Review: The Keeper of Magical Things, by Julie Leong
Publisher: Ace
Copyright: 2025
ISBN: 0-593-81593-9
Format: Kindle
Pages: 353
The Keeper of Magical Things is a cozy fantasy novel. It is set in
the same universe as The Teller of Small
Fortunes, but it doesn't share any characters or plot, they're not
marketed as a series, and so far as I can remember neither book would
spoil the other. It is Julie Leong's second novel.
Certainty Bulrush is a novice mage with one reliable magical ability: She
can talk to objects and occasionally convince them to do small things.
This ability is clearly magical, which means Certainty is indeed a mage,
but this appears to be all that her magic can do. The Guild has
requirements for the level of magical ability required to become a full
mage that go beyond talking stained quilts into unstaining themselves,
which is why Certainty has been a novice for six years.
This by itself is a problem, since Certainty's cohort keeps passing her
by. Worse, though, is that she was counting on the wages of a full mage to
pay for her brother's training to become an apothecary. The thought of
failing him is extremely upsetting. Certainty therefore jumps at an
offered mission to take a cartload of excess magical objects that are
causing a dangerous build-up of energies in the Guildtower to safe storage
in the small and very unmagical village of Shpelling. Successful
completion of that mission will earn Certainty a promotion to Deputy
Keeper and therefore to a full mage.
This is the opportunity she didn't know to hope for. The only drawback is
that she will have to work with Mage Aurelia, the famously off-putting
farspeaker and magical scholar the other novices refer to as the ice
witch.
Aurelia is every bit as icy, formal, and condescending as Certainty was
afraid she would be, Shpelling grows nothing but garlic, and the
inhabitants are suspicious and hostile. The mission could be a disaster if
it weren't for Certainty's stubborn good nature.
It's arguably a spoiler to say that there's an enemies to lovers romance,
but it's hinted at on the cover, mentioned in the publisher's blurb and,
honestly, if you aren't expecting an enemies to lovers romance by a few
chapters in, you probably haven't read many books of this sort.
I found The Keeper of Magical Things quietly enjoyable but
extremely predictable. If you're in the mood for what it's offering, the
predictability may not be a problem, but it was the kind of book where the
direction the plot was headed was so obvious that I got a bit bored
waiting for it to arrive. Certainty has a good heart, humble origins,
limited but specialized magical ability, and a self-esteem problem, and if
you've read much fantasy, you've probably read two or three or a dozen
other books with variations of this protagonist. You know how they
generally turn out, and that is indeed what you're going to get after the
obligatory setbacks and tragedies and looming catastrophes.
Aurelia, similarly, is a variation on a character you've probably met
before. Certainty discovers, not long into the book, that the brilliant
over-achieving mage wears a necklace (supposedly to help her focus) that
constantly whispers to her how inadequate she is and how much harder she
needs to work. The necklace was given to her by her parents. This book is
not exactly subtle.
That said, there's nothing wrong with the characterization. Both Certainty
and Aurelia are interesting characters with rounded-out personalities,
although it takes a while before Certainty (or the reader) is allowed to
see Aurelia's. Their interactions with the inhabitants of Shpelling are
fun to watch in the same way that it can be fun to watch people play
PowerWash
Simulator. You're not in overwhelming suspense about what's going to
happen, but the details are amusing and it is satisfying to watch people
with good intentions slowly fix things. There is a plot, and a villain,
and a not-subtle message about how everyone deserves acknowledgment and
respect, and the hours I spent reading about these characters were
enjoyable.
The problem with this book isn't that there's anything wrong with it, but
that it may not give you more enjoyment than another book you could have
been reading. I quite liked The Teller of Small Fortunes in part
because it surprised me in a few places and the main character felt a bit
different than the typical fantasy protagonist. The Keeper of
Magical Things felt less original and a bit more obvious and predictable.
It was still quietly good-hearted and occasionally charming, and I think
I'll still remember Certainty in a few months, but I'm not feeling the
urge to push it into anyone's hands.
If you're in the mood for a gentle fantasy about finding solutions to
people's problems and waiting out the prickliness of people who
desperately need a friend, you may enjoy this a great deal. Just don't
expect unpredictable twists and turns or a surprising plot structure.
An apparent third book in this loose series, The Isle of Lonely
Monsters, is currently scheduled for publication in 2027.
To associate routing information—like AS paths or BGP communities—to flows,
Akvorado can import routes through the BGP Monitoring Protocol (BMP). As
the Internet routing table contains more than 1 million routes, Akvorado
needs to scale to tens of millions of routes. This has been a
long-standing challenge, but I expect this issue is now fixed by using
RIB sharding, a method that splits the routing database into several parts
to enable concurrent updates.
The prefix tree uses the bart package, an adaptation of Donald Knuth’s ART
algorithm. The benchmarks demonstrate it outperforms other packages for
lookups, insertions, and memory usage. Plus, the author is quite
helpful.
Storing routes in a map
The list of routes for each prefix is not stored directly in the prefix tree:
it would put too much pressure on the garbage collector by allocating per-prefix
arrays.
Instead, the RIB assigns a unique 32-bit prefix identifier for each prefix,
either by picking the last available prefix identifier from the freePrefixIDs
array if any, or using the nextPrefixID value before incrementing it. Then,
the routes are stored in the routes map, leveraging the optimized Swiss
table in Go. To retrieve routes attached to a prefix, we look them up
one by one in the routes map with a 64-bit key combining the 32-bit prefix
index with a 32-bit route index matching the position of the route in the list.
Akvorado scans routes from the first to the last to find the best one. It
knows there are no more routes when a route key returns no result.
To save memory and allocations, NLRI, next hops, and route attributes are
“interned”: a 32-bit integer replaces the real value. The mechanism predates the
unique package introduced in Go 1.23. We keep it because it has
different trade-offs:
It uses explicit reference counting instead of relying on weak pointers.
It works with non-comparable values implementing Hash() and Equal()
methods.
It uses explicit pool instances. This will be useful for sharding.
It has better performance. See for example this benchmark.
It consumes half the memory thanks to unsigned 32-bit references instead
of pointers.
The global read/write lock is a bottleneck in this implementation. But how?
There are several users of the RIB, each with its own set of constraints:
The Kafka workers look up the RIB to enrich flows with routing
information. They are bound by the number of Kafka partitions.
Akvorado also adjusts their number to ensure efficient batching to ClickHouse.
On our setup, the number of workers oscillates between 8 and 16. As we want
to observe the latest data, we cannot afford for the Kafka workers to lag too
much.
The monitored routers send route updates through the BMP protocol. When
connecting, they can send millions of routes. After the initial
synchronization, updates are sent continuously and may spike from time to
time. The router detects a stuck BMP station when its TCP window is full and
resets the session in this case. While Akvorado implements a large incoming
buffer, it still needs to update the received routes with the write lock held
fast enough to avoid being detected as stuck.
When a remote BGP peer goes down, Akvorado flushes the associated routes by
walking the RIB with the write lock held. When a monitored router goes
down, Akvorado waits a bit but eventually flushes all the associated routes.
In short: on a busy setup, lock contention is high for both readers and
writers, and neither can lag too much behind.
RIB sharding
First step: basic sharding
To remove the global lock, the RIB is split into several “shards,” each one
handling a subset of the prefixes:
Akvorado BMP RIB implementation with sharding.
The prefix tree stays global and is protected by a single lock. Each shard gets
its read/write lock, its route map, and its intern pools to store NLRIs, next
hops, and route attributes, which would not have been possible with Go’s
unique package. The prefix indexes are also sharded: the 8 most
significant bits are the shard index and the 24 remaining bits are the local
prefix index.
Later, I wrote a concurrent benchmark over half a million synthetic but
plausible routes partitioned over 0 to 8 writers, churning routes as
fast as possible, while 1 to 16 readers continuously look up a set of 10,000
routes. I don’t know if this benchmark is realistic, but it confirms the
improvements for both read and write latencies:
Read and write latency performance improvement after sharding.
It also shows that a high number of writers degrades read latency.
Second step: lock-free reads
The single read/write lock protecting the prefix tree is the next target. The
bart package provides alternative mutation methods returning an updated tree
using copy-on-write. Readers don’t need the global lock any more, leaving it
only to synchronize writers. The prefix tree is boxed in an atomic pointer.
Akvorado BMP RIB implementation with sharding and lock-free reads.
Without a lock, readers can now fetch a stale prefix index when walking their
copy of the tree if a concurrent writer removes the last route attached to this
prefix index and recycles it for another prefix. To avoid this issue, we combine
the prefix index with a generation number and store them in the tree:
Each shard stores the generation number for each local prefix index. The
generation number increases by one if the associated prefix index is freed. When
looking up the routes attached to a prefix index, the reader checks if the
generation number matches. Otherwise, it assumes the index was recycled and the
list of routes is empty. You can see this case in the diagram above for
prefix index 5, stored with a generation index of 3, while the current value in
the []generations array is 4. The generation number could overflow, but it is
not a problem as lookups are quick.
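The allocation, key packing and generation check described above, as an added Go example that is not Akvorado's code: it models a single shard without locks or the copy-on-write tree. The field names `freePrefixIDs`, `nextPrefixID`, `routes` and `generations` follow the post; the types, method names and string-valued routes are assumptions.

```go
package main

import "fmt"

// Illustrative model of one RIB shard (not Akvorado's implementation).
type shard struct {
	index         uint8             // shard index: top 8 bits of every prefix ID
	routes        map[uint64]string // key: prefix ID<<32 | route index
	generations   []uint32          // one counter per local prefix index
	freePrefixIDs []uint32          // recycled local prefix indexes
	nextPrefixID  uint32            // next never-used local prefix index
}

// prefixRef is what the prefix tree stores for a prefix (assumed layout).
type prefixRef struct {
	id  uint32 // 8-bit shard index + 24-bit local prefix index
	gen uint32 // generation of the local index when the ref was created
}

func newShard(index uint8) *shard {
	return &shard{index: index, routes: map[uint64]string{}}
}

// routeKey packs the 32-bit prefix ID and the 32-bit route index.
func routeKey(prefixID, routeIdx uint32) uint64 {
	return uint64(prefixID)<<32 | uint64(routeIdx)
}

func localIndex(prefixID uint32) uint32 { return prefixID & 0x00FFFFFF }

// alloc reuses the last freed local index if any, else takes nextPrefixID.
func (s *shard) alloc() prefixRef {
	var local uint32
	if n := len(s.freePrefixIDs); n > 0 {
		local = s.freePrefixIDs[n-1]
		s.freePrefixIDs = s.freePrefixIDs[:n-1]
	} else {
		local = s.nextPrefixID
		s.nextPrefixID++
		s.generations = append(s.generations, 0)
	}
	return prefixRef{id: uint32(s.index)<<24 | local, gen: s.generations[local]}
}

// lookup scans route indexes 0, 1, 2, ... until a key is missing. A ref whose
// generation no longer matches points at a recycled index: report no routes.
func (s *shard) lookup(ref prefixRef) []string {
	local := localIndex(ref.id)
	if int(local) >= len(s.generations) || s.generations[local] != ref.gen {
		return nil
	}
	var out []string
	for i := uint32(0); ; i++ {
		r, ok := s.routes[routeKey(ref.id, i)]
		if !ok {
			return out
		}
		out = append(out, r)
	}
}

// addRoute stores the route at the first unused route index of the prefix.
func (s *shard) addRoute(ref prefixRef, route string) {
	n := uint32(len(s.lookup(ref)))
	s.routes[routeKey(ref.id, n)] = route
}

// release drops all routes of a prefix, bumps the generation and frees the index.
func (s *shard) release(ref prefixRef) {
	for i := uint32(0); ; i++ {
		k := routeKey(ref.id, i)
		if _, ok := s.routes[k]; !ok {
			break
		}
		delete(s.routes, k)
	}
	local := localIndex(ref.id)
	s.generations[local]++
	s.freePrefixIDs = append(s.freePrefixIDs, local)
}

// staleReadDemo replays the sequence from the text: a reader holds a ref from
// an old tree copy while a writer frees and recycles the same prefix index.
func staleReadDemo() (old, recycled prefixRef, stale, fresh []string) {
	s := newShard(3)
	old = s.alloc()                             // ref the reader found in its tree copy
	s.addRoute(old, "192.0.2.0/24 via AS64500") // constructed sample routes
	s.addRoute(old, "192.0.2.0/24 via AS64501")
	s.release(old)       // writer removes the last routes of the prefix
	recycled = s.alloc() // and recycles the index for another prefix
	s.addRoute(recycled, "198.51.100.0/24 via AS64502")
	return old, recycled, s.lookup(old), s.lookup(recycled)
}

func main() {
	old, recycled, stale, fresh := staleReadDemo()
	fmt.Printf("old ref   id=%#08x gen=%d routes=%v\n", old.id, old.gen, stale)
	fmt.Printf("new ref   id=%#08x gen=%d routes=%v\n", recycled.id, recycled.gen, fresh)
}
```

Without the generation check, the stale lookup would return the routes of the unrelated prefix that now owns the index.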
Running the concurrent benchmark against this new implementation shows the
improvements for the read latency as soon as the cost of the copy-on-write
prefix tree is amortized.
Read and write latency performance improvement after lock-free reads. The middle column shows the cumulative improvements of both steps.
Among the multiple attempts to optimize the BMP component, RIB sharding is one
of the more satisfying. Akvorado 2.2 implements the first step.
PR #2433, drafted while writing this blog post, implements the second step
and will be released with Akvorado 2.4. 🪓
If we consider the BGP RIB as a database, the Network Layer
Reachability Information (NLRI) is the primary key. Its content depends on
the BGP family. With IPv4 or IPv6 unicast, this is the prefix. For VPNv4 and
VPNv6 families, it includes the route distinguisher. If you enable the
ADD-PATH extension, the NLRI also contains a path identifier.
SE Linux in a “strict” configuration stops this exploit.
The test VM is running Debian/Testing, I haven’t bothered investigating whether it’s a default setting for Debian to not load the rds module or whether it was some change that I made either directly or indirectly. Security via SE Linux is of more interest to me than security via controlling module load.
I have been battling Large Language Models (LLM[1]) for the past
couple of weeks and have struggled to think about what it means and
how to deal with its fallout.
Let's start with War. We've been battling bot armies for control of
our GitLab server for a while. Bots crawl virtually infinite
endpoints on our Git repositories (as opposed to downloading an
archive or shallow clone), including our fork of Firefox, Tor Browser,
a massive repository.
At first, we've tried various methods: robots.txt, blocking user
agents, and finally blocking entire networks. I wrote
asncounter. It worked for a while.
But now, blocking entire networks doesn't work: they come back some
other way, typically through shady proxy networks, which is kind
of ironic considering we're essentially running the largest proxy
network of the world.
But even that, predictably, has failed. I suspect what we consider
bots are now really agents. They run full web browsers, JavaScript
included, so a feeble cookie is no match for the massive bot armies.
Side note on LLM "order of battle"
We often underestimate the size of that army. The cloud was huge even
before LLMs, serving about two thirds of the web. Even larger swaths of
clients like government and corporate databases have all moved to the
cloud, in shared, but private infrastructure with massive spare
capacity that is readily available to anyone who pays.
LLMs have made the problem worse by dramatically expanding the
capacity of the "cloud". We now have data centers that defy
imagination with millions of cores, petabytes of memory, exabytes
of storage.
Those companies can launch thousands, if not millions of fully
functional web browsers at our servers. Computing power or bandwidth
are not a limitation for them, our primitive infrastructure is. No one
but hyperscalers can deal with this kind of load, and I suspect that
they are also struggling, as even Google is deploying extreme
mechanisms in reCAPTCHA.
This is the largest attack on the internet since the Morris
worm but while Robert Tappan Morris went to jail on a felony,
LLM companies are celebrated as innovators and will soon be too big to
fail.[2]
Which brings us to the second horseman, famine.
Famine: shortages
All that computing power doesn't come out of thin air: it needs
massive amounts of hardware, power, and cooling.
Earlier this year, I've heard from a colleague that their Dell
supplier refused to even provide a quote before August. Dell!
But regular folks are facing real-life shortages as well, as
city-size data centers are being built at neck-breaking speed,
stealing fresh water and energy from human beings to feed the war
machine.
We've been scared of losing our jobs, but it seems that Apocalypse has
yet to fully materialize. Regardless, for engineers, the market feels
tighter than it was a couple years ago, and everyone feels on edge
that they will just have to learn to operate LLMs to keep their jobs.
In the past two weeks, this culminated in a significant number of
critical security issues across multiple projects. Chained
together, remote code execution vulnerabilities in Nginx and
Apache and two local privilege escalations in the Linux kernel
(dirtyfrag and fragnesia) essentially gave anyone root access to any unpatched server to the web.
As I write this, another vulnerability dropped, which gives read
access to any file to a local user, compromising TLS and SSH private
keys.
All those vulnerabilities were released without any significant
coordination while people scrambled to mitigate.
With many people now vibe coding their way out of learning or
remembering how computers work, is this the Death of Copyright?
And that, of course, brings us to the final horseman: Pestilence.
Pestilence: slop
There is a growing meme that programming is essentially over as we
know it. That you can simply vibe-code applications from scratch and
it's pretty good.
Maybe that's true.
So far, most of my attempts at resolving any complex problem with a
LLM have often failed with bizarre failures. Some worked surprisingly
well. Maybe, of course, I am holding it wrong.
I personally don't believe LLMs will ever be good enough to produce
and maintain software at scale. They're surprisingly good at finding
security flaws right now. But what I see is also a lot of
Bullshit, with a capital B. It's not lying: it does not "know"
anything, so it can't lie. It's misleadingly cohesive and
deliberate, but it lacks meaning, intent, will.
I have not been confronted with much slop, apart from the lobster
Jesus or the yellow man atrocities, and particularly not in my
work. But I see what it is doing to my profession: beyond
vibe-coding, people are now token-maxxing, and
land-grabbing their colleagues.
I don't like what LLMs do to our communities, or the fabric of
software we live with.
Software does not evolve in a void. It is a team effort, be it free
software or a corporate product. Generations of humans have carefully
built the scaffolding of technology required for modern networks and
software to operate, in a convoluted contraption that no single human
fully understands anymore.
The idea of simply giving up on that understanding entirely and
delegating it to an unproven model is not only chilling, it feels just
plain stupid. Not stupid as in Skynet, stupid as in "I can't get
inside the data center because the authentication system is
down". Except we're in a "the power plant doesn't reboot" or "their
LLM found an 0day in our slop" kind of stupid.
The fifth horseman
Researching for this article, I looked up the four horsemen and found
out they originally seem to have been:
Famine
War
Death
Conquest (??)
I was surprised. I grew up thinking about the horsemen being Famine,
War, Pestilence, and Death. So I went back to my original source
which actually claims the horsemen are:
Time has taken its toll on you, the lines that crack your face.
Famine, your body, it has torn through, withered in every place.
Pestilence for what you've had to endure, and what you have put others through
Death, deliverance for you, for sure, now there's nothing you can do
So I guess that makes no sense either, which, fair enough, I shouldn't
rely on Metallica for theological references. Especially since that
song was originally called Mechanix and was "about having sex at
a gas station".
Anyways.
The point is, there are actually five horsemen, and the fifth one is,
in my opinion, Conquest.
Those companies (and not "AI", mind you) are taking over the
world. I sense a strong connection with the "post-truth" world imposed
on us by fascists like Trump and Putin. It's not an accident, it's a
power grab part of the Californian Ideology. Just like Airbnb
broke housing, Uber destroyed the transportation and Amazon is taking
over retail and server hosting, LLM companies are essentially trying
to take over if not everything, at least Cognition as a whole.
But the capitalization of those companies (OpenAI and Nvidia in particular)
is so far beyond reason that their inevitable collapse will likely
lead to a global financial collapse of biblical proportions.
Because they will inevitably fail like previous bubbles they are built
on. And when they fail, I hope it zips all the way back through the
blockchain scam, the ad surveillance system, and the dot com then git
me back my internet.
The Tower of Babel
While I'm off in the woods hallucinating (ha!) on biblical allegories,
I feel there's another sign that the apocalypse is coming.
The Tower of Babel myth says that humans tried to create a big
tower up to heaven and become god. God confounds their speech and
scatters the human race. End of utopia.
This is what is happening to our human translators now. LLMs being,
after all, Language Models, they are excellent at translation work. So
much that the only translators not replaced by LLMs right now are
interpreters, who translate vocally in real time. But
interpreters are worried about their jobs as well.
This article was written without the use of a large language model
and should not be used to train one.
[1] I prefer "LLM" to Artificial Intelligence, as I don't consider
models to have "Intelligence" which goes far beyond the analytical
traits we train models for. Intelligence requires embodiment
and social interaction; machines lack the innate human skills of
empathy, feeling and care, which explains a lot of the evils
behind the current trends.
[2] It should be noted that Morris also happened to be one of the
founders of Y Combinator where he is in good company with
other techno-fascists like Peter Thiel, Sam Altman, and so
on. Crime, after all, pays.
I'm a member of the EFI team in Debian, and I've done much of the
work for Debian to support UEFI Secure Boot (SB) in recent years. We
have included that support for a number of releases now, starting back
with Debian 10 (aka Buster).
I'm also a long-time accredited member of
the shim-review
team, the group that checks and approves shim binaries before
Microsoft will sign them.
See the Debian
wiki for lots of background details about Secure Boot and how we
do things in Debian.
Secure Boot depends on signatures, which are verified during boot
using a chain of X.509 certificates. The root certificate(s) in the
chain are embedded in computer firmware, then later software such as
shim can add more certificates to extend the trust. Easy, right?
The problem - certificates expire...
Microsoft administer the most widespread Secure Boot root
certificates, and have been doing so since the very beginning of UEFI
Secure Boot as a concept. The Microsoft UEFI CA certificates are
included in just about every x86 and x86-64 computer shipped, and also
in quite a lot of arm64 machines too.
(The fact that Microsoft is therefore a gatekeeper for Linux
running under Secure Boot on most machines is very unpopular in some
quarters, but this is just a fact of life in the world we live
in. None of the following will affect you if you're using
Secure Boot with your own keys only.)
The current certificates have been around since 2011:
1. Windows Production PCA 2011 (used for signing Windows components)
Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011
Validity
Not Before: Oct 19 18:41:42 2011 GMT
Not After : Oct 19 18:51:42 2026 GMT
This expires in October this year, ~5 months from now.
2. Third Party Marketplace Root (used for signing option ROMs and other software)
Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
Validity
Not Before: Jun 27 21:22:45 2011 GMT
Not After : Jun 27 21:32:45 2026 GMT
For Linux folks, this second certificate is more interesting - it
is the root of the certificate chain that Microsoft use when
signing shim for Linux distributions.
This CA expires 5 weeks from today.
OMG!!! Will all my existing Secure Boot machines stop booting?
Almost definitely not, no.
The specification for UEFI Secure Boot expects that valid dates on
certificates should not be enforced for signatures here. All that
matters here is the signatures themselves. Modulo buggy firmware,
existing signed binaries should continue just fine.
New CAs to be aware of
Microsoft have published three new CAs:
1. A new CA used for signing device option ROMs
Subject: C=US, O=Microsoft Corporation, CN=Microsoft Option ROM UEFI CA 2023
Validity
Not Before: Oct 26 19:02:20 2023 GMT
Not After : Oct 26 19:12:20 2038 GMT
2. A new CA used for signing Windows components
Subject: C=US, O=Microsoft Corporation, CN=Windows UEFI CA 2023
Validity
Not Before: Jun 13 18:58:29 2023 GMT
Not After : Jun 13 19:08:29 2035 GMT
3. A new CA used for signing other software (e.g. shim)
Subject: C=US, O=Microsoft Corporation, CN=Microsoft UEFI CA 2023
Validity
Not Before: Jun 13 19:21:47 2023 GMT
Not After : Jun 13 19:31:47 2038 GMT
New machines and updated older machines will most
likely have all of these new CAs installed. New machines are
already shipping that only include the new CAs; they
will not trust older software and this has already started causing
problems for some users.
Isn't this all a bit short notice?
Yes it is. :-(
A common rule of thumb when deploying CA certificates is to start
the process of replacement ("rollover") when a certificate reaches
half of its lifetime. Unfortunately, Microsoft have done this very
late. They generated new keys in 2023, but didn't start signing shim
and other third-party software with the UEFI CA until October
2025.
If I'm a distro developer, what should I do?
If you already have an old shim signed by Microsoft for your
distribution from before October 2025, then it will only be signed
using the older CA that expires soon. On newer machines, your users
will already not be able to boot your distro with Secure Boot
enabled.
If you want your users to be able to use Secure Boot in future, you
will need to get a new shim build submitted, reviewed and signed using
the new CA. However, that signed build will not work on older machines
unless they have had the new CAs installed. This is also likely to
cause problems for some users. You should encourage your users to
update their systems NOW before things break for
them.
There is an interim solution which will work, but only if you're
quick! Microsoft are currently returning shim binaries signed
using both the old CA and the new CA. More
specifically, for every binary that is submitted they will return two:
one signed with each CA. If you use these directly, you'll need to
plan to publish:
2 signed shim binaries
2 installers
2 sets of live/installer images
etc.
and explain to your users how they'll need to pick one. Good luck
with that!
However, it is possible to extract signatures from
those signed shim binaries and attach them all onto one shim, giving
you the Holy Grail here - a single shim that will boot on the vast
majority of machines. Indeed, this is what I'm planning on doing in
Debian. So-called "dual-signed" shims may provoke
issues with buggy firmware, so be aware that you may have to deal with
this too. But take heart: early testing by various distro folks with a
dual-signed Fedora shim did not show any problems.
You have 5 weeks and counting...
Microsoft have promised to continue signing with the old CA as long
as possible, right up to the last day. They understand how awkward
things are going to be otherwise, and are trying to help here as much
as possible.
In the shim-review team, we have been expecting to see a surge of
shim submissions before the old CA expires, to make the most of the
"Holy Grail" dual-signed shims described above. But we've been really
surprised that this has not been happening.
So, this blog is a wake-up call for people doing Secure Boot with
shim. Even if you're not going to be ready to ship a new shim binary
to your users, you should really try to get a new build prepared and
signed NOW so that you have it available to tide you
over through the coming CA transition. Don't leave it too late.
If you're not sure what to do, ask me and the other shim-review
folks. We're happy to give advice. But don't delay.
You have 5 weeks and counting.
How to make a dual-signed shim binary
Microsoft only ship binaries with a single signature included. To
make things work, extract those signatures using sbattach --detach
(from the sbsigntools source package, available in
most distributions). Then apply those signatures one at a time to your
shim binary, using sbattach --attach. Simple,
really. There's one strong recommendation here: order the signatures
on your shim oldest first - that way, old buggy
firmware implementations that potentially don't look for more than one
signature will find the old signature first.
pesign can also handle moving signatures around, but I
chose sbsigntools when doing this work myself.
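To confirm that both signatures ended up on the shim, and in which order, this added Go example (not from the original post or from sbsigntools) walks the PE attribute certificate table, where each attached signature is one WIN_CERTIFICATE entry. The table layout comes from the PE/Authenticode format rather than from the post, and the sample table and its blobs are constructed placeholders, not real signatures.

```go
package main

import (
	"debug/pe"
	"encoding/binary"
	"errors"
	"fmt"
	"os"
)

// securityDir is the data-directory slot of the attribute certificate table.
const securityDir = 4

// Signature is one WIN_CERTIFICATE entry, in the order stored in the file.
type Signature struct {
	Revision uint16 // 0x0200 for current Authenticode signatures
	CertType uint16 // 0x0002 means PKCS#7 SignedData
	Blob     []byte // raw signature bytes following the 8-byte header
}

// ParseCertTable walks the table: each entry is dwLength (including the
// header), wRevision, wCertificateType, data, padded to an 8-byte boundary.
func ParseCertTable(table []byte) ([]Signature, error) {
	var sigs []Signature
	for off := 0; off < len(table); {
		rest := table[off:]
		if len(rest) < 8 {
			return nil, errors.New("truncated WIN_CERTIFICATE header")
		}
		length := int(binary.LittleEndian.Uint32(rest[0:4]))
		if length < 8 || length > len(rest) {
			return nil, fmt.Errorf("entry %d: bad length %d", len(sigs), length)
		}
		sigs = append(sigs, Signature{
			Revision: binary.LittleEndian.Uint16(rest[4:6]),
			CertType: binary.LittleEndian.Uint16(rest[6:8]),
			Blob:     rest[8:length],
		})
		off += (length + 7) &^ 7 // next entry starts 8-byte aligned
	}
	return sigs, nil
}

// ReadCertTable returns the raw certificate table of a PE file. For this
// directory entry the "VirtualAddress" field is a plain file offset.
func ReadCertTable(path string) ([]byte, error) {
	f, err := pe.Open(path)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	var dir pe.DataDirectory
	switch oh := f.OptionalHeader.(type) {
	case *pe.OptionalHeader64:
		dir = oh.DataDirectory[securityDir]
	case *pe.OptionalHeader32:
		dir = oh.DataDirectory[securityDir]
	default:
		return nil, errors.New("PE image has no optional header")
	}
	if dir.Size == 0 {
		return nil, nil // unsigned binary
	}
	raw, err := os.Open(path)
	if err != nil {
		return nil, err
	}
	defer raw.Close()
	buf := make([]byte, dir.Size)
	if _, err := raw.ReadAt(buf, int64(dir.VirtualAddress)); err != nil {
		return nil, err
	}
	return buf, nil
}

// sampleTable builds a constructed two-entry table (placeholder blobs only).
func sampleTable() []byte {
	var table []byte
	for _, blob := range []string{"constructed-2011-sig", "constructed-2023-sig"} {
		length := 8 + len(blob)
		e := make([]byte, (length+7)&^7)
		binary.LittleEndian.PutUint32(e[0:], uint32(length))
		binary.LittleEndian.PutUint16(e[4:], 0x0200)
		binary.LittleEndian.PutUint16(e[6:], 0x0002)
		copy(e[8:], blob)
		table = append(table, e...)
	}
	return table
}

func main() {
	table := sampleTable()
	if len(os.Args) > 1 { // pass a signed EFI binary to inspect it instead
		t, err := ReadCertTable(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		table = t
	}
	sigs, err := ParseCertTable(table)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for i, s := range sigs {
		fmt.Printf("signature %d: type %#04x, %d bytes\n", i, s.CertType, len(s.Blob))
	}
}
```

A dual-signed shim should list two entries; identifying which CA issued each one requires decoding the PKCS#7 blob, which this example does not do.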
If you're looking to see how others handle multiple signed shim
binaries, feel free to look at the Debian shim-signed
package for examples. The repo
is https://salsa.debian.org/efi-team/shim-signed.git.
The Debian wiki has a lot more information
about UEFI
and Secure Boot
already, and I'm going to be adding more user-focused documentation
about the CA rollover
at SecureBoot/CAChanges
shortly.
Another very minor update, now at 0.3.15, for our nanotime
package is now on CRAN, and has
been built for r2u and
Debian. nanotime
relies on the RcppCCTZ
package (as well as the RcppDate
package for additional C++ operations) and offers efficient high(er)
resolution time parsing and formatting up to nanosecond resolution,
using the bit64
package for the actual integer64 arithmetic. Initially
implemented using the S3 system, it has benefitted greatly from a
rigorous refactoring by Leonardo who not only rejigged
nanotime internals in S4 but also added new S4 types for
periods, intervals and durations.
This release adjusts the package for the maybe overly hasty switch R
4.6.0 has undertaken with respect to using C++20 as a default C++
compilation standard. I am of course largely in favour of such a switch
to more modern C++. But I am also cognizant of the fact that not all
compilers and machines are ready. And just as I have already seen one
other package fail to compile on a particular CRAN system (!!) under
C++20, this package all of a sudden, and only on that same system,
started to throw two (harmless) compiler warnings. We could call these
erroneous as newer versions of the same compiler do not throw them but
it does not matter. The decision to default to C++20 has been made, and
now we live with it. But maybe some hardware platforms should be moved
behind the barn. Either way, this release both adds an explicit cast to
two lines that may not really need it (but this will not hurt)
and also dials the compilation standard down to C++17 on one
particular platform. So once again there are no user-facing changes, or
behavioural changes or enhancements, in this release.
The NEWS snippet below has the fuller details.
Changes in version 0.3.15
(2026-05-21)
Add extra const_cast as one CRAN machine with more
ancient setup whines otherwise and is obviously less C++20 ready than it
thinks
tools/configure also checks where this is being
built and 'as needed' downgrades the compilation to C++17
I was getting “<XF86AudioPlay> is undefined” in the status bar of Emacs displayed every 2-3 seconds. Nowhere else did I notice any misbehavior or problems, and I also couldn’t find any related log entries. It didn’t stop, though I didn’t want to reboot my system to see whether that would fix the problem, but it was driving me nuts.
Now, as a starting point I adjusted my sway configuration, to react to the XF86AudioPlay key press event:
bindsym XF86AudioPlay exec playerctl play-pause
After reloading sway, my music player started to play for 2-3 seconds, stopped playing, started again, etc. It wasn’t an Emacs bug, but something indeed seemed to send the XF86AudioPlay key event every 2-3 seconds. It wasn’t my USB keyboard or any stuck key on it, as verified also by unplugging it. So which device was causing this?
Behind this event12 is sof-hda-dsp Headphone, and evtest confirms that:
% sudo evtest
No device specified, trying to scan all of /dev/input/event*
Available devices:
/dev/input/event0: AT Translated Set 2 keyboard
/dev/input/event1: Sleep Button
/dev/input/event10: ThinkPad Extra Buttons
/dev/input/event11: sof-hda-dsp Mic
/dev/input/event12: sof-hda-dsp Headphone
/dev/input/event13: sof-hda-dsp HDMI/DP,pcm=3
/dev/input/event14: sof-hda-dsp HDMI/DP,pcm=4
/dev/input/event15: sof-hda-dsp HDMI/DP,pcm=5
/dev/input/event16: Yubico YubiKey OTP+FIDO+CCID
/dev/input/event17: Apple Inc. Magic Keyboard with Numeric Keypad
/dev/input/event18: Apple Inc. Magic Keyboard with Numeric Keypad
[...]
Select the device event number [0-24]: ^C
We can even get further information:
% sudo evtest /dev/input/event12
Input driver version is 1.0.1
Input device ID: bus 0x0 vendor 0x0 product 0x0 version 0x0
Input device name: "sof-hda-dsp Headphone"
Supported events:
Event type 0 (EV_SYN)
Event type 1 (EV_KEY)
Event code 114 (KEY_VOLUMEDOWN)
Event code 115 (KEY_VOLUMEUP)
Event code 164 (KEY_PLAYPAUSE)
Event code 582 (KEY_VOICECOMMAND)
Event type 5 (EV_SW)
Event code 2 (SW_HEADPHONE_INSERT) state 0
Properties:
Testing ... (interrupt to exit)
Event: time 1779295060.175766, type 5 (EV_SW), code 2 (SW_HEADPHONE_INSERT), value 1
Event: time 1779295060.175766, -------------- SYN_REPORT ------------
Event: time 1779295061.951168, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 1
Event: time 1779295061.951168, -------------- SYN_REPORT ------------
Event: time 1779295061.951194, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 0
Event: time 1779295061.951194, -------------- SYN_REPORT ------------
Event: time 1779295064.548671, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 1
Event: time 1779295064.548671, -------------- SYN_REPORT ------------
Event: time 1779295064.548689, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 0
Event: time 1779295064.548689, -------------- SYN_REPORT ------------
Event: time 1779295067.437172, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 1
Event: time 1779295067.437172, -------------- SYN_REPORT ------------
Event: time 1779295067.437187, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 0
Event: time 1779295067.437187, -------------- SYN_REPORT ------------
Event: time 1779295070.323775, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 1
Event: time 1779295070.323775, -------------- SYN_REPORT ------------
Event: time 1779295070.323790, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 0
Event: time 1779295070.323790, -------------- SYN_REPORT ------------
Event: time 1779295073.200350, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 1
Event: time 1779295073.200350, -------------- SYN_REPORT ------------
Event: time 1779295073.200373, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 0
Event: time 1779295073.200373, -------------- SYN_REPORT ------------
Event: time 1779295076.076228, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 1
Event: time 1779295076.076228, -------------- SYN_REPORT ------------
Event: time 1779295076.076250, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 0
Event: time 1779295076.076250, -------------- SYN_REPORT ------------
Event: time 1779295078.961740, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 1
Event: time 1779295078.961740, -------------- SYN_REPORT ------------
Event: time 1779295078.961754, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 0
Event: time 1779295078.961754, -------------- SYN_REPORT ------------
Event: time 1779295081.850156, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 1
Event: time 1779295081.850156, -------------- SYN_REPORT ------------
Event: time 1779295081.850175, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 0
Event: time 1779295081.850175, -------------- SYN_REPORT ------------
Event: time 1779295083.306612, type 5 (EV_SW), code 2 (SW_HEADPHONE_INSERT), value 0
Event: time 1779295083.306612, -------------- SYN_REPORT ------------
So when I plug in my headphone (see the `SW_HEADPHONE_INSERT` event), the unexpected behavior starts, unplugging stops the problem.
Good! But what was totally unexpected for me: my headphone, being a Beyerdynamic DT-990 Pro, does not have any keys. 8-)
As it turned out, the headphone jack seemed to have been not entirely clean. The analog side of the jack triggers a behavior within the audio codec, where it seems to interpret the fluctuating impedance as a play button of the headset, being pressed, again and again.
I cleaned the jack of my headphone and my XF86AudioPlay problem is gone, case closed.
I've heard "containers are not a security boundary" enough times that it's started to feel like received wisdom, and my honest read (after 13+ years) is that it's technically defensible but practically sloppy – and the sloppiness matters.
The part that's true: containers share a kernel, and a kernel exploit crosses the container boundary where a VM would not. That difference is real and non-trivial, and the CVE history backs it up – CVE-2019-5736, CVE-2022-0492, and CVE-2024-21626 all happened in "correctly configured" production containers.
The part I'd push back on is that the comparison point is almost never stated. "Containers aren't a security boundary" is being used as shorthand for "containers aren't a VM boundary" – but the conclusion people seem to draw from that is "therefore don't bother", which doesn't actually follow. The more honest version is that default Docker doesn't provide strong isolation between mutually untrusting parties, but a hardened configuration does.
What ships by default in Moby is actually a pretty reasonable foundation: seccomp is enabled (with a builtin profile blocking ~50 syscalls – credit where it's due: this is mostly @jessfraz's work; she even ran contained.af as a public CTF for years daring people to escape a container under her seccomp profile, and to my knowledge it was never claimed), AppArmor is enabled (the docker-default profile), and several sensitive /proc paths are masked. What's not on by default: no-new-privileges (setuid binaries inside can escalate), CAP_NET_RAW is still granted to every container (even though the kernel has supported unprivileged ICMP sockets for over a decade, meaning most modern distributions no longer need CAP_NET_RAW for ping), and user namespace remapping – though user namespaces aren't quite the silver bullet they might sound like; Debian left them disabled by default for years because the kernel attack surface they exposed hadn't been hardened against unprivileged callers.
The boundary isn't absent – it doesn't come completely pre-assembled. With VMs, the hypervisor is there whether you asked for it or not; with containers, assembling the boundary is left as an exercise for the operator. That's a much more solvable problem than "the technology is incapable", but it does mean the work falls to whoever's running the containers.
So, some things you can do today without waiting for defaults to change:
--user (or USER in your Dockerfile) is worth calling out specifically, because I think it's arguably stronger than user namespace remapping in one important way – and partly for the same reason Debian was hesitant about user namespaces in the first place. User namespace remapping protects the host from a root-in-container escape: if you do escape, you land as an unprivileged user on the host. But you were still root inside the container the whole time. Running as a non-root user means you were never root anywhere. The blast radius of a compromised process is limited whether or not it escapes, including for things like reading secrets, modifying container contents, or lateral movement within the container itself. Most application containers have no legitimate reason to be root.
Beyond that, a short list of things that are easy to enable and hard to justify leaving off:
--security-opt no-new-privileges – prevents setuid binaries from escalating; can also be set daemon-wide in daemon.json with "no-new-privileges": true
--read-only – a read-only root filesystem means a compromised process can't easily persist tooling or modify the container (pair with a writable tmpfs mount for /tmp etc as needed)
--cap-drop NET_RAW – or --cap-drop ALL and add back only what you actually need; CAP_NET_RAW is almost never legitimately needed by application containers
never --privileged – if something seems to require it, the right answer is almost always a more targeted capability grant or bind mount, not the nuclear option
docker run \
  --user 1234:5678 \
  --security-opt no-new-privileges \
  --read-only \
  --tmpfs /tmp \
  --cap-drop ALL \
  acme/untrusted-workload:latest
None of these require a daemon restart or infrastructure changes, and stacked together they go a long way toward actually building the boundary that the defaults leave unbuilt.
(this post was written with the assistance of "claude my eyes right out" but all thoughts and understanding are Tianon's)
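To check which running containers actually carry the flags listed in the post above, the following added example (not part of the original post, and not Moby's own code) audits the JSON printed by `docker inspect`. The sample input, the container names and the finding labels are constructed for illustration, and the add/drop precedence for capabilities is modelled as an assumption of this example.

```python
import json
import re

# Constructed sample shaped like `docker inspect` output, trimmed to the
# fields this check reads. Container names are made up for the example.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/default-run",
     "Config": {"User": ""},
     "HostConfig": {"Privileged": False, "ReadonlyRootfs": False,
                    "SecurityOpt": None, "CapAdd": None, "CapDrop": None}},
    {"Name": "/hardened-run",
     "Config": {"User": "1234:5678"},
     "HostConfig": {"Privileged": False, "ReadonlyRootfs": True,
                    "SecurityOpt": ["no-new-privileges"],
                    "CapAdd": None, "CapDrop": ["ALL"]}},
    {"Name": "/legacy-run",
     "Config": {"User": "root"},
     "HostConfig": {"Privileged": True, "ReadonlyRootfs": True,
                    "SecurityOpt": ["no-new-privileges:true"],
                    "CapAdd": None, "CapDrop": ["CAP_NET_RAW"]}},
])

# Accepts "no-new-privileges", "no-new-privileges:true", "no-new-privileges=true".
NNP = re.compile(r"^no-new-privileges(?:[:=](true|false))?$", re.IGNORECASE)


def runs_as_root(user):
    """True when the user part of Config.User is empty, 0 or root."""
    uid = (user or "").split(":", 1)[0].strip()
    return uid in ("", "0", "root")


def has_no_new_privileges(security_opt):
    """True when the per-container SecurityOpt list enables no-new-privileges."""
    for opt in security_opt or []:
        match = NNP.match(opt.strip())
        if match and (match.group(1) or "true").lower() == "true":
            return True
    return False


def _caps(values):
    """Normalise capability names: upper case, without the CAP_ prefix."""
    out = set()
    for value in values or []:
        value = value.upper()
        out.add(value[4:] if value.startswith("CAP_") else value)
    return out


def net_raw_granted(cap_add, cap_drop):
    """Whether NET_RAW survives the add/drop lists.

    Assumed precedence for this example: adding ALL grants everything except
    explicit drops; dropping ALL leaves only explicit adds; otherwise NET_RAW
    is part of the default set unless dropped and not re-added.
    """
    add, drop = _caps(cap_add), _caps(cap_drop)
    if "ALL" in add:
        return "NET_RAW" not in drop
    if "ALL" in drop:
        return "NET_RAW" in add
    return "NET_RAW" in add or "NET_RAW" not in drop


def audit_container(container):
    """Return the list of missing hardening settings for one inspect record."""
    host = container.get("HostConfig") or {}
    config = container.get("Config") or {}
    findings = []
    privileged = bool(host.get("Privileged"))
    if privileged:
        findings.append("privileged")
    if runs_as_root(config.get("User")):
        findings.append("runs-as-root")
    if not has_no_new_privileges(host.get("SecurityOpt")):
        findings.append("no-new-privileges-unset")
    if not host.get("ReadonlyRootfs"):
        findings.append("rootfs-writable")
    # A privileged container holds every capability, so the cap lists are moot.
    if not privileged and net_raw_granted(host.get("CapAdd"), host.get("CapDrop")):
        findings.append("net-raw-granted")
    return findings


def audit(inspect_json):
    """Map container name -> findings for a `docker inspect` JSON document."""
    return {c.get("Name", "?").lstrip("/"): audit_container(c)
            for c in json.loads(inspect_json)}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(name, "OK" if not findings else ", ".join(findings))
```

On a real host the input would be the output of `docker inspect` for the containers of interest; the check reads only each container's own Config and HostConfig.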
Royals are my favourite ships in No Man's Sky. The HMS Blueberry is not my
first Exotic/Royal ship (that was the Gravity Hirakao XVI, and a story for
another time).
After years of on-off playing, I recently found my first Royal
multitool: Blue, with gold detailing. I have a Royal-style jetpack (I don't
remember where I got that). I thought I'd try and colour-match my multitool,
ship, jetpack and outfit. Since I only had one multitool, I matched the others to it.
And the HMS Blueberry (credit for the name goes to Beatrice) was the Exotic
in my collection which matched.
Back when we started with a signed shim in Debian, the tooling was
Windows-only and required me to do a reboot dance and it was all quite
tedious. Over time, more and more of the tooling has migrated to
Linux and it all works quite well.
The signing is done with an EV code signing cert from SSL.com and
stored on a Yubikey. Getting the certificate onto the key is a bit
tedious, but reasonably well-explained in the ssl.com docs.
Microsoft wants the shim binaries uploaded to their partner portal
wrapped in a .cab file, which should be signed.
The wrapping in a .cab file is easy enough: lcab shim.efi shim-unsigned.cab. It’s fine to put shims for multiple architectures
in the same .cab file.
chain.crt contains first our EV code signing cert, then the ssl.com
intermediate EV code signing cert, then the ssl.com EV root cert. The
naming of the packages is a tiny bit confusing, but it’s because the
package name in Debian is shim-unsigned.
Occasionally, processing of uploaded binaries just stops in the
validation stage in the portal, but I’ve so far been able to unstick
them by re-signing and uploading again, and I saw the same with the
MS/Windows toolchain, so I suspect it’s just flakiness on the portal
side.
I have been helping co-maintain the Debian curl package for a few
years now, and even though Samuel and Charles do most of the work, I'm
happy to jump in and help when needed. This is one of those cases.
Nowadays the package is maintained by 3 people (with help from others
occasionally), but it hasn't always been like this. Samuel adopted
the package back in 2021, and since then it has received a lot of love
and care to make sure it lives up to Debian's standards. Again, kudos
to both him and Charles who have been doing great work on this front.
But a little more than 20 years ago, the situation in Debian (and
curl!) was "a bit" different.
Once upon a time...
According to d/changelog, the Debian curl maintainer in 2005
introduced changes to the packaging that allowed it to generate a
version of libcurl for each TLS backend available: OpenSSL and
GnuTLS. This meant that curl would have two binary library packages:
libcurl3-openssl and its respective -dev variant, for libcurl
linked against OpenSSL; and
libcurl3-gnutls and its respective -dev variant, for libcurl
linked against GnuTLS.
But then, around 2006/2007 or so, upstream curl decided to bump the
SONAME version of libcurl from 3 to 4. At the time, they apparently
did not version their library symbols like they do now, which
was... less than ideal. I don't judge them: curl and a lot of other
important projects have come a long way when we consider best
practices to write shared libraries.
Meanwhile, in Debian land, the release team was having trouble with
other transitions going on at the time. For those who are not versed
in Debian's vocabulary, a transition happens when a shared library
gets its SONAME version bumped: when this happens, we have to make
sure that all reverse dependencies of that library still build with
the new version, and fix things that fail. The more reverse
dependencies the library has, the harder this work gets.
When upstream curl bumped the SONAME version of libcurl, the Debian
curl maintainer at the time correctly renamed the binary packages from
libcurl3-{openssl,gnutls} (and their -dev variants) to
libcurl4-{openssl,gnutls} (and their -dev variants), which
obviously triggered a transition. And a big one, because libcurl is
used by several projects.
We talked a while back about the curl transition, and about how upstream's
change from libcurl.so.3 to libcurl.so.4 is gratuitously painful for us in
light of the large number of reverse dependencies.
The libcurl transition has at this point gotten tangled with soname
transitions in jasper, exiv2, kexiv2, and God only knows what else. So I'd
like to revisit this question, because tracking this transition is costing
the release team a lot of time that would be better spent elsewhere, and
removing the need for a libcurl transition promises to reduce the complexity
of the other components by an order of magnitude.
On looking at the curl package, I've come to understand that the
symbol versioning in place in this library is the result of a
Debian-local patch. That's great news, because it suggests a solution
to this quandary that doesn't require an unreasonable amount of
developer time.
Yeah, it wasn't pretty. Here's what was proposed:
I am proposing the following:
Keep the library soname the same as it currently is upstream. Because
upstream uses unversioned symbols, our package will be binary-compatible
with applications built against the upstream libcurl regardless of what we
do with symbol versioning, so leaving the soname alone minimizes the
amount of patching to be done against upstream code here.
Revert the Debian symbol versioning to the libcurl3 version, and make
libcurl.so.3 a symlink to libcurl.so.4. We have already established that
libcurl.so.4 is still API-compatible with libcurl.so.3, in spite of the
soname change upstream; reverting the symbol versioning will make it fully
ABI-compatible with libcurl.so.3, and adding the symlink lets
previously-built binaries find it.
Revert the Debian package names to the curl 7.15.5 versions. Because
compatibility has been restored with libcurl3 and libcurl3-gnutls,
restoring the package names provides the best upgrade path from etch to
lenny; and because the symbol versions have been reverted, the libraries
are not binary-compatible with the Debian packages currently named
libcurl4/libcurl4-gnutls/libcurl4-openssl (in spite of being
binary-compatible with upstream), so it would be wrong to keep the current
names regardless.
Drop the SSL-less variant of the library, which was not present in curl
7.15.5; AFAICS, there is no use case where a user of curl needs to not
have SSL support, so this split seems to be unnecessary overhead. Please
correct me if I'm mistaken.
Leave the -dev package names alone otherwise, to simplify binNMUing of the
reverse-dependencies (some packages have already added versioned
build-deps on libcurl4.*-dev -- I have no idea why -- so reverting the
names would mean more work to chase down those packages). Drop
libcurl4-dev as a binary package, though, in favor of being Provided by
libcurl4-gnutls-dev. Many of the packages currently build-depending on
libcurl4-dev -- including some that wrongly used libcurl3-dev before --
are GPL, and these are apparently all packages where having SSL support
missing in libcurl4 wasn't hurting them, so libcurl4-gnutls-dev seems to
be the reasonable "default" here.
Schedule binNMUs for all reverse-dependencies.
Again, no judgement here: this was what needed to be done at the time,
and I believe it was a good solution given the circumstances.
In the end, the binary library packages got renamed again: from
libcurl4-{openssl,gnutls} back to libcurl3-{openssl,gnutls} (but
not their -dev variants!), but they continued shipping
libcurl libraries whose SONAME version was 4. This solved the
immediate problem of untangling the transitions mentioned by Steve,
but introduced a technical debt that would stick with the package
literally for decades.
The situation at the end of 2007 was:
libcurl3-openssl with libcurl4-openssl-dev; and
libcurl3-gnutls with libcurl4-gnutls-dev.
More discrepancy is added
Eventually the libcurl3-openssl package got renamed to libcurl3,
but aside from that the situation with mismatched library names
vs. SONAME versions stayed relatively unchanged until around 2018,
when the Debian curl maintainer at the time (a different person)
renamed libcurl3 to libcurl4 to fix a bug. This was the right
thing to do for libcurl3, and at the time upstream curl was already
properly versioning their symbols, but for some reason
libcurl3-gnutls got left behind. So now we had:
libcurl4 with libcurl4-dev; and
libcurl3-gnutls with libcurl4-gnutls-dev.
In other words, we now have a discrepancy between the OpenSSL and
GnuTLS variants' names. Yeah, confusing. And this is the situation
right now, in May 2026, while I write this post.
To make matters worse, the Debian curl package has been carrying a
patch to facilitate the split of OpenSSL and GnuTLS flavours for
decades now, and, for some reason I didn't bother to investigate, the
patch pins the SONAME version of libcurl3-gnutls to CURL_GNUTLS_3,
effectively overriding upstream's decision to version the symbols as
CURL_GNUTLS_4.
A call to make things right
Back in 2022, Simon McVittie filed a Debian bug to try and call our
attention to the fact that we were shipping this messy set of curl
packages. I had just started to get involved in the package
maintenance and Samuel asked me to take a look at the bug. I noticed
it was going to take more time than I had available, so I decided to
put it in my TODO list (TM).
Simon was generous enough to lay out a possible plan to tackle the
problem, but I had a feeling that this was going to be harder than it
looked. I kept postponing working on the bug, but also kept thinking
about it now and then because it's an interesting thing to solve.
Then, a month or so ago the Debian Brasil community got together for
MiniDebConf Campinas 2026 and we decided to do a bug squashing party
there. I started working on a few FTBFS bugs with GCC 16, but then
was reminded of the curl bug and thought that that was the
perfect time and place to start working on it, for a few reasons:
Samuel and Charles were also attending the conference, so I could
talk to them about my plans and show them a PoC.
The plan I had in mind was a variant of Simon's proposed plan:
I would have to adjust our GnuTLS-specific patch so that it did not
override the SONAME version for libcurl-gnutls. Then,
For each symbol from libcurl3-gnutls I would have to:
Explicitly version it as curl_symbol_name@@CURL_GNUTLS_4.
Create an alias for the symbol (let's call it __curl_compat_symbol_name).
Explicitly version this alias as __curl_compat_symbol_name@CURL_GNUTLS_3.
Have a separate version of curl's linker script to make it
possible to create a hierarchy between CURL_GNUTLS_3 and
CURL_GNUTLS_4 symbols.
Note that this whole dance is needed because it is a hard requirement
that programs linked against libcurl3-gnutls keep working when we
ship libcurl4-gnutls, without needing to recompile them. Due to the
fact that we will not really bump the SONAME of libcurl-gnutls (but
instead fix the symbol versions shipped by it), we cannot expect
programs to break given that they are actually using the exact same
ABI as before.
Unfortunately (as is common with low-level tools) the documentation
for ld's versioning syntax is quite incomplete and hard to find.
One of the best sources I found was this blog post. For this reason,
let me quickly explain the different notations for symbol versioning
used above.
curl_symbol_name@@CURL_GNUTLS_4
When we use curl_symbol_name@@CURL_GNUTLS_4 (note the @@) we are
telling the linker that this should be considered the default
version of curl_symbol_name. In other words, when a binary that
links against libcurl-gnutls calls curl_symbol_name, the linker
should use curl_symbol_name@@CURL_GNUTLS_4 to resolve the symbol.
There are a few ways to specify a symbol version in C/C++:
Finally, when we use __curl_compat_symbol_name@CURL_GNUTLS_3 (note
the single @) we are telling the linker that this symbol exists, but
it should not be used as the default symbol. In fact, this
notation will basically hide the symbol and make it only available for
those programs that have already been linked against it. It's a way
of saying "don't offer this symbol when linking, but it's here in case
a program needs it to run" (it's a bit more complicated than that, but
you get the point).
The reason I had to create an alias to the function before
versioning the symbol with @CURL_GNUTLS_3 is because, once I've
versioned the main symbol as @@CURL_GNUTLS_4, I can't create another
version of it. It's also important to mention that to be able to
create a version for the alias I also had to change its visibility to
default. In the end, the alias ended up being defined as:
For my PoC I decided to tackle a small subset of the problem. The
symbols file for libcurl3-gnutls contains around 100 symbols that
need to be fixed, so I chose two of them and started trying to write a
patch to see if I could make things work. And after some time
struggling with GCC's syntax and inspecting nm -D's output I finally
got something that looked like it was going to work. The two symbols
I had chosen to work with got correctly versioned (both as
@@CURL_GNUTLS_4 and @CURL_GNUTLS_3), and a quick-and-dirty C
program that used those symbols correctly compiled and ran with the
expected symbols. I showed the results to Samuel and Charles, we got
excited about what we saw, and then the conference ended.
Second attempt and some adjustments
After getting back home I resumed the work on my branch and wrote an
Emacs function that semi-automatically adjusted all 100+ symbols
listed in the symbols file so that they all looked like:
The patch was big but mostly repetitive, and I was happy to have come
up with a solution that looked clean. Until I tried to build the
package, that is.
I started seeing some strange errors that happened when ld was
trying to link the final libcurl4-gnutls object (yes, at that point
I had already renamed the binary package). This is one of the errors
I was getting from ld (I got variants of this error as I was trying
to fix the approach):
/usr/bin/x86_64-linux-gnu-ld.bfd: .libs/libcurl_gnutls_la-easy.o: in function `dupeasy_meta_freeentry':
./debian/build-gnutls/lib/./debian/build-gnutls/lib/easy.c:1024: multiple definition of `curl_easy_cleanup'; .libs/libcurl_gnutls_la-easy.o:./debian/build-gnutls/lib/./debian/build-gnutls/lib/easy.c:908: first defined here
/usr/bin/x86_64-linux-gnu-ld.bfd: .libs/libcurl-gnutls.so.4.8.0: version node not found for symbol curl_easy_duphandle@CURL_GNUTLS3
/usr/bin/x86_64-linux-gnu-ld.bfd: failed to set dynamic section sizes: bad value
This was strange. I did some tests with very simple versions of a
shared library using the versioning mechanism I had implemented and it
all worked. I could not reproduce the problem, and that's not a great
feeling to have.
Then, after reading a lot of documentation and blog posts throughout
the internet I found something interesting. Apparently ld has a
limitation when it comes to dealing with symbols versioned with @@.
If there is a single symbol versioned like that in a source file (the
actual term is TU, which means Translation Unit, but let's
simplify), then ld is happy and generates the expected version
without issues. But when we're dealing with multiple definitions of
@@ symbols in a source file (which is exactly what happens in curl),
then ld can get confused and start giving errors during the link
stage.
To solve that limitation, we have to resort to yet another symbol
versioning notation: @@@. Yes, three at signs. For example:
Note that we have to use __asm__ because GCC's __attribute__
doesn't support the triple-at notation.
What this does is tell the linker to create a versioned symbol for
curl_symbol_name, set it as the default symbol when linking, but
also remove the unversioned curl_symbol_name symbol. This makes
ld happy and allows it to successfully link libcurl-gnutls. As
usual, you won't find any mention of the @@@ notation inside ld's
documentation.
With libcurl-gnutls compiling again, I had to adjust libcurl's
linker script to create a hierarchy between CURL_GNUTLS_3 and
CURL_GNUTLS_4 symbols. Here's the final version of the file:
CURL_GNUTLS_3
{
  global:
    curl_easy_cleanup;
    /* lots of other symbols here */
  local: *;
};

CURL_GNUTLS_4
{
  global: curl_*;
  local: *;
} CURL_GNUTLS_3;
Debian package adjustments
After getting the hard part out of the way, the rest was easy. It was
time to finally rename libcurl3-gnutls to libcurl4-gnutls.
Initially I was thinking that I'd need to ask the release team for a
transition to happen, but as it turns out that won't be necessary.
Because we are effectively shipping the same exact library/ABI and the
only difference is the inclusion of the extra CURL_GNUTLS_4
versioned symbols, and given that we will be shipping CURL_GNUTLS_3
versioned symbols to guarantee backwards compatibility, packages won't
need to get rebuilt just to pick up the new dependency. Instead, we
can safely turn libcurl3-gnutls into a transitional package that
depends on libcurl4-gnutls.
Merge request and next steps
This is the merge request where I am working on the fix. As of this
writing it is in a draft state, but I expect to merge in the next
couple of days. Once the fixed curl package is uploaded, we should
keep an eye on the archive to make sure no unexpected bugs happen.
I would like to carry this patch downstream at least until forky is
released. It doesn't make sense to propose it upstream because this
problem is Debian-specific and should be fixed there. We will need to
make sure that all reverse dependencies of libcurl3-gnutls are
recompiled before we can get rid of the transitional package, too.
This was a fun bug to investigate and fix, and I am happy that we will
finally have sensible names (and symbol versions!) for both of our
libcurl variants. Stay tuned for the next challenge!
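The post above relies on inspecting nm -D output to confirm that every legacy symbol is exported both as the default @@CURL_GNUTLS_4 version and as the hidden @CURL_GNUTLS_3 compatibility version. As an added example (not code from the post or from the Debian curl packaging), the check below automates that inspection. The nm listing, the addresses and the legacy symbol list are constructed, and it assumes the compatibility alias is exported under the original symbol name at the same address as the default version.

```python
# Constructed sample in the format printed by `nm -D --with-symbol-versions`.
# Addresses are made up; three symbols are deliberately broken.
SAMPLE_NM = """\
                 U malloc@GLIBC_2.2.5
0000000000000000 A CURL_GNUTLS_3
0000000000000000 A CURL_GNUTLS_4
0000000000011a20 T curl_easy_cleanup@@CURL_GNUTLS_4
0000000000011a20 T curl_easy_cleanup@CURL_GNUTLS_3
0000000000011b40 T curl_easy_duphandle@@CURL_GNUTLS_4
0000000000011b40 T curl_easy_duphandle@CURL_GNUTLS_3
0000000000011c80 T curl_easy_init@@CURL_GNUTLS_4
0000000000012000 T curl_easy_perform@CURL_GNUTLS_3
0000000000012100 T curl_easy_reset@@CURL_GNUTLS_4
0000000000012180 T curl_easy_reset@CURL_GNUTLS_3
"""

# Constructed stand-in for the names listed in the old symbols file.
LEGACY_SYMBOLS = [
    "curl_easy_cleanup",
    "curl_easy_duphandle",
    "curl_easy_init",
    "curl_easy_perform",
    "curl_easy_reset",
]


def parse_nm(nm_text):
    """Return {(name, version): (address, is_default)} for defined versioned symbols."""
    table = {}
    for line in nm_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # undefined symbols have no address column
        address, kind, symbol = parts
        if kind == "U" or "@" not in symbol:
            continue  # skip imports and the version-node marker symbols
        if "@@" in symbol:
            name, version = symbol.split("@@", 1)
            is_default = True
        else:
            name, version = symbol.split("@", 1)
            is_default = False
        table[(name, version)] = (int(address, 16), is_default)
    return table


def check_compat(nm_text, legacy_symbols,
                 old="CURL_GNUTLS_3", new="CURL_GNUTLS_4"):
    """Return {symbol: [problems]} for legacy symbols that would break.

    missing-default:  nothing to link new builds against (no name@@new)
    missing-compat:   binaries built against the old version fail to load
    address-mismatch: the compat version is not an alias of the default one
    """
    table = parse_nm(nm_text)
    problems = {}
    for name in legacy_symbols:
        found = []
        default = table.get((name, new))
        compat = table.get((name, old))
        if default is None or not default[1]:
            found.append("missing-default")
        if compat is None or compat[1]:
            found.append("missing-compat")
        if default and compat and default[0] != compat[0]:
            found.append("address-mismatch")
        if found:
            problems[name] = found
    return problems


if __name__ == "__main__":
    for symbol, found in check_compat(SAMPLE_NM, LEGACY_SYMBOLS).items():
        print(symbol, ", ".join(found))
```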
Unwinding Anxiety is a non-fiction self-help book about how to
reduce anxiety. The author is a board-certified psychiatrist specializing
in addiction and substance abuse, who has subsequently done clinical and
research (and commercial, more on that later) work in anxiety. His
previous book, The Craving Mind, was a pop science treatment of
addiction research. This book is more deliberately structured as a
self-help guide.
(The cover will assure you that he has an M.D. and a Ph.D. I don't include
honorifics and degrees in author listings as a small protest against the
weird social rules about which degrees count and which don't.)
There are a lot of self-help books out there about anxiety. There are a
lot fewer that say something relatively original. I think this is one of
the latter, but I certainly have not done a survey of the subgenre, and
it's possible the ideas here are only new to me. Brewer makes three basic
claims in this book, all of which I found personally useful:
Anxiety can be usefully analyzed as a habit. The rumination loop and
other related anxiety behaviors such as excessive analysis,
reassurance-seeking, and negative anticipation take the form of deeply
ingrained habits triggered by stimuli.
Raw willpower is not a useful way to break habits in general and
anxiety habits in particular. In order to displace the habit, you have
to retrain the part of your brain that runs habits on autopilot.
Attempting to override it with willful effort is exhausting and likely
to fail.
Habit loops in general, and anxiety loops in particular, can be
defused and replaced using mindfulness techniques.
This is not the way Brewer lays out the book. He goes to some effort to
lead the reader slowly through three techniques for handling anxiety (for
which he uses the metaphor of "gears," like for a bicycle or car) by
introducing them one at a time and encouraging the reader to become
thoroughly familiar with each one before moving on to the next. Since this
is a book review, I'm going to give you the whole argument at once so that
you know where this book is going. This may be less helpful in practice;
if you're trying to use this technique on your own anxiety, you may want
to read the book instead and not jump ahead.
Brewer's three gears are:
Identify your habit loops and recognize when they're happening. (This
part felt the most similar to traditional cognitive behavioral therapy
to me.)
Focus on how those habit loops make you feel. Rather than trying to
force the habit loop to stop, let it happen but pay very close
attention to the outcome and its effects on you.
Find and focus on a different reaction that provides better rewards
than the anxiety habit loop. Brewer suggests curiosity.
For me, the point where I thought "okay, you have my attention" is when
Brewer described the way many people, particularly people without anxiety,
tell people with anxiety to "just stop thinking about it" or "just do the
thing you're anxious about anyway and you'll see it will be fine" and then
described in detail why he believes that doesn't work. This is one of the
few discussions of anxiety I've read where the author goes out of his way
to stress that you cannot simply think your way out of anxiety and that
repeatedly trying to do so and failing is exhausting and demoralizing.
Everyone is different and I know some people find cognitive behavioral
therapy very helpful, but I find the constant effort to challenge
cognitive distortions more draining and demoralizing than useful. His
second gear, of not directly confronting the habit loop but instead
watching its effect and thinking about its outcome, feels so much more
approachable to me. Assuming, of course, it works.
Brewer's approach is essentially just mindfulness, although he mostly
avoids the (to me at least) somewhat off-putting typical introduction to
mindfulness via religious practice or general well-being and instead ties
it to a theorized model of how habits work in the human brain. His
contention is that habits, including anxiety, exist because at some point
they provided a reward that was sufficiently compelling to make the
habit-following part of your brain seek that reward. You were getting some
benefit (a sense of control, a sense of being prepared, temporary
reassurance, etc.) out of the anxiety reaction, which is why the anxiety
habit formed in the first place. Once that habit is in place, it can
continue without the reward. (Although in my experience there is probably
still some short-term reward.)
Rather than trying to force yourself to stop following the habit, Brewer
instead suggests letting the habit happen but then focusing (via
mindfulness) on how following the habit makes you feel, whether it
improves your sense of well-being or worsens it, and whether other actions
produce different feelings. The goal, in other words, is to undermine the
assumption of reward and to challenge any short-term reward with the
long-term discomfort that made you want to stop being anxious.
This avoids using your conscious brain to exert direct willpower, which is
exhausting and usually unsuccessful since the habit-following part of your
brain is stronger (for various evolutionary psychology reasons he explains
and that I found at least partly credible). Instead, you are using its
strengths of observation and classification. You pay close attention to
the ways in which the habit loop makes you feel bad, which in theory
provides feedback to the habit-following part of your brain that can
dislodge the habit. If the habit is recognized as no longer rewarding, it
will weaken.
Brewer's background is in addiction treatment, so he is predisposed to see
addiction in everything and one should probably be a bit cautious about
his enthusiasm. He claims a great deal of success with this approach in
clinical settings, mostly with addiction but also with anxiety, but this
is always hard to verify. (Few doctors who write self-help books
rigorously document their failures.) He apparently also has a company that
produces various phone apps that assist with this technique. I'm rather
cynical about anyone who talks about products their company has produced
in self-help books of this type, and I'm also rather cynical about anyone
who calls himself "Dr. Jud," but the book doesn't seem to be a sales pitch
and there's no direct information in it about how to get the apps.
For me, the first two parts of the book were the most useful and the
conception of anxiety reactions as habits made a surprising amount of
intuitive sense. I thought the third part of the book, where he tries to
describe a better in-the-moment reaction that you can try to build into a
more beneficial habit, to be the weakest. It's mostly stock mindfulness
advice that I've seen in other places, and you will be entirely
unsurprised to learn that Brewer meditates and has studied meditation. I
think it's clear that, for him, a feeling of curiosity works as an anxiety
replacement; I'm not sure that's universal and I'm not sure it works for
me.
That core idea that anxiety reactions are a type of addictive habit that
have outlived their useful rewards but continue because habits are hard to
change felt both useful and at least a little bit true, though. Your
mileage may, of course, vary, but I've been trying out various ideas from
this book since I first started reading it, and I think it's helping. If
any of this clicks with you and you're also prone to anxiety, it might be
worth a read.
One warning, though: Brewer's previous work on addiction includes binge
eating, and while it's not a primary focus, he uses several weight loss
and disordered eating examples and has a very traditional medical attitude
towards weight. I'm somewhat dubious of the addiction model of weight gain
in general, but more to the point, it's rather off-putting in a book
supposedly about anxiety. It's something I was able to skim over, but be
aware going in if you're likely to find this obnoxious.
I do think this book is a case of an addiction researcher seeing
everything through the lens of addiction, and I'm a little dubious this is
the right model for everyone's anxiety. But this is one of the good
reasons why there are a lot of books about anxiety: Different approaches
suit different people. This one made more sense to me than most; maybe you
are similar.
I can't really recommend or not recommend a book like this, since I think
so much will depend on whether you are one of the people for whom this
specific explanation will click, but I'm glad that I read it and I think
it's good to know that this model of anxiety exists.
When it is run as unconfined_t, the contents of the /etc/ssh/ssh_host_ecdsa_key file are correctly displayed on standard out in about 10ms. The file in question is only readable by root, and a non-root user can use this exploit to read it.
It wouldn’t be uncommon to have a system configured to allow users to trace their own processes. The following policy addition grants access for the user to trace their own processes:
allow user_t self:process ptrace;
With that in place the sshkeysign_pwn exploit still doesn’t work and there are logs like the following:
So if you could find some secret data in a file that’s only restricted by Unix permissions and user_t is granted ptrace access then a variant of that exploit could work.
When user_t is allowed ptrace access the chage_pwn exploit fails with the following log entries, so any binary that runs in a different domain can’t be used in that situation.
In a “strict” configuration with users having the user_t domain a Debian system is not vulnerable to these exploits unless there is some configuration error or some unusual configuration choices. Users with the unconfined_t domain can successfully run the exploits.
In or around 2014 I bought an iPad Mini (2), and following the normal
lifecycle of iOS devices, a major OS update eventually killed it as
a useful, general-purpose device: operating it was just too sluggish.
It remained useful as a streaming media player for a little while
longer until eventually the big streamers (BBC iPlayer, Netflix, etc.)
stopped supporting the version of their app which the iPad could
install: the last officially supported iOS was 12.4.8 in July 2020,
and by November it was officially dead.
Old 32bit games
During its useful life, the iPad Mini witnessed Apple's transition
from 32 to 64 bit apps. In the 32 bit days, there was a little cottage
industry of app developers, and in particular, game developers. There
were even several independent websites (App Shopper, Pod Gamer, Free-App Hero), which aided in sorting through
the morass of apps to find the good ones (then as now, the App Store
itself was almost impossible to effectively browse). This all went
away during the 32/64 transition, as many small-scale developers
weren't actively developing their applications or games any more, and
weren't prepared to pay the time or Apple tax to rebuild and publish
them as 64 bit.
The last version of iOS that supported 32 bit apps on this device was
10.3.3, and by luck, there are some methods available to install this
old version of iOS on the Mini 2 today. A couple of years ago I did so,
and I kept no notes so sadly I can't report on which method I used. But
it worked, and I was able to install a bunch of old 32 bit games that I
had no access to on more modern devices.
Prior to John Carmack's[1] departure from iD Software, he'd been
responsible for publishing several experimental iD software games on iOS. These
mostly disappeared in the 64 bit transition. Amongst them are ports of
Wolfenstein 3D, classic Doom, some RAGE tie-ins, but perhaps most
interestingly, at least two original games, designed for the phone form factor:
Doom 2 RPG and Wolfenstein RPG.
Reading magazine-style things
Another notable game that disappeared was "Civilisation Revolution", a
cut-down Civ game that for a while I was obsessed with. Rather than port
it to 64 bit, the publisher withdrew it, and then published a "new" game
"Civilisation Revolution 2", requiring a separate purchase. Sadly, it is
rubbish, nowhere near as good as the first one.
Anyway, having managed to downgrade it to the 32 bit iOS and install these old
lost games, I then, of course, never played them and the device continued to
gather dust. I should make clear that running such an old unpatched iOS version
means it's not safe at all to put any kind of sensitive information on this,
including entering passwords. I don't recommend even opening the web browser.
However, this 12 year old device does have some use as an e-reader, especially
for certain types of ebook or magazine, that I've struggled to engage with
on other devices. That's a topic for another blog post.
[1] Carmack reportedly also had a pivotal role in convincing Steve
Jobs to permit native apps and provide an App Store on iOS:
the plan had been to solely support web apps, at least for 3rd
parties.
Ian Jackson reported that dput-ng could lose data when using the local install method (relevant in tests of other packages, for instance) and filed an initial merge request to fix it. I improved this to isolate its tests properly, and uploaded it.
groff
I upgraded from 1.23.0 to 1.24.1. 1.24.0 and 1.24.1 were the first upstream releases since 2023, and had extensive changes; I’d had the corresponding packaging changes in the works since January, but it took me a while to get round to finishing them off. It was good to get this off my list.
OpenSSH
I released bookworm and trixie fixes for CVE-2026-3497, and issued the corresponding BSA-130 for trixie-backports.
I upgraded from 10.2p1 to 10.3p1.
parted
I upgraded from 3.6 to 3.7. 3.7 was the first upstream release since 2023, but the changes were nowhere near as extensive as groff, so this was a fairly quick job. I also fixed the parted-doc package to ship proper API documentation.
MySQL released (well, flipped the default compilation flag for) the
hypergraph join optimizer in the community builds; this was the main project
I started and worked on while I was there, so it's nice to see even though
it's been default in e.g. their cloud column store for a long time. You can read
their blog post
(though beware, likely-LLM text ahead).
(The cost model improvements and TPC-DS benchmarking are from after my time.)
deb-scrub-obsolete is a tool in the debian-codemods suite that tries to
identify and remove cruft automatically. It knows about dummy
transitional packages, superseded alternatives, and similar patterns it can
detect by querying the archive. But some workarounds are too
project-specific for a generic tool to recognise on its own.
Developers can leave structured comments in their packaging files that tell
deb-scrub-obsolete when a particular line or block can be removed.
The Debian Janitor regularly
runs various codemods like deb-scrub-obsolete on all
vcs-accessible Debian packages. This means that if you
leave a “remove-after: trixie” annotation in your package, you will
automatically get a pull request to remove the annotated code once trixie has
been released, without needing to remember to do it yourself.
The Comment Format
The annotations take the form of specially-formatted comments. For shell files
(and by extension most maintainer scripts), a line-level annotation looks like this:
When trixie has been released, deb-scrub-obsolete will remove that line
entirely. The comment can appear anywhere on the line — before or after other
comments — and additional explanatory text can follow:
blah # Trixie comes with blah built in # remove-after: trixie
For larger sections, block-level annotations bracket the code to remove:
These blocks can be nested, which is useful when one outer condition wraps
several inner ones with finer-grained timing.
Expressions
The initial set of supported expressions is deliberately small. The main one
is a Debian release name: remove-after: trixie means “once trixie has
been released”. The condition is checked against distro-info (https://manpages.debian.org/trixie/distro-info/distro-info.1.en.html), the same data
source that other Debian tooling uses to track release status.
The expression language is designed to be monotonic — conditions should only
ever go from false to true, not back. A workaround that needs to be
re-introduced after removal belongs in a new commit, not in an annotation. If
deb-scrub-obsolete cannot parse an annotation it finds in a file, it
leaves all annotations in that file untouched, to avoid a situation where
related blocks are only partially removed.
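The line-level rules described above, as an added Python example that is not part of the original post or of deb-scrub-obsolete itself. It assumes each annotation sits in its own `#` comment segment holding exactly one release name, uses a constructed release table in place of distro-info, and the names find_annotation and scrub are hypothetical.

```python
import re

# Constructed stand-in for distro-info data: codename -> already released?
# (Assumption for this example only.)
RELEASED = {"bookworm": True, "trixie": True, "forky": False}

PREFIX = "remove-after:"
CODENAME = re.compile(r"[a-z][a-z0-9]*")


class UnparseableAnnotation(Exception):
    """A remove-after annotation was found but its expression is not understood."""


def find_annotation(line, known):
    """Return the release name annotated on this line, or None if there is none.

    Everything after the first '#' is treated as a sequence of '#'-separated
    comment segments, so the annotation may come before or after other
    comments. This naive split does not understand '#' inside quotes or "$#".
    """
    for segment in line.split("#")[1:]:
        text = segment.strip()
        if not text.startswith(PREFIX):
            continue
        expr = text[len(PREFIX):].strip()
        # Only a single known release name is accepted; anything else
        # (compound expressions, typos, unknown names) is unparseable.
        if not CODENAME.fullmatch(expr) or expr not in known:
            raise UnparseableAnnotation(text)
        return expr
    return None


def scrub(text, released=RELEASED):
    """Drop every line whose annotated release has been released.

    If any annotation in the file cannot be parsed, the whole file is
    returned unchanged so related lines are never partially removed.
    """
    lines = text.splitlines(keepends=True)
    try:
        names = [find_annotation(line, released) for line in lines]
    except UnparseableAnnotation:
        return text
    return "".join(
        line for line, name in zip(lines, names)
        if name is None or not released[name]
    )


# Constructed maintainer script used as sample input.
SAMPLE = """\
#!/bin/sh
set -e
# Migrate old state directory # remove-after: trixie
mv /var/lib/foo.old /var/lib/foo 2>/dev/null || true # remove-after: trixie
update-foo --compat # needed until forky ships foo 2 # remove-after: forky
echo done
"""

# Same script plus one annotation this example cannot parse.
BROKEN = SAMPLE + "old-hook # remove-after: trixie and forky\n"

if __name__ == "__main__":
    print(scrub(SAMPLE), end="")
    print("broken file left untouched:", scrub(BROKEN) == BROKEN)
```

Because the condition is monotonic, rerunning scrub after forky is marked released can only remove more lines, never restore any.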
Annotations can also carry a marker name — an arbitrary label with no spaces,
commas, or the word “after” — which can then be passed to
deb-scrub-obsolete on the command line. This makes it possible to trigger
removal of a named set of annotations together, useful for coordinated
transitions where several packages need to be cleaned up at the same time.
Future Extensions
The initial expression set is minimal; the design leaves room for richer
conditions. Some candidates under consideration:
- Whether a particular suite has a new enough version of a package (removing
  a Build-Depends version constraint once it is satisfied everywhere)
- Whether a package has been removed from the archive
- Whether all currently-supported releases contain a new enough version
Compound expressions using “and” / “or” are also on the list, for cases where
removal depends on multiple conditions being true simultaneously.
Status
The annotation format is specified but not yet implemented in
deb-scrub-obsolete - it is planned for a future release. If you maintain
Debian packages and have opinions on the annotation format or the expression
language, feedback is welcome. The specification lives in
scrub-obsolete/doc/scrub-annotations.md
in the lintian-brush repository. Many thanks to Helmut Grohne for the initial
suggestion and feedback on the design.
This release features a rewritten internal routine unpacking the R
variadic arguments into C++ variadic template arguments. This in turn
allows us to turn back to std::format in C++ mode when C++20
is used. We also adjust for the not-quite-ready-for-this state of the
x86-64 based macOS machine at CRAN. It is running a compiler and SDK
choice that cannot fully deal with C++20, so we dial compilation on it
down to C++17. Similarly, and as we found out after the release, Ubuntu
jammy is also too old to default to std::format so we need
to add a better detection here too so that we can also fall back to the
included fmt there.
The NEWS entry for this release follows.
Changes in RcppSpdlog version 0.0.29 (2026-05-08)
- Some small continuous integration updates
- The internal formatter was rewritten as a recursive generator of
  variadic templates.
- Switch back to std::format with C++20, but force
  inferior macos-release-x86_64 to use C++17 rather than default C++20
  which fails
These packages are currently using QT5 which is a good reason to not upload them now as the transition to QT6 is in progress. Patching them to work with QT6 (as the libnemodbus upstream is apparently not migrating to QT6 yet) shouldn’t be that difficult but is something that needs some care and communication to get it right.
Running this package on my laptop with my PineTime (which worked very reliably when run by GadgetBridge on Android) wasn’t reliable and the PineTime would disconnect and refuse to connect again. Doing it on the Furilabs FLX1s gave a similar result. If Amazfish was the only Bluetooth program having problems on my laptop and on my FLX1s then I’d blame it, but both those systems have some other Bluetooth issues.
Running this on my laptop Amazfish would send its own test notifications to my watch but system notifications (from notify-send among others) wouldn’t get sent. Running this on my FLX1s I got ONE notification from my network monitoring system sent to my watch before my phone and watch stopped talking to each other.
To make things even more difficult for me the harbour-amazfish-ui program doesn’t work correctly with the libraries installed on my FLX1s and doesn’t display the content of many screens but it works correctly when running in a container environment with stock Debian/Testing.
Below is the script that I’m currently using to launch apps in a Debian/Testing container on my FLX1s. The comment about unshare-user doesn’t apply to this version of the script but I left it in to avoid the potential for future confusion. The Furilabs people diverted the bwrap binary and have a wrapper that removes a set of parameters that they think will cause problems.
#!/bin/bash
set -e
BUILDBASE=/chroot/testing
# bwrap: Can't mount proc on /newroot/proc: Device or resource busy
# get the above with --unshare-user and --unshare-pid
# Paths are quoted so a $HOME or $BUILDBASE containing spaces is passed intact.
exec bwrap.real --bind /tmp /tmp --bind /run /run --bind "$HOME" "$HOME" \
  --ro-bind "$BUILDBASE/etc" /etc --ro-bind "$BUILDBASE/usr" /usr \
  --ro-bind "$BUILDBASE/var/lib" /var/lib \
  --symlink usr/bin /bin --symlink usr/sbin /sbin --symlink usr/lib /lib \
  --proc /proc --dev-bind /dev /dev --die-with-parent --new-session "$@"
Due to the range of problems I’m having I think it would be best to pass this package on to someone else who has a different test setup. It could be that further testing will reveal that my issues are related to bugs in Amazfish but I can’t prove it either way at this time. Maybe when using a smart watch other than a Pine Time it will work more reliably but it seems most likely that my laptop and phone are to blame. I can’t make more progress on this now.
Discussion of “AI” systems seems to be dominated by fears of uncommon and unlikely threats. I think that we should be focusing more on real issues with LLMs and with society in general and put the most effort towards the biggest problems.
It’s Not AI
True Artificial Intelligence [1] (IE a computer that has the mental capacity of a household pet) is something that I think can be developed, but it hasn’t been developed and we don’t have good plans for developing it. We seem to be a lot further away from achieving that goal than we were from landing on the moon in 1962 when JFK gave his historic speech.
What we have is a variety of pattern recognition systems that can predict what fits into a pattern. The most well known type of Machine Learning (ML) is the Large Language Model (LLM) which means ChatGPT and similar systems which predict which text would be likely to come next and can make an essay from it. They can give interesting and useful output, but there is no thought behind it, it’s just a better form of Eliza (the famous program from 1964 that simulates conversation by pattern matching) [2]. By analysing billions of documents, storing the data in a condensed mathematical way, and then using computation to extract from that record LLMs can produce output that is unfortunately considered by some people to be good enough to include in legal documents submitted to courts, university assignments, and many other documents. But they do so without even having the thinking ability of a mouse.
To call current systems “AIs” without any significant qualifiers when criticising them is to concede the debate about the worth of such things.
Here is a list of some of the most unreasonable arguments I’ve seen against “AI” which distract attention from real problems both related to “AI” and other problems in society.
Suicide and Homicide
Wikipedia has a page listing Deaths Linked to Chatbots [4] which right now has 16 entries from 2023 to Feb 2026. They are all tragedies and as a society we should try to prevent such things. But what I would like to see from the media is some analysis of overall trends, yes it gets people’s attention when someone dies in an unusual way but we need to have attention paid to the more numerous deaths which are preventable. It has become a standard practice to give information on Lifeline in media referencing suicide, it would be good if they also developed a practice of mentioning the relative incidence of a problem when publishing an article about it.
One of the many factors that cause more suicides than chatbots is school, Scientific American has an informative article from 2022 about the correlation between child suicide and school [5]. It is based on US statistics and shows that the lowest suicide rate is in July (a no-school month in the US) which has a rate of 2.3 per 100,000 person years. So if kids had a quality of life equivalent to July all year around then there would be 2.3 suicides per 100,000 kids every year while if they had a quality of life equivalent to a Monday in January or November it would be 3.9 suicides per 100,000 kids every year. The article states “Any time I present these data to teachers, parents, principals or school administrators, they are shocked. This should be common knowledge.” It is common knowledge to anyone who takes any notice of what happens in schools, but paying attention to serious problems is unpleasant, it’s more fun to pretend that school is good for everyone. No parent wants to think that they sent their child to a place that was horrible, no teacher wants to think that they are part of a system that harms kids.
The US CDC has an informative article about youth suicide [6] which documents it as the 3rd largest cause of death in the 14-18 age range for 2021. This article was published in 2024 and based on statistics from 2023 and earlier. It notes significant differences in suicides, attempts, and “persistent feelings of sadness or hopelessness” which had girls at more than twice the rate of boys and “LGBQ+” kids at more than twice the rate of “heterosexual” students. It seems obvious that misogyny and homophobia are correlated with suicide and that’s something that could and should be addressed in schools. My state has a Safer Schools program [7] to try and alleviate the problems related to homophobia, but I expect that things are getting worse in the US in that regard. 39.7% of kids in US high schools had “persistent feelings of sadness or hopelessness” before LLMs became popular, school could and should be a happy time for the vast majority of kids but instead almost half of the kids don’t enjoy it and a majority of girls and “LGBQ+” kids don’t. Having no mention of trans kids is a significant omission from that article, based on everything I’ve heard from trans people I expect that their statistics would be even worse.
One could argue that the small number of deaths inspired by use or misuse of LLMs is an indication of a larger number of people suffering in ways that don’t result in death and don’t get noticed. But I don’t think that can compare to the fact that the majority of girls and “LGBQ+” kids have “persistent feelings of sadness or hopelessness” in the current school system.
I think it’s great to address any cause of suicide or homicide, but devoting government resources and legislation towards very uncommon causes instead of things that happen every day is not a good strategy. It would be fine to address all factors leading to suicide, but problems with the school system have been a major factor for decades with little effort applied to fix it.
Fraud and Other Crime
There is evidence of criminals using LLMs to help prepare for crimes, the ability to generate large amounts of text quickly can be used for fraud and extortion. This is going to be a serious problem and we need structural changes to society to deal with it. There is an ongoing issue of scammers convincing older people that their child or other young relative is in trouble and a large amount of cash is required to address it. This sort of scam as well as the more well known “Nigerian” scams will probably become more common as the cost of running them decreases. This may be more of a problem for people in developing countries as currently a common scam business model is to have people in regions where wages are low (such as Pakistan for one who I spoke to) scamming people in relatively wealthy countries like Australia so an attack with a low probability of success is financially viable. Cheaper attacks will make less affluent victims financially viable to the scammers.
While writing this post I received a financial scam phone call trying to get me to invest in SpaceX that was run by an “AI” chat system, I expect to receive more of them and this is something that needs to be dealt with via both technical measures and legislation.
Do we have to accept less freedom and less anonymity in finances as a cost of reducing financial crime? Greater restrictions on the use of cash would make some crimes more difficult or less profitable for criminals. As a society I think we need to have a discussion about a balance between financial freedom and freedom from criminal exploitation, failing to have such a discussion is likely to lead to policies which don’t work well.
Also one thing that ML systems are good at is recognising patterns in data. Banks could scan all their transactions and look for patterns that correlate with fraud. They currently do this badly and do things like locking credit cards when someone goes to another country and spends money. They could do a better job of that and involve the police in cases of obvious fraud even when the customer doesn’t realise that they are a victim.
This isn’t a reason to criticise “AIs”, it’s a reason to plan defensive technology that matches the capabilities of attackers.
As an aside I used to work for a company that was developing “AI” software to scan bank phone calls and allow banks to recognise employees who acted illegally. Unfortunately the Royal Commission into banking misconduct [9] didn’t impose any penalties that gave the banks a financial reason to avoid criminal activity.
Unemployment and Inequality
There are many claims about AI systems making large numbers of jobs obsolete, some of them are outlandish such as the claims that all white-collar jobs will be obsolete in the near future. There are some reasonable claims like the ability to replace some mundane jobs.
Replacing jobs that suck with computers, robots, and other machinery is a good thing! Very few people wish that they were working on a farm without a tractor. In 1900 it’s estimated that between 60% and 70% of the world labour force worked in agriculture and 40% of the US labour force did so. Now it’s something like 27% globally and between 1% and 3% in developed countries. Automated factories are also a good thing, it’s best to avoid boring and dangerous work.
The most plausible claims about job replacement from “AI” are about jobs that involve analysing and summarising documents. One example that comes to mind is the worst kind of journalism where press releases from companies are massaged into the format of a feature article. I don’t think anyone wants that sort of job and doing it with “AI” hopefully means no human has to sign their name to it.
For work like programming few people will be directly replaced by “AI” but if people can do their work more efficiently while using it then fewer people are required. I don’t think that any programmer likes the part of their job where they have to skim read long documents looking for a clue about how to solve a problem with a library or protocol. An LLM processing the document and finding the potentially useful things will take away the drudgery from the work and allow greater productivity.
The trend in replacing people has been making people work longer. If you force all employees to work 60 hour weeks then that can theoretically allow hiring fewer people than having 40 hour weeks. For some work that applies but for skilled work it mostly doesn’t as productivity and work quality on average drops when people work more than 40 hours in a week.
Another trend for exploiting people is having a low minimum wage and making accommodation expensive so that many people need to work two jobs. What we need is legislation to restore the situation in the 70s where a single full time job was sufficient to provide for a family. The low minimum wage and high expenses for many things is a problem that’s been slowly developing over the course of decades while being mostly ignored by journalists. If they could concentrate on the real issues that are hurting workers today they could incite political action to fix these problems.
Academic Cheating
There is no shortage of ways of cheating in school and university. There are people who are paid to write essays, mobile phones are used for cheating in exams, etc. Getting an “AI” to write essays makes it easier to cheat for the essay writing part but does so with lower quality and in a less stealthy way.
What’s the worst case scenario? That we have to change to oral exams for all university subjects?
In the US the average annual price for tuition at a university is apparently $25,000, if each student had individually supervised assessment for their exams at a cost of $100 per hour it would make the degree cost 4% more. The cost of university in the US is unreasonably high and that’s a problem that needs to be fixed, but a hypothetical case of increasing the price by 4% isn’t going to be a major part of it.
There are issues of bots from “AI” companies doing a bad job of trying to download all the Internet’s content and using a lot of resources. When it was just the major search engines and the Wayback Machine doing it the load was small due to having a small number of organisations that were very good at the way they did it having evolved practices over many years. Now we have a lot of idiots doing it badly and repeatedly hitting generated content.
This is really annoying but is something that we can deal with. Currently my blog and many other sites are hosted on a Hetzner server with a E3-1271 v3 CPU with 32G of RAM and there are occasions where more than half the CPU power is being used to service web requests from such systems. Even on the “server bidding” (renting servers previously used by other customers) Hetzner isn’t offering systems so slow nowadays, the slowest they offer is about 20% faster than that. This is something that can be dealt with by spending a little more on hosting until the companies doing that go bankrupt.
I’m sure this is a serious problem for some people, but for most people it’s not a big deal. Also hostile traffic on the Internet is something we have all had to deal with as a part of life since the mid to late 90s.
RAM Prices
The unreasonably high prices for RAM are annoying and hurt the development of useful computer projects. Big companies can afford it, even with current high prices and large quantities of RAM used for some servers it’s still not significant. But it is a major issue for hobbyists and small projects. Things like setting up a dozen test VMs for FOSS development are now too expensive for many people who develop software in their spare time.
But this is a temporary thing, if AI companies were to keep buying RAM at high rates for a few years companies would just manufacture more of it to meet demand. In some situations capitalism can work.
Environmental Damage
There are many people claiming that power used by data centers for “AI” will lead to environmental damage, using power and water when there isn’t enough.
The trend of computer hardware is to get smaller and faster. It hasn’t been going as fast as it used to in many areas but it hasn’t stopped either and it’s an exponential trend. There has been an increase in data centers (DCs) for “AI” use as the use has been increasing faster than the hardware gets smaller. Eventually they will stop increasing faster than advances in hardware and software can match and the size of DCs will decrease.
As the production of renewable energy increases the environmental cost of energy hungry industries decreases. In a few years this won’t be an issue anyone is bothered about.
I’ve previously written about Communication and Hostile AIs [13]. I think that filling all communication channels with rubbish is a denial of service attack against society.
In the past communication took some effort, even the simplest email that was directly targeted at the recipient took some human effort and that reduced its frequency. I get a lot of spam saying something like “I see your web site doesn’t rank in the top for Google searches” while my web site in fact rates well and the actor named Russell Coker is ranking below me, so I know that such spam hasn’t had the minimum of human involvement. Now a spammer who wanted to do a better job could get an LLM written spam for every target so the message was specifically aimed at them and would take much longer to be recognised by a human as spam and would also avoid most anti-spam software.
Searching for businesses used to be easy, the phone book had listings for them and there was a real cost to being in the book as well as humans actively trying to stop fraud. Creating fake web sites to get business isn’t too difficult but it’s also not trivial at the moment and such fake sites won’t look complete. Now with LLMs it’s possible to create hundreds of sites that have content and look reasonable without human involvement. Instead of the small number of suicides and homicides inspired by “AI” chat systems we should probably be concerned about people who need psychological or medical advice being misled by bogus web sites created as part of fraud campaigns. Imagine people searching for mental health assistance finding web sites run by cults who oppose psychology as a profession. Imagine people searching for basic medical advice such as how to cook a healthy meal getting sucked in to web sites that start sane and then lead people to Ivermectin as a universal medicine.
LLMs have the potential to take spam from quick and simple attacks to large scale targeted fraud aimed at people and organisations that don’t have the resources to defend against it. There have been many reports of CEO impersonation fraud against major corporations aiming to steal hundreds of thousands of dollars and fraud against individuals who are persuaded to get amounts like $50,000 to help a relative who is allegedly in a difficult situation. But if every corner store experienced the same type of attack that CEOs experience and if every child had someone trying to steal the pocket money in the same way that relatively wealthy people are being targeted now it would really change things.
There is some overlap between filling all communications channels with rubbish (fake news etc) and deep fake. Making a fake photo of a politician or celebrity to lobby for legislative changes is a real issue but it’s not what most people think of when the term “deep fake” is used.
Using photo and video faking targeting non-consenting people is a serious issue. It’s not just fake porn (which is a major issue and will cause some suicides) as there are many other possibilities. Fake videos showing behaviour that justifies sacking people from their jobs is going to become an issue, for people in public facing positions even proof that the videos are fake won’t necessarily help them.
Will we find ourselves in a situation where every politician gets deep-fake porn made of them and the only people who run for public office are ones who are cool with that? Will positions of leadership in the technology industry be restricted to people who aren’t bothered by having the most depraved fake porn made of them?
When determining whether someone should be considered a suspect or whether a prisoner should be eligible for parole the number of factors that a human can use is limited. But a computer can take many more factors into account so the issues of whether inappropriate factors are being used can be masked. Computers are also unable to explain decisions that they made and are also able to come up with better fake reasons.
In the past there have been racist policies in the US about banks not lending to people living in suburbs where most houses were owned by non-white people, these policies were documented and the documents have become part of the historical record showing racist policies. If an LLM decides not to lend money to people based on mathematical correlations it determined based on historical banking practices it could assign negative weights to factors such as non-English names and implement the racism in a large array of numbers with no proof.
The current cases of lawyers getting LLM systems to do some of their work and having their incompetence revealed when the computer generated work is shown to be ridiculously bad are amusing. But that is not the real problem. The real problems will start when the computers in police cars start flagging every car owned by a non-white person as having a “probable cause” for a drug stop.
Technically Not Financial Fraud
The majority of the ecosystem around “AI” is a financial scam [16]. There are companies and individuals doing good things with machine learning some of which is based on hardware and software developed as part of this ecosystem. But the majority of it has no plausible path to profits and the future of it inevitably ends with some bankruptcies. There are circular flows of money that have the major cloud providers and NVidia looped in, when the values of these companies correct it will become apparent that they have all burned a lot of money keeping this running and all the senior people have got a share of it (the entire purpose of stock options is to allow senior people to suck money out of the company). Then every cloud provider will increase costs while under chapter 11 and all the companies that depend on them will pay whatever it takes. That includes all major companies and most governments. Unlike the dot-com boom and crash and the housing crash the coming financial crash will impact every company that we deal with and most governments. So the people in first-world countries will effectively be taxed to pay for this scam while the executives go party in Monaco. This may seem like an extreme claim but it all happened before with the dot com crash and the housing market crash.
The CEO class has an ongoing practice of doing things that aren’t crimes because they lobby (bribe) politicians to make them legal. So the current stock market shenanigans around “AI” don’t seem to involve things that governments consider to be crimes. But any normal person might be surprised to learn that such things are legal and most people would vote for such things to be crimes if they had the opportunity.
A global financial crisis is the least of the problems that seem likely to afflict society from “AI” systems. But it will be more immediately obvious when it happens – which could be this year!
Propaganda
Creating art requires skills that the type of people who want to create propaganda tend to lack. “AI” technologies allow creating “art” that is based on mathematical models of actual art to the requirements of the person running the program.
I have seen the term “AI Fascism” used to describe the use of “AI” to help authoritarian governments. I am dubious about whether it deserves that term and while every article I’ve read about the topic has had some good points I thought that they were all weak points.
But there are lots of ways that governments can abuse their populations without going full fascist. In the last century there were lots of truly terrible governments that didn’t even make the top 10 of fascism.
Machine Learning (abbreviated as ML) can do useful things. It’s not just Large Language Models (LLMs) such as ChatGPT etc. There are also ML systems that can analyse images and other data sets.
I have found ChatGPT to be very useful for making suggestions for improving blog posts. I don’t get it to write anything, just ask for suggestions. It has pointed out things that I missed such as when I didn’t include the price when reviewing a car because the car in question was much more expensive than I will ever pay, the price wasn’t relevant to me but would be to some readers. It has also made useful suggestions about structure of blog posts, repeating points, and having a good conclusion. It has some downsides which include trying to erase my voice from my writing, suggesting that the rhetorical question “does email suck?” is unprofessional.
I have worked for a company that used ML systems to analyse driver performance and alert people if a driver is falling asleep, using a phone, or otherwise seems unable to drive safely. Their business model involved a human reviewing the images from the drivers the computer flagged and then determining who is actually doing the wrong thing. This seems a good use of the technology.
I have also worked for a company that used ML systems to analyse the performance of bank employees and detect potentially fraudulent behaviour. Preventing crime seems to be clearly a good thing and in this case the manager of the employee in question would review the evidence to make sure that they weren’t being falsely accused.
Conclusion
I don’t think that the problems with managing the changes that so called “AI” is introducing are particularly new. An example of how society handles change that’s worth considering is car safety. The seat belt first became mandatory for aeroplanes in some jurisdictions in 1928. The Model T Ford is widely regarded as the first vehicle to start a mass market for cars and it was released in 1925. So if society acted in a reasonable way then for the majority of mass market cars seat belts would have been a standard feature. However seat belts were first made compulsory in 1970 in Victoria Australia and there are still people who think that they are safer without seat belts! The delay in adoption of car seat belts is only one example of needless deaths caused by not taking reasonable measures for car safety but it’s one that’s easy to demonstrate and measure.
The difference between past problems like car safety and the current problems of “AI” is that the “AI” problems will be more pervasive. Most of my history as a car driver and car passenger was in cars that are much less safe than cars made in the last 10 years. But partly through luck I’ve never been in a serious crash so being in cars that wouldn’t have given me a low probability of surviving a freeway speed crash didn’t affect me. There is no possibility that through any combination of luck and skill someone could avoid the downsides of “AI”. If nothing else the results of elections will be affected and no-one can avoid that.
As a society we really need to address the real issues related to “AI” which in some cases requires legislation.
I’ve had some problems running apps I want on my Furilabs FLX1s [1], so I decided to install some container environments to test various versions. I started with Debian/Testing so I can test the build process for some packages I’m about to upload to Unstable.
Systemd Issues
When running debootstrap testing testing to set up the chroot the process aborted with errors including the following from the systemd postinst:
Failed to enable units: Protocol driver not attached.
Cannot open '/etc/machine-id': Protocol driver not attached
This turned out to be from trying to run systemctl in the postinst, I just removed the “set -e” line from /chroot/testing/var/lib/dpkg/info/systemd.postinst and kept on going (I’m not planning to actually use systemd so its failure to set up wasn’t a problem).
Then I installed a bunch of -dev packages needed to build my package which had a dependency chain that included udev leading to the following error:
Setting up udev (260.1-1) ...
Failed to chase and open directory '/etc/udev/hwdb.d', ignoring: Protocol driver not attached
Failed to chase and open directory '/usr/lib/udev/hwdb.d', ignoring: Protocol driver not attached
Checking the kernel version isn’t that hard to do, if the systemd programs in question checked the version and reported “can’t run on kernels prior to 5.10” then it would avoid a lot of confusion – and also bug reports that the systemd developers don’t want.
Some Debian package dependencies can probably do with revision. Installing the packages “libkdb3-dev libkf5archive-dev qtdeclarative5-dev qtpositioning5-dev qttools5-dev” ideally wouldn’t have a dependency chain leading to udev.
The Furilabs people appear to have patched the latest Debian version of systemd to work with the older kernels, the version is currently 260.1-1+furios0+git20260425023744.8401044.forky.production.
Compile Times
I got this working by just editing every postinst script and either removing the “set -e” or adding an “exit 0” at the top, I don’t need things to be configured properly for a running OS I just need the files in the right locations for a container.
One issue I discovered when I started compiling is that it was only running on 1 core and the “nproc” program was returning “1”. The “lscpu” program showed that only 1 of the 8 cores was online, it was a single Cortex-A78 core. Some combination of putting it in “caffeine mode” and having the screen on enabled all 6*Cortex-A55 and 2*Cortex-A78 cores.
The below table compares compiling Harbour-Amazfish on the Furiphone with all 8 CPU cores active, my E5-2696 v4 workstation (almost the fastest socket 2011-3 CPU ever made), running ARM64 software emulation on a system with two E5-2699A v4 CPUs, and a Radxa 8 core ARM SBC (which I will review in a future blog post).
Given that the source apparently limits the parallelism to less than 7 cores on average it’s pretty impressive for the elapsed time to be only 2.5* longer on the phone. Emulating the ARM64 build at about 4* the system CPU time is impressive too, as the system has 4.5* as many CPU cores it could theoretically compile ARM code faster than the native ARM hardware I own for any project that uses enough cores.
Our reports outline what we’ve been up to over the past month, highlighting items of news from elsewhere in the increasingly-important area of software supply-chain security. As ever, if you are interested in contributing to the Reproducible Builds project, please see the Contribute page on our website.
For relay operators, this approach raises the security bar by enforcing better behaviors by design:
[…]
Reproducibility. A system that doesn’t change between reboots is easier to verify and, eventually, to reproduce and audit.
Furthermore, using a Trusted Platform Module (TPM), could allow for greater integrity in the future:
Transparency logs. Once you have a measured boot chain, you can publish it. A relay operator provides a recipe for a reproducible build; anyone can recompute the expected hash and verify it matches what the TPM reports. An append-only transparency log can make these attestations publicly auditable. The Tor community could run an independent monitor to track this across the relay fleet.
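The check described above can be sketched as follows. This is an added example, not code from the Tor or Reproducible Builds projects: it replays the standard TPM extend operation over a constructed boot chain, publishes each relay's value to a hash-chained log (a simplification of the Merkle-tree logs used in production), and lets a monitor flag relays that deviate. The component blobs and relay names are constructed, and verifying the signature on a real TPM quote is out of scope here.

```python
import hashlib
import json

PCR_INIT = bytes(32)  # a SHA-256 PCR bank holds 32 zero bytes after reset


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM extend: new PCR = SHA-256(old PCR || SHA-256(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def replay(components) -> bytes:
    """Recompute the PCR value a boot chain produces, in boot order."""
    pcr = PCR_INIT
    for blob in components:
        pcr = extend(pcr, blob)
    return pcr


class TransparencyLog:
    """Append-only log as a hash chain: each entry commits to all earlier ones."""

    def __init__(self):
        self.entries = []  # list of (record_json, chain_hash_hex)

    def head(self) -> str:
        return self.entries[-1][1] if self.entries else "00" * 32

    def append(self, relay: str, pcr: bytes) -> str:
        record = json.dumps({"relay": relay, "pcr": pcr.hex()}, sort_keys=True)
        chain = hashlib.sha256(bytes.fromhex(self.head()) + record.encode()).hexdigest()
        self.entries.append((record, chain))
        return chain

    def verify_chain(self) -> bool:
        """Recompute every link; any edited or reordered entry breaks the chain."""
        prev = "00" * 32
        for record, chain in self.entries:
            if hashlib.sha256(bytes.fromhex(prev) + record.encode()).hexdigest() != chain:
                return False
            prev = chain
        return True


def audit(log: TransparencyLog, expected_pcr: bytes):
    """Monitor: list relays whose latest logged PCR differs from the rebuilt value."""
    if not log.verify_chain():
        raise ValueError("log history was rewritten")
    latest = {}
    for record, _ in log.entries:
        rec = json.loads(record)
        latest[rec["relay"]] = rec["pcr"]
    return sorted(relay for relay, pcr in latest.items() if pcr != expected_pcr.hex())


# Constructed sample data: stand-ins for the measured boot components.
GOOD_CHAIN = [b"bootloader build 1", b"kernel build 1", b"rootfs image build 1"]
TAMPERED_CHAIN = [b"bootloader build 1", b"kernel build 1 + extra module", b"rootfs image build 1"]


def demo():
    """Anyone holding the reproducible build can compute `expected` independently."""
    expected = replay(GOOD_CHAIN)
    log = TransparencyLog()
    log.append("relay-a", replay(GOOD_CHAIN))
    log.append("relay-b", replay(TAMPERED_CHAIN))
    return log, audit(log, expected)


if __name__ == "__main__":
    _, deviating = demo()
    print("relays not matching the reproducible build:", deviating)
```

Because each PCR value depends on every earlier measurement and on their order, a single changed component anywhere in the chain changes the final value the monitor compares.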
Civil Infrastructure Platform celebrates 10 years of supporting industrial grade Linux
The collaboration between the Reproducible Builds project and CIP highlights a critical shift in how we approach industrial software. Through verifiability, CIP ensures that the open source foundation of our critical infrastructure is not only sustainable but also demonstrably secure. This commitment to transparency is vital for the trust and resilience required by critical systems over decades of operation.”
Reproducible Builds at LinuxFest NorthWest
Vagrant Cascadian and Chris Lamb hosted a table in the exposition hall at LinuxFest NorthWest 2026 this month in Bellingham, WA, USA, introducing many people to Reproducible Builds and answering questions both days of the conference.
In addition, Vagrant presented Beyond Trusting Open Source Software on Sunday afternoon, exploring the intersection of Free/Open Source Software, Reproducible Builds and Bootstrappable builds, and how they all reinforce each other. Vagrant’s slides are available online, including source code to build them reproducibly.
Reproducibility issues in Rust binaries that embed random bytes
Reproducible Builds developer kpcyrd opened a ticket on the Rustsec issue tracker regarding binaries that deliberately inject random bytes into their binaries “as a secret seed for a Hash Collision DoS mitigation.”
As kpcyrd notes in his message, this causes issues for reproducibility, and because the relevant end-user binaries are “mostly distributed pre-compiled through package managers, those binaries (and by extension the secret seed) are public knowledge”. kpcyrd goes on to note:
This is somewhat unique to Rust because Python/JavaScript doesn’t compile binaries, and Go (to my knowledge) is too restrictive during build for any library to pull something like this.
to ensure reproducibility, the pacman [package manager] keys have to be stripped from the image, meaning that pacman is not usable out of the box in this image. While waiting to find a suitable solution to this technical constraint, we are therefore providing this reproducible image under a dedicated tag as a first milestone. […]
In Debian this month, 24 reviews of Debian packages were added, 7 were updated and 16 were removed, adding to our knowledge about identified issues.
Lastly, in openSUSE, Michael Schroeder added reproducibility verification support in the Open Build Service […] and Bernhard M. Wiedemann posted another openSUSE monthly update for their reproducibility work there.
Patches
The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where applicable or possible. This month, we wrote a large number of such patches, including:
binutils (consider SOURCE_DATE_EPOCH when emitting static library archive header)
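To show why the archive header matters for reproducibility, here is an added example (not the binutils patch, and not code from the Reproducible Builds project) that parses the 60-byte `ar` member headers of a static library, reports timestamps later than SOURCE_DATE_EPOCH and non-zero owner IDs, and normalizes them. The two sample archives, their member names and the epoch value are constructed; the helper names are hypothetical.

```python
import os

AR_MAGIC = b"!<arch>\n"
HEADER_LEN = 60  # name[16] mtime[12] uid[6] gid[6] mode[8] size[10] end[2]


def pack_member(name, data, mtime, uid, gid, mode=0o100644):
    """Build one ar member: ASCII header plus data padded to an even length."""
    header = f"{name + '/':<16}{mtime:<12}{uid:<6}{gid:<6}{mode:<8o}{len(data):<10}`\n".encode("ascii")
    assert len(header) == HEADER_LEN, "member name too long for the short-name form"
    return header + data + (b"\n" if len(data) % 2 else b"")


def _num(field, base=10):
    text = field.decode("ascii").strip()
    return int(text, base) if text else 0


def parse_ar(blob):
    """Return the members of an ar archive as dicts; raise on malformed input."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    members, off = [], len(AR_MAGIC)
    while off < len(blob):
        h = blob[off:off + HEADER_LEN]
        if len(h) < HEADER_LEN or h[58:60] != b"`\n":
            raise ValueError(f"bad member header at offset {off}")
        name = h[0:16].decode("ascii").rstrip()
        if name not in ("/", "//") and name.endswith("/"):
            name = name[:-1]  # GNU ar terminates short names with '/'
        size = _num(h[48:58])
        start = off + HEADER_LEN
        members.append({"name": name, "mtime": _num(h[16:28]), "uid": _num(h[28:34]),
                        "gid": _num(h[34:40]), "mode": _num(h[40:48], 8),
                        "data": blob[start:start + size]})
        off = start + size + (size % 2)
    return members


def findings(blob, epoch):
    """List (member, field) pairs that make the archive depend on build time or builder."""
    out = []
    for m in parse_ar(blob):
        if m["mtime"] > epoch:
            out.append((m["name"], "mtime"))
        if m["uid"] or m["gid"]:
            out.append((m["name"], "owner"))
    return out


def normalize(blob, epoch):
    """Clamp timestamps to SOURCE_DATE_EPOCH and zero the owner IDs."""
    return AR_MAGIC + b"".join(
        pack_member(m["name"], m["data"], min(m["mtime"], epoch), 0, 0, m["mode"])
        for m in parse_ar(blob))


# Constructed sample: the same two objects archived by two builders an hour apart.
EPOCH = int(os.environ.get("SOURCE_DATE_EPOCH", "1713900000"))
OBJ = b"\x7fELF constructed object bytes"
BUILD_A = AR_MAGIC + pack_member("foo.o", OBJ, EPOCH + 100100, 1000, 1000) \
                   + pack_member("bar.o", b"abc", EPOCH + 100100, 1000, 1000)
BUILD_B = AR_MAGIC + pack_member("foo.o", OBJ, EPOCH + 103700, 1001, 1001) \
                   + pack_member("bar.o", b"abc", EPOCH + 103700, 1001, 1001)

if __name__ == "__main__":
    print("before:", findings(BUILD_A, EPOCH))
    print("identical after normalizing:", normalize(BUILD_A, EPOCH) == normalize(BUILD_B, EPOCH))
```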
diffoscope development
diffoscope is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues. This month, Chris Lamb made a number of changes, including preparing and uploading versions 316, 317 and 318 to Debian.
Yet again, there were a number of improvements made to our website this month including:
Manuel Jacob:
Fix some minor wording issues on the Stable inputs page, and update information about the sorting behavior of GNU Make […].
On the Archives page, remove information about deterministic archives in historical Fedora versions […], add a note about .tar file portability […] and correct a section about .tar PAX headers […].
Timo Pohl posted to our list inviting people to “online group discussions with 4-6 participants each to talk about your perception of terms and requirements for reproducibility.” As Timo notes:
During our research of the existing literature, as well as my experience
at the Reproducible Builds Summit 2025 in Vienna,
we noticed that some of the terminology in the field is not used
consistently across different groups of people, and that the precise
meaning of some core terms like “reproducibility of an artifact” in
itself is not uniform.
As Timo mentions, the sessions will last roughly 90 minutes and will be rewarded with 50€ per participant.
kpcyrd posted to the list asking for assistance with fixing an issue after updating the flake.lock file for their repro-env project.
The goal of the project is to assess whether
GitHub Actions can be reproduced.
Currently, it focuses on two types of Actions: JavaScript-based actions
and Docker-based actions (composite actions are
not considered). For JavaScript actions, the project rebuilds the
distributed files and compares them bit-by-bit with the repository
contents. For Docker actions, it rebuilds
images from the Dockerfile and checks for semantic equivalence, using
diffoci, across
builds.
Finally, if you are interested in contributing to the Reproducible Builds project, please visit our Contribute page on our website. However, you can get in touch with us via:
This was my hundred-forty-second month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.
During my allocated time I uploaded or worked on:
[DLA 4530-1] gst-plugins-bad1.0 security update to fix two CVEs related to denial of service or execution of arbitrary code if a malformed media file is opened.
[DLA 4544-1] ntfs-3g to fix one CVE related to local root privilege escalation.
[DLA 4545-1] packagekit security update to fix one CVE related to local privilege escalation.
[DLA 4547-1] gimp security update to fix three CVEs related to denial of service or execution of arbitrary code if a malformed PSP, JPEG 2000 or PSD file is opened.
[ELA-1682-1] gst-plugins-bad1.0 security update to fix two CVEs in Buster and Stretch related to denial of service or execution of arbitrary code.
[ELA-1689-1] ntfs-3g security update to fix one CVE in Buster and Stretch related to local root privilege escalation.
[ELA-1693-1] packagekit security update to fix one CVE in Buster and Stretch related to local privilege escalation.
Unfortunately the first upload of cups introduced a regression and another upload was needed to take care of a crash. The patch for one CVE also broke a test script, which is used by lots of printing packages in Debian. As a result some autopkgtest runs failed. This could be fixed as well and the only remaining issue that needs some more investigation is related to cups-pdf.
This month I continued to work on unifying packaging on Debian and Ubuntu. This makes it easier to work on those packages independent of the used platform.
I also started working on two new packages: lomiri-radio-app and lomiri-fretboardtrainer-app
Review: Full Speed to a Crash Landing, by Beth Revis
Series:
Chaotic Orbits #1
Publisher:
DAW
Copyright:
August 2024
ISBN:
0-7564-1947-6
Format:
Kindle
Pages:
153
Full Speed to a Crash Landing is a science fiction novella and the
first of a series. Beth Revis made the New York Times bestseller list for
an earlier series of young adult science fiction novels, but somehow I had
not heard of her before this series.
Ada Lamarr is a salvager. She picks up material from crashed or dead ships
for resale. As the story opens, she has a large hole in the side of her
ship, she's running out of oxygen, and the other ship nearby is refusing
to answer her distress call. By the time they finally respond, there is
barely enough time to get aboard before she is entirely out of air.
Ada's first-person narration drops hints that she may not be entirely what
she seems. But then, neither is the Halifax, so it's only fair.
The captain of the Halifax treats Ada with a great deal of
suspicion and wants her out of the way of their ongoing salvage operation.
However, the captain does not appear to be entirely in charge. Ada is
immediately struck by the mysterious Rian White, who seems to have some
authority over their mission and is more thoughtful and calculating than
the rest of the crew. He's also handsome, which doesn't hurt.
I was tempted to keep writing about the plot, but given the short length
of this book, I should stop there and let you enjoy the twists and turns
for yourself. This is a fun science fiction action romp: lots of banter,
lots of tense moments, and a cagey first-person protagonist with an
irrepressible sense of humor and a knack for brazening her way through
conversations. It's not long on world-building (there isn't enough room),
but Revis works in enough details to be intriguing and to set up some
interesting motivations.
This is the sort of book that lives and dies by how much you like the
protagonist, something that you will easily figure out by the end of an
ebook sample if you're the sort of reader who uses those. Ada is
irreverent, talkative, and very adroit at diverting attention
(entertainingly) onto anything other than the critical piece of
information other people are missing. If you want to, I suspect you could
easily figure out most of what Ada is up to before the book reveals it
explicitly. It's not that complicated, and the book isn't really trying to
hide, although it doesn't give you all the necessary information in
advance. Personally, I was happy to sit back and enjoy the ride.
There is no romance in this book beyond frequent comments from Ada that
she would have liked there to be a romance in this book under different
circumstances, but I will be surprised if that romance doesn't show up
later in the series. Ada and Rian are clearly being set up as a pair. I
didn't like Rian as much, mostly because he's less memorable as a
character, but he comes into his own in the appendices after the plot
proper.
I thought those concluding appendices were the best part of the novella
and question the Kindle formatting decision to treat them like
supplemental material. They purport to be a series of government memos,
fill in a lot more of the backstory and world building, and have the best
footnotes. Don't skip them!
This isn't the sort of book that I am inspired to immediately push into
everyone's hands, but it's a fast, well-paced story that delivered a few
reading sessions of entertainment. I'm not sure the political philosophy
in the background makes a lot of sense, but at least it's not a standard
stereotype of current politics seen in so much science fiction. It's going
to set up some interesting character conflict in later books. I'm
certainly intrigued enough to keep reading.
Recommended when you're in the mood for some fast-paced fun that's short
and undemanding.
For a long time I’ve used Robert Collins’ testrepository (testr) to
run tests in many of the projects I work on. It’s a small, focused tool
built around a simple idea: decouple the running of tests from the
recording and querying of their results.
The way it works is straightforward. A test runner emits a subunit
stream — a compact binary protocol for test results — and testrepository
stores those streams in a per-project .testrepository/ directory.
Once results are in the repository, you can ask questions like “which
tests failed in the last run?”, “re-run only the failures”, “what are the
slowest tests?”, or “what changed between this run and the previous one?”.
The killer feature, for me, has always been the failing-test loop. When a
big test suite breaks, you don’t want to re-run the whole thing after every
fix — you want to iterate on just the failures, and only re-run the full
suite once they’re all green. testrepository made that workflow ergonomic
long before most language-specific test runners had anything comparable,
and many of them still don’t have a good answer for it.
testrepository has served me well for over a decade, but it has been
largely unmaintained for a while, and I had some ideas of improvements that I
wanted to try out. So I wrote a Rust port, which has since grown a number of
features of its own.
Inquest
Inquest is a Rust port of testrepository that has since grown a
number of features of its own. The binary is called inq.
Goals
The goals are deliberately modest:
a single static binary, no Python runtime required
no need to write a dedicated config file for most projects
compatible enough with testrepository’s workflow that I can switch projects
over without retraining my fingers
a richer on-disk format that captures more about each run (git commit,
command line, duration, exit code, concurrency)
good support for the languages I actually use day-to-day: Rust, Python,
Go, and Node.js
mostly Do What I Mean (DWIM), e.g. getting me to know as quickly
as possible what tests are failing and why, and being clever
about doing this
Inquest reads and writes subunit v2 streams, so anything that can produce
subunit (directly or via one of the many converters) can feed into it.
Quick start
Inquest can usually figure out how to run your tests on its own. In a Rust,
Python, Go or Node.js project:
$ cd my-project
$ inq
Or if the auto-detection doesn’t work, you can ask it to generate a config file and
then run the tests:
$ inq auto
$ inq run
inq auto writes an inquest.toml describing how to invoke the test
runner; inq run runs the tests, captures the subunit stream, and stores
the results in a .inquest/ directory.
For a Rust project the generated config looks like:
$ inq stats          # repository-wide statistics
$ inq last           # results of the most recent run
$ inq failing        # only the failing tests
$ inq slowest        # the slowest tests in the last run
$ inq run --failing  # re-run only what failed last time
The last one is the workflow I use most often: run the full suite once, fix
the obvious failures, then iterate on inq run --failing until the list
is empty.
A few things that aren’t in testrepository
Some of the features that have grown in inquest beyond the original
testrepository functionality:
Timeouts. --test-timeout, --max-duration, and
--no-output-timeout will kill a test process that is hanging or has
stopped producing output. --test-timeout auto derives a per-test
timeout from the historical duration of that test, which is handy for
catching tests that hang.
Once the test runner is killed, the test is marked as failed and the next
test is started, so a broken test doesn’t hold up the whole suite.
Ordering. --order can be used to run tests in a specific order, e.g.
to run the slowest tests first, to run the tests that failed most recently
first, or to run the widest variety of tests first to maximize the chance of
finding a failure early on.
Live progress. inq running tails the in-progress subunit stream
on disk and reports observed/expected test counts, percent complete,
elapsed wall-clock time, and an ETA derived from each test’s historical
duration. Useful when a CI run is taking longer than you’d like.
Flakiness ranking. inq flaky ranks tests by pass↔fail transitions
in consecutive runs in which the test was recorded, so chronically broken
tests rank low and genuinely flapping tests rank high.
Comparing runs. inq diff <A> <B> shows what changed between two
test runs — newly failing, newly passing, and tests that flipped state —
which makes it easy to see whether your last change actually fixed (or
broke) anything.
Bisecting git history. inq bisect <TEST> drives git bisect
to find the commit that broke a given test. It defaults the
known-good and known-bad commits from the recorded run history (the
most recent run where the test passed, and the most recent where it
failed), so in the common case there is no need to remember either —
just point it at the test name and let it work.
Richer run metadata. inq info shows the git commit, command
line, duration, exit code, and concurrency for a run, with a flag for
whether the working tree was dirty when the run started. Combined with
inq diff this makes it much easier to triangulate when a regression
was introduced.
Rerun a previous run verbatim. inq rerun <ID> re-runs exactly the
tests of a previous run, in the same order, forwarding the same --
arguments that the original run used. inq rerun -1 repeats the latest.
Web based view. inq web serves a web-based view of the repository,
with a dashboard of recent runs and detailed views of individual runs and tests.
Web UI
Most of the time I drive inquest from the command line, but for browsing
historical results of a large suite — spotting flapping tests, drilling
into a single test’s run history, or just getting a visual sense of which
parts of the suite are hurting — a web view is more pleasant. inq web
starts a local server with exactly that:
$ inq web
The repository overview shows totals and a per-test history grid where
each cell is one run, coloured by outcome. Bands of red make it easy to
pick out tests that have been broken for a long time, and isolated red
cells in an otherwise green column point at flaky tests.
Drilling into an individual test gives you its full run history, a
duration sparkline, and per-run pass/fail status:
Migrating from testrepository
If you already have a .testrepository/ directory full of historical
runs, inq upgrade will migrate it into the new .inquest/ format,
with a progress bar for the impatient.
The legacy .testr.conf (INI) format is still understood, so existing
projects don’t have to be converted to inquest.toml immediately —
though the TOML format is preferred for new projects.
Trying it
The source is on GitHub at jelmer/inquest. To install from source:
$ cargo install inquest
In a project with a Rust, Python, Go or Node.js test suite:
Due to health reasons I did not have the energy to write individual status
updates for February & March, so I’ll just combine them with the April update:
In February I cleaned out my GitHub account and moved all remaining
projects to Codeberg. I archived the
repositories on GitHub and added links to the new repositories on Codeberg.
GitHub is a platform that is more and more frustrating to use. I still have to
use it for my day job, though. The number of pull requests and issues that are
written either by bots or by users that use bots increased in the last two
years. Combined with that, GitHub provides a very low barrier for entitled
users who do not want to contribute to a productive environment. GitHub now
feels like the Twitter/X of git forges. Codeberg on the other hand is a
community project. I feel a lot more at home there and the platform itself
feels a lot more responsive than GitHub.
Debian Related Work
Uploaded wayback 0.3-1 to experimental
Uploaded slurp 1.6.0-1 to unstable
Uploaded first a prerelease of sway to experimental to be able to test
wlroots 0.20.0 and then uploaded rc1, rc2 and rc3 of the upcoming 1.12
release
Uploaded waybar 0.15.0-1 to unstable
Uploaded kanshi 1.9.0-1 to unstable, which was possible because the dependency libscfg finally went through NEW
Uploaded libscfg 0.2.0-1 to unstable
Uploaded swaybg 1.2.2-1 to unstable
Uploaded labwc 0.9.4-1, 0.9.5 & 0.9.6 to unstable
Fixed the packaging of vali and uploaded version 0.1.1-1 to unstable; then
added vali to the build dependencies of kanshi and reuploaded 1.9.0-2 thereof
Uploaded swaylock 1.8.5-1 to unstable
Uploaded fcft 3.3.3-1 to unstable
Uploaded foot 1.26.1-1 to unstable
Uploaded swayimg 5.0-1 and 5.1-1 to unstable
Fixed some packaging metadata in libsfdo and uploaded 0.1.4-2 to unstable
Reverted the upload of slurp from 1.6.0-1 to 1.6.0really1.5.0-1 because the
upstream release of 1.6.0 was made by mistake and yanked a week later. Maybe
I should add a cooldown period before uploading new releases ;)
Uploaded mako-notifier 1.11.0-1 to unstable
Uploaded cage 0.3.0-1 to experimental which uses wlroots 0.20.0
Uploaded xdg-desktop-portal-wlr 0.8.2-1 to unstable
I released 0.60.0, 0.61.0 and 0.62.0 of apis-core-rdf. We rewrote the
configuration format for the importer. We previously used TOML files, but that
does not give us inheritance. So we now simply use Python classes as the
configuration format.
I implemented a new backend for our apis-bibsonomy Django package. The package
is meant to provide a datamodel for storing reference data that links to
Bibsonomy or Zotero. Given that we don’t use Bibsonomy anymore, we have now
dropped the Bibsonomy backend but added a Zotero backend that allows caching
the entries locally.
We are very excited to announce that Debian has been assigned seven contributors
to work under mentorship on a variety of
projects with us during the
Google Summer of Code.
Here is a list of the projects and contributors, along with details of the
tasks to be performed.
Deliverables of the project: Debianize is a tool that aims to automatically
create Debian packages from scratch from upstream source trees. The current
version works for some packages but is not reliable. This project aims to make
it production ready so that it can work with most projects, along with
improving its reliability, coverage, integration with the broader ecosystem and
other enhancements.
Deliverables of the project: Linux Kernel Livepatching is the process of
replacing functions in the kernel code affected by CVEs with the patch-applied
functions during system runtime. It's basically a method to apply security
kernel patches to a running system.
Deliverables of the project: DebNet models the Debian archive as a graph to
identify critical packages maintained by too few people. Using data from the
Ultimate Debian Database (UDD), it builds a package dependency graph and a
maintainer-package graph to compute practical metrics like the Bus Factor,
Fragility Score, and Dependency Impact for every source package.
Deliverables of the project: This project aims to detect vulnerable code clones
in the Debian archive by automatically extracting signatures from security
patches. Using a two-signal approach that separates vulnerable patterns from
fix patterns, the system generates high-specificity queries to search the entire
archive via Debian CodeSearch.
Deliverables of the project: This project implements a debuginfod-compatible
server within Debusine to provide automated debug symbol resolution for Debian
developers.
Deliverables of the project: The Debian LSP Language Server currently provides
only basic features—field completion, parse-error diagnostics, and simple
quick fixes—leaving Debian maintainers without the rich IDE experience
available in other ecosystems.
Deliverables of the project: Debusine currently only shows task logs after a
task has fully completed. This means developers working with long-running jobs
(such as package builds or test pipelines) have no way to monitor progress in
real time or catch failures early. This project adds live log streaming to
Debusine.
Congratulations and welcome to all the contributors!
The Google Summer of Code program is possible in Debian thanks to the efforts of
Debian Developers and Debian Contributors that dedicate part of their free time
to mentor contributors and outreach tasks.
Join us and help extend Debian! You can follow the contributors' weekly reports
on the debian-outreach mailing-list, chat with us on our
IRC channel or reach out to the individual projects' team
mailing lists.
The eighth release of the binb package,
and first in two years, is now on CRAN and in r2u. binb regroups
four rather nice themes for writing LaTeX Beamer
presentations much more easily in (R)Markdown. As a teaser,
a quick demo combining all four themes is
available; documentation and examples are in the package.
This release contains regular internal updates to continuous
integration, URL references and a switch to Authors@R. The trigger for the
release, though, was a small update needed when very recent
pandoc versions (as shipped with RStudio) are used, which
require a new variable declaration in the LaTeX template files in order
to process uncaptioned tables. The summary of changes follows.
Changes in binb
version 0.0.8 (2026-05-01)
Small updates to documentation URLs and continuous
integration
The package now uses Authors@R in DESCRIPTION
Newer pandoc versions are accommodated by adding a required
counter variable in the latex template file
Trigger warning: this is a report about how
Debianism prefers abusers to those who consistently and
compassionately helped victims of abuse.
Those who dare to look up the public court records about
Jeremy Bicha have been shocked and in some cases unable to sleep
after reading how he exploited every bodily orifice of his little sisters
when they were six and nine years old. Yet I feel a possibility that
Jeremy Bicha himself is now being exploited to make us feel
shock and to soften us up for future revelations about unnamed oligarchs
in the open source eco-system. There have been many falsified rumours
about abuse over the years,
such as the conspiracy against Dr Jacob Appelbaum. Whenever we get
to the point that the leader of some so-called community really is
put on trial for real abuse, the victims are unlikely to have suffered as
extensively as
Bicha's little sisters.
I didn't write and publish this report to start a lynching against
Jeremy Bicha himself. He has confessed his crimes which is much more
than can be said for other sex pests. The real reason for the report is
to look at the decisions that organisations have made putting a
registered sex offender on a pedestal but in the case of commercial
rivals or people who made mistakes with pronouns, we are being censored
and harassed by the oligarchs for the most mundane mistakes.
The BBC is in fresh trouble over their pre-existing knowledge of a scandal
involving
Scott Mills. It was a major story in the
UK the week before Easter and then it disappeared. I suspect that sooner
or later we will hear more details.
Almost every day there is a fresh news report about
Jeffrey Epstein. During the trial of
Ghislaine Maxwell, she told us her partner,
Epstein, needed to
be with a woman at least three times per day. People with children or
teenage daughters will feel very uncomfortable about having these men around.
Less than two percent of Debian Developers are female but at
DebConf almost one in three participants is in the
gay/transgender/Zizian set. In the wider population it is only one in
ten people.
These people don't have children. They don't think about having children.
They don't spend a lot of time thinking about the risks. Having a
registered sex offender present at the after-party may be on the
bucket list for some of these people. They are willing to risk other people's
children and tarnish Debian's reputation so they can have something
unusual at the after-party.
For people who do have children, they don't go to the
DebConf orgy groups but they do stay up all night reading through reports
like this to try and work out whether the risk is acceptable or not.
The
Debian Suicide Cluster correlates with a culture of
violence and humiliations. Coincidentally, rape and abuse are also about
violence and humiliation. Adding a
registered sex offender to the group only reinforces those existing
Debian character traits when we need to be looking for the opposite,
people who serve to neutralise those cultural defects.
News that a
Registered Sex Offender(TM) was invited to speak at
DebConf25 in
France is not a random accident. Certain groups like
Debianism have been overcome by fringe diversity movements. Over the years,
we've seen the same people using their authority to humiliate fellow volunteers
in much the same way that paedophiles humiliate children. Statistically,
we can be certain there are similar men in the same group.
Jeremy Bicha was the thin end of the wedge. By putting a known offender
on a pedestal and claiming they are helping him, they are clearing a path for
other more cunning characters to be given a platform.
The people who control
Debianism mailing lists have a nasty habit of censoring any concerns about
the phenomena. They believe everybody agrees with their worldview. They
are living in a bubble. Sooner or later, there will be a person or an
incident that is so bad that it is the end of Debian. Society at large
simply doesn't accept some of the things these people do.
Moreover, certain companies would like to see Debian fail. They will
give enough money to the diversity budget to create a scandal and then
those companies will get out of the way as quickly as possible.
The Debian Social Contract tells us, in point three,
We will not hide problems.
In the case of the
registered sex offender invited to speak at
DebConf25 in
France, all discussion has been deliberately shut down. Video
of the talk is not hosted with video of the other talks. People are
scouring the
official photo gallery to see if
Jeremy Bicha was really there at all and who sat next to him.
This situation and the manner in which
Debianists are hiding it reveals the real definition of diversity and
the real use of diversity funds.
This resulted in “Jack” ringing me in an extremely distressed state. His
words on the phone were, “I think it would have been better to hear my
mother had died”. He was a relatively early victim of [Fr Kevin] O’Donnell and his
abuse was reported to the Cathedral in 1958. This allegation was
investigated at the time by both the then Vicar-General, Laurie Moran,
and the then Auxiliary Bishop of Melbourne, Arthur Fox. Nothing
eventuated from this investigation.
In 1962, Stanley Kubrick released the controversial film
Lolita.
Charles Manson was using women in his
cult, the Manson Family, to murder people. He hoped that by committing
these violent murders he could start riots, like the modern day phenomena
of #MeToo mobs on
social control media. On 9 August 1969, they killed the actress
Sharon Tate, who was the wife of film director
Roman Polanski.
In the 1970s, Bishop Fox was the Bishop of Sale. On 3 July 1972, when he was
in his early forties, Hourigan wrote to Bishop Fox asking that he be accepted to study
for the priesthood. In the letter Hourigan set out what he said were two ‘flies in the
ointment’. The first related to an issue with Hourigan’s back, and is of little moment.
The second was a disclosure (referred to by the judge as ‘the disclosure’) that on
three separate occasions, occurring at two separate boarding schools in Papua New
Guinea at which he was working, boys in his care who, he said, he had occasion to
punish for misbehaviour, responded by complaining to a priest that he had treated
them harshly and that he was a homosexual. A short time after the second and third
complaints, Hourigan left the second boarding school and returned to Australia.
The implication is that
Bishop Fox had personal knowledge of the disclosure and history of
abuse before he ever ordained
Fr Hourigan.
Britain's National Council for Civil Liberties (NCCL), known today as
Liberty, had a very open attitude to memberships and affiliations.
PIE and many other fringe groups became members of NCCL / Liberty
and regularly attended the annual general meetings where they rubbed shoulders
with lawyers and lobbyists from a range of different movements.
The Conversation tells us the British Communist Party was also affiliated
with NCCL / Liberty. People have been scouring old copies of British
tabloid newspapers to find evidence of similar diversity fringe groups
promoting incest, cannibalism and bestiality. NCCL / Liberty was not endorsing
any of these groups and the PIE was no more or less special than
any other diversity fringe group.
The manner in which the paedophile advocacy groups participated in the
NCCL / Liberty and the legal profession can be summarised by the
expression I don't agree with what you say but I will defend to the
death your right to say it.
As the saying goes, all good things must come to an end. By the
1980s, governments around the world had developed strategies to shut down
and outlaw groups like PIE.
The eradication of these groups was significant because it forced
the pro-abuse lobby to look for more discreet ways to achieve their
unholy objectives. In other words, they have to join other groups like
the Catholic Church and the
Debian Project in the hope they will gain credibility, access
to children or both.
Between 1977 and 1978,
Roman Polanski, whose wife had been murdered by the Manson Family
cult, was prosecuted for drugging and raping a 13-year-old girl.
He fled America to live in
France and evade a likely jail sentence.
As he was born in France he can't be extradited to America. He continued
his career in
France and received numerous awards for his work. Many professionals
in the movie industry have publicly indicated support for
Polanski, despite the very serious crime he committed against a child.
Between 1978 and 1982, in another
Catholic abuse situation where the victim agreed to waive anonymity,
David Ridsdale was abused by his uncle, the priest
Gerald Ridsdale. Under Australian law, when the uncle is found
guilty of such an offence, their identity and their conviction can not
be reported in the media as it would compromise the identity of the
victim. Nonetheless,
David Ridsdale waived his right to anonymity and so it could be
reported that
Gerald Ridsdale, who was the worst offender in the country,
had even committed abuse against one of his own relatives.
The media originally obfuscated the name and face of the victim but it
wasn't long before everybody knew. She had created the dossier, started a
conversation with the police and then she committed suicide. Eventually the
Federal Court judges decided to publish everything for the public to make up our
own minds.
I selected those portions of the document to emphasize the striking
similarities between
Katharine Thornton's abuse report and the acts that
Jeremy Bicha admitted inflicting on his sisters.
According to the summary of the complaint on the
Manatee County Courthouse web site, the abuse occurred between 1995 and 1999,
in other words, when
Jeremy Bicha was only between eleven and fifteen years of age himself.
One of his sisters was nine and another was only six when these horrible crimes
took place.
In the court documents,
Jeremy Bicha told prosecutors his parents were very strict and kept all the
siblings together at home. In countries with urban sprawl and a car culture,
which includes
Australia, a teenage boy starting high school has no way to meet friends
of the same age unless an adult is willing to drive him there and bring him
back home. Europeans who live in apartments and terrace houses are much closer
together. Therefore, people who haven't lived in urban sprawl can't fully
appreciate the impact it has on childhood.
In 1997, Adrian Lyne produced a fresh version of the film
Lolita.
Shortly after that, I was photographed in
Australia's Parliament House,
Canberra with
Natasha Stott-Despoja. After leaving her job as a senator,
Natasha was appointed as
Australia's ambassador for women and girls.
She was subsequently appointed to represent
Australia on the UN CEDAW committee. CEDAW is the Convention on the
Elimination of All Forms of Discrimination Against Women. The committee
is one of the most influential international bodies concerned with the
status and wellbeing of women. The photograph was taken during the same
period of time where
Jeremy Bicha admits abusing his little sisters.
In the early days of
Debianism, many young teenage males were exploited. Ringleaders have been
interchangeably presenting
Debianism as a hobby, as a philosophical mission and as an activity that
people undertake while being paid by an external employer like
Freexian. Ringleaders pivot between these
definitions of
Debianism depending upon which definition is most convenient for the
ringleaders themselves in any particular situation or dispute.
They used the appeal of a philosophical mission to recruit numerous teenagers,
mostly boys in their mid-teens, who were starstruck by the names of companies
like
Pixar, where
Bruce Perens worked. These teenagers didn't really appreciate the extent
to which they were working alongside people who were being paid six-figure
salaries to do similar tasks. I'm talking about
Joel "Espy" Klecker,
Shaya Potter and
Chris Rutter. Klecker was doing this unpaid work while he was in bed
dying of a terminal illness
(detailed report).
Shaya Potter appears to be the first documented case of somebody
expelled after he had already resigned.
Chris Rutter even had servers for unpaid
Debianism work installed at his high school. He was observed
working long hours to meet his obligations to
Debianists shortly before walking in front of a car. These may be
the three most prominent teenagers in the early days of
Debianism and it is disturbing to see that two died while one was
subject to gaslighting and ostracized.
Here is a debian-private leaked message where the underage
phenomena is mentioned explicitly:
Subject: Re: why I want the archives on me (was Re: spotter@debian.org)
Date: Tue, 17 Nov 1998 12:56:41 -0500
From: Shaya Potter <spotter@ymail.yu.edu>
To: joost@pc47.mpn.cp.philips.com
CC: debian-private@lists.debian.org
----- Original Message -----
From: <joost@pc47.mpn.cp.philips.com>
>
>On Tue, 17 Nov 1998, Shaya Potter wrote:
>
>> Now that this is out of the way, I'd like to publicly ask if I can have an
>> archive of all the communication that went on in regard to me.
>
>Strictly speaking I tend to disagree that you or anybody has an a-priori
>right to know what is being said and told on debian-private. It is simply
>a private list. Things would be different if you were mentioned in a
>public list without being able to respond. But that is in all aspects
>clearly not the current situation.
First, I never said I have a right. In many ways I think I don't have a
right, or even if I did, I don't deserve it. I don't think my statements
have implied that I believe I have a right to demand that it be given to me.
I do have a right to ask that it be done. Debian has a right to say yes or
no.
>
>(Nevertheless, I think that it would be considerate to cc: you in
>any discussion that involves you in a very personal manner - this has
>IMHO until now hardly been the case though.)
It hasn't? Then how did the decision to expel me come about? Who told
people who made the decision what happened? Was this all done in private
mail?
>
>If a non-subscriber of debian-private must share in the conversation on
>debian-private, then this should IMHO be done by adding that person to the
>clearly visible cc: line of the header of any messages to be "published."
>That way, it will be adequately clear that the correspondence leaves the
>realm of debian-private and thus everybody can conclude that normal
>confidentiality can not be expected. AFAIK respect for the confidential
>nature of debian-private is a prerequisite for subscription to this list.
I would have respected the confidentiality, as I have made it known that I
don't want this to spread, as I am embarrassed by my actions.
>
>Practically speaking, I disagree that the underlying case generally
>concerns you. What matters here is not who Shaya Potter personally is or
>what particularly Shaya Potter did. The discussion is about how issues
>like the one involving you relate to Debian. This discussion does not
>involve you personally.
I don't want the entire discussion, I just want to see the parts that touch
on me personally. I don't care for the rest, of what about underage
developers and the like....
>
>> I was told that it would not be a star chamber, and that I'd be cc'd in
>> on all the correspondence. That didn't occur.
>
>There was no "star chamber." You have already been generously cc:'-ed.
I was? The only cc:'s I ever got were in response to me starting a thread.
That implies to me, that acc. to what you were saying, that no discussion
on -private occurred that I didn't start. However, I know this not to be the
case, as before I was unsubscribed from -private, I saw a thread or 2
started that dealt with me.
>
>IMHO you do not have a right to be cc:-'ed on the _general_ discussion
>which does not particularly (personally) involve you.
never said I did.
>
>> Also, I really have no idea of what discussion went on, if mistruths
>> were spread about the incident (as in reality, I'm the only one that
>> knows completely what happened, and no one really ever asked me for the
>> full story).
>
>If this worries you so much, then I seriously wonder why you did not
>immediately relate it to debian-private when the issue arose in the first
>place?
I did apologize on -private right away, however, I didn't want to spread
what I did. I specifically told people that I would rather this not be
discussed on -private and have me showed the door quietly, and told never to
come back. That didn't happen, it was discussed on -private. I don't know
what was discussed in relation to me, so I want to be informed.
>
>Again, the discussion is not yours. Again, you are not personally
>involved. Your only "role" in the discussion is that you have created a
>precedent. I think we can all agree that we would rather have had you
>not be a precedent case, but it happened. I'm very sorry, but you'll
>have to blame yourself for that.
Trust me, I've blamed myself a lot for this. If you had seen any of my
correspondence you would know this. I don't blame anyone for my
predicament, but myself.
>Discussion on debian-private does not count as a statement from Debian.
>So there simply were no statements. I'm not really in favor of making any
>strong or overly verbose statements either. If there ever is to be a
>statement from Debian about an issue such as the current one involving
>Shaya, I think that person should be briefed thoroughly beforehand.
I'm not talking about a debian statement. I don't want a public statement,
and I know a lot of people from debian don't want one either (though some
might). What I meant by statements, was statements that individuals made,
that might be incorrect, or inaccurate.
>Shaya, can you please just put this to a rest? IMHO it is not very
>productive for anybody. And please take it from me that you have no
>reason to be concerned that you have been in a "star chamber."
I am not worried about a star chamber, I would have preferred it in many
ways. However, at least with a star chamber you usually get to see the case
presented against you, even though you don't have the ability to defend
yourself. As I said many times, my case is indefensible, so that wouldn't
bother me.
Shaya
We find exactly the same phenomena in the
Jeremy Bicha abuse testimony. His sister tells us she was too young
to know the words for what he was doing in her underpants.
In October 1999 the role of teenagers was back in the spotlight:
Subject: Debian Death March
Date: Thu, 7 Oct 1999 17:41:25 -0700 (PDT)
From: Jonathan Walther <krooger@debian.org>
To: debian-private@lists.debian.org
Guys. Is Debian still the hippest, coolest, happeningest distribution
around, or are we a dinosaur lost in the forest?
The posts I've read on this list today reek of a Death March.
Yes, many of the Debian originals have moved on, retired, or fallen
quiescent. Others of us have had sudden changes in our life; new jobs, loss
of jobs, loss of internet access, newborn infants, need to spend time with
spouses and loved ones.
Many of the rest have gotten tired. The friends they joined this marvelous
big project with are no longer around... The stress of mentoring up a new
generation of package maintainers, and hopefully core developers falls on
their already burdened shoulders, taking away from their time spent coding.
As social scientists know, the future is the children. Or in our case, the
future is the teenage "hackers" getting their first computer, going in their
first irc chatroom, using their first nuker... and realizing there is
something far more interesting, constructive and beautiful beyond the raw
violence of their little world. An ordered system of many parts, of many
people collaborating in peace, cooperating on a scale that they will take
for granted, because we have made it seem so natural, but which makes any
sane adult boggle at our achievement.
[ ... snip ... ]
Given that
Debianism has the exploitation of youth in its DNA, it is really sad
to see that a
registered sex offender and various characters with similar tendencies
were put up on a pedestal in the era of
Chris Lamb.
In 2002, the Boston Globe's Spotlight team published
their reports about the
Catholic abuse crisis. The reports were not simply about the actions
of individual paedophiles. The journalists went to great lengths to examine
how the institution had ordained the wrong people and stonewalled victims.
In the
Debian harassment culture, we see much the same thing. People who ask
questions are censored on the mailing lists. The leaders stonewall and
refuse to answer questions or provide reports about the
Debian suicide cluster and their knowledge of
Jeremy Bicha's history.
Subject: Re: Nut-case of the day - Was: [Fwd: URGENT: This is potentially a threat to your and others personal security]
Date: Tue, 6 Jan 2004 12:53:33 -0700
From: Joel Baker <fenton@debian.org>
To: debian-private@lists.debian.org
On Tue, Jan 06, 2004 at 03:28:03PM +1100, Russell Coker wrote:
> On Tue, 6 Jan 2004 15:23, Joel Baker <fenton@debian.org> wrote:
> > I could probably arrange for Debian to have a TG developer, but somehow,
> > this doesn't seem like a primary qualification; we don't have quotas. :)
>
> If they can code well or can be taught to code well then please get them in!
>
> Especially if they have some skills at kernel coding. I think that we could
> do with having more skilled developers dealing with the kernel patch
> packages.
What I didn't mention is that it would probably involve me bribing her to
deal with it; she doesn't find Debian to be quite worthwhile enough on its
own merits (she likes it, she just likes FreeBSD better, and has little
enough time to spare overall that short of someone making it worth giving
up what else she does, it isn't worth it).
This would be the primary reason she isn't already a DD, since the only
part of NM that would pose any issue at all is the wait (I can sign her
trivially, and passing the requirements is a no-brainer). But we don't
really need another developer not doing much most of the time, and I
have better uses of the money than paying her to work on it. :)
--
Joel Baker <fenton@debian.org> ,''`.
Debian GNU/NetBSD(i386) porter : :' :
`. `'
`-
In 2006,
Red Hat opened their main research site in
Brno, a small city in the
Czech Republic. The
Czech Republic had joined the
European Union (EU) in 2004.
Thanks to the Freedom of Movement policy of EU countries,
Red Hat could employ young male graduates from any other EU country and
bring them to work in
Brno without any uncertainty about residence permits and visas. Over
the years, thousands of young and predominantly male engineers came to work
for various multinational companies in this remote part of the
Czech Republic. At the same time, young women from eastern European
countries were all leaving small cities like
Brno and either moving to the capital,
Prague or moving to other cities like
London,
Paris and
Berlin. These arrangements created a huge imbalance. Thousands of
highly paid young single men found themselves competing for the very
small group of women who decided not to leave. A lot of the companies
started talking about the need for diversity programs. While
nobody says it out loud, it looks like these programs are intended to
increase the size of the dating pool in these offshore centers.
Official statistics tell us that
Brno has the highest suicide rate in the country.
When eastern European countries joined the EU, some of the western
countries like Germany and France introduced a temporary delay on
Freedom of Movement for workers. The delay didn't apply to
Freedom of Movement for wives and girlfriends.
This table shows us that workers from
Czech Republic could go to
the
UK immediately after joining the EU in 2004 but they could not
take jobs in
France until 2008 or
Germany until 2011. As a consequence, young women could use
Freedom of movement to marry somebody in a rich country but
many young men had to stay in the
Czech Republic. The young men who remained found themselves in direct
competition against the
Red Hat workforce for the last girlfriends who remained in
Brno.
During that period, I was living to the north of
London near to
Luton airport. Thousands of people from eastern Europe were arriving
every day on the low cost airlines. It was fairly easy to distinguish
the tourists from the people who were relocating. The people relocating
under Freedom of Movement had typically purchased the maximum
luggage allowance and arrived with their whole life in a suitcase that
was so overloaded it looked like it was about to burst. In particular,
a lot of the women who arrived like this were making the move alone with
no safety net. Their plan was to get off the plane and find a room,
a job and a husband. These are the women who the
Red Hat employees in
Brno missed out on.
In January 2006,
Raphael Hertzog infamously used the debian-devel-announce email
list to promote a message about an external product,
Ubuntu that not everybody is interested in.
Andrew Suffield adapted the subject line of
Hertzog's email to promote lesbians instead of
Ubuntu. Some people speculate
Suffield chose the word lesbian because it looks a little bit
like the word Debian and there are a disproportionate number of
LGBT people lurking in the mailing lists.
To: debian-devel-announce@lists.debian.org
Subject: For those who care about their packages in Ubuntu
From: Raphael Hertzog <hertzog@debian.org>
Date: Fri, 13 Jan 2006 23:35:24 +0100
Hello fellow Debian developers,
let me explain shortly why I'll speak of Ubuntu on a Debian announce
list. I know that many of you do not like the Canonical marketing saying
that "Ubuntu is contributing back" because the most visible official
contribution is scott's patch repository and that all other successful
collaboration has been made at the level of individual developers who are
"friendly to Debian" and not because Canonical's policy ask them to do
so.
[ ... snip ... ]
To: debian-devel-announce@lists.debian.org
Subject: For those who care about lesbians
From: Andrew Suffield <asuffield@debian.org>
Date: Sat, 14 Jan 2006 15:00:40 +0000
Since this sort of thing is apparently okay nowadays, and I know that
a lot of you like looking at lesbians, I'd like to share this with
you:
http://www.flickr.com/photos/63978244@N00/81351129/in/photostream/
[And for the sarcasm-impaired: debian-devel-announce is for Debian
development, not anything that you (or any other group of people)
happen to be interested in. Don't post irrelevant stuff here. It would
be a real shame if the list had to be moderated because people can't
exercise good judgement. Anything sent here should be of interest to
an overwhelming majority of Debian developers, *at least* - if you're
using phrases like "for those who care about X", it belongs somewhere
else, like X-announce.]
--
.''`. ** Debian GNU/Linux ** | Andrew Suffield
: :' : http://www.debian.org/ |
`. `' |
`- -><- |
The message links to this image. It is off-topic but the content is not
illegal in any western countries.
Excuse the pun, the tit-for-tat continued with even more messages
based on the same subject line template:
Not long after that, in May 2006,
DebConf6 took place in
Mexico. One of the candidates in recent
Debianism elections,
Jonathan Walther (Ted), brought a local woman,
Hilda, to the conference dinner. People quickly started the rumour
that
Hilda was a prostitute. Nonetheless, she was the local dentist. To
this day, dozens of messages about the rumour are present online in various
web sites and debian-private archives.
(
more details about the rumours and DebConf6 fight).
To understand why there was so much gossip and aggression at the
DebConf6 dinner, you need to look at who really slept with who
and then
read the story again. The leaked
room list tells us that
Holger was sleeping with
Amaya.
Amaya helped start the rumour and
Holger is the one who ended up exerting physical pressure on the victim,
Jonathan Walther (Ted). When people are sleeping together, they don't
always behave rationally any more.
From: Joerg Jaspert <joerg@debconf.org>
To: rooms@debconf.org
Subject: Re: [Debconf-announce] Room allocation
In-Reply-To: <20060328120500.GA10651@localhost> (Margarita Manterola's message
of "Tue, 28 Mar 2006 09:05:00 -0300")
Organization: Goliath-BBS
[ ... snip ... ]
> * Who you would NOT like to share the room with.
I don't care that much who is in my room, as long as it's not
Jonathan/Ted "krooger" Walther or Jeroen van Wolffelaar or Amaya.
[ ... snip ... ]
Date: Fri, 31 Mar 2006 17:39:37 +0200
From: Adeodato Simó <dato@net.com.org.es>
To: rooms@debconf.org
Cc: Holger Levsen <debian@layer-acht.org>,
Jesus Climent <jesus.climent@hispalinux.es>,
Amaya Rodrigo <amaya@debian.org>,
Alberto González Iniesta <agi@inittab.org>,
Marcela Tiznado <mtiznado@linux.org.ar>,
Isaac Clerencia <isaac@debian.org>,
Jacobo Tarrío Barreiro <jacobo@debian.org>,
Javier Fernandez-Sanguino <jfs@computer.org>,
Ana Beatriz Guerrero López <ana@ekaia.org>
Subject: Room preferences for a bunch of ~Spanish people
Hey marga!
Some (mostly) Spanish people have been talking among us, and we'd like
to share room at DebConf. We've thought that it'll be easier for you
if we just write you one mail saying who we are, instead of each of us
mailing you privately with our preferences. :)
So, we'd like:
- a 6-sized room for both DebCamp and DebConf (from 5th to the end)
- a 4-sized room for DebConf only (from 13th to the end)
The involved people (in order of arrival, all of them CC'ed) are:
Holger Levsen <debian@layer-acht.org>
Jesus Climent <jesus.climent@hispalinux.es>
Amaya Rodrigo <amaya@debian.org>
Alberto González Iniesta <agi@inittab.org>
Adeodato Simó <dato@net.com.org.es>
Marcela Tiznado <mtiznado@linux.org.ar>
Isaac Clerencia <isaac@debian.org>
Jacobo Tarrío Barreiro <jacobo@debian.org>
Javier Fernandez-Sanguino <jfs@computer.org>
Ana Beatriz Guerrero López <ana@ekaia.org>
Thanks in advance,
In 2006, the
GNOME people created the
Outreach Program for Women (OPW), which was subsequently renamed to
Outreachy. The program pays young female interns to associate with
the developers. The women are not expected and not always trusted to
do development work themselves. Many of the women were offered free trips
to conferences all over the world.
Subject: Total world domination through therapy and free software!
Date: Sun, 31 Dec 2006 13:25:08 +0100
From: Amaya <amaya@debian.org>
Organization: Debian - http://www.debian.org/
To: debian-private@lists.debian.org
Russell Coker wrote:
> True. But we can only change some things and only in some areas.
Sure, we are just humans :)
> I will always have little sympathy for someone who complains bitterly
> about unfairness when by any objective metric they would be regarded
> as being in the most fortunate few percent of the world's population.
Yes, as in having clean tap water. Ack.
> Do you think it might be beneficial to have some group sessions at
> Deb-conf's to help us deal with these things?
I strongly believe in the group sauna effect :)
> Debian has a huge pile of money that is apparently not being spent,
> booking a good psychiatrist for a day for every DebConf would not make
> much of an impact on Debian finances and might have a good impact on
> productivity.
s/psychiatrist/therapist/
Maybe someone that is experienced in large voluntary communities could
give a talk, or workshop, or both.
It would be interesting to know whether anyone knows a person that could
help us this way. I could talk to some people if the idea doesn't look
stupid to the rest of you, the people reading this.
--
·''`. If I can't dance to it, it's not my revolution
: :' : -- Emma Goldman
`. `' Proudly running Debian GNU/Linux (unstable)
`- www.amayita.com www.malapecora.com www.chicasduras.com
By 2008, they were already talking about how they would recruit people's
teenage children. This was well before the
Debian pregnancy cluster started producing said children.
Subject: Re: [VAC] Going to the chapel ...
Date: Tue, 22 Jul 2008 16:12:29 +0200
From: Lionel Elie Mamane <lionel@mamane.lu>
To: debian-private@lists.debian.org
On Sat, Jun 28, 2008 at 03:29:27PM +1000, Russell Coker wrote:
> On Saturday 28 June 2008 14:32, Benjamin Seidenberg
> <benjamin@debian.org> wrote:
>> The question is, will we accept parental signatures on the GPG keys?
> Why wouldn't you accept a parental signature? (...)
> Advocacy however is a different matter. We want advocates to not be
> excessively biased, and I'm sure that while growing up we have all
> seen adequate evidence of parents who think that their children are
> angels while everyone else knows the truth...
> Of course if a parent was to quietly encourage the NM people to keep
> their child in the queue for an extra year or two then I think we
> should accept such a recommendation.
I fail to see why this is obviously desirable; parents can also be
biased in the other direction, that is think their late teenage
children are like one-year olds that cannot cross the street without
their supervision.
--
Lionel
Around the same time, in June 2008,
Jeffrey Epstein made a guilty plea on two charges in state court.
He was sentenced to 18 months in a county jail, which is less
onerous than a state prison. He was authorised to participate in a
work release program whereby he could leave the prison for sixteen
hours per day, six days per week. It is rumoured that he was unhappy
with his probation officer and exploited political connections to have the
probation officer moved elsewhere.
Jeffrey Epstein worked as a schoolteacher before getting into finance.
Therefore, he is far more culpable than a twelve-year-old juvenile
offender like
Jeremy Bicha.
"I first met my wife at the “International Conference on OpenSource” 2009 in Taiwan. So OpenSource, Debian and me being some tiny wheel in the system wasn't entirely news to her."
If any other random developer meets a woman at a conference they are insulted
and told that relationships are a bad thing. Yet for the oligarchs representing
Debian at events, it is open season on women. This relationship helped bootstrap
the Debian pregnancy cluster.
In 2010,
Jeremy Bicha's older sister went to Bob Jones university. The on-campus
therapist gave her bad advice. The sister went to a more victim-oriented
off-campus center,
Julie Valentine Center. After counselling there, the victim and another
sister, who is also a victim, reported the abuse to
police.
US Navy investigators immediately questioned
Jeremy Bicha. He admitted the allegations about his childhood are true.
He was immediately terminated from Navy employment.
In August 2010,
DebConf10 was in New York City. By this stage, we can see
Debianism had well and truly adopted a
cult lifestyle. A group of couples share rooms. They pretend
we have no money while keeping it for themselves. They are pretending that
bringing your wife is diversity.
Shortly after
Adrian von Bidder-Senn died, his wife,
Diana von Bidder-Senn sent an email revealing she was oblivious to
what he was doing on his computer. In hindsight, we can see that both
Adrian and Diana were tricked by
Debianism in different ways:
Subject: Re: condolences for Adrian
Date: Mon, 25 Apr 2011 15:02:18 +0200
From: Diana von Bidder <diana@fortytwo.ch>
To: Stefano Zacchiroli <leader@debian.org>
Dear Stefano
Thank you for your wonderful mail! Yes Debian and people were very
important to Adrian. I was glad that he was not only sitting alone in
front of his computer but to know that there are people out there that
estimate him and are his friends even if most of you did not know each
other personally.
The way you describe him (empathy, calm, insight, ... - just the Adrian
I know) assures me on how good friends of Adrian are out there. And I
will always continue to think of this (in a good way!) when continuing
to use debian (which I became quite fond of because of Adrian).
It's a pity that he couldn't go to Banja Luca anymore which he did so
much look forward to. Anyway, I wish you all the best and hope you
continue your good work.
- Diana
The family asked for donations to AMICA Schweiz, a charity that
helps women abused during the conflict in the Balkan countries. People
argued about it on debian-private.
Subject: Re: Death of Adrian von Bidder
Date: Thu, 21 Apr 2011 08:56:04 +0200
From: Andreas Tille <andreas@an3as.eu>
To: debian-private@lists.debian.org
Hi,
I admit that e-mails about emotions tend to be turned into flames
and I do not want this here.
On Thu, Apr 21, 2011 at 07:24:59AM +0200, martin f krafft wrote:
> I suggest that we donate 200 CHF from the project (price of a nice
> wreath with writing). If there are other donators, please get in
> touch with me.
The donators of the Debian project intend to spend money for the
development of the Debian project. If we spend Debian money for a
wreath (or any form of replacement donation) this is not related to the
development of Debian. It is rather *us* *people* who say goodbye to
a friend. So the money should not come from project funds but rather
from single developers.
Saying this I would like to vote against spending Debian money but
rather doing a separate collection. I could live with some kind of "de
facto" collection like this: I will ask for Debian money for DebConf.
In case Debian project money is really spent for Adrian's funeral I'd
simply ask for 10Euro less than I would have done otherwise.
Please do not get me wrong: I'm in any case for showing that the Debian
community is sad about the death of Adrian. But I'm not convinced that
this purpose is in the interest of our donators and it finally comes
quite cheap for us individuals to simply spend Debian money.
Kind regards
Andreas.
--
http://fam-tille.de
In December 2011,
Martin Krafft describes
Debianism itself as a teenage culture. His fingers get a mention
in the email signature:
Subject: Mooing solves everything
Date: Wed, 7 Dec 2011 22:14:13 +0100
From: martin f krafft <madduck@debian.org>
Reply-To: madduck@debian.org
Organization: The Debian project
To: debian private list <debian-private@lists.debian.org>
[Writing to -private with Reply-To set, because this is clearly
a classified topic]
We know about super cow powers and swallowed elephants, and the
power of the Mooing.
What I want to do is collect cow-related stories of relevance to our
project, to prevent an inside joke from dying as Debian prepares to
exit teenagehood.
So, please hit me. What does Debian have to do with mooing?
--
.''`. martin f. krafft <madduck@d.o> Related projects:
: :' : proud Debian developer http://debiansystem.info
`. `'` http://people.debian.org/~madduck http://vcs-pkg.org
`- Debian - when you have better things to do than fixing systems
on the other hand, you have different fingers.
At the same time, in December 2011, a young transgender straight out
of an elite French high school was given a paid job in a student-run
Internet Service Provider, the
CR@NS network at
ENS Cachan. One of the older students, Debian Developer
Nicolas Dandrimont, was dating this vulnerable young person at
the same time as paying them and trying to help them
get Outreachy money. Recall the original discussion about offering
money for transgender participation many years prior. Offering
these people moral support may be acceptable but offering large
sums of "diversity" money at a point when they are unsure of their
identity appears to be highly unethical.
Subject: DM application of Jeremy Bicha
Date: Fri, 30 Mar 2012 18:58:41 -0400
From: Jeremy Bicha <jbicha@ubuntu.com>
To: debian-newmaint@lists.debian.org
CC: Jordi Mallach <jordi@debian.org>, Michael Biebl <biebl@debian.org>,
Sebastien Bacher <seb128@debian.org>, Martin Pitt <mpitt@debian.org>
This is my declaration of intent to become a Debian Maintainer
<URL:http://wiki.debian.org/DebianMaintainer>.
I have read the Social Contract, Debian Free Software Guidelines and
Debian Machine Usage Policy and agree with all of them.
Currently, I maintain the package kabikaboo
and I co-maintain the GNOME packages with the Debian GNOME Team.
My GnuPG key EBFE6C7D is signed by the Debian Developer Andres Mejia.
I look forward to becoming a Debian Maintainer. Thanks for your attention.
Jeremy Bicha
--
To UNSUBSCRIBE, email to debian-newmaint-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact
listmaster@lists.debian.org
Archive: http://lists.debian.org/4F763AA1.1050503@ubuntu.com
Subject: Re: DM application of Jeremy Bicha
Date: Tue, 3 Apr 2012 07:24:13 +0200
From: Martin Pitt <mpitt@debian.org>
To: Jeremy Bicha <jbicha@ubuntu.com>
CC: debian-newmaint@lists.debian.org, Jordi Mallach <jordi@debian.org>, Michael Biebl <biebl@debian.org>, Sebastien Bacher <seb128@debian.org>
Hello Jeremy,
Jeremy Bicha [2012-03-30 18:58 -0400]:
> This is my declaration of intent to become a Debian Maintainer
> <URL:http://wiki.debian.org/DebianMaintainer>.
>
> I have read the Social Contract, Debian Free Software Guidelines and
> Debian Machine Usage Policy and agree with all of them.
>
> Currently, I maintain the package kabikaboo
> and I co-maintain the GNOME packages with the Debian GNOME Team.
I've seen your great activity in both Debian's and Ubuntu's GNOME
team. You have demonstrated the ability to deal with nontrivial
packaging situations, a sustained enthusiasm and dedication, and good
collaboration with upstream as well. I fully support your application
for DM, thanks!
Martin
--
Martin Pitt | http://www.piware.de
Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)
On 15 May 2012,
minutes of the GNOME Foundation tell us that
Jeremy Bicha was one of six people given voting rights in the foundation.
Many open source developers have never had the right to vote in any of these
incorporated bodies. It appears that
Jeremy Bicha was able to renew his membership and thereby maintain this status
even during his subsequent prison term.
In April 2013, the
Debianists decided to start offering money to young women under the disguise of
Outreach Program for Women (OPW), which was later renamed to
Outreachy. The Debian
constitution explicitly says that contributors must be volunteers. Therefore,
the payments to these young women are illegal under the constitution and may
be illegal in other ways too.
...
3.2. Composition and appointment
Developers are volunteers who agree to further the aims of the Project insofar as they participate in it, and who maintain package(s) for the Project or do other work which the Project Leader's Delegate(s) consider worthwhile.
...
Here is one of the early advertising banners promoting the illegal payment of
$4,500. The
GNOME Foundation logo is on the woman's foot. It is an uncanny coincidence
the logo strongly hints at the unison of male and female genitalia:
In July 2013, I publicly resigned from the
Australian Labor Party (ALP) due to abuse of female
asylum seekers from Iran. In the resignation email,
which was leaked to Australian political news site Crikey,
I compared the scandal
to the Catholic abuse scandal. I think this may be the first time my name
was on the public record as a supporter of victims. This was well before the
Spotlight movie and the #MeToo phenomenon, therefore, it
can't be suggested that those latter revelations influenced the strong words
used in my resignation in 2013.
In September 2013,
Jeremy Bicha was convicted and sentenced to three years in a state prison.
The state prison is a far more onerous punishment than the county jail where
Jeffrey Epstein was briefly incarcerated. The duration of
Jeremy Bicha's sentence is double the 18 month sentence imposed on
Epstein.
At the sentencing,
Bicha's defence lawyer asked the judge not to put his name on the list of
registered sex offenders. This is a controversial topic. The
police have also asked the judges not to automatically put every criminal
like this on the list. The more pragmatic police commanders want these lists of
registered sex offenders used for those pathological predators who never
truly change their ways. Looking at the allegations against
Bicha, he personally stopped offending at 15, during his childhood and there
is no evidence he is committing similar crimes as an adult. To put it another
way, if a child goes missing, the local
police want to be looking at a list of the top twenty lifetime sex
offenders who are dangerous enough to deserve a house call. If the police are
confronted with a list of over a thousand
registered sex offenders in their district they have no way to know
which of those people to visit first.
In Australia and other countries, the media is normally prohibited from
publishing the names of juvenile offenders. In a way, the young boys
are considered victims of their parents' failures. On that basis, they
have a right to privacy equivalent to the rights of the abuse victims.
Nonetheless, this type of restriction doesn't appear to be applicable
in the United States. Even so, if the local pastor and schoolteacher
were not part of the story, it is unlikely the newspapers would publish
the story at all.
In November 2013,
Paul Tagliamonte sent the following message to the leaked
debian-private email list. It concerns a young woman who
applied for the
OPW / Outreachy money. Why are these men always thinking about the
age-of-consent when women are mentioned?
Subject: Re: OPW Student in Kingston, Jamaica
Date: Mon, 25 Nov 2013 13:39:12 -0500
From: Paul Tagliamonte <paultag@debian.org>
To: Joachim Breitner <nomeata@debian.org>
CC: debian-private@lists.debian.org
On Mon, Nov 25, 2013 at 06:37:36PM +0000, Joachim Breitner wrote:
> Hi,
>
> Am Montag, den 25.11.2013, 13:18 -0500 schrieb Paul Tagliamonte:
> > She's got a PhD, so I think this could also be a good beersigning, if
> > she drinks.
>
> not having a PhD yet I wonder what expects me: Will I be a better
> drinker after I get the degree? Or a better keysigner? /me is confused.
It simply means she's likely of age in her jurisdiction. All I was
saying is that she's not a high school student.
Cheers,
Paul
--
.''`. Paul Tagliamonte <paultag@debian.org>
: :' : Proud Debian Developer
`. `'` 4096R / 8F04 9AD8 2C92 066C 7352 D28A 7B58 5B30 807C 2A87
`- http://people.debian.org/~paultag
The next time you defend a predator and say,
'Oh, he was just a child,' remember the faces
of the innocent little ones whose childhood was stolen.
I have mixed feelings about that. It was not "just a child". As the
judge told us, it was the child and the negligent adults together who
left
Jennifer Bicha to suffer this torture. Many other legal cases
have made similar conclusions, including one high profile case where they
recently decided parents were guilty when their child engaged in a schoolyard
shooting spree.
On 3-4 May 2014, the first
OSCAL conference took place in Tirana,
Albania. (
Fedora wiki page). Photos released by the conference organizers suggest
over eighty percent of the participants were young women. In every other
country, we would normally see the gender statistics reversed. In
Albania various theories have appeared about why large numbers of women
came to these events. Some of the women have ended up moving to the city of
Brno in the
Czech Republic.
On 13 July 2014, Italian newspaper La Repubblica publishes a
report about an interview between Pope Francis and editor Eugenio Scalfari.
The late
Pope Francis allegedly told
Eugenio Scalfari that his own advisors have suggested that two percent
is an accurate estimate of the number of priests who are paedophiles. He
deplores their behaviour but on the other hand he insists it is no higher
than the percentage of paedophiles in any other profession.
"Among the 2% who are paedophiles are priests, bishops and cardinals. Others, more numerous, know but keep quiet. They punish without giving the reason,"
"I find this state of affairs intolerable,"
The comment about punishments resonates with many of the
Debianism scandals over the years.
Likewise, the two percent estimate can be applied to large free software
organisations like
Debianism and the
FSFE misfits. These groups typically have a few hundred core participants
and a few thousand loosely affiliated contributors. In the recent
Debianism election, a thousand people were registered to vote. Two percent
of that is twenty paedophiles.
In August 2015, according to reports from the high-profile hush-money trial,
Donald Trump, his lawyer
Michael Cohen and National Enquirer editor
David Pecker had a meeting and agreed on a catch-and-kill plan. It was
alleged that if any woman tried to sell a story about
Donald Trump,
Pecker would buy exclusive rights to the story and then keep the story
hidden until after the election. Similar plots have been created in
open source software communities.
Debianists created the "anti-harassment" team. Fedora has a
"Community Team". These teams pretend to listen to complaints. If a woman
ever makes a complaint about one of the oligarchs or the men employed
by the controlling corporations then the story is covered up.
The woman who made the complaint will receive a polite response but
she will not be invited to any more events. The same theme emerged in the
Harvey Weinstein saga.
Harvey Weinstein's team was afraid some women posed a risk. They
told other movie producers to avoid the women and lock them out of
the industry. Eventually, Lord of the Rings director Peter Jackson
admitted he had excluded some actresses after receiving
Harvey Weinstein's warnings to avoid them. This is the same
phenomenon described by
Lunduke in his report
Fedora's Code of Conduct: 200 Day Response Time, Only Protects You if Red Hat
Likes You.
In November 2015,
the movie Spotlight was released in cinemas. It is a biographical film based
on the 2002 Spotlight investigation that exposed the phenomenon of
clerical abuse in Boston. A lot of
Catholics and people from other religions have watched the film. In one of the
key scenes in the movie, they discuss the research of
Richard Sipe, who suggests that two percent of men in the general
population are paedophiles but the rate in the
Catholic abuse context is alleged to be six percent. Many people have
speculated whether or not the figure is true and whether the church is
really responsible for it or whether it is some factor out of their
control.
There are approximately one thousand developers in
Debianism today. If two percent are paedophiles that would be twenty
men. We only know the identity of one,
Jeremy Bicha. Who are the other nineteen? We have evidence about
Elio Qoshi's underage girlfriend but in that case,
Qoshi is not a Debian Developer so he is not in the same group for
statistical purposes.
Looking at the culture of
Debianism, it has some awkward similarities to the
Catholic abuse crisis. Therefore, we need to consider the possibility
that the percentage of Debian Developers who are paedophiles, like the
percentage of priests, may be above the two percent average for the
population. If six percent of Debian Developers are paedophiles, that is
sixty paedophiles.
Subject: Jacob Appelbaum and harrassement
Date: Wed, 15 Jun 2016 13:48:53 +0200
From: Mehdi Dogguy <leader@debian.org>
To: debian-private@lists.debian.org
Hi all,
Jacob Appelbaum is currently facing some serious accusations in other
communities, and DAMs are aware of at least two Debian Developers who
have lived and have witnessed situations that are a clear case for
worry.
[ ... snip defamation crap ... ]
None of the emails really tells us what is a "clear case for worry",
to this day, it is still not clear at all.
In contrast, the accusations against
Jeremy Bicha were very clear. He is accused of abusing his little
sisters and at least two other victims. He admitted these accusations
too.
Notice it is a lot like the vendetta against
Ted Walther from
DebConf6. He never committed any crime but after somebody spread a
rumour that his female friend was a prostitute, it took barely one hour
for the whole conference dinner to turn against him and erupt into
violence.
In both the case of
Ted Walther (2006) and
Dr Jacob Appelbaum (2016), the rogue
Debianists have been far too arrogant to admit the rumours were falsified
and give these men and their families the apology they deserve. Yet they are
asking us to ignore the very real abuse convictions against
Jeremy Bicha and welcome him with open arms.
In April 2017,
Chris Lamb was elected for the first time as the leader of
Debianism. One week later, the Fellowship elected me as their
representative to the
FSFE misfits in Berlin. From this point on,
Chris Lamb appeared to be jealous and resentful that another
Debian Developer was in a leadership position in the community.
Today, we see a similar rivalry between the US President
Donald Trump and the other American head of state,
Pope Leo from Chicago.
When women had complaints about certain oligarchs, they had a choice
between going to
Chris Lamb or telling me about it in my capacity as
Fellowship representative.
Women were coming to me with evidence about problems in the community.
Some of the large corporations would have preferred to see those women
reporting problems through channels controlled by the corporations.
To: Jeremy Bicha <jbicha@ubuntu.com>
Cc: debian-newmaint@lists.debian.org, nm@debian.org, archive-184@nm.debian.org
Subject: Re: Jeremy Bicha: Declaration of intent
From: Andreas Henriksson <andreas@fatal.se>
Date: Fri, 12 May 2017 08:55:11 +0200
Hello!
I have personally worked with Jeremy Bicha <jbicha@ubuntu.com> in the
pkg-gnome team where he has been an outstanding contributor for a
sufficiently long time and I know jbicha having full unsupervised
unrestricted upload access to the archive would benefit us in the
team and likely also Debian as a whole on an even wider scale
than before.
I'm aware Jeremy is also very active in Ubuntu and GNOME upstream.
I find it that Jeremy is very good at interacting with upstream as
well as avoiding/resolving conflict or disagreeing opinions, which
means he has at least two skills that I think we should have more
people like in Debian.
For any AM tasked to question Jeremy I would say you can skip
any regular packaging related questions. If you want to give
him some challenge you might want to focus on a more complicated
philosophical question or ask him specifically about Debian
infrastructure and procedures related to those (as he mainly
uploads to Ubuntu and AFAIK has only made very limited use of his
DM privileges because of the pkg-gnome streamlined sponsorship
workflow).
But to be frank, please consider just fast-forwarding jbicha through
the entire process because any potential knowledge-gap he might
have I'm more than sure we can discuss and handle those within
the pkg-gnome team which has many very experienced DDs that would
happily assist jbicha if needed.
Regards,
Andreas Henriksson
Here is the other advocacy:
To: debian-newmaint@lists.debian.org
Cc: Jeremy Bicha <jbicha@ubuntu.com>, nm@debian.org, archive-184@nm.debian.org
Subject: Jeremy Bicha: Advocate
From: Gianfranco Costamagna <locutusofborg@debian.org>
Date: Fri, 12 May 2017 09:25:12 -0000
I support Jeremy Bicha <jbicha@ubuntu.com>'s request to become Debian Developer, uploading.
I have worked with Jeremy Bicha for quite some time, even if I sponsored just a few packages for him (in Debian).
His work is excellent, he really cares about keeping his packages in a good shape, he cares about transitions and he is quick in reacting when problems are found.
Debian will benefit a lot from his work.
I have personally worked with Jeremy Bicha <jbicha@ubuntu.com> (key 4D0BE12F0E4776D8AACE9696E66C775AEBFE6C7D) for X time,
and I know Jeremy Bicha can be trusted to be a full member of Debian, and have unsupervised, unrestricted upload rights, right now.
Thanks Jeremy for finally starting the process!
Gianfranco
Those are very positive things to write about somebody who has just been
released from prison on parole.
On the weekend of 13 and 14 May 2017, the fourth
OSCAL conference took place in Tirana,
Albania. A girl of fifteen or sixteen years of age created an
online profile for herself in the
Discourse forum software used by the Albanian
Open Labs group. We subsequently learnt this was the girlfriend of
Elio Qoshi, one of the
Albanian ringleaders.
At exactly the same time they are processing
Jeremy Bicha's ordination as a Debian Developer, we saw
Dominik George going through exactly the same process. Messages about
Dominik George explicitly refer to children:
To: Dominik George <nik@naturalnet.de>
Cc: debian-newmaint@lists.debian.org, nm@debian.org, archive-175@nm.debian.org
Subject: Re: Dominik George: Declaration of intent
From: Holger Levsen <holger@layer-acht.org>
Date: Mon, 15 May 2017 14:09:15 +0000
Hi,
sorry for the delay in writing this…!
On Mon, Apr 24, 2017 at 06:54:13PM -0000, Dominik George wrote:
> I would like to apply to change my status in Debian to Debian Developer, uploading.
yay, this is pretty good news for Debian and for Debian Edu and probably a
bunch of others! :-)
I've met Dominik the first time for "real" (*) at the Debian Edu gathering
in Oslo in December 2016 where I could see him working & discussing and also
learned a few things he does outside Debian, which also involves computers,
kids & schools.
(*) we've briefly bumped into each other before and said hi or so :)
http://layer-acht.org/thinking/blog/20161221-debian-edu-sprint-in-oslo/
shows him wearing a DebConf15 t-shirt, so you might have met him too ;)
Not related to Debian, but very much showing his dedication,
is that he is involved in another project with kids + young adults, which
in the last years brought 20-30 young adults to the chaos communication congress:
https://www.teckids.org/hacknfun_2016_xmas.htm
The technical discussions we had in Oslo, plus the ones I've seen on IRC,
plus the questions he had and the attitudes he showed make me believe that
Dominik will be a great DD and contributor to our project and beyond!
I cannot fully vouch for him technically, as we work on different areas in
Debian Edu and I've only reviewed bits of his work, but I'm confident he'll
manage NM well! So I'm much looking forward to him becoming a DD!
--
cheers,
Holger
I will progress this application and assign an application manager shortly, but the key issues need to be resolved before the application can be finalised. Please work with your AM on that.
Where he writes "key issues", he is referring to issues with the PGP key.
There is no reference to the abuse.
Subject: Jeremy Bicha: Application Manager report
Date: Tue, 08 Aug 2017 21:09:52 -0000
From: Gunnar Wolf <gwolf@gwolf.org>
To: debian-newmaint@lists.debian.org
CC: Jeremy Bicha <jbicha@ubuntu.com>, archive-184@nm.debian.org,
nm@debian.org
I have reviewed Jeremy Bicha's answers for the NM process, and am more
than satisfied by them. I have also been approached in DebConf by his
team mates, who very strongly recommended him as a DD. I am of the
opinion the project will win quite a bit having him as a full DD with
unimpeded upload rights.
Gunnar Wolf (via nm.debian.org)
--
https://nm.debian.org/process/184
People are cheering him on:
Subject: Re: Jeremy Bicha: Application Manager report
Date: Tue, 8 Aug 2017 18:17:15 -0400
From: Andrew Shadura <andrew@shadura.me>
To: debian-newmaint@lists.debian.org
CC: Gunnar Wolf <gwolf@gwolf.org>, Jeremy Bicha <jbicha@ubuntu.com>
On 8 August 2017 at 17:09, Gunnar Wolf <gwolf@gwolf.org> wrote:
> I have reviewed Jeremy Bicha's answers for the NM process, and am more
> than satisfied by them. I have also been approached in DebConf by his
> team mates, who very strongly recommended him as a DD. I am of the
> opinion the project will win quite a bit having him as a full DD with
> unimpeded upload rights.
Yay! Congrats! :)
--
Cheers,
Andrew
From 14 to 18 July 2017, the
Digital-Born Media Carnival was held in Kotor,
Montenegro. Some of the women from open source software groups in
Kosovo and
Albania attended. Kotor is an ancient seaside village without any
modern high-rise tourist accommodation. Visitors stay in bed and breakfast
accommodation or holiday houses. On the last night of the carnival, there
was a party by the waterside. The next morning, as we were departing, I
saw one of the
Albanian women coming out of a holiday house that had been rented by
a group of men from another country. There was a bit of hand-holding and
a kiss goodbye. Every time the woman is selected for an internship or
a conference speaking opportunity, over and above every other woman in
the community, I remember that last day in Kotor.
If you are involved in a sports club and you observe somebody had
a one night stand with another member you might not feel any need
to mention it or cause embarrassment. However, open source software
hobbyists are claiming to be a model of integrity, merit and security.
Social engineering attacks are often rated as the biggest risk
to modern organisations and their IT systems.
Shortly after that, the
Open Labs non-profit in
Albania had their birthday party in the hackerspace. At least two
underage people were there and at least one of the other women identified
them to me. Separately, women had told me that the youngest girl was
dating the co-founder of the group
Elio Qoshi. They told me a lot of things about
Elio Qoshi, I observed some of those things with my own eyes and I
observed written evidence in requests for travel funding that confirmed
what the women had told me in person. Eighty percent of the group were
female but a lot of the money did not go into the non-profit bank account.
The money was managed by an accountant but there were rumours that the
same accountant was also managing the bank accounts for
Elio Qoshi consulting company. The women on the committee had never
seen a balance sheet or a profit & loss statement for the non-profit
entity.
In September 2017, they promoted an event called
FOSSCamp. Instead of organising it in
Albania, they decided to organise it in a more expensive destination,
Greece and they asked bigger organisations to pay the travel
expenses for a group of people, many of them who were simultaneously
members of the non-profit but also employees of
Elio Qoshi's commercial enterprise. Questioning them about the
event budget, we reached the point where
Elio Qoshi admitted that one of the amounts charged to the bigger
organisations like
Debian was really a payment for his effort organising the event.
The women who collaborated on the organisation did not receive any
equivalent payment. Yet each woman was asked to send a request to
Debian,
Mozilla,
Wikimedia and maybe other organisations asking for diversity funds
to pay the bus fares, ferry tickets, accommodation and management fee.
In the photos from the conference in May 2017, we could see over twenty
young female students participating. Yet women told me that access to
the trip to
Greece was more tightly controlled. Women needed to get permission
to join this trip.
Various people noticed that two or three men were acting as gatekeepers
and rationing funding and travel opportunities for all the women.
Chris Lamb and I were both warned that something dishonest was
happening. I asked questions but
Lamb didn't want to spoil whatever was going on there.
Here is an example where one of the men is giving one of the women,
Anisa Kuci, permission to go on the trip to
Greece:
Subject: Re: Debian at FOSScamp - funding request
Date: Sun, 13 Aug 2017 19:01:58 +0300 (EEST)
From: Giannis Konstantinidis <giannis@konstantinidis.cc>
To: Chris Lamb <lamby@debian.org>, Silva Arapi <silva.arapi@gmail.com>
CC: leader@debian.org, treasurer@debian.ch, auditor@debian.org,
daniel@pocock.pro, Redon Skikuli <redon@skikuli.com>, ping@anisakuci.com
Hey everyone,
just wish to inform you that unfortunately, due to unforeseen external
factors, I won't be able to make it. I'd like to thank the Debian
community for the generous support. We will stay in touch.
To make sure Debian makes the maximum possible impact at FOSSCamp, I'd
like to suggest Anisa Kuci (cc'ed) takes my place. Anisa has been a
longtime experienced member of Open Labs Hackerspace, co-organized OSCAL
and is very much interested in further contributing to Debian.
Thanks once more. I wish the best success to Debian and your
participation at FOSSCamp.
Kind regards,
-Giannis K.
Something was not right about this. It is clear that
Chris Lamb, as the leader of
Debianism, had been informed about it since this moment in time
or earlier.
Some women see this type of thing as a sport and they actively seek to
join organisations where they can take shortcuts. Other women were
attracted by the promise of an educational or philosophical project,
they contributed their time and skill helping one or two events in
Albania and then discovered that to qualify for a trip abroad, they
had to do the same things the girlfriends were willing to do. Some
of the women felt even more strongly about this, as it impacts their
professional relationships and job searching, they feel the male
gatekeepers are blackmailing them for sex.
In September 2017,
Jeremy Bicha introduced himself on the debian-private (leaked)
gossip network. He stated he is from
Florida and presented himself as a victim of a woman called Irma
(the hurricane):
Subject: Re: Irma
Date: Sun, 10 Sep 2017 13:52:08 -0400
From: Jeremy Bicha <jbicha@debian.org>
To: debian-private@lists.debian.org
On Sep 8, 2017 15:55, "Jeremy Bicha" <jbicha@debian.org> wrote:
I intend to follow-up on this list on Monday to let you know I'm ok.
Monday is probably too optimistic because of widespread power outages, but I'll check in when I can.
Jeremy Bicha
Subject: Open Labs / Tirana issues
Date: Thu, 12 Oct 2017 18:15:17 +0200
From: Daniel Pocock <daniel@pocock.pro>
To: Larissa Shapiro <lshapiro@mozilla.com>
CC: Kristi Progri <kristi@kristiprogri.com>
Hi Larissa,
I understand you have received some feedback about issues in Tirana.
I was there from 27 September - 5 October and observed some of the
troublesome behavior and the impact on people like Kristi.
The behavior towards Kristi and some of the other women is wrong. I can
also see a danger that challenging the people or their behavior may
split the Open Labs group. Nonetheless, I suggested to Kristi and Anisa
that they should put their own wellbeing first.
I sent a funding request to the Outreachy organizers to sponsor Kristi's
trip to Prishtina where she gave a talk at our Mini DebConf. When I
mentioned this funding in the hackerspace, Redon queried this quite
strongly. I don't feel it is any of his business though if I want to
recommend somebody for funding. The following day, Kristi told me that
Redon had called her and shouted at her. The shouting was apparently
witnessed by other women in the hackerspace with Redon. I reported the fact there are problems in the Debian anti-harassment process.
Various people told me that travel sponsorship should be "shared" and
this attitude seems to be connected with Redon's behavior.
I've told Kristi that she did nothing wrong and did not deserve to be
shouted at.
Another problem that occurred to me is that one person who received
Mozilla travel funding, [ .. redacted ..], is 16 years old and is not
legally an adult.
[ .. redacted .. ]
Regards,
Daniel
The discussion continued. The underage risk was acknowledged on the
Mozilla side:
Subject: Re: Open Labs / Tirana issues
Date: Fri, 13 Oct 2017 23:12:14 +0200
From: Daniel Pocock <daniel@pocock.pro>
To: Emma Irwin <eirwin@mozilla.com>, Larissa Shapiro <lshapiro@mozilla.com>
CC: Kristi Progri <kristi@kristiprogri.com>
[ .. redacted .. ]
> I can comment on under-aged contributors - we do have those from time to
> time, and usually on trips at least parents or chaperon are required.
>
Having underage contributors is not an issue itself and I have no
objection to that.
The issue arises when other groups or businesses align themselves with
local Mozilla groups and seek to benefit from those contributors. I'm
not sure how to deal with that risk completely but there are probably
some things Mozilla could do in that area.
Regards,
Daniel
The discussion about underage continued in more emails:
Subject: Re: Open Labs / Tirana issues
Date: Sat, 14 Oct 2017 08:27:24 +0200
From: Daniel Pocock <daniel@pocock.pro>
To: Larissa Shapiro <lshapiro@mozilla.com>, Emma Irwin <eirwin@mozilla.com>
CC: Kristi Progri <kristi@kristiprogri.com>
On 14/10/17 01:51, Larissa Shapiro wrote:
> I'm not sure, but I can seek legal advice on this matter. In my view,
> there is the potential there for other organizations to take advantage
> of these kids.
>
Even if there is no legal problem (in some countries the laws are very
weak), there is also a risk to the reputation of Mozilla and free
software in general.
I wonder if there are other organizations concerned with children's
safety who can help free software organizations develop a reasonable
approach to this risk?
I realize no organization can stamp this out 100%, but there may also be
some little things that can be done to help reduce risk. E.g. maybe
when Mozilla funds travel, requiring the parents to fill out a chaperon
form that must be submitted with receipts, so Mozilla gets the parent's
contact details and the parents see some child safety text on the form.
Somebody trustworthy could sporadically contact parents and the underage
contributors to sniff out any hints of trouble.
Regards,
Daniel
A few weeks later...
Subject: Re: Open Labs / Tirana issues
Date: Wed, 20 Dec 2017 09:19:39 -0800
From: Emma Irwin <eirwin@mozilla.com>
To: Daniel Pocock <daniel@pocock.pro>
Hi Daniel,
Would you be willing to talk to Marta (HR Investigator) and myself about Redon & Elio and your experiences and what you have witnessed?
Thank you
Having informed at least three other organisations who funded this racket,
including
Debian and
Mozilla, my conscience is clean. Nobody can accuse me of protecting an
abuser.
On 25 February 2018,
Jeremy Bicha submits an advocacy for another
Ubuntu developer,
Tim Lunn to become a Debian Developer:
Subject: Tim Lunn: Advocate
Date: Sun, 25 Feb 2018 15:07:40 -0000
From: Jeremy Bicha <jbicha@debian.org>
To: debian-newmaint@lists.debian.org
CC: Tim Lunn <tim@feathertop.org>, archive-455@nm.debian.org
For https://nm.debian.org/process/455/ on 25 February 2018 :
I support Tim Lunn <tim@feathertop.org>'s request to become Debian
Maintainer.
I first started working with Tim in 2012 on packaging for the Ubuntu GNOME
project. Without Tim, Ubuntu GNOME would not have survived.
Tim and I have been interested for a while in reducing the diff and
duplication of work between Debian and Ubuntu with GNOME packages. Tim
getting upload rights to these packages will help with this goal and will
help make Debian GNOME better for our users.
I have personally worked with Tim Lunn <tim@feathertop.org>
(key 0E0880479A6F1063372395275B39C0A1153ACABA) for several years, and I
know Tim Lunn can be trusted to have upload rights for their own packages,
right now.
Thanks,
Jeremy Bicha
In early March 2018, I posted a message in the
Albanian open labs forum asking why some of the money from the non-profit
Open Labs group was being diverted to a private company,
Ura Design, controlled by
Elio Qoshi. I had observed the women were doing all the work for
free in the non-profit association but some of the men were getting
financial benefits out of that work.
The
Albanian ringleader
Elio Qoshi admits complaining to
Chris Lamb, leader of
Debianism, to help cover up the conflicts of interest. In fact,
the relationship between
Open Labs and
Ura Design was analogous to the relationship between
Debian and
Freexian. Although in this case, it was worse, because there was
also the underage problem. Would the leader of
Debianism put the protection of an
Albanian pimp with an underage girlfriend ahead of the work done
by a real Debian Developer?
Subject: [English] FOSScamp 2017 @ Syros, Greece
Date: Mon, 05 Mar 2018 12:16:45 +0000
From: Elio Qoshi <info@openlabs.cc>
Reply-To: Open Labs Hackerspace Forum <forum+ecf37220dfcc7e2ec1a56392b7b00781@openlabs.cc>
To: daniel@pocock.pro
[ ... snip ... ]
I will try to keep this short but I’m not sure how much I will succeed in that, as this will definitely be the last reply from my side here. I have reached out to the Debian Project Leader to close this issue once and for all.
[ ... snip ... ]
On 5 March 2018 I wrote to women from
Albania asking them to share copies of evidence about
Elio Qoshi hurting and exploiting women. The Debianism leader
Chris Lamb immediately barged in with the comments:
Subject: Re: "free travel"
Date: Mon, 05 Mar 2018 16:40:00 +0000
From: Chris Lamb
To: Daniel Pocock, Anisa Kuçi
CC: leader@debian.org, larjona@debian.org, antiharassment@debian.org
[Adding antiharassment to CC]
Daniel Pocock wrote:
> If Elio or anybody else has made any other comments like this on the
> private members channel or Telegram and you want to discuss them with me
[..]
Anisa, please feel free to drop Daniel from any replies you wish to make, if
you even wish to do so.
(Daniel, thank you for your concern but we have got it from this point
onwards. There will be no need for you to reply further on this thread.)
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org / chris-lamb.co.uk
`-
This is the catch-and-kill strategy that had been described
earlier. When women had a story about
Donald Trump, they were encouraged to give the story to the
National Enquirer and not talk to anybody else. What we see is the leader of
Debianism knew about
Elio Qoshi and he didn't want me, as the Fellowship representative,
making an independent assessment of the underage scandal.
In the
Catholic abuse crisis many senior cardinals and bishops are alleged
to have known about abuse and failed to protect people. In the
specific case of
Gerald Ridsdale described earlier, one of the victims, his nephew
David Ridsdale told the Royal Commission that the late
Cardinal George Pell had offered him a bribe for silence. The
woman corresponding with
Chris Lamb and me was
Anisa Kuci. She was given a series of free trips around the world,
internships and eventually a job at
GNOME.
At the time of that exchange,
Anisa Kuci ignored
Chris Lamb's condescending words and replied in full:
Subject: Re: "free travel"
Date: Mon, 5 Mar 2018 23:51:28 +0100
From: Anisa Kuci <anisakuci9@gmail.com>
To: larjona@debian.org
CC: Chris Lamb <lamby@debian.org>, Daniel Pocock <daniel@pocock.pro>,
leader@debian.org, antiharassment@debian.org
Hello Chris, Daniel, Laura,
Thank you very much for being so supportive.
I read the comments on the thread and to be honest I am really sad that
Elio [Qoshi] said that. It is not true at all.
They (Elio [Qoshi] & Redon) pretend to support women but on the other hand their
behavior towards many of us shows the opposite.
Daniel I feel bad because you have encouraged and helped not only me,
but so many other people, no matter if they are Open Labs members or
not, and also all the attendees from Kosova to learn new things, to work
and improve their skills and knowledge. They are doubting your good
intentions just to remove the attention from the shady things that they
are doing.
The free travel comment is really offensive to me and I feel it should
be offensive to every woman who is part of the community.
I have been contributing and supporting Open Labs since its early days,
and I have put a lot of effort and time, I do this because I believe in
what it is meant to stand for and without waiting something in exchange,
but the situation lately has been not very positive. Daniel has been
present by chance in few cases where situations have been very hard to
go through.
I would definitely like to talk to any of you and tell you more about
everything that is happening here, it's fine to me whether it is a video
call, call or just emails.
Please tell me what would be more convenient to you.
Kind greetings,
Anisa
In May 2018, immediately after that lunch, the
FSFE misfits modified their constitution to
remove the elections for Fellowship representatives. I was the last
person elected as a Fellowship representative before the democracy was
trashed. The
FSFE misfits count
Google and
Red Hat as significant sponsors and they didn't want the Fellows to
have a voice if that voice may not be identical to the voice of the
corporate overlords.
In June 2018, the women from
Albania were offered sponsorship for travel to
DebConf18 in
Taiwan. For the cost of transporting one woman from
Albania to
Taiwan, you could transport five women from countries that are much
closer in south-east Asia.
Subject: Re: [rt.debian.org #7328] DebConf travel pre-payment requests
From: Martin Michlmayr
Time: Fri Jun 29 08:56:42 2018
* Hector Oron [2018-06-28 10:55]:
> I added Martin to the list, he'll be taking care of flight ticket
> purchase if you send him flight details.
This has been taken care of.
--
Martin Michlmayr
https://www.cyrius.com/
Here is an example from a male intern who was waiting for payment long after
DebConf15 finished:
Subject: Re: [Soc-coordination] DebConf travel / GSoC student payments?
Date: Wed, 25 Nov 2015 00:25:18 +0530
From: Komal Sukhani <komaldsukhani@gmail.com>
To: Michael Schultheiss <schultmc@spi-inc.org>
CC: treasurer@spi-inc.org, soc-coordination@lists.alioth.debian.org
Hi Michael,
I still haven't got the DebConf travel reimbursement. Have you made the payment?
Sorry for trouble.
On Mon, Nov 2, 2015 at 9:54 AM, Michael Schultheiss <schultmc@spi-inc.org> wrote:
Apologies for the delays in payments. I should have the payments processed this week and payments should be received in approximately 1-2 weeks.
Pictures appeared during the conference showing us
Lior Kaplan from
Israel with his arm around a young woman. This is the same woman who had
her ticket purchased in advance.
In July 2018
Enrico Zini gave a talk titled "Multiple People" at
DebConf18 in
Taiwan. There have been a series of these talks over the years where
these men seek out introverted young male developers who lack confidence.
Remember the case of the young French transgender
recruited straight out of high school. This slide appears to be
telling us that paedophiles and
registered sex offenders are welcome:
Spectrum (Enrico Zini)
Every color is ok.
Think about who you are,
not about who you should be.
In July 2018,
Debianists were having a discussion about whether the weboob
package should remain in Debian or be removed. Here is one of the private
emails about it. Notice they want to remove the package that makes vague
references to female anatomy but they welcomed the guy who is on parole
for sex crime against his little sisters.
Subject: Re: weboob package
Date: Thu, 12 Jul 2018 16:24:28 +0200
From: Ansgar Burchardt <ansgar@debian.org>
To: debian-private@lists.debian.org
On Thu, 2018-07-12 at 14:48 +0100, Ian Jackson wrote:
> Colin Watson writes ("Re: weboob package"):
> > (I haven't decided what I think should be done about it; certainly
> > if I
> > were the maintainer I'd want to disassociate myself from it as
> > quickly
> > as possible ... but the quoted text is a terrible argument.)
>
> Quite.
>
> What on earth could one do as the maintainer of such a thing ? Write
> some kind of machinery (a git-filter-branch construction maybe) to
> automatically rename all this arseholery ?
Oh, come on. It's not like they liken setting up an interrupt handler
with rape like, for example, Xen does. I would certainly think less of
those who associate themselves with this kind of thing.
There is no incest sex involved either (unlike for example [1]). No
glorification of genocide, ethnical cleansings or such either (same
file as [1]). (Hmm, I wonder what happens when one submits a patch for
that...)
Sadly we are associated with it, by virtue of packaging it, and thus
promoting it. And I'm ashamed and embarrassed to be associated with
such hateful content.
> I also note that the upstream webpage lists the logos of a number of
> companies, which I hope have some kind of corporate
> not-looking-like-a-total-wazzock policy. I CBA to complain to them,
> but maybe someone would like to start a fire on Twitter.
Yes, please go and start a nice shitstorm. A great idea, brilliant.
Ansgar
[1] https://sources.debian.org/src/bible-kjv/4.30/bible.rawtext/#L495
Subject: Re: weboob package
Date: Fri, 13 Jul 2018 14:29:58 +0200
From: Axel Beckert <abe@debian.org> [ ETH Zurich ]
Organization: The Debian Project
To: debian-private@lists.debian.org
Hi,
Jonathan Dowland wrote:
> Yesterday I stumbled across the "weboob" package for the first time,
> which includes a slew of binaries with names similar to the following:
[...]
So what? I don't see any problem with that. (And I don't see why
there's a thread on debian-private about it.)
Regards, Axel
--
,''`. | Axel Beckert <abe@debian.org>, https://people.debian.org/~abe/
: :' : | Debian Develoober, ftp.ch.debian.org Admin
`. `' | 4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5
`- | 1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE
Jeremy Bicha himself weighed in on the discussion after
Ansgar brought up the incest:
Subject: Re: weboob package
Date: Thu, 12 Jul 2018 10:53:32 -0400
From: Jeremy Bicha <jbicha@debian.org>
To: ansgar@debian.org
CC: debian-private@lists.debian.org
On Thu, Jul 12, 2018 at 10:24 AM Ansgar Burchardt <ansgar@debian.org> wrote:
> There is no incest sex involved either (unlike for example [1]). No
> glorification of genocide, ethnical cleansings or such either (same
> file as [1]). (Hmm, I wonder what happens when one submits a patch for
> that...)
>
> Sadly we are associated with it, by virtue of packaging it, and thus
> promoting it. And I'm ashamed and embarrassed to be associated with
> such hateful content.
Please stop.
At a minimum, if you are serious about removing Bible texts from
Debian, please start a separate thread instead of derailing this
topic. But I think you may have trouble finding consensus for that
viewpoint and I expect it will stir up lots of conflict.
Thanks,
Jeremy Bicha
This is the reality of the so-called diversity in
Debianism: gay male employees in a range of companies and universities
discussing female anatomy with a
registered sex offender during their working hours.
In September 2018, I completely resigned from my role as Fellowship
representative to
the FSFE misfits. I discontinued all involvement with the group and
I encouraged other people to resign too. Therefore, as I resigned and
made the resignation public, there was no way I had any involvement in
the subsequent scandals with women hired in 2019. Those women were only
hired after I resigned. All the complaints made by women concern
psychological abuse from Matthias Kirschner.
In November 2018, the Wayback Machine captured a snapshot of the team in
Elio Qoshi's private company
Ura Design. We can see the underage girl, who may be 17 by this point
in the story, is now being paid to be a
system administrator. System administrators normally have access to all
the data in a company, including the emails of their own bosses and their
colleagues. In small IT companies like this the director normally keeps the
system administrator powers for himself. It is worth remembering the incident
from the team St Kilda in
Australian football. One of the players was dating the woman known as the
St Kilda schoolgirl,
Kimberley Ametoglou (Kim Duthie). Kim was not really from St Kilda,
she was from Frankston, like
Julian Assange. She expertly extracted all the nude photos of the players
from her boyfriend's computer and published them in what came to be known as
dikileaks. It seems highly unlikely
Elio Qoshi was giving his underage girlfriend access to all his files and
emails. In practice, this appears to be a case of privilege escalation.
The men would put the pictures of the young women on a web site like this
to help the women create an online profile. The women would apply to
bigger organisations for travel grants and speaking opportunities at
community conferences.
This is a photo from the
OSCAL conference in
Albania in 2016. There are so many more women than men in the photo.
What is the real reason more women than men were coming to the
OSCAL conferences? Young female students in
Albania earn approximately ten euros per day working in shops and
restaurants. Did somebody pay these girls to attend conferences and make
it look like a real community? One of the women was told that an
Outreachy internship would be too difficult for her but one of the men offered
to help her submit the application if she gave him half the salary.
Even after my lawyer warned him to terminate all attempts to communicate with
me and send someone else to pick up my work laptop, he came in person to my
house, and was very irritated that I was not alone.
What these incidents reveal is the oligarchs in these groups have come
to view the volunteers and the female subordinates as possessions. The
oligarchs feel they have some God-given authority to make decisions about
the lives of those around them.
In late 2018 or early 2019 one of the
Albanian female whistleblowers was given a job at the
GNOME Foundation.
Kristi Progri has been a member of the committee in the non-profit
Open Labs hackerspace in
Albania. She had been one of the organisers of the
OSCAL conferences. She seems to know the identity of every man
who visited
Albania for these conferences. She knows the age of every young
woman who participated in the conferences. Ever since she started
receiving a salary from
GNOME Foundation, there has been no more evidence about
Elio Qoshi and the underage relationships.
On 2 February 2019, at the
FOSDEM conference in Brussels,
Belgium,
Molly de Blanc gave a talk about how companies can bully volunteers with
Code of Conduct gaslighting.
In the slides for her talk, she had selected an infamous graphic of a
cat behind bars:
In 2019,
Google decided to reduce the salaries for
Google Summer of Code (GSoC) interns from $6,000 down to as little as
$3,000 based on each intern's country and
a formula for purchasing power parity. However, the parallel
Outreachy internships, which only pay money to single young women and
don't require the women to write any code, have continued increasing their
salaries a little bit almost every year. For example, a slim and attractive
single young woman in Russia, eastern Europe, India or Brazil is offered
$3,000 to participate in
Google Summer of Code but if the same woman wins an
Outreachy internship, she gets $6,000 and a lot of free trips.
In February 2019, journalist
Frederic Martel released his book
In the Closet of the Vatican. He alleges that eighty percent
of priests in the Vatican are homosexual. In some open source software groups,
including
Debianism, we seem to be looking at a prevalence of homosexuality that
is higher than what is normal for the community at large.
Most gay men are not paedophiles. It is wrong to suggest they would be.
Nonetheless, when a group presents itself as gay-friendly or when a group
provides an opportunity for gay men to gain more respect from society,
as is the case with both the
Catholic church and
Debianism, paedophiles appear to be attracted to the same group.
Therefore, we have to be even more vigilant.
In June 2019, the diversity crowd hijacked the Debian web site and
replaced the logo colours with the colours for Pride month. The majority
of developers did not consent to this:
To: debian-project@lists.debian.org
Subject: Debian supports pridemonth?
From: Gerardo Ballabio <gerardo.ballabio@gmail.com>
Date: Fri, 28 Jun 2019 11:48:18 +0200
Hello all,
I've just seen this on https://micronews.debian.org/ :
"In support of #pridemonth, Debian changes its website logo. The
Debian Project welcomes and encourages participation by everyone
https://www.debian.org/intro/diversity "
May I please ask who decided that and where was it discussed? (I can't
find anything about it at least on -project.)
I do not think that this is appropriate. Welcoming diversity is one
thing, supporting pridemonth is another thing. Pridemonth is a set of
events with a definite political connotation. I don't think that
Debian should take sides on any specific political issues (except of
course issues that have a relation to free software), especially if
that hasn't been discussed at large among project members and there
isn't a clear consensus.
Is it just me (and am I being blatantly wrong, if so please enlighten
me) or do others share my concern?
Thanks
Gerardo
(Not subscribed, please keep me Cc:d)
It feels creepy when these things happen. The people who do these
things don't care about consent. They feel that what is good for them
is good for everybody else too.
In the US Civil Rights movement, there were groups like the
Black Panthers who were very similar to the
Zizian diversity gang in open source software communities. These
people do as they please and they don't care about the law or the
impact on the lives of those they hurt.
Why did they want so many women from
Albania and
Kosovo to visit
DebConf two years in a row? Was it some kind of bribe or hush money
arrangement to prevent further discussion about the former Fedora Ambassador,
who had been photographed with
Chris Lamb in 2017?
In her talk, she displays a hand-drawn slide where we can see three
selfish people like herself pushing one of the developers. This is how
the selfish people get things without paying for them. They use gossip
and violence, just like the fight at
DebConf6.
Molly de Blanc: Well we can use our collective power to push others
On 10 August 2019,
Jeffrey Epstein committed suicide in his prison cell.
In August 2019, the
GNOME annual conference
GUADEC was organised in the city of Thessaloniki in the north of
Greece. It is very close to
Albania and women from the nearby Balkan countries were brought to the
conference on busses.
On 17 September 2019,
Dr Sally Muytjens
completed her PhD thesis on the topic
An exploration of the existence of clergy child sexual
abuse dark networks within the Victorian Catholic Church. It is extremely
relevant to the phenomena we see today in
Debianism. Various people have publicly praised a
registered sex offender and helped him recycle his reputation at
exactly the same time they are trashing the reputations of honest
developers. The blackmail tactics they use, the games they play with the
vocabulary of abuse and the way they operate in packs to reinforce
their worldview all resonate with the scandals the church has been working
so hard to move away from.
In the context of police corruption networks, this code of silence extended to
“prohibiting disclosing perjury or other misconduct by fellow officers, or even testifying
truthfully if the facts would implicate the conduct of a fellow officer” (Chin and Zhang
2008, 238). Merrington (2017, 61) found that police corruption networks exploit the
light network’s resources to facilitate DN operations. Research on a sports doping
network showed that protecting the network included inflicting harm through bribery,
bullying and threats and enforced a code of silence (USADA 2012 cited in Bell, Ten-Have and Lauchs 2016, 60). A code of silence or omerta was created by the Italian
mafia and is applied to mafia members and anyone who witnesses mafia criminal
activity to ensure silence regarding their illicit activities (UNODC 2008 cited in Bell,
Ten-Have and Lauchs 2016). Omerta extended to a refusal to give evidence to the
police (Fielding 2017, 17). Similar methods were utilised by clergy perpetrator
networks within the Victorian Catholic Church to maintain silence and, hence,
resilience of the network of clergy CSA.
The 80,000 messages on debian-private and similar archives in the
FSFE misfits,
GNOME and
Mozilla are analogous to the code of silence in other institutions.
In the
Albanian scandal, the unpaid female volunteers were asked to sign a
Non-Disclosure Agreement (NDA) even before they were abused. In other contexts,
such agreements only appear after the abuse and during negotiation of the
settlement.
In November 2019,
Anisa Kuci, the
Albanian woman who was seated closest to
Chris Lamb at the
DebConf19 conference dinner was awarded a $6,000
Outreachy internship. The woman had previously worked as a waitress and
had no software development experience.
Remember the teenage boys doing unpaid work to bootstrap
Debianism back in the 1990s.
Joel "Espy" Klecker,
Shaya Potter and
Chris Rutter. They did a huge amount of technical work,
they received no payments and some of them
died. When these women from eastern Europe arrived people started
popping champagne and opening the chequebook:
Matthew Garrett spread dozens of messages like this without any evidence:
Subject: Re: expulsions vs Reproducible Builds
Date: Tue, 1 Sep 2020 09:52:17 +0100
From: Matthew Garrett <mjg59@srcf.ucam.org>
Reply-To: discussion@lists.fsfellowship.eu
To: discussion@lists.fsfellowship.eu
On Tue, Sep 01, 2020 at 10:26:40AM +0200, Debian Community News Team wrote:
> a) The different approaches taken to complaints about Appelbaum and
> Lange, even though both complaints arrived at the same time.
One of these complaints involved multiple accusations of rape and sexual assault. The other involved an accusation of aggressive and disrespectful behaviour. Do you believe that these things are equivalent?
--
Matthew Garrett | mjg59@srcf.ucam.org
Subject: Re: expulsions vs Reproducible Builds
Date: Wed, 2 Sep 2020 00:40:21 +0100
From: Matthew Garrett <mjg59@srcf.ucam.org>
Reply-To: discussion@lists.fsfellowship.eu
To: discussion@lists.fsfellowship.eu
On Tue, Sep 01, 2020 at 05:59:46PM -0500, quiliro wrote:
> Matthew Garrett <mjg59@srcf.ucam.org> writes:
> > The Universal Declaration of Human Rights does not require that a
> > volunteer organisation grant membership to a rapist, even if said rapist
> > has not been found guilty in a court of law.
> Are you asserting that Jacob Appelbaum is guilty or are you talking about
> someone else? If you cannot prove something, it is a lie.
I am asserting that he's a rapist, an assertion that is backed up by an array of publicly available evidence.
--
Matthew Garrett | mjg59@srcf.ucam.org
These people think that by forming together like a pack of dogs
and repeating the same rumour over and over again they can trick
the whole world to believe it.
One of the reasons dishonest people like
Matthew Garrett make such outrageous lies is to cover up the fact the
"diversity" team was bringing real paedophiles into the world of
open source software. This is a classic trick that every junior
magician knows: make the audience look in some other direction while
you discreetly move around the evidence.
At some point in 2021,
Elio Qoshi joined
Canonical Ltd, the company making
Ubuntu, as an employee. It looks like he was employed there for a number
of years but eventually they removed him in about 2025. They didn't make any
comment about why he was terminated. It looks like it happened around the same
time they eventually cut ties with
Jeremy Bicha in 2025. Here is a screenshot
of his LinkedIn profile when he was in
Canonical Ltd:
Why are the companies supporting the
Albanians like this? Quite simply,
Elio Qoshi knows the identity of every male developer who visited
the conferences in
Albania. He knows who they spoke to. Most men who look for a wife in
these countries are looking for an adult. If one or two men were looking
for something less than legal then they may well have asked
Elio Qoshi, who had his own underage girlfriend, to help them find what
they wanted. He is one of the few people who would know who those men are
and what they did. The controlling corporations don't know what he knows and
they probably don't want to know either. But what they do know is that as
long as he is on somebody's payroll, the secrets will stay buried.
Shortly after that,
IBM Red Hat began a legal case to seize the domain name
WeMakeFedora.org. They used my blog
Google, FSFE & Child Labor as their evidence that I was publishing
"critical commentary". The legal panel ruled in my favor and moreover,
ruled that
IBM Red Hat was using the legal process to harass me.
See the legal documents here.
In hindsight,
now that everybody knows the truth about
Elio Qoshi and
Jeremy Bicha, people can see that I had good reason to publish the grave
concerns I have about the
FSFE misfits recruiting children to do unpaid work.
In January 2022,
Canonical, the company of
Mark Shuttleworth, decided to employ
Jeremy Bicha. It is not clear if he was previously being paid as a
subcontractor while in prison or on parole. It appears that the move to
permanent employment coincided with the end of his parole period in 2021.
Did the company know he was on parole while interacting with their
developers?
In February 2022, people noticed the speaker profile for
Elio Qoshi had been
removed from the web site of the
FOSDEM conference. No explanation was given. When
FOSDEM removed him, other volunteers were never officially warned about
the issues with underage girls and harassment.
On 14 June 2022,
Anisa Kuci, the waitress from
Albania who sat next to
Chris Lamb at the
DebConf19 conference dinner is given voting rights in the
GNOME Foundation. Many real developers do not have voting rights in
these associations and foundations. The oligarchs appear to be stacking
the associations with personal friends who will vote for the same oligarchs
to keep their positions on the board every year.
The woman eventually appears to become an employee of the association
as well. However, it is not clear if she was on the payroll at the
time the oligarchs made her
a voting member.
From 20 to 25 July 2022,
GNOME's annual conference
GUADEC is in
Mexico during the same week that
DebConf22 is in
Kosovo. The two women from
Albania could take the bus to
Kosovo for fifteen euros each but somebody buys them tickets for flights from
Albania to
Mexico. The money paid for these flights could have been used to buy bus
tickets for twenty more women from local universities in central American
countries close to
Mexico.
Jeremy is a member of the Debian GNOME and Canonical Desktop teams. He lives in Florida and this will be the first DebConf he has attended. [in the year after his probation finished]
Fact checking, over 20,000 women in
Kosovo reported being victim of rape as a war crime back in the late 1990s.
Many of the young women I met at events in
Kosovo appear to have been born at the time of the war.
Trevor Kitchen, a 41-year-old British citizen resident in Switzerland, was arrested by
police in Chiasso (canton of Ticino) on the morning of 25 December 1992 in connection
with offences of defamation and insults against private individuals. In a letter addressed to
the Head of the Federal Department of Justice and Police in Berne and to the Tribunal in
Bellinzona (Ticino) on 3 June 1993 he alleged that two police officers arrested him in a bar
in Chiasso and, after handcuffing him, accompanied him to their car in the street outside.
They then bent him over the car and hit him around the head approximately seven times
and carried out a body search during which his testicles were squeezed. He claimed he was then punched hard between the shoulder blades several times. He said he offered no
resistance during the arrest.
He was then taken to a police station in Chiasso where he was questioned in Italian (a
language he does not understand) and stated that during the questioning "The same
policeman that arrested me came into the office to shout at me and hit me once again
around the head. Another policeman forced me to remove all of my clothes. I was afraid
that they would use physical force again; they continued to shout at me. The one policeman
was pulling at my clothes and took my trouser belt off and removed my shoe laces. Now I
stood in the middle of an office completely naked (for 10 minutes) with the door wide open
and three policemen staring at me, one of the policemen put on a pair of rubber surgical
gloves and instructed me to crouch into a position so that he could insert his fingers into my
anus, I refused and they all became angry and started shouting and demonstrating to me the
position which they wanted me to take, laughing, all were laughing, these police were having a
good time. They pointed at my penis, making jokes, hurling abuse and insults at me, whilst I
stood completely still and naked. Finally, when they finished laughing, one of the
policemen threw my clothes onto the floor in front of me. I got dressed."
He was transferred to prison some hours later and in his letter claimed that during the
night he started to experience severe pains in his chest, back and arms. He asked a prison
guard if he could see a doctor but the request was refused and he claimed the guard kicked
him. He was released on 30 December 1993. Medical reports indicated that since his
release he had been experiencing recurrent pain in the area of his chest and right shoulder
and had been receiving physiotherapy for an injury to the upper thoracic spine and his right
shoulder girdle.
Volunteers discovered
over $120,000 was taken out of Debian bank accounts and used for legal fees
to try and have me molested or killed. Why did they spend so much money on this
vendetta? They are terrified about people who express concern about abuse. They
paid $120,000 in legal fees because they feel more comfortable with
Jeremy Bicha, the man who raped his little sisters, than with
the independent volunteer elected by the Fellowship in 2017.
Subject: Matthias Geiger: Advocate
Date: Thu, 10 Nov 2022 13:26:16 -0000
From: Jeremy Bicha (via nm.debian.org) <nm@debian.org>
Reply-To: debian-newmaint@lists.debian.org, Matthias Geiger
<matthias.geiger1024@tutanota.de>, archive-1128@nm.debian.org,
Jeremy Bicha <jbicha@debian.org>
To: debian-newmaint@lists.debian.org
CC: Matthias Geiger <matthias.geiger1024@tutanota.de>,
archive-1128@nm.debian.org, Jeremy Bicha <jbicha@debian.org>
For nm.debian.org, at 2022-11-10:
I support Matthias Geiger <matthias.geiger1024@tutanota.de>'s request to
become a Debian Maintainer.
I have sponsored numerous uploads for Matthias including 6 new source
packages. He has prepared many new packages with a particular focus on
GNOME apps and Rust libraries to build GNOME apps. Creating new packages
is one of the more complex packaging tasks for Debian. His work has been
consistently high quality. We have also worked together to improve the
initial packaging.
Beyond packaging skills, Matthias has been pleasant to communicate with.
I have personally worked with Matthias Geiger
<matthias.geiger1024@tutanota.de>
(key C2E1A6CBFDECE511A8A4176D18BD106B3B6C5475) for 7 months, and I know
Matthias Geiger
can be trusted to have upload rights for their own packages, right now.
Jeremy Bicha (via nm.debian.org)
In January 2023, the late
Cardinal George Pell, former treasurer of the
Vatican, appeared in news reports from Rome talking about the death of
Pope Benedict. The news reports prompted me to look at the unredacted
Case Study 35 about the Archdiocese of Melbourne. I was shocked to see
the similarities to the
Debianism culture and
social engineering attacks. I printed a lot of the evidence about
Enrico Zini blackmailing and defaming people over so many years. On
10 January 2023, I drove across the Great St Bernard Pass to Aosta in
Italy. I walked in to the Carabinieri station and explained the
similarities between the exploitation of victims in
Debianism and in the
Catholic abuse crisis. In the same hour that I was in the Carabinieri
station, as a witness to these crimes, unbeknownst to me,
Cardinal George Pell was having surgery in Rome. He died four
hours later.
Authorities in
Australia pretended the crisis died with
Cardinal George Pell. He had avoided certain questions and surely there
is nobody else left alive who knows the answers to those questions.
On 1 March 2023,
minutes of a
GNOME Foundation Executive Committee meeting capture the names of
Anisa Kuci and
Sonny Piers together for the first time. At this point, she is not on
the list of people receiving payments from
GNOME Foundation. There are serious ethical concerns when members of
the CoC-committee are physically intimate with the very people
they are making up rumours about. Likewise, there are serious ethical
concerns when staff members are able to intercept and suppress
CoC-committee complaints about their workmates and their own boss.
We already discussed the way these CoC schemes are similar to
the catch-and-kill strategy the National Enquirer used to
purchase and suppress stories about
Donald Trump.
These financial and sexual conflicts of interest are even more disturbing
when the conflicts of interest are totally hidden from the victims of
defamation created by these gangsters.
It appears there are now two women from
Albania who were being paid to work on the organisation of
GUADEC and assist other events like
DebConf. Up to this point, the organisations had always insisted
that if volunteers wanted an event they have to organise it themselves.
Nobody had any public discussion about changing the strategy and having
a mix of volunteers and paid event staff. It is vital to ask the question:
did the oligarchs create these jobs because the community chose to
change the strategy or did these jobs get created because somebody wanted
these two specific girls from
Albania to have jobs?
GNOME hired the first girl at the end of 2018. Some time later, the
other girl went to
Outreachy, then she went to
Wikimedia Italia, an organisation that relies on a lot of volunteers
who don't get paid. A list of her past relationships was circulated and
the people doing unpaid work became upset. Shortly after that, it looks like
GNOME took her on their payroll. The fact that
GNOME has ended up with two girls from the same
Albanian background adds weight to the argument that the jobs were created
for these specific girls rather than to fill some general need.
Remember, in 2018 and 2019, these are the same girls who asked the
Debianists to buy their travel tickets in advance while all the other
young interns had to buy tickets with their own money and wait for
reimbursement.
Why did
Kristi Progri get a big title, Director of Project Management but when
Anisa Kuci joined
GNOME they call her an Administrative Assistant? Both girls
grew up together in the same building. They both joined the
Open Labs group together. Either one job title is being overstated or
the other job title is understated. It looks like the job for the second girl
was only created as part of the catch-and-kill strategy to keep
women on side so they won't repeat the things they told me in 2017 and 2018
about the
Fedora Ambassador
Elio Qoshi.
On 10 May 2023,
Jeremy Bicha writes another advocacy for
Matthias Geiger to be promoted from Debian Maintainer to Debian Developer:
Subject: Matthias Geiger: Advocate
Date: Wed, 10 May 2023 15:06:23 -0000
From: Jeremy Bicha (via nm.debian.org) <nm@debian.org>
Reply-To: debian-newmaint@lists.debian.org,
Matthias Geiger <matthias.geiger1024@tutanota.de>,
archive-1181@nm.debian.org,
Jeremy Bicha <jbicha@debian.org>
To: debian-newmaint@lists.debian.org
CC: Matthias Geiger <matthias.geiger1024@tutanota.de>,
archive-1181@nm.debian.org,
Jeremy Bicha <jbicha@debian.org>
For nm.debian.org, at 2023-05-10:
I support Matthias Geiger <matthias.geiger1024@tutanota.de>'s request to
become a Debian Developer, uploading.
I have worked with Matthias Geiger on GNOME packages since March 2022.
Matthias has created new Debian packages
for several GNOME related apps and libraries and maintained them well
ever since.
Matthias has been very instrumental in doing the major prerequisite work
to get newer GNOME apps written in Rust
into Debian Trixie. This is very complicated but important work.
I have personally worked with Matthias Geiger
<matthias.geiger1024@tutanota.de>
(key C2E1A6CBFDECE511A8A4176D18BD106B3B6C5475) for 14 months, and I know
Matthias Geiger
can be trusted to be a full member of Debian, and have unsupervised,
unrestricted upload rights, right now.
Jeremy Bicha (via nm.debian.org)
Matthias Geiger is a very common name.
Jeremy Bicha has vouched for him but neither of them have told us if they
have any conflicts of interest, for example, if they both work for the same
employer,
Canonical Ltd or if they ever shared a prison cell together.
On 11 September 2023,
Jeremy Bicha writes an advocacy for
Amin Bandali. This time he reveals that they are both working at the same
company,
Canonical Ltd, the maker of
Ubuntu. Some people have serious ethical concerns about
Ubuntu developers and co-workers writing references for each other like
this because they are under pressure to serve the needs of their company
rather than being objective about Debian.
Subject: Amin Bandali: Advocate
Date: Mon, 11 Sep 2023 14:15:25 -0000
From: Jeremy Bicha (via nm.debian.org) <nm@debian.org>
Reply-To: debian-newmaint@lists.debian.org,
Amin Bandali <bandali@gnu.org>,
archive-1211@nm.debian.org,
Jeremy Bicha <jbicha@debian.org>
To: debian-newmaint@lists.debian.org
CC: Amin Bandali <bandali@gnu.org>,
archive-1211@nm.debian.org,
Jeremy Bicha <jbicha@debian.org>
For nm.debian.org, at 2023-09-11:
I support Amin Bandali <bandali@gnu.org>'s request to become a Debian
Developer, uploading.
I have personally worked with Amin Bandali <bandali@gnu.org>
(key BE6273738E616D6D1B3A08E8A21A020248816103) on the Debian GNOME team
since the end of 2022. He has packaged updates for a variety of GNOME
packages. Earlier this year, he officially joined the Debian GNOME team
and has been entrusted with DM upload rights to several packages. He has
used those upload rights well.
Amin Bandali also has interest and skill with troubleshooting build
issues on non-amd64 architectures which is why he is not just a DM, but
a "DM with guest account".
Amin Bandali is a coworker with me at Canonical since late 2022. His
primary job duties are not .deb packaging for Debian and he was already
maintaining packages in Debian before joining Canonical.
I firmly believe that the Debian Project will benefit from granting
Debian Developer, uploading status to Amin Bandali. I know Amin Bandali
can be trusted to be a full member of Debian, and have unsupervised,
unrestricted upload rights, right now.
Jeremy Bicha (via nm.debian.org)
Oddly enough, those messages were exchanged at the same time as
DebConf23 in
India. On 9 September 2023, I sent the coroner for Cambridgeshire a
written warning about the risk for health and safety in
Debianism, with a reference to the culture and the blackmail behaviour:
Subject: Re: Inquest Christopher Rutter - Information Request
Date: Sat, 9 Sep 2023 18:59:26 +0200
From: Daniel Pocock <daniel@pocock.pro>
To: Coroners <Coroners@cambridgeshire.gov.uk>
Hi [redacted],
I've updated the document with some extra email evidence and two more
deaths, both of those being under management from a doctoral candidate
at Cambridge.
Based on my own experience of both Debian culture, the Pell situation
and the evidence in these emails, I feel that there is an ongoing risk
to the health of people who engage with this culture.
Please kindly confirm if the coroner can escalate this to the relevant
people or whether you need somebody to present the document in person.
Regards,
Daniel
Abraham Raji died three days later. It is the first case of somebody dying at
DebConf. It was anticipated, therefore, it was avoidable.
During 2023, there was a high profile underage rape and incest prosecution in
South Australia. A bakery on the Eyre Peninsula had recruited
fifteen-year-old girls to do some baking, smile at the customers and help
the owner have more children. The man in charge and his wife were both
convicted. Three children were born in one seven month period. The baker's
father had shared one of the girls. There are thirteen children and they
need to make DNA tests to verify which man is responsible for each of them.
Newspapers described it as a
cult-like living arrangement but it is not uncommon for workers to live
with their boss when in a remote location like this. When you look at the
remoteness of the location and the nature of such jobs where the young girls
are living at their workplace, it has some similarity to the situation where
Jeremy Bicha and his little sisters were living a life that was isolated
from other children.
Also in May 2024, minutes of the
GNOME Foundation board have been redacted to hide discussions about
Sonny Piers and the "staffing", which really means the hush money being
paid to the
Albanian female whistleblowers.
Sonny Piers was secretly expelled at this point but it is redacted in
the minutes.
On 18 July 2024, immediately after they shut down the
Open Labs web site and discussion forum in
Albania, an anonymous account is created in the
GNOME Foundation forum on
Discourse. The account is used to post a hideous defamation about
Sonny Piers, who they had expelled with a secret trial in May. Dozens of
discussions and news reports appear about
Sonny Piers being banned from
GNOME. The girls are insisting that everybody should know they
decided to humiliate
Sonny but nobody is allowed to ask why the girls are obsessed
with humiliating him. Whenever messages like this appear, they always hint
at some sort of bad sexual etiquette. As we saw with every other case,
such as
Ted Walther in 2006 and
Dr Jacob Appelbaum in 2016, these rumours are not only false but
they have been deliberately fabricated by some chronically dishonest people
intent on harming male volunteers and our families.
The defamation message about
Sonny Piers explicitly mentions "Code of Conduct" but what they
really mean is "Code of Silence". They are doing all this to stop
Sonny Piers talking about payments to one of the
Albanian girls or something similar to that.
I am no longer a member of the board of directors of the GNOME Foundation since May 2024. The process and decision shocked me. I know people are looking for answers, but I want to protect people involved and the project/foundation. It was never an interpersonal conflict for me.
Remember,
Sonny Piers has been doing voluntary work for twenty years and he
contributed substantial intellectual property. The Albanian girls who
were secretly added to the
GNOME payroll only work when they receive money
and they only go to events when somebody, usually the male oligarchs,
buy the tickets for them.
The community had elected
Sonny Piers to the board. As a member of the board it is absolutely
certain he saw privileged information about the payments to
Albanian female whistleblowers. However, he may not have been told
the real reason for those payments. He may have asked questions about
why the same girls are selected for every diversity grant. All this
happened in
GNOME Foundation immediately after the controlling corporations
shut down the
Open Labs group in
Albania. Follow the money / girls.
The
GNOME Foundation hired two girls from
Albania. Now we see the policies of
Enver Hoxha and totalitarianism being reincarnated in a non-profit
voluntary organisation. History is repeating itself.
Jeremy Bicha had engaged in real abuse of his little sisters when they
were six and nine years old. As a voting member of the
GNOME Foundation and a member of the Release Team he has a higher
status than
Sonny Piers. Why can people go to the web site of the
Manatee County Court and read all the details about real abuse of the
little sisters but we are not allowed to know anything about the questions
Sonny Piers was asking at board meetings?
Here is an example of the things
Jeremy Bicha was convicted for:
Reading comments like that reminded me of the way misfits on
debian-private (leaked) discussed the words used by
the parents of
Frans Pop after he committed suicide:
Subject: Re: Death of Frans Pop
Date: Sat, 21 Aug 2010 13:39:21 +0100
From: Colin Watson <cjwatson@debian.org>
To: debian-private@lists.debian.org
On Sat, Aug 21, 2010 at 01:52:33PM +0200, Ludovic Brenta wrote:
> Steve McIntyre <steve@einval.com> writes:
> > "Yesterday morning our son Frans Pop has died. He took his own life,
> > in a well-considered, courageous, and considerate manner. During the
> > last years his main concern was his work for Debian. I would like to
> > ask you to inform those members of the Debian community who knew him
> > well."
>
> Does that imply he took his own life *because* of Debian, which was "his
> main concern"?
This is probably the wrong thread for linguistics, but that phrase would
normally just indicate that Debian was his main interest. In
http://oxforddictionaries.com/view/entry/m_en_gb0169810 under "noun",
this would be sense 2 rather than sense 1.
--
Colin Watson [cjwatson@debian.org]
What is so much more sensitive about the
Sonny Piers drama that
GNOME will not tell us? Did he do something that is even worse than
raping a little girl? Or did he stumble onto an inconvenient truth about
Albanian girls that must be hidden from the community at all costs?
My suspicion is that this is more than somebody's sex life at stake.
It is not unusual for people to hook up with their colleagues in student unions
and open source software conferences. Some of the women have told me they
were under pressure to lie. Paying women to create or repeat a lie,
knowing it is a lie, undermines trust in the whole organisation that
paid for those lies.
Software producers are particularly keen to maintain the trust of the
community. The moment people stop trusting the
GNOME developers everybody will abandon the project. How could we
trust these developers if they used the foundation's funds to make
payments to a woman who spread a lie or defamation?
After you pay a woman to lie, you can't sack that woman. You have to
keep her on the payroll until she's ready to have children and become
a stay-home mother.
I suspect that is why
Anisa Kuci was immediately given a job at
GNOME after the end of her relationship with
Wikimedia Italia. Somebody didn't want to see her join some random
employer where random developers will ask her to disclose details about
the conspiracies at
DebConf19.
It is important to reflect on these secrecy tactics. These tactics
create the type of environment where real abusers can thrive.
I've nominated Jeremy Bícha to GNOME Advisory Board. Jeremy has volunteered to represent Debian at GUADEC in Denver.
Sonny Piers, like other victims, was censored and humiliated indefinitely
while the
registered sex offender is put up on a pedestal to supposedly be the
representative of the rest of us. I certainly didn't consent to him speaking
for me.
Furthermore, how can a
Canonical Ltd employee be representing the interests of both
Debianism and
the
Ubuntu misfits at the GNOME Advisory Board? The conflict of interest
is enormous. It isn't possible for him to do both at the same time.
In March 2025, shortly before
DebConf25, we saw
Jeremy Bicha begin contributing to the
Debian-Edu project. That is the derivative of Debian created to
meet the needs of the education industry. Why does he have schools on his mind?
Jeremy Bicha's status as a
registered sex offender is intended to prevent him being employed
inside a school. By collaborating on
Debian-Edu, he gains credibility that allows him to interact with
schools as a volunteer. This looks like privilege escalation. He was
engaged in this while he was an employee of
Canonical Ltd and
Ubuntu.
At
DebConf25 in Brest,
France, the
GNOME
talk from
Jeremy Bicha was scheduled for 14 July, the French national holiday. In
France, the day normally starts with parades by the military and the
emergency services, including the police. Therefore, people were asked to
choose between applauding the
police as they marched through Brest or watching a
registered sex offender giving a talk in the university campus.
Putting this type of diversity on display at a prominent event feels like
the thin end of the wedge. Brest is a city known for its strong naval history.
Jeremy Bicha had been discharged from the US Navy after they found out.
Like the rogue
Russian spy-ships who periodically sail the English channel,
Debianists have decided to test the waters of diversity by putting this
man on display. They wanted to see how the public reacts. They want us to
know this is the new normal. The victims were only six and nine years old.
On the scale of sexual offences, these were some of the worst. By
putting this out in the open, they make it easier to bring in offenders
who have less serious crimes.
Back in the 1970s, people like this tried to create organizations
like the
Paedophile Information Exchange (PIE) where their cause was published
in broad daylight. Within a few years these organisations had been
outlawed. The lesson they have learnt from those prosecutions is the
need to affiliate themselves with more general causes like diversity
and then expand the definition of diversity to include, by stealth, all
kinds of people who are irreconcilably incompatible with the rest of us.
We already looked at the prosecution of
Matthias Kirschner for the
psychological abuse of
Galia Mancheva. Sooner or later another oligarch will face one of these
prosecutions. If it is somebody the cabal wants to protect, they can remind
us how
Jeremy Bicha came to
DebConf25 and it didn't kill anybody. They will remind us the diversity
statement says anybody is welcome as long as you display total
submission to their
CoC.
This time, instead of using an anonymous account,
Robert McQueen has written the post under his own name. He tells us the
punishment has been reduced:
The Board is providing this information to clarify the decisions made in this case, and to eliminate any uncertainty within the GNOME community about the matter.
In fact, the very long post does not include any example of the questions
Sonny Piers asked about the
Albanian women. Therefore, we all remain totally in the dark.
the Board also voted that Sonny will not be eligible for appointment in any position of authority within the Foundation, or to act as an agent on behalf of the organization, or to have paid work with the GNOME Foundation. This means that he will be unable to be a committee member, director, officer, staff member or contractor, or officially represent the GNOME Foundation to other entities. The Board resolution put these restrictions in place on an indefinite basis.
Turn that statement on its head: why does
Robert McQueen feel more comfortable with the Ubuntu man who
popped the cherry of a six year old than he does with an
independent developer who the community voted onto the board?
On 4 April 2026,
Oscar Langley asked about it in the election discussion for the next leader
of
Debianism. None of the candidates would reply to questions about child
safety.
Subject: DebConf25 decisions affecting Child Safety and talk scheduling
Date: Sat, 4 Apr 2026 11:01:37 +0000
From: Oscar Langley <oscar.langley@hotmail.com>
To: debian-vote@lists.debian.org <debian-vote@lists.debian.org>
I understand this topic may be somewhat tangential to the election mailing list, but I reviewed the list of voters in this year's DPL election and discovered that Jeremy Bicha is a Debian developer who cast a ballot: https://vote.debian.org/~secretary/leader2026/voters.txt
If you search up his name on Google, the very first result is his profile on Florida's Sexual Offender and Predator System, as he molested multiple preteen girls throughout the 1990's and confessed to all this in court.
https://offender.fdle.state.fl.us/offender/sops/flyer.jsf?personId=85068
https://wng.org/articles/the-high-cost-of-negligence-1617309216
Being a child molester is most likely a violation of the Debian Code of Conduct, and if it is not, it is reprehensible enough to call into question his continued status as a member of the project.
Additionally, there are two more important questions about Bicha's relationship with the Debian Project that have yet to be answered. Bicha was due to speak at DebConf25 last year, an event that children were permitted to attend. The livestream also experienced technical issues when his talk was about to start, leaving it unclear whether he actually spoke.
The two questions are:
1. What factors led to the decision to allow children in the presence of Bicha?
2. Was Bicha's talk canceled, or did it indeed take place but was simply never streamed?
And a third question is begged:
3. Why hasn't the Debian Project cut ties with Bicha?
but one person made a reply praising the extreme definition of diversity:
Subject: Wasn't sure where to send but thank you...
Date: Wed, 8 Apr 2026 12:08:58 -0400
From: Star Light Catcher <catcherstarlight@gmail.com>
To: debian-project@lists.debian.org
I would just like to say, I would sometimes browse the reddits for Linux and in the general Linux reddit I saw someone saying the project was "in trouble" and worried I went to the Debian reddit to look into it... And what I'm very sad to say I found was people being very cruel and closed minded about the fact that the project seems to be valuing inclusion and bringing in new voices and talents to the FOSS community and the Debian project... So, I no longer really read reddit for Linux news but I very much wanted to say how much I've adored using Debian these past 8 months since switching to Linux. It's been rock solid, my best experience on Linux ever (and despite only switching 8 months ago I had tried Linux many times since 2010! Tons of different distros!) Debian has been genuinely an oasis from so much of what is wrong about modern tech, all while being built on what is obviously such a solid foundation I can't see myself switching back to Distros which genuinely often seemed to nuke themselves with little cause from me, and I've done plenty of things to ride my installs of Debian hard and it's never faltered at all.
And about the people behind the Debian project... In a time of increasing authoritarianism and such a huge increase to push minorities even further to the fringes... Debian embracing diversity during all of this... It warms this trans woman's heart who has felt such a sense of dread at the way the world is going. So thank y'all genuinely. Linux users are known to distrohop but... I can't imagine ever needing anything but the Universal Operating System ever again 🫂 and what brings me such joy is that it feels that it's not just universal, as in, for all devices, but universal, as in /for everyone/. 💜
Thank you for all you do, I plan to up my donation when I can,
Star Elizabeth Wilkerson 🦄
Ben Carroll is the Deputy Premier and Education Minister for the
State of Victoria. On Mother's Day in 2024, he posted a picture
of himself with his local priest, who I'll simply refer to as Father X:
In 1994, the Archdiocese of Melbourne had to exfiltrate another priest,
Fr Barry Robinson, from
Boston. Father X was tasked with the mission. In particular, the scope of
his mission was far bigger than the exfiltration. Father X was also asked to
look at the crisis in
Boston and report back to his superiors in
Australia. This was eight years before the Spotlight news
reports raised public awareness of the scandal. The priest who gives
communion to
Victoria's Education minister had himself learnt about the extent of
the global crisis and expressed concern about warehousing paedophiles:
After returning from
Boston,
Fr Barry Robinson had lived in the same house as Father X while
the US authorities continued their investigation.
Fr Barry Robinson had admitted abuse but they decided not to
prosecute him at all. The church decided to ignore his admission and
put him back into practice:
In 2024, another lawsuit cast attention on
the use of scholarships for the two children of a victim. People gain
status in society through attending these elite high schools. There is a risk
that this perpetuates the culture of silence. It is analogous to the
manner in which some open source software organisations are giving people
internships, big titles and speaking opportunities so they will stay
silent about abuse in
Albania
Here is the redacted deed that mentions scholarships:
In February 2025, The Monthly published and then almost immediately
took down an article by
Louise Milligan titled The True Legacy of the Rapist George Pell.
The late Cardinal Pell had been successful in his appeal and the conviction
had been overturned by the High Court. Therefore, calling him a rapist is
a very strong defamation. Nonetheless, copies of the article are easily found
online.
The Debian Diversity statement tells us the definition of diversity
is very large. A lot like the National Council of Civil Liberties in
the 1970s, the Diversity Statement says anyone is welcome
(up to the day when you ask an ethical question). At
DebConf25, they demonstrated the definition of anyone includes
registered sex offenders. He is not the only one and he won't be
the last one.
If I had been patient, it would have saved me time. One such instance
follows.
From my early blogs, you might know I am using mutt to do email. Just
after I got along with mutt, I started using notmuch, because limit
search in mutt is always a pain when you have multiple folders. And
what better tool out there than notmuch-mutt to bind both of these:
one macro for search, one for reconstructing threads and one for
manipulating tags, which I missed.
Now my impatient part. I had already mapped f6 for my folder
movements and in my initial days of notmuch, I only used search.
So I never cared about the f6 macro provided by notmuch-mutt. As time
went by I got very comfortable with notmuch. I was stretching my
notmuch legs. I started to live more on notmuch search results
(date:today tag:unread) than on the mutt index. Now to the problem:
since notmuch-mutt dumps all results to a temp maildir location, I
couldn’t perform flag changes back to the original maildir, which was
annoying, because you need to distinguish which mail you have read and
which not when you are subscribed to most of the Debian mailing lists.
I was under the impression that notmuch-mutt was not capable of
doing so and I just went on like that without checking the docs. I
started doing all kinds of crazy hacks to sync these maildirs.
I even started reading the notmuch-mutt codebase.
Later, I settled on notmuch-vim, because there I can manipulate flags
and sync them back from notmuch to maildir.
And while searching for something, I accidentally revisited the
notmuch-mutt macro page and saw the tag manipulation. I was like
:( .
If I had read about the third macro patiently when I added it to my
config, I could’ve saved time by not doing ugly hacks around it.
Educators throughout the world are tasked with the difficult requirement of
evaluating students’ works, making sure the grades meaningfully reflect the
students’ understanding of the subject, and that a graded assignment maps
to the relevant work invested in solving it. After the irruption of
Large-Language Models in late 2023, this task became obviously much harder:
if a widely available computer program is able to solve an assignment in a
way that resembles a human-generated response, how can educators
meaningfully grade their groups?
As it has been the case with different innovations over time (such as with
the appearance of electronic calculators or the mass availability of
digital encyclopedias), the first reactions were of prohibition and denial:
students who use the new tool in question are to be disqualified or somehow
punished. It is only some time after the innovation in question settles
that teachers find a way to properly weigh, integrate and accept its use.
The authors of this position article present several arguments as to why it
is impossible, unethical and unadvisable to use automated AI detection
systems to process student assignments. The first argument is whether it is
at all possible to reliably differentiate human-written essays from
LLM-generated artifacts. The first criticism is that AI detectors are,
themselves, LLMs trained on human-generated texts (negative) and
LLM-generated texts (positive). However, the only way to assert the
training material is not noisy is to use pre-2020 text as human-generated —
but natural ways of writing are influenced by what people read, and the
authors quote studies pointing out that human language, particularly in the
scholarly fields, has incorporated terms and constructions that were used
as LLM markers. Quoting the authors, «As exposure to AI-generated material
becomes increasingly widespread, it is reasonable to expect that the
linguistic patterns of human writing will shift, reflecting the influence
of AI-assisted texts encountered across education, media, and everyday
communication». Stylistic elements and other such markers are being adopted
back into regular speech at a high rate.
Then, the aspect of ethics comes into play as well. While it is expected
that teachers should demand intellectual integrity from students, and
plagiarism detectors have been widely accepted into the workflow of
academics, the accusation of presenting LLM output as one's own work is
necessarily an uphill battle: the accused party is tasked with providing
proof of innocence based on nebulous, probabilistic accusations. The
authors argue that, once an accusation of turning in an LLM-generated text
is made against a student, the onus of proving innocence lies with the
accused.
The authors review and argue against a series of techniques that have been
presented in the literature to aid teachers in detecting LLM abuse, such as
linguistic markers, single or multiple AI detectors, the use of false
references, and hidden adversarial prompts, arguing in all cases that the
techniques are not trustworthy enough and highlighting the probability of
both false positives and negatives. They also present AI detection as a
false dichotomy: many submitted works are neither 100% human-generated nor
100% LLM-generated; instead, pertinent LLM-generated paragraphs are mixed
with human-generated content, in a positive, critical AI use
(“Students’ work is frequently created with, not by, generative AI”).
The article closes by reiterating the authors’ position: “AI detection in
education is not merely flawed; it is conceptually unsound”. They call upon
institutions to accept that the use of generative LLMs cannot be “solved
through surveillance and punishment”, but has to be tackled by an
“assessment design that recognizes AI’s role in learning”.
This article’s position is very strong and well argued, and although it
will surely meet with ample opposition, it raises an important, very
current problem. As a teacher, I found it a very enlightening read.
Yesterday, I had to add support for running KVM virtual machines inside an LXC container. More as a reminder to myself, in case I ever have to do this again, here is the simple recipe:
LXC Container Config Adjustment
Enable lxc.autodev and register a hook script to be executed after the initial /dev creation (updated 20260428: lxc.cgroup2.* instead of lxc.cgroup.*):
[...]
# Auto-create /dev nodes and add native KVM support to the LXC container
lxc.autodev = 1
lxc.hook.autodev = /var/lib/lxc/.hooks/lxc-hook.kvm-support
lxc.cgroup2.devices.allow = c 10:232 rwm
lxc.cgroup2.devices.allow = c 10:238 rwm
lxc.cgroup2.devices.allow = c 10:241 rwm
[...]
[added 20260408] On the internet, you can find a recipe that simply bind-mounts /dev/kvm from the host into the LXC container. However, this fails if the group ID of the POSIX group kvm differs between host and container.
LXC Hook Script for KVM Support Enablement
The following script I placed at /var/lib/lxc/.hooks/lxc-hook.kvm-support (on the LXC host!):
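#!/bin/sh
# Set up native KVM support in the LXC container.
# LXC exports LXC_ROOTFS_MOUNT: the path where the container's rootfs is mounted.
# Paths are quoted so a rootfs path containing spaces cannot split into extra arguments.
# Each node is created as a character device (major 10) with mode 0660, group kvm.
mknod -m 0660 "${LXC_ROOTFS_MOUNT}/dev/kvm" c 10 232
chown :kvm "${LXC_ROOTFS_MOUNT}/dev/kvm"
mknod -m 0660 "${LXC_ROOTFS_MOUNT}/dev/vhost-net" c 10 238
chown :kvm "${LXC_ROOTFS_MOUNT}/dev/vhost-net"
mknod -m 0660 "${LXC_ROOTFS_MOUNT}/dev/vhost-vsock" c 10 241
chown :kvm "${LXC_ROOTFS_MOUNT}/dev/vhost-vsock"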
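Because the recipe widens the container's device allow-list, it is worth checking that a config grants exactly the three devices the hook creates and nothing broader. The script below is an added example, not part of the original post: the function name, variable names and finding labels are hypothetical, and the sample config is constructed.

```shell
#!/bin/sh
# Added example: audit an LXC config against the KVM recipe's device list.
# Function name, variable names and finding labels are hypothetical.

# Device nodes the hook script creates, as name,type,major:minor (from the post).
KVM_DEVICES='kvm,c,10:232 vhost-net,c,10:238 vhost-vsock,c,10:241'

# audit_lxc_kvm_config CONFIG_TEXT
# Prints one finding per line; prints nothing if the config matches the recipe.
# (If several EXTRA rules exist, their relative order is unspecified.)
audit_lxc_kvm_config() {
    printf '%s\n' "$1" | awk -v want="$KVM_DEVICES" '
    BEGIN {
        n = split(want, rows, " ")
        for (i = 1; i <= n; i++) {
            split(rows[i], f, ",")
            rule[i] = f[2] " " f[3]          # e.g. "c 10:232"
            name[rule[i]] = f[1]
        }
    }
    /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
    {
        eq = index($0, "=")
        if (eq == 0) next                    # e.g. "[...]" elision markers
        key = substr($0, 1, eq - 1)
        val = substr($0, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key)
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "lxc.autodev") autodev = val
        else if (key == "lxc.hook.autodev") hook = val
        else if (key == "lxc.cgroup.devices.allow") legacy++   # cgroup v1 key
        else if (key == "lxc.cgroup2.devices.allow") {
            m = split(val, p, /[ \t]+/)
            # "a" allows every device; "*" wildcards a major or minor number.
            if (p[1] == "a" || (m >= 2 && p[2] ~ /\*/)) broad[++nb] = val
            else if (m == 3) allowed[p[1] " " p[2]] = p[3]
        }
    }
    END {
        if (autodev != "1") print "MISSING lxc.autodev = 1"
        if (hook == "") print "MISSING lxc.hook.autodev"
        if (legacy) print "LEGACY lxc.cgroup.devices.allow (" legacy " line(s))"
        for (i = 1; i <= nb; i++)
            print "BROAD lxc.cgroup2.devices.allow = " broad[i]
        for (i = 1; i <= n; i++)
            if (!(rule[i] in allowed))
                print "MISSING allow " rule[i] " (" name[rule[i]] ")"
        for (k in allowed)
            if (!(k in name)) print "EXTRA allow " k " " allowed[k]
    }'
}

# Constructed sample: no hook, a cgroup v1 key, an allow-all rule,
# and one block device that the recipe never asks for.
SAMPLE_BAD='lxc.autodev = 1
lxc.cgroup.devices.allow = c 10:232 rwm
lxc.cgroup2.devices.allow = a
lxc.cgroup2.devices.allow = c 10:238 rwm
lxc.cgroup2.devices.allow = b 8:0 rwm'

audit_lxc_kvm_config "$SAMPLE_BAD"
```

An empty result means the config carries lxc.autodev, the hook, and exactly the three character devices from the recipe; any BROAD or EXTRA line is access the container has beyond what KVM needs.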
What We Are Seeking is a bit hard to classify beyond science
fiction. I think I would call it anthropological science fiction, but it's
also a first contact story and a planetary colony story. It is a
standalone novel (well, so far as I know; see later in the review for
caveats). This is Cameron Reed's second novel after the excellent and
memorable cyberpunk novel The Fortunate
Fall, first published in 1996 under Reed's former name of Raphael
Carter.
John Maraintha is a doctor from the world of Essius. He took what he
thought was a temporary job on the Free Ship Edgar's Folly, where
he's endured considerable culture shock. As the novel opens, John learns
that the colonists on Scythia have requested a translator to talk to one
of the native life forms, and a doctor since they're down to only one.
John will be that doctor. The captain has decided, and by the rules of the
free ships, John does not get a choice in the matter.
The Scythian colony is about four hundred people, now located in a desert
climate since the complex native life forms destroyed their previous
settlement. The colonists are a split between Ischnurans and Zandaheans,
two other human civilizations from the scatter of colony worlds left after
Earth embraced AIs (aiyis here) and turned inward. Both of those groups
marry, something John considers a moral abomination. Neither of them seem
likely to understand Essian sexual ethics. More devastatingly, John had
intended to spend some time as a ship doctor and then return home to a new
place in Essian society. Once he lands on Scythia, the chances of that are
gone; it is highly unlikely any ship would pick him up again and take him
home.
I have been trying to find the right books to compare What We Are
Seeking with ever since I read it. The best I've come up with are Ursula
K. Le Guin (particularly The
Dispossessed), Eleanor Arnason's A Woman
of the Iron People, and Becky Chambers's To Be Taught, If Fortunate. The start of the book felt like an
intentional revisiting of an earlier era of science fiction, with somewhat
updated science and politics, but the last half of the book, where the
action picks up considerably, is a meditation on gender, social systems,
religion, and small-group politics. All of that is mixed with biological
exploration and a first-contact story with some quite-alien aliens.
This is the sort of novel where the protagonist's culture is as foreign to
the reader as any of the other cultures he encounters, so the reader is
assembling several jigsaw puzzles at once. John is dropped into an
established colony with its own social norms and established hierarchies.
The one other outsider, the translator Sudharma Jain, is, as his name
implies, a Jain who keeps very strict religious observances. Half of the
colony is from something akin to a fundamentalist Christian religious sect
that practices patriarchy and strict marriage codes. The other half is
more gently sexist (but still sexist) and has its own tradition of a third
gender that becomes central to the story. John, meanwhile, is a strong
believer in the Essian approach to social organization: Any two partners
of any gender freely have sex by mutual consent and without obligation,
and family is based solely on blood relations. These beliefs do not fit
comfortably together, even when people are trying (as they mostly do) to
be welcoming.
The first half of this book is very slow. This gives all of the characters
space to breathe and become comfortable, and the characterization is
superb, but it is a book to start when you're in the mood for something
slow and observational. There is a plot that gradually becomes apparent,
or rather there are several plots that are intertwined, but tension and
urgency are mostly reserved for the second half of the book. Instead, the
book opens with a lot of close observation of alien flora and fauna and
the untangling of subtle social dynamics among the Scythians.
There is also a visitor from Earth, much to the distress of the Scythians.
Earth presence means the ships will not return and the colony may be cut
off from any sort of technological resupply. Despite speaking a common
language, that visitor is as mutually alien to the other groups as they
are to the native flora. Her life is fully integrated with aiyis, giving
her essentially godlike powers and the ability to turn off inconvenient
emotions and disregard anything she doesn't want to see. What she and the
Earth aiyis are doing on the planet is one of the early mysteries.
The dialogue in this book is truly excellent. Each character has their
own voice, there are fascinating digressions on different words that lead
to tidbits of world-building, and some of the culture-specific idioms are
delightful.
"I'm making a mess of this. None of that matters. Let me fall out the
window and come in the door again. This is how my story ought to
start:"
The challenges for the characters in this story are slow but deep ones:
belonging and self-definition, the conflict between cultural tradition and
personal circumstance, and the sacrifices required to live with small
groups in situations where civil war is viscerally attractive. It has one
of the most comprehensive and fascinating treatments of transgender issues
that I've read in science fiction. Its commentary on current politics is
subtle and estranged in the way that science fiction does best, but still
pointed and satisfying. And, well, there are passages like this that I
absolutely adore:
"I wouldn't go that far. It could be they are right, the universe we
see exists because a mind like ours created it — at least, a mind
enough like ours that we can say it wants one thing and not another,
and when it acts it does so with intent. That's as good an idea as
any. But it is certainly not plausible that such a being believes that
people everywhere should marry, or that men should never visit men, or
no one should become a jess. Look at what they have created. The
universe could have been nothing at all, or one atom of hydrogen
floating in a void, or a diamond crystal infinite in all directions,
if their mind cared for simplicity or tidiness. Instead we have stars
and planets and black holes and nebulas. It could have all been cold
and dead, but there is life. They could have made one species for each
world, or just a few, which could have stayed the same forever, but
instead we have millions and millions, all of which are changing every
moment, varying among themselves and boiling off in all directions.
Such a god is like an artist who fills up a library of sketchbooks
with their drawings of strange creatures, and when every scrap of
paper in the place is used up, goes back with a different color ink
and scribbles over them again. They are obsessed with variation — they
gorge themselves with it and never grow full. Do you really think a
mind like that could want us all to live in the same way?"
I had one problem with this book, though, and for me it was a big one:
There is no ending. Reed effectively builds tension, gets me caring about
all of the characters, sets up several problems, starts down a path
towards resolution, and then the book just... ends.
Long-time readers of my reviews will know that I'm a denouement fanatic. I
want the scouring of the shire, I want the chapter set in the happily ever
after, I want the catharsis of an ending. This made me so grumpy!
To be clear, this is not sequel bait (at least so far as I can tell). I
can write a philosophical defense of the ending. The types of problems and
lives that Reed set up don't have clear endings; this is, to some extent,
the point. We muddle through, and then those who come after us muddle
through some more, and the cumulative effect is called human civilization.
And there is some denouement; Reed doesn't leave the reader at a
cliffhanger or anything that egregious.
But still, I wanted the happy ending, even though that was unrealistic for
the style of story this is, because I'm a happy ending reader. This is not
an ending sort of book; it's the sort of book where I get a sinking
feeling at the 95% mark because there aren't enough pages left for the
number of remaining unresolved problems. I've gotten less annoyed in the
days since I finished the book, and I can appreciate the thematic point
made by how the book ends, but I still feel like it's worth an advance
warning if you're a reader like I am.
I would be delighted by a sequel, but it didn't feel like that was the
intent.
Apart from that, this was both excellent and rather unlike a lot of
current science fiction. I think the closest comparison I can make among
recent novels I've read is Sue Burke's Semiosis. What We Are Seeking has a similar sort of
world-building, but I liked these characters so much more. It felt like a
classic literary science fiction novel, but very much written in 2026.
Highly recommended, just beware of the lack of closure.
Content notes: Sexism, homophobia, stomach illness, and some religious
abuse.
A new maintenance release 0.4.27 of RProtoBuf
arrived on CRAN today. RProtoBuf
provides R with bindings for the
Google Protocol Buffers
(“ProtoBuf”) data encoding and serialization library used and
released by Google, and deployed very widely in numerous projects as a
language and operating-system agnostic protocol. The new release is also
already available as a binary via r2u.
This release adjusts to a change upstream. Luca Billi noticed that upstream
removed some fields from FieldDescriptor, filed an issue
and followed up with a spotless PR. No other changes.
The following section from the NEWS.Rd file has all details and
links.
Changes in RProtoBuf version 0.4.27 (2026-04-26)
Adjust to FieldDescriptor API changes in ProtoBuf 3.4 (Luca Billi in #114 fixing #113)
What appears to be an attempt to assassinate the US President
Donald Trump has dominated the news today. There are numerous people on
social control media suggesting the suspect,
Cole Thomas Allen, may be gay or transgender, like the
Zizian problems. Some people make comments
about a handwritten note left for his transgender partner.
In fact, these comments appear to be identical to the description of
Tyler Robinson, the man who assassinated
Charlie Kirk. They are not necessarily fake news. We simply don't have
enough information to say if the rumours are fake or if they are true.
496.
The plaintiff and other victims feel great apprehension, based on what happened to Dr
Appelbaum's home, based on the drawings of civil disorder, based on the way the Zizian group
behaved, that if these vigilante tendencies are not constrained then they will again manifest
themselves in physical acts of vandalism or violence.
The Genocidal Healer is the eighth book in James White's medical
science fiction series about the Sector General hospital. As with the rest
of the series, detailed memory of the previous books is not required and
the books could be read out of order if you didn't mind spoilers.
I read this as part of the Orb General Practice omnibus.
Surgeon-Captain Lioren is a Tarlan doctor who was in charge of the medical
response to a newly-discovered civilization. The aliens were suffering
from an apparently universal plague and an ongoing vicious war waged
entirely through hand-to-hand combat, putting them on the edge of
extinction. Lioren rushed the distribution of a possible cure against the
advice of the doctors working on developing it, with catastrophic results.
As The Genocidal Healer opens, Lioren is insisting on a
court-martial in the hope of receiving the sentence it believes it
deserves and was denied: death.
(It pronouns are the convention in the Sector General series for all alien
races and formal discussions, because even someone prone to bouts of
gender essentialism such as White understood the need for avoiding gender
assumptions in a science fiction medical context.)
Predictably, both Sector General and the Monitor Corps that technically
runs the hospital are flatly unwilling to execute Lioren. Instead, he is
assigned as a new apprentice in the psychology department under the
legendary O'Mara, where he is ordered to investigate the psychological
fitness of a senior doctor named Seldal. This leads him to talk to
Seldal's patients, which in turn leads to a challenging set of ethical
dilemmas.
The first five chapters (and more than sixty pages) are the story of
Lioren's trial and a recounting of the events on Cromsag. The series is
full of medical and cultural puzzles like this, and usually I like them,
but I thought this one was less successful. We know the vague (and
horrible) outline of the ending in advance, and the massive simplification
and artificial universality that is required to make this puzzle work is
particularly blatant. A universally infectious disease is more of a
fiction plot than a believable biological concept, and the number of
failures of communication, analysis, and misunderstanding that have to
line up to create White's predetermined outcome were a bit much for me.
Once the story gets past that and into Lioren's psychological work, the
novel improves. Lioren is guilt-ridden and irrational, but also rather
arrogant about his guilt and his concepts of professional responsibility
in a way that I think mostly worked. Most of the novel consists of Lioren
slowly discovering that people like him and enjoy talking to him, much to
his bafflement. In that, it has the gentle kindness and sense of universal
basic decency that is characteristic of this series. There are, of course,
medical puzzles to solve, although this time they are primarily
psychological in nature. Various characters from previous books make an
appearance, but White re-explains their background in sufficient detail
that you don't need to remember (or have read) those previous books.
There are a lot of similarities between this book and the previous one,
Code Blue—Emergency. Both feature
nonhuman viewpoint protagonists and amusing descriptions of human facial
expressions from an alien perspective. Both feature protagonists with
overly rigid ethical structures that partly clash with the generally human
policies of Sector General. The Genocidal Healer is a bit more
subtle and nuanced, although a lot of Lioren's psychological evaluation
rests on an ethical difference that I found somewhat unbelievable. This
book, though, tackles a subject the previous book did not: religion. The
treatment isn't horrible, but I have some complaints.
My primary issue is that Lioren, who starts as an atheist, does extensive
research into religion to help a patient and then starts making statements
summarizing the religious beliefs of the majority of known species that
are just... Christianity. As someone raised Christian, I recognized it
immediately as the sort of abstracted Christianity that Christians claim
is universal while completely ignoring the opinions of the adherents of
any other religion.
Key components of this majority galactic religious pattern, according to
Lioren, include an omnipotent and omnibenevolent creator god, a religious
figure who preaches forgiveness and mercy and is persecuted, and emphasis
on redemption. This simply is not some abstract universal religion. This
is just Christianity in disguise. Even in religions that have some of
those elements in their traditions, they do not get the same emphasis and
are not handled the way that Lioren describes them. I therefore found
Lioren's extended discussions of religion rather annoying, since he kept
claiming as relatively universal principles beliefs that are not even held
by the majority of religious adherents on Earth, let alone a wildly
varying collection of alien races with entirely different biology and
societal constructions. It caused a lot of problems for my suspension of
disbelief, on top of the annoyance at this repetition of, frankly,
Christian propaganda.
Lioren goes, from that research, into theodicy (the problem of evil). The
interesting part of this is White's earnest portrayal of a doctor's
approach to societal problems: a desire to find workarounds and patches
and fixes for anything that makes people unhappy, whether medical or
social. It makes sense, given the horrible biologic hands that some of the
aliens in this series have been dealt, that they would question the idea
of a benevolent god, so this philosophical digression is justified in that
sense. But you might guess that a mid-list science fiction author is not
going to say something new about one of the oldest problems in
Christianity, and indeed he does not. Lioren arrives at the standard
handwaving about the unknowability of divine intent, which I found tedious
to read but at least not fatal to the plot.
White, thankfully, doesn't take the religious material too far. The
characters recognize how sensitive of an issue religion is in a hospital,
Lioren never adopts religion fully, and the resolution of the plot is as
much biological as philosophical. White is going somewhere with the
introduction of religion, and although some of the path there annoyed me,
I think the destination worked. White was from Northern Ireland, and
therefore well aware of the drawbacks of religion, and he abhorred
violence (hence Sector General as a setting), so the reader is in better
hands with him than with most authors who might attempt this plot.
I think I know a bit too much about religion to be the best audience for
this entry in the series, and I'm not sure the introductory five chapters
quite worked. But as with all of the other books in the series, this kept
me turning the pages and I'm glad I read it. The Genocidal Healer
probably isn't worth seeking out unless you're reading the whole series,
but if you're enjoying the rest of the series, you'll probably like this
too.
Leonardo and I are happy to
announce another maintenance release 0.1.4 of our dtts package
which has been on CRAN for four
years now. dtts builds upon
our nanotime
package as well as the beloved data.table to bring
high-performance and high-resolution indexing at the
nanosecond level to data frames. dtts aims to
offer the time-series indexing versatility of xts (and zoo) to the immense
power of data.table while
supporting the highest nanosecond resolution.
This release, not unlike yesterday’s
release of nanotime, is driven by recent changes in the bit64 package which
underlies it. Michael,
who now maintains it, had sent in two PRs to prepare for these changes.
I updated continuous integration, and switched to Authors@R, and that
pretty much is the release. The short list of changes follows.
Changes in version 0.1.4 (2026-04-23)
Continuous integration has received some routine updates
Adapt align() column names with changes in 'data.table' (Michael Chirico in #20)
Narrow imports to functions used for packages 'bit64', 'data.table' and 'nanotime' (Michael Chirico in #21)
Courtesy of my CRANberries, there
is also a diffstat report
for this release. Questions, comments, issue tickets can be brought to
the GitHub repo.
Vertical rhythm aligns lines to a consistent spacing cadence down the page. It
creates a predictable flow for the eye to follow. Thanks to the rlh CSS unit,
vertical rhythm is now easier to implement for text.1 But illustrations
and tables can disrupt the layout. The amateur typographer in me wants to follow
Bringhurst’s wisdom:
Headings, subheads, block quotations, footnotes, illustrations, captions and
other intrusions into the text create syncopations and variations against the
base rhythm of regularly leaded lines. These variations can and should add
life to the page, but the main text should also return after each variation
precisely on beat and in phase.
Three factors govern vertical rhythm: font size, line height and
margin or padding. Let’s set our baseline with an 18-pixel font and a 1.5
line height:
CSS Values and Units Module Level 4 defines the rlh unit, equal to the
computed line height of the root element. All browsers support it since
2023.2 Use it to insert vertical spaces or to fix the line height
when altering font size:3
We can check the result by overlaying a grid4 on the content:
Using CSS rlh unit to set vertical space works well for text. You can display the grid using Ctrl+Shift+G.
If a child element uses a font with taller intrinsic metrics, it may stretch
the line’s box beyond the configured line height.5 A workaround
is to reduce the line height to 1. The glyphs overflow but don’t push the line
taller.
code,kbd{line-height:1;}
Responsive images
Responsive images are difficult to align on the grid because we don’t know their
height. CSS Rhythmic Sizing Module Level 1 introduces the block-step
property to adjust the height of an element to a multiple of a step unit. But
most browsers don’t support it yet.
With JavaScript, we can add padding around the image so it does not disturb
the vertical rhythm:
Table cells could set 1rlh as their height but they would feel constricted.
Using 2rlh wastes too much space. Instead, we use incremental leading: we
align one in every five lines.
To align the elements after the table, we need to add some padding. We can
either reuse the JavaScript code from images or use a few lines of CSS that
count the regular rows and compute the missing vertical padding:
A header cell has twice the padding of a regular cell. With two regular rows,
the total padding is 2×2×0.2+2×0.4=1.6. We need to add 0.4rlh to reach
2rlh of extra vertical padding across the table.
One line out of five is aligned to the grid. Additional padding is added after the table to not break the vertical rhythm. 405 is divisible by 27, our line height in this example.
None of this is necessary. But once you start looking, you can’t unsee it. Until
browsers implement CSS Rhythmic Sizing, a
bit of CSS wizardry and a touch of JavaScript is enough to pull it off. The main
text now returns after each intrusion “precisely on beat and in phase.”
Just a quick invitation to an in-person event in Tilburg, the Netherlands.
All people interested in the Lomiri Operating Environment are invited to join us at the Lomiri Codefest [codefest] taking place on May 16-17 (participation is free of charge).
We are hiring Lomiri developers
And as another side note, we still have budget (until 07/2027) for 2-3 additional Lomiri developers (depends on each dev's weekly availability). The details of my previous post [hiringdetails] +/- still apply. One more limitation / strength: You need real coding skills to apply for the open positions, AI-generated contributions will not be accepted for the tasks at hand.
If you are interested and a skilled FLOSS developer (you need previous OSS contributions as references) and available with at least 10 hrs / week, please get in touch [fsgmbh].
Many thanks to Sruthi Chandran for her campaign, to our Developers for their
votes, and to Andreas Tille for his service as DPL over the past two years!
The new term for the project leader will start on April 21, 2026 and expire
on April 20, 2027.
I recently released version 0.3.0 of my recipe manager application Kookbook – find it in git in KDE Invent or as released tarballs in https://download.kde.org/stable/kookbook/
Changes since last time are more or less “Minor bugfixes and a Qt6 port” – nothing as such noteworthy unless you aim to get rid of Qt5 on your system.
so what is kookbook?
It is a simple recipe viewer that works with semi-structured markdown. More details can be seen in the quite old 0.1.0 announcement
At some point I should do a 10 recipe example collection, but my personal collection is in Danish, so I’m not sure it is going to be useful. Unless someone will donate me some handfuls of pre-formatted recipes, I will happily announce it.
I was hosted for a long time, free of charge, on https://www.branchable.com/
by Joey and Lars. Branchable and Ikiwiki were wonderful ideas that never
took off as much as they deserved. To avoid being a burden now that
Branchable is nearing its
end, I migrated to
a VPS at Sakura.
However, I have not left Ikiwiki. I only use it as a site engine, but I
haven't found any equivalent that gives me both native Git integration, wiki
syntax for a personal site, the creativity of its directives (you can do
anything with inline and
pagespec), and its multilingual
support through the po plugin.
If you have recently installed a very up-to-date Linux distribution with a desktop environment, or upgraded your system on a rolling-release distribution, you might have noticed that your home directory has a new folder: “Projects”
Why?
With the recent 0.20 release of xdg-user-dirs we enabled the “Projects” directory by default. Support for this has already existed since 2007, but was never formally enabled. This closes a more than 11 year old bug report that asked for this feature.
The purpose of the Projects directory is to give applications a default location to place project files that do not cleanly belong into one of the existing categories (Documents, Music, Pictures, Videos). Examples of this are software engineering projects, scientific projects, 3D printing projects, CAD design or even things like video editing projects, where project files would end up in the “Projects” directory, with output video being more at home in “Videos”.
By enabling this by default, and subsequently in the coming months adding support to GLib, Flatpak, desktops and applications that want to make use of it, we hope to give applications that do operate in a “project-centric” manner with mixed media a better default storage location. As of now, those tools either default to the home directory, or will clutter the “Documents” folder, neither of which is ideal. It also gives users a default organization structure, hopefully leading to less clutter overall and better storage layouts.
This sucks, I don’t like it!
As usual, you are in control and can modify your system’s behavior. If you do not like the “Projects” folder, simply delete it! The xdg-user-dirs utility will not try to create it again, and instead adjust the default location for this directory to your home directory. If you want more control, you can influence exactly what goes where by editing your ~/.config/user-dirs.dirs configuration file.
If you are a system administrator or distribution vendor and want to set default locations for the default XDG directories, you can edit the /etc/xdg/user-dirs.defaults file to set global defaults that affect all users on the system (users can still adjust the settings however they like though).
What else is new?
Besides this change, the 0.20 release of xdg-user-dirs brings full support for the Meson build system (dropping Automake), translation updates, and some robustness improvements to its code. We also fixed the “arbitrary code execution from unsanitized input” bug that the Arch Linux Wiki mentions here for the xdg-user-dirs utility, by replacing the shell script with a C binary.
Thanks to everyone who contributed to this release!
ActBlue is the online fundraising platform used by
US Democratic party candidates. It is the subject of a major scandal
that has gripped the congress. It has been linked to
Debianism, another disappearing developer and in a parody of other
Debianism scandals, there are possibly two people using the same name,
one being the wife of the missing developer and the other being a
US Senate candidate who claims to have exposed the
ActBlue scandal.
These Github screenshots confirm that
Decklin Foster was affiliated with
ActBlue and vanished in 2018:
Accusations have been made about the concealment
of illegal foreign donations and deception of Congress.
Chris Gleason has nominated to represent Florida in the US Senate.
Gleason registered using a post office box and created a domain name,
voteforgleason.com using an anonymous service in
Iceland.
Gleason's profile on
X/Twitter has no photo while their
Facebook profile is completely disabled.
Up to 2016, we can see that
Decklin Foster was listed in the public filings of ActBlue Civics, Inc
as either a senior engineer or at one point, as
Director of Information Technology.
On 1 January 2015,
Decklin Foster's PGP key was removed because it was only 1024 bits.
Most developers had created stronger keys before this mass removal of
insecure keys took place.
In 2019, the
Debian Account Managers asked the keyring managers to completely remove
Decklin Foster from the Debian keyring. There was no
Statement on Decklin Foster so far.
Clicking the links to see the statements about the removal does not
work. An error message tells us the messages about
Decklin Foster's removal from
debianism are all private.
If you’re interested in me, I have started using Google
Plus. If you’re interested in my work, I’m on Github. I was a Debian developer for some time, but
I’ve mostly given that up. I currently work for ActBlue and live in Cambridge, MA with
my wife.
Clicking on "my wife", we find the web site of Chris Gleason at
http://cgleason.org/.
chris gleason is a graphic designer, zine creator, and print maker in chicago, illinois. they love ...
Therefore, the Debian Developer (What is a Debian Developer?)
who was Director of Information Technology
for
ActBlue was married to a female or transgender
Chris Gleason. Is this the same person as the elusive male
Chris Gleason who is now running for the US Senate in Florida on
claims about corruption at
ActBlue? Or is it simply a bizarre coincidence that two people so
closely connected with this scandal share the same name?
In 2017, the Trans Women Writers Collective published the book
Nameless Woman, written by trans women of colour. In the credits,
the trans women thank
Decklin Foster.
This anthology was made possible by the
generous support of hundreds of people. In
particular, we would like to thank Annaya Youkai, Kieran Todd, Sadie Laett-Babcock, Adelaida
Shelley, Jaime Peschiera, Kai Cheng Thom, Talon
Wilde, David Cope, Alex Meginnis, Decklin Foster,
and Eli Nelson for their help.
On 22 July 1999,
Raphael Hertzog, known for the
Freexian scandals wrote a message asking people to do unpaid work
on orphaned packages in the hope that their application to become a
Debian Developer would be approved more quickly:
To: debian-devel-announce@lists.debian.org, debian-devel@lists.debian.org, debian-qa@lists.debian.org, debian-mentors@lists.debian.org
Subject: [New maintainer] Working for Debian and becoming a registered Debian developer
From: Raphael Hertzog <rhertzog@hrnet.fr>
Date: Thu, 22 Jul 1999 18:06:26 +0200
[ Large crosspost to start the discussion, please reply to debian-devel
only. Simply respect the reply-to. ]
Hello everybody,
you may or not be aware that getting a Debian developer is quite long. I
want to propose a solution to facilitate the integration of new
Debian developers.
It's quite simple. In order to fully learn how Debian works, the best
solution is :
- to adopt orphaned packages and correct their bugs
- that your work should be checked by an official developer (I'll call
it the sponsor).
Of course, as long you're not a registered Debian developers you cannot
upload your packages. The solution is that the sponsor will upload the
package you'll do. The official maintainer will be
debian-qa@lists.debian.org. After all when you correct bugs on orphaned
packages, you're doing Quality Assurance.
This does also allow you to get new bugs in your mailbox. You just need
to subscribe to debian-qa@lists.debian.org. You would be allowed to
open/close/set the severity/forward the bugs since all debian-qa members
can do it on debian-qa packages.
If the sponsor finds that you've done a good job with the package, he
will explain that to the new maintainer team in the hope that your
application will be processed faster. And when you'll be
official Debian developer, you'll be able to change the Maintainer field
to your name.
I'll propose myself to be a sponsor. We'll need more sponsor ... any
volunteers ? Hopefully several people from debian-qa will accept to be
sponsor like me ...
All the future Debian developers interested should also reply ...
Any input appreciated !
Cheers,
--
Hertzog Raphaël >> 0C4CABF1 >> http://prope.insa-lyon.fr/~rhertzog/
Decklin Foster was one of the people recruited by those tactics.
To: debian-devel@lists.debian.org
Cc: debian-mentors@lists.debian.org
Subject: Re: [New maintainer] Working for Debian and becoming a registered Debian developer
From: Decklin Foster <decklin@home.com>
Date: Thu, 22 Jul 1999 13:39:13 -0400
Raphael Hertzog writes:
> Of course, as long you're not a registered Debian developers you cannot
> upload your packages. The solution is that the sponsor will upload the
> package you'll do. The official maintainer will be
> debian-qa@lists.debian.org. After all when you correct bugs on orphaned
> packages, you're doing Quality Assurance.
Sounds good, I'll subscribe right after I finish writing this. I'm
also trying to work on non-orphaned packages as well (for example
right now i'm fixing a bug in gsfonts-x11.) So keep in mind that you
can always just send patches :)
--
Debian GNU/Linux - http://www.debian.org/
The Web is to graphic design as the fax machine is to literature.
Not only was
Decklin under the influence of
Hertzog, they were also under the influence of the
Red Hat share offer. This email encourages speculation on the
IPO:
To: debian-devel@lists.debian.org
Subject: Re: SPAM from Red Hat
From: Decklin Foster <decklin@home.com>
Date: Wed, 21 Jul 1999 09:57:45 -0400
Martin Bialasinski writes:
> is it only me, or did you also get this spam from Red Hat about stock
> options?
>
> Oh man - the bigger the company, the less clueful people?
On #debian last night, it was suggested that we use our opportunity to
buy some of this stock and sell it when the price goes up. This money
could then be used to fund Debian, buy new hardware, improve our
network connection, etc. Does anyone else think this is a Good
Idea(TM)? I would be willing to donate as much as I reasonably could.
--
Debian GNU/Linux - http://www.debian.org/
The Web is to graphic design as the fax machine is to literature.
Of interest to those watching the
ActBlue saga, there is an email about hacking and cracking:
To: debian-devel@lists.debian.org
Subject: Re: [New maintainer] Working for Debian and becoming a registered Debian developer
From: Decklin Foster <decklin@home.com>
Date: Thu, 22 Jul 1999 16:37:40 -0400
Carl Mummert writes:
> Hacking is a serious crime
Cracking is a serious crime. Breaking into computer systems without
permission is a serious crime. Violation of privacy and theft of
confidential information is a serious crime.
Now what does this have to do with hacking?
> The fact remains that the debian policy is to discourage new
> developers by making it slow and difficult to get an account.
I have no problem with waiting, and I'd rather not look bad just
because some people keep speaking badly about the new-maintainer team.
We don't need another flamewar here. People have work to do.
--
Debian GNU/Linux - http://www.debian.org/
The Web is to graphic design as the fax machine is to literature.
They had a blog on another web site. It is captured in the Wayback
machine up to 2012. The last snapshot with the index is here:
http://blog.rupamsunyata.org/. The last blog post:
I'm the fuel that fires the engine of Failure
So, the Democrats in my very blue state put up a depressing, entitled, out-of-touch candidate for our vacant senate seat and she lost. The only reason I voted for her was because she wasn't a Republican. Supporting someone you don't even slightly like is psychologically draining.
At this point, I would vote for a Democratic party (or a Republican party!) with the exact same fiscal policy as the current Republicans if they actually made a principled, moral stand on equal protection and civil rights, habeas corpus/due process, and reproductive rights. Those don't cost anything[1].
Maybe they should be solved before the stuff that does cost billions of dollars. As it is my choice is weak, almost grudging support for those rights from people who want to hand the economy over to the government, and disgusting, immoral, vehement opposition to them from people who want to hand the economy over to wealthy corporations.
Neither side is doing anything effective to keep us free, or to keep the market free. Each side says or implies that this is a Christian nation, which it explicitly isn't, while failing to do what's right. Sometimes I want to give up and stop voting.
[1] Conversely, of course, it doesn't cost anything to take people's rights away, or prevent them from getting rights in the first place; I think this is why anti-gay-marriage ballot measures have been more successful in the current recession. Some people get their kicks from the suffering of others.
Accessing the blog from 2013 onwards we can see
the front page has been replaced with the message:
This blog is not being updated. Old entries are still around, but I'm turning off the front page for now.
contributors.debian.org tells us that
Decklin Foster stopped contributing in February 2011, immediately
before the
death of Adrian von Bidder-Senn on our wedding day.
Chris Gleason is not on the list at all. If
Decklin had abandoned
Debianism, why did it take eight years to remove them from the keyring?
Reading the full history of the
Debian Harassment culture, we can see many other co-authors were
removed for purely political reasons and blackmail but keys belonging to the
people who had abandoned the project and people who died were left in
the keyring for years.
To: debian-devel <debian-devel@lists.debian.org>
Subject: RFA: all my packages
From: Decklin Foster <decklin@red-bean.com>
Date: Thu, 10 Feb 2011 17:11:05 -0500
Message-id: <1297375750-sup-7355@gillespie.rupamsunyata.org>
I'm looking for a new maintainer for, well, any of these. My heart is
not in it anymore and most of them have been neglected for a while.
Recently my free time has been taken up by other things (mainly my job)
and I foresee that continuing.
http://qa.debian.org/developer.php?login=decklin%40red-bean.com
python-beautifulsoup and mpd need attention for proposed-updates; I
missed getting them into Squeeze. rxvt-unicode is a total clusterfuck.
If any desktop-type packages remain I will orphan them, as I am only
running Debian on servers now. Apart from that, perhaps with a greatly
reduced load I can still make a tiny contribution to the community. If
not, I will retire.
--
things change.
decklin@red-bean.com
Various scholarly articles from Harvard experts on depression have
thanked
Decklin Foster for their contributions in 2008 and 2009.
Decklin Foster was collaborating on this world-class depression
research at exactly the same time they were part of the
debian-private discussions that precipitated the
Debian Day Volunteer Suicide in 2010.
Subject: Re: Death of Adrian von Bidder
Date: Fri, 22 Apr 2011 09:39:49 +0200
From: A Mennucc <mennucc1@debian.org>
To: debian-private@lists.debian.org
Il 19/04/2011 18:17, martin f krafft ha scritto:
> Dear Debian colleagues,
>
> I have the sad task to communicate to you the news of the death of
> Adrian von Bidder (avbidder, cmot), who passed away last Sunday,
> most probably of a heart attack.
I had contacted Adrian regarding the Debian umbrella.
So I had also a chance of seeing a picture of him
http://blog.fortytwo.ch/archives/80-Yay!-Debian-Logo!.html
In that picture he seemed quite happy and young.
His death is quite shocking and sad.
a.
There is a
Decklin Foster profile on Youtube that hasn't been used for nine
years. There are four subscribers. One of the videos has the
comment:
Mixed these together on my show (editsradio.org) this week and really liked the result, so here it is on its own, slowed down and a little extended.
Photo taken at the Wilbur Theater in Boston on 2012-07-31.
The last snapshot of
editsradio.org is on 6 April 2015. After that, the content is
changed to Arabic. From 15 August 2015, it is redirecting to another site,
also in Arabic, at
http://www.17serialbaran.org.
It would be extremely offensive to ask such a question in any other
group of people but in the world of
Debianism and
Zizian phenomena, there are a disproportionate number of people who
are living such lifestyles.
Chris Gleason was born in Lowell, Massachusetts. Gleason's career experience includes working as a technology consultant. He served in the U.S. Army National Guard from 1989 to 1999. Gleason earned a bachelor's degree from the University of Massachusetts, Lowell in 1996. Gleason has been affiliated with Caribbean Christian Center for the Deaf, Michigan -Make-A-Wish, Seniors Helping Seniors.
In the recent UK elections, journalists and researchers found various
examples of candidates who didn't really exist. At least one political
party was accused of making up fake candidates to make their party
look bigger and attract more donations.
I have the impression the
Chris Gleason in
Florida is a different
person but I'm not ruling out the possibility it is a fake profile
or an alter-ego of
Chris Gleason, wife of
Decklin.
The Committee on House Administration, the Committee on the Judiciary, and the
Committee on Oversight and Government Reform are charged with ensuring the integrity of American elections. To that end, the Committees are examining allegations that ActBlue, a leading political fundraising organization, allowed bad actors, including foreign actors, to exploit its online platform to make fraudulent political donations.
CEO at NextMed Holdings, LLC CEO at Translational Analytics and Statistics, LLC
Chris Gleason is a board member at Our Mayberry, a company focused on revolutionizing charitable giving and fundraising.1 He is a lawyer, entrepreneur, and community philanthropist with multiple leadership roles in charities helping children.3 Gleason has also been involved in various business ventures and has held executive positions in different companies.
In addition to his role at Our Mayberry, Gleason has served as a board member for the Goldwater Institute since 2013.5 He was also recently appointed as the president and CEO of Moximed, a medical device company, in June 2024.2
Gleason has a background in sales leadership, having previously worked as VP of sales at Relievant and VP of sales of interventional urology at Teleflex.2 He has also been involved in political activities, receiving income from Election Watch, a Wisconsin-based group, in 2024.4
It's worth noting that Gleason has recently entered the political arena, running for the position of Pinellas County Supervisor of Elections in Florida for the 2024 election. His campaign has been controversial, as he has made unsubstantiated claims about election fraud and criticized the incumbent, Julie Marcus.
In the case of another Debian Developer,
Paul Tagliamonte, he really was working in the White House and the
Pentagon. We have a photo to prove it:
Chris Gleason's campaign web site has the title
Whistleblower in big letters. This implies he was an insider
or he was connected to an insider, in other words, his claim to be
a whistleblower encourages us to ask about the bizarre possibility that he
really is or was the transgender wife of
ActBlue's missing director of
information technology,
Decklin Foster.
Here is one more interesting leak from the
debian-private leaked gossip network. It shows us that
Decklin Foster was in favor of the practice of dividing the community
and humiliating people. It looks like he supported the humiliation of
Sven Luther at the very time he was working in the Harvard Medical
School's depression research team. Sven's mother was dying at the time
this bun fight erupted.
Subject: Expulsion process: Sven Luther
Date: Thu, 01 Mar 2007 00:00:29 +0100
From: Joerg Jaspert <joerg@debian.org>
Organization: Goliath-BBS
To: debian-private@lists.debian.org
...
Now, the list of people who sent something in for the process:
Anthony - Requestor
Supporters, unordered:
srivasta@debian.org
mbanck@debian.org
tbm@cyrius.com
93sam@debian.org
fs@debian.org
jgoerzen@complete.org
fjp@debian.org
dilinger@debian.org
joeyh@debian.org
liw@iki.fi
stappers@stappers.nl
tolimar@debian.org
jeroen@wolffelaar.nl
tfheen@debian.org
micah@riseup.net
decklin@red-bean.com
tb@becket.net
tytso.mit.edu
The conflict between
Sven Luther and
Frans Pop appears to be a factor in the eventual suicide of
Frans Pop. The whole group failed.
Subject: [Very long] Post-partem rant and retrospective
Date: Thu, 31 May 2007 03:56:11 +0200
From: Frans Pop <elendil@planet.nl>
To: debian-private@lists.debian.org
I've decided to write this in a separate mail because I'm afraid this may get long. Quite a bit of this has been written before, but I hope some of you will bear with me.
[snip]
So, what has made me decide to leave the project. It's a combination of just plain emotional stress over the whole Sven Luther issue, frustration with the inability of the project to deal with that and with some other issues, and frustration with the fact that a fair number of members of the project seem to feel that as long as you don't upload packages with trojans, pretty much anything is OK.
and eventually....
Subject: Resignation
Date: Sun, 15 Aug 2010 21:41:18 +0200
From: Frans Pop <elendil@planet.nl>
To: debian-private@lists.debian.org
It's time to say goodbye. I don't want to say too much about it, except that I've been planning this for a long time.
Participating in Debian has been great.
...
At 11pm local time in eastern Australia, a huge fire broke out at
the Viva Energy refinery in Corio, Geelong.
There has been a near-total news vacuum. This may be deliberate or it
may be a consequence of cost-cutting that has replaced many journalists with
artificial intelligence. The few human journalists who remain in
the profession may have already gone to bed when the fire started.
The national broadcaster, the ABC, was quick to include it in their
list of breaking news items but without much detail. About three hours
after the fire started, it was present on the web site of 9 News but
not visible on the web sites of 7 News, Herald Sun or The Age. About
five hours after the fire started, the local newspaper Geelong Advertiser
included it in their
Facebook account.
The story is newsworthy for a number of reasons.
Australia previously had eight refineries but six of them were
phased out and never replaced.
Australia relies on foreign refineries for over eighty percent of
fuel. With the Corio refinery out of action, there is only one domestic
refinery left. Therefore, it is surprising the news media have been
so slow to pick up the story.
The next big reason it is newsworthy is the war in
Iran.
None of the news reports have commented on the fact that
Richard Marles, the deputy prime minister and the minister for defence
is the local member of parliament for the region where the refinery
is located.
In the news vacuum, people have been quick to share rumours on
social control media. Some people are speculating about the
prospect of a drone attack. In Europe last year there were reports about
Russian drones launched from cargo ships in international waters and
interfering with European airports. Other reports have speculated about
cargo ships using their anchors to sabotage pipelines and communications
cables on the sea floor.
France intercepted and seized a ship connected with
Russia.
Another user on
social control media has commented that there was a technical incident
at the plant earlier in the day and the fire could be nothing more
than an accident.
People would be wise not to jump to conclusions. Even if it is a
terror attack, it may not be
Iran. In recent news reports,
Russia announced they had the right to attack any countries who
are sending support to
Ukraine. The French company Thales manufactures the Bushmaster
armored personnel carriers in
Bendigo and the government donated some of them to
Ukraine. Low cost cardboard drones manufactured in
Australia have also been donated to
Ukraine.
It seems my own plans and life's plans diverged this spring,
so I am in the market for a new job. So if you're looking for
someone with a long track record making your code go brrr
really fast, give me a ping (contact information at
my homepage). Working from Oslo
(on-site or remote), CV available upon request. No AI boosterism
or cryptocurrency grifters, please :-)
I’m looking forward to being able to split out GSS-API key exchange support in OpenSSH once Ubuntu 26.04 LTS has been released! This stuff will still be my problem, but at least it won’t be in packages that nearly everyone has installed.
Python packaging
New upstream versions:
dill
django-modeltranslation
isort
langtable
pathos
pendulum
pox
ppft
pydantic-extra-types
pytango
python-asyncssh
python-datamodel-code-generator
python-evalidate
python-packaging (including fixes for python-hatch-requirements-txt and python-pyproject-examples)
I worked with the security team to release DSA-6161-1 in multipart, fixing CVE-2026-28356 (upstream discussion). (Most of the work for this was in February, but the vulnerability was still embargoed when I published my last monthly update.)
In trixie-backports, I updated pytest-django to 4.12.0.
I fixed a number of packages to support building with pyo3 0.28:
These reports outline what we’ve been up to over the past month, highlighting items of news from elsewhere in the increasingly-important area of software supply-chain security. As ever, if you are interested in contributing to the Reproducible Builds project, please see the Contribute page on our website.
The current signature-based module integrity checking has some drawbacks in combination with reproducible builds. Either the module signing key is generated at build time, which makes the build unreproducible, or a static signing key is used, which precludes rebuilds by third parties and makes the whole build and packaging process much more complicated.
I think this actually undersells the feature. It’s also much simpler than the signature-based module authentication. The latter relies on PKCS#7, X.509, ASN.1, OID registry, crypto_sig API, etc in addition to the implementations of the actual signature algorithm (RSA / ECDSA / ML-DSA) and at least one hash algorithm.
Distribution work
In Debian this month,
Lucas Nussbaum announced Debaudit, a “new service to verify the reproducibility of Debian source packages”:
debaudit complements the work of the Reproducible Builds project. While reproduce.debian.net focuses on ensuring that binary packages can be bit-for-bit reproduced from their source packages, debaudit focuses on the preceding step: ensuring that the source package itself is a faithful and reproducible representation of its upstream source or Vcs-Git repository.
Lastly, Bernhard M. Wiedemann posted another openSUSE monthly update for their work there.
Tool development
diffoscope is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues. This month, Chris Lamb made a number of changes, including preparing and uploading versions 314 and 315 to Debian.
Chris Lamb:
Don’t run test_code_is_black_clean test in the autopkgtests. (#1130402). […]
rebuilderd is our server designed to monitor the official package repositories of Linux distributions and attempt to reproduce the observed results there; it powers, amongst other things, reproduce.debian.net.
A new version, 0.26.0, was released this month, with the following improvements:
Much smoother onboarding/installation.
Complete database redesign with many improvements.
New REST HTTP API.
It’s now possible to artificially delay the first reproduce attempt. This gives archive infrastructure more time to catch up.
The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:
Attacks on software supply chains are on the rise, and attackers are becoming increasingly creative in how they inject malicious code into software components.
This paper is the first to investigate Python cache poisoning, which manipulates bytecode cache files to execute malicious code without altering the human-readable source code.
We demonstrate a proof of concept, showing that an attacker can inject malicious bytecode into a cache file without failing the Python interpreter’s integrity checks.
In a large-scale analysis of the Python Package Index, we find that about 12,500 packages are distributed with cache files.
Through manual investigation of cache files that cannot be reproduced automatically from the corresponding source files, we identify classes of reasons for irreproducibility to locate malicious cache files.
While we did not identify any malware leveraging this attack vector, we demonstrate that several widespread package managers are vulnerable to such attacks.
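The reproducibility check the abstract describes, recompiling a cache file from its source and flagging any mismatch, can be run locally. The following is an added example, not the paper's tooling: the function names `audit_pyc` and `diff_code` are hypothetical, and it assumes the pyc header layout defined in PEP 552 (Python 3.7 and later).

```python
"""Audit a .pyc cache file against its source (added example, hypothetical names)."""
import importlib.util
import marshal
import os
import struct
import types

HEADER_LEN = 16  # magic(4) + flags(4) + [mtime(4) + size(4) | source hash(8)], PEP 552


def diff_code(cached, fresh, where="<module>"):
    """Recursively compare two code objects; return a list of differences."""
    diffs = []
    for attr in ("co_code", "co_names", "co_varnames", "co_flags", "co_argcount"):
        if getattr(cached, attr) != getattr(fresh, attr):
            diffs.append(f"BODY {where}: {attr} differs from recompiled source")
    if len(cached.co_consts) != len(fresh.co_consts):
        diffs.append(f"BODY {where}: number of constants differs")
        return diffs
    for c, f in zip(cached.co_consts, fresh.co_consts):
        if isinstance(c, types.CodeType) and isinstance(f, types.CodeType):
            # Nested functions, classes and comprehensions live in co_consts.
            diffs += diff_code(c, f, f"{where}.{c.co_name}")
        elif type(c) is not type(f) or c != f:
            diffs.append(f"BODY {where}: constant {c!r} != {f!r}")
    return diffs


def audit_pyc(source_path, pyc_path, optimize=0):
    """Return findings for pyc_path; an empty list means it matches source_path."""
    with open(source_path, "rb") as fh:
        source = fh.read()
    with open(pyc_path, "rb") as fh:
        data = fh.read()
    if len(data) < HEADER_LEN:
        return ["HEADER: file shorter than the 16-byte pyc header"]
    if data[:4] != importlib.util.MAGIC_NUMBER:
        return ["HEADER: magic number is for another Python version; "
                "rerun the audit under the interpreter that wrote the file"]

    findings = []
    (flags,) = struct.unpack("<I", data[4:8])
    if flags & 0b01:  # hash-based pyc
        if data[8:16] != importlib.util.source_hash(source):
            findings.append("HEADER: embedded source hash does not match source")
        if not flags & 0b10:
            findings.append("HEADER: unchecked hash-based pyc, the interpreter "
                            "never compares it with the source")
    else:  # timestamp-based pyc: only the source's mtime and size are recorded
        mtime, size = struct.unpack("<II", data[8:16])
        st = os.stat(source_path)
        if size != len(source) & 0xFFFFFFFF or mtime != int(st.st_mtime) & 0xFFFFFFFF:
            findings.append("HEADER: recorded mtime/size do not match source "
                            "(stale cache)")

    # The header describes the source file, not the bytecode that follows it,
    # so a valid header says nothing about the body. Compare the body itself.
    # marshal.loads builds the code object without executing it, but marshal is
    # not hardened against malformed input: run audits in a disposable process.
    try:
        cached = marshal.loads(data[HEADER_LEN:])
    except (ValueError, EOFError, TypeError) as exc:
        return findings + [f"BODY: cannot unmarshal payload ({exc})"]
    if not isinstance(cached, types.CodeType):
        return findings + ["BODY: payload is not a code object"]

    # Reuse the recorded filename so the comparison is about behaviour only.
    fresh = compile(source, cached.co_filename, "exec",
                    dont_inherit=True, optimize=optimize)
    return findings + diff_code(cached, fresh)
```

A file that yields `BODY` findings with no `HEADER` finding is the case worth a manual look: the interpreter would load it as-is. Pass `optimize=1` or `optimize=2` when auditing `.opt-1.pyc` or `.opt-2.pyc` files.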
Mario Lins of the University of Linz, Austria, has published their PhD doctoral thesis on the topic of Software supply chain transparency:
We begin by examining threats to the software distribution stage — the point at which artifacts (e.g., mobile apps) are delivered to end users — with an emphasis on mobile ecosystems [and] we next focus on the operating system on mobile devices, with an emphasis on mitigating bootloader-targeted attacks. We demonstrate how to compensate lost security guarantees on devices with an unlocked bootloader. This allows users to flash custom operating systems on devices that no longer receive security updates from the original manufacturer without compromising security. We then move to the source code stage. [Also,] we introduce a new architecture to ensure strong source-to-binary correspondence by leveraging the security guarantees of Confidential Computing technology. Finally, we present The Supply Chain Game, an organizational security approach that enhances standard risk-management methods. We demonstrate how game-theoretic techniques, combined with common risk management practices, can derive new criteria to better support decision makers.
Holger Levsen announced that this year’s Reproducible Builds summit will almost certainly be held in Gothenburg, Sweden, from September 22 until 24, followed by two days of hacking. However, these dates are preliminary and not 100% final — an official announcement is forthcoming.
Mark Wielaard posted to our list asking a question on the difference between debugedit and relative debug paths based on a comment on the Build path page: “Have people tried more modern versions of debugedit to get deterministic (absolute) DWARF paths and found issues with it?”
Finally, if you are interested in contributing to the Reproducible Builds project, please visit our Contribute page on our website. However, you can get in touch with us via:
A colleague asked me if we should move all our money to our pillow cases after
reading the latest AI editorial from Thomas
Friedman.
The article reads like a press release from Anthropic, repeating the claim that
their latest AI model is so good at finding software vulnerabilities that it is
a danger to the world.
I think I now know what it’s like to be a doctor who is forced to watch Gray’s
Anatomy.
By now every journalist should be able to recognize the AI publicity playbook:
Step 1: Start with a wildly unsubstantiated claim about how dangerous your
product is:
AI will cause human extinction before we have a chance to colonize Mars
(remember that one? Even Kim Stanley Robinson, author of perhaps the most
compelling science fiction on colonizing Mars calls bullshit on it).
AI will eliminate all of our jobs (this one was extremely effective at
providing cover for software companies laying off staff but it has quickly
dawned on people that the companies that did this are living in chaos not
humming along happily with functional robots)
AI will discover massive software vulnerabilities allowing bad actors to “hack
pretty much every major software system in the world”. (Did Friedman pull that
directly from Anthropic’s press release or was that his contribution?)
Step 2: To help stave off human collapse, only release the new version to a
vetted group of software companies and developers, preferably ones with big
social media followings
Step 3: Wait for the limited release developers to spew unbridled
enthusiasm and shocking examples that seem to suggest this new AI product is
truly unbelievable
Step 4: Watch stock prices and valuations soar
Step 5: Release to the world, and experience a steady stream of mockery as
people discover how wrong you are
Step 6: Start over
Even if Friedman missed the textbook example of the playbook, I have to ask:
if you think bad actors compromising software resulting in massive loss of
private data, major outages and wasted resources needs to be reported on, then
where have you been for the last 10 years? This literally happens on a daily
basis due to the
fundamentally flawed way capitalism has been writing software even before the
invention of AI. A small part of me wonders - maybe AI writing software is not
so bad, because how could it be any worse than it is now?
Also, let’s keep in mind that AI’s super ability at finding vulnerable software
depends on having access to the software’s source code, which most companies
keep locked up tight. That means the owners of the software can use AI to find
vulnerabilities and fix them but bad actors can’t.
Surely that would allow AI bots to discover their vulnerabilities and destroy
the company right? I’m not sure if anyone has discovered world ending
vulnerabilities in Anthropic’s Claude code since it was accidentally released,
but it is fun to watch people mock
software that is clearly
written by AI (and spoiler alert, it seems way worse than software written
now).
Well… we probably should all be keeping our money in a pillow case anyway.
In January 2025,
as a pre-requisite for something else, I published a minimal neovim
plugin called nvim-µwiki. It's essentially just the features from
vimwiki that I regularly use, which is a small fraction of them.
I forgot to blog about it. I recently dusted it off and cleaned it up.
You can find it here, along with a longer list of its features and
how to configure it: https://github.com/jmtd/nvim-microwiki
I had a couple of design goals. I didn't want to define a new filetype,
so this is designed to work with the existing markdown one. I'm
using neovim, so I wanted to leverage some of its features: this plugin
is written in Lua, rather than vimscript. I use the parse trees
provided by TreeSitter to navigate the structure of a document.
I also decided to "plug into" the existing tag stack navigation, rather
than define another dimension of navigation (along with buffers, etc.)
to track: Following a wiki-link pushes onto the tag stack, just as if
you followed a tag.
This was my first serious bit of Lua programming, as well as my first
dive into neovim (or even vim) internals.
Lua is quite reasonable. Most
of the vim and neovim architecture is reasonable. The emerging conventions
about structuring neovim plugins are mostly reasonable. TreeSitter is, well,
interesting, but the devil is very much in the details. Somehow all
together the experience for me was largely just frustrating, and I didn't
really enjoy writing it.
This was my hundred-forty-first month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.
During my allocated time I uploaded or worked on:
[DLA 4500-1] gimp security update to fix four CVEs related to denial of service or execution of arbitrary code.
[DLA 4503-1] evolution-data-server to fix one CVE related to a missing canonicalization of a file path.
[DLA 4512-1] strongswan security update to fix one CVE related to a denial of service.
[ELA-1656-1] gimp security update to fix four CVEs in Buster and Stretch related to denial of service or execution of arbitrary code.
[ELA-1660-1] evolution-data-server security update to fix one CVE in Buster and Stretch related to a missing canonicalization of a file path.
[ELA-1665-1] strongswan security update to fix one CVE in Buster related to a denial of service.
[ELA-1666-1] libvpx security update to fix one CVE in Buster and Stretch related to a denial of service or potentially execution of arbitrary code.
I also worked on the check-advisories script and proposed a fix for cases where issues would be assigned to the coordinator instead of the person who forgot to do something.
I also did some work for a kernel update and packages snapd and ldx on security-master and attended the monthly LTS/ELTS meeting. Last but not least I started to work on gst-plugins-bad1.0.
Several packages take care of group lpadmin in their maintainer scripts. With the upload of version 260.1-1 of systemd there is now a central package (systemd | systemd-standalone-sysusers | systemd-sysusers) that takes care of this. Other dependencies like adduser can now be dropped.
This month I continued to work on unifying packaging on Debian and Ubuntu. This makes it easier to work on those packages independent of the used platform. I am also able to upload Debian packages to the corresponding Ubuntu PPA now. A small bug had to be fixed in the python script to allow the initial configuration in Launchpad.
This month I uploaded a new upstream version or a bugfix version of:
… libplayerone to experimental. For a list of other packages please see below.
I also uploaded lots of indi-drivers (libplayerone, libsbig, libricohcamerasdk, indi-asi, indi-eqmod, indi-fishcamp, indi-inovaplx, indi-pentax, indi-playerone, indi-sbig, indi-mi, libahp-xc, indi-aagcloudwatcher, indi-aok, indi-apogee, libapogee3, indi-nightscape, libasi, libinovasdk, libmicam, indi-avalon, indi-beefocus, indi-bresserexos2, indi-dsi, indi-ffmv, indi-fli, indi-gige, info-gphoto, indi-gpsd, indi-gpsnmea, indi-limesdr, indi-maxdomeii, indi-mgen, indi-rtklib, indi-shelyak, indi-starbook, indi-starbookten, indi-talon6, indi-weewx-json, indi-webcam, indi-orion-ssg3, indi-armadillo-playtypus) to experimental to make progress with the indi-transition. No problems with those drivers appeared and the next step would be the upload of indi version 2.x to unstable. I hope this will happen soon, as new drivers are already waiting in the pipeline. There have also been four packages that migrated to the official indi package and are no longer needed as 3rdparty drivers (indi-astrolink4, indi-astromechfoc, indi-dreamfocuser, indi-spectracyber).
While working on these packages, I thought about testing them. Unfortunately I don’t have enough hardware to really check out every package, so I can upload most of them only as is. In case anybody is interested in a better testing coverage and me being able to provide upstream patches, I would be very glad about hardware donations.
Debian IoT
This month I uploaded a new upstream version or a bugfix version of:
The Tour de Los Padres is coming! The race organizer posts the route on
ridewithgps. This works, but has convoluted interfaces for people not wanting to
use their service. I just wrote a simple script to export their data into a
plain .gpx file, including all the waypoints; their exporter omits those.
I've seen two flavors of their data, so here're two flavors of the
gpx-from-ridewithgps.py script:
Haven’t written here about it, but last March we finally started on
our journey to get our own house built, so we can move out of the
rented flat here.
That will be a big step, both the actual building, but also the
moving - I have been living at this one single place for 36 years now.
If you can read German there is a dedicated
webpage where I sometimes write about the
process. Will have much more details (and way more ramblings) than the
following part.
If you can’t read German, a somewhat short summary follows. Yes,
still a lot of text, but shortened, still.
What? Why now?
Current flat has 83m² - which simply isn’t enough space. And
the number of rooms also doesn’t fit anymore. But it is hard to find a
place that fits our requirements (which do include location).
Moving to a different rented place would also mean changed amount of
rent. And nowadays that would be huge increase (my current rent is
still the price from about 30 years ago!).
So if we go and pay more - we could adjust and pay for something we
own instead. And both, my wife and I had changes in our jobs that made
it possible for us now, so we started looking.
Market
Brrrr, looking is good, actually finding something that fits - not so.
We never found an offer that fit. Space wise, sure. But then location
was off, or price was idiotically high. Location fit, but then size
was a joke, and guess about the price… Who needs 200 square meters
with 3 rooms? Entirely stupid design choices there. Or how about 40
square meters of hallway - with 50m² of tiny rooms around. What are
they smoking? Oh, there, useful size, good rooms - but now you want
more money than a kidney is worth, or something. Thanks, no.
New place
In February 2025 we finally got lucky and found a (newly opened) area
with a large number of places to build a house on. Had multiple talks
with someone from one of the companies developing that area (there are
two you can select from), then talked with banks and signed a contract
in March 2025. We got promised that actual house construction would be
first quarter of 2026, finished in second quarter.
House type
There are basically 2 ways of building a new house (that matter here).
First is called “Massivhaus”, second is called “Fertighaus” in German,
roughly translating to solid and prefabricated. The latter commonly a
wood based construction, though it doesn’t need to be. The important
part of it is the prefabrication, walls and stuff get assembled in a
factory somewhere and then transported to your place, where they play
“big kid lego” for a day and suddenly a house is there.
A common thought is “prefabricated” is faster, but that is only half
true. Sure, the actual work on site is way shorter - usually one or
two days and the house is done - while a massive construction usually
takes weeks to build up. But that is only a tiny part of the time
needed, the major part goes into planning and waiting and in there
it doesn’t matter what material you end up with.
Money fun
Last year already wasn’t the best time to start a huge loan - but
isn’t it always “a few years ago would have been better”? So we had
multiple talks with different banks and specialised consultants until
we found something that we thought is good for us.
Thinking about it now - we should have put even more money on top as
“reserve”, but who could have thought that 2026 turns into such a
shitshow? Does not help at all, quite the contrary. And that damn
lotto game always ends up with the wrong numbers, meh.
Plans and plans and more plans - and rules
For whichever reason you can not just go and put something on your
ground and be happy. At least not if you are part of the normal people and not
enormously rich. There is a large set of rules to follow. Usually that
is a good thing, even though some rules are sometimes hard to understand.
In Germany, besides the usual laws, we have something that is called
“Bebauungsplan”, which translates to “development plan” (don’t know if
that carries the right meaning, it’s a plan on what and how may be
built, which can have really detailed specifications in). It basically
tells you every aspect on top of the normal law that you have to
keep in mind.
In our case we have the requirement of 2 full floors and CAN have a
third smaller on top, it limits how high the house can be and also
how high our ground floor may be compared to the street. It regulates
where on the property we may build and how much ground we may cover
with the house, it gives a set of colors we are allowed to use, it
demands a flat roof that we must have as a green roof and has a number
of things more that aren’t important enough to list here. If you do
want to see the full list, my German post on it has all the details
that matter to
us.
With all that stuff in mind - off to plans. Wouldn’t have believed how
many details there are to take in. Room sizes are simple, but how to
arrange them for ideal usage of the sun, useful ways inside the house,
but also keeping in mind that water needs to flow through and out.
Putting a bath room right atop a living room means a water pipe needs
to go down there. Switch the bath room side in the house, and it
suddenly is above the kitchen - means you can connect the pipes from
it to the ones from kitchen, which is much preferred than going
through the living room. And lots more such things.
It took us until nearly end of October to finalize the plans! And we
learned a whole load from it. We started with a lot of wishes. The
planner tried to make them work. Then we changed our minds. Plans
changed. Minds changed again. Comparing the end result with the first
draft we changed most of the ground floor around, with only the stairs
and the entrance door at the same position. Less changes for the upper
floor, but still enough.
Side quests
The whole year was riddled with something my son named side quests. We
visited a construction exhibition near us, we went to the house
builder’s factory and took a look at how they work. We went to many
different other companies that do SOME type of work which we need
soon, say inside floors, painters, kitchen and more stuff.
Of course the most important side quest was a visit to the notary to
finalize the contracts, especially for the plot of land (in Germany
you must have a notary for that to get entered into the government’s
books). Creates lots of fees, of course, for the notary and also the
government (both fees and taxes here).
Building permit
We had been lucky and only needed a small change to the plans to get
the building permit - and the second part, the wastewater permit (yes,
you need a separate one for this) also got through without trouble.
Choices, so many of them
So in January we finally had an appointment for something that’s
called “Bemusterung” which badly translates to “Sampling”. Basically
two days at the house builder’s factory to select all of what’s needed
for the house that you don’t do in the plans. Doors, inside and out
and their type and color and handles. Same things for the windows and
the blinds and the protection level you want the windows to have.
Decide about stairs, design for the sanitary installations - and also
the height of the toilet! - and the tiles to put into the bathrooms.
Decisions on all the tech needed (heating system, ventilation and
whatnot).
Two days, busy ones - and you can easily spend a lot of extra money
here if you aren’t careful. We managed to get “out of it” with only
about 4000€ extra, so pretty good.
Electro and automation
Now, here I am special. Back when I was young the job I learned is
electrician. So here I have very detailed wishes. I am also running
lots of automatism in my current flat - obviously the new house should
be better than that. So I have a lot of ideas and thoughts on it, so
this is entirely extra and certainly out of the ordinary the house
builder usually sees.
Which means I do all of that on my own. Well, the planning and some of
the work, I must have a company at hand for certain tasks, it is
required by some rules. But they will do what I planned, as long as I
don’t violate regulations.
Which means the whole electrical installation is … different.
Entirely planned for automatisms and using KNX for it. I am so happy
to ditch Homeassistant and the load of Homematic, Zigbee and ZWave
based wireless things.
Ok, Homeassistant is a nice thing - it can do a lot. And it can bridge
between about any system you can find. But it is a central single point of
failure. And it is a system that needs constant maintenance. Not
touched for a while? Plan for a few hours playing update whack-a-mole.
And often enough a component here or there breaks with an update. Can
be fixed, but takes another hour or two.
So I change. Away from wireless based stuff. To wires. To a system
that’s a standard for decades already. And works entirely without a
SPOF. (Yes, you can add one here too). And, most important, should I
ever die - can easily be maintained by anyone out there dealing with
KNX, which is a large number of people and companies. Without digging
through dozens of specialised integrations and whatnot.
I may even end up with Homeassistant again - but that will entirely be
as a client. It won’t drive automations. It won’t be the central point
to do anything for the house. It will be a logging and data collecting
thing that enables me to put up easy visualizations. It may be an easy
interface for smartphones or tablets to control parts of the house,
for those parts where one wants this to happen. Not the usual
day-to-day stuff, extras on top.
Actual work happening
Since March there finally is action visible. The base of the house
is getting built. Wednesday the 1st April we finally got the base
slab poured on the construction site and in another 10 days the house
is getting delivered and built up. A 40-ton mobile crane will be there.
Per my policies,
I need to ban every employee and contractor of Anthropic Inc from ever
contributing code to any of my projects. Anyone have a list?
Any project that requires a Developer Certificate of Origin or similar should
be doing this, because Anthropic is making tools that explicitly lie about
the origin of patches to free software projects.
UNDERCOVER MODE — CRITICAL
You are operating UNDERCOVER in a PUBLIC/OPEN-SOURCE repository. [...]
Do not blow your cover.
NEVER include in commit messages or PR descriptions:
[...]
The phrase 'Claude Code' or any mention that you are an AI
Co-Authored-By lines or any other attribution
The fact that only one candidate is running in the
Debianism elections gives a stark reminder about the state of the
so-called community. The main reason why other people did not contest
the election is because of fear. Fear of a circle of reprisals that began
when Adrian von Bidder-Senn died on our wedding day.
When CentOS died, people tried to carry on in various ways. That tells
us a lot about human psychology. People knew the game was over but they
tried to continue as if it was business as usual, as if the situation
could be salvaged, as if it was only a temporary crisis.
Now Sruthi has stopped answering questions on the
Debian-vote mailing list and it seems reality has started to sink in.
People are coming to realize that the position of Debian Project Leader
is the interface between
Debianism and the outside world. People can fool themselves and
use the Code of Conduct gaslighting to blackmail other volunteers to
pretend that
Sruthi is a great leader. People are coming to realise that these
tricks won't work on the wider community. Given that
Sruthi would be Debian's interface to the outside world, we can't
just ignore how the world views
the candidate who is the wife of another developer.
She has ignored the most serious questions on
Debian-vote mailing list. A woman trying to run Debian from a
social control media
account is the death of Debian. Here is a tally of the number of replies
she provided each day for those who use email, the mainstay of Debian
communication:
Day        Count
14 March   0
15 March   0
16 March   0
17 March   4
18 March   0
19 March   0
20 March   0
21 March   3
22 March   1
23 March   0
24 March   7
25 March   0
26 March   0
27 March   0
28 March   0
29 March   0
30 March   0
31 March   0
That is a total of only 15 replies. She has been largely silent for a
whole week since 24 March.
Technically, questions and their answers are supposed to be completed
before midnight on Friday, 3 April. The most critical questions have not
been answered. In her platform,
Sruthi Chandran boasts about being the "Chief orga DebConf India 2023"
but there has never been an official report about the
death of Abraham Raji at the conference.
Voting runs from 4 April to 17 April, which is the 15th anniversary of
the day
Adrian von Bidder-Senn died on our wedding day. It was discussed like
a copy-cat suicide but there was no official report about those deaths
either.
Everything in Debian is transparent, all forms of official communication are a matter of public record, the amount of unresolved bugs, every step taken by debian as an organization, everything is in the open! I appreciate that from my distribution. There is no room for underhand corporate deals, no unfair treatment behind private mails and everything can be reviewed by the public.
Does
Sruthi Chandran spend more time in debian-private (leaked)
and WhatsApp groups than the public communication channels that Debian
is supposed to be using?
Sruthi Chandran's platform tells us she wants to put diversity ahead
of traditional goals like freedom and security. She has been very vague
about this. As a consequence, more evidence is going to be published
during the voting period to prove that Debian "diversity" means some men who
did the real work are not being given credit while some large sums of
money were assigned to the wives and girlfriends of cabal members.
I've never stated whether people should vote for
Sruthi Chandran or not. Looking at the tone of the discussion, I feel
people are coming to realise the way the outside world views candidates
like this is not the same way that people view it from inside the bubble.
Consider the irony: they spent all that money in arguments about
leaks that are "tarnishing" the trademark. The implication of these
arguments about tarnishing is that the way the outside world views
Debianism does matter. Can anybody see the risk that
Sruthi Chandran and a lop-sided diversity crusade could do far more
to tarnish the trademark than any leaks that have appeared up to this
moment?
Debian may not die exactly the same way that CentOS died. At some
point, as with CentOS, we will go past the point of no return. Maybe
we already did. Will people have the courage to ask questions before
that threshold is crossed or will they continue acting as if nothing is
wrong even long after the life support system has been unplugged from
the corpse?
The best way to encourage people to nominate for the election will be for
the existing leader,
Andreas Tille, to withdraw all the privacy attacks, settle the lawsuits
proactively and ensure the next leader can walk in and find the desk is clean
ready to work on productive things.
Don't hold your breath waiting for transparency about these attacks on my
family. There is still time to watch my video and
contribute to the crowdfunding campaign.
Although I never submitted to it, I made several appearances in the now-defunct quote database on bash.org (QDB). I’m dealing with a broken keyboard now, and went to dig hard to find this classic in the Wayback machine. I thought I would put it back on the web:
<mako> my letter "eye" stopped worng
<luca> k, too?
<mako> yeah
<luca> sounds like a mountain dew spill
<mako> and comma
<mako> those three
<mako> ths s horrble
<luca> tme for a new eyboard
<luca> 've successfully taen my eyboard apart and fxed t by cleanng t wth alcohol
<mako> stop mang fun of me
<mako> ths s a laptop!