The American moral and social philosopher Eric Hoffer reportedly said that every great cause begins as a movement, becomes a business, and eventually degenerates into a racket. The reform movement to make healthcare safer is clearly a great cause, but patient safety efforts are increasingly following Hoffer's path.

• http://localhost/
• http://foo.localhost/
• http://127.0.0.1/
• http://0177.0000.0000.0001/ (127.0.0.1 in octal)
• http://0x7F000001/ (127.0.0.1 in hex)
• http://2130706433/ (127.0.0.1 in decimal)
• http://[::ffff:127.0.0.1]/ (IPv4-mapped IPv6 address)
• http://[::ffff:7f00:1]/ (alternate of IPv4-mapped IPv6 address)
• http://[0000:0000:0000:0000:0000:ffff:7f00:0001]/ (fully-expanded IPv4-mapped IPv6 address)
• http://[::1]/
• http://[0000:0000:0000:0000:0000:0000:0000:0001]/ (fully-expanded form of [::1])

• http://0.0.0.0/
• http://0000.0000.0000.0000/ (0.0.0.0 in octal)
• http://0x00000000/(0.0.0.0 in hex)
• http://0/ (0.0.0.0 in decimal)
• http://[::ffff:0.0.0.0]/ (IPv4-mapped IPv6 address)
• http://[::ffff:0000:0000]/ (alternate form of IPv4-mapped IPv6 address)
• http://[0000:0000:0000:0000:0000:ffff:0000:0000]/ (fully-expanded IPv4-mapped IPv6 address)
• http://[::]/
• http://[0000:0000:0000:0000:0000:0000:0000:0000]/ (fully-expanded form of [::])

DNS-based Of course, another way to encode these numerical URLs is to create A / AAAA records for them under a domain you control. I've done this under my personal domain:

• http://t127.fmarier.org/ (127.0.0.1)
• http://t1aaaa.fmarier.org/ ([::1])
• http://t0.fmarier.org/ (0.0.0.0)
• http://t0aaaa.fmarier.org/ ([::])
• http://t127aaaam.fmarier.org/ ([::ffff:7f00:1])
• http://t0aaaam.fmarier.org/ ([::ffff:0000:0000])

For these to work, you'll need to:

• Make sure you can connect to IPv6-only hosts, for example by connecting to an appropriate VPN if needed.
• Put nameserver 8.8.8.8 in /etc/resolv.conf since you need a DNS server that will not filter these localhost domains. (For example, Unbound will do that if you use private-address: 127.0.0.0/8 in the server config.)
• Go into chrome://settings/security and disable Always use secure connections to make sure the OS resolver is used.
• Turn off the chrome://flags/#block-insecure-private-network-requests flag since that security feature (CORS-RFC1918) is designed to protect against these kinds of requests.

127.0.0.0/8 subnet Technically, the entire 127.0.0.0/8 subnet can used to refer to the local machine. However, it's not a reliable way to portscan a machine from a web browser because it only catches the services that listen on all interfaces (i.e. 0.0.0.0). For example, on my machine, if I nmap 127.0.0.1, I get:

PORT     STATE SERVICE   VERSION
22/tcp   open  ssh       OpenSSH 8.2p1
25/tcp   open  smtp      Postfix smtpd

whereas if I nmap 127.0.1.25, I only get:

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1

That's because I've got the following in /etc/postfix/main.cf:

inet_interfaces = loopback-only

which I assume is explicitly binding 127.0.0.1. Nevertheless, it would be good to get that fixed in Brave too.

TL;DR: Science simply does not support binary sexes or binary genders. Truth is a bit more complicated.

• Final comments:

• Useful sources and further reading:

• About me:

• The educated general reader interested in a case study involving error handling, stability, API design, and/or Rust.
• Rust users who have tripped over these changes. If this is you, you can cut to the chase and skip to How to fix.

1. Avoid making changes which would contradict the previously-published documentation of Rust's language and features.
2. Tell you if you accidentally rely on properties which are not part of the published documentation.

    if error.kind() == ErrorKind::NotFound   ...
  

    match error.kind()  
      ErrorKind::NotFound => use_default_configuration(),
      _ => panic!("could not read config file  :  ", &file, &error),
     
  

Errors that are Other now may move to a different or a new ErrorKind variant in the future.

• https://wiki.debian.org/DebianEvents/de/2021/DebianReunionHamburg#Dates_and_format_of_the_event
• https://wiki.debian.org/DebianEvents/de/2021/DebianReunionHamburg#Covid_things
• https://wiki.debian.org/DebianEvents/de/2021/DebianReunionHamburg#Call_for_papers
• https://wiki.debian.org/DebianEvents/de/2021/DebianReunionHamburg#Registration - registration is mandatory for this event!

