The eight release of the binb package,
and first in two years, is now on CRAN and in r2u. binb regroups
four rather nice themes for writing LaTeX Beamer
presentations much more easily in (R)Markdown. As a teaser,
a quick demo combining all four themes is
available; documentation and examples are in the package.
This release contains regular internal updates to continuous
integration, URLs reference and switch to Authors@R. The trigger for the
release, though, was a small updated need when very recent
pandoc versions (as shipped with RStudio) are used which
require a new variable declaration in the LaTeX template files in order
to process uncaptioned tables. The summary of changes follows.
Changes in binb
version 0.0.8 (2026-05-01)
Small updates to documentation URLs and continuous
integration
The package now uses Authors@R in DESCRIPTION
Newer pandoc versions are accommodated by adding a required
counter variable in the latex template file
Trigger warning: this is a report about how
Debianism prefers abusers to those who consistently and
compassionately helped victims of abuse.
Those who dare to look up the public court records about
Jeremy Bicha have been shocked and in some cases unable to sleep
after reading how he exploited every bodily orifice of his little sisters
when they were six and nine years old. Yet I feel a possibility that
Jeremy Bicha himself is now being exploited to make us feel
shock and to soften us up for future revelations about unnamed oligarchs
in the open source eco-system. There have been many falsified rumours
about abuse over the years,
such as the conspiracy against Dr Jacob Appelbaum. Whenever we get
to the point that the leader of some so-called community really is
put on trial for real abuse, the victims are unlikely to have suffered as
extensively as
Bicha's little sisters.
I didn't write and publish this report to start a lynching against
Jeremy Bicha himself. He has confessed his crimes which is much more
than can be said for other sex pests. The real reason for the report is
to look at the decisions that organisations have made putting a
registered sex offender on a pedestal but in the case of commercial
rivals or people who made mistakes with pronouns, we are being censored
and harassed by the oligarchs for the most mundane mistakes.
The BBC is in fresh trouble over their pre-existing knowledge of a scandal
involving
Scott Mills. It was a major story in the
UK the week before Easter and then it disappeared. I suspect that sooner
or later we will hear more details.
Almost every day there is a fresh news report about
Jeffrey Epstein. During the trial of
Ghislaine Maxwell, she told us her partner,
Epstein, needed to
be with a woman at least three times per day. People with children or
teenage daughters will feel very uncomfortable about having these men around.
Less than two percent of Debian Developers are female but at
DebConf almost one in three participants is in the
gay/transgender/Zizian set. In the wider population it is only one in
ten people.
These people don't have children. They don't think about having children.
They don't spend a lot of time thinking about the risks. Having a
registered sex offender present at the after-party may be on the
bucket list for some of these people. They are willing to risk other people's
children and tarnish Debian's reputation so they can have something
unusual at the after-party.
For people who do have children, they don't go to the
DebConf orgy groups but they do stay up all night reading through reports
like this to try and work out whether the risk is acceptable or not.
The
Debian Suicide Cluster correlates with a culture of
violence and humiliations. Coincidentally, rape and abuse are also about
violence and humiliation. Adding a
registered sex offender to the group only reinforces those existing
Debian character traits when we need to be looking for the opposite,
people who serve to neutralise those cultural defects.
News that a
Registered Sex Offender(TM) was invited to speak at
DebConf25 in
France is not a random accident. Certain groups like
Debianism have been overcome by fringe diversity movements. Over the years,
we've seen the same people using their authority to humiliate fellow volunteers
in much the same way that paedophiles humiliate children. Statistically,
we can be certain there are similar men in the same group.
Jeremy Bicha was the thin end of the wedge. By putting a known offender
on a pedestal and claiming they are helping him, they are clearing a path for
other more cunning characters to be given a platform.
The people who control
Debianism mailing lists have a nasty habit of censoring any concerns about
the phenomena. They believe everybody agrees with their worldview. They
are living in a bubble. Sooner or later, there will be a person or an
incident that is so bad that it is the end of Debian. Society at large
simply doesn't accept some of the things these people do.
Moreover, certain companies would like to see Debian fail. They will
give enough money to the diversity budget to create a scandal and then
those companies will get out of the way as quickly as possible.
The Debian Social Contract tells us, in point three,
We will not hide problems.
In the case of the
registered sex offender invited to speak at
DebConf25 in
France, all discussion has been deliberately shut down. Video
of the talk is not hosted with video of the other talks. People are
scouring the
official photo gallery to see if
Jeremy Bicha was really there at all and who sat next to him.
This situation and the manner in which
Debianists are hiding it reveals the real definiton of diversity and
the real use of diversity funds.
This resulted in “Jack� ringing me in an extremely distressed state. His
words on the phone were, “I think it would have been better to hear my
mother had died�. He was a relatively early victim of [Fr Kevin] O’Donnell and his
abuse was reported to the Cathedral in 1958. This allegation was
investigated at the time by both the then Vicar-General, Laurie Moran,
and the then Auxiliary Bishop of Melbourne, Arthur Fox. Nothing
eventuated from this investigation.
In 1962, Stanley Kubrick released the controversial film
Lolita.
Charles Manson was using women in his
cult, the Manson Family, to murder people. He hoped that by committing
these violent murders he could start riots, like the modern day phenomena
of #MeToo mobs on
social control media. On 9 August 1969, they killed the actress
Sharon Tate, who was the wife of film director
Roman Polanski.
In the 1970s, Bishop Fox was the Bishop of Sale. On 3 July 1972, when he was
in his early forties, Hourigan wrote to Bishop Fox asking that he be accepted to study
for the priesthood. In the letter Hourigan set out what he said were two ‘flies in the
ointment’. The first related to an issue with Hourigan’s back, and is of little moment.
The second was a disclosure (referred to by the judge as ‘the disclosure’) that on
three separate occasions, occurring at two separate boarding schools in Papua New
Guinea at which he was working, boys in his care who, he said, he had occasion to
punish for misbehaviour, responded by complaining to a priest that he had treated
them harshly and that he was a homosexual. A short time after the second and third
complaints, Hourigan left the second boarding school and returned to Australia.
The implication is that
Bishop Fox had personal knowledge of the disclosure and history of
abuse before he ever ordained
Fr Hourigan.
Britain's National Council for Civil Liberties (NCCL), known today as
Liberty, had a very open attitude to memberships and affiliations.
PIE and many other fringe groups became members of NCCL / Liberty
and regularly attended the annual general meetings where they rubbed shoulders
with lawyers and lobbyists from a range of different movements.
The Conversation tells us the British Communist Party was also affiliated
with NCCL / Liberty. People have been scouring old copies of British
tabloid newspapers to find evidence of similar diversity fringe groups
promoting incest, canabalism and bestiality. NCCL / Liberty was not endorsing
any of these groups and the PIE was no more or less special than
any other diversity fringe group.
The manner in which the paedophile advocacy groups participated in the
NCCL / Liberty and the legal profession can be summarised by the
expression I don't agree with what you say but I will defend to the
death your right to say it.
As the saying goes, all good things must come to an end. By the
1980s, governments around the world had developed strategies to shut down
and outlaw groups like PIE.
The eradication of these groups was significant because it forced
the pro-abuse lobby to look for more discrete ways to achieve their
unholy objectives. In other words, they have to join other groups like
the Catholic Church and the
Debian Project in the hope they will gain credibility, access
to children or both.
Between 1977 and 1978,
Roman Polanski, whose wife had been murdered by the Manson Family
cult, was prosecuted for drugging and raping a 13-year-old girl.
He fled America to live in
France and evade a likely jail sentence.
As he was born in France he can't be extradited to America. He continued
his career in
France and received numerous awards for his work. Many professionals
in the movie industry have publicly indicated support for
Polanski, despite the very serious crime he committed against a child.
Between 1978 and 1982, in another
Catholic abuse situation where the victim agreed to waive anonymity,
David Ridsdale was abused by his uncle, the priest
Gerald Ridsdale. Under Australian law, when the uncle is found
guilty of such an offence, their identity and their conviction can not
be reported in the media as it would compromise the identity of the
victim. Nonetheless,
David Ridsdale waived his right to anonymity and so it could be
reported that
Gerald Ridsdale, who was the worst offender in the country,
had even committed abuse against one of his own relatives.
The media originally obfuscated the name and face of the victim but it
wasn't long before everybody knew. She had created the dossier, started a
conversation with the police and then she committed suicide. Eventually the
Federal Court judges decided to publish everything for the public to make up our
own minds.
I selected those portions of the document to emphasize the striking
similarities between
Katharine Thornton's abuse report and the acts that
Jeremy Bicha admitted inflicting on his sisters.
According to the summary of the complaint on the
Manatee County Courthouse web site, the abuse occurred between 1995 and 1999,
in other words, when
Jeremy Bicha was only between eleven and fifteen years of age himself.
One of his sisters was nine and another was only six when these horrible crimes
took place.
In the court documents,
Jeremy Bicha told prosecutors his parents were very strict and kept all the
siblings together at home. In countries with urban sprawl and a car culture,
which includes
Australia, a teenage boy starting high school has no way to meet friends
of the same age unless an adult is willing to drive him there and bring him
back home. Europeans who live in apartments and terrace houses are much closer
together. Therefore, people who haven't lived in urban sprawl can't fully
appreciate the impact it has on childhood.
In 1997, Adrian Lyne produced a fresh version of the film
Lolita.
Shortly after that, I was photographed in
Australia's Parliament House,
Canberra with
Natasha Stott-Despoja. After leaving her job as a senator,
Natasha was appointed as
Australia's ambassador for women and girls.
She was subsequently appointed to represent
Australia on the UN CEDAW committee. CEDAW is the Convention on the
Elimination of All Forms of Discrimination Against Women. The committee
is one of the most influential international bodies concerned with the
status and wellbeing of women. The photograph was taken during the same
period of time where
Jeremy Bicha admits abusing his little sisters.
In the early days of
Debianism, many young teenage males were exploited. Ringleaders have been
interchangeably presenting
Debianism as a hobby, as a philosophical mission and as an activity that
people undertake while being paid by an external employer like
Freexian. Ringleaders pivot between these
definitions of
Debianism depending upon which definition is most convenient for the
ringleaders themselves in any particular situation or dispute.
They used the appeal of a philosophical mission to recruit numerous teenagers,
mostly boys in their mid-teens, who were starstruck by the names of companies
like
Pixar, where
Bruce Perens worked. These teenagers didn't really appreciate the extent
to which they were working alongside people who were being paid six-figure
salaries to do similar tasks. I'm talking about
Joel "Espy" Klecker,
Shaya Potter and
Chris Rutter. Klecker was doing this unpaid work while he was in bed
dying of a terminal illness
(
detailed report).
Shaya Potter appears to be the first documented case of somebody
expelled after he had already resigned.
Chris Rutter even had servers for unpaid
Debianism work installed at his high school. He was observed
working long hours to meet his obligations to
Debianists shortly before walking in front of a car. These may be
the three most prominent teenagers in the early days of
Debianism and it is disturbing to see that two died while one was
subject to gaslighting and ostracized.
Here is a debian-private leaked message where the underage
phenomena is mentioned explicitly:
Subject: Re: why I want the archives on me (was Re: spotter@debian.org)
Date: Tue, 17 Nov 1998 12:56:41 -0500
From: Shaya Potter <spotter@ymail.yu.edu>
To: joost@pc47.mpn.cp.philips.com
CC: debian-private@lists.debian.org
----- Original Message -----
From: <joost@pc47.mpn.cp.philips.com>
>
>On Tue, 17 Nov 1998, Shaya Potter wrote:
>
>> Now that this is out of the way, I'd like to publicly ask if I can have
an
>> archive of all the communication that went on in regard to me.
>
>Strictly speaking I tend to disagree that you or anybody has an a-priori
>right to know what is being said and told on debian-private. It is simply
>a private list. Things would be different if you were mentioned in a
>public list without being able to respond. But that is in all aspects
>clearly not the current situation.
First, I never said I have a right. In many ways I think i don't have a
right, or even if I did, I don't deserve it. I don't think my statements
have implied that I believe I have a right to demand that it be given to me.
I do have a right to ask that it be done. Debian has a right to say yes or
no.
>
>(Nevertheless, I think that it would be considerate to cc: you in
>any discussion that involves you in a very personal manner - this has
>IMHO until now hardly been the case though.)
It hasn't? Than how did the decision to expell me come about? Who told
people who made the decision what happened? Was this all done in private
mail?
>
>If a non-subscriber of debian-private must share in the conversation on
>debian-private, then this should IMHO be done by adding that person to the
>clearly visible cc: line of the header of any messages to be "published."
>That way, it will be adequately clear that the correspondence leaves the
>realm of debian-private and thus everybody can conclude that normal
>confidentiality can not be expected. AFAIK respect for the confidential
>nature of debian-private is a prerequisite for subscription to this list.
I would have respected the confidentiality, as I have made it known that I
don't want this to spread, as I am embarrased by my actions.
>
>Practically speaking, I disagree that the underlying case generally
>concerns you. What matters here is not who Shaya Potter personally is or
>what particularly Shaya Potter did. The discussion is about how issues
>like the one involving you relate to Debian. This discussion does not
>involve you personally.
I don't want the entire discussion, I just want to see the parts that touch
on me personally. I don't care for the rest, of what about underage
developers and the like....
>
>> I was told that it would not be a star chamber, and that I'd be cc'd in
>> on all the corrospondace. That didn't occur.
>
>There was no "star chamber." You have already been generously cc:'-ed.
I was? The only cc:'s I ever got were in response to me starting a thread.
That implies to me, that acc. to what you were saying, that no discussion
on -private occured that I didn't start. However, I know this not to be the
case, as before I was unsubscribed from -private, I saw a thread or 2
started that dealt with me.
>
>IMHO you do not have a right to be cc:-'ed on the _general_ discussion
>which does not particularly (personally) involve you.
never said I did.
>
>> Also, I really have no idea of what discussion went on, if mistruthes
>> were spread about the incident (as in reality, I'm the only one that
>> knows completely what happened, and no one really ever asked me for the
>> full story).
>
>If this worries you so much, then I seriously wonder why you did not
>immediately relate it to debian-private when the issue arose in the first
>place?
I did apologize on -private right away, however, I didn't want to spread
what I did. I specifically told people that I would rather this not be
discussed on -private and have me showed the door quietly, and told never to
come back. That didn't happen, it was discussed on -private. I don't know
what was discussed in relation to me, so I want to be informed.
>
>Again, the discussion is not yours. Again, you are not personally
>involved. Your only "role" in the discussion is that you have created a
>precedent. I thinks we can all agree that we would rather have had you
>not be a precedent case, but it happened. I'm very sorry, but you'll
>have to blame yourself for that.
Trust me, I've blamed myself a lot for this. If you seen any of my
corrospondance you would know this. I don't blame anyone for my
predicament, but myself.
>Discussion on debian-private does not count as a statement from Debian.
>So there simply were no statements. I'm not really in favor of making any
>strong or overly verbose statements either. If there ever is to be a
>statement from Debian about an issue such as the current one involving
>Shaya, I think that person should be briefed thoroghly beforehand.
I'm not talking about a debian statement. I don't want a public statement,
and I know a lot of people from debian don't want one either (though some
might). What I meant by statements, was statements that individuals made,
that might be incorrect, or inacurate.
>Shaya, can you please just put this to a rest? IMHO it is not very
>productive for anybody. And please take it from me that you have no
>reason to be concerned that you have been in a "star chamber."
I am not worried about a star chamber, I would have prefered it in many
ways. However, at least with a star chamber you usually get to see the case
presented against you, even though you don't have the ability to defend
yourself. As I said many times, my case is indefensable, so that wouldn't
bother me.
Shaya
We find exactly the same phenomena in the
Jeremy Bicha abuse testimony. His sister tells us she was too young
to know the words for what he was doing in her underpants.
In October 1999 the role of teenagers was back in the spotlight:
Subject: Debian Death March
Date: Thu, 7 Oct 1999 17:41:25 -0700 (PDT)
From: Jonathan Walther <krooger@debian.org>
To: debian-private@lists.debian.org
Guys. Is Debian still the hippest, coolest, happeningest distribution
around, or are we a dinosaur lost in the forest?
The posts I've read on this list today reek of a Death March.
Yes, many of the Debian originals have moved on, retired, or fallen
quiescent. Others of us have had sudden changes in our life; new jobs, loss
of jobs, loss of internet access, newborn infants, need to spend time with
spouses and loved ones.
Many of the rest have gotten tired. The friends they joined this marvelous
big project with are no longer around... The stress of mentoring up a new
generation of package maintainers, and hopefully core developers falls on
their already burdened shoulders, taking away from their time spent coding.
As social scientists know, the future is the children. Or in our case, the
future is the teenage "hackers" getting their first computer, going in their
first irc chatroom, using their first nuker... and realizing there is
something far more interesting, constructive and beautiful beyond the raw
violence of their little world. An ordered system of many parts, of many
people collaborating in peace, cooperating on a scale that they will take
for granted, because we have made it seem so natural, but which makes any
sane adult boggle at our achievement.
[ ... snip ... ]
Given that
Debianism has the exploitation of youth in its DNA, it is really sad
to see that a
registered sex offender and various characters with similar tendencies
were put up on a pedestal in the era of
Chris Lamb.
In 2002, the Boston Globe's Spotlight team published
their reports about the
Catholic abuse crisis. The reports were not simply about the actions
of individual paedophiles. The journalists went to great lengths to examine
how the institution had ordained the wrong people and stonewalled victims.
In the
Debian harassment culture, we see much the same thing. People who ask
questions are censored on the mailing lists. The leaders stonewall and
refuse to answer questions or provide reports about the
Debian suicide cluster and their knowledge of
Jeremy Bicha's history.
Subject: Re: Nut-case of the day - Was: [Fwd: URGENT: This is potentially a threat to your and others personal security]
Date: Tue, 6 Jan 2004 12:53:33 -0700
From: Joel Baker <fenton@debian.org>
To: debian-private@lists.debian.org
On Tue, Jan 06, 2004 at 03:28:03PM +1100, Russell Coker wrote:
> On Tue, 6 Jan 2004 15:23, Joel Baker <fenton@debian.org> wrote:
> > I could probably arrange for Debian to have a TG developer, but somehow,
> > this doesn't seem like a primary qualification; we don't have quotas. :)
>
> If they can code well or can be taught to code well then please get them in!
>
> Especially if they have some skills at kernel coding. I think that we could
> do with having more skilled developers dealing with the kernel patch
> packages.
What I didn't mention is that it would probably involve me bribing her to
deal with it; she doesn't find Debian to be quite worthwhile enough on its
own merits (she likes it, she just likes FreeBSD better, and has little
enough time to spare overall that short of someone making it worth giving
up what else she does, it isn't worth it).
This would be the primary reason she isn't already a DD, since the only
part of NM that would pose any issue at all is the wait (I can sign her
trivially, and passing the requirements is a no-brainer). But we don't
really need another developer not doing much most of the time, and I
have better uses of the money than paying her to work on it. :)
--
Joel Baker <fenton@debian.org> ,''`.
Debian GNU/NetBSD(i386) porter : :' :
`. `'
`-
In 2006,
Red Hat opened their main research site in
Brno, a small city in the
Czech Republic. The
Czech Republic had joined the
European Union (EU) in 2004.
Thanks to the Freedom of Movement policy of EU countries,
Red Hat could employ young male graduates from any other EU country and
bring them to work in
Brno without any uncertainty about residence permits and visas. Over
the years, thousands of young and predominantly male engineers came to work
for various multinational companies in this remote part of the
Czech Republic. At the same time, young women from eastern European
countries were all leaving small cities like
Brno and either moving to the capital,
Prague or moving to other cities like
London,
Paris and
Berlin. These arrangements created a huge imbalance. Thousands of
highly paid young single men found themselves competing for the very
small group of women who decided not to leave. A lot of the companies
started talking about the need for diversity programs. While
nobody says it out loud, it looks like these programs are intended to
increase the size of the dating pool in these offshore centers.
Official statistics tell us that
Brno has the highest suicide rate in the country.
When eastern European countries joined the EU, some of the western
countries like Germany and France introduced a temporary delay on
Freedom of Movement for workers. The delay didn't apply to
Freedom of Movement for wives and girlfriends.
This table shows us that workers from
Czech Republic could go to
the
UK immediately after joining the EU in 2004 but they could not
take jobs in
France until 2008 or
Germany until 2011. As a consequence, young women could use
Freedom of movement to marry somebody in a rich country but
many young men had to stay in the
Czech Republic. The young men who remained found themselves in direct
competition against the
Red Hat workforce for the last girlfriends who remained in
Brno.
During that period, I was living to the north of
London near to
Luton airport. Thousands of people from eastern Europe were arriving
every day on the low cost airlines. It was fairly easy to distinguish
the tourists from the people who were relocating. The people relocating
under Freedom of Movement had typically purchased the maximum
luggage allowance and arrived with their whole life in a suitcase that
was so overloaded it looked like it was about to burst. In particular,
a lot of the women who arrived like this were making the move alone with
no safety net. Their plan was to get off the plane and find a room,
a job and a husband. These are the women who the
Red Hat employees in
Brno missed out on.
In January 2006,
Raphael Hertzog infamously used the debian-devel-announce email
list to promote a message about an external product,
Ubuntu that not everybody is interested in.
Andrew Suffield adapted the subject line of
Hertzog's email to promote lesbians instead of
Ubuntu. Some people speculate
Suffield chose the word lesbian because it looks a little bit
like the word Debian and there are a disproportionate number of
LGBT people lurking in the mailing lists.
To: debian-devel-announce@lists.debian.org
Subject: For those who care about their packages in Ubuntu
From: Raphael Hertzog <hertzog@debian.org>
Date: Fri, 13 Jan 2006 23:35:24 +0100
Hello fellow Debian developers,
let me explain shortly why I'll speak of Ubuntu on a Debian announce
list. I know that many of you do not like the Canonical marketing saying
that "Ubuntu is contributing back" because the most visible official
contribution is scott's patch repository and that all other successful
collaboration has been made at the level of individual developers who are
"friendly to Debian" and not because Canonical's policy ask them to do
so.
[ ... snip ... ]
To: debian-devel-announce@lists.debian.org
Subject: For those who care about lesbians
From: Andrew Suffield <asuffield@debian.org>
Date: Sat, 14 Jan 2006 15:00:40 +0000
Since this sort of thing is apparently okay nowadays, and I know that
a lot of you like looking at lesbians, I'd like to share this with
you:
http://www.flickr.com/photos/63978244@N00/81351129/in/photostream/
[And for the sarcasm-impaired: debian-devel-announce is for Debian
development, not anything that you (or any other group of people)
happen to be interested in. Don't post irrelevant stuff here. It would
be a real shame if the list had to be moderated because people can't
exercise good judgement. Anything sent here should be of interest to
an overwhelming majority of Debian developers, *at least* - if you're
using phrases like "for those who care about X", it belongs somewhere
else, like X-announce.]
--
.''`. ** Debian GNU/Linux ** | Andrew Suffield
: :' : http://www.debian.org/ |
`. `' |
`- -><- |
The message links to this image. It is off-topic but the content is not
illegal in any western countries.
Excuse the pun, the tit-for-tat continued with even more messages
based on the same subject line template:
Not long after that, in May 2006,
DebConf6 took place in
Mexico. One of the candidates in recent
Debianism elections,
Jonathan Walther (Ted), brought a local woman,
Hilda, to the conference dinner. People quickly started the rumour
that
Hilda was a prostitute. Nonetheless, she was the local dentist. To
this day, dozens of messages about the rumour are present online in various
web sites and debian-private archives.
(
more details about the rumours and DebConf6 fight).
To understand why there was so much gossip and aggression at the
DebConf6 dinner, you need to look at who really slept with who
and then
read the story again. The leaked
room list tells us that
Holger was sleeping with
Amaya.
Amaya helped start the rumour and
Holger is the one who ended up exerting physical pressure on the victim,
Jonathan Walther (Ted). When people are sleeping together, they don't
always behave rationally any more.
From: Joerg Jaspert <joerg@debconf.org>
To: rooms@debconf.org
Subject: Re: [Debconf-announce] Room allocation
In-Reply-To: <20060328120500.GA10651@localhost> (Margarita Manterola's message
of "Tue, 28 Mar 2006 09:05:00 -0300")
Organization: Goliath-BBS
[ ... snip ... ]
> * Who you would NOT like to share the room with.
I dont care that much who is in my room, as long as its not
Jonathan/Ted "krooger" Walther or Jeroen van Wolffelaar or Amaya.
[ ... snip ... ]
Date: Fri, 31 Mar 2006 17:39:37 +0200
From: Adeodato =?utf-8?B?U2ltw7M=?= <dato@net.com.org.es>
To: rooms@debconf.org
Cc: Holger Levsen <debian@layer-acht.org>,
Jesus Climent <jesus.climent@hispalinux.es>,
Amaya Rodrigo <amaya@debian.org>,
Alberto =?utf-8?B?R29uesOhbGV6?= Iniesta <agi@inittab.org>,
Marcela Tiznado <mtiznado@linux.org.ar>,
Isaac Clerencia <isaac@debian.org>,
Jacobo =?utf-8?Q?Tarr=C3=ADo?= Barreiro <jacobo@debian.org>,
Javier Fernandez-Sanguino <jfs@computer.org>,
Ana Beatriz Guerrero =?utf-8?B?TMOzcGV6?= <ana@ekaia.org>
Subject: Room preferences for a bunch of ~Spanish people
Hey marga!
Some (mostly) Spanish people have been talking among us, and we'd like
to share room at DebConf. We've thought that it'll be easier for you
if we just write you one mail saying who we are, instead of each of us
mailing you privately with our preferences. :)
So, we'd like:
- a 6-sized room for both DebCamp and DebConf (from 5th to the end)
- a 4-sized room for DebConf only (from 13th to the end)
The involved people (in order of arrival, all of them CC'ed) are:
Holger Levsen <debian@layer-acht.org>
Jesus Climent <jesus.climent@hispalinux.es>
Amaya Rodrigo <amaya@debian.org>
Alberto Gonz=C3=A1lez Iniesta <agi@inittab.org>
Adeodato Sim=C3=B3 <dato@net.com.org.es>
Marcela Tiznado <mtiznado@linux.org.ar>
Isaac Clerencia <isaac@debian.org>
Jacobo Tarr=C3=ADo Barreiro <jacobo@debian.org>
Javier Fernandez-Sanguino <jfs@computer.org>
Ana Beatriz Guerrero L=C3=B3pez <ana@ekaia.org>
Thanks in advance,
In 2006, the
GNOME people created the
Outreach Program for Women (OPW), which was subsequently renamed to
Outreachy. The program pays young female interns to associate with
the developers. The women are not expected and not always trusted to
do development work themselves. Many of the women were offered free trips
to conferences all over the world.
Subject: Total world domination through therapy and free software!
Date: Sun, 31 Dec 2006 13:25:08 +0100
From: Amaya <amaya@debian.org>
Organization: Debian - http://www.debian.org/
To: debian-private@lists.debian.org
Russell Coker wrote:
> True. But we can only change some things and only in some areas.
Sure, we are just humans :)
> I will always have little sympathy for someone who complains bitterly
> about unfairness when by any objective metric they would be regarded
> as being in the most fortunate few percent of the world's population.
Yes, as in having clean tab water. Ack.
> Do you think it might be beneficial to have some group sessions at
> Deb-conf's to help us deal with these things?
I strongly believe in the group sauna effect :)
> Debian has a huge pile of money that is apparently not being spent,
> booking a good psychiatrist for a day for every DebConf would not make
> much of an impact on Debian finances and might have a good impact on
> productivity.
s/psychiatrist/therapist/ Maybe someone that is experienced in large voluntary communities could
give a talk, or workshop, or both.
It would be interesting to know wether anyone knows a person that could
help us this way. I could talk to some people if the idea doesn't look
stupid to the rest you the people reading this.
--
·''`. If I can't dance to it, it's not my revolution
: :' : -- Emma Goldman
`. `' Proudly running Debian GNU/Linux (unstable)
`- www.amayita.com www.malapecora.com www.chicasduras.com
By 2008, they were already talking about how they would recruit people's
teenage children. This was well before the
Debian pregnancy cluster started producing said children.
Subject: Re: [VAC] Going to the chapel ...
Date: Tue, 22 Jul 2008 16:12:29 +0200
From: Lionel Elie Mamane
To: debian-private@lists.debian.org
On Sat, Jun 28, 2008 at 03:29:27PM +1000, Russell Coker wrote:
> On Saturday 28 June 2008 14:32, Benjamin Seidenberg
> wrote:
>> The question is, will we accept parental signatures on the GPG keys?
> Why wouldn't you accept a parental signature? (...)
> Advocacy however is a different matter. We want advocates to not be
> excessively biased, and I'm sure that while growing up we have all
> seen adequate evidence of parents who think that their children are
> angels while everyone else knows the truth...
> Of course if a parent was to quietly encourage the NM people to keep
> their child in the queue for an extra year or two then I think we
> should accept such a recommendation.
I fail to see why this is obviously desirable; parents can also be
biased in the other direction, that is think their late teenage
children are like one-year olds that cannot cross the street without
their supervision.
--
Lionel
Around the same time, in June 2008,
Jeffrey Epstein made a guilty plea on two charges in state court.
He was sentenced to 18 months in a county jail, which is less
onerous than a state prison. He was authorised to participate in a
work release program whereby he could leave the prison for sixteen
hours per day, six days per week. It is rumoured that he was unhappy
with his probation officer and exploited political connections to have the
probation officer moved elsewhere.
Jeffrey Epstein worked as a schoolteacher before getting into finance.
Therefore, he is far more culpable than a twelve-year-old juvenile
offender like
Jeremy Bicha.
"I first met my wife at the “International Conference on OpenSource� 2009 in Taiwan. So OpenSource, Debian and me being some tiny wheel in the system wasn’t entirely news to her."
If any other random developer meets a woman at a conference they are insulted
and told that relationships are a bad thing. Yet for the oligarchs representing
Debian at events, it is open season on women. This relationship helped bootstrap
the Debian pregnancy cluster.
In 2010,
Jeremy Bicha's older sister went to Bob Jones university. The on-campus
therapist gave her bad advice. The sister went to a more victim-oriented
off-campus center,
Julie Valentine Center. After counselling there, the victim and another
sister, who is also a victim, reported the abuse to
police.
US Navy investigators immediately questioned
Jeremy Bicha. He admitted the allegations about his childhood are true.
He was immediately terminated from Navy employment.
In August 2010,
DebConf10 was in New York City. By this stage, we can see
Debianism had well and truly adopted a
cult lifestyle. A group of couples share rooms. They pretend
we have no money while keeping it for themselves. They are pretending that
bringing your wife is diversity.
Shortly after
Adrian von Bidder-Senn died, his wife,
Diana von Bidder-Senn sent an email revealing she was oblivious to
what he was doing on his computer. In hindsight, we can see that both
Adrian and Diana were tricked by
Debianism in different ways:
Subject: Re: condolences for Adrian
Date: Mon, 25 Apr 2011 15:02:18 +0200
From: Diana von Bidder <diana@fortytwo.ch>
To: Stefano Zacchiroli <leader@debian.org>
Dear Stefano
Thank you for your wonderful mail! Yes Debian and people were very
important to Adrian. I was glad that he was not only sitting alone in
front of his computer but to know that there are people out there that
estimate him and are his friends even if most of you did not know each
other personally.
The way you describe him (empathy, calm, insight, ... - just the Adrian
I know) assures me on how good friends of Adrian are out there. And I
will always continue to think of this (in a good way!) when continuing
to use debian (which I became quite fond of because of Adrian).
It's a pity that he couldn't go to Banja Luca anymore which he did so
much look forward to. Anyway, I wish you all the best and hope you
continue your good work.
- Diana
The family asked for donations to AMICA Schweiz, a charity that
helps women abused during the conflict in the Balkan countries. People
argued about it on debian-private.
Subject: Re: Death of Adrian von Bidder
Date: Thu, 21 Apr 2011 08:56:04 +0200
From: Andreas Tille <andreas@an3as.eu>
To: debian-private@lists.debian.org
Hi,
I admit that e-mails about emotions tend to be turned into flames
and I do not want this here.
On Thu, Apr 21, 2011 at 07:24:59AM +0200, martin f krafft wrote:
> I suggest that we donate 200 CHF from the project (price of a nice
> wreath with writing). If there are other donators, please get in
> touch with me.
The donators of the Debian project intend to spend money for the
development of the Debian project. If we spend Debian money for a
wreath (or any form of replacement donation) this is not related to the
development of Debian. It is rather *us* *people* who say goodby to
a friend. So the money should not come from project funds but rather
from single developers.
Saying this I would like to vote against spending Debian money but
rather doing a separate collection. I could live with some kind of "de
facto" collection like this: I will ask for Debian money for DebConf.
In case Debian project money is really spended for Adrian's funeral I'd
simply ask for 10Euro less than I would have done otherwise.
Please do not get me wrong: I'm in any case for showing that the Debian
community is sad about the dead of Adrian. But I'm not convinced that
this purpose is in the interest of our donators and it finally comes
quite cheap for us individuals to simply spend Debian money.
Kind regards
Andreas.
--
http://fam-tille.de
In December 2011,
Martin Krafft describes
Debianism itself as a teenage culture. His fingers get a mention
in the email signature:
Subject: Mooing solves everything
Date: Wed, 7 Dec 2011 22:14:13 +0100
From: martin f krafft <madduck@debian.org>
Reply-To: madduck@debian.org
Organization: The Debian project
To: debian private list <debian-private@lists.debian.org>
[Writing to -private with Reply-To set, because this is clearly
a classified topic]
We know about super cow powers and swallowed elephants, and the
power of the Mooing.
What I want to do is collect cow-related stories of relevance to our
project, to prevent an inside joke from dying as Debian prepares to
exit teenagehood.
So, please hit me. What does Debian have to do with mooing?
--
.''`. martin f. krafft <madduck@d.o> Related projects:
: :' : proud Debian developer http://debiansystem.info
`. `'` http://people.debian.org/~madduck http://vcs-pkg.org
`- Debian - when you have better things to do than fixing systems
on the other hand, you have different fingers.
