So after spending a few years working first on a encrypted proxy solution and then moving to a encrypted tunnel solution, I’ve carried forward this highly modified version of the RC4 stream cipher, trying to tune it up and make improvements to it over time. This latest version includes the following features over the original version.
ARCF-DROP-INIT-CBCX-AUTH
Extended key state generation algorithm to shuffle and drop the first 768-bytes
Enhanced KSGA to incorporate and weight both the secret key as well as a 256-bit initialization vector
Added IV can also include a 40-bit increasing counter to help prevent replay attacks
Core crypto allows for Cipher Byte Chaining which will XOR the last output byte with the next input byte
Core crypto loop also mixes in the IV and the CBC byte values into the key state
The key state itself is never directly used but instead only the XOR of two other key state byte index values
The IV is then encrypted by the unique key state to provide a trailing 256-bit authentication hash tag
MasterDnsVPN یک نرمافزار متنباز و پیشرفته برای DNS Tunneling است که با زبان Go توسعه داده شده و با کپسولهسازی ترافیک TCP داخل درخواستها و پاسخهای DNS، امکان عبور از محدودیتها و فیلترینگ شدید اینترنت را فراهم میکند. این پروژه با تمرکز بر پایداری، سرعت و عملکرد در شبکههای دارای Packet Loss بالا طراحی شده […]
This edition spanned over two days of the weekend, starting early Saturday at 09:00 and ending on Sunday at approx. 17:00. The schedule contained 16 talks on the main track, as well as 4 extra talks on a Python side-track and 3 workshop sessions, plus a round of lightning talks right before the closing ceremony.
The Fedora Project was one of the sponsors of this year’s edition, providing some branded cups — which were given out as prizes for asking good questions in after-talk Q&A — as well as a catering budget.
The Fedora community was represented by Dominik Mierzejewski and Artur Frenszek-Iwicki. Dominik held a workshop session where he talked about video acceleration on Linux and helped the attendees set up their systems to make best use of their hardware.
“It’s actually weird. 10 years ago I’d have a lot to do, but now, people come over to the workshop and it turns out everything just works.” — Dominik
One of this year’s sponsors, Korbank, ran a contest where the attendees could try their best at assembling a rack server: inserting the power supplies, disks, memory and the CPU. The whiteboard tracking the scores revealed a truly fierce competition: while the first contestants barely made it under 2 minutes, the final winner finished well below 50 seconds!
There was also a community stall ran by the Coreforge Foundation, showcasing their progress in developing open hardware RISC-V CPUs. Pictured above is an FPGA programmed to run one of the foundation’s RISC-V cores.
No community meetup can be complete without a big bunch of stickers to share and give away — and this event was no different, featuring two tables full of stickers, posters and postcards, generously provided by the Free Software Foundation Europe and the NGI Zero fund.
I’ve spent a few years now looking for a higher-performing network-wide Proxy or VPN service. I’ve modified some frameworks, like nginx and openvpn, and I’ve created my own versions of those frameworks as well. After modifying OpenVPN, I decided to implement my own version of that modified functionality in roughly 1000 lines of C from 0. I spent some time recently fixing it up and tuning it up and I just wanted to summarize and write about it again. I’ve observed that there are 2 kinds of VPNs with 2 highly different use cases and design differences required. For example:
Client (WiFi) -> VPN -> Server (Wire) [service] - This can be UDP based as the client is directly setting the lower sized MTU tunnel interface on it's operating system so that it can properly size the outgoing packets before they are sent out from the machine so they won't be fragmented or dropped during the routing through the network as well as the underlying connection can also be too flakey for other protocols.
Router (Wire) -> VPN -> Server (Wire) [infrastructure] - This should be TCP based which can handle a full sized MTU tunnel interface as the data is sent out in a synchronous stream rather than individual packets and the clients are not aware of any smaller sized MTUs in the middle of the network routing path as they assume a standardized 1500 byte MTU size by default and in addition there is less risk of communication interruption for a wired connection.
The code is written in C and can be ran with multiple processes at the same time and each process will launch multiple threads which will all operate on a TUN interface created by that process so that the traffic can be load balanced across interfaces as well. The threads will read multiple packets in bulk and transfer them all over TCP in a single large size write/read socket call. It is fairly efficient and performative in my testing so far! No Bloat!!
The entire PC industry is an interesting one to watch function at a distance, there are essentially 3 parties involved which all need to get along with each other, however, what happens when each one is at war with each other? Let’s find out!
ENTER-SCENE: The software maker, the hardware maker, the computer manufacturer
Over a year ago now, I was diagnosed with Diabetes. I'm not going to go into
too much about it here since there's tons of other online resources for it,
but I wanted to share one particular area where I have been able to use serveral
open source products to help monitoring and tracking my blood glucose levels.
Monitoring blood glucose is important information. Various things affect it
and it's good to know what those are and how much they affect it. Some things
affect it very quickly (exercise) and some more slowly (digesting food). Some
foods affect levels dramatically, some not as much.
When I was first diganosed, the recommendation from my doctor was to use
periodic blood tests to see what the levels were. This consists of a set
of lancets, some monitoring strips and a reader. You poke your finger and draw
a drop of blood on the strip, then put that in the reader and it gives you
a reading. This is really quick accurate, but it has a lot of drawbacks:
You have to poke yourself all the time and it's painfull and anoying.
The reader has bluetooth (but the only thing that can connect to it is
a closed source android app).
The closed source/non free android app requires you to make an account
and then send all your readings to some company.
Its really not easy to test a lot, or when traveling.
You consume a lancet and a test strip for every test. They are small,
but it's still consumable/waste.
I looked at getting a CGM (continous glucose monitor) which is a sensor
you affix to your arm and it monitors all the time for a few weeks, when
it needs to be replaced. This seemed much nicer, but it had drawbacks too:
More expensive
Still had a closed source/non free app that required you to make an account
and upload all your data to them.
slightly less accurate
So, I just kept on with infrequent stick testing, until I noticed a post
from Bradley Khun on the software freedom conservency blog:
There was a open source android app to talk to these sensors!
So, a quick message to my doctor and a perscription in hand, I got
some monitors to try out. Juggluco ( https://github.com/j-kaltes/Juggluco ) has kind
of a odd interface, but it works great once you figure it out.
The sensors seem like they would be painful to attach, but I really
haven't noticed anything when applying them. They also make some
'covers' that fit over them to protect them from water/etc. They
do look a bit ragged after 15 days, but I've not had one come off yet.
Being able to have readings all the time has been very nice.
Especially when traveling. It can even give you a 'estimated a1c' value
(This is basically a trending for blood glucose over the last N months).
You can see immediate results from exersize and can definitely see
1-2 hours after meals how much they affect things.
All my data is stored on my phone, which was ok, but I wanted to
have a longer term/more stable backup of that data at least.
Google created a while back a setup in android for medical / heath data.
"Health Connect" is surprisingly well setup. You (the user) can decide
exactly what applications have permissions to write what health data
and what applications have permissions to read that data. The idea being
that you can decide to share some data with some application, or revoke it
later if you choose to. All the data is still stored on the phone, this is
just controlling access to it.
The android home assistant application has the ability (if you grant
it to read health connect data. I then just set juggluco to write blood glucose
values into health connect and allowed home assistant application to read
that. A new sensor appears in home assistant. Now I can graph, run
automations based on it, or do anything I can normally do with a sensor
in home assistant. You can do the same with for example the 'steps' counter
that android keeps automatically.
There is one slight gotcha in this setup that I discovered a few weeks ago.
I went to go look at my longer term blood glucose trends, and... there was
only 10 days of values in home assistant. ;( The home assistant android
app doesn't keep long term statistics anoyingly. You can get around this
by making a template sensor that just reads from the android app one
and it will keep long term data (although the usual home assistant
way of 1 datapoint per hour instead of all the datapoints, but that should
be reasonable for long term trends).
Overall I think its a pretty nice setup now. I do wish the sensors lasted
longer. They last for 15 days and then stop. I'm not sure if thats a limit
of battery life, some kind of reading accuracy issue or just that they want
you to buy more sensors.
Another saturday, time for another longer form weekly recap of
what I have been up to in Fedora Infrastructure.
RHEL10 migrations
RHEL10 migrations are in full swing. Moving things we have that are
on RHEL9 over to RHEL10 with clean re-installs. Mostly this is just
pretty easy, but I did run into a few fun things:
One of our donated servers was really old and couldn't run RHEL10,
so, the provider provisioned us a new(er) one. All good, but we
like to do clean installs of our servers and this provider didn't
happen to have a remote console, so it was kind of flying blind.
First, the RHEL10 installer would hang on boot in systemd-gpt-auto-generator.
My theory ( but I haven't tested it yet to be sure ) is that because
they installed Fedora 44 on it, when it booted to the RHEL10 installer
it would try and figure out the partitions, that would work, but then
because there's no btrfs support it would get confused and hang.
Next I ran into vnc being deprecated in rhel10.1. Fine, but, also
no rdp kickstart directive available, you MUST pass inst.rdp on the
boot line. Then of course various adventures in partitioning and such.
I did finally get it done, but there was a lot of 'please reboot it'
back and forth with the very patent provider.
I found another of our old machines ( which is due to be replaced
this year, but with hardware prices and availablity I am not sure it
actually will be ) is actually BIOS booting still. I just left it
for now, if we don't end up replacing it I might reinstall uefi.
A few issues around our internal repo files and which things they
were or should be pointing to (for minor releases, since 10.2 came
out while I was in the middle of installing some things).
Anyhow, good progress being made on all the easy ones.
Flock coming up fast
https://fedoraproject.org/flock/2026/ is coming up fast. Just 3 weeks.
This is our big conference of the year, will be great to meet up with folks
and discuss everything.
This is a report created by CLE Team, which is a team containing community members working in various Fedora groups for example Infrastructure, Release Engineering, Quality etc. This team is also moving forward some initiatives inside Fedora project.
Week: 18 – 22 May 2026
Fedora Infrastructure
This team is taking care of day to day business regarding Fedora Infrastructure. It’s responsible for services running in Fedora infrastructure. Ticket tracker
Badges: Include deployment controls for Fedora Infrastructure [Commit]
Badges: Refactor/get persons by nickname pagination [Approved]
Badges: Add get_badges_by_string method with pagination [Suggested]
Badges: Include unit tests for the _serve_frontend function path [Triaged][Followup]
Badges: WIP: Move the Fedora Badges static assets from Pagure to Forgejo [Commit]
Nagios is down to < 100 items, it’s nearly gone!
CentOS Infra including CentOS CI
This team is taking care of day to day business regarding CentOS Infrastructure and CentOS Stream Infrastructure. It’s responsible for services running in CentOS Infrastructure and CentOS Stream. CentOS ticket tracker CentOS Stream ticket tracker
Mostly business as usual, just trying to cover the basics
New mirror request completed, some hosts needed reboots/pokes
Watching the CVE storm, mitigating exposed hosts, and waiting for kernels to reboot on
Release Engineering
This team is taking care of day to day business regarding Fedora releases. It’s responsible for releases, retirement process of packages and package builds. Ticket tracker
Continued reviewing releng change proposal for f45 changesets
Continued working for introduction of differentiation in beta and final variants in composeinfo file according to standards.
RISC-V
This is the summary of the work done regarding the RISC-V architecture in Fedora.
F44 rebuild: 22K packages built out of 24K.
Continued with benchmarks on remote SpacemiT K3. (The access will expire in a couple of days.)
Continued preparing the Flock presentation.
Fedora Koji builder hardware: Wrote a brief business justification for two units of K3 for Jason and David.
Debug a failed OpenJDK build, fix the bug, and kick off a fixed up build. Kicked off a fixed up JDK main build
QE
This team is taking care of quality of Fedora. Maintaining CI, organizing test days and keeping an eye on overall quality of Fedora releases.
Published Fedora Quality contributors statistics for the Fedora 44 cycle
Release Candidate versions are available in the testing repository for Fedora and Enterprise Linux (RHEL / CentOS / Alma / Rocky and other clones) to allow more people to test them. They are available as Software Collections, for parallel installation, the perfect solution for such tests, and as base packages.
RPMs of PHP version 8.5.7RC1 are available
as base packages in the remi-modular-test for Fedora 42-44 and Enterprise Linux≥ 8
as SCL in remi-test repository
RPMs of PHP version 8.4.22RC1 are available
as base packages in the remi-modular-test for Fedora 42-44 and Enterprise Linux≥ 8
as SCL in remi-test repository
ℹ️ The packages are available for x86_64 and aarch64.
ℹ️ PHP version 8.3 is now in security mode only, so no more RC will be released.
CVE-2026-46529 is an argument injection vulnerability in Evince, Atril, and Xreader caused by missing shell quoting when composing a command line. The reporter, Jo達o Medeiros, has published a GitHub repo for the CVE and a blog post with the story of how he discovered the flaw and developed the exploit. He also created an Atril security advisory and an Evince issue report.
The vulnerability is fixed in:
Evince 48.4 (fix commit) (I originally reported that it is fixed in 48.2, but there was no successful release for that tag)
The Flatpak sandbox could have drastically reduced the danger of this attack, limiting the compromise to only files that you had previously opened in the PDF reader. Sadly, Evince and Papers both use sandbox holes that render the sandbox totally meaningless. (Atril and Xreader are not available on Flathub.)
The Vulnerability
When you click on a link in a PDF, Evince may execute itself to display the link. Normally the command line used would look something like this:
/usr/bin/evince --named-dest=/home/foo/hello.pdf
But an evil PDF may trick Evince into executing a command that is quite different than expected:
Oops. The first part of the command is always going to be /usr/bin/evince, but the evil PDF is nevertheless able to unexpectedly load a GTK module into Evince. The fix is to quote the untrusted input using g_shell_quote() to ensure it cannot “break out” of its intended context:
Much better: now the threat is neutralized. g_shell_quote() is safe to use even if the untrusted input itself contains quotes. (However, beware: this only works because GLib is parsing the command line itself, and GLib is not a real Unix shell. It’s not safe if the input is going to be passed to an actual Unix shell. It might not even be theoretically possible to do that safely, because it’s valid for filenames to contain entirely arbitrary characters!)
All GTK 3 apps support the --gtk-module command line argument for injecting a shared library into the application. The library may of course then execute whatever code it wants via its library constructor. But GTK 4 no longer has standard GTK command line flags, so this does not work for GTK 4 applications like Papers. It’s still possible to tell a GTK 4 app to load a GTK module, but only via environment variables, not via command line flags, and I don’t see any opportunity for the malicious command to set environment variables. It’s probably not possible to exploit this vulnerability in Papers: although it has the exact same vulnerability as the other PDF readers, the impact is different.
The Exploit
So far this looks like a pretty typical security bug. OK, so if you trick the user into downloading an archive (or perhaps a git repo) that contains both a malicious PDF and also a malicious shared library, then you can trick the PDF reader into loading the shared library and thereby execute arbitrary code. That’s a pretty bad foreseeable exploit, sure, but at least the attacker is at considerable risk of arousing suspicion if the user is trying to download a PDF and also receives a shared library. You’d have to try pretty hard to hide the library in a forest of other boring files if you want the attack to look convincing and unsuspicious. Right?
Nope.
Jo達o used Claude Opus 4.7 to develop a sophisticated script for building malicious polyglot PDFs that are simultaneously both valid PDF files and also valid ELF binaries, so the attacker only needs to trick the victim into downloading one evil PDF file. When the victim clicks on a link in that PDF, the PDF reader will dlopen the PDF itself. The PDF/ELF polyglot’s library constructor will then execute arbitrary code. Much less suspicious, and much scarier. Polyglot files are not entirely novel, but I’d still say this required substantial creativity and expertise from the AI, and substantial persistence from the human. Needless to say, very nice job to both Claude and Jo達o.
You can easily build your own malicious PDF using the provided script and sample GTK module. The script in the Evince and Atril issue reports requires that the attacker predict the absolute path that the malicious PDF file will be saved to; however, Jo達o’s blog post and GitHub repo refine the exploit to remove that requirement.
Thoughts on AI Vulnerability Reports
A human inspecting this code should have been able to find the parameter injection vulnerability, but that requires considerable time and effort, so unsurprisingly nobody did. We’re probably in for a rough time in the short term as the volume of AI-generated vulnerability findings remains temporarily very high and attackers have a much easier time crafting working exploits. But in the long term, I expect we are going to be much more secure than we were before, so this will be worth it.
A human working alone would have almost certainly stopped and moved on after finding the vulnerability. Claude allowed taking the investigation much farther. It’s highly unusual for a GNOME vulnerability report to come with a working exploit. This is a dangerous change. Perhaps it will be a one-time event, but I suspect we will be seeing more frequent exploits in the future.
Silver lining: the exploit helps us better appreciate the severity of the issue. It’s often hard to assess how bad a vulnerability is. If not for the weaponized exploit, I would have thought this bug was not very scary, and would have treated it as not a big deal. We would have fixed it, perhaps or perhaps not with a CVE ID, surely without any blog post or fanfare, and probably without distro security updates. But since there is an exploit, we instead had no doubt that this vulnerability was dangerous, and were able to handle it accordingly.
Several GNOME projects have begun outright prohibiting all AI-generated contributions, including issue reports, with no exception for vulnerability reports. Such policies are misguided and unacceptable. I can sort of understand why some projects might (misguidedly) wish to prohibit AI-generated code contributions. OK, fine. But blocking AI vulnerability reports will make GNOME less safe. AI-assisted vulnerability reporting is the new industry standard for good reason: it is highly effective.
Some humans are not good at preparing AI-assisted vulnerability reports and will spam maintainers with low-quality reports. Sometimes they will be outright bogus, although more often there may be valid underlying bugs with exaggerated severity claims or bad proof of concept demos. This is annoying, but bad issue reports are a cost we are just going to have to accept and deal with.
The quality level of AI vulnerability reports reviewed by conscientious humans — as well as AI assessments of AI vulnerability reports — is now often quite encouraging. But just like humans, AIs may also miss things, especially subtle distinctions that may be highly relevant. Although I�� quite impressed with these AIs, we still need experienced humans to review and manage reports. Please don’t abuse the technology by submitting vulnerability reports that you do not understand or have not validated. And certainly please do not allow an AI agent to interact with an issue tracker on your behalf!
For Security Geeks
This was my first time scoring a vulnerability using CVSS 4.0 rather than CVSS 3.1. It’s also the first time I wasn’t terribly confused about how to set the parameters, because the scoring guide contained answers to all of my questions. Nice. My CVSS vector for CVE-2026-46529 is CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N, the base score is 8.4, and I’m pretty sure my choices for each parameter are good. By comparison, using CVSS 3.1 I came up with CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H and base score 7.8.
Our remarkable Fedora ambassador, CentOS, and associate crews delivered live face-to-face support and outreach via our Fedora and CentOS @ SCALE 23x Linux Conference.
Welcome to SCALE! – Photo by @lajuggler
This way to registration… – Photo by @carlwgeorge
TL; DR
What: A community-run open-source and free software conference in Pasadena, California
The SCALE (The Southern CAlifornia Linux Expo) 23x community Linux event encompasses the 23rd Linux and related technology event with four days of exhibits, tutorials, and demos. This year’s SCALE happened in Pasadena (Los Angeles) area.
SCALE attracted about 3,000 worldwide guests to discuss Linux, AI, DevOps, security, free and open-source software, and more. Technical Committee (Online Services) Chairperson, Mr. Phil Dibowitz, and Network & Wifi Chairperson, Robert Hernandez, among many other community volunteers paved the way for a smooth registration.
Expo Highlights
Our Fedora Community Architect @jflory7 curated and arranged delivery of key swag and marketing items to Perry Rivera. Items included: commuter mugs, buttons, pens, stickers, badge lanyards, and more.
Day 0: Wednesday 4 March
Ahead of our event, Fedora Contributor @chris furnished our attendees an amazing SCALE 23x Attendee badge. 58 attendees claimed the badge this year; cheers to @bcotton for being the first earner!
Fedora Ambassador @vwbusguy helped retrieve half of the items needed for the expo for next-day delivery.
Red Hatter and Fedora Ambassador @lajuggler later that evening delivered expo items.
Dry-board markers and flipchart easel
More swag
Rolling case
@lajuggler finalized Fedora setup on 2 laptops.
Meanwhile, the rest of the crew commuted and checked in.
Day 1: Thursday 5 March
@lajuggler attended an early morning Meshtastic workshop.
Ambassadors arrived to the expo floor to pre-setup booth tables and banners.
@carlwgeorge and @nimbinatus unpack project brand items. Photo by @aacosta
Booth setup v1 – Photo by @carlwgeorge
After @lajuggler ‘s workshop, he arrived later to the expo floor to join pre-setup and unpack swag, easel and markers, and a Fedora retromodem demo.
Welcome to Fedora Hatch Day. – Photo by @carlwgeorge
@jflory7 presents “The Fedora Docs Revamp: Building the Docs You Want to Read.” Photo by @carlwgeorge
@nimbinatus presents “A Brief Tour of the Age of Atomic.” – Photo by @carlwgeorge
@Dcavalca presents “Accelerating CentOS with Fedora.” – Photo by @carlwgeorge
A set of us departed for lunch so we could make ready for opening the Expo floor later that day. @lajuggler and @carlwgeorge set up live demos on both systems for guests to use.
Like to set this up? Get started with a presentation from @lajuggler here.
Retromodem demo by @lajuggler. Photo by @jflory7
Retromodem demo by lajuggler. Photo by lajuggler
Star Wars ASCIImation on retromodem demo by @lajuggler. Kudos to @spot for the find. Photo by @carlwgeorge
Retromodem demo by lajuggler. Photo by @vwbusguy
Retromodem telehack demo by lajuggler. Photo by @vwbusguy
Later that evening, we had dinner at El Portal. Moreover, Rob McBryde organized a stellar Karaoke night event at Barney’s Beanery.
Dinner at El Portal. Photo by @jflory7
@Rmcbryde wowed us with amazing karaoke covers. – Photo by @lajuggler
@lajuggler delivers a Toad song. – – Photo by @aacosta
@ichavero sang awesome memorable covers and engaged audience participation. – Photo by @lajuggler
Day 3: Saturday 7 March
Next, Our crew re-assembled in the expo hall to continue meeting and discussing with community. Later that evening, we had dinner and then converged on Game Night.
Enjoyed dinner at The Stand with friends. Photo by @jflory7
Game nite security was pretty extreme! Photo by @carlwgeorge
@carlwgeorge, @vwbusguy, Autumn Nash, Eric Hendricks. – Photo by @carlwgeorge
Photo by @carlwgeorge
Photo by @carlwgeorge
Day 4: Sunday 8 March
Once again, our crew gathered in the convention hall to continue our demos and greets with community. Later that afternoon, the crew packed up and closed the booth.
@vwbusguy and @aacosta serenade the space
@vwbusguy and @ichavero rockin’ out at the booth. Photo by @carlwgeorge
@vwbusguy and @ichavero rockin’ out at the booth. Photo by @aacosta
#CentOS – photo by @carlwegeorege
#Fedora – photo by @carlwegeorege
#leftnotrace Photo by @aacosta
Key Sessions and Takeaways
Session 1: Workshop: Long range, cheap comms through Meshtastic
Takeaway
Relevance to Our Work
Encourages communication with others
Encourages community
Relatively low cost to get started. Does not require a license
Minimal barrier to entry
Open-source
Encourages open-source activities
Physical component and light building assembly
Fairly easy to get started to communicate right away
Demo 1: WiFi Retromodem on Fedora 43 Highlights
Takeaway
Relevance to Our Work
Guests drawn by retro and novelty aspects of the retromodem and coolretroterm
Guests not normally interested in Fedora were happy to download a free PDF to learn how to build a similar setup at home with Fedora.
There was the concern that 9600 bps max would be too slow for guests, but people seemed perfectly fine with text whizzing by onscreen relatively quickly
Conversations would dovetail discussions in the CentOS side of the booth and vice-versa. This synergy brought in various guests and their associates for various reasons, encouraging the community aspect.
From start to finish, Fedora booth visitation highly visited
Fedora Hatch Day sessions were well attended. Most of the morning sessions appeared full or near full. Definitely must have for SCALE 24x.
Standing banners could be revised to include an easy to get to website and clear QR code
Fedora Account creation and badge claiming could be an easier process. It takes about 15-20 minutes just to set one up. Could this process be reviewed and possibly streamlined?
Do users running Fedora 2 revs below current get regularly reminded to update to prevent adverse security issues?
Our Fedora and CentOS Booths
@lajuggler and Kyle
@lajuggler, Bala, and Ilan
The awesome crew at Valkey
@lajuggler and @bcotton
@paradoxguitarist and @jflory
@lajuggler
@carlwgeorge
@lajuggler and Siggy
Our Fedora Booth
@spot and @lajuggler
Kubernetes in a backpage project
@lajuggler and Thomas
Dessert at game night had a strong Tux vibe
@lajuggler and Arthur
Lanyards and pens
@lajuggler and Jerry
Carlos Meza
Ilan
Mark Russinovich
@carlwgeorge
@davdunc and @lajuggler
@lajuggler and Phillip Banks
@lajuggler and Arian
@lajuggler and Jeff
Doug Comer
@lajuggler and Doug Comer
We had a fantastic turnout of about 3,000 Linux guests and a stellar Fedora Hatch Day.
A huge thank you to:
All Speakers: For sharing your expertise and time with the community.
All Volunteers: This event wouldn’t have been possible without the folks who managed the booths, and logistics.
À force d’utiliser des gestionnaires de presse-papiers au quotidien, difficile de revenir en arrière. Après GPaste puis CopyQ, j’ai découvert Copyous, une extension GNOME légère, rapide et parfaitement intégrée au bureau.
En migrant de Fedora 43 vers Fedora 44, j’en ai profité pour revoir mon terminal principal. Après GNOME Terminal, Tilix puis Ptyxis, j’ai finalement adopté Ghostty : un terminal moderne, rapide et minimaliste. Voici pourquoi ce choix m’a convaincu, ainsi que ma configuration complète avec thème Nord, Zsh et quelques ajustements utiles pour SSH.
Did a number of reinstalls for RHEL9 hosts moving to RHEL10 and some Fedora 42
hosts moving to Fedora 44. Most of these are pretty easy, just setup things
and run ansible, but there's a few tricky hosts that are not in our main
datacenter I've been trying to do.
This includes a donated server that was 12 years old. It's served long and
well, but it's too old for RHEL10. Luckily the donating company was happy
to provision us a newer/better host.
Coming up soon will be moving the koji builders from f43 to f44.
I'm hoping we can get the bulk of this done before flock.
502's and AI
For a while now we have had sporadic 502 ( thats "Bad Gateway") errors on koji
and to a more limited extend on src.fedoraproject.org. They have been super hard
to track down and we have tried a number of adjustments based on a number of theories.
This week, I decided to try and really find the cause, and why not also try
some of these AI agents that are so good these days. So, I spent a lot of time
on monday with claude trying to get somewhere. I found claude to be somewhat
useful as a rubber duck and it did point me in some good directions at first.
However, it seemed to loose track of context that happened in the very same
session, like we determined that apache was not logging any 502's at all, but
it kept asking me to enable apache debugging and look at apache logs. no.
It also seemed amusingly unaware of anubis ("what is this anubis application?").
It also did help me actually make a patch for anubis to add debugging as
I know not much about golang. I was able to add that and get more clarity
as to what was happening. On the other side I felt... off after using it
much of the day monday. It may have been the way I was using it, but it
seemed like it was directing the conversation and it was easy for me to just
go along, but actually figuring things out required me to think about how
things were setup more and be more pointed in questions. I think if I hadn't
known a lot about how things were setup, and just let it drive it would
have resulted in no answers and a lot of wasted time/tokens/efforts.
So, I am still somewhat of a skeptic. I think there are uses for AI, but
it's a tool that isn't good for everything.
The actual problem is that on POST requests (only), sometimes, apache is sending
a 200 back from the backend with the results of the request and anubis gets a
EOL when reading it. This causes anubis to send the 502 back to the user.
I am not sure why this happens. Some possible theories:
There's a configuration problem with apache and somehow it's tearing down
reverseproxy replies before anubis can finish reading them.
There's a bug in apache doing above.
There's a bug in go's proxy support thats causing it to not read some
replies correctly.
something else
I did file an anubis bug, but unclear if anubis is really to blame here.
So, since this is only happening on POSTs, and since we already just ALLOW
those in anubis (ie, it doesn't challenge on POSTs), I just set things to
bypass anubus for POST requests (for koji.fedoraproject.org and src.fedoraproject.org).
This works around the bug/issue for now and users should no longer see 502s.
There was a series of kernel security issues this week. I helped out pushing them
out to stable updates in a timely manner, but also I have:
Added two more builders to the secure-boot channel. Should allow more kernel
builds to happen and the ones that are to be faster.
For some reason (likely my fault) there were only a few ppc64le builders available
in the secureboot channel. I added tons more. This was causing kernel builds to
sometimes sit in buildSRPMfromSCM jobs to make the initial src.rpm. Should be better now
We put mitigations in place for hosts that have local users, but we will
likely be doing a update/reboot cycle soon. Week after next perhaps?
s390x maintainer test instance
I decided to poke at the s390x maintainer test instance again. I had managed to
get resources from the LinuxONE community cloud a long while back, but they do
not offer (or have any plans to offer) Fedora instances.
I tried a number of kexec tricks to get a rhel9 instance to reboot into the
fedora 44 installer without much luck. Finally I was able to get a script from
Dan Horak that did all the right magic.
So, the instance installed just fine after that and I got it all setup.
s390x-test01.fedorainfracloud.org should be available for packagers to test
package builds on now.
This is a report created by CLE Team, which is a team containing community members working in various Fedora groups for example Infrastructure, Release Engineering, Quality etc. This team is also moving forward some initiatives inside Fedora project.
Week: 11 – 15 May 2026
Fedora Infrastructure
This team is taking care of day to day business regarding Fedora Infrastructure. It’s responsible for services running in Fedora infrastructure. Ticket tracker
This team is taking care of day to day business regarding CentOS Infrastructure and CentOS Stream Infrastructure. It’s responsible for services running in CentOS Infrastructure and CentOS Stream. CentOS ticket tracker CentOS Stream ticket tracker
This team is taking care of day to day business regarding Fedora releases. It’s responsible for releases, retirement process of packages and package builds. Ticket tracker
Fedora Release Engineering focused this week on Fedora 44 post-release stabilization, compose tooling improvements, and ongoing Forgejo migration work. The team also continued Fedora 45 coordination, infrastructure cleanup, and automation enhancements to improve operational reliability and reduce technical debt.
Completed Fedora 44 post-release cleanup and stabilization work
Reworked failed compose cleanup tooling to support Forgejo and remove remaining Pagure dependencies
Managed and updated the current RelEng sprint board
Continued Fedora 45 tracking and coordination work
Progressed ongoing migration and infrastructure modernization tasks
Assisted with maintainer processing and cleanup workflows
Investigated compose metadata handling improvements for Beta/RC/Final differentiation
Coordinated on ELN and Rawhide related operational issues
RISC-V
This is the summary of the work done regarding the RISC-V architecture in Fedora.
F44 rebuild: it’s almost done—less than 2K packages remaining (big credit to David here). Transition from CMake 3 to 4 and a couple of other solvable issues are causing some delays, but things are moving.
Work with a developer at a hardware vendor (SpacemiT) to get a 3-week access to RVA23 machine.
Study the hardware, documentation
Jason from Red Hat is looking to integrate K3 kernel support into Fedora “omni” kernels.
Started doing benchmarks of heavy-duty packages such as kernel, LLVM, glibc, QEMU and more. Details in this ticking ticket.
We’ll share these comparative at Flock RISC-V update
Explore a potential demo at Flock, logistics permitting
Debugged and found the root cause of a kernel build failure on RVA23 hardware
Work with Matthew to get two units of K3 hardware to be shipped for David (Meta) and Jason (Red Hat) for Fedora Koji builders
Analyzed the root-cause of an ‘io_uring’ error in ‘nbdkit’ with Rich and Andrea.
