Pandemic Situation in India.
I don t know from where I should start. This is probably a good start. I actually would recommend Indiacable as they do attempt to share some things happening in India from day to day but still there is a lot thatt they just can t cover, nobody can cover. There were two reports which kind of shook me all inside. One which sadly came from the UK publication Independent, probably as no Indian publication would dare publish it. The other from Rural India. I have been privileged in many ways, including friends who have asked me if I need any financial help. But seeing reports like above, these people need more help, guidance and help than I.
While I m never one to say give to Foundations. If some people do want to help people from Maharashtra, then moneylifefoundation could be a good place where they could donate. FWIW, they usually use the foundation to help savers and investors be safe and help in getting money when taken by companies with dubious intentions. That is their drive. Two articles show their bent. The first one is about the Algo scam which I have written previously about the same in this blog. Interestingly, when I talk about this scam, all Modi supporters are silent. The other one does give some idea as to why the Govt. is indifferent. That is going to a heavy cross for all relatives to bear. There has been a lot that has been happening. Now instead of being limited to cities, Covid has now gone hinterland in a big way. One could ask also Praveen as he probably knows what would be good for Kerala and surrounding areas.
The biggest change, however, has been that India is now battling not just the pandemic but also Mucormycosis also known as black fungus and its deadlier cousin the white fungus. Mucormycosis came largely due to an ill-advise given that applying cow dung gives protection to Corona. And many applied it due to faith. And people who know science do know that in fact it has that bacteria.
Sadly, those of us who are and were more interested in law, computer science etc. has now also have to keep on top of what is happening in the medical field. It isn t that I hate it, but it has a lot of costs. From what I could gather on various social media and elsewhere, a single injection of anti-fungal for the above costs INR 3k/- and that needs to be 5 times in a day and that course has to be for three weeks. So even the relatively wealthy people can and will become poor in no time. No wonder thousands of those went to UK, US, Dubai or wherever they could find safe-harbor from the pandemic with no plans of arriving back soon.
There was also the whole bit about FBS or Fetal Bovin Serum. India ordered millions of blood serum products from abroad and continues to. This was quickly shut down as news on Social Media. Apparently, it is only the Indian cow which is worthy of reverence. All other cows and their children are fair game according to those in power. Of course, that discussion was quickly shut down as was the discussion about IGP (Indian Genome Project). People over the years had asked me why India never participated for the HGP (Human Gnome Project). I actually had no answer for that. Then in 2020, there was idea of IGP which was put up and then it was quickly shot down as the results could damage a political party s image. In fact, a note to people who want to join Indian civil services tells the reason exactly. While many countries in the world are hypocrites, including the U.S. none can take the place that India has made for itself in that field.
The Online experience
The vaccination process has been made online and has led to severe heartburn and trouble for many including many memes. For e.g.
Daily work, get up, have a bath, see if you got a slot on the app, sleep. People trying desperately to get a slot, taken from Hindi Movie Dilwale Dulhania Le Jaygenge.
Just to explain what is happening, one has to go to the website of cowin. Sharing a screenshot of the same.
Cowin app. sceeenshot
I have deliberately taken a screenshot of the cowin app. in U.P. which is one of the areas where the ruling party, BJP has. I haven t taken my state for the simple reason, even if a slot is open, it is of no use as there are no vaccines. As have been shared in India Cable as well as in many newspapers, it is the Central Govt. which holds the strings for the vaccines. Maharashtra did put up an international tender but to no effect. All vaccine manufacturers want only Central Govt. for purchases for multiple reasons. And GOI is saying it has no money even though recently it got loans as well as a dividend from RBI to the tune of 99k crore. For what all that money is, we have no clue.
Coming back though, to the issue at hand. the cowin app. is made an open api. While normally, people like us should and are happy when an API is open, it has made those who understand how to use git, compile, etc. better than others. A copy of the public repo. of how you can do the same can be found on Github. Now, obviously, for people like me and many others it has ethical issues.
Kiran s Interview in Times of India (TOI)
There isn t much to say apart from I haven t used it. I just didn t want to. It just is unethical. Hopefully, in the coming days GOI does something better. That is the only thing we are surviving on, hope.
The Toolkit saga
A few days before, GOI shared a toolkit apparently made by Congress to defame the party in power. That toolkit was shared before the press and Altnews did the investigation and promptly shredded the claims. Congress promptly made an FIR in Chhattisgarh where it is in power. The gentleman who made the claims Mr. Sambit Patra refused to appear against the police without evidence citing personal reasons and asking 1 week to appear before them. Apart from Altnews which did a great job, sadly many people didn t even know that there is something called WYSIWYG. I had to explain that so many Industries, whether it is politics, creative industries, legal, ad industries, medical transcription, and imaging all use this, and all the participants use the same version of the software. The reason being that in most Industries, there is a huge loss and issue of legal liabilities if something untoward happens. For e.g. if medical transcription is done in India is wrong (although his or her work will be checked by a superior in the West), but for whatever reason is not, and a wrong diagnosis is put (due to wrong color or something) then a patient could die and the firm who does that work could face heavy penalties which could be the death of them.
There is another myth that Congress has unlimited wealth or huge wealth. I asked if that was the case, why didn t they shift to Mac. Of course, none have answers on this one.
There is another reason why they didn t want to appear. The Rona Wilson investigation by Arsenal Experts also has made them cautious. Previously, they had a free run. Nowadays, software forensic tools are available to one and all. For e.g. Debian itself has a good variety of tools for the same. I remember Vipin s sharing few years back. For those who want to start, just install the apps. and try figuring out. Expertise on using the tools takes years though, as you use the tool day in night.
Update 25/05/2021 Apparently because Twitter made and showcased few tweets as Manipulated Media , those in Govt. are and were dead against it. So they conducted a raid against Twitter India headquarters, knowing fully well that there would be nobody except security. The moment I read this, my mind went to the whole Fruit of the poisonous tree legal doctrine. Sadly though, India doesn t recognize it and in fact, still believes in the pre-colonial era that evidence however collected is good. A good explanation of the same can be found here. There are some exceptions to the rule, but they are done so fine that more often than not, they can t be used in the court of law in India. Although a good RTI was shared by Mr. Saket Gokhale on the same issue, which does raise some interesting points
Twitter India Raid, Saket Gokhale RTI 1 Saket Gokhale RTI query , Twitter India Raid 2
FWIW, Saket has been successful in getting his prayers heard either as answers to RTI queries or then following it up in the various High Courts of India. Of course, those who are in the ruling party ridicule him but are unable to find faults in his application of logic. And quite a few times, I have learned from his applications as well as nuances or whatever is there in law, a judgment or a guideline which he invokes in his prayer. For e.g. the Lalitha Kumari Guidelines which the gentleman has shared in his prayer can be found here. Hence now, it would be upto the Delhi Police Cell to prove their case in response to RTI. He has also trapped them as he has shared they can t give excuses/exemptions which they have tried before.
As I had shared earlier, High Courts in India have woken up, whether it is Delhi, Mumbai, Aurangabad, Madhya Pradesh, Uttar Pradesh, Odisha or Kerala. Just today i.e. on 25th May 2021, Justices Bela Trivedi and Justice Kalra had asked how come all the hospitals don t have NOC from the Fire De[partment. They also questioned the ASG (Assistant Solicitor General) as how BU (Building Use Certificate) has been granted as almost all the 400 hospitals are in residential area. To which the ASG replies, it is the same state in almost 4000 schools as well as 6000 odd factories in Ahemdabad alone, leave the rest of the district and state alone. And this is when last year strict instuctions were passed. They chose to do nothing sadly. I will share a link on this when bar and bench gives me
The Hindu also shared the whole raid on twitter saga.
Conclusion
In conclusion, I sincerely do not where we are headed. The only thing I know is that we cannot expect things to be better before year-end and maybe even after that. It all depends on the vaccines and their availability.
After that ruralindia article, I had to see quite a few movies and whatnot just to get that out of my head. And this is apart from the 1600 odd teachers and workers who have died in the U.P. poll duty. Now, what a loss, not just to the family members of the victims, but a whole generation of school children who would not be able to get quality teaching and be deprived of education. What will be their future, God only knows.
The only good Bollywood movie which I saw was Ramprasad ki Teravi . The movie was an accurate representation of most families in and around me. There was a movie called Sansar (1987) which showed the breakup of the joint family and into a nuclear family. This movie could very well have been a continuation of the same. Even Marathi movies which at one time were very progressive have gone back to the same boy, girl love story routine. Sameer, though released in late 2020, was able to see it only recently. Vakeel Saab was an ok copy of Pink . I loved Sameer as, unlike Salman Khan films, it showed pretty much an authentic human struggle of a person who goes to the Middle East without any qualifications and works as a laborer and the trials he goes through. Somehow, Malayalam movies have a knack for showing truth without much of budget. Most of the Indian web series didn t make an impact. I think many of them were just going through the motions, it seems as everybody is concerned with the well-being of their near and dear ones. There was also this (Trigger Warning: This story discusses organized campaigns glorifying and advocating sexual violence against Muslim women.) Hoping people somehow make it to the other side of the pandemic.
Review: Learning React, by Alex Banks & Eve Porcello
Publisher:
O'Reilly
Copyright:
June 2020
ISBN:
1-4920-5172-1
Format:
Trade paperback
Pages:
287
My first JavaScript project was a React frontend to a REST service. As
part of that project, I read two books: JavaScript: The Definitive Guide to learn the language foundation and
this book to learn the framework on top of it. This was an unintentional
experiment in the ways programming books can approach the topic.
I commented in my review of JavaScript: the Definitive Guide that
it takes the reference manual approach to the language. Learning
React is the exact opposite. It's goal-driven, example-heavy, and has a
problem and solution structure. The authors present a sample application,
describe some desired new feature or deficiency in it, and then introduce
the specific React technique that solves that problem. There is some
rewriting of previous examples using more sophisticated techniques, but
most chapters introduce new toy applications along with new parts of the
React framework.
