Deb.News

My Debian Activities in April 2026

2026-05-05T14:24:27+00:00

Debian LTS/ELTS

This was my hundred-forty-second month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.

During my allocated time I uploaded or worked on:

[DLA 4530-1] gst-plugins-bad1.0 security update to fix two CVEs related to denial of service or execution of arbitrary code if a malformed media file is opened.
[DLA 4544-1] ntfs-3g to fix one CVE related to local root privilege escalation.
[DLA 4545-1] packagekit security update to fix one CVE related to local privilege escalation.
[DLA 4547-1] gimp security update to fix three CVEs related to denial of service or execution of arbitrary code if a malformed PSP, JPEG 2000 or PSD file is opened.
[ELA-1682-1] gst-plugins-bad1.0 security update to fix two CVEs in Buster and Stretch related to denial of service or execution of arbitrary code.
[ELA-1689-1] ntfs-3g security update to fix one CVE in Buster and Stretch related to local root privilege escalation..
[ELA-1693-1] pakagekit security update to fix one CVE in Buster and Stretch related to local privilege escalation.
[#1126167] bookworm-pu upload of zvbi
[#1126273] bookworm-pu upload of taglib
[#1126370] bookworm-pu upload of libuev
[libcoap3] upload to sid to fix two CVEs related to out-of-bounds read and stacked based buffer overflow.
[#1134340] trixie-pu bug for libcoap3 to fix two CVEs in Trixie.
[cups] upload to sid to fix six CVEs.

I also did a week of front desk duties and started to work on backports of the cups CVEs.

Debian Printing

This month I uploaded a new upstream versions:

… foo2zjs to unstable.
… cups to unstable.

Unfortunately the first upload of cups introduces a regression and another upload was needed to take care of a crash. The patch for one CVE also broke a test script, which is used by lots of printing packages in Debian. As a result some autopkgtest runs failed. This could be fixed as well and the only remaining issue that needs some more investigation is related to cups-pdf.

This work is generously funded by Freexian!

Debian Lomiri

This month I continued to work on unifying packaging on Debian and Ubuntu. This makes it easier to work on those packages independent of the used platform.

I also started working on two new packages: lomiri-radio-app and lomiri-fretboardtrainer-app

This work is generously funded by Fre(i)e Software GmbH!

Debian Astro

This month I uploaded a new upstream version or a bugfix version of:

… indi-apogee to experimental.
… indi-nexdome to experimental.
… libahp-xc to unstable.

Debian IoT

This month I uploaded a new upstream version or a bugfix version of:

… libcoap3 to unstable.

Marcos Talau joined the Debian IoT group, welcome aboard.

Debian Mobcom

This month I uploaded a new upstream version or a bugfix version of:

… osmo-iuh to unstable.

misc

This month I uploaded a new upstream version or a bugfix version of:

… bottlerocket to unstable.
… cd5 to unstable.
… usb-modeswitch-data to unstable.
… libpicohttpparser to unstable (sponsored upload for Joachim Zobel.

Tower Servers and Resizable BAR

2026-05-04T08:22:15+00:00

A feature on modern PCIe implementations is “Resizable BAR” AKA “REBAR”. This basically means that instead of allocating 256MB of address space for a PCIe device to have it’s memory mapped the device can ask for more, the limit can be 4G with some hardware or the combination of motherboard and expansion card can support 64bit addressing to allow the entire memory space of a GPU to be mapped in one region. Directly mapping all the memory will be faster no matter how things work, but a combination of algorithms optimised for a flat memory layout and overheads from remapping can cause 90% of performance to be lost without REBAR support. Some GPUs (or maybe the software driving them) will even refuse to work without it.

I believe that almost all hardware supporting DDR4 will support REBAR at a hardware level, but in many cases the BIOS doesn’t support it. There are people who have reflashed a system BIOS to add REBAR support and there are options to use a modified UEFI boot loader to replace the code that is used for mapping the GPU memory.

The systems I like to use are server grade tower systems with registered ECC RAM, after a few years they become quite cheap and still give decent performance while supporting large amounts of RAM. But many such systems that could support REBAR don’t, presumably because the vendor doesn’t have a great interest in supporting new uses of old hardware.

Comparing the Name Brand Servers

The HP Z640 and Z840 systems I’m running date from 2014 and give good performance with replacement CPUs that are cheap on ebay, but they don’t support REBAR without a flashed BIOS. The next release of those HP servers are the HP Z6 and Z8 Gen 4 systems from 2017 that have BIOS support for enabling REBAR.

The Lenovo Thinkstation Px20 (P520, P920, etc) don’t support REBAR which is especially disappointing as they were on sale from 2017 to 2022 and have decently fast CPUs. The replacement for the Px20 systems are the ones that are still on sale now and they seem likely to have REBAR support – but won’t be affordable on ebay.

The Dell PowerEdge T440 and R740 systems (and presumably all their servers from 2017) don’t support REBAR. There are no google hits for T550 and R750 systems from 2021, so presumably no complaints means that Dell servers from that era support it. But the T350 servers are junk and only take slow CPUs, and the T550 systems are brutally expensive. The Precision 5520 systems don’t support it and newer Precision workstations will get expensive.

It seems that HP is best for this.

Which HP Workstation

The Z2 G4 only supports 64G of RAM so isn’t worth considering.

The Z4 G4 is low end and comes in two variants. The one with i5/i7/i9 CPUs doesn’t support ECC RAM so isn’t suitable for me, and that probably means most Z4 G4 systems on the market. The upside is that apparently 2*6pin PCIe power cables is standard so any size GPU should work and there are 8 DIMM slots supporting up to 512G of RAM. There are 3 options for PSU, 490w for 0 GPUs, 750W for 2 (small) GPUs, and 1000W for up to 4 GPUs.

The Z6 G4 has an option for a second CPU that almost no-one selects, that reduces the space for RAM so there’s only 6 DIMM slots. But as there is no option for a Z6 without ECC RAM every one on offer will be good.

The Z8 G4 is a nice dual socket system that I would not use for a serious GPU after my experience of my Z840 having a motherboard problem from a big GPU.

The Z4 G4 is going for about $500 on ebay with the 750W PSU, that is more than I want to pay but not a lot more. In 6 months they could be going for $350 or so. There are hardly any Z6 G4 systems on offer and they are all well over $1000 so I’m not considering them.

Conclusion

I need to poll the second hand sites for Z4 G4 systems and find one going cheap. One of those could be a good ML test machine for a while and then become a workstation once the faster CPUs (which are currently around $900) become cheap.

Copy Fail on Debian and SE Linux

2026-05-04T08:00:58+00:00

I have just learned of the Copy Fail kernel vulnerability [1] thanks to alexanderkjall@mastodon.social (who I have just followed on Mastodon and I recommend that you follow too). The question for me (after installing the patched kernel the systems of mine that are most exposed) is whether SE Linux would have stopped that.

Basic Policy Analysis

For the SE Linux policy analysis the alg_socket class is the one that is related to the exploit. So the following policy analysis command (run as non-root with policy copied to /tmp from a running system) shows what domains are allowed access on my current Debian development system:

$ sesearch -A -c alg_socket /tmp/policy.35 
allow NetworkManager_t NetworkManager_t:alg_socket { accept bind create read setopt write };
allow bluetooth_t bluetooth_t:alg_socket { accept append bind connect create getattr getopt ioctl listen read setattr setopt shutdown write };
allow daemon init_t:alg_socket { getattr getopt ioctl read setopt write };
allow devicekit_disk_t domain:alg_socket getattr;
allow lvm_t lvm_t:alg_socket { append bind connect create getattr getopt ioctl read setattr setopt shutdown write };
allow sosreport_t domain:alg_socket getattr;
allow sysadm_t domain:alg_socket getattr;
allow unconfined_domain_type domain:alg_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recvfrom relabelfrom relabelto sendto setattr setopt shutdown write };

The above is the same as on the Trixie release policy as these things aren’t changed often. Below is from Debian/Bookworm which is the same apart from Bookworm not allowing lvm_t:

$ sesearch -A -c alg_socket /tmp/policy.33
allow NetworkManager_t NetworkManager_t:alg_socket { accept bind create read setopt write };
allow bluetooth_t bluetooth_t:alg_socket { accept append bind connect create getattr getopt ioctl listen read setattr setopt shutdown write };
allow daemon init_t:alg_socket { getattr getopt ioctl read setopt write };
allow devicekit_disk_t domain:alg_socket getattr;
allow sosreport_t domain:alg_socket getattr;
allow sysadm_t domain:alg_socket getattr;
allow unconfined_domain_type domain:alg_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recvfrom relabelfrom relabelto sendto setattr setopt shutdown write };

I checked every Debian policy back to when the alg_socket class was first added and found that the older versions had fewer domains granted access. The most recently added was bluetooth_t and the one before that was NetworkManager_t.

The Risky Lines

Of those allow statements the following are the risks:

Unconfined Domains and the unconfined_domain_type Attribute

When writing policy lines like the following line aren’t generally considered a problem as unconfined domains are allowed full access to the system. However it can be an issue if you have a process in an unconfined domain without root access, which means a regular user login. Unfortunately this happens to be where this exploit and the default Debian SE Linux configuration intersect.

allow unconfined_domain_type domain:alg_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recvfrom relabelfrom relabelto sendto setattr setopt shutdown write };

The following shell code gets a list of unconfined domains which can be entered from user domains.

A=""
for n in $(seinfo -x -a unconfined_domain_type|grep _t$) ; do
  A="$A|($n)"
done
A=$(echo $A|sed -e s/^.//)
sesearch -T -s user_application_exec_domain -c process|egrep "$A;"

Below is the output on a Debian/Trixie (Stable) system. So a confined user in the user_t domain could run an X server and try and get it to run the exploit code (which seems difficult) or running a Wine or Mono program from the Window manager in a Wayland environment.

type_transition user_t xserver_exec_t:process xserver_t;
type_transition user_wm_t mono_exec_t:process mono_t;
type_transition user_wm_t wine_exec_t:process wine_t;
type_transition user_wm_t xserver_exec_t:process xserver_t;

The issue of unconfined domains in SE Linux policy needs much more work. I’ll write some blog posts about it later and the next release of Debian will be significantly better in this regard.

Daemons that Have Access

allow NetworkManager_t NetworkManager_t:alg_socket { accept bind create read setopt write };
allow bluetooth_t bluetooth_t:alg_socket { accept append bind connect create getattr getopt ioctl listen read setattr setopt shutdown write };

Network Manager is something that can potentially be exploited by a desktop user as it has a large attack surface for the desktop interface. But as the vast majority of desktop user accounts are unconfined that’s not an issue. This might be an issue for some restricted desktop PCs, maybe kiosk systems and those PCs that were being installed in prisons.

The bluetooth_t domain is used by the bluetooth daemon that runs as root. While we generally are less concerned about a root process being exploited the daemon will handle some data from hostile sources and it could be used as an escalation attack by someone with a hostile Bluetooth device.

These can’t be exploited without another bug.

The Lines that Aren’t Problems

The getattr Lines

allow devicekit_disk_t domain:alg_socket getattr;
allow sosreport_t domain:alg_socket getattr;
allow sysadm_t domain:alg_socket getattr;

The above getattr access isn’t an issue as it just allows seeing process information, and it’s also by privileged domains.

The init_t Sockets

allow daemon init_t:alg_socket { getattr getopt ioctl read setopt write };

The daemon access to sockets inherited from init_t probably isn’t a great idea, it’s from the following section in init.te which is to allow socket activation for daemons, the comment is concerning in this context. Also socket_class_set is overly broad as without even inspecting the systemd source code I’m pretty sure that far fewer than 1/3 of the 55 classes allowed by that rule are actually supported in systemd.

ifdef(`init_systemd',`
        # Until systemd is fixed
        allow daemon init_t:socket_class_set { getattr getopt ioctl read setopt write };

But that’s not really a problem as systemd has to just not create a socket of that type, if a hostile party can make systemd create such sockets then you have probably already lost.

SE Linux Protection

Overall SE Linux systems running confined users (kiosks and other confined GUI environments) will be protected barring a bug in Network Manager or the Bluetooth daemon as long as there is no Xserver installed (or the X server won’t run scripts on startup), no Wine system installed, and no Mono.

SE Linux servers and VMs will be protected against daemon issues as long as the daemon isn’t unconfined.

To convert the default login to user_t run the following commands:

semanage login -m -s user_u -r s0 __default__
restorecon -R -v -F /home

But it is still possible to access an unconfined domain from user_t (a topic I will address in detail in a future blog post).

To remove unconfined entirely (not a task for novices or something to be done on in production without testing and planning) run the following commands:

semanage login -m -s root -r s0 root
# logout and login again
semodule -X 100 -r unconfined

Then a Debian/Trixie system running SE Linux will be safe against this attack even when running a vulnerable kernel.

If you still want to use root as unconfined_t but still have untrusted shell users then run the following command to remove the easiest ways for users to run a program in an unconfined domain:

semodule -X 100 -r mono wine

Success and Failure

Blocked by SE Linux

Below is what happens on stdout/stderr when SE Linux blocks the exploit (tested with vulnerable Debian kernel 6.12.74+deb13+1-amd64):

test@testing1:~$ python3 ./copy_fail_exp.py 
Traceback (most recent call last):
  File "/home/test/./copy_fail_exp.py", line 9, in <module>
    while i<len(e):c(f,i,e[i:i+4]);i+=4
                   ~^^^^^^^^^^^^^^
  File "/home/test/./copy_fail_exp.py", line 5, in c
    a=s.socket(38,5,0);a.bind(("aead","authencesn(hmac(sha256),cbc(aes))"));h=279;v=a.setsockopt;v(h,1,d('0800010000000010'+'0'*64));v(h,5,None,4);u,_=a.accept();o=t+4;i=d('00');u.sendmsg([b"A"*4+c],[(h,3,i*4),(h,2,b'\x10'+i*19),(h,4,b'\x08'+i*3),],32768);r,w=g.pipe();n=g.splice;n(f,w,o,offset_src=0);n(r,u.fileno(),o)
  File "/usr/lib/python3.13/socket.py", line 233, in __init__
    _socket.socket.__init__(self, family, type, proto, fileno)
    ~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^PermissionError: [Errno 13] Permission denied
test@testing1:~$ su
Password:

When the attack is blocked by SE Linux there will be no messages in the kernel message log but the SE Linux audit log (typically stored in /var/log/audit/audit.log) will have lines like the following:

type=AVC msg=audit(1777803068.070:76): avc:  denied  { create } for  pid=811 comm="python3" scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=alg_socket permissive=0
type=SYSCALL msg=audit(1777803068.070:76): arch=c000003e syscall=41 success=no exit=-13 a0=26 a1=80005 a2=0 a3=0 items=0 ppid=791 pid=811 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="python3" exe="/usr/bin/python3.13" subj=user_u:user_r:user_t:s0 key=(null)ARCH=x86_64 SYSCALL=socket AUID="test" UID="test" GID="test" EUID="test" SUID="test" FSUID="test" EGID="test" SGID="test" FSGID="test"
type=PROCTITLE msg=audit(1777803068.070:76): proctitle=707974686F6E33002E2F636F70795F6661696C5F6578702E7079

For that the :76 is the audit log entry number, the command “ausearch -i -a 76” will interpret that message with the following output:

type=PROCTITLE msg=audit(05/03/26 10:11:08.070:76) : proctitle=python3 ./copy_fail_exp.py 
type=SYSCALL msg=audit(05/03/26 10:11:08.070:76) : arch=x86_64 syscall=socket success=no exit=EACCES(Permission denied) a0=alg a1=SOCK_SEQPACKET a2=ip a3=0x0 items=0 ppid=791 pid=811 auid=test uid=test gid=test euid=test suid=test fsuid=test egid=test sgid=test fsgid=test tty=pts0 ses=1 comm=python3 exe=/usr/bin/python3.13 subj=user_u:user_r:user_t:s0 key=(null) 
type=AVC msg=audit(05/03/26 10:11:08.070:76) : avc:  denied  { create } for  pid=811 comm=python3 scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=alg_socket permissive=0

When it Works

Below is what happens when it works (again tested with Debian kernel 6.12.74+deb13+1-amd64):

test@testing1:~$ python3 ./copy_fail_exp.py 
#

Here is the kernel log when the attack works:

[   30.441830] alg: No test for authencesn(hmac(sha256),cbc(aes)) (authencesn(hmac(sha256-avx2),cbc-aes-aesni))
[   30.447466] process 'su' launched '/bin/sh' with NULL argv: empty string added

When the Kernel Isn’t Vulnerable

If the kernel isn’t vulnerable and SE Linux permits the attack (EG run from an unconfined domain) the following is seen on stdout/stderr:

$ python3 ./copy_fail_exp.py 
Password: 
su: Authentication failure

In that situation the kernel will log something like the following:

[   36.647023] alg: No test for authencesn(hmac(sha256),cbc(aes)) (authencesn(hmac-sha256-lib,cbc-aes-aesni))

This was tested on the Debian/Unstable kernel 6.19.13+deb14-amd64.

Conclusion

Run the following commands and then force all users to logout to make a Debian SE Linux system offering shell access reasonably safe against this bug. But also upgrade your kernel as soon as convenient because having multiple layers of protection is always good.

semanage login -m -s user_u -r s0 __default__
restorecon -R -v -F /home
semodule -X 100 -r mono wine

The GrapheneOS people are doing really good work on securing phones, I am most interested in Mobian (Debian on phones) but for people who have made different choices GrapheneOS is a good option. Here is the GrapheneOS statement on Copy Fail (they are not vulnerable to it) [3]. For people interested in running a secure Android build GrapheneOS is the best option. Their supported devices list shows Pixel 6 to Pixel 10 supported and Pixel 8 to Pixel 10a recommended [4]. In Australia Kogan sells refurbished Pixel 6 phones starting at $251 including delivery and refurbished Pixel 8 phones starting at $499 with “First” membership, they seem to have the cheapest Pixel phones.

I want to make Debian more like Android in terms of security, but that’s a topic for other blog posts.

Here is the Debian page listing kernels that have been fixed against this exploit [5].

Review: Full Speed to a Crash Landing

2026-05-04T03:56:00+00:00

Review: Full Speed to a Crash Landing, by Beth Revis

Series:	Chaotic Orbits #1
Publisher:	DAW
Copyright:	August 2024
ISBN:	0-7564-1947-6
Format:	Kindle
Pages:	153

Full Speed to a Crash Landing is a science fiction novella and the first of a series. Beth Revis made the New York Times bestseller list for an earlier series of young adult science fiction novels, but somehow I had not heard of her before this series.

Ada Lamarr is a salvager. She picks up material from crashed or dead ships for resale. As the story opens, she has a large hole in the side of her ship, she's running out of oxygen, and the other ship nearby is refusing to answer her distress call. By the time they finally respond, there is barely enough time to get aboard before she is entirely out of air.

Ada's first-person narration drops hints that she may not be entirely what she seems. But then, neither is the Halifax, so it's only fair.

The captain of the Halifax treats Ada with a great deal of suspicion and wants her out of the way of their ongoing salvage operation. However, the captain does not appear to be entirely in charge. Ada is immediately struck by the mysterious Rian White, who seems to have some authority over their mission and is more thoughtful and calculating than the rest of the crew. He's also handsome, which doesn't hurt.

I was tempted to keep writing about the plot, but given the short length of this book, I should stop there and let you enjoy the twists and turns for yourself. This is a fun science fiction action romp: lots of banter, lots of tense moments, and a cagey first-person protagonist with an irrepressible sense of humor and a knack for brazening her way through conversations. It's not long on world-building (there isn't enough room), but Revis works in enough details to be intriguing and to set up some interesting motivations.

This is the sort of book that lives and dies by how much you like the protagonist, something that you will easily figure out by the end of an ebook sample if you're the sort of reader who uses those. Ada is irreverent, talkative, and very adroit at diverting attention (entertainingly) onto anything other than the critical piece of information other people are missing. If you want to, I suspect you could easily figure out most of what Ada is up to before the book reveals it explicitly. It's not that complicated, and the book isn't really trying to hide, although it doesn't give you all the necessary information in advance. Personally, I was happy to sit back and enjoy the ride.

There is no romance in this book beyond frequent comments from Ada that she would have liked there to be a romance in this book under different circumstances, but I will be surprised if that romance doesn't show up later in the series. Ada and Rian are clearly being set up as a pair. I didn't like Rian as much, mostly because he's less memorable as a character, but he comes into his own in the appendices after the plot proper.

I thought those concluding appendices were the best part of the novella and question the Kindle formatting decision to treat them like supplemental material. They purport to be a series of government memos, fill in a lot more of the backstory and world building, and have the best footnotes. Don't skip them!

This isn't the sort of book that I am inspired to immediately push into everyone's hands, but it's a fast, well-paced story that delivered a few reading sessions of entertainment. I'm not sure the political philosophy in the background makes a lot of sense, but at least not a standard stereotype of current politics seen in so much science fiction. It's going to set up some interesting character conflict in later books. I'm certainly intrigued enough to keep reading.

Recommended when you're in the mood for some fast-paced fun that's short and undemanding.

Followed by How to Steal a Galaxy.

Rating: 7 out of 10

Inquest, a test result repository in Rust

2026-05-03T10:00:00+00:00

testrepository

For a long time I’ve used Robert Collins’ testrepository (testr) to run tests in many of the projects I work on. It’s a small, focused tool built around a simple idea: decouple the running of tests from the recording and querying of their results.

The way it works is straightforward. A test runner emits a subunit stream — a compact binary protocol for test results — and testrepository stores those streams in a per-project .testrepository/ directory. Once results are in the repository, you can ask questions like “which tests failed in the last run?”, “re-run only the failures”, “what are the slowest tests?”, or “what changed between this run and the previous one?”.

The killer feature, for me, has always been the failing-test loop. When a big test suite breaks, you don’t want to re-run the whole thing after every fix — you want to iterate on just the failures, and only re-run the full suite once they’re all green. testrepository made that workflow ergonomic long before most language-specific test runners had anything comparable, and many of them still don’t have a good answer for it.

testrepository has served me well for over a decade, but it has been largely unmaintained for a while, and I had some ideas of improvements that I wanted to try out. So I wrote a Rust port, which has since grown a number of features of its own.

Inquest

Inquest is a Rust port of testrepository that has since grown a number of features of its own. The binary is called inq.

Goals

The goals are deliberately modest:

a single static binary, no Python runtime required
no need to write a dedicated config file for most projects
compatible enough with testrepository’s workflow that I can switch projects over without retraining my fingers
a richer on-disk format that captures more about each run (git commit, command line, duration, exit code, concurrency)
good support for the languages I actually use day-to-day: Rust, Python, Go, and Node.js
mostly Do What I Mean (DWIM), e.g. getting me to know as quickly as possible what tests are failing and why, and being clever about doing this

Inquest reads and writes subunit v2 streams, so anything that can produce subunit (directly or via one of the many converters) can feed into it.

Quick start

Inquest can usually figure out how to run your tests on its own. In a Rust, Python, Go or Node.js project:

 $ cd my-project
 $ inq

Or if the auto-detection doesn’t work, you can ask it to generate a config file and then run the tests:

 $ inq auto
 $ inq run

inq auto writes an inquest.toml describing how to invoke the test runner; inq run runs the tests, captures the subunit stream, and stores the results in a .inquest/ directory.

For a Rust project the generated config looks like:

 test_command = "cargo subunit $IDOPTION"
 test_id_option = "--test $IDFILE"
 test_list_option = "--list"

After the first run, the usual queries work:

 $ inq stats             # repository-wide statistics
 $ inq last              # results of the most recent run
 $ inq failing           # only the failing tests
 $ inq slowest           # the slowest tests in the last run
 $ inq run --failing     # re-run only what failed last time

The last one is the workflow I use most often: run the full suite once, fix the obvious failures, then iterate on inq run --failing until the list is empty.

A few things that aren’t in testrepository

Some of the features that have grown in inquest beyond the original testrepository functionality:

Timeouts. --test-timeout, --max-duration, and --no-output-timeout will kill a test process that is hanging or has stopped producing output. --test-timeout auto derives a per-test timeout from the historical duration of that test, which is handy for catching tests that hang.

Once the test runner is killed, the test is marked as failed and the next test is started, so a broken test doesn’t hold up the whole suite.
Ordering --order can be used to run tests in a specific order, e.g. to run the slowest tests first, to run the tests that failed most recently first, or to run the widest variety of tests first to maximize the chance of finding a failure early on.
Live progress. inq running tails the in-progress subunit stream on disk and reports observed/expected test counts, percent complete, elapsed wall-clock time, and an ETA derived from each test’s historical duration. Useful when a CI run is taking longer than you’d like.
Flakiness ranking. inq flaky ranks tests by pass↔fail transitions in consecutive runs in which the test was recorded, so chronically broken tests rank low and genuinely flapping tests rank high.
Comparing runs. inq diff <A> <B> shows what changed between two test runs — newly failing, newly passing, and tests that flipped state — which makes it easy to see whether your last change actually fixed (or broke) anything.
Bisecting git history. inq bisect <TEST> drives git bisect to find the commit that broke a given test. It defaults the known-good and known-bad commits from the recorded run history (the most recent run where the test passed, and the most recent where it failed), so in the common case there is no need to remember either — just point it at the test name and let it work.
Richer run metadata. inq info shows the git commit, command line, duration, exit code, and concurrency for a run, with a flag for whether the working tree was dirty when the run started. Combined with inq diff this makes it much easier to triangulate when a regression was introduced.
Rerun a previous run verbatim. inq rerun <ID> re-runs exactly the tests of a previous run, in the same order, forwarding the same -- arguments that the original run used. inq rerun -1 repeats the latest.
Web based view. inq web serves a web-based view of the repository, with a dashboard of recent runs and detailed views of individual runs and tests.

Web UI

Most of the time I drive inquest from the command line, but for browsing historical results of a large suite — spotting flapping tests, drilling into a single test’s run history, or just getting a visual sense of which parts of the suite are hurting — a web view is more pleasant. inq web starts a local server with exactly that:

 $ inq web

The repository overview shows totals and a per-test history grid where each cell is one run, coloured by outcome. Bands of red make it easy to pick out tests that have been broken for a long time, and isolated red cells in an otherwise green column point at flaky tests.

Drilling into an individual test gives you its full run history, a duration sparkline, and per-run pass/fail status:

Migrating from testrepository

If you already have a .testrepository/ directory full of historical runs, inq upgrade will migrate it into the new .inquest/ format, with a progress bar for the impatient.

The legacy .testr.conf (INI) format is still understood, so existing projects don’t have to be converted to inquest.toml immediately — though the TOML format is preferred for new projects.

Trying it

The source is on GitHub at jelmer/inquest. To install from source:

 $ cargo install inquest

In a project with a Rust, Python, Go or Node.js test suite:

 $ inq

Bug reports and patches are welcome.

Status update, February - April 2026

2026-05-03T05:28:51+00:00

Due to health reasons I did not have the energy to write individual status updates for February & March, so I’ll just combine them with the April update:

In February I cleaned out my GitHub account and moved all remaining projects to Codeberg. I archived the repositories on GitHub and added links to the new repositories on Codeberg. GitHub is a platform that is more and more frustrating to use. I still have to use it for my dayjob, though. The number of pull requests and issues that are written either by bots or by users that use bots increased in the last two years. Combined with that, GitHub provides a very low barrier for entitled users who do not want to contribute to a productive environment. GitHub now feels like the Twitter/X of git forges. Codeberg on the other hand is a community project. I feel a lot more at home there and the platform itself feels a lot more responsive than GitHub.

Uploaded wayback 0.3-1 to experimental
Uploaded slurp 1.6.0-1 to unstable
Uploaded first a prerelease of sway to experimental to be able to test wlroots 0.20.0 and then uploaded rc1, rc2 and rc3 of the upcoming 1.12 release
Uploaded waybar 0.15.0-1 to unstable
Uploaded kanshi 1.9.0-1 to unstable, which was possible because the dependency libscfg finally went through NEW
Uploaded libscfg 0.2.0-1 to unstable
Uploaded swaybg 1.2.2-1 to unstable
Uploaded labwc 0.9.4-1, 0.9.5 & 0.9.6 to unstable
Fixed the packaging of vali and uploaded version 0.1.1-1 to unstable; then added vali to the build dependencies of kanshi and reuploaded 1.9.0-2 thereof
Uploaded swaylock 1.8.5-1 to unstable
Uploaded fcft 3.3.3-1 to unstable
Uploaded foot 1.26.1-1 to unstable
Uploaded swayimg 5.0-1 and 5.1-1 to unstable
Fixed some packaging metadata in libsfdo and uploaded 0.1.4-2 to unstable
Reverted the upload of slurp from 1.6.0-1 to 1.6.0really1.5.0-1 because the upstream release of 1.6.0 was made by mistake and yanked a week later. Maybe I should add a cooldown period before uploading new releases ;)
Uploaded mako-notifier 1.11.0-1 to unstable
Uploaded cage 0.3.0-1 to experimental which uses wlroots 0.20.0
Uploaded xdg-desktop-portal-wlr 0.8.2-1 to unstable
Voted

I took part in the DHD 2026 Conference in Vienna, including a hands-on workshop of the dhinfra project.

I released 0.60.0, 0.61.0 and 0.62.0 of apis-core-rdf. We rewrote the configuration format for the importer. We previously used TOML files, but that does not give us inheritance. So we now use simply Python classes as configuration format.

I implemented a new backend for our apis-bibsonomy Django package. The package is meant to provide a datamodel for storing reference data that links to Bibsonomy or Zotero. Given that we don’t use Bibsonomy anymore we now dropped the Bibsonomy backend but added a Zotero backend that allows to cache the entries locally.

Debian welcomes the 2026 GSoC interns

2026-05-02T10:04:00+00:00

We are very excited to announce that Debian has been assigned seven contributors to work under mentorship on a variety of projects with us during the Google Summer of Code.

Here is a list of the projects and contributors, along with details of the tasks to be performed.

Project: Automated Debian Packaging with debianize

Contributor: Anurag Nayak

Deliverables of the project: Debianize is a tool that aims to automatically create debian packages from scratch from upstream source trees. As for the current version, it works for some of the packages but it is not reliable. This project aims at making it production ready such that it can work with most of the projects. Along with that improving its reliability, coverage, integration with the broader ecosystem and other enhancements.

Project: Linux Livepatching

Contributor: Aryan Karamtoth

Deliverables of the project: Linux Kernel Livepatching is the process of replacing functions in the kernel code affected by CVEs with the patch-applied functions during system runtime. It's basically a method to apply security kernel patches to a running system.

Project: DebNet: Visualising the Bus Factor â€“ Graph Analysis of Debian's Infrastructure

Contributor: Fabio Ruhland

Deliverables of the project: DebNet models the Debian archive as a graph to identify critical packages maintained by too few people. Using data from the Ultimate Debian Database (UDD), it builds a package dependency graph and a maintainer-package graph to compute practical metrics like the Bus Factor, Fragility Score, and Dependency Impact for every source package.

Project: Attack of the Clones: Fight Back Using Code Duplication Detection From Security Patches

Contributor: Gajendra Nath Soren

Deliverables of the project: This project aims to detect vulnerable code clones in the Debian archive by automatically extracting signatures from security patches. Using a two-signal approach that separates vulnerable patterns from fix patterns, the system generates high-specificity queries to search the entire archive via Debian CodeSearch.

Project: Debusine: debuginfod server

Contributor: Jugal59

Deliverables of the project: This project implements a debuginfod-compatible server within Debusine to provide automated debug symbol resolution for Debian developers.

Project: Debian-LSP: Improve File Format Support

Contributor: Lucas Ly Ba

Deliverables of the project: The Debian LSP Language Server currently provides only basic features—field completion, parse-error diagnostics, and simple quick fixes—leaving Debian maintainers without the rich IDE experience available in other ecosystems.

Project: Debusine: live log streaming

Contributor: mo-ashraf

Deliverables of the project: Debusine currently only shows task logs after a task has fully completed. This means developers working with long-running jobs (such as package builds or test pipelines) have no way to monitor progress in real time or catch failures early. This project adds live log streaming to Debusine.

Congratulations and welcome to all the contributors!

The Google Summer of Code program is possible in Debian thanks to the efforts of Debian Developers and Debian Contributors that dedicate part of their free time to mentor contributors and outreach tasks.

Join us and help extend Debian! You can follow the contributors' weekly reports on the debian-outreach mailing-list, chat with us on our IRC channel or reach out to the individual projects' team mailing lists.

FOSS activity in April 2026

2026-05-02T09:08:55+00:00

Debian packages:
- firmware-nonfree:
  - Bugs:
    - replied to #1132448: firmware-mediatek: Wifi perf degraded a lot after upgrade firmware-mediatek from 20250410-2 to 20260221-1~bpo13+1 and 20260309-1
  - Merge requests:
    - merged !142: Replace copy-firmware.sh; install files and generate metainfo.xml at build time
    - opened and merged !143: Clean up configuration format and directory
    - opened and merged !144: Remove usr-move mitigation, only needed for the trixie upgrade
    - opened and merged !145: Update to 20260410
  - Uploads:
    - uploaded version 20260309-1~bpo13+1 to trixie-backports
    - uploaded version 20260410-1 to unstable
    - uploaded version 20260410-1~bpo13+1 to trixie-backports
- initramfs-tools:
  - Bugs:
    - replied to #1135141: please be more careful with available disk space on /boot
  - Merge requests:
    - merged !192: [Backport to Trixie] hook-functions: Add Cadence USB driver to base
    - merged !194: d/t/qemu-net-iscsi: determinate boot by LABEL
  - Uploads:
    - uploaded version 0.151 to unstable
- kernel-handbook:
  - Merge requests:
    - opened and merged !11: Update documentation for rebuilding official kernel packages
    - opened !12: Update description of ABI name and delete section about ABI maintenance
    - opened !13: Update list of packages
- ktls-utils:
  - Merge requests:
    - opened and merged !4: Revert “configure: Disable use of GnuTLS API not yet accepted upstream”
    - opened !5: Draft: Update to 1.4.0-rc1
- linux:
  - Bugs:
  - Merge requests:
    - merged !1864: [amd64] drivers/media/i2c: Enable VIDEO_OV02E10 as module
    - opened !1869: Cleanup for kernel-wedge
    - opened !1870: kernel-wedge, udeb: Define which packages to build through package-list
    - opened !1871: Update udeb package definitions
    - reviewed !1872: Install bug files via debhelper
    - merged !1877: [amd64] drivers/staging/media/ipu7: Enable VIDEO_INTEL_IPU7 as module
    - opened !1880: Fix FTBFS on several architectures
    - reviewed !1885: bug script: Extend several parts
    - opened and merged !1891: linux-image: Add retrospective NEWS entry for the removal of XFS V4 support
    - merged !1897: Add selection of bugfixes for 6.1.y on top of 6.1.170
  - Uploads:
    - (LTS) uploaded version 5.10.251-3 to bullseye-security
    - uploaded version 6.12.85-1~bpo12+1 to bookworm-backports
    - uploaded version 6.19.10-1~bpo13+1 to trixie-backports
    - uploaded version 6.19.11-1~bpo13+1 to trixie-backports
    - uploaded version 6.19.13-1~bpo13+1 to trixie-backports
    - uploaded version 7.0-1~exp1 to experimental
  - (LTS) updated the bullseye-security branch to 5.10.253, but did not upload this version
  - (LTS) worked on regression fixes for 5.10/5.15/6.1 upstream stable branches
- (LTS) linux-6.1:
  - Uploads:
    - uploaded version 6.1.170-1~deb11u1 to bullseye-security
- linux-base:
  - Bugs:
    - closed #1128562: /usr/bin/linux-check-removal: Use of uninitialized value $_[2] in join or string at /usr/share/perl5/Debconf/Client/ConfModule.pm line 122.
  - Merge requests:
    - merged !20: Simplify install file
- openntpd:
  - Bugs:
    - closed #791335: openntpd: should set the clock status (ADJ_STATUS) to have the RTC updated by the kernel
Debian non-package bugs:
- wnpp:
  - replied to #1134655: ITP: forge-git – library and CLI for working with git forges
Mailing lists:
- debian-kernel:
  - posted Agenda items for kernel-team meeting on 2026-04-08
  - replied to generating linux-image-${VERSION}-amd64 locally
- initramfs:
  - posted initramfs-tools 0.151 release
- stable:
  - (LTS) reviewed 5.10.253-rc1 and replied to various patches included in it … … … … … … … … … … … …
  - replied to [PATCH 5.10.y] x86/cpu: Enable FSGSBASE early in cpu_init_exception_handling()

binb 0.0.8 on CRAN: Maintenance

2026-05-01T13:34:00+00:00

The eight release of the binb package, and first in two years, is now on CRAN and in r2u. binb regroups four rather nice themes for writing LaTeX Beamer presentations much more easily in (R)Markdown. As a teaser, a quick demo combining all four themes is available; documentation and examples are in the package.

This release contains regular internal updates to continuous integration, URLs reference and switch to Authors@R. The trigger for the release, though, was a small updated need when very recent pandoc versions (as shipped with RStudio) are used which require a new variable declaration in the LaTeX template files in order to process uncaptioned tables. The summary of changes follows.

Changes in binb version 0.0.8 (2026-05-01)

Small updates to documentation URLs and continuous integration

The package now uses Authors@R in DESCRIPTION

Newer pandoc versions are accommodated by adding a required counter variable in the latex template file

CRANberries provides a summary of changes to the previous version. For questions or comments, please use the issue tracker at the GitHub repo.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. If you like this or other open-source work I do, you can sponsor me at GitHub. You can also sponsor my Tour de Shore 2026 ride in support of the Maywood Fine Arts Center.

A rainy day starts May.

2026-05-01T02:31:09+00:00

A rainy day starts May.

Links April 2026

2026-04-30T13:09:37+00:00

Charles Stross wrote an interesting blog post about the apparent desire of super rich people to kill the poor, it seems that the people in power want to make all the conspiracy theories come true [1].

Wouter wrote an insightful blog post about the need for free firmware [2].

Matthew Garrett wrote an interesting blog post about the potential security issues raised by non-free firmware and firmware updates [3]. Which goes well with Wouter’s post.

Interesting article about fake job adverts with a code sample for the applicant to show their skils which depends on hostile libraries that install a RAT [4]. Do we need Qubes for software development nowadays?

Bruce Schneier wrote an insightful and informative article about the two-tiered Internet access scheme in Iran and how it is bad for society [5].

Caleb Hearth gave an interesting talk Don’t Get Distracted about the often ignored unethical uses of software [6].

Techdirt has an insightful article from 2025 Fascism For First Time Founders about why it’s a bad idea for tech companies to support fascism, this aged very well [7].

Dr. Bret C. Devereaux wrote an informative blog post about why fascists always fail at war, and also authoritarians in general [8].

Bruce Schneier and Nathan Sanders wrote an interesting blog post about the new Japanese political party Team Mirai, we need this sort of party in every country to save democracy [9].

Sam Varghese wrote an insightful article about the current situation in Israel and Iran and the poor performance of Australian journalists in covering the issues [10].

Louis Rossman made a video about the Norwegian Consumer Council’s advertising campaign about Enshittification, he includes an excellent advert that the Norwegians produced [11].

Marga Manterola gave a really good talk at Fosdem 2026 “Free as in Burned Out: Who Really Pays for Open Source?” [12].

[1] https://tinyurl.com/2xqrrxkf
[2] https://tinyurl.com/yvahow2x
[3] https://tinyurl.com/27m7qusr
[4] https://tinyurl.com/2adpd7gf
[5] https://tinyurl.com/2bn627x2
[6] https://calebhearth.com/dont-get-distracted
[7] https://tinyurl.com/2b7m8pwa
[8] https://tinyurl.com/2c9m6v4v
[9] https://tinyurl.com/2ybcjpa5
[10] https://sams-blog.com/?p=5730
[11] https://www.youtube.com/watch?v=ii-D9LaitUw
[12] https://tinyurl.com/26j5a8gj

(Trigger Warning) Jeremy Bicha & Debian-Edu, TecKids, Ubuntu incest scandal at DebConf25

2026-04-30T11:30:00+00:00

Trigger warning: this is a report about how Debianism prefers abusers to those who consistently and compassionately helped victims of abuse.

Those who dare to look up the public court records about Jeremy Bicha have been shocked and in some cases unable to sleep after reading how he exploited every bodily orifice of his little sisters when they were six and nine years old. Yet I feel a possibility that Jeremy Bicha himself is now being exploited to make us feel shock and to soften us up for future revelations about unnamed oligarchs in the open source eco-system. There have been many falsified rumours about abuse over the years, such as the conspiracy against Dr Jacob Appelbaum. Whenever we get to the point that the leader of some so-called community really is put on trial for real abuse, the victims are unlikely to have suffered as extensively as Bicha's little sisters.

I didn't write and publish this report to start a lynching against Jeremy Bicha himself. He has confessed his crimes which is much more than can be said for other sex pests. The real reason for the report is to look at the decisions that organisations have made putting a registered sex offender on a pedestal but in the case of commercial rivals or people who made mistakes with pronouns, we are being censored and harassed by the oligarchs for the most mundane mistakes.

The BBC is in fresh trouble over their pre-existing knowledge of a scandal involving Scott Mills. It was a major story in the UK the week before Easter and then it disappeared. I suspect that sooner or later we will hear more details.

Almost every day there is a fresh news report about Jeffrey Epstein. During the trial of Ghislaine Maxwell, she told us her partner, Epstein, needed to be with a woman at least three times per day. People with children or teenage daughters will feel very uncomfortable about having these men around. Less than two percent of Debian Developers are female but at DebConf almost one in three participants is in the gay/transgender/Zizian set. In the wider population it is only one in ten people.

These people don't have children. They don't think about having children. They don't spend a lot of time thinking about the risks. Having a registered sex offender present at the after-party may be on the bucket list for some of these people. They are willing to risk other people's children and tarnish Debian's reputation so they can have something unusual at the after-party.

For people who do have children, they don't go to the DebConf orgy groups but they do stay up all night reading through reports like this to try and work out whether the risk is acceptable or not.

The Debian Suicide Cluster correlates with a culture of violence and humiliations. Coincidentally, rape and abuse are also about violence and humiliation. Adding a registered sex offender to the group only reinforces those existing Debian character traits when we need to be looking for the opposite, people who serve to neutralise those cultural defects.

News that a Registered Sex Offender(TM) was invited to speak at DebConf25 in France is not a random accident. Certain groups like Debianism have been overcome by fringe diversity movements. Over the years, we've seen the same people using their authority to humiliate fellow volunteers in much the same way that paedophiles humiliate children. Statistically, we can be certain there are similar men in the same group. Jeremy Bicha was the thin end of the wedge. By putting a known offender on a pedestal and claiming they are helping him, they are clearing a path for other more cunning characters to be given a platform.

The people who control Debianism mailing lists have a nasty habit of censoring any concerns about the phenomena. They believe everybody agrees with their worldview. They are living in a bubble. Sooner or later, there will be a person or an incident that is so bad that it is the end of Debian. Society at large simply doesn't accept some of the things these people do.