QE
This team is taking care of quality of Fedora. Maintaining CI, organizing test days and keeping an eye on overall quality of Fedora releases.
dirtyfrag update scramble, Podman test days, ongoing “quiet time” work: openQA test dev, ELN collaboration and test enhancement, tech debt repayment
Another fun branded kernel CVE scramble – got dirtyfrag updates tested and released within hours after submission
Uncovered a regression in GNOME Software potentially causing users (under certain conditions) to see a lower frequency of system updates delivery/notification. Fixed the regression together with the developer.
openQA test dev: gnome-initial-setup test merged and in production, Silverblue installer build test ported to image-builder to match prod, ongoing smaller fixes/improvements
ELN work: collaborating with yselkowitz and jforbes to try and get independent gating of ELN kernel updates, ongoing work on making rmdepcheck work correctly on ELN, adapted openQA tests to changes in ELN release packages, reported several notable bugs
Fedora 44 is out, and in this post we’d like to highlight the top Fedora Quality contributors who helped us reach the finish line. Releasing Fedora is a shared effort, and Fedora wouldn’t be a high-quality distribution without its community. Every single person who helped us detect and resolve issues, or verify that things work as expected, deserves our gratitude, thank you!
If you haven’t participated yet in testing Fedora, perhaps you’d like to give it a try? We gladly welcome everyone. Please look at our Fedora Quality homepage.
Test cases validation
Our release validation efforts consist of running lots of test cases on the upcoming Fedora release composes. Here’s an example of a Fedora 44 release candidate. We have lots of tables like these, see Fedora 44 test results. All test cases which are not automated yet (or which are intentionally manual) need to be verified by people.
Test period: Fedora 44 branch time – Fedora 44 Final release Contributors: 19 Test cases executed: 1380 Unique referenced bugs: 20
1 This is a list of bug reports referenced in test cases results. The bug itself may not be created by the same person.
Reporting bugs
When a new problem is found, we rely on people reporting it. Not every problem can be fixed, but the better data we have, the better we can prioritize and focus on the most important ones. Especially serious bugs can be even proposed as release blockers.
Test period: Fedora 44 branch time – Fedora 44 Beta (2026-02-03 – 2026-03-10) Contributors: 84 Bug reports submitted: 182
…and also 221 other reporters who created less than 3 reports each, but 252 reports combined!
1 The total number of new bug reports (including “excess reports”). Reopened reports or reports with a changed version are not included, because it was not technically easy to retrieve those. This is one of the reasons why you shouldn’t take the numbers too seriously, but just as interesting and fun data. 2 Excess reports are those that were closed as NOTABUG, WONTFIX, WORKSFORME, CANTFIX or INSUFFICIENT_DATA. Excess reports are not necessarily a bad thing, but they make for interesting statistics. Close manual inspection is required to separate valuable excess reports from those which are less valuable. 3 This only includes reports that were created by that particular user and accepted as blockers afterwards. The user might have proposed other people’s reports as blockers, but this is not reflected in this number.
Testing proposed updates
When software packages are updated in Fedora (bringing bug fixes and new features), they are not released to end users immediately. They first go to the updates-testing repository, where they undergo automated testing, and also await manual feedback from human testers. This feedback can be provided through Bodhi, either by using its web interface or CLI tools, see instructions. Alerting package maintainers by posting a negative feedback with a problem description can stop the update from reaching general audience and causing issues to all our users. Testing proposed updates is a simple, yet vital process for keeping Fedora releases of high quality during their whole lifecycle. It is used both for already stable and in-development Fedora releases.
Test period: Fedora 44 branch time – Fedora 44 Final release (2026-02-03 – 2026-04-28) Contributors: 147 Updates commented1: 1428
…and also 116 other testers who commented on less than 5 updates each, but 165 comments combined!
1 If a person provides multiple comments to a single update, it is considered as a single comment. Karma value is not taken into account.
Test days participation
Test Days are events which are partly focused on testing Changes planned for an upcoming Fedora release, but they also regularly test important areas of the Fedora distribution, like upgrades, internationalization, graphical drivers, desktop environments, kernel updates, and others. The upcoming and past events can be seen in our Testdays app.
Test period: Fedora 44 branch time – Fedora 44 Final release Contributors: 98 Test cases executed: 698
Name
Test cases executed
lpavan
42
mcrha
36
adriend
34
tagoh
27
pnemade
23
16levels
23
lruzicka
17
stransky
16
michal odehnal
16
pschindl
15
jgrulich
15
alciregi
15
psklenar
12
dkricka
12
jpb21
12
romangherta
12
royboy626
11
twinkle28
11
vhumpa
11
alangm1001
11
pyadav
10
rduda
10
paolojr
10
dtunma
10
bittin
9
pauloheaven
9
jgroman
8
derekenz
8
gornikfan
8
tdawson
8
vsembiba
8
mkasik
8
clnetbox
8
mzink
8
…and also 64 other testers who executed less than 8 updates each
I find it so funny that I estimated the test deployment at 3 story points; at this point I’m at like 40 with the amount of work I put into this.
But thanks to Claude it’s pretty fast to diagnose and solve problems.
This time I even let it run oc commands, even oc rsh, but I never allowed commands that would change things or write to remote services. Everything stayed local.
This period is open until Thursday, 2026-05-21 at 23:59:59 UTC.
Candidates may self-nominate. If you nominate someone else, check with them first to ensure that they are willing to be nominated before submitting their name.
Nominees do not yet need to complete an interview. However, interviews are mandatory for all nominees. Nominees not having their interview ready by end of the Interview period (2026-05-28) will be disqualified and removed from the election. Nominees will submit questionnaire answers via a private Pagure issue after the nomination period closes on Thursday, 2026-05-21. Either the interim F44 Election Wrangler (Justin Wheeler) or the Fedora Operations Architect (Aoife Moloney) will publish the interviews to the Community Blog before the start of the voting period on Friday, 2026-05-29.
All elected seats are for two-release terms (approximately twelve months). For FESCo specifically, a new two-term consecutive limit was introduced in this election cycle. For more information about FESCo, please visit the FESCo docs.
The full schedule of the elections is available on the Elections schedule. For more information about the elections, process see the Elections docs.
This is not a bug in Flatpak. Flatpak allows sandboxed applications to open URIs or files, meaning the sandboxed application may use a URI or file path to launch another application to open the URI or file. This is brokered via the OpenURI portal. The portal or the app may decide to require user interaction to decide which app to launch, but user interaction is generally not required. This is necessary: you would get pretty frustrated if you were prompted to select which app to use every time you click on a link or try to open something! Accordingly, unsandboxed applications that are installed on the host system are somewhat risky: any malicious sandboxed app may launch an unsandboxed app using a malicious file, generally with no user interaction required. Unsandboxed applications installed on the host OS are inherently part of the attack surface of the Flatpak sandbox.
In this case, a sandboxed application may launch Yelp to open a malicious help file. The help file can then exfiltrate arbitrary files from your host OS to a web server by using a CSS stylesheet embedded in an SVG. Suffice to say the attack is pretty clever, and certainly more impactful than the typical boring memory safety bugs I more commonly see.
This bug was discovered by Codean Labs, which performed a security audit of Flatpak and several GNOME projects thanks to generous sponsorship by the Sovereign Tech Resilience program of Germany’s Sovereign Tech Agency.
This is my personal opinion and I’m going straight to the point, no intro.
AI assistants such as Claude Code, Cursor, OpenCode, OpenClaw, and others are
so addictive for anyone who loves building things.
Software engineers are not going anywhere. Instead, we’re getting excavators
and ditching our shovels.
I authored 192 commits this year (as of May 2026) without writing a single
feature solely myself. I still edit files, but mostly out of convenience. If I
need just one or two lines changed, it’s faster doing it myself than asking
Claude.
Another week has gone by and so time for another bit of round up and
longer form information about the last week for me in Fedora infra.
deploymentconfig to deployment
I finally managed to merge the last of the pull requests moving our
applications from the old deploymentconfig (openshift specific, depreciated)
to deployment (k8s, standard).
I'd like to thank Pedro my co-worker for all the pull requests.
Things were unfortunately anoying at times, as we had some things that
were not working in staging (and I had to fix that to test) or had
odd deploymentconfigs and needed tweaking.
Anyhow, it's all done, we are moved. Great to have that technical debt
all taken care of.
bunch of kernel security issues
As anyone folling linux news knows, there was a series of kernel security
bugs out this week. They were bad in that they were local user to root
and easy to exploit. We pushed out fedora kernel fixes for all these on
friday, but were delayed a bit by the next item below.
Folks are seeing a lot more security related reports of late and it is
indeed likely AI is helping find them. However, in all these cases as far
as I can tell, humans decided to explore the area and Ai simply helped
them zero in on a exploitable path.
I'm sure there will be more. So, keep applying updates, make sure any
local users really need to exist and in the end we should have a more
secure world I hope.
builder capacity / speed
This last week also had discussion about s390x resources (on the fedora
devel list and in the FRCL meeting). s390x is definitely the arch
we have that hits backlogs and is 'slowest' (for some values of slowest).
I was fully away of the 'long builds filling the pipeline' problem there.
That is: a bunch of builds that take a long time are submitted, and
they monopolize the builders, causing all other builds to just sit
and wait for one of them to finish. The solution to that is to have
more builders, so builds can always keep flowing. We can/do have this
for all the other arches, but we don't have nearly as many builders
on s390x. The other side of the balance however is that if you have
lots more smaller builders, those builds that normally take a long time
will take even longer. This problem happens perhaps a few times
a week (often it seems like monday morning, perhaps lots of people
like to do builds then?).
But there was also mention of ppc64le builds being slow.
We did already plan to get another power10 server later this year
because we can see that the two we have are pretty busy.
However, I don't see the slowness that people seem to see.
Taking at random the last rust build for rawhide:
x86_64 - 2 hours 20min
aarch64 - 2 hours 58min
ppc64le - 3 hours 1min
s390x - 4 hours 58min
So, yeah, s390x is slowest (likely because of less cpus for builders there).
But ppc64le is only a few min behind aarch64.
Of course thats just one random package. If you are seeing ppc64le
be wildly slower than the others, please file a infra ticket and we
can look into it. It might be something in the setup, tools, a
specific builder having problems or something else, but if we don't
know about a problem we cannot look.
There were even some people mentioning aarch64 being slow, but
I cannot see that at all. We have a bunch of aarch64 resources now
and lots of builders and they are all really fast. If you are seeing
aarch64 being slow, please do report that too. It may be again tools
or specific builder having some issue or something else we can not do
anything about, but we would like to know about the problem at the
very least.
I didn't see anyone saying x86_64 was slow, so I guess thats good?
s390x outage
Quite unfortunately, we had a complete outage of our s390x builders this
week. They failed on wed morning and were back up friday morning.
I wasn't working directly on the problem, just watching and conveying
information back from the folks doing the work to the community.
I'd like to commend the IBM techs and Red Hat folks working on this.
Including the tech that came back at 1am to replace things.
I'm sure there is going to be a retrospective of this and why it
happened and what can be fixed so it doesn't happen again.
The Fedora ELN SIG maintains a tool called ELNBuildSync (or EBS) which is responsible for monitoring traffic on the Fedora Messaging Bus and listening for Koji tagging events. When a package is tagged into Rawhide (meaning it has passed Fedora QA Gating and is headed to the official repositories), EBS checks whether it’s on the list of packages targeted for Fedora ELN or ELN Extras and enqueues it for the next batch of builds.
A batch begins when there are one or more enqueued builds and at least sixty wallclock seconds have passed since a build has been enqueued. This allows EBS to capture events such as a complete side-tag being merged into Rawhide at once; it will always rebuild those together in a batch. Once a batch begins, EBS stops accepting messages from the Fedora Messaging Bus. The messages remain enqueued and awaiting processing. When the current batch is complete, EBS will resume accepting messages and a new batch will begin.
The first thing that is done when processing a batch is to create a new side-tag derived from the ELN buildroot. Into the new target associated with this side-tag (which will be referred to as the “build tag” from now on), EBS will tag most1 of the Rawhide builds. It will then wait until Koji has regenerated the buildroot for the batch tag before triggering the rebuild of the batched packages. This strategy avoids most of the ordering issues (particularly bootstrap loops) inherent in rebuilding a side-tag, because we can rely on the Rawhide builds having already succeeded.
Once the preparations are complete, we divide the batch up into one or more “batch slices”. The EBS configuration file contains information about certain packages that must be built and added to the buildroot before or after other packages. (Most packages will be part of the same primary slice, but some packages must be built early, such as llvm). EBS triggers all of the builds for a batch slice in the side-tag concurrently, sourcing the content from the git commit that was used to build the triggering Rawhide build. This is to ensure we are building the same content, in case dist-git has received subsequent changes. EBS monitors these builds for completion. Internally, we call these “rebuild attempts”.
Once all of the tasks in a rebuild attempt have completed (successfully or not), EBS will trigger another rebuild attempt of the failures. While a heavyweight solution, this helps us avoid failures due to infrastructure outages, flaky tests and bootstrapping issues not covered by the Rawhide build tagging. Rebuild attempts will continue to be initiated until the same number of failures occurs twice in a row. At that point, we assume they are legitimate build issues and we continue on.
Once all of the rebuild attempts have concluded, EBS moves on to the next slice in order until they have all completed, at which point, the next phase of operation begins: errata creation.
In earlier versions of ELNBuildSync, EBS would now tag all successful builds into the eln-updates-candidate tag and then remove the build tag. The effect of this would be to trigger Bodhi to generate an erratum for each individual package in the batch.
In modern versions of ELNBuildSync, it will now create a second2 side-tag (call it the “errata tag”). EBS then tags all of the successful package builds from the batch into this new errata tag. This ensures that the tag contains only the new ELN builds and none of the Rawhide packages that were tagged into the build tag. From there, EBS talks to Bodhi via its public API and requests that a single Bodhi update erratum be created for all of the packages in this errata tag. This is done to reduce the load on Fedora QA, as the infrastructure there is far better equipped to deal with a single update of a few hundred packages than it is with a few hundred separate updates.
At this point, the batch is complete and EBS moves on to preparing another batch, if there are packages waiting.
History
In its first incarnation, ELNBuildSync (at the time known as DistroBuildSync) was very simplistic. It listened for tag events on Rawhide, checked them against its list and then triggered a build in the ELN target. Very quickly, the ELN SIG realized that this had significant limitations, particularly in the case of packages building in side-tags (which was becoming more common as the era of on-demand side-tags began). One of the main benefits of side-tags is the ability to rebuild packages that depend on one another in the proper order; this was lost in the BuildSync process and many times builds were happening out of order, resulting in packages with the same NVR as Rawhide but incorrectly built against older versions of their dependencies.
Initially, the ELN SIG tried to design a way to exactly mirror the build process in the side-tags, but that resulted in its own new set of problems. First of all, it would be very slow; the only way to guarantee that side-tags are built against the same version of their dependencies as the Rawhide version would be to perform all of those builds serially. Secondly, even determining the order of operations in a side-tag after it already happened turned out to be prohibitively difficult.
Instead, the ELN SIG recognized that the Fedora Rawhide packagers had already done the hardest part. Instead of trying to replicate their work in an overly-complicated manner, instead the tool would just take advantage of the existing builds. Now, prior to triggering a build for ELN, the tool would first tag the current Rawhide builds into ELN and wait for them to be added to the Koji buildroot. This solved about 90% of the problems in a generic manner without engineering an excessively complicated side-tag approach. Naturally, it wasn’t a perfect solution, but it got a lot further. (See below for “Why are some package not tagged into the batch side-tag?” for more details.
A more recent modification to this strategy came about as CentOS Stream 10 started to come into the picture. With the intent to bootstrap CS 10 initially from ELN, tagging Rawhide packages to the ELN tag suddenly became a problem, as CS 10 needs to use that tag event as its trigger. The solution here was not to tag Rawhide builds into Fedora ELN directly, but instead to create a new ELN side-tag target where we could tag them, build the ELN packages there and then tag the successful builds into ELN. As a result, CS 10 builds were only triggered on ELN successes.
In late 2025, Fedora QA came to the ELN SIG and requested that we find some way to reduce the number of individual errata we were generating, as when they attempted to turn on automated testing for ELN, the result was an overload and significant queuing around mass-rebuilds and other large batches. When it got to the point that the Standard Operating Procedure for mass-rebuilds included disabling all the tests for ELN, it became clear that changes were needed and EBS was modified to start directly requesting errata for all the builds in the batch instead.
Frequently Asked Questions
Why does it sometimes take a long time for my package to be rebuilt?
Not all batches are created equal. Sometimes, there will be an ongoing batch with one or more packages whose build takes a very long time to complete. (e.g. gcc, firefox, LibreOffice). This can lead to up to a day’s lag in even getting enqueued. Even if your package was part of the same batch, it will still wait for all packages in the batch to complete before the tag occurs.
As of this writing, we are currently investigating having certain extremely large packages built and tagged directly and without batching in order to shorten the average batch time.
Why do batches not run in parallel?
Simply put, until the previous batch is complete, there’s no way to know if a further batch relies on one or more changes from the previous batch. This is a problem we’re hoping might have a solution down the line, if it becomes possible to create “nested” side-tags (side-tags derived from another side-tag instead of a base tag). Today however, serialization is the only safe approach.
Why are some packages not tagged into the batch side-tag?
Some packages have known incompatibilities, such as libllvm and OCAML. The libraries produced in the ELN build and Rawhide build are API or ABI incompatible and therefore cannot be tagged in safely. We have to rely on the previous ELN version of the build in the buildroot.
Why do you not tag successes back into ELN immediately?
Despite the fact that we do not block ELN builds going to the stable repository based on test results, we do want to know about and address any issues revealed. Many packages are interdependent and it’s far simpler to test the result of all the builds collectively, once we know they have all been rebuilt.
There are certain packages that we exclude from this so that the Rawhide package is not used in the ELN buildroot; see the skip_tag section of the configuration file for the current set. ︎
In the case of very large batches (such as mass-rebuilds), the set of packages may be split into more than one Bodhi update, to avoid in overtaxing things. ︎
During my work on the RISC-V 64-bit architecture port of Fedora, I created
several pull requests to Fedora packages. And some were stalled…
Non-responsive maintainer process
Fedora project has a process called ‘non-responsive maintainer’.
You check is maintainer on vacation, check latest activity and open a bug asking
for action.
The problem was that it linked to fedora_active_user.py script
which does not work since Fedora 41. During cycle of that release the
python-fedora package got retired and no one updated the script.
Let me look
As my actions brought some complains (and some discussions) I decided to take a
look at the script and make it work with current Fedora releases. Created pull
request, mailed original author etc.
There was no answer of any kind so I decided to take over maintaining the
script. Rewrote it to be Python 3 only, moved from urllib to requests,
refactored some repeated code into functions etc.
Then started checking service by service how to get things working better.
Turned out that script had several assumptions which not always apply.
FAS has separate email for Bugzilla
Fedora Accounts Service (FAS) has a separate field for the Bugzilla email. I did
not had to look for testing accounts for this because that’s my case — I use
‘short’ Red Hat email in Bugzilla due to Single Sign-On (SSO) service we use and
my ‘long’ one for the rest. So fedora-active-user script grabs user
information from FAS and checks for separate Bugzilla email and use it if present.
FAS query requires Kerberos
To query FAS you need Kerberos ticket. Both urllib and requests packages
have a way to use it for authentication — one extra package is needed to make
it work.
Lack of valid ticket is caught and info is provided to the user.
Bugzilla is tricky
Querying Bugzilla service is the trickiest part. You can request data but there
is no warranty that you get the latest one. Sure, there is the ‘order’ field for
a query but it feels like a mere suggestion. It is nothing strange to get 2008
entries next to 2023 ones.
Wanna help?
For now, I am hosting
fedora-active-user on GitHub. Will
move it to Fedora Forge later this year. Feel free to open issues, send pull
requests if you have suggestions or changes.
Current version is not the best one. It is a bit better than it was two weeks ago.
At the moment package is present in Fedora rawhide. I am waiting for branches
for stable releases and updates will follow.
Example output
$ fedora-active-user --user hrw
Last action on koji:
2026-05-04 built fedora-active-user-26.05.04-1.fc45
2024-09-12 built python-system-calls-6.11.0-1.fc42
2024-01-08 built python-system-calls-6.7.0-1.fc40
2023-09-18 built python-system-calls-6.6.0-1.fc40
2023-05-08 built python-system-calls-6.4.0-2.fc39
2022-08-06 built python-system-calls-5.19.0-2.fc37
2022-07-25 built python-system-calls-5.19.0-1.fc36
2022-07-25 built python-system-calls-5.19.0-1.fc37
2022-01-10 built python-system-calls-5.16.2-1.fc36
2021-11-15 built python-system-calls-5.16.0-1.fc35
Last package updates on bodhi:
2026-05-04 fedora-active-user-26.05.04-1.fc45
2024-09-12 python-system-calls-6.11.0-1.fc42
2024-01-08 python-system-calls-6.7.0-1.fc40
2023-09-18 python-system-calls-6.6.0-1.fc40
2023-05-08 python-system-calls-6.4.0-2.fc39
2022-08-06 python-system-calls-5.19.0-2.fc37
2022-07-25 python-system-calls-5.19.0-1.fc36
2022-07-25 python-system-calls-5.19.0-1.fc37
2022-01-10 python-system-calls-5.16.2-1.fc36
2021-11-15 python-system-calls-5.16.0-1.fc35
2021-11-15 python-system-calls-5.16.0-1.fc36
2021-09-21 python-system-calls-5.15.5-1.fc36
Last actions performed according to fedmsg:
2026-05-04 hrw commented on the pull-request rpms/prusa-slicer#67
2026-05-04 hrw's Badges rank changed from 272 to 260
2026-05-04 hrw was awarded the badge `Missed the Train`
2026-05-04 hrw commented on update fedora-active-user-26.05.04-1.fc45 (karma: 0)
2026-05-04 fedora-active-user-26.05.04-1.fc45 was tagged into f45 by bodhi
2026-05-04 fedora-active-user-26.05.04-1.fc45 was untagged from f45-updates-candid
2026-05-04 hrw's fedora-active-user-26.05.04-1.fc45 bodhi update has met stable te
2026-05-04 fedora-active-user-26.05.04-1.fc45 was untagged from f45-updates-testin
2026-05-04 fedora-active-user-26.05.04-1.fc45 was tagged into f45-updates-testing-
2026-05-04 fedora-active-user-26.05.04-1.fc45 was untagged from f45-signing-pendin
Last emails on Fedora mailing lists:
2026-04-29 mjuszkiewicz@redhat.com as Marcin Juszkiewicz mailed devel@lists.fedora
2026-04-17 mjuszkiewicz@redhat.com as Marcin Juszkiewicz mailed devel@lists.fedora
2026-04-17 mjuszkiewicz@redhat.com as Marcin Juszkiewicz mailed devel@lists.fedora
2026-04-17 mjuszkiewicz@redhat.com as Marcin Juszkiewicz mailed devel@lists.fedora
2026-04-17 mjuszkiewicz@redhat.com as Marcin Juszkiewicz mailed devel@lists.fedora
2026-04-17 mjuszkiewicz@redhat.com as Marcin Juszkiewicz mailed devel@lists.fedora
2026-04-17 mjuszkiewicz@redhat.com as Marcin Juszkiewicz mailed devel@lists.fedora
2026-04-17 mjuszkiewicz@redhat.com as Marcin Juszkiewicz mailed devel@lists.fedora
2026-04-17 mjuszkiewicz@redhat.com as Marcin Juszkiewicz mailed devel@lists.fedora
2026-04-17 mjuszkiewicz@redhat.com as Marcin Juszkiewicz mailed devel@lists.fedora
Bugzilla activity (may not be the latest):
No activity found on Bugzilla
Looks like I still need to work on querying Bugzilla ;D
I'm back from my vacation, so time for another weekly recap...
Vacation
Week before last I had a lovely time away in hawaii (The big island).
I saw volcanoes (we missing lava fountaining by like 15minutes), lava
tubes (really cool (literally) and dark), botanical gardens (unreal flowers),
had a dinner/sunset cruise with history and finally a sunset/stargazing
trip to the top of mona kea. Super fun! Wish I had another week there to
lounge on the beach. If you ever have a chance to go, take it!
I did look at my email and such the first day or so, but after that
I was too busy and never took my laptop out even until I got back.
Fedora 44 released!
Of course first thing monday on getting back was that we were go for
fedora 44 release tuesday!
Release went pretty smoothly overall and I hope everyone enjoys the release.
Infra freeze ends
Of course with the release on tuesday, we end our infrastructure freeze on
wed. For some reason this time we had a pretty big pile of pending pull
requests, which I attempted to merge and deploy.
The bulk of them were moving our openshift applications from deploymentconfig
(which was a openshift specific object) to deployment (which is a k8s native
object). Openshift still supports deploymentconfig, but it will go away
and it sprews deprecation notices and the sooner we get moved the better.
I ran into some problems with a few applications that had preexisting
issues in staging when I went to test there. There were also some problems
on some applications with selectors (where it chooses how to map a service
on to a deployment). In one case (fmn) the app had two builds for two
different things and one of them was a newer api version and updated
the database, but then the second one couldn't handle that. Had to update
it upstream to get the db versions to match.
Anyhow, there's only a very few left now. Looking forward to being done
paying down this tech debt. :)
scrapers
What weekly recap would be complete without some scraper news? :)
This time they started hitting cgit links on fedorapeople.org (where
contributors can have git repos). I setup anubis there which mostly
quashed them. That did break some redirects tho, so we will need
to fix that.
Scrapers have also been hitting the wiki pretty hard from time to time.
It's not easy to just put that behind anubis because it's in the base
fedoraproject.org domain and we don't want some things there behind it.
For now we just increased resources for the backend, but we will probibly
have to figure out how to setup anubis there before long.
It’s the first day of May, and it’s time for another update on what’s been happening at the GNOME Foundation. It’s been two weeks since my last post, and this update covers highlights of what we’ve been doing since then.
Remembering Seth Nickell
This week we received the very sad news of the death of Seth Nickell. It’s been a long time since Seth was active in the GNOME project, so many of our members won’t be familiar with him or his work. However, Seth played an important part in GNOME’s history, and was a special and unique character.
Jonathan wrote a wonderful post about Seth, with some great stories. Federico migrated the memorial page from the old wiki to the handbook, and added Seth there (work is currently ongoing to develop that page). Seth’s death has also been covered by LWN, which includes dedications from GNOME contributors.
Whether you knew Seth or came to GNOME after his time, I think we can all appreciate the contributions that he made, which live on in the project and wider ecosystem to this day.
GNOME Fellowship
Applications for the first round of the new GNOME Fellowship program closed last week, on 20th April. We had a great response and received some excellent proposals, and now we have the tough job of deciding who is going to receive support through the program.
To that end, the Fellowship Committee met this week to review the proposals and begin the selection process. We have identified a shortlist of candidates, and will be meeting again next week to narrow the selection further.
Since this is the first round of the Fellowship, we are establishing the selection process as we go. Hopefully we’ll get to put this to use again in future Fellowship rounds!
Conferences
Linux App Summit (LAS) will be held in Berlin on 16-17 May – that’s in a little over two weeks! The schedule has been finalized and looks great, and this year’s LAS is shaping up to be a fantastic event. Please do consider going, and please do register!
Due to high demand, the organizing team have decided to stream the talks from this year, so look out for details about remote participation.
Aside from LAS, preparations for July’s GUADEC conference continue to be worked on. Travel sponsorship is still available if you need assistance in order to attend, so do consider applying for that.
Office transitions ongoing
Work to update many of our backoffice systems and processes has continued at a steady pace over the past fortnight. Many of the big moves are done (new payments system, email accounts, mailing system, accounting procedures, credit card platform), and we are now firmly in the final stages, making sure that our new address is used everywhere, emails are going to the right places, recurring payments are transferred over to new credit cards, and vendors are setup on the new payments system.
The value of this work is already showing, with smoother accounting procedures, more up to date finance reports, and better tracking of incoming queries.
That’s it for this update. Thanks for reading, and take care.
GNOME is once again participating in GSoC. This year, we have 6 contributors working on adding Debug Adapter Protocol support to GJS, incorporating vocab-style puzzles into GNOME Crosswords, creating a native GTK4/Rust rewrite of the Pitivi timeline ruler, porting gitg to GTK4, implementing app uninstallation in the GNOME Shell app grid, and enabling recovery from GPU resets.
As we onboard the contributors, we will be adding them to Planet GNOME, where you can get to know them better and follow their project updates.
GSoC is a great opportunity to welcome new people into our project. Please help them get started and make them feel at home in our community!
Special thanks to our community mentors, who are donating their time and energy to help welcome and guide our new contributors: Philip Chimento, Jonathan Blandford, Yatin, Alex Băluț, Alberto Fanjul, Adrian Vovk, Jonas Ådahl, and Robert Mader.
Trigger warning: this is a report about how
Debianism prefers abusers to those who consistently and
compassionately helped victims of abuse.
Those who dare to look up the public court records about
Jeremy Bicha have been shocked and in some cases unable to sleep
after reading how he exploited every bodily orifice of his little sisters
when they were six and nine years old. Yet I feel a possibility that
Jeremy Bicha himself is now being exploited to make us feel
shock and to soften us up for future revelations about unnamed oligarchs
in the open source eco-system. There have been many falsified rumours
about abuse over the years,
such as the conspiracy against Dr Jacob Appelbaum. Whenever we get
to the point that the leader of some so-called community really is
put on trial for real abuse, the victims are unlikely to have suffered as
extensively as
Bicha's little sisters.
I didn't write and publish this report to start a lynching against
Jeremy Bicha himself. He has confessed his crimes which is much more
than can be said for other sex pests. The real reason for the report is
to look at the decisions that organisations have made putting a
registered sex offender on a pedestal but in the case of commercial
rivals or people who made mistakes with pronouns, we are being censored
and harassed by the oligarchs for the most mundane mistakes.
The BBC is in fresh trouble over their pre-existing knowledge of a scandal
involving
Scott Mills. It was a major story in the
UK the week before Easter and then it disappeared. I suspect that sooner
or later we will hear more details.
Almost every day there is a fresh news report about
Jeffrey Epstein. During the trial of
Ghislaine Maxwell, she told us her partner,
Epstein, needed to
be with a woman at least three times per day. People with children or
teenage daughters will feel very uncomfortable about having these men around.
Less than two percent of Debian Developers are female but at
DebConf almost one in three participants is in the
gay/transgender/Zizian set. In the wider population it is only one in
ten people.
These people don't have children. They don't think about having children.
They don't spend a lot of time thinking about the risks. Having a
registered sex offender present at the after-party may be on the
bucket list for some of these people. They are willing to risk other people's
children and tarnish Debian's reputation so they can have something
unusual at the after-party.
For people who do have children, they don't go to the
DebConf orgy groups but they do stay up all night reading through reports
like this to try and work out whether the risk is acceptable or not.
The
Debian Suicide Cluster correlates with a culture of
violence and humiliations. Coincidentally, rape and abuse are also about
violence and humiliation. Adding a
registered sex offender to the group only reinforces those existing
Debian character traits when we need to be looking for the opposite,
people who serve to neutralise those cultural defects.
News that a
Registered Sex Offender(TM) was invited to speak at
DebConf25 in
France is not a random accident. Certain groups like
Debianism have been overcome by fringe diversity movements. Over the years,
we've seen the same people using their authority to humiliate fellow volunteers
in much the same way that paedophiles humiliate children. Statistically,
we can be certain there are similar men in the same group.
Jeremy Bicha was the thin end of the wedge. By putting a known offender
on a pedestal and claiming they are helping him, they are clearing a path for
other more cunning characters to be given a platform.
