We Make Fedora

Fedora Community Blog: F44 Election Results

Sat, 13 Jun 2026 16:16:29 +0000

The F44 election cycle has concluded. Below are the results. We are posting the results early this year as we are currently on the eve of Flock to Fedora 2026 and the results were ready. Thank you to all candidates and voters, and congratulations to the newly elected members!

Results

Council

Two Council seats were open this election. A total of 204 voters participated in this election.

# votes	Candidate
958	Miro Hrončok
788	Aleksandra Fedorova
744	Fabio Valentini
637	Tomáš Hrčka
509	Vít Smolík
451	Akashdeep Dhar
337	Hristo Marinov

FESCo

Five FESCo seats were open this election. A total of 199 voters participated in this election

# votes	Candidate
771	Neal Gompa
700	Fabio Valentini
662	Michel Lind
604	Maxwell G
549	Simon de Vlieger
537	Adam Miller

Mindshare

Four Mindshare seats were open this election. A total of 154 voters participated in this election.

# votes	Candidate
419	Samyak Jain
396	Akashdeep Dhar
395	Luis Bazan
351	Mat H (Mat Holmes)
214	Kenz S (Makenzie Stewart)

EPEL Steering Committee

Four EPEL Steering Committee seats were open this election. As the amount of interviews submitted equaled the number of open seats, candidates who interviewed were automatically elected.

# votes	Candidate
Automatically Elected	Carl George
Automatically Elected	Diego Herrera
Automatically Elected	Jonathan Wright
Automatically Elected	Troy Dawson

The post F44 Election Results appeared first on Fedora Community Blog.

Tomasz Torcz: Small TLS settings modernization

Wed, 10 Jun 2026 11:48:25 +0000

Some time has passed since I've tightened TLS settings on my home server. Let's move it a notch higher, this time including home k3s cluster.

Use ECC certificates

In 2026, using elliptic curves cryptography certificates should be the norm. Fortunately, automatically obtaining them is easy. I'm using cert-manager for kubernetes ingresses. Switching to ECC is a just a matter of adding an algorithm annotation on Ingress:

annotations:
  cert-manager.io/cluster-issuer: "zerossl-production"
  cert-manager.io/private-key-algorithm: "ECDSA"

and removing the secret containing old cert and key.

Small caveat: FreeIPA still lags. While it supports ACME protocol, ECC through it is not possible, yet. I've left my internal domains with RSA certificates.

For the main server, I refresh certificates using small Ruby script. I had the change RSA.new(3072) to an EC key generation, rest happened automatically:

certificate_private_key = OpenSSL::PKey::EC.generate('prime256v1')
csr = Acme::Client::CertificateRequest.new(private_key: certificate_private_key, names: PIPEBREAKER_DOMAINS)

Use TLSv1.3 only

Last time I've limited support of Transport Layer Security to versions 1.2 and 1.3. Today, let's allow the latest only. I don't care about supporting Windows 7-era clients (years out of support).

Ingress on k3s is handled by Traefik. Simplest way to influence its config is by creating a global (named default) TLS configuration option:

apiVersion: traefik.io/v1alpha1
kind: TLSOption
metadata:
  name: default
  namespace: kube-system
spec:
  minVersion: VersionTLS13

That's all!

Change to nginx configuration on the main server is minimal, too. Version 1.2 is removed from the list, leaving only 1.3:

ssl_protocols TLSv1.3;

I have to tune Postfix and few other services TLS settings later.

065/100 of #100DaysToOffload

Fedora Community Blog: Onboarding a Forgejo-hosted project to Fedora Konflux

Tue, 09 Jun 2026 09:08:39 +0000

We, the Forge team, recently onboarded a Codeberg-hosted repo to the new Fedora Konflux instance.
This is a guide based on the onboarding experience, the steps and UI are similar in Fedora’s Forge.

Useful links

Konflux UI: https://konflux-ci.fedoraproject.org
Documentation: https://konflux-ci.dev/docs/
Cluster Console: https://console-openshift-console.apps.kflux-fedora-01.84db.p1.openshiftapps.com
Cluster API (for oc login): https://api.kflux-fedora-01.84db.p1.openshiftapps.com:6443

Step 1: Get access to the tenants-config GitLab repo

Konflux configuration is managed through GitOps in the
tenants-config
repo on GitLab. The UI is intended to be read-only — you should do everything through merge requests.

Sign in via SAML SSO at https://gitlab.com/groups/fedora/-/saml/sso to get
group membership.
Make sure you have at least a Guest role. Guest lets you approve MRs
but not merge them. Ask a maintainer to bump your role if needed.
Get yourself added to CODEOWNERS for your tenant’s directory
Example MR.

Step 2: Create your tenant namespace

Follow the instructions in the
tenants-config repo:

Run the create-tenant-resources playbook. It generates the namespace, RBAC
and quota resources.

You end up with three files:

ns.yaml — the namespace with a konflux-ci.dev/type: tenant label
rbac.yaml — a RoleBinding granting konflux-admin-user-actions to your FAS
user
kustomization.yaml — ties together the quota, RBAC, namespace and your
applications directory. Quota can be increased later.

Then run the update-tenant-apps playbook to generate an ArgoCD application
manifest per tenant directory and update the ArgoCD kustomization.

Example MR.

Step 3: Define your Applications and Components

This is where you tell Konflux what to build. We went with a Kustomize
Configuration-as-Code setup with three layers:

A shared base — a generic Component template with the git URL, provider
annotations (git-provider: forgejo, git-provider-url: https://codeberg.org),
pipeline config and the build.appstudio.openshift.io/request: configure-pac
annotation.
Per-application bases — an Application CR plus per-variant overrides (e.g.
rawhide vs. stable).
Per-environment overlays (staging/production) — patches for application names,
component names, context paths and Dockerfile paths.

Open a merge request with everything
Example MR.

Step 4: Add ImageRepository resources

Each Component needs a matching ImageRepository CR. If you don’t have one, the image controller
never provisions a Quay repo, spec.containerImage stays empty on the
Component, and the build service just sits there waiting. No webhook, no PaC PR,
nothing happens.

Example ImageRepository:

apiVersion: appstudio.redhat.com/v1alpha1
kind: ImageRepository
metadata:
  name: forge-rawhide-production
  namespace: fedora-infra-tenant
  annotations:
    image-controller.appstudio.redhat.com/update-component-image: "true"
  labels:
    appstudio.redhat.com/application: forge-production
    appstudio.redhat.com/component: forge-rawhide-production
spec:
  image:
    name: fedora-infra-tenant/forge-rawhide-production
    visibility: public

The update-component-image: "true" annotation is what tells the image
controller to write the Quay URL back to spec.containerImage on the Component.

Example MR. Do not merge yet.

Step 5: Create the SCM secret

Konflux needs a secret to authenticate with your Forgejo/Codeberg instance:

oc create secret generic pipelines-as-code-codeberg 
  -n {namespace} 
  --type=kubernetes.io/basic-auth 
  --from-literal=password={FORGEJO_TOKEN}

oc label secret pipelines-as-code-codeberg -n {namespace} 
  appstudio.redhat.com/credentials=scm 
  appstudio.redhat.com/scm.host=codeberg.org

The Konflux docs
say you need these token scopes:

issue: Read and Write
organization: Read
repository: Read and Write
user: Read

Don’t restrict the token to a specific repo — scopes like write:user aren’t
available with repo-scoped tokens on Forgejo. If you set the right scopes and
it still complains about insufficient permissions, try a token with everything
enabled.

Step 6: Merge and verify

With the secret in place, merge your MR. ArgoCD picks it up and syncs the
resources. Wait a few minutes, then check:

# Did containerImage get set?
oc get components -n {namespace} 
  -o custom-columns='NAME:.metadata.name,IMAGE:.spec.containerImage'

# Are the ImageRepositories ready?
oc get imagerepositories -n {namespace} 
  -o custom-columns='NAME:.metadata.name,STATE:.status.state'

# What does the PaC status say?
oc get components -n {namespace} 
  -o custom-columns='NAME:.metadata.name,STATUS:.metadata.annotations.build.appstudio.openshift.io/status'

If spec.containerImage is filled in and the status shows "state":"enabled",
you’re good.

Step 7: Handle the PaC pull requests

At this point Konflux opens PRs on your source repo with auto-generated Tekton
pipeline files in .tekton/. Two ways to go:

Merge them as-is if you’re happy with Konflux’s defaults.
Close them and use your own pipelines. If you already have .tekton/ files,
update them with:
application/component labels matching your Konflux component names
output-image pointing to quay.io/redhat-user-workloads/{namespace}/{component}
latest task bundle versions (grab the @sha256:... refs from the
Konflux-generated files)
serviceAccountName: build-pipeline-{component}

We went with the second option. We already had pipelines with custom version
tagging that we wanted to keep, so we pulled in the new task bundles and labels
from the generated files and left the rest alone.

Step 8: Re-triggering when things go wrong

The configure-pac annotation gets consumed on the first attempt. If it fails
(token issue, rate limit, whatever), you need to re-add it:

# One component
oc annotate component {component} -n {namespace} 
  build.appstudio.openshift.io/request=configure-pac --overwrite

# All of them
for comp in $(oc get components -n {namespace} -o name); do
  oc annotate $comp -n {namespace} 
    build.appstudio.openshift.io/request=configure-pac --overwrite
done

To sum it up, we created a tenant on Konflux-ci cluster, created applications and components and set a place where the images would be hosted. At the event of push to the codeberg repo main branch – the repo where we store the Forge Containerfiles, the pipeline gets triggered (scoped by the on-cel-expression to only those contexts where the change happened) and a fresh and tagged image appears on quay, ready for further testing and deployment.

Thanks to the Konflux Team for the Forgejo support!

The post Onboarding a Forgejo-hosted project to Fedora Konflux appeared first on Fedora Community Blog.

Michael Catanzaro: Please Do Not Ban AI-Assisted Issue Reports

Mon, 08 Jun 2026 21:30:42 +0000

Many GNOME projects have adopted a policy banning all contributions generated by LLMs. This policy was originally developed by Sophie for Loupe, but is now used in many other notable places:

This project does not allow contributions generated by large languages models (LLMs) and chatbots. This ban includes, but is not limited to, tools like ChatGPT, Claude, Copilot, DeepSeek, and Devin AI. We are taking these steps as precaution due to the potential negative influence of AI generated content on quality, as well as likely copyright violations.

This ban of AI generated content applies to all parts of the projects, including, but not limited to, code, documentation, issues, and artworks. An exception applies for purely translating texts for issues and comments to English.

AI tools can be used to answer questions and find information. However, we encourage contributors to avoid them in favor of using existing documentation and our chats and forums. Since AI generated information is frequently misleading or false, we cannot supply support on anything referencing AI output.

I won’t attempt to argue that you should allow use of AI for writing code. If you wish to ban LLM-generated code, fine. That’s probably inadvisable, but I am not going to object.

But this policy is far stricter than that. Notably, it strictly prohibits AI-generated content in issue reports (except to translate text). Don’t do this! Prohibiting bug reports is stupid and just makes your software worse. Please make sure your project’s AI policy allows for at least AI-generated static analysis results and AI-generated vulnerability reports. Otherwise, you prohibit entirely unobjectionable problem reports.

It’s hard to imagine what could possibly be the value of prohibiting valid bug reports. AI-generated static analysis works well: the AI is able to think about your code, follow execution paths, and automatically discard most false positives to avoid bothering you with them, and the quality of reports is generally pretty high. They are far from perfect, but the same is true of humans.

Here is a typical example of an AI-generated static analysis finding:

2. Resource leak in update_credentials_cb on gnutls_credentials_set failure

  File: tls/gnutls/gtlsconnection-gnutls.c:169-172

  When gnutls_credentials_set() fails, the function returns without calling g_gnutls_certificate_credentials_unref(credentials). The credentials was either freshly allocated or ref-bumped, so it leaks.

Pasting this into an issue report clearly violates the ban on AI-generated content. And yet, why would you not want to receive a clear and concrete bug report for memory leak?

I understand not all maintainers are fond of AI, but is your dislike really so extreme that you would choose to ignore valid problems and intentionally make your software worse? If not, then your AI policy should thoughtfully consider how to handle AI-generated content in issue reports. Certainly do not adopt a policy that outright bans all AI-generated content in issue reports.

As an issue reporter, you could theoretically take the problem found by the AI and rephrase all the words, then claim that it is no longer AI-generated content because it is rewritten. This is a waste of time and usually results in a lower-quality, less-detailed result, but you could plausibly do that. Or, if you want to go above and beyond, you could just jump ahead to creating a merge request. But realistically, if your project does not allow any use of AI in issue reports, it’s more likely that either (a) you won’t receive the issue report in the first place, or (b) you won’t receive such issue reports from experienced developers who read and respect your policy, while users who do not read your policy will continue to submit them.

What about security vulnerability reports? Since the start of this year, I have reviewed well over 100 vulnerability reports that I strongly suspect were generated by AI. To reach the “over 100” claim, I sadly only considered vulnerability reports submitted during a particularly heavy four week period, so this is an extremely loose lower bound. Suffice to say, I have seen a lot of them. The quality varies dramatically. Vulnerability reports are now often better or worse than before: better because an experienced human working with a good AI is able to find vulnerabilities that would have surely gone unnoticed without AI, and worse because an inexperienced human with a bad AI might create some pretty terrible issue reports, a significant proportion of which are just outright spam. Low-quality reports remain a problem, but nowadays most AI-generated issue reports are quite good.

Maintainers do not need to tolerate spammy vulnerability reports. If an issue report is bad, of course go ahead and close it. If it’s really bad, then I sometimes don’t even bother replying. But banning good vulnerability reports solely because some portion of the report was generated by AI is unacceptable. AI-assisted vulnerability reports are the new industry standard, and this is not likely to change. Prohibiting issue reports reduces the quality and safety of your software, punishing your users. This is too extreme.

Rajeesh K Nambiar: RIT Unny open source font

Mon, 08 Jun 2026 11:14:05 +0000

E.P. Unny is a notable Indian political cartoonist, who worked/works with famed Shankar’s Weekly and new papers such as The Hindu and Indian Express.

Since 2020, all his cartoons (also 2025, 2026 so far) are published — every week — open-access by Sayahna Foundation.

Unny was using a font based on his handwriting style for the cartoons, designed by K.H. Hussain of Rachana. Recently, a new font designed by Varshini KVSS & ‘Kandam Collective’ is developed by Rachana Institute of Typography to use in the cartoons, and it is released as open source — see the specimen and download links.

The character set of the font is Latin only. There are plenty of alternate glyphs (for upper case and lower cases of i, j, l, g, etc. — for instance check the double ‘l’ in ‘Intelligence’ on the specimen above). Such characters are rendered alternately to give a feel of the randomness that handwriting evokes.

The source (and issue tracking) are available at RIT fonts repository.

Dennis Gilmore: Accessing serial consoles on SBC’s

Sun, 07 Jun 2026 20:42:39 +0000

I have a bunch of different ARM SBCs, some Raspberry Pis, some Rockchip based, and some others. Some of them I have in 1U rack mount cases. Some in cases that I have 3d printed. They have all had a common issue. When something goes wrong, I need to unplug them, move them to my desk, and connect them to my desktop via a USB to tty adaptor. Aside from being inconvenient, it also meant I had to be home to debug what was happening.

I figured there had to be a better way. In the end, I used Claude to help me write a solution. What I came up with is a project to make an ESP32 Web Terminal. Using an ESP32 wired to the UART on the SBCs, I can securely access the serial console of my devices. I have used a couple of different ESP32 devices, from a USD$3 ESP32 C3 Mini to a USD$8 XIAO ESP32S3. all of which work well. For the Raspberry Pis, I purchased some premade JST SH1.0 mm 3 Pin Wire connector cables to plug into the uart port, and for other devices, I made some custom cables with 2.54 mm Dupont crimp pin connectors.

I have most of my SBC’s powered by PoE. In the pictured example, I soldered some headers onto the PCB for the PoE hat to use to provide a 5V power source to the ESP32, and it all runs self-contained in the rack-mount unit. I do want to work on making the connections a little neater and the housing better. But for now, this is functional. While the software on the ESP allows resetting the SBC and controlling the power, I do not currently have that wired up.

As for provisioning the ESPs, I run FreeIPA at home for authentication, and I have dogtag set up as a CA. When I have wired up and flashed a new board, it initially runs as an access point I connect to in order to set up my home network. Once it is connected to my network, I run an Ansible playbook to create and upload SSL certificates signed by my CA and change the admin password. That way, I can connect without any SSL warnings and use a known non-default password to log in. So far, I am quite happy with how they have performed. I still have some things I want to make better, and I also want to finish testing a setup where I connect to an SBC that exposes its serial port over USB. In theory, it should work with ESP32S3, I just need to test.

While it has added quite a few more devices to my network, it is useful to be able to access and debug what is happening without having to move devices and plug them into another computer. I have considered options for externally powering the ESPs and the best ways to connect the ESPs to the SBCs. I would like to at least be more robust with a 3d printed enclosure for the ESP. Each unit has cost me between USD$5 and USD$12, and each has acceptable performance. I have intentionally stuck to using small ESP’s, though it would work well with bigger devices also. Powering each through a shared power source would require additional circuitry to isolate them and prevent voltage leaks.

Kevin Fenzi: misc fedora bits first week of june 2026

Sat, 06 Jun 2026 17:56:41 +0000

Another busy week for me. Lots of little things all over the place.

mass update/reboots

We got everything updated and rebooted and cleaned up any messes from that (at least as far as I know). We did firmware updates on servers this time, and those always cause things to take much longer. Instead of a 'quick' 5m reboot of a server, it's more 20-25m to apply all the firmware updates and reboot a bunch of times. Ah well, it's good to be up to date.

We did have one arm server fail to come up after reboot. ;( It has a memory error, so we are having datacenter folks reseat all the memory (this happened once before and that cleared it up).

Some old long running tickets

I was able to try and move some old long running tickets over the finish line this week:

systemd-boot signing. This is all setup, but needs to be tweaked in the package and tested. Note that this is a self signed cert, but it will still hopefully help folks using systemd-boot.
Looked over a bunch of work from Stephen Gallagher to fix some dist-git repos that have commits that break git fsck. I hope I can finish this up early next week.

And a few new things

Got the drm-panic 'application' deployed. (I just deployed, the change owner did all the heavy lifting).
Setup a pagure-stg-ro01 machine to test a 'readonly' pagure instance.
Got koji upgraded to 1.36.0.
Got all koji builders, hubs and kojipkgs moved to fedora 44
Moved all our proxies to fedora 44
Moved all our compose hosts to fedora 44
Fixed some openshift apps that were still pulling from docker hub (and getting rate limited). I even moved greenwave to using a hummingbird memcached container. Works great!

flock

Flock is coming up fast now. I will be traveling to it starting next thursday. So expect me to be largely offline thursday and friday, and then only sporadically online while I am at flock.

Really looking forward to meeting up with folks and getting that good flock infusion of energy.

As always, comment on the fediverse: https://fosstodon.org/@nirik/116704516544974008

Fedora Community Blog: Community Update – Week 23 2026

Fri, 05 Jun 2026 10:00:00 +0000

This is a report created by CLE Team, which is a team containing community members working in various Fedora groups for example Infrastructure, Release Engineering, Quality etc. This team is also moving forward some initiatives inside Fedora project.

Week: 01 – 05 June 2026

Fedora Infrastructure

This team is taking care of day to day business regarding Fedora Infrastructure.
It’s responsible for services running in Fedora infrastructure.
Ticket tracker

Devise the flagging of inactive badges as a boolean column [Triaged]
feat: add legacy boolean column to badges [Approved]
Add unit tests for _serve_frontend path traversal safety [Suggested]
Add (or modify) methods to filter/modify the legacy status [Triaged] [Followup]
Moved fedora-badges to badges-assets [Repository] [Followup]
Mark the Pagure’s Fedora Badges repository as OBSOLETE [Commit] [Followup]
Revamp Fedora Badges Project (into develop) [Merged]
Port the project management aspect from Poetry to UV [Triaged A] [Triaged B]
Refreshed the Fedora Badges staging deployment [Resource]
Update badge rarity calculation [Reviewed] [Followup]
Modularize the dbapi module while retaining the references [Followup]
feat: normalize tags into separate tables [Review A] [Review B]
Readme.md file update [Closed] [Followup]
Update badge rarity calculation [Review A] [Review B]
rhel10 migration: tang servers
rhel10 migration: memcached instances
nftables cleanup, and table rename
discover why proxy11 struggles with restarting apache

CentOS Infra including CentOS CI

This team is taking care of day to day business regarding CentOS Infrastructure and CentOS Stream Infrastructure.
It’s responsible for services running in CentOS Infrastructure and CentOS Stream.
CentOS ticket tracker
CentOS Stream ticket tracker

RISC-V

This is the summary of the work done regarding the RISC-V architecture in Fedora.

F44: core rebuild is completed. Image generation and repo-creation needs some work. ‘omni’ kernels are being built and ‘kiwi descriptions’ (required for image generation) needs some RISC-V specific patching. We’re short on resources , so this delay is expected.
Conferences preparation:
- Prep for RISC-V Summit, meetings with hardware vendors, upstream meetings, and RISE
- Prepare updated material for Flock RISC-V update
[Hardware] We have one of the newest RVA23 boards (SpacemiT K3) in Fedora RISC-V Koji.
- Thanks to Jason Montleon. It’s his personal hardware. A CLE-sponsored Fedora K3 builder is on its way to him too, it’ll be wired into RISC-V Koji
[Hardware] Discussed with Jefro about potentially working with Scaleway to get some cloud builders via the RISE initiative. To be discussed at the RISC EU Summit.

AI

This is the summary of the work done regarding AI in Fedora.

t0xic0d3r helped draft the Fedora AI Developer Desktop Community Objective logic model [Draft]

QE

This team is taking care of quality of Fedora. Maintaining CI, organizing test days
and keeping an eye on overall quality of Fedora releases.

Reported bugs related to Thinkpad X1 Carbon Gen14, a laptop that could be in the next laptop models offering for RHatters. Both the microphone and camera are broken. Notified the CSB team and Mark Pearson from Lenovo.
We missed an installer crash in F44 KDE and other spins (but not Workstation), documented it and took follow-up steps to prevent it in the future. We have flagged before that having multiple installer UIs and storage paths raises the risk of this kind of situation
Ongoing tool tech debt and enhancement work: reviving and fixing issuebot, MCP server and devcontainer config for testdays-web, cloud automation now reporting to resultsdb
cloud automation found systemd bug at AWS
openQA: deployments upgraded to Fedora 44 and new os-autoinst packages, fedora-media-writer coverage extended, discovered multiple dependency bugs, dracut decryption bug, plymouth keyboard layout bug, KDE config panel layout bug

Forgejo

This team is working on introduction of https://forge.fedoraproject.org to Fedora
and migration of repositories from pagure.io.

Discussed the coordination process for the private issues
Enabled the members team to create repositories [Access]

EPEL

This team is working on keeping Epel running and helping package things.

Prepared EPEL 10.1 for move to archives
Package maintenance across multiple Fedora and EPEL packages
Quality work via bug reports and bodhi karma
Starting to onboard Pedro

UX

This team is working on improving User experience. Providing artwork, user experience,
usability, and general design services to the Fedora project

Finalizing Flock materials
- Everything for print sent to organisers
- Digital assets is now the focus

If you have any questions or feedback, please respond to this report or contact us on #admin:fedoraproject.org channel on matrix.

The post Community Update – Week 23 2026 appeared first on Fedora Community Blog.

Remi Collet: ⚙️ PHP version 8.4.22 and 8.5.7

Fri, 05 Jun 2026 04:40:00 +0000

RPMs of PHP version 8.5.7 are available in the remi-modular repository for Fedora â‰¥ 42 and Enterprise Linux â‰¥ 8 (RHEL, Alma, CentOS, Rocky...).

RPMs of PHP version 8.4.22 are available in the remi-modular repository for Fedora â‰¥ 42 and Enterprise Linux â‰¥ 8 (RHEL, Alma, CentOS, Rocky...).

â„¹ï¸� These versions are also available as Software Collections in the remi-safe repository.

â„¹ï¸� The packages are available for x86_64 and aarch64.

â„¹ï¸� There is no security fix this month, so no update for versions 8.2.31 and 8.3.31.

Version announcements:

â„¹ï¸� Installation: Use the Configuration Wizard and choose your version and installation mode.

Replacement of default PHP by version 8.5 installation (simplest):

On Enterprise Linux (dnf 4)

dnf module switch-to php:remi-8.5/common

On Fedora (dnf 5)

dnf module reset php
dnf module enable php:remi-8.5
dnf update

Parallel installation of version 8.5 as Software Collection

yum install php85

Replacement of default PHP by version 8.4 installation (simplest):

On Enterprise Linux (dnf 4)

dnf module switch-to php:remi-8.4/common

On Fedora (dnf 5)

dnf module reset php
dnf module enable php:remi-8.4
dnf update

Parallel installation of version 8.4 as Software Collection

yum install php84

And soon in the official updates:

Fedora Rawhide now has PHP version 8.5.7
Fedora 44 - PHP 8.5.7
Fedora 43 - PHP 8.4.22

âš ï¸� To be noticed :

EL-10 RPMs are built using RHEL-10.2
EL-9 RPMs are built using RHEL-9.8
EL-8 RPMs are built using RHEL-8.10
intl extension now uses libicu74 (version 74.2)
mbstring extension (EL builds) now uses oniguruma5php (version 6.9.10, instead of the outdated system library)
oci8 extension now uses the RPM of Oracle Instant Client version 23.26 on x86_64 and aarch64
A lot of extensions are also available; see the PHP extensions RPM status (from PECL and other sources) page

â„¹ï¸� Information:

Base packages (php)

Software Collections (php83 / php84 / php85)

Michel Alexandre Salim: Work-Life Balance 🏖️ with Sandogasa 👒 Hat-Track

Fri, 05 Jun 2026 00:00:00 +0000

Caveat lector

This post discusses tools reluctantly written with AI assistance. If you don’t entertain using them under any circumstance, and think even reading about them legally compromise your ability to reimplement them yourselves, stop reading now

Happy Friday! Of course it’s not Friday anymore in Asia, and if I finish this post in time, it’s still the work day in the Western Hemisphere.

When you work in a large distributed project, it’s not dissimilar to working in a large multinational company - there are too many people to know everyone (or at least not at once!) and you might not know where someone is and if you’re pinging them in the middle of the night.

Kiwi TCMS: Kiwi TCMS 16.0

Thu, 04 Jun 2026 23:18:00 +0000

Dear testers, we're happy to announce Kiwi TCMS version 16.0!

IMPORTANT:

This is a major version release which includes security related updates several improvements, backwards incompatible changes and new translations.

You can explore everything at https://public.tenant.kiwitcms.org!

---

Public container image (x86_64):
pub.kiwitcms.eu/kiwitcms/kiwi   latest  3b2c789666ec   867MB

IMPORTANT: version tagged and multi-arch container images are available only to subscribers!

Changes since Kiwi TCMS 15.4

Security

Update Django from 5.2.12 to 5.2.15
Upadate pillow from 11.3.0 to 12.1.1
Update node_modules/fast-uri from 3.1.0 to 3.1.2
Update node_modules/flatted from 3.3.3 to 3.4.2
Make /init-db/ page a no-op if already executed once. Fixes CVE-2026-49292

Improvements

Update Python runtime from 3.11 to 3.12
Update Node.js runtime from 16 to 22
Update Nginx runtime from 1.22 to 1.26
Update django-grappelli from 4.0.3 to 5.0.0
Update django-guardian from 3.3.0 to 3.3.1
Update django-tree-queries from 0.23.1 to 0.24.0
Update psycopg from 3.3.3 to 3.3.4
Update pygithub from 2.8.1 to 2.9.1
Update pygments from 2.19.2 to 2.20.0
Update python-gitlab from 8.1.0 to 8.4.0
Update tzdata from 2025.3 to 2026.2
Update node_modules/pdfmake from 0.3.6 to 0.3.7
Update node_modules/webpack-cli from 7.0.1 to 7.0.2
Update node_modules/webpack from 5.105.4 to 5.106.0
Display Last modified column in TestCase Search page. Closes Issue #4140
Remove requirement for setuptools<82. Fixes Issue #4299

Removals

Remove Bitbucket Issues integration because Atlassian has announced the removal of this feature

Release

pub.kiwitcms.eu/kiwitcms/kiwi container is now a rolling release
PyPI packages are uploaded to pkg.kiwitcms.eu. Closes Issue #3376

API

API method TestCase.filter() now returns the history_date field

Refactoring and testing

Update black from 25.12.0 to 26.5.1
Update locust from 2.43.3 to 2.44.1
Update codecov/codecov-action from 5 to 6
Merge Dockerfile.buildroot with Dockerfile. Closes Issue #3496
Replace pkg_resources discovery with importlib.metadata
GitLab Issues are now called Work Items

Translations

Changes since Kiwi TCMS Enterprise v15.3-mt

Based on Kiwi TCMS v16.0
Update Python runtime from 3.11 to 3.12
Update certbot from 5.4.0 to 5.6.0
Update django-prometheus from 2.4.1 to 2.5.0
Update kiwitcms-github-app from 2.1.0 to 2.2.2
Update kiwitcms-tenants from 4.4.1 to 4.4.4
Update kiwitcms-trackers-integration from 1.2.1 to 1.3.1
Update psycopg-pool from 3.3.0 to 3.3.1
Update sentry-sdk from 2.54.0 to 2.61.1
Update social-auth-kerberos from 0.3.0 to 0.3.2
Update social-auth-app-django from 5.7.0 to 5.9.0
Remove OpenResty override
Remove requirement for setuptools<82
Honor container ENV variable NGX_DENY_INCLUDE
Don't use legacy syntax in Dockerfile
Provide sample SSL configuration for Postgres and configure Kiwi TCMS to connect to it securely. Closes Issue #2413

Private container images

hub.kiwitcms.eu/kiwitcms/version          16.0 (aarch64)          d972a78b065c    04 Jun 2026     720MB
hub.kiwitcms.eu/kiwitcms/version          16.0 (x86_64)           876f5b848ee7    04 Jun 2026     701MB
hub.kiwitcms.eu/kiwitcms/enterprise       16.0-mt (aarch64)       25fc9c88a3b5    05 Jun 2026     925MB
hub.kiwitcms.eu/kiwitcms/enterprise       16.0-mt (x86_64)        3a7747c99b65    05 Jun 2026     904MB

IMPORTANT: version tagged, multi-arch and Enterprise container images are available only to subscribers!

How to upgrade

Follow the Upgrading instructions from our documentation.

Happy testing!

---

If you like what we're doing and how Kiwi TCMS supports various communities please help us grow!

Give â� on GitHub;
Join our newsletter and follow all news;
Become a subscriber and help us sustain development

Dave Airlie: Appearing on the Software Engineering Radio Podcast

noreply@blogger.com (Dave Airlie) — Thu, 04 Jun 2026 00:05:46 +0000

Software Engineering Radio is a podcast for people in IT/development with over 700 episodes across many topics over 20 years. They haven't touched on the Linux kernel much. I was invited on as part of my role at Red Hat as a Distinguished Engineer, but the podcast is really an insight into kernel maintenance, in graphics and beyond, touching on the scope and scale of the project.

It was my first time to record something that wasn't just me talking at a conference/meetup, and it was all very professional, with sound checks and brainstorming before hand.

The content is at a pretty broad and introductory level. We talked about kernel development processes, maintenance processes, and we touch on rust in the kernel a bit. It's mostly about the sheer size and scale of the project and how Linus releases things, how trees get to Linus and how the GPU work is done.

Hopefully you enjoy listening to it!

[1] https://se-radio.net/2026/06/se-radio-723-dave-airlie-on-linux-kernel-maintenance/

Cockpit Project: Cockpit 363

Thu, 04 Jun 2026 00:00:00 +0000

Cockpit is the modern Linux admin interface. We release regularly.

Here are the release notes from cockpit-files 41:

Files: Add editor shortcut for “Save”

You can now type “Ctrl-S” to save a file in the editor.

Thanks a lot @Leone25 for this contribution!

Try it out

cockpit-files 41 are available now:

Fedora Community Blog: F44 Elections Vote Now!

Mon, 01 Jun 2026 13:39:46 +0000

The F44 elections voting period is now open! The ballot boxes for this cycles elections are open from today, Monday June 1st until Friday, June 12th on the elections app. The ballot boxes will close on June 12th at 23:59:59 UTC.

For links to candidate interviews, please visit this post or the nominations wiki page of each election.