Moreover, certain companies would like to see Debian fail. They will give enough money to the diversity budget to create a scandal and then those companies will get out of the way as quickly as possible.

The Debian Social Contract tells us, in point three, We will not hide problems.

In the case of the registered sex offender invited to speak at DebConf25 in France, all discussion has been deliberately shut down. Video of the talk is not hosted with video of the other talks. People are scouring the official photo gallery to see if Jeremy Bicha was really there at all and who sat next to him.

This situation and the manner in which Debianists are hiding it reveals the real definiton of diversity and the real use of diversity funds.

Phil O'Donnell is a priest who quit and became a whistleblower. In his testimony to the state inquiry, he tells us:

This resulted in â€œJackâ€� ringing me in an extremely distressed state. His words on the phone were, â€œI think it would have been better to hear my mother had diedâ€�. He was a relatively early victim of [Fr Kevin] Oâ€™Donnell and his abuse was reported to the Cathedral in 1958. This allegation was investigated at the time by both the then Vicar-General, Laurie Moran, and the then Auxiliary Bishop of Melbourne, Arthur Fox. Nothing eventuated from this investigation.

A recent report from Lunduke has the title Fedora's Code of Conduct: 200 Day Response Time, Only Protects You if Red Hat Likes You.

In 1962, Stanley Kubrick released the controversial film Lolita.

Charles Manson was using women in his cult, the Manson Family, to murder people. He hoped that by committing these violent murders he could start riots, like the modern day phenomena of #MeToo mobs on social control media. On 9 August 1969, they killed the actress Sharon Tate, who was the wife of film director Roman Polanski.

Debian's Jeremy Bicha ordination has curious parallels to the mistakes made by the Catholic Church when handling real abuse complaints. In the 1960s, the wedding of my aunt was conducted by a bishop rather than an ordinary priest. Coincidentally, it was the same bishop mentioned above. As well as the missed opportunity to protect children from Fr Kevin O'Donnell, another court case revealed Bishop Arthur Fox was accused of ordaining at least one known paedophile, just as Debianists have now ordained a registered sex offender by telling everybody that he is a Debian Developer.

In the 1970s, Bishop Fox was the Bishop of Sale. On 3 July 1972, when he was in his early forties, Hourigan wrote to Bishop Fox asking that he be accepted to study for the priesthood. In the letter Hourigan set out what he said were two â€˜flies in the ointmentâ€™. The first related to an issue with Houriganâ€™s back, and is of little moment. The second was a disclosure (referred to by the judge as â€˜the disclosureâ€™) that on three separate occasions, occurring at two separate boarding schools in Papua New Guinea at which he was working, boys in his care who, he said, he had occasion to punish for misbehaviour, responded by complaining to a priest that he had treated them harshly and that he was a homosexual. A short time after the second and third complaints, Hourigan left the second boarding school and returned to Australia.

The implication is that Bishop Fox had personal knowledge of the disclosure and history of abuse before he ever ordained Fr Hourigan.

Between the 1960s and 1980s, groups were formed in various countries with their primary purpose being to lower or abolish the age of consent. In the USA, it was the North American Man/Boy Love Association (NAMBLA). In the UK, the Paedophile Information Exchange (PIE) was formed in 1974. The group recruited young law students keen to advocate for what they felt was a pressing human rights issue.

Britain's National Council for Civil Liberties (NCCL), known today as Liberty, had a very open attitude to memberships and affiliations. PIE and many other fringe groups became members of NCCL / Liberty and regularly attended the annual general meetings where they rubbed shoulders with lawyers and lobbyists from a range of different movements.

The Conversation tells us the British Communist Party was also affiliated with NCCL / Liberty. People have been scouring old copies of British tabloid newspapers to find evidence of similar diversity fringe groups promoting incest, canabalism and bestiality. NCCL / Liberty was not endorsing any of these groups and the PIE was no more or less special than any other diversity fringe group.

In the same era, Tom O'Carroll, leader of the PIE and Robert Lamb, father of Debian's future leader Chris Lamb both graduated from the University of Cambridge. Robert Lamb went to work for Roger Ellis QC at 13 King's Bench West (13KBW) Chambers.

The manner in which the paedophile advocacy groups participated in the NCCL / Liberty and the legal profession can be summarised by the expression I don't agree with what you say but I will defend to the death your right to say it.

As the saying goes, all good things must come to an end. By the 1980s, governments around the world had developed strategies to shut down and outlaw groups like PIE.

The eradication of these groups was significant because it forced the pro-abuse lobby to look for more discrete ways to achieve their unholy objectives. In other words, they have to join other groups like the Catholic Church and the Debian Project in the hope they will gain credibility, access to children or both.

Between 1977 and 1978, Roman Polanski, whose wife had been murdered by the Manson Family cult, was prosecuted for drugging and raping a 13-year-old girl. He fled America to live in France and evade a likely jail sentence. As he was born in France he can't be extradited to America. He continued his career in France and received numerous awards for his work. Many professionals in the movie industry have publicly indicated support for Polanski, despite the very serious crime he committed against a child.

Between 1978 and 1982, in another Catholic abuse situation where the victim agreed to waive anonymity, David Ridsdale was abused by his uncle, the priest Gerald Ridsdale. Under Australian law, when the uncle is found guilty of such an offence, their identity and their conviction can not be reported in the media as it would compromise the identity of the victim. Nonetheless, David Ridsdale waived his right to anonymity and so it could be reported that Gerald Ridsdale, who was the worst offender in the country, had even committed abuse against one of his own relatives.

Jeremy Bicha was born on 12 August 1984.

In 1988, Katharine (Kath) Thornton and Christian Porter participated in Australia's national high school debating team. The former alleges she was abused by the latter. She took her own life. He became the Attorney General. Federal Court judges published her accusations in full, bypassing Australia's strict defamation laws. Related: ABC News report.

The media originally obfuscated the name and face of the victim but it wasn't long before everybody knew. She had created the dossier, started a conversation with the police and then she committed suicide. Eventually the Federal Court judges decided to publish everything for the public to make up our own minds.

I selected those portions of the document to emphasize the striking similarities between Katharine Thornton's abuse report and the acts that Jeremy Bicha admitted inflicting on his sisters.

According to the summary of the complaint on the Manatee County Courthouse web site, the abuse occurred between 1995 and 1999, in other words, when Jeremy Bicha was only between eleven and fifteen years of age himself. One of his sisters was nine and another was only six when these horrible crimes took place.

In the court documents, Jeremy Bicha told prosecutors his parents were very strict and kept all the siblings together at home. In countries with urban sprawl and a car culture, which includes Australia, a teenage boy starting high school has no way to meet friends of the same age unless an adult is willing to drive him there and bring him back home. Europeans who live in apartments and terrace houses are much closer together. Therefore, people who haven't lived in urban sprawl can't fully appreciate the impact it has on childhood.

In 1997, Adrian Lyne produced a fresh version of the film Lolita.

Shortly after that, I was photographed in Australia's Parliament House, Canberra with Natasha Stott-Despoja. After leaving her job as a senator, Natasha was appointed as Australia's ambassador for women and girls. She was subsequently appointed to represent Australia on the UN CEDAW committee. CEDAW is the Convention on the Elimination of All Forms of Discrimination Against Women. The committee is one of the most influential international bodies concerned with the status and wellbeing of women. The photograph was taken during the same period of time where Jeremy Bicha admits abusing his little sisters.

In the early days of Debianism, many young teenage males were exploited. Ringleaders have been interchangeably presenting Debianism as a hobby, as a philosophical mission and as an activity that people undertake while being paid by an external employer like Freexian. Ringleaders pivot between these definitions of Debianism depending upon which definition is most convenient for the ringleaders themselves in any particular situation or dispute.

They used the appeal of a philosophical mission to recruit numerous teenagers, mostly boys in their mid-teens, who were starstruck by the names of companies like Pixar, where Bruce Perens worked. These teenagers didn't really appreciate the extent to which they were working alongside people who were being paid six-figure salaries to do similar tasks. I'm talking about Joel "Espy" Klecker, Shaya Potter and Chris Rutter. Klecker was doing this unpaid work while he was in bed dying of a terminal illness ( detailed report). Shaya Potter appears to be the first documented case of somebody expelled after he had already resigned. Chris Rutter even had servers for unpaid Debianism work installed at his high school. He was observed working long hours to meet his obligations to Debianists shortly before walking in front of a car. These may be the three most prominent teenagers in the early days of Debianism and it is disturbing to see that two died while one was subject to gaslighting and ostracized.

Here is a debian-private leaked message where the underage phenomena is mentioned explicitly:

Subject: Re: why I want the archives on me (was Re: spotter@debian.org)
Date: Tue, 17 Nov 1998 12:56:41 -0500
From: Shaya Potter <spotter@ymail.yu.edu>
To: joost@pc47.mpn.cp.philips.com
CC: debian-private@lists.debian.org

----- Original Message -----
From: <joost@pc47.mpn.cp.philips.com>

>
>On Tue, 17 Nov 1998, Shaya Potter wrote:
>
>> Now that this is out of the way, I'd like to publicly ask if I can have
an
>> archive of all the communication that went on in regard to me.
>
>Strictly speaking I tend to disagree that you or anybody has an a-priori
>right to know what is being said and told on debian-private.  It is simply
>a private list.  Things would be different if you were mentioned in a
>public list without being able to respond.  But that is in all aspects
>clearly not the current situation.

First, I never said I have a right.  In many ways I think i don't have a
right, or even if I did, I don't deserve it.  I don't think my statements
have implied that I believe I have a right to demand that it be given to me.

I do have a right to ask that it be done.  Debian has a right to say yes or
no.

>
>(Nevertheless, I think that it would be considerate to cc: you in
>any discussion that involves you in a very personal manner - this has
>IMHO until now hardly been the case though.)

It hasn't?  Than how did the decision to expell me come about?  Who told
people who made the decision what happened?  Was this all done in private
mail?

>
>If a non-subscriber of debian-private must share in the conversation on
>debian-private, then this should IMHO be done by adding that person to the
>clearly visible cc: line of the header of any messages to be "published."
>That way, it will be adequately clear that the correspondence leaves the
>realm of debian-private and thus everybody can conclude that normal
>confidentiality can not be expected.  AFAIK respect for the confidential
>nature of debian-private is a prerequisite for subscription to this list.

I would have respected the confidentiality, as I have made it known that I
don't want this to spread, as I am embarrased by my actions.

>
>Practically speaking, I disagree that the underlying case generally
>concerns you. What matters here is not who Shaya Potter personally is or
>what particularly Shaya Potter did. The discussion is about how issues
>like the one involving you relate to Debian.  This discussion does not
>involve you personally.

I don't want the entire discussion, I just want to see the parts that touch
on me personally.  I don't care for the rest, of what about underage
developers and the like....

>
>> I was told that it would not be a star chamber, and that I'd be cc'd in
>> on all the corrospondace.  That didn't occur.
>
>There was no "star chamber."  You have already been generously cc:'-ed.

I was?  The only cc:'s I ever got were in response to me starting a thread.
That implies to me, that acc. to what you were saying, that no discussion
on -private occured that I didn't start.  However, I know this not to be the
case, as before I was unsubscribed from -private, I saw a thread or 2
started that dealt with me.

>
>IMHO you do not have a right to be cc:-'ed on the _general_ discussion
>which does not particularly (personally) involve you.

never said I did.

>
>> Also, I really have no idea of what discussion went on, if mistruthes
>> were spread about the incident (as in reality, I'm the only one that
>> knows completely what happened, and no one really ever asked me for the
>> full story).
>
>If this worries you so much, then I seriously wonder why you did not
>immediately relate it to debian-private when the issue arose in the first
>place?

I did apologize on -private right away, however, I didn't want to spread
what I did.  I specifically told people that I would rather this not be
discussed on -private and have me showed the door quietly, and told never to
come back.  That didn't happen, it was discussed on -private.  I don't know
what was discussed in relation to me, so I want to be informed.

>
>Again, the discussion is not yours.  Again, you are not personally
>involved.  Your only "role" in the discussion is that you have created a
>precedent.  I thinks we can all agree that we would rather have had you
>not be a precedent case, but it happened.  I'm very sorry, but you'll
>have to blame yourself for that.

Trust me, I've blamed myself a lot for this.  If you seen any of my
corrospondance you would know this.  I don't blame anyone for my
predicament, but myself.

>Discussion on debian-private does not count as a statement from Debian.
>So there simply were no statements.  I'm not really in favor of making any
>strong or overly verbose statements either.  If there ever is to be a
>statement from Debian about an issue such as the current one involving
>Shaya, I think that person should be briefed thoroghly beforehand.

I'm not talking about a debian statement.  I don't want a public statement,
and I know a lot of people from debian don't want one either (though some
might).  What I meant by statements, was statements that individuals made,
that might be incorrect, or inacurate.

>Shaya, can you please just put this to a rest?  IMHO it is not very
>productive for anybody.  And please take it from me that you have no
>reason to be concerned that you have been in a "star chamber."

I am not worried about a star chamber, I would have prefered it in many
ways.  However, at least with a star chamber you usually get to see the case
presented against you, even though you don't have the ability to defend
yourself.  As I said many times, my case is indefensable, so that wouldn't
bother me.

Shaya

Joel "Espy" Klecker, Shaya Potter and Chris Rutter, due to their youth and inexperience, didn't realize what they were doing was work. They didn't realize it is normal to be paid.

We find exactly the same phenomena in the Jeremy Bicha abuse testimony. His sister tells us she was too young to know the words for what he was doing in her underpants.

It is scary how this type of paedophile and Debianism at large has exploited naivitÃ© to gain an unfair advantage over young victims.

In October 1999 the role of teenagers was back in the spotlight:

Subject: Debian Death March
Date: Thu, 7 Oct 1999 17:41:25 -0700 (PDT)
From: Jonathan Walther <krooger@debian.org>
To: debian-private@lists.debian.org

Guys.  Is Debian still the hippest, coolest, happeningest distribution
around, or are we a dinosaur lost in the forest?

The posts I've read on this list today reek of a Death March.

Yes, many of the Debian originals have moved on, retired, or fallen
quiescent.  Others of us have had sudden changes in our life; new jobs, loss
of jobs, loss of internet access, newborn infants, need to spend time with
spouses and loved ones.

Many of the rest have gotten tired.  The friends they joined this marvelous
big project with are no longer around...  The stress of mentoring up a new
generation of package maintainers, and hopefully core developers falls on
their already burdened shoulders, taking away from their time spent coding.

As social scientists know, the future is the children.  Or in our case, the
future is the teenage "hackers" getting their first computer, going in their
first irc chatroom, using their first nuker... and realizing there is
something far more interesting, constructive and beautiful beyond the raw
violence of their little world.  An ordered system of many parts, of many
people collaborating in peace, cooperating on a scale that they will take
for granted, because we have made it seem so natural, but which makes any
sane adult boggle at our achievement.

[ ... snip ... ]

In 1999, Red Hat made their Initial Public Offering (IPO) on the stock market. Debian Developers were invited to buy some of the shares but inexperienced investors, which includes the underage developers, were excluded by the manner in which the IPO was conducted.

Given that Debianism has the exploitation of youth in its DNA, it is really sad to see that a registered sex offender and various characters with similar tendencies were put up on a pedestal in the era of Chris Lamb.

In 2002, the Boston Globe's Spotlight team published their reports about the Catholic abuse crisis. The reports were not simply about the actions of individual paedophiles. The journalists went to great lengths to examine how the institution had ordained the wrong people and stonewalled victims. In the Debian harassment culture, we see much the same thing. People who ask questions are censored on the mailing lists. The leaders stonewall and refuse to answer questions or provide reports about the Debian suicide cluster and their knowledge of Jeremy Bicha's history.

In 2004, we had the first discussion about offering financial incentives to transgender people. It is an ethical and moral minefield:

Subject: Re: Nut-case of the day - Was: [Fwd: URGENT: This is potentially a threat to your and others personal security]
Date: Tue, 6 Jan 2004 12:53:33 -0700
From: Joel Baker <fenton@debian.org>
To: debian-private@lists.debian.org

On Tue, Jan 06, 2004 at 03:28:03PM +1100, Russell Coker wrote:
> On Tue, 6 Jan 2004 15:23, Joel Baker <fenton@debian.org> wrote:
> > I could probably arrange for Debian to have a TG developer, but somehow,
> > this doesn't seem like a primary qualification; we don't have quotas. :)
> 
> If they can code well or can be taught to code well then please get them in!
> 
> Especially if they have some skills at kernel coding.  I think that we could 
> do with having more skilled developers dealing with the kernel patch 
> packages.

What I didn't mention is that it would probably involve me bribing her to
deal with it; she doesn't find Debian to be quite worthwhile enough on its
own merits (she likes it, she just likes FreeBSD better, and has little
enough time to spare overall that short of someone making it worth giving
up what else she does, it isn't worth it).

This would be the primary reason she isn't already a DD, since the only
part of NM that would pose any issue at all is the wait (I can sign her
trivially, and passing the requirements is a no-brainer). But we don't
really need another developer not doing much most of the time, and I
have better uses of the money than paying her to work on it. :)
-- 
Joel Baker <fenton@debian.org>                                        ,''`.
Debian GNU/NetBSD(i386) porter                                       : :' :
                                                                     `. `'
				                                       `-

In 2006, Red Hat opened their main research site in Brno, a small city in the Czech Republic. The Czech Republic had joined the European Union (EU) in 2004. Thanks to the Freedom of Movement policy of EU countries, Red Hat could employ young male graduates from any other EU country and bring them to work in Brno without any uncertainty about residence permits and visas. Over the years, thousands of young and predominantly male engineers came to work for various multinational companies in this remote part of the Czech Republic. At the same time, young women from eastern European countries were all leaving small cities like Brno and either moving to the capital, Prague or moving to other cities like London, Paris and Berlin. These arrangements created a huge imbalance. Thousands of highly paid young single men found themselves competing for the very small group of women who decided not to leave. A lot of the companies started talking about the need for diversity programs. While nobody says it out loud, it looks like these programs are intended to increase the size of the dating pool in these offshore centers. Official statistics tell us that Brno has the highest suicide rate in the country.

When eastern European countries joined the EU, some of the western countries like Germany and France introduced a temporary delay on Freedom of Movement for workers. The delay didn't apply to Freedom of Movement for wives and girlfriends. This table shows us that workers from Czech Republic could go to the UK immediately after joining the EU in 2004 but they could not take jobs in France until 2008 or Germany until 2011. As a consequence, young women could use Freedom of movement to marry somebody in a rich country but many young men had to stay in the Czech Republic. The young men who remained found themselves in direct competition against the Red Hat workforce for the last girlfriends who remained in Brno.

During that period, I was living to the north of London near to Luton airport. Thousands of people from eastern Europe were arriving every day on the low cost airlines. It was fairly easy to distinguish the tourists from the people who were relocating. The people relocating under Freedom of Movement had typically purchased the maximum luggage allowance and arrived with their whole life in a suitcase that was so overloaded it looked like it was about to burst. In particular, a lot of the women who arrived like this were making the move alone with no safety net. Their plan was to get off the plane and find a room, a job and a husband. These are the women who the Red Hat employees in Brno missed out on.

During the Cold War, the UK, out of all the western countries, had developed a unique, mythical fairytale status in the minds of people from eastern European countries. This was captured in James Bond movies and John le CarrÃ© spy novels where the fictional women of eastern European communist countries spoke in glowing terms of the new lives they dreamed about having in London.

In January 2006, Raphael Hertzog infamously used the debian-devel-announce email list to promote a message about an external product, Ubuntu that not everybody is interested in. Andrew Suffield adapted the subject line of Hertzog's email to promote lesbians instead of Ubuntu. Some people speculate Suffield chose the word lesbian because it looks a little bit like the word Debian and there are a disproportionate number of LGBT people lurking in the mailing lists.

The original message has been censored but it is easy to find here in the Wayback Machine.

To: debian-devel-announce@lists.debian.org
Subject: For those who care about their packages in Ubuntu
From: Raphael Hertzog <hertzog@debian.org>
Date: Fri, 13 Jan 2006 23:35:24 +0100

Hello fellow Debian developers,

let me explain shortly why I'll speak of Ubuntu on a Debian announce
list. I know that many of you do not like the Canonical marketing saying
that "Ubuntu is contributing back" because the most visible official
contribution is scott's patch repository and that all other successful
collaboration has been made at the level of individual developers who are
"friendly to Debian" and not because Canonical's policy ask them to do
so.

[ ... snip ... ]

and Andrew Suffield:

To: debian-devel-announce@lists.debian.org
Subject: For those who care about lesbians
From: Andrew Suffield <asuffield@debian.org>
Date: Sat, 14 Jan 2006 15:00:40 +0000

Since this sort of thing is apparently okay nowadays, and I know that
a lot of you like looking at lesbians, I'd like to share this with
you:

http://www.flickr.com/photos/63978244@N00/81351129/in/photostream/

[And for the sarcasm-impaired: debian-devel-announce is for Debian
development, not anything that you (or any other group of people)
happen to be interested in. Don't post irrelevant stuff here. It would
be a real shame if the list had to be moderated because people can't
exercise good judgement. Anything sent here should be of interest to
an overwhelming majority of Debian developers, *at least* - if you're
using phrases like "for those who care about X", it belongs somewhere
else, like X-announce.]

-- 
  .''`.  ** Debian GNU/Linux ** | Andrew Suffield
 : :' :  http://www.debian.org/ |
 `. `'                          |
   `-             -><-          |

The message links to this image. It is off-topic but the content is not illegal in any western countries.

Excuse the pun, the tit-for-tat continued with even more messages based on the same subject line template:

Not long after that, in May 2006, DebConf6 took place in Mexico. One of the candidates in recent Debianism elections, Jonathan Walther (Ted), brought a local woman, Hilda, to the conference dinner. People quickly started the rumour that Hilda was a prostitute. Nonetheless, she was the local dentist. To this day, dozens of messages about the rumour are present online in various web sites and debian-private archives. ( more details about the rumours and DebConf6 fight).

To understand why there was so much gossip and aggression at the DebConf6 dinner, you need to look at who really slept with who and then read the story again. The leaked room list tells us that Holger was sleeping with Amaya. Amaya helped start the rumour and Holger is the one who ended up exerting physical pressure on the victim, Jonathan Walther (Ted). When people are sleeping together, they don't always behave rationally any more.

From: Joerg Jaspert <joerg@debconf.org>
To: rooms@debconf.org
Subject: Re: [Debconf-announce] Room allocation
In-Reply-To: <20060328120500.GA10651@localhost> (Margarita Manterola's message
        of "Tue, 28 Mar 2006 09:05:00 -0300")
Organization: Goliath-BBS

[ ... snip ... ]

>  * Who you would NOT like to share the room with.

I dont care that much who is in my room, as long as its not
Jonathan/Ted "krooger" Walther or Jeroen van Wolffelaar or Amaya.

[ ... snip ... ]

Date: Fri, 31 Mar 2006 17:39:37 +0200
From: Adeodato =?utf-8?B?U2ltw7M=?= <dato@net.com.org.es>
To: rooms@debconf.org
Cc: Holger Levsen <debian@layer-acht.org>,
        Jesus Climent <jesus.climent@hispalinux.es>,
        Amaya Rodrigo <amaya@debian.org>,
        Alberto =?utf-8?B?R29uesOhbGV6?= Iniesta <agi@inittab.org>,
        Marcela Tiznado <mtiznado@linux.org.ar>,
        Isaac Clerencia <isaac@debian.org>,
        Jacobo =?utf-8?Q?Tarr=C3=ADo?= Barreiro <jacobo@debian.org>,
        Javier Fernandez-Sanguino <jfs@computer.org>,
        Ana Beatriz Guerrero =?utf-8?B?TMOzcGV6?= <ana@ekaia.org>
Subject: Room preferences for a bunch of ~Spanish people

Hey marga!

  Some (mostly) Spanish people have been talking among us, and we'd like
  to share room at DebConf. We've thought that it'll be easier for you
  if we just write you one mail saying who we are, instead of each of us
  mailing you privately with our preferences. :)

  So, we'd like:

    - a 6-sized room for both DebCamp and DebConf (from 5th to the end)
    - a 4-sized room for DebConf only (from 13th to the end)

  The involved people (in order of arrival, all of them CC'ed) are:

    Holger Levsen <debian@layer-acht.org>
    Jesus Climent <jesus.climent@hispalinux.es>
    Amaya Rodrigo <amaya@debian.org>
    Alberto Gonz=C3=A1lez Iniesta <agi@inittab.org>
    Adeodato Sim=C3=B3 <dato@net.com.org.es>
    Marcela Tiznado <mtiznado@linux.org.ar>

    Isaac Clerencia <isaac@debian.org>
    Jacobo Tarr=C3=ADo Barreiro <jacobo@debian.org>
    Javier Fernandez-Sanguino <jfs@computer.org>
    Ana Beatriz Guerrero L=C3=B3pez <ana@ekaia.org>

  Thanks in advance,

From the DebConf8 room list:

In 2006, the GNOME people created the Outreach Program for Women (OPW), which was subsequently renamed to Outreachy. The program pays young female interns to associate with the developers. The women are not expected and not always trusted to do development work themselves. Many of the women were offered free trips to conferences all over the world.

By December 2006, the Debianists had admitted they need professional help from a psychiatrist or occupational therapist to deal with the toxic culture.

Subject: Total world domination through therapy and free software!
Date: Sun, 31 Dec 2006 13:25:08 +0100
From: Amaya <amaya@debian.org>
Organization: Debian - http://www.debian.org/
To: debian-private@lists.debian.org

Russell Coker wrote:
> True.  But we can only change some things and only in some areas.

Sure, we are just humans :)

> I will always have little sympathy for someone who complains bitterly
> about unfairness when by any objective metric they would be regarded
> as being in the most fortunate few percent of the world's population.

Yes, as in having clean tab water. Ack.

> Do you think it might be beneficial to have some group sessions at
> Deb-conf's to help us deal with these things?

I strongly believe in the group sauna effect :)

> Debian has a huge pile of money that is apparently not being spent,
> booking a good psychiatrist for a day for every DebConf would not make
> much of an impact on Debian finances and might have a good impact on
> productivity.

s/psychiatrist/therapist/ Maybe someone that is experienced in large voluntary communities could
give a talk, or workshop, or both.

It would be interesting to know wether anyone knows a person that could
help us this way. I could talk to some people if the idea doesn't look
stupid to the rest you the people reading this.

-- 
  Â·''`.             If I can't dance to it, it's not my revolution
 : :' :                                            -- Emma Goldman
 `. `'           Proudly running Debian GNU/Linux (unstable)
   `-     www.amayita.com  www.malapecora.com  www.chicasduras.com

In 2007, Jeremy Bicha joined the US Navy. The Navy is a very large organisation. The Navy recruited 37,000 personnel in the same year. They had no way to know about Jeremy Bicha's childhood.

By 2008, they were already talking about how they would recruit people's teenage children. This was well before the Debian pregnancy cluster started producing said children.

Subject: Re: [VAC] Going to the chapel ...
Date: Tue, 22 Jul 2008 16:12:29 +0200
From: Lionel Elie Mamane 
To: debian-private@lists.debian.org

On Sat, Jun 28, 2008 at 03:29:27PM +1000, Russell Coker wrote:

> On Saturday 28 June 2008 14:32, Benjamin Seidenberg
>  wrote:

>> The question is, will we accept parental signatures on the GPG keys?

> Why wouldn't you accept a parental signature? (...)

> Advocacy however is a different matter.  We want advocates to not be
> excessively biased, and I'm sure that while growing up we have all
> seen adequate evidence of parents who think that their children are
> angels while everyone else knows the truth...

> Of course if a parent was to quietly encourage the NM people to keep
> their child in the queue for an extra year or two then I think we
> should accept such a recommendation.

I fail to see why this is obviously desirable; parents can also be
biased in the other direction, that is think their late teenage
children are like one-year olds that cannot cross the street without
their supervision.

--
Lionel

Around the same time, in June 2008, Jeffrey Epstein made a guilty plea on two charges in state court. He was sentenced to 18 months in a county jail, which is less onerous than a state prison. He was authorised to participate in a work release program whereby he could leave the prison for sixteen hours per day, six days per week. It is rumoured that he was unhappy with his probation officer and exploited political connections to have the probation officer moved elsewhere.

Jeffrey Epstein worked as a schoolteacher before getting into finance. Therefore, he is far more culpable than a twelve-year-old juvenile offender like Jeremy Bicha.

From 25 to 27 September 2009, Taiwan hosted the International Conference on Open Source. One of the Debian Account Managers, Joerg Jaspert, travelled there and brought an Asian woman, Pei-Hua Tseng, back to Germany to marry him. He admits that he was presenting himself as a Debian Developer at the conference:

"I first met my wife at the â€œInternational Conference on OpenSourceâ€� 2009 in Taiwan. So OpenSource, Debian and me being some tiny wheel in the system wasnâ€™t entirely news to her."

If any other random developer meets a woman at a conference they are insulted and told that relationships are a bad thing. Yet for the oligarchs representing Debian at events, it is open season on women. This relationship helped bootstrap the Debian pregnancy cluster.

In 2010, Jeremy Bicha's older sister went to Bob Jones university. The on-campus therapist gave her bad advice. The sister went to a more victim-oriented off-campus center, Julie Valentine Center. After counselling there, the victim and another sister, who is also a victim, reported the abuse to police.

US Navy investigators immediately questioned Jeremy Bicha. He admitted the allegations about his childhood are true. He was immediately terminated from Navy employment.

In August 2010, DebConf10 was in New York City. By this stage, we can see Debianism had well and truly adopted a cult lifestyle. A group of couples share rooms. They pretend we have no money while keeping it for themselves. They are pretending that bringing your wife is diversity.

On 15 August 2010, the night before Debian Day, the volunteer Frans Pop sent us his resignation / suicide note.

On 17 April 2011, the day that Carla and I got married, Adrian von Bidder-Senn died in Basel, Switzerland. People discussed it like a copycat suicide. This is a horrific thing to recall on your wedding anniversary each year.

Shortly after Adrian von Bidder-Senn died, his wife, Diana von Bidder-Senn sent an email revealing she was oblivious to what he was doing on his computer. In hindsight, we can see that both Adrian and Diana were tricked by Debianism in different ways:

Subject: Re: condolences for Adrian
Date: Mon, 25 Apr 2011 15:02:18 +0200
From: Diana von Bidder <diana@fortytwo.ch>
To: Stefano Zacchiroli <leader@debian.org>

Dear Stefano
Thank you for your wonderful mail! Yes Debian and people were very
important to Adrian. I was glad that he was not only sitting alone in
front of his computer but to know that there are people out there that
estimate him and are his friends even if most of you did not know each
other personally.
The way you describe him (empathy, calm, insight, ... - just the Adrian
I know) assures me on how good friends of Adrian are out there. And I
will always continue to think of this (in a good way!) when continuing
to use debian (which I became quite fond of because of Adrian). 
It's a pity that he couldn't go to Banja Luca anymore which he did so
much look forward to. Anyway, I wish you all the best and hope you
continue your good work.

- Diana

The family asked for donations to AMICA Schweiz, a charity that helps women abused during the conflict in the Balkan countries. People argued about it on debian-private.

Two hundred Swiss francs is a trivial sum compared to the $120,000 given to lawyers and WIPO UDRP to stop people talking about the deaths.

Subject: Re: Death of Adrian von Bidder
Date: Thu, 21 Apr 2011 08:56:04 +0200
From: Andreas Tille <andreas@an3as.eu>
To: debian-private@lists.debian.org

Hi,

I admit that e-mails about emotions tend to be turned into flames
and I do not want this here.

On Thu, Apr 21, 2011 at 07:24:59AM +0200, martin f krafft wrote:
> I suggest that we donate 200 CHF from the project (price of a nice
> wreath with writing). If there are other donators, please get in
> touch with me.

The donators of the Debian project intend to spend money for the
development of the Debian project.  If we spend Debian money for a
wreath (or any form of replacement donation) this is not related to the
development of Debian.  It is rather *us* *people* who say goodby to
a friend.  So the money should not come from project funds but rather
from single developers.

Saying this I would like to vote against spending Debian money but
rather doing a separate collection.  I could live with some kind of "de
facto" collection like this:  I will ask for Debian money for DebConf.
In case Debian project money is really spended for Adrian's funeral I'd
simply ask for 10Euro less than I would have done otherwise.

Please do not get me wrong: I'm in any case for showing that the Debian
community is sad about the dead of Adrian.  But I'm not convinced that
this purpose is in the interest of our donators and it finally comes
quite cheap for us individuals to simply spend Debian money.

Kind regards

       Andreas.

-- 
http://fam-tille.de

In December 2011, Martin Krafft describes Debianism itself as a teenage culture. His fingers get a mention in the email signature:

Subject: Mooing solves everything
Date: Wed, 7 Dec 2011 22:14:13 +0100
From: martin f krafft <madduck@debian.org>
Reply-To: madduck@debian.org
Organization: The Debian project
To: debian private list <debian-private@lists.debian.org>

[Writing to -private with Reply-To set, because this is clearly
a classified topic]

We know about super cow powers and swallowed elephants, and the
power of the Mooing.

What I want to do is collect cow-related stories of relevance to our
project, to prevent an inside joke from dying as Debian prepares to
exit teenagehood.

So, please hit me. What does Debian have to do with mooing?

-- 
 .''`.   martin f. krafft <madduck@d.o>      Related projects:
: :'  :  proud Debian developer               http://debiansystem.info
`. `'`   http://people.debian.org/~madduck    http://vcs-pkg.org
  `-  Debian - when you have better things to do than fixing systems
 on the other hand, you have different fingers.

At the same time, in December 2011, a young transgender straight out of an elite French high school was given a paid job in a student-run Internet Service Provider, the CR@NS network at ENS Cachan. One of the older students, Debian Developer Nicolas Dandrimont, was dating this vulnerable young person at the same time as paying them and trying to help them get Outreachy money. Recall the original discussion about offering money for transgender participation many years prior. Offering these people moral support may be acceptable but offering large sums of "diversity" money at a point when they are unsure of their identity appears to be highly unethical.

On 31 March 2012, Jeremy Bicha requested to be authorised as a Debian Maintainer. His request received advocacies from Jordi Mallach and Martin Pitt.

Subject: DM application of Jeremy Bicha
Date: Fri, 30 Mar 2012 18:58:41 -0400
From: Jeremy Bicha <jbicha@ubuntu.com>
To: debian-newmaint@lists.debian.org
CC: Jordi Mallach <jordi@debian.org>, Michael Biebl <biebl@debian.org>,
Sebastien Bacher <seb128@debian.org>, Martin Pitt <mpitt@debian.org>

This is my declaration of intent to become a Debian Maintainer
<URL:http://wiki.debian.org/DebianMaintainer>.

I have read the Social Contract, Debian Free Software Guidelines and
Debian Machine Usage Policy and agree with all of them.

Currently, I maintain the package kabikaboo
and I coâ€�maintain the GNOME packages with the Debian GNOME Team.

My GnuPG key EBFE6C7D is signed by the Debian Developer Andres Mejia.

I look forward to becoming a Debian Maintainer. Thanks for your attention.

Jeremy Bicha

-- 
To UNSUBSCRIBE, email to debian-newmaint-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact
listmaster@lists.debian.org
Archive: http://lists.debian.org/4F763AA1.1050503@ubuntu.com

The first advocacy:

Subject: Re: DM application of Jeremy Bicha
Date: Sat, 31 Mar 2012 10:58:40 +0200
From: Jordi Mallach <jordi@canonical.com>
Organization: SinDominio
To: Jeremy Bicha <jbicha@ubuntu.com>
CC: debian-newmaint@lists.debian.org, Michael Biebl <biebl@debian.org>, Sebastien Bacher <seb128@debian.org>, Martin Pitt <mpitt@debian.org>

Hello!

On Fri, Mar 30, 2012 at 06:58:41PM -0400, Jeremy Bicha wrote:
> This is my declaration of intent to become a Debian Maintainer
> <URL:http://wiki.debian.org/DebianMaintainer>.
> 
> I have read the Social Contract, Debian Free Software Guidelines and
> Debian Machine Usage Policy and agree with all of them.
> 
> Currently, I maintain the package kabikaboo
> and I coâ€�maintain the GNOME packages with the Debian GNOME Team.
> 
> My GnuPG key EBFE6C7D is signed by the Debian Developer Andres Mejia.
> 
> I look forward to becoming a Debian Maintainer. Thanks for your attention.

I've been silently waiting for this email to hit my inbox for some time
now, and I'm very, very happy Jeremy has taken this step forward.

Jeremy is an Ubuntu member and is very involved, as far as I can tell, in
Ubuntu Core packaging. For a long time, though, he has been working with
the Debian GNOME team, which helps us reduce the delta with Ubuntu, get
new blood in the team (something that's really appreciated) and generally
have another voice to discuss Debianâ†�â†’Ubuntu matters wrt GNOME.

Jeremy is part of our team, and it's only natural he becomes (at least!) a
Debian Maintainer.

Jordi
-- 
Jordi Mallach PÃ©rez  --  Debian developer     http://www.debian.org/
jordi@sindominio.net     jordi@debian.org     http://www.sindominio.net/
GnuPG public key information available at http://oskuro.net/

The second advocacy:

Subject: Re: DM application of Jeremy Bicha
Date: Tue, 3 Apr 2012 07:24:13 +0200
From: Martin Pitt <mpitt@debian.org>
To: Jeremy Bicha <jbicha@ubuntu.com>
CC: debian-newmaint@lists.debian.org, Jordi Mallach <jordi@debian.org>, Michael Biebl <biebl@debian.org>, Sebastien Bacher <seb128@debian.org>

Hello Jeremy,

Jeremy Bicha [2012-03-30 18:58 -0400]:
> This is my declaration of intent to become a Debian Maintainer
> <URL:http://wiki.debian.org/DebianMaintainer>.
> 
> I have read the Social Contract, Debian Free Software Guidelines and
> Debian Machine Usage Policy and agree with all of them.
> 
> Currently, I maintain the package kabikaboo
> and I coâ€�maintain the GNOME packages with the Debian GNOME Team.

I've seen your great activity in both Debian's and Ubuntu's GNOME
team. You have demonstrated the ability to deal with nontrivial
packaging situations, a sustained enthusiasm and dedication, and good
collaboration with upstream as well. I fully support your application
for DM, thanks!

Martin
-- 
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)

On 15 May 2012, minutes of the GNOME Foundation tell us that Jeremy Bicha was one of six people given voting rights in the foundation. Many open source developers have never had the right to vote in any of these incorporated bodies. It appears that Jeremy Bicha was able to renew his membership and thereby maintain this status even during his subsequent prison term.

On 4 June 2012, Jeremy Bicha became part of the Masters of the Universe (MOTU) group in Ubuntu.

In April 2013, the Debianists decided to start offering money to young women under the disguise of Outreach Program for Women (OPW), which was later renamed to Outreachy. The Debian constitution explicitly says that contributors must be volunteers. Therefore, the payments to these young women are illegal under the constitution and may be illegal in other ways too.

...

3.2. Composition and appointment

Developers are volunteers who agree to further the aims of the Project insofar as they participate in it, and who maintain package(s) for the Project or do other work which the Project Leader's Delegate(s) consider worthwhile.
...

Here is one of the early advertising banners promoting the illegal payment of $4,500. The GNOME Foundation logo is on the woman's foot. It is an uncanny coincidence the logo strongly hints at the unison of male and female genitalia:

In July 2013, I publicly resigned from the Australian Labor Party (ALP) due to abuse of female asylum seekers from Iran. In the resignation email, which was leaked to Australian political news site Crikey, I compared the scandal to the Catholic abuse scandal. I think this may be the first time my name was on the public record as a supporter of victims. This was well before the Spotlight movie and the #MeToo phenomena, therefore, it can't be suggested that those latter revelations influenced the strong words used in my resignation in 2013.

In September 2013, Jeremy Bicha was convicted and sentenced to three years in a state prison. The state prison is a far more onerous punishment than the county jail where Jeffrey Epstein was briefly incarcerated. The duration of Jeremy Bicha's sentence is double the 18 month sentence imposed on Epstein.

At the sentencing, Bicha's defence lawyer asked the judge not to put his name on the list of registered sex offenders. This is a controversial topic. The police have also asked the judges not to automatically put every criminal like this on the list. The more pragmatic police commanders want these lists of registered sex offenders used for those pathological predators who never truly change their ways. Looking at the allegations against Bicha, he personally stopped offending at 15, during his childhood and there is no evidence he is committing similar crimes as an adult. To put it another way, if a child goes missing, the local police want to be looking at a list of the top twenty lifetime sex offenders who are dangerous enough to deserve a house call. If the police are confronted with a list of over a thousand registered sex offenders in their district they have no way to know which of those people to visit first.

In October 2013, WORLD published a report about the case with an emphasis on the failure of adults, including the parents, a pastor and a schoolteacher who all failed to help the sisters during their childhood.

The story was syndicated widely and an extract containing Bicha's name is on the Bishop-Accountability.org web site.

In Australia and other countries, the media is normally prohibited from publishing the names of juvenile offenders. In a way, the young boys are considered victims of their parents' failures. On that basis, they have a right to privacy equivalent to the rights of the abuse victims. Nonetheless, this type of restriction doesn't appear to be applicable in the United States. Nonetheless, if the local pastor and schoolteacher were not part of the story, it is unlikely the newspapers would publish the story at all.

In November 2013, Paul Tagliamonte sent the following message to the leaked debian-private email list. It concerns a young woman who applied for the OPW / Outreachy money. Why are these men always thinking about the age-of-consent when women are mentioned?

 
Subject: Re: OPW Student in Kingston, Jamaica
Date: Mon, 25 Nov 2013 13:39:12 -0500
From: Paul Tagliamonte <paultag@debian.org>
To: Joachim Breitner <nomeata@debian.org>
CC: debian-private@lists.debian.org

On Mon, Nov 25, 2013 at 06:37:36PM +0000, Joachim Breitner wrote:
> Hi,
> 
> Am Montag, den 25.11.2013, 13:18 -0500 schrieb Paul Tagliamonte:
> > She's got a PhD, so I think this could also be a good beersigning, if
> > she drinks.
> 
> not having a PhD yet I wonder what expects me: Will I be a better
> drinker after I get the degree? Or a better keysigner? /me is confused.

It simply means she's likely of age in her jurisdiction. All I was
saying is that she's not a high school student.

Cheers,
  Paul

-- 
 .''`.  Paul Tagliamonte <paultag@debian.org>
: :'  : Proud Debian Developer
`. `'`  4096R / 8F04 9AD8 2C92 066C 7352  D28A 7B58 5B30 807C 2A87
 `-     http://people.debian.org/~paultag

On 16 January 2014, this appeared in a discussion about bug report 735031 (censorship):

Subject: Re: Bug#735031: lists.debian.org: arbitrary bans
Date: Thu, 16 Jan 2014 11:44:29 -0500
From: Yaroslav Halchenko <debian@onerussian.com>
To: debian-private@lists.debian.org

On Thu, 16 Jan 2014, Antoine BeauprÃ© wrote:
> >> If you believe such language is acceptable, and within social norms,
> >> and you are sure you would be unhappy in a community which rejects
> >> these things, may I gently suggest you find another community?