At the same time, in December 2011, a young transgender straight out
of an elite French high school was given a paid job in a student-run
Internet Service Provider, the
CR@NS network at
ENS Cachan. One of the older students, Debian Developer
Nicolas Dandrimont, was dating this vulnerable young person at
the same time as paying them and trying to help them
get Outreachy money. Recall the original discussion about offering
money for transgender participation many years prior. Offering
these people moral support may be acceptable but offering large
sums of "diversity" money at a point when they are unsure of their
identity appears to be highly unethical.
Subject: DM application of Jeremy Bicha
Date: Fri, 30 Mar 2012 18:58:41 -0400
From: Jeremy Bicha <jbicha@ubuntu.com>
To: debian-newmaint@lists.debian.org
CC: Jordi Mallach <jordi@debian.org>, Michael Biebl <biebl@debian.org>,
Sebastien Bacher <seb128@debian.org>, Martin Pitt <mpitt@debian.org>
This is my declaration of intent to become a Debian Maintainer
<URL:http://wiki.debian.org/DebianMaintainer>.
I have read the Social Contract, Debian Free Software Guidelines and
Debian Machine Usage Policy and agree with all of them.
Currently, I maintain the package kabikaboo
and I co�maintain the GNOME packages with the Debian GNOME Team.
My GnuPG key EBFE6C7D is signed by the Debian Developer Andres Mejia.
I look forward to becoming a Debian Maintainer. Thanks for your attention.
Jeremy Bicha
--
To UNSUBSCRIBE, email to debian-newmaint-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact
listmaster@lists.debian.org
Archive: http://lists.debian.org/4F763AA1.1050503@ubuntu.com
Subject: Re: DM application of Jeremy Bicha
Date: Tue, 3 Apr 2012 07:24:13 +0200
From: Martin Pitt <mpitt@debian.org>
To: Jeremy Bicha <jbicha@ubuntu.com>
CC: debian-newmaint@lists.debian.org, Jordi Mallach <jordi@debian.org>, Michael Biebl <biebl@debian.org>, Sebastien Bacher <seb128@debian.org>
Hello Jeremy,
Jeremy Bicha [2012-03-30 18:58 -0400]:
> This is my declaration of intent to become a Debian Maintainer
> <URL:http://wiki.debian.org/DebianMaintainer>.
>
> I have read the Social Contract, Debian Free Software Guidelines and
> Debian Machine Usage Policy and agree with all of them.
>
> Currently, I maintain the package kabikaboo
> and I co�maintain the GNOME packages with the Debian GNOME Team.
I've seen your great activity in both Debian's and Ubuntu's GNOME
team. You have demonstrated the ability to deal with nontrivial
packaging situations, a sustained enthusiasm and dedication, and good
collaboration with upstream as well. I fully support your application
for DM, thanks!
Martin
--
Martin Pitt | http://www.piware.de
Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)
On 15 May 2012,
minutes of the GNOME Foundation tell us that
Jeremy Bicha was one of six people given voting rights in the foundation.
Many open source developers have never had the right to vote in any of these
incorporated bodies. It appears that
Jeremy Bicha was able to renew his membership and thereby maintain this status
even during his subsequent prison term.
In April 2013, the
Debianists decided to start offering money to young women under the disguise of
Outreach Program for Women (OPW), which was later renamed to
Outreachy. The Debian
constitution explicitly says that contributors must be volunteers. Therefore,
the payments to these young women are illegal under the constitution and may
be illegal in other ways too.
...
3.2. Composition and appointment
Developers are volunteers who agree to further the aims of the Project insofar as they participate in it, and who maintain package(s) for the Project or do other work which the Project Leader's Delegate(s) consider worthwhile.
...
Here is one of the early advertising banners promoting the illegal payment of
$4,500. The
GNOME Foundation logo is on the woman's foot. It is an uncanny coincidence
the logo strongly hints at the unison of male and female genitalia:
In July 2013, I publicly resigned from the
Australian Labor Party (ALP) due to abuse of female
asylum seekers from Iran. In the resignation email,
which was leaked to Australian political news site Crikey,
I compared the scandal
to the Catholic abuse scandal. I think this may be the first time my name
was on the public record as a supporter of victims. This was well before the
Spotlight movie and the #MeToo phenomena, therefore, it
can't be suggested that those latter revelations influenced the strong words
used in my resignation in 2013.
In September 2013,
Jeremy Bicha was convicted and sentenced to three years in a state prison.
The state prison is a far more onerous punishment than the county jail where
Jeffrey Epstein was briefly incarcerated. The duration of
Jeremy Bicha's sentence is double the 18 month sentence imposed on
Epstein.
At the sentencing,
Bicha's defence lawyer asked the judge not to put his name on the list of
registered sex offenders. This is a controversial topic. The
police have also asked the judges not to automatically put every criminal
like this on the list. The more pragmatic police commanders want these lists of
registered sex offenders used for those pathological predators who never
truly change their ways. Looking at the allegations against
Bicha, he personally stopped offending at 15, during his childhood and there
is no evidence he is committing similar crimes as an adult. To put it another
way, if a child goes missing, the local
police want to be looking at a list of the top twenty lifetime sex
offenders who are dangerous enough to deserve a house call. If the police are
confronted with a list of over a thousand
registered sex offenders in their district they have no way to know
which of those people to visit first.
In Australia and other countries, the media is normally prohibited from
publishing the names of juvenile offenders. In a way, the young boys
are considered victims of their parents' failures. On that basis, they
have a right to privacy equivalent to the rights of the abuse victims.
Nonetheless, this type of restriction doesn't appear to be applicable
in the United States. Nonetheless, if the local pastor and schoolteacher
were not part of the story, it is unlikely the newspapers would publish
the story at all.
In November 2013,
Paul Tagliamonte sent the following message to the leaked
debian-private email list. It concerns a young woman who
applied for the
OPW / Outreachy money. Why are these men always thinking about the
age-of-consent when women are mentioned?
Subject: Re: OPW Student in Kingston, Jamaica
Date: Mon, 25 Nov 2013 13:39:12 -0500
From: Paul Tagliamonte <paultag@debian.org>
To: Joachim Breitner <nomeata@debian.org>
CC: debian-private@lists.debian.org
On Mon, Nov 25, 2013 at 06:37:36PM +0000, Joachim Breitner wrote:
> Hi,
>
> Am Montag, den 25.11.2013, 13:18 -0500 schrieb Paul Tagliamonte:
> > She's got a PhD, so I think this could also be a good beersigning, if
> > she drinks.
>
> not having a PhD yet I wonder what expects me: Will I be a better
> drinker after I get the degree? Or a better keysigner? /me is confused.
It simply means she's likely of age in her jurisdiction. All I was
saying is that she's not a high school student.
Cheers,
Paul
--
.''`. Paul Tagliamonte <paultag@debian.org>
: :' : Proud Debian Developer
`. `'` 4096R / 8F04 9AD8 2C92 066C 7352 D28A 7B58 5B30 807C 2A87
`- http://people.debian.org/~paultag
The next time you defend a predator and say,
’Oh, he was just a child,’ remember the faces
of the innocent little ones whose childhood was stolen.
I have mixed feelings about that. It was not "just a child". As the
judge told us, it was the child and the negligent adults together who
left
Jennifer Bicha to suffer this torture. Many other legal cases
have made similar conclusions, including one high profile case where they
recently decided parents were guilty when their child engaged in a schoolyard
shooting spree.
On 3-4 May 2014, the first
OSCAL conference took place in Tirana,
Albania. (
Fedora wiki page). Photos released by the conference organizers suggest
over eighty percent of the participants were young women. In every other
country, we would normally see the gender statistics reversed. In
Albania various theories have appeared about why large numbers of women
came to these events. Some of the women have ended up moving to the city of
Brno in the
Czech Republic.
On 13 July 2014, Italian newspaper La Repubblica publishes a
report about an interview between Pope Francis and editor Eugenio Scalfari.
The late
Pope Francis allegedly told
Eugenio Scalfari that his own advisors have suggested that two percent
is an accurate estimate of the number of priests who are paedophiles. He
deplores their behaviour but on the other hand he insists it is no higher
than the percentage of paedophiles in any other profession.
"Among the 2% who are paedophiles are priests, bishops and cardinals. Others, more numerous, know but keep quiet. They punish without giving the reason,"
"I find this state of affairs intolerable,"
The comment about punishments resonates with many of the
Debianism scandals over the years.
Likewise, the two percent estimate can be applied to large free software
organisations like
Debianism and the
FSFE misfits. These groups typically have a few hundred core participants
and a few thousand loosely affiliated contributors. In the recent
Debianism election, a thousand people were registered to vote. Two percent
of that is twenty paedophiles.
In August 2015, according to reports from the high-profile hush-money trial,
Donald Trump, his lawyer
Michael Cohen and National Enquirer editor
David Pecker had a meeting and agreed on a catch-and-kill plan. It was
alleged that if any woman tried to sell a story about
Donald Trump,
Pecker would buy exclusive rights to the story and then keep the story
hidden until after the election. Similar plots have been created in
open source software communities.
Debianists created the "anti-harassment" team. Fedora has a
"Community Team". These teams pretend to listen to complaints. If a woman
ever makes a complaint about one of the oligarchs or the men employed
by the controlling corporations then the story is covered up.
The woman who made the complaint will receive a polite response but
she will not be invited to any more events. The same theme emerged in the
Harvey Weinsten saga.
Harvey Weinsten's team was afraid some women posed a risk. They
told other movie producers to avoid the women and lock them out of
the industry. Eventually, Lord of the Rings director Peter Jackson
admitted he had excluded some actresses after receiving
Harvey Weinsten's warnings to avoid them. This is the same
phenomena described by
Lunduke in his report
Fedora's Code of Conduct: 200 Day Response Time, Only Protects You if Red Hat
Likes You.
In November 2015,
the movie Spotlight was released in cinemas. It is a biographical film based
on the 2002 Spotlight investigation that exposed the phenomena of
clerical abuse in Boston. A lot of
Catholics and people from other religions have watched the film. In one of the
key scenes in the movie, they discuss the research of
Richard Sipe, who suggests that two percent of men in the general
population are paedophiles but the rate in the
Catholic abuse context is alleged to be six percent. Many people have
speculated whether or not the figure is true and whether the church is
really responsible for it or whether it is some factor out of their
control.
There are approximately one thousand developers in
Debianism today. If two percent are paedophiles that would be twenty
men. We only know the identity of one,
Jeremy Bicha. Who are the other nineteen? We have evidence about
Elio Qoshi's underage girlfriend but in that case,
Qoshi is not a Debian Developer so he is not in the same group for
statistical purposes.
Looking at the culture of
Debianism, it has some awkward similarities to the
Catholic abuse crisis. Therefore, we need to consider the possibility
that the percentage of Debian Developers who are paedophiles, like the
percentage of priests, may be above the two percent average for the
population. If six percent of Debian Developers are paedophiles, that is
sixty paedophiles.
Subject: Jacob Appelbaum and harrassement
Date: Wed, 15 Jun 2016 13:48:53 +0200
From: Mehdi Dogguy <leader@debian.org>
To: debian-private@lists.debian.org
Hi all,
Jacob Appelbaum is currently facing some serious accusations in other
communities, and DAMs are aware of at least two Debian Developers who
have lived and have witnessed situations that are a clear case for
worry.
[ ... snip defamation crap ... ]
None of the emails really tells us what is a "clear case for worry",
to this day, it is still not clear at all.
In contrast, the accusations against
Jeremy Bicha were very clear. He is accused of abusing his little
sisters and at least two other victims. He admitted these accusations
too.
Notice it is a lot like the vendetta against
Ted Walther from
DebConf6. He never committed any crime but after somebody spread a
rumour that his female friend was a prostitute, it took barely one hour
for the whole conference dinner to turn against him and erupt into
violence.
In both the case of
Ted Walther (2006) and
Dr Jacob Appelbaum (2006), the rogue
Debianists have been far too arrogant to admit the rumours were falsified
and give these men and their families the apology they deserve. Yet they are
asking us to ignore the very real abuse convictions against
Jeremy Bicha and welcome him with open arms.
In April 2017,
Chris Lamb was elected for the first time as the leader of
Debianism. One week later, the Fellowship elected me as their
representative to the
FSFE misfits in Berlin. From this point on,
Chris Lamb appeared to be jealous and resentful that another
Debian Developer was in a leadership position in the community.
Today, we see a similar rivalry between the US President
Donald Trump and the other American head of state,
Pope Leo from Chicago.
When women had complaints about certain oligarchs, they had a choice
between going to
Chris Lamb or telling me about it in my capacity as
Fellowship representative.
Women were coming to me with evidence about problems in the community.
Some of the large corporations would have preferred to see those women
reporting problems through channels controlled by the corporations.
To: Jeremy Bicha <jbicha@ubuntu.com>
Cc: debian-newmaint@lists.debian.org, nm@debian.org, archive-184@nm.debian.org
Subject: Re: Jeremy Bicha: Declaration of intent
From: Andreas Henriksson <andreas@fatal.se>
Date: Fri, 12 May 2017 08:55:11 +0200
Hello!
I have personally worked with Jeremy Bicha <jbicha@ubuntu.com> in the
pkg-gnome team where he has been an outstanding contributor for a
sufficiently long time and I know jbicha having full unsupervised
unrestricted upload access to the archive would benefit us in the
team and likely also Debian as a whole on an even wider scale
than before.
I'm aware Jeremy is also very active in Ubuntu and GNOME upstream.
I find it that Jeremy is very good at interacting with upstream as
well as avoiding/resolving conflict or disagreeing opinions, which
means he has atleast two skills that I think we should have more
people like in Debian.
For any AM tasked to question Jeremy I would say you can skip
any regular packaging related questions. If you want to give
him some challange you might want to focus on a more complicated
philosophical question or ask him specifically about Debian
infrastructure and procedures related to those (as he mainly
uploads to Ubuntu and AFAIK has only very limited usaged his
DM privilegies because of the pkg-gnome streamlined sponsorship
workflow).
But to be frank, please consider just fast-forwarding jbicha through
the entire process because any potential knowledge-gap he might
have I'm more than sure we can discuss and handle those within
the pkg-gnome team which has many very experienced DDs that would
happily assist jbicha if needed.
Regards,
Andreas Henriksson
Here is the other advocacy:
To: debian-newmaint@lists.debian.org
Cc: Jeremy Bicha <jbicha@ubuntu.com>, nm@debian.org, archive-184@nm.debian.org
Subject: Jeremy Bicha: Advocate
From: Gianfranco Costamagna <locutusofborg@debian.org>
Date: Fri, 12 May 2017 09:25:12 -0000
I support Jeremy Bicha <jbicha@ubuntu.com>'s request to become Debian Developer, uploading.
I have worked with Jeremy Bicha for quite some time, even if I sponsored just a few packages for him (in Debian).
His work is excellent, he really cares about keeping is packages in a good shape, he cares about transitions and he is quick in reacting when problems are found.
Debian will benefit a lot from his work.
I have personally worked with Jeremy Bicha <jbicha@ubuntu.com> (key 4D0BE12F0E4776D8AACE9696E66C775AEBFE6C7D) for X time,
and I know Jeremy Bicha can be trusted to be a full member of Debian, and have unsupervised, unrestricted upload rights, right now.
Thanks Jeremy for finally starting the process!
Gianfranco
Those are very positive things to write about somebody who has just been
released from prison on parole.
On the weekend of 13 and 14 May 2017, the fourth
OSCAL conference took place in Tirana,
Albania. A girl of fifteen or sixteen years of age created an
online profile for herself in the
Discourse forum software used by the Albanian
Open Labs group. We subsequently learnt this was the girlfriend of
Elio Qoshi, one of the
Albanian ringleaders.
At exactly the same time they are processing
Jeremy Bicha's ordination as a Debian Developer, we saw
Dominik George going through exactly the same process. Messages about
Dominik George explicitly refer to children:
To: Dominik George <nik@naturalnet.de>
Cc: debian-newmaint@lists.debian.org, nm@debian.org, archive-175@nm.debian.org
Subject: Re: Dominik George: Declaration of intent
From: Holger Levsen <holger@layer-acht.org>
Date: Mon, 15 May 2017 14:09:15 +0000
Hi,
sorry for the delay in writing this…!
On Mon, Apr 24, 2017 at 06:54:13PM -0000, Dominik George wrote:
> I would like to apply to change my status in Debian to Debian Developer, uploading.
yay, this is pretty good news for Debian and for Debian Edu and probably a
bunch of others! :-)
I've met Dominik the first time for "real" (*) at the Debian Edu gathering
in Oslo in December 2016 where I could see him working & discussing and also
learned a few things he does outside Debian, which also involves computers,
kids & schools.
(*) we've briefly bumped into each other before and said hi or so :)
http://layer-acht.org/thinking/blog/20161221-debian-edu-sprint-in-oslo/
shows him wearing a DebConf15 t-shirt, so you might met him too ;)
Not related to Debian, but very much showing his dedications,
is that he is involved in another project with kids + young adults, which
in the last years brought 20-30 young adults to the chaos communication congress:
https://www.teckids.org/hacknfun_2016_xmas.htm
The technical discussions we had in Oslo, plus the ones I've seen on IRC,
plus the questions he had and the attitudes he showed make me believe that
Dominik will be a great DD and contributor to our project and beyond!
I cannot fully vouch for him technically, as we work on different areas in
Debian Edu and I've only reviewed bits of his work, but I'm confident he'll
manage NM well! So I'm much looking forward to him becoming a DD!
--
cheers,
Holger
I will progress this application and assign an application manager shortly, but the key issues need to be resolved before the application can be finalised. Please work with your AM on that.
Where he writes "key issues", he is referring to issues with the PGP key.
There is no reference to the abuse.
Subject: Jeremy Bicha: Application Manager report
Date: Tue, 08 Aug 2017 21:09:52 -0000
From: Gunnar Wolf <gwolf@gwolf.org>
To: debian-newmaint@lists.debian.org
CC: Jeremy Bicha <jbicha@ubuntu.com>, archive-184@nm.debian.org,
nm@debian.org
I have reviewed Jeremy Bicha's answers for the NM process, and am more
than satisfied by them. I have also been approached in DebConf by his
team mates, who very strongly recommended him as a DD. I am of the
opinion the project will win quite a bit having him as a full DD with
unimpended upload rights.
Gunnar Wolf (via nm.debian.org)
--
https://nm.debian.org/process/184
People are cheering him on:
Subject: Re: Jeremy Bicha: Application Manager report
Date: Tue, 8 Aug 2017 18:17:15 -0400
From: Andrew Shadura <andrew@shadura.me>
To: debian-newmaint@lists.debian.org
CC: Gunnar Wolf <gwolf@gwolf.org>, Jeremy Bicha <jbicha@ubuntu.com>
On 8 August 2017 at 17:09, Gunnar Wolf <gwolf@gwolf.org> wrote:
> I have reviewed Jeremy Bicha's answers for the NM process, and am more
> than satisfied by them. I have also been approached in DebConf by his
> team mates, who very strongly recommended him as a DD. I am of the
> opinion the project will win quite a bit having him as a full DD with
> unimpended upload rights.
Yay! Congrats! :)
--
Cheers,
Andrew
From 14 to 18 July 2017, the
Digital-Born Media Carnival was held in Kotor,
Montenegro. Some of the women from open source software groups in
Kosovo and
Albania attended. Kotor is an ancient seaside village without any
modern high-rise tourist accommodation. Visitors stay in bed and breakfast
accommodation or holiday houses. On the last night of the carnival, there
was a party by the waterside. The next morning, as we were departing, I
saw one of the
Albanian women coming out of a holiday house that had been rented by
a group of men from another country. There was a bit of hand-holding and
a kiss goodbye. Every time the woman is selected for an internship or
a conference speaking opportunity, over and above every other woman in
the community, I remember that last day in Kotor.
If you are involved in a sports club and you observe somebody had
a one night stand with another member you might not feel any need
to mention it or cause embarassment. However, open source software
hobbyists are claiming to be a model of integrity, merit and security.
Social engineering attacks are often rated as the biggest risk
to modern organisations and their IT systems.
Shortly after that, the
Open Labs non-profit in
Albania had their birthday party in the hackerspace. At least two
underage people were there and at least one of the other women identified
them to me. Separately, women had told me that the youngest girl was
dating the co-founder of the group
Elio Qoshi. They told me a lot of things about
Elio Qoshi, I observed some of those things with my own eyes and I
observed written evidence in requests for travel funding that confirmed
what the women had told me in person. Eighty percent of the group were
female but a lot of the money did not go into the non-profit bank account.
The money was managed by an accountant but there were rumours that the
same accountant was also managing the bank accounts for
Elio Qoshi consulting company. The women on the committee had never
seen a balance sheet or a profit & loss statement for the non-profit
entity.
In September 2017, they promoted an event called
FOSSCamp. Instead of organising it in
Albania, they decided to organise it in a more expensive destination,
Greece and they asked bigger organisations to pay the travel
expenses for a group of people, many of them who were simultaneously
members of the non-profit but also employees of
Elio Qoshi's commercial enterprise. Questioning them about the
event budget, we reached the point where
Elio Qoshi admitted that one of the amounts charged to the bigger
organisations like
Debian was really a payment for his effort organising the event.
The women who collaborated on the organisation did not receive any
equivalent payment. Yet each woman was asked to send a request to
Debian,
Mozilla,
Wikimedia and maybe other organisations asking for diversity funds
to pay the bus fares, ferry tickets, accommodation and management fee.
In the photos from the conference in May 2017, we could see over twenty
young female students participating. Yet women told me that access to
the trip to
Greece was more tightly controlled. Women needed to get permission
to join this trip.
Various people noticed that two or three men were acting as gatekeepers
and rationing funding and travel opportunities for all the women.
Chris Lamb and I were both warned that something dishonest was
happening. I asked questions but
Lamb didn't want to spoil whatever was going on there.
Here is an example where one of the men is giving one of the women,
Anisa Kuci, permission to go on the trip to
Greece:
Subject: Re: Debian at FOSScamp - funding request
Date: Sun, 13 Aug 2017 19:01:58 +0300 (EEST)
From: Giannis Konstantinidis <giannis@konstantinidis.cc>
To: Chris Lamb <lamby@debian.org>, Silva Arapi <silva.arapi@gmail.com>
CC: leader@debian.org, treasurer@debian.ch, auditor@debian.org,
daniel@pocock.pro, Redon Skikuli <redon@skikuli.com>, ping@anisakuci.com
Hey everyone,
just wish to inform you that unfortunately, due to unforeseen external
factors, I won't be able to make it. I'd like to thank the Debian
community for the generous support. We will stay in touch.
To make sure Debian makes the maximum possible impact at FOSSCamp, I'd
like to sugggest Anisa Kuci (cc'ed ) takes my place. Anisa has been a
longtime experienced member of Open Labs Hackerspace, co-organized OSCAL
and is very much interested in further contributing to Debian.
Thanks once more. I wish the best success to Debian and your
participation FOSSCamp.
Kind regards,
-Giannis K.
Something was not right about this. It is clear that
Chris Lamb, as the leader of
Debianism, had been informed about it since this moment in time
or earlier.
Some women see this type of thing as a sport and they actively seek to
join organisations where they can take shortcuts. Other women were
attracted by the promise of an educational or philosophical project,
they contributed their time and skill helping one or two events in
Albania and then discovered that to qualify for a trip abroad, they
had to do the same things the girlfriends were willing to do. Some
of the women felt even more strongly about this, as it impacts their
professional relationships and job searching, they feel the male
gatekeepers are blackmailing them for sex.
In September 2017,
Jeremy Bicha introduced himself on the debian-private (leaked)
gossip network. He stated he is from
Florida and presented himself as a victim of a woman called Irma
(the hurricane):
Subject: Re: Irma
Date: Sun, 10 Sep 2017 13:52:08 -0400
From: Jeremy Bicha <jbicha@debian.org>
To: debian-private@lists.debian.org
On Sep 8, 2017 15:55, "Jeremy Bicha" <jbicha@debian.org> wrote:
I intend to follow-up on this list on Monday to let you know I'm ok.
Monday is probably too optimistic because of widespread power outages, but I'll check in when I can.
Jeremy Bicha
Subject: Open Labs / Tirana issues
Date: Thu, 12 Oct 2017 18:15:17 +0200
From: Daniel Pocock <daniel@pocock.pro>
To: Larissa Shapiro <lshapiro@mozilla.com>
CC: Kristi Progri <kristi@kristiprogri.com>
Hi Larissa,
I understand you have received some feedback about issues in Tirana
I was there from 27 September - 5 October and observed some of the
troublesome behavior and the impact on people like Kristi.
The behavior towards Kristi and some of the other women is wrong. I can
also see a danger that challenging the people or their behavior may
split the Open Labs group. Nonetheless, I suggested to Kristi and Anisa
that they should put their own wellbeing first.
I sent a funding request to the Outreachy organizers to sponsor Kristi's
trip to Prishtina where she gave a talk at our Mini DebConf. When I
mentioned this funding in the hackerspace, Redon queried this quite
strongly. I don't feel it is any of his business though if I want to
recommend somebody for funding. The following day, Kristi told me that
Redon had called her and shouted at her. The shouting was apparently
witnessed by other women in the hackerspace with Redon. I reported the fact there are problems in the Debian anti-harassment process.
Various people told me that travel sponsorship should be "shared" and
this attitude seems to be connected with Redon's behavior.
I've told Kristi that she did nothing wrong and did not deserve to be
shouted at.
Another problem that occurred to me is that one person who received
Mozilla travel funding, [ .. redacted ..], is 16 years old and is not
legally an adult.
[ .. redacted .. ]
Regards,
Daniel
The discussion continued. The underage risk was acknowledged on the
Mozilla side:
Subject: Re: Open Labs / Tirana issues
Date: Fri, 13 Oct 2017 23:12:14 +0200
From: Daniel Pocock <daniel@pocock.pro>
To: Emma Irwin <eirwin@mozilla.com>, Larissa Shapiro <lshapiro@mozilla.com>
CC: Kristi Progri <kristi@kristiprogri.com>
[ .. redacted .. ]
> I can comment on under-aged contributors - we do have those from time to
> time, and usually on trips at least parents or chaperon are required.
>
Having underage contributors is not an issue itself and I have no
objection to that.
The issue arises when other groups or businesses align themselves with
local Mozilla groups and seek to benefit from those contributors. I'm
not sure how to deal with that risk completely but there are probably
some things Mozilla could do in that area.
Regards,
Daniel
The discussion about underage continued in more emails:
Subject: Re: Open Labs / Tirana issues
Date: Sat, 14 Oct 2017 08:27:24 +0200
From: Daniel Pocock <daniel@pocock.pro>
To: Larissa Shapiro <lshapiro@mozilla.com>, Emma Irwin <eirwin@mozilla.com>
CC: Kristi Progri <kristi@kristiprogri.com>
On 14/10/17 01:51, Larissa Shapiro wrote:
> I'm not sure, but I can seek legal advice on this matter. In my view,
> there is the potential there for other organizations to take advantage
> of these kids.
>
Even if there is no legal problem (in some countries the laws are very
weak), there is also a risk to the reputation of Mozilla and free
software in general.
I wonder if there are other organizations concerned with children's
safety who can help free software organizations develop a reasonable
approach to this risk?
I realize no organization can stamp this out 100%, but there may also be
some little things that can be done to help reduce risk. E.g. maybe
when Mozilla funds travel, requiring the parents to fill out a chaperon
form that must be submitted with receipts, so Mozilla gets the parent's
contact details and the parents see some child safety text on the form.
Somebody trustworthy could sporadically contact parents and the underage
contributors to sniff out any hints of trouble.
Regards,
Daniel
A few weeks later...
Subject: Re: Open Labs / Tirana issues
Date: Wed, 20 Dec 2017 09:19:39 -0800
From: Emma Irwin <eirwin@mozilla.com>
To: Daniel Pocock <daniel@pocock.pro>
Hi Daniel,
Would you be willing to talk to Marta (HR Investigator) and myself about Redon & Elio and your experiences and what you have witnessed?
Thank you
Having informed at least three other organisations who funded this racket,
including
Debian and
Mozilla, my conscience is clean. Nobody can accuse me of protecting an
abuser.
On 25 February 2018,
Jeremy Bicha submits an advocacy for another
Ubuntu developer,
Tim Lunn to become a Debian Developer:
Subject: Tim Lunn: Advocate
Date: Sun, 25 Feb 2018 15:07:40 -0000
From: Jeremy Bicha <jbicha@debian.org>
To: debian-newmaint@lists.debian.org
CC: Tim Lunn <tim@feathertop.org>, archive-455@nm.debian.org
For https://nm.debian.org/process/455/ on 25 February 2018 :
I support Tim Lunn <tim@feathertop.org>'s request to become Debian
Maintainer.
I first started working with Tim in 2012 on packaging for the Ubuntu GNOME
project. Without Tim, Ubuntu GNOME would not have survived.
Tim and I have been interested for a while in reducing the diff and
duplication of work between Debian and Ubuntu with GNOME packages. Tim
getting upload rights to these packages will help with this goal and will
help make Debian GNOME better for our users.
I have personally worked with Tim Lunn <tim@feathertop.org>
(key 0E0880479A6F1063372395275B39C0A1153ACABA) for several years, and I
know Tim Lunn can be trusted to have upload rights for their own packages,
right now.
Thanks,
Jeremy Bicha
In early March 2018, I posted a message in the
Albanian open labs forum asking why some of the money from the non-profit
Open Labs group was being diverted to a private company,
Ura Design, controlled by
Elio Qoshi. I had observed the women were doing all the work for
free in the non-profit association but some of the men were getting
financial benefits out of that work.
The
Albanian ringleader
Elio Qoshi admits complaining to
Chris Lamb, leader of
Debianism, to help cover up the conflicts of interest. In fact,
the relationship between
Open Labs and
Ura Design was analogous to the relationship between
Debian and
Freexian. Although in this case, it was worse, because there was
also the underage problem. Would the leader of
Debianism put the protection of an
Albanian pimp with an underage girlfriend ahead of the work done
by a real Debian Developer?
Subject: [English] FOSScamp 2017 @ Syros, Greece
Date: Mon, 05 Mar 2018 12:16:45 +0000
From: Elio Qoshi <info@openlabs.cc>
Reply-To: Open Labs Hackerspace Forum <forum+ecf37220dfcc7e2ec1a56392b7b00781@openlabs.cc>
To: daniel@pocock.pro
[ ... snip ... ]
I will try to keep this short but I’m not sure how much I will succeed in that, as this will definitely be the last reply from my side here. I have reached out to the Debian Project Leader to close this issue once and for all.
[ ... snip ... ]
On 5 March 2018 I wrote to women from
Albania asking them to share copies of evidence about
Elio Qoshi hurting and exploiting women. The Debianism leader
Chris Lamb immediately barged in with the comments:
Subject: Re: "free travel"
Date: Mon, 05 Mar 2018 16:40:00 +0000
From: Chris Lamb
To: Daniel Pocock , Anisa Kuçi
CC: leader@debian.org, larjona@debian.org, antiharassment@debian.org
[Adding antiharrassment to CC]
Daniel Pocock wrote:
> If Elio or anybody else has made any other comments like this on the
> private members channel or Telegram and you want to discuss them with me
[..]
Anisa, please feel to drop Daniel from any replies you wish to make, if
you even wish to do so.
(Daniel, thank you for your concern but we have got it from this point
onwards. There will be no need for you to reply further on this thread.)
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org / chris-lamb.co.uk
`-
This is the catch-and-kill strategy that had been described
earlier. When women had a story about
Donald Trump, they were encouraged to give the story to the
National Enquirer and not talk to anybody else. What we see is the leader of
Debianism knew about
Elio Qoshi and he didn't want me, as the Fellowship representative,
making an independent assessment of the underage scandal.
In the
Catholic abuse crisis many senior cardinals and bishops are alleged
to have known about abuse and failed to protect people. In the
specific case of
Gerald Ridsdale described earlier, one of the victims, his nephew
David Ridsdale told the Royal Commission that the late
Cardinal George Pell had offered him a bribe for silence. The
woman corresponding with
Chris Lamb and I was
Anisa Kuci. She was given a series of free trips around the world,
internships and eventually a job at
GNOME.
At the time of that exchange,
Anisa Kuci ignored
Chris Lamb's condescending words and replied in full:
Subject: Re: "free travel"
Date: Mon, 5 Mar 2018 23:51:28 +0100
From: Anisa Kuci <anisakuci9@gmail.com>
To: larjona@debian.org
CC: Chris Lamb <lamby@debian.org>, Daniel Pocock <daniel@pocock.pro>,
leader@debian.org, antiharassment@debian.org
Hello Chris, Daniel, Laura,
Thank you very much for being so supportive.
I read the comments on the thread and to be honest I am really sad that
Elio [Qoshi] said that. It is not true at all.
They (Elio [Qoshi] & Redon) pretend to support women but on the other hand their
behavior towards many of us shows the opposite.
Daniel I feel bad because you have encouraged and helped not only me,
but so many other people, no matter if they are Open Labs members or
not, and also all the attendees from Kosova to learn new things, to work
and improve their skills and knowledge. They are doubting your good
intentions just to remove the attention from the shady things that they
are doing.
The free travel comment is really offensive to me and i feel it should
be offensive to every woman who is part of the community.
I have been contributing and supporting Open Labs since its early days,
and I have put a lot of effort and time, I do this because I believe in
what it is meant to stand for and without waiting something in exchange,
but the situation lately has been not very positive. Daniel has been
present by chance in few cases where situations have been very hard to
go through.
I would definitely like to talk to any of you and tell you more about
everything that is happening here, its fine to me whether it is a video
call, call or just emails.
Please tell me what would be more convenient to you.
King greetings,
Anisa
In May 2018, immediately after that lunch, the
FSFE misfits modified their constitution to
remove the elections for Fellowship representatives. I was the last
person elected as a Fellowship representative before the democracy was
trashed. The
FSFE misfits count
Google and
Red Hat as significant sponsors and they didn't want the Fellows to
have a voice if that voice may not be identical to the voice of the
corporate overlords.
In June 2018, the women from
Albania were offered sponsorship for travel to
DebConf18 in
Taiwan. For the cost of transporting one woman from
Albania to
Taiwan, you could transport five women from countries that are much
closer in south-east Asia.
Subject: Re: [rt.debian.org #7328] DebConf travel pre-payment requests
From: Martin Michlmayr
Time: Fri Jun 29 08:56:42 2018
* Hector Oron [2018-06-28 10:55]:
> I added Martin to the list, he'll be taking care of flight ticket
> purchase if you send him flight details.
