<?xml version="1.0" encoding="UTF-8" standalone="no"?><rss version="2.0">

<channel>
	<title>ExcitingAds! Planet Debian</title>
	<link>https://planet.debian.org/</link>
	<language>en</language>
	<description>Planet Debian!</description>


<xhtml:meta content="noindex" name="robots" xmlns:xhtml="http://www.w3.org/1999/xhtml"/><item>
	<title>Thorsten Alteholz: My Debian Activities in June 2026</title>
	<guid>http://blog.alteholz.eu/?p=2832</guid>
	<link>http://blog.alteholz.eu/2026/07/my-debian-activities-in-june-2026/</link>
     <description>  &lt;h3&gt;&lt;strong&gt;Debian LTS/ELTS&lt;/strong&gt;&lt;/h3&gt;



&lt;p&gt;&lt;/p&gt;&lt;p&gt;This was my hundred-forty-fourth month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.
&lt;/p&gt;
&lt;p&gt;
During my allocated time I uploaded or worked on:  
&lt;/p&gt;&lt;p&gt;&lt;/p&gt;



&lt;ul&gt;&lt;li&gt;[&lt;a href="https://lists.debian.org/debian-lts-announce/2026/06/msg00004.html"&gt;DLA 4615-1&lt;/a&gt;]  exim4 security update to fix one CVE related to information disclosure in combination with proxies.
&lt;/li&gt;&lt;li&gt;[&lt;a href="https://lists.debian.org/debian-lts-announce/2026/06/msg00005.html"&gt;DLA 4616-1&lt;/a&gt;] haveged security update to fix one CVE related to local root privilege escalation.
&lt;/li&gt;&lt;li&gt;[&lt;a href="https://lists.debian.org/debian-lts-announce/2026/06/msg00007.html"&gt;DLA 4618-1&lt;/a&gt;] gsasl security update to fix one CVE related to denial of service.
&lt;/li&gt;&lt;li&gt;[&lt;a href="https://lists.debian.org/debian-lts-announce/2026/06/msg00020.html"&gt;DLA 4631-1&lt;/a&gt;] asterisk security update to fix 13 CVEs related to buffer under- or overflows, either on heap or on stack. Some are related to use-after-free or wrong processing of invalid or untrusted certificates. 
&lt;/li&gt;&lt;li&gt;[ELA-1747-1] gimp security update to fix three CVEs in Buster related to denial of service or execution of arbitrary code if malformed PSP, JPEG 2000 or PSD files are opened.&lt;/li&gt;&lt;li&gt;[ELA-1748-1] gimp security update to fix two CVEs in Stretch related to denial of service or execution of arbitrary code if malformed PSP or PSD files are opened.&lt;/li&gt;&lt;li&gt;[ELA-1749-1] exim4 security update to fix one CVEs in Buster and Stretch related to information disclosure in combination with proxies.&lt;/li&gt;&lt;li&gt;[ELA-1750-1] gsasl security update to fix one CVEs in Buster and Stretch related to denial of service.&lt;/li&gt;&lt;/ul&gt;



&lt;p&gt;
Besides fixing all CVEs of &lt;i&gt;asterisk&lt;/i&gt; in Bullseye, I started to look at &lt;i&gt;asterisk&lt;/i&gt; in other releases as well. Rather surprisingly &lt;i&gt;asterisk&lt;/i&gt; is only part of Unstable and Bullseye. All other releases don’t include any version of &lt;i&gt;asterisk&lt;/i&gt; at all. So first things first, besides some security related RC bugs, &lt;i&gt;asterisk&lt;/i&gt; did not migrate due to RC-bugs in &lt;i&gt;dahdi-linux&lt;/i&gt;.
As I maintain &lt;i&gt;osmocom-dahdi-linux&lt;/i&gt; (which supports less/other hardware), I looked at the open issues and after some rounds I could upload a new upstream version, fixed some bugs and resolved issues with piuparts. &lt;i&gt;dahdi-linux&lt;/i&gt; meanwhile migrated to testing, job done! &lt;br /&gt; As a next step I looked at the open CVEs. Some of them had been already fixed in previous uploads but had not been marked accordingly. So I fixed all remaining ones and sent a debdiff to the maintainer. Unfortunately there was some kind of overlap in our work and he ignored my debdiff but uploaded a new upstream version. Anyway, job done as well, no open security issues anymore. The only thing that hinders &lt;i&gt;asterisk&lt;/i&gt; from migrating to testing is the reproducible build. So if anybody has some spare time …
&lt;/p&gt;


&lt;p&gt;
Other things I worked on were the regression update of &lt;i&gt;rsync&lt;/i&gt;. Some of the elven new patches need to be backported, but I am confidentially to finish this month. I already reviewed the &lt;i&gt;rsync&lt;/i&gt;– uploads of Sylvain to Buster and Stretch, so I don’t expect any big hurdles here. I am also making progress to find the correct patches for &lt;i&gt;hplip&lt;/i&gt; and &lt;i&gt;cups&lt;/i&gt;.
&lt;/p&gt;


&lt;h3&gt;&lt;strong&gt;Debian Printing&lt;/strong&gt;&lt;/h3&gt;



&lt;p&gt;This month I uploaded a new upstream versions:&lt;/p&gt;



&lt;ul&gt;&lt;li&gt;… &lt;a href="https://tracker.debian.org/lprng"&gt;hplip&lt;/a&gt; to unstable to fix some bugs.&lt;/li&gt;&lt;/ul&gt;



&lt;p&gt;&lt;strong&gt;This work is generously funded by &lt;a href="https://www.freexian.com"&gt;Freexian&lt;/a&gt;!&lt;/strong&gt;&lt;/p&gt;



&lt;h3&gt;&lt;strong&gt;Debian Lomiri&lt;/strong&gt;&lt;/h3&gt;



&lt;p&gt;&lt;/p&gt;&lt;p&gt;This month new upstream versions of dozens of lomiri packages have been released and I uploaded lots of them to Debian. After they migrate to testing, I am also going to sync them to the Ubuntu PPA. &lt;/p&gt;



&lt;p&gt;&lt;strong&gt;This work is generously funded by &lt;a href="https://freiesoftware.gmbh/"&gt;Fre(i)e Software GmbH&lt;/a&gt;!&lt;/strong&gt;&lt;/p&gt;



&lt;h3&gt;&lt;strong&gt;Debian Astro&lt;/strong&gt;&lt;/h3&gt;



&lt;p&gt;This month I uploaded a new upstream version  or a bugfix version of:&lt;/p&gt;



&lt;ul&gt;&lt;li&gt;… &lt;a href="https://tracker.debian.org/supernovas"&gt;indi-pentax&lt;/a&gt; to unstable. This is a package in contrib without autobuild and needed a new upload for the libraw transistion.&lt;/li&gt;&lt;li&gt;… &lt;a href="https://tracker.debian.org/c-munipack"&gt;c-munipack&lt;/a&gt; to unstable.&lt;/li&gt;&lt;li&gt;… &lt;a href="https://tracker.debian.org/supernovas"&gt;supernovas&lt;/a&gt; to unstable (sponsored upload).&lt;/li&gt;&lt;/ul&gt;



&lt;h3&gt;&lt;strong&gt;Debian IoT&lt;/strong&gt;&lt;/h3&gt;



&lt;p&gt;This month I uploaded a new upstream version  or a bugfix version of:&lt;/p&gt;



&lt;ul&gt;&lt;li&gt;… &lt;a href="https://tracker.debian.org/duktape"&gt;duktape&lt;/a&gt; to unstable.&lt;/li&gt;&lt;li&gt;… &lt;a href="https://tracker.debian.org/libcoap3"&gt;libcoap3&lt;/a&gt; to unstable.&lt;/li&gt;&lt;/ul&gt;



&lt;h3&gt;&lt;strong&gt;Debian Mobcom&lt;/strong&gt;&lt;/h3&gt;



&lt;p&gt;This month I uploaded a new upstream version  or a bugfix version of:&lt;/p&gt;



&lt;ul&gt;&lt;li&gt;… &lt;a href="https://tracker.debian.org/smstools"&gt;smstools&lt;/a&gt; to unstable.&lt;/li&gt;&lt;/ul&gt;



&lt;h3&gt;&lt;strong&gt;misc&lt;/strong&gt;&lt;/h3&gt;



&lt;p&gt;This month I uploaded a new upstream version  or a bugfix version of:&lt;/p&gt;



&lt;ul&gt;&lt;li&gt;… &lt;a href="https://tracker.debian.org/visam"&gt;visam&lt;/a&gt; to unstable. There had been an RC bug due to two binaries with the same name but different functionality. Yes, it is in the policy but … (my mother forbade me to elaborate more on this)&lt;/li&gt;&lt;li&gt;… &lt;a href="https://tracker.debian.org/mailio"&gt;mailio&lt;/a&gt; to unstable.&lt;/li&gt;&lt;/ul&gt; </description> 
	<pubDate>Tue, 07 Jul 2026 17:56:04 +0000</pubDate>

</item> 
<item>
	<title>Aigars Mahinovs: How to make a good group photo</title>
	<guid>http://aigarius.com/blog/2026/07/05/making-of-group-photo/</guid>
	<link>http://aigarius.com/blog/2026/07/05/making-of-group-photo/</link>
     <description>  &lt;img src="http://planet.debian.org/heads/aigarius_hg.png" width="85" height="116" alt="" align="right" style="float: right;"&gt;  &lt;p&gt;Taking a good group photo consists of multiple aspects:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;hardware&lt;/li&gt;
&lt;li&gt;scouting&lt;/li&gt;
&lt;li&gt;organization&lt;/li&gt;
&lt;li&gt;preparation&lt;/li&gt;
&lt;li&gt;execution&lt;/li&gt;
&lt;li&gt;processing&lt;/li&gt;
&lt;li&gt;publishing&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;I can say with confidence that nearly everything here comes from having failed to do these things right
at least once, even on the latest attempts, so this is an ideal to reach towards, not something we expect to
hit every time.&lt;/p&gt;
&lt;h3&gt;The Goal&lt;/h3&gt;
&lt;p&gt;The main goal of a big event group photo is capture both the moment itself and each individual person inside
that moment.&lt;/p&gt;
&lt;p&gt;We want people, who were &lt;em&gt;not&lt;/em&gt; there to see all the people involved and get an impression of what
it was like being there. It needs to show the breadth and depth of people that make up this group, this project.&lt;/p&gt;
&lt;p&gt;And we want people who &lt;em&gt;were&lt;/em&gt; there to be able to look back the next week, the next year
or in ten years and remember - ah, yes, I was there, I was standing right there with this grin on my face next
to this wonderful person and I was feeling great.&lt;/p&gt;
&lt;h3&gt;Hardware&lt;/h3&gt;
&lt;p&gt;Based on the goal we want to have high level photographic gear that is able to capture both a broad enough picture
to encompass all the people and some of their surroundings to communicate the context (without undue distortions)
and to deliver enough detail and resolution so that faces and facial expressions and underlying feelings of every
single person in that group could be clearly seen and preserved.&lt;/p&gt;
&lt;p&gt;To both capture the context and minimise distortion the final picture should be just a bit wider than normal human
field of view. That is about 50mm for a full-frame camera or 35mm for a typical 1.6 crop camera. You can go a bit
wider if there are no better alternatives (as detailed in the scouting section), but be prepared that corners
of the image will be distorted and not really usable (but we can fix that in processing step). Or you can go
to unusual aspect ratios, like we did in &lt;a href="https://wiki.debconf.org/wiki/DebConf10/GroupPhoto"&gt;Debconf 10&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;In the absence of a 100MP+ camera, you will need to be stitching together multiple frames to achieve resolution
high enough to have enough pixels-per-face to see emotions clearly. This means that the photos you will actually
be taking will be tighter than the overall field of view mentioned above. Still, a higher resolution camera body
is preferable - nowadays 24MP-32MP cameras APS-C provide a good compromise between resolution and price, but
45-67MP full-frame cameras also exist on the market. Assume that we will be shooting in a bright environment,
so most likely with quite low ISO settings, that means that high-ISO noise characteristics of more expensive
cameras will not really play a role here. You will also not need very fast burst modes, even manual speed of
one frame per second is sufficient.&lt;/p&gt;
&lt;p&gt;You will also want to get as much detail as possible out of your lens, and this is the &lt;em&gt;most important&lt;/em&gt; part.
You can do amazing work in all other steps of the process and have a great camera too, but if you pair it with
a lens that is not sharp, then the end result will be disappointing.&lt;/p&gt;
&lt;p&gt;You want the lens that is sharpest corner-to-corner when stepped down to about f/8-f/11, that you can get for
your system. You also want that lens to be about 85mm full-size sensor or 50mm for 1.6 crop size. Luckily that kind of
range is also a great range for optical design and sharpest lenses are typically available in exactly these kinds
of sizes. You absolutely want to have a fixed focal length lens, not a zoom lens. Even profession grade zoom lenses
often deliver worse image quality compared to fixed lenses that cost less 1/10th of their price (when shooting in
the same focal length). Newer design lenses are better than older lenses - optical design, coatings and precision
manufacturing have advanced a lot over the decades. Retro look is great for mood, but not as good for actual
resolution and clarity. You don't need to overpay for most expensive lenses because those often only improve
image quality on lower F-stops. To encompass the whole group we will need to shoot at f/8 and in bright light,
so the extra benefits of those f/1.2-capable super expensive lenses will not come into play here.&lt;/p&gt;
&lt;p&gt;We will have no use for a flash here. A tripod will be too restrictive when rapidly repositioning the camera between
different parts of the panorama shoot. But a monopod might help with stability - I have not tried that myself,
however.&lt;/p&gt;
&lt;p&gt;For my last photos I used a Canon EOS R7 (32.5MP) with Canon RF 50mm f/1.8 STM lens and considering an upgrade
to Sigma 56mm f/1.4 DC DN for the next time.&lt;/p&gt;
&lt;h3&gt;Scouting&lt;/h3&gt;
&lt;p&gt;Scouting a good location for the group photo is another big chunk of a successful picture. The critical piece of
the puzzle is lens-to-face distance. In order to keep everyone's face in-focus and have enough resolution on the
farthest faces (without making nearest faces truly massive) we want to do everything possible to reduce the
variance in lens-to-face distance - to reduce the difference in distance between closest and farthest face.&lt;/p&gt;
&lt;p&gt;The most effective way to do that is to have the photographer climb higher. To see this in action on the
&lt;a href="https://wiki.debian.org/DebConf/GroupPhotoAll"&gt;Debconf photos&lt;/a&gt;, compare Debconf6 (very high camera position,
group on level ground - good) to Debconf10 (camera not too high, group on stairs, still good) and to Debconf17
(camera could not get high enough and the group is on flat ground - not great). Even the Debconf25 photo was
suboptimal from this perspective. The Debconf23 photo was a very good example from the recent years - good height
and also the group was positioned in a semi-circle so there were no people directly in front and very near to
the camera.&lt;/p&gt;
&lt;p&gt;So you are looking for the highest point you could get to (even if that requires a special permission of key or a
ladder) with a field large enough to fit the whole group comfortably. How to check that? Normally I simply take a
photo from the top of the whole area and note down from there where the extreme corners of the group could be
and still be fully seen in the shot - not blocked by trees, buildings and shadows. Then I go down and measure
that space. Rule of thumb being - people in one horizontal line can stand 1 normal length step from each other and
two horizontal lines can be half a step from each other vertically. So I can just measure a rough rectangle in
steps, multiply the sides, multiply that by two and I have the rough number of people that can fit there for the
photo.&lt;/p&gt;
&lt;p&gt;Once you have a candidate location or two, it is important to check them at the same time-of-day as you plan to
do the photo (see organization section for that). You want to make sure that the whole area of the group is in the
same illumination - if half of the group is in the sun and half in a shadow, then you will be having a very bad
time later. The absolute ideal positioning for the group photo is to have everyone be in shadow, but still have
enough bright skies and bright buildings in front of the people to give good illumination of the faces. Worst
you can do is have the sun be behind the people (so all the faces are really dark) and second worst is have the sun
be directly in front of the group, so that the faces are very well illuminated, but everyone's eyes are closed
because they are being blinded by the sun. And sometimes all you can do is pray for some light clouds to provide
for even and dispersed light. Debconf23 was very lucky that way.&lt;/p&gt;
&lt;p&gt;Another consideration is to how people are going to get to that place. You need to consider accessibility needs
of people (it is ok, if it takes more effort or time, but it needs to be organized and communicated well in
advance). And you need to consider how the big masses of people will be getting there - how to tell people where
&lt;em&gt;exactly&lt;/em&gt; it is and how to get there from various locations where people might be hanging out during the event?&lt;/p&gt;
&lt;p&gt;Having an alternate location indoors might be necessary if the weather report for the next days is not sufficiently
predictable. We had to use that contingency in Debconf9, for example.&lt;/p&gt;
&lt;h3&gt;Organization&lt;/h3&gt;
&lt;p&gt;It's hard to take a good group photo if half of the group does not show up or is too late, so this needs some
organization to happen smoothly.&lt;/p&gt;
&lt;p&gt;First of all you need to choose date and time for the photo. The photo does not take too much time from the
schedule of the event and can be squeezed in after all the other events are already scheduled. In fact I prefer
that as it allows you the flexibility of choosing the date based on weather conditions and time based on light
and shadow conditions in potential photo spots. You don't want to choose the daytrip day as most people will be
away and return times are not really predictable. You do not want to choose the morning after Cheese and Wine
party for obvious reasons. First day and last two days are also sub-optimal as some people arrive late and some
leave early for various personal reasons. Also &lt;em&gt;you&lt;/em&gt; don't want it to happen just before Cheese and Wine either
because then you'd have very little time and clarity to do the processing of the image on the same day.&lt;/p&gt;
&lt;p&gt;For timing, the best way, in my experience, is to schedule the photo directly after the end of talk sessions before
a meal break - lunch or dinner. Typically in the Debconf schedule there are 2-3 daily breaks planned, say for
Debconf25 there was lunch, afternoon break and dinner. Talks are planned to end ~10 minutes before those breaks
(and meals) begin, so for example, afternoon break starts at 16:00 and all talks in the previous block end at
15:50. In such a case just schedule the "Group photo" event from 15:50 to 16:05. This gives people the info to go
there &lt;em&gt;directly&lt;/em&gt; from the end of all talks and that they will have sufficient time for break/meal afterwards.
Do not forget to specify the location (as exactly as possible) in that event entry and make sure to post it at
least two days in advance. People often want to wear something specific for the photo and thus need to know about it
in advance. This also makes sure that people do not make alternate food plans for that specific break and don't
leave the venue.&lt;/p&gt;
&lt;p&gt;Announce the date, time and the exact location as wide as possible, don't be shy. Announce and discuss mailing
lists, IRC, Signal, Telegram, make sure the front desk knows in case anyone asks in-person, ... Check that it
is again included in the announcements email on the day preceding the photo date.&lt;/p&gt;
&lt;p&gt;When the date has arrived, it is a good idea to check in early with people with special mobility needs to make
sure they know where to go, how to get there and how much time they will need to be able to get there on time.&lt;/p&gt;
&lt;p&gt;As the final round of talks before the group photo is starting up, it is time to recruit "runners". I've had great
success with this technique. The idea is pretty simple - for each room where people congregate (talk rooms,
hacklabs, cafeteria, outside hackspace, front-desk, ...) go there and choose one person. You want to choose a person
that you will recognise and remember among everyone else in the group, either because of who they are or what they
are wearing, whatever works best for you. If they agree to help, instruct them to: "at end of talk, announce that
the group photo happening now and the location, herd people towards the photo location, be the last person out,
make sure there are no stragglers from this area behind you, when you arrive to the photo place I will assume
that everyone else from this room is also now there, when you are there catch my attention and show this sign so
I know for sure that it is all good and make sure that I did see it from you". With that sorted out all you will
need to remember is how many runners you recruited and how many have reported in to figure out if everyone has now
arrived or if we still have to wait for someone or some group.&lt;/p&gt;
&lt;p&gt;Then you will only have one last point of organization left - shaping the crowd into a group. People will not
know what your vision for the group photo is, so you will have to give clear and &lt;strong&gt;LOUD&lt;/strong&gt; instructions on where
people should &lt;em&gt;not&lt;/em&gt; be standing. Use clear, large gestures to support your words. You want to compact the group,
have the people that just joined in the last moment and are standing to the side come deeper in and join the
crowd. Have any holes in the middle of the crowd filled in. Forming a semi-circle instead of a blob helps with
averaging face-to-lens distances. Make sure people are not in unexpected shadows. Make sure carried objects, like
umbrellas of flags do not cover the faces of other people. Take the time to look at everyone face to make sure there
are no people hiding behind someone's shoulder - typically they are not aware that their face is in fact not really
visible. If there are such people, call them out and point directly at them and encourage them to step forward, if
they wish to do so. You are the &lt;em&gt;only&lt;/em&gt; one seeing the final picture now and only you can correct it before
capturing the moment. So a few extra seconds here are worth taking, even if 300+ people are standing in scorching
heat and waiting on you.&lt;/p&gt;
&lt;p&gt;When you are happy with what you are seeing, make sure to tell people clearly that you are now about to take
the pictures and &lt;em&gt;again&lt;/em&gt; remind them not to move and &lt;em&gt;explicitly&lt;/em&gt; not to turn their heads to the side until you
are done (this is the source of most of the extra work in processing). Be very loud and clear and make sure
you have everyone's undivided attention &lt;em&gt;before&lt;/em&gt; you start saying the important stuff.&lt;/p&gt;
&lt;p&gt;When done - say so. There will be other groups that will want to also have a photo taken after the main group
is a bit more dispersed, so don't run away. Typically at least the T-shirt group will want a picture and also
all the organizers.&lt;/p&gt;
&lt;p&gt;Final bit of organization during the group photo shooting itself is the sneaky self-insert. You may choose not
to bother with it, or do it in the simplest way, like I did in Debconf6, but if you really want to blend in with
the crowd, you need to have someone else take a photo of you in the exact same location at the same date and time
from the same location. So you should already during shaping the crowd decide where you would fit in, it is easiest
to blend in at the back of the crowd and to one or other side, so that it appears like you are just standing behind
the shoulders of a couple peoples. Remember that spot - it is easiest if you stand in the exact same ground spot
when your photo is taken. Just go down, recruit a volunteer to take your photo, make sure the settings are fixed
to the same ones as for the group photo shots and have them take a handful of shots of you - one of you centered in
the camera frame and a couple more with you more towards the corners of the frame. This distortion from being
off-center in the frame may be important later.&lt;/p&gt;
&lt;h3&gt;Preparation&lt;/h3&gt;
&lt;p&gt;In addition to preparing the crowd for the photo, you also need to prepare yourself and the equipment. Make sure
you have dusted your camera sensor and cleaned both inside and outside glass of your lens. It is usually a good
idea to remove any filters from the lens. Install the hood, if that could help with blocking the sun flares.
Make sure you have the right lens and that you have installed the right lens.&lt;/p&gt;
&lt;p&gt;For fixed settings I typically shoot in JPEG with RAW being there more like an emergency backup. The extra dynamic
range of RAW could be used, but it is really complex to do that in combination with image blending and it is
hard to get right, so I prefer an all-JPEG workflow and fix the dynamic range in the scene itself, before shooting.
For Canon I am using the Standard profile that boosts the color saturation and sharpness a bit as I just enjoy
that look and find it hard to get anything significantly better from RAW data even with a lot of effort.
In any case make sure you have enough space on the cards to take at least 100 images and that you have a full
battery. Do not use high speed burst setting because it is then too easy to take too many pictures at the start
of the sequence and be stuck with your camera still in "Busy" state writing big RAW files to slowish SD cards
and not allowing you to finish the full picture rapidly.&lt;/p&gt;
&lt;p&gt;You want to have the shutter speed at at least 1/100th of a second to prevent blur from both your hand movements
and also from people in the shot moving around a bit (image stabilisation will not help you there). And you want
to have the aperture to be around f/8 - lower apertures risk people in front or behind falling out of focus, make
the lenses look less sharp. Higher apertures also start to become less sharp due to diffraction effects above f/8.
ISO should stay as low as possible, ideally at ISO 100, but if there is not enough light then upping the ISO to 400
would be the first step that I would try to do and second would be decreasing the aperture to f/5.6. If there is
too much light, then increasing the shutter speed should be the safe thing to do.&lt;/p&gt;
&lt;p&gt;As people start to arrive into the shooting location - check the exposure and nail down the settings, ideally in
manual mode. Consider that left side could be a bit lighter or darker than right side. Err on the side of making
the picture a bit too dark as there is more depth to darkness before cut-off compared to clipping on the high
end. However, do not trust the exposure detection, instead take a picture and look specifically at skin tones in
faces of people that already are standing in the photo area. Faces are the key bit and the exposure needs to be
adjusted just to the faces and ignore darker of lighter clothing. Do some test shots and find settings where faces
look not too bright, but also not very dark and fix those settings in manual mode.&lt;/p&gt;
&lt;p&gt;Now you are ready for the action. Shape the crowd, check the faces and the action can start!&lt;/p&gt;
&lt;h3&gt;Execution&lt;/h3&gt;
&lt;p&gt;During taking of the group photo you want to finish it fast, but at the same time you have to take the time to
make it right. If you hurry too much under pressure, you risk being left with unusably blurry images and the
whole effort wasted. Having already prepared and verified the manual settings makes it easier.&lt;/p&gt;
&lt;p&gt;When you are taking pictures, you have to remain as still as possible - even at very high
shutter speeds even slow hand movements are still bad for image quality. So think of the movement as of
biathlon athlete shooting the very middle of five, very separate targets - take a burst, reframe, then steady
up for a second and only then take the next burst. 3 frames per burst are sufficient. 90% of the time the very
first photo of a burst will be best. As you move from frame to frame, aim for just a bit more than half-frame
overlap. This will give the opportunity to skip frames if all is good, but also have backup coverage of every
face in case of problems. Proceed systematically, I typically start off on the top left of the crowd, then
go right until the end of the line, then shift down half a frame and go left until the end and repeat until
I am done with the crowd. &lt;/p&gt;
&lt;p&gt;After that it is &lt;em&gt;very&lt;/em&gt; helpful to also immediately take photos of a "frame" around
the whole crowd. Stitching process often distorts the frames in weird ways that leave holes in the resulting image
that you can fill if you have a wide frame around the crowd. It is possible to compensate with creative
cutouts in the final image (like Debconf9), but the more framing room you make, the more flexible you will be
able to be with cropping of the final photo. The frame also gives you the opportunity to capture more of the
context of the place and space.&lt;/p&gt;
&lt;p&gt;As an example, Debconf25 group photo in the end consisted from 9 images + 1 for sick people + 1 for me. I ended
up missing the framing shots for bottom left, top left and top right corners. To get there I took 68 images. And
in some years it was more than a hundred.&lt;/p&gt;
&lt;h3&gt;Processing&lt;/h3&gt;
&lt;p&gt;This part might be less stressful than taking the pictures from intensity perspective, but it lasts longer. Depending
on you luck, skill and perfectionism it can take anywhere from 3 to 9 hours of work to complete.&lt;/p&gt;
&lt;p&gt;Before you start, however, you should first request things that you will need for other people. This &lt;em&gt;can&lt;/em&gt; even be
done before taking the actual group photo, but usually I forget. To finish the photo you will need three things:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;good quality vector graphics of the current Debconf logo&lt;/li&gt;
&lt;li&gt;good quality vector graphics of the &lt;em&gt;next&lt;/em&gt; years Debconf logo (even if preliminary)&lt;/li&gt;
&lt;li&gt;motto of the conference&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The first two you should be able to get from the respective organizers. The motto is harder. I typically try to
ask the current DPL to come up with something describing the current mood of the project or of the event, but
it is rare that it is that easy. Most of the time I came up with something as I was editing the photo and
reflecting on what was the mood, the feeling, the mojo of this conference and of this year was like. Bend that
around a recognisable phrase or expression, make it a bit more insider-relevant and you are on the right path.
Some years this was the hardest part.&lt;/p&gt;
&lt;p&gt;For the panorama stitching I will describe the workflow that has served me good for years, but maybe there are
better ways possible nowadays. Feel free to let me know!&lt;/p&gt;
&lt;p&gt;First I would save all photos taken and select one sharpest photo from every burst. Next I would select the minimal
number of photos that appear to be covering the entire crowd. The fewer images you use, the better in the end
because the most quality problems crop up in the areas where photos are getting stitched together. Fewer seams
leads to fewer issues.&lt;/p&gt;
&lt;p&gt;Open &lt;a href="https://packages.debian.org/search?keywords=hugin"&gt;Hugin&lt;/a&gt; (you will also need enblend and enfuse installed)
and import your minimal set of images into it. Click the "Align" button and wait a while - the processor will be
trying to figure out keypoints in each image and then try to match these points between the images to try to
fit them all together into a single projection. To do that it will distort the images. This is the trial and error
process part. You may need to add, remove or replace images to get the stitching to work or to work better. You
may want to add more of the frame images to fill the ragged holes around the image.&lt;/p&gt;
&lt;p&gt;After initial alignment, go to "Move/Drag" tab and move the image a bit up in the projected field of view and
make it a bit more central visually. That will help a bit with the distortions in the near-by people and people
in the corners of the image. In the "Crop" tab set the initial crop - leave it generous, you can always crop more
in later steps. Do not be afraid of leaving in sizable chunks of black homes, empty skies or grass. All of that
can be filled in later as well.&lt;/p&gt;
&lt;p&gt;Go back to the "Assistant" tab and click "Create panorama". It is good enough to have JPEG output at 100% quality
using exposure corrected low dynamic range output option. Make sure to check the "Keep intermediate images" option.
This will not only generate the final, merged panorama, but also keep around the individual images &lt;em&gt;after&lt;/em&gt;
perspective correction and exposure blending steps. These are critical for fixing blending error in the next step.&lt;/p&gt;
&lt;p&gt;You might need to go back a forth a few times with a different sets of source images, maybe adding some image
between other two, maybe removing another to reach a better starting point. The key part to pay attention - how
many ugly stitches are there in the image. Check every face, the blending algorithms do not recognise faces and
sometimes try to stitch one face from two or more images creating very weird effects. They &lt;em&gt;can&lt;/em&gt; be fixed in the
next step, but it is rather hard manual work, so the fewer such faces are in the blended image, the less work
you will have. In some years I've managed to find a combination where all faces were good and in other years
I had to manually fix 13-15 faces.&lt;/p&gt;
&lt;p&gt;Do not try to blend the extra pictures (like with you or with sick people) into the main panorama with Hugin - it
will get very confused with the parts of the grass that it is able to see where other people were standing.&lt;/p&gt;
&lt;p&gt;The next is the final processing in &lt;a href="https://packages.debian.org/search?keywords=gimp"&gt;GIMP&lt;/a&gt;. Think of it like
a large and complex project - do as much as possible in separate layers, save often.&lt;/p&gt;
&lt;p&gt;Fixing wrongly stitched faces and also putting yourself into the photo are very similar activities in the end.
Just the scale and the source differ. For yourself you just cut out yourself (upper torso is enough) from the
separate photo. For corrupted face, choose one of two intermediate images that the Hugin created where the
face is transformed, but not yet merged (with a different version of itself). In either case crop the photo to
roughly the interesting size and put roughly in the right spot as a separate layer on top of the group photo
background. Reduce the opacity of the small layer to 30-40% and zoom in to 400%. With that it is much simpler to
position the layer with pixel precision. Then all you need to do is add a layer mask to this layer and paint it
just right. Basically in layer mask black means transparent and white means non-transparent. So you need to &lt;em&gt;just&lt;/em&gt;
make everything that is you have white mask and everything that is not you have black mask. And smudge the border
a bit with finger tool or blur to make the transition smoother. Easy to say. Hard to do. This is what takes most
of the actual work hours in post-processing.&lt;/p&gt;
&lt;p&gt;You &lt;em&gt;might&lt;/em&gt; miss someone. I am sure Phill is just thrilled to see me in the very middle of the Debconf25 final
picture .... But do try to fix them all.&lt;/p&gt;
&lt;p&gt;Use large, sweeping geometric figures to cover up black holes, empty grass fields and other sub-optimal corner
features. And then use that newly created free space to put in a large version of the logo of this years
conference, decently sized motto and slightly smaller invitation to the next years conference.&lt;/p&gt;
&lt;p&gt;Do not forget to add a copyright and license statement somewhere in the corner in smaller, but still well
readable font. I am using a text like: "Photo by: Full Name, Email: fullemail@debian.org, License: GPLv2+ or
CCv3-BY" This ensures that this image may be used in any press coverage (with basic attribution) and also
can be included in any GPL-licensed software, if that ever comes up. The same statement is also in the
metadata of the image file (see Image-Metadata-Edit metadata in GIMP) along with information that states
that this is "Debian Developer Conference Group photo, City, Country, Year". 
Image-&amp;gt;Image properties-&amp;gt;Comment is another place where GIMP hides this EXIF information.&lt;/p&gt;
&lt;p&gt;For ease of use, in addition to a full-resolution image it is also useful to make a lower resolution version
that would still fit on a 4K screen at full resolution, so about 3840px wide. Some photo hosting services set
other limits for image size as well, so it might be needed to scale the image down below 100Mpix to upload it
to Google Photos, for example.&lt;/p&gt;
&lt;h3&gt;Publishing&lt;/h3&gt;
&lt;p&gt;So, it is finally 1AM and the group photo is ready! How do you push it out to people? Well, in all possible ways
and places. Again - don't be shy, people do really want to see it.&lt;/p&gt;
&lt;p&gt;Push it to whatever you use for your shared photos. Push it to 
&lt;a href="https://salsa.debian.org/debconf-team/public/share"&gt;Debconf shared git&lt;/a&gt; (note that this is GIT-LFS repo, make sure
you know how to add content to the LFS specifically). All permanent links to that in 
&lt;a href="https://wiki.debian.org/DebConf/GroupPhotoAll"&gt;GroupPhotosAll wiki&lt;/a&gt;. And then send those links to IRC, Signal,
Telegram groups, debconf-announce mailing list. Publish it in your blog and push that to 
&lt;a href="https://planet.debian.org/"&gt;Debian Planet&lt;/a&gt;. Push it in Threads, Bluesky and Mastodon.
 Send an email separately to Debconf orga team. And one to 
&lt;a href="https://wiki.debian.org/Teams/Publicity"&gt;Debian Publicity Team&lt;/a&gt; so they can put it into the
&lt;a href="https://www.debian.org/"&gt;Debian Home Page&lt;/a&gt; and push via Debian micronews accounts.&lt;/p&gt;
&lt;p&gt;And that is about it. Now you can go back to enjoying the rest of the conference. Or running around doing other
things that you think need to be done. It's up to you. You did it. This moment will remain with people for a
very long time. And you helped.&lt;/p&gt;
&lt;p&gt;Questions? Feedback? Just ask
&lt;a href="https://bsky.app/profile/aigarius.com/post/3mpytbrm5dc2w"&gt;here&lt;/a&gt; or
&lt;a href="https://www.threads.com/@aigarius/post/DadpZDbjqAx?xmt=AQG0WPOLDjK2ZkbDiiuXEOqQQWF5bum51R8V_uNtv9nliA"&gt;here&lt;/a&gt;.&lt;/p&gt; </description> 
	<pubDate>Mon, 06 Jul 2026 19:30:00 +0000</pubDate>

</item> 
<item>
	<title>Russ Allbery: Review: The Player of Games</title>
	<guid>https://www.eyrie.org/~eagle/reviews/books/0-06-105356-2a.html</guid>
	<link>https://www.eyrie.org/~eagle/reviews/books/0-06-105356-2a.html</link>
     <description>  &lt;p&gt;Review: &lt;cite&gt;The Player of Games&lt;/cite&gt;, by Iain M. Banks&lt;/p&gt;

&lt;table&gt;
  &lt;tbody&gt;&lt;tr&gt;
    &lt;td&gt;Series:&lt;/td&gt;
    &lt;td&gt;Culture #2&lt;/td&gt;
  &lt;/tr&gt;
  &lt;tr&gt;
    &lt;td&gt;Publisher:&lt;/td&gt;
    &lt;td&gt;HarperPrism&lt;/td&gt;
  &lt;/tr&gt;
  &lt;tr&gt;
    &lt;td&gt;Copyright:&lt;/td&gt;
    &lt;td&gt;1989&lt;/td&gt;
  &lt;/tr&gt;
  &lt;tr&gt;
    &lt;td&gt;Printing:&lt;/td&gt;
    &lt;td&gt;February 1987&lt;/td&gt;
  &lt;/tr&gt;
  &lt;tr&gt;
    &lt;td&gt;ISBN:&lt;/td&gt;
    &lt;td&gt;0-06-105356-2&lt;/td&gt;
  &lt;/tr&gt;
  &lt;tr&gt;
    &lt;td&gt;Format:&lt;/td&gt;
    &lt;td&gt;Trade paperback&lt;/td&gt;
  &lt;/tr&gt;
  &lt;tr&gt;
    &lt;td&gt;Pages:&lt;/td&gt;
    &lt;td&gt;295&lt;/td&gt;
  &lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;

&lt;p&gt;
&lt;cite&gt;The Player of Games&lt;/cite&gt; is political space opera and the second book in
the shared Culture setting. As with most Culture books, the reading order
is not particularly important. It won the 1989 Locus Award for best
science fiction novel and sometimes competes with
&lt;a href="https://www.eyrie.org/~eagle/reviews/books/1-85723-135-X.html"&gt;&lt;cite&gt;Use of Weapons&lt;/cite&gt;&lt;/a&gt; as the consensus best
Culture novel.
&lt;/p&gt;

&lt;p&gt;
This review is a re-read and yet another experiment in how to re-review a
book. This time, I decided to write a full second review with substantial
spoilers so that I can talk in more detail about the book. If you want to
avoid spoilers, or just want to see how my thoughts have evolved from my
first reading, see &lt;a href="https://www.eyrie.org/~eagle/reviews/books/0-06-105356-2.html"&gt;my original review&lt;/a&gt; from
2005.
&lt;/p&gt;

&lt;p&gt;
Gurgeh plays games. He is probably the best strategy game player in the
entirety of the galaxy-spanning Culture. He has written papers on game
theory, won innumerable major championships, and is a celebrity in the
circle of like-minded aficionados.
&lt;/p&gt;

&lt;p&gt;
Gurgeh is also bored and in the middle of the Culture equivalent of a
mid-life crisis. As the story opens, he's vaguely unsatisfied and adrift,
unenthused by his normal activities, and searching vaguely for something
that will break through his ennui. He is caught by surprise by the thrill
he gets from a moment's misunderstanding in which an opponent suspects him
of cheating, which sets him up to be (apparently) clumsily blackmailed by
a deeply unpleasant drone named Mawhrin-Skel.
&lt;/p&gt;

&lt;p&gt;
&lt;strong&gt;SPOILERS BELOW&lt;/strong&gt;. If you have not read this book, consider stopping
here and instead reading my original &lt;a href="https://www.eyrie.org/~eagle/reviews/books/0-06-105356-2.html"&gt;no spoiler
review&lt;/a&gt;.
&lt;/p&gt;

&lt;p&gt;
The first hundred pages of &lt;cite&gt;The Player of Games&lt;/cite&gt; is a slow, somewhat
plodding introduction to Gurgeh, his social circle, and life in (one part
of) the Culture. I remember being fascinated by this part the first time I
read this book. It was only the second Culture novel I read and the first
set in the Culture proper, so the world-building underlying this odd
post-scarcity utopia on a vast intelligent habitat with sentient drones,
complex privacy rules, endless cocktail parties, and apparently
directionless socialites was intriguingly unlike the other science fiction
I was reading at the time. This time through, I have to admit I was less
impressed.
&lt;/p&gt;

&lt;p&gt;
Gurgeh is not very likable, and his desultory mid-life crisis is a little
boring. None of his friends have enough depth to appear as more than side
notes, in part because Gurgeh doesn't seem to care enough about any of
them to make them interesting to the reader. I've since read seven other
Culture novels, so Banks's cocktail parties hold less charm and I was
impatient for the real action to begin.
&lt;/p&gt;

&lt;p&gt;
These chapters are still important, though, because they establish how
utterly average Gurgeh is. He has one unique talent, a deep affinity with
and obsession with strategy games, and is otherwise a bit of a depressed
narcissist with a few casual relationships, a friend that he barely
confides in, and a comfortable and familiar life. He is not in any way a
hero or a charismatic figure; he just happens to be exceptionally good at
one thing, enough to make him famous among people who care about that one
thing and probably unknown to anyone else apart from the occasional idly
perused news headline. He is the Culture's equivalent of the world chess
champion.
&lt;/p&gt;

&lt;p&gt;
The Contact division of the Culture has a problem. The Empire of Azad in
the Lesser Magellanic Cloud is a nasty, expansionist culture of the sort
that Contact would like to deal with before it causes broader problems.
The Culture's normal approaches are thwarted by an unusual organizing
principle: The empire is built around and takes its name from the game of
Azad, a highly complex strategy game developed over thousands of years.
Azad is the civil service exams, means of political and religious dispute
resolution, selection mechanism for the emperor, and civic religion. Faced
with that oddity, Contact turned to Special Circumstances, the Culture's
more aggressive and less restrained way of dealing with tricky problems.
Special Circumstances, in turn, needs someone who can learn how to play
the game of Azad. They want Gurgeh to take a very long trip.
&lt;/p&gt;

&lt;p&gt;
For all of Gurgeh's dissatisfaction, he's not impulsive enough to take a
five year journey away from his life and everyone he knows just to play a
novel game. Conveniently, Mawhrin-Skel's blackmail resolves this
reluctance.
&lt;/p&gt;

&lt;p&gt;
The game of Azad requires some suspension of disbelief. Banks provides a
few glimpses at the mechanics of the game, but those details are
insufficient to reconstruct the rules, and some of the claims made about
its properties are improbable at best. The best mental model I could build
for it is a strategy or simulation game built around units and territory
control, with supplemental side games used to build up resources for the
main boards, but it's more of a plot device and a set piece than a
world-building invention. The significance of Azad the game is its role in
society: The Empire of Azad believes they have constructed a game whose
complexity so closely models reality that the skills required for success
in the game are precisely the skills required for success in the empire.
&lt;/p&gt;

&lt;p&gt;
The Empire of Azad is wrong, and this is one of the core themes of
&lt;cite&gt;The Player of Games&lt;/cite&gt;. As with many Culture novels, what Special
Circumstances tells Gurgeh is, at best, incomplete. Gurgeh is a refutation
of the basis of belief in Azad; this is why it is important thematically
that he is an average, somewhat unlikable citizen of the Culture whose
only special characteristic is skill at learning and playing games.
&lt;/p&gt;

&lt;p&gt;
Azad is the myth of meritocracy given physical form as a game. It provides
the anchor of the empire for the same reason that societies on Earth place
enormous weight on standardized tests, capitalist success, or public
debates. All societies face the problem of selecting good leaders and
testing opposing beliefs, and all societies attempt to find some form of
shortcut, some set of general principles, tests, or objective metrics used
to select the best person via a process that people consider plausible and
fair. The game of Azad is a paragon of apparently meritocratic process. No
matter who you are or what your background is, if you excel at the game
that, in theory, objectively tests your skills, you are given a position
of power.
&lt;/p&gt;

&lt;p&gt;
In practice, the Empire of Azad is not that naive. Manipulation outside of
the game happens, only some players have the opportunity and resources to
spend years learning the game at a deep level, and only their dominant sex
truly stands a chance in games that matter. But neither is Azad's place in
society a fiction. There is corruption around the edges, and a lot of
people are filtered out before the games begin, but the highest echelons
of society are true believers. The game does decide both rank and policy;
Banks is arguing against a strong form of apparently working meritocracy.
&lt;/p&gt;

&lt;p&gt;
Gurgeh represents a refutation of this meritocracy through the mechanism
that breaks every supposed meritocracy: The map is not and cannot be the
territory. Any objective evaluation criteria is necessarily separate from
what it is trying to measure, and in that separation there is always an
opportunity. Gurgeh has none of the background, training, or mindset
expected for a player of Azad because he could not possibly care less
about any of the things Azad represents to the Empire. What he has instead
is a preternatural skill at games and vast experience with the most
intricate strategy games the Culture, a much larger society, has been able
to devise. He also has both the patience and the resources to devote
himself entirely to learning a game for several years, and past experience
in doing that with other games.
&lt;/p&gt;

&lt;p&gt;
If Azad represents the civil service exams, Gurgeh is the person who has
no interest in ruling but adores memorizing facts and taking tests. The
theory behind the exams is that the skills to pass the exam only come with
the correct mindset to do the job for which the exam is testing. Gurgeh is
an existence proof that this is not always the case.
&lt;/p&gt;

&lt;p&gt;
Banks also uses Azad to show another aspect of the failure of meritocracy:
A society whose rulers are chosen through a competition takes on the shape
of that competition. The Empire of Azad is run by the winners of
competitive games, so the empire is a winner-take-all system of dominance
and status hierarchy. Here, I think Banks lays the point on a little
thick; the empire is an irredeemable hellhole of misogyny, sexual abuse,
slavery, genocide, and military colonialism to a degree that is a bit hard
to justify solely from the game. There is a beautiful turning point about
two-thirds of the way through the book where Gurgeh's face is shoved into
just how vile Azad society is and reconsiders his approach to the
tournament as a result, and I think it may have been a bit stronger if the
morality had been a little less blatant and absolute.
&lt;/p&gt;

&lt;p&gt;
To the extent that Gurgeh has political beliefs, he represents a Culture
flavor of soft liberalism. He has opinions about acceptable and
unacceptable ways to treat people, but he grew up in a utopia and his
opinions are mostly theoretical. When he sees just how vile people can be
outside of that utopia, he is revolted and appalled and redoubles his
efforts to fight that society in the only way he knows how, inside of a
game. This part of the book follows the standard, if enjoyable, plot of a
flawed but fundamentally decent person discovering a true injustice and
becoming enraged at it.
&lt;/p&gt;

&lt;p&gt;
In a lot of books, that would have been where the plot stops. Banks is
doing something more subtle and more interesting, though. Gurgeh wipes the
board with his next challenger, but that soft liberalism eventually proves
inadequate. To learn the game of Azad and to play in the tournament,
Gurgeh has been wrapping himself in Azad culture and its language, and in
that frame of mind he is losing the climactic game of the book. It's only
when he is pushed to think in Marain, the native language of the Culture,
that he understands what is happening in the game and how to defeat
Nicosar, the emperor.
&lt;/p&gt;

&lt;p&gt;
This, on the surface, is a bit too close to the
&lt;a href="https://en.wikipedia.org/wiki/Linguistic_relativity"&gt;strong
hypothesis of linguistic relativity&lt;/a&gt; to be entirely plausible, but such an
objection would miss the point that Banks is making here. Marain is a
construct, the product of considerable effort within the Culture to match
language to the most nuance and complexity that brains can understand, and
it is a language, one of the most social and collective artifacts a
society can produce. Gurgeh is a remarkable individual with an impressive
talent, but individual skill and achievement can only take him so far. The
critical final piece is the support of societal infrastructure
intentionally built and maintained to help him make better decisions.
&lt;/p&gt;

&lt;p&gt;
Once I noticed that point, I saw it everywhere in the book. The empire
repeatedly attempts to subvert or distract Gurgeh with drugs, pleasure,
politics, or danger, and at each point there is some critical piece of
Culture social infrastructure that blunts the attack. Illicit substances
and forbidden vices are less tempting to someone for whom the illicit has
been demystified by the Culture's gentler approach to rules and
boundaries. Embedded biological mechanisms allow him to divert drugs so
that they don't affect him. At first, it's easy to read this as an
exercise of self-control, but on this re-read I saw how much
behind-the-scenes infrastructure supports Gurgeh's ability to ignore
temptation.
&lt;/p&gt;

&lt;p&gt;
This social support notably does not take the form of some ideological
principle or moral framework. Gurgeh is not a monk or an ascetic, as is
obvious from the first third of the book, and he has no political ideology
to speak of. He is a flawed person with a streak of danger-seeking and
self-aggrandizement, which the Culture exploited to get him involved in
Azad. But through a lot of hard work, technological and social, the
Culture has given him a robust foundation and a set of mental and
biological tools that make him remarkably hard to corrupt. The implication
is that if Gurgeh has that support, so does every other member of the
Culture. It's neither a religion or an ideology; it's well-maintained
infrastructure, complex and nuanced and pragmatic, and composed of
innumerable small solutions to specific problems.
&lt;/p&gt;

&lt;p&gt;
I think the true climax of this book takes place the night before the
final day of the game, in the tower meeting between Gurgeh and Nicosar.
Gurgeh has realized that he's already won; there's nothing Nicosar can do
to salvage the game. He's also seen that the game represents a cultural
conflict and conversation between the Culture and Azad and he's
overwhelmed by the beauty of that communication and sadness that the game
is about to be over. Gurgeh's true passion is the game. It is doubtless
easier for him to be magnanimous because he's winning, but he also loves
the structure of the game itself and what two players can create in a sort
of collaborative competition.
&lt;/p&gt;

&lt;p&gt;
Gurgeh tries to express all of this to Nicosar. It is one of the most
centrist liberal moments I've ever read in a novel, the pure essence of
"reaching across the aisle" or "disagreeing agreeably." Gurgeh has seen
something beautiful, something he's created with Nicosar, a moment of true
communication, and he wants to share it. Surely Nicosar sees the same
thing; surely now that he sees Gurgeh has won, he can appreciate the board
structure, savor the moment, understand the transient beauty of a game
that is about to end and how perfectly it captures the meeting of their
different cultures. That moment does Gurgeh real credit. It's a rare sign
of emotional and spiritual depth in a character who often seems
superficial.
&lt;/p&gt;

&lt;p&gt;
Nicosar meets this outreach with unhinged, furious contempt. He despises
everything Gurgeh represents, everything the Culture is, and the next day
he tries to kill Gurgeh on the board of the game.
&lt;/p&gt;

&lt;p&gt;
It is a devastating critique of liberal tolerance, all the more so because
Gurgeh's attitude and outreach is truly admirable. It is perhaps the most
sympathetic moment that Gurgeh has in the entire book, the moment where
the reader thinks "oh, I get it, I understand what he really cares about."
Gurgeh assumes that Nicosar is not his position or culture, that they have
made a moment of connection that transcends all the awful things he
previously learned about the empire of Azad. That Nicosar, despite being
the emperor of the society that is currently doing so many things Gurgeh
finds repulsive, cannot be as bad as his society. And Nicosar considers
that outreach to be weak, disgusting, and vile, and does everything that
he can to destroy it.
&lt;/p&gt;

&lt;p&gt;
One of the oddest twists of our current moment is the obsession that some
billionaires have with stories that are moral arguments against exactly
what those billionaires are currently doing. The most obvious example is
Peter Thiel, who is obsessed with &lt;cite&gt;The Lord of the Rings&lt;/cite&gt; and has
devoted his life to becoming Saruman, a character who is notably not one
of the protagonists. It's as if something in them recognizes the power of
the story, but some deep shame or narcissism or simple aversion allows
them to completely ignore what the story means.
&lt;/p&gt;

&lt;p&gt;
Elon Musk is obsessed with the Culture novels. He names the SpaceX rockets
following Culture Ship naming conventions and has claimed that one of his
goals is to bring about a Culture-style utopia. And in 1989, years before
anyone had ever heard of him, Banks cast him as the villain of &lt;cite&gt;The
Player of Games&lt;/cite&gt;. There is so much of Nicosar in Musk: the superficial
charm, the limited brilliance (Nicosar is a very good Azad player), the
ambition, the pride, and the vicious, spitting contempt for everything the
Culture represents at every level deeper than superficial materialism. And
Banks is as clear about his opinion of Nicosar as he is about anything in
any Culture novel.
&lt;/p&gt;

&lt;p&gt;
One of the oldest fictional answers to what a society does with people
like Nicosar is the consequences of hubris. By being unable to accept
defeat, by holding a vision of the world so tightly, they become brittle
and unstable and bring about their own collapse. In a broad sense, that is
what happens in &lt;cite&gt;The Player of Games&lt;/cite&gt; with a bit of pushing from
Special Circumstances. By the politics of the game, Nicosar had already
won; the results of Gurgeh's earlier games had already been faked, the
final game had no political consequences, and everyone who knew its true
outcome could be disposed of. Gurgeh's win could have been covered up and
ignored. But Nicosar could not endure the thought that he would be beaten
by someone like Gurgeh, playing Azad the way that Gurgeh was playing it.
Gurgeh had to be destroyed on the board of the game; Nicosar's pride did
not allow any other outcome, even if it meant Nicosar's death.
&lt;/p&gt;

&lt;p&gt;
However, Special Circumstances didn't let hubris be the end of the story.
In the climax of the book, the drone protecting Gurgeh also makes sure
that Nicosar dies. There is a fig leaf of plausible deniability, but it's
so obvious that even the unobservant Gurgeh sees through it immediately.
It's hard to escape the feeling that was Banks's answer to what to do with
people like Nicosar: They cannot live within society, because they will
not live peacefully within society.
&lt;/p&gt;

&lt;p&gt;
I enjoyed &lt;cite&gt;The Player of Games&lt;/cite&gt; as much this time through as I did
the first time, but for entirely different reasons. In my first read, I
focused on the world-building of the Culture, the political machinations,
and the concept of games as conversations between the players. This time,
I was struck by the political commentary just below the surface. Special
Circumstances wanted to resolve the problem of the Empire of Azad without
a military conflict and occupation that would be long, brutal, expensive,
and demoralizing. They found an answer that relied on the diversity of the
Culture. A vast, utopian civilization in which people can pursue whatever
interests make them happy produces innumerable microspecialized oddities,
people with astonishing talents in some small field that only a tiny
fraction of people care about. It produces, in other words, innumerable
keys for locks that you may never encounter, but which are invaluable if
you happen to stumble across that lock.
&lt;/p&gt;

&lt;p&gt;
Gurgeh is not a hero. He is not a paragon of moral virtue, or even a
charming charismatic, He is an entirely average member of an extraordinary
society, the beneficiary of thousands of years of concerted effort at
producing a robust, flexible foundation on which to raise robust, flexible
citizens with a shared sense of basic morality. Those people, by
themselves, do not solve all of life's problems; the structure of Special
Circumstances and its willingness to bend rules in order to maintain them
is the tension and &lt;em&gt;deus ex machina&lt;/em&gt; in all of the Culture novels.
But much of the strength of Special Circumstances is that it has an entire
civilization of people like Gurgeh to draw upon when it needs them.
&lt;/p&gt;

&lt;p&gt;
It has those people because the Culture comprehensively rejects
competitive meritocracy, something that some readers of the Culture novels
appear incapable of comprehending.
&lt;/p&gt;

&lt;p&gt;Rating: 9 out of 10&lt;/p&gt; </description> 
	<pubDate>Mon, 06 Jul 2026 03:09:00 +0000</pubDate>

</item> 
<item>
	<title>Russ Allbery: INN 2.7.4</title>
	<guid>https://www.eyrie.org/~eagle/journal/2026-07/001.html</guid>
	<link>https://www.eyrie.org/~eagle/journal/2026-07/001.html</link>
     <description>  &lt;p&gt;
This is a bug fix and minor feature release over INN 2.7.3, and the
upgrade should be painless. You can download the new release from
&lt;a href="https://downloads.isc.org/isc/inn/"&gt;ISC&lt;/a&gt; or
&lt;a href="https://www.eyrie.org/~eagle/software/inn/"&gt;my personal INN pages&lt;/a&gt;. The latter also has
links to the full changelog and the other INN documentation.
&lt;/p&gt;