> > is, to my mind, much ruder and more offensive than anything in either
> > Norbert Preining's message or the cited messages of Jordon Bedwell.

> No, it is not. Norbert took the liberty of comparing people to Pol
> Pot. Jordon made sexist comments about "teenage girls" or calling people
> "asses".

I once (after being with the project for many years) have been called a
"random guy" by another respectful DD, while I was trying to improve the
state of one of the packages in the archive.  I was offended, probably
even more than those teenage girls in a single random technical thread.

Should I also have sought him being banned?  I do not think so.

IMHO the balance here is too fragile, and excessive abstraction away
from the technical merits could IMHO hurt the project more than to help
our community (which is like a homeland and many other social entities
to me).

Just my 1cent
-- 
Yaroslav O. Halchenko, Ph.D.
http://neuro.debian.net http://www.pymvpa.org http://www.fail2ban.org
Senior Research Associate,     Psychological and Brain Sciences Dept.
Dartmouth College, 419 Moore Hall, Hinman Box 6207, Hanover, NH 03755
Phone: +1 (603) 646-9834                       Fax: +1 (603) 646-1419
WWW:   http://www.linkedin.com/in/yarik

In April 2014, Manatee Glens Rape Crisis Center organised a march and the sister, Jennifer (Jen) Bicha gave a speech. News report about the march.

Around the same time, the GRACE web site published a report by Jennifer Bicha under the heading Sexually Assaulted in a Christian Home. They highlighted the following quote:

The next time you defend a predator and say, â€™Oh, he was just a child,â€™ remember the faces of the innocent little ones whose childhood was stolen.

I have mixed feelings about that. It was not "just a child". As the judge told us, it was the child and the negligent adults together who left Jennifer Bicha to suffer this torture. Many other legal cases have made similar conclusions, including one high profile case where they recently decided parents were guilty when their child engaged in a schoolyard shooting spree.

On 3-4 May 2014, the first OSCAL conference took place in Tirana, Albania. ( Fedora wiki page). Photos released by the conference organizers suggest over eighty percent of the participants were young women. In every other country, we would normally see the gender statistics reversed. In Albania various theories have appeared about why large numbers of women came to these events. Some of the women have ended up moving to the city of Brno in the Czech Republic.

On 13 July 2014, Italian newspaper La Repubblica publishes a report about an interview between Pope Francis and editor Eugenio Scalfari. The late Pope Francis allegedly told Eugenio Scalfari that his own advisors have suggested that two percent is an accurate estimate of the number of priests who are paedophiles. He deplores their behaviour but on the other hand he insists it is no higher than the percentage of paedophiles in any other profession.

"Among the 2% who are paedophiles are priests, bishops and cardinals. Others, more numerous, know but keep quiet. They punish without giving the reason,"

"I find this state of affairs intolerable,"

The comment about punishments resonates with many of the Debianism scandals over the years.

Likewise, the two percent estimate can be applied to large free software organisations like Debianism and the FSFE misfits. These groups typically have a few hundred core participants and a few thousand loosely affiliated contributors. In the recent Debianism election, a thousand people were registered to vote. Two percent of that is twenty paedophiles.

Jennifer Bicha, sister of Jeremy Bicha, had sought help from an on-campus therapist and the support she received was very poor. The campus, Bob Jones University, undertook an investigation, culminating in the GRACE report. WYFF News interviewed Jennifer Bicha about her experience with Bob Jones University and other supports she had reached out to. She is also on Youtube for those who are geoblocked. The focus of these news reports is not really Jeremy Bicha himself but the failure to support victims. Nonetheless, Jeremy Bicha was regularly in news reports due to these wider circumstances. Therefore, it is shameful that he has come into GNOME, Ubuntu & Debianism without anybody having a public discussion about risk to victims.

The same news network published a detailed article on their web site.

Jennifer Bicha spoke at a fundraising event for the Julie Valentine Rape Crisis Center. This lead to another news report in Greenville Online. ( alternative link). Jeremy Bicha's name is not mentioned in this report.

In August 2015, according to reports from the high-profile hush-money trial, Donald Trump, his lawyer Michael Cohen and National Enquirer editor David Pecker had a meeting and agreed on a catch-and-kill plan. It was alleged that if any woman tried to sell a story about Donald Trump, Pecker would buy exclusive rights to the story and then keep the story hidden until after the election. Similar plots have been created in open source software communities. Debianists created the "anti-harassment" team. Fedora has a "Community Team". These teams pretend to listen to complaints. If a woman ever makes a complaint about one of the oligarchs or the men employed by the controlling corporations then the story is covered up. The woman who made the complaint will receive a polite response but she will not be invited to any more events. The same theme emerged in the Harvey Weinsten saga. Harvey Weinsten's team was afraid some women posed a risk. They told other movie producers to avoid the women and lock them out of the industry. Eventually, Lord of the Rings director Peter Jackson admitted he had excluded some actresses after receiving Harvey Weinsten's warnings to avoid them. This is the same phenomena described by Lunduke in his report Fedora's Code of Conduct: 200 Day Response Time, Only Protects You if Red Hat Likes You.

In November 2015, the movie Spotlight was released in cinemas. It is a biographical film based on the 2002 Spotlight investigation that exposed the phenomena of clerical abuse in Boston. A lot of Catholics and people from other religions have watched the film. In one of the key scenes in the movie, they discuss the research of Richard Sipe, who suggests that two percent of men in the general population are paedophiles but the rate in the Catholic abuse context is alleged to be six percent. Many people have speculated whether or not the figure is true and whether the church is really responsible for it or whether it is some factor out of their control.

There are approximately one thousand developers in Debianism today. If two percent are paedophiles that would be twenty men. We only know the identity of one, Jeremy Bicha. Who are the other nineteen? We have evidence about Elio Qoshi's underage girlfriend but in that case, Qoshi is not a Debian Developer so he is not in the same group for statistical purposes.

Looking at the culture of Debianism, it has some awkward similarities to the Catholic abuse crisis. Therefore, we need to consider the possibility that the percentage of Debian Developers who are paedophiles, like the percentage of priests, may be above the two percent average for the population. If six percent of Debian Developers are paedophiles, that is sixty paedophiles.

On 12 March 2016, Jeremy Bicha was released from prison under supervision / parole until 11 March 2021.

Subject: Jacob Appelbaum and harrassement
Date: Wed, 15 Jun 2016 13:48:53 +0200
From: Mehdi Dogguy <leader@debian.org>
To: debian-private@lists.debian.org

Hi all,

Jacob Appelbaum is currently facing some serious accusations in other
communities, and DAMs are aware of at least two Debian Developers who
have lived and have witnessed situations that are a clear case for
worry.

[ ... snip defamation crap ... ]

None of the emails really tells us what is a "clear case for worry", to this day, it is still not clear at all.

In contrast, the accusations against Jeremy Bicha were very clear. He is accused of abusing his little sisters and at least two other victims. He admitted these accusations too.

Notice it is a lot like the vendetta against Ted Walther from DebConf6. He never committed any crime but after somebody spread a rumour that his female friend was a prostitute, it took barely one hour for the whole conference dinner to turn against him and erupt into violence.

In both the case of Ted Walther (2006) and Dr Jacob Appelbaum (2006), the rogue Debianists have been far too arrogant to admit the rumours were falsified and give these men and their families the apology they deserve. Yet they are asking us to ignore the very real abuse convictions against Jeremy Bicha and welcome him with open arms.

In April 2017, Chris Lamb was elected for the first time as the leader of Debianism. One week later, the Fellowship elected me as their representative to the FSFE misfits in Berlin. From this point on, Chris Lamb appeared to be jealous and resentful that another Debian Developer was in a leadership position in the community. Today, we see a similar rivalry between the US President Donald Trump and the other American head of state, Pope Leo from Chicago. When women had complaints about certain oligarchs, they had a choice between going to Chris Lamb or telling me about it in my capacity as Fellowship representative. Women were coming to me with evidence about problems in the community. Some of the large corporations would have preferred to see those women reporting problems through channels controlled by the corporations.

On 11 May 2017, while on parole, Jeremy Bicha submitted an application to become a Debian Developer. The email advocacies are available online.

To: Jeremy Bicha <jbicha@ubuntu.com>
Cc: debian-newmaint@lists.debian.org, nm@debian.org, archive-184@nm.debian.org
Subject: Re: Jeremy Bicha: Declaration of intent
From: Andreas Henriksson <andreas@fatal.se>
Date: Fri, 12 May 2017 08:55:11 +0200

Hello!

I have personally worked with Jeremy Bicha <jbicha@ubuntu.com> in the
pkg-gnome team where he has been an outstanding contributor for a
sufficiently long time and I know jbicha having full unsupervised
unrestricted upload access to the archive would benefit us in the
team and likely also Debian as a whole on an even wider scale
than before.
I'm aware Jeremy is also very active in Ubuntu and GNOME upstream.
I find it that Jeremy is very good at interacting with upstream as
well as avoiding/resolving conflict or disagreeing opinions, which
means he has atleast two skills that I think we should have more
people like in Debian.

For any AM tasked to question Jeremy I would say you can skip
any regular packaging related questions. If you want to give
him some challange you might want to focus on a more complicated
philosophical question or ask him specifically about Debian
infrastructure and procedures related to those (as he mainly
uploads to Ubuntu and AFAIK has only very limited usaged his
DM privilegies because of the pkg-gnome streamlined sponsorship
workflow).

But to be frank, please consider just fast-forwarding jbicha through
the entire process because any potential knowledge-gap he might
have I'm more than sure we can discuss and handle those within
the pkg-gnome team which has many very experienced DDs that would
happily assist jbicha if needed.

Regards,
Andreas Henriksson

Here is the other advocacy:

To: debian-newmaint@lists.debian.org
Cc: Jeremy Bicha <jbicha@ubuntu.com>, nm@debian.org, archive-184@nm.debian.org
Subject: Jeremy Bicha: Advocate
From: Gianfranco Costamagna <locutusofborg@debian.org>
Date: Fri, 12 May 2017 09:25:12 -0000

I support Jeremy Bicha <jbicha@ubuntu.com>'s request to become Debian Developer, uploading.
I have worked with Jeremy Bicha for quite some time, even if I sponsored just a few packages for him (in Debian).

His work is excellent, he really cares about keeping is packages in a good shape, he cares about transitions and he is quick in reacting when problems are found.

Debian will benefit a lot from his work.

I have personally worked with Jeremy Bicha <jbicha@ubuntu.com> (key 4D0BE12F0E4776D8AACE9696E66C775AEBFE6C7D) for X time,
and I know Jeremy Bicha can be trusted to be a full member of Debian, and have unsupervised, unrestricted upload rights, right now.  

Thanks Jeremy for finally starting the process!

Gianfranco

Those are very positive things to write about somebody who has just been released from prison on parole.

Andreas Henriksson does not reveal his employer details or affiliation with Ubuntu, Canonical or GNOME. Gianfranco Costamagna reveals he works for Datalogic. They are based in the city of Bologna, Italy, the same city where Enrico Zini is located. Did Gianfranco Costamagna exercise any personal connections with Enrico Zini to have the Debian Account Managers approve the registered sex offender while he was still on parole?

On the weekend of 13 and 14 May 2017, the fourth OSCAL conference took place in Tirana, Albania. A girl of fifteen or sixteen years of age created an online profile for herself in the Discourse forum software used by the Albanian Open Labs group. We subsequently learnt this was the girlfriend of Elio Qoshi, one of the Albanian ringleaders.

Justin Flory, an employee of UNICEF who is closely affiliated with Red Hat, was pictured lying on the ground with Elio Qoshi at his feet.

Chris Lamb, then leader of Debianism, was pictured at the Red Hat table alongside Elio Qoshi.

At exactly the same time they are processing Jeremy Bicha's ordination as a Debian Developer, we saw Dominik George going through exactly the same process. Messages about Dominik George explicitly refer to children:

To: Dominik George <nik@naturalnet.de>
Cc: debian-newmaint@lists.debian.org, nm@debian.org, archive-175@nm.debian.org
Subject: Re: Dominik George: Declaration of intent
From: Holger Levsen <holger@layer-acht.org>
Date: Mon, 15 May 2017 14:09:15 +0000

Hi,

sorry for the delay in writing thisâ€¦!

On Mon, Apr 24, 2017 at 06:54:13PM -0000, Dominik George wrote:
> I would like to apply to change my status in Debian to Debian Developer, uploading.

yay, this is pretty good news for Debian and for Debian Edu and probably a
bunch of others! :-)

I've met Dominik the first time for "real" (*) at the Debian Edu gathering
in Oslo in December 2016 where I could see him working & discussing and also
learned a few things he does outside Debian, which also involves computers,
kids & schools.

(*) we've briefly bumped into each other before and said hi or so :)
    http://layer-acht.org/thinking/blog/20161221-debian-edu-sprint-in-oslo/
    shows him wearing a DebConf15 t-shirt, so you might met him too ;)

Not related to Debian, but very much showing his dedications,
is that he is involved in another project with kids + young adults, which 
in the last years brought 20-30 young adults to the chaos communication congress:
https://www.teckids.org/hacknfun_2016_xmas.htm

The technical discussions we had in Oslo, plus the ones I've seen on IRC,
plus the questions he had and the attitudes he showed make me believe that
Dominik will be a great DD and contributor to our project and beyond! 

I cannot fully vouch for him technically, as we work on different areas in 
Debian Edu and I've only reviewed bits of his work, but I'm confident he'll
manage NM well! So I'm much looking forward to him becoming a DD!

-- 
cheers,
	Holger

On 29 May 2017, Jonathan Wiltshire of the Debian Account Managers team writes:

I will progress this application and assign an application manager shortly, but the key issues need to be resolved before the application can be finalised. Please work with your AM on that.

Where he writes "key issues", he is referring to issues with the PGP key. There is no reference to the abuse.

On 7 June 2017, Jeremy Bicha became a Core Dev in the world of Ubuntu.

On 8 August 2017, the Application Manager, Gunnar Wolf, who is also one of the Debian keyring managers, wrote the following:

Subject: Jeremy Bicha: Application Manager report
Date: Tue, 08 Aug 2017 21:09:52 -0000
From: Gunnar Wolf <gwolf@gwolf.org>
To: debian-newmaint@lists.debian.org
CC: Jeremy Bicha <jbicha@ubuntu.com>, archive-184@nm.debian.org,
nm@debian.org

I have reviewed Jeremy Bicha's answers for the NM process, and am more
than satisfied by them. I have also been approached in DebConf by his
team mates, who very strongly recommended him as a DD. I am of the
opinion the project will win quite a bit having him as a full DD with
unimpended upload rights.

Gunnar Wolf (via nm.debian.org)
-- 
https://nm.debian.org/process/184

People are cheering him on:

Subject: Re: Jeremy Bicha: Application Manager report
Date: Tue, 8 Aug 2017 18:17:15 -0400
From: Andrew Shadura <andrew@shadura.me>
To: debian-newmaint@lists.debian.org
CC: Gunnar Wolf <gwolf@gwolf.org>, Jeremy Bicha <jbicha@ubuntu.com>

On 8 August 2017 at 17:09, Gunnar Wolf <gwolf@gwolf.org> wrote:
> I have reviewed Jeremy Bicha's answers for the NM process, and am more
> than satisfied by them. I have also been approached in DebConf by his
> team mates, who very strongly recommended him as a DD. I am of the
> opinion the project will win quite a bit having him as a full DD with
> unimpended upload rights.

Yay! Congrats! :)

-- 
Cheers,
  Andrew

From 14 to 18 July 2017, the Digital-Born Media Carnival was held in Kotor, Montenegro. Some of the women from open source software groups in Kosovo and Albania attended. Kotor is an ancient seaside village without any modern high-rise tourist accommodation. Visitors stay in bed and breakfast accommodation or holiday houses. On the last night of the carnival, there was a party by the waterside. The next morning, as we were departing, I saw one of the Albanian women coming out of a holiday house that had been rented by a group of men from another country. There was a bit of hand-holding and a kiss goodbye. Every time the woman is selected for an internship or a conference speaking opportunity, over and above every other woman in the community, I remember that last day in Kotor.

If you are involved in a sports club and you observe somebody had a one night stand with another member you might not feel any need to mention it or cause embarassment. However, open source software hobbyists are claiming to be a model of integrity, merit and security. Social engineering attacks are often rated as the biggest risk to modern organisations and their IT systems.

Shortly after that, the Open Labs non-profit in Albania had their birthday party in the hackerspace. At least two underage people were there and at least one of the other women identified them to me. Separately, women had told me that the youngest girl was dating the co-founder of the group Elio Qoshi. They told me a lot of things about Elio Qoshi, I observed some of those things with my own eyes and I observed written evidence in requests for travel funding that confirmed what the women had told me in person. Eighty percent of the group were female but a lot of the money did not go into the non-profit bank account. The money was managed by an accountant but there were rumours that the same accountant was also managing the bank accounts for Elio Qoshi consulting company. The women on the committee had never seen a balance sheet or a profit & loss statement for the non-profit entity.

In September 2017, they promoted an event called FOSSCamp. Instead of organising it in Albania, they decided to organise it in a more expensive destination, Greece and they asked bigger organisations to pay the travel expenses for a group of people, many of them who were simultaneously members of the non-profit but also employees of Elio Qoshi's commercial enterprise. Questioning them about the event budget, we reached the point where Elio Qoshi admitted that one of the amounts charged to the bigger organisations like Debian was really a payment for his effort organising the event. The women who collaborated on the organisation did not receive any equivalent payment. Yet each woman was asked to send a request to Debian, Mozilla, Wikimedia and maybe other organisations asking for diversity funds to pay the bus fares, ferry tickets, accommodation and management fee.

In the photos from the conference in May 2017, we could see over twenty young female students participating. Yet women told me that access to the trip to Greece was more tightly controlled. Women needed to get permission to join this trip.

Various people noticed that two or three men were acting as gatekeepers and rationing funding and travel opportunities for all the women. Chris Lamb and I were both warned that something dishonest was happening. I asked questions but Lamb didn't want to spoil whatever was going on there.

Here is an example where one of the men is giving one of the women, Anisa Kuci, permission to go on the trip to Greece:

Subject: Re: Debian at FOSScamp - funding request
Date: Sun, 13 Aug 2017 19:01:58 +0300 (EEST)
From: Giannis Konstantinidis <giannis@konstantinidis.cc>
To: Chris Lamb <lamby@debian.org>, Silva Arapi <silva.arapi@gmail.com>
CC: leader@debian.org, treasurer@debian.ch, auditor@debian.org,
daniel@pocock.pro, Redon Skikuli <redon@skikuli.com>, ping@anisakuci.com

Hey everyone,
just wish to inform you that unfortunately, due to unforeseen external
factors, I won't be able to make it. I'd like to thank the Debian
community for the generous support. We will stay in touch.

To make sure Debian makes the maximum possible impact at FOSSCamp, I'd
like to sugggest Anisa Kuci (cc'ed ) takes my place. Anisa has been a
longtime experienced member of Open Labs Hackerspace, co-organized OSCAL
and is very much interested in further contributing to Debian.

Thanks once more. I wish the best success to Debian and your
participation FOSSCamp.

Kind regards,
-Giannis K.

Something was not right about this. It is clear that Chris Lamb, as the leader of Debianism, had been informed about it since this moment in time or earlier.

Some women see this type of thing as a sport and they actively seek to join organisations where they can take shortcuts. Other women were attracted by the promise of an educational or philosophical project, they contributed their time and skill helping one or two events in Albania and then discovered that to qualify for a trip abroad, they had to do the same things the girlfriends were willing to do. Some of the women felt even more strongly about this, as it impacts their professional relationships and job searching, they feel the male gatekeepers are blackmailing them for sex.

On 9 August 2017, looking at process 184 for Jeremy Bicha in the New Maintainer portal, we can see the process was frozen for review at the last minute. Yet this freeze was unblocked again less than three days later by Jonathan Wiltshire of the Debian Account Managers.

On 12 August 2017, minutes after the process was unfrozen, Jonathan McDowell added Jeremy Bicha's key to the Debian keyring.

In September 2017, Jeremy Bicha introduced himself on the debian-private (leaked) gossip network. He stated he is from Florida and presented himself as a victim of a woman called Irma (the hurricane):

Subject: 	Re: Irma
Date: 	Sun, 10 Sep 2017 13:52:08 -0400
From: 	Jeremy Bicha <jbicha@debian.org>
To: 	debian-private@lists.debian.org

On Sep 8, 2017 15:55, "Jeremy Bicha" <jbicha@debian.org> wrote:

    I intend to follow-up on this list on Monday to let you know I'm ok.


Monday is probably too optimistic because of widespread power outages, but I'll check in when I can.

Jeremy Bicha

On 20 September 2017, Elio Qoshi publishes a blog post about resigning as a Fedora Ambassador. Other volunteers did not receive any warning from Red Hat about Elio Qoshi's underage girlfriend and the complaints from other women.

On 12 October 2017 I sent Mozilla a protected whistleblower complaint about the harassment and underage issues. The date is 12 October 2017 so the misfits publishing alternative statements about harassment with dates later than this are lying. I have redacted the section that identifies underage victims. There were a series of interactions with Mozilla about the scandal. I was a witness and Elio Qoshi was clearly the suspect.

Subject: Open Labs / Tirana issues
Date: Thu, 12 Oct 2017 18:15:17 +0200
From: Daniel Pocock <daniel@pocock.pro>
To: Larissa Shapiro <lshapiro@mozilla.com>
CC: Kristi Progri <kristi@kristiprogri.com>

Hi Larissa,

I understand you have received some feedback about issues in Tirana

I was there from 27 September - 5 October and observed some of the
troublesome behavior and the impact on people like Kristi.

The behavior towards Kristi and some of the other women is wrong.  I can
also see a danger that challenging the people or their behavior may
split the Open Labs group.  Nonetheless, I suggested to Kristi and Anisa
that they should put their own wellbeing first.

I sent a funding request to the Outreachy organizers to sponsor Kristi's
trip to Prishtina where she gave a talk at our Mini DebConf.  When I
mentioned this funding in the hackerspace, Redon queried this quite
strongly.  I don't feel it is any of his business though if I want to
recommend somebody for funding.  The following day, Kristi told me that
Redon had called her and shouted at her.  The shouting was apparently
witnessed by other women in the hackerspace with Redon.  I reported the fact there are problems in the Debian anti-harassment process.

Various people told me that travel sponsorship should be "shared" and
this attitude seems to be connected with Redon's behavior.

I've told Kristi that she did nothing wrong and did not deserve to be
shouted at.

Another problem that occurred to me is that one person who received

Mozilla travel funding, [ .. redacted ..], is 16 years old and is not
legally an adult.

[ .. redacted .. ]

Regards,

Daniel

The discussion continued. The underage risk was acknowledged on the Mozilla side:

Subject: Re: Open Labs / Tirana issues
Date: Fri, 13 Oct 2017 23:12:14 +0200
From: Daniel Pocock <daniel@pocock.pro>
To: Emma Irwin <eirwin@mozilla.com>, Larissa Shapiro <lshapiro@mozilla.com>
CC: Kristi Progri <kristi@kristiprogri.com>

[ .. redacted .. ]

> I can comment on under-aged contributors - we do have those from time to
> time, and usually on trips at least parents or chaperon are required.
> 

Having underage contributors is not an issue itself and I have no
objection to that.

The issue arises when other groups or businesses align themselves with
local Mozilla groups and seek to benefit from those contributors.  I'm
not sure how to deal with that risk completely but there are probably
some things Mozilla could do in that area.

Regards,

Daniel

The discussion about underage continued in more emails:

Subject: Re: Open Labs / Tirana issues
Date: Sat, 14 Oct 2017 08:27:24 +0200
From: Daniel Pocock <daniel@pocock.pro>
To: Larissa Shapiro <lshapiro@mozilla.com>, Emma Irwin <eirwin@mozilla.com>
CC: Kristi Progri <kristi@kristiprogri.com>

On 14/10/17 01:51, Larissa Shapiro wrote:
> I'm not sure, but I can seek legal advice on this matter. In my view,
> there is the potential there for other organizations to take advantage
> of these kids.
> 

Even if there is no legal problem (in some countries the laws are very
weak), there is also a risk to the reputation of Mozilla and free
software in general.

I wonder if there are other organizations concerned with children's
safety who can help free software organizations develop a reasonable
approach to this risk?

I realize no organization can stamp this out 100%, but there may also be
some little things that can be done to help reduce risk.  E.g. maybe
when Mozilla funds travel, requiring the parents to fill out a chaperon
form that must be submitted with receipts, so Mozilla gets the parent's
contact details and the parents see some child safety text on the form.
Somebody trustworthy could sporadically contact parents and the underage
contributors to sniff out any hints of trouble.

Regards,

Daniel

A few weeks later...

Subject: 	Re: Open Labs / Tirana issues
Date: 	Wed, 20 Dec 2017 09:19:39 -0800
From: 	Emma Irwin <eirwin@mozilla.com>
To: 	Daniel Pocock <daniel@pocock.pro>

Hi Daniel,

Would you be willing to talk to Marta (HR Investigator) and myself about Redon & Elio and your experiences and what you have witnessed?

Thank you

Having informed at least three other organisations who funded this racket, including Debian and Mozilla, my conscience is clean. Nobody can accuse me of protecting an abuser.

On 25 February 2018, Jeremy Bicha submits an advocacy for another Ubuntu developer, Tim Lunn to become a Debian Developer:

Subject: Tim Lunn: Advocate
Date: Sun, 25 Feb 2018 15:07:40 -0000
From: Jeremy Bicha <jbicha@debian.org>
To: debian-newmaint@lists.debian.org
CC: Tim Lunn <tim@feathertop.org>, archive-455@nm.debian.org

For https://nm.debian.org/process/455/ on 25 February 2018 :
I support Tim Lunn <tim@feathertop.org>'s request to become Debian
Maintainer.

I first started working with Tim in 2012 on packaging for the Ubuntu GNOME
project. Without Tim, Ubuntu GNOME would not have survived.

Tim and I have been interested for a while in reducing the diff and
duplication of work between Debian and Ubuntu with GNOME packages. Tim
getting upload rights to these packages will help with this goal and will
help make Debian GNOME better for our users.

I have personally worked with Tim Lunn <tim@feathertop.org>
(key 0E0880479A6F1063372395275B39C0A1153ACABA) for several years, and I
know Tim Lunn can be trusted to have upload rights for their own packages,
right now.

Thanks,
Jeremy Bicha

Tim Lunn's page on the Ubuntu wiki suggests he is from Australia. We will find out later about his proximity to a murder trial.

In early March 2018, I posted a message in the Albanian open labs forum asking why some of the money from the non-profit Open Labs group was being diverted to a private company, Ura Design, controlled by Elio Qoshi. I had observed the women were doing all the work for free in the non-profit association but some of the men were getting financial benefits out of that work.

The Albanian ringleader Elio Qoshi admits complaining to Chris Lamb, leader of Debianism, to help cover up the conflicts of interest. In fact, the relationship between Open Labs and Ura Design was analogous to the relationship between Debian and Freexian. Although in this case, it was worse, because there was also the underage problem. Would the leader of Debianism put the protection of an Albanian pimp with an underage girlfriend ahead of the work done by a real Debian Developer?

Subject: 	[English] FOSScamp 2017 @ Syros, Greece
Date: 	Mon, 05 Mar 2018 12:16:45 +0000
From: 	Elio Qoshi <info@openlabs.cc>
Reply-To: 	Open Labs Hackerspace Forum <forum+ecf37220dfcc7e2ec1a56392b7b00781@openlabs.cc>
To: 	daniel@pocock.pro

[ ... snip ... ]

I will try to keep this short but Iâ€™m not sure how much I will succeed in that, as this will definitely be the last reply from my side here. I have reached out to the Debian Project Leader to close this issue once and for all.

[ ... snip ... ]

On 5 March 2018 I wrote to women from Albania asking them to share copies of evidence about Elio Qoshi hurting and exploiting women. The Debianism leader Chris Lamb immediately barged in with the comments:

Subject: Re: "free travel"
Date: Mon, 05 Mar 2018 16:40:00 +0000
From: Chris Lamb 
To: Daniel Pocock , Anisa KuÃ§i 
CC: leader@debian.org, larjona@debian.org, antiharassment@debian.org

[Adding antiharrassment to CC]

Daniel Pocock wrote:

> If Elio or anybody else has made any other comments like this on the 
> private members channel or Telegram and you want to discuss them with me 

[..]

Anisa, please feel to drop Daniel from any replies you wish to make, if
you even wish to do so.

(Daniel, thank you for your concern but we have got it from this point
onwards. There will be no need for you to reply further on this thread.)

Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-

This is the catch-and-kill strategy that had been described earlier. When women had a story about Donald Trump, they were encouraged to give the story to the National Enquirer and not talk to anybody else. What we see is the leader of Debianism knew about Elio Qoshi and he didn't want me, as the Fellowship representative, making an independent assessment of the underage scandal.

In the Catholic abuse crisis many senior cardinals and bishops are alleged to have known about abuse and failed to protect people. In the specific case of Gerald Ridsdale described earlier, one of the victims, his nephew David Ridsdale told the Royal Commission that the late Cardinal George Pell had offered him a bribe for silence. The woman corresponding with Chris Lamb and I was Anisa Kuci. She was given a series of free trips around the world, internships and eventually a job at GNOME.

Chris Lamb was observed to be close to Neil McGovern who was the Executive Director of GNOME in that era. Are we to believe neither of those men knew that a member of the Debian GNOME packaging team was a registered sex offender being put onto the Debianism keyring during Chris Lamb's tenure as leader?

At the time of that exchange, Anisa Kuci ignored Chris Lamb's condescending words and replied in full:

Subject: 	Re: "free travel"
Date: 	Mon, 5 Mar 2018 23:51:28 +0100
From: 	Anisa Kuci <anisakuci9@gmail.com>
To: 	larjona@debian.org
CC: 	Chris Lamb <lamby@debian.org>, Daniel Pocock <daniel@pocock.pro>,
leader@debian.org, antiharassment@debian.org

Hello Chris, Daniel, Laura,

Thank you very much for being so supportive.

I read the comments on the thread and to be honest I am really sad that
Elio [Qoshi] said that. It is not true at all.

They (Elio [Qoshi] & Redon) pretend to support women but on the other hand their
behavior towards many of us shows the opposite.

Daniel I feel bad because you have encouraged and helped not only me,
but so many other people, no matter if they are Open Labs members or
not, and also all the attendees from Kosova to learn new things, to work
and improve their skills and knowledge. They are doubting your good
intentions just to remove the attention from the shady things that they
are doing.

The free travel comment is really offensive to me and i feel it should
be offensive to every woman who is part of the community.
I have been contributing and supporting Open Labs since its early days,
and I have put a lot of effort and time, I do this because I believe in
what it is meant to stand for and without waiting something in exchange,
but the situation lately has been not very positive. Daniel has been
present by chance in few cases where situations have been very hard to
go through.

I would definitely like to talk to any of you and tell you more about
everything that is happening here, its fine to me whether it is a video
call, call or just emails.
Please tell me what would be more convenient to you.

King greetings,
Anisa

On 17 March 2018, Jeremy Bicha pushes an update to hyperkitty and it includes collaboration with Jonas Meurer and Pierre-Elliott BÃ©cue. The latter was an employee of ANSSI, the French government's agency for cybersecurity. Did BÃ©cue realize Jeremy Bicha was on parole or was he blinded by all the fanfare about diversity?

Subject: [ubuntu/bionic-proposed] hyperkitty 1.1.4-4 (Accepted)
From: Jeremy Bicha <jeremy@bicha.net>
Date: Sat Mar 17 17:49:53 UTC 2018

hyperkitty (1.1.4-4) unstable; urgency=medium

  [ Jonas Meurer ]
  * d/control:
    - Don't recommend mailman3, recommend mailman3-web instead.

  [ Pierre-Elliott BÃ©cue ]
  * d/rules:
    - Remove the embedded fonts that are in other packages. Same for
      bootstrap.js{,.min}
    - Add upstream's changelog to the package
    - Move django's static files in /usr/share/python-django-hyperkitty
  * d/control:
    - Add dependency on the font/js packages required by the rules change
  * wrap-and-sort
  * Add d/s/lintian-overrides to give intel on the current python3 missing
    package status.

Date: 2018-03-17 04:30:11.786430+00:00
Signed-By: Jeremy Bicha <jeremy@bicha.net>
https://launchpad.net/ubuntu/+source/hyperkitty/1.1.4-4

In April 2018, according to a report in Business Insider, there was a meeting between IBM's CEO Ginni Rometty and Jim Whitehurst, who was CEO of Red Hat. This lunch has been identified as the moment both companies were put on the trajectory for a merger.

In May 2018, immediately after that lunch, the FSFE misfits modified their constitution to remove the elections for Fellowship representatives. I was the last person elected as a Fellowship representative before the democracy was trashed. The FSFE misfits count Google and Red Hat as significant sponsors and they didn't want the Fellows to have a voice if that voice may not be identical to the voice of the corporate overlords.

In June 2018, the women from Albania were offered sponsorship for travel to DebConf18 in Taiwan. For the cost of transporting one woman from Albania to Taiwan, you could transport five women from countries that are much closer in south-east Asia.

When male interns are offered the same sponsorship funds to attend DebConf, they are asked to pay for the flights themselves and then wait until after the conference to get reimbursement. There are examples of email from male interns still waiting for their money three or four months after the conference. The women from Albania told the Debianists somebody has to buy the tickets for them, in advance. Martin Michlmayr, the treasurer, did just that:

Subject: Re: [rt.debian.org #7328] DebConf travel pre-payment requests
From: Martin Michlmayr
Time: Fri Jun 29 08:56:42 2018

* Hector Oron [2018-06-28 10:55]:
> I added Martin to the list, he'll be taking care of flight ticket
> purchase if you send him flight details.

This has been taken care of.

--
Martin Michlmayr
https://www.cyrius.com/

Here is an example from a male intern who was waiting for payment long after DebConf15 finished:

Subject: Re: [Soc-coordination] DebConf travel / GSoC student payments?
Date: Wed, 25 Nov 2015 00:25:18 +0530
From: Komal Sukhani <komaldsukhani@gmail.com>
To: Michael Schultheiss <schultmc@spi-inc.org>
CC: treasurer@spi-inc.org, soc-coordination@lists.alioth.debian.org

Hi Michael,

I still don't got the DebConf travel reimbursement. Have you made the payment?

Sorry for trouble.

On Mon, Nov 2, 2015 at 9:54 AM, Michael Schultheiss <mailto:schultmc@spi-inc.org> wrote:

    Apologies for the delays in payments. I should have the payments processed this week and payments shoud be received in approximately 1-2 weeks.

Pictures appeared during the conference showing us Lior Kaplan from Israel with his arm around a young woman. This is the same woman who had her ticket purchased in advance.

In July 2018 Enrico Zini gave a talk titled "Multiple People" at DebConf18 in Taiwan. There have been a series of these talks over the years where these men seek out introverted young male developers who lack confidence. Remember the case of the young French transgender recruited straight out of high school. This slide appears to be telling us that paedophiles and registered sex offenders are welcome:

Spectrum (Enrico Zini)

Every color is ok.

Think about who you are,
not about who you should be.

In July 2018, Debianists were having a discussion about whether the weboob package should remain in Debian or be removed. Here is one of the private emails about it. Notice they want to remove the package that makes vague references to female anatomy but they welcomed the guy who is on parole for sex crime against his little sisters.

Subject: Re: weboob package
Date: Thu, 12 Jul 2018 16:24:28 +0200
From: Ansgar Burchardt <ansgar@debian.org>
To: debian-private@lists.debian.org

On Thu, 2018-07-12 at 14:48 +0100, Ian Jackson wrote:
> Colin Watson writes ("Re: weboob package"):
> > (I haven't decided what I think should be done about it; certainly
> > if I
> > were the maintainer I'd want to disassociate myself from it as
> > quickly
> > as possible ... but the quoted text is a terrible argument.)
> 
> Quite.
> 
> What on earth could one do as the maintainer of such a thing ?  Write
> some kind of machinery (a git-filter-branch construction maybe) to
> automatically rename all this arseholery ?

Oh, come on.  It's not like they liken setting up an interrupt handler
with rape like, for example, Xen does.  I would certainly think less of
those who associate themselves with this kind of thing.

There is no incest sex involved either (unlike for example [1]). No
glorification of genocide, ethnical cleansings or such either (same
file as [1]).  (Hmm, I wonder what happens when one submits a patch for
that...)

Sadly we are associated with it, by virtue of packaging it, and thus
promoting it. And I'm ashamed and embarrassed to be associated with
such hateful content.

> I also note that the upstream webpage lists the logos of a number of
> companies, which I hope have some kind of corporate
> not-looking-like-a-total-wazzock policy.  I CBA to complain to them,
> but maybe someone would like to start a fire on Twitter.

Yes, please go and start a nice shitstorm. A great idea, brilliant.

Ansgar

  [1] https://sources.debian.org/src/bible-kjv/4.30/bible.rawtext/#L495

One of those in favor of the weboob package was Axel Beckert from the elite Swiss university ETH Zurich:

Subject: Re: weboob package
Date: Fri, 13 Jul 2018 14:29:58 +0200
From: Axel Beckert <abe@debian.org> [ ETH Zurich ]
Organization: The Debian Project
To: debian-private@lists.debian.org

Hi,

Jonathan Dowland wrote:
> Yesterday I stumbled across the "weboob" package for the first time,
> which includes a slew of binaries with names similar to the following:
[...]

So what? I don't see any problem with that. (And I don't see why
there's a thread on debian-private about it.)

		Regards, Axel
-- 
 ,''`.  |  Axel Beckert <abe@debian.org>, https://people.debian.org/~abe/
: :' :  |  Debian Develoober, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE

Jeremy Bicha himself weighed in on the discussion after Ansgar brought up the incest:

Subject: Re: weboob package
Date: Thu, 12 Jul 2018 10:53:32 -0400
From: Jeremy Bicha <jbicha@debian.org>
To: ansgar@debian.org
CC: debian-private@lists.debian.org

On Thu, Jul 12, 2018 at 10:24 AM Ansgar Burchardt <ansgar@debian.org> wrote:
> There is no incest sex involved either (unlike for example [1]). No
> glorification of genocide, ethnical cleansings or such either (same
> file as [1]).  (Hmm, I wonder what happens when one submits a patch for
> that...)
>
> Sadly we are associated with it, by virtue of packaging it, and thus
> promoting it. And I'm ashamed and embarrassed to be associated with
> such hateful content.

Please stop.

At a minimum, if you are serious about removing Bible texts from
Debian, please start a separate thread instead of derailing this
topic. But I think you may have trouble finding consensus for that
viewpoint and I expect it will stir up lots of conflict.

Thanks,
Jeremy Bicha

This is the reality of the so-called diversity in Debianism: gay male employees in a range of companies and universities discussing female anatomy with a registered sex offender during their working hours.

Dr Richard Stallman (RMS) was accused of participating in some unpleasant discussions when he was at MIT. Yet the debian-private discussions, where university staff rub shoulders with Jeremy Bicha, while he is still on parole, appear to be far more scandalous. Why do the snobby people attack Dr Richard Stallman (RMS) but go out of their way to protect Jeremy Bicha, the registered sex offender?

In September 2018, I completely resigned from my role as Fellowship representative to the FSFE misfits. I discontinued all involvement with the group and I encouraged other people to resign too. Therefore, as I resigned and made the resignation public, there was no way I had any involvement in the subsequent scandals with women hired in 2019. Those women were only hired after I resigned. All the complaints made by women concern psychological abuse from Matthias Kirschner.

On 28 October 2018, Red Hat announced the merger with IBM. The developers who got shares very early thanks to the 1999 share offer, which excluded the teenage volunteers, made a lot of money. It looks like they didn't want reports from the Albanian female whistleblowers to become a public news story and undermine the $34 billion price tag for the transaction.

In November 2018, the Wayback Machine captured a snapshot of the team in Elio Qoshi's private company Ura Design. We can see the underage girl, who may be 17 by this point in the story, is now being paid to be a system administrator. System administrators normally have access to all the data in a company, including the emails of their own bosses and their colleagues. In small IT companies like this the director normally keeps the system administrator powers for himself. It is worth remembering the incident from the team St Kilda in Australian football. One of the players was dating the woman known as the St Kilda schoolgirl, Kimberley Ametoglou (Kim Duthie). Kim was not really from St Kilda, she was from Frankston, like Julian Assange. She expertly extracted all the nude photos of the players from her boyfriend's computer and published them in what came to be known as dikileaks. It seems highly unlikely Elio Qoshi was giving his underage girlfriend access to all his files and emails. In practice, this appears to be a case of privilege escalation. The men would put the pictures of the young women on a web site like this to help the women create an online profile. The women would apply to bigger organisations for travel grants and speaking opportunities at community conferences.

This is a photo from the OSCAL conference in Albania in 2016. There are so many more women than men in the photo. What is the real reason more women than men were coming to the OSCAL conferences? Young female students in Albania earn approximately ten euros per day working in shops and restaurants. Did somebody pay these girls to attend conferences and make it look like a real community? One of the women was told that an Outreachy internship would be too difficult for her but one of the men offered to help her submit the application if she gave him half the salary.

Early in 2019, the FSFE misfits hired two women, Susanne Eiswirt and Galia Mancheva. Within a year, Matthias Kirschner had sacked them both again. Galia Mancheva took him to court and wrote a damning testimony about the culture of psychological abuse in the FSFE "community":

Even after my lawyer warned him to terminate all attempts to communicate with me and send someone else to pick up my work laptop, he came in person to my house, and was very irritated that I was not alone.

What these incidents reveal is the oligarchs in these groups have come to view the volunteers and the female subordinates as possessions. The oligarchs feel they have some God-given authority to make decisions about the lives of those around them.

Here is a picture of Matthias Kirschner with the young girls in Albania:

In late 2018 or early 2019 one of the Albanian female whistleblowers was given a job at the GNOME Foundation. Kristi Progri has been a member of the committee in the non-profit Open Labs hackerspace in Albania. She had been one of the organisers of the OSCAL conferences. She seems to know the identity of every man who visited Albania for these conferences. She knows the age of every young woman who participated in the conferences. Ever since she started received a salary from GNOME Foundation, there has been no more evidence about Elio Qoshi and the underage relationships.

In 2019, Google decided to reduce the salaries for Google Summer of Code (GSoC) interns from $6,000 down to as little as $3,000 based on each intern's country and a formula for purchasing power parity. However, the parallel Outreachy internships, which only pay money to single young women and don't require the women to write any code, have continued increasing their salaries a little bit almost every year. For example, a slim and attractive single young woman in Russia, eastern Europe, India or Brazil is offered $3,000 to participate in Google Summer of Code but if the same woman wins an Outreachy

internship, she gets $6,000 and a lot of free trips.