As the number of eligible candidates (4) equaled the number of open seats (4) for the EPEL Steering Committee, no ballot box is available for this election. Instead, these candidates are automatically elected by default.

Good luck to all of our candidates across Fedora Council, FESCo and Mindshare Committee during this election cycle!

The post F44 Elections Vote Now! appeared first on Fedora Community Blog.

Marcin 'hrw' Juszkiewicz: Arm desktop: so many cores, not enough speed

Mon, 01 Jun 2026 13:06:00 +0000

Using a system with 80 AArch64 cores can be a pleasure. Or a pain…

Multicore heaven?

Having 80 cores sounds nice, doesn’t it? But not so much during actual use…

You see, building Fedora packages was flying by. With all cores in use, ccache buffers filling up (in case of rebuilds), and 128 GB of RAM in constant use, etc.

But at the same time, 100% load on all cores means you cannot listen to music on Spotify or watch online videos, etc. All that because the CPU cores are occupied by the build processes.

I tried to use cgroups to limit cpu.max for each fedpkg mockbuild call. It did not help much: the audio was still jerky.

To compare: I wrote this post on a system powered by a Ryzen 5 3600 CPU while a package build was running in the background. All twelve CPU threads were 100% busy, yet the music did not skip.

All of this shows that cores-heavy CPUs are perhaps not a good choice for a desktop machine. Latencies, the scheduler and context switching — all of this introduces enough noise to make a desktop user suffer.

The lack of single-thread speed

Arm processors are good in many cases, as long as you do not need pure, single-thread, CPU power.

It is very noticeable in a web browser. For example, Bitwarden unlocks with a noticeable delay, while on a Ryzen 5 3600, it is nearly instant. And it feels even worse when you watch some YouTube videos like “who will make faster PC on a €100 budget”, and then you run the same browser benchmark and get worse results…

Many software builds also highlight this problem. I have a feeling that developers have grown used to a small number of fast CPU cores, which is the norm on the x86-64 architecture, and their code is written to take it for granted.

And then you look at your machine, where 70 cores do nothing, waiting for some code to finally compile or link. I have seen one software package where the bootstrap was composed of TWO source files. Both were over two megabytes in size and full of machine-generated C code. Two cores were kept busy for quite a while, while the other 78 had to wait.

Not much has changed since my the “From the diary of AArch64 porter — parallel builds” blog post from eight years ago.

Of course, there are also packages which will take all cores, whole memory and as much swap as possible, and do magic in nearly no time. When I started build of the PrusaSlicer package, I had to add some swap because Firefox was gone due to OOM. Having less than 2 GB of RAM per CPU core really sucks ;D

Summary

To use a desktop system you do not need many cores. As long as they are fast.

Kevin Fenzi: misc fedora bits the last week of may 2026

Sat, 30 May 2026 16:54:54 +0000

Another week has gone by, time for another longer form recap.

More rhel10 migrations

Some more rhel10 migrations this last week. This time our memcached instances, our tang servers and a few others. Slowly making progress, but this will get us down to the 'fun' ones: Database servers, virthosts that host important things, etc.

Fedora 42 eol

Tuesday was supposed to be the end of life for Fedora 42. For some reason, the date was set to be wed, and then there was some delays due to failed updates composes that pushed it to thursday. It's done however. Fedora 42 was a nice release, it served well. We still have just 3 Fedora 42 instances we need to move and we will do those next week...

Updated staging koji

I have updated our staging koji ( https://koji.stg.fedoraproject.org ) hub and builders all to Fedora 44 and the latest koji version (1.36.0). We have some non upstreamed patches for our theme, and koji upstream changed from cheeta to jinja2 for it's templates which completely broke that. I was able to use a clanker to rework the patch for jinja2 and then manually fix it from there to work. I'd say it was much quicker, but the process wasn't particularly satisfying. Anyhow, it's done and working as far as I have been able to test in staging.

Mass update/reboot cycle next week

We are going to apply updates all around and reboot things next week. There is a lot we hope to do on this outage:

rhel 9.8 and 10.2 came out, so we will be updating all rhel servers to those.
we will be upgrading the wiki servers from f42 to f44 (and newer mediawiki)
I hope to do some rhel10 reinstalls while we are in outage
Upgrade prod koji to 1.36.0 and f44 (hubs and builders)
There is a chance DC operations want us to move some servers from one set of racks to another to balance power usage out. Still to be determined if this happens.

So, it should be a busy week

Flock

The week after next, flock is already upon us! I hope to be there and able to catch up with old friends and new.

As always, comment on the fediverse: https://fosstodon.org/@nirik/116664633411162579

Fedora Community Blog: F44 Elections Interviews

Fri, 29 May 2026 23:03:10 +0000

The F44 election interviews are now live. With seats open across all leadership groups, this is one of our most popular election cycles yet! Use this post to navigate to candidates interview posts easily.

Voting will be open on Monday, June 1st and will close at 23:59 UTC on Friday, June 12th. Best of luck to all our candidates!

Fedora Council – 2 seats open

Fedora Engineering Steering Committee/FESCo – 5 seats open

Fedora Mindshare Committee – 4 seats open

EPEL Steering Committee – 4 seats

The post F44 Elections Interviews appeared first on Fedora Community Blog.

Jon Chiappetta: Lessons Learned From Implementing Multi-Threaded VPNs!

Fri, 29 May 2026 18:44:30 +0000

When reading packets or network data from a tunnel interface, the order in which they are read does matter as they can impact connectionless protocols and also cause stateful protocols to spend time re-ordering data! There were three techniques that I tried implementing to solve this issue:

Map a packet address to a thread index during the entire time of every connection state
Index and order every packet read by number and wait to write them out in the same sequence
Lock and time and order each threaded process just like many pistons firing inside of an engine block

Allan Day: GNOME Foundation Update, 2026-05-29

Fri, 29 May 2026 16:41:43 +0000

Welcome to another update about everything that’s been happening at the GNOME Foundation. As has become my custom, this post covers a two week period, this time from 18 May until today, 29 May. As usual the Foundation continues to be busy, with events, infra, governance, and accounting activities all happening simultaneously. Read on for more information!

Events

Linux App Summit (LAS) 2026 was held in Berlin over the 16-17 May weekend. I’ve heard quite a few reports now, and everyone seemed extremely positive about the event. Kristi wrote a nice summary if you want more details.

The GNOME Foundation had two team members on the ground helping with running the event, which we co-organize with KDE. I’d like to take this opportunity to give a big thank you to the event’s sponsors: openSUSE, Tuxedo, Nextcould and Codethink. This event wouldn’t be possible without your support.

In addition to LAS, work is continuing on arrangements for GUADEC 2026. The deadline for travel sponsorship applications has now passed, and the Travel Committee has met to decide who will be funded. Notifications will be going out soon.

Board Elections

The process is officially underway for this year’s Board elections. Terms on our Board of Directors are two years in length, and each year half the board seats are open for election. This year we have five seats being contested.

The 2026 election has a slightly different schedule to previous years. In the past, there was no gap between the candidacy period, in which people can announce their intention to run, and the voting period. This meant that there was little opportunity for last-minute candidates to participate in discussion prior to voting taking place.

To address this, we’ve added a one week discussion period to the schedule, which will run between 8 and 15 June, between the candidacy and voting periods. This will hopefully give us opportunity to have more structured and inclusive debate amongst the candidates. We are still figuring out what that might look like, so if people have ideas or want to help, let me know in the comments.

GNOME Fellowship

We are currently in the very final stages of confirming and announcing the successful candidates for the inaugural round of the Foundation’s Fellowship program. Expect an announcement very soon.

Got a Concern?

Last week we introduced a new policy for handling of concerns about the Foundation, which is now part of the project handbook.

The new policy covers how to report concerns about people who are working for the Foundation, either in a paid or voluntary capacity. It also covers more general concerns about the Foundation.

The main goals of the policy are to:

have a documented reporting procedure for those who have concerns relating to the Foundation
clarify how concerns will be responded to
provide reassurance for those reporting concerns, including that concern reports are welcome, are taken seriously, and will never result in retaliation

We hope that this policy will make it clear how you can inform us of a concern if you have one. We also want to emphasise that we want to hear concerns, so we can address them. Please do use the new reporting procedure.

Finance/Accounting

Work has continued on the finance and accounting operation over the past two weeks. Highlights include:

Our transition to a monthly rather than quarterly close reached a significant milestone this week, with the completion of our April finance reports within three weeks of the previous month end. This is probably the fastest ever turnaround for our finance operation, and is a huge win for us in being able to effectively manage our finances.
Following input from the board, corrections have now been sent to the accountants for our audit and annual tax filing.
Applications are still open for our Director of Finance and Operations part-time contract. Candidates have until 4 June to submit.
Finally, as I mentioned in my last update, we are in the process of retiring a number of finance platforms as we consolidate and streamline our operation. This week saw another platform retired, which brings the total number of eliminated platforms to four.

Infrastructure

Our infrastructure experienced a DDoS attack last weekend, which Bart and Andrea have been dealing with. Thankfully it seems that services weren’t too badly affected, and we’ve already improved our protection against similar attacks in the future.

Also on the infra side, Bart wasn’t at LAS this year, but he did spend some time writing two great posts about Flathub’s internals: How does Flathub even work? and Why are Flathub downloads so slow sometimes?. They’re a fascinating read if you’re interested in Flathub.

That’s it from me! As always, thanks for reading, and see you in two weeks.

Jon Chiappetta: A Year Of Three Websites

Fri, 29 May 2026 01:23:02 +0000

https://fossjon.com

https://xorcipher.com

https://icanhazdns.com

Jon Chiappetta: I Created A New Web Service For Command Lines – icanhazdns.com

Thu, 28 May 2026 22:21:17 +0000

It is inspired by icanhazip.com but it returns a little more information as well!

curl icanhazdns.com

Jon Chiappetta: EARTH-TO-APPLE – Curved Glass Is More Beautiful Than Curved Metal!

Thu, 28 May 2026 02:10:27 +0000

Please help me start a petition to Apple to bring back smaller sized phones with a pro screen and a flat metal ribbon which wraps the curved glass front and back like a beautiful diamond ring design should be! The iPhone 4S was soo close, all it needed was a full AOD screen with curved corners and edges…

Adam Young: Debugging Rust in Vim

Wed, 27 May 2026 22:34:57 +0000

On Fedora:

yum install termdebug

in ~/.vimrc

let g:termdebug_config = {}
let g:termdebug_config['command'] = 'rust-gdb'

packadd! termdebug

Inside vim:

Termdebug target/debug<executable>

Use Ctrl-W DownArrow to switch between windows

Use :Break to set a breakpoint in the code window

Use Ctrl-W UpArrow to go to the gdb window

use run to run the program and cont to continue after hitting a break point.

Jon Chiappetta: Upgrade Ubuntu To The Next Major Release via Command Line SSH/Screen

Wed, 27 May 2026 17:37:52 +0000

screen -dm -S up bash -c "do-release-upgrade -d -m server ; sleep 99999"

Bonus Command:

screen -p 0 -S test -X stuff 'echo "test" \n'

Fedora fans: آموزش نصب و راه اندازی MasterDnsVPN

Tue, 26 May 2026 14:03:18 +0000

MasterDnsVPN یک نرم‌افزار متن‌باز و پیشرفته برای DNS Tunneling است که با زبان Go توسعه داده شده و با کپسوله‌سازی ترافیک TCP داخل درخواست‌ها و پاسخ‌های DNS، امکان عبور از محدودیت‌ها و فیلترینگ شدید اینترنت را فراهم می‌کند. این پروژه با تمرکز بر پایداری، سرعت و عملکرد در شبکه‌های دارای Packet Loss بالا طراحی شده […]

The post آموزش نصب و راه اندازی MasterDnsVPN first appeared on طرفداران فدورا.

Kevin Fenzi: blood glucose monitoring with open source

Sun, 24 May 2026 16:34:14 +0000

Over a year ago now, I was diagnosed with Diabetes. I'm not going to go into too much about it here since there's tons of other online resources for it, but I wanted to share one particular area where I have been able to use serveral open source products to help monitoring and tracking my blood glucose levels.

Monitoring blood glucose is important information. Various things affect it and it's good to know what those are and how much they affect it. Some things affect it very quickly (exercise) and some more slowly (digesting food). Some foods affect levels dramatically, some not as much.

When I was first diganosed, the recommendation from my doctor was to use periodic blood tests to see what the levels were. This consists of a set of lancets, some monitoring strips and a reader. You poke your finger and draw a drop of blood on the strip, then put that in the reader and it gives you a reading. This is really quick accurate, but it has a lot of drawbacks:

You have to poke yourself all the time and it's painfull and anoying.
The reader has bluetooth (but the only thing that can connect to it is a closed source android app).
The closed source/non free android app requires you to make an account and then send all your readings to some company.
Its really not easy to test a lot, or when traveling.
You consume a lancet and a test strip for every test. They are small, but it's still consumable/waste.

I looked at getting a CGM (continous glucose monitor) which is a sensor you affix to your arm and it monitors all the time for a few weeks, when it needs to be replaced. This seemed much nicer, but it had drawbacks too:

More expensive
Still had a closed source/non free app that required you to make an account and upload all your data to them.
slightly less accurate

So, I just kept on with infrequent stick testing, until I noticed a post from Bradley Khun on the software freedom conservency blog:

https://sfconservancy.org/blog/2025/nov/06/juggluco-foss-continuous-glucose-montior-diabetes/

There was a open source android app to talk to these sensors!

So, a quick message to my doctor and a perscription in hand, I got some monitors to try out. Juggluco ( https://github.com/j-kaltes/Juggluco ) has kind of a odd interface, but it works great once you figure it out. The sensors seem like they would be painful to attach, but I really haven't noticed anything when applying them. They also make some 'covers' that fit over them to protect them from water/etc. They do look a bit ragged after 15 days, but I've not had one come off yet. Being able to have readings all the time has been very nice. Especially when traveling. It can even give you a 'estimated a1c' value (This is basically a trending for blood glucose over the last N months). You can see immediate results from exersize and can definitely see 1-2 hours after meals how much they affect things.

All my data is stored on my phone, which was ok, but I wanted to have a longer term/more stable backup of that data at least.

Google created a while back a setup in android for medical / heath data. "Health Connect" is surprisingly well setup. You (the user) can decide exactly what applications have permissions to write what health data and what applications have permissions to read that data. The idea being that you can decide to share some data with some application, or revoke it later if you choose to. All the data is still stored on the phone, this is just controlling access to it.

The android home assistant application has the ability (if you grant it to read health connect data. I then just set juggluco to write blood glucose values into health connect and allowed home assistant application to read that. A new sensor appears in home assistant. Now I can graph, run automations based on it, or do anything I can normally do with a sensor in home assistant. You can do the same with for example the 'steps' counter that android keeps automatically.

There is one slight gotcha in this setup that I discovered a few weeks ago. I went to go look at my longer term blood glucose trends, and... there was only 10 days of values in home assistant. ;( The home assistant android app doesn't keep long term statistics anoyingly. You can get around this by making a template sensor that just reads from the android app one and it will keep long term data (although the usual home assistant way of 1 datapoint per hour instead of all the datapoints, but that should be reasonable for long term trends).

Overall I think its a pretty nice setup now. I do wish the sensors lasted longer. They last for 15 days and then stop. I'm not sure if thats a limit of battery life, some kind of reading accuracy issue or just that they want you to buy more sensors.

comments? additions? reactions?

As always, comment on the fediverse: https://fosstodon.org/@nirik/116630715953443762

Kevin Fenzi: misc fedora bits third week of may 2026

Sat, 23 May 2026 17:50:26 +0000

Another saturday, time for another longer form weekly recap of what I have been up to in Fedora Infrastructure.

RHEL10 migrations

RHEL10 migrations are in full swing. Moving things we have that are on RHEL9 over to RHEL10 with clean re-installs. Mostly this is just pretty easy, but I did run into a few fun things:

One of our donated servers was really old and couldn't run RHEL10, so, the provider provisioned us a new(er) one. All good, but we like to do clean installs of our servers and this provider didn't happen to have a remote console, so it was kind of flying blind. First, the RHEL10 installer would hang on boot in systemd-gpt-auto-generator. My theory ( but I haven't tested it yet to be sure ) is that because they installed Fedora 44 on it, when it booted to the RHEL10 installer it would try and figure out the partitions, that would work, but then because there's no btrfs support it would get confused and hang. Next I ran into vnc being deprecated in rhel10.1. Fine, but, also no rdp kickstart directive available, you MUST pass inst.rdp on the boot line. Then of course various adventures in partitioning and such. I did finally get it done, but there was a lot of 'please reboot it' back and forth with the very patent provider.
I found another of our old machines ( which is due to be replaced this year, but with hardware prices and availablity I am not sure it actually will be ) is actually BIOS booting still. I just left it for now, if we don't end up replacing it I might reinstall uefi.
A few issues around our internal repo files and which things they were or should be pointing to (for minor releases, since 10.2 came out while I was in the middle of installing some things).

Anyhow, good progress being made on all the easy ones.

Flock coming up fast

https://fedoraproject.org/flock/2026/ is coming up fast. Just 3 weeks. This is our big conference of the year, will be great to meet up with folks and discuss everything.

comments? additions? reactions?

As always, comment on the fediverse: https://fosstodon.org/@nirik/116625217014724131

Remi Collet: 📝 Redis version 8.8

Sat, 23 May 2026 14:38:00 +0000

RPMs of Redis version 8.8 are available in the remi-modular repository for Fedora ≥ 43 and Enterprise Linux ≥ 8 (RHEL, Alma, CentOS, Rocky...).

1. Installation

Packages are available in the redis:remi-8.8 module stream.

1.1. Using dnf4 on Enterprise Linux

# dnf install https://rpms.remirepo.net/enterprise/remi-release-$(rpm -E %rhel).rpm
# dnf module switch-to redis:remi-8.8/common

1.2. Using dnf5 on Fedora

# dnf install https://rpms.remirepo.net/fedora/remi-release-$(rpm -E %fedora).rpm
# dnf module reset  redis
# dnf module enable redis:remi-8.8
# dnf install redis --allowerasing

You may have to remove the valkey-compat-redis compatibility package.

2. Modules

Some optional modules are also available:

RedisBloom as redis-bloom
RedisJSON as redis-json
RedisTimeSeries as redis-timeseries

These packages are weak dependencies of Redis, so they are installed by default (if install_weak_deps is not disabled in the dnf configuration).

The modules are automatically loaded after installation and service (re)start.

The modules are not available for Enterprise Linux 8.

3. Statistics

redis

redis-bloom

redis-json

redis-timeseries

Remi Collet: 🎲 PHP version 8.4.22RC1 and 8.5.7RC1

Fri, 22 May 2026 05:09:00 +0000

Release Candidate versions are available in the testing repository for Fedora and Enterprise Linux (RHEL / CentOS / Alma / Rocky and other clones) to allow more people to test them. They are available as Software Collections, for parallel installation, the perfect solution for such tests, and as base packages.

RPMs of PHP version 8.5.7RC1 are available

as base packages in the remi-modular-test for Fedora 42-44 and Enterprise Linux ≥ 8
as SCL in remi-test repository

RPMs of PHP version 8.4.22RC1 are available

as base packages in the remi-modular-test for Fedora 42-44 and Enterprise Linux ≥ 8
as SCL in remi-test repository

ℹ️ The packages are available for x86_64 and aarch64.

ℹ️ PHP version 8.3 is now in security mode only, so no more RC will be released.

ℹ️ Installation: follow the wizard instructions.

ℹ️ Announcements:

Parallel installation of version 8.5 as Software Collection:

yum --enablerepo=remi-test install php85

Parallel installation of version 8.4 as Software Collection:

yum --enablerepo=remi-test install php84

Update of system version 8.5:

dnf module switch-to php:remi-8.5
dnf --enablerepo=remi-modular-test update php\*

Update of system version 8.4:

dnf module switch-to php:remi-8.4
dnf --enablerepo=remi-modular-test update php\*

ℹ️ Notice:

version 8.5.4RC1 is in Fedora rawhide for QA
EL-10 packages are built using RHEL-10.1 and EPEL-10.1
EL-9 packages are built using RHEL-9.7 and EPEL-9
EL-8 packages are built using RHEL-8.10 and EPEL-8
oci8 extension uses the RPM of the Oracle Instant Client version 23.26 on x86_64 and aarch64
intl extension uses libicu 74.2
RC version is usually the same as the final version (no change accepted after RC, exception for security fix).
versions 8.4.19 and 8.5.4 are planed for March 12th, in 2 weeks.

Software Collections (php84, php85)

Base packages (php)

Michael Catanzaro: Single-Click Code Execution Exploit for Evince, Atril, and Xreader

Thu, 21 May 2026 20:49:51 +0000

CVE-2026-46529 is an argument injection vulnerability in Evince, Atril, and Xreader caused by missing shell quoting when composing a command line. The reporter, Jo達o Medeiros, has published a GitHub repo for the CVE and a blog post with the story of how he discovered the flaw and developed the exploit. He also created an Atril security advisory and an Evince issue report.

The vulnerability is fixed in:

Evince 48.4 (fix commit) (I originally reported that it is fixed in 48.2, but there was no successful release for that tag)
Atril 1.28.4 and 1.26.3 (fix commit)
Xreader 4.6.4 and 3.6.7 (fix commit)

If you use one of these PDF readers, update immediately. Or at least please be seriously paranoid about clicking on links in PDFs until you do update.

This vulnerability also affects Papers, but it’s probably not urgent to update Papers. (No, not because it uses Rust. Keep reading!)

The Flatpak sandbox could have drastically reduced the danger of this attack, limiting the compromise to only files that you had previously opened in the PDF reader. Sadly, Evince and Papers both use sandbox holes that render the sandbox totally meaningless. (Atril and Xreader are not available on Flathub.)

The Vulnerability

When you click on a link in a PDF, Evince may execute itself to display the link. Normally the command line used would look something like this:

/usr/bin/evince --named-dest=/home/foo/hello.pdf

But an evil PDF may trick Evince into executing a command that is quite different than expected:

/usr/bin/evince --named-dest= --gtk-module=/home/foo/evil.so /home/foo/hello.pdf

Oops. The first part of the command is always going to be /usr/bin/evince, but the evil PDF is nevertheless able to unexpectedly load a GTK module into Evince. The fix is to quote the untrusted input using g_shell_quote() to ensure it cannot “break out” of its intended context:

/usr/bin/evince --named-dest='/home/foo/hello.pdf'

Or:

/usr/bin/evince --named-dest=' --gtk-module=/home/foo/evil.so /home/foo/hello.pdf'

Much better: now the threat is neutralized. g_shell_quote() is safe to use even if the untrusted input itself contains quotes. (However, beware: this only works because GLib is parsing the command line itself, and GLib is not a real Unix shell. It’s not safe if the input is going to be passed to an actual Unix shell. It might not even be theoretically possible to do that safely, because it’s valid for filenames to contain entirely arbitrary characters!)

All GTK 3 apps support the --gtk-module command line argument for injecting a shared library into the application. The library may of course then execute whatever code it wants via its library constructor. But GTK 4 no longer has standard GTK command line flags, so this does not work for GTK 4 applications like Papers. It’s still possible to tell a GTK 4 app to load a GTK module, but only via environment variables, not via command line flags, and I don’t see any opportunity for the malicious command to set environment variables. It’s probably not possible to exploit this vulnerability in Papers: although it has the exact same vulnerability as the other PDF readers, the impact is different.

The Exploit

So far this looks like a pretty typical security bug. OK, so if you trick the user into downloading an archive (or perhaps a git repo) that contains both a malicious PDF and also a malicious shared library, then you can trick the PDF reader into loading the shared library and thereby execute arbitrary code. That’s a pretty bad foreseeable exploit, sure, but at least the attacker is at considerable risk of arousing suspicion if the user is trying to download a PDF and also receives a shared library. You’d have to try pretty hard to hide the library in a forest of other boring files if you want the attack to look convincing and unsuspicious. Right?

Nope.

Jo達o used Claude Opus 4.7 to develop a sophisticated script for building malicious polyglot PDFs that are simultaneously both valid PDF files and also valid ELF binaries, so the attacker only needs to trick the victim into downloading one evil PDF file. When the victim clicks on a link in that PDF, the PDF reader will dlopen the PDF itself. The PDF/ELF polyglot’s library constructor will then execute arbitrary code. Much less suspicious, and much scarier. Polyglot files are not entirely novel, but I’d still say this required substantial creativity and expertise from the AI, and substantial persistence from the human. Needless to say, very nice job to both Claude and Jo達o.

You can easily build your own malicious PDF using the provided script and sample GTK module. The script in the Evince and Atril issue reports requires that the attacker predict the absolute path that the malicious PDF file will be saved to; however, Jo達o’s blog post and GitHub repo refine the exploit to remove that requirement.

Thoughts on AI Vulnerability Reports

A human inspecting this code should have been able to find the parameter injection vulnerability, but that requires considerable time and effort, so unsurprisingly nobody did. We’re probably in for a rough time in the short term as the volume of AI-generated vulnerability findings remains temporarily very high and attackers have a much easier time crafting working exploits. But in the long term, I expect we are going to be much more secure than we were before, so this will be worth it.

A human working alone would have almost certainly stopped and moved on after finding the vulnerability. Claude allowed taking the investigation much farther. It’s highly unusual for a GNOME vulnerability report to come with a working exploit. This is a dangerous change. Perhaps it will be a one-time event, but I suspect we will be seeing more frequent exploits in the future.

Silver lining: the exploit helps us better appreciate the severity of the issue. It’s often hard to assess how bad a vulnerability is. If not for the weaponized exploit, I would have thought this bug was not very scary, and would have treated it as not a big deal. We would have fixed it, perhaps or perhaps not with a CVE ID, surely without any blog post or fanfare, and probably without distro security updates. But since there is an exploit, we instead had no doubt that this vulnerability was dangerous, and were able to handle it accordingly.

Several GNOME projects have begun outright prohibiting all AI-generated contributions, including issue reports, with no exception for vulnerability reports. Such policies are misguided and unacceptable. I can sort of understand why some projects might (misguidedly) wish to prohibit AI-generated code contributions. OK, fine. But blocking AI vulnerability reports will make GNOME less safe. AI-assisted vulnerability reporting is the new industry standard for good reason: it is highly effective.

Some humans are not good at preparing AI-assisted vulnerability reports and will spam maintainers with low-quality reports. Sometimes they will be outright bogus, although more often there may be valid underlying bugs with exaggerated severity claims or bad proof of concept demos. This is annoying, but bad issue reports are a cost we are just going to have to accept and deal with.

The quality level of AI vulnerability reports reviewed by conscientious humans — as well as AI assessments of AI vulnerability reports — is now often quite encouraging. But just like humans, AIs may also miss things, especially subtle distinctions that may be highly relevant. Although I�� quite impressed with these AIs, we still need experienced humans to review and manage reports. Please don’t abuse the technology by submitting vulnerability reports that you do not understand or have not validated. And certainly please do not allow an AI agent to interact with an issue tracker on your behalf!

For Security Geeks

This was my first time scoring a vulnerability using CVSS 4.0 rather than CVSS 3.1. It’s also the first time I wasn’t terribly confused about how to set the parameters, because the scoring guide contained answers to all of my questions. Nice. My CVSS vector for CVE-2026-46529 is CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N, the base score is 8.4, and I’m pretty sure my choices for each parameter are good. By comparison, using CVSS 3.1 I came up with CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H and base score 7.8.

Richard Hughes: LVFS Sponsorship Announcement: HP

Wed, 20 May 2026 08:09:23 +0000

Some more great news: Iâ€™m pleased to announce that HP has also agreed to be premier sponsor for the Linux Vendor Firmware Service (LVFS) as part of our sustainability effort.

With the industry support from HP (and our existing sponsors of Lenovo, Dell, Framework, OSFF and of course Linux Foundation and Red Hat) we can turbo-charge the growth of the LVFS even more. Thanks!

Guillaume Kulakowski: Copyous : le gestionnaire de presse-papiers GNOME que j’attendais

Tue, 19 May 2026 17:04:00 +0000

À force d’utiliser des gestionnaires de presse-papiers au quotidien, difficile de revenir en arrière. Après GPaste puis CopyQ, j’ai découvert Copyous, une extension GNOME légère, rapide et parfaitement intégrée au bureau.

Gary Benson: Docker images by age or size

Tue, 19 May 2026 10:58:35 +0000

Files by age, newest first:

ls -lt

Docker images by age, newest first:

docker images --format "{{.CreatedAt}}\t{{.Repository}}:{{.Tag}}" | sort -r

Files by size, largest first:

ls -lS

Docker images by size, largest first:

docker images --format "{{.Size}}\t{{.Repository}}:{{.Tag}}" | sort -rh

Why why why??!

Guillaume Kulakowski: Ghostty : mon nouveau terminal sous Fedora 44

Sun, 17 May 2026 07:45:08 +0000

En migrant de Fedora 43 vers Fedora 44, j’en ai profité pour revoir mon terminal principal. Après GNOME Terminal, Tilix puis Ptyxis, j’ai finalement adopté Ghostty : un terminal moderne, rapide et minimaliste. Voici pourquoi ce choix m’a convaincu, ainsi que ma configuration complète avec thème Nord, Zsh et quelques ajustements utiles pour SSH.

Kevin Fenzi: misc fedora bits second week of may 2026

Sat, 16 May 2026 16:30:26 +0000

RHEL10 and Fedora44 migrations

Did a number of reinstalls for RHEL9 hosts moving to RHEL10 and some Fedora 42 hosts moving to Fedora 44. Most of these are pretty easy, just setup things and run ansible, but there's a few tricky hosts that are not in our main datacenter I've been trying to do.

This includes a donated server that was 12 years old. It's served long and well, but it's too old for RHEL10. Luckily the donating company was happy to provision us a newer/better host.

Coming up soon will be moving the koji builders from f43 to f44.

I'm hoping we can get the bulk of this done before flock.

502's and AI

For a while now we have had sporadic 502 ( thats "Bad Gateway") errors on koji and to a more limited extend on src.fedoraproject.org. They have been super hard to track down and we have tried a number of adjustments based on a number of theories.

This week, I decided to try and really find the cause, and why not also try some of these AI agents that are so good these days. So, I spent a lot of time on monday with claude trying to get somewhere. I found claude to be somewhat useful as a rubber duck and it did point me in some good directions at first. However, it seemed to loose track of context that happened in the very same session, like we determined that apache was not logging any 502's at all, but it kept asking me to enable apache debugging and look at apache logs. no. It also seemed amusingly unaware of anubis ("what is this anubis application?"). It also did help me actually make a patch for anubis to add debugging as I know not much about golang. I was able to add that and get more clarity as to what was happening. On the other side I felt... off after using it much of the day monday. It may have been the way I was using it, but it seemed like it was directing the conversation and it was easy for me to just go along, but actually figuring things out required me to think about how things were setup more and be more pointed in questions. I think if I hadn't known a lot about how things were setup, and just let it drive it would have resulted in no answers and a lot of wasted time/tokens/efforts. So, I am still somewhat of a skeptic. I think there are uses for AI, but it's a tool that isn't good for everything.

The actual problem is that on POST requests (only), sometimes, apache is sending a 200 back from the backend with the results of the request and anubis gets a EOL when reading it. This causes anubis to send the 502 back to the user.

I am not sure why this happens. Some possible theories:

There's a configuration problem with apache and somehow it's tearing down reverseproxy replies before anubis can finish reading them.
There's a bug in apache doing above.
There's a bug in go's proxy support thats causing it to not read some replies correctly.
something else

I did file an anubis bug, but unclear if anubis is really to blame here.

So, since this is only happening on POSTs, and since we already just ALLOW those in anubis (ie, it doesn't challenge on POSTs), I just set things to bypass anubus for POST requests (for koji.fedoraproject.org and src.fedoraproject.org).

This works around the bug/issue for now and users should no longer see 502s.

If you do see one, I am keeping the ticket about this open until monday: https://forge.fedoraproject.org/infra/tickets/issues/12913

kernel security updates whirlwind

There was a series of kernel security issues this week. I helped out pushing them out to stable updates in a timely manner, but also I have:

Added two more builders to the secure-boot channel. Should allow more kernel builds to happen and the ones that are to be faster.
For some reason (likely my fault) there were only a few ppc64le builders available in the secureboot channel. I added tons more. This was causing kernel builds to sometimes sit in buildSRPMfromSCM jobs to make the initial src.rpm. Should be better now

We put mitigations in place for hosts that have local users, but we will likely be doing a update/reboot cycle soon. Week after next perhaps?

s390x maintainer test instance

I decided to poke at the s390x maintainer test instance again. I had managed to get resources from the LinuxONE community cloud a long while back, but they do not offer (or have any plans to offer) Fedora instances.