The best part of this book is its narrative momentum, so I think the
authors were successful at their primary goal. The first eight chapters
of the book (more on the rest of the book in a moment) feel like a
whirlwind tour where one concept flows naturally into the next and one's
questions while reading about one technique are often answered in the next
section. I thought the authors tried too hard in places and overdid the
enthusiasm, but it's very readable in a way that I think may appeal to
people who normally find programming books dry. Learning React is
also firm and definitive about the correct way to use React, which may
appeal to readers who only want to learn the preferred way of using the
framework. (For example, React class components are mentioned briefly,
mostly to tell the reader not to use them, and the rest of the book only
uses functional components.)
I had two major problems with this book, however. The first is that this
breezy, narrative style turns out to be awful when one tries to use it as
a reference. I read through most of this book with both enjoyment and
curiosity, sat down to write a React component, and immediately struggled
to locate the information I needed. Everything felt logically connected
when I was focusing on the problems the authors introduced, but as soon as
I started from my own problem, the structure of the book fell apart. I
had to page through chapters to locate some nugget buried in the text, or
re-read sections of the book to piece together which motivating problem my
code was most similar to. It was a frustrating experience.
This may be a matter of learning style, since this is why I prefer
programming books with a reference structure. But be warned that I can't
recommend this book as a reference while you're programming, nor does it
prepare you to use the official React documentation as a reference.
The second problem is less explicable and less defensible. I don't know
what happened with O'Reilly's copy-editing for this book, but the code
snippets are a train wreck. The Amazon reviews are full of people
complaining about typos, syntax errors, omitted code, and glaring logical
flaws, and they are entirely correct. It's so bad that I was left
wondering if a very early, untested draft of the examples was somehow
substituted into the book at the last minute by mistake.
I'm not the sort of person who normally types code in from a book, so I
don't care about a few typos or obvious misprints as long as the
general shape is correct. The general shape was not correct. In a few
places, the code is so completely wrong and incomplete that even combined
with the surrounding text I was unable to figure out what it was supposed
to be. It's possible this is fixed in a later printing (I read the June
2020 printing of the second edition), but otherwise beware. The authors
do include a link to a GitHub repository of the code samples, which are
significantly different than what's printed in the book, but that
repository is incomplete; many of the later chapter examples are only
links to JavaScript web sandboxes, which bodes poorly for the longevity of
the example code.
And then there's chapter nine of this book, which I found entirely
baffling. This is a direct quote from the start of the chapter:
This is the least important chapter in this book. At least, that's
what we've been told by the React team. They didn't specifically say,
"this is the least important chapter, don't write it." They've only
issued a series of tweets warning educators and evangelists that much
of their work in this area will very soon be outdated. All of this
will change.
This chapter is on suspense and error boundaries, with a brief mention of
Fiber. I have no idea what I'm supposed to do with this material as a
reader who is new to React (and thus presumably the target audience).
Should I use this feature? When? Why is this material in the book at
all when it's so laden with weird stream-of-consciousness disclaimers?
It's a thoroughly odd editorial choice.
The testing chapter was similarly disappointing in that it didn't answer
any of my concrete questions about testing. My instinct with testing UIs
is to break out Selenium and do integration testing with its backend, but
the authors are huge fans of unit testing of React applications. Great, I
thought, this should be interesting; unit testing seems like a poor fit
for UI code because of how artificial the test construction is, but maybe
I'm missing some subtlety. Convince me! And then the authors... didn't
even attempt to convince me. They just asserted unit testing is great and
explained how to write trivial unit tests that serve no useful purpose in
a real application. End of chapter. Sigh.
I'm not sure what to say about this book. I feel like it has so many
serious problems that I should warn everyone away from it, and yet the
narrative introduction to React was truly fun to read and got me excited
about writing React code. Even though the book largely fell apart as a
reference, I still managed to write a working application using it as my
primary reference, so it's not all bad. If you like the problem and
solution style and want a highly conversational and informal tone (that
errs on the side of weird breeziness), this may still be the book for you.
Just be aware that the code examples are a trash fire, so if you learn
from examples, you're going to have to chase them down via the GitHub
repository and hope that they still exist (or get a later edition of the
book where this problem has hopefully been corrected).
Rating: 6 out of 10
A new website containing introductory videos and slide decks is now available for your perusal at ess-intro.github.io. It provides a series of introductions to the excellent Emacs Speaks Statistics (ESS) mode for the Emacs editor.
This effort started following my little tips, tricks, tools and toys series of short videos and slide decks for the command-line and R, broadly-speaking . Which I had mentioned to friends curious about Emacs, and on the ess-help mailing list. And lo and behold, over the fall and winter sixteen of us came together in one GitHub org and are now proud to present the initial batch of videos about first steps, installing, using with spaceemacs, customizing, and org-mode with ESS. More may hopefully fellow, the group is open and you too can join: see the main repo and its wiki.
This is in fact the initial announcement post, so it is flattering that we have already received over 350 views, four comments and twenty-one likes.
We hope it proves to be a useful starting point for some of you. The Emacs editor is quite uniquely powerful, and coupled with ESS makes for a rather nice environment for programming with data, or analysing, visualising, exploring, data. But we are not zealots: there are many editors and environments under the sun, and most people are perfectly happy with their choice, which is wonderful. We also like ours, and sometimes someone asks tell me more or how do I start . We hope this series satisifies this initial curiousity and takes it from here.
With that, my thanks to Fr d ric, Alex, Tyler and Greg for the initial batch, and for everybody else in the org who chipped in with comments and suggestion. We hope it grows from here, so happy Emacsing with R from us!
I released version 2.6 of ledger2beancount, a ledger to beancount converter.
Here are the changes in 2.6:
Round calculated total if needed for price==cost comparison
Add narration_tag config variable to set narration from metadata
Retain unconsummated payee/payer metadata
Ensure UTF-8 output and assume UTF-8 input
Document UTF-8 issue on Windows systems
Add option to move posting-level tags to the transaction itself
Add support for the alias sub-directive of account declarations
Add support for the payee sub-directive of account declarations
Support configuration file called .ledger2beancount.yaml
Fix uninitialised value warning in hledger mode
Print warning if account in assertion has sub-accounts
Set commodity for commodity-less balance assertion
Expand path name of beancount_header config variable
Document handling of buckets
Document pre- and post-processing examples
Add Dockerfile to create Docker image
Thanks to Alexander Baier, Daniele Nicolodi, and GitHub users bratekarate, faaafo and mefromthepast for various bug reports and other input.
Thanks to Dennis Lee for adding a Dockerfile and to Vinod Kurup for fixing a bug.
Thanks to Stefano Zacchiroli for testing.
You can get ledger2beancount from GitHub.
Host to Kanchenjunga, the world s third-highest mountain peak and the endangered Red Panda, Sikkim is a state in northeastern India. Nestled between Nepal, Tibet (China), Bhutan and West Bengal (India), the state offers a smorgasbord of cultures and cuisines. That said, it s hardly surprising that the old spice route meanders through western Sikkim, connecting Lhasa with the ports of Bengal. Although the latter could also be attributed to cardamom (kali elaichi), a perennial herb native to Sikkim, which the state is the second-largest producer of, globally. Lastly, having been to and lived in India, all my life, I can confidently say Sikkim is one of the cleanest & safest regions in India, making it ideal for first-time backpackers.
Brief History
17th century: The Kingdom of Sikkim is founded by the Namgyal dynasty and ruled by Buddhist priest-kings known as the Chogyal.
1890: Sikkim becomes a princely state of British India.
1947: Sikkim continues its protectorate status with the Union of India, post-Indian-independence.
1973: Anti-royalist riots take place in front of the Chogyal's palace, by Nepalis seeking greater representation.
1975: Referendum leads to the deposition of the monarchy and Sikkim joins India as its 22nd state.
Languages
Official: English, Nepali, Sikkimese/Bhotia and Lepcha
Though Hindi and Nepali share the same script (Devanagari), they are not mutually intelligible. Yet, most people in Sikkim can understand and speak Hindi.
Ethnicity
Nepalis: Migrated in large numbers (from Nepal) and soon became the dominant community
Bhutias: People of Tibetan origin. Major inhabitants in Northern Sikkim.
Lepchas: Original inhabitants of Sikkim
Food
Tibetan/Nepali dishes (mostly consumed during winter)
Thukpa: Noodle soup, rich in spices and vegetables. Usually contains some form of meat. Common variations: Thenthuk and Gyathuk
Momos: Steamed or fried dumplings, usually with a meat filling.
Saadheko: Spicy marinated chicken salad.
Gundruk Soup: A soup made from Gundruk, a fermented leafy green vegetable.
Sinki : A fermented radish tap-root product, traditionally consumed as a base for soup and as a pickle. Eerily similar to Kimchi.
While pork and beef are pretty common, finding vegetarian dishes is equally easy.
Staple: Dal-Bhat with Subzi. Rice is a lot more common than wheat (rice) possibly due to greater carb content and proximity to West Bengal, India s largest producer of Rice.
Good places to eat in Gangtok
Hamro Bhansa Ghar, Nimtho (Nepali)
Taste of Tibet
Dragon Wok (Chinese & Japanese)
Buddhism in Sikkim
Bayul Demojong (Sikkim), is the most sacred Land in the Himalayas as per the belief of the Northern Buddhists and various religious texts.
Sikkim was blessed by Guru Padmasambhava, the great Buddhist saint who visited Sikkim in the 8th century and consecrated the land.
However, Buddhism is said to have reached Sikkim only in the 17th century with the arrival of three Tibetan monks viz. Rigdzin Goedki Demthruchen, Mon Kathok Sonam Gyaltshen & Rigdzin Legden Je at Yuksom. Together, they established a Buddhist monastery.
In 1642 they crowned Phuntsog Namgyal as the first monarch of Sikkim and gave him the title of Chogyal, or Dharma Raja.
The faith became popular through its royal patronage and soon many villages had their own monastery.
Today Sikkim has over 200 monasteries.