In February 2019, journalist Frederic Martel released his book In the Closet of the Vatican. He alleges that eighty percent of priests in the Vatican are homosexual. In some open source software groups, including Debianism, we seem to be looking at a prevelance of homosexuality that is higher than what is normal for the community at large.

Most gay men are not paedophiles. It is wrong to suggest they would be. Nonetheless, when a group presents itself as gay-friendly or when a group provides an opportunity for gay men to gain more respect from society, as is the case with both the Catholic church and Debianism, paedophiles appear to be attracted to the same group. Therefore, we have to be even more vigilante.

In June 2019, the diversity crowd hijacked the Debian web site and replaced the logo colours with the colours for Pride month. The majority of developers did not consent to this:

To: debian-project@lists.debian.org
Subject: Debian supports pridemonth?
From: Gerardo Ballabio <gerardo.ballabio@gmail.com>
Date: Fri, 28 Jun 2019 11:48:18 +0200

Hello all,
I've just seen this on https://micronews.debian.org/ :

"In support of #pridemonth, Debian changes its website logo. The
Debian Project welcomes and encourages participation by everyone
https://www.debian.org/intro/diversity "

May I please ask who decided that and where was it discussed? (I can't
find anything about it at least on -project.)

I do not think that this is appropriate. Welcoming diversity is one
thing, supporting pridemonth is another thing. Pridemonth is a set of
events with a definite political connotation. I don't think that
Debian should take sides on any specific political issues (except of
course issues that have a relation to free software), especially if
that hasn't been discussed at large among project members and there
isn't a clear consensus.

Is it just me (and am I being blatantly wrong, if so please enlighten
me) or do others share my concern?

Thanks
Gerardo

(Not subscribed, please keep me Cc:d)

It feels creepy when these things happen. The people who do these things don't care about consent. They feel that what is good for them is good for everybody else too.

In the US Civil Rights movement, there were groups like the Black Panthers who were very similar to the Zizian diversity gang in open source software communities. These people do as they please and they don't care about the law or the impact on the lives of those they hurt.

In July 2019, the Debianism annual conference DebConf19 was in Brazil. At the conference dinner, the leader of Debianism, Chris Lamb, had four women from Albania and Kosovo seated next to him.

Why did they want so many women from Albania and Kosovo to visit DebConf two years in a row? Was it some kind of bribe or hush money arrangement to prevent further discussion about the former Fedora Ambassador, who had been photographed with Chris Lamb in 2017?

On 2 August 2019, Molly de Blanc was invited to give a keynote speech at FrOSCon in Germany. It is rumoured that Molly de Blanc was the girlfriend of former Debianism leader Chris Lamb, a.k.a., Mollamby.

In her talk, she displays a hand-drawn slide where we can see three selfish people like herself pushing one of the developers. This is how the selfish people get things without paying for them. They use gossip and violence, just like the fight at DebConf6.

Molly de Blanc: Well we can use our collective power to push others

On 10 August 2019, Jeffrey Epstein committed suicide in his prison cell.

In August 2019, the GNOME annual conference GUADEC was organised in the city of Thessaloniki in the north of Greece. It is very close to Albania and women from the nearby Balkan countries were brought to the conference on busses.

On 17 September 2019, Dr Sally Muytjens completed her PhD thesis on the topic An exploration of the existence of clergy child sexual abuse dark networks within the Victorian Catholic Church. It is extremely relevant to the phenomena we see today in Debianism. Various people have publicly praised a registered sex offender and helped him recycle his reputation at exactly the same time they are trashing the reputations of honest developers. The blackmail tactics they use, the games they play with the vocabulary of abuse and the way they operate in packs to reinforce their worldview all resonate with the scandals the church has been working so hard to move away from.

In the context of police corruption networks, this code of silence extended to â€œprohibiting disclosing perjury or other misconduct by fellow officers, or even testifying truthfully if the facts would implicate the conduct of a fellow officerâ€� (Chin and Zhang 2008, 238). Merrington (2017, 61) found that police corruption networks exploit the light networkâ€™s resources to facilitate DN operations. Research on a sports doping network showed that protecting the network included inflicting harm through bribery, bullying and threats and enforced a code of silence (USADA 2012 cited in Bell, TenHave and Lauchs 2016, 60). A code of silence or omerta was created by the Italian mafia and is applied to mafia members and anyone who witnesses mafia criminal activity to ensure silence regarding their illicit activities (UNODC 2008 cited in Bell, Ten-Have and Lauchs 2016). Omerta extended to a refusal to give evidence to the police (Fielding 2017,17). Similar methods were utilised by clergy perpetrator networks within the Victorian Catholic Church to maintain silence and, hence, resilience of the network of clergy CSA.

The 80,000 messages on debian-private and similar archives in the FSFE misfits, GNOME and Mozilla are analogous to the code of silence in other institutions.

In the Albanian scandal, the unpaid female volunteers were asked to sign a Non-Disclosure Agreement (NDA) even before they were abused. In other contexts, such agreements only appear after the abuse and during negotiation of the settlement.

In November 2019, Anisa Kuci, the Albanian woman who was seated closest to Chris Lamb at the DebConf19 conference dinner was awarded a $6,000 Outreachy internship. The woman had previously worked as a waitress and had no software development experience.

Remember the teenage boys doing unpaid work to bootstrap Debianism back in the 1990s. Joel "Espy" Klecker, Shaya Potter and Chris Rutter. They did a huge amount of technical work, they received no payments and some of them died. When these women from eastern Europe arrived people started popping champagne and opening the chequebook:

In January 2020, Joerg Jaspert from the Debian Account Managers cyberbullies was appointed as a parent representative at Dalbergschule in Fulda, Germany. Is it appropriate for any Debian Developer to have such a role in a school, even as a volunteer, while the organisation is refusing to discuss the concerns about their registered sex offender?

At the end of August 2020, we saw Matthew Garrett went wild spreading false accusations that Dr Jacob Appelbaum is a rapist, all the while, Debianists were protecting a real rapist.

Matthew Garrett spread dozens of message like this without any evidence:

Subject: Re: expulsions vs Reproducible Builds
Date: Tue, 1 Sep 2020 09:52:17 +0100
From: Matthew Garrett <mjg59@srcf.ucam.org>
Reply-To: discussion@lists.fsfellowship.eu
To: discussion@lists.fsfellowship.eu

On Tue, Sep 01, 2020 at 10:26:40AM +0200, Debian Community News Team wrote:

> a) The different approaches taken to complaints about Appelbaum and
> Lange, even though both complaints arrived at the same time.

One of these complaints involved multiple accusations of rape and sexual assault. The other involved an accusation of aggressive and disrespectful behaviour. Do you believe that these things are equivalent?

-- 
Matthew Garrett | mjg59@srcf.ucam.org

Subject: Re: expulsions vs Reproducible Builds
Date: Wed, 2 Sep 2020 00:40:21 +0100
From: Matthew Garrett <mjg59@srcf.ucam.org>
Reply-To: discussion@lists.fsfellowship.eu
To: discussion@lists.fsfellowship.eu

On Tue, Sep 01, 2020 at 05:59:46PM -0500, quiliro wrote:
> Matthew Garrett <mjg59@srcf.ucam.org> writes:
> > The Universal Declaration of Human Rights does not require that a 
> > volunteer organisation grant membership to a rapist, even if said rapist 
> > has not been found guilty in a court of law.
> Are you aserting that Jacob Appelbaum is guilty or are you talking about
> someone else? If you cannot prove something, it is a lie.

I am asserting that he's a rapist, an assertion that is backed up by an array of publicly available evidence.

-- 
Matthew Garrett | mjg59@srcf.ucam.org

These people think that by forming together like a pack of dogs and repeating the same rumour over and over again they can trick the whole world to believe it.

One of the reason dishonest people like Matthew Garrett make such outrageous lies is to cover up the fact the "diversity" team was bringing real paedophiles into the world of open source software. This is a classic trick that every junior magician knows: make the audience look in some other direction while you discretely move around the evidence.

At some point in 2021, Elio Qoshi joined Canonical Ltd, the company making Ubuntu, as an employee. It looks like he was employed there for a number of years but eventually they removed him in about 2025. They didn't make any comment about why he was terminated. It looks like it happened around the same time they eventually cut ties with Jeremy Bicha in 2025. Here is a screenshot of his LinkedIn profile when he was in Canonical Ltd:

On 11 March 2021, Jeremy Bicha parole period finished at about the same time the Albanian joined Canonical Ltd. An uncanny coincidence indeed.

Between July and October 2021, the web site of Justin Flory told us he was living in Albania (Wayback Machine snapshot). Shortly after that, Justin W Flory changed his name to Justin W Wheeler, changed his employer from UNICEF to Red Hat and removed the reference to Albania from his blog.

Why are the companies supporting the Albanians like this? Quite simply, Elio Qoshi knows the identity of every male developer who visited the conferences in Albania. He knows who they spoke to. Most men who look for a wife in these countries are looking for an adult. If one or two men were looking for something less than legal then they may well have asked Elio Qoshi, who had his own underage girlfriend, to help them find what they wanted. He is one of the few people who would know who those men are and what they did. The controlling corporations don't know what he knows and they probably don't want to know either. But what they do know is that as long as he is on somebody's payroll, the secrets will stay buried.

Late in 2021, the FSFE misfits announced a program called Youth Hacking for Freedom (YH4F) to recruit underage people between thirteen and seventeen years of age to work for free. Having resigned from the FSFE, I had grave concerns for the welfare of children and I published the blog Google, FSFE & Child Labor.

Shortly after that, IBM Red Hat began a legal case to seize the domain name WeMakeFedora.org. They used my blog Google, FSFE & Child Labor as their evidence that I was publishing "critical commentary". The legal panel ruled in my favor and moreover, ruled that IBM Red Hat was using the legal process to harass me. See the legal documents here. In hindsight, now that everybody knows the truth about Elio Qoshi and Jeremy Bicha, people can see that I had good reason to publish the grave concerns I have about the FSFE misfits recruiting children to do unpaid work.

In January 2022, Canonical, the company of Mark Shuttleworth, decided to employ Jeremy Bicha. It is not clear if he was previously being paid as a subcontractor while in prison or on parole. It appears that the move to permanent employment coincided with the end of his parole period in 2021. Did the company know he was on parole while interacting with their developers?

In February 2022, people noticed the speaker profile for Elio Qoshi had been removed from the web site of the FOSDEM conference. No explanation was given. When FOSDEM removed him, other volunteers were never officially warned about the issues with underage girls and harassment.

On 14 June 2022, Anisa Kuci, the waitress from Albania who sat next to Chris Lamb at the DebConf19 conference dinner is given voting rights in the GNOME Foundation. Many real developers do not have voting rights in these associations and foundations. The oligarchs appear to be stacking the associations with personal friends who will vote for the same oligarchs to keep their positions on the board every year.

The woman eventually appears to become an employee of the association as well. However, it is not clear if she was on the payroll at the time the oligarchs made her a voting member.

From 20 to 25 July 2022, GNOME's annual conference GUADEC is in Mexico during the same week that DebConf22 is in Kosovo. The two women from Albania could take the bus to Kosovo for fifteen euros each but somebody buys them tickets for flights from Albania to Mexico. The money paid for these flights could have been used to buy bus tickets for twenty more women from local universities in central American countries close to Mexico.

In his DebConf22 profile, with three talks, Jeremy Bicha tells us:

Jeremy is a member of the Debian GNOME and Canonical Desktop teams. He lives in Florida and this will be the first DebConf he has attended. [in the year after his probation finished]

Fact checking, over 20,000 women in Kosovo reported being victim of rape as a war crime back in the late 1990s.

Many of the young women I met at events in Kosovo appear to have been born at the time of the war.

On 11 September 2022, the anniversary of a notorious terror attack, Axel Beckert asked the Swiss police to take sides with Jeremy Bicha, Elio Qoshi and all help cover up the death of Adrian von Bidder on our wedding day because his wife wanted to be Mayor of Basel.

The abuse details can be found in a report that Amnesty International prepared about the case of Trevor Kitchen:

Trevor Kitchen, a 41-year-old British citizen resident in Switzerland, was arrested by police in Chiasso (canton of Ticino) on the morning of 25 December 1992 in connection with offences of defamation and insults against private individuals. In a letter addressed to the Head of the Federal Department of Justice and Police in Berne and to the Tribunal in Bellinzona (Ticino) on 3 June 1993 he alleged that two police officers arrested him in a bar in Chiasso and, after handcuffing him, accompanied him to their car in the street outside. They then bent him over the car and hit him around the head approximately seven times and carried out a body search during which his testicles were squeezed. He claimed he was then punched hard between the shoulder blades several times. He said he offered no resistance during the arrest.

He was then taken to a police station in Chiasso where he was questioned in Italian (a language he does not understand) and stated that during the questioning "The same policeman that arrested me came into the office to shout at me and hit me once again around the head. Another policeman forced me to remove all of my clothes. I was afraid that they would use physical force again; they continued to shout at me. The one policeman was pulling at my clothes and took my trouser belt off and removed my shoe laces. Now I stood in the middle of an office completely naked (for 10 minutes) with the door wide open and three policemen staring at me, one of the policemen put on a pair of rubber surgical gloves and instructed me to crouch into a position so that he could insert his fingers into my anus, I refused and they all became angry and started shouting and demonstrating to me the position which they wanted me to take, laughing, all were laughing, these police were having a good time. They pointed at my penis, making jokes, hurling abuse and insults at me, whilst I stood completely still and naked. Finally, when they finished laughing, one of the policemen threw my clothes onto the floor in front of me. I got dressed."

He was transferred to prison some hours later and in his letter claimed that during the night he started to experience severe pains in his chest, back and arms. He asked a prison guard if he could see a doctor but the request was refused and he claimed the guard kicked him. He was released on 30 December 1993. Medical reports indicated that since his release he had been experiencing recurrent pain in the area of his chest and right shoulder and had been receiving physiotherapy for an injury to the upper thoracic spine and his right shoulder girdle.

Volunteers discovered over $120,000 was taken out of Debian bank accounts and used for legal fees to try and have me molested or killed. Why did they spend so much money on this vendetta? They are terrified about people who express concern about abuse. They paid $120,000 in legal fees because they feel more comfortable with Jeremy Bicha, the man who raped his little sisters, than with the independent volunteer elected by the Fellowship in 2017.

On 13 October 2022, the GNOME board minutes tell us they decided to add Jeremy Bicha to the Release Team.

In November 2022, Jeremy Bicha writes an advocacy for Matthias Geiger to become a Debian Maintainer:

Subject: Matthias Geiger: Advocate
Date: Thu, 10 Nov 2022 13:26:16 -0000
From: Jeremy Bicha (via nm.debian.org) <nm@debian.org>
Reply-To: debian-newmaint@lists.debian.org, Matthias Geiger
  <matthias.geiger1024@tutanota.de>, archive-1128@nm.debian.org,
  Jeremy Bicha <jbicha@debian.org>
To: debian-newmaint@lists.debian.org
CC: Matthias Geiger <matthias.geiger1024@tutanota.de>,
  archive-1128@nm.debian.org, Jeremy Bicha <jbicha@debian.org>

For nm.debian.org, at 2022-11-10:
I support Matthias Geiger <matthias.geiger1024@tutanota.de>'s request to
become a Debian Maintainer.

I have sponsored numerous uploads for Matthias including 6 new source
packages. He has prepared many new packages with a particular focus on
GNOME apps and Rust libraries to build GNOME apps. Creating new packages
is one of the more complex packaging tasks for Debian. His work has been
consistently high quality. We have also worked together to improve the
initial packaging.
Beyond packaging skills, Matthias has been pleasant to communicate with.

I have personally worked with Matthias Geiger
<matthias.geiger1024@tutanota.de>
(key C2E1A6CBFDECE511A8A4176D18BD106B3B6C5475) for 7 months, and I know
Matthias Geiger
can be trusted to have upload rights for their own packages, right now.

Jeremy Bicha (via nm.debian.org)

In January 2023, the late Cardinal George Pell, former treasurer of the Vatican, appeared in news reports from Rome talking about the death of Pope Benedict. The news reports prompted me to look at the unredacted Case Study 35 about the Archdiocese of Melbourne. I was shocked to see the similarities to the Debianism culture and social engineering attacks. I printed a lot of the evidence about Enrico Zini blackmailing and defaming people over so many years. On 10 January 2023, I drove across the Great St Bernard Pass to Aosta in Italy. I walked in to the Carabinieri station and explained the similarities between the exploitation of victims in Debianism and in the Catholic abuse crisis. In the same hour that I was in the Carabinieri station, as a witness to these crimes, unbeknownst to me, Cardinal George Pell was having surgery in Rome. He died four or five hours later.

Authorities in Australia pretended the crisis died with Cardinal George Pell. He had avoided certain questions and surely there is nobody else left alive who knows the answers to those questions.

On 1 March 2023, minutes of a GNOME Foundation Executive Committee meeting capture the names of Anisa Kuci and Sonny Piers together for the first time. At this point, she is not on the list of people receiving payments from GNOME Foundation. There are serious ethical concerns when members of the CoC-committee are physically intimate with the very people they are making up rumours about. Likewise, there are serious ethical concerns when staff members are able to intercept and suppress CoC-committee complaints about their workmates and their own boss. We already discussed the way these CoC schemes are similar to the catch-and-kill strategy the National Enquirer used to purchase and suppress stories about Donald Trump. These financial and sexual conflicts of interest are even more disturbing when the conflicts of interest are totally hidden from the victims of defamation created by these gangsters.

It appears there are now two women from Albania who were being paid to work on the organisation of GUADEC and assist other events like DebConf. Up to this point, the organisations had always insisted that if volunteers wanted an event they have to organise it themselves. Nobody had any public discussion about changing the strategy and having a mix of volunteers and paid event staff. It is vital to ask the question: did the oligarchs create these jobs because the community chose to change the strategy or did these jobs get created because somebody wanted these two specific girls from Albania to have jobs?

GNOME hired the first girl at the end of 2018. Some time later, the other girl went to Outreachy, then she went to Wikimedia Italia, an organisation that relies on a lot of volunteers who don't get paid. A list of her past relationships was circulated and the people doing unpaid work became upset. Shortly after that, it looks like GNOME took her on their payroll. The fact that GNOME has ended up with two girls from the same Albanian background adds weight to the argument that the jobs were created for these specific girls rather than to fill some general need.

Remember, in 2018 and 2019, these are the same girls who asked the Debianists to buy their travel tickets in advance while all the other young interns had to buy tickets with their own money and wait for reimbursement.

Before Boris Johnson became prime minister of the UK, he served as the mayor of London. Various people have come forward with evidence that he tried to have specific women assigned to jobs rather than the normal process of advertising the job and choosing the best candidate. The pattern was repeated when he was prime minister and his girlfriend, now wife, was proposed for a job in the Foreign Office.

On 19 April 2023, Anisa Kuci, the waitress from Albania who sat closest to Chris Lamb at the DebConf19 conference dinner goes for the CoC-committee in the GNOME Foundation forum, which runs on Discourse software.

Why did Kristi Progri get a big title, Director of Project Management but when Anisa Kuci joined GNOME they call her an Administrative Assistant? Both girls grew up together in the same building. The both joined the Open Labs group together. Either one job title is being overstated or the other job title is understated. It looks like the job for the second girl was only created as part of the catch-and-kill strategy to keep women on side so they won't repeat the things they told me in 2017 and 2018 about the Fedora Ambassador Elio Qoshi.

What is the Code of Conduct gaslighting all about anyway? This is the stuff of cults. People are supposed to smile and pretend everything is alright even when something bad happens. Remember the story of Adrian von Bidder's death on our wedding day? We are expected to keep smiling. If a rape victim sees Jeremy Bicha in the bunk beds at DebConf, is she allowed to talk about her concerns? Of course not. The Code of Conduct gaslighting doesn't care how she feels.

On 21 April 2023, Elio Qoshi publishes a blog about his job at Canonical Ltd, makers of Ubuntu. The blog is about How we designed the new Ubuntu Desktop installer.

On 10 May 2023, Jeremy Bicha writes another advocacy for Matthias Geiger to be promoted from Debian Maintainer to Debian Developer:

Subject: Matthias Geiger: Advocate
Date: Wed, 10 May 2023 15:06:23 -0000
From: Jeremy Bicha (via nm.debian.org) <nm@debian.org>
Reply-To: debian-newmaint@lists.debian.org,
  Matthias Geiger <matthias.geiger1024@tutanota.de>,
  archive-1181@nm.debian.org,
  Jeremy Bicha <jbicha@debian.org>
To: debian-newmaint@lists.debian.org
CC: Matthias Geiger <matthias.geiger1024@tutanota.de>,
  archive-1181@nm.debian.org,
  Jeremy Bicha <jbicha@debian.org>

For nm.debian.org, at 2023-05-10:
I support Matthias Geiger <matthias.geiger1024@tutanota.de>'s request to
become a Debian Developer, uploading.
I have worked with Matthias Geiger on GNOME packages since March 2022.
Matthias has created new Debian packages
for several GNOME related apps and libraries and maintained them well
ever since.

Matthias has been very instrumental in doing the major prerequisite work
to get newer GNOME apps written in Rust
into Debian Trixie. This is very complicated but important work.

I have personally worked with Matthias Geiger
<matthias.geiger1024@tutanota.de>
(key C2E1A6CBFDECE511A8A4176D18BD106B3B6C5475) for 14 months, and I know
Matthias Geiger
can be trusted to be a full member of Debian, and have unsupervised,
unrestricted upload rights, right now.

Jeremy Bicha (via nm.debian.org)

Matthias Geiger is a very common name. Jeremy Bicha has vouched for him but neither of them have told us if they have any conflicts of interest, for example, if they both work for the same employer, Canonical Ltd or if they ever shared a prison cell together.

On 26 July 2023, Jeremy Bicha gave a talk at GUADEC in Latvia on the topic How GNOME Gets into Ubuntu. Here are some of the slides, with his sister's testimony superimposed over them:

On 11 September 2023, Jeremy Bicha writes an advocacy for Amin Bandali. This time he reveals that they are both working at the same company, Canonical Ltd, the maker of Ubuntu. Some people have serious ethical concerns about Ubuntu developers and co-workers writing references for each other like this because they are under pressure to serve the needs of their company rather than being objective about Debian.

Subject: Amin Bandali: Advocate
Date: Mon, 11 Sep 2023 14:15:25 -0000
From: Jeremy Bicha (via nm.debian.org) <nm@debian.org>
Reply-To: debian-newmaint@lists.debian.org,
  Amin Bandali <bandali@gnu.org>,
  archive-1211@nm.debian.org,
  Jeremy Bicha <jbicha@debian.org>
To: debian-newmaint@lists.debian.org
CC: Amin Bandali <bandali@gnu.org>,
  archive-1211@nm.debian.org,
  Jeremy Bicha <jbicha@debian.org>

For nm.debian.org, at 2023-09-11:
I support Amin Bandali <bandali@gnu.org>'s request to become a Debian
Developer, uploading.

I have personally worked with Amin Bandali <bandali@gnu.org>
(key BE6273738E616D6D1B3A08E8A21A020248816103) on the Debian GNOME team
since the end of 2022. He has packaged updates for a variety of GNOME
packages. Earlier this year, he officially joined the Debian GNOME team
and has been entrusted with DM upload rights to several packages. He has
used those upload rights well.

Amin Bandali also has interest and skill with troubleshooting build
issues on non-amd64 architectures which is why he is not just a DM, but
a "DM with guest account".

Amin Bandali is a coworker with me at Canonical since late 2022. His
primary job duties are not .deb packaging for Debian and he was already
maintaining packages in Debian before joining Canonical.

I firmly believe that the Debian Project will benefit from granting
Debian Developer, uploading status to Amin Bandali. I know Amin Bandali
can be trusted to be a full member of Debian, and have unsupervised,
unrestricted upload rights, right now.

Jeremy Bicha (via nm.debian.org)

Oddly enough, those messages were exchanged at the same time as DebConf23 in India. On 9 September 2023, I sent the coroner for Cambridgeshire a written warning about the risk for health and safety in Debianism, with a reference to the culture and the blackmail behaviour:

Subject: Re: Inquest Christopher Rutter - Information Request
Date: Sat, 9 Sep 2023 18:59:26 +0200
From: Daniel Pocock <daniel@pocock.pro>
To: Coroners <Coroners@cambridgeshire.gov.uk>

Hi [redacted],

I've updated the document with some extra email evidence and two more
deaths, both of those being under management from a doctoral candidate
at Cambridge.

Based on my own experience of both Debian culture, the Pell situation
and the evidence in these emails, I feel that there is an ongoing risk
to the health of people who engage with this culture.

Please kindly confirm if the coroner can escalate this to the relevant
people or whether you need somebody to present the document in person.

Regards,

Daniel

Abraham Raji died three days later. It is the first case of somebody dying at DebConf. It was anticipated, therefore, it was avoidable.

During 2023, there was a high profile underage rape and incest prosecution in South Australia. A bakery on the Eyre Peninsula had recruited fifteen-year-old girls to do some baking, smile at the customers and help the owner have more children. The man in charge and his wife were both convicted. Three children were born in one seven month period. The baker's father had shared one of the girls. There are thirteen children and they need to make DNA tests to verify which man is responsible for each of them. Newspapers described it as a cult-like living arrangement but it is not uncommon for workers to live with their boss when in a remote location like this. When you look at the remoteness of the location and the nature of such jobs where the young girls are living at their workplace, it has some similarity to the situation where Jeremy Bicha and his little sisters were living a life that was isolated from other children.

In May 2024, a news report from Australia tells us that Timothy / Tim Lunn, an IT specialist was called as a witness in the high profile Gregory Lynn murder trial in the Supreme Court of Victoria. Yet if Mr Lunn himself had been associating with a registered sex offender on parole in Florida, is it fair for him to be trusted in a judicial process as serious as a murder trial?

Also in May 2024, minutes of the GNOME Foundation board have been redacted to hide discussions about Sonny Piers and the "staffing", which really means the hush money being paid to the Albanian female whistleblowers. Sonny Piers was secretly expelled at this point but it is redacted in the minutes.

On 21 June 2024, immediately after GNOME Foundation expelled and censored Sonny Piers, the web site for the Open Labs non-profit with all the girls in Tirana, Albania is completely taken offline. The group uses their Facebook account to post a message telling us that they decided to close the organisation without giving us the real reason.

On 18 July 2024, immediately after they shut down the Open Labs web site and discussion forum in Albania, an anonymous account is created in the GNOME Foundation forum on Discourse. The account is used to post a hideous defamation about Sonny Piers, who they had expelled with a secret trial in May. Dozens of discussions and news reports appear about Sonny Piers being banned from GNOME. The girls are insisting that everybody should know they decided to humiliate Sonny but nobody is allowed to ask why the girls are obsessed with humiliating him. Whenever messages like this appear, they always hint at some sort of bad sexual etiquette. As we saw with every other case, such as Ted Walther in 2006 and Dr Jacob Appelbaum in 2016, these rumours are not only false but they have been deliberately fabricated by some chronically dishonest people intent on harming male volunteers and our families.

The defamation message about Sonny Piers explicitly mentions "Code of Conduct" but what they really mean is "Code of Silence". They are doing all this to stop Sonny Piers talking about payments to one of the Albanian girls or something similar to that.

Sonny Piers writes a response on his own blog three days later:

I am no longer a member of the board of directors of the GNOME Foundation since May 2024. The process and decision shocked me. I know people are looking for answers, but I want to protect people involved and the project/foundation. It was never an interpersonal conflict for me.

Remember, Sonny Piers has been doing voluntary work for twenty years and he contributed substantial intellectual property. The Albanian girls who were secretly added to the GNOME payroll only work when they receive money and they only go to events when somebody, usually the male oligarchs, buy the tickets for them.

The community had elected Sonny Piers to the board. As a member of the board it is absolutely certain he saw privileged information about the payments to Albanian female whistleblowers. However, he may not have been told the real reason for those payments. He may have asked questions about why the same girls are selected for every diversity grant. All this happened in GNOME Foundation immediately after the controlling corporations shut down the Open Labs group in Albania. Follow the money / girls.

Back in the communist era, Albania was run by a totalitarian dictator, Enver Hoxha. Among other things, he had banned all western pop music. When Kylie Minogue from Australia became the Princess of Pop, she immediately went to the top of the list of singers banned in Albania until communism ended in 1991.

The GNOME Foundation hired two girls from Albania. Now we see the policies of Enver Hoxha and totalitarianism being reincarnated in a non-profit voluntary organisation. History is repeating itself.

Jeremy Bicha had engaged in real abuse of his little sisters when they were six and nine years old. As a voting member of the GNOME Foundation and a member of the Release Team he has a higher status than Sonny Piers. Why can people go to the web site of the Manatee County Court and read all the details about real abuse of the little sisters but we are not allowed to know anything about the questions Sonny Piers was asking at board meetings?

Here is an example of the things Jeremy Bicha was convicted for:

Reading comments like that reminded me of the way misfits on debian-private (leaked) discussed the words used by the parents of Frans Pop after he committed suicide:

Subject: Re: Death of Frans Pop
Date: Sat, 21 Aug 2010 13:39:21 +0100
From: Colin Watson <cjwatson@debian.org>
To: debian-private@lists.debian.org

On Sat, Aug 21, 2010 at 01:52:33PM +0200, Ludovic Brenta wrote:
> Steve McIntyre <steve@einval.com> writes:
> > "Yesterday morning our son Frans Pop has died. He took his own life,
> > in a well-considered, courageous, and considerate manner. During the
> > last years his main concern was his work for Debian. I would like to
> > ask you to inform those members of the Debian community who knew him
> > well."
>
> Does that imply he took his own life *because* of Debian, which was "his
> main concern"?

This is probably the wrong thread for linguistics, but that phrase would
normally just indicate that Debian was his main interest.  In
http://oxforddictionaries.com/view/entry/m_en_gb0169810 under "noun",
this would be sense 2 rather than sense 1.

--
Colin Watson                                       [cjwatson@debian.org]

What is so much more sensitive about the Sonny Piers drama that GNOME will not tell us? Did he do something that is even worse than raping a little girl? Or did he stumble onto an inconvenient truth about Albanian girls that must be hidden from the community at all costs?

My suspicion is that this is more than somebody's sex life at stake. It is not unusual for people to hook up with their colleagues in student unions and open source software conferences. Some of the women have told me they were under pressure to lie. Paying women to create or repeat a lie, knowing it is a lie, undermines trust in the whole organisation that paid for those lies.

Software producers are particularly keen to maintain the trust of the community. The moment people stop trusting the GNOME developers everybody will abandon the project. How could we trust these developers if they used the foundation's funds to make payments to a woman who spread a lie or defamation?

After you pay a woman to lie, you can't sack that woman. You have to keep her on the payroll until she's ready to have children and become a stay-home mother.

I suspect that is why Anisa Kuci was immediately given a job at GNOME after the end of her relationship with Wikimedia Italia. Somebody didn't want to see her join some random employer where random developers will ask her to disclose details about the conspiracies at DebConf19.

It is important to reflect on these secrecy tactics. These tactics create the type of environment where real abusers can thrive.

On 2 August 2024, Andreas Tille, then leader of Debianism, wrote in his Bits from DPL:

Nominating Jeremy BÃcha for GNOME Advisory Board

I've nominated Jeremy BÃcha to GNOME Advisory Board. Jeremy has volunteered to represent Debian at GUADEC in Denver.

Sonny Piers, like other victims, was censored and humiliated indefinitely while the registered sex offender is put up on a pedestal to supposedly be the representative of the rest of us. I certainly didn't consent to him speaking for me.

Furthermore, how can a Canonical Ltd employee be representing the interests of both Debianism and the Ubuntu misfits at the GNOME Advisory Board? The conflict of interest is enormous. It isn't possible for him to do both at the same time.

On 17 November 2024, there was a MiniDebConf in Toulouse, France. In the video, we can see Pierre-Elliott BÃ©cue wearing a t-shirt with the expression Losing my mind, one kid at a time and a picture of a child sitting on a man's shoulders. Most people will see a normal parent-child relationship in the picture but about two percent of men see something else.

On 6 January 2025, Justin W. Flory / Wheeler registers the domain name jwheel.org. On 11 February 2025, the Wayback Machine captures the last snapshot of his web site at jwf.io using the name Justin W. Flory. On 17 February 2025, in the next snapshot captured by the Wayback Machine, we can see him using a new name, Justin W. Wheeler. It begs the question: why did he leave the USA and move to eastern Europe? Why did he have to change his name after spending time in Albania? Why was he moved from a job at UNICEF to the IBM Red Hat payroll around the same time the Albanian female whistleblowers were put on the GNOME Foundation payroll?

In March 2025, shortly before DebConf25, we saw Jeremy Bicha began contributing to the Debian-Edu project. That is the derivative of Debian created to meet the needs of the education industry. Why does he have schools on his mind? Jeremy Bicha's status as a registered sex offender is intended to prevent him being employed inside a school. By collaborating on Debian-Edu, he gains credibility that allows him to interact with schools as a volunteer. This looks like privilege escalation. He was engaged in this while he was an employee of Canonical Ltd and Ubuntu.

Look at his collaborators on debian-edu. Some of the people we discussed previously are also there: Holger Levsen, one of the protagonists of the DebConf6 violence. The founder of Teckids, who joined Debianism at the same time as Jeremy Bicha, is Dominik George.

At DebConf25 in Brest, France, the GNOME talk from Jeremy Bicha was scheduled for 14 July, the French national holiday. In France, the day normally starts with parades by the military and the emergency services, including the police. Therefore, people were asked to choose between applauding the police as they marched through Brest or watching a registered sex offender giving a talk in the university campus.

To make matters worse, president of Debian France is Pierre-Elliott BÃ©cue, a former employee of ANSSI, the cybersecurity arm of the French military.

On 14 July each year in Brest, the military parade in Cours Dajot begins at 11:00

The talk by Jeremy Bicha is listed in the DebConf25 schedule at 18:00 on the same day.

Did the conference organisers know about this risk in advance? As we can see above, incest had been mentioned on debian-private as early as 2018.

In the first week of July 2025, Jeremy Bicha made some Nazi comment on the XLibre project wiki. On 4 July 2025, it was discussed in this Github issue.

People started investigating all the participants in the argument. On 7 July 2025, this forum post mentions the sex crime. On 8 July 2025, Bryan Lunduke used his account on Twitter/X to tell us he had found the conviction. It is not clear if he was the first to find it. On 11 July 2025, a lengthy post appears on Telegram.

On 14 July 2025, Fandom Pulse discusses the way people tolerate the registered sex offender but not Dr Richard Stallman. Bryan Lunduke blogged Registered Sex Offender Speaking at Debian Conference This Week. He followed up the next day with Registered Sex Offender No Longer Working at Canonical. On 16 July 2025, somebody posted the Fandom Pulse link in Hacker News and somebody else censored the link because the Hacker News people are in the same snobby set who prefer the registered sex offender over Dr Richard Stallman. Remember, this was a scandal that started with a comment about who is a Nazi. On 17 July 2025, Techrights gave their view on the scandal.

On 9 August 2025, it was mentioned again in Hacker News in this thread and somebody from the snobby set removed the link again but the comments remain.

Talks at the conference were video recorded and published online but the registered sex offender video is missing from the collection.

Putting this type of diversity on display at a prominent event feels like the thin end of the wedge. Brest is a city known for its strong naval history. Jeremy Bicha had been discharged from the US Navy after they found out. Like the rogue Russian spy-ships who periodically sail the English channel, Debianists have decided to test the waters of diversity by putting this man on display. They wanted to see how the public reacts. They want us to know this is the new normal. The victims were only six and nine years old. On the scale of sexual offences, these were some of the worst. By putting this out in the open, they make it easier to bring in offenders who have less serious crimes.

Back in the 1970s, people like this tried to create organizations like the Paedophile Information Exchange (PIE) where their cause was published in broad daylight. Within a few years these organisations had been outlawed. The lesson they have learnt from those prosecutions is the need to affiliate themselves with more general causes like diversity and then expand the definition of diversity to include, by stealth, all kinds of people who are irreconcilably incompatible with the rest of us.

We already looked at the prosecution of Matthias Kirschner for the psychological abuse of Galia Mancheva. Sooner or later another oligarch will face one of these prosecutions. If it is somebody the cabal wants to protect, they can remind us how Jeremy Bicha came to DebConf25 and it didn't kill anybody. They will remind us the diversity statement says anybody is welcome as long as you display total submission to their CoC.

The revelations about Jeremy Bicha's abuse of his little sisters sparked an uproar. People wanted to know why Bicha was sent to prison for three years but Sonny Piers had been given a lifetime punishment in the GNOME Discourse forum. Ten days after the scheduled talk at DebConf25, there was a new post in the GNOME Discourse forum about Sonny Piers.

This time, instead of using an anonymous account, Robert McQueen has written the post under his own name. He tells us the punishment has been reduced:

The Board is providing this information to clarify the decisions made in this case, and to eliminate any uncertainty within the GNOME community about the matter.

In fact, the very long post does not include any example of the questions Sonny Piers asked about the Albanian women. Therefore, we all remain totally in the dark.

the Board also voted that Sonny will not be eligible for appointment in any position of authority within the Foundation, or to act as an agent on behalf of the organization, or to have paid work with the GNOME Foundation. This means that he will be unable to be a committee member, director, officer, staff member or contractor, or officially represent the GNOME Foundation to other entities. The Board resolution put these restrictions in place on an indefinite basis.

The board and Robert McQueen are telling us that Sonny Piers is permitted to return to GNOME but he will always have a lower status than the registered sex offender. Think about how that feels.

Turn that statement on its head: why does Robert McQueen feel more comfortable with the Ubuntu man who popped the cherry of a six year old than he does with an independent developer who the community voted onto the board?

On 4 April 2026, Oscar Langley asked about it in the election discussion for the next leader of Debianism. None of the candidates would reply to questions about child safety.

Subject: 	DebConf25 decisions affecting Child Safety and talk scheduling
Date: 	Sat, 4 Apr 2026 11:01:37 +0000
From: 	Oscar Langley <oscar.langley@hotmail.com>
To: 	debian-vote@lists.debian.org <debian-vote@lists.debian.org>

I understand this topic may be somewhat tangential to the election mailing list, but I reviewed the list of voters in this year's DPL election and discovered that Jeremy Bicha is a Debian developer who cast a ballot: https://vote.debian.org/~secretary/leader2026/voters.txt

If you search up his name on Google, the very first result is his profile on Florida's Sexual Offender and Predator System, as he molested multiple preteen girls throughout the 1990's and confessed to all this in court.
https://offender.fdle.state.fl.us/offender/sops/flyer.jsf?personId=85068
https://wng.org/articles/the-high-cost-of-negligence-1617309216

Being a child molester is most likely a violation of the Debian Code of Conduct, and if it is not, it is reprehensible enough to call into question his continued status as a member of the project.

Additionally, there are two more important questions about Bicha's relationship with the Debian Project that have yet to be answered. Bicha was due to speak at DebConf25 last year, an event that children were permitted to attend. The livestream also experienced technical issues when his talk was about to start, leaving it unclear whether he actually spoke.

The two questions are:

1. What factors led to the decision to allow children in the presence of Bicha?

2. Was Bicha' talk was canceled, or did it indeed take place but was simply never streamed?

And a third question is begged:

3. Why hasn't the Debian Project cut ties with Bicha?

but one person made a reply praising the extreme definition of diversity:

Subject: 	Wasn't sure where to send but thank you...
Date: 	Wed, 8 Apr 2026 12:08:58 -0400
From: 	Star Light Catcher <catcherstarlight@gmail.com>
To: 	debian-project@lists.debian.org

I would just like to say, I would sometimes browse the reddits for Linux and in the general Linux reddit I saw someone saying the project was "in trouble" and worried I went to the Debian reddit to look into it... And what I'm very sad to say I found was people being very cruel and closed minded about the fact that the project seems to be valuing inclusion and bringing in new voices and talents to the FOSS community and the Debian project... So, I no longer really read reddit for Linux news but I very much wanted to say how much I've adored using Debian these past 8 months since switching to Linux. It's been rock solid, my best experience on Linux ever (and despite only switching 8 months ago I had tried Linux many times since 2010! Tons of different distros!) Debian has been genuinely an oasis from so much of what is wrong about modern tech, all while being built on what is obviously such a solid foundation I can't see myself switching back to Distros which genuinely often seemed to nuke themselves with little cause from me, and I've done plenty of things to ride my installs of Debian hard and it's never faltered at all.

And about the people behind the Debian project... In a time of increasing authoritarianism and such a huge increase to push minorities even further to the fringes... Debian embracing diversity during all of this... It warms this trans woman's heart who has felt such a sense of dread at the way the world is going. So thank y'all genuinely. Linux users are known to distrohop but... I can't imagine ever needing anything but the Universal Operating System ever again ğŸ«‚ and what brings me such joy is that it feels that it's not just universal, as in, for all devices, but universal, as in /for everyone/. ğŸ’œ

Thank you for all you do, I plan to up my donation when I can,
Star Elizabeth Wilkerson ğŸ¦„â�ï¸�

17 to 20 April 2026, it was discussed and then suppressed in the Arch wiki.

Ben Carroll is the Deputy Premier and Education Minister for the State of Victoria. On Mother's Day in 2024, he posted a picture of himself with his local priest, who I'll simply refer to as Father X:

In 1994, the Archdiocese of Melbourne had to exfiltrate another priest, Fr Barry Robinson, from Boston. Father X was tasked with the mission. In particular, the scope of his mission was far bigger than the exfiltration. Father X was also asked to look at the crisis in Boston and report back to his superiors in Australia. This was eight years before the Spotlight news reports raised public awareness of the scandal. The priest who gives communion to Victoria's Education minister had himself learnt about the extent of the global crisis and expressed concern about warehousing paedophiles:

These letters resonate with our observations of Jeremy Bicha in the world of Debianism. The same people attacked every volunteer who ever asked serious ethical questions, they attacked my family when my father died but they welcome a registered sex offender with open arms.

After returning from Boston, Fr Barry Robinson had lived in the same house as Father X while the US authorities continued their investigation. Fr Barry Robinson had admitted abuse but they decided not to prosecute him at all. The church decided to ignore his admission and put him back into practice:

In 2024, another lawsuit cast attention on the use of scholarships for the two children of a victim. People gain status in society through attending these elite high schools. There is a risk that this perpetuates the culture of silence. It is analogous to the manner in which some open source software organisations are giving people internships, big titles and speaking opportunities so they will stay silent about abuse in Albania

Here is the redacted deed that mentions scholarships:

On the GNOME web site, we can see that one of the Albanian female whistleblowers has asked to hide her name. Is this because of Sonny Piers, because of Jeremy Bicha or because of Elio Qoshi?

In February 2025, The Monthly published and then almost immediately took down an article by Louise Milligan titled The True Legacy of the Rapist George Pell. The late Cardinal Pell had been successful in his appeal and the conviction had been overturned by the High Court. Therefore, calling him a rapist is a very strong defamation. Nonetheless, copies of the article are easily found online.