I tried a number of kexec tricks to get a rhel9 instance to reboot into the fedora 44 installer without much luck. Finally I was able to get a script from Dan Horak that did all the right magic.

So, the instance installed just fine after that and I got it all setup.

s390x-test01.fedorainfracloud.org should be available for packagers to test package builds on now.

comments? additions? reactions?

As always, comment on the fediverse: https://fosstodon.org/@nirik/116585359828306662

Allan Day: GNOME Foundation Update, 2026-05-15

Fri, 15 May 2026 16:41:52 +0000

Welcome to another GNOME Foundation update post! Today’s installment covers highlights from what’s happened over the past two weeks.

LAS 2026

Linux Apps Summit 2026 starts tomorrow! The organizing team, which includes members from both GNOME and KDE, has been hard at work and is on the ground in Berlin making final preparations. The schedule looks great, and it promises to be a well-attended event.

The talks are being streamed this year, so make sure to watch our social media for details, and tune in live to hear the talks.

GUADEC 2026

Preparations are continuing for July’s GUADEC. The call for Birds of a Feather sessions is currently open. If you want to hold an informal discussion or working session, please fill out the form before 5th June.

Applications are still open for travel funding for GUADEC. The deadline for submissions is 24th May – that’s just over one week.

Board meeting

This week the Board of Directors had its regular meeting for May. A summary:

The Board authorized the closure of a bank account which we are no longer using.
I gave an update on operations over the past month, and got feedback from the Board
Felipe Borges from the Internship Committee joined, to give a report. The Board discussed how we can best support the committee.
Deepa gave a finance report, which included numbers from January and February. The main news here was that our finances are running close to what was projected for this year’s budget.
The Board discussed the draft of the report from the audit we recently underwent, as well as the draft of our latest annual tax filing. This is a routine part of the Board’s work, as it is required to perform a review before these documents are finalized.

Office transitions

Our long-running effort to enhance our internal accounting processes has continued over the past two weeks. A notable development has been the retirement of several finance platforms, which have been effectively replaced by the new payments platform that we adopted in January. This platform reduction will reduce operational complexity, as well as workloads. It is still ongoing – we have an additional two more platforms that are currently in the process of being retired.

Another highlight has been the launch of a search for a new member to join our finance and operations team. This is a part-time, contract-based role, which has been shaped in close consultation with Dawn Matlak, who is supporting our finance and accounting operations on a temporary basis, and has already been factored into our budget projections.

We are looking for someone at director level who brings substantial nonprofit finance experience — including audit preparation and compliance experience — which reflects how much the Foundation’s operational and regulatory requirements have grown, particularly in the run up to and following our audit last March, and will provide in-house expertise which will reduce our reliance on external consultants. You can read the full posting here.

Thanks for reading, and see you in two week’s time!

Kamil Páral: Heroes of Fedora Quality for Fedora 44

Fri, 15 May 2026 08:46:46 +0000

Fedora 44 is out, and in this post we’d like to highlight the top Fedora Quality contributors who helped us reach the finish line. Releasing Fedora is a shared effort, and Fedora wouldn’t be a high-quality distribution without its community. Every single person who helped us detect and resolve issues, or verify that things work as expected, deserves our gratitude, thank you!

If you haven’t participated yet in testing Fedora, perhaps you’d like to give it a try? We gladly welcome everyone. Please look at our Fedora Quality homepage.

Test cases validation

Our release validation efforts consist of running lots of test cases on the upcoming Fedora release composes. Here’s an example of a Fedora 44 release candidate. We have lots of tables like these, see Fedora 44 test results. All test cases which are not automated yet (or which are intentionally manual) need to be verified by people.

Test period: Fedora 44 branch time – Fedora 44 Final release
Contributors: 19
Test cases executed: 1380
Unique referenced bugs: 20

Name	Test cases executed	Referenced bugs¹
derekenz	468	2365456 2438905 2444046 2448211 2456542 2458714 (6)
lruzicka	132	2442593 2442988 2444078 2458907 (4)
geraldosimiao	132	2444046 (1)
psklenar	112
kparal	106
nielsenb	81	2442689 2448757 (2)
aggraxis	70
jlinton	58	2183626 2402621 2444775 2444776 2457333 2457336 (6)
robatino	56
jcline	36
abhis3k	35
xariann	20
osalbahr	19
jgroman	15
pboy	15
ahmedalmeleh	9
korora	8
adamwill	5	2448283 2453216 (2)
supakeen	3

¹ This is a list of bug reports referenced in test cases results. The bug itself may not be created by the same person.

Reporting bugs

When a new problem is found, we rely on people reporting it. Not every problem can be fixed, but the better data we have, the better we can prioritize and focus on the most important ones. Especially serious bugs can be even proposed as release blockers.

Test period: Fedora 44 branch time – Fedora 44 Beta (2026-02-03 – 2026-03-10)
Contributors: 84
Bug reports submitted: 182

Name	Bug reports submitted¹	Excess reports²	Accepted blockers³
Lukas Ruzicka	20	9 (45%)	1
Petr Sklenar	16	1 (6%)	1
Adam Williamson	9	1 (11%)	2
Steven Hollingsworth	9	0 (0%)	0
Steve Cossette	7	0 (0%)	0
Kamil PÃ¡ral	6	1 (17%)	0
Mr. Beedell, Jared Richard William	5	0 (0%)	0
Akira TAGOH	4	1 (25%)	0
Jeremy Linton	4	1 (25%)	0
lpavan at redhat.com	4	0 (0%)	0
Neal Gompa	4	0 (0%)	0
Adrian Vovk	3	0 (0%)	0
gav at gavworld.co.uk	3	0 (0%)	0
LaurenÈ›iu Nicola	3	0 (0%)	0
Matt Fagnani	3	0 (0%)	0
Osama Albahrani	3	0 (0%)	0
Than Ngo	3	0 (0%)	0
…and also 67 other reporters who created less than 3 reports each, but 76 reports combined!

Test period: Fedora 44 Beta – Fedora 44 Final release (2026-03-10 – 2026-04-28)
Contributors: 252
Bug reports submitted: 426

Name	Bug reports submitted¹	Excess reports²	Accepted blockers³
Davide Repetto	18	1 (6%)	0
Petr Sklenar	18	2 (11%)	0
Fabio Valentini	12	0 (0%)	0
Kamil PÃ¡ral	11	5 (45%)	1
Adam Williamson	10	0 (0%)	3
Ricardo Ramos	7	0 (0%)	0
Lukas Ruzicka	6	1 (17%)	1
Matt Fagnani	6	0 (0%)	0
Calum Chisholm	5	0 (0%)	0
lray+redhatbugzilla at mailbox.org	5	0 (0%)	0
Andrey Motoshkov	4	0 (0%)	0
Artem S. Tashkinov	4	1 (25%)	0
Brian Morrison	4	0 (0%)	0
Chang Qian	4	0 (0%)	0
Derek Enz	4	2 (50%)	0
Dominic	4	0 (0%)	0
iltis at posteo.de	4	0 (0%)	0
Jan Macku	4	0 (0%)	0
Jeremy Nickurak	4	0 (0%)	0
kxra at riseup.net	4	0 (0%)	0
Luke	4	0 (0%)	0
Mr. Beedell, Jared Richard William	4	0 (0%)	0
Steven Hollingsworth	4	0 (0%)	0
tk2345_ at outlook.com	3	0 (0%)	1
Alan Altmann	3	1 (33%)	0
anotheruser	3	0 (0%)	0
Cristian Ciupitu	3	0 (0%)	0
Eugene Mah	3	0 (0%)	0
Jonathan S.	3	0 (0%)	0
speedlemma at gmail.com	3	2 (67%)	0
Steve Cossette	3	0 (0%)	0
…and also 221 other reporters who created less than 3 reports each, but 252 reports combined!

¹ The total number of new bug reports (including “excess reports”). Reopened reports or reports with a changed version are not included, because it was not technically easy to retrieve those. This is one of the reasons why you shouldn’t take the numbers too seriously, but just as interesting and fun data.
² Excess reports are those that were closed as NOTABUG, WONTFIX, WORKSFORME, CANTFIX or INSUFFICIENT_DATA. Excess reports are not necessarily a bad thing, but they make for interesting statistics. Close manual inspection is required to separate valuable excess reports from those which are less valuable.
³ This only includes reports that were created by that particular user and accepted as blockers afterwards. The user might have proposed other people’s reports as blockers, but this is not reflected in this number.

Testing proposed updates

When software packages are updated in Fedora (bringing bug fixes and new features), they are not released to end users immediately. They first go to the updates-testing repository, where they undergo automated testing, and also await manual feedback from human testers. This feedback can be provided through Bodhi, either by using its web interface or CLI tools, see instructions. Alerting package maintainers by posting a negative feedback with a problem description can stop the update from reaching general audience and causing issues to all our users. Testing proposed updates is a simple, yet vital process for keeping Fedora releases of high quality during their whole lifecycle. It is used both for already stable and in-development Fedora releases.

Test period: Fedora 44 branch time – Fedora 44 Final release (2026-02-03 – 2026-04-28)
Contributors: 147
Updates commented¹: 1428

Name	Updates commented
Geraldo S. SimiÃ£o Kutz (geraldosimiao)	307
Filipe Rosset (filiperosset)	185
Eugene Mah (imabug)	98
Derek Enz (derekenz)	88
anotheruser	78
bojan	71
Ian Laurie (nixuser)	66
Kamil PÃ¡ral (kparal)	37
Neal Gompa (ngompa)	35
Fabio Valentini (decathorpe)	33
FrantiÅ¡ek Zatloukal (frantisekz)	31
Xariann Cat (xariann)	25
ramot	24
Cristian Ciupitu (ciupicri)	23
Ankur Sinha (ankursinha)	20
Adam Williamson (adamwill)	17
Alex Gurenko (agurenko)	15
Benjamin Beasley (music)	14
LukÃ¡Å¡ RÅ¯Å¾iÄ�ka (lruzicka)	11
Simon de Vlieger (supakeen)	9
Michel Lind (salimma)	9
brett h (bretth)	9
Dennis Gilmore (ausil)	8
Paul Whalen (pwhalen)	7
Wasser Mai (wasser19641)	7
Peter Robinson (pbrobinson)	7
Lukas Slebodnik (lslebodn)	7
Colin Thomson (g6avk)	6
Juha Uotila (inffy)	6
Steve Cossette (farchord)	5
markec	5
…and also 116 other testers who commented on less than 5 updates each, but 165 comments combined!

¹ If a person provides multiple comments to a single update, it is considered as a single comment. Karma value is not taken into account.

Test days participation

Test Days are events which are partly focused on testing Changes planned for an upcoming Fedora release, but they also regularly test important areas of the Fedora distribution, like upgrades, internationalization, graphical drivers, desktop environments, kernel updates, and others. The upcoming and past events can be seen in our Testdays app.

Test period: Fedora 44 branch time – Fedora 44 Final release
Contributors: 98
Test cases executed: 698

Name	Test cases executed
lpavan	42
mcrha	36
adriend	34
tagoh	27
pnemade	23
16levels	23
lruzicka	17
stransky	16
michal odehnal	16
pschindl	15
jgrulich	15
alciregi	15
psklenar	12
dkricka	12
jpb21	12
romangherta	12
royboy626	11
twinkle28	11
vhumpa	11
alangm1001	11
pyadav	10
rduda	10
paolojr	10
dtunma	10
bittin	9
pauloheaven	9
jgroman	8
derekenz	8
gornikfan	8
tdawson	8
vsembiba	8
mkasik	8
clnetbox	8
mzink	8

…and also 64 other testers who executed less than 8 updates each

We sincerely thank all contributors!

Are you also interested to help? Please look at our Fedora Quality homepage.

Tomas Tomecek: Deploying agents to OpenShift, again (part 2)

Thu, 14 May 2026 06:19:00 +0000

This is a follow-up to the previous article.

I find it so funny that I estimated the test deployment at 3 story points; at this point I’m at like 40 with the amount of work I put into this.

But thanks to Claude it’s pretty fast to diagnose and solve problems.

This time I even let it run oc commands, even oc rsh, but I never allowed commands that would change things or write to remote services. Everything stayed local.

Here comes Claude’s writeup.

Michael Catanzaro: Flatpak Sandbox Escape via Yelp

Mon, 11 May 2026 14:12:53 +0000

Yelp 49.1 fixes a significant Flatpak sandbox escape related to last year’s CVE-2025-3155. CVE assignment for this new issue is currently pending.

This is not a bug in Flatpak. Flatpak allows sandboxed applications to open URIs or files, meaning the sandboxed application may use a URI or file path to launch another application to open the URI or file. This is brokered via the OpenURI portal. The portal or the app may decide to require user interaction to decide which app to launch, but user interaction is generally not required. This is necessary: you would get pretty frustrated if you were prompted to select which app to use every time you click on a link or try to open something! Accordingly, unsandboxed applications that are installed on the host system are somewhat risky: any malicious sandboxed app may launch an unsandboxed app using a malicious file, generally with no user interaction required. Unsandboxed applications installed on the host OS are inherently part of the attack surface of the Flatpak sandbox.

In this case, a sandboxed application may launch Yelp to open a malicious help file. The help file can then exfiltrate arbitrary files from your host OS to a web server by using a CSS stylesheet embedded in an SVG. Suffice to say the attack is pretty clever, and certainly more impactful than the typical boring memory safety bugs I more commonly see.

This bug was discovered by Codean Labs, which performed a security audit of Flatpak and several GNOME projects thanks to generous sponsorship by the Sovereign Tech Resilience program of Germany’s Sovereign Tech Agency.

Tomas Tomecek: AI tools feel like heroin for productivity

Sun, 10 May 2026 06:00:00 +0000

This is my personal opinion and I’m going straight to the point, no intro.

AI assistants such as Claude Code, Cursor, OpenCode, OpenClaw, and others are so addictive for anyone who loves building things.

Software engineers are not going anywhere. Instead, we’re getting excavators and ditching our shovels.

I authored 192 commits this year (as of May 2026) without writing a single feature solely myself. I still edit files, but mostly out of convenience. If I need just one or two lines changed, it’s faster doing it myself than asking Claude.

I guess this was an intro ðŸ¤¦

Remi Collet: 🛡️ PHP version 8.2.31, 8.3.31, 8.4.21 and 8.5.6

Fri, 08 May 2026 05:52:00 +0000

RPMs of PHP version 8.5.6 are available in the remi-modular repository for Fedora â‰¥ 42 and Enterprise Linux â‰¥ 8 (RHEL, Alma, CentOS, Rocky...).

RPMs of PHP version 8.4.21 are available in the remi-modular repository for Fedora â‰¥ 42 and Enterprise Linux â‰¥ 8 (RHEL, Alma, CentOS, Rocky...).

RPMs of PHP version 8.3.31 are available in the remi-modular repository for Fedora â‰¥ 42 and Enterprise Linux â‰¥ 8 (RHEL, Alma, CentOS, Rocky...).

RPMs of PHP version 8.2.31 are available in the remi-modular repository for Fedora â‰¥ 42 and Enterprise Linux â‰¥ 8 (RHEL, Alma, CentOS, Rocky...).

â„¹ï¸� These versions are also available as Software Collections in the remi-safe repository.

â„¹ï¸� The packages are available for x86_64 and aarch64.

ğŸ›¡ï¸� These Versions fix 8 to 13 security bugs (CVE-2026-6735, CVE-2026-7259, CVE-2025-14179, CVE-2026-6722, CVE-2026-7261, CVE-2026-7262, CVE-2026-7568, CVE-2026-7258, CVE-2026-6104, CVE-2026-42371, CVE-2026-7263, CVE-2026-29078, CVE-2026-29079), so the update is strongly recommended.

Version announcements:

â„¹ï¸� Installation: Use the Configuration Wizard and choose your version and installation mode.

Replacement of default PHP by version 8.5 installation (simplest):

On Enterprise Linux (dnf 4)

dnf module switch-to php:remi-8.5/common

On Fedora (dnf 5)

dnf module reset php
dnf module enable php:remi-8.5
dnf update

Parallel installation of version 8.5 as Software Collection

yum install php85

Replacement of default PHP by version 8.4 installation (simplest):

On Enterprise Linux (dnf 4)

dnf module switch-to php:remi-8.4/common

On Fedora (dnf 5)

dnf module reset php
dnf module enable php:remi-8.4
dnf update

Parallel installation of version 8.4 as Software Collection

yum install php84

And soon in the official updates:

Fedora Rawhide now has PHP version 8.5.6
Fedora 44 - PHP 8.5.6
Fedora 43 - PHP 8.4.21
Fedora 42 - PHP 8.4.21

âš ï¸� To be noticed :

EL-10 RPMs are built using RHEL-10.1
EL-9 RPMs are built using RHEL-9.7
EL-8 RPMs are built using RHEL-8.10
intl extension now uses libicu74 (version 74.2)
mbstring extension (EL builds) now uses oniguruma5php (version 6.9.10, instead of the outdated system library)
oci8 extension now uses the RPM of Oracle Instant Client version 23.26 on x86_64 and aarch64
A lot of extensions are also available; see the PHP extensions RPM status (from PECL and other sources) page

â„¹ï¸� Information:

Base packages (php)

Software Collections (php83 / php84 / php85)

Stephen Gallagher: Sausage Factory: Fedora ELN Rebuild Strategy (2026 Edition)

Thu, 07 May 2026 18:03:40 +0000

The Rebuild Algorithm

Slow and Steady Wins the Race

The Fedora ELN SIG maintains a tool called ELNBuildSync (or EBS) which is responsible for monitoring traffic on the Fedora Messaging Bus and listening for Koji tagging events. When a package is tagged into Rawhide (meaning it has passed Fedora QA Gating and is headed to the official repositories), EBS checks whether it’s on the list of packages targeted for Fedora ELN or ELN Extras and enqueues it for the next batch of builds.

A batch begins when there are one or more enqueued builds and at least sixty wallclock seconds have passed since a build has been enqueued. This allows EBS to capture events such as a complete side-tag being merged into Rawhide at once; it will always rebuild those together in a batch. Once a batch begins, EBS stops accepting messages from the Fedora Messaging Bus. The messages remain enqueued and awaiting processing. When the current batch is complete, EBS will resume accepting messages and a new batch will begin.

The first thing that is done when processing a batch is to create a new side-tag derived from the ELN buildroot. Into the new target associated with this side-tag (which will be referred to as the “build tag” from now on), EBS will tag most¹ of the Rawhide builds. It will then wait until Koji has regenerated the buildroot for the batch tag before triggering the rebuild of the batched packages. This strategy avoids most of the ordering issues (particularly bootstrap loops) inherent in rebuilding a side-tag, because we can rely on the Rawhide builds having already succeeded.

Once the preparations are complete, we divide the batch up into one or more “batch slices”. The EBS configuration file contains information about certain packages that must be built and added to the buildroot before or after other packages. (Most packages will be part of the same primary slice, but some packages must be built early, such as llvm). EBS triggers all of the builds for a batch slice in the side-tag concurrently, sourcing the content from the git commit that was used to build the triggering Rawhide build. This is to ensure we are building the same content, in case dist-git has received subsequent changes. EBS monitors these builds for completion. Internally, we call these “rebuild attempts”.

Once all of the tasks in a rebuild attempt have completed (successfully or not), EBS will trigger another rebuild attempt of the failures. While a heavyweight solution, this helps us avoid failures due to infrastructure outages, flaky tests and bootstrapping issues not covered by the Rawhide build tagging. Rebuild attempts will continue to be initiated until the same number of failures occurs twice in a row. At that point, we assume they are legitimate build issues and we continue on.

Once all of the rebuild attempts have concluded, EBS moves on to the next slice in order until they have all completed, at which point, the next phase of operation begins: errata creation.

In earlier versions of ELNBuildSync, EBS would now tag all successful builds into the eln-updates-candidate tag and then remove the build tag. The effect of this would be to trigger Bodhi to generate an erratum for each individual package in the batch.

In modern versions of ELNBuildSync, it will now create a second² side-tag (call it the “errata tag”). EBS then tags all of the successful package builds from the batch into this new errata tag. This ensures that the tag contains only the new ELN builds and none of the Rawhide packages that were tagged into the build tag. From there, EBS talks to Bodhi via its public API and requests that a single Bodhi update erratum be created for all of the packages in this errata tag. This is done to reduce the load on Fedora QA, as the infrastructure there is far better equipped to deal with a single update of a few hundred packages than it is with a few hundred separate updates.

At this point, the batch is complete and EBS moves on to preparing another batch, if there are packages waiting.

History

In its first incarnation, ELNBuildSync (at the time known as DistroBuildSync) was very simplistic. It listened for tag events on Rawhide, checked them against its list and then triggered a build in the ELN target. Very quickly, the ELN SIG realized that this had significant limitations, particularly in the case of packages building in side-tags (which was becoming more common as the era of on-demand side-tags began). One of the main benefits of side-tags is the ability to rebuild packages that depend on one another in the proper order; this was lost in the BuildSync process and many times builds were happening out of order, resulting in packages with the same NVR as Rawhide but incorrectly built against older versions of their dependencies.

Initially, the ELN SIG tried to design a way to exactly mirror the build process in the side-tags, but that resulted in its own new set of problems. First of all, it would be very slow; the only way to guarantee that side-tags are built against the same version of their dependencies as the Rawhide version would be to perform all of those builds serially. Secondly, even determining the order of operations in a side-tag after it already happened turned out to be prohibitively difficult.

Instead, the ELN SIG recognized that the Fedora Rawhide packagers had already done the hardest part. Instead of trying to replicate their work in an overly-complicated manner, instead the tool would just take advantage of the existing builds. Now, prior to triggering a build for ELN, the tool would first tag the current Rawhide builds into ELN and wait for them to be added to the Koji buildroot. This solved about 90% of the problems in a generic manner without engineering an excessively complicated side-tag approach. Naturally, it wasn’t a perfect solution, but it got a lot further. (See below for “Why are some package not tagged into the batch side-tag?” for more details.

A more recent modification to this strategy came about as CentOS Stream 10 started to come into the picture. With the intent to bootstrap CS 10 initially from ELN, tagging Rawhide packages to the ELN tag suddenly became a problem, as CS 10 needs to use that tag event as its trigger. The solution here was not to tag Rawhide builds into Fedora ELN directly, but instead to create a new ELN side-tag target where we could tag them, build the ELN packages there and then tag the successful builds into ELN. As a result, CS 10 builds were only triggered on ELN successes.

In late 2025, Fedora QA came to the ELN SIG and requested that we find some way to reduce the number of individual errata we were generating, as when they attempted to turn on automated testing for ELN, the result was an overload and significant queuing around mass-rebuilds and other large batches. When it got to the point that the Standard Operating Procedure for mass-rebuilds included disabling all the tests for ELN, it became clear that changes were needed and EBS was modified to start directly requesting errata for all the builds in the batch instead.

Frequently Asked Questions

Why does it sometimes take a long time for my package to be rebuilt?

Not all batches are created equal. Sometimes, there will be an ongoing batch with one or more packages whose build takes a very long time to complete. (e.g. gcc, firefox, LibreOffice). This can lead to up to a day’s lag in even getting enqueued. Even if your package was part of the same batch, it will still wait for all packages in the batch to complete before the tag occurs.

As of this writing, we are currently investigating having certain extremely large packages built and tagged directly and without batching in order to shorten the average batch time.

Why do batches not run in parallel?

Simply put, until the previous batch is complete, there’s no way to know if a further batch relies on one or more changes from the previous batch. This is a problem we’re hoping might have a solution down the line, if it becomes possible to create “nested” side-tags (side-tags derived from another side-tag instead of a base tag). Today however, serialization is the only safe approach.

Why are some packages not tagged into the batch side-tag?

Some packages have known incompatibilities, such as libllvm and OCAML. The libraries produced in the ELN build and Rawhide build are API or ABI incompatible and therefore cannot be tagged in safely. We have to rely on the previous ELN version of the build in the buildroot.

Why do you not tag successes back into ELN immediately?

Despite the fact that we do not block ELN builds going to the stable repository based on test results, we do want to know about and address any issues revealed. Many packages are interdependent and it’s far simpler to test the result of all the builds collectively, once we know they have all been rebuilt.

There are certain packages that we exclude from this so that the Rawhide package is not used in the ELN buildroot; see the skip_tag section of the configuration file for the current set. ︎
In the case of very large batches (such as mass-rebuilds), the set of packages may be split into more than one Bodhi update, to avoid in overtaxing things. ︎

Richard Hughes: LVFS Sponsorship Announcement

Wed, 06 May 2026 12:13:21 +0000

Some great news: Iâ€™m pleased to announce that both Dell and Lenovo have agreed to be premier sponsors for the Linux Vendor Firmware Service (LVFS) as part of our new sustainability effort.

Over 145 million firmware updates have been deployed now, from over a hundred different vendors to millions of different Linux devices.
With the huge industry support from Lenovo and Dell (and our existing sponsors of Framework, OSFF, and of course both the Linux Foundation and Red Hat) we can build this ecosystem stronger and higher than before; we can continue the great work we’ve done long into the future.

Marcin 'hrw' Juszkiewicz: New Fedora package: fedora-active-user

Mon, 04 May 2026 06:37:00 +0000

During my work on the RISC-V 64-bit architecture port of Fedora, I created several pull requests to Fedora packages. And some were stalled…

Non-responsive maintainer process

Fedora project has a process called ‘non-responsive maintainer’. You check is maintainer on vacation, check latest activity and open a bug asking for action.

The problem was that it linked to fedora_active_user.py script which does not work since Fedora 41. During cycle of that release the python-fedora package got retired and no one updated the script.

Let me look

As my actions brought some complains (and some discussions) I decided to take a look at the script and make it work with current Fedora releases. Created pull request, mailed original author etc.

There was no answer of any kind so I decided to take over maintaining the script. Rewrote it to be Python 3 only, moved from urllib to requests, refactored some repeated code into functions etc.

Then started checking service by service how to get things working better. Turned out that script had several assumptions which not always apply.

FAS has separate email for Bugzilla

Fedora Accounts Service (FAS) has a separate field for the Bugzilla email. I did not had to look for testing accounts for this because that’s my case — I use ‘short’ Red Hat email in Bugzilla due to Single Sign-On (SSO) service we use and my ‘long’ one for the rest. So fedora-active-user script grabs user information from FAS and checks for separate Bugzilla email and use it if present.

FAS query requires Kerberos

To query FAS you need Kerberos ticket. Both urllib and requests packages have a way to use it for authentication — one extra package is needed to make it work.

Lack of valid ticket is caught and info is provided to the user.

Bugzilla is tricky

Querying Bugzilla service is the trickiest part. You can request data but there is no warranty that you get the latest one. Sure, there is the ‘order’ field for a query but it feels like a mere suggestion. It is nothing strange to get 2008 entries next to 2023 ones.

Wanna help?

For now, I am hosting fedora-active-user on GitHub. Will move it to Fedora Forge later this year. Feel free to open issues, send pull requests if you have suggestions or changes.

Current version is not the best one. It is a bit better than it was two weeks ago.

At the moment package is present in Fedora rawhide. I am waiting for branches for stable releases and updates will follow.

Example output

$ fedora-active-user --user hrw

Last action on koji:
   2026-05-04 built fedora-active-user-26.05.04-1.fc45
   2024-09-12 built python-system-calls-6.11.0-1.fc42
   2024-01-08 built python-system-calls-6.7.0-1.fc40
   2023-09-18 built python-system-calls-6.6.0-1.fc40
   2023-05-08 built python-system-calls-6.4.0-2.fc39
   2022-08-06 built python-system-calls-5.19.0-2.fc37
   2022-07-25 built python-system-calls-5.19.0-1.fc36
   2022-07-25 built python-system-calls-5.19.0-1.fc37
   2022-01-10 built python-system-calls-5.16.2-1.fc36
   2021-11-15 built python-system-calls-5.16.0-1.fc35

Last package updates on bodhi:
   2026-05-04 fedora-active-user-26.05.04-1.fc45
   2024-09-12 python-system-calls-6.11.0-1.fc42
   2024-01-08 python-system-calls-6.7.0-1.fc40
   2023-09-18 python-system-calls-6.6.0-1.fc40
   2023-05-08 python-system-calls-6.4.0-2.fc39
   2022-08-06 python-system-calls-5.19.0-2.fc37
   2022-07-25 python-system-calls-5.19.0-1.fc36
   2022-07-25 python-system-calls-5.19.0-1.fc37
   2022-01-10 python-system-calls-5.16.2-1.fc36
   2021-11-15 python-system-calls-5.16.0-1.fc35
   2021-11-15 python-system-calls-5.16.0-1.fc36
   2021-09-21 python-system-calls-5.15.5-1.fc36

Last actions performed according to fedmsg:
   2026-05-04 hrw commented on the pull-request rpms/prusa-slicer#67
   2026-05-04 hrw's Badges rank changed from 272 to 260
   2026-05-04 hrw was awarded the badge `Missed the Train`
   2026-05-04 hrw commented on update fedora-active-user-26.05.04-1.fc45 (karma: 0)
   2026-05-04 fedora-active-user-26.05.04-1.fc45 was tagged into f45 by bodhi
   2026-05-04 fedora-active-user-26.05.04-1.fc45 was untagged from f45-updates-candid
   2026-05-04 hrw's fedora-active-user-26.05.04-1.fc45 bodhi update has met stable te
   2026-05-04 fedora-active-user-26.05.04-1.fc45 was untagged from f45-updates-testin
   2026-05-04 fedora-active-user-26.05.04-1.fc45 was tagged into f45-updates-testing-
   2026-05-04 fedora-active-user-26.05.04-1.fc45 was untagged from f45-signing-pendin

Last emails on Fedora mailing lists:
   2026-04-29 mjuszkiewicz@redhat.com as Marcin Juszkiewicz mailed devel@lists.fedora
   2026-04-17 mjuszkiewicz@redhat.com as Marcin Juszkiewicz mailed devel@lists.fedora
   2026-04-17 mjuszkiewicz@redhat.com as Marcin Juszkiewicz mailed devel@lists.fedora
   2026-04-17 mjuszkiewicz@redhat.com as Marcin Juszkiewicz mailed devel@lists.fedora
   2026-04-17 mjuszkiewicz@redhat.com as Marcin Juszkiewicz mailed devel@lists.fedora
   2026-04-17 mjuszkiewicz@redhat.com as Marcin Juszkiewicz mailed devel@lists.fedora
   2026-04-17 mjuszkiewicz@redhat.com as Marcin Juszkiewicz mailed devel@lists.fedora
   2026-04-17 mjuszkiewicz@redhat.com as Marcin Juszkiewicz mailed devel@lists.fedora
   2026-04-17 mjuszkiewicz@redhat.com as Marcin Juszkiewicz mailed devel@lists.fedora
   2026-04-17 mjuszkiewicz@redhat.com as Marcin Juszkiewicz mailed devel@lists.fedora

Bugzilla activity (may not be the latest):
   No activity found on Bugzilla

Looks like I still need to work on querying Bugzilla ;D

Allan Day: GNOME Foundation Update, 2026-05-01

Fri, 01 May 2026 10:34:10 +0000

It’s the first day of May, and it’s time for another update on what’s been happening at the GNOME Foundation. It’s been two weeks since my last post, and this update covers highlights of what we’ve been doing since then.

Remembering Seth Nickell

This week we received the very sad news of the death of Seth Nickell. It’s been a long time since Seth was active in the GNOME project, so many of our members won’t be familiar with him or his work. However, Seth played an important part in GNOME’s history, and was a special and unique character.

Jonathan wrote a wonderful post about Seth, with some great stories. Federico migrated the memorial page from the old wiki to the handbook, and added Seth there (work is currently ongoing to develop that page). Seth’s death has also been covered by LWN, which includes dedications from GNOME contributors.

Whether you knew Seth or came to GNOME after his time, I think we can all appreciate the contributions that he made, which live on in the project and wider ecosystem to this day.

GNOME Fellowship

Applications for the first round of the new GNOME Fellowship program closed last week, on 20th April. We had a great response and received some excellent proposals, and now we have the tough job of deciding who is going to receive support through the program.

To that end, the Fellowship Committee met this week to review the proposals and begin the selection process. We have identified a shortlist of candidates, and will be meeting again next week to narrow the selection further.

Since this is the first round of the Fellowship, we are establishing the selection process as we go. Hopefully we’ll get to put this to use again in future Fellowship rounds!