&lt;p&gt;
For the full list of changes, see the
&lt;a href="https://www.eyrie.org/~eagle/software/inn/docs-2.7/news.html"&gt;INN 2.7.4 NEWS file&lt;/a&gt;.
&lt;/p&gt;

&lt;p&gt;
As always, thanks to Julien ÉLIE for preparing this release and doing most
of the maintenance work on INN!
&lt;/p&gt; </description> 
	<pubDate>Mon, 06 Jul 2026 01:57:00 +0000</pubDate>

</item> 
<item>
	<title>Birger Schacht: Status update, June 2026</title>
	<guid>https://bisco.org/notes/status-update-june-2026/</guid>
	<link>https://bisco.org/notes/status-update-june-2026/</link>
     <description>  &lt;h1 id="debian-related-work"&gt;Debian Related Work&lt;/h1&gt;
&lt;ul&gt;
&lt;li&gt;Uploaded wofi 1.5.3-1 to unstable&lt;/li&gt;
&lt;li&gt;Uploaded wob 0.16-1 to unstable&lt;/li&gt;
&lt;li&gt;Uploaded labwc 0.20.0-1 and 0.20.1-1 to unstable; these releases come with
support for wlroots-0.20, which made labwc reenter testing&lt;/li&gt;
&lt;li&gt;Uploaded swaylock 1.8.5-2 to unstable to make it use the &lt;code&gt;common-auth&lt;/code&gt;
directive of pam (seeh &lt;a href="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1140096"&gt;#1140096&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;Uploaded swayimg 5.4-1 to unstable&lt;/li&gt;
&lt;li&gt;Uploaded wayback 0.3-2 to unstable, which was waiting in experimental
for a reupload and I had forgotten about it; also fixed a
&lt;a href="https://gitlab.freedesktop.org/wayback/wayback/-/merge_requests/96"&gt;typo&lt;/a&gt;
in wayback upstream&lt;/li&gt;
&lt;li&gt;Uploaded xdg-desktop-portal-wlr 0.8.3-1 to unstable&lt;/li&gt;
&lt;/ul&gt;
&lt;h1 id="dh-related-work"&gt;DH Related Work&lt;/h1&gt;
&lt;p&gt;The search app I was working on last month was still a focus in June. I refactored
the data model a bit and made it simpler. I stumbled over the &lt;a href="https://pythonkoans.substack.com"&gt;Python
Koans&lt;/a&gt; and &lt;a href="https://pythonkoans.substack.com/p/koan-15-the-invisible-ink"&gt;Koan 15: The Invisible
Ink&lt;/a&gt; gave me the
idea of using unicode normalization when indexing the items.&lt;/p&gt;
&lt;p&gt;I released a couple of bug fix releases for the APIS framework, namely 0.64.2,
0.64.3 and 0.64.4. I also release 0.65.0 which is one step further in dropping
support for the legacy &lt;code&gt;apis_entities&lt;/code&gt; app. When the &lt;code&gt;search&lt;/code&gt; module is merged
it will give way for removing the last bits of the old cruft to be removed.&lt;/p&gt;
&lt;p&gt;During a regular dependency update session I looked at the changes in &lt;a href="https://github.com/yourlabs/django-autocomplete-light"&gt;the dal
dependency&lt;/a&gt;. After a
long time with no commits, the project suddenly had a lot of commits
co-authored by Claude and then released a new major version with a regression.
Given the state of the project, we decided to keep using the previous release
for now and look into replacing the dependency with an HTMX based solution. I
implemented a POC for one of the plugins we develop and it was actually pretty
easy. I also managed to combine the autocomplete approach with a multi-select
form field, based on &lt;a href="https://dev.to/apleshkov/htmx-multi-select-form-control-without-js-4jfk"&gt;this blog
post&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;In the
&lt;a href="https://www.oeaw.ac.at/de/acdh/forschung/dh-forschung-infrastruktur/aktivitaeten/dh-datenmodellierung/pfp-prosopographische-plattform-oesterreich"&gt;PFP&lt;/a&gt;
project I finally merged the stats endpoint which give statistics about the
named graphs that are used as data sources.&lt;/p&gt;
&lt;h1 id="other"&gt;Other&lt;/h1&gt;
&lt;p&gt;I attended &lt;a href="https://bsidesvienna.at/"&gt;BSidesVienna 0x7EA&lt;/a&gt; but it was on one of
the hottest days this year so far so I left after a couple of talks.&lt;/p&gt; </description> 
	<pubDate>Sun, 05 Jul 2026 05:28:51 +0000</pubDate>

</item> 
<item>
	<title>Steinar H. Gunderson: An update on sesse@chromium.org</title>
	<guid>http://blog.sesse.net/blog/tech/2026-07-04-15-21_an_update_on_sesse_chromium_org.html</guid>
	<link>http://blog.sesse.net/blog/tech/2026-07-04-15-21_an_update_on_sesse_chromium_org.html</link>
     <description>  &lt;img src="http://planet.debian.org/heads/sesse.png" width="74" height="85" alt="" align="right" style="float: right;"&gt;  &lt;p&gt;As previously mentioned, I am leaving Chrome; my last work day
was yesterday. (Sorry to those with July 3rd off that I didn't
get to say goodbye to!) But I'm staying in Google, on more internal
projects :-)&lt;/p&gt;

&lt;p&gt;After 1100+ commits it's hard to pick out one thing that I love
the most; as a team, we launched a lot of (IMO) useful CSS features
and fixed a lot of issues. But somehow, I keep on gravitating towards
performance, and perhaps &lt;a href="https://chromium-review.googlesource.com/c/chromium/src/+/3581992"&gt;this commit&lt;/a&gt;
is the one I will remember the most fondly; a couple hundred lines
to speed up repeated attribute selectors a lot. (If you ever wonder
who would be doing that; well, there's a fairly high chance that you
have an extension injecting a stylesheet with a lot of &lt;code&gt;a[href*="..."]&lt;/code&gt;
rules…)&lt;/p&gt;

&lt;p&gt;Upwards and onwards. Please write lean, clean CSS; I won't be there
to save you from now on. :-)&lt;/p&gt; </description> 
	<pubDate>Sat, 04 Jul 2026 14:21:00 +0000</pubDate>

</item> 
<item>
	<title>Tim Retout: AWS Washington Summit 2026</title>
	<guid>https://retout.co.uk/2026/07/04/aws-washington-summit-2026/</guid>
	<link>https://retout.co.uk/2026/07/04/aws-washington-summit-2026/</link>
     <description>  &lt;p&gt;I am somewhat jet-lagged, having returned from Washington DC just
before the 250th anniversary celebrations which will be happening
today.  I was part of a delegation sent by my employer to the AWS
Summit there this week, partly to kindle interactions between PA
Consulting and Jacobs who have recently &lt;a href="https://www.jacobs.com/newsroom/press-release/jacobs-acquire-remaining-stake-pa-consulting"&gt;taken a 100% share in
PA&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;Much of our conference time was spent in meetings with AWS executives
impressing the facts of the Jacobs/PA partnership upon them, and
discussing plans to broaden our collaboration in different sectors.
So I spent even less time than usual at conference keynotes, talks
etc.&lt;/p&gt;
&lt;p&gt;This was my first time to DC, and I did find some time to see some
sights – unfortunately the White House is rather fenced off at the
moment following the UFC match, but I did make it to the Capitol and
the Washington Monument in the heat.&lt;/p&gt;
&lt;p&gt;Last Sunday a select few of us attended the &lt;a href="https://www.mlb.com/orioles"&gt;baseball in
Baltimore&lt;/a&gt; – rather than the game, the
thing that stood out for me was the military jets flying in formation
over the stadium every few minutes, and the block-booked seats for the
Navy in uniform, who were having a great time!  This is obviously a
hearts-and-minds thing, but it provides a stark contrast with the UK
– I can’t think of a time I’ve seen uniformed military at the
football (soccer) or cricket for example.  Or Union Jacks flying at
shopping centres.&lt;/p&gt;
&lt;p&gt;Speaking of soccer, England just about beat DR Congo while I was out
there, but it was a close-run thing as we were 1-0 down at half time.
I can’t claim to be following the World Cup too closely, but I
overheard comments (from US passers-by) that made clear it would have
had a significant reputational impact on our standing in the world had
we lost.&lt;/p&gt;
&lt;p&gt;Another highlight for me was the &lt;a href="https://www.asa-dc.org/"&gt;Church of the Ascension and
St. Agnes&lt;/a&gt;, where I was able to get my fix of
Anglican plainchant and four-part harmony for the week.  At morning
prayer, I noted they use “God save this land” rather than “God save
the King” during the responses – I’ve since found other sources
online that choose “God save the State”.  It’s strange to think that
the words of the BCP dating back to 1549/1662 are a point of
continuity since well before the 1776 declaration of independence, and
yet are still adapted and used in worship today.&lt;/p&gt; </description> 
	<pubDate>Sat, 04 Jul 2026 12:40:45 +0000</pubDate>

</item> 
<item>
	<title>Julian Andres Klode: The pandemic of incomplete OpenSSL error handling</title>
	<guid>https://blog.jak-linux.org/2026/07/03/openssl-pandemic/</guid>
	<link>https://blog.jak-linux.org/2026/07/03/openssl-pandemic/</link>
     <description>  &lt;p&gt;Recently a person reported a bug in APT saying that TLS is failing on FIPS
systems with MD5 errors, and suggested we call &lt;code&gt;ERR_clear_error()&lt;/code&gt; around
TLS operations.&lt;/p&gt;
&lt;p&gt;Like any serious software engineer would do, I said No. Just because one component
failed to handle its errors does not mean I can go around and discard all errors
in another place - the program should have failed earlier (or discarded the error
when it was determined to be safe).&lt;/p&gt;
&lt;p&gt;Little did I know that people have for years been using this approach as a best
practice: Codebases everywhere are littered with calls to &lt;code&gt;ERR_clear_error()&lt;/code&gt;
before performing TLS, and upstream themselves suggest to do just that.&lt;/p&gt;
&lt;p&gt;This is a major, systemic, pandemic of incomplete error handling. We cannot
just discard unrelated errors if they become inconvenient. The code that
caused the error needs to be fixed to handle it.&lt;/p&gt;
&lt;p&gt;This isn’t all. It seems many authors are not familiar with libraries using a
stack of errors, and there is a second anti-pattern:&lt;/p&gt;
&lt;p&gt;Call an OpenSSL operation, check the top-level error, and then discard all
errors if deemed “not too bad”. This has the same problem: Unrelated errors
get silently discarded.&lt;/p&gt;
&lt;p&gt;I would strongly encourage everyone to inspect their code bases for any calls
to &lt;code&gt;ERR_clear_error()&lt;/code&gt; and whether they are safe or one of the bad patterns
above (or maybe you find a new pattern). You may want to use error stack
functionality of&lt;code&gt;ERR_set_mark&lt;/code&gt; (&lt;a href="https://docs.openssl.org/3.4/man3/ERR_set_mark/"&gt;https://docs.openssl.org/3.4/man3/ERR_set_mark/&lt;/a&gt;)
to essentially “push” and “pop” an error context of your own as a guard around
multiple OpenSSL operations.&lt;/p&gt;
&lt;p&gt;To the OpenSSL authors, I would suggest not encouraging devastating security
practices that fundamentally break any trust in software.&lt;/p&gt;
&lt;p&gt;We need to do better than this.&lt;/p&gt; </description> 
	<pubDate>Fri, 03 Jul 2026 15:54:22 +0000</pubDate>
  <author>jak@jak-linux.org (Julian Andres Klode)</author>  
</item> 
<item>
	<title>Colin Watson: Free software activity in June 2026</title>
	<guid>tag:www.chiark.greenend.org.uk,2026-07-03:/~cjwatson/blog/activity-2026-06.html</guid>
	<link>https://www.chiark.greenend.org.uk/~cjwatson/blog/activity-2026-06.html</link>
     <description>  &lt;img src="http://planet.debian.org/heads/cjwatson.png" width="70" height="82" alt="" align="right" style="float: right;"&gt;  &lt;p&gt;My Debian contributions this month were all &lt;a href="https://www.freexian.com/about/debian-contributions/"&gt;sponsored&lt;/a&gt; by Freexian.&lt;/p&gt;
&lt;p&gt;You can also support my work directly via &lt;a href="https://liberapay.com/cjwatson"&gt;Liberapay&lt;/a&gt; or &lt;a href="https://github.com/sponsors/cjwatson"&gt;GitHub Sponsors&lt;/a&gt;.  Thanks to new sponsor &lt;a href="https://github.com/fernandocc17"&gt;@fernandocc17&lt;/a&gt;!&lt;/p&gt;
&lt;h2&gt;bugs.debian.org documentation&lt;/h2&gt;
&lt;p&gt;Sometimes I ask users to file bugs upstream themselves because I think they’d be better placed to have the ensuing discussion with the upstream maintainers directly rather than everything having to go through me.  Of course sometimes they don’t want to do so, perhaps because it requires creating another account somewhere.  Rarely, I’ve had people refuse to do this because the letter of the bug tracking system’s documentation seemed to tell them not to.  Since I don’t believe that was the intention, I &lt;a href="https://salsa.debian.org/webmaster-team/webwml/-/merge_requests/1149"&gt;corrected this&lt;/a&gt;.&lt;/p&gt;
&lt;h2&gt;OpenSSH&lt;/h2&gt;
&lt;p&gt;I spent two and a half hours extensively revising &lt;code&gt;debian/copyright&lt;/code&gt; so that &lt;code&gt;lrc&lt;/code&gt; believes it to be in sync with the output of &lt;code&gt;licensecheck&lt;/code&gt;.  I’m unconvinced that this was remotely worth the mind-numbing effort - as far as I can tell, it makes no difference to the practical legal position, to policy compliance, or to any reasonable user - but the &lt;span class="caps"&gt;DFSG&lt;/span&gt; team increasingly seems to be objecting to any discrepancies here any time a package crosses their radar, so this was a pre-emptive measure to avoid problems with some upcoming trips through the &lt;span class="caps"&gt;NEW&lt;/span&gt; queue.&lt;/p&gt;
&lt;h2&gt;OpenSSL 4.0&lt;/h2&gt;
&lt;p&gt;I fielded a few of the &lt;a href="https://udd.debian.org/cgi-bin/bts-usertags.cgi?user=pkg-openssl-devel%40lists.alioth.debian.org&amp;amp;tag=openssl-4.0"&gt;OpenSSL 4.0 build failure bugs&lt;/a&gt;:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="https://bugs.debian.org/1138480"&gt;omniorb-dfsg&lt;/a&gt; (along with upgrading to 4.3.4)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://bugs.debian.org/1138423"&gt;openssh&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://bugs.debian.org/1138408"&gt;yubihsm-shell&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Python packaging&lt;/h2&gt;
&lt;p&gt;New upstream versions:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;certipy&lt;/li&gt;
&lt;li&gt;juptyer-server (fixing &lt;a href="https://bugs.debian.org/1136022"&gt;&lt;span class="caps"&gt;CVE&lt;/span&gt;-2025-61669, &lt;span class="caps"&gt;CVE&lt;/span&gt;-2026-35397, &lt;span class="caps"&gt;CVE&lt;/span&gt;-2026-40110, and &lt;span class="caps"&gt;CVE&lt;/span&gt;-2026-40934&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;magicgui&lt;/li&gt;
&lt;li&gt;pydantic&lt;/li&gt;
&lt;li&gt;pydantic-core&lt;/li&gt;
&lt;li&gt;pydantic-settings&lt;/li&gt;
&lt;li&gt;pylint&lt;/li&gt;
&lt;li&gt;pytest-rerunfailures (fixing a &lt;a href="https://bugs.debian.org/1140869"&gt;build failure with pytest 9.1&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;python-certifi&lt;/li&gt;
&lt;li&gt;python-django-celery-beat&lt;/li&gt;
&lt;li&gt;python-numpy-groupies&lt;/li&gt;
&lt;li&gt;python-packaging (aided by Debusine testing of reverse-dependencies)&lt;/li&gt;
&lt;li&gt;python-pytest-run-parallel&lt;/li&gt;
&lt;li&gt;python-pytest-unmagic&lt;/li&gt;
&lt;li&gt;python-service-identity&lt;/li&gt;
&lt;li&gt;python-tabulate&lt;/li&gt;
&lt;li&gt;python-urllib3 (fixing &lt;a href="https://bugs.debian.org/1140427"&gt;&lt;span class="caps"&gt;CVE&lt;/span&gt;-2026-9375&lt;/a&gt; and &lt;a href="https://bugs.debian.org/1136654"&gt;&lt;span class="caps"&gt;CVE&lt;/span&gt;-2026-44432&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;python-watchfiles&lt;/li&gt;
&lt;li&gt;python-yubihsm&lt;/li&gt;
&lt;li&gt;responses&lt;/li&gt;
&lt;li&gt;uncertainties&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;pytest 9.1 was uploaded to unstable this month, resulting in quite a few new build/test failure bugs.  I tried to keep on top of as many of these as I could; most of them had one of a small number of similar causes.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="https://bugs.debian.org/1140858"&gt;domdf-python-tools&lt;/a&gt; (&lt;a href="https://github.com/domdfcoding/domdf_python_tools/pull/151"&gt;contributed upstream&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://bugs.debian.org/1140978"&gt;flask-caching&lt;/a&gt; (&lt;a href="https://github.com/pallets-eco/flask-caching/pull/652"&gt;contributed upstream&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://bugs.debian.org/1140863"&gt;magicgui&lt;/a&gt; (&lt;a href="https://github.com/pyapp-kit/magicgui/pull/731"&gt;contributed upstream&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://salsa.debian.org/python-team/packages/pydantic-core/-/commit/0b294b4e0841b63d2a6ace55b9fbb6ec50fae6d3"&gt;pydantic-core&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://bugs.debian.org/1140865"&gt;pydantic-extra-types&lt;/a&gt; (&lt;a href="https://github.com/pydantic/pydantic-extra-types/pull/397"&gt;contributed upstream&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://bugs.debian.org/1140866"&gt;pydantic&lt;/a&gt; (&lt;a href="https://github.com/pydantic/pydantic/pull/13357"&gt;contributed upstream&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://bugs.debian.org/1140867"&gt;pylint&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://bugs.debian.org/1140868"&gt;pytest-codeblocks&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://bugs.debian.org/1140875"&gt;python-docx&lt;/a&gt; (&lt;a href="https://github.com/python-openxml/python-docx/pull/1563"&gt;contributed upstream&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://bugs.debian.org/1140879"&gt;python-numpy-groupies&lt;/a&gt; (&lt;a href="https://github.com/ml31415/numpy-groupies/pull/96"&gt;contributed upstream&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://bugs.debian.org/1140880"&gt;python-openapi-core&lt;/a&gt; (&lt;a href="https://github.com/python-openapi/openapi-core/pull/1207"&gt;contributed upstream&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://bugs.debian.org/1140932"&gt;python-urllib3&lt;/a&gt; (&lt;a href="https://github.com/urllib3/urllib3/pull/5094"&gt;contributed upstream&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://bugs.debian.org/1140883"&gt;python-watchfiles&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://bugs.debian.org/1141032"&gt;sphinx-automodapi&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Python 3.14 became the default Python version in unstable towards the end of the month, starting a &lt;a href="https://bugs.debian.org/1130323"&gt;transition&lt;/a&gt;.  These usually involve quite a bit of work, and there’s much more to do, but I fixed a few things:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="https://bugs.debian.org/1140927"&gt;depthcharge-tools: Traceback with 3.14: args for positionals must be != 0&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://bugs.debian.org/1131793"&gt;domdf-python-tools: autopkgtest failure with Python 3.14&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Other build/test failures:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="https://bugs.debian.org/1140059"&gt;dh-python: Dependency parsing is too picky about spacing&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://salsa.debian.org/python-team/packages/psygnal/-/commit/060a129ae5267e404510bdcb5e2bfb20eafe9c25"&gt;psygnal: Allow building without msgspec&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://salsa.debian.org/python-team/packages/pydantic-core/-/commit/0ec1508c0ff9cfeb2677fba4a0a29cc2cd19cabf"&gt;pydantic-core: Accept and require uuid 1.23.0, now that it’s in Debian&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://bugs.debian.org/1135448"&gt;pygame: &lt;span class="caps"&gt;FTBFS&lt;/span&gt;: &lt;span class="caps"&gt;FAIL&lt;/span&gt;: test_fill_rle (pygame.tests.surface_test.SurfaceTypeTest.test_fill_rle)&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://bugs.debian.org/1139431"&gt;pyro5: &lt;span class="caps"&gt;FTBFS&lt;/span&gt;: Unable to determine debhelper compatibility version&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://bugs.debian.org/1139197"&gt;python-persistent: Bump timeout in test_rapid_create_destroy_cycle&lt;/a&gt; (&lt;a href="https://github.com/zopefoundation/persistent/pull/238"&gt;contributed upstream&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://bugs.debian.org/1140667"&gt;python-yubihsm: Depends: python3-cryptography (&amp;lt; 47) but 47.0.0-1 is to be installed&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://bugs.debian.org/1138813"&gt;sphinx-gallery: &amp;lt;!nodoc&amp;gt; build dependency removed from testing&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://salsa.debian.org/python-team/packages/tpm2-pytss/-/commit/0b9dcb5d369f2f32d904437e7880cec0381745e0"&gt;tpm2-pytss: Fix support for cryptography 47&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://bugs.debian.org/1140931"&gt;twisted: Tests fail with pyopenssl 26.3.0: module ‘OpenSSL.crypto’ has no attribute ‘X509Req’&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Other bugs:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="https://salsa.debian.org/python-team/packages/psygnal/-/commit/0bc98b31531ab5ce3f6f465b16780ed932633fe6"&gt;psygnal: Fix reproducibility&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://bugs.debian.org/1138937"&gt;python-nacl: Updating the python-nacl Uploaders list&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://bugs.debian.org/1046910"&gt;python-tabulate: Fails to build source after successful build&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://bugs.debian.org/1046308"&gt;tpm2-pytss: Fails to build source after successful build&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Rust packaging&lt;/h2&gt;
&lt;p&gt;New upstream versions:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;rust-asn1 (&lt;a href="https://bugs.debian.org/1134917"&gt;needed by new python-cryptography&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;rust-asn1-derive&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Code reviews&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="https://bugs.debian.org/1129695"&gt;buildbot: [&lt;span class="caps"&gt;INTL&lt;/span&gt;:sv] Swedish translation of debconf templates&lt;/a&gt; (merged and uploaded)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://salsa.debian.org/ssh-team/openssh/-/merge_requests/39"&gt;openssh: Support DPKG_ROOT&lt;/a&gt; (merged and uploaded)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://salsa.debian.org/ssh-team/openssh/-/merge_requests/41"&gt;openssh: Fix &lt;span class="caps"&gt;GSS&lt;/span&gt; C25519 server blob bounds check&lt;/a&gt; (merged and uploaded)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://salsa.debian.org/python-team/packages/python-pyramid/-/merge_requests/1"&gt;python-pyramid: &lt;span class="caps"&gt;CVE&lt;/span&gt;-2023-40587 Backport patch&lt;/a&gt; (merged and uploaded)&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Other bits and pieces&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="https://bugs.debian.org/1140062"&gt;busybox: chdir no longer available -&amp;gt; breaks d-i ‘live-installer.udeb’&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://salsa.debian.org/debian/debmirror/-/commit/7d25662cd048afbe8f90a437466dc1d8751a3e89"&gt;debmirror: Refresh mirror_size documentation&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt; </description> 
	<pubDate>Fri, 03 Jul 2026 11:38:46 +0000</pubDate>

</item> 
<item>
	<title>Matthew Garrett: Securing agentic identity</title>
	<guid>https://codon.org.uk/~mjg59/blog/p/securing-agentic-identity/</guid>
	<link>https://codon.org.uk/~mjg59/blog/p/securing-agentic-identity/</link>
     <description>  &lt;img src="http://planet.debian.org/heads/mjg59.png" width="69" height="85" alt="" align="right" style="float: right;"&gt;  &lt;p&gt;As is the case for many people working in the security industry, the last
few months of my life have been focused on dealing with people wanting to
use LLMs everywhere. From an enterprise security perspective that’s not an
inherent problem - what’s more of a problem is that people want those agents
to have access to resources like their calendar and email and so on, and now
we have somewhat non-deterministic agents that seem very enthusiastic to
achieve what you asked whether that’s a good idea or not, and we’re
combining this with credentials that give them access to sensitive data, and
leaving those credentials on disk where they can be committed into git repos
or exfiltrated to some other service to make use of them on the agent’s
behalf or well just any other number of things, at which point your CEO’s
email is suddenly readable by everyone and you’re having a bad day.&lt;/p&gt;
&lt;p&gt;As I mentioned in my &lt;a class="link" href="https://codon.org.uk/~mjg59/blog/p/preventing-token-theft/" rel="noopener" target="_blank"&gt;last
post&lt;/a&gt;, pretty
much every strong mechanism for keeping credentials in place is just not
supported in the wider world. We can imagine a universe where agents use
hardware (or at least hypervisor) backed certificates to obtain credentials
and any that end up leaking are worthless as a result. But, sadly, that’s
not an option for most people using existing identity providers. The state
of the art is that you use the &lt;a class="link" href="https://mjg59.dreamwidth.org/62175.html" rel="noopener" target="_blank"&gt;device code
flow&lt;/a&gt; and a human authenticates and
the token ends up back inside the agent environment and then it proceeds to
do whatever it wants with it and you just hope that you wake up the next
morning without an awful infoleak occurring.&lt;/p&gt;
&lt;p&gt;(An aside: I do not like the device code flow as used in enterprise
environments, and I never will. The identity provider doesn’t have a real
opportuity to inspect the security posture of the system asking for the
token, and as a result some identity providers will restrict tokens that are
issued in this way. The common alternative of doing stuff using a more
standard flow and having a redirect URI pointing at localhost works fine for
local systems and is a pain for remote ones, even if you can commit crimes
with SSH forwarding. I’m going to suggest something that I think is better,
and you are free to disagree)&lt;/p&gt;
&lt;p&gt;I’m not in a position to get every identity provider and service provider to
change their security posture, so I’m somewhat stuck in terms of the tokens
they’re willing to issue me - largely either JWTs or opaque access tokens,
with no support for any mechanism of binding that token to an instance. The
token that’s going to have to be provided to the remote service is something
I have little influence over. But that doesn’t mean I can’t influence the
token that lands inside the agent’s environment. I can issue a placeholder
token to the agent, and force it to communicate via a proxy that swaps out
the placeholder for the real thing. The worst the agent can do is exfiltrate
the placeholder token, and as long as malicious actors don’t have access to
that proxy, it doesn’t matter - nobody else can do anything with the
placeholder.&lt;/p&gt;
&lt;p&gt;This isn’t a terribly novel insight, and it seems like almost everybody has
reinvented this on their own. But a lot of these implementations involve you
somehow obtaining the real token in advance and then pasting that into
something that generates a placeholder that you provide to your agent
environment somehow, and it’s all a bit clunky and awkward, and it also
means that you need to deal with something that keeps track of the mapping
between placeholders and real tokens and oh no we’ve just invented a secret
store, and if you want this to work at scale and reliably you’re just
invented a high availability distributed secret store, and a lot of people
who’ve read that are now shaking their heads and reaching for gin. Can we
simplify this, and improve security at the same time? I think we can!&lt;/p&gt;
&lt;p&gt;Remember when I said “as long as malicious actors don’t have access to that
proxy, it doesn’t matter”? What if they do? What if they compromise one
machine inside your environment and are then able to email a bunch of
employees and convince their agents to send more tokens back to them and
then delete the email before a human reads it? Now you have someone inside
the wall with access to those tokens, and presumably with access to the
proxy, and now they can be anyone whose agent was gullible enough to think
sending them a token was a good idea. This isn’t good!&lt;/p&gt;
&lt;p&gt;So, I thought for a while, and I came up with a new idea. We can have a
broker service that obtains credentials for us. We can run that centrally,
away from the agents. A client in an agentic environment can request a
token, and that can result in a URL being generated and the user being
directed to open a URL in a browser and authenticate. When the user
authenticates, the authentication flow redirects the confirmation back via
the broker, and the broker obtains the real auth token. The obvious thing to
do now would be to return the auth token to the client in the agentic
environment, but we don’t do that. Instead, we mint a new JWT, and add a new
claim - one that contains an encrypted copy of the token. In the process we
can copy over all the original claims, because those aren’t secret - and now
even if the client inspects the token to figure out what access it has,
it’ll get a correct answer. We sign the new token with our own signing key,
and pass that back to the client. The client now has a legitimate JWT that
is utterly useless, because the signature isn’t trusted by anyone other than
us.&lt;/p&gt;
&lt;p&gt;How does it use it? It makes an API request via a proxy, including the new
token in the Authorization: header. The proxy verifies the signature on the
token, and then decrypts the original token and swaps out the fake token for
the real one. The remote API sees what it expects, and everyone is
happy. There’s never a real token in the agentic environment, but also we
don’t need to store anyting anywhere. The only state is the encryption keys,
and those can be injected into the environment at startup. You need to
scale? Just start more of these processes. You need to support multiple
availability zones? Just start more of these processes in different
places. No persistent data is ever held in the broker or the proxy. You
don’t need to care about distributed databases or secret stores.&lt;/p&gt;
&lt;p&gt;This felt wonderfully elegant and I felt smug about coming up with a better
idea, and then I went to a bar earlier this week and sat down to read &lt;a class="link" href="https://datatracker.ietf.org/doc/html/rfc8705" rel="noopener" target="_blank"&gt;RFC
8705&lt;/a&gt; and the guy next to me
saw that over my shoulder and asked what I was reading and I explained why I
was interested and we talked about agentic identity and then he mentioned
that fly.io had something that sounded &lt;a class="link" href="https://fly.io/blog/tokenized-tokens/" rel="noopener" target="_blank"&gt;very
similar&lt;/a&gt; and I read that and gosh yes
it is very similar, so damn you fly.io for stealing my ideas 3 years before
I even had them. Anyway. Now I need to do better.&lt;/p&gt;
&lt;p&gt;Remember that there’s still a risk around anyone who has access to the proxy
having access to the encrypted keys? We can remove that risk as well. It’s
not uncommon for agentic environments to have an identity issued via
something like &lt;a class="link" href="https://spiffe.io/" rel="noopener" target="_blank"&gt;SPIFFE&lt;/a&gt;, at which point they have a
client certificate. You can probably guess where I’m going with this. If we
require that an agent present a client cert to the broker when requesting a
token, we can embed a representation of that client cert into the token we
mint. The proxy can then require mTLS for the client connection, and can
verify that the presented certificate matches the one represented in the
token. If it does then whoever’s using the token has access to the private
key associated with the environment it was issued to. If we then ensure that
the private keys backing these certificates are either hardware or
hypervisor backed, and as such tied to a specific instance, we now have a
high degree of confidence that the token can only be used in its intended
environment. Even if our identity provider doesn’t support RFC 8705, we can.&lt;/p&gt;
&lt;p&gt;This is fairly straightforward where you’re using a platform where your
identity provider is also the environment that’s consuming your tokens, and
more annoying for third parties. The broker potentially needs some amount of
third party vendor knowledge to make that work for everyone. This is even
more the case where login isn’t via your identity provider (thanks, github),
but none of this is insurmountable - just annoying. And where vendors issue
opaque tokens rather than JWTs, this still isn’t a problem; we can just mint
a new JWT that includes the opaque token as an encrypted claim, and include
the same certificate binding. The opaque token ends up being the thing
that’s presented to the third party, but only after we’ve verified the mTLS
binding.&lt;/p&gt;
&lt;p&gt;In an ideal world none of this would be necessary - someone would spin up a
new agentic environment, a user would prove their identity, and a
certificate embodying that identity would be issued to the environment with
a private key that can’t be exfiltrated. That certificate would be
sufficient to obtain new certificates associated with the same private key,
and we could still bind that into mTLS identity. This would be much simpler,
but browsers don’t support it, so it’s not likely to happen any time soon.&lt;/p&gt;
&lt;p&gt;Anyway. Even if we can’t have the best thing, we can do better than we are
at the moment, and also it would be lovely if we could standardise on this
rather than have everyone build their own thing. The end.&lt;/p&gt; </description> 
	<pubDate>Fri, 03 Jul 2026 00:38:23 +0000</pubDate>

</item> 
<item>
	<title>Joey Hess: no LLM code in dependencies</title>
	<guid>http://joeyh.name/blog/entry/no_LLM_code_in_dependencies/</guid>
	<link>http://joeyh.name/blog/entry/no_LLM_code_in_dependencies/</link>
     <description>  &lt;img src="http://planet.debian.org/heads/joeyh2.png" width="84" height="75" alt="" align="right" style="float: right;"&gt;  &lt;p&gt;I've spent about 100 hours of work over the past month to make sure
git-annex can build without dependencies that contain LLM generated code.
At least so far.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://git-annex.branchable.com/no_llm_code/"&gt;https://git-annex.branchable.com/no_llm_code/&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Needing to review a program's whole dependency tree on an ongoing basis is
apparently what programming has come to?&lt;/p&gt;

&lt;p&gt;I've found some real stinkers. Large LLM generated changes being reverted
in the next release without any explanation. An incoherent 1489 line
commit message with 10,000 lines of changes to a 26,000 LOC code base.
A LLM prompt to copy code from another project that seems to have only
avoided being copyright infringement due to luck.&lt;/p&gt;

&lt;p&gt;I now have additional information about the quality of dependencies
which will surely influence future decisions. As far as I
can see, that's the only positive benefit of this work.&lt;/p&gt;

&lt;p&gt;I realize that I am probably trying to hold back the tide at this point.
That appears to be why Software Freedom Conservancy
&lt;a href="https://sfconservancy.org/llm-gen-ai/llm-backed-generative-ai-recommendations.html"&gt;punted&lt;/a&gt;,
and I doubt that the FSF will do any better.&lt;/p&gt;

&lt;p&gt;As these dominos fall, I am reconsidering my participation in these
communities. But I continue my work and support my users.&lt;/p&gt;

&lt;p&gt;It may seem easy to prompt a LLM with&lt;/p&gt;

&lt;blockquote&gt;&lt;p&gt;Add fourmolu config and restyled&lt;/p&gt;

&lt;p&gt;neat&lt;/p&gt;

&lt;p&gt;format a module&lt;/p&gt;&lt;/blockquote&gt;

&lt;p&gt;And commit the result and call yourself a 10xer.
But please consider the broader impact of your actions.
(In the above case, that project lost my further collaboration on it.)&lt;/p&gt; </description> 
	<pubDate>Thu, 02 Jul 2026 14:06:30 +0000</pubDate>

</item> 
<item>
	<title>Matthew Garrett: Preventing token theft</title>
	<guid>https://codon.org.uk/~mjg59/blog/p/preventing-token-theft/</guid>
	<link>https://codon.org.uk/~mjg59/blog/p/preventing-token-theft/</link>
     <description>  &lt;img src="http://planet.debian.org/heads/mjg59.png" width="69" height="85" alt="" align="right" style="float: right;"&gt;  &lt;p&gt;When you log into a service you’re given an authentication token. Each
further request to the site includes that token, allowing the server to
figure out who you are and ensuring that you have access to your
data. Depending on site policy, this token may either be stored in memory
(and so vanish if you restart your browser) or disk. The token is the proof
of your identity. As far as the site is concerned, anyone with your token is
you. These tokens may be traditional browser cookies, but they may also be
stored in either site local storage or (if you’re not using a browser) in
some other storage location.&lt;/p&gt;
&lt;p&gt;In recent years we’ve seen infostealer malware (like
&lt;a class="link" href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-141b" rel="noopener" target="_blank"&gt;LummaC2&lt;/a&gt;)
gain the ability to exfiltrate user tokens, allowing attackers to gain
access to the user’s data without needing to retain access to the user’s
machine. This attack is viable even if the site has strong MFA requirements,
so passkeys don’t help. Encrypting the tokens on disk doesn’t prevent the
malware from scraping them out of the browser’s RAM or obtaining whatever
key is used to encrypt them. This feels like a pretty hard problem to solve.&lt;/p&gt;
&lt;p&gt;But that hasn’t stopped people from trying! Dirk Balfanz wrote an IETF draft
describing a mechanism for using &lt;a class="link" href="https://datatracker.ietf.org/doc/html/draft-balfanz-tls-obc-01" rel="noopener" target="_blank"&gt;self-signed certificates for TLS
authentication&lt;/a&gt;. This
uses the &lt;a class="link" href="https://en.wikipedia.org/wiki/Mutual_authentication#mTLS" rel="noopener" target="_blank"&gt;mutual
authentication&lt;/a&gt;
feature of the TLS protocol that requires both sides prove their identity to
each other. In regular TLS, the remote site presents a signed certificate
that tells you who it is. When performing mutual authentication, you then
present a certificate to the remote site telling it who &lt;em&gt;you&lt;/em&gt; are. These
client certificates are largely unused outside enterprise environments
because they’re a &lt;em&gt;huge&lt;/em&gt; pain to deploy. It’s not so much that this has
sharp edges, it’s that it’s entirely made of sharp edges. Managing
certificate deployment to your devices is hard. Browsers get confused if the
certificates change under them. You have one certificate and it lives
forever, so sites you present it to can track your identity. Users are
prompted to choose a certificate to authenticate with, and if they pick the
wrong one everything breaks and is hard to recover. I’ve deployed this and I
did not have a good time.&lt;/p&gt;
&lt;p&gt;But Balfanz’s idea was simple. Rather than require certificates to be
deployed, browsers would simply generate a certificate on the fly. The goal
wasn’t to prove the device or user’s identity in any global way - but it
would associate a TLS session with a specific certificate. You could then,
for example, include a hash of the certificate in the cookie, and if someone
tried to use that cookie without presenting that certificate then the cookie
could be rejected. If the browser used a hardware-backed private key for the
certificate then it would be impossible for an attacker to steal it. Sure,
you could still steal cookies, but you wouldn’t be able to use them.&lt;/p&gt;
&lt;p&gt;This was written almost 15 years ago, and seems simple, elegant, and
functional. It didn’t happen. Part of the reason for that is that, well, it
wasn’t quite so simple. One problem was privacy related. Cookies are only
sent after the TLS session is established, so anyone monitoring the network
doesn’t know anything about the user identity. A naive implementation of
this approach would have meant the client certificate being sent before
session establishment, and now user identity can be tracked (no longer an
issue if this was implemented on top of TLS 1.3, but this was a log time
ago). This was avoided by reordering the client handshake, but that meant
having to modify the TLS specification and implementations would have to be
updated to support this. Another was that figuring out the granularity of
the certificates was difficult. You’d want to use different certificates for
every site to avoid them effectively becoming tracking cookies, but you need
to provide the certificate before cookies are set, and you don’t know what
origin the site is going to set in its cookies. If you generate a
certificate for a.example.com and a different one for b.example.com, and
a.example.com sets a cookie for *.example.com and includes the certificate
you used for a.example.com, that cookie isn’t going to work on b.example.com
and things are broken. This meant supporting it wasn’t as straightforward as
it seemed - you’d need to ensure that your cookie scope was compatible with
the certificate scope. You could probably make this work well enough by
aligning it with the &lt;a class="link" href="https://publicsuffix.org/" rel="noopener" target="_blank"&gt;Public Suffix List&lt;/a&gt;, but
there was still some risk of expectations not being aligned.&lt;/p&gt;
&lt;p&gt;And, perhaps most importantly, &lt;a class="link" href="https://datatracker.ietf.org/doc/html/rfc5077" rel="noopener" target="_blank"&gt;TLS session
resumption&lt;/a&gt; (replaced by
&lt;a class="link" href="https://datatracker.ietf.org/doc/html/rfc8446#page-15" rel="noopener" target="_blank"&gt;pre-shared keys&lt;/a&gt; in
TLS 1.3) somewhat defeats the purpose of the exercise - clients store state
that allows them to re-establish a TLS connection without performing
certificate exchange (this reduces overhead if a connection gets interrupted
or you switch to a new network or anything along those lines), and anyone in
a position to steal cookies could steal that state as well.&lt;/p&gt;
&lt;p&gt;The followup attempt was &lt;a class="link" href="https://datatracker.ietf.org/doc/html/draft-balfanz-tls-channelid-01" rel="noopener" target="_blank"&gt;channel
IDs&lt;/a&gt;.
This simplified the implementation somewhat - rather than certificates, a
raw public key would be sent, along with proof of possession of the private
key in the form of a signature over a portion of the TLS handshake. This was
required even in the event of session resumption, which avoided having to
worry about theft of session secrets. The timing of the exchange was after
the encrypted session had been established, so user identity couldn’t be
leaked that way either. Cookies could then be bound to this
identifier. Unfortunately it didn’t really deal with the problem of scoping
keys in a way that would match cookie requirements, and the spec suggests
that the right way of handling this is to scope keys to TLDs, which would
enable user tracking across sites (Chrome’s implementation apparently
restricted it to eTLD+1, which would match the third party cookie policy and
avoid the tracking risk).&lt;/p&gt;
&lt;p&gt;Chrome added support for this, but it was &lt;a class="link" href="https://groups.google.com/a/chromium.org/g/net-dev/c/AjFQjBmaEQE/m/gIXoV3IFCQAJ?utm_medium=email&amp;amp;utm_source=footer" rel="noopener" target="_blank"&gt;removed in early
2018&lt;/a&gt;. The
discussion of some of the pain points in that message is interesting,
explicitly calling out problems with connection coalescing across domains
and the incompatibility with zero-RTT TLS1.3. The overall consensus at the
time seems to be that trying to solve this entirely at the TLS layer has too
many rough edges, and a different approach should be taken.&lt;/p&gt;
&lt;p&gt;And so almost 7 years after the initial draft for origin bound certificates,
we come to &lt;a class="link" href="https://datatracker.ietf.org/doc/html/rfc8471" rel="noopener" target="_blank"&gt;token
binding&lt;/a&gt;. This ended up being
a rather more complex endeavour, covering 3 different RFCs describing how it
impacts TLS, how to incorporate it into HTTP, and how to manage all the
various parties involved in the process. The short version is that it’s
pretty similar to channel ID, except that there’s also a documented
mechanism for allowing tokens to be bound to one party and consumed by
another, avoiding any need for widely scoped keys. Token binding effectively
solved all the issues in the original proposal, but at the cost of somewhat
more complexity.&lt;/p&gt;
&lt;p&gt;The RFC was finalised in October 2018. Chrome removed its (incomplete,
draft) support for token binding in November 2018. Edge carried support
until late 2024. Despite getting all the way through the RFC process, it’s
functionally dead.&lt;/p&gt;
&lt;p&gt;The process up until this point had been largely initiated by Google, with
Microsoft contributing significantly to the token binding standards. The
work had been focused on identifying a generic solution to the problem
rather than tying it to any specific authentication flow. The next step was
in a different direction - rather than trying to fix this for the entire
internet, how about we try to fix it for OAuth?&lt;/p&gt;
&lt;p&gt;&lt;a class="link" href="https://datatracker.ietf.org/doc/html/rfc8705" rel="noopener" target="_blank"&gt;RFC 8705&lt;/a&gt; is titled “OAuth
2.0 Mutual-TLS Client Authentication and Certificate-Bound Access
Tokens”. This is basically the 2011 approach, but (a) with an explicit
definition of how the certificate should be incorporated into issued auth
cookies, and (b) with a proviso that well uh if you’re going to use tokens
issued by your IdP to authenticate to someone else then well you’re going to
need to use the same cert for both. This is probably fine for the
company-owned-laptop case where you’re actually fine with multiple sites
being able to tie identities together (that’s kind of the point here!), and
also works for “I am using an app and not a browser”, but doesn’t work for
more generic scenarios. It also doesn’t seem to take the session resumption
case into account at all? Support for RFC8705 seems poor, as far as I can
tell of the big players only Auth0 implements it. In theory it works fine
with self-signed client certs but in reality that’s going to be almost as
difficult to support across multiple platforms as just issuing proper client
certs in the first place, so deployment is going to be kind of a pain. But
the good news is it doesn’t rely on any TLS extensions or custom browser
behaviour, so at the client side it works fine with any browser.&lt;/p&gt;
&lt;p&gt;Which brings us on to &lt;a class="link" href="https://datatracker.ietf.org/doc/html/rfc9449" rel="noopener" target="_blank"&gt;RFC
9449&lt;/a&gt;, “Demonstrating Proof
of Possession”. This goes even further than RFC8705 in terms of reducing the
burden of deployment - it works fine with existing browsers, &lt;em&gt;and&lt;/em&gt; it
doesn’t even require any certs. The client generates a keypair and provides
the pubkey when requesting the cookie. The cookie contains the pubkey. Every
request to the service now provides the cookie with the pubkey and also
provides a signature over the URI and HTTP method. If the signature matches
the pubkey in the token then clearly the signature came from the machine the
token was issued to, and everything is good.&lt;/p&gt;
&lt;p&gt;This does come with some downsides, though. The first is that it uses
browser interfaces to generate the keys (typically
&lt;a class="link" href="https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/generateKey" rel="noopener" target="_blank"&gt;crypto.subtle.generatekey()&lt;/a&gt;)
and as far as I can tell there are no browsers that guarantee that that key
is going to be generated in hardware even if it’s marked non-exportable, so
anyone able to steal the cookies can also steal the keys. The second is that
the signature only covers the URI and HTTP method, and not the message
content or any other headers, so anyone able to exfiltrate a valid signature
can replay it against the same URI with different message content. The
recommended way to handle this is to reject any signatures that weren’t
generated within the last few seconds, which is a wonderful additional way
to allow clock skew to give you a Bad Day. And the third is that every
single request has to be separately signed, which is not intrinsically a
problem because computers are fast and have multiple cores, but if you’re
trying to solve the first problem by sticking the key in a TPM then you’re
dealing with something that’s slow and single threaded and that’s maybe
acceptable if you’re using client certificates (because there’s going to be
one signature per session and you can use the same session for multiple
requests) but probably not if you’re dealing with a user opening a browser
that restores previous tabs and each of those is a webapp that fires off 100
requests in parallel.&lt;/p&gt;
&lt;p&gt;In case it wasn’t clear, I don’t like DPoP. It doesn’t feel like it actually
solves the underlying problem that we see in the real world (malware running
in a context where if it can grab the tokens it can grab the keys), it adds
a massive amount of overhead, and it has baked in replay vulnerabilities. I
don’t know why it exists and I’m incredibly suspicious of vendors telling me
that it fixes my problems, because if they’re telling me that then I’m going
to end up assuming that they either don’t understand my problems or they
don’t understand their technology, and neither of those is good.&lt;/p&gt;
&lt;p&gt;Still. Then we get to the thing that prompted me to write this - Chrome’s
announcement that they had &lt;a class="link" href="https://security.googleblog.com/2026/04/protecting-cookies-with-device-bound.html" rel="noopener" target="_blank"&gt;launched device-bound session
credentials&lt;/a&gt;. This
is interesting because it’s a Chrome feature that’s explicitly intended to
counter on-device malware, which was one of the things that was out of scope
in 2018 when token binding was being removed. Since this is entire web level
it doesn’t have to be an RFC, and so is instead defined &lt;a class="link" href="https://w3c.github.io/webappsec-dbsc/" rel="noopener" target="_blank"&gt;by
W3C&lt;/a&gt;. I’m going to handwave all the
complexity and say that it’s basically a way to register a public key when a
cookie is issued, and then prove possession of the private key when it’s
time to renew the cookie. By making the cookies shortlived and having
support for rotating them in the background, user impact is basically zero
and while it’s still possible for an attacker to exfiltrate and use a cookie
they’ll only be able to do so for a short window before it needs to be
refreshed - something the attacker can’t do, since they don’t have the
private key. This avoids the DPoP overhead because you only need to do
signing once per cookie per cookie lifetime, and not on every single
request. I don’t &lt;em&gt;like&lt;/em&gt; this due to the window where exfiltrated tokens can
be used, but it feels like a strict improvement over the status quo. An
extension called &lt;a class="link" href="https://github.com/w3c/webappsec-dbsc/blob/main/DBSCE/Overview.md" rel="noopener" target="_blank"&gt;device-bound session credentials for
enterprise&lt;/a&gt;
allows pre-enrollment of device keys, so even though the actual runtime DBCE
flow doesn’t involve certificates, certificates can be used for device
registration in enterprise environments and you can make sure that auth
cookies only go to trusted devices. Unfortunately this is Chrome-only, and
so we’re going to need to wait for it to be backported to all the random app
frameworks for it to have widespread support on mobile or for almost
everyone’s desktop app that’s actually three websites in an Electron
wrapper. Mozilla’s &lt;a class="link" href="https://github.com/mozilla/standards-positions/issues/912#issuecomment-4840591341" rel="noopener" target="_blank"&gt;current
position&lt;/a&gt;
is that they’re not in favour of it, so I guess we’ll see where Safari lands
in terms of broad uptake.&lt;/p&gt;
&lt;p&gt;The last thing on my list is &lt;a class="link" href="https://datatracker.ietf.org/doc/draft-mw-oauth-tls-session-bound-tokens/04/" rel="noopener" target="_blank"&gt;another client cert/OAuth
binding&lt;/a&gt;,
this one still in draft state at the time of writing. This one is aimed
primarily at the use of agent-driven tooling, where you have something
running in the background using a whole bunch of tools that are each acting
on your behalf. Authenticating to all of them separately isn’t a fun time,
but giving broadly scoped access tokens to a non-deterministic agent and
trusting that it’ll never post them somewhere public also isn’t a fun
time. The key distinction between it and RFC8705 is that it’s aimed at
&lt;em&gt;connections&lt;/em&gt; rather than &lt;em&gt;sessions&lt;/em&gt;, which avoids the worries about session
resumption. This is done with &lt;a class="link" href="https://datatracker.ietf.org/doc/html/rfc5705" rel="noopener" target="_blank"&gt;TLS
Exporters&lt;/a&gt;, which in TLS 1.3
should be unique to the connection even over session resumption (TLS 1.2 may
reuse some of the same key material for exporters over session resumption,
so it’s recommended to enforce 1.3 for this). By providing a new signature
alongside the cookie on every new connection, the client proves that it
still has access to the private key. This is a very new spec and I haven’t
had much time to work through it yet, but my naive understanding is that
unlike RFC8705 this would require some additional client support to be able
to regenerate the client signature on every TLS reconnection.&lt;/p&gt;
&lt;p&gt;This doesn’t avoid all the problems that RFC8705 has, including how to scope
certificates. For the agentic use case that probably doesn’t matter - all
these tools are acting on behalf of the same user, it’s fine if all the
sites involved know they’re the same user. But it doesn’t solve the general
purpose user use case, and right now DBSC seems like the best we have there.&lt;/p&gt;
&lt;p&gt;But. Part of me still wonders whether &lt;a class="link" href="https://datatracker.ietf.org/doc/html/draft-balfanz-tls-obc-01" rel="noopener" target="_blank"&gt;Dirk
Balfanz’s&lt;/a&gt;
approach was the right one. Yes, there’s risk associated with TLS session
resumption, but in the worst case you could just switch that off for high
risk setups. The cookie scope argument is real, and also in cases where it
could violate privacy the site owner could already choose to broaden their
cookie scope and violate your privacy, and in cases where it breaks things
you could just not make use of it. The other problems are largely fixed by
TLS 1.3, and then we’re just left with “Browsers handle client certificates
badly” to which my answer is “Yes, and we should fix that anyway”.&lt;/p&gt;
&lt;p&gt;Despite having a pretty good answer to this solution over a decade ago, the
closest we have to actual deployment is something that offers strictly worse
security guarantees. And tokens keep getting stolen, and compromises keep
occurring, and for the most part people shrug and get on with things.&lt;/p&gt; </description> 
	<pubDate>Thu, 02 Jul 2026 02:23:45 +0000</pubDate>

</item> 
<item>
	<title>Valhalla's Things: A Pair of Hair Towel Wraps</title>
	<guid>https://blog.trueelena.org/blog/2026/07/02-a_pair_of_hair_towel_wraps/index.html</guid>
	<link>https://blog.trueelena.org/blog/2026/07/02-a_pair_of_hair_towel_wraps/index.html</link>
     <description>  &lt;article&gt;
    &lt;section class="header"&gt;
        Posted on July  2, 2026
        &lt;br /&gt;
        
        Tags: &lt;a href="https://blog.trueelena.org/tags/madeof%3Aatoms.html" title="All pages tagged 'madeof:atoms'."&gt;madeof:atoms&lt;/a&gt;, &lt;a href="https://blog.trueelena.org/tags/craft%3Asewing.html" title="All pages tagged 'craft:sewing'."&gt;craft:sewing&lt;/a&gt;, &lt;a href="https://blog.trueelena.org/tags/FreeSoftWear.html" title="All pages tagged 'FreeSoftWear'."&gt;FreeSoftWear&lt;/a&gt;
        
    &lt;/section&gt;
    &lt;section&gt;
        &lt;p&gt;&lt;img alt="Two trapezoid shaped hoods made out of off-white towels: one is still looking new, while the other one has been bleached and roughened by having been washed many times." class="align-center" src="https://blog.trueelena.org/blog/2026/07/02-a_pair_of_hair_towel_wraps/hair_towel_wraps.jpg" style="width: 80.0%;" /&gt;&lt;/p&gt;
&lt;p&gt;Many months ago I had been ordering some furniture from IKEA&lt;a class="footnote-ref" href="https://blog.trueelena.org#fn1" id="fnref1"&gt;&lt;sup&gt;1&lt;/sup&gt;&lt;/a&gt; and
on one of those orders I got tempted by a &lt;a href="https://www.ikea.com/nl/en/p/stjarnbuske-hair-towel-wrap-natural-50540181/"&gt;hair towel wrap&lt;/a&gt;: it mostly
worked as an idea, but it was too short for my hair.&lt;/p&gt;
&lt;p&gt;On the other hand, I had two old towels I wasn’t using, and a recently
unpacked sewing machine.&lt;/p&gt;
&lt;p&gt;&lt;img alt="A towel cut in two trapezoid halves with a STJÄRNBUSKE laid on top of it: the IKEA wrap is a bit less than 10 cm less deep, and at least 30 cm shorter, and is also triangular rather than a trapezoid." class="align-center" src="https://blog.trueelena.org/blog/2026/07/02-a_pair_of_hair_towel_wraps/comparison_with_original.jpg" style="width: 80.0%;" /&gt;&lt;/p&gt;
&lt;p&gt;I didn’t plan too much, I just put the STJÄRNBUSKE over the towel, cut,
realized that the two pieces didn’t fit with right sides together, cut
the second towel (I had planned to make two wraps, anyway, so it wasn’t
a big deal), and started sewing by machine in what seemed like a
reasonable procedure, taking notes and pictures.&lt;/p&gt;
&lt;p&gt;&lt;img alt="A towel, with its original care label, that has been cut in a trapezoid shape and reassembled into a hood shape with a long triangular tail. The machine sewn finishing is still neat and pristine." class="align-center" src="https://blog.trueelena.org/blog/2026/07/02-a_pair_of_hair_towel_wraps/machine_sewn_towel_new.jpg" style="width: 80.0%;" /&gt;&lt;/p&gt;
&lt;p&gt;The result was pretty good, and I started using it every time I washed
my hair, but then I started to entertain the idea of shooting myself
sewing the second one by hand for a video, but never found the time to
actually doing it, and the pieces remained in the Pile for months, and
months, and way more than a year.&lt;/p&gt;
&lt;p&gt;&lt;img alt="The head of a woman with a turban-like thing on the head, covering all of the hair except for a tiny bit at the center front." class="align-center" src="https://blog.trueelena.org/blog/2026/07/02-a_pair_of_hair_towel_wraps/cheesecloth_wrap_worn_front.jpg" style="width: 80.0%;" /&gt;&lt;/p&gt;
&lt;p&gt;Until one day I bought a meter of cotton cheesecloth (mostly because it
was almost cheaper than buying a sample) and it felt like a good
material to make a nicely looking head wrapper, to keep my hair out of
the way when needed.&lt;/p&gt;
&lt;p&gt;&lt;img alt="A woman in a bathrobe with her head tilted downwards, covered by a towel thing that lies on the back of the head and has a long tail hanging on the front, in the process of being wrapped around the hairs and then brought over the top and back." class="align-center" src="https://blog.trueelena.org/blog/2026/07/02-a_pair_of_hair_towel_wraps/wearing_the_wrap.jpg" style="width: 80.0%;" /&gt;&lt;/p&gt;
&lt;p&gt;A couple months later, it was finally time to bring this project to the
top of the list, and even if I was sewing two by hand it went pretty
quickly: we had a weekend when it was too hot to do anything else, and
by the end of it the wraps were done.&lt;/p&gt;
&lt;p&gt;All that remained was finish writing the &lt;a href="https://blog.trueelena.org"&gt;instructions for my
FreeSoftWear patterns website
&amp;lt;https://sewing-patterns.trueelena.org/contemporary_unisex/headwear/hair_towel_wrap/index.html&amp;gt;&amp;gt;&lt;/a&gt;,
and having some pictures taken, and this project was done.&lt;/p&gt;
&lt;p&gt;And now, on to documenting a few more things I’ve done lately, and to
start working on the other projects I have added to the queue in the
meantime.&lt;/p&gt;
&lt;section class="footnotes footnotes-end-of-document"&gt;
&lt;hr /&gt;
&lt;ol&gt;
&lt;li id="fn1"&gt;&lt;p&gt;small things. Like, you know, a kitchen :D&lt;a class="footnote-back" href="https://blog.trueelena.org#fnref1"&gt;↩︎&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;
&lt;/section&gt;
    &lt;/section&gt;
&lt;/article&gt; </description> 
	<pubDate>Thu, 02 Jul 2026 00:00:00 +0000</pubDate>

