi-gige, info-gphoto, indi-gpsd, indi-gpsnmea, indi-limesdr, indi-maxdomeii, indi-mgen, indi-rtklib, indi-shelyak, indi-starbook, indi-starbookten, indi-talon6, indi-weewx-json, indi-webcam, indi-orion-ssg3, indi-armadillo-playtypus ) to experimental to make progress with the indi-transition. No problems with those drivers appeared and the next step would be the upload of indi version 2.x to unstable. I hope this will happen soon, as new drivers are already waiting in the pipeline. There have been also four packages, that migrated to the official indi package and are no longer needed as 3rdparty drivers (indi-astrolink4, indi-astromechfoc, indi-dreamfocuser, indi-spectracyber).

While working on these packages, I thought about testing them. Unfortunately I don’t have enough hardware to really check out every package, so I can upload most of them only as is. In case anybody is interested in a better testing coverage and me being able to provide upstream patches, I would be very glad about hardware donations.

Debian IoT

This month I uploaded a new upstream version or a bugfix version of:

Debian Mobcom

This month I uploaded a new upstream version or a bugfix version of:

misc

This month I uploaded a new upstream version or a bugfix version of:

I also sponsored the upload of Matomo. Thanks a lot to William for preparing the package.

06 April, 2026 05:45PM by alteholz

April 04, 2026

Dima Kogan

Simple gpx export from ridewithgps

The Tour de Los Padres is coming! The race organizer post the route on ridewithgps. This works, but has convoluted interfaces for people not wanting to use their service. I just wrote a simple script to export their data into a plain .gpx file, including all the waypoints; their exporter omits those.

I've seen two flavors of their data, so here're two flavors of the gpx-from-ridewithgps.py script: 

#!/usr/bin/python3
import sys
import json

def quote_xml(s):
    return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")

print("Reading stdin", file=sys.stderr)
data = json.load(sys.stdin)

print(r"""<?xml version="1.0" encoding="UTF-8"?>
<gpx version="1.1" creator="gpx-from-ridewithgps.py" xmlns="http://www.topografix.com/GPX/1/1">""")

for item in data["extras"]:
    if item["type"] != "point_of_interest":
        continue
    poi = item["point_of_interest"]
    print(f'  <wpt lat="{poi["lat"]}" lon="{poi["lng"]}">')
    print(f'    <name>{quote_xml(poi["name"])}</name>')

    desc = poi.get("description","")
    if len(desc):
        print(f'    <desc>{quote_xml(desc)}</desc>')
    print(f'  </wpt>')

print("  <trk><trkseg>")
for pt in data.get("route", {}).get("track_points", []):
    print(f'    <trkpt lat="{pt["y"]}" lon="{pt["x"]}"><ele>{pt["e"]}</ele></trkpt>')
print("  </trkseg></trk>")

print("</gpx>")

#!/usr/bin/python3
import sys
import json

def quote_xml(s):
    return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")

print("Reading stdin", file=sys.stderr)
data = json.load(sys.stdin)

print(r"""<?xml version="1.0" encoding="UTF-8"?>
<gpx version="1.1" creator="gpx-from-ridewithgps.py" xmlns="http://www.topografix.com/GPX/1/1">""")

for poi in data["points_of_interest"]:
    print(f'  <wpt lat="{poi["lat"]}" lon="{poi["lng"]}">')
    print(f'    <name>{quote_xml(poi["name"])}</name>')

    desc = poi.get("description","")
    if len(desc):
        print(f'    <desc>{quote_xml(desc)}</desc>')
    print(f'  </wpt>')

for poi in data["course_points"]:
    print(f'  <wpt lat="{poi["y"]}" lon="{poi["x"]}">')
    print(f'    <name>{quote_xml(poi["n"])}</name>')
    print(f'  </wpt>')

print("  <trk><trkseg>")
for pt in data['track_points']:
    print(f'    <trkpt lat="{pt["y"]}" lon="{pt["x"]}"><ele>{pt["e"]}</ele></trkpt>')
print("  </trkseg></trk>")

print("</gpx>")

You invoke it by downloading the route and feeding it into the script: 

curl -s https://ridewithgps.com/routes/54493422.json | ./ridewithgps-to-gpx.py > out.gpx

Note that the route number 54493422 is in the url above.

04 April, 2026 05:21PM by Dima Kogan

hackergotchi for Dirk Eddelbuettel

Dirk Eddelbuettel

Sponsor me for Tour de Shore 2026 to support MFA

tour de shore 2026

On June 19 and 20, I will cycle a little over 100 miles from downtown Chicago and its wonderful Millenium Park to New Buffalo, Michigan, as part of the Tour de Shore 2026. The ride passes through northwest Indiana and the extended Indiana Dunes National Park ending the next morning in the southwestern Michigan town of New Buffalo. I rode Tour de Shore once before in 2024 and had a generally wonderful time (even considering some soreness after a century of miles over 1 1/2 days).

Tour de Shore is riding in support of Maywood Fine Arts Center, a local arts and sports center in Maywood, Illinois, a suburb one over from where I live and hence just a few good miles west of downtown. Maywood, Illinois is home to legends such as the late John Prine as well as several NBA players such as player and coach Doc Rivers.

 

tour de shore 2026 donation page

But Maywood, Illinois is also little less well off than other western suburbs. The Maywood Fine Arts Center is simply legendary is what they do for this community (and surrounding communities), and especially the youth support. They can use a dollar a two. Their story about Tour de Shore is worth a read too for background and motivation.

I have bootstrapped my donation page page with a dollar for each mile to be cycled. It would be simply terrific if you could join me. A nickel, a dime, or a quarter per mile cycled would help. Multiples of that help too: More is of course still always better.

Anything you can afford will go a long way towards a worthy goal in a community that could use the help.

Of and if you are local to the area, I believe you can still register for Tour de Shore 2026. So see you out there in June? And if not, maybe help with a dollar or two?

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog.

04 April, 2026 01:08AM

April 02, 2026

Joerg Jaspert

Building a house - 1 year in

Haven’t written here about it, but last March we finally started on our journey to get our own house build, so we can move out of the rented flat here.

That will be a big step, both the actual building, but also the moving - I am living at this one single place for 36 years now.

If you can read german there is a dedicated webpage where I sometimes write about the process. Will have much more details (and way more ramblings) than the following part.

If you can’t read german, a somewhat short summary follows. Yes, still a lot of text, but shortened, still.

What? Why now?

Current flat has 83m² - which simply isn’t enough space. And the number of rooms also doesn’t fit anymore. But it is hard to find a place that fits our requirements (which do include location).

Moving to a different rented place would also mean changed amount of rent. And nowadays that would be huge increase (my current rent is still the price from about 30 years ago!).

So if we go and pay more - we could adjust and pay for something we own instead. And both, my wife and I had changes in our jobs that made it possible for us now, so we started looking.

Market

Brrrr, looking is good, actually finding something that fits - not so. We never found an offer that fit. Space wise, sure. But then location was off, or price was idiotically high. Location fit, but then size was a joke, and guess about the price… Who needs 200 square meters with 3 rooms? Entirely stupid design choices there. Or how about 40 square meters of hallway - with 50m² of tiny rooms around. What are they smoking? Oh, there, useful size, good rooms - but now you want more money than a kidney is worth, or something. Thanks, no.

New place

In February 2025 we finally got lucky and found a (newly opened) area with a large number of places to build a house on. Had multiple talks with someone from on of the companies developing that area (there are two you can select from), then talked with banks and signed a contract in March 2025. We got promised that actual house construction would be first quarter of 2026, finished in second quarter.

House type

There are basically 2 ways of building a new house (that matter here). First is called “Massivhaus”, second is called “Fertighaus” in german, roughly translating to solid and prefabricated. The latter commonly a wood based construction, though it doesn’t need to be. The important part of it is the prefabrication, walls and stuff get assembled in a factory somewhere and then transported to your place, where they play “big kid lego” for a day and suddenly a house is there.

A common thought is “prefabricated” is faster, but that is only a half true. Sure, the actual work on side is way shorter - usually one or two days and the house is done - while a massive construction usually takes weeks to build up. But that is only a tiny part of the time needed, the major part goes of into planning and waiting and in there it doesn’t matter what material you end up with.

Money fun

Last year already wasn’t the best time to start a huge loan - but isn’t it always “a few years ago would have been better”? So we had multiple talks with different banks and specialised consultants until we found something that we thought is good for us.

Thinking about it now - we should have put even more money on top as “reserve”, but who could have thought that 2026 turns into such a shitshow? Does not help at all, quite the contrary. And that damn lotto game always ends up with the wrong numbers, meh.

Plans and plans and more plans - and rules

For whichever reason you can not just go and put something on your ground and be happy. At least not if you are part of the normal people and not enormously rich. There is a large set of rules to follow. Usually that is a good thing, even though some rules are sometimes hard to understand.

In Germany, besides the usual laws, we have something that is called “Bebauungsplan”, which translates to “development plan” (don’t know if that carries the right meaning, it’s a plan on what and how may be build, which can have really detailed specifications in). It basically tells you every aspect on top of the normal law that you have to keep in mind.

In our case we have the requirement of 2 full floors and CAN have a third smaller on top, it limits how high the house can be and also how high our ground floor may be compared to the street. It regulates where on the property we may build and how much ground we may cover with the house, it gives a set of colors we are allowed to use, it demands a flat roof that we must have as a green roof and has a number of things more that aren’t important enough to list here. If you do want to see the full list, my german post on it has all the details that matter to us.

With all that stuff in mind - off to plans. Wouldn’t have believed how many details there are to take in. Room sizes are simple, but how to arrange them for ideal usage of the sun, useful ways inside the house, but also keeping in mind that water needs to flow through and out. Putting a bath room right atop a living room means a water pipe needs to go down there. Switch the bath room side in the house, and it suddenly is above the kitchen - means you can connect the pipes from it to the ones from kitchen, which is much preferred than going through the living room. And lots more such things.

It took us until nearly end of October to finalize the plans! And we learned a whole load from it. We started with a lot of wishes. The planner tried to make them work. Then we changed our minds. Plans changed. Minds changed again. Comparing the end result with the first draft we changed most of the ground floor around, with only the stairs and the entrance door at the same position. Less changes for the upper floor, but still enough.

Side quests

The whole year was riddled with something my son named side quests. We visited a construction exhibition near us, we went to the house builders factory and took a look on how they work. We went to many different other companies that do SOME type of work which we need soon, say inside floors, painters, kitchen and more stuff.

Of course the most important side quest was a visit to the notary to finalize the contracts, especially for the plot of land (in Germany you must have a notary for that to get entered into the governments books). Creates lots of fees, of course, for the notary and also the government (both fees and taxes here).

Building permit

We had been lucky and only needed a small change to the plans to get the building permit - and the second part, the wastewater permit (yes, you need a separate one for this) also got through without trouble.

Choices, so many of them

So in January we finally had an appointment for something that’s called “Bemusterung” which badly translates to “Sampling”. Basically two days at the house builders factory to select all of what’s needed for the house that you don’t do in the plans. Doors, inside and out and their type and color and handles. Same things for the windows and the blinds and the protection level you want the windows to have. Decide about stairs, design for the sanitary installations - and also the height of the toilet! - and the tiles to put into the bathrooms. Decisions on all the tech needed (heating system, ventilation and whatnot.

Two days, busy ones - and you can easily spend a lot of extra money here if you aren’t careful. We managed to get “out of it” with only about 4000€ extra, so pretty good.

Electro and automation

Now, here I am special. Back when I was young the job I learned is electrician. So here I have very detailed wishes. I am also running lots of automatism in my current flat - obviously the new house should be better than that. So I have a lot of ideas and thoughts on it, so this is entirely extra and certainly out of the ordinary the house builder usually see.

Which means I do all of that on my own. Well, the planning and some of the work, I must have a company at hand for certain tasks, it is required by some rules. But they will do what I planned, as long as I don’t violate regulations.

Which means the whole electrical installation is … different. Entirely planned for automatisms and using KNX for it. I am so happy to ditch Homeassistant and the load of Homematic, Zigbee and ZWave based wireless things.

Ok, Homeassistant is a nice thing - it can do a lot. And it can bridge between about any system you can find. But it is a central single point of failure. And it is a system that needs constant maintenance. Not touched for a while? Plan for a few hours playing update whack-a-mole. And often enough a component here or there breaks with an update. Can be fixed, but takes another hour or two.

So I change. Away from wireless based stuff. To wires. To a system thats a standard for decades already. And works entirely without a SPOF. (Yes, you can add one here too). And, most important, should I ever die - can easily be maintained by anyone out there dealing with KNX, which is a large number of people and companies. Without digging through dozens of specialised integrations and whatnot.

I may even end up with Homeassistant again - but that will entirely be as a client. It won’t drive automations. It won’t be the central point to do anything for the house. It will be a logging and data collecting thing that enables me to put up easy visualizations. It may be an easy interface for smartphones or tablets to control parts of the house, for those parts where one wants this to happen. Not the usual day-to-day stuff, extras on top.

Actual work happening

Since march there finally is action visible. The base of the house is getting build. Wednesday the 1st April we finally got the base slab poured on the construction site and in another 10 days the house is getting delivered and build up. A 40ton mobile crane will be there.

02 April, 2026 09:23PM

April 01, 2026

hackergotchi for Joey Hess

Joey Hess

banning all Anthropic employees

Per my policies, I need to ban every employee and contractor of Anthropic Inc from ever contributing code to any of my projects. Anyone have a list?

Any project that requires a Developer Certificate of Origin or similar should be doing this, because Anthropic is making tools that explicitly lie about the origin of patches to free software projects.

UNDERCOVER MODE — CRITICAL

You are operating UNDERCOVER in a PUBLIC/OPEN-SOURCE repository. [...] Do not blow your cover.

NEVER include in commit messages or PR descriptions:

[...] The phrase 'Claude Code' or any mention that you are an AI
Co-Authored-By lines or any other attribution

-- via @vedolos

01 April, 2026 04:41PM

hackergotchi for Ben Hutchings

Ben Hutchings

FOSS activity in March 2026

01 April, 2026 03:30PM by Ben Hutchings

hackergotchi for Daniel Pocock

Daniel Pocock

Losing Debian: Sruthi Chandran election flop

The fact that only one candidate is running in the Debianism elections gives a stark reminder about the state of the so-called community. The main reason why other people did not contest the election is because of fear. Fear of a circle of reprisals that began when Adrian von Bidder-Senn died on our wedding day.

When CentOS died, people tried to carry on in various ways. That tells us a lot about human psychology. People knew the game was over but they tried to continue as if it was business as usual, as if the situation could be salvaged, as if it was only a temporary crisis.

Due to years of censorship, including the payment of $120,000 to steal Debian-related domain names, the Debianists have been living in a bubble and deluding themselves. When Sruthi Chandran nominated on Friday 13th, people acted as if this was a good thing.

Now Sruthi has stopped answering questions on the Debian-vote mailing list and it seems reality has started to sink in. People are coming to realize that the position of Debian Project Leader is the interface between Debianism and the outside world. People can fool themselves and use the Code of Conduct gaslighting to blackmail other volunteers to pretend that Sruthi is a great leader. People are coming to realise that these tricks won't work on the wider community. Given that Sruthi would be Debian's interface to the outside world, we can't just ignore how the world views the candidate who is the wife of another developer.

She has ignored the most serious questions on Debian-vote mailing list. A woman trying to run Debian from a social control media account is the death of Debian. Here is a tally of the number of replies she provided each day for those who use email, the mainstay of Debian communication:

DayCount
14 March0
15 March0
16 March0
17 March4
18 March0
19 March0
20 March0
21 March3
22 March1
23 March0
24 March7
25 March0
26 March0
27 March0
28 March0
29 March0
30 March0
31 March0

That is a total of only 15 replies. She has been largely silent for a whole week since 24 March.

Technically, questions and their answers are supposed to be completed before midnight on Friday, 3 April. The most critical questions have not been answered. In her platform, Sruthi Chandran boasts about being the "Chief orga DebConf India 2023" but there has never been an official report about the death of Abraham Raji at the conference.

Voting runs from 4 April to 17 April, which is the 15th anniversary of the day Adrian von Bidder-Senn died on our wedding day. It was discussed like a copy-cat suicide but there was no official report about those deaths either.

Remember the words from Abraham Raji himself:

Everything in Debian is transparent, all forms of official communication are a matter of public record, the amount of unresolved bugs, every step taken by debian as an organization, everything is in the open! I appreciate that from my distribution. There is no room for underhand corporate deals, no unfair treatment behind private mails and everything can be reviewed by the public.

Does Sruthi Chandran spend more time in debian-private (leaked) and WhatsApp groups than the public communication channels that Debian is supposed to be using?

Sruthi Chandran's platform tells us she wants to put diversity ahead of traditional goals like freedom and security. She has been very vague about this. As a consequence, more evidence is going to be published during the voting period to prove that Debian "diversity" means some men who did the real work are not being given credit while some large sums of money were assigned to the wives and girlfriends of cabal members.

Sruthi Chandran, platform, Debian Project Leader, 2026, Abraham Raji

 

I've never stated whether people should vote for Sruthi Chandran or not. Looking at the tone of the discussion, I feel people are coming to realise the way the outside world views candidates like this is not the same way that people view it from inside the bubble.

Consider the irony: they spent all that money in arguments about leaks that are "tarnishing" the trademark. The implication of these arguments about tarnishing is that the way the outside world views Debianism does matter. Can anybody see the risk that Sruthi Chandran and a lop-sided diversity crusade could do far more to tarnish the trademark than any leaks that have appeared up to this moment?