The people who control
Debianism mailing lists have a nasty habit of censoring any concerns about
the phenomena. They believe everybody agrees with their worldview. They
are living in a bubble. Sooner or later, there will be a person or an
incident that is so bad that it is the end of Debian. Society at large
simply doesn't accept some of the things these people do.
Moreover, certain companies would like to see Debian fail. They will
give enough money to the diversity budget to create a scandal and then
those companies will get out of the way as quickly as possible.
The Debian Social Contract tells us, in point three,
We will not hide problems.
In the case of the
registered sex offender invited to speak at
DebConf25 in
France, all discussion has been deliberately shut down. Video
of the talk is not hosted with video of the other talks. People are
scouring the
official photo gallery to see if
Jeremy Bicha was really there at all and who sat next to him.
This situation and the manner in which
Debianists are hiding it reveals the real definiton of diversity and
the real use of diversity funds.
This resulted in “Jack� ringing me in an extremely distressed state. His
words on the phone were, “I think it would have been better to hear my
mother had died�. He was a relatively early victim of [Fr Kevin] O’Donnell and his
abuse was reported to the Cathedral in 1958. This allegation was
investigated at the time by both the then Vicar-General, Laurie Moran,
and the then Auxiliary Bishop of Melbourne, Arthur Fox. Nothing
eventuated from this investigation.
In 1962, Stanley Kubrick released the controversial film
Lolita.
Charles Manson was using women in his
cult, the Manson Family, to murder people. He hoped that by committing
these violent murders he could start riots, like the modern day phenomena
of #MeToo mobs on
social control media. On 9 August 1969, they killed the actress
Sharon Tate, who was the wife of film director
Roman Polanski.
In the 1970s, Bishop Fox was the Bishop of Sale. On 3 July 1972, when he was
in his early forties, Hourigan wrote to Bishop Fox asking that he be accepted to study
for the priesthood. In the letter Hourigan set out what he said were two ‘flies in the
ointment’. The first related to an issue with Hourigan’s back, and is of little moment.
The second was a disclosure (referred to by the judge as ‘the disclosure’) that on
three separate occasions, occurring at two separate boarding schools in Papua New
Guinea at which he was working, boys in his care who, he said, he had occasion to
punish for misbehaviour, responded by complaining to a priest that he had treated
them harshly and that he was a homosexual. A short time after the second and third
complaints, Hourigan left the second boarding school and returned to Australia.
The implication is that
Bishop Fox had personal knowledge of the disclosure and history of
abuse before he ever ordained
Fr Hourigan.
Britain's National Council for Civil Liberties (NCCL), known today as
Liberty, had a very open attitude to memberships and affiliations.
PIE and many other fringe groups became members of NCCL / Liberty
and regularly attended the annual general meetings where they rubbed shoulders
with lawyers and lobbyists from a range of different movements.
The Conversation tells us the British Communist Party was also affiliated
with NCCL / Liberty. People have been scouring old copies of British
tabloid newspapers to find evidence of similar diversity fringe groups
promoting incest, canabalism and bestiality. NCCL / Liberty was not endorsing
any of these groups and the PIE was no more or less special than
any other diversity fringe group.
The manner in which the paedophile advocacy groups participated in the
NCCL / Liberty and the legal profession can be summarised by the
expression I don't agree with what you say but I will defend to the
death your right to say it.
As the saying goes, all good things must come to an end. By the
1980s, governments around the world had developed strategies to shut down
and outlaw groups like PIE.
The eradication of these groups was significant because it forced
the pro-abuse lobby to look for more discrete ways to achieve their
unholy objectives. In other words, they have to join other groups like
the Catholic Church and the
Debian Project in the hope they will gain credibility, access
to children or both.
Between 1977 and 1978,
Roman Polanski, whose wife had been murdered by the Manson Family
cult, was prosecuted for drugging and raping a 13-year-old girl.
He fled America to live in
France and evade a likely jail sentence.
As he was born in France he can't be extradited to America. He continued
his career in
France and received numerous awards for his work. Many professionals
in the movie industry have publicly indicated support for
Polanski, despite the very serious crime he committed against a child.
Between 1978 and 1982, in another
Catholic abuse situation where the victim agreed to waive anonymity,
David Ridsdale was abused by his uncle, the priest
Gerald Ridsdale. Under Australian law, when the uncle is found
guilty of such an offence, their identity and their conviction can not
be reported in the media as it would compromise the identity of the
victim. Nonetheless,
David Ridsdale waived his right to anonymity and so it could be
reported that
Gerald Ridsdale, who was the worst offender in the country,
had even committed abuse against one of his own relatives.
The media originally obfuscated the name and face of the victim but it
wasn't long before everybody knew. She had created the dossier, started a
conversation with the police and then she committed suicide. Eventually the
Federal Court judges decided to publish everything for the public to make up our
own minds.
I selected those portions of the document to emphasize the striking
similarities between
Katharine Thornton's abuse report and the acts that
Jeremy Bicha admitted inflicting on his sisters.
According to the summary of the complaint on the
Manatee County Courthouse web site, the abuse occurred between 1995 and 1999,
in other words, when
Jeremy Bicha was only between eleven and fifteen years of age himself.
One of his sisters was nine and another was only six when these horrible crimes
took place.
In the court documents,
Jeremy Bicha told prosecutors his parents were very strict and kept all the
siblings together at home. In countries with urban sprawl and a car culture,
which includes
Australia, a teenage boy starting high school has no way to meet friends
of the same age unless an adult is willing to drive him there and bring him
back home. Europeans who live in apartments and terrace houses are much closer
together. Therefore, people who haven't lived in urban sprawl can't fully
appreciate the impact it has on childhood.
In 1997, Adrian Lyne produced a fresh version of the film
Lolita.
Shortly after that, I was photographed in
Australia's Parliament House,
Canberra with
Natasha Stott-Despoja. After leaving her job as a senator,
Natasha was appointed as
Australia's ambassador for women and girls.
She was subsequently appointed to represent
Australia on the UN CEDAW committee. CEDAW is the Convention on the
Elimination of All Forms of Discrimination Against Women. The committee
is one of the most influential international bodies concerned with the
status and wellbeing of women. The photograph was taken during the same
period of time where
Jeremy Bicha admits abusing his little sisters.
In the early days of
Debianism, many young teenage males were exploited. Ringleaders have been
interchangeably presenting
Debianism as a hobby, as a philosophical mission and as an activity that
people undertake while being paid by an external employer like
Freexian. Ringleaders pivot between these
definitions of
Debianism depending upon which definition is most convenient for the
ringleaders themselves in any particular situation or dispute.
They used the appeal of a philosophical mission to recruit numerous teenagers,
mostly boys in their mid-teens, who were starstruck by the names of companies
like
Pixar, where
Bruce Perens worked. These teenagers didn't really appreciate the extent
to which they were working alongside people who were being paid six-figure
salaries to do similar tasks. I'm talking about
Joel "Espy" Klecker,
Shaya Potter and
Chris Rutter. Klecker was doing this unpaid work while he was in bed
dying of a terminal illness
(
detailed report).
Shaya Potter appears to be the first documented case of somebody
expelled after he had already resigned.
Chris Rutter even had servers for unpaid
Debianism work installed at his high school. He was observed
working long hours to meet his obligations to
Debianists shortly before walking in front of a car. These may be
the three most prominent teenagers in the early days of
Debianism and it is disturbing to see that two died while one was
subject to gaslighting and ostracized.
Here is a debian-private leaked message where the underage
phenomena is mentioned explicitly:
Subject: Re: why I want the archives on me (was Re: spotter@debian.org)
Date: Tue, 17 Nov 1998 12:56:41 -0500
From: Shaya Potter <spotter@ymail.yu.edu>
To: joost@pc47.mpn.cp.philips.com
CC: debian-private@lists.debian.org
----- Original Message -----
From: <joost@pc47.mpn.cp.philips.com>
>
>On Tue, 17 Nov 1998, Shaya Potter wrote:
>
>> Now that this is out of the way, I'd like to publicly ask if I can have
an
>> archive of all the communication that went on in regard to me.
>
>Strictly speaking I tend to disagree that you or anybody has an a-priori
>right to know what is being said and told on debian-private. It is simply
>a private list. Things would be different if you were mentioned in a
>public list without being able to respond. But that is in all aspects
>clearly not the current situation.
First, I never said I have a right. In many ways I think i don't have a
right, or even if I did, I don't deserve it. I don't think my statements
have implied that I believe I have a right to demand that it be given to me.
I do have a right to ask that it be done. Debian has a right to say yes or
no.
>
>(Nevertheless, I think that it would be considerate to cc: you in
>any discussion that involves you in a very personal manner - this has
>IMHO until now hardly been the case though.)
It hasn't? Than how did the decision to expell me come about? Who told
people who made the decision what happened? Was this all done in private
mail?
>
>If a non-subscriber of debian-private must share in the conversation on
>debian-private, then this should IMHO be done by adding that person to the
>clearly visible cc: line of the header of any messages to be "published."
>That way, it will be adequately clear that the correspondence leaves the
>realm of debian-private and thus everybody can conclude that normal
>confidentiality can not be expected. AFAIK respect for the confidential
>nature of debian-private is a prerequisite for subscription to this list.
I would have respected the confidentiality, as I have made it known that I
don't want this to spread, as I am embarrased by my actions.
>
>Practically speaking, I disagree that the underlying case generally
>concerns you. What matters here is not who Shaya Potter personally is or
>what particularly Shaya Potter did. The discussion is about how issues
>like the one involving you relate to Debian. This discussion does not
>involve you personally.
I don't want the entire discussion, I just want to see the parts that touch
on me personally. I don't care for the rest, of what about underage
developers and the like....
>
>> I was told that it would not be a star chamber, and that I'd be cc'd in
>> on all the corrospondace. That didn't occur.
>
>There was no "star chamber." You have already been generously cc:'-ed.
I was? The only cc:'s I ever got were in response to me starting a thread.
That implies to me, that acc. to what you were saying, that no discussion
on -private occured that I didn't start. However, I know this not to be the
case, as before I was unsubscribed from -private, I saw a thread or 2
started that dealt with me.
>
>IMHO you do not have a right to be cc:-'ed on the _general_ discussion
>which does not particularly (personally) involve you.
never said I did.
>
>> Also, I really have no idea of what discussion went on, if mistruthes
>> were spread about the incident (as in reality, I'm the only one that
>> knows completely what happened, and no one really ever asked me for the
>> full story).
>
>If this worries you so much, then I seriously wonder why you did not
>immediately relate it to debian-private when the issue arose in the first
>place?
I did apologize on -private right away, however, I didn't want to spread
what I did. I specifically told people that I would rather this not be
discussed on -private and have me showed the door quietly, and told never to
come back. That didn't happen, it was discussed on -private. I don't know
what was discussed in relation to me, so I want to be informed.
>
>Again, the discussion is not yours. Again, you are not personally
>involved. Your only "role" in the discussion is that you have created a
>precedent. I thinks we can all agree that we would rather have had you
>not be a precedent case, but it happened. I'm very sorry, but you'll
>have to blame yourself for that.
Trust me, I've blamed myself a lot for this. If you seen any of my
corrospondance you would know this. I don't blame anyone for my
predicament, but myself.
>Discussion on debian-private does not count as a statement from Debian.
>So there simply were no statements. I'm not really in favor of making any
>strong or overly verbose statements either. If there ever is to be a
>statement from Debian about an issue such as the current one involving
>Shaya, I think that person should be briefed thoroghly beforehand.
I'm not talking about a debian statement. I don't want a public statement,
and I know a lot of people from debian don't want one either (though some
might). What I meant by statements, was statements that individuals made,
that might be incorrect, or inacurate.
>Shaya, can you please just put this to a rest? IMHO it is not very
>productive for anybody. And please take it from me that you have no
>reason to be concerned that you have been in a "star chamber."
I am not worried about a star chamber, I would have prefered it in many
ways. However, at least with a star chamber you usually get to see the case
presented against you, even though you don't have the ability to defend
yourself. As I said many times, my case is indefensable, so that wouldn't
bother me.
Shaya
We find exactly the same phenomena in the
Jeremy Bicha abuse testimony. His sister tells us she was too young
to know the words for what he was doing in her underpants.
In October 1999 the role of teenagers was back in the spotlight:
Subject: Debian Death March
Date: Thu, 7 Oct 1999 17:41:25 -0700 (PDT)
From: Jonathan Walther <krooger@debian.org>
To: debian-private@lists.debian.org
Guys. Is Debian still the hippest, coolest, happeningest distribution
around, or are we a dinosaur lost in the forest?
The posts I've read on this list today reek of a Death March.
Yes, many of the Debian originals have moved on, retired, or fallen
quiescent. Others of us have had sudden changes in our life; new jobs, loss
of jobs, loss of internet access, newborn infants, need to spend time with
spouses and loved ones.
Many of the rest have gotten tired. The friends they joined this marvelous
big project with are no longer around... The stress of mentoring up a new
generation of package maintainers, and hopefully core developers falls on
their already burdened shoulders, taking away from their time spent coding.
As social scientists know, the future is the children. Or in our case, the
future is the teenage "hackers" getting their first computer, going in their
first irc chatroom, using their first nuker... and realizing there is
something far more interesting, constructive and beautiful beyond the raw
violence of their little world. An ordered system of many parts, of many
people collaborating in peace, cooperating on a scale that they will take
for granted, because we have made it seem so natural, but which makes any
sane adult boggle at our achievement.
[ ... snip ... ]
Given that
Debianism has the exploitation of youth in its DNA, it is really sad
to see that a
registered sex offender and various characters with similar tendencies
were put up on a pedestal in the era of
Chris Lamb.
In 2002, the Boston Globe's Spotlight team published
their reports about the
Catholic abuse crisis. The reports were not simply about the actions
of individual paedophiles. The journalists went to great lengths to examine
how the institution had ordained the wrong people and stonewalled victims.
In the
Debian harassment culture, we see much the same thing. People who ask
questions are censored on the mailing lists. The leaders stonewall and
refuse to answer questions or provide reports about the
Debian suicide cluster and their knowledge of
Jeremy Bicha's history.
Subject: Re: Nut-case of the day - Was: [Fwd: URGENT: This is potentially a threat to your and others personal security]
Date: Tue, 6 Jan 2004 12:53:33 -0700
From: Joel Baker <fenton@debian.org>
To: debian-private@lists.debian.org
On Tue, Jan 06, 2004 at 03:28:03PM +1100, Russell Coker wrote:
> On Tue, 6 Jan 2004 15:23, Joel Baker <fenton@debian.org> wrote:
> > I could probably arrange for Debian to have a TG developer, but somehow,
> > this doesn't seem like a primary qualification; we don't have quotas. :)
>
> If they can code well or can be taught to code well then please get them in!
>
> Especially if they have some skills at kernel coding. I think that we could
> do with having more skilled developers dealing with the kernel patch
> packages.
What I didn't mention is that it would probably involve me bribing her to
deal with it; she doesn't find Debian to be quite worthwhile enough on its
own merits (she likes it, she just likes FreeBSD better, and has little
enough time to spare overall that short of someone making it worth giving
up what else she does, it isn't worth it).
This would be the primary reason she isn't already a DD, since the only
part of NM that would pose any issue at all is the wait (I can sign her
trivially, and passing the requirements is a no-brainer). But we don't
really need another developer not doing much most of the time, and I
have better uses of the money than paying her to work on it. :)
--
Joel Baker <fenton@debian.org> ,''`.
Debian GNU/NetBSD(i386) porter : :' :
`. `'
`-
In 2006,
Red Hat opened their main research site in
Brno, a small city in the
Czech Republic. The
Czech Republic had joined the
European Union (EU) in 2004.
Thanks to the Freedom of Movement policy of EU countries,
Red Hat could employ young male graduates from any other EU country and
bring them to work in
Brno without any uncertainty about residence permits and visas. Over
the years, thousands of young and predominantly male engineers came to work
for various multinational companies in this remote part of the
Czech Republic. At the same time, young women from eastern European
countries were all leaving small cities like
Brno and either moving to the capital,
Prague or moving to other cities like
London,
Paris and
Berlin. These arrangements created a huge imbalance. Thousands of
highly paid young single men found themselves competing for the very
small group of women who decided not to leave. A lot of the companies
started talking about the need for diversity programs. While
nobody says it out loud, it looks like these programs are intended to
increase the size of the dating pool in these offshore centers.
Official statistics tell us that
Brno has the highest suicide rate in the country.
When eastern European countries joined the EU, some of the western
countries like Germany and France introduced a temporary delay on
Freedom of Movement for workers. The delay didn't apply to
Freedom of Movement for wives and girlfriends.
This table shows us that workers from
Czech Republic could go to
the
UK immediately after joining the EU in 2004 but they could not
take jobs in
France until 2008 or
Germany until 2011. As a consequence, young women could use
Freedom of movement to marry somebody in a rich country but
many young men had to stay in the
Czech Republic. The young men who remained found themselves in direct
competition against the
Red Hat workforce for the last girlfriends who remained in
Brno.
During that period, I was living to the north of
London near to
Luton airport. Thousands of people from eastern Europe were arriving
every day on the low cost airlines. It was fairly easy to distinguish
the tourists from the people who were relocating. The people relocating
under Freedom of Movement had typically purchased the maximum
luggage allowance and arrived with their whole life in a suitcase that
was so overloaded it looked like it was about to burst. In particular,
a lot of the women who arrived like this were making the move alone with
no safety net. Their plan was to get off the plane and find a room,
a job and a husband. These are the women who the
Red Hat employees in
Brno missed out on.
In January 2006,
Raphael Hertzog infamously used the debian-devel-announce email
list to promote a message about an external product,
Ubuntu that not everybody is interested in.
Andrew Suffield adapted the subject line of
Hertzog's email to promote lesbians instead of
Ubuntu. Some people speculate
Suffield chose the word lesbian because it looks a little bit
like the word Debian and there are a disproportionate number of
LGBT people lurking in the mailing lists.
To: debian-devel-announce@lists.debian.org
Subject: For those who care about their packages in Ubuntu
From: Raphael Hertzog <hertzog@debian.org>
Date: Fri, 13 Jan 2006 23:35:24 +0100
Hello fellow Debian developers,
let me explain shortly why I'll speak of Ubuntu on a Debian announce
list. I know that many of you do not like the Canonical marketing saying
that "Ubuntu is contributing back" because the most visible official
contribution is scott's patch repository and that all other successful
collaboration has been made at the level of individual developers who are
"friendly to Debian" and not because Canonical's policy ask them to do
so.
[ ... snip ... ]
To: debian-devel-announce@lists.debian.org
Subject: For those who care about lesbians
From: Andrew Suffield <asuffield@debian.org>
Date: Sat, 14 Jan 2006 15:00:40 +0000
Since this sort of thing is apparently okay nowadays, and I know that
a lot of you like looking at lesbians, I'd like to share this with
you:
http://www.flickr.com/photos/63978244@N00/81351129/in/photostream/
[And for the sarcasm-impaired: debian-devel-announce is for Debian
development, not anything that you (or any other group of people)
happen to be interested in. Don't post irrelevant stuff here. It would
be a real shame if the list had to be moderated because people can't
exercise good judgement. Anything sent here should be of interest to
an overwhelming majority of Debian developers, *at least* - if you're
using phrases like "for those who care about X", it belongs somewhere
else, like X-announce.]
--
.''`. ** Debian GNU/Linux ** | Andrew Suffield
: :' : http://www.debian.org/ |
`. `' |
`- -><- |
The message links to this image. It is off-topic but the content is not
illegal in any western countries.
Excuse the pun, the tit-for-tat continued with even more messages
based on the same subject line template:
Not long after that, in May 2006,
DebConf6 took place in
Mexico. One of the candidates in recent
Debianism elections,
Jonathan Walther (Ted), brought a local woman,
Hilda, to the conference dinner. People quickly started the rumour
that
Hilda was a prostitute. Nonetheless, she was the local dentist. To
this day, dozens of messages about the rumour are present online in various
web sites and debian-private archives.
(
more details about the rumours and DebConf6 fight).
To understand why there was so much gossip and aggression at the
DebConf6 dinner, you need to look at who really slept with who
and then
read the story again. The leaked
room list tells us that
Holger was sleeping with
Amaya.
Amaya helped start the rumour and
Holger is the one who ended up exerting physical pressure on the victim,
Jonathan Walther (Ted). When people are sleeping together, they don't
always behave rationally any more.
From: Joerg Jaspert <joerg@debconf.org>
To: rooms@debconf.org
Subject: Re: [Debconf-announce] Room allocation
In-Reply-To: <20060328120500.GA10651@localhost> (Margarita Manterola's message
of "Tue, 28 Mar 2006 09:05:00 -0300")
Organization: Goliath-BBS
[ ... snip ... ]
> * Who you would NOT like to share the room with.
I dont care that much who is in my room, as long as its not
Jonathan/Ted "krooger" Walther or Jeroen van Wolffelaar or Amaya.
[ ... snip ... ]
Date: Fri, 31 Mar 2006 17:39:37 +0200
From: Adeodato =?utf-8?B?U2ltw7M=?= <dato@net.com.org.es>
To: rooms@debconf.org
Cc: Holger Levsen <debian@layer-acht.org>,
Jesus Climent <jesus.climent@hispalinux.es>,
Amaya Rodrigo <amaya@debian.org>,
Alberto =?utf-8?B?R29uesOhbGV6?= Iniesta <agi@inittab.org>,
Marcela Tiznado <mtiznado@linux.org.ar>,
Isaac Clerencia <isaac@debian.org>,
Jacobo =?utf-8?Q?Tarr=C3=ADo?= Barreiro <jacobo@debian.org>,
Javier Fernandez-Sanguino <jfs@computer.org>,
Ana Beatriz Guerrero =?utf-8?B?TMOzcGV6?= <ana@ekaia.org>
Subject: Room preferences for a bunch of ~Spanish people
Hey marga!
Some (mostly) Spanish people have been talking among us, and we'd like
to share room at DebConf. We've thought that it'll be easier for you
if we just write you one mail saying who we are, instead of each of us
mailing you privately with our preferences. :)
So, we'd like:
- a 6-sized room for both DebCamp and DebConf (from 5th to the end)
- a 4-sized room for DebConf only (from 13th to the end)
The involved people (in order of arrival, all of them CC'ed) are:
Holger Levsen <debian@layer-acht.org>
Jesus Climent <jesus.climent@hispalinux.es>
Amaya Rodrigo <amaya@debian.org>
Alberto Gonz=C3=A1lez Iniesta <agi@inittab.org>
Adeodato Sim=C3=B3 <dato@net.com.org.es>
Marcela Tiznado <mtiznado@linux.org.ar>
Isaac Clerencia <isaac@debian.org>
Jacobo Tarr=C3=ADo Barreiro <jacobo@debian.org>
Javier Fernandez-Sanguino <jfs@computer.org>
Ana Beatriz Guerrero L=C3=B3pez <ana@ekaia.org>
Thanks in advance,
In 2006, the
GNOME people created the
Outreach Program for Women (OPW), which was subsequently renamed to
Outreachy. The program pays young female interns to associate with
the developers. The women are not expected and not always trusted to
do development work themselves. Many of the women were offered free trips
to conferences all over the world.
Subject: Total world domination through therapy and free software!
Date: Sun, 31 Dec 2006 13:25:08 +0100
From: Amaya <amaya@debian.org>
Organization: Debian - http://www.debian.org/
To: debian-private@lists.debian.org
Russell Coker wrote:
> True. But we can only change some things and only in some areas.
Sure, we are just humans :)
> I will always have little sympathy for someone who complains bitterly
> about unfairness when by any objective metric they would be regarded
> as being in the most fortunate few percent of the world's population.
Yes, as in having clean tab water. Ack.
> Do you think it might be beneficial to have some group sessions at
> Deb-conf's to help us deal with these things?
I strongly believe in the group sauna effect :)
> Debian has a huge pile of money that is apparently not being spent,
> booking a good psychiatrist for a day for every DebConf would not make
> much of an impact on Debian finances and might have a good impact on
> productivity.
s/psychiatrist/therapist/ Maybe someone that is experienced in large voluntary communities could
give a talk, or workshop, or both.
It would be interesting to know wether anyone knows a person that could
help us this way. I could talk to some people if the idea doesn't look
stupid to the rest you the people reading this.
--
·''`. If I can't dance to it, it's not my revolution
: :' : -- Emma Goldman
`. `' Proudly running Debian GNU/Linux (unstable)
`- www.amayita.com www.malapecora.com www.chicasduras.com
By 2008, they were already talking about how they would recruit people's
teenage children. This was well before the
Debian pregnancy cluster started producing said children.
Subject: Re: [VAC] Going to the chapel ...
Date: Tue, 22 Jul 2008 16:12:29 +0200
From: Lionel Elie Mamane <lionel@mamane.lu>
To: debian-private@lists.debian.org
On Sat, Jun 28, 2008 at 03:29:27PM +1000, Russell Coker wrote:
> On Saturday 28 June 2008 14:32, Benjamin Seidenberg
> <benjamin@debian.org> wrote:
>> The question is, will we accept parental signatures on the GPG keys?
> Why wouldn't you accept a parental signature? (...)
> Advocacy however is a different matter. We want advocates to not be
> excessively biased, and I'm sure that while growing up we have all
> seen adequate evidence of parents who think that their children are
> angels while everyone else knows the truth...
> Of course if a parent was to quietly encourage the NM people to keep
> their child in the queue for an extra year or two then I think we
> should accept such a recommendation.
I fail to see why this is obviously desirable; parents can also be
biased in the other direction, that is think their late teenage
children are like one-year olds that cannot cross the street without
their supervision.
--
Lionel
Around the same time, in June 2008,
Jeffrey Epstein made a guilty plea on two charges in state court.
He was sentenced to 18 months in a county jail, which is less
onerous than a state prison. He was authorised to participate in a
work release program whereby he could leave the prison for sixteen
hours per day, six days per week. It is rumoured that he was unhappy
with his probation officer and exploited political connections to have the
probation officer moved elsewhere.
Jeffrey Epstein worked as a schoolteacher before getting into finance.
Therefore, he is far more culpable than a twelve-year-old juvenile
offender like
Jeremy Bicha.
"I first met my wife at the “International Conference on OpenSource� 2009 in Taiwan. So OpenSource, Debian and me being some tiny wheel in the system wasn’t entirely news to her."
If any other random developer meets a woman at a conference they are insulted
and told that relationships are a bad thing. Yet for the oligarchs representing
Debian at events, it is open season on women. This relationship helped bootstrap
the Debian pregnancy cluster.
In 2010,
Jeremy Bicha's older sister went to Bob Jones university. The on-campus
therapist gave her bad advice. The sister went to a more victim-oriented
off-campus center,
Julie Valentine Center. After counselling there, the victim and another
sister, who is also a victim, reported the abuse to
police.
US Navy investigators immediately questioned
Jeremy Bicha. He admitted the allegations about his childhood are true.
He was immediately terminated from Navy employment.
In August 2010,
DebConf10 was in New York City. By this stage, we can see
Debianism had well and truly adopted a
cult lifestyle. A group of couples share rooms. They pretend
we have no money while keeping it for themselves. They are pretending that
bringing your wife is diversity.
Shortly after
Adrian von Bidder-Senn died, his wife,
Diana von Bidder-Senn sent an email revealing she was oblivious to
what he was doing on his computer. In hindsight, we can see that both
Adrian and Diana were tricked by
Debianism in different ways:
Subject: Re: condolences for Adrian
Date: Mon, 25 Apr 2011 15:02:18 +0200
From: Diana von Bidder <diana@fortytwo.ch>
To: Stefano Zacchiroli <leader@debian.org>
Dear Stefano
Thank you for your wonderful mail! Yes Debian and people were very
important to Adrian. I was glad that he was not only sitting alone in
front of his computer but to know that there are people out there that
estimate him and are his friends even if most of you did not know each
other personally.
The way you describe him (empathy, calm, insight, ... - just the Adrian
I know) assures me on how good friends of Adrian are out there. And I
will always continue to think of this (in a good way!) when continuing
to use debian (which I became quite fond of because of Adrian).
It's a pity that he couldn't go to Banja Luca anymore which he did so
much look forward to. Anyway, I wish you all the best and hope you
continue your good work.
- Diana
The family asked for donations to AMICA Schweiz, a charity that
helps women abused during the conflict in the Balkan countries. People
argued about it on debian-private.
Subject: Re: Death of Adrian von Bidder
Date: Thu, 21 Apr 2011 08:56:04 +0200
From: Andreas Tille <andreas@an3as.eu>
To: debian-private@lists.debian.org
Hi,
I admit that e-mails about emotions tend to be turned into flames
and I do not want this here.
On Thu, Apr 21, 2011 at 07:24:59AM +0200, martin f krafft wrote:
> I suggest that we donate 200 CHF from the project (price of a nice
> wreath with writing). If there are other donators, please get in
> touch with me.
The donators of the Debian project intend to spend money for the
development of the Debian project. If we spend Debian money for a
wreath (or any form of replacement donation) this is not related to the
development of Debian. It is rather *us* *people* who say goodby to
a friend. So the money should not come from project funds but rather
from single developers.
Saying this I would like to vote against spending Debian money but
rather doing a separate collection. I could live with some kind of "de
facto" collection like this: I will ask for Debian money for DebConf.
In case Debian project money is really spended for Adrian's funeral I'd
simply ask for 10Euro less than I would have done otherwise.
Please do not get me wrong: I'm in any case for showing that the Debian
community is sad about the dead of Adrian. But I'm not convinced that
this purpose is in the interest of our donators and it finally comes
quite cheap for us individuals to simply spend Debian money.
Kind regards
Andreas.
--
http://fam-tille.de
In December 2011,
Martin Krafft describes
Debianism itself as a teenage culture. His fingers get a mention
in the email signature:
Subject: Mooing solves everything
Date: Wed, 7 Dec 2011 22:14:13 +0100
From: martin f krafft <madduck@debian.org>
Reply-To: madduck@debian.org
Organization: The Debian project
To: debian private list <debian-private@lists.debian.org>
[Writing to -private with Reply-To set, because this is clearly
a classified topic]
We know about super cow powers and swallowed elephants, and the
power of the Mooing.
What I want to do is collect cow-related stories of relevance to our
project, to prevent an inside joke from dying as Debian prepares to
exit teenagehood.
So, please hit me. What does Debian have to do with mooing?
--
.''`. martin f. krafft <madduck@d.o> Related projects:
: :' : proud Debian developer http://debiansystem.info
`. `'` http://people.debian.org/~madduck http://vcs-pkg.org
`- Debian - when you have better things to do than fixing systems
on the other hand, you have different fingers.
At the same time, in December 2011, a young transgender straight out
of an elite French high school was given a paid job in a student-run
Internet Service Provider, the
CR@NS network at
ENS Cachan. One of the older students, Debian Developer
Nicolas Dandrimont, was dating this vulnerable young person at
the same time as paying them and trying to help them
get Outreachy money. Recall the original discussion about offering
money for transgender participation many years prior. Offering
these people moral support may be acceptable but offering large
sums of "diversity" money at a point when they are unsure of their
identity appears to be highly unethical.
Subject: DM application of Jeremy Bicha
Date: Fri, 30 Mar 2012 18:58:41 -0400
From: Jeremy Bicha <jbicha@ubuntu.com>
To: debian-newmaint@lists.debian.org
CC: Jordi Mallach <jordi@debian.org>, Michael Biebl <biebl@debian.org>,
Sebastien Bacher <seb128@debian.org>, Martin Pitt <mpitt@debian.org>
This is my declaration of intent to become a Debian Maintainer
<URL:http://wiki.debian.org/DebianMaintainer>.
I have read the Social Contract, Debian Free Software Guidelines and
Debian Machine Usage Policy and agree with all of them.