This has been taken care of.
--
Martin Michlmayr
https://www.cyrius.com/
Here is an example from a male intern who was waiting for payment long after
DebConf15 finished:
Subject: Re: [Soc-coordination] DebConf travel / GSoC student payments?
Date: Wed, 25 Nov 2015 00:25:18 +0530
From: Komal Sukhani <komaldsukhani@gmail.com>
To: Michael Schultheiss <schultmc@spi-inc.org>
CC: treasurer@spi-inc.org, soc-coordination@lists.alioth.debian.org
Hi Michael,
I still don't got the DebConf travel reimbursement. Have you made the payment?
Sorry for trouble.
On Mon, Nov 2, 2015 at 9:54 AM, Michael Schultheiss <mailto:schultmc@spi-inc.org> wrote:
Apologies for the delays in payments. I should have the payments processed this week and payments shoud be received in approximately 1-2 weeks.
Pictures appeared during the conference showing us
Lior Kaplan from
Israel with his arm around a young woman. This is the same woman who had
her ticket purchased in advance.
In July 2018
Enrico Zini gave a talk titled "Multiple People" at
DebConf18 in
Taiwan. There have been a series of these talks over the years where
these men seek out introverted young male developers who lack confidence.
Remember the case of the young French transgender
recruited straight out of high school. This slide appears to be
telling us that paedophiles and
registered sex offenders are welcome:
Spectrum (Enrico Zini)
Every color is ok.
Think about who you are,
not about who you should be.
In July 2018,
Debianists were having a discussion about whether the weboob
package should remain in Debian or be removed. Here is one of the private
emails about it. Notice they want to remove the package that makes vague
references to female anatomy but they welcomed the guy who is on parole
for sex crime against his little sisters.
Subject: Re: weboob package
Date: Thu, 12 Jul 2018 16:24:28 +0200
From: Ansgar Burchardt <ansgar@debian.org>
To: debian-private@lists.debian.org
On Thu, 2018-07-12 at 14:48 +0100, Ian Jackson wrote:
> Colin Watson writes ("Re: weboob package"):
> > (I haven't decided what I think should be done about it; certainly
> > if I
> > were the maintainer I'd want to disassociate myself from it as
> > quickly
> > as possible ... but the quoted text is a terrible argument.)
>
> Quite.
>
> What on earth could one do as the maintainer of such a thing ? Write
> some kind of machinery (a git-filter-branch construction maybe) to
> automatically rename all this arseholery ?
Oh, come on. It's not like they liken setting up an interrupt handler
with rape like, for example, Xen does. I would certainly think less of
those who associate themselves with this kind of thing.
There is no incest sex involved either (unlike for example [1]). No
glorification of genocide, ethnical cleansings or such either (same
file as [1]). (Hmm, I wonder what happens when one submits a patch for
that...)
Sadly we are associated with it, by virtue of packaging it, and thus
promoting it. And I'm ashamed and embarrassed to be associated with
such hateful content.
> I also note that the upstream webpage lists the logos of a number of
> companies, which I hope have some kind of corporate
> not-looking-like-a-total-wazzock policy. I CBA to complain to them,
> but maybe someone would like to start a fire on Twitter.
Yes, please go and start a nice shitstorm. A great idea, brilliant.
Ansgar
[1] https://sources.debian.org/src/bible-kjv/4.30/bible.rawtext/#L495
Subject: Re: weboob package
Date: Fri, 13 Jul 2018 14:29:58 +0200
From: Axel Beckert <abe@debian.org> [ ETH Zurich ]
Organization: The Debian Project
To: debian-private@lists.debian.org
Hi,
Jonathan Dowland wrote:
> Yesterday I stumbled across the "weboob" package for the first time,
> which includes a slew of binaries with names similar to the following:
[...]
So what? I don't see any problem with that. (And I don't see why
there's a thread on debian-private about it.)
Regards, Axel
--
,''`. | Axel Beckert <abe@debian.org>, https://people.debian.org/~abe/
: :' : | Debian Develoober, ftp.ch.debian.org Admin
`. `' | 4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5
`- | 1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE
Jeremy Bicha himself weighed in on the discussion after
Ansgar brought up the incest:
Subject: Re: weboob package
Date: Thu, 12 Jul 2018 10:53:32 -0400
From: Jeremy Bicha <jbicha@debian.org>
To: ansgar@debian.org
CC: debian-private@lists.debian.org
On Thu, Jul 12, 2018 at 10:24 AM Ansgar Burchardt <ansgar@debian.org> wrote:
> There is no incest sex involved either (unlike for example [1]). No
> glorification of genocide, ethnical cleansings or such either (same
> file as [1]). (Hmm, I wonder what happens when one submits a patch for
> that...)
>
> Sadly we are associated with it, by virtue of packaging it, and thus
> promoting it. And I'm ashamed and embarrassed to be associated with
> such hateful content.
Please stop.
At a minimum, if you are serious about removing Bible texts from
Debian, please start a separate thread instead of derailing this
topic. But I think you may have trouble finding consensus for that
viewpoint and I expect it will stir up lots of conflict.
Thanks,
Jeremy Bicha
This is the reality of the so-called diversity in
Debianism: gay male employees in a range of companies and universities
discussing female anatomy with a
registered sex offender during their working hours.
In September 2018, I completely resigned from my role as Fellowship
representative to
the FSFE misfits. I discontinued all involvement with the group and
I encouraged other people to resign too. Therefore, as I resigned and
made the resignation public, there was no way I had any involvement in
the subsequent scandals with women hired in 2019. Those women were only
hired after I resigned. All the complaints made by women concern
psychological abuse from Matthias Kirschner.
In November 2018, the Wayback Machine captured a snapshot of the team in
Elio Qoshi's private company
Ura Design. We can see the underage girl, who may be 17 by this point
in the story, is now being paid to be a
system administrator. System administrators normally have access to all
the data in a company, including the emails of their own bosses and their
colleagues. In small IT companies like this the director normally keeps the
system administrator powers for himself. It is worth remembering the incident
from the team St Kilda in
Australian football. One of the players was dating the woman known as the
St Kilda schoolgirl,
Kimberley Ametoglou (Kim Duthie). Kim was not really from St Kilda,
she was from Frankston, like
Julian Assange. She expertly extracted all the nude photos of the players
from her boyfriend's computer and published them in what came to be known as
dikileaks. It seems highly unlikely
Elio Qoshi was giving his underage girlfriend access to all his files and
emails. In practice, this appears to be a case of privilege escalation.
The men would put the pictures of the young women on a web site like this
to help the women create an online profile. The women would apply to
bigger organisations for travel grants and speaking opportunities at
community conferences.
This is a photo from the
OSCAL conference in
Albania in 2016. There are so many more women than men in the photo.
What is the real reason more women than men were coming to the
OSCAL conferences? Young female students in
Albania earn approximately ten euros per day working in shops and
restaurants. Did somebody pay these girls to attend conferences and make
it look like a real community? One of the women was told that an
Outreachy internship would be too difficult for her but one of the men offered
to help her submit the application if she gave him half the salary.
Even after my lawyer warned him to terminate all attempts to communicate with
me and send someone else to pick up my work laptop, he came in person to my
house, and was very irritated that I was not alone.
What these incidents reveal is the oligarchs in these groups have come
to view the volunteers and the female subordinates as possessions. The
oligarchs feel they have some God-given authority to make decisions about
the lives of those around them.
In late 2018 or early 2019 one of the
Albanian female whistleblowers was given a job at the
GNOME Foundation.
Kristi Progri has been a member of the committee in the non-profit
Open Labs hackerspace in
Albania. She had been one of the organisers of the
OSCAL conferences. She seems to know the identity of every man
who visited
Albania for these conferences. She knows the age of every young
woman who participated in the conferences. Ever since she started
received a salary from
GNOME Foundation, there has been no more evidence about
Elio Qoshi and the underage relationships.
In 2019,
Google decided to reduce the salaries for
Google Summer of Code (GSoC) interns from $6,000 down to as little as
$3,000 based on each intern's country and
a formula for purchasing power parity. However, the parallel
Outreachy internships, which only pay money to single young women and
don't require the women to write any code, have continued increasing their
salaries a little bit almost every year. For example, a slim and attractive
single young woman in Russia, eastern Europe, India or Brazil is offered
$3,000 to participate in
Google Summer of Code but if the same woman wins an
Outreachy
In February 2019, journalist
Frederic Martel released his book
In the Closet of the Vatican. He alleges that eighty percent
of priests in the Vatican are homosexual. In some open source software groups,
including
Debianism, we seem to be looking at a prevelance of homosexuality that
is higher than what is normal for the community at large.
Most gay men are not paedophiles. It is wrong to suggest they would be.
Nonetheless, when a group presents itself as gay-friendly or when a group
provides an opportunity for gay men to gain more respect from society,
as is the case with both the
Catholic church and
Debianism, paedophiles appear to be attracted to the same group.
Therefore, we have to be even more vigilante.
In June 2019, the diversity crowd hijacked the Debian web site and
replaced the logo colours with the colours for Pride month. The majority
of developers did not consent to this:
To: debian-project@lists.debian.org
Subject: Debian supports pridemonth?
From: Gerardo Ballabio <gerardo.ballabio@gmail.com>
Date: Fri, 28 Jun 2019 11:48:18 +0200
Hello all,
I've just seen this on https://micronews.debian.org/ :
"In support of #pridemonth, Debian changes its website logo. The
Debian Project welcomes and encourages participation by everyone
https://www.debian.org/intro/diversity "
May I please ask who decided that and where was it discussed? (I can't
find anything about it at least on -project.)
I do not think that this is appropriate. Welcoming diversity is one
thing, supporting pridemonth is another thing. Pridemonth is a set of
events with a definite political connotation. I don't think that
Debian should take sides on any specific political issues (except of
course issues that have a relation to free software), especially if
that hasn't been discussed at large among project members and there
isn't a clear consensus.
Is it just me (and am I being blatantly wrong, if so please enlighten
me) or do others share my concern?
Thanks
Gerardo
(Not subscribed, please keep me Cc:d)
It feels creepy when these things happen. The people who do these
things don't care about consent. They feel that what is good for them
is good for everybody else too.
In the US Civil Rights movement, there were groups like the
Black Panthers who were very similar to the
Zizian diversity gang in open source software communities. These
people do as they please and they don't care about the law or the
impact on the lives of those they hurt.
Why did they want so many women from
Albania and
Kosovo to visit
DebConf two years in a row? Was it some kind of bribe or hush money
arrangement to prevent further discussion about the former Fedora Ambassador,
who had been photographed with
Chris Lamb in 2017?
In her talk, she displays a hand-drawn slide where we can see three
selfish people like herself pushing one of the developers. This is how
the selfish people get things without paying for them. They use gossip
and violence, just like the fight at
DebConf6.
Molly de Blanc: Well we can use our collective power to push others
On 10 August 2019,
Jeffrey Epstein committed suicide in his prison cell.
In August 2019, the
GNOME annual conference
GUADEC was organised in the city of Thessaloniki in the north of
Greece. It is very close to
Albania and women from the nearby Balkan countries were brought to the
conference on busses.
On 17 September 2019,
Dr Sally Muytjens
completed her PhD thesis on the topic
An exploration of the existence of clergy child sexual
abuse dark networks within the Victorian Catholic Church. It is extremely
relevant to the phenomena we see today in
Debianism. Various people have publicly praised a
registered sex offender and helped him recycle his reputation at
exactly the same time they are trashing the reputations of honest
developers. The blackmail tactics they use, the games they play with the
vocabulary of abuse and the way they operate in packs to reinforce
their worldview all resonate with the scandals the church has been working
so hard to move away from.
In the context of police corruption networks, this code of silence extended to
“prohibiting disclosing perjury or other misconduct by fellow officers, or even testifying
truthfully if the facts would implicate the conduct of a fellow officer� (Chin and Zhang
2008, 238). Merrington (2017, 61) found that police corruption networks exploit the
light network’s resources to facilitate DN operations. Research on a sports doping
network showed that protecting the network included inflicting harm through bribery,
bullying and threats and enforced a code of silence (USADA 2012 cited in Bell, TenHave and Lauchs 2016, 60). A code of silence or omerta was created by the Italian
mafia and is applied to mafia members and anyone who witnesses mafia criminal
activity to ensure silence regarding their illicit activities (UNODC 2008 cited in Bell,
Ten-Have and Lauchs 2016). Omerta extended to a refusal to give evidence to the
police (Fielding 2017,17). Similar methods were utilised by clergy perpetrator
networks within the Victorian Catholic Church to maintain silence and, hence,
resilience of the network of clergy CSA.
The 80,000 messages on debian-private and similar archives in the
FSFE misfits,
GNOME and
Mozilla are analogous to the code of silence in other institutions.
In the
Albanian scandal, the unpaid female volunteers were asked to sign a
Non-Disclosure Agreement (NDA) even before they were abused. In other contexts,
such agreements only appear after the abuse and during negotiation of the
settlement.
In November 2019,
Anisa Kuci, the
Albanian woman who was seated closest to
Chris Lamb at the
DebConf19 conference dinner was awarded a $6,000
Outreachy internship. The woman had previously worked as a waitress and
had no software development experience.
Remember the teenage boys doing unpaid work to bootstrap
Debianism back in the 1990s.
Joel "Espy" Klecker,
Shaya Potter and
Chris Rutter. They did a huge amount of technical work,
they received no payments and some of them
died. When these women from eastern Europe arrived people started
popping champagne and opening the chequebook:
Matthew Garrett spread dozens of message like this without any evidence:
Subject: Re: expulsions vs Reproducible Builds
Date: Tue, 1 Sep 2020 09:52:17 +0100
From: Matthew Garrett <mjg59@srcf.ucam.org>
Reply-To: discussion@lists.fsfellowship.eu
To: discussion@lists.fsfellowship.eu
On Tue, Sep 01, 2020 at 10:26:40AM +0200, Debian Community News Team wrote:
> a) The different approaches taken to complaints about Appelbaum and
> Lange, even though both complaints arrived at the same time.
One of these complaints involved multiple accusations of rape and sexual assault. The other involved an accusation of aggressive and disrespectful behaviour. Do you believe that these things are equivalent?
--
Matthew Garrett | mjg59@srcf.ucam.org
Subject: Re: expulsions vs Reproducible Builds
Date: Wed, 2 Sep 2020 00:40:21 +0100
From: Matthew Garrett <mjg59@srcf.ucam.org>
Reply-To: discussion@lists.fsfellowship.eu
To: discussion@lists.fsfellowship.eu
On Tue, Sep 01, 2020 at 05:59:46PM -0500, quiliro wrote:
> Matthew Garrett <mjg59@srcf.ucam.org> writes:
> > The Universal Declaration of Human Rights does not require that a
> > volunteer organisation grant membership to a rapist, even if said rapist
> > has not been found guilty in a court of law.
> Are you aserting that Jacob Appelbaum is guilty or are you talking about
> someone else? If you cannot prove something, it is a lie.
I am asserting that he's a rapist, an assertion that is backed up by an array of publicly available evidence.
--
Matthew Garrett | mjg59@srcf.ucam.org
These people think that by forming together like a pack of dogs
and repeating the same rumour over and over again they can trick
the whole world to believe it.
One of the reason dishonest people like
Matthew Garrett make such outrageous lies is to cover up the fact the
"diversity" team was bringing real paedophiles into the world of
open source software. This is a classic trick that every junior
magician knows: make the audience look in some other direction while
you discretely move around the evidence.
At some point in 2021,
Elio Qoshi joined
Canonical Ltd, the company making
Ubuntu, as an employee. It looks like he was employed there for a number
of years but eventually they removed him in about 2025. They didn't make any
comment about why he was terminated. It looks like it happened around the same
time they eventually cut ties with
Jeremy Bicha in 2025. Here is a screenshot
of his LinkedIn profile when he was in
Canonical Ltd:
Why are the companies supporting the
Albanians like this? Quite simply,
Elio Qoshi knows the identity of every male developer who visited
the conferences in
Albania. He knows who they spoke to. Most men who look for a wife in
these countries are looking for an adult. If one or two men were looking
for something less than legal then they may well have asked
Elio Qoshi, who had his own underage girlfriend, to help them find what
they wanted. He is one of the few people who would know who those men are
and what they did. The controlling corporations don't know what he knows and
they probably don't want to know either. But what they do know is that as
long as he is on somebody's payroll, the secrets will stay buried.
Shortly after that,
IBM Red Hat began a legal case to seize the domain name
WeMakeFedora.org. They used my blog
Google, FSFE & Child Labor as their evidence that I was publishing
"critical commentary". The legal panel ruled in my favor and moreover,
ruled that
IBM Red Hat was using the legal process to harass me.
See the legal documents here.
In hindsight,
now that everybody knows the truth about
Elio Qoshi and
Jeremy Bicha, people can see that I had good reason to publish the grave
concerns I have about the
FSFE misfits recruiting children to do unpaid work.
In January 2022,
Canonical, the company of
Mark Shuttleworth, decided to employ
Jeremy Bicha. It is not clear if he was previously being paid as a
subcontractor while in prison or on parole. It appears that the move to
permanent employment coincided with the end of his parole period in 2021.
Did the company know he was on parole while interacting with their
developers?
In February 2022, people noticed the speaker profile for
Elio Qoshi had been
removed from the web site of the
FOSDEM conference. No explanation was given. When
FOSDEM removed him, other volunteers were never officially warned about
the issues with underage girls and harassment.
On 14 June 2022,
Anisa Kuci, the waitress from
Albania who sat next to
Chris Lamb at the
DebConf19 conference dinner is given voting rights in the
GNOME Foundation. Many real developers do not have voting rights in
these associations and foundations. The oligarchs appear to be stacking
the associations with personal friends who will vote for the same oligarchs
to keep their positions on the board every year.
The woman eventually appears to become an employee of the association
as well. However, it is not clear if she was on the payroll at the
time the oligarchs made her
a voting member.
From 20 to 25 July 2022,
GNOME's annual conference
GUADEC is in
Mexico during the same week that
DebConf22 is in
Kosovo. The two women from
Albania could take the bus to
Kosovo for fifteen euros each but somebody buys them tickets for flights from
Albania to
Mexico. The money paid for these flights could have been used to buy bus
tickets for twenty more women from local universities in central American
countries close to
Mexico.
Jeremy is a member of the Debian GNOME and Canonical Desktop teams. He lives in Florida and this will be the first DebConf he has attended. [in the year after his probation finished]
Fact checking, over 20,000 women in
Kosovo reported being victim of rape as a war crime back in the late 1990s.
Many of the young women I met at events in
Kosovo appear to have been born at the time of the war.
Trevor Kitchen, a 41-year-old British citizen resident in Switzerland, was arrested by
police in Chiasso (canton of Ticino) on the morning of 25 December 1992 in connection
with offences of defamation and insults against private individuals. In a letter addressed to
the Head of the Federal Department of Justice and Police in Berne and to the Tribunal in
Bellinzona (Ticino) on 3 June 1993 he alleged that two police officers arrested him in a bar
in Chiasso and, after handcuffing him, accompanied him to their car in the street outside.
They then bent him over the car and hit him around the head approximately seven times
and carried out a body search during which his testicles were squeezed. He claimed he was then punched hard between the shoulder blades several times. He said he offered no
resistance during the arrest.
He was then taken to a police station in Chiasso where he was questioned in Italian (a
language he does not understand) and stated that during the questioning "The same
policeman that arrested me came into the office to shout at me and hit me once again
around the head. Another policeman forced me to remove all of my clothes. I was afraid
that they would use physical force again; they continued to shout at me. The one policeman
was pulling at my clothes and took my trouser belt off and removed my shoe laces. Now I
stood in the middle of an office completely naked (for 10 minutes) with the door wide open
and three policemen staring at me, one of the policemen put on a pair of rubber surgical
gloves and instructed me to crouch into a position so that he could insert his fingers into my
anus, I refused and they all became angry and started shouting and demonstrating to me the
position which they wanted me to take, laughing, all were laughing, these police were having a
good time. They pointed at my penis, making jokes, hurling abuse and insults at me, whilst I
stood completely still and naked. Finally, when they finished laughing, one of the
policemen threw my clothes onto the floor in front of me. I got dressed."
He was transferred to prison some hours later and in his letter claimed that during the
night he started to experience severe pains in his chest, back and arms. He asked a prison
guard if he could see a doctor but the request was refused and he claimed the guard kicked
him. He was released on 30 December 1993. Medical reports indicated that since his
release he had been experiencing recurrent pain in the area of his chest and right shoulder
and had been receiving physiotherapy for an injury to the upper thoracic spine and his right
shoulder girdle.
Volunteers discovered
over $120,000 was taken out of Debian bank accounts and used for legal fees
to try and have me molested or killed. Why did they spend so much money on this
vendetta? They are terrified about people who express concern about abuse. They
paid $120,000 in legal fees because they feel more comfortable with
Jeremy Bicha, the man who raped his little sisters, than with
the independent volunteer elected by the Fellowship in 2017.
Subject: Matthias Geiger: Advocate
Date: Thu, 10 Nov 2022 13:26:16 -0000
From: Jeremy Bicha (via nm.debian.org) <nm@debian.org>
Reply-To: debian-newmaint@lists.debian.org, Matthias Geiger
<matthias.geiger1024@tutanota.de>, archive-1128@nm.debian.org,
Jeremy Bicha <jbicha@debian.org>
To: debian-newmaint@lists.debian.org
CC: Matthias Geiger <matthias.geiger1024@tutanota.de>,
archive-1128@nm.debian.org, Jeremy Bicha <jbicha@debian.org>
For nm.debian.org, at 2022-11-10:
I support Matthias Geiger <matthias.geiger1024@tutanota.de>'s request to
become a Debian Maintainer.
I have sponsored numerous uploads for Matthias including 6 new source
packages. He has prepared many new packages with a particular focus on
GNOME apps and Rust libraries to build GNOME apps. Creating new packages
is one of the more complex packaging tasks for Debian. His work has been
consistently high quality. We have also worked together to improve the
initial packaging.
Beyond packaging skills, Matthias has been pleasant to communicate with.
I have personally worked with Matthias Geiger
<matthias.geiger1024@tutanota.de>
(key C2E1A6CBFDECE511A8A4176D18BD106B3B6C5475) for 7 months, and I know
Matthias Geiger
can be trusted to have upload rights for their own packages, right now.
Jeremy Bicha (via nm.debian.org)
In January 2023, the late
Cardinal George Pell, former treasurer of the
Vatican, appeared in news reports from Rome talking about the death of
Pope Benedict. The news reports prompted me to look at the unredacted
Case Study 35 about the Archdiocese of Melbourne. I was shocked to see
the similarities to the
Debianism culture and
social engineering attacks. I printed a lot of the evidence about
Enrico Zini blackmailing and defaming people over so many years. On
10 January 2023, I drove across the Great St Bernard Pass to Aosta in
Italy. I walked in to the Carabinieri station and explained the
similarities between the exploitation of victims in
Debianism and in the
Catholic abuse crisis. In the same hour that I was in the Carabinieri
station, as a witness to these crimes, unbeknownst to me,
Cardinal George Pell was having surgery in Rome. He died four or
five hours later.
Authorities in
Australia pretended the crisis died with
Cardinal George Pell. He had avoided certain questions and surely there
is nobody else left alive who knows the answers to those questions.
On 1 March 2023,
minutes of a
GNOME Foundation Executive Committee meeting capture the names of
Anisa Kuci and
Sonny Piers together for the first time. At this point, she is not on
the list of people receiving payments from
GNOME Foundation. There are serious ethical concerns when members of
the CoC-committee are physically intimate with the very people
they are making up rumours about. Likewise, there are serious ethical
concerns when staff members are able to intercept and suppress
CoC-committee complaints about their workmates and their own boss.
We already discussed the way these CoC schemes are similar to
the catch-and-kill strategy the National Enquirer used to
purchase and suppress stories about
Donald Trump.
These financial and sexual conflicts of interest are even more disturbing
when the conflicts of interest are totally hidden from the victims of
defamation created by these gangsters.
It appears there are now two women from
Albania who were being paid to work on the organisation of
GUADEC and assist other events like
DebConf. Up to this point, the organisations had always insisted
that if volunteers wanted an event they have to organise it themselves.
Nobody had any public discussion about changing the strategy and having
a mix of volunteers and paid event staff. It is vital to ask the question:
did the oligarchs create these jobs because the community chose to
change the strategy or did these jobs get created because somebody wanted
these two specific girls from
Albania to have jobs?
GNOME hired the first girl at the end of 2018. Some time later, the
other girl went to
Outreachy, then she went to
Wikimedia Italia, an organisation that relies on a lot of volunteers
who don't get paid. A list of her past relationships was circulated and
the people doing unpaid work became upset. Shortly after that, it looks like
GNOME took her on their payroll. The fact that
GNOME has ended up with two girls from the same
Albanian background adds weight to the argument that the jobs were created
for these specific girls rather than to fill some general need.
Remember, in 2018 and 2019, these are the same girls who asked the
Debianists to buy their travel tickets in advance while all the other
young interns had to buy tickets with their own money and wait for
reimbursement.
Why did
Kristi Progri get a big title, Director of Project Management but when
Anisa Kuci joined
GNOME they call her an Administrative Assistant? Both girls
grew up together in the same building. The both joined the
Open Labs group together. Either one job title is being overstated or
the other job title is understated. It looks like the job for the second girl
was only created as part of the catch-and-kill strategy to keep
women on side so they won't repeat the things they told me in 2017 and 2018
about the
Fedora Ambassador
Elio Qoshi.
On 10 May 2023,
Jeremy Bicha writes another advocacy for
Matthias Geiger to be promoted from Debian Maintainer to Debian Developer:
Subject: Matthias Geiger: Advocate
Date: Wed, 10 May 2023 15:06:23 -0000
From: Jeremy Bicha (via nm.debian.org) <nm@debian.org>
Reply-To: debian-newmaint@lists.debian.org,
Matthias Geiger <matthias.geiger1024@tutanota.de>,
archive-1181@nm.debian.org,
Jeremy Bicha <jbicha@debian.org>
To: debian-newmaint@lists.debian.org
CC: Matthias Geiger <matthias.geiger1024@tutanota.de>,
archive-1181@nm.debian.org,
Jeremy Bicha <jbicha@debian.org>
For nm.debian.org, at 2023-05-10:
I support Matthias Geiger <matthias.geiger1024@tutanota.de>'s request to
become a Debian Developer, uploading.
I have worked with Matthias Geiger on GNOME packages since March 2022.
Matthias has created new Debian packages
for several GNOME related apps and libraries and maintained them well
ever since.
Matthias has been very instrumental in doing the major prerequisite work
to get newer GNOME apps written in Rust
into Debian Trixie. This is very complicated but important work.
I have personally worked with Matthias Geiger
<matthias.geiger1024@tutanota.de>
(key C2E1A6CBFDECE511A8A4176D18BD106B3B6C5475) for 14 months, and I know
Matthias Geiger
can be trusted to be a full member of Debian, and have unsupervised,
unrestricted upload rights, right now.
Jeremy Bicha (via nm.debian.org)
Matthias Geiger is a very common name.
Jeremy Bicha has vouched for him but neither of them have told us if they
have any conflicts of interest, for example, if they both work for the same
employer,
Canonical Ltd or if they ever shared a prison cell together.
On 11 September 2023,
Jeremy Bicha writes an advocacy for
Amin Bandali. This time he reveals that they are both working at the same
company,
Canonical Ltd, the maker of
Ubuntu. Some people have serious ethical concerns about
Ubuntu developers and co-workers writing references for each other like
this because they are under pressure to serve the needs of their company
rather than being objective about Debian.
Subject: Amin Bandali: Advocate
Date: Mon, 11 Sep 2023 14:15:25 -0000
From: Jeremy Bicha (via nm.debian.org) <nm@debian.org>
Reply-To: debian-newmaint@lists.debian.org,
Amin Bandali <bandali@gnu.org>,
archive-1211@nm.debian.org,
Jeremy Bicha <jbicha@debian.org>
To: debian-newmaint@lists.debian.org
CC: Amin Bandali <bandali@gnu.org>,
archive-1211@nm.debian.org,
Jeremy Bicha <jbicha@debian.org>
For nm.debian.org, at 2023-09-11:
I support Amin Bandali <bandali@gnu.org>'s request to become a Debian
Developer, uploading.
I have personally worked with Amin Bandali <bandali@gnu.org>
(key BE6273738E616D6D1B3A08E8A21A020248816103) on the Debian GNOME team
since the end of 2022. He has packaged updates for a variety of GNOME
packages. Earlier this year, he officially joined the Debian GNOME team
and has been entrusted with DM upload rights to several packages. He has
used those upload rights well.
Amin Bandali also has interest and skill with troubleshooting build
issues on non-amd64 architectures which is why he is not just a DM, but
a "DM with guest account".
Amin Bandali is a coworker with me at Canonical since late 2022. His
primary job duties are not .deb packaging for Debian and he was already
maintaining packages in Debian before joining Canonical.
I firmly believe that the Debian Project will benefit from granting
Debian Developer, uploading status to Amin Bandali. I know Amin Bandali
can be trusted to be a full member of Debian, and have unsupervised,
unrestricted upload rights, right now.
Jeremy Bicha (via nm.debian.org)
Oddly enough, those messages were exchanged at the same time as
DebConf23 in
India. On 9 September 2023, I sent the coroner for Cambridgeshire a
written warning about the risk for health and safety in
Debianism, with a reference to the culture and the blackmail behaviour:
Subject: Re: Inquest Christopher Rutter - Information Request
Date: Sat, 9 Sep 2023 18:59:26 +0200
From: Daniel Pocock <daniel@pocock.pro>
To: Coroners <Coroners@cambridgeshire.gov.uk>
Hi [redacted],
I've updated the document with some extra email evidence and two more
deaths, both of those being under management from a doctoral candidate
at Cambridge.
Based on my own experience of both Debian culture, the Pell situation
and the evidence in these emails, I feel that there is an ongoing risk
to the health of people who engage with this culture.
Please kindly confirm if the coroner can escalate this to the relevant
people or whether you need somebody to present the document in person.
Regards,
Daniel
Abraham Raji died three days later. It is the first case of somebody dying at
DebConf. It was anticipated, therefore, it was avoidable.
During 2023, there was a high profile underage rape and incest prosecution in
South Australia. A bakery on the Eyre Peninsula had recruited
fifteen-year-old girls to do some baking, smile at the customers and help
the owner have more children. The man in charge and his wife were both
convicted. Three children were born in one seven month period. The baker's
father had shared one of the girls. There are thirteen children and they
need to make DNA tests to verify which man is responsible for each of them.
Newspapers described it as a
cult-like living arrangement but it is not uncommon for workers to live
with their boss when in a remote location like this. When you look at the
remoteness of the location and the nature of such jobs where the young girls
are living at their workplace, it has some similarity to the situation where
Jeremy Bicha and his little sisters were living a life that was isolated
from other children.
Also in May 2024, minutes of the
GNOME Foundation board have been redacted to hide discussions about
Sonny Piers and the "staffing", which really means the hush money being
paid to the
Albanian female whistleblowers.
Sonny Piers was secretly expelled at this point but it is redacted in
the minutes.
On 18 July 2024, immediately after they shut down the
Open Labs web site and discussion forum in
Albania, an anonymous account is created in the
GNOME Foundation forum on
Discourse. The account is used to post a hideous defamation about
Sonny Piers, who they had expelled with a secret trial in May. Dozens of
discussions and news reports appear about
Sonny Piers being banned from
GNOME. The girls are insisting that everybody should know they
decided to humiliate
Sonny but nobody is allowed to ask why the girls are obsessed
with humiliating him. Whenever messages like this appear, they always hint
at some sort of bad sexual etiquette. As we saw with every other case,
such as
Ted Walther in 2006 and
Dr Jacob Appelbaum in 2016, these rumours are not only false but
they have been deliberately fabricated by some chronically dishonest people
intent on harming male volunteers and our families.
The defamation message about
Sonny Piers explicitly mentions "Code of Conduct" but what they
really mean is "Code of Silence". They are doing all this to stop
Sonny Piers talking about payments to one of the
Albanian girls or something similar to that.
I am no longer a member of the board of directors of the GNOME Foundation since May 2024. The process and decision shocked me. I know people are looking for answers, but I want to protect people involved and the project/foundation. It was never an interpersonal conflict for me.
Remember,
Sonny Piers has been doing voluntary work for twenty years and he
contributed substantial intellectual property. The Albanian girls who
were secretly added to the
GNOME payroll only work when they receive money
and they only go to events when somebody, usually the male oligarchs,
buy the tickets for them.
The community had elected
Sonny Piers to the board. As a member of the board it is absolutely
certain he saw privileged information about the payments to
Albanian female whistleblowers. However, he may not have been told
the real reason for those payments. He may have asked questions about
why the same girls are selected for every diversity grant. All this
happened in
GNOME Foundation immediately after the controlling corporations
shut down the
Open Labs group in
Albania. Follow the money / girls.
The
GNOME Foundation hired two girls from
Albania. Now we see the policies of
Enver Hoxha and totalitarianism being reincarnated in a non-profit
voluntary organisation. History is repeating itself.
Jeremy Bicha had engaged in real abuse of his little sisters when they
were six and nine years old. As a voting member of the
GNOME Foundation and a member of the Release Team he has a higher
status than
Sonny Piers. Why can people go to the web site of the
Manatee County Court and read all the details about real abuse of the
little sisters but we are not allowed to know anything about the questions
Sonny Piers was asking at board meetings?
Here is an example of the things
Jeremy Bicha was convicted for:
Reading comments like that reminded me of the way misfits on
debian-private (leaked) discussed the words used by
the parents of
Frans Pop after he committed suicide:
Subject: Re: Death of Frans Pop
Date: Sat, 21 Aug 2010 13:39:21 +0100
From: Colin Watson <cjwatson@debian.org>
To: debian-private@lists.debian.org
On Sat, Aug 21, 2010 at 01:52:33PM +0200, Ludovic Brenta wrote:
> Steve McIntyre <steve@einval.com> writes:
> > "Yesterday morning our son Frans Pop has died. He took his own life,
> > in a well-considered, courageous, and considerate manner. During the
> > last years his main concern was his work for Debian. I would like to
> > ask you to inform those members of the Debian community who knew him
> > well."