Debian may not die exactly the same way that CentOS died. At some point, as with CentOS, we will go past the point of no return. Maybe we already did. Will people have the courage to ask questions before that threshold is crossed or will they continue acting as if nothing is wrong even long after the life support system has been unplugged from the corpse?

Remember, Debianists gave over $120,000 in kill money to racist Swiss lawyerists to attack my family but they didn't pay Abraham Raji anything for the work he did helping organise DebConf23. When Raji joined the other developers on the day trip, they asked him to contribute some of his own money, he was left behind to swim alone and he drowned. Yet the lawyerists were given $120,000.

The best way to encourage people to nominate for the election will be for the existing leader, Andreas Tille, to withdraw all the privacy attacks, settle the lawsuits proactively and ensure the next leader can walk in and find the desk is clean ready to work on productive things.

Don't hold your breath waiting for transparency about these attacks on my family. There is still time to watch my video and contribute to the crowdfunding campaign.

01 April, 2026 01:30PM

French judgment: parasitisme by FSFE & Matthias Kirschner (CO23.002709)

In previous reports, we've described the tactics of the FSFE misfits using terms like identity fraud and Nigerian fraud.

In the French justice system, they have their own name for this type of scam: parasitisme.

FSFE, judgment, Matthias Kirschner, Galia Mancheva, Jonas Oberg, Elias Diem, Parasitisme, Richard Stallman, FSF, FSFE, John Sullivan, Daniel Pocock, Fellowship

 

Parasitisme is the French legal concept of one person or organisation trying to usurp the reputation of another person or organisation to obtain money or procure the work of volunteers.

As an Australian, the Fellowship elected me on ANZAC Day in 2017 to investigate the FSFE misfits in Berlin. Australians don't know a lot of French but we know parasites.

Is the judgment real or is it just another April fools day joke? The facts and the leaks are certainly real. The French courts really use the word Parasitisme to describe this type of scam. However, some fake judgments are being distributed with the number CO23.002709 and the names of Caroline Kuhnlein-Hofmann and Mélanie Bron. You can recognise the fake judgments because they have the date of the Kristallnacht, 10 November, on the first page.

Click for the parasitisme judgment and punishments:

FSFE, judgment, Matthias Kirschner, Galia Mancheva, Jonas Oberg, Elias Diem, Parasitisme, Richard Stallman, FSF, FSFE, John Sullivan, Daniel Pocock, Fellowship

 

If you want Australians to continue working to put these dangerous pests to rest, please watch my crowdfunding campaign video and discuss it with your community today.

01 April, 2026 09:30AM

Red Hat: Latin-1 character set under threat from Bishop Michael Martin, North Carolina

If religion is a form of social engineering attack, having your own language is the ultimate mind-control trick.

Latin is the language of God - or control.

The Latin-1 character set (ISO 8859-1) is natively supported in the Linux console driver, including Red Hat Linux systems.

On 12 December 1924, Pope Pius XI created the Diocese of Raleigh, North Carolina. In 1971, Pope Paul VI forked the diocese to create a separate Diocese of Charlotte.

Red Hat was founded in Durham. They subsequently relocated to Raleigh and in 2009 they began preaching about the need for Codes of Conduct demagoguery.

From 2009 meeting minutes:

Paul: There are just as many RHT'ers contributing to the negativity as volunteers

In the rival Diocese of Charlotte, Bishop Michael Martin was appointed on 9 April 2024.

In May 2025, a draft Code of Conduct was leaked from Bishop Martin in Charlotte, North Carolina. The document includes harsh new restrictions on the use of practices from the Traditional Latin Mass.

In a report from 31 March 2026:

The Diocese of Charlotte, a focal point of liturgical conflict

The controversy is not new. Since his arrival in the diocese in 2024, following the resignation for health reasons of Bishop Peter Jugis, Michael Martin has been the target of strong criticism from the faithful attached to the traditional liturgy.

The most significant episode occurred in May 2025, when he reduced from four to one the authorized locations for the celebration of the traditional Latin Mass, leaving only one chapel for these celebrations. The measure was presented expressly as part of the application of Traditionis Custodes.

This was followed by leaked diocesan documents that pointed to new restrictions, including possible limits on the use of Latin in the liturgy, certain traditional vestments, and some habitual postures of the faithful at the moment of Communion.

Prohibition of kneelers and Communion rails

The tension increased even further in September 2025, when Martin prohibited the use of an altar rail in a Catholic school in Charlotte.

The fact the 2025 document is a draft should not be understated. It is not unusual for managers to ask their subordinates to write drafts like this full of ideas from brainstorming sessions. The bishop may have asked different subordinates or theology students to write competing drafts with the intention of cherry-picking ideas from each of them rather than using the draft verbatim. Therefore, as one of possibly many drafts, it has no meaning until Bishop Martin decides to make a public statement.

Nonetheless, the leaking of a draft is a great way to get people talking about the Catholic Church. Many companies deliberately leak their own documents to gain attention on social control media.

Here are some of the key points and benefits of the Latin language:

  • Universal - people can attend a Latin mass in any country and it will sound the same, whether they understand it or not
  • The language and the Catholic affinity for Latin have survived much longer than the Roman empire
  • The meaning of any original Latin text is usually more specific and less ambiguous than any translations to English or other modern languages.
  • The Latin calendar of saints, readings and seasons provides structure throughout the calendar year
  • Latin language is also used in medicine, law, our alphabet and many words in European languages

However, Latin has been challenged over the years. English bibles have been around for centuries.

Can you put candles on the altar? The candles are part of the Traditional Latin Mass but there have been arguments about whether they are permitted or even banned in the post-Latin world. My first ever voluntary role was being an altar boy at our local church. Lighting the candles before mass and extinguishing them at the end of the mass were among our responsibilities. Was I breaking the Code of Conduct by lighting these candles for an English-language mass?

In fact, due to the extreme temperatures in Australia, we have many days of the year when all types of fire are banned. If the altar boys still light the candles on one of the total fire ban days, are they simultaneously violating two Codes of Conduct?

Latin was both the language of the empire and the language of the official state religion. Today, English is the language of business, but more people speak Chinese or Spanish. There are many more religions and sects. When children are born into a family that practices the Traditional Latin Mass, they have the opportunity to learn Latin from childhood. When modern day religions and cults recruit adult members who never practiced a religion before, they don't have the same opportunitity to indoctrinate those people into a language.

The use of the Latin language has disadvantages.

  • Many people don't understand Latin, either spoken or written.
  • Latin can be and has been used to fool people. In historic times, the jurists and priests were the only people who could read the Latin texts. They would find some paragraph in the bible to justify their own opinions or decisions and they would pretend to translate and explain it to the lay people.
  • The church parted with it in 1962, new generations abandoned it. For example, very few schools still teach Latin.
  • Compared to other languages, there are very few opportunities to practice speaking and reading in Latin.
  • The Catholic church is now competing with many other Christian religions. The use of the Latin language began at a time when other forms of Christianity did not exist. Moreover, the church is competing in countries without a state religion. Only in Italy and Rome are people ninety-nine percent Catholic.

The Vatican has not completely banned use of the Traditional Latin Mass. They have not completely banned candles and some other traditions that are associated with the Traditional Latin Mass. Nonetheless, there is a Code of Conduct that every modern day diocese is expected to follow and that means the majority of masses should be offered in the local language(s) understood by the congregation.

Related web sites about the Traditional Latin Mass

Related blogs about the church

Related blogs about the death of Adrian von Bidder on Palm Sunday, our wedding day

Catholic.Community

Please follow the Catholic.Community web site and make it your home page.

01 April, 2026 07:00AM

March 31, 2026

hackergotchi for Junichi Uekawa

Junichi Uekawa

April already.

April already. Wondering how bazel update is going in Debian. Seems like a large undertaking.

31 March, 2026 11:27PM by Junichi Uekawa

hackergotchi for Benjamin Mako Hill

Benjamin Mako Hill

Quote #75514

Although I never submitted to it, I made several appearances in the now-defunct quote database on bash.org (QDB). I’m dealing with a broken keyboard now, and went to dig hard to find this classic in the Wayback machine. I thought I would put it back on the web:

<mako> my letter "eye" stopped worng
<luca> k, too?
<mako> yeah
<luca> sounds like a mountain dew spill
<mako> and comma
<mako> those three
<mako> ths s horrble
<luca> tme for a new eyboard
<luca> 've successfully taen my eyboard apart and fxed t by cleanng t wth alcohol
<mako> stop mang fun of me
<mako> ths s a laptop!

It was, in fact, horrble.

31 March, 2026 09:13PM by Benjamin Mako Hill

hackergotchi for C.J. Adams-Collier

C.J. Adams-Collier

Finding: Promoting SeaBIOS Cloud Images to UEFI Secure Boot (Proxmox)

Discovery

Legacy cloud templates often lack the partitioning and bootloader
binaries required for UEFI Secure Boot. Attempting to switch such a VM
to OVMF in Proxmox results in “not a bootable disk.” We discovered that
a surgical promotion is possible by manipulating the block device and
EFI variables from the hypervisor.

The Problem

  1. Protective MBR Flags: Legacy installers often set
    the pmbr_boot flag on the GPT’s protective MBR. Strict UEFI
    implementations (OVMF) will ignore the GPT if this flag is present.
  2. Missing ESP: Cloud images often lack a FAT32 EFI
    System Partition (ESP).
  3. Variable Store: A fresh Proxmox
    efidisk0 is empty and lacks both the trust certificates
    (PK/KEK/db) and the BootOrder entries required for an automated
    boot.

The “Promotion” Rule

To upgrade a SeaBIOS VM to Secure Boot without a full OS reinstall:
1. Surgical Partitioning: Map the disk on the host and
add a FAT32 partition (Type EF00). Clear the
pmbr_boot flag from the MBR. 2. Binary
Preparation: Boot the VM in SeaBIOS mode to install
shim and grub-efi packages. Use
grub2-mkconfig to populate the new ESP. 3. Trust
Injection: Use the virt-fw-vars utility on the
hypervisor to programmatically enroll the Red Hat/Microsoft CA keys and
any custom certificates (e.g., FreeIPA CA) into the VM’s
efidisk. 4. Boot Pinning: Explicitly set
the UEFI BootOrder to point to the shimx64.efi
path via virt-fw-vars --append-boot-filepath.

Solution (Example Command
Sequence)

On the Proxmox Host (root):

# Map and Clean MBR
DEV=$(rbd map pool/disk)
parted -s $DEV disk_set pmbr_boot off

# Inject Trust and Boot Path (VM must be stopped)
virt-fw-vars --inplace /dev/rbd/mapped_efidisk \
  --enroll-redhat \
  --add-db <GUID> /path/to/ipa-ca.crt \
  --append-boot-filepath '\EFI\centos\shimx64.efi' \
  --sb

This workflow enables high-integrity Secure Boot environments using
existing SeaBIOS infrastructure templates.

31 March, 2026 09:03PM by C.J. Collier

hackergotchi for Thomas Lange

Thomas Lange

FAIme using apt-cacher-ng

The FAI.me service has become faster over the past two months.

First, the tool fai-mirror can now download all packages in one go (with all their dependencies) instead of downloading one by one. This helped a lot for the Linux Mint ISO because it uses a long list of packages.

I've also added a local apt cache (using apt-cacher-ng), so the network speed does not matter any more in most cases. This led to the following improvements:

  • Linux Mint install ISOs went from around 6-7 min to now only 2min.
  • Ubuntu install ISO went from average 3min to around 90 seconds.
  • The average time for a Debian Linux install ISO dropped from 2min to 40 seconds.

So far we only had once a problem with apt-cacher-ng, because the underlying partition was full.

Building cloud and live images do not gain that much from the local package cache, because most time is spend in extracting and installing the packages.

31 March, 2026 01:50PM

Russ Allbery

Review: Code Blue—Emergency

Review: Code Blue—Emergency, by James White

Series: Sector General #7
Publisher: Orb
Copyright: 1987
Printing: May 2003
ISBN: 0-7653-0663-8
Format: Trade paperback
Pages: 252

Code Blue—Emergency (annoying em-dash in original title) is the seventh book of James White's Sector General science fiction series about a vast multi-species hospital station. While there are some references to (and spoilers for) earlier books in the series, you don't have to remember the previous books to read this one. I had no trouble despite a nine-year gap.

I read this as part of the Orb General Practice omnibus, which collects this novel and The Genocidal Healer.

Cha Thrat is a Sommaradvan warrior-surgeon, member of a newly-discovered species that is beginning the process of contact with the Federation. She saved a Monitor corps human after an accident on her world, performing some some highly competent surgery on a species she had never seen before. That plus her somewhat outcast status on her own world due to her very traditional attitude towards medical ethics led Sector General to extend an offer of medical internship, and led her to leap into the unknown by accepting. This may have been a mistake; there is a great deal that Sector General does not understand about Sommaradvan medical ethics.

This series entry is another proper (if somewhat episodic) novel and the first book of the series that doesn't primarily focus on Conway. He makes an appearance in his new role as Diagnostician, but only as a supporting character. Code Blue—Emergency is told in the tight third-person perspective of Cha Thrat, an alien who finds many things about Sector General baffling, confusing, and ethically troubling (and who therefore provides a good reader surrogate for reintroducing the basics of how the hospital works).

Using an alien viewpoint is a more sophisticated narrative technique than White has used previously. I'm glad he tried it, and it mostly works, although I have some complaints. Cha Thrat comes from the middle cast of a strictly hierarchical society of three casts, but is also immensely stubborn and used to a medical system in which doctors take sole responsibility for their patients. This creates a lot of cultural conflicts, and I do enjoy science fiction where the human attitudes are portrayed as the strange ones, but the cultural analysis offered by this novel is not very deep.

The pattern of this book is for Cha Thrat to stumble into a successful approach to a problem while being either oblivious to or hostile to the normal hierarchical structure expected of medical trainees. This is believable as far as it goes. She is a skilled and intelligent doctor with some good instincts and a strong commitment to patient care, but is also culturally inclined to not ask for help. It makes sense for that to be a serious problem in a hospital. Unfortunately, no one says this directly. Sector General staff get quite upset in ways that seem more territorial than oriented towards patient safety, no one directly explains to Cha Thrat why following a process is important or shows examples of what could go wrong, and plot armor means that her mistakes usually have positive outcomes. One can extrapolate the reasons why she is not a good medical student, but the reader is forced to do the extrapolation.

This is the sort of book where the narration makes clear there are unresolved cultural clashes that are going to cause problems but hides the details. To Cha Thrat, her perspective is so obvious she never bothers to explain it to the reader, so the specifics come as a surprise. As with the alien perspective, I've seen this technique used with more subtlety and sophistication in other books, but White's version mostly works. Cha Thrat is a sympathetic protagonist because she is truly trying to take the most ethical and empathetic action in every situation and is clearly competent. Most of my frustration as a reader, ironically, lands on the other Sector General doctors who seem to make little to no effort to understand her perspective when she fails to conform to their expectations. This is believable in the abstract, but the whole point of Sector General is that they're supposed to be wiser about interspecies difference than this.

Also, sometimes their reactions just seem petty. Cha Thrat has a very hierarchical concept of medicine that matches the social classes of her culture. For her, the highest tier of doctor are wizards who treat rulers, because the work of rulers is mostly mental and intellectual and therefore the diseases of rulers are treated with magic spells performed with words to reshape their thinking rather than surgery on their bodies. O'Mara and the other Sector General psychologists take great offense at this, muttering about being called witch doctors, which I found completely absurd. This is a comprehensible, if odd, description of psychology from a wholly alien species. Surely one's first reaction should be that words like "wizard" or "magic" are translation errors. Don't get offended; look to see if the underlying substance matches, which it clearly does.

Apart from cultural and psychological clashes, Code Blue—Emergency has the standard episodic Sector General structure of interesting medical mysteries that require lateral thinking. I find this sort of puzzle story satisfying, particularly given the firm belief of every character in an essentially pacifist and empathetic approach to even the most alien of creatures. This determined non-violence is one of the more interesting things about this series, and it continues here.

White does tend towards both biological and gender essentialism for everyone other than the protagonist and main supporting characters, but he seemed to be walking back some of the more outrageous limitations on women that appeared in previous books. There is still some nonsense in here about how females of any species can't be Diagnosticians, but then Cha Thrat, who is female, seems to violate the justification for that rule over the course of this novel (sadly without comment). Perhaps he's setting up for proving Sector General wrong about this prejudice.

I picked this up after reading Elizabeth Bear's Machine, which is essentially a (better written) Sector General novel that got me in the mood for reading more. I wouldn't give Code Blue—Emergency any awards, but it delivered exactly what I was looking for. This series is not as deep or well-written as some more recent SF, but it is reliably itself and reliably entertaining. There are worse things in a series. Recommended if you're in the mood for alien ER in space.

The omnibus edition that I read has an introduction to both novels by John Clute. It does add some interesting insights, but (as is somewhat typical for Clute) it also spoils parts of both books. You may want to read it after you read the novels.

Followed by The Genocidal Healer.

Rating: 7 out of 10

31 March, 2026 03:08AM

March 30, 2026

Jamie McClelland

Mailman3 has 2 databases. Whoops.

At May First we have been carefully planning our migration of about 1200 lists from mailman2 to mailman3 for almost six months now. We did a lot of user communications, had several months of beta testing with a handful of lists ported over, and everything was looking good. So we kicked off the migration!

But, about 15% of the way through I started seeing sqlite lock errors. Wait, what? I carefully re-configured mailman3 to use postgres, not sqlite. Well, yes, but apparently that was for the database managing the email list configuration, not the database powering the django web app, which, incidentally, also includes hundresds of gigabytes of archives. In other words, the one we really need in postgres, not sqlite.

Moving from sqlite to postgres

Well that sucks. We immediately stopped the migration to deal with this.