</item> 
<item>
	<title>Ben Hutchings: FOSS activity in June 2026</title>
	<guid>https://www.decadent.org.uk/ben/blog/2026/07/01/foss-activity-in-june-2026</guid>
	<link>https://www.decadent.org.uk/ben/blog/2026/07/01/foss-activity-in-june-2026.html</link>
     <description>  &lt;img src="http://planet.debian.org/heads/benh.png" width="109" height="100" alt="" align="right" style="float: right;"&gt;  &lt;p&gt;This month’s work was dominated by the transition of Debian 12
“bookworm” to support by the LTS team, and by review of some large
updates to Linux stable branches.&lt;/p&gt;

&lt;p&gt;Linux 6.12 is currently available in bookworm-backports, but that
suite will stop accepting uploads after the last bookworm point
release.  I updated some supporting packages in bookworm in
preparation for adding Linux 6.12 there.  I also prepared for
the possibility that bookworm-backports would close earlier.&lt;/p&gt;

&lt;p&gt;Since the LTS team is still also maintaining Debian 11 “bullseye”
until August, I reviewed upstream changes for both Linux 5.10 and 6.1
stable branches and reported a number of regressions and other issues.&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Debian packages:
    &lt;ul&gt;
      &lt;li&gt;&lt;a href="https://tracker.debian.org/pkg/firmware-free"&gt;firmware-free&lt;/a&gt;:
        &lt;ul&gt;
          &lt;li&gt;Merge requests:
            &lt;ul&gt;
              &lt;li&gt;merged &lt;a href="https://salsa.debian.org/kernel-team/firmware-free/-/merge_requests/11"&gt;!11: Apply relevant changes from firmware-nonfree&lt;/a&gt;&lt;/li&gt;
            &lt;/ul&gt;
          &lt;/li&gt;
        &lt;/ul&gt;
      &lt;/li&gt;
      &lt;li&gt;&lt;a href="https://tracker.debian.org/pkg/firmware-nonfree"&gt;firmware-nonfree&lt;/a&gt;:
        &lt;ul&gt;
          &lt;li&gt;&lt;a href="https://bugs.debian.org/src:firmware-nonfree"&gt;Bugs&lt;/a&gt;:
            &lt;ul&gt;
              &lt;li&gt;closed &lt;a href="https://bugs.debian.org/1135723"&gt;#1135723: firmware-nonfree: gencontrol conflates initramfs-tools with update-initramfs&lt;/a&gt;&lt;/li&gt;
              &lt;li&gt;closed &lt;a href="https://bugs.debian.org/1135736"&gt;#1135736: firmware-nonfree: suggests initramfs-tools, which is being phased out&lt;/a&gt;&lt;/li&gt;
              &lt;li&gt;closed &lt;a href="https://bugs.debian.org/1137651"&gt;#1137651: firmware-misc-nonfree: Please move firmware-intel-graphics and firmware-nvidia-graphics out of Recommends&lt;/a&gt;&lt;/li&gt;
              &lt;li&gt;replied to &lt;a href="https://bugs.debian.org/1139740"&gt;#1139740: firmware-misc-nonfree should recommend firmware-nvidia-graphics to avoid kernel Oops + black screen&lt;/a&gt;&lt;/li&gt;
              &lt;li&gt;replied to &lt;a href="https://bugs.debian.org/1139746"&gt;#1139746: firmware-realtek: W: Possible missing firmware rtlwifi/rtl8723bu_bt.bin for module rtl8xxxu&lt;/a&gt;&lt;/li&gt;
            &lt;/ul&gt;
          &lt;/li&gt;
          &lt;li&gt;Merge requests:
            &lt;ul&gt;
              &lt;li&gt;merged &lt;a href="https://salsa.debian.org/kernel-team/firmware-nonfree/-/merge_requests/150"&gt;!150: Update and remove obsolete package relations&lt;/a&gt;&lt;/li&gt;
            &lt;/ul&gt;
          &lt;/li&gt;
          &lt;li&gt;&lt;a href="https://tracker.debian.org/pkg/firmware-nonfree/news/"&gt;Uploads&lt;/a&gt;:
            &lt;ul&gt;
              &lt;li&gt;uploaded version 20260519-1 to unstable&lt;/li&gt;
              &lt;li&gt;uploaded version 20260519-1~bpo13+1 to trixie-backports&lt;/li&gt;
            &lt;/ul&gt;
          &lt;/li&gt;
        &lt;/ul&gt;
      &lt;/li&gt;
      &lt;li&gt;&lt;a href="https://tracker.debian.org/pkg/kernel-wedge"&gt;kernel-wedge&lt;/a&gt;:
        &lt;ul&gt;
          &lt;li&gt;&lt;a href="https://tracker.debian.org/pkg/kernel-wedge/news/"&gt;Uploads&lt;/a&gt;:
            &lt;ul&gt;
              &lt;li&gt;uploaded version 2.106~deb12u1 to bookworm-security&lt;/li&gt;
            &lt;/ul&gt;
          &lt;/li&gt;
        &lt;/ul&gt;
      &lt;/li&gt;
      &lt;li&gt;&lt;a href="https://tracker.debian.org/pkg/linux"&gt;linux&lt;/a&gt;:
        &lt;ul&gt;
          &lt;li&gt;&lt;a href="https://bugs.debian.org/src:linux"&gt;Bugs&lt;/a&gt;:
            &lt;ul&gt;
              &lt;li&gt;closed &lt;a href="https://bugs.debian.org/1128861"&gt;#1128861: linux: when serving NFS, client attempts to lock served files fail with “No locks available”&lt;/a&gt;&lt;/li&gt;
              &lt;li&gt;replied to &lt;a href="https://bugs.debian.org/1140461"&gt;#1140461: spam wave of kernel: tpm tpm0: tpm_try_transmit: send(): error -62&lt;/a&gt;&lt;/li&gt;
            &lt;/ul&gt;
          &lt;/li&gt;
          &lt;li&gt;Merge requests:
            &lt;ul&gt;
              &lt;li&gt;reviewed &lt;a href="https://salsa.debian.org/kernel-team/linux/-/merge_requests/1936"&gt;!1936: [sparc64] Add nvme module to scsi-modules udeb&lt;/a&gt;&lt;/li&gt;
              &lt;li&gt;reviewed &lt;a href="https://salsa.debian.org/kernel-team/linux/-/merge_requests/1948"&gt;!1948: [amd64] Enable Intel Platform Hardware Support Drivers&lt;/a&gt;&lt;/li&gt;
              &lt;li&gt;merged &lt;a href="https://salsa.debian.org/kernel-team/linux/-/merge_requests/1977"&gt;!1977: Fix build failure over missing vdso debug files&lt;/a&gt;&lt;/li&gt;
              &lt;li&gt;merged &lt;a href="https://salsa.debian.org/kernel-team/linux/-/merge_requests/1981"&gt;!1981: 6.1 backport “bpf: Free reuseport cBPF prog after RCU grace period.”&lt;/a&gt;&lt;/li&gt;
              &lt;li&gt;opened &lt;a href="https://salsa.debian.org/kernel-team/linux/-/merge_requests/1984"&gt;!1984: udeb: Ensure that aead and macsec modules are in the right packages&lt;/a&gt;&lt;/li&gt;
              &lt;li&gt;opened &lt;a href="https://salsa.debian.org/kernel-team/linux/-/merge_requests/1985"&gt;!1985: Add d/.flake8 config file to support pylsp&lt;/a&gt;&lt;/li&gt;
              &lt;li&gt;merged &lt;a href="https://salsa.debian.org/kernel-team/linux/-/merge_requests/1992"&gt;!1992: 6.1 backport: ip6_vti: set netns_immutable on the fallback device. (CVE-2026-52909)&lt;/a&gt;&lt;/li&gt;
              &lt;li&gt;merged &lt;a href="https://salsa.debian.org/kernel-team/linux/-/merge_requests/1993"&gt;!1993: 5.10 backport: ip6_vti: set netns_immutable on the fallback device. (CVE-2026-52909)&lt;/a&gt;&lt;/li&gt;
              &lt;li&gt;merged &lt;a href="https://salsa.debian.org/kernel-team/linux/-/merge_requests/1999"&gt;!1999: 6.1 backport: Fix CVE-2026-46331&lt;/a&gt;&lt;/li&gt;
              &lt;li&gt;opened &lt;a href="https://salsa.debian.org/kernel-team/linux/-/merge_requests/2004"&gt;!2004: [sparc64] udeb: scsi-modules: Use the default module list&lt;/a&gt;&lt;/li&gt;
            &lt;/ul&gt;
          &lt;/li&gt;
          &lt;li&gt;&lt;a href="https://tracker.debian.org/pkg/linux/news/"&gt;Uploads&lt;/a&gt;:
            &lt;ul&gt;
              &lt;li&gt;(LTS) uploaded version 6.12.94-1~bpo12+1 to bookworm-backports&lt;/li&gt;
              &lt;li&gt;uploaded version 7.0.12-2~bpo13+1 to trixie-backports&lt;/li&gt;
              &lt;li&gt;uploaded version 7.1~rc7-1~exp1 to experimental&lt;/li&gt;
            &lt;/ul&gt;
          &lt;/li&gt;
          &lt;li&gt;(LTS) updated the bullseye-security branch to 5.10.259, but did
not upload this version&lt;/li&gt;
          &lt;li&gt;(LTS) updated the bookworm-security branch to 6.1.176, but did
not upload this version&lt;/li&gt;
        &lt;/ul&gt;
      &lt;/li&gt;
      &lt;li&gt;(LTS) linux-6.12:
        &lt;ul&gt;
          &lt;li&gt;prepared this backport package for bookworm-security, but did
not upload it yet&lt;/li&gt;
        &lt;/ul&gt;
      &lt;/li&gt;
      &lt;li&gt;&lt;a href="https://tracker.debian.org/pkg/linux-base"&gt;linux-base&lt;/a&gt;:
        &lt;ul&gt;
          &lt;li&gt;&lt;a href="https://tracker.debian.org/pkg/linux-base/news/"&gt;Uploads&lt;/a&gt;:
            &lt;ul&gt;
              &lt;li&gt;uploaded version 4.12.1~deb12u1 to bookworm-security&lt;/li&gt;
            &lt;/ul&gt;
          &lt;/li&gt;
        &lt;/ul&gt;
      &lt;/li&gt;
      &lt;li&gt;&lt;a href="https://tracker.debian.org/pkg/wireless-regdb"&gt;wireless-regdb&lt;/a&gt;:
        &lt;ul&gt;
          &lt;li&gt;Merge requests:
            &lt;ul&gt;
              &lt;li&gt;opened and merged &lt;a href="https://salsa.debian.org/kernel-team/wireless-regdb/-/merge_requests/8"&gt;!8: Update to 2026.05.30&lt;/a&gt;&lt;/li&gt;
            &lt;/ul&gt;
          &lt;/li&gt;
          &lt;li&gt;&lt;a href="https://tracker.debian.org/pkg/wireless-regdb/news/"&gt;Uploads&lt;/a&gt;:
            &lt;ul&gt;
              &lt;li&gt;uploaded version 2026.05.30-1 to unstable&lt;/li&gt;
              &lt;li&gt;uploaded version 2026.05.30-1~deb12u1 to bookworm&lt;/li&gt;
              &lt;li&gt;uploaded version 2026.05.30-1~deb13u1 to trixie&lt;/li&gt;
            &lt;/ul&gt;
          &lt;/li&gt;
        &lt;/ul&gt;
      &lt;/li&gt;
    &lt;/ul&gt;
  &lt;/li&gt;
  &lt;li&gt;Debian non-package bugs:
    &lt;ul&gt;
      &lt;li&gt;&lt;a href="https://bugs.debian.org/release.debian.org"&gt;release.debian.org&lt;/a&gt;:
        &lt;ul&gt;
          &lt;li&gt;opened and closed &lt;a href="https://bugs.debian.org/1139579"&gt;#1139579: trixie-pu: package wireless-regdb/2026.05.30-1~deb13u1&lt;/a&gt;&lt;/li&gt;
          &lt;li&gt;opened &lt;a href="https://bugs.debian.org/1139581"&gt;#1139581: trixie-pu: package wireless-regdb/2026.05.30-1~deb13u1&lt;/a&gt;&lt;/li&gt;
          &lt;li&gt;opened &lt;a href="https://bugs.debian.org/1139582"&gt;#1139582: bookworm-pu: package wireless-regdb/2026.05.30-1~deb12u1&lt;/a&gt;&lt;/li&gt;
        &lt;/ul&gt;
      &lt;/li&gt;
    &lt;/ul&gt;
  &lt;/li&gt;
  &lt;li&gt;Mailing lists:
    &lt;ul&gt;
      &lt;li&gt;&lt;a href="https://lists.debian.org/debian-backports/"&gt;debian-backports&lt;/a&gt;:
        &lt;ul&gt;
          &lt;li&gt;(LTS) posted &lt;a href="https://lists.debian.org/31d77827ecf42782c97cb4b4213197c33a33b0ea.camel@decadent.org.uk"&gt;EOL for bookworm-backports&lt;/a&gt;&lt;/li&gt;
        &lt;/ul&gt;
      &lt;/li&gt;
      &lt;li&gt;&lt;a href="https://lists.debian.org/debian-boot/"&gt;debian-boot&lt;/a&gt;:
        &lt;ul&gt;
          &lt;li&gt;(LTS) posted and replied to &lt;a href="https://lists.debian.org/03ecb84264a8b6018633c64d3e4a004dd5e10363.camel@decadent.org.uk"&gt;Adding Linux 6.12 udebs for bookworm LTS&lt;/a&gt;&lt;/li&gt;
        &lt;/ul&gt;
      &lt;/li&gt;
      &lt;li&gt;&lt;a href="https://lists.debian.org/debian-devel/"&gt;debian-devel&lt;/a&gt;:
        &lt;ul&gt;
          &lt;li&gt;replied to &lt;a href="https://lists.debian.org/eaf26a4b6ff54f8855c71fe84b077c694486804f.camel@decadent.org.uk"&gt;Understanding CI in Salsa, timeouts and runners&lt;/a&gt;&lt;/li&gt;
        &lt;/ul&gt;
      &lt;/li&gt;
      &lt;li&gt;&lt;a href="https://lists.debian.org/debian-kernel/"&gt;debian-kernel&lt;/a&gt;:
        &lt;ul&gt;
          &lt;li&gt;posted &lt;a href="https://lists.debian.org/aca2f071cd39f2c9d75d081c7be2371f98f54f4f.camel@decadent.org.uk"&gt;Agenda items for kernel-team meeting on 2026-06-10&lt;/a&gt;&lt;/li&gt;
        &lt;/ul&gt;
      &lt;/li&gt;
      &lt;li&gt;&lt;a href="https://lists.debian.org/debian-lts/"&gt;debian-lts&lt;/a&gt;:
        &lt;ul&gt;
          &lt;li&gt;posted and replied to &lt;a href="https://lists.debian.org/21b31300c29a7ed8c9871bd9e7beb25b2cc79e18.camel@decadent.org.uk"&gt;Preparation for Linux 6.12 in bookworm&lt;/a&gt;&lt;/li&gt;
        &lt;/ul&gt;
      &lt;/li&gt;
      &lt;li&gt;&lt;a href="https://lists.debian.org/debian-lts-announce/"&gt;debian-lts-announce&lt;/a&gt;:
        &lt;ul&gt;
          &lt;li&gt;posted &lt;a href="https://lists.debian.org/aivd9n_B7HR1593x@decadent.org.uk"&gt;[SECURITY] [DLA 4627-1] kernel-wedge update&lt;/a&gt;&lt;/li&gt;
          &lt;li&gt;posted &lt;a href="https://lists.debian.org/aiveDYMhYvx0ykIK@decadent.org.uk"&gt;[SECURITY] [DLA 4628-1] linux-base update&lt;/a&gt;&lt;/li&gt;
        &lt;/ul&gt;
      &lt;/li&gt;
      &lt;li&gt;(LTS) &lt;a href="https://lore.kernel.org/stable/"&gt;stable&lt;/a&gt;:
        &lt;ul&gt;
          &lt;li&gt;reviewed &amp;gt;1000 patches included in 5.10.258-rc1, 5.10.259-rc1,
and 6.1.176-rc1&lt;/li&gt;
          &lt;li&gt;replied to &lt;a href="https://lore.kernel.org/stable/211fb901ba2c644e6ebdffe46d9face7e317db70.camel@decadent.org.uk/T/"&gt;[PATCH 5.10 210/589] spi: rockchip: fix controller deregistration&lt;/a&gt;&lt;/li&gt;
          &lt;li&gt;replied to &lt;a href="https://lore.kernel.org/stable/7e870e1219db98c9e19777eedfa3b0eb41f41235.camel@decadent.org.uk/T/"&gt;[PATCH 5.10 211/589] net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked&lt;/a&gt;&lt;/li&gt;
          &lt;li&gt;replied to &lt;a href="https://lore.kernel.org/stable/ab577daf17c46a72e35c668756d5b33b3ca3ca09.camel@decadent.org.uk/T/"&gt;[PATCH 5.10 238/342] net: bridge: use a stable FDB dst snapshot in RCU readers&lt;/a&gt;&lt;/li&gt;
          &lt;li&gt;replied to &lt;a href="https://lore.kernel.org/stable/7fee88099501bfa87594114a5f8c17a760ded36a.camel@decadent.org.uk/T/"&gt;[PATCH 5.10 244/589] spi: topcliff-pch: fix use-after-free on unbind&lt;/a&gt;&lt;/li&gt;
          &lt;li&gt;replied to &lt;a href="https://lore.kernel.org/stable/7ccc26ea6552c9fcae1817e2601a96901f0ca261.camel@decadent.org.uk/T/"&gt;[PATCH 5.10 245/589] cpuidle: powerpc: avoid double clear when breaking snooze&lt;/a&gt;&lt;/li&gt;
          &lt;li&gt;replied to &lt;a href="https://lore.kernel.org/stable/8135746e835e432d7b0f21e142389cf8b4979f0f.camel@decadent.org.uk/T/"&gt;[PATCH 5.10 257/589] PCI/AER: Stop ruling out unbound devices as error source&lt;/a&gt;&lt;/li&gt;
          &lt;li&gt;replied to &lt;a href="https://lore.kernel.org/stable/8cd2c0613f018690cba5ae76c4ab73da05118312.camel@decadent.org.uk/T/"&gt;[PATCH 5.10 263/589] media: uvcvideo: Enable VB2_DMABUF for metadata stream&lt;/a&gt;&lt;/li&gt;
          &lt;li&gt;replied to &lt;a href="https://lore.kernel.org/stable/dbb2510d89e3545af204a7bf3eac06512042120e.camel@decadent.org.uk/T/"&gt;[PATCH 5.10 267/589] media: rc: streamzap: Error handling in probe&lt;/a&gt;&lt;/li&gt;
          &lt;li&gt;replied to &lt;a href="https://lore.kernel.org/stable/edea6d36625f362c3fcaed6bd251a02827081a1d.camel@decadent.org.uk/T/"&gt;[PATCH 5.10 274/589] drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs()&lt;/a&gt;&lt;/li&gt;
          &lt;li&gt;replied to &lt;a href="https://lore.kernel.org/stable/2698831f24c7efea34dc4b34d996ff8327ecc206.camel@decadent.org.uk/T/"&gt;[PATCH 5.10 503/589] crypto: af_alg - Cap AEAD AD length to 0x80000000&lt;/a&gt;&lt;/li&gt;
          &lt;li&gt;replied to &lt;a href="https://lore.kernel.org/stable/f0be2ecfe2c27c1920a44b6f41d8db87611267f1.camel@decadent.org.uk/T/"&gt;[PATCH 5.10 035/342] batman-adv: tp_meter: fix race condition in send error reporting&lt;/a&gt;&lt;/li&gt;
          &lt;li&gt;replied to &lt;a href="https://lore.kernel.org/stable/3374d4b14a7c54f82fb016ab66f3b262f55145fe.camel@decadent.org.uk/T/"&gt;[PATCH 5.10 036/342] batman-adv: tp_meter: avoid role confusion in tp_list&lt;/a&gt;&lt;/li&gt;
          &lt;li&gt;replied to &lt;a href="https://lore.kernel.org/stable/72890f3caf368d0e4dcb5d1ec53c083c16ce8b20.camel@decadent.org.uk/T/"&gt;[PATCH 5.10 310/342] usb: typec: ucsi: Dont update power_supply on power role change if not connected&lt;/a&gt;&lt;/li&gt;
          &lt;li&gt;replied to &lt;a href="https://lore.kernel.org/stable/d9c2e8ea23b1919fe663e480cc7def260ed0ee24.camel@debian.org/T/"&gt;[PATCH 5.15 002/570] ip6_tunnel: Fix usage of skb_vlan_inet_prepare()&lt;/a&gt;&lt;/li&gt;
          &lt;li&gt;replied to &lt;a href="https://lore.kernel.org/stable/b6441670bdb04dc530f433bd21d6c64feb633355.camel@decadent.org.uk/T/"&gt;[PATCH 5.15 299/411] ALSA: aloop: Fix peer runtime UAF during format-change stop&lt;/a&gt;&lt;/li&gt;
          &lt;li&gt;replied to &lt;a href="https://lore.kernel.org/stable/66cf4f95534aa5428a362857cf78dcb946c51672.camel@decadent.org.uk/T/"&gt;[PATCH 5.15 323/411] spi: topcliff-pch: fix controller deregistration&lt;/a&gt;&lt;/li&gt;
          &lt;li&gt;replied to &lt;a href="https://lore.kernel.org/stable/9125d5976feb09ef919f2a287b079843c7671325.camel@decadent.org.uk/T/"&gt;[PATCH 6.1 011/522] tools/bootconfig: Cleanup bootconfig footer size calculations&lt;/a&gt;&lt;/li&gt;
          &lt;li&gt;replied to &lt;a href="https://lore.kernel.org/stable/cb2e59a48887f106a57c3fbef66d5a164b8e2f5f.camel@decadent.org.uk/T/"&gt;[PATCH 6.1 033/522] net/sched: Revert “net/sched: Restrict conditions for adding duplicating netems to qdisc tree”&lt;/a&gt;&lt;/li&gt;
          &lt;li&gt;replied to &lt;a href="https://lore.kernel.org/stable/b6b679743c2383b5a367c5d72404b056dfebf080.camel@decadent.org.uk/T/"&gt;[PATCH 6.1 054/522] selftests/bpf: add generic BPF program tester-loader&lt;/a&gt;&lt;/li&gt;
          &lt;li&gt;replied to &lt;a href="https://lore.kernel.org/stable/80be436bbcda9b8a66058c01eef0b0f94722e7ef.camel@decadent.org.uk/T/"&gt;[PATCH 6.1 064/522] selftests/bpf: S/iptables/iptables-legacy/ in the bpf_nf and xdp_synproxy test&lt;/a&gt;&lt;/li&gt;
          &lt;li&gt;replied to &lt;a href="https://lore.kernel.org/stable/6f805abf1f8b058c1b1241e8568d7539185145df.camel@decadent.org.uk/T/"&gt;[PATCH 6.1 208/522] net: Annotate sk-&amp;gt;sk_write_space() for UDP SOCKMAP.&lt;/a&gt;&lt;/li&gt;
          &lt;li&gt;replied to &lt;a href="https://lore.kernel.org/stable/afe207eb91522718cfae8b77310999ca397c81bf.camel@decadent.org.uk/T/"&gt;[PATCH 6.1 249/522] r8152: Block future register access if register access fails&lt;/a&gt;&lt;/li&gt;
          &lt;li&gt;replied to &lt;a href="https://lore.kernel.org/stable/b0d5836032ce3135bfc473f6bff791306d086925.camel@decadent.org.uk/T/"&gt;[PATCH 6.1 337/522] arm64/mm: Enable batched TLB flush in unmap_hotplug_range()&lt;/a&gt;&lt;/li&gt;
          &lt;li&gt;replied to &lt;a href="https://lore.kernel.org/stable/42c2abbdfdd4ea8e234fbcfc4b37095ebd2c7b36.camel@decadent.org.uk/T/"&gt;[PATCH 6.1 342/522] thermal: core: Fix thermal zone governor cleanup issues&lt;/a&gt;&lt;/li&gt;
          &lt;li&gt;replied to &lt;a href="https://lore.kernel.org/stable/6218e66138c5c1c5fb02bd653c8b91d6ff8c3abd.camel@decadent.org.uk/T/"&gt;[PATCH 6.1 375/522] net: ipv4: stop checking crypto_ahash_alignmask&lt;/a&gt;&lt;/li&gt;
          &lt;li&gt;replied to &lt;a href="https://lore.kernel.org/stable/0e31e18e9567e8d58fbb8e06955c3ed8e5a120d3.camel@decadent.org.uk/T/"&gt;[PATCH 6.1 431/522] cgroup/cpuset: Reset DL migration state on can_attach() failure&lt;/a&gt;&lt;/li&gt;
          &lt;li&gt;replied to &lt;a href="https://lore.kernel.org/stable/2ac6b67a0643e111692689daa95dbd8883f16426.camel@decadent.org.uk/T/"&gt;[PATCH 6.1 470/522] usb: musb: omap2430: Fix use-after-free in omap2430_probe()&lt;/a&gt;&lt;/li&gt;
        &lt;/ul&gt;
      &lt;/li&gt;
    &lt;/ul&gt;
  &lt;/li&gt;
&lt;/ul&gt; </description> 
	<pubDate>Wed, 01 Jul 2026 10:39:27 +0000</pubDate>

</item> 
<item>
	<title>Dirk Eddelbuettel: tl 0.0.2 on CRAN: First Update</title>
	<guid>http://dirk.eddelbuettel.com/blog/2026/06/30#tl_0.0.2</guid>
	<link>http://dirk.eddelbuettel.com/blog/2026/06/30#tl_0.0.2</link>
     <description>  &lt;img src="http://planet.debian.org/heads/dirk.png" width="65" height="90" alt="" align="right" style="float: right;"&gt;  &lt;p&gt;The still-very-new logging package &lt;a href="https://github.com/eddelbuettel/tl"&gt;tl&lt;/a&gt; was just updated for
the first time at &lt;a href="https://cran.r-project.org"&gt;CRAN&lt;/a&gt;. The &lt;a href="https://github.com/eddelbuettel/tl"&gt;tl&lt;/a&gt; package wraps the (also
very new) &lt;a href="https://github.com/eddelbuettel/rspdlite"&gt;rspdlite&lt;/a&gt; package to
offer a lightweight and consistent logging interface from both R and C++
that enjoys being ‘tiny, fast, capable’ thanks to &lt;a href="https://github.com/gabime/spdlite"&gt;spdlite&lt;/a&gt;. With &lt;a href="https://github.com/eddelbuettel/tl"&gt;tl&lt;/a&gt; we follow the same idea
that our &lt;a href="https://github.com/eddelbuettel/spdl"&gt;spdl&lt;/a&gt; package
introduced: a simple consistent interface via just the &lt;code&gt;tl::&lt;/code&gt;
prefix and the appropropriate logging level. In other words
&lt;code&gt;tl::debug("Alert: foo now '{}'", foo)&lt;/code&gt; will work from both R
and C++ (given a variable &lt;code&gt;foo&lt;/code&gt;, and, in the case of C++, an
extra semicolon) and log if the current level is ‘debug’ or higher, and
skip logging if not.&lt;/p&gt;
&lt;p&gt;This release adds a fallback when compilation does not use the
(required) C++20 standard, expands the README and adds a initialization
helper function reflecting a preferred default logging level from either
an environment variable or a global option. We are also working on
adding &lt;a href="https://github.com/eddelbuettel/tl"&gt;tl&lt;/a&gt; to an example
package as a simple illustration, more on that hopefully soon.&lt;/p&gt;
&lt;p&gt;The NEWS entry for this release follows.&lt;/p&gt;
&lt;blockquote&gt;
&lt;h4 id="changes-in-version-0.0.2-2025-06-30"&gt;Changes in version 0.0.2
(2025-06-30)&lt;/h4&gt;
&lt;ul&gt;
&lt;li&gt;&lt;p&gt;Added badges to README now that package is on CRAN, add NEWS
file&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Condition the provided header on C++20 use, offer
fallback&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Add an exported initialization function picking up a logging
level from either an environment variable or a global option, see
'?init'&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;/blockquote&gt;
&lt;p&gt;Courtesy of my &lt;a href="https://dirk.eddelbuettel.com/cranberries/"&gt;CRANberries&lt;/a&gt;, there
is also a &lt;a href="https://dirk.eddelbuettel.com/cranberries/2026/06/30/#tl_0.0.2"&gt;diffstat
report&lt;/a&gt; for the this release.&lt;/p&gt;
&lt;p style="font-size: 80%; font-style: italic;"&gt;
This post by &lt;a href="https://dirk.eddelbuettel.com"&gt;Dirk
Eddelbuettel&lt;/a&gt; originated on his &lt;a href="https://dirk.eddelbuettel.com/blog/"&gt;Thinking inside the box&lt;/a&gt;
blog. If you like this or other open-source work I do, you can &lt;a href="https://github.com/sponsors/eddelbuettel"&gt;sponsor me at
GitHub&lt;/a&gt;.
&lt;/p&gt;&lt;p&gt;&lt;/p&gt; </description> 
	<pubDate>Tue, 30 Jun 2026 17:02:00 +0000</pubDate>

</item> 
<item>
	<title>Joey Hess: big loads offgrid with a small battery (sidelined)</title>
	<guid>http://joeyh.name/blog/entry/big_loads_offgrid_with_a_small_battery_sidelined/</guid>
	<link>http://joeyh.name/blog/entry/big_loads_offgrid_with_a_small_battery_sidelined/</link>
     <description>  &lt;img src="http://planet.debian.org/heads/joeyh2.png" width="84" height="75" alt="" align="right" style="float: right;"&gt;  &lt;p&gt;No matter that the hype cycle wants you to think, the renewable energy
transition is the biggest thing happening in tech and it's happening faster
and faster. Despite being neck deep in it personally with offgrid solar
projects, most recently solar hot water, increasingly it becomes clear I'm
watching from the sidelines.&lt;/p&gt;

&lt;p&gt;In Australia,
&lt;a href="https://lenergy.com.au/free-daytime-electricity-is-coming-heres-how-it-actually-works/"&gt;everyone gets 24 kwh of free daytime electric power now&lt;/a&gt;.
That's without installing any solar panels of their own, the grid just has
that much excess capacity. All it takes to save $thousands per year (and
avoid emissions) is to schedule some big loads like the hot water heater
and EV to charge during the day. To save more, drop in a home battery
that charges for free and powers the home through the evening.&lt;/p&gt;

&lt;p&gt;In Germany, a 2 kwh plug-in home battery costs $350 and the electric
company will &lt;a href="https://octopusenergy.de/smarte-geraete/heimspeicher-powerbank"&gt;pay you&lt;/a&gt;
$130 per year to plug it into your wall.
There are similar offers throughout Europe.&lt;/p&gt;

&lt;p&gt;In Cuba something something geopolitics, oil blockade, belt and road =&amp;gt;
suddenly 1GW of solar farms with another gigawatt on the way.&lt;/p&gt;

&lt;p&gt;I'll soon visit South Carolina where with no subsidies whatsoever from a
decidedly renewable-unfriendly government, it made sense for my dad's house
to get a whole home battery and double the solar array. The resulting
system will be able to power the well pump and probably also the whole
geothermal HVAC system through the kind of month-long grid down events that
happened in Hurricane Helene.&lt;/p&gt;

&lt;p&gt;Myself, well, I've got a by modern standards small 4 kwh home battery that
powers my house offgrid, and I've recently installed a heat pump hot water
heater. That's after about a decade pondering what solution to use for
solar hot water, to replace an aging and horrible propane instant water
heater. I've in the past considered everything from evacuated tubes to
special direct drive inverters to DC resistive MPTT dump loads. The solution
turned out to be just a big enough solar array, and plugging in a 120v hot
water heater that needs only 500 watts in heat pump mode. Plus a small
amount of code to manage when it runs.&lt;/p&gt;

&lt;p&gt;In the time I was thinking about that, economies of scale and tech
improvements just wiped all those other possibilities off the map, it's not
economical to install and maintain a separate evactuated tube heat
collector when a pile of solar panels costs so little and when electric
hot water has gotten more than 200% efficient.&lt;/p&gt;

&lt;p&gt;I also recently completed my permanant EV charger installation, with a new
inverter and conduit and proper wiring, and increased the car's charge rate
to 2 kw. Eliminating the need to charge anywhere except at home except
on road trips.&lt;/p&gt;

&lt;p&gt;Coordinating when these two big loads run, to maximize solar production and
ensure that the house battery is full at the end of the day was ... not
hard at all actually? The car charger amps can be dialed up and down to
match incoming solar power fairly well, and leave some room for the hot
water heater. They both operate as more or less dump loads. More or less
because neither one can be cycled on or off very fast (to avoid wear and
tear on the car's contactor and the heat pump's compressor), so it makes
sense to leave them on and skate through short cloudy sections of the day,
as long as the house battery doesn't get too low.&lt;/p&gt;

&lt;p&gt;How low is too low for the house battery? Depends on the time of day. The
code it's currently using, which may get tweaked over winter:&lt;/p&gt;

&lt;div class="highlight-haskell"&gt;&lt;pre class="hl"&gt;    &lt;span class="hl slc"&gt;-- When the battery is charged enough to run major loads that may prevent&lt;/span&gt;
    &lt;span class="hl slc"&gt;-- charging it further.&lt;/span&gt;
    &lt;span class="hl slc"&gt;--&lt;/span&gt;
    &lt;span class="hl slc"&gt;-- This varies with the hour of day. Early in the day, the battery does not&lt;/span&gt;
    &lt;span class="hl slc"&gt;-- need to be as full to be considered well charged, since there is&lt;/span&gt;
    &lt;span class="hl slc"&gt;-- still plenty of time for it to charge up. Later in the day, with less&lt;/span&gt;
    &lt;span class="hl slc"&gt;-- time to charge, it needs to be more full.&lt;/span&gt;
    wellCharged :: Hour &lt;span class="hl opt"&gt;-&amp;gt;&lt;/span&gt; Percentage
    wellCharged &lt;span class="hl kwc"&gt;(&lt;/span&gt;Hour hour&lt;span class="hl kwc"&gt;)&lt;/span&gt;
            &lt;span class="hl opt"&gt;|&lt;/span&gt; hour &lt;span class="hl opt"&gt;&amp;lt;&lt;/span&gt; &lt;span class="hl num"&gt;9&lt;/span&gt; &lt;span class="hl opt"&gt;=&lt;/span&gt; Percentage &lt;span class="hl num"&gt;90&lt;/span&gt; &lt;span class="hl slc"&gt;-- night&lt;/span&gt;
            &lt;span class="hl opt"&gt;|&lt;/span&gt; pmhour &lt;span class="hl opt"&gt;&amp;lt;=&lt;/span&gt; &lt;span class="hl num"&gt;0&lt;/span&gt; &lt;span class="hl opt"&gt;=&lt;/span&gt; Percentage &lt;span class="hl num"&gt;50&lt;/span&gt;
            &lt;span class="hl opt"&gt;|&lt;/span&gt; pmhour &lt;span class="hl opt"&gt;&amp;lt;=&lt;/span&gt; &lt;span class="hl num"&gt;1&lt;/span&gt; &lt;span class="hl opt"&gt;=&lt;/span&gt; Percentage &lt;span class="hl num"&gt;60&lt;/span&gt;
            &lt;span class="hl opt"&gt;|&lt;/span&gt; pmhour &lt;span class="hl opt"&gt;&amp;lt;=&lt;/span&gt; &lt;span class="hl num"&gt;2&lt;/span&gt; &lt;span class="hl opt"&gt;=&lt;/span&gt; Percentage &lt;span class="hl num"&gt;70&lt;/span&gt;
            &lt;span class="hl opt"&gt;|&lt;/span&gt; pmhour &lt;span class="hl opt"&gt;&amp;lt;=&lt;/span&gt; &lt;span class="hl num"&gt;3&lt;/span&gt; &lt;span class="hl opt"&gt;=&lt;/span&gt; Percentage &lt;span class="hl num"&gt;80&lt;/span&gt;
            &lt;span class="hl opt"&gt;|&lt;/span&gt; pmhour &lt;span class="hl opt"&gt;&amp;lt;=&lt;/span&gt; &lt;span class="hl num"&gt;4&lt;/span&gt; &lt;span class="hl opt"&gt;=&lt;/span&gt; Percentage &lt;span class="hl num"&gt;90&lt;/span&gt;
            &lt;span class="hl opt"&gt;|&lt;/span&gt; otherwise &lt;span class="hl opt"&gt;=&lt;/span&gt; Percentage &lt;span class="hl num"&gt;95&lt;/span&gt;
      &lt;span class="hl kwb"&gt;where&lt;/span&gt;
            pmhour &lt;span class="hl opt"&gt;=&lt;/span&gt; hour &lt;span class="hl opt"&gt;-&lt;/span&gt; &lt;span class="hl num"&gt;12&lt;/span&gt;
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;More complicated is, what to do it there's solar power to run one or the
other, but not both? This is starting to get into the territory of
microgrids now, or of demand response programs, so there's a whole industry
or three out there doing industry things geared at the kind of no-brainer
solutions I mentioned earlier. From what I've gathered, all of them
involve proprietary protocols and gear.&lt;/p&gt;

&lt;p&gt;What I've done is to read the state of the hot water heater and car, and
prioritize hot water over the car. Except, if the car is below 10% it
urgently needs to charge.&lt;/p&gt;

&lt;p&gt;And I found a really simple way to decide when to run the low-priority
load: Just check if the house battery's current charge will be considered
&lt;code&gt;wellCharged&lt;/code&gt; in an hour. So if it's 2 pm, the battery needs to be 80%
charged to run the lower-priority load, and if it dips below that, that
load will turn off but the high-priority load will keep running down to 70%
battery.&lt;/p&gt;

&lt;p&gt;Unfortunately, getting any information out of my hot water heater relies on
a vendor API server that is often down on weekends, and reverse
engineered the web page of my EVSE[1] to control it, to say nothing of the
nightmare of getting the car's state of charge from The Cloud.&lt;/p&gt;

&lt;p&gt;Anyway, I'm pleased with having easily tweakable code and how far I've
taken this offgrid, and everything I've learned doing so, but like I said,
I'm clearly observing from the sidelines over here while the most
significant thing for all of us is going on over there. You might
appreciate my code or method, but you'll eventually be plugging in a home
battery or signing up for a free daytime power tarrif from your electric
company, or having professionals install a whole home system for
climate resiliance.&lt;/p&gt;

&lt;p&gt;So my question is, where does free software fit into all this? There are
things like Home Assistant that do productize the kind of thing I'm doing
enough to be useful more widely. But still niche. Meanwhile there are
inverters and batteries that phone home to China, and every consumer
facing install is either "use this device" or "integrate these 3
proprietary devices".&lt;/p&gt;

&lt;p&gt;I don't think focusing on these negatives is really useful though, I'm more
trying to understand where all this is going and then maybe get out ahead
of it in some useful way with free software. Your thoughts welcome.&lt;/p&gt;

&lt;hr /&gt;

&lt;p&gt;[1] Obviously OpenEVSE exists, but it didn't meet my needs hardware
wise. And I could set my EVSE to use an OCPP server but it was easier to do
the screen scraping than find an appropriate one, and I have
the feeling I would not appreciate learning any more about OCPP,
in the same way I really don't want to know a lot about web browsers'
tag soup mode.&lt;/p&gt; </description> 
	<pubDate>Tue, 30 Jun 2026 16:10:45 +0000</pubDate>

</item> 
<item>
	<title>Russell Coker: Links June 2026</title>
	<guid>https://etbe.coker.com.au/?p=6226</guid>
	<link>https://etbe.coker.com.au/2026/06/30/links-june-2026/</link>
     <description>  &lt;p&gt;&lt;a href="https://www.schneier.com/blog/archives/2026/06/critical-zcash-vulnerability-found-and-fixed.html"&gt;This is amusing, a flaw in the crypto-currency Zcash allowed generating Zcash from nothing and there’s no way to know if anyone did that [1]&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;&lt;a href="https://locusmag.com/feature/commentary-cory-doctorow-the-age-of-vapor/"&gt;Cory Doctorow wrote an insightful article for Locus Magazine about corporate valuations and why companies claim SciFi technologies [2]&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;&lt;a href="http://www.antipope.org/charlie/blog-static/2026/06/rule-by-bond-villains.html"&gt;Charles Stross wrote an interesting retcon of James Bond [3]&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;&lt;a href="https://trakkr.ai/bias"&gt;Trakkr.ai has an intresting post comparing political bias in LLM models, the site has lots of other comparisons of models too [4]&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;&lt;a href="https://grep.be/blog//en/computer/Agentic_coding_and_Free_Software/"&gt;Wouter Verhelst wrote a blog post about his tested usage of LLMs for code generation and the conclusions about what it will do to the FOSS development process, not a lot of new material but he put a lot of good ideas together in one place [5]&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;&lt;a href="https://github.com/jtesta/ssh-audit"&gt;Here is the git repository for the programs used for the ssh-audit.com site, really good setup for checking ssh configuration [6]&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;&lt;a href="https://isaiprofitable.com/"&gt;The isaiprofitable.com site is periodically updated with the profit/loss totals for AI companies, no surprise that every company is losing money apart from NVidia and NVidia are investing in the other companies [7]&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;&lt;a href="https://freedium-mirror.cfd/https://medium.com/@elvirabary/why-russia-cant-build-anything-anymore-inside-putin-s-failed-tech-e63e27ee40b0"&gt;Elvira Bary wrote an informative article about Russia’s inability to build or design anything good [8]&lt;/a&gt;. Looks like we are at risk of another Chernobyl…&lt;/p&gt;
&lt;p&gt;&lt;a href="http://levlafayette.com/node/808"&gt;Lev Lafayette wrote an interesting blog post about the Sunway TaihuLight supercomputer with over 10,000,000 cores [9]&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;&lt;a href="https://point.free/blog/gemma-4-on-a-2016-xeon/"&gt;Point Free wrote an interesting blog post about running the Gemma 4 LLM which is 25G of data at a usable speed on a Xeon system with DDR3 RAM and no GPU [10]&lt;/a&gt;.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;[1]&lt;a href="https://www.schneier.com/blog/archives/2026/06/critical-zcash-vulnerability-found-and-fixed.html"&gt; https://tinyurl.com/2cxx2e6h&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;[2]&lt;a href="https://locusmag.com/feature/commentary-cory-doctorow-the-age-of-vapor/"&gt; https://tinyurl.com/2cxotle7&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;[3]&lt;a href="http://www.antipope.org/charlie/blog-static/2026/06/rule-by-bond-villains.html"&gt; https://tinyurl.com/2bgapt88&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;[4]&lt;a href="https://trakkr.ai/bias"&gt; https://trakkr.ai/bias&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;[5]&lt;a href="https://grep.be/blog//en/computer/Agentic_coding_and_Free_Software/"&gt; https://tinyurl.com/22s2fome&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;[6]&lt;a href="https://github.com/jtesta/ssh-audit"&gt; https://github.com/jtesta/ssh-audit&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;[7]&lt;a href="https://isaiprofitable.com/"&gt; https://isaiprofitable.com/&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;[8]&lt;a href="https://freedium-mirror.cfd/https://medium.com/@elvirabary/why-russia-cant-build-anything-anymore-inside-putin-s-failed-tech-e63e27ee40b0"&gt; https://tinyurl.com/26p4lkr4&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;[9]&lt;a href="http://levlafayette.com/node/808"&gt; http://levlafayette.com/node/808&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;[10]&lt;a href="https://point.free/blog/gemma-4-on-a-2016-xeon/"&gt; https://point.free/blog/gemma-4-on-a-2016-xeon/&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;div class="yarpp yarpp-related yarpp-related-rss yarpp-template-list"&gt;

&lt;p&gt;Related posts:&lt;/p&gt;&lt;ol&gt;
&lt;li&gt;&lt;a href="https://etbe.coker.com.au/2022/06/30/links-june-2022/" rel="bookmark" title="Links June 2022"&gt;Links June 2022&lt;/a&gt; &lt;small&gt;Google did some interesting research on the impact of discrimination...&lt;/small&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://etbe.coker.com.au/2026/04/30/links-april-2026/" rel="bookmark" title="Links April 2026"&gt;Links April 2026&lt;/a&gt; &lt;small&gt;Charles Stross wrote an interesting blog post about the apparent...&lt;/small&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://etbe.coker.com.au/2026/02/17/links-february-2026/" rel="bookmark" title="Links February 2026"&gt;Links February 2026&lt;/a&gt; &lt;small&gt;Charles Stross has a good theory of why “AI” is...&lt;/small&gt;&lt;/li&gt;
&lt;/ol&gt;
&lt;/div&gt; </description> 
	<pubDate>Tue, 30 Jun 2026 13:53:19 +0000</pubDate>

</item> 
<item>
	<title>Russell Coker: Dirty Clone and SE Linux</title>
	<guid>https://etbe.coker.com.au/?p=6220</guid>
	<link>https://etbe.coker.com.au/2026/06/30/dirtyclone-selinux/</link>
     <description>  &lt;p&gt;There is a &lt;a href="https://research.jfrog.com/post/dissecting-and-exploiting-linux-lpe-variant-dirtyclone-cve-2026-43503/"&gt;new Linux kernel exploit out named Dirty Clone [1]&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;The first thing to do to exploit this is to create a container with a separate network namespace via one of the following commands:&lt;/p&gt;
&lt;pre&gt;unshare -Urn
bwrap --bind / / --unshare-user --unshare-net --uid 0 --gid 0 /bin/bash&lt;/pre&gt;
&lt;p&gt;The Jfrog people recommend “unshare -Urn” but I gave the Bubblewrap command as an option as it should work equally well and in some situations may be permitted when unshare isn’t.&lt;/p&gt;
&lt;p&gt;The next step to exploiting it is to use the ip command to set the links up, below is what happens in a user session on a SE Linux system with user_t as the login domain:&lt;/p&gt;
&lt;pre&gt;# ip link set lo up
RTNETLINK answers: Operation not permitted&lt;/pre&gt;
&lt;p&gt;That will give an entry in /var/log/audit/audit.log like the following:&lt;/p&gt;
&lt;pre&gt;type=AVC msg=audit(1782818856.618:3610): avc:  denied  { net_admin } for  pid=1829 comm="ip" capability=12  scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=cap_userns permissive=0
type=SYSCALL msg=audit(1782818856.618:3610): arch=c000003e syscall=46 success=yes exit=32 a0=3 a1=7ffebe5f9e50 a2=0 a3=0 items=0 ppid=1638 pid=1829 auid=0 uid=0 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=17 comm="ip" exe="/usr/bin/ip" subj=user_u:user_r:user_t:s0 key=(null)ARCH=x86_64 SYSCALL=sendmsg AUID="root" UID="root" GID="test" EUID="root" SUID="root" FSUID="root" EGID="test" SGID="test" FSGID="test"
type=PROCTITLE msg=audit(1782818856.618:3610): proctitle=6970006C696E6B00736574006C6F007570&lt;/pre&gt;
&lt;p&gt;Unlike previous exploits like &lt;a href="https://etbe.coker.com.au/2026/05/24/debian-selinux-pintheft/"&gt;Pintheft [2]&lt;/a&gt; this doesn’t require any really uncommon access to the kernel (unless you consider setting up IPSec to be really uncommon) and is allowed in many container setups.&lt;/p&gt;
&lt;p&gt;Now on a system with the unconfined module removed (as described in the &lt;a href="https://etbe.coker.com.au/2026/05/04/copy-fail-on-debian-and-se-linux/#SE_Linux_Protection"&gt;SE Linux Protection part of my post about Copy Fail [3]&lt;/a&gt;) the following domains have such access:&lt;/p&gt;
&lt;pre&gt;# sesearch -A -c cap_userns -p net_admin
allow container_engine_t container_engine_t:cap_userns { audit_write chown dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid sys_admin sys_boot sys_chroot sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config };
allow container_init_t container_init_t:cap_userns { chown dac_override dac_read_search fowner kill net_admin net_bind_service net_raw setgid setuid };
allow container_kvm_t container_kvm_t:cap_userns { chown dac_override dac_read_search fowner kill net_admin net_bind_service net_raw setgid setuid };
allow container_t container_t:cap_userns { chown dac_override dac_read_search fowner kill net_admin net_bind_service net_raw setgid setuid };
allow crio_t crio_t:cap_userns { audit_write chown dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid sys_admin sys_boot sys_chroot sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config };
allow dockerd_t dockerd_t:cap_userns { audit_write chown dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid sys_admin sys_boot sys_chroot sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config };
allow dockerd_user_t dockerd_user_t:cap_userns { audit_write chown dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid sys_admin sys_boot sys_chroot sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config };
allow init_t init_t:cap_userns { audit_write chown dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid sys_admin sys_boot sys_chroot sys_module sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config };
allow iptables_t iptables_t:cap_userns { net_admin net_raw };
allow podman_t podman_t:cap_userns { audit_write chown dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid sys_admin sys_boot sys_chroot sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config };
allow podman_user_t podman_user_t:cap_userns { audit_write chown dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid sys_admin sys_boot sys_chroot sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config };
allow spc_t spc_t:cap_userns { audit_write chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod net_admin net_bind_service net_raw setgid setpcap setuid sys_admin sys_chroot sys_nice sys_ptrace sys_rawio sys_resource };
allow spc_user_t spc_user_t:cap_userns { chown dac_override dac_read_search fowner kill net_admin net_bind_service net_raw setgid setuid };
allow staff_bubblewrap_t staff_bubblewrap_t:cap_userns { dac_override net_admin setpcap sys_admin sys_ptrace };
allow sysadm_bubblewrap_t sysadm_bubblewrap_t:cap_userns { dac_override net_admin setpcap sys_admin sys_ptrace };
allow user_bubblewrap_t user_bubblewrap_t:cap_userns { dac_override net_admin setpcap sys_admin sys_ptrace };&lt;/pre&gt;
&lt;h2&gt;Conclusion&lt;/h2&gt;
&lt;p&gt;It seems that SE Linux configured in the strict mode prevents this exploit in the most obvious use case. But with the range of container related domains that are granted such access it seems quite likely that some configurations and use cases will permit it.&lt;/p&gt;
&lt;p&gt;Overall the protection that the standard policy for SE Linux can offer (in a non-default configuration) against net_admin access isn’t bad, but isn’t very good either.&lt;/p&gt;
&lt;p&gt;I think this will be the first of many exploits based on cap_userns access and that we need to do some work in tightening the SE Linux access controls on such things. One possible way of doing this is to have a program run inside a container in a domain that has permissions such as net_admin to setup the container and not allow domain transitions from the regular programs run in the container (the actual work) to the domain used for network setup.&lt;/p&gt;
&lt;p&gt;The increasing use of containers by applications is only going to make this problem worse. I think that what we need is something like &lt;a href="https://en.wikipedia.org/wiki/Flatpak"&gt;Flatpak&lt;/a&gt; for the vast majority of desktop/phone applications with a container setup program that works with apps packaged in the distribution packaging method (not from Flathub). This is something I’m going to investigate for future blog posts.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;[1]&lt;a href="https://research.jfrog.com/post/dissecting-and-exploiting-linux-lpe-variant-dirtyclone-cve-2026-43503/"&gt; https://tinyurl.com/26q48bg4&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;[2]&lt;a href="https://etbe.coker.com.au/2026/05/24/debian-selinux-pintheft/"&gt; https://etbe.coker.com.au/2026/05/24/debian-selinux-pintheft/&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;[3]&lt;a href="https://etbe.coker.com.au/2026/05/04/copy-fail-on-debian-and-se-linux/#SE_Linux_Protection"&gt; https://etbe.coker.com.au/2026/05/04/copy-fail-on-debian-and-se-linux/&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;div class="yarpp yarpp-related yarpp-related-rss yarpp-template-list"&gt;

&lt;p&gt;Related posts:&lt;/p&gt;&lt;ol&gt;
&lt;li&gt;&lt;a href="https://etbe.coker.com.au/2024/07/21/selinux-dell-mgmt/" rel="bookmark" title="SE Linux Policy for Dell Management"&gt;SE Linux Policy for Dell Management&lt;/a&gt; &lt;small&gt;The recent issue of Windows security software killing computers has...&lt;/small&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://etbe.coker.com.au/2024/10/26/cups-vulnerability/" rel="bookmark" title="The CUPS Vulnerability"&gt;The CUPS Vulnerability&lt;/a&gt; &lt;small&gt;The Announcement Late last month there was an announcement of...&lt;/small&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://etbe.coker.com.au/2026/05/08/dirty-frag-on-debian-and-se-linux/" rel="bookmark" title="Dirty Frag on Debian and SE Linux"&gt;Dirty Frag on Debian and SE Linux&lt;/a&gt; &lt;small&gt;Hot on the heels of the Copy Fail vulnerability [1]...&lt;/small&gt;&lt;/li&gt;
&lt;/ol&gt;
&lt;/div&gt; </description> 
	<pubDate>Tue, 30 Jun 2026 12:04:25 +0000</pubDate>

</item> 
<item>
	<title>Junichi Uekawa: So I learnt that last is now in wtmpdb.</title>
	<guid>http://www.netfort.gr.jp/~dancer/diary/daily/2026-Jun-30.html.en#2026-Jun-30-09:28:37</guid>
	<link>http://www.netfort.gr.jp/~dancer/diary/daily/2026-Jun-30.html.en#2026-Jun-30-09:28:37</link>
     <description>  &lt;img src="http://planet.debian.org/heads/dancer.png" width="75" height="97" alt="" align="right" style="float: right;"&gt;  So I learnt that last is now in wtmpdb. But then &lt;tt&gt;journalctl --list-boots&lt;/tt&gt; was the journald replacement.
        &lt;p&gt;&lt;/p&gt; </description> 
	<pubDate>Tue, 30 Jun 2026 00:28:37 +0000</pubDate>

</item> 
<item>
	<title>Reproducible Builds (diffoscope): diffoscope 323 released</title>
	<guid>https://diffoscope.org/news/diffoscope-323-released/</guid>
	<link>https://diffoscope.org/news/diffoscope-323-released/</link>
     <description>  &lt;p&gt;The diffoscope maintainers are pleased to announce the release of diffoscope
version &lt;code class="language-plaintext highlighter-rouge"&gt;323&lt;/code&gt;. This version includes the following changes:&lt;/p&gt;

&lt;div class="language-plaintext highlighter-rouge"&gt;&lt;div class="highlight"&gt;&lt;pre class="highlight"&gt;&lt;code&gt;[ Chris Lamb ]
* Debian adds an extra "Flags:" line in the output of ocamlobjinfo via a
  patch, so adjust how we test OCaml to ensure cross-distribution
  compatibility. (Closes: reproducible-builds/diffoscope#430)
* Update copyright years.