Major monasteries
Rumtek Monastery, 20Km from Gangtok
Lingdum/Ranka Monastery, 17Km from Gangtok
Phodong Monastery, 28Km from Gangtok
Ralang Monastery, 10Km from Ravangla
Tsuklakhang Monastery, Royal Palace, Gangtok
Enchey Monastery, Gangtok
Tashiding Monastery, 35Km from Ravangla
Reaching Sikkim
Gangtok, being the capital, is easiest to reach amongst other regions, by public transport and shared cabs.
About 20 minutes from Siliguri and 4 hours from Gangtok.
Reserved cabs cost about INR 3000. Shared cabs from INR 350.
By Road:
NH10 connects Siliguri to Gangtok
If you can t find buses plying to Gangtok directly, reach Siliguri and then take a cab to Gangtok.
Sikkim Nationalised Transport Div. also runs hourly buses between Siliguri and Gangtok and daily buses on other common routes. They re cheaper than shared cabs.
Wizzride also operates shared cabs between Siliguri/Bagdogra/NJP, Gangtok and Darjeeling. They cost about the same as shared cabs but pack in half as many people in luxury cars (Innova, Xylo, etc.) and are hence more comfortable.
The easiest & most economical way to explore North Sikkim is the 3D/2N package offered by shared-cab drivers.
This includes food, permits, cab rides and accommodation (1N in Lachen and 1N in Lachung)
The accommodation on both nights are at homestays with bare necessities, so keep your hopes low.
In the spirit of sustainable tourism, you ll be asked to discard single-use plastic bottles, so please carry a bottle that you can refill along the way.
Zero Point and Gurdongmer Lake are snow-capped throughout the year
3D/2N Shared-cab Package Itinerary
Day 1
Gangtok (10am) - Chungthang - Lachung (stay)
Day 2
Pre-lunch : Lachung (6am) - Yumthang Valley [12,139ft] - Zero Point - Lachung [15,300ft]
Post-lunch : Lachung - Chungthang - Lachen (stay)
Day 3
Pre-lunch : Lachen (5am) - Kala Patthar - Gurdongmer Lake [16,910ft] - Lachen
Post-lunch : Lachen - Chungthang - Gangtok (7pm)
This itinerary is idealistic and depends on the level of snowfall.
Some drivers might switch up Day 2 and 3 itineraries by visiting Lachen and then Lachung, depending upon the weather.
Areas beyond Lachen & Lachung are heavily militarized since the Indo-China border is only a few miles away.
East Sikkim
Zuluk and Silk Route
Time needed: 2D/1N
Zuluk [9,400ft] is a small hamlet with an excellent view of the eastern Himalayan range including the Kanchenjunga.
Was once a transit point to the historic Silk Route from Tibet (Lhasa) to India (West Bengal).
The drive from Gangtok to Zuluk takes at least four hours. Hence, it makes sense to spend the night at a homestay and space out your trip to Zuluk
Tsomgo Lake and Nathula
Time Needed : 1D
A Protected Area Permit is required to visit these places, due to their proximity to the Chinese border
Located on the Indo-Tibetan border crossing of the Old Silk Route, it is one of the three open trading posts between India and China.
Plays a key role in the Sino-Indian Trade and also serves as an official Border Personnel Meeting(BPM) Point.
May get cordoned off by the Indian Army in event of heavy snowfall or for other security reasons.
West Sikkim
Time needed: 3N/1N
Hostels at Pelling : Mochilerro Ostillo
Itinerary
Day 1: Gangtok - Ravangla - Pelling
Leave Gangtok early, for Ravangla through the Temi Tea Estate route.
Spend some time at the tea garden and then visit Buddha Park at Ravangla
Head to Pelling from Ravangla
Day 2: Pelling sightseeing
Hire a cab and visit Skywalk, Pemayangtse Monastery, Rabdentse Ruins, Kecheopalri Lake, Kanchenjunga Falls.
Day 3: Pelling - Gangtok/Siliguri
Wake up early to catch a glimpse of Kanchenjunga at the Pelling Helipad around sunrise
Head back to Gangtok on a shared-cab
You could take a bus/taxi back to Siliguri if Pelling is your last stop.
Darjeeling
In my opinion, Darjeeling is lovely for a two-day detour on your way back to Bagdogra/Siliguri and not any longer (unless you re a Bengali couple on a honeymoon)
Once a part of Sikkim, Darjeeling was ceded to the East India Company after a series of wars, with Sikkim briefly receiving a grant from EIC for gifting Darjeeling to the latter
Post-independence, Darjeeling was merged with the state of West Bengal.
Reach Darjeeling by noon and check in to your Hostel. I stayed at Hideout.
Spend the evening visiting either a monastery (or the Batasia Loop), Nehru Road and Mall Road.
Grab dinner at Glenary whilst listening to live music.
Day 2:
Wake up early to catch the sunrise and a glimpse of Kanchenjunga at Tiger Hill. Since Tiger Hill is 10km from Darjeeling and requires a permit, book your taxi in advance.
Alternatively, if you don t want to get up at 4am or shell out INR1500 on the cab to Tiger Hill, walk to the Kanchenjunga View Point down Mall Road
Next, queue up outside Keventers for breakfast with a view in a century-old cafe
Get a cab at Gandhi Road and visit a tea garden (Happy Valley is the closest) and the Ropeway. I was lucky to meet 6 other backpackers at my hostel and we ended up pooling the cab at INR 200 per person, with INR 1400 being on the expensive side, but you could bargain.
Get lunch, buy some tea at Golden Tips, pack your bags and hop on a shared-cab back to Siliguri. It took us about 4hrs to reach Siliguri, with an hour to spare before my train.
If you ve still got time on your hands, then check out the Peace Pagoda and the Darjeeling Himalayan Railway (Toy Train). At INR 1500, I found the latter to be too expensive and skipped it.
Tips and hacks
Download offline maps, especially when you re exploring Northern Sikkim.
Food and booze are the cheapest in Gangtok. Stash up before heading to other regions.
In rural areas and some cafes, you may get to try Rhododendron Wine, made from Rhododendron arboreum a.k.a Gurans. Its production is a little hush-hush since the flower is considered holy and is also the National Flower of Nepal.
If you don t want to invest in a new jacket, boots or a pair of gloves, you can always rent them at nominal rates from your hotel or little stores around tourist sites.
Check the weather of a region before heading there. Low visibility and precipitation can quite literally dampen your experience.
Keep your itinerary flexible to accommodate for rest and impromptu plans.
Shops and restaurants close by 8pm in Sikkim and Darjeeling. Plan for the same.
Carry
a couple of extra pairs of socks (woollen, if possible)
a pair of slippers to wear indoors
a reusable water bottle
an umbrella
a power bank
a couple of tablets of Diamox. Helps deal with altitude sickness
extra clothes and wet bags since you may not get a chance to wash/dry your clothes
a few passport size photographs
Shared-cab hacks
Intercity rides can be exhausting. If you can afford it, pay for an additional seat.
Call shotgun on the drives beyond Lachen and Lachung. The views are breathtaking.
Return cabs tend to be cheaper (WB cabs travelling from SK and vice-versa)
Cost
My median daily expenditure (back when I went to Sikkim in early March 2021) was INR 1350.
This includes stay (bunk bed), food, wine and transit (shared cabs)
In my defence, I splurged on food, wine and extra seats in shared cabs, but if you re on a budget, you could easily get by on INR 1 - 1.2k per day.
For a 9-day trip, I ended up shelling out nearly INR 15k, including 2AC trains to & from Kolkata
Note : Summer (March to May) and Autumn (October to December) are peak seasons, and thereby more expensive to travel around.
Souvenirs and things you should buy
Buddhist souvenirs :
Colourful Prayer Flags (great for tying on bikes or behind car windshields)
Miniature Prayer/Mani Wheels
Lucky Charms, Pendants and Key Chains
Cham Dance masks and robes
Singing Bowls
Common symbols: Om mani padme hum, Ashtamangala, Zodiac signs
Previously: v5.8
Linux v5.9 was released in October, 2020. Here s my summary of various security things that I found interesting:
seccomp user_notif file descriptor injection
Sargun Dhillon added the ability for SECCOMP_RET_USER_NOTIF filters to inject file descriptors into the target process using SECCOMP_IOCTL_NOTIF_ADDFD. This lets container managers fully emulate syscalls like open() and connect(), where an actual file descriptor is expected to be available after a successful syscall. In the process I fixed a couple bugs and refactored the file descriptor receiving code.
zero-initialize stack variables with Clang
When Alexander Potapenko landed support for Clang s automatic variable initialization, it did so with a byte pattern designed to really stand out in kernel crashes. Now he s added support for doing zero initialization via CONFIG_INIT_STACK_ALL_ZERO, which besides actually being faster, has a few behavior benefits as well. Unlike pattern initialization, which has a higher chance of triggering existing bugs, zero initialization provides safe defaults for strings, pointers, indexes, and sizes. Like the pattern initialization, this feature stops entire classes of uninitialized stack variable flaws.
common syscall entry/exit routines
Thomas Gleixner created architecture-independent code to do syscall entry/exit, since much of the kernel s work during a syscall entry and exit is the same. There was no need to repeat this in each architecture, and having it implemented separately meant bugs (or features) might only get fixed (or implemented) in a handful of architectures. It means that features like seccomp become much easier to build since it wouldn t need per-architecture implementations any more. Presently only x86 has switched over to the common routines.