I noticed that the web is full of useful django instructions on how to migrate your database from one database to antoher. However, if you read the fine print, those convenient looking “dumpdata loaddata” workflows are designed to move the table definitions and a small amount of data. In our case, even after just 15% of our lists moved, our sqlite database was about 30GB.

I considered some of the hacks to manage memory and try to run this via django, but eventually decided that pgloader was a more robust option. This option also allowed me to more easily test things out on a copy of our sqlite database (made while mailman was turned off). This way I could migrate and re-migrate the sqlite database over and over without impacting our live installation until I was satisfied it was all working.

My first decision was to opt out of pgloader’s schema creation. I used django’s schema creation tool by:

  • Turning off mailman3 and mailman3-web and changing the mailman web configuration to use the new postgresql database.
  • Running mailman-web migrate
  • Changing the mailman web configuration back to sqlite and starting everything again.

Note: I tried just adding new database settings in the mailman web configuration indexed to ’new’ - django has the ability to define different databases by name, then you can run mailman-web migrate --database new. But, during the migration, I caught django querying the sqlite database for some migrations that required referencing existing fields (specifically hyperkitty’s 0003_thread_starting_email). I didn’t want any of these steps to touch the live database so I opted for the cleaner approach.

Once I had a clean postgres schema, I dumped it so I could easily return to this spot.

Next I started working on our pgloader load file. After a lot of trial and error, I ended with:

LOAD DATABASE
    FROM sqlite:///var/lib/mailman3/sqlite-postgres-migration/mailman3web.clean.backup.db
    INTO postgresql://mailmanweb:xxxxxxxxxxx@localhost:5432/mailmanweb

WITH data only,
    reset sequences,
    include no drop,
    disable triggers,
    create no tables,
    batch size = 5MB,
    batch rows = 500,
    prefetch rows = 50,
    workers = 2,
    concurrency = 1

SET work_mem to '64MB',
    maintenance_work_mem to '512MB'

CAST type datetime to timestamptz drop default drop not null,
    type date to date drop default drop not null,
    type int when (= precision 1) to boolean using tinyint-to-boolean,
    type text to varchar using remove-null-characters;

The batch, prefetch, workers and concurreny settings are all there to ensure memory doesn’t blow up.

I also discovered that I had to make some changes to the schema before loading data. Mostly truncating tables that the django migrate command populated to avoid duplicate key errors:

TRUNCATE TABLE django_migrations CASCADE;
TRUNCATE TABLE django_content_type CASCADE;
TRUNCATE TABLE auth_permission CASCADE;
TRUNCATE TABLE django_site CASCADE;

And also, I had to change a column type. Apparently the mailman import process allowed an attachment file name that exceeds the limit for postgres, but was allowed into sqlite:

ALTER TABLE hyperkitty_attachment ALTER COLUMN name TYPE text

When pgloader runs, we still get a lot of warnings from pgloader, which wants to cast columns differently than django does. These are harmless (I was able to import the data without a problem).

And there are still a lot of warnings along the lines of:

2026-03-30T14:08:01.691990Z WARNING PostgreSQL warning: constraint “hyperkitty_vote_email_id_73a50f4d_fk_hyperkitty_email_id” of relation “hyperkitty_vote” does not exist, skipping

These are harmless as well. They appear because disable triggers disables foreign key constraints. Without it, we wouldn’t be able to load tables that require values in tables that have not yet been populated.

After all the tweaking, the import of our 30GB sqlite database took about 40 minutes.

Final Steps

I think the reset sequences from pgloader should take care of this, but just in case:

mailman-web sqlsequencereset hyperkitty mailman_django auth | mailman-web dbshell

And, just to ensure postgres is optimized, run this in the psql shell:

ANALYZE VERBOSE;

Last thoughts

I understand very well all the decisions the mailman3 devs made in designing the next version of mailman, and if I was in the same place I may have made them the same ones. For example, separating the code running the mailing list from the code managing the archives and the web interface makes perfectly good sense - many people might want to run just the mailing list part without a web interface. And building the web interface in django makes a lot of sense as well - why re-invent the wheel? I’m sure a lot of time and effort was saved by simply using the built in features you get for free with django.

But the unfortunate consequence of these decisions is that sys admins have a much harder time. Almost everyone wants the email lists along with the web interface and the archives. But nobody wants two different configuration files with different syntaxes and logic, not to mention two different command lines to use for maintenance and configuration with completely different APIs. Trying to understand how to change a default template or set list defaults requires a lot of research and usually you have to write a python script to do it.

I have finally come to the conclusion that mailman2 is designed for sys admins, while mailman3 is designed for developers.

Despite these short comings, I am impressed with the community and their quick and friendly responses to the questions of a confused sys admin. That might be more valuable than anything else.

30 March, 2026 12:27PM

Russ Allbery

Review: The Cloak and Its Wizard

Review: The Cloak and Its Wizard, by R.Z. Nicolet

Publisher: UpLit Press
Copyright: February 2026
ISBN: 1-917849-15-X
Format: Kindle
Pages: 423

The Cloak and Its Wizard is a standalone (at least so far) urban fantasy superhero (sort of) novel. R.Z. Nicolet is the marketing pseudonym for Rachel Reddick. This is her first novel.

I'm picky about wizards.

The wizards themselves will complain about that, but of course I'm picky. When I choose a wizard, barring utter abandonment of moral scruples, it's a till-death-do-us-part situation. (Their death, not mine. I'm the next best thing to indestructible.)

The Cloak of Sunset and Starlight is a major artifact, meaning that it has its own preferences and is capable of independent action. It has been sitting in a glass case in the wizards' library for about a hundred years, waiting for someone interesting. (Well, mostly sitting. Occasionally it sneaks out to eavesdrop or move the books around.)

Veronica Noble is interesting. She's older than most initiates, thoughtful, observant, and clearly had some mundane career before joining the Order. Her aura is appealing, and her mental shields and resistance to influence are intriguing. Normally, the Cloak would take its time investigating a new potential wizard, but the Sword was making thoughtful rattling sounds, and no way is the Cloak going to let the Sword claim her first. Time to choose a new wizard!

It was nice, being draped over warm shoulders, and feeling a heartbeat again.

I could tell she closed her eyes without even looking.

She sighed. "I just got picked by the intransigent one, didn't I?"

The last time I picked a book from the Big Idea feature in Scalzi's Whatever blog, it didn't go that well, but if you're going to write a book specifically for me, I'm going to read it. There are very few tropes of SFF that I love more than intelligent companion objects, and Nicolet's introduction to the story was compelling. So I gave this book discovery method another chance.

I'm glad I did, because this was exactly what I was in the mood for and a delight from cover to cover.

Veronica Noble is not a typical wizard. She's a surgeon and was quite happy to be a surgeon until an unexpected encounter with a magical creature killed her brother. The forgetting spell that the wizards who came to handle the Cassandra wyrm didn't work on her, so she was dragged reluctantly into the secret magical world of the Order. This long-lived society of wizards quietly defends the world against magical intrusions from other planes of existence. Now she's a wizard with a magical cloak, which she is not at all sure she wants.

Veronica is not the protagonist, though. The Cloak of Sunset and Starlight is. As far as it is concerned, its job is to assist its wizard, enjoy watching interesting feats of magic, and look fabulous doing so. It's protective, dramatic, rather vain, endlessly curious, easily bored, and intensely loyal. When it becomes clear that the Order has some serious problems, the Cloak knows what side it's on.

This sounds a bit like urban fantasy, so I was surprised when the first superheroes showed up, although given the explicit Doctor Strange inspiration I probably should have expected them. The Order and the superheroes do not mix, at least at the start of the novel. The wizards view the superheroes as a loud and irritating intrusion and hide magical activities from them the same as they do the rest of the world. Veronica's opening opinion on superheroes is based on being a trauma surgeon in a hospital dealing with the aftermath of their fights (which makes me wonder if the author has read Hench, although the idea is older than that book). As with the Order, the role of superheroes in this world gets more complicated as the plot develops.

There is a surprising amount of plot and some very nice world-building here, including multiple twists that I was not expecting. Veronica is the sort of stubborn and deeply ethical person who will not leave a problem alone if she has the ability to fix it, which is a good recipe for getting deeper and deeper into a complex plot. She's believable as a surgeon: somewhat taciturn, calm in emergencies, detail-oriented, methodical, and not at all dramatic. This makes the Cloak a perfect foil and complement. Watching their partnership develop was very satisfying.

This is a sidekick novel, and like the best sidekick novels it makes the not-protagonist more interesting and more relatable by showing them from an outside and skewed perspective. Piecing together what Veronica must be thinking is part of the fun, as is sharing the Cloak's protectiveness towards her as it becomes clear how much she's been through and how good of a person she is. The Cloak's personality was a little too much like a cat for me — I would have preferred a more unique viewpoint, fewer cat-coded shenanigans, and a bit less of the running laundry machine joke. But that's a quibble. Its endless curiosity drives the plot forward and uncovers more of the world-building, and I just love reading stories from the perspective of this sort of loyal and protective magical creature.

I had so much fun with this book. It's a popcorn sort of book, and I thought the ending sputtered a little, but overall it was great. Parts of it could have been designed in a lab to appeal to me specifically, so I'm not sure if other people will enjoy it as much, but its hit rate with my friends so far has been good.

Highly recommended, and I will be watching for any further novels from Nicolet.

The Cloak and Its Wizard reaches a satisfying conclusion and doesn't advertise itself as part of a series, but there is room for a sequel. If Nicolet ever writes one, I'd read it.

Rating: 8 out of 10

30 March, 2026 02:46AM

March 29, 2026

Russell Coker

Ebook Readers in Debian

Laptop

For a while I’ve been using Calibre 8.5.0+ds-1+deb13u1 in Debian/Trixie running KDE for reading ebooks on my laptop, it generally works well and has a large font size. The only downsides of it for that use are taking more RAM than I would prefer (about 780M RSS which seems a lot for a relatively simple task) and having separate windows for the list of books and reading an actual book without any options to just open the last book and not delay me.

I tried Arianna 25.04.0-1 in Debian/Trixie, it has a significantly smaller font size and doesn’t allow high contrast colors as the default is black on gray with the dark theme in KDE. It also only allows left and right arrows for moving through the book while Calibre uses up/down, left/right, or pgup/pgdn so whatever keys seem reasonable to you are going to work. The RSS was 762M which wasn’t great but wasn’t the real problem. Rumours of Arianna using less RAM than Calibre seem exaggerated.

Librem5

On my Librem5 phone with Plasma Mobile Calibre 8.5.0+ds-1+deb13u1 both the initial setup screen and the main screen for selecting a book to read don’t work in the width of portrait view on the phone. After putting it in landscape mode it worked, but I couldn’t touch on a book title to select it I had to touch on the number of the book at the left of the list box. But once it was loaded everything was fine. On the Librem5 Arianna 25.04.0-1 just worked fine, although only using left/right swipes to change pages instead of up/down was annoying.

Furilabs FLX1s

On my Furilabs FLX1s with phosh Arianna 25.04.0-1 and Calibre 8.16.2+ds+~0.10.5-3 both gave the same result of not displaying text or images from the book, I’m not sure if it’s phosh or some other aspect of the FLX1s configuration at fault.

PinePhonePro

On my PinePhonePro running Debian/Testing with Plasma Mobile Arianna 25.12.3-1 worked without any issue and up/down swipes worked. Calibre 9.5.0+ds+~0.10.5-1 had the initial screen work fine in portrait mode but the main screen was too wide and needed landscape. Also the issue of having to touch the number applied.

Laptop running Debian/Unstable

Calibre 9.6.0+ds+~0.10.5-2 and Arianna 25.12.3-1 worked quite nicely on a Thinkpad running Debian/Unstable. One thing I discovered while testing it is that Calibre supports the CTRL-PLUS and CTRL-MINUS key combinations to change font sizes and that also works on the version in Debian/Trixie. Arianna doesn’t support CTRL-PLUS/MINUS.

Conclusion

The problems I had were Arianna on a laptop, everything on the Furilabs FLX1s, and Calibre’s UI not being well adjusted for mobile devices.

Related posts:

  1. encryption speed – Debian vs Fedora I’m in the process of converting my Fedora/rawhide laptop to...
  2. Phone Charging Speeds With Debian/Trixie One of the problems I encountered with the PinePhone Pro...
  3. Furilabs FLX1s The Aim I have just got a Furilabs FLX1s [1]...

29 March, 2026 12:29PM by etbe

Russ Allbery

Review: The Sovereign

Review: The Sovereign, by C.L. Clark

Series: Magic of the Lost #3
Publisher: Orbit
Copyright: September 2025
ISBN: 0-316-54286-5
Format: Kindle
Pages: 575

The Sovereign is the third and concluding book of C.L. Clark's Magic of the Lost high fantasy trilogy. I recommend reading the books of this series close together, since there are a lot of characters and a lot of continuity between books that is helpful to remember, but it was not quite as difficult this time to remember where the story left off.

At the end of The Faithless, the political situation in Balladaire (not-France) was more stable, but the threat of a plague lay on the horizon. That threat arrives in earnest in this book, along with new threats from both Balladaire's former colonial conscript soldiers and from neighboring Taargen (not-Germany, sort of, although the parallel isn't as close). Luca and Touraine have finally admitted that they're deeply in love, but they are still very different people with different goals and ethics. Luca is determined to do anything necessary to save her kingdom, but her definition of her kingdom is sharp and brittle. Touraine is torn between far too many loyalties, plus the lingering worry that her morals and Luca's may not be compatible.

I think the hardest part of this sort of series is finding an ending the reader will find satisfying. This one, unfortunately, did not work for me, but that may be more due to personal preference than objective flaws.

There have been two threads through this series: an improbable romance embedded in a network of complex personal relationships, and a political commentary on colonialism and post-colonial wars. I was enjoying the former, but it was the latter that felt fresh and interesting to me. The plot threads in The Faithless outside of Balladaire expanded that complexity, and I was hoping the final volume would continue in that direction. How could a colonial power atone for its history? How does the former colony establish its own governance? Is there a path to freedom without violence? Are attempts to chart a more moral course doomed to open lines of attack for one's other enemies?

It's clear that Clark was thinking about similar themes, but The Sovereign narrows the field instead of widens it, restricts the political options, and then resolves most questions in a massive war. This is not that surprising of a conclusion, but it's one that I found unsatisfying and, honestly, a little boring. Yes, one way to resolve all the competing tensions is for everyone to try to kill each other and whoever survives wins, and historically that's one of the more likely outcomes, but that ending doesn't wrestle with the politics as much as it collapses them.

Clark instead focuses this concluding volume on the romance, which becomes even more fraught, tragic, and dramatic than it was in previous books (and that's saying something). The hard questions of divided loyalties and moral conflicts are mostly framed by questions about Touraine's loyalty to Luca and Luca's trust of Touraine. This is all very Shakespearean, full of hard choices, sudden reversals, miscommunication, and a very deep conflict between Luca's realpolitik and Touraine's stubborn personal morality. If this is what you were reading the series for, if you were hoping for a maximum-drama sapphic relationship, you may thoroughly enjoy this. I thought it had its moments, but I wish they had been balanced by more moments of cool-headed practicality and creative political ingenuity.

My biggest frustration with this ending is that the characters largely stop doing politics. The political complexity was the strength of both The Unbroken and The Faithless: People who intensely dislike each other negotiate because there is something larger to be gained, personal decisions made without considering the political ramifications have costs, and multiple characters are trying hard to find a way to turn a nasty, exploitative world into something better without simply killing everyone who disagrees. Many of the characters were objectively bad at politics, inexperienced and immature, but they stumbled or dragged or fought their way into political solutions anyway. I thought Clark moved too far away from that in The Sovereign. Everyone goes deep into their own emotions and desire for vengeance or conquest or revolution and stops compromising. To a depressingly large extent, the story is resolved by killing everyone who disagrees. I think the story is poorer for it.

One of the other threads of the series is Balladairan magic, or rather its odd absence. Luca has one understanding of it, the rebels introduced in The Faithless have a different understanding of it, and its pursuit is set up as critical to resolving the threat of a plague. We do get an explanation of sorts, but it's not as complete or as satisfying as I was hoping, and the symbolism of Balladaire's missing magic is left frustratingly murky. For me, this has some of the same problems as the political conclusion: I wanted an intellectual catharsis alongside the emotional catharsis, but that was not the direction Clark was taking the story.

I like reading about these characters. All of Luca, Touraine, and Pruett are complex, comprehensible, flawed, and often intriguing. But my favorite character in the story, the person I latched on to as an emotional path through the story, was Sabine. Her refreshingly straightforward loyalty and lack of drama was a breath of fresh air. She has some great moments in this book, but there too I got wrong-footed by the direction Clark went with her arc and found its conclusion deeply unsatisfying.

I'm not sure how many of these complaints are because of missed opportunities in the novel, how many were due to a mismatch of taste, and how many were due to not being in the right mood to read this conclusion. I'm sure that it didn't help that I read this simultaneous with another novel in which the characters were always miserable, or that I read it in early 2026 with, uh, all that entails. I suspect that if you came away from the first two books invested in the messy romance and wanting MOAR DRAMA, you may get exactly what you were hoping for. That, sadly, was not what I was hoping for.

I can't really recommend this. I thought it dragged in places and didn't deliver the ending I wanted. But it has some great moments, it does wrap up the threads of the trilogy as advertised, and at least the romance gets a dramatic climax worthy of the tension that has been built through the previous books. If that matches what you were enjoying in the previous books, you may well enjoy this more than I did.

Rating: 5 out of 10

29 March, 2026 04:51AM

March 28, 2026

hackergotchi for Evgeni Golov

Evgeni Golov

Converting Dovecot password schemes on the fly without (too much) cursing

I finally upgraded my mail server to Debian 13 and, as expected, the Dovecot part was quite a ride.