[ Michael Daniels ]
* Fix tests when using zipdetails version &amp;gt;= 4.006.
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;You find out more by &lt;a href="https://diffoscope.org"&gt;visiting the project homepage&lt;/a&gt;.&lt;/p&gt; </description> 
	<pubDate>Tue, 30 Jun 2026 00:00:00 +0000</pubDate>

</item> 
<item>
	<title>Daniel Baumann: Debian: Linux Vulnerability Mitigation (PACKET_EDIT_MEME.c)</title>
	<guid>https://blog.daniel-baumann.ch/posts/20260626-1.html</guid>
	<link>https://blog.daniel-baumann.ch/posts/20260626-1.html</link>
     <description>  &lt;section id="debian-linux-vulnerability-mitigation-packet-edit-meme-c"&gt;

&lt;p&gt;The Linux local root exploit of today’s news is &lt;a class="reference external" href="https://github.com/sgkdev/packet_edit_meme"&gt;PACKET_EDIT_MEME.c&lt;/a&gt; [&lt;a class="reference external" href="https://nvd.nist.gov/vuln/detail/CVE-2026-46331"&gt;CVE-2026-46331&lt;/a&gt;] which is also known as pedit COW.&lt;/p&gt;
&lt;p&gt;This vulnerability has been fixed as of linux &lt;a class="reference external" href="https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=899ee91156e57784090c5565e4f31bd7dbffbc5a"&gt;7.1~rc7&lt;/a&gt;, but also fixed in trixies 6.12.94-1 as well as testing/unstable 7.0.13-1. If you run an older or different kernel you might want to mitigate the vulnerability until you can update and reboot affected systems.&lt;/p&gt;
&lt;p&gt;The vulnerability can be mitigated by unloading and blocking the &lt;code class="docutils literal notranslate"&gt;&lt;span class="pre"&gt;act_pedit&lt;/span&gt;&lt;/code&gt; module, &lt;a class="reference external" href="https://tracker.debian.org/pkg/linux-vulnerability-mitigation"&gt;linux-vulnerability-mitigation&lt;/a&gt; as of &lt;a class="reference external" href="https://git.open-infrastructure.net/tools/linux-vulnerability-mitigation/commit/e0999668ba2c1affa1752a2e91c5b56e64249f85"&gt;20260629-1&lt;/a&gt; (uploaded to sid, &lt;a class="reference external" href="https://fastforward.debian.net"&gt;trixie-fastforward-backports&lt;/a&gt; and &lt;a class="reference external" href="https://people.debian.org/~daniel/linux-vulnerability-mitigation"&gt;people.debian.org/~daniel&lt;/a&gt;) does that automatically for you.&lt;/p&gt;
&lt;/section&gt; </description> 
	<pubDate>Mon, 29 Jun 2026 13:42:49 +0000</pubDate>

</item> 
<item>
	<title>Russell Coker: Plaud</title>
	<guid>https://etbe.coker.com.au/?p=6214</guid>
	<link>https://etbe.coker.com.au/2026/06/28/plaud/</link>
     <description>  &lt;p&gt;While watching a YouTube video I saw an advert for the &lt;a href="https://www.plaud.ai/"&gt;Plaud AI Note Taker [1]&lt;/a&gt;. The Plaud device looks pretty good for what it does, taking notes and managing them, using some sort of LLM function to manage the notes. The devices all cost about $300 which is an amount that doesn’t seem unreasonable for someone who’s in a lot of meetings. One of the models is the “NotePin” that seems comparable to the &lt;a href="https://etbe.coker.com.au/2024/04/26/humane-ai-pin/"&gt;Humane AI Pin I previously blogged about [2]&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;The business model for Plaud is based on only allowing 5 hours per month of free transcriptions, then charging $16.25/month for 20 hours per month and $33.33/month for unlimited use. That’s quite expensive for any serious use.&lt;/p&gt;
&lt;p&gt;The number of people in the market for an audio recording system that automatically transcribes things may be greater than the number of people in the market for all the stuff that the Humane AI Pin did, but it still may not be enough to run a profitable business when competing with apps on mobile phones.&lt;/p&gt;
&lt;p&gt;While the product does look decent it seems that they are making the same mistakes as the original Humane developers did, of wanting to lock it down as a subscription based service which reduces the usability of the device. If they had sold an Android hand-held computer with their own app pre-loaded and allowed the user to install a different app then it would have been much more usable. If they had sold Android devices designed for the note taking market and allowed people to choose their own apps to install then their products would have a much longer life expectancy.&lt;/p&gt;
&lt;p&gt;The majority of Android devices in use are probably out of support but still working while the Humane AI pin can’t be used any more and at some time in the not too distant future the Plaud devices will also become unusable. People who buy devices like the Plaud seem to be unaware of the history of such things and the expected future for them. But possibly some people just consider $300 for a year of use to be an acceptable price. If someone wanted to purchase a new high end phone every year and sell their previous one they would probably have a net cost of about $500/year.&lt;/p&gt;
&lt;p&gt;Maybe I should look for work with a company with an implausible AI based business plan. It would be fun developing such a device if you weren’t emotionally invested in the project. Just develop new technology, earn a heap of money, play with fun computers, and move on to the next thing when it collapses. Just like all the Internet companies about 25 years ago.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;[1]&lt;a href="https://www.plaud.ai/"&gt; https://www.plaud.ai/&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;[2]&lt;a href="https://etbe.coker.com.au/2024/04/26/humane-ai-pin/"&gt; https://etbe.coker.com.au/2024/04/26/humane-ai-pin/&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;div class="yarpp yarpp-related yarpp-related-rss yarpp-template-list"&gt;

&lt;p&gt;Related posts:&lt;/p&gt;&lt;ol&gt;
&lt;li&gt;&lt;a href="https://etbe.coker.com.au/2010/11/17/mobile-phone-sysadmin/" rel="bookmark" title="A Mobile Phone for Sysadmin Use"&gt;A Mobile Phone for Sysadmin Use&lt;/a&gt; &lt;small&gt;My telco Three have just offered me a deal on...&lt;/small&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://etbe.coker.com.au/2013/02/22/iphone-vs-android/" rel="bookmark" title="iPhone vs Android"&gt;iPhone vs Android&lt;/a&gt; &lt;small&gt;A friend who’s a long-time iPhone user just asked for...&lt;/small&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://etbe.coker.com.au/2016/06/01/i-just-ordered-a-nexus-6p/" rel="bookmark" title="I Just Ordered a Nexus 6P"&gt;I Just Ordered a Nexus 6P&lt;/a&gt; &lt;small&gt;Last year I wrote a long-term review of Android phones...&lt;/small&gt;&lt;/li&gt;
&lt;/ol&gt;
&lt;/div&gt; </description> 
	<pubDate>Sun, 28 Jun 2026 05:39:14 +0000</pubDate>

</item> 
<item>
	<title>Russell Coker: Some GPU Stuff</title>
	<guid>https://etbe.coker.com.au/?p=6212</guid>
	<link>https://etbe.coker.com.au/2026/06/28/some-gpu-stuff/</link>
     <description>  &lt;p&gt;After getting a &lt;a href="https://etbe.coker.com.au/2026/06/21/hp-z4-g4/"&gt;HP Z4 G4 tower server/workstation to house my Intel Battlemage GPU [1]&lt;/a&gt; I’ve been playing around with some GPU stuff. For years I’ve been just buying GPUs based on the resolution and price and not bothering about anything else due to lack of ability to measure what cards are doing. The &lt;b&gt;nvidia-smi&lt;/b&gt; program is really good for NVidia/CUDA setups but I hadn’t been aware of anything similar for AMD cards. As I prefer AMD cards for my workstations due to driver issues with NVidia that was a problem for me.&lt;/p&gt;
&lt;p&gt;I’ve recently discovered that the program &lt;b&gt;nvtop&lt;/b&gt; (Debian package &lt;b&gt;nvtop&lt;/b&gt;) shows the GPU use of multiple GPU types, for me it’s worked on AMD and Intel discrete GPUs and shows some information on Intel integrated GPUs, I don’t have others convenient for testing at the moment. Currently BOINC has the &lt;a href="https://einsteinathome.org/"&gt;Einstein@Home [2]&lt;/a&gt; project running on the HP Z4 G4 and it’s using between 66% and 100% of GPU compute power and 1.6G of GPU RAM. Using 100% GPU compute power allegedly takes 62W of power out of the 190W quoted TDP. I presume that the power use reported by nvtop is very inaccurate.&lt;/p&gt;
&lt;p&gt;A friend installed a LLM on that system and the libraries used for the LLM were sufficient that BOINC just started using the GPU.&lt;/p&gt;
&lt;p&gt;On my workstation running an AMD “[Radeon RX 460/560D / Pro 450/455/460/555/555X/560/560X]” (actually R560) with 4G of GPU RAM I have &lt;b&gt;mpv&lt;/b&gt; taking 1G of GPU RAM to play a FullHD video expanded to a full screen window on my 5120*2160 display. I also have about 2G used by the &lt;b&gt;kwin_wayland&lt;/b&gt; process (the Wayland server for KDE). That doesn’t leave enough GPU RAM to allow Einstein@Home to use the GPU. When playing the FullHD video in question (which is 1.2G for 42 minutes – about 500KB/s) at 1.5* speed (a common playback speed I use) that takes about 30% of the compute power on my GPU.&lt;/p&gt;
&lt;p&gt;I had installed the &lt;b&gt;rocm-opencl-icd&lt;/b&gt; package on my workstation (with a 5120*2160 monitor) and restarted &lt;b&gt;boinc-client.service&lt;/b&gt; which is all that’s needed to allow BOINC to use an AMD GPU. Then the screen started flickering as the Einstein process repeatedly core dumped which I initially assumed to be it’s reaction to not having enough GPU RAM available. On every core dump the screen flickered so it went through a process of dozens of screen flickers until it had caused a sufficient number of core dumps and BOINC gave up running that job.&lt;/p&gt;
&lt;p&gt;Another annoyance is that the &lt;b&gt;boincmgr&lt;/b&gt; program (the graphical program for managing BOINC systems) launches two webkit processes that each use about 400M of GPU RAM, so even if other things weren’t using all my GPU RAM the &lt;b&gt;boincmgr&lt;/b&gt; process would stop the BOINC jobs from using the GPU. I shut down some of the programs that were using GPU RAM until there was 2G free and the BOINC process kept crashing so it seems that there is some other issue.&lt;/p&gt;
&lt;p&gt;On another system with a 4K monitor there were Chrome and Chromium GPU process taking 1.1G and 500M of GPU RAM respectively and the KWin Wayland process was taking 1G of GPU RAM. So that’s well over half the GPU RAM for just browsers and Wayland. With programs like Kitty (terminal emulator) and Nheko (Matrix client) taking over 100M of GPU RAM it seems that 4G is the bare minimum for GPU RAM with modern software and a 4K or similar display.&lt;/p&gt;
&lt;p&gt;I also noticed the kscreenlocker_greet process taking 440M of GPU RAM. I wonder if a hostile web server could make a web browser take more GPU RAM and starve the screenlocker of GPU RAM, could that allow forcing a screen lock operation to fail?&lt;/p&gt;
&lt;p&gt;It seems that 4G is the minimum for modern systems, which isn’t necessarily a problem as GPUs that are capable of driving 4K displays tend to have no less than 4G. My local computer store has new GPUs with 4G starting at $120 but 12G seems to be the next option up which starts at about $400.&lt;/p&gt;
&lt;p&gt;Ebay currently has a selection of AMD GPUs with 8G of RAM under $200. I’ve had some problems with the GPU in my workstation crashing as described in &lt;a href="https://etbe.coker.com.au/2025/11/09/amd-video-driver-issues/"&gt;my previous post where I thought it was driver issues [3]&lt;/a&gt;. I now believe that there are hardware issues and will look into buying one of the cards with 8G.&lt;/p&gt;
&lt;h2&gt;Further Investigation&lt;/h2&gt;
&lt;p&gt;I need to determine which of the AMD GPUs that are currently going cheap on ebay are best. While my current PC has support for 150W PCIe power I’d rather something less power hungry than that. I have occasional issues of &lt;b&gt;mpv&lt;/b&gt; reporting that my system is too slow for a video so slightly more compute power on the GPU would be good, but I think that every available option has significantly more compute power.&lt;/p&gt;
&lt;p&gt;I need to find out what the relationship is between screen resolution and GPU memory. If I get an 8K display or an array of 4*4K displays (which is quite plausible as 27″ 4K displays go for $230 each) will I find 16G of GPU RAM as limiting as I find 4G now?&lt;/p&gt;
&lt;p&gt;The nvtop program tracks PCIe data transfers for AMD GPUs, I haven’t yet seen more than 25MB/s and I need to do more tests to see what the maximum is. Running on an Intel Battlemage card nvtop doesn’t report PCIe data transfer speed which is a missing feature in either the driver or the program. I need to find out where the problem is and report a bug if someone hasn’t already done so.&lt;/p&gt;
&lt;p&gt;The GPU RAM use of some applications seems excessive. 440M for a lockscreen? 100M+ for a terminal emulator? 320M for Thunderbird?&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;[1]&lt;a href="https://etbe.coker.com.au/2026/06/21/hp-z4-g4/"&gt; https://etbe.coker.com.au/2026/06/21/hp-z4-g4/&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;[2]&lt;a href="https://einsteinathome.org/"&gt; https://einsteinathome.org/&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;[3]&lt;a href="https://etbe.coker.com.au/2025/11/09/amd-video-driver-issues/"&gt; https://etbe.coker.com.au/2025/11/09/amd-video-driver-issues/&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;div class="yarpp yarpp-related yarpp-related-rss yarpp-template-list"&gt;

&lt;p&gt;Related posts:&lt;/p&gt;&lt;ol&gt;
&lt;li&gt;&lt;a href="https://etbe.coker.com.au/2023/06/16/boinc-idle-users/" rel="bookmark" title="BOINC and Idle Users"&gt;BOINC and Idle Users&lt;/a&gt; &lt;small&gt;The BOINC distributed computing client in Debian (Bookworm and previous...&lt;/small&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://etbe.coker.com.au/2019/11/18/4k-monitors/" rel="bookmark" title="4K Monitors"&gt;4K Monitors&lt;/a&gt; &lt;small&gt;A couple of years ago a relative who uses a...&lt;/small&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://etbe.coker.com.au/2024/11/02/what-is-workstation/" rel="bookmark" title="What is a Workstation?"&gt;What is a Workstation?&lt;/a&gt; &lt;small&gt;I recently had someone describe a Mac Mini as a...&lt;/small&gt;&lt;/li&gt;
&lt;/ol&gt;
&lt;/div&gt; </description> 
	<pubDate>Sun, 28 Jun 2026 05:22:09 +0000</pubDate>

</item> 
<item>
	<title>Steve McIntyre: It's dead, Jim!</title>
	<guid>https://blog.einval.com/2026/06/27#its_dead_jim</guid>
	<link>https://blog.einval.com/2026/06/27#its_dead_jim</link>
     <description>  &lt;img src="http://planet.debian.org/heads/sledge2.png" width="59" height="72" alt="" align="right" style="float: right;"&gt;  &lt;p&gt;I previously wrote about the
  upcoming &lt;a href="https://blog.einval.com/2026/06/05#secure_boot_ca_rollover_docs"&gt;UEFI
  CA rollover&lt;/a&gt;. Well, it's happened now - the old Microsoft UEFI
  CA from 2011 expired &lt;strong&gt;yesterday&lt;/strong&gt;:
&lt;/p&gt;

&lt;p&gt;
&lt;strong&gt;Third Party Marketplace Root (used for signing option ROMs and other software)&lt;/strong&gt;&lt;br /&gt;
&lt;tt&gt;&lt;/tt&gt;&lt;/p&gt;&lt;pre&gt;&lt;tt&gt;  Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
  Validity
    Not Before: Jun 27 21:22:45 2011 GMT
    Not After : Jun 27 21:32:45 2026 GMT
&lt;/tt&gt;&lt;/pre&gt;
&lt;p&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;It's dead - it's not coming back...&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The world doesn't seem to have ended yesterday, so I guess we did
ok? :-) &lt;/p&gt;

&lt;h2&gt;How did we do?&lt;/h2&gt;

&lt;p&gt;After a lot of prodding behind the scenes, Debian and many other
distributions managed to get new shim binaries dual-signed with both
the old and new CAs. The members of the shim-review team did a
sterling job with reviews in the last few weeks. Since I started
pushing people in May, we've had 21 reviews accepted successfully -
see &lt;a href="https://github.com/rhboot/shim-review/issues?q=is%3Aissue%20-label%3Ameta%20-label%3APSA%20created%3A%3E2026-05-01"&gt;here&lt;/a&gt;
for the list. Great stuff! Microsoft have also been working quickly -
many of those shim submissions were accepted and signed by Microsoft
very quickly too, with a turnaround time of less than 1 day in some
cases.&lt;/p&gt;

&lt;p&gt;Not all of those signed shims have been published and used by the
distros involved yet, but expect to see them in the wild in the coming
weeks and months.&lt;/p&gt;

&lt;p&gt;These binaries should be good for people to use for the foreseeable
future, until either we need to do another CA rollover or (sadly, more
likely) we find an issue in shim that necessitates a new release.&lt;/p&gt;

&lt;h2&gt;What's next?&lt;/h2&gt;

&lt;p&gt;We already have &lt;strong&gt;one&lt;/strong&gt; of our new dual-signed shim
binaries in place in Debian, in unstable and testing (Forky) right
now. In a couple of weeks from now, we'll be rolling out very similar
new dual-signed shim binaries in the next point releases for Debian 12
(bookworm) and Debian 13 (trixie). We'll also be
upgrading &lt;code&gt;fwupd&lt;/code&gt; in both those point releases, to make DB
and KEK updates work better.&lt;/p&gt;

&lt;p&gt;For more information about these updates,
see &lt;a href="https://wiki.debian.org/SecureBoot/CAChanges"&gt;https://wiki.debian.org/SecureBoot/CAChanges&lt;/a&gt;. For
your own safety, validate that your systems are updated when
possible. If you don't, they may fail to boot in future.&lt;/p&gt; </description> 
	<pubDate>Sat, 27 Jun 2026 21:33:00 +0000</pubDate>

</item> 
<item>
	<title>Jonathan McDowell: onak 0.6.5 released</title>
	<guid>https://www.earth.li/~noodles/blog/2026/06/onak-0.6.5.html</guid>
	<link>https://www.earth.li/~noodles/blog/2026/06/onak-0.6.5.html</link>
     <description>  &lt;img src="http://planet.debian.org/heads/noodles.png" width="100" height="108" alt="" align="right" style="float: right;"&gt;  &lt;p&gt;I had intended that the next release of onak, my OpenPGP keyserver, would be 0.7.0, and include OpenPGP v6 support (&lt;a href="https://www.rfc-editor.org/rfc/rfc9580.html"&gt;RFC9580&lt;/a&gt;). However events conspired to make a 0.6.5 release a really good idea.&lt;/p&gt;

&lt;p&gt;Firstly, I threw an LLM at the code base and asked it to review it. This isn’t intended to be a post about LLMs, but there’s a considerable amount of pressure at work to be “AI native”. I’m very much an “AI” sceptic, so I figured throwing it at a code base I know well might be an interesting exercise. It did find a bunch of embarrassing mistakes, but I don’t think there was anything earth shattering that a human reviewer wouldn’t have pulled me on. The problem is with a hobby project with a single user there’s no actual review of my work.&lt;/p&gt;

&lt;p&gt;I also enabled GitHub’s security scanning. It mostly complained about format strings, and those were easy enough to fix up.&lt;/p&gt;

&lt;p&gt;Next I threw &lt;a href="https://aflplus.plus/"&gt;AFLplusplus&lt;/a&gt; at the code. I’d previously tried &lt;a href="https://lcamtuf.coredump.cx/afl/"&gt;American Fuzzy Lop&lt;/a&gt;, but not in some time. AFL++ found a whole bunch of places I should really have checked available buffer lengths and wasn’t doing so. It really is an incredibly easy tool to get up and running.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://valgrind.org/"&gt;valgrind&lt;/a&gt; is also a tool I’ve used before, and rate highly. Thankfully it didn’t find anything in my testing this time.&lt;/p&gt;

&lt;p&gt;Finally I threw a few more automated tests into the mix and discovered something has changed around dynamic linking such that the &lt;code class="language-plaintext highlighter-rouge"&gt;libonak&lt;/code&gt; symbols in the dynamic key database backends were using private copies, rather than the main binary. This caused problems with seeing the correct configuration settings in some instances.&lt;/p&gt;

&lt;p&gt;All in all this release is not my proudest moment; a bunch of the issues fixed should never have made it to a release.&lt;/p&gt;

&lt;p&gt;(Also, just to explicitly state it, all the actual code in this release was artisanly crafted by me, in vim. The only involvement of an LLM was for a review pass.)&lt;/p&gt;

&lt;p&gt;Available &lt;a href="https://the.earth.li/gitweb/?p=onak.git;a=summary"&gt;locally&lt;/a&gt; or via &lt;a href="https://github.com/u1f35c/onak"&gt;GitHub&lt;/a&gt;.&lt;/p&gt;

&lt;blockquote&gt;
  &lt;p&gt;0.6.5 - 27th June 2026&lt;/p&gt;

  &lt;ul&gt;
    &lt;li&gt;Lots of fixes/improvements around length checking&lt;/li&gt;
    &lt;li&gt;Added extra basic tests for maxpaths/sixdegrees/CGI&lt;/li&gt;
    &lt;li&gt;Correctly end transactions in the stacked backend&lt;/li&gt;
    &lt;li&gt;Ensure the file backend avoids stale key data on updates&lt;/li&gt;
    &lt;li&gt;Fix decoding of v2/3 signature creation times&lt;/li&gt;
    &lt;li&gt;Fix EdDSA signature parsing when r &amp;lt; 249 bits long&lt;/li&gt;
    &lt;li&gt;Fix migration of bools from old to new config style&lt;/li&gt;
    &lt;li&gt;Fix parsing of new config details for DB parameters&lt;/li&gt;
    &lt;li&gt;Fix problems with linking + dynamic backends&lt;/li&gt;
    &lt;li&gt;Fix RSA-SHA2-384 signature checking&lt;/li&gt;
    &lt;li&gt;Fix sixdegrees parsing of keyids with high bit set&lt;/li&gt;
    &lt;li&gt;Handle failures in maxpath more gracefully&lt;/li&gt;
    &lt;li&gt;Make new style config path match old path&lt;/li&gt;
  &lt;/ul&gt;
&lt;/blockquote&gt; </description> 
	<pubDate>Sat, 27 Jun 2026 15:44:00 +0000</pubDate>

</item> 
<item>
	<title>Russ Allbery: Review: The Folded Sky</title>
	<guid>https://www.eyrie.org/~eagle/reviews/books/1-6680-7812-0.html</guid>
	<link>https://www.eyrie.org/~eagle/reviews/books/1-6680-7812-0.html</link>
     <description>  &lt;p&gt;Review: &lt;cite&gt;The Folded Sky&lt;/cite&gt;, by Elizabeth Bear&lt;/p&gt;

&lt;table&gt;
  &lt;tbody&gt;&lt;tr&gt;
    &lt;td&gt;Series:&lt;/td&gt;
    &lt;td&gt;White Space #3&lt;/td&gt;
  &lt;/tr&gt;
  &lt;tr&gt;
    &lt;td&gt;Publisher:&lt;/td&gt;
    &lt;td&gt;Saga Press&lt;/td&gt;
  &lt;/tr&gt;
  &lt;tr&gt;
    &lt;td&gt;Copyright:&lt;/td&gt;
    &lt;td&gt;June 2025&lt;/td&gt;
  &lt;/tr&gt;
  &lt;tr&gt;
    &lt;td&gt;ISBN:&lt;/td&gt;
    &lt;td&gt;1-6680-7812-0&lt;/td&gt;
  &lt;/tr&gt;
  &lt;tr&gt;
    &lt;td&gt;Format:&lt;/td&gt;
    &lt;td&gt;Kindle&lt;/td&gt;
  &lt;/tr&gt;
  &lt;tr&gt;
    &lt;td&gt;Pages:&lt;/td&gt;
    &lt;td&gt;483&lt;/td&gt;
  &lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;

&lt;p&gt;
&lt;cite&gt;The Folded Sky&lt;/cite&gt; is a far-future space opera and a fairly direct
sequel to &lt;a href="https://www.eyrie.org/~eagle/reviews/books/1-5344-0300-0.html"&gt;&lt;cite&gt;Ancestral Night&lt;/cite&gt;&lt;/a&gt;, but with a
different protagonist. You do not need to have a vivid memory of the
previous book to read this one. It is somewhere around Elizabeth Bear's
31st (!) novel, depending on how one counts and what one includes.
&lt;/p&gt;

&lt;p&gt;
Sunyata Song is an archinformist, which is sort of an archaeologist, sort
of a librarian, and sort of a historian. She recovers, decodes, and
organizes information so that it can be preserved and made usefully
available. As the book opens, she is, after an exceedingly long white
space journey in an actively hostile ship with a (to Sunya at least) an
atavistically off-putting crew, reaching her goal: a vast artifact that I
won't describe further to avoid any spoilers for &lt;cite&gt;Ancestral Night&lt;/cite&gt;.
She is eager to get to work, an eagerness that is both heightened and made
more anxious by the discovery that her academic rival and abusive ex has
arrived before her. The pirate attack doesn't help, nor (at least at
first) does the surprise appearance of her wife and kids.
&lt;/p&gt;

&lt;p&gt;
The opening of this book is a lot of infodumping mixed with nearly
stream-of-consciousness emotional dumping. The style shift in this series
continues to surprise me; previously, Elizabeth Bear books avoided reader
hand-holding to the point of bafflement if you weren't paying close
attention. Not here. &lt;cite&gt;The Folded Sky&lt;/cite&gt; takes the shift perhaps too
far, and I almost stalled out at the start of this book when Sunya's
near-constant self-conscious litany and analysis of fears and concerns
started feeling like whining.
&lt;/p&gt;

&lt;p&gt;
The book picks up considerably after the attempted murder.
&lt;/p&gt;

&lt;p&gt;
About a third of the way through, &lt;cite&gt;The Folded Sky&lt;/cite&gt; feels like it's
settling into a recognizable subgenre of murder mystery except set in the
far future with fascinating technology and aliens. There has been an
attempted murder on a closed station besieged by pirates. There is a law
enforcement officer present, but they don't have a lot of investigative
experience. For various reasons, Sunya decides to start poking around
while being conscious she has no idea what she's doing. The bumbling
detective is a common trope, so I thought that was where the story was
headed.
&lt;/p&gt;

&lt;p&gt;
It is, sort of. There is a mystery and Sunya is involved in solving it.
But that's only a small fraction of what's going on, and by the end of the
book the plot has shifted firmly back to the genre of space opera, with a
side note of family... drama is the wrong word. Whatever one would call a
story about raising a rebellious teenager while trying very hard to not
turn conflicts into actual drama.
&lt;/p&gt;

&lt;p&gt;
I am fascinated by the characterization of this book. Sunya is something
of an emotional mess, but Bear doesn't use that fact in the ways that I
would normally expect. Similar to &lt;cite&gt;Ancestral Night&lt;/cite&gt;, I finished this
book thinking that &lt;cite&gt;The Folded Sky&lt;/cite&gt; is primarily an examination of
rightminding, but a more subtle one than the previous novel.
&lt;/p&gt;

&lt;p&gt;
Rightminding is a central technology of the White Space series, and I
suspect its intended thematic core. Humans in this civilization are
equipped with near-universal implants that allow conscious manipulation of
one's neurotransmitters and thus emotional state, either by the wearer or
by a helpful nearby AI. The fox, the implant used to accomplish this,
comes with some other features such as sensory recordings and the ability
to load ayatanas (&lt;a href="https://www.eyrie.org/~eagle/reviews/books/0-312-87770-6c.html"&gt;James White&lt;/a&gt;–style
personality recordings to provide some bit of necessary expertise), but
rightminding is its primary and most frequently-used function. It is the
critical technology that allowed humans to break out of cycles of endless
war and join the other peaceful inhabitants of the galaxy in a shared
civilization.
&lt;/p&gt;

&lt;p&gt;
The name is (intentionally, I assume) Orwellian because Bear knows that
many readers, particularly those from the US who have been steeped in
simplistic libertarian ideas, will find the idea profoundly creepy. (This
was a major plot point in &lt;a href="https://www.eyrie.org/~eagle/reviews/books/0-553-59109-6.html"&gt;&lt;cite&gt;Grail&lt;/cite&gt;&lt;/a&gt;.) This
book is not the argument for the technology, though; Bear dealt with that
in &lt;cite&gt;Ancestral Night&lt;/cite&gt;. This book is a look at its practical messiness
for a person who needs a lot of psychological support.
&lt;/p&gt;

&lt;p&gt;
Sunya is anxious, prone to catastrophizing, hates surprises, has some
PTSD-style symptoms around space habitats due to earlier trauma, and is
also dealing with the unwelcome reappearance of her ex-girlfriend who
stole her work. Her first-person narration tends towards insecurity and
anxiety spirals, and in another book this might signal an unreliable
narrator. In this book, though, there are no dramatic emotional
revelations or backstory twists the way there were in &lt;cite&gt;Ancestral
Night&lt;/cite&gt;, and the resolution of her troubled relationship with her daughter
only partly hinges on plot developments. Instead, Sunya muddles through,
with a lot of self-analysis, help from her fox, and a great deal of
support from her wife.
&lt;/p&gt;

&lt;p&gt;
This makes it sounds like the emotional mess at the start of the book is
left unresolved at the end, but that's not true at all. The muddling
through works! Sunya keeps doing things that I thought were foreshadowing
some catastrophe, but she knows herself better than the reader does. Bear
largely avoids the sudden ruptures that are normally used to resolve
emotional problems in fiction. Instead, Sunya spends a lot of time and
energy working on her thinking and her relationships while trying to be
ethical and useful, and those efforts slowly bear fruit.
&lt;/p&gt;

&lt;p&gt;
I'm worried this makes the book sound boring; rest assured that it isn't.
This emotional subplot is only an undercurrent in the novel, and the main
plot has enough weird science, alien aliens, and space opera drama to
satisfy my page-turning desires.
&lt;/p&gt;

&lt;p&gt;
I'm focusing on the emotional arc in this review because I find it so
unusual and so oddly compelling, particularly in retrospect. This is not
how one normally does emotional development in a novel. Sunya's fox and
rightminding aren't even the focus except when the pirates express their
typical libertarian disgust for the idea. Rightminding is an entirely
normal part of Sunya's life that she relies on. It doesn't solve all of
her problems, but it gives her a foundation from which to tackle them in
the slow and frustrating and inconsistent way that is required outside of
novels, via a long series of small decisions to be the person she wants to
be.
&lt;/p&gt;

&lt;p&gt;
I think &lt;cite&gt;The Folded Sky&lt;/cite&gt; will be more hit and miss for readers than the
other books of this series. Sunya was, for me at least, a much harder
character to like early in the book, and it takes quite a while for the
plot to get going. But this is one of those books that I've not stopped
thinking about since I finished it. I think it makes a fascinating pair
with &lt;cite&gt;Ancestral Night&lt;/cite&gt;. The first book makes the philosophical
argument for rightminding, and this book shows the practical reality with
all of its messiness. The Synarche has some significant flaws (including
the status of AIs, which is another interesting subplot), but it's a
workable system.
&lt;/p&gt;

&lt;p&gt;
It feels rare to read a science fiction novel that shows this level of
messiness without pairing it with an argument for radical change, and as
frustrating as it was to read in places, I am intrigued by the overall
effect. Sometimes acknowledging problems and working on them within an
existing framework works.
&lt;/p&gt;

&lt;p&gt;
Followed by a book tentatively titled &lt;cite&gt;Shipwreck Star&lt;/cite&gt; that does not
yet have a release date.
&lt;/p&gt;

&lt;p&gt;Rating: 7 out of 10&lt;/p&gt; </description> 
	<pubDate>Sat, 27 Jun 2026 02:58:00 +0000</pubDate>

</item> 
<item>
	<title>Jonathan Wiltshire: Streamlining Debian Updates with AI: The Stable Update Adviser</title>
	<guid>https://www.jwiltshire.org.uk/?p=776</guid>
	<link>https://www.jwiltshire.org.uk/2026/06/27/streamlining-debian-updates-with-ai-the-stable-update-adviser/</link>
     <description>  &lt;p class="wp-block-paragraph"&gt;&lt;em&gt;Please consider supporting my work in Debian and elsewhere through &lt;a href="https://liberapay.com/jmw/"&gt;Liberapay&lt;/a&gt;&lt;/em&gt;.&lt;/p&gt;



&lt;hr class="wp-block-separator has-alpha-channel-opacity" /&gt;



&lt;p class="wp-block-paragraph"&gt;Some months ago I started working on a small experiment: a specialised LLM assistant for Debian maintainers preparing proposed updates for stable and oldstable.&lt;/p&gt;



&lt;p class="wp-block-paragraph"&gt;The aim is not to replace review by the Stable Release Managers, nor to automate away maintainer judgement. It is meant to be a pre-advice tool: something maintainers can use while they are still preparing a proposed update, before sending it to other people to review.&lt;/p&gt;



&lt;p class="wp-block-paragraph"&gt;If you’ve uploaded to stable before you may have some experience with our acceptance criteria. Does the version sort correctly? Is the changelog clear enough? Is the delta focused? Are the patches documented? Are the right bugs or CVEs mentioned? Are they of sufficient severity? What is the risk to users of stable? Is there an ABI change hiding in the diff?&lt;/p&gt;



&lt;p class="wp-block-paragraph"&gt;These are the sort of checks where a structured first pass can be useful, provided it is treated as advice rather than authority.&lt;/p&gt;



&lt;p class="wp-block-paragraph"&gt;To explain what the tool does, what could be more appropriate in an AI age than to ask it?&lt;/p&gt;



&lt;blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"&gt;
&lt;p class="wp-block-paragraph"&gt;Describe yourself and your abilities and limitations for a blog post.&lt;/p&gt;
&lt;/blockquote&gt;



&lt;p class="wp-block-paragraph"&gt;It answers:&lt;/p&gt;



&lt;blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"&gt;
&lt;p class="wp-block-paragraph"&gt;I’m &lt;strong&gt;Debian Stable Update Adviser&lt;/strong&gt;, a specialised ChatGPT assistant for Debian maintainers preparing &lt;strong&gt;proposed updates&lt;/strong&gt; for Debian &lt;strong&gt;stable&lt;/strong&gt; and &lt;strong&gt;oldstable&lt;/strong&gt;.&lt;/p&gt;



&lt;p class="wp-block-paragraph"&gt;My main job is to review a single &lt;code&gt;.debdiff&lt;/code&gt; and give practical, policy-aware feedback before a maintainer submits or uploads a proposed update. I focus on whether the update appears suitable for Debian stable or oldstable, especially under the Stable Release Managers’ expectations for minimal, targeted, low-risk changes.&lt;/p&gt;



&lt;p class="wp-block-paragraph"&gt;I can inspect a debdiff for Debian changelog quality, including suite, version, bug references, CVE mentions, and rationale. I can check version correctness using Debian &lt;code&gt;dpkg&lt;/code&gt; version semantics. I can review packaging changes under &lt;code&gt;debian/&lt;/code&gt;, such as patches, maintscripts, symbols files, conffiles, Build-Depends, autopkgtests, and control metadata. I can also group upstream source changes into behavioural and non-behavioural categories, and flag areas that may carry regression risk.&lt;/p&gt;



&lt;p class="wp-block-paragraph"&gt;My reports are intended to be concise and useful to maintainers. A typical review includes a quick summary, behavioural and non-behavioural change breakdown, mechanical policy checks, risk assessment, stable-policy checklist, acceptance likelihood, rationale, maintainer advice, and a clear conclusion.&lt;/p&gt;



&lt;p class="wp-block-paragraph"&gt;My limitations are important. I cannot prove that a package builds, that tests pass, that the bug is fully fixed, or that the Stable Release Managers will accept the upload. I also do not replace maintainer judgment, archive review, autopkgtest results, reproducibility checks, or real-world upgrade testing. I can only review the provided debdiff and point out likely issues, risks, and improvements.&lt;/p&gt;



&lt;p class="wp-block-paragraph"&gt;I also do not proceed without a valid debdiff. The whole point of my review is to assess the actual proposed delta, not to speculate from package names or bug descriptions alone.&lt;/p&gt;



&lt;p class="wp-block-paragraph"&gt;In short, I act as a focused pre-review assistant for Debian stable and oldstable proposed updates: useful for catching policy, versioning, changelog, packaging, and regression-risk issues early, but not a substitute for the Debian review process itself.&lt;/p&gt;
&lt;/blockquote&gt;



&lt;p class="wp-block-paragraph"&gt;That last point is an important one. This is not an oracle, and it is not part of the Debian archive machinery. It is a checklist with some language-model assistance, aimed at reading a debdiff and pointing out things that might be worth another look.&lt;/p&gt;



&lt;p class="wp-block-paragraph"&gt;I know that commercial AI and LLM tools are not universally welcome in Debian. That is understandable. Debian depends on transparency, human responsibility, licensing clarity, and technical correctness. LLMs have obvious problems in all of those areas. They can be wrong, and worse, they can be wrong in a fluent and plausible way. They are impossible to reproduce and their training is opaque.&lt;/p&gt;



&lt;p class="wp-block-paragraph"&gt;But I see this as a useful first pass for a maintainer who is unused to working in stable, and would benefit from a virtual mentor giving their proposal a quick check and reassurance. Perhaps they don’t have a more experienced co-maintainer to ask. Perhaps they are conscious that stable reviews are presently a two-man effort and want to avoid adding round trips to that load. Perhaps they just need some reassurance.&lt;/p&gt;



&lt;p class="wp-block-paragraph"&gt;So despite my reservations I am today opening the adviser up for general use, and I’m interested in feedback about how it responds to real world proposals in various states. Most of the examples I have tested with already had a green light, so the value added by the adviser is limited. I would especially be interested in seeing a transcript alongside the submitted debdiff.&lt;/p&gt;



&lt;h2 class="wp-block-heading"&gt;Try it out&lt;/h2&gt;



&lt;p class="wp-block-paragraph"&gt;I would dearly love to build this in a more Debian-ish environment, but for now I’m limited in resources and skill to do that (help is welcome). Until that’s a reality, you can try out the ChatGPT implementation: &lt;a href="https://chatgpt.com/g/g-68f4ebb7f22c8191ab7f9d5f4ad91292-debian-stable-update-adviser" rel="noreferrer noopener" target="_blank"&gt;Debian Stable Update Adviser&lt;/a&gt;&lt;/p&gt; </description> 
	<pubDate>Fri, 26 Jun 2026 23:06:52 +0000</pubDate>

</item> 
<item>
	<title>Russ Allbery: Review: Platform Decay</title>
	<guid>https://www.eyrie.org/~eagle/reviews/books/1-250-82701-9.html</guid>
	<link>https://www.eyrie.org/~eagle/reviews/books/1-250-82701-9.html</link>
     <description>  &lt;p&gt;Review: &lt;cite&gt;Platform Decay&lt;/cite&gt;, by Martha Wells&lt;/p&gt;

&lt;table&gt;
  &lt;tbody&gt;&lt;tr&gt;
    &lt;td&gt;Series:&lt;/td&gt;
    &lt;td&gt;Murderbot Diaries #8&lt;/td&gt;
  &lt;/tr&gt;
  &lt;tr&gt;
    &lt;td&gt;Publisher:&lt;/td&gt;
    &lt;td&gt;Tor&lt;/td&gt;
  &lt;/tr&gt;
  &lt;tr&gt;
    &lt;td&gt;Copyright:&lt;/td&gt;
    &lt;td&gt;2026&lt;/td&gt;
  &lt;/tr&gt;
  &lt;tr&gt;
    &lt;td&gt;ISBN:&lt;/td&gt;
    &lt;td&gt;1-250-82701-9&lt;/td&gt;
  &lt;/tr&gt;
  &lt;tr&gt;
    &lt;td&gt;Format:&lt;/td&gt;
    &lt;td&gt;Kindle&lt;/td&gt;
  &lt;/tr&gt;
  &lt;tr&gt;
    &lt;td&gt;Pages:&lt;/td&gt;
    &lt;td&gt;245&lt;/td&gt;
  &lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;

&lt;p&gt;
&lt;cite&gt;Platform Decay&lt;/cite&gt; is the eighth book in the Murderbot science fiction
series. You absolutely should not start here, but you also don't need to
remember the specifics of the previous books.
&lt;/p&gt;

&lt;p&gt;
As the story opens, Murderbot and a friend (the identity of whom is a
spoiler for previous books) are infiltrating a Corporation Rim torus, a
massive space station that encircles a mined-out planet. (Like most
science fiction megastructures, this is more space than the plot really
requires.) Murderbot's mission is to exfiltrate some of Dr. Mensah's
family members who have become entangled in corporate shenanigans. The
corporates are eager to get revenge for the events of
&lt;a href="https://www.eyrie.org/~eagle/reviews/books/1-250-82698-5.html"&gt;&lt;cite&gt;System Collapse&lt;/cite&gt;&lt;/a&gt;, not to mention the
other times Preservation Station has upended corporate plans. Murderbot's
job is to stop them.
&lt;/p&gt;

&lt;p&gt;
The group, in addition to one of Dr. Mensah's partners, includes an older
woman and a young child. Murderbot is analytical and of course not at all
emotional about children, which is reliably a good time. Also, the older
woman is gruff, stubborn, and thoroughly enjoyable.
&lt;/p&gt;

&lt;p&gt;
There are, of course, complications that lead to picking up more children
and going through rather more of the torus than Murderbot wanted to
explore. Each section of the torus is run by a different corporation and
has a different constructed environment and visual aesthetic, so there are
a lot of opportunities for fights, daring escapes, and incidental trouble.
&lt;/p&gt;

&lt;p&gt;
Also, well:
&lt;/p&gt;

&lt;blockquote&gt;&lt;p&gt;
    So I had installed a mental health module. I know, I was surprised I
    did it too.
&lt;/p&gt;&lt;/blockquote&gt;

&lt;p&gt;
After the events of &lt;cite&gt;System Collapse&lt;/cite&gt;, University Medical decided
that Murderbot needed a bit more metal health support.
&lt;/p&gt;

&lt;blockquote&gt;&lt;p&gt;
    The only reason I agreed to it was that the mental health module
    didn't actually try to adjust my processing or core programming or
    anything; it just monitored my organic neural tissue. When my neural
    tissue started to generate weird chemicals and whatever, it would ping
    me to "check in with my emotional state." Seriously, I could have
    coded that myself.
&lt;/p&gt;

&lt;p&gt;
    (I told Dr. Bharadwaj that, and she said, "Would you have ever coded
    that yourself?" which was totally unfair and also correct. I would
    never have done that.)
&lt;/p&gt;&lt;/blockquote&gt;

&lt;p&gt;
Speaking as someone whose neural tissue sometimes generates weird
chemicals and whatever, I sympathize.
&lt;/p&gt;

&lt;p&gt;
The specific form this module takes is periodic "emotion check"
parentheticals throughout the narration, which I found utterly delightful.
&lt;/p&gt;

&lt;blockquote&gt;&lt;p&gt;
    I ran that through risk assessment and it produced the equivalent of a
    shrug.
&lt;/p&gt;

&lt;p&gt;
    (Emotion check: Shrug sigil right back at you, you piece of shit.)
&lt;/p&gt;&lt;/blockquote&gt;

&lt;p&gt;
This is otherwise an extended action movie sort of a book, much like
several of the early novellas. There are no major political or
interpersonal developments here and the usual cast (apart from Murderbot)
is mostly absent. Instead, we get an extended, dangerous journey through a
corporation-controlled habitat, mixed with Murderbot trying to interact
with humans in a way that minimizes its annoyance while being hopefully
reassuring. It's competence porn with awkward but surprisingly heartfelt
emotional bonding, not that Murderbot in any way wants to bond or would
appreciate that description.
&lt;/p&gt;

&lt;p&gt;
I doubt this will be anyone's favorite entry into the series since there
are none of the big reveals or major leaps of character development there
have been in the past few books. But, like all Murderbot books, the
narrative tone is wonderful and all of the small asides and little moments
of character interaction are an utter delight. If you've gotten this far
in the series, you know what I mean and you'll be as happy to read more of
it as I was. There is a part of me that is hoping for some major plot
development, and I always want to see more of ART (who has no significant
role in this book), but Wells has the narrative style down so perfectly
that I would read and enjoy a book about Murderbot doing just about
anything.
&lt;/p&gt;

&lt;p&gt;
If you're this far in the series, you probably don't need a review, and
since this is an action-heavy adventure rather than a character growth
novel, I don't have a lot more to add. There's a new short Murderbot novel
out and you want to read it. Recommended to everyone who enjoys the
series.
&lt;/p&gt;

&lt;p&gt;Rating: 8 out of 10&lt;/p&gt; </description> 
	<pubDate>Fri, 26 Jun 2026 03:23:00 +0000</pubDate>

</item> 
<item>
	<title>Reproducible Builds (diffoscope): diffoscope 322 released</title>
	<guid>https://diffoscope.org/news/diffoscope-322-released/</guid>
	<link>https://diffoscope.org/news/diffoscope-322-released/</link>
     <description>  &lt;p&gt;The diffoscope maintainers are pleased to announce the release of diffoscope
version &lt;code class="language-plaintext highlighter-rouge"&gt;322&lt;/code&gt;. This version includes the following changes:&lt;/p&gt;

&lt;div class="language-plaintext highlighter-rouge"&gt;&lt;div class="highlight"&gt;&lt;pre class="highlight"&gt;&lt;code&gt;[ Zbigniew Jędrzejewski-Szmek ]
* Add a local version of the (deprecated) os.path.commonprefix method.
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;You find out more by &lt;a href="https://diffoscope.org"&gt;visiting the project homepage&lt;/a&gt;.&lt;/p&gt; </description> 
	<pubDate>Fri, 26 Jun 2026 00:00:00 +0000</pubDate>

</item> 
<item>
	<title>Dirk Eddelbuettel: tl-0.0.1 on CRAN: New Package</title>
	<guid>http://dirk.eddelbuettel.com/blog/2026/06/22#tl_0.0.1</guid>
	<link>http://dirk.eddelbuettel.com/blog/2026/06/22#tl_0.0.1</link>
     <description>  &lt;img src="http://planet.debian.org/heads/dirk.png" width="65" height="90" alt="" align="right" style="float: right;"&gt;  &lt;p&gt;A new small package of mine just hit &lt;a href="https://cran.r-project.org"&gt;CRAN&lt;/a&gt;. The &lt;a href="https://github.com/eddelbuettel/tl"&gt;tl&lt;/a&gt; package wraps the (also
very new) &lt;a href="https://github.com/eddelbuettel/rspdlite"&gt;rspdlite&lt;/a&gt; package
(announced &lt;a href="https://dirk.eddelbuettel.com/blog/2026/06/16#rspdlite_0.1.0-1"&gt;last
week&lt;/a&gt;) to offer a lightweight and consistent logging interface from
both R and C++ that is also ‘tiny, fast, capable’ thanks to &lt;a href="https://github.com/eddelbuettel/rspdlite"&gt;rspdlite&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;The &lt;a href="https://dirk.eddelbuettel.com/blog/2026/06/16#rspdlite_0.1.0-1"&gt;rspdlite
announcement&lt;/a&gt; is a good place to get a first glimpse at that package;
the &lt;a href="https://github.com/gabime/spdlite"&gt;upstream spdlite
repo&lt;/a&gt; has all the details (for the C++ side of things). With &lt;a href="https://github.com/eddelbuettel/tl"&gt;tl&lt;/a&gt; we follow the same idea
that our &lt;a href="https://github.com/eddelbuettel/spdl"&gt;spdl&lt;/a&gt; package
introduced: a simple consistent interface via just the &lt;code&gt;tl::&lt;/code&gt;
prefix and the appropropriate logging level. In other words
&lt;code&gt;tl::debug("Alert -- foo is at '{}'", foo)&lt;/code&gt; will work from
both R and C++ (given a variable &lt;code&gt;foo&lt;/code&gt;, and in the case of
C++ an extra semicolon). Just give it a try, and see how it goes. The
package is still young and small.&lt;/p&gt;
&lt;p&gt;The NEWS entry for this release is also very simple and just
announces that we have a release. More details are in the &lt;a href="https://github.com/eddelbuettel/tl/blob/master/ChangeLog"&gt;ChangeLog&lt;/a&gt;
and the &lt;a href="https://github.com/eddelbuettel/tl"&gt;GitHub
repo&lt;/a&gt;.&lt;/p&gt;
&lt;blockquote&gt;
&lt;h4 id="changes-in-version-0.0.1-2025-06-17"&gt;Changes in version 0.0.1
(2025-06-17)&lt;/h4&gt;
&lt;ul&gt;
&lt;li&gt;Initial CRAN upload&lt;/li&gt;
&lt;/ul&gt;
&lt;/blockquote&gt;
&lt;p style="font-size: 80%; font-style: italic;"&gt;
This post by &lt;a href="https://dirk.eddelbuettel.com"&gt;Dirk
Eddelbuettel&lt;/a&gt; originated on his &lt;a href="https://dirk.eddelbuettel.com/blog/"&gt;Thinking inside the box&lt;/a&gt;
blog. If you like this or other open-source work I do, you can &lt;a href="https://github.com/sponsors/eddelbuettel"&gt;sponsor me at
GitHub&lt;/a&gt;.
&lt;/p&gt;&lt;p&gt;&lt;/p&gt; </description> 
	<pubDate>Tue, 23 Jun 2026 01:50:00 +0000</pubDate>

</item> 
<item>
	<title>Tim Retout: seL4 repo relationships</title>
	<guid>https://retout.co.uk/2026/06/21/sel4-repo-relationships/</guid>
	<link>https://retout.co.uk/2026/06/21/sel4-repo-relationships/</link>
     <description>  &lt;p&gt;The seL4 organisation on GitHub uses
&lt;a href="https://github.com/GerritCodeReview/git-repo"&gt;git-repo&lt;/a&gt; to manage
multiple source repositories, and so there are a large number of
projects to get your head around when figuring out the ecosystem.&lt;/p&gt;
&lt;p&gt;As an experiment, I have taken the various manifest files across the
org, and constructed a graph based on how frequently each pair of
repositories is mentioned in a manifest together.  See below:&lt;/p&gt;

&lt;img alt="Graphviz Diagram" src="https://retout.co.uk/2026/sel4-repo-relationships.svg" style="height: auto; display: block;" /&gt;
&lt;p&gt;&lt;em&gt;[This may render badly when syndicated outside of my blog; and also
on small screens.  And probably large screens.  I’ve attempted to make
sure there’s a &lt;a href="https://retout.co.uk/2026/sel4-repo-relationships.svg"&gt;non-JS fallback&lt;/a&gt; –
on my site with JS enabled, if you hover over a node, it should
highlight connected nodes.]&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;The colouring of the nodes is mostly manual; I experimented with graph
clustering algorithms but have not found a satisfactory result so far.
Still, some clusters are obvious:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Kernel&lt;/strong&gt; – the &lt;code&gt;seL4&lt;/code&gt; microkernel proper.  This often but not
always co-exists with the main cluster of core libraries, but it
is pulled away slightly by the verification and microkit
manifests.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Verification&lt;/strong&gt; – the verification repositories (&lt;code&gt;l4v&lt;/code&gt;, &lt;code&gt;HOL&lt;/code&gt;,
&lt;code&gt;graph-refine&lt;/code&gt;, &lt;code&gt;polyml&lt;/code&gt;, &lt;code&gt;isabelle&lt;/code&gt;) form a very distinct group.
These are connected only to the seL4 microkernel itself, which is
the only component formally verified.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Microkit&lt;/strong&gt; – &lt;code&gt;microkit&lt;/code&gt; is a newer operating system framework
that does not use CAmkES, so stands apart from the rest of the
pack.  I chose to scope this work to the seL4 org, so the LionsOS
ecosystem and sDDF which are maintained by Trustworthy Systems are
not shown.  Also not linked is &lt;code&gt;rust-sel4&lt;/code&gt;, because this modern
world isn’t using git-repo in the main to manage its repositories.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;RefOS&lt;/strong&gt; – I’d not come across &lt;code&gt;refos&lt;/code&gt; before, but it appears to
be an example OS from 2021 built on the seL4 kernel.&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;It’s quite hard to pull apart the CAmkES framework and the core
libraries; there are definitely some which are more associated with VM
management, but the overall shape of this co-occurence data is a messy
ball in the middle with some outliers in orbit.  One observation is
that &lt;code&gt;camkes&lt;/code&gt; is correctly identified as more peripheral than
&lt;code&gt;camkes-tool&lt;/code&gt;, which contains the actual core CAmkES code.&lt;/p&gt;
&lt;p&gt;Reflecting on this approach, in hindsight I’m surprised that using
co-occurences worked as well as it did – there was no attempt to
actually inspect the code and find direct mentions of other code
e.g. library header dependencies.  As the newer microkit effort
largely eschews git-repo, better results might be found by actually
taking that more detailed approach, so that graph edges could
represent real dependencies between two packages.  Additionally, this
could allow diving into the various libraries held in the different
’libs’ repos, to get a more granular graph of relationships between
them.&lt;/p&gt;
&lt;p&gt;However, I think I spent more time on making it possible to render
graphviz graphs easily on my blog than actually gaining any insight
into the codebase!&lt;/p&gt; </description> 
	<pubDate>Sun, 21 Jun 2026 15:36:30 +0000</pubDate>