• biboumi, XMPP gateway to connect to IRC servers: 8.3 9.0
  The biggest change for users is SASL support: A new field in the Configure ad-hoc command lets you set a password that will be used to authenticate to the nick service, instead of using the cumbersome NickServ method.
  Many more changes are listed in the changelog.
• Dino, modern XMPP client: 0.0.git20181129 0.2.0
  Dino in Debian 10 was practically a technology preview. In Debian 11 it is already a fully usable client, supporting OMEMO encryption, file upload, image preview, message correction and many more features in a clean and beautiful user interface.
• ejabberd, the extensible realtime platform: 18.12.1 21.01.
  Probably the most important improvement for end-users is XEP-0215 support to facilitate modern WebRTC-style audio/video calls. ejabberd also integrates more nicely with systemd (e.g., the watchdog feature if supported, now). Apart from that, a new configuration validator was introduced, which brings a more flexible (but mostly backwards-compatible) syntax. Also, error reporting in case of misconfiguration should be way more helpful, now. As a new authentication backend, JSON Web Tokens (JWT) can be used. In addition to the XMPP and SIP support, ejabberd now includes a full-blown MQTT server. A large number of smaller features has been added, performance was improved in many ways, and several bugs were fixed. See the long list of changes.
• Gajim, a GTK+-based Jabber client: 1.1.2 1.3.1
  The new Debian release brings many improvements. Gajim s network code has been completely rewritten, which leads to faster connections, better recovery from network loss, and less network related hiccups. Customizing Gajim is now easier than ever. Thanks to the new settings backend and a completely reworked Preferences window, you can adapt Gajim to your needs in just a few seconds.
  Good for newcomers: account creation is now a lot easier with Gajim s new assistant. The new Profile window gives you many options to tell people more about yourself. You can now easily crop your own profile picture before updating it.
  Group chats actions have been reorganized. It s now easier to send invitations or change your nickname for example. Gajim also received support for chat markers, which enables you to see how far your contact followed the conversation. But this is by far not everything the new release brings. There are many new and helpful features, such as pasting images from your clipboard directly into the chat or playing voice messages directly from the chat window.
  Read more about the new Gajim release in Debian 11 here.
  Furthermore, three more Gajim plugins are now in Debian: gajim-lengthnotifier, gajim-openpgp for OX (XEP-0373: OpenPGP for XMPP) and gajim-syntaxhighlight.
• NEW Kaidan Simple and user-friendly Jabber/XMPP client 0.7.0
  Kaidan is a simple, user-friendly and modern XMPP chat client. The user interface makes use of Kirigami and QtQuick, while the back-end of Kaidan is entirely written in C++ using Qt and the Qt-based XMPP library QXmpp. Kaidan runs on mobile and desktop systems including Linux, Windows, macOS, Android, Plasma Mobile and Ubuntu Touch.
• mcabber, small Jabber (XMPP) console client: 1.1.0 1.1.2
  A theme for 256 color terminals is now included, the handling of carbon message copies has been improved, and various minor issues have been fixed.
• Poezio, Console-based XMPP client: 0.12.1 0.13.1
  This new release brings many improvements, such as Message Archive (XEP-0313) support, initial support for OMEMO (XEP-0384) through a plugin, HTTP File Upload support, Consitent Color Generation (XEP-0392), and plenty of internal changes and bug fixes. Not all changes in 0.13 and 0.13.1 can be listed, see the CHANGELOG for a more extensive summary.
• Profanity, the console based XMPP client: 0.6.0 0.10.0
  We can not list all changes which have been done, but here are some highlights.
  Support of OMEMO Encryption (XEP-0384). Consistent Color Generation (XEP-0392), be aware of the changes in the command to standardize the names of commands. A clipboard feature has been added. Highlight unread messages with a different color in /wins. Keyboard switch to select the next window with unread messages with alt + a. Support for Last Message Correction (XEP-0308), Allow UTF-8 symbols as OMEMO/OTR/PGP indicator char. Add option to open avatars directly (XEP-0084). Add option to define a theme at startup and some changes to improve themes. Add possibility to easily open URLs. Add experimental OX (XEP-0373, XEP-0374) support. Add OMEMO media sharing support, ...
  There is also a Profanity light package in Debian now, the best option for systems with tight limits on resources.
• Prosody, the lightweight extensible XMPP server: 0.11.2 0.11.9
  Upgrading to the latest stable release of Prosody brings a whole load of improvements in the stability, usability and performance departments. It especially improves the performance of websockets, and PEP performance for users with many contacts. It includes interoperability improvements for a range of clients.
• prosody-modules, community modules and extensions for Prosody: 0.0~hg20190203 0.0~hg20210130
  The ever-growing collection of goodies to plug into Prosody has a number of exciting additions, including a suite of modules to handle invite-based account registration, and others for moderating messages in group chats (e.g. for removal of spam/abuse), server-to-server federation over Tor and client authentication using certificates. Many existing community modules received updates as well.
• Psi, Qt-based XMPP client: 1.3 1.5
  The new version contains important bug fixes.
• salutatoi, multi-frontends, multi-purposes communication tool: 0.7.0a4 0.8.0~hg3453
  This version is now fully running on Python 3, and has full OMEMO support (one2one, groups and files). The CLI frontend (jp) has among new commands a "jp file get" one which is comparable to wget with OMEMO support. A file sharing component is included, with HTTP Upload and Jingle support. For a list of other improvements, please consult the changelog.
  Note, that the upstream project has been renamed to "Libervia".
• NEW sms4you, Personal gateway connecting SMS to XMPP or email 0.0.7
  It runs with a GSM device over ModemManager and uses a lightweight XMPP server or a single email account to handle communication in both directions.
• NEW xmppc, XMPP Command Line Client 0.1.0
  xmppc is a new command line tool for XMPP. It supports some basic features of XMPP (request your roster, bookmarks, OMEMO Devices and fingerprints). You can send messages with both legacy PGP (XEP-0027) and the new OX (XEP-0373: OpenPGP for XMPP).

All of the faces they could see were certainly nice. Both the men and women looked kind and wise, and they seemed to come of a handsome race. But after the children had gone a few steps down the room they came to faces that looked a little different. These were very solemn faces. You felt you would have to mind your P's and Q's, if you ever met living people who looked like that. When they had gone a little farther, they found themselves among faces they didn't like: this was about the middle of the room. The faces here looked very strong and proud and happy, but they looked cruel. A little further on, they looked crueller. Further on again, they were still cruel but they no longer looked happy. They were even despairing faces: as if the people they belonged to had done dreadful things and also suffered dreadful things.

Make your choice, adventurous Stranger;
Strike the bell and bide the danger,
Or wonder, till it drives you mad,
What would have followed if you had.

Now the trouble about trying to make yourself stupider than you really are is that you very often succeed.

Debian

This was my 29th month of actively contributing to Debian. I became a DM in late March 2019 and a DD on Christmas 19! \o/ Interesting month, surprisingly. Lots of things happening and lots of moving parts; becoming the new normal , I believe. Anyhow, working on Ubuntu full-time has its own advantage and one of them is being able to work on Debian stuff! So whilst I couldn t upload a lot of packages because of the freeze, here s what I worked on:

Uploads and bug fixes:

• ruby-rack-cors (1.0.2-1+deb10u1) - Fix for CVE-2019-18978/#944849.
• rails (2:6.0.3.7+dfsg-1) - New upstream version, fixing CVE-2021-22904, CVE-2021-22902, and CVE-2021-22885 /#988214.
• ruby-marcel (1.0.1+dfsg-2) - Upload to unstable for rails.
• python-aws-requests-auth (0.4.3-2) - Enable build-time tests.
• gist (6.0.0-2) - Add patch to skip test when $HTTP_PROXY isn t set.
• php-cache-lite (1.8.3-1) - New upstream version, fixing FTBFS w/ PHP 8.0.
• Sponsored upload of htmldoc (1.9.3-1+deb10u1) to buster-pu, fixing CVE-2019-19630 and CVE-2021-20308 for H vard Flaget Aasen.
• Sponsored upload of libbusiness-us-usps-webtools-perl (1.125-1) to unstable, fixing #988330 for Yadd.
• Sponsored upload of radsecproxy (1.8.2-4) to unstable, fixing CVE-2021-32642 for Sven Hartge.

Other $things:

• Mentoring for newcomers and assisting people in BSP.
• Moderation of -project mailing list.

---

Ubuntu

This was my 4th month of actively contributing to Ubuntu. Now that I ve joined Canonical to work on Ubuntu full-time, there s a bunch of things I do! \o/ This month, by all means, was dedicated mostly to PHP 8.0, transitioning from PHP 7.4 to 8.0. Naturally, it had so many moving parts and moments of utmost frustration, shared w/ Bryce. :D So even though I can t upload anything, I worked on the following stuff & asked for sponsorship.
But before, I d like to take a moment to stress how kind and awesome Gianfranco Costamagna, a.k.a. LocutusOfBorg is! He s been sponsoring a bunch of my things & helping with re-triggers, et al. Thanks a bunch, Gianfranco; beers on me whenever we meet!

