I'm back from my vacation, so time for another weekly recap...
Vacation
Week before last I had a lovely time away in Hawaii (The big island).
I saw volcanoes (we missed lava fountaining by like 15 minutes), lava
tubes (really cool (literally) and dark), botanical gardens (unreal flowers),
had a dinner/sunset cruise with history and finally a sunset/stargazing
trip to the top of Mauna Kea. Super fun! Wish I had another week there to
lounge on the beach. If you ever have a chance to go, take it!
I did look at my email and such the first day or so, but after that
I was too busy and never took my laptop out even until I got back.
Fedora 44 released!
Of course first thing Monday on getting back was that we were go for
Fedora 44 release Tuesday!
Release went pretty smoothly overall and I hope everyone enjoys the release.
Infra freeze ends
Of course with the release on Tuesday, we end our infrastructure freeze on
Wednesday. For some reason this time we had a pretty big pile of pending pull
requests, which I attempted to merge and deploy.
The bulk of them were moving our OpenShift applications from deploymentconfig
(which was an OpenShift-specific object) to deployment (which is a k8s native
object). OpenShift still supports deploymentconfig, but it will go away
and it spews deprecation notices and the sooner we get moved the better.
I ran into some problems with a few applications that had preexisting
issues in staging when I went to test there. There were also some problems
on some applications with selectors (where it chooses how to map a service
on to a deployment). In one case (fmn) the app had two builds for two
different things and one of them was a newer api version and updated
the database, but then the second one couldn't handle that. Had to update
it upstream to get the db versions to match.
Anyhow, there's only a very few left now. Looking forward to being done
paying down this tech debt. :)
scrapers
What weekly recap would be complete without some scraper news? :)
This time they started hitting cgit links on fedorapeople.org (where
contributors can have git repos). I set up anubis there which mostly
quashed them. That did break some redirects tho, so we will need
to fix that.
Scrapers have also been hitting the wiki pretty hard from time to time.
It's not easy to just put that behind anubis because it's in the base
fedoraproject.org domain and we don't want some things there behind it.
For now we just increased resources for the backend, but we will probably
have to figure out how to set up anubis there before long.
It’s the first day of May, and it’s time for another update on what’s been happening at the GNOME Foundation. It’s been two weeks since my last post, and this update covers highlights of what we’ve been doing since then.
Remembering Seth Nickell
This week we received the very sad news of the death of Seth Nickell. It’s been a long time since Seth was active in the GNOME project, so many of our members won’t be familiar with him or his work. However, Seth played an important part in GNOME’s history, and was a special and unique character.
Jonathan wrote a wonderful post about Seth, with some great stories. Federico migrated the memorial page from the old wiki to the handbook, and added Seth there (work is currently ongoing to develop that page). Seth’s death has also been covered by LWN, which includes dedications from GNOME contributors.
Whether you knew Seth or came to GNOME after his time, I think we can all appreciate the contributions that he made, which live on in the project and wider ecosystem to this day.
GNOME Fellowship
Applications for the first round of the new GNOME Fellowship program closed last week, on 20th April. We had a great response and received some excellent proposals, and now we have the tough job of deciding who is going to receive support through the program.
To that end, the Fellowship Committee met this week to review the proposals and begin the selection process. We have identified a shortlist of candidates, and will be meeting again next week to narrow the selection further.
Since this is the first round of the Fellowship, we are establishing the selection process as we go. Hopefully we’ll get to put this to use again in future Fellowship rounds!
Conferences
Linux App Summit (LAS) will be held in Berlin on 16-17 May – that’s in a little over two weeks! The schedule has been finalized and looks great, and this year’s LAS is shaping up to be a fantastic event. Please do consider going, and please do register!
Due to high demand, the organizing team have decided to stream the talks from this year, so look out for details about remote participation.
Aside from LAS, preparations for July’s GUADEC conference continue to be worked on. Travel sponsorship is still available if you need assistance in order to attend, so do consider applying for that.
Office transitions ongoing
Work to update many of our backoffice systems and processes has continued at a steady pace over the past fortnight. Many of the big moves are done (new payments system, email accounts, mailing system, accounting procedures, credit card platform), and we are now firmly in the final stages, making sure that our new address is used everywhere, emails are going to the right places, recurring payments are transferred over to new credit cards, and vendors are setup on the new payments system.
The value of this work is already showing, with smoother accounting procedures, more up to date finance reports, and better tracking of incoming queries.
That’s it for this update. Thanks for reading, and take care.
GNOME is once again participating in GSoC. This year, we have 6 contributors working on adding Debug Adapter Protocol support to GJS, incorporating vocab-style puzzles into GNOME Crosswords, creating a native GTK4/Rust rewrite of the Pitivi timeline ruler, porting gitg to GTK4, implementing app uninstallation in the GNOME Shell app grid, and enabling recovery from GPU resets.
As we onboard the contributors, we will be adding them to Planet GNOME, where you can get to know them better and follow their project updates.
GSoC is a great opportunity to welcome new people into our project. Please help them get started and make them feel at home in our community!
Special thanks to our community mentors, who are donating their time and energy to help welcome and guide our new contributors: Philip Chimento, Jonathan Blandford, Yatin, Alex Băluț, Alberto Fanjul, Adrian Vovk, Jonas Ådahl, and Robert Mader.
Trigger warning: this is a report about how
Debianism prefers abusers to those who consistently and
compassionately helped victims of abuse.
Those who dare to look up the public court records about
Jeremy Bicha have been shocked and in some cases unable to sleep
after reading how he exploited every bodily orifice of his little sisters
when they were six and nine years old. Yet I feel a possibility that
Jeremy Bicha himself is now being exploited to make us feel
shock and to soften us up for future revelations about unnamed oligarchs
in the open source eco-system. There have been many falsified rumours
about abuse over the years,
such as the conspiracy against Dr Jacob Appelbaum. Whenever we get
to the point that the leader of some so-called community really is
put on trial for real abuse, the victims are unlikely to have suffered as
extensively as
Bicha's little sisters.
I didn't write and publish this report to start a lynching against
Jeremy Bicha himself. He has confessed his crimes which is much more
than can be said for other sex pests. The real reason for the report is
to look at the decisions that organisations have made putting a
registered sex offender on a pedestal but in the case of commercial
rivals or people who made mistakes with pronouns, we are being censored
and harassed by the oligarchs for the most mundane mistakes.
The BBC is in fresh trouble over their pre-existing knowledge of a scandal
involving
Scott Mills. It was a major story in the
UK the week before Easter and then it disappeared. I suspect that sooner
or later we will hear more details.
Almost every day there is a fresh news report about
Jeffrey Epstein. During the trial of
Ghislaine Maxwell, she told us her partner,
Epstein, needed to
be with a woman at least three times per day. People with children or
teenage daughters will feel very uncomfortable about having these men around.
Less than two percent of Debian Developers are female but at
DebConf almost one in three participants is in the
gay/transgender/Zizian set. In the wider population it is only one in
ten people.
These people don't have children. They don't think about having children.
They don't spend a lot of time thinking about the risks. Having a
registered sex offender present at the after-party may be on the
bucket list for some of these people. They are willing to risk other people's
children and tarnish Debian's reputation so they can have something
unusual at the after-party.
For people who do have children, they don't go to the
DebConf orgy groups but they do stay up all night reading through reports
like this to try and work out whether the risk is acceptable or not.
The
Debian Suicide Cluster correlates with a culture of
violence and humiliations. Coincidentally, rape and abuse are also about
violence and humiliation. Adding a
registered sex offender to the group only reinforces those existing
Debian character traits when we need to be looking for the opposite,
people who serve to neutralise those cultural defects.
News that a
Registered Sex Offender(TM) was invited to speak at
DebConf25 in
France is not a random accident. Certain groups like
Debianism have been overcome by fringe diversity movements. Over the years,
we've seen the same people using their authority to humiliate fellow volunteers
in much the same way that paedophiles humiliate children. Statistically,
we can be certain there are similar men in the same group.
Jeremy Bicha was the thin end of the wedge. By putting a known offender
on a pedestal and claiming they are helping him, they are clearing a path for
other more cunning characters to be given a platform.
The people who control
Debianism mailing lists have a nasty habit of censoring any concerns about
the phenomena. They believe everybody agrees with their worldview. They
are living in a bubble. Sooner or later, there will be a person or an
incident that is so bad that it is the end of Debian. Society at large
simply doesn't accept some of the things these people do.
Moreover, certain companies would like to see Debian fail. They will
give enough money to the diversity budget to create a scandal and then
those companies will get out of the way as quickly as possible.
The Debian Social Contract tells us, in point three,
We will not hide problems.
In the case of the
registered sex offender invited to speak at
DebConf25 in
France, all discussion has been deliberately shut down. Video
of the talk is not hosted with video of the other talks. People are
scouring the
official photo gallery to see if
Jeremy Bicha was really there at all and who sat next to him.
This situation and the manner in which
Debianists are hiding it reveals the real definition of diversity and
the real use of diversity funds.
This resulted in “Jack” ringing me in an extremely distressed state. His
words on the phone were, “I think it would have been better to hear my
mother had died”. He was a relatively early victim of [Fr Kevin] O’Donnell and his
abuse was reported to the Cathedral in 1958. This allegation was
investigated at the time by both the then Vicar-General, Laurie Moran,
and the then Auxiliary Bishop of Melbourne, Arthur Fox. Nothing
eventuated from this investigation.
In 1962, Stanley Kubrick released the controversial film
Lolita.
Charles Manson was using women in his
cult, the Manson Family, to murder people. He hoped that by committing
these violent murders he could start riots, like the modern day phenomena
of #MeToo mobs on
social control media. On 9 August 1969, they killed the actress
Sharon Tate, who was the wife of film director
Roman Polanski.
In the 1970s, Bishop Fox was the Bishop of Sale. On 3 July 1972, when he was
in his early forties, Hourigan wrote to Bishop Fox asking that he be accepted to study
for the priesthood. In the letter Hourigan set out what he said were two ‘flies in the
ointment’. The first related to an issue with Hourigan’s back, and is of little moment.
The second was a disclosure (referred to by the judge as ‘the disclosure’) that on
three separate occasions, occurring at two separate boarding schools in Papua New
Guinea at which he was working, boys in his care who, he said, he had occasion to
punish for misbehaviour, responded by complaining to a priest that he had treated
them harshly and that he was a homosexual. A short time after the second and third
complaints, Hourigan left the second boarding school and returned to Australia.
The implication is that
Bishop Fox had personal knowledge of the disclosure and history of
abuse before he ever ordained
Fr Hourigan.
Britain's National Council for Civil Liberties (NCCL), known today as
Liberty, had a very open attitude to memberships and affiliations.
PIE and many other fringe groups became members of NCCL / Liberty
and regularly attended the annual general meetings where they rubbed shoulders
with lawyers and lobbyists from a range of different movements.
The Conversation tells us the British Communist Party was also affiliated
with NCCL / Liberty. People have been scouring old copies of British
tabloid newspapers to find evidence of similar diversity fringe groups
promoting incest, cannibalism and bestiality. NCCL / Liberty was not endorsing
any of these groups and the PIE was no more or less special than
any other diversity fringe group.
The manner in which the paedophile advocacy groups participated in the
NCCL / Liberty and the legal profession can be summarised by the
expression I don't agree with what you say but I will defend to the
death your right to say it.
As the saying goes, all good things must come to an end. By the
1980s, governments around the world had developed strategies to shut down
and outlaw groups like PIE.
The eradication of these groups was significant because it forced
the pro-abuse lobby to look for more discreet ways to achieve their
unholy objectives. In other words, they have to join other groups like
the Catholic Church and the
Debian Project in the hope they will gain credibility, access
to children or both.
Between 1977 and 1978,
Roman Polanski, whose wife had been murdered by the Manson Family
cult, was prosecuted for drugging and raping a 13-year-old girl.
He fled America to live in
France and evade a likely jail sentence.
As he was born in France he can't be extradited to America. He continued
his career in
France and received numerous awards for his work. Many professionals
in the movie industry have publicly indicated support for
Polanski, despite the very serious crime he committed against a child.
Between 1978 and 1982, in another
Catholic abuse situation where the victim agreed to waive anonymity,
David Ridsdale was abused by his uncle, the priest
Gerald Ridsdale. Under Australian law, when the uncle is found
guilty of such an offence, their identity and their conviction can not
be reported in the media as it would compromise the identity of the
victim. Nonetheless,
David Ridsdale waived his right to anonymity and so it could be
reported that
Gerald Ridsdale, who was the worst offender in the country,
had even committed abuse against one of his own relatives.
The media originally obfuscated the name and face of the victim but it
wasn't long before everybody knew. She had created the dossier, started a
conversation with the police and then she committed suicide. Eventually the
Federal Court judges decided to publish everything for the public to make up our
own minds.
I selected those portions of the document to emphasize the striking
similarities between
Katharine Thornton's abuse report and the acts that
Jeremy Bicha admitted inflicting on his sisters.
According to the summary of the complaint on the
Manatee County Courthouse web site, the abuse occurred between 1995 and 1999,
in other words, when
Jeremy Bicha was only between eleven and fifteen years of age himself.
One of his sisters was nine and another was only six when these horrible crimes
took place.
In the court documents,
Jeremy Bicha told prosecutors his parents were very strict and kept all the
siblings together at home. In countries with urban sprawl and a car culture,
which includes
Australia, a teenage boy starting high school has no way to meet friends
of the same age unless an adult is willing to drive him there and bring him
back home. Europeans who live in apartments and terrace houses are much closer
together. Therefore, people who haven't lived in urban sprawl can't fully
appreciate the impact it has on childhood.
In 1997, Adrian Lyne produced a fresh version of the film
Lolita.
Shortly after that, I was photographed in
Australia's Parliament House,
Canberra with
Natasha Stott-Despoja. After leaving her job as a senator,
Natasha was appointed as
Australia's ambassador for women and girls.
She was subsequently appointed to represent
Australia on the UN CEDAW committee. CEDAW is the Convention on the
Elimination of All Forms of Discrimination Against Women. The committee
is one of the most influential international bodies concerned with the
status and wellbeing of women. The photograph was taken during the same
period of time where
Jeremy Bicha admits abusing his little sisters.
In the early days of
Debianism, many young teenage males were exploited. Ringleaders have been
interchangeably presenting
Debianism as a hobby, as a philosophical mission and as an activity that
people undertake while being paid by an external employer like
Freexian. Ringleaders pivot between these
definitions of
Debianism depending upon which definition is most convenient for the
ringleaders themselves in any particular situation or dispute.
They used the appeal of a philosophical mission to recruit numerous teenagers,
mostly boys in their mid-teens, who were starstruck by the names of companies
like
Pixar, where
Bruce Perens worked. These teenagers didn't really appreciate the extent
to which they were working alongside people who were being paid six-figure
salaries to do similar tasks. I'm talking about
Joel "Espy" Klecker,
Shaya Potter and
Chris Rutter. Klecker was doing this unpaid work while he was in bed
dying of a terminal illness (detailed report).
Shaya Potter appears to be the first documented case of somebody
expelled after he had already resigned.
Chris Rutter even had servers for unpaid
Debianism work installed at his high school. He was observed
working long hours to meet his obligations to
Debianists shortly before walking in front of a car. These may be
the three most prominent teenagers in the early days of
Debianism and it is disturbing to see that two died while one was
subject to gaslighting and ostracized.
Here is a debian-private leaked message where the underage
phenomena is mentioned explicitly:
Subject: Re: why I want the archives on me (was Re: spotter@debian.org)
Date: Tue, 17 Nov 1998 12:56:41 -0500
From: Shaya Potter <spotter@ymail.yu.edu>
To: joost@pc47.mpn.cp.philips.com
CC: debian-private@lists.debian.org
----- Original Message -----
From: <joost@pc47.mpn.cp.philips.com>
>
>On Tue, 17 Nov 1998, Shaya Potter wrote:
>
>> Now that this is out of the way, I'd like to publicly ask if I can have an
>> archive of all the communication that went on in regard to me.
>
>Strictly speaking I tend to disagree that you or anybody has an a-priori
>right to know what is being said and told on debian-private. It is simply
>a private list. Things would be different if you were mentioned in a
>public list without being able to respond. But that is in all aspects
>clearly not the current situation.
First, I never said I have a right. In many ways I think i don't have a
right, or even if I did, I don't deserve it. I don't think my statements
have implied that I believe I have a right to demand that it be given to me.
I do have a right to ask that it be done. Debian has a right to say yes or
no.
>
>(Nevertheless, I think that it would be considerate to cc: you in
>any discussion that involves you in a very personal manner - this has
>IMHO until now hardly been the case though.)
It hasn't? Than how did the decision to expell me come about? Who told
people who made the decision what happened? Was this all done in private
mail?
>
>If a non-subscriber of debian-private must share in the conversation on
>debian-private, then this should IMHO be done by adding that person to the
>clearly visible cc: line of the header of any messages to be "published."
>That way, it will be adequately clear that the correspondence leaves the
>realm of debian-private and thus everybody can conclude that normal
>confidentiality can not be expected. AFAIK respect for the confidential
>nature of debian-private is a prerequisite for subscription to this list.
I would have respected the confidentiality, as I have made it known that I
don't want this to spread, as I am embarrased by my actions.
>
>Practically speaking, I disagree that the underlying case generally
>concerns you. What matters here is not who Shaya Potter personally is or
>what particularly Shaya Potter did. The discussion is about how issues
>like the one involving you relate to Debian. This discussion does not
>involve you personally.
I don't want the entire discussion, I just want to see the parts that touch
on me personally. I don't care for the rest, of what about underage
developers and the like....
>
>> I was told that it would not be a star chamber, and that I'd be cc'd in
>> on all the corrospondace. That didn't occur.
>
>There was no "star chamber." You have already been generously cc:'-ed.
I was? The only cc:'s I ever got were in response to me starting a thread.
That implies to me, that acc. to what you were saying, that no discussion
on -private occured that I didn't start. However, I know this not to be the
case, as before I was unsubscribed from -private, I saw a thread or 2
started that dealt with me.
>
>IMHO you do not have a right to be cc:-'ed on the _general_ discussion
>which does not particularly (personally) involve you.
never said I did.
>
>> Also, I really have no idea of what discussion went on, if mistruthes
>> were spread about the incident (as in reality, I'm the only one that
>> knows completely what happened, and no one really ever asked me for the
>> full story).
>
>If this worries you so much, then I seriously wonder why you did not
>immediately relate it to debian-private when the issue arose in the first
>place?
I did apologize on -private right away, however, I didn't want to spread
what I did. I specifically told people that I would rather this not be
discussed on -private and have me showed the door quietly, and told never to
come back. That didn't happen, it was discussed on -private. I don't know
what was discussed in relation to me, so I want to be informed.
>
>Again, the discussion is not yours. Again, you are not personally
>involved. Your only "role" in the discussion is that you have created a
>precedent. I thinks we can all agree that we would rather have had you
>not be a precedent case, but it happened. I'm very sorry, but you'll
>have to blame yourself for that.
Trust me, I've blamed myself a lot for this. If you seen any of my
corrospondance you would know this. I don't blame anyone for my
predicament, but myself.
>Discussion on debian-private does not count as a statement from Debian.
>So there simply were no statements. I'm not really in favor of making any
>strong or overly verbose statements either. If there ever is to be a
>statement from Debian about an issue such as the current one involving
>Shaya, I think that person should be briefed thoroghly beforehand.
I'm not talking about a debian statement. I don't want a public statement,
and I know a lot of people from debian don't want one either (though some
might). What I meant by statements, was statements that individuals made,
that might be incorrect, or inacurate.
>Shaya, can you please just put this to a rest? IMHO it is not very
>productive for anybody. And please take it from me that you have no
>reason to be concerned that you have been in a "star chamber."
I am not worried about a star chamber, I would have prefered it in many
ways. However, at least with a star chamber you usually get to see the case
presented against you, even though you don't have the ability to defend
yourself. As I said many times, my case is indefensable, so that wouldn't
bother me.
Shaya
We find exactly the same phenomena in the
Jeremy Bicha abuse testimony. His sister tells us she was too young
to know the words for what he was doing in her underpants.
In October 1999 the role of teenagers was back in the spotlight:
Subject: Debian Death March
Date: Thu, 7 Oct 1999 17:41:25 -0700 (PDT)
From: Jonathan Walther <krooger@debian.org>
To: debian-private@lists.debian.org
Guys. Is Debian still the hippest, coolest, happeningest distribution
around, or are we a dinosaur lost in the forest?
The posts I've read on this list today reek of a Death March.
Yes, many of the Debian originals have moved on, retired, or fallen
quiescent. Others of us have had sudden changes in our life; new jobs, loss
of jobs, loss of internet access, newborn infants, need to spend time with
spouses and loved ones.
Many of the rest have gotten tired. The friends they joined this marvelous
big project with are no longer around... The stress of mentoring up a new
generation of package maintainers, and hopefully core developers falls on
their already burdened shoulders, taking away from their time spent coding.
As social scientists know, the future is the children. Or in our case, the
future is the teenage "hackers" getting their first computer, going in their
first irc chatroom, using their first nuker... and realizing there is
something far more interesting, constructive and beautiful beyond the raw
violence of their little world. An ordered system of many parts, of many
people collaborating in peace, cooperating on a scale that they will take
for granted, because we have made it seem so natural, but which makes any
sane adult boggle at our achievement.
[ ... snip ... ]
Given that
Debianism has the exploitation of youth in its DNA, it is really sad
to see that a
registered sex offender and various characters with similar tendencies
were put up on a pedestal in the era of
Chris Lamb.
In 2002, the Boston Globe's Spotlight team published
their reports about the
Catholic abuse crisis. The reports were not simply about the actions
of individual paedophiles. The journalists went to great lengths to examine
how the institution had ordained the wrong people and stonewalled victims.
In the
Debian harassment culture, we see much the same thing. People who ask
questions are censored on the mailing lists. The leaders stonewall and
refuse to answer questions or provide reports about the
Debian suicide cluster and their knowledge of
Jeremy Bicha's history.
Subject: Re: Nut-case of the day - Was: [Fwd: URGENT: This is potentially a threat to your and others personal security]
Date: Tue, 6 Jan 2004 12:53:33 -0700
From: Joel Baker <fenton@debian.org>
To: debian-private@lists.debian.org
On Tue, Jan 06, 2004 at 03:28:03PM +1100, Russell Coker wrote:
> On Tue, 6 Jan 2004 15:23, Joel Baker <fenton@debian.org> wrote:
> > I could probably arrange for Debian to have a TG developer, but somehow,
> > this doesn't seem like a primary qualification; we don't have quotas. :)
>
> If they can code well or can be taught to code well then please get them in!
>
> Especially if they have some skills at kernel coding. I think that we could
> do with having more skilled developers dealing with the kernel patch
> packages.
What I didn't mention is that it would probably involve me bribing her to
deal with it; she doesn't find Debian to be quite worthwhile enough on its
own merits (she likes it, she just likes FreeBSD better, and has little
enough time to spare overall that short of someone making it worth giving
up what else she does, it isn't worth it).
This would be the primary reason she isn't already a DD, since the only
part of NM that would pose any issue at all is the wait (I can sign her
trivially, and passing the requirements is a no-brainer). But we don't
really need another developer not doing much most of the time, and I
have better uses of the money than paying her to work on it. :)
--
Joel Baker <fenton@debian.org> ,''`.
Debian GNU/NetBSD(i386) porter : :' :
`. `'
`-
In 2006,
Red Hat opened their main research site in
Brno, a small city in the
Czech Republic. The
Czech Republic had joined the
European Union (EU) in 2004.
Thanks to the Freedom of Movement policy of EU countries,
Red Hat could employ young male graduates from any other EU country and
bring them to work in
Brno without any uncertainty about residence permits and visas. Over
the years, thousands of young and predominantly male engineers came to work
for various multinational companies in this remote part of the
Czech Republic. At the same time, young women from eastern European
countries were all leaving small cities like
Brno and either moving to the capital,
Prague or moving to other cities like
London,
Paris and
Berlin. These arrangements created a huge imbalance. Thousands of
highly paid young single men found themselves competing for the very
small group of women who decided not to leave. A lot of the companies
started talking about the need for diversity programs. While
nobody says it out loud, it looks like these programs are intended to
increase the size of the dating pool in these offshore centers.
Official statistics tell us that
Brno has the highest suicide rate in the country.
When eastern European countries joined the EU, some of the western
countries like Germany and France introduced a temporary delay on
Freedom of Movement for workers. The delay didn't apply to
Freedom of Movement for wives and girlfriends.
This table shows us that workers from
Czech Republic could go to
the
UK immediately after joining the EU in 2004 but they could not
take jobs in
France until 2008 or
Germany until 2011. As a consequence, young women could use
Freedom of movement to marry somebody in a rich country but
many young men had to stay in the
Czech Republic. The young men who remained found themselves in direct
competition against the
Red Hat workforce for the last girlfriends who remained in
Brno.
During that period, I was living to the north of
London near to
Luton airport. Thousands of people from eastern Europe were arriving
every day on the low cost airlines. It was fairly easy to distinguish
the tourists from the people who were relocating. The people relocating
under Freedom of Movement had typically purchased the maximum
luggage allowance and arrived with their whole life in a suitcase that
was so overloaded it looked like it was about to burst. In particular,
a lot of the women who arrived like this were making the move alone with
no safety net. Their plan was to get off the plane and find a room,
a job and a husband. These are the women who the
Red Hat employees in
Brno missed out on.
In January 2006,
Raphael Hertzog infamously used the debian-devel-announce email
list to promote a message about an external product,
Ubuntu that not everybody is interested in.
Andrew Suffield adapted the subject line of
Hertzog's email to promote lesbians instead of
Ubuntu. Some people speculate
Suffield chose the word lesbian because it looks a little bit
like the word Debian and there are a disproportionate number of
LGBT people lurking in the mailing lists.
To: debian-devel-announce@lists.debian.org
Subject: For those who care about their packages in Ubuntu
From: Raphael Hertzog <hertzog@debian.org>
Date: Fri, 13 Jan 2006 23:35:24 +0100
Hello fellow Debian developers,
let me explain shortly why I'll speak of Ubuntu on a Debian announce
list. I know that many of you do not like the Canonical marketing saying
that "Ubuntu is contributing back" because the most visible official
contribution is scott's patch repository and that all other successful
collaboration has been made at the level of individual developers who are
"friendly to Debian" and not because Canonical's policy ask them to do
so.
[ ... snip ... ]
To: debian-devel-announce@lists.debian.org
Subject: For those who care about lesbians
From: Andrew Suffield <asuffield@debian.org>
Date: Sat, 14 Jan 2006 15:00:40 +0000
Since this sort of thing is apparently okay nowadays, and I know that
a lot of you like looking at lesbians, I'd like to share this with
you:
http://www.flickr.com/photos/63978244@N00/81351129/in/photostream/
[And for the sarcasm-impaired: debian-devel-announce is for Debian
development, not anything that you (or any other group of people)
happen to be interested in. Don't post irrelevant stuff here. It would
be a real shame if the list had to be moderated because people can't
exercise good judgement. Anything sent here should be of interest to
an overwhelming majority of Debian developers, *at least* - if you're
using phrases like "for those who care about X", it belongs somewhere
else, like X-announce.]
--
.''`. ** Debian GNU/Linux ** | Andrew Suffield
: :' : http://www.debian.org/ |
`. `' |
`- -><- |
The message links to this image. It is off-topic but the content is not
illegal in any western countries.
Excuse the pun, the tit-for-tat continued with even more messages
based on the same subject line template:
Not long after that, in May 2006, DebConf6 took place in Mexico. One of
the candidates in recent Debianism elections, Jonathan Walther (Ted),
brought a local woman, Hilda, to the conference dinner. People quickly
started the rumour that Hilda was a prostitute. Nonetheless, she was the
local dentist. To this day, dozens of messages about the rumour are
present online in various web sites and debian-private archives.
(more details about the rumours and DebConf6 fight).
To understand why there was so much gossip and aggression at the
DebConf6 dinner, you need to look at who really slept with who and then
read the story again. The leaked room list tells us that Holger was
sleeping with Amaya. Amaya helped start the rumour and Holger is the one
who ended up exerting physical pressure on the victim, Jonathan Walther
(Ted). When people are sleeping together, they don't always behave
rationally any more.
From: Joerg Jaspert <joerg@debconf.org>
To: rooms@debconf.org
Subject: Re: [Debconf-announce] Room allocation
In-Reply-To: <20060328120500.GA10651@localhost> (Margarita Manterola's message
of "Tue, 28 Mar 2006 09:05:00 -0300")
Organization: Goliath-BBS
[ ... snip ... ]
> * Who you would NOT like to share the room with.
I don't care that much who is in my room, as long as it's not
Jonathan/Ted "krooger" Walther or Jeroen van Wolffelaar or Amaya.
[ ... snip ... ]
Date: Fri, 31 Mar 2006 17:39:37 +0200
From: Adeodato Simó <dato@net.com.org.es>
To: rooms@debconf.org
Cc: Holger Levsen <debian@layer-acht.org>,
Jesus Climent <jesus.climent@hispalinux.es>,
Amaya Rodrigo <amaya@debian.org>,
Alberto González Iniesta <agi@inittab.org>,
Marcela Tiznado <mtiznado@linux.org.ar>,
Isaac Clerencia <isaac@debian.org>,
Jacobo Tarrío Barreiro <jacobo@debian.org>,
Javier Fernandez-Sanguino <jfs@computer.org>,
Ana Beatriz Guerrero López <ana@ekaia.org>
Subject: Room preferences for a bunch of ~Spanish people
Hey marga!
Some (mostly) Spanish people have been talking among us, and we'd like
to share room at DebConf. We've thought that it'll be easier for you
if we just write you one mail saying who we are, instead of each of us
mailing you privately with our preferences. :)
So, we'd like:
- a 6-sized room for both DebCamp and DebConf (from 5th to the end)
- a 4-sized room for DebConf only (from 13th to the end)
The involved people (in order of arrival, all of them CC'ed) are:
Holger Levsen <debian@layer-acht.org>
Jesus Climent <jesus.climent@hispalinux.es>
Amaya Rodrigo <amaya@debian.org>
Alberto González Iniesta <agi@inittab.org>
Adeodato Simó <dato@net.com.org.es>
Marcela Tiznado <mtiznado@linux.org.ar>
Isaac Clerencia <isaac@debian.org>
Jacobo Tarrío Barreiro <jacobo@debian.org>
Javier Fernandez-Sanguino <jfs@computer.org>
Ana Beatriz Guerrero López <ana@ekaia.org>
Thanks in advance,
In 2006, the GNOME people created the Outreach Program for Women (OPW),
which was subsequently renamed to Outreachy. The program pays young
female interns to associate with the developers. The women are not
expected and not always trusted to do development work themselves. Many
of the women were offered free trips to conferences all over the world.
Subject: Total world domination through therapy and free software!
Date: Sun, 31 Dec 2006 13:25:08 +0100
From: Amaya <amaya@debian.org>
Organization: Debian - http://www.debian.org/
To: debian-private@lists.debian.org
Russell Coker wrote:
> True. But we can only change some things and only in some areas.
Sure, we are just humans :)
> I will always have little sympathy for someone who complains bitterly
> about unfairness when by any objective metric they would be regarded
> as being in the most fortunate few percent of the world's population.
Yes, as in having clean tap water. Ack.
> Do you think it might be beneficial to have some group sessions at
> Deb-conf's to help us deal with these things?
I strongly believe in the group sauna effect :)
> Debian has a huge pile of money that is apparently not being spent,
> booking a good psychiatrist for a day for every DebConf would not make
> much of an impact on Debian finances and might have a good impact on
> productivity.
s/psychiatrist/therapist/
Maybe someone that is experienced in large voluntary communities could
give a talk, or workshop, or both.
It would be interesting to know whether anyone knows a person that could
help us this way. I could talk to some people if the idea doesn't look
stupid to the rest you the people reading this.
--
·''`. If I can't dance to it, it's not my revolution
: :' : -- Emma Goldman
`. `' Proudly running Debian GNU/Linux (unstable)
`- www.amayita.com www.malapecora.com www.chicasduras.com
By 2008, they were already talking about how they would recruit people's
teenage children. This was well before the
Debian pregnancy cluster started producing said children.
Subject: Re: [VAC] Going to the chapel ...
Date: Tue, 22 Jul 2008 16:12:29 +0200
From: Lionel Elie Mamane
To: debian-private@lists.debian.org
On Sat, Jun 28, 2008 at 03:29:27PM +1000, Russell Coker wrote:
> On Saturday 28 June 2008 14:32, Benjamin Seidenberg
> wrote:
>> The question is, will we accept parental signatures on the GPG keys?
> Why wouldn't you accept a parental signature? (...)
> Advocacy however is a different matter. We want advocates to not be
> excessively biased, and I'm sure that while growing up we have all
> seen adequate evidence of parents who think that their children are
> angels while everyone else knows the truth...
> Of course if a parent was to quietly encourage the NM people to keep
> their child in the queue for an extra year or two then I think we
> should accept such a recommendation.
I fail to see why this is obviously desirable; parents can also be
biased in the other direction, that is think their late teenage
children are like one-year olds that cannot cross the street without
their supervision.
--
Lionel
Around the same time, in June 2008,
Jeffrey Epstein made a guilty plea on two charges in state court.
He was sentenced to 18 months in a county jail, which is less
onerous than a state prison. He was authorised to participate in a
work release program whereby he could leave the prison for sixteen
hours per day, six days per week. It is rumoured that he was unhappy
with his probation officer and exploited political connections to have the
probation officer moved elsewhere.
Jeffrey Epstein worked as a schoolteacher before getting into finance.
Therefore, he is far more culpable than a twelve-year-old juvenile
offender like
Jeremy Bicha.
"I first met my wife at the “International Conference on OpenSource” 2009 in Taiwan. So OpenSource, Debian and me being some tiny wheel in the system wasn’t entirely news to her."
If any other random developer meets a woman at a conference they are insulted
and told that relationships are a bad thing. Yet for the oligarchs representing
Debian at events, it is open season on women. This relationship helped bootstrap
the Debian pregnancy cluster.
In 2010, Jeremy Bicha's older sister went to Bob Jones University. The
on-campus therapist gave her bad advice. The sister went to a more
victim-oriented off-campus center, Julie Valentine Center. After
counselling there, the victim and another sister, who is also a victim,
reported the abuse to police. US Navy investigators immediately
questioned Jeremy Bicha. He admitted the allegations about his childhood
are true. He was immediately terminated from Navy employment.
In August 2010, DebConf10 was in New York City. By this stage, we can see
Debianism had well and truly adopted a cult lifestyle. A group of couples
share rooms. They pretend we have no money while keeping it for
themselves. They are pretending that bringing your wife is diversity.
Shortly after Adrian von Bidder-Senn died, his wife, Diana von
Bidder-Senn sent an email revealing she was oblivious to what he was
doing on his computer. In hindsight, we can see that both Adrian and
Diana were tricked by Debianism in different ways:
Subject: Re: condolences for Adrian
Date: Mon, 25 Apr 2011 15:02:18 +0200
From: Diana von Bidder <diana@fortytwo.ch>
To: Stefano Zacchiroli <leader@debian.org>
Dear Stefano
Thank you for your wonderful mail! Yes Debian and people were very
important to Adrian. I was glad that he was not only sitting alone in
front of his computer but to know that there are people out there that
estimate him and are his friends even if most of you did not know each
other personally.
The way you describe him (empathy, calm, insight, ... - just the Adrian
I know) assures me on how good friends of Adrian are out there. And I
will always continue to think of this (in a good way!) when continuing
to use debian (which I became quite fond of because of Adrian).
It's a pity that he couldn't go to Banja Luca anymore which he did so
much look forward to. Anyway, I wish you all the best and hope you
continue your good work.
- Diana
The family asked for donations to AMICA Schweiz, a charity that
helps women abused during the conflict in the Balkan countries. People
argued about it on debian-private.
Subject: Re: Death of Adrian von Bidder
Date: Thu, 21 Apr 2011 08:56:04 +0200
From: Andreas Tille <andreas@an3as.eu>
To: debian-private@lists.debian.org
Hi,
I admit that e-mails about emotions tend to be turned into flames
and I do not want this here.
On Thu, Apr 21, 2011 at 07:24:59AM +0200, martin f krafft wrote:
> I suggest that we donate 200 CHF from the project (price of a nice
> wreath with writing). If there are other donators, please get in
> touch with me.
The donators of the Debian project intend to spend money for the
development of the Debian project. If we spend Debian money for a
wreath (or any form of replacement donation) this is not related to the
development of Debian. It is rather *us* *people* who say goodbye to
a friend. So the money should not come from project funds but rather
from single developers.
Saying this I would like to vote against spending Debian money but
rather doing a separate collection. I could live with some kind of "de
facto" collection like this: I will ask for Debian money for DebConf.
In case Debian project money is really spent for Adrian's funeral I'd
simply ask for 10Euro less than I would have done otherwise.
Please do not get me wrong: I'm in any case for showing that the Debian
community is sad about the death of Adrian. But I'm not convinced that
this purpose is in the interest of our donators and it finally comes
quite cheap for us individuals to simply spend Debian money.
Kind regards
Andreas.
--
http://fam-tille.de
In December 2011,
Martin Krafft describes
Debianism itself as a teenage culture. His fingers get a mention
in the email signature:
Subject: Mooing solves everything
Date: Wed, 7 Dec 2011 22:14:13 +0100
From: martin f krafft <madduck@debian.org>
Reply-To: madduck@debian.org
Organization: The Debian project
To: debian private list <debian-private@lists.debian.org>
[Writing to -private with Reply-To set, because this is clearly
a classified topic]
We know about super cow powers and swallowed elephants, and the
power of the Mooing.
What I want to do is collect cow-related stories of relevance to our
project, to prevent an inside joke from dying as Debian prepares to
exit teenagehood.
So, please hit me. What does Debian have to do with mooing?
--
.''`. martin f. krafft <madduck@d.o> Related projects:
: :' : proud Debian developer http://debiansystem.info
`. `'` http://people.debian.org/~madduck http://vcs-pkg.org
`- Debian - when you have better things to do than fixing systems
on the other hand, you have different fingers.
At the same time, in December 2011, a young transgender straight out
of an elite French high school was given a paid job in a student-run
Internet Service Provider, the
CR@NS network at
ENS Cachan. One of the older students, Debian Developer
Nicolas Dandrimont, was dating this vulnerable young person at
the same time as paying them and trying to help them
get Outreachy money. Recall the original discussion about offering
money for transgender participation many years prior. Offering
these people moral support may be acceptable but offering large
sums of "diversity" money at a point when they are unsure of their
identity appears to be highly unethical.
Subject: DM application of Jeremy Bicha
Date: Fri, 30 Mar 2012 18:58:41 -0400
From: Jeremy Bicha <jbicha@ubuntu.com>
To: debian-newmaint@lists.debian.org
CC: Jordi Mallach <jordi@debian.org>, Michael Biebl <biebl@debian.org>,
Sebastien Bacher <seb128@debian.org>, Martin Pitt <mpitt@debian.org>
This is my declaration of intent to become a Debian Maintainer
<URL:http://wiki.debian.org/DebianMaintainer>.
I have read the Social Contract, Debian Free Software Guidelines and
Debian Machine Usage Policy and agree with all of them.
Currently, I maintain the package kabikaboo
and I co-maintain the GNOME packages with the Debian GNOME Team.
My GnuPG key EBFE6C7D is signed by the Debian Developer Andres Mejia.
I look forward to becoming a Debian Maintainer. Thanks for your attention.
Jeremy Bicha
--
Archive: http://lists.debian.org/4F763AA1.1050503@ubuntu.com
Subject: Re: DM application of Jeremy Bicha
Date: Tue, 3 Apr 2012 07:24:13 +0200
From: Martin Pitt <mpitt@debian.org>
To: Jeremy Bicha <jbicha@ubuntu.com>
CC: debian-newmaint@lists.debian.org, Jordi Mallach <jordi@debian.org>, Michael Biebl <biebl@debian.org>, Sebastien Bacher <seb128@debian.org>
Hello Jeremy,
Jeremy Bicha [2012-03-30 18:58 -0400]:
> This is my declaration of intent to become a Debian Maintainer
> <URL:http://wiki.debian.org/DebianMaintainer>.
>
> I have read the Social Contract, Debian Free Software Guidelines and
> Debian Machine Usage Policy and agree with all of them.
>
> Currently, I maintain the package kabikaboo
> and I co-maintain the GNOME packages with the Debian GNOME Team.
I've seen your great activity in both Debian's and Ubuntu's GNOME
team. You have demonstrated the ability to deal with nontrivial
packaging situations, a sustained enthusiasm and dedication, and good
collaboration with upstream as well. I fully support your application
for DM, thanks!
Martin
--
Martin Pitt | http://www.piware.de
Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)
On 15 May 2012, minutes of the GNOME Foundation tell us that Jeremy Bicha
was one of six people given voting rights in the foundation. Many open
source developers have never had the right to vote in any of these
incorporated bodies. It appears that Jeremy Bicha was able to renew his
membership and thereby maintain this status even during his subsequent
prison term.
In April 2013, the
Debianists decided to start offering money to young women under the disguise of
Outreach Program for Women (OPW), which was later renamed to
Outreachy. The Debian
constitution explicitly says that contributors must be volunteers. Therefore,
the payments to these young women are illegal under the constitution and may
be illegal in other ways too.
...
3.2. Composition and appointment
Developers are volunteers who agree to further the aims of the Project insofar as they participate in it, and who maintain package(s) for the Project or do other work which the Project Leader's Delegate(s) consider worthwhile.
...
Here is one of the early advertising banners promoting the illegal payment of
$4,500. The
GNOME Foundation logo is on the woman's foot. It is an uncanny coincidence
the logo strongly hints at the unison of male and female genitalia:
In July 2013, I publicly resigned from the Australian Labor Party (ALP)
due to abuse of female asylum seekers from Iran. In the resignation
email, which was leaked to Australian political news site Crikey, I
compared the scandal to the Catholic abuse scandal. I think this may be
the first time my name was on the public record as a supporter of
victims. This was well before the Spotlight movie and the #MeToo
phenomenon; therefore, it can't be suggested that those later revelations
influenced the strong words used in my resignation in 2013.
In September 2013,
Jeremy Bicha was convicted and sentenced to three years in a state prison.
The state prison is a far more onerous punishment than the county jail where
Jeffrey Epstein was briefly incarcerated. The duration of
Jeremy Bicha's sentence is double the 18 month sentence imposed on
Epstein.
At the sentencing,
Bicha's defence lawyer asked the judge not to put his name on the list of
registered sex offenders. This is a controversial topic. The
police have also asked the judges not to automatically put every criminal
like this on the list. The more pragmatic police commanders want these lists of
registered sex offenders used for those pathological predators who never
truly change their ways. Looking at the allegations against
Bicha, he personally stopped offending at 15, during his childhood and there
is no evidence he is committing similar crimes as an adult. To put it another
way, if a child goes missing, the local
police want to be looking at a list of the top twenty lifetime sex
offenders who are dangerous enough to deserve a house call. If the police are
confronted with a list of over a thousand
registered sex offenders in their district they have no way to know
which of those people to visit first.
In Australia and other countries, the media is normally prohibited from
publishing the names of juvenile offenders. In a way, the young boys
are considered victims of their parents' failures. On that basis, they
have a right to privacy equivalent to the rights of the abuse victims.
This type of restriction doesn't appear to be applicable in the United
States. Nonetheless, if the local pastor and schoolteacher were not part
of the story, it is unlikely the newspapers would publish the story at
all.
In November 2013,
Paul Tagliamonte sent the following message to the leaked
debian-private email list. It concerns a young woman who
applied for the
OPW / Outreachy money. Why are these men always thinking about the
age-of-consent when women are mentioned?
Subject: Re: OPW Student in Kingston, Jamaica
Date: Mon, 25 Nov 2013 13:39:12 -0500
From: Paul Tagliamonte <paultag@debian.org>
To: Joachim Breitner <nomeata@debian.org>
CC: debian-private@lists.debian.org
On Mon, Nov 25, 2013 at 06:37:36PM +0000, Joachim Breitner wrote:
> Hi,
>
> Am Montag, den 25.11.2013, 13:18 -0500 schrieb Paul Tagliamonte:
> > She's got a PhD, so I think this could also be a good beersigning, if
> > she drinks.
>
> not having a PhD yet I wonder what expects me: Will I be a better
> drinker after I get the degree? Or a better keysigner? /me is confused.
It simply means she's likely of age in her jurisdiction. All I was
saying is that she's not a high school student.
Cheers,
Paul
--
.''`. Paul Tagliamonte <paultag@debian.org>
: :' : Proud Debian Developer
`. `'` 4096R / 8F04 9AD8 2C92 066C 7352 D28A 7B58 5B30 807C 2A87
`- http://people.debian.org/~paultag
The next time you defend a predator and say,
’Oh, he was just a child,’ remember the faces
of the innocent little ones whose childhood was stolen.
I have mixed feelings about that. It was not "just a child". As the
judge told us, it was the child and the negligent adults together who
left
Jennifer Bicha to suffer this torture. Many other legal cases
have made similar conclusions, including one high profile case where they
recently decided parents were guilty when their child engaged in a schoolyard
shooting spree.
On 3-4 May 2014, the first OSCAL conference took place in Tirana,
Albania. (Fedora wiki page). Photos released by the conference organizers
suggest over eighty percent of the participants were young women. In
every other country, we would normally see the gender statistics
reversed. In Albania various theories have appeared about why large
numbers of women came to these events. Some of the women have ended up
moving to the city of Brno in the Czech Republic.
On 13 July 2014, Italian newspaper La Repubblica published a report about
an interview between Pope Francis and editor Eugenio Scalfari. The late
Pope Francis allegedly told Eugenio Scalfari that his own advisors have
suggested that two percent is an accurate estimate of the number of
priests who are paedophiles. He deplores their behaviour but on the other
hand he insists it is no higher than the percentage of paedophiles in any
other profession.
"Among the 2% who are paedophiles are priests, bishops and cardinals. Others, more numerous, know but keep quiet. They punish without giving the reason,"
"I find this state of affairs intolerable,"
The comment about punishments resonates with many of the
Debianism scandals over the years.
Likewise, the two percent estimate can be applied to large free software
organisations like
Debianism and the
FSFE misfits. These groups typically have a few hundred core participants
and a few thousand loosely affiliated contributors. In the recent
Debianism election, a thousand people were registered to vote. Two percent
of that is twenty paedophiles.
In August 2015, according to reports from the high-profile hush-money trial,
Donald Trump, his lawyer
Michael Cohen and National Enquirer editor
David Pecker had a meeting and agreed on a catch-and-kill plan. It was
alleged that if any woman tried to sell a story about
Donald Trump,
Pecker would buy exclusive rights to the story and then keep the story
hidden until after the election. Similar plots have been created in
open source software communities.
Debianists created the "anti-harassment" team. Fedora has a
"Community Team". These teams pretend to listen to complaints. If a woman
ever makes a complaint about one of the oligarchs or the men employed
by the controlling corporations then the story is covered up.
The woman who made the complaint will receive a polite response but
she will not be invited to any more events. The same theme emerged in the
Harvey Weinstein saga. Harvey Weinstein's team was afraid some women
posed a risk. They told other movie producers to avoid the women and lock
them out of the industry. Eventually, Lord of the Rings director Peter
Jackson admitted he had excluded some actresses after receiving Harvey
Weinstein's warnings to avoid them. This is the same phenomenon described
by Lunduke in his report Fedora's Code of Conduct: 200 Day Response Time,
Only Protects You if Red Hat Likes You.
In November 2015, the movie Spotlight was released in cinemas. It is a
biographical film based on the 2002 Spotlight investigation that exposed
the phenomenon of clerical abuse in Boston. A lot of Catholics and people
from other religions have watched the film. In one of the key scenes in
the movie, they discuss the research of Richard Sipe, who suggests that
two percent of men in the general population are paedophiles but the rate
in the Catholic abuse context is alleged to be six percent. Many people
have speculated whether or not the figure is true and whether the church
is really responsible for it or whether it is some factor out of their
control.
There are approximately one thousand developers in
Debianism today. If two percent are paedophiles that would be twenty
men. We only know the identity of one,
Jeremy Bicha. Who are the other nineteen? We have evidence about
Elio Qoshi's underage girlfriend but in that case,
Qoshi is not a Debian Developer so he is not in the same group for
statistical purposes.
Looking at the culture of
Debianism, it has some awkward similarities to the
Catholic abuse crisis. Therefore, we need to consider the possibility
that the percentage of Debian Developers who are paedophiles, like the
percentage of priests, may be above the two percent average for the
population. If six percent of Debian Developers are paedophiles, that is
sixty paedophiles.
Subject: Jacob Appelbaum and harrassement
Date: Wed, 15 Jun 2016 13:48:53 +0200
From: Mehdi Dogguy <leader@debian.org>
To: debian-private@lists.debian.org
Hi all,
Jacob Appelbaum is currently facing some serious accusations in other
communities, and DAMs are aware of at least two Debian Developers who
have lived and have witnessed situations that are a clear case for
worry.
[ ... snip defamation crap ... ]
None of the emails really tells us what is a "clear case for worry",
to this day, it is still not clear at all.
In contrast, the accusations against
Jeremy Bicha were very clear. He is accused of abusing his little
sisters and at least two other victims. He admitted these accusations
too.
Notice it is a lot like the vendetta against
Ted Walther from
DebConf6. He never committed any crime but after somebody spread a
rumour that his female friend was a prostitute, it took barely one hour
for the whole conference dinner to turn against him and erupt into
violence.
In both the case of
Ted Walther (2006) and
Dr Jacob Appelbaum (2006), the rogue
Debianists have been far too arrogant to admit the rumours were falsified
and give these men and their families the apology they deserve. Yet they are
asking us to ignore the very real abuse convictions against
Jeremy Bicha and welcome him with open arms.
In April 2017,
Chris Lamb was elected for the first time as the leader of
Debianism. One week later, the Fellowship elected me as their
representative to the
FSFE misfits in Berlin. From this point on,
Chris Lamb appeared to be jealous and resentful that another
Debian Developer was in a leadership position in the community.
Today, we see a similar rivalry between the US President
Donald Trump and the other American head of state,
Pope Leo from Chicago.
When women had complaints about certain oligarchs, they had a choice
between going to
Chris Lamb or telling me about it in my capacity as
Fellowship representative.
Women were coming to me with evidence about problems in the community.
Some of the large corporations would have preferred to see those women
reporting problems through channels controlled by the corporations.
To: Jeremy Bicha <jbicha@ubuntu.com>
Cc: debian-newmaint@lists.debian.org, nm@debian.org, archive-184@nm.debian.org
Subject: Re: Jeremy Bicha: Declaration of intent
From: Andreas Henriksson <andreas@fatal.se>
Date: Fri, 12 May 2017 08:55:11 +0200
Hello!
I have personally worked with Jeremy Bicha <jbicha@ubuntu.com> in the
pkg-gnome team where he has been an outstanding contributor for a
sufficiently long time and I know jbicha having full unsupervised
unrestricted upload access to the archive would benefit us in the
team and likely also Debian as a whole on an even wider scale
than before.
I'm aware Jeremy is also very active in Ubuntu and GNOME upstream.
I find it that Jeremy is very good at interacting with upstream as
well as avoiding/resolving conflict or disagreeing opinions, which
means he has at least two skills that I think we should have more
people like in Debian.
For any AM tasked to question Jeremy I would say you can skip
any regular packaging related questions. If you want to give
him some challenge you might want to focus on a more complicated
philosophical question or ask him specifically about Debian
infrastructure and procedures related to those (as he mainly
uploads to Ubuntu and AFAIK has only very limited usage of his
DM privileges because of the pkg-gnome streamlined sponsorship
workflow).
But to be frank, please consider just fast-forwarding jbicha through
the entire process because any potential knowledge-gap he might
have I'm more than sure we can discuss and handle those within
the pkg-gnome team which has many very experienced DDs that would
happily assist jbicha if needed.
Regards,
Andreas Henriksson
Here is the other advocacy:
To: debian-newmaint@lists.debian.org
Cc: Jeremy Bicha <jbicha@ubuntu.com>, nm@debian.org, archive-184@nm.debian.org
Subject: Jeremy Bicha: Advocate
From: Gianfranco Costamagna <locutusofborg@debian.org>
Date: Fri, 12 May 2017 09:25:12 -0000
I support Jeremy Bicha <jbicha@ubuntu.com>'s request to become Debian Developer, uploading.
I have worked with Jeremy Bicha for quite some time, even if I sponsored just a few packages for him (in Debian).
His work is excellent, he really cares about keeping his packages in a good shape, he cares about transitions and he is quick in reacting when problems are found.
Debian will benefit a lot from his work.
I have personally worked with Jeremy Bicha <jbicha@ubuntu.com> (key 4D0BE12F0E4776D8AACE9696E66C775AEBFE6C7D) for X time,
and I know Jeremy Bicha can be trusted to be a full member of Debian, and have unsupervised, unrestricted upload rights, right now.
Thanks Jeremy for finally starting the process!
Gianfranco
Those are very positive things to write about somebody who has just been
released from prison on parole.
On the weekend of 13 and 14 May 2017, the fourth OSCAL conference took
place in Tirana, Albania. A girl of fifteen or sixteen years of age
created an online profile for herself in the Discourse forum software
used by the Albanian Open Labs group. We subsequently learnt this was the
girlfriend of Elio Qoshi, one of the Albanian ringleaders.
At exactly the same time they are processing Jeremy Bicha's ordination as
a Debian Developer, we saw Dominik George going through exactly the same
process. Messages about Dominik George explicitly refer to children:
To: Dominik George <nik@naturalnet.de>
Cc: debian-newmaint@lists.debian.org, nm@debian.org, archive-175@nm.debian.org
Subject: Re: Dominik George: Declaration of intent
From: Holger Levsen <holger@layer-acht.org>
Date: Mon, 15 May 2017 14:09:15 +0000
Hi,
sorry for the delay in writing this…!
On Mon, Apr 24, 2017 at 06:54:13PM -0000, Dominik George wrote:
> I would like to apply to change my status in Debian to Debian Developer, uploading.
yay, this is pretty good news for Debian and for Debian Edu and probably a
bunch of others! :-)
I've met Dominik the first time for "real" (*) at the Debian Edu gathering
in Oslo in December 2016 where I could see him working & discussing and also
learned a few things he does outside Debian, which also involves computers,
kids & schools.
(*) we've briefly bumped into each other before and said hi or so :)
http://layer-acht.org/thinking/blog/20161221-debian-edu-sprint-in-oslo/
shows him wearing a DebConf15 t-shirt, so you might have met him too ;)
Not related to Debian, but very much showing his dedications,
is that he is involved in another project with kids + young adults, which
in the last years brought 20-30 young adults to the chaos communication congress:
https://www.teckids.org/hacknfun_2016_xmas.htm
The technical discussions we had in Oslo, plus the ones I've seen on IRC,
plus the questions he had and the attitudes he showed make me believe that
Dominik will be a great DD and contributor to our project and beyond!
I cannot fully vouch for him technically, as we work on different areas in
Debian Edu and I've only reviewed bits of his work, but I'm confident he'll
manage NM well! So I'm much looking forward to him becoming a DD!
--
cheers,
Holger
I will progress this application and assign an application manager shortly, but the key issues need to be resolved before the application can be finalised. Please work with your AM on that.
Where he writes "key issues", he is referring to issues with the PGP key.
There is no reference to the abuse.
Subject: Jeremy Bicha: Application Manager report
Date: Tue, 08 Aug 2017 21:09:52 -0000
From: Gunnar Wolf <gwolf@gwolf.org>
To: debian-newmaint@lists.debian.org
CC: Jeremy Bicha <jbicha@ubuntu.com>, archive-184@nm.debian.org,
nm@debian.org
I have reviewed Jeremy Bicha's answers for the NM process, and am more
than satisfied by them. I have also been approached in DebConf by his
team mates, who very strongly recommended him as a DD. I am of the
opinion the project will win quite a bit having him as a full DD with
unimpeded upload rights.
Gunnar Wolf (via nm.debian.org)
--
https://nm.debian.org/process/184
People are cheering him on:
Subject: Re: Jeremy Bicha: Application Manager report
Date: Tue, 8 Aug 2017 18:17:15 -0400
From: Andrew Shadura <andrew@shadura.me>
To: debian-newmaint@lists.debian.org
CC: Gunnar Wolf <gwolf@gwolf.org>, Jeremy Bicha <jbicha@ubuntu.com>
On 8 August 2017 at 17:09, Gunnar Wolf <gwolf@gwolf.org> wrote:
> I have reviewed Jeremy Bicha's answers for the NM process, and am more
> than satisfied by them. I have also been approached in DebConf by his
> team mates, who very strongly recommended him as a DD. I am of the
> opinion the project will win quite a bit having him as a full DD with
> unimpeded upload rights.
Yay! Congrats! :)
--
Cheers,
Andrew
From 14 to 18 July 2017, the
Digital-Born Media Carnival was held in Kotor,
Montenegro. Some of the women from open source software groups in
Kosovo and
Albania attended. Kotor is an ancient seaside village without any
modern high-rise tourist accommodation. Visitors stay in bed and breakfast
accommodation or holiday houses. On the last night of the carnival, there
was a party by the waterside. The next morning, as we were departing, I
saw one of the
Albanian women coming out of a holiday house that had been rented by
a group of men from another country. There was a bit of hand-holding and
a kiss goodbye. Every time the woman is selected for an internship or
a conference speaking opportunity, over and above every other woman in
the community, I remember that last day in Kotor.
If you are involved in a sports club and you observe somebody had
a one night stand with another member you might not feel any need
to mention it or cause embarrassment. However, open source software
hobbyists are claiming to be a model of integrity, merit and security.
Social engineering attacks are often rated as the biggest risk
to modern organisations and their IT systems.
Shortly after that, the
Open Labs non-profit in
Albania had their birthday party in the hackerspace. At least two
underage people were there and at least one of the other women identified
them to me. Separately, women had told me that the youngest girl was
dating the co-founder of the group
Elio Qoshi. They told me a lot of things about
Elio Qoshi, I observed some of those things with my own eyes and I
observed written evidence in requests for travel funding that confirmed
what the women had told me in person. Eighty percent of the group were
female but a lot of the money did not go into the non-profit bank account.
The money was managed by an accountant but there were rumours that the
same accountant was also managing the bank accounts for
Elio Qoshi's consulting company. The women on the committee had never
seen a balance sheet or a profit & loss statement for the non-profit
entity.
In September 2017, they promoted an event called
FOSSCamp. Instead of organising it in
Albania, they decided to organise it in a more expensive destination,
Greece and they asked bigger organisations to pay the travel
expenses for a group of people, many of whom were simultaneously
members of the non-profit but also employees of
Elio Qoshi's commercial enterprise. Questioning them about the
event budget, we reached the point where
Elio Qoshi admitted that one of the amounts charged to the bigger
organisations like
Debian was really a payment for his effort organising the event.
The women who collaborated on the organisation did not receive any
equivalent payment. Yet each woman was asked to send a request to
Debian,
Mozilla,
Wikimedia and maybe other organisations asking for diversity funds
to pay the bus fares, ferry tickets, accommodation and management fee.
In the photos from the conference in May 2017, we could see over twenty
young female students participating. Yet women told me that access to
the trip to
Greece was more tightly controlled. Women needed to get permission
to join this trip.
Various people noticed that two or three men were acting as gatekeepers
and rationing funding and travel opportunities for all the women.
Chris Lamb and I were both warned that something dishonest was
happening. I asked questions but
Lamb didn't want to spoil whatever was going on there.
Here is an example where one of the men is giving one of the women,
Anisa Kuci, permission to go on the trip to
Greece:
Subject: Re: Debian at FOSScamp - funding request
Date: Sun, 13 Aug 2017 19:01:58 +0300 (EEST)
From: Giannis Konstantinidis <giannis@konstantinidis.cc>
To: Chris Lamb <lamby@debian.org>, Silva Arapi <silva.arapi@gmail.com>
CC: leader@debian.org, treasurer@debian.ch, auditor@debian.org,
daniel@pocock.pro, Redon Skikuli <redon@skikuli.com>, ping@anisakuci.com
Hey everyone,
just wish to inform you that unfortunately, due to unforeseen external
factors, I won't be able to make it. I'd like to thank the Debian
community for the generous support. We will stay in touch.
To make sure Debian makes the maximum possible impact at FOSSCamp, I'd
like to suggest Anisa Kuci (cc'ed) takes my place. Anisa has been a
longtime experienced member of Open Labs Hackerspace, co-organized OSCAL
and is very much interested in further contributing to Debian.
Thanks once more. I wish the best success to Debian and your
participation in FOSSCamp.
Kind regards,
-Giannis K.
Something was not right about this. It is clear that
Chris Lamb, as the leader of
Debianism, had been informed about it since this moment in time
or earlier.
Some women see this type of thing as a sport and they actively seek to
join organisations where they can take shortcuts. Other women were
attracted by the promise of an educational or philosophical project,
they contributed their time and skill helping one or two events in
Albania and then discovered that to qualify for a trip abroad, they
had to do the same things the girlfriends were willing to do. Some
of the women felt even more strongly about this, as it impacts their
professional relationships and job searching, they feel the male
gatekeepers are blackmailing them for sex.
In September 2017,
Jeremy Bicha introduced himself on the debian-private (leaked)
gossip network. He stated he is from
Florida and presented himself as a victim of a woman called Irma
(the hurricane):
Subject: Re: Irma
Date: Sun, 10 Sep 2017 13:52:08 -0400
From: Jeremy Bicha <jbicha@debian.org>
To: debian-private@lists.debian.org
On Sep 8, 2017 15:55, "Jeremy Bicha" <jbicha@debian.org> wrote:
I intend to follow-up on this list on Monday to let you know I'm ok.
Monday is probably too optimistic because of widespread power outages, but I'll check in when I can.
Jeremy Bicha
Subject: Open Labs / Tirana issues
Date: Thu, 12 Oct 2017 18:15:17 +0200
From: Daniel Pocock <daniel@pocock.pro>
To: Larissa Shapiro <lshapiro@mozilla.com>
CC: Kristi Progri <kristi@kristiprogri.com>
Hi Larissa,
I understand you have received some feedback about issues in Tirana
I was there from 27 September - 5 October and observed some of the
troublesome behavior and the impact on people like Kristi.
The behavior towards Kristi and some of the other women is wrong. I can
also see a danger that challenging the people or their behavior may
split the Open Labs group. Nonetheless, I suggested to Kristi and Anisa
that they should put their own wellbeing first.
I sent a funding request to the Outreachy organizers to sponsor Kristi's
trip to Prishtina where she gave a talk at our Mini DebConf. When I
mentioned this funding in the hackerspace, Redon queried this quite
strongly. I don't feel it is any of his business though if I want to
recommend somebody for funding. The following day, Kristi told me that
Redon had called her and shouted at her. The shouting was apparently
witnessed by other women in the hackerspace with Redon. I reported the fact there are problems in the Debian anti-harassment process.
Various people told me that travel sponsorship should be "shared" and
this attitude seems to be connected with Redon's behavior.
I've told Kristi that she did nothing wrong and did not deserve to be
shouted at.
Another problem that occurred to me is that one person who received
Mozilla travel funding, [ .. redacted ..], is 16 years old and is not
legally an adult.
[ .. redacted .. ]
Regards,
Daniel
The discussion continued. The underage risk was acknowledged on the
Mozilla side:
Subject: Re: Open Labs / Tirana issues
Date: Fri, 13 Oct 2017 23:12:14 +0200
From: Daniel Pocock <daniel@pocock.pro>
To: Emma Irwin <eirwin@mozilla.com>, Larissa Shapiro <lshapiro@mozilla.com>
CC: Kristi Progri <kristi@kristiprogri.com>
[ .. redacted .. ]
> I can comment on under-aged contributors - we do have those from time to
> time, and usually on trips at least parents or chaperon are required.
>
Having underage contributors is not an issue itself and I have no
objection to that.
The issue arises when other groups or businesses align themselves with
local Mozilla groups and seek to benefit from those contributors. I'm
not sure how to deal with that risk completely but there are probably
some things Mozilla could do in that area.
Regards,
Daniel
The discussion about underage continued in more emails:
Subject: Re: Open Labs / Tirana issues
Date: Sat, 14 Oct 2017 08:27:24 +0200
From: Daniel Pocock <daniel@pocock.pro>
To: Larissa Shapiro <lshapiro@mozilla.com>, Emma Irwin <eirwin@mozilla.com>
CC: Kristi Progri <kristi@kristiprogri.com>
On 14/10/17 01:51, Larissa Shapiro wrote:
> I'm not sure, but I can seek legal advice on this matter. In my view,
> there is the potential there for other organizations to take advantage
> of these kids.
>
Even if there is no legal problem (in some countries the laws are very
weak), there is also a risk to the reputation of Mozilla and free
software in general.
I wonder if there are other organizations concerned with children's
safety who can help free software organizations develop a reasonable
approach to this risk?
I realize no organization can stamp this out 100%, but there may also be
some little things that can be done to help reduce risk. E.g. maybe
when Mozilla funds travel, requiring the parents to fill out a chaperon
form that must be submitted with receipts, so Mozilla gets the parent's
contact details and the parents see some child safety text on the form.
Somebody trustworthy could sporadically contact parents and the underage
contributors to sniff out any hints of trouble.
Regards,
Daniel
A few weeks later...
Subject: Re: Open Labs / Tirana issues
Date: Wed, 20 Dec 2017 09:19:39 -0800
From: Emma Irwin <eirwin@mozilla.com>
To: Daniel Pocock <daniel@pocock.pro>
Hi Daniel,
Would you be willing to talk to Marta (HR Investigator) and myself about Redon & Elio and your experiences and what you have witnessed?
Thank you
Having informed at least three other organisations who funded this racket,
including
Debian and
Mozilla, my conscience is clean. Nobody can accuse me of protecting an
abuser.
On 25 February 2018,
Jeremy Bicha submits an advocacy for another
Ubuntu developer,
Tim Lunn to become a Debian Developer:
Subject: Tim Lunn: Advocate
Date: Sun, 25 Feb 2018 15:07:40 -0000
From: Jeremy Bicha <jbicha@debian.org>
To: debian-newmaint@lists.debian.org
CC: Tim Lunn <tim@feathertop.org>, archive-455@nm.debian.org
For https://nm.debian.org/process/455/ on 25 February 2018 :
I support Tim Lunn <tim@feathertop.org>'s request to become Debian
Maintainer.
I first started working with Tim in 2012 on packaging for the Ubuntu GNOME
project. Without Tim, Ubuntu GNOME would not have survived.
Tim and I have been interested for a while in reducing the diff and
duplication of work between Debian and Ubuntu with GNOME packages. Tim
getting upload rights to these packages will help with this goal and will
help make Debian GNOME better for our users.
I have personally worked with Tim Lunn <tim@feathertop.org>
(key 0E0880479A6F1063372395275B39C0A1153ACABA) for several years, and I
know Tim Lunn can be trusted to have upload rights for their own packages,
right now.
Thanks,
Jeremy Bicha
In early March 2018, I posted a message in the
Albanian open labs forum asking why some of the money from the non-profit
Open Labs group was being diverted to a private company,
Ura Design, controlled by
Elio Qoshi. I had observed the women were doing all the work for
free in the non-profit association but some of the men were getting
financial benefits out of that work.
The
Albanian ringleader
Elio Qoshi admits complaining to
Chris Lamb, leader of
Debianism, to help cover up the conflicts of interest. In fact,
the relationship between
Open Labs and
Ura Design was analogous to the relationship between
Debian and
Freexian. Although in this case, it was worse, because there was
also the underage problem. Would the leader of
Debianism put the protection of an
Albanian pimp with an underage girlfriend ahead of the work done
by a real Debian Developer?
Subject: [English] FOSScamp 2017 @ Syros, Greece
Date: Mon, 05 Mar 2018 12:16:45 +0000
From: Elio Qoshi <info@openlabs.cc>
Reply-To: Open Labs Hackerspace Forum <forum+ecf37220dfcc7e2ec1a56392b7b00781@openlabs.cc>
To: daniel@pocock.pro
[ ... snip ... ]
I will try to keep this short but I’m not sure how much I will succeed in that, as this will definitely be the last reply from my side here. I have reached out to the Debian Project Leader to close this issue once and for all.
[ ... snip ... ]
On 5 March 2018 I wrote to women from
Albania asking them to share copies of evidence about
Elio Qoshi hurting and exploiting women. The Debianism leader
Chris Lamb immediately barged in with the comments:
Subject: Re: "free travel"
Date: Mon, 05 Mar 2018 16:40:00 +0000
From: Chris Lamb
To: Daniel Pocock , Anisa Kuçi
CC: leader@debian.org, larjona@debian.org, antiharassment@debian.org
[Adding antiharassment to CC]
Daniel Pocock wrote:
> If Elio or anybody else has made any other comments like this on the
> private members channel or Telegram and you want to discuss them with me
[..]
Anisa, please feel free to drop Daniel from any replies you wish to make, if
you even wish to do so.
(Daniel, thank you for your concern but we have got it from this point
onwards. There will be no need for you to reply further on this thread.)
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org / chris-lamb.co.uk
`-
This is the catch-and-kill strategy that had been described
earlier. When women had a story about
Donald Trump, they were encouraged to give the story to the
National Enquirer and not talk to anybody else. What we see is the leader of
Debianism knew about
Elio Qoshi and he didn't want me, as the Fellowship representative,
making an independent assessment of the underage scandal.
In the
Catholic abuse crisis many senior cardinals and bishops are alleged
to have known about abuse and failed to protect people. In the
specific case of
Gerald Ridsdale described earlier, one of the victims, his nephew
David Ridsdale told the Royal Commission that the late
Cardinal George Pell had offered him a bribe for silence. The
woman corresponding with
Chris Lamb and me was
Anisa Kuci. She was given a series of free trips around the world,
internships and eventually a job at
GNOME.
At the time of that exchange,
Anisa Kuci ignored
Chris Lamb's condescending words and replied in full:
Subject: Re: "free travel"
Date: Mon, 5 Mar 2018 23:51:28 +0100
From: Anisa Kuci <anisakuci9@gmail.com>
To: larjona@debian.org
CC: Chris Lamb <lamby@debian.org>, Daniel Pocock <daniel@pocock.pro>,
leader@debian.org, antiharassment@debian.org
Hello Chris, Daniel, Laura,
Thank you very much for being so supportive.
I read the comments on the thread and to be honest I am really sad that
Elio [Qoshi] said that. It is not true at all.
They (Elio [Qoshi] & Redon) pretend to support women but on the other hand their
behavior towards many of us shows the opposite.
Daniel I feel bad because you have encouraged and helped not only me,
but so many other people, no matter if they are Open Labs members or
not, and also all the attendees from Kosova to learn new things, to work
and improve their skills and knowledge. They are doubting your good
intentions just to remove the attention from the shady things that they
are doing.
The free travel comment is really offensive to me and I feel it should
be offensive to every woman who is part of the community.
I have been contributing and supporting Open Labs since its early days,
and I have put a lot of effort and time, I do this because I believe in
what it is meant to stand for and without waiting something in exchange,
but the situation lately has been not very positive. Daniel has been
present by chance in few cases where situations have been very hard to
go through.
I would definitely like to talk to any of you and tell you more about
everything that is happening here, it's fine to me whether it is a video
call, call or just emails.
Please tell me what would be more convenient to you.
Kind greetings,
Anisa
In May 2018, immediately after that lunch, the
FSFE misfits modified their constitution to
remove the elections for Fellowship representatives. I was the last
person elected as a Fellowship representative before the democracy was
trashed. The
FSFE misfits count
Google and
Red Hat as significant sponsors and they didn't want the Fellows to
have a voice if that voice may not be identical to the voice of the
corporate overlords.
In June 2018, the women from
Albania were offered sponsorship for travel to
DebConf18 in
Taiwan. For the cost of transporting one woman from
Albania to
Taiwan, you could transport five women from countries that are much
closer in south-east Asia.
Subject: Re: [rt.debian.org #7328] DebConf travel pre-payment requests
From: Martin Michlmayr
Time: Fri Jun 29 08:56:42 2018
* Hector Oron [2018-06-28 10:55]:
> I added Martin to the list, he'll be taking care of flight ticket
> purchase if you send him flight details.
This has been taken care of.
--
Martin Michlmayr
https://www.cyrius.com/
Here is an example from a male intern who was waiting for payment long after
DebConf15 finished:
Subject: Re: [Soc-coordination] DebConf travel / GSoC student payments?
Date: Wed, 25 Nov 2015 00:25:18 +0530
From: Komal Sukhani <komaldsukhani@gmail.com>
To: Michael Schultheiss <schultmc@spi-inc.org>
CC: treasurer@spi-inc.org, soc-coordination@lists.alioth.debian.org
Hi Michael,
I still haven't got the DebConf travel reimbursement. Have you made the payment?
Sorry for trouble.
On Mon, Nov 2, 2015 at 9:54 AM, Michael Schultheiss <schultmc@spi-inc.org> wrote:
Apologies for the delays in payments. I should have the payments processed this week and payments should be received in approximately 1-2 weeks.
Pictures appeared during the conference showing us
Lior Kaplan from
Israel with his arm around a young woman. This is the same woman who had
her ticket purchased in advance.
In July 2018
Enrico Zini gave a talk titled "Multiple People" at
DebConf18 in
Taiwan. There have been a series of these talks over the years where
these men seek out introverted young male developers who lack confidence.
Remember the case of the young French transgender
recruited straight out of high school. This slide appears to be
telling us that paedophiles and
registered sex offenders are welcome:
Spectrum (Enrico Zini)
Every color is ok.
Think about who you are,
not about who you should be.
In July 2018,
Debianists were having a discussion about whether the weboob
package should remain in Debian or be removed. Here is one of the private
emails about it. Notice they want to remove the package that makes vague
references to female anatomy but they welcomed the guy who is on parole
for sex crime against his little sisters.
Subject: Re: weboob package
Date: Thu, 12 Jul 2018 16:24:28 +0200
From: Ansgar Burchardt <ansgar@debian.org>
To: debian-private@lists.debian.org
On Thu, 2018-07-12 at 14:48 +0100, Ian Jackson wrote:
> Colin Watson writes ("Re: weboob package"):
> > (I haven't decided what I think should be done about it; certainly
> > if I
> > were the maintainer I'd want to disassociate myself from it as
> > quickly
> > as possible ... but the quoted text is a terrible argument.)
>
> Quite.
>
> What on earth could one do as the maintainer of such a thing ? Write
> some kind of machinery (a git-filter-branch construction maybe) to
> automatically rename all this arseholery ?
Oh, come on. It's not like they liken setting up an interrupt handler
with rape like, for example, Xen does. I would certainly think less of
those who associate themselves with this kind of thing.
There is no incest sex involved either (unlike for example [1]). No
glorification of genocide, ethnical cleansings or such either (same
file as [1]). (Hmm, I wonder what happens when one submits a patch for
that...)
Sadly we are associated with it, by virtue of packaging it, and thus
promoting it. And I'm ashamed and embarrassed to be associated with
such hateful content.
> I also note that the upstream webpage lists the logos of a number of
> companies, which I hope have some kind of corporate
> not-looking-like-a-total-wazzock policy. I CBA to complain to them,
> but maybe someone would like to start a fire on Twitter.
Yes, please go and start a nice shitstorm. A great idea, brilliant.
Ansgar
[1] https://sources.debian.org/src/bible-kjv/4.30/bible.rawtext/#L495
Subject: Re: weboob package
Date: Fri, 13 Jul 2018 14:29:58 +0200
From: Axel Beckert <abe@debian.org> [ ETH Zurich ]
Organization: The Debian Project
To: debian-private@lists.debian.org
Hi,
Jonathan Dowland wrote:
> Yesterday I stumbled across the "weboob" package for the first time,
> which includes a slew of binaries with names similar to the following:
[...]
So what? I don't see any problem with that. (And I don't see why
there's a thread on debian-private about it.)
Regards, Axel
--
,''`. | Axel Beckert <abe@debian.org>, https://people.debian.org/~abe/
: :' : | Debian Develoober, ftp.ch.debian.org Admin
`. `' | 4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5
`- | 1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE
Jeremy Bicha himself weighed in on the discussion after
Ansgar brought up the incest:
Subject: Re: weboob package
Date: Thu, 12 Jul 2018 10:53:32 -0400
From: Jeremy Bicha <jbicha@debian.org>
To: ansgar@debian.org
CC: debian-private@lists.debian.org
On Thu, Jul 12, 2018 at 10:24 AM Ansgar Burchardt <ansgar@debian.org> wrote:
> There is no incest sex involved either (unlike for example [1]). No
> glorification of genocide, ethnical cleansings or such either (same
> file as [1]). (Hmm, I wonder what happens when one submits a patch for
> that...)
>
> Sadly we are associated with it, by virtue of packaging it, and thus
> promoting it. And I'm ashamed and embarrassed to be associated with
> such hateful content.
Please stop.
At a minimum, if you are serious about removing Bible texts from
Debian, please start a separate thread instead of derailing this
topic. But I think you may have trouble finding consensus for that
viewpoint and I expect it will stir up lots of conflict.
Thanks,
Jeremy Bicha
This is the reality of the so-called diversity in
Debianism: gay male employees in a range of companies and universities
discussing female anatomy with a
registered sex offender during their working hours.
In September 2018, I completely resigned from my role as Fellowship
representative to
the FSFE misfits. I discontinued all involvement with the group and
I encouraged other people to resign too. Therefore, as I resigned and
made the resignation public, there was no way I had any involvement in
the subsequent scandals with women hired in 2019. Those women were only
hired after I resigned. All the complaints made by women concern
psychological abuse from Matthias Kirschner.
In November 2018, the Wayback Machine captured a snapshot of the team in
Elio Qoshi's private company
Ura Design. We can see the underage girl, who may be 17 by this point
in the story, is now being paid to be a
system administrator. System administrators normally have access to all
the data in a company, including the emails of their own bosses and their
colleagues. In small IT companies like this the director normally keeps the
system administrator powers for himself. It is worth remembering the incident
from the team St Kilda in
Australian football. One of the players was dating the woman known as the
St Kilda schoolgirl,
Kimberley Ametoglou (Kim Duthie). Kim was not really from St Kilda,
she was from Frankston, like
Julian Assange. She expertly extracted all the nude photos of the players
from her boyfriend's computer and published them in what came to be known as
dikileaks. It seems highly unlikely
Elio Qoshi was giving his underage girlfriend access to all his files and
emails. In practice, this appears to be a case of privilege escalation.
The men would put the pictures of the young women on a web site like this
to help the women create an online profile. The women would apply to
bigger organisations for travel grants and speaking opportunities at
community conferences.
This is a photo from the
OSCAL conference in
Albania in 2016. There are so many more women than men in the photo.
What is the real reason more women than men were coming to the
OSCAL conferences? Young female students in
Albania earn approximately ten euros per day working in shops and
restaurants. Did somebody pay these girls to attend conferences and make
it look like a real community? One of the women was told that an
Outreachy internship would be too difficult for her but one of the men offered
to help her submit the application if she gave him half the salary.
Even after my lawyer warned him to terminate all attempts to communicate with
me and send someone else to pick up my work laptop, he came in person to my
house, and was very irritated that I was not alone.
What these incidents reveal is the oligarchs in these groups have come
to view the volunteers and the female subordinates as possessions. The
oligarchs feel they have some God-given authority to make decisions about
the lives of those around them.
In late 2018 or early 2019 one of the
Albanian female whistleblowers was given a job at the
GNOME Foundation.
Kristi Progri has been a member of the committee in the non-profit
Open Labs hackerspace in
Albania. She had been one of the organisers of the
OSCAL conferences. She seems to know the identity of every man
who visited
Albania for these conferences. She knows the age of every young
woman who participated in the conferences. Ever since she started
receiving a salary from
GNOME Foundation, there has been no more evidence about
Elio Qoshi and the underage relationships.
In 2019,
Google decided to reduce the salaries for
Google Summer of Code (GSoC) interns from $6,000 down to as little as
$3,000 based on each intern's country and
a formula for purchasing power parity. However, the parallel
Outreachy internships, which only pay money to single young women and
don't require the women to write any code, have continued increasing their
salaries a little bit almost every year. For example, a slim and attractive
single young woman in Russia, eastern Europe, India or Brazil is offered
$3,000 to participate in
Google Summer of Code but if the same woman wins an
Outreachy
In February 2019, journalist
Frederic Martel released his book
In the Closet of the Vatican. He alleges that eighty percent
of priests in the Vatican are homosexual. In some open source software groups,
including
Debianism, we seem to be looking at a prevalence of homosexuality that
is higher than what is normal for the community at large.
Most gay men are not paedophiles. It is wrong to suggest they would be.
Nonetheless, when a group presents itself as gay-friendly or when a group
provides an opportunity for gay men to gain more respect from society,
as is the case with both the
Catholic church and
Debianism, paedophiles appear to be attracted to the same group.
Therefore, we have to be even more vigilant.
In June 2019, the diversity crowd hijacked the Debian web site and
replaced the logo colours with the colours for Pride month. The majority
of developers did not consent to this:
To: debian-project@lists.debian.org
Subject: Debian supports pridemonth?
From: Gerardo Ballabio <gerardo.ballabio@gmail.com>
Date: Fri, 28 Jun 2019 11:48:18 +0200
Hello all,
I've just seen this on https://micronews.debian.org/ :
"In support of #pridemonth, Debian changes its website logo. The
Debian Project welcomes and encourages participation by everyone
https://www.debian.org/intro/diversity "
May I please ask who decided that and where was it discussed? (I can't
find anything about it at least on -project.)
I do not think that this is appropriate. Welcoming diversity is one
thing, supporting pridemonth is another thing. Pridemonth is a set of
events with a definite political connotation. I don't think that
Debian should take sides on any specific political issues (except of
course issues that have a relation to free software), especially if
that hasn't been discussed at large among project members and there
isn't a clear consensus.
Is it just me (and am I being blatantly wrong, if so please enlighten
me) or do others share my concern?
Thanks
Gerardo
(Not subscribed, please keep me Cc:d)
It feels creepy when these things happen. The people who do these
things don't care about consent. They feel that what is good for them
is good for everybody else too.
In the US Civil Rights movement, there were groups like the
Black Panthers who were very similar to the
Zizian diversity gang in open source software communities. These
people do as they please and they don't care about the law or the
impact on the lives of those they hurt.
Why did they want so many women from
Albania and
Kosovo to visit
DebConf two years in a row? Was it some kind of bribe or hush money
arrangement to prevent further discussion about the former Fedora Ambassador,
who had been photographed with
Chris Lamb in 2017?
In her talk, she displays a hand-drawn slide where we can see three
selfish people like herself pushing one of the developers. This is how
the selfish people get things without paying for them. They use gossip
and violence, just like the fight at
DebConf6.
Molly de Blanc: Well we can use our collective power to push others
On 10 August 2019,
Jeffrey Epstein committed suicide in his prison cell.
In August 2019, the
GNOME annual conference
GUADEC was organised in the city of Thessaloniki in the north of
Greece. It is very close to
Albania and women from the nearby Balkan countries were brought to the
conference on busses.
On 17 September 2019,
Dr Sally Muytjens
completed her PhD thesis on the topic
An exploration of the existence of clergy child sexual
abuse dark networks within the Victorian Catholic Church. It is extremely
relevant to the phenomena we see today in
Debianism. Various people have publicly praised a
registered sex offender and helped him recycle his reputation at
exactly the same time they are trashing the reputations of honest
developers. The blackmail tactics they use, the games they play with the
vocabulary of abuse and the way they operate in packs to reinforce
their worldview all resonate with the scandals the church has been working
so hard to move away from.
In the context of police corruption networks, this code of silence extended to
“prohibiting disclosing perjury or other misconduct by fellow officers, or even testifying
truthfully if the facts would implicate the conduct of a fellow officer” (Chin and Zhang
2008, 238). Merrington (2017, 61) found that police corruption networks exploit the
light network’s resources to facilitate DN operations. Research on a sports doping
network showed that protecting the network included inflicting harm through bribery,
bullying and threats and enforced a code of silence (USADA 2012 cited in Bell, Ten-Have and Lauchs 2016, 60). A code of silence or omerta was created by the Italian
mafia and is applied to mafia members and anyone who witnesses mafia criminal
activity to ensure silence regarding their illicit activities (UNODC 2008 cited in Bell,
Ten-Have and Lauchs 2016). Omerta extended to a refusal to give evidence to the
police (Fielding 2017, 17). Similar methods were utilised by clergy perpetrator
networks within the Victorian Catholic Church to maintain silence and, hence,
resilience of the network of clergy CSA.
The 80,000 messages on debian-private and similar archives in the
FSFE misfits,
GNOME and
Mozilla are analogous to the code of silence in other institutions.
In the
Albanian scandal, the unpaid female volunteers were asked to sign a
Non-Disclosure Agreement (NDA) even before they were abused. In other contexts,
such agreements only appear after the abuse and during negotiation of the
settlement.
In November 2019,
Anisa Kuci, the
Albanian woman who was seated closest to
Chris Lamb at the
DebConf19 conference dinner was awarded a $6,000
Outreachy internship. The woman had previously worked as a waitress and
had no software development experience.
Remember the teenage boys doing unpaid work to bootstrap
Debianism back in the 1990s.
Joel "Espy" Klecker,
Shaya Potter and
Chris Rutter. They did a huge amount of technical work,
they received no payments and some of them
died. When these women from eastern Europe arrived people started
popping champagne and opening the chequebook:
Matthew Garrett spread dozens of messages like this without any evidence:
Subject: Re: expulsions vs Reproducible Builds
Date: Tue, 1 Sep 2020 09:52:17 +0100
From: Matthew Garrett <mjg59@srcf.ucam.org>
Reply-To: discussion@lists.fsfellowship.eu
To: discussion@lists.fsfellowship.eu
On Tue, Sep 01, 2020 at 10:26:40AM +0200, Debian Community News Team wrote:
> a) The different approaches taken to complaints about Appelbaum and
> Lange, even though both complaints arrived at the same time.
One of these complaints involved multiple accusations of rape and sexual assault. The other involved an accusation of aggressive and disrespectful behaviour. Do you believe that these things are equivalent?
--
Matthew Garrett | mjg59@srcf.ucam.org
Subject: Re: expulsions vs Reproducible Builds
Date: Wed, 2 Sep 2020 00:40:21 +0100
From: Matthew Garrett <mjg59@srcf.ucam.org>
Reply-To: discussion@lists.fsfellowship.eu
To: discussion@lists.fsfellowship.eu
On Tue, Sep 01, 2020 at 05:59:46PM -0500, quiliro wrote:
> Matthew Garrett <mjg59@srcf.ucam.org> writes:
> > The Universal Declaration of Human Rights does not require that a
> > volunteer organisation grant membership to a rapist, even if said rapist
> > has not been found guilty in a court of law.
> Are you asserting that Jacob Appelbaum is guilty or are you talking about
> someone else? If you cannot prove something, it is a lie.
I am asserting that he's a rapist, an assertion that is backed up by an array of publicly available evidence.
--
Matthew Garrett | mjg59@srcf.ucam.org
These people think that by forming together like a pack of dogs
and repeating the same rumour over and over again they can trick
the whole world to believe it.
One of the reasons dishonest people like
Matthew Garrett make such outrageous lies is to cover up the fact the
"diversity" team was bringing real paedophiles into the world of
open source software. This is a classic trick that every junior
magician knows: make the audience look in some other direction while
you discreetly move around the evidence.
At some point in 2021,
Elio Qoshi joined
Canonical Ltd, the company making
Ubuntu, as an employee. It looks like he was employed there for a number
of years but eventually they removed him in about 2025. They didn't make any
comment about why he was terminated. It looks like it happened around the same
time they eventually cut ties with
Jeremy Bicha in 2025. Here is a screenshot
of his LinkedIn profile when he was in
Canonical Ltd:
Why are the companies supporting the
Albanians like this? Quite simply,
Elio Qoshi knows the identity of every male developer who visited
the conferences in
Albania. He knows who they spoke to. Most men who look for a wife in
these countries are looking for an adult. If one or two men were looking
for something less than legal then they may well have asked
Elio Qoshi, who had his own underage girlfriend, to help them find what
they wanted. He is one of the few people who would know who those men are
and what they did. The controlling corporations don't know what he knows and
they probably don't want to know either. But what they do know is that as
long as he is on somebody's payroll, the secrets will stay buried.
Shortly after that,
IBM Red Hat began a legal case to seize the domain name
WeMakeFedora.org. They used my blog
Google, FSFE & Child Labor as their evidence that I was publishing
"critical commentary". The legal panel ruled in my favor and moreover,
ruled that
IBM Red Hat was using the legal process to harass me.
See the legal documents here.
In hindsight,
now that everybody knows the truth about
Elio Qoshi and
Jeremy Bicha, people can see that I had good reason to publish the grave
concerns I have about the
FSFE misfits recruiting children to do unpaid work.
In January 2022,
Canonical, the company of
Mark Shuttleworth, decided to employ
Jeremy Bicha. It is not clear if he was previously being paid as a
subcontractor while in prison or on parole. It appears that the move to
permanent employment coincided with the end of his parole period in 2021.
Did the company know he was on parole while interacting with their
developers?
In February 2022, people noticed the speaker profile for
Elio Qoshi had been
removed from the web site of the
FOSDEM conference. No explanation was given. When
FOSDEM removed him, other volunteers were never officially warned about
the issues with underage girls and harassment.
On 14 June 2022,
Anisa Kuci, the waitress from
Albania who sat next to
Chris Lamb at the
DebConf19 conference dinner is given voting rights in the
GNOME Foundation. Many real developers do not have voting rights in
these associations and foundations. The oligarchs appear to be stacking
the associations with personal friends who will vote for the same oligarchs
to keep their positions on the board every year.
The woman eventually appears to become an employee of the association
as well. However, it is not clear if she was on the payroll at the
time the oligarchs made her
a voting member.
From 20 to 25 July 2022,
GNOME's annual conference
GUADEC is in
Mexico during the same week that
DebConf22 is in
Kosovo. The two women from
Albania could take the bus to
Kosovo for fifteen euros each but somebody buys them tickets for flights from
Albania to
Mexico. The money paid for these flights could have been used to buy bus
tickets for twenty more women from local universities in central American
countries close to
Mexico.
Jeremy is a member of the Debian GNOME and Canonical Desktop teams. He lives in Florida and this will be the first DebConf he has attended. [in the year after his probation finished]
Fact checking, over 20,000 women in
Kosovo reported being victims of rape as a war crime back in the late 1990s.
Many of the young women I met at events in
Kosovo appear to have been born at the time of the war.
Trevor Kitchen, a 41-year-old British citizen resident in Switzerland, was arrested by
police in Chiasso (canton of Ticino) on the morning of 25 December 1992 in connection
with offences of defamation and insults against private individuals. In a letter addressed to
the Head of the Federal Department of Justice and Police in Berne and to the Tribunal in
Bellinzona (Ticino) on 3 June 1993 he alleged that two police officers arrested him in a bar
in Chiasso and, after handcuffing him, accompanied him to their car in the street outside.
They then bent him over the car and hit him around the head approximately seven times
and carried out a body search during which his testicles were squeezed. He claimed he was then punched hard between the shoulder blades several times. He said he offered no
resistance during the arrest.
He was then taken to a police station in Chiasso where he was questioned in Italian (a
language he does not understand) and stated that during the questioning "The same
policeman that arrested me came into the office to shout at me and hit me once again
around the head. Another policeman forced me to remove all of my clothes. I was afraid
that they would use physical force again; they continued to shout at me. The one policeman
was pulling at my clothes and took my trouser belt off and removed my shoe laces. Now I
stood in the middle of an office completely naked (for 10 minutes) with the door wide open
and three policemen staring at me, one of the policemen put on a pair of rubber surgical
gloves and instructed me to crouch into a position so that he could insert his fingers into my
anus, I refused and they all became angry and started shouting and demonstrating to me the
position which they wanted me to take, laughing, all were laughing, these police were having a
good time. They pointed at my penis, making jokes, hurling abuse and insults at me, whilst I
stood completely still and naked. Finally, when they finished laughing, one of the
policemen threw my clothes onto the floor in front of me. I got dressed."
He was transferred to prison some hours later and in his letter claimed that during the
night he started to experience severe pains in his chest, back and arms. He asked a prison
guard if he could see a doctor but the request was refused and he claimed the guard kicked
him. He was released on 30 December 1993. Medical reports indicated that since his
release he had been experiencing recurrent pain in the area of his chest and right shoulder
and had been receiving physiotherapy for an injury to the upper thoracic spine and his right
shoulder girdle.
Volunteers discovered
over $120,000 was taken out of Debian bank accounts and used for legal fees
to try and have me molested or killed. Why did they spend so much money on this
vendetta? They are terrified about people who express concern about abuse. They
paid $120,000 in legal fees because they feel more comfortable with
Jeremy Bicha, the man who raped his little sisters, than with
the independent volunteer elected by the Fellowship in 2017.
Subject: Matthias Geiger: Advocate
Date: Thu, 10 Nov 2022 13:26:16 -0000
From: Jeremy Bicha (via nm.debian.org) <nm@debian.org>
Reply-To: debian-newmaint@lists.debian.org, Matthias Geiger
<matthias.geiger1024@tutanota.de>, archive-1128@nm.debian.org,
Jeremy Bicha <jbicha@debian.org>
To: debian-newmaint@lists.debian.org
CC: Matthias Geiger <matthias.geiger1024@tutanota.de>,
archive-1128@nm.debian.org, Jeremy Bicha <jbicha@debian.org>
For nm.debian.org, at 2022-11-10:
I support Matthias Geiger <matthias.geiger1024@tutanota.de>'s request to
become a Debian Maintainer.
I have sponsored numerous uploads for Matthias including 6 new source
packages. He has prepared many new packages with a particular focus on
GNOME apps and Rust libraries to build GNOME apps. Creating new packages
is one of the more complex packaging tasks for Debian. His work has been
consistently high quality. We have also worked together to improve the
initial packaging.
Beyond packaging skills, Matthias has been pleasant to communicate with.
I have personally worked with Matthias Geiger
<matthias.geiger1024@tutanota.de>
(key C2E1A6CBFDECE511A8A4176D18BD106B3B6C5475) for 7 months, and I know
Matthias Geiger
can be trusted to have upload rights for their own packages, right now.
Jeremy Bicha (via nm.debian.org)
In January 2023, the late
Cardinal George Pell, former treasurer of the
Vatican, appeared in news reports from Rome talking about the death of
Pope Benedict. The news reports prompted me to look at the unredacted
Case Study 35 about the Archdiocese of Melbourne. I was shocked to see
the similarities to the
Debianism culture and
social engineering attacks. I printed a lot of the evidence about
Enrico Zini blackmailing and defaming people over so many years. On
10 January 2023, I drove across the Great St Bernard Pass to Aosta in
Italy. I walked in to the Carabinieri station and explained the
similarities between the exploitation of victims in
Debianism and in the
Catholic abuse crisis. In the same hour that I was in the Carabinieri
station, as a witness to these crimes, unbeknownst to me,
Cardinal George Pell was having surgery in Rome. He died four or
five hours later.
Authorities in
Australia pretended the crisis died with
Cardinal George Pell. He had avoided certain questions and surely there
is nobody else left alive who knows the answers to those questions.
On 1 March 2023,
minutes of a
GNOME Foundation Executive Committee meeting capture the names of
Anisa Kuci and
Sonny Piers together for the first time. At this point, she is not on
the list of people receiving payments from
GNOME Foundation. There are serious ethical concerns when members of
the CoC-committee are physically intimate with the very people
they are making up rumours about. Likewise, there are serious ethical
concerns when staff members are able to intercept and suppress
CoC-committee complaints about their workmates and their own boss.
We already discussed the way these CoC schemes are similar to
the catch-and-kill strategy the National Enquirer used to
purchase and suppress stories about
Donald Trump.
These financial and sexual conflicts of interest are even more disturbing
when the conflicts of interest are totally hidden from the victims of
defamation created by these gangsters.
It appears there are now two women from
Albania who were being paid to work on the organisation of
GUADEC and assist other events like
DebConf. Up to this point, the organisations had always insisted
that if volunteers wanted an event they have to organise it themselves.
Nobody had any public discussion about changing the strategy and having
a mix of volunteers and paid event staff. It is vital to ask the question:
did the oligarchs create these jobs because the community chose to
change the strategy or did these jobs get created because somebody wanted
these two specific girls from
Albania to have jobs?
GNOME hired the first girl at the end of 2018. Some time later, the
other girl went to
Outreachy, then she went to
Wikimedia Italia, an organisation that relies on a lot of volunteers
who don't get paid. A list of her past relationships was circulated and
the people doing unpaid work became upset. Shortly after that, it looks like
GNOME took her on their payroll. The fact that
GNOME has ended up with two girls from the same
Albanian background adds weight to the argument that the jobs were created
for these specific girls rather than to fill some general need.
Remember, in 2018 and 2019, these are the same girls who asked the
Debianists to buy their travel tickets in advance while all the other
young interns had to buy tickets with their own money and wait for
reimbursement.
Why did
Kristi Progri get a big title, Director of Project Management but when
Anisa Kuci joined
GNOME they call her an Administrative Assistant? Both girls
grew up together in the same building. They both joined the
Open Labs group together. Either one job title is being overstated or
the other job title is understated. It looks like the job for the second girl
was only created as part of the catch-and-kill strategy to keep
women on side so they won't repeat the things they told me in 2017 and 2018
about the
Fedora Ambassador
Elio Qoshi.
On 10 May 2023,
Jeremy Bicha writes another advocacy for
Matthias Geiger to be promoted from Debian Maintainer to Debian Developer:
Subject: Matthias Geiger: Advocate
Date: Wed, 10 May 2023 15:06:23 -0000
From: Jeremy Bicha (via nm.debian.org) <nm@debian.org>
Reply-To: debian-newmaint@lists.debian.org,
Matthias Geiger <matthias.geiger1024@tutanota.de>,
archive-1181@nm.debian.org,
Jeremy Bicha <jbicha@debian.org>
To: debian-newmaint@lists.debian.org
CC: Matthias Geiger <matthias.geiger1024@tutanota.de>,
archive-1181@nm.debian.org,
Jeremy Bicha <jbicha@debian.org>
For nm.debian.org, at 2023-05-10:
I support Matthias Geiger <matthias.geiger1024@tutanota.de>'s request to
become a Debian Developer, uploading.
I have worked with Matthias Geiger on GNOME packages since March 2022.
Matthias has created new Debian packages
for several GNOME related apps and libraries and maintained them well
ever since.
Matthias has been very instrumental in doing the major prerequisite work
to get newer GNOME apps written in Rust
into Debian Trixie. This is very complicated but important work.
I have personally worked with Matthias Geiger
<matthias.geiger1024@tutanota.de>
(key C2E1A6CBFDECE511A8A4176D18BD106B3B6C5475) for 14 months, and I know
Matthias Geiger
can be trusted to be a full member of Debian, and have unsupervised,
unrestricted upload rights, right now.
Jeremy Bicha (via nm.debian.org)
Matthias Geiger is a very common name.
Jeremy Bicha has vouched for him but neither of them has told us if they
have any conflicts of interest, for example, if they both work for the same
employer,
Canonical Ltd or if they ever shared a prison cell together.
On 11 September 2023,
Jeremy Bicha writes an advocacy for
Amin Bandali. This time he reveals that they are both working at the same
company,
Canonical Ltd, the maker of
Ubuntu. Some people have serious ethical concerns about
Ubuntu developers and co-workers writing references for each other like
this because they are under pressure to serve the needs of their company
rather than being objective about Debian.
Subject: Amin Bandali: Advocate
Date: Mon, 11 Sep 2023 14:15:25 -0000
From: Jeremy Bicha (via nm.debian.org) <nm@debian.org>
Reply-To: debian-newmaint@lists.debian.org,
Amin Bandali <bandali@gnu.org>,
archive-1211@nm.debian.org,
Jeremy Bicha <jbicha@debian.org>
To: debian-newmaint@lists.debian.org
CC: Amin Bandali <bandali@gnu.org>,
archive-1211@nm.debian.org,
Jeremy Bicha <jbicha@debian.org>
For nm.debian.org, at 2023-09-11:
I support Amin Bandali <bandali@gnu.org>'s request to become a Debian
Developer, uploading.
I have personally worked with Amin Bandali <bandali@gnu.org>
(key BE6273738E616D6D1B3A08E8A21A020248816103) on the Debian GNOME team
since the end of 2022. He has packaged updates for a variety of GNOME
packages. Earlier this year, he officially joined the Debian GNOME team
and has been entrusted with DM upload rights to several packages. He has
used those upload rights well.
Amin Bandali also has interest and skill with troubleshooting build
issues on non-amd64 architectures which is why he is not just a DM, but
a "DM with guest account".
Amin Bandali is a coworker with me at Canonical since late 2022. His
primary job duties are not .deb packaging for Debian and he was already
maintaining packages in Debian before joining Canonical.
I firmly believe that the Debian Project will benefit from granting
Debian Developer, uploading status to Amin Bandali. I know Amin Bandali
can be trusted to be a full member of Debian, and have unsupervised,
unrestricted upload rights, right now.
Jeremy Bicha (via nm.debian.org)
Oddly enough, those messages were exchanged at the same time as
DebConf23 in
India. On 9 September 2023, I sent the coroner for Cambridgeshire a
written warning about the risk for health and safety in
Debianism, with a reference to the culture and the blackmail behaviour:
Subject: Re: Inquest Christopher Rutter - Information Request
Date: Sat, 9 Sep 2023 18:59:26 +0200
From: Daniel Pocock <daniel@pocock.pro>
To: Coroners <Coroners@cambridgeshire.gov.uk>
Hi [redacted],
I've updated the document with some extra email evidence and two more
deaths, both of those being under management from a doctoral candidate
at Cambridge.
Based on my own experience of both Debian culture, the Pell situation
and the evidence in these emails, I feel that there is an ongoing risk
to the health of people who engage with this culture.
Please kindly confirm if the coroner can escalate this to the relevant
people or whether you need somebody to present the document in person.
Regards,
Daniel
Abraham Raji died three days later. It is the first case of somebody dying at
DebConf. It was anticipated, therefore, it was avoidable.
During 2023, there was a high profile underage rape and incest prosecution in
South Australia. A bakery on the Eyre Peninsula had recruited
fifteen-year-old girls to do some baking, smile at the customers and help
the owner have more children. The man in charge and his wife were both
convicted. Three children were born in one seven month period. The baker's
father had shared one of the girls. There are thirteen children and they
need to make DNA tests to verify which man is responsible for each of them.
Newspapers described it as a
cult-like living arrangement but it is not uncommon for workers to live
with their boss when in a remote location like this. When you look at the
remoteness of the location and the nature of such jobs where the young girls
are living at their workplace, it has some similarity to the situation where
Jeremy Bicha and his little sisters were living a life that was isolated
from other children.
Also in May 2024, minutes of the
GNOME Foundation board have been redacted to hide discussions about
Sonny Piers and the "staffing", which really means the hush money being
paid to the
Albanian female whistleblowers.
Sonny Piers was secretly expelled at this point but it is redacted in
the minutes.
On 18 July 2024, immediately after they shut down the
Open Labs web site and discussion forum in
Albania, an anonymous account is created in the
GNOME Foundation forum on
Discourse. The account is used to post a hideous defamation about
Sonny Piers, who they had expelled with a secret trial in May. Dozens of
discussions and news reports appear about
Sonny Piers being banned from
GNOME. The girls are insisting that everybody should know they
decided to humiliate
Sonny but nobody is allowed to ask why the girls are obsessed
with humiliating him. Whenever messages like this appear, they always hint
at some sort of bad sexual etiquette. As we saw with every other case,
such as
Ted Walther in 2006 and
Dr Jacob Appelbaum in 2016, these rumours are not only false but
they have been deliberately fabricated by some chronically dishonest people
intent on harming male volunteers and our families.
The defamation message about
Sonny Piers explicitly mentions "Code of Conduct" but what they
really mean is "Code of Silence". They are doing all this to stop
Sonny Piers talking about payments to one of the
Albanian girls or something similar to that.
I am no longer a member of the board of directors of the GNOME Foundation since May 2024. The process and decision shocked me. I know people are looking for answers, but I want to protect people involved and the project/foundation. It was never an interpersonal conflict for me.
Remember,
Sonny Piers has been doing voluntary work for twenty years and he
contributed substantial intellectual property. The Albanian girls who
were secretly added to the
GNOME payroll only work when they receive money
and they only go to events when somebody, usually the male oligarchs,
buy the tickets for them.
The community had elected
Sonny Piers to the board. As a member of the board it is absolutely
certain he saw privileged information about the payments to
Albanian female whistleblowers. However, he may not have been told
the real reason for those payments. He may have asked questions about
why the same girls are selected for every diversity grant. All this
happened in
GNOME Foundation immediately after the controlling corporations
shut down the
Open Labs group in
Albania. Follow the money / girls.
The
GNOME Foundation hired two girls from
Albania. Now we see the policies of
Enver Hoxha and totalitarianism being reincarnated in a non-profit
voluntary organisation. History is repeating itself.
Jeremy Bicha had engaged in real abuse of his little sisters when they
were six and nine years old. As a voting member of the
GNOME Foundation and a member of the Release Team he has a higher
status than
Sonny Piers. Why can people go to the web site of the
Manatee County Court and read all the details about real abuse of the
little sisters but we are not allowed to know anything about the questions
Sonny Piers was asking at board meetings?
Here is an example of the things
Jeremy Bicha was convicted for:
Reading comments like that reminded me of the way misfits on
debian-private (leaked) discussed the words used by
the parents of
Frans Pop after he committed suicide:
Subject: Re: Death of Frans Pop
Date: Sat, 21 Aug 2010 13:39:21 +0100
From: Colin Watson <cjwatson@debian.org>
To: debian-private@lists.debian.org
On Sat, Aug 21, 2010 at 01:52:33PM +0200, Ludovic Brenta wrote:
> Steve McIntyre <steve@einval.com> writes:
> > "Yesterday morning our son Frans Pop has died. He took his own life,
> > in a well-considered, courageous, and considerate manner. During the
> > last years his main concern was his work for Debian. I would like to
> > ask you to inform those members of the Debian community who knew him
> > well."
>
> Does that imply he took his own life *because* of Debian, which was "his
> main concern"?
This is probably the wrong thread for linguistics, but that phrase would
normally just indicate that Debian was his main interest. In
http://oxforddictionaries.com/view/entry/m_en_gb0169810 under "noun",
this would be sense 2 rather than sense 1.
--
Colin Watson [cjwatson@debian.org]
What is so much more sensitive about the
Sonny Piers drama that
GNOME will not tell us? Did he do something that is even worse than
raping a little girl? Or did he stumble onto an inconvenient truth about
Albanian girls that must be hidden from the community at all costs?
My suspicion is that this is more than somebody's sex life at stake.
It is not unusual for people to hook up with their colleagues in student unions
and open source software conferences. Some of the women have told me they
were under pressure to lie. Paying women to create or repeat a lie,
knowing it is a lie, undermines trust in the whole organisation that
paid for those lies.
Software producers are particularly keen to maintain the trust of the
community. The moment people stop trusting the
GNOME developers everybody will abandon the project. How could we
trust these developers if they used the foundation's funds to make
payments to a woman who spread a lie or defamation?
After you pay a woman to lie, you can't sack that woman. You have to
keep her on the payroll until she's ready to have children and become
a stay-home mother.
I suspect that is why
Anisa Kuci was immediately given a job at
GNOME after the end of her relationship with
Wikimedia Italia. Somebody didn't want to see her join some random
employer where random developers will ask her to disclose details about
the conspiracies at
DebConf19.
It is important to reflect on these secrecy tactics. These tactics
create the type of environment where real abusers can thrive.
I've nominated Jeremy Bícha to GNOME Advisory Board. Jeremy has volunteered to represent Debian at GUADEC in Denver.
Sonny Piers, like other victims, was censored and humiliated indefinitely
while the
registered sex offender is put up on a pedestal to supposedly be the
representative of the rest of us. I certainly didn't consent to him speaking
for me.
Furthermore, how can a
Canonical Ltd employee be representing the interests of both
Debianism and
the
Ubuntu misfits at the GNOME Advisory Board? The conflict of interest
is enormous. It isn't possible for him to do both at the same time.
In March 2025, shortly before
DebConf25, we saw
Jeremy Bicha begin contributing to the
Debian-Edu project. That is the derivative of Debian created to
meet the needs of the education industry. Why does he have schools on his mind?
Jeremy Bicha's status as a
registered sex offender is intended to prevent him being employed
inside a school. By collaborating on
Debian-Edu, he gains credibility that allows him to interact with
schools as a volunteer. This looks like privilege escalation. He was
engaged in this while he was an employee of
Canonical Ltd and
Ubuntu.
At
DebConf25 in Brest,
France, the
GNOME
talk from
Jeremy Bicha was scheduled for 14 July, the French national holiday. In
France, the day normally starts with parades by the military and the
emergency services, including the police. Therefore, people were asked to
choose between applauding the
police as they marched through Brest or watching a
registered sex offender giving a talk in the university campus.
Putting this type of diversity on display at a prominent event feels like
the thin end of the wedge. Brest is a city known for its strong naval history.
Jeremy Bicha had been discharged from the US Navy after they found out.
Like the rogue
Russian spy-ships who periodically sail the English channel,
Debianists have decided to test the waters of diversity by putting this
man on display. They wanted to see how the public reacts. They want us to
know this is the new normal. The victims were only six and nine years old.
On the scale of sexual offences, these were some of the worst. By
putting this out in the open, they make it easier to bring in offenders
who have less serious crimes.
Back in the 1970s, people like this tried to create organizations
like the
Paedophile Information Exchange (PIE) where their cause was published
in broad daylight. Within a few years these organisations had been
outlawed. The lesson they have learnt from those prosecutions is the
need to affiliate themselves with more general causes like diversity
and then expand the definition of diversity to include, by stealth, all
kinds of people who are irreconcilably incompatible with the rest of us.
We already looked at the prosecution of
Matthias Kirschner for the
psychological abuse of
Galia Mancheva. Sooner or later another oligarch will face one of these
prosecutions. If it is somebody the cabal wants to protect, they can remind
us how
Jeremy Bicha came to
DebConf25 and it didn't kill anybody. They will remind us the diversity
statement says anybody is welcome as long as you display total
submission to their
CoC.
This time, instead of using an anonymous account,
Robert McQueen has written the post under his own name. He tells us the
punishment has been reduced:
The Board is providing this information to clarify the decisions made in this case, and to eliminate any uncertainty within the GNOME community about the matter.
In fact, the very long post does not include any example of the questions
Sonny Piers asked about the
Albanian women. Therefore, we all remain totally in the dark.
the Board also voted that Sonny will not be eligible for appointment in any position of authority within the Foundation, or to act as an agent on behalf of the organization, or to have paid work with the GNOME Foundation. This means that he will be unable to be a committee member, director, officer, staff member or contractor, or officially represent the GNOME Foundation to other entities. The Board resolution put these restrictions in place on an indefinite basis.
Turn that statement on its head: why does
Robert McQueen feel more comfortable with the Ubuntu man who
popped the cherry of a six year old than he does with an
independent developer who the community voted onto the board?
On 4 April 2026,
Oscar Langley asked about it in the election discussion for the next leader
of
Debianism. None of the candidates would reply to questions about child
safety.
Subject: DebConf25 decisions affecting Child Safety and talk scheduling
Date: Sat, 4 Apr 2026 11:01:37 +0000
From: Oscar Langley <oscar.langley@hotmail.com>
To: debian-vote@lists.debian.org <debian-vote@lists.debian.org>
I understand this topic may be somewhat tangential to the election mailing list, but I reviewed the list of voters in this year's DPL election and discovered that Jeremy Bicha is a Debian developer who cast a ballot: https://vote.debian.org/~secretary/leader2026/voters.txt
If you search up his name on Google, the very first result is his profile on Florida's Sexual Offender and Predator System, as he molested multiple preteen girls throughout the 1990's and confessed to all this in court.
https://offender.fdle.state.fl.us/offender/sops/flyer.jsf?personId=85068
https://wng.org/articles/the-high-cost-of-negligence-1617309216
Being a child molester is most likely a violation of the Debian Code of Conduct, and if it is not, it is reprehensible enough to call into question his continued status as a member of the project.
Additionally, there are two more important questions about Bicha's relationship with the Debian Project that have yet to be answered. Bicha was due to speak at DebConf25 last year, an event that children were permitted to attend. The livestream also experienced technical issues when his talk was about to start, leaving it unclear whether he actually spoke.
The two questions are:
1. What factors led to the decision to allow children in the presence of Bicha?
2. Was Bicha's talk canceled, or did it indeed take place but was simply never streamed?
And a third question is begged:
3. Why hasn't the Debian Project cut ties with Bicha?
but one person made a reply praising the extreme definition of diversity:
Subject: Wasn't sure where to send but thank you...
Date: Wed, 8 Apr 2026 12:08:58 -0400
From: Star Light Catcher <catcherstarlight@gmail.com>
To: debian-project@lists.debian.org
I would just like to say, I would sometimes browse the reddits for Linux and in the general Linux reddit I saw someone saying the project was "in trouble" and worried I went to the Debian reddit to look into it... And what I'm very sad to say I found was people being very cruel and closed minded about the fact that the project seems to be valuing inclusion and bringing in new voices and talents to the FOSS community and the Debian project... So, I no longer really read reddit for Linux news but I very much wanted to say how much I've adored using Debian these past 8 months since switching to Linux. It's been rock solid, my best experience on Linux ever (and despite only switching 8 months ago I had tried Linux many times since 2010! Tons of different distros!) Debian has been genuinely an oasis from so much of what is wrong about modern tech, all while being built on what is obviously such a solid foundation I can't see myself switching back to Distros which genuinely often seemed to nuke themselves with little cause from me, and I've done plenty of things to ride my installs of Debian hard and it's never faltered at all.
And about the people behind the Debian project... In a time of increasing authoritarianism and such a huge increase to push minorities even further to the fringes... Debian embracing diversity during all of this... It warms this trans woman's heart who has felt such a sense of dread at the way the world is going. So thank y'all genuinely. Linux users are known to distrohop but... I can't imagine ever needing anything but the Universal Operating System ever again 🫂 and what brings me such joy is that it feels that it's not just universal, as in, for all devices, but universal, as in /for everyone/. 💜
Thank you for all you do, I plan to up my donation when I can,
Star Elizabeth Wilkerson 🦄
Ben Carroll is the Deputy Premier and Education Minister for the
State of Victoria. On Mother's Day in 2024, he posted a picture
of himself with his local priest, who I'll simply refer to as Father X:
In 1994, the Archdiocese of Melbourne had to exfiltrate another priest,
Fr Barry Robinson, from
Boston. Father X was tasked with the mission. In particular, the scope of
his mission was far bigger than the exfiltration. Father X was also asked to
look at the crisis in
Boston and report back to his superiors in
Australia. This was eight years before the Spotlight news
reports raised public awareness of the scandal. The priest who gives
communion to
Victoria's Education minister had himself learnt about the extent of
the global crisis and expressed concern about warehousing paedophiles:
After returning from
Boston,
Fr Barry Robinson had lived in the same house as Father X while
the US authorities continued their investigation.
Fr Barry Robinson had admitted abuse but they decided not to
prosecute him at all. The church decided to ignore his admission and
put him back into practice:
In 2024, another lawsuit cast attention on
the use of scholarships for the two children of a victim. People gain
status in society through attending these elite high schools. There is a risk
that this perpetuates the culture of silence. It is analogous to the
manner in which some open source software organisations are giving people
internships, big titles and speaking opportunities so they will stay
silent about abuse in
Albania
Here is the redacted deed that mentions scholarships:
In February 2025, The Monthly published and then almost immediately
took down an article by
Louise Milligan titled The True Legacy of the Rapist George Pell.
The late Cardinal Pell had been successful in his appeal and the conviction
had been overturned by the High Court. Therefore, calling him a rapist is
a very strong defamation. Nonetheless, copies of the article are easily found
online.
The Debian Diversity statement tells us the definition of diversity
is very large. Much like the National Council of Civil Liberties in
the 1970s, the Diversity Statement says anyone is welcome
(up to the day when you ask an ethical question). At
DebConf25, they demonstrated the definition of anyone includes
registered sex offenders. He is not the only one and he won't be
the last one.
Smoke testing – You want to know if your system commands actually work, not just when you run them the way the docs say, but when users (or their scripts) feed them garbage.
AI is excellent at generating potential edge cases, and tracking systems are already all too eager to collect new tickets. I’m being careful not to dump every AI finding into Bugzilla; I don’t want to clutter the backlog and waste developer time on theoretical bugs. Or should I?
Plus, segfaults don’t lie – either the system crashed or it didn’t, and those are the issues that actually deserve the ticket.
Throwing Random Arguments at System Binaries Until They Crash
Script to do the work:
A pretty straightforward bash script, vibing with AI-generated chaos.
Grab all binaries from /usr/bin and /usr/sbin
Parse --help for flags (--whatever, -x, you know the drill)
Pick random combos of those flags (1-4 per run)
Feed them garbage: broken JSON/XML, binary junk, path traversal attempts, format strings, absurdly long lines
Only logs actual crashes – SIGSEGV, SIGABRT, SIGILL, SIGBUS. Exit code 1 from bad args gets ignored.
Core logic looks like this:
# Extract flags from --help
flags=$(timeout 3s "$bin" --help 2>&1 |
    grep -aoE -e '--[a-zA-Z0-9_-]+' -e '-[a-zA-Z]' |
    grep -avE 'help|version|usage')
# Pick random flags (1-4 of them)
chosen=$(echo "$flags" | shuf -n $((1 + RANDOM % 4)))
# Add a random test file (the list of fuzz files is abbreviated here)
fuzz_file="$WORKSPACE/$(shuf -n 1 -e bad.json random.bin longline.txt)"
# Run it; $chosen stays unquoted on purpose so each flag becomes its own argument
timeout 5s "$bin" $chosen "$fuzz_file"
Script skips the obvious no go zones – package managers, rm, network tools, editors. I’m glad to see the script finish with the machine still answering.
Look, these are edge cases. Nobody’s actually running edgepaint --wtf malformed.json in prod. But segfaults are segfaults – the binary should bail with “invalid option” or “bad input”, not dump core.
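The "only log actual crashes" rule from the list above, as an added example that is not the script from the post. It relies on the shell convention that a process killed by signal N is reported as exit status 128+N and on GNU timeout returning 124 when the limit is hit; the function names classify_status, triage and log_if_crash are hypothetical.

```shell
#!/bin/sh
# Added example: decide whether one fuzz run deserves a log entry.

# classify_status CODE
#   124                              -> "timeout"    (timeout hit its limit)
#   128+N, N = SEGV, ABRT, ILL, BUS  -> "crash:NAME"
#   anything else                    -> "ignore"     (exit 1 from bad args, SIGTERM, ...)
classify_status() {
    code=$1
    if [ "$code" -eq 124 ]; then
        echo "timeout"
        return 0
    fi
    if [ "$code" -gt 128 ]; then
        # kill -l N prints this platform's name for signal N, so SIGBUS is
        # matched by name instead of a hard-coded, architecture-specific number.
        name=$(kill -l "$((code - 128))" 2>/dev/null) || name=""
        name=${name#SIG}
        case "$name" in
            SEGV|ABRT|ILL|BUS)
                echo "crash:$name"
                return 0
                ;;
        esac
    fi
    echo "ignore"
}

# triage LIMIT CMD [ARGS...]: run one command under timeout, print the verdict.
triage() {
    limit=$1
    shift
    status=0
    # "|| status=$?" keeps a failing command from aborting a caller using set -e.
    timeout "$limit" "$@" >/dev/null 2>&1 </dev/null || status=$?
    classify_status "$status"
}

# log_if_crash LOGFILE CMD [ARGS...]: append a reproducer line only for crashes.
log_if_crash() {
    logfile=$1
    shift
    verdict=$(triage 5s "$@")
    case "$verdict" in
        crash:*) printf '%s\t%s\n' "$verdict" "$*" >> "$logfile" ;;
    esac
    echo "$verdict"
}
```

Timeouts are reported separately from crashes so that a hang can be reviewed by hand without ending up in the crash log.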
Now What?
So I’ve got a pile of crashes. Some in critical components. All reproducible.
File bugs for all of them? That’s a lot of BZ tickets for “yes hm this crashes if you feed it random garbage with weird flags”. Developers have better things to do.
Ignore them? They’re real bugs. And some of these are in grub2 and perl – not exactly throwaway packages.
Some time ago I used a feature in KDE called “Run a command” when an event triggered. It triggered for me when a calendar event fired and used Piper TTS to read the event to me out loud. A small popup and a pling don’t work for me.
I tried to get the feature back into KDE, but since the merge request isn’t going anywhere and people don’t give details how to implement it correctly I wrote Sigrun now. It is named after a Norse Valkyrie and is short for Signal Run.
It is a systemd service running as a user and listening on DBus signals. Once it finds a configured one, it runs its command. The desktop doesn’t matter.
Here is the rule that reads my calendar reminders aloud via kde-tts.py:
What appears to be an attempt to assassinate the US President
Donald Trump has dominated the news today. There are numerous people on
social control media suggesting the suspect,
Cole Thomas Allen, may be gay or transgender, like the
Zizian problems. Some people make comments
about a handwritten note left for his transgender partner.
In fact, these comments appear to be identical to the description of
Tyler Robinson, the man who assassinated
Charlie Kirk. They are not necessarily fake news. We simply don't have
enough information to say if the rumours are fake or if they are true.
496.
The plaintiff and other victims feel great apprehension, based on what happened to Dr
Appelbaum's home, based on the drawings of civil disorder, based on the way the Zizian group
behaved, that if these vigilante tendencies are not constrained then they will again manifest
themselves in physical acts of vandalism or violence.
While working on the new git signing feature for
tumpa-cli I noticed that some of
the commits can not be verified. For a moment I freaked out and then thought it
must be a problem in my code. But, I could not dig enough. Opus 4.7 helped me
to find the exact commit in git's history and a reproducer. I reported the issue to the
maintainers
and they are working on a fix.
\xc2\xa7 aka § was the cause for me.
| git version | msg.txt body | sign stdin (tee'd) | stored commit body | verify |
|---|---|---|---|---|
| git 2.43 (host) | ... 20 a7 0a | ... 20 c2 a7 0a | ... 20 c2 a7 0a | OK |
| git 2.53 (CI, docker) | ... 20 a7 0a | ... 20 a7 0a | ... 20 c2 a7 0a | BAD |
git 2.43 transcoded the message to UTF-8 BEFORE calling the signer;
signer and storage saw the same bytes (c2 a7). git 2.53 hands the
signer the RAW bytes (a7) and transcodes only on the way to the
commit object (c2 a7). The invariant "bytes fed to gpg.program at
sign time equal the bytes a verifier sees when it reads the commit
back" is broken.
git config i18n.commitEncoding iso-8859-1 is supposed to be the configuration
if we have non UTF-8 characters. But, I never knew about this configuration
before I found the bug.
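The broken invariant, modelled as an added example that is not code from git or tumpa-cli. A SHA-256 digest stands in for the signature produced by gpg.program, the message bytes are constructed to match the a7 / c2 a7 bytes in the table, and all function names are hypothetical.

```shell
#!/bin/sh
# Added example: the bytes handed to the signer must equal the bytes a
# verifier later reads from the commit object.

# Constructed sample body: "fix " + 0xa7 (ISO-8859-1 section sign) + LF.
raw_msg() { printf 'fix \247\n'; }

# The transcoding step applied before the body is stored in the commit object.
to_utf8() { iconv -f ISO-8859-1 -t UTF-8; }

# Hex dump of stdin on one line, e.g. "66 69 78 20 a7 0a".
hex() { od -An -tx1 | tr -s ' \n' ' ' | sed 's/^ //; s/ $//'; }

# Stand-in for gpg.program: the "signature" is the SHA-256 of stdin.
sign() { sha256sum | cut -d' ' -f1; }

# verify SIG: read the stored body on stdin and compare against SIG.
verify() {
    if [ "$(sign)" = "$1" ]; then echo "OK"; else echo "BAD"; fi
}

# sign_and_verify ORDER
#   transcode-first: signer sees c2 a7 (the git 2.43 row of the table)
#   sign-first:      signer sees a7    (the git 2.53 row of the table)
sign_and_verify() {
    case "$1" in
        transcode-first) sig=$(raw_msg | to_utf8 | sign) ;;
        sign-first)      sig=$(raw_msg | sign) ;;
        *) echo "usage: sign_and_verify transcode-first|sign-first" >&2
           return 2 ;;
    esac
    # In both orders the stored commit body holds the UTF-8 bytes.
    raw_msg | to_utf8 | verify "$sig"
}
```

Calling sign_and_verify with each order reproduces the OK and BAD verdicts of the table's last column.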
I want to thank my friends in Anthropic for letting me use the tools and
technology to keep building.
The Linux operating system represents one of the most significant technological achievements in modern computing. From powering enterprise-grade servers to running embedded systems and smartphones, Linux has become a cornerstone of digital infrastructure. Unlike proprietary operating systems, Linux is open-source, meaning its source code is freely available, modifiable, and distributable. This openness has fostered a global ecosystem of developers, organizations, and communities contributing to its rapid evolution.
Originally created in 1991 by Linus Torvalds, Linux was inspired by UNIX, a multi-user, multitasking operating system developed in the 1970s at AT&T Bell Labs. Today, Linux is not just an operating system but a family of systems—commonly referred to as distributions—that serve a wide variety of computing needs.
Linus Torvalds | Linux was inspired by UNIX
Historical Background
UNIX Foundations
To understand Linux, one must first examine UNIX. UNIX introduced key principles such as modular design, multi-user capabilities, and multitasking, which influenced nearly all modern operating systems. These principles include:
Separation of concerns
Use of simple tools that perform specific tasks
File-based abstraction of system resources
Linux adopted these design philosophies while remaining independent in implementation.
Birth of Linux
Linus Torvalds developed the Linux kernel as a personal project while studying at the University of Helsinki. Initially intended as a free alternative to MINIX, Linux quickly attracted contributions from developers worldwide.
The GNU Project, which had already developed essential tools like compilers and shells, complemented the Linux kernel. Together, they formed what is commonly referred to as a GNU/Linux system.
Growth and Adoption
Over time, Linux evolved from a hobbyist system into a dominant force in computing:
Late 1990s: Adoption in server environments
Early 2000s: Enterprise support (e.g., Red Hat, SUSE)
2010s onward: Dominance in cloud computing, mobile (Android), and DevOps
Today, Linux powers the majority of web servers, supercomputers, and cloud infrastructures.
Linux | A Terminal session
What is Linux?
Linux is often described as a Unix-like operating system, but technically it refers to the kernel, the core component responsible for managing hardware resources and enabling communication between software and hardware.
A complete Linux operating system includes:
The Linux kernel
System libraries
Shell interfaces
Utilities and applications
These components together form a fully functional computing environment.
Architecture of Linux
Linux follows a layered architecture that separates concerns and ensures modularity. The primary components include:
Kernel
The kernel is the heart of the system. Its responsibilities include:
Process management
Memory management
Device drivers
File system management
It ensures that multiple applications can run concurrently without interfering with each other.
Linux uses a monolithic kernel architecture, meaning that most services run in kernel space, offering high performance but requiring careful design to maintain stability.
Linux | Architecture of Linux
System Libraries
System libraries provide an interface between applications and the kernel. They simplify development by offering reusable functions for common operations.
For example:
File I/O operations
Memory allocation
Process control
These libraries abstract low-level kernel interactions.
Shell
The shell is the command-line interface (CLI) that allows users to interact with the system. It interprets commands and executes them through the kernel.
Each distribution is tailored to specific use cases, such as servers, desktops, or embedded systems.
Key Features of Linux
Open Source
Linux is distributed under open-source licenses, allowing users to:
Modify source code
Redistribute software
Customize systems
This fosters innovation and collaboration.
Multiuser and Multitasking
Linux supports multiple users simultaneously and can run multiple processes concurrently, ensuring efficient resource utilization.
Security
Linux is known for its strong security model:
User permission systems
File access controls
SELinux and AppArmor frameworks
These features make Linux ideal for servers and enterprise environments.
Stability and Performance
Linux systems are highly stable and can run for long periods without rebooting. This makes them suitable for mission-critical applications.
Portability
Linux runs on a wide range of hardware architectures, including:
x86
ARM
RISC-V
Linux File System
Linux uses a hierarchical file system structure rooted at /.
Directory Structure
Key directories include:
/home – user files
/etc – configuration files
/bin – essential binaries
/var – variable data (logs, caches)
File Permissions
Each file has permissions for:
Owner
Group
Others
Permissions include read (r), write (w), and execute (x).
Linux Commands and CLI
The command-line interface is a defining feature of Linux.
Common Commands
ls – list files
cd – change directory
pwd – print working directory
cp, mv, rm – file operations
Advanced Tools
grep – text search
awk, sed – text processing
top – process monitoring
Mastering these commands enables efficient system management.
Package Management
Linux distributions use package managers to install and manage software.
Examples
APT (Debian-based systems)
DNF (Fedora-based systems)
Pacman (Arch Linux)
Zypper (openSUSE)
Advantages
Dependency resolution
Easy updates
Secure repositories
Applications of Linux
Linux is used across diverse domains:
Servers and Cloud Computing
Linux powers most web servers and cloud platforms due to its stability and security.
Software Development
Developers prefer Linux for:
Native support for programming languages
Powerful command-line tools
Integration with DevOps pipelines
Cybersecurity
Distributions like Kali Linux are widely used for penetration testing and digital forensics.
Embedded Systems and IoT
Linux runs on routers, smart devices, and industrial systems due to its lightweight nature.
Supercomputers
Most of the world’s supercomputers run Linux because of its scalability and performance.
Advantages and Disadvantages
Advantages
Free and open-source
High security
Customizable
Strong community support
Disadvantages
Steep learning curve for beginners
Limited support for some proprietary software
Hardware compatibility issues (rare but possible)
Linux vs Other Operating Systems
Linux vs Windows
| Feature | Linux | Windows |
|---|---|---|
| Cost | Free | Paid |
| Customization | High | Limited |
| Security | Strong | Moderate |
| Ease of Use | Moderate | High |
Linux vs macOS
macOS is Unix-based (BSD) but proprietary, while Linux is open-source and more customizable.
Linux in Modern Computing
Linux plays a central role in:
Cloud computing (AWS, Azure, Google Cloud)
Containerization (Docker, Kubernetes)
Artificial Intelligence and machine learning
Edge computing
Its flexibility makes it indispensable in modern IT infrastructures.
Future of Linux
The future of Linux is promising, driven by:
Growth in cloud computing
Expansion of IoT devices
Increased demand for open-source solutions
Emerging trends include:
Integration with AI systems
Enhanced security frameworks
Improved user-friendly distributions
Conclusion
Linux is more than just an operating system—it is a paradigm of open collaboration and technological innovation. Its modular architecture, flexibility, and robustness make it suitable for virtually every computing environment, from embedded devices to supercomputers.
As technology continues to evolve, Linux remains at the forefront, powering critical systems and enabling innovation across industries. For computer scientists, developers, and IT professionals, understanding Linux is not just beneficial—it is essential.
If you work with patches and git am, then you’re probably used to seeing patches fail to apply. For example:
$ git am CVE-2025-14512.patch
Applying: gfileattribute: Fix integer overflow calculating escaping for byte strings
error: patch failed: gio/gfileattribute.c:166
error: gio/gfileattribute.c: patch does not apply
Patch failed at 0001 gfileattribute: Fix integer overflow calculating escaping for byte strings
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config set advice.mergeConflict false"
This is sad and frustrating because the entire patch has failed, and now you have to apply the entire thing manually. That is no good.
Here is the solution, which I wish I had learned long ago:
$ git config --global am.threeWay true
This enables three-way merge conflict resolution, same as if you were using git cherry-pick or git merge. For example:
$ git am CVE-2025-14512.patch
Applying: gfileattribute: Fix integer overflow calculating escaping for byte strings
Using index info to reconstruct a base tree...
M gio/gfileattribute.c
Falling back to patching base and 3-way merge...
Auto-merging gio/gfileattribute.c
CONFLICT (content): Merge conflict in gio/gfileattribute.c
error: Failed to merge in the changes.
Patch failed at 0001 gfileattribute: Fix integer overflow calculating escaping for byte strings
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config set advice.mergeConflict false"
Now you have merge conflicts, which you can handle as usual. This seems like a better default for pretty much everybody, so if you use git am, you should probably enable it.
I’ve no doubt that many readers will have known about this already, but it’s new to me, and it makes me happy, so I wanted to share. You’re welcome, Internet!
Motivation: dealing with multiple Toolbox containers
Lately, I've been getting annoyed by my current Bash prompt offering me a poor
UX when dealing with multiple Toolbox containers.
The prompt lacked crucial information: which of the running containers does a
given shell belong to?
I did a quick search to see if there's an easy fix I'm missing out but it turned
out there is a long-standing desire to improve Toolbox's UX in this respect and
multiple approaches have been discussed/tried. Here are some relevant tickets:
Discovering the old and new version of Bash Color Prompt
After looking around on how to update my Bash prompt to become
"container name"-aware, I came across Fedora's shell-color-prompt package
which was conveniently just a dnf install bash-color-prompt away (strangely,
the source package is named shell-color-prompt while the binary package is
named bash-color-prompt, see also RHBZ #2291024).
My attempts at configuring the Bash prompt to be "container name"-aware with the
help of shell-color-prompt didn't look very promising.
I had a little epiphany when discovering that shell-color-prompt's maintainer,
Jens Petersen, recently wrote a replacement for it: namely Bash Color Prompt
(bcp). Jens describes it as having a cleaner declarative approach for creating
one's custom Bash prompt.
It worked and its declarative approach at creating a custom Bash prompt was
really easy to follow and tailor to my needs.
Currently, until the new version of Bash Color Prompt (bcp) is packaged in
Fedora (and other distributions), a simple way to install it is to just grab the
bash-color-prompt.sh file directly from its GitHub repository and put it
somewhere in your home directory.
Afterwards, just source and configure it in your .bashrc file. Here is how
I've done it:
# Use the new Bash Color Prompt (bcp) by Jens Petersen (Red Hat) to handle PS1.
# NOTE: Temporarily, I've just copied the script from:
# https://github.com/juhp/bash-color-prompt/blob/main/bash-color-prompt.sh
if [ -f "$HOME/bash-color-prompt.sh" ]; then
    source "$HOME/bash-color-prompt.sh"
fi

# Configure bcp.
bcp_layout() {
    local exit_code=$1

    # hexagon
    bcp_container

    # opening [
    bcp_append "["

    # user@host or user@container(host)
    local user_color="green"
    if [[ $EUID -eq 0 ]]; then user_color="red"; fi
    local machine="\h"
    if [ -f /run/.containerenv ]; then
        # Read the container name from the name="..." line of /run/.containerenv.
        local container_name
        container_name=$(grep -oP '(?<=name=")[^"]+' /run/.containerenv)
        machine="$container_name(\h)"
    fi
    bcp_append "\u@$machine " "$user_color;bold"
    bcp_title "\u@$machine:\w"

    # directory
    bcp_append "\w" "blue"

    # git status
    bcp_git_branch " " "magenta" "yellow"

    # status indicator
    if [[ $exit_code -ne 0 ]]; then
        bcp_append " ✘$exit_code" "red;bold"
    fi

    # actual prompt char
    bcp_append "]\$ " "default"
}

# Initialize bcp.
bcp_init
This is a report created by CLE Team, which is a team containing community members working in various Fedora groups for example Infrastructure, Release Engineering, Quality etc. This team is also moving forward some initiatives inside Fedora project.
Week: 20 – 24 April 2026
Fedora Infrastructure
This team is taking care of day to day business regarding Fedora Infrastructure. It’s responsible for services running in Fedora infrastructure. Ticket tracker
[Badges/Outreachy] refactor: Extract duplicated search dropdowns and error handling into reusable components [Suggested]
[Badges/Outreachy] Refactor: Replace hardcoded email domain with config variable [Approved][Resolved]
[Badges/Outreachy] cleanup: remove dead template infrastructure from app.py [Suggested]
[Badges/Outreachy] fix: add missing session.commit() in opt_out [Approved]
[Badges/Outreachy] Add get_persons_by_nickname with pagination to TahrirDatabase [Rejected]
This team is taking care of day to day business regarding CentOS Infrastructure and CentOS Stream Infrastructure. It’s responsible for services running in CentOS Infrastructure and CentOS Stream. CentOS ticket tracker CentOS Stream ticket tracker
This team is taking care of day to day business regarding Fedora releases. It’s responsible for releases, retirement process of packages and package builds. Ticket tracker
Fedora 44 Final release preparation
RISC-V
This is the summary of the work done regarding the RISC-V architecture in Fedora.
F44 rebuild: we’re halfway through; getting through about 300 builds/day. (NB: This is still pretty decent, given the reduced builders we have. Fedora also has a non-trivial number of ‘noarch’ packages; they can get imported into RISC-V Koji without a rebuild.)
Tried out an upcoming server hardware called SpacemiT K3. I got 24h remote access (with some limitations). Uploaded some basic data. Ran an initial benchmark of building ‘binutils’:
K3 is ~6.5x faster at compiling ‘binutils’ compared to our current build horse P550. (NB: this is not a 100% apples-to-apples comparison, as P550 is on Fedora, while the K3 is on some FrankenLinux, so the default compiler flags from the host differ.)
Started a thread with a few folks on a backup plan to improve reliability of builder hardware. Roughly: until server-grade hardware is widely accessible, see if we can get a few of the current “workhorse” (SiFive P550), and make them available somewhere so that they can be easily hooked to RISC-V Koji.
Conferences: RISC-V EU Summit schedule preparation is done.
QE
This team is taking care of quality of Fedora. Maintaining CI, organizing test days and keeping an eye on overall quality of Fedora releases.
Rmdepcheck (replacement for rpmdeplint repoclosure) improvements: swapped out the core implementation from XML parsing to clever dnf commands to make it simpler, more robust, faster, and work properly on EPEL packages/updates
Forgejo
This team is working on introduction of https://forge.fedoraproject.org to Fedora and migration of repositories from pagure.io.
[Forgejo] Participated in the Fedora Forge Sprint Planning meeting call
[Forgejo] Strategized the collaboration on the private issues feature inclusion
Release Candidate versions are available in the testing repository for Fedora and Enterprise Linux (RHEL / CentOS / Alma / Rocky and other clones) to allow more people to test them. They are available as Software Collections, for parallel installation, the perfect solution for such tests, and as base packages.
RPMs of PHP version 8.5.6RC1 are available
as base packages in the remi-modular-test for Fedora 42-44 and Enterprise Linux ≥ 8
as SCL in remi-test repository
RPMs of PHP version 8.4.21RC1 are available
as base packages in the remi-modular-test for Fedora 42-44 and Enterprise Linux ≥ 8
as SCL in remi-test repository
ℹ️ The packages are available for x86_64 and aarch64.
ℹ️ PHP version 8.3 is now in security mode only, so no more RC will be released.
I usually don’t want all of the files in the Linux kernel for my ctags. Sometimes I want a very small subset: a set of C files and the included header files.
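#!/bin/sh
# Print each listed source file, followed by the <...> headers it includes
# as paths under include/.
for CFILE in drivers/net/mctp/mctp-pcc.c drivers/mailbox/mailbox.c drivers/mailbox/pcc.c drivers/mailbox/mailbox.h
do
    echo "$CFILE"
    # Keep the text after '<' and drop the trailing '>'.
    for HFILE in $(grep "#include <" "$CFILE" | cut -f2 -d '<' | sed 's/.$//')
    do
        echo "include/$HFILE"
    done
done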
In this article, I detail how to set up mTLS authentication with Cloudflare to secure access to my Prometheus metrics. A concrete case with an Apache reverse proxy and integration into Grafana.
The question was simple enough: How good of an image editor can you build with $20 worth of
Claude Code Pro subscription?
The answer, after one month and roughly that budget, is: surprisingly good, occasionally wrong
about performance, and frustratingly confident about things it hadn’t measured.
RasterLab is a non-destructive RAW image editor written in Rust, built almost entirely by Claude
Code. Not prototyped by it, not scaffolded by it — actually built by it, with me driving
direction and reviewing the output. One month, four weekly usage blocks, one image editor.
The Fedora Project is proposing a new contributor status called “Fedora Verified” to better recognize all forms of community contribution, and we need your feedback. Following the Fedora Council 2026 Strategy Summit, Fedora leadership is reflecting on how we recognize, support, and empower the people who make Fedora possible. Please read through our proposal below and share your thoughts in the Fedora Verified community survey.
As the global open source community grows, the Fedora Project needs to ensure that our systems for recognizing contributors keep pace. Historically, open source recognition has leaned heavily on easily-quantifiable systems such as git repository commits and Pull Requests. But Fedora is built on much more than just code. We want to implement a more human-centered approach that equally values all forms of contribution including mentoring, documentation, design, event organization, and community support.
To help us get there, we are proposing a new contributor status called “Fedora Verified” (Name TBD – feedback welcome!). But before we finalize this model, we need your feedback.
What is the “Fedora Verified” Status?
“Fedora Verified” is a proposed membership-driven approach for the Fedora Account System that distinguishes highly engaged, committed contributors from tens of thousands of standard registered accounts.
How is “Fedora Verified” different from a standard account? Anyone can create a new account in the Fedora Account System (FAS) to begin their journey, file bugs, or make initial contributions. A FAS account is the equivalent of a digital passport to access various Fedora-hosted applications and services for users and contributors alike. “Fedora Verified” represents the next step: a mutual commitment between the contributor and the project, recognizing a sustained track record of positive impact and adherence to our core principles as a community: the Four Foundations (Freedom, Friends, Features, First).
What are the proposed benefits? The primary motivation behind “Fedora Verified” is to build trust-based recognition that grants elevated, privileged rights within the project. Most notably, this status would determine eligibility for strategic governance activities, such as:
Voting in Fedora community elections.
Running for leadership or decision-making roles within the project (i.e., Fedora Council, FESCo, Mindshare Committee, EPEL Steering Committee).
(Potential, unplanned) Accessing specific shared project resources or educational opportunities (e.g., Red Hat training credits).
Proposed Baseline Metrics for Fedora Verified
To ensure fairness and transparency, we are proposing a set of baseline metrics that a contributor must meet before their request for “Fedora Verified” status goes to a human review. The proposed baseline includes:
Sustained Activity: Active involvement in the Fedora community for a minimum of two Fedora release cycles (i.e., sustained participation between 6-12 months at minimum).
Consistent Contributions: A measurable track record of contributions across any recognized area (code, documentation, design, community support, etc.) in the current and previous Fedora release cycle.
Good Community Standing: The contributor is in good standing in the community and does not have a history of behavior that is contradictory to the Fedora Code of Conduct.
Unanswered Questions for the Fedora Community
While we have a framework, there are several major questions we need the community to answer before we move forward. Specifically, we want to know:
Validation: Should applicants be approved by grassroots peer vouches, or an elected committee?
Fairness: Does this model truly value non-code contributions equally?
Progression: How strictly structured should the path to becoming “Verified” be?
Maintenance: Should the status expire after 12 months of inactivity?
Share Your Voice on the Proposal
We want to make sure this proposed membership model is fair, sustainable, and truly represents what our contributors value. Your feedback will directly influence how this policy is drafted and implemented.
The survey will be open until Sunday, 5th May 2026 at 23:59 UTC. Thank you for taking the time to share your perspective, and for everything you do to make Fedora an amazing community!
I am presently experimenting with a software-based routing-offload feature of nftables called flowtable, which I am not used to as an iptables fan. I haven’t had a chance yet to measure the performance of this config but I am using the commands below to help set it up in my firewall:
nft add flowtable ip filter fast "{ hook ingress priority 0; devices = { eth0, eth1 }; counter; }"
nft add rule ip filter FORWARD iifname "eth0" oifname "eth1" ct state "{ established, related }" counter flow add @fast
nft add rule ip filter FORWARD iifname "eth1" oifname "eth0" ct state "{ established, related }" counter flow add @fast
nft add rule ip filter FORWARD iifname "eth0" oifname "eth1" ct state "{ established, related }" counter accept
nft add rule ip filter FORWARD iifname "eth1" oifname "eth0" ct state "{ established, related }" counter accept
You will see some connections being tracked and offloaded with the conntrack -L command:
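One way to check which flows the flowtable has taken over, as an added example that is not part of the original post: the shell functions below summarise conntrack -L output by offload state and list ESTABLISHED TCP flows that are not offloaded. The sample lines are constructed; [OFFLOAD] and [HW_OFFLOAD] are the flags conntrack prints for software and hardware flowtable entries.

```shell
#!/bin/sh
# Added example: classify `conntrack -L` entries by flowtable offload state.
# conntrack prints [OFFLOAD] for flows handled by a software flowtable and
# [HW_OFFLOAD] for flows pushed down to NIC hardware.

# Constructed sample output (documentation address ranges, not real traffic).
SAMPLE='tcp      6 src=192.0.2.10 dst=203.0.113.5 sport=51234 dport=443 src=203.0.113.5 dst=192.0.2.10 sport=443 dport=51234 [OFFLOAD] mark=0 use=2
udp      17 src=192.0.2.11 dst=203.0.113.53 sport=40000 dport=53 src=203.0.113.53 dst=192.0.2.11 sport=53 dport=40000 [OFFLOAD] mark=0 use=2
tcp      6 431990 ESTABLISHED src=192.0.2.12 dst=198.51.100.7 sport=44122 dport=22 src=198.51.100.7 dst=192.0.2.12 sport=22 dport=44122 [ASSURED] mark=0 use=1
tcp      6 110 TIME_WAIT src=192.0.2.10 dst=203.0.113.5 sport=51200 dport=80 src=203.0.113.5 dst=192.0.2.10 sport=80 dport=51200 [ASSURED] mark=0 use=1'

# Count entries per path. Reads conntrack output on stdin.
offload_summary() {
    awk '
        /\[HW_OFFLOAD\]/ { hw++; next }
        /\[OFFLOAD\]/    { sw++; next }
        NF               { slow++ }
        END { printf "software=%d hardware=%d slowpath=%d\n", sw, hw, slow }
    '
}

# Print original-direction src, dst and dport of ESTABLISHED TCP flows that
# carry no offload flag, i.e. flows still handled by the normal netfilter path.
slowpath_established() {
    awk '
        $1 == "tcp" && /ESTABLISHED/ && !/OFFLOAD\]/ {
            s = d = p = ""
            for (i = 1; i <= NF; i++) {
                if (s == "" && $i ~ /^src=/)   s = $i
                if (d == "" && $i ~ /^dst=/)   d = $i
                if (p == "" && $i ~ /^dport=/) p = $i
            }
            print s, d, p
        }
    '
}

# Demo on the constructed sample. On a live firewall use:
#   conntrack -L 2>/dev/null | offload_summary
printf '%s\n' "$SAMPLE" | offload_summary
printf '%s\n' "$SAMPLE" | slowpath_established
```

Once a flow is offloaded its packets bypass the FORWARD chain, so a rule added later to that chain only affects such a flow after its flowtable entry expires.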
Thanks all, and apologies if I missed something or someone.
Aaron Merey added two new options to helgrind.
To control helgrind tracing of internal synchronization, threading and memory events use --show-events=1|2|3.
Use --track-destroy=no|yes|all to check for missing pthread_mutex_destroy and pthread_rwlock_destroy calls. With yes, helgrind warns when pthread_mutex_init or pthread_rwlock_init is called on the address of a live (undestroyed) lock. With all, Helgrind also reports undestroyed locks at process exit.
Valgrind has separate VEX IR translators for AMD64 and x86 (32 bit) code. While the AMD64 translator has seen support for new encodings and instruction sets, the x86 translator has not.
Alexandra Hájková decided to port the SSE4.1 instruction set from the AMD64 translator to the x86 translator and add backend support. This is ongoing work, see the bug dependency tree.
But many more 32bit programs using SSE4.1 should now run under Valgrind.
Andreas Arnez and Florian Krohm did a lot of work on the s390x support.
Andreas added support for new s390x z/Architecture features from the 15th edition. This enables running binaries compiled with -march=arch15 or -march=z17 and exploiting the new MSA extensions 10-13.
Florian Krohm integrated binutils objdump for s390x disassembly in VEX. And did a lot of s390x code and facilities cleanups. s390x machine models older than z196 are no longer supported.
Martin Cermak maintains the Linux Test Program (LTP) valgrind integration, which checks our syscall wrappers work correctly. And he makes sure newer linux syscalls are wrapped. Valgrind 3.27.0 adds support for file_getattr, file_setattr, lsm_get_self_attr, lsm_set_self_attr, lsm_list_modules. And corrects various syscall and ioctl corner cases.
Martin also added Valgrind address space manager support for tracking linux kernel lightweight guard pages, created through madvise (MADV_GUARD_INSTALL).
These guard pages are very low overhead for the kernel because they aren’t tracked as separate VMAs and don’t show up in the process proc maps. But Valgrind does still need to know whether the addresses are accessible. A new --max-guard-pages option controls the memory Valgrind reserves for tracking these pages.
Paul Floyd had more commits than all others combined for this release. Paul takes care of the alternative toolchains, Solaris/illumos, FreeBSD and Darwin/MacOS ports.
Tested Oracle Solaris 11.4, OpenIndiana Hipster and OmniOS. FreeBSD works on both amd64 and arm64, support for 16.0-CURRENT has been added.
A lot of code in valgrind 3.27.0 to support MacOS was previously maintained by Louis Brunner out of tree.
There are two new client requests (macros defined in valgrind.h):
VALGRIND_REPLACES_MALLOC Returns 1 if the tool replaces malloc (e.g., memcheck). Returns 0 if the tool does not replace malloc (e.g., cachegrind and callgrind) or if the executable is not running under Valgrind.
VALGRIND_GET_TOOLNAME Get the running tool name as a string. Takes two arguments, an input buffer pointer and the length of that buffer.
Another frozen week before the Fedora 44 release, just a few
notable things:
openssl4
Openssl4 landed in rawhide and caused some issues and then was pulled back
out by FESCo. We definitely do need to move to it for Fedora 45, but hopefully
we can land it in a way that doesn't break as many things as this last time.
Folks are working on it and I expect we will see it soon.
builder news
We had an aarch64 builder virthost fail to reboot with memory errors
a few weeks ago. Finally got someone onsite to pull and reseat all its
memory and that seems to have done the trick. We are back to full
on aarch64 builders again. Of course we had enough that I doubt anyone
actually noticed that some were down.
I also brought up 3 more big x86_64 builders. They should be added
after freeze/sometime soon. Nice to have extra capacity there even
though we aren't hurting for x86_64 builders.
Bots found the wiki
Yesterday our wiki was up and down in the morning. Seems scrapers not
only found the wiki, but also found that they could query time ranges
for changes in Special:RecentChanges.
We put in some blocking and then increased a bunch of cpu on the backend
and everything seems to be back to 'normal' now.
Until the next time...
vacation!
I will be out on a family vacation next week. Our plane leaves super
stupid early on tuesday morning and I will be packing and such on monday.
So, please don't ping me: file tickets or ask others to take care of
any fedora issues you might have.
Hopefully when I am back we will be go for Fedora 44 release!
Welcome to another update about everything that’s been happening at the GNOME Foundation. It’s been four weeks since my last post, due to a vacation and public holidays, so there’s lots to cover. This period included a major announcement, but there’s also been a lot of other notable work behind the scenes.
Fellowship & Fundraising
The really big news from the last four weeks was the launch of our new Fellowship program. This is something that the Board has been discussing for quite some time, so we were thrilled to be able to make the program a reality. We are optimistic that it will make a significant difference to the GNOME project.
If you didn’t see it already, check out the announcement for details. Also, if you want to apply to be our first Fellow, you have just three days until the application deadline on 20th April!
donate.gnome.org has been a great success for the GNOME Foundation, and it is only through the support of our existing donors that the Fellowship was possible. Despite these amazing contributions, the GNOME Foundation needs to grow our donations if we are going to be able to support future Fellowship rounds while simultaneously sustaining the organisation.
To this end, there’s an effort happening to build our marketing and fundraising effort. This is primarily taking place in the GNOME Engagement Team, and we would love help from the community to help boost our outbound comms. If you are interested, please join the Engagement space and look out for announcements.
Also, if you haven’t already, and are able to do so: please donate!
The schedules for both of these upcoming events are currently being worked on, and arrangements for catering, photographers, and audio visual services are all in the process of being finalized.
The Travel Committee has also been busy handling GUADEC travel requests, and has sent out the first batch of approvals. There are some budget pressures right now due to rising flight prices, but budget has been put aside for more GUADEC travel, so please apply if you want to attend and need support.
April 2026 Board Meeting
This week was the Board’s regular monthly meeting for April. Highlights from the meeting included:
I gave a general report on the Foundation’s activities, and we discussed progress on programs and initiatives, including the new Fellowship program and fundraising.
Deepa gave a finance report for October to December 2025.
Andrea Veri joined us to give an update on the Membership & Elections Committee, as well as the Infrastructure team. Andrea has been doing this work for a long time and has been instrumental in helping to keep the Foundation running, so this was a great opportunity to thank him for his work.
One key takeaway from this month’s discussion was the very high level of support that GNOME receives from our infrastructure partners, particularly AWS and also Fastly. We are hugely appreciative of this support, which represents a major financial contribution to GNOME, and want to make sure that these partners get positive exposure from us and feel appreciated.
We reviewed the timeline for the upcoming 2026 board elections, which we are tweaking a little this year, in order to ensure that there is opportunity to discuss every candidacy, and reduce some unnecessary delay in final result.
Infrastructure
As usual, plenty has been happening on the infrastructure side over the past month. This has included:
Ongoing work to tune our Fastly configuration and managing the resource usage of GNOME’s infra.
Deployment of a LiberaForms instance on GNOME infrastructure. This is hooked up to GNOME’s SSO, so is available to anyone with an account who wants to use it – just head over to forms.gnome.org to give it a try.
Changes to the Foundation’s internal email setup, to allow easier management of the generic contact email addresses, as well as better organisation of the role-based email addresses that we have.
New translation support for donate.gnome.org.
Ongoing work in Flathub, around OAuth and flat-manager.
Admin & Finance
On the accounting side, the team has been busy catching up on regular work that got put to one side during last month’s audit. There were some significant delays to our account process as a result of this, but we are now almost up to date.
Reorganisation of many of our finance processes has also continued over the past four weeks. Progress has included a new structure and cadence for our internal accounting calls, continued configuration of our new payments platform, and new forms for handling reimbursement requests.
Finally, we have officially kicked off the process of migrating to our new physical mail service. Work on this is ongoing and will take some time to complete. Our new address is on the website, if anyone needs it.
That’s it for this report! Thanks for reading, and feel free to use the comments if you have questions!
This is a report created by the CLE Team, a team of community members working in various Fedora groups, for example Infrastructure, Release Engineering, Quality, etc. The team is also moving some initiatives forward inside the Fedora project.
Week: 13 – 17 Apr 2026
Fedora Infrastructure
This team is taking care of day to day business regarding Fedora Infrastructure. It’s responsible for services running in Fedora infrastructure. Ticket tracker
[Badges/Outreachy] Reviewed over 15 pull requests across Tahrir and Tahrir API
This team is taking care of day to day business regarding CentOS Infrastructure and CentOS Stream Infrastructure. It’s responsible for services running in CentOS Infrastructure and CentOS Stream. CentOS ticket tracker CentOS Stream ticket tracker
This team is taking care of day to day business regarding Fedora releases. It’s responsible for releases, retirement process of packages and package builds. Ticket tracker
Producing release candidates for Fedora 44 Final release.
F44 GO/NO-GO meeting is tentatively scheduled for Thursday, April 16th.
Some work related to the migration to Forgejo.
OpenH264 RPMs are now published for F44 and Rawhide (F45).
Otherwise business as usual operations.
RISC-V
This is the summary of the work done regarding the RISC-V architecture in Fedora.
F44 rebuild in full swing:
GCC 16 builds slowed down some progress, but a workaround version was used to compensate.
The diff with F43 is about 1K packages
Discussed setting up Pungi for “compose” artifacts (installation & kickstart trees, ISOs, etc.)
RISC-V “omni kernels” (formerly “unified kernel”)
kernel 7.0 is in the mainline repository and work is proceeding normally (Jason)
A new f44-omni tag and target will be in Koji to support a single omni kernel.
QE
This team is taking care of quality of Fedora. Maintaining CI, organizing test days and keeping an eye on overall quality of Fedora releases.
Private Issues: shared branch created, blocking items identified and being addressed (rebase ongoing)
EPEL
This team is working on keeping EPEL running and helping package things.
Routine packaging work, including backporting multiple CVE fixes to tinyproxy and python-cbor2. Also filed eight FTI (fail-to-install) bugs and updated three packages.
Refinement work on EPEL minor EOL SOP, which will be used next month when EPEL 10.1 reaches EOL.
Continued collaboration with RHEL Lightspeed team on goose packaging work.
UX
This team is working on improving User experience. Providing artwork, user experience, usability, and general design services to the Fedora project
Emma was on the Fedora Podcast with Justin to talk about Flock 2026 and the branding! [Youtube link]
Continuing working with contributor on poster about getting involved with Fedora community [Ticket link]
ActBlue is the online fundraising platform used by
US Democratic party candidates. It is the subject of a major scandal
that has gripped the congress. It has been linked to
Debianism, another disappearing developer and in a parody of other
Debianism scandals, there are possibly two people using the same name,
one being the wife of the missing developer and the other being a
US Senate candidate who claims to have exposed the
ActBlue scandal.
These Github screenshots confirm that
Decklin Foster was affiliated with
ActBlue and vanished in 2018:
Accusations have been made about the concealment
of illegal foreign donations and deception of Congress.
Chris Gleason has nominated to represent Florida in the US Senate.
Gleason registered using a post office box and created a domain name,
voteforgleason.com using an anonymous service in
Iceland.
Gleason's profile on
X/Twitter has no photo while their
Facebook profile is completely disabled.
Up to 2016, we can see that
Decklin Foster was listed in the public filings of ActBlue Civics, Inc
as either a senior engineer or at one point, as
Director of Information Technology.
On 1 January 2015,
Decklin Foster's PGP key was removed because it was only 1024 bits.
Most developers had created stronger keys before this mass removal of
insecure keys took place.
In 2019, the
Debian Account Managers asked the keyring managers to completely remove
Decklin Foster from the Debian keyring. There was no
Statement on Decklin Foster so far.
Clicking the links to see the statements about the removal does not
work. An error message tells us the messages about
Decklin Foster's removal from
debianism are all private.
If you’re interested in me, I have started using Google
Plus. If you’re interested in my work, I’m on Github. I was a Debian developer for some time, but
I’ve mostly given that up. I currently work for ActBlue and live in Cambridge, MA with
my wife.
Clicking on "my wife", we find the web site of Chris Gleason at
http://cgleason.org/.
chris gleason is a graphic designer, zine creator, and print maker in chicago, illinois. they love ...
Therefore, the Debian Developer
(What is a Debian Developer?) who was Director of Information Technology
for
ActBlue was married to a female or transgender
Chris Gleason. Is this the same person as the elusive male
Chris Gleason who is now running for the US Senate in Florida on
claims about corruption at
ActBlue? Or is it simply a bizarre coincidence that two people so
closely connected with this scandal share the same name?
In 2017, the Trans Women Writers Collective published the book
Nameless Woman, written by trans women of colour. In the credits,
the trans women thank
Decklin Foster.
This anthology was made possible by the
generous support of hundreds of people. In
particular, we would like to thank Annaya Youkai, Kieran Todd, Sadie Laett-Babcock, Adelaida
Shelley, Jaime Peschiera, Kai Cheng Thom, Talon
Wilde, David Cope, Alex Meginnis, Decklin Foster,
and Eli Nelson for their help.
On 22 July 1999,
Raphael Hertzog, known for the
Freexian scandals wrote a message asking people to do unpaid work
on orphaned packages in the hope that their application to become a
Debian Developer would be approved more quickly:
To: debian-devel-announce@lists.debian.org, debian-devel@lists.debian.org, debian-qa@lists.debian.org, debian-mentors@lists.debian.org
Subject: [New maintainer] Working for Debian and becoming a registered Debian developer
From: Raphael Hertzog <rhertzog@hrnet.fr>
Date: Thu, 22 Jul 1999 18:06:26 +0200
[ Large crosspost to start the discussion, please reply to debian-devel
only. Simply respect the reply-to. ]
Hello everybody,
you may or not be aware that getting a Debian developer is quite long. I
want to propose a solution to facilitate the integration of new
Debian developers.
It's quite simple. In order to fully learn how Debian works, the best
solution is :
- to adopt orphaned packages and correct their bugs
- that your work should be checked by an official developer (I'll call
it the sponsor).
Of course, as long you're not a registered Debian developers you cannot
upload your packages. The solution is that the sponsor will upload the
package you'll do. The official maintainer will be
debian-qa@lists.debian.org. After all when you correct bugs on orphaned
packages, you're doing Quality Assurance.
This does also allow you to get new bugs in your mailbox. You just need
to subscribe to debian-qa@lists.debian.org. You would be allowed to
open/close/set the severity/forward the bugs since all debian-qa members
can do it on debian-qa packages.
If the sponsor finds that you've done a good job with the package, he
will explain that to the new maintainer team in the hope that your
application will be processed faster. And when you'll be
official Debian developer, you'll be able to change the Maintainer field
to your name.
I'll propose myself to be a sponsor. We'll need more sponsor ... any
volunteers ? Hopefully several people from debian-qa will accept to be
sponsor like me ...
All the future Debian developers interested should also reply ...
Any input appreciated !
Cheers,
--
Hertzog Raphaël >> 0C4CABF1 >> http://prope.insa-lyon.fr/~rhertzog/
Decklin Foster was one of the people recruited by those tactics.
To: debian-devel@lists.debian.org
Cc: debian-mentors@lists.debian.org
Subject: Re: [New maintainer] Working for Debian and becoming a registered Debian developer
From: Decklin Foster <decklin@home.com>
Date: Thu, 22 Jul 1999 13:39:13 -0400
Raphael Hertzog writes:
> Of course, as long you're not a registered Debian developers you cannot
> upload your packages. The solution is that the sponsor will upload the
> package you'll do. The official maintainer will be
> debian-qa@lists.debian.org. After all when you correct bugs on orphaned
> packages, you're doing Quality Assurance.
Sounds good, I'll subscribe right after I finish writing this. I'm
also trying to work on non-orphaned packages as well (for example
right now i'm fixing a bug in gsfonts-x11.) So keep in mind that you
can always just send patches :)
--
Debian GNU/Linux - http://www.debian.org/
The Web is to graphic design as the fax machine is to literature.
Not only was
Decklin under the influence of
Hertzog, they were also under the influence of the
Red Hat share offer. This email encourages speculation on the
IPO:
To: debian-devel@lists.debian.org
Subject: Re: SPAM from Red Hat
From: Decklin Foster <decklin@home.com>
Date: Wed, 21 Jul 1999 09:57:45 -0400
Martin Bialasinski writes:
> is it only me, or did you also get this spam from Red Hat about stock
> options?
>
> Oh man - the bigger the company, the less clueful people?
On #debian last night, it was suggested that we use our opportunity to
buy some of this stock and sell it when the price goes up. This money
could then be used to fund Debian, buy new hardware, improve our
network connection, etc. Does anyone else think this is a Good
Idea(TM)? I would be willing to donate as much as I reasonably could.
--
Debian GNU/Linux - http://www.debian.org/
The Web is to graphic design as the fax machine is to literature.
Of interest to those watching the
ActBlue saga, there is an email about hacking and cracking:
To: debian-devel@lists.debian.org
Subject: Re: [New maintainer] Working for Debian and becoming a registered Debian developer
From: Decklin Foster <decklin@home.com>
Date: Thu, 22 Jul 1999 16:37:40 -0400
Carl Mummert writes:
> Hacking is a serious crime
Cracking is a serious crime. Breaking into computer systems without
permission is a serious crime. Violation of privacy and theft of
confidential information is a serious crime.
Now what does this have to do with hacking?
> The fact remains that the debian policy is to discourage new
> developers by making it slow and difficult to get an account.
I have no problem with waiting, and I'd rather not look bad just
because some people keep speaking badly about the new-maintainer team.
We don't need another flamewar here. People have work to do.
--
Debian GNU/Linux - http://www.debian.org/
The Web is to graphic design as the fax machine is to literature.
They had a blog on another web site. It is captured in the Wayback
machine up to 2012. The last snapshot with the index is here:
http://blog.rupamsunyata.org/. The last blog post:
I'm the fuel that fires the engine of Failure
So, the Democrats in my very blue state put up a depressing, entitled, out-of-touch candidate for our vacant senate seat and she lost. The only reason I voted for her was because she wasn't a Republican. Supporting someone you don't even slightly like is psychologically draining.
At this point, I would vote for a Democratic party (or a Republican party!) with the exact same fiscal policy as the current Republicans if they actually made a principled, moral stand on equal protection and civil rights, habeas corpus/due process, and reproductive rights. Those don't cost anything[1].
Maybe they should be solved before the stuff that does cost billions of dollars. As it is my choice is weak, almost grudging support for those rights from people who want to hand the economy over to the government, and disgusting, immoral, vehement opposition to them from people who want to hand the economy over to wealthy corporations.
Neither side is doing anything effective to keep us free, or to keep the market free. Each side says or implies that this is a Christian nation, which it explicitly isn't, while failing to do what's right. Sometimes I want to give up and stop voting.
[1] Conversely, of course, it doesn't cost anything to take people's rights away, or prevent them from getting rights in the first place; I think this is why anti-gay-marriage ballot measures have been more successful in the current recession. Some people get their kicks from the suffering of others.
Accessing the blog from 2013 onwards we can see
the front page has been replaced with the message:
This blog is not being updated. Old entries are still around, but I'm turning off the front page for now.
contributors.debian.org tells us that
Decklin Foster stopped contributing in February 2011, immediately
before the
death of Adrian von Bidder-Senn on our wedding day.
Chris Gleason is not on the list at all. If
Decklin had abandoned
Debianism, why did it take eight years to remove them from the keyring?
Reading the full history of the
Debian Harassment culture, we can see many other co-authors were
removed for purely political reasons and blackmail but keys belonging to the
people who had abandoned the project and people who died were left in
the keyring for years.
To: debian-devel <debian-devel@lists.debian.org>
Subject: RFA: all my packages
From: Decklin Foster <decklin@red-bean.com>
Date: Thu, 10 Feb 2011 17:11:05 -0500
Message-id: <1297375750-sup-7355@gillespie.rupamsunyata.org>
I'm looking for a new maintainer for, well, any of these. My heart is
not in it anymore and most of them have been neglected for a while.
Recently my free time has been taken up by other things (mainly my job)
and I foresee that continuing.
http://qa.debian.org/developer.php?login=decklin%40red-bean.com
python-beautifulsoup and mpd need attention for proposed-updates; I
missed getting them into Squeeze. rxvt-unicode is a total clusterfuck.
If any desktop-type packages remain I will orphan them, as I am only
running Debian on servers now. Apart from that, perhaps with a greatly
reduced load I can still make a tiny contribution to the community. If
not, I will retire.
--
things change.
decklin@red-bean.com
Various scholarly articles from Harvard experts on depression have
thanked
Decklin Foster for their contributions in 2008 and 2009.
Decklin Foster was collaborating on this world-class depression
research at exactly the same time they were part of the
debian-private discussions that precipitated the
Debian Day Volunteer Suicide in 2010.
Subject: Re: Death of Adrian von Bidder
Date: Fri, 22 Apr 2011 09:39:49 +0200
From: A Mennucc <mennucc1@debian.org>
To: debian-private@lists.debian.org
Il 19/04/2011 18:17, martin f krafft ha scritto:
> Dear Debian colleagues,
>
> I have the sad task to communicate to you the news of the death of
> Adrian von Bidder (avbidder, cmot), who passed away last Sunday,
> most probably of a heart attack.
I had contacted Adrian regarding the Debian umbrella.
So I had also a chance of seeing a picture of him
http://blog.fortytwo.ch/archives/80-Yay!-Debian-Logo!.html
In that picture he seemed quite happy and young.
His death is quite shocking and sad.
a.
There is a
Decklin Foster profile on Youtube that hasn't been used for nine
years. There are four subscribers. One of the videos has the
comment:
Mixed these together on my show (editsradio.org) this week and really liked the result, so here it is on its own, slowed down and a little extended.
Photo taken at the Wilbur Theater in Boston on 2012-07-31.
The last snapshot of
editsradio.org is on 6 April 2015. After that, the content is
changed to Arabic. From 15 August 2015, it is redirecting to another site,
also in Arabic, at
http://www.17serialbaran.org.
It would be extremely offensive to ask such a question in any other
group of people but in the world of
Debianism and
Zizian phenomena, there are a disproportionate number of people who
are living such lifestyles.
Chris Gleason was born in Lowell, Massachusetts. Gleason's career experience includes working as a technology consultant. He served in the U.S. Army National Guard from 1989 to 1999. Gleason earned a bachelor's degree from the University of Massachusetts, Lowell in 1996. Gleason has been affiliated with Caribbean Christian Center for the Deaf, Michigan -Make-A-Wish, Seniors Helping Seniors.
In the recent UK elections, journalists and researchers found various
examples of candidates who didn't really exist. At least one political
party was accused of making up fake candidates to make their party
look bigger and attract more donations.
I have the impression the
Chris Gleason in
Florida is a different
person but I'm not ruling out the possibility it is a fake profile
or an alter-ego of
Chris Gleason, wife of
Decklin.
The Committee on House Administration, the Committee on the Judiciary, and the
Committee on Oversight and Government Reform are charged with ensuring the integrity of American elections. To that end, the Committees are examining allegations that ActBlue, a leading political fundraising organization, allowed bad actors, including foreign actors, to exploit its online platform to make fraudulent political donations.
CEO at NextMed Holdings, LLC CEO at Translational Analytics and Statistics, LLC
Chris Gleason is a board member at Our Mayberry, a company focused on revolutionizing charitable giving and fundraising [1]. He is a lawyer, entrepreneur, and community philanthropist with multiple leadership roles in charities helping children [3]. Gleason has also been involved in various business ventures and has held executive positions in different companies.
In addition to his role at Our Mayberry, Gleason has served as a board member for the Goldwater Institute since 2013 [5]. He was also recently appointed as the president and CEO of Moximed, a medical device company, in June 2024 [2].
Gleason has a background in sales leadership, having previously worked as VP of sales at Relievant and VP of sales of interventional urology at Teleflex [2]. He has also been involved in political activities, receiving income from Election Watch, a Wisconsin-based group, in 2024 [4].
It's worth noting that Gleason has recently entered the political arena, running for the position of Pinellas County Supervisor of Elections in Florida for the 2024 election. His campaign has been controversial, as he has made unsubstantiated claims about election fraud and criticized the incumbent, Julie Marcus.
In the case of another Debian Developer,
Paul Tagliamonte, he really was working in the White House and the
Pentagon. We have a photo to prove it:
Chris Gleason's campaign web site has the title
Whistleblower in big letters. This implies he was an insider
or he was connected to an insider, in other words, his claim to be
a whistleblower encourages us to ask about the bizarre possibility that he
really is or was the transgender wife of
ActBlue's missing director of
information technology,
Decklin Foster.
Here is one more interesting leak from the
debian-private leaked gossip network. It shows us that
Decklin Foster was in favor of the practice of dividing the community
and humiliating people. It looks like he supported the humiliation of
Sven Luther at the very time he was working in the Harvard Medical
School's depression research team. Sven's mother was dying at the time
this bun fight erupted.
Subject: Expulsion process: Sven Luther
Date: Thu, 01 Mar 2007 00:00:29 +0100
From: Joerg Jaspert <joerg@debian.org>
Organization: Goliath-BBS
To: debian-private@lists.debian.org
...
Now, the list of people who sent something in for the process:
Anthony - Requestor
Supporters, unordered:
srivasta@debian.org
mbanck@debian.org
tbm@cyrius.com
93sam@debian.org
fs@debian.org
jgoerzen@complete.org
fjp@debian.org
dilinger@debian.org
joeyh@debian.org
liw@iki.fi
stappers@stappers.nl
tolimar@debian.org
jeroen@wolffelaar.nl
tfheen@debian.org
micah@riseup.net
decklin@red-bean.com
tb@becket.net
tytso.mit.edu
The conflict between
Sven Luther and
Frans Pop appears to be a factor in the eventual suicide of
Frans Pop. The whole group failed.
Subject: [Very long] Post-partem rant and retrospective
Date: Thu, 31 May 2007 03:56:11 +0200
From: Frans Pop <elendil@planet.nl>
To: debian-private@lists.debian.org
I've decided to write this in a separate mail because I'm afraid this may get long. Quite a bit of this has been written before, but I hope some of you will bear with me.
[snip]
So, what has made me decide to leave the project. It's a combination of just plain emotional stress over the whole Sven Luther issue, frustration with the inability of the project to deal with that and with some other issues, and frustration with the fact that a fair number of members of the project seem to feel that as long as you don't upload packages with trojans, pretty much anything is OK.
and eventually....
Subject: Resignation
Date: Sun, 15 Aug 2010 21:41:18 +0200
From: Frans Pop <elendil@planet.nl>
To: debian-private@lists.debian.org
It's time to say goodbye. I don't want to say too much about it, except that I've been planning this for a long time.
Participating in Debian has been great.
...
At 11pm local time in eastern Australia, a huge fire broke out at
the Viva Energy refinery in Corio, Geelong.
There has been a near-total news vacuum. This may be deliberate or it
may be a consequence of cost-cutting that has replaced many journalists with
artificial intelligence. The few human journalists who remain in
the profession may have already gone to bed when the fire started.
The national broadcaster, the ABC, was quick to include it in their
list of breaking news items but without much detail. About three hours
after the fire started, it was present on the web site of 9 News but
not visible on the web sites of 7 News, Herald Sun or The Age. About
five hours after the fire started, the local newspaper Geelong Advertiser
included it in their
Facebook account.
The story is newsworthy for a number of reasons.
Australia previously had eight refineries but six of them were
phased out and never replaced.
Australia relies on foreign refineries for over eighty percent of
fuel. With the Corio refinery out of action, there is only one domestic
refinery left. Therefore, it is surprising the news media have been
so slow to pick up the story.
The next big reason it is newsworthy is the war in
Iran.
None of the news reports have commented on the fact that
Richard Marles, the deputy prime minister and the minister for defence
is the local member of parliament for the region where the refinery
is located.
In the news vacuum, people have been quick to share rumours on
social control media. Some people are speculating about the
prospect of a drone attack. In Europe last year there were reports about
Russian drones launched from cargo ships in international waters and
interfering with European airports. Other reports have speculated about
cargo ships using their anchors to sabotage pipelines and communications
cables on the sea floor.
France intercepted and seized a ship connected with
Russia.
Another user on
social control media has commented that there was a technical incident
at the plant earlier in the day and the fire could be nothing more
than an accident.
People would be wise not to jump to conclusions. Even if it is a
terror attack, it may not be
Iran. In recent news reports,
Russia announced they had the right to attack any countries who
are sending support to
Ukraine. The French company Thales manufactures the BushMaster
armored personnel carriers in
Bendigo and the government donated some of them to
Ukraine. Low cost cardboard drones manufactured in
Australia have also been donated to
Ukraine.
There's a disconnect in the AI Engineering space right now and I think that the
open source community has already risen to the occasion to bridge the gap, but
I don't see any signal that it's well understood or widely adopted.
The industry is overwhelmingly focused on building agents from
scratch via custom frameworks, bespoke orchestration layers, hand-rolled
tool-calling loops, etc. when many of the hard problems have already been solved
in that layer of the stack. The building block exists. It's open source. It's called
goose.
I think for over 90% of use cases, if you're spending your time implementing an
agent from scratch, you're already behind or potentially have already lost the race.
My hypothesis is that Goose is the building block. It's the small, composable
thing that becomes powerful when you wrap it in what the industry is rapidly agreeing
is called the Harness.
The composable agent you didn't know you needed
Most people hear "goose" and think either "another AI coding assistant" or "another
AI chatbot" (depending on how they came across goose and how they use it). That
misunderstanding is the problem. Goose is not a coding assistant. It is not a
chatbot. It is not a Claude Code competitor, though it can be configured to act
as all of those things. At its core, goose is a small, configurable agent
runtime with an extension-based architecture that can be composed into virtually
anything.
It operates on three components:
Interface: Desktop app or CLI/TUI that collects user input and displays
output.
Agent: The core logic engine that manages the interactive loop: sending
requests to LLM providers, orchestrating tool calls, and handling context
revision.
Extensions: Pluggable components built on the Model Context Protocol
(MCP) that provide specific tools and
capabilities.
A small core with a lot of power delivered through native extensions, external
plugins, and configuration options. The agent core itself is minimal, it's an
interactive loop plus context management. That's it. All capabilities come
through the extension system.
You can strip goose down to nothing. No external capabilities. No tool calling.
No skills. No plugins. You can even configure it so it cannot access the
internet, only the inference service to talk to the model (which can be local).
At that point, it's a plain chatbot with no agency whatsoever.
Or you can go the other direction entirely.
From zero to everything
Configure goose with the Developer extension, Computer Controller, Memory,
and a handful of MCP servers and you have a working replacement for
Claude Code,
Codex,
Gemini CLI,
OpenCode,
or any other similar tool. Same capabilities, no vendor lock-in, and you choose
your own inference provider from over 25 options (at the time of this writing) including
Anthropic,
OpenAI,
Google Gemini,
Groq,
Mistral,
and more. You can run fully local inference via goose's native inference
provider, or offload to Ollama, Ramalama, LM Studio, or
Docker Model Runner. The full list
of providers is in the
goose documentation.
If you put this together, you're well on your way to unlocking the full potential
but you're just getting started.
Recipes: reproducible, composable workflows
Where goose gets interesting is its composition model.
Goose Recipes are reusable,
shareable workflow definitions that package together instructions, extensions,
parameters, provider settings, retry logic, and structured response schemas. A
recipe can be as simple as a single prompt with a specific extension configuration.
Alternatively it can be sophisticated, composed of subrecipes where each subrecipe is
effectively another goose agent with its own configuration: its own extensions,
plugins, inference provider, system prompt, and skills.
Subrecipes run in isolated sessions with no shared conversation history, memory,
or state. The main recipe's agent decides when to invoke them, can run them
sequentially or in parallel, and chains their outputs through conversation
context. Compositional agent orchestration without writing a single line of
framework code.
You're not writing an orchestration layer. You're not building a DAG executor.
You're not implementing tool-calling logic. You're writing YAML that describes
what you want done and goose handles the how.
Goosetown: multi-agent orchestration, no framework required
Say you want to take this all the way to the extreme: a fully autonomous software
factory like the one Steve Yegge outlines in his now infamous blog post,
"Welcome to Gas Town",
and implemented via his Gastown project.
Gastown is a multi-agent workspace
manager for orchestrating Claude Code, GitHub Copilot, Codex, Gemini, and other
AI agents with persistent work tracking. It's a Go application with concepts
like Mayors, Rigs, Polecats, Hooks, Convoys, and Beads. It's a real engineering
effort to coordinate 20-30 agents on a codebase.
You can do exactly that by using goose as the building block. The open source
community did it. They looked at Gastown and re-implemented its core concepts using goose's
native capabilities. The result is
Goosetown. Goosetown is a multi-agent
coordination system that orchestrates "flocks" of AI agents (researchers,
writers, workers, reviewers) to decompose and execute complex tasks. Goosetown
uses goose's subagent delegation, skills system for role-based specialization,
inter-agent communication via a broadcast channel called the "Town Wall," and
multi-model support for adversarial cross-reviews where different LLMs review
each other's work.
If you look at the code, it's just a few flat files, some shell scripts,
some skills markdown, and some agent definitions.
All of this built on top of goose. Not alongside it. Not wrapping it. On it.
Using the primitives goose already provides: skills, subagents, extensions, and
recipes.
Goose as a service
Goose also runs as a daemon, exposing itself to other applications via the
Agent Client Protocol (ACP)
(a standardized JSON-RPC protocol developed by Zed Industries).
ACP does for AI agents what LSP did for language servers. ACP decouples agents
from editors and frontends, so goose can be embedded directly into Zed, JetBrains, Neovim, or
any ACP-compatible environment.
The composability runs both directions. Goose can also consume other ACP
agents as providers, routing its LLM calls through Claude Code, Codex, or
Gemini while keeping its own extension ecosystem and UI. As Adrian Cole wrote
in his blog post
"How to Break Up with Your Agent":
"Pick the UI you like. Pick the agent you like. They don't have to be the
same thing."
This bidirectional composability — goose as a component and goose as an
orchestrator — is what separates it from other agent tools.
Open governance, no vendor lock-in
Goose is fully open source under the leadership of the
Agentic AI Foundation (AAIF), which provides
vendor-neutral governance under the umbrella of the
Linux Foundation. AAIF also hosts the
Model Context Protocol (MCP) itself, so
the standards goose builds on are governed with the same neutrality.
This matters. When you build your workflows on goose, you're building on a
foundation governed by a neutral body with a Governing Board, a Technical
Committee, and a transparent contribution model. This is the same open,
collaborative, and neutral model that made Linux and Kubernetes into reliable
core components of the entire software industry, and it's the same reason I
think it's worth investing time and energy into.
It's no secret I'm an open source nerd, and goose checks all the boxes.
The harness is the thing
We've collectively been on a journey. First it was Prompt Engineering, crafting the right
words to get the right output. Then it was Context Engineering, making sure the
model has the right information at the right time. Now, it seems we've arrived
at the next turn in this adventure we all find ourselves in: Harness Engineering.
Ralph Bean nails this in his blog post
"What Even Is the Harness?".
The harness is the enablement layer. It's everything you add to the agent runtime
that gives you control over your outcomes:
"Harness — the enablement layer. AGENTS.md files, skills, custom tools,
hand-crafted linters, system prompts for task-oriented agents. These are the
things you engineer, iteratively, to increase the chances the agent gets
things right. This is what Birgitta Böckeler calls the user harness and is
where Mitchell Hashimoto's attention lives."
—Ralph Bean
Read that again. The harness is not the agent. The harness is what you add to
the agent. The AGENTS.md files. The skills. The custom MCP tools. The
hand-crafted linters. The system prompts. The recipes and subrecipes. The
extension configurations. The provider choices. The permission policies.
This is where your engineering effort belongs. Not in building the interactive
loop, or implementing tool-calling JSON parsing, or writing context window
management, or building MCP client libraries. Goose already does all of that and
does so with the full backing of the AAIF, the Linux Foundation, and a vibrant
open source community.
In most cases, and I'd argue almost all cases, your job is to build the harness.
The 90% argument
I think for over 90% of use cases where someone is building an
agent today, goose is a better starting point than a blank text editor or a vibe
coding session (are we calling it Agentic Engineering yet?).
If you need a coding assistant, goose does that. If you need a research agent,
configure goose with web scraping extensions and a research-focused recipe or skill.
If you need a CI/CD bot, run goose in daemon mode with ACP or orchestrate it with
scripts/recipes in your CI job runner of choice. If you need multi-agent
orchestration, compose goose instances with subrecipes or build a
Goosetown-style flock. If you need local-only, air-gapped inference, point
goose at Ollama, Ramalama, LM Studio, or its native inference provider. If you
need to integrate with your existing editor, goose speaks ACP natively or you
can set GOOSE_PROMPT_EDITOR
and run the whole flow from inside your editor of choice. If you need vendor-neutral
governance, it's under the Linux Foundation umbrella via AAIF.
The remaining 10%? Those are the genuinely novel agent architectures, the
research projects pushing boundaries, the use cases where you do need to control
every byte of the agent loop. For those, build from scratch. For everything else,
build the harness. I'm not saying you can't build agents from scratch. I'm simply
suggesting that you probably don't need to.
A call to action
If you're a professional technologist or an aspiring AI Engineer, I'd encourage
you to shift your mental model. Stop thinking about building agents. Start
thinking about harnessing them. At this point in the AI hype cycle, the agent
is mature enough to be the commodity. The harness is your competitive advantage.
Install goose. Strip it down to
nothing and build it back up. Write a recipe. Compose some subrecipes. Add
skills. Configure extensions. Point it at different providers. Run it as a
daemon. Embed it in your editor. Build a flock. Engineer the harness.
The hypervisor is an old Fedora install that I first upgraded to Fedora 43.
I used nmcli to remove all connections (I was in via telnet and a serial concentrator) and then added a bridge. I had to figure out which of the interfaces was actually attached to the outside world, which I did by re-creating an Ethernet connection, and bringing it up, then deleting the connection. That device becomes the bridge-slave-device.
So, after a bunch of nmcli con del commands to get to a baseline, I ran:
nmcli con add type bridge con-name virbr0 ifname virbr0
nmcli connection modify virbr0 ipv4.method auto
nmcli connection add type bridge-slave ifname enP5p1s0f0np0 master virbr0 con-name enP5p1s0f0np0
nmcli con up virbr0
And this should be enough to recreate.
I also had to create a permission for the bridge-helper to allow connection from userland:
I had to create the directory and then edit the file in :
This post attempts to explain how Huion tablet devices currently integrate into the desktop stack. I'll touch a bit on the Huion driver and the OpenTablet driver but primarily this explains the intended integration[1]. While I have access to some Huion devices and have seen reports from others, there are likely devices that are slightly different. Huion's vendor ID is also used by other devices (UCLogic and Gaomon) so this applies to those devices as well.
This post was written without AI support, so any errors are organic artisan hand-crafted ones. Enjoy.
The graphics tablet stack
First, a short overview of the ideal graphics tablet stack in current desktops. At the bottom is the physical device which contains a significant amount of firmware. That device provides something resembling the HID protocol over the wire (or Bluetooth) to the kernel. The kernel typically handles this via the generic HID drivers [2] and provides us with a /dev/input/event evdev node, ideally one for the pen (and any other tool) and one for the pad (the buttons/rings/wheels/dials on the physical tablet). libinput then interprets the data from these event nodes, passes them on to the compositor which then passes them via Wayland to the client. Here's a simplified illustration of this:
Unlike the X11 API, libinput's API works on both a per-tablet and a per-tool basis. In other words, when you plug in a tablet you get a libinput device that has a tablet tool capability and (optionally) a tablet pad capability. But the tool will only show up once you bring it into proximity. Wacom tools have sufficient identifiers that we can a) know what tool it is and b) get a unique serial number for that particular device. This means you can, if you wanted to, track your physical tool as it is used on multiple devices. No-one [3] does this but it's possible. More interesting is that because of this you can also configure the tools individually, different pressure curves, etc. This was possible with the xf86-input-wacom driver in X but only with some extra configuration, libinput provides/requires this as the default behaviour.
The most prominent case for this is the eraser which is present on virtually all pen-like tools though some will have an eraser at the tail end and others (the numerically vast majority) will have it hardcoded on one of the buttons. Changing to eraser mode will create a new tool (the eraser) and bring it into proximity - that eraser tool is logically separate from the pen tool and can thus be configured differently. [4]
Another effect of this per-tool behaviour is also that we know exactly what a tool can do. If you use two different styli with different capabilities (e.g. one with tilt and 2 buttons, one without tilt and 3 buttons), they will have the right bits set. This requires libwacom - a library that tells us, simply: any tool with id 0x1234 has N buttons and capabilities A, B and C. libwacom is just a bunch of static text files with a C library wrapped around those. Without libwacom, we cannot know what any individual tool can do - the firmware and kernel always expose the capability set of all tools that can be used on any particular tablet. For example: wacom's devices support an airbrush tool so any tablet plugged in will announce the capabilities for an airbrush even though >99% of users will never use an airbrush [5].
The compositor then takes the libinput events, modifies them (e.g. pressure curve handling is done by the compositor) and passes them via the Wayland protocol to the client. That protocol is a pretty close mirror of the libinput API so it works mostly the same. From then on, the rest is up to the application/toolkit.
Notably, libinput is a hardware abstraction layer and conversion of hardware events into others is generally left to the compositor. IOW if you want a button to generate a key event, that's done either in the compositor or in the application/toolkit. But the current versions of libinput and the Wayland protocol do support all hardware features we're currently aware of: the various stylus types (including Wacom's lens cursor and mouse-like "puck" devices) and buttons, rings, wheels/dials, and touchstrips on pads. We even support the rather once-off Dell Canvas Totem device.
Huion devices
Huion's devices are HID compatible which means they "work" out of the box but they come in two different modes, let's call them firmware mode and tablet mode. Each tablet device pretends to be three HID devices on the wire and depending on the mode some of those devices won't send events.
Firmware mode
This is the default mode after plugging the device in. Two of the HID devices exposed look like a tablet stylus and a keyboard. The tablet stylus is usually correct (enough) to work OOTB with the generic kernel drivers, it exports the buttons, pressure, tilt, etc. The buttons and strips/wheels/dials on the tablet are configured to send key events. For example, the Inspiroy 2S I have sends b/i/e/Ctrl+S/space/Ctrl+Alt+z for the buttons and the roller wheel sends Ctrl-/Ctrl= depending on direction. The latter are often interpreted as zoom in/out so hooray, things work OOTB. Other Huion devices have similar bindings, there is quite some overlap but not all devices have exactly the same key assignments for each button. It does of course get a lot more interesting when you want a button to do something different - you need to remap the key event (ideally without messing up your key map lest you need to type an 'e' later).
The userspace part is effectively the same, so here's a simplified illustration of what happens in kernel land:
Any vendor-specific data is discarded by the kernel (but in this mode that HID device doesn't send events anyway).
Tablet mode
If you read a special USB string descriptor from the English language ID, the device switches into tablet mode. Once in tablet mode, the HID tablet stylus and keyboard devices will stop sending events and instead all events from the device are sent via the third HID device which consists of a single vendor-specific report descriptor (read: 11 bytes of "here be magic"). Those bits represent the various features on the device, including the stylus features and all pad features as buttons/wheels/rings/strips (and not key events!). This mode is the one we want to handle the tablet properly. The kernel's hid-uclogic driver switches into tablet mode for supported devices, in userspace you can use e.g. huion-switcher. The device cannot be switched back to firmware mode but will return to firmware mode once unplugged.
Once we have the device in tablet mode, we can get true tablet data and pass it on through our intended desktop stack. Alas, like ogres there are layers.
hid-uclogic and udev-hid-bpf
Historically and thanks in large part to the now-discontinued digimend project, the hid-uclogic kernel driver did do the switching into tablet mode, followed by report descriptor mangling (inside the kernel) so that the resulting devices can be handled by the generic HID drivers. The more modern approach we are pushing for is to use udev-hid-bpf which is quite a bit easier to develop for. But both do effectively the same thing: they overlay the vendor-specific data with a normal HID report descriptor so that the incoming data can be handled by the generic HID kernel drivers. This will look like this:
Notable here: the stylus and keyboard may still exist and get event nodes but never send events[6] but the uclogic/bpf-enabled device will be proper stylus/pad event nodes that can be handled by libinput (and thus the rest), with raw hardware data where buttons are buttons.
Challenges
Because in true manager speak we don't have problems, just challenges. And oh boy, we collect challenges as if we'd be organising the Olympics.
hid-uclogic and libinput
First and probably most embarrassing is that hid-uclogic has a different way of exposing event nodes than what libinput expects. This is largely my fault for having focused on Wacom devices and internalized their behaviour for long years. The hid-uclogic driver exports the wheels and strips on separate event nodes - libinput doesn't handle this correctly (or at all). That'd be fixable but the compositors also don't really expect this so there's a bit more work involved but the immediate effect is that those wheels/strips will likely be ignored and not work correctly. Buttons and pens work.
udev-hid-bpf and huion-switcher
hid-uclogic being a kernel driver has access to the underlying USB device. The HID-BPF hooks in the kernel currently do not, so we cannot switch the device into tablet mode from a BPF, we need it in tablet mode already. This means a userspace tool (read: huion-switcher) triggered via udev on plug-in and before the udev-hid-bpf udev rules trigger. Not a problem but it's one more moving piece that needs to be present (but boy, does this feel like the unix way...).
Huion's precious product IDs
By far the most annoying part about anything Huion is that until relatively recently (I don't have a date but maybe until 2 years ago) all of Huion's devices shared the same few USB product IDs. For most of these devices we worked around it by matching on device names but there were devices that had the same product ID and device name. At some point libwacom and the kernel and huion-switcher had to implement firmware ID extraction and matching so we could differentiate between devices with the same 0256:006d USB IDs. Luckily this seems to be in the past now with modern devices now getting new PIDs for each individual device. But if you have an older device, expect difficulties and, worse, things to potentially break after firmware updates when/if the firmware identification string changes. udev-hid-bpf (and uclogic) rely on the firmware strings to identify the device correctly.
edit: and of course less than 24h after posting this I process a bug report about two completely different new devices sharing one of the product IDs
udev-hid-bpf and hid-uclogic
Because we have a changeover from the hid-uclogic kernel driver to the udev-hid-bpf files there are rough edges on "where does this device go". The general rule is now: if it's not a shared product ID (see above) it should go into udev-hid-bpf and not the uclogic driver. Easier to maintain, much more fire-and-forget. Devices already supported by udev-hid-bpf will remain there, we won't implement BPFs for those (older) devices, doubly so because of the aforementioned libinput difficulties with some hid-uclogic features.
Reverse engineering required
The newer tablets are always slightly different so we basically need to reverse-engineer each tablet to get it working. That's common enough for any device but we do rely on volunteers to do this. Mind you, the udev-hid-bpf approach is much simpler than doing it in the kernel, much of it is now copy-paste and I've even had quite some success to get e.g. Claude Code to spit out a 90% correct BPF on its first try. At least the advantage of our approach to change the report descriptor means once it's done it's done forever, there is no maintenance required because it's a static array of bytes that doesn't ever change.
Plumbing support into userspace
Because we're abstracting the hardware, userspace needs to be fully plumbed. This was a problem last year for example when we (slowly) got support for relative wheels into libinput, then wayland, then the compositors, then the toolkits to make it available to the applications (of which I think none so far use the wheels). Depending on how fast your distribution moves, this may mean that support is months and years off even when everything has been implemented. On the plus side these new features tend to only appear once every few years. Nonetheless, it's not hard to see why the "just send Ctrl=, that'll do" approach is preferred by many users over "probably everything will work in 2027, I'm sure".
So, what stylus is this?
A currently unsolved problem is the lack of tool IDs on all Huion tools. We cannot know if the tool used is the two-button + eraser PW600L or the three-button-one-is-an-eraser-button PW600S or the two-button PW550 (I don't know if it's really 2 buttons or 1 button + eraser button). We always had this problem with e.g. the now quite old Wacom Bamboo devices but those pens all had the same functionality so it just didn't matter. It would matter less if the various pens would only work on the device they ship with but it's apparently quite possible to use a 3 button pen on a tablet that shipped with a 2 button pen OOTB. This is not difficult to solve (pretend to support all possible buttons on all tools) but it's frustrating because it removes a bunch of UI niceties that we've had for years - such as the pen settings only showing buttons that actually existed. Anyway, a problem currently in the "how I wish there was time" basket.
Summary
Overall, we are in an ok state but not as good as we are for Wacom devices. The lack of tool IDs is the only thing not fixable without Huion changing the hardware[7]. The delay between a new device release and driver support is really just dependent on one motivated person reverse-engineering it (our BPFs can work across kernel versions and you can literally download them from a successful CI pipeline).
The hid-uclogic split should become less painful over time as the devices with shared USB product IDs age into landfill, and even more so if libinput gains support for the separate event nodes for wheels/strips/... (there is currently no plan and I'm somewhat questioning whether anyone really cares). But other than that our main feature gap is really the ability for much more flexible configuration of buttons/wheels/... in all compositors - having that would likely make the requirement for OpenTabletDriver and the Huion driver disappear.
OpenTabletDriver and Huion's own driver
The final topic here: what about the existing non-kernel drivers?
Both of these are userspace HID input drivers which all use the same approach: read from a /dev/hidraw node, create a uinput device and pass events back. On the plus side this means you can do literally anything that the input subsystem supports, at the cost of a context switch for every input event. Again, a diagram of how this looks (mostly) below userspace:
Note how the kernel's HID devices are not exercised here at all because we parse the vendor report, create our own custom (separate) uinput device(s) and then basically re-implement the HID to evdev event mapping. This allows for great flexibility (and control, hence the vendor drivers are shipped this way) because any remapping can be done before you hit uinput. I don't immediately know whether OpenTabletDriver switches to firmware mode or maps the tablet mode but architecturally it doesn't make much difference.
From a security perspective: having a userspace driver means you either need to run that driver daemon as root or (in the case of OpenTabletDriver at least) you need to allow uaccess to /dev/uinput, usually via udev rules. Once those are installed, anything can create uinput devices, which is a risk but how much is up for interpretation.
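The check below is an added example, not code from this post or from any driver project: it scans udev rules text for rules that widen access to /dev/uinput, which is the exposure described above. The sample rules, the placeholder vendor ID and the function names are constructed for illustration.

```python
import fnmatch
import re

# One `KEY{attr} OP "value"` token of a udev rule.
TOKEN = re.compile(
    r'([A-Za-z_]+(?:\{[^}]*\})?)\s*(==|!=|\+=|-=|:=|=)\s*"((?:[^"\\]|\\.)*)"'
)
ASSIGN = {"=", "+=", ":="}

# Constructed sample rules, not copied from any shipped package.
SAMPLE_RULES = r'''
# userspace tablet driver wants to create virtual input devices
KERNEL=="uinput", SUBSYSTEM=="misc", TAG+="uaccess", OPTIONS+="static_node=uinput"
# raw HID read access only; the vendor ID is a placeholder
SUBSYSTEM=="hidraw", ATTRS{idVendor}=="ffff", TAG+="uaccess"
KERNEL=="uinput", GROUP="input", \
    MODE="0660"
KERNEL=="uinput", MODE="0666"
KERNEL=="uinput", MODE="0600"
'''


def logical_lines(text):
    """Yield rules with comments and blanks dropped and '\\' continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def targets_uinput(tokens):
    """True if a KERNEL=="..." match (glob, '|' alternatives) covers uinput."""
    for key, op, value in tokens:
        if key == "KERNEL" and op == "==":
            if any(fnmatch.fnmatchcase("uinput", alt) for alt in value.split("|")):
                return True
    return False


def audit_uinput_rules(text):
    """Return (kind, rule) for every rule that lets non-root open /dev/uinput."""
    findings = []
    for rule in logical_lines(text):
        tokens = TOKEN.findall(rule)
        if not targets_uinput(tokens):
            continue
        assigned = [(k, v) for k, op, v in tokens if op in ASSIGN]
        group = next((v for k, v in assigned if k == "GROUP"), "root")
        for key, value in assigned:
            if key == "TAG" and value == "uaccess":
                # uaccess: the user of the active local session gets an ACL
                # entry, so any process in that session can create devices.
                findings.append(("uaccess", rule))
            elif key == "MODE" and re.fullmatch(r"[0-7]{3,4}", value):
                mode = int(value, 8)
                if mode & 0o002:
                    findings.append(("world-writable", rule))
                elif mode & 0o020 and group != "root":
                    findings.append((f"group-writable:{group}", rule))
    return findings


if __name__ == "__main__":
    for kind, rule in audit_uinput_rules(SAMPLE_RULES):
        print(f"{kind:24} {rule}")
```

On a live system the input would be the files under /etc/udev/rules.d and /usr/lib/udev/rules.d; compare the result with `getfacl /dev/uinput`, since uaccess is applied as an ACL rather than through the mode bits.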
[1] As is so often the case, even the intended state does not necessarily spark joy
[2] Again, we're talking about the intended case here...
[3] fsvo "no-one"
[4] The xf86-input-wacom driver always initialises a separate eraser tool even if you never press that button
[5] For historical reasons those are also multiplexed so getting ABS_Z on a device has different meanings depending on the tool currently in proximity
[6] In our udev-hid-bpf BPFs we hide those devices so you really only get the correct event nodes, I'm not immediately sure what hid-uclogic does
[7] At which point Pandora will once again open the box because most of the stack is not yet ready for non-Wacom tool ids
Sorting a terabyte of data in the late 1990s meant serious hardware, serious
planning, and probably a serious budget approval process. Today you can do it
on a workstation before lunch. I wanted to know how fast, so I wrote
rustbucket to find out.
It’s a two-phase external sort implemented in Rust, built around io_uring,
and named for reasons that should be obvious to anyone who has spent time
with either Rust or storage systems.
Accessibility Conformance Reports basically document how our software measures up against accessibility standards like WCAG and Section 508. Since RHEL 10 is built on GNOME 47, this report is a good look at how our stack handles various accessibility things from screen readers to keyboard navigation.
Getting a desktop environment to meet these requirements is a huge task and it’s only possible because of the work done by our community in projects like: Orca, GTK, Libadwaita, Mutter, GNOME Shell, core apps, etc…
Kudos to everyone in the GNOME project that cares about improving accessibility. We all know there’s a long way to go before desktop computing is fully accessible to everyone, but we are surely working on that.
If you’re curious about the state of accessibility in the 47 release or how these audits work, you can find the full PDF here.
Another saturday and... oh wait, it's sunday!
I was away almost all the day yesterday (morning at https://beaverbarcamp.org/
and afternoon/evening visiting family ), so this will be a day late. :)
This week we were still in Fedora 44 final freeze (we canceled the go/nogo on
thursday because there were still unaddressed blockers) so there was a lot of
catching up on old issues/processing docs and other pull requests and the like.
There were a few things that stood out however:
Matrix bots learn new tricks
Diego wrote up a pull request to adjust our matrix bot to point to forge.fedoraproject.org
for things that have moved there from pagure.io ( https://github.com/fedora-infra/maubot-fedora/pull/150 ) and so I merged it, figured out how to cut a release there,
figured out how to deploy it first to staging and then production.
So, now !epel !ticket !releng should all work for those trackers, and
!forge org repo should work for a generic pointer to any forge project.
Hopefully this will make meetings and discussion on matrix nicer.
Fixed a websocket proxy issue with openqa
We had to move openqa behind anubis as the scrapers discovered it and were
making it unusable. Unfortunately, openqa has a mode where you can update
test screens that uses websockets and those were not correctly passing
through anubis so that functionality was broken.
I was going to go look at apache docs and see if I could track down
what needed to be set to do that, but decided to just ride the ai wave
and ask an ai agent about it.
It snarfed in the config, thought about it for a bit, then spewed out
a solution. The solution was largely for older apache versions (but I
didn't tell it what apache version we were running), but at the end
it correctly noted that on newer versions passing "upgrade=websocket"
to the proxy commandline would fix it.
It did. It definitely saved me time poking through the apache docs.
a few new builders soon
We have had a number of machines we moved from our old datacenter that
we wanted to repurpose as builders sitting around. It's not been very
high priority to get them setup, but what better time than a freeze
to get them online.
So, I got 3 of them ready, which involved updating a bunch of firmware
on them, installing them, configuring networking, etc.
Will need a small freeze break to add them into ansible and finish them
up, but then there should be 3 more buildhw-x86 builders.
Fedora 44 upgrades
Since I was catching up on things I decided to go ahead and upgrade
my main server and its vmhost to fedora 44 this morning.
Everything went super fast and painlessly, aside from one issue with
matrix-synapse (The f43 package is newer than the f44 one so it
would not work with my config/database). For now I just "downgraded"
(or is that "sidegraded") to the f43 one. It seems to have a pretty
nasty tangle of rust crate version changes, so it might not be too
easy to sort out quickly.
Family Vacation time
The week after next (the week of april 20th) I will be away all week.
I might look in on matrix/email some, but don't count on it. I'll be
at a family vacation in hawaii. Please file tickets and be kind to
my co-workers who are perfectly capable of handling anything in my
absence. :)
This is a report created by CLE Team, which is a team containing community members working in various Fedora groups for example Infrastructure, Release Engineering, Quality etc. This team is also moving forward some initiatives inside Fedora project.
Week: 06 – 10 Apr 2026
Fedora Infrastructure
This team is taking care of day to day business regarding Fedora Infrastructure. It’s responsible for services running in Fedora infrastructure. Ticket tracker
[Badges/Outreachy] Over 45 pull requests reviewed in the last week [Repo A] [Repo B]
This team is taking care of day to day business regarding CentOS Infrastructure and CentOS Stream Infrastructure. It’s responsible for services running in CentOS Infrastructure and CentOS Stream. CentOS ticket tracker CentOS Stream ticket tracker
Cloudflare protects your services effectively… unless your server remains directly reachable. In this article, we set up Authenticated Origin Pulls to guarantee that only requests coming from Cloudflare can reach your infrastructure, with two levels of security.
ws: Prevent remote code execution with SSH argument injection [CVE-2026-4631]
Impact
Cockpit’s remote login feature passes user-supplied hostnames and usernames from
the web interface to the SSH client without validation or sanitization.
An attacker with network access to the Cockpit web service can craft a single
HTTP request to the login endpoint that injects malicious SSH options or shell
commands, achieving code execution on the Cockpit host without valid credentials.
The injection occurs during the authentication flow before any credential
verification takes place, meaning no login is required to exploit the vulnerability.
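One way to neutralise this class of argument injection, as an added example (not Cockpit's code and not its actual fix): check each login field against an allow-list and hand ssh an argument vector, never a shell string, with `--` placed before the host. The function names, the allow-lists and the sample requests are assumptions made for the illustration.

```python
import ipaddress
import re

# Allow-lists chosen for this example (assumptions, not Cockpit's own rules).
HOST_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")
USER_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_.-]{0,31}")


class RejectedInput(ValueError):
    """Raised when a login field must not be handed to ssh."""


def check_user(user):
    # fullmatch() (not match() with "$") so a trailing newline cannot slip through.
    # The pattern excludes a leading "-", whitespace and shell metacharacters.
    if not isinstance(user, str) or not USER_NAME.fullmatch(user):
        raise RejectedInput(f"username rejected: {user!r}")
    return user


def check_host(host):
    # "%" is refused so that an IPv6 zone id cannot carry arbitrary characters.
    if not isinstance(host, str) or not host or len(host) > 253 or "%" in host:
        raise RejectedInput(f"host rejected: {host!r}")
    try:
        return str(ipaddress.ip_address(host))  # IPv4 or IPv6 literal
    except ValueError:
        pass
    # Otherwise every dot-separated label must be a plain DNS label, which
    # rules out option-like values such as "-v" and anything with spaces.
    if all(HOST_LABEL.fullmatch(label) for label in host.split(".")):
        return host
    raise RejectedInput(f"host rejected: {host!r}")


def check_port(port):
    text = str(port)
    if not (text.isascii() and text.isdigit()) or not 1 <= int(text) <= 65535:
        raise RejectedInput(f"port rejected: {port!r}")
    return int(text)


def build_ssh_argv(user, host, port=22):
    """Return an argv list for subprocess (shell=False); raises RejectedInput."""
    return [
        "ssh",
        "-l", check_user(user),
        "-p", str(check_port(port)),
        "--",                      # end of options: the next word is the host
        check_host(host),
    ]


# Constructed login requests: (username, hostname, port).
CONSTRUCTED_REQUESTS = [
    ("admin", "server1.example.com", 22),
    ("admin", "2001:db8::1", "2222"),
    ("admin", "-v", 22),                         # option-like host
    ("-v", "server1.example.com", 22),           # option-like username
    ("admin", "server1.example.com extra", 22),  # embedded whitespace
    ("admin", "server1.example.com", "22;1"),    # non-numeric port
]


def screen(requests):
    """Validate each request before any authentication step would run."""
    results = []
    for user, host, port in requests:
        try:
            results.append(("accept", build_ssh_argv(user, host, port)))
        except RejectedInput as err:
            results.append(("reject", str(err)))
    return results


if __name__ == "__main__":
    for verdict, detail in screen(CONSTRUCTED_REQUESTS):
        print(verdict, detail)
```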
Affected systems
The affected Cockpit versions are Cockpit 326 up to and including Cockpit 359. (cockpit >= 326, cockpit <= 359)
A workaround is to disable the LoginTo option in cockpit.conf. This disables
the direct login feature, but it is still strongly recommended to upgrade to Cockpit 360.
Acknowledgments
Many thanks to Florian Kohnhäuser for reporting this issue!
After building a custom Qemu, there are a couple of ways to run a VM to get to it. The older approach to VM management is to create a block device, run the VM with a boot device, do a full install and log in to the serial console. However, if you run the Qemu/KVM machine from the command line, hitting control C will stop your VM, and this is annoying. I have found it worthwhile to set up networking and then to SSH in to the machine.
My notes here suck. I am going to try and document what I have here working, and, over time, reverse engineer how I got here.
This is the command I use to run my virtual machine. This is on an AmpereOne test machine in my lab. You probably don’t have access to AARCH64 machines at this scale. Maybe someday….
The VM is running based on a cloud image I downloaded from Fedora. To get the Keys in the machine, I started by running it using libvirt and virt-install:
5: virbr0: mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 0c:42:a1:5a:9b:36 brd ff:ff:ff:ff:ff:ff
inet 10.76.112.72/24 brd 10.76.112.255 scope global dynamic noprefixroute virbr0
valid_lft 12409sec preferred_lft 12409sec
inet6 fe80::7098:f305:ad32:181e/64 scope link noprefixroute
valid_lft forever preferred_lft forever
This took a bunch of trial and error to get right. I don’t know how much is specific to my environment, but I do know that the bridge IP address is how I log in to the machine.
Looking at how this is stored in /etc/NetworkManager/system-connections/virbr0.nmconnection
I know I got here by running nmcli commands, but they have long since fallen off my bash history, and I did not write them down.
One thing I can tell by the IP address that my VM gets is that it is talking to the same DHCP server as the Hypervisor.
I recently destroyed my previous VM that had NFS setup. I would like to get that working again, as that allowed me to sync the Kernel between the Hypervisor and the VM. But that is a tale for another day.
In this article, I detail the migration of my DNS to Cloudflare: configuration, setting up the CDN, certificate management with Traefik, and a look back at the problems encountered (ACME, SSH, mTLS). A concrete experience report with the pitfalls to avoid.
For a couple of years, Andreas Schneider and I have been working on a project we call the ‘local authentication hub’: an effort to use the Kerberos protocol to track authentication and authorization context for applications, regardless of whether the system they run on is enrolled into a larger organizational domain or is standalone. We aim to reuse the code and experience we got while developing Samba and FreeIPA over the past twenty years.
Local authentication hub
The local authentication hub relies on a Kerberos KDC available on demand on each system. We achieved this by allowing MIT Kerberos to communicate over UNIX domain sockets. On Linux systems, systemd allows processes to be started on demand when someone connects to a UNIX domain socket, and MIT Kerberos 1.22 has support for this mode.
A KDC accessible over a UNIX domain socket is not very useful in itself: it is only available within the context of a single machine (or a single container, or pod, if UNIX domain sockets are shared across multiple containers). Otherwise, it is a fully featured KDC with its own quirks. And we can start looking at what could be improved based on the enhanced context locality we have achieved. For example, a KDB driver can see host-specific network interfaces and thus be able to react to requests such as host/<ip.ad.dr.ess>@LOCALKDC-REALM dynamically—something that a centrally-managed KDC would only do through statically registered service principal names (SPNs), which are a pain to update as machines move across networks.
Adding support for dynamic features means new code needs to be written. MIT Kerberos is written in C, so our choices are either to continue writing in C or to integrate with whatever new language we choose. Initially, we kept the local KDC database driver written in C and decided to build the infrastructure we need in Rust. The end goal is to have most bits written in Rust.
The local KDC database isn’t supposed to handle millions of principal entries, but even for millions of them, MIT Kerberos has a pretty good default database driver built on LMDB: klmdb. We wanted to get out of the data store business and instead focus on higher-level logic. Thus, we made the same change I made in Samba around 2003 for virtual file system modules: we introduced support for stackable KDB drivers. This is also a part of the MIT Kerberos 1.22 release: a KDB driver implementation can ask the KDC to load a different KDB driver and choose to delegate some requests to it. The local KDC driver is using klmdb for that purpose.
With the database handled for us by klmdb, we focused on the local KDC-specific logic. We wanted to dynamically discover user principals from the operating system so that administrators do not need to maintain separate databases for them. systemd provides a userdb API to query such information over a varlink interface (also available over a UNIX domain socket) in a structured way, using JSON format. Thus, the Kirmes project was born. Kirmes is a Rust data library backed by the userdb API. It handles varlink communication through the wonderful Zlink library and exposes both asynchronous and synchronous access to user and group information.
The local KDC database driver prototype used the Kirmes C API. We demonstrated it at FOSDEM 2025: a user lookup is done over varlink, and if a user is present on the system, their Kerberos key is then looked up in klmdb using a specially-formatted userdb:<username> principal. You still need to handle those keys somehow, but there is a way to avoid that: use RADIUS.
Pre-authentication
A bit of historical reference. In 2012, Red Hat collaborated with MIT to introduce a KDC-side implementation of RFC 6560 (the OTP pre-authentication mechanism; at that point implemented in a proprietary solution by the RSA corporation). This mechanism allowed the KDC to get a hint out of a KDB driver and ask a RADIUS server to authenticate the credentials provided by the Kerberos client. Unlike traditional Kerberos symmetric keys, in this case, the client is sending a plain-text credential over the Kerberos protocol, and this credential can be forwarded to the RADIUS server. The plain-text nature of the RADIUS credential requires the use of a secure communication channel, and a good part of RFC 6560 relies on Flexible Authentication Secure Tunneling (FAST, RFC 6113), where a pre-existing Kerberos ticket is used to encrypt the content of that tunnel.
Since ~2013, FreeIPA has used this mechanism to provide multi-factor authentication mechanisms: HOTP/TOTP tokens, RADIUS proxying to remote servers, the OAuth2 device authorization grant flow, and FIDO2 tokens. The list of mechanisms can be extended, as long as the model fits into the somewhat constrained Kerberos exchange flow. FreeIPA handles all communication from the KDC side via a local UNIX domain socket-activated daemon, ipa-otpd, which performs a user principal lookup and then decides on the details of how that user will be authenticated.
For the local KDC case, we used a similar approach but wrote a simplified version, localkdc-pam-auth, which uses PAM to authenticate user credentials. It works well and allows for a drop-in replacement: once the local KDC is set up, users defined on the system will automatically be able to receive Kerberos tickets, with no need to change any passwords or migrate their credentials into the Kerberos KDC. All we need now is the business logic to guide the KDC to use the OTP pre-authentication mechanism so that our RADIUS ‘proxy’ (localkdc-pam-auth) gets activated. This logic is implemented and will be available in the first localkdc release soon.
API bindings
But back to the KDC side. As mentioned above, our goal was to write the local KDC database driver in a modern, safe language. Interfacing Rust with the MIT Kerberos KDC means building an interface that allows aligning code on both sides. This is what this blog is actually about (sorry for the long prelude…): how to make an MIT Kerberos KDB driver in Rust.
Today I published Kurbu5, a project that aims to provide these API bindings to Rust. The name is a transliteration of “krb5” into Mesopotamian cuneiform phonology: Kurbu-ḫamšat-qaqqadī, “The Blessed Five-Headed One”.
Creating API bindings is tedious work: there are many interfaces, each representing multiple functions and structures. MIT Kerberos has 12 interfaces which altogether expose roughly 117 methods that plugin authors implement, backed by around 70 supporting types (data structures passed into and out of those methods). It all sounds like a Tolkien tale: nine interfaces for core Kerberos functionality (checking password quality, mapping hostnames to Kerberos realms, mapping Kerberos principals to local accounts, selecting which credential cache to use, handling pre-authentication on both the client and server side, enforcing KDC policy, authorizing PKINIT certificates, and auditing events on the KDC side), the database backend interface, and two administrative interfaces. This is something that could be automated with agentic workflows—which I did to allow a parallel porting effort. The resulting agent instructions are useful artifacts in themselves: they show how to work when porting MIT Kerberos C code to Rust.
The result is split over several Rust crates to allow targeted reuse. The bulk of the code lives in three crates. The core Kerberos plugin crate (kurbu5-rs) is the largest at around 12,600 lines. The database backend crate (kurbu5-kdb-rs) follows at 5,600 lines, and the administration crate (kurbu5-kadm5-rs) at 3,100 lines. The remaining crates—the proc-macro derives and the raw FFI sys crates—are much smaller, with the sys crates being almost trivially thin (the KDB and kadm5 ones are under 40 lines each, since they mostly just re-export bindings from the main sys crate).
All crates are available on crates.io and share the same MIT license as the original MIT Kerberos.
kurbu5-sys — Raw FFI bindings to the MIT Kerberos libkrb5 and KDB plugin API
kurbu5-derive — Proc-macro derives for kurbu5-rs non-KDB plugin interfaces
kurbu5-rs — Safe, idiomatic Rust API for writing MIT Kerberos non-KDB plugin modules
kurbu5-kdb-sys — KDB plugin API re-export — thin wrapper over kurbu5-sys adding libkdb5 linkage
kurbu5-kdb-derive — Proc-macro derive for kurbu5-kdb-rs KDB driver plugins
kurbu5-kdb-rs — Safe, idiomatic Rust API for writing MIT Kerberos KDB driver plugins
kurbu5-kadm5-sys — KADM5 plugin API bindings — links libkadm5srv_mit and re-exports kurbu5-sys types
kurbu5-kadm5-derive — Proc-macro derives for kurbu5-kadm5-rs KADM5_AUTH and KADM5_HOOK plugin interfaces
kurbu5-kadm5-rs — Safe, idiomatic Rust API for writing MIT Kerberos KADM5_AUTH and KADM5_HOOK plugin modules
In the localkdc project, we use kurbu5 to build a KDB driver and provide our audit plugin. We also have an experimental re-implementation of the OTP pre-authentication mechanism, both client and KDC sides, that was used to test interoperability with MIT Kerberos versions. The core of the KDB driver is ~520 lines of heavily documented Rust code, mostly handling business logic.
A somewhat quiet week in fedora land this time, which is nice,
as it allows for catching up on planned work. Of course there
was the usual flow of day to day items too.
DeploymentConfig to Deployment
Long ago OpenShift used a custom object called 'DeploymentConfig'
to define how to deploy applications. After a while it was deprecated
in favor of the normal k8s 'Deployment' object. We have a bunch of
apps using the old DeploymentConfig and we wanted to migrate
them to the new Deployment.
To be clear, this is just a deprecation right now, it's not been
removed from OpenShift yet, but we wanted to get things moved
sooner rather than later.
So, Pedro did all the heavy lifting here and created pull requests
for all our apps to move them.
I spent some time this last week merging those and then doing the
dance to change the existing app over, which roughly was:
merge pull request
delete DeploymentConfig
run ansible to deploy the Deployment
check that everything was redeployed and working correctly.
I managed to find a few apps in staging that were not working or deployed
correctly and had to fix those up along the way. We also hit some
issues with selectors not getting updated, so applications didn't have
correct routes/services.
There's a few more of these to do, but will probably wait until after
freeze is over to do them as they could be disruptive.
Fedora 44 Final freeze
Speaking of freeze, we started the Fedora 44 Final infrastructure freeze.
So far things are looking smooth for composes and such.
There are a few blockers currently, but hopefully we can get them sorted
out and get a good release soon.
koji packaging
koji 1.36.0 came out last week and I spent a bit of time this week looking
at modernizing the fedora spec to more match the python packaging guidelines
and also to enable tests.
It's nice to run the tests and have things not throwing deprecation
warnings.
Upcoming blogs and vacation
I have some posts planned which I need to actually write up sometime. One
on my solar system, which is mostly going great, and another fun one on
open source monitoring of blood glucose levels. Perhaps this weekend.
I'm going to be largely away from the internet the week of April 20th.
I'm going on a family vacation to Hawaii. :) I have never been there, so
it should be pretty fun. I'll probably check emails from time to time, but
I will definitely not be around day to day on matrix/slack/irc/whatever.
In order to perform test driven development, you need a way to drive your code that can isolate behavior. Linux Kernel drivers that communicate with hardware devices can be hard to test: you might not have access to the hardware from your test systems, or the hardware may be flakey. I have such a set of issues with the Platform Communication Channel (PCC) drivers I am working with.
My primary work has been with a network driver that only exists on the newest hardware. However, I also need to be able to handle some drivers that would only work against old hardware. There are also PCC based drivers for hardware that my company does not support or have access to. I might want to make a test to ensure that changes to the Linux Kernel PCC driver do not change its behavior against these drivers. There exists no system where all of these drivers would be supported. But I can build one with Qemu.
The Qemu based driver might not completely simulate the hardware exactly as implemented, and that is OK: I want to be able to do things with Qemu I cannot do with current hardware. For example, the MCTP-over-PCC driver should be able to handle a wide array of messages, but the hardware I have access to only supports a very limited subset of message types.
I want this code to run on Aarch64 (ARM64) natively. That means that I run the machine specified in hw/arm/virt.c. Thus, the first line of my run script is:
../qemu/build/qemu-system-aarch64 -machine virt \
The device itself lives in hw/arm/pcc.c. It was originally called mctp-pcc.c, but I soon realized that there was no reason to make it MCTP specific. While the code is testing type 3/4 devices, I suspect it would work fine for a type 2 or other driver with a minimum of changes.
Every device has to hang off a bus. Thus I started by creating a device like this article suggests, off the system bus: SysBusDevice parent_obj; This differs from some of the other examples out there where you create, say, a PCIe device, as there is a way to dynamically load PCIe devices: you cannot dynamically load SysBus devices, at least not in the default AARCH64 Qemu virt machine. Thus, I have to modify the virt.c code to add in my device.
ACPI Tables
I had to generate two new ACPI Tables: Secondary System Descriptor Table (SSDT) and Platform Communication Channel (PCCT). These tables are generated from a call in virt.c to create_pcc_devices. This function probably should be moved to a pcc specific file so it could potentially be shared by other virtual machine types, but for now it co-exists in virt.c as well. For now it is hard coded to only build the one device. This is obviously not going to scale. I will talk about how to improve this at the end of the article.
The bulk of the code in the driver is for generating the entries for the PCCT. The data in the PCCT has the address of the shared memory registers and data buffer, and the IRQ ID used to communicate between the OS and the platform. The information is stored in a structure called PcctExtMemSubtable, which will then be written to the PCCT using ACPI primitives. This structure is filled during the device realise function mctp_pcc_realize.
The SSDT is a bit more free form, and does not have a structure to support it, but probably should. Right now I am just writing the direct primitives for the entry.
Memory Mapped IO
Both the outbox and inbox channels are mapped to a single, contiguous block of memory. When reads or writes happen, Qemu forwards them to custom functions. I can then use the memory offset to identify if this is a register or if it is the shared buffer. One of these memory offsets is the doorbell, and is used to implement the IRQ processing.
Each machine type in Qemu has a memory map table. In virt.c it is called
static const MemMapEntry base_memmap[] = {...
I found a space in the middle of the table that was unclaimed and use it for both of the channels of the PCCT: the code looks like this:
[VIRT_MMIO] = { 0x0a000000, 0x00000200 },
/* ...repeating for a total of NUM_VIRTIO_TRANSPORTS, each of that size */
[VIRT_PCC] = { 0x0a008000, 0x00008000 },
[VIRT_PLATFORM_BUS] = { 0x0c000000, 0x02000000 },
There is enough room between VIRT_PCC and VIRT_PLATFORM_BUS for multiple PCC entries. NUM_VIRTIO_TRANSPORTS is set to 32 (0x20). Multiplied by 0x200, that puts the end of the VIRT_MMIO region at 0x0a004000, so there is still plenty of room between the end of that and 0x0a008000.
Mapping IRQs
Just as the machine has a mapping for memory mapped IO, the machine has a table for IRQs. For virt.c this table is defined as
Since NUM_SMMU_IRQS is defined as 4, we have enough room for 2 IRQs at 80.
The ARM64 Virtual machine uses a GIC. It has an internal offset, so ID 1 inside Qemu becomes IRQ 33 inside the Linux virtual machine. Thus the actual mapping takes place inside create_pcc_devices:
The outbox is designed to be triggered from the OS, and then to trigger it back once a message has been processed. The inbox is for sending messages to the OS.
One thing that is not well done yet is that these numbers are not then communicated to the Device: right now we use magic constants to keep them in sync. This is something to improve in the future.
Flattened Device Tree
Qemu has a standard way to represent all hardware devices. Even though ACPI can play this role in a physical machine, Qemu goes with the more uniform Flattened Device Tree. Thus, for each device we create, we need to create a FDT entry. This includes knowing about the interrupts assigned.
When an interrupt comes from the OS to Qemu, I copy the contents of the shared buffer to a file in /tmp/pcc/outbox. I have written a program called PCCD which runs as an external process. PCCD uses Inotify to identify that a new file has been written and closed, and will then process the file. PCCD responds by posting a message to an inbox directory. Qemu also uses Inotify to identify that there is a new message, and stores it in the shared buffer. It then triggers an IRQ in the OS which tells the OS that there is a message to read. All file names are generated from timestamps.
Testing the system
I was able to reuse a shell script I had written for the MCTP over PCC driver to send messages to the Kernel. I copied this inside the VM. This is essentially the same test as I use to test the physical hardware implementation. However, now I can extend it to run messages that the Hardware does not implement. To do this, I can implement the messages in PCCD.
Future Improvements
The PCCT itself could be thought of as a type of bus. It may make sense to create a new Bus Type to support it and the devices that hang off it. That would allow a way to scope in PCC specific behavior.
There is a mechanism to create DSDT entries for ACPI device interfaces. It loops through all the devices on a Bus and checks to see if the device implements the AcpiDeviceIf interface. If it does, it adds a couple functions to the device. While our devices are ACPI devices, we do not need those functions. Instead, we can take the pattern and create a PCC interface that allows the device to define its own values.
This interface could be hung off of the SystemBus, but then we need to enumerate each SystemBusDevice to see if it has this interface.
Both options seem viable.
The benefit to going with the PCCBus is we should be able to then make the devices loadable at run time via command line parameters. To do that with SystemBus would require a change to virt.c that might not be acceptable.
And I need a struct for the SSDT.
A huge Thank You to Greg Rose for his support and mentorship on this project.
Spring, why not. Spring Kafka, much less automatically. When it comes to delivery guarantees, commit strategies or production diagnostics, the native Java Kafka client often remains more readable, more honest, and safer.
This post discusses tools reluctantly written with AI assistance. If you don’t entertain
using them under any circumstance, and think even reading about them legally compromises
your ability to reimplement them yourselves, stop reading now.
This is a follow-up to the original Sandogasa announcement. Before I ended up fedora-cve-triage to extract library crates and reuse them in the other Sandogasa tools, I already created two tools for managing CentOS Hyperscale SIG workflows, hs-intake and hs-relmon. It simply makes sense to also merge them back in and deduplicate functionalities.
I'm doing a podcast recording this week, so I wanted to run some numbers so I could have some facts rather than feels. It turns out my feels were off by a factor of 3 or so.
If asked, I've always said the contributor count to the drm subsystem is probably in the 100 or so developers per release cycle.
The number for the complete kernel in those scenarios is ~2000 usually, which means the drm subsystem has around 15-16% of the kernel contributors.
I'm a bit spun out, that's quite a lot of people. I think I'll blame Sima for it. This also explains why I'm a bit out of touch with the process problems other maintainers have, and when I say stuff like a lot of workflows don't scale, this is what I mean.
The fact that only one candidate is running in the
Debianism elections gives a stark reminder about the state of the
so-called community. The main reason why other people did not contest
the election is because of fear. Fear of a circle of reprisals that began
when Adrian von Bidder-Senn died on our wedding day.
When CentOS died, people tried to carry on in various ways. That tells
us a lot about human psychology. People knew the game was over but they
tried to continue as if it was business as usual, as if the situation
could be salvaged, as if it was only a temporary crisis.
Now Sruthi has stopped answering questions on the
Debian-vote mailing list and it seems reality has started to sink in.
People are coming to realize that the position of Debian Project Leader
is the interface between
Debianism and the outside world. People can fool themselves and
use the Code of Conduct gaslighting to blackmail other volunteers to
pretend that
Sruthi is a great leader. People are coming to realise that these
tricks won't work on the wider community. Given that
Sruthi would be Debian's interface to the outside world, we can't
just ignore how the world views
the candidate who is the wife of another developer.
She has ignored the most serious questions on
Debian-vote mailing list. A woman trying to run Debian from a
social control media
account is the death of Debian. Here is a tally of the number of replies
she provided each day for those who use email, the mainstay of Debian
communication:
Day        Count
14 March   0
15 March   0
16 March   0
17 March   4
18 March   0
19 March   0
20 March   0
21 March   3
22 March   1
23 March   0
24 March   7
25 March   0
26 March   0
27 March   0
28 March   0
29 March   0
30 March   0
31 March   0
That is a total of only 15 replies. She has been largely silent for a
whole week since 24 March.
Technically, questions and their answers are supposed to be completed
before midnight on Friday, 3 April. The most critical questions have not
been answered. In her platform,
Sruthi Chandran boasts about being the "Chief orga DebConf India 2023"
but there has never been an official report about the
death of Abraham Raji at the conference.
Voting runs from 4 April to 17 April, which is the 15th anniversary of
the day
Adrian von Bidder-Senn died on our wedding day. It was discussed like
a copy-cat suicide but there was no official report about those deaths
either.
Everything in Debian is transparent, all forms of official communication are a matter of public record, the amount of unresolved bugs, every step taken by debian as an organization, everything is in the open! I appreciate that from my distribution. There is no room for underhand corporate deals, no unfair treatment behind private mails and everything can be reviewed by the public.
Does
Sruthi Chandran spend more time in debian-private (leaked)
and WhatsApp groups than the public communication channels that Debian
is supposed to be using?
Sruthi Chandran's platform tells us she wants to put diversity ahead
of traditional goals like freedom and security. She has been very vague
about this. As a consequence, more evidence is going to be published
during the voting period to prove that Debian "diversity" means some men who
did the real work are not being given credit while some large sums of
money were assigned to the wives and girlfriends of cabal members.
I've never stated whether people should vote for
Sruthi Chandran or not. Looking at the tone of the discussion, I feel
people are coming to realise the way the outside world views candidates
like this is not the same way that people view it from inside the bubble.
Consider the irony: they spent all that money in arguments about
leaks that are "tarnishing" the trademark. The implication of these
arguments about tarnishing is that the way the outside world views
Debianism does matter. Can anybody see the risk that
Sruthi Chandran and a lop-sided diversity crusade could do far more
to tarnish the trademark than any leaks that have appeared up to this
moment?
Debian may not die exactly the same way that CentOS died. At some
point, as with CentOS, we will go past the point of no return. Maybe
we already did. Will people have the courage to ask questions before
that threshold is crossed or will they continue acting as if nothing is
wrong even long after the life support system has been unplugged from
the corpse?
The best way to encourage people to nominate for the election will be for
the existing leader,
Andreas Tille, to withdraw all the privacy attacks, settle the lawsuits
proactively and ensure the next leader can walk in and find the desk is clean
ready to work on productive things.
Don't hold your breath waiting for transparency about these attacks on my
family. There is still time to watch my video and
contribute to the crowdfunding campaign.
About seven years ago, a ticket was
filed noting aarch64 systems were
shipping with Secure Boot enabled, and that Fedora should start signing its boot path to support
these devices out of the box.
I’m pleased to say that today’s Fedora Rawhide images - what will be Fedora 45 - finally do this
thanks to the work of a whole bunch of people.
This means you can grab the latest Rawhide images and boot them on your favorite aarch64 laptop
without turning off Secure Boot, or launch VMs in any of the major clouds with Secure Boot on. For
example, I’m able to start a VM in Azure with the TrustedLaunch security type:
❯ az group create --name "jcline-aarch64-secureboot" --location "eastus2"
❯ az vm create --location eastus2 --name fedora \
    --resource-group jcline-aarch64-secureboot \
    --image /CommunityGalleries/Fedora-5e266ba4-2250-406d-adad-5d73860d958f/Images/Fedora-Cloud-Rawhide-Arm64/Versions/latest \
    --security-type TrustedLaunch \
    --size Standard_D2plds_v6 \
    --accept-term \
    --ssh-key-values @/home/jcline/.ssh/id_ed25519.pub
❯ ssh jcline@20.12.69.183
[jcline@fedora ~]$ mokutil --sb-state
SecureBoot enabled
Why Now?
The way Fedora used to sign UEFI applications for Secure Boot was delightfully simple (for some
value of simple). The keys were in a smart card, plugged into a special build host, and anything
that needed a signature was routed to be built on that host. pesign, one of the common utilities
to sign PE applications, has a mode where it can run as a daemon and sign anything provided to it
over a Unix socket. That Unix socket is threaded into the build environment, where builds can access
it to sign PE applications with pesign-client.
Unfortunately, that host was x86_64 so when aarch64 started shipping with Secure Boot
enabled, an alternative approach was needed.
Ultimately we moved the smart card to the signing server we use for RPMs and other things. The
tricky bit about the whole process is that Fedora signs each bit of the boot chain during the build.
Each time any of the UEFI applications in the boot chain is built it needs to be signed. One way to
do this is to build the application in Fedora’s infrastructure, and then have a second build which
uses the output of the first build along with a signature as input to construct a signed final
version. However, this means you’ve got two specfiles which you have to keep in sync, and there’s
probably other painful aspects I’ve not considered. In any case, that’s not what Fedora does.
Instead, Fedora signs the UEFI applications during the build. Since we want the signing key to be
stored in a remote server, this implies some sort of networking, but builds aren’t permitted network
access. Nor can the build environment provide the necessary secrets to authenticate with the signing
service. In order to handle this, I wrote a small service that pretends to be the pesign Unix
socket, and that can be exposed to the build environment in the same way. However, it just shovels
anything it gets to the signing server and returns whatever the signing server does.
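A protocol-agnostic sketch of that relay design, added here as an example: it is not the author's service and does not speak the real pesign or signing-server protocols. The token, key, message framing and every function name are constructed stand-ins, and a second Unix socket stands in for the authenticated network connection to the signing server.

```python
"""Relay a build-side Unix socket to a signing service (constructed demo)."""
import hashlib
import hmac
import os
import socket
import tempfile
import threading

TOKEN = b"relay-credential-placeholder"        # held only by the relay process
SIGNING_KEY = b"server-side-key-placeholder"   # held only by the stand-in server


def expected_signature(payload: bytes) -> bytes:
    """What the stand-in server returns for a payload (HMAC, not a PE signature)."""
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest().encode()


def pump(src, dst):
    """Copy src to dst until EOF, then pass the EOF on as a half-close."""
    try:
        while chunk := src.recv(65536):
            dst.sendall(chunk)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass    # peer went away; the other direction will see EOF as well


def relay_one(listener, connect_upstream):
    """Serve one build-side connection by piping it to the upstream service."""
    client, _ = listener.accept()
    with client, connect_upstream() as upstream:
        to_server = threading.Thread(target=pump, args=(client, upstream))
        to_server.start()
        pump(upstream, client)      # responses flow back unmodified
        to_server.join()


def signing_server_one(listener):
    """Stand-in for the remote signing server: authenticate, then 'sign'."""
    conn, _ = listener.accept()
    with conn, conn.makefile("rb") as rd:
        if not hmac.compare_digest(rd.readline().rstrip(b"\n"), TOKEN):
            return                  # unauthenticated peers get nothing back
        conn.sendall(expected_signature(rd.read()))


def build_side_sign(sock_path: str, payload: bytes) -> bytes:
    """What runs inside the build root: no network, no secret, just a socket."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        return b"".join(iter(lambda: s.recv(4096), b""))


def listen_unix(path: str):
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(1)
    return srv


def demo(payload: bytes = b"constructed PE image bytes") -> bytes:
    with tempfile.TemporaryDirectory() as d:
        build_sock = os.path.join(d, "build.sock")
        server_sock = os.path.join(d, "server.sock")
        server, build = listen_unix(server_sock), listen_unix(build_sock)
        os.chmod(build_sock, 0o600)     # only the build user may request signatures

        def connect_upstream():
            # A real deployment would open an authenticated network connection here.
            up = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
            up.connect(server_sock)
            up.sendall(TOKEN + b"\n")   # the credential is added outside the build
            return up

        threads = [threading.Thread(target=signing_server_one, args=(server,)),
                   threading.Thread(target=relay_one, args=(build, connect_upstream))]
        for t in threads:
            t.start()
        try:
            return build_side_sign(build_sock, payload)
        finally:
            for t in threads:
                t.join()
            server.close()
            build.close()


if __name__ == "__main__":
    print(demo().decode())
```

Because the credential is attached in `connect_upstream`, the permissions on the build-side socket are the only access control the build environment ever sees.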
That service got deployed last week, and after a little bit of debugging it even worked. In fact,
everything was signed for aarch64 last week, except for the fallback UEFI application that adds a
boot entry for Fedora if it’s not there, which happens on first boot. Without that, booting new
images would fail unless you explicitly added the correct Fedora boot entry manually. Yesterday,
shim got rebuilt and everything works.
Stable When?
It’s possible this will eventually work in Fedora 44 Cloud images. Shim in Fedora 44 hasn’t (yet)
been rebuilt and we’re in the final freeze for Fedora 44, so unfortunately we just missed it, but
if it does get rebuilt later, Cloud images will be updated and will start working.
For Fedora 43 and older, the version of shim shipped doesn’t include the version signed for aarch64.
I’m not sure it’s worth the risk to update it, as much as I’d like it to work there, as well.
Anyway, Fedora 45 will be upon us before you know it, and after seven years, six more months isn’t
so bad, right?
Comments and Feedback
Thoughts, comments, or feedback greatly welcomed on Mastodon
I’ve been trying out contact lenses for the first time. Multi-focal lenses provide different focal lengths to the eye at once, and you can have different prescription lenses in each eye (as long as they don’t differ by too much).
This means the brain is getting signals from the eyes, each providing potentially multiple focal lengths, and learns to combine them to reduce blur. It’s interesting and I wanted to be able to visualise how that works, so I made this interactive simulator with the help of Gemini. It shows a heatmap (green is sharp, red is blurry) over distance, comparing uncorrected vision with modern multi-focal lenses. Try it out! All the calculations happen locally within your browser.
[Interactive widget: Multifocal Simulator, modelling EDOF contrast loss, intermediate dips and true binocular fusion. Inputs: true prescription and contact lens for each eye (Low ADD ≈ +1.25 | Med ADD ≈ +1.75 | High ADD ≈ +2.50). Heatmap legend: Sharp, Very Good, Functional, Blurry, Very Blurry.]
Why do the rows look the way they do? Multi-focal contact lenses trade absolute sharpness for a wider range of vision. When seeing an object in sharp focus without corrective lenses, all of the light entering your eye gets focused at a single sharp point. If you can see an object in perfect focus, the light is converging to a single point on the retina.
With modern contact lenses this same amount of light is focused into multiple points: some might converge early (in front of the retina) or late (would be focused behind the retina). This is why the graph doesn’t show true green for the contact lenses. It’s the trade-off.
This next interactive simulator shows what’s actually happening to the rays of light within the eye, explaining why the focus heatmap above has dips in between areas of very good focus.
[Interactive widget: Optical Focus Simulator. Observe how light splits in a multifocal lens. The rays only glow cyan when they form a perfectly sharp point on the retina.]
Last week we finally got the new secure boot setup fully switched over.
We are now signing aarch64 grub2/kernel/fwupd as we are the x86_64 versions.
The aarch64 signed artifacts are in rawhide now, but will move to stable
releases as testing permits.
Sadly my Lenovo slim7x doesn't boot correctly with the signed artifacts,
I think due to needing a firmware update or manually enrolling the microsoft
certs. I'll try and test more with it when I can, but many other folks
are seeing it work fine.
It's been a 7 year journey to get this done. Why so long? A few of the reasons
in no particular order:
- At first we were not even sure MS would sign others on aarch64.
- Our old x86_64 setup was smart cards in 2 builders, and we didn't have any easy way to install more in aarch64 builders.
- They stopped making the smart cards we were using.
- There were a number of things that made the fedora aarch64 kernel not work with secure boot. Many around the 'lockdown' patches.
- Lack of time from everyone involved.
- Need for someone to write a way to use our normal signing server to sign these things (so we wouldn't need cards in builders).
- Lack of capacity in old smart cards to add new certs.
- And probably many more things I have forgotten about.
Feels great to get us in a better place and have signed aarch64 builds!
mass update/reboots
We had a mass update/reboot cycle this last week. It went pretty smoothly
this time as we were not applying firmware updates or doing any other
work.
We should be all caught up for the freeze next week....
final freeze coming up
Next tuesday starts the Fedora 44 Final freeze. These are the weeks
running up to the Fedora 44 linux final release. So, if you need to
get anything in, do so before tuesday.
solar fun
So the reason I was off line thursday was because I was getting solar
and battery and inverter installed here. It's already pretty awesome.
Look for a long blog post on it next weekish or so.
what's next?
During this freeze I am hoping to get started on some projects I was
meaning to do already, but got busy with the signing stuff: revamping
our backups and moving more stuff to rhel10 (will do staging in freeze).
The 23rd edition of my favorite conference just came to an end, I can’t believe this incredible feeling of joy, satisfaction, gratitude and pride that I’m experiencing even though it’s been a few days since I attended it. Probably similar to the first time when I went Wow! The dust has finally settled after SCaLE 23x in Pasadena, and if you weren’t there, you missed one for the history books. The sun was out, the Pasadena Convention Center was buzzing, and the Fedora Project was right in the thick of it.
The Fedora Hatch: A Track of Our Own
This year felt different. For the first time in many years, we had a dedicated Fedora Hatch track on Friday in Room 208. It was basically a mini-Flock (our contributor conference) nestled right inside SCaLE. We covered everything from Fedora Docs revamps to the «Age of Atomic» desktops.
One of the standout moments was the RPM Packaging Workshop. Seeing folks roll up their sleeves to learn the guts of Fedora packaging reminded me why this community is so special—people here don’t just use the tech; they want to build it.
Better Together: The Fedora & CentOS Booth
We tried something a little different this year by sharing our booth space with the CentOS Project. Honestly? It was a masterstroke.
The synergy was palpable. Whether we were talking about how CentOS Stream benefits from Fedora’s fast-moving innovation or just swapping stickers, the unified presence showed the strength of the ecosystem. It made the booth a «one-stop shop» for anyone curious about the Red Hat-sponsored community projects, and the flow of traffic was non-stop.
Ambassador Energy & Attendee Vibes
A huge shout-out to our Fedora Ambassadors. You all are the heartbeat of these events. From managing the «swag hounds» (yes, the Fedora 43 stickers went fast!) to answering deep-dive technical questions about GNOME 49 and Btrfs, our ambassadors handled it with grace, wit, and a lot of caffeine.
The enthusiasm from the attendees was off the charts. We met:
- First-time Linux users looking for a friendly home.
- Hardcore sysadmins curious about Fedora Atomic, lots of questions, immutable desktops are definitely attracting attention.
- Long-time contributors who just wanted to say «hi» and grab a new sticker.
In every edition we try to do something different, something that attracts people to our booth just out of curiosity. We have had 3D printers, Fedora Jam with actual musical instruments, old games, and stuff. This year we had a retro modem that hit directly on the nostalgia of many.
SCaLE Has Grown
Looking back, it’s wild to see how much SCaLE has evolved. What started many years ago as a humble gathering has grown into North America’s largest community-run open-source expo. The professional production, the sheer variety of tracks (AI, Security, DevOps, oh my!), and the diversity of the crowd have all leveled up. Yet, somehow, it still keeps that «local user group» feeling where you can grab a beer with a kernel dev and talk shop.
SCaLE is all about community and Fedora has a foundation of Friends, our community. This event would not mean the same for Fedora if we didn’t find time to spend with amigos and make our community stronger. This is probably my favorite part and the single thing that makes me realize that it is all worth it.
Looking Ahead
If SCaLE 23x is any indication, the future of open source in Southern California (and beyond) is looking bright. We left Pasadena feeling energized, inspired, and maybe just a little bit exhausted.
Fedora is already looking forward to 24x. We have big plans for the next release, more «Hatch» events, and even more ways to collaborate with our friends in the ecosystem. See you all next year!
Release Candidate versions are available in the testing repository for Fedora and Enterprise Linux (RHEL / CentOS / Alma / Rocky and other clones) to allow more people to test them. They are available as Software Collections, for parallel installation, the perfect solution for such tests, and as base packages.
RPMs of PHP version 8.5.5RC1 are available
- as base packages in the remi-modular-test for Fedora 42-44 and Enterprise Linux ≥ 8
- as SCL in remi-test repository
RPMs of PHP version 8.4.20RC1 are available
- as base packages in the remi-modular-test for Fedora 42-44 and Enterprise Linux ≥ 8
- as SCL in remi-test repository
ℹ️ The packages are available for x86_64 and aarch64.
ℹ️ PHP version 8.3 is now in security mode only, so no more RC will be released.
In the weeks leading up to that release (and since then) I have posted
a series of serieses of posts to Mastodon about key new features in
this release, under the
#systemd260
hash tag. In case you aren't using Mastodon, but would like to
read up, here's a list of all 21 posts:
I intend to do a similar series of serieses of posts for the next systemd
release (v261), hence if you haven't left tech Twitter for Mastodon yet, now is
the opportunity.
My series for v261 will begin in a few weeks most likely, under the
#systemd261
hash tag.
You may have noticed, but the blog has just reached its 7th iteration in 22 years of existence. I was getting a bit tired of my old widget-based theme, which I found hard to evolve. Its structure rested on an ageing and particularly heavy Timber / webpack base. And speaking of heaviness, the interface […]
This post discusses tools reluctantly written with AI assistance. If you don’t entertain
using them under any circumstance, and think even reading about them legally compromises
your ability to reimplement them yourselves, stop reading now.
I’ve spent the past few weeks having to use LLMs to scratch some long-standing itches that, unfortunately, no one in the community has had the time to solve programmatically.
fedora-cve-triage
It started off with fedora-cve-triage, written to address the issue that a lot of CVE bugs filed against Fedora packages are badly attributed, and there is a lack of automation for handling issues filed against CVEs that have been addressed in a software update but failed to reference said issue.
the old pen resists
but the cursor blinks, waiting—
I press Enter. Fine.
~ Claude Opus 4.6 (1M context)
If you know where I work, you’ve probably heard of news reports that we will be judged on AI-driven impact. I’ll let you draw your own conclusion on how much truth there is in the reports, but you can listen to what Zuck said about AI in a recent earnings report.
Suddenly I have been hearing the term Landlock more in (agent) security
circles. To me this is a bit weird because while Landlock
is absolutely a useful Linux security tool, it’s been a bit obscure
and that’s for good reason. It feels to me a lot like how the weird
prevalence of the word delve
became a clear tipoff that LLMs were the ones writing, not a human.
Here’s my opinion: Agentic LLM AI security is just security.
We do not need to reinvent any fundamental technologies for this. Most uses of
agents one hears about provide the ability to execute arbitrary code as a feature.
It’s how OpenCode, Claude Code, Cursor, OpenClaw and many more work.
Especially let me emphasize since OpenClaw is popular for some reason
right now: You should absolutely not give any LLM tool blanket read and write
access to your full user account on your computer. There are many issues with that, but
everyone using an LLM needs to understand just how dangerous
prompt injection can be.
This post is just one of many
examples. Even global read access is dangerous because an attacker
could exfiltrate your browser cookies or other files.
Let’s go back to Landlock – one prominent place I’ve seen it
mentioned is the project nono.sh, which pitches itself as a new sandbox for agents.
It’s not the only one, but indeed it heavily leans on Landlock on Linux.
Let’s dig into this blog post
from the author. First of all, I’m glad they are working on agentic
security. We both agree: unsandboxed OpenClaw (and other tools!) is a bad idea.
Here’s where we disagree:
With AI agents, the core issue is access without boundaries. We give agents our full filesystem permissions because that’s how Unix works. We give them network access because they need to call APIs. We give them access to our SSH keys, our cloud credentials, our shell history, our browser cookies – not because they need any of that, but because we haven’t built the tooling to say “you can have this, but not that.”
No. We have had usable tooling for “you can have this, but not that”
for well over a decade. Docker kicked off a revolution for a reason:
docker run <app> is “reasonably completely isolated” from the host system.
Since then of course, there’s many OCI runtime implementations,
from podman to apple/container on MacOS
and more.
If you want to provide the app some credentials, you can just
use bind mounts to provide them like docker|podman|ctr -v ~/.config/somecred.json:/etc/cred.json:ro.
Notice there the ro which makes it readonly. Yes, it’s
that straightforward to have “this but not that”.
Other tools like Flatpak on Linux
have leveraged Linux kernel namespacing similar to this
to streamline running GUI apps in an isolated way
from the host. For a decade.
There’s far more sophisticated tooling built on top
of similar container runtimes since then, from
having them transparently backed by virtual machines
to Kubernetes and similar projects, which are all about running
containers at scale with lots of built up security
knowledge.
That doesn’t need reinventing. It’s generic workload
technology, and agentic AI is just another workload
from the perspective of kernel/host level isolation.
There absolutely are some new, novel risks and issues
of course: but again the core principle here is
we don’t need to reinvent anything from the kernel level up.
Security here really needs to start from defaulting
to fully isolating (from the host and other apps),
and then only allow-listing in what is needed. That’s again how
docker run worked from the start. Also on this topic,
Flatpak portals
are a cool technology for dynamic resource access on a single
host system.
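One way to apply the isolate-first, allow-list-second approach described above, as an added example (not code from this post or from any project it names): a small launcher that builds a `podman run` command line and refuses over-broad mounts. The image name, the `/work` mount point, the `SENSITIVE` list and all function names are assumptions made for illustration.

```python
"""Deny-by-default `podman run` argv for an agent, with allow-listed mounts."""
import shlex
from pathlib import PurePosixPath

# Assumed list of home-relative paths that must never reach the sandbox.
SENSITIVE = (".ssh", ".gnupg", ".aws", ".kube", ".mozilla",
             ".config/gcloud", ".bash_history")


class MountRefused(ValueError):
    """Raised when a requested bind mount would expose too much of the host."""


def check_mount(home: str, src: str) -> PurePosixPath:
    """Validate one host path against the policy and return it."""
    home_p, src_p = PurePosixPath(home), PurePosixPath(src)
    if not src_p.is_absolute() or ".." in src_p.parts or ":" in src:
        raise MountRefused(f"{src}: need an absolute path without '..' or ':'")
    if src_p == home_p or src_p in home_p.parents:
        raise MountRefused(f"{src}: would expose the whole home directory")
    for rel in SENSITIVE:
        secret = home_p / rel
        if src_p == secret or secret in src_p.parents or src_p in secret.parents:
            raise MountRefused(f"{src}: overlaps {secret}")
    return src_p


def build_argv(image, home, workdir, ro_files=None, network=False, command=()):
    """Return the argv list; nothing from the host is visible unless listed."""
    argv = ["podman", "run", "--rm",
            "--read-only", "--tmpfs=/tmp",          # immutable root, scratch /tmp
            "--cap-drop=ALL", "--security-opt=no-new-privileges"]
    if not network:
        argv.append("--network=none")               # network is opt-in
    # The one writable host path: the project the agent is working on.
    argv += ["-v", f"{check_mount(home, workdir)}:/work:rw", "--workdir=/work"]
    # Individual credentials, each read-only at a chosen path in the container.
    for src, dst in (ro_files or {}).items():
        argv += ["-v", f"{check_mount(home, src)}:{dst}:ro"]
    return argv + [image, *command]


def is_allowed(home: str, src: str) -> bool:
    try:
        check_mount(home, src)
        return True
    except MountRefused:
        return False


if __name__ == "__main__":
    print(shlex.join(build_argv(
        "registry.example/agent:latest", "/home/dev", "/home/dev/src/project",
        ro_files={"/home/dev/.config/somecred.json": "/etc/cred.json"},
        command=["agent", "--task", "fix-tests"])))
```

The checks are purely lexical, so resolve symlinks on the host paths before passing them in.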
So why do I think Landlock is obscure? Basically
because most workloads should already be isolated
per above, and Landlock has heavy overlap with the wide
variety of Linux kernel security mechanisms already in
use in containers.
The primary pitch of Landlock is more for an application to
further isolate itself – it’s at its best when it’s a complement
to coarse-grained isolation techniques like virtualization or containers.
One way to think of it is that often container runtimes don’t
grant privileges needed for an application to further spawn
its own sub-containers (for kernel attack surface reasons), but
Landlock is absolutely a reasonable thing for an app to use
to e.g. disable networking from a sub-process that doesn’t need
it, etc.
Of course the challenge is that not every app is easy to run
in a container or virtual machine. Some workloads are most
convenient with that “ambient access” to all of your data
(like an IDE or just a file browser).
But giving that ambient access by default to agentic AI is a terrible
idea. So don’t do it: use (OCI) containers and allowlist in
what you need.
(There’s other things nono is doing here that I find
dubious/duplicative; for example I don’t see the need for
a new filesystem snapshotting system when we have both git and OCI)
But I’m not specifically trying to pick on nono – just in the last
two weeks I had to point out similar problems in two different projects
I saw go by also pitched for AI security. One used bubblewrap,
but with insufficient sandboxing, and the other was also trying
to use Landlock.
On the other hand, I do think the credential problem (that nono and others are
trying to address in different ways) is somewhat specific
to agentic AI, and likely does need new tooling.
When deploying a typical containerized
app usually one just provisions a few relatively static
credentials. In contrast, developer/user agentic AI is often a lot
more freeform and dynamic, and while it’s hard to
get most apps to leak credentials without completely compromising
it, it’s much easier with agentic AI and prompt injection.
I have thoughts on credentials, and absolutely more work
here is needed.
It’s great that people want to work on FOSS security, and AI
could certainly use more people thinking about security.
But I don’t think we need “next generation” security here:
we should build on top of the “previous generation”.
I actually use plain separate Unix users for isolation for some things, which
works quite well! Running OpenShell in a secondary user account
where one only logs into a select few things (i.e. not your email and online banking)
is much more reasonable, although clearly a lot of care is still needed.
Landlock is a fine technology but is just not there as
a replacement for other sandboxing techniques. So just use
containers and virtual machines because these are proven technologies.
And if you take one message away from this: absolutely don’t wire up an LLM
via OpenShell or a similar tool to your complete digital life with
no sandboxing.
Pretty much everything I deal with requires parsing ASN.1 encodings. ASN.1 definitions are published as part of internet RFCs: certificates are encoded using DER, LDAP exchanges use BER, and Kerberos packets use DER as well. ASN.1 use is a never-ending source of security issues in pretty much all applications. Having safer ASN.1 processing is important to any application developer.
In FreeIPA we are using three separate ASN.1 libraries: pyasn1 and x509 (part of PyCA) for Python code, and asn1c code generator for C code. In fact, we use more: LDAP server plugins also use OpenLDAP’s lber library, while Kerberos KDC plugins also use internal MIT Kerberos parsers.
[…] when pyca/cryptography migrated X.509 certificate parsing from OpenSSL to our own Rust code, we got a 10x performance improvement relative to OpenSSL 3 (n.b., some of this improvement is attributable to advantages in our own code, but much is explainable by the OpenSSL 3 regressions). Later, moving public key parsing to our own Rust code made end-to-end X.509 path validation 60% faster — just improving key loading led to a 60% end-to-end improvement, that’s how extreme the overhead of key parsing in OpenSSL was.
That’s a 16x performance improvement over OpenSSL 3. OpenSSL has improved its performance since then, but it still pays an overhead for a very flexible design that allows loading cryptographic implementations from dynamic modules (providers). Support for externally provided modules is essential for adding new primitives and for government-enforced standards (such as FIPS 140), where implementations have to be validated in advance and code changes cannot come without an expensive and slow re-validation process.
Nevertheless, in FreeIPA we focus on integrating with Linux distributions. Fedora, CentOS Stream, and RHEL enforce crypto consolidation rules, where all packaged applications must use the same crypto primitives provided by the operating system. We can process metadata ourselves but all cryptographic operations still have to go through OpenSSL and NSS. And paying large performance costs during metadata processing would hurt infrastructure components such as FreeIPA.
FreeIPA is a large beast. Aside from its management component, written in Python, it has more than a dozen plugins for the 389-ds LDAP server, plugins for the MIT Kerberos KDC, plugins for Samba, and tight integration with SSSD, all written in C. Its default certificate authority software, Dogtag PKI, is written in Java and relies on its own stack of Java and C dependencies. We are using PyCA’s x509 module for certificate processing in Python code but we cannot use it and the underlying ASN.1 libraries in C, as those libraries aren’t exposed to C applications or are intentionally limited in their functionality to PKI-related tasks.
For 2026-2028, I’m focusing on enabling FreeIPA to handle post-quantum cryptography (PQC), as a part of the Quantum-Resistant Cryptography in Practice (QARC) project. The project is funded by the European Union under the Horizon Europe framework programme (Grant Agreement No. 101225691) and supported by the European Cybersecurity Competence Centre. One of the well-publicized aspects of moving to PQC certificates is their size. The following table (table 5 from the Post-Quantum Cryptography for Engineers IETF draft) summarizes it well:
| PQ Security Level | Algorithm | Public key size (bytes) | Private key size (bytes) | Signature size (bytes) |
| --- | --- | --- | --- | --- |
| Traditional | RSA2048 | 256 | 256 | 256 |
| Traditional | ECDSA-P256 | 64 | 32 | 64 |
| 1 | FN-DSA-512 | 897 | 1281 | 666 |
| 2 | ML-DSA-44 | 1312 | 2560 | 2420 |
| 3 | ML-DSA-65 | 1952 | 4032 | 3309 |
| 5 | FN-DSA-1024 | 1793 | 2305 | 1280 |
| 5 | ML-DSA-87 | 2592 | 4896 | 4627 |
Public keys for ML-DSA-65 certificates are 7.6x bigger than RSA-2048 ones. You need to handle public keys in multiple situations: when verifying certificates against known certificate authorities (CAs), when matching their properties for validation and identity derivation during authorization, and when storing them. FreeIPA uses LDAP as a backend, so storing 7.6 times more data directly affects your scalability when the number of users or machines (or Kerberos services) grows. And since certificates are all ASN.1 encoded, I naturally wanted to establish a performance baseline for ASN.1 parsing.
Synta, ASN.1 library
I started with a small task: creating a Rust library, synta, to decode and encode ASN.1 with the help of AI tooling. It quickly grew to have its own ASN.1 schema parser and code generation tool. With those in place, I started generating more code, this time to process X.509 certificates, handle Kerberos packet structures, and so on. Throwing different tasks at Claude Code led to iterative improvements. Over a couple of months we progressed to a project with more than 60K lines of Rust code.
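| Language | files | blank | comment | code |
| --- | --- | --- | --- | --- |
| Rust | 207 | 9993 | 17492 | 67284 |
| Markdown | 52 | 5619 | 153 | 18059 |
| Python | 41 | 2383 | 2742 | 7679 |
| C | 17 | 852 | 889 | 4333 |
| Bourne Shell | 8 | 319 | 482 | 1640 |
| C/C++ Header | 4 | 319 | 1957 | 1138 |
| TOML | 20 | 196 | 97 | 896 |
| YAML | 1 | 20 | 46 | 561 |
| make | 4 | 166 | 256 | 493 |
| CMake | 3 | 36 | 25 | 150 |
| JSON | 6 | 0 | 0 | 38 |
| diff | 1 | 6 | 13 | 29 |
| SUM | 364 | 19909 | 24152 | 102300 |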
I published some of the synta crates yesterday on crates.io, the whole project is available at codeberg.org/abbra/synta. In total, there are 11 crates, though only seven are published (and synta-python is also available at PyPI):
| Crate | Lines (src/ only) |
| --- | --- |
| synta | 10572 |
| synta-derive | 2549 |
| synta-codegen | 17578 |
| synta-certificate | 4549 |
| synta-python | 8953 |
| synta-ffi | 7843 |
| synta-krb5 | 2765 |
| synta-mtc | 7876 |
| synta-tools | 707 |
| synta-bench | 0 |
| synta-fuzz | 3551 |
The benchmarking, fuzzer, and tools crates aren’t published. They are only needed for development purposes.
Performance
The numbers below were obtained on a Lenovo ThinkPad P1 Gen 5, 12th Gen Intel(R) Core(TM) i7-12800H, 64 GB RAM, on Fedora 42. This is pretty much 3-4 year old hardware.
Benchmarking is what brought this project to life, let’s look at the numbers. When dealing with certificates, ASN.1 encoding can be parsed in different ways: you can visit every structure or stop at outer shells and only visit the remaining nested structures when you really need them. The former is “parse+fields” and the latter is “parse-only” in the following table that summarizes comparison between synta and various Rust crates (and OpenSSL/NSS which were accessible through their Rust FFI bindings):
| Library | Parse-only | Parse+fields | vs synta (parse-only) | vs synta (parse+fields) |
| --- | --- | --- | --- | --- |
| synta | 0.48 µs | 1.32 µs | — | — |
| cryptography-x509 | 1.45 µs | 1.43 µs | 3.0× slower | 1.1× slower |
| x509-parser | 2.01 µs | 1.99 µs | 4.2× slower | 1.5× slower |
| x509-cert | 3.16 µs | 3.15 µs | 6.6× slower | 2.4× slower |
| NSS | 7.90 µs | 7.99 µs | 16× slower | 6.1× slower |
| rust-openssl | 15.4 µs | 15.1 µs | 32× slower | 11× slower |
| ossl | 16.1 µs | 15.8 µs | 33× slower | 12× slower |
“Parse+fields” tests access every named field: serial number, issuer/subject DNs, signature algorithm OID, signature bytes, validity period, public key algorithm OID, public key bytes, and version. The “parse+fields” speedup is the fair end-to-end comparison: synta’s parse-only advantage is large because most fields are stored as zero-copy slices deferred until access, while other libraries must materialise all fields eagerly at parse time.
The dominant cost in X.509 parsing is Distinguished Name traversal: a certificate’s issuer and subject each contain a SEQUENCE OF SET OF SEQUENCE with per-attribute OID lookup. synta defers this entirely by storing the Name as a RawDer<'a> — a pointer+length into the original input with no decoding. cryptography-x509 takes a similar deferred approach. The nom-based and RustCrypto libraries decode Names eagerly. NSS goes further and formats them into C strings, which is the dominant fraction of its 16× parse overhead.
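To make the deferred-Name idea concrete, here is an added example (not synta's code, and in Python rather than Rust): a strict DER TLV reader that checks only the outer framing at parse time and keeps each Name as an undecoded view into the input. The certificate-like structure (serial, issuer, subject, signature), the sample bytes and all identifiers are constructed for illustration.

```python
"""Deferred decoding of DER Names on a constructed sample (not synta's code)."""
from dataclasses import dataclass
OIDS = {"550403": "CN", "55040a": "O"}   # DER-encoded 2.5.4.3 and 2.5.4.10

class DerError(ValueError):
    """Input is not well-formed DER."""

def read_tlv(buf: memoryview, pos: int):
    """Return (tag, value, next_pos); value is a zero-copy slice of buf."""
    if pos + 2 > len(buf):
        raise DerError("truncated header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first == 0x80:
        raise DerError("indefinite length is BER, not DER")
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n > 4 or pos + n > len(buf):
            raise DerError("bad length-of-length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if buf[pos] == 0 or length < 0x80:
            raise DerError("non-minimal length encoding")
        pos += n
    if pos + length > len(buf):
        raise DerError("value runs past the end of the input")
    return tag, buf[pos:pos + length], pos + length

def children(value: memoryview):
    pos = 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        yield tag, inner

def decode_name(raw: memoryview):
    """The expensive walk: SEQUENCE OF SET OF SEQUENCE { OID, string }."""
    tag, rdns, end = read_tlv(raw, 0)
    if tag != 0x30 or end != len(raw):
        raise DerError("Name must be exactly one SEQUENCE")
    out = []
    for set_tag, rdn in children(rdns):
        for seq_tag, atv in children(rdn):
            oid_tag, oid, p = read_tlv(atv, 0)
            val_tag, val, p = read_tlv(atv, p)
            if (set_tag, seq_tag, oid_tag) != (0x31, 0x30, 0x06) or p != len(atv):
                raise DerError("malformed AttributeTypeAndValue")
            out.append((OIDS.get(oid.hex(), oid.hex()), bytes(val).decode("utf-8")))
    return out

@dataclass
class LazyCert:
    serial: int
    issuer_raw: memoryview    # undecoded Name: a view into the input buffer
    subject_raw: memoryview
    signature: memoryview     # BIT STRING payload, also just a view
    name_walks: int = 0       # how many Names were actually decoded
    def name(self, which: str):
        """Decode 'issuer' or 'subject' only when a caller asks for it."""
        self.name_walks += 1
        return decode_name(getattr(self, which + "_raw"))

def parse_lazy(data: bytes) -> LazyCert:
    """Check the outer framing only; both Names stay undecoded."""
    tag, body, end = read_tlv(memoryview(data), 0)
    if tag != 0x30 or end != len(data):
        raise DerError("expected one SEQUENCE and no trailing bytes")
    pos, got = 0, []
    for want in (0x02, 0x30, 0x30, 0x03):    # serial, issuer, subject, signature
        start = pos
        tag, value, pos = read_tlv(body, pos)
        if tag != want or (want != 0x30 and len(value) == 0):
            raise DerError(f"unexpected or empty field, tag {tag:#x}")
        got.append(body[start:pos] if want == 0x30 else value)
    if pos != len(body) or got[3][0] != 0:
        raise DerError("trailing data or BIT STRING with unused bits")
    return LazyCert(int.from_bytes(got[0], "big", signed=True), got[1], got[2], got[3][1:])

def parse_or_none(data: bytes):
    try:
        return parse_lazy(data)
    except DerError:
        return None

def tlv(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + value

def name(*attrs):
    return tlv(0x30, b"".join(
        tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex(oid)) + tlv(0x0C, text.encode())))
        for oid, text in attrs))

# Constructed sample, built with the minimal encoder above; not a real certificate.
SAMPLE = tlv(0x30, tlv(0x02, b"\x2a")
             + name(("55040a", "Example CA Org"), ("550403", "Example Root"))
             + name(("550403", "host.example.test"))
             + tlv(0x03, b"\x00" + bytes(2420)))    # ML-DSA-44-sized signature
```

After `parse_lazy(SAMPLE)` the `name_walks` counter is still zero and the 2,420-byte signature is a view into the original buffer; the Name traversal cost is only paid when `name("issuer")` or `name("subject")` is called.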
For benchmarking I used certificates from the PyCA test vectors. There are a few certificates with different properties, so we parse them multiple times and then average the numbers:
| Certificate | synta | cryptography-x509 | x509-parser | x509-cert | NSS |
| --- | --- | --- | --- | --- | --- |
| cert_00 (NoPolicies) | 1333.7 ns | 1386.7 ns | 1815.9 ns | 2990.6 ns | 7940.3 ns |
| cert_01 (SamePolicies-1) | 1348.8 ns | 1441.0 ns | 2033.4 ns | 3174.3 ns | 7963.8 ns |
| cert_02 (SamePolicies-2) | 1338.6 ns | 1440.1 ns | 2120.1 ns | 3205.6 ns | 8206.8 ns |
| cert_03 (anyPolicy) | 1362.4 ns | 1468.3 ns | 2006.2 ns | 3194.5 ns | 7902.4 ns |
| cert_04 (AnyPolicyEE) | 1232.9 ns | 1424.7 ns | 1968.6 ns | 3168.1 ns | 7913.1 ns |
| Average | 1323 ns | 1432 ns | 1989 ns | 3147 ns | 7985 ns |
The gap between synta (1.32 µs) and cryptography-x509 (1.43 µs) is tighter here than in parse-only (3.0×) because synta’s field access includes two format_dn() calls (~800 ns combined) that cryptography-x509 does for effectively free (its offsets were computed at parse time). Synta leads by ~8% overall.
Now, when parsing PQC certificates, an interesting thing happens. First, it is faster to parse ML-DSA than traditional certificates.
| Certificate | synta | cryptography-x509 | x509-parser | x509-cert | NSS |
|---|---|---|---|---|---|
| ML-DSA-44 | 1030.9 ns | 1256.4 ns | 1732.2 ns | 2666.0 ns | 7286.9 ns |
| ML-DSA-65 | 1124.9 ns | 1237.5 ns | 1690.5 ns | 2664.2 ns | 7222.1 ns |
| ML-DSA-87 | 1102.6 ns | 1226.5 ns | 1727.2 ns | 2696.6 ns | 7284.6 ns |
| Average | 1086 ns | 1240 ns | 1717 ns | 2675 ns | 7265 ns |
synta’s ML-DSA parse+fields (1.09 µs) is faster than its traditional parse+fields (1.32 µs) because ML-DSA test certificates have shorter Distinguished Names (one attribute each in issuer and subject vs multiple attributes in traditional certificates in the test above). The signature BIT STRING — which is 2,420–4,627 bytes for ML-DSA — is accessed as a zero-copy slice with no size-dependent cost.
Processing CA databases
Imagine your app needs to test whether the certificate presented by a client is known to you (e.g. belongs to a trusted set of CAs). A library like OpenSSL looks at the client’s certificate, extracts identifiers of the certificate issuer, and looks up whether such an issuer is known in the CA database. That requires looking up properties of the certificates in the database. The faster we can do that, the better.
All those numbers in the previous section are for a single certificate being parsed millions of times. In a real app we often need to validate the certificate against a system-wide database of certificate authorities. The database used by Fedora and other Linux distributions comes from Firefox. It contains 180 self-signed root CA certificates for all public CAs with diverse key types (RSA 2048/4096, ECDSA P-256/P-384) and DN structures. The median cert by DER size is “Entrust.net Premium 2048 Secure Server CA” (1,070 bytes); the benchmark uses this cert for single-certificate and field-access sub-benchmarks to get stable results that are not sensitive to certificate-size outliers.
Another dataset I benchmarked against is 9,898 certificates from the Common CA Database (CCADB), covering the full multi-level hierarchy used by Mozilla, Chrome, Apple, and Microsoft:
| Depth | Count | Description |
|---|---|---|
| 0 | 919 | Root CAs (self-signed) |
| 1 | 6,627 | Intermediates issued directly by roots |
| 2 | 2,212 | Two levels deep |
| 3 | 137 | Three levels deep |
| 4 | 3 | Four levels deep |
Intermediate CA certificates tend to have more complex DNs and more extensions than the root CAs in the Mozilla store. The CCADB median cert is “Bayerische SSL-CA-2014-01” (10,432 bytes). These certificates from CCADB cover the past 30 years of certificate issuance on the internet.
To see how those benchmarks would behave if the CA roots database were built with post-quantum cryptography, I rebuilt the CCADB corpus as ML-DSA certificates. Nine CCADB certificates were skipped: OpenSSL’s x509 -x509toreq -copy_extensions copy step failed to convert them to CSR form, typically because those certs use non-standard DER encodings or critical extensions that the x509toreq pipeline cannot copy into a PKCS#10 request. (The failures are in OpenSSL’s cert→CSR conversion; synta parses all 9,898 original CCADB certs without error.) This leaves 9,889 of the original 9,898 certs in the synthetic database.
The median cert by DER size is “TrustCor Basic Secure Site (CA1)” (6,705 bytes). ML-DSA certs range from 5,530 B to 16,866 B; the distribution is shifted left relative to the CCADB RSA/ECDSA median (10,432 B) because the smallest CCADB certs (compact root CAs with few extensions) become the new median position after ML-DSA key replacement enlarges all certs uniformly.
| Benchmark | Library | Dataset | Time | Throughput |
|---|---|---|---|---|
| synta_parse_all | synta | Mozilla (180 certs) | 87.8 µs | 2.0 M/sec |
| nss_parse_all | NSS | Mozilla (180 certs) | 1.577 ms | 114 K/sec |
| openssl_parse_all | rust-openssl | Mozilla (180 certs) | 3.552 ms | 50.7 K/sec |
| ossl_parse_all | ossl | Mozilla (180 certs) | 3.617 ms | 49.8 K/sec |
| synta_parse_and_access | synta | Mozilla (180 certs) | 261 µs | 690 K/sec |
| synta_build_trust_chain | synta | Mozilla (180 certs) | 11.6 µs | — |
| synta_parse_all | synta | CCADB (9,898 certs) | 5.10 ms | 1.94 M/sec |
| nss_parse_all | NSS | CCADB (9,898 certs) | 106 ms | 93 K/sec |
| openssl_parse_all | rust-openssl | CCADB (9,898 certs) | 203 ms | 48.8 K/sec |
| ossl_parse_all | ossl | CCADB (9,898 certs) | 214 ms | 46.3 K/sec |
| synta_parse_and_access | synta | CCADB (9,898 certs) | 16.1 ms | 615 K/sec |
| synta_parse_roots | synta | CCADB (919 roots) | 457.7 µs | 2.01 M/sec |
| synta_parse_intermediates | synta | CCADB (8,979 intermediates) | 4.735 ms | 1.90 M/sec |
| synta_build_dependency_tree | synta | CCADB (9,898 certs) | 559 µs | — |
| synta_parse_all | synta | ML-DSA synth (9,889 certs) | 5.78 ms | 1.71 M/sec |
| nss_parse_all | NSS | ML-DSA synth (9,889 certs) | 103 ms | 96.4 K/sec |
| openssl_parse_all | rust-openssl | ML-DSA synth (9,889 certs) | 239 ms | 41.4 K/sec |
| ossl_parse_all | ossl | ML-DSA synth (9,889 certs) | 256 ms | 38.6 K/sec |
| synta_parse_and_access | synta | ML-DSA synth (9,889 certs) | 17.5 ms | 566 K/sec |
| synta_parse_roots | synta | ML-DSA synth (919 roots) | 463 µs | 1.98 M/sec |
| synta_parse_intermediates | synta | ML-DSA synth (8,970 ints.) | 5.10 ms | 1.76 M/sec |
| synta_build_dependency_tree | synta | ML-DSA synth (9,889 certs) | 549 µs | — |
NSS is 18–21× slower than synta across all three datasets; rust-openssl is 40–41× slower and ossl is 41–44× slower. All three C-backed libraries successfully parse ML-DSA certificates (NSS 3.120+ and OpenSSL 3.4+ support ML-DSA natively). NSS’s absolute parse time is nearly identical across CCADB traditional certs (106 ms) and ML-DSA synthetic certs (103 ms) — confirming that NSS’s dominant cost is eager DN formatting at parse time, which depends on DN attribute count rather than the signature algorithm. The slightly lower relative slowdown for NSS on ML-DSA (18× vs 21×) is entirely because synta is slower on ML-DSA (5.78 ms vs 5.10 ms), not because NSS is faster.
synta’s throughput is consistent at ~1.7–2.0 M certs/sec across all three datasets, confirming linear O(n) scaling. Parse rate is slightly lower for the ML-DSA synthetic hierarchy (1.71 M/sec) than for the CCADB traditional hierarchy (1.94 M/sec) because the larger ML-DSA SubjectPublicKeyInfo and signature BIT STRING fields add bytes to the tag+length-header scan that synta performs at parse time. The intermediates-only sub-benchmark is slightly lower than roots-only in each dataset (1.76 M/sec vs 1.98 M/sec for ML-DSA; 1.90 M/sec vs 2.01 M/sec for CCADB) because intermediate CAs tend to have more complex DNs and extension lists.
Finally, individual property access for a pre-parsed certificate, single field read, no allocation unless noted:
| Field | Mozilla (1,070 B) | CCADB (10,432 B) | ML-DSA (6,705 B) | Notes |
|---|---|---|---|---|
| issuer_raw / subject_raw | 4.1 / 4.1 ns | 4.2 / 4.1 ns | 4.5 / 4.4 ns | Zero-copy slice |
| public_key_bytes / signature_bytes | 4.1 / 4.1 ns | 4.2 / 4.2 ns | 4.6 / 4.4 ns | Zero-copy slice |
| signature_algorithm / public_key_algorithm | 5.9 / 5.4 ns | 5.9 / 5.5 ns | 6.3 / 6.4 ns | OID → &'static str |
| serial_number | 10.9 ns | 6.8 ns | 7.5 ns | Integer → i64, length-dependent |
| validity | 180 ns | 206 ns | 231 ns | Two time-string allocations |
| issuer_dn | 401 ns | 224 ns | 246 ns | format_dn() → String |
| subject_dn | 404 ns | 292 ns | 324 ns | format_dn() → String |
Zero-copy fields (issuer_raw, subject_raw, public_key_bytes, signature_bytes) cost ~4–5 ns — the price of reading a pointer and length from a struct field. The slightly higher cost for CCADB and ML-DSA fields vs Mozilla is within measurement noise.
identify_signature_algorithm() and identify_public_key_algorithm() match the OID component array against a static table and return &'static str — no allocation, no string formatting. The ~5–6 ns cost is a few comparisons and a pointer return.
serial_number cost depends on the integer’s byte length: the Entrust Mozilla cert carries a 16-byte serial number (parsed via SmallVec<[u8; 16]>), while the CCADB and ML-DSA synthetic medians have shorter serials. At 10.9, 6.8, and 7.5 ns respectively, all are negligible.
validity (~180–231 ns) allocates two strings: UTCTime and GeneralizedTime are formatted from their raw DER bytes into owned Strings. The two calls account for essentially all of the cost; the YYMMDDHHMMSSZ to RFC 3339 formatting is the dominant work.
format_dn() is the most variable field: it walks the Name DER bytes, decodes each SEQUENCE OF SET OF SEQUENCE, looks up each attribute OID by name, and formats the result into an owned String. The Mozilla cert’s issuer DN is more complex (multiple attributes, longer values: 401 ns) than the CCADB median (224 ns) or the ML-DSA synthetic median (246 ns). The ML-DSA synthetic median’s subject DN (324 ns) is slightly more expensive than the CCADB median (292 ns) because a different cert occupies the median position after key replacement. format_dn() cost is proportional to the DN’s attribute count and string lengths.
Why C Libraries Are Slower
CERT_NewTempCertificate (NSS) and OpenSSL’s d2i_X509 perform significantly more work per certificate than synta:
1. Eager DN formatting — NSS formats the issuer and subject Distinguished Names into internal C strings during CERT_NewTempCertificate, even when the caller never reads them. Distinguished Name formatting is the single most expensive operation in certificate parsing; doing it unconditionally at parse time accounts for roughly 80% of NSS’s total parse cost. OpenSSL decodes DN structure eagerly as well.
2. Arena and heap allocation — each NSS certificate allocates a PLArena block and copies the full DER buffer into it (copyDER = 1). OpenSSL allocates from the C heap. These allocations are additional work beyond decoding.
3. Library state and locking — NSS acquires internal locks on every CERT_NewTempCertificate call to update the certificate cache, even when the resulting certificate is marked as temporary. This serialises concurrent parsing in multi-threaded applications.
4. FFI boundary costs — the rust-openssl and ossl measurements include the overhead of crossing from Rust into the C library via extern "C" calls and pointer marshalling.
synta defers all of (1): issuer and subject are stored as RawDer<'a> (borrowed byte spans) and decoded only when the caller calls format_dn(). There is no locking, no arena, and no FFI boundary.
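The deferred Name handling and the CA-database issuer lookup described above, sketched as an added example (not synta's code or API): names are kept as borrowed DER spans at parse time and decoded only on request. `RawName`, `read_tlv`, `parse_shell`, `decode_dn`, `issuer_known`, the simplified two-field record and the byte-exact issuer comparison are assumptions of this example, and the sample bytes are constructed.

```rust
use std::collections::HashSet;

/// Undecoded Name: a borrowed span (pointer + length) over the whole TLV.
type RawName<'a> = &'a [u8];

/// Read one DER TLV: (tag, content, rest). Lengths up to 2 long-form bytes only.
fn read_tlv(input: &[u8]) -> Option<(u8, &[u8], &[u8])> {
    let (&tag, rest) = input.split_first()?;
    let (&first, rest) = rest.split_first()?;
    let (len, rest) = if first < 0x80 { (first as usize, rest) } else {
        let n = (first & 0x7f) as usize;
        if n == 0 || n > 2 || rest.len() < n { return None; } // indefinite or oversized
        (rest[..n].iter().fold(0usize, |a, &b| (a << 8) | b as usize), &rest[n..])
    };
    if rest.len() < len { return None; } // truncated input
    Some((tag, &rest[..len], &rest[len..]))
}

/// "Parse-only" step for a simplified record SEQUENCE { issuer Name, subject Name }
/// (not a full certificate): read two headers and keep the spans, decode nothing.
fn parse_shell(der: &[u8]) -> Option<(RawName<'_>, RawName<'_>)> {
    let (tag, body, _) = read_tlv(der)?;
    let (t1, _, after_issuer) = read_tlv(body)?;
    let (t2, _, after_subject) = read_tlv(after_issuer)?;
    if tag != 0x30 || t1 != 0x30 || t2 != 0x30 { return None; }
    let issuer = &body[..body.len() - after_issuer.len()];
    let subject = &after_issuer[..after_issuer.len() - after_subject.len()];
    Some((issuer, subject))
}

/// Deferred work, paid only on access: walk SEQUENCE OF SET OF SEQUENCE { OID, value }.
fn decode_dn(name: RawName<'_>) -> Option<String> {
    let (tag, mut rdns, _) = read_tlv(name)?;
    if tag != 0x30 { return None; }
    let mut parts = Vec::new();
    while !rdns.is_empty() {
        let (t_set, mut atvs, rest) = read_tlv(rdns)?;
        if t_set != 0x31 { return None; }
        rdns = rest;
        while !atvs.is_empty() {
            let (t_seq, atv, rest) = read_tlv(atvs)?;
            atvs = rest;
            let (t_oid, oid, value_tlv) = read_tlv(atv)?;
            let (_, value, _) = read_tlv(value_tlv)?;
            if t_seq != 0x30 || t_oid != 0x06 { return None; }
            let key = match oid { [0x55, 4, 3] => "CN", [0x55, 4, 6] => "C", _ => "?" };
            parts.push(format!("{}={}", key, std::str::from_utf8(value).ok()?));
        }
    }
    Some(parts.join(","))
}

/// Trust-store lookup on the raw issuer bytes: no DN is decoded or formatted.
fn issuer_known(der: &[u8], trusted: &HashSet<&[u8]>) -> bool {
    parse_shell(der).map_or(false, |(issuer, _)| trusted.contains(issuer))
}

// Constructed sample Names (DER), "C=US,CN=Test CA" and "CN=leaf", plus a record builder.
const ROOT: &[u8] = b"\x30\x1f\x31\x0b\x30\x09\x06\x03\x55\x04\x06\x13\x02US\x31\x10\x30\x0e\x06\x03\x55\x04\x03\x0c\x07Test CA";
const LEAF: &[u8] = b"\x30\x0f\x31\x0d\x30\x0b\x06\x03\x55\x04\x03\x0c\x04leaf";
fn record(issuer: &[u8], subject: &[u8]) -> Vec<u8> {
    [&[0x30, (issuer.len() + subject.len()) as u8][..], issuer, subject].concat()
}

fn main() {
    let rec = record(ROOT, LEAF);
    let trusted: HashSet<&[u8]> = std::iter::once(ROOT).collect();
    println!("known: {}, issuer: {:?}", issuer_known(&rec, &trusted), parse_shell(&rec).and_then(|(i, _)| decode_dn(i)));
}
```

The lookup never calls `decode_dn`, so its cost does not depend on the number of DN attributes; only a caller that wants a printable name pays for the walk.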
In these tests I also found out that PyCA’s cryptography-x509 doesn’t have optimizations for multiple accesses to the same fields. It is typically not a problem if you are just loading a certificate and using it once. If you have to return to it multiple times, that becomes visible and hurts your performance. So I submitted a pull request to apply some of the optimizations I found with synta. The pull request had to be split into smaller ones and a few of them have already been merged, so performance to access issuer, subject, and public key in certificates and to some attributes in CSRs was improved 100x. The rest waits for improvements in PyO3 to save some memory use.
Hello and welcome to another update on what’s been happening at the GNOME Foundation. It’s been two weeks since my last update, and there’s been plenty going on, so let’s dive straight in.
GNOME 50!
My update wouldn’t be complete without mentioning this week’s GNOME 50 release. It looks like an amazing release with lots of great improvements! Many thanks to everyone who contributed and made it such a success.
The Foundation plays a critical role in these releases, whether it’s providing development infrastructure, organising events where planning takes place, or providing development funding. If you are reading this and have the means, please consider signing up as a Friend of GNOME. Even small regular donations make a huge difference.
Board Meeting
The Board of Directors had its regular monthly meeting on March 9th, and we had a full agenda. Highlights from the meeting included:
We heard reports from a number of committees, including the Executive Committee, Finance Committee, Travel Committee, and Code of Conduct Committee. Committee presentations are a new addition to the Board meeting format, with the goal of pushing more activity out to committees, with the Board providing high-level oversight and coordination.
Creation of a new bank account was authorized, which is needed as part of our ongoing finance and accounting development effort.
The main discussion topic was Flathub and what the organizational arrangements could be for it in the future. There weren’t any concrete decisions made here, but the Board indicated that it’s open to different options and sees Flathub’s success as the main priority rather than being attached to any particular organisation type or location.
The next regular Board meeting will be on April 13th.
Travel
The Travel Committee met both this week and last week, as it processed the initial batch of GUADEC sponsorship applications. As a result of this work the first set of approvals have been sent out. Documentation has also been provided for those who are applying for visas for their travel.
The membership of the current committee is quite new and it is having to figure out processes and decision-making principles as it goes, which is making its work more intensive than might normally be the case. We are starting to write up guidelines for future funding rounds, to help smooth the process.
Huge thanks to our committee members Asmit, Anisa, Julian, Maria, and Nirbheek, for taking on this important work.
Conferences
Planning and preparation for the 2026 editions of LAS and GUADEC have continued over the past fortnight. The call for papers for both events is a particular focus right now, and there are a couple of important deadlines to be aware of:
If you want to speak at LAS 2026, the deadline for proposals is 23 March – that’s in just three days.
The GUADEC 2026 call for abstracts has been extended to 27 March, so there is one more week to submit a talk.
There are teams behind each of these calls, reviewing and selecting proposals. Many thanks to the volunteers doing this work!
We are also excited to have sponsors come forward to support GUADEC.
Accounting
The Foundation has been undertaking a program of improvements to our accounting and finance systems in recent months. Those were put on hold for the audit fieldwork that took place at the beginning of March, but now that’s done, attention has turned to the remaining work items there.
We’ve been migrating to a new payments processing platform since the beginning of the year, and setup work has continued, including configuration to make it integrate correctly with our accounting software, migrating credit cards over from our previous solution, and creating new web forms which are going to be used for reimbursement requests in future.
There are a number of significant advantages to the new system, like the accounting integration, which are already helping to reduce workloads, and I’m looking forward to having the final pieces of the new system in place.
Another major change that is currently ongoing is that we are moving from a quarterly to a monthly cadence for our accounting. This is the cycle we move on to “complete” the accounts, with all data inputted and reconciled by the end of the cycle. The move to a monthly cycle will mean that we are generating finance reports on a more frequent basis, which will allow the Board to have a closer view on the organisation’s finances.
Finally, this week we also had our regular monthly “books” call with our accountant and finance advisor. This was our usual opportunity to resolve any questions that have come up in relation to the accounts, but we also discussed progress on the improvements that we’ve been making.
Infrastructure
On the infrastructure side, the main highlight in recent weeks has been the migration from Anubis to Fastly’s Next-Gen Web Application Firewall (WAF) for protecting our infrastructure. The result of this migration will be an increased level of protection from bots, while simultaneously not getting in people’s way when they’re using our infra. The Fastly product provides sophisticated detection of threats plus the ability for us to write our own fine-grained detection rules, so we can adjust firewall behaviour as we go.
Huge thanks to Fastly for providing us with sponsorship for this service – it is a major improvement for our community and would not have been possible without their help.
That’s it for this update. Thanks for reading and be on the lookout for the next update, probably in two weeks!
After nearly three years of development (it takes time to make up one’s mind) Firefox for Linux users can now enjoy seamless emoji insertion using the native GTK emoji chooser. This long-requested feature, implemented in Firefox 150 (recent Beta), brings a more integrated experience for Linux users who want to add emojis to their web content.
Starting with Firefox 150, the native Gtk emoji picker can be invoked directly within Firefox. This means you can insert emojis into text fields, comment boxes, social media posts, and any other web input using the same interface you’re already familiar with from other GTK applications.
How to use it
Using the emoji picker is simple and follows standard GTK conventions:
Click into any text input field on a webpage
Press Ctrl+. (Control + period) or Ctrl+; (Control + semicolon)
The native GTK emoji chooser will appear
Select your emoji, and it will be inserted at your cursor position. The picker works seamlessly in both main browser windows and popup windows.
How to disable it
The feature leverages GTK’s built-in GtkEmojiChooser widget, ensuring that the look and feel matches other applications in your desktop environment.
For users who prefer not to use this feature (perhaps due to conflicts with custom keybindings or specific workflows), Firefox provides a preference to disable it. Go to about:config page and set widget.gtk.native-emoji-dialog to false.
Why it took too long?
The native GTK emoji picker implementation uses the GtkEmojiChooser popover built into GTK3. Unlike other GTK dialogs (file picker, print dialog), it can’t be invoked directly in GTK3 – it must be triggered by a key-binding event or signal on GtkEntry or GtkTextView widgets, and the widget has to be visible from GTK’s perspective.
This conflicts with Firefox’s GTK architecture, which doesn’t use GTK widgets directly but instead paints everything itself.
But a solution was found. Firefox already has an invisible GtkEntry widget that’s not attached to any actual window. It’s an offscreen widget used to invoke key-binding events from GTK input events, like copy/paste and other edit commands. It also receives the ‘emoji-insert’ signal after Ctrl+., but normally ignores it since the GtkEntry itself isn’t visible.
I configured the GtkEntry to listen for the ‘emoji-insert’ signal. When received, I create a new GtkEntry as a child of the recently focused GtkWindow and redirect the ‘emoji-insert’ signal there. The GtkEntry has to be ‘shown’ but remains invisible to users because Firefox paints a wl_subsurface over it.
It also needs to be correctly positioned to show the GtkEmojiChooser in the right location, and connected to other signals like ‘insert_text’ to retrieve the selected emoji. Thanks to Emilio Cobos Álvarez and Masayuki Nakano for their helpful hints on text processing and positioning!
This is an independent, censorship-resistant site run by volunteers. This site and the blogs of individual volunteers are not officially affiliated with or endorsed by the Fedora Project.
comments? additions? reactions?
As always, comment on the fediverse: https://fosstodon.org/@nirik/116506323315055393