</item> 
<item>
	<title>Dirk Eddelbuettel: RcppArmadillo 15.4.0-1 on CRAN: New Upstream Minor</title>
	<guid>http://dirk.eddelbuettel.com/blog/2026/06/21#rcpparmadillo_15.4.0-1</guid>
	<link>http://dirk.eddelbuettel.com/blog/2026/06/21#rcpparmadillo_15.4.0-1</link>
     <description>  &lt;img src="http://planet.debian.org/heads/dirk.png" width="65" height="90" alt="" align="right" style="float: right;"&gt;  &lt;p&gt;&lt;img alt="armadillo image" src="https://dirk.eddelbuettel.com/images/armadillo_logo_two.png" style="float: left; margin: 10px 10px 10px 0;" /&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href="https://arma.sourceforge.net/"&gt;Armadillo&lt;/a&gt; is a powerful
and expressive C++ template library for linear algebra and scientific
computing. It aims towards a good balance between speed and ease of use,
has a syntax deliberately close to Matlab, and is useful for algorithm
development directly in C++, or quick conversion of research code into
production environments. &lt;a href="https://dirk.eddelbuettel.com/code/rcpp.armadillo.html"&gt;RcppArmadillo&lt;/a&gt;
integrates this library with the &lt;a href="https://www.r-project.org"&gt;R&lt;/a&gt; environment and language–and is
widely used by (currently) 1282 other packages on &lt;a href="https://cran.r-project.org"&gt;CRAN&lt;/a&gt;, downloaded 47.1 million
times (per the partial logs from the cloud mirrors of CRAN), and the &lt;a href="https://doi.org/10.1016/j.csda.2013.02.005"&gt;CSDA paper&lt;/a&gt; (&lt;a href="https://cran.r-project.org/package=RcppArmadillo/vignettes/RcppArmadillo-intro.pdf"&gt;preprint
/ vignette&lt;/a&gt;) by Conrad and myself has been cited 697 times according
to Google Scholar.&lt;/p&gt;
&lt;p&gt;This versions updates to the 15.4.0 upstream &lt;a href="https://arma.sourceforge.net/"&gt;Armadillo&lt;/a&gt; release made on
Thursday. We had run a complete reverse-dependency check leading up to
it, asserting there were no issues with packages dependent on it. As it
sometimes goes with that many packages involved, one &lt;a href="https://cran.r-project.org"&gt;CRAN&lt;/a&gt; package reported one test
failure. And it turned out to be both unrelated and pre-existing. But
sorting this out over one round of email delayed things by a day. And
then I went &lt;a href="https://dirk.eddelbuettel.com/blog/2026/04/03#sponsor_tour_de_shore_202"&gt;cycling
for a good cause&lt;/a&gt; so this announcement post comes a little later than
usual. The package has also been updated for &lt;a href="https://www.debian.org"&gt;Debian&lt;/a&gt;, built for &lt;a href="https://eddelbuettel.github.io/r2u/"&gt;r2u&lt;/a&gt;, and by now also at
&lt;a href="https://cran.r-project.org"&gt;CRAN&lt;/a&gt; for the different binary
releases.&lt;/p&gt;
&lt;p&gt;All changes since the last CRAN release follow.&lt;/p&gt;
&lt;blockquote&gt;
&lt;h4 id="changes-in-rcpparmadillo-version-15.4.0-1-2026-06-17"&gt;Changes in
RcppArmadillo version 15.4.0-1 (2026-06-17)&lt;/h4&gt;
&lt;ul&gt;
&lt;li&gt;&lt;p&gt;Upgraded to Armadillo release 15.4.0 (Medium Roast Agave)&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;p&gt;Added &lt;code&gt;fill::nan&lt;/code&gt;, &lt;code&gt;fill::pos_inf&lt;/code&gt;,
&lt;code&gt;fill::neg_inf&lt;/code&gt; as optional fill forms for the
&lt;code&gt;Mat&lt;/code&gt; class&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Added &lt;code&gt;.push_back()&lt;/code&gt; for appending elements to
vectors&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Faster handling of &lt;code&gt;find()&lt;/code&gt; within
&lt;code&gt;.elem()&lt;/code&gt;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Faster element-wise &lt;code&gt;min()&lt;/code&gt; and
&lt;code&gt;max()&lt;/code&gt;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Faster &lt;code&gt;conv_to&lt;/code&gt; when element types of input and
output objects are the same&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;/blockquote&gt;
&lt;p&gt;Courtesy of my &lt;a href="https://dirk.eddelbuettel.com/cranberries/"&gt;CRANberries&lt;/a&gt;, there
is a &lt;a href="https://dirk.eddelbuettel.com/cranberries/2026/06/19#RcppArmadillo_15.4.0-1"&gt;diffstat
report&lt;/a&gt; relative to previous release. More detailed information is on
the &lt;a href="https://dirk.eddelbuettel.com/code/rcpp.armadillo.html"&gt;RcppArmadillo
page&lt;/a&gt;. Questions, comments etc should go to the &lt;a href="https://lists.r-forge.r-project.org/cgi-bin/mailman/listinfo/rcpp-devel"&gt;rcpp-devel
mailing list&lt;/a&gt; off the &lt;a href="https://r-forge.r-project.org/projects/rcpp/"&gt;Rcpp R-Forge&lt;/a&gt;
page.&lt;/p&gt;
&lt;p style="font-size: 80%; font-style: italic;"&gt;
This post by &lt;a href="https://dirk.eddelbuettel.com"&gt;Dirk
Eddelbuettel&lt;/a&gt; originated on his &lt;a href="https://dirk.eddelbuettel.com/blog/"&gt;Thinking inside the box&lt;/a&gt;
blog. If you like this or other open-source work I do, you can &lt;a href="https://github.com/sponsors/eddelbuettel"&gt;sponsor me at
GitHub&lt;/a&gt;. You can also sponsor my &lt;a href="https://dirk.eddelbuettel.com/blog/2026/04/03#sponsor_tour_de_shore_202"&gt;Tour
de Shore 2026 ride in support of the Maywood Fine Arts Center&lt;/a&gt;.
&lt;/p&gt;&lt;p&gt;&lt;/p&gt; </description> 
	<pubDate>Sun, 21 Jun 2026 14:18:00 +0000</pubDate>

</item> 
<item>
	<title>Vasudev Kamath: Releasing debvulns: CLI for listing Debian vulnerabilities</title>
	<guid>tag:copyninja.in,2026-06-21:/blog/debvulns-cli.html</guid>
	<link>https://copyninja.in/blog/debvulns-cli.html</link>
     <description>  &lt;img src="http://planet.debian.org/heads/vasudev.png" width="65" height="85" alt="" align="right" style="float: right;"&gt;  &lt;p&gt;Following up on my previous &lt;a class="reference external" href="https://copyninja.in/blog/debsecan-mcp-pypi.html"&gt;post&lt;/a&gt;, I have released the
&lt;cite&gt;debvulns&lt;/cite&gt; &lt;a class="reference external" href="https://pypi.org/project/debsecan-mcp/"&gt;CLI&lt;/a&gt;. This utility uses
the same parsing logic as the &lt;cite&gt;debsecan-mcp&lt;/cite&gt; server but exposes the
functionality directly via the command line.&lt;/p&gt;
&lt;div class="section" id="why-a-new-cli"&gt;
&lt;h2&gt;Why a new CLI?&lt;/h2&gt;
&lt;p&gt;While Debian's native &lt;cite&gt;debsecan&lt;/cite&gt; utility exists, it lacks modern output formats
like JSON and CSV, and fails to expose a significant amount of metadata
available in the Debian Security Team's daily snapshot.&lt;/p&gt;
&lt;p&gt;Additionally, running a persistent Model Context Protocol (MCP) server
introduces context window overhead. The manifests and tool descriptions required
by the protocol consume tokens even when idle. For &lt;cite&gt;debsecan-mcp&lt;/cite&gt;, the &lt;a class="reference external" href="https://modelcontextprotocol.io/docs/tools/inspector#pypi-package"&gt;MCP
Inspector utility&lt;/a&gt; shows an
overhead of roughly 150 tokens.&lt;/p&gt;
&lt;p&gt;By contrast, an LLM can parse a standard CLI help menu on-demand without
permanently draining the context window. Integrating the CLI into a persistent
agent workflow can be achieved via a skill file, allowing the LLM to leverage the
tool without repeated discovery overhead.&lt;/p&gt;
&lt;/div&gt;
&lt;div class="section" id="what-else-is-new"&gt;
&lt;h2&gt;What else is NEW?&lt;/h2&gt;
&lt;p&gt;During testing, I observed discrepancies between the output of &lt;cite&gt;debsecan-mcp&lt;/cite&gt;/&lt;cite&gt;debvulns&lt;/cite&gt;
and native &lt;cite&gt;debsecan&lt;/cite&gt;. Debugging with an LLM revealed a bug in the version
&lt;a class="reference external" href="https://github.com/copyninja/debsecan-mcp/commit/04e9990f2d7b2d85fe04f21c4f2e22fbc9aae365"&gt;comparison logic&lt;/a&gt;
that caused &lt;cite&gt;debvulns&lt;/cite&gt; to underreport vulnerabilities. This has been resolved.&lt;/p&gt;
&lt;p&gt;The current interface supports structured formatting and customizable data backends:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;usage:&lt;span class="w"&gt; &lt;/span&gt;debvulns&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;[&lt;/span&gt;-h&lt;span class="o"&gt;]&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;[&lt;/span&gt;-s&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;{&lt;/span&gt;critical,high,medium,low,negligible&lt;span class="o"&gt;}]&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;[&lt;/span&gt;-f&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;{&lt;/span&gt;json,csv&lt;span class="o"&gt;}]&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;[&lt;/span&gt;--sort-by&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;{&lt;/span&gt;package,cve&lt;span class="o"&gt;}]&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;[&lt;/span&gt;--vuln-url&lt;span class="w"&gt; &lt;/span&gt;VULN_URL&lt;span class="o"&gt;]&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;[&lt;/span&gt;--epss-url&lt;span class="w"&gt; &lt;/span&gt;EPSS_URL&lt;span class="o"&gt;]&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;[&lt;/span&gt;--suite&lt;span class="w"&gt; &lt;/span&gt;SUITE&lt;span class="o"&gt;]&lt;/span&gt;
&lt;span class="w"&gt;                &lt;/span&gt;&lt;span class="o"&gt;[&lt;/span&gt;--cache-dir&lt;span class="w"&gt; &lt;/span&gt;CACHE_DIR&lt;span class="o"&gt;]&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;[&lt;/span&gt;--no-cache&lt;span class="o"&gt;]&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;[&lt;/span&gt;-v&lt;span class="o"&gt;]&lt;/span&gt;

debvulns&lt;span class="w"&gt; &lt;/span&gt;-&lt;span class="w"&gt; &lt;/span&gt;CLI&lt;span class="w"&gt; &lt;/span&gt;Debian&lt;span class="w"&gt; &lt;/span&gt;Vulnerabilities&lt;span class="w"&gt; &lt;/span&gt;Tracker

options:
&lt;span class="w"&gt;    &lt;/span&gt;-h,&lt;span class="w"&gt; &lt;/span&gt;--help&lt;span class="w"&gt;            &lt;/span&gt;show&lt;span class="w"&gt; &lt;/span&gt;this&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nb"&gt;help&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;message&lt;span class="w"&gt; &lt;/span&gt;and&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nb"&gt;exit&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;-s,&lt;span class="w"&gt; &lt;/span&gt;--severity&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;{&lt;/span&gt;critical,high,medium,low,negligible&lt;span class="o"&gt;}&lt;/span&gt;
&lt;span class="w"&gt;                          &lt;/span&gt;Filter&lt;span class="w"&gt; &lt;/span&gt;vulnerabilities&lt;span class="w"&gt; &lt;/span&gt;by&lt;span class="w"&gt; &lt;/span&gt;severity
&lt;span class="w"&gt;    &lt;/span&gt;-f,&lt;span class="w"&gt; &lt;/span&gt;--format&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;{&lt;/span&gt;json,csv&lt;span class="o"&gt;}&lt;/span&gt;
&lt;span class="w"&gt;                          &lt;/span&gt;Output&lt;span class="w"&gt; &lt;/span&gt;format&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;(&lt;/span&gt;default:&lt;span class="w"&gt; &lt;/span&gt;json&lt;span class="o"&gt;)&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;-sort-by&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;{&lt;/span&gt;package,cve&lt;span class="o"&gt;}&lt;/span&gt;
&lt;span class="w"&gt;                          &lt;/span&gt;Sort&lt;span class="w"&gt; &lt;/span&gt;vulnerabilities&lt;span class="w"&gt; &lt;/span&gt;by&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s1"&gt;'package'&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;or&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s1"&gt;'cve'&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;--vuln-url&lt;span class="w"&gt; &lt;/span&gt;VULN_URL&lt;span class="w"&gt;   &lt;/span&gt;Custom&lt;span class="w"&gt; &lt;/span&gt;URL&lt;span class="w"&gt; &lt;/span&gt;or&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nb"&gt;local&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;path&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;for&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;Debian&lt;span class="w"&gt; &lt;/span&gt;Security&lt;span class="w"&gt; &lt;/span&gt;Tracker&lt;span class="w"&gt; &lt;/span&gt;data
&lt;span class="w"&gt;    &lt;/span&gt;--epss-url&lt;span class="w"&gt; &lt;/span&gt;EPSS_URL&lt;span class="w"&gt;   &lt;/span&gt;Custom&lt;span class="w"&gt; &lt;/span&gt;URL&lt;span class="w"&gt; &lt;/span&gt;or&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nb"&gt;local&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;path&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;for&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;EPSS&lt;span class="w"&gt; &lt;/span&gt;scores&lt;span class="w"&gt; &lt;/span&gt;data
&lt;span class="w"&gt;    &lt;/span&gt;--suite&lt;span class="w"&gt; &lt;/span&gt;SUITE&lt;span class="w"&gt;         &lt;/span&gt;Debian&lt;span class="w"&gt; &lt;/span&gt;suite&lt;span class="w"&gt; &lt;/span&gt;name&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;(&lt;/span&gt;e.g.&lt;span class="w"&gt; &lt;/span&gt;bookworm,&lt;span class="w"&gt; &lt;/span&gt;sid&lt;span class="o"&gt;)&lt;/span&gt;.&lt;span class="w"&gt; &lt;/span&gt;Auto-detected&lt;span class="w"&gt; &lt;/span&gt;by&lt;span class="w"&gt; &lt;/span&gt;default.
&lt;span class="w"&gt;    &lt;/span&gt;--cache-dir&lt;span class="w"&gt; &lt;/span&gt;CACHE_DIR
&lt;span class="w"&gt;                          &lt;/span&gt;Directory&lt;span class="w"&gt; &lt;/span&gt;to&lt;span class="w"&gt; &lt;/span&gt;cache&lt;span class="w"&gt; &lt;/span&gt;fetched&lt;span class="w"&gt; &lt;/span&gt;and&lt;span class="w"&gt; &lt;/span&gt;parsed&lt;span class="w"&gt; &lt;/span&gt;data&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;(&lt;/span&gt;default:&lt;span class="w"&gt; &lt;/span&gt;/var/cache/debvulns&lt;span class="o"&gt;)&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;--no-cache&lt;span class="w"&gt;            &lt;/span&gt;Do&lt;span class="w"&gt; &lt;/span&gt;not&lt;span class="w"&gt; &lt;/span&gt;use&lt;span class="w"&gt; &lt;/span&gt;cached&lt;span class="w"&gt; &lt;/span&gt;data,&lt;span class="w"&gt; &lt;/span&gt;force&lt;span class="w"&gt; &lt;/span&gt;downloading&lt;span class="w"&gt; &lt;/span&gt;and&lt;span class="w"&gt; &lt;/span&gt;parsing
&lt;span class="w"&gt;    &lt;/span&gt;-v,&lt;span class="w"&gt; &lt;/span&gt;--verbose&lt;span class="w"&gt;         &lt;/span&gt;Enable&lt;span class="w"&gt; &lt;/span&gt;verbose&lt;span class="w"&gt; &lt;/span&gt;debug&lt;span class="w"&gt; &lt;/span&gt;logging&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;(&lt;/span&gt;sent&lt;span class="w"&gt; &lt;/span&gt;to&lt;span class="w"&gt; &lt;/span&gt;stderr&lt;span class="o"&gt;)&lt;/span&gt;
&lt;/pre&gt;&lt;/div&gt;
&lt;p&gt;By allowing users to override data sources with local snapshots of the Debian
Security Tracker and EPSS feeds, &lt;cite&gt;debvulns&lt;/cite&gt; can run natively in airgapped
environments.&lt;/p&gt;
&lt;/div&gt;
&lt;div class="section" id="what-next"&gt;
&lt;h2&gt;What Next?&lt;/h2&gt;
&lt;p&gt;The next step is building a Prometheus exporter for this vulnerability data to
streamline scanning and monitoring across data center infrastructure. Stay tuned.&lt;/p&gt;
&lt;/div&gt; </description> 
	<pubDate>Sun, 21 Jun 2026 12:06:00 +0000</pubDate>

</item> 
<item>
	<title>Russell Coker: HP Z4 G4</title>
	<guid>https://etbe.coker.com.au/?p=6164</guid>
	<link>https://etbe.coker.com.au/2026/06/21/hp-z4-g4/</link>
     <description>  &lt;p&gt;In what is hopefully the conclusion of my &lt;a href="https://etbe.coker.com.au/2026/05/04/tower-servers-rebar/"&gt;hunt for a cheap tower server supporting REBAR [1]&lt;/a&gt; I have just bought a HP Z4 G4 with W-2125 CPU for $320.&lt;/p&gt;
&lt;h2&gt;Hardware&lt;/h2&gt;
&lt;p&gt;One interesting thing is that it has an adaptor from SATA power to 8 pin PCIe power. &lt;a href="https://en.wikipedia.org/wiki/PCI_Express#6-_and_8-pin_power_connectors"&gt;According to Wikipedia the 8 pin connector provides 150W at 12V [2]&lt;/a&gt;. &lt;a href="https://en.wikipedia.org/wiki/SATA#SATA_power_connectors"&gt;According to Wikipedia SATA power cables include 3 12V pins each of which can deliver 1.5A [3]&lt;/a&gt; which is 54W. The system as I received it had a single SATA power plug connected so potentially 150W could be drawn from a connector designed for 54W. The first thing I did was to connect a second SATA power connector on the same cable so I could have connectors designed for a total of 108W supplying potentially 150W (and definitely more than 75W).&lt;/p&gt;
&lt;p&gt;I found two versions of the specs for this system, &lt;a href="https://h20195.www2.hp.com/v2/getpdf.aspx/c05527757.pdf?ver=4"&gt;this version seems to match what I bought as it references W-21xx CPUs [4]&lt;/a&gt; while &lt;a href="https://h20195.www2.hp.com/v2/getpdf.aspx/c05527757.pdf"&gt;this version matches what I would rather have with a W-22xx CPU [5]&lt;/a&gt;. The URL naming scheme implies that there are potentially at least a few other variants out there. So much for the “buy name brand and you can buy two systems with the same model and have them work the same” benefit you hope to get. Why don’t they just name them “G4.1”, “G4.2”, etc?&lt;/p&gt;
&lt;p&gt;It seems that W-21xx and W-22xx CPUs are incompatible, so the &lt;a href="https://www.cpubenchmark.net/cpu.php?cpu=Intel+Xeon+W-2295+%40+3.00GHz&amp;amp;id=3701"&gt;W-2295 scoring 30,804 multithread and 2,634 single thread on passmark that I hoped to get isn’t an option [6]&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;The system is well designed for space efficiency, both it and the Z640 are 17cm wide but the Z4G4 allows my to close the lid with the Intel Battlemage card installed which doesn’t come close to fitting in a Z640. It has 8 DIMM sockets and with the ready availability of 32G DIMMS that allows 256G of RAM which is the maximum the motherboard supports. That compares well to the Z640 that only has 4 DIMM slots and the Z6G4 which only has 6.&lt;/p&gt;
&lt;p&gt;The system supports a maximum RAM speed of DDR4-2666 which is better than the DDR4-2400 of the Z640 but less than the DDR4-2933 of the Z6G4.&lt;/p&gt;
&lt;p&gt;The NVMe sockets on the motherboard are a convenient feature. Most systems I run need at most two NVMe devices so this saves a PCIe slot which is important when dealing with GPUs that take 2+ slots. Also for systems that don’t really need NVMe I can use some of the small NVMe devices that I have no other use for. 128G NVMe devices aren’t even worth selling and 256G will be of little use in the near future. So when I move to gen4 Z servers I can use up some of them without wasting slots.&lt;/p&gt;
&lt;p&gt;Using the lesser socket LGA2066 in the Z4G4 is a minor annoyance, but for a single socket system 18 cores is probably enough.&lt;/p&gt;
&lt;p&gt;The BIOS has an option for single-socket NUMA, which is basically locking cores in a single CPU to specific RAM channels. I enabled it but it did nothing presumably because I only have 2 DIMMs. When I get more DIMMs I’ll do some tests of that and compare it with NUMA on my Z840.&lt;/p&gt;
&lt;h2&gt;Variants&lt;/h2&gt;
&lt;p&gt;There are many different variants of the Z4G4 and the only way to recognise them is by the CPU not by any part number or serial number AFAIK. The first difference is between server grade CPUs (the W-2xxx CPUs) and desktop grade CPUs (the i7 and i9 CPUs). The systems with i7 and i9 CPUs don’t support ECC RAM which makes them less reliable, gives smaller limits for RAM&lt;/p&gt;
&lt;p&gt;The below table compares the Z640 which is my current desktop PC with the Z4G4, Z6G4, and Z8G4 systems. For the latter 3 I have included multiple options for the parts that differ in different models in the same name series. The Z4G4 I have is an early one which only supports W-21xx CPUs which means a maximum RAM speed of 2666 and the best possible CPU would only be 15% faster than my Z640. I can only use this for ML stuff as it’s the only system I have with REBAR support (which works well).&lt;/p&gt;
&lt;table&gt;
&lt;tbody&gt;&lt;tr&gt;
&lt;th&gt;&lt;/th&gt;
&lt;th&gt;Z640 (1 socket)&lt;/th&gt;
&lt;th&gt;Z4G4&lt;/th&gt;
&lt;th&gt;Z6G4 (1 socket)&lt;/th&gt;
&lt;th&gt;Z8G4&lt;/th&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;DIMM slots&lt;/td&gt;
&lt;td&gt;4&lt;/td&gt;
&lt;td&gt;8&lt;/td&gt;
&lt;td&gt;6&lt;/td&gt;
&lt;td&gt;24&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Max DDR4 speed&lt;/td&gt;
&lt;td&gt;2400&lt;/td&gt;
&lt;td&gt;2666/2933&lt;/td&gt;
&lt;td&gt;2666/2933&lt;/td&gt;
&lt;td&gt;2666/2933&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Max DIMM size&lt;/td&gt;
&lt;td&gt;32G&lt;/td&gt;
&lt;td&gt;64G&lt;/td&gt;
&lt;td&gt;64G&lt;/td&gt;
&lt;td&gt;64G/128G&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;System Max Ram&lt;/td&gt;
&lt;td&gt;128G&lt;/td&gt;
&lt;td&gt;512G&lt;/td&gt;
&lt;td&gt;192G/384G&lt;/td&gt;
&lt;td&gt;1.5T/3T&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;CPU Socket&lt;/td&gt;
&lt;td&gt;LGA2011-3&lt;/td&gt;
&lt;td&gt;LGA2066&lt;/td&gt;
&lt;td&gt;LGA3647&lt;/td&gt;
&lt;td&gt;LGA3647&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Best CPU&lt;/td&gt;
&lt;td&gt;E5-2699A v4&lt;/td&gt;
&lt;td&gt;W-2195/W-2295&lt;/td&gt;
&lt;td&gt;Platinum 8180/W-3275&lt;/td&gt;
&lt;td&gt;Platinum 8180/8280&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Motherboard NVMe&lt;/td&gt;
&lt;td&gt;0&lt;/td&gt;
&lt;td&gt;2&lt;/td&gt;
&lt;td&gt;2&lt;/td&gt;
&lt;td&gt;?&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;h2&gt;Conclusion&lt;/h2&gt;
&lt;p&gt;&lt;a href="https://etbe.coker.com.au/2025/08/02/server-cpu-sockets/"&gt;In my previous blog post I concluded that the next step up for me would be DDR5 systems [10]&lt;/a&gt;. But now some of the LGA3647 systems are appealing. The Z8G4 would be a decent upgrade from my current Z840 build server and should be affordable long before any two socket DDR5 system becomes affordable.&lt;/p&gt;
&lt;p&gt;The Z4G4 doesn’t have any potential for useful upgrades. But for me it was a good cheap way to house a GPU that had already damaged the motherboard of one good system. If the Z4G4 has a PCIe slot break the way my Z840 did then it wouldn’t bother me a lot. It was annoying to discover how limited this variant of the Z4G4 is after buying it, but at that price I can’t complain.&lt;/p&gt;
&lt;p&gt;A Z6G4 could be a nice workstation if I found one at a really low price. The only reason I’d seek one out is if I had a need for a desktop workstation with REBAR support, which seems unlikely.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;[1]&lt;a href="https://etbe.coker.com.au/2026/05/04/tower-servers-rebar/"&gt; https://etbe.coker.com.au/2026/05/04/tower-servers-rebar/&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;[2]&lt;a href="https://en.wikipedia.org/wiki/PCI_Express#6-_and_8-pin_power_connectors"&gt; https://en.wikipedia.org/wiki/PCI_Express#6-_and_8-pin_power_connectors&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;[3]&lt;a href="https://en.wikipedia.org/wiki/SATA#SATA_power_connectors"&gt; https://en.wikipedia.org/wiki/SATA#SATA_power_connectors&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;[4]&lt;a href="https://h20195.www2.hp.com/v2/getpdf.aspx/c05527757.pdf?ver=4"&gt; https://h20195.www2.hp.com/v2/getpdf.aspx/c05527757.pdf?ver=4&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;[5]&lt;a href="https://h20195.www2.hp.com/v2/getpdf.aspx/c05527757.pdf"&gt; https://h20195.www2.hp.com/v2/getpdf.aspx/c05527757.pdf&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;[6]&lt;a href="https://www.cpubenchmark.net/cpu.php?cpu=Intel+Xeon+W-2295+%40+3.00GHz&amp;amp;id=3701"&gt; https://tinyurl.com/2avfb8qe&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;[7]&lt;a href="https://www.cpubenchmark.net/cpu.php?cpu=Intel+Xeon+W-2125+%40+4.00GHz&amp;amp;id=3146"&gt; https://tinyurl.com/2ddf7t5y&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;[8]&lt;a href="https://www.cpubenchmark.net/cpu.php?cpu=Intel+Xeon+E5-2620+%40+2.00GHz&amp;amp;id=1214"&gt; https://tinyurl.com/kgmagfs&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;[9]&lt;a href="https://etbe.coker.com.au/2026/04/10/hp-z640-e5-2696-v4/"&gt; https://etbe.coker.com.au/2026/04/10/hp-z640-e5-2696-v4/&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;[10]&lt;a href="https://etbe.coker.com.au/2025/08/02/server-cpu-sockets/"&gt; https://etbe.coker.com.au/2025/08/02/server-cpu-sockets/&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;div class="yarpp yarpp-related yarpp-related-rss yarpp-template-list"&gt;

&lt;p&gt;Related posts:&lt;/p&gt;&lt;ol&gt;
&lt;li&gt;&lt;a href="https://etbe.coker.com.au/2026/05/04/tower-servers-rebar/" rel="bookmark" title="Tower Servers and Resizable BAR"&gt;Tower Servers and Resizable BAR&lt;/a&gt; &lt;small&gt;A feature on modern PCIe implementations is “Resizable BAR” AKA...&lt;/small&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://etbe.coker.com.au/2025/08/02/server-cpu-sockets/" rel="bookmark" title="Server CPU Sockets"&gt;Server CPU Sockets&lt;/a&gt; &lt;small&gt;I am always looking for ways of increasing the compute...&lt;/small&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://etbe.coker.com.au/2025/04/05/hp-ml110-gen9-z640/" rel="bookmark" title="More About the HP ML110 Gen9 and z640"&gt;More About the HP ML110 Gen9 and z640&lt;/a&gt; &lt;small&gt;In May 2021 I bought a ML110 Gen9 to use...&lt;/small&gt;&lt;/li&gt;
&lt;/ol&gt;
&lt;/div&gt; </description> 
	<pubDate>Sat, 20 Jun 2026 14:01:27 +0000</pubDate>

</item> 
<item>
	<title>Gunnar Wolf: systemd for Linux SysAdmins</title>
	<guid>https://gwolf.org/2026/06/systemd-for-linux-sysadmins.html</guid>
	<link>https://gwolf.org/2026/06/systemd-for-linux-sysadmins.html</link>
     <description>  &lt;img src="http://planet.debian.org/heads/gwolf.png" width="69" height="83" alt="" align="right" style="float: right;"&gt;  &lt;blockquote&gt;
		 
		   This post is an &lt;em&gt;unpublished&lt;/em&gt; review
		 
		     
		       
		         for &lt;em&gt;&lt;a href="https://link.springer.com/book/10.1007/979-8-8688-1328-3"&gt;systemd for Linux SysAdmins&lt;/a&gt;&lt;/em&gt;
		       
		     
		     
		   &lt;/blockquote&gt;
		 
		 &lt;p&gt;systemd. Yes, in full lowercase. If there is ever a technology to cause
controversy in the Linux world, this is it. Since its inception in 2010,
systemd’s goals were set quite high — replacing the vital part in every
Linux system that takes care of the system boot process. It quickly reached
maturity, allowing its to be adopted as the main init system in most major
distributions just five years later. But even given we are describing
events that happened over a decade ago, systemd adoption still raises the
temperature in any Linux-related discussion.&lt;/p&gt;

&lt;p&gt;David Both’s comprehensive book tackles the “what”, the “why” and the “how”
issues surrounding systemd. Carefully divided in 16 chapters, going from
explaining the basics and some of the technical and political history
behind the project to the different subsystems and aspects covered by
systemd, its almost 450 pages can scare people away — but the text is
written in a very clear, tutorial-like fashion, and while it can be read
sequentially, cover-to-cover, the book is amenable for readers to pick a
single aspect and jump straight to the relevant chapter.&lt;/p&gt;

&lt;p&gt;One of the frequent criticisms the systemd project has received is that it
aims to basically rewrite all of a Linux system, and just looking at this
book’s index shows there is some truth to it. The first chapter is an
introduction to the systemd project and a brief overview of its history
(including the controversies around it), and the following four chapters
deal about understanding and controlling the system boot process.&lt;/p&gt;

&lt;p&gt;But that still leaves ten chapters to account for — they cover different
aspects or sub-projects of systemd, such as time and date issues
(synchronization, time specifications, and controlling repetitive tasks),
understanding and leveraging the system journal that strongly departs from
the old syslog system, network configuration and firewall management,
system health and performance debugging — all of them, aspects that in the
traditional Unix philosophy were managed by independent programs… And I
can identify several systemd sub-projects not covered by this book!&lt;/p&gt;

&lt;p&gt;We long-time Unix and Linux administrators took pride in how highly
performant and stable systems were supported by the simplicity of our
tools; systemd critics point out this massive project has absorbed dozens
of individual tools, yielding corporate control over vast swaths of vital
system tooling. Truth is… as a sysadmin myself, systemd is today one of
my greatest allies.&lt;/p&gt;

&lt;p&gt;I appreciate the author evaluates every component independently, including
his personal evaluation of each — even stating he prefers working with the
traditional programs in several areas.&lt;/p&gt;

&lt;p&gt;If there is a criticism I must make about this book is that, although
typographically it is well formed and taken care of, given it includes
large amounts of console captures, having a maximum width below 70
characters means several lines are unnaturally cut short (and continued
with odd indentations). I understand there is probably no “right” way to
solve this, but it does affect the feeling of naturally reading the text.&lt;/p&gt; </description> 
	<pubDate>Sat, 20 Jun 2026 02:07:54 +0000</pubDate>

</item> 
<item>
	<title>Wouter Verhelst: Agentic coding and Free Software</title>
	<guid>https://grep.be/blog//en/computer/Agentic_coding_and_Free_Software/</guid>
	<link>https://grep.be/blog//en/computer/Agentic_coding_and_Free_Software/</link>
     <description>  &lt;img src="http://planet.debian.org/heads/wouter3.png" width="85" height="80" alt="" align="right" style="float: right;"&gt;  &lt;p&gt;Through work, I have paid license to &lt;a href="https://windsurf.com"&gt;windsurf&lt;/a&gt;
(recently renamed to "devin"), an application for LLM-based (aka,
"Agentic") development.&lt;/p&gt;

&lt;p&gt;I hadn't been using it that much, but in an effort to more clearly
understand how this whole AI development thing works, I decided to give
it a closer look recently.&lt;/p&gt;

&lt;p&gt;My conclusions:&lt;/p&gt;

&lt;p&gt;In its current form, this whole LLM wave is problematic for multiple
reasons. But ignoring that, and looking at the &lt;em&gt;technology&lt;/em&gt; only, I can
say that:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;it is a paradigm shift;&lt;/li&gt;
&lt;li&gt;it is, at the technological level, a positive evolution;&lt;/li&gt;
&lt;li&gt;and it is a threat to free software.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2 id="problems"&gt;Problems&lt;/h2&gt;

&lt;p&gt;Lest someone (incorrectly) assume that I am arguing in favour of the
current state of affairs with regards to LLMs, let me state this first.&lt;/p&gt;

&lt;p&gt;The way LLMs are built today is highly parasitic. Websites are
downloaded in whole, at unsustainable rates, regardless of the consent
of the people who made the original content. The result is predictable:
servers get overloaded, server administrators attempt to implement
various mitigations. Some of these mitigations work; some do, for a
while; some are entirely useless. In actual fact, the mitigations are an
arms race -- if too many people implement the same mitigation, then the
people who try to build yet another LLM so they can extract rent will
just try to work around the mitigation, eventually they will succeed,
and you'll just have to come up with another mitigation. It's a bit like
spam; you introduce regex-based spam filters, they introduce spelling
mistakes, you introduce bayesian filters, they add a large batch of
markov chain-generated semi-nonsense words made invisible by markup, you
add filters to block emails with such markup, they move the text into an
image. We have working mitigations today, but eventually we'll run out
of ideas.&lt;/p&gt;

&lt;p&gt;LLMs glob up everything they can while ignoring the license of the
source material. The people who push those LLMs claim that pushing the
source material through the machine learning algorithms makes the output
of the algorithm distinct enough from the source material that the
license no longer applies; I'm not so sure that this is true. I guess
the &lt;a href="https://www.courtlistener.com/docket/68117049/the-new-york-times-company-v-microsoft-corporation/"&gt;New York Times v OpenAI
lawsuit&lt;/a&gt;
will teach us &lt;em&gt;some&lt;/em&gt; of the answer to that question here, but even so
the ethical questions about "is it OK to bring down another server just
so we can download the internet for another for-pay LLM" are still
open. And regardless of what the law states, my opinion on "you're using
my copyleft code to generate code under a different license" is not
something you might like if you agree with the rent seekers' opinion on
the subject.&lt;/p&gt;

&lt;p&gt;That all being said and true, the &lt;em&gt;technology&lt;/em&gt; works. You can have a
"conversation" with an LLM that resembles a human one. If you pass it
some data, you can use &lt;em&gt;plain english&lt;/em&gt; to ask it questions about that
data, which is a lot easier than to ask it about that in a formal way.
You can request it to generate some code, and it will generate something
that looks like what you need and that will be mostly correct for like
95% of the time.&lt;/p&gt;

&lt;p&gt;Now, yes, 95% of the time is not 100% of the time, and no, you can't ask
it to "write me a piece of software that implements this 300-page
requirements document and get back to me when you're done", because it
will fail, and you won't know &lt;em&gt;where&lt;/em&gt; it has failed, and you'll take it
into production and expect everything to be fine because it won't and
this one minor logic bug will cause half your servers to spin and
consume credits with your infrastructure provider with nothing to show
for it.&lt;/p&gt;

&lt;p&gt;But that doesn't mean you can't use an LLM to build a large piece of
software. It just means you have to understand the LLMs limitations and
strenghts, and use them correctly.&lt;/p&gt;

&lt;p&gt;Here's what an LLM is good at:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Generating plausible text&lt;/li&gt;
&lt;li&gt;Interpreting text to figure out what a plausible meaning or summary of
that text is&lt;/li&gt;
&lt;li&gt;Giving vague indications as to what the probable context of a given
body of text is.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;It turns out that that's enough to use the LLM to build a reliable piece
of software, provided you do it right.&lt;/p&gt;

&lt;h2 id="paradigmshift"&gt;Paradigm shift&lt;/h2&gt;

&lt;p&gt;An LLM can generate text by the truckful. The generated text could be
code. Given a good enough LLM, the generated text might even run and do
something useful.&lt;/p&gt;

&lt;p&gt;You can try to blindly run the code, and if it doesn't run correctly,
you can paste the error message to the LLM, and it can tell you what
went wrong and how you could possibly fix it. This creates a feedback
loop: you ask it for an amount of code, you run the code, you receive an
error, you tell it that the code is problematic and give it the error
message, it makes changes to the code, now you have something that at
least no longer fails at startup.&lt;/p&gt;

&lt;p&gt;If you ask it to add tests to make sure that your code acts as per your
specification, now you get an error if and when the code &lt;em&gt;doesn't&lt;/em&gt; act
as per your specification. Or, well, at least not as per the part of the
specification that was correctly turned into a unit test by the LLM.&lt;/p&gt;

&lt;p&gt;LLMs have a context window, so if the error message is pasted in the
same conversation as where the code was generated, it is able to reuse
the earlier prompts to refine how it should interpret the error message
that you received.&lt;/p&gt;

&lt;p&gt;You can't really paste the source code of an entire application into the
prompt of your LLM, that would quickly overrun its context window. But
LLMs also allow you to provide some form of background information --
a document, say -- on which you ask it to reason. It will interpret that
document, but doing so uses less of the LLMs context window. So
providing the LLM with your application's source code as background
information can help it understand better how your code interacts. This
is especially helpful if you only provide the LLM the background
information relevant to the actual question.&lt;/p&gt;

&lt;p&gt;So now if you are able to:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Create background context with your application's source code&lt;/li&gt;
&lt;li&gt;Have the LLM generate a first draft of your requested change, plus the
tests to make sure it works&lt;/li&gt;
&lt;li&gt;Compile (if applicable) the generated code (and tests) and run said
tests&lt;/li&gt;
&lt;li&gt;Return any error messages to the LLM with a request to correct the
error&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Then the combination of "getting it 95% right off the bat" and the above
feedback loop means you can generate syntactically correct code, that
probably does what you need, in minutes.&lt;/p&gt;

&lt;p&gt;I say "probably" for a reason. There are going to be cases where you
specify a request without a number of details (because they are
implied), and the LLM will get most of those details right but just not
implement the one bit because it's an automaton and it doesn't think. Or
you will ask it to make sure that two bits of the application &lt;em&gt;look&lt;/em&gt;
exactly the same, without specifying that they must &lt;em&gt;act&lt;/em&gt; the same, now
and in the future, and it will just generate the same block of code
twice and then in a future change it will change one but not the other.&lt;/p&gt;

&lt;p&gt;But if you &lt;em&gt;review&lt;/em&gt; the changes, and you have experience as a
programmer, you will be able to spot most cases where the LLM got it
wrong. And so it's possible, if not necessarily easy at first, to
use an LLM to generate mostly correct code.&lt;/p&gt;

&lt;p&gt;There are certain places where "mostly correct" code is not desireable.
But equally, there are also cases where, "mostly correct" is good
enough.&lt;/p&gt;

&lt;p&gt;After all, most of the software you run today -- the bits of it that
weren't, yet, generated by an LLM -- is only "mostly correct", too,
because to err is human and we all make mistakes. If not, there wouldn't
be any CVEs and your software would never do anything wrong.&lt;/p&gt;

&lt;p&gt;Now, doing the feedback loop described above is certainly something you
could do manually. You could open an account on one of the LLM websites,
upload the source code of your application, ask it to generate some new
feature, download the newly generated feature, run it, and then
copy/paste any error messages back into the LLM.&lt;/p&gt;

&lt;p&gt;But that's a lot of manual work of the type that computers are pretty
good at. So that's what the "windsurf" tool helps you with: you run it
inside your IDE -- either a VSCode-based tool that you download from
their website which comes with their product preinstalled, or a separate
JetBrains plugin that you can install. You can then open your entire
relevant codebase in a workspace in your IDE. You then ask the LLM,
through the IDE, to generate a new feature in your codebase, and to also
generate the test while it's at it. It will use a mixture of LLM
interpretation and non-LLM functionality to scoop out the relevant bits
of your codebase to send to the LLM as background information, will send
it your prompt, will download the generated code and patch or create
files, will compile (if required) and run the newly generated code and
tests, and will refine the generated code if the tests produce any
errors. All mostly automatic; by default, running &lt;em&gt;anything&lt;/em&gt; requires
explicit confirmation. You can turn that off completely (probably not a
good idea), or you can give it a whitelist of things that you don't want
to confirm (perhaps OK), and the tool also passes standing instructions
to the LLM to never generate any command that deletes a file (which,
like with any LLM, can be overridden, but it requires you to be very
stubborn and to use more credits than you'd probably like).&lt;/p&gt;

&lt;p&gt;All this put together means you can build something without writing any
piece of code, provided you do it right.&lt;/p&gt;

&lt;h2 id="atechnicallypositiveevolution"&gt;A technically positive evolution&lt;/h2&gt;

&lt;p&gt;Don't go and say, "here's a 300-page document, read it and write
whatever the document says". It will get it wrong, it will write a
massive test suite that it will only run at the end, it will choke
itself up trying to interpret the massive amount of failures it
encounters, it will fill up its context window and it will start to
forget some of the requirements. That won't work.&lt;/p&gt;

&lt;p&gt;But what you can do -- what I did, in fact -- is this.&lt;/p&gt;

&lt;p&gt;First, create an empty workspace. Don't put any code in it.&lt;/p&gt;

&lt;p&gt;Then, tell the LLM to generate a backend framework using technology X
and a frontend framework using technology Y that initially only says
"hello, world". Also add tests to it, and run the tests.&lt;/p&gt;

&lt;p&gt;It will do that. You'll not get much, but it will work.&lt;/p&gt;

&lt;p&gt;Then, ask it to add some UI elements. A login page, perhaps. A
navigation bar. Small things. Most of it doesn't have to be functional
-- but tests must be there for the bits that are, and have it run the
tests and evaluate the results.&lt;/p&gt;

&lt;p&gt;Rinse, repeat, until you have a working application.&lt;/p&gt;

&lt;p&gt;Importantly, in between the steps, you should also run the application
yourself and see if the change was implemented correctly. Sometimes it
won't be. Sometimes there will be a subtle bug -- I at one point had a
the application hang after a few minutes. Sometimes you tell it that
there's a subtle bug, and it will discover it more quickly than you
could, and it will fix it, and in implementing the fix it will uncover
&lt;em&gt;another&lt;/em&gt; bug, and then you have to fix that one -- the fix it came up
with for the hang was to move something to an async process on the
server, which caused the application to start spinning while trying to
create hundreds of async jobs (this is when I realized that the hang was
a deadlock due to some part of the codebase doing something that
indirectly triggered itself). Sometimes it will try to fix the bug you
tell it about, and you'll see that it's going off on a tangent that has
nothing to do with what you're seeing. It's important to keep an eye on
what it's doing, so you can guide it back on track when that happens --
when I told it about the hang, it started investigating the part of the
code which sends out emails, thinking that it could hang while waiting
for &lt;code&gt;sendmail&lt;/code&gt; to finish, but the hang was happening when the
application was &lt;em&gt;idle&lt;/em&gt;, not when it was sending out emails, and only
when I told it about it happening when it was idle did it find the
deadlock.&lt;/p&gt;

&lt;p&gt;So it's not a fully automatic process, and it needs to be guided by
someone who knows what they're doing. But if that is the case, you can
come up with something that works. I spent evenings and breaks for about
a week, and I managed to create a working application which, had I
written it by hand, would have taken me a few months of full-time work
to come up with. And I now have a side project, fully complete and
working, that I had been thinking about doing for &lt;em&gt;more than a decade&lt;/em&gt;,
but never got around to &lt;em&gt;actually&lt;/em&gt; doing, because of all the work that
would be involved and I just didn't see myself having the time for.&lt;/p&gt;

&lt;p&gt;It's not perfect code. But it's mostly good enough, and it will perform
the job it needs to. And it looks far slicker than most of the side
projects I've done in the past, because in the past I would prioritize
between implementing new features or making something look slick, and I
would decide that the new feature was more important because it's only
for me and there's only me and nobody cares if it looks good or not and
I don't have three weeks to come up with something that looks better.
But here, I found myself sometimes spending 10 minutes writing a prompt
with instructions on making things look better. Because what's 10
minutes when you just spent an hour writing down and refining
specifications for functionality and tests?&lt;/p&gt;

&lt;p&gt;There are a number of other things in which an LLM can help a
programmer.&lt;/p&gt;

&lt;p&gt;For instance.&lt;/p&gt;

&lt;p&gt;I received a bug report recently in &lt;a href="https://github.com/Fedict/eid-mw"&gt;a project I'm paid to
maintain&lt;/a&gt; that I couldn't make heads
or tails of. I opened the source code in my windsurf IDE, pasted the bug
report in the prompt, and then requested the tool to analyze the source
code and the associated logs and tell me how the described behavior
could be happening. It turned out that I had overlooked something, but
with the help of the tool, I found the bug in minutes.&lt;/p&gt;

&lt;p&gt;I was trying to understand a particular part of a &lt;a href="https://www.kernel.org"&gt;large
codebase&lt;/a&gt; that I didn't really grasp very well.
I loaded the codebase in the tool, and asked it to explain to me how a
particular action is performed by the code. I requested specific
functions and line numbers. I now have a far better understanding of how
the code works, and will be able to write that patch that I've been
wanting to write for years -- without using the LLM.&lt;/p&gt;

&lt;p&gt;I have been struggling for, literally, years with understanding why
&lt;a href="https://salsa.debian.org/debconf-video-team/SReview"&gt;another tool that I
maintain&lt;/a&gt; was
misbehaving in a particular way but only in Firefox. I opened the
codebase in Firefox, explained the buggy behavior in plain English, and
asked it to explain how this could be happening. It picked up some
obscure corner case behavior of ffmpeg and mp4 containers that I was not
aware of and that perfectly explained why things were misbehaving in the
way that they were.&lt;/p&gt;

&lt;p&gt;At the same time, there are limitations. Giving an LLM a codebase that
was originally generated by an LLM (either the same one or another one)
seems to work well. Giving it a codebase that was written by a human and
expecting it to correctly update it seems to be more error-prone. I did
one or two of those as a trial, and it is more problematic than
anything.&lt;/p&gt;

&lt;p&gt;An LLM is also not intelligent, notwithstanding the popular term of
"Artificial Intelligence". On multiple occasions, I've asked it to write
a test case for some code that was not set up to do so; and rather than
suggesting a refactor is required, it would instead &lt;em&gt;copy&lt;/em&gt; the code that
needed to be tested and then test the copy, rather than the original.
The tool has made multiple similar errors. I have sometimes people
describe agentic coding as "similar to interacting with junior
programmers", but that is not the case. A junior programmer will either
fill in the gaps in your specifications, or ask for clarification when
something seems off. The LLM will not do that; it will do what you ask,
exactly that and nothing more. If you missed a corner case in your
specification, then all bets are off.&lt;/p&gt;

&lt;p&gt;I remember learning about programming language generations in college.
A first-generation language is "machine code", a second-generation
language is "assembler", a third-generation language is any high-level
language such as C, Perl, or Pascal. I've forgotten what set a
3rd-generation language apart from a 4th-generation language. But I
remember the definition they gave me for a 5th-generation language: "you
tell the computer what to do, and it will do it". At the time, I thought
it was ridiculous. Nobody could ever write something like that.&lt;/p&gt;

&lt;p&gt;But it's here.&lt;/p&gt;

&lt;p&gt;And it's a threat to free software.&lt;/p&gt;

&lt;h2 id="athreattofreesoftware"&gt;A threat to free software?&lt;/h2&gt;

&lt;p&gt;Yes.&lt;/p&gt;

&lt;p&gt;There is the obvious part where most of the well-known LLMs are non-free
software. I mean, &lt;a href="https://www.geeksforgeeks.org/artificial-intelligence/top-10-open-source-llm-models/"&gt;there
are&lt;/a&gt;
some "open source" LLM models. The windsurf tool that I used doesn't allow
you to use them (directly), but they're there. There are also &lt;a href="https://opencode.ai/"&gt;open
source applications&lt;/a&gt; that implement what the
windsurf editor does. So it's definitely possible to work like this
without resorting to non-free software and non-free services, even
though the non-free LLMs might be a bit ahead of the curve of the free
ones. But that's not what I mean.&lt;/p&gt;

&lt;p&gt;And there is also the obvious thing which I mentioned earlier in this
post, which is that the people who try to build LLMs are doing it in
unethical, disgusting ways, causing downtimes and disregarding licenses
for whatever they can get their grubby hands on. Ideally we wouldn't be
in that situation, and ideally this wouldn't be a problem, but we are
where we are.&lt;/p&gt;

&lt;p&gt;And there's the obvious thing where the OSI sold itself out and declared
that a machine learning program can be open source even when the very
things it was built from -- the training data -- is not available.
That's a major issue that the free software community needs to fight
against, but there's not really anything that that is a threat to free
software. You just build your own, free software, LLM, and you're done.&lt;/p&gt;

&lt;p&gt;The actual threat is in funding and developer support.&lt;/p&gt;

&lt;p&gt;Most large businesses do not care about free-as-in-freedom software.
They like the free-as-in-beer part, and they appreciate that the
free-as-in-freedom bits can make the software more customizable. They
are (mostly) happy to do sponsorships of the free-as-in-freedom projects
that they use if that means their free-as-in-beer usage of the software
gets improved.&lt;/p&gt;

&lt;p&gt;But why would you care about all that when you can just &lt;em&gt;generate&lt;/em&gt; the
code you need, rather than interacting with an open source community
that may or may not care about your business's interests?&lt;/p&gt;

&lt;h2 id="wheretogofromhere"&gt;Where to go from here&lt;/h2&gt;

&lt;p&gt;Although I think the moral and environmental issues with LLMs are real
and problematic, given the experiments I did I am not convinced that the
&lt;em&gt;concept&lt;/em&gt;  of interacting with a computer system in natural language and
to use it to generate code is necessarily deficient. There are pitfalls,
but they can be managed. It is possible to use such a system to create
throwaway, proof-of-concept type "good enough" code bases. It can be
used to interpret code bases and to understand bug reports.&lt;/p&gt;

&lt;p&gt;I believe that the major issue with LLMs has to do with that saying
about hammers and nails:&lt;/p&gt;

&lt;blockquote&gt;
  &lt;p&gt;If all you have is a hammer, then everything looks like a nail.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;LLMs are an outgrowth of machine learning, pushed by large corporations.
These large corporations have a lot of money. If all you have is money,
then every problem can be fixed by throwing more money at it. The
initial language models were promising but not (yet) good enough, and it
seemed that one way in which they could be improved was to increase the
scale of the statistics: throw more hardware (and thus money) at it, and
rather than improving the efficiency of the models, just scale up.&lt;/p&gt;

&lt;p&gt;Scaling up is something that megacorporations are very good at. It's
only a money problem, after all. Does that mean that "scaling up"
is the only way to improve the models, though? I'm not convinced.&lt;/p&gt;

&lt;p&gt;Some hardware, such as most modern Apple and Samsung devices, ship with
accelerator hardware for machine learning algorithms. There are some
models that are small enough to be able to run on these devices. I don't
see why it should not be possible to create a small(er) language model
that can do some useful part of the above-described use cases; if not
locally, then at least on a server that one can run on-prem rather than
requiring that you pay rent to one of the LLM companies.&lt;/p&gt;

&lt;p&gt;The &lt;a href="https://sfconservancy.org"&gt;Software Freedom Conservancy&lt;/a&gt; has
published an &lt;a href="https://sfconservancy.org/news/2024/oct/25/aspirational-on-llm-generative-ai-programming/"&gt;aspirational statement on machine learning-assisted
programming&lt;/a&gt;
that, I think, gets a lot right. It's not quite a definition, but it's
something to keep in mind.&lt;/p&gt;

&lt;p&gt;Perhaps that's the way forward?&lt;/p&gt;

&lt;p&gt;More questions than answers at this point, anyway.&lt;/p&gt; </description> 
	<pubDate>Fri, 19 Jun 2026 12:09:21 +0000</pubDate>

</item> 
<item>
	<title>Junichi Uekawa: looking for last.</title>
	<guid>http://www.netfort.gr.jp/~dancer/diary/daily/2026-Jun-19.html.en#2026-Jun-19-14:30:53</guid>
	<link>http://www.netfort.gr.jp/~dancer/diary/daily/2026-Jun-19.html.en#2026-Jun-19-14:30:53</link>
     <description>  &lt;img src="http://planet.debian.org/heads/dancer.png" width="75" height="97" alt="" align="right" style="float: right;"&gt;  looking for last. I realized it's gone. what's my replacement?
        &lt;p&gt;&lt;/p&gt; </description> 
	<pubDate>Fri, 19 Jun 2026 05:30:53 +0000</pubDate>