Conferences

Linux App Summit (LAS) will be held in Berlin on 16-17 May – that’s in a little over two weeks! The schedule has been finalized and looks great, and this year’s LAS is shaping up to be a fantastic event. Please do consider going, and please do register!

Due to high demand, the organizing team have decided to stream the talks from this year, so look out for details about remote participation.

Aside from LAS, preparations for July’s GUADEC conference continue to be worked on. Travel sponsorship is still available if you need assistance in order to attend, so do consider applying for that.

Office transitions ongoing

Work to update many of our backoffice systems and processes has continued at a steady pace over the past fortnight. Many of the big moves are done (new payments system, email accounts, mailing system, accounting procedures, credit card platform), and we are now firmly in the final stages, making sure that our new address is used everywhere, emails are going to the right places, recurring payments are transferred over to new credit cards, and vendors are setup on the new payments system.

The value of this work is already showing, with smoother accounting procedures, more up to date finance reports, and better tracking of incoming queries.

That’s it for this update. Thanks for reading, and take care.

Felipe Borges: Let’s Welcome Our Google Summer of Code 2026 Contributors!

Thu, 30 Apr 2026 21:05:07 +0000

GNOME is once again participating in GSoC. This year, we have 6 contributors working on adding Debug Adapter Protocol support to GJS, incorporating vocab-style puzzles into GNOME Crosswords, creating a native GTK4/Rust rewrite of the Pitivi timeline ruler, porting gitg to GTK4, implementing app uninstallation in the GNOME Shell app grid, and enabling recovery from GPU resets.

As we onboard the contributors, we will be adding them to Planet GNOME, where you can get to know them better and follow their project updates.

GSoC is a great opportunity to welcome new people into our project. Please help them get started and make them feel at home in our community!

Special thanks to our community mentors, who are donating their time and energy to help welcome and guide our new contributors: Philip Chimento, Jonathan Blandford, Yatin, Alex Băluț, Alberto Fanjul, Adrian Vovk, Jonas Ådahl, and Robert Mader.

For more information, visit https://summerofcode.withgoogle.com/programs/2026/organizations/gnome-foundation

Daniel Pocock: (Trigger Warning) Jeremy Bicha & Debian-Edu, TecKids, Ubuntu incest scandal at DebConf25

Thu, 30 Apr 2026 11:30:00 +0000

Trigger warning: this is a report about how Debianism prefers abusers to those who consistently and compassionately helped victims of abuse.

Those who dare to look up the public court records about Jeremy Bicha have been shocked and in some cases unable to sleep after reading how he exploited every bodily orifice of his little sisters when they were six and nine years old. Yet I feel a possibility that Jeremy Bicha himself is now being exploited to make us feel shock and to soften us up for future revelations about unnamed oligarchs in the open source eco-system. There have been many falsified rumours about abuse over the years, such as the conspiracy against Dr Jacob Appelbaum. Whenever we get to the point that the leader of some so-called community really is put on trial for real abuse, the victims are unlikely to have suffered as extensively as Bicha's little sisters.

I didn't write and publish this report to start a lynching against Jeremy Bicha himself. He has confessed his crimes which is much more than can be said for other sex pests. The real reason for the report is to look at the decisions that organisations have made putting a registered sex offender on a pedestal but in the case of commercial rivals or people who made mistakes with pronouns, we are being censored and harassed by the oligarchs for the most mundane mistakes.

The BBC is in fresh trouble over their pre-existing knowledge of a scandal involving Scott Mills. It was a major story in the UK the week before Easter and then it disappeared. I suspect that sooner or later we will hear more details.

Almost every day there is a fresh news report about Jeffrey Epstein. During the trial of Ghislaine Maxwell, she told us her partner, Epstein, needed to be with a woman at least three times per day. People with children or teenage daughters will feel very uncomfortable about having these men around. Less than two percent of Debian Developers are female but at DebConf almost one in three participants is in the gay/transgender/Zizian set. In the wider population it is only one in ten people.

These people don't have children. They don't think about having children. They don't spend a lot of time thinking about the risks. Having a registered sex offender present at the after-party may be on the bucket list for some of these people. They are willing to risk other people's children and tarnish Debian's reputation so they can have something unusual at the after-party.

For people who do have children, they don't go to the DebConf orgy groups but they do stay up all night reading through reports like this to try and work out whether the risk is acceptable or not.

The Debian Suicide Cluster correlates with a culture of violence and humiliations. Coincidentally, rape and abuse are also about violence and humiliation. Adding a registered sex offender to the group only reinforces those existing Debian character traits when we need to be looking for the opposite, people who serve to neutralise those cultural defects.

News that a Registered Sex Offender(TM) was invited to speak at DebConf25 in France is not a random accident. Certain groups like Debianism have been overcome by fringe diversity movements. Over the years, we've seen the same people using their authority to humiliate fellow volunteers in much the same way that paedophiles humiliate children. Statistically, we can be certain there are similar men in the same group. Jeremy Bicha was the thin end of the wedge. By putting a known offender on a pedestal and claiming they are helping him, they are clearing a path for other more cunning characters to be given a platform.

The people who control Debianism mailing lists have a nasty habit of censoring any concerns about the phenomena. They believe everybody agrees with their worldview. They are living in a bubble. Sooner or later, there will be a person or an incident that is so bad that it is the end of Debian. Society at large simply doesn't accept some of the things these people do.

Moreover, certain companies would like to see Debian fail. They will give enough money to the diversity budget to create a scandal and then those companies will get out of the way as quickly as possible.

The Debian Social Contract tells us, in point three, We will not hide problems.

In the case of the registered sex offender invited to speak at DebConf25 in France, all discussion has been deliberately shut down. Video of the talk is not hosted with video of the other talks. People are scouring the official photo gallery to see if Jeremy Bicha was really there at all and who sat next to him.

This situation and the manner in which Debianists are hiding it reveals the real definiton of diversity and the real use of diversity funds.

Phil O'Donnell is a priest who quit and became a whistleblower. In his testimony to the state inquiry, he tells us:

This resulted in â€œJackâ€� ringing me in an extremely distressed state. His words on the phone were, â€œI think it would have been better to hear my mother had diedâ€�. He was a relatively early victim of [Fr Kevin] Oâ€™Donnell and his abuse was reported to the Cathedral in 1958. This allegation was investigated at the time by both the then Vicar-General, Laurie Moran, and the then Auxiliary Bishop of Melbourne, Arthur Fox. Nothing eventuated from this investigation.

A recent report from Lunduke has the title Fedora's Code of Conduct: 200 Day Response Time, Only Protects You if Red Hat Likes You.

In 1962, Stanley Kubrick released the controversial film Lolita.

Charles Manson was using women in his cult, the Manson Family, to murder people. He hoped that by committing these violent murders he could start riots, like the modern day phenomena of #MeToo mobs on social control media. On 9 August 1969, they killed the actress Sharon Tate, who was the wife of film director Roman Polanski.

Debian's Jeremy Bicha ordination has curious parallels to the mistakes made by the Catholic Church when handling real abuse complaints. In the 1960s, the wedding of my aunt was conducted by a bishop rather than an ordinary priest. Coincidentally, it was the same bishop mentioned above. As well as the missed opportunity to protect children from Fr Kevin O'Donnell, another court case revealed Bishop Arthur Fox was accused of ordaining at least one known paedophile, just as Debianists have now ordained a registered sex offender by telling everybody that he is a Debian Developer.

In the 1970s, Bishop Fox was the Bishop of Sale. On 3 July 1972, when he was in his early forties, Hourigan wrote to Bishop Fox asking that he be accepted to study for the priesthood. In the letter Hourigan set out what he said were two â€˜flies in the ointmentâ€™. The first related to an issue with Houriganâ€™s back, and is of little moment. The second was a disclosure (referred to by the judge as â€˜the disclosureâ€™) that on three separate occasions, occurring at two separate boarding schools in Papua New Guinea at which he was working, boys in his care who, he said, he had occasion to punish for misbehaviour, responded by complaining to a priest that he had treated them harshly and that he was a homosexual. A short time after the second and third complaints, Hourigan left the second boarding school and returned to Australia.

The implication is that Bishop Fox had personal knowledge of the disclosure and history of abuse before he ever ordained Fr Hourigan.

Between the 1960s and 1980s, groups were formed in various countries with their primary purpose being to lower or abolish the age of consent. In the USA, it was the North American Man/Boy Love Association (NAMBLA). In the UK, the Paedophile Information Exchange (PIE) was formed in 1974. The group recruited young law students keen to advocate for what they felt was a pressing human rights issue.

Britain's National Council for Civil Liberties (NCCL), known today as Liberty, had a very open attitude to memberships and affiliations. PIE and many other fringe groups became members of NCCL / Liberty and regularly attended the annual general meetings where they rubbed shoulders with lawyers and lobbyists from a range of different movements.

The Conversation tells us the British Communist Party was also affiliated with NCCL / Liberty. People have been scouring old copies of British tabloid newspapers to find evidence of similar diversity fringe groups promoting incest, canabalism and bestiality. NCCL / Liberty was not endorsing any of these groups and the PIE was no more or less special than any other diversity fringe group.

In the same era, Tom O'Carroll, leader of the PIE and Robert Lamb, father of Debian's future leader Chris Lamb both graduated from the University of Cambridge. Robert Lamb went to work for Roger Ellis QC at 13 King's Bench West (13KBW) Chambers.

The manner in which the paedophile advocacy groups participated in the NCCL / Liberty and the legal profession can be summarised by the expression I don't agree with what you say but I will defend to the death your right to say it.

As the saying goes, all good things must come to an end. By the 1980s, governments around the world had developed strategies to shut down and outlaw groups like PIE.

The eradication of these groups was significant because it forced the pro-abuse lobby to look for more discrete ways to achieve their unholy objectives. In other words, they have to join other groups like the Catholic Church and the Debian Project in the hope they will gain credibility, access to children or both.

Between 1977 and 1978, Roman Polanski, whose wife had been murdered by the Manson Family cult, was prosecuted for drugging and raping a 13-year-old girl. He fled America to live in France and evade a likely jail sentence. As he was born in France he can't be extradited to America. He continued his career in France and received numerous awards for his work. Many professionals in the movie industry have publicly indicated support for Polanski, despite the very serious crime he committed against a child.

Between 1978 and 1982, in another Catholic abuse situation where the victim agreed to waive anonymity, David Ridsdale was abused by his uncle, the priest Gerald Ridsdale. Under Australian law, when the uncle is found guilty of such an offence, their identity and their conviction can not be reported in the media as it would compromise the identity of the victim. Nonetheless, David Ridsdale waived his right to anonymity and so it could be reported that Gerald Ridsdale, who was the worst offender in the country, had even committed abuse against one of his own relatives.

Jeremy Bicha was born on 12 August 1984.

In 1988, Katharine (Kath) Thornton and Christian Porter participated in Australia's national high school debating team. The former alleges she was abused by the latter. She took her own life. He became the Attorney General. Federal Court judges published her accusations in full, bypassing Australia's strict defamation laws. Related: ABC News report.

The media originally obfuscated the name and face of the victim but it wasn't long before everybody knew. She had created the dossier, started a conversation with the police and then she committed suicide. Eventually the Federal Court judges decided to publish everything for the public to make up our own minds.

I selected those portions of the document to emphasize the striking similarities between Katharine Thornton's abuse report and the acts that Jeremy Bicha admitted inflicting on his sisters.

According to the summary of the complaint on the Manatee County Courthouse web site, the abuse occurred between 1995 and 1999, in other words, when Jeremy Bicha was only between eleven and fifteen years of age himself. One of his sisters was nine and another was only six when these horrible crimes took place.

In the court documents, Jeremy Bicha told prosecutors his parents were very strict and kept all the siblings together at home. In countries with urban sprawl and a car culture, which includes Australia, a teenage boy starting high school has no way to meet friends of the same age unless an adult is willing to drive him there and bring him back home. Europeans who live in apartments and terrace houses are much closer together. Therefore, people who haven't lived in urban sprawl can't fully appreciate the impact it has on childhood.

In 1997, Adrian Lyne produced a fresh version of the film Lolita.

Shortly after that, I was photographed in Australia's Parliament House, Canberra with Natasha Stott-Despoja. After leaving her job as a senator, Natasha was appointed as Australia's ambassador for women and girls. She was subsequently appointed to represent Australia on the UN CEDAW committee. CEDAW is the Convention on the Elimination of All Forms of Discrimination Against Women. The committee is one of the most influential international bodies concerned with the status and wellbeing of women. The photograph was taken during the same period of time where Jeremy Bicha admits abusing his little sisters.

In the early days of Debianism, many young teenage males were exploited. Ringleaders have been interchangeably presenting Debianism as a hobby, as a philosophical mission and as an activity that people undertake while being paid by an external employer like Freexian. Ringleaders pivot between these definitions of Debianism depending upon which definition is most convenient for the ringleaders themselves in any particular situation or dispute.

They used the appeal of a philosophical mission to recruit numerous teenagers, mostly boys in their mid-teens, who were starstruck by the names of companies like Pixar, where Bruce Perens worked. These teenagers didn't really appreciate the extent to which they were working alongside people who were being paid six-figure salaries to do similar tasks. I'm talking about Joel "Espy" Klecker, Shaya Potter and Chris Rutter. Klecker was doing this unpaid work while he was in bed dying of a terminal illness ( detailed report). Shaya Potter appears to be the first documented case of somebody expelled after he had already resigned. Chris Rutter even had servers for unpaid Debianism work installed at his high school. He was observed working long hours to meet his obligations to Debianists shortly before walking in front of a car. These may be the three most prominent teenagers in the early days of Debianism and it is disturbing to see that two died while one was subject to gaslighting and ostracized.

Here is a debian-private leaked message where the underage phenomena is mentioned explicitly:

Subject: Re: why I want the archives on me (was Re: spotter@debian.org)
Date: Tue, 17 Nov 1998 12:56:41 -0500
From: Shaya Potter <spotter@ymail.yu.edu>
To: joost@pc47.mpn.cp.philips.com
CC: debian-private@lists.debian.org

----- Original Message -----
From: <joost@pc47.mpn.cp.philips.com>

>
>On Tue, 17 Nov 1998, Shaya Potter wrote:
>
>> Now that this is out of the way, I'd like to publicly ask if I can have
an
>> archive of all the communication that went on in regard to me.
>
>Strictly speaking I tend to disagree that you or anybody has an a-priori
>right to know what is being said and told on debian-private.  It is simply
>a private list.  Things would be different if you were mentioned in a
>public list without being able to respond.  But that is in all aspects
>clearly not the current situation.

First, I never said I have a right.  In many ways I think i don't have a
right, or even if I did, I don't deserve it.  I don't think my statements
have implied that I believe I have a right to demand that it be given to me.

I do have a right to ask that it be done.  Debian has a right to say yes or
no.

>
>(Nevertheless, I think that it would be considerate to cc: you in
>any discussion that involves you in a very personal manner - this has
>IMHO until now hardly been the case though.)

It hasn't?  Than how did the decision to expell me come about?  Who told
people who made the decision what happened?  Was this all done in private
mail?

>
>If a non-subscriber of debian-private must share in the conversation on
>debian-private, then this should IMHO be done by adding that person to the
>clearly visible cc: line of the header of any messages to be "published."
>That way, it will be adequately clear that the correspondence leaves the
>realm of debian-private and thus everybody can conclude that normal
>confidentiality can not be expected.  AFAIK respect for the confidential
>nature of debian-private is a prerequisite for subscription to this list.

I would have respected the confidentiality, as I have made it known that I
don't want this to spread, as I am embarrased by my actions.

>
>Practically speaking, I disagree that the underlying case generally
>concerns you. What matters here is not who Shaya Potter personally is or
>what particularly Shaya Potter did. The discussion is about how issues
>like the one involving you relate to Debian.  This discussion does not
>involve you personally.

I don't want the entire discussion, I just want to see the parts that touch
on me personally.  I don't care for the rest, of what about underage
developers and the like....

>
>> I was told that it would not be a star chamber, and that I'd be cc'd in
>> on all the corrospondace.  That didn't occur.
>
>There was no "star chamber."  You have already been generously cc:'-ed.

I was?  The only cc:'s I ever got were in response to me starting a thread.
That implies to me, that acc. to what you were saying, that no discussion
on -private occured that I didn't start.  However, I know this not to be the
case, as before I was unsubscribed from -private, I saw a thread or 2
started that dealt with me.

>
>IMHO you do not have a right to be cc:-'ed on the _general_ discussion
>which does not particularly (personally) involve you.

never said I did.

>
>> Also, I really have no idea of what discussion went on, if mistruthes
>> were spread about the incident (as in reality, I'm the only one that
>> knows completely what happened, and no one really ever asked me for the
>> full story).
>
>If this worries you so much, then I seriously wonder why you did not
>immediately relate it to debian-private when the issue arose in the first
>place?

I did apologize on -private right away, however, I didn't want to spread
what I did.  I specifically told people that I would rather this not be
discussed on -private and have me showed the door quietly, and told never to
come back.  That didn't happen, it was discussed on -private.  I don't know
what was discussed in relation to me, so I want to be informed.

>
>Again, the discussion is not yours.  Again, you are not personally
>involved.  Your only "role" in the discussion is that you have created a
>precedent.  I thinks we can all agree that we would rather have had you
>not be a precedent case, but it happened.  I'm very sorry, but you'll
>have to blame yourself for that.

Trust me, I've blamed myself a lot for this.  If you seen any of my
corrospondance you would know this.  I don't blame anyone for my
predicament, but myself.

>Discussion on debian-private does not count as a statement from Debian.
>So there simply were no statements.  I'm not really in favor of making any
>strong or overly verbose statements either.  If there ever is to be a
>statement from Debian about an issue such as the current one involving
>Shaya, I think that person should be briefed thoroghly beforehand.

I'm not talking about a debian statement.  I don't want a public statement,
and I know a lot of people from debian don't want one either (though some
might).  What I meant by statements, was statements that individuals made,
that might be incorrect, or inacurate.

>Shaya, can you please just put this to a rest?  IMHO it is not very
>productive for anybody.  And please take it from me that you have no
>reason to be concerned that you have been in a "star chamber."

I am not worried about a star chamber, I would have prefered it in many
ways.  However, at least with a star chamber you usually get to see the case
presented against you, even though you don't have the ability to defend
yourself.  As I said many times, my case is indefensable, so that wouldn't
bother me.

Shaya

Joel "Espy" Klecker, Shaya Potter and Chris Rutter, due to their youth and inexperience, didn't realize what they were doing was work. They didn't realize it is normal to be paid.

We find exactly the same phenomena in the Jeremy Bicha abuse testimony. His sister tells us she was too young to know the words for what he was doing in her underpants.

It is scary how this type of paedophile and Debianism at large has exploited naivitÃ© to gain an unfair advantage over young victims.

In October 1999 the role of teenagers was back in the spotlight:

Subject: Debian Death March
Date: Thu, 7 Oct 1999 17:41:25 -0700 (PDT)
From: Jonathan Walther <krooger@debian.org>
To: debian-private@lists.debian.org

Guys.  Is Debian still the hippest, coolest, happeningest distribution
around, or are we a dinosaur lost in the forest?

The posts I've read on this list today reek of a Death March.

Yes, many of the Debian originals have moved on, retired, or fallen
quiescent.  Others of us have had sudden changes in our life; new jobs, loss
of jobs, loss of internet access, newborn infants, need to spend time with
spouses and loved ones.

Many of the rest have gotten tired.  The friends they joined this marvelous
big project with are no longer around...  The stress of mentoring up a new
generation of package maintainers, and hopefully core developers falls on
their already burdened shoulders, taking away from their time spent coding.

As social scientists know, the future is the children.  Or in our case, the
future is the teenage "hackers" getting their first computer, going in their
first irc chatroom, using their first nuker... and realizing there is
something far more interesting, constructive and beautiful beyond the raw
violence of their little world.  An ordered system of many parts, of many
people collaborating in peace, cooperating on a scale that they will take
for granted, because we have made it seem so natural, but which makes any
sane adult boggle at our achievement.

[ ... snip ... ]

In 1999, Red Hat made their Initial Public Offering (IPO) on the stock market. Debian Developers were invited to buy some of the shares but inexperienced investors, which includes the underage developers, were excluded by the manner in which the IPO was conducted.

Given that Debianism has the exploitation of youth in its DNA, it is really sad to see that a registered sex offender and various characters with similar tendencies were put up on a pedestal in the era of Chris Lamb.

In 2002, the Boston Globe's Spotlight team published their reports about the Catholic abuse crisis. The reports were not simply about the actions of individual paedophiles. The journalists went to great lengths to examine how the institution had ordained the wrong people and stonewalled victims. In the Debian harassment culture, we see much the same thing. People who ask questions are censored on the mailing lists. The leaders stonewall and refuse to answer questions or provide reports about the Debian suicide cluster and their knowledge of Jeremy Bicha's history.

In 2004, we had the first discussion about offering financial incentives to transgender people. It is an ethical and moral minefield:

Subject: Re: Nut-case of the day - Was: [Fwd: URGENT: This is potentially a threat to your and others personal security]
Date: Tue, 6 Jan 2004 12:53:33 -0700
From: Joel Baker <fenton@debian.org>
To: debian-private@lists.debian.org

On Tue, Jan 06, 2004 at 03:28:03PM +1100, Russell Coker wrote:
> On Tue, 6 Jan 2004 15:23, Joel Baker <fenton@debian.org> wrote:
> > I could probably arrange for Debian to have a TG developer, but somehow,
> > this doesn't seem like a primary qualification; we don't have quotas. :)
> 
> If they can code well or can be taught to code well then please get them in!
> 
> Especially if they have some skills at kernel coding.  I think that we could 
> do with having more skilled developers dealing with the kernel patch 
> packages.

What I didn't mention is that it would probably involve me bribing her to
deal with it; she doesn't find Debian to be quite worthwhile enough on its
own merits (she likes it, she just likes FreeBSD better, and has little
enough time to spare overall that short of someone making it worth giving
up what else she does, it isn't worth it).

This would be the primary reason she isn't already a DD, since the only
part of NM that would pose any issue at all is the wait (I can sign her
trivially, and passing the requirements is a no-brainer). But we don't
really need another developer not doing much most of the time, and I
have better uses of the money than paying her to work on it. :)
-- 
Joel Baker <fenton@debian.org>                                        ,''`.
Debian GNU/NetBSD(i386) porter                                       : :' :
                                                                     `. `'
				                                       `-

In 2006, Red Hat opened their main research site in Brno, a small city in the Czech Republic. The Czech Republic had joined the European Union (EU) in 2004. Thanks to the Freedom of Movement policy of EU countries, Red Hat could employ young male graduates from any other EU country and bring them to work in Brno without any uncertainty about residence permits and visas. Over the years, thousands of young and predominantly male engineers came to work for various multinational companies in this remote part of the Czech Republic. At the same time, young women from eastern European countries were all leaving small cities like Brno and either moving to the capital, Prague or moving to other cities like London, Paris and Berlin. These arrangements created a huge imbalance. Thousands of highly paid young single men found themselves competing for the very small group of women who decided not to leave. A lot of the companies started talking about the need for diversity programs. While nobody says it out loud, it looks like these programs are intended to increase the size of the dating pool in these offshore centers. Official statistics tell us that Brno has the highest suicide rate in the country.

When eastern European countries joined the EU, some of the western countries like Germany and France introduced a temporary delay on Freedom of Movement for workers. The delay didn't apply to Freedom of Movement for wives and girlfriends. This table shows us that workers from Czech Republic could go to the UK immediately after joining the EU in 2004 but they could not take jobs in France until 2008 or Germany until 2011. As a consequence, young women could use Freedom of movement to marry somebody in a rich country but many young men had to stay in the Czech Republic. The young men who remained found themselves in direct competition against the Red Hat workforce for the last girlfriends who remained in Brno.

During that period, I was living to the north of London near to Luton airport. Thousands of people from eastern Europe were arriving every day on the low cost airlines. It was fairly easy to distinguish the tourists from the people who were relocating. The people relocating under Freedom of Movement had typically purchased the maximum luggage allowance and arrived with their whole life in a suitcase that was so overloaded it looked like it was about to burst. In particular, a lot of the women who arrived like this were making the move alone with no safety net. Their plan was to get off the plane and find a room, a job and a husband. These are the women who the Red Hat employees in Brno missed out on.

During the Cold War, the UK, out of all the western countries, had developed a unique, mythical fairytale status in the minds of people from eastern European countries. This was captured in James Bond movies and John le CarrÃ© spy novels where the fictional women of eastern European communist countries spoke in glowing terms of the new lives they dreamed about having in London.

In January 2006, Raphael Hertzog infamously used the debian-devel-announce email list to promote a message about an external product, Ubuntu that not everybody is interested in. Andrew Suffield adapted the subject line of Hertzog's email to promote lesbians instead of Ubuntu. Some people speculate Suffield chose the word lesbian because it looks a little bit like the word Debian and there are a disproportionate number of LGBT people lurking in the mailing lists.

The original message has been censored but it is easy to find here in the Wayback Machine.

To: debian-devel-announce@lists.debian.org
Subject: For those who care about their packages in Ubuntu
From: Raphael Hertzog <hertzog@debian.org>
Date: Fri, 13 Jan 2006 23:35:24 +0100

Hello fellow Debian developers,

let me explain shortly why I'll speak of Ubuntu on a Debian announce
list. I know that many of you do not like the Canonical marketing saying
that "Ubuntu is contributing back" because the most visible official
contribution is scott's patch repository and that all other successful
collaboration has been made at the level of individual developers who are
"friendly to Debian" and not because Canonical's policy ask them to do
so.

[ ... snip ... ]

and Andrew Suffield:

To: debian-devel-announce@lists.debian.org
Subject: For those who care about lesbians
From: Andrew Suffield <asuffield@debian.org>
Date: Sat, 14 Jan 2006 15:00:40 +0000

Since this sort of thing is apparently okay nowadays, and I know that
a lot of you like looking at lesbians, I'd like to share this with
you:

http://www.flickr.com/photos/63978244@N00/81351129/in/photostream/

[And for the sarcasm-impaired: debian-devel-announce is for Debian
development, not anything that you (or any other group of people)
happen to be interested in. Don't post irrelevant stuff here. It would
be a real shame if the list had to be moderated because people can't
exercise good judgement. Anything sent here should be of interest to
an overwhelming majority of Debian developers, *at least* - if you're
using phrases like "for those who care about X", it belongs somewhere
else, like X-announce.]

-- 
  .''`.  ** Debian GNU/Linux ** | Andrew Suffield
 : :' :  http://www.debian.org/ |
 `. `'                          |
   `-             -><-          |

The message links to this image. It is off-topic but the content is not illegal in any western countries.

Excuse the pun, the tit-for-tat continued with even more messages based on the same subject line template:

Not long after that, in May 2006, DebConf6 took place in Mexico. One of the candidates in recent Debianism elections, Jonathan Walther (Ted), brought a local woman, Hilda, to the conference dinner. People quickly started the rumour that Hilda was a prostitute. Nonetheless, she was the local dentist. To this day, dozens of messages about the rumour are present online in various web sites and debian-private archives. ( more details about the rumours and DebConf6 fight).

To understand why there was so much gossip and aggression at the DebConf6 dinner, you need to look at who really slept with who and then read the story again. The leaked room list tells us that Holger was sleeping with Amaya. Amaya helped start the rumour and Holger is the one who ended up exerting physical pressure on the victim, Jonathan Walther (Ted). When people are sleeping together, they don't always behave rationally any more.

From: Joerg Jaspert <joerg@debconf.org>
To: rooms@debconf.org
Subject: Re: [Debconf-announce] Room allocation
In-Reply-To: <20060328120500.GA10651@localhost> (Margarita Manterola's message
        of "Tue, 28 Mar 2006 09:05:00 -0300")
Organization: Goliath-BBS

[ ... snip ... ]

>  * Who you would NOT like to share the room with.

I dont care that much who is in my room, as long as its not
Jonathan/Ted "krooger" Walther or Jeroen van Wolffelaar or Amaya.

[ ... snip ... ]

Date: Fri, 31 Mar 2006 17:39:37 +0200
From: Adeodato =?utf-8?B?U2ltw7M=?= <dato@net.com.org.es>
To: rooms@debconf.org
Cc: Holger Levsen <debian@layer-acht.org>,
        Jesus Climent <jesus.climent@hispalinux.es>,
        Amaya Rodrigo <amaya@debian.org>,
        Alberto =?utf-8?B?R29uesOhbGV6?= Iniesta <agi@inittab.org>,
        Marcela Tiznado <mtiznado@linux.org.ar>,
        Isaac Clerencia <isaac@debian.org>,
        Jacobo =?utf-8?Q?Tarr=C3=ADo?= Barreiro <jacobo@debian.org>,
        Javier Fernandez-Sanguino <jfs@computer.org>,
        Ana Beatriz Guerrero =?utf-8?B?TMOzcGV6?= <ana@ekaia.org>
Subject: Room preferences for a bunch of ~Spanish people

Hey marga!

  Some (mostly) Spanish people have been talking among us, and we'd like
  to share room at DebConf. We've thought that it'll be easier for you
  if we just write you one mail saying who we are, instead of each of us
  mailing you privately with our preferences. :)

  So, we'd like:

    - a 6-sized room for both DebCamp and DebConf (from 5th to the end)
    - a 4-sized room for DebConf only (from 13th to the end)

  The involved people (in order of arrival, all of them CC'ed) are:

    Holger Levsen <debian@layer-acht.org>
    Jesus Climent <jesus.climent@hispalinux.es>
    Amaya Rodrigo <amaya@debian.org>
    Alberto Gonz=C3=A1lez Iniesta <agi@inittab.org>
    Adeodato Sim=C3=B3 <dato@net.com.org.es>
    Marcela Tiznado <mtiznado@linux.org.ar>

    Isaac Clerencia <isaac@debian.org>
    Jacobo Tarr=C3=ADo Barreiro <jacobo@debian.org>
    Javier Fernandez-Sanguino <jfs@computer.org>
    Ana Beatriz Guerrero L=C3=B3pez <ana@ekaia.org>

  Thanks in advance,

From the DebConf8 room list:

In 2006, the GNOME people created the Outreach Program for Women (OPW), which was subsequently renamed to Outreachy. The program pays young female interns to associate with the developers. The women are not expected and not always trusted to do development work themselves. Many of the women were offered free trips to conferences all over the world.

By December 2006, the Debianists had admitted they need professional help from a psychiatrist or occupational therapist to deal with the toxic culture.

Subject: Total world domination through therapy and free software!
Date: Sun, 31 Dec 2006 13:25:08 +0100
From: Amaya <amaya@debian.org>
Organization: Debian - http://www.debian.org/
To: debian-private@lists.debian.org

Russell Coker wrote:
> True.  But we can only change some things and only in some areas.

Sure, we are just humans :)

> I will always have little sympathy for someone who complains bitterly
> about unfairness when by any objective metric they would be regarded
> as being in the most fortunate few percent of the world's population.

Yes, as in having clean tab water. Ack.

> Do you think it might be beneficial to have some group sessions at
> Deb-conf's to help us deal with these things?

I strongly believe in the group sauna effect :)

> Debian has a huge pile of money that is apparently not being spent,
> booking a good psychiatrist for a day for every DebConf would not make
> much of an impact on Debian finances and might have a good impact on
> productivity.

s/psychiatrist/therapist/ Maybe someone that is experienced in large voluntary communities could
give a talk, or workshop, or both.

It would be interesting to know wether anyone knows a person that could
help us this way. I could talk to some people if the idea doesn't look
stupid to the rest you the people reading this.

-- 
  Â·''`.             If I can't dance to it, it's not my revolution
 : :' :                                            -- Emma Goldman
 `. `'           Proudly running Debian GNU/Linux (unstable)
   `-     www.amayita.com  www.malapecora.com  www.chicasduras.com

In 2007, Jeremy Bicha joined the US Navy. The Navy is a very large organisation. The Navy recruited 37,000 personnel in the same year. They had no way to know about Jeremy Bicha's childhood.

By 2008, they were already talking about how they would recruit people's teenage children. This was well before the Debian pregnancy cluster started producing said children.

Subject: Re: [VAC] Going to the chapel ...
Date: Tue, 22 Jul 2008 16:12:29 +0200
From: Lionel Elie Mamane <lionel@mamane.lu>
To: debian-private@lists.debian.org

On Sat, Jun 28, 2008 at 03:29:27PM +1000, Russell Coker wrote:

> On Saturday 28 June 2008 14:32, Benjamin Seidenberg
> <benjamin@debian.org> wrote:

>> The question is, will we accept parental signatures on the GPG keys?

> Why wouldn't you accept a parental signature? (...)