Currently, I maintain the package kabikaboo
and I co�maintain the GNOME packages with the Debian GNOME Team.
My GnuPG key EBFE6C7D is signed by the Debian Developer Andres Mejia.
I look forward to becoming a Debian Maintainer. Thanks for your attention.
Jeremy Bicha
--
To UNSUBSCRIBE, email to debian-newmaint-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact
listmaster@lists.debian.org
Archive: http://lists.debian.org/4F763AA1.1050503@ubuntu.com
Subject: Re: DM application of Jeremy Bicha
Date: Tue, 3 Apr 2012 07:24:13 +0200
From: Martin Pitt <mpitt@debian.org>
To: Jeremy Bicha <jbicha@ubuntu.com>
CC: debian-newmaint@lists.debian.org, Jordi Mallach <jordi@debian.org>, Michael Biebl <biebl@debian.org>, Sebastien Bacher <seb128@debian.org>
Hello Jeremy,
Jeremy Bicha [2012-03-30 18:58 -0400]:
> This is my declaration of intent to become a Debian Maintainer
> <URL:http://wiki.debian.org/DebianMaintainer>.
>
> I have read the Social Contract, Debian Free Software Guidelines and
> Debian Machine Usage Policy and agree with all of them.
>
> Currently, I maintain the package kabikaboo
> and I co�maintain the GNOME packages with the Debian GNOME Team.
I've seen your great activity in both Debian's and Ubuntu's GNOME
team. You have demonstrated the ability to deal with nontrivial
packaging situations, a sustained enthusiasm and dedication, and good
collaboration with upstream as well. I fully support your application
for DM, thanks!
Martin
--
Martin Pitt | http://www.piware.de
Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)
On 15 May 2012,
minutes of the GNOME Foundation tell us that
Jeremy Bicha was one of six people given voting rights in the foundation.
Many open source developers have never had the right to vote in any of these
incorporated bodies. It appears that
Jeremy Bicha was able to renew his membership and thereby maintain this status
even during his subsequent prison term.
In April 2013, the
Debianists decided to start offering money to young women under the disguise of
Outreach Program for Women (OPW), which was later renamed to
Outreachy. The Debian
constitution explicitly says that contributors must be volunteers. Therefore,
the payments to these young women are illegal under the constitution and may
be illegal in other ways too.
...
3.2. Composition and appointment
Developers are volunteers who agree to further the aims of the Project insofar as they participate in it, and who maintain package(s) for the Project or do other work which the Project Leader's Delegate(s) consider worthwhile.
...
Here is one of the early advertising banners promoting the illegal payment of
$4,500. The
GNOME Foundation logo is on the woman's foot. It is an uncanny coincidence
the logo strongly hints at the unison of male and female genitalia:
In July 2013, I publicly resigned from the
Australian Labor Party (ALP) due to abuse of female
asylum seekers from Iran. In the resignation email,
which was leaked to Australian political news site Crikey,
I compared the scandal
to the Catholic abuse scandal. I think this may be the first time my name
was on the public record as a supporter of victims. This was well before the
Spotlight movie and the #MeToo phenomena, therefore, it
can't be suggested that those latter revelations influenced the strong words
used in my resignation in 2013.
In September 2013,
Jeremy Bicha was convicted and sentenced to three years in a state prison.
The state prison is a far more onerous punishment than the county jail where
Jeffrey Epstein was briefly incarcerated. The duration of
Jeremy Bicha's sentence is double the 18 month sentence imposed on
Epstein.
At the sentencing,
Bicha's defence lawyer asked the judge not to put his name on the list of
registered sex offenders. This is a controversial topic. The
police have also asked the judges not to automatically put every criminal
like this on the list. The more pragmatic police commanders want these lists of
registered sex offenders used for those pathological predators who never
truly change their ways. Looking at the allegations against
Bicha, he personally stopped offending at 15, during his childhood and there
is no evidence he is committing similar crimes as an adult. To put it another
way, if a child goes missing, the local
police want to be looking at a list of the top twenty lifetime sex
offenders who are dangerous enough to deserve a house call. If the police are
confronted with a list of over a thousand
registered sex offenders in their district they have no way to know
which of those people to visit first.
In Australia and other countries, the media is normally prohibited from
publishing the names of juvenile offenders. In a way, the young boys
are considered victims of their parents' failures. On that basis, they
have a right to privacy equivalent to the rights of the abuse victims.
Nonetheless, this type of restriction doesn't appear to be applicable
in the United States. Nonetheless, if the local pastor and schoolteacher
were not part of the story, it is unlikely the newspapers would publish
the story at all.
In November 2013,
Paul Tagliamonte sent the following message to the leaked
debian-private email list. It concerns a young woman who
applied for the
OPW / Outreachy money. Why are these men always thinking about the
age-of-consent when women are mentioned?
Subject: Re: OPW Student in Kingston, Jamaica
Date: Mon, 25 Nov 2013 13:39:12 -0500
From: Paul Tagliamonte <paultag@debian.org>
To: Joachim Breitner <nomeata@debian.org>
CC: debian-private@lists.debian.org
On Mon, Nov 25, 2013 at 06:37:36PM +0000, Joachim Breitner wrote:
> Hi,
>
> Am Montag, den 25.11.2013, 13:18 -0500 schrieb Paul Tagliamonte:
> > She's got a PhD, so I think this could also be a good beersigning, if
> > she drinks.
>
> not having a PhD yet I wonder what expects me: Will I be a better
> drinker after I get the degree? Or a better keysigner? /me is confused.
It simply means she's likely of age in her jurisdiction. All I was
saying is that she's not a high school student.
Cheers,
Paul
--
.''`. Paul Tagliamonte <paultag@debian.org>
: :' : Proud Debian Developer
`. `'` 4096R / 8F04 9AD8 2C92 066C 7352 D28A 7B58 5B30 807C 2A87
`- http://people.debian.org/~paultag
The next time you defend a predator and say,
’Oh, he was just a child,’ remember the faces
of the innocent little ones whose childhood was stolen.
I have mixed feelings about that. It was not "just a child". As the
judge told us, it was the child and the negligent adults together who
left
Jennifer Bicha to suffer this torture. Many other legal cases
have made similar conclusions, including one high profile case where they
recently decided parents were guilty when their child engaged in a schoolyard
shooting spree.
On 3-4 May 2014, the first
OSCAL conference took place in Tirana,
Albania. (
Fedora wiki page). Photos released by the conference organizers suggest
over eighty percent of the participants were young women. In every other
country, we would normally see the gender statistics reversed. In
Albania various theories have appeared about why large numbers of women
came to these events. Some of the women have ended up moving to the city of
Brno in the
Czech Republic.
On 13 July 2014, Italian newspaper La Repubblica publishes a
report about an interview between Pope Francis and editor Eugenio Scalfari.
The late
Pope Francis allegedly told
Eugenio Scalfari that his own advisors have suggested that two percent
is an accurate estimate of the number of priests who are paedophiles. He
deplores their behaviour but on the other hand he insists it is no higher
than the percentage of paedophiles in any other profession.
"Among the 2% who are paedophiles are priests, bishops and cardinals. Others, more numerous, know but keep quiet. They punish without giving the reason,"
"I find this state of affairs intolerable,"
The comment about punishments resonates with many of the
Debianism scandals over the years.
Likewise, the two percent estimate can be applied to large free software
organisations like
Debianism and the
FSFE misfits. These groups typically have a few hundred core participants
and a few thousand loosely affiliated contributors. In the recent
Debianism election, a thousand people were registered to vote. Two percent
of that is twenty paedophiles.
In August 2015, according to reports from the high-profile hush-money trial,
Donald Trump, his lawyer
Michael Cohen and National Enquirer editor
David Pecker had a meeting and agreed on a catch-and-kill plan. It was
alleged that if any woman tried to sell a story about
Donald Trump,
Pecker would buy exclusive rights to the story and then keep the story
hidden until after the election. Similar plots have been created in
open source software communities.
Debianists created the "anti-harassment" team. Fedora has a
"Community Team". These teams pretend to listen to complaints. If a woman
ever makes a complaint about one of the oligarchs or the men employed
by the controlling corporations then the story is covered up.
The woman who made the complaint will receive a polite response but
she will not be invited to any more events. The same theme emerged in the
Harvey Weinsten saga.
Harvey Weinsten's team was afraid some women posed a risk. They
told other movie producers to avoid the women and lock them out of
the industry. Eventually, Lord of the Rings director Peter Jackson
admitted he had excluded some actresses after receiving
Harvey Weinsten's warnings to avoid them. This is the same
phenomena described by
Lunduke in his report
Fedora's Code of Conduct: 200 Day Response Time, Only Protects You if Red Hat
Likes You.
In November 2015,
the movie Spotlight was released in cinemas. It is a biographical film based
on the 2002 Spotlight investigation that exposed the phenomena of
clerical abuse in Boston. A lot of
Catholics and people from other religions have watched the film. In one of the
key scenes in the movie, they discuss the research of
Richard Sipe, who suggests that two percent of men in the general
population are paedophiles but the rate in the
Catholic abuse context is alleged to be six percent. Many people have
speculated whether or not the figure is true and whether the church is
really responsible for it or whether it is some factor out of their
control.
There are approximately one thousand developers in
Debianism today. If two percent are paedophiles that would be twenty
men. We only know the identity of one,
Jeremy Bicha. Who are the other nineteen? We have evidence about
Elio Qoshi's underage girlfriend but in that case,
Qoshi is not a Debian Developer so he is not in the same group for
statistical purposes.
Looking at the culture of
Debianism, it has some awkward similarities to the
Catholic abuse crisis. Therefore, we need to consider the possibility
that the percentage of Debian Developers who are paedophiles, like the
percentage of priests, may be above the two percent average for the
population. If six percent of Debian Developers are paedophiles, that is
sixty paedophiles.
Subject: Jacob Appelbaum and harrassement
Date: Wed, 15 Jun 2016 13:48:53 +0200
From: Mehdi Dogguy <leader@debian.org>
To: debian-private@lists.debian.org
Hi all,
Jacob Appelbaum is currently facing some serious accusations in other
communities, and DAMs are aware of at least two Debian Developers who
have lived and have witnessed situations that are a clear case for
worry.
[ ... snip defamation crap ... ]
None of the emails really tells us what is a "clear case for worry",
to this day, it is still not clear at all.
In contrast, the accusations against
Jeremy Bicha were very clear. He is accused of abusing his little
sisters and at least two other victims. He admitted these accusations
too.
Notice it is a lot like the vendetta against
Ted Walther from
DebConf6. He never committed any crime but after somebody spread a
rumour that his female friend was a prostitute, it took barely one hour
for the whole conference dinner to turn against him and erupt into
violence.
In both the case of
Ted Walther (2006) and
Dr Jacob Appelbaum (2016), the rogue
Debianists have been far too arrogant to admit the rumours were falsified
and give these men and their families the apology they deserve. Yet they are
asking us to ignore the very real abuse convictions against
Jeremy Bicha and welcome him with open arms.
In April 2017,
Chris Lamb was elected for the first time as the leader of
Debianism. One week later, the Fellowship elected me as their
representative to the
FSFE misfits in Berlin. From this point on,
Chris Lamb appeared to be jealous and resentful that another
Debian Developer was in a leadership position in the community.
Today, we see a similar rivalry between the US President
Donald Trump and the other American head of state,
Pope Leo from Chicago.
When women had complaints about certain oligarchs, they had a choice
between going to
Chris Lamb or telling me about it in my capacity as
Fellowship representative.
Women were coming to me with evidence about problems in the community.
Some of the large corporations would have preferred to see those women
reporting problems through channels controlled by the corporations.
To: Jeremy Bicha <jbicha@ubuntu.com>
Cc: debian-newmaint@lists.debian.org, nm@debian.org, archive-184@nm.debian.org
Subject: Re: Jeremy Bicha: Declaration of intent
From: Andreas Henriksson <andreas@fatal.se>
Date: Fri, 12 May 2017 08:55:11 +0200
Hello!
I have personally worked with Jeremy Bicha <jbicha@ubuntu.com> in the
pkg-gnome team where he has been an outstanding contributor for a
sufficiently long time and I know jbicha having full unsupervised
unrestricted upload access to the archive would benefit us in the
team and likely also Debian as a whole on an even wider scale
than before.
I'm aware Jeremy is also very active in Ubuntu and GNOME upstream.
I find it that Jeremy is very good at interacting with upstream as
well as avoiding/resolving conflict or disagreeing opinions, which
means he has atleast two skills that I think we should have more
people like in Debian.
For any AM tasked to question Jeremy I would say you can skip
any regular packaging related questions. If you want to give
him some challange you might want to focus on a more complicated
philosophical question or ask him specifically about Debian
infrastructure and procedures related to those (as he mainly
uploads to Ubuntu and AFAIK has only very limited usaged his
DM privilegies because of the pkg-gnome streamlined sponsorship
workflow).
But to be frank, please consider just fast-forwarding jbicha through
the entire process because any potential knowledge-gap he might
have I'm more than sure we can discuss and handle those within
the pkg-gnome team which has many very experienced DDs that would
happily assist jbicha if needed.
Regards,
Andreas Henriksson
Here is the other advocacy:
To: debian-newmaint@lists.debian.org
Cc: Jeremy Bicha <jbicha@ubuntu.com>, nm@debian.org, archive-184@nm.debian.org
Subject: Jeremy Bicha: Advocate
From: Gianfranco Costamagna <locutusofborg@debian.org>
Date: Fri, 12 May 2017 09:25:12 -0000
I support Jeremy Bicha <jbicha@ubuntu.com>'s request to become Debian Developer, uploading.
I have worked with Jeremy Bicha for quite some time, even if I sponsored just a few packages for him (in Debian).
His work is excellent, he really cares about keeping is packages in a good shape, he cares about transitions and he is quick in reacting when problems are found.
Debian will benefit a lot from his work.
I have personally worked with Jeremy Bicha <jbicha@ubuntu.com> (key 4D0BE12F0E4776D8AACE9696E66C775AEBFE6C7D) for X time,
and I know Jeremy Bicha can be trusted to be a full member of Debian, and have unsupervised, unrestricted upload rights, right now.
Thanks Jeremy for finally starting the process!
Gianfranco
Those are very positive things to write about somebody who has just been
released from prison on parole.
On the weekend of 13 and 14 May 2017, the fourth
OSCAL conference took place in Tirana,
Albania. A girl of fifteen or sixteen years of age created an
online profile for herself in the
Discourse forum software used by the Albanian
Open Labs group. We subsequently learnt this was the girlfriend of
Elio Qoshi, one of the
Albanian ringleaders.
At exactly the same time they are processing
Jeremy Bicha's ordination as a Debian Developer, we saw
Dominik George going through exactly the same process. Messages about
Dominik George explicitly refer to children:
To: Dominik George <nik@naturalnet.de>
Cc: debian-newmaint@lists.debian.org, nm@debian.org, archive-175@nm.debian.org
Subject: Re: Dominik George: Declaration of intent
From: Holger Levsen <holger@layer-acht.org>
Date: Mon, 15 May 2017 14:09:15 +0000
Hi,
sorry for the delay in writing this…!
On Mon, Apr 24, 2017 at 06:54:13PM -0000, Dominik George wrote:
> I would like to apply to change my status in Debian to Debian Developer, uploading.
yay, this is pretty good news for Debian and for Debian Edu and probably a
bunch of others! :-)
I've met Dominik the first time for "real" (*) at the Debian Edu gathering
in Oslo in December 2016 where I could see him working & discussing and also
learned a few things he does outside Debian, which also involves computers,
kids & schools.
(*) we've briefly bumped into each other before and said hi or so :)
http://layer-acht.org/thinking/blog/20161221-debian-edu-sprint-in-oslo/
shows him wearing a DebConf15 t-shirt, so you might met him too ;)
Not related to Debian, but very much showing his dedications,
is that he is involved in another project with kids + young adults, which
in the last years brought 20-30 young adults to the chaos communication congress:
https://www.teckids.org/hacknfun_2016_xmas.htm
The technical discussions we had in Oslo, plus the ones I've seen on IRC,
plus the questions he had and the attitudes he showed make me believe that
Dominik will be a great DD and contributor to our project and beyond!
I cannot fully vouch for him technically, as we work on different areas in
Debian Edu and I've only reviewed bits of his work, but I'm confident he'll
manage NM well! So I'm much looking forward to him becoming a DD!
--
cheers,
Holger
I will progress this application and assign an application manager shortly, but the key issues need to be resolved before the application can be finalised. Please work with your AM on that.
Where he writes "key issues", he is referring to issues with the PGP key.
There is no reference to the abuse.
Subject: Jeremy Bicha: Application Manager report
Date: Tue, 08 Aug 2017 21:09:52 -0000
From: Gunnar Wolf <gwolf@gwolf.org>
To: debian-newmaint@lists.debian.org
CC: Jeremy Bicha <jbicha@ubuntu.com>, archive-184@nm.debian.org,
nm@debian.org
I have reviewed Jeremy Bicha's answers for the NM process, and am more
than satisfied by them. I have also been approached in DebConf by his
team mates, who very strongly recommended him as a DD. I am of the
opinion the project will win quite a bit having him as a full DD with
unimpended upload rights.
Gunnar Wolf (via nm.debian.org)
--
https://nm.debian.org/process/184
People are cheering him on:
Subject: Re: Jeremy Bicha: Application Manager report
Date: Tue, 8 Aug 2017 18:17:15 -0400
From: Andrew Shadura <andrew@shadura.me>
To: debian-newmaint@lists.debian.org
CC: Gunnar Wolf <gwolf@gwolf.org>, Jeremy Bicha <jbicha@ubuntu.com>
On 8 August 2017 at 17:09, Gunnar Wolf <gwolf@gwolf.org> wrote:
> I have reviewed Jeremy Bicha's answers for the NM process, and am more
> than satisfied by them. I have also been approached in DebConf by his
> team mates, who very strongly recommended him as a DD. I am of the
> opinion the project will win quite a bit having him as a full DD with
> unimpended upload rights.
Yay! Congrats! :)
--
Cheers,
Andrew
From 14 to 18 July 2017, the
Digital-Born Media Carnival was held in Kotor,
Montenegro. Some of the women from open source software groups in
Kosovo and
Albania attended. Kotor is an ancient seaside village without any
modern high-rise tourist accommodation. Visitors stay in bed and breakfast
accommodation or holiday houses. On the last night of the carnival, there
was a party by the waterside. The next morning, as we were departing, I
saw one of the
Albanian women coming out of a holiday house that had been rented by
a group of men from another country. There was a bit of hand-holding and
a kiss goodbye. Every time the woman is selected for an internship or
a conference speaking opportunity, over and above every other woman in
the community, I remember that last day in Kotor.
If you are involved in a sports club and you observe somebody had
a one night stand with another member you might not feel any need
to mention it or cause embarassment. However, open source software
hobbyists are claiming to be a model of integrity, merit and security.
Social engineering attacks are often rated as the biggest risk
to modern organisations and their IT systems.
Shortly after that, the
Open Labs non-profit in
Albania had their birthday party in the hackerspace. At least two
underage people were there and at least one of the other women identified
them to me. Separately, women had told me that the youngest girl was
dating the co-founder of the group
Elio Qoshi. They told me a lot of things about
Elio Qoshi, I observed some of those things with my own eyes and I
observed written evidence in requests for travel funding that confirmed
what the women had told me in person. Eighty percent of the group were
female but a lot of the money did not go into the non-profit bank account.
The money was managed by an accountant but there were rumours that the
same accountant was also managing the bank accounts for
Elio Qoshi consulting company. The women on the committee had never
seen a balance sheet or a profit & loss statement for the non-profit
entity.
In September 2017, they promoted an event called
FOSSCamp. Instead of organising it in
Albania, they decided to organise it in a more expensive destination,
Greece and they asked bigger organisations to pay the travel
expenses for a group of people, many of them who were simultaneously
members of the non-profit but also employees of
Elio Qoshi's commercial enterprise. Questioning them about the
event budget, we reached the point where
Elio Qoshi admitted that one of the amounts charged to the bigger
organisations like
Debian was really a payment for his effort organising the event.
The women who collaborated on the organisation did not receive any
equivalent payment. Yet each woman was asked to send a request to
Debian,
Mozilla,
Wikimedia and maybe other organisations asking for diversity funds
to pay the bus fares, ferry tickets, accommodation and management fee.
In the photos from the conference in May 2017, we could see over twenty
young female students participating. Yet women told me that access to
the trip to
Greece was more tightly controlled. Women needed to get permission
to join this trip.
Various people noticed that two or three men were acting as gatekeepers
and rationing funding and travel opportunities for all the women.
Chris Lamb and I were both warned that something dishonest was
happening. I asked questions but
Lamb didn't want to spoil whatever was going on there.
Here is an example where one of the men is giving one of the women,
Anisa Kuci, permission to go on the trip to
Greece:
Subject: Re: Debian at FOSScamp - funding request
Date: Sun, 13 Aug 2017 19:01:58 +0300 (EEST)
From: Giannis Konstantinidis <giannis@konstantinidis.cc>
To: Chris Lamb <lamby@debian.org>, Silva Arapi <silva.arapi@gmail.com>
CC: leader@debian.org, treasurer@debian.ch, auditor@debian.org,
daniel@pocock.pro, Redon Skikuli <redon@skikuli.com>, ping@anisakuci.com
Hey everyone,
just wish to inform you that unfortunately, due to unforeseen external
factors, I won't be able to make it. I'd like to thank the Debian
community for the generous support. We will stay in touch.
To make sure Debian makes the maximum possible impact at FOSSCamp, I'd
like to sugggest Anisa Kuci (cc'ed ) takes my place. Anisa has been a
longtime experienced member of Open Labs Hackerspace, co-organized OSCAL
and is very much interested in further contributing to Debian.
Thanks once more. I wish the best success to Debian and your
participation FOSSCamp.
Kind regards,
-Giannis K.
Something was not right about this. It is clear that
Chris Lamb, as the leader of
Debianism, had been informed about it since this moment in time
or earlier.
Some women see this type of thing as a sport and they actively seek to
join organisations where they can take shortcuts. Other women were
attracted by the promise of an educational or philosophical project,
they contributed their time and skill helping one or two events in
Albania and then discovered that to qualify for a trip abroad, they
had to do the same things the girlfriends were willing to do. Some
of the women felt even more strongly about this, as it impacts their
professional relationships and job searching, they feel the male
gatekeepers are blackmailing them for sex.
In September 2017,
Jeremy Bicha introduced himself on the debian-private (leaked)
gossip network. He stated he is from
Florida and presented himself as a victim of a woman called Irma
(the hurricane):
Subject: Re: Irma
Date: Sun, 10 Sep 2017 13:52:08 -0400
From: Jeremy Bicha <jbicha@debian.org>
To: debian-private@lists.debian.org
On Sep 8, 2017 15:55, "Jeremy Bicha" <jbicha@debian.org> wrote:
I intend to follow-up on this list on Monday to let you know I'm ok.
Monday is probably too optimistic because of widespread power outages, but I'll check in when I can.
Jeremy Bicha
Subject: Open Labs / Tirana issues
Date: Thu, 12 Oct 2017 18:15:17 +0200
From: Daniel Pocock <daniel@pocock.pro>
To: Larissa Shapiro <lshapiro@mozilla.com>
CC: Kristi Progri <kristi@kristiprogri.com>
Hi Larissa,
I understand you have received some feedback about issues in Tirana
I was there from 27 September - 5 October and observed some of the
troublesome behavior and the impact on people like Kristi.
The behavior towards Kristi and some of the other women is wrong. I can
also see a danger that challenging the people or their behavior may
split the Open Labs group. Nonetheless, I suggested to Kristi and Anisa
that they should put their own wellbeing first.
I sent a funding request to the Outreachy organizers to sponsor Kristi's
trip to Prishtina where she gave a talk at our Mini DebConf. When I
mentioned this funding in the hackerspace, Redon queried this quite
strongly. I don't feel it is any of his business though if I want to
recommend somebody for funding. The following day, Kristi told me that
Redon had called her and shouted at her. The shouting was apparently
witnessed by other women in the hackerspace with Redon. I reported the fact there are problems in the Debian anti-harassment process.
Various people told me that travel sponsorship should be "shared" and
this attitude seems to be connected with Redon's behavior.
I've told Kristi that she did nothing wrong and did not deserve to be
shouted at.
Another problem that occurred to me is that one person who received
Mozilla travel funding, [ .. redacted ..], is 16 years old and is not
legally an adult.
[ .. redacted .. ]
Regards,
Daniel
The discussion continued. The underage risk was acknowledged on the
Mozilla side:
Subject: Re: Open Labs / Tirana issues
Date: Fri, 13 Oct 2017 23:12:14 +0200
From: Daniel Pocock <daniel@pocock.pro>
To: Emma Irwin <eirwin@mozilla.com>, Larissa Shapiro <lshapiro@mozilla.com>
CC: Kristi Progri <kristi@kristiprogri.com>
[ .. redacted .. ]
> I can comment on under-aged contributors - we do have those from time to
> time, and usually on trips at least parents or chaperon are required.
>
Having underage contributors is not an issue itself and I have no
objection to that.
The issue arises when other groups or businesses align themselves with
local Mozilla groups and seek to benefit from those contributors. I'm
not sure how to deal with that risk completely but there are probably
some things Mozilla could do in that area.
Regards,
Daniel
The discussion about underage continued in more emails:
Subject: Re: Open Labs / Tirana issues
Date: Sat, 14 Oct 2017 08:27:24 +0200
From: Daniel Pocock <daniel@pocock.pro>
To: Larissa Shapiro <lshapiro@mozilla.com>, Emma Irwin <eirwin@mozilla.com>
CC: Kristi Progri <kristi@kristiprogri.com>
On 14/10/17 01:51, Larissa Shapiro wrote:
> I'm not sure, but I can seek legal advice on this matter. In my view,
> there is the potential there for other organizations to take advantage
> of these kids.
>
Even if there is no legal problem (in some countries the laws are very
weak), there is also a risk to the reputation of Mozilla and free
software in general.
I wonder if there are other organizations concerned with children's
safety who can help free software organizations develop a reasonable
approach to this risk?
I realize no organization can stamp this out 100%, but there may also be
some little things that can be done to help reduce risk. E.g. maybe
when Mozilla funds travel, requiring the parents to fill out a chaperon
form that must be submitted with receipts, so Mozilla gets the parent's
contact details and the parents see some child safety text on the form.
Somebody trustworthy could sporadically contact parents and the underage
contributors to sniff out any hints of trouble.
Regards,
Daniel
A few weeks later...
Subject: Re: Open Labs / Tirana issues
Date: Wed, 20 Dec 2017 09:19:39 -0800
From: Emma Irwin <eirwin@mozilla.com>
To: Daniel Pocock <daniel@pocock.pro>
Hi Daniel,
Would you be willing to talk to Marta (HR Investigator) and myself about Redon & Elio and your experiences and what you have witnessed?
Thank you
Having informed at least three other organisations who funded this racket,
including
Debian and
Mozilla, my conscience is clean. Nobody can accuse me of protecting an
abuser.
On 25 February 2018,
Jeremy Bicha submits an advocacy for another
Ubuntu developer,
Tim Lunn to become a Debian Developer:
Subject: Tim Lunn: Advocate
Date: Sun, 25 Feb 2018 15:07:40 -0000
From: Jeremy Bicha <jbicha@debian.org>
To: debian-newmaint@lists.debian.org
CC: Tim Lunn <tim@feathertop.org>, archive-455@nm.debian.org
For https://nm.debian.org/process/455/ on 25 February 2018 :
I support Tim Lunn <tim@feathertop.org>'s request to become Debian
Maintainer.
I first started working with Tim in 2012 on packaging for the Ubuntu GNOME
project. Without Tim, Ubuntu GNOME would not have survived.
Tim and I have been interested for a while in reducing the diff and
duplication of work between Debian and Ubuntu with GNOME packages. Tim
getting upload rights to these packages will help with this goal and will
help make Debian GNOME better for our users.
I have personally worked with Tim Lunn <tim@feathertop.org>
(key 0E0880479A6F1063372395275B39C0A1153ACABA) for several years, and I
know Tim Lunn can be trusted to have upload rights for their own packages,
right now.
Thanks,
Jeremy Bicha
In early March 2018, I posted a message in the
Albanian open labs forum asking why some of the money from the non-profit
Open Labs group was being diverted to a private company,
Ura Design, controlled by
Elio Qoshi. I had observed the women were doing all the work for
free in the non-profit association but some of the men were getting
financial benefits out of that work.
The
Albanian ringleader
Elio Qoshi admits complaining to
Chris Lamb, leader of
Debianism, to help cover up the conflicts of interest. In fact,
the relationship between
Open Labs and
Ura Design was analogous to the relationship between
Debian and
Freexian. Although in this case, it was worse, because there was
also the underage problem. Would the leader of
Debianism put the protection of an
Albanian pimp with an underage girlfriend ahead of the work done
by a real Debian Developer?
Subject: [English] FOSScamp 2017 @ Syros, Greece
Date: Mon, 05 Mar 2018 12:16:45 +0000
From: Elio Qoshi <info@openlabs.cc>
Reply-To: Open Labs Hackerspace Forum <forum+ecf37220dfcc7e2ec1a56392b7b00781@openlabs.cc>
To: daniel@pocock.pro
[ ... snip ... ]
I will try to keep this short but I’m not sure how much I will succeed in that, as this will definitely be the last reply from my side here. I have reached out to the Debian Project Leader to close this issue once and for all.
[ ... snip ... ]
On 5 March 2018 I wrote to women from
Albania asking them to share copies of evidence about
Elio Qoshi hurting and exploiting women. The Debianism leader
Chris Lamb immediately barged in with the comments:
Subject: Re: "free travel"
Date: Mon, 05 Mar 2018 16:40:00 +0000
From: Chris Lamb
To: Daniel Pocock , Anisa Kuçi
CC: leader@debian.org, larjona@debian.org, antiharassment@debian.org
[Adding antiharrassment to CC]
Daniel Pocock wrote:
> If Elio or anybody else has made any other comments like this on the
> private members channel or Telegram and you want to discuss them with me
[..]
Anisa, please feel to drop Daniel from any replies you wish to make, if
you even wish to do so.
(Daniel, thank you for your concern but we have got it from this point
onwards. There will be no need for you to reply further on this thread.)
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org / chris-lamb.co.uk
`-
This is the catch-and-kill strategy that had been described
earlier. When women had a story about
Donald Trump, they were encouraged to give the story to the
National Enquirer and not talk to anybody else. What we see is the leader of
Debianism knew about
Elio Qoshi and he didn't want me, as the Fellowship representative,
making an independent assessment of the underage scandal.
In the
Catholic abuse crisis many senior cardinals and bishops are alleged
to have known about abuse and failed to protect people. In the
specific case of
Gerald Ridsdale described earlier, one of the victims, his nephew
David Ridsdale told the Royal Commission that the late
Cardinal George Pell had offered him a bribe for silence. The
woman corresponding with
Chris Lamb and I was
Anisa Kuci. She was given a series of free trips around the world,
internships and eventually a job at
GNOME.
At the time of that exchange,
Anisa Kuci ignored
Chris Lamb's condescending words and replied in full:
Subject: Re: "free travel"
Date: Mon, 5 Mar 2018 23:51:28 +0100
From: Anisa Kuci <anisakuci9@gmail.com>
To: larjona@debian.org
CC: Chris Lamb <lamby@debian.org>, Daniel Pocock <daniel@pocock.pro>,
leader@debian.org, antiharassment@debian.org
Hello Chris, Daniel, Laura,
Thank you very much for being so supportive.
I read the comments on the thread and to be honest I am really sad that
Elio [Qoshi] said that. It is not true at all.
They (Elio [Qoshi] & Redon) pretend to support women but on the other hand their
behavior towards many of us shows the opposite.