>
> Does that imply he took his own life *because* of Debian, which was "his
> main concern"?
This is probably the wrong thread for linguistics, but that phrase would
normally just indicate that Debian was his main interest. In
http://oxforddictionaries.com/view/entry/m_en_gb0169810 under "noun",
this would be sense 2 rather than sense 1.
--
Colin Watson [cjwatson@debian.org]
What is so much more sensitive about the
Sonny Piers drama that
GNOME will not tell us? Did he do something that is even worse than
raping a little girl? Or did he stumble onto an inconvenient truth about
Albanian girls that must be hidden from the community at all costs?
My suspicion is that this is more than somebody's sex life at stake.
It is not unusual for people to hook up with their colleagues in student unions
and open source software conferences. Some of the women have told me they
were under pressure to lie. Paying women to create or repeat a lie,
knowing it is a lie, undermines trust in the whole organisation that
paid for those lies.
Software producers are particularly keen to maintain the trust of the
community. The moment people stop trusting the
GNOME developers everybody will abandon the project. How could we
trust these developers if they used the foundation's funds to make
payments to a woman who spread a lie or defamation?
After you pay a woman to lie, you can't sack that woman. You have to
keep her on the payroll until she's ready to have children and become
a stay-home mother.
I suspect that is why
Anisa Kuci was immediately given a job at
GNOME after the end of her relationship with
Wikimedia Italia. Somebody didn't want to see her join some random
employer where random developers will ask her to disclose details about
the conspiracies at
DebConf19.
It is important to reflect on these secrecy tactics. These tactics
create the type of environment where real abusers can thrive.
I've nominated Jeremy BÃcha to GNOME Advisory Board. Jeremy has volunteered to represent Debian at GUADEC in Denver.
Sonny Piers, like other victims, was censored and humiliated indefinitely
while the
registered sex offender is put up on a pedestal to supposedly be the
representative of the rest of us. I certainly didn't consent to him speaking
for me.
Furthermore, how can a
Canonical Ltd employee be representing the interests of both
Debianism and
the
Ubuntu misfits at the GNOME Advisory Board? The conflict of interest
is enormous. It isn't possible for him to do both at the same time.
In March 2025, shortly before
DebConf25, we saw
Jeremy Bicha began contributing to the
Debian-Edu project. That is the derivative of Debian created to
meet the needs of the education industry. Why does he have schools on his mind?
Jeremy Bicha's status as a
registered sex offender is intended to prevent him being employed
inside a school. By collaborating on
Debian-Edu, he gains credibility that allows him to interact with
schools as a volunteer. This looks like privilege escalation. He was
engaged in this while he was an employee of
Canonical Ltd and
Ubuntu.
At
DebConf25 in Brest,
France, the
GNOME
talk from
Jeremy Bicha was scheduled for 14 July, the French national holiday. In
France, the day normally starts with parades by the military and the
emergency services, including the police. Therefore, people were asked to
choose between applauding the
police as they marched through Brest or watching a
registered sex offender giving a talk in the university campus.
Putting this type of diversity on display at a prominent event feels like
the thin end of the wedge. Brest is a city known for its strong naval history.
Jeremy Bicha had been discharged from the US Navy after they found out.
Like the rogue
Russian spy-ships who periodically sail the English channel,
Debianists have decided to test the waters of diversity by putting this
man on display. They wanted to see how the public reacts. They want us to
know this is the new normal. The victims were only six and nine years old.
On the scale of sexual offences, these were some of the worst. By
putting this out in the open, they make it easier to bring in offenders
who have less serious crimes.
Back in the 1970s, people like this tried to create organizations
like the
Paedophile Information Exchange (PIE) where their cause was published
in broad daylight. Within a few years these organisations had been
outlawed. The lesson they have learnt from those prosecutions is the
need to affiliate themselves with more general causes like diversity
and then expand the definition of diversity to include, by stealth, all
kinds of people who are irreconcilably incompatible with the rest of us.
We already looked at the prosecution of
Matthias Kirschner for the
psychological abuse of
Galia Mancheva. Sooner or later another oligarch will face one of these
prosecutions. If it is somebody the cabal wants to protect, they can remind
us how
Jeremy Bicha came to
DebConf25 and it didn't kill anybody. They will remind us the diversity
statement says anybody is welcome as long as you display total
submission to their
CoC.
This time, instead of using an anonymous account,
Robert McQueen has written the post under his own name. He tells us the
punishment has been reduced:
The Board is providing this information to clarify the decisions made in this case, and to eliminate any uncertainty within the GNOME community about the matter.
In fact, the very long post does not include any example of the questions
Sonny Piers asked about the
Albanian women. Therefore, we all remain totally in the dark.
the Board also voted that Sonny will not be eligible for appointment in any position of authority within the Foundation, or to act as an agent on behalf of the organization, or to have paid work with the GNOME Foundation. This means that he will be unable to be a committee member, director, officer, staff member or contractor, or officially represent the GNOME Foundation to other entities. The Board resolution put these restrictions in place on an indefinite basis.
Turn that statement on its head: why does
Robert McQueen feel more comfortable with the Ubuntu man who
popped the cherry of a six year old than he does with an
independent developer who the community voted onto the board?
On 4 April 2026,
Oscar Langley asked about it in the election discussion for the next leader
of
Debianism. None of the candidates would reply to questions about child
safety.
Subject: DebConf25 decisions affecting Child Safety and talk scheduling
Date: Sat, 4 Apr 2026 11:01:37 +0000
From: Oscar Langley <oscar.langley@hotmail.com>
To: debian-vote@lists.debian.org <debian-vote@lists.debian.org>
I understand this topic may be somewhat tangential to the election mailing list, but I reviewed the list of voters in this year's DPL election and discovered that Jeremy Bicha is a Debian developer who cast a ballot: https://vote.debian.org/~secretary/leader2026/voters.txt
If you search up his name on Google, the very first result is his profile on Florida's Sexual Offender and Predator System, as he molested multiple preteen girls throughout the 1990's and confessed to all this in court.
https://offender.fdle.state.fl.us/offender/sops/flyer.jsf?personId=85068
https://wng.org/articles/the-high-cost-of-negligence-1617309216
Being a child molester is most likely a violation of the Debian Code of Conduct, and if it is not, it is reprehensible enough to call into question his continued status as a member of the project.
Additionally, there are two more important questions about Bicha's relationship with the Debian Project that have yet to be answered. Bicha was due to speak at DebConf25 last year, an event that children were permitted to attend. The livestream also experienced technical issues when his talk was about to start, leaving it unclear whether he actually spoke.
The two questions are:
1. What factors led to the decision to allow children in the presence of Bicha?
2. Was Bicha' talk was canceled, or did it indeed take place but was simply never streamed?
And a third question is begged:
3. Why hasn't the Debian Project cut ties with Bicha?
but one person made a reply praising the extreme definition of diversity:
Subject: Wasn't sure where to send but thank you...
Date: Wed, 8 Apr 2026 12:08:58 -0400
From: Star Light Catcher <catcherstarlight@gmail.com>
To: debian-project@lists.debian.org
I would just like to say, I would sometimes browse the reddits for Linux and in the general Linux reddit I saw someone saying the project was "in trouble" and worried I went to the Debian reddit to look into it... And what I'm very sad to say I found was people being very cruel and closed minded about the fact that the project seems to be valuing inclusion and bringing in new voices and talents to the FOSS community and the Debian project... So, I no longer really read reddit for Linux news but I very much wanted to say how much I've adored using Debian these past 8 months since switching to Linux. It's been rock solid, my best experience on Linux ever (and despite only switching 8 months ago I had tried Linux many times since 2010! Tons of different distros!) Debian has been genuinely an oasis from so much of what is wrong about modern tech, all while being built on what is obviously such a solid foundation I can't see myself switching back to Distros which genuinely often seemed to nuke themselves with little cause from me, and I've done plenty of things to ride my installs of Debian hard and it's never faltered at all.
And about the people behind the Debian project... In a time of increasing authoritarianism and such a huge increase to push minorities even further to the fringes... Debian embracing diversity during all of this... It warms this trans woman's heart who has felt such a sense of dread at the way the world is going. So thank y'all genuinely. Linux users are known to distrohop but... I can't imagine ever needing anything but the Universal Operating System ever again 🫂 and what brings me such joy is that it feels that it's not just universal, as in, for all devices, but universal, as in /for everyone/. 💜
Thank you for all you do, I plan to up my donation when I can,
Star Elizabeth Wilkerson 🦄â�ï¸�
Ben Carroll is the Deputy Premier and Education Minister for the
State of Victoria. On Mother's Day in 2024, he posted a picture
of himself with his local priest, who I'll simply refer to as Father X:
In 1994, the Archdiocese of Melbourne had to exfiltrate another priest,
Fr Barry Robinson, from
Boston. Father X was tasked with the mission. In particular, the scope of
his mission was far bigger than the exfiltration. Father X was also asked to
look at the crisis in
Boston and report back to his superiors in
Australia. This was eight years before the Spotlight news
reports raised public awareness of the scandal. The priest who gives
communion to
Victoria's Education minister had himself learnt about the extent of
the global crisis and expressed concern about warehousing paedophiles:
After returning from
Boston,
Fr Barry Robinson had lived in the same house as Father X while
the US authorities continued their investigation.
Fr Barry Robinson had admitted abuse but they decided not to
prosecute him at all. The church decided to ignore his admission and
put him back into practice:
In 2024, another lawsuit cast attention on
the use of scholarships for the two children of a victim. People gain
status in society through attending these elite high schools. There is a risk
that this perpetuates the culture of silence. It is analogous to the
manner in which some open source software organisations are giving people
internships, big titles and speaking opportunities so they will stay
silent about abuse in
Albania
Here is the redacted deed that mentions scholarships:
In February 2025, The Monthly published and then almost immediately
took down an article by
Louise Milligan titled The True Legacy of the Rapist George Pell.
The late Cardinal Pell had been successful in his appeal and the conviction
had been overturned by the High Court. Therefore, calling him a rapist is
a very strong defamation. Nonetheless, copies of the article are easily found
online.
The Debian Diversity statement tells us the definition of diversity
is very large. A lot like to National Council of Civil Liberties in
the 1970s, the Diversity Statement say anyone is welcome
(up to the day when you ask an ethical question). At
DebConf25, they demonstrated the definition of anyone includes
registered sex offenders. He is not the only one and he won't be
the last one.
If I had been patient, it would have saved me time. One such instance
is following.
From my early blogs, you might know I am using mutt to do email. Just
after I get along with mutt, I started using notmuch. Because limit
search in mutt is always a pain when you have multiple folders. And
what better tool out there than notmuch-mutt to bind both these.
One for search, one for reconstructing threads and one for
manipulating tags, which I missed.
Now my impatient part. I have already mapped f6 for my folder
movements and in my initial days of notmuch, I only use just search.
So I never cared about the f6 macro provided by notmuch-mutt. As time
goes by I got very comfortable with notmuch. I was stretching my
notmuch legs. I started to live more on notmuch search results
date:today tag:unread than more on the mutt index. To the problem,
since notmuch-mutt dump all results to a temp maildir location, can’t
perform flag changes back to the original maildir which was annoying,
because we need to distinguish what mail you read and what not when
you subscribed to most of all debian mailing list.
I was under the impression that, the notmuch-mutt is not capable of
doing so and I just went like that without checking docs. I started
doing all crazy hack to sync these maildirs.
I even started reading notmuch-mutt codebase.
Later, I settled on notmuch-vim. Cause I can manipulate flags sync
back from notmuch to maildir.
And while searching for something, I accidentally revisited the the
the notmuch-mutt macro page and saw the tag manipulation. I was like
:( .
If I read about the third macro patiently when added that to config,
I could’ve saved time by not doing ugly hacks around it.
Educators throughout the world are tasked with the difficult requirement of
evaluating students’ works, making sure the grades meaningfully reflect the
students’ understanding of the subject, and that a graded assignment maps
to the relevant work invested in solving it. After the irruption of
Large-Language Models in late 2023, this task became obviously much harder:
if a widely available computer program is able to solve an assignment in a
way that resembles a human-generated response, how can educators
meaningfully grade their groups?
As it has been the case with different innovations over time (such as with
the appearance of electronic calculators or the mass availability of
digital encyclopedias), the first reactions were of prohibition and denial:
students who use the new tool in question are to be disqualified or somehow
punished. It is only some time after the innovation in question settles
that teachers find a way to properly weigh, integrate and accept its use.
The authors of this position article present several arguments as to why it
is impossible, unethical and unadvisable to use automated AI detection
systems to process student assignments. The first argument is whether it is
at all possible to reliably differentiate human-written essays from
LLM-generated artifacts. The first criticism is that AI detectors are,
themselves, LLMs trained on human-generated texts (negative) and
LLM-generated texts (positive). However, the only way to assert the
training material is not noisy is to use pre-2020 text as human-generated —
but natural ways of writing are influenced by what people read, and the
authors quote studies pointing out that human language, particularly in the
scholarly fields, has incorporated terms and constructions that were used
as LLM markers. Quoting the authors, «As exposure to AI-generated material
becomes increasingly widespread, it is reasonable to expect that the
linguistic patterns of human writing will shift, reflecting the influence
of AI-assisted texts encountered across education, media, and everyday
communication». Stylistic elements and other such markers are being adopted
back into regular speech at a high rate.
Then, the aspect of ethics comes into play as well. While it is expected
that teachers should demand intellectual integrity from students, and
plagiarism detectors have been widely accepted into the workflow of
academics, the accusation of presenting LLM output as own work is
necessarily an uphill battle: the accused party is tasked with providing
proof of innocence based on nebulous, probabilistic accusations. The
authors argue, once an accusation of turning in a LLM-generated text is
made on a student, the onus on proving innocence lies with the accused.
The authors review and argue against a series of techniques that have been
presented in literature to aid teachers in detecting LLM abuse, such as
linguistic markers, single or multiple AI detectors, the use of false
references, hidden adversarial prompts, arguing in all cases the techniques
fail to be trustable enough and highlighting the probability of both false
positives and negatives. They also present AI detection as a false
dichotomy: many works presented are not 100% human generated nor 100%
LLM-generated, but some pertinent LLM-generated paragraphs are presented
mixed with human-generated content, in a positive, critical AI use
(“Students’ work is frequently created with, not by, generative AI”).
The article closes by reiterating the authors’ position: “AI detection in
education is not merely flawed; it is conceptually unsound”. they call upon
institutions to accept the use of generative LLMs cannot be “solved through
surveillance and punishment”, but has to be tackled by an “assessment
design that recognizes AI’s role in learning”.
This article’s position is very strong and well argued, and although it
will surely meet with ample opposition, it surely poses an important, very
current problematic. As a teacher, I found it a very enlightening read.
Yesterday, I had to add support for running KVM virtual machines inside an LXC container. More as a reminder to myself, in case I ever have to do this again, here the simple recipe:
LXC Container Config Adjustment
Enable lxc.autodev and execute hook script to be executed after initial /dev creation (updated 20260428: lxc.cgroup2.* instead of lxc.cgroup.*):
[...]
# Auto-create /dev nodes and add native KVM support to the LXC container
lxc.autodev = 1
lxc.hook.autodev = /var/lib/lxc/.hooks/lxc-hook.kvm-support
lxc.cgroup2.devices.allow = c 10:232 rwm
lxc.cgroup2.devices.allow = c 10:238 rwm
lxc.cgroup2.devices.allow = c 10:241 rwm
[...]
[added 20260408] On the internet, you can find a recipe that simply bind-mounts /dev/kvm from the host in to the LXC container. However, this fails if group ID of POSIX group kvm differs between host and container.
LXC Hook Script for KVM Support Enablement
The following script I placed at /var/lib/lxc/.hooks/lxc-hook.kvm-support (on the LXC host!):
#!/bin/sh
# set up native KVM support in LXC container
mknod -m 0660 ${LXC_ROOTFS_MOUNT}/dev/kvm c 10 232
chown :kvm ${LXC_ROOTFS_MOUNT}/dev/kvm
mknod -m 0660 ${LXC_ROOTFS_MOUNT}/dev/vhost-net c 10 238
chown :kvm ${LXC_ROOTFS_MOUNT}/dev/vhost-net
mknod -m 0660 ${LXC_ROOTFS_MOUNT}/dev/vhost-vsock c 10 241
chown :kvm ${LXC_ROOTFS_MOUNT}/dev/vhost-vsock
What We Are Seeking is a bit hard to classify beyond science
fiction. I think I would call it anthropological science fiction, but it's
also a first contact story and a planetary colony story. It is a
standalone novel (well, so far as I know; see later in the review for
caveats). This is Cameron Reed's second novel after the excellent and
memorable cyberpunk novel The Fortunate
Fall, first published in 1996 under Reed's former name of Raphael
Carter.
John Maraintha is a doctor from the world of Essius. He took what he
thought was a temporary job on the Free Ship Edgar's Folly, where
he's endured considerable culture shock. As the novel opens, John learns
that the colonists on Scythia have requested a translator to talk to one
of the native life forms, and a doctor since they're down to only one.
John will be that doctor. The captain has decided, and by the rules of the
free ships, John does not get a choice in the matter.
The Scythian colony is about four hundred people, now located in a desert
climate since the complex native life forms destroyed their previous
settlement. The colonists are a split between Ischnurans and Zandaheans,
two other human civilizations from the scatter of colony worlds left after
Earth embraced AIs (aiyis here) and turned inward. Both of those groups
marry, something John considers a moral abomination. Neither of them seem
likely to understand Essian sexual ethics. More devastatingly, John had
intended to spend some time as a ship doctor and then return home to a new
place in Essian society. Once he lands on Scythia, the chances of that are
gone; it is highly unlikely any ship would pick him up again and take him
home.
I have been trying to find the right books to compare What We Are
Seeking with ever since I read it. The best I've come up with are Ursula
K. Le Guin (particularly The
Dispossessed), Eleanor Arnason's A Woman
of the Iron People, and Becky Chambers's To Be Taught, If Fortunate. The start of the book felt like an
intentional revisiting of an earlier era of science fiction, with somewhat
updated science and politics, but the last half of the book, where the
action picks up considerably, is a meditation on gender, social systems,
religion, and small-group politics. All of that is mixed with biological
exploration and a first-contact story with some quite-alien aliens.
This is the sort of novel where the protagonist's culture is as foreign to
the reader as any of the other cultures he counters, so the reader is
assembling several jigsaw puzzles at once. John is dropped into an
established colony with its own social norms and established hierarchies.
The one other outsider, the translator Sudharma Jain, is, as his name
implies, a Jain who keeps very strict religious observances. Half of the
colony is from something akin to a fundamentalist Christian religious sect
that practices patriarchy and strict marriage codes. The other half is
more gently sexist (but still sexist) and has its own tradition of a third
gender that becomes central to the story. John, meanwhile, is a strong
believer in the Essian approach to social organization: Any two partners
of any gender freely have sex by mutual consent and without obligation,
and family is based solely on blood relations. These beliefs do not fit
comfortably together, even when people are trying (as they mostly do) to
be welcoming.
The first half of this book is very slow. This gives all of the characters
space to breathe and become comfortable, and the characterization is
superb, but it is a book to start when you're in the mood for something
slow and observational. There is a plot that gradually becomes apparent,
or rather there are several plots that are intertwined, but tension and
urgency are mostly reserved for the second half of the book. Instead, the
book opens with a lot of close observation of alien flora and fauna and
the untangling of subtle social dynamics among the Scythians.
There is also a visitor from earth, much to the distress of the Scythians.
Earth presence means the ships will not return and the colony may be cut
off from any sort of technological resupply. Despite speaking a common
language, that visitor is as mutually alien to the other groups as they
are to the native flora. Her life is fully integrated with aiyis, giving
her essentially godlike powers and the ability to turn off inconvenient
emotions and disregard anything she doesn't want to see. What she and the
Earth aiyis are doing on the planet is one of the early mysteries.
The dialogue in this book is truly excellent. Each characters has their
own voice, there are fascinating digressions on different words that lead
to tidbits of world-building, and some of the culture-specific idioms are
delightful.
"I'm making a mess of this. None of that matters. Let me fall out the
window and come in the door again. This is how my story ought to
start:"
The challenges for the characters in this story are slow but deep ones:
belonging and self-definition, the conflict between cultural tradition and
personal circumstance, and the sacrifices required to live with small
groups in situations where civil war is viscerally attractive. It has one
of the most comprehensive and fascinating treatments of transgender issues
that I've read in science fiction. Its commentary on current politics is
subtle and estranged in the way that science fiction does best, but still
pointed and satisfying. And, well, there are passages like this that I
absolutely adore:
"I wouldn't go that far. It could be they are right, the universe we
see exists because a mind like ours created it — at least, a mind
enough like ours that we can say it wants one thing and not another,
and when it acts it does so with intent. That's as good an idea as
any. But it is certainly not plausible that such a being believes that
people everywhere should marry, or that men should never visit men, or
no one should become a jess. Look at what they have created. The
universe could have been nothing at all, or one atom of hydrogen
floating in a void, or a diamond crystal infinite in all directions,
if their mind cared for simplicity or tidiness. Instead we have stars
and planets and black holes and nebulas. It could have all been cold
and dead, but there is life. They could have made one species for each
world, or just a few, which could have stayed the same forever, but
instead we have millions and millions, all of which are changing every
moment, varying among themselves and boiling off in all directions.
Such a god is like an artist who fills up a library of sketchbooks
with their drawings of strange creatures, and when every scrap of
paper in the place is used up, goes back with a different color ink
and scribbles over them again. They are obsessed with variation — they
gorge themselves with it and never grow full. Do you really think a
mind like that could want us all to live in the same way?"
I had one problem with this book, though, and for me it was a big one:
There is no ending. Reed effectively builds tension, gets me caring about
all of the characters, sets up several problems, starts down a path
towards resolution, and then the book just... ends.
Long-time readers of my reviews will know that I'm a denouement fanatic. I
want the scouring of the shire, I want the chapter set in the happily ever
after, I want the catharsis of an ending. This made me so grumpy!
To be clear, this is not sequel bait (at least so far as I can tell). I
can write a philosophical defense of the ending. The types of problems and
lives that Reed set up don't have clear endings; this is, to some extent,
the point. We muddle through, and then those who come after us muddle
through some more, and the cumulative effect is called human civilization.
And there is some denouement; Reed doesn't leave the reader at a
cliffhanger or anything that egregious.
But still, I wanted the happy ending, even though that was unrealistic for
the style of story this is, because I'm a happy ending reader. This is not
an ending sort of book; it's the sort of book where I get a sinking
feeling at the 95% mark because there aren't enough pages left for the
number of remaining unresolved problems. I've gotten less annoyed in the
days since I finished the book, and I can appreciate the thematic point
made by how the book ends, but I still feel like it's worth an advance
warning if you're a reader like I am.
I would be delighted by a sequel, but it didn't feel like that was the
intent.
Apart from that, this was both excellent and rather unlike a lot of
current science fiction. I think the closest comparison I can make among
recent novels I've read is Sue Burke's Semiosis. What We Are Seeking has a similar sort of
world-building, but I liked these characters so much more. It felt like a
classic literary science fiction novel, but very much written in 2026.
Highly recommended, just beware of the lack of closure.
Content notes: Sexism, homophobia, stomach illness, and some religious
abuse.
A new maintenance release 0.4.27 of RProtoBuf
arrived on CRAN today. RProtoBuf
provides R with bindings for the
Google Protocol Buffers
(“ProtoBuf”) data encoding and serialization library used and
released by Google, and deployed very widely in numerous projects as a
language and operating-system agnostic protocol. The new release is also
already as a binary via r2u.
This release adjusts to a change upstream. Luca Billi noticed that upstream
removed some fields from FieldDescriptor, filed and issue
and followed up with a spotless PR. No other changes.
The following section from the NEWS.Rd file has all details and
links.
Changes in
RProtoBuf version 0.4.27 (2026-04-26)
Adjust to FieldDescriptor API changes in ProtoBuf 3.4
(Luca Billi in #114
fixing #113)
What appears to be an attempt to assassinate the US President
Donald Trump has dominated the news today. There are numerous people on
social control media suggesting the suspect,
Cole Thomas Allen, may be gay or transgender, like the
Zizian problems. Some people make comments
about a handwritten note left for his transgender partner.
In fact, these comments appear to be identical to the description of
Tyler Robinson, the man who assassinated
Charlie Kirk. They are not necessarily fake news. We simply don't have
enough information to say if the rumours are fake or if they are true.
496.
The plaintiff and other victims feel great apprehension, based on what happened to Dr
Appelbaum's home, based on the drawings of civil disorder, based on the way the Zizian group
behaved, that if these vigilantee tendencies are not constrained then they will again manifest
themselves in physical acts of vandalism or violence.
The Genocidal Healer is the eighth book in James White's medical
science fiction series about the Sector General hospital. As with the rest
of the series, detailed memory of the previous books is not required and
the books could be read out of order if you didn't mind spoilers.
I read this as part of the Orb General Practice omnibus.
Surgeon-Captain Lioren is a Tarlan doctor who was in charge of the medical
response to a newly-discovered civilization. The aliens were suffering
from an apparently universal plague and an ongoing vicious war waged
entirely through hand-to-hand combat, putting them on the edge of
extinction. Lioren rushed the distribution of a possible cure against the
advice of the doctors working on developing it, with catastrophic results.
As The Genocidal Healer opens, Lioren is insisting on a
court-martial in the hope of receiving the sentence it believes it
deserves and was denied: death.
(It pronouns are the convention in the Sector General series for all alien
races and formal discussions, because even someone prone to bouts of
gender essentialism such as White understood the need for avoiding gender
assumptions in a science fiction medical context.)
Predictably, both Sector General and the Monitor Corps that technically
runs the hospital are flatly unwilling to execute Lioren. Instead, he is
assigned as a new apprentice in the psychology department under the
legendary O'Mara, where he is ordered to investigate the psychological
fitness of a senior doctor named Seldal. This leads him to talk to
Seldal's patients, which in turn leads to a challenging set of ethical
dilemmas.
The first five chapters (and more than sixty pages) are the story of
Lioren's trial and a recounting of the events on Cromsag. The series is
full of medical and cultural puzzles like this, and usually I like them,
but I thought this one was less successful. We know the vague (and
horrible) outline of the ending in advance, and the massive simplification
and artificial universality that is required to make this puzzle work is
particularly blatant. A universally infectious disease is more of a
fiction plot than a believable biological concept, and the number of
failures of communication, analysis, and misunderstanding that have to
line up to create White's predetermined outcome were a bit much for me.
Once the story gets past that and into Lioren's psychological work, the
novel improves. Lioren is guilt-ridden and irrational, but also rather
arrogant about his guilt and his concepts of professional responsibility
in a way that I think mostly worked. Most of the novel consists of Lioren
slowly discovering that people like him and enjoy talking to him, much to
his bafflement. In that, it has the gentle kindness and sense of universal
basic decency that is characteristic of this series. There are, of course,
medical puzzles to solve, although this time they are primarily
psychological in nature. Various characters from previous books make an
appearance, but White re-explains their background in sufficient detail
that you don't need to remember (or have read) those previous books.
There are a lot of similarities between this book and the previous one,
Code Blue—Emergency. Both feature
nonhuman viewpoint protagonists and amusing descriptions of human facial
expressions from an alien perspective. Both feature protagonists with
overly rigid ethical structures that partly clash with the generally human
policies of Sector General. The Genocidal Healer is a bit more
subtle and nuanced, although a lot of Lioren's psychological evaluation
rests on an ethical difference that I found somewhat unbelievable. This
book, though, tackles a subject the previous book did not: religion. The
treatment isn't horrible, but I have some complaints.
My primary issue is that Lioren, who starts as an atheist, does extensive
research into religion to help a patient and then starts making statements
summarizing the religions beliefs of the majority of known species that
are just... Christianity. As someone raised Christian, I recognized it
immediately as the sort of abstracted Christianity that Christians claim
is universal while completely ignoring the opinions of the adherents of
any other religion.
Key components of this majority galactic religious pattern, according to
Lioren, include an omnipotent and omnibenevolent creator god, a religious
figure who preaches forgiveness and mercy and is persecuted, and emphasis
on redemption. This simply is not some abstract universal religion. This
is just Christianity in disguise. Even in religions that have some of
those elements in their traditions, they do not get the same emphasis and
are not handled the way that Lioren describes them. I therefore found
Lioren's extended discussions of religion rather annoying, since he kept
claiming as relatively universal principles beliefs that are not even held
by the majority of religious adherents on Earth, let alone a wildly
varying collection of alien races with entirely different biology and
societal constructions. It caused a lot of problems for my suspension of
disbelief, on top of the annoyance at this repetition of, frankly,
Christian propaganda.
Lioren goes, from that research, into theodicy (the problem of evil). The
interesting part of this is White's earnest portrayal of a doctor's
approach to societal problems: a desire to find workarounds and patches
and fixes for anything that makes people unhappy, whether medical or
social. It makes sense, given the horrible biologic hands that some of the
aliens in this series have been dealt, that they would question the idea
of a benevolent god, so this philosophical digression is justified in that
sense. But you might guess that a mid-list science fiction author is not
going to say something new about one of the oldest problems in
Christianity, and indeed he does not. Lioren arrives at the standard
handwaving about the unknowability of divine intent, which I found tedious
to read but at least not fatal to the plot.
White, thankfully, doesn't take the religious material too far. The
characters recognize how sensitive of an issue religion is in a hospital,
Lioren never adopts religion fully, and the resolution of the plot is as
much biological as philosophical. White is going somewhere with the
introduction of religion, and although some of the path there annoyed me,
I think the destination worked. White was from Northern Ireland, and
therefore well aware of the drawbacks of religion, and he abhorred
violence (hence Sector General as a setting), so the reader is in better
hands with him than with most authors who might attempt this plot.
I think I know a bit too much about religion to be the best audience for
this entry in the series, and I'm not sure the introductory five chapters
quite worked. But as with all of the other books in the series, this kept
me turning the pages and I'm glad I read it. The Genocidal Healer
probably isn't worth seeking out unless you're reading the whole series,
but if you're enjoying the rest of the series, you'll probably like this
too.
Leonardo and I are happy to
announce another maintenance release 0.1.4 of our dtts package
which has been on CRAN for four
years now. dtts builds upon
our nanotime
package as well as the beloved data.table to bring
high-performance and high-resolution indexing at the
nanosecond level to data frames. dtts aims to
offers the time-series indexing versatility of xts (and zoo) to the immense
power of data.table while
supporting highest nanosecond resolution.
This release, not unlike yesterday’s
release of nanotime, is driven by recent changes in the bit64 package which
underlies it. Michael,
who now maintains it, had sent in two PRs to prepare for these changes.
I updated continuous integration, and switched to Authors@R, and that
pretty much is the release. The short list of changes follows.
Changes in version 0.1.4
(2026-04-23)
Continuous integration has received some routine updates
Adapt align() column names with changes in
'data.table' (Michael Chirico in #20)
Narrow imports to functions used for packages 'bit64',
'data.table' and 'nanotime' (Michael Chirico in #21)
Courtesy of my CRANberries, there
is also a [diffstat repor]tbsdiffstat
for this release. Questions, comments, issue tickets can be brought to
the GitHub repo.
Another minor update 0.3.14 for our nanotime
package is now on CRAN, and has
compiled for r2u (and
will have to wait to be uploaded to Debian until dependency bit64 has been
updated there). nanotime
relies on the RcppCCTZ
package (as well as the RcppDate
package for additional C++ operations) and offers efficient high(er)
resolution time parsing and formatting up to nanosecond resolution,
using the bit64
package for the actual integer64 arithmetic. Initially
implemented using the S3 system, it has benefitted greatly from a
rigorous refactoring by Leonardo who not only rejigged
nanotime internals in S4 but also added new S4 types for
periods, intervals and durations.
This release has been driven almost entirely by Michael, who took over as
bit64 maintainer
and has been making changes there that have an effect on us
‘downstream’. He reached out with a number of PRs which (following
occassional refinement and smoothing) have all been integrated. There
are no user-facing changes, or behavioural changes or enhancements, in
this release.
The NEWS snippet below has the fuller details.
Changes in version 0.3.14
(2026-04-22)
Tests were refactored to use NA_integer64_ (Michael
Chirico in #149 and
Dirk in #156)
nanoduration was updated for changes in nanotime 4.8.0 (Michael Chirico in #152 fixing
#151)
Use of as.integer64(keep.names=TRUE) has been
refactored (Michael Chirico in #154 fixing
#153)
In tests, nanotime is attached after
bit64; this still needs a better fix (Michael
Chirico in #155)
The package now has a hard dependency on the just released bit64 version 4.8.0 (or later)
Vertical rhythm aligns lines to a consistent spacing cadence down the page. It
creates a predictable flow for the eye to follow. Thanks to the rlh CSS unit,
vertical rhythm is now easier to implement for text.1 But illustrations
and tables can disrupt the layout. The amateur typographer in me wants to follow
Bringhurst’s wisdom:
Headings, subheads, block quotations, footnotes, illustrations, captions and
other intrusions into the text create syncopations and variations against the
base rhythm of regularly leaded lines. These variations can and should add
life to the page, but the main text should also return after each variation
precisely on beat and in phase.
Three factors govern vertical rhythm: font size, line height and
margin or padding. Let’s set our baseline with an 18-pixel font and a 1.5
line height:
CSS Values and Units Module Level 4 defines the rlh unit, equal to the
computed line height of the root element. All browsers support it since
2023.2 Use it to insert vertical spaces or to fix the line height
when altering font size:3
We can check the result by overlaying a grid4 on the content:
Using CSS rlh unit to set vertical space works well for text. You can display the grid using Ctrl+Shift+G.
If a child element uses a font with taller intrinsic metrics, it may stretch
the line’s box beyond the configured line height.5 A workaround
is to reduce the line height to 1. The glyphs overflow but don’t push the line
taller.
code,kbd{line-height:1;}
Responsive images
Responsive images are difficult to align on the grid because we don’t know their
height. CSS Rhythmic Sizing Module Level 1 introduces the block-step
property to adjust the height of an element to a multiple of a step unit. But
most browsers don’t support it yet.
With JavaScript, we can add padding around the image so it does not disturb
the vertical rhythm:
Table cells could set 1rlh as their height but they would feel constricted.
Using 2rlh wastes too much space. Instead, we use incremental leading: we
align one in every five lines.