The Debian Diversity statement tells us the definition of diversity is very large. A lot like to National Council of Civil Liberties in the 1970s, the Diversity Statement say anyone is welcome (up to the day when you ask an ethical question). At DebConf25, they demonstrated the definition of anyone includes registered sex offenders. He is not the only one and he won't be the last one.

Please watch my crowdfunding video to learn more about the lawsuit in US federal court.

Patience could've saved me time.

2026-04-28T06:33:00+00:00

If I had been patient, it would have saved me time. One such instance is following.

From my early blogs, you might know I am using mutt to do email. Just after I get along with mutt, I started using notmuch. Because limit search in mutt is always a pain when you have multiple folders. And what better tool out there than notmuch-mutt to bind both these.

notmuch-mutt provide three macros by default.

macro index <F8> \
"<enter-command>set my_old_pipe_decode=\$pipe_decode my_old_wait_key=\$wait_key nopipe_decode nowait_key<enter>\
<shell-escape>notmuch-mutt -r --prompt search<enter>\
<change-folder-readonly>`echo ${XDG_CACHE_HOME:-$HOME/.cache}/notmuch/mutt/results`<enter>\
<enter-command>set pipe_decode=\$my_old_pipe_decode wait_key=\$my_old_wait_key<enter>" \
      "notmuch: search mail"
macro index <F9> \
"<enter-command>set my_old_pipe_decode=\$pipe_decode my_old_wait_key=\$wait_key nopipe_decode nowait_key<enter>\
<pipe-message>notmuch-mutt -r thread<enter>\
<change-folder-readonly>`echo ${XDG_CACHE_HOME:-$HOME/.cache}/notmuch/mutt/results`<enter>\
<enter-command>set pipe_decode=\$my_old_pipe_decode wait_key=\$my_old_wait_key<enter>" \
      "notmuch: reconstruct thread"
macro index <F6> \
"<enter-command>set my_old_pipe_decode=\$pipe_decode my_old_wait_key=\$wait_key nopipe_decode nowait_key<enter>\
<pipe-message>notmuch-mutt tag -- -inbox<enter>\
<enter-command>set pipe_decode=\$my_old_pipe_decode wait_key=\$my_old_wait_key<enter>" \
      "notmuch: remove message from inbox"

One for search, one for reconstructing threads and one for manipulating tags, which I missed.

Now my impatient part. I have already mapped f6 for my folder movements and in my initial days of notmuch, I only use just search. So I never cared about the f6 macro provided by notmuch-mutt. As time goes by I got very comfortable with notmuch. I was stretching my notmuch legs. I started to live more on notmuch search results date:today tag:unread than more on the mutt index. To the problem, since notmuch-mutt dump all results to a temp maildir location, can’t perform flag changes back to the original maildir which was annoying, because we need to distinguish what mail you read and what not when you subscribed to most of all debian mailing list.

I was under the impression that, the notmuch-mutt is not capable of doing so and I just went like that without checking docs. I started doing all crazy hack to sync these maildirs.

I even started reading notmuch-mutt codebase.

Later, I settled on notmuch-vim. Cause I can manipulate flags sync back from notmuch to maildir.

And while searching for something, I accidentally revisited the the the notmuch-mutt macro page and saw the tag manipulation. I was like :( .

If I read about the third macro patiently when added that to config, I could’ve saved time by not doing ugly hacks around it.

I think I learned my lesson.

Heads we win, tails you lose — AI detectors in education

2026-04-27T18:10:48+00:00

This post is an unpublished review for Heads we win, tails you lose — AI detectors in education

Educators throughout the world are tasked with the difficult requirement of evaluating students’ works, making sure the grades meaningfully reflect the students’ understanding of the subject, and that a graded assignment maps to the relevant work invested in solving it. After the irruption of Large-Language Models in late 2023, this task became obviously much harder: if a widely available computer program is able to solve an assignment in a way that resembles a human-generated response, how can educators meaningfully grade their groups?

As it has been the case with different innovations over time (such as with the appearance of electronic calculators or the mass availability of digital encyclopedias), the first reactions were of prohibition and denial: students who use the new tool in question are to be disqualified or somehow punished. It is only some time after the innovation in question settles that teachers find a way to properly weigh, integrate and accept its use.

The authors of this position article present several arguments as to why it is impossible, unethical and unadvisable to use automated AI detection systems to process student assignments. The first argument is whether it is at all possible to reliably differentiate human-written essays from LLM-generated artifacts. The first criticism is that AI detectors are, themselves, LLMs trained on human-generated texts (negative) and LLM-generated texts (positive). However, the only way to assert the training material is not noisy is to use pre-2020 text as human-generated — but natural ways of writing are influenced by what people read, and the authors quote studies pointing out that human language, particularly in the scholarly fields, has incorporated terms and constructions that were used as LLM markers. Quoting the authors, «As exposure to AI-generated material becomes increasingly widespread, it is reasonable to expect that the linguistic patterns of human writing will shift, reflecting the influence of AI-assisted texts encountered across education, media, and everyday communication». Stylistic elements and other such markers are being adopted back into regular speech at a high rate.

Then, the aspect of ethics comes into play as well. While it is expected that teachers should demand intellectual integrity from students, and plagiarism detectors have been widely accepted into the workflow of academics, the accusation of presenting LLM output as own work is necessarily an uphill battle: the accused party is tasked with providing proof of innocence based on nebulous, probabilistic accusations. The authors argue, once an accusation of turning in a LLM-generated text is made on a student, the onus on proving innocence lies with the accused.

The authors review and argue against a series of techniques that have been presented in literature to aid teachers in detecting LLM abuse, such as linguistic markers, single or multiple AI detectors, the use of false references, hidden adversarial prompts, arguing in all cases the techniques fail to be trustable enough and highlighting the probability of both false positives and negatives. They also present AI detection as a false dichotomy: many works presented are not 100% human generated nor 100% LLM-generated, but some pertinent LLM-generated paragraphs are presented mixed with human-generated content, in a positive, critical AI use (“Students’ work is frequently created with, not by, generative AI”).

The article closes by reiterating the authors’ position: “AI detection in education is not merely flawed; it is conceptually unsound”. they call upon institutions to accept the use of generative LLMs cannot be “solved through surveillance and punishment”, but has to be tackled by an “assessment design that recognizes AI’s role in learning”.

This article’s position is very strong and well argued, and although it will surely meet with ample opposition, it surely poses an important, very current problematic. As a teacher, I found it a very enlightening read.

KVM Support inside LXC Containers [updated]

2026-04-27T09:44:28+00:00

Yesterday, I had to add support for running KVM virtual machines inside an LXC container. More as a reminder to myself, in case I ever have to do this again, here the simple recipe:

LXC Container Config Adjustment

Enable lxc.autodev and execute hook script to be executed after initial /dev creation (updated 20260428: lxc.cgroup2.* instead of lxc.cgroup.*):

[...]

# Auto-create /dev nodes and add native KVM support to the LXC container
lxc.autodev = 1
lxc.hook.autodev = /var/lib/lxc/.hooks/lxc-hook.kvm-support
lxc.cgroup2.devices.allow = c 10:232 rwm
lxc.cgroup2.devices.allow = c 10:238 rwm
lxc.cgroup2.devices.allow = c 10:241 rwm

[...]

[added 20260408] On the internet, you can find a recipe that simply bind-mounts /dev/kvm from the host in to the LXC container. However, this fails if group ID of POSIX group kvm differs between host and container.

LXC Hook Script for KVM Support Enablement

The following script I placed at /var/lib/lxc/.hooks/lxc-hook.kvm-support (on the LXC host!):

#!/bin/sh

# set up native KVM support in LXC container
mknod -m 0660 ${LXC_ROOTFS_MOUNT}/dev/kvm c 10 232
chown :kvm ${LXC_ROOTFS_MOUNT}/dev/kvm
mknod -m 0660 ${LXC_ROOTFS_MOUNT}/dev/vhost-net c 10 238
chown :kvm ${LXC_ROOTFS_MOUNT}/dev/vhost-net
mknod -m 0660 ${LXC_ROOTFS_MOUNT}/dev/vhost-vsock c 10 241
chown :kvm ${LXC_ROOTFS_MOUNT}/dev/vhost-vsock

Review: What We Are Seeking

2026-04-27T02:04:00+00:00

Review: What We Are Seeking, by Cameron Reed

Publisher:	Tor
Copyright:	2026
ISBN:	1-250-36474-4
Format:	Kindle
Pages:	339

What We Are Seeking is a bit hard to classify beyond science fiction. I think I would call it anthropological science fiction, but it's also a first contact story and a planetary colony story. It is a standalone novel (well, so far as I know; see later in the review for caveats). This is Cameron Reed's second novel after the excellent and memorable cyberpunk novel The Fortunate Fall, first published in 1996 under Reed's former name of Raphael Carter.

John Maraintha is a doctor from the world of Essius. He took what he thought was a temporary job on the Free Ship Edgar's Folly, where he's endured considerable culture shock. As the novel opens, John learns that the colonists on Scythia have requested a translator to talk to one of the native life forms, and a doctor since they're down to only one. John will be that doctor. The captain has decided, and by the rules of the free ships, John does not get a choice in the matter.

The Scythian colony is about four hundred people, now located in a desert climate since the complex native life forms destroyed their previous settlement. The colonists are a split between Ischnurans and Zandaheans, two other human civilizations from the scatter of colony worlds left after Earth embraced AIs (aiyis here) and turned inward. Both of those groups marry, something John considers a moral abomination. Neither of them seem likely to understand Essian sexual ethics. More devastatingly, John had intended to spend some time as a ship doctor and then return home to a new place in Essian society. Once he lands on Scythia, the chances of that are gone; it is highly unlikely any ship would pick him up again and take him home.

I have been trying to find the right books to compare What We Are Seeking with ever since I read it. The best I've come up with are Ursula K. Le Guin (particularly The Dispossessed), Eleanor Arnason's A Woman of the Iron People, and Becky Chambers's To Be Taught, If Fortunate. The start of the book felt like an intentional revisiting of an earlier era of science fiction, with somewhat updated science and politics, but the last half of the book, where the action picks up considerably, is a meditation on gender, social systems, religion, and small-group politics. All of that is mixed with biological exploration and a first-contact story with some quite-alien aliens.

This is the sort of novel where the protagonist's culture is as foreign to the reader as any of the other cultures he counters, so the reader is assembling several jigsaw puzzles at once. John is dropped into an established colony with its own social norms and established hierarchies. The one other outsider, the translator Sudharma Jain, is, as his name implies, a Jain who keeps very strict religious observances. Half of the colony is from something akin to a fundamentalist Christian religious sect that practices patriarchy and strict marriage codes. The other half is more gently sexist (but still sexist) and has its own tradition of a third gender that becomes central to the story. John, meanwhile, is a strong believer in the Essian approach to social organization: Any two partners of any gender freely have sex by mutual consent and without obligation, and family is based solely on blood relations. These beliefs do not fit comfortably together, even when people are trying (as they mostly do) to be welcoming.

The first half of this book is very slow. This gives all of the characters space to breathe and become comfortable, and the characterization is superb, but it is a book to start when you're in the mood for something slow and observational. There is a plot that gradually becomes apparent, or rather there are several plots that are intertwined, but tension and urgency are mostly reserved for the second half of the book. Instead, the book opens with a lot of close observation of alien flora and fauna and the untangling of subtle social dynamics among the Scythians.

There is also a visitor from earth, much to the distress of the Scythians. Earth presence means the ships will not return and the colony may be cut off from any sort of technological resupply. Despite speaking a common language, that visitor is as mutually alien to the other groups as they are to the native flora. Her life is fully integrated with aiyis, giving her essentially godlike powers and the ability to turn off inconvenient emotions and disregard anything she doesn't want to see. What she and the Earth aiyis are doing on the planet is one of the early mysteries.

The dialogue in this book is truly excellent. Each characters has their own voice, there are fascinating digressions on different words that lead to tidbits of world-building, and some of the culture-specific idioms are delightful.

"I'm making a mess of this. None of that matters. Let me fall out the window and come in the door again. This is how my story ought to start:"

The challenges for the characters in this story are slow but deep ones: belonging and self-definition, the conflict between cultural tradition and personal circumstance, and the sacrifices required to live with small groups in situations where civil war is viscerally attractive. It has one of the most comprehensive and fascinating treatments of transgender issues that I've read in science fiction. Its commentary on current politics is subtle and estranged in the way that science fiction does best, but still pointed and satisfying. And, well, there are passages like this that I absolutely adore:

"I wouldn't go that far. It could be they are right, the universe we see exists because a mind like ours created it — at least, a mind enough like ours that we can say it wants one thing and not another, and when it acts it does so with intent. That's as good an idea as any. But it is certainly not plausible that such a being believes that people everywhere should marry, or that men should never visit men, or no one should become a jess. Look at what they have created. The universe could have been nothing at all, or one atom of hydrogen floating in a void, or a diamond crystal infinite in all directions, if their mind cared for simplicity or tidiness. Instead we have stars and planets and black holes and nebulas. It could have all been cold and dead, but there is life. They could have made one species for each world, or just a few, which could have stayed the same forever, but instead we have millions and millions, all of which are changing every moment, varying among themselves and boiling off in all directions. Such a god is like an artist who fills up a library of sketchbooks with their drawings of strange creatures, and when every scrap of paper in the place is used up, goes back with a different color ink and scribbles over them again. They are obsessed with variation — they gorge themselves with it and never grow full. Do you really think a mind like that could want us all to live in the same way?"

I had one problem with this book, though, and for me it was a big one: There is no ending. Reed effectively builds tension, gets me caring about all of the characters, sets up several problems, starts down a path towards resolution, and then the book just... ends.

Long-time readers of my reviews will know that I'm a denouement fanatic. I want the scouring of the shire, I want the chapter set in the happily ever after, I want the catharsis of an ending. This made me so grumpy!

To be clear, this is not sequel bait (at least so far as I can tell). I can write a philosophical defense of the ending. The types of problems and lives that Reed set up don't have clear endings; this is, to some extent, the point. We muddle through, and then those who come after us muddle through some more, and the cumulative effect is called human civilization. And there is some denouement; Reed doesn't leave the reader at a cliffhanger or anything that egregious.

But still, I wanted the happy ending, even though that was unrealistic for the style of story this is, because I'm a happy ending reader. This is not an ending sort of book; it's the sort of book where I get a sinking feeling at the 95% mark because there aren't enough pages left for the number of remaining unresolved problems. I've gotten less annoyed in the days since I finished the book, and I can appreciate the thematic point made by how the book ends, but I still feel like it's worth an advance warning if you're a reader like I am.

I would be delighted by a sequel, but it didn't feel like that was the intent.

Apart from that, this was both excellent and rather unlike a lot of current science fiction. I think the closest comparison I can make among recent novels I've read is Sue Burke's Semiosis. What We Are Seeking has a similar sort of world-building, but I liked these characters so much more. It felt like a classic literary science fiction novel, but very much written in 2026. Highly recommended, just beware of the lack of closure.

Content notes: Sexism, homophobia, stomach illness, and some religious abuse.

Rating: 8 out of 10

RProtoBuf 0.4.27 on CRAN: Upstream Adjustment

2026-04-26T18:07:00+00:00

A new maintenance release 0.4.27 of RProtoBuf arrived on CRAN today. RProtoBuf provides R with bindings for the Google Protocol Buffers (“ProtoBuf”) data encoding and serialization library used and released by Google, and deployed very widely in numerous projects as a language and operating-system agnostic protocol. The new release is also already as a binary via r2u.

This release adjusts to a change upstream. Luca Billi noticed that upstream removed some fields from FieldDescriptor, filed and issue and followed up with a spotless PR. No other changes.

The following section from the NEWS.Rd file has all details and links.

Changes in RProtoBuf version 0.4.27 (2026-04-26)

Adjust to FieldDescriptor API changes in ProtoBuf 3.4 (Luca Billi in #114 fixing #113)

Thanks to my CRANberries, there is a diff to the previous release. The RProtoBuf page has copies of the (older) package vignette, the ‘quick’ overview vignette, and the pre-print of our JSS paper. Questions, comments etc should go to the GitHub issue tracker off the GitHub repo.

Predicted: Cole Thomas Allen, gay or transgender boyfriend rumours

2026-04-26T12:00:00+00:00

What appears to be an attempt to assassinate the US President Donald Trump has dominated the news today. There are numerous people on social control media suggesting the suspect, Cole Thomas Allen, may be gay or transgender, like the Zizian problems. Some people make comments about a handwritten note left for his transgender partner.

In fact, these comments appear to be identical to the description of Tyler Robinson, the man who assassinated Charlie Kirk. They are not necessarily fake news. We simply don't have enough information to say if the rumours are fake or if they are true.

Nonetheless, this phenomena was anticipated in the US federal lawsuit 1:25-CV-03883-UA submitted in the Southern District of New York on 6 May 2025. Here is a copy of paragraph 496:

496. The plaintiff and other victims feel great apprehension, based on what happened to Dr Appelbaum's home, based on the drawings of civil disorder, based on the way the Zizian group behaved, that if these vigilantee tendencies are not constrained then they will again manifest themselves in physical acts of vandalism or violence.

Please watch my video about the law suit.

Review: The Genocidal Healer

2026-04-25T04:44:00+00:00

Review: The Genocidal Healer, by James White

Series:	Sector General #8
Publisher:	Orb
Copyright:	1991
Printing:	May 2003
ISBN:	0-7653-0663-8
Format:	Trade paperback
Pages:	255

The Genocidal Healer is the eighth book in James White's medical science fiction series about the Sector General hospital. As with the rest of the series, detailed memory of the previous books is not required and the books could be read out of order if you didn't mind spoilers.

I read this as part of the Orb General Practice omnibus.

Surgeon-Captain Lioren is a Tarlan doctor who was in charge of the medical response to a newly-discovered civilization. The aliens were suffering from an apparently universal plague and an ongoing vicious war waged entirely through hand-to-hand combat, putting them on the edge of extinction. Lioren rushed the distribution of a possible cure against the advice of the doctors working on developing it, with catastrophic results. As The Genocidal Healer opens, Lioren is insisting on a court-martial in the hope of receiving the sentence it believes it deserves and was denied: death.

(It pronouns are the convention in the Sector General series for all alien races and formal discussions, because even someone prone to bouts of gender essentialism such as White understood the need for avoiding gender assumptions in a science fiction medical context.)

Predictably, both Sector General and the Monitor Corps that technically runs the hospital are flatly unwilling to execute Lioren. Instead, he is assigned as a new apprentice in the psychology department under the legendary O'Mara, where he is ordered to investigate the psychological fitness of a senior doctor named Seldal. This leads him to talk to Seldal's patients, which in turn leads to a challenging set of ethical dilemmas.

The first five chapters (and more than sixty pages) are the story of Lioren's trial and a recounting of the events on Cromsag. The series is full of medical and cultural puzzles like this, and usually I like them, but I thought this one was less successful. We know the vague (and horrible) outline of the ending in advance, and the massive simplification and artificial universality that is required to make this puzzle work is particularly blatant. A universally infectious disease is more of a fiction plot than a believable biological concept, and the number of failures of communication, analysis, and misunderstanding that have to line up to create White's predetermined outcome were a bit much for me.

Once the story gets past that and into Lioren's psychological work, the novel improves. Lioren is guilt-ridden and irrational, but also rather arrogant about his guilt and his concepts of professional responsibility in a way that I think mostly worked. Most of the novel consists of Lioren slowly discovering that people like him and enjoy talking to him, much to his bafflement. In that, it has the gentle kindness and sense of universal basic decency that is characteristic of this series. There are, of course, medical puzzles to solve, although this time they are primarily psychological in nature. Various characters from previous books make an appearance, but White re-explains their background in sufficient detail that you don't need to remember (or have read) those previous books.

There are a lot of similarities between this book and the previous one, Code Blueâ€”Emergency. Both feature nonhuman viewpoint protagonists and amusing descriptions of human facial expressions from an alien perspective. Both feature protagonists with overly rigid ethical structures that partly clash with the generally human policies of Sector General. The Genocidal Healer is a bit more subtle and nuanced, although a lot of Lioren's psychological evaluation rests on an ethical difference that I found somewhat unbelievable. This book, though, tackles a subject the previous book did not: religion. The treatment isn't horrible, but I have some complaints.

My primary issue is that Lioren, who starts as an atheist, does extensive research into religion to help a patient and then starts making statements summarizing the religions beliefs of the majority of known species that are just... Christianity. As someone raised Christian, I recognized it immediately as the sort of abstracted Christianity that Christians claim is universal while completely ignoring the opinions of the adherents of any other religion.

Key components of this majority galactic religious pattern, according to Lioren, include an omnipotent and omnibenevolent creator god, a religious figure who preaches forgiveness and mercy and is persecuted, and emphasis on redemption. This simply is not some abstract universal religion. This is just Christianity in disguise. Even in religions that have some of those elements in their traditions, they do not get the same emphasis and are not handled the way that Lioren describes them. I therefore found Lioren's extended discussions of religion rather annoying, since he kept claiming as relatively universal principles beliefs that are not even held by the majority of religious adherents on Earth, let alone a wildly varying collection of alien races with entirely different biology and societal constructions. It caused a lot of problems for my suspension of disbelief, on top of the annoyance at this repetition of, frankly, Christian propaganda.

Lioren goes, from that research, into theodicy (the problem of evil). The interesting part of this is White's earnest portrayal of a doctor's approach to societal problems: a desire to find workarounds and patches and fixes for anything that makes people unhappy, whether medical or social. It makes sense, given the horrible biologic hands that some of the aliens in this series have been dealt, that they would question the idea of a benevolent god, so this philosophical digression is justified in that sense. But you might guess that a mid-list science fiction author is not going to say something new about one of the oldest problems in Christianity, and indeed he does not. Lioren arrives at the standard handwaving about the unknowability of divine intent, which I found tedious to read but at least not fatal to the plot.

White, thankfully, doesn't take the religious material too far. The characters recognize how sensitive of an issue religion is in a hospital, Lioren never adopts religion fully, and the resolution of the plot is as much biological as philosophical. White is going somewhere with the introduction of religion, and although some of the path there annoyed me, I think the destination worked. White was from Northern Ireland, and therefore well aware of the drawbacks of religion, and he abhorred violence (hence Sector General as a setting), so the reader is in better hands with him than with most authors who might attempt this plot.

I think I know a bit too much about religion to be the best audience for this entry in the series, and I'm not sure the introductory five chapters quite worked. But as with all of the other books in the series, this kept me turning the pages and I'm glad I read it. The Genocidal Healer probably isn't worth seeking out unless you're reading the whole series, but if you're enjoying the rest of the series, you'll probably like this too.

Followed by The Galactic Gourmet.

Rating: 6 out of 10

dtts 0.1.4 on CRAN: Maintenance

2026-04-23T18:58:00+00:00

Leonardo and I are happy to announce another maintenance release 0.1.4 of our dtts package which has been on CRAN for four years now. dtts builds upon our nanotime package as well as the beloved data.table to bring high-performance and high-resolution indexing at the nanosecond level to data frames. dtts aims to offers the time-series indexing versatility of xts (and zoo) to the immense power of data.table while supporting highest nanosecond resolution.

This release, not unlike yesterdayâ€™s release of nanotime, is driven by recent changes in the bit64 package which underlies it. Michael, who now maintains it, had sent in two PRs to prepare for these changes. I updated continuous integration, and switched to Authors@R, and that pretty much is the release. The short list of changes follows.

Changes in version 0.1.4 (2026-04-23)

Continuous integration has received some routine updates

Adapt align() column names with changes in 'data.table' (Michael Chirico in #20)

Narrow imports to functions used for packages 'bit64', 'data.table' and 'nanotime' (Michael Chirico in #21)

Courtesy of my CRANberries, there is also a [diffstat repor]tbsdiffstat for this release. Questions, comments, issue tickets can be brought to the GitHub repo.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. If you like this or other open-source work I do, you can now sponsor me at GitHub. You can also sponsor my Tour de Shore 2026 ride in support of the Maywood Fine Arts Center.

nanotime 0.3.14 on CRAN: Upstream Maintenance

2026-04-22T20:34:00+00:00

Another minor update 0.3.14 for our nanotime package is now on CRAN, and has compiled for r2u (and will have to wait to be uploaded to Debian until dependency bit64 has been updated there). nanotime relies on the RcppCCTZ package (as well as the RcppDate package for additional C++ operations) and offers efficient high(er) resolution time parsing and formatting up to nanosecond resolution, using the bit64 package for the actual integer64 arithmetic. Initially implemented using the S3 system, it has benefitted greatly from a rigorous refactoring by Leonardo who not only rejigged nanotime internals in S4 but also added new S4 types for periods, intervals and durations.

This release has been driven almost entirely by Michael, who took over as bit64 maintainer and has been making changes there that have an effect on us ‘downstream’. He reached out with a number of PRs which (following occassional refinement and smoothing) have all been integrated. There are no user-facing changes, or behavioural changes or enhancements, in this release.

The NEWS snippet below has the fuller details.

Changes in version 0.3.14 (2026-04-22)

Tests were refactored to use NA_integer64_ (Michael Chirico in #149 and Dirk in #156)

nanoduration was updated for changes in nanotime 4.8.0 (Michael Chirico in #152 fixing #151)

Use of as.integer64(keep.names=TRUE) has been refactored (Michael Chirico in #154 fixing #153)

In tests, nanotime is attached after bit64; this still needs a better fix (Michael Chirico in #155)

The package now has a hard dependency on the just released bit64 version 4.8.0 (or later)

Thanks to my CRANberries, there is a diffstat report for this release. More details and examples are at the nanotime page; code, issue tickets etc at the GitHub repository – and all documentation is provided at the nanotime documentation site.

CSS & vertical rhythm for text, images, and tables

2026-04-22T19:48:10+00:00

Vertical rhythm aligns lines to a consistent spacing cadence down the page. It creates a predictable flow for the eye to follow. Thanks to the rlh CSS unit, vertical rhythm is now easier to implement for text.¹ But illustrations and tables can disrupt the layout. The amateur typographer in me wants to follow Bringhurstâ€™s wisdom:

Headings, subheads, block quotations, footnotes, illustrations, captions and other intrusions into the text create syncopations and variations against the base rhythm of regularly leaded lines. These variations can and should add life to the page, but the main text should also return after each variation precisely on beat and in phase.

â€• Robert Bringhurst, The Elements of Typographic Style

Text

Three factors govern vertical rhythm: font size, line height and margin or padding. Letâ€™s set our baseline with an 18-pixel font and a 1.5 line height:

html {
  font-size: 112.5%;
  line-height: 1.5;
}
h1, h2, h3, h4 {
  font-size: 100%;
}
html, body,
h1, h2, h3, h4,
p, blockquote,
dl, dt, dd, ol, ul, li {
  margin: 0;
  padding: 0;
}

CSS Values and Units Module Levelâ€¯4 defines the rlh unit, equal to the computed line height of the root element. All browsers support it since 2023.² Use it to insert vertical spaces or to fix the line height when altering font size:³

h1, h2, h3, h4 {
  margin-top: 2rlh;
  margin-bottom: 1rlh;
}
h1 {
  font-size: 2.4rem;
  line-height: 2rlh;
}
h2 {
  font-size: 1.5rem;
  line-height: 1rlh;
}
h3 {
  font-size: 1.2rem;
  line-height: 1rlh;
}
p, blockquote, pre {
  margin-top: 1rlh;
}
aside {
  font-size: 0.875rem;
  line-height: 1rlh;
}

We can check the result by overlaying a grid⁴ on the content:

Using CSS rlh unit to set vertical space works well for text. You can display the grid using Ctrl+Shift+G.

If a child element uses a font with taller intrinsic metrics, it may stretch the lineâ€™s box beyond the configured line height.⁵ A workaround is to reduce the line height to 1. The glyphs overflow but donâ€™t push the line taller.

code, kbd {
  line-height: 1;
}

Responsive images

Responsive images are difficult to align on the grid because we donâ€™t know their height. CSS Rhythmic Sizing Module Levelâ€¯1 introduces the block-step property to adjust the height of an element to a multiple of a step unit. But most browsers donâ€™t support it yet.

With JavaScript, we can add padding around the image so it does not disturb the vertical rhythm:

const targets = document.querySelectorAll(".lf-media-outer");
const adjust = (el, height) => {
  const rlh = parseFloat(getComputedStyle(document.documentElement).lineHeight);
  const padding = Math.ceil(height / rlh) * rlh - height;
  el.style.padding = `${padding / 2}px 0`;
};

targets.forEach((el) => adjust(el, el.clientHeight));

The image is snapped to the grid thanks to the additional padding computed with JavaScript. 216 is divisible by 27, our line height in this example.

As the image is responsive, its height can change. We need to wrap a resize observer around the adjust() function:

const ro = new ResizeObserver((entries) => {
  for (const entry of entries) {
    const height = entry.contentBoxSize[0].blockSize;
    adjust(entry.target, height);
  }
});
for (const target of targets) {
  ro.observe(target);
}

Tables

Table cells could set 1rlh as their height but they would feel constricted. Using 2rlh wastes too much space. Instead, we use incremental leading: we align one in every five lines.

table {
  border-spacing: 2px 0;
  border-collapse: separate;
  th {
    padding: 0.4rlh 1em;
  }
  td {
    padding: 0.2rlh 0.5em;
  }
}

To align the elements after the table, we need to add some padding. We can either reuse the JavaScript code from images or use a few lines of CSS that count the regular rows and compute the missing vertical padding:

table:has(tbody tr:nth-child(5n):last-child)   { padding-bottom: 0.2rlh; }
table:has(tbody tr:nth-child(5n+1):last-child) { padding-bottom: 0.8rlh; }
table:has(tbody tr:nth-child(5n+2):last-child) { padding-bottom: 0.4rlh; }
table:has(tbody tr:nth-child(5n+3):last-child) { padding-bottom: 0 }
table:has(tbody tr:nth-child(5n+4):last-child) { padding-bottom: 0.6rlh; }

A header cell has twice the padding of a regular cell. With two regular rows, the total padding is 2Ã—2Ã—0.2+2Ã—0.4=1.6. We need to add 0.4rlh to reach 2rlh of extra vertical padding across the table.

One line out of five is aligned to the grid. Additional padding is added after the table to not break the vertical rhythm. 405 is divisible by 27, our line height in this example.

None of this is necessary. But once you start looking, you canâ€™t unsee it. Until browsers implement CSS Rhythmic Sizing, a bit of CSS wizardry and a touch of JavaScript is enough to pull it off. The main text now returns after each intrusion â€œprecisely on beat and in phase.â€� ğŸ�¼

See â€œVertical rhythm using CSS lh and rlh unitsâ€� by PaweÅ‚ Grzybek.Â â�¦
For broader compatibility, you can replace 2rlh with calc(var(--line-height) * 2rem) and set the --line-height custom property in the :root pseudo-class. I wrote a simple PostCSS plugin for this purpose.Â â�¦
It would have been nicer to compute the line height with calc(round(up, calc(2.4rem / 1rlh), 0) * 1rlh). Unfortunately, typed arithmetic is not supported by Firefox yet. Moreover, browsers support round() only since 2024. Instead, I coded a PostCSS plugin for this as well.Â â�¦

The following CSS code defines a grid tracking the line height:

body {
  position: relative;
}
body::after {
  content: "";
  position: absolute;
  inset: 0;
  z-index: 9999;
  background: linear-gradient(180deg, #c8e1ff99 1px, transparent 1px);
  background-size: 20px 1rlh;
  pointer-events: none;
}

â�¦

See â€œDeep dive CSS: font metrics, line-height and vertical-alignâ€� by Vincent De Oliveira.Â â�¦

RcppArmadillo 15.2.6-1 on CRAN: Several Updates

2026-04-21T23:20:00+00:00

Armadillo is a powerful and expressive C++ template library for linear algebra and scientific computing. It aims towards a good balance between speed and ease of use, has a syntax deliberately close to Matlab, and is useful for algorithm development directly in C++, or quick conversion of research code into production environments. RcppArmadillo integrates this library with the R environment and language–and is widely used by (currently) 1263 other packages on CRAN, downloaded 45.7 million times (per the partial logs from the cloud mirrors of CRAN), and the CSDA paper (preprint / vignette) by Conrad and myself has been cited 683 times according to Google Scholar.

This versions updates to the 15.2.5 and 15.2.6 upstream Armadillo releases from, respectively, two and five days ago. The package has already been updated for Debian, and built for r2u. When we ran the reverse-dependency check for 15.2.5 at the end of last week, one package failed. I got in touch with the authors, filed an issue, poked some more, isolated the one line that caused an example to fail … and right then 15.2.6 came out fixing just that. It was after all an upstream issue. We used to ran these checks before Conrad made a release, he now skips this and hence needed a quick follow-up release. It can happen.

The other big change is that this R package release phases out the ‘dual support’ for both C++14 or newer (as in current Armadillo) along with a C++11 fallback for more slowly updating packages. I am happy to say that after over eight months of this managed transition (during which CRAN expulsed some laggard packages that were not moving in from C++11) we are now at all packages using C++14 or newer which is nice. And I will take this as an opportunity to stress that one can in fact manage a disruptive API change this way as we just demonstrated. Sadly, R Core does not seem to have gotten that message and rollout of this package was also still a little delayed because of the commotion created by the last minute API changes preceding the R 4.6.0 release later this week.

Smaller changes in the package are a switch in pdf vignette production to the Rcpp::asis() driver, and a higher-precision computation in rmultinom() (matching a change made in R-devel during last week in its use of Kahan summation). All detailed changes since the last CRAN release follow.

Changes in RcppArmadillo version 15.2.6-1 (2026-04-20)

Upgraded to Armadillo release 15.2.6 (Medium Roast Deluxe)

Ensure internally computed tolerances are not NaN

The rmultinom deploys 'Kahan summation' as R-devel does now.

Changes in RcppArmadillo version 15.2.5-1 [github-only] (2026-04-18)

Upgraded to Armadillo release 15.2.5 (Medium Roast Deluxe)

Fix for handling NaN elements in .is_zero()

Fix for handling NaN in tolerance and conformance checks

Faster handling of diagonal views and submatrices with one row>

Sunset the C++11 fallback of including Armadillo 14.6.3 (#504 closing #503)

The vignettes have refreshed bibliographies, and are now built using the Rcpp::asis vignette builder (#506)

One rmultinom test is skipped under R-devel which has switched to a higher precisions calc

Courtesy of my CRANberries, there is a diffstat report relative to previous release. More detailed information is on the RcppArmadillo page. Questions, comments etc should go to the rcpp-devel mailing list off the Rcpp R-Forge page.

Join us at Lomiri CodeFest on May 16-17 & Fre(i)e Software GmbH is hiring more Lomiri Developers

2026-04-21T17:35:40+00:00

Lomiri Codefest in Tilburg NL (May 16-17 2026)

Just a quick invitation to an in-person event in Tilburg, the Netherlands.

All people interested in the Lomiri Operating Environment are invited to join us at the Lomiri Codefest [codefest] taking place on May 16-17 (participation is free of charge).

We are hiring Lomiri developers

And as another side node, we still have budget (until 07/2027) for 2-3 additional Lomiri developers (depends on each devs weekly availability). The details of my previous post [hiringdetails] +/- still apply. One more limitation / strength: You need real coding skills to apply for the open positions, AI-generated contributions will not be accepted for the tasks at hand.

If you are interested and a skilled FLOSS developer (you need previous OSS contributions as references) and available with at least 10 hrs / week, please get in touch [fsgmbh].

References

[codefest] https://codefest.os-sci.info/?lang=en
[hiringdetails] https://sunweavers.net/blog/node/150
[fsgmbh] https://freiesoftware.gmbh/

Debian Project Leader election 2026 is over, Sruthi Chandran elected!

2026-04-20T17:00:00+00:00

The voting period and tally of votes for the Debian Project Leader election has just concluded, and the winner is Sruthi Chandran. Congratulations!

347 out of 1,039 Developers voted using the Condorcet method.

More information about the results of the voting is available on the Debian Project Leader Elections 2026 page.

Many thanks to Sruthi Chandran for her campaign, to our Developers for their votes, and to Andreas Tille for his service as DPL over the past two years!

The new term for the project leader will start on April 21, 2026 and expire on April 20, 2027.

Kookbook 0.3.0 released

2026-04-20T15:01:53+00:00

I recently released version 0.3.0 of my recipe manager application Kookbook – find it in git in KDE Invent or as released tarballs in https://download.kde.org/stable/kookbook/

Changes since last time is more or less “Minor bugfixes and a Qt6 port” – nothing as such noteworthy unless you aim to get rid of Qt5 on your system.

so what is kookbook?
It is a simple recipe viewer that works with semi-structured markdown. More details can be seen in the quite old 0.1.0 announcement

At some point I should do a 10 recipe example collection, but my personal collection is in danish, so I’m not sure it is going to be useful. Unless someone will donate me some handfuls of pre-formatted recipes, I will happily announce it.

Review: Surface Detail

2026-04-20T04:26:00+00:00

Review: Surface Detail, by Iain M. Banks

Publisher:	Orbit
Copyright:	October 2010
Printing:	May 2011
ISBN:	0-316-12341-2
Format:	Trade paperback
Pages:	627

Surface Detail is the ninth novel in Banks's Culture science fiction (literary space opera?) series. As with most of the Culture novels, it can be read in any order, although this isn't the best starting point. There is an Easter egg reference to Use of Weapons that would be easier to notice if you have read that book recently, but which is not that important to the story.

Lededje Y'breq is an Indented Intagliate from the Sichultian Enablement. Her body is patterned from her skin down to her bones, covered with elaborate markings similar to tattoos that extend to her internal organs. As an intagliate, she is someone's property. In her case, she is the property of Joller Veppers, the richest man in the Enablement and her father's former business partner. Intagliates are a tradition of great cultural pride in the Enablement. They are a living representation of the seriousness with which debts and honor are taken, up to and including one's not-yet-born children becoming the property of one's debtor. Such children are decorated as living works of art of the highest skill and technical sophistication; after all, the Enablement are not barbarians.

As the story opens, Lededje is attempting, not for the first time, to escape. This attempt is successful in an unexpected way.

Prin and Chay are Pavulean researchers and academics who, as this story opens, are in Hell. They are not dead; they have infiltrated the Hell that Pavuleans are shown to scare them into proper behavior in order to prove that it is not an illusion and their society does indeed torture people in an afterlife, in more awful ways than people dare imagine. They have reached the portal through which temporary visitors exit, hoping to escape with firm evidence of the existence and horrors of the Pavulean afterlife. They will not be entirely successful.

Yime Nsokyi is a Culture agent for Quietus, the part of Contact that concerns itself with the dead. Many advanced societies throughout the galaxy have invented and reinvented the ability to digitize a mind and then run it in a virtual environment. Once a society can capture the minds of every person in that society from that point forward, it faces the question of whether to do so and, if it does, what to do with those minds. More specifically, it faces the moral question of whether to punish the minds of people who were horrible in life. It faces the question of whether to create Hell.

Vatueil is a soldier in a contestation, a limited and carefully monitored virtual war. The purpose of that war game is to, once and for all, resolve the question of whether civilizations should be allowed to create Hells. Some civilizations consider them integral to their religion or self-conception. Others consider them morally abhorrent, and that conflict was in danger of spilling over into war in the Real. Hence the War in Heaven: Both sides committed to fight in a virtual space under specific and structured rules, and the winner decides the fate of the galaxy's Hells. Vatueil is fighting for the anti-Hell side. The anti-Hell side is losing.

There are very few authors who were better at big-idea science fiction than Iain M. Banks. I've been reading a few books about AI ships and remembered that I had two unread Culture novels that I was saving. It felt like a good time to lose myself in something sprawling.

Surface Detail does sprawl. Even by Banks's standards, there was an impressive amount of infodumping in this book. Banks always has huge and lovingly described set pieces, and this book is no exception, but there are also paragraphs and pages of background and cultural musings and galactic politics. We are introduced to not one but three new Contact divisions; as well as the already-mentioned Quietus, there is Numina, which concerns itself with the races that have sublimed (transcended), and Restoria, which deals with hegemonizing swarms (grey goo nanotech, paperclip maximizers, and their equivalents).

Infodumping is both a feature and a bane of big-idea science fiction, and it helps to be in the right mood. It also helps if the info being dumped is interesting, and this is where Banks shines. This is a huge, sprawling book, but it deals with some huge, sprawling questions and it has interesting and non-reductive thoughts about them. The problems posed by the plot come with history, failed solutions, multi-sided political disputes, strategies and tactics of varying morality and efficacy, and an effort to wrestle with the irreducible complexity of trying to resolve political and ethical disagreements in a universe full of profound disagreements and moral systems that one cannot simply steamroll.

It also helps that the characters are interesting, even when they're not likable. Surface Detail has one fully hissable villain (Veppers) as a viewpoint character, but even Veppers is interesting in a "let me check the publication date to see if Banks was aware of Peter Thiel" sort of way. The Culture ships, of which there are several in this story, tend towards a gently sarcastic kindness that I find utterly charming. Lededje provides the compelling motive force of someone who has no involvement in the broader philosophical questions and instead intends to resolve one specific problem through lethal violence. Vatueil and Yime were a bit bland in personality, more exposition generators than characters I warmed to, but their roles and therefore the surrounding exposition were fascinating enough that I still enjoyed their sections.

I'm sure this is not an original observation, but I was struck reading this book in the first half of 2026 that the Culture functions as an implementation of what the United States likes to think it is but has never been. It has a strong sense of shared ethics and moral principles, it tries to export them to the rest of the galaxy through example, persuasion, and careful meddling, but it tries to follow some combination of pragmatic and moral rules while doing so, partly to avoid a backlash and partly to avoid becoming its own sort of hegemonizing swarm. That is a powerfully attractive vision of how to be an advanced civilization, and the fact that every hegemon that has claimed that mantle has behaved appallingly just makes it more intriguing as a fictional concept. In this book, like in many Culture books, the Culture is painfully aware of the failure modes of meddling, and the story slowly reveals the effort the Culture put into staying just on a defensible side of their own moral lines. This is, in a sense, a Prime Directive story, but with a level of hard-nosed pragmatism and political sophistication that the endless Star Trek Prime Directive episodes never reach.

Surface Detail does tend to sprawl, and I'm not sure Banks pulled together all the pieces of the plot. For example, if there was a point to the subplot involving the Unfallen Bulbitian, it was lost on me. (There is always a possibility with Banks that I wasn't paying close enough attention.) But the descriptions are so elaborate and the sense of politics and history are so deep that I was never bored, even when following a plot thread that meandered off into apparent irrelevance. The main plot line comes to a satisfying conclusion that may be even more biting social commentary today than it was in 2010.

A large part of the plot does involve Hell, so a warning for those who haven't read much Banks: He adores elaborate descriptions of body horror and physical torture. The sections involving Prin and Chay are rather grim and horrific, probably a bit worse than Dante's Inferno. I have a low tolerance for horror and I was able to read past and around the worst bits, but be warned that Banks indulges his love for the painfully grotesque quite a bit.