Daniel I feel bad because you have encouraged and helped not only me,
but so many other people, no matter if they are Open Labs members or
not, and also all the attendees from Kosova to learn new things, to work
and improve their skills and knowledge. They are doubting your good
intentions just to remove the attention from the shady things that they
are doing.
The free travel comment is really offensive to me and i feel it should
be offensive to every woman who is part of the community.
I have been contributing and supporting Open Labs since its early days,
and I have put a lot of effort and time, I do this because I believe in
what it is meant to stand for and without waiting something in exchange,
but the situation lately has been not very positive. Daniel has been
present by chance in few cases where situations have been very hard to
go through.
I would definitely like to talk to any of you and tell you more about
everything that is happening here, its fine to me whether it is a video
call, call or just emails.
Please tell me what would be more convenient to you.
King greetings,
Anisa
In May 2018, immediately after that lunch, the
FSFE misfits modified their constitution to
remove the elections for Fellowship representatives. I was the last
person elected as a Fellowship representative before the democracy was
trashed. The
FSFE misfits count
Google and
Red Hat as significant sponsors and they didn't want the Fellows to
have a voice if that voice may not be identical to the voice of the
corporate overlords.
In June 2018, the women from
Albania were offered sponsorship for travel to
DebConf18 in
Taiwan. For the cost of transporting one woman from
Albania to
Taiwan, you could transport five women from countries that are much
closer in south-east Asia.
Subject: Re: [rt.debian.org #7328] DebConf travel pre-payment requests
From: Martin Michlmayr
Time: Fri Jun 29 08:56:42 2018
* Hector Oron [2018-06-28 10:55]:
> I added Martin to the list, he'll be taking care of flight ticket
> purchase if you send him flight details.
This has been taken care of.
--
Martin Michlmayr
https://www.cyrius.com/
Here is an example from a male intern who was waiting for payment long after
DebConf15 finished:
Subject: Re: [Soc-coordination] DebConf travel / GSoC student payments?
Date: Wed, 25 Nov 2015 00:25:18 +0530
From: Komal Sukhani <komaldsukhani@gmail.com>
To: Michael Schultheiss <schultmc@spi-inc.org>
CC: treasurer@spi-inc.org, soc-coordination@lists.alioth.debian.org
Hi Michael,
I still don't got the DebConf travel reimbursement. Have you made the payment?
Sorry for trouble.
On Mon, Nov 2, 2015 at 9:54 AM, Michael Schultheiss <mailto:schultmc@spi-inc.org> wrote:
Apologies for the delays in payments. I should have the payments processed this week and payments shoud be received in approximately 1-2 weeks.
Pictures appeared during the conference showing us
Lior Kaplan from
Israel with his arm around a young woman. This is the same woman who had
her ticket purchased in advance.
In July 2018
Enrico Zini gave a talk titled "Multiple People" at
DebConf18 in
Taiwan. There have been a series of these talks over the years where
these men seek out introverted young male developers who lack confidence.
Remember the case of the young French transgender
recruited straight out of high school. This slide appears to be
telling us that paedophiles and
registered sex offenders are welcome:
Spectrum (Enrico Zini)
Every color is ok.
Think about who you are,
not about who you should be.
In July 2018,
Debianists were having a discussion about whether the weboob
package should remain in Debian or be removed. Here is one of the private
emails about it. Notice they want to remove the package that makes vague
references to female anatomy but they welcomed the guy who is on parole
for sex crime against his little sisters.
Subject: Re: weboob package
Date: Thu, 12 Jul 2018 16:24:28 +0200
From: Ansgar Burchardt <ansgar@debian.org>
To: debian-private@lists.debian.org
On Thu, 2018-07-12 at 14:48 +0100, Ian Jackson wrote:
> Colin Watson writes ("Re: weboob package"):
> > (I haven't decided what I think should be done about it; certainly
> > if I
> > were the maintainer I'd want to disassociate myself from it as
> > quickly
> > as possible ... but the quoted text is a terrible argument.)
>
> Quite.
>
> What on earth could one do as the maintainer of such a thing ? Write
> some kind of machinery (a git-filter-branch construction maybe) to
> automatically rename all this arseholery ?
Oh, come on. It's not like they liken setting up an interrupt handler
with rape like, for example, Xen does. I would certainly think less of
those who associate themselves with this kind of thing.
There is no incest sex involved either (unlike for example [1]). No
glorification of genocide, ethnical cleansings or such either (same
file as [1]). (Hmm, I wonder what happens when one submits a patch for
that...)
Sadly we are associated with it, by virtue of packaging it, and thus
promoting it. And I'm ashamed and embarrassed to be associated with
such hateful content.
> I also note that the upstream webpage lists the logos of a number of
> companies, which I hope have some kind of corporate
> not-looking-like-a-total-wazzock policy. I CBA to complain to them,
> but maybe someone would like to start a fire on Twitter.
Yes, please go and start a nice shitstorm. A great idea, brilliant.
Ansgar
[1] https://sources.debian.org/src/bible-kjv/4.30/bible.rawtext/#L495
Subject: Re: weboob package
Date: Fri, 13 Jul 2018 14:29:58 +0200
From: Axel Beckert <abe@debian.org> [ ETH Zurich ]
Organization: The Debian Project
To: debian-private@lists.debian.org
Hi,
Jonathan Dowland wrote:
> Yesterday I stumbled across the "weboob" package for the first time,
> which includes a slew of binaries with names similar to the following:
[...]
So what? I don't see any problem with that. (And I don't see why
there's a thread on debian-private about it.)
Regards, Axel
--
,''`. | Axel Beckert <abe@debian.org>, https://people.debian.org/~abe/
: :' : | Debian Develoober, ftp.ch.debian.org Admin
`. `' | 4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5
`- | 1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE
Jeremy Bicha himself weighed in on the discussion after
Ansgar brought up the incest:
Subject: Re: weboob package
Date: Thu, 12 Jul 2018 10:53:32 -0400
From: Jeremy Bicha <jbicha@debian.org>
To: ansgar@debian.org
CC: debian-private@lists.debian.org
On Thu, Jul 12, 2018 at 10:24 AM Ansgar Burchardt <ansgar@debian.org> wrote:
> There is no incest sex involved either (unlike for example [1]). No
> glorification of genocide, ethnical cleansings or such either (same
> file as [1]). (Hmm, I wonder what happens when one submits a patch for
> that...)
>
> Sadly we are associated with it, by virtue of packaging it, and thus
> promoting it. And I'm ashamed and embarrassed to be associated with
> such hateful content.
Please stop.
At a minimum, if you are serious about removing Bible texts from
Debian, please start a separate thread instead of derailing this
topic. But I think you may have trouble finding consensus for that
viewpoint and I expect it will stir up lots of conflict.
Thanks,
Jeremy Bicha
This is the reality of the so-called diversity in
Debianism: gay male employees in a range of companies and universities
discussing female anatomy with a
registered sex offender during their working hours.
In September 2018, I completely resigned from my role as Fellowship
representative to
the FSFE misfits. I discontinued all involvement with the group and
I encouraged other people to resign too. Therefore, as I resigned and
made the resignation public, there was no way I had any involvement in
the subsequent scandals with women hired in 2019. Those women were only
hired after I resigned. All the complaints made by women concern
psychological abuse from Matthias Kirschner.
In November 2018, the Wayback Machine captured a snapshot of the team in
Elio Qoshi's private company
Ura Design. We can see the underage girl, who may be 17 by this point
in the story, is now being paid to be a
system administrator. System administrators normally have access to all
the data in a company, including the emails of their own bosses and their
colleagues. In small IT companies like this the director normally keeps the
system administrator powers for himself. It is worth remembering the incident
from the team St Kilda in
Australian football. One of the players was dating the woman known as the
St Kilda schoolgirl,
Kimberley Ametoglou (Kim Duthie). Kim was not really from St Kilda,
she was from Frankston, like
Julian Assange. She expertly extracted all the nude photos of the players
from her boyfriend's computer and published them in what came to be known as
dikileaks. It seems highly unlikely
Elio Qoshi was giving his underage girlfriend access to all his files and
emails. In practice, this appears to be a case of privilege escalation.
The men would put the pictures of the young women on a web site like this
to help the women create an online profile. The women would apply to
bigger organisations for travel grants and speaking opportunities at
community conferences.
This is a photo from the
OSCAL conference in
Albania in 2016. There are so many more women than men in the photo.
What is the real reason more women than men were coming to the
OSCAL conferences? Young female students in
Albania earn approximately ten euros per day working in shops and
restaurants. Did somebody pay these girls to attend conferences and make
it look like a real community? One of the women was told that an
Outreachy internship would be too difficult for her but one of the men offered
to help her submit the application if she gave him half the salary.
Even after my lawyer warned him to terminate all attempts to communicate with
me and send someone else to pick up my work laptop, he came in person to my
house, and was very irritated that I was not alone.
What these incidents reveal is the oligarchs in these groups have come
to view the volunteers and the female subordinates as possessions. The
oligarchs feel they have some God-given authority to make decisions about
the lives of those around them.
In late 2018 or early 2019 one of the
Albanian female whistleblowers was given a job at the
GNOME Foundation.
Kristi Progri has been a member of the committee in the non-profit
Open Labs hackerspace in
Albania. She had been one of the organisers of the
OSCAL conferences. She seems to know the identity of every man
who visited
Albania for these conferences. She knows the age of every young
woman who participated in the conferences. Ever since she started
receiving a salary from
GNOME Foundation, there has been no more evidence about
Elio Qoshi and the underage relationships.
On 2 February 2019, at the
FOSDEM conference in Brussels,
Belgium,
Molly de Blanc gave a talk about how companies can bully volunteers with
Code of Conduct gaslighting.
In the slides for her talk, she had selected an infamous graphic of a
cat behind bars:
In 2019,
Google decided to reduce the salaries for
Google Summer of Code (GSoC) interns from $6,000 down to as little as
$3,000 based on each intern's country and
a formula for purchasing power parity. However, the parallel
Outreachy internships, which only pay money to single young women and
don't require the women to write any code, have continued increasing their
salaries a little bit almost every year. For example, a slim and attractive
single young woman in Russia, eastern Europe, India or Brazil is offered
$3,000 to participate in
Google Summer of Code but if the same woman wins an
Outreachy internship, she gets $6,000 and a lot of free trips.
In February 2019, journalist
Frederic Martel released his book
In the Closet of the Vatican. He alleges that eighty percent
of priests in the Vatican are homosexual. In some open source software groups,
including
Debianism, we seem to be looking at a prevelance of homosexuality that
is higher than what is normal for the community at large.
Most gay men are not paedophiles. It is wrong to suggest they would be.
Nonetheless, when a group presents itself as gay-friendly or when a group
provides an opportunity for gay men to gain more respect from society,
as is the case with both the
Catholic church and
Debianism, paedophiles appear to be attracted to the same group.
Therefore, we have to be even more vigilant.
In June 2019, the diversity crowd hijacked the Debian web site and
replaced the logo colours with the colours for Pride month. The majority
of developers did not consent to this:
To: debian-project@lists.debian.org
Subject: Debian supports pridemonth?
From: Gerardo Ballabio <gerardo.ballabio@gmail.com>
Date: Fri, 28 Jun 2019 11:48:18 +0200
Hello all,
I've just seen this on https://micronews.debian.org/ :
"In support of #pridemonth, Debian changes its website logo. The
Debian Project welcomes and encourages participation by everyone
https://www.debian.org/intro/diversity "
May I please ask who decided that and where was it discussed? (I can't
find anything about it at least on -project.)
I do not think that this is appropriate. Welcoming diversity is one
thing, supporting pridemonth is another thing. Pridemonth is a set of
events with a definite political connotation. I don't think that
Debian should take sides on any specific political issues (except of
course issues that have a relation to free software), especially if
that hasn't been discussed at large among project members and there
isn't a clear consensus.
Is it just me (and am I being blatantly wrong, if so please enlighten
me) or do others share my concern?
Thanks
Gerardo
(Not subscribed, please keep me Cc:d)
It feels creepy when these things happen. The people who do these
things don't care about consent. They feel that what is good for them
is good for everybody else too.
In the US Civil Rights movement, there were groups like the
Black Panthers who were very similar to the
Zizian diversity gang in open source software communities. These
people do as they please and they don't care about the law or the
impact on the lives of those they hurt.
Why did they want so many women from
Albania and
Kosovo to visit
DebConf two years in a row? Was it some kind of bribe or hush money
arrangement to prevent further discussion about the former Fedora Ambassador,
who had been photographed with
Chris Lamb in 2017?
In her talk, she displays a hand-drawn slide where we can see three
selfish people like herself pushing one of the developers. This is how
the selfish people get things without paying for them. They use gossip
and violence, just like the fight at
DebConf6.
Molly de Blanc: Well we can use our collective power to push others
On 10 August 2019,
Jeffrey Epstein committed suicide in his prison cell.
In August 2019, the
GNOME annual conference
GUADEC was organised in the city of Thessaloniki in the north of
Greece. It is very close to
Albania and women from the nearby Balkan countries were brought to the
conference on busses.
On 17 September 2019,
Dr Sally Muytjens
completed her PhD thesis on the topic
An exploration of the existence of clergy child sexual
abuse dark networks within the Victorian Catholic Church. It is extremely
relevant to the phenomena we see today in
Debianism. Various people have publicly praised a
registered sex offender and helped him recycle his reputation at
exactly the same time they are trashing the reputations of honest
developers. The blackmail tactics they use, the games they play with the
vocabulary of abuse and the way they operate in packs to reinforce
their worldview all resonate with the scandals the church has been working
so hard to move away from.
In the context of police corruption networks, this code of silence extended to
“prohibiting disclosing perjury or other misconduct by fellow officers, or even testifying
truthfully if the facts would implicate the conduct of a fellow officer� (Chin and Zhang
2008, 238). Merrington (2017, 61) found that police corruption networks exploit the
light network’s resources to facilitate DN operations. Research on a sports doping
network showed that protecting the network included inflicting harm through bribery,
bullying and threats and enforced a code of silence (USADA 2012 cited in Bell, TenHave and Lauchs 2016, 60). A code of silence or omerta was created by the Italian
mafia and is applied to mafia members and anyone who witnesses mafia criminal
activity to ensure silence regarding their illicit activities (UNODC 2008 cited in Bell,
Ten-Have and Lauchs 2016). Omerta extended to a refusal to give evidence to the
police (Fielding 2017,17). Similar methods were utilised by clergy perpetrator
networks within the Victorian Catholic Church to maintain silence and, hence,
resilience of the network of clergy CSA.
The 80,000 messages on debian-private and similar archives in the
FSFE misfits,
GNOME and
Mozilla are analogous to the code of silence in other institutions.
In the
Albanian scandal, the unpaid female volunteers were asked to sign a
Non-Disclosure Agreement (NDA) even before they were abused. In other contexts,
such agreements only appear after the abuse and during negotiation of the
settlement.
In November 2019,
Anisa Kuci, the
Albanian woman who was seated closest to
Chris Lamb at the
DebConf19 conference dinner was awarded a $6,000
Outreachy internship. The woman had previously worked as a waitress and
had no software development experience.
Remember the teenage boys doing unpaid work to bootstrap
Debianism back in the 1990s.
Joel "Espy" Klecker,
Shaya Potter and
Chris Rutter. They did a huge amount of technical work,
they received no payments and some of them
died. When these women from eastern Europe arrived people started
popping champagne and opening the chequebook:
Matthew Garrett spread dozens of message like this without any evidence:
Subject: Re: expulsions vs Reproducible Builds
Date: Tue, 1 Sep 2020 09:52:17 +0100
From: Matthew Garrett <mjg59@srcf.ucam.org>
Reply-To: discussion@lists.fsfellowship.eu
To: discussion@lists.fsfellowship.eu
On Tue, Sep 01, 2020 at 10:26:40AM +0200, Debian Community News Team wrote:
> a) The different approaches taken to complaints about Appelbaum and
> Lange, even though both complaints arrived at the same time.
One of these complaints involved multiple accusations of rape and sexual assault. The other involved an accusation of aggressive and disrespectful behaviour. Do you believe that these things are equivalent?
--
Matthew Garrett | mjg59@srcf.ucam.org
Subject: Re: expulsions vs Reproducible Builds
Date: Wed, 2 Sep 2020 00:40:21 +0100
From: Matthew Garrett <mjg59@srcf.ucam.org>
Reply-To: discussion@lists.fsfellowship.eu
To: discussion@lists.fsfellowship.eu
On Tue, Sep 01, 2020 at 05:59:46PM -0500, quiliro wrote:
> Matthew Garrett <mjg59@srcf.ucam.org> writes:
> > The Universal Declaration of Human Rights does not require that a
> > volunteer organisation grant membership to a rapist, even if said rapist
> > has not been found guilty in a court of law.
> Are you aserting that Jacob Appelbaum is guilty or are you talking about
> someone else? If you cannot prove something, it is a lie.
I am asserting that he's a rapist, an assertion that is backed up by an array of publicly available evidence.
--
Matthew Garrett | mjg59@srcf.ucam.org
These people think that by forming together like a pack of dogs
and repeating the same rumour over and over again they can trick
the whole world to believe it.
One of the reason dishonest people like
Matthew Garrett make such outrageous lies is to cover up the fact the
"diversity" team was bringing real paedophiles into the world of
open source software. This is a classic trick that every junior
magician knows: make the audience look in some other direction while
you discretely move around the evidence.
At some point in 2021,
Elio Qoshi joined
Canonical Ltd, the company making
Ubuntu, as an employee. It looks like he was employed there for a number
of years but eventually they removed him in about 2025. They didn't make any
comment about why he was terminated. It looks like it happened around the same
time they eventually cut ties with
Jeremy Bicha in 2025. Here is a screenshot
of his LinkedIn profile when he was in
Canonical Ltd:
Why are the companies supporting the
Albanians like this? Quite simply,
Elio Qoshi knows the identity of every male developer who visited
the conferences in
Albania. He knows who they spoke to. Most men who look for a wife in
these countries are looking for an adult. If one or two men were looking
for something less than legal then they may well have asked
Elio Qoshi, who had his own underage girlfriend, to help them find what
they wanted. He is one of the few people who would know who those men are
and what they did. The controlling corporations don't know what he knows and
they probably don't want to know either. But what they do know is that as
long as he is on somebody's payroll, the secrets will stay buried.
Shortly after that,
IBM Red Hat began a legal case to seize the domain name
WeMakeFedora.org. They used my blog
Google, FSFE & Child Labor as their evidence that I was publishing
"critical commentary". The legal panel ruled in my favor and moreover,
ruled that
IBM Red Hat was using the legal process to harass me.
See the legal documents here.
In hindsight,
now that everybody knows the truth about
Elio Qoshi and
Jeremy Bicha, people can see that I had good reason to publish the grave
concerns I have about the
FSFE misfits recruiting children to do unpaid work.
In January 2022,
Canonical, the company of
Mark Shuttleworth, decided to employ
Jeremy Bicha. It is not clear if he was previously being paid as a
subcontractor while in prison or on parole. It appears that the move to
permanent employment coincided with the end of his parole period in 2021.
Did the company know he was on parole while interacting with their
developers?
In February 2022, people noticed the speaker profile for
Elio Qoshi had been
removed from the web site of the
FOSDEM conference. No explanation was given. When
FOSDEM removed him, other volunteers were never officially warned about
the issues with underage girls and harassment.
On 14 June 2022,
Anisa Kuci, the waitress from
Albania who sat next to
Chris Lamb at the
DebConf19 conference dinner is given voting rights in the
GNOME Foundation. Many real developers do not have voting rights in
these associations and foundations. The oligarchs appear to be stacking
the associations with personal friends who will vote for the same oligarchs
to keep their positions on the board every year.
The woman eventually appears to become an employee of the association
as well. However, it is not clear if she was on the payroll at the
time the oligarchs made her
a voting member.
From 20 to 25 July 2022,
GNOME's annual conference
GUADEC is in
Mexico during the same week that
DebConf22 is in
Kosovo. The two women from
Albania could take the bus to
Kosovo for fifteen euros each but somebody buys them tickets for flights from
Albania to
Mexico. The money paid for these flights could have been used to buy bus
tickets for twenty more women from local universities in central American
countries close to
Mexico.
Jeremy is a member of the Debian GNOME and Canonical Desktop teams. He lives in Florida and this will be the first DebConf he has attended. [in the year after his probation finished]
Fact checking, over 20,000 women in
Kosovo reported being victim of rape as a war crime back in the late 1990s.
Many of the young women I met at events in
Kosovo appear to have been born at the time of the war.
Trevor Kitchen, a 41-year-old British citizen resident in Switzerland, was arrested by
police in Chiasso (canton of Ticino) on the morning of 25 December 1992 in connection
with offences of defamation and insults against private individuals. In a letter addressed to
the Head of the Federal Department of Justice and Police in Berne and to the Tribunal in
Bellinzona (Ticino) on 3 June 1993 he alleged that two police officers arrested him in a bar
in Chiasso and, after handcuffing him, accompanied him to their car in the street outside.
They then bent him over the car and hit him around the head approximately seven times
and carried out a body search during which his testicles were squeezed. He claimed he was then punched hard between the shoulder blades several times. He said he offered no
resistance during the arrest.
He was then taken to a police station in Chiasso where he was questioned in Italian (a
language he does not understand) and stated that during the questioning "The same
policeman that arrested me came into the office to shout at me and hit me once again
around the head. Another policeman forced me to remove all of my clothes. I was afraid
that they would use physical force again; they continued to shout at me. The one policeman
was pulling at my clothes and took my trouser belt off and removed my shoe laces. Now I
stood in the middle of an office completely naked (for 10 minutes) with the door wide open
and three policemen staring at me, one of the policemen put on a pair of rubber surgical
gloves and instructed me to crouch into a position so that he could insert his fingers into my
anus, I refused and they all became angry and started shouting and demonstrating to me the
position which they wanted me to take, laughing, all were laughing, these police were having a
good time. They pointed at my penis, making jokes, hurling abuse and insults at me, whilst I
stood completely still and naked. Finally, when they finished laughing, one of the
policemen threw my clothes onto the floor in front of me. I got dressed."
He was transferred to prison some hours later and in his letter claimed that during the
night he started to experience severe pains in his chest, back and arms. He asked a prison
guard if he could see a doctor but the request was refused and he claimed the guard kicked
him. He was released on 30 December 1993. Medical reports indicated that since his
release he had been experiencing recurrent pain in the area of his chest and right shoulder
and had been receiving physiotherapy for an injury to the upper thoracic spine and his right
shoulder girdle.
Volunteers discovered
over $120,000 was taken out of Debian bank accounts and used for legal fees
to try and have me molested or killed. Why did they spend so much money on this
vendetta? They are terrified about people who express concern about abuse. They
paid $120,000 in legal fees because they feel more comfortable with
Jeremy Bicha, the man who raped his little sisters, than with
the independent volunteer elected by the Fellowship in 2017.
Subject: Matthias Geiger: Advocate
Date: Thu, 10 Nov 2022 13:26:16 -0000
From: Jeremy Bicha (via nm.debian.org) <nm@debian.org>
Reply-To: debian-newmaint@lists.debian.org, Matthias Geiger
<matthias.geiger1024@tutanota.de>, archive-1128@nm.debian.org,
Jeremy Bicha <jbicha@debian.org>
To: debian-newmaint@lists.debian.org
CC: Matthias Geiger <matthias.geiger1024@tutanota.de>,
archive-1128@nm.debian.org, Jeremy Bicha <jbicha@debian.org>
For nm.debian.org, at 2022-11-10:
I support Matthias Geiger <matthias.geiger1024@tutanota.de>'s request to
become a Debian Maintainer.
I have sponsored numerous uploads for Matthias including 6 new source
packages. He has prepared many new packages with a particular focus on
GNOME apps and Rust libraries to build GNOME apps. Creating new packages
is one of the more complex packaging tasks for Debian. His work has been
consistently high quality. We have also worked together to improve the
initial packaging.
Beyond packaging skills, Matthias has been pleasant to communicate with.
I have personally worked with Matthias Geiger
<matthias.geiger1024@tutanota.de>
(key C2E1A6CBFDECE511A8A4176D18BD106B3B6C5475) for 7 months, and I know
Matthias Geiger
can be trusted to have upload rights for their own packages, right now.
Jeremy Bicha (via nm.debian.org)
In January 2023, the late
Cardinal George Pell, former treasurer of the
Vatican, appeared in news reports from Rome talking about the death of
Pope Benedict. The news reports prompted me to look at the unredacted
Case Study 35 about the Archdiocese of Melbourne. I was shocked to see
the similarities to the
Debianism culture and
social engineering attacks. I printed a lot of the evidence about
Enrico Zini blackmailing and defaming people over so many years. On
10 January 2023, I drove across the Great St Bernard Pass to Aosta in
Italy. I walked in to the Carabinieri station and explained the
similarities between the exploitation of victims in
Debianism and in the
Catholic abuse crisis. In the same hour that I was in the Carabinieri
station, as a witness to these crimes, unbeknownst to me,
Cardinal George Pell was having surgery in Rome. He died four
hours later.
Authorities in
Australia pretended the crisis died with
Cardinal George Pell. He had avoided certain questions and surely there
is nobody else left alive who knows the answers to those questions.
On 1 March 2023,
minutes of a
GNOME Foundation Executive Committee meeting capture the names of
Anisa Kuci and
Sonny Piers together for the first time. At this point, she is not on
the list of people receiving payments from
GNOME Foundation. There are serious ethical concerns when members of
the CoC-committee are physically intimate with the very people
they are making up rumours about. Likewise, there are serious ethical
concerns when staff members are able to intercept and suppress
CoC-committee complaints about their workmates and their own boss.
We already discussed the way these CoC schemes are similar to
the catch-and-kill strategy the National Enquirer used to
purchase and suppress stories about
Donald Trump.
These financial and sexual conflicts of interest are even more disturbing
when the conflicts of interest are totally hidden from the victims of
defamation created by these gangsters.
It appears there are now two women from
Albania who were being paid to work on the organisation of
GUADEC and assist other events like
DebConf. Up to this point, the organisations had always insisted
that if volunteers wanted an event they have to organise it themselves.
Nobody had any public discussion about changing the strategy and having
a mix of volunteers and paid event staff. It is vital to ask the question:
did the oligarchs create these jobs because the community chose to
change the strategy or did these jobs get created because somebody wanted
these two specific girls from
Albania to have jobs?
GNOME hired the first girl at the end of 2018. Some time later, the
other girl went to
Outreachy, then she went to
Wikimedia Italia, an organisation that relies on a lot of volunteers
who don't get paid. A list of her past relationships was circulated and
the people doing unpaid work became upset. Shortly after that, it looks like
GNOME took her on their payroll. The fact that
GNOME has ended up with two girls from the same
Albanian background adds weight to the argument that the jobs were created
for these specific girls rather than to fill some general need.
Remember, in 2018 and 2019, these are the same girls who asked the
Debianists to buy their travel tickets in advance while all the other
young interns had to buy tickets with their own money and wait for
reimbursement.
Why did
Kristi Progri get a big title, Director of Project Management but when
Anisa Kuci joined
GNOME they call her an Administrative Assistant? Both girls
grew up together in the same building. They both joined the
Open Labs group together. Either one job title is being overstated or
the other job title is understated. It looks like the job for the second girl
was only created as part of the catch-and-kill strategy to keep
women on side so they won't repeat the things they told me in 2017 and 2018
about the
Fedora Ambassador
Elio Qoshi.
On 10 May 2023,
Jeremy Bicha writes another advocacy for
Matthias Geiger to be promoted from Debian Maintainer to Debian Developer:
Subject: Matthias Geiger: Advocate
Date: Wed, 10 May 2023 15:06:23 -0000
From: Jeremy Bicha (via nm.debian.org) <nm@debian.org>
Reply-To: debian-newmaint@lists.debian.org,
Matthias Geiger <matthias.geiger1024@tutanota.de>,
archive-1181@nm.debian.org,
Jeremy Bicha <jbicha@debian.org>
To: debian-newmaint@lists.debian.org
CC: Matthias Geiger <matthias.geiger1024@tutanota.de>,
archive-1181@nm.debian.org,
Jeremy Bicha <jbicha@debian.org>
For nm.debian.org, at 2023-05-10:
I support Matthias Geiger <matthias.geiger1024@tutanota.de>'s request to
become a Debian Developer, uploading.
I have worked with Matthias Geiger on GNOME packages since March 2022.
Matthias has created new Debian packages
for several GNOME related apps and libraries and maintained them well
ever since.
Matthias has been very instrumental in doing the major prerequisite work
to get newer GNOME apps written in Rust
into Debian Trixie. This is very complicated but important work.
I have personally worked with Matthias Geiger
<matthias.geiger1024@tutanota.de>
(key C2E1A6CBFDECE511A8A4176D18BD106B3B6C5475) for 14 months, and I know
Matthias Geiger
can be trusted to be a full member of Debian, and have unsupervised,
unrestricted upload rights, right now.
Jeremy Bicha (via nm.debian.org)
Matthias Geiger is a very common name.
Jeremy Bicha has vouched for him but neither of them have told us if they
have any conflicts of interest, for example, if they both work for the same
employer,
Canonical Ltd or if they ever shared a prison cell together.
On 11 September 2023,
Jeremy Bicha writes an advocacy for
Amin Bandali. This time he reveals that they are both working at the same
company,
Canonical Ltd, the maker of
Ubuntu. Some people have serious ethical concerns about
Ubuntu developers and co-workers writing references for each other like
this because they are under pressure to serve the needs of their company
rather than being objective about Debian.
Subject: Amin Bandali: Advocate
Date: Mon, 11 Sep 2023 14:15:25 -0000
From: Jeremy Bicha (via nm.debian.org) <nm@debian.org>
Reply-To: debian-newmaint@lists.debian.org,
Amin Bandali <bandali@gnu.org>,
archive-1211@nm.debian.org,
Jeremy Bicha <jbicha@debian.org>
To: debian-newmaint@lists.debian.org
CC: Amin Bandali <bandali@gnu.org>,
archive-1211@nm.debian.org,
Jeremy Bicha <jbicha@debian.org>
For nm.debian.org, at 2023-09-11:
I support Amin Bandali <bandali@gnu.org>'s request to become a Debian
Developer, uploading.
I have personally worked with Amin Bandali <bandali@gnu.org>
(key BE6273738E616D6D1B3A08E8A21A020248816103) on the Debian GNOME team
since the end of 2022. He has packaged updates for a variety of GNOME
packages. Earlier this year, he officially joined the Debian GNOME team
and has been entrusted with DM upload rights to several packages. He has
used those upload rights well.
Amin Bandali also has interest and skill with troubleshooting build
issues on non-amd64 architectures which is why he is not just a DM, but
a "DM with guest account".
Amin Bandali is a coworker with me at Canonical since late 2022. His
primary job duties are not .deb packaging for Debian and he was already
maintaining packages in Debian before joining Canonical.
I firmly believe that the Debian Project will benefit from granting
Debian Developer, uploading status to Amin Bandali. I know Amin Bandali
can be trusted to be a full member of Debian, and have unsupervised,
unrestricted upload rights, right now.
Jeremy Bicha (via nm.debian.org)
Oddly enough, those messages were exchanged at the same time as
DebConf23 in
India. On 9 September 2023, I sent the coroner for Cambridgeshire a
written warning about the risk for health and safety in
Debianism, with a reference to the culture and the blackmail behaviour:
Subject: Re: Inquest Christopher Rutter - Information Request
Date: Sat, 9 Sep 2023 18:59:26 +0200
From: Daniel Pocock <daniel@pocock.pro>
To: Coroners <Coroners@cambridgeshire.gov.uk>
Hi [redacted],
I've updated the document with some extra email evidence and two more
deaths, both of those being under management from a doctoral candidate
at Cambridge.
Based on my own experience of both Debian culture, the Pell situation
and the evidence in these emails, I feel that there is an ongoing risk
to the health of people who engage with this culture.