To align the elements after the table, we need to add some padding. We can
either reuse the JavaScript code from images or use a few lines of CSS that
count the regular rows and compute the missing vertical padding:
A header cell has twice the padding of a regular cell. With two regular rows,
the total padding is 2×2×0.2+2×0.4=1.6. We need to add 0.4rlh to reach
2rlh of extra vertical padding across the table.
One line out of five is aligned to the grid. Additional padding is added after the table to not break the vertical rhythm. 405 is divisible by 27, our line height in this example.
None of this is necessary. But once you start looking, you can’t unsee it. Until
browsers implement CSS Rhythmic Sizing, a
bit of CSS wizardry and a touch of JavaScript is enough to pull it off. The main
text now returns after each intrusion “precisely on beat and in phase.� �
For broader compatibility, you can replace 2rlh with
calc(var(--line-height) * 2rem) and set the --line-height custom
property in the :root pseudo-class. I wrote a simple PostCSS
plugin for this purpose. �
It would have been nicer to compute the line height with
calc(round(up, calc(2.4rem / 1rlh), 0) * 1rlh). Unfortunately, typed
arithmetic is not supported by Firefox yet. Moreover, browsers support
round() only since 2024. Instead, I coded a PostCSS
plugin for this as well. �
The following CSS code defines a grid tracking the line height:
Armadillo is a powerful
and expressive C++ template library for linear algebra and scientific
computing. It aims towards a good balance between speed and ease of use,
has a syntax deliberately close to Matlab, and is useful for algorithm
development directly in C++, or quick conversion of research code into
production environments. RcppArmadillo
integrates this library with the R environment and language–and is
widely used by (currently) 1263 other packages on CRAN, downloaded 45.7 million
times (per the partial logs from the cloud mirrors of CRAN), and the CSDA paper (preprint
/ vignette) by Conrad and myself has been cited 683 times according
to Google Scholar.
This versions updates to the 15.2.5 and 15.2.6 upstream Armadillo releases from,
respectively, two and five days ago. The package has already been
updated for Debian, and built for
r2u. When we ran the
reverse-dependency check for 15.2.5 at the end of last week, one package
failed. I got in touch with the authors, filed an issue, poked some
more, isolated the one line that caused an example to fail … and right
then 15.2.6 came out fixing just that. It was after all an upstream
issue. We used to ran these checks before Conrad made a release, he now
skips this and hence needed a quick follow-up release. It can
happen.
The other big change is that this R package release phases out the
‘dual support’ for both C++14 or newer (as in current Armadillo) along with a C++11
fallback for more slowly updating packages. I am happy to say that after
over eight months of this managed transition (during which CRAN expulsed some laggard
packages that were not moving in from C++11) we are now at all packages
using C++14 or newer which is nice. And I will take this as an
opportunity to stress that one can in fact manage a disruptive API
change this way as we just demonstrated. Sadly, R Core does not seem to
have gotten that message and rollout of this package was also still a
little delayed because of the commotion created by the last minute API
changes preceding the R 4.6.0 release later this week.
Smaller changes in the package are a switch in pdf vignette
production to the Rcpp::asis() driver, and a
higher-precision computation in rmultinom() (matching a
change made in R-devel during last week in its use of Kahan summation).
All detailed changes since the last CRAN release follow.
Changes in
RcppArmadillo version 15.2.6-1 (2026-04-20)
Upgraded to Armadillo release 15.2.6 (Medium Roast Deluxe)
Ensure internally computed tolerances are not NaN
The rmultinom deploys 'Kahan summation' as R-devel
does now.
Changes
in RcppArmadillo version 15.2.5-1 [github-only] (2026-04-18)
Upgraded to Armadillo release 15.2.5 (Medium Roast Deluxe)
Fix for handling NaN elements in .is_zero()
Fix for handling NaN in tolerance and conformance checks
Faster handling of diagonal views and submatrices with one
row>
Sunset the C++11 fallback of including Armadillo 14.6.3 (#504
closing #503)
The vignettes have refreshed bibliographies, and are now built
using the Rcpp::asis vignette builder (#506)
One rmultinom test is skipped under R-devel which
has switched to a higher precisions calc
Just a quick invitation to an in-person event in Tilburg, the Netherlands.
All people interested in the Lomiri Operating Environment are invited to join us at the Lomiri Codefest [codefest] taking place on May 16-17 (participation is free of charge).
We are hiring Lomiri developers
And as another side node, we still have budget (until 07/2027) for 2-3 additional Lomiri developers (depends on each devs weekly availability). The details of my previous post [hiringdetails] +/- still apply. One more limitation / strength: You need real coding skills to apply for the open positions, AI-generated contributions will not be accepted for the tasks at hand.
If you are interested and a skilled FLOSS developer (you need previous OSS contributions as references) and available with at least 10 hrs / week, please get in touch [fsgmbh].
After my previous blog post about eBook readers in Debian [1] a reader recommended FBReader. I tried it and it’s now my favourite reader. It works nicely on laptop and phone and takes significantly less RAM than Calibre or Arianna (especially important for phones). While the problems with my FLX1s not displaying text with Calibre or Arianna might be the fault of something on the FLX1s side those problems just don’t happen with FBReader.
FBReader has apparently now got a proprietary version as the upstream, but we still have FOSS code to use in Debian. It would be nice if someone updated it to store the reading location using WebDAV and/or a local file that can be copied with the NextCloud client or similar. Currently there is code to store reading location in the Google cloud which I don’t want to use. It’s not THAT difficult to see what chapter you are at with one device and just skip to that part on another, but it is an annoyance.
One thing I really like about FBReader is that you can run it with a epub file on the command line and it just opens it and when it’s been closed you can just open it again to the same spot in the same file. I don’t want a “library” to view a book list, I just want to go back to what I was last reading in a hurry. Calibre might be better for some uses, for example I can imagine someone in the publishing industry with a collection of thousands of epub files finding that Calibre works better for them. But for the typical person who just wants to read one book and keep reading it until they finish it FBReader seems clearly better. The GUI is a little unusual, but it’s not at all confusing and it works really well on mobile.
Okular
I tried Okular (the KDE viewer for PDF files etc) which displays epub files if you have the “okular-extra-backends” installed, but it appears to not display books with the background color set to black. I would appreciate it if someone who has read some public domain or CC licences epub files can recommend ones with a black background that I could use for testing as I can’t file a Debian bug report without sample data to reproduce the bug. I decided not to use it for actual book reading as FBReader is far better for my use taking less RAM and being well optimised for mobile use.
Folite
Foliate supports specifying a book on the command-line which is nice. But it takes more memory than FBReader which is probably mostly due to using webkit to display things. The output was in 2 columns on my laptop in small text which is probably configurable but I didn’t proceed with it. I determined that it doesn’t compare with FBReader for my use. It’s written in JavaScript which may be a positive feature for some people.
Koodo
I had a brief test of Koodo which isn’t in Debian. Here is the Koodo Reader Github [2]. I installed the .deb that they created, it installs files to “/opt/Koodo Reader/” (yes that’s a space in the directory name) and appears to have Chromium as part of the runtime. I didn’t go past that even though it appears to have a decent feature set. It is licensed under version 3 of the AGPL so is suitable for Debian packaging if someone wants to do it.
Many thanks to Sruthi Chandran for her campaign, to our Developers for their
votes, and to Andreas Tille for his service as DPL over the past two years!
The new term for the project leader will start on April 21, 2026 and expire
on April 20, 2027.
I recently released version 0.3.0 of my recipe manager application Kookbook – find it in git in KDE Invent or as released tarballs in https://download.kde.org/stable/kookbook/
Changes since last time is more or less “Minor bugfixes and a Qt6 port” – nothing as such noteworthy unless you aim to get rid of Qt5 on your system.
so what is kookbook?
It is a simple recipe viewer that works with semi-structured markdown. More details can be seen in the quite old 0.1.0 announcement
At some point I should do a 10 recipe example collection, but my personal collection is in danish, so I’m not sure it is going to be useful. Unless someone will donate me some handfuls of pre-formatted recipes, I will happily announce it.
Surface Detail is the ninth novel in Banks's Culture science
fiction (literary space opera?) series. As with most of the Culture
novels, it can be read in any order, although this isn't the best starting
point. There is an Easter egg reference to Use of Weapons that would be easier to notice if you have read
that book recently, but which is not that important to the story.
Lededje Y'breq is an Indented Intagliate from the Sichultian Enablement.
Her body is patterned from her skin down to her bones, covered with
elaborate markings similar to tattoos that extend to her internal organs.
As an intagliate, she is someone's property. In her case, she is the
property of Joller Veppers, the richest man in the Enablement and her
father's former business partner. Intagliates are a tradition of great
cultural pride in the Enablement. They are a living representation of the
seriousness with which debts and honor are taken, up to and including
one's not-yet-born children becoming the property of one's debtor. Such
children are decorated as living works of art of the highest skill and
technical sophistication; after all, the Enablement are not barbarians.
As the story opens, Lededje is attempting, not for the first time, to
escape. This attempt is successful in an unexpected way.
Prin and Chay are Pavulean researchers and academics who, as this story
opens, are in Hell. They are not dead; they have infiltrated the Hell that
Pavuleans are shown to scare them into proper behavior in order to prove
that it is not an illusion and their society does indeed torture people in
an afterlife, in more awful ways than people dare imagine. They have
reached the portal through which temporary visitors exit, hoping to escape
with firm evidence of the existence and horrors of the Pavulean afterlife.
They will not be entirely successful.
Yime Nsokyi is a Culture agent for Quietus, the part of Contact that
concerns itself with the dead. Many advanced societies throughout the
galaxy have invented and reinvented the ability to digitize a mind and
then run it in a virtual environment. Once a society can capture the minds
of every person in that society from that point forward, it faces the
question of whether to do so and, if it does, what to do with those minds.
More specifically, it faces the moral question of whether to punish the
minds of people who were horrible in life. It faces the question of
whether to create Hell.
Vatueil is a soldier in a contestation, a limited and carefully monitored
virtual war. The purpose of that war game is to, once and for all, resolve
the question of whether civilizations should be allowed to create Hells.
Some civilizations consider them integral to their religion or
self-conception. Others consider them morally abhorrent, and that conflict
was in danger of spilling over into war in the Real. Hence the War in
Heaven: Both sides committed to fight in a virtual space under specific
and structured rules, and the winner decides the fate of the galaxy's
Hells. Vatueil is fighting for the anti-Hell side. The anti-Hell side is
losing.
There are very few authors who were better at big-idea science fiction
than Iain M. Banks. I've been reading a few
books about AI ships and remembered that I had two unread Culture novels
that I was saving. It felt like a good time to lose myself in something
sprawling.
Surface Detail does sprawl. Even by Banks's standards, there was an
impressive amount of infodumping in this book. Banks always has huge and
lovingly described set pieces, and this book is no exception, but there
are also paragraphs and pages of background and cultural musings and
galactic politics. We are introduced to not one but three new Contact
divisions; as well as the already-mentioned Quietus, there is Numina,
which concerns itself with the races that have sublimed (transcended), and
Restoria, which deals with hegemonizing swarms (grey goo nanotech,
paperclip maximizers, and their equivalents).
Infodumping is both a feature and a bane of big-idea science fiction, and
it helps to be in the right mood. It also helps if the info being dumped
is interesting, and this is where Banks shines. This is a huge, sprawling
book, but it deals with some huge, sprawling questions and it has
interesting and non-reductive thoughts about them. The problems posed by
the plot come with history, failed solutions, multi-sided political
disputes, strategies and tactics of varying morality and efficacy, and an
effort to wrestle with the irreducible complexity of trying to resolve
political and ethical disagreements in a universe full of profound
disagreements and moral systems that one cannot simply steamroll.
It also helps that the characters are interesting, even when they're not
likable. Surface Detail has one fully hissable villain (Veppers) as
a viewpoint character, but even Veppers is interesting in a "let me check
the publication date to see if Banks was aware of Peter Thiel" sort of
way. The Culture ships, of which there are several in this story, tend
towards a gently sarcastic kindness that I find utterly charming. Lededje
provides the compelling motive force of someone who has no involvement in
the broader philosophical questions and instead intends to resolve one
specific problem through lethal violence. Vatueil and Yime were a bit
bland in personality, more exposition generators than characters I warmed
to, but their roles and therefore the surrounding exposition were
fascinating enough that I still enjoyed their sections.
I'm sure this is not an original observation, but I was struck reading
this book in the first half of 2026 that the Culture functions as an
implementation of what the United States likes to think it is but has
never been. It has a strong sense of shared ethics and moral principles,
it tries to export them to the rest of the galaxy through example,
persuasion, and careful meddling, but it tries to follow some combination
of pragmatic and moral rules while doing so, partly to avoid a backlash
and partly to avoid becoming its own sort of hegemonizing swarm. That is a
powerfully attractive vision of how to be an advanced civilization, and
the fact that every hegemon that has claimed that mantle has behaved
appallingly just makes it more intriguing as a fictional concept. In this
book, like in many Culture books, the Culture is painfully aware of the
failure modes of meddling, and the story slowly reveals the effort the
Culture put into staying just on a defensible side of their own moral
lines. This is, in a sense, a Prime Directive story, but with a level of
hard-nosed pragmatism and political sophistication that the endless
Star Trek Prime Directive episodes never reach.
Surface Detail does tend to sprawl, and I'm not sure Banks pulled
together all the pieces of the plot. For example, if there was a point to
the subplot involving the Unfallen Bulbitian, it was lost on me. (There is
always a possibility with Banks that I wasn't paying close enough
attention.) But the descriptions are so elaborate and the sense of
politics and history are so deep that I was never bored, even when
following a plot thread that meandered off into apparent irrelevance. The
main plot line comes to a satisfying conclusion that may be even more
biting social commentary today than it was in 2010.
A large part of the plot does involve Hell, so a warning for those who
haven't read much Banks: He adores elaborate descriptions of body horror
and physical torture. The sections involving Prin and Chay are rather
grim and horrific, probably a bit worse than Dante's Inferno. I
have a low tolerance for horror and I was able to read past and around the
worst bits, but be warned that Banks indulges his love for the painfully
grotesque quite a bit.
This was great, and exactly what I was hoping for when I picked it up.
It's not the strongest Culture novel (for me, that's either
The Player of Games or
Excession), but it's one of the better
ones. Highly recommended, although if you're new to the Culture, I would
start with one of the earlier books that provide a more gradual
introduction to the Culture and Special Circumstances.
Followed, in the somewhat disconnected Culture series sense, by The
Hydrogen Sonata.
Content warnings: Rape (largely off-screen), graphic violence, lots of
Bosch-style grotesque torture, and a lot of Veppers being a thoroughly
awful human being as a viewpoint character.
Collision Course is the sixth novel in the Class 5 science fiction
series and the first that doesn't use the Dark X naming convention.
There are lots of spoilers in this story for the earlier books, but you
don't have to remember all the details of previous events. Like the
novella, Dark Ambitions, this novel
returns to Rose, Sazo, and Dav instead of introducing another Earth woman
and Class 5 ship.
In Dark Class, Ellie discovered an
interesting artifact of a previously-unknown space-faring civilization.
Rose, Sazo, and Dav are on their way to make first contact when, during a
routine shuttle flight between the Class 5 and Dav's Grih military ship,
Rose is abducted. The aliens they came to contact have an aggressive,
leverage-based negotiating strategy. They're also in the middle of a
complicated war with more sides than are readily apparent.
What I liked most about Dark Horse, the
first book of this series and our introduction to Rose, was the revealed
ethical system and a tense plot that hinged primarily on establishing
mutual trust when there were excellent reasons for the characters to not
trust each other. As the series has continued, I think the plots have
become more complicated but the ethical dilemmas and revealing moments of
culture shock have become less common. That is certainly true of
Collision Course; this is science fiction as thriller, with a
complex factional conflict, a lot of events, more plot reversals than the
earlier books, but also less ethics and philosophy.
I'm not sure if this is a complaint. I kind of miss the ethics and
philosophy, but Diener also hasn't had much new to say for the past few
books. The plot of Collision Course is quite satisfyingly twisty
for a popcorn-style science fiction series. I was kept guessing about the
merits of some of the factions quite late into the book, although
admittedly I was in the mood for light entertainment and was not trying
too hard to figure out where the book was going. I did read nearly the
entire book in one sitting and stayed up until 2am to finish it, which is
a solid indication that something Diener was doing worked.
I do have quibbles, though. One is that the ending is a bit unsatisfying.
Like Sazo, I was getting quite annoyed at the people capturing (and
recapturing) Rose and would have enjoyed somewhat more decisive
consequences. Also, and here I have to be vague to avoid spoilers, I was
expecting a bit more of a redemption arc for one of the players in the
multi-sided conflict. The ending I did get was believable but rather sad,
and I wish Diener had either chosen a different outcome (this is light
happily-ever-after science fiction, after all) or wrestled more directly
with the implications. There were a bit too many "wait, one more thing"
ending reversals and not quite enough emotional payoff for me.
The other quibble is that Collision Course was a bit too damsel in
distress for this series. Rose is pregnant, which Diener uses throughout
the book as a way to raise the stakes of the plot and also make Rose more
annoyed but also less capable than she was in her earlier novel. Both Sazo
and Dav are in full heroic rescue mode, and while Diener still ensures
Rose is primarily responsible for her own fate, there is some "military
men attempt to protect the vulnerable woman" here. One of the things I
like about this series is that it does not use that plot, so while the
balance between Rose rescuing herself and other people rescuing her is
still tilted towards Rose, I would have liked this book more if Rose were
in firmer control of events.
I will mostly ignore the fact that a human and a Grih sexually reproducing
makes little to no biological sense, since Star Trek did similar
things routinely and it's an established genre trope. But I admit that it
still annoys me a bit that the alien hunk is essentially human except that
he's obsessed with Rose's singing and has pointy ears. Diener cares about
Rose's pregnancy a lot more than I did, which added to my mild grumpiness
at how often it came up.
Overall, this was fine. I prefer a bit more of a protagonist discovering
how powerful she is by making ingenious use of the ethical dilemmas her
captors have trapped themselves in, and a bit less of Rose untangling a
complicated political situation by getting abducted by every player
serially, but it still kept the pages turning. Any book that is
sufficiently engrossing for me to read straight through is working at some
level. Collision Course was highly readable, undemanding, and
distracting, which is what I was looking for when I read it. I would put
it about middle of pack in the series. If Rose's pregnancy is more
interesting to you than it was to me, that might push it a bit higher.
If you have gotten this far in the series, you will probably enjoy this,
although it does feel like Diener is running out of new things to say
about this universe. That's unfortunate given the number of threads about
AI sentience and rights that could still be followed, but I think tracing
them properly would require more philosophical meat than Diener intends
for these books. Which is why the next book I grabbed was a Culture novel.
Currently this is the final book in the Class 5 series, but there is no
inherent reason why Diener couldn't write more of them.
I was hosted for a long time, free of charge, on https://www.branchable.com/
by Joey and Lars. Branchable and Ikiwiki were wonderful ideas that never
took off as much as they deserved. To avoid being a burden now that
Branchable is nearing its
end, I migrated to
a VPS at Sakura.
However, I have not left Ikiwiki. I only use it as a site engine, but I
haven't found any equivalent that gives me both native Git integration, wiki
syntax for a personal site, the creativity of its directives (you can do
anything with inline and
pagespec), and its multilingual
support through the po plugin.
If you have recently installed a very up-to-date Linux distribution with a desktop environment, or upgraded your system on a rolling-release distribution, you might have noticed that your home directory has a new folder: “Projects”
Why?
With the recent 0.20 release of xdg-user-dirs we enabled the “Projects” directory by default. Support for this has already existed since 2007, but was never formally enabled. This closes a more than 11 year old bug report that asked for this feature.
The purpose of the Projects directory is to give applications a default location to place project files that do not cleanly belong into one of the existing categories (Documents, Music, Pictures, Videos). Examples of this are software engineering projects, scientific projects, 3D printing projects, CAD design or even things like video editing projects, where project files would end up in the “Projects” directory, with output video being more at home in “Videos”.
By enabling this by default, and subsequently in the coming months adding support to GLib, Flatpak, desktops and applications that want to make use of it, we hope to give applications that do operate in a “project-centric” manner with mixed media a better default storage location. As of now, those tools either default to the home directory, or will clutter the “Documents” folder, both of which is not ideal. It also gives users a default organization structure, hopefully leading to less clutter overall and better storage layouts.
This sucks, I don’t like it!
As usual, you are in control and can modify your system’s behavior. If you do not like the “Projects” folder, simply delete it! The xdg-user-dirs utility will not try to create it again, and instead adjust the default location for this directory to your home directory. If you want more control, you can influence exactly what goes where by editing your ~/.config/user-dirs.dirs configuration file.
If you are a system administrator or distribution vendor and want to set default locations for the default XDG directories, you can edit the /etc/xdg/user-dirs.defaults file to set global defaults that affect all users on the system (users can still adjust the settings however they like though).
What else is new?
Besides this change, the 0.20 release of xdg-user-dirs brings full support for the Meson build system (dropping Automake), translation updates, and some robustness improvements to its code. We also fixed the “arbitrary code execution from unsanitized input” bug that the Arch Linux Wiki mentions here for the xdg-user-dirs utility, by replacing the shell script with a C binary.
Thanks to everyone who contributed to this release!
On the 19th of March I got a home battery system installed. The government has a rebate scheme so it had a list price of about $22k for a 40kWh setup and cost me about $12k. It seems that 40KWh is the minimum usable size for the amount of electricity I use, I have 84 cores running BOINC when they have nothing better to do which is 585W of TDP according to Intel. While the CPUs are certainly using less than the maximum TDP (both due to design safety limits and the fact that I have disabled hyper-threading on all systems due to it providing minimal benefits and potential security issues) given some power usage by cooling fans and some inefficiency in PSUs I think that assuming that 585W is accounted for 24*7 by CPUs is reasonable. So my home draws between 800W and 1KW when no-one is home and with an electric car and all electric cooking a reasonable amount of electricity can be used.
My bills prior to the battery installation were around $200/month which was based on charging my car only during sunny times as my electricity provider (Amber Electric) has variable rates based on wholesale prices. Also the feed in rates if my solar panels produce too much electricity in sunny times often go negative so if I don’t use enough electricity. I haven’t had the electric car long enough to find out what the bills might be in winter without a home battery.
Before getting the battery my daily bills according to the Amber app were usually between $5 and $10. After getting it the daily bills have almost always been below $5. The only day where it’s been over $5 since the battery installation was when electricity was cheap and I fully charged the home battery and my car which used 50KWh in one day and cost $7.87 which is 16 cents per KWh. 16 cents isn’t the cheapest price (sometimes it gets as low as 10 cents) but is fairly cheap, sometimes even in the cheap parts of the day it doesn’t get that low (the cheapest price on the day I started writing this was 20 cents).
So it looks like this may save me $100 per month, if so there will be a 10% annual return on investment on the $12K I spent. This makes it a good investment, better than repaying a mortgage (which is generally under 6%) and almost as good as the long term results of index tracker funds. However if it cost $22K (the full price without subsidy) then it would still be ok but wouldn’t be a great investment. The government subsidised batteries because the huge amount of power generated by rooftop solar systems was greater than the grid could use during the day in summer and batteries are needed to use that power when it’s dark.
Android App
The battery system is from Fox ESS and the FoxCloud 2.0 Android app is a bit lacking in functionality. It has a timer for mode setting with options “Self-use” (not clearly explained), “Feed-in Priority” (not explained but testing shows feeding everything in to the grid), “Back Up”, “Forced Charge”, and “Forced Discharge”. Currently I have “Forced Charge” setup for most sunny 5 hours of the day for a maximum charge power of 5KW. I did that because about 25KW/day is what I need to cover everything and while the system can do almost 10KW that would charge the battery fully in a few hours and then electricity would be exported to the grid which would at best pay me almost nothing and at worst bill me for supplying electricity when they don’t want it. There doesn’t seem to be a “never put locally generated power into the grid unless the battery is full” option. The force charge mode allows stopping at a certain percentage, but when that is reached there is no fallback to another option. It would be nice if the people who designed the configuration could take as a baseline assumption that the macro programming in office suites and functions in spreadsheets are things that regular people are capable of using when designing the configuration options. I don’t think we need a Turing complete programming language in the app to control batteries (although I would use it if there was one), but I think we need clauses like “if battery is X% full then end this section”.
There is no option to say “force charge until 100%” or “force charge for the next X minutes” as a one-off thing. If I came home in the afternoon with my car below 50% battery and a plan to do a lot of driving the next day then I’d want to force charge it immediately to allow charging the car overnight. But I can’t do that without entering a “schedule”. For Unix people imagine having to do everything via a cron job and no option to run something directly from the command-line.
It’s a little annoying that they appear to have spent more development time on animations for the app than some of what should be core functionality.
Management
Amber has an option to allow my battery to be managed by them based on wholesale pries but I haven’t done that as the feed-in prices are very low. So I just charge my battery when electricity is cheap and use it for the rest of the day. There is usually a factor of 2 or more price difference between the middle of the day and night time so that saves money. It also means I don’t have to go out of my way to try and charge my car in the middle of the day. There is some energy lost in charging and discharging the batteries but it’s not a lot. I configured the system to force charge for the 5 sunniest hours every day for 5KW as that’s enough to keep it charged overnight and 5KW is greater than the amount of solar electricity produced on my house since I’ve been monitoring it so that forces it to all be used for the battery. In summer I might have to change that to 6KW for the sunniest 2 or 3 hours and then 4KW or 5KW surrounding that which will be a pain to manage.
Instead of charging the car every day during sunny times I charge it once or twice a week, I have a 3.3KW charger and the car has a 40KWh battery so usually it takes me less than 10 hours to fully charge it and I get at least 5 hours of good sunlight in the process.
ActBlue is the online fundraising platform used by
US Democratic party candidates. It is the subject of a major scandal
that has gripped the congress. It has been linked to
Debianism, another disappearing developer and in a parody of other
Debianism scandals, there are possibly two people using the same name,
one being the wife of the missing developer and the other being a
US Senate candidate who claims to have exposed the
ActBlue scandal.
These Github screenshots confirm that
Decklin Foster was affiliated with
ActBlue and vanished in 2018:
Accusations have been made about the concealment
of illegal foreign donations and deception of Congress.
Chris Gleason has nominated to represent Florida in the US Senate.
Gleason registered using a post office box and created a domain name,
voteforgleason.com using an anonymous service in
Iceland.
Gleason's profile on
X/Twitter has no photo while their
Facebook profile is completely disabled.
Up to 2016, we can see that
Decklin Foster was listed in the public filings of ActBlue Civics, Inc
as either a senior engineer or at one point, as
Director of Information Technology.
On 1 January 2015,
Decklin Foster's PGP key was removed because it was only 1024 bits.
Most developers had created stronger keys before this mass removal of
insecure keys took place.
In 2019, the
Debian Account Managers asked the keyring managers to completely remove
Decklin Foster from the Debian keyring. There was no
Statement on Decklin Foster so far.
Clicking the links to see the statements about the removal does not
work. An error message tells us the messages about
Decklin Foster's removal from
debianism are all private.
If you’re interested in me, I have started using Google
Plus. If you’re interested in my work, I’m on Github. I was a Debian developer for some time, but
I’ve mostly given that up. I currently work for ActBlue and live in Cambridge, MA with
my wife.
Clicking on "my wife", we find the web site of Chris Gleason at
http://cgleason.org/.
chris gleason is a graphic designer, zine creator, and print maker in chicago, illinois. they love ...
Therefore, the Debian Developer
(
What is a Debian Developer?) who was Director of Information Technology
for
ActBlue was married to a female or transgender
Chris Gleason. Is this the same person as the elusive male
Chris Gleason who is now running for the US Senate in Florida on
claims about corruption at
ActBlue? Or is it simply a bizarre coincidence that two people so
closely connected with this scandal share the same name?
In 2017, the Trans Women Writers Collective published the book
Nameless Woman, written by trans women of colour. In the credits,
the trans women thank
Decklin Foster.
This anthology was made possible by the
generous support of hundreds of people. In
particular, we would like to thank Annaya Youkai, Kieran Todd, Sadie Laett-Babcock, Adelaida
Shelley, Jaime Peschiera, Kai Cheng Thom, Talon
Wilde, David Cope, Alex Meginnis, Decklin Foster,
and Eli Nelson for their help.
On 22 July 1999,
Raphael Hertzog, known for the
Freexian scandals wrote a message asking people to do unpaid work
on orphaned packages in the hope that their application to become a
Debian Developer would be approved more quickly:
To: debian-devel-announce@lists.debian.org, debian-devel@lists.debian.org, debian-qa@lists.debian.org, debian-mentors@lists.debian.org
Subject: [New maintainer] Working for Debian and becoming a registered Debian developer
From: Raphael Hertzog <rhertzog@hrnet.fr>
Date: Thu, 22 Jul 1999 18:06:26 +0200
[ Large crosspost to start the discussion, please reply to debian-devel
only. Simply respect the reply-to. ]
Hello everybody,
you may or not be aware that getting a Debian developer is quite long. I
want to propose a solution to facilitate the integration of new
Debian developers.
It's quite simple. In order to fully learn how Debian works, the best
solution is :
- to adopt orphaned packages and correct their bugs
- that your work should be checked by an official developer (I'll call
it the sponsor).
Of course, as long you're not a registered Debian developers you cannot
upload your packages. The soluton is that the sponsor will upload the
package you'll do. The official maintainer will be
debian-qa@lists.debian.org. After all when you correct bugs on orphaned
packages, you're doing Quality Assurance.
This does also allow you to get new bugs in your mailbox. You just need
to subscribe to debian-qa@lists.debian.org. You would be allowed to
open/close/set the severity/forward the bugs since all debian-qa members
can do it on debian-qa packages.
If the sponsor finds that you've done a good job with the package, he
will explain that to the new maintainer team in the hope that your
application will be processed faster. And when you'll be
official Debian developper, you'll be able to change the Maintainer field
to your name.
I'll propose myself to be a sponsor. We'll need more sponsor ... any
volunteers ? Hopefully several people from debian-qa will accept to be
sponsor like me ...
All the future Debian developers interested should also reply ...
Any input appreciated !
Cheers,
--
Hertzog Raphaël >> 0C4CABF1 >> http://prope.insa-lyon.fr/~rhertzog/
Decklin Foster was one of the people recruited by those tactics.
To: debian-devel@lists.debian.org
Cc: debian-mentors@lists.debian.org
Subject: Re: [New maintainer] Working for Debian and becoming a registered Debian developer
From: Decklin Foster <decklin@home.com>
Date: Thu, 22 Jul 1999 13:39:13 -0400
Raphael Hertzog writes:
> Of course, as long you're not a registered Debian developers you cannot
> upload your packages. The soluton is that the sponsor will upload the
> package you'll do. The official maintainer will be
> debian-qa@lists.debian.org. After all when you correct bugs on orphaned
> packages, you're doing Quality Assurance.
Sounds good, I'll subscribe right after I finish writing this. I'm
also trying to work on non-orphaned backages as well (for example
right now i'm fixing a bug in gsfonts-x11.) So keep in mind that you
can always just send patches :)
--
Debian GNU/Linux - http://www.debian.org/
The Web is to graphic design as the fax machine is to literature.
Not only was
Decklin under the influence of
Hertzog, they were also under the influnce of the
Red Hat share offer. This email encourages speculation on the
IPO:
To: debian-devel@lists.debian.org
Subject: Re: SPAM from Red Hat
From: Decklin Foster <decklin@home.com>
Date: Wed, 21 Jul 1999 09:57:45 -0400
Martin Bialasinski writes:
> is it only me, or did you also get this spam from Red Hat about stock
> options?
>
> Oh man - the bigger the company, the less clueful people?
On #debian last night, it was suggested that we use our opportunity to
buy some of this stock and sell it when the price goes up. This money
could then be used to fund Debian, buy new hardware, improve our
network connection, etc. Does anyone else think this is a Good
Idea(TM)? I would be willing to donate as much as I reasonably could.
--
Debian GNU/Linux - http://www.debian.org/
The Web is to graphic design as the fax machine is to literature.
Of interest to those watching the
ActBlue saga, there is an email about hacking and cracking:
To: debian-devel@lists.debian.org
Subject: Re: [New maintainer] Working for Debian and becoming a registered Debian developer
From: Decklin Foster <decklin@home.com>
Date: Thu, 22 Jul 1999 16:37:40 -0400
Carl Mummert writes:
> Hacking is a serious crime
Cracking is a serious crime. Breaking into computer systems without
permission is a serious crime. Violation of privacy and theft of
confidential information is a serious crime.
Now what does this have to do with hacking?
> The fact remains that the debian policy is to discourage new
> developers by making it slow and difficult to get an account.
I have no problem with waiting, and I'd rather not look bad just
because some people keep speaking badly about the new-maintainer team.
We don't need another flamewar here. People have work to do.
--
Debian GNU/Linux - http://www.debian.org/
The Web is to graphic design as the fax machine is to literature.
They had a blog on another web site. It is captured in the Wayback
machine up to 2012. The last snapshot with the index is here:
http://blog.rupamsunyata.org/. The last blog post:
I'm the fuel that fires the engine of Failure
So, the Democrats in my very blue state put up a depressing, entitled, out-of-touch candidate for our vacant senate seat and she lost. The only reason I voted for her was because she wasn't a Republican. Supporting someone you don't even slightly like is psychologically draining.
At this point, I would vote for a Democratic party (or a Republican party!) with the exact same fiscal policy as the current Republicans if they actually made a principled, moral stand on equal protection and civil rights, habeas corpus/due process, and reproductive rights. Those don't cost anything[1].
Maybe they should be solved before the stuff that does cost billions of dollars. As it is my choice is weak, almost grudging support for those rights from people who want to hand the economy over to the government, and disgusting, immoral, vehement opposition to them from people who want to hand the economy over to wealthy corporations.
Neither side is doing anything effective to keep us free, or to keep the market free. Each side says or implies that this is a Christian nation, which it explicitly isn't, while failing to do what's right. Sometimes I want to give up and stop voting.
[1] Conversely, of course, it doesn't cost anything to take people's rights away, or prevent them from getting rights in the first place; I think this is why anti-gay-marriage ballot measures have been more successful in the current recession. Some people get their kicks from the suffering of others.