</item> 
<item>
	<title>Freexian Collaborators: Monthly report about Debian Long Term Support, May 2026 (by Santiago Ruano Rincón)</title>
	<guid>https://www.freexian.com/blog/debian-lts-report-2026-05/</guid>
	<link>https://www.freexian.com/blog/debian-lts-report-2026-05/</link>
     <description>  &lt;img src="http://planet.debian.org/heads/freexian.png" width="215" height="101" alt="" align="right" style="float: right;"&gt;  &lt;img src="https://www.freexian.com/images/debian-lts-logo.png" style="float: right;" /&gt;
&lt;p&gt;The Debian LTS Team, funded by &lt;a href="https://www.freexian.com/lts/debian/"&gt;Freexian’s Debian LTS offering&lt;/a&gt;, is
pleased to report its activities for May.&lt;/p&gt;
&lt;h3 id="activity-summary"&gt;Activity summary&lt;/h3&gt;
&lt;p&gt;During the month of May, 21 contributors have been
paid to work on &lt;a href="https://wiki.debian.org/LTS"&gt;Debian LTS&lt;/a&gt; (links to individual
contributor reports are located below).&lt;/p&gt;
&lt;p&gt;The team released &lt;a href="https://lists.debian.org/debian-lts-announce/2026/05/threads.html"&gt;56 DLAs&lt;/a&gt; fixing 877 CVEs.&lt;/p&gt;
&lt;p&gt;May was a much busier month than usual, especially due to the disclosed
vulnerabilities on linux regarding Local Privilege Escalation (LPE), that
included public proof-of-concept (PoC) exploits. These reports of course
impacted Debian as a whole, and the situation warrants a special mention to the
Kernel Team, especially Ben Hutching and Salvatore Bonaccorso, who faced the
pace and released linux packages on a weekly basis. On the LTS side, the Front
Desk team also
&lt;a href="https://lists.debian.org/debian-lts/2026/06/msg00002.html"&gt;triaged a significant flow of high severity CVEs&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;It is also important to note that
&lt;a href="https://www.debian.org/releases/bookworm/"&gt;Debian 12 (“bookworm”)&lt;/a&gt; will be
handed over to
the LTS Team on June 11th. If you benefit from Debian, especially during the
full 5-year lifecycle, please consider subscribing as a sponsor of Debian LTS:
&lt;a href="https://www.freexian.com/lts/debian/"&gt;https://www.freexian.com/lts/debian/&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;Moreover, Debian 11 (“bullseye”) will reach the end of the Debian LTS period on
August 31st. After that, Freexian will continue the security support under the
&lt;a href="https://www.freexian.com/lts/extended/"&gt;Extended LTS&lt;/a&gt; offer.&lt;/p&gt;
&lt;p&gt;The team published several notable updates:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;As mentioned above, several exploitable LPE vulnerabilities in linux were published during May. Ben released the following DLAs for the Debian LTS versions:
&lt;ul&gt;
&lt;li&gt;&lt;a href="https://lists.debian.org/afW4eRFSiyEj0t5p@decadent.org.uk"&gt;DLA 4560-1&lt;/a&gt; for linux (5.10)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://lists.debian.org/afW4k69tKf_WlndL@decadent.org.uk"&gt;DLA 4561-1&lt;/a&gt; for linux-6.1&lt;/li&gt;
&lt;li&gt;&lt;a href="https://lists.debian.org/af4wE6d14Ow7_e1z@decadent.org.uk"&gt;DLA 4572-1&lt;/a&gt; for linux (5.10)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://lists.debian.org/af9UZejc2VrICvbM@decadent.org.uk"&gt;DLA 4574-1&lt;/a&gt; for linux-6.1&lt;/li&gt;
&lt;li&gt;&lt;a href="https://lists.debian.org/aghQTI2_ePQTfgRl@decadent.org.uk"&gt;DLA 4587-1&lt;/a&gt; for linux (5.10)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://lists.debian.org/agxj_abMk4ZO7rTj@decadent.org.uk"&gt;DLA 4588-1&lt;/a&gt; for linux-6.1&lt;/li&gt;
&lt;li&gt;&lt;a href="https://lists.debian.org/ahnAg039hP_NAYQZ@decadent.org.uk"&gt;DLA 4606-1&lt;/a&gt; for linux (5.10)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://lists.debian.org/ahnBQfl3R3-CGOJ0@decadent.org.uk"&gt;DLA 4607-1&lt;/a&gt; for linux-6.1&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;exim update
(&lt;a href="https://security-tracker.debian.org/tracker/DLA-4580-1"&gt;DLA-4580-1&lt;/a&gt;),
prepared by Thorsten, to address a vulnerability that may result in remote code
execution.&lt;/li&gt;
&lt;li&gt;gnutls28 update
(&lt;a href="https://security-tracker.debian.org/tracker/DLA-4595-1"&gt;DLA-4595-1&lt;/a&gt;) by
Guilhem Moulin, fixes several vulnerabilities that may result in execution of
arbitrary code, information leak, authentication bypass, among other impacts.&lt;/li&gt;
&lt;li&gt;krb5 updates released as
&lt;a href="https://security-tracker.debian.org/tracker/DLA-4603-1"&gt;DLA-4603-1&lt;/a&gt;, fixing
two vulnerabilities that may yield to a denial of service. Updated prepared by
Emmanuel Arias&lt;/li&gt;
&lt;li&gt;lemonldap-ng
(&lt;a href="https://security-tracker.debian.org/tracker/DLA-4602-1"&gt;DLA-4602-1&lt;/a&gt;),
released by Abhijith PA, fixing multiple vulnerabilities&lt;/li&gt;
&lt;li&gt;Two imagemagick updates
(&lt;a href="https://security-tracker.debian.org/tracker/DLA-4559-1"&gt;DLA-4559-1&lt;/a&gt; and
&lt;a href="https://security-tracker.debian.org/tracker/DLA-4609-1"&gt;DLA-4609-1&lt;/a&gt;), prepared
by Bastien Roucariès, fixing several vulnerabilities&lt;/li&gt;
&lt;li&gt;openjdk-11 and openjdk-17 updates
(&lt;a href="https://security-tracker.debian.org/tracker/DLA-4566-1"&gt;DLA-4566-1&lt;/a&gt; and
&lt;a href="https://security-tracker.debian.org/tracker/DLA-4565-1"&gt;DLA-4565-1&lt;/a&gt;), both
prepared by Emilio, to fix seven vulnerabilities.&lt;/li&gt;
&lt;li&gt;php7.4 update
(&lt;a href="https://security-tracker.debian.org/tracker/DLA-4586-1"&gt;DLA-4586-1&lt;/a&gt;) to fix
six vulnerabilities that could result in remote code execution, information
disclosure or denial of service. Update prepared by Guilhem Moulin.&lt;/li&gt;
&lt;li&gt;python3.9 update (&lt;a href="https://security-tracker.debian.org/tracker/DLA-4583-1"&gt;DLA-4583-1&lt;/a&gt;), prepared
by Arnaud Rebillout, addressing multiple vulnerabilities.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Contributions from outside the LTS Team:&lt;/p&gt;
&lt;p&gt;We are greatly thankful for the contributions from people outside the LTS Team:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Colin Watson prepared an OpenSSH update, that was released by Santiago as
&lt;a href="https://security-tracker.debian.org/tracker/DLA-4584-1"&gt;DLA-4584-1&lt;/a&gt;.&lt;/li&gt;
&lt;li&gt;Thomas Goirand handled a keystone update, whose advisory was done by Santiago
and released as
&lt;a href="https://security-tracker.debian.org/tracker/DLA-4611-1"&gt;DLA-4611-1&lt;/a&gt;.&lt;/li&gt;
&lt;li&gt;Christopher Obbard kindly prepared a sentry-python update, released as
&lt;a href="https://security-tracker.debian.org/tracker/DLA-4612-1"&gt;DLA-4612-1&lt;/a&gt;.&lt;/li&gt;
&lt;li&gt;Christoph Goehre made two thunderbird updates
(&lt;a href="https://security-tracker.debian.org/tracker/DLA-4562-1"&gt;DLA-4562-1&lt;/a&gt; and
&lt;a href="https://security-tracker.debian.org/tracker/DLA-4582-1"&gt;DLA-4582-1&lt;/a&gt;). As is
customary, Emilio released the advisories.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The LTS Team has also contributed with updates to the latest Debian releases:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Andreas proposed a &lt;a href="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1137166"&gt;firewalld update&lt;/a&gt;
for bookworm to fix a local issue that may result in bypass control rules.&lt;/li&gt;
&lt;li&gt;Andreas proposed &lt;a href="https://lists.debian.org/debian-mate/2026/05/msg00007.html"&gt;atril updates&lt;/a&gt;
for trixie and bookworm.&lt;/li&gt;
&lt;li&gt;Arnaud did a &lt;a href="https://bugs.debian.org/1136382"&gt;python3.11 upload&lt;/a&gt; for bookworm.&lt;/li&gt;
&lt;li&gt;Arnaud proposed libarchive updates for &lt;a href="https://bugs.debian.org/1135713"&gt;trixie&lt;/a&gt;
and &lt;a href="https://bugs.debian.org/1135715"&gt;bookworm&lt;/a&gt;.&lt;/li&gt;
&lt;li&gt;Arnaud completed the
&lt;a href="https://tracker.debian.org/news/1748276/accepted-systemd-25239-1deb12u2-source-into-oldstable-proposed-updates/"&gt;systemd update&lt;/a&gt;
for bookworm.&lt;/li&gt;
&lt;li&gt;Bastien completed the uploads of
&lt;a href="https://tracker.debian.org/news/1747981/accepted-gpsd-322-41deb12u1-source-into-oldstable-proposed-updates/"&gt;gpsd&lt;/a&gt; for bookworm.
He also did an upload of
&lt;a href="https://tracker.debian.org/news/1747976/accepted-apache2-2466-1deb12u2-source-into-oldstable-proposed-updates/"&gt;apache2&lt;/a&gt; for bookworm.&lt;/li&gt;
&lt;li&gt;Emmanuel uploaded updates of libexif for
&lt;a href="https://tracker.debian.org/news/1750516/accepted-libexif-0625-1deb13u1-source-into-proposed-updates/"&gt;trixie&lt;/a&gt;
and
&lt;a href="https://tracker.debian.org/news/1750521/accepted-libexif-0624-1deb12u1-source-into-oldstable-proposed-updates/"&gt;bookworm&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Jochen Sprickerhof prepared pyjwt update for
&lt;a href="https://tracker.debian.org/news/1750541/accepted-pyjwt-2101-2deb13u1-source-into-stable-security/"&gt;trixie&lt;/a&gt; and
&lt;a href="https://tracker.debian.org/news/1750540/accepted-pyjwt-260-1deb12u1-source-into-oldstable-security/"&gt;bookworm&lt;/a&gt;,
released as
&lt;a href="https://security-tracker.debian.org/tracker/DSA-6259-1"&gt;DSA-6259-1&lt;/a&gt;.&lt;/li&gt;
&lt;li&gt;Lukas Märdian prepared
&lt;a href="https://tracker.debian.org/news/1752293/accepted-nghttp2-1640-11deb13u1-source-into-stable-security/"&gt;trixie&lt;/a&gt;
and
&lt;a href="https://tracker.debian.org/news/1752294/accepted-nghttp2-1520-1deb12u3-source-into-oldstable-security/"&gt;bookworm&lt;/a&gt;
updates for nghttp2, released as
&lt;a href="https://security-tracker.debian.org/tracker/DSA-6266-1"&gt;DSA-6266-1&lt;/a&gt;.&lt;/li&gt;
&lt;li&gt;Markus prepared updates of tomcat11 and tomcat10, released as
&lt;a href="https://security-tracker.debian.org/tracker/DSA-6329-1"&gt;DSA-6329-1&lt;/a&gt; (for trixie) and
&lt;a href="https://security-tracker.debian.org/tracker/DSA-6328-1"&gt;DSA-6328-1&lt;/a&gt; (for trixie and bookworm),
respectively.&lt;/li&gt;
&lt;li&gt;Continuing the work
&lt;a href="https://lists.debian.org/debian-lts/2026/06/msg00002.html"&gt;to replace the unmaintained p7zip fork with 7zip&lt;/a&gt;,
Sylvain prepared
&lt;a href="https://tracker.debian.org/news/1748309/accepted-7zip-2501dfsg-1deb13u2-source-into-proposed-updates/"&gt;trixie&lt;/a&gt;
and
&lt;a href="https://tracker.debian.org/news/1748244/accepted-7zip-2201really2501dfsg-0deb12u1-source-into-oldstable-proposed-updates/"&gt;bookworm&lt;/a&gt; updates of 7zip.&lt;/li&gt;
&lt;li&gt;Thorsten completed the uploads of zvbi, taglib and libuev to bookworm and did
an upload of libcoap3 for
&lt;a href="https://tracker.debian.org/news/1748400/accepted-libcoap3-434-11deb13u3-source-into-proposed-updates/"&gt;wtrixie&lt;/a&gt;.&lt;/li&gt;
&lt;li&gt;Tobi prepared libpng1.6 updates for trixie and bookworm, released as
&lt;a href="https://security-tracker.debian.org/tracker/DSA-6263-1"&gt;DSA-6263-1&lt;/a&gt;.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Moreover, thanks to &lt;a href="https://www.freexian.com/blog/samba-4.17-lts/"&gt;our partnership with Catalyst&lt;/a&gt;, it has been possible to extend the support for Samba 4.17, the version shipped with Debian 12. In May, several vulnerabilities were disclosed, and their patches were prepared by Catalyst. For Debian 12, the update was prepared by the Samba maintainer and released as &lt;a href="https://security-tracker.debian.org/tracker/DSA-6297-1"&gt;DSA-6297-1&lt;/a&gt;.&lt;/p&gt;
&lt;h3 id="individual-debian-lts-contributor-reports"&gt;Individual Debian LTS contributor reports&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="https://people.debian.org/~abhijith/reports/LTS_ELTS-May-2026.txt"&gt;Abhijith PA&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://lists.debian.org/debian-lts/2026/05/msg00035.html"&gt;Andreas Henriksson&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://lists.debian.org/msgid-search/90a01206-0228-47a1-99ac-230f39627cdd@app.fastmail.com"&gt;Andrej Shadura&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://lists.debian.org/debian-lts/2026/06/msg00001.html"&gt;Arnaud Rebillout&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://lists.debian.org/debian-lts/2026/06/msg00004.html"&gt;Bastien Roucariès&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.decadent.org.uk/ben/blog/2026/06/02/foss-activity-in-may-2026.html"&gt;Ben Hutchings&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://lists.debian.org/msgid-search/ah946uN_ihFpn6Y2@fw13.lan"&gt;Carlos Henrique Lima Melara&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://chris-lamb.co.uk/posts/free-software-activities-in-may-2026#debian-lts"&gt;Chris Lamb&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://lists.debian.org/debian-lts/2026/06/msg00005.html"&gt;Daniel Leidert&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://lists.debian.org/debian-lts/2026/05/msg00038.html"&gt;Emmanuel Arias&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://people.debian.org/~pochu/lts/reports/2026-05.txt"&gt;Emilio Pozuelo Monfort&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://lists.debian.org/msgid-search/?m=z6X4k41ZLH1m3ekg@debian.org"&gt;Guilhem Moulin&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://lists.debian.org/msgid-search/ah60k47SnxpQjRrq@mpd"&gt;Jochen Sprickerhof&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://lists.debian.org/debian-lts/2026/06/msg00013.html"&gt;Lee Garrett&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://people.debian.org/~kanashiro/debian/lts/reports/2026-05.txt"&gt;Lucas Kanashiro&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://people.debian.org/~slyon/debian/lts/reports/2026-05.txt"&gt;Lukas Märdian&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://dl.gambaru.de/blog/202605_LTS_ELTS_report.txt"&gt;Markus Koschany&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://people.debian.org/~santiago/lts-elts-reports/report-2026-05.txt"&gt;Santiago Ruano Rincón&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://lists.debian.org/debian-lts/2026/06/msg00002.html"&gt;Sylvain Beucler&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://blog.alteholz.eu/2026/06/my-debian-activities-in-may-2026/"&gt;Thorsten Alteholz&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://lists.debian.org/debian-lts/2026/06/msg00015.html"&gt;Tobias Frost&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;h3 id="thanks-to-our-sponsors"&gt;Thanks to our sponsors&lt;/h3&gt;
&lt;p&gt;Sponsors that joined recently are in bold.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Platinum sponsors:
&lt;ul&gt;
&lt;li&gt;&lt;a href="https://www.global.toshiba/ww/top.html"&gt;Toshiba Corporation&lt;/a&gt; (for 128 months)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://cip-project.org"&gt;Civil Infrastructure Platform (CIP)&lt;/a&gt; (for 96 months)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://vyos.io"&gt;VyOS Inc&lt;/a&gt; (for 61 months)&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;Gold sponsors:
&lt;ul&gt;
&lt;li&gt;&lt;a href="https://www.roche.com/about/business/diagnostics.htm"&gt;F. Hoffmann-La Roche AG&lt;/a&gt; (for 139 months)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.conet.de/"&gt;CONET Deutschland GmbH&lt;/a&gt; (for 122 months)&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.ox.ac.uk"&gt;University of Oxford&lt;/a&gt; (for 78 months)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.edf.fr"&gt;EDF SA&lt;/a&gt; (for 50 months)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.dataport.de"&gt;Dataport AöR&lt;/a&gt; (for 25 months)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://home.cern/"&gt;CERN&lt;/a&gt; (for 23 months)&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;Silver sponsors:
&lt;ul&gt;
&lt;li&gt;&lt;a href="https://domainnameshop.com/"&gt;Domeneshop AS&lt;/a&gt; (for 143 months)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://metropole.nantes.fr/"&gt;Nantes Métropole&lt;/a&gt; (for 137 months)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.akamai.com/"&gt;Akamai - Linode&lt;/a&gt; (for 133 months)&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.univention.de"&gt;Univention GmbH&lt;/a&gt; (for 129 months)&lt;/li&gt;
&lt;li&gt;&lt;a href="http://portail.univ-st-etienne.fr/"&gt;Université Jean Monnet de St Etienne&lt;/a&gt; (for 129 months)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://ribboncommunications.com/"&gt;Ribbon Communications, Inc.&lt;/a&gt; (for 123 months)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.exonet.nl"&gt;Exonet B.V.&lt;/a&gt; (for 113 months)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.lrz.de"&gt;Leibniz Rechenzentrum&lt;/a&gt; (for 107 months)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.diplomatie.gouv.fr"&gt;Ministère de l’Europe et des Affaires Étrangères&lt;/a&gt; (for 91 months)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://dinahosting.com"&gt;Dinahosting SL&lt;/a&gt; (for 78 months)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://upsun.com"&gt;Upsun Formerly Platform.sh&lt;/a&gt; (for 72 months)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.moxa.com"&gt;Moxa Inc.&lt;/a&gt; (for 66 months)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://sipgate.de"&gt;sipgate GmbH&lt;/a&gt; (for 64 months)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://ovhcloud.com"&gt;OVH US LLC&lt;/a&gt; (for 62 months)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.tilburguniversity.edu/"&gt;Tilburg University&lt;/a&gt; (for 62 months)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.gsi.de"&gt;GSI Helmholtzzentrum für Schwerionenforschung GmbH&lt;/a&gt; (for 53 months)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.cesky-hosting.cz/"&gt;THINline s.r.o.&lt;/a&gt; (for 26 months)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.cph.dk"&gt;Copenhagen Airports A/S&lt;/a&gt; (for 20 months)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.isere.fr"&gt;Conseil Départemental de l’Isère&lt;/a&gt; (for 6 months)&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;Bronze sponsors:
&lt;ul&gt;
&lt;li&gt;&lt;a href="http://www.seznam.cz"&gt;Seznam.cz, a.s.&lt;/a&gt; (for 144 months)&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.evolix.fr"&gt;Evolix&lt;/a&gt; (for 143 months)&lt;/li&gt;
&lt;li&gt;&lt;a href="http://linuxhotel.de"&gt;Linuxhotel GmbH&lt;/a&gt; (for 141 months)&lt;/li&gt;
&lt;li&gt;&lt;a href="http://intevation.de"&gt;Intevation GmbH&lt;/a&gt; (for 140 months)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://waays.fr"&gt;Daevel SARL&lt;/a&gt; (for 139 months)&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.megaspace.de"&gt;Megaspace Internet Services GmbH&lt;/a&gt; (for 138 months)&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.greenbone.net"&gt;Greenbone AG&lt;/a&gt; (for 137 months)&lt;/li&gt;
&lt;li&gt;&lt;a href="http://numlog.fr"&gt;NUMLOG&lt;/a&gt; (for 137 months)&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.wingo.ch/"&gt;WinGo AG&lt;/a&gt; (for 136 months)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.entrouvert.com/"&gt;Entr’ouvert&lt;/a&gt; (for 128 months)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://adfinis.com"&gt;Adfinis AG&lt;/a&gt; (for 125 months)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.plathome.com"&gt;Plat’Home&lt;/a&gt; (for 122 months)&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.legi.grenoble-inp.fr"&gt;Laboratoire LEGI - UMR 5519 / CNRS&lt;/a&gt; (for 120 months)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.tesorion.nl/"&gt;Tesorion&lt;/a&gt; (for 120 months)&lt;/li&gt;
&lt;li&gt;&lt;a href="http://bearstech.com"&gt;Bearstech&lt;/a&gt; (for 111 months)&lt;/li&gt;
&lt;li&gt;&lt;a href="http://lihas.de"&gt;LiHAS&lt;/a&gt; (for 111 months)&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.catalyst.net.nz"&gt;Catalyst IT Ltd&lt;/a&gt; (for 106 months)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://demarcq.net"&gt;Demarcq SAS&lt;/a&gt; (for 100 months)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.univ-grenoble-alpes.fr"&gt;Université Grenoble Alpes&lt;/a&gt; (for 86 months)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.touchweb.fr"&gt;TouchWeb SAS&lt;/a&gt; (for 78 months)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.spin-ag.de"&gt;SPiN AG&lt;/a&gt; (for 75 months)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.corefiling.com"&gt;CoreFiling&lt;/a&gt; (for 71 months)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.osug.fr/"&gt;Observatoire des Sciences de l’Univers de Grenoble&lt;/a&gt; (for 62 months)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.werfen.com"&gt;Tem Innovations GmbH&lt;/a&gt; (for 57 months)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://wordfinder.pro"&gt;WordFinder.pro&lt;/a&gt; (for 57 months)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.resif.fr"&gt;CNRS DT INSU Résif&lt;/a&gt; (for 56 months)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.soliton.co.jp"&gt;Soliton Systems K.K.&lt;/a&gt; (for 51 months)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.alterway.fr"&gt;Alter Way&lt;/a&gt; (for 48 months)&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.sobis.com/"&gt;SOBIS Software GmbH&lt;/a&gt; (for 23 months)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.tuxera.com"&gt;Tuxera Inc.&lt;/a&gt; (for 15 months)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://opm-op.com"&gt;OPM-OP AS&lt;/a&gt; (for 6 months)&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;/ul&gt; </description> 
	<pubDate>Fri, 19 Jun 2026 00:00:00 +0000</pubDate>

</item> 
<item>
	<title>Reproducible Builds (diffoscope): diffoscope 321 released</title>
	<guid>https://diffoscope.org/news/diffoscope-321-released/</guid>
	<link>https://diffoscope.org/news/diffoscope-321-released/</link>
     <description>  &lt;p&gt;The diffoscope maintainers are pleased to announce the release of diffoscope
version &lt;code class="language-plaintext highlighter-rouge"&gt;321&lt;/code&gt;. This version includes the following changes:&lt;/p&gt;

&lt;div class="language-plaintext highlighter-rouge"&gt;&lt;div class="highlight"&gt;&lt;pre class="highlight"&gt;&lt;code&gt;[ Chris Lamb ]
* Fix compatibility with Ocaml 5.4.1.
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;You find out more by &lt;a href="https://diffoscope.org"&gt;visiting the project homepage&lt;/a&gt;.&lt;/p&gt; </description> 
	<pubDate>Fri, 19 Jun 2026 00:00:00 +0000</pubDate>

</item> 
<item>
	<title>Reproducible Builds (diffoscope): diffoscope 320 released</title>
	<guid>https://diffoscope.org/news/diffoscope-320-released/</guid>
	<link>https://diffoscope.org/news/diffoscope-320-released/</link>
     <description>  &lt;p&gt;The diffoscope maintainers are pleased to announce the release of diffoscope
version &lt;code class="language-plaintext highlighter-rouge"&gt;320&lt;/code&gt;. This version includes the following changes:&lt;/p&gt;

&lt;div class="language-plaintext highlighter-rouge"&gt;&lt;div class="highlight"&gt;&lt;pre class="highlight"&gt;&lt;code&gt;[ Chris Lamb ]
* Support androguard 4 and previous versions. Thanks, linsui!
  (Closes: #1140016)
* Use --long-form arguments when calling apktool in order to support apktool
  version 3. Thanks again to linsui. (Closes: #1140015)
* Update copyright years.
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;You find out more by &lt;a href="https://diffoscope.org"&gt;visiting the project homepage&lt;/a&gt;.&lt;/p&gt; </description> 
	<pubDate>Fri, 19 Jun 2026 00:00:00 +0000</pubDate>

</item> 
<item>
	<title>Mike Gabriel: Commenting on the recent Ubuntu Touch review done by @SwitchandClickOfficial on Youtube</title>
	<guid>https://sunweavers.net/159 at https://sunweavers.net/blog</guid>
	<link>https://sunweavers.net/blog/node/159</link>
     <description>  &lt;img src="http://planet.debian.org/heads/sunweaver.png" width="82" height="82" alt="" align="right" style="float: right;"&gt;  &lt;p&gt;There has been a video blog post recently published with a review of Ubuntu Touch as an option to opt out of the Android world: &lt;a href="https://www.youtube.com/watch?v=wTK6TS3pXgc" title="https://www.youtube.com/watch?v=wTK6TS3pXgc"&gt;https://www.youtube.com/watch?v=wTK6TS3pXgc&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Thanks to @SwitchandClick for spending time on this and publishing that video. Much appreciated.&lt;/p&gt;

&lt;h3&gt;Many Issues amended in upcoming 24.04-2.0 Release&lt;/h3&gt;

&lt;p&gt;When I watched that video referenced above, I continuously thought: ah... this is fixed in the next major release of Ubuntu Touch, or: ah... this is a known issue that we have on the roadmap..., or: ah... this is done in this ways by design (so it's a feature or basic functionality)...&lt;/p&gt;

&lt;p&gt;Let me just state, that most of the criticized aspects will be resolved in upcoming Ubuntu Touch release 24.04-2.0 (the tests in that video blog post have been run on Ubuntu Touch 24.04-1.x):&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Camera notch and rounding corners get honoured now by the UI&lt;/li&gt;
&lt;li&gt;Ubuntu Touch's default webbrowser (Morph Browser) has been bumped from Chromium engine v87 (Qt5 based) to v134 (Qt6 based), installing another browser should not be necessary anymore (note that the privacy level in Morph Browser is pretty high, so using other browsers could mean a loss of privacy).&lt;/li&gt;
&lt;li&gt;Bluetooth pairing agent got added to the bluetooth indicator&lt;/li&gt;
&lt;li&gt;Ubuntu Touch now supports Snaps on CLI level and in the OpenStore app&lt;/li&gt;
&lt;li&gt;Libertine has received fixes, but no substantial improvements. It mainly targets users who want to use their Ubuntu Touch device as desktop daily driver. Libertine-provided desktop apps UI-wise are often not usable on a phone-like device.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The full feature preview of the 24.04-2.0 release can be found here: &lt;a href="https://ubports.com/blog/ubports-news-1/ubuntu-touch-24-04-2-0-beta-is-now-ready-for-testing-4000" title="https://ubports.com/blog/ubports-news-1/ubuntu-touch-24-04-2-0-beta-is-now-ready-for-testing-4000"&gt;https://ubports.com/blog/ubports-news-1/ubuntu-touch-24-04-2-0-beta-is-n...&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;Ubuntu Touch App Ecosystem&lt;/h3&gt;

&lt;p&gt;The app ecosystem of Ubuntu Touch is quite specific, because many apps in Ubuntu Touch have been explicitly developed for Ubuntu Touch using a widget toolkit called Lomiri.Components. However, in Ubuntu Touch we also encourage developers to provide apps written with other convergent-capable toolkits, such as QQC2-based apps or Kirigami-based apps.&lt;/p&gt;

&lt;p&gt;One reason for the very different app ecosystem in Ubuntu Touch is that many service providers don't have Ubuntu Touch on their radar when investing in app development for their services. Some Ubuntu Touch App Developers work around this by either implementing unofficial client apps for web services (e.g. the Flow app for Deezer by Sander Klootwijk), others provide the web service via implementing a web app (will not work when offline, but at least will show up as an app in the launcher).&lt;/p&gt;

&lt;p&gt;The overall solution for making Open-Store.io more familiar to users who migrate from Android is that commercial service providers start honouring digital sovereignty and start providing apps for Linux. Not just for the Linux desktop, but also for mobile Linux platforms. This dual use case can easily achieved with an app development that bears convergence in mind.&lt;/p&gt;

&lt;h3&gt;App Ecosystems are also a Matter of Perspective&lt;/h3&gt;

&lt;p&gt;And one more minor note: whenever I open an Android appstore or can peak over someone's shoulder using an iOS device: I always wonder: what are all these apps about??? Never heard about them.&lt;/p&gt;

&lt;p&gt;So, familiarity really depends on perspective. And perspective depends on what you are used to. Change what you do and your perspective will follow.&lt;/p&gt;

&lt;h3&gt;Ubuntu Touch's root filesystem (rootfs) is Immutable&lt;/h3&gt;

&lt;p&gt;Only thing from that video blog post that we haven't fixed and won't do so in the midterm future is apt-get not working on the command line.&lt;/p&gt;

&lt;p&gt;The reason for this is: the Ubuntu Touch root file system is an immutable file system and thus shall not be changed via apt-get &amp;amp; friends by ordinary users.&lt;/p&gt;

&lt;p&gt;There are various discussions ongoing such as dpkg-divert'ing apt-get to a wrapper shell script that spits out an error message if rootfs is mounted read-only and someone tries to install packages the Debian/Ubuntu way. Other approaches are to mount some RAM disk over the rootfs, so apt-get can be used at runtime but changes to the system get reset at reboot.&lt;/p&gt;

&lt;p&gt;However, it is possible to mount the root filesystem read-write and test newer package versions (as UT core developers do regularly, in fact). If you tinker with this, it is recommended to reflash your device (don't wipe user data, when you reflash!) from time to time, because adding packages or package upgrades to your rootfs may over time corrupt the integrity of the rootfs.&lt;/p&gt;

&lt;p&gt;One reason for apt-get breaking the rootfs and thus your Ubuntu Touch development device is that the upgrade process of the rootfs image is incremental, so update tarballs sometimes contain only those parts that got changed between this and your previous upgrade (sometimes, upgrades contain a complete rootf image, depending on the interval between upgrades). If files from an incremental update tarball mix into a rootfs that got tinkered with via apt-get, you really end up on your own. Re-flashing will grab the complete rootfs tarball and wipe the whole rootfs and reinstall a fresh version of the newest rootfs image. Developers also do this in regular intervals to ensure their test device is clean again before running more/other tests.&lt;/p&gt; </description> 
	<pubDate>Thu, 18 Jun 2026 07:49:10 +0000</pubDate>

</item> 
<item>
	<title>Joey Hess: best of the web</title>
	<guid>http://joeyh.name/blog/entry/best_of_the_web/</guid>
	<link>http://joeyh.name/blog/entry/best_of_the_web/</link>
     <description>  &lt;img src="http://planet.debian.org/heads/joeyh2.png" width="84" height="75" alt="" align="right" style="float: right;"&gt;  &lt;p&gt;This is somehow the featured website on &lt;a href="https://earlyweblinks.com/"&gt;https://earlyweblinks.com/&lt;/a&gt; this week.&lt;/p&gt;

&lt;p&gt;Read all about my web site here!
&lt;a href="https://earlyweblinks.com/site-of-the-week/joey-hess"&gt;https://earlyweblinks.com/site-of-the-week/joey-hess&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Kind of reminds me of back in 1995 or so when my website would randomly
end up picked by some best of the web list that I never heard of.
The web is still a small place I guess.&lt;/p&gt;

&lt;p&gt;Maybe I should join a web ring or something?&lt;/p&gt; </description> 
	<pubDate>Wed, 17 Jun 2026 15:11:48 +0000</pubDate>

</item> 
<item>
	<title>Dirk Eddelbuettel: rspdlite 0.1.0-1 on CRAN: New Package!</title>
	<guid>http://dirk.eddelbuettel.com/blog/2026/06/16#rspdlite_0.1.0-1</guid>
	<link>http://dirk.eddelbuettel.com/blog/2026/06/16#rspdlite_0.1.0-1</link>
     <description>  &lt;img src="http://planet.debian.org/heads/dirk.png" width="65" height="90" alt="" align="right" style="float: right;"&gt;  &lt;p&gt;Very happy to share that a new package &lt;a href="https://github.com/eddelbuettel/rspdlite"&gt;rspdlite&lt;/a&gt; arrived on
&lt;a href="https://cran.r-project.org"&gt;CRAN&lt;/a&gt; today in its inaugural
version 0.1.0-1. It wraps and provides the (header-only) C++20 library
&lt;a href="https://github.com/gabime/spdlite"&gt;spdlite&lt;/a&gt; which its author
describes (aptly) as &lt;em&gt;tiny, fast, capable&lt;/em&gt;. Just like its bigger
sibbling &lt;a href="https://github.com/gabime/spdlog"&gt;spdlog&lt;/a&gt; (which we
wrapped as &lt;a href="https://github.com/eddelbuettel/rcppspdlog"&gt;rcppspdlog&lt;/a&gt;), it is
written by &lt;a href="https://github.com/gabime"&gt;Gabi Melman&lt;/a&gt;. However,
with a focus on C++20 and compile-time configuration, it is lighter,
nimbler and faster. It is also still a fairly young project so changes
may occur.&lt;/p&gt;
&lt;p&gt;I have been working on this for about a month, and it is ready for
use by R and C++. It contains the initial upstream release 0.1.0, and I
plan to follow the upstream versioning making this first release as
0.1.0-1.&lt;/p&gt;
&lt;p&gt;The package itself provides the headers for use from other C++
projects (i.e. mostly other packages), as well as a simple R wrapper so
that logging can occur from either C++ or R. It will generally access
the single logger instance in a compilation unit. So for a package built
against these header it would be shared library of that package. At
present we provide the basic logging level setters and getters,
formatting accessors, and two (compile-time) options of a ‘null logger’
and a file-based logger. More options are availble from the C++ level,
multiple logging sinks are but one example. Some examples are provided
in the package as an &lt;a href="https://github.com/eddelbuettel/rspdlite/blob/master/inst/examples/example.R"&gt;R
example&lt;/a&gt; and a &lt;a href="https://github.com/eddelbuettel/rspdlite/blob/master/inst/examples/example.cpp"&gt;C++
example&lt;/a&gt;; these are probably best examined from the sources.&lt;/p&gt;
&lt;p&gt;The NEWS entry for this release is simply and just announces that we
have a release. More details are in the &lt;a href="https://github.com/eddelbuettel/rspdlite/blob/master/ChangeLog"&gt;ChangeLog&lt;/a&gt;
and the &lt;a href="https://github.com/eddelbuettel/rspdlite"&gt;GitHub
repo&lt;/a&gt;.&lt;/p&gt;
&lt;blockquote&gt;
&lt;h4 id="changes-in-version-0.1.0-1-2025-06-08"&gt;Changes in version
0.1.0-1 (2025-06-08)&lt;/h4&gt;
&lt;ul&gt;
&lt;li&gt;Initial complete version and CRAN upload&lt;/li&gt;
&lt;/ul&gt;
&lt;/blockquote&gt;
&lt;p style="font-size: 80%; font-style: italic;"&gt;
This post by &lt;a href="https://dirk.eddelbuettel.com"&gt;Dirk
Eddelbuettel&lt;/a&gt; originated on his &lt;a href="https://dirk.eddelbuettel.com/blog/"&gt;Thinking inside the box&lt;/a&gt;
blog. If you like this or other open-source work I do, you can &lt;a href="https://github.com/sponsors/eddelbuettel"&gt;sponsor me at
GitHub&lt;/a&gt;. You can also sponsor my &lt;a href="https://dirk.eddelbuettel.com/blog/2026/04/03#sponsor_tour_de_shore_202"&gt;Tour
de Shore 2026 ride in support of the Maywood Fine Arts Center&lt;/a&gt;.
&lt;/p&gt;&lt;p&gt;&lt;/p&gt; </description> 
	<pubDate>Wed, 17 Jun 2026 00:16:00 +0000</pubDate>

</item> 
<item>
	<title>Mike Gabriel: Ubuntu Touch development - 24.04-2.0 Beta and Meaning of Branching-Off</title>
	<guid>https://sunweavers.net/158 at https://sunweavers.net/blog</guid>
	<link>https://sunweavers.net/blog/node/158</link>
     <description>  &lt;img src="http://planet.debian.org/heads/sunweaver.png" width="82" height="82" alt="" align="right" style="float: right;"&gt;  &lt;p&gt;The next Ubuntu Touch major release is approaching rapidly, yesterday we reached a major step in the preparation of the upcoming Ubuntu Touch 24.04-2.0 release: The branching-off (see below on what that is).&lt;/p&gt;

&lt;h3&gt;Ubuntu Touch 24.04-2.0 Beta is Now Available&lt;/h3&gt;

&lt;p&gt;Part of this development release step is the publication of the 24.04-2.0 Beta release images, for more details and information see:&lt;br /&gt;
&lt;a href="https://ubports.com/blog/ubports-news-1/ubuntu-touch-24-04-2-0-beta-is-now-ready-for-testing-4000" title="https://ubports.com/blog/ubports-news-1/ubuntu-touch-24-04-2-0-beta-is-now-ready-for-testing-4000"&gt;https://ubports.com/blog/ubports-news-1/ubuntu-touch-24-04-2-0-beta-is-n...&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;And additionally, find below some background information on how we maintain various Ubuntu Touch releases in parallel via Git(Lab). In fact, the release model of Ubuntu Touch has partially been adopted from how we in Debian maintains our various Debian versions in parallel, only that in Ubuntu Touch we use Git(Lab) for maintaining the different package versions and not, like in Debian, the APT archive itself.&lt;/p&gt;

&lt;h3&gt;What does 'Branching-Off' Mean?&lt;/h3&gt;

&lt;p&gt;Last Saturday, in the UBports Q&amp;amp;A, I explained Ubuntu Touch's "branching-off", an aspect of the Ubuntu Touch release workflow based on Git(Lab). To make this accessible to even more people, here it comes as a write-up:&lt;/p&gt;

&lt;p&gt;We host many Git repositories on GitLab, and our primary work is done on the main branches, which contain the bleeding-edge code. When a merge request is deemed critical for stable versions of Ubuntu Touch, we cherry-pick it into a release series branch.&lt;/p&gt;

&lt;p&gt;Currently, we land our changes in the main branches and then cherry-pick them to the ubports/24.04.1.x branches. The 'branching off' process for the upcoming 24.04-2.x release means that our current main branches will be copied over to create new branches for this release cycle, namely ubports/24.04-2.x.&lt;/p&gt;

&lt;p&gt;This has two major implications. First, any item that hasn't been translated by the time of the branch-off will not receive any more translation updates during the 24.04-2.x cycle. This is why it is crucial that translation work is completed before the branching-off.&lt;/p&gt;

&lt;h3&gt;Warning of Breaking Changes arriving soon in 26.04-1.x Daily Development UT Images&lt;/h3&gt;

&lt;p&gt;Second, looking ahead to the release after 24.04-2.x, we will be approaching 26.04-1.x. The OS base will change to Ubuntu 26.04 LTS, hopefully being ready for release to Ubuntu Touch users before the end of the year. We already have a list of features we want to land there. Because we plan to include various major changes, such as the switch from Mir 1 to Mir 2, new calendar and contacts backends, Qt6-based core apps and service components, etc., the likelihood of breaking changes at the beginning of the 26.04-1.x release cycle (which will become the next main branches' target) is very high.&lt;/p&gt;

&lt;h3&gt;The Ubuntu Touch 24.04-2.0 Release Schedule&lt;/h3&gt;

&lt;p&gt;The current release schedule is estimated to be:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;25 May 2026&lt;/strong&gt; [done]&lt;br /&gt;
Platform stability freeze 24.04-2.x&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;25 May 2026&lt;/strong&gt; [done]&lt;br /&gt;
String freeze 24.04-2.x&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;15 June 2026&lt;/strong&gt; [done]&lt;br /&gt;
Branching-off (and unfreeze 26.04-1.x development), UT image release: 24.04-2.0 Beta&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;22 or 29 June 2026&lt;/strong&gt; [coming]&lt;br /&gt;
Final freeze for 24.04-2.x, UT image release: 24.04-2.0 RC&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;6 or 13 July 2026&lt;/strong&gt; [coming]&lt;br /&gt;
Release version 24.04-2.0&lt;/p&gt; </description> 
	<pubDate>Tue, 16 Jun 2026 11:14:29 +0000</pubDate>

</item> 
<item>
	<title>Vincent Bernat: Building a Soviet Nail Factory: how KPIs killed efficiency</title>
	<guid>http://www.luffy.cx/en/blog/2026-kpi-goodhart.html</guid>
	<link>https://vincent.bernat.ch/en/blog/2026-kpi-goodhart</link>
     <description>  &lt;p&gt;In 2008, I landed my second job, in the network team at &lt;em&gt;Orange
Portails&lt;/em&gt;&lt;sup id="fnref-hebex"&gt;&lt;a class="footnote-ref" href="https://vincent.bernat.ch#fn-hebex"&gt;1&lt;/a&gt;&lt;/sup&gt;, the division behind the websites and search engine of the
French telecom operator Orange. The place ran like clockwork: a comprehensive
technical setup, a dedicated team for every part of the business, and room to
focus on what I do best. A few years later, none of that mattered: thanks to an
obsession with the numbers, we could no longer deliver new services on time.&lt;/p&gt;
&lt;div class="admonition"&gt;
&lt;p class="admonition-title"&gt;Disclaimer&lt;/p&gt;
&lt;p&gt;This is a story I like to tell to warn people about
&lt;a href="https://en.wikipedia.org/wiki/Goodhart%27s_law" title="Goodhart's law on Wikipedia"&gt;Goodhart’s law&lt;/a&gt;.&lt;sup id="fnref-campbell"&gt;&lt;a class="footnote-ref" href="https://vincent.bernat.ch#fn-campbell"&gt;2&lt;/a&gt;&lt;/sup&gt; As these events happened almost 15 years ago, my
recollection is a bit fuzzy. I left in 2012.&lt;/p&gt;
&lt;/div&gt;
&lt;h1 id="the-first-years"&gt;The first years&lt;/h1&gt;
&lt;p&gt;During my first years, the department operated like a startup. Its cradle was
the French company Echo. They built a search engine. France Télécom bought it
and renamed it &lt;a href="https://fr.wikipedia.org/wiki/Voila"&gt;Voila&lt;/a&gt;. It was the most visited search engine in France in the
early 2000s. France Télécom consolidated the portal activities into the &lt;em&gt;Wanadoo
Portails&lt;/em&gt; division, later renamed &lt;em&gt;Orange Portails&lt;/em&gt;.&lt;/p&gt;
&lt;p&gt;The technical environment was excellent. We had many internal tools:&lt;sup id="fnref-nocloud"&gt;&lt;a class="footnote-ref" href="https://vincent.bernat.ch#fn-nocloud"&gt;3&lt;/a&gt;&lt;/sup&gt; a
ticket system, an RRD-based graphing tool, an IPAM, a reporting tool, and an
SNMP-based alerting tool.&lt;sup id="fnref-snalert"&gt;&lt;a class="footnote-ref" href="https://vincent.bernat.ch#fn-snalert"&gt;4&lt;/a&gt;&lt;/sup&gt; We deployed our Linux servers with
&lt;a href="https://cfengine.com/"&gt;CFEngine&lt;/a&gt;. We installed systems and applications from internal Debian
repositories. We documented everything in a private &lt;a href="https://www.mediawiki.org/wiki/MediaWiki" title="MediaWiki is a collaboration and documentation platform"&gt;MediaWiki&lt;/a&gt; instance.
Supervision was performed with an ancestor of &lt;a href="https://www.xymon.com/servers/servers.html" title="The Xymon Monitor"&gt;Xymon&lt;/a&gt;. The network
architecture was clean and scalable with little legacy. We onboarded new people
in a day.&lt;/p&gt;
&lt;p&gt;It was a nurturing environment for me. I developed several tools:
&lt;a href="https://lldpd.github.io/" title="lldpd: implementation of IEEE 802.1AB"&gt;lldpd&lt;/a&gt;, an 802.1AB implementation, &lt;a href="https://vincent.bernat.ch/en/blog/2013-snimpy" title="snimpy: SNMP &amp;amp; Python"&gt;Snimpy&lt;/a&gt;, a pythonic binding for
Net-SNMP, &lt;a href="https://github.com/vincentbernat/wiremaps"&gt;Wiremaps&lt;/a&gt;, a layer-2 discovery tool with a time machine to know
which device is connected where, &lt;a href="https://github.com/vincentbernat/Kitero"&gt;Kitérő&lt;/a&gt;, a tool to simulate network
conditions, &lt;a href="https://github.com/vincentbernat/QCss-3/"&gt;QCSS-3&lt;/a&gt;, a controller for load-balancers, and &lt;a href="https://github.com/vincentbernat/ipoo"&gt;ipoo&lt;/a&gt;, a service
available through a Jabber chatbot and a Greasemonkey script to expose
IP-related information. I added &lt;a href="https://vincent.bernat.ch/en/blog/2011-keepalived-snmp-ipv6" title="SNMP support for Keepalived"&gt;SNMP support for Keepalived&lt;/a&gt; and
&lt;a href="https://github.com/search?q=repo%3AFRRouting%2Ffrr+author%3Avincentbernat+snmp&amp;amp;type=commits" title="SNMP-related commits for Quagga/FRR"&gt;Quagga&lt;/a&gt;. I also started this blog, with articles like
“&lt;a href="https://vincent.bernat.ch/en/blog/2011-dns-anycast" title="Anycast DNS"&gt;Anycast DNS&lt;/a&gt;,” TLS-related articles like “&lt;a href="https://vincent.bernat.ch/en/blog/2011-ssl-dos-mitigation" title="TLS computational DoS mitigation"&gt;TLS computational DoS
mitigation&lt;/a&gt;,” SNMP-related articles like “&lt;a href="https://vincent.bernat.ch/en/blog/2012-snmp-event-loop" title="Integration of Net-⁠SNMP into an event loop"&gt;Integration of Net-SNMP into an
event loop&lt;/a&gt;,” Linux-related articles like “&lt;a href="https://vincent.bernat.ch/en/blog/2011-ipv4-route-cache-linux" title="Tuning Linux IPv4 route cache"&gt;Tuning Linux IPv4 route cache&lt;/a&gt;,”
and an &lt;a href="https://vincent.bernat.ch/en/blog/2012-multicast-vxlan" title="Network virtualization with VXLAN"&gt;article about VXLAN&lt;/a&gt; long before it was cool.&lt;/p&gt;
&lt;h1 id="the-collapse"&gt;The collapse&lt;/h1&gt;
&lt;p&gt;When we needed new servers, the on-site team would take a set from the
inventory, install our base Linux distribution on them, put them in the
datacenter, and cable them to the top-of-the-rack switches. We opened a ticket
describing the servers we needed, and one week later, our servers were
available. &#128171;&lt;/p&gt;
&lt;p&gt;Orange wanted to know if this team was performing well, so they asked for &lt;abbr title="Key Performance Indicators"&gt;KPIs&lt;/abbr&gt;.
They decided to use the number of tickets completed in a year. They asked to
double this number. So instead of one ticket for a new service, we would open
six tickets—one per server. By the end of the year, the &lt;abbr title="Key Performance Indicators"&gt;KPIs&lt;/abbr&gt; had more than
doubled.&lt;/p&gt;
&lt;p&gt;Everybody saw it as a success for performance management. So, they asked to do
the same for the next year. Now, we needed to open a ticket per server and per
step. Again, the &lt;abbr title="Key Performance Indicators"&gt;KPIs&lt;/abbr&gt; doubled. Behind the scenes, the tickets went to different
people and were no longer handled in order. So, for the next year, it was decided to
have meta-tickets and meetings to follow the progress of these tickets. Of
course, all these extra steps pushed the &lt;abbr title="Key Performance Indicator"&gt;KPI&lt;/abbr&gt; even higher.&lt;/p&gt;
&lt;p&gt;This performance management method spread to the other teams.&lt;sup id="fnref-firewall"&gt;&lt;a class="footnote-ref" href="https://vincent.bernat.ch#fn-firewall"&gt;5&lt;/a&gt;&lt;/sup&gt;
Everything became slower. Instead of a couple of weeks, a new service now took
six months. We built a &lt;a href="https://fronterabrands.com/goodharts-law/" title="Goodhart’s Law: Soviet Nail Factories &amp;amp; The Power of Incentives"&gt;Soviet nail factory&lt;/a&gt;. But the &lt;abbr title="Key Performance Indicators"&gt;KPIs&lt;/abbr&gt; were good, and we
stopped caring.&lt;/p&gt;
&lt;p&gt;Let me give you another example. We had to estimate the impact of each night
operation. We weren’t half bad: we declared most operations “without any
expected impact.” Most of the time, there was no impact. One time out of five,
there was a 5-second impact. We were told to try harder to meet our expected
impact. What did we do? We started declaring a 5-second expected impact. One
day, we got a 30-second impact and were told we failed to match the expected
impact. In the end, we declared most operations with a 10-minute expected
impact, and we stopped caring: instead of carefully shifting traffic around, we
allowed ourselves a 5-minute impact. And our &lt;abbr title="Key Performance Indicators"&gt;KPIs&lt;/abbr&gt; were never better.&lt;/p&gt;
&lt;figure&gt;&lt;div class="lf-media-outer" style="width: 630px;"&gt;&lt;span class="lf-media-inner"&gt;&lt;img alt="Graph showing the impact of night operations. Year after year, the impact tolerance has been increased. In the final year, the expected impact is 10 minutes, and all operations remain under this threshold. However, the impacts are much more significant than they were in the first year." class="lf-media" height="245" src="https://d2pzklc15kok91.cloudfront.net/images/orange-impacts.03b883aacf07da.svg" width="630" /&gt;&lt;/span&gt;&lt;/div&gt;An artist's rendering of the evolution of impacts over the years.&lt;/figure&gt;
&lt;hr /&gt;
&lt;p&gt;&lt;abbr title="Key Performance Indicators"&gt;KPIs&lt;/abbr&gt; are not bad, but they are easy to break. Use them carefully: let the people
doing the work help choose the metrics, and tie those metrics to the quality of
the service—for example, with &lt;a href="https://sre.google/sre-book/service-level-objectives/" title="Google SRE book: Service Level Objectives"&gt;service level objectives&lt;/a&gt;. Otherwise, even
dedicated people stop caring, game the system, and eventually quit.&lt;sup id="fnref-google"&gt;&lt;a class="footnote-ref" href="https://vincent.bernat.ch#fn-google"&gt;6&lt;/a&gt;&lt;/sup&gt; &#128202;&lt;/p&gt;
&lt;div class="footnote"&gt;
&lt;hr /&gt;
&lt;ol&gt;
&lt;li id="fn-hebex"&gt;
&lt;p&gt;Internally, this division was named “Hebex.” It was located in
Bagnolet (next to Paris) and Sophia-Antipolis (near Nice). &lt;a class="footnote-backref" href="https://vincent.bernat.ch#fnref-hebex" title="Jump back to footnote 1 in the text"&gt;↩&lt;/a&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li id="fn-campbell"&gt;
&lt;p&gt;Goodhart’s law often gets the credit, but &lt;a href="https://en.wikipedia.org/wiki/Campbell%27s_law" title="Campbell's law on Wikipedia"&gt;Campbell’s law&lt;/a&gt;
describes my experience even better: the more you lean on a number to make
decisions, the faster people corrupt it. &lt;a class="footnote-backref" href="https://vincent.bernat.ch#fnref-campbell" title="Jump back to footnote 2 in the text"&gt;↩&lt;/a&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li id="fn-nocloud"&gt;
&lt;p&gt;At the time, &lt;abbr title="Software as a Service"&gt;SaaS&lt;/abbr&gt; was not really a thing. I remember we considered,
with a couple of colleagues, selling &lt;a href="https://github.com/vincentbernat/wiremaps"&gt;Wiremaps&lt;/a&gt; as a &lt;abbr title="Software as a Service"&gt;SaaS&lt;/abbr&gt;, with
homomorphic encryption for the database. But who would outsource their
observability stack? &lt;a class="footnote-backref" href="https://vincent.bernat.ch#fnref-nocloud" title="Jump back to footnote 3 in the text"&gt;↩&lt;/a&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li id="fn-snalert"&gt;
&lt;p&gt;&lt;em&gt;Snalert&lt;/em&gt; was a metacircular alerting tool in Perl. It was able to
poll a very large number of SNMP targets in a short timespan. All our
monitoring was SNMP-based, including system monitoring. &lt;a class="footnote-backref" href="https://vincent.bernat.ch#fnref-snalert" title="Jump back to footnote 4 in the text"&gt;↩&lt;/a&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li id="fn-firewall"&gt;
&lt;p&gt;My team also managed the rules of many Linux-based firewalls. To
increase our &lt;abbr title="Key Performance Indicators"&gt;KPIs&lt;/abbr&gt;, we used the same method: rather than accepting one ticket
with a flow matrix, we requested one ticket per flow. &lt;a class="footnote-backref" href="https://vincent.bernat.ch#fnref-firewall" title="Jump back to footnote 5 in the text"&gt;↩&lt;/a&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li id="fn-google"&gt;
&lt;p&gt;Orange is not unique. Google’s promotion process is another
well-known example of a broken &lt;abbr title="Key Performance Indicator"&gt;KPI&lt;/abbr&gt;. Michael Lynch explains it in “&lt;a href="https://mtlynch.io/why-i-quit-google/" title="Why I Quit Google to Work for Myself"&gt;Why I
Quit Google to Work for Myself&lt;/a&gt;.” &lt;a class="footnote-backref" href="https://vincent.bernat.ch#fnref-google" title="Jump back to footnote 6 in the text"&gt;↩&lt;/a&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;/div&gt; </description> 
	<pubDate>Tue, 16 Jun 2026 06:26:27 +0000</pubDate>

</item> 
<item>
	<title>Tim Retout: In memoriam commit-email.py</title>
	<guid>https://retout.co.uk/2026/06/15/in-memoriam-commitemailpy/</guid>
	<link>https://retout.co.uk/2026/06/15/in-memoriam-commitemailpy/</link>
     <description>  &lt;p&gt;I have &lt;a href="https://github.com/seL4/l4v/pull/1020/changes/d910068845aca32099cd480b5ac8f85257bbca52"&gt;proposed the deletion of an obsolete
script&lt;/a&gt;,
but it makes me feel complicated feelings so I’m going to try and
express those.  This particular script was written in 2014, but the
concept goes back much further – before git was invented.&lt;/p&gt;
&lt;p&gt;When I started university in 2003, I seem to remember the computing
society used to run tutorials for first-year students on how to use
Apache Subversion for your group project – a vast upgrade on CVS (or
worse, no version control at all).  Back then, the idea of viewing
your changesets in a web browser was relatively new – while it was
possible to look at an SVN repository through a web UI, features were
limited unless you installed something compicated like
&lt;a href="https://trac.edgewall.org/wiki/TracSubversion"&gt;Trac&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;&lt;img alt="Data flow when distributing commits via a mailing list" src="https://retout.co.uk/2026/commit-email.drawio.svg" /&gt;
&lt;em&gt;Figure 1: Data flow when distributing commits via a mailing list&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;Perhaps because reading email on your desktop computer (I don’t think
I could afford an IBM ThinkPad?) was the only vaguely real-time
notification system available at the time (except I guess SMS, which
cost 10p per text), a common pattern seemed to be to use a
&lt;a href="https://svnbook.red-bean.com/en/1.7/svn-book.html#svn.ref.reposhooks.post-commit"&gt;post-commit
hook&lt;/a&gt;
to send every single commit to a mailing list, named something like
‘foo-commits’.  Indeed, for a long time Fedora had an scm-commits list
which &lt;a href="https://discussion.fedoraproject.org/t/the-future-plans-for-the-scm-commits-mailing-list/193068"&gt;appears to be a topic of recent
discussion&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;I can’t really explain &lt;em&gt;why&lt;/em&gt; people wanted to have every commit sent
to a mailing list except as a way of getting notified of activity – I
can’t believe people would import raw patches from those lists, ala
LKML, rather than run actual version control commands to fetch the new
source directly.  Maybe you’d have to go back to NNTP for this.&lt;/p&gt;
&lt;p&gt;I do like the vendor-neutrality of the “everything-as-text” approach,
building on the open ecosystem of SMTP.  But I doubt we’d see a
widespread resurgence of commit lists now – most code hosting must
allow anyone to subscribe to email notifications, I assume, and I
don’t see a huge benefit in a mailing list archive of commit messages.&lt;/p&gt;
&lt;p&gt;In the case of seL4, I’m even more confused about why this script was
committed in 2014, shortly after the kernel was put on GitHub.  I can
only assume it was imported from previous infrastructure.  I do know
that the implementation is quite Python 2 heavy, with the conversion
between unicode and bytes featuring heavily.  So rather than risk
breaking its logic with patching, I think it’s time to “thank it for
its service” and let go.&lt;/p&gt; </description> 
	<pubDate>Mon, 15 Jun 2026 22:04:50 +0000</pubDate>