> Advocacy however is a different matter.  We want advocates to not be
> excessively biased, and I'm sure that while growing up we have all
> seen adequate evidence of parents who think that their children are
> angels while everyone else knows the truth...

> Of course if a parent was to quietly encourage the NM people to keep
> their child in the queue for an extra year or two then I think we
> should accept such a recommendation.

I fail to see why this is obviously desirable; parents can also be
biased in the other direction, that is think their late teenage
children are like one-year olds that cannot cross the street without
their supervision.

--
Lionel

Around the same time, in June 2008, Jeffrey Epstein made a guilty plea on two charges in state court. He was sentenced to 18 months in a county jail, which is less onerous than a state prison. He was authorised to participate in a work release program whereby he could leave the prison for sixteen hours per day, six days per week. It is rumoured that he was unhappy with his probation officer and exploited political connections to have the probation officer moved elsewhere.

Jeffrey Epstein worked as a schoolteacher before getting into finance. Therefore, he is far more culpable than a twelve-year-old juvenile offender like Jeremy Bicha.

From 25 to 27 September 2009, Taiwan hosted the International Conference on Open Source. One of the Debian Account Managers, Joerg Jaspert, travelled there and brought an Asian woman, Pei-Hua Tseng, back to Germany to marry him. He admits that he was presenting himself as a Debian Developer at the conference:

"I first met my wife at the â€œInternational Conference on OpenSourceâ€� 2009 in Taiwan. So OpenSource, Debian and me being some tiny wheel in the system wasnâ€™t entirely news to her."

If any other random developer meets a woman at a conference they are insulted and told that relationships are a bad thing. Yet for the oligarchs representing Debian at events, it is open season on women. This relationship helped bootstrap the Debian pregnancy cluster.

In 2010, Jeremy Bicha's older sister went to Bob Jones university. The on-campus therapist gave her bad advice. The sister went to a more victim-oriented off-campus center, Julie Valentine Center. After counselling there, the victim and another sister, who is also a victim, reported the abuse to police.

US Navy investigators immediately questioned Jeremy Bicha. He admitted the allegations about his childhood are true. He was immediately terminated from Navy employment.

In August 2010, DebConf10 was in New York City. By this stage, we can see Debianism had well and truly adopted a cult lifestyle. A group of couples share rooms. They pretend we have no money while keeping it for themselves. They are pretending that bringing your wife is diversity.

On 15 August 2010, the night before Debian Day, the volunteer Frans Pop sent us his resignation / suicide note.

On 17 April 2011, the day that Carla and I got married, Adrian von Bidder-Senn died in Basel, Switzerland. People discussed it like a copycat suicide. This is a horrific thing to recall on your wedding anniversary each year.

Shortly after Adrian von Bidder-Senn died, his wife, Diana von Bidder-Senn sent an email revealing she was oblivious to what he was doing on his computer. In hindsight, we can see that both Adrian and Diana were tricked by Debianism in different ways:

Subject: Re: condolences for Adrian
Date: Mon, 25 Apr 2011 15:02:18 +0200
From: Diana von Bidder <diana@fortytwo.ch>
To: Stefano Zacchiroli <leader@debian.org>

Dear Stefano
Thank you for your wonderful mail! Yes Debian and people were very
important to Adrian. I was glad that he was not only sitting alone in
front of his computer but to know that there are people out there that
estimate him and are his friends even if most of you did not know each
other personally.
The way you describe him (empathy, calm, insight, ... - just the Adrian
I know) assures me on how good friends of Adrian are out there. And I
will always continue to think of this (in a good way!) when continuing
to use debian (which I became quite fond of because of Adrian). 
It's a pity that he couldn't go to Banja Luca anymore which he did so
much look forward to. Anyway, I wish you all the best and hope you
continue your good work.

- Diana

The family asked for donations to AMICA Schweiz, a charity that helps women abused during the conflict in the Balkan countries. People argued about it on debian-private.

Two hundred Swiss francs is a trivial sum compared to the $120,000 given to lawyers and WIPO UDRP to stop people talking about the deaths.

Subject: Re: Death of Adrian von Bidder
Date: Thu, 21 Apr 2011 08:56:04 +0200
From: Andreas Tille <andreas@an3as.eu>
To: debian-private@lists.debian.org

Hi,

I admit that e-mails about emotions tend to be turned into flames
and I do not want this here.

On Thu, Apr 21, 2011 at 07:24:59AM +0200, martin f krafft wrote:
> I suggest that we donate 200 CHF from the project (price of a nice
> wreath with writing). If there are other donators, please get in
> touch with me.

The donators of the Debian project intend to spend money for the
development of the Debian project.  If we spend Debian money for a
wreath (or any form of replacement donation) this is not related to the
development of Debian.  It is rather *us* *people* who say goodby to
a friend.  So the money should not come from project funds but rather
from single developers.

Saying this I would like to vote against spending Debian money but
rather doing a separate collection.  I could live with some kind of "de
facto" collection like this:  I will ask for Debian money for DebConf.
In case Debian project money is really spended for Adrian's funeral I'd
simply ask for 10Euro less than I would have done otherwise.

Please do not get me wrong: I'm in any case for showing that the Debian
community is sad about the dead of Adrian.  But I'm not convinced that
this purpose is in the interest of our donators and it finally comes
quite cheap for us individuals to simply spend Debian money.

Kind regards

       Andreas.

-- 
http://fam-tille.de

In December 2011, Martin Krafft describes Debianism itself as a teenage culture. His fingers get a mention in the email signature:

Subject: Mooing solves everything
Date: Wed, 7 Dec 2011 22:14:13 +0100
From: martin f krafft <madduck@debian.org>
Reply-To: madduck@debian.org
Organization: The Debian project
To: debian private list <debian-private@lists.debian.org>

[Writing to -private with Reply-To set, because this is clearly
a classified topic]

We know about super cow powers and swallowed elephants, and the
power of the Mooing.

What I want to do is collect cow-related stories of relevance to our
project, to prevent an inside joke from dying as Debian prepares to
exit teenagehood.

So, please hit me. What does Debian have to do with mooing?

-- 
 .''`.   martin f. krafft <madduck@d.o>      Related projects:
: :'  :  proud Debian developer               http://debiansystem.info
`. `'`   http://people.debian.org/~madduck    http://vcs-pkg.org
  `-  Debian - when you have better things to do than fixing systems
 on the other hand, you have different fingers.

At the same time, in December 2011, a young transgender straight out of an elite French high school was given a paid job in a student-run Internet Service Provider, the CR@NS network at ENS Cachan. One of the older students, Debian Developer Nicolas Dandrimont, was dating this vulnerable young person at the same time as paying them and trying to help them get Outreachy money. Recall the original discussion about offering money for transgender participation many years prior. Offering these people moral support may be acceptable but offering large sums of "diversity" money at a point when they are unsure of their identity appears to be highly unethical.

On 31 March 2012, Jeremy Bicha requested to be authorised as a Debian Maintainer. His request received advocacies from Jordi Mallach and Martin Pitt.

Subject: DM application of Jeremy Bicha
Date: Fri, 30 Mar 2012 18:58:41 -0400
From: Jeremy Bicha <jbicha@ubuntu.com>
To: debian-newmaint@lists.debian.org
CC: Jordi Mallach <jordi@debian.org>, Michael Biebl <biebl@debian.org>,
Sebastien Bacher <seb128@debian.org>, Martin Pitt <mpitt@debian.org>

This is my declaration of intent to become a Debian Maintainer
<URL:http://wiki.debian.org/DebianMaintainer>.

I have read the Social Contract, Debian Free Software Guidelines and
Debian Machine Usage Policy and agree with all of them.

Currently, I maintain the package kabikaboo
and I coâ€�maintain the GNOME packages with the Debian GNOME Team.

My GnuPG key EBFE6C7D is signed by the Debian Developer Andres Mejia.

I look forward to becoming a Debian Maintainer. Thanks for your attention.

Jeremy Bicha

-- 
To UNSUBSCRIBE, email to debian-newmaint-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact
listmaster@lists.debian.org
Archive: http://lists.debian.org/4F763AA1.1050503@ubuntu.com

The first advocacy:

Subject: Re: DM application of Jeremy Bicha
Date: Sat, 31 Mar 2012 10:58:40 +0200
From: Jordi Mallach <jordi@canonical.com>
Organization: SinDominio
To: Jeremy Bicha <jbicha@ubuntu.com>
CC: debian-newmaint@lists.debian.org, Michael Biebl <biebl@debian.org>, Sebastien Bacher <seb128@debian.org>, Martin Pitt <mpitt@debian.org>

Hello!

On Fri, Mar 30, 2012 at 06:58:41PM -0400, Jeremy Bicha wrote:
> This is my declaration of intent to become a Debian Maintainer
> <URL:http://wiki.debian.org/DebianMaintainer>.
> 
> I have read the Social Contract, Debian Free Software Guidelines and
> Debian Machine Usage Policy and agree with all of them.
> 
> Currently, I maintain the package kabikaboo
> and I coâ€�maintain the GNOME packages with the Debian GNOME Team.
> 
> My GnuPG key EBFE6C7D is signed by the Debian Developer Andres Mejia.
> 
> I look forward to becoming a Debian Maintainer. Thanks for your attention.

I've been silently waiting for this email to hit my inbox for some time
now, and I'm very, very happy Jeremy has taken this step forward.

Jeremy is an Ubuntu member and is very involved, as far as I can tell, in
Ubuntu Core packaging. For a long time, though, he has been working with
the Debian GNOME team, which helps us reduce the delta with Ubuntu, get
new blood in the team (something that's really appreciated) and generally
have another voice to discuss Debianâ†�â†’Ubuntu matters wrt GNOME.

Jeremy is part of our team, and it's only natural he becomes (at least!) a
Debian Maintainer.

Jordi
-- 
Jordi Mallach PÃ©rez  --  Debian developer     http://www.debian.org/
jordi@sindominio.net     jordi@debian.org     http://www.sindominio.net/
GnuPG public key information available at http://oskuro.net/

The second advocacy:

Subject: Re: DM application of Jeremy Bicha
Date: Tue, 3 Apr 2012 07:24:13 +0200
From: Martin Pitt <mpitt@debian.org>
To: Jeremy Bicha <jbicha@ubuntu.com>
CC: debian-newmaint@lists.debian.org, Jordi Mallach <jordi@debian.org>, Michael Biebl <biebl@debian.org>, Sebastien Bacher <seb128@debian.org>

Hello Jeremy,

Jeremy Bicha [2012-03-30 18:58 -0400]:
> This is my declaration of intent to become a Debian Maintainer
> <URL:http://wiki.debian.org/DebianMaintainer>.
> 
> I have read the Social Contract, Debian Free Software Guidelines and
> Debian Machine Usage Policy and agree with all of them.
> 
> Currently, I maintain the package kabikaboo
> and I coâ€�maintain the GNOME packages with the Debian GNOME Team.

I've seen your great activity in both Debian's and Ubuntu's GNOME
team. You have demonstrated the ability to deal with nontrivial
packaging situations, a sustained enthusiasm and dedication, and good
collaboration with upstream as well. I fully support your application
for DM, thanks!

Martin
-- 
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)

On 15 May 2012, minutes of the GNOME Foundation tell us that Jeremy Bicha was one of six people given voting rights in the foundation. Many open source developers have never had the right to vote in any of these incorporated bodies. It appears that Jeremy Bicha was able to renew his membership and thereby maintain this status even during his subsequent prison term.

On 4 June 2012, Jeremy Bicha became part of the Masters of the Universe (MOTU) group in Ubuntu.

In April 2013, the Debianists decided to start offering money to young women under the disguise of Outreach Program for Women (OPW), which was later renamed to Outreachy. The Debian constitution explicitly says that contributors must be volunteers. Therefore, the payments to these young women are illegal under the constitution and may be illegal in other ways too.

...

3.2. Composition and appointment

Developers are volunteers who agree to further the aims of the Project insofar as they participate in it, and who maintain package(s) for the Project or do other work which the Project Leader's Delegate(s) consider worthwhile.
...

Here is one of the early advertising banners promoting the illegal payment of $4,500. The GNOME Foundation logo is on the woman's foot. It is an uncanny coincidence the logo strongly hints at the unison of male and female genitalia:

In July 2013, I publicly resigned from the Australian Labor Party (ALP) due to abuse of female asylum seekers from Iran. In the resignation email, which was leaked to Australian political news site Crikey, I compared the scandal to the Catholic abuse scandal. I think this may be the first time my name was on the public record as a supporter of victims. This was well before the Spotlight movie and the #MeToo phenomena, therefore, it can't be suggested that those latter revelations influenced the strong words used in my resignation in 2013.

In September 2013, Jeremy Bicha was convicted and sentenced to three years in a state prison. The state prison is a far more onerous punishment than the county jail where Jeffrey Epstein was briefly incarcerated. The duration of Jeremy Bicha's sentence is double the 18 month sentence imposed on Epstein.

At the sentencing, Bicha's defence lawyer asked the judge not to put his name on the list of registered sex offenders. This is a controversial topic. The police have also asked the judges not to automatically put every criminal like this on the list. The more pragmatic police commanders want these lists of registered sex offenders used for those pathological predators who never truly change their ways. Looking at the allegations against Bicha, he personally stopped offending at 15, during his childhood and there is no evidence he is committing similar crimes as an adult. To put it another way, if a child goes missing, the local police want to be looking at a list of the top twenty lifetime sex offenders who are dangerous enough to deserve a house call. If the police are confronted with a list of over a thousand registered sex offenders in their district they have no way to know which of those people to visit first.

In October 2013, WORLD published a report about the case with an emphasis on the failure of adults, including the parents, a pastor and a schoolteacher who all failed to help the sisters during their childhood.

The story was syndicated widely and an extract containing Bicha's name is on the Bishop-Accountability.org web site.

In Australia and other countries, the media is normally prohibited from publishing the names of juvenile offenders. In a way, the young boys are considered victims of their parents' failures. On that basis, they have a right to privacy equivalent to the rights of the abuse victims. Nonetheless, this type of restriction doesn't appear to be applicable in the United States. Nonetheless, if the local pastor and schoolteacher were not part of the story, it is unlikely the newspapers would publish the story at all.

In November 2013, Paul Tagliamonte sent the following message to the leaked debian-private email list. It concerns a young woman who applied for the OPW / Outreachy money. Why are these men always thinking about the age-of-consent when women are mentioned?

 
Subject: Re: OPW Student in Kingston, Jamaica
Date: Mon, 25 Nov 2013 13:39:12 -0500
From: Paul Tagliamonte <paultag@debian.org>
To: Joachim Breitner <nomeata@debian.org>
CC: debian-private@lists.debian.org

On Mon, Nov 25, 2013 at 06:37:36PM +0000, Joachim Breitner wrote:
> Hi,
> 
> Am Montag, den 25.11.2013, 13:18 -0500 schrieb Paul Tagliamonte:
> > She's got a PhD, so I think this could also be a good beersigning, if
> > she drinks.
> 
> not having a PhD yet I wonder what expects me: Will I be a better
> drinker after I get the degree? Or a better keysigner? /me is confused.

It simply means she's likely of age in her jurisdiction. All I was
saying is that she's not a high school student.

Cheers,
  Paul

-- 
 .''`.  Paul Tagliamonte <paultag@debian.org>
: :'  : Proud Debian Developer
`. `'`  4096R / 8F04 9AD8 2C92 066C 7352  D28A 7B58 5B30 807C 2A87
 `-     http://people.debian.org/~paultag

On 16 January 2014, this appeared in a discussion about bug report 735031 (censorship):

Subject: Re: Bug#735031: lists.debian.org: arbitrary bans
Date: Thu, 16 Jan 2014 11:44:29 -0500
From: Yaroslav Halchenko <debian@onerussian.com>
To: debian-private@lists.debian.org

On Thu, 16 Jan 2014, Antoine BeauprÃ© wrote:
> >> If you believe such language is acceptable, and within social norms,
> >> and you are sure you would be unhappy in a community which rejects
> >> these things, may I gently suggest you find another community?

> > is, to my mind, much ruder and more offensive than anything in either
> > Norbert Preining's message or the cited messages of Jordon Bedwell.

> No, it is not. Norbert took the liberty of comparing people to Pol
> Pot. Jordon made sexist comments about "teenage girls" or calling people
> "asses".

I once (after being with the project for many years) have been called a
"random guy" by another respectful DD, while I was trying to improve the
state of one of the packages in the archive.  I was offended, probably
even more than those teenage girls in a single random technical thread.

Should I also have sought him being banned?  I do not think so.

IMHO the balance here is too fragile, and excessive abstraction away
from the technical merits could IMHO hurt the project more than to help
our community (which is like a homeland and many other social entities
to me).

Just my 1cent
-- 
Yaroslav O. Halchenko, Ph.D.
http://neuro.debian.net http://www.pymvpa.org http://www.fail2ban.org
Senior Research Associate,     Psychological and Brain Sciences Dept.
Dartmouth College, 419 Moore Hall, Hinman Box 6207, Hanover, NH 03755
Phone: +1 (603) 646-9834                       Fax: +1 (603) 646-1419
WWW:   http://www.linkedin.com/in/yarik

In April 2014, Manatee Glens Rape Crisis Center organised a march and the sister, Jennifer (Jen) Bicha gave a speech. News report about the march.

Around the same time, the GRACE web site published a report by Jennifer Bicha under the heading Sexually Assaulted in a Christian Home. They highlighted the following quote:

The next time you defend a predator and say, â€™Oh, he was just a child,â€™ remember the faces of the innocent little ones whose childhood was stolen.

I have mixed feelings about that. It was not "just a child". As the judge told us, it was the child and the negligent adults together who left Jennifer Bicha to suffer this torture. Many other legal cases have made similar conclusions, including one high profile case where they recently decided parents were guilty when their child engaged in a schoolyard shooting spree.

On 3-4 May 2014, the first OSCAL conference took place in Tirana, Albania. ( Fedora wiki page). Photos released by the conference organizers suggest over eighty percent of the participants were young women. In every other country, we would normally see the gender statistics reversed. In Albania various theories have appeared about why large numbers of women came to these events. Some of the women have ended up moving to the city of Brno in the Czech Republic.

On 13 July 2014, Italian newspaper La Repubblica publishes a report about an interview between Pope Francis and editor Eugenio Scalfari. The late Pope Francis allegedly told Eugenio Scalfari that his own advisors have suggested that two percent is an accurate estimate of the number of priests who are paedophiles. He deplores their behaviour but on the other hand he insists it is no higher than the percentage of paedophiles in any other profession.

"Among the 2% who are paedophiles are priests, bishops and cardinals. Others, more numerous, know but keep quiet. They punish without giving the reason,"

"I find this state of affairs intolerable,"

The comment about punishments resonates with many of the Debianism scandals over the years.

Likewise, the two percent estimate can be applied to large free software organisations like Debianism and the FSFE misfits. These groups typically have a few hundred core participants and a few thousand loosely affiliated contributors. In the recent Debianism election, a thousand people were registered to vote. Two percent of that is twenty paedophiles.

Jennifer Bicha, sister of Jeremy Bicha, had sought help from an on-campus therapist and the support she received was very poor. The campus, Bob Jones University, undertook an investigation, culminating in the GRACE report. WYFF News interviewed Jennifer Bicha about her experience with Bob Jones University and other supports she had reached out to. She is also on Youtube for those who are geoblocked. The focus of these news reports is not really Jeremy Bicha himself but the failure to support victims. Nonetheless, Jeremy Bicha was regularly in news reports due to these wider circumstances. Therefore, it is shameful that he has come into GNOME, Ubuntu & Debianism without anybody having a public discussion about risk to victims.

The same news network published a detailed article on their web site.

Jennifer Bicha spoke at a fundraising event for the Julie Valentine Rape Crisis Center. This lead to another news report in Greenville Online. ( alternative link). Jeremy Bicha's name is not mentioned in this report.

In August 2015, according to reports from the high-profile hush-money trial, Donald Trump, his lawyer Michael Cohen and National Enquirer editor David Pecker had a meeting and agreed on a catch-and-kill plan. It was alleged that if any woman tried to sell a story about Donald Trump, Pecker would buy exclusive rights to the story and then keep the story hidden until after the election. Similar plots have been created in open source software communities. Debianists created the "anti-harassment" team. Fedora has a "Community Team". These teams pretend to listen to complaints. If a woman ever makes a complaint about one of the oligarchs or the men employed by the controlling corporations then the story is covered up. The woman who made the complaint will receive a polite response but she will not be invited to any more events. The same theme emerged in the Harvey Weinsten saga. Harvey Weinsten's team was afraid some women posed a risk. They told other movie producers to avoid the women and lock them out of the industry. Eventually, Lord of the Rings director Peter Jackson admitted he had excluded some actresses after receiving Harvey Weinsten's warnings to avoid them. This is the same phenomena described by Lunduke in his report Fedora's Code of Conduct: 200 Day Response Time, Only Protects You if Red Hat Likes You.

In November 2015, the movie Spotlight was released in cinemas. It is a biographical film based on the 2002 Spotlight investigation that exposed the phenomena of clerical abuse in Boston. A lot of Catholics and people from other religions have watched the film. In one of the key scenes in the movie, they discuss the research of Richard Sipe, who suggests that two percent of men in the general population are paedophiles but the rate in the Catholic abuse context is alleged to be six percent. Many people have speculated whether or not the figure is true and whether the church is really responsible for it or whether it is some factor out of their control.

There are approximately one thousand developers in Debianism today. If two percent are paedophiles that would be twenty men. We only know the identity of one, Jeremy Bicha. Who are the other nineteen? We have evidence about Elio Qoshi's underage girlfriend but in that case, Qoshi is not a Debian Developer so he is not in the same group for statistical purposes.

Looking at the culture of Debianism, it has some awkward similarities to the Catholic abuse crisis. Therefore, we need to consider the possibility that the percentage of Debian Developers who are paedophiles, like the percentage of priests, may be above the two percent average for the population. If six percent of Debian Developers are paedophiles, that is sixty paedophiles.

On 12 March 2016, Jeremy Bicha was released from prison under supervision / parole until 11 March 2021.

Three months later, there was a hysterical fuss about Dr Jacob Appelbaum. The registered sex offender was welcomed, despite a real conviction for real abuse, while Dr Jacob Appelbaum was punished for no other reason than gossip in social control media.

Subject: Jacob Appelbaum and harrassement
Date: Wed, 15 Jun 2016 13:48:53 +0200
From: Mehdi Dogguy <leader@debian.org>
To: debian-private@lists.debian.org

Hi all,

Jacob Appelbaum is currently facing some serious accusations in other
communities, and DAMs are aware of at least two Debian Developers who
have lived and have witnessed situations that are a clear case for
worry.

[ ... snip defamation crap ... ]

None of the emails really tells us what is a "clear case for worry", to this day, it is still not clear at all.

In contrast, the accusations against Jeremy Bicha were very clear. He is accused of abusing his little sisters and at least two other victims. He admitted these accusations too.

Notice it is a lot like the vendetta against Ted Walther from DebConf6. He never committed any crime but after somebody spread a rumour that his female friend was a prostitute, it took barely one hour for the whole conference dinner to turn against him and erupt into violence.

In both the case of Ted Walther (2006) and Dr Jacob Appelbaum (2016), the rogue Debianists have been far too arrogant to admit the rumours were falsified and give these men and their families the apology they deserve. Yet they are asking us to ignore the very real abuse convictions against Jeremy Bicha and welcome him with open arms.

In April 2017, Chris Lamb was elected for the first time as the leader of Debianism. One week later, the Fellowship elected me as their representative to the FSFE misfits in Berlin. From this point on, Chris Lamb appeared to be jealous and resentful that another Debian Developer was in a leadership position in the community. Today, we see a similar rivalry between the US President Donald Trump and the other American head of state, Pope Leo from Chicago. When women had complaints about certain oligarchs, they had a choice between going to Chris Lamb or telling me about it in my capacity as Fellowship representative. Women were coming to me with evidence about problems in the community. Some of the large corporations would have preferred to see those women reporting problems through channels controlled by the corporations.

On 11 May 2017, while on parole, Jeremy Bicha submitted an application to become a Debian Developer. The email advocacies are available online.

To: Jeremy Bicha <jbicha@ubuntu.com>
Cc: debian-newmaint@lists.debian.org, nm@debian.org, archive-184@nm.debian.org
Subject: Re: Jeremy Bicha: Declaration of intent
From: Andreas Henriksson <andreas@fatal.se>
Date: Fri, 12 May 2017 08:55:11 +0200

Hello!

I have personally worked with Jeremy Bicha <jbicha@ubuntu.com> in the
pkg-gnome team where he has been an outstanding contributor for a
sufficiently long time and I know jbicha having full unsupervised
unrestricted upload access to the archive would benefit us in the
team and likely also Debian as a whole on an even wider scale
than before.
I'm aware Jeremy is also very active in Ubuntu and GNOME upstream.
I find it that Jeremy is very good at interacting with upstream as
well as avoiding/resolving conflict or disagreeing opinions, which
means he has atleast two skills that I think we should have more
people like in Debian.

For any AM tasked to question Jeremy I would say you can skip
any regular packaging related questions. If you want to give
him some challange you might want to focus on a more complicated
philosophical question or ask him specifically about Debian
infrastructure and procedures related to those (as he mainly
uploads to Ubuntu and AFAIK has only very limited usaged his
DM privilegies because of the pkg-gnome streamlined sponsorship
workflow).

But to be frank, please consider just fast-forwarding jbicha through
the entire process because any potential knowledge-gap he might
have I'm more than sure we can discuss and handle those within
the pkg-gnome team which has many very experienced DDs that would
happily assist jbicha if needed.

Regards,
Andreas Henriksson

Here is the other advocacy:

To: debian-newmaint@lists.debian.org
Cc: Jeremy Bicha <jbicha@ubuntu.com>, nm@debian.org, archive-184@nm.debian.org
Subject: Jeremy Bicha: Advocate
From: Gianfranco Costamagna <locutusofborg@debian.org>
Date: Fri, 12 May 2017 09:25:12 -0000

I support Jeremy Bicha <jbicha@ubuntu.com>'s request to become Debian Developer, uploading.
I have worked with Jeremy Bicha for quite some time, even if I sponsored just a few packages for him (in Debian).

His work is excellent, he really cares about keeping is packages in a good shape, he cares about transitions and he is quick in reacting when problems are found.

Debian will benefit a lot from his work.

I have personally worked with Jeremy Bicha <jbicha@ubuntu.com> (key 4D0BE12F0E4776D8AACE9696E66C775AEBFE6C7D) for X time,
and I know Jeremy Bicha can be trusted to be a full member of Debian, and have unsupervised, unrestricted upload rights, right now.  

Thanks Jeremy for finally starting the process!

Gianfranco

Those are very positive things to write about somebody who has just been released from prison on parole.

Andreas Henriksson does not reveal his employer details or affiliation with Ubuntu, Canonical or GNOME. Gianfranco Costamagna reveals he works for Datalogic. They are based in the city of Bologna, Italy, the same city where Enrico Zini is located. Did Gianfranco Costamagna exercise any personal connections with Enrico Zini to have the Debian Account Managers approve the registered sex offender while he was still on parole?

On the weekend of 13 and 14 May 2017, the fourth OSCAL conference took place in Tirana, Albania. A girl of fifteen or sixteen years of age created an online profile for herself in the Discourse forum software used by the Albanian Open Labs group. We subsequently learnt this was the girlfriend of Elio Qoshi, one of the Albanian ringleaders.

Justin Flory, an employee of UNICEF who is closely affiliated with Red Hat, was pictured lying on the ground with Elio Qoshi at his feet.

Chris Lamb, then leader of Debianism, was pictured at the Red Hat table alongside Elio Qoshi.

At exactly the same time they are processing Jeremy Bicha's ordination as a Debian Developer, we saw Dominik George going through exactly the same process. Messages about Dominik George explicitly refer to children:

To: Dominik George <nik@naturalnet.de>
Cc: debian-newmaint@lists.debian.org, nm@debian.org, archive-175@nm.debian.org
Subject: Re: Dominik George: Declaration of intent
From: Holger Levsen <holger@layer-acht.org>
Date: Mon, 15 May 2017 14:09:15 +0000

Hi,

sorry for the delay in writing thisâ€¦!

On Mon, Apr 24, 2017 at 06:54:13PM -0000, Dominik George wrote:
> I would like to apply to change my status in Debian to Debian Developer, uploading.

yay, this is pretty good news for Debian and for Debian Edu and probably a
bunch of others! :-)

I've met Dominik the first time for "real" (*) at the Debian Edu gathering
in Oslo in December 2016 where I could see him working & discussing and also
learned a few things he does outside Debian, which also involves computers,
kids & schools.

(*) we've briefly bumped into each other before and said hi or so :)
    http://layer-acht.org/thinking/blog/20161221-debian-edu-sprint-in-oslo/
    shows him wearing a DebConf15 t-shirt, so you might met him too ;)

Not related to Debian, but very much showing his dedications,
is that he is involved in another project with kids + young adults, which 
in the last years brought 20-30 young adults to the chaos communication congress:
https://www.teckids.org/hacknfun_2016_xmas.htm

The technical discussions we had in Oslo, plus the ones I've seen on IRC,
plus the questions he had and the attitudes he showed make me believe that
Dominik will be a great DD and contributor to our project and beyond! 

I cannot fully vouch for him technically, as we work on different areas in 
Debian Edu and I've only reviewed bits of his work, but I'm confident he'll
manage NM well! So I'm much looking forward to him becoming a DD!

-- 
cheers,
	Holger

On 29 May 2017, Jonathan Wiltshire of the Debian Account Managers team writes:

I will progress this application and assign an application manager shortly, but the key issues need to be resolved before the application can be finalised. Please work with your AM on that.

Where he writes "key issues", he is referring to issues with the PGP key. There is no reference to the abuse.

On 7 June 2017, Jeremy Bicha became a Core Dev in the world of Ubuntu.

On 8 August 2017, the Application Manager, Gunnar Wolf, who is also one of the Debian keyring managers, wrote the following:

Subject: Jeremy Bicha: Application Manager report
Date: Tue, 08 Aug 2017 21:09:52 -0000
From: Gunnar Wolf <gwolf@gwolf.org>
To: debian-newmaint@lists.debian.org
CC: Jeremy Bicha <jbicha@ubuntu.com>, archive-184@nm.debian.org,
nm@debian.org

I have reviewed Jeremy Bicha's answers for the NM process, and am more
than satisfied by them. I have also been approached in DebConf by his
team mates, who very strongly recommended him as a DD. I am of the
opinion the project will win quite a bit having him as a full DD with
unimpended upload rights.

Gunnar Wolf (via nm.debian.org)
-- 
https://nm.debian.org/process/184

People are cheering him on:

Subject: Re: Jeremy Bicha: Application Manager report
Date: Tue, 8 Aug 2017 18:17:15 -0400
From: Andrew Shadura <andrew@shadura.me>
To: debian-newmaint@lists.debian.org
CC: Gunnar Wolf <gwolf@gwolf.org>, Jeremy Bicha <jbicha@ubuntu.com>

On 8 August 2017 at 17:09, Gunnar Wolf <gwolf@gwolf.org> wrote:
> I have reviewed Jeremy Bicha's answers for the NM process, and am more
> than satisfied by them. I have also been approached in DebConf by his
> team mates, who very strongly recommended him as a DD. I am of the
> opinion the project will win quite a bit having him as a full DD with
> unimpended upload rights.

Yay! Congrats! :)

-- 
Cheers,
  Andrew

From 14 to 18 July 2017, the Digital-Born Media Carnival was held in Kotor, Montenegro. Some of the women from open source software groups in Kosovo and Albania attended. Kotor is an ancient seaside village without any modern high-rise tourist accommodation. Visitors stay in bed and breakfast accommodation or holiday houses. On the last night of the carnival, there was a party by the waterside. The next morning, as we were departing, I saw one of the Albanian women coming out of a holiday house that had been rented by a group of men from another country. There was a bit of hand-holding and a kiss goodbye. Every time the woman is selected for an internship or a conference speaking opportunity, over and above every other woman in the community, I remember that last day in Kotor.

If you are involved in a sports club and you observe somebody had a one night stand with another member you might not feel any need to mention it or cause embarassment. However, open source software hobbyists are claiming to be a model of integrity, merit and security. Social engineering attacks are often rated as the biggest risk to modern organisations and their IT systems.