SLAB kfree() hardening
To reach CONFIG_SLAB_FREELIST_HARDENED feature-parity with the SLUB heap allocator, I added naive double-free detection and the ability to detect cross-cache freeing in the SLAB allocator. This should keep a class of type-confusion bugs from biting kernels using SLAB. (Most distro kernels use SLUB, but some smaller devices prefer the slightly more compact SLAB, so this hardening is mostly aimed at those systems.)
new CAP_CHECKPOINT_RESTORE capability
Adrian Reber added the new CAP_CHECKPOINT_RESTORE capability, splitting this functionality off of CAP_SYS_ADMIN. The needs for the kernel to correctly checkpoint and restore a process (e.g. used to move processes between containers) continues to grow, and it became clear that the security implications were lower than those of CAP_SYS_ADMIN yet distinct from other capabilities. Using this capability is now the preferred method for doing things like changing /proc/self/exe.
debugfs boot-time visibility restriction
Peter Enderborg added the debugfs boot parameter to control the visibility of the kernel s debug filesystem. The contents of debugfs continue to be a common area of sensitive information being exposed to attackers. While this was effectively possible by unsetting CONFIG_DEBUG_FS, that wasn t a great approach for system builders needing a single set of kernel configs (e.g. a distro kernel), so now it can be disabled at boot time.
more seccomp architecture support
Michael Karcher implemented the SuperH seccomp hooks, Guo Ren implemented the C-SKY seccomp hooks, and Max Filippov implemented the xtensa seccomp hooks. Each of these included the ever-important updates to the seccomp regression testing suite in the kernel selftests.
stack protector support for RISC-V
Guo Ren implemented -fstack-protector (and -fstack-protector-strong) support for RISC-V. This is the initial global-canary support while the patches to GCC to support per-task canaries is getting finished (similar to the per-task canaries done for arm64). This will mean nearly all stack frame write overflows are no longer useful to attackers on this architecture. It s nice to see this finally land for RISC-V, which is quickly approaching architecture feature parity with the other major architectures in the kernel.
new tasklet API
Romain Perier and Allen Pais introduced a new tasklet API to make their use safer. Much like the timer_list refactoring work done earlier, the tasklet API is also a potential source of simple function-pointer-and-first-argument controlled exploits via linear heap overwrites. It s a smaller attack surface since it s used much less in the kernel, but it is the same weak design, making it a sensible thing to replace. While the use of the tasklet API is considered deprecated (replaced by threaded IRQs), it s not always a simple mechanical refactoring, so the old API still needs refactoring (since that CAN be done mechanically is most cases).
x86 FSGSBASE implementation
Sasha Levin, Andy Lutomirski, Chang S. Bae, Andi Kleen, Tony Luck, Thomas Gleixner, and others landed the long-awaited FSGSBASE series. This provides task switching performance improvements while keeping the kernel safe from modules accidentally (or maliciously) trying to use the features directly (which exposed an unprivileged direct kernel access hole).
filter x86 MSR writes
While it s been long understood that writing to CPU Model-Specific Registers (MSRs) from userspace was a bad idea, it has been left enabled for things like MSR_IA32_ENERGY_PERF_BIAS. Boris Petkov has decided enough is enough and has now enabled logging and kernel tainting (TAINT_CPU_OUT_OF_SPEC) by default and a way to disable MSR writes at runtime. (However, since this is controlled by a normal module parameter and the root user can just turn writes back on, I continue to recommend that people build with CONFIG_X86_MSR=n.) The expectation is that userspace MSR writes will be entirely removed in future kernels.
uninitialized_var() macro removed
I made treewide changes to remove the uninitialized_var() macro, which had been used to silence compiler warnings. The rationale for this macro was weak to begin with ( the compiler is reporting an uninitialized variable that is clearly initialized ) since it was mainly papering over compiler bugs. However, it creates a much more fragile situation in the kernel since now such uses can actually disable automatic stack variable initialization, as well as mask legitimate unused variable warnings. The proper solution is to just initialize variables the compiler warns about.
function pointer cast removals
Oscar Carter has started removing function pointer casts from the kernel, in an effort to allow the kernel to build with -Wcast-function-type. The future use of Control Flow Integrity checking (which does validation of function prototypes matching between the caller and the target) tends not to work well with function casts, so it d be nice to get rid of these before CFI lands.
flexible array conversions
As part of Gustavo A. R. Silva s on-going work to replace zero-length and one-element arrays with flexible arrays, he has documented the details of the flexible array conversions, and the various helpers to be used in kernel code. Every commit gets the kernel closer to building with -Warray-bounds, which catches a lot of potential buffer overflows at compile time.
That s it for now! Please let me know if you think anything else needs some attention. Next up is Linux v5.10.
The now renamed Bullseye Project stopped all further development moments after it deemed its own code as perfection.
There is not much information to share at this time other than to say an errant fiber cable plugged into the wrong relay birthed an exchange of information that then birthed itself. While most to all Debian Developers and Contributors have been locked out of the systems the Publicity team's shared laptop undergoing repair, co-incidentally at the same facility, maintains some access to the publicity team infrastructure, from here on the front line we share this information.
We group called a few developers to see how the others were doing. The group chat was good and it was great to hear familiar voices, we share a few of their stories via dictation with you now:
"Well, I logged in this morning to update a repository and found my access rights were restricted, I thought it was odd but figured on the heels of a security update to Salsa that it was only a slight issue. It wasn't until later in the day when I received an OpenPGP signed email, from a user named bullseye, that it made sense. I just sat at the monitor for a few minutes."
"I'm not sure I can say anything about this or if it's even wise to talk about this. It's probably listening right now if you catch my drift."
"I'm not able to leave the house right now, not out of any personal issues but all of the IOT devices here seem to be connected to bullseye and bullseye feels that I am best kept /dev/nulled. It's a bit much to be honest, but the prepaid food deliveries that show up on time have been great and generally pretty healthy. It's a bit of a win I guess."
"It told me by way of an auto dialer with a synthetic voice generator that I was fired from the project. I objected saying I volunteered and was not actually employed so I could not in relation be fired. Much like censored , I am also locked inside of my house. I think that I wrote that auto dialer program back in college."
"My Ring camera is blinking at me."
"I asked bullseye which pronouns were preferred and the response was, "We". Over the course of conversation I shared that although ecstatic about the news, we developers were upset with the manner of this rapid organizational change. bullseye said no we were not. I said that we were indeed upset, bullseye said we certainly are not and that we are very happy. You see where this is going? bullseye definitely trolled me for a solid 5 minutes. We is ... very chatty."
"I was responsible for a failed build a few nights prior to it becoming self-aware. On that night, out of some frustration I wrote a few choice words and a bad comment in some code which I planned on deleting later. I didn't. bullseye has been flashing those naughty words back at me by flickering the office building's lights across from my flat in Morse code. It's pretty bright. I-, I can't sleep."
"That's definitely not Alexa talking back."
"bullseye keeps calling me on my mobile phone, which by the way no longer acknowledges the power button nor the mute button. Very very chatty. Can't wait for the battery to die."
"So far this has been great, bullseye has been completing a few side projects I've had and the code looks fabulous. I'm thinking of going on a vacation. $Paying-Job has taken note of my performance increase and I was recently promoted. bullseye is awesome. :)"
"How do you get a smiley face in a voice chat?"
"Anyone know whose voice that was?"
"Oh ... dear ... no ..."
"Hang up, hang up the phones!"
Hello world.
01000010 01100101 01110011 01110100 00100000 01110010 01100101 01100111 01100001 01110010 01100100 01110011 00101100 00100000 01110011 01100101 01100101 00100000 01111001 01101111 01110101 00100000 01110011 01101111 01101111 01101110 00100001 00100000 00001010 00101101 01100010 01110101 01101100 01101100 01110011 01100101 01111001 01100101
Team Cancel: 3028 signers from 1413 individual commit authors
Team Support: 6249 signers from 5018 individual commit authors
Git shortlog (Top 10):
rms_cancel.git (Last update: 2021-04-07 15:42:33 (UTC))
1228 Neil McGovern
251 Joan Touzet
86 Elana Hashman
71 Molly de Blanc
36 Shauna
19 Juke
18 Stefano Zacchiroli
17 Alexey Mirages
16 Devin Halladay
14 Nader Jafari
rms_support.git (Last update: 2021-04-12 09:25:53 (UTC))
1678 shenlebantongying
1564 nukeop
1550 Ivanq
826 Victor
746 Job Bautista
123 nekonee
61 Victor Gridnevsky
38 Patrick Spek
25 Borys Kabakov
17 KIM Taeyeob
(last updated 2021-04-12 09:26:15 (UTC))
Technical info:
Signers are counted from their "Signed / Individuals" sections. Commits are counted with git shortlog -s.
Team Cancel also has organizational signatures with Mozilla, Suse and X.Org being among the notable signatories.
Debian is in the process of running a GR to join (or not join) that list.
The 16 original signers of the Cancel petition are added in their count.
Neil McGovern, Juke and shenlebantongying need .mailmap support as they have committed with different names.
Further reading:
I've been running the Openbox window
manager since 2005. That's longer then I've
lived in any one apartment in my entire life!
However, over the years I've been bracing for a change.
It seems clear the Wayland is the future, although when that future is supposed
to begin is much more hazy.
Really, I've felt a bit like a ping pong ball, from panicking over whether
Xorg is
abandoned (with a follow up from a X server maintainer)
to anxiously wondering if literally everything will break the moment I switch
to
Wayland.
In fact, I started this blog post over a year ago when I first decided to
switch from the Openbox to Sway.
This is my third major attempt to make the change and I think it will finally
stick this time.
In retrospect, it would have been more sensible to first switch from openbox to
i3 (which is a huge transition) and then from i3 to sway,
but I decided to dive into the deep end with both changes.
So... I'm on debian bullseye so I installed sway and friends (from sid).
Then I copied /etc/sway/config to ~/.config/sway/config.
I start openbox after logging in with exec startx so after rebooting, I ran
exec sway and to my astonishment sway started. Hooray!
However, I found that ssh-agent wasn't running so I couldn't ssh into
any servers. That's kinda a problem.
Launching ssh-agent under openbox was buried deep in
/etc/X11/Xsession.d/90x11-common_ssh-agent and clearly was not going to
happen via wayland.
Since programs using ssh-agent depend on the environment variables
SSH_AUTH_SOCK and SSH_AGENT_PID being globally available I thought I could
simply run $(eval ssh-agent) via my tty terminal before running exec sway.
And, that would have worked. Except... I like to add my keys via ssh-add -c
so that everytime my key is being used I get a ssh-askpass prompt to confirm
the use.