Accessing the blog from 2013 onwards we can see
the front page has been replaced with the message:
This blog is not being updated. Old entries are still around, but I'm turning off the front page for now.
contributors.debian.org tells us that
Decklin Foster stopped contributing in February 2011, immediately
before the
death of Adrian von Bidder-Senn on our wedding day.
Chris Gleason is not on the list at all. If
Decklin had abandoned
Debianism, why did it take eight years to remove them from the keyring?
Reading the full history of the
Debian Harassment culture, we can see many other co-authors were
removed for purely political reasons and blackmail but keys belonging to the
people who had abandoned the project and people who died were left in
the keyring for years.
To: debian-devel <debian-devel@lists.debian.org>
Subject: RFA: all my packages
From: Decklin Foster <decklin@red-bean.com>
Date: Thu, 10 Feb 2011 17:11:05 -0500
Message-id: <1297375750-sup-7355@gillespie.rupamsunyata.org>
I'm looking for a new maintainer for, well, any of these. My heart is
not in it anymore and most of them have been neglected for a while.
Recently my free time has been taken up by other things (mainly my job)
and I forsee that continuing.
http://qa.debian.org/developer.php?login=decklin%40red-bean.com
python-beautifulsoup and mpd need attention for proposed-updates; I
missed getting them into Squeeze. rxvt-unicode is a total clusterfuck.
If any desktop-type packages remain I will orphan them, as I am only
running Debian on servers now. Apart from that, perhaps with a greatly
reduced load I can still make a tiny contribution to the community. If
not, I will retire.
--
things change.
decklin@red-bean.com
Various scholarly articles from Harvard experts on depression have
thanked
Decklin Foster for their contributions in 2008 and 2009.
Decklin Foster was collaborating on this world-class depression
research at exactly the same time they were part of the
debian-private discussions that precipitated the
Debian Day Volunteer Suicide in 2010.
Subject: Re: Death of Adrian von Bidder
Date: Fri, 22 Apr 2011 09:39:49 +0200
From: A Mennucc <mennucc1@debian.org>
To: debian-private@lists.debian.org
Il 19/04/2011 18:17, martin f krafft ha scritto:
> Dear Debian colleagues,
>
> I have the sad task to communicate to you the news of the death of
> Adrian von Bidder (avbidder, cmot), who passed away last Sunday,
> most probably of a heart attack.
I had contacted Adrian regarding the Debian umbrella.
So I had also a chance of seeing a picture of him
http://blog.fortytwo.ch/archives/80-Yay!-Debian-Logo!.html
In that picture he seemed quite happy and young.
His death is quite shocking and sad.
a.
There is a
Decklin Foster profile on Youtube that hasn't been used for nine
years. There are four subscribers. One of the videos has the
comment:
Mixed these together on my show (editsradio.org) this week and really liked the result, so here it is on its own, slowed down and a little extended.
Photo taken at the Wilbur Theater in Boston on 2012-07-31.
The last snapshot of
editsradio.org is on 6 April 2015. After that, the content is
changed to Arabic. From 15 August 2015, it is redirecting to another site,
also in Arabic, at
http://www.17serialbaran.org.
It would be extremely offensive to ask such a question in any other
group of people but in the world of
Debianism and
Zizian phenomena, there are a disproportionate number of people who
are living such lifestyles.
Chris Gleason was born in Lowell, Massachusetts. Gleason's career experience includes working as a technology consultant. He served in the U.S. Army National Guard from 1989 to 1999. Gleason earned a bachelor's degree from the University of Massachusetts, Lowell in 1996. Gleason has been affiliated with Caribbean Christian Center for the Deaf, Michigan -Make-A-Wish, Seniors Helping Seniors.
In the recent UK elections, journalists and researchers found various
examples of candidates who didn't really exist. At least one political
party was accused of making up fake candidates to make their party
look bigger and attract more donations.
I have the impression the
Chris Gleason in
Florida is a different
person but I'm not ruling out the possibility it is a fake profile
or an alter-ego of
Chris Gleason, wife of
Decklin.
The Committee on House Administration, the Committee on the Judiciary, and the
Committee on Oversight and Government Reform are charged with ensuring the integrity of American elections. To that end, the Committees are examining allegations that ActBlue, a leading political fundraising organization, allowed bad actors, including foreign actors, to exploit its online platform to make fraudulent political donations.
CEO at NextMed Holdings, LLC CEO at Translational Analytics and Statistics, LLC
Chris Gleason is a board member at Our Mayberry, a company focused on revolutionizing charitable giving and fundraising.1 He is a lawyer, entrepreneur, and community philanthropist with multiple leadership roles in charities helping children.3 Gleason has also been involved in various business ventures and has held executive positions in different companies.
In addition to his role at Our Mayberry, Gleason has served as a board member for the Goldwater Institute since 2013.5 He was also recently appointed as the president and CEO of Moximed, a medical device company, in June 2024.2
Gleason has a background in sales leadership, having previously worked as VP of sales at Relievant and VP of sales of interventional urology at Teleflex.2 He has also been involved in political activities, receiving income from Election Watch, a Wisconsin-based group, in 2024.4
It's worth noting that Gleason has recently entered the political arena, running for the position of Pinellas County Supervisor of Elections in Florida for the 2024 election. His campaign has been controversial, as he has made unsubstantiated claims about election fraud and criticized the incumbent, Julie Marcus.
In the case of another Debian Developer,
Paul Tagliamonte, he really was working in the White House and the
Pentagon. We have a photo to prove it:
Chris Gleason's campaign web site has the title
Whistleblower in big letters. This implies he was an insider
or he was connected to an insider, in other words, his claim to be
a whistleblower encourages us to ask about the bizarre possibility that he
really is or was the transgender wife of
ActBlue's missing director of
information technology,
Decklin Foster.
Here is one more interesting leak from the
debian-private leaked gossip network. It shows us that
Decklin Foster was in favor of the practice of dividing the community
and humiliating people. It looks like he supported the humiliation of
Sven Luther at the very time he was working in the Harvard Medical
School's depression research team. Sven's mother was dying at the time
this bun fight erupted.
Subject: Expulsion process: Sven Luther
Date: Thu, 01 Mar 2007 00:00:29 +0100
From: Joerg Jaspert <joerg@debian.org>
Organization: Goliath-BBS
To: debian-private@lists.debian.org
...
Now, the list of people who sent something in for the process:
Anthony - Requestor
Supporters, unordered:
srivasta@debian.org
mbanck@debian.org
tbm@cyrius.com
93sam@debian.org
fs@debian.org
jgoerzen@complete.org
fjp@debian.org
dilinger@debian.org
joeyh@debian.org
liw@iki.fi
stappers@stappers.nl
tolimar@debian.org
jeroen@wolffelaar.nl
tfheen@debian.org
micah@riseup.net
decklin@red-bean.com
tb@becket.net
tytso.mit.edu
The conflict between
Sven Luther and
Frans Pop appears to be a factor in the eventual suicide of
Frans Pop. The whole group failed.
Subject: [Very long] Post-partem rant and retrospective
Date: Thu, 31 May 2007 03:56:11 +0200
From: Frans Pop <elendil@planet.nl>
To: debian-private@lists.debian.org
I've decided to write this in a separate mail because I'm afraid this may get long. Quite a bit of this has been written before, but I hope some of you will bear with me.
[snip]
So, what has made me decide to leave the project. It's a combination of just plain emotional stress over the whole Sven Luther issue, frustration with the inability of the project to deal with that and with some other issues, and frustration with the fact that a fair number of members of the project seem to feel that as long as you don't upload packages with trojans, pretty much anything is OK.
and eventually....
Subject: Resignation
Date: Sun, 15 Aug 2010 21:41:18 +0200
From: Frans Pop <elendil@planet.nl>
To: debian-private@lists.debian.org
It's time to say goodbye. I don't want to say too much about it, except that I've been planning this for a long time.
Participating in Debian has been great.
...
At 11pm local time in eastern Australia, a huge fire broke out at
the Viva Energy refinery in Corio, Geelong.
There has been a near-total news vacuum. This may be deliberate or it
may be a consequence of cost-cutting that has replaced many journalists with
artificial intelligence. The few human journalists who remain in
the profession may have already gone to bed when the fire started.
The national broadcaster, the ABC, was quick to include it in their
list of breaking news items but without much detail. About three hours
after the fire started, it was present on the web site of 9 News but
not visible on the web sites of 7 News, Herald Sun or The Age. About
five hours after the fire started, the local newspaper Geelong Advertiser
included it in their
Facebook account.
The story is newsworthy for a number of reasons.
Australia previously had eight refineries but six of them were
phased out and never replaced.
Australia relies on foreign refineries for over eighty percent of
fuel. With the Corio refinery out of action, there is only one domestic
refinery left. Therefore, it is surprising the news media have been
so slow to pick up the story.
The next big reason it is newsworthy is the war in
Iran.
None of the news reports have commented on the fact that
Richard Marles, the deputy prime minister and the minister for defence
is the local member of parliament for the region where the refinery
is located.
In the news vacuum, people have been quick to share rumours on
social control media. Some people are speculating about the
prospect of a drone attack. In Europe last year there were reports about
Russian drones launched from cargo ships in international waters and
interfering with European airports. Other reports have speculated about
cargo ships using their anchors to sabotage pipelines and communications
cables on the sea floor.
France intercepted and seized a ship connected with
Russia.
Another user on
social control media has commented that there was a technical incident
at the plant earlier in the day and the fire could be nothing more
than an accident.
People would be wise not to jump to conclusions. Even if it is a
terror attack, it may not be
Iran. In recent news reports,
Russia announced they had the right to attack any countries who
are sending support to
Ukraine. The French company Thales manufacturers the BushMaster
armored personnel carriers in
Bendigo and the government donated some of them to
Ukraine. Low cost cardboard drones manufactured in
Australia have also been donated to
Ukraine.
It seems my own plans and life's plans diverged this spring,
so I am in the market for a new job. So if you're looking for
someone with a long track record making your code go brrr
really fast, give me a ping (contact information at
my homepage). Working from Oslo
(on-site or remote), CV available upon request. No AI boosterism
or cryptocurrency grifters, please :-)
I’ve been using the Furilabs FLX1s phone [1] as my daily driver for 6 weeks, it’s a decent phone, not as good as I hoped but good enough to use every day and rely on for phone calls about job interviews etc. I intend to keep using it as my main phone and as a platform to improve phone software in Debian as you really can’t effectively find bugs unless you use the platform for important tasks.
Support Problems
I previously wrote about the phone after I received it without a SIM caddy on the 13th of Jan. I had a saga with support about this, on the 16th of Jan one support person said that they would ship it immediately but didn’t provide a tracking number or any indication of when it would arrive. On the 5th of Feb I contacted support again and asked how long it would be, the new support person seemed to have no record of my previous communication but said that they would send it. On the 17th of Feb I made another support request including asking for a way of direct communication as the support email came from an address that wouldn’t accept replies, I was asked for a photo showing where the problem is. The support person also said that they might have to send a replacement phone!
The last support request I sent included my disappointment at the time taken to resolve the issue and the proposed solution of replacing the entire phone (why have two international shipments of a fragile and expensive phone when a single letter with a cheap SIM caddy would do?). I didn’t receive a reply but the SIM caddy arrived on the 2nd of Mar. Here is a pic of the SIM caddy and the package it came in:
One thing that should be noted is that some of the support people seemed to be very good at their jobs and they were all friendly. It was the system that failed here, turning a minor issue of a missing part into a 6 week saga.
Furilabs needs to do the following to address this issue:
Make it possible to reply directly to a message from a support person. Accept email with a custom subject to sort it, give a URL for a web form, anything. Collating discussions with a customer allows giving better support while taking less time for the support people.
Have someone monitor every social media address that is used by the company. When someone sends a support request in a public Mastodon post it indicates that something has gone wrong and you want to move quickly to resolve it.
Take care of the little things, like sending a tracking number for every parcel. If it’s something too small for a parcel (the SIM caddy could have fit in a regular letter) then just tell the customer what date it was posted and where it was posted from so they have some idea of when it will arrive.
This is not just a single failure of Furilabs support, it’s a systemic failure of their processes.
Problems I Will Fix – Unless Someone Beats Me to it
Here are some issues I plan to work on.
Smart Watch Support
I need to port one of the smart watch programs to Debian. Also I want to make one of them support the Colmi P80 [2].
A smart watch significantly increases the utility of a phone even though IMHO they aren’t doing nearly all the things that they could and should do. When we get Debian programs talking to the PineTime it will make a good platform for development of new smart phone and OS features.
Nextcloud
I have ongoing issues of my text Nextcloud installation on a Debian VM not allowing connection from the Linux desktop app (as packaged in Debian) and from the Android client (from f-droid). The desktop client works with a friend’s Nextcloud installation on Ubuntu so I may try running it on an Ubuntu VM I run while waiting for the Debian issue to get resolved. There was a bug recently fixed in Nextcloud that appears related so maybe the next release will fix it.
For the moment I’ve been running without these features and I call and SMS people from knowing their number or just returning calls. Phone calls generally aren’t very useful for me nowadays except when applying for jobs. If I could deal with recruiters and hiring managers via video calls then I would consider just not having a phone number.
Wifi IPv6
Periodically IPv6 support just stops working, I can’t ping the gateway. I turn wifi off and on again and it works. This might be an issue with my wifi network configuration. This might be an issue with the way I have configured my IPv6 networking, although that problem doesn’t happen with any of my laptops.
Chatty Sorting
Chatty is the program for SMS that is installed by default (part of the phosh/phoc setup), it also does Jabber. Version 0.8.7 is installed which apparently has some Furios modifications and it doesn’t properly support sorting SMS/Jabber conversations. Version 0.8.9 from Debian sorts in the same way as most SMS and Jabber programs with the most recent at the top. But the Debian version doesn’t support Jabber (only SMS and Matrix). When I went back to the Furilabs version of Chatty it still sorted for a while but then suddenly stopped. Killing Chatty (not just closing the window and reopening it) seems to make it sort the conversations sometimes.
Problems for Others to Fix
Here are the current issues I have starting with the most important.
Important
The following issues seriously reduce the usability of the device.
Hotspot
The Wifi hotspot functionality wasn’t working for a few weeks, this Gitlab issue seems to match it [3]. It started working correctly for a day and I was not sure if an update I applied fixed the bug or if it’s some sort of race condition that worked for this boot and will return next time I reboot it. Later on I rebooted it and found that it’s somewhat random whether it works or now.
Also while it is mostly working it seemed to stop working about every 25 minutes or so and I had to turn it off and on again to get it going.
On another day it went to a stage where it got repeated packet loss when I pinged the phone as a hotspot from my laptop. A pattern of 3 ping responses and 3 “Destination Host Unreachable” messages was often repeated.
I don’t know if this is related to the way Android software is run in a container to access the hardware.
4G Reliability
Sometimes 4G connectivity has just stopped, sometimes I can stop and restart the 4G data through software to fix it and sometimes I need to use the hardware switch. I haven’t noticed this for a week or two so there is a possibility that one fix addressed both Hotspot and 4G.
One thing that I will do is setup monitoring to give an alert on the phone if it can’t connect to the Internet. I don’t want it to just quietly stop doing networking stuff and not tell me!
On-screen Keyboard
The compatibility issues of the GNOME and KDE on-screen keyboards are getting me. I use phosh/phoc as the login environment as I want to stick to defaults at first to not make things any more difficult than they need to be. When I use programs that use QT such as Nheko the keyboard doesn’t always appear when it should and it forgets the setting for “word completion” (which means spelling correction).
The spelling correction system doesn’t suggest replacing “dont” with “don’t” which is really annoying as a major advantage for spelling checkers on touch screens is inserting an apostrophy. An apostrophy takes at least 3* longer than a regular character and saving that delay makes a difference to typing speed.
The spelling correction doesn’t correct two words run together.
Medium Priority
These issues are ongoing annoyances.
Delay on Power Button
In the best case scenario this phone has a much slower response to pressing the power button than the Android phones I tested (Huawei Mate 10 Pro and Samsung Galaxy Note 9) and a much slower response than my recollection of the vast majority of Android phones I’ve ever used. For testing pressing buttons on the phones simultaneously resulted in the Android phone screens lighting up much sooner. Something like 200ms vs 600ms – I don’t have a good setup to time these things but it’s very obvious when I test.
In a less common case scenario (the phone having been unused for some time) the response can be something like 5 seconds. The worst case scenario is something in excess of 20 seconds.
For UI designers, if you get multiple press events from a button that can turn the screen on/off please make your UI leave the screen on and ignore all the stacked events. Having the screen start turning on and off repeatedly when the phone recovers and processes all the button presses isn’t good, especially when each screen flash takes half a second.
Notifications
Touching on a notification for a program often doesn’t bring it to the foreground. I haven’t yet found a connection between when it does and when it doesn’t.
Also the lack of icons in the top bar on the screen to indicate notifications is annoying, but that seems to be an issue of design not the implementation.
Charge Delay
When I connect the phone to a power source there is a delay of about 22 seconds before it starts to charge. Having it miss 22 seconds of charge time is no big deal, having to wait 22 seconds to be sure it’s charging before leaving it is really annoying. Also the phone makes an audible alert when it gets to 0% charge which woke me up one night when I had failed to push the USB-C connector in hard enough. This phone requires a slightly deeper connector than most phones so with some plugs it’s easy to not quite insert them far enough.
Torch aka Flash
The light for the “torch” or flash for camera is not bright at all. In a quick test staring into the light from 40cm away wasn’t unpleasant compared to my Huawei Mate 10 Pro which has a light bright enough that it hurts to look at it from 4 meters away.
Because of this photos at night are not viable, not even when photographing something that’s less than a meter away.
The torch has a brightness setting which doesn’t seem to change the brightness, so it seems likely that this is a software issue and the brightness is set at a low level and the software isn’t changing it.
Audio
When I connect to my car the Lollypop player starts playing before the phone directs audio to the car, so the music starts coming from the phone for about a second. This is an annoying cosmetic error. Sometimes audio playing pauses for no apparent reason.
It doesn’t support the phone profile with Bluetooth so phone calls can’t go through the car audio system. Also it doesn’t always connect to my car when I start driving, sometimes I need to disable and enable Bluetooth to make it connect.
When I initially set the phone up Lollypop would send the track name when playing music through my car (Nissan LEAF) Bluetooth connection, after an update that often doesn’t happen so the car doesn’t display the track name or whether the music is playing but the pause icon works to pause and resume music (sometimes it does work).
About 30 seconds into a phone call it switches to hands-free mode while the icon to indicate hands-free is not highlighted, so I have to press the hands-free button twice to get it back to normal phone mode.
Low Priority
I could live with these things remaining as-is but it’s annoying.
Ticket Mode
There is apparently some code written to display tickets on screen without unlocking. I want to get this working and store screen-caps of the Android barcode screens of the different loyalty cards so I can scan them without unlocking. My threat model does not include someone trying to steal my phone to get a free loaf of bread on the bakery loyalty program.
Camera
The camera app works with both the back and front cameras, which is nice, and sadly based on my experience with other Debian phones it’s noteworthy. The problem is that it takes a long time to take a photo, something like a second after the button is pressed – long enough for you to think that it just silently took a photo and then move the phone.
The UI of the furios-camera app is also a little annoying, when viewing photos there is an icon at the bottom left of the screen for a video camera and an icon at the bottom right with a cross. Which every time makes me think “record videos” and “leave this screen” not “return to taking photos” and “delete current photo”. I can get used to the surprising icons, but being so slow is a real problem.
GUI App Installation
The program for managing software doesn’t work very well. It said that there were two updates for Mesa package needed, but didn’t seem to want to install them. I ran “flatpak update” as root to fix that. The process of selecting software defaults to including non-free, and most of the available apps are for desktop/laptop with no way to search for phone/tablet apps.
Generally I think it’s best to just avoid this and use apt and flatpak directly from the command-line. Being able to ssh to my phone from a desktop or laptop is good!
Android Emulation
The file /home/furios/.local/share/andromeda/data/system/uiderrors.txt is created by the Andromeda system which runs Android apps in a LXC container and appears to grow without end. After using the phone for a month it was 3.5G in size. The disk space usage isn’t directly a problem, out of the 110G storage space only 17G is used and I don’t have a need to put much else on it, even if I wanted to put backups of /home from my laptop on it when travelling that would still leave plenty of free space. But that sort of thing is a problem for backing up the phone and wasting 3.5G out of 110G total is a fairly significant step towards breaking the entire system.
Also having lots of logging messages from a subsystem that isn’t even being used is a bad sign.
I just tried using it and it doesn’t start from either the settings menu or from the f-droid icon. Android isn’t that important to me as I want to get away from the proprietary app space so I won’t bother trying this any more.
Unfixable Problems
Unlocking
After getting used to fingerprint unlocking going back to a password is a pain. I think that the hardware isn’t sufficient for modern quality face recognition that can’t be fooled by a photo and there isn’t fingerprint hardware.
When I first used an Android phone using a pin to unlock didn’t seem like a big deal, but after getting used to fingerprint unlock it’s a real drag to go without. This is a real annoyance when doing things like checking Wikipedia while watching TV.
This phone would be significantly improved with a fingerprint sensor or a camera that worked well enough for face unlock.
The MAC keeps changing on reboot so I can’t assign a permanent IPv4 address to the phone. It appears from the MAC prefix of 00:08:22 that the network hardware is made in InPro Comm which is well known for using random addresses in the products it OEMs. They apparently have one allocation of 2^24 addresses and each device randomly chooses a MAC from that range on boot.
In the settings for a Wifi connection the “Identity” tab has a field named “Cloned Address” which can be set to “Stable for SSID” that prevents it from changing and allows a static IP address allocation from DHCP. It’s not ideal but it works.
Network Manager can be configured to have a permanent assigned MAC address for all connections or for just some connections. In the past for such things I have copied MAC addresses from ethernet devices that were being discarded and used them for such things. For the moment the “Stable for SSID” setting does what I need but I will consider setting a permanent address at some future time.
Docks
Having the ability to connect to a dock is really handy. The PinePhonePro and Librem5 support it and on the proprietary side a lot of Samsung devices do it with a special desktop GUI named Dex and some Huawei devices also have a desktop version of the GUI. It’s unfortunate that this phone can’t do it.
The Good Things
It’s good to be able to ssh in to my phone, even if the on-screen keyboard worked as well as the Android ones it would still be a major pain to use when compared to a real keyboard. The phone doesn’t support connecting to a dock (unlike Samsung phones I’ve used for which I found Dex to be very useful with a 4K monitor and proper keyboard) so ssh is the best way to access it.
This phone has very reliable connections to my home wifi. I’ve had ssh sessions from my desktop to my phone that have remained open for multiple days. I don’t really need this, I’ve just forgotten to logout and noticed days later that the connection is still running. None of the other phones running Debian could do that.
Running the same OS on desktop and phone makes things easier to test and debug.
Having support for all the things that Linux distributions support is good. For example none of the Android music players support all the encodings of audio that comes from YouTube so to play all of my music collection on Android I would need to transcode most of them which means either losing quality, wasting storage space, or both. While Lollypop plays FLAC0, mp3, m4a, mka, webm, ogg, and more.
Conclusion
This is a step towards where I want to go but it’s far from the end goal.
The PinePhonePro and Librem5 are more open hardware platforms which have some significant benefits. But the battery life issues make them unusable for me.
Running Mobian on a OnePlus 6 or Droidian on a Note 9 works well for the small tablet features but without VoLTE. While the telcos have blocked phones without VoLTE data devices still work so if recruiters etc would stop requiring phone calls then I could make one of them an option.
The phone works well enough that it could potentially be used by one of my older relatives. If I could ssh in to my parents phones when they mess things up that would be convenient.
I’ve run this phone as my daily driver since the 3rd of March and it has worked reasonably well. 6 weeks compared to my previous use of the PinePhonePro for 3 days. This is the first time in 15 years that a non-Android phone has worked for me personally. I have briefly used an iPhone 7 for work which basically did what it needed to do, it was at the bottom of the pile of unused phones at work and I didn’t want to take a newer iPhone that could be used by someone who’s doing more than the occasional SMS or Slack message.
So this is better than it might have been, not as good as I hoped, but a decent platform to use it while developing for it.
I’m looking forward to being able to split out GSS-API key exchange support in OpenSSH once Ubuntu 26.04 LTS has been released! This stuff will still be my problem, but at least it won’t be in packages that nearly everyone has installed.
Python packaging
New upstream versions:
dill
django-modeltranslation
isort
langtable
pathos
pendulum
pox
ppft
pydantic-extra-types
pytango
python-asyncssh
python-datamodel-code-generator
python-evalidate
python-packaging (including fixes for python-hatch-requirements-txt and python-pyproject-examples)
I worked with the security team to release DSA-6161-1 in multipart, fixing CVE-2026-28356 (upstream discussion). (Most of the work for this was in February, but the vulnerability was still embargoed when I published my last monthly update.)
In trixie-backports, I updated pytest-django to 4.12.0.
I fixed a number of packages to support building with pyo3 0.28:
Review: The Teller of Small Fortunes, by Julie Leong
Publisher:
Ace
Copyright:
November 2024
ISBN:
0-593-81590-4
Format:
Kindle
Pages:
324
The Teller of Small Fortunes is a cozy found-family fantasy with a
roughly medieval setting. It was Julie Leong's first novel.
Tao is a traveling teller of small fortunes. In her wagon, pulled by her
friendly mule Laohu, she wanders the small villages of Eshtera and reads
the trivial fortunes of villagers in the tea leaves. An upcoming injury, a
lost ring, a future kiss, a small business deal... she looks around the
large lines of fate and finds the small threads. After a few days, she
moves on, making her solitary way to another village.
Tao is not originally from Eshtera. She is Shinn, which means she
encounters a bit of suspicion and hostility mixed with the fascination of
the exotic. (Language and culture clues lead me to think Shinara is
intended to be this world's not-China, but it's not a direct mapping.) Tao
uses the fascination to help her business; fortune telling is more
believable from someone who seems exotic. The hostility she's learned to
deflect and ignore. In the worst case, there's always another village.
If you've read any cozy found-family novels, you know roughly what happens
next. Tao encounters people on the road and, for various reasons, they
decide to travel together. The first two are a massive mercenary (Mash)
and a semi-reformed thief (Silt), who join Tao somewhat awkwardly after
Tao gives Mash a fortune that is far more significant than she intended.
One town later, they pick up an apprentice baker best known for her
misshapen pastries. They also collect a stray cat, because of course they
do. It's that sort of book.
For me, this sort of novel lives or dies by the characters, so it's good
news that I liked Tao and enjoyed spending time with her. She's quiet,
resilient, competent, and self-contained, with a difficult past and some
mysteries and emotions the others can draw over time. She's also
thoughtful and introspective, which means the tight third-person narration
that almost always stays on Tao offers emotional growth to mull over. I
also liked Kina (the baker) and Mash; they're a bit more obvious and
straightforward, but Kina adds irrepressible energy and Mash is a good
example of the sometimes-gruff soldier with a soft heart. Silt was a bit
more annoying and I never entirely warmed to him, but he's tolerable and
does get a bit of much-needed (if superficial) character development.
It takes some time for the reader to learn about the primary conflict of
the story (Tao does not give up her secrets quickly), so I won't spoil it,
but I thought it worked well. I was momentarily afraid the story would
develop a clear villain, but Leong has some satisfying alternate surprises
in store. The ending was well-done, although it is very happily-ever-after
in a way that may strike some readers as too neat. The Teller of
Small Fortunes aims for a quiet and relaxed mood rather than forcing
character development through difficult choices; it's a fine aim for a
novel, but it won't match everyone's mood.
I liked the world-building, although expect small and somewhat
disconnected details rather than an overarching theory of magic. Tao's
ability gets the most elaboration, for obvious reasons, and I liked how
Leong describes it and explores its consequences. Most of the attention in
the setting is on the friction, wistfulness, and small reminders of coming
from a different culture than everyone around you, but so long ago that
you are not fully a part of either world. This, I thought, was very
well-done and is one of the places where the story is comfortable with
complex feelings and doesn't try to reach a simplifying conclusion.
There is one bit of the story that felt like it was taken directly out of
a Dungeons & Dragons campaign to a degree that felt jarring, but
that was the only odd world-building note.
This book felt like a warm cup of tea intended to comfort and relax,
without large or complex thoughts about the world. It's not intended to be
challenging; there are a few plot twists I didn't anticipate, but nothing
that dramatic, and I doubt anyone will be surprised by the conclusions it
reaches. It's a pleasant time with some nice people and just enough
tension and mystery to add some motivation to find out what happens next.
If that's what you're in the mood for, recommended. If you want a book
that has Things To Say or will put you on the edge of your seat, maybe
save this one for another mood.
All the on-line sources I found for this book call it a standalone, but
The Keeper of Magical Things is set in the same world, so I would
call it a loose series with different protagonists. The Teller of
Small Fortunes is a complete story in one book, though.
These reports outline what we’ve been up to over the past month, highlighting items of news from elsewhere in the increasingly-important area of software supply-chain security. As ever, if you are interested in contributing to the Reproducible Builds project, please see the Contribute page on our website.
The current signature-based module integrity checking has some drawbacks in combination with reproducible builds. Either the module signing key is generated at build time, which makes the build unreproducible, or a static signing key is used, which precludes rebuilds by third parties and makes the whole build and packaging process much more complicated.
I think this actually undersells the feature. It’s also much simpler than the signature-based module authentication. The latter relies on PKCS#7, X.509, ASN.1, OID registry, crypto_sig API, etc in addition to the implementations of the actual signature algorithm (RSA / ECDSA / ML-DSA) and at least one hash algorithm.
Distribution work
In Debian this month,
Lucas Nussbaum announced Debaudit, a “new service to verify the reproducibility of Debian source packages”:
debaudit complements the work of the Reproducible Builds project. While reproduce.debian.net focuses on ensuring that binary packages can be bit-for-bit reproduced from their source packages, debaudit focuses on the preceding step: ensuring that the source package itself is a faithful and reproducible representation of its upstream source or Vcs-Git repository.
Lastly, Bernhard M. Wiedemann posted another openSUSEmonthly update for their work there.
Tool development
diffoscope is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues. This month, Chris Lamb made a number of changes, including preparing and uploading versions, 314 and 315 to Debian.
Chris Lamb:
Don’t run test_code_is_black_clean test in the autopkgtests. (#1130402). […]
rebuilderd, our server designed monitor the official package repositories of Linux distributions and attempt to reproduce the observed results there; it powers, amongst other things, reproduce.debian.net.
A new version, 0.26.0, was released this month, with the following improvements:
Much smoother onboarding/installation.
Complete database redesign with many improvements.
New REST HTTP API.
It’s now possible to artificially delay the first reproduce attempt. This gives archive infrastructure more time to catch up.
The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:
Attacks on software supply chains are on the rise, and attackers are becoming increasingly creative in how they inject malicious code into software components.
This paper is the first to investigate Python cache poisoning, which manipulates bytecode cache files to execute malicious code without altering the human-readable source code.
We demonstrate a proof of concept, showing that an attacker can inject malicious bytecode into a cache file without failing the Python interpreter’s integrity checks.
In a large-scale analysis of the Python Package Index, we find that about 12,500 packages are distributed with cache files.
Through manual investigation of cache files that cannot be reproduced automatically from the corresponding source files, we identify classes of reasons for irreproducibility to locate malicious cache files.
While we did not identify any malware leveraging this attack vector, we demonstrate that several widespread package managers are vulnerable to such attacks.
Mario Lins of the University of Linz, Austria, has published their PhD doctoral thesis on the topic of Software supply chain transparency:
We begin by examining threats to the software distribution stage — the point at which artifacts (e.g., mobile apps) are delivered to end users — with an emphasis on mobile ecosystems [and] we next focus on the operating system on mobile devices, with an emphasis on mitigating bootloader-targeted attacks. We demonstrate how to compensate lost security guarantees on devices with an unlocked bootloader. This allows users to flash custom operating systems on devices that no longer receive security updates from the original manufacturer without compromising security. We then move to the source code stage. [Also,] we introduce a new architecture to ensure strong source-to-binary correspondence by leveraging the security guarantees of Confidential Computing technology. Finally, we present The Supply Chain Game, an organizational security approach that enhances standard risk-management methods. We demonstrate how game-theoretic techniques, combined with common risk management practices, can derive new criteria to better support decision makers.
Holger Levsen announced that this year’s Reproducible Builds summit will almost certainly be held in Gothenburg, Sweden, from September 22 until 24, followed by two days of hacking. However, these dates are preliminary and not 100% final — an official announcement is forthcoming.
Mark Wielaard posted to our list asking a question on the difference between debugedit and relative debug paths based on a comment on the Build path page: “Have people tried more modern versions of debugedit to get deterministic (absolute) DWARF paths and found issues with it?
Finally, if you are interested in contributing to the Reproducible Builds project, please visit our Contribute page on our website. However, you can get in touch with us via:
A colleague asked me if we should move all our money to our pillow cases after
reading the latest AI editorial from Thomas
Friedman.
The article reads like a press release from Anthropic, repeating the claim that
their latest AI model is so good at finding software vulnerabilities that it is
a danger to the world.
I think I now know what it’s like to be a doctor who is forced to watch Gray’s
Anatomy.
By now every journalist should be able to recognize the AI publicity playbook:
Step 1: Start with a wildly unsubstantiated claim about how dangerous your
product is:
AI will cause human extinction before we have a chance to colonize mars
(remember that one? Even Kim Stanley Robinson, author of perhaps the most
compelling science fiction on colonizing mars calls bull
shit
on it).
AI will eliminate all of our jobs (this one was extremely effective at
providing cover for software companies laying off staff but it has quickly
dawned on people that the companies that did this are living in chaos not
humming along happily with functional robots)
AI will discover massive software vulnerabilities allowing bad actors to “hack
pretty much every major software system in the world”. (Did Friedman pull that
directly from Anthropic’s press release or was that his contribution?)
Step 2: To help stave off human collapse, only release the new version to a
vetted group of software companies and developers, preferably ones with big
social media followings
Step 3: Wait for the limited release developers to spew unbridled
enthusiasm and shocking examples that seem to suggest this new AI produce is
truly unbelievable
Step 4: Watch stock prices and valuations soar
Step 5: Release to the world, and experience a steady stream of mockery as
people discover how wrong you are
Step 6: Start over
Even if Friedman missed the text book example of the playbook, I have to ask:
if you think bad actors compromising software resulting in massive loss of
private data, major outages and wasted resources needs to be reported on, then
where have you been for the last 10 years? This literally happens on a daily
basis due to the
fundamentally flawed way capitalism has been writing software even before the
invention of AI. A small part of me wonders - maybe AI writing software is not
so bad, because how could it be any worse than it is now?