Please kindly confirm if the coroner can escalate this to the relevant
people or whether you need somebody to present the document in person.
Regards,
Daniel
Abraham Raji died three days later. It is the first case of somebody dying at
DebConf. It was anticipated, therefore, it was avoidable.
During 2023, there was a high profile underage rape and incest prosecution in
South Australia. A bakery on the Eyre Peninsula had recruited
fifteen-year-old girls to do some baking, smile at the customers and help
the owner have more children. The man in charge and his wife were both
convicted. Three children were born in one seven month period. The baker's
father had shared one of the girls. There are thirteen children and they
need to make DNA tests to verify which man is responsible for each of them.
Newspapers described it as a
cult-like living arrangement but it is not uncommon for workers to live
with their boss when in a remote location like this. When you look at the
remoteness of the location and the nature of such jobs where the young girls
are living at their workplace, it has some similarity to the situation where
Jeremy Bicha and his little sisters were living a life that was isolated
from other children.
Also in May 2024, minutes of the
GNOME Foundation board have been redacted to hide discussions about
Sonny Piers and the "staffing", which really means the hush money being
paid to the
Albanian female whistleblowers.
Sonny Piers was secretly expelled at this point but it is redacted in
the minutes.
On 18 July 2024, immediately after they shut down the
Open Labs web site and discussion forum in
Albania, an anonymous account is created in the
GNOME Foundation forum on
Discourse. The account is used to post a hideous defamation about
Sonny Piers, who they had expelled with a secret trial in May. Dozens of
discussions and news reports appear about
Sonny Piers being banned from
GNOME. The girls are insisting that everybody should know they
decided to humiliate
Sonny but nobody is allowed to ask why the girls are obsessed
with humiliating him. Whenever messages like this appear, they always hint
at some sort of bad sexual etiquette. As we saw with every other case,
such as
Ted Walther in 2006 and
Dr Jacob Appelbaum in 2016, these rumours are not only false but
they have been deliberately fabricated by some chronically dishonest people
intent on harming male volunteers and our families.
The defamation message about
Sonny Piers explicitly mentions "Code of Conduct" but what they
really mean is "Code of Silence". They are doing all this to stop
Sonny Piers talking about payments to one of the
Albanian girls or something similar to that.
I am no longer a member of the board of directors of the GNOME Foundation since May 2024. The process and decision shocked me. I know people are looking for answers, but I want to protect people involved and the project/foundation. It was never an interpersonal conflict for me.
Remember,
Sonny Piers has been doing voluntary work for twenty years and he
contributed substantial intellectual property. The Albanian girls who
were secretly added to the
GNOME payroll only work when they receive money
and they only go to events when somebody, usually the male oligarchs,
buy the tickets for them.
The community had elected
Sonny Piers to the board. As a member of the board it is absolutely
certain he saw privileged information about the payments to
Albanian female whistleblowers. However, he may not have been told
the real reason for those payments. He may have asked questions about
why the same girls are selected for every diversity grant. All this
happened in
GNOME Foundation immediately after the controlling corporations
shut down the
Open Labs group in
Albania. Follow the money / girls.
The
GNOME Foundation hired two girls from
Albania. Now we see the policies of
Enver Hoxha and totalitarianism being reincarnated in a non-profit
voluntary organisation. History is repeating itself.
Jeremy Bicha had engaged in real abuse of his little sisters when they
were six and nine years old. As a voting member of the
GNOME Foundation and a member of the Release Team he has a higher
status than
Sonny Piers. Why can people go to the web site of the
Manatee County Court and read all the details about real abuse of the
little sisters but we are not allowed to know anything about the questions
Sonny Piers was asking at board meetings?
Here is an example of the things
Jeremy Bicha was convicted for:
Reading comments like that reminded me of the way misfits on
debian-private (leaked) discussed the words used by
the parents of
Frans Pop after he committed suicide:
Subject: Re: Death of Frans Pop
Date: Sat, 21 Aug 2010 13:39:21 +0100
From: Colin Watson <cjwatson@debian.org>
To: debian-private@lists.debian.org
On Sat, Aug 21, 2010 at 01:52:33PM +0200, Ludovic Brenta wrote:
> Steve McIntyre <steve@einval.com> writes:
> > "Yesterday morning our son Frans Pop has died. He took his own life,
> > in a well-considered, courageous, and considerate manner. During the
> > last years his main concern was his work for Debian. I would like to
> > ask you to inform those members of the Debian community who knew him
> > well."
>
> Does that imply he took his own life *because* of Debian, which was "his
> main concern"?
This is probably the wrong thread for linguistics, but that phrase would
normally just indicate that Debian was his main interest. In
http://oxforddictionaries.com/view/entry/m_en_gb0169810 under "noun",
this would be sense 2 rather than sense 1.
--
Colin Watson [cjwatson@debian.org]
What is so much more sensitive about the
Sonny Piers drama that
GNOME will not tell us? Did he do something that is even worse than
raping a little girl? Or did he stumble onto an inconvenient truth about
Albanian girls that must be hidden from the community at all costs?
My suspicion is that this is more than somebody's sex life at stake.
It is not unusual for people to hook up with their colleagues in student unions
and open source software conferences. Some of the women have told me they
were under pressure to lie. Paying women to create or repeat a lie,
knowing it is a lie, undermines trust in the whole organisation that
paid for those lies.
Software producers are particularly keen to maintain the trust of the
community. The moment people stop trusting the
GNOME developers everybody will abandon the project. How could we
trust these developers if they used the foundation's funds to make
payments to a woman who spread a lie or defamation?
After you pay a woman to lie, you can't sack that woman. You have to
keep her on the payroll until she's ready to have children and become
a stay-home mother.
I suspect that is why
Anisa Kuci was immediately given a job at
GNOME after the end of her relationship with
Wikimedia Italia. Somebody didn't want to see her join some random
employer where random developers will ask her to disclose details about
the conspiracies at
DebConf19.
It is important to reflect on these secrecy tactics. These tactics
create the type of environment where real abusers can thrive.
I've nominated Jeremy BÃcha to GNOME Advisory Board. Jeremy has volunteered to represent Debian at GUADEC in Denver.
Sonny Piers, like other victims, was censored and humiliated indefinitely
while the
registered sex offender is put up on a pedestal to supposedly be the
representative of the rest of us. I certainly didn't consent to him speaking
for me.
Furthermore, how can a
Canonical Ltd employee be representing the interests of both
Debianism and
the
Ubuntu misfits at the GNOME Advisory Board? The conflict of interest
is enormous. It isn't possible for him to do both at the same time.
In March 2025, shortly before
DebConf25, we saw
Jeremy Bicha began contributing to the
Debian-Edu project. That is the derivative of Debian created to
meet the needs of the education industry. Why does he have schools on his mind?
Jeremy Bicha's status as a
registered sex offender is intended to prevent him being employed
inside a school. By collaborating on
Debian-Edu, he gains credibility that allows him to interact with
schools as a volunteer. This looks like privilege escalation. He was
engaged in this while he was an employee of
Canonical Ltd and
Ubuntu.
At
DebConf25 in Brest,
France, the
GNOME
talk from
Jeremy Bicha was scheduled for 14 July, the French national holiday. In
France, the day normally starts with parades by the military and the
emergency services, including the police. Therefore, people were asked to
choose between applauding the
police as they marched through Brest or watching a
registered sex offender giving a talk in the university campus.
Putting this type of diversity on display at a prominent event feels like
the thin end of the wedge. Brest is a city known for its strong naval history.
Jeremy Bicha had been discharged from the US Navy after they found out.
Like the rogue
Russian spy-ships who periodically sail the English channel,
Debianists have decided to test the waters of diversity by putting this
man on display. They wanted to see how the public reacts. They want us to
know this is the new normal. The victims were only six and nine years old.
On the scale of sexual offences, these were some of the worst. By
putting this out in the open, they make it easier to bring in offenders
who have less serious crimes.
Back in the 1970s, people like this tried to create organizations
like the
Paedophile Information Exchange (PIE) where their cause was published
in broad daylight. Within a few years these organisations had been
outlawed. The lesson they have learnt from those prosecutions is the
need to affiliate themselves with more general causes like diversity
and then expand the definition of diversity to include, by stealth, all
kinds of people who are irreconcilably incompatible with the rest of us.
We already looked at the prosecution of
Matthias Kirschner for the
psychological abuse of
Galia Mancheva. Sooner or later another oligarch will face one of these
prosecutions. If it is somebody the cabal wants to protect, they can remind
us how
Jeremy Bicha came to
DebConf25 and it didn't kill anybody. They will remind us the diversity
statement says anybody is welcome as long as you display total
submission to their
CoC.
This time, instead of using an anonymous account,
Robert McQueen has written the post under his own name. He tells us the
punishment has been reduced:
The Board is providing this information to clarify the decisions made in this case, and to eliminate any uncertainty within the GNOME community about the matter.
In fact, the very long post does not include any example of the questions
Sonny Piers asked about the
Albanian women. Therefore, we all remain totally in the dark.
the Board also voted that Sonny will not be eligible for appointment in any position of authority within the Foundation, or to act as an agent on behalf of the organization, or to have paid work with the GNOME Foundation. This means that he will be unable to be a committee member, director, officer, staff member or contractor, or officially represent the GNOME Foundation to other entities. The Board resolution put these restrictions in place on an indefinite basis.
Turn that statement on its head: why does
Robert McQueen feel more comfortable with the Ubuntu man who
popped the cherry of a six year old than he does with an
independent developer who the community voted onto the board?
On 4 April 2026,
Oscar Langley asked about it in the election discussion for the next leader
of
Debianism. None of the candidates would reply to questions about child
safety.
Subject: DebConf25 decisions affecting Child Safety and talk scheduling
Date: Sat, 4 Apr 2026 11:01:37 +0000
From: Oscar Langley <oscar.langley@hotmail.com>
To: debian-vote@lists.debian.org <debian-vote@lists.debian.org>
I understand this topic may be somewhat tangential to the election mailing list, but I reviewed the list of voters in this year's DPL election and discovered that Jeremy Bicha is a Debian developer who cast a ballot: https://vote.debian.org/~secretary/leader2026/voters.txt
If you search up his name on Google, the very first result is his profile on Florida's Sexual Offender and Predator System, as he molested multiple preteen girls throughout the 1990's and confessed to all this in court.
https://offender.fdle.state.fl.us/offender/sops/flyer.jsf?personId=85068
https://wng.org/articles/the-high-cost-of-negligence-1617309216
Being a child molester is most likely a violation of the Debian Code of Conduct, and if it is not, it is reprehensible enough to call into question his continued status as a member of the project.
Additionally, there are two more important questions about Bicha's relationship with the Debian Project that have yet to be answered. Bicha was due to speak at DebConf25 last year, an event that children were permitted to attend. The livestream also experienced technical issues when his talk was about to start, leaving it unclear whether he actually spoke.
The two questions are:
1. What factors led to the decision to allow children in the presence of Bicha?
2. Was Bicha' talk was canceled, or did it indeed take place but was simply never streamed?
And a third question is begged:
3. Why hasn't the Debian Project cut ties with Bicha?
but one person made a reply praising the extreme definition of diversity:
Subject: Wasn't sure where to send but thank you...
Date: Wed, 8 Apr 2026 12:08:58 -0400
From: Star Light Catcher <catcherstarlight@gmail.com>
To: debian-project@lists.debian.org
I would just like to say, I would sometimes browse the reddits for Linux and in the general Linux reddit I saw someone saying the project was "in trouble" and worried I went to the Debian reddit to look into it... And what I'm very sad to say I found was people being very cruel and closed minded about the fact that the project seems to be valuing inclusion and bringing in new voices and talents to the FOSS community and the Debian project... So, I no longer really read reddit for Linux news but I very much wanted to say how much I've adored using Debian these past 8 months since switching to Linux. It's been rock solid, my best experience on Linux ever (and despite only switching 8 months ago I had tried Linux many times since 2010! Tons of different distros!) Debian has been genuinely an oasis from so much of what is wrong about modern tech, all while being built on what is obviously such a solid foundation I can't see myself switching back to Distros which genuinely often seemed to nuke themselves with little cause from me, and I've done plenty of things to ride my installs of Debian hard and it's never faltered at all.
And about the people behind the Debian project... In a time of increasing authoritarianism and such a huge increase to push minorities even further to the fringes... Debian embracing diversity during all of this... It warms this trans woman's heart who has felt such a sense of dread at the way the world is going. So thank y'all genuinely. Linux users are known to distrohop but... I can't imagine ever needing anything but the Universal Operating System ever again 🫂 and what brings me such joy is that it feels that it's not just universal, as in, for all devices, but universal, as in /for everyone/. 💜
Thank you for all you do, I plan to up my donation when I can,
Star Elizabeth Wilkerson 🦄â�ï¸�
Ben Carroll is the Deputy Premier and Education Minister for the
State of Victoria. On Mother's Day in 2024, he posted a picture
of himself with his local priest, who I'll simply refer to as Father X:
In 1994, the Archdiocese of Melbourne had to exfiltrate another priest,
Fr Barry Robinson, from
Boston. Father X was tasked with the mission. In particular, the scope of
his mission was far bigger than the exfiltration. Father X was also asked to
look at the crisis in
Boston and report back to his superiors in
Australia. This was eight years before the Spotlight news
reports raised public awareness of the scandal. The priest who gives
communion to
Victoria's Education minister had himself learnt about the extent of
the global crisis and expressed concern about warehousing paedophiles:
After returning from
Boston,
Fr Barry Robinson had lived in the same house as Father X while
the US authorities continued their investigation.
Fr Barry Robinson had admitted abuse but they decided not to
prosecute him at all. The church decided to ignore his admission and
put him back into practice:
In 2024, another lawsuit cast attention on
the use of scholarships for the two children of a victim. People gain
status in society through attending these elite high schools. There is a risk
that this perpetuates the culture of silence. It is analogous to the
manner in which some open source software organisations are giving people
internships, big titles and speaking opportunities so they will stay
silent about abuse in
Albania
Here is the redacted deed that mentions scholarships:
In February 2025, The Monthly published and then almost immediately
took down an article by
Louise Milligan titled The True Legacy of the Rapist George Pell.
The late Cardinal Pell had been successful in his appeal and the conviction
had been overturned by the High Court. Therefore, calling him a rapist is
a very strong defamation. Nonetheless, copies of the article are easily found
online.
The Debian Diversity statement tells us the definition of diversity
is very large. A lot like the National Council of Civil Liberties in
the 1970s, the Diversity Statement says anyone is welcome
(up to the day when you ask an ethical question). At
DebConf25, they demonstrated the definition of anyone includes
registered sex offenders. He is not the only one and he won't be
the last one.
Some time ago I used a feature in KDE called “Run a command” when an event triggered. It triggered for me when a calendar event fired and used Piper TTS to read the event to me out loud. A small popup and a pling don’t work for me.
I tried to get the feature back into KDE, but since the merge request isn’t going anywhere and people don’t give details how to implement it correctly I wrote Sigrun now. It is named after a Norse Valkyrie and is short for Signal Run.
It is a systemd service running as a user and listening on DBus signals. Once it finds a configured one, it runs its command. The desktop doesn’t matter.
Here is the rule that reads my calendar reminders aloud via kde-tts.py:
What appears to be an attempt to assassinate the US President
Donald Trump has dominated the news today. There are numerous people on
social control media suggesting the suspect,
Cole Thomas Allen, may be gay or transgender, like the
Zizian problems. Some people make comments
about a handwritten note left for his transgender partner.
In fact, these comments appear to be identical to the description of
Tyler Robinson, the man who assassinated
Charlie Kirk. They are not necessarily fake news. We simply don't have
enough information to say if the rumours are fake or if they are true.
496.
The plaintiff and other victims feel great apprehension, based on what happened to Dr
Appelbaum's home, based on the drawings of civil disorder, based on the way the Zizian group
behaved, that if these vigilantee tendencies are not constrained then they will again manifest
themselves in physical acts of vandalism or violence.
While working on the new git signing feature for
tumpa-cli I noticed that some of
the commits can not be verified. For a moment I freaked out and then thought it
must be a problem in my code. But, I could not dig enough. Opus 4.7 helped me
to find the eaxct commit in git's history and a reproducer. I reported the issue to the
maintainers
and they are working on a fix.
\xc2\xa7 aka ยง was the cause for me.
msg.txt body
sign stdin (tee'd)
stored commit body
verify
git 2.43 (host)
... 20 a7 0a
... 20 c2 a7 0a
... 20 c2 a7 0a
OK
git 2.53 (CI, docker)
... 20 a7 0a
... 20 a7 0a
... 20 c2 a7 0a
BAD
git 2.43 transcoded the message to UTF-8 BEFORE calling the signer;
signer and storage saw the same bytes (c2 a7). git 2.53 hands the
signer the RAW bytes (a7) and transcodes only on the way to the
commit object (c2 a7). The invariant "bytes fed to gpg.program at
sign time equal the bytes a verifier sees when it reads the commit
back" is broken.
git config i18n.commitEncoding iso-8859-1 is supposed to be the configuration
if we have non UTF-8 characters. But, I never knew about this configuration
before I found the bug.
I want to thank my friends in Anthropic for letting me use the tools and
techonology to keep building.
The Linux operating system represents one of the most significant technological achievements in modern computing. From powering enterprise-grade servers to running embedded systems and smartphones, Linux has become a cornerstone of digital infrastructure. Unlike proprietary operating systems, Linux is open-source, meaning its source code is freely available, modifiable, and distributable. This openness has fostered a global ecosystem of developers, organizations, and communities contributing to its rapid evolution.
Originally created in 1991 by Linus Torvalds, Linux was inspired by UNIX, a multi-user, multitasking operating system developed in the 1970s at AT&T Bell Labs . Today, Linux is not just an operating system but a family of systems—commonly referred to as distributions—that serve a wide variety of computing needs.
Linus Torvalds | Linux was inspired by UNIX
Historical Background
UNIX Foundations
To understand Linux, one must first examine UNIX. UNIX introduced key principles such as modular design, multi-user capabilities, and multitasking, which influenced nearly all modern operating systems . These principles include:
Separation of concerns
Use of simple tools that perform specific tasks
File-based abstraction of system resources
Linux adopted these design philosophies while remaining independent in implementation.
Birth of Linux
Linus Torvalds developed the Linux kernel as a personal project while studying at the University of Helsinki. Initially intended as a free alternative to MINIX, Linux quickly attracted contributions from developers worldwide.
The GNU Project, which had already developed essential tools like compilers and shells, complemented the Linux kernel. Together, they formed what is commonly referred to as a GNU/Linux system.
Growth and Adoption
Over time, Linux evolved from a hobbyist system into a dominant force in computing:
Late 1990s: Adoption in server environments
Early 2000s: Enterprise support (e.g., Red Hat, SUSE)
2010s onward: Dominance in cloud computing, mobile (Android), and DevOps
Today, Linux powers the majority of web servers, supercomputers, and cloud infrastructures.
Linux | A Terminal session
What is Linux?
Linux is often described as a Unix-like operating system, but technically it refers to the kernel, the core component responsible for managing hardware resources and enabling communication between software and hardware .
A complete Linux operating system includes:
The Linux kernel
System libraries
Shell interfaces
Utilities and applications
These components together form a fully functional computing environment.
Architecture of Linux
Linux follows a layered architecture that separates concerns and ensures modularity. The primary components include:
Kernel
The kernel is the heart of the system. Its responsibilities include:
Process management
Memory management
Device drivers
File system management
It ensures that multiple applications can run concurrently without interfering with each other .
Linux uses a monolithic kernel architecture, meaning that most services run in kernel space, offering high performance but requiring careful design to maintain stability.
Linux | Architecture of Linux
System Libraries
System libraries provide an interface between applications and the kernel. They simplify development by offering reusable functions for common operations.
For example:
File I/O operations
Memory allocation
Process control
These libraries abstract low-level kernel interactions.
Shell
The shell is the command-line interface (CLI) that allows users to interact with the system. It interprets commands and executes them through the kernel.
Each distribution is tailored to specific use cases, such as servers, desktops, or embedded systems.
Key Features of Linux
Open Source
Linux is distributed under open-source licenses, allowing users to:
Modify source code
Redistribute software
Customize systems
This fosters innovation and collaboration.
Multiuser and Multitasking
Linux supports multiple users simultaneously and can run multiple processes concurrently, ensuring efficient resource utilization.
Security
Linux is known for its strong security model:
User permission systems
File access controls
SELinux and AppArmor frameworks
These features make Linux ideal for servers and enterprise environments.
Stability and Performance
Linux systems are highly stable and can run for long periods without rebooting. This makes them suitable for mission-critical applications.
Portability
Linux runs on a wide range of hardware architectures, including:
x86
ARM
RISC-V
Linux File System
Linux uses a hierarchical file system structure rooted at /.
Directory Structure
Key directories include:
/home – user files
/etc – configuration files
/bin – essential binaries
/var – variable data (logs, caches)
File Permissions
Each file has permissions for:
Owner
Group
Others
Permissions include read (r), write (w), and execute (x).
Linux Commands and CLI
The command-line interface is a defining feature of Linux.
Common Commands
ls – list files
cd – change directory
pwd – print working directory
cp, mv, rm – file operations
Advanced Tools
grep – text search
awk, sed – text processing
top – process monitoring
Mastering these commands enables efficient system management .
Package Management
Linux distributions use package managers to install and manage software.
Examples
APT (Debian-based systems)
DNF (Fedora-based systems)
Pacman (Arch Linux)
Zypper (openSUSE)
Advantages
Dependency resolution
Easy updates
Secure repositories
Applications of Linux
Linux is used across diverse domains:
Servers and Cloud Computing
Linux powers most web servers and cloud platforms due to its stability and security .
Software Development
Developers prefer Linux for:
Native support for programming languages
Powerful command-line tools
Integration with DevOps pipelines
Cybersecurity
Distributions like Kali Linux are widely used for penetration testing and digital forensics.
Embedded Systems and IoT
Linux runs on routers, smart devices, and industrial systems due to its lightweight nature.
Supercomputers
Most of the world’s supercomputers run Linux because of its scalability and performance.
Advantages and Disadvantages
Advantages
Free and open-source
High security
Customizable
Strong community support
Disadvantages
Steep learning curve for beginners
Limited support for some proprietary software
Hardware compatibility issues (rare but possible)
Linux vs Other Operating Systems
Linux vs Windows
Feature
Linux
Windows
Cost
Free
Paid
Customization
High
Limited
Security
Strong
Moderate
Ease of Use
Moderate
High
Linux vs macOS
macOS is Unix-based (BSD) but proprietary, while Linux is open-source and more customizable.
Linux in Modern Computing
Linux plays a central role in:
Cloud computing (AWS, Azure, Google Cloud)
Containerization (Docker, Kubernetes)
Artificial Intelligence and machine learning
Edge computing
Its flexibility makes it indispensable in modern IT infrastructures.
Future of Linux
The future of Linux is promising, driven by:
Growth in cloud computing
Expansion of IoT devices
Increased demand for open-source solutions
Emerging trends include:
Integration with AI systems
Enhanced security frameworks
Improved user-friendly distributions
Conclusion
Linux is more than just an operating system—it is a paradigm of open collaboration and technological innovation. Its modular architecture, flexibility, and robustness make it suitable for virtually every computing environment, from embedded devices to supercomputers.
As technology continues to evolve, Linux remains at the forefront, powering critical systems and enabling innovation across industries. For computer scientists, developers, and IT professionals, understanding Linux is not just beneficial—it is essential.
If you work with patches and git am, then you’re probably used to seeing patches fail to apply. For example:
$ git am CVE-2025-14512.patch
Applying: gfileattribute: Fix integer overflow calculating escaping for byte strings
error: patch failed: gio/gfileattribute.c:166
error: gio/gfileattribute.c: patch does not apply
Patch failed at 0001 gfileattribute: Fix integer overflow calculating escaping for byte strings
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config set advice.mergeConflict false"
This is sad and frustrating because the entire patch has failed, and now you have to apply the entire thing manually. That is no good.
Here is the solution, which I wish I had learned long ago:
$ git config --global am.threeWay true
This enables three-way merge conflict resolution, same as if you were using git cherry-pick or git merge. For example:
$ git am CVE-2025-14512.patch
Applying: gfileattribute: Fix integer overflow calculating escaping for byte strings
Using index info to reconstruct a base tree...
M gio/gfileattribute.c
Falling back to patching base and 3-way merge...
Auto-merging gio/gfileattribute.c
CONFLICT (content): Merge conflict in gio/gfileattribute.c
error: Failed to merge in the changes.
Patch failed at 0001 gfileattribute: Fix integer overflow calculating escaping for byte strings
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config set advice.mergeConflict false"
Now you have merge conflicts, which you can handle as usual. This seems like a better default for pretty much everybody, so if you use git am, you should probably enable it.
I’ve no doubt that many readers will have known about this already, but it’s new to me, and it makes me happy, so I wanted to share. You’re welcome, Internet!
Motivation: dealing with multiple Toolbox containers¶
Lately, I've been getting annoyed by my current Bash prompt offering me a poor
UX when dealing with multiple Toolbox containers.
The prompt lacked crucial information: to which of the running containers a
given shell belongs to?
I did a quick search to see if there's an easy fix I'm missing out but it turned
out there is a long-standing desire to improve Toolbox's UX in this respect and
multiple approaches have been discussed/tried. Here are some relevant tickets:
Discovering the old and new version of Bash Color Prompt¶
After looking around on how to update my Bash prompt to become
"container name"-aware, I came across Fedora's shell-color-prompt package
which was conveniently just a dnf install bash-color-prompt away (strangely,
the source package is named shell-color-prompt while the binary package is
named bash-color-prompt, see also RHBZ #2291024).
My attempts at configuring the Bash prompt to be "container name"-aware with the
help of shell-color-prompt didn't look very promising.
I had a little epiphany when discovering that shell-color-prompt's maintainer,
Jens Petersen, recently wrote a replacement for it: namely Bash Color Prompt
(bcp). Jens describes it as having a cleaner declarative approach for creating
one's custom Bash prompt.
It worked and its declarative approach at creating a custom Bash prompt was
really easy to follow and tailor to my needs.
Currently, until the new version of Bash Color Prompt (bcp) is packaged in
Fedora (and other distributions), a simple way to install it is to just grab the
bash-color-prompt.sh file directly from its GitHub repository and put it
somewhere in your home directory.
Afterwards, just source and configure it in your .bashrc file. Here is how
I've done it:
# Use the new Bash Color Prompt (bcp) by Jens Petersen (Red Hat) to handle PS1.# NOTE: Temporarily, I've just copied the script from:# https://github.com/juhp/bash-color-prompt/blob/main/bash-color-prompt.shif[-f$HOME/bash-color-prompt.sh];thensource$HOME/bash-color-prompt.sh
fi# Configure bcp.
bcp_layout(){localexit_code=$1# hexagonbcp_container
# opening [bcp_append"["# user@host or user@container(host)localuser_color="green"if[[$EUID-eq0]];thenuser_color="red";filocalmachine="\h"if[-f/run/.containerenv];thencontainer_name=$(grep-oP'(?<=name=")[^"]+'/run/.containerenv)machine="$container_name(\h)"fibcp_append"\u@$machine ""$user_color;bold"bcp_title"\u@$machine:\w"# directorybcp_append"\w""blue"# git statusbcp_git_branch" ""magenta""yellow"# status indicatorif[[$exit_code-ne0]];thenbcp_append" ✘$exit_code""red;bold"fi# actual prompt charbcp_append"]\$ ""default"}# Initialize bcp.
bcp_init
Release Candidate versions are available in the testing repository for Fedora and Enterprise Linux (RHEL / CentOS / Alma / Rocky and other clones) to allow more people to test them. They are available as Software Collections, for parallel installation, the perfect solution for such tests, and as base packages.
RPMs of PHP version 8.5.6RC1 are available
as base packages in the remi-modular-test for Fedora 42-44 and Enterprise Linux≥ 8
as SCL in remi-test repository
RPMs of PHP version 8.4.21RC1 are available
as base packages in the remi-modular-test for Fedora 42-44 and Enterprise Linux≥ 8
as SCL in remi-test repository
ℹ️ The packages are available for x86_64 and aarch64.
ℹ️ PHP version 8.3 is now in security mode only, so no more RC will be released.
I usually don’t want all of the files in the linux Kernel for my ctags. Sometimes I want a cvery small subset: a set of C files and the included header files.
#!/bin/sh
for CFILE in drivers/net/mctp/mctp-pcc.c drivers/mailbox/mailbox.c drivers/mailbox/pcc.c drivers/mailbox/mailbox.h
do
echo $CFILE
for HFILE in `grep "#include <" $CFILE | cut -f2 -d '<' | sed 's/.$//' `
do
echo include/$HFILE
done
done
Dans cet article, je détaille la mise en place d’une authentification mTLS avec Cloudflare afin de sécuriser l’accès à mes métriques Prometheus. Un cas concret avec reverse proxy Apache et intégration dans Grafana.
The question was simple enough: How good of an image editor can you build with $20 worth of
Claude Code Pro subscription?
The answer, after one month and roughly that budget, is: surprisingly good, occasionally wrong
about performance, and frustratingly confident about things it hadn’t measured.
RasterLab is a non-destructive RAW image editor written in Rust, built almost entirely by Claude
Code. Not prototyped by it, not scaffolded by it — actually built by it, with me driving
direction and reviewing the output. One month, four weekly usage blocks, one image editor.
Thanks all, and apologies if I missed something or someone.
Aaron Merey added two new options to helgrind.
To control helgrind tracing of internal synchronization, threading and memory events use –show-events=1|2|3.
Use –track-destroy=no|yes|all to checks for missing pthread_mutex_destroy and pthread_rwlock_destroy calls. With yes, helgrind warns when pthread_mutex_init or pthread_rwlock_init is called on the address of a live (undestroyed) lock. With all, Helgrind also reports undestroyed locks at process exit.
Valgrind has separate VEX IR translators for AMD64 and x86 (32 bit) code. While the AMD64 translator has seen support for new encodings and instruction sets, the x86 translator has not.
Alexandra Hájková decided to port the SSE4.1 instruction set from the AMD64 translator to the x86 translator and add backend support. This is ongoing work, see the bug dependency tree.
But many more 32bit programs using SSE4.1 should now run under Valgrind.
Andreas Arnez and Florian Krohm did a lot of work on the s390x support.
Andreas added support for new s390x z/Architecture features from the 15th edition. This enables running binaries compiled with -march=arch15 or -march=z17 and exploiting the new MSA extensions 10-13.
Florian Krohm integrated binutils objdump for s390x disassembly in VEX. And did a lot of s390x code and facilities cleanups. s390x machine models older than z196 are no longer supported.
Martin Cermak maintains the Linux Test Program (LTP) valgrind integration, which checks our syscall wrappers work correctly. And he makes sure newer linux syscalls are wrapped. Valgrind 3.27.0 adds support for file_getattr, file_setattr, lsm_get_self_attr, lsm_set_self_attr, lsm_list_modules. And corrects various syscall and ioctl corner cases.
Martin also added Valgrind address space manager support for tracking linux kernel lightweight guard pages, created through madvise (MADV_GUARD_INSTALL).
These guard pages are very low overhead for the kernel because they aren’t tracked as separate VMAs and don’t show up in the process proc maps. But Valgrind does still need to know whether the addresses are accessible. A new –max-guard-pages option controls the memory Valgrind reserves for tracking these pages.
Paul Floyd had more commits than all others combined for this release. Paul takes care of the alternative toolchains, Solaris/illumos, FreeBSD and Darwin/MacOS ports.
Tested Oracle Solaris 11.4, OpenIndiana Hipster and OmniOS. FreeBSD works on both amd64 and arm64, support for 16.0-CURRENT has been added.