The configuration syntax changed between Dovecot 2.3 (Debian 12) and Dovecot 2.4 (Debian 13), so I started first with diffing my configuration against a vanilla Debian 12 one (this setup is slightly old) and then applied the same (logical) changes to a vanilla Debian 13 one. This mostly went well. Mostly because my user database is stored in SQL and while the Dovecot Configuration Upgrader says it can convert old dovecot-auth-sql.conf.ext files to the new syntax, it only does so for the structure, not the SQL queries themselves. While I don't expect it to be able to parse the queries and adopt them correctly, at least a hint that the field names in userdb changed and might require adjustment would've been cool.

Once I got that all sorted, Dovecot would still refuse to let me in:

Error: sql: Invalid password in passdb: Weak password scheme 'MD5-CRYPT' used and refused

Yeah, right. Did I mention that this setup is old?

The quick cure against this is a auth_allow_weak_schemes = yes in /etc/dovecot/conf.d/10-auth.conf, but long term I really should upgrade the password hashes in the database to something more modern.

And this is what this post is about.

My database only contains hashed (and salted) passwords, so I can't just update them without changing the password. And while there are only 9 users in total, I wanted to play nice and professional. (LOL)

There is a Converting Password Schemes howto in the Dovecot documentation, but it uses a rather odd looking PHP script, wrapped in a shell script which leaks the plaintext password to the process list, and I really didn't want to remember how to write PHP to complete this task.

Luckily, I know Python.

The general idea is:

  • As we're using plaintext authentication (auth_mechanisms = plain login), the plaintext password is available during login.
  • After Dovecot's imap-login has verified the password against the old (insecure) hash in the database, we can execute a post-login script, which will connect to the database and update it with a new hash of the plaintext password.

To make the plaintext password available to the post-login script, we add '%{password}' as userdb_plain_pass to the SELECT statement of our passdb query. The original howto also says to add a prefetch userdb, which we do. The sql userdb remains, as otherwise Postfix can't use Dovecot to deliver mail.

Now comes the interesting part. We need to write a script that is executed by Dovecot's script-login and that will update the database for us. Thanks to Python's passlib and mysqlclient, the database and hashing parts are relatively straight forward:

#!/usr/bin/env python3

import os

import MySQLdb
import passlib.hash

DB_SETTINGS = {"host": "127.0.0.1", "user": "user", "password": "password", "database": "mail"}
SELECT_QUERY = "SELECT password_enc FROM mail_users WHERE username=%(username)s"
UPDATE_QUERY = "UPDATE mail_users SET password_enc=%(pwhash)s WHERE username=%(username)s"

SCHEME = "bcrypt"
EXPECTED_PREFIX = "$2b$"


def main():
    # https://doc.dovecot.org/2.4.3/core/config/post_login_scripting.html
    # https://doc.dovecot.org/2.4.3/howto/convert_password_schemes.html
    user = os.environ.get("USER")

    plain_pass = os.environ.get("PLAIN_PASS")
    if plain_pass is not None:
        db = MySQLdb.connect(**DB_SETTINGS)
        cursor = db.cursor()
        cursor.execute(SELECT_QUERY, {"username": user})
        result = cursor.fetchone()
        current_pwhash = result[0]

        if not current_pwhash.startswith(EXPECTED_PREFIX):
            hash_module = getattr(passlib.hash, SCHEME)
            pwhash = hash_module.hash(plain_pass)
            data = {"pwhash": pwhash, "username": user}
            cursor.execute(UPDATE_QUERY, data)
        cursor.close()
        db.close()


if __name__ == "__main__":
    main()

But if we add that as executable = script-login /etc/dovecot/dpsu.py to our imap-postlogin service, as the howto suggests, the users won't be able to login anymore:

Error: Post-login script denied access to user

WAT?

Remember that shell script I wanted to avoid? It ends with exec "$@".

Turns out the script-login "API" is rather interesting. It's not "pass in a list of scripts to call and I'll call all of them". It's "pass a list of scripts, I'll execv the first item and pass the rest as args, and every item is expected to execv the next one again". 🤯

With that (cursed) knowledge, the script becomes:

#!/usr/bin/env python3

import os
import sys

import MySQLdb
import passlib.hash

DB_SETTINGS = {"host": "127.0.0.1", "user": "user", "password": "password", "database": "mail"}
SELECT_QUERY = "SELECT password_enc FROM mail_users WHERE username=%(username)s"
UPDATE_QUERY = "UPDATE mail_users SET password_enc=%(pwhash)s WHERE username=%(username)s"

SCHEME = "bcrypt"
EXPECTED_PREFIX = "$2b$"


def main():
    # https://doc.dovecot.org/2.4.3/core/config/post_login_scripting.html
    # https://doc.dovecot.org/2.4.3/howto/convert_password_schemes.html
    user = os.environ.get("USER")

    plain_pass = os.environ.get("PLAIN_PASS")
    if plain_pass is not None:
        db = MySQLdb.connect(**DB_SETTINGS)
        cursor = db.cursor()
        cursor.execute(SELECT_QUERY, {"username": user})
        result = cursor.fetchone()
        current_pwhash = result[0]

        if not current_pwhash.startswith(EXPECTED_PREFIX):
            hash_module = getattr(passlib.hash, SCHEME)
            pwhash = hash_module.hash(plain_pass)
            data = {"pwhash": pwhash, "username": user}
            cursor.execute(UPDATE_QUERY, data)
        cursor.close()
        db.close()

    os.execv(sys.argv[1], sys.argv[1:])


if __name__ == "__main__":
    main()

And the passwords are getting gradually updated as the users log in. Once all are updated, we can remove the post-login script and drop the auth_allow_weak_schemes = yes.

28 March, 2026 10:11PM by evgeni

Russell Coker

Communication and Hostile AIs

We seem to be entering an “AI” apocalypse of sorts, they aren’t going to kill us or even take our jobs. What they are doing is destroying the Internet commons by filling it with rubbish. This isn’t even real AI, just pattern matching and prediction systems, mostly LLMs.

The Problem

Scott Shambaugh’s saga of being attacked and defamed by an OpenClaw AI bot is interesting and raises some disturbing possibilities for future online discussion [1]. Imagine what it would be like if everyone who was in any way notable for free software work had 100 such bots going after them.

Dania Dumas wrote an insightful blog post about why OpenClaw is impossible to secure and why it won’t go away [2].

Bruce Schneier and Nathan E. Sanders wrote an insightful article about the AI generated text arms race [3] primarily concentrating on situations in which text that was assumed to be written by humans but was actually written in bulk by bots was performing a DOS attack on people who were reviewing it. There are many situations such as book publishing and publishing letters to the editor of newspapers where getting new material from unknown people is an important part of the job but where there are also people making low quality submissions that are almost a DOS attack at the best of times.

Currently the email spam problem continues to get worse and when LLM use increases it will get significantly worse. Email encryption isn’t viable [4]. The PGP web of trust never really worked well as it’s too difficult for most users.

The amount of “AI” generated content that’s being recommended to users on platforms like YouTube and Facebook is steadily increasing and the amount of LLM generated commentary that purports to be from real people on Twitter and Facebook is also increasing. Here’s an informative blog post by Erich Schubert about this [5].

Potential Solutions

Surrender?

One option and possibly the default option is to surrender to this and just let everything we built on the Internet over decades get destroyed. Whether to surrender is a decision that can be made on a per-service basis.

Twitter is pretty much useless anyway, I quit Twitter because Elon deliberately made it suck [6]. In my opinion this is not surrendering to what’s being done there, I’m just stopping wasting time on it and using better options. I used to have about 300 followers on Twitter and I don’t think that many of them would ever choose to stop following me, so I presume that about 1/3 of the people following me have decided to totally quit Twitter and delete their accounts. I also presume that some of the remainder have done the same as me and just kept a mostly inactive account. If Elon suddenly stopped being a stupid asshole it probably wouldn’t change anything as the value of the system was connections to others. Some people will consider my abandonment of Twitter as surrender and I accept that it’s not an unreasonable opinion. I think that the possibly 100 Twitter followers of mine who deleted their accounts surrendered.

Facebook has been becoming a worse service, it’s business model is becoming increasingly exploitative and it’s interface is designed to be addictive. It’s probably best avoided unless you really need it. The only good thing about Facebook at the moment is that Facebook Marketplace doesn’t take a cut on sales and there are some really good deals on computers if you know what to look for. Unfortunately Facebook has a large number of users who are from marginalised communities and have no other alternatives for communication. It would be good to get them migrated to other platforms.

We could just give up on a lot of general communications services and have everyone accept that good content is drowned out by rubbish and have the Internet become divided between people who accept the rubbish and those who cease using large portions of the Internet environment to avoid it.

Using Non Commercial Services

Lemmy is a good FOSS federated alternative to Reddit which also covers some of the uses of Facebook. It needs more users to get critical mass but is still quite usable. A post that might get a dozen comments on Reddit may get 1 comment on Lemmy but that one comment will be a good one. Reddit doesn’t appear to be attacked much by LLM generated content at least not yet. Even if the Reddit model proves to be resilient to LLM attack the Lemmy software can be used to replace some things that are done on Facebook,

Mastodon is a good FOSS federated replacement for Twitter, it has a decent user-base including some VIPs. While it is aimed at the Twitter use case it can also cover a significant part of the Facebook use case.

There are some other FOSS social media programs which could take over other parts of the commercial social media environment.

Generally commercially run Internet services will have a financial incentive to allow the problems to get worse so we need to rely on FOSS software, non-commercial implementations, and government services.

Web Search

For a long time Google has had a monopoly on web search, but now they default to including an “AI Overview” at the start of the results which is sometimes useful but also sometimes very wrong. You can use the search URL “https://www.google.com/search?q=%s&udm=web” to get google results without rubbish. But I presume that they will break that if it gets too popular.

Searxng is a AGPL licensed metasearch engine that aggregates results from other engines, here’s the Searxng source [7] and here’s a list of Searxng instances if you want to try one [8].

Even using meta search engines like Searxng won’t help if the original data is overloaded with spam, but alleviating the problem is a good temporary measure.

Web of Trust for the Web?

I’ve idly considered the possibility of having some sort of rating system for web pages that uses a web of trust so that you can securely use trust ratings of friends of friends etc. But given all the difficulties in using a web of trust for signing GPG key for software developers (the demographic that is most skilled at doing such things) it doesn’t seem viable.

Should we surrender the idea of having a usable public web?

In the early days of the web (before Google) it was standard practice to rely on recommendations from other people or from trusted sites to find other sites, that could be considered to be an informal web of trust. We could go back to that sort of usage pattern if Google and many of the big sites get overwhelmed by LLM generated spam.

Wikipedia

I believe that Wikipedia will be at the front lines of this battle. It’s model has always included anonymous contributions. Benjamin Mako Hill wrote an interesting blog post about research he did with Kaylea Champion into Wikipedia pages on taboo topics which have a larger portion of contributors choosing to be anonymous than non-taboo pages [9]. Wikipedia also has a long history of being abused for various reasons, one that I witnessed was someone putting false content into Wikipedia pages to immediately cite them in support of their facebook arguments. That sort of thing can be dealt with at human scale but a large scale attack by bots is a different problem to solve. Also with the recent developments in AI developing multiple web sites entirely populated for the purpose of supporting one fake entry in Wikipedia is plausible.

The upside of these attacks that I predict is that they will attract the attention of all the people who have skills related to developing counter-measures. While LLM bots are filling the inboxes of publishers with rubbish and messing up the stackoverflow comments section not a lot of people are bothered, but once the attacks on Wikipedia get serious everyone will take notice.

National AI

Bruce Schneier and Nathan E. Sanders wrote an interesting blog post about nationalised public AI [10]. While that won’t directly address this issue it will get the right technology in the hands of people who can use it in the right way.

Conclusion

This is going to be a difficult problem to solve, more difficult than the email spam problem we have been unable to solve after 30 years of working on it.

This is also a very important problem, we are currently in an age where we have access to information that most people couldn’t even dream of 30 years ago. We also have disinformation that combines some of the worst aspects of authoritarian regimes throughout history combined with the worst aspects of cult brainwashing. If we lose access to the information but the disinformation remains (or get worse) then the result will be terrible.

I don’t have great ideas for solving this. I have outlined some small ideas to mitigate things and I hope that others can expand on them.

Please write comments with any good ideas you have, or even ideas that don’t totally suck. A problem this difficult is not going to be solved in a blog comment, but a blog comment might point in the right direction.

Related posts:

  1. Communication Shutdown and Autism The AEIOU Foundation The AEIOU Foundation [1] is a support...
  2. The Death of Twitter At the end of last year I uninstalled the Twitter...
  3. Hostile Web Sites I was asked whether it would be safe to open...

28 March, 2026 03:08PM by etbe

March 27, 2026

hackergotchi for Jonathan Dowland

Jonathan Dowland

Digital gardening

I was reading a post on Alex Chan's website1 that referenced the concept of digital gardens, a concept/analogy for organising information which dates back to the 90s. This old concept is getting new traction today by contrasting the approach with "endless stream" as used and abused by social media, but also how blogs are typically presented.

This site, my homepage, has a blog, and that's the bit that most people who interact with the site will experience. Partly, because it's the bit that gets syndicated out: via feeds; on Planet Debian and downstream from it; once upon a time on Twitter; nowadays on the Fediverse.

However there's more to my homepage than that. The rest of it may be of little interest to anyone beside me, but it's useful to me, at least. So I may switch focus a little bit from mainly writing blog posts, and tend to the rest of the garden a bit more.

Some recent seeding and pruning: Recently my guest status at Newcastle University came up for renewal, so I wrote down my goals in the Historic Computing Committee for the next year or so, and put them here: nuhcc. I've also been pondering what I'm up to in Debian at the moment, so took some time to add my current projects to that page.

  1. I'm reminded that I should really publish a "blog roll" of cool blogs I'm following at the moment, of which Alex Chan's is one.

27 March, 2026 10:05PM

hackergotchi for Bits from Debian

Bits from Debian

New Debian Developers and Maintainers (January and February 2026)

The following contributors got their Debian Developer accounts in the last two months:

  • Jongmin Kim (jmkim)
  • Yifei Zhan (yifei)
  • Sébastien Noel (twolife)

The following contributors were added as Debian Maintainers in the last two months:

  • Andreas Dolp
  • Dandan Zhang
  • M Hickford

Congratulations!

27 March, 2026 10:00PM by Jean-Pierre Giraud

Arturo Borrero González

New job at Chainguard

Chainguard logo

A few months ago, in June 2025, I joined Chainguard, a company focused on software supply chain security. This post is a reflection on how I got here, what I’ve been doing, and why this role feels like a natural fit for my interests in Linux and open source technology.

The company and its mission

Chainguard’s mission is to make the software supply chain secure by default. The company is built around the idea that the software we all depend on — from operating system packages to container base images — carries hidden risk in the form of vulnerabilities, unverified provenance, and untrusted build processes.

The company is perhaps best known for Chainguard Images: a catalog of minimal, hardened container base images that are continuously rebuilt and kept free of known CVEs. Each image is accompanied by a signed SBOM (Software Bill of Materials) and a verifiable provenance attestation, making it possible to cryptographically verify what went into a given image and how it was built.

Chainguard has an extensive catalog of software, and maintaining it up-to-date and CVE-free is a significant engineering challenge.

What I do

I joined the Chainguard Sustaining Engineering team as a Senior Software Engineer. We are responsible for maintaining packages and images in the software catalog up-to-date and CVE-free. The core of the business, basically.

We focus on the horizontal dimension of the catalog (pretty much all packages and images).

With +30,000 packages and +2,000 images, this is indeed an interesting task.

My role as Debian Developer, and my experiencie in the Debian LTS project was extremely valuable when joning this new team.

Looking ahead

Software supply chain is truly a deep topic, gaining more and more relevance every day, especially as new technologies emerge and get adopted everywhere.

Since early in my career, I saw a recurrent problem of how companies, enterprises, or even governments, relate to and consume open source software, in a reliable, secure way. I believe Chainguard is doing the right things in the ecosystem, and I’m happy to be participating in the effort.

27 March, 2026 08:00AM

March 25, 2026

Russell Coker

The Death of Twitter

At the end of last year I uninstalled the Twitter app on my phone.

In the past Twitter used to be very useful for providing feedback to large organisations. I had responses from supermarkets, chain restaurants, online stores, major computer companies, and even the IT department of a court. In recent times I have had less responses from corporations which significantly reduces the value of Twitter to me and to many other users. It seems that Elon’s management style has discouraged not only advertising but also all forms of corporate interaction. Messing up the check mark on accounts to make it harder to work out which is a real corporate

Since Elon bought it Twitter has been increasingly pushing conservative Tweets and has done little to stop bot accounts. The incidence of useful discussions has steadily decreased. I know people who have quit Twitter entirely due to opposition to Elon, I am not doing that. I finally decided to stop using Twitter in any serious way when the notifications on my phone about popular Tweets started only being about Tweets from conservative influencers and Elon. This was obviously not any algorithm based on Tweets I was liking, it was based on political decisions. I didn’t uninstall the app due to political disagreement, I uninstalled it because it was through deliberate design promoting material that any algorithm would know was something I wouldn’t either like or “like”.

I still announce new blog posts on Twitter for my 198 followers at the same time as announcing them on Mastodon and Facebook. I get the most reactions to such announcements on Mastodon, the second most on Facebook, and hardly any on Twitter. I’m wondering how long it will be worth announcing blog posts on Twitter or whether I should stop now.

I am sure that many other people are making similar decisions and this is going to affect Twitter overall.