Merges:

• [2021-05-05] ruby2.7 (2.7.3-2ubuntu1).
• [2021-05-11] exim4 (4.94.2-2ubuntu1).
• [2021-05-17] openvpn (2.5.1-3ubuntu1).
• [2021-05-19] autofs (5.1.7-1).
• [2021-05-25] xterm (366-1ubuntu1).

Uploads & Syncs:

• [2021-05-20] php-net-url2/2.2.1-0.2build2 - no-change rebuild.
• [2021-05-26] phpmyadmin/4:5.0.4+dfsg2-2ubuntu1 - fix build w/ PHP 8.
• [2021-05-26] php-async-aws-core/1.7.2-1build1 - no-change rebuild.
• [2021-05-26] php-async-aws-ses/1.3.0-1build1 - no-change rebuild.
• [2021-05-26] php-async-aws-sqs/1.3.2-1build1 - no-change rebuild.
• [2021-05-26] php-http-interop-http-factory-tests/0.9.0-1build1 - no-change rebuild.
• [2021-05-26] php-twig/3.3.2-1 - sync d from experimental.
• [2021-05-26] php-doctrine-cache/1.10.2-2ubuntu1 - fix build w/ PHP 8.
• [2021-05-26] php-symfony-contracts/2.4.0-1 - sync d from experimental.
• [2021-05-26] php-phpseclib/2.0.30-2ubuntu1 - fix build w/ PHP 8.
• [2021-05-27] php-email-validator/3.1.1-2 - sync d from experimental.
• [2021-05-27] php-async-aws-core/1.10.0-1 - sync d from experimental.
• [2021-05-27] php-async-aws-ses/1.4.0-1 - sync d from experimental.
• [2021-05-27] php-async-aws-sqs/1.5.0-1 - sync d from experimental.
• [2021-05-27] libphp-swiftmailer/6.2.4-1ubuntu1 - fix build w/ PHP 8.
• [2021-05-27] phpunit/9.5.4-1 - sync d from experimental.
• [2021-05-27] php-psr-cache/3.0.0-1 - sync d from experimental.
• [2021-05-27] php-psr-container/2.0.1-1 - sync d from experimental.
• [2021-05-28] php-wmerrors/2.0.0~git20190628.183ef7d-2ubuntu1 - fix build w/ PHP 8.
• [2021-05-28] php-monolog/2.2.0-1 - sync d from experimental.
• [2021-05-28] php-amqplib/3.0.0-1 - sync d from experimental.
• [2021-05-28] php-cache-lite/1.8.3-1 - uploaded to Debian.
• [2021-05-28] php-cache-lite/1.8.3-1 - sync d from experimental.
• [2021-05-29] php-symfony-contracts/2.4.0-1ubuntu1 - fix build w/ PHP 8.
• [2021-05-31] php-symfony-contracts/2.4.0-1ubuntu2 - fix build w/ php-cache-container.

MIRs:

• [2021-05-16] LP: #1915445/python-aws-requests-auth.
• [2021-05-20] LP: #1152187/systemd-container.
• [2021-05-31] LP: #1930207/prips.

Seed Operations:

• [2021-05-31] MP #403505/systemd-container for Bionic.
• [2021-06-01] MP #403562/prips for Impish.

---

Debian (E)LTS

Debian Long Term Support (LTS) is a project to extend the lifetime of all Debian stable releases to (at least) 5 years. Debian LTS is not handled by the Debian security team, but by a separate group of volunteers and companies interested in making it a success. And Debian Extended LTS (ELTS) is its sister project, extending support to the Jessie release (+2 years after LTS support). This was my twentieth month as a Debian LTS and eleventh month as a Debian ELTS paid contributor.
I was assigned 29.75 hours for LTS and 40.00 hours for ELTS and worked on the following things:

LTS CVE Fixes and Announcements:

• Issued DLA 2654-1, fixing CVE-2021-29472, for composer.
  For Debian 9 stretch, these problems have been fixed in version 1.2.2-1+deb9u1.
• Issued DLA 2655-1, fixing CVE-2021-22885 and CVE-2021-22904, for rails.
  For Debian 9 stretch, these problems have been fixed in version 2:4.2.7.1-1+deb9u5.
• Issued DLA 2656-1, fixing CVE-2021-3504, for hivex.
  For Debian 9 stretch, these problems have been fixed in version 1.3.13-2+deb9u1.
• Issued DLA 2659-1, fixing CVE-2018-10196 and CVE-2020-18032, for graphviz.
  For Debian 9 stretch, these problems have been fixed in version 2.38.0-17+deb9u1.
• Issued DLA 2662-1, fixing CVE-2021-32027 and CVE-2021-32028, for postgresql-9.6.
  For Debian 9 stretch, these problems have been fixed in version 9.6.22-0+deb9u1. This update for done by the maintainer, Christoph Berg. I just took care of announcing and publishing the update.
• Uploaded ruby-rack-cors to buster-security, fixing CVE-2019-18978. For Debian 10 buster, these problems have been fixed in version 1.0.2-1+deb10u1.
• Issued DLA 2663-1, fixing CVE-2021-22204, for libimage-exiftool-perl.
  For Debian 9 stretch, these problems have been fixed in version 10.40-1+deb9u1.

ELTS CVE Fixes and Announcements:

• Issued ELA 425-1, fixing CVE-2021-22885 and CVE-2021-22904, for rails.
  For Debian 8 jessie, these problems have been fixed in version 2:4.1.8-1+deb8u9.
• Uploaded rails to unstable, fixing CVE-2021-22885, CVE-2021-22902, and CVE-2021-22904.
  For Debian sid, these problems have been fixed in version 2:6.0.3.7+dfsg-1.
• Issued ELA 426-1, fixing CVE-2021-3504, for hivex.
  For Debian 8 jessie, these problems have been fixed in version 1.3.10-2+deb8u3.
• Issued ELA 428-1, fixing CVE-2018-10196 and CVE-2020-18032, for graphviz.
  For Debian 8 jessie, these problems have been fixed in version 2.38.0-7+deb8u1.
• Issued ELA 430-1, fixing CVE-2021-22204, for libimage-exiftool-perl.
  For Debian 8 jessie, these problems have been fixed in version 9.74-1+deb8u1.