Shortly after that, the Open Labs non-profit in Albania had their birthday party in the hackerspace. At least two underage people were there and at least one of the other women identified them to me. Separately, women had told me that the youngest girl was dating the co-founder of the group Elio Qoshi. They told me a lot of things about Elio Qoshi, I observed some of those things with my own eyes and I observed written evidence in requests for travel funding that confirmed what the women had told me in person. Eighty percent of the group were female but a lot of the money did not go into the non-profit bank account. The money was managed by an accountant but there were rumours that the same accountant was also managing the bank accounts for Elio Qoshi consulting company. The women on the committee had never seen a balance sheet or a profit & loss statement for the non-profit entity.

In September 2017, they promoted an event called FOSSCamp. Instead of organising it in Albania, they decided to organise it in a more expensive destination, Greece and they asked bigger organisations to pay the travel expenses for a group of people, many of them who were simultaneously members of the non-profit but also employees of Elio Qoshi's commercial enterprise. Questioning them about the event budget, we reached the point where Elio Qoshi admitted that one of the amounts charged to the bigger organisations like Debian was really a payment for his effort organising the event. The women who collaborated on the organisation did not receive any equivalent payment. Yet each woman was asked to send a request to Debian, Mozilla, Wikimedia and maybe other organisations asking for diversity funds to pay the bus fares, ferry tickets, accommodation and management fee.

In the photos from the conference in May 2017, we could see over twenty young female students participating. Yet women told me that access to the trip to Greece was more tightly controlled. Women needed to get permission to join this trip.

Various people noticed that two or three men were acting as gatekeepers and rationing funding and travel opportunities for all the women. Chris Lamb and I were both warned that something dishonest was happening. I asked questions but Lamb didn't want to spoil whatever was going on there.

Here is an example where one of the men is giving one of the women, Anisa Kuci, permission to go on the trip to Greece:

Subject: Re: Debian at FOSScamp - funding request
Date: Sun, 13 Aug 2017 19:01:58 +0300 (EEST)
From: Giannis Konstantinidis <giannis@konstantinidis.cc>
To: Chris Lamb <lamby@debian.org>, Silva Arapi <silva.arapi@gmail.com>
CC: leader@debian.org, treasurer@debian.ch, auditor@debian.org,
daniel@pocock.pro, Redon Skikuli <redon@skikuli.com>, ping@anisakuci.com

Hey everyone,
just wish to inform you that unfortunately, due to unforeseen external
factors, I won't be able to make it. I'd like to thank the Debian
community for the generous support. We will stay in touch.

To make sure Debian makes the maximum possible impact at FOSSCamp, I'd
like to sugggest Anisa Kuci (cc'ed ) takes my place. Anisa has been a
longtime experienced member of Open Labs Hackerspace, co-organized OSCAL
and is very much interested in further contributing to Debian.

Thanks once more. I wish the best success to Debian and your
participation FOSSCamp.

Kind regards,
-Giannis K.

Something was not right about this. It is clear that Chris Lamb, as the leader of Debianism, had been informed about it since this moment in time or earlier.

Some women see this type of thing as a sport and they actively seek to join organisations where they can take shortcuts. Other women were attracted by the promise of an educational or philosophical project, they contributed their time and skill helping one or two events in Albania and then discovered that to qualify for a trip abroad, they had to do the same things the girlfriends were willing to do. Some of the women felt even more strongly about this, as it impacts their professional relationships and job searching, they feel the male gatekeepers are blackmailing them for sex.

On 9 August 2017, looking at process 184 for Jeremy Bicha in the New Maintainer portal, we can see the process was frozen for review at the last minute. Yet this freeze was unblocked again less than three days later by Jonathan Wiltshire of the Debian Account Managers.

On 12 August 2017, minutes after the process was unfrozen, Jonathan McDowell added Jeremy Bicha's key to the Debian keyring.

In September 2017, Jeremy Bicha introduced himself on the debian-private (leaked) gossip network. He stated he is from Florida and presented himself as a victim of a woman called Irma (the hurricane):

Subject: 	Re: Irma
Date: 	Sun, 10 Sep 2017 13:52:08 -0400
From: 	Jeremy Bicha <jbicha@debian.org>
To: 	debian-private@lists.debian.org

On Sep 8, 2017 15:55, "Jeremy Bicha" <jbicha@debian.org> wrote:

    I intend to follow-up on this list on Monday to let you know I'm ok.


Monday is probably too optimistic because of widespread power outages, but I'll check in when I can.

Jeremy Bicha

On 20 September 2017, Elio Qoshi publishes a blog post about resigning as a Fedora Ambassador. Other volunteers did not receive any warning from Red Hat about Elio Qoshi's underage girlfriend and the complaints from other women.

On 12 October 2017 I sent Mozilla a protected whistleblower complaint about the harassment and underage issues. The date is 12 October 2017 so the misfits publishing alternative statements about harassment with dates later than this are lying. I have redacted the section that identifies underage victims. There were a series of interactions with Mozilla about the scandal. I was a witness and Elio Qoshi was clearly the suspect.

Subject: Open Labs / Tirana issues
Date: Thu, 12 Oct 2017 18:15:17 +0200
From: Daniel Pocock <daniel@pocock.pro>
To: Larissa Shapiro <lshapiro@mozilla.com>
CC: Kristi Progri <kristi@kristiprogri.com>

Hi Larissa,

I understand you have received some feedback about issues in Tirana

I was there from 27 September - 5 October and observed some of the
troublesome behavior and the impact on people like Kristi.

The behavior towards Kristi and some of the other women is wrong.  I can
also see a danger that challenging the people or their behavior may
split the Open Labs group.  Nonetheless, I suggested to Kristi and Anisa
that they should put their own wellbeing first.

I sent a funding request to the Outreachy organizers to sponsor Kristi's
trip to Prishtina where she gave a talk at our Mini DebConf.  When I
mentioned this funding in the hackerspace, Redon queried this quite
strongly.  I don't feel it is any of his business though if I want to
recommend somebody for funding.  The following day, Kristi told me that
Redon had called her and shouted at her.  The shouting was apparently
witnessed by other women in the hackerspace with Redon.  I reported the fact there are problems in the Debian anti-harassment process.

Various people told me that travel sponsorship should be "shared" and
this attitude seems to be connected with Redon's behavior.

I've told Kristi that she did nothing wrong and did not deserve to be
shouted at.

Another problem that occurred to me is that one person who received

Mozilla travel funding, [ .. redacted ..], is 16 years old and is not
legally an adult.

[ .. redacted .. ]

Regards,

Daniel

The discussion continued. The underage risk was acknowledged on the Mozilla side:

Subject: Re: Open Labs / Tirana issues
Date: Fri, 13 Oct 2017 23:12:14 +0200
From: Daniel Pocock <daniel@pocock.pro>
To: Emma Irwin <eirwin@mozilla.com>, Larissa Shapiro <lshapiro@mozilla.com>
CC: Kristi Progri <kristi@kristiprogri.com>

[ .. redacted .. ]

> I can comment on under-aged contributors - we do have those from time to
> time, and usually on trips at least parents or chaperon are required.
> 

Having underage contributors is not an issue itself and I have no
objection to that.

The issue arises when other groups or businesses align themselves with
local Mozilla groups and seek to benefit from those contributors.  I'm
not sure how to deal with that risk completely but there are probably
some things Mozilla could do in that area.

Regards,

Daniel

The discussion about underage continued in more emails:

Subject: Re: Open Labs / Tirana issues
Date: Sat, 14 Oct 2017 08:27:24 +0200
From: Daniel Pocock <daniel@pocock.pro>
To: Larissa Shapiro <lshapiro@mozilla.com>, Emma Irwin <eirwin@mozilla.com>
CC: Kristi Progri <kristi@kristiprogri.com>

On 14/10/17 01:51, Larissa Shapiro wrote:
> I'm not sure, but I can seek legal advice on this matter. In my view,
> there is the potential there for other organizations to take advantage
> of these kids.
> 

Even if there is no legal problem (in some countries the laws are very
weak), there is also a risk to the reputation of Mozilla and free
software in general.

I wonder if there are other organizations concerned with children's
safety who can help free software organizations develop a reasonable
approach to this risk?

I realize no organization can stamp this out 100%, but there may also be
some little things that can be done to help reduce risk.  E.g. maybe
when Mozilla funds travel, requiring the parents to fill out a chaperon
form that must be submitted with receipts, so Mozilla gets the parent's
contact details and the parents see some child safety text on the form.
Somebody trustworthy could sporadically contact parents and the underage
contributors to sniff out any hints of trouble.

Regards,

Daniel

A few weeks later...

Subject: 	Re: Open Labs / Tirana issues
Date: 	Wed, 20 Dec 2017 09:19:39 -0800
From: 	Emma Irwin <eirwin@mozilla.com>
To: 	Daniel Pocock <daniel@pocock.pro>

Hi Daniel,

Would you be willing to talk to Marta (HR Investigator) and myself about Redon & Elio and your experiences and what you have witnessed?

Thank you

Having informed at least three other organisations who funded this racket, including Debian and Mozilla, my conscience is clean. Nobody can accuse me of protecting an abuser.

On 25 February 2018, Jeremy Bicha submits an advocacy for another Ubuntu developer, Tim Lunn to become a Debian Developer:

Subject: Tim Lunn: Advocate
Date: Sun, 25 Feb 2018 15:07:40 -0000
From: Jeremy Bicha <jbicha@debian.org>
To: debian-newmaint@lists.debian.org
CC: Tim Lunn <tim@feathertop.org>, archive-455@nm.debian.org

For https://nm.debian.org/process/455/ on 25 February 2018 :
I support Tim Lunn <tim@feathertop.org>'s request to become Debian
Maintainer.

I first started working with Tim in 2012 on packaging for the Ubuntu GNOME
project. Without Tim, Ubuntu GNOME would not have survived.

Tim and I have been interested for a while in reducing the diff and
duplication of work between Debian and Ubuntu with GNOME packages. Tim
getting upload rights to these packages will help with this goal and will
help make Debian GNOME better for our users.

I have personally worked with Tim Lunn <tim@feathertop.org>
(key 0E0880479A6F1063372395275B39C0A1153ACABA) for several years, and I
know Tim Lunn can be trusted to have upload rights for their own packages,
right now.

Thanks,
Jeremy Bicha

Tim Lunn's page on the Ubuntu wiki suggests he is from Australia. We will find out later about his proximity to a murder trial.

In early March 2018, I posted a message in the Albanian open labs forum asking why some of the money from the non-profit Open Labs group was being diverted to a private company, Ura Design, controlled by Elio Qoshi. I had observed the women were doing all the work for free in the non-profit association but some of the men were getting financial benefits out of that work.

The Albanian ringleader Elio Qoshi admits complaining to Chris Lamb, leader of Debianism, to help cover up the conflicts of interest. In fact, the relationship between Open Labs and Ura Design was analogous to the relationship between Debian and Freexian. Although in this case, it was worse, because there was also the underage problem. Would the leader of Debianism put the protection of an Albanian pimp with an underage girlfriend ahead of the work done by a real Debian Developer?

Subject: 	[English] FOSScamp 2017 @ Syros, Greece
Date: 	Mon, 05 Mar 2018 12:16:45 +0000
From: 	Elio Qoshi <info@openlabs.cc>
Reply-To: 	Open Labs Hackerspace Forum <forum+ecf37220dfcc7e2ec1a56392b7b00781@openlabs.cc>
To: 	daniel@pocock.pro

[ ... snip ... ]

I will try to keep this short but Iâ€™m not sure how much I will succeed in that, as this will definitely be the last reply from my side here. I have reached out to the Debian Project Leader to close this issue once and for all.

[ ... snip ... ]

On 5 March 2018 I wrote to women from Albania asking them to share copies of evidence about Elio Qoshi hurting and exploiting women. The Debianism leader Chris Lamb immediately barged in with the comments:

Subject: Re: "free travel"
Date: Mon, 05 Mar 2018 16:40:00 +0000
From: Chris Lamb 
To: Daniel Pocock , Anisa KuÃ§i 
CC: leader@debian.org, larjona@debian.org, antiharassment@debian.org

[Adding antiharrassment to CC]

Daniel Pocock wrote:

> If Elio or anybody else has made any other comments like this on the 
> private members channel or Telegram and you want to discuss them with me 

[..]

Anisa, please feel to drop Daniel from any replies you wish to make, if
you even wish to do so.

(Daniel, thank you for your concern but we have got it from this point
onwards. There will be no need for you to reply further on this thread.)

Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-

This is the catch-and-kill strategy that had been described earlier. When women had a story about Donald Trump, they were encouraged to give the story to the National Enquirer and not talk to anybody else. What we see is the leader of Debianism knew about Elio Qoshi and he didn't want me, as the Fellowship representative, making an independent assessment of the underage scandal.

In the Catholic abuse crisis many senior cardinals and bishops are alleged to have known about abuse and failed to protect people. In the specific case of Gerald Ridsdale described earlier, one of the victims, his nephew David Ridsdale told the Royal Commission that the late Cardinal George Pell had offered him a bribe for silence. The woman corresponding with Chris Lamb and I was Anisa Kuci. She was given a series of free trips around the world, internships and eventually a job at GNOME.

Chris Lamb was observed to be close to Neil McGovern who was the Executive Director of GNOME in that era. Are we to believe neither of those men knew that a member of the Debian GNOME packaging team was a registered sex offender being put onto the Debianism keyring during Chris Lamb's tenure as leader?

At the time of that exchange, Anisa Kuci ignored Chris Lamb's condescending words and replied in full:

Subject: 	Re: "free travel"
Date: 	Mon, 5 Mar 2018 23:51:28 +0100
From: 	Anisa Kuci <anisakuci9@gmail.com>
To: 	larjona@debian.org
CC: 	Chris Lamb <lamby@debian.org>, Daniel Pocock <daniel@pocock.pro>,
leader@debian.org, antiharassment@debian.org

Hello Chris, Daniel, Laura,

Thank you very much for being so supportive.

I read the comments on the thread and to be honest I am really sad that
Elio [Qoshi] said that. It is not true at all.

They (Elio [Qoshi] & Redon) pretend to support women but on the other hand their
behavior towards many of us shows the opposite.

Daniel I feel bad because you have encouraged and helped not only me,
but so many other people, no matter if they are Open Labs members or
not, and also all the attendees from Kosova to learn new things, to work
and improve their skills and knowledge. They are doubting your good
intentions just to remove the attention from the shady things that they
are doing.

The free travel comment is really offensive to me and i feel it should
be offensive to every woman who is part of the community.
I have been contributing and supporting Open Labs since its early days,
and I have put a lot of effort and time, I do this because I believe in
what it is meant to stand for and without waiting something in exchange,
but the situation lately has been not very positive. Daniel has been
present by chance in few cases where situations have been very hard to
go through.

I would definitely like to talk to any of you and tell you more about
everything that is happening here, its fine to me whether it is a video
call, call or just emails.
Please tell me what would be more convenient to you.

King greetings,
Anisa

On 17 March 2018, Jeremy Bicha pushes an update to hyperkitty and it includes collaboration with Jonas Meurer and Pierre-Elliott BÃ©cue. The latter was an employee of ANSSI, the French government's agency for cybersecurity. Did BÃ©cue realize Jeremy Bicha was on parole or was he blinded by all the fanfare about diversity?

Subject: [ubuntu/bionic-proposed] hyperkitty 1.1.4-4 (Accepted)
From: Jeremy Bicha <jeremy@bicha.net>
Date: Sat Mar 17 17:49:53 UTC 2018

hyperkitty (1.1.4-4) unstable; urgency=medium

  [ Jonas Meurer ]
  * d/control:
    - Don't recommend mailman3, recommend mailman3-web instead.

  [ Pierre-Elliott BÃ©cue ]
  * d/rules:
    - Remove the embedded fonts that are in other packages. Same for
      bootstrap.js{,.min}
    - Add upstream's changelog to the package
    - Move django's static files in /usr/share/python-django-hyperkitty
  * d/control:
    - Add dependency on the font/js packages required by the rules change
  * wrap-and-sort
  * Add d/s/lintian-overrides to give intel on the current python3 missing
    package status.

Date: 2018-03-17 04:30:11.786430+00:00
Signed-By: Jeremy Bicha <jeremy@bicha.net>
https://launchpad.net/ubuntu/+source/hyperkitty/1.1.4-4

In April 2018, according to a report in Business Insider, there was a meeting between IBM's CEO Ginni Rometty and Jim Whitehurst, who was CEO of Red Hat. This lunch has been identified as the moment both companies were put on the trajectory for a merger.

In May 2018, immediately after that lunch, the FSFE misfits modified their constitution to remove the elections for Fellowship representatives. I was the last person elected as a Fellowship representative before the democracy was trashed. The FSFE misfits count Google and Red Hat as significant sponsors and they didn't want the Fellows to have a voice if that voice may not be identical to the voice of the corporate overlords.

In June 2018, the women from Albania were offered sponsorship for travel to DebConf18 in Taiwan. For the cost of transporting one woman from Albania to Taiwan, you could transport five women from countries that are much closer in south-east Asia.

When male interns are offered the same sponsorship funds to attend DebConf, they are asked to pay for the flights themselves and then wait until after the conference to get reimbursement. There are examples of email from male interns still waiting for their money three or four months after the conference. The women from Albania told the Debianists somebody has to buy the tickets for them, in advance. Martin Michlmayr, the treasurer, did just that:

Subject: Re: [rt.debian.org #7328] DebConf travel pre-payment requests
From: Martin Michlmayr
Time: Fri Jun 29 08:56:42 2018

* Hector Oron [2018-06-28 10:55]:
> I added Martin to the list, he'll be taking care of flight ticket
> purchase if you send him flight details.

This has been taken care of.

--
Martin Michlmayr
https://www.cyrius.com/

Here is an example from a male intern who was waiting for payment long after DebConf15 finished:

Subject: Re: [Soc-coordination] DebConf travel / GSoC student payments?
Date: Wed, 25 Nov 2015 00:25:18 +0530
From: Komal Sukhani <komaldsukhani@gmail.com>
To: Michael Schultheiss <schultmc@spi-inc.org>
CC: treasurer@spi-inc.org, soc-coordination@lists.alioth.debian.org

Hi Michael,

I still don't got the DebConf travel reimbursement. Have you made the payment?

Sorry for trouble.

On Mon, Nov 2, 2015 at 9:54 AM, Michael Schultheiss <mailto:schultmc@spi-inc.org> wrote:

    Apologies for the delays in payments. I should have the payments processed this week and payments shoud be received in approximately 1-2 weeks.

Pictures appeared during the conference showing us Lior Kaplan from Israel with his arm around a young woman. This is the same woman who had her ticket purchased in advance.

In July 2018 Enrico Zini gave a talk titled "Multiple People" at DebConf18 in Taiwan. There have been a series of these talks over the years where these men seek out introverted young male developers who lack confidence. Remember the case of the young French transgender recruited straight out of high school. This slide appears to be telling us that paedophiles and registered sex offenders are welcome:

Spectrum (Enrico Zini)

Every color is ok.

Think about who you are,
not about who you should be.

In July 2018, Debianists were having a discussion about whether the weboob package should remain in Debian or be removed. Here is one of the private emails about it. Notice they want to remove the package that makes vague references to female anatomy but they welcomed the guy who is on parole for sex crime against his little sisters.

Subject: Re: weboob package
Date: Thu, 12 Jul 2018 16:24:28 +0200
From: Ansgar Burchardt <ansgar@debian.org>
To: debian-private@lists.debian.org

On Thu, 2018-07-12 at 14:48 +0100, Ian Jackson wrote:
> Colin Watson writes ("Re: weboob package"):
> > (I haven't decided what I think should be done about it; certainly
> > if I
> > were the maintainer I'd want to disassociate myself from it as
> > quickly
> > as possible ... but the quoted text is a terrible argument.)
> 
> Quite.
> 
> What on earth could one do as the maintainer of such a thing ?  Write
> some kind of machinery (a git-filter-branch construction maybe) to
> automatically rename all this arseholery ?

Oh, come on.  It's not like they liken setting up an interrupt handler
with rape like, for example, Xen does.  I would certainly think less of
those who associate themselves with this kind of thing.

There is no incest sex involved either (unlike for example [1]). No
glorification of genocide, ethnical cleansings or such either (same
file as [1]).  (Hmm, I wonder what happens when one submits a patch for
that...)

Sadly we are associated with it, by virtue of packaging it, and thus
promoting it. And I'm ashamed and embarrassed to be associated with
such hateful content.

> I also note that the upstream webpage lists the logos of a number of
> companies, which I hope have some kind of corporate
> not-looking-like-a-total-wazzock policy.  I CBA to complain to them,
> but maybe someone would like to start a fire on Twitter.

Yes, please go and start a nice shitstorm. A great idea, brilliant.

Ansgar

  [1] https://sources.debian.org/src/bible-kjv/4.30/bible.rawtext/#L495

One of those in favor of the weboob package was Axel Beckert from the elite Swiss university ETH Zurich:

Subject: Re: weboob package
Date: Fri, 13 Jul 2018 14:29:58 +0200
From: Axel Beckert <abe@debian.org> [ ETH Zurich ]
Organization: The Debian Project
To: debian-private@lists.debian.org

Hi,

Jonathan Dowland wrote:
> Yesterday I stumbled across the "weboob" package for the first time,
> which includes a slew of binaries with names similar to the following:
[...]

So what? I don't see any problem with that. (And I don't see why
there's a thread on debian-private about it.)

		Regards, Axel
-- 
 ,''`.  |  Axel Beckert <abe@debian.org>, https://people.debian.org/~abe/
: :' :  |  Debian Develoober, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE

Jeremy Bicha himself weighed in on the discussion after Ansgar brought up the incest:

Subject: Re: weboob package
Date: Thu, 12 Jul 2018 10:53:32 -0400
From: Jeremy Bicha <jbicha@debian.org>
To: ansgar@debian.org
CC: debian-private@lists.debian.org

On Thu, Jul 12, 2018 at 10:24 AM Ansgar Burchardt <ansgar@debian.org> wrote:
> There is no incest sex involved either (unlike for example [1]). No
> glorification of genocide, ethnical cleansings or such either (same
> file as [1]).  (Hmm, I wonder what happens when one submits a patch for
> that...)
>
> Sadly we are associated with it, by virtue of packaging it, and thus
> promoting it. And I'm ashamed and embarrassed to be associated with
> such hateful content.

Please stop.

At a minimum, if you are serious about removing Bible texts from
Debian, please start a separate thread instead of derailing this
topic. But I think you may have trouble finding consensus for that
viewpoint and I expect it will stir up lots of conflict.

Thanks,
Jeremy Bicha

This is the reality of the so-called diversity in Debianism: gay male employees in a range of companies and universities discussing female anatomy with a registered sex offender during their working hours.

Dr Richard Stallman (RMS) was accused of participating in some unpleasant discussions when he was at MIT. Yet the debian-private discussions, where university staff rub shoulders with Jeremy Bicha, while he is still on parole, appear to be far more scandalous. Why do the snobby people attack Dr Richard Stallman (RMS) but go out of their way to protect Jeremy Bicha, the registered sex offender?

In September 2018, I completely resigned from my role as Fellowship representative to the FSFE misfits. I discontinued all involvement with the group and I encouraged other people to resign too. Therefore, as I resigned and made the resignation public, there was no way I had any involvement in the subsequent scandals with women hired in 2019. Those women were only hired after I resigned. All the complaints made by women concern psychological abuse from Matthias Kirschner.

On 28 October 2018, Red Hat announced the merger with IBM. The developers who got shares very early thanks to the 1999 share offer, which excluded the teenage volunteers, made a lot of money. It looks like they didn't want reports from the Albanian female whistleblowers to become a public news story and undermine the $34 billion price tag for the transaction.

In November 2018, the Wayback Machine captured a snapshot of the team in Elio Qoshi's private company Ura Design. We can see the underage girl, who may be 17 by this point in the story, is now being paid to be a system administrator. System administrators normally have access to all the data in a company, including the emails of their own bosses and their colleagues. In small IT companies like this the director normally keeps the system administrator powers for himself. It is worth remembering the incident from the team St Kilda in Australian football. One of the players was dating the woman known as the St Kilda schoolgirl, Kimberley Ametoglou (Kim Duthie). Kim was not really from St Kilda, she was from Frankston, like Julian Assange. She expertly extracted all the nude photos of the players from her boyfriend's computer and published them in what came to be known as dikileaks. It seems highly unlikely Elio Qoshi was giving his underage girlfriend access to all his files and emails. In practice, this appears to be a case of privilege escalation. The men would put the pictures of the young women on a web site like this to help the women create an online profile. The women would apply to bigger organisations for travel grants and speaking opportunities at community conferences.

This is a photo from the OSCAL conference in Albania in 2016. There are so many more women than men in the photo. What is the real reason more women than men were coming to the OSCAL conferences? Young female students in Albania earn approximately ten euros per day working in shops and restaurants. Did somebody pay these girls to attend conferences and make it look like a real community? One of the women was told that an Outreachy internship would be too difficult for her but one of the men offered to help her submit the application if she gave him half the salary.

Early in 2019, the FSFE misfits hired two women, Susanne Eiswirt and Galia Mancheva. Within a year, Matthias Kirschner had sacked them both again. Galia Mancheva took him to court and wrote a damning testimony about the culture of psychological abuse in the FSFE "community":

Even after my lawyer warned him to terminate all attempts to communicate with me and send someone else to pick up my work laptop, he came in person to my house, and was very irritated that I was not alone.

What these incidents reveal is the oligarchs in these groups have come to view the volunteers and the female subordinates as possessions. The oligarchs feel they have some God-given authority to make decisions about the lives of those around them.

Here is a picture of Matthias Kirschner with the young girls in Albania:

In late 2018 or early 2019 one of the Albanian female whistleblowers was given a job at the GNOME Foundation. Kristi Progri has been a member of the committee in the non-profit Open Labs hackerspace in Albania. She had been one of the organisers of the OSCAL conferences. She seems to know the identity of every man who visited Albania for these conferences. She knows the age of every young woman who participated in the conferences. Ever since she started receiving a salary from GNOME Foundation, there has been no more evidence about Elio Qoshi and the underage relationships.

On 2 February 2019, at the FOSDEM conference in Brussels, Belgium, Molly de Blanc gave a talk about how companies can bully volunteers with Code of Conduct gaslighting. In the slides for her talk, she had selected an infamous graphic of a cat behind bars:

In 2019, Google decided to reduce the salaries for Google Summer of Code (GSoC) interns from $6,000 down to as little as $3,000 based on each intern's country and a formula for purchasing power parity. However, the parallel Outreachy internships, which only pay money to single young women and don't require the women to write any code, have continued increasing their salaries a little bit almost every year. For example, a slim and attractive single young woman in Russia, eastern Europe, India or Brazil is offered $3,000 to participate in Google Summer of Code but if the same woman wins an Outreachy internship, she gets $6,000 and a lot of free trips.

In February 2019, journalist Frederic Martel released his book In the Closet of the Vatican. He alleges that eighty percent of priests in the Vatican are homosexual. In some open source software groups, including Debianism, we seem to be looking at a prevelance of homosexuality that is higher than what is normal for the community at large.

Most gay men are not paedophiles. It is wrong to suggest they would be. Nonetheless, when a group presents itself as gay-friendly or when a group provides an opportunity for gay men to gain more respect from society, as is the case with both the Catholic church and Debianism, paedophiles appear to be attracted to the same group. Therefore, we have to be even more vigilant.

In June 2019, the diversity crowd hijacked the Debian web site and replaced the logo colours with the colours for Pride month. The majority of developers did not consent to this:

To: debian-project@lists.debian.org
Subject: Debian supports pridemonth?
From: Gerardo Ballabio <gerardo.ballabio@gmail.com>
Date: Fri, 28 Jun 2019 11:48:18 +0200

Hello all,
I've just seen this on https://micronews.debian.org/ :

"In support of #pridemonth, Debian changes its website logo. The
Debian Project welcomes and encourages participation by everyone
https://www.debian.org/intro/diversity "

May I please ask who decided that and where was it discussed? (I can't
find anything about it at least on -project.)

I do not think that this is appropriate. Welcoming diversity is one
thing, supporting pridemonth is another thing. Pridemonth is a set of
events with a definite political connotation. I don't think that
Debian should take sides on any specific political issues (except of
course issues that have a relation to free software), especially if
that hasn't been discussed at large among project members and there
isn't a clear consensus.

Is it just me (and am I being blatantly wrong, if so please enlighten
me) or do others share my concern?

Thanks
Gerardo

(Not subscribed, please keep me Cc:d)

It feels creepy when these things happen. The people who do these things don't care about consent. They feel that what is good for them is good for everybody else too.

In the US Civil Rights movement, there were groups like the Black Panthers who were very similar to the Zizian diversity gang in open source software communities. These people do as they please and they don't care about the law or the impact on the lives of those they hurt.

In July 2019, the Debianism annual conference DebConf19 was in Brazil. At the conference dinner, the leader of Debianism, Chris Lamb, had four women from Albania and Kosovo seated next to him.

Why did they want so many women from Albania and Kosovo to visit DebConf two years in a row? Was it some kind of bribe or hush money arrangement to prevent further discussion about the former Fedora Ambassador, who had been photographed with Chris Lamb in 2017?

On 2 August 2019, Molly de Blanc was invited to give a keynote speech at FrOSCon in Germany. It is rumoured that Molly de Blanc was the girlfriend of former Debianism leader Chris Lamb, a.k.a., Mollamby.

In her talk, she displays a hand-drawn slide where we can see three selfish people like herself pushing one of the developers. This is how the selfish people get things without paying for them. They use gossip and violence, just like the fight at DebConf6.

Molly de Blanc: Well we can use our collective power to push others

On 10 August 2019, Jeffrey Epstein committed suicide in his prison cell.

In August 2019, the GNOME annual conference GUADEC was organised in the city of Thessaloniki in the north of Greece. It is very close to Albania and women from the nearby Balkan countries were brought to the conference on busses.

On 17 September 2019, Dr Sally Muytjens completed her PhD thesis on the topic An exploration of the existence of clergy child sexual abuse dark networks within the Victorian Catholic Church. It is extremely relevant to the phenomena we see today in Debianism. Various people have publicly praised a registered sex offender and helped him recycle his reputation at exactly the same time they are trashing the reputations of honest developers. The blackmail tactics they use, the games they play with the vocabulary of abuse and the way they operate in packs to reinforce their worldview all resonate with the scandals the church has been working so hard to move away from.

In the context of police corruption networks, this code of silence extended to â€œprohibiting disclosing perjury or other misconduct by fellow officers, or even testifying truthfully if the facts would implicate the conduct of a fellow officerâ€� (Chin and Zhang 2008, 238). Merrington (2017, 61) found that police corruption networks exploit the light networkâ€™s resources to facilitate DN operations. Research on a sports doping network showed that protecting the network included inflicting harm through bribery, bullying and threats and enforced a code of silence (USADA 2012 cited in Bell, TenHave and Lauchs 2016, 60). A code of silence or omerta was created by the Italian mafia and is applied to mafia members and anyone who witnesses mafia criminal activity to ensure silence regarding their illicit activities (UNODC 2008 cited in Bell, Ten-Have and Lauchs 2016). Omerta extended to a refusal to give evidence to the police (Fielding 2017,17). Similar methods were utilised by clergy perpetrator networks within the Victorian Catholic Church to maintain silence and, hence, resilience of the network of clergy CSA.

The 80,000 messages on debian-private and similar archives in the FSFE misfits, GNOME and Mozilla are analogous to the code of silence in other institutions.

In the Albanian scandal, the unpaid female volunteers were asked to sign a Non-Disclosure Agreement (NDA) even before they were abused. In other contexts, such agreements only appear after the abuse and during negotiation of the settlement.

In November 2019, Anisa Kuci, the Albanian woman who was seated closest to Chris Lamb at the DebConf19 conference dinner was awarded a $6,000 Outreachy internship. The woman had previously worked as a waitress and had no software development experience.

Remember the teenage boys doing unpaid work to bootstrap Debianism back in the 1990s. Joel "Espy" Klecker, Shaya Potter and Chris Rutter. They did a huge amount of technical work, they received no payments and some of them died. When these women from eastern Europe arrived people started popping champagne and opening the chequebook:

In January 2020, Joerg Jaspert from the Debian Account Managers cyberbullies was appointed as a parent representative at Dalbergschule in Fulda, Germany. Is it appropriate for any Debian Developer to have such a role in a school, even as a volunteer, while the organisation is refusing to discuss the concerns about their registered sex offender?

At the end of August 2020, we saw Matthew Garrett went wild spreading false accusations that Dr Jacob Appelbaum is a rapist, all the while, Debianists were protecting a real rapist.