This was great, and exactly what I was hoping for when I picked it up. It's not the strongest Culture novel (for me, that's either The Player of Games or Excession), but it's one of the better ones. Highly recommended, although if you're new to the Culture, I would start with one of the earlier books that provide a more gradual introduction to the Culture and Special Circumstances.

Followed, in the somewhat disconnected Culture series sense, by The Hydrogen Sonata.

Content warnings: Rape (largely off-screen), graphic violence, lots of Bosch-style grotesque torture, and a lot of Veppers being a thoroughly awful human being as a viewpoint character.

Rating: 8 out of 10

Review: Collision Course

2026-04-19T04:52:00+00:00

Review: Collision Course, by Michelle Diener

Series:	Class 5 #6
Publisher:	Eclipse
Copyright:	November 2024
ISBN:	1-7637844-0-1
Format:	Kindle
Pages:	289

Collision Course is the sixth novel in the Class 5 science fiction series and the first that doesn't use the Dark X naming convention. There are lots of spoilers in this story for the earlier books, but you don't have to remember all the details of previous events. Like the novella, Dark Ambitions, this novel returns to Rose, Sazo, and Dav instead of introducing another Earth woman and Class 5 ship.

In Dark Class, Ellie discovered an interesting artifact of a previously-unknown space-faring civilization. Rose, Sazo, and Dav are on their way to make first contact when, during a routine shuttle flight between the Class 5 and Dav's Grih military ship, Rose is abducted. The aliens they came to contact have an aggressive, leverage-based negotiating strategy. They're also in the middle of a complicated war with more sides than are readily apparent.

What I liked most about Dark Horse, the first book of this series and our introduction to Rose, was the revealed ethical system and a tense plot that hinged primarily on establishing mutual trust when there were excellent reasons for the characters to not trust each other. As the series has continued, I think the plots have become more complicated but the ethical dilemmas and revealing moments of culture shock have become less common. That is certainly true of Collision Course; this is science fiction as thriller, with a complex factional conflict, a lot of events, more plot reversals than the earlier books, but also less ethics and philosophy.

I'm not sure if this is a complaint. I kind of miss the ethics and philosophy, but Diener also hasn't had much new to say for the past few books. The plot of Collision Course is quite satisfyingly twisty for a popcorn-style science fiction series. I was kept guessing about the merits of some of the factions quite late into the book, although admittedly I was in the mood for light entertainment and was not trying too hard to figure out where the book was going. I did read nearly the entire book in one sitting and stayed up until 2am to finish it, which is a solid indication that something Diener was doing worked.

I do have quibbles, though. One is that the ending is a bit unsatisfying. Like Sazo, I was getting quite annoyed at the people capturing (and recapturing) Rose and would have enjoyed somewhat more decisive consequences. Also, and here I have to be vague to avoid spoilers, I was expecting a bit more of a redemption arc for one of the players in the multi-sided conflict. The ending I did get was believable but rather sad, and I wish Diener had either chosen a different outcome (this is light happily-ever-after science fiction, after all) or wrestled more directly with the implications. There were a bit too many "wait, one more thing" ending reversals and not quite enough emotional payoff for me.

The other quibble is that Collision Course was a bit too damsel in distress for this series. Rose is pregnant, which Diener uses throughout the book as a way to raise the stakes of the plot and also make Rose more annoyed but also less capable than she was in her earlier novel. Both Sazo and Dav are in full heroic rescue mode, and while Diener still ensures Rose is primarily responsible for her own fate, there is some "military men attempt to protect the vulnerable woman" here. One of the things I like about this series is that it does not use that plot, so while the balance between Rose rescuing herself and other people rescuing her is still tilted towards Rose, I would have liked this book more if Rose were in firmer control of events.

I will mostly ignore the fact that a human and a Grih sexually reproducing makes little to no biological sense, since Star Trek did similar things routinely and it's an established genre trope. But I admit that it still annoys me a bit that the alien hunk is essentially human except that he's obsessed with Rose's singing and has pointy ears. Diener cares about Rose's pregnancy a lot more than I did, which added to my mild grumpiness at how often it came up.

Overall, this was fine. I prefer a bit more of a protagonist discovering how powerful she is by making ingenious use of the ethical dilemmas her captors have trapped themselves in, and a bit less of Rose untangling a complicated political situation by getting abducted by every player serially, but it still kept the pages turning. Any book that is sufficiently engrossing for me to read straight through is working at some level. Collision Course was highly readable, undemanding, and distracting, which is what I was looking for when I read it. I would put it about middle of pack in the series. If Rose's pregnancy is more interesting to you than it was to me, that might push it a bit higher.

If you have gotten this far in the series, you will probably enjoy this, although it does feel like Diener is running out of new things to say about this universe. That's unfortunate given the number of threads about AI sentience and rights that could still be followed, but I think tracing them properly would require more philosophical meat than Diener intends for these books. Which is why the next book I grabbed was a Culture novel.

Currently this is the final book in the Class 5 series, but there is no inherent reason why Diener couldn't write more of them.

Rating: 7 out of 10

Thanks Branchable!

2026-04-18T13:37:22+00:00

I was hosted for a long time, free of charge, on https://www.branchable.com/ by Joey and Lars. Branchable and Ikiwiki were wonderful ideas that never took off as much as they deserved. To avoid being a burden now that Branchable is nearing its end, I migrated to a VPS at Sakura.

However, I have not left Ikiwiki. I only use it as a site engine, but I haven't found any equivalent that gives me both native Git integration, wiki syntax for a personal site, the creativity of its directives (you can do anything with inline and pagespec), and its multilingual support through the po plugin.

Joey and Lars, thank you for everything!

Hello old new “Projects” directory!

2026-04-18T08:06:00+00:00

If you have recently installed a very up-to-date Linux distribution with a desktop environment, or upgraded your system on a rolling-release distribution, you might have noticed that your home directory has a new folder: “Projects”

Why?

With the recent 0.20 release of xdg-user-dirs we enabled the “Projects” directory by default. Support for this has already existed since 2007, but was never formally enabled. This closes a more than 11 year old bug report that asked for this feature.

The purpose of the Projects directory is to give applications a default location to place project files that do not cleanly belong into one of the existing categories (Documents, Music, Pictures, Videos). Examples of this are software engineering projects, scientific projects, 3D printing projects, CAD design or even things like video editing projects, where project files would end up in the “Projects” directory, with output video being more at home in “Videos”.

By enabling this by default, and subsequently in the coming months adding support to GLib, Flatpak, desktops and applications that want to make use of it, we hope to give applications that do operate in a “project-centric” manner with mixed media a better default storage location. As of now, those tools either default to the home directory, or will clutter the “Documents” folder, both of which is not ideal. It also gives users a default organization structure, hopefully leading to less clutter overall and better storage layouts.

This sucks, I don’t like it!

As usual, you are in control and can modify your system’s behavior. If you do not like the “Projects” folder, simply delete it! The xdg-user-dirs utility will not try to create it again, and instead adjust the default location for this directory to your home directory. If you want more control, you can influence exactly what goes where by editing your ~/.config/user-dirs.dirs configuration file.

If you are a system administrator or distribution vendor and want to set default locations for the default XDG directories, you can edit the /etc/xdg/user-dirs.defaults file to set global defaults that affect all users on the system (users can still adjust the settings however they like though).

What else is new?

Besides this change, the 0.20 release of xdg-user-dirs brings full support for the Meson build system (dropping Automake), translation updates, and some robustness improvements to its code. We also fixed the “arbitrary code execution from unsanitized input” bug that the Arch Linux Wiki mentions here for the xdg-user-dirs utility, by replacing the shell script with a C binary.

Thanks to everyone who contributed to this release!

Home Battery

2026-04-17T12:58:23+00:00

Prices

On the 19th of March I got a home battery system installed. The government has a rebate scheme so it had a list price of about $22k for a 40kWh setup and cost me about $12k. It seems that 40KWh is the minimum usable size for the amount of electricity I use, I have 84 cores running BOINC when they have nothing better to do which is 585W of TDP according to Intel. While the CPUs are certainly using less than the maximum TDP (both due to design safety limits and the fact that I have disabled hyper-threading on all systems due to it providing minimal benefits and potential security issues) given some power usage by cooling fans and some inefficiency in PSUs I think that assuming that 585W is accounted for 24*7 by CPUs is reasonable. So my home draws between 800W and 1KW when no-one is home and with an electric car and all electric cooking a reasonable amount of electricity can be used.

My bills prior to the battery installation were around $200/month which was based on charging my car only during sunny times as my electricity provider (Amber Electric) has variable rates based on wholesale prices. Also the feed in rates if my solar panels produce too much electricity in sunny times often go negative so if I don’t use enough electricity. I haven’t had the electric car long enough to find out what the bills might be in winter without a home battery.

Before getting the battery my daily bills according to the Amber app were usually between $5 and $10. After getting it the daily bills have almost always been below $5. The only day where it’s been over $5 since the battery installation was when electricity was cheap and I fully charged the home battery and my car which used 50KWh in one day and cost $7.87 which is 16 cents per KWh. 16 cents isn’t the cheapest price (sometimes it gets as low as 10 cents) but is fairly cheap, sometimes even in the cheap parts of the day it doesn’t get that low (the cheapest price on the day I started writing this was 20 cents).

So it looks like this may save me $100 per month, if so there will be a 10% annual return on investment on the $12K I spent. This makes it a good investment, better than repaying a mortgage (which is generally under 6%) and almost as good as the long term results of index tracker funds. However if it cost $22K (the full price without subsidy) then it would still be ok but wouldn’t be a great investment. The government subsidised batteries because the huge amount of power generated by rooftop solar systems was greater than the grid could use during the day in summer and batteries are needed to use that power when it’s dark.

Android App

The battery system is from Fox ESS and the FoxCloud 2.0 Android app is a bit lacking in functionality. It has a timer for mode setting with options “Self-use” (not clearly explained), “Feed-in Priority” (not explained but testing shows feeding everything in to the grid), “Back Up”, “Forced Charge”, and “Forced Discharge”. Currently I have “Forced Charge” setup for most sunny 5 hours of the day for a maximum charge power of 5KW. I did that because about 25KW/day is what I need to cover everything and while the system can do almost 10KW that would charge the battery fully in a few hours and then electricity would be exported to the grid which would at best pay me almost nothing and at worst bill me for supplying electricity when they don’t want it. There doesn’t seem to be a “never put locally generated power into the grid unless the battery is full” option. The force charge mode allows stopping at a certain percentage, but when that is reached there is no fallback to another option. It would be nice if the people who designed the configuration could take as a baseline assumption that the macro programming in office suites and functions in spreadsheets are things that regular people are capable of using when designing the configuration options. I don’t think we need a Turing complete programming language in the app to control batteries (although I would use it if there was one), but I think we need clauses like “if battery is X% full then end this section”.

There is no option to say “force charge until 100%” or “force charge for the next X minutes” as a one-off thing. If I came home in the afternoon with my car below 50% battery and a plan to do a lot of driving the next day then I’d want to force charge it immediately to allow charging the car overnight. But I can’t do that without entering a “schedule”. For Unix people imagine having to do everything via a cron job and no option to run something directly from the command-line.

It’s a little annoying that they appear to have spent more development time on animations for the app than some of what should be core functionality.

Management

Amber has an option to allow my battery to be managed by them based on wholesale pries but I haven’t done that as the feed-in prices are very low. So I just charge my battery when electricity is cheap and use it for the rest of the day. There is usually a factor of 2 or more price difference between the middle of the day and night time so that saves money. It also means I don’t have to go out of my way to try and charge my car in the middle of the day. There is some energy lost in charging and discharging the batteries but it’s not a lot. I configured the system to force charge for the 5 sunniest hours every day for 5KW as that’s enough to keep it charged overnight and 5KW is greater than the amount of solar electricity produced on my house since I’ve been monitoring it so that forces it to all be used for the battery. In summer I might have to change that to 6KW for the sunniest 2 or 3 hours and then 4KW or 5KW surrounding that which will be a pain to manage.

Instead of charging the car every day during sunny times I charge it once or twice a week, I have a 3.3KW charger and the car has a 40KWh battery so usually it takes me less than 10 hours to fully charge it and I get at least 5 hours of good sunlight in the process.

There are people hacking on these devices which is interesting to get direct control from computers [1], and apparently not banned from the official community for doing so. I’m not enthusiastic enough to do this, I’ve got plenty of other free software things to work on. But it’s good that others are doing so.

[1] https://foxesscommunity.com/viewtopic.php?t=2397

ActBlue former IT boss disappearance: Decklin Foster & Debian, Harvard suicide lab, Chris Gleason is wife, whistleblower or both?

2026-04-16T20:30:00+00:00

ActBlue is the online fundraising platform used by US Democratic party candidates. It is the subject of a major scandal that has gripped the congress. It has been linked to Debianism, another disappearing developer and in a parody of other Debianism scandals, there are possibly two people using the same name, one being the wife of the missing developer and the other being a US Senate candidate who claims to have exposed the ActBlue scandal.

These Github screenshots confirm that Decklin Foster was affiliated with ActBlue and vanished in 2018:

Accusations have been made about the concealment of illegal foreign donations and deception of Congress.

Chris Gleason has nominated to represent Florida in the US Senate. Gleason registered using a post office box and created a domain name, voteforgleason.com using an anonymous service in Iceland. Gleason's profile on X/Twitter has no photo while their Facebook profile is completely disabled.

A similar web site has been created at https://chris4florida.com/

The phone number on voteforgleason.com and chris4florida.com goes to a pharmacy rather than a campaign office.

Nonetheless, I was able to verify Christopher Gleason submitted a nomination that is registered with the state officials.

Gleason's web site tells us:

Chris Gleason built the forensic tools that exposed ActBlue's billion-dollar money laundering operation. His evidence ...

Therefore, the candidate Gleason is not a pharmacist.

So far, Chris appears to be male, intermittently using the name Christopher and the masculin pronouns like His.

At the height of the Debian suicide cluster, shortly before Adrian von Bidder-Senn died on our wedding day ( detailed report), another Debian Developer, Decklin Foster put all his packages up for adoption.

Up to 2016, we can see that Decklin Foster was listed in the public filings of ActBlue Civics, Inc as either a senior engineer or at one point, as Director of Information Technology.

Decklin Foster's activity on their Github profile stops abruptly in May 2018.

ProPublic shows the last salary payment to Decklin Foster's bank account was in July 2018.

Decklin Foster disappeared at almost the exact same time as Arjen Kamphuis, author of the book on Information Security for Investigative Journalists. I was one of the last people to see Arjen before he vanished. Remarkably, Arjen had even asked me for protection.

On 1 January 2015, Decklin Foster's PGP key was removed because it was only 1024 bits. Most developers had created stronger keys before this mass removal of insecure keys took place.

In 2019, the Debian Account Managers asked the keyring managers to completely remove Decklin Foster from the Debian keyring. There was no Statement on Decklin Foster so far.

Clicking the links to see the statements about the removal does not work. An error message tells us the messages about Decklin Foster's removal from debianism are all private.

Foster's web site address is https://www.red-bean.com/decklin and it is currently reporting "The requested URL was not found on this server.". Thanks to the Wayback Machine we can find a snapshot from 2019 which reveals an inconvenient truth:

If you’re interested in me, I have started using Google Plus. If you’re interested in my work, I’m on Github. I was a Debian developer for some time, but I’ve mostly given that up. I currently work for ActBlue and live in Cambridge, MA with my wife.

Clicking on "my wife", we find the web site of Chris Gleason at http://cgleason.org/.

Reading Gleason's about page, we find the pronoun "they":

chris gleason is a graphic designer, zine creator, and print maker in chicago, illinois. they love ...

Therefore, the Debian Developer ( What is a Debian Developer?) who was Director of Information Technology for ActBlue was married to a female or transgender Chris Gleason. Is this the same person as the elusive male Chris Gleason who is now running for the US Senate in Florida on claims about corruption at ActBlue? Or is it simply a bizarre coincidence that two people so closely connected with this scandal share the same name?

Remember the case of Francois Thiébaud, the pimp who usurped the reputation of the legendary boss of Tissot SA? They both have the same name too but they are different people.

In 2017, the Trans Women Writers Collective published the book Nameless Woman, written by trans women of colour. In the credits, the trans women thank Decklin Foster.

This anthology was made possible by the generous support of hundreds of people. In particular, we would like to thank Annaya Youkai, Kieran Todd, Sadie Laett-Babcock, Adelaida Shelley, Jaime Peschiera, Kai Cheng Thom, Talon Wilde, David Cope, Alex Meginnis, Decklin Foster, and Eli Nelson for their help.

Here are photos from the respective online profiles of Decklin Foster and Chris Gleason.

Decklin Foster

Chris Gleason

They don't look too similar but who knows. Anything is possible in America today.

In 2017, Bitch Magazine included Decklin Foster in a list of donors.

In 1999, at the time Decklin Foster was recruited by Debianism, they had a home page at http://members.home.com/decklin/.

Shortly after, the page moved to http://www.red-bean.com/~decklin/ and that eventually evolved to http://www.red-bean.com/decklin/. The last good capture of the site at the Wayback machine was 11 October 2019. It looks like they disabled the web site after that date.

On 22 July 1999, Raphael Hertzog, known for the Freexian scandals wrote a message asking people to do unpaid work on orphaned packages in the hope that their application to become a Debian Developer would be approved more quickly:

To: debian-devel-announce@lists.debian.org, debian-devel@lists.debian.org, debian-qa@lists.debian.org, debian-mentors@lists.debian.org
Subject: [New maintainer] Working for Debian and becoming a registered Debian developer
From: Raphael Hertzog <rhertzog@hrnet.fr>
Date: Thu, 22 Jul 1999 18:06:26 +0200

[ Large crosspost to start the discussion, please reply to debian-devel
  only. Simply respect the reply-to. ]

Hello everybody,

you may or not be aware that getting a Debian developer is quite long. I
want to propose a solution to facilitate the integration of new
Debian developers.

It's quite simple. In order to fully learn how Debian works, the best
solution is :
- to adopt orphaned packages and correct their bugs
- that your work should be checked by an official developer (I'll call
  it the sponsor).

Of course, as long you're not a registered Debian developers you cannot
upload your packages. The soluton is that the sponsor will upload the
package you'll do. The official maintainer will be
debian-qa@lists.debian.org. After all when you correct bugs on orphaned
packages, you're doing Quality Assurance.

This does also allow you to get new bugs in your mailbox. You just need
to subscribe to debian-qa@lists.debian.org. You would be allowed to
open/close/set the severity/forward the bugs since all debian-qa members
can do it on debian-qa packages.

If the sponsor finds that you've done a good job with the package, he
will explain that to the new maintainer team in the hope that your
application will be processed faster. And when you'll be
official Debian developper, you'll be able to change the Maintainer field
to your name.

I'll propose myself to be a sponsor. We'll need more sponsor ... any
volunteers ? Hopefully several people from debian-qa will accept to be
sponsor like me ...

All the future Debian developers interested should also reply ...

Any input appreciated !

Cheers,
-- 
Hertzog Raphaël >> 0C4CABF1 >> http://prope.insa-lyon.fr/~rhertzog/

Decklin Foster was one of the people recruited by those tactics.

To: debian-devel@lists.debian.org
Cc: debian-mentors@lists.debian.org
Subject: Re: [New maintainer] Working for Debian and becoming a registered Debian developer
From: Decklin Foster <decklin@home.com>
Date: Thu, 22 Jul 1999 13:39:13 -0400

Raphael Hertzog writes:

> Of course, as long you're not a registered Debian developers you cannot
> upload your packages. The soluton is that the sponsor will upload the
> package you'll do. The official maintainer will be
> debian-qa@lists.debian.org. After all when you correct bugs on orphaned
> packages, you're doing Quality Assurance.

Sounds good, I'll subscribe right after I finish writing this. I'm
also trying to work on non-orphaned backages as well (for example
right now i'm fixing a bug in gsfonts-x11.) So keep in mind that you
can always just send patches :)

-- 
Debian GNU/Linux - http://www.debian.org/
The Web is to graphic design as the fax machine is to literature.

Not only was Decklin under the influence of Hertzog, they were also under the influnce of the Red Hat share offer. This email encourages speculation on the IPO:

To: debian-devel@lists.debian.org
Subject: Re: SPAM from Red Hat
From: Decklin Foster <decklin@home.com>
Date: Wed, 21 Jul 1999 09:57:45 -0400

Martin Bialasinski writes:

> is it only me, or did you also get this spam from Red Hat about stock
> options?
> 
> Oh man - the bigger the company, the less clueful people?

On #debian last night, it was suggested that we use our opportunity to
buy some of this stock and sell it when the price goes up. This money
could then be used to fund Debian, buy new hardware, improve our
network connection, etc. Does anyone else think this is a Good
Idea(TM)? I would be willing to donate as much as I reasonably could.

-- 
Debian GNU/Linux - http://www.debian.org/
The Web is to graphic design as the fax machine is to literature.

Of interest to those watching the ActBlue saga, there is an email about hacking and cracking:

To: debian-devel@lists.debian.org
Subject: Re: [New maintainer] Working for Debian and becoming a registered Debian developer
From: Decklin Foster <decklin@home.com>
Date: Thu, 22 Jul 1999 16:37:40 -0400

Carl Mummert writes:

> Hacking is a serious crime

Cracking is a serious crime. Breaking into computer systems without
permission is a serious crime. Violation of privacy and theft of
confidential information is a serious crime.

Now what does this have to do with hacking?

> The fact remains that the debian policy is to discourage new
> developers by making it slow and difficult to get an account.

I have no problem with waiting, and I'd rather not look bad just
because some people keep speaking badly about the new-maintainer team.
We don't need another flamewar here. People have work to do.

-- 
Debian GNU/Linux - http://www.debian.org/
The Web is to graphic design as the fax machine is to literature.

The New Maintainer report tells us they entered the process in the same month, their application manager was Craig Small and they completed the process in July/August 2000. The advocacies and the application manager (AM) report are all missing from the mailing list archives.

They had a page at https://people.debian.org/~decklin/ but that has been inaccessible ever since the peak of the Debian suicide cluster.

They had a blog on another web site. It is captured in the Wayback machine up to 2012. The last snapshot with the index is here: http://blog.rupamsunyata.org/. The last blog post:

I'm the fuel that fires the engine of Failure

So, the Democrats in my very blue state put up a depressing, entitled, out-of-touch candidate for our vacant senate seat and she lost. The only reason I voted for her was because she wasn't a Republican. Supporting someone you don't even slightly like is psychologically draining.

At this point, I would vote for a Democratic party (or a Republican party!) with the exact same fiscal policy as the current Republicans if they actually made a principled, moral stand on equal protection and civil rights, habeas corpus/due process, and reproductive rights. Those don't cost anything[1].

Maybe they should be solved before the stuff that does cost billions of dollars. As it is my choice is weak, almost grudging support for those rights from people who want to hand the economy over to the government, and disgusting, immoral, vehement opposition to them from people who want to hand the economy over to wealthy corporations.

Neither side is doing anything effective to keep us free, or to keep the market free. Each side says or implies that this is a Christian nation, which it explicitly isn't, while failing to do what's right. Sometimes I want to give up and stop voting.

[1] Conversely, of course, it doesn't cost anything to take people's rights away, or prevent them from getting rights in the first place; I think this is why anti-gay-marriage ballot measures have been more successful in the current recession. Some people get their kicks from the suffering of others.

Accessing the blog from 2013 onwards we can see the front page has been replaced with the message:

This blog is not being updated. Old entries are still around, but I'm turning off the front page for now.

From there, we could find a link to Decklin Foster on LiveJournal. Their profile tells us they like #Debian-women. Don't forget the Debian pregnancy cluster.

There is a link to a Twitter/X account for Decklin Foster.

contributors.debian.org tells us that Decklin Foster stopped contributing in February 2011, immediately before the death of Adrian von Bidder-Senn on our wedding day. Chris Gleason is not on the list at all. If Decklin had abandoned Debianism, why did it take eight years to remove them from the keyring? Reading the full history of the Debian Harassment culture, we can see many other co-authors were removed for purely political reasons and blackmail but keys belonging to the people who had abandoned the project and people who died were left in the keyring for years.

To: debian-devel <debian-devel@lists.debian.org>
Subject: RFA: all my packages
From: Decklin Foster <decklin@red-bean.com>
Date: Thu, 10 Feb 2011 17:11:05 -0500
Message-id: <1297375750-sup-7355@gillespie.rupamsunyata.org>

I'm looking for a new maintainer for, well, any of these. My heart is
not in it anymore and most of them have been neglected for a while.
Recently my free time has been taken up by other things (mainly my job)
and I forsee that continuing.

http://qa.debian.org/developer.php?login=decklin%40red-bean.com

python-beautifulsoup and mpd need attention for proposed-updates; I
missed getting them into Squeeze. rxvt-unicode is a total clusterfuck.

If any desktop-type packages remain I will orphan them, as I am only
running Debian on servers now. Apart from that, perhaps with a greatly
reduced load I can still make a tiny contribution to the community. If
not, I will retire.

-- 
things change.
decklin@red-bean.com

Decklin Foster is on a list of former members of Harvard's Center for Depression, Anxiety and Stress Research. They have a photo of him when he was younger. It appears to be the same person as the Github profile.

Various scholarly articles from Harvard experts on depression have thanked Decklin Foster for their contributions in 2008 and 2009. Decklin Foster was collaborating on this world-class depression research at exactly the same time they were part of the debian-private discussions that precipitated the Debian Day Volunteer Suicide in 2010.

Pizzagalli, Diego A., Avram J. Holmes, Daniel G. Dillon, Elena L. Goetz, Jeffrey L. Birk, Ryan Bogdan, Darin D. Dougherty, Dan V. Iosifescu, Scott L. Rauch, and Maurizio Fava. 2009. Reduced Caudate and Nucleus Accumbens Response to Rewards in Unmedicated Individuals With Major Depressive Disorder. The American Journal of Psychiatry 166: 702-710. 2008
Deveney, Christen M., and Diego A. Pizzagalli. 2008. The cognitive consequences of emotion regulation: An ERP investigation. Psychophysiology 45(3): 435-444.
Wacker, Jan, Daniel G. Dillon, and Diego A. Pizzagalli. 2009. The role of the nucleus accumbens and rostral anterior cingulate cortex in anhedonia: Integration of resting EEG, fMRI, and volumetric techniques. Neuroimage 46, no. 1: 327-337.
Diane L. Santesso, Daniel G. Dillon, Jeffrey L. Birk, Avram J. Holmes, Elena Goetz, Ryan Bogdan, Diego A. Pizzagalli. 2008. Individual differences in reinforcement learning: Behavioral, electrophysiological, and neuroimaging correlates - NeuroImage
Daniel G. Dillon, Ryan Bogdan, Jesen Fagerness, Avram J. Holmes, Roy H. Perlis, and Diego A. Pizzagalli, 2010 - Variation in TREK1 Gene Linked to DepressionResistant Phenotype is Associated with Potentiated Neural Responses to Rewards in Humans - Human Brain Mapping 31:210–221
Santesso DL, Bogdan R, Birk JL, Goetz EL, Holmes AJ, Pizzagalli DA. Neural responses to negative feedback are related to negative emotionality in healthy adults - Soc Cogn Affect Neurosci. 2012 Oct;7(7):794-803. doi: 10.1093/scan/nsr054. Epub 2011 Sep 14. PMID: 21917847; PMCID: PMC3475354.

The connection to psychiatric research is a really odd coincidence, given that Decklin sent that RFA (resignation) email immediately before the death of Adrian von Bidder-Senn on our wedding day. The death was discussed like a suicide.

Subject: Re: Death of Adrian von Bidder
Date: Fri, 22 Apr 2011 09:39:49 +0200
From: A Mennucc <mennucc1@debian.org>
To: debian-private@lists.debian.org

Il 19/04/2011 18:17, martin f krafft ha scritto:
> Dear Debian colleagues,
>
> I have the sad task to communicate to you the news of the death of
> Adrian von Bidder (avbidder, cmot), who passed away last Sunday,
> most probably of a heart attack.

I had contacted Adrian regarding the Debian umbrella.
So I had also a chance of seeing a picture of him
http://blog.fortytwo.ch/archives/80-Yay!-Debian-Logo!.html
In that picture he seemed quite happy and young.
His death is quite shocking and sad.

a.

Remember, Debianists admitted the group needed a psychiatrist back in 2006, well before most of the deaths.

Around the same time, a petition about suicide prevention was submitted to the Basel city council and it had the name A. von Bidder at the bottom.

Now Decklin Foster himself is missing.

William Lee Irwin III was another Debian Developer who asked for help and then vanished.

There is a Decklin Foster profile on Youtube that hasn't been used for nine years. There are four subscribers. One of the videos has the comment:

Mixed these together on my show (editsradio.org) this week and really liked the result, so here it is on its own, slowed down and a little extended.

Photo taken at the Wilbur Theater in Boston on 2012-07-31.

The last snapshot of editsradio.org is on 6 April 2015. After that, the content is changed to Arabic. From 15 August 2015, it is redirecting to another site, also in Arabic, at http://www.17serialbaran.org.

In January 2015, Decklin Foster & Chris Gleason are listed as a couple as new members of the Brattle Theatre, Cambridge, Massachusetts.

Later in 2015, a report from the World Science Fiction Society lists Decklin Foster as a new member.

Spokeo has a report about Christina N Gleason-Foster in Chicago, IL with a former address in Cambridge, MA, the same location as Decklin Foster.

Going back to 2013, when the blog vanished, Universal Hub published a report "House of Blues turns down the heat, adds ice water for electronica shows due to Molly scourge". This is not about Molly de Blanc it is about the Molly pills. Decklin Foster drops a comment in the discussion:

This sounds like a bad idea. You really don't want to give huge amounts of water to MDMA users

There is a LinkedIn profile for Chris Gleason in Pinellas County, in Florida, not far from Jeremy Bícha, the Registered Sex Offender who was invited to speak at DebConf25 in Brest, France. Looking at the photo on LinkedIn, is this an older version of Decklin Foster's wife who has transitioned back to being a man or is it a completely different person?

It would be extremely offensive to ask such a question in any other group of people but in the world of Debianism and Zizian phenomena, there are a disproportionate number of people who are living such lifestyles.

Let's not forget the example of another Debianism transgender bedmate with at least five identities, that was Pauline / Maria Climent / Pommeret.

The Republican Chris Gleason has a profile on Ballotpedia where they claim to have come from Massachusetts, the same Democrat state where we found Decklin Foster.

Chris Gleason was born in Lowell, Massachusetts. Gleason's career experience includes working as a technology consultant. He served in the U.S. Army National Guard from 1989 to 1999. Gleason earned a bachelor's degree from the University of Massachusetts, Lowell in 1996. Gleason has been affiliated with Caribbean Christian Center for the Deaf, Michigan -Make-A-Wish, Seniors Helping Seniors.

In the recent UK elections, journalists and researchers found various examples of candidates who didn't really exist. At least one political party was accused of making up fake candidates to make their party look bigger and attract more donations.

I have the impression the Chris Gleason in Florida is a different person but I'm not ruling out the possibility it is a fake profile or an alter-ego of Chris Gleason, wife of Decklin.

The ActBlue crisis is real however. Here is a committee report on the US house web site.

The Committee on House Administration, the Committee on the Judiciary, and the Committee on Oversight and Government Reform are charged with ensuring the integrity of American elections. To that end, the Committees are examining allegations that ActBlue, a leading political fundraising organization, allowed bad actors, including foreign actors, to exploit its online platform to make fraudulent political donations.

There is a profile on Mesh that tells us about Gleason's career and finishes with a paragraph about the election fraud claims:

Chris Gleason

CEO at NextMed Holdings, LLC CEO at Translational Analytics and Statistics, LLC

Chris Gleason is a board member at Our Mayberry, a company focused on revolutionizing charitable giving and fundraising.1 He is a lawyer, entrepreneur, and community philanthropist with multiple leadership roles in charities helping children.3 Gleason has also been involved in various business ventures and has held executive positions in different companies.

In addition to his role at Our Mayberry, Gleason has served as a board member for the Goldwater Institute since 2013.5 He was also recently appointed as the president and CEO of Moximed, a medical device company, in June 2024.2

Gleason has a background in sales leadership, having previously worked as VP of sales at Relievant and VP of sales of interventional urology at Teleflex.2 He has also been involved in political activities, receiving income from Election Watch, a Wisconsin-based group, in 2024.4

It's worth noting that Gleason has recently entered the political arena, running for the position of Pinellas County Supervisor of Elections in Florida for the 2024 election. His campaign has been controversial, as he has made unsubstantiated claims about election fraud and criticized the incumbent, Julie Marcus.

On 10 April 2026, Miami Independent published a video where they interview Chris Gleason and Jeff Buongiorno about vote rigging allegations. The CIA is mentioned within the first ninety seconds of the video. I stopped watching at that point.

In the case of another Debian Developer, Paul Tagliamonte, he really was working in the White House and the Pentagon. We have a photo to prove it:

Chris Gleason's campaign web site has the title Whistleblower in big letters. This implies he was an insider or he was connected to an insider, in other words, his claim to be a whistleblower encourages us to ask about the bizarre possibility that he really is or was the transgender wife of ActBlue's missing director of information technology, Decklin Foster.

If that was true, did his/her domestic arrangements give them unauthorized access to servers, laptops or cloud accounts for ActBlue? I was very grateful to receive donations of file servers from the Catholic archdiocese of Melbourne.

Take a side-step and have a look at the other Florida connection with the US Republican party. In the report about Senior management and HR email privacy: Martin Ebnoether (venty), Axel Beckert (xtaran) & Debian abuse in Switzerland, I made the observation that Axel Beckert's boyfriend and I both worked at the same company. The owner of that company is one of the top donors of the US Republican party and he lives three doors away from Mar-a-Lago, the home of current US President Donald Trump. Trump himself was elected for the first time on my birthday and I correctly predicted there would be conflict in the Strait of Hormuz.

Decklin was using Gists, they also stopped abruptly in 2017.

The Red-Bean.com web site has a list of people associated with their web site and Decklin's name is not on the list.

Whether they are the same Chris Gleason or not, we can say for sure that the Decklin Foster from Debianism is the same Decklin Foster who became Director of Information Technology for disgraced fundraising platform ActBlue Civics, Inc.

Here is one more interesting leak from the debian-private leaked gossip network. It shows us that Decklin Foster was in favor of the practice of dividing the community and humiliating people. It looks like he supported the humiliation of Sven Luther at the very time he was working in the Harvard Medical School's depression research team. Sven's mother was dying at the time this bun fight erupted.

Subject: Expulsion process: Sven Luther
Date: Thu, 01 Mar 2007 00:00:29 +0100
From: Joerg Jaspert <joerg@debian.org>
Organization: Goliath-BBS
To: debian-private@lists.debian.org

...

Now, the list of people who sent something in for the process:

Anthony - Requestor

Supporters, unordered:

srivasta@debian.org
mbanck@debian.org
tbm@cyrius.com
93sam@debian.org
fs@debian.org
jgoerzen@complete.org
fjp@debian.org
dilinger@debian.org
joeyh@debian.org
liw@iki.fi
stappers@stappers.nl
tolimar@debian.org
jeroen@wolffelaar.nl
tfheen@debian.org
micah@riseup.net
decklin@red-bean.com
tb@becket.net
tytso.mit.edu

The conflict between Sven Luther and Frans Pop appears to be a factor in the eventual suicide of Frans Pop. The whole group failed.

Subject: [Very long] Post-partem rant and retrospective
Date: Thu, 31 May 2007 03:56:11 +0200
From: Frans Pop <elendil@planet.nl>
To: debian-private@lists.debian.org

I've decided to write this in a separate mail because I'm afraid this may get long. Quite a bit of this has been written before, but I hope some of you will bear with me.

[snip]

So, what has made me decide to leave the project. It's a combination of just plain emotional stress over the whole Sven Luther issue, frustration with the inability of the project to deal with that and with some other issues, and frustration with the fact that a fair number of members of the project seem to feel that as long as you don't upload packages with trojans, pretty much anything is OK.

and eventually....

Subject: Resignation
Date: Sun, 15 Aug 2010 21:41:18 +0200
From: Frans Pop <elendil@planet.nl>
To: debian-private@lists.debian.org


It's time to say goodbye. I don't want to say too much about it, except that I've been planning this for a long time.


Participating in Debian has been great.

...

To see all the leaked messages from debian-private, including the history of Decklin Foster, please see my crowdfunding campaign video.

Terrorism or accident? Geelong Corio refinery fire, drone attack rumours in news vacuum

2026-04-15T19:30:00+00:00

At 11pm local time in eastern Australia, a huge fire broke out at the Viva Energy refinery in Corio, Geelong.

There has been a near-total news vacuum. This may be deliberate or it may be a consequence of cost-cutting that has replaced many journalists with artificial intelligence. The few human journalists who remain in the profession may have already gone to bed when the fire started.

The national broadcaster, the ABC, was quick to include it in their list of breaking news items but without much detail. About three hours after the fire started, it was present on the web site of 9 News but not visible on the web sites of 7 News, Herald Sun or The Age. About five hours after the fire started, the local newspaper Geelong Advertiser included it in their Facebook account.

The story is newsworthy for a number of reasons. Australia previously had eight refineries but six of them were phased out and never replaced. Australia relies on foreign refineries for over eighty percent of fuel. With the Corio refinery out of action, there is only one domestic refinery left. Therefore, it is surprising the news media have been so slow to pick up the story.

The next big reason it is newsworthy is the war in Iran.

None of the news reports have commented on the fact that Richard Marles, the deputy prime minister and the minister for defence is the local member of parliament for the region where the refinery is located.

In the news vacuum, people have been quick to share rumours on social control media. Some people are speculating about the prospect of a drone attack. In Europe last year there were reports about Russian drones launched from cargo ships in international waters and interfering with European airports. Other reports have speculated about cargo ships using their anchors to sabotage pipelines and communications cables on the sea floor. France intercepted and seized a ship connected with Russia.

Another user on social control media has commented that there was a technical incident at the plant earlier in the day and the fire could be nothing more than an accident.

People would be wise not to jump to conclusions. Even if it is a terror attack, it may not be Iran. In recent news reports, Russia announced they had the right to attack any countries who are sending support to Ukraine. The French company Thales manufacturers the BushMaster armored personnel carriers in Bendigo and the government donated some of them to Ukraine. Low cost cardboard drones manufactured in Australia have also been donated to Ukraine.

Looking for work

2026-04-14T16:44:00+00:00

It seems my own plans and life's plans diverged this spring, so I am in the market for a new job. So if you're looking for someone with a long track record making your code go brrr really fast, give me a ping (contact information at my homepage). Working from Oslo (on-site or remote), CV available upon request. No AI boosterism or cryptocurrency grifters, please :-)

Free software activity in March 2026

2026-04-12T10:13:15+00:00

My Debian contributions this month were all sponsored by Freexian.

You can also support my work directly via Liberapay or GitHub Sponsors.

OpenSSH

I fixed CVE-2026-3497 in unstable, thanks to a fix in Ubuntu by Marc Deslauriers. Relatedly, I applied an Ubuntu patch by Athos Ribeiro to not default to weak GSS-API exchange algorithms.

I’m looking forward to being able to split out GSS-API key exchange support in OpenSSH once Ubuntu 26.04 LTS has been released! This stuff will still be my problem, but at least it won’t be in packages that nearly everyone has installed.

Python packaging

New upstream versions:

dill
django-modeltranslation
isort
langtable
pathos
pendulum
pox
ppft
pydantic-extra-types
pytango
python-asyncssh
python-datamodel-code-generator
python-evalidate
python-packaging (including fixes for python-hatch-requirements-txt and python-pyproject-examples)
python-zxcvbn-rs-py
rpds-py
smart-open
trove-classifiers

I packaged pybind11-stubgen, needed for new upstream versions of pytango. Tests of reproducible builds revealed that it didn’t generate imports in a stable order; I contributed a fix for that upstream.

I worked with the security team to release DSA-6161-1 in multipart, fixing CVE-2026-28356 (upstream discussion). (Most of the work for this was in February, but the vulnerability was still embargoed when I published my last monthly update.)

In trixie-backports, I updated pytest-django to 4.12.0.

I fixed a number of packages to support building with pyo3 0.28:

pendulum
pydantic-core
python-jellyfish
python-zxcvbn-rs-py
rpds-py

Other build/test failures:

Rust packaging

New upstream versions:

rust-rpds

Other bits and pieces

I upgraded tango to 10.1.2, and yubihsm-shell to 2.7.2.

Code reviews

python-backports.zstd: Obsolete with Python 3.14 (sponsored partial fix from YOKOTA Hiroshi)

Reproducible Builds in March 2026

2026-04-10T16:13:12+00:00

Welcome to the March 2026 report from the Reproducible Builds project!

These reports outline what we’ve been up to over the past month, highlighting items of news from elsewhere in the increasingly-important area of software supply-chain security. As ever, if you are interested in contributing to the Reproducible Builds project, please see the Contribute page on our website.

Linux kernel hash-based integrity checking proposed

Eric Biggers posted to the Linux Kernel Mailing List in response to a patch series posted by Thomas Weißschuh to introduce a calculated hash-based system of integrity checking to complement the existing signature-based approach. Thomas’ original post mentions:

The current signature-based module integrity checking has some drawbacks in combination with reproducible builds. Either the module signing key is generated at build time, which makes the build unreproducible, or a static signing key is used, which precludes rebuilds by third parties and makes the whole build and packaging process much more complicated.

However, Eric’s followup message goes further:

I think this actually undersells the feature. It’s also much simpler than the signature-based module authentication. The latter relies on PKCS#7, X.509, ASN.1, OID registry, crypto_sig API, etc in addition to the implementations of the actual signature algorithm (RSA / ECDSA / ML-DSA) and at least one hash algorithm.

Distribution work

In Debian this month,

Lucas Nussbaum announced Debaudit, a “new service to verify the reproducibility of Debian source packages”:

debaudit complements the work of the Reproducible Builds project. While reproduce.debian.net focuses on ensuring that binary packages can be bit-for-bit reproduced from their source packages, debaudit focuses on the preceding step: ensuring that the source package itself is a faithful and reproducible representation of its upstream source or Vcs-Git repository.
kpcyrd filed a bug against the librust-const-random-dev package reporting that the compile-time-rng feature of the ahash crate uses the const-random crate in turn, which uses a macro to read/generate a random number generator during the build. This issue was also filed upstream.
60 reviews of Debian packages were added, 4 were updated and 16 were removed this month adding to our knowledge about identified issues. One new issue types was added, pkgjs_lock_json_file_issue.

Lastly, Bernhard M. Wiedemann posted another openSUSE monthly update for their work there.

Tool development

diffoscope is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues. This month, Chris Lamb made a number of changes, including preparing and uploading versions, 314 and 315 to Debian.