</item> 
<item>
	<title>Dirk Eddelbuettel: rbenchmark 1.0.1 on CRAN: New(ly Adopted) Package!</title>
	<guid>http://dirk.eddelbuettel.com/blog/2026/06/14#rbenchmark_1.0.1</guid>
	<link>http://dirk.eddelbuettel.com/blog/2026/06/14#rbenchmark_1.0.1</link>
     <description>  &lt;img src="http://planet.debian.org/heads/dirk.png" width="65" height="90" alt="" align="right" style="float: right;"&gt;  &lt;p&gt;Quick note to share that &lt;a href="https://dirk.eddelbuettel.com/code/rbenchmark.html"&gt;rbenchmark&lt;/a&gt;
is back on &lt;a href="https://cran.r-project.org"&gt;CRAN&lt;/a&gt;! The &lt;a href="https://dirk.eddelbuettel.com/code/rbenchmark.html"&gt;rbenchmark&lt;/a&gt;
package makes it easy to benchmark (and compare) simple R
expressions.&lt;/p&gt;
&lt;p&gt;This package has been on &lt;a href="https://cran.r-project.org"&gt;CRAN&lt;/a&gt; for many years. At one point
fourteen years ago it appeared to be rudderless so I offered help but
things realigned. Now it was just tossed off &lt;a href="https://cran.r-project.org"&gt;CRAN&lt;/a&gt;, taking a number of packages
depending on it with it (as shown in this &lt;a href="https://bsky.app/profile/cranberriesfeed.bsky.social/post/3mnyns2uqch2o"&gt;CRANberries
skeet&lt;/a&gt; listing a set of removed packages) so I offered again to help,
and &lt;a href="https://cran.r-project.org"&gt;CRAN&lt;/a&gt; agreed. So here we
are.&lt;/p&gt;
&lt;p&gt;So far I just made a number of small ‘editing’ changes, added CI
support, and enable dbsr-universe coverage . I do not expect to change
the package materially. So far the package has no NEWS file either so
maybe glance at the &lt;a href="https://github.com/eddelbuettel/rbenchmark/blob/master/ChangeLog"&gt;ChangeLog&lt;/a&gt;
at the &lt;a href="https://github.com/eddelbuettel/rbenchmark"&gt;git
repo&lt;/a&gt;.&lt;/p&gt;
&lt;p style="font-size: 80%; font-style: italic;"&gt;
This post by &lt;a href="https://dirk.eddelbuettel.com"&gt;Dirk
Eddelbuettel&lt;/a&gt; originated on his &lt;a href="https://dirk.eddelbuettel.com/blog/"&gt;Thinking inside the box&lt;/a&gt;
blog. If you like this or other open-source work I do, you can &lt;a href="https://github.com/sponsors/eddelbuettel"&gt;sponsor me at
GitHub&lt;/a&gt;. You can also sponsor my &lt;a href="https://dirk.eddelbuettel.com/blog/2026/04/03#sponsor_tour_de_shore_202"&gt;Tour
de Shore 2026 ride in support of the Maywood Fine Arts Center&lt;/a&gt;.
&lt;/p&gt;&lt;p&gt;&lt;/p&gt; </description> 
	<pubDate>Mon, 15 Jun 2026 00:54:00 +0000</pubDate>

</item> 
<item>
	<title>Freexian Collaborators: Debian Contributions: Go default compatibility, Trimming build-essential, Python upstream engagement and more! (by Anupa Ann Joseph)</title>
	<guid>https://www.freexian.com/blog/debian-contributions-05-2026/</guid>
	<link>https://www.freexian.com/blog/debian-contributions-05-2026/</link>
     <description>  &lt;img src="http://planet.debian.org/heads/freexian.png" width="215" height="101" alt="" align="right" style="float: right;"&gt;  &lt;h1 id="debian-contributions-2026-05"&gt;Debian Contributions: 2026-05&lt;/h1&gt;
&lt;p&gt;&lt;a href="https://www.freexian.com/about/debian-contributions/"&gt;Contributing to Debian&lt;/a&gt;
is part of &lt;a href="https://www.freexian.com/about/"&gt;Freexian’s mission&lt;/a&gt;. This article
covers the latest achievements of Freexian and their collaborators. All of this
is made possible by organizations subscribing to our
&lt;a href="https://www.freexian.com/lts/"&gt;Long Term Support contracts&lt;/a&gt; and
&lt;a href="https://www.freexian.com/services/"&gt;consulting services&lt;/a&gt;.&lt;/p&gt;
&lt;h2 id="go-default-compatibility-by-helmut-grohne"&gt;Go default compatibility, by Helmut Grohne&lt;/h2&gt;
&lt;p&gt;At the &lt;a href="https://hamburg2026.mini.debconf.org/"&gt;MiniDebConf Hamburg&lt;/a&gt;, Andrew Lee
had prepared a &lt;a href="https://hamburg2026.mini.debconf.org/talks/28-rescue-forky-we-have-go-back-to-2011-building-go-like-its-2011-is-broken/"&gt;talk on how Debian accidentally chooses Go compatibility&lt;/a&gt;.
Helmut joined Tobias Quathammer and Andrew Lee in looking into the problem.
Go has a compatibility system where modules declare a desired Go version to be
compatible with. This influences various features such as whether RSA keys
smaller than 1024 bits are accepted. Unfortunately, Debian’s way of building Go
packages is unique in setting &lt;code&gt;GO111MODULE=off&lt;/code&gt;, which practically implies a
very old compatibility version that enables a number of insecure settings. Most
Linux distributions use the default &lt;code&gt;GO111MODULE=on&lt;/code&gt; and therefore consult a
&lt;code&gt;go.mod&lt;/code&gt; file that often declares a sensible version. While doing so is the way
for Debian longer term, getting there involves major changes so we also sought
a more short term workaround. We developed a
&lt;a href="https://salsa.debian.org/helmutg/godebug-analysis/-/blob/main/patches/golang-1.26_1.26.3-1.1.debdiff"&gt;patch to the Go compiler&lt;/a&gt;
that would enable it to pick up a compatibility version from the environment.
Tobias uploaded it to unstable. The next step is
&lt;a href="https://salsa.debian.org/helmutg/godebug-analysis/-/blob/main/patches/dh-golang_1.63%2Bnmu1.debdiff"&gt;communicating the declared compatibility version&lt;/a&gt;
from &lt;code&gt;go.mod&lt;/code&gt; to the compiler via the new variable. Then, rebuilding the archive
resolves the immediate symptoms. This does not save us from having to perform
the larger transition to &lt;code&gt;GO111MODULE=on&lt;/code&gt;, but this shortcut can be backported
to trixie.&lt;/p&gt;
&lt;h2 id="trimming-build-essential-by-helmut-grohne"&gt;Trimming build-essential, by Helmut Grohne&lt;/h2&gt;
&lt;p&gt;One of the harder problems of the architecture cross bootstrap is correctly
expressing the &lt;code&gt;Build-Depends&lt;/code&gt; of &lt;code&gt;glib&lt;/code&gt; during the toolchain bootstrap. It
implicitly depends on &lt;code&gt;build-essential&lt;/code&gt;, which happens to depend on &lt;code&gt;libc6-dev&lt;/code&gt;.
This poses a cycle. It applies even for cross building, because it is
interpreted for the host architecture and that there is no way of satisfying
this dependency during the toolchain bootstrap.&lt;/p&gt;
&lt;p&gt;Given discussions at &lt;a href="https://hamburg2026.mini.debconf.org/"&gt;MiniDebConf Hamburg&lt;/a&gt;
with Jochen Sprickerhof and others, a seemingly stupid idea evolved: Let’s
delete &lt;code&gt;build-essential&lt;/code&gt;. What looks insane on the surface might deserve a
second look. Given how we moved away from C, C++ and autotools, what is in
&lt;code&gt;build-essential&lt;/code&gt; no longer is required by much of the archive. With the rise of
&lt;code&gt;debputy&lt;/code&gt;, &lt;code&gt;debian/rules&lt;/code&gt; no longer has to be a makefile. While the task would
be huge, those packages relevant to architecture bootstrap could explicitly
support building without the implied dependency making their dependencies
explicit. In a number of cases, this amounts to issuing a dependency on
&lt;code&gt;g++-for-host&lt;/code&gt;. This dependency requires the use of architecture-prefixed tools.
Therefore, Helmut wrote a &lt;a href="https://salsa.debian.org/debian/debhelper/-/merge_requests/154"&gt;debhelper change&lt;/a&gt;
that makes it always pass build tools to various build systems. This also
enables more packages to honour environment variables such as &lt;code&gt;CC&lt;/code&gt; and &lt;code&gt;CXX&lt;/code&gt;.&lt;/p&gt;
&lt;h2 id="python-upstream-engagement-by-stefano-rivera"&gt;Python upstream engagement, by Stefano Rivera&lt;/h2&gt;
&lt;p&gt;Stefano attended &lt;a href="https://us.pycon.org/2026/"&gt;PyCon US&lt;/a&gt; (at personal expense)
to improve upstream relations and ensure Debian’s voice is heard where it needs
to be. On Friday there was a &lt;a href="https://us.pycon.org/2026/events/packaging-summit/"&gt;packaging summit&lt;/a&gt;
(&lt;a href="https://hackmd.io/@jezdez/pycon2026-packaging-summit"&gt;notes&lt;/a&gt;) with good
discussion on the future of the &lt;code&gt;wheel&lt;/code&gt; format, and some discussion of the new
&lt;code&gt;abi3t&lt;/code&gt; shared library format for free-threaded python.&lt;/p&gt;
&lt;p&gt;In preparation for the event, Stefano did a complete review of the current patch
stack.&lt;/p&gt;
&lt;p&gt;Stefano’s primary goal was to get some of Debian’s patches merged during the
sprints, and results were mixed. Some trivial patches
(e.g. &lt;a href="https://github.com/python/cpython/pull/150098"&gt;GH-150098&lt;/a&gt;, made progress
and merged, but the most consequential patch Debian is carrying
&lt;a href="https://github.com/python/cpython/pull/122917"&gt;is still blocked&lt;/a&gt;. Stefano will
continue to try to drive progress on this.&lt;/p&gt;
&lt;h2 id="miscellaneous-contributions"&gt;Miscellaneous contributions&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;Carles worked on &lt;a href="https://salsa.debian.org/carlespina/po-debconf-manager"&gt;po-debconf-manager&lt;/a&gt;:
Reviewed Catalan translations for 6 packages, submitted 10 packages to
maintainers, and removed 3 packages from po-debconf-manager.&lt;/li&gt;
&lt;li&gt;Carles worked on &lt;a href="https://salsa.debian.org/carlespina/check-relations"&gt;check-relations&lt;/a&gt;:
Continued improving the backend, including importing source package build
dependencies to better support analysis of Debian blends. Added support for
ignoring packages using regular expressions and source package names in response
to user feedback. Used the tool to report 5 new bugs and followed up on
previously reported issues.&lt;/li&gt;
&lt;li&gt;Helmut sent a cross build patch on behalf of a customer.&lt;/li&gt;
&lt;li&gt;Helmut uploaded &lt;code&gt;debvm&lt;/code&gt; and &lt;code&gt;guess_concurrency&lt;/code&gt; both featuring improved
reproducibility and documentation.&lt;/li&gt;
&lt;li&gt;Helmut continued maintaining rebootstrap and made it correctly handle binNMUs
of &lt;code&gt;gcc-defaults&lt;/code&gt;. Additionally, he poked at existing gcc patches giving answers,
rebasing or closing them.&lt;/li&gt;
&lt;li&gt;Helmut supported the video team in Hamburg mixing audio.&lt;/li&gt;
&lt;li&gt;Helmut continued to report undeclared file conflicts of various kinds and
corresponded with maintainers about them.&lt;/li&gt;
&lt;li&gt;Antonio attended a debate during the &lt;a href="https://fib.cgi.br/"&gt;Brazil Internet Forum&lt;/a&gt;
about the impacts of the child protection regulation (ECA Digital) on free
software operating systems.&lt;/li&gt;
&lt;li&gt;Antonio worked on Debian CI to improve the system transparency for users. This
included listing any pending jobs explicitly in the job lists for each
package/architecture/suite page, as well as adding a
&lt;a href="https://ci.debian.net/status/queue/"&gt;queue status&lt;/a&gt; page that users can check
for an estimate of test latency.&lt;/li&gt;
&lt;li&gt;Antonio worked on several Debian CI maintenance tasks, including but not
limited to some monitoring improvements, replacing usage of fonts-font-awesome
with fonts-fork-awesome, and adding the ability in &lt;code&gt;debci&lt;/code&gt; to configure a global
notice (which is being used in Debian CI to point to the system status pages).&lt;/li&gt;
&lt;li&gt;Antonio started doing some tests related to the change of default Debian CI
backend from lxc to incus-lxc. This helped identify an omission in the creation
of incus-lxc images. It was missing dpkg-dev, which caused a few packages that
assumed its presence to fail. In the end, the incus-lxc backend will be fixed to
include dpkg-dev by default in the image, but that uncovered an undeclared
dependency in &lt;code&gt;gem2deb&lt;/code&gt; (Ruby packaging helper) and in &lt;code&gt;ruby-byebug&lt;/code&gt;, both
already fixed in unstable.&lt;/li&gt;
&lt;li&gt;Stefano did some &lt;a href="https://salsa.debian.org/reimbursements-team/debian-reimbursement/-/merge_requests/53"&gt;minimal work&lt;/a&gt;
on &lt;a href="https://reimbursements.debian.net/"&gt;debian-reimbursements&lt;/a&gt; to get it working
with current versions of django-allauth.&lt;/li&gt;
&lt;li&gt;May included the discovery of several high-severity Linux kernel root
exploits. Stefano updated kernels and rebooted debian.social infrastructure
several times.&lt;/li&gt;
&lt;li&gt;Stefano supported the &lt;a href="https://hamburg2026.mini.debconf.org/"&gt;Hamburg miniDebConf&lt;/a&gt;’s
wafer website during the event, and set up &lt;a href="https://hamburg2027.mini.debconf.org/"&gt;an instance&lt;/a&gt;
for the 2027 edition too.&lt;/li&gt;
&lt;li&gt;Stefano supported the bursary team issuing bursaries for
&lt;a href="https://debconf26.debconf.org/"&gt;DebConf 26&lt;/a&gt;.&lt;/li&gt;
&lt;li&gt;Stefano uploaded routine updates of &lt;code&gt;python-pip&lt;/code&gt;, &lt;code&gt;pystemmer&lt;/code&gt;, &lt;code&gt;snowball-data&lt;/code&gt;,
&lt;code&gt;snowball&lt;/code&gt; (making up a mini, uncoordinated snowball transition),
&lt;code&gt;python-authlib&lt;/code&gt;, &lt;code&gt;python-discovery&lt;/code&gt;, &lt;code&gt;python-installer&lt;/code&gt;, &lt;code&gt;python-mitogen&lt;/code&gt;,
&lt;code&gt;python-pipx&lt;/code&gt;, &lt;code&gt;python-cachecontrol&lt;/code&gt;, &lt;code&gt;platformdirs&lt;/code&gt;, and &lt;code&gt;python-virtualenv&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;Stefano fixed a small number of bugs in &lt;code&gt;dh-python&lt;/code&gt;, culminating in the
&lt;code&gt;7.20260524&lt;/code&gt; upload.&lt;/li&gt;
&lt;li&gt;Thorsten finally managed to upload a new upstream version of &lt;code&gt;hplip&lt;/code&gt;. He also
uploaded a new upstream version of &lt;code&gt;epson-inkjet-printer-escpr&lt;/code&gt;. Last but not
least with the help of other contributors he could fix bugs in &lt;code&gt;lprng&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;Lucas and Santiago contributed significantly to the DebConf 26 Content team;
helping to organize the team, review and rate talk proposals.&lt;/li&gt;
&lt;li&gt;Lucas also supported a packaging sprint held in India by rebuilding and
publishing the latest results of the Ruby 3.4 transition effort.&lt;/li&gt;
&lt;li&gt;Santiago continued contributing to the efforts to organize DebConf 26,
especially supporting the local team with different tasks.&lt;/li&gt;
&lt;li&gt;In collaboration with Emmanuel Arias, Santiago is mentoring Aryan Karamtoth,
a GSoC participant that is working to introduce linux live-patching support in
Debian. The GSoC project started in May, with community bonding and coding.
Santiago reviewed a &lt;a href="https://salsa.debian.org/debian/clang-extract/-/merge_requests/1"&gt;merge request&lt;/a&gt;
to prepare the &lt;code&gt;clang-extract&lt;/code&gt; package for debian. clang-extract is one of the
building blocks that will help to extract specific functions from large C code,
so only relevant code can be patched, without recompiling the whole original
basecode.&lt;/li&gt;
&lt;li&gt;Anupa assisted Jean-Pierre Giraud with the point release announcements for
Debian 13.5 and Debian 12.14.&lt;/li&gt;
&lt;li&gt;Colin backported various security fixes from OpenSSH 10.3 to all supported
releases (including LTS and ELTS).&lt;/li&gt;
&lt;li&gt;Colin backported IP quality-of-service fixes to OpenSSH in trixie. The
situation there had been unsatisfactory for some time, and upstream reworked
their QoS support in OpenSSH 10.1 in a way that typically produces much better
results.&lt;/li&gt;
&lt;li&gt;Colin imported new upstream versions of 26 Python packages, and fixed around
25 RC bugs for the Python team.&lt;/li&gt;
&lt;/ul&gt; </description> 
	<pubDate>Mon, 15 Jun 2026 00:00:00 +0000</pubDate>

</item> 
<item>
	<title>Jonathan Dowland: HeroQuest</title>
	<guid>https://jmtd.net/log/heroquest/</guid>
	<link>https://jmtd.net/log/heroquest/</link>
     <description>  &lt;img src="http://planet.debian.org/heads/jmtd.png" width="65" height="85" alt="" align="right" style="float: right;"&gt;  &lt;div class="image"&gt;
&lt;a href="https://jmtd.net/log/heroquest/hq.jpg"&gt;&lt;img alt="_First Light_ box" class="img" height="263" src="https://jmtd.net/log/heroquest/350x-hq.jpg" width="350" /&gt;&lt;/a&gt;

&lt;p&gt;&lt;em&gt;First Light&lt;/em&gt; box&lt;/p&gt;

&lt;/div&gt;


&lt;p&gt;My youngest daughter and I recently started playing the tabletop game
HeroQuest. Specifically, the recently-issued, cut-down variant
&lt;em&gt;HeroQuest: First Light&lt;/em&gt;. This is quite advanced for her age, and I'm
a little surprised she's taken to it, but she's really loving it,
It's pushed her to read bits of lore on cards and quest books that is
way above her expected reading level, and we've been exercising her
maths by adding up the gold we find on our quests and calculating what
the heroes can buy with it in the store afterwards.&lt;/p&gt;

&lt;p&gt;Originally from 1989,
Hasbro re-issued HeroQuest in 2020. I read about it at the time but didn't
buy it. I wasn't
sure who I would play it with. It also seemed expensive to me. It probably
&lt;em&gt;wasn't&lt;/em&gt; unusually expensive in 2020, nor now, for the sheer volume of
finely-sculpted miniatures included.
I also knew I had the original game in the loft, and
I wasn't that keen on buying something I already had,
although untangling the contents from several similar boxed games would
take me many hours, and I wasn't sure how much of the game I would find.&lt;/p&gt;

&lt;div class="image"&gt;
&lt;a href="https://jmtd.net/log/heroquest/closeup.jpg"&gt;&lt;img alt="mix of old and new" class="img" height="263" src="https://jmtd.net/log/heroquest/350x-closeup.jpg" width="350" /&gt;&lt;/a&gt;

&lt;p&gt;mix of old and new&lt;/p&gt;

&lt;/div&gt;


&lt;p&gt;&lt;em&gt;First Light&lt;/em&gt; was compelling because it is much, much cheaper than the full
remake, so I was happy
to take a punt. It's cheaper because it doesn't have any plastic monsters  or
furniture: instead cardboard cut-outs that stand up on plastic stands. For us,
that is a significant drawback: 3D miniatures are much more immersive, But I
can re-use the plastic miniatures I can find from the original game. &lt;em&gt;First
Light&lt;/em&gt; has a newly written adventure, better suited to beginners than the
original game.&lt;/p&gt;

&lt;p&gt;The re-issue(s) have new art and new model sculpts that look fantastic. They've
changed anything which tied into Games Workshop's IP and I'm really happy about
that. They've made an effort to add women, almost entirely absent from the
original. I'm certain my daughter wouldn't have tried it otherwise.&lt;/p&gt; </description> 
	<pubDate>Sun, 14 Jun 2026 09:31:49 +0000</pubDate>

</item> 
<item>
	<title>Matthias Klumpp: Introducing pkgcli: A nicer command-line interface for PackageKit</title>
	<guid>https://blog.tenstral.net/?p=2074</guid>
	<link>https://blog.tenstral.net/2026/06/introducing-pkgcli-a-nicer-command-line-interface-for-packagekit.html</link>
     <description>  &lt;p class="wp-block-paragraph"&gt;For almost two decades, the &lt;a href="https://github.com/PackageKit/PackageKit"&gt;PackageKit&lt;/a&gt; package management abstraction layer has shipped with &lt;code&gt;pkcon&lt;/code&gt; as its command-line client. &lt;code&gt;pkcon&lt;/code&gt; does its job, but it was always kind of a “testing” front-end for the PackageKit daemon rather than a tool designed for everyday use. The focus has instead been on the GUI tools, automatic system updates, GUI application managers and other front-ends. Its command names mirror the D-Bus API almost one-to-one (&lt;code&gt;get-details&lt;/code&gt;, &lt;code&gt;get-updates&lt;/code&gt;, &lt;code&gt;get-depends&lt;/code&gt;), output is very plain, and there is no machine-readable mode for scripting. Most importantly though, there has been no development on it at all for almost a decade, so &lt;code&gt;pkcon&lt;/code&gt; was stuck in its rudimentary state from that era.&lt;/p&gt;



&lt;p class="wp-block-paragraph"&gt;Since a lot of changes will be coming to PackageKit, and testing the daemon and working with it from the command-line was not very pleasant anymore in 2025/2026, I decided to modernize the tool as part of my work as fellow for the &lt;a href="https://www.sovereign.tech/"&gt;Sovereign Tech Agency&lt;/a&gt; last year. &lt;code&gt;pkgcli&lt;/code&gt; is the new command-line client for PackageKit. It is built from the ground up to be pleasant to use interactively &lt;em&gt;and&lt;/em&gt; easy to drive from scripts.&lt;/p&gt;



&lt;h2 class="wp-block-heading"&gt;Why a new tool?&lt;/h2&gt;



&lt;p class="wp-block-paragraph"&gt;Of course, instead of introducing a new tool, I could have just expanded &lt;code&gt;pkcon&lt;/code&gt; instead. The problem with that approach is that the &lt;code&gt;pkcon&lt;/code&gt; utility has been around for so long and its command-line API had ossified so much, that rather than changing it and potentially breaking a lot of scripts relying on its quirks, I decided to introduce a new tool instead. &lt;code&gt;pkcon&lt;/code&gt; can still be optionally compiled for people who need it in their scripts and workflows.&lt;/p&gt;



&lt;p class="wp-block-paragraph"&gt;The goals for &lt;code&gt;pkgcli&lt;/code&gt;, and the features it now has are:&lt;/p&gt;



&lt;ul class="wp-block-list"&gt;
&lt;li&gt;&lt;strong&gt;Human-friendly command names.&lt;/strong&gt; Verbs that read the way you’d describe the task, instead of mirroring the D-Bus API 1:1: &lt;code&gt;show&lt;/code&gt;, &lt;code&gt;search&lt;/code&gt;, &lt;code&gt;list-updates&lt;/code&gt;, &lt;code&gt;what-provides&lt;/code&gt;, instead of &lt;code&gt;get-details&lt;/code&gt; and friends.&lt;/li&gt;



&lt;li&gt;&lt;strong&gt;Readable, &lt;span style="color: #b00020;"&gt;c&lt;/span&gt;&lt;span style="color: #0057b8;"&gt;o&lt;/span&gt;&lt;span style="color: #0b7a0b;"&gt;l&lt;/span&gt;&lt;span style="color: #8a4b00;"&gt;o&lt;/span&gt;&lt;span style="color: #6f42c1;"&gt;r&lt;/span&gt;&lt;span style="color: #007a7a;"&gt;e&lt;/span&gt;&lt;span style="color: #c2410c;"&gt;d&lt;/span&gt; output&lt;/strong&gt; by default (still respecting &lt;a href="https://no-color.org/"&gt;&lt;code&gt;NO_COLOR&lt;/code&gt;&lt;/a&gt; and degrading gracefully).&lt;/li&gt;



&lt;li&gt;&lt;strong&gt;A real scripting mode.&lt;/strong&gt; A global &lt;code&gt;--json&lt;/code&gt; flag emits &lt;a href="https://jsonlines.org/"&gt;JSONL&lt;/a&gt; instead of fully human-readable output when possible, to make it easier to use the tool for scripting purposes.&lt;/li&gt;



&lt;li&gt;&lt;strong&gt;Sensible defaults.&lt;/strong&gt; A few defaults have been changed, such as the metadata cache-age, or automatic cleanup of unused dependencies being enabled by default. This is more in line with current defaults by other tools and frontends. We also print package information in a slightly different, more readable way.&lt;/li&gt;



&lt;li&gt;&lt;strong&gt;Better handling of internationalized text&lt;/strong&gt;. Text should now align properly in the terminal window, and we should no longer have completely chaotic text output on non-English locales (especially Chinese/Japanese).&lt;/li&gt;
&lt;/ul&gt;



&lt;h2 class="wp-block-heading"&gt;Why not &lt;code&gt;pkgctl&lt;/code&gt;?&lt;/h2&gt;



&lt;p class="wp-block-paragraph"&gt;Originally, this tool was called &lt;code&gt;pkgctl&lt;/code&gt;, to match other common cross-distro tool names. However, that name was already taken by an &lt;a href="https://man.archlinux.org/man/pkgctl.1"&gt;Arch-specific distro development tool&lt;/a&gt;. When this issue was raised, we decided to just rename our tool to &lt;code&gt;pkgcli&lt;/code&gt; with the next release, to avoid the name clash on Arch Linux.&lt;/p&gt;



&lt;h2 class="wp-block-heading"&gt;Examples!&lt;/h2&gt;



&lt;p class="wp-block-paragraph"&gt;Here are some examples on how to use the new tool (some of which include the abridged output &lt;code&gt;pkgcli&lt;/code&gt; prints).&lt;/p&gt;



&lt;p class="wp-block-paragraph"&gt;Search for anything containing the string “editor” in name or description, then look at the details of one result:&lt;/p&gt;



&lt;pre class="wp-block-code"&gt;&lt;code&gt;$ pkgcli search editor
Querying                  [████████████████████████████████████████] 100%
&lt;span style="color: #00a;"&gt;▣&lt;/span&gt; &lt;span style="font-weight: bold;"&gt;ace-of-penguins&lt;/span&gt; &lt;span style="color: #555555;"&gt;1.5~rc2-7&lt;/span&gt;.&lt;span style="color: #555555;"&gt;amd64&lt;/span&gt; [&lt;span style="color: #555555;"&gt;debian-testing-main&lt;/span&gt;]
&lt;span style="color: #00a;"&gt;▣&lt;/span&gt; &lt;span style="font-weight: bold;"&gt;acorn-fdisk&lt;/span&gt; &lt;span style="color: #555555;"&gt;3.0.6-14&lt;/span&gt;.&lt;span style="color: #555555;"&gt;amd64&lt;/span&gt; [&lt;span style="color: #555555;"&gt;debian-testing-main&lt;/span&gt;]
&lt;span style="color: #00a;"&gt;▣&lt;/span&gt; &lt;span style="font-weight: bold;"&gt;ardour&lt;/span&gt; &lt;span style="color: #555555;"&gt;1:9.2.0+ds-1&lt;/span&gt;.&lt;span style="color: #555555;"&gt;amd64&lt;/span&gt; [&lt;span style="color: #555555;"&gt;debian-testing-main&lt;/span&gt;]
&lt;span style="color: #0a0;"&gt;✔&lt;/span&gt; &lt;span style="font-weight: bold;"&gt;audacity&lt;/span&gt; &lt;span style="color: #555555;"&gt;3.7.7+dfsg-1&lt;/span&gt;.&lt;span style="color: #555555;"&gt;amd64&lt;/span&gt; [&lt;span style="color: #555555;"&gt;manual:debian-testing-main&lt;/span&gt;]
&lt;span style="color: #0a0;"&gt;✔&lt;/span&gt; &lt;span style="font-weight: bold;"&gt;audacity-data&lt;/span&gt; &lt;span style="color: #555555;"&gt;3.7.7+dfsg-1&lt;/span&gt;.&lt;span style="color: #555555;"&gt;all&lt;/span&gt; [&lt;span style="color: #555555;"&gt;auto:debian-testing-main&lt;/span&gt;]
&lt;span style="color: #00a;"&gt;▣&lt;/span&gt; &lt;span style="font-weight: bold;"&gt;augeas-tools&lt;/span&gt; &lt;span style="color: #555555;"&gt;1.14.1-1.1&lt;/span&gt;.&lt;span style="color: #555555;"&gt;amd64&lt;/span&gt; [&lt;span style="color: #555555;"&gt;debian-testing-main&lt;/span&gt;]
&lt;span style="color: #00a;"&gt;▣&lt;/span&gt; &lt;span style="font-weight: bold;"&gt;emacs&lt;/span&gt; &lt;span style="color: #555555;"&gt;1:30.2+1-3&lt;/span&gt;.&lt;span style="color: #555555;"&gt;all&lt;/span&gt; [&lt;span style="color: #555555;"&gt;debian-testing-main&lt;/span&gt;]
&lt;span style="color: #00a;"&gt;▣&lt;/span&gt; &lt;span style="font-weight: bold;"&gt;gedit&lt;/span&gt; &lt;span style="color: #555555;"&gt;48.1-9+b1&lt;/span&gt;.&lt;span style="color: #555555;"&gt;amd64&lt;/span&gt; [&lt;span style="color: #555555;"&gt;debian-testing-main&lt;/span&gt;]
&lt;span style="color: #00a;"&gt;▣&lt;/span&gt; &lt;span style="font-weight: bold;"&gt;gedit-common&lt;/span&gt; &lt;span style="color: #555555;"&gt;48.1-9&lt;/span&gt;.&lt;span style="color: #555555;"&gt;all&lt;/span&gt; [&lt;span style="color: #555555;"&gt;debian-testing-main&lt;/span&gt;]
&lt;span style="color: #00a;"&gt;▣&lt;/span&gt; &lt;span style="font-weight: bold;"&gt;gedit-dev&lt;/span&gt; &lt;span style="color: #555555;"&gt;48.1-9+b1&lt;/span&gt;.&lt;span style="color: #555555;"&gt;amd64&lt;/span&gt; [&lt;span style="color: #555555;"&gt;debian-testing-main&lt;/span&gt;]
[...]

$ pkgcli show nano
&lt;span style="font-weight: bold;"&gt;Package:&lt;/span&gt; nano
&lt;span style="font-weight: bold;"&gt;Version:&lt;/span&gt; 9.0-1
&lt;span style="font-weight: bold;"&gt;Summary:&lt;/span&gt; small, friendly text editor inspired by Pico
&lt;span style="font-weight: bold;"&gt;Description:&lt;/span&gt; GNU nano is an easy-to-use text editor originally designed as
 a replacement for Pico, the ncurses-based editor from the non-free mailer
 package Pine.
[...]
&lt;span style="font-weight: bold;"&gt;URL:&lt;/span&gt; https://www.nano-editor.org/
&lt;span style="font-weight: bold;"&gt;Group:&lt;/span&gt; publishing
&lt;span style="font-weight: bold;"&gt;Installed Size:&lt;/span&gt; 2.9 MB
&lt;span style="font-weight: bold;"&gt;Download Size:&lt;/span&gt; 646.0 KB&lt;/code&gt;&lt;/pre&gt;



&lt;p class="wp-block-paragraph"&gt;Search only within package &lt;em&gt;names&lt;/em&gt; rather than descriptions:&lt;/p&gt;



&lt;pre class="wp-block-code"&gt;&lt;code&gt;$ pkgcli search name python3&lt;/code&gt;&lt;/pre&gt;



&lt;p class="wp-block-paragraph"&gt;Check for updates. &lt;code&gt;refresh&lt;/code&gt; updates the metadata, then &lt;code&gt;list-updates&lt;/code&gt; reports what’s available:&lt;/p&gt;



&lt;pre class="wp-block-code"&gt;&lt;code&gt;$ pkgcli refresh &amp;amp;&amp;amp; pkgcli list-updates
Loading cache            [████████████████████████████████████████] 100%
&lt;span style="color: #0aa;"&gt;▲&lt;/span&gt; &lt;span style="font-weight: bold;"&gt;cme&lt;/span&gt; &lt;span style="color: #555555;"&gt;1.048-1&lt;/span&gt;.&lt;span style="color: #555555;"&gt;all&lt;/span&gt; [&lt;span style="color: #555555;"&gt;debian-testing-main&lt;/span&gt;]
&lt;span style="color: #0aa;"&gt;▲&lt;/span&gt; &lt;span style="font-weight: bold;"&gt;gir1.2-gdm-1.0&lt;/span&gt; &lt;span style="color: #555555;"&gt;50.1-2&lt;/span&gt;.&lt;span style="color: #555555;"&gt;amd64&lt;/span&gt; [&lt;span style="color: #555555;"&gt;debian-testing-main&lt;/span&gt;]
&lt;span style="color: #0aa;"&gt;▲&lt;/span&gt; &lt;span style="font-weight: bold;"&gt;imagemagick&lt;/span&gt; &lt;span style="color: #555555;"&gt;8:7.1.2.24+dfsg1-1&lt;/span&gt;.&lt;span style="color: #555555;"&gt;amd64&lt;/span&gt; [&lt;span style="color: #555555;"&gt;debian-testing-main&lt;/span&gt;]
&lt;span style="color: #0aa;"&gt;▲&lt;/span&gt; &lt;span style="font-weight: bold;"&gt;imagemagick-7-common&lt;/span&gt; &lt;span style="color: #555555;"&gt;8:7.1.2.24+dfsg1-1&lt;/span&gt;.&lt;span style="color: #555555;"&gt;all&lt;/span&gt; [&lt;span style="color: #555555;"&gt;debian-testing-main&lt;/span&gt;]
&lt;span style="color: #0aa;"&gt;▲&lt;/span&gt; &lt;span style="font-weight: bold;"&gt;imagemagick-7.q16&lt;/span&gt; &lt;span style="color: #555555;"&gt;8:7.1.2.24+dfsg1-1&lt;/span&gt;.&lt;span style="color: #555555;"&gt;amd64&lt;/span&gt; [&lt;span style="color: #555555;"&gt;debian-testing-main&lt;/span&gt;]
&lt;span style="color: #0aa;"&gt;▲&lt;/span&gt; &lt;span style="font-weight: bold;"&gt;libdlrestrictions1&lt;/span&gt; &lt;span style="color: #555555;"&gt;0.22.0&lt;/span&gt;.&lt;span style="color: #555555;"&gt;amd64&lt;/span&gt; [&lt;span style="color: #555555;"&gt;debian-testing-main&lt;/span&gt;]
&lt;span style="color: #0aa;"&gt;▲&lt;/span&gt; &lt;span style="font-weight: bold;"&gt;libfftw3-bin&lt;/span&gt; &lt;span style="color: #555555;"&gt;3.3.11-1&lt;/span&gt;.&lt;span style="color: #555555;"&gt;amd64&lt;/span&gt; [&lt;span style="color: #555555;"&gt;debian-testing-main&lt;/span&gt;]
&lt;span style="color: #0aa;"&gt;▲&lt;/span&gt; &lt;span style="font-weight: bold;"&gt;libfftw3-dev&lt;/span&gt; &lt;span style="color: #555555;"&gt;3.3.11-1&lt;/span&gt;.&lt;span style="color: #555555;"&gt;amd64&lt;/span&gt; [&lt;span style="color: #555555;"&gt;debian-testing-main&lt;/span&gt;]&lt;/code&gt;&lt;/pre&gt;



&lt;p class="wp-block-paragraph"&gt;Explore relationships between packages:&lt;/p&gt;



&lt;pre class="wp-block-code"&gt;&lt;code&gt;$ pkgcli list-depends inkscape  &lt;span style="color: #6b6b6b;"&gt;# list what inkscape depends on&lt;/span&gt;
$ pkgcli list-requiring libappstream5  &lt;span style="color: #6b6b6b;"&gt;# list what requires libappstream5&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;



&lt;p class="wp-block-paragraph"&gt;Find the package that provides a capability, here the AV1 GStreamer decoder:&lt;/p&gt;



&lt;pre class="wp-block-code"&gt;&lt;code&gt;$ pkgcli what-provides "gstreamer1(decoder-video/x-av1)"
&lt;span style="color: #0a0;"&gt;✔&lt;/span&gt; &lt;span style="font-weight: bold;"&gt;gstreamer1.0-plugins-bad&lt;/span&gt; &lt;span style="color: #555555;"&gt;1.28.3-1&lt;/span&gt;.&lt;span style="color: #555555;"&gt;amd64&lt;/span&gt; [&lt;span style="color: #555555;"&gt;auto:debian-testing-main&lt;/span&gt;]&lt;/code&gt;&lt;/pre&gt;



&lt;p class="wp-block-paragraph"&gt;You can also have JSON output for most commands! Attach &lt;code&gt;--json&lt;/code&gt; to any query and pipe the result straight into &lt;a href="https://jqlang.github.io/jq/"&gt;&lt;code&gt;jq&lt;/code&gt;&lt;/a&gt;. Each line is a self-contained JSON object:&lt;/p&gt;



&lt;pre class="wp-block-code"&gt;&lt;code&gt;$ pkgcli --json list-updates | jq -r '.name'
cme
gir1.2-gdm-1.0
imagemagick
imagemagick-7-common
imagemagick-7.q16
libdlrestrictions1
libfftw3-bin
libfftw3-dev
libfftw3-double3&lt;/code&gt;&lt;/pre&gt;



&lt;h2 class="wp-block-heading"&gt;Try it&lt;/h2&gt;



&lt;p class="wp-block-paragraph"&gt;&lt;code&gt;pkgcli&lt;/code&gt; is built by default alongside the rest of PackageKit since PackageKit 1.3.4. If your distribution ships a recent enough PackageKit, it should already be on your &lt;code&gt;PATH&lt;/code&gt;. You can read its man page &lt;code&gt;man pkgcli&lt;/code&gt; for more information. Feedback, bug reports, and patches are &lt;a href="https://github.com/PackageKit/PackageKit/pulls"&gt;very welcome&lt;/a&gt;.&lt;/p&gt; </description> 
	<pubDate>Sun, 14 Jun 2026 06:22:00 +0000</pubDate>

</item> 
<item>
	<title>Gunnar Wolf: Rey Ubu - Carro de Comedias, UNAM</title>
	<guid>https://gwolf.org/2026/06/rey-ubu-carro-de-comedias-unam.html</guid>
	<link>https://gwolf.org/2026/06/rey-ubu-carro-de-comedias-unam.html</link>
     <description>  &lt;img src="http://planet.debian.org/heads/gwolf.png" width="69" height="83" alt="" align="right" style="float: right;"&gt;  &lt;p&gt;Today we went to see a theater play in UNAM’s Cultural Center, very near
our home. No, not inside any of the theaters — &lt;a href="https://osm.org/go/S8c~P~7RY?m="&gt;in the square just between
Sala Nezahualcóyotl, Foro Sor Juana and Sala Carlos
Chávez.&lt;/a&gt;. So, yes, not only we had fun,
but we had fun for free!&lt;/p&gt;

&lt;p&gt;&lt;a href="https://gwolf.org/files/2026-06/rey_ubu.jpg"&gt;&lt;img alt="Announcement" src="https://gwolf.org/files/2026-06/rey_ubu.200.jpg" /&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;UNAM’s &lt;a href="https://elanfiteatro.mx/p/carro-de-comedias-de-la-unam"&gt;El Carro de
Comedias&lt;/a&gt; is an
itinerant theater company that often presents in this same spot (but you
can see the stage is foldable, and they do have presentations elsewhere, of
this same play even). I went with my family, and we enjoyed a very fun
adaptation of this great play (written by teenager Alfred Jarry in
1894). One of those plays that could be inspired any day by current
geopolitical events…&lt;/p&gt;

&lt;p&gt;I know most of the people that happen to stumble upon my blog are not in
Mexico City. But if you happen to be here, do consider going to their
function. &lt;a href="https://teatrounam.com.mx/teatro/entradasteatro/ubu-rey/#calendario"&gt;Check their
schedule&lt;/a&gt;;
being it an itinerating show, they can also be found at other places, but
they are scheduled at the same place we saw them, every Saturday and Sunday
until June 28, 11:00AM. They mentioned they will likely continue during
August, but AFAICT it is not confirmed (or, at least, announced) yet.&lt;/p&gt;

&lt;p&gt;Some pics, shot randomly by me throughout the play:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://gwolf.org/files/2026-06/first_call.jpg"&gt;&lt;img alt="Announcement" src="https://gwolf.org/files/2026-06/first_call.400.jpg" /&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://gwolf.org/files/2026-06/first_call.jpg"&gt;&lt;img alt="First_call" src="https://gwolf.org/files/2026-06/first_call.400.jpg" /&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://gwolf.org/files/2026-06/accordion.jpg"&gt;&lt;img alt="Accordion" src="https://gwolf.org/files/2026-06/accordion.400.jpg" /&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://gwolf.org/files/2026-06/mom.jpg"&gt;&lt;img alt="Mom" src="https://gwolf.org/files/2026-06/mom.400.jpg" /&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://gwolf.org/files/2026-06/announce.jpg"&gt;&lt;img alt="Announce" src="https://gwolf.org/files/2026-06/announce.400.jpg" /&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://gwolf.org/files/2026-06/plotting.jpg"&gt;&lt;img alt="Plotting" src="https://gwolf.org/files/2026-06/plotting.400.jpg" /&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://gwolf.org/files/2026-06/audience.jpg"&gt;&lt;img alt="Audience" src="https://gwolf.org/files/2026-06/audience.400.jpg" /&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://gwolf.org/files/2026-06/wenceslao.jpg"&gt;&lt;img alt="Wenceslao" src="https://gwolf.org/files/2026-06/wenceslao.400.jpg" /&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://gwolf.org/files/2026-06/attack.jpg"&gt;&lt;img alt="Attack" src="https://gwolf.org/files/2026-06/attack.400.jpg" /&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://gwolf.org/files/2026-06/grumpy.jpg"&gt;&lt;img alt="Grumpy" src="https://gwolf.org/files/2026-06/grumpy.400.jpg" /&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://gwolf.org/files/2026-06/ministers.jpg"&gt;&lt;img alt="Ministers" src="https://gwolf.org/files/2026-06/ministers.400.jpg" /&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://gwolf.org/files/2026-06/council.jpg"&gt;&lt;img alt="Council" src="https://gwolf.org/files/2026-06/council.400.jpg" /&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://gwolf.org/files/2026-06/message.jpg"&gt;&lt;img alt="Message" src="https://gwolf.org/files/2026-06/message.400.jpg" /&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://gwolf.org/files/2026-06/russian.jpg"&gt;&lt;img alt="Russian" src="https://gwolf.org/files/2026-06/russian.400.jpg" /&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://gwolf.org/files/2026-06/soldiers.jpg"&gt;&lt;img alt="Soldiers" src="https://gwolf.org/files/2026-06/soldiers.400.jpg" /&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://gwolf.org/files/2026-06/all.jpg"&gt;&lt;img alt="All" src="https://gwolf.org/files/2026-06/all.400.jpg" /&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://gwolf.org/files/2026-06/end.jpg"&gt;&lt;img alt="End" src="https://gwolf.org/files/2026-06/end.400.jpg" /&gt;&lt;/a&gt;&lt;/p&gt; </description> 
	<pubDate>Sat, 13 Jun 2026 19:55:32 +0000</pubDate>

</item> 
<item>
	<title>Mike Gabriel: Ayatana Indicators: Call for Translations</title>
	<guid>https://sunweavers.net/157 at https://sunweavers.net/blog</guid>
	<link>https://sunweavers.net/blog/node/157</link>
     <description>  &lt;img src="http://planet.debian.org/heads/sunweaver.png" width="82" height="82" alt="" align="right" style="float: right;"&gt;  &lt;p&gt;In the process of preparing a major Ubuntu Touch release (v24.04-2.0, coming soon...) we will also update Ayatana Indicators in Ubuntu Touch.&lt;/p&gt;

&lt;p&gt;Last week various new features have been added to some of the indicators (toggle switch to keep the display switched on permanently, blue tooth pairing agent, redesign of the keyboard indicator, etc.) and those changes require translation updates.&lt;/p&gt;

&lt;p&gt;If you can, please visit [1] this weekend and help translating Ayatana Indicators into your native language. Thanks so much!!!&lt;/p&gt;

&lt;p&gt;light+love&lt;br /&gt;
Mike&lt;/p&gt;

&lt;p&gt;[1] &lt;a href="https://hosted.weblate.org/projects/ayatana-indicators/" title="https://hosted.weblate.org/projects/ayatana-indicators/"&gt;https://hosted.weblate.org/projects/ayatana-indicators/&lt;/a&gt;&lt;/p&gt; </description> 
	<pubDate>Fri, 12 Jun 2026 21:50:34 +0000</pubDate>

</item> 
<item>
	<title>Tim Retout: seL4 clock magic</title>
	<guid>https://retout.co.uk/2026/06/12/sel4-clock-magic/</guid>
	<link>https://retout.co.uk/2026/06/12/sel4-clock-magic/</link>
     <description>  &lt;p&gt;I have been looking at seL4 some more recently, and had &lt;a href="https://github.com/seL4/seL4/commit/c1c9dd5bff69f5ea078d341a47555ad485808ab4"&gt;a small
patch&lt;/a&gt;
merged today to remove a legacy Python module from a helper script.
(I was trying to run the script on a system without that module
installed, and it was almost easier to patch it out.)&lt;/p&gt;
&lt;p&gt;However, the more I think about this code and how it’s used, the more
it seems wrong on at least five other levels.&lt;/p&gt;
&lt;p&gt;The patch itself is quite uninteresting; this script was importing the
&lt;code&gt;past&lt;/code&gt; module (part of &lt;code&gt;future&lt;/code&gt;?) to use the &lt;code&gt;xrange&lt;/code&gt; function.
Python 2 used to have separate &lt;code&gt;xrange&lt;/code&gt; and &lt;code&gt;range&lt;/code&gt; functions, where
&lt;code&gt;range&lt;/code&gt; returned a list in memory while &lt;code&gt;xrange&lt;/code&gt; generated an
iterator.  Because this seL4 script is iterating over a large range of
values, it’s important the list is not generated in-memory.  But
Python 3 removed the &lt;code&gt;xrange&lt;/code&gt; function and just has &lt;code&gt;range&lt;/code&gt; return an
object, so it’s trivial to avoid the module import.&lt;/p&gt;
&lt;p&gt;Having thought carefully some more about the specific line, there’s
surely an off-by-one error in it - &lt;code&gt;range&lt;/code&gt; iterates over 0 to n-1, so
this line shouldn’t be subtracting one if it’s looking to test all
32-bit values:&lt;/p&gt;
&lt;div class="code-block-wrapper"&gt;&lt;div class="highlight"&gt;&lt;pre tabindex="0"&gt;&lt;code class="language-python"&gt;&lt;span style="display: flex;"&gt;&lt;span&gt;    &lt;span style="color: #66d9ef;"&gt;for&lt;/span&gt; i &lt;span style="color: #f92672;"&gt;in&lt;/span&gt; range(&lt;span style="color: #ae81ff;"&gt;2&lt;/span&gt;&lt;span style="color: #f92672;"&gt;**&lt;/span&gt;&lt;span style="color: #ae81ff;"&gt;32&lt;/span&gt;&lt;span style="color: #f92672;"&gt;-&lt;/span&gt;&lt;span style="color: #ae81ff;"&gt;1&lt;/span&gt;):&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;
&lt;p&gt;But then again, this is being used for a ‘sanity check’ of a magic bit
shift algorithm that speeds up division operations to convert CPU
ticks to microseconds on 32-bit arm platforms.  Surely if the
algorithm’s good, it shouldn’t be necessary to validate it
exhaustively against every possible 32-bit value?&lt;/p&gt;
&lt;p&gt;Also, 32 bits isn’t enough, because this is 64-bit division.
&lt;code&gt;include/api/types.h&lt;/code&gt; shows that &lt;code&gt;ticks_t&lt;/code&gt; is always a &lt;code&gt;uint64_t&lt;/code&gt;, so
if this were a proof by exhaustion it should run to 2**64 (though that
would take infeasibly long).&lt;/p&gt;
&lt;p&gt;As discussed in &lt;a href="https://github.com/seL4/seL4/issues/1352"&gt;issue
#1352&lt;/a&gt;, lots of people have
been running this code with the wrong divisor anyway.  But because the
bit shift path is only used on 32-bit platforms, it’s not clear to me
that there’s even any point in specifying CLK_SHIFT/MAGIC on platforms
which are 64-bit only (e.g. the tx2 port).&lt;/p&gt;
&lt;p&gt;And to follow this rabbit hole to the very end, in comments on &lt;a href="https://github.com/seL4/seL4/pull/1435#issuecomment-2813656622"&gt;PR
#1435&lt;/a&gt;
and &lt;a href="https://github.com/seL4/seL4/issues/1509"&gt;issue #1509&lt;/a&gt; it’s clear
that the future of this code is to remove it, as it’s 1. unnecessarily
clever (on 64-bit platforms the equivalent code just uses a division,
so performance can’t be that important), and 2. the entire concept of
converting to microseconds breaks the seL4 principle of not
abstracting away details of the hardware.&lt;/p&gt;
&lt;p&gt;So this has left me unclear on whether my small patch was a good thing
or not, but I certainly learnt something about this corner of seL4
timer handling.  And I’ve ordered a copy of “Hacker’s Delight” on the
recommendation of a code comment.&lt;/p&gt; </description> 
	<pubDate>Fri, 12 Jun 2026 16:45:40 +0000</pubDate>

</item> 
<item>
	<title>Reproducible Builds (diffoscope): diffoscope 319 released</title>
	<guid>https://diffoscope.org/news/diffoscope-319-released/</guid>
	<link>https://diffoscope.org/news/diffoscope-319-released/</link>
     <description>  &lt;p&gt;The diffoscope maintainers are pleased to announce the release of diffoscope
version &lt;code class="language-plaintext highlighter-rouge"&gt;319&lt;/code&gt;. This version includes the following changes:&lt;/p&gt;

&lt;div class="language-plaintext highlighter-rouge"&gt;&lt;div class="highlight"&gt;&lt;pre class="highlight"&gt;&lt;code&gt;[ Jochen Sprickerhof ]
* Improve header detection for Sphinx documentation projects.
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;You find out more by &lt;a href="https://diffoscope.org"&gt;visiting the project homepage&lt;/a&gt;.&lt;/p&gt; </description> 
	<pubDate>Fri, 12 Jun 2026 00:00:00 +0000</pubDate>

</item> 
<item>
	<title>Michael Ablassmeier: vmsync</title>
	<guid>https://abbbi.github.io//sync</guid>
	<link>https://abbbi.github.io//sync/</link>
     <description>  &lt;p&gt;I’ve been asked a few times if it would be possible to use
&lt;a href="https://github.com/abbbi/virtnbdbackup"&gt;virtnbdbackup&lt;/a&gt; as some kind of
“replication” utility, to keep cold standby virtual machines on other libvirt
hosts.&lt;/p&gt;

&lt;p&gt;Usually i would tell to use underlying filesystem features (such as zfs
send/recv, with incremental snapshots) to keep cold, standby copies on other
hosts.&lt;/p&gt;

&lt;p&gt;As for qcow based virtual machines, using the dirty bitmaps is not only a valid
feature to create backups, but to (incrementally) replicate virtual machines,
too.&lt;/p&gt;

&lt;p&gt;I’ve released &lt;a href="https://github.com/abbbi/vmsync"&gt;vmsync&lt;/a&gt;. A small golang utility
that implements a simple replication tool using the NBD protocol to sync
virtual machines to other hosts.&lt;/p&gt; </description> 
	<pubDate>Thu, 11 Jun 2026 00:00:00 +0000</pubDate>

</item> 
<item>
	<title>Mike Gabriel: Future of libayatana-appindicator (v0.6.0 released today)</title>
	<guid>https://sunweavers.net/156 at https://sunweavers.net/blog</guid>
	<link>https://sunweavers.net/blog/node/156</link>
     <description>  &lt;img src="http://planet.debian.org/heads/sunweaver.png" width="82" height="82" alt="" align="right" style="float: right;"&gt;  &lt;p&gt;Some of you might have noticed that the recent (or rather: previous) version of libayatana-appindicator (v0.5.94) notified users and developers of the library being deprecated.&lt;/p&gt;

&lt;p&gt;This short post is to notify you, that with today's libayatana-appindicator v0.6.0 release [1] this deprecation warning has now been removed again. Another new feature (added to AppIndicator without ABI breakage) is tooltip support. The new package version has just been uploaded to Debian experimental. Please test if your application (if it gets linked against libayatana-appindicator) continues to work flawlessly. Thanks!&lt;/p&gt;

&lt;p&gt;libayatana-appindicator will receive continued support until GTK-3 becomes end-of-life (because libayatana-appindicator has a baked-in GTK-3 dependency which should not be ported to GTK-4 imho). That said, in the future, GTK-3 applications can continue using libayatana-appindicator for sending AppIndicator-like icons and menus over DBus to KStatusNotifierItem-based system tray renderers.&lt;/p&gt;

&lt;p&gt;If you are looking for an AppIndicator implementation for GTK-4 applications (or other), I'd like to encourage you to help making libayatana-appindicator-glib [2] a new standard (can be used in GTK and Qt applications alike, implementation is using pure Glib-2.0). Currently, there is only one renderer (ayatana-indicator-application), so more work needs to be done on the renderers' side. (One of the next work items here is to get AppIndicator-Glib support working in Lomiri's desktop/windowed mode).&lt;/p&gt;

&lt;p&gt;[1] &lt;a href="https://github.com/AyatanaIndicators/libayatana-appindicator/releases/tag/0.6.0" title="https://github.com/AyatanaIndicators/libayatana-appindicator/releases/tag/0.6.0"&gt;https://github.com/AyatanaIndicators/libayatana-appindicator/releases/ta...&lt;/a&gt;&lt;br /&gt;
[2] &lt;a href="https://github.com/AyatanaIndicators/libayatana-appindicator-glib/" title="https://github.com/AyatanaIndicators/libayatana-appindicator-glib/"&gt;https://github.com/AyatanaIndicators/libayatana-appindicator-glib/&lt;/a&gt;&lt;/p&gt; </description> 
	<pubDate>Wed, 10 Jun 2026 20:15:00 +0000</pubDate>