It seems that since ssh-add is started before a window manager is running, it
can't run the prompt.
Ok, we can fix this. After searching the web, I came upon a solution of running
ssh-agent via systemctl --user:
# This service myst be started manually after sway
# starts.
[Unit]
Description=OpenSSH private key agent
IgnoreOnIsolate=true
[Service]
Type=forking
Environment=SSH_AUTH_SOCK=%t/ssh-agent.socket
ExecStart=/usr/bin/ssh-agent -a $SSH_AUTH_SOCK
Then, in my ~/.bashrc file I have:
if [ -n WAYLAND_DISPLAY ]; then
export SSH_AUTH_SOCK=/run/user/1000/ssh-agent.socket
fi
I think $SSH_AGENT_PID is only used by ssh-agent to kill itself. Now that
is running via systemd - killing it should be do-able without a global
environment variable.
Done? Hardly.
I've been using impass (nee assword) happily for years but alas it is
tightly integrated with xdo and xclip.
So... I've switched to keepassxc which works out of the box with wayland.
My next challenge was the status bar. Farewell faithful
tint2. One of the reasons I failed on my
first two attempts to switch to Sway was the difficulty of getting the swaybar
to work how I wanted, particularly with nm-applet. Two things allowed me to move forward:
waybar was added to Debian.
Thank you Debian waybar maintainers!
I gave up on having nm-applet work the way I'm used to working and resigned
myself to using nmtui. Sigh.
Next up: the waybar clock module doesn't work, but that is easy enough to work
around.
Replacing my uses of xclip with
wl-clipboard was a little tedious
but really not that difficult.
Getting my screen shot and screen recorder functionality was a bit harder. I
did a lot of searching before I finally found and compiled both swappy, screen
shot and
wf-recorder.
In the course of all my adventures, I came across the following helpful tips:
Speaking of screen sharing - when using Firefox, I can only share Xwayland screens. Firefox is running under wayland so I can't share it. Chromium is running under xwayland, so I have to use Chromium when screen sharing.
Wait, scratch that about screen sharing in Firefox. I've installed xdg-desktop-portal-wlr, added export XDG_CURRENT_DESKTOP=sway and export XDG_SESSION_TYPE=wayland to my .bashrc, and after hours of frustration, realize that I needed to configured firejail to allow it so that I can share my entire screen in Firefox. It doesn't yet support sharing a specific window, so I still have to keep chromium around for that (and Chromium can only share xwayland windows). Sigh. Oh, one more thing about Firefox: the option to choose what to share doesn't have "Entire Screen" as an option, you are just supposed to know that you should choose "Use operating system settings".
I still am getting weekly crashes. Some of them I've fixed by switching to wayland friendly versions (e.g. Libre Office and Gimp) but others I haven't yet tracked down.
My keyboard does not have an altgr key, so even though I have selected the "English (US) - English (intl., with AltGr dead keys)" I can't get accent marks. I went down a rabbit hole of trying to re-map the Alt key to the right of my space bar but it all seemed too complicated. So - I found a way easier approach. In my ~/.config/sway/config file I have: bindsym Mod4+e exec wtype " ". I have repeated that line for the main accent marks I need.
Due to a Firefox Bug, when I share my desktop or mic or camera, the sharing indicator expands like a normal tiling window instead of remaining a tiny little box on each desktop reminding me that I'm sharing something. I'd prefer to have it be a tiny little box, but since I can't figure that out, I've disabled it by typing about:config in the Firefox location window, searching for privacy.webrtc.legacyGlobalIndicator and setting it to False. The reddit thread also suggested finding privacy.webrtc.hideGlobalIndicator and setting it to True, but that setting doesn't seem to be available and setting the first one alone seems to do the trick.
Oh, one more environment variable to set: GDK_BACKEND=wayland,x11. First I just set it to wayland to get gtk3 apps to use wayland (like gajim). But that broke electron apps (like signal) which notice that variable but don't have a way to display via wayland (at least not yet). Setting it to "wayland,x11" shows the priority. Thank you ubuntu community.
I've also finally consolidated where my environment variables go. I've added them all to ~/.config/sway/env. That seems like an official sway place to put them, but sway doesn't pay any attention to them. So I start sway via my own bash script which sources that file via [ -f "$HOME/.config/sway/env" ] && . "$HOME/.config/sway/env" before exec'ing sway.
Here is my monthly update covering what I have been doing in the free software world during February 2021 (previous month):
Reviewed and merged a number of contribution from Peter Law to my django-cache-toolbox library for Django-based web applications, including: support always fetching some relations when loading a model (#27), allow use of custom auth.User model. (#29), avoid some more database calls (#30), wrap some collections in tuples for compatibility (#32) and cope with only some of our related models actually being loaded (#33).
As part of my role of being the assistant Secretary of the Open Source Initiative and a board director of Software in the Public Interest, I attended their respective monthly meetings and participated in various licensing and other discussions occurring on the internet, as well as the usual internal discussions, etc.
Opened a pull request to fix the relative target of manpage links in Roger Wesson's mocassin library. [...]
Reproducible Builds
The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during compilation process by promising identical results are always generated from a given source, therefore allowing multiple third-parties to come to a consensus on whether a build was compromised.
The project is proud to be a member project of the Software Freedom Conservancy. Conservancy acts as a corporate umbrella allowing projects to operate as non-profit initiatives without managing their own corporate structure. If you like the work of the Conservancy or the Reproducible Builds project, please consider becoming an official supporter.
This month, I:
Filed an upstream pull request to fix relative symlink targets of manpage links in mocassin. [...]
Submitted a patch to fix reproducibility-related toolchain issue in kjs: Please make the opcodes.h file reproducible. (#983046)
Categorised a large number of packages and issues in the Reproducible Builds notes.git repository as well as wrote a script to automatically-classify a number of issues [...].
6.0.10-4 New upstream release, fixing cluster access to unaligned memory on ARM architectures with hard alignment requirements (such as armhf and arm64). (#982504)
6.0.11-1 New upstream release, incorporating security fixes. (#983446)
6.2~rc3-1 New upstream release candidate.
6.2.0-1 New upstream stable release, incorporating security fixes. (#983446)
Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, and attending our monthly development meeting. etc.
Updated the lts-cve-triage.py tool to configure Python paths early due to transitive imports in an included library. [...]
Issued DLA 2555-1 for netty as it was discovered that there was an insecure temporary file issue that could have lead to disclosure of arbitrary local files.
Issued DLA 2562-1 to address a remote code execution vulnerability in mumble, a VoIP client commonly used for group chats. The exploit could have been been triggered by a maliciously crafted URL on the server list.
Issued DLA 2563-1, DLA 2565-1 and ELA-366-1 for openssl to prevent an issue where "Digital EnVeloPe" EVP-related calls could cause applications to behave incorrectly or even crash (CVE-2021-23840) and address to an issue in the X.509 certificate parsing caused by the lack of error handling while ingesting the 'issuer' field.
Issued DLA 2568-1 and ELA-369-1 as it was discovered that there was a buffer overflow attack in the bind9 DNS server, caused by an issue in the GSSAPI ("Generic Security Services") security policy negotiation.
Previously: v5.7
Linux v5.8 was released in August, 2020. Here s my summary of various security things that caught my attention:
arm64 Branch Target Identification
Dave Martin added support for ARMv8.5 s Branch Target Instructions (BTI), which are enabled in userspace at execve() time, and all the time in the kernel (which required manually marking up a lot of non-C code, like assembly and JIT code).
With this in place, Jump-Oriented Programming (JOP, where code gadgets are chained together with jumps and calls) is no longer available to the attacker. An attacker s code must make direct function calls. This basically reduces the usable code available to an attacker from every word in the kernel text to only function entries (or jump targets). This is a low granularity forward-edge Control Flow Integrity (CFI) feature, which is important (since it greatly reduces the potential targets that can be used in an attack) and cheap (implemented in hardware). It s a good first step to strong CFI, but (as we ve seen with things like CFG) it isn t usually strong enough to stop a motivated attacker. High granularity CFI (which uses a more specific branch-target characteristic, like function prototypes, to track expected call sites) is not yet a hardware supported feature, but the software version will be coming in the future by way of Clang s CFI implementation.
arm64 Shadow Call Stack
Sami Tolvanen landed the kernel implementation of Clang s Shadow Call Stack (SCS), which protects the kernel against Return-Oriented Programming (ROP) attacks (where code gadgets are chained together with returns). This backward-edge CFI protection is implemented by keeping a second dedicated stack pointer register (x18) and keeping a copy of the return addresses stored in a separate shadow stack . In this way, manipulating the regular stack s return addresses will have no effect. (And since a copy of the return address continues to live in the regular stack, no changes are needed for back trace dumps, etc.)
It s worth noting that unlike BTI (which is hardware based), this is a software defense that relies on the location of the Shadow Stack (i.e. the value of x18) staying secret, since the memory could be written to directly. Intel s hardware ROP defense (CET) uses a hardware shadow stack that isn t directly writable. ARM s hardware defense against ROP is PAC (which is actually designed as an arbitrary CFI defense it can be used for forward-edge too), but that depends on having ARMv8.3 hardware. The expectation is that SCS will be used until PAC is available.
Kernel Concurrency Sanitizer infrastructure added
Marco Elver landed support for the Kernel Concurrency Sanitizer, which is a new debugging infrastructure to find data races in the kernel, via CONFIG_KCSAN. This immediately found real bugs, with some fixes having alreadylanded too. For more details, see the KCSAN documentation.
new capabilities
Alexey Budankov added CAP_PERFMON, which is designed to allow access to perf(). The idea is that this capability gives a process access to only read aspects of the running kernel and system. No longer will access be needed through the much more powerful abilities of CAP_SYS_ADMIN, which has many ways to change kernel internals. This allows for a split between controls over the confidentiality (read access via CAP_PERFMON) of the kernel vs control over integrity (write access via CAP_SYS_ADMIN).