Chris Lamb:
- Don’t run test_code_is_black_clean test in the autopkgtests. (#1130402). […]
- Add some debugging info for PyPI debugging. […]
Jelle van der Waa:
- Fix compatibility with LLVM version 22. […]
- Adjust the PGP file detection regular expression. […]
Michael R. Crusoe:
- Reformat the source code using Black version 26.1.0 […][…]

In addition, Vagrant Cascadian updated diffoscope in GNU Guix to version 315.

rebuilderd, our server designed monitor the official package repositories of Linux distributions and attempt to reproduce the observed results there; it powers, amongst other things, reproduce.debian.net.

A new version, 0.26.0, was released this month, with the following improvements:

Much smoother onboarding/installation.
Complete database redesign with many improvements.
New REST HTTP API.
It’s now possible to artificially delay the first reproduce attempt. This gives archive infrastructure more time to catch up.
And many, many other changes.

Upstream patches

The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:

Bernhard M. Wiedemann:
- minify (rust random HashMap) / (alternative by kpcyrd)
- rpm-config-SUSE (toolchain)
Chris Lamb:
- #1129544 filed against python-nxtomomill.
- #1130622 filed against dh-fortran.
- #1130623 filed against python-discovery.
- #1130666 filed against kanboard.
- #1131168 filed against moltemplate.
- #1131384 filed against stacer.
- #1131385 filed against libcupsfilters.
- #1131395 filed against django-ninja.
- #1131403 filed against python-agate.
- #1132074 filed against aetos.
- #1132508 filed against python-bayespy.
kpcyrd:
- cargo (HashMap random order issue; more info)

Documentation updates

Once again, there were a number of improvements made to our website this month including:

kpcyrd:
- Add a new page about Rust specifics. […][…][…]
Robin Candau:
- Add link to the diffoci Arch Linux package on the Tools page. […]
Timo Pohl:
- Add new From Constrictor to Serpent: Investigating the Threat of Cache Poisoning in the Python Ecosystem paper to the Academic publications page. […]
- Add GitLab registration confirmation to How to join the Salsa group page. […]

Two new academic papers

Marc Ohm, Timo Pohl, Ben Swierzy and Michael Meier published a paper on the threat of cache poisoning in the Python ecosystem:

Attacks on software supply chains are on the rise, and attackers are becoming increasingly creative in how they inject malicious code into software components. This paper is the first to investigate Python cache poisoning, which manipulates bytecode cache files to execute malicious code without altering the human-readable source code. We demonstrate a proof of concept, showing that an attacker can inject malicious bytecode into a cache file without failing the Python interpreter’s integrity checks. In a large-scale analysis of the Python Package Index, we find that about 12,500 packages are distributed with cache files. Through manual investigation of cache files that cannot be reproduced automatically from the corresponding source files, we identify classes of reasons for irreproducibility to locate malicious cache files. While we did not identify any malware leveraging this attack vector, we demonstrate that several widespread package managers are vulnerable to such attacks.

A PDF of the paper is available online.

Mario Lins of the University of Linz, Austria, has published their PhD doctoral thesis on the topic of Software supply chain transparency:

We begin by examining threats to the software distribution stage — the point at which artifacts (e.g., mobile apps) are delivered to end users — with an emphasis on mobile ecosystems [and] we next focus on the operating system on mobile devices, with an emphasis on mitigating bootloader-targeted attacks. We demonstrate how to compensate lost security guarantees on devices with an unlocked bootloader. This allows users to flash custom operating systems on devices that no longer receive security updates from the original manufacturer without compromising security. We then move to the source code stage. [Also,] we introduce a new architecture to ensure strong source-to-binary correspondence by leveraging the security guarantees of Confidential Computing technology. Finally, we present The Supply Chain Game, an organizational security approach that enhances standard risk-management methods. We demonstrate how game-theoretic techniques, combined with common risk management practices, can derive new criteria to better support decision makers.

A PDF of the paper is available online.

Misc news

On our mailing list this month:

Holger Levsen announced that this year’s Reproducible Builds summit will almost certainly be held in Gothenburg, Sweden, from September 22 until 24, followed by two days of hacking. However, these dates are preliminary and not 100% final — an official announcement is forthcoming.
Mark Wielaard posted to our list asking a question on the difference between debugedit and relative debug paths based on a comment on the Build path page: “Have people tried more modern versions of debugedit to get deterministic (absolute) DWARF paths and found issues with it?

Finally, if you are interested in contributing to the Reproducible Builds project, please visit our Contribute page on our website. However, you can get in touch with us via:

IRC: #reproducible-builds on irc.oftc.net.
Mastodon: @reproducible_builds@fosstodon.org
Mailing list: rb-general@lists.reproducible-builds.org

AI Hacking the Planet

2026-04-10T12:27:10+00:00

A colleague asked me if we should move all our money to our pillow cases after reading the latest AI editorial from Thomas Friedman. The article reads like a press release from Anthropic, repeating the claim that their latest AI model is so good at finding software vulnerabilities that it is a danger to the world.

I think I now know what it’s like to be a doctor who is forced to watch Gray’s Anatomy.

By now every journalist should be able to recognize the AI publicity playbook:

Step 1: Start with a wildly unsubstantiated claim about how dangerous your product is:

~~AI will cause human extinction before we have a chance to colonize mars~~ (remember that one? Even Kim Stanley Robinson, author of perhaps the most compelling science fiction on colonizing mars calls bull shit on it).

~~AI will eliminate all of our jobs~~ (this one was extremely effective at providing cover for software companies laying off staff but it has quickly dawned on people that the companies that did this are living in chaos not humming along happily with functional robots)

AI will discover massive software vulnerabilities allowing bad actors to “hack pretty much every major software system in the world”. (Did Friedman pull that directly from Anthropic’s press release or was that his contribution?)

Step 2: To help stave off human collapse, only release the new version to a vetted group of software companies and developers, preferably ones with big social media followings

Step 3: Wait for the limited release developers to spew unbridled enthusiasm and shocking examples that seem to suggest this new AI produce is truly unbelievable

Step 4: Watch stock prices and valuations soar

Step 5: Release to the world, and experience a steady stream of mockery as people discover how wrong you are

Step 6: Start over

Even if Friedman missed the text book example of the playbook, I have to ask: if you think bad actors compromising software resulting in massive loss of private data, major outages and wasted resources needs to be reported on, then where have you been for the last 10 years? This literally happens on a daily basis due to the fundamentally flawed way capitalism has been writing software even before the invention of AI. A small part of me wonders - maybe AI writing software is not so bad, because how could it be any worse than it is now?

Also, let’s keep in mind that AI’s super ability at finding vulnerable software depends on having access to the software’s source code, which most companies keep locked up tight. That means the owners of the software can use AI to find vulnerabilities and fix them but bad actors can’t.

Oh, but wait, what if a company is so incompetent that they accidentally release their proprietary software to the Internet?

Surely that would allow AI bots to discover their vulnerabilities and destroy the company right? I’m not sure if anyone has discovered world ending vulnerabilities in Anthropic’s Claude code since it was accidentally released, but it is fun to watch people mock software that is clearly written by AI (and spoiler alert, it seems way worse that software written now).

Well… we probably should all be keeping our money in a pillow case anyway.

nvim-µwiki

2026-04-08T20:31:44+00:00

In January 2025, as a pre-requisite for something else, I published a minimal neovim plugin called nvim-µwiki. It's essentially just the features from vimwiki that I regularly use, which is a small fraction them. I forgot to blog about it. I recently dusted it off and cleaned it up. You can find it here, along with a longer list of its features and how to configure it: https://github.com/jmtd/nvim-microwiki

I had a couple of design goals. I didn't want to define a new filetype, so this is designed to work with the existing markdown one. I'm using neovim, so I wanted to leverage some of its features: this plugin is written in Lua, rather than vimscript. I use the parse trees provided by TreeSitter to navigate the structure of a document. I also decided to "plug into" the existing tag stack navigation, rather than define another dimension of navigation (along with buffers, etc.) to track: Following a wiki-link pushes onto the tag stack, just as if you followed a tag.

This was my first serious bit of Lua programming, as well as my first dive into neovim (or even vim) internals. Lua is quite reasonable. Most of the vim and neovim architecture is reasonable. The emerging conventions about structuring neovim plugins are mostly reasonable. TreeSitter is, well, interesting, but the devil is very much in the details. Somehow all together the experience for me was largely just frustrating, and I didn't really enjoy writing it.

My Debian Activities in March 2026

2026-04-06T17:45:48+00:00

Debian LTS/ELTS

This was my hundred-forty-first month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.

During my allocated time I uploaded or worked on:

[DLA 4500-1] gimp security update to fix four CVEs related to denial of service or execution of arbitrary code.
[DLA 4503-1] evolution-data-server to fix one CVE related to a missing canonicalization of a file path.
[DLA 4512-1] strongswan security update to fix one CVE related to a denial of service.
[ELA-1656-1] gimp security update to fix four CVEs in Buster and Stretch related to denial of service or execution of arbitrary code.
[ELA-1660-1] evolution-data-server security update to fix one CVE in Buster and Stretch related to a missing canonicalization of a file path.
[ELA-1665-1] strongswan security update to fix one CVE in Buster related to a denial of service.
[ELA-1666-1] libvpx security update to fix one CVE in Buster and Stretch related to a denial of service or potentially execution of arbitrary code.

I also worked on the check-advisories script and proposed a fix for cases where issues would be assigned to the coordinator instead of the person who forgot doing something. I also did some work for a kernel update and packages snapd and ldx on security-master and attended the monthly LTS/ELTS meeting. Last but not least I started to work on gst-plugins-bad1.0

Debian Printing

This month I uploaded a new upstream versions:

… epson-inkjet-printer-escpr to unstable.
… sane-airscan to unstable.
… printer-driver-oki to unstable.

Several packages take care of group lpadmin in their maintainer scripts. With the upload of version 260.1-1 of systemd there is now a central package (systemd | systemd-standalone-sysusers | systemd-sysusers) that takes care of this. Other dependencies like adduser can now be dropped.

This work is generously funded by Freexian!

Debian Lomiri

This month I continued to work on unifying packaging on Debian and Ubuntu. This makes it easier to work on those packages independent of the used platform. I am also able to upload Debian packages to the corresponding Ubuntu PPA now. A small bug had to be fixed in the python script to allow the initial configuration in Launchpad.

This work is generously funded by Fre(i)e Software GmbH!

Debian Astro

This month I uploaded a new upstream version or a bugfix version of:

… libplayerone to experimental. For a list of other packages please see below.

I also uploaded lots of indi-drivers (libplayerone, libsbig, libricohcamerasdk, indi-asi, indi-eqmod, indi-fishcamp, indi-inovaplx, indi-pentax, indi-playerone, indi-sbig, indi-mi, libahp-xc, indi-aagcloudwatcher, indi-aok, indi-apogee, libapogee3, indi-nightscape, libasi, libinovasdk, libmicam, indi-avalon, indi-beefocus, indi-bresserexos2, indi-dsi, indi-ffmv, indi-fli, indi-gige, info-gphoto, indi-gpsd, indi-gpsnmea, indi-limesdr, indi-maxdomeii, indi-mgen, indi-rtklib, indi-shelyak, indi-starbook, indi-starbookten, indi-talon6, indi-weewx-json, indi-webcam, indi-orion-ssg3, indi-armadillo-playtypus ) to experimental to make progress with the indi-transition. No problems with those drivers appeared and the next step would be the upload of indi version 2.x to unstable. I hope this will happen soon, as new drivers are already waiting in the pipeline. There have been also four packages, that migrated to the official indi package and are no longer needed as 3rdparty drivers (indi-astrolink4, indi-astromechfoc, indi-dreamfocuser, indi-spectracyber).

While working on these packages, I thought about testing them. Unfortunately I don’t have enough hardware to really check out every package, so I can upload most of them only as is. In case anybody is interested in a better testing coverage and me being able to provide upstream patches, I would be very glad about hardware donations.

Debian IoT

This month I uploaded a new upstream version or a bugfix version of:

… pywws to unstable.

Debian Mobcom

This month I uploaded a new upstream version or a bugfix version of:

… osmo-trx to unstable.

misc

This month I uploaded a new upstream version or a bugfix version of:

… cc-tool to unstable.
… mailio to unstable.
… gnupg-pkcs11-scd to unstable.
… odoo to unstable.

I also sponsored the upload of Matomo. Thanks a lot to William for preparing the package.

Simple gpx export from ridewithgps

2026-04-04T17:21:00+00:00

The Tour de Los Padres is coming! The race organizer post the route on ridewithgps. This works, but has convoluted interfaces for people not wanting to use their service. I just wrote a simple script to export their data into a plain .gpx file, including all the waypoints; their exporter omits those.

I've seen two flavors of their data, so here're two flavors of the gpx-from-ridewithgps.py script:

#!/usr/bin/python3
import sys
import json

def quote_xml(s):
    return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")

print("Reading stdin", file=sys.stderr)
data = json.load(sys.stdin)

print(r"""<?xml version="1.0" encoding="UTF-8"?>
<gpx version="1.1" creator="gpx-from-ridewithgps.py" xmlns="http://www.topografix.com/GPX/1/1">""")

for item in data["extras"]:
    if item["type"] != "point_of_interest":
        continue
    poi = item["point_of_interest"]
    print(f'  <wpt lat="{poi["lat"]}" lon="{poi["lng"]}">')
    print(f'    <name>{quote_xml(poi["name"])}</name>')

    desc = poi.get("description","")
    if len(desc):
        print(f'    <desc>{quote_xml(desc)}</desc>')
    print(f'  </wpt>')

print("  <trk><trkseg>")
for pt in data.get("route", {}).get("track_points", []):
    print(f'    <trkpt lat="{pt["y"]}" lon="{pt["x"]}"><ele>{pt["e"]}</ele></trkpt>')
print("  </trkseg></trk>")

print("</gpx>")

#!/usr/bin/python3
import sys
import json

def quote_xml(s):
    return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")

print("Reading stdin", file=sys.stderr)
data = json.load(sys.stdin)

print(r"""<?xml version="1.0" encoding="UTF-8"?>
<gpx version="1.1" creator="gpx-from-ridewithgps.py" xmlns="http://www.topografix.com/GPX/1/1">""")

for poi in data["points_of_interest"]:
    print(f'  <wpt lat="{poi["lat"]}" lon="{poi["lng"]}">')
    print(f'    <name>{quote_xml(poi["name"])}</name>')

    desc = poi.get("description","")
    if len(desc):
        print(f'    <desc>{quote_xml(desc)}</desc>')
    print(f'  </wpt>')

for poi in data["course_points"]:
    print(f'  <wpt lat="{poi["y"]}" lon="{poi["x"]}">')
    print(f'    <name>{quote_xml(poi["n"])}</name>')
    print(f'  </wpt>')

print("  <trk><trkseg>")
for pt in data['track_points']:
    print(f'    <trkpt lat="{pt["y"]}" lon="{pt["x"]}"><ele>{pt["e"]}</ele></trkpt>')
print("  </trkseg></trk>")

print("</gpx>")

You invoke it by downloading the route and feeding it into the script:

curl -s https://ridewithgps.com/routes/54493422.json | ./ridewithgps-to-gpx.py > out.gpx

Note that the route number 54493422 is in the url above.

Building a house - 1 year in

2026-04-02T21:23:23+00:00

Haven’t written here about it, but last March we finally started on our journey to get our own house build, so we can move out of the rented flat here.

That will be a big step, both the actual building, but also the moving - I am living at this one single place for 36 years now.

If you can read german there is a dedicated webpage where I sometimes write about the process. Will have much more details (and way more ramblings) than the following part.

If you can’t read german, a somewhat short summary follows. Yes, still a lot of text, but shortened, still.

What? Why now?

Current flat has 83m² - which simply isn’t enough space. And the number of rooms also doesn’t fit anymore. But it is hard to find a place that fits our requirements (which do include location).

Moving to a different rented place would also mean changed amount of rent. And nowadays that would be huge increase (my current rent is still the price from about 30 years ago!).

So if we go and pay more - we could adjust and pay for something we own instead. And both, my wife and I had changes in our jobs that made it possible for us now, so we started looking.

Market

Brrrr, looking is good, actually finding something that fits - not so. We never found an offer that fit. Space wise, sure. But then location was off, or price was idiotically high. Location fit, but then size was a joke, and guess about the price… Who needs 200 square meters with 3 rooms? Entirely stupid design choices there. Or how about 40 square meters of hallway - with 50m² of tiny rooms around. What are they smoking? Oh, there, useful size, good rooms - but now you want more money than a kidney is worth, or something. Thanks, no.

New place

In February 2025 we finally got lucky and found a (newly opened) area with a large number of places to build a house on. Had multiple talks with someone from on of the companies developing that area (there are two you can select from), then talked with banks and signed a contract in March 2025. We got promised that actual house construction would be first quarter of 2026, finished in second quarter.

House type

There are basically 2 ways of building a new house (that matter here). First is called “Massivhaus”, second is called “Fertighaus” in german, roughly translating to solid and prefabricated. The latter commonly a wood based construction, though it doesn’t need to be. The important part of it is the prefabrication, walls and stuff get assembled in a factory somewhere and then transported to your place, where they play “big kid lego” for a day and suddenly a house is there.

A common thought is “prefabricated” is faster, but that is only a half true. Sure, the actual work on side is way shorter - usually one or two days and the house is done - while a massive construction usually takes weeks to build up. But that is only a tiny part of the time needed, the major part goes of into planning and waiting and in there it doesn’t matter what material you end up with.

Money fun

Last year already wasn’t the best time to start a huge loan - but isn’t it always “a few years ago would have been better”? So we had multiple talks with different banks and specialised consultants until we found something that we thought is good for us.

Thinking about it now - we should have put even more money on top as “reserve”, but who could have thought that 2026 turns into such a shitshow? Does not help at all, quite the contrary. And that damn lotto game always ends up with the wrong numbers, meh.

Plans and plans and more plans - and rules

For whichever reason you can not just go and put something on your ground and be happy. At least not if you are part of the normal people and not enormously rich. There is a large set of rules to follow. Usually that is a good thing, even though some rules are sometimes hard to understand.

In Germany, besides the usual laws, we have something that is called “Bebauungsplan”, which translates to “development plan” (don’t know if that carries the right meaning, it’s a plan on what and how may be build, which can have really detailed specifications in). It basically tells you every aspect on top of the normal law that you have to keep in mind.

In our case we have the requirement of 2 full floors and CAN have a third smaller on top, it limits how high the house can be and also how high our ground floor may be compared to the street. It regulates where on the property we may build and how much ground we may cover with the house, it gives a set of colors we are allowed to use, it demands a flat roof that we must have as a green roof and has a number of things more that aren’t important enough to list here. If you do want to see the full list, my german post on it has all the details that matter to us.

With all that stuff in mind - off to plans. Wouldn’t have believed how many details there are to take in. Room sizes are simple, but how to arrange them for ideal usage of the sun, useful ways inside the house, but also keeping in mind that water needs to flow through and out. Putting a bath room right atop a living room means a water pipe needs to go down there. Switch the bath room side in the house, and it suddenly is above the kitchen - means you can connect the pipes from it to the ones from kitchen, which is much preferred than going through the living room. And lots more such things.

It took us until nearly end of October to finalize the plans! And we learned a whole load from it. We started with a lot of wishes. The planner tried to make them work. Then we changed our minds. Plans changed. Minds changed again. Comparing the end result with the first draft we changed most of the ground floor around, with only the stairs and the entrance door at the same position. Less changes for the upper floor, but still enough.

Side quests

The whole year was riddled with something my son named side quests. We visited a construction exhibition near us, we went to the house builders factory and took a look on how they work. We went to many different other companies that do SOME type of work which we need soon, say inside floors, painters, kitchen and more stuff.

Of course the most important side quest was a visit to the notary to finalize the contracts, especially for the plot of land (in Germany you must have a notary for that to get entered into the governments books). Creates lots of fees, of course, for the notary and also the government (both fees and taxes here).

Building permit

We had been lucky and only needed a small change to the plans to get the building permit - and the second part, the wastewater permit (yes, you need a separate one for this) also got through without trouble.

Choices, so many of them

So in January we finally had an appointment for something that’s called “Bemusterung” which badly translates to “Sampling”. Basically two days at the house builders factory to select all of what’s needed for the house that you don’t do in the plans. Doors, inside and out and their type and color and handles. Same things for the windows and the blinds and the protection level you want the windows to have. Decide about stairs, design for the sanitary installations - and also the height of the toilet! - and the tiles to put into the bathrooms. Decisions on all the tech needed (heating system, ventilation and whatnot.

Two days, busy ones - and you can easily spend a lot of extra money here if you aren’t careful. We managed to get “out of it” with only about 4000€ extra, so pretty good.

Electro and automation

Now, here I am special. Back when I was young the job I learned is electrician. So here I have very detailed wishes. I am also running lots of automatism in my current flat - obviously the new house should be better than that. So I have a lot of ideas and thoughts on it, so this is entirely extra and certainly out of the ordinary the house builder usually see.

Which means I do all of that on my own. Well, the planning and some of the work, I must have a company at hand for certain tasks, it is required by some rules. But they will do what I planned, as long as I don’t violate regulations.

Which means the whole electrical installation is … different. Entirely planned for automatisms and using KNX for it. I am so happy to ditch Homeassistant and the load of Homematic, Zigbee and ZWave based wireless things.

Ok, Homeassistant is a nice thing - it can do a lot. And it can bridge between about any system you can find. But it is a central single point of failure. And it is a system that needs constant maintenance. Not touched for a while? Plan for a few hours playing update whack-a-mole. And often enough a component here or there breaks with an update. Can be fixed, but takes another hour or two.

So I change. Away from wireless based stuff. To wires. To a system thats a standard for decades already. And works entirely without a SPOF. (Yes, you can add one here too). And, most important, should I ever die - can easily be maintained by anyone out there dealing with KNX, which is a large number of people and companies. Without digging through dozens of specialised integrations and whatnot.

I may even end up with Homeassistant again - but that will entirely be as a client. It won’t drive automations. It won’t be the central point to do anything for the house. It will be a logging and data collecting thing that enables me to put up easy visualizations. It may be an easy interface for smartphones or tablets to control parts of the house, for those parts where one wants this to happen. Not the usual day-to-day stuff, extras on top.

Actual work happening

Since march there finally is action visible. The base of the house is getting build. Wednesday the 1st April we finally got the base slab poured on the construction site and in another 10 days the house is getting delivered and build up. A 40ton mobile crane will be there.

banning all Anthropic employees

2026-04-01T16:41:33+00:00

Per my policies, I need to ban every employee and contractor of Anthropic Inc from ever contributing code to any of my projects. Anyone have a list?

Any project that requires a Developer Certificate of Origin or similar should be doing this, because Anthropic is making tools that explicitly lie about the origin of patches to free software projects.

UNDERCOVER MODE â€” CRITICAL

You are operating UNDERCOVER in a PUBLIC/OPEN-SOURCE repository. [...] Do not blow your cover.

NEVER include in commit messages or PR descriptions:

[...] The phrase 'Claude Code' or any mention that you are an AI
Co-Authored-By lines or any other attribution

-- via @vedolos

FOSS activity in March 2026

2026-04-01T15:30:53+00:00

Debian packages:
- firmware-nonfree:
  - Bugs:
  - Merge requests:
    - opened and merged !140: Update to 20260309
    - opened and merged !141: Clean up packaging (from Nicolas Boulenguez)
    - opened !142: Replace copy-firmware.sh; install files and generate metainfo.xml at build time
  - Uploads:
    - uploaded version 20260110-1~bpo13+1 to trixie-backports
    - uploaded version 20260221-1 to unstable
    - uploaded version 20260221-1~bpo13+1 to trixie-backports
    - uploaded version 20260309-1 to unstable
- hexagon-dsp-binaries:
  - Bugs:
    - replied to and reassigned #1130844: firmware-qcom-soc depends on unavailable package firmware-qcom-dsp
- initramfs-tools:
  - Merge requests:
- libtirpc:
  - Bugs:
    - replied to and reassigned #1132176: rpc.mountd: symbol lookup error: rpc.mountd: undefined symbol: rpc_gss_getcred, version TIRPC_0.3.0
- libvirt:
  - Bugs:
    - replied to and reassigned #1130974: libvirt: Should use nftables for IP masquerading to work with PREEMPT_RT
- linux:
  - Bugs:
  - Merge requests:
    - reviewed !1842: Merge kernel-wedge and use directly
    - reviewed and merged !1849: Cleanup installer
    - merged !1853: [amd64] drivers/platform/x86/uniwill: Enable UNIWILL_LAPTOP as module
    - opened and merged !1854: Fix ordering of kernel version strings for multiple Debian revisions
    - reviewed and closed !1857: crypto: padlock-sha - Disable for Zhaoxin processor
    - opened !1862: Fix regressions in debian/bin/test-patches
    - opened !1865: Draft: hyperv-daemons: Build using upstream Makefile; install hv_fcopy_uio_daemon
  - (LTS) worked on backports to 5.10 and 6.1 of the fixes for “CrackArmor” security flaws
  - Uploads:
    - (LTS) uploaded version 5.10.251-1 to bullseye-security
    - uploaded version 6.12.74-2~bpo12+1 to bookworm-backports
    - uploaded version 6.18.15-1~bpo13+1 to trixie-backports
    - uploaded version 6.19.6-2~bpo13+1 to trixie-backports
    - uploaded version 6.19.8-1~bpo13+1 to trixie-backports
- (LTS) linux-6.1:
  - Uploads:
    - uploaded version 6.1.164-1~deb11u1 to bullseye-security
- linux-base:
  - Uploads:
    - uploaded version 4.12.1~bpo12+1 to bookworm-backports
- sgt-puzzles:
  - Bugs:
  - Uploads:
    - uploaded version 20250730.a7c7826-1 to unstable
- wireless-regdb:
  - Uploads:
    - (LTS) uploaded version 2026.02.04-1~deb11u1 to bullseye-security
Debian non-packages:
- kernel-team:
  - added script to show status of all kernel team backports
- pipeline:
  - Issues:
    - opened #552: piuparts job fails to install dependencies outside of main
Mailing lists:
- debian-kernel:
  - posted and replied to Agenda items for kernel-team meeting on 2026-03-18
  - replied to How is “keep two last kernels” policy implemented?
- debian-lts-announce:
- linux-bluetooth:
  - (LTS) replied to [PATCH v3] Bluetooth: L2CAP: Fix invalid response to L2CAP_ECRED_RECONF_REQ
- netdev:
  - (LTS) replied to [PATCH net v2] net: consume xmit errors of GSO frames
- stable/patches:
  - (LTS) reviewed 5.10.252 and replied to various patches included in it

Losing Debian: Sruthi Chandran election flop

2026-04-01T13:30:00+00:00

The fact that only one candidate is running in the Debianism elections gives a stark reminder about the state of the so-called community. The main reason why other people did not contest the election is because of fear. Fear of a circle of reprisals that began when Adrian von Bidder-Senn died on our wedding day.

When CentOS died, people tried to carry on in various ways. That tells us a lot about human psychology. People knew the game was over but they tried to continue as if it was business as usual, as if the situation could be salvaged, as if it was only a temporary crisis.

Due to years of censorship, including the payment of $120,000 to steal Debian-related domain names, the Debianists have been living in a bubble and deluding themselves. When Sruthi Chandran nominated on Friday 13th, people acted as if this was a good thing.

Now Sruthi has stopped answering questions on the Debian-vote mailing list and it seems reality has started to sink in. People are coming to realize that the position of Debian Project Leader is the interface between Debianism and the outside world. People can fool themselves and use the Code of Conduct gaslighting to blackmail other volunteers to pretend that Sruthi is a great leader. People are coming to realise that these tricks won't work on the wider community. Given that Sruthi would be Debian's interface to the outside world, we can't just ignore how the world views the candidate who is the wife of another developer.

She has ignored the most serious questions on Debian-vote mailing list. A woman trying to run Debian from a social control media account is the death of Debian. Here is a tally of the number of replies she provided each day for those who use email, the mainstay of Debian communication:

Day	Count
14 March	0
15 March	0
16 March	0
17 March	4
18 March	0
19 March	0
20 March	0
21 March	3
22 March	1
23 March	0
24 March	7
25 March	0
26 March	0
27 March	0
28 March	0
29 March	0
30 March	0
31 March	0

That is a total of only 15 replies. She has been largely silent for a whole week since 24 March.

Technically, questions and their answers are supposed to be completed before midnight on Friday, 3 April. The most critical questions have not been answered. In her platform, Sruthi Chandran boasts about being the "Chief orga DebConf India 2023" but there has never been an official report about the death of Abraham Raji at the conference.

Voting runs from 4 April to 17 April, which is the 15th anniversary of the day Adrian von Bidder-Senn died on our wedding day. It was discussed like a copy-cat suicide but there was no official report about those deaths either.

Remember the words from Abraham Raji himself:

Everything in Debian is transparent, all forms of official communication are a matter of public record, the amount of unresolved bugs, every step taken by debian as an organization, everything is in the open! I appreciate that from my distribution. There is no room for underhand corporate deals, no unfair treatment behind private mails and everything can be reviewed by the public.

Does Sruthi Chandran spend more time in debian-private (leaked) and WhatsApp groups than the public communication channels that Debian is supposed to be using?

Sruthi Chandran's platform tells us she wants to put diversity ahead of traditional goals like freedom and security. She has been very vague about this. As a consequence, more evidence is going to be published during the voting period to prove that Debian "diversity" means some men who did the real work are not being given credit while some large sums of money were assigned to the wives and girlfriends of cabal members.

I've never stated whether people should vote for Sruthi Chandran or not. Looking at the tone of the discussion, I feel people are coming to realise the way the outside world views candidates like this is not the same way that people view it from inside the bubble.

Consider the irony: they spent all that money in arguments about leaks that are "tarnishing" the trademark. The implication of these arguments about tarnishing is that the way the outside world views Debianism does matter. Can anybody see the risk that Sruthi Chandran and a lop-sided diversity crusade could do far more to tarnish the trademark than any leaks that have appeared up to this moment?

Debian may not die exactly the same way that CentOS died. At some point, as with CentOS, we will go past the point of no return. Maybe we already did. Will people have the courage to ask questions before that threshold is crossed or will they continue acting as if nothing is wrong even long after the life support system has been unplugged from the corpse?

Remember, Debianists gave over $120,000 in kill money to racist Swiss lawyerists to attack my family but they didn't pay Abraham Raji anything for the work he did helping organise DebConf23. When Raji joined the other developers on the day trip, they asked him to contribute some of his own money, he was left behind to swim alone and he drowned. Yet the lawyerists were given $120,000.

The best way to encourage people to nominate for the election will be for the existing leader, Andreas Tille, to withdraw all the privacy attacks, settle the lawsuits proactively and ensure the next leader can walk in and find the desk is clean ready to work on productive things.

Don't hold your breath waiting for transparency about these attacks on my family. There is still time to watch my video and contribute to the crowdfunding campaign.

Quote #75514

2026-03-31T21:13:00+00:00

Although I never submitted to it, I made several appearances in the now-defunct quote database on bash.org (QDB). I’m dealing with a broken keyboard now, and went to dig hard to find this classic in the Wayback machine. I thought I would put it back on the web:

<mako> my letter "eye" stopped worng
<luca> k, too?
<mako> yeah
<luca> sounds like a mountain dew spill
<mako> and comma
<mako> those three
<mako> ths s horrble
<luca> tme for a new eyboard
<luca> 've successfully taen my eyboard apart and fxed t by cleanng t wth alcohol
<mako> stop mang fun of me
<mako> ths s a laptop!

It was, in fact, horrble.

Finding: Promoting SeaBIOS Cloud Images to UEFI Secure Boot (Proxmox)

2026-03-31T21:03:24+00:00

Discovery

Legacy cloud templates often lack the partitioning and bootloader
binaries required for UEFI Secure Boot. Attempting to switch such a VM
to OVMF in Proxmox results in “not a bootable disk.” We discovered that
a surgical promotion is possible by manipulating the block device and
EFI variables from the hypervisor.

The Problem

Protective MBR Flags: Legacy installers often set
the pmbr_boot flag on the GPT’s protective MBR. Strict UEFI
implementations (OVMF) will ignore the GPT if this flag is present.
Missing ESP: Cloud images often lack a FAT32 EFI
System Partition (ESP).
Variable Store: A fresh Proxmox
efidisk0 is empty and lacks both the trust certificates
(PK/KEK/db) and the BootOrder entries required for an automated
boot.

The “Promotion” Rule

To upgrade a SeaBIOS VM to Secure Boot without a full OS reinstall:
1. Surgical Partitioning: Map the disk on the host and
add a FAT32 partition (Type EF00). Clear the
pmbr_boot flag from the MBR. 2. Binary
Preparation: Boot the VM in SeaBIOS mode to install
shim and grub-efi packages. Use
grub2-mkconfig to populate the new ESP. 3. Trust
Injection: Use the virt-fw-vars utility on the
hypervisor to programmatically enroll the Red Hat/Microsoft CA keys and
any custom certificates (e.g., FreeIPA CA) into the VM’s
efidisk. 4. Boot Pinning: Explicitly set
the UEFI BootOrder to point to the shimx64.efi
path via virt-fw-vars --append-boot-filepath.

Solution (Example Command
Sequence)

On the Proxmox Host (root):

# Map and Clean MBR
DEV=$(rbd map pool/disk)
parted -s $DEV disk_set pmbr_boot off

# Inject Trust and Boot Path (VM must be stopped)
virt-fw-vars --inplace /dev/rbd/mapped_efidisk \
  --enroll-redhat \
  --add-db <GUID> /path/to/ipa-ca.crt \
  --append-boot-filepath '\EFI\centos\shimx64.efi' \
  --sb

This workflow enables high-integrity Secure Boot environments using
existing SeaBIOS infrastructure templates.

FAIme using apt-cacher-ng

2026-03-31T13:50:57+00:00

The FAI.me service has become faster over the past two months.

First, the tool fai-mirror can now download all packages in one go (with all their dependencies) instead of downloading one by one. This helped a lot for the Linux Mint ISO because it uses a long list of packages.

I've also added a local apt cache (using apt-cacher-ng), so the network speed does not matter any more in most cases. This led to the following improvements:

Linux Mint install ISOs went from around 6-7 min to now only 2min.
Ubuntu install ISO went from average 3min to around 90 seconds.
The average time for a Debian Linux install ISO dropped from 2min to 40 seconds.

So far we only had once a problem with apt-cacher-ng, because the underlying partition was full.

Building cloud and live images do not gain that much from the local package cache, because most time is spend in extracting and installing the packages.

Mailman3 has 2 databases. Whoops.

2026-03-30T12:27:10+00:00

At May First we have been carefully planning our migration of about 1200 lists from mailman2 to mailman3 for almost six months now. We did a lot of user communications, had several months of beta testing with a handful of lists ported over, and everything was looking good. So we kicked off the migration!

But, about 15% of the way through I started seeing sqlite lock errors. Wait, what? I carefully re-configured mailman3 to use postgres, not sqlite. Well, yes, but apparently that was for the database managing the email list configuration, not the database powering the django web app, which, incidentally, also includes hundresds of gigabytes of archives. In other words, the one we really need in postgres, not sqlite.

Moving from sqlite to postgres

Well that sucks. We immediately stopped the migration to deal with this.

I noticed that the web is full of useful django instructions on how to migrate your database from one database to antoher. However, if you read the fine print, those convenient looking “dumpdata loaddata” workflows are designed to move the table definitions and a small amount of data. In our case, even after just 15% of our lists moved, our sqlite database was about 30GB.

I considered some of the hacks to manage memory and try to run this via django, but eventually decided that pgloader was a more robust option. This option also allowed me to more easily test things out on a copy of our sqlite database (made while mailman was turned off). This way I could migrate and re-migrate the sqlite database over and over without impacting our live installation until I was satisfied it was all working.

My first decision was to opt out of pgloader’s schema creation. I used django’s schema creation tool by:

Turning off mailman3 and mailman3-web and changing the mailman web configuration to use the new postgresql database.
Running mailman-web migrate
Changing the mailman web configuration back to sqlite and starting everything again.

Note: I tried just adding new database settings in the mailman web configuration indexed to ’new’ - django has the ability to define different databases by name, then you can run mailman-web migrate --database new. But, during the migration, I caught django querying the sqlite database for some migrations that required referencing existing fields (specifically hyperkitty’s 0003_thread_starting_email). I didn’t want any of these steps to touch the live database so I opted for the cleaner approach.

Once I had a clean postgres schema, I dumped it so I could easily return to this spot.

Next I started working on our pgloader load file. After a lot of trial and error, I ended with:

LOAD DATABASE
    FROM sqlite:///var/lib/mailman3/sqlite-postgres-migration/mailman3web.clean.backup.db
    INTO postgresql://mailmanweb:xxxxxxxxxxx@localhost:5432/mailmanweb

WITH data only,
    reset sequences,
    include no drop,
    disable triggers,
    create no tables,
    batch size = 5MB,
    batch rows = 500,
    prefetch rows = 50,
    workers = 2,
    concurrency = 1

SET work_mem to '64MB',
    maintenance_work_mem to '512MB'

CAST type datetime to timestamptz drop default drop not null,
    type date to date drop default drop not null,
    type int when (= precision 1) to boolean using tinyint-to-boolean,
    type text to varchar using remove-null-characters;

The batch, prefetch, workers and concurreny settings are all there to ensure memory doesn’t blow up.

I also discovered that I had to make some changes to the schema before loading data. Mostly truncating tables that the django migrate command populated to avoid duplicate key errors:

TRUNCATE TABLE django_migrations CASCADE;
TRUNCATE TABLE django_content_type CASCADE;
TRUNCATE TABLE auth_permission CASCADE;
TRUNCATE TABLE django_site CASCADE;

And also, I had to change a column type. Apparently the mailman import process allowed an attachment file name that exceeds the limit for postgres, but was allowed into sqlite:

ALTER TABLE hyperkitty_attachment ALTER COLUMN name TYPE text

When pgloader runs, we still get a lot of warnings from pgloader, which wants to cast columns differently than django does. These are harmless (I was able to import the data without a problem).

And there are still a lot of warnings along the lines of:

2026-03-30T14:08:01.691990Z WARNING PostgreSQL warning: constraint “hyperkitty_vote_email_id_73a50f4d_fk_hyperkitty_email_id” of relation “hyperkitty_vote” does not exist, skipping

These are harmless as well. They appear because disable triggers disables foreign key constraints. Without it, we wouldn’t be able to load tables that require values in tables that have not yet been populated.

After all the tweaking, the import of our 30GB sqlite database took about 40 minutes.

Final Steps

I think the reset sequences from pgloader should take care of this, but just in case:

mailman-web sqlsequencereset hyperkitty mailman_django auth | mailman-web dbshell

And, just to ensure postgres is optimized, run this in the psql shell:

ANALYZE VERBOSE;

Last thoughts

I understand very well all the decisions the mailman3 devs made in designing the next version of mailman, and if I was in the same place I may have made them the same ones. For example, separating the code running the mailing list from the code managing the archives and the web interface makes perfectly good sense - many people might want to run just the mailing list part without a web interface. And building the web interface in django makes a lot of sense as well - why re-invent the wheel? I’m sure a lot of time and effort was saved by simply using the built in features you get for free with django.

But the unfortunate consequence of these decisions is that sys admins have a much harder time. Almost everyone wants the email lists along with the web interface and the archives. But nobody wants two different configuration files with different syntaxes and logic, not to mention two different command lines to use for maintenance and configuration with completely different APIs. Trying to understand how to change a default template or set list defaults requires a lot of research and usually you have to write a python script to do it.

I have finally come to the conclusion that mailman2 is designed for sys admins, while mailman3 is designed for developers.

Despite these short comings, I am impressed with the community and their quick and friendly responses to the questions of a confused sys admin. That might be more valuable than anything else.

Converting Dovecot password schemes on the fly without (too much) cursing

2026-03-28T22:11:57+00:00

I finally upgraded my mail server to Debian 13 and, as expected, the Dovecot part was quite a ride.

The configuration syntax changed between Dovecot 2.3 (Debian 12) and Dovecot 2.4 (Debian 13), so I started first with diffing my configuration against a vanilla Debian 12 one (this setup is slightly old) and then applied the same (logical) changes to a vanilla Debian 13 one. This mostly went well. Mostly because my user database is stored in SQL and while the Dovecot Configuration Upgrader says it can convert old dovecot-auth-sql.conf.ext files to the new syntax, it only does so for the structure, not the SQL queries themselves. While I don't expect it to be able to parse the queries and adopt them correctly, at least a hint that the field names in userdb changed and might require adjustment would've been cool.

Once I got that all sorted, Dovecot would still refuse to let me in:

Error: sql: Invalid password in passdb: Weak password scheme 'MD5-CRYPT' used and refused

Yeah, right. Did I mention that this setup is old?

The quick cure against this is a auth_allow_weak_schemes = yes in /etc/dovecot/conf.d/10-auth.conf, but long term I really should upgrade the password hashes in the database to something more modern.

And this is what this post is about.

My database only contains hashed (and salted) passwords, so I can't just update them without changing the password. And while there are only 9 users in total, I wanted to play nice and professional. (LOL)

There is a Converting Password Schemes howto in the Dovecot documentation, but it uses a rather odd looking PHP script, wrapped in a shell script which leaks the plaintext password to the process list, and I really didn't want to remember how to write PHP to complete this task.

Luckily, I know Python.

The general idea is:

As we're using plaintext authentication (auth_mechanisms = plain login), the plaintext password is available during login.
After Dovecot's imap-login has verified the password against the old (insecure) hash in the database, we can execute a post-login script, which will connect to the database and update it with a new hash of the plaintext password.

To make the plaintext password available to the post-login script, we add '%{password}' as userdb_plain_pass to the SELECT statement of our passdb query. The original howto also says to add a prefetch userdb, which we do. The sql userdb remains, as otherwise Postfix can't use Dovecot to deliver mail.

Now comes the interesting part. We need to write a script that is executed by Dovecot's script-login and that will update the database for us. Thanks to Python's passlib and mysqlclient, the database and hashing parts are relatively straight forward:

#!/usr/bin/env python3

import os

import MySQLdb
import passlib.hash

DB_SETTINGS = {"host": "127.0.0.1", "user": "user", "password": "password", "database": "mail"}
SELECT_QUERY = "SELECT password_enc FROM mail_users WHERE username=%(username)s"
UPDATE_QUERY = "UPDATE mail_users SET password_enc=%(pwhash)s WHERE username=%(username)s"

SCHEME = "bcrypt"
EXPECTED_PREFIX = "$2b$"


def main():
    # https://doc.dovecot.org/2.4.3/core/config/post_login_scripting.html
    # https://doc.dovecot.org/2.4.3/howto/convert_password_schemes.html
    user = os.environ.get("USER")

    plain_pass = os.environ.get("PLAIN_PASS")
    if plain_pass is not None:
        db = MySQLdb.connect(**DB_SETTINGS)
        cursor = db.cursor()
        cursor.execute(SELECT_QUERY, {"username": user})
        result = cursor.fetchone()
        current_pwhash = result[0]

        if not current_pwhash.startswith(EXPECTED_PREFIX):
            hash_module = getattr(passlib.hash, SCHEME)
            pwhash = hash_module.hash(plain_pass)
            data = {"pwhash": pwhash, "username": user}
            cursor.execute(UPDATE_QUERY, data)
        cursor.close()
        db.close()


if __name__ == "__main__":
    main()

But if we add that as executable = script-login /etc/dovecot/dpsu.py to our imap-postlogin service, as the howto suggests, the users won't be able to login anymore:

Error: Post-login script denied access to user

WAT?