The web site www.russellcoker.com has information on all the ways of following me.

Related posts:

  1. Elon and Free Speech Elon Musk has made the news for spending billions to...
  2. Web Hosting After Death Steve Kemp writes about his concerns for what happens to...
  3. the death penalty I have just read the news about Saddam finally receiving...

25 March, 2026 05:21AM by etbe

John Goerzen

Artificial Intelligence: Shades of Gray

AI sure is a hot topic right now, and I see a lot of people arguing about it. To a lot of people around here, I’m the “computer person” they know and I get asked a lot about AI.

I’m going to suggest a lot of things can be true at once. For instance:

  • LLMs are changing how we work and will continue to do so.
  • LLMs are vastly over-hyped by vested interests, and may be in a bubble.

Or how about:

  • Huge investment in GenAI is having many negative consequences, ranging from environmental to causing affordability problems in many industries that use hardware (ie, everywhere)
  • Useful results can be had from models that run on local hardware, even battery-powered hardware, which may have negligible harm or even some benefit

And:

  • GenAI is further concentrating wealth and power in megacorps, with the effect of squeezing out the smaller players even more.
  • GenAI is lowering the cost of entry for people without a lot of resources already.

I have sympathy for the naysayers; those that say it’s nothing but a stochastic parrot. But I don’t have a lot of sympathy for the naysayers that deny ever using it; you can’t form a credible argument against something without having an understanding of it informed by experience.

I also have sympathy for the cheerleaders. I have seen some impressive things from AI; for instance, a story from an engineer who has a child with a rare disease without a credible cure. The engineer did a lot of research on it, started feeding research papers into AI to analyze, and the AI started finding correlations between different areas of research that humans hadn’t yet found — leading to a positive result for the child.

To be fair, I have rarely seen an AI deliver a 100% correct answer on anything with any real level of complexity. I have seen it both waste more time than it saves, and save a ton of time.

My point here is: It is neither always fantastic nor always terrible.

Let me talk you through an example.

I am a fan of inbox zero for email. That is, the inbox should be empty. Unfortunately, mine has 8000 messages in it. According to the oldest messages in my inbox, I last had inbox zero 8 years ago. But really, only a handful are older than 2020. I guess something must have happened that year…

I’ve been chipping away at this for quite some time now. The problem is, there are certain emails in there that really do still need some action – maybe it’s photos to save off into our photo collection, for instance. But when looking at things sorted by date or thread, there are old shipping confirmations next to phishing attempts and family photos. One can’t just scan down the list.

I’ve tried all the usual tricks, most of which involve selecting groups of message that are easy to bulk erase, or at least easy to scan visually for the occasional thing worth saving. Sort by sender or subject line, for instance. Then I can, for instance, delete all the old messages from the shopping sites I commonly use all at once. But then they start using different senders and different subject lines and that doesn’t get all of them. I’ve tried keyword searches for this sort of thing too. Still, that got me down to about 8000 messages.

So I thought: why not see if an LLM could help me classify these? Maybe it could categorize them, and then I could look at emails grouped by category.

I have one machine with a discrete GPU, an Nvidia RTX 4070. It’s a desktop machine I don’t use all that often. But I set up Ollama on it, running in a Docker container. Ollama runs models locally.

I should also mention at this point that we are solar-powered, and this time of year is a time of peak production of excess solar, because it is sunny and not much heat or AC is required. So that machine is solar-powered and isn’t causing environmental harm. In any case, charging the EV uses much more power than that GPU.

I figured I would do this in two passes. First, ask the LLM to classify each message (or a sampling of them would probably work too), letting it pick its own categories for each. Then, look at the patterns that emerge and give it a single, much smaller, set of broad categories to use and rerun it over that.

Then I can easily select messages from my Maildirs by category and process them in bulk.

I used open-interpreter pointing to that GPU on my network to help me write the scripts for this. It didn’t get things right on its own; for instance, it didn’t call the Ollama API correctly, and insisted on appending “/cur” to the path to the Maildir (which was not going to fly with Python’s maildir module). It took roughly an hour to classify those 8000 messages (or, as I had it do, the first 2000 characters of them), and then the same to do it a second time. I had it output lines in the form of “filename\tcategory” and hand-wrote the shell script that processed those.

In the end, was it useful? Yes, quite. Its classifications weren’t perfect (and it didn’t even follow my prompt perfectly; sometimes it would give me a long discussion on why it picked a certain category rather than just that category, and occasionally it picked categories not on the list). But then, neither were my manual keyword searches. So far I’ve gotten rid of nearly 1000 more messages. Several categories were a “visual scan for sanity and then delete all” sort of thing.

My emails never left my network. I didn’t rely on a cloud AI to process them. I didn’t contribute to global warming (this may have even been a case of saving energy, since it no doubt will offset quite a bit of manual time that would keep screens and room lights energized and so forth). I used about as much energy as watching a movie on a TV.

Did it complete the task for me entirely autonomously? Also no. AI isn’t a mind reader and it can’t possibly evaluate exactly what my thought process would be for a given task. But it can do a decent enough job to save me some time.

Still, this didn’t require hyperscaler datacenters. AI even runs on-phone (Google Translate being one of the most useful AI-driven apps I’ve ever seen, and it can run on-device).

25 March, 2026 04:12AM by John Goerzen

March 24, 2026

Russ Allbery

Review: A Shadow in Summer

Review: A Shadow in Summer, by Daniel Abraham

Series: Long Price Quartet #1
Publisher: Tor
Copyright: March 2006
ISBN: 0-7653-1340-5
Format: Hardcover
Pages: 331

A Shadow in Summer is a high fantasy novel, the first of (as the name implies) a completed four-book series. Daniel Abraham is perhaps better known as half of the writing pair behind James S.A. Corey, author of the Expanse series. This was his first novel.

Otah was the sixth son of a Khai, sent like many of the unwanted later children of the powerful to learn the secrets of the andat and be trained as a poet. He learned his lessons well enough to reject the school and its teachings and walk away.

Amat Kyaan has worked her way up from nothing to become the senior overseer of the foreign Galtic House Wilsin in the sun-drenched port city of Saraykeht. Liat is her apprentice, distracted by young love. Maati is a new apprentice poet, having endured his training and sent to learn from Heshai how to eventually hold the andat Removing-The-Part-That-Continues, better known as Seedless. None of them know they will find themselves entangled in a plot to destroy the poet of Saraykeht and, through him, the city's most potent economic tool.

A poet in this world is not what we would think of a poet. They are, in essence, magical slave-drivers who capture the essence of an andat, a spirit embodying an idea that is coerced into the prison of volition and obedience by the poet. The andat Seedless, the embodiment of the concept of removing the spark of life, is central to the economic wealth of Saraykeht in a way that is startling in its simplicity: Seedless can remove the seeds from a warehouse full of cotton at a thought. This gives Saraykeht a massive productivity advantage in the cotton trade.

Seedless is also a powerful potential weapon. What he can do to cotton, he could as easily do to any other crop, or to people. The Galts are not fond of the independence and power of Saraykeht, but as long as the city controls a powerful andat, they do not dare to attack it directly. Indirectly, though... that's another matter.

This is one of those fantasy novels with meticulous and thoughtful world-building, careful and evocative prose, and a complex ensemble cast of interesting characters that the novel then attempts to make utterly miserable and complicit in their own misery. There should be a name for this style of writing. It's not tragedy because the ending is not tragic, precisely. It's not magic realism; the andats are openly magical, which makes this clearly high fantasy. But Abraham approaches the story from the type of realist frame that considers the pain and desperation of the characters to be more interesting than their ability to overcome challenges.

Amat starts the story as an admirable, sharp-witted expert manager, so her life is destroyed and she's subjected to sexual violence. Heshai loathes himself and veers between a tragic figure and a wastrel as the story systematically undermines opportunities for redemption. Maati is young and idealistic, so of course every character in the book sets out to crush his idealism under the weight of unforeseen consequences. There is a sad and depressing love triangle, because this is exactly the sort of book that has a sad and depressing love triangle. At the end of the novel, everyone who survives is older and wiser in the sense that some stories seem to think wisdom comes from the accumulation of trauma.

I find books like this so immensely frustrating because their merits are so clear. The world-building is careful and detailed in a way that includes economic systems, unlike so much fantasy. It is full of small, intriguing touches, such as the use of posture and gesture to communicate the emotional valence of one's words. Abraham understands the moral implications of poets and andats and the story tackles them head-on. The writing flows beautifully and gave me a strong sense of the city. I wanted to like this book for the obvious skill that went into it, and sometimes I even managed.

And yet, it's taken me three months to finish A Shadow in Summer because I simply do not want to spend this much time around miserable people. I would get through one or two chapters in a night and then wanted to read something happy or defiant or heroic, rather than watching slow-motion train wrecks intermixed with desperate attempts to navigate stifling layers of immoral systems. It's not that the story lacks a moral compass. The characters are sincerely trying to make the world a better place, with some success. It even delivers a happy ending of sorts. But so much of the journey was watching the lives of the characters fall apart.

I am completely unsurprised that some people loved this book. I'm still intrigued enough by the world-building that I'm half-tempted to try to read the sequel even after having to drag myself through this one. I had a similar reaction to Abraham's The Dragon's Path, though, so I think Abraham is just not for me. I may get back to the Expanse at some point, but having to drag myself through both of his solo novels I've tried, in two different series, probably indicates an incompatibility between author and reader. That's a shame, given the quality of the writing.

Followed by A Betrayal in Winter.

Content notes: Sexual and reproductive violence as significant plot elements.

Rating: 6 out of 10

24 March, 2026 04:40AM

March 23, 2026

hackergotchi for Marco d'Itri

Marco d'Itri

systemd has not implemented age verification

This needs to be clear: systemd is under attack by a trolling campaign orchestrated by fascist elements. Nobody is forced to like or use systemd, but anybody who wants to pick a side should know the facts.

Recently, the free software Nazi bar crowd styling themselves as "concerned citizens" has tried to start a moral panic by saying that systemd is implementing age verification checks or that somehow it will require providing personally identifiable information.

This is a lie: the facts are simply that the systemd users database has gained an optional "date of birth" field, which the desktop environments may use or not as they deem appropriate. Of course there is no "identity verification" or requirements to provide any data, which in any case would not be shared beyond authorized local applications.

While the multiple recent bills proposing that general purpose operating systems implement age verification mechanisms are often concerning, both from a social and technical point of view, this is not the topic being discussed here. They are often suboptimal, but for a long time I have been opposing attempts to implement parental control at the network level and argued that it should be managed locally, by parents on their own machines: I cannot see why I should outright reject an attempt to implement the infrastructure to do that.

If we want to keep age-appropriate controls out of the hands of centralized authorities, the alternative is giving families the means to manage it themselves: this is what this field enables. Whether desktop environments use it for parental controls, for birthday reminders, or for nothing at all, is their users' decision.

By the way, the original UNIX users database has allowed storing PII in the GECOS field since it was invented in the '70s. Similar fields are also specified by many popular LDAP schemes: adding such an optional field is consistent with the UNIX tradition.

And while we are at it, let's also refute the other smear campaign started by the same people: the systemd project is not accepting "AI slop". What happened is that a documentation file for the benefit of coding agents was added to the repository. To be clear: agents still cannot submit merge requests. The file itself remarks that all contributions must be reviewed in detail by humans, and this is basically the same policy used by the Linux kernel.

23 March, 2026 03:47PM

hackergotchi for Benjamin Mako Hill

Benjamin Mako Hill

How taboo shapes knowledge production on Wikipedia

Note: I have not published blog posts about my academic papers over the past few years. To ensure that my blog contains a more comprehensive record of my published papers and to surface them for folks who missed them, I will periodically (re) publish blog posts about some “older” published projects. This post draws material from a previously published post by Kaylea Champion on the Community Data Science Blog.

Taboo subjects—such as sexuality and mental health—are as important to discuss as they are difficult to raise in conversation. Although many people turn to online resources for information on taboo subjects, censorship and low-quality information are common in search results. In two papers I recently published at CSCW—both led by Kaylea Champion—we presented a series of analyses showing how taboo shapes the process of collaborative knowledge building on English Wikipedia.

The first study is a quantitative analysis showing that articles on taboo subjects are much more popular and are the subject of more vandalism than articles on non-taboo topics. In surprising news, we also found that they were edited more often and were of higher quality!

Short video of Kaylea’s presentation of the work given at Wikimania in August 2023.

The first challenge we faced in conducting this work was identifying taboo articles. Kaylea had a brilliant idea for a new computational approach to doing so without relying on our individual intuitions about what qualifies as taboo (something we understood would be highly specific to our own culture, class, etc). Her approach was to make use of an insight from linguistics: people develop euphemisms as ways to talk about taboos (i.e., think about all the euphemisms we’ve devised for death, or sex, or menstruation, or mental health).

We used this insight to build a new machine-learning classifier based on English Wiktionary definitions. If a ‘sense’ of a word was tagged as euphemistic, we treated the words in the definition as indicators of taboo. The end result was a series of words and phrases that most powerfully differentiate taboo from non-taboo. We then did a simple match between those words and phrases and the titles of Wikipedia articles. The topics were taboo enough that we were a little uncomfortable discussing them in our meetings! We built a comparison sample of articles whose titles are words that, like our taboo articles, appear in Wiktionary definitions.

In the first paper, we used this new dataset to test a series of hypotheses about how taboo shapes collaborative production in Wikipedia. Our initial hypotheses were based on the idea that taboo information is often in high demand but that Wikipedians might be reluctant to associate their names (or usernames) with taboo topics. The result, we argued, would be articles that were in high demand but of low quality.

We found that taboo articles are thriving on Wikipedia! In summary, we found that in comparison to non-taboo articles:

  • Taboo articles are more popular (as expected).
  • Taboo articles receive more contributions (contrary to expectations).
  • Taboo articles receive more low-quality contributions (as expected).
  • Taboo articles are higher quality (contrary to expectations).
  • Taboo article contributors are more likely to contribute without an account (as expected), and have less experience (as expected), but that accountholders are more likely to make themselves more identifiable by having a user page, disclosing their gender, and making themselves emailable (all three of these are contrary to expectation!).
Image of the estimated qualiy of articles of the four articles in the second mixed-methods paper. Extreme dips reflect periods of frequent vandalism.

Kaylea attempted to understand these somewhat confusing results by designing a fantastic mixed-methods analysis that sought to unpack some of the nuance missing in the quantitative analysis by delving deep into the “life histories” of four articles on English Wikipedia: two on taboo topics related to women’s anatomy (Clitoris and Menstration) and two nontaboo articles chosen for comparison (Cell membrance and Philip Pullman).

Although the findings from the analysis can be difficult to summarize succinctly (as with many qualitative studies), we showed how the taboo example articles’ success was hard-won amid real challenges and attacks. The paper describes how challenges were overcome through resilient leadership, often provided by a single dedicated individual. The paper provides a template for how taboo can be—and frequently is—overcome by dedicated Wikipedians in ways that provide useful knowledge resources in real demand.

For more details, visualizations, statistics, and more, we hope you’ll take a look at our papers, both linked below.

The full citation for the papers are: (1) Champion, Kaylea, and Benjamin Mako Hill. 2023. “Taboo and Collaborative Knowledge Production: Evidence from Wikipedia.” Proceedings of the ACM on Human-Computer Interaction 7 (CSCW2): 299:1-299:25. https://doi.org/10.1145/3610090. (2) Champion, Kaylea, and Benjamin Mako Hill. 2024. “Life Histories of Taboo Knowledge Artifacts.” Proceedings of the ACM: Human-Computer Interaction 8 (CSCW2): 505:1-505:32. https://doi.org/10.1145/3687044.

We have also released replication materials for the paper, including all the data and code used to conduct the analyses.

This blog post and the paper it describes are collaborative work by Kaylea Champion and Benjamin Mako Hill.

23 March, 2026 09:33AM by Benjamin Mako Hill

March 22, 2026

Vincent Bernat

Calculate “1/(40rods/hogshead) to L/100km” from your Zsh prompt

I often need a quick calculation or a unit conversion. Rather than reaching for a separate tool, a few lines of Zsh configuration turn = into a calculator. Typing = 660km / (2/3)c * 2 -> ms gives me 6.60457 ms1 without leaving my terminal, thanks to the Zsh line editor.

The equal alias

The main idea looks simple: define = as an alias to a calculator command. I prefer Numbat, a scientific calculator that supports unit conversions. Qalculate is a close second.2 If neither is available, we fall back to Zsh’s built-in zcalc module.

As the alias built-in uses = as a separator for name and value, we need to alter the aliases associative array:

if (( $+commands[numbat] )); then
  aliases[=]='numbat -e'
elif (( $+commands[qalc] )); then
  aliases[=]='qalc'
else
  autoload -Uz zcalc
  aliases[=]='zcalc -f -e'
fi

With this in place, = 847/11 becomes numbat -e 847/11.

The quoting problem

The first problem surfaces quickly. Typing = 5 * 3 fails: Zsh expands the * character as a glob pattern before passing it to the calculator. The same issue applies to other characters that Zsh treats specially, such as > or |. You must quote the expression:

$ = '5 * 3'
15

We fix this by hooking into the Zsh line editor to quote the expression before executing it.