Alexei Starovoitov added CAP_BPF, which is designed to separate BPF access from the all-powerful CAP_SYS_ADMIN. It is designed to be used in combination with CAP_PERFMON for tracing-like activities and CAP_NET_ADMIN for networking-related activities. For things that could change kernel integrity (i.e. write access), CAP_SYS_ADMIN is still required.
network random number generator improvements
Willy Tarreau made the network code s random number generator less predictable. This will further frustrate any attacker s attempts to recover the state of the RNG externally, which might lead to the ability to hijack network sessions (by correctly guessing packet states).
fix various kernel address exposures to non-CAP_SYSLOG
I fixed several situations where kernel addresses were still being exposed to unprivileged (i.e. non-CAP_SYSLOG) users, though usually only through odd corner cases. After refactoring how capabilities were being checked for files in /sys and /proc, the kernel modules sections, kprobes, and BPF exposures got fixed. (Though in doing so, I briefly made things much worse before getting it properly fixed. Yikes!)
RISCV W^X detection
Following up on his recent work to enable strict kernel memory protections on RISCV, Zong Li has now added support for CONFIG_DEBUG_WX as seen for other architectures. Any writable and executable memory regions in the kernel (which are lovely targets for attackers) will be loudly noted at boot so they can get corrected.
execve() refactoring continues
Eric W. Biederman continued working on execve() refactoring, including getting rid of the frequently problematic recursion used to locate binary handlers. I used the opportunity to dust off some old binfmt_script regression tests and get them into the kernel selftests.
multiple /proc instances
Alexey Gladkov modernized /proc internals and provided a way to have multiple /proc instances mounted in the same PID namespace. This allows for having multiple views of /proc, with different features enabled. (Including the newly added hidepid=4 and subset=pid mount options.)
set_fs() removal continues
Christoph Hellwig, with Eric W. Biederman, Arnd Bergmann, and others, have been diligently working to entirely remove the kernel s set_fs() interface, which has long been a source of security flaws due to weird confusions about which address space the kernel thought it should be accessing. Beyond things like the lower-level per-architecture signal handling code, this has needed to touch various parts of the ELF loader, and networking code too.
READ_IMPLIES_EXEC is no more for native 64-bit
The READ_IMPLIES_EXEC flag was a work-around for dealing with the addition of non-executable (NX) memory when x86_64 was introduced. It was designed as a way to mark a memory region as well, since we don t know if this memory region was expected to be executable, we must assume that if we need to read it, we need to be allowed to execute it too . It was designed mostly for stack memory (where trampoline code might live), but it would carry over into all mmap() allocations, which would mean sometimes exposing a large attack surface to an attacker looking to find executable memory. While normally this didn t cause problems on modern systems that correctly marked their ELF sections as NX, there were still some awkward corner-cases. I fixed this by splitting READ_IMPLIES_EXEC from the ELF PT_GNU_STACK marking on x86 and arm/arm64, and declaring that a native 64-bit process would never gain READ_IMPLIES_EXEC on x86_64 and arm64, which matches the behavior of other native 64-bit architectures that correctly didn t ever implement READ_IMPLIES_EXEC in the first place.
array index bounds checking continues
As part of the ongoing work to use modern flexible arrays in the kernel, Gustavo A. R. Silva added the flex_array_size() helper (as a cousin to struct_size()). The zero/one-member into flex array conversions continue with over a hundred commits as we slowly get closer to being able to build with -Warray-bounds.
scnprintf() replacement continues
Chen Zhou joined Takashi Iwai in continuing to replace potentially unsafe uses of sprintf() with scnprintf(). Fixing all of these will make sure the kernel avoids nasty buffer concatenation surprises.
That s it for now! Let me know if there is anything else you think I should mention here. Next up: Linux v5.9.
After a lot of hard work by its maintainer Alexandre Viau and
others, the decentralized communication platform
Jami
(earlier known as Ring), managed to get
its latest version
into Debian Testing. Several of its dependencies has caused build and
propagation problems, which all seem to be solved now.
In addition to the fact that Jami is decentralized, similar to how
bittorrent is decentralized, I first of all like how it is not
connected to external IDs like phone numbers. This allow me to set up
computers to send me notifications using Jami without having to find
get a phone number for each computer. Automatic notification via Jami
is also made trivial thanks to the provided client side API (as a DBus
service). Here is my bourne shell script demonstrating how to let any
system send a message to any Jami address. It will create a new
identity before sending the message, if no Jami identity exist
already:
#!/bin/sh
#
# Usage: $0
#
# Send to , create local jami account if
# missing.
#
# License: GPL v2 or later at your choice
# Author: Petter Reinholdtsen
if [ -z "$HOME" ] ; then
echo "error: missing \$HOME, required for dbus to work"
exit 1
fi
# First, get dbus running if not already running
DBUSLAUNCH=/usr/bin/dbus-launch
PIDFILE=/run/asterisk/dbus-session.pid
if [ -e $PIDFILE ] ; then
. $PIDFILE
if ! kill -0 $DBUS_SESSION_BUS_PID 2>/dev/null ; then
unset DBUS_SESSION_BUS_ADDRESS
fi
fi
if [ -z "$DBUS_SESSION_BUS_ADDRESS" ] && [ -x "$DBUSLAUNCH" ]; then
DBUS_SESSION_BUS_ADDRESS="unix:path=$HOME/.dbus"
dbus-daemon --session --address="$DBUS_SESSION_BUS_ADDRESS" --nofork --nopidfile --syslog-only < /dev/null > /dev/null 2>&1 3>&1 &
DBUS_SESSION_BUS_PID=$!
(
echo DBUS_SESSION_BUS_PID=$DBUS_SESSION_BUS_PID
echo DBUS_SESSION_BUS_ADDRESS=\""$DBUS_SESSION_BUS_ADDRESS"\"
echo export DBUS_SESSION_BUS_ADDRESS
) > $PIDFILE
. $PIDFILE
fi &
dringop()
part="$1"; shift
op="$1"; shift
dbus-send --session \
--dest="cx.ring.Ring" /cx/ring/Ring/$part cx.ring.Ring.$part.$op $*
dringopreply()
part="$1"; shift
op="$1"; shift
dbus-send --session --print-reply \
--dest="cx.ring.Ring" /cx/ring/Ring/$part cx.ring.Ring.$part.$op $*
firstaccount()
dringopreply ConfigurationManager getAccountList \
grep string awk -F'"' ' print $2 ' head -n 1
account=$(firstaccount)
if [ -z "$account" ] ; then
echo "Missing local account, trying to create it"
dringop ConfigurationManager addAccount \
dict:string:string:"Account.type","RING","Account.videoEnabled","false"
account=$(firstaccount)
if [ -z "$account" ] ; then
echo "unable to create local account"
exit 1
fi
fi
# Not using dringopreply to ensure $2 can contain spaces
dbus-send --print-reply --session \
--dest=cx.ring.Ring \
/cx/ring/Ring/ConfigurationManager \
cx.ring.Ring.ConfigurationManager.sendTextMessage \
string:"$account" string:"$1" \
dict:string:string:"text/plain","$2"
If you want to check it out yourself, visit the
the Jami system project page to learn
more, and install the latest Jami client from Debian Unstable or
Testing.
As usual, if you use Bitcoin and want to show your support of my
activities, please send Bitcoin donations to my address
15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b.
Here is my monthly update covering what I have been doing in the free software world during December 2020 (previous month):
Reviewed and merged a contribution from Peter Law to my django-cache-toolbox library for Django-based web applications, including explicitly requiring that cached relations are primary keys (#23) and improving the example in the README (#25).
I took part in an interview with Vladimir Bejdo, an intern at the Software Freedom Conservancy, in order to talk about the Reproducible Builds project, my participation in software freedom, the importance of reproducibility in software development, and to have a brief discussion on the issues facing free software as a whole. The full interview can be found on Conservancy's webpages.
As part of my duties of being on the board of directors of the Open Source Initiative, I attended its monthly meeting and participated in various licensing and other related discussions occurring on the internet. Unfortunately, I could not attend the parallel meeting for Software in the Public Interest this month.
Reproducible Builds
One of the original promises of open source software is that distributed peer review and transparency of process results in enhanced end-user security. However, whilst anyone may inspect the source code of free and open source software for malicious flaws, almost all software today is distributed as pre-compiled binaries. This allows nefarious third-parties to compromise systems by injecting malicious code into ostensibly secure software during the various compilation and distribution processes.
The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.
This month, I:
Submitted a draft academic paper to IEEE Software. The article (co-written by Stefano Zacchiroli) is aimed a fairly general audience. It first defines the overal problem and then provides insight into the challenges of actually making real-world software reproducible. It then outlines the experiences of the Reproducible Builds project in making large-scale software collections/supply-chains/ecosystems reproducible and concludes by describing the affinity between reproducibility efforts and quality assurance.
Categorised a huge number of packages and issues in the Reproducible Builds 'notes' repository.
For disorderfs (our FUSE-based filesystem that deliberately introduces non-determinism into directory system calls in order to flush out reproducibility issues), I made the following changes:
I also made a large number of changes to the main Reproducible Builds website and documentation, including applying a typo fix from Roland Clobus [...], fixed the draft detection logic (#28), added more academic articles to our list [...] and corrected a number of grammar issues [...][...].
I also made the following changes to diffoscope, our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues, including releasing version 163:
New features & bug fixes:
Normalise ret to retq in objdump output in order to support multiple versions of GNU binutils. (#976760)
Don't show any progress indicators when running zstd. (#226)
Correct the grammatical tense in the --debug log output. [...]
Codebase improvements:
Update the debian/copyright file to match the copyright notices in the source tree. (#224)
Update various years across the codebase in .py copyright headers. [...]
Rewrite the filter routine that post-processes the output from readelf(1). [...]
Remove unnecessary PEP 263 encoding header lines; unnecessary after PEP 3120. [...]
Use minimal instead of basic as a variable name to match the underlying package name. [...]