Other (E)LTS Work:

• Front-desk duty from 24-05 until 30-05 for both LTS and ELTS.
• Triaged rails, libimage-exiftool-perl, hivex, graphviz, glibc, libexosip2, impacket, node-ws, thunar, libgrss, nginx, postgresql-9.6, ffmpeg, composter, and curl.
• Mark CVE-2019-9904/graphviz as ignored for stretch and jessie.
• Mark CVE-2021-32029/postgresql-9.6 as not-affected for stretch.
• Mark CVE-2020-24020/ffmpeg as not-affected for stretch.
• Mark CVE-2020-22020/ffmpeg as postponed for stretch.
• Mark CVE-2020-22015/ffmpeg as ignored for stretch.
• Mark CVE-2020-21041/ffmpeg as postponed for stretch.
• Mark CVE-2021-33574/glibc as no-dsa for stretch & jessie.
• Mark CVE-2021-31800/impacket as no-dsa for stretch.
• Mark CVE-2021-32611/libexosip2 as no-dsa for stretch.
• Mark CVE-2016-20011/libgrss as ignored for stretch.
• Mark CVE-2021-32640/node-ws as no-dsa for stretch.
• Mark CVE-2021-32563/thunar as no-dsa for stretch.
• [LTS] Help test and review bind9 update for Emilio.
• [LTS] Suggest and add DEP8 tests for bind9 for stretch.
• [LTS] Sponsored upload of htmldoc to buster for Havard as a consequence of #988289.
• [ELTS] Fix triage order for jetty and graphviz.
• [ELTS] Raise issue upstream about cloud-init; mock tests instead.
• [ELTS] Write to private ELTS list about triage ordering.
• [ELTS] Review Emilio s new script and write back feedback, mentioning extra file created, et al.
• [ELTS/LTS] Raise upgrade problems from LTS -> LTS+1 to the list. Thread here.
  • Further help review and raise problems that could occur, et al.
• [LTS] Help explain path forward for firmware-nonfree update to Ola. Thread here.
• [ELTS] Revert entries of TEMP-0000000-16B7E7 and TEMP-0000000-1C4729; CVEs assigned & fix ELTS tracker build.
• Auto EOL ed linux, libgrss, node-ws, and inspircd for jessie.
• Attended monthly Debian LTS meeting, which didn t happen, heh.
• Answered questions (& discussions) on IRC (#debian-lts and #debian-elts).
• General and other discussions on LTS private and public mailing list.

---

Until next time.
:wq for today.

Pandemic Situation in India. I don t know from where I should start. This is probably a good start. I actually would recommend Indiacable as they do attempt to share some things happening in India from day to day but still there is a lot thatt they just can t cover, nobody can cover. There were two reports which kind of shook me all inside. One which sadly came from the UK publication Independent, probably as no Indian publication would dare publish it. The other from Rural India. I have been privileged in many ways, including friends who have asked me if I need any financial help. But seeing reports like above, these people need more help, guidance and help than I. While I m never one to say give to Foundations. If some people do want to help people from Maharashtra, then moneylifefoundation could be a good place where they could donate. FWIW, they usually use the foundation to help savers and investors be safe and help in getting money when taken by companies with dubious intentions. That is their drive. Two articles show their bent. The first one is about the Algo scam which I have written previously about the same in this blog. Interestingly, when I talk about this scam, all Modi supporters are silent. The other one does give some idea as to why the Govt. is indifferent. That is going to a heavy cross for all relatives to bear. There has been a lot that has been happening. Now instead of being limited to cities, Covid has now gone hinterland in a big way. One could ask also Praveen as he probably knows what would be good for Kerala and surrounding areas. The biggest change, however, has been that India is now battling not just the pandemic but also Mucormycosis also known as black fungus and its deadlier cousin the white fungus. Mucormycosis came largely due to an ill-advise given that applying cow dung gives protection to Corona. And many applied it due to faith. And people who know science do know that in fact it has that bacteria. Sadly, those of us who are and were more interested in law, computer science etc. has now also have to keep on top of what is happening in the medical field. It isn t that I hate it, but it has a lot of costs. From what I could gather on various social media and elsewhere, a single injection of anti-fungal for the above costs INR 3k/- and that needs to be 5 times in a day and that course has to be for three weeks. So even the relatively wealthy people can and will become poor in no time. No wonder thousands of those went to UK, US, Dubai or wherever they could find safe-harbor from the pandemic with no plans of arriving back soon. There was also the whole bit about FBS or Fetal Bovin Serum. India ordered millions of blood serum products from abroad and continues to. This was quickly shut down as news on Social Media. Apparently, it is only the Indian cow which is worthy of reverence. All other cows and their children are fair game according to those in power. Of course, that discussion was quickly shut down as was the discussion about IGP (Indian Genome Project). People over the years had asked me why India never participated for the HGP (Human Gnome Project). I actually had no answer for that. Then in 2020, there was idea of IGP which was put up and then it was quickly shot down as the results could damage a political party s image. In fact, a note to people who want to join Indian civil services tells the reason exactly. While many countries in the world are hypocrites, including the U.S. none can take the place that India has made for itself in that field.

The Online experience The vaccination process has been made online and has led to severe heartburn and trouble for many including many memes. For e.g.

Daily work, get up, have a bath, see if you got a slot on the app, sleep.

People trying desperately to get a slot, taken from Hindi Movie Dilwale Dulhania Le Jaygenge.

Just to explain what is happening, one has to go to the website of cowin. Sharing a screenshot of the same.

Cowin app. sceeenshot

I have deliberately taken a screenshot of the cowin app. in U.P. which is one of the areas where the ruling party, BJP has. I haven t taken my state for the simple reason, even if a slot is open, it is of no use as there are no vaccines. As have been shared in India Cable as well as in many newspapers, it is the Central Govt. which holds the strings for the vaccines. Maharashtra did put up an international tender but to no effect. All vaccine manufacturers want only Central Govt. for purchases for multiple reasons. And GOI is saying it has no money even though recently it got loans as well as a dividend from RBI to the tune of 99k crore. For what all that money is, we have no clue. Coming back though, to the issue at hand. the cowin app. is made an open api. While normally, people like us should and are happy when an API is open, it has made those who understand how to use git, compile, etc. better than others. A copy of the public repo. of how you can do the same can be found on Github. Now, obviously, for people like me and many others it has ethical issues.

Kiran s Interview in Times of India (TOI) There isn t much to say apart from I haven t used it. I just didn t want to. It just is unethical. Hopefully, in the coming days GOI does something better. That is the only thing we are surviving on, hope.