Automatic quoting with ZLE

Zsh calls the line-finish widget before submitting a command. We hook a function that detects the = prefix and quotes the expression:

_vbe_calc_quote() {
  case $BUFFER in
    "="*)
      typeset -g _vbe_calc_expr=$BUFFER # not used yet
      BUFFER="= ${(q-)${${BUFFER#=}# }}"
      ;;
  esac
}
add-zle-hook-widget line-finish _vbe_calc_quote

When you type = 5 * 3 and press ↲, _vbe_calc_quote strips the = prefix, quotes the remainder with the (q-) parameter expansion flag, and rewrites the buffer to = '5 * 3' before Zsh submits the command. As a bonus, you can save a few keystrokes with =5*3! 🚀

You can now compute math expressions and convert units directly from your shell. Zsh automatically quotes your expressions:

$ = '1 + 2'
3
$ = 'pi/3 + pi |> cos'
-0.5
$ = '17 USD -> EUR'
14.7122 €
$ = '180*500mg -> g'
90 g
$ = '5 gigabytes / (2 minutes + 17 seconds) -> megabits/s'
291.971 Mbit/s
$ = 'now() -> tz("Asia/Tokyo")'
2026-03-22 22:00:03 JST (UTC +09), Asia/Tokyo
$ = '1 / (40 rods / hogshead) -> L / 100km'
118548 × 0.01 l/km
“That's the way I like it!� says Grampa Simpson
The metric system is the tool of the devil! My car gets forty rods to the hogshead, and that's the way I like it! ― Grampa Simpson, A Star Is Burns

Storing unquoted history

As is, Zsh records the quoted expression in history. You must unquote it before submitting it again. Otherwise, the ZLE widget quotes it a second time. Bart Schaefer provided a solution to store the original version:

_vbe_calc_history() {
  return ${+_vbe_calc_expr}
}
add-zsh-hook zshaddhistory _vbe_calc_history

_vbe_calc_preexec() {
  (( ${+_vbe_calc_expr} )) && print -s $_vbe_calc_expr
  unset _vbe_calc_expr
  return 0
}
add-zsh-hook preexec _vbe_calc_preexec

The zshaddhistory hook returns 1 if we are evaluating an expression, telling Zsh not to record the command. The preexec hook then adds the original, unquoted command with print -s.

The complete code is available in my zshrc. A common alternative is the noglob precommand modifier. If you stick with to instead of -> for unit conversion, it covers 90% of use cases. For a related Zsh line editor trick, see how I use auto-expanding aliases to fix common typos.

  1. This is the fastest a packet can travel back and forth between Paris and Marseille over optical fiber. ↩�

  2. Qalculate is less understanding with units. For example, it parses “Mbps� as megabarn per picosecond: ☢�

    $ numbat -e '5 MB/s -> Mbps'
40 Mbps
$ qalc 5 MB/s to Mbps
5 megabytes/second = 0.000005 B/ps

    ↩�

22 March, 2026 01:37PM by Vincent Bernat

March 21, 2026

hackergotchi for Jonathan Dowland

Jonathan Dowland

Ladytron

I saw Ladytron perform in Digital, Newcastle last night. The last time I saw them was, I think, at the same venue, 18 years ago. Time flies!

Photo of the trio performing on stage

Back in the day (perhaps their heyday, perhaps not!) Ladytron ploughed a particular sonic furrow and did it very well. Going into the gig I had set my expectations that, should they play just these hits, I'd have a good time.

The gig exceeded my expectations. The setlist very much did not lean into their best-known period: the more recent few albums were very well represented and to me this felt very confident. The lead singer, Helen Marnie, demonstrated some excellent range, particularly on some of the new songs. Daniel Hunt did a lot of backing vocals and they were really complementary to Helen's: underscoring but not overpowering. I enjoyed nerding out watching Mira Ayoro's excellent wrangling of her Korg MS-20. One highlight was an encore performance of Light & Magic, which was arguably the "alternate version" as available on the expanded versions of that album or the Remixed and Rare companion.

I thought I'd try to put together a 5-track playlist for a friend who attended the gig but isn't super familiar with them. As usual this is hard. I'm going to avoid the obvious hits, try to represent their whole career and try to ensure the current trio each get a vocal turn in the selection.

They actually released their latest album, Paradises, yesterday as well. One track from it is in the list below.

I'm Not Scared by Ladytron Kingdom Undersea by Ladytron Blue Jeans by Ladytron He took her to a movie by Ladytron Transparent Days by Ladytron

(If you can't see anything, the bandcamp embeds have been stripped out by whatever you are viewing this with)

21 March, 2026 10:18PM

hackergotchi for Steinar H. Gunderson

Steinar H. Gunderson

A286874(16) >= 48

Following up on the previous post, here are some heuristic results:

First, if restricting oneself to 5-uniform values (all values have exactly five bits set), the best 15-bit code one can make is indeed 42 elements, and there are two distinct solutions: {31, 227, 364, 692, 1240, 1577, 1606, 2353, 3008, 3205, 3338, 4434, 4746, 4869, 5536, 6182, 6217, 7696, 8582, 8984, 9266, 9537, 10324, 10408, 10755, 12433, 12896, 13324, 16777, 16977, 17186, 17684, 18578, 18956, 19552, 20536, 20676, 21507, 24613, 24650, 26240, 30976} and {31, 227, 364, 692, 849, 906, 1240, 2354, 3206, 3337, 3680, 4485, 5169, 5442, 5644, 6228, 6312, 6659, 8745, 9285, 9632, 9746, 10314, 10385, 11012, 12326, 12568, 12992, 16966, 17450, 17684, 18049, 18469, 18880, 18968, 20553, 20626, 21280, 24688, 24716, 24835, 31744}. This supports, but does not prove, the conjecture that A286874(15) = 42.

Second, A286874(16) >= 48 (the best previously known bound was 45), since this is a valid 48-element solution:

0000000000011111
0000000011100011
0000000101101100
0000001010110100
0000010011011000
0000011100000011
0000100100110001
0000101000101010
0000101111000000
0001000110001001
0001010000110010
0001011000001100
0001100100000110
0001110001000001
0010000110010010
0010010010000101
0010011001100000
0010100001010100
0010110100001000
0011000001001010
0011001000010001
0011100010100000
0100001001001001
0100010001000110
0100010110100000
0100100010001100
0100111000010000
0101000000100101
0101000101010000
0101001010000010
0110000000111000
0110001100000100
0110100000000011
1000001001010010
1000010000101001
1000010100010100
1000101000000101
1000110010000010
1001000011000100
1001001100100000
1001100000011000
1010000000100110
1010000101000001
1010001010001000
1100000010010001
1100000100001010
1100100001100000
1111010000000000

I won't be sweeping all of the 15- or 16-bit spaces.

21 March, 2026 03:19PM

hackergotchi for C.J. Adams-Collier

C.J. Adams-Collier

The WWW::Mechanize::Chrome Saga: A Comprehensive Narrative of PR #104

The
WWW::Mechanize::Chrome Saga: A Comprehensive Narrative of PR #104

This document synthesizes the extensive work performed from March
13th to March 20th, 2026, to harden, stabilize, and refactor the
WWW::Mechanize::Chrome library and its test suite. This
effort involved deep dives into asynchronous programming,
platform-specific bug hunting, and strategic architectural
decisions.

Part I:
The Quest for Cross-Platform Stability (March 13 – 16)

The initial phase of work focused on achieving a “green” test suite
across a variety of Linux distributions and preparing for a new release.
This involved significant hardening of the library to account for
different browser versions, OS-level security restrictions, and
filesystem differences.

Key Milestones &
Engineering Decisions:

  • Fedora & RHEL-family Success: A major effort
    was undertaken to achieve a 100% pass rate on modern Fedora 43 and
    CentOS Stream 10. This required several key engineering decisions to
    handle modern browser behavior:

    • Decision: Implement Asynchronous DOM Serialization
      Fallback.       Synchronous fallbacks in an async context are
      dangerous. To prevent Resource was not cached errors during
      saveResources, we implemented a fully asynchronous fallback
      in _saveResourceTree. By chaining
      _cached_document with DOM.getOuterHTML
      messages, we can reconstruct document content without blocking the event
      loop, even if Chromium has evicted the resource from its cache. This
      also proved resilient against Fedora’s security policies, which often
      block file:// access.
    • Decision: Truncate Filenames for Cross-Platform
      Safety.       To avoid File name too long errors,
      especially on Windows where the MAX_PATH limit is 260
      characters, filenameFromUrl was hardened. The filename
      truncation was reduced to a more conservative 150
      characters      , leaving ample headroom for deeply nested CI
      temporary directories. Logic was also added to preserve file extensions
      during truncation and to sanitize backslashes from URI paths.
    • Decision: Expand Browser Discovery Paths. To
      support RHEL-based systems out-of-the-box, the
      default_executable_names was expanded to include
      headless_shell and search paths were updated to include
      /usr/lib64/chromium-browser/.
    • Decision: Mitigate Race Conditions with Stabilization Waits
      and Resilient Fetching.       On fast systems,
      DOM.documentUpdated events could invalidate
      nodeIds immediately after navigation, causing XPath queries
      to fail with “Could not find node with given id”. A small stabilization
      sleep(0.25s) was added after page loads to ensure the DOM
      is settled. Furthermore, the asynchronous DOM fetching loop was hardened
      to gracefully handle these errors by catching protocol errors and
      returning an empty string for any node that was invalidated during
      serialization, ensuring the overall process could complete.
  • Windows Hardening:
    • Decision: Adopt Platform-Aware Watchdogs. The test
      suite’s reliance on ualarm was a blocker for Windows, where
      it is not implemented. The t::helper::set_watchdog function
      was refactored to use standard alarm() (seconds) on Windows
      and ualarm (microseconds) on Unix-like systems, enabling
      consistent test-level timeout enforcement.
  • Version 0.77 Release:
    • Decision: Adopt SOP for Version Synchronization.
      The project maintains duplicate version strings across 24+ files. A
      Standard Operating Procedure was adopted to use a batch-replacement tool
      to update all sub-modules in lib/ and to always run
      make clean and perl Makefile.PL to ensure
      META.json and META.yml reflect the new
      version. After achieving stability on Linux, the project version was
      bumped to 0.77.
  • Infrastructure & Strategic Work:
    • The ad2 Windows Server 2025 instance was restored and
      optimized, with Active Directory demoted and disk I/O performance
      improved.
    • A strategic proposal for the Heterogeneous Directory
      Replication Protocol (HDRP)       was drafted and published.

Part II: The
Great Async Refactor (March 17 – 18)

Despite success on Linux, tests on the slow ad2 Windows
host were still plagued by intermittent, indefinite hangs. This
triggered a fundamental architectural shift to move the library’s core
from a mix of synchronous and asynchronous code to a fully non-blocking
internal API.

Key Milestones &
Engineering Decisions:

  • Decision: Expose a _future API.
    Instead of hardcoding timeouts in the library, the core strategy was to
    refactor all blocking methods (xpath, field,
    get, etc.) into thin wrappers around new non-blocking
    ..._future counterparts. This moved timeout management to
    the test harness, allowing for flexible and explicit handling of
    stalls.

    # Example library implementation
sub xpath($self, $query, %options) {
    return $self->xpath_future($query, %options)->get;
}

sub xpath_future($self, $query, %options) {
    # Async implementation using $self->target->send_message(...)
}

  • Decision: Centralize Test Hardening in a Helper.
    A dedicated test library, t/lib/t/helper.pm, was created to
    contain all stabilization logic. “Safe” wrappers (safe_get,
    safe_xpath) were implemented there, using
    Future->wait_any to race asynchronous operations against
    a timeout, preventing tests from hanging.

    # Example test helper implementation
sub safe_xpath {
    my ($mech, $query, %options) = @_;
    my $timeout = delete $options{timeout} || 5;
    my $call_f = $mech->xpath_future($query, %options);
    my $timeout_f = $mech->sleep_future($timeout)->then(sub { Future->fail("Timeout") });
    return Future->wait_any($call_f, $timeout_f)->get;
}

  • Decision: Refactor Node Attribute Cache.
    Investigations into flaky checkbox tests (t/50-tick.t)
    revealed that WWW::Mechanize::Chrome::Node was storing
    attributes as a flat list ([key, val, key, val]), which was
    inefficient for lookups and individual updates. The cache was refactored
    to definitively use a HashRef, providing O(1) lookups
    and enabling atomic dual-updates where both the browser property (via
    JS) and the internal library attribute are synchronized
    simultaneously.

  • Decision: Implement Self-Cancelling Socket
    Watchdog.     On Windows, traditional watchdog processes often
    failed to detect parent termination, leading to 60-second hangs after
    successful tests. We implemented a new socket-based watchdog in
    t::helper that listens on an ephemeral port; the background
    process terminates immediately when the parent socket closes,
    eliminating these cumulative delays.

  • Decision: Deep Recursive Refactoring & Form
    Selection.     To make the API truly non-blocking, the entire
    internal call stack had to be refactored. For example, making
    get_set_value_future non-blocking required first making its
    dependency, _field_by_name, asynchronous. This culminated
    in refactoring the entire form selection API (form_name,
    form_id, etc.) to use the new asynchronous
    _future lookups, which was a key step in mitigating the
    Windows deadlocks.

  • Decision: Fix Critical Regressions & Memory
    Cycles.

    • Evaluation Normalization: Implemented a
      _process_eval_result helper to centralize the parsing of
      results from Runtime.evaluate. This ensures consistent
      handling of return values and exceptions between synchronous
      (eval_in_page) and asynchronous (eval_future)
      calls.

    • Memory Cycle Mitigation: A significant memory
      leak was discovered where closures attached to CDP event futures (like
      for asynchronous body retrieval) would capture strong references to
      $self and the $response object, creating a
      circular reference. The established rule is to now always use
      Scalar::Util::weaken on both $self and any
      other relevant objects before they are used inside a
      ->then block that is stored on an object.

    • Context Propagation (wantarray): A
      major regression was discovered where Perl’s wantarray
      context, which distinguishes between scalar and list context, was lost
      inside asynchronous Future->then blocks. This caused
      methods like xpath to return incorrect results (e.g., a
      count instead of a list of nodes). The solution was to adopt the “Async
      Context Pattern”: capture wantarray in the synchronous
      wrapper, pass it as an option to the _future method, and
      then use that captured value inside the future’s final resolution
      block.

      # Synchronous Wrapper
sub xpath($self, $query, %options) {
    $options{ wantarray } = wantarray; # 1. Capture
    return $self->xpath_future($query, %options)->get; # 2. Pass
}

# Asynchronous Implementation
sub xpath_future($self, $query, %options) {
    my $wantarray = delete $options{ wantarray }; # 3. Retrieve
    # ... async logic ...
    return $doc->then(sub {
        if ($wantarray) { # 4. Respect
            return Future->done(@results);
        } else {
            return Future->done($results[0]);
        }
    });
}

    • Asynchronous Body Retrieval & Robust Content
      Fallbacks:       Fixed a bug where decoded_content()
      would return empty strings by ensuring it awaited a
      __body_future. This was implemented by storing the
      retrieval future directly on the response object
      ($response->{__body_future}). To make this more robust,
      a tiered strategy was implemented: first try to get the content from the
      network response, but if that fails (e.g., for about:blank
      or due to cache eviction), fall back to a JavaScript
      XMLSerializer to get the live DOM content.

    • Signature Hardening: Fixed “Too few arguments”
      errors when using modern Perl signatures with
      Future->then. Callbacks were updated to use optional
      parameters (sub($result = undef) { ... }) to gracefully
      handle futures that resolve with no value.

    • XHTML “Split-Brain” Bug: Resolved a
      long-standing Chromium bug (40130141) where content provided via
      setDocumentContent is parsed differently than content
      loaded from a URL. A workaround was implemented: for XHTML documents,
      WMC now uses a JavaScript-based XPath evaluation
      (document.evaluate) against the live DOM, bypassing the
      broken CDP search mechanism.

Derived Architectural Rules
& SOPs:

  • Rule: Always provide _future variants.
    Every library method that interacts with the browser via CDP must have a
    non-blocking asynchronous counterpart.
  • Rule: Centralize stabilization in the test layer.
    All timeout and retry logic should reside in the test harness
    (t/lib/t/helper.pm), not in the core library.
  • Rule: Explicitly propagate wantarray
    context.     Synchronous wrappers must capture the caller’s context
    and pass it down the Future chain to ensure correct
    scalar/list behavior.
  • Rule: The entire call chain must be asynchronous.
    To enable non-blocking timeouts, even a single “hidden” blocking call in
    an otherwise asynchronous method will cause a stall.
  • SOP: Reduce Library Noise. Diagnostic messages
    (warn, note, diag) should be
    removed from library code before commits. All such messages should be
    converted to use the internal $self->log('debug', ...)
    mechanism, ensuring a clean TAP output for CI systems.

Part III: The
MutationObserver Saga (March 19)

With most of the library refactored to be asynchronous, one stubborn
test, t/65-is_visible.t, continued to fail with timeouts.
This led to an ambitious, but ultimately unsuccessful, attempt to
replace the wait_until_visible polling logic with a more
“modern” MutationObserver.

Key Milestones & Challenges:

  • The Theory: The goal was to replace an inefficient
    repeat { sleep } loop with an event-driven
    MutationObserver in JavaScript that would notify Perl
    immediately when an element’s visibility changed.
  • Implementation & Cascade Failure: The
    implementation proved incredibly difficult and introduced a series of
    new, hard-to-diagnose bugs:

    1. An incorrect function signature for
      callFunctionOn_future.
    2. A critical unit mismatch, passing seconds from Perl to JavaScript’s
      setTimeout, which expected milliseconds.
    3. A fundamental hang where the MutationObserver’s
      JavaScript Promise would never resolve, even after the
      underlying DOM element changed.
  • Debugging Maze: Multiple attempts to fix the
    checkVisibility JavaScript logic inside the observer
    callback, including making it more robust by adding DOM tree traversal
    and extensive console.log tracing, failed to resolve the
    hang. This highlighted the opacity and difficulty of debugging complex,
    cross-language asynchronous interactions, especially when dealing with
    low-level browser APIs.