Also, let’s keep in mind that AI’s super ability at finding vulnerable software
depends on having access to the software’s source code, which most companies
keep locked up tight. That means the owners of the software can use AI to find
vulnerabilities and fix them but bad actors can’t.
Surely that would allow AI bots to discover their vulnerabilities and destroy
the company right? I’m not sure if anyone has discovered world ending
vulnerabilities in Anthropic’s Claude code since it was accidentally released,
but it is fun to watch people mock
software that is clearly
written by AI (and spoiler alert, it seems way worse that software written
now).
Well… we probably should all be keeping our money in a pillow case anyway.
I installed the new CPU in another Z640 which had a E5-1620 v3 CPU and it worked. I was a little surprised to discover that the hole in the corner is in the bottom right (according to the alignment of the printed text on the top) for all my E5-26xx CPUs while it’s in the top left on the E5-1620 v3. Google searches for things like “e5-2600 e5-1600 difference” and “e5-2600 e5-1600 difference hole in corner” didn’t turn up any useful information. The best information I found was from the Linus Tech Tips forum which says that the hole is to allow gasses to escape when the CPU package is glued together [5] which implies (but doesn’t state) that the location of the hole has no meaning. I had previously thought that the hole was to indicate the location of “pin 1” and was surprised when the new CPU had the hole in the opposite corner. Hopefully in future when people have such concerns they can find this post and not be worried that they are about to destroy their CPU, PC, or both when upgrading the CPU.
The previous Z640 was one I bought from Facebook marketplace for $50 in “unknown condition” in the expectation that I would get at least $50 of parts but it worked perfectly apart from one DIMM socket. The Z640 I’m using now is one I bought from Facebook marketplace for $200 and it’s working perfectly with 4 DIMMs, 128G of RAM, and the E5-2696 v4 CPU. $300 for a workstation with ECC RAM and a 22 core CPU is good value for money!
There are some accounts of the E5-2696 v4 not working on white-box motherboards including a claim that when it was selling for $4000US someone’s motherboard destroyed one. The best plan for such CPUs is to google for someone who’s already got it working in the same machine, which means a name-brand server. That doesn’t guarantee that it will work (Intel refuses to supply specs and states that different items may work differently) but greatly improves the probability.
This system has the HP BIOS version 2.61, note that the Linux fwupd package doesn’t seem to update the BIOS on HP workstations so you need to manually download it and install it. There is a possibility that a Z640 with an older BIOS won’t work with this CPU.
In January 2025,
as a pre-requisite for something else, I published a minimal neovim
plugin called nvim-µwiki. It's essentially just the features from
vimwiki that I regularly use, which is a small fraction them.
I forgot to blog about it. I recently dusted it off and cleaned it up.
You can find it here, along with a longer list of its features and
how to configure it: https://github.com/jmtd/nvim-microwiki
I had a couple of design goals. I didn't want to define a new filetype,
so this is designed to work with the existing markdown one. I'm
using neovim, so I wanted to leverage some of its features: this plugin
is written in Lua, rather than vimscript. I use the parse trees
provided by TreeSitter to navigate the structure of a document.
I also decided to "plug into" the existing tag stack navigation, rather
than define another dimension of navigation (along with buffers, etc.)
to track: Following a wiki-link pushes onto the tag stack, just as if
you followed a tag.
This was my first serious bit of Lua programming, as well as my first
dive into neovim (or even vim) internals.
Lua is quite reasonable. Most
of the vim and neovim architecture is reasonable. The emerging conventions
about structuring neovim plugins are mostly reasonable. TreeSitter is, well,
interesting, but the devil is very much in the details. Somehow all
together the experience for me was largely just frustrating, and I didn't
really enjoy writing it.
This was my hundred-forty-first month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.
During my allocated time I uploaded or worked on:
[DLA 4500-1] gimp security update to fix four CVEs related to denial of service or execution of arbitrary code.
[DLA 4503-1] evolution-data-server to fix one CVE related to a missing canonicalization of a file path.
[DLA 4512-1] strongswan security update to fix one CVE related to a denial of service.
[ELA-1656-1] gimp security update to fix four CVEs in Buster and Stretch related to denial of service or execution of arbitrary code.
[ELA-1660-1] evolution-data-server security update to fix one CVE in Buster and Stretch related to a missing canonicalization of a file path.
[ELA-1665-1] strongswan security update to fix one CVE in Buster related to a denial of service.
[ELA-1666-1] libvpx security update to fix one CVE in Buster and Stretch related to a denial of service or potentially execution of arbitrary code.
I also worked on the check-advisories script and proposed a fix for cases where issues would be assigned to the coordinator instead of the person who forgot doing something.
I also did some work for a kernel update and packages snapd and ldx on security-master and attended the monthly LTS/ELTS meeting. Last but not least I started to work on gst-plugins-bad1.0
Several packages take care of group lpadmin in their maintainer scripts. With the upload of version 260.1-1 of systemd there is now a central package (systemd | systemd-standalone-sysusers | systemd-sysusers) that takes care of this. Other dependencies like adduser can now be dropped.
This month I continued to work on unifying packaging on Debian and Ubuntu. This makes it easier to work on those packages independent of the used platform. I am also able to upload Debian packages to the corresponding Ubuntu PPA now. A small bug had to be fixed in the python script to allow the initial configuration in Launchpad.
This month I uploaded a new upstream version or a bugfix version of:
… libplayerone to experimental. For a list of other packages please see below.
I also uploaded lots of indi-drivers (libplayerone, libsbig, libricohcamerasdk, indi-asi, indi-eqmod, indi-fishcamp, indi-inovaplx, indi-pentax, indi-playerone, indi-sbig, indi-mi, libahp-xc, indi-aagcloudwatcher, indi-aok, indi-apogee, libapogee3, indi-nightscape, libasi, libinovasdk, libmicam, indi-avalon, indi-beefocus, indi-bresserexos2, indi-dsi, indi-ffmv, indi-fli, indi-gige, info-gphoto, indi-gpsd, indi-gpsnmea, indi-limesdr, indi-maxdomeii, indi-mgen, indi-rtklib, indi-shelyak, indi-starbook, indi-starbookten, indi-talon6, indi-weewx-json, indi-webcam, indi-orion-ssg3, indi-armadillo-playtypus ) to experimental to make progress with the indi-transition. No problems with those drivers appeared and the next step would be the upload of indi version 2.x to unstable. I hope this will happen soon, as new drivers are already waiting in the pipeline. There have been also four packages, that migrated to the official indi package and are no longer needed as 3rdparty drivers (indi-astrolink4, indi-astromechfoc, indi-dreamfocuser, indi-spectracyber).
While working on these packages, I thought about testing them. Unfortunately I don’t have enough hardware to really check out every package, so I can upload most of them only as is. In case anybody is interested in a better testing coverage and me being able to provide upstream patches, I would be very glad about hardware donations.
Debian IoT
This month I uploaded a new upstream version or a bugfix version of:
The Tour de Los Padres is coming! The race organizer post the route on
ridewithgps. This works, but has convoluted interfaces for people not wanting to
use their service. I just wrote a simple script to export their data into a
plain .gpx file, including all the waypoints; their exporter omits those.
I've seen two flavors of their data, so here're two flavors of the
gpx-from-ridewithgps.py script:
Haven’t written here about it, but last March we finally started on
our journey to get our own house build, so we can move out of the
rented flat here.
That will be a big step, both the actual building, but also the
moving - I am living at this one single place for 36 years now.
If you can read german there is a dedicated
webpage where I sometimes write about the
process. Will have much more details (and way more ramblings) than the
following part.
If you can’t read german, a somewhat short summary follows. Yes,
still a lot of text, but shortened, still.
What? Why now?
Current flat has 83m² - which simply isn’t enough space. And
the number of rooms also doesn’t fit anymore. But it is hard to find a
place that fits our requirements (which do include location).
Moving to a different rented place would also mean changed amount of
rent. And nowadays that would be huge increase (my current rent is
still the price from about 30 years ago!).
So if we go and pay more - we could adjust and pay for something we
own instead. And both, my wife and I had changes in our jobs that made
it possible for us now, so we started looking.
Market
Brrrr, looking is good, actually finding something that fits - not so.
We never found an offer that fit. Space wise, sure. But then location
was off, or price was idiotically high. Location fit, but then size
was a joke, and guess about the price… Who needs 200 square meters
with 3 rooms? Entirely stupid design choices there. Or how about 40
square meters of hallway - with 50m² of tiny rooms around. What are
they smoking? Oh, there, useful size, good rooms - but now you want
more money than a kidney is worth, or something. Thanks, no.
New place
In February 2025 we finally got lucky and found a (newly opened) area
with a large number of places to build a house on. Had multiple talks
with someone from on of the companies developing that area (there are
two you can select from), then talked with banks and signed a contract
in March 2025. We got promised that actual house construction would be
first quarter of 2026, finished in second quarter.
House type
There are basically 2 ways of building a new house (that matter here).
First is called “Massivhaus”, second is called “Fertighaus” in german,
roughly translating to solid and prefabricated. The latter commonly a
wood based construction, though it doesn’t need to be. The important
part of it is the prefabrication, walls and stuff get assembled in a
factory somewhere and then transported to your place, where they play
“big kid lego” for a day and suddenly a house is there.
A common thought is “prefabricated” is faster, but that is only a half
true. Sure, the actual work on side is way shorter - usually one or
two days and the house is done - while a massive construction usually
takes weeks to build up. But that is only a tiny part of the time
needed, the major part goes of into planning and waiting and in there
it doesn’t matter what material you end up with.
Money fun
Last year already wasn’t the best time to start a huge loan - but
isn’t it always “a few years ago would have been better”? So we had
multiple talks with different banks and specialised consultants until
we found something that we thought is good for us.
Thinking about it now - we should have put even more money on top as
“reserve”, but who could have thought that 2026 turns into such a
shitshow? Does not help at all, quite the contrary. And that damn
lotto game always ends up with the wrong numbers, meh.
Plans and plans and more plans - and rules
For whichever reason you can not just go and put something on your
ground and be happy. At least not if you are part of the normal people and not
enormously rich. There is a large set of rules to follow. Usually that
is a good thing, even though some rules are sometimes hard to understand.
In Germany, besides the usual laws, we have something that is called
“Bebauungsplan”, which translates to “development plan” (don’t know if
that carries the right meaning, it’s a plan on what and how may be
build, which can have really detailed specifications in). It basically
tells you every aspect on top of the normal law that you have to
keep in mind.
In our case we have the requirement of 2 full floors and CAN have a
third smaller on top, it limits how high the house can be and also
how high our ground floor may be compared to the street. It regulates
where on the property we may build and how much ground we may cover
with the house, it gives a set of colors we are allowed to use, it
demands a flat roof that we must have as a green roof and has a number
of things more that aren’t important enough to list here. If you do
want to see the full list, my german post on it has all the details
that matter to
us.
With all that stuff in mind - off to plans. Wouldn’t have believed how
many details there are to take in. Room sizes are simple, but how to
arrange them for ideal usage of the sun, useful ways inside the house,
but also keeping in mind that water needs to flow through and out.
Putting a bath room right atop a living room means a water pipe needs
to go down there. Switch the bath room side in the house, and it
suddenly is above the kitchen - means you can connect the pipes from
it to the ones from kitchen, which is much preferred than going
through the living room. And lots more such things.
It took us until nearly end of October to finalize the plans! And we
learned a whole load from it. We started with a lot of wishes. The
planner tried to make them work. Then we changed our minds. Plans
changed. Minds changed again. Comparing the end result with the first
draft we changed most of the ground floor around, with only the stairs
and the entrance door at the same position. Less changes for the upper
floor, but still enough.
Side quests
The whole year was riddled with something my son named side quests. We
visited a construction exhibition near us, we went to the house
builders factory and took a look on how they work. We went to many
different other companies that do SOME type of work which we need
soon, say inside floors, painters, kitchen and more stuff.
Of course the most important side quest was a visit to the notary to
finalize the contracts, especially for the plot of land (in Germany
you must have a notary for that to get entered into the governments
books). Creates lots of fees, of course, for the notary and also the
government (both fees and taxes here).
Building permit
We had been lucky and only needed a small change to the plans to get
the building permit - and the second part, the wastewater permit (yes,
you need a separate one for this) also got through without trouble.
Choices, so many of them
So in January we finally had an appointment for something that’s
called “Bemusterung” which badly translates to “Sampling”. Basically
two days at the house builders factory to select all of what’s needed
for the house that you don’t do in the plans. Doors, inside and out
and their type and color and handles. Same things for the windows and
the blinds and the protection level you want the windows to have.
Decide about stairs, design for the sanitary installations - and also
the height of the toilet! - and the tiles to put into the bathrooms.
Decisions on all the tech needed (heating system, ventilation and
whatnot.
Two days, busy ones - and you can easily spend a lot of extra money
here if you aren’t careful. We managed to get “out of it” with only
about 4000€ extra, so pretty good.
Electro and automation
Now, here I am special. Back when I was young the job I learned is
electrician. So here I have very detailed wishes. I am also running
lots of automatism in my current flat - obviously the new house should
be better than that. So I have a lot of ideas and thoughts on it, so
this is entirely extra and certainly out of the ordinary the house
builder usually see.
Which means I do all of that on my own. Well, the planning and some of
the work, I must have a company at hand for certain tasks, it is
required by some rules. But they will do what I planned, as long as I
don’t violate regulations.
Which means the whole electrical installation is … different.
Entirely planned for automatisms and using KNX for it. I am so happy
to ditch Homeassistant and the load of Homematic, Zigbee and ZWave
based wireless things.
Ok, Homeassistant is a nice thing - it can do a lot. And it can bridge
between about any system you can find. But it is a central single point of
failure. And it is a system that needs constant maintenance. Not
touched for a while? Plan for a few hours playing update whack-a-mole.
And often enough a component here or there breaks with an update. Can
be fixed, but takes another hour or two.
So I change. Away from wireless based stuff. To wires. To a system
thats a standard for decades already. And works entirely without a
SPOF. (Yes, you can add one here too). And, most important, should I
ever die - can easily be maintained by anyone out there dealing with
KNX, which is a large number of people and companies. Without digging
through dozens of specialised integrations and whatnot.
I may even end up with Homeassistant again - but that will entirely be
as a client. It won’t drive automations. It won’t be the central point
to do anything for the house. It will be a logging and data collecting
thing that enables me to put up easy visualizations. It may be an easy
interface for smartphones or tablets to control parts of the house,
for those parts where one wants this to happen. Not the usual
day-to-day stuff, extras on top.
Actual work happening
Since march there finally is action visible. The base of the house
is getting build. Wednesday the 1st April we finally got the base
slab poured on the construction site and in another 10 days the house
is getting delivered and build up. A 40ton mobile crane will be there.
Per my policies,
I need to ban every employee and contractor of Anthropic Inc from ever
contributing code to any of my projects. Anyone have a list?
Any project that requires a Developer Certificate of Origin or similar should
be doing this, because Anthropic is making tools that explicitly lie about
the origin of patches to free software projects.
UNDERCOVER MODE — CRITICAL
You are operating UNDERCOVER in a PUBLIC/OPEN-SOURCE repository. [...]
Do not blow your cover.
NEVER include in commit messages or PR descriptions:
[...]
The phrase 'Claude Code' or any mention that you are an AI
Co-Authored-By lines or any other attribution
The fact that only one candidate is running in the
Debianism elections gives a stark reminder about the state of the
so-called community. The main reason why other people did not contest
the election is because of fear. Fear of a circle of reprisals that began
when Adrian von Bidder-Senn died on our wedding day.
When CentOS died, people tried to carry on in various ways. That tells
us a lot about human psychology. People knew the game was over but they
tried to continue as if it was business as usual, as if the situation
could be salvaged, as if it was only a temporary crisis.
Now Sruthi has stopped answering questions on the
Debian-vote mailing list and it seems reality has started to sink in.
People are coming to realize that the position of Debian Project Leader
is the interface between
Debianism and the outside world. People can fool themselves and
use the Code of Conduct gaslighting to blackmail other volunteers to
pretend that
Sruthi is a great leader. People are coming to realise that these
tricks won't work on the wider community. Given that
Sruthi would be Debian's interface to the outside world, we can't
just ignore how the world views
the candidate who is the wife of another developer.
She has ignored the most serious questions on
Debian-vote mailing list. A woman trying to run Debian from a
social control media
account is the death of Debian. Here is a tally of the number of replies
she provided each day for those who use email, the mainstay of Debian
communication:
Day
Count
14 March
0
15 March
0
16 March
0
17 March
4
18 March
0
19 March
0
20 March
0
21 March
3
22 March
1
23 March
0
24 March
7
25 March
0
26 March
0
27 March
0
28 March
0
29 March
0
30 March
0
31 March
0
That is a total of only 15 replies. She has been largely silent for a
whole week since 24 March.
Technically, questions and their answers are supposed to be completed
before midnight on Friday, 3 April. The most critical questions have not
been answered. In her platform,
Sruthi Chandran boasts about being the "Chief orga DebConf India 2023"
but there has never been an official report about the
death of Abraham Raji at the conference.
Voting runs from 4 April to 17 April, which is the 15th anniversary of
the day
Adrian von Bidder-Senn died on our wedding day. It was discussed like
a copy-cat suicide but there was no official report about those deaths
either.
Everything in Debian is transparent, all forms of official communication are a matter of public record, the amount of unresolved bugs, every step taken by debian as an organization, everything is in the open! I appreciate that from my distribution. There is no room for underhand corporate deals, no unfair treatment behind private mails and everything can be reviewed by the public.
Does
Sruthi Chandran spend more time in debian-private (leaked)
and WhatsApp groups than the public communication channels that Debian
is supposed to be using?
Sruthi Chandran's platform tells us she wants to put diversity ahead
of traditional goals like freedom and security. She has been very vague
about this. As a consequence, more evidence is going to be published
during the voting period to prove that Debian "diversity" means some men who
did the real work are not being given credit while some large sums of
money were assigned to the wives and girlfriends of cabal members.
I've never stated whether people should vote for
Sruthi Chandran or not. Looking at the tone of the discussion, I feel
people are coming to realise the way the outside world views candidates
like this is not the same way that people view it from inside the bubble.
Consider the irony: they spent all that money in arguments about
leaks that are "tarnishing" the trademark. The implication of these
arguments about tarnishing is that the way the outside world views
Debianism does matter. Can anybody see the risk that
Sruthi Chandran and a lop-sided diversity crusade could do far more
to tarnish the trademark than any leaks that have appeared up to this
moment?
Debian may not die exactly the same way that CentOS died. At some
point, as with CentOS, we will go past the point of no return. Maybe
we already did. Will people have the courage to ask questions before
that threshold is crossed or will they continue acting as if nothing is
wrong even long after the life support system has been unplugged from
the corpse?
The best way to encourage people to nominate for the election will be for
the existing leader,
Andreas Tille, to withdraw all the privacy attacks, settle the lawsuits
proactively and ensure the next leader can walk in and find the desk is clean
ready to work on productive things.
Don't hold your breath waiting for transparency about these attacks on my
family. There is still time to watch my video and
contribute to the crowdfunding campaign.
Although I never submitted to it, I made several appearances in the now-defunct quote database on bash.org (QDB). I’m dealing with a broken keyboard now, and went to dig hard to find this classic in the Wayback machine. I thought I would put it back on the web:
<mako> my letter "eye" stopped worng
<luca> k, too?
<mako> yeah
<luca> sounds like a mountain dew spill
<mako> and comma
<mako> those three
<mako> ths s horrble
<luca> tme for a new eyboard
<luca> 've successfully taen my eyboard apart and fxed t by cleanng t wth alcohol
<mako> stop mang fun of me
<mako> ths s a laptop!
Legacy cloud templates often lack the partitioning and bootloader
binaries required for UEFI Secure Boot. Attempting to switch such a VM
to OVMF in Proxmox results in “not a bootable disk.” We discovered that
a surgical promotion is possible by manipulating the block device and
EFI variables from the hypervisor.
The Problem
Protective MBR Flags: Legacy installers often set
the pmbr_boot flag on the GPT’s protective MBR. Strict UEFI
implementations (OVMF) will ignore the GPT if this flag is present.
Missing ESP: Cloud images often lack a FAT32 EFI
System Partition (ESP).
Variable Store: A fresh Proxmox efidisk0 is empty and lacks both the trust certificates
(PK/KEK/db) and the BootOrder entries required for an automated
boot.
The “Promotion” Rule
To upgrade a SeaBIOS VM to Secure Boot without a full OS reinstall:
1. Surgical Partitioning: Map the disk on the host and
add a FAT32 partition (Type EF00). Clear the pmbr_boot flag from the MBR. 2. Binary
Preparation: Boot the VM in SeaBIOS mode to install shim and grub-efi packages. Use grub2-mkconfig to populate the new ESP. 3. Trust
Injection: Use the virt-fw-vars utility on the
hypervisor to programmatically enroll the Red Hat/Microsoft CA keys and
any custom certificates (e.g., FreeIPA CA) into the VM’s efidisk. 4. Boot Pinning: Explicitly set
the UEFI BootOrder to point to the shimx64.efi
path via virt-fw-vars --append-boot-filepath.
Solution (Example Command
Sequence)
On the Proxmox Host (root):
# Map and Clean MBRDEV=$(rbd map pool/disk)parted-s$DEV disk_set pmbr_boot off# Inject Trust and Boot Path (VM must be stopped)virt-fw-vars--inplace /dev/rbd/mapped_efidisk \--enroll-redhat\--add-db<GUID> /path/to/ipa-ca.crt \--append-boot-filepath'\EFI\centos\shimx64.efi'\--sb
This workflow enables high-integrity Secure Boot environments using
existing SeaBIOS infrastructure templates.
The FAI.me service
has become faster over the past two months.
First, the tool fai-mirror can now download all packages
in one go (with all their dependencies) instead of downloading one by
one. This helped a lot for the Linux Mint ISO because it uses a long
list of packages.
I've also added a local apt cache (using apt-cacher-ng),
so the network speed does not matter any more in most cases.
This led to the following improvements:
Linux Mint install ISOs went from around 6-7 min to now only 2min.
Ubuntu install ISO went from average 3min to around 90 seconds.
The average time for a Debian Linux install ISO dropped from 2min
to 40 seconds.
So far we only had once a problem with apt-cacher-ng, because the
underlying partition was full.
Building cloud and live images do not gain that much from the local
package cache, because most time is spend in extracting and installing
the packages.
At May First we have been carefully planning our
migration of about 1200 lists from mailman2 to mailman3 for almost six months
now. We did a lot of user communications, had several months of beta testing
with a handful of lists ported over, and everything was looking good. So we
kicked off the migration!
But, about 15% of the way through I started seeing sqlite lock errors. Wait,
what? I carefully re-configured mailman3 to use postgres, not sqlite. Well,
yes, but apparently that was for the database managing the email list
configuration, not the database powering the django web app, which,
incidentally, also includes hundresds of gigabytes of archives. In other words,
the one we really need in postgres, not sqlite.
Moving from sqlite to postgres
Well that sucks. We immediately stopped the migration to deal with this.
I noticed that the web is full of useful django instructions on how to migrate
your database from one database to antoher. However, if you read the fine
print, those convenient looking “dumpdataloaddata” workflows are designed
to move the table definitions and a small amount of data. In our case, even
after just 15% of our lists moved, our sqlite database was about 30GB.
I considered some of the hacks to manage memory and try to run this via django,
but eventually decided that pgloader was a more robust
option. This option also allowed me to more easily test things out on a copy of
our sqlite database (made while mailman was turned off). This way I could
migrate and re-migrate the sqlite database over and over without impacting our
live installation until I was satisfied it was all working.
My first decision was to opt out of pgloader’s schema creation. I used django’s
schema creation tool by:
Turning off mailman3 and mailman3-web and changing the mailman web
configuration to use the new postgresql database.
Running mailman-web migrate
Changing the mailman web configuration back to sqlite and starting
everything again.
Note: I tried just adding new database settings in the mailman web
configuration indexed to ’new’ - django has the ability to define different
databases by name, then you can run mailman-web migrate --database new. But,
during the migration, I caught django querying the sqlite database for some
migrations that required referencing existing fields (specifically hyperkitty’s
0003_thread_starting_email). I didn’t want any of these steps to touch the
live database so I opted for the cleaner approach.
Once I had a clean postgres schema, I dumped it so I could easily return to
this spot.
Next I started working on our pgloader load file. After a lot of trial and
error, I ended with:
The batch, prefetch, workers and concurreny settings are all there to ensure
memory doesn’t blow up.
I also discovered that I had to make some changes to the schema before loading
data. Mostly truncating tables that the django migrate command populated to
avoid duplicate key errors:
And also, I had to change a column type. Apparently the mailman import process
allowed an attachment file name that exceeds the limit for postgres, but was
allowed into sqlite:
ALTER TABLE hyperkitty_attachment ALTER COLUMN name TYPE text
When pgloader runs, we still get a lot of warnings from pgloader, which wants
to cast columns differently than django does. These are harmless (I was able to
import the data without a problem).
And there are still a lot of warnings along the lines of:
2026-03-30T14:08:01.691990Z WARNING PostgreSQL warning: constraint “hyperkitty_vote_email_id_73a50f4d_fk_hyperkitty_email_id” of relation “hyperkitty_vote” does not exist, skipping
These are harmless as well. They appear because disable triggers disables
foreign key constraints. Without it, we wouldn’t be able to load tables that
require values in tables that have not yet been populated.
After all the tweaking, the import of our 30GB sqlite database took about 40
minutes.
Final Steps
I think the reset sequences from pgloader should take care of this, but just in case:
And, just to ensure postgres is optimized, run this in the psql shell:
ANALYZE VERBOSE;
Last thoughts
I understand very well all the decisions the mailman3 devs made in designing
the next version of mailman, and if I was in the same place I may have made
them the same ones. For example, separating the code running the mailing list
from the code managing the archives and the web interface makes perfectly good
sense - many people might want to run just the mailing list part without a web
interface. And building the web interface in django makes a lot of sense as
well - why re-invent the wheel? I’m sure a lot of time and effort was saved by
simply using the built in features you get for free with django.
But the unfortunate consequence of these decisions is that sys admins have a
much harder time. Almost everyone wants the email lists along with the web
interface and the archives. But nobody wants two different configuration files
with different syntaxes and logic, not to mention two different command lines
to use for maintenance and configuration with completely different APIs. Trying
to understand how to change a default template or set list defaults requires a
lot of research and usually you have to write a python script to do it.
I have finally come to the conclusion that mailman2 is designed for sys admins,
while mailman3 is designed for developers.
Despite these short comings, I am impressed with the community and their quick
and friendly responses to the questions of a confused sys admin. That might be
more valuable than anything else.
I finally upgraded my mail server to Debian 13 and, as expected, the Dovecot part was quite a ride.
The configuration syntax changed between Dovecot 2.3 (Debian 12) and Dovecot 2.4 (Debian 13),
so I started first with diffing my configuration against a vanilla Debian 12 one (this setup is slightly old) and then applied the same (logical) changes to a vanilla Debian 13 one.
This mostly went well.
Mostly because my user database is stored in SQL and while the Dovecot Configuration Upgrader says it can convert old dovecot-auth-sql.conf.ext files to the new syntax,
it only does so for the structure, not the SQL queries themselves.
While I don't expect it to be able to parse the queries and adopt them correctly,
at least a hint that the field names in userdb changed and might require adjustment would've been cool.
Once I got that all sorted, Dovecot would still refuse to let me in:
Error: sql: Invalid password in passdb: Weak password scheme 'MD5-CRYPT' used and refused
Yeah, right.
Did I mention that this setup is old?
The quick cure against this is a auth_allow_weak_schemes = yes in /etc/dovecot/conf.d/10-auth.conf,
but long term I really should upgrade the password hashes in the database to something more modern.
And this is what this post is about.
My database only contains hashed (and salted) passwords,
so I can't just update them without changing the password.
And while there are only 9 users in total,
I wanted to play nice and professional.
(LOL)
There is a Converting Password Schemes howto in the Dovecot documentation,
but it uses a rather odd looking PHP script, wrapped in a shell script which leaks the plaintext password to the process list,
and I really didn't want to remember how to write PHP to complete this task.
As we're using plaintext authentication (auth_mechanisms = plain login),
the plaintext password is available during login.
After Dovecot's imap-login has verified the password against the old (insecure) hash in the database,
we can execute a post-login script,
which will connect to the database and update it with a new hash of the plaintext password.
To make the plaintext password available to the post-login script,
we add '%{password}' as userdb_plain_pass to the SELECT statement of our passdb query.
The original howto also says to add a prefetchuserdb, which we do.
The sqluserdb remains, as otherwise Postfix can't use Dovecot to deliver mail.
Now comes the interesting part.
We need to write a script that is executed by Dovecot's script-login and that will update the database for us.
Thanks to Python's passlib and mysqlclient,
the database and hashing parts are relatively straight forward:
#!/usr/bin/env python3importosimportMySQLdbimportpasslib.hashDB_SETTINGS={"host":"127.0.0.1","user":"user","password":"password","database":"mail"}SELECT_QUERY="SELECT password_enc FROM mail_users WHERE username=%(username)s"UPDATE_QUERY="UPDATE mail_users SET password_enc=%(pwhash)s WHERE username=%(username)s"SCHEME="bcrypt"EXPECTED_PREFIX="$2b$"defmain():# https://doc.dovecot.org/2.4.3/core/config/post_login_scripting.html# https://doc.dovecot.org/2.4.3/howto/convert_password_schemes.htmluser=os.environ.get("USER")plain_pass=os.environ.get("PLAIN_PASS")ifplain_passisnotNone:db=MySQLdb.connect(**DB_SETTINGS)cursor=db.cursor()cursor.execute(SELECT_QUERY,{"username":user})result=cursor.fetchone()current_pwhash=result[0]ifnotcurrent_pwhash.startswith(EXPECTED_PREFIX):hash_module=getattr(passlib.hash,SCHEME)pwhash=hash_module.hash(plain_pass)data={"pwhash":pwhash,"username":user}cursor.execute(UPDATE_QUERY,data)cursor.close()db.close()if__name__=="__main__":main()
But if we add that as executable = script-login /etc/dovecot/dpsu.py to our imap-postloginservice,
as the howto suggests, the users won't be able to login anymore:
Error: Post-login script denied access to user
WAT?
Remember that shell script I wanted to avoid?
It ends with exec "$@".
Turns out the script-login "API" is rather interesting.
It's not "pass in a list of scripts to call and I'll call all of them".
It's "pass a list of scripts, I'll execv the first item and pass the rest as args, and every item is expected to execv the next one again". 🤯
With that (cursed) knowledge, the script becomes:
#!/usr/bin/env python3importosimportsysimportMySQLdbimportpasslib.hashDB_SETTINGS={"host":"127.0.0.1","user":"user","password":"password","database":"mail"}SELECT_QUERY="SELECT password_enc FROM mail_users WHERE username=%(username)s"UPDATE_QUERY="UPDATE mail_users SET password_enc=%(pwhash)s WHERE username=%(username)s"SCHEME="bcrypt"EXPECTED_PREFIX="$2b$"defmain():# https://doc.dovecot.org/2.4.3/core/config/post_login_scripting.html# https://doc.dovecot.org/2.4.3/howto/convert_password_schemes.htmluser=os.environ.get("USER")plain_pass=os.environ.get("PLAIN_PASS")ifplain_passisnotNone:db=MySQLdb.connect(**DB_SETTINGS)cursor=db.cursor()cursor.execute(SELECT_QUERY,{"username":user})result=cursor.fetchone()current_pwhash=result[0]ifnotcurrent_pwhash.startswith(EXPECTED_PREFIX):hash_module=getattr(passlib.hash,SCHEME)pwhash=hash_module.hash(plain_pass)data={"pwhash":pwhash,"username":user}cursor.execute(UPDATE_QUERY,data)cursor.close()db.close()os.execv(sys.argv[1],sys.argv[1:])if__name__=="__main__":main()
And the passwords are getting gradually updated as the users log in.
Once all are updated, we can remove the post-login script and drop the auth_allow_weak_schemes = yes.
I was reading a post on Alex Chan's
website1 that referenced the concept of
digital gardens,
a concept/analogy for organising information which dates back to the 90s.
This old concept is getting new traction today by contrasting the approach
with "endless stream" as used and abused by social media, but also how blogs
are typically presented.
This site, my homepage, has a blog, and that's the bit that most people who
interact with the site will experience. Partly, because it's the bit that gets
syndicated out: via feeds; on Planet
Debian and downstream from it; once upon a time on
Twitter; nowadays on the Fediverse.
However there's more to my homepage than that. The rest of it may be of little
interest to anyone beside me, but it's useful to me, at least. So I may switch
focus a little bit from mainly writing blog posts, and tend to the rest of the
garden a bit more.
Some recent seeding and pruning:
Recently my guest status at Newcastle University came up for renewal, so I
wrote down my goals in the Historic Computing Committee for the next year or
so, and put them here: nuhcc. I've also been pondering what I'm up to in
Debian at the moment, so took some time to add my current projects to
that page.
I'm reminded that I should really publish a "blog roll" of cool
blogs I'm following at the moment, of which Alex Chan's is one.↩
A few months ago, in June 2025, I joined Chainguard, a company focused on software supply chain security.
This post is a reflection on how I got here, what I’ve been doing, and why this role feels like a natural
fit for my interests in Linux and open source technology.
The company and its mission
Chainguard’s mission is to make the software supply chain secure by default. The company is built around
the idea that the software we all depend on — from operating system packages to container base images — carries
hidden risk in the form of vulnerabilities, unverified provenance, and untrusted build processes.
The company is perhaps best known for Chainguard Images: a catalog of minimal, hardened container
base images that are continuously rebuilt and kept free of known CVEs. Each image is accompanied by a signed
SBOM (Software Bill of Materials) and a verifiable provenance attestation, making it possible
to cryptographically verify what went into a given image and how it was built.
Chainguard has an extensive catalog of software, and maintaining it up-to-date and CVE-free is a significant
engineering challenge.