The Toolkit saga A few days before, GOI shared a toolkit apparently made by Congress to defame the party in power. That toolkit was shared before the press and Altnews did the investigation and promptly shredded the claims. Congress promptly made an FIR in Chhattisgarh where it is in power. The gentleman who made the claims Mr. Sambit Patra refused to appear against the police without evidence citing personal reasons and asking 1 week to appear before them. Apart from Altnews which did a great job, sadly many people didn t even know that there is something called WYSIWYG. I had to explain that so many Industries, whether it is politics, creative industries, legal, ad industries, medical transcription, and imaging all use this, and all the participants use the same version of the software. The reason being that in most Industries, there is a huge loss and issue of legal liabilities if something untoward happens. For e.g. if medical transcription is done in India is wrong (although his or her work will be checked by a superior in the West), but for whatever reason is not, and a wrong diagnosis is put (due to wrong color or something) then a patient could die and the firm who does that work could face heavy penalties which could be the death of them. There is another myth that Congress has unlimited wealth or huge wealth. I asked if that was the case, why didn t they shift to Mac. Of course, none have answers on this one. There is another reason why they didn t want to appear. The Rona Wilson investigation by Arsenal Experts also has made them cautious. Previously, they had a free run. Nowadays, software forensic tools are available to one and all. For e.g. Debian itself has a good variety of tools for the same. I remember Vipin s sharing few years back. For those who want to start, just install the apps. and try figuring out. Expertise on using the tools takes years though, as you use the tool day in night. Update 25/05/2021 Apparently because Twitter made and showcased few tweets as Manipulated Media , those in Govt. are and were dead against it. So they conducted a raid against Twitter India headquarters, knowing fully well that there would be nobody except security. The moment I read this, my mind went to the whole Fruit of the poisonous tree legal doctrine. Sadly though, India doesn t recognize it and in fact, still believes in the pre-colonial era that evidence however collected is good. A good explanation of the same can be found here. There are some exceptions to the rule, but they are done so fine that more often than not, they can t be used in the court of law in India. Although a good RTI was shared by Mr. Saket Gokhale on the same issue, which does raise some interesting points

Twitter India Raid, Saket Gokhale RTI 1

Saket Gokhale RTI query , Twitter India Raid 2

FWIW, Saket has been successful in getting his prayers heard either as answers to RTI queries or then following it up in the various High Courts of India. Of course, those who are in the ruling party ridicule him but are unable to find faults in his application of logic. And quite a few times, I have learned from his applications as well as nuances or whatever is there in law, a judgment or a guideline which he invokes in his prayer. For e.g. the Lalitha Kumari Guidelines which the gentleman has shared in his prayer can be found here. Hence now, it would be upto the Delhi Police Cell to prove their case in response to RTI. He has also trapped them as he has shared they can t give excuses/exemptions which they have tried before. As I had shared earlier, High Courts in India have woken up, whether it is Delhi, Mumbai, Aurangabad, Madhya Pradesh, Uttar Pradesh, Odisha or Kerala. Just today i.e. on 25th May 2021, Justices Bela Trivedi and Justice Kalra had asked how come all the hospitals don t have NOC from the Fire De[partment. They also questioned the ASG (Assistant Solicitor General) as how BU (Building Use Certificate) has been granted as almost all the 400 hospitals are in residential area. To which the ASG replies, it is the same state in almost 4000 schools as well as 6000 odd factories in Ahemdabad alone, leave the rest of the district and state alone. And this is when last year strict instuctions were passed. They chose to do nothing sadly. I will share a link on this when bar and bench gives me The Hindu also shared the whole raid on twitter saga.

Conclusion In conclusion, I sincerely do not where we are headed. The only thing I know is that we cannot expect things to be better before year-end and maybe even after that. It all depends on the vaccines and their availability. After that ruralindia article, I had to see quite a few movies and whatnot just to get that out of my head. And this is apart from the 1600 odd teachers and workers who have died in the U.P. poll duty. Now, what a loss, not just to the family members of the victims, but a whole generation of school children who would not be able to get quality teaching and be deprived of education. What will be their future, God only knows. The only good Bollywood movie which I saw was Ramprasad ki Teravi . The movie was an accurate representation of most families in and around me. There was a movie called Sansar (1987) which showed the breakup of the joint family and into a nuclear family. This movie could very well have been a continuation of the same. Even Marathi movies which at one time were very progressive have gone back to the same boy, girl love story routine. Sameer, though released in late 2020, was able to see it only recently. Vakeel Saab was an ok copy of Pink . I loved Sameer as, unlike Salman Khan films, it showed pretty much an authentic human struggle of a person who goes to the Middle East without any qualifications and works as a laborer and the trials he goes through. Somehow, Malayalam movies have a knack for showing truth without much of budget. Most of the Indian web series didn t make an impact. I think many of them were just going through the motions, it seems as everybody is concerned with the well-being of their near and dear ones. There was also this (Trigger Warning: This story discusses organized campaigns glorifying and advocating sexual violence against Muslim women.) Hoping people somehow make it to the other side of the pandemic.

• An AWS account with admin rights
• Full control over the domain name you use to send your newsletter
• A baremetal or virtual Linux Debian server you have the root access to
• NodeJS installed (8x and 10x are ok with Mailtrain)
• A MySQL/MariaDB instance with the root access to
• Redis 3x (not 5) if you want to use Redis (not mandatory)

• Configure AWS SES
• Configure your server by:
  • configuring your database
  • install Mailtrain
  • configuring your web server
• Configure your Mailtrain setup

Ask AWS SES to verify a domain

Generate the DKIM settings

AWS SES pending verification

AWS SES SMTP settings and credentials

MariaDB [(none)]> create database mailtrain;
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> CREATE USER 'mailtrain' IDENTIFIED BY 'V3rYD1fF1cUlTP4sSW0rd!';
Query OK, 0 rows affected (0.01 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON mailtrain.* TO 'mailtrain'@localhost IDENTIFIED BY 'V3rYD1fF1cUlTP4sSW0rd!';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> show databases;
+--------------------+
  Database            
+--------------------+
  information_schema  
  mailtrain           
  mysql               
  performance_schema  
+--------------------+
6 rows in set (0.00 sec)
MariaDB [(none)]> Bye

[mysql]
host="localhost"
user="mailtrain"
password="V3rYD1ff1culT!"
database="mailtrain"

screen
NODE_ENV=production npm start

groupadd mailtrain
useradd -g mailtrain
chown -R mailtrain:mailtrain /var/www/mailtrain 

[Unit]
 Description=mailtrain
 After=network.target
[Service]
 Type=simple
 User=mailtrain
 WorkingDirectory=/var/www/mailtrain/
 Environment="NODE_ENV=production"
 Environment="PORT=3000"
 ExecStart=/usr/bin/npm run start
 TimeoutSec=15
 Restart=always
[Install]
 WantedBy=multi-user.target

systemctl daemon-reload
systemctl start mailtrain.service

map $http_upgrade $connection_upgrade  
  default upgrade;
  ''      close;
 
server  
  listen 80; 
  listen [::]:80;
  server_name mailtrain.toto.com;
  return 301 https://$host$request_uri;
 
server  
  listen 443 ssl;
  listen [::]:443 ssl;
  server_name mailtrain.toto.com;
  access_log /var/log/nginx/mailtrain.toto.com.access.log;
  error_log /var/log/nginx/mailtrain.toto.com.error.log;
  ssl_protocols TLSv1.2;
  ssl_ciphers EECDH+AESGCM:EECDH+AES;
  ssl_ecdh_curve prime256v1;
  ssl_prefer_server_ciphers on; 
  ssl_session_cache shared:SSL:10m;
  ssl_certificate     /etc/letsencrypt/live/mailtrain.toto.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/mailtrain.toto.com/privkey.pem;
  keepalive_timeout    70; 
  sendfile             on;
  client_max_body_size 0;
  root /var/www/mailtrain;
  location ~ /\.well-known\/acme-challenge  
    allow all;
   
  gzip on; 
  gzip_disable "msie6";
  gzip_vary on; 
  gzip_proxied any;
  gzip_comp_level 6;
  gzip_buffers 16 8k; 
  gzip_http_version 1.1;
  gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
  add_header Strict-Transport-Security "max-age=31536000";
  location /   
    try_files $uri @proxy;
   
  location @proxy  
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_pass http://127.0.0.1:3000;
   