Procedural Learning:
Granular Edits

The effort was plagued by procedural missteps in using automated
file-editing tools. Initial attempts to replace large code blocks in a
single operation led to accidental code loss and match failures.

  • Decision: Adopt “Delete, then Add” Workflow.
    Following forceful user correction, a new SOP was established for all
    future modifications:

    1. Isolate: Break the file into small, manageable
      chunks (e.g., 250 lines).
    2. Delete: Perform a “delete” operation by replacing
      the old code block with an empty string.
    3. Add: Perform an “add” operation by inserting the
      new code into the empty space.
    4. Verify: Verifying each atomic step before
      proceeding. This granular process, while slower, ensured surgical
      precision and regained technical control over the large
      Chrome.pm module.

The consistent failure of the MutationObserver approach
eventually led to the decision to abandon it in favor of stabilizing the
original, more transparent implementation.

Part IV:
Reversion and Final Stabilization (March 20)

After exhausting all reasonable attempts to fix the
MutationObserver, a strategic decision was made to revert
to the simpler, more transparent polling implementation and fix it
correctly. This proved to be the correct path to a stable solution.

Key Milestones &
Engineering Decisions:

  • Decision: Perform Strategic Reversion. The
    MutationObserver implementation, when integrated via
    callFunctionOn_future with awaitPromise,
    proved fundamentally unstable. Its JavaScript promise would consistently
    fail to resolve, causing indefinite hangs. A decision was made to
    revert all MutationObserver code from
    WWW::Mechanize::Chrome.pm and restore the original
    repeat { sleep } polling mechanism. A stable,
    understandable solution was prioritized over an elegant but broken
    one.
  • Decision: Correct Timeout Delegation in the
    Harness.     The root cause of the original timeout failure was
    identified as a race condition in the t/lib/t/helper.pm
    test harness. The safe_wait_until_* wrappers were
    implementing their own timeout (via wait_any and
    sleep_future) that raced against the underlying polling
    function’s internal timeout. This led to intermittent failures on slow
    machines. The helpers were refactored to delegate all timeout
    management to the library’s polling functions    , ensuring a
    single, authoritative timer controlled the operation.
  • Decision: Optimize Polling Performance. At the
    user’s request, the polling interval was reduced from 300ms to
    150ms. This modest performance improvement reduced the
    test suite’s wallclock execution time by over a second while maintaining
    stability.
  • Decision: Tune Test Watchdogs. The global watchdog
    timeout was adjusted to 12 seconds, specifically calculated as 1.5x the
    observed real execution time of the optimized test. This provides a
    data-driven safety margin for CI.

Part
V: The Last Bug – A Platform-Specific Memory Leak (March 20)

With all other tests passing, a single memory leak failure in
t/78-memleak.t persisted, but only on the Windows
ad2 environment. This required a different approach than
the timeout fixes.

Key Milestones:

  • The Bug: A strong reference cycle involving the
    on_dialog event listener was not being broken on Windows,
    despite multiple attempts to fix it. Fixes that worked on Linux (such as
    calling on_dialog(undef) in DESTROY) were not
    sufficient on the Windows host.
  • The Diagnosis: The issue was determined to be a
    deep, platform-specific interaction between Perl’s garbage collector,
    the IO::Async event loop implementation on Windows, and the
    Test::Memory::Cycle module. The cycle report was identical
    on both platforms, but the cleanup behavior was different.
  • Failed Attempts: A series of increasingly
    aggressive fixes were attempted to break the cycle, including:

    1. Moving the on_dialog(undef) call from
      close() to DESTROY().
    2. Explicitly deleteing the listener and callback
      properties from the object hash in DESTROY.
    3. Swapping between $self->remove_listener and
      $self->target->unlisten in a mistaken attempt to find
      the correct un-registration method.
  • Pragmatic Solution: After exhausting all reasonable
    code-level fixes without a resolution on Windows, the user opted to mark
    the failing test as a known issue for that specific platform.
  • Final Fix: The single failing test in
    t/78-memleak.t was wrapped in a conditional
    TODO block that only executes on Windows
    (if ($^O =~ /MSWin32/i)), formally acknowledging the bug
    without blocking the build. This allows the test suite to pass in CI
    environments while flagging the issue for future, deeper
    investigation.

Part VI: CI Hardening (March
20)

A final failure in the GitHub Actions CI environment revealed one
last configuration flaw.

Key Milestones:

  • The Bug: The CI was running
    prove --nocount --jobs 3 -I local/ -bl xt t directly. This
    command was missing the crucial -It/lib include path, which
    is necessary for test files to locate the t::helper module.
    This resulted in nearly all tests failing with
    Can't locate t/helper.pm in @INC.
  • The Investigation: An analysis of
    Makefile.PL revealed a custom MY::test block
    specifically designed to inject the -It/lib flag into the
    make test command. This confirmed that
    make test is the correct, canonical way to run the test
    suite for this project.
  • The Fix: The
    .github/workflows/linux.yml file was modified to replace
    the direct prove call with make test in the
    Run Tests step. This ensures the CI environment runs the
    tests in the exact same way as a local developer, with all necessary
    include paths correctly configured by the project’s build system.

Final Outcome

After this long and arduous journey, the
WWW::Mechanize::Chrome test suite is now stable and
passing on all targeted platforms, with known
platform-specific issues clearly documented in the code. The project is
in a vastly more robust and reliable state.

21 March, 2026 01:52AM by C.J. Collier

March 20, 2026

hackergotchi for Dirk Eddelbuettel

Dirk Eddelbuettel

RcppSpdlog 0.0.28 on CRAN: Micro-Maintenance

Version 0.0.28 of RcppSpdlog arrived on CRAN today, has been uploaded to Debian and built for r2u. The (nice) documentation site has been refreshed too. RcppSpdlog bundles spdlog, a wonderful header-only C++ logging library with all the bells and whistles you would want that was written by Gabi Melman, and also includes fmt by Victor Zverovich. You can learn more at the nice package documention site.

This release contains a rebuild RcppExports.cpp to aid Rcpp in the transition towards Rcpp::stop() and away from Rf_error() in its user packages. No othe

The NEWS entry for this release follows.

Changes in RcppSpdlog version 0.0.28 (2026-03-19)

  • Regenerate RcppExports.cpp to switch to (Rf_error) aiding in Rcpp transition to Rcpp::stop()

Courtesy of my CRANberries, there is also a diffstat report detailing changes. More detailed information is on the RcppSpdlog page, or the package documention site.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. If you like this or other open-source work I do, you can sponsor me at GitHub.

20 March, 2026 09:47PM

March 18, 2026

hackergotchi for Bits from Debian

Bits from Debian

Debian pt_BR localization team and UFABC's mentoring program

Between July and November 2025, the Debian pt_BR translation team received five students for an online mentoring program. The initiative was carried out in partnership with the Federal University of ABC through the extension project "Immersion in Free Software", coordinated by professors Suzana Santos and Miguel Vieira.

During the mentorship the mentees acted on several of the team's translation efforts and joined presentations about the Debian Project and its community given by the mentors. We thank the dedication and contributions of Ana Parra, Bruno Freitas, Henrique Barbosa, Raul Banzatto and Vitoria Cordeiro. And we also thank the members of the team who have reviewed the work of the mentees, specially the ones who were designated as official mentors, namely Allythy Rennan, Daniel Lenharo, Thiago Pezzo, and Victor Marinho.

Results:

  • Package descriptions, translations: 27
  • Package descriptions, revisions: 190
  • Web pages: 11
  • Revisions to the Debian Administrator's Handbook
  • Revisions to the Debian Edu documentation

We hope that this experience will inspire new paths and that you continue to contribute to Free Software – especially to Debian.

18 March, 2026 04:45PM by Thiago Pezzo, Daniel Lenharo

Sven Hoexter

container image with ECH enabled curl

As an opportunity to rewire my brain from "docker" to "podman" and "buildah" I started to create an image build with an ECH enabled curl at https://gitlab.com/hoexter/ech.

Not sure if it helps anyone, but setup should be like this:

git clone https://gitlab.com/hoexter-experiments/ech
cd ech
buildah build --layers -f Dockerfile -t echtest
podman run -ti echtest /usr/local/bin/curl \
  --ech true --doh-url https://one.one.one.one/dns-query \
  https://crypto.cloudflare.com/cdn-cgi/trace.cgi
fl=48f121
h=crypto.cloudflare.com
ip=2.205.251.187
ts=1773410985.168
visit_scheme=https
uag=curl/8.19.0
colo=DUS
sliver=none
http=http/2
loc=DE
tls=TLSv1.3
sni=encrypted
warp=off
gateway=off
rbi=off
kex=X25519

It also builds nginx and you can use that for a local test within the image. More details in the README.

18 March, 2026 09:32AM

March 16, 2026

hackergotchi for Jonathan Dowland

Jonathan Dowland

My Prusa Mini+ is broken

my prints kept turning into gunge

my prints kept turning into gunge

View of heatblock, with snapped nozzle

View of heatblock, with snapped nozzle

Oh dear! I've been suffering print reliability issues on my Prusa Mini+ for quite a while, roughly since they introduced Input Shaping (although that might not be the culprit). Whilst trying different things to resolve it, I managed to sheer off the brass nozzle within the heatblock. I now have half the nozzle stuck in the ratchet spanner, and half in the heatblock.

What to do next?

I can try and get the nozzle out of the heatblock, by screwing something into it or using an extraction screw. I've been warned this could be messy and dangerous. Less risky might be to change out the whole heatblock. They don't seem to be expensive.

Back in FOSDEM I asked the Prusa folks what cool projects I could do with the Mini+… they looked a little blank (I think the Mini+ is now a somewhat forgotten product) but they did say somebody had managed to port over the "Nextruder" from the more recent Prusa XL/MK4. I could take a look at that.

Another thing I've always wanted to explore (although I had intended it to be temporary/reversible) was converting it into a plotter, for plotter art.

Somehow this is my first 3d printing blog post in over a year. The printables.com feed I linked to is still going, I'm happy to report (as is the one I wrote but didn't publish, slightly more surprisingly)

16 March, 2026 08:45PM

hackergotchi for Phil Hands

Phil Hands

Mathilda Hands: lost Lenovo X230 Laptop

On our way to Austria last week, on March 6th, we left my daughter's laptop on a train: ICE 1201 (Hamburg-Harburg to Bludenz).

The laptop is a Lenovo X230 notebook. The most obvious distinguishing feature is a Mathilda Hands sticker in the middle of the lid:

Mathilda Hands sticker

I seem to remember that it also has some hexagonal stickers, one probably being one of these:

hexagonal, black and white, Phosh sticker

The keyboard layout is British (with a £ above the 3).

It was left in coach 24 of ICE 1201, next to seats 51-54, in the luggage gap between the seats, on the floor.

My hope is that whoever found it will end up searching for Mathilda Hands and see this. If that's how you got here, please email me: phil-lostlaptop2026@hands.com - doing so will make Mathilda (and me) most cheerful.

16 March, 2026 07:55AM

Dimitri John Ledkov

Security-only OpenSSL tarball releases for CVE-2026-2673

On Friday May the 13th OpenSSL project has published advisory details for CVE-2026-2673. The CVE is treated as non-important by the project. The patches are only provided as commits on the stable branches. No git tag, no precise fixed version, and no source tarballs provided.

The patches that were merged to openssl-3.5 and openssl-3.6 branches were not based on top of the last stable point release and did not split code changes & documentation updates. It means that cherry-picking the commits referenced in the advisory will always lead to conflicts requiring manual resolution. It is not clear if support is provided for snapshot builds off the openssl-3.5 and openssl-3.6 branches. As the builds from the stable branches declare themselves as dev builds of the next unreleased point release. For example, in contrast to projects such as vim and glibc, with every commit to stable branches explicitly recommended for distributors to ship and is supported.

I have requested OpenSSL upstream in the past for the security fixes to branch off the last point release, commit code changes separate from the NEWS.md / CHANGES.md updates, and then merge that into the stable branches. This way the advisory that recommends cherry-picking individual commits, would actually apply conflict free - at no additional maintenance burden to the OpenSSL project and everyone who has to cherry-pick these updates. There is a wide support voiced for such strategy by the OpenSSL distributors and the OpenSSL Corporation. But this is not something that OpenSSL Project is yet choosing to provide.

To avoid duplication of work, I am starting to provide stable OpenSSL re-releases of the last upstream tagged stable point release with security only patches split into code-change only; documentation update; version update to create security only source tarball releases that are easy to build; easy to identify by the security scanners; and which cherry-pick changes without conflicts. The first two releases are published on GitHub as immutable releases with attestations:

If there are any other branches, CVEs, point releases that would be useful for similar style releases, do open discussion on the GitHub Project.

If you find these releases useful, do star the project and download these releases. If this project gets popular, I hope that OpenSSL upstream will reconsider their releases strategy for all security releases. If you have support contracts with OpenSSL - please request OpenSSL corporation to release tagged releases and versioned tarballs.

16 March, 2026 02:11AM by Dimitri John Ledkov (noreply@blogger.com)

March 15, 2026

hackergotchi for Marco d'Itri

Marco d'Itri

Bypassing deep packet inspection with socat and HTTPS tunnels

Recently I found myself with a few hours to kill, but with the only available connectivity provided by an annoying firewall which would normally allow requests only to a few very specific web sites. This post shows how to work around this kind of restrictions by hiding SSH in an HTTPS connection, which then can be used as a SOCKS proxy to allow general connectivity. socat does all the hard work.

First, create two self-signed RSA keys pairs, one for the client (bongo) and one for the server (attila):

domain=bongo.example.net
openssl req -x509 -newkey rsa:2048 -days 7300 \
  -subj /CN=$domain -addext "subjectAltName = DNS:$domain" \
  -keyout socat.key -nodes \
  -out socat.pem

Then, concatenate the public and private keys to create the file provided to the cert option, and use the public key as the file for the cafile option on the other side.

On the client side, if you normally would connect to attila.example.net then you can add something like this to ~/.ssh/config:

Host httpstunnel-attila.example.net
 ProxyCommand socat --statistics STDIO OPENSSL:attila.example.net:443,↩️
   cert=$HOME/.ssh/socat-bongo.pem,cafile=$HOME/.ssh/socat-attila.pem,↩️
   snihost=${SOCAT_SNI:-x.com}
 DynamicForward 1080
 Compression yes
 HostKeyAlias attila.example.net
 ControlMaster yes
 ControlPath ~/.ssh/.control_attila.example.net_22_%r

The ProxyCommand directive uses socat to provide the connectivity which ssh will use over stdio instead of connecting to port 22 of the server.

The snihost option is enough to make many firewalls believe that this is an authorized HTTPS request.

On the server side we use a simple systemd unit to start a forking instance of socat, which will accept and process requests from the client (and from random crawlers on the Internet: expect a lot of cruft in that log...):

[Unit]
Description=socat tunnel
After=network.target

[Service]
Type=exec
ExecStart=socat -ly OPENSSL-LISTEN:443,fork,reuseaddr,↩️
  cert=%d/tlskey,cafile=%d/tlsca TCP:localhost:22
SuccessExitStatus=143
LoadCredential=tlskey:/etc/ssh/socat-attila.pem
LoadCredential=tlsca:/etc/ssh/socat-bongo.pem
Restart=on-abnormal
RestartSec=5s
DynamicUser=yes
PrivateDevices=yes
PrivateTmp=yes
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectProc=invisible
ProtectSystem=strict
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
SystemCallArchitectures=native
SystemCallErrorNumber=EPERM
SystemCallFilter=@system-service
SystemCallFilter=~@resources
SystemCallFilter=~@privileged

[Install]
WantedBy=multi-user.target

Strong sandboxing is enabled, so the socat instance is confined with very limited privileges. An interesting point is the use of systemd credentials to provide the cryptographic keys, since it allows to store them in a part of the file system which would not be accessible to the program. Advanced users can use this method to provide the keys from secure storage.

15 March, 2026 01:45PM

March 13, 2026

hackergotchi for Jonathan Dowland

Jonathan Dowland

debian swirl font glyph

When I wrote about the redhat logo in a shell prompt, a commenter said it would be nice to achieve something similar for Debian, and suggested "�" (U+1F365 FISH CAKE WITH SWIRL DESIGN) which, in some renderings, looks to have a red swirl on top. This is not bad, but I thought we could do better.

On Apple systems, the character "" (U+F8FF) displays as the corporate Apple logo. That particular unicode code point is reserved: systems are free to use it for something private and internal, but other systems won't use it for the same thing. So if an Apple user tries to send a document with that character in it to someone else, they won't see the Apple unless they are also viewing it on an Apple computer. (Some folks use it for Klingon).

Here's a font that maps the Debian swirl to the same code point. It's covered by the Debian logo license terms.

Nerd Font maps the Debian swirl logo to codepoints e77d, f306, ebc5 and f08da (all of which are also in the Private Use Area). I've gone ahead and mapped it to all those points but the last one (simply because I couldn't find it in FontForge.)

Note that, unless your recipients have this font, or the Nerd Font, or similar set up, they aren't going to see the swirl. But enjoy it for private use. Getting your system to actually use the font is, I'm afraid, left as an exercise for the reader (but feel free to leave comments)

Thanks to mirabilos for chatting to me about this back in 2019. It's taken me that long to get this blog post out of draft!

13 March, 2026 10:11PM

Sven Hoexter

RFC 9849 - Encrypted Client Hello

Now that ECH is standardized I started to look into it to understand what's coming. While generally desirable to not leak the SNI information, I'm not sure if it will ever make it to the masses of (web)servers outside of big CDNs.