Matthew Garrett spread dozens of message like this without any evidence:

Subject: Re: expulsions vs Reproducible Builds
Date: Tue, 1 Sep 2020 09:52:17 +0100
From: Matthew Garrett <mjg59@srcf.ucam.org>
Reply-To: discussion@lists.fsfellowship.eu
To: discussion@lists.fsfellowship.eu

On Tue, Sep 01, 2020 at 10:26:40AM +0200, Debian Community News Team wrote:

> a) The different approaches taken to complaints about Appelbaum and
> Lange, even though both complaints arrived at the same time.

One of these complaints involved multiple accusations of rape and sexual assault. The other involved an accusation of aggressive and disrespectful behaviour. Do you believe that these things are equivalent?

-- 
Matthew Garrett | mjg59@srcf.ucam.org

Subject: Re: expulsions vs Reproducible Builds
Date: Wed, 2 Sep 2020 00:40:21 +0100
From: Matthew Garrett <mjg59@srcf.ucam.org>
Reply-To: discussion@lists.fsfellowship.eu
To: discussion@lists.fsfellowship.eu

On Tue, Sep 01, 2020 at 05:59:46PM -0500, quiliro wrote:
> Matthew Garrett <mjg59@srcf.ucam.org> writes:
> > The Universal Declaration of Human Rights does not require that a 
> > volunteer organisation grant membership to a rapist, even if said rapist 
> > has not been found guilty in a court of law.
> Are you aserting that Jacob Appelbaum is guilty or are you talking about
> someone else? If you cannot prove something, it is a lie.

I am asserting that he's a rapist, an assertion that is backed up by an array of publicly available evidence.

-- 
Matthew Garrett | mjg59@srcf.ucam.org

These people think that by forming together like a pack of dogs and repeating the same rumour over and over again they can trick the whole world to believe it.

One of the reason dishonest people like Matthew Garrett make such outrageous lies is to cover up the fact the "diversity" team was bringing real paedophiles into the world of open source software. This is a classic trick that every junior magician knows: make the audience look in some other direction while you discretely move around the evidence.

At some point in 2021, Elio Qoshi joined Canonical Ltd, the company making Ubuntu, as an employee. It looks like he was employed there for a number of years but eventually they removed him in about 2025. They didn't make any comment about why he was terminated. It looks like it happened around the same time they eventually cut ties with Jeremy Bicha in 2025. Here is a screenshot of his LinkedIn profile when he was in Canonical Ltd:

On 11 March 2021, Jeremy Bicha's parole period finished at about the same time the Albanian former Fedora Ambassador Elio Qoshi was given a job at Canonical Ltd. An uncanny coincidence indeed.

Between July and October 2021, the web site of Justin Flory told us he was living in Albania (Wayback Machine snapshot). Shortly after that, Justin W Flory changed his name to Justin W Wheeler, changed his employer from UNICEF to Red Hat and removed the reference to Albania from his blog.

Why are the companies supporting the Albanians like this? Quite simply, Elio Qoshi knows the identity of every male developer who visited the conferences in Albania. He knows who they spoke to. Most men who look for a wife in these countries are looking for an adult. If one or two men were looking for something less than legal then they may well have asked Elio Qoshi, who had his own underage girlfriend, to help them find what they wanted. He is one of the few people who would know who those men are and what they did. The controlling corporations don't know what he knows and they probably don't want to know either. But what they do know is that as long as he is on somebody's payroll, the secrets will stay buried.

Late in 2021, the FSFE misfits announced a program called Youth Hacking for Freedom (YH4F) to recruit underage people between thirteen and seventeen years of age to work for free. Having resigned from the FSFE, I had grave concerns for the welfare of children and I published the blog Google, FSFE & Child Labor.

Shortly after that, IBM Red Hat began a legal case to seize the domain name WeMakeFedora.org. They used my blog Google, FSFE & Child Labor as their evidence that I was publishing "critical commentary". The legal panel ruled in my favor and moreover, ruled that IBM Red Hat was using the legal process to harass me. See the legal documents here. In hindsight, now that everybody knows the truth about Elio Qoshi and Jeremy Bicha, people can see that I had good reason to publish the grave concerns I have about the FSFE misfits recruiting children to do unpaid work.

In January 2022, Canonical, the company of Mark Shuttleworth, decided to employ Jeremy Bicha. It is not clear if he was previously being paid as a subcontractor while in prison or on parole. It appears that the move to permanent employment coincided with the end of his parole period in 2021. Did the company know he was on parole while interacting with their developers?

In February 2022, people noticed the speaker profile for Elio Qoshi had been removed from the web site of the FOSDEM conference. No explanation was given. When FOSDEM removed him, other volunteers were never officially warned about the issues with underage girls and harassment.

On 14 June 2022, Anisa Kuci, the waitress from Albania who sat next to Chris Lamb at the DebConf19 conference dinner is given voting rights in the GNOME Foundation. Many real developers do not have voting rights in these associations and foundations. The oligarchs appear to be stacking the associations with personal friends who will vote for the same oligarchs to keep their positions on the board every year.

The woman eventually appears to become an employee of the association as well. However, it is not clear if she was on the payroll at the time the oligarchs made her a voting member.

From 20 to 25 July 2022, GNOME's annual conference GUADEC is in Mexico during the same week that DebConf22 is in Kosovo. The two women from Albania could take the bus to Kosovo for fifteen euros each but somebody buys them tickets for flights from Albania to Mexico. The money paid for these flights could have been used to buy bus tickets for twenty more women from local universities in central American countries close to Mexico.

In his DebConf22 profile, with three talks, Jeremy Bicha tells us:

Jeremy is a member of the Debian GNOME and Canonical Desktop teams. He lives in Florida and this will be the first DebConf he has attended. [in the year after his probation finished]

Fact checking, over 20,000 women in Kosovo reported being victim of rape as a war crime back in the late 1990s.

Many of the young women I met at events in Kosovo appear to have been born at the time of the war.

On 11 September 2022, the anniversary of a notorious terror attack, Axel Beckert asked the Swiss police to take sides with Jeremy Bicha, Elio Qoshi and all help cover up the death of Adrian von Bidder on our wedding day because his wife wanted to be Mayor of Basel.

The abuse details can be found in a report that Amnesty International prepared about the case of Trevor Kitchen:

Trevor Kitchen, a 41-year-old British citizen resident in Switzerland, was arrested by police in Chiasso (canton of Ticino) on the morning of 25 December 1992 in connection with offences of defamation and insults against private individuals. In a letter addressed to the Head of the Federal Department of Justice and Police in Berne and to the Tribunal in Bellinzona (Ticino) on 3 June 1993 he alleged that two police officers arrested him in a bar in Chiasso and, after handcuffing him, accompanied him to their car in the street outside. They then bent him over the car and hit him around the head approximately seven times and carried out a body search during which his testicles were squeezed. He claimed he was then punched hard between the shoulder blades several times. He said he offered no resistance during the arrest.

He was then taken to a police station in Chiasso where he was questioned in Italian (a language he does not understand) and stated that during the questioning "The same policeman that arrested me came into the office to shout at me and hit me once again around the head. Another policeman forced me to remove all of my clothes. I was afraid that they would use physical force again; they continued to shout at me. The one policeman was pulling at my clothes and took my trouser belt off and removed my shoe laces. Now I stood in the middle of an office completely naked (for 10 minutes) with the door wide open and three policemen staring at me, one of the policemen put on a pair of rubber surgical gloves and instructed me to crouch into a position so that he could insert his fingers into my anus, I refused and they all became angry and started shouting and demonstrating to me the position which they wanted me to take, laughing, all were laughing, these police were having a good time. They pointed at my penis, making jokes, hurling abuse and insults at me, whilst I stood completely still and naked. Finally, when they finished laughing, one of the policemen threw my clothes onto the floor in front of me. I got dressed."

He was transferred to prison some hours later and in his letter claimed that during the night he started to experience severe pains in his chest, back and arms. He asked a prison guard if he could see a doctor but the request was refused and he claimed the guard kicked him. He was released on 30 December 1993. Medical reports indicated that since his release he had been experiencing recurrent pain in the area of his chest and right shoulder and had been receiving physiotherapy for an injury to the upper thoracic spine and his right shoulder girdle.

Volunteers discovered over $120,000 was taken out of Debian bank accounts and used for legal fees to try and have me molested or killed. Why did they spend so much money on this vendetta? They are terrified about people who express concern about abuse. They paid $120,000 in legal fees because they feel more comfortable with Jeremy Bicha, the man who raped his little sisters, than with the independent volunteer elected by the Fellowship in 2017.

On 13 October 2022, the GNOME board minutes tell us they decided to add Jeremy Bicha to the Release Team.

In November 2022, Jeremy Bicha writes an advocacy for Matthias Geiger to become a Debian Maintainer:

Subject: Matthias Geiger: Advocate
Date: Thu, 10 Nov 2022 13:26:16 -0000
From: Jeremy Bicha (via nm.debian.org) <nm@debian.org>
Reply-To: debian-newmaint@lists.debian.org, Matthias Geiger
  <matthias.geiger1024@tutanota.de>, archive-1128@nm.debian.org,
  Jeremy Bicha <jbicha@debian.org>
To: debian-newmaint@lists.debian.org
CC: Matthias Geiger <matthias.geiger1024@tutanota.de>,
  archive-1128@nm.debian.org, Jeremy Bicha <jbicha@debian.org>

For nm.debian.org, at 2022-11-10:
I support Matthias Geiger <matthias.geiger1024@tutanota.de>'s request to
become a Debian Maintainer.

I have sponsored numerous uploads for Matthias including 6 new source
packages. He has prepared many new packages with a particular focus on
GNOME apps and Rust libraries to build GNOME apps. Creating new packages
is one of the more complex packaging tasks for Debian. His work has been
consistently high quality. We have also worked together to improve the
initial packaging.
Beyond packaging skills, Matthias has been pleasant to communicate with.

I have personally worked with Matthias Geiger
<matthias.geiger1024@tutanota.de>
(key C2E1A6CBFDECE511A8A4176D18BD106B3B6C5475) for 7 months, and I know
Matthias Geiger
can be trusted to have upload rights for their own packages, right now.

Jeremy Bicha (via nm.debian.org)

In January 2023, the late Cardinal George Pell, former treasurer of the Vatican, appeared in news reports from Rome talking about the death of Pope Benedict. The news reports prompted me to look at the unredacted Case Study 35 about the Archdiocese of Melbourne. I was shocked to see the similarities to the Debianism culture and social engineering attacks. I printed a lot of the evidence about Enrico Zini blackmailing and defaming people over so many years. On 10 January 2023, I drove across the Great St Bernard Pass to Aosta in Italy. I walked in to the Carabinieri station and explained the similarities between the exploitation of victims in Debianism and in the Catholic abuse crisis. In the same hour that I was in the Carabinieri station, as a witness to these crimes, unbeknownst to me, Cardinal George Pell was having surgery in Rome. He died four hours later.

Authorities in Australia pretended the crisis died with Cardinal George Pell. He had avoided certain questions and surely there is nobody else left alive who knows the answers to those questions.

On 1 March 2023, minutes of a GNOME Foundation Executive Committee meeting capture the names of Anisa Kuci and Sonny Piers together for the first time. At this point, she is not on the list of people receiving payments from GNOME Foundation. There are serious ethical concerns when members of the CoC-committee are physically intimate with the very people they are making up rumours about. Likewise, there are serious ethical concerns when staff members are able to intercept and suppress CoC-committee complaints about their workmates and their own boss. We already discussed the way these CoC schemes are similar to the catch-and-kill strategy the National Enquirer used to purchase and suppress stories about Donald Trump. These financial and sexual conflicts of interest are even more disturbing when the conflicts of interest are totally hidden from the victims of defamation created by these gangsters.

It appears there are now two women from Albania who were being paid to work on the organisation of GUADEC and assist other events like DebConf. Up to this point, the organisations had always insisted that if volunteers wanted an event they have to organise it themselves. Nobody had any public discussion about changing the strategy and having a mix of volunteers and paid event staff. It is vital to ask the question: did the oligarchs create these jobs because the community chose to change the strategy or did these jobs get created because somebody wanted these two specific girls from Albania to have jobs?

GNOME hired the first girl at the end of 2018. Some time later, the other girl went to Outreachy, then she went to Wikimedia Italia, an organisation that relies on a lot of volunteers who don't get paid. A list of her past relationships was circulated and the people doing unpaid work became upset. Shortly after that, it looks like GNOME took her on their payroll. The fact that GNOME has ended up with two girls from the same Albanian background adds weight to the argument that the jobs were created for these specific girls rather than to fill some general need.

Remember, in 2018 and 2019, these are the same girls who asked the Debianists to buy their travel tickets in advance while all the other young interns had to buy tickets with their own money and wait for reimbursement.

Before Boris Johnson became prime minister of the UK, he served as the mayor of London. Various people have come forward with evidence that he tried to have specific women assigned to jobs rather than the normal process of advertising the job and choosing the best candidate. The pattern was repeated when he was prime minister and his girlfriend, now wife, was proposed for a job in the Foreign Office.

On 19 April 2023, Anisa Kuci, the waitress from Albania who sat closest to Chris Lamb at the DebConf19 conference dinner goes for the CoC-committee in the GNOME Foundation forum, which runs on Discourse software.

Why did Kristi Progri get a big title, Director of Project Management but when Anisa Kuci joined GNOME they call her an Administrative Assistant? Both girls grew up together in the same building. They both joined the Open Labs group together. Either one job title is being overstated or the other job title is understated. It looks like the job for the second girl was only created as part of the catch-and-kill strategy to keep women on side so they won't repeat the things they told me in 2017 and 2018 about the Fedora Ambassador Elio Qoshi.

What is the Code of Conduct gaslighting all about anyway? This is the stuff of cults. People are supposed to smile and pretend everything is alright even when something bad happens. Remember the story of Adrian von Bidder's death on our wedding day? We are expected to keep smiling. If a rape victim sees Jeremy Bicha in the bunk beds at DebConf, is she allowed to talk about her concerns? Of course not. The Code of Conduct gaslighting doesn't care how she feels.

On 21 April 2023, Elio Qoshi publishes a blog about his job at Canonical Ltd, makers of Ubuntu. The blog is about How we designed the new Ubuntu Desktop installer.

On 10 May 2023, Jeremy Bicha writes another advocacy for Matthias Geiger to be promoted from Debian Maintainer to Debian Developer:

Subject: Matthias Geiger: Advocate
Date: Wed, 10 May 2023 15:06:23 -0000
From: Jeremy Bicha (via nm.debian.org) <nm@debian.org>
Reply-To: debian-newmaint@lists.debian.org,
  Matthias Geiger <matthias.geiger1024@tutanota.de>,
  archive-1181@nm.debian.org,
  Jeremy Bicha <jbicha@debian.org>
To: debian-newmaint@lists.debian.org
CC: Matthias Geiger <matthias.geiger1024@tutanota.de>,
  archive-1181@nm.debian.org,
  Jeremy Bicha <jbicha@debian.org>

For nm.debian.org, at 2023-05-10:
I support Matthias Geiger <matthias.geiger1024@tutanota.de>'s request to
become a Debian Developer, uploading.
I have worked with Matthias Geiger on GNOME packages since March 2022.
Matthias has created new Debian packages
for several GNOME related apps and libraries and maintained them well
ever since.

Matthias has been very instrumental in doing the major prerequisite work
to get newer GNOME apps written in Rust
into Debian Trixie. This is very complicated but important work.

I have personally worked with Matthias Geiger
<matthias.geiger1024@tutanota.de>
(key C2E1A6CBFDECE511A8A4176D18BD106B3B6C5475) for 14 months, and I know
Matthias Geiger
can be trusted to be a full member of Debian, and have unsupervised,
unrestricted upload rights, right now.

Jeremy Bicha (via nm.debian.org)

Matthias Geiger is a very common name. Jeremy Bicha has vouched for him but neither of them have told us if they have any conflicts of interest, for example, if they both work for the same employer, Canonical Ltd or if they ever shared a prison cell together.

On 26 July 2023, Jeremy Bicha gave a talk at GUADEC in Latvia on the topic How GNOME Gets into Ubuntu. Here are some of the slides, with his sister's testimony superimposed over them:

On 11 September 2023, Jeremy Bicha writes an advocacy for Amin Bandali. This time he reveals that they are both working at the same company, Canonical Ltd, the maker of Ubuntu. Some people have serious ethical concerns about Ubuntu developers and co-workers writing references for each other like this because they are under pressure to serve the needs of their company rather than being objective about Debian.

Subject: Amin Bandali: Advocate
Date: Mon, 11 Sep 2023 14:15:25 -0000
From: Jeremy Bicha (via nm.debian.org) <nm@debian.org>
Reply-To: debian-newmaint@lists.debian.org,
  Amin Bandali <bandali@gnu.org>,
  archive-1211@nm.debian.org,
  Jeremy Bicha <jbicha@debian.org>
To: debian-newmaint@lists.debian.org
CC: Amin Bandali <bandali@gnu.org>,
  archive-1211@nm.debian.org,
  Jeremy Bicha <jbicha@debian.org>

For nm.debian.org, at 2023-09-11:
I support Amin Bandali <bandali@gnu.org>'s request to become a Debian
Developer, uploading.

I have personally worked with Amin Bandali <bandali@gnu.org>
(key BE6273738E616D6D1B3A08E8A21A020248816103) on the Debian GNOME team
since the end of 2022. He has packaged updates for a variety of GNOME
packages. Earlier this year, he officially joined the Debian GNOME team
and has been entrusted with DM upload rights to several packages. He has
used those upload rights well.

Amin Bandali also has interest and skill with troubleshooting build
issues on non-amd64 architectures which is why he is not just a DM, but
a "DM with guest account".

Amin Bandali is a coworker with me at Canonical since late 2022. His
primary job duties are not .deb packaging for Debian and he was already
maintaining packages in Debian before joining Canonical.

I firmly believe that the Debian Project will benefit from granting
Debian Developer, uploading status to Amin Bandali. I know Amin Bandali
can be trusted to be a full member of Debian, and have unsupervised,
unrestricted upload rights, right now.

Jeremy Bicha (via nm.debian.org)

Oddly enough, those messages were exchanged at the same time as DebConf23 in India. On 9 September 2023, I sent the coroner for Cambridgeshire a written warning about the risk for health and safety in Debianism, with a reference to the culture and the blackmail behaviour:

Subject: Re: Inquest Christopher Rutter - Information Request
Date: Sat, 9 Sep 2023 18:59:26 +0200
From: Daniel Pocock <daniel@pocock.pro>
To: Coroners <Coroners@cambridgeshire.gov.uk>

Hi [redacted],

I've updated the document with some extra email evidence and two more
deaths, both of those being under management from a doctoral candidate
at Cambridge.

Based on my own experience of both Debian culture, the Pell situation
and the evidence in these emails, I feel that there is an ongoing risk
to the health of people who engage with this culture.

Please kindly confirm if the coroner can escalate this to the relevant
people or whether you need somebody to present the document in person.

Regards,

Daniel

Abraham Raji died three days later. It is the first case of somebody dying at DebConf. It was anticipated, therefore, it was avoidable.

During 2023, there was a high profile underage rape and incest prosecution in South Australia. A bakery on the Eyre Peninsula had recruited fifteen-year-old girls to do some baking, smile at the customers and help the owner have more children. The man in charge and his wife were both convicted. Three children were born in one seven month period. The baker's father had shared one of the girls. There are thirteen children and they need to make DNA tests to verify which man is responsible for each of them. Newspapers described it as a cult-like living arrangement but it is not uncommon for workers to live with their boss when in a remote location like this. When you look at the remoteness of the location and the nature of such jobs where the young girls are living at their workplace, it has some similarity to the situation where Jeremy Bicha and his little sisters were living a life that was isolated from other children.

In May 2024, a news report from Australia tells us that Timothy / Tim Lunn, an IT specialist was called as a witness in the high profile Gregory Lynn murder trial in the Supreme Court of Victoria. Yet if Mr Lunn himself had been associating with a registered sex offender on parole in Florida, is it fair for him to be trusted in a judicial process as serious as a murder trial?

Also in May 2024, minutes of the GNOME Foundation board have been redacted to hide discussions about Sonny Piers and the "staffing", which really means the hush money being paid to the Albanian female whistleblowers. Sonny Piers was secretly expelled at this point but it is redacted in the minutes.

On 21 June 2024, immediately after GNOME Foundation expelled and censored Sonny Piers, the web site for the Open Labs non-profit with all the girls in Tirana, Albania is completely taken offline. The group uses their Facebook account to post a message telling us that they decided to close the organisation without giving us the real reason.

On 18 July 2024, immediately after they shut down the Open Labs web site and discussion forum in Albania, an anonymous account is created in the GNOME Foundation forum on Discourse. The account is used to post a hideous defamation about Sonny Piers, who they had expelled with a secret trial in May. Dozens of discussions and news reports appear about Sonny Piers being banned from GNOME. The girls are insisting that everybody should know they decided to humiliate Sonny but nobody is allowed to ask why the girls are obsessed with humiliating him. Whenever messages like this appear, they always hint at some sort of bad sexual etiquette. As we saw with every other case, such as Ted Walther in 2006 and Dr Jacob Appelbaum in 2016, these rumours are not only false but they have been deliberately fabricated by some chronically dishonest people intent on harming male volunteers and our families.

The defamation message about Sonny Piers explicitly mentions "Code of Conduct" but what they really mean is "Code of Silence". They are doing all this to stop Sonny Piers talking about payments to one of the Albanian girls or something similar to that.

Sonny Piers writes a response on his own blog three days later:

I am no longer a member of the board of directors of the GNOME Foundation since May 2024. The process and decision shocked me. I know people are looking for answers, but I want to protect people involved and the project/foundation. It was never an interpersonal conflict for me.

Remember, Sonny Piers has been doing voluntary work for twenty years and he contributed substantial intellectual property. The Albanian girls who were secretly added to the GNOME payroll only work when they receive money and they only go to events when somebody, usually the male oligarchs, buy the tickets for them.

The community had elected Sonny Piers to the board. As a member of the board it is absolutely certain he saw privileged information about the payments to Albanian female whistleblowers. However, he may not have been told the real reason for those payments. He may have asked questions about why the same girls are selected for every diversity grant. All this happened in GNOME Foundation immediately after the controlling corporations shut down the Open Labs group in Albania. Follow the money / girls.

Back in the communist era, Albania was run by a totalitarian dictator, Enver Hoxha. Among other things, he had banned all western pop music. When Kylie Minogue from Australia became the Princess of Pop, she immediately went to the top of the list of singers banned in Albania until communism ended in 1991.

The GNOME Foundation hired two girls from Albania. Now we see the policies of Enver Hoxha and totalitarianism being reincarnated in a non-profit voluntary organisation. History is repeating itself.

Jeremy Bicha had engaged in real abuse of his little sisters when they were six and nine years old. As a voting member of the GNOME Foundation and a member of the Release Team he has a higher status than Sonny Piers. Why can people go to the web site of the Manatee County Court and read all the details about real abuse of the little sisters but we are not allowed to know anything about the questions Sonny Piers was asking at board meetings?

Here is an example of the things Jeremy Bicha was convicted for:

Reading comments like that reminded me of the way misfits on debian-private (leaked) discussed the words used by the parents of Frans Pop after he committed suicide:

Subject: Re: Death of Frans Pop
Date: Sat, 21 Aug 2010 13:39:21 +0100
From: Colin Watson <cjwatson@debian.org>
To: debian-private@lists.debian.org

On Sat, Aug 21, 2010 at 01:52:33PM +0200, Ludovic Brenta wrote:
> Steve McIntyre <steve@einval.com> writes:
> > "Yesterday morning our son Frans Pop has died. He took his own life,
> > in a well-considered, courageous, and considerate manner. During the
> > last years his main concern was his work for Debian. I would like to
> > ask you to inform those members of the Debian community who knew him
> > well."
>
> Does that imply he took his own life *because* of Debian, which was "his
> main concern"?

This is probably the wrong thread for linguistics, but that phrase would
normally just indicate that Debian was his main interest.  In
http://oxforddictionaries.com/view/entry/m_en_gb0169810 under "noun",
this would be sense 2 rather than sense 1.

--
Colin Watson                                       [cjwatson@debian.org]

What is so much more sensitive about the Sonny Piers drama that GNOME will not tell us? Did he do something that is even worse than raping a little girl? Or did he stumble onto an inconvenient truth about Albanian girls that must be hidden from the community at all costs?

My suspicion is that this is more than somebody's sex life at stake. It is not unusual for people to hook up with their colleagues in student unions and open source software conferences. Some of the women have told me they were under pressure to lie. Paying women to create or repeat a lie, knowing it is a lie, undermines trust in the whole organisation that paid for those lies.

Software producers are particularly keen to maintain the trust of the community. The moment people stop trusting the GNOME developers everybody will abandon the project. How could we trust these developers if they used the foundation's funds to make payments to a woman who spread a lie or defamation?

After you pay a woman to lie, you can't sack that woman. You have to keep her on the payroll until she's ready to have children and become a stay-home mother.

I suspect that is why Anisa Kuci was immediately given a job at GNOME after the end of her relationship with Wikimedia Italia. Somebody didn't want to see her join some random employer where random developers will ask her to disclose details about the conspiracies at DebConf19.

It is important to reflect on these secrecy tactics. These tactics create the type of environment where real abusers can thrive.

On 2 August 2024, Andreas Tille, then leader of Debianism, wrote in his Bits from DPL:

Nominating Jeremy BÃcha for GNOME Advisory Board

I've nominated Jeremy BÃcha to GNOME Advisory Board. Jeremy has volunteered to represent Debian at GUADEC in Denver.

Sonny Piers, like other victims, was censored and humiliated indefinitely while the registered sex offender is put up on a pedestal to supposedly be the representative of the rest of us. I certainly didn't consent to him speaking for me.

Furthermore, how can a Canonical Ltd employee be representing the interests of both Debianism and the Ubuntu misfits at the GNOME Advisory Board? The conflict of interest is enormous. It isn't possible for him to do both at the same time.

On 17 November 2024, there was a MiniDebConf in Toulouse, France. In the video, we can see Pierre-Elliott BÃ©cue wearing a t-shirt with the expression Losing my mind, one kid at a time and a picture of a child sitting on a man's shoulders. Most people will see a normal parent-child relationship in the picture but about two percent of men see something else.

On 6 January 2025, Justin W. Flory / Wheeler registers the domain name jwheel.org. On 11 February 2025, the Wayback Machine captures the last snapshot of his web site at jwf.io using the name Justin W. Flory. On 17 February 2025, in the next snapshot captured by the Wayback Machine, we can see him using a new name, Justin W. Wheeler. It begs the question: why did he leave the USA and move to eastern Europe? Why did he have to change his name after spending time in Albania? Why was he moved from a job at UNICEF to the IBM Red Hat payroll around the same time the Albanian female whistleblowers were put on the GNOME Foundation payroll?

In March 2025, shortly before DebConf25, we saw Jeremy Bicha began contributing to the Debian-Edu project. That is the derivative of Debian created to meet the needs of the education industry. Why does he have schools on his mind? Jeremy Bicha's status as a registered sex offender is intended to prevent him being employed inside a school. By collaborating on Debian-Edu, he gains credibility that allows him to interact with schools as a volunteer. This looks like privilege escalation. He was engaged in this while he was an employee of Canonical Ltd and Ubuntu.

Look at his collaborators on debian-edu. Some of the people we discussed previously are also there: Holger Levsen, one of the protagonists of the DebConf6 violence. The founder of Teckids, who joined Debianism at the same time as Jeremy Bicha, is Dominik George.

At DebConf25 in Brest, France, the GNOME talk from Jeremy Bicha was scheduled for 14 July, the French national holiday. In France, the day normally starts with parades by the military and the emergency services, including the police. Therefore, people were asked to choose between applauding the police as they marched through Brest or watching a registered sex offender giving a talk in the university campus.

To make matters worse, president of Debian France is Pierre-Elliott BÃ©cue, a former employee of ANSSI, the cybersecurity arm of the French military.

On 14 July each year in Brest, the military parade in Cours Dajot begins at 11:00

The talk by Jeremy Bicha is listed in the DebConf25 schedule at 18:00 on the same day.

Did the conference organisers know about this risk in advance? As we can see above, incest had been mentioned on debian-private as early as 2018.

In the first week of July 2025, Jeremy Bicha made some Nazi comment on the XLibre project wiki. On 4 July 2025, it was discussed in this Github issue.

People started investigating all the participants in the argument. On 7 July 2025, this forum post mentions the sex crime. On 8 July 2025, Bryan Lunduke used his account on Twitter/X to tell us he had found the conviction. It is not clear if he was the first to find it. On 11 July 2025, a lengthy post appears on Telegram.

On 14 July 2025, Fandom Pulse discusses the way people tolerate the registered sex offender but not Dr Richard Stallman. Bryan Lunduke blogged Registered Sex Offender Speaking at Debian Conference This Week. He followed up the next day with Registered Sex Offender No Longer Working at Canonical. On 16 July 2025, somebody posted the Fandom Pulse link in Hacker News and somebody else censored the link because the Hacker News people are in the same snobby set who prefer the registered sex offender over Dr Richard Stallman. Remember, this was a scandal that started with a comment about who is a Nazi. On 17 July 2025, Techrights gave their view on the scandal.

On 9 August 2025, it was mentioned again in Hacker News in this thread and somebody from the snobby set removed the link again but the comments remain.

Talks at the conference were video recorded and published online but the registered sex offender video is missing from the collection.

Putting this type of diversity on display at a prominent event feels like the thin end of the wedge. Brest is a city known for its strong naval history. Jeremy Bicha had been discharged from the US Navy after they found out. Like the rogue Russian spy-ships who periodically sail the English channel, Debianists have decided to test the waters of diversity by putting this man on display. They wanted to see how the public reacts. They want us to know this is the new normal. The victims were only six and nine years old. On the scale of sexual offences, these were some of the worst. By putting this out in the open, they make it easier to bring in offenders who have less serious crimes.

Back in the 1970s, people like this tried to create organizations like the Paedophile Information Exchange (PIE) where their cause was published in broad daylight. Within a few years these organisations had been outlawed. The lesson they have learnt from those prosecutions is the need to affiliate themselves with more general causes like diversity and then expand the definition of diversity to include, by stealth, all kinds of people who are irreconcilably incompatible with the rest of us.

We already looked at the prosecution of Matthias Kirschner for the psychological abuse of Galia Mancheva. Sooner or later another oligarch will face one of these prosecutions. If it is somebody the cabal wants to protect, they can remind us how Jeremy Bicha came to DebConf25 and it didn't kill anybody. They will remind us the diversity statement says anybody is welcome as long as you display total submission to their CoC.

The revelations about Jeremy Bicha's abuse of his little sisters sparked an uproar. People wanted to know why Bicha was sent to prison for three years but Sonny Piers had been given a lifetime punishment in the GNOME Discourse forum. Ten days after the scheduled talk at DebConf25, there was a new post in the GNOME Discourse forum about Sonny Piers.

This time, instead of using an anonymous account, Robert McQueen has written the post under his own name. He tells us the punishment has been reduced:

The Board is providing this information to clarify the decisions made in this case, and to eliminate any uncertainty within the GNOME community about the matter.

In fact, the very long post does not include any example of the questions Sonny Piers asked about the Albanian women. Therefore, we all remain totally in the dark.

the Board also voted that Sonny will not be eligible for appointment in any position of authority within the Foundation, or to act as an agent on behalf of the organization, or to have paid work with the GNOME Foundation. This means that he will be unable to be a committee member, director, officer, staff member or contractor, or officially represent the GNOME Foundation to other entities. The Board resolution put these restrictions in place on an indefinite basis.

The board and Robert McQueen are telling us that Sonny Piers is permitted to return to GNOME but he will always have a lower status than the registered sex offender. Think about how that feels.

Turn that statement on its head: why does Robert McQueen feel more comfortable with the Ubuntu man who popped the cherry of a six year old than he does with an independent developer who the community voted onto the board?

On 4 April 2026, Oscar Langley asked about it in the election discussion for the next leader of Debianism. None of the candidates would reply to questions about child safety.

Subject: 	DebConf25 decisions affecting Child Safety and talk scheduling
Date: 	Sat, 4 Apr 2026 11:01:37 +0000
From: 	Oscar Langley <oscar.langley@hotmail.com>
To: 	debian-vote@lists.debian.org <debian-vote@lists.debian.org>

I understand this topic may be somewhat tangential to the election mailing list, but I reviewed the list of voters in this year's DPL election and discovered that Jeremy Bicha is a Debian developer who cast a ballot: https://vote.debian.org/~secretary/leader2026/voters.txt

If you search up his name on Google, the very first result is his profile on Florida's Sexual Offender and Predator System, as he molested multiple preteen girls throughout the 1990's and confessed to all this in court.
https://offender.fdle.state.fl.us/offender/sops/flyer.jsf?personId=85068
https://wng.org/articles/the-high-cost-of-negligence-1617309216

Being a child molester is most likely a violation of the Debian Code of Conduct, and if it is not, it is reprehensible enough to call into question his continued status as a member of the project.