 

systemctl start nginx

Mailtrain mailer setup

Mailtrain to throttle sending emails to AWS SES

• Carl Chenet s blog
• Twitter account
• Mastodon account

#!/bin/bash
mkdir -p $ DESTDIR /etc/keys
cp /etc/keys/* $ DESTDIR /etc/keys

#!/bin/sh
GENKEY=ima.genkey
cat << __EOF__ >$GENKEY
[ req ]
default_bits = 1024
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = v3_usr
[ req_distinguished_name ]
O =  hostname 
CN =  whoami  signing key
emailAddress =  whoami @ hostname 
[ v3_usr ]
basicConstraints=critical,CA:FALSE
#basicConstraints=CA:FALSE
keyUsage=digitalSignature
#keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
#authorityKeyIdentifier=keyid,issuer
__EOF__
openssl req -new -nodes -utf8 -sha1 -days 365 -batch -config $GENKEY \
                -out csr_ima.pem -keyout privkey_ima.pem
openssl x509 -req -in csr_ima.pem -days 365 -extfile $GENKEY -extensions v3_usr \
                -CA ~/kern/linux-5.11.14/certs/signing_key.pem -CAkey ~/kern/linux-5.11.14/certs/signing_key.pem -CAcreateserial \
                -outform DER -out x509_evm.der

[    1.050321] integrity: Loading X.509 certificate: /etc/keys/x509_evm.der
[    1.092560] integrity: Loaded X.509 cert 'xev: etbe signing key: 99d4fa9051e2c178017180df5fcc6e5dbd8bb606'

[    1.049170] integrity: Loading X.509 certificate: /etc/keys/x509_ima.der
[    1.093092] integrity: Problem loading X.509 certificate -126

[    1.074759] integrity: Unable to open file: /etc/keys/x509_evm.der (-2)

• [1] https://sourceforge.net/p/linux-ima/wiki/Home/
• [2] https://tinyurl.com/yfvhqdjr
• [3] https://en.opensuse.org/SDB:Ima_evm

• [DLA 2606-1] lxml security update for one CVE
• [DSA 4880-1] lxml security update for one CVE
• [DLA 2611-1] ldb security update for two CVEs
• [DLA 2612-1] leptonlib security update for four CVEs

• ELA-388-1 for zeromq3
• ELA-390-1 for lxml
• ELA-391-1 for jasper
• ELA-393-1 for ldb
• ELA-394-1 for leptonlib

Install necessary packages in a VMInstall a throwaway VM with Vagrant.

apt install vagrant vagrant-libvirt
vagrant init debian/testing64

Bump the RAM and CPU of the VM, Kubernetes needs at least 2 gigs and 2 cores.

awk  -i inplace '1;/^Vagrant.configure\("2"\) do \ config/  print "  config.vm.provider :libvirt do  vm   vm.memory=2048 end" ' Vagrantfile
awk  -i inplace '1;/^Vagrant.configure\("2"\) do \ config/  print "  config.vm.provider :libvirt do  vm   vm.cpus=2 end" ' Vagrantfile

Start the VM, login, update the package index.

vagrant up
vagrant ssh
sudo apt update

Install a container engine, here we use docker.io, we could also use containerd (both are packaged in Debian) or cri-o.

sudo apt install --yes --no-install-recommends docker.io curl

Install kubernetes binaries. This will install kubelet, the system service which will manage the containers, and kubectl the user/admin tool to manage the cluster.

sudo apt install --yes kubernetes- node,client  containernetworking-plugins

Although it is not technically mandatory, we will use kubeadm, the most popular installer to create a Kubernetes cluster. Kubeadm is not packaged in Debian, we have to download an upstream binary.

wget https://dl.k8s.io/v1.20.5/kubernetes-server-linux-amd64.tar.gz

sha512sum kubernetes-server-linux-amd64.tar.gz
28529733bf34f5d5b72eabe30a81df98cc7f8e529590f807745cd67986a2c5c3eb86cebc7ecbcfc3df3c50416306e5d150948f2483933ea46c2aebaeb871ea8f  kubernetes-server-linux-arm64.tar.gz

sudo tar --directory=/usr/local/sbin --strip-components 3 -xaf kubernetes-server-linux-amd64.tar.gz kubernetes/server/bin/kubeadm
sudo chmod +x /usr/local/sbin/kubeadm 
sudo kubeadm version
kubeadm version: &version.Info Major:"1", Minor:"20", GitVersion:"v1.20.5", GitCommit:"6b1d87acf3c8253c123756b9e61dac642678305f", GitTreeState:"clean", BuildDate:"2021-03-18T01:08:27Z", GoVersion:"go1.15.8", Compiler:"gc", Platform:"linux/amd64" 

Add a kubelet systemd unit:

RELEASE_VERSION="v0.4.0"
curl -sSL "https://raw.githubusercontent.com/kubernetes/release/$ RELEASE_VERSION /cmd/kubepkg/templates/latest/deb/kubelet/lib/systemd/system/kubelet.service"   sudo tee /etc/systemd/system/kubelet.service
sudo systemctl enable kubelet

and a default config file for kubeadm

RELEASE_VERSION="v0.4.0"
sudo mkdir -p /etc/systemd/system/kubelet.service.d
curl -sSL "https://raw.githubusercontent.com/kubernetes/release/$ RELEASE_VERSION /cmd/kubepkg/templates/latest/deb/kubeadm/10-kubeadm.conf"   sudo tee /etc/systemd/system/kubelet.service.d/10-kubeadm.conf

finally we need to help kubelet find the components needed for container networking

echo 'KUBELET_EXTRA_ARGS="--cni-bin-dir=/usr/lib/cni"'   sudo tee /etc/default/kubelet

Create a clusterInitialize a cluster with kubeadm: this will download container images for the Kubernetes control plane (= the brain of the cluster), and start the containers via the kubelet service. Yes a good part of Kubernetes itself run in containers.

sudo kubeadm init --pod-network-cidr=10.244.0.0/16
...
...
Your Kubernetes control-plane has initialized successfully!