Beside of the extension of the TLS protocol to have an inner and outer ClientHello, you also need (frequent) updates to your HTTPS/SVCB DNS records. The idea is to rotate the key quickly, the OpenSSL APIs document talks about hourly rotation. Which means you've to have encrypted DNS in place (I guess these days DNSoverHTTPS is the most common case), and you need to be able to distribute the private key between all involved hosts + update DNS records in time. In addition to that you can also use a "shared mode" where you handle the outer ClientHello (the one using the public key from DNS) centrally and the inner ClientHello on your backend servers. I'm not yet sure if that makes it easier or even harder to get it right.

That all makes sense, and is feasible for setups like those at Cloudflare where the common case is that they provide you NS servers for your domain, and terminate your HTTPS connections. But for the average webserver setup I guess we will not see a huge adoption rate. Or we soon see something like a Caddy webserver on steroids which integrates a DNS server for DoH with not only automatic certificate renewal build in, but also automatic ECHConfig updates.

If you want to read up yourself here are my starting points:

RFC 9849 TLS Encrypted Client Hello

RFC 9848 Bootstrapping TLS Encrypted ClientHello with DNS Service Bindings

RFC 9934 Privacy-Enhanced Mail (PEM) File Format for Encrypted ClientHello (ECH)

OpenSSL 4.0 ECH APIs

curl ECH Support

nginx ECH Support

Cloudflare Good-bye ESNI, hello ECH!

If you're looking for a test endpoint, I see one hosted by Cloudflare:

$ dig +short IN HTTPS cloudflare-ech.com
1 . alpn="h3,h2" ipv4hint=104.18.10.118,104.18.11.118 ech=AEX+DQBBFQAgACDBFqmr34YRf/8Ymf+N5ZJCtNkLm3qnjylCCLZc8rUZcwAEAAEAAQASY2xvdWRmbGFyZS1lY2guY29tAAA= ipv6hint=2606:4700::6812:a76,2606:4700::6812:b76

13 March, 2026 09:49AM

March 12, 2026

Reproducible Builds

Reproducible Builds in February 2026

Welcome to the February 2026 report from the Reproducible Builds project!

These reports outline what we’ve been up to over the past month, highlighting items of news from elsewhere in the increasingly-important area of software supply-chain security. As ever, if you are interested in contributing to the Reproducible Builds project, please see the Contribute page on our website.

  1. reproduce.debian.net
  2. Tool development
  3. Distribution work
  4. Miscellaneous news
  5. Upstream patches
  6. Documentation updates
  7. Four new academic papers

reproduce.debian.net

The last year has seen the introduction, development and deployment of reproduce.debian.net. In technical terms, this is an instance of rebuilderd, our server designed monitor the official package repositories of Linux distributions and attempt to reproduce the observed results there.

This month, however, Holger Levsen added suite-based navigation (eg. Debian trixie vs forky) to the service (in addition to the already existing architecture based navigation) which can be observed on, for instance, the Debian trixie-backports or trixie-security pages.


Tool development

diffoscope is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues. This month, Chris Lamb made a number of changes, including preparing and uploading versions, 312 and 313 to Debian.

In particular, Chris updated the post-release deployment pipeline to ensure that the pipeline does not fail if the automatic deployment to PyPI fails []. In addition, Vagrant Cascadian updated an external reference for the 7z tool for GNU Guix. []. Vagrant Cascadian also updated diffoscope in GNU Guix to version 312 and 313.


Distribution work

In Debian this month:

  • 26 reviews of Debian packages were added, 5 were updated and 19 were removed this month adding to our extensive knowledge about identified issues.

  • A new debsbom package was uploaded to unstable. According to the package description, this package “generates SBOMs (Software Bill of Materials) for distributions based on Debian in the two standard formats, SPDX and CycloneDX. The generated SBOM includes all installed binary packages and also contains Debian Source packages.”

  • In addition, a sbom-toolkit package was uploaded, which “provides a collection of scripts for generating SBOM. This is the tooling used in Apertis to generate the Licenses SBOM and the Build Dependency SBOM. It also includes dh-setup-copyright, a Debhelper addon to generate SBOMs from DWARF debug information, which are “extracted from DWARF debug information by running dwarf2sources on every ELF binaries in the package and saving the output.”

Lastly, Bernhard M. Wiedemann posted another openSUSE monthly update for their work there.


Miscellaneous news


Upstream patches

The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:


Documentation updates

Once again, there were a number of improvements made to our website this month including:


Four new academic papers

Julien Malka and Arnout Engelen published a paper titled Lila: Decentralized Build Reproducibility Monitoring for the Functional Package Management Model:

[While] recent studies have shown that high reproducibility rates are achievable at scale — demonstrated by the Nix ecosystem achieving over 90% reproducibility on more than 80,000 packages — the problem of effective reproducibility monitoring remains largely unsolved. In this work, we address the reproducibility monitoring challenge by introducing Lila, a decentralized system for reproducibility assessment tailored to the functional package management model. Lila enables distributed reporting of build results and aggregation into a reproducibility database […].

A PDF of their paper is available online.


Javier Ron and Martin Monperrus of KTH Royal Institute of Technology, Sweden, also published a paper, titled Verifiable Provenance of Software Artifacts with Zero-Knowledge Compilation:

Verifying that a compiled binary originates from its claimed source code is a fundamental security requirement, called source code provenance. Achieving verifiable source code provenance in practice remains challenging. The most popular technique, called reproducible builds, requires difficult matching and reexecution of build toolchains and environments. We propose a novel approach to verifiable provenance based on compiling software with zero-knowledge virtual machines (zkVMs). By executing a compiler within a zkVM, our system produces both the compiled output and a cryptographic proof attesting that the compilation was performed on the claimed source code with the claimed compiler. […]

A PDF of the paper is available online.


Oreofe Solarin of Department of Computer and Data Sciences, Case Western Reserve University, Cleveland, Ohio, USA, published It’s Not Just Timestamps: A Study on Docker Reproducibility:

Reproducible container builds promise a simple integrity check for software supply chains: rebuild an image from its Dockerfile and compare hashes. We built a Docker measurement pipeline and apply it to a stratified sample of 2,000 GitHub repositories that contained a Dockerfile. We found that only 56% produce any buildable image, and just 2.7% of those are bitwise reproducible without any infrastructure configurations. After modifying infrastructure configurations, we raise bitwise reproducibility by 18.6%, but 78.7% of buildable Dockerfiles remain non-reproducible.

A PDF of Oreofe’s paper is available online.


Lastly, Jens Dietrich and Behnaz Hassanshahi published On the Variability of Source Code in Maven Package Rebuilds:

[In] this paper we test the assumption that the same source code is being used [by] alternative builds. To study this, we compare the sources released with packages on Maven Central, with the sources associated with independently built packages from Google’s Assured Open Source and Oracle’s Build-from-Source projects. […]

A PDF of their paper is available online.



Finally, if you are interested in contributing to the Reproducible Builds project, please visit our Contribute page on our website. However, you can get in touch with us via:

12 March, 2026 07:08PM

hackergotchi for Mike Gabriel

Mike Gabriel

Debian Lomiri Tablets 2025-2027 - Project Report (Q4/2025)

On 25th Oct 2025, I announced via my personal blog and on Mastodon that Fre(i)e Software GmbH was hiring. The hiring process was a mix of asking developers I know and waiting for new people to apply.

At the beginning of November 2025 / in mid November 2025, we started with 13 developers (all part-time) to work on various topics around Lomiri (upstream and downstream). Note that the below achievements don't document the overall activity in the Lomiri project, but that part that our team at Fre(i)e Software GmbH contributed to.

Organizational Achievements

  • Setup management board for Qt6 migration in Lomiri [1]
  • Setup management board for salsa2ubports package syncing [2]
  • Bootstrap Qt 6.8 in UBports APT repository
  • Bootstrap Qt 6.8 in Lomiri PPA
  • Fix Salsa CI for all Lomiri-related Debian packages
  • Facilitate contributor's project around XDG Desktop Portal support for Lomiri.
  • Plan how to bring DeltaTouch and DeltaChat core to Debian

Maintenance Development

  • Replace libofono-qt by libqofono in telepathy-ofono
  • Rework unit tests in telepathy-ofono utilizing ofone-phonesim
  • Obsolete not-used-anymore u1db-qt
  • Fixing wrong bin:pkg names regarding snapd-glib's QML module

Qt6 Porting

  • qmake -> CMake porting (if needed) and Qt6 porting of shared libraries and QML modules consumed by Lomiri shell and Lomiri apps:
    • biometryd
    • libqofono
    • libqofonoext
    • libqtdbusmock
    • lomiri-account-polld
    • lomiri-action-api
    • lomiri-api
    • lomiri-download-manager
    • lomiri-location-service
    • lomiri-online-accounts
    • lomiri-push-qml
    • lomiri-push-service
    • maliit-framework
    • mediascanner2
    • qtlomiri-appmenutheme
    • qtpim (started, work in progress)
    • qwebdavlib
    • signond (flaws spotted in Debian's porting of signond to Qt6)

Feature Development

  • Continuing with Morph Browser Qt6 / LUITK
    • Build, run and fix LUITK unit tests for Qt6
    • various bug fixes and improvements for Morph Qt6
  • Add mbim modem support to ofono upstream
  • Improve ofono support in Network Manager
  • Improve mbim modem support in lomiri-indicator-network
  • Package kazv (convergent Matrix client) and dependencies for Debian
  • Provide Lomiri images for Mobian

Research

  • Research on fuse-based caching Webdav client for lomiri-cloudsync-app.
  • Research on alternative ORM instead of QDjango in libusermetrics

[1] https://gitlab.com/groups/ubports/development/-/boards/9895029?label_name%5B%5D=Topic%3A%20Qt%206
[2] https://gitlab.com/groups/ubports/development/-/boards/10037876?label_name[]=Topic%3A%20salsa2ubports%20DEB%20syncing

12 March, 2026 08:59AM by sunweaver

March 11, 2026

Swiss JuristGate

Suicide of disgruntled employee? Bus fire at Kerzers / Chiètres, Switzerland, at least six dead

News reports have appeared about a bus catching fire in Kerzers, Switzerland, which is also known as Chiètres in French. Reports suggest one person doused himself in fire. Police confirm it was deliberate and they say it is not a terrorist. The possibility that remains for us to contemplate is that it was somebody who has been humiliated by their employer or the jurists in a tribunal.

This web site has gone to great lengths to reveal the extent to which jurists take money from people and then fail to provide any solution to the needs of their clients. In many cases, the jurists make disputes even worse in the hope that parties on both sides of the dispute, or their insurers, will end up paying even more legal fees.

When employers make somebody redundant in Switzerland, they normally have to give the workers three to six months notice or a lump sum payment, sometimes both. To avoid making these payments, some employers and some of the agencies responsible for contract employees will try to blame one of the workers. Many of these disputes are settled by a tribunal. Both the employer and employee want to save face and so the judgments are kept totally secret.

There are parallel cases in Germany. Galia Mancheva's abuse report describes her experience of taking the FSFE misfits to an employment tribunal. The tribunal forced her to listen to lies from the men and then they humiliated her by telling her she can't have justice because she had been in the job for less than twelve months.

Due to the JuristGate scandal, when the illegal legal fees insurance scheme vanished overnight, up to 20,000 clients suddenly found themselves without a lawyer. Some of those people were in the middle of legal disputes with employers or employees. Some of those disputes involve sensitive matters, such as accusations of sexual impropriety and employee illness. FINMA has not made any comment on how these case files were protected or compromised. Matthieu Parreaux, the founder of the rogue firm, suggested that all the case files have fallen into the hands of other lawyers.

When we began examining the Adrian von Bidder death in Basel, where his wife subsequently became the mayor, we looked at a petition to the Basel Kanton about the way they are hiding the number of suicides and the reasons for them. We were shocked to find the name A. von Bidder on the petition shortly before Adrian von Bidder-Senn died at age 32. No official reasons have been given. The only fact we know is that he died eight months after the Debian Day volunteer suicide and people discussed it like a copy-cat suicide. Nonetheless, if Debianism was not the only influence in his death, we need to start asking if he had simultaneously been the victim of rogue employment practices or incompetence by jurists.

As noted in the Basel Kanton suicide petition, many of these cases involve total secrecy and the employment tribunals also operate in secrecy. From time to time, news reports appear about cases where multiple people are attacked or killed, for example, a chainsaw attack at the office of CSS insurance in Kanton Schaffhausen. I went to some detail to explain the incompetence, corruption and racism we encountered when somebody fell on Carla at a Zurich yoga studio and the people at the accident insurance spent two years giving us excuses.

Police confirm the Postbus fire occurred deliberately. It happened at peak hour when the bus had the maximum number of passengers. The victim chose to die in a Postbus. These buses are iconic of Swiss rural life and the tourism industry. Did the victim of this suicide intend to send some kind of signal, like the distinctive three-tone horn of the bus itself?

Swiss Postbus

 

Will the victims of this tragedy spend two years waiting for an answer or will they never get answers at all?

Read more about JuristGate, the illegal legal insurance that Swiss regulator FINMA knew about for five years.

11 March, 2026 07:30AM

hackergotchi for Bits from Debian

Bits from Debian

Infomaniak Platinum Sponsor of DebConf26

infomaniak-logo

We are pleased to announce that Infomaniak has committed to sponsor DebConf26 as a Platinum Sponsor.

Infomaniak is an independent, employee-owned Swiss technology company that designs, develops, and operates its own cloud infrastructure and digital services entirely in Switzerland. With over 300 employees — more than 70% engineers and developers — the company reinvests all profits into R&D. Its public cloud is built on OpenStack, with managed Kubernetes, Database as a Service, object storage, and sovereign AI services accessible via OpenAI- compatible APIs, all running on its own Swiss infrastructure. Infomaniak also develops a sovereign collaborative suite — messaging, email, storage, online office tools, videoconferencing, and a built-in AI assistant — developed in- house and as a privacy-respecting solution to proprietary platforms. Open source is central to how Infomaniak operates. Its latest data center (D4) runs on 100% renewable energy and uses no traditional cooling: all the heat generated by its servers is captured and fed into Geneva's district heating network, supplying up to 6,000 homes in winter and hot water year-round. The entire project has been documented and open-sourced at d4project.org.

With this commitment as Platinum Sponsor, Infomaniak is contributing to the Debian annual Developers' conference, directly supporting the progress of Debian and Free Software. Infomaniak contributes to strengthen the community that collaborates on Debian projects from all around the world throughout all of the year.

Thank you very much, Infomaniak, for your support of DebConf26!

Become a sponsor too!

DebConf26 will take place from 20th to July 25th 2026 in Santa Fe, Argentina, and will be preceded by DebCamp, from 13th to 19th July 2026.

DebConf26 is accepting sponsors! Interested companies and organizations may contact the DebConf team through sponsors@debconf.org, and visit the DebConf26 website at https://debconf26.debconf.org/sponsors/become-a-sponsor/.

11 March, 2026 12:12AM by Sahil Dhiman

March 10, 2026

Sven Hoexter

debian/watch version 5 is a beauty

Kudos to yadd@ (and who else was involved to make that happen), for the new watch file v5 format. Especially templates for the big git hoster make it much nicer. Prepared two of my packages to switch on the next upload, exfatprogs tracking github releases and pflogsumm scraping a web page. That is much easier to read and less error prone.

Update 2026-03-10: Realized that the github template is not useful if you need to pull maintainer created release tarballs from GitHub. The best I could come up so far is:

Version: 5
Search-Mode: plain
Pgp-Mode: auto
Source: https://api.github.com/repos/<user or org>/@PACKAGE@/releases?per_page=50
Matching-Pattern: https://github.com/[^/]+/[^/]+/releases/download/(?:[\d\.]+)/@PACKAGE@@ANY_VERSION@@ARCHIVE_EXT

That pulls the download information from the API endpoint and preferes .xz over .gz when available.

10 March, 2026 06:54PM

March 09, 2026

hackergotchi for Colin Watson

Colin Watson

Free software activity in February 2026

My Debian contributions this month were all sponsored by Freexian.

You can also support my work directly via Liberapay or GitHub Sponsors.

OpenSSH

I released bookworm and trixie fixes for CVE-2025-61984 and CVE-2025-61985, both allowing code execution via ProxyCommand in some cases. The trixie update also included a fix for openssh-server: refuses further connections after having handled PerSourceMaxStartups connections.

bugs.debian.org administration

Gioele Barabucci reported that some messages to the bug tracking system generated by the bts command were being discarded. While the regression here was on the client side, I found and fixed a typo in our SpamAssassin configuration that was failing to apply a bonus specifically to forwarded commands, mitigating the problem.

Python packaging

New upstream versions:

  • aiosmtplib
  • bitstruct
  • diff-cover
  • django-q
  • isort
  • multipart
  • poetry (adding support for Dulwich >= 0.25)
  • poetry-core
  • pydantic-settings
  • python-build
  • python-certifi
  • python-datamodel-code-generator
  • python-flatdict
  • python-holidays
  • python-maggma
  • python-pytokens
  • python-scruffy
  • python-urllib3 (fixing CVE-2025-66471 and a chunked decoding bug)
  • responses
  • yarsync
  • zope.component
  • zope.deferredimport

Porting away from the deprecated (and now removed from upstream setuptools) pkg_resources:

Other build/test failures:

Other bugs:

I added a manual page symlink to make the documentation for Testsuite: autopkgtest-pkg-pybuild easier to find.

I backported python-pytest-unmagic, a more recent version of pytest-django, and a more recent version of django-cte to trixie for use in Debusine.

Rust packaging

I also packaged rust-garde and rust-garde-derive, which are part of the pile of work needed to get the ruff packaging back in shape (which is a project I haven’t decided if I’m going to take on for real, but I thought I’d at least chip away at a bit of it).

Other bits and pieces

Code reviews

09 March, 2026 12:22PM by Colin Watson