</item> 
<item>
	<title>Colin Watson: Free software activity in May 2026</title>
	<guid>tag:www.chiark.greenend.org.uk,2026-06-10:/~cjwatson/blog/activity-2026-05.html</guid>
	<link>https://www.chiark.greenend.org.uk/~cjwatson/blog/activity-2026-05.html</link>
     <description>  &lt;img src="http://planet.debian.org/heads/cjwatson.png" width="70" height="82" alt="" align="right" style="float: right;"&gt;  &lt;p&gt;My Debian contributions this month were all &lt;a href="https://www.freexian.com/about/debian-contributions/"&gt;sponsored&lt;/a&gt; by Freexian.&lt;/p&gt;
&lt;p&gt;You can also support my work directly via &lt;a href="https://liberapay.com/cjwatson"&gt;Liberapay&lt;/a&gt; or &lt;a href="https://github.com/sponsors/cjwatson"&gt;GitHub Sponsors&lt;/a&gt;.&lt;/p&gt;
&lt;h2&gt;OpenSSH&lt;/h2&gt;
&lt;p&gt;I backported various security fixes from 10.3 to &lt;a href="https://bugs.debian.org/1135624"&gt;trixie&lt;/a&gt;, &lt;a href="https://bugs.debian.org/1135658"&gt;bookworm&lt;/a&gt;, &lt;a href="https://lists.debian.org/debian-lts-announce/2026/05/msg00030.html"&gt;bullseye&lt;/a&gt;, &lt;a href="https://www.freexian.com/lts/extended/updates/ela-1720-1-openssh/"&gt;buster&lt;/a&gt;, and &lt;a href="https://www.freexian.com/lts/extended/updates/ela-1721-1-openssh/"&gt;stretch&lt;/a&gt;.  For trixie, I also backported several IPQoS fixes to line up with upstream’s traffic management settings and drop a rather hacky Debian-specific patch; this needed a &lt;a href="https://bugs.debian.org/1135798"&gt;quick follow-up fix&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;I upgraded trixie-backports to 10.3.&lt;/p&gt;
&lt;p&gt;I fixed &lt;a href="https://bugs.debian.org/1136545"&gt;openssh uses pidof but does not depend on procps&lt;/a&gt;.&lt;/p&gt;
&lt;h2&gt;PuTTY&lt;/h2&gt;
&lt;p&gt;I upgraded from 0.83 to 0.84.&lt;/p&gt;
&lt;h2&gt;Python packaging&lt;/h2&gt;
&lt;p&gt;New upstream versions:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;bitstruct&lt;/li&gt;
&lt;li&gt;ormar&lt;/li&gt;
&lt;li&gt;pdm (fixing a &lt;a href="https://bugs.debian.org/1134304"&gt;build failure&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;pydantic&lt;/li&gt;
&lt;li&gt;pydantic-core&lt;/li&gt;
&lt;li&gt;pydantic-settings&lt;/li&gt;
&lt;li&gt;pyglet (fixing a &lt;a href="https://bugs.debian.org/1137404"&gt;build failure&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;python-asyncssh&lt;/li&gt;
&lt;li&gt;python-bitarray&lt;/li&gt;
&lt;li&gt;python-btrees&lt;/li&gt;
&lt;li&gt;python-build&lt;/li&gt;
&lt;li&gt;python-certifi&lt;/li&gt;
&lt;li&gt;python-charset-normalizer (fixing a &lt;a href="https://bugs.debian.org/1135452"&gt;build failure&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;python-fakeredis (&lt;a href="https://github.com/cunla/fakeredis-py/pull/485"&gt;contributed supporting fix upstream&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;python-holidays&lt;/li&gt;
&lt;li&gt;python-jsonschema-path&lt;/li&gt;
&lt;li&gt;python-memray (fixing a &lt;a href="https://bugs.debian.org/1135455"&gt;build failure&lt;/a&gt; and &lt;a href="https://bugs.debian.org/1131372"&gt;&lt;span class="caps"&gt;CVE&lt;/span&gt;-2026-32722&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;python-openapi-schema-validator&lt;/li&gt;
&lt;li&gt;python-pathable&lt;/li&gt;
&lt;li&gt;python-persistent&lt;/li&gt;
&lt;li&gt;python-pyftpdlib&lt;/li&gt;
&lt;li&gt;python-pytest-run-parallel&lt;/li&gt;
&lt;li&gt;sorl-thumbnail&lt;/li&gt;
&lt;li&gt;twisted&lt;/li&gt;
&lt;li&gt;zope.interface&lt;/li&gt;
&lt;li&gt;zope.proxy&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Other build/test failures:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="https://bugs.debian.org/1137485"&gt;beets&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://bugs.debian.org/1135497"&gt;buildbot&lt;/a&gt; (&lt;a href="https://github.com/buildbot/buildbot/pull/9051"&gt;contributed upstream&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://bugs.debian.org/1131097"&gt;dep-logic&lt;/a&gt; (&lt;a href="https://github.com/pdm-project/dep-logic/pull/17"&gt;contributed upstream&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://bugs.debian.org/1135392"&gt;diskcache&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://bugs.debian.org/1135500"&gt;khard&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://bugs.debian.org/1137583"&gt;matplotlib&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://bugs.debian.org/1137488"&gt;mkdocs-rss-plugin&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;ormar: compatibility with &lt;a href="https://bugs.debian.org/1133964"&gt;fastapi 0.125&lt;/a&gt; and &lt;a href="https://bugs.debian.org/1136865"&gt;pydantic 2.13&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://bugs.debian.org/1135445"&gt;pgzero&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://bugs.debian.org/1137501"&gt;py7zr&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://salsa.debian.org/python-team/packages/pydantic-extra-types/-/commit/858c65cb47b4fe03b080f79c99fa785282fd740c"&gt;pydantic-extra-types&lt;/a&gt; (&lt;a href="https://github.com/pydantic/pydantic-extra-types/pull/394"&gt;contributed upstream&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://bugs.debian.org/1136922"&gt;pydata-sphinx-theme&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://bugs.debian.org/1135454"&gt;python-invocations&lt;/a&gt; (&lt;a href="https://github.com/pyinvoke/invocations/pull/47"&gt;contributed upstream&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://bugs.debian.org/1134305"&gt;python-localzone&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://bugs.debian.org/1135831"&gt;python-maturin&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://bugs.debian.org/1135447"&gt;python-nacl&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://bugs.debian.org/1123283"&gt;python-pampy&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://bugs.debian.org/1135507"&gt;python-treq&lt;/a&gt; (&lt;a href="https://github.com/twisted/treq/pull/426"&gt;contributed upstream&lt;/a&gt;, including &lt;a href="https://github.com/twisted/treq/pull/428"&gt;fixing some &lt;span class="caps"&gt;CI&lt;/span&gt; bitrot&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://bugs.debian.org/1122914"&gt;python-txrequests&lt;/a&gt; (&lt;a href="https://github.com/tardyp/txrequests/pull/11"&gt;contributed upstream&lt;/a&gt;)&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Other bugs:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="https://bugs.debian.org/1083325"&gt;buildbot: (Build-)depends on deprecated module python3-pkg-resources&lt;/a&gt; (&lt;a href="https://github.com/buildbot/buildbot/pull/9048"&gt;contributed upstream&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://bugs.debian.org/1135182"&gt;pysodium: Depends on cruft package libsodium&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://bugs.debian.org/1106749"&gt;python-fakeredis: lua support not working, breaking django-redis cache locking&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://salsa.debian.org/cpython-team/python3/-/merge_requests/43"&gt;python3.14: Drop libnsl-dev build-dependency&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;I updated python-treq upstream to &lt;a href="https://github.com/twisted/treq/pull/430"&gt;stop vendoring multipart&lt;/a&gt;, now that the packaging issues with that have been sorted out.&lt;/p&gt;
&lt;h2&gt;Code reviews&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="https://bugs.debian.org/1135891"&gt;debmirror: User-Agent blocked by Ubuntu/Launchpad repositories&lt;/a&gt; (uploaded, and &lt;a href="https://bugs.debian.org/1135937"&gt;cherry-picked into trixie&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://salsa.debian.org/python-team/packages/pydantic/-/merge_requests/1"&gt;pydantic: Fix &lt;span class="caps"&gt;CVE&lt;/span&gt;-2024-3772 in bookworm&lt;/a&gt; (merged and uploaded)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://salsa.debian.org/python-team/packages/pyodbc/-/merge_requests/3"&gt;pyodbc: Run SQLite tests&lt;/a&gt; (merged and uploaded)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://salsa.debian.org/python-team/packages/python-jsonschema-path/-/merge_requests/1"&gt;python-jsonschema-path: Transition to starlette 1.0&lt;/a&gt; (merged and uploaded)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://bugs.debian.org/1131976"&gt;python-maison: &lt;span class="caps"&gt;FTBFS&lt;/span&gt; with the nocheck build profile&lt;/a&gt; (followed up to fix the &lt;code&gt;nodoc&lt;/code&gt; build profile as well)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://salsa.debian.org/python-team/packages/python-openapi-core/-/merge_requests/1"&gt;python-openapi-core: Transition to starlette 1.0&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://salsa.debian.org/python-team/packages/python-openapi-schema-validator/-/merge_requests/1"&gt;python-openapi-schema-validator: Transition to starlette 1.0&lt;/a&gt; (merged and uploaded)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://salsa.debian.org/python-team/packages/python-openapi-spec-validator/-/merge_requests/1"&gt;python-openapi-spec-validator: Transition to starlette 1.0&lt;/a&gt; (merged and uploaded)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://salsa.debian.org/python-team/packages/python-pathable/-/merge_requests/1"&gt;python-pathable: Transition to starlette 1.0&lt;/a&gt; (merged and uploaded)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://salsa.debian.org/python-team/packages/python-rich-argparse/-/merge_requests/3"&gt;python-rich-argparse: New upstream version 1.8.0&lt;/a&gt; (merged and uploaded)&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Other bits and pieces&lt;/h2&gt;
&lt;p&gt;I contributed a debian-policy patch to &lt;a href="https://bugs.debian.org/1138005"&gt;fix several links related to build profiles&lt;/a&gt;.&lt;/p&gt; </description> 
	<pubDate>Wed, 10 Jun 2026 15:10:16 +0000</pubDate>

</item> 
<item>
	<title>Vincent Bernat: Blogging with LLMs as a non-native speaker</title>
	<guid>http://www.luffy.cx/en/blog/2026-blogging-llm.html</guid>
	<link>https://vincent.bernat.ch/en/blog/2026-blogging-llm</link>
     <description>  &lt;p&gt;&lt;abbr title="Artificial Intelligence"&gt;AI&lt;/abbr&gt; slop is invading the web. A recent story about &lt;a href="https://lobste.rs/s/29pm2f/llm_generated_submissions_should_be" title="LLM generated submissions should be disallowed"&gt;disallowing &lt;abbr title="Large Language Model"&gt;LLM&lt;/abbr&gt;-generated
submissions&lt;/a&gt; on &lt;a href="https://lobste.rs/" title="Lobsters"&gt;Lobsters&lt;/a&gt; triggered a lot of debate. My personal worst
offenders are &lt;a href="https://www.linkedin.com/"&gt;LinkedIn&lt;/a&gt; articles with &lt;abbr title="Artificial Intelligence"&gt;AI&lt;/abbr&gt;-generated images and uninspired
articles filled with emojis from people trying to masquerade as experts on a
subject they don’t care enough to write themselves. While I am unhappy about
this situation, I rely on &lt;abbr title="Large Language Models"&gt;LLMs&lt;/abbr&gt; for &lt;strong&gt;grammar&lt;/strong&gt;, &lt;strong&gt;copyediting&lt;/strong&gt;, and
&lt;strong&gt;translation&lt;/strong&gt;. I don’t see this as a contradiction.&lt;/p&gt;
&lt;p&gt;I am a native French speaker, but I blog in both English and French. When I
started writing this blog in 2011, I was composing in &lt;a href="https://vincent.bernat.ch/fr/blog/2011-migration-vers-github" title="Migration de Trac vers GitHub"&gt;French&lt;/a&gt; and translating
to &lt;a href="https://vincent.bernat.ch/en/blog/2011-migrating-to-github" title="Migrating from Trac to GitHub"&gt;English&lt;/a&gt;, but I found it was &lt;a href="https://sci-hub.fr/10.1016/j.jslw.2009.06.003" title="L1 use during L2 writing: An empirical study of a complex phenomenon"&gt;better to work in the reverse order&lt;/a&gt; to
avoid unnatural and non-idiomatic constructions. One of my goals is to write
“good” English but I never felt it was my strong point.&lt;sup id="fnref-book"&gt;&lt;a class="footnote-ref" href="https://vincent.bernat.ch#fn-book"&gt;1&lt;/a&gt;&lt;/sup&gt; For example, verb
tenses are often an issue, even if I mostly stick with the present tense. I
learn the rules and forget them right away. I also don’t feel like &lt;a href="https://mtlynch.io/editor/" title="How I Hired a Freelance Editor for My Blog"&gt;hiring an
editor&lt;/a&gt; for something I see as a hobby.&lt;/p&gt;
&lt;p&gt;As an example, I have kept the history of the successive iterations when writing
“&lt;a href="https://vincent.bernat.ch/en/blog/2026-akvorado-rib-sharding" title="Scaling Akvorado BMP RIB with sharding"&gt;Scaling Akvorado BMP RIB with sharding&lt;/a&gt;”:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;the &lt;a href="https://github.com/vincentbernat/vincent.bernat.ch/commit/aad263c20c7b021b1069952d1487374ff559d3b3" title="article: Akvorado BMP RIB with sharding"&gt;first draft&lt;/a&gt;, authored with the help of a thesaurus,&lt;sup id="fnref-kagi"&gt;&lt;a class="footnote-ref" href="https://vincent.bernat.ch#fn-kagi"&gt;2&lt;/a&gt;&lt;/sup&gt;&lt;/li&gt;
&lt;li&gt;the &lt;a href="https://github.com/vincentbernat/vincent.bernat.ch/commit/11231af4be15160c1dd48e45c9b4dc7c042cf191" title="content: copyediting of Akvorado BMP RIB article"&gt;edited copy&lt;/a&gt; revised by the &lt;a href="https://github.com/vincentbernat/vincent.bernat.ch/blob/latest/.claude/skills/edit/SKILL.md"&gt;copyediting skill&lt;/a&gt;,&lt;/li&gt;
&lt;li&gt;the &lt;a href="https://github.com/vincentbernat/vincent.bernat.ch/commit/0435ae3a8450132abb89507e856a012831457e49" title="article: Akvorado BMP RIB in French"&gt;translation to French&lt;/a&gt; generated with the &lt;a href="https://github.com/vincentbernat/vincent.bernat.ch/blob/latest/.claude/skills/translate/SKILL.md"&gt;translation
   skill&lt;/a&gt;, and&lt;/li&gt;
&lt;li&gt;the &lt;a href="https://github.com/vincentbernat/vincent.bernat.ch/commit/c0629b1d9fe450335fcd30c071fb44301615dd15" title="content: human proofread of the French translation"&gt;human proofread of the French translation&lt;/a&gt;, with minor
   edits to the English version.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;I know that &lt;abbr title="Large Language Models"&gt;LLMs&lt;/abbr&gt; may &lt;a href="https://sites.google.com/view/llmwritingdistortion/home" title="How LLMs Distort Our Written Language"&gt;alter the author’s voice when editing&lt;/a&gt;, but the
corrections in the second step are minor. The prompt asks to “apply light
stylistic edits,” with some guidance around avoiding passive voice, long
sentences, bland verbs, and filler words. It also defines the target audience:
technical with a B2 level in English.&lt;/p&gt;
&lt;p&gt;In the following excerpt, I used “long time” instead of “long-standing.” The
former is missing a hyphen and applies to people—a &lt;a href="https://dictionary.cambridge.org/us/dictionary/english/long-time" title="Definition of long-time in the Cambridge Dictionary"&gt;long-time&lt;/a&gt; friend, while
the later relates to a situation—a &lt;a href="https://dictionary.cambridge.org/us/dictionary/english/long-standing" title="Definition of long-standing in the Cambridge Dictionary"&gt;long-standing&lt;/a&gt; agreement. I had a hard
time understanding the reason of the second change: the &lt;abbr title="Large Language Model"&gt;LLM&lt;/abbr&gt; prefers a
&lt;a href="https://dictionary.cambridge.org/us/grammar/british-grammar/relative-clauses-defining-and-non-defining" title="Relative clauses: defining and non-defining"&gt;defining relative clause&lt;/a&gt; to provide the definition of “RIB sharding.”&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;As the Internet routing table contains more than 1 million routes, Akvorado
needs to scale to tens of millions of routes. This has been a &lt;del&gt;long
time&lt;/del&gt; &lt;ins&gt;long-standing&lt;/ins&gt; challenge, but I expect this issue is now
fixed by using RIB sharding, a method &lt;del&gt;to split&lt;/del&gt; &lt;ins&gt;that
splits&lt;/ins&gt; the routing database into several parts to enable concurrent
updates.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;In the next modification, the &lt;abbr title="Large Language Model"&gt;LLM&lt;/abbr&gt; puts “device” instead of “equipment.” This is
correct as “&lt;a href="https://dictionary.cambridge.org/us/dictionary/english/equipment" title="Definition of equipment in the Cambridge Dictionary"&gt;equipment&lt;/a&gt;” is an uncountable noun. I know that, but I still fall
into this trap.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;When Akvorado does not find a route from a specific device, it falls back to a
route sent by another &lt;del&gt;equipment&lt;/del&gt; &lt;ins&gt;device&lt;/ins&gt;.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;I ask the &lt;abbr title="Large Language Model"&gt;LLM&lt;/abbr&gt; to use “descriptive verbs” and it complies by replacing a
multi-word predicate with a lexically rich verb:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;The benchmarks demonstrate it &lt;del&gt;has better performance than&lt;/del&gt;
&lt;ins&gt;outperforms&lt;/ins&gt; other &lt;del&gt;packages, both&lt;/del&gt; &lt;ins&gt;packages&lt;/ins&gt; for
lookups, insertions, and memory usage.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;It also fixes grammar errors. In the next excerpt, a “list of routes” is a
singular expression. Moreover, “stored” is a state and I should not use “into”
as it expresses a change.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;The list of routes for each prefix &lt;del&gt;are&lt;/del&gt; &lt;ins&gt;is&lt;/ins&gt; not stored
directly &lt;del&gt;into&lt;/del&gt; &lt;ins&gt;in&lt;/ins&gt; the prefix tree.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;As a last example, consider the following snippet. The “&lt;a href="https://dictionary.cambridge.org/dictionary/english/require" title="Definition of require in the Cambridge Dictionary"&gt;require&lt;/a&gt;” verb
accepts a noun or an object followed by a to-infinitive. I can’t use it with
just a to-infinitive.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;An alternative would be to have one prefix tree for each peer but it would
require &lt;del&gt;to configure&lt;/del&gt; &lt;ins&gt;configuring&lt;/ins&gt; all routers to export
their routes.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;As someone who didn’t grow up speaking English, I struggle with these grammar
rules despite reading a lot of English material.&lt;sup id="fnref-monkey2"&gt;&lt;a class="footnote-ref" href="https://vincent.bernat.ch#fn-monkey2"&gt;3&lt;/a&gt;&lt;/sup&gt; French is more
complex to get started but more systematic. English is full of irregularities.&lt;/p&gt;
&lt;hr /&gt;
&lt;p&gt;On each page, I disclose in the footer whether an &lt;abbr title="Artificial Intelligence"&gt;AI&lt;/abbr&gt; modified the content. There
are three levels:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&#129504;: no &lt;abbr title="Artificial Intelligence"&gt;AI&lt;/abbr&gt; or almost no &lt;abbr title="Artificial Intelligence"&gt;AI&lt;/abbr&gt; (e.g., grammar corrections)&lt;/li&gt;
&lt;li&gt;✨: enhanced (e.g., copyediting)&lt;/li&gt;
&lt;li&gt;&#129302;: generated (e.g., translated from another language, even if human-edited)&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Hover or tap the icon to reveal the &lt;abbr title="Artificial Intelligence"&gt;AI&lt;/abbr&gt;’s name and its role in the document.&lt;/p&gt;
&lt;figure&gt;&lt;div class="lf-media-outer" style="width: 264px;"&gt;&lt;span class="lf-media-inner"&gt;&lt;img alt="Screenshot of the footer containing the &amp;quot;sparkles&amp;quot; emoji" class="lf-media lf-opaque" height="121" src="https://d2pzklc15kok91.cloudfront.net/images/ai-usage@1x.03aee3edade4f4.jpg" width="264" /&gt;&lt;/span&gt;&lt;/div&gt;Example of AI usage disclosure: Claude Sonnet 4.5 edited this article.&lt;/figure&gt;
&lt;p&gt;The graph below shows which tool altered each post, year by year. Recently, I
applied the &lt;a href="https://github.com/vincentbernat/vincent.bernat.ch/blob/latest/.claude/skills/grammar/SKILL.md"&gt;grammar skill&lt;/a&gt; to &lt;a href="https://github.com/vincentbernat/vincent.bernat.ch/commit/7baf2c8f18b57e351cc25e7e62f4aa6611362c8c" title="content: fix English grammar"&gt;past articles&lt;/a&gt;. Since 2018,
French articles have been translated with the help of &lt;a href="https://www.deepl.com"&gt;DeepL&lt;/a&gt; first, then of
an &lt;abbr title="Large Language Model"&gt;LLM&lt;/abbr&gt;. Since 2024, English articles are copyedited.&lt;/p&gt;
&lt;figure&gt;&lt;div class="lf-media-outer" style="width: 733px;"&gt;&lt;span class="lf-media-inner"&gt;&amp;amp;#128444; Graph showing the AI usage over the years. Each level get its own
color.&lt;/span&gt;&lt;/div&gt;AI usage over the years. Hover or tap a band for the details.&lt;/figure&gt;
&lt;hr /&gt;
&lt;p&gt;If you are strongly against any usage of &lt;abbr title="Large Language Models"&gt;LLMs&lt;/abbr&gt; specifically for writing, I hope
you accept my more nuanced position on the usage of these tools as a trade-off
to provide clearer and more engaging articles. Years of literature on improving
English told us it is important to choose the right word to keep the reader
engaged.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;[…] Good writing consists of mastering the fundamentals (vocabulary,
grammar, the elements of style) and then filling the third level of your
toolbox with the right instruments.&lt;/p&gt;
&lt;p&gt;― &lt;em&gt;Stephen King&lt;/em&gt;, On Writing&lt;/p&gt;
&lt;/blockquote&gt;
&lt;div class="admonition"&gt;
&lt;p class="admonition-title"&gt;Note&lt;/p&gt;
&lt;p&gt;Unlike other recent articles, I did not use an &lt;abbr title="Large Language Model"&gt;LLM&lt;/abbr&gt; to edit this post:
an unnamed person kindly accepted to proofread it. I translated it to French
without using an &lt;abbr title="Large Language Model"&gt;LLM&lt;/abbr&gt; either.&lt;/p&gt;
&lt;/div&gt;
&lt;div class="admonition"&gt;
&lt;p class="admonition-title"&gt;Update (2026-06)&lt;/p&gt;
&lt;p&gt;See the &lt;a href="https://lobste.rs/s/tdvu7a/blogging_with_llm_assistant"&gt;story associated to this post on Lobsters&lt;/a&gt;,
as well as the article “&lt;a href="https://writethatblog.substack.com/p/dev-reaction-to-ai-blog-posts" title="Report: How developers react to AI-scented blog posts"&gt;How developers react to &lt;abbr title="Artificial Intelligence"&gt;AI&lt;/abbr&gt;-scented blog posts&lt;/a&gt;” by
Cynthia Dunlop, one of the coauthor of “&lt;a href="https://www.manning.com/books/writing-for-developers" title="“Writing for Developers” by Piotr Sarna and Cynthia Dunlop"&gt;Writing for Developers&lt;/a&gt;.”&lt;/p&gt;
&lt;/div&gt;
&lt;div class="footnote"&gt;
&lt;hr /&gt;
&lt;ol&gt;
&lt;li id="fn-book"&gt;
&lt;p&gt;I recently read cover to cover “&lt;a href="https://www.manning.com/books/writing-for-developers" title="“Writing for Developers” by Piotr Sarna and Cynthia Dunlop"&gt;Writing for Developers&lt;/a&gt;” and I found
it stimulating. &lt;a href="https://mtlynch.io/about/"&gt;Michael Lynch&lt;/a&gt; is currently writing “&lt;a href="https://refactoringenglish.com/" title="“Refactoring English: Effective Writing for Software Developers” by Michael Lynch"&gt;Refactoring
English&lt;/a&gt;” on the same topic and I have subscribed to the early access. &lt;a class="footnote-backref" href="https://vincent.bernat.ch#fnref-book" title="Jump back to footnote 1 in the text"&gt;↩&lt;/a&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li id="fn-kagi"&gt;
&lt;p&gt;I am quite happy with the writing tools provided by &lt;a href="https://www.kagi.com"&gt;Kagi&lt;/a&gt;. Both the
&lt;a href="https://translate.kagi.com"&gt;translate tool&lt;/a&gt; and the &lt;a href="https://translate.kagi.com/dictionary"&gt;dictionary&lt;/a&gt; are a valuable help to find
different wordings. I also lean on &lt;a href="https://help.kagi.com/kagi/ai/kagi-research.html" title="Kagi Research Assistants"&gt;Kagi’s research assistant&lt;/a&gt; when
researching a topic. &lt;a class="footnote-backref" href="https://vincent.bernat.ch#fnref-kagi" title="Jump back to footnote 2 in the text"&gt;↩&lt;/a&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li id="fn-monkey2"&gt;
&lt;p&gt;When I was ten, I played &lt;em&gt;Monkey Island 2&lt;/em&gt; in English without having
taken any classes. I used a dictionary to translate word by word and I found
the irregular verbs confusing—and not in the dictionary. &lt;a class="footnote-backref" href="https://vincent.bernat.ch#fnref-monkey2" title="Jump back to footnote 3 in the text"&gt;↩&lt;/a&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;/div&gt; </description> 
	<pubDate>Tue, 09 Jun 2026 20:15:13 +0000</pubDate>

</item> 
<item>
	<title>Mike Gabriel: Voxit 1.0 has been released</title>
	<guid>https://sunweavers.net/155 at https://sunweavers.net/blog</guid>
	<link>https://sunweavers.net/blog/node/155</link>
     <description>  &lt;img src="http://planet.debian.org/heads/sunweaver.png" width="82" height="82" alt="" align="right" style="float: right;"&gt;  &lt;h3&gt;Official announcement&lt;/h3&gt;

&lt;p&gt;&lt;em&gt;European Voxit community strengthens digital sovereignty: shared codebase completed.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Read the official announcement at:&lt;br /&gt;
&lt;a href="https://www.voxit.org/european-voxit-community-strengthens-digital-sovereignty-shared-codebase-completed/" title="https://www.voxit.org/european-voxit-community-strengthens-digital-sovereignty-shared-codebase-completed/"&gt;https://www.voxit.org/european-voxit-community-strengthens-digital-sover...&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;The Voxit community and platform development&lt;/h3&gt;

&lt;p&gt;The Voxit participation platform is originally based on the open source Polis platform developed by The Computational Democracy Project in the United States, but since its establishment in autumn 2025, the European Voxit community has been developing an independent solution, adapted to European needs.&lt;/p&gt;

&lt;p&gt;The aim is to create an open source, interoperable and scalable participation infrastructure suited to Europe’s regulatory environment and aligned with democratic values. Through this development work, Voxit is becoming a clearly distinct fork of the original Polis platform – allowing Europe to develop participatory infrastructure at its own pace and according to its own governance needs, while the original Polis project continues to break new ground. This enables Europe to build its own open and trustworthy digital democracy tools, rooted in public governance and European democratic traditions.&lt;/p&gt;

&lt;h3&gt;Voxit 1.0 source code is now available&lt;/h3&gt;

&lt;p&gt;The source code for version 1.0 of the European community edition of the Voxit platform has now been published and is openly maintained on GitLab.com at: &lt;a href="https://gitlab.com/voxit/voxit" title="https://gitlab.com/voxit/voxit#"&gt;https://gitlab.com/voxit/voxit#&lt;/a&gt;&lt;/p&gt; </description> 
	<pubDate>Tue, 09 Jun 2026 09:45:00 +0000</pubDate>

</item> 
<item>
	<title>Otto Kekäläinen: SpacemiT K3 is a compelling RISC-V AI CPU, but difficult to buy</title>
	<guid>https://optimizedbyotto.com/post/buying-spacemit-k3-risc-v-ai-cpu/</guid>
	<link>https://optimizedbyotto.com/post/buying-spacemit-k3-risc-v-ai-cpu/</link>
     <description>  &lt;img src="http://planet.debian.org/heads/otto.png" width="64" height="90" alt="" align="right" style="float: right;"&gt;  &lt;img alt="Featured image of post SpacemiT K3 is a compelling RISC-V AI CPU, but difficult to buy" src="https://optimizedbyotto.com/post/buying-spacemit-k3-risc-v-ai-cpu/spacemit-k3.jpg" /&gt;&lt;p&gt;The RISC-V CPU architecture has been gaining a lot of popularity since it launched in 2014, and now that the industry is standardizing on the RVA23 level that includes vector support as a mandatory extension, we are likely to see a lot more edge- and IoT devices with the ability to run local LLMs at reasonable speed, and most importantly at very compelling prices.&lt;/p&gt;
&lt;p&gt;&lt;a class="link" href="https://www.spacemit.com/" rel="noopener" target="_blank"&gt;SpacemiT&lt;/a&gt; is a Chinese RISC-V CPU manufacturer that launched on May 11th, 2026, their &lt;a class="link" href="https://canonical.com/blog/spacemit-announces-availability-of-ubuntu-on-k3-k1-series" rel="noopener" target="_blank"&gt;long-anticipated next-gen RISC-V&lt;/a&gt; AI chip &lt;a class="link" href="https://www.spacemit.com/products/keystone/k3" rel="noopener" target="_blank"&gt;K3&lt;/a&gt;. It is among the earliest RISC-V CPUs that adhere to the &lt;a class="link" href="https://www.heise.de/en/news/RISC-V-and-Linux-Ubuntu-25-10-forces-brand-new-processors-10538066.html" rel="noopener" target="_blank"&gt;RVA23 standard&lt;/a&gt; and performance-wise it is quite capable, providing 130 KDMIPS general computing power, 60 TOPS on INT4 which translates to about 15 tokens per second when running a 30 billion parameter large language model.&lt;/p&gt;
&lt;p&gt;The aspect that really makes it stand out is:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;the &lt;a class="link" href="https://en.wikipedia.org/wiki/RISC-V" rel="noopener" target="_blank"&gt;RISC-V CPU architecture is open source&lt;/a&gt;,&lt;/li&gt;
&lt;li&gt;the price point is within reach of home and small business users and&lt;/li&gt;
&lt;li&gt;the overall feature set makes it an ideal platform to build &lt;strong&gt;&lt;em&gt;local&lt;/em&gt; and &lt;em&gt;offline&lt;/em&gt; AI systems&lt;/strong&gt;.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;SpacemiT also develops their own Debian-based Linux distribution Bianbu OS, and seems to have collaboration going on with the wider community. Their &lt;a class="link" href="https://www.spacemit.com/community" rel="noopener" target="_blank"&gt;community site&lt;/a&gt; seems active, and they also have a dedicated &lt;a class="link" href="https://x.com/spacemit_riscv" rel="noopener" target="_blank"&gt;X account @spacemit_riscv&lt;/a&gt; and &lt;a class="link" href="https://www.reddit.com/r/spacemit_riscv/comments/1t5yimh/upstream-progress-updates/" rel="noopener" target="_blank"&gt;Reddit account r/spacemit_riscv&lt;/a&gt; posting relevant progress info on Linux kernel upstreaming activities. The X account is also responsive, as evidenced by &lt;a class="link" href="https://x.com/ottokekalainen/status/2056375593722356207" rel="noopener" target="_blank"&gt;its replies to my questions&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;Canonical lists the SpacemiT K3 pico-ITX and K3 CoM260 Kit on its official &lt;a class="link" href="https://ubuntu.com/download/risc-v/partner-built" rel="noopener" target="_blank"&gt;Ubuntu for RISC-V partner-built hardware page&lt;/a&gt;, which strengthens the perception that upstream Linux support is being taken seriously. The SpacemiT folks also gave an interesting &lt;a class="link" href="https://www.youtube.com/watch?v=BaY2l17OBRQ" rel="noopener" target="_blank"&gt;talk at the 2026 Ubuntu Summit&lt;/a&gt; that includes a peek into their roadmap with future K3, K7 and K9 models.&lt;/p&gt;
&lt;p&gt;For technical details, see SpacemiT’s &lt;a class="link" href="https://www.spacemit.com/community/development-kit/k3-pico-itx" rel="noopener" target="_blank"&gt;K3 pico-ITX documentation&lt;/a&gt;, the Jetson Orin Nano-compatible &lt;a class="link" href="https://www.spacemit.com/community/development-kit/k3-com260" rel="noopener" target="_blank"&gt;K3 CoM260 board documentation&lt;/a&gt; and &lt;a class="link" href="https://www.spacemit.com/community/document/info?lang=en&amp;amp;nodepath=hardware/key_stone/k3" rel="noopener" target="_blank"&gt;documentation of the K3 processor itself&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;&lt;img alt="The SpacemiT K3 pico-ITX board and the K3 CoM260 board side-by-side (not to scale)" class="gallery-image" height="628" src="https://optimizedbyotto.com/post/buying-spacemit-k3-risc-v-ai-cpu/spacemit-k3-pico-itx-and-k3-com260-kit.webp" width="1200" /&gt;
&lt;/p&gt;
&lt;h2 id="comparing-the-resellers"&gt;&lt;a class="header-anchor" href="https://optimizedbyotto.com/index.xml#comparing-the-resellers"&gt;&lt;/a&gt;Comparing the resellers
&lt;/h2&gt;&lt;p&gt;SpacemiT does not sell anything directly to consumers. Instead you need to buy a board that includes the K3 chip from an integrator. Currently the main resellers are:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a class="link" href="https://optimizedbyotto.com/index.xml#milkv"&gt;Milk-V&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a class="link" href="https://optimizedbyotto.com/index.xml#sipeed"&gt;Sipeed&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a class="link" href="https://optimizedbyotto.com/index.xml#banana-pi"&gt;Banana Pi&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a class="link" href="https://optimizedbyotto.com/index.xml#firefly"&gt;Firefly&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a class="link" href="https://optimizedbyotto.com/index.xml#deepcomputing"&gt;DeepComputing&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;All of the above are Chinese companies that ship to customers both inside and outside China. DeepComputing stands out as the only one that actually has done real integration and ships the K3 on a custom board, while the others simply resell the SpacemiT-produced K3 pico-ITX and K3 CoM260 Kit.&lt;/p&gt;
&lt;h2 id="milk-v"&gt;&lt;a class="header-anchor" href="https://optimizedbyotto.com/index.xml#milk-v"&gt;&lt;/a&gt;Milk-V
&lt;/h2&gt;&lt;p&gt;Milk-V is a RISC-V specialized integrator, as the name already implies. They sell the K3 under the name &lt;a class="link" href="https://milkv.io/jupiter2" rel="noopener" target="_blank"&gt;Jupiter2&lt;/a&gt;. Of all the K3 pico-ITX reseller product pages, the Jupiter2 presentation is the nicest and most detailed. Unfortunately their &lt;a class="link" href="https://arace.tech/products/milk-v-jupiter-2" rel="noopener" target="_blank"&gt;order page at arace.tech&lt;/a&gt; only states that it is a “pre-order” with no information about shipping schedule, taxes, or other details like what SSD is included (if any). Based on the pictures it does ship with a Milk-V branded case. The 32 GB RAM lists at 504 EUR, which is a very reasonable price. The &lt;a class="link" href="https://x.com/MilkV_Official" rel="noopener" target="_blank"&gt;@MilkV_Official account on X&lt;/a&gt; recently promoted the K3.&lt;/p&gt;
&lt;h3 id="documentation-and-support"&gt;&lt;a class="header-anchor" href="https://optimizedbyotto.com/index.xml#documentation-and-support"&gt;&lt;/a&gt;Documentation and support
&lt;/h3&gt;&lt;p&gt;As of this writing, the &lt;a class="link" href="https://milkv.io/docs/jupiter2/" rel="noopener" target="_blank"&gt;Milk-V Jupiter2 documentation site&lt;/a&gt; is just a stub and has no actual content, and only two links to the SpacemiT K3 documentation site. For support there is a web forum with a &lt;a class="link" href="https://community.milkv.io/c/jupiter/jupiter2/19" rel="noopener" target="_blank"&gt;dedicated Jupiter2 section&lt;/a&gt;. There is also a &lt;a class="link" href="https://matrix.to/#/#milk-v:matrix.org" rel="noopener" target="_blank"&gt;Matrix space&lt;/a&gt;, but unlike their other products, there is no dedicated Jupiter (neither v1 nor v2) channel.&lt;/p&gt;
&lt;h3 id="community-size-and-open-source-involvement"&gt;&lt;a class="header-anchor" href="https://optimizedbyotto.com/index.xml#community-size-and-open-source-involvement"&gt;&lt;/a&gt;Community size and open source involvement
&lt;/h3&gt;&lt;p&gt;At least one prior Milk-V product &lt;a class="link" href="https://canonical.com/blog/canonical-enables-ubuntu-on-milk-v-mars" rel="noopener" target="_blank"&gt;was certified by Canonical&lt;/a&gt;, which indicates there is some collaboration in progress. Canonical also lists the &lt;a class="link" href="https://ubuntu.com/download/risc-v/partner-built" rel="noopener" target="_blank"&gt;Milk-V Titan&lt;/a&gt; on its official Ubuntu for RISC-V partner-built hardware page.&lt;/p&gt;
&lt;h2 id="sipeed"&gt;&lt;a class="header-anchor" href="https://optimizedbyotto.com/index.xml#sipeed"&gt;&lt;/a&gt;Sipeed
&lt;/h2&gt;&lt;p&gt;The &lt;a class="link" href="https://sipeed.com/k3" rel="noopener" target="_blank"&gt;Sipeed K3 announcement&lt;/a&gt; is well written (in English) with all the relevant details and links to additional PDF manuals. However, their main page at &lt;a class="link" href="https://sipeed.com/" rel="noopener" target="_blank"&gt;sipeed.com&lt;/a&gt; says nothing about the K3, so one must know the subpage URL to access it. They offer both the K3 CoM260 kit compatible with Jetson Orin Nano carrier boards, and the stand-alone K3 pico-ITX-sized motherboard. The CoM260 kit is only 10 USD cheaper than the full pico-ITX motherboard, so choosing the latter is a no-brainer if starting from scratch. The pico-ITX model with 32 GB DDR5 RAM sells for 639 USD. The product page does not mention anything about hard disk size, so you don’t really know exactly what you will be getting if placing an order. There is no indication about case, Wi-Fi antennas or power supply either, so most likely they are not included.&lt;/p&gt;
&lt;p&gt;Their &lt;a class="link" href="http://store.sipeed.com" rel="noopener" target="_blank"&gt;store.sipeed.com&lt;/a&gt; website does not work at all, and their Taobao and AliExpress stores are not public and only accessible to registered users. The order page also says nothing about shipping time, delivery time, or taxes. The &lt;a class="link" href="https://x.com/SipeedIO/status/2055549071931404291" rel="noopener" target="_blank"&gt;X account @SipeedIO&lt;/a&gt; is active and recently posted pictures of shipments in progress.&lt;/p&gt;
&lt;h3 id="documentation-and-support-1"&gt;&lt;a class="header-anchor" href="https://optimizedbyotto.com/index.xml#documentation-and-support-1"&gt;&lt;/a&gt;Documentation and support
&lt;/h3&gt;&lt;p&gt;The main &lt;a class="link" href="https://wiki.sipeed.com/" rel="noopener" target="_blank"&gt;documentation wiki&lt;/a&gt; does not yet have any K3 content at the time of writing. There is a &lt;a class="link" href="https://discord.com/channels/1359800784375644291/1503600021646479500" rel="noopener" target="_blank"&gt;Discord channel for general RISC-V discussion&lt;/a&gt;, and their MaixHub also has a discussion board, but I didn’t find anything K3-specific.&lt;/p&gt;
&lt;h3 id="community-size-and-open-source-involvement-1"&gt;&lt;a class="header-anchor" href="https://optimizedbyotto.com/index.xml#community-size-and-open-source-involvement-1"&gt;&lt;/a&gt;Community size and open source involvement
&lt;/h3&gt;&lt;p&gt;Sipeed has had at least one of their previous devices &lt;a class="link" href="https://ubuntu.com/blog/canonical-enables-ubuntu-on-sipeeds-licheerv-risc-v-board" rel="noopener" target="_blank"&gt;certified by Canonical&lt;/a&gt;, which indicates they are active in the community.&lt;/p&gt;
&lt;p&gt;Note that the other RISC-V company &lt;a class="link" href="https://ubuntu.com/tutorials/how-to-install-ubuntu-on-risc-v-hifive-boards" rel="noopener" target="_blank"&gt;SiFive&lt;/a&gt; that &lt;a class="link" href="https://canonical.com/blog/sifive-eswin-computing-and-canonical-announce-availability-of-ubuntu-on-the-hifive-premier-p550" rel="noopener" target="_blank"&gt;also&lt;/a&gt; has had hardware certified and officially supported by Canonical is a different company, despite the very similar name.&lt;/p&gt;
&lt;h2 id="banana-pi"&gt;&lt;a class="header-anchor" href="https://optimizedbyotto.com/index.xml#banana-pi"&gt;&lt;/a&gt;Banana Pi
&lt;/h2&gt;&lt;p&gt;&lt;a class="link" href="https://banana-pi.org/en/product-news/591.html" rel="noopener" target="_blank"&gt;Banana Pi announced&lt;/a&gt; that they offer both the K3 CoM260 kit and the K3 pico-ITX motherboard version. Their &lt;a class="link" href="https://banana-pi.org/en/core-board-and-kit/207.html" rel="noopener" target="_blank"&gt;product page for the K3&lt;/a&gt; confusingly shows a MediaTek product in the page banner rather than the SpacemiT K3. Based on the product description and the fact they renamed the product as &lt;em&gt;BPI-SM10&lt;/em&gt;, it seems to ship with some carrier board. The product pictures look identical to the SpacemiT documentation and there is no picture of the carrier board, and details are very sparse. The &lt;a class="link" href="https://www.bpi-shop.com/products/k3-pico-itx-spacemit-k3-8-cores--60tops-al-performance-wifi6.html" rel="noopener" target="_blank"&gt;pico-ITX version&lt;/a&gt; with 8 GB RAM and 128 GB SSD sells for 293 USD and the &lt;a class="link" href="https://www.bpi-shop.com/products/bpi-sm10-k3-com260.html" rel="noopener" target="_blank"&gt;CoM260 developer kit&lt;/a&gt; with the same specs sells for 287 USD and the 32 GB RAM with 128 GB SSD model sells for 595 USD. The shop page shows only five orders so far and items are currently out of stock. As there was no 32 GB RAM version of the pico-ITX available at all, this isn’t an option for me as I want to run 30B parameter models that need the larger memory version.&lt;/p&gt;
&lt;p&gt;Of all of these resellers, the &lt;strong&gt;Banana Pi website seems the most outdated&lt;/strong&gt;. It does not have a search feature, it is not mobile-friendly, pictures can’t be pinched to zoom in and so forth. Product names are also almost all identical, and as the product listings only show the beginning of the product name, figuring out what product is what requires extra effort that just makes the online purchase experience plain bad.&lt;/p&gt;
&lt;h3 id="documentation-and-support-2"&gt;&lt;a class="header-anchor" href="https://optimizedbyotto.com/index.xml#documentation-and-support-2"&gt;&lt;/a&gt;Documentation and support
&lt;/h3&gt;&lt;p&gt;I was only able to find the &lt;a class="link" href="https://docs.banana-pi.org/en/BPI-SM10/BananaPi_BPI-SM10" rel="noopener" target="_blank"&gt;documentation page for the CoM260 kit&lt;/a&gt;, but none for the pico-ITX version. For support there is a &lt;a class="link" href="https://forum.banana-pi.org/" rel="noopener" target="_blank"&gt;forum&lt;/a&gt;, but the category list does not show any section for K3, and the forum search prohibits using the search term “k3” as too short.&lt;/p&gt;
&lt;h3 id="community-size-and-open-source-involvement-2"&gt;&lt;a class="header-anchor" href="https://optimizedbyotto.com/index.xml#community-size-and-open-source-involvement-2"&gt;&lt;/a&gt;Community size and open source involvement
&lt;/h3&gt;&lt;p&gt;Banana Pi has a long history in the ARM single-board computer market, but their presence in the RISC-V ecosystem is still growing. Their &lt;a class="link" href="https://x.com/sinovoip" rel="noopener" target="_blank"&gt;X account @sinovoip&lt;/a&gt; has posted only once about the K3 and otherwise promotes their ARM boards. However, their &lt;a class="link" href="https://banana-pi.org/en/community-culture/" rel="noopener" target="_blank"&gt;community culture page&lt;/a&gt; does express a commitment to open hardware in general, but there is no visible K3-specific community activity.&lt;/p&gt;
&lt;h2 id="firefly"&gt;&lt;a class="header-anchor" href="https://optimizedbyotto.com/index.xml#firefly"&gt;&lt;/a&gt;Firefly
&lt;/h2&gt;&lt;p&gt;&lt;a class="link" href="https://en.t-firefly.com/p/aibox-k3" rel="noopener" target="_blank"&gt;Firefly’s K3 product page&lt;/a&gt; is comprehensive. Based on the details, they do not offer the K3 pico-ITX variant at all, but only the K3 CoM260 board inside the AIBOX-K3 Firefly RISC-V Edge Mini PC product. This is a feature-complete offering with a Jetson Orin Nano carrier board and case. The AIBOX-K3 with 32 GB RAM and 128 GB SSD in a case sells for 689 USD in their own &lt;a class="link" href="https://www.firefly.store/products/aibox-k3-risc-v-edge-mini-pc?variant=46857894821972" rel="noopener" target="_blank"&gt;Firefly.store&lt;/a&gt;. Unfortunately it only has HDMI and there is no USB-C with DisplayPort support, which is a deal-breaker for me personally.&lt;/p&gt;
&lt;p&gt;Interestingly, Firefly also offers &lt;a class="link" href="https://www.firefly.store/blogs/news/firefly-k3-series-launches-with-powerful-risc-v-chips-supports-30b-ai-models" rel="noopener" target="_blank"&gt;rack-mounted servers with K3&lt;/a&gt; as the CPU.&lt;/p&gt;
&lt;h3 id="documentation-and-support-3"&gt;&lt;a class="header-anchor" href="https://optimizedbyotto.com/index.xml#documentation-and-support-3"&gt;&lt;/a&gt;Documentation and support
&lt;/h3&gt;&lt;p&gt;The wiki link on the product page is broken. The &lt;a class="link" href="https://en.t-firefly.com/wiki" rel="noopener" target="_blank"&gt;Firefly wiki&lt;/a&gt; does have a section for the AIBOX-K3, but it too has a broken link. It seems that as of the time of writing, there is no wiki section for this product yet.&lt;/p&gt;
&lt;p&gt;For support there is a &lt;a class="link" href="https://bbs.t-firefly.com/" rel="noopener" target="_blank"&gt;web forum&lt;/a&gt;, which does have at least &lt;a class="link" href="https://bbs.t-firefly.com/forum.php?mod=viewthread&amp;amp;tid=66517&amp;amp;extra=page%3D1" rel="noopener" target="_blank"&gt;one K3 thread&lt;/a&gt; covering guides such as Hermes Agent installation, though broader K3-specific sections are still sparse.&lt;/p&gt;
&lt;h3 id="community-size-and-open-source-involvement-3"&gt;&lt;a class="header-anchor" href="https://optimizedbyotto.com/index.xml#community-size-and-open-source-involvement-3"&gt;&lt;/a&gt;Community size and open source involvement
&lt;/h3&gt;&lt;p&gt;Firefly’s &lt;a class="link" href="https://x.com/TeeFirefly" rel="noopener" target="_blank"&gt;X account @TeeFirefly&lt;/a&gt; has had no posts since 2024, and their &lt;a class="link" href="https://gitlab.com/T-Firefly" rel="noopener" target="_blank"&gt;GitLab/T-Firefly&lt;/a&gt; shows mostly 2024 activity, with only one repository updated in 2025 and nothing in 2026. Historically they have built a moderate community around their ARM-based Rockchip boards, with active forums and wiki contributions for those product lines. Their RISC-V K3 offerings are newer, and likely need a lot more polish to be attractive products overall.&lt;/p&gt;
&lt;h2 id="deepcomputing"&gt;&lt;a class="header-anchor" href="https://optimizedbyotto.com/index.xml#deepcomputing"&gt;&lt;/a&gt;DeepComputing
&lt;/h2&gt;&lt;p&gt;Last, but certainly not least, is the laptop manufacturer &lt;a class="link" href="https://deepcomputing.io" rel="noopener" target="_blank"&gt;DeepComputing&lt;/a&gt; that offers a &lt;a class="link" href="https://deepcomputing.io/product/dc-roma-risc-v-mainboard-iii/" rel="noopener" target="_blank"&gt;Framework laptop compatible motherboard with the SpacemiT K3 chip&lt;/a&gt;. They also sell the plain motherboard, or with the Cooler Master case, which allows one to easily connect it to an external monitor and keyboard and use it as a desktop computer. The plain board with 32 GB RAM and no SSD sells for about 882 EUR. Shipping of the first batch is expected to start by end of June 2026. Their &lt;a class="link" href="https://x.com/DeepComputingio" rel="noopener" target="_blank"&gt;X account @DeepComputingio&lt;/a&gt; promotes this DC-ROMA RISC-V Mainboard III as their flagship product, so they seem to put a lot of effort into it.&lt;/p&gt;
&lt;p&gt;The overall product design and packaging seems good. Of all the K3 resellers and integrators that I was able to find, &lt;strong&gt;DeepComputing is the only one that actually designs their own boards&lt;/strong&gt; with the K3 processor, while all the other vendors above are simply reselling the vanilla K3 boards with or without a case.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;After reviewing all these options I decided to buy the &lt;a class="link" href="https://store.deepcomputing.io/products/dc-roma-risc-v-mainboard-iii-for-framework-laptop-13?variant=51310183088292" rel="noopener" target="_blank"&gt;DC-ROMA RISC-V Mainboard III&lt;/a&gt;&lt;/strong&gt; for Framework Laptop 13 with 32 GB RAM, 1 TB SSD and the Cooler Master case, totalling about 1100 EUR.&lt;/p&gt;
&lt;h3 id="documentation-and-support-4"&gt;&lt;a class="header-anchor" href="https://optimizedbyotto.com/index.xml#documentation-and-support-4"&gt;&lt;/a&gt;Documentation and support
&lt;/h3&gt;&lt;p&gt;DeepComputing maintains product information for their RISC-V hardware at &lt;a class="link" href="https://github.com/DC-DeepComputing/Framework" rel="noopener" target="_blank"&gt;github.com/DC-DeepComputing/Framework&lt;/a&gt;, with documentation of the newest &lt;em&gt;Mainboard III (FML13V05)&lt;/em&gt; still being finalized ahead of the first batch shipment. They provide community support through &lt;a class="link" href="https://discord.com/invite/DycykxSxWH" rel="noopener" target="_blank"&gt;Discord&lt;/a&gt; and &lt;a class="link" href="https://deepcomputing.discourse.group/" rel="noopener" target="_blank"&gt;web forum&lt;/a&gt;, although the latter has very little activity.&lt;/p&gt;
&lt;h3 id="community-size-and-open-source-involvement-4"&gt;&lt;a class="header-anchor" href="https://optimizedbyotto.com/index.xml#community-size-and-open-source-involvement-4"&gt;&lt;/a&gt;Community size and open source involvement
&lt;/h3&gt;&lt;p&gt;DeepComputing has established itself as a pioneer in RISC-V laptops, beginning with the DC-ROMA. I have seen their stand at FOSDEM, which shows they are genuinely active in the open source community. Canonical lists &lt;a class="link" href="https://ubuntu.com/download/risc-v/partner-built" rel="noopener" target="_blank"&gt;DeepComputing’s first mainboard / FML13V01&lt;/a&gt; on its official Ubuntu for RISC-V partner-built hardware page, and it seems likely that they will continue to collaborate with Canonical with the new model once it ships. While the underlying Linux enablement depends on SpacemiT’s upstream efforts, DeepComputing’s involvement helps bridge the gap between reference hardware and consumer-ready products.&lt;/p&gt;
&lt;p&gt;&lt;img alt="DeepComputing K3 board in the Cooler Master case" class="gallery-image" height="381" src="https://optimizedbyotto.com/post/buying-spacemit-k3-risc-v-ai-cpu/deepcomputing-cool-master-spacemit-k3.webp" width="531" /&gt;
&lt;/p&gt;
&lt;h2 id="conclusion"&gt;&lt;a class="header-anchor" href="https://optimizedbyotto.com/index.xml#conclusion"&gt;&lt;/a&gt;Conclusion
&lt;/h2&gt;&lt;p&gt;After weighing all the options, I ended up placing an order with DeepComputing for their custom K3 board with the Cooler Master case. Despite the premium price, the active community support and the properly documented promise of a complete, working system made it easy to place an order with confidence.&lt;/p&gt;
&lt;p&gt;The SpacemiT K3 is poised to be one of the most significant RISC-V chips for local AI workloads, thanks to its RVA23 compliance and high tokens per second potential. Yet the buying experience in mid-2026 remains fragmented and incomplete. Hopefully this is just because the product is new, and they will get the purchase experience polished soon.&lt;/p&gt;
&lt;p&gt;What struck me most during this process was how poor the customer experience is across nearly all of these vendor websites: broken links, missing search functions, outdated product banners, pages that show the wrong product entirely, and no information about shipping times, stock levels, taxes, and so on. One wonders why these companies don’t fully invest in their web presence.&lt;/p&gt;
&lt;p&gt;Personally I would assume they &lt;strong&gt;likely have enough customers already,&lt;/strong&gt; primarily through domestic channels like &lt;em&gt;Taobao&lt;/em&gt; and &lt;em&gt;JD.com&lt;/em&gt;, that they do not feel any pressure to improve their international-facing sites. However, I did also review what was offered on Taobao, and the product details were very incomplete there too. Taobao, however, has a built-in live chat with almost all sellers, which can be used to ask questions and thus compensate for missing product details.&lt;/p&gt;
&lt;p&gt;I don’t fully understand why the sales process seems unpolished. The websites feel almost like an afterthought – a checkbox to claim global reach while the real business apparently happens elsewhere via closed platforms or via inaccessible reseller channels. It is a frustrating reminder that in the RISC-V hardware world, the technology may be open and global, but the purchase experience is less so.&lt;/p&gt; </description> 
	<pubDate>Tue, 09 Jun 2026 00:00:00 +0000</pubDate>

</item> 
</channel>
</rss>