Additionally, there are two more important questions about Bicha's relationship with the Debian Project that have yet to be answered. Bicha was due to speak at DebConf25 last year, an event that children were permitted to attend. The livestream also experienced technical issues when his talk was about to start, leaving it unclear whether he actually spoke.

The two questions are:

1. What factors led to the decision to allow children in the presence of Bicha?

2. Was Bicha' talk was canceled, or did it indeed take place but was simply never streamed?

And a third question is begged:

3. Why hasn't the Debian Project cut ties with Bicha?

but one person made a reply praising the extreme definition of diversity:

Subject: 	Wasn't sure where to send but thank you...
Date: 	Wed, 8 Apr 2026 12:08:58 -0400
From: 	Star Light Catcher <catcherstarlight@gmail.com>
To: 	debian-project@lists.debian.org

I would just like to say, I would sometimes browse the reddits for Linux and in the general Linux reddit I saw someone saying the project was "in trouble" and worried I went to the Debian reddit to look into it... And what I'm very sad to say I found was people being very cruel and closed minded about the fact that the project seems to be valuing inclusion and bringing in new voices and talents to the FOSS community and the Debian project... So, I no longer really read reddit for Linux news but I very much wanted to say how much I've adored using Debian these past 8 months since switching to Linux. It's been rock solid, my best experience on Linux ever (and despite only switching 8 months ago I had tried Linux many times since 2010! Tons of different distros!) Debian has been genuinely an oasis from so much of what is wrong about modern tech, all while being built on what is obviously such a solid foundation I can't see myself switching back to Distros which genuinely often seemed to nuke themselves with little cause from me, and I've done plenty of things to ride my installs of Debian hard and it's never faltered at all.

And about the people behind the Debian project... In a time of increasing authoritarianism and such a huge increase to push minorities even further to the fringes... Debian embracing diversity during all of this... It warms this trans woman's heart who has felt such a sense of dread at the way the world is going. So thank y'all genuinely. Linux users are known to distrohop but... I can't imagine ever needing anything but the Universal Operating System ever again ğŸ«‚ and what brings me such joy is that it feels that it's not just universal, as in, for all devices, but universal, as in /for everyone/. ğŸ’œ

Thank you for all you do, I plan to up my donation when I can,
Star Elizabeth Wilkerson ğŸ¦„â�ï¸�

17 to 20 April 2026, it was discussed and then suppressed in the Arch wiki.

Ben Carroll is the Deputy Premier and Education Minister for the State of Victoria. On Mother's Day in 2024, he posted a picture of himself with his local priest, who I'll simply refer to as Father X:

In 1994, the Archdiocese of Melbourne had to exfiltrate another priest, Fr Barry Robinson, from Boston. Father X was tasked with the mission. In particular, the scope of his mission was far bigger than the exfiltration. Father X was also asked to look at the crisis in Boston and report back to his superiors in Australia. This was eight years before the Spotlight news reports raised public awareness of the scandal. The priest who gives communion to Victoria's Education minister had himself learnt about the extent of the global crisis and expressed concern about warehousing paedophiles:

These letters resonate with our observations of Jeremy Bicha in the world of Debianism. The same people attacked every volunteer who ever asked serious ethical questions, they attacked my family when my father died but they welcome a registered sex offender with open arms.

After returning from Boston, Fr Barry Robinson had lived in the same house as Father X while the US authorities continued their investigation. Fr Barry Robinson had admitted abuse but they decided not to prosecute him at all. The church decided to ignore his admission and put him back into practice:

In 2024, another lawsuit cast attention on the use of scholarships for the two children of a victim. People gain status in society through attending these elite high schools. There is a risk that this perpetuates the culture of silence. It is analogous to the manner in which some open source software organisations are giving people internships, big titles and speaking opportunities so they will stay silent about abuse in Albania

Here is the redacted deed that mentions scholarships:

On the GNOME web site, we can see that one of the Albanian female whistleblowers has asked to hide her name. Is this because of Sonny Piers, because of Jeremy Bicha or because of Elio Qoshi?

In February 2025, The Monthly published and then almost immediately took down an article by Louise Milligan titled The True Legacy of the Rapist George Pell. The late Cardinal Pell had been successful in his appeal and the conviction had been overturned by the High Court. Therefore, calling him a rapist is a very strong defamation. Nonetheless, copies of the article are easily found online.

The Debian Diversity statement tells us the definition of diversity is very large. A lot like the National Council of Civil Liberties in the 1970s, the Diversity Statement says anyone is welcome (up to the day when you ask an ethical question). At DebConf25, they demonstrated the definition of anyone includes registered sex offenders. He is not the only one and he won't be the last one.

Please watch my crowdfunding video to learn more about the lawsuit in US federal court.

Andreas Schneider: Announcing Sigrún (Run a command)

Mon, 27 Apr 2026 12:15:56 +0000

Some time ago I used a feature in KDE called “Run a command” when an event triggered. It triggered for me when a calendar event fired and used Piper TTS to read the event to me out loud. A small popup and a pling don’t work for me.

I tried to get the feature back into KDE, but since the merge request isn’t going anywhere and people don’t give details how to implement it correctly I wrote Sigrun now. It is named after a Norse Valkyrie and is short for Signal Run.

It is a systemd service running as a user and listening on DBus signals. Once it finds a configured one, it runs its command. The desktop doesn’t matter.

Here is the rule that reads my calendar reminders aloud via kde-tts.py:

[[rule]]
name = "calendar-tts"

[rule.event]
type = "notification"

[rule.filter]
app_name = "kalendarac"
summary = "Meeting.*"

[rule.filter.hints]
"x-kde-eventId" = "reminder"

[rule.action]
command = "/usr/local/bin/kde-tts.py"
args = ["-t", "{summary}", "-d", "{body}"]

Tomas Tomecek: Deploying agents to OpenShift, again (part 1)

Mon, 27 Apr 2026 06:00:00 +0000

We have a set of agents to work on packages in RHEL and CentOS Stream: packit/ai-workflows.

They were already running pretty well in an OpenShift cluster last fall. Now we switched clusters so I worked on deploying them, again.

Daniel Pocock: Predicted: Cole Thomas Allen, gay or transgender boyfriend rumours

Sun, 26 Apr 2026 12:00:00 +0000

What appears to be an attempt to assassinate the US President Donald Trump has dominated the news today. There are numerous people on social control media suggesting the suspect, Cole Thomas Allen, may be gay or transgender, like the Zizian problems. Some people make comments about a handwritten note left for his transgender partner.

In fact, these comments appear to be identical to the description of Tyler Robinson, the man who assassinated Charlie Kirk. They are not necessarily fake news. We simply don't have enough information to say if the rumours are fake or if they are true.

Nonetheless, this phenomena was anticipated in the US federal lawsuit 1:25-CV-03883-UA submitted in the Southern District of New York on 6 May 2025. Here is a copy of paragraph 496:

496. The plaintiff and other victims feel great apprehension, based on what happened to Dr Appelbaum's home, based on the drawings of civil disorder, based on the way the Zizian group behaved, that if these vigilantee tendencies are not constrained then they will again manifest themselves in physical acts of vandalism or violence.

Please watch my video about the law suit.

Kushal Das: A git sign bug

Sun, 26 Apr 2026 08:58:55 +0000

While working on the new git signing feature for tumpa-cli I noticed that some of the commits can not be verified. For a moment I freaked out and then thought it must be a problem in my code. But, I could not dig enough. Opus 4.7 helped me to find the eaxct commit in git's history and a reproducer. I reported the issue to the maintainers and they are working on a fix.

\xc2\xa7 aka ยง was the cause for me.

	msg.txt body	sign stdin (tee'd)	stored commit body	verify
git 2.43 (host)	`... 20 a7 0a`	`... 20 c2 a7 0a`	`... 20 c2 a7 0a`	OK
git 2.53 (CI, docker)	`... 20 a7 0a`	`... 20 a7 0a`	`... 20 c2 a7 0a`	BAD

git 2.43 transcoded the message to UTF-8 BEFORE calling the signer; signer and storage saw the same bytes (c2 a7). git 2.53 hands the signer the RAW bytes (a7) and transcodes only on the way to the commit object (c2 a7). The invariant "bytes fed to gpg.program at sign time equal the bytes a verifier sees when it reads the commit back" is broken.

git config i18n.commitEncoding iso-8859-1 is supposed to be the configuration if we have non UTF-8 characters. But, I never knew about this configuration before I found the bug.

I want to thank my friends in Anthropic for letting me use the tools and techonology to keep building.

Luca Ciavatta: An Introduction to the Linux Operating System

Sat, 25 Apr 2026 15:05:39 +0000

The Linux operating system represents one of the most significant technological achievements in modern computing. From powering enterprise-grade servers to running embedded systems and smartphones, Linux has become a cornerstone of digital infrastructure. Unlike proprietary operating systems, Linux is open-source, meaning its source code is freely available, modifiable, and distributable. This openness has fostered a global ecosystem of developers, organizations, and communities contributing to its rapid evolution.

Originally created in 1991 by Linus Torvalds, Linux was inspired by UNIX, a multi-user, multitasking operating system developed in the 1970s at AT&T Bell Labs . Today, Linux is not just an operating system but a family of systems—commonly referred to as distributions—that serve a wide variety of computing needs.

Linus Torvalds | Linux was inspired by UNIX

Historical Background

UNIX Foundations

To understand Linux, one must first examine UNIX. UNIX introduced key principles such as modular design, multi-user capabilities, and multitasking, which influenced nearly all modern operating systems . These principles include:

Separation of concerns
Use of simple tools that perform specific tasks
File-based abstraction of system resources

Linux adopted these design philosophies while remaining independent in implementation.

Birth of Linux

Linus Torvalds developed the Linux kernel as a personal project while studying at the University of Helsinki. Initially intended as a free alternative to MINIX, Linux quickly attracted contributions from developers worldwide.

The GNU Project, which had already developed essential tools like compilers and shells, complemented the Linux kernel. Together, they formed what is commonly referred to as a GNU/Linux system.

Growth and Adoption

Over time, Linux evolved from a hobbyist system into a dominant force in computing:

Late 1990s: Adoption in server environments
Early 2000s: Enterprise support (e.g., Red Hat, SUSE)
2010s onward: Dominance in cloud computing, mobile (Android), and DevOps

Today, Linux powers the majority of web servers, supercomputers, and cloud infrastructures.

Linux | A Terminal session

What is Linux?

Linux is often described as a Unix-like operating system, but technically it refers to the kernel, the core component responsible for managing hardware resources and enabling communication between software and hardware .

A complete Linux operating system includes:

The Linux kernel
System libraries
Shell interfaces
Utilities and applications

These components together form a fully functional computing environment.

Architecture of Linux

Linux follows a layered architecture that separates concerns and ensures modularity. The primary components include:

Kernel

The kernel is the heart of the system. Its responsibilities include:

Process management
Memory management
Device drivers
File system management

It ensures that multiple applications can run concurrently without interfering with each other .

Linux uses a monolithic kernel architecture, meaning that most services run in kernel space, offering high performance but requiring careful design to maintain stability.

Linux | Architecture of Linux

System Libraries

System libraries provide an interface between applications and the kernel. They simplify development by offering reusable functions for common operations.

For example:

File I/O operations
Memory allocation
Process control

These libraries abstract low-level kernel interactions.

Shell

The shell is the command-line interface (CLI) that allows users to interact with the system. It interprets commands and executes them through the kernel.

Popular shells include:

Bash
Zsh
Fish

The shell is particularly powerful in Linux due to scripting capabilities.

Hardware Layer

This layer includes physical components such as:

CPU
RAM
Storage devices
Input/output devices

The kernel communicates with hardware via device drivers.

System Utilities

System utilities are essential tools for managing the system:

Package managers (APT, DNF)
Monitoring tools (top, htop)
File management tools (ls, cp, rm)

These utilities simplify system administration tasks.

Ubuntu | A popular Linux distro

Linux Distributions

A Linux distribution (distro) is a complete operating system built around the Linux kernel, bundled with software, libraries, and tools.

Key Components of a Distribution

Kernel
Package manager
Desktop environment (optional)
Default applications

Popular Distributions

There are over 600 Linux distributions available . Some widely used examples include:

Ubuntu – beginner-friendly
Debian – stable and reliable
Fedora – cutting-edge technology
Arch Linux – highly customizable
Kali Linux – cybersecurity-focused
openSUSE – top notch European distro

Each distribution is tailored to specific use cases, such as servers, desktops, or embedded systems.

Key Features of Linux

Open Source

Linux is distributed under open-source licenses, allowing users to:

Modify source code
Redistribute software
Customize systems

This fosters innovation and collaboration.

Multiuser and Multitasking

Linux supports multiple users simultaneously and can run multiple processes concurrently, ensuring efficient resource utilization.

Security

Linux is known for its strong security model:

User permission systems
File access controls
SELinux and AppArmor frameworks

These features make Linux ideal for servers and enterprise environments.

Stability and Performance

Linux systems are highly stable and can run for long periods without rebooting. This makes them suitable for mission-critical applications.

Portability

Linux runs on a wide range of hardware architectures, including:

x86
ARM
RISC-V

Linux File System

Linux uses a hierarchical file system structure rooted at /.

Directory Structure

Key directories include:

/home – user files
/etc – configuration files
/bin – essential binaries
/var – variable data (logs, caches)

File Permissions

Each file has permissions for:

Owner
Group
Others

Permissions include read (r), write (w), and execute (x).

Linux Commands and CLI

The command-line interface is a defining feature of Linux.

Common Commands

ls – list files
cd – change directory
pwd – print working directory
cp, mv, rm – file operations

Advanced Tools

grep – text search
awk, sed – text processing
top – process monitoring

Mastering these commands enables efficient system management .

Package Management

Linux distributions use package managers to install and manage software.

Examples

APT (Debian-based systems)
DNF (Fedora-based systems)
Pacman (Arch Linux)
Zypper (openSUSE)

Advantages

Dependency resolution
Easy updates
Secure repositories

Applications of Linux

Linux is used across diverse domains:

Servers and Cloud Computing

Linux powers most web servers and cloud platforms due to its stability and security .

Software Development

Developers prefer Linux for:

Native support for programming languages
Powerful command-line tools
Integration with DevOps pipelines

Cybersecurity

Distributions like Kali Linux are widely used for penetration testing and digital forensics.

Embedded Systems and IoT

Linux runs on routers, smart devices, and industrial systems due to its lightweight nature.

Supercomputers

Most of the world’s supercomputers run Linux because of its scalability and performance.

Advantages and Disadvantages

Advantages

Free and open-source
High security
Customizable
Strong community support

Disadvantages

Steep learning curve for beginners
Limited support for some proprietary software
Hardware compatibility issues (rare but possible)

Linux vs Other Operating Systems

Linux vs Windows

Feature	Linux	Windows
Cost	Free	Paid
Customization	High	Limited
Security	Strong	Moderate
Ease of Use	Moderate	High

Linux vs macOS

macOS is Unix-based (BSD) but proprietary, while Linux is open-source and more customizable.

Linux in Modern Computing

Linux plays a central role in:

Cloud computing (AWS, Azure, Google Cloud)
Containerization (Docker, Kubernetes)
Artificial Intelligence and machine learning
Edge computing

Its flexibility makes it indispensable in modern IT infrastructures.

Future of Linux

The future of Linux is promising, driven by:

Growth in cloud computing
Expansion of IoT devices
Increased demand for open-source solutions

Emerging trends include:

Integration with AI systems
Enhanced security frameworks
Improved user-friendly distributions

Conclusion

Linux is more than just an operating system—it is a paradigm of open collaboration and technological innovation. Its modular architecture, flexibility, and robustness make it suitable for virtually every computing environment, from embedded devices to supercomputers.

As technology continues to evolve, Linux remains at the forefront, powering critical systems and enabling innovation across industries. For computer scientists, developers, and IT professionals, understanding Linux is not just beneficial—it is essential.

References

An introduction to Linux – IBM | https://www.ibm.com/think/topics/linux

What is Linux? – OpenSource | https://opensource.com/resources/linux

Looking to get started in Linux? – Linux.Com | https://www.linux.com/what-is-linux/

What Is Linux – GeeksForGeeks | https://www.geeksforgeeks.org/linux-unix/what-is-linux/

Linux Operating System – RedHat | https://www.redhat.com/en/topics/linux/what-is-linux

The post An Introduction to the Linux Operating System appeared first on cialu.net.

Michael Catanzaro: git config am.threeWay

Fri, 24 Apr 2026 22:57:22 +0000

If you work with patches and git am, then you’re probably used to seeing patches fail to apply. For example:

$ git am CVE-2025-14512.patch
Applying: gfileattribute: Fix integer overflow calculating escaping for byte strings
error: patch failed: gio/gfileattribute.c:166
error: gio/gfileattribute.c: patch does not apply
Patch failed at 0001 gfileattribute: Fix integer overflow calculating escaping for byte strings
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config set advice.mergeConflict false"

This is sad and frustrating because the entire patch has failed, and now you have to apply the entire thing manually. That is no good.

Here is the solution, which I wish I had learned long ago:

$ git config --global am.threeWay true

This enables three-way merge conflict resolution, same as if you were using git cherry-pick or git merge. For example:

$ git am CVE-2025-14512.patch
Applying: gfileattribute: Fix integer overflow calculating escaping for byte strings
Using index info to reconstruct a base tree...
M	gio/gfileattribute.c
Falling back to patching base and 3-way merge...
Auto-merging gio/gfileattribute.c
CONFLICT (content): Merge conflict in gio/gfileattribute.c
error: Failed to merge in the changes.
Patch failed at 0001 gfileattribute: Fix integer overflow calculating escaping for byte strings
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config set advice.mergeConflict false"

Now you have merge conflicts, which you can handle as usual. This seems like a better default for pretty much everybody, so if you use git am, you should probably enable it.

I’ve no doubt that many readers will have known about this already, but it’s new to me, and it makes me happy, so I wanted to share. You’re welcome, Internet!

Tadej Janež: Modernize your Bash prompt colors

Fri, 24 Apr 2026 16:52:00 +0000

Do you still use the default green-colored Bash prompt?

Then it's time to upgrade to a much improved shell UX using the Bash Color Prompt (bcp).

Results:

Before

After

Motivation: dealing with multiple Toolbox containers¶

Lately, I've been getting annoyed by my current Bash prompt offering me a poor UX when dealing with multiple Toolbox containers. The prompt lacked crucial information: to which of the running containers a given shell belongs to?

I did a quick search to see if there's an easy fix I'm missing out but it turned out there is a long-standing desire to improve Toolbox's UX in this respect and multiple approaches have been discussed/tried. Here are some relevant tickets:

Making Toolbox containers set container name as hostname: Rejected as unsuitable.
Offer a better way to visually distinguish between containers: Currently still open.
Expose the name of the current toolbox container: Closed, but one still needs to manually extract information from /run/.containerenv file and set the Bash prompt according to it.

Discovering the old and new version of Bash Color Prompt¶

After looking around on how to update my Bash prompt to become "container name"-aware, I came across Fedora's shell-color-prompt package which was conveniently just a dnf install bash-color-prompt away (strangely, the source package is named shell-color-prompt while the binary package is named bash-color-prompt, see also RHBZ #2291024).

My attempts at configuring the Bash prompt to be "container name"-aware with the help of shell-color-prompt didn't look very promising.

I had a little epiphany when discovering that shell-color-prompt's maintainer, Jens Petersen, recently wrote a replacement for it: namely Bash Color Prompt (bcp). Jens describes it as having a cleaner declarative approach for creating one's custom Bash prompt.

Setting up the new version of Bash Color Prompt¶

Seeing how easy Bash Color Prompt (bcp)'s example.bashrc.sh looked like, I decided to give it a try.

It worked and its declarative approach at creating a custom Bash prompt was really easy to follow and tailor to my needs.

Currently, until the new version of Bash Color Prompt (bcp) is packaged in Fedora (and other distributions), a simple way to install it is to just grab the bash-color-prompt.sh file directly from its GitHub repository and put it somewhere in your home directory.

Afterwards, just source and configure it in your .bashrc file. Here is how I've done it:

# Use the new Bash Color Prompt (bcp) by Jens Petersen (Red Hat) to handle PS1.
# NOTE: Temporarily, I've just copied the script from:
# https://github.com/juhp/bash-color-prompt/blob/main/bash-color-prompt.sh
if [ -f $HOME/bash-color-prompt.sh ]; then
    source $HOME/bash-color-prompt.sh
fi
# Configure bcp.
bcp_layout() {
    local exit_code=$1

    # hexagon
    bcp_container

    # opening [
    bcp_append "["

    # user@host or user@container(host)
    local user_color="green"
    if [[ $EUID -eq 0 ]]; then user_color="red"; fi
    local machine="\h"
    if [ -f /run/.containerenv ]; then
        container_name=$(grep -oP '(?<=name=")[^"]+' /run/.containerenv)
        machine="$container_name(\h)"
    fi
    bcp_append "\u@$machine " "$user_color;bold"
    bcp_title "\u@$machine:\w"

    # directory
    bcp_append "\w" "blue"

    # git status
    bcp_git_branch " " "magenta" "yellow"

    # status indicator
    if [[ $exit_code -ne 0 ]]; then
        bcp_append " âœ˜$exit_code" "red;bold"
    fi

    # actual prompt char
    bcp_append "]\$ " "default"
}
# Initialize bcp.
bcp_init

Remi Collet: 🎲 PHP version 8.4.21RC1 and 8.5.6RC1

Fri, 24 Apr 2026 04:58:00 +0000

RPMs of PHP version 8.5.6RC1 are available

as base packages in the remi-modular-test for Fedora 42-44 and Enterprise Linux ≥ 8
as SCL in remi-test repository

RPMs of PHP version 8.4.21RC1 are available

as base packages in the remi-modular-test for Fedora 42-44 and Enterprise Linux ≥ 8
as SCL in remi-test repository

ℹ️ The packages are available for x86_64 and aarch64.

ℹ️ PHP version 8.3 is now in security mode only, so no more RC will be released.

ℹ️ Installation: follow the wizard instructions.

ℹ️ Announcements:

Parallel installation of version 8.5 as Software Collection:

yum --enablerepo=remi-test install php85

Parallel installation of version 8.4 as Software Collection:

yum --enablerepo=remi-test install php84

Update of system version 8.5:

dnf module switch-to php:remi-8.5
dnf --enablerepo=remi-modular-test update php\*

Update of system version 8.4:

dnf module switch-to php:remi-8.4
dnf --enablerepo=remi-modular-test update php\*

ℹ️ Notice:

version 8.5.4RC1 is in Fedora rawhide for QA
EL-10 packages are built using RHEL-10.1 and EPEL-10.1
EL-9 packages are built using RHEL-9.7 and EPEL-9
EL-8 packages are built using RHEL-8.10 and EPEL-8
oci8 extension uses the RPM of the Oracle Instant Client version 23.9 on x86_64 and aarch64
intl extension uses libicu 74.2
RC version is usually the same as the final version (no change accepted after RC, exception for security fix).
versions 8.4.19 and 8.5.4 are planed for March 12th, in 2 weeks.

Software Collections (php84, php85)

Base packages (php)

Adam Young: Selecting a subset of files for ctags

Thu, 23 Apr 2026 17:11:24 +0000

I usually don’t want all of the files in the linux Kernel for my ctags. Sometimes I want a cvery small subset: a set of C files and the included header files.

#!/bin/sh

for CFILE in drivers/net/mctp/mctp-pcc.c drivers/mailbox/mailbox.c drivers/mailbox/pcc.c drivers/mailbox/mailbox.h
do
        echo $CFILE
        for HFILE in `grep "#include <" $CFILE | cut -f2 -d '<' | sed 's/.$//' `
                do
                        echo include/$HFILE
                done
done

Call it using

 ctags ` ~/ctag-select.sh | sort -u `

Guillaume Kulakowski: mTLS avec Cloudflare : mise en œuvre et intégration avec Prometheus

Thu, 23 Apr 2026 06:33:26 +0000

Dans cet article, je détaille la mise en place d’une authentification mTLS avec Cloudflare afin de sécuriser l’accès à mes métriques Prometheus. Un cas concret avec reverse proxy Apache et intégration dans Grafana.

Tony Asleson: RasterLab: Building an Image Editor with Claude Code

asleson@gmail.com (tony dot (Tony Asleson) — Thu, 23 Apr 2026 00:00:00 +0000

The question was simple enough: How good of an image editor can you build with $20 worth of Claude Code Pro subscription?

The answer, after one month and roughly that budget, is: surprisingly good, occasionally wrong about performance, and frustratingly confident about things it hadn’t measured.

RasterLab is a non-destructive RAW image editor written in Rust, built almost entirely by Claude Code. Not prototyped by it, not scaffolded by it — actually built by it, with me driving direction and reviewing the output. One month, four weekly usage blocks, one image editor.

Mark J. Wielaard: Anticipating Valgrind 3.27.0

Mon, 20 Apr 2026 16:10:19 +0000

We’ll release Valgrind 3.27.0 later today. While making sure the NEWS file was up to date I wrote about all the contributions made this release.

Thanks all, and apologies if I missed something or someone.

Aaron Merey added two new options to helgrind.

To control helgrind tracing of internal synchronization, threading and memory events use –show-events=1|2|3.

Use –track-destroy=no|yes|all to checks for missing pthread_mutex_destroy and pthread_rwlock_destroy calls. With yes, helgrind warns when pthread_mutex_init or pthread_rwlock_init is called on the address of a live (undestroyed) lock. With all, Helgrind also reports undestroyed locks at process exit.

Valgrind has separate VEX IR translators for AMD64 and x86 (32 bit) code. While the AMD64 translator has seen support for new encodings and instruction sets, the x86 translator has not.

Alexandra Hájková decided to port the SSE4.1 instruction set from the AMD64 translator to the x86 translator and add backend support. This is ongoing work, see the bug dependency tree.

But many more 32bit programs using SSE4.1 should now run under Valgrind.

Andreas Arnez and Florian Krohm did a lot of work on the s390x support.

Andreas added support for new s390x z/Architecture features from the 15th edition. This enables running binaries compiled with -march=arch15 or -march=z17 and exploiting the new MSA extensions 10-13.

Florian Krohm integrated binutils objdump for s390x disassembly in VEX. And did a lot of s390x code and facilities cleanups.
s390x machine models older than z196 are no longer supported.

Andreas also showed there are still meaningful optimizations to be made on how memcheck tracks undefinedness bits as outlined in the original “Using Valgrind to detect undefined value errors with bit-precision” paper.

His optimization of memcheck instrumenting a bitwise AND/OR with a constant is clever and simplifies the generated code.

Martin Cermak maintains the Linux Test Program (LTP) valgrind integration, which checks our syscall wrappers work correctly. And he makes sure newer linux syscalls are wrapped. Valgrind 3.27.0 adds support for file_getattr, file_setattr, lsm_get_self_attr, lsm_set_self_attr, lsm_list_modules. And corrects various syscall and ioctl corner cases.

Martin also added Valgrind address space manager support for tracking linux kernel lightweight guard pages, created through madvise (MADV_GUARD_INSTALL).

These guard pages are very low overhead for the kernel because they aren’t tracked as separate VMAs and don’t show up in the process proc maps. But Valgrind does still need to know whether the addresses are accessible. A new –max-guard-pages option controls the memory Valgrind reserves for tracking these pages.

Paul Floyd had more commits than all others combined for this release. Paul takes care of the alternative toolchains, Solaris/illumos, FreeBSD and Darwin/MacOS ports.

Tested Oracle Solaris 11.4, OpenIndiana Hipster and OmniOS.
FreeBSD works on both amd64 and arm64, support for 16.0-CURRENT has been added.

Supported MacOS versions, 10.13 (bug fixes), 10.14, 10.15, 11.0 (Intel only), 12.0 (Intel only), 13.0 (Intel only, preliminary). No arm64 support yet.

A lot of code in valgrind 3.27.0 to support MacOS was previously maintained by Louis Brunner out of tree.

There are two new client requests (macros defined in valgrind.h)

VALGRIND_REPLACES_MALLOC Returns 1 if the tool replaces malloc (e.g., memcheck). Returns 0 if the tool does not replace malloc (e.g., cachegrind and callgrind) or if the executable is not running under Valgrind.
VALGRIND_GET_TOOLNAME Get the running tool name as a string. Takes two arguments, an input buffer pointer and the length of that buffer.

Allan Day: GNOME Foundation Update, 2026-04-17

Fri, 17 Apr 2026 15:22:14 +0000

Welcome to another update about everything that’s been happening at the GNOME Foundation. It’s been four weeks since my last post, due to a vacation and public holidays, so there’s lots to cover. This period included a major announcement, but there’s also been a lot of other notable work behind the scenes.

Fellowship & Fundraising

The really big news from the last four weeks was the launch of our new Fellowship program. This is something that the Board has been discussing for quite some time, so we were thrilled to be able to make the program a reality. We are optimistic that it will make a significant difference to the GNOME project.

If you didn’t see it already, check out the announcement for details. Also, if you want to apply to be our first Fellow, you have just three days until the application deadline on 20th April!

donate.gnome.org has been a great success for the GNOME Foundation, and it is only through the support of our existing donors that the Fellowship was possible. Despite these amazing contributions, the GNOME Foundation needs to grow our donations if we are going to be able to support future Fellowship rounds while simultaneously sustaining the organisation.

To this end, there’s an effort happening to build our marketing and fundraising effort. This is primarily taking place in the GNOME Engagement Team, and we would love help from the community to help boost our outbound comms. If you are interested, please join the Engagement space and look out for announcements.

Also, if you haven’t already, and are able to do so: please donate!

Conferences

We have two major events coming up, with Linux App Summit in May and GUADEC in July, so right now is a busy time for conferences.

The schedules for both of these upcoming events are currently being worked on, and arrangements for catering, photographers, and audio visual services are all in the process of being finalized.

The Travel Committee has also been busy handling GUADEC travel requests, and has sent out the first batch of approvals. There are some budget pressures right now due to rising flight prices, but budget has been put aside for more GUADEC travel, so please apply if you want to attend and need support.

April 2026 Board Meeting

This week was the Board’s regular monthly meeting for April. Highlights from the meeting included:

I gave a general report on the Foundation’s activities, and we discussed progress on programs and initiatives, including the new Fellowship program and fundraising.
Deepa gave a finance report for October to December 2025.
Andrea Veri joined us to give an update on the Membership & Elections Committee, as well as the Infrastructure team. Andrea has been doing this work for a long time and has been instrumental in helping to keep the Foundation running, so this was a great opportunity to thank him for his work.
One key takeaway from this month’s discussion was the very high level of support that GNOME receives from our infrastructure partners, particularly AWS and also Fastly. We are hugely appreciative of this support, which represents a major financial contribution to GNOME, and want to make sure that these partners get positive exposure from us and feel appreciated.
We reviewed the timeline for the upcoming 2026 board elections, which we are tweaking a little this year, in order to ensure that there is opportunity to discuss every candidacy, and reduce some unnecessary delay in final result.

Infrastructure

As usual, plenty has been happening on the infrastructure side over the past month. This has included:

Ongoing work to tune our Fastly configuration and managing the resource usage of GNOME’s infra.
Deployment of a LiberaForms instance on GNOME infrastructure. This is hooked up to GNOME’s SSO, so is available to anyone with an account who wants to use it – just head over to forms.gnome.org to give it a try.
Changes to the Foundation’s internal email setup, to allow easier management of the generic contact email addresses, as well as better organisation of the role-based email addresses that we have.
New translation support for donate.gnome.org.
Ongoing work in Flathub, around OAuth and flat-manager.

Admin & Finance

On the accounting side, the team has been busy catching up on regular work that got put to one side during last month’s audit. There were some significant delays to our account process as a result of this, but we are now almost up to date.

Reorganisation of many of our finance processes has also continued over the past four weeks. Progress has included a new structure and cadence for our internal accounting calls, continued configuration of our new payments platform, and new forms for handling reimbursement requests.

Finally, we have officially kicked off the process of migrating to our new physical mail service. Work on this is ongoing and will take some time to complete. Our new address is on the website, if anyone needs it.

That’s it for this report! Thanks for reading, and feel free to use the comments if you have questions!