A lot of code in valgrind 3.27.0 to support MacOS was previously maintained by Louis Brunner out of tree.
There are two new client requests (macros defined in valgrind.h)
VALGRIND_REPLACES_MALLOC Returns 1 if the tool replaces malloc (e.g., memcheck). Returns 0 if the tool does not replace malloc (e.g., cachegrind and callgrind) or if the executable is not running under Valgrind.
VALGRIND_GET_TOOLNAME Get the running tool name as a string. Takes two arguments, an input buffer pointer and the length of that buffer.
Welcome to another update about everything that’s been happening at the GNOME Foundation. It’s been four weeks since my last post, due to a vacation and public holidays, so there’s lots to cover. This period included a major announcement, but there’s also been a lot of other notable work behind the scenes.
Fellowship & Fundraising
The really big news from the last four weeks was the launch of our new Fellowship program. This is something that the Board has been discussing for quite some time, so we were thrilled to be able to make the program a reality. We are optimistic that it will make a significant difference to the GNOME project.
If you didn’t see it already, check out the announcement for details. Also, if you want to apply to be our first Fellow, you have just three days until the application deadline on 20th April!
donate.gnome.org has been a great success for the GNOME Foundation, and it is only through the support of our existing donors that the Fellowship was possible. Despite these amazing contributions, the GNOME Foundation needs to grow our donations if we are going to be able to support future Fellowship rounds while simultaneously sustaining the organisation.
To this end, there’s an effort happening to build our marketing and fundraising effort. This is primarily taking place in the GNOME Engagement Team, and we would love help from the community to help boost our outbound comms. If you are interested, please join the Engagement space and look out for announcements.
Also, if you haven’t already, and are able to do so: please donate!
The schedules for both of these upcoming events are currently being worked on, and arrangements for catering, photographers, and audio visual services are all in the process of being finalized.
The Travel Committee has also been busy handling GUADEC travel requests, and has sent out the first batch of approvals. There are some budget pressures right now due to rising flight prices, but budget has been put aside for more GUADEC travel, so please apply if you want to attend and need support.
April 2026 Board Meeting
This week was the Board’s regular monthly meeting for April. Highlights from the meeting included:
I gave a general report on the Foundation’s activities, and we discussed progress on programs and initiatives, including the new Fellowship program and fundraising.
Deepa gave a finance report for October to December 2025.
Andrea Veri joined us to give an update on the Membership & Elections Committee, as well as the Infrastructure team. Andrea has been doing this work for a long time and has been instrumental in helping to keep the Foundation running, so this was a great opportunity to thank him for his work.
One key takeaway from this month’s discussion was the very high level of support that GNOME receives from our infrastructure partners, particularly AWS and also Fastly. We are hugely appreciative of this support, which represents a major financial contribution to GNOME, and want to make sure that these partners get positive exposure from us and feel appreciated.
We reviewed the timeline for the upcoming 2026 board elections, which we are tweaking a little this year, in order to ensure that there is opportunity to discuss every candidacy, and reduce some unnecessary delay in final result.
Infrastructure
As usual, plenty has been happening on the infrastructure side over the past month. This has included:
Ongoing work to tune our Fastly configuration and managing the resource usage of GNOME’s infra.
Deployment of a LiberaForms instance on GNOME infrastructure. This is hooked up to GNOME’s SSO, so is available to anyone with an account who wants to use it – just head over to forms.gnome.org to give it a try.
Changes to the Foundation’s internal email setup, to allow easier management of the generic contact email addresses, as well as better organisation of the role-based email addresses that we have.
New translation support for donate.gnome.org.
Ongoing work in Flathub, around OAuth and flat-manager.
Admin & Finance
On the accounting side, the team has been busy catching up on regular work that got put to one side during last month’s audit. There were some significant delays to our account process as a result of this, but we are now almost up to date.
Reorganisation of many of our finance processes has also continued over the past four weeks. Progress has included a new structure and cadence for our internal accounting calls, continued configuration of our new payments platform, and new forms for handling reimbursement requests.
Finally, we have officially kicked off the process of migrating to our new physical mail service. Work on this is ongoing and will take some time to complete. Our new address is on the website, if anyone needs it.
That’s it for this report! Thanks for reading, and feel free to use the comments if you have questions!
ActBlue is the online fundraising platform used by
US Democratic party candidates. It is the subject of a major scandal
that has gripped the congress. It has been linked to
Debianism, another disappearing developer and in a parody of other
Debianism scandals, there are possibly two people using the same name,
one being the wife of the missing developer and the other being a
US Senate candidate who claims to have exposed the
ActBlue scandal.
These Github screenshots confirm that
Decklin Foster was affiliated with
ActBlue and vanished in 2018:
Accusations have been made about the concealment
of illegal foreign donations and deception of Congress.
Chris Gleason has nominated to represent Florida in the US Senate.
Gleason registered using a post office box and created a domain name,
voteforgleason.com using an anonymous service in
Iceland.
Gleason's profile on
X/Twitter has no photo while their
Facebook profile is completely disabled.
Up to 2016, we can see that
Decklin Foster was listed in the public filings of ActBlue Civics, Inc
as either a senior engineer or at one point, as
Director of Information Technology.
On 1 January 2015,
Decklin Foster's PGP key was removed because it was only 1024 bits.
Most developers had created stronger keys before this mass removal of
insecure keys took place.
In 2019, the
Debian Account Managers asked the keyring managers to completely remove
Decklin Foster from the Debian keyring. There was no
Statement on Decklin Foster so far.
Clicking the links to see the statements about the removal does not
work. An error message tells us the messages about
Decklin Foster's removal from
debianism are all private.
If you’re interested in me, I have started using Google
Plus. If you’re interested in my work, I’m on Github. I was a Debian developer for some time, but
I’ve mostly given that up. I currently work for ActBlue and live in Cambridge, MA with
my wife.
Clicking on "my wife", we find the web site of Chris Gleason at
http://cgleason.org/.
chris gleason is a graphic designer, zine creator, and print maker in chicago, illinois. they love ...
Therefore, the Debian Developer
(
What is a Debian Developer?) who was Director of Information Technology
for
ActBlue was married to a female or transgender
Chris Gleason. Is this the same person as the elusive male
Chris Gleason who is now running for the US Senate in Florida on
claims about corruption at
ActBlue? Or is it simply a bizarre coincidence that two people so
closely connected with this scandal share the same name?
In 2017, the Trans Women Writers Collective published the book
Nameless Woman, written by trans women of colour. In the credits,
the trans women thank
Decklin Foster.
This anthology was made possible by the
generous support of hundreds of people. In
particular, we would like to thank Annaya Youkai, Kieran Todd, Sadie Laett-Babcock, Adelaida
Shelley, Jaime Peschiera, Kai Cheng Thom, Talon
Wilde, David Cope, Alex Meginnis, Decklin Foster,
and Eli Nelson for their help.
On 22 July 1999,
Raphael Hertzog, known for the
Freexian scandals wrote a message asking people to do unpaid work
on orphaned packages in the hope that their application to become a
Debian Developer would be approved more quickly:
To: debian-devel-announce@lists.debian.org, debian-devel@lists.debian.org, debian-qa@lists.debian.org, debian-mentors@lists.debian.org
Subject: [New maintainer] Working for Debian and becoming a registered Debian developer
From: Raphael Hertzog <rhertzog@hrnet.fr>
Date: Thu, 22 Jul 1999 18:06:26 +0200
[ Large crosspost to start the discussion, please reply to debian-devel
only. Simply respect the reply-to. ]
Hello everybody,
you may or not be aware that getting a Debian developer is quite long. I
want to propose a solution to facilitate the integration of new
Debian developers.
It's quite simple. In order to fully learn how Debian works, the best
solution is :
- to adopt orphaned packages and correct their bugs
- that your work should be checked by an official developer (I'll call
it the sponsor).
Of course, as long you're not a registered Debian developers you cannot
upload your packages. The soluton is that the sponsor will upload the
package you'll do. The official maintainer will be
debian-qa@lists.debian.org. After all when you correct bugs on orphaned
packages, you're doing Quality Assurance.
This does also allow you to get new bugs in your mailbox. You just need
to subscribe to debian-qa@lists.debian.org. You would be allowed to
open/close/set the severity/forward the bugs since all debian-qa members
can do it on debian-qa packages.
If the sponsor finds that you've done a good job with the package, he
will explain that to the new maintainer team in the hope that your
application will be processed faster. And when you'll be
official Debian developper, you'll be able to change the Maintainer field
to your name.
I'll propose myself to be a sponsor. We'll need more sponsor ... any
volunteers ? Hopefully several people from debian-qa will accept to be
sponsor like me ...
All the future Debian developers interested should also reply ...
Any input appreciated !
Cheers,
--
Hertzog Raphaël >> 0C4CABF1 >> http://prope.insa-lyon.fr/~rhertzog/
Decklin Foster was one of the people recruited by those tactics.
To: debian-devel@lists.debian.org
Cc: debian-mentors@lists.debian.org
Subject: Re: [New maintainer] Working for Debian and becoming a registered Debian developer
From: Decklin Foster <decklin@home.com>
Date: Thu, 22 Jul 1999 13:39:13 -0400
Raphael Hertzog writes:
> Of course, as long you're not a registered Debian developers you cannot
> upload your packages. The soluton is that the sponsor will upload the
> package you'll do. The official maintainer will be
> debian-qa@lists.debian.org. After all when you correct bugs on orphaned
> packages, you're doing Quality Assurance.
Sounds good, I'll subscribe right after I finish writing this. I'm
also trying to work on non-orphaned backages as well (for example
right now i'm fixing a bug in gsfonts-x11.) So keep in mind that you
can always just send patches :)
--
Debian GNU/Linux - http://www.debian.org/
The Web is to graphic design as the fax machine is to literature.
Not only was
Decklin under the influence of
Hertzog, they were also under the influnce of the
Red Hat share offer. This email encourages speculation on the
IPO:
To: debian-devel@lists.debian.org
Subject: Re: SPAM from Red Hat
From: Decklin Foster <decklin@home.com>
Date: Wed, 21 Jul 1999 09:57:45 -0400
Martin Bialasinski writes:
> is it only me, or did you also get this spam from Red Hat about stock
> options?
>
> Oh man - the bigger the company, the less clueful people?
On #debian last night, it was suggested that we use our opportunity to
buy some of this stock and sell it when the price goes up. This money
could then be used to fund Debian, buy new hardware, improve our
network connection, etc. Does anyone else think this is a Good
Idea(TM)? I would be willing to donate as much as I reasonably could.
--
Debian GNU/Linux - http://www.debian.org/
The Web is to graphic design as the fax machine is to literature.
Of interest to those watching the
ActBlue saga, there is an email about hacking and cracking:
To: debian-devel@lists.debian.org
Subject: Re: [New maintainer] Working for Debian and becoming a registered Debian developer
From: Decklin Foster <decklin@home.com>
Date: Thu, 22 Jul 1999 16:37:40 -0400
Carl Mummert writes:
> Hacking is a serious crime
Cracking is a serious crime. Breaking into computer systems without
permission is a serious crime. Violation of privacy and theft of
confidential information is a serious crime.
Now what does this have to do with hacking?
> The fact remains that the debian policy is to discourage new
> developers by making it slow and difficult to get an account.
I have no problem with waiting, and I'd rather not look bad just
because some people keep speaking badly about the new-maintainer team.
We don't need another flamewar here. People have work to do.
--
Debian GNU/Linux - http://www.debian.org/
The Web is to graphic design as the fax machine is to literature.
They had a blog on another web site. It is captured in the Wayback
machine up to 2012. The last snapshot with the index is here:
http://blog.rupamsunyata.org/. The last blog post:
I'm the fuel that fires the engine of Failure
So, the Democrats in my very blue state put up a depressing, entitled, out-of-touch candidate for our vacant senate seat and she lost. The only reason I voted for her was because she wasn't a Republican. Supporting someone you don't even slightly like is psychologically draining.
At this point, I would vote for a Democratic party (or a Republican party!) with the exact same fiscal policy as the current Republicans if they actually made a principled, moral stand on equal protection and civil rights, habeas corpus/due process, and reproductive rights. Those don't cost anything[1].
Maybe they should be solved before the stuff that does cost billions of dollars. As it is my choice is weak, almost grudging support for those rights from people who want to hand the economy over to the government, and disgusting, immoral, vehement opposition to them from people who want to hand the economy over to wealthy corporations.
Neither side is doing anything effective to keep us free, or to keep the market free. Each side says or implies that this is a Christian nation, which it explicitly isn't, while failing to do what's right. Sometimes I want to give up and stop voting.
[1] Conversely, of course, it doesn't cost anything to take people's rights away, or prevent them from getting rights in the first place; I think this is why anti-gay-marriage ballot measures have been more successful in the current recession. Some people get their kicks from the suffering of others.
Accessing the blog from 2013 onwards we can see
the front page has been replaced with the message:
This blog is not being updated. Old entries are still around, but I'm turning off the front page for now.
contributors.debian.org tells us that
Decklin Foster stopped contributing in February 2011, immediately
before the
death of Adrian von Bidder-Senn on our wedding day.
Chris Gleason is not on the list at all. If
Decklin had abandoned
Debianism, why did it take eight years to remove them from the keyring?
Reading the full history of the
Debian Harassment culture, we can see many other co-authors were
removed for purely political reasons and blackmail but keys belonging to the
people who had abandoned the project and people who died were left in
the keyring for years.
To: debian-devel <debian-devel@lists.debian.org>
Subject: RFA: all my packages
From: Decklin Foster <decklin@red-bean.com>
Date: Thu, 10 Feb 2011 17:11:05 -0500
Message-id: <1297375750-sup-7355@gillespie.rupamsunyata.org>
I'm looking for a new maintainer for, well, any of these. My heart is
not in it anymore and most of them have been neglected for a while.
Recently my free time has been taken up by other things (mainly my job)
and I forsee that continuing.
http://qa.debian.org/developer.php?login=decklin%40red-bean.com
python-beautifulsoup and mpd need attention for proposed-updates; I
missed getting them into Squeeze. rxvt-unicode is a total clusterfuck.
If any desktop-type packages remain I will orphan them, as I am only
running Debian on servers now. Apart from that, perhaps with a greatly
reduced load I can still make a tiny contribution to the community. If
not, I will retire.
--
things change.
decklin@red-bean.com
Various scholarly articles from Harvard experts on depression have
thanked
Decklin Foster for their contributions in 2008 and 2009.
Decklin Foster was collaborating on this world-class depression
research at exactly the same time they were part of the
debian-private discussions that precipitated the
Debian Day Volunteer Suicide in 2010.
Subject: Re: Death of Adrian von Bidder
Date: Fri, 22 Apr 2011 09:39:49 +0200
From: A Mennucc <mennucc1@debian.org>
To: debian-private@lists.debian.org
Il 19/04/2011 18:17, martin f krafft ha scritto:
> Dear Debian colleagues,
>
> I have the sad task to communicate to you the news of the death of
> Adrian von Bidder (avbidder, cmot), who passed away last Sunday,
> most probably of a heart attack.
I had contacted Adrian regarding the Debian umbrella.
So I had also a chance of seeing a picture of him
http://blog.fortytwo.ch/archives/80-Yay!-Debian-Logo!.html
In that picture he seemed quite happy and young.
His death is quite shocking and sad.
a.
There is a
Decklin Foster profile on Youtube that hasn't been used for nine
years. There are four subscribers. One of the videos has the
comment:
Mixed these together on my show (editsradio.org) this week and really liked the result, so here it is on its own, slowed down and a little extended.
Photo taken at the Wilbur Theater in Boston on 2012-07-31.
The last snapshot of
editsradio.org is on 6 April 2015. After that, the content is
changed to Arabic. From 15 August 2015, it is redirecting to another site,
also in Arabic, at
http://www.17serialbaran.org.
It would be extremely offensive to ask such a question in any other
group of people but in the world of
Debianism and
Zizian phenomena, there are a disproportionate number of people who
are living such lifestyles.
Chris Gleason was born in Lowell, Massachusetts. Gleason's career experience includes working as a technology consultant. He served in the U.S. Army National Guard from 1989 to 1999. Gleason earned a bachelor's degree from the University of Massachusetts, Lowell in 1996. Gleason has been affiliated with Caribbean Christian Center for the Deaf, Michigan -Make-A-Wish, Seniors Helping Seniors.
In the recent UK elections, journalists and researchers found various
examples of candidates who didn't really exist. At least one political
party was accused of making up fake candidates to make their party
look bigger and attract more donations.
I have the impression the
Chris Gleason in
Florida is a different
person but I'm not ruling out the possibility it is a fake profile
or an alter-ego of
Chris Gleason, wife of
Decklin.
The Committee on House Administration, the Committee on the Judiciary, and the
Committee on Oversight and Government Reform are charged with ensuring the integrity of American elections. To that end, the Committees are examining allegations that ActBlue, a leading political fundraising organization, allowed bad actors, including foreign actors, to exploit its online platform to make fraudulent political donations.
CEO at NextMed Holdings, LLC CEO at Translational Analytics and Statistics, LLC
Chris Gleason is a board member at Our Mayberry, a company focused on revolutionizing charitable giving and fundraising.1 He is a lawyer, entrepreneur, and community philanthropist with multiple leadership roles in charities helping children.3 Gleason has also been involved in various business ventures and has held executive positions in different companies.
In addition to his role at Our Mayberry, Gleason has served as a board member for the Goldwater Institute since 2013.5 He was also recently appointed as the president and CEO of Moximed, a medical device company, in June 2024.2
Gleason has a background in sales leadership, having previously worked as VP of sales at Relievant and VP of sales of interventional urology at Teleflex.2 He has also been involved in political activities, receiving income from Election Watch, a Wisconsin-based group, in 2024.4
It's worth noting that Gleason has recently entered the political arena, running for the position of Pinellas County Supervisor of Elections in Florida for the 2024 election. His campaign has been controversial, as he has made unsubstantiated claims about election fraud and criticized the incumbent, Julie Marcus.
In the case of another Debian Developer,
Paul Tagliamonte, he really was working in the White House and the
Pentagon. We have a photo to prove it:
Chris Gleason's campaign web site has the title
Whistleblower in big letters. This implies he was an insider
or he was connected to an insider, in other words, his claim to be
a whistleblower encourages us to ask about the bizarre possibility that he
really is or was the transgender wife of
ActBlue's missing director of
information technology,
Decklin Foster.
Here is one more interesting leak from the
debian-private leaked gossip network. It shows us that
Decklin Foster was in favor of the practice of dividing the community
and humiliating people. It looks like he supported the humiliation of
Sven Luther at the very time he was working in the Harvard Medical
School's depression research team. Sven's mother was dying at the time
this bun fight erupted.
Subject: Expulsion process: Sven Luther
Date: Thu, 01 Mar 2007 00:00:29 +0100
From: Joerg Jaspert <joerg@debian.org>
Organization: Goliath-BBS
To: debian-private@lists.debian.org
...
Now, the list of people who sent something in for the process:
Anthony - Requestor
Supporters, unordered:
srivasta@debian.org
mbanck@debian.org
tbm@cyrius.com
93sam@debian.org
fs@debian.org
jgoerzen@complete.org
fjp@debian.org
dilinger@debian.org
joeyh@debian.org
liw@iki.fi
stappers@stappers.nl
tolimar@debian.org
jeroen@wolffelaar.nl
tfheen@debian.org
micah@riseup.net
decklin@red-bean.com
tb@becket.net
tytso.mit.edu
The conflict between
Sven Luther and
Frans Pop appears to be a factor in the eventual suicide of
Frans Pop. The whole group failed.
Subject: [Very long] Post-partem rant and retrospective
Date: Thu, 31 May 2007 03:56:11 +0200
From: Frans Pop <elendil@planet.nl>
To: debian-private@lists.debian.org
I've decided to write this in a separate mail because I'm afraid this may get long. Quite a bit of this has been written before, but I hope some of you will bear with me.
[snip]
So, what has made me decide to leave the project. It's a combination of just plain emotional stress over the whole Sven Luther issue, frustration with the inability of the project to deal with that and with some other issues, and frustration with the fact that a fair number of members of the project seem to feel that as long as you don't upload packages with trojans, pretty much anything is OK.
and eventually....
Subject: Resignation
Date: Sun, 15 Aug 2010 21:41:18 +0200
From: Frans Pop <elendil@planet.nl>
To: debian-private@lists.debian.org
It's time to say goodbye. I don't want to say too much about it, except that I've been planning this for a long time.
Participating in Debian has been great.
...
At 11pm local time in eastern Australia, a huge fire broke out at
the Viva Energy refinery in Corio, Geelong.
There has been a near-total news vacuum. This may be deliberate or it
may be a consequence of cost-cutting that has replaced many journalists with
artificial intelligence. The few human journalists who remain in
the profession may have already gone to bed when the fire started.
The national broadcaster, the ABC, was quick to include it in their
list of breaking news items but without much detail. About three hours
after the fire started, it was present on the web site of 9 News but
not visible on the web sites of 7 News, Herald Sun or The Age. About
five hours after the fire started, the local newspaper Geelong Advertiser
included it in their
Facebook account.
The story is newsworthy for a number of reasons.
Australia previously had eight refineries but six of them were
phased out and never replaced.
Australia relies on foreign refineries for over eighty percent of
fuel. With the Corio refinery out of action, there is only one domestic
refinery left. Therefore, it is surprising the news media have been
so slow to pick up the story.
The next big reason it is newsworthy is the war in
Iran.
None of the news reports have commented on the fact that
Richard Marles, the deputy prime minister and the minister for defence
is the local member of parliament for the region where the refinery
is located.
In the news vacuum, people have been quick to share rumours on
social control media. Some people are speculating about the
prospect of a drone attack. In Europe last year there were reports about
Russian drones launched from cargo ships in international waters and
interfering with European airports. Other reports have speculated about
cargo ships using their anchors to sabotage pipelines and communications
cables on the sea floor.
France intercepted and seized a ship connected with
Russia.
Another user on
social control media has commented that there was a technical incident
at the plant earlier in the day and the fire could be nothing more
than an accident.
People would be wise not to jump to conclusions. Even if it is a
terror attack, it may not be
Iran. In recent news reports,
Russia announced they had the right to attack any countries who
are sending support to
Ukraine. The French company Thales manufacturers the BushMaster
armored personnel carriers in
Bendigo and the government donated some of them to
Ukraine. Low cost cardboard drones manufactured in
Australia have also been donated to
Ukraine.
There's a disconnect in the AI Engineering space right now and I think that the
open source community has alread risen to the occasion to bridge the gap, but
I don't see any signal that it's well understood or widely adopted.
The industry is overwhelmingly focused on building agents from
scratch via custom frameworks, bespoke orchestration layers, hand-rolled
tool-calling loops, etc. when many of the hard problems have already been solved
in that layer of the stack. The building block exists. It's open source. It's called
goose.
I think for over 90% of use cases, if you're spending your time implementing an
agent from scratch, you're already behind or potentially have already lost the race.
My hypothesis is that Goose is the building block. It's the small, composable
thing that becomes powerful when you wrap it in what the industry is rapidly agreeing
is called the Harness.
The composable agent you didn't know you needed
Most people hear "goose" and think either "another AI coding assistant" or "another
AI chatbot" (depending on how they came across goose and how they use it). That
misunderstanding is the problem. Goose is not a coding assistant. It is not a
chatbot. It is not a Claude Code competitor, though it can be configured to act
as all of those things. At its core, goose is a small, configurable agent
runtime with an extension-based architecture that can be composed into virtually
anything.
It operates on three components:
Interface: Desktop app or CLI/TUI that collects user input and displays
output.
Agent: The core logic engine that manages the interactive loop: sending
requests to LLM providers, orchestrating tool calls, and handling context
revision.
Extensions: Pluggable components built on the Model Context Protocol
(MCP) that provide specific tools and
capabilities.
A small core with a lot of power delivered through native extensions, external
plugins, and configuration options. The agent core itself is minimal, it's an
interactive loop plus context management. That's it. All capabilities come
through the extension system.
You can strip goose down to nothing. No external capabilities. No tool calling.
No skills. No plugins. You can even configure it so it cannot access the
internet, only the inference service to talk to the model (which can be local).
At that point, it's a plain chatbot with no agency whatsoever.
Or you can go the other direction entirely.
From zero to everything
Configure goose with the Developer extension, Computer Controller, Memory,
and a handful of MCP servers and you have a working replacement for
Claude Code,
Codex,
Gemini CLI,
OpenCode,
or any other similar tool. Same capabilities, no vendor lock-in, and you choose
your own inference provider from over 25 options (at the time of this writing)including
Anthropic,
OpenAI,
Google Gemini,
Groq,
Mistral,
and more. You can run fully local inference via goose's native inference
provider, or offload to Ollama, RamalamaLM Studio, or
Docker Model Runner. The full list
of providers is in the
goose documentation.
If you put this together, you're well on your way to unlocking the full potential
but you're just getting started.
Recipes: reproducible, composable workflows
Where goose gets interesting is its composition model.
Goose Recipes are reusable,
shareable workflow definitions that package together instructions, extensions,
parameters, provider settings, retry logic, and structured response schemas. A
recipe can be as simple as a single prompt with a specific extension configuration.
Alternatively it can be sophisticated, composed of subrecipes where each subrecipe is
effectively another goose agent with its own configuration: its own extensions,
plugins, inference provider, system prompt, and skills.
Subrecipes run in isolated sessions with no shared conversation history, memory,
or state. The main recipe's agent decides when to invoke them, can run them
sequentially or in parallel, and chains their outputs through conversation
context. Compositional agent orchestration without writing a single line of
framework code.
You're not writing an orchestration layer. You're not building a DAG executor.
You're not implementing tool-calling logic. You're writing YAML that describes
what you want done and goose handles the how.
Goosetown: multi-agent orchestration, no framework required
If want to take this all the way to the extreme of a fully autonomous software
factory like the one Steve Yegge outlines in his now infamous blog post,
"Welcome to Gas Town",
and implemented via his Gastown project.
Gastown is a multi-agent workspace
manager for orchestrating Claude Code, GitHub Copilot, Codex, Gemini, and other
AI agents with persistent work tracking. It's a Go application with concepts
like Mayors, Rigs, Polecats, Hooks, Convoys, and Beads. It's a real engineering
effort to coordinate 20-30 agents on a codebase.
You can do exactly that by using goose as the building block. The open source
community did it. They looked at Gastown and re-implemented its core concepts using goose's
native capabilities. The result is
Goosetown. Goosetown is a multi-agent
coordination system that orchestrates "flocks" of AI agents (researchers,
writers, workers, reviewers) to decompose and execute complex tasks. Goosetown
uses goose's subagent delegation, skills system for role-based specialization,
inter-agent communication via a broadcast channel called the "Town Wall," and
multi-model support for adversarial cross-reviews where different LLMs review
each other's work.
If you look at the code, it's just a few flat files, some shell scripts,
some skills markdown, and some agent definitions.
All of this built on top of goose. Not alongside it. Not wrapping it. On it.
Using the primitives goose already provides: skills, subagents, extensions, and
recipes.
Goose as a service
Goose also runs as a daemon, exposing itself to other applications via the
Agent Client Protocol (ACP)
(a standardized JSON-RPC protocol developed by Zed Industries).
ACP does for AI agents what LSP did for language servers. ACP decouples agents
from editors and frontends, so goose can be embedded directly into Zed, JetBrains, Neovim, or
any ACP-compatible environment.
The composability runs both directions. Goose can also consume other ACP
agents as providers, routing its LLM calls through Claude Code, Codex, or
Gemini while keeping its own extension ecosystem and UI. As Adrian Cole wrote
in his blog post
"How to Break Up with Your Agent":
"Pick the UI you like. Pick the agent you like. They don't have to be the
same thing."
This bidirectional composability — goose as a component and goose as an
orchestrator — is what separates it from other agent tools.
Open governance, no vendor lock-in
Goose is fully open source under the leadership of the
Agentic AI Foundation (AAIF), which provides
vendor-neutral governance under the umbrella of the
Linux Foundation. AAIF also hosts the
Model Context Protocol (MCP) itself, so
the standards goose builds on are governed with the same neutrality.
This matters. When you build your workflows on goose, you're building on a
foundation governed by a neutral body with a Governing Board, a Technical
Committee, and a transparent contribution model. This is the same open,
collaborative, and neutral model that made Linux and Kubernetes into reliable
core components of the entire software industry, and it's the same reason I
think it's worth investing time and energy into.
It's no secret I'm an open source nerd, and goose checks all the boxes.
The harness is the thing
We've collectively been on a journey. First it was Prompt Engineering, crafting the right
words to get the right output. Then it was Context Engineering, making sure the
model has the right information at the right time. Now, it seems we've arrived
at the next turn in this adventure we all find ourselves in: Harness Engineering.
Ralph Bean nails this in his blog post
"What Even Is the Harness?".
The harness is the enablement layer. It's everything you add to the agent runtime
that gives you control over your outcomes:
"Harness — the enablement layer. AGENTS.md files, skills, custom tools,
hand-crafted linters, system prompts for task-oriented agents. These are the
things you engineer, iteratively, to increase the chances the agent gets
things right. This is what Birgitta Böckeler calls the user harness and is
where Mitchell Hashimoto's attention lives."
—Ralph Bean
Read that again. The harness is not the agent. The harness is what you add to
the agent. The AGENTS.md files. The skills. The custom MCP tools. The
hand-crafted linters. The system prompts. The recipes and subrecipes. The
extension configurations. The provider choices. The permission policies.
This is where your engineering effort belongs. Not in building the interactive
loop, or implementing tool-calling JSON parsing, or writing context window
management, or building MCP client libraries. Goose already does all of that and
does so with the full backing of the AAIF, the Linux Foundation, and a vibrant
open source community.
In most cases, and I'd argue almost all cases, your job is to build the harness.
The 90% argument
I think for over 90% of use cases where someone is building an
agent today, goose is a better starting point than a blank text editor or a vibe
coding session (are we calling it Agentic Engineering yet?).
If you need a coding assistant, goose does that. If you need a research agent,
configure goose with web scraping extensions and a research-focused recipe or skill.
If you need a CI/CD bot, run goose in daemon mode with ACP or orchestrate it with
scripts/recipes in your CI job runner of choice. If you need multi-agent
orchestration, compose goose instances with subrecipes or build a
Goosetown-style flock. If you need local-only, air-gapped inference, point
goose at Ollama, Ramalama, LM Studio, or its native inference provider. If you
need to integrate with your existing editor, goose speaks ACP natively or you
can set GOOSE_PROMPT_EDITOR
and run the whole flow from inside your editor of choice. If you need vendor-neutral
governance, it's under the Linux Foundation umbrella via AAIF.
The remaining 10%? Those are the genuinely novel agent architectures, the
research projects pushing boundaries, the use cases where you do need to control
every byte of the agent loop. For those, build from scratch. For everything else,
build the harness. I'm not saying you can't build agents from scratch. I'm simply
suggesting that you probably don't need to.
A call to action
If you're a professional technologist or an aspiring AI Engineer, I'd encourage
you to shift your mental model. Stop thinking about building agents. Start
thinking about harnessing them. At this point in the AI hype cycle, the agent
is mature enough to be the commodity. The harness is your competitive advantage.
Install goose. Strip it down to
nothing and build it back up. Write a recipe. Compose some subrecipes. Add
skills. Configure extensions. Point it at different providers. Run it as a
daemon. Embed it in your editor. Build a flock. Engineer the harness.
The hypervisor is an old Fedora install that I first upgraded to Fedora 43.
I used nmcli to remove all connections (I was in via telnet and a serial concentrator) and then added a bridge. I had to figure out which of the interfaces was actually attached to the outside world, which I did by re-creating an ethernet connection, and bringing it up, then deleting the connection. That device becomes the bridge-slave-device.