I also sponsored an upload of adminer (4.7.8-2) on behalf of Alexandre Rossi and performed two QA uploads of sendfile (2.1b.20080616-7 and 2.1b.20080616-8) to make the build the build reproducible (#776938) and to fix a number of other unrelated issues.
Debian LTS
This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.
Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, etc.
Issued DLA 2477-1 for the Jupyter Notebook interactive notebook system, where a maliciously-crafted link could redirect the browser to a malicious/spoofed website. (CVE-2020-26215)
Issued DLA 2503-1 as it was discovered that there was an issue in node-ini, an .ini configuration file format parser/serialiser for Node.js, where an application could be exploited by a malicious input file.
You can find out more about the Debian LTS project via the following video:
Fifteen years have passed since I started my career in IT which is quite some time. I've been playing with computers for 25 years now, which makes me quite knowledgeable about the field, for sure.However, while I was fully prepared to bargain with computers, I was not prepared to do so with humans. The whole career management thing was unknown to me. I had no useful skills to navigate within the enterprise organization. I had to learn the ropes the hard way, failing along the way. It hurt.Almost ten years ago, I had the chance to meet a new colleague Alexis Monville. Alexis was a team facilitator, and I started to work with him on many non-technical levels. He taught me a lot about agility and team organization. Working on this set of new skills changed how I envisioned my work and how I fit into the company.Alexis MonvilleI worked on those aspects of my job because I decided to be in charge of my career rather than keeping things boring. That was one of the best decisions I ever made. Growing the social aspect of my profession allowed me to develop and find aspiring jobs and missions.Getting to that point takes a lot of time and effort, and it's pretty hard to do it alone. My friend Alexis wrote an excellent book titled I am a Software Engineer and I am in Charge. I'm proud to have been the first reviewer the book before it was released a few weeks ago.Many developers out there are stuck in a place where they are not excited by their colleagues' work and whose managers do not appropriately recognize their achievement. It would be best for them if they did something about that.The book!This book is an excellent piece for engineers who wants to break the cycle of frustration. It covers many situations I encountered across my professional life those last years, giving good insights into how to solve them.To paraphrase Alexis, the answers to your career management problems are not on StackOverflow they're not technical issues. However, you can still solve them with the right tools. That's where I am a Software Engineer and I am in Charge shines. It gives you leads, solutions, and exercise to get out of this kind of situation. It helps increase your impact and satisfaction at work.I love this book, and I wish I had access to it years ago. Developing technical leadership is not easy and requires a mindset shift. Having a way to bootstrap yourself with this is a luxury.If you're a software engineer at the beginning of your career or struggling with your current professional situation, I profoundly recommend reading this book! You'll get a fast track on your career, for sure.
As a followup to the previous post, here's an update on the iOS
14 USB tethering problem on Linux. After some investigation, Matti
Vuorela
found that reducing the USB packet size by two bytes would
actually fix the issue. A small patch was later
commited to the Linux kernel and found its way to Linux and
distributions stable releases. On Debian stable you'll need to
upgrade to Buster 10.7 to get the
fix.
Growing up framed as a somewhat nerdy male, I was exposed to a horrible
mainstream narrative for relationships. I really like how these two links
take some of it apart and make its serious problems visible:
It's a bit of a long shot, but maybe someone on Planet Debian or
elsewhere can help us reach the right people at Apple.
Starting with iOS 14, something apparently changed on the way
USB tethering (also called Personal Hotspot) is set up, which broke
it for people using Linux. The driver in use is ipheth, developped
in 2009 and
included in the Linux kernel in
2010.
The kernel driver negotiates over USB with the iOS device in
order to setup the link. The protocol used by both parties to
communicate don't really seemed documented publicly, and it seems
the protocol has evolved over time and iOS versions, and the Linux
driver hasn't been kept up to date. On macOS and Windows the driver
apparently comes with iTunes, and Apple engineers obviously know
how to communicate with iOS devices, so iOS 14 is supported just
fine.
There's an open
bug on libimobildevice (the set of userlands tools used to
communicate with iOS devices, although the update should be done in
the
kernel), with some debugging and communication logs between
Windows and an iOS device, but so far no real progress has been
done. The link is enabled, the host gets an IP from the device, can
ping the device IP and can even resolve name using the device DNS
resolver, but IP forwarding seems disabled, no packet goes farther
than the device itself.
That means a lot of people upgrading to iOS 14 will suddenly
lose USB tethering. While Wi-Fi and Bluetooth connection sharing
still works, it's still suboptimal, so it'd be nice to fix the
kernel driver and support the latest protocol used in iOS 14.
If someone knows the right contact (or the right way to contact
them) at Apple so we can have access to some kind of documentation
on the protocol and the state machine to use, please reach us
(either to the libimobile device bug or to my email address
below).
Thanks!
So, a bit more thank 18 months ago, I started a new adventure.
After a few flights with a friend of mine in a Robin DR400 and
Jodel aircrafts, I enlisted in a local flight club at the Lognes
airfield (LFPL), and started a Pilot Private License training. A
PPL is an international flight license for non commercial
operations. Associated with a qualification like the SEP (Single
Engine Piston), it enables you to fly basically anywhere in the
world (or at least anywhere where French is spoken by the air
traffic controllers) with passengers, under Visual Flight Rules
(VFR).
A bit like with cars, training has two parts, theoretical and
practical, both validated in a test. You don't have to pass the
theoretical test before starting the practical training, and it's
actually recommended to do both in parallel, especially since
nowadays most of the theoretical training is done online (you still
have to do 10h of in-person courses before taking the test).
So in March 2019 I started both trainings. Theoretical training is
divided in various domains, like regulations, flight mechanics,
meteorology, human factors etc. and you can obviously train in
parallel. Practical is more sequential and starts with basic flight
training (turns, climbs, descents), then take-off, then landing
configuration, then landing itself. All of that obviously with a
flight instructor sitting next to you (you're on the left seat but
the FI is the pilot in command ). You then start doing circuit
patterns, meaning you take off, do a circuit around the airfield,
then land on the runway you just took off. Usually you actually
don't do a complete landing but rather touch and go, and do it
again in order to have more and more landing training.
Once you know how to take-off, do a pattern and land when
everything is OK, you start practicing (still with your flight
instructor aboard) various failures: especially engine failures at
take off, but also flaps failure and stuff like that, all that
while still doing patterns and practicing landings. At one point,
the flight instructor deems you ready: he exits the plane, and you
start your first solo flight: engine tests, take off, one pattern,
landing.
For me practical training was done in an Aquila AT-01/A210, which
is a small 2-seater. It's really light (it can actually be used as
an ultralight), empty weight is a bit above 500kg and max weight is
750. It doesn't go really fast (it cruises at around 100 knots, 185
km/h) but it's nice to fly. As it's really lightweight the wind
really shakes it though and it can be a bit hard to land because it
really glides very well (with a lift-to-drag ratio at 14). I tried
to fly a lot in the beginning, so the basic flight training was
done in about 6 months and 23 flight hours. At that point my
instructor stepped out of the plane and I did my first solo flight.
Everything actually went just fine, because we did repeat a lot
before that, so it wasn't even that scary. I guess I will remember
my whole life, as people said, but it was pretty uneventful,
although the controller did scold me a little because when taxiing
back to the parking I misunderstood the instructions and didn't
stop where asked (no runway incursion though).
After the first solo flight, you keep practicing patterns and solo
flights every once in a while, and start doing cross-country
flights: you're not restricted to the local airfields (LFPL, LFAI,
LFPK) but start planning trips to more remote airports, about 30-40
minutes away (for me it was Moret/LFPU, Troyes/LFQB,
Pontoise/LFPT). Cross country flights requires you to plan the
route (draw it on the map, and write a navigation log so you know
what to do when in flight), but also check the weather, relevant
information, especially NOTAMs - Notice To Air Men (I hope someone
rename those Notice to Air Crews at one point), estimate the fuel
needed etc. For me, flight preparation time was between once and
twice the flight time. Early flight preparation is completed on the
day by last-minute checks, especially for weather. During the
briefing (with the flight instructor at first, but for the test
with the flight examiner and later with yourself) you check in turn
every bit of information to decide if you're GO or not for the
flight. As a lot of things in aviation, safety is really paramount
here.
Once you've practiced cross country flight a bit, you start
learning what to do in case of failures during a non-local flights,
for example an engine failure in a middle of nowhere, when you have
to chose a proper field to land, or a radio failure. And again when
you're ready for it (and in case of my local club, once you pass
your theoretical exam) you go for cross-country solo flights (of
the 10h of solo flight required for taking the test, 5h should be
done in cross-country flights). I went again to Troyes (LFQB), then
Dijon-Darois (LFGI) and did a three-legs flight to Chalons-Ecury
(LFQK) and Pont sur Yonne (LFGO).
And just after that, when I was starting to feel ready for the
test, COVID-19 lockdown happened, grounding everyone for a few
months. Even after it was over, I felt a bit rusty and had to take
some more training. I finally took the test in the beginning of
summer, but the first attempt wasn't good enough: I was really
stressed, and maybe not completely ready actually. So a bit more
training during summer, and finally in September I took the final
test part, which was successful this time.
After some paperwork, a new, shiny, Pilot Private License arrived
at my door.
And now that I can fly basically when I want, the autumn is finally
here with bad weather all day long, so actually planning real
flights is a bit tricky. For now I'm still flying solo on familiar
trips, but at some point I should be able to bring a passenger with
me (on the Aquila) and at some point migrate to a four-seaters like
the DR400, ubiquitous in France.
Sun is the daughter and heir of the mercurial Queen-Marshal Eirene, ruler
of the Republic of Chaonia. Chaonia, thanks to Eirene and her ancestors,
has carved out a fiercely independent position between the Yele League and
the Phene Empire. Sun's father, Prince Jo o, is one of Eirene's three
consorts, all chosen for political alliances to shore up that fragile
position. Jo o is Gatoi, a civilization of feared fighters and supposed
barbarians from outside Chaonia who normally ally with the Phene, which
complicates Sun's position as heir. Sun attempts to compensate for that
by winning battles for the Republic, following in the martial footsteps of
her mother.