What I do
I joined the Chainguard Sustaining Engineering team as a Senior Software Engineer. We are responsible
for maintaining packages and images in the software catalog up-to-date and CVE-free. The core of the business, basically.
We focus on the horizontal dimension of the catalog (pretty much all packages and images).
With +30,000 packages and +2,000 images, this is indeed an interesting task.
My role as Debian Developer, and my experiencie in the Debian LTS project was extremely valuable when joning this
new team.
Looking ahead
Software supply chain is truly a deep topic, gaining more and more relevance every day, especially as new technologies emerge
and get adopted everywhere.
Since early in my career, I saw a recurrent problem of how companies, enterprises, or even governments, relate to and consume
open source software, in a reliable, secure way. I believe Chainguard is doing the right things in the ecosystem,
and I’m happy to be participating in the effort.
AI sure is a hot topic right now, and I see a lot of people arguing about it. To a lot of people around here, I’m the “computer person” they know and I get asked a lot about AI.
I’m going to suggest a lot of things can be true at once. For instance:
LLMs are changing how we work and will continue to do so.
LLMs are vastly over-hyped by vested interests, and may be in a bubble.
Or how about:
Huge investment in GenAI is having many negative consequences, ranging from environmental to causing affordability problems in many industries that use hardware (ie, everywhere)
Useful results can be had from models that run on local hardware, even battery-powered hardware, which may have negligible harm or even some benefit
And:
GenAI is further concentrating wealth and power in megacorps, with the effect of squeezing out the smaller players even more.
GenAI is lowering the cost of entry for people without a lot of resources already.
I have sympathy for the naysayers; those that say it’s nothing but a stochastic parrot. But I don’t have a lot of sympathy for the naysayers that deny ever using it; you can’t form a credible argument against something without having an understanding of it informed by experience.
I also have sympathy for the cheerleaders. I have seen some impressive things from AI; for instance, a story from an engineer who has a child with a rare disease without a credible cure. The engineer did a lot of research on it, started feeding research papers into AI to analyze, and the AI started finding correlations between different areas of research that humans hadn’t yet found — leading to a positive result for the child.
To be fair, I have rarely seen an AI deliver a 100% correct answer on anything with any real level of complexity. I have seen it both waste more time than it saves, and save a ton of time.
My point here is: It is neither always fantastic nor always terrible.
Let me talk you through an example.
I am a fan of inbox zero for email. That is, the inbox should be empty. Unfortunately, mine has 8000 messages in it. According to the oldest messages in my inbox, I last had inbox zero 8 years ago. But really, only a handful are older than 2020. I guess something must have happened that year…
I’ve been chipping away at this for quite some time now. The problem is, there are certain emails in there that really do still need some action – maybe it’s photos to save off into our photo collection, for instance. But when looking at things sorted by date or thread, there are old shipping confirmations next to phishing attempts and family photos. One can’t just scan down the list.
I’ve tried all the usual tricks, most of which involve selecting groups of message that are easy to bulk erase, or at least easy to scan visually for the occasional thing worth saving. Sort by sender or subject line, for instance. Then I can, for instance, delete all the old messages from the shopping sites I commonly use all at once. But then they start using different senders and different subject lines and that doesn’t get all of them. I’ve tried keyword searches for this sort of thing too. Still, that got me down to about 8000 messages.
So I thought: why not see if an LLM could help me classify these? Maybe it could categorize them, and then I could look at emails grouped by category.
I have one machine with a discrete GPU, an Nvidia RTX 4070. It’s a desktop machine I don’t use all that often. But I set up Ollama on it, running in a Docker container. Ollama runs models locally.
I should also mention at this point that we are solar-powered, and this time of year is a time of peak production of excess solar, because it is sunny and not much heat or AC is required. So that machine is solar-powered and isn’t causing environmental harm. In any case, charging the EV uses much more power than that GPU.
I figured I would do this in two passes. First, ask the LLM to classify each message (or a sampling of them would probably work too), letting it pick its own categories for each. Then, look at the patterns that emerge and give it a single, much smaller, set of broad categories to use and rerun it over that.
Then I can easily select messages from my Maildirs by category and process them in bulk.
I used open-interpreter pointing to that GPU on my network to help me write the scripts for this. It didn’t get things right on its own; for instance, it didn’t call the Ollama API correctly, and insisted on appending “/cur” to the path to the Maildir (which was not going to fly with Python’s maildir module). It took roughly an hour to classify those 8000 messages (or, as I had it do, the first 2000 characters of them), and then the same to do it a second time. I had it output lines in the form of “filename\tcategory” and hand-wrote the shell script that processed those.
In the end, was it useful? Yes, quite. Its classifications weren’t perfect (and it didn’t even follow my prompt perfectly; sometimes it would give me a long discussion on why it picked a certain category rather than just that category, and occasionally it picked categories not on the list). But then, neither were my manual keyword searches. So far I’ve gotten rid of nearly 1000 more messages. Several categories were a “visual scan for sanity and then delete all” sort of thing.
My emails never left my network. I didn’t rely on a cloud AI to process them. I didn’t contribute to global warming (this may have even been a case of saving energy, since it no doubt will offset quite a bit of manual time that would keep screens and room lights energized and so forth). I used about as much energy as watching a movie on a TV.
Did it complete the task for me entirely autonomously? Also no. AI isn’t a mind reader and it can’t possibly evaluate exactly what my thought process would be for a given task. But it can do a decent enough job to save me some time.
Still, this didn’t require hyperscaler datacenters. AI even runs on-phone (Google Translate being one of the most useful AI-driven apps I’ve ever seen, and it can run on-device).
This needs to be clear: systemd is under attack by a trolling campaign orchestrated by fascist elements. Nobody is forced to like or use systemd, but anybody who wants to pick a side should know the facts.
Recently, the free software Nazi bar crowd styling themselves as "concerned citizens" has tried to start a moral panic by saying that systemd is implementing age verification checks or that somehow it will require providing personally identifiable information.
This is a lie: the facts are simply that the systemd users database has gained an optional "date of birth" field, which the desktop environments may use or not as they deem appropriate. Of course there is no "identity verification" or requirements to provide any data, which in any case would not be shared beyond authorized local applications.
While the multiple recent bills proposing that general purpose operating systems implement age verification mechanisms are often concerning, both from a social and technical point of view, this is not the topic being discussed here. They are often suboptimal, but for a long time I have been opposing attempts to implement parental control at the network level and argued that it should be managed locally, by parents on their own machines: I cannot see why I should outright reject an attempt to implement the infrastructure to do that.
If we want to keep age-appropriate controls out of the hands of centralized authorities, the alternative is giving families the means to manage it themselves: this is what this field enables. Whether desktop environments use it for parental controls, for birthday reminders, or for nothing at all, is their users' decision.
By the way, the original UNIX users database has allowed storing PII in the GECOS field since it was invented in the '70s. Similar fields are also specified by many popular LDAP schemes: adding such an optional field is consistent with the UNIX tradition.
And while we are at it, let's also refute the other smear campaign started by the same people: the systemd project is not accepting "AI slop". What happened is that a documentation file for the benefit of coding agents was added to the repository. To be clear: agents still cannot submit merge requests. The file itself remarks that all contributions must be reviewed in detail by humans, and this is basically the same policy used by the Linux kernel.
Note: I have not published blog posts about my academic papers over the past few years. To ensure that my blog contains a more comprehensive record of my published papers and to surface them for folks who missed them, I will periodically (re) publish blog posts about some “older” published projects. This post draws material from a previously published post by Kaylea Champion on the Community Data Science Blog.
Taboo subjects—such as sexuality and mental health—are as important to discuss as they are difficult to raise in conversation. Although many people turn to online resources for information on taboo subjects, censorship and low-quality information are common in search results. In two papers I recently published at CSCW—both led by Kaylea Champion—we presented a series of analyses showing how taboo shapes the process of collaborative knowledge building on English Wikipedia.
The first study is a quantitative analysis showing that articles on taboo subjects are much more popular and are the subject of more vandalism than articles on non-taboo topics. In surprising news, we also found that they were edited more often and were of higher quality!
Short video of Kaylea’s presentation of the work given at Wikimania in August 2023.
The first challenge we faced in conducting this work was identifying taboo articles. Kaylea had a brilliant idea for a new computational approach to doing so without relying on our individual intuitions about what qualifies as taboo (something we understood would be highly specific to our own culture, class, etc). Her approach was to make use of an insight from linguistics: people develop euphemisms as ways to talk about taboos (i.e., think about all the euphemisms we’ve devised for death, or sex, or menstruation, or mental health).
We used this insight to build a new machine-learning classifier based on English Wiktionary definitions. If a ‘sense’ of a word was tagged as euphemistic, we treated the words in the definition as indicators of taboo. The end result was a series of words and phrases that most powerfully differentiate taboo from non-taboo. We then did a simple match between those words and phrases and the titles of Wikipedia articles. The topics were taboo enough that we were a little uncomfortable discussing them in our meetings! We built a comparison sample of articles whose titles are words that, like our taboo articles, appear in Wiktionary definitions.
In the first paper, we used this new dataset to test a series of hypotheses about how taboo shapes collaborative production in Wikipedia. Our initial hypotheses were based on the idea that taboo information is often in high demand but that Wikipedians might be reluctant to associate their names (or usernames) with taboo topics. The result, we argued, would be articles that were in high demand but of low quality.
We found that taboo articles are thriving on Wikipedia! In summary, we found that in comparison to non-taboo articles:
Taboo articles are more popular (as expected).
Taboo articles receive more contributions (contrary to expectations).
Taboo articles receive more low-quality contributions (as expected).
Taboo articles are higher quality (contrary to expectations).
Taboo article contributors are more likely to contribute without an account (as expected), and have less experience (as expected), but that accountholders are more likely to make themselves more identifiable by having a user page, disclosing their gender, and making themselves emailable (all three of these are contrary to expectation!).
Image of the estimated qualiy of articles of the four articles in the second mixed-methods paper. Extreme dips reflect periods of frequent vandalism.
Kaylea attempted to understand these somewhat confusing results by designing a fantastic mixed-methods analysis that sought to unpack some of the nuance missing in the quantitative analysis by delving deep into the “life histories” of four articles on English Wikipedia: two on taboo topics related to women’s anatomy (Clitoris and Menstration) and two nontaboo articles chosen for comparison (Cell membrance and Philip Pullman).
Although the findings from the analysis can be difficult to summarize succinctly (as with many qualitative studies), we showed how the taboo example articles’ success was hard-won amid real challenges and attacks. The paper describes how challenges were overcome through resilient leadership, often provided by a single dedicated individual. The paper provides a template for how taboo can be—and frequently is—overcome by dedicated Wikipedians in ways that provide useful knowledge resources in real demand.
For more details, visualizations, statistics, and more, we hope you’ll take a look at our papers, both linked below.
The full citation for the papers are: (1) Champion, Kaylea, and Benjamin Mako Hill. 2023. “Taboo and Collaborative Knowledge Production: Evidence from Wikipedia.” Proceedings of the ACM on Human-Computer Interaction 7 (CSCW2): 299:1-299:25. https://doi.org/10.1145/3610090. (2) Champion, Kaylea, and Benjamin Mako Hill. 2024. “Life Histories of Taboo Knowledge Artifacts.” Proceedings of the ACM: Human-Computer Interaction 8 (CSCW2): 505:1-505:32. https://doi.org/10.1145/3687044.
I often need a quick calculation or a unit conversion. Rather than reaching for
a separate tool, a few lines of Zsh configuration turn = into a calculator.
Typing = 660km / (2/3)c * 2 -> ms gives me 6.60457 ms1 without
leaving my terminal, thanks to the Zsh line editor.
The main idea looks simple: define = as an alias to a calculator command. I
prefer Numbat, a scientific calculator that supports unit conversions.
Qalculate is a close second.2 If neither is available, we fall back to
Zsh’s built-in zcalc module.
As the alias built-in uses = as a separator for name and value, we need to
alter the aliases associative array:
With this in place, = 847/11 becomes numbat -e 847/11.
The quoting problem
The first problem surfaces quickly. Typing = 5 * 3 fails: Zsh expands the *
character as a glob pattern before passing it to the calculator. The same issue
applies to other characters that Zsh treats specially, such as > or |. You
must quote the expression:
$ ='5 * 3'15
We fix this by hooking into the Zsh line editor to quote the expression
before executing it.
Automatic quoting with ZLE
Zsh calls the line-finish widget before submitting a command. We hook a
function that detects the = prefix and quotes the expression:
_vbe_calc_quote(){case$BUFFERin"="*)typeset-g_vbe_calc_expr=$BUFFER# not used yetBUFFER="= ${(q-)${${BUFFER#=}# }}";;esac}
add-zle-hook-widgetline-finish_vbe_calc_quote
When you type = 5 * 3 and press ↲, _vbe_calc_quote strips the =
prefix, quotes the remainder with the (q-) parameter expansion flag,
and rewrites the buffer to = '5 * 3' before Zsh submits the command. As a
bonus, you can save a few keystrokes with =5*3! 🚀
You can now compute math expressions and convert units directly from your shell.
Zsh automatically quotes your expressions:
The metric system is the tool of the devil! My car gets forty rods to the hogshead, and that's the way I like it! ― Grampa Simpson, A Star Is Burns
Storing unquoted history
As is, Zsh records the quoted expression in history. You must unquote it
before submitting it again. Otherwise, the ZLE widget quotes it a second time.
Bart Schaefer provided a solution to store the
original version:
The zshaddhistory hook returns 1 if we are evaluating an expression, telling
Zsh not to record the command. The preexec hook then adds the original,
unquoted command with print -s.
The complete code is available in my zshrc. A common alternative is the
noglob precommand modifier. If you stick with to instead of ->
for unit conversion, it covers 90% of use cases. For a related Zsh line editor
trick, see how I use auto-expanding aliases to fix common typos.
This is the fastest a packet can travel back and forth between
Paris and Marseille over optical fiber. �
Qalculate is less understanding with units. For example, it parses
“Mbps� as megabarn per picosecond: ☢�
I saw Ladytron perform in Digital, Newcastle last night. The
last time I saw them was, I think, at the same venue, 18 years ago. Time flies!
Back in the day (perhaps their heyday, perhaps not!) Ladytron ploughed a
particular sonic furrow and did it very well. Going into the gig I had set my
expectations that, should they play just these hits, I'd have a good time.
The gig exceeded my expectations. The setlist very much did not lean into
their best-known period: the more recent few albums were very well represented
and to me this felt very confident. The lead singer, Helen Marnie, demonstrated
some excellent range, particularly on some of the new songs. Daniel Hunt did a
lot of backing vocals and they were really complementary to Helen's: underscoring
but not overpowering. I enjoyed nerding out watching Mira Ayoro's excellent
wrangling of her Korg MS-20. One highlight was an encore performance of
Light & Magic, which was arguably the "alternate version" as available on the
expanded versions of that album or the Remixed and Rare companion.
I thought I'd try to put together a 5-track playlist for a friend who attended
the gig but isn't super familiar with them. As usual this is hard. I'm going
to avoid the obvious hits, try to represent their whole career and try to
ensure the current trio each get a vocal turn in the selection.
They actually released their latest album, Paradises, yesterday as well. One
track from it is in the list below.
The
WWW::Mechanize::Chrome Saga: A Comprehensive Narrative of PR #104
This document synthesizes the extensive work performed from March
13th to March 20th, 2026, to harden, stabilize, and refactor the WWW::Mechanize::Chrome library and its test suite. This
effort involved deep dives into asynchronous programming,
platform-specific bug hunting, and strategic architectural
decisions.
Part I:
The Quest for Cross-Platform Stability (March 13 – 16)
The initial phase of work focused on achieving a “green” test suite
across a variety of Linux distributions and preparing for a new release.
This involved significant hardening of the library to account for
different browser versions, OS-level security restrictions, and
filesystem differences.
Key Milestones &
Engineering Decisions:
Fedora & RHEL-family Success: A major effort
was undertaken to achieve a 100% pass rate on modern Fedora 43 and
CentOS Stream 10. This required several key engineering decisions to
handle modern browser behavior:
Decision: Implement Asynchronous DOM Serialization
Fallback. Synchronous fallbacks in an async context are
dangerous. To prevent Resource was not cached errors during saveResources, we implemented a fully asynchronous fallback
in _saveResourceTree. By chaining _cached_document with DOM.getOuterHTML
messages, we can reconstruct document content without blocking the event
loop, even if Chromium has evicted the resource from its cache. This
also proved resilient against Fedora’s security policies, which often
block file:// access.
Decision: Truncate Filenames for Cross-Platform
Safety. To avoid File name too long errors,
especially on Windows where the MAX_PATH limit is 260
characters, filenameFromUrl was hardened. The filename
truncation was reduced to a more conservative 150
characters, leaving ample headroom for deeply nested CI
temporary directories. Logic was also added to preserve file extensions
during truncation and to sanitize backslashes from URI paths.
Decision: Expand Browser Discovery Paths. To
support RHEL-based systems out-of-the-box, the default_executable_names was expanded to include headless_shell and search paths were updated to include /usr/lib64/chromium-browser/.
Decision: Mitigate Race Conditions with Stabilization Waits
and Resilient Fetching. On fast systems, DOM.documentUpdated events could invalidate nodeIds immediately after navigation, causing XPath queries
to fail with “Could not find node with given id”. A small stabilization sleep(0.25s) was added after page loads to ensure the DOM
is settled. Furthermore, the asynchronous DOM fetching loop was hardened
to gracefully handle these errors by catching protocol errors and
returning an empty string for any node that was invalidated during
serialization, ensuring the overall process could complete.
Windows Hardening:
Decision: Adopt Platform-Aware Watchdogs. The test
suite’s reliance on ualarm was a blocker for Windows, where
it is not implemented. The t::helper::set_watchdog function
was refactored to use standard alarm() (seconds) on Windows
and ualarm (microseconds) on Unix-like systems, enabling
consistent test-level timeout enforcement.
Version 0.77 Release:
Decision: Adopt SOP for Version Synchronization.
The project maintains duplicate version strings across 24+ files. A
Standard Operating Procedure was adopted to use a batch-replacement tool
to update all sub-modules in lib/ and to always run make clean and perl Makefile.PL to ensure META.json and META.yml reflect the new
version. After achieving stability on Linux, the project version was
bumped to 0.77.
Infrastructure & Strategic Work:
The ad2 Windows Server 2025 instance was restored and
optimized, with Active Directory demoted and disk I/O performance
improved.
A strategic proposal for the Heterogeneous Directory
Replication Protocol (HDRP) was drafted and published.
Part II: The
Great Async Refactor (March 17 – 18)
Despite success on Linux, tests on the slow ad2 Windows
host were still plagued by intermittent, indefinite hangs. This
triggered a fundamental architectural shift to move the library’s core
from a mix of synchronous and asynchronous code to a fully non-blocking
internal API.
Key Milestones &
Engineering Decisions:
Decision: Expose a _future API.
Instead of hardcoding timeouts in the library, the core strategy was to
refactor all blocking methods (xpath, field, get, etc.) into thin wrappers around new non-blocking ..._future counterparts. This moved timeout management to
the test harness, allowing for flexible and explicit handling of
stalls.
# Example library implementationsub xpath($self, $query, %options) {return$self->xpath_future($query, %options)->get;}sub xpath_future($self, $query, %options) {# Async implementation using $self->target->send_message(...)}
Decision: Centralize Test Hardening in a Helper.
A dedicated test library, t/lib/t/helper.pm, was created to
contain all stabilization logic. “Safe” wrappers (safe_get, safe_xpath) were implemented there, using Future->wait_any to race asynchronous operations against
a timeout, preventing tests from hanging.
Decision: Refactor Node Attribute Cache.
Investigations into flaky checkbox tests (t/50-tick.t)
revealed that WWW::Mechanize::Chrome::Node was storing
attributes as a flat list ([key, val, key, val]), which was
inefficient for lookups and individual updates. The cache was refactored
to definitively use a HashRef, providing O(1) lookups
and enabling atomic dual-updates where both the browser property (via
JS) and the internal library attribute are synchronized
simultaneously.
Decision: Implement Self-Cancelling Socket
Watchdog. On Windows, traditional watchdog processes often
failed to detect parent termination, leading to 60-second hangs after
successful tests. We implemented a new socket-based watchdog in t::helper that listens on an ephemeral port; the background
process terminates immediately when the parent socket closes,
eliminating these cumulative delays.
Decision: Deep Recursive Refactoring & Form
Selection. To make the API truly non-blocking, the entire
internal call stack had to be refactored. For example, making get_set_value_future non-blocking required first making its
dependency, _field_by_name, asynchronous. This culminated
in refactoring the entire form selection API (form_name, form_id, etc.) to use the new asynchronous _future lookups, which was a key step in mitigating the
Windows deadlocks.
Evaluation Normalization: Implemented a _process_eval_result helper to centralize the parsing of
results from Runtime.evaluate. This ensures consistent
handling of return values and exceptions between synchronous
(eval_in_page) and asynchronous (eval_future)
calls.
Memory Cycle Mitigation: A significant memory
leak was discovered where closures attached to CDP event futures (like
for asynchronous body retrieval) would capture strong references to $self and the $response object, creating a
circular reference. The established rule is to now always use Scalar::Util::weaken on both $self and any
other relevant objects before they are used inside a ->then block that is stored on an object.
Context Propagation (wantarray): A
major regression was discovered where Perl’s wantarray
context, which distinguishes between scalar and list context, was lost
inside asynchronous Future->then blocks. This caused
methods like xpath to return incorrect results (e.g., a
count instead of a list of nodes). The solution was to adopt the “Async
Context Pattern”: capture wantarray in the synchronous
wrapper, pass it as an option to the _future method, and
then use that captured value inside the future’s final resolution
block.
Asynchronous Body Retrieval & Robust Content
Fallbacks: Fixed a bug where decoded_content()
would return empty strings by ensuring it awaited a __body_future. This was implemented by storing the
retrieval future directly on the response object
($response->{__body_future}). To make this more robust,
a tiered strategy was implemented: first try to get the content from the
network response, but if that fails (e.g., for about:blank
or due to cache eviction), fall back to a JavaScript XMLSerializer to get the live DOM content.
Signature Hardening: Fixed “Too few arguments”
errors when using modern Perl signatures with Future->then. Callbacks were updated to use optional
parameters (sub($result = undef) { ... }) to gracefully
handle futures that resolve with no value.
XHTML “Split-Brain” Bug: Resolved a
long-standing Chromium bug (40130141) where content provided via setDocumentContent is parsed differently than content
loaded from a URL. A workaround was implemented: for XHTML documents,
WMC now uses a JavaScript-based XPath evaluation
(document.evaluate) against the live DOM, bypassing the
broken CDP search mechanism.
Derived Architectural Rules
& SOPs:
Rule: Always provide _future variants.
Every library method that interacts with the browser via CDP must have a
non-blocking asynchronous counterpart.
Rule: Centralize stabilization in the test layer.
All timeout and retry logic should reside in the test harness
(t/lib/t/helper.pm), not in the core library.
Rule: Explicitly propagate wantarray
context. Synchronous wrappers must capture the caller’s context
and pass it down the Future chain to ensure correct
scalar/list behavior.
Rule: The entire call chain must be asynchronous.
To enable non-blocking timeouts, even a single “hidden” blocking call in
an otherwise asynchronous method will cause a stall.
SOP: Reduce Library Noise. Diagnostic messages
(warn, note, diag) should be
removed from library code before commits. All such messages should be
converted to use the internal $self->log('debug', ...)
mechanism, ensuring a clean TAP output for CI systems.
Part III: The MutationObserver Saga (March 19)
With most of the library refactored to be asynchronous, one stubborn
test, t/65-is_visible.t, continued to fail with timeouts.
This led to an ambitious, but ultimately unsuccessful, attempt to
replace the wait_until_visible polling logic with a more
“modern” MutationObserver.
Key Milestones & Challenges:
The Theory: The goal was to replace an inefficient repeat { sleep } loop with an event-driven MutationObserver in JavaScript that would notify Perl
immediately when an element’s visibility changed.
Implementation & Cascade Failure: The
implementation proved incredibly difficult and introduced a series of
new, hard-to-diagnose bugs:
An incorrect function signature for callFunctionOn_future.
A critical unit mismatch, passing seconds from Perl to JavaScript’s setTimeout, which expected milliseconds.
A fundamental hang where the MutationObserver’s
JavaScript Promise would never resolve, even after the
underlying DOM element changed.
Debugging Maze: Multiple attempts to fix the checkVisibility JavaScript logic inside the observer
callback, including making it more robust by adding DOM tree traversal
and extensive console.log tracing, failed to resolve the
hang. This highlighted the opacity and difficulty of debugging complex,
cross-language asynchronous interactions, especially when dealing with
low-level browser APIs.
Procedural Learning:
Granular Edits
The effort was plagued by procedural missteps in using automated
file-editing tools. Initial attempts to replace large code blocks in a
single operation led to accidental code loss and match failures.
Decision: Adopt “Delete, then Add” Workflow.
Following forceful user correction, a new SOP was established for all
future modifications:
Isolate: Break the file into small, manageable
chunks (e.g., 250 lines).
Delete: Perform a “delete” operation by replacing
the old code block with an empty string.
Add: Perform an “add” operation by inserting the
new code into the empty space.
Verify: Verifying each atomic step before
proceeding. This granular process, while slower, ensured surgical
precision and regained technical control over the large Chrome.pm module.
The consistent failure of the MutationObserver approach
eventually led to the decision to abandon it in favor of stabilizing the
original, more transparent implementation.
Part IV:
Reversion and Final Stabilization (March 20)
After exhausting all reasonable attempts to fix the MutationObserver, a strategic decision was made to revert
to the simpler, more transparent polling implementation and fix it
correctly. This proved to be the correct path to a stable solution.
Key Milestones &
Engineering Decisions:
Decision: Perform Strategic Reversion. The MutationObserver implementation, when integrated via callFunctionOn_future with awaitPromise,
proved fundamentally unstable. Its JavaScript promise would consistently
fail to resolve, causing indefinite hangs. A decision was made to revert all MutationObserver code from WWW::Mechanize::Chrome.pm and restore the original repeat { sleep } polling mechanism. A stable,
understandable solution was prioritized over an elegant but broken
one.
Decision: Correct Timeout Delegation in the
Harness. The root cause of the original timeout failure was
identified as a race condition in the t/lib/t/helper.pm
test harness. The safe_wait_until_* wrappers were
implementing their own timeout (via wait_any and sleep_future) that raced against the underlying polling
function’s internal timeout. This led to intermittent failures on slow
machines. The helpers were refactored to delegate all timeout
management to the library’s polling functions, ensuring a
single, authoritative timer controlled the operation.
Decision: Optimize Polling Performance. At the
user’s request, the polling interval was reduced from 300ms to 150ms. This modest performance improvement reduced the
test suite’s wallclock execution time by over a second while maintaining
stability.
Decision: Tune Test Watchdogs. The global watchdog
timeout was adjusted to 12 seconds, specifically calculated as 1.5x the
observed real execution time of the optimized test. This provides a
data-driven safety margin for CI.
Part
V: The Last Bug – A Platform-Specific Memory Leak (March 20)
With all other tests passing, a single memory leak failure in t/78-memleak.t persisted, but only on the Windows ad2 environment. This required a different approach than
the timeout fixes.
Key Milestones:
The Bug: A strong reference cycle involving the on_dialog event listener was not being broken on Windows,
despite multiple attempts to fix it. Fixes that worked on Linux (such as
calling on_dialog(undef) in DESTROY) were not
sufficient on the Windows host.
The Diagnosis: The issue was determined to be a
deep, platform-specific interaction between Perl’s garbage collector,
the IO::Async event loop implementation on Windows, and the Test::Memory::Cycle module. The cycle report was identical
on both platforms, but the cleanup behavior was different.
Failed Attempts: A series of increasingly
aggressive fixes were attempted to break the cycle, including:
Moving the on_dialog(undef) call from close() to DESTROY().
Explicitly deleteing the listener and callback
properties from the object hash in DESTROY.
Swapping between $self->remove_listener and $self->target->unlisten in a mistaken attempt to find
the correct un-registration method.
Pragmatic Solution: After exhausting all reasonable
code-level fixes without a resolution on Windows, the user opted to mark
the failing test as a known issue for that specific platform.
Final Fix: The single failing test in t/78-memleak.t was wrapped in a conditional TODO block that only executes on Windows
(if ($^O =~ /MSWin32/i)), formally acknowledging the bug
without blocking the build. This allows the test suite to pass in CI
environments while flagging the issue for future, deeper
investigation.
Part VI: CI Hardening (March
20)
A final failure in the GitHub Actions CI environment revealed one
last configuration flaw.
Key Milestones:
The Bug: The CI was running prove --nocount --jobs 3 -I local/ -bl xt t directly. This
command was missing the crucial -It/lib include path, which
is necessary for test files to locate the t::helper module.
This resulted in nearly all tests failing with Can't locate t/helper.pm in @INC.
The Investigation: An analysis of Makefile.PL revealed a custom MY::test block
specifically designed to inject the -It/lib flag into the make test command. This confirmed that make test is the correct, canonical way to run the test
suite for this project.
The Fix: The .github/workflows/linux.yml file was modified to replace
the direct prove call with make test in the Run Tests step. This ensures the CI environment runs the
tests in the exact same way as a local developer, with all necessary
include paths correctly configured by the project’s build system.
Final Outcome
After this long and arduous journey, the WWW::Mechanize::Chrome test suite is now stable and passing on all targeted platforms, with known
platform-specific issues clearly documented in the code. The project is
in a vastly more robust and reliable state.
During the mentorship the mentees acted on several of the team's translation
efforts and joined presentations about the Debian Project and its
community given by the mentors. We thank the dedication and contributions of
Ana Parra, Bruno Freitas, Henrique Barbosa, Raul Banzatto and Vitoria Cordeiro.
And we also thank the members of the team who have reviewed the work of the
mentees, specially the ones who were designated as official mentors, namely
Allythy Rennan, Daniel Lenharo, Thiago Pezzo, and Victor Marinho.
Results:
Package descriptions, translations: 27
Package descriptions, revisions: 190
Web pages: 11
Revisions to the Debian Administrator's Handbook
Revisions to the Debian Edu documentation
We hope that this experience will inspire new paths and that you continue to
contribute to Free Software – especially to Debian.
As an opportunity to rewire my brain from "docker" to "podman" and "buildah"
I started to create an image build with an ECH enabled curl at
https://gitlab.com/hoexter/ech.
Not sure if it helps anyone, but setup should be like this:
Oh dear! I've been suffering print reliability issues on my Prusa
Mini+ for quite a while, roughly since they introduced Input Shaping
(although that might not be the culprit). Whilst trying different
things to resolve it, I managed to sheer off the brass nozzle within
the heatblock. I now have half the nozzle stuck in the ratchet spanner,
and half in the heatblock.
Back in FOSDEM I asked the Prusa folks what cool projects
I could do with the Mini+… they looked a little blank (I think the Mini+
is now a somewhat forgotten product) but they did say somebody had managed
to port over the "Nextruder" from the more recent Prusa XL/MK4. I could
take a look at that.
Another thing I've always wanted to explore (although I had intended it to
be temporary/reversible) was converting it into a plotter, for plotter
art.
Somehow this is my first 3d printing blog post in over a year. The
printables.com feed I linked to is still going,
I'm happy to report (as is the one I wrote but didn't publish, slightly
more surprisingly)
On our way to Austria last week, on March 6th, we left my daughter's laptop on a train: ICE 1201 (Hamburg-Harburg to Bludenz).
The laptop is a Lenovo X230 notebook. The most obvious distinguishing feature is a Mathilda Hands sticker in the middle of the lid:
I seem to remember that it also has some hexagonal stickers, one probably being one of these:
The keyboard layout is British (with a £ above the 3).
It was left in coach 24 of ICE 1201, next to seats 51-54, in the luggage gap between the seats, on the floor.
My hope is that whoever found it will end up searching for Mathilda Hands and see this. If that's how you got here, please email me:
phil-lostlaptop2026@hands.com - doing so will make Mathilda (and me) most cheerful.
On Friday May the 13th OpenSSL project has published advisory details for CVE-2026-2673. The CVE is treated as non-important by the project. The patches are only provided as commits on the stable branches. No git tag, no precise fixed version, and no source tarballs provided.
The patches that were merged to openssl-3.5 and openssl-3.6 branches were not based on top of the last stable point release and did not split code changes & documentation updates. It means that cherry-picking the commits referenced in the advisory will always lead to conflicts requiring manual resolution. It is not clear if support is provided for snapshot builds off the openssl-3.5 and openssl-3.6 branches. As the builds from the stable branches declare themselves as dev builds of the next unreleased point release. For example, in contrast to projects such as vim and glibc, with every commit to stable branches explicitly recommended for distributors to ship and is supported.
I have requested OpenSSL upstream in the past for the security fixes to branch off the last point release, commit code changes separate from the NEWS.md / CHANGES.md updates, and then merge that into the stable branches. This way the advisory that recommends cherry-picking individual commits, would actually apply conflict free - at no additional maintenance burden to the OpenSSL project and everyone who has to cherry-pick these updates. There is a wide support voiced for such strategy by the OpenSSL distributors and the OpenSSL Corporation. But this is not something that OpenSSL Project is yet choosing to provide.
To avoid duplication of work, I am starting to provide stable OpenSSL re-releases of the last upstream tagged stable point release with security only patches split into code-change only; documentation update; version update to create security only source tarball releases that are easy to build; easy to identify by the security scanners; and which cherry-pick changes without conflicts. The first two releases are published on GitHub as immutable releases with attestations:
If there are any other branches, CVEs, point releases that would be useful for similar style releases, do open discussion on the GitHub Project.
If you find these releases useful, do star the project and download these releases. If this project gets popular, I hope that OpenSSL upstream will reconsider their releases strategy for all security releases. If you have support contracts with OpenSSL - please request OpenSSL corporation to release tagged releases and versioned tarballs.
![[RSS 1.0 Feed]](common/rss10.png){kind=small}
![[RSS 2.0 Feed]](common/rss20.png){kind=small}
![[Atom Feed]](common/atom.png){kind=small}
![[FOAF Subscriptions]](common/foaf.png){kind=small}
![[OPML Subscriptions]](common/opml.png){kind=small}
![[Hacker]](common/hacker.png){kind=small}
![[Planet]](common/planet.png){kind=small}