So, after a bunch of nmcli con del commands to get to a baseline, I ran:
nmcli con add type bridge con-name virbr0 ifname virbr0
nmcli connection modify virbr0 ipv4.method auto
nmcli connection add type bridge-slave ifname enP5p1s0f0np0 master virbr0 con-name enP5p1s0f0np0
nmcli con up virbr0
And this should be enough to recreate.
I also had to create a permission for the bridge-helper to allow connection from userland:
I had to create he directory and then edit the file in :
Edit: I recently wanted to make it so a non-root user can also connect to the network. It looks like I need to add a capability to the bridge helper binary:
This post attempts to explain how Huion tablet devices currently integrate into the desktop stack. I'll touch a bit on the Huion driver and the OpenTablet driver but primarily this explains the intended integration[1]. While I have access to some Huion devices and have seen reports from others, there are likely devices that are slightly different. Huion's vendor ID is also used by other devices (UCLogic and Gaomon) so this applies to those devices as well.
This post was written without AI support, so any errors are organic artisian hand-crafted ones. Enjoy.
The graphics tablet stack
First, a short overview of the ideal graphics tablet stack in current desktops. At the bottom is the physical device which contains a significant amount of firmware. That device provides something resembling the HID protocol over the wire (or bluetooth) to the kernel. The kernel typically handles this via the generic HID drivers [2] and provides us with an /dev/input/event evdev node, ideally one for the pen (and any other tool) and one for the pad (the buttons/rings/wheels/dials on the physical tablet). libinput then interprets the data from these event nodes, passes them on to the compositor which then passes them via Wayland to the client. Here's a simplified illustration of this:
Unlike the X11 api, libinput's API works both per-tablet and per-tool basis. In other words, when you plug in a tablet you get a libinput device that has a tablet tool capability and (optionally) a tablet pad capability. But the tool will only show up once you bring it into proximity. Wacom tools have sufficient identifiers that we can a) know what tool it is and b) get a unique serial number for that particular device. This means you can, if you wanted to, track your physical tool as it is used on multiple devices. No-one [3] does this but it's possible. More interesting is that because of this you can also configure the tools individually, different pressure curves, etc. This was possible with the xf86-input-wacom driver in X but only with some extra configuration, libinput provides/requires this as the default behaviour.
The most prominent case for this is the eraser which is present on virtually all pen-like tools though some will have an eraser at the tail end and others (the numerically vast majority) will have it hardcoded on one of the buttons. Changing to eraser mode will create a new tool (the eraser) and bring it into proximity - that eraser tool is logically separate from the pen tool and can thus be configured differently. [4]
Another effect of this per-tool behaviour is also that we know exactly what a tool can do. If you use two different styli with different capabilities (e.g. one with tilt and 2 buttons, one without tilt and 3 buttons), they will have the right bits set. This requires libwacom - a library that tells us, simply: any tool with id 0x1234 has N buttons and capabilities A, B and C. libwacom is just a bunch of static text files with a C library wrapped around those. Without libwacom, we cannot know what any individual tool can do - the firmware and kernel always expose the capability set of all tools that can be used on any particular tablet. For example: wacom's devices support an airbrush tool so any tablet plugged in will announce the capabilities for an airbrush even though >99% of users will never use an airbrush [5].
The compositor then takes the libinput events, modifies them (e.g. pressure curve handling is done by the compositor) and passes them via the Wayland protocol to the client. That protocol is a pretty close mirror of the libinput API so it works mostly the same. From then on, the rest is up to the application/toolkit.
Notably, libinput is a hardware abstraction layer and conversion of hardware events into others is generally left to the compositor. IOW if you want a button to generate a key event, that's done either in the compositor or in the application/toolkit. But the current versions of libinput and the Wayland protocol do support all hardware features we're currently aware of: the various stylus types (including Wacom's lens cursor and mouse-like "puck" devices) and buttons, rings, wheels/dials, and touchstrips on pads. We even support the rather once-off Dell Canvas Totem device.
Huion devices
Huion's devices are HID compatible which means they "work" out of the box but they come in two different modes, let's call them firmware mode and tablet mode. Each tablet device pretends to be three HID devices on the wire and depending on the mode some of those devices won't send events.
Firmware mode
This is the default mode after plugging the device in. Two of the HID devices exposed look like a tablet stylus and a keyboard. The tablet stylus is usually correct (enough) to work OOTB with the generic kernel drivers, it exports the buttons, pressure, tilt, etc. The buttons and strips/wheels/dials on the tablet are configured to send key events. For example, the Inspiroy 2S I have sends b/i/e/Ctrl+S/space/Ctrl+Alt+z for the buttons and the roller wheel sends Ctrl-/Ctrl= depending on direction. The latter are often interpreted as zoom in/out so hooray, things work OOTB. Other Huion devices have similar bindings, there is quite some overlap but not all devices have exactly the same key assignments for each button. It does of course get a lot more interesting when you want a button to do something different - you need to remap the key event (ideally without messing up your key map lest you need to type an 'e' later).
The userspace part is effectively the same, so here's a simplified illustration of what happens in kernel land:
Any vendor-specific data is discarded by the kernel (but in this mode that HID device doesn't send events anyway).
Tablet mode
If you read a special USB string descriptor from the English language ID, the device switches into tablet mode. Once in tablet mode, the HID tablet stylus and keyboard devices will stop sending events and instead all events from the device are sent via the third HID device which consists of a single vendor-specific report descriptor (read: 11 bytes of "here be magic"). Those bits represent the various features on the device, including the stylus features and all pad features as buttons/wheels/rings/strips (and not key events!). This mode is the one we want to handle the tablet properly. The kernel's hid-uclogic driver switches into tablet mode for supported devices, in userspace you can use e.g. huion-switcher. The device cannot be switched back to firmware mode but will return to firmware mode once unplugged.
Once we have the device in tablet mode, we can get true tablet data and pass it on through our intended desktop stack. Alas, like ogres there are layers.
hid-uclogic and udev-hid-bpf
Historically and thanks in large parts to the now-discontinued digimend project, the hid-uclogic kernel driver did do the switching into tablet mode, followed by report descriptor mangling (inside the kernel) so that the resulting devices can be handled by the generic HID drivers. The more modern approach we are pushing for is to use udev-hid-bpf which is quite a bit easer to develop for. But both do effectively the same thing: they overlay the vendor-specific data with a normal HID report descriptor so that the incoming data can be handled by the generic HID kernel drivers. This will look like this:
Notable here: the stylus and keyboard may still exist and get event nodes but never send events[6] but the uclogic/bpf-enabled device will be proper stylus/pad event nodes that can be handled by libinput (and thus the rest), with raw hardware data where buttons are buttons.
Challenges
Because in true manager speak we don't have problems, just challenges. And oh boy, we collect challenges as if we'd be organising the olypmics.
hid-uclogic and libinput
First and probably most embarrassing is that hid-uclogic has a different way of exposing event nodes than what libinput expects. This is largely my fault for having focused on Wacom devices and internalized their behaviour for long years. The hid-uclogic driver exports the wheels and strips on separate event nodes - libinput doesn't handle this correctly (or at all). That'd be fixable but the compositors also don't really expect this so there's a bit more work involved but the immediate effect is that those wheels/strips will likely be ignored and not work correctly. Buttons and pens work.
udev-hid-bpf and huion-switcher
hid-uclogic being a kernel driver has access to the underlying USB device. The HID-BPF hooks in the kernel currently do not, so we cannot switch the device into tablet mode from a BPF, we need it in tablet mode already. This means a userspace tool (read: huion-switcher) triggered via udev on plug-in and before the udev-hid-bpf udev rules trigger. Not a problem but it's one more moving piece that needs to be present (but boy, does this feel like the unix way...).
Huion's precious product IDs
By far the most annoying part about anything Huion is that until relatively recently (I don't have a date but maybe until 2 years ago) all of Huion's devices shared the same few USB product IDs. For most of these devices we worked around it by matching on device names but there were devices that had the same product id and device name. At some point libwacom and the kernel and huion-switcher had to implement firmware ID extraction and matching so we could differ between devices with the same 0256:006d usb IDs. Luckily this seems to be in the past now with modern devices now getting new PIDs for each individual device. But if you have an older device, expect difficulties and, worse, things to potentially break after firmware updates when/if the firmware identification string changes. udev-hid-bpf (and uclogic) rely on the firmware strings to identify the device correctly.
edit: and of course less than 24h after posting this I process a bug report about two completely different new devices sharing one of the product IDs
udev-hid-bpf and hid-uclogic
Because we have a changeover from the hid-uclogic kernel driver to the udev-hid-bpf files there are rough edges on "where does this device go". The general rule is now: if it's not a shared product ID (see above) it should go into udev-hid-bpf and not the uclogic driver. Easier to maintain, much more fire-and-forget. Devices already supported by udev-hid-bpf will remain there, we won't implement BPFs for those (older) devices, doubly so because of the aforementioned libinput difficulties with some hid-uclogic features.
Reverse engineering required
The newer tablets are always slightly different so we basically need to reverse-engineer each tablet to get it working. That's common enough for any device but we do rely on volunteers to do this. Mind you, the udev-hid-bpf approach is much simpler than doing it in the kernel, much of it is now copy-paste and I've even had quite some success to get e.g. Claude Code to spit out a 90% correct BPF on its first try. At least the advantage of our approach to change the report descriptor means once it's done it's done forever, there is no maintenance required because it's a static array of bytes that doesn't ever change.
Plumbing support into userspace
Because we're abstracting the hardware, userspace needs to be fully plumbed. This was a problem last year for example when we (slowly) got support for relative wheels into libinput, then wayland, then the compositors, then the toolkits to make it available to the applications (of which I think none so far use the wheels). Depending on how fast your distribution moves, this may mean that support is months and years off even when everything has been implemented. On the plus side these new features tend to only appear once every few years. Nonetheless, it's not hard to see why the "just sent Ctrl=, that'll do" approach is preferred by many users over "probably everything will work in 2027, I'm sure".
So, what stylus is this?
A currently unsolved problem is the lack of tool IDs on all Huion tools. We cannot know if the tool used is the two-button + eraser PW600L or the three-button-one-is-an-eraser-button PW600S or the two-button PW550 (I don't know if it's really 2 buttons or 1 button + eraser button). We always had this problem with e.g. the now quite old Wacom Bamboo devices but those pens all had the same functionality so it just didn't matter. It would matter less if the various pens would only work on the device they ship with but it's apparently quite possible to use a 3 button pen on a tablet that shipped with a 2 button pen OOTB. This is not difficult to solve (pretend to support all possible buttons on all tools) but it's frustrating because it removes a bunch of UI niceties that we've had for years - such as the pen settings only showing buttons that actually existed. Anyway, a problem currently in the "how I wish there was time" basket.
Summary
Overall, we are in an ok state but not as good as we are for Wacom devices. The lack of tool IDs is the only thing not fixable without Huion changing the hardware[7]. The delay between a new device release and driver support is really just dependent on one motivated person reverse-engineering it (our BPFs can work across kernel versions and you can literally download them from a successful CI pipeline).
The hid-uclogic split should become less painful over time and the same as the devices with shared USB product IDs age into landfill and even more so if libinput gains support for the separate event nodes for wheels/strips/... (there is currently no plan and I'm somewhat questioning whether anyone really cares). But other than that our main feature gap is really the ability for much more flexible configuration of buttons/wheels/... in all compositors - having that would likely make the requirement for OpenTabletDriver and the Huion tablet disappear.
OpenTabletDriver and Huion's own driver
The final topic here: what about the existing non-kernel drivers?
Both of these are userspace HID input drivers which all use the same approach: read from a /dev/hidraw node, create a uinput device and pass events back. On the plus side this means you can do literally anything that the input subsystem supports, at the cost of a context switch for every input event. Again, a diagram on how this looks like (mostly) below userspace:
Note how the kernel's HID devices are not exercised here at all because we parse the vendor report, create our own custom (separate) uinput device(s) and then basically re-implement the HID to evdev event mapping. This allows for great flexibility (and control, hence the vendor drivers are shipped this way) because any remapping can be done before you hit uinput. I don't immediately know whether OpenTabletDriver switches to firmware mode or maps the tablet mode but architecturally it doesn't make much difference.
From a security perspective: having a userspace driver means you either need to run that driver daemon as root or (in the case of OpenTabletDriver at least) you need to allow uaccess to /dev/uinput, usually via udev rules. Once those are installed, anything can create uinput devices, which is a risk but how much is up for interpretation.
[1] As is so often the case, even the intended state does not necessarily spark joy
[2] Again, we're talking about the intended case here...
[3] fsvo "no-one"
[4] The xf86-input-wacom driver always initialises a separate eraser tool even if you never press that button
[5] For historical reasons those are also multiplexed so getting ABS_Z on a device has different meanings depending on the tool currently in proximity
[6] In our udev-hid-bpf BPFs we hide those devices so you really only get the correct event nodes, I'm not immediately sure what hid-uclogic does
[7] At which point Pandora will once again open the box because most of the stack is not yet ready for non-Wacom tool ids
Sorting a terabyte of data in the late 1990s meant serious hardware, serious
planning, and probably a serious budget approval process. Today you can do it
on a workstation before lunch. I wanted to know how fast, so I wrote
rustbucket to find out.
It’s a two-phase external sort implemented in Rust, built around io_uring,
and named for reasons that should be obvious to anyone who has spent time
with either Rust or storage systems.
Accessibility Conformance Reports basically document how our software measures up against accessibility standards like WCAG and Section 508. Since RHEL 10 is built on GNOME 47, this report is a good look at how our stack handles various accessibility things from screen readers to keyboard navigation.
Getting a desktop environment to meet these requirements is a huge task and it’s only possible because of the work done by our community in projects like: Orca, GTK, Libadwaita, Mutter, GNOME Shell, core apps, etc…
Kudos to everyone in the GNOME project that cares about improving accessibility. We all know there’s a long way to go before desktop computing is fully accessible to everyone, but we are surely working on that.
If you’re curious about the state of accessibility in the 47 release or how these audits work, you can find the full PDF here.
Cloudflare protège efficacement vos services… sauf si votre serveur reste accessible en direct. Dans cet article, on met en place Authenticated Origin Pulls pour garantir que seules les requêtes provenant de Cloudflare peuvent atteindre votre infrastructure, avec deux niveaux de sécurité.
ws: Prevent remote code execution with SSH argument injection [CVE-2026-4631]
Impact
Cockpit’s remote login feature passes user-supplied hostnames and usernames from
the web interface to the SSH client without validation or sanitization.
An attacker with network access to the Cockpit web service can craft a single
HTTP request to the login endpoint that injects malicious SSH options or shell
commands, achieving code execution on the Cockpit host without valid credentials.
The injection occurs during the authentication flow before any credential
verification takes place, meaning no login is required to exploit the vulnerability.
Affected systems
The affected Cockpit versions are Cockpit 326 up to and including Cockpit 359. (cockpit >= 326, cockpit <= 359)
A workaround is disabling LoginTo option in cockpit.conf,
this disables the direct login feature but it is still strongly recommended to upgrade to Cockpit 360.
Acknowledgments
Many thanks to Florian Kohnhäuser for reporting this issue!
After building a custom Qemu, there are a couple ways to run a VM to get to it. The older approach to VM management is to create a block device, run the VM with a boot device, do a full install and log in to the serial console. However, if you run the Qemu/KVM machine from the command lilne, hitting control C will stop your VM, and this is annoying. I have found it worth while to set up networking and then to SSH in to the machine.
My notes here suck. I am going to try and document what I have here working, and, over time, reverse engineer how I got here.
This is the command I use to run my virtual machine. This is on an AmpereOne test machine in my lab. You probably don’t have access to AARCH64 machines at this scale. Maybe someday….
The VM is running based on a cloud image I downloaded from Fedora. To get the Keys in the machine, I started by running it using libvirt and virt-install:
5: virbr0: mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 0c:42:a1:5a:9b:36 brd ff:ff:ff:ff:ff:ff
inet 10.76.112.72/24 brd 10.76.112.255 scope global dynamic noprefixroute virbr0
valid_lft 12409sec preferred_lft 12409sec
inet6 fe80::7098:f305:ad32:181e/64 scope link noprefixroute
valid_lft forever preferred_lft forever
This took a bunch of trial and error to get right. I don’t know how much is specific to my environment, but I do know that the bridge IP address is how I log in to the machine.
Looking at how this is stored in /etc/NetworkManager/system-connections/virbr0.nmconnection
I know I got here by running nmcli commands, but they have long since fallen off my bash history, and I did not write them down.
One thing I can tell by the IP address that my VM gets is that it is talking to the same DHCP server as the Hypervisor.
I recently destroyed my previous VM that had NFS setup. I would like to get that working again, as that allowed me to sync the Kernel between the Hypervisor and the VM. But that is a tale for another day.
Dans cet article, je détaille la migration de mes DNS vers Cloudflare : configuration, mise en place du CDN, gestion des certificats avec Traefik et retour sur les problèmes rencontrés (ACME, SSH, mTLS). Un retour d’expérience concret avec les pièges à éviter.
For a couple of years, Andreas Schneider and I have been working on a project we call the ‘local authentication hub’: an effort to use the Kerberos protocol to track authentication and authorization context for applications, regardless of whether the system they run on is enrolled into a larger organizational domain or is standalone. We aim to reuse the code and experience we got while developing Samba and FreeIPA over the past twenty years.
Local authentication hub
The local authentication hub relies on a Kerberos KDC available on demand on each system. We achieved this by allowing MIT Kerberos to communicate over UNIX domain sockets. On Linux systems, systemd allows processes to be started on demand when someone connects to a UNIX domain socket, and MIT Kerberos 1.22 has support for this mode.
A KDC accessible over a UNIX domain socket is not very useful in itself: it is only available within the context of a single machine (or a single container, or pod, if UNIX domain sockets are shared across multiple containers). Otherwise, it is a fully featured KDC with its own quirks. And we can start looking at what could be improved based on the enhanced context locality we have achieved. For example, a KDB driver can see host-specific network interfaces and thus be able to react to requests such as host/<ip.ad.dr.ess>@LOCALKDC-REALM dynamically—something that a centrally-managed KDC would only do through statically registered service principal names (SPNs), which are a pain to update as machines move across networks.
Adding support for dynamic features means new code needs to be written. MIT Kerberos is written in C, so our choices are either to continue writing in C or to integrate with whatever new language we choose. Initially, we kept the local KDC database driver written in C and decided to build the infrastructure we need in Rust. The end goal is to have most bits written in Rust.
The local KDC database isn’t supposed to handle millions of principal entries, but even for millions of them, MIT Kerberos has a pretty good default database driver built on LMDB: klmdb. We wanted to get out of the data store business and instead focus on higher-level logic. Thus, we made the same change I made in Samba around 2003 for virtual file system modules: we introduced support for stackable KDB drivers. This is also a part of the MIT Kerberos 1.22 release: a KDB driver implementation can ask the KDC to load a different KDB driver and choose to delegate some requests to it. The local KDC driver is using klmdb for that purpose.
With the database handled for us by klmdb, we focused on the local KDC-specific logic. We wanted to dynamically discover user principals from the operating system so that administrators do not need to maintain separate databases for them. systemd provides a userdb API to query such information over a varlink interface (also available over a UNIX domain socket) in a structured way, using JSON format. Thus, the Kirmes project was born. Kirmes is a Rust data library backed by the userdb API. It handles varlink communication through the wonderful Zlink library and exposes both asynchronous and synchronous access to user and group information.
The local KDC database driver prototype used the Kirmes C API. We demonstrated it at FOSDEM 2025: a user lookup is done over varlink, and if a user is present on the system, their Kerberos key is then looked up in klmdb using a specially-formatted userdb:<username> principal. You still need to handle those keys somehow, but there is a way to avoid that: use RADIUS.
Pre-authentication
A bit of historical reference. In 2012, Red Hat collaborated with MIT to introduce a KDC-side implementation of RFC 6560 (the OTP pre-authentication mechanism; at that point implemented in a proprietary solution by the RSA corporation). This mechanism allowed the KDC to get a hint out of a KDB driver and ask a RADIUS server to authenticate the credentials provided by the Kerberos client. Unlike traditional Kerberos symmetric keys, in this case, the client is sending a plain-text credential over the Kerberos protocol, and this credential can be forwarded to the RADIUS server. The plain-text nature of the RADIUS credential requires the use of a secure communication channel, and a good part of RFC 6560 relies on Flexible Authentication Secure Tunneling (FAST, RFC6113), where a pre-existing Kerberos ticket is used to encrypt the content of that tunnel.
Since ~2013, FreeIPA has used this mechanism to provide multi-factor authentication mechanisms: HOTP/TOTP tokens, RADIUS proxying to remote servers, the OAuth2 device authorization grant flow, and FIDO2 tokens. The list of mechanisms can be extended, as long as the model fits into the somewhat constrained Kerberos exchange flow. FreeIPA handles all communication from the KDC side via a local UNIX domain socket-activated daemon, ipa-otpd, which performs a user principal lookup and then decides on the details of how that user will be authenticated.
For the local KDC case, we used a similar approach but wrote a simplified version, localkdc-pam-auth, which uses PAM to authenticate user credentials. It works well and allows for a drop-in replacement: once the local KDC is set up, users defined on the system will automatically be able to receive Kerberos tickets, with no need to change any passwords or migrate their credentials into the Kerberos KDC. All we need now is the business logic to guide the KDC to use the OTP pre-authentication mechanism so that our RADIUS ‘proxy’ (localkdc-pam-auth) gets activated. This logic is implemented and will be available in the first localkdc release soon.
API bindings
But back to the KDC side. As mentioned above, our goal was to write the local KDC database driver in a modern, safe language. Interfacing Rust with the MIT Kerberos KDC means building an interface that allows aligning code on both sides. This is what this blog is actually about (sorry for the long prelude…): how to make an MIT Kerberos KDB driver in Rust.
Today I published Kurbu5, a project that aims to provide these API bindings to Rust. The name is a transliteration of “krb5” into Mesopotamian cuneiform phonology: Kurbu-ḫamšat-qaqqadī—”The Blessed Five-Headed One”.
Creating API bindings is tedious work: there are many interfaces, each representing multiple functions and structures. MIT Kerberos has 12 interfaces which altogether expose roughly 117 methods that plugin authors implement, backed by around 70 supporting types (data structures passed into and out of those methods). It all sounds like a Tolkien tale: nine interfaces for core Kerberos functionality (checking password quality, mapping hostnames to Kerberos realms, mapping Kerberos principals to local accounts, selecting which credential cache to use, handling pre-authentication on both the client and server side, enforcing KDC policy, authorizing PKINIT certificates, and auditing events on the KDC side), the database backend interface, and two administrative interfaces. This is something that could be automated with agentic workflows—which I did to allow a parallel porting effort. The resulting agent instructions are useful artifacts in themselves: they show how to work when porting MIT Kerberos C code to Rust.
The result is split over several Rust crates to allow targeted reuse. The bulk of the code lives in three crates. The core Kerberos plugin crate (kurbu5-rs) is the largest at around 12,600 lines. The database backend crate (kurbu5-kdb-rs) follows at 5,600 lines, and the administration crate (kurbu5-kadm5-rs) at 3,100 lines. The remaining crates—the proc-macro derives and the raw FFI sys crates—are much smaller, with the sys crates being almost trivially thin (the KDB and kadm5 ones are under 40 lines each, since they mostly just re-export bindings from the main sys crate).
All crates are available on crates.io and share the same MIT license as the original MIT Kerberos.
kurbu5-sys — Raw FFI bindings to the MIT Kerberos libkrb5 and KDB plugin API
kurbu5-derive — Proc-macro derives for kurbu5-rs non-KDB plugin interfaces
kurbu5-rs — Safe, idiomatic Rust API for writing MIT Kerberos non-KDB plugin modules
kurbu5-kdb-sys — KDB plugin API re-export — thin wrapper over kurbu5-sys adding libkdb5 linkage
kurbu5-kdb-derive — Proc-macro derive for kurbu5-kdb-rs KDB driver plugins
kurbu5-kdb-rs — Safe, idiomatic Rust API for writing MIT Kerberos KDB driver plugins
kurbu5-kadm5-sys — KADM5 plugin API bindings — links libkadm5srv_mit and re-exports kurbu5-sys types
kurbu5-kadm5-derive — Proc-macro derives for kurbu5-kadm5-rs KADM5_AUTH and KADM5_HOOK plugin interfaces
kurbu5-kadm5-rs — Safe, idiomatic Rust API for writing MIT Kerberos KADM5_AUTH and KADM5_HOOK plugin modules
In the localkdc project, we use kurbu5 to build a KDB driver and provide our audit plugin. We also have an experimental re-implementation of the OTP pre-authentication mechanism, both client and KDC sides, that was used to test interoperability with MIT Kerberos versions. The core of the KDB driver is ~520 lines of heavily documented Rust code, mostly handling business logic.
In order to perform test driven development, you need a way to drive your code that can isolate behavior. Linux Kernel drivers that communicate with hardware devices can be hard to test: you might not have access to the hardware from your test systems, or the hardware may be flakey. I have such a set of issues with the Platform Communication Channel (PCC) drivers I am working with.
My primary work has been with a network driver that only exists on the newest hardware. However, I also need to be able to handle some drivers that would only work against old hardware. There are also PCC based drivers for hardware that my company does not support or have access to. I might want to make a test to ensure that changes to the Linux Kernel PCC driver does not change its behavior against these drivers. There exists no system where all of these drivers would be supported. But I can build one with Qemu.
The Qemu based driver might not completely simulate the hardware exactly as implemented, and that is OK: I want to be able to do things with Qemu I cannot do with current hardware. For example, the MCTP-over-PCC driver should be able to handle a wide array of messages, but the hardware I have access to only supports a very limited subset of message types.
I want this code to run on Aarch64 (ARM64) natively. That means that I run the machine specified in hw/arm/virt.c. Thus, the first line of my run script is:
../qemu/build/qemu-system-aarch64 -machine virt \
The device itself lives in hw/arm/pcc.c. It was originally called mctp-pcc.c, but I soon realized that there was no reason to make it MCTP specific. While the code is testing type 3/4 devices, I suspect it would work fine for a type 2 or other driver with a minimum of changes.
Every device has to hang off a bus. Thus I started by creating a device like this article suggests: off the system bus: SysBusDevice parent_obj; This differs from some of the other examples out there where you are create, say a PCIe device, as there is a way to dynamically load PCIe devices: you cannot dynamically load SysBus devices, at least not in the default AARCH64 Qemu virt machine. Thus, I have to modify the virt.c code to add in my device.
ACPI Tables
I had to generate two new ACPI Tables: Secondary System Descriptor Table (SSDT) and and Platform Communication Channel (PCCT.) These tables are gnenerated from a vall in virt.c to create_pcc_devices. This function probably should be moved to a pcc specific file so it could potentially be shared by other virtual machine types, but for now it co-exists in virt.c as well. For now it is hard coded to only build the one device. This is obviosuly not going to scale. I will talk about how to improve this at the end of the article.
The bulk of the code in the driver is for generating the entries for the PCCT. The data in the PCCT has the address of the shared memory registers and data buffer, and the IRQ ID used to communicate between the OS and the platform. THe information is stored in a structure called PcctExtMemSubtable, which will then be written to the PCCT using ACPI primitives. This structure is filled during the device realise function mctp_pcc_realize.
The SSDT is a bit more free form, and does not have a structure to support it, but probably should. Right now I am just writing the direct primitives for the entry.
Memory Mapped IO
Both the outbox and inbox channels are mapped to single, contiguous block of memory. When reads or writes happen, Qemu forwards them to custom functions. I can then use the memory offset to identify if this a register or if it is the shared buffer. One of these memory offsets is the doorbell, and is used to implement the IRQ processing.
Each machine type in Qemu has a memory map table. In virt.c it is called
static const MemMapEntry base_memmap[] = {...
I found a space in the middle of the table that was unclaimed and use it for both of the channels of the PCCT: the code looks like this:
[VIRT_MMIO] = { 0x0a000000, 0x00000200 },
/* ...repeating for a total of NUM_VIRTIO_TRANSPORTS, each of that size */
[VIRT_PCC] = { 0x0a008000, 0x00008000 },
[VIRT_PLATFORM_BUS] = { 0x0c000000, 0x02000000 },
There is enough room between VIRT_PCC and VIRT_PLATFORM_BUS for multiple PCC entries. NUM_VIRTIO_TRANSPORTS is set to 32 (0x20). Multipltied by 0x200 = 0x0a004000 there is still plenty of room beyond the end of that and 0x0a008000.
Mapping IRQs
Just as the machine has a mapping for memory mappied IO, the machine has a table for IRQs. For virt.c this table is defined as
Since NUM_SMMU_IRQS is defined as 4, we have enough room for 2 IRQs at 80.
The ARM64 Virtual machine uses a GIC. IT has an internal offset, so ID 1 inside Qemu because IRQ 33 inside the linux virtual machine. Thus the actual mapping takes place inside create_pcc_devices:
The outbox is designed to be triggered from the OS, and then to trigger it back once a message has been processed. The inbox is for sending messages to the OS.
One thing that is not well done yet is that these numbers are not then communicated to the Device: right now we you magic constants to keep them in sync. This is something to improve in the future.
Flattened Device Tree
Qemu has a standard way to represnt all hardware devices. Even though ACPI can play this role in a physical machine, Qemu goes with the more uniform FLattened Device Tree. Thus, for each device we create, we need to create a FDT entry. This includes knowing about the interrupts assigned.
When an interrupt comes from the OS to Qemu, I copy the contents of the shared buffer to a file in /tmp/pcc/outbox. I have written a program called PCCD which runs as an external process. PCCD uses Inotify to identify that a new file has been written and closed, and will then process the file. PCCD responds by posting a message to an inbox directory. Qemu also uses Inotify to identify that there is a new message, and stores it in the shared buffer. It then triggers an IRQ in the OS which tells the OS that there is a message to read. All files names are generated from timestamps.
Testing the system
I was able to reuse a shell script I had written for the MCTP over PCC driver to send messages to the Kernel. I copied this inside the VM. This is essentially the same test as I use to test the physical hardware implementation. However, now I can extend it to run messages that the Hardware does not implement. TO do this, I can implement the messages in PCCD.
Future Improvements
The PCCT itself could be thought of as a type of bus. It may make sense to create a new Bus Type to support it and the devices that hang off it. That would allow a way to scope in PCC specific behavior.
There is a mechanism to create DSDT entries for ACPI device interfaces. It loops through all the devices on a Bus and checks to see if the device implements the AcpiDeviceIf interface. If it does, it adds a couple functions to the device. While our devices are ACPI devices, we do not need those functions. Instead, we can take the pattern and create a PCC interface that allows the device to define its own values.
This interface could be hung off of the SystemBus, but then we need to enumerate each SystemBusDevice to see if it has this interface.
Both options seem viable.
The benefit to going with the PCCBus is we should be able to then make the devices loadable at run time via command line parameters. To do that with SystemBus would require a change to virt.c that might not be acceptable.
And I need a struct for the SSDT.
A huge Thank You to Greg Rose for his support and mentorship on this project.
This post discusses tools reluctantly written with AI assistance. If you don’t entertain
using them under any circumstance, and think even reading about them legally compromise
your ability to reimplement them yourselves, stop reading now
This is a follow-up to the original Sandogasa announcement. Before I ended up fedora-cve-triage to extract library crates and reuse them in the other Sandogasa tools, I already created two tools for managing CentOS Hyperscale SIG workflows, hs-intake and hs-relmon. It simply makes sense to also merge them back in and deduplicate functionalities.
This is an independent, censorship-resistant site run by volunteers. This site and the blogs of individual volunteers are not officially affiliated with or endorsed by the Fedora Project.
Poland. The Session is one of the oldest and biggest FLOSS-focused conferences in Poland. The event was organized by 
”
︎
comments? additions? reactions?
As always, comment on the fediverse: https://fosstodon.org/@nirik/116630715953443762