To start using your cluster, you need to run the following as a regular user:

mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config

Follow the instructions from the kubeadm output, and verify you have a single node cluster, with the status NotReady.

kubectl get nodes 
NAME      STATUS     ROLES                  AGE    VERSION
testing   NotReady   control-plane,master   9m9s   v1.20.5

At that point you should also have a bunch of containers running on the node:

sudo docker ps --format ' .Names '
k8s_kube-apiserver_kube-apiserver-testing_kube-system_2711c230d39ccda1e74d1d6386a05cee_0
k8s_POD_kube-apiserver-testing_kube-system_2711c230d39ccda1e74d1d6386a05cee_0
k8s_etcd_etcd-testing_kube-system_4749b1bca3b1a73fd09c8e299d7030fe_0
k8s_POD_etcd-testing_kube-system_4749b1bca3b1a73fd09c8e299d7030fe_0
...

The kubelet service also needs an external network plugin to get the cluster in Ready state.

sudo systemctl status kubelet
...
Mar 28 09:28:43 testing kubelet[9405]: E0328 09:28:43.958059    9405 kubelet.go:2188] Container runtime network not ready: NetworkReady=false reason:NetworkPluginNotReady message:docker: network plugin is not ready: cni config uninitialized

Let s add that network plugin. Download the flannel network plugin definition, and schedule flannel to run on all nodes of your cluster:

wget https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
kubectl apply --filename=kube-flannel.yml

After a dozen of seconds your node should be in ready status.

kubectl get nodes 
NAME      STATUS   ROLES                  AGE   VERSION
testing   Ready    control-plane,master   16m   v1.20.5

Deploy a test applicationOur node is now in Ready status, but we cannot run application on it, since we only have a master node, an administrative node which by default cannot run user applications.

kubectl describe node testing   grep ^Taints
Taints:             node-role.kubernetes.io/master:NoSchedule

Let s allow node testing to run user applications:

kubectl taint node testing node-role.kubernetes.io/master-

Deploy a nginx container:

kubectl run my-nginx-pod --image=docker.io/library/nginx --port=80 --labels="app=http-content" 

Create a Kubernetes service to access this pod externally:

cat service.yaml

apiVersion: v1
kind: Service
metadata:
  name: my-k8s-service
spec:
  type: NodePort
  ports:
    - port: 80
      nodePort: 30000
  selector:
    app: http-content 

kubectl create --filename service.yaml

Access the service via IP adress:

curl 192.168.121.63:30000
...
Thank you for using nginx.

NotesI will try to get this blog post in a Debian Wiki article, or maybe in the kubernetes-node documentation. Blog posts deprecate and disappear, wiki and project docs live longer.

• Nodes announce a variety of information essential to the DHT s function including their unique node identifiers (PeerIDs) and the CIDs of data that they re providing and because of this, information about which nodes are retrieving and/or reproviding which CIDs is publicly available.
• those DHT queries happen in public. Because of this, it s possible that third parties could be monitoring this traffic to determine what CIDs are being requested, when, and by whom.
• nodes unique identifiers are themselves public your PeerID is still a long-lived, unique identifier for your node. Keep in mind that it s possible to do a DHT lookup on your PeerID and, particularly if your node is regularly running from the same location (like your home), find your IP address Additionally, longer-term monitoring of the public IPFS network could yield information about what CIDs your node is requesting and/or reproviding and when.

• Synapse, the only currently viable Matrix server, is not ready. My Matrix instance hosts ONE person, me. Synapse uses many GB of RAM and 10+GB of disk space. Despite extensive tuning, nothing helped much. It s caused OOMs more than once. It can t be hosted on a Raspberry Pi or even one of the cheaper VPSs.
• Now then, how about choosing a Matrix instance? Well, you could just tell a person to use matrix.org. But then it spent a good portion of last year unable to federate with other popular nodes due to Synapse limitations. Or you could pick a random node, but will it be up when someone needs to say my car broke down? Some are run from a dorm computer, some by a team in a datacenter, some by one person with EC2, and you can t really know. Will your homeserver be stable and long-lived? Hard to say.
• Voice and video calling are not there yet in Matrix. Matrix has two incompatible video calling methods (Jitsi and built-in), neither work consistently well, both are hard to manage, and both have NAT challenges.
• Matrix is so hard to set up on a server that there is matrix-docker-ansible-deploy. This makes it much better, but it is STILL terribly hard to deploy, and very simple things like how do I delete a user or let me shrink down this 30GB database are barely there yet, if at all.
• Encryption isn t mandatory in Matrix. E2EE has been getting dramatically better in the last few releases, but it is still optional, especially for what people would call group chats (rooms). Signal is ALWAYS encrypted. Always. (Unless, I guess, you set it as your SMS provider on Android). You ve got to take the responsibility off the user to verify encryption status, and instead make it the one and only way to use the ecosystem.

• Dead-simple setup
• Store-and-forward delivery (devices need not be online simultaneously)
• Encrypted everything, including voice and video calls, and the ability to send photos and video encrypted

Timeline

January Ski weekend. Skiing is awesome! Cancelling a US work trip since there will be more opportunities soon (har har!).

February Ski vacation. Yep, skiing is awesome. Can t wait for next season (har har!). Discussions about Covid start in the office, but more is this scary or just interesting? (yes, this was before casualties). Then things start escalating, work-from-home at least partially, etc. etc. Definitely not just intersting anymore. In Garmin-speak, I got ~700+ intensity minutes in February (correlates with activity time, but depends on intensity of the effort whether 1:1 or 2 intensity minutes for one wall-clock minute).

March Sometimes during the month, my workplace introduces mandatory WFH. I remember being the last person in our team in the office, on the last day we were allowed to work, and cleaning my desk/etc., thinking all this, and we ll be back in 3 weeks or so . Har har! I buy a webcam, just in case WFH gets extended. And start to increase my sports - getting double the intensity minutes (1500+).

April Switzerland enters the first, hard, lockdown. Or was it late March? Not entirely sure, but in my mind March was the opening, and April was the first main course. It is challenging, having to juggle family and work and stressed schedule, but also interesting. Looking back, I think I liked April the most, as people were actually careful at that time. I continue upgrading my home office - new sound system, so that I don t have to plug in/plug out cables. 1700+ intensity minutes this month.

May Continued WFH, somewhat routine now. My then internet provider started sucking hard, so I upgrade with good results. I m still happy, half a year later (quite happy, even). Still going strong otherwise, but waiting for summer vacation, whatever it will be. A tiny bit more effort, so 1800 intensity minutes in May.