Remember that shell script I wanted to avoid? It ends with exec "$@".

Turns out the script-login "API" is rather interesting. It's not "pass in a list of scripts to call and I'll call all of them". It's "pass a list of scripts, I'll execv the first item and pass the rest as args, and every item is expected to execv the next one again". ðŸ¤¯

With that (cursed) knowledge, the script becomes:

#!/usr/bin/env python3

import os
import sys

import MySQLdb
import passlib.hash

DB_SETTINGS = {"host": "127.0.0.1", "user": "user", "password": "password", "database": "mail"}
SELECT_QUERY = "SELECT password_enc FROM mail_users WHERE username=%(username)s"
UPDATE_QUERY = "UPDATE mail_users SET password_enc=%(pwhash)s WHERE username=%(username)s"

SCHEME = "bcrypt"
EXPECTED_PREFIX = "$2b$"


def main():
    # https://doc.dovecot.org/2.4.3/core/config/post_login_scripting.html
    # https://doc.dovecot.org/2.4.3/howto/convert_password_schemes.html
    user = os.environ.get("USER")

    plain_pass = os.environ.get("PLAIN_PASS")
    if plain_pass is not None:
        db = MySQLdb.connect(**DB_SETTINGS)
        cursor = db.cursor()
        cursor.execute(SELECT_QUERY, {"username": user})
        result = cursor.fetchone()
        current_pwhash = result[0]

        if not current_pwhash.startswith(EXPECTED_PREFIX):
            hash_module = getattr(passlib.hash, SCHEME)
            pwhash = hash_module.hash(plain_pass)
            data = {"pwhash": pwhash, "username": user}
            cursor.execute(UPDATE_QUERY, data)
        cursor.close()
        db.close()

    os.execv(sys.argv[1], sys.argv[1:])


if __name__ == "__main__":
    main()

And the passwords are getting gradually updated as the users log in. Once all are updated, we can remove the post-login script and drop the auth_allow_weak_schemes = yes.

Digital gardening

2026-03-27T22:05:39+00:00

I was reading a post on Alex Chan's website¹ that referenced the concept of digital gardens, a concept/analogy for organising information which dates back to the 90s. This old concept is getting new traction today by contrasting the approach with "endless stream" as used and abused by social media, but also how blogs are typically presented.

This site, my homepage, has a blog, and that's the bit that most people who interact with the site will experience. Partly, because it's the bit that gets syndicated out: via feeds; on Planet Debian and downstream from it; once upon a time on Twitter; nowadays on the Fediverse.

However there's more to my homepage than that. The rest of it may be of little interest to anyone beside me, but it's useful to me, at least. So I may switch focus a little bit from mainly writing blog posts, and tend to the rest of the garden a bit more.

Some recent seeding and pruning: Recently my guest status at Newcastle University came up for renewal, so I wrote down my goals in the Historic Computing Committee for the next year or so, and put them here: nuhcc. I've also been pondering what I'm up to in Debian at the moment, so took some time to add my current projects to that page.

I'm reminded that I should really publish a "blog roll" of cool blogs I'm following at the moment, of which Alex Chan's is one.↩

New Debian Developers and Maintainers (January and February 2026)

2026-03-27T22:00:00+00:00

The following contributors got their Debian Developer accounts in the last two months:

Jongmin Kim (jmkim)
Yifei Zhan (yifei)
Sébastien Noel (twolife)

The following contributors were added as Debian Maintainers in the last two months:

Andreas Dolp
Dandan Zhang
M Hickford

Congratulations!

New job at Chainguard

2026-03-27T08:00:00+00:00

A few months ago, in June 2025, I joined Chainguard, a company focused on software supply chain security. This post is a reflection on how I got here, what I’ve been doing, and why this role feels like a natural fit for my interests in Linux and open source technology.

The company and its mission

Chainguard’s mission is to make the software supply chain secure by default. The company is built around the idea that the software we all depend on — from operating system packages to container base images — carries hidden risk in the form of vulnerabilities, unverified provenance, and untrusted build processes.

The company is perhaps best known for Chainguard Images: a catalog of minimal, hardened container base images that are continuously rebuilt and kept free of known CVEs. Each image is accompanied by a signed SBOM (Software Bill of Materials) and a verifiable provenance attestation, making it possible to cryptographically verify what went into a given image and how it was built.

Chainguard has an extensive catalog of software, and maintaining it up-to-date and CVE-free is a significant engineering challenge.

What I do

I joined the Chainguard Sustaining Engineering team as a Senior Software Engineer. We are responsible for maintaining packages and images in the software catalog up-to-date and CVE-free. The core of the business, basically.

We focus on the horizontal dimension of the catalog (pretty much all packages and images).

With +30,000 packages and +2,000 images, this is indeed an interesting task.

My role as Debian Developer, and my experiencie in the Debian LTS project was extremely valuable when joning this new team.

Looking ahead

Software supply chain is truly a deep topic, gaining more and more relevance every day, especially as new technologies emerge and get adopted everywhere.

Since early in my career, I saw a recurrent problem of how companies, enterprises, or even governments, relate to and consume open source software, in a reliable, secure way. I believe Chainguard is doing the right things in the ecosystem, and I’m happy to be participating in the effort.

Artificial Intelligence: Shades of Gray

2026-03-25T04:12:18+00:00

AI sure is a hot topic right now, and I see a lot of people arguing about it. To a lot of people around here, I’m the “computer person” they know and I get asked a lot about AI.

I’m going to suggest a lot of things can be true at once. For instance:

LLMs are changing how we work and will continue to do so.
LLMs are vastly over-hyped by vested interests, and may be in a bubble.

Or how about:

Huge investment in GenAI is having many negative consequences, ranging from environmental to causing affordability problems in many industries that use hardware (ie, everywhere)
Useful results can be had from models that run on local hardware, even battery-powered hardware, which may have negligible harm or even some benefit

And:

GenAI is further concentrating wealth and power in megacorps, with the effect of squeezing out the smaller players even more.
GenAI is lowering the cost of entry for people without a lot of resources already.

I have sympathy for the naysayers; those that say it’s nothing but a stochastic parrot. But I don’t have a lot of sympathy for the naysayers that deny ever using it; you can’t form a credible argument against something without having an understanding of it informed by experience.

I also have sympathy for the cheerleaders. I have seen some impressive things from AI; for instance, a story from an engineer who has a child with a rare disease without a credible cure. The engineer did a lot of research on it, started feeding research papers into AI to analyze, and the AI started finding correlations between different areas of research that humans hadn’t yet found — leading to a positive result for the child.

To be fair, I have rarely seen an AI deliver a 100% correct answer on anything with any real level of complexity. I have seen it both waste more time than it saves, and save a ton of time.

My point here is: It is neither always fantastic nor always terrible.

Let me talk you through an example.

I am a fan of inbox zero for email. That is, the inbox should be empty. Unfortunately, mine has 8000 messages in it. According to the oldest messages in my inbox, I last had inbox zero 8 years ago. But really, only a handful are older than 2020. I guess something must have happened that year…

I’ve been chipping away at this for quite some time now. The problem is, there are certain emails in there that really do still need some action – maybe it’s photos to save off into our photo collection, for instance. But when looking at things sorted by date or thread, there are old shipping confirmations next to phishing attempts and family photos. One can’t just scan down the list.

I’ve tried all the usual tricks, most of which involve selecting groups of message that are easy to bulk erase, or at least easy to scan visually for the occasional thing worth saving. Sort by sender or subject line, for instance. Then I can, for instance, delete all the old messages from the shopping sites I commonly use all at once. But then they start using different senders and different subject lines and that doesn’t get all of them. I’ve tried keyword searches for this sort of thing too. Still, that got me down to about 8000 messages.

So I thought: why not see if an LLM could help me classify these? Maybe it could categorize them, and then I could look at emails grouped by category.

I have one machine with a discrete GPU, an Nvidia RTX 4070. It’s a desktop machine I don’t use all that often. But I set up Ollama on it, running in a Docker container. Ollama runs models locally.

I should also mention at this point that we are solar-powered, and this time of year is a time of peak production of excess solar, because it is sunny and not much heat or AC is required. So that machine is solar-powered and isn’t causing environmental harm. In any case, charging the EV uses much more power than that GPU.

I figured I would do this in two passes. First, ask the LLM to classify each message (or a sampling of them would probably work too), letting it pick its own categories for each. Then, look at the patterns that emerge and give it a single, much smaller, set of broad categories to use and rerun it over that.

Then I can easily select messages from my Maildirs by category and process them in bulk.

I used open-interpreter pointing to that GPU on my network to help me write the scripts for this. It didn’t get things right on its own; for instance, it didn’t call the Ollama API correctly, and insisted on appending “/cur” to the path to the Maildir (which was not going to fly with Python’s maildir module). It took roughly an hour to classify those 8000 messages (or, as I had it do, the first 2000 characters of them), and then the same to do it a second time. I had it output lines in the form of “filename\tcategory” and hand-wrote the shell script that processed those.

In the end, was it useful? Yes, quite. Its classifications weren’t perfect (and it didn’t even follow my prompt perfectly; sometimes it would give me a long discussion on why it picked a certain category rather than just that category, and occasionally it picked categories not on the list). But then, neither were my manual keyword searches. So far I’ve gotten rid of nearly 1000 more messages. Several categories were a “visual scan for sanity and then delete all” sort of thing.

My emails never left my network. I didn’t rely on a cloud AI to process them. I didn’t contribute to global warming (this may have even been a case of saving energy, since it no doubt will offset quite a bit of manual time that would keep screens and room lights energized and so forth). I used about as much energy as watching a movie on a TV.

Did it complete the task for me entirely autonomously? Also no. AI isn’t a mind reader and it can’t possibly evaluate exactly what my thought process would be for a given task. But it can do a decent enough job to save me some time.

Still, this didn’t require hyperscaler datacenters. AI even runs on-phone (Google Translate being one of the most useful AI-driven apps I’ve ever seen, and it can run on-device).

systemd has not implemented age verification

2026-03-23T15:47:22+00:00

This needs to be clear: systemd is under attack by a trolling campaign orchestrated by fascist elements. Nobody is forced to like or use systemd, but anybody who wants to pick a side should know the facts.

Recently, the free software Nazi bar crowd styling themselves as "concerned citizens" has tried to start a moral panic by saying that systemd is implementing age verification checks or that somehow it will require providing personally identifiable information.

This is a lie: the facts are simply that the systemd users database has gained an optional "date of birth" field, which the desktop environments may use or not as they deem appropriate. Of course there is no "identity verification" or requirements to provide any data, which in any case would not be shared beyond authorized local applications.

While the multiple recent bills proposing that general purpose operating systems implement age verification mechanisms are often concerning, both from a social and technical point of view, this is not the topic being discussed here. They are often suboptimal, but for a long time I have been opposing attempts to implement parental control at the network level and argued that it should be managed locally, by parents on their own machines: I cannot see why I should outright reject an attempt to implement the infrastructure to do that.

If we want to keep age-appropriate controls out of the hands of centralized authorities, the alternative is giving families the means to manage it themselves: this is what this field enables. Whether desktop environments use it for parental controls, for birthday reminders, or for nothing at all, is their users' decision.

By the way, the original UNIX users database has allowed storing PII in the GECOS field since it was invented in the '70s. Similar fields are also specified by many popular LDAP schemes: adding such an optional field is consistent with the UNIX tradition.

And while we are at it, let's also refute the other smear campaign started by the same people: the systemd project is not accepting "AI slop". What happened is that a documentation file for the benefit of coding agents was added to the repository. To be clear: agents still cannot submit merge requests. The file itself remarks that all contributions must be reviewed in detail by humans, and this is basically the same policy used by the Linux kernel.

How taboo shapes knowledge production on Wikipedia

2026-03-23T09:33:53+00:00

Note: I have not published blog posts about my academic papers over the past few years. To ensure that my blog contains a more comprehensive record of my published papers and to surface them for folks who missed them, I will periodically (re) publish blog posts about some “older” published projects. This post draws material from a previously published post by Kaylea Champion on the Community Data Science Blog.

Taboo subjects—such as sexuality and mental health—are as important to discuss as they are difficult to raise in conversation. Although many people turn to online resources for information on taboo subjects, censorship and low-quality information are common in search results. In two papers I recently published at CSCW—both led by Kaylea Champion—we presented a series of analyses showing how taboo shapes the process of collaborative knowledge building on English Wikipedia.

The first study is a quantitative analysis showing that articles on taboo subjects are much more popular and are the subject of more vandalism than articles on non-taboo topics. In surprising news, we also found that they were edited more often and were of higher quality!

Short video of Kaylea’s presentation of the work given at Wikimania in August 2023.

The first challenge we faced in conducting this work was identifying taboo articles. Kaylea had a brilliant idea for a new computational approach to doing so without relying on our individual intuitions about what qualifies as taboo (something we understood would be highly specific to our own culture, class, etc). Her approach was to make use of an insight from linguistics: people develop euphemisms as ways to talk about taboos (i.e., think about all the euphemisms we’ve devised for death, or sex, or menstruation, or mental health).

We used this insight to build a new machine-learning classifier based on English Wiktionary definitions. If a ‘sense’ of a word was tagged as euphemistic, we treated the words in the definition as indicators of taboo. The end result was a series of words and phrases that most powerfully differentiate taboo from non-taboo. We then did a simple match between those words and phrases and the titles of Wikipedia articles. The topics were taboo enough that we were a little uncomfortable discussing them in our meetings! We built a comparison sample of articles whose titles are words that, like our taboo articles, appear in Wiktionary definitions.

In the first paper, we used this new dataset to test a series of hypotheses about how taboo shapes collaborative production in Wikipedia. Our initial hypotheses were based on the idea that taboo information is often in high demand but that Wikipedians might be reluctant to associate their names (or usernames) with taboo topics. The result, we argued, would be articles that were in high demand but of low quality.

We found that taboo articles are thriving on Wikipedia! In summary, we found that in comparison to non-taboo articles:

Taboo articles are more popular (as expected).
Taboo articles receive more contributions (contrary to expectations).
Taboo articles receive more low-quality contributions (as expected).
Taboo articles are higher quality (contrary to expectations).
Taboo article contributors are more likely to contribute without an account (as expected), and have less experience (as expected), but that accountholders are more likely to make themselves more identifiable by having a user page, disclosing their gender, and making themselves emailable (all three of these are contrary to expectation!).

Image of the estimated qualiy of articles of the four articles in the second mixed-methods paper. Extreme dips reflect periods of frequent vandalism.

Kaylea attempted to understand these somewhat confusing results by designing a fantastic mixed-methods analysis that sought to unpack some of the nuance missing in the quantitative analysis by delving deep into the “life histories” of four articles on English Wikipedia: two on taboo topics related to women’s anatomy (Clitoris and Menstration) and two nontaboo articles chosen for comparison (Cell membrance and Philip Pullman).

Although the findings from the analysis can be difficult to summarize succinctly (as with many qualitative studies), we showed how the taboo example articles’ success was hard-won amid real challenges and attacks. The paper describes how challenges were overcome through resilient leadership, often provided by a single dedicated individual. The paper provides a template for how taboo can be—and frequently is—overcome by dedicated Wikipedians in ways that provide useful knowledge resources in real demand.

For more details, visualizations, statistics, and more, we hope you’ll take a look at our papers, both linked below.

The full citation for the papers are: (1) Champion, Kaylea, and Benjamin Mako Hill. 2023. “Taboo and Collaborative Knowledge Production: Evidence from Wikipedia.” Proceedings of the ACM on Human-Computer Interaction 7 (CSCW2): 299:1-299:25. https://doi.org/10.1145/3610090. (2) Champion, Kaylea, and Benjamin Mako Hill. 2024. “Life Histories of Taboo Knowledge Artifacts.” Proceedings of the ACM: Human-Computer Interaction 8 (CSCW2): 505:1-505:32. https://doi.org/10.1145/3687044.

We have also released replication materials for the paper, including all the data and code used to conduct the analyses.

This blog post and the paper it describes are collaborative work by Kaylea Champion and Benjamin Mako Hill.

Calculate “1/(40rods/hogshead) to L/100km” from your Zsh prompt

2026-03-22T13:37:09+00:00

I often need a quick calculation or a unit conversion. Rather than reaching for a separate tool, a few lines of Zsh configuration turn = into a calculator. Typing = 660km / (2/3)c * 2 -> ms gives me 6.60457 ms¹ without leaving my terminal, thanks to the Zsh line editor.

The equal alias

The main idea looks simple: define = as an alias to a calculator command. I prefer Numbat, a scientific calculator that supports unit conversions. Qalculate is a close second.² If neither is available, we fall back to Zshâ€™s built-in zcalc module.

As the alias built-in uses = as a separator for name and value, we need to alter the aliases associative array:

if (( $+commands[numbat] )); then
  aliases[=]='numbat -e'
elif (( $+commands[qalc] )); then
  aliases[=]='qalc'
else
  autoload -Uz zcalc
  aliases[=]='zcalc -f -e'
fi

With this in place, = 847/11 becomes numbat -e 847/11.

The quoting problem

The first problem surfaces quickly. Typing = 5 * 3 fails: Zsh expands the * character as a glob pattern before passing it to the calculator. The same issue applies to other characters that Zsh treats specially, such as > or |. You must quote the expression:

$ = '5 * 3'
15

We fix this by hooking into the Zsh line editor to quote the expression before executing it.

Automatic quoting with ZLE

Zsh calls the line-finish widget before submitting a command. We hook a function that detects the = prefix and quotes the expression:

_vbe_calc_quote() {
  case $BUFFER in
    "="*)
      typeset -g _vbe_calc_expr=$BUFFER # not used yet
      BUFFER="= ${(q-)${${BUFFER#=}# }}"
      ;;
  esac
}
add-zle-hook-widget line-finish _vbe_calc_quote

When you type = 5 * 3 and press â†², _vbe_calc_quote strips the = prefix, quotes the remainder with the (q-) parameter expansion flag, and rewrites the buffer to = '5 * 3' before Zsh submits the command. As a bonus, you can save a few keystrokes with =5*3! ğŸš€

You can now compute math expressions and convert units directly from your shell. Zsh automatically quotes your expressions:

$ = '1 + 2'
3
$ = 'pi/3 + pi |> cos'
-0.5
$ = '17 USD -> EUR'
14.7122 â‚¬
$ = '180*500mg -> g'
90 g
$ = '5 gigabytes / (2 minutes + 17 seconds) -> megabits/s'
291.971 Mbit/s
$ = 'now() -> tz("Asia/Tokyo")'
2026-03-22 22:00:03 JST (UTC +09), Asia/Tokyo
$ = '1 / (40 rods / hogshead) -> L / 100km'
118548 Ã— 0.01 l/km

The metric system is the tool of the devil! My car gets forty rods to the hogshead, and that's the way I like it! â€• Grampa Simpson, A Star Is Burns

Storing unquoted history

As is, Zsh records the quoted expression in history. You must unquote it before submitting it again. Otherwise, the ZLE widget quotes it a second time. Bart Schaefer provided a solution to store the original version:

_vbe_calc_history() {
  return ${+_vbe_calc_expr}
}
add-zsh-hook zshaddhistory _vbe_calc_history

_vbe_calc_preexec() {
  (( ${+_vbe_calc_expr} )) && print -s $_vbe_calc_expr
  unset _vbe_calc_expr
  return 0
}
add-zsh-hook preexec _vbe_calc_preexec

The zshaddhistory hook returns 1 if we are evaluating an expression, telling Zsh not to record the command. The preexec hook then adds the original, unquoted command with print -s.

The complete code is available in my zshrc. A common alternative is the noglob precommand modifier. If you stick with to instead of -> for unit conversion, it covers 90% of use cases. For a related Zsh line editor trick, see how I use auto-expanding aliases to fix common typos.

This is the fastest a packet can travel back and forth between Paris and Marseille over optical fiber.Â â�¦
Qalculate is less understanding with units. For example, it parses â€œMbpsâ€� as megabarn per picosecond: â˜¢ï¸�
```
$ numbat -e '5 MB/s -> Mbps'
40 Mbps
$ qalc 5 MB/s to Mbps
5 megabytes/second = 0.000005 B/ps
```
â�¦

Ladytron

2026-03-21T22:18:11+00:00

I saw Ladytron perform in Digital, Newcastle last night. The last time I saw them was, I think, at the same venue, 18 years ago. Time flies!

Back in the day (perhaps their heyday, perhaps not!) Ladytron ploughed a particular sonic furrow and did it very well. Going into the gig I had set my expectations that, should they play just these hits, I'd have a good time.

The gig exceeded my expectations. The setlist very much did not lean into their best-known period: the more recent few albums were very well represented and to me this felt very confident. The lead singer, Helen Marnie, demonstrated some excellent range, particularly on some of the new songs. Daniel Hunt did a lot of backing vocals and they were really complementary to Helen's: underscoring but not overpowering. I enjoyed nerding out watching Mira Ayoro's excellent wrangling of her Korg MS-20. One highlight was an encore performance of Light & Magic, which was arguably the "alternate version" as available on the expanded versions of that album or the Remixed and Rare companion.

I thought I'd try to put together a 5-track playlist for a friend who attended the gig but isn't super familiar with them. As usual this is hard. I'm going to avoid the obvious hits, try to represent their whole career and try to ensure the current trio each get a vocal turn in the selection.

They actually released their latest album, Paradises, yesterday as well. One track from it is in the list below.

I'm Not Scared by Ladytron Kingdom Undersea by Ladytron Blue Jeans by Ladytron He took her to a movie by Ladytron Transparent Days by Ladytron

(If you can't see anything, the bandcamp embeds have been stripped out by whatever you are viewing this with)

A286874(16) >= 48

2026-03-21T15:19:00+00:00

Following up on the previous post, here are some heuristic results:

First, if restricting oneself to 5-uniform values (all values have exactly five bits set), the best 15-bit code one can make is indeed 42 elements, and there are two distinct solutions: {31, 227, 364, 692, 1240, 1577, 1606, 2353, 3008, 3205, 3338, 4434, 4746, 4869, 5536, 6182, 6217, 7696, 8582, 8984, 9266, 9537, 10324, 10408, 10755, 12433, 12896, 13324, 16777, 16977, 17186, 17684, 18578, 18956, 19552, 20536, 20676, 21507, 24613, 24650, 26240, 30976} and {31, 227, 364, 692, 849, 906, 1240, 2354, 3206, 3337, 3680, 4485, 5169, 5442, 5644, 6228, 6312, 6659, 8745, 9285, 9632, 9746, 10314, 10385, 11012, 12326, 12568, 12992, 16966, 17450, 17684, 18049, 18469, 18880, 18968, 20553, 20626, 21280, 24688, 24716, 24835, 31744}. This supports, but does not prove, the conjecture that A286874(15) = 42.

Second, A286874(16) >= 48 (the best previously known bound was 45), since this is a valid 48-element solution:

0000000000011111
0000000011100011
0000000101101100
0000001010110100
0000010011011000
0000011100000011
0000100100110001
0000101000101010
0000101111000000
0001000110001001
0001010000110010
0001011000001100
0001100100000110
0001110001000001
0010000110010010
0010010010000101
0010011001100000
0010100001010100
0010110100001000
0011000001001010
0011001000010001
0011100010100000
0100001001001001
0100010001000110
0100010110100000
0100100010001100
0100111000010000
0101000000100101
0101000101010000
0101001010000010
0110000000111000
0110001100000100
0110100000000011
1000001001010010
1000010000101001
1000010100010100
1000101000000101
1000110010000010
1001000011000100
1001001100100000
1001100000011000
1010000000100110
1010000101000001
1010001010001000
1100000010010001
1100000100001010
1100100001100000
1111010000000000

I won't be sweeping all of the 15- or 16-bit spaces.

The WWW::Mechanize::Chrome Saga: A Comprehensive Narrative of PR #104

2026-03-21T01:52:46+00:00

The
WWW::Mechanize::Chrome Saga: A Comprehensive Narrative of PR #104

This document synthesizes the extensive work performed from March
13th to March 20th, 2026, to harden, stabilize, and refactor the
WWW::Mechanize::Chrome library and its test suite. This
effort involved deep dives into asynchronous programming,
platform-specific bug hunting, and strategic architectural
decisions.

Part I:
The Quest for Cross-Platform Stability (March 13 – 16)

The initial phase of work focused on achieving a “green” test suite
across a variety of Linux distributions and preparing for a new release.
This involved significant hardening of the library to account for
different browser versions, OS-level security restrictions, and
filesystem differences.

Key Milestones &
Engineering Decisions:

Fedora & RHEL-family Success: A major effort
was undertaken to achieve a 100% pass rate on modern Fedora 43 and
CentOS Stream 10. This required several key engineering decisions to
handle modern browser behavior:
- Decision: Implement Asynchronous DOM Serialization
  Fallback. Synchronous fallbacks in an async context are
  dangerous. To prevent Resource was not cached errors during
  saveResources, we implemented a fully asynchronous fallback
  in _saveResourceTree. By chaining
  _cached_document with DOM.getOuterHTML
  messages, we can reconstruct document content without blocking the event
  loop, even if Chromium has evicted the resource from its cache. This
  also proved resilient against Fedora’s security policies, which often
  block file:// access.
- Decision: Truncate Filenames for Cross-Platform
  Safety. To avoid File name too long errors,
  especially on Windows where the MAX_PATH limit is 260
  characters, filenameFromUrl was hardened. The filename
  truncation was reduced to a more conservative 150
  characters, leaving ample headroom for deeply nested CI
  temporary directories. Logic was also added to preserve file extensions
  during truncation and to sanitize backslashes from URI paths.
- Decision: Expand Browser Discovery Paths. To
  support RHEL-based systems out-of-the-box, the
  default_executable_names was expanded to include
  headless_shell and search paths were updated to include
  /usr/lib64/chromium-browser/.
- Decision: Mitigate Race Conditions with Stabilization Waits
  and Resilient Fetching. On fast systems,
  DOM.documentUpdated events could invalidate
  nodeIds immediately after navigation, causing XPath queries
  to fail with “Could not find node with given id”. A small stabilization
  sleep(0.25s) was added after page loads to ensure the DOM
  is settled. Furthermore, the asynchronous DOM fetching loop was hardened
  to gracefully handle these errors by catching protocol errors and
  returning an empty string for any node that was invalidated during
  serialization, ensuring the overall process could complete.
Windows Hardening:
- Decision: Adopt Platform-Aware Watchdogs. The test
  suite’s reliance on ualarm was a blocker for Windows, where
  it is not implemented. The t::helper::set_watchdog function
  was refactored to use standard alarm() (seconds) on Windows
  and ualarm (microseconds) on Unix-like systems, enabling
  consistent test-level timeout enforcement.
Version 0.77 Release:
- Decision: Adopt SOP for Version Synchronization.
  The project maintains duplicate version strings across 24+ files. A
  Standard Operating Procedure was adopted to use a batch-replacement tool
  to update all sub-modules in lib/ and to always run
  make clean and perl Makefile.PL to ensure
  META.json and META.yml reflect the new
  version. After achieving stability on Linux, the project version was
  bumped to 0.77.
Infrastructure & Strategic Work:
- The ad2 Windows Server 2025 instance was restored and
  optimized, with Active Directory demoted and disk I/O performance
  improved.
- A strategic proposal for the Heterogeneous Directory
  Replication Protocol (HDRP) was drafted and published.

Part II: The
Great Async Refactor (March 17 – 18)

Despite success on Linux, tests on the slow ad2 Windows
host were still plagued by intermittent, indefinite hangs. This
triggered a fundamental architectural shift to move the library’s core
from a mix of synchronous and asynchronous code to a fully non-blocking
internal API.

Key Milestones &
Engineering Decisions:

Decision: Expose a _future API.
Instead of hardcoding timeouts in the library, the core strategy was to
refactor all blocking methods (xpath, field,
get, etc.) into thin wrappers around new non-blocking
..._future counterparts. This moved timeout management to
the test harness, allowing for flexible and explicit handling of
stalls.
```
# Example library implementation
sub xpath($self, $query, %options) {
    return $self->xpath_future($query, %options)->get;
}

sub xpath_future($self, $query, %options) {
    # Async implementation using $self->target->send_message(...)
}
```

Decision: Centralize Test Hardening in a Helper.
A dedicated test library, t/lib/t/helper.pm, was created to
contain all stabilization logic. “Safe” wrappers (safe_get,
safe_xpath) were implemented there, using
Future->wait_any to race asynchronous operations against
a timeout, preventing tests from hanging.

# Example test helper implementation
sub safe_xpath {
    my ($mech, $query, %options) = @_;
    my $timeout = delete $options{timeout} || 5;
    my $call_f = $mech->xpath_future($query, %options);
    my $timeout_f = $mech->sleep_future($timeout)->then(sub { Future->fail("Timeout") });
    return Future->wait_any($call_f, $timeout_f)->get;
}

Decision: Refactor Node Attribute Cache.
Investigations into flaky checkbox tests (t/50-tick.t)
revealed that WWW::Mechanize::Chrome::Node was storing
attributes as a flat list ([key, val, key, val]), which was
inefficient for lookups and individual updates. The cache was refactored
to definitively use a HashRef, providing O(1) lookups
and enabling atomic dual-updates where both the browser property (via
JS) and the internal library attribute are synchronized
simultaneously.
Decision: Implement Self-Cancelling Socket
Watchdog. On Windows, traditional watchdog processes often
failed to detect parent termination, leading to 60-second hangs after
successful tests. We implemented a new socket-based watchdog in
t::helper that listens on an ephemeral port; the background
process terminates immediately when the parent socket closes,
eliminating these cumulative delays.
Decision: Deep Recursive Refactoring & Form
Selection. To make the API truly non-blocking, the entire
internal call stack had to be refactored. For example, making
get_set_value_future non-blocking required first making its
dependency, _field_by_name, asynchronous. This culminated
in refactoring the entire form selection API (form_name,
form_id, etc.) to use the new asynchronous
_future lookups, which was a key step in mitigating the
Windows deadlocks.
Decision: Fix Critical Regressions & Memory
Cycles.
- Evaluation Normalization: Implemented a
  _process_eval_result helper to centralize the parsing of
  results from Runtime.evaluate. This ensures consistent
  handling of return values and exceptions between synchronous
  (eval_in_page) and asynchronous (eval_future)
  calls.
- Memory Cycle Mitigation: A significant memory
  leak was discovered where closures attached to CDP event futures (like
  for asynchronous body retrieval) would capture strong references to
  $self and the $response object, creating a
  circular reference. The established rule is to now always use
  Scalar::Util::weaken on both $self and any
  other relevant objects before they are used inside a
  ->then block that is stored on an object.
- Context Propagation (wantarray): A
  major regression was discovered where Perl’s wantarray
  context, which distinguishes between scalar and list context, was lost
  inside asynchronous Future->then blocks. This caused
  methods like xpath to return incorrect results (e.g., a
  count instead of a list of nodes). The solution was to adopt the “Async
  Context Pattern”: capture wantarray in the synchronous
  wrapper, pass it as an option to the _future method, and
  then use that captured value inside the future’s final resolution
  block.
```
# Synchronous Wrapper
sub xpath($self, $query, %options) {
    $options{ wantarray } = wantarray; # 1. Capture
    return $self->xpath_future($query, %options)->get; # 2. Pass
}

# Asynchronous Implementation
sub xpath_future($self, $query, %options) {
    my $wantarray = delete $options{ wantarray }; # 3. Retrieve
    # ... async logic ...
    return $doc->then(sub {
        if ($wantarray) { # 4. Respect
            return Future->done(@results);
        } else {
            return Future->done($results[0]);
        }
    });
}
```
- Asynchronous Body Retrieval & Robust Content
  Fallbacks: Fixed a bug where decoded_content()
  would return empty strings by ensuring it awaited a
  __body_future. This was implemented by storing the
  retrieval future directly on the response object
  ($response->{__body_future}). To make this more robust,
  a tiered strategy was implemented: first try to get the content from the
  network response, but if that fails (e.g., for about:blank
  or due to cache eviction), fall back to a JavaScript
  XMLSerializer to get the live DOM content.
- Signature Hardening: Fixed “Too few arguments”
  errors when using modern Perl signatures with
  Future->then. Callbacks were updated to use optional
  parameters (sub($result = undef) { ... }) to gracefully
  handle futures that resolve with no value.
- XHTML “Split-Brain” Bug: Resolved a
  long-standing Chromium bug (40130141) where content provided via
  setDocumentContent is parsed differently than content
  loaded from a URL. A workaround was implemented: for XHTML documents,
  WMC now uses a JavaScript-based XPath evaluation
  (document.evaluate) against the live DOM, bypassing the
  broken CDP search mechanism.

Derived Architectural Rules
& SOPs:

Rule: Always provide _future variants.
Every library method that interacts with the browser via CDP must have a
non-blocking asynchronous counterpart.
Rule: Centralize stabilization in the test layer.
All timeout and retry logic should reside in the test harness
(t/lib/t/helper.pm), not in the core library.
Rule: Explicitly propagate wantarray
context. Synchronous wrappers must capture the caller’s context
and pass it down the Future chain to ensure correct
scalar/list behavior.
Rule: The entire call chain must be asynchronous.
To enable non-blocking timeouts, even a single “hidden” blocking call in
an otherwise asynchronous method will cause a stall.
SOP: Reduce Library Noise. Diagnostic messages
(warn, note, diag) should be
removed from library code before commits. All such messages should be
converted to use the internal $self->log('debug', ...)
mechanism, ensuring a clean TAP output for CI systems.

Part III: The
`MutationObserver` Saga (March 19)

With most of the library refactored to be asynchronous, one stubborn
test, t/65-is_visible.t, continued to fail with timeouts.
This led to an ambitious, but ultimately unsuccessful, attempt to
replace the wait_until_visible polling logic with a more
“modern” MutationObserver.

Key Milestones & Challenges:

The Theory: The goal was to replace an inefficient
repeat { sleep } loop with an event-driven
MutationObserver in JavaScript that would notify Perl
immediately when an element’s visibility changed.
Implementation & Cascade Failure: The
implementation proved incredibly difficult and introduced a series of
new, hard-to-diagnose bugs:
1. An incorrect function signature for
  callFunctionOn_future.
2. A critical unit mismatch, passing seconds from Perl to JavaScript’s
  setTimeout, which expected milliseconds.
3. A fundamental hang where the MutationObserver’s
  JavaScript Promise would never resolve, even after the
  underlying DOM element changed.
Debugging Maze: Multiple attempts to fix the
checkVisibility JavaScript logic inside the observer
callback, including making it more robust by adding DOM tree traversal
and extensive console.log tracing, failed to resolve the
hang. This highlighted the opacity and difficulty of debugging complex,
cross-language asynchronous interactions, especially when dealing with
low-level browser APIs.

Procedural Learning:
Granular Edits

The effort was plagued by procedural missteps in using automated
file-editing tools. Initial attempts to replace large code blocks in a
single operation led to accidental code loss and match failures.

Decision: Adopt “Delete, then Add” Workflow.
Following forceful user correction, a new SOP was established for all
future modifications:
1. Isolate: Break the file into small, manageable
  chunks (e.g., 250 lines).
2. Delete: Perform a “delete” operation by replacing
  the old code block with an empty string.
3. Add: Perform an “add” operation by inserting the
  new code into the empty space.
4. Verify: Verifying each atomic step before
  proceeding. This granular process, while slower, ensured surgical
  precision and regained technical control over the large
  Chrome.pm module.

The consistent failure of the MutationObserver approach
eventually led to the decision to abandon it in favor of stabilizing the
original, more transparent implementation.

Part IV:
Reversion and Final Stabilization (March 20)

After exhausting all reasonable attempts to fix the
MutationObserver, a strategic decision was made to revert
to the simpler, more transparent polling implementation and fix it
correctly. This proved to be the correct path to a stable solution.

Key Milestones &
Engineering Decisions:

Decision: Perform Strategic Reversion. The
MutationObserver implementation, when integrated via
callFunctionOn_future with awaitPromise,
proved fundamentally unstable. Its JavaScript promise would consistently
fail to resolve, causing indefinite hangs. A decision was made to
revert all MutationObserver code from
WWW::Mechanize::Chrome.pm and restore the original
repeat { sleep } polling mechanism. A stable,
understandable solution was prioritized over an elegant but broken
one.
Decision: Correct Timeout Delegation in the
Harness. The root cause of the original timeout failure was
identified as a race condition in the t/lib/t/helper.pm
test harness. The safe_wait_until_* wrappers were
implementing their own timeout (via wait_any and
sleep_future) that raced against the underlying polling
function’s internal timeout. This led to intermittent failures on slow
machines. The helpers were refactored to delegate all timeout
management to the library’s polling functions, ensuring a
single, authoritative timer controlled the operation.
Decision: Optimize Polling Performance. At the
user’s request, the polling interval was reduced from 300ms to
150ms. This modest performance improvement reduced the
test suite’s wallclock execution time by over a second while maintaining
stability.
Decision: Tune Test Watchdogs. The global watchdog
timeout was adjusted to 12 seconds, specifically calculated as 1.5x the
observed real execution time of the optimized test. This provides a
data-driven safety margin for CI.

Part
V: The Last Bug – A Platform-Specific Memory Leak (March 20)

With all other tests passing, a single memory leak failure in
t/78-memleak.t persisted, but only on the Windows
ad2 environment. This required a different approach than
the timeout fixes.

Key Milestones:

The Bug: A strong reference cycle involving the
on_dialog event listener was not being broken on Windows,
despite multiple attempts to fix it. Fixes that worked on Linux (such as
calling on_dialog(undef) in DESTROY) were not
sufficient on the Windows host.
The Diagnosis: The issue was determined to be a
deep, platform-specific interaction between Perl’s garbage collector,
the IO::Async event loop implementation on Windows, and the
Test::Memory::Cycle module. The cycle report was identical
on both platforms, but the cleanup behavior was different.
Failed Attempts: A series of increasingly
aggressive fixes were attempted to break the cycle, including:
1. Moving the on_dialog(undef) call from
  close() to DESTROY().
2. Explicitly deleteing the listener and callback
  properties from the object hash in DESTROY.
3. Swapping between $self->remove_listener and
  $self->target->unlisten in a mistaken attempt to find
  the correct un-registration method.
Pragmatic Solution: After exhausting all reasonable
code-level fixes without a resolution on Windows, the user opted to mark
the failing test as a known issue for that specific platform.
Final Fix: The single failing test in
t/78-memleak.t was wrapped in a conditional
TODO block that only executes on Windows
(if ($^O =~ /MSWin32/i)), formally acknowledging the bug
without blocking the build. This allows the test suite to pass in CI
environments while flagging the issue for future, deeper
investigation.

Part VI: CI Hardening (March
20)

A final failure in the GitHub Actions CI environment revealed one
last configuration flaw.

Key Milestones:

The Bug: The CI was running
prove --nocount --jobs 3 -I local/ -bl xt t directly. This
command was missing the crucial -It/lib include path, which
is necessary for test files to locate the t::helper module.
This resulted in nearly all tests failing with
Can't locate t/helper.pm in @INC.
The Investigation: An analysis of
Makefile.PL revealed a custom MY::test block
specifically designed to inject the -It/lib flag into the
make test command. This confirmed that
make test is the correct, canonical way to run the test
suite for this project.
The Fix: The
.github/workflows/linux.yml file was modified to replace
the direct prove call with make test in the
Run Tests step. This ensures the CI environment runs the
tests in the exact same way as a local developer, with all necessary
include paths correctly configured by the project’s build system.

Final Outcome

After this long and arduous journey, the
WWW::Mechanize::Chrome test suite is now stable and
passing on all targeted platforms, with known
platform-specific issues clearly documented in the code. The project is
in a vastly more robust and reliable state.

Deb.News

My Debian Activities in April 2026

Debian LTS/ELTS

Debian Printing

Debian Lomiri

Debian Astro

Debian IoT

Debian Mobcom

misc

Tower Servers and Resizable BAR

Comparing the Name Brand Servers

Which HP Workstation

Conclusion

Copy Fail on Debian and SE Linux

Basic Policy Analysis

The Risky Lines

Unconfined Domains and the unconfined_domain_type Attribute

Daemons that Have Access

The Lines that Aren’t Problems

The getattr Lines

The init_t Sockets

SE Linux Protection

Success and Failure

Blocked by SE Linux

When it Works

When the Kernel Isn’t Vulnerable

Conclusion

Review: Full Speed to a Crash Landing

Inquest, a test result repository in Rust

testrepository

Inquest

Goals

Quick start

A few things that aren’t in testrepository

Web UI

Migrating from testrepository

Trying it

Status update, February - April 2026

Debian Related Work

DH Related Work

Debian welcomes the 2026 GSoC interns

FOSS activity in April 2026

binb 0.0.8 on CRAN: Maintenance

Changes in binb version 0.0.8 (2026-05-01)

A rainy day starts May.

Links April 2026

(Trigger Warning) Jeremy Bicha & Debian-Edu, TecKids, Ubuntu incest scandal at DebConf25

3.2. Composition and appointment

Spectrum (Enrico Zini)

Nominating Jeremy BÃ­cha for GNOME Advisory Board

Patience could've saved me time.

Heads we win, tails you lose — AI detectors in education

KVM Support inside LXC Containers [updated]

LXC Container Config Adjustment

LXC Hook Script for KVM Support Enablement

Review: What We Are Seeking

RProtoBuf 0.4.27 on CRAN: Upstream Adjustment

Changes in RProtoBuf version 0.4.27 (2026-04-26)

Predicted: Cole Thomas Allen, gay or transgender boyfriend rumours

Review: The Genocidal Healer

dtts 0.1.4 on CRAN: Maintenance

Changes in version 0.1.4 (2026-04-23)

nanotime 0.3.14 on CRAN: Upstream Maintenance

Changes in version 0.3.14 (2026-04-22)

CSS & vertical rhythm for text, images, and tables

Text

Responsive images

Tables

RcppArmadillo 15.2.6-1 on CRAN: Several Updates

Changes in RcppArmadillo version 15.2.6-1 (2026-04-20)

Changes in RcppArmadillo version 15.2.5-1 [github-only] (2026-04-18)

Join us at Lomiri CodeFest on May 16-17 & Fre(i)e Software GmbH is hiring more Lomiri Developers

Lomiri Codefest in Tilburg NL (May 16-17 2026)

We are hiring Lomiri developers

References

More About Ebook Readers in Debian

FBReader

Okular

Folite

Koodo

Nominating Jeremy BÃcha for GNOME Advisory Board

Solution (Example Command
Sequence)