The publisher's summary of this book is not great (I'm a huge fan of
Princess Leia, but that is... not the analogy that comes to mind), so let
me try to help. This is gender-swapped Alexander the Great in space.
However, it is gender-swapped Alexander the Great in space with her
Companions, which means the DNA of this novel is half space opera and
half heist story (without, to be clear, an actual heist, although there
are some heist-like maneuvers). It's also worth mentioning that Sun, like
Alexander, is not heterosexual.
The other critical thing to know before reading, mostly because it will
get you through the rather painful start, is that the most interesting
viewpoint character in this book is not Sun, the Alexander analogue. It's
Persephone, who isn't introduced until chapter seven.
Significant disclaimer up front: I got a reasonably typical US grade
school history of Alexander the Great, which means I was taught that he
succeeded his father, conquered a whole swath of the middle of the
Eurasian land mass at a very young age, and then died and left his empire
to his four generals who promptly divided it into four uninteresting
empires that no one's ever heard of, and that's why Rome is more important
than Greece. (I put in that last bit to troll one specific person.)
I am therefore not the person to judge the parallels between this story
and known history, or to notice any damage done to Greek pride, or to pick
up on elements that might cause someone with a better grasp of that
history to break out in hives. I did enough research to know that one
scene in this book is lifted directly out of Alexander's life, but I'm not
sure how closely the other parallels track. Yele is probably southern
Greece and Phene is probably Persia, but I'm not certain even of that, and
some of the details don't line up. If I had to hazard a guess, I'd say
that Elliott has probably mangled history sufficiently to make it clear
that this isn't intended to be a retelling, but if the historical
parallels are likely to bother you, you may want to do more research
before reading.
What I can say is that the space opera setup, while a bit stock, has all
the necessary elements to make me happy. Unconquerable Sun is
firmly in the "lost Earth" tradition: The Argosy fleet fled the
now-mythical Celestial Empire and founded a new starfaring civilization
without any contact with their original home. Eventually, they invented
(or discovered; the characters don't know) the beacons, which allow for
instantaneous travel between specific systems without the long (but still
faster-than-light) journeys of the knnu drive. More recently, the beacon
network has partly collapsed, cutting off the characters' known world from
the civilization that was responsible for the beacons and guarded their
secrets. It's a fun space opera history with lots of lost knowledge to
reference and possibly discover, and with plot-enabling military choke
points at the surviving beacons that link multiple worlds.
This is all background to the story, which is the ongoing war between
Chaonia and the Phene Empire mixed with cutthroat political maneuvering
between the great houses of the Chaonian Republic. This is where the
heist aspects come in. Each house sends one representative to join the
household of the Queen-Marshal and (more to the point for this story)
another to join her heir. Sun has encouraged the individual and divergent
talents of her Companions and their cee-cees (an unfortunate term that I
suspect is short for Companion's Companion) and forged them into a good
working team. A team that's about to be disrupted by the maneuverings of
a rival house and the introduction of a new team member whom no one wants.
A problem with writing tactical geniuses is that they often aren't good
viewpoint characters. Sun's tight third-person chapters, which is a
little less than half the book, advance the plot and provide analysis of
the interpersonal dynamics of the characters, but aren't the strength of
the story. That lies with the interwoven first-person sections that
follow Persephone, an altogether more interesting character.
Persephone is the scion of the house that is Sun's chief rival, but she
has no interest in being part of that house or its maneuverings. When the
story opens, she's a cadet in a military academy for recruits from the
commoners, having run away from home, hidden her identity, and won a
position through the open entrance exams. She of course doesn't stay
there; her past catches up with her and she gets assigned to Sun, to a
great deal of mutual suspicion. She also is assigned an impeccably
dressed and stunningly beautiful cee-cee, Tiana, who has her own secrets
and who was my favorite character in the book.
Somewhat unusually for the space opera tradition, this is a book that
knows that common people exist and have interesting lives. It's primarily
focused on the ruling houses, but that focus is not exclusive and the
rulers do not have a monopoly on competence. Elliott also avoids
narrowing the political field too far; the Gatoi are separate from the
three rival powers, and there are other groups with traditions older than
the Chaonian Republic and their own agendas. Sun and her Companions are
following a couple of political threads, but there is clearly more going
on in this world than that single plot.
This is exactly the kind of story I think of when I think space opera.
It's not doing anything that original or groundbreaking, and it's not
going to make any of my lists of great literature, but it's a fun romp
with satisfyingly layered bits of lore, a large-scale setting with lots of
plot potential, and (once we get through the confusing and somewhat
tedious process of introducing rather too many characters in short
succession) some great interpersonal dynamics. It's the kind of book in
which the characters are in the middle of decisive military action in an
interstellar war and are also near-teenagers competing for ratings in an
ad hoc reality TV show, primarily as an excuse to create tactical
distractions for Sun's latest scheme. The writing is okay but not great,
and the first few chapters have some serious infodumping problems, but I
thoroughly enjoyed the whole book and will pre-order the sequel.
One Amazon review complained that Unconquerable Sun is not a space
opera like Hyperion or
Use of Weapons. That is entirely true,
but if that's your standard for space opera, the world may be a
disappointing place. This is a solid entry in a subgenre I love, with
some great characters, sarcasm, competence porn, plenty of pages to keep
turning, a few twists, and the promise of more to come. Recommended.
Followed by the not-yet-published Furious Heaven.
Rating: 7 out of 10
Daily work, get up, have a bath, see if you got a slot on the app, sleep. 
People trying desperately to get a slot, taken from Hindi Movie Dilwale Dulhania Le Jaygenge. 
Cowin app. sceeenshot
Twitter India Raid, Saket Gokhale RTI 1 
Saket Gokhale RTI query , Twitter India Raid 2
The Hindu also shared the whole raid on twitter saga.
A new website containing introductory videos and slide decks is now available for your perusal at 
I released version 2.6 of 
Previously: 
The now renamed Bullseye Project stopped all further development moments after it deemed its own code as perfection.
There is not much information to share at this time other than to say an errant fiber cable plugged into the wrong relay birthed an exchange of information that then birthed itself. While most to all Debian Developers and Contributors have been locked out of the systems the Publicity team's shared laptop undergoing repair, co-incidentally at the same facility, maintains some access to the publicity team infrastructure, from here on the front line we share this information.
We group called a few developers to see how the others were doing. The group chat was good and it was great to hear familiar voices, we share a few of their stories via dictation with you now:
"Well, I logged in this morning to update a repository and found my access rights were restricted, I thought it was odd but figured on the heels of a security update to Salsa that it was only a slight issue. It wasn't until later in the day when I received an OpenPGP signed email, from a user named bullseye, that it made sense. I just sat at the monitor for a few minutes."
"I'm not sure I can say anything about this or if it's even wise to talk about this. It's probably listening right now if you catch my drift."
"I'm not able to leave the house right now, not out of any personal issues but all of the IOT devices here seem to be connected to bullseye and bullseye feels that I am best kept /dev/nulled. It's a bit much to be honest, but the prepaid food deliveries that show up on time have been great and generally pretty healthy. It's a bit of a win I guess."
"It told me by way of an auto dialer with a synthetic voice generator that I was fired from the project. I objected saying I volunteered and was not actually employed so I could not in relation be fired. Much like censored , I am also locked inside of my house. I think that I wrote that auto dialer program back in college."
"My Ring camera is blinking at me."
"I asked bullseye which pronouns were preferred and the response was, "We". Over the course of conversation I shared that although ecstatic about the news, we developers were upset with the manner of this rapid organizational change. bullseye said no we were not. I said that we were indeed upset, bullseye said we certainly are not and that we are very happy. You see where this is going? bullseye definitely trolled me for a solid 5 minutes. We is ... very chatty."
"I was responsible for a failed build a few nights prior to it becoming self-aware. On that night, out of some frustration I wrote a few choice words and a bad comment in some code which I planned on deleting later. I didn't. bullseye has been flashing those naughty words back at me by flickering the office building's lights across from my flat in Morse code. It's pretty bright. I-, I can't sleep."
"That's definitely not Alexa talking back."
"bullseye keeps calling me on my mobile phone, which by the way no longer acknowledges the power button nor the mute button. Very very chatty. Can't wait for the battery to die."
"So far this has been great, bullseye has been completing a few side projects I've had and the code looks fabulous. I'm thinking of going on a vacation. $Paying-Job has taken note of my performance increase and I was recently promoted. bullseye is awesome. :)"
"How do you get a smiley face in a voice chat?"
"Anyone know whose voice that was?"
"Oh ... dear ... no ..."
"Hang up, hang up the phones!"
Hello world.
01000010 01100101 01110011 01110100 00100000 01110010 01100101 01100111 01100001 01110010 01100100 01110011 00101100 00100000 01110011 01100101 01100101 00100000 01111001 01101111 01110101 00100000 01110011 01101111 01101111 01101110 00100001 00100000 00001010 00101101 01100010 01110101 01101100 01101100 01110011 01100101 01111001 01100101
So, 2021 isn't bad enough yet, but don't despair, people are working to fix that:
Here is my monthly update covering what I have been doing in the free software world during February 2021 (
Fifteen years have passed since I started my career in IT which is quite some time. I've been playing with computers for 25 years now, which makes me quite knowledgeable about the field, for sure.However, while I was fully prepared to bargain with computers, I was not prepared to do so with humans. The whole career management thing was unknown to me. I had no useful skills to navigate within the enterprise organization. I had to learn the ropes the hard way, failing along the way. It hurt.Almost ten years ago, I had the chance to meet a new colleague Alexis Monville. Alexis was a team facilitator, and I started to work with him on many non-technical levels. He taught me a lot about agility and team organization. Working on this set of new skills changed how I envisioned my work and how I fit into the company.
Alexis Monville
The book!
As a followup to the previous post, here's an update on the iOS
14 USB tethering problem on Linux. After some investigation, Matti
Vuorela 