June Switzerland relaxes the lock down, but not my company, so as the rest of the family goes out and about, I start feeling alone in the apartment. And somewhat angry at it, which impacts my sports (counter-intuitively), so I only get 1500 intensity minutes. I go and buy a coffee machine a real one, that takes beans and grinds them, so I get to enjoy the smell of freshly-ground coffee and the fun of learning about coffee beans, etc. But it occupies the time. On the work/job front, I think at this time I finally got a workstation for home, instead of a laptop (which was ultra-portable too), so together with the coffee machine, it feels like a normal work environment. Well, modulo all the people. At least I m not crying anymore every time I open a new tab in Chrome

July Situation is slowly going better, but no, not my company. Still mandatory WFH, with (if I recall correctly) one day per week allowed, and no meeting other people. I get angrier, but manage to channel my energy into sports, almost doubly my efforts in July - 2937 intensity minutes, not quite reaching the 3000 magic number. I buy more stuff to clean and take care of my bicycles, which I don t really use. So shopping therapy too.

August The month starts with a one week family vacation, but I take a bike too, so I manage to put in some effort (it was quite nice riding TBH). A bit of changes in the personal life (nothing unexpected), which complicates things a bit, but at this moment I really thought Switzerland is going to continue to decrease in infections/R-factor/etc. so things will get back to normal, right? My company expands a bit the work-from-office part, so I m optimistic. Sports wise, still going strong, 2500 intensity minutes, preparing for the single race this year.

September The personal life changes from August start to stabilise, so things become again routine, and I finally get to do a race. Life was good for an extended weekend (well, modulo race angst, but that s part of the fun), and I feel justified to take it slow the week after the race. And the week after that too. I end up the month with close, but not quite, 1900 intensity minutes.

October October starts with school holidays and a one week family vacation, but I feel demotivated. Everything is closing down again (well, modulo schools), and I actually have difficulty getting re-adjusted to no longer being alone in the apartment during the work hours. I only get ~1000 intensity minutes in October, mainly thanks to good late autumn weather and outside rides. And I start playing way more computer games. I also sell my PS4, hoping to get a PS5 next month.

November November continues to suck. I think my vacation in October was actually detrimental - it broke my rhythm, I don t really do sport anymore, not consistently at least, so I only get 700+ intensity minutes. And I keep playing computer games, even if I missed the PS5 ordering window; so I switch to PC gaming. My home office feels very crowded, so as kind of anti-shopping therapy, I sell tons of smallish stuff; can t believe how much crap I kept around while not really using it. I also manage to update/refresh all my Debian packages, since next freeze approaches. Better than for previous releases, so it feels good.

December December comes, end of the year, the much awaited vacation - which we decide to cancel due to the situation in whole of Switzerland (and neighbouring countries). I basically only play computer games, and get grand total of 345 activity minutes this month. And since my weight is inversely correlated to my training, I m basically back at my February weight, having lost all the gains I made during the year. I mean, having gained back all the fat I lost. Err, you know what I mean; I m back close to my high-watermark, which is not good.

Conclusion I was somehow hoping that the end of the year will allow me to reset and restart, but somehow - a few days into January - it doesn t really feel so. My sleep schedule is totally ruined, my motivation is so-so, and I think the way I crashed in October was much harder/worse than I realised at the time, but in a way expected for this crazy year. I have some projects for 2021 - or at least, I m trying to make up a project list - in order to get a bit more structure in my continued stuck inside the house part, which is especially terrible when on-call. I don t know how the next 3-6 months will evolve, but I m thankful that so far, we are all healthy. Actually, me personally I ve been healthier physically than in other years, due to less contact with other people. On the other side, thinking of all the health-care workers, or even service workers, my IT job is comfy and all I am is a spoiled person (I could write many posts on specifically this topic). I really need to up my willpower and lower my spoil level. Hints are welcome :( Wish everybody has a better year in 2021.

• .dsc (as a generic deb822 file)
• .buildinfo and .changes (as a generic deb822 provided the base name looks like it follows the package_version_arch pattern)
• debian/copyright (as a DEP-5 / machine-readable copyright file if the Format field exists).

Files:
 <md5> <size> filename
Checksums-Sha256:
 <sha256> <size> filename

Files: <md5> <size> filename
Checksums-Sha256: <sha256> <size> filename

contact=ads@fmarier.org

• https://feeding.cloud.geek.nz/ads.txt
• https://fmarier.org/ads.txt

Specification The key parts of the specification for our purposes are:

[3.1] If the server response indicates the resource does not exist (HTTP Status Code 404), the advertising system can assume no declarations exist and that no advertising system is unauthorized to buy and sell ads on the website. [3.2.1] Some publishers may choose to not authorize any advertising system by publishing an empty ads.txt file, indicating that no advertising system is authorized to buy and sell ads on the website. So that consuming systems properly read and interpret the empty file (differentiating between web servers returning error pages for the /ads.txt URL), at least one properly formatted line must be included which adheres to the format specification described above.

As you can see, the specification sadly ignores RFC8615 and requires that the ads.txt file be present directly in the root of your web server, like the venerable robots.txt file, but unlike the newer security.txt standard. If you don't want to provide an email address in your ads.txt file, the specification recommends using the following line verbatim:

placeholder.example.com, placeholder, DIRECT, placeholder

Validation A number of online validators exist, but I used the following to double-check my setup:

• https://adstxt.guru/validator/url/?url=https%3A%2F%2Ffeeding.cloud.geek.nz%2Fads.txt
• https://www.adstxtgenerator.com/validator/results/?site=feeding.cloud.geek.nz

cat <<END > /etc/apt/sources.list.d/bullseye.list
deb http://deb.debian.org/debian/ bullseye main
END
cat <<END > /etc/apt/preferences.d/pin-rpki
# by default do not install anything from bullseye
Package: *
Pin: release bullseye
Pin-Priority: 100
Package: fort-validator rpki-trust-anchors
Pin: release bullseye
Pin-Priority: 990
END
apt update

apt install curl ca-certificates

echo 'rpki-trust-anchors rpki-trust-anchors/get_arin_tal boolean true' \
    debconf-set-selections

apt install fort-validator

cat <<END > /etc/apt/sources.list.d/bullseye.list
deb http://deb.debian.org/debian/ bullseye main
END
cat <<END > /etc/apt/preferences.d/pin-rpki
# by default do not install anything from bullseye
Package: *
Pin: release bullseye
Pin-Priority: 100
Package: gortr rpki-client rpki-trust-anchors
Pin: release bullseye
Pin-Priority: 990
END
apt update

apt install curl ca-certificates

echo 'rpki-trust-anchors rpki-trust-anchors/get_arin_tal boolean true' \
    debconf-set-selections

apt install rpki-client gortr

echo 'OPTIONS=-j' > /etc/default/rpki-client

systemctl start rpki-client &

echo 'GORTR_ARGS=-bind :323 -verify=false -checktime=false -cache /var/lib/rpki-client/json' > /etc/default/gortr

systemctl restart gortr