Given news that ISC's DHCP suite is getting deprecated by upstream and seeing how dhclient has never worked properly for DHCPv6, I decided to look into alternatives. ISC itself recommends Roy Marples's dhcpcd as a migration path. Sadly, Debian's package had been left unattended for a good 2 years. After refactoring the packaging, updating to the latest upstream and performing one NMU, I decided to adopt the package.
Numerous issues were exposed in the process:
Upstream's ./configure makes BSD assumptions. No harm done, but still...
Upstream's ./configure is broken. --prefix does not propagate to all components. For instance, I had to manually specify the full path for manual pages. Patches are welcome.
Debian had implemented custom exit hooks for all its NTP packages. Since then, upstream has implemented this in a much more concise way. All that's missing upstream is support for timesyncd. Patches are welcome.
I'm still undecided on whether --prefix should assume / or /usr for networking binaries on a Debian system. Feedback is welcome.
The previous maintainer had implemented plenty of transitional measures in maintainer scripts such as symbolically linking /sbin/dhcpcd and /usr/sbin/dhcpcd. Most of this can probably be removed, but I haven't gotten around to verifying this. Feedback and patches are welcome.
The previous maintainer had created an init.d script and systemd unit. Both of these interfere with launching dhcpcd using ifupdown via /etc/network/interfaces which I really need for configuring a router for IPv4 MASQ and IPv6 bridge. I solved this by putting them in a separate package and shipping the rest via a new binary target called dhcpcd-base along a logic similar to dnsmasq.
DHCPv6 Prefix Delegation mysteriously reports enp4s0: no global addresses for default route after a reboot. Yet if I manually restart the interface, none of this appears. Help debugging this is welcome.
Support for Predictable Interface Names was missing because Debian's package didn't Build-Depends on libudev-dev. Fixed.
Support for privilege separation was missing because Debian's package did not ./configure this or create a system user for this. Fixed.
I am pondering moving the Debian package out of the dhcpcd5 namespace back into the dhcpcd namespace. The 5 was the result of an upstream fork that happened a long time ago and the original dhcpcd package no longer is in the Debian archive. Feedback is welcome on whether this would be desirable.
The key advantage of dhcpcd over dhclient is that it works as a dual-stack DHCP client by design. With privilege separation enabled, this means separate child processes handling IPv4 and IPv6 configuration and passing the received information to the parent process to configure networking and update /etc/resolv.conf with nameservers for both stacks. Additionally, /etc/network/interfaces no longer needs separate inet and inet6 lines for each DHCP interface, which makes for much cleaner configuration files.
A secondary advantage is that the dual-stack includes built-in fallback to Bonjour for IPv4 and SLAAC for IPv6. Basically, unless the interface needs a static IP address, this client handles network configuration in a smart and transparent way.
A third advantage is built-in support for DHCPv6 Prefix Delegation. Enabling this requires just two lines in the configuration file.
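One way the prefix delegation setup described above can look in /etc/dhcpcd.conf, as an added example that is not the author's own configuration. It assumes enp4s0 (the interface named in the post) is the upstream link and enp5s0 is a hypothetical downstream LAN interface; the IAID values 1 and 2 are arbitrary.

```conf
# /etc/dhcpcd.conf fragment (constructed for illustration)
# enp4s0: upstream interface, the name quoted in the post
# enp5s0: downstream LAN interface (hypothetical name)

noipv6rs                 # disable router solicitation globally
interface enp4s0
    ipv6rs               # enable router solicitation on the upstream link only
    ia_na 1              # request a DHCPv6 address (IA_NA) using IAID 1
    ia_pd 2 enp5s0/0     # request a delegated prefix (IA_PD) using IAID 2
                         # and assign the subnet with SLA ID 0 to enp5s0
```

On a router, restricting router solicitation to the upstream interface keeps dhcpcd from taking IPv6 configuration from router advertisements that arrive on the LAN side.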
In the long run, I feel that dhcpcd-base should probably replace isc-dhcp-client as the default DHCP client with priority Important. Adequate IPv6 support should come out of the box on a standard Debian installation, yet dhclient never got around to implementing that properly.
The internet, it's that thing that acts up all the time, right?
As said in my first post, I abandoned the idea to interview children
younger than 9 years because it seems they are not necessarily aware
that they are using the internet. But it turns out that some have
heard about the internet. My friend Anna, who has 9 younger siblings,
tried to win some of her brothers and sisters for an interview with me.
At the dinner table, this turned into a discussion and she sent me an
incredibly funny video where two of her brothers and sisters, aged 5 and
6, discuss with her about the internet. I won't share the video for
privacy reasons; besides, the kids speak in the wondrous
dialect of Vorarlberg, a region in western Austria, close to the border
with Liechtenstein.
Here's a transcription of the dinner table discussion:
Anna: what is the internet?
both children: (shouting as if it was a game of who gets it first) photo! mobile! device! camera!
Anna: But one can have a camera without the internet
M.: Internet is the mobile phone charger! Mobile phone full!
J.: Internet is internet is
M.: I know! Internet is where you can charge something, the mobile phone and
Anna: You mean electricity?
M.: Yeah, that is the internet, electricity!
Anna: (laughs), Yes, the internet works a bit similarly, true.
J.: It's the electricity of the house!
Anna: The electricity of the house
(everyone is talking at the same time now.)
Anna: And what's WiFi?
M.: WiFi it's the TV!
Anna (laughs)
M.: WiFi is there so it doesn't act up!
Anna (laughs harder)
J. (repeats what M. just said): WiFi is there so it doesn't act up!
Anna: So that what doesn't act up?
M.: (moves her finger wildly drawing a small circle in the air) So that it doesn't spin!
Anna: Ah?
M.: When one wants to watch something on Youtube, well then that the thing doesn't spin like that!
Anna: Ahhh! so when you use Youtube, you need the internet, right?
J.: Yes, so that one can watch things.
I really like how the kids associate the internet with a thing that
works all the time, except for when it doesn't work. Then they notice:
"The internet is acting up!" Probably, when that happens, parents or
older siblings say: "the internet is acting up" or "let me check why the
internet acts up again" and maybe they get up from the sofa, switch a
home router on and off again, which creates this association with
electricity.
(Just for the sake of clarity for fellow multilingualist readers, the
kids used the German word "spinnen", which I translated to "acting up".
In French that would be "déconner".)
WiFi for everyone!
I interviewed another of Anna's siblings, a 10 year old boy. He told me
that he does not really use the internet by himself yet, and does not
own any internet capable device. He watches when older family members
look up stuff on Google, or put on a video on Youtube, Netflix, or
Amazon; he knew all these brand names though. In the living room,
there's Alexa, he told me, and he uses the internet by asking Alexa to
play music.
Then I say: Alexa, play this song!
Interestingly, he knew that, in order to listen to a CD, the internet
was not needed.
When asked what a drawing would look like that explains the internet, he
drew a scheme of the living room at home, with the TV, Alexa, and some
kind of WiFi dongle, maybe a repeater. (Unfortunately I did not manage to get his
drawing.)
If he could ask a wise and friendly dragon one thing about the internet
that he always wanted to know, he would ask "How much internet can one
have and what are all the things one can do with the internet?"
If he could change the internet for the better for everyone, he would
build a gigantic building which would provide the entire world with
WiFi.
Cut out the stupid stuff from the internet
His slightly older sister does own a laptop and a smartphone. She uses
the internet to watch movies, or series, to talk with her friends, or to
listen to music.
When asked how she would explain the internet to an alien, she said that
one can do a lot of things on the internet, but on the internet there
can be stupid things, but also good things, one can learn stuff on the
internet, for example how to do crochet.
Most importantly, she noticed that
one needs the internet nowadays.
Her drawing shows how she uses the internet: calls using WhatsApp,
watching movies online, and a laptop with open windows on the screen.
She would ask the dragon that can explain one thing she always wanted to know about
the internet:
What is the internet? How does it work at all? How does it function?
What she would change has to do with her earlier remark about stupid
things:
I would make it so that there are less stupid things. It would be good
to use the internet for better things, but not for useless things,
that one doesn't actually need.
When I asked her what she meant by "stupid things", she replied:
Useless videos where one talks about nonsense. And one can also google
stupid things, for example "how long will i be alive?" and stuff like
that.
Patterns
From the interviews I made until now, there seems to be a cut between
the age where kids don't own a device and use the internet to watch
movies, series or listen to music and the age where they start owning a
device and then they start talking to their friends, and create accounts
on social media. This seems to happen roughly at ages 9-10.
I'm still surprised at the amount of ideas that kids have, when asked
what they would change on the internet if they could. I'm sure
there's more if one goes looking for it.
Thanks
Thanks to my friends who made all these interviews possible either by
allowing me to meet their children, or their younger siblings: Anna,
Christa, Aline, Cindy, and Martina.
Welcome to the April 2022 report from the Reproducible Builds project! In these reports, we try to summarise the most important things that we have been up to over the past month. If you are interested in contributing to the project, please take a few moments to visit our Contribute page on our website.
News
Cory Doctorow published an interesting article this month about the possibility of "Undetectable backdoors for machine learning models". Given that machine learning models can provide unpredictably incorrect results, Doctorow recounts that there exists another category of "adversarial examples" that comprise "a gimmicked machine-learning input that, to the human eye, seems totally normal but which causes the ML system to misfire dramatically" that permit the possibility of planting "undetectable back doors into any machine learning system at training time".
Chris Lamb published two supporter spotlights on our blog: the first about Amateur Radio Digital Communications (ARDC) and the second about the Google Open Source Security Team (GOSST).
Piergiorgio Ladisa, Henrik Plate, Matias Martinez and Olivier Barais published a new academic paper titled "A Taxonomy of Attacks on Open-Source Software Supply Chains" (PDF):
This work proposes a general taxonomy for attacks on open-source supply chains, independent of specific programming languages or ecosystems, and covering all supply chain stages from code contributions to package distribution. Taking the form of an attack tree, it covers 107 unique vectors, linked to 94 real-world incidents, and mapped to 33 mitigating safeguards.
This dissertation starts from the first link in the software supply chain, "developers". Since many developers do not update their vulnerable software libraries, thus exposing the user of their code to security risks. To understand how they choose, manage and update the libraries, packages, and other Open-Source Software (OSS) that become the building blocks of companies' completed products consumed by end-users, twenty-five semi-structured interviews were conducted with developers of both large and small-medium enterprises in nine countries. All interviews were transcribed, coded, and analyzed according to applied thematic analysis
Upstream news
Filippo Valsorda published an informative blog post recently called "How Go Mitigates Supply Chain Attacks", outlining the high-level features of the Go ecosystem that help prevent various supply-chain attacks.
There was new/further activity on a pull request filed against openssl by Sebastian Andrzej Siewior in order to prevent saved CFLAGS (which may contain the -fdebug-prefix-map=<PATH> flag that is used to strip an arbitrary build path from the debug info) from being recorded; if this information remains recorded then the binary is no longer reproducible if the build directory changes.
Events
The Linux Foundation's SupplyChainSecurityCon will take place June 21st-24th 2022, both virtually and in Austin, Texas. Long-time Reproducible Builds and openSUSE contributor Bernhard M. Wiedemann learned that he had his talk accepted, and will speak on "Reproducible Builds: Unexpected Benefits and Problems" on June 21st.
There will be an in-person Debian Reunion in Hamburg, Germany later this year, taking place from 23-30 May. Although this is a Debian event, there will be some folks from the broader Reproducible Builds community and, of course, everyone is welcome. Please see the event page on the Debian wiki for more information. 41 people have registered so far, and there's approx 10 on-site beds still left.
The minutes and logs from our April 2022 IRC meeting have been published. In case you missed this one, our next IRC meeting will take place on May 31st at 15:00 UTC on #reproducible-builds on the OFTC network.
Debian
Roland Clobus wrote another in-depth status update about the status of live Debian images, summarising the current situation that all major desktops build reproducibly with bullseye, bookworm and sid, including the Cinnamon desktop on bookworm and sid, "but at a small functionality cost: 14 words will be incorrectly abbreviated". This work incorporated:
Reporting an issue about unnecessarily modified timestamps in the daily Debian installer images.
Reporting a bug against the debian-installer in order to use a suitable kernel version. (#1006800)
Reporting a bug in texlive-binaries regarding the unreproducible content of .fmt files. (#1009196)
Adding hacks to make the Cinnamon desktop image reproducible in bookworm and sid.
Added a script to rebuild a live-build ISO image from a given timestamp.
Upstream patches
The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:
diffoscope
diffoscope is our in-depth and content-aware diff utility. Not only can it locate and diagnose reproducibility issues, it can provide human-readable diffs from many kinds of binary formats. This month, Chris Lamb prepared and uploaded versions 210 and 211 to Debian unstable, as well as noticed that some Python .pyc files are reported as data, so we should support .pyc as a fallback filename extension.
In addition, Mattia Rizzolo disabled the Gnumeric tests in Debian as the package is not currently available and dropped mplayer from Build-Depends too. In addition, Mattia fixed an issue to ensure that the PATH environment variable is properly modified for all actions, not just when running the comparator.
Testing framework
The Reproducible Builds project runs a significant testing framework at tests.reproducible-builds.org, to check packages and other artifacts for reproducibility. This month, the following changes were made:
Daniel Golle:
Prefer a different solution to avoid building all OpenWrt packages; skip packages from optional community feeds.
Holger Levsen:
Detect Python deprecation warnings in the node health check.
Detect failure to build the Debian Installer.
Mattia Rizzolo:
Install disorderfs for building OpenWrt packages.
Don't build all packages whilst the core packages are not yet reproducible.
Add a missing RUN directive to node_cleanup.
Be less verbose during a toolchain build.
Use disorderfs for rebuilds and update the documentation to match.
Roland Clobus:
Publish the last reproducible Debian ISO image.
Use the rebuild.sh script from the live-build package.
Lastly, node maintenance was also performed by Holger Levsen.
If you are interested in contributing to the Reproducible Builds project, please visit our Contribute page on our website. However, you can get in touch with us via:
TL;DR: firmware support in Debian sucks, and we need to change
this. See the "My preference, and rationale" Section below.
In my opinion, the way we deal with (non-free) firmware in Debian is a
mess, and this is hurting many of our users daily. For a long time
we've been pretending that supporting and including (non-free)
firmware on Debian systems is not necessary. We don't want to have
to provide (non-free) firmware to our users, and in an ideal world we
wouldn't need to. However, it's very clearly no longer a sensible path
when trying to support lots of common current hardware.
Background - why has (non-free) firmware become an issue?
Firmware is the low-level software that's designed to make
hardware devices work. Firmware is tightly coupled to the hardware,
exposing its features, providing higher-level functionality and
interfaces for other software to use. For a variety of reasons, it's
typically not Free Software.
For Debian's purposes, we typically separate firmware from
software by considering where the code executes (does it run on a
separate processor? Is it visible to the host OS?) but it can be
difficult to define a single reliable dividing line here. Consider the
Intel/AMD CPU microcode packages, or the U-Boot firmware packages as
examples.
In times past, all necessary firmware would normally be included
directly in devices / expansion cards by their vendors. Over time,
however, it has become more and more attractive (and therefore more
common) for device manufacturers to not include complete firmware
on all devices. Instead, some devices just embed a very simple set
of firmware that allows for upload of a more complete firmware "blob"
into memory. Device drivers are then expected to provide that blob
during device initialisation.
There are a couple of key drivers for this change:
Cost: it's typically cheaper to fit smaller flash memory (or no
flash at all) onto a device. The cost difference may seem small in
many cases, but reducing the bill of materials (BOM) even by a few
cents can make a substantial difference to the economics of a
product. For most vendors, they will have to implement device
drivers anyway and it's not difficult to include firmware in that
driver.
Flexibility: it's much easier to change the behaviour of a device by
simply changing to a different blob. This can potentially cover lots
of different use cases:
separating deadlines for hardware and software in manufacturing
(drivers and firmware can be written and shipped later);
bug fixes and security updates (e.g. CPU microcode changes);
changing configuration of a device for different users or products
(e.g. potentially different firmware to enable different
frequencies on a radio product);
changing fundamental device operation (e.g. switching between RAID
and JBOD functionality on a disk controller).
Due to these reasons, more and more devices in a typical computer now
need firmware to be uploaded at runtime for them to function
correctly. This has grown:
Going back 10 years or so, most computers only needed firmware
uploads to make WiFi hardware work.
A growing number of wired network adapters now demand firmware
uploads. Some will work in a limited way but depend on extra
firmware to allow advanced features like TCP segmentation offload
(TSO). Others will refuse to work at all without a firmware upload.
More and more graphics adapters now also want firmware uploads to
provide any non-basic functions. A simple basic (S)VGA-compatible
framebuffer is not enough for most users these days; modern desktops
expect 3D acceleration, and a lot of current hardware will not
provide that without extra firmware.
Current generations of common Intel-based laptops also need firmware
uploads to make audio work (see the firmware-sof-signed package).
At the beginning of this timeline, a typical Debian user would be able
to use almost all of their computer's hardware without needing any
firmware blobs. It might have been inconvenient to not be able to use
the WiFi, but most laptops had wired ethernet anyway. The WiFi could
always be enabled and configured after installation.
Today, a user with a new laptop from most vendors will struggle to
use it at all with our firmware-free Debian installation media. Modern
laptops normally don't come with wired ethernet now. There won't be
any usable graphics on the laptop's screen. A visually-impaired user
won't get any audio prompts. These experiences are not acceptable, by
any measure. There are new computers still available for purchase
today which don't need firmware to be uploaded, but they are growing
less and less common.
Current state of firmware in Debian
For clarity: obviously not all devices need extra firmware
uploading like this. There are many devices that depend on firmware
for operation, but we never have to think about them in normal
circumstances. The code is not likely to be Free Software, but it's
not something that we in Debian must spend our time on as we're not
distributing that code ourselves. Our problems come when our user
needs extra firmware to make their computer work, and they need/expect
us to provide it.
We have a small set of Free firmware binaries included in Debian main,
and these are included on our installation and live media. This is
great - we all love Free Software and this works.
However, there are many more firmware binaries that are not
Free. If we are legally able to redistribute those binaries, we
package them up and include them in the non-free section of the
archive. As Free Software developers, we don't like providing or
supporting non-free software for our users, but we acknowledge that
it's sometimes a necessary thing for them. This tension is
acknowledged in the Debian Free Software Guidelines.
This tension extends to our installation and live media. As non-free
is officially not considered part of Debian, our official
media cannot include anything from non-free. This has been a
deliberate policy for many years. Instead, we have for some time been
building a limited parallel set of "unofficial non-free" images which
include non-free firmware. These non-free images are produced by the
same software that we use for the official images, and by the same
team.
There are a number of issues here that make developers and users
unhappy:
1. Building, testing and publishing two sets of images takes more
effort.
2. We don't really want to be providing non-free images at all, from a
philosophy point of view. So we mainly promote and advertise
the preferred official free images. That can be a cause of
confusion for users. We do link to the non-free images in various
places, but they're not so easy to find.
3. Using non-free installation media will cause more installations to
use non-free software by default. That's not a great story for us,
and we may end up with more of our users using non-free software
and believing that it's all part of Debian.
4. A number of users and developers complain that we're wasting their
time by publishing official images that are just not useful for a
lot (a majority?) of users.
We should do better than this.
Options
The status quo is a mess, and I believe we can and should do
things differently.
I see several possible options that the images team can choose from
here. However, several of these options could undermine the principles
of Debian. We don't want to make fundamental changes like that
without the clear backing of the wider project. That's why I'm writing
this...
1. Keep the existing setup. It's horrible, but maybe it's the best we
can do? (I hope not!)
2. We could just stop providing the non-free unofficial images
altogether. That's not really a promising route to follow - we'd be
making it even harder for users to install our software. While
ideologically pure, it's not going to advance the cause of Free
Software.
3. We could stop pretending that the non-free images are unofficial,
and maybe move them alongside the normal free images so they're
published together. This would make them easier to find for people
that need them, but is likely to cause users to question why we
still make any images without firmware if they're otherwise
identical.
4. The images team technically could simply include non-free into
the official images, and add firmware packages to the input lists
for those images. However, that would still leave us with problem 3
from above (non-free generally enabled on most installations).
5. We could split out the non-free firmware packages into a new
non-free-firmware component in the archive, and allow a
specific exception only to allow inclusion of those packages on
our official media. We would then generate only one set of official
media, including those non-free firmware packages.
(We've already seen various suggestions in recent years to split
up the non-free component of the archive like this, for example
into non-free-firmware, non-free-doc, non-free-drivers,
etc. Disagreement (bike-shedding?) about the split caused us to not
make any progress on this. I believe this project should be picked
up and completed. We don't have to make a perfect solution here
immediately, just something that works well enough for our needs
today. We can always tweak and improve the setup incrementally if
that's needed.)
These are the most likely possible options, in my opinion. If you have
a better suggestion, please let us know!
I'd like to take this set of options to a GR, and do it soon. I want
to get a clear decision from the wider Debian project as to how to
organise firmware and installation images. If we do end up changing
how we do things, I want a clear mandate from the project to do that.
My preference, and rationale
Mainly, I want to see how the project as a whole feels here - this
is a big issue that we're overdue solving.
What would I choose to do? My personal preference would be to go
with option 5: split the non-free firmware into a special new
component and include that on official media.
Does that make me a sellout? I don't think so. I've been
passionately supporting and developing Free Software for more than
half my life. My philosophy here has not changed. However, this is a
complex and nuanced situation. I firmly believe that sharing software
freedom with our users comes with a responsibility to also make
our software useful. If users can't easily install and use Debian,
that helps nobody.
By splitting things out here, we would enable users to install and use
Debian on their hardware, without promoting/pushing higher-level
non-free software in general. I think that's a reasonable compromise.
This is simply a change to recognise that hardware requirements have
moved on over the years.
Further work
If we do go with the changes in option 5, there are other things we
could do here for better control of and information about non-free
firmware:
Along with adding non-free firmware onto media, when the installer
(or live image) runs, we should make it clear exactly which
firmware packages have been used/installed to support detected
hardware. We could link to docs about each, and maybe also to
projects working on Free re-implementations.
Add an option at boot to explicitly disable the use of the non-free
firmware packages, so that users can choose to avoid them.
Acknowledgements
Thanks to people who reviewed earlier versions of this document and/or
made suggestions for improvement, in particular:
Welcome to the March 2022 report from the Reproducible Builds project! In our monthly reports we outline the most important things that we have been up to over the past month.
The in-toto project was accepted as an incubating project within the Cloud Native Computing Foundation (CNCF). in-toto is a framework that protects the software supply chain by collecting and verifying relevant data. It does so by enabling libraries to collect information about software supply chain actions and then allowing software users and/or project managers to publish policies about software supply chain practices that can be verified before deploying or installing software. The CNCF hosts a number of critical components of the global technology infrastructure under the auspices of the Linux Foundation. (View full announcement.)
Hervé Boutemy posted to our mailing list with an announcement that the Java Reproducible Central has hit the milestone of "500 fully reproduced builds of upstream projects". Indeed, at the time of writing, according to the nightly rebuild results, 530 releases were found to be fully reproducible, with 100% reproducible artifacts.
GitBOM is a relatively new project to enable build tools to trace every source file that is incorporated into build artifacts. As an experiment and/or proof-of-concept, the GitBOM developers are rebuilding Debian to generate side-channel build metadata for versions of Debian that have already been released. This only works because Debian is (partially) reproducible, so one can be sure that, in the case where build artifacts are identical, any metadata generated during these instrumented builds applies to the binaries that were built and released in the past. More information on their approach is available in the README file in the bomsh repository.
Ludovic Courtès has published an academic paper discussing how the performance requirements of high-performance computing are not (as usually assumed) at odds with reproducible builds. The received wisdom is that vendor-specific libraries and platform-specific CPU extensions have resulted in a culture of local recompilation to ensure the best performance, rendering the property of reproducibility unobtainable or even meaningless. In his paper, Ludovic explains how Guix has:
[…] implemented what we call package multi-versioning for C/C++ software that lacks function multi-versioning and run-time dispatch […]. It is another way to ensure that users do not have to trade reproducibility for performance. (full PDF)
Kit Martin posted to the FOSSA blog a post titled "The Three Pillars of Reproducible Builds". Inspired by the "shock of infiltrated or intentionally broken NPM packages, supply chain attacks, long-unnoticed backdoors", the post goes on to outline the high-level steps that lead to a reproducible build:
It is one thing to talk about reproducible builds and how they strengthen software supply chain security, but it's quite another to effectively configure a reproducible build. Concrete steps for specific languages are a far larger topic than can be covered in a single blog post, but today we'll be talking about some guiding principles when designing reproducible builds.
Events
There will be an in-person Debian Reunion in Hamburg, Germany later this year, taking place from 23-30 May. Although this is a Debian event, there will be some folks from the broader Reproducible Builds community and, of course, everyone is welcome. Please see the event page on the Debian wiki for more information.
Bernhard M. Wiedemann posted to our mailing list about a meetup for Reproducible Builds folks at the openSUSE conference in Nuremberg, Germany.
It was also recently announced that DebConf22 will take place this year as an in-person conference in Prizren, Kosovo. The pre-conference meeting (or "Debcamp") will take place from 10-16 July, and the main talks, workshops, etc. will take place from 17-24 July.
Johannes Schauer Marin Rodrigues posted to the debian-devel list mentioning that he exploited the property of reproducibility within Debian to demonstrate that automatically converting a large number of packages to a new internal source version did not change the resulting packages. The proposed change could therefore be applied without causing breakage:
So now we have 364 source packages for which we have a patch and for which we can show that this patch does not change the build output. Do you agree that with those two properties, the advantages of the 3.0 (quilt) format are sufficient such that the change shall be implemented at least for those 364?
Tooling
diffoscope is our in-depth and content-aware diff utility. Not only can it locate and diagnose reproducibility issues, it can provide human-readable diffs from many kinds of binary formats. This month, Chris Lamb prepared and uploaded versions 207, 208 and 209 to Debian unstable, as well as made the following changes to the code itself:
Update minimum version of Black to prevent test failure on Ubuntu jammy. []
Brent Spillner also worked on adding graceful handling for UNIX sockets and named pipes to diffoscope. [][][]. Vagrant Cascadian also updated the diffoscope package in GNU Guix. [][]
reprotest is the Reproducible Builds project's end-user tool to build the same source code twice in widely different environments and check whether the binaries produced by the builds have any differences. This month, Santiago Ruano Rincón added a new --append-build-command option [], which was subsequently uploaded to Debian unstable by Holger Levsen.
Upstream patches
The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:
Testing framework
The Reproducible Builds project runs a significant testing framework at tests.reproducible-builds.org, to check packages and other artifacts for reproducibility. This month, the following changes were made:
Holger Levsen:
Replace a local copy of the dsa-check-running-kernel script with a packaged version. []
Don't hide the status of offline hosts in the Jenkins shell monitor. []
Detect undefined service problems in the node health check. []
Update the sources.lst file for our mail server as it's still running Debian buster. []
Add our mail server to our node inventory so it is included in the Jenkins maintenance processes. []
Remove the debsecan package everywhere; it got installed accidentally via the Recommends relation. []
Document the usage of the osuosl174 host. []
Regular node maintenance was also performed by Holger Levsen [], Vagrant Cascadian [][][] and Mattia Rizzolo.
If you are interested in contributing to the Reproducible Builds project, please visit our Contribute page on our website. However, you can get in touch with us via:
In 2021, I finished and reviewed 43 books, yet another (tiny) increase
over 2020 and once again the best year for reading since 2012 (which was
the last time I averaged 5 books a month). The year got off to a good
reading start and closed strong, but once again had sags in the spring and
summer when I got behind on reviews and fell out of the habit of reading
daily. This year, at least, the end-of-year catch-up was less dramatic;
all but two of the books I reviewed in December were finished in December.
The best books I read this year were Naomi Novik's magic boarding school
fantasies A Deadly
Education and The
Last Graduate, which I rated a 9 and a 10 respectively. Memorable
characters, some great world-building, truly exceptional characterization
of a mother/daughter relationship, adroit avoidance of genre pitfalls, and
two of my favorite fictional tropes: for me, this series has it all. The
third and concluding book of that series is my most anticipated book of
2022.
My large reviewing project of this year was a complete re-read of
C.S. Lewis's The Chronicles of Narnia, starting with my
1000th published review.
As you can see, I have a lot of opinions about those books; they were a
huge part of my childhood, and I'd been talking about writing those
reviews for years. They were the longest reviews I've published and,
unusually for me, full-spoiler reviews, and they took up a lot of my
reviewing energy for the year. Of the seven books in the series, I was
pleased to see that The Voyage of the Dawn Treader and
The Magician's
Nephew held up and are still very much worth reading. The Voyage
of the Dawn Treader, in particular, is an exceptional sense-of-wonder
fantasy novel with a story structure that remains rare.
The best non-fiction book I read in 2021 is a prosaic choice that's only
of specialist interest, but JavaScript: The Definitive Guide is precisely the type of
programming language manual that I look for when learning a new language.
It taught me what I was hoping to learn when I picked it up.
Honorable mentions are a crowded field this year; I read a lot of books
that were good but not great. Worth calling out are Arkady Martine's
A Desolation Called
Peace (sequel to the excellent
A Memory Called
Empire), if for nothing else than Three Seagrass; Micaiah Johnson's
impressive debut The
Space Between Worlds; and Becky Chambers's last Wayfarer novel,
The Galaxy, and the
Ground Within. On the non-fiction side, Allie Brosh's
Solutions and Other
Problems is a much harder and sadder book than the exceptional
Hyperbole and a
Half, but it was still very much worth reading.
This was another year spent reading mostly recently-published books,
without much backfill of either award winners or my existing library. In
2022, I hope to balance keeping up with new books of interest with
returning to series I left unfinished, award lists I left only partly
explored, and books I snapped up in earlier years and then never got
around to.
The full analysis includes some
additional personal reading statistics, probably only of interest to me.
Arch Linux uses libarchive (bsdtar) in its build environment. The default tar
program installed is GNU tar. It is possible to create a source distribution
which leads to different files seen by the build environment than compared to
a careful reviewer and other Linux distributions.
Samanta notes that addressing the tar utilities themselves will not be a
sufficient fix:
I have submitted bug reports and patches to some projects but eventually I
had to conclude that the problem itself cannot be fixed by these
implementations alone. The best choice for these tools would be to only allow
archives which are fully compatible to standards but this in turn would
render a lot of archives broken.
Reproducible builds, with its twin ideas of reaching consensus on the build outputs as well as precisely recording and describing the build environment, would help address this problem at a higher level.
Codethink announced that they had achieved ISO-26262 ASIL D Tool Certification, a way of determining specific safety standards for software. Codethink used open source tooling to achieve this, but they also leverage:
Reproducibility, repeatability and traceability of builds, drawing heavily on best-practices championed by the Reproducible Builds project.
PackagingCon is a conference for developers of package management software, their communities and other stakeholders. This virtual event, which will take place on the 9th and 10th November 2021, has a "mission is to bring different ecosystems together". The schedule for the event is now available to view online.
In addition, Trevor Rosen from SolarWinds presented at the Linux Foundation's Supply Chain Security Con last month on incorporating in-toto into their build system. in-toto is a framework to secure the integrity of software supply chains. Trevor also discusses building everything twice to validate the first build, à la reproducible builds. (PDF slides)
Jeremiah announced the release of version 1.4 of stage0-posix, part of a broader effort to provide an ultra-minimal bootstrap seed to increase trust in our software stack.
Fredrik Strömberg offered an update on the Sigsum project and some specific milestones within transparency logging efforts: "after a year of design iterations we have not only designed a transparency log but also decided to turn it into a project of its own".
There were quite a few changes to the Reproducible Builds website and documentation this month as well, including Feng Chai updating some links on our publications page [] and marco updating our project metadata around the Bitcoin Core building guide [].
Lastly, we ran another productive meeting on IRC during October. A full set of notes from the meeting is available to view.
Distribution work
Qubes was heavily featured in the latest edition of Linux Weekly News, and a significant section was dedicated to discussing reproducibility. For example, it was mentioned that the Qubes project has been "working on incorporating reproducible builds into its continuous integration (CI) infrastructure". But the LWN article goes on to describe that:
The current goal is to be able to build the Qubes OS Debian templates solely from packages that can be built reproducibly. Templates in Qubes OS are VM images that can be used to start an application qube quickly based on the template. The qube will have read-only access to the root filesystem of the template, so that the same root filesystem can be shared with multiple application qubes. There are official templates for several variants of both Fedora and Debian, as well as community maintained templates for several other distributions.
You can view the whole article on LWN, and Frédéric also published a lengthy summary about their work on reproducible builds in Qubes for those wishing to learn more.
In Debian this month, 133 reviews of Debian packages were added, 81 were updated and 24 were removed, adding to Debian's ever-growing knowledge about identified issues. A number of issues were categorised and added by Chris Lamb and Vagrant Cascadian too [][][]. In addition, work on an alternative snapshot service has made progress by Frédéric Pierret and Holger Levsen this month, including moving from the existing host (snapshot.notset.fr) to snapshot.reproducible-builds.org (more info), thanks to OSUOSL for the machine and hosting and Debian for the disks.
Finally, Bernhard M. Wiedemann posted his monthly reproducible builds status report.
diffoscope
diffoscope is our in-depth and content-aware diff utility. Not only can it locate and diagnose reproducibility issues, it can provide human-readable diffs from many kinds of binary formats. This month, Chris Lamb made the following changes, including preparing and uploading versions 186, 187, 188 and 189 to Debian:
New features:
Add support for Python Sphinx inventory files (usually named objects.inv on-disk). []
Add support for comparing .pyc files. Thanks to Sergei Trofimovich for the inspiration. []
Try some alternative suffixes (e.g. .py) to support distributions that strip or retain them. [][]
Bug fixes:
Fix Python decompilation tests under Python 3.10+ [] and for Python 3.7 [].
Don't raise a traceback if we cannot unmarshal Python bytecode. This is in order to support Python 3.7 failing to load .pyc files generated with newer versions of Python. []
Skip Python bytecode testing where we do not have an expected diff. []
Codebase improvements:
Use our file_version_is_lt utility instead of accepting both versions of uImage expected diff. []
Split out a custom call to assert_diff for a .startswith equivalent. []
Use skipif instead of manual conditionals in some tests. []
In addition, Jelle van der Waa added external tool references for Arch Linux for ocamlobjinfo, openssl and ffmpeg [][][] and added Arch Linux as a Continuous Integration (CI) test target. [] and Vagrant Cascadian updated the testsuite to skip Python bytecode comparisons when file(1) is older than 5.39. [] as well as added external tool references for the Guix distribution for dumppdf and ppudump. [][]. Vagrant Cascadian also updated the diffoscope package in GNU Guix [][].
Lastly, Guangyuan Yang updated the FreeBSD package name on the website [], Mattia Rizzolo made a change to override a new Lintian warning due to the new test files [], Roland Clobus added support to detect and log if the GNU_BUILD_ID field in an ELF binary has been modified [], Sandro Jäckel updated a number of helpful links on the website [] and Sergei Trofimovich made the uImage test output support file() version 5.41 [].
reprotest
reprotest is the Reproducible Builds project's end-user tool to build the same source code twice in widely differing environments, checking the binaries produced by the builds for any differences.
This month, reprotest version 0.7.18 was uploaded to Debian unstable by Holger Levsen, which also included a change by Holger to clarify that Python 3.9 is used nowadays [], but it also included two changes by Vasyl Gello to implement realistic CPU architecture shuffling [] and to log the selected variations when the verbosity is configured at a sufficiently high level []. Finally, Vagrant Cascadian updated reprotest to version 0.7.18 in GNU Guix.
Upstream patches
The Reproducible Builds project detects, dissects and attempts to fix unreproducible packages. We try to send all of our patches upstream where appropriate. We authored a large number of such patches this month, including:
Testing framework
The Reproducible Builds project runs a testing framework at tests.reproducible-builds.org, to check packages and other artifacts for reproducibility. This month, the following changes were made:
Handle schroot errors when invoking diffoscope instead of masking them. [][]
Declare and define some variables separately to avoid masking the subshell return code. []
Fix variable name. []
Improve log reporting. []
Execute apt-get update with the -q argument to get more decent logs. []
Set the Debian HTTP mirror and proxy for snapshot.reproducible-builds.org. []
Install the libarchive-tools package (instead of bsdtar) when updating Jenkins nodes. []
Be stricter about errors when starting the node agent [] and don't overwrite NODE_NAME so that we can expect Jenkins to properly set it for us [].
Explicitly warn if the NODE_NAME is not a fully-qualified domain name (FQDN). []
Document whether a node runs in the future. []
Disable postgresql_autodoc as it is not available in bullseye. []
Don't be so eager when deleting schroot internals, call to schroot -e to terminate the schroots instead. []
Only consider schroot underlays for deletion that are over a month old. [][]
Only try to unmount /proc if it's actually mounted. []
Move the db_backup task to its own Jenkins job. []
Lastly, Vasyl Gello added usage information to the reproducible_build.sh script [].
Contributing
If you are interested in contributing to the Reproducible Builds project, please visit our Contribute page on our website. However, you can get in touch with us via:
The goal behind reproducible builds is to ensure that no deliberate flaws have been introduced during compilation processes via promising or mandating that identical results are always generated from a given source. This allows multiple third-parties to come to an agreement on whether a build was compromised or not by a system of distributed consensus.
In these reports we outline the most important things that have been happening in the world of reproducible builds in the past month:
First mentioned in our March 2021 report, Martin Heinz published two blog posts on sigstore, a project that endeavours to offer software signing as a "public good, [the] software-signing equivalent to Let's Encrypt". The first of the two posts, entitled Sigstore: A Solution to Software Supply Chain Security, outlines more about the project and justifies its existence:
Software signing is not a new problem, so there must be some solution already, right? Yes, but signing software and maintaining keys is very difficult especially for non-security folks and UX of existing tools such as PGP leave much to be desired. That's why we need something like sigstore - an easy to use software/toolset for signing software artifacts.
Some time ago I checked Signal's reproducibility and it failed. I asked others to test in case I did something wrong, but nobody made any reports. Since then I tried to test the Google Play Store version of the apk against one I compiled myself, and that doesn't match either.
BitcoinBinary.org was announced this month, which aims to be a "repository of Reproducible Build Proofs for Bitcoin Projects":
Most users are not capable of building from source code themselves, but we can at least get them able enough to check signatures and shasums. When reputable people who can tell everyone they were able to reproduce the project's build, others at least have a secondary source of validation.
Related to this, there was continuing discussion on how to embed/encode the build metadata for the Debian live images which were being worked on by Roland Clobus.
Ariadne Conill published another detailed blog post related to various security initiatives within the Alpine Linux distribution. After summarising some conventional security work being done (eg. with sudo and the release of OpenSSH version 3.0), Ariadne included another section on reproducible builds: "The main blocker [was] determining what to do about storing the build metadata so that a build environment can be recreated precisely".
Finally, Bernhard M. Wiedemann posted his monthly reproducible builds status report.
Community news
On our website this month, Bernhard M. Wiedemann fixed some broken links [] and Holger Levsen made a number of changes to the Who is Involved? page [][][]. On our mailing list, Magnus Ihse Bursie started a thread with the subject Reproducible builds on Java, which begins as follows:
I'm working for Oracle in the Build Group for OpenJDK which is primary responsible for creating a built artifact of the OpenJDK source code. […] For the last few years, we have worked on a low-effort, background-style project to make the build of OpenJDK itself building reproducible. We've come far, but there are still issues I'd like to address. []
diffoscope
diffoscope is our in-depth and content-aware diff utility. Not only can it locate and diagnose reproducibility issues, it can provide human-readable diffs from many kinds of binary formats. This month, Chris Lamb prepared and uploaded versions 183, 184 and 185 as well as performed significant triaging of merge requests and other issues in addition to making the following changes:
New features:
Support a newer format version of the R language's .rds files. []
Don't call close_archive when garbage collecting Archive instances, unless open_archive definitely returned successfully. This prevents, for example, an AttributeError where PGPContainer's cleanup routines were rightfully assuming that its temporary directory had actually been created. []
Fix (and test) the comparison of R language's .rdb files after refactoring temporary directory handling. []
Ensure that RPM archives exists in the Debian package description, regardless of whether python3-rpm is installed or not at build time. []
Codebase improvements:
Use our assert_diff routine in tests/comparators/test_rdata.py. []
Move diffoscope.versions to diffoscope.tests.utils.versions. []
Reformat a number of modules with Black. [][]
However, the following changes were also made:
Mattia Rizzolo:
Fix an autopkgtest caused by the androguard module not being in the (expected) python3-androguard Debian package. []
Appease a shellcheck warning in debian/tests/control.sh. []
Ignore a warning from h5py in our tests that doesn't concern us. []
Drop a trailing .1 from the Standards-Version field as it's required. []
Zbigniew Jędrzejewski-Szmek:
Stop using the deprecated distutils.spawn.find_executable utility. [][][][][]
Adjust an LLVM-related test for LLVM version 13. []
Update invocations of llvm-objdump. []
Adjust a test with a one-byte text file for file version 5.40. []
And, finally, Benjamin Peterson added a --diff-context option to control unified diff context size [] and Jean-Romain Garnier fixed the Macho comparator for architectures other than x86-64 [].
Upstream patches
The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:
#990246 filed against vlc (forwarded upstream [][])
Testing framework
The Reproducible Builds project runs a testing framework at tests.reproducible-builds.org, to check packages and other artifacts for reproducibility. This month, the following changes were made:
Holger Levsen:
Drop my package rebuilder prototype as it's not useful anymore. []
Schedule old packages in Debian bookworm. []
Stop scheduling packages for Debian buster. [][]
Don't include PostgreSQL debug output in package lists. []
Detect Python library mismatches during build in the node health check. []
Update a note on updating the FreeBSD system. []
Mattia Rizzolo:
Silence a warning from Git. []
Update a setting to reflect that Debian bookworm is the new testing. []
Upgrade the PostgreSQL database to version 13. []
Roland Clobus (Debian live image generation):
Workaround non-reproducible config files in the libxml-sax-perl package. []
Use the new DNS for the snapshot service. []
Vagrant Cascadian:
Also note that the armhf architecture also systematically varies by the kernel. []
Contributing
If you are interested in contributing to the Reproducible Builds project, please visit our Contribute page on our website. However, you can get in touch with us via:
Debian 11 (codename Bullseye) was recently released. This was the smoothest upgrade I've experienced in some 20 years as a Debian user. In my haste, I completely forgot to first upgrade dpkg and apt, doing a straight dist-upgrade. Nonetheless, everything worked out of the box. No unresolved dependency cycles. Via my last-mile Gigabit connection, it took about 5 minutes to upgrade and reboot. Congratulations to everyone who made this possible!
Since the upgrade, only a handful of bugs were found. I filed bug reports. Over these past few days, maintainers have started responding. In one particular case, my report exposed a CVE caused by copy-pasted code between two similar packages. The source package fixed their code to something more secure a few years ago, while the destination package missed it. The situation has been brought to Debian's security team's attention and should be fixed over the next few days.
Afterthoughts
Having recently experienced hard-disk problems on my main desktop, upgrading to Bullseye made me revisit a few issues. One of these was the possibility of transitioning to BTRFS. Last time I investigated the possibility was back when Ubuntu briefly switched their default filesystem to BTRFS. Back then, my feeling was that BTRFS wasn't ready for mainstream. For instance, the utility to convert an EXT2/3/4 partition to BTRFS corrupted the end of the partition. No thanks. However, in recent years, many large-scale online services have migrated to BTRFS and seem to be extremely happy with the result. Additionally, Linux kernel 5 added useful features such as background defragmentation. This got me pondering whether now would be a good time to migrate to BTRFS. Sadly it seems that the stock kernel shipping with Bullseye doesn't have any of these advanced features enabled in its configuration. Oh well.
Geode
The only point that has become problematic is my Geode hosts. For one thing, upstream Rust maintainers have decided to ignore the fact that i686 is a specification and arbitrarily added compiler flags for more recent x86-32 CPUs to their i686 target. While Debian Rust maintainers have purposely downgraded the target, RustC still produces binaries that the Geode LX (essentially an i686 without PAE) cannot process. This affects fairly basic packages such as librsvg, which breaks SVG image support for a number of dependencies. Additionally, there have been persistent problems with systemd crashing on my Geode hosts whenever daemon-reload is issued. Then, a few days ago, problems started occurring with C++ binaries, because GCC-11 upstream enabled flags for more recent CPUs in their default i686 target. While I realize that SSE and similar recent CPU features produce better binaries, I cannot help but feel that treating CPU targets as anything else than a specification is a mistake. i686 is a specification. It is not a generic equivalent to x86-32.
I first started using Debian sometime in the mid 90s and started contributing as a developer and package maintainer more than two decades ago. My very first scholarly publication, collaborative work led by Martin Michlmayr that I did when I was still an undergrad at Hampshire College, was about quality and the reliance on individuals in Debian. To this day, many of my closest friends are people I first met through Debian. I met many of them at Debian's annual conference DebConf.
Given my strong connections to Debian, I find it somewhat surprising that although all of my academic research has focused on peer production, free culture, and free software, I haven't actually published any Debian related research since that first paper with Martin in 2003!
So it felt like coming full circle when, several days ago, I was able to sit in the virtual DebConf audience and watch two of my graduate student advisees, Kaylea Champion and Wm Salt Hale, present their research about Debian at DebConf21.
Salt presented his master's thesis work which tried to understand the social dynamics behind organizational resilience among free software projects. Kaylea presented her work on a new technique she developed to identify at-risk software packages that are lower quality than we might hope given their popularity (you can read more about Kaylea's project in our blog post from earlier this year).
If you missed either presentation, check out the blog post my research collective put up or watch the videos below. If you want to hear about new work we're doing, including work on Debian, you should follow our research group blog, and/or follow or engage with us in the Fediverse (@communitydata@social.coop), or on Twitter (@comdatasci).
And if you're interested in joining us, perhaps to do more research on FLOSS and/or Debian and/or a graduate degree of your own, please be in touch with me directly!
I'm creating a program that uses the web browser for its user interface, and
I'm reasonably sure I'm not the first person doing this.
Normally such a program would listen to a port on localhost, and tell the
browser to connect to it. Bonus points for
listening to a randomly allocated free port,
so that one does not need to involve some amount of luck to get the program
started.
However, using a local port still means that any user on the local machine can
connect to it, which is generally a security issue.
A possible solution would be to use AF_UNIX Unix Domain Sockets, which are
supported by various web servers, but as far as I understand not currently by
browsers. I checked Firefox and Chrome,
and they currently seem to fail to even acknowledge the use case.
I'm reasonably sure I'm not the first person doing this, and yes, it's intended
as an understatement.
So, dear Lazyweb, is there a way to securely use a browser as a UI for a
user's program, without exposing access to the backend to other users in the
system?
Access token in the URL
Emanuele Di Giacomo suggests to add an access
token to the URL that gets passed to the browser.
This would work to protect access on localhost: even if the application cannot
use HTTPS, other users cannot see packets that go through the local interface,
so both the access token and the session cookie that one could send afterwards
would be protected.
Network namespaces
I thought about isolating server and browser in a private network namespace
with something like unshare(1), but it seems to require root.
Johannes Schauer Marin Rodrigues wrote to correct that:
It's possible to unshare the network namespace by first unsharing the user
namespace and thus becoming root which is possible without being root since
#898446 got fixed.
For example you can run this as the normal user:
lxc-usernsexec -- lxc-unshare -s NETWORK -- ip addr
If you don't want to depend on lxc, you can write a wrapper in Perl or Python.
I have a Perl implementation of that in mmdebstrap.
Firewalling
Martin Schuster wrote to suggest another option:
I had the same issue. My approach was "weird", but worked:
Block /outgoing/ connections to the port, unless the uid is correct.
That might be counter-intuitive, but of course all connections
/to/ localhost will be done /from/ localhost also.
Something like:
iptables -A OUTPUT -p tcp -d localhost --dport 8123 -m owner --uid-owner joe -j ACCEPT
iptables -A OUTPUT -p tcp -d localhost --dport 8123 -j REJECT
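
The access-token suggestion above, combined with the randomly allocated loopback port, as an added example that is not code from the post or from its correspondents. The cookie name, the single-use exchange of the URL token for a session cookie, and the redirect that drops the token from the address bar are assumptions of this example.

```python
import hmac
import secrets
import threading
import webbrowser
from http.cookies import CookieError, SimpleCookie
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qs, urlsplit

COOKIE_NAME = "ui_session"  # hypothetical name, not from the post


def _same(a, b):
    """Constant-time comparison; encoding first means non-ASCII input cannot raise."""
    return hmac.compare_digest(a.encode(), b.encode())


class LaunchAuth:
    """Single-use launch token that is exchanged for a session cookie."""

    def __init__(self):
        self._lock = threading.Lock()
        self._launch_token = secrets.token_urlsafe(32)
        self._session = None

    def launch_url(self, port):
        return f"http://127.0.0.1:{port}/?token={self._launch_token}"

    def redeem(self, candidate):
        """Return a fresh session id for the correct token, exactly once."""
        with self._lock:
            if self._launch_token is None or not _same(candidate, self._launch_token):
                return None
            self._launch_token = None  # the copy left in the URL is now worthless
            self._session = secrets.token_urlsafe(32)
            return self._session

    def session_ok(self, cookie_header):
        """Check the Cookie request header against the issued session id."""
        if self._session is None or not cookie_header:
            return False
        jar = SimpleCookie()
        try:
            jar.load(cookie_header)
        except CookieError:
            return False
        morsel = jar.get(COOKIE_NAME)
        return morsel is not None and _same(morsel.value, self._session)


class UIHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        auth = self.server.auth
        url = urlsplit(self.path)
        token = parse_qs(url.query).get("token", [""])[0]
        if token:
            session = auth.redeem(token)
            if session is None:
                return self._reply(403, "forbidden\n")
            # Redirect so the token does not stay in the address bar.
            self.send_response(303)
            self.send_header("Location", url.path or "/")
            self.send_header(
                "Set-Cookie",
                f"{COOKIE_NAME}={session}; HttpOnly; SameSite=Strict; Path=/",
            )
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        if not auth.session_ok(self.headers.get("Cookie")):
            return self._reply(403, "forbidden\n")
        self._reply(200, "hello from the backend\n")

    def _reply(self, status, body):
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, fmt, *args):
        pass  # keep request lines that carry the token out of stderr


def make_server(auth):
    # Port 0 lets the kernel pick a free port; bind to loopback only.
    server = ThreadingHTTPServer(("127.0.0.1", 0), UIHandler)
    server.auth = auth
    return server


if __name__ == "__main__":
    auth = LaunchAuth()
    server = make_server(auth)
    webbrowser.open(auth.launch_url(server.server_port))
    server.serve_forever()
```

Cookies are scoped to the host rather than the port, so the browser also sends this cookie to any other service on 127.0.0.1; the backend should treat the session id as valid only for its own lifetime and generate a new one on every start, as this example does.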
BBI Kenya and live Supreme Court streaming on YT
The last few weeks have been unrelenting as all sorts of news have been coming in, mostly about the downturn in the Economy, Islamophobia in India on the rise, Covid, and electioneering. However, in the last few days, Kenya surpassed India in live-streaming proceedings in a Court of Appeals about BBI or Building Bridges Initiative. A background filler article on the topic can be found in BBC. The live-streaming was done via YT and if one wants to, one can start from
https://www.youtube.com/watch?v=JIQzpmVKvro
One can also subscribe to K24TV which took the initiative of sharing the proceedings with people worldwide. If K24TV continues to share SC proceedings of Kenya, that would add to the soft power of Kenya. I will not go into the details of the case as Gautam Bhatia who has been following the goings-on in Kenya is a far better authority on the subject. In fact, just recently he shared about another Kenyan judgment from a trial which can be seen here. He has shared the proceedings and some hot takes on the Twitter thread started by him. Probably after a couple of weeks or more when he has processed what all has happened there, he may also share some nuances although many of his thoughts would probably go to his book on Comparative Constitutional Law which he hopes to publish maybe in 2021/2022 or whenever he can. Such televised proceedings are sure to elevate the standing of Kenya internationally. There has been a proposal to do similar broadcasts by India but with surveillance built-in, so they know who is watching. The problems with the architecture and the surveillance built-in have been shared by Srinivas Kodali or DigitalDutta quite a few times, but that probably is a story for another day.
Uttar Pradesh Population Control Bill
Hindus comprise 83% of Indian couples with more than two children
The U.P. Population Bill came, and it came with a lot of prejudices. One of the prejudices is the idea that Muslims procreate to have the most children, even when data is presented, as shared above, from the NFHS (National Family Health Survey), which is supposed to carry out surveys every few years and did the last one around 4 years back. The analysis from it has been instrumental not only in preparing graphs such as the one above but also in sharing what sort of death toll there must have been in rural India. And as somebody who has had the opportunity in the past, I can vouch that you need to be extremely lucky if something happens to you when you are in a rural area.
Even in places like Bodh Gaya (have been there) where millions of tourists come as it is one of the places not to be missed on the Buddhism tourist circuit, the medical facilities are pretty underwhelming. I am not citing it simply because there are too many such newspaper reports from even before the pandemic, and both the State and the Central Govt. response has been dismal. Just a few months back, they were recalled. There were reports of votes being bought at INR 1000/- (around $14) and a bottle or two of liquor. There used to be a time when election monitoring, whether national or state, used to be a thing, and you had LTOs (Long-time Observers) and STOs (Short-Term Observers) to make sure that the election has been neutral. This has been on the decline in this regime, but that probably is for another time altogether. Although, I have to point out that the private healthcare model in the article which I had shared a few months ago is flawed, especially for rural areas. Instead of going for cheap telemedicine centers that run some version of a Linux distro and can provide a variety of services. I know Kerala and Tamil Nadu from South India have experimented in the past, but such engagements need to be scaled up. This I will probably come to know the next time I visit those places (sadly, due to the virus, not anytime soonish :( ).
Going back to the original topic, though, I had shared Hans Rosling's famous Ted talk on population growth which shows that even countries which we would not normally associate with family planning, e.g. the middle-east and Africa, have also been falling quite rapidly. Of course, when people have deeply held prejudices, then it is difficult. Even when sharing China as to how they had to let go of their old policy in 2016 as they had the thing for "leftover men". I also shared the powerful movie So Long my Son. I even shared how in Haryana women were and are trafficked and have been an issue for centuries but as neither suits the RW propaganda, they simply refuse to engage. They are more repulsed by people who publish this news rather than those who are actually practicing it, as that is "culture". There is also teenage pregnancy, female infanticide, sex-selective abortion, etc., etc. It is just all too horrible to contemplate.
Personal anecdote: I know a couple, or they used to be a couple, where the gentleman wanted to have a male child. It was only after they got an autistic child, they got their DNA tested and came to know that the gentleman had a genetic problem. He again forced and had another child, and that too turned out to be autistic. Finally, he left the wife and the children, divorced them and lived with another woman. Almost a decade of the wife's life was ruined. The wife before marriage was a gifted programmer employed at IBM. This was an arranged marriage. After this, if you are thinking of marrying, apart from doing astrology charts, also look up DNA compatibility charts. Far better than ruining yours or the woman's life. Both the children whom I loved are now in heaven, god bless them
If one wants to, one can read a bit more about the Uttar Pradesh Population bill here. The sad part is that the systems which need fixing, nobody wants to fix. The reason being simple. If you get good health service by public sector, who will go to the private sector. In Europe, AFAIK they have the best medical bang for the money. Even the U.S. looks at Europe and hopes it had the systems that Europe has but that again is probably for another day.
South Africa and India long-lost brothers.
As had shared before, after the 2016 South African Debconf convention, I had been following South Africa. I was happy when FeesMustFall worked and in 2017 the then ANC president Zuma declared it in late 2017. I am sure that people who have been regular visitors to this blog know how my position is on student loans. They also must be knowing that even in U.S. till the 1970s it had free education all the way to be a lawyer and getting a lawyer license. It is only when people like Thurgood Marshall, Martin Luther King Jr., and others from the civil rights movement came out as a major force that the capitalists started imposing fees. They wanted people who could be sold to corporate slavery, and they won. Just last week, Biden took some steps and canceled student loans and is working on steps towards broad debt forgiveness.
Interestingly, NASA has an affirmative diversity program for people from diverse backgrounds, where a couple of UC (Upper Caste) women got the job. While they got the job, the RW (Right-Wing) was overjoyed as they got jobs on 'merit'. Later, it was found that both the women were the third or fourth generation of immigrants in U.S.
NASA Federal Equal Opportunity Policy Directive NPD 3713 2H
Going back to the original question and topic, while there has been a concerning spate of violence, some calling it the worst sort of violence not witnessed since 1994. The problem, as ascertained in that article, is the same as here in India or elsewhere.
Those, again, who have been on my blog know that merit 90% of the time is a function of privilege and there is a vast amount of academic literature which supports that.
If, for a moment, you look at the data that is shared in the graph above which shows that 83% of Hindus and 13% of Muslims have more than 2 children, what does it show, it shows that 83+13 = 96% of the population is living in insecurity. The 5% are the ones who have actually consolidated more power during this regime rule in India. Similarly, from what I understood living in Cape Town for about a month, it is the Dutch Afrikaans as they like to call themselves and the immigrants who come from abroad who have enjoyed the fruits of tourism and money and power while the rest of the country is dying due to poverty. It is the same there, it is the same here. Corruption is also rampant in both countries, and the judiciary is virtually absent from both communities in India and SA. Interestingly, South Africa and India have been at loggerheads, but I suspect that is more due to the money and lobbying power by the Dutch. Usually, those who have money power, do get laws and even press on their side, and it is usually the ruling party in power. I cannot help but share about the Gupta brothers and their corruption as I came to know about it in 2016. And as have shared that I'm related to Guptas on my mother's side, not those specific ones but Gupta as a clan. The history of the Gupta dynasty does go back to the 3rd-4th century.
Equally interesting have been Sonali Ranade's series of articles which she wrote in National Herald, the latest on exports which is actually the key to taking India out of poverty rather than anything else. While in other countries Exporters are given all sort of subsidies, here it is being worked as how to give them less. This was in Economic times hardly a week back: Export incentive schemes being reduced
I can't imagine the incredible stupidity done by the Finance Minister. And then in an attempt to prove that, they will attempt to present a rosy picture with numbers that have nothing to do with reality.
Interestingly enough, India at one time was a major exporter of apples, especially from Kashmir. Now instead of exporting, we are importing them from Afghanistan as well as Belgium and now even from the UK. Those who might not want to use the Twitter link could use this article. Of course, what India got out of this trade deal is not known. One can see that the UK got the better deal from this. Instead of investing in our own capacity expansion, we are investing in increasing the capacity of others. This is at the time when due to fuel price hike (Central taxes 66%) demand is completely flat. And this is when our own CEA (Chief Economic Adviser) tells us that growth will be at the most 6-7% and that too in 2023-2024 while currently, the inflation rate is around 12%. Is it then any wonder that almost 70% are living on Govt. ration and people in the streets of Kolkata, Assam, and other places have to sell kidneys to make sure they have some money for their kids for tomorrow. Now I have nothing against the UK but trade negotiation is an art. Sadly, this has been going on for the last few years. The politicians in India fool the public by always telling of future trade deals. Sadly, as any businessman knows, once you have compromised, you always have to compromise. And the more you compromise, the more you weaken the hand for any future trade deals. IIT pupil tries to sell kidney to repay loan, but no takers for Dalit organ.
The above was from yesterday's Times of India. Just goes to show how much people are suffering. There have been reports in vernacular papers of quite a few people from across regions and communities are doing this so they can live without pain a bit.
Almost all the time, the politicians are saved as only few understand international trade, the diplomacy and the surrounding geopolitics around it. And this sadly, is as much to do with basic education as much as it is to any other factor.
Suli Deals
About a month back on the holy day of Ramzan or Ramadan as it is known in the west, which is beloved by Muslims, a couple of Muslim women were targeted and virtually auctioned. Soon, there was a flood and a GitHub repository was created where hundreds of Muslim women, especially those who have a voice and fearlessly talk about their understanding about issues and things, were being virtually auctioned. One week after the FIR was put up, to date none of the people mentioned in the FIR have been arrested. In fact, just yesterday, there was an open letter which was published by livelaw. I have saved a copy on WordPress just in case something does go wrong. Other than the disgust we feel, can't say much as no action being taken by GOI and police.
IT Rules 2021 and Big Media
After almost a year of sleeping when most activists were screaming hoarsely about how the new IT rules are dangerous for one and all, big media finally woke up a few weeks back and listed a writ petition in Madras High Court of the same. Although to be frank, the real writ petition was filed In February 2021, classical singer, performer T.M. Krishna in Madras High Court. Again, a copy of the writ petition, I have hosted on WordPress. On 23rd June 2021, a group of 13 media outlets and a journalist have challenged the IT Rules, 2021.
The Contention came from Digital News Publishers Association which is made up of the following news companies: ABP Network Private Limited, Amar Ujala Limited, DB Corp Limited, Express Network Pvt Ltd, HT Digital Streams Limited, IE Online Media Services Pvt Ltd, Jagran Prakashan Limited, Lokmat Media Private Limited, NDTV Convergence Limited, TV Today Network Limited, The Malayala Manorama Co (P) Ltd, Times Internet Limited, and Ushodaya Enterprises Private Limited. All the above are heavyweights in the markets where they operate. The reason being simple, when these media organizations came into being, the idea was to have self-regulation, which by and large has worked. Now, the present Govt. wants each news item to be okayed by them before publication. This is nothing but blatant misuse of power and an attempt at censorship. In fact, the Tamil Nadu BJP president himself made a promise of the same. And of course, what is true and what is a lie, only GOI knows and will decide for the rest of the country. If somebody remembers Joseph Goebbels at this stage, it is merely a coincidence. Anyways, 3 days ago Supreme Court on 14th July the Honorable Supreme Court asked the Madras High Court to transfer all the petitions to SC. This, the Madras High Court denied as cited/shared by Meera Emmanuel, a reporter who works with barandbench. The Court says nothing doing, let this happen and then the SC can entertain the motion of doing it that level. At the same time, they would have the benefit of Madras High Court opinion as well. It gave the center two weeks to file a reply. So, either of end-week of July or latest by August first week, we might be able to read the Center's reply on the same. The SC could do a forceful intervention, but it would lead to similar outrage as has been witnessed in the past when a judge commented that if the SC has to do it all, then why do we need the High Courts, district courts etc. let all the solutions come from SC itself.
This was, admittedly, frustration on the part of the judge, but due in part to the needless intervention of SC time and time again. But the concerns had been felt around all the different courts in the country.
Sedition Law
A couple of days ago, the Supreme Court under the guidance of Honorable CJI NV Ramanna, entertained the PIL filed by Maj Gen S G Vombatkere (Retd.) which asked simply that the sedition law which was used in the colonial times by the British to quell dissent by Mahatma Gandhi and Bal Gangadhar Tilak during the Indian freedom struggle. A good background filler article can be found on MSN which tells about some recent cases but more importantly how historically the sedition law was used to quell dissent during India's Independence. Another article on MSN actually elaborates on the PIL filed by Maj Gen S. G. Vombatkere. Another article on MSN tells how sedition law has been challenged and changed in 10 odd countries. I find it equally sad and equally hilarious that the Indian media whose job is to share news and opinion on this topic is being instead of being shared more by MSN. Although, I would be bereft of my duty if I did not share the editorial on the same topic by the Hindu and Deccan Chronicle. Also, an interesting question to ask is, are there only 10 countries in the world that have sedition laws? AFAIK, there are roughly 200 odd countries as recognized by WTO. If 190 odd countries do not have sedition laws, it also tells a lot about them and a lot about the remaining 10. Also, it came to light that police are still filing laws under sec66A which was declared null and void a few years ago. It was replaced with section 124A if memory serves right and it has more checks and balances.
Danish Siddiqui, Pulitzer award-winning and death in Afghanistan
Before I start with Danish Siddiqui, let me share an anecdote that I think I have shared on the blog years ago about how photojournalists are. Again, those who know me and those who follow me know how much I am mad both about trains and planes (civil aviation). A few months back, I had shared a blog post about some of the biggest railway systems in the world which shows that privatization of Railways doesn't necessarily lead to up-gradation of services but definitely leads to an increase in tariff/fares. Just had a conversation couple of days ago on Twitter and realized that need to also put a blog post about civil aviation in India and the problems it faces, but I digress.
This was about a gentleman who wanted to take a photo of a particular train coming out of a valley at a certain tunnel at two different heights, one from below and one from above the train. This was several years ago, and while I did share that award-winning photograph then, it probably would take me quite a bit of time and effort to again look it up on my blog and share.
The logistics though were far more interesting and intricate than I had first even thought of. We came around a couple of days before the train was supposed to pass that tunnel and the valley. More than half a dozen or maybe more shots were taken throughout the day by the cameras. The idea was to see how much light was being captured by the cameras and how much exposure was to be given so that the picture isn't whitened out or is too black.
Weather is the strangest of foes for a photojournalist or even photographers, and the more you are in nature, the more unpredictable it is and can be. We were also at a certain height, so care had to be taken in case light rainfall happens or dew falls, both not good for digital cameras.
And dew is something which will happen regardless of what you want. So while the two days our gentleman cameraman fiddled with the settings to figure out correct exposure settings, we had one other gentleman who was supposed to take the train from an earlier station and apprise us if the train was late or not.
The most ideal time would be at 0600 hrs. When the train would enter the tunnel and come out and the mixture of early morning sun rays, dew, the flowers in the valley, and the train would give a beautiful effect. We could stretch it to maybe 0700 hrs.
Anything after that would just be useless, as it wouldn't have the same effect. And all of this depended on nature. If the skies were to remain too dark, nothing we could do about it, if the dewdrops didn't fall it would all be over.
On the day of the shoot, we were told by our compatriot that the train was late by half an hour. We sank a little on hearing that news. Although Photoshop and others can do touch-ups, most professionals like to take as authentic a snap as possible. Everything had been set up to perfection. The wide-angle lenses on both the cameras with protections were set up. The tension you could cut with a knife. While we had a light breakfast, I took a bit more and went in the woods to shit and basically not be there. This was too tensed up for me. Returned an hour to find everybody in a good mood. Apparently, the shoot went well. One of the two captured it for good enough. Now, this is and was in a benign environment where the only foe was the environment. A bad shot would have meant another week in the valley, something which I was not looking forward to. Those who have lived with photographers and photojournalists know how self-involved they can be in their craft, while how grumpy they can be if they had a bad shoot. For those, who don't know, it is challenging to be friends with such people for a long time. I wish they would scream more at nature and let out the frustrations they have after a bad shoot. But again, this is in a very safe environment.
Now let's cut to Danish Siddiqui and the kind of photojournalism he followed. He followed a much riskier sort of photojournalism than the one described above. Krittivas Mukherjee in his Twitter thread shared how reporters in most advanced countries are trained in multiple areas, from risk assessment to how to behave in case you are kidnapped, are in riots, hostage situations, etc. They are also trained in all sorts of medical training from treating gunshot wounds, CPR, and other survival methods. They are supposed to carry medical equipment along with their photography equipment. Sadly, these concepts are unknown in India. And even then they get killed. Sadly, he attributes his death to the thrill of taking an exclusive photograph. And the gentleman's bio reads that he is a diplomat. Talk about tone-deafness.
On another completely different level was Karen Hao who was full of empathy as she shared the humility, grace, warmth and kinship she describes in her interaction with the photojournalist. His body of work can be seen via his TED talk in 2020 where he shared a brief collage of his works. Latest, though in a turnaround, the Taliban have claimed no involvement in the death of photojournalist Danish Siddiqui. This could be in part to show the Taliban in a more favorable light as they do and would want to be showcased as progressive, even though they are forcing that all women within a certain age become concubines or marry the fighters and killing the minority Hazaras or doing vile deeds with them. Meanwhile, statements made by Hillary Clinton almost a decade, 12 years ago have come back into circulation which stated how the U.S. itself created the Taliban to thwart the Soviet Union and once that job was finished, forgot all about it. And then in 2001, it landed back in Afghanistan while the real terrorists were Saudi. To date, not all documents of 9/11 are in the public domain. One can find more information of the same here. This is gonna take probably another few years before Saudi Arabia's whole role in the September 11 attacks will be known.
Last but not the least, came to know about the Pegasus spyware and how many prominent people in some nations were targeted, including in mine, India. Will not talk more as it's already a big blog post and Pegasus revelations need an article on its own.
"Again, we see there is nothing you can possess which I cannot take away."
The cinema was a rare and expensive treat in my youth, so I first came across Raiders of the Lost Ark by recording it from television onto a poor quality VHS. I only mention this as it meant I watched a slightly different film to the one intended, as my copy somehow missed off the first 10 minutes. For those not as intimately familiar with the film as me, this is just in time to see a Belloq demand Dr. Jones hand over the Peruvian head (see above), just in time to learn that Indy loathes snakes, and just in time to see the inadvertent reproduction of two Europeans squabbling over the spoils of a foreign land.
What this truncation did to my interpretation of the film (released thirty years ago today on June 19th 1981) is interesting to explore. Without Jones' physical and moral traits being demonstrated on-screen (as well as missing the weighing of the gold head and the rollercoaster boulder scene), it actually made the idea of 'Indiana Jones' even more of a mythical archetype. The film wisely withholds Jones' backstory, but my director's cut deprived him of even more, and counterintuitively imbued him with even more of a legendary hue as the elision made his qualities an assumption beyond question. Indiana Jones, if you can excuse the cliché, needed no introduction at all.
Good artists copy, great artists steal. And oh boy, does Raiders steal. I've watched this film about twenty times over the past two decades and it's now firmly entered into my personal canon. But watching it on its thirtieth anniversary was different, not least because I could situate it in a broader cinematic context. For example, I now see the Gestapo officer in Major Strasser from Casablanca (1942), in fact just as I can with many of Raiders' other orientalist tendencies: not only in its breezy depictions of backwards sand people, but also of North Africa as an entrepôt and playground for a certain kind of Western gangster. The opening as well, set in an equally reductionist pseudo-Peru, now feels like Werner Herzog's Aguirre, the Wrath of God (1972) but without, of course, any self-conscious colonial critique.
The imagery of the ark appears to be borrowed from James Tissot's The Ark Passes Over the Jordan, part of the fin de siecle fascination with the occult and (ironically enough given the background of Raiders' director), a French Catholic revival.
I can now also appreciate some of the finer edges that make this film just so much damn fun to watch. For instance, the comic book conceit that Jones and Belloq are a 'shadowy reflection' of one another and that they need 'only a nudge' to make one like the other. As is the idea that Belloq seems to be actually enjoying being evil. I also spotted Jones rejecting the martini on the plane. This feels less like a comment on the corrupting effect of alcohol (he drinks rather heavily elsewhere in the film), but rather a subtle distancing from James Bond. This feels especially important given that the action-packed cold open is, let us be honest for a second, ripped straight from the 007 franchise.
John Williams' soundtracks are always worth mentioning. The corny Raiders March does almost nothing for me, but the highly-underrated 'Ark theme' certainly does. I delight in its allusions to Gregorian chant, the diabolus in musica and the Hungarian minor scale, fusing the Christian doctrine of the Holy Trinity (the stacked thirds, get it?), the ars antiqua of the Middle Ages with an 'exotic' twist that the Russian Five associated with central European Judaism.
The best use of the ark leitmotif is, of course, when it is opened. Here, Indy and Marion are saved by not opening their eyes whilst the 'High Priest' Belloq and the rest of the Nazis are all melted away. I'm no Biblical scholar, but I'm almost certain they were alluding to Leviticus 16:2 here:
The Lord said to Moses: Tell your brother Aaron that he is not to come whenever he chooses into the Most Holy Place behind the curtain in front of the atonement cover on the ark, or else he will die, for I will appear in the cloud above the mercy seat.
But would it be too much of a stretch to also see the myth of Orpheus and Eurydices too? Orpheus's wife would only be saved from the underworld if he did not turn around until he came to his own house. But he turned round to look at his wife, and she instantly slipped back into the depths:
For he who overcome should turn back his gaze
Towards the Tartarean cave,
Whatever excellence he takes with him
He loses when he looks on those below.
Perhaps not, given that Marion and the ark are not lost in quite the same way. But whilst touching on gender, it was interesting to update my view of archaeologist René Belloq. To countermand his slight queer coding (a trope of Disney villains such as Scar, Jafar, Cruella, etc.), there is a rather clumsy subplot involving Belloq repeatedly (and half-heartedly) failing to seduce Marion. This disavows any idea that Belloq isn't firmly heterosexual, essential for the film's mainstream audience, but it is especially important in Raiders because, if we recall the relationship between Belloq and Jones: 'it would take only a nudge to make you like me'. (This would definitely put a new slant on 'Top men'.)
However, my favourite moment is where the Nazis place the ark in a crate in order to transport it to the deserted island. En route, the swastikas on the side of the crate spontaneously burn away, and a disturbing noise is heard in the background. This short scene has always fascinated me, partly because it's the first time in the film that the power of the ark is demonstrated first-hand but also because it gives the object an other-worldly nature that, to the best of my knowledge, has no parallel in the rest of cinema.
Still, I had always assumed that the ark disfigured the swastikas because of their association with the Nazis, interpreting the act as God's condemnation of the Third Reich. But now I catch myself wondering whether the ark would have disfigured any iconography as a matter of principle or whether their treatment was specific to the swastika. We later get a partial answer to this question, as the 'US Army' inscriptions in the Citizen Kane warehouse remain untouched.
Far from being an insignificant concern, the filmmakers appear to have wandered into a highly-contested theological debate. As in, if the burning of the swastika is God's moral judgement of the Nazi regime, then God is clearly both willing and able to intervene in human affairs. So why did he not, to put it mildly, prevent Auschwitz? From this perspective, Spielberg appears to be limbering up for some of the academic critiques surrounding Holocaust representations that will follow Schindler's List (1993).
Given my nostalgic and somewhat ironic attachment to Raiders, it will always be difficult for me to objectively appraise the film. Even so, it feels like it is underpinned by an earnest attempt to entertain the viewer, largely absent in the affected cynicism of contemporary cinema. And when considered in the totality of Hollywood's output, its tonal and technical flaws are not actually that bad, or at least Marion's muddled characterisation and its breezy chauvinism (for example) clearly have far worse examples.
Perhaps the most remarkable thing about the film in 2021 is that it hasn't changed that much at all. It spawned one good sequel (The Last Crusade), one bad one (The Temple of Doom), and one hardly worth mentioning at all, yet these adventures haven't affected the original Raiders in any meaningful way. In fact, if anything has affected the original text it is, once again, George Lucas himself, as knowing the impending backlash around the Star Wars prequels adds an inadvertent paratext to all his earlier works.
Yet in a 1978 discussion prior to the creation of Raiders, you can get a keen sense of how Lucas' childlike enthusiasm will always result in something either extremely good or something extremely bad; somehow no middle ground is quite possible. Yes, it's easy to rubbish his initial ideas ('We'll call him Indiana Smith!') but hasn't Lucas actually captured the essence of a heroic 'Americana' here, and that the final result is simply a difference of degree, not kind?
"Again, we see there is nothing you can possess which I cannot take away."
The cinema was a rare and expensive treat in my youth, so I first came across Raiders of the Lost Ark by recording it from television onto a poor quality VHS. I only mention this as it meant I watched a slightly different film to the one intended, as my copy somehow missed off the first 10 minutes. For those not as intimately familiar with the film as me, this is just in time to see a Belloq demand Dr. Jones hand over the Peruvian head (see above), just in time to learn that Indy loathes snakes, and just in time to see the inadvertent reproduction of two Europeans squabbling over the spoils of a foreign land.
What this truncation did to my interpretation of the film (released thirty years ago today on June 19th 1981) is interesting to explore. Without Jones' physical and moral traits being demonstrated on-screen (as well as missing the weighing the gold head and the rollercoaster boulder scene), it actually made the idea of 'Indiana Jones' even more of a mythical archetype. The film wisely withholds Jones' backstory, but my directors cut deprived him of even more, and counterintuitively imbued him with even more of a legendary hue as the elision made his qualities an assumption beyond question. Indiana Jones, if you can excuse the clich , needed no introduction at all.
Good artists copy, great artists steal. And oh boy, does Raiders steal. I've watched this film about twenty times over the past two decades and it's now firmly entered into my personal canon. But watching it on its thirtieth anniversary was different not least because I could situate it in a broader cinematic context. For example, I now see the Gestapo officer in Major Strasser from Casablanca (1942), in fact just as I can with many of Raiders' other orientalist tendencies: not only in its breezy depictions of backwards sand people, but also of North Africa as an entrep t and playground for a certain kind of Western gangster. The opening as well, set in an equally reductionist pseudo-Peru, now feels like Werner Herzog's Aguirre, the Wrath of God (1972) but without, of course, any self-conscious colonial critique.
The imagery of the ark appears to be borrowed from James Tissot's The Ark Passes Over the Jordan, part of the fin de siecle fascination with the occult and (ironically enough given the background of Raiders' director), a French Catholic revival.
I can now also appreciate some of the finer edges that make this film just so much damn fun to watch. For instance, the comic book conceit that Jones and Belloq are a 'shadowy reflection' of one other and that they need 'only a nudge' to make one like the other. As is the idea that Belloq seems to be actually enjoying being evil. I also spotted Jones rejecting the martini on the plane. This feels less like a comment on corrupting effect of alcohol (he drinks rather heavily elsewhere in the film), but rather a subtle distancing from James Bond. This feels especially important given that the action-packed cold open is, let us be honest for a second, ripped straight from the 007 franchise.
John William's soundtracks are always worth mentioning. The corny Raiders March does almost nothing for me, but the highly-underrated 'Ark theme' certainly does. I delight in its allusions to Gregorian chant, the diabolus in musica and the Hungarian minor scale, fusing the Christian doctrine of the Holy Trinity (the stacked thirds, get it?), the ars antiqua of the Middle Ages with an 'exotic' twist that the Russian Five associated with central European Judaism.
The best use of the ark leitmotif is, of course, when it is opened. Here, Indy and Marion are saved by not opening their eyes whilst the 'High Priest' Belloq and the rest of the Nazis are all melted away. I'm no Biblical scholar, but I'm almost certain they were alluding to Leviticus 16:2 here:
The Lord said to Moses: Tell your brother Aaron that he is not to come whenever he chooses into the Most Holy Place behind the curtain in front of the atonement cover on the ark, or else he will die, for I will appear in the cloud above the mercy seat.
But would it be too much of a stretch to also see the myth of Orpheus and Eurydices too? Orpheus's wife would only be saved from the underworld if he did not turn around until he came to his own house. But he turned round to look at his wife, and she instantly slipped back into the depths:
For he who overcome should turn back his gaze
Towards the Tartarean cave,
Whatever excellence he takes with him
He loses when he looks on those below.
Perhaps not, given that Marion and the ark are not lost in quite the same way. But whilst touching on gender, it was interesting to update my view of archaeologist René Belloq. To countermand his slight queer coding (a trope of Disney villains such as Scar, Jafar, Cruella, etc.), there is a rather clumsy subplot involving Belloq repeatedly (and half-heartedly) failing to seduce Marion. This disavows any idea that Belloq isn't firmly heterosexual, essential for the film's mainstream audience, but it is especially important in Raiders because, if we recall the relationship between Belloq and Jones: 'it would take only a nudge to make you like me'. (This would definitely put a new slant on 'Top men'.)
However, my favourite moment is where the Nazis place the ark in a crate in order to transport it to the deserted island. En route, the swastikas on the side of the crate spontaneously burn away, and a disturbing noise is heard in the background. This short scene has always fascinated me, partly because it's the first time in the film that the power of the ark is demonstrated first-hand but also because it gives the object an other-worldly nature that, to the best of my knowledge, has no parallel in the rest of cinema.
Still, I had always assumed that the ark disfigured the swastikas because of their association with the Nazis, interpreting the act as God's condemnation of the Third Reich. But now I catch myself wondering whether the ark would have disfigured any iconography as a matter of principle or whether their treatment was specific to the swastika. We later get a partial answer to this question, as the 'US Army' inscriptions in the Citizen Kane warehouse remain untouched.
Far from being an insignificant concern, the filmmakers appear to have wandered into a highly-contested theological debate. As in, if the burning of the swastika is God's moral judgement of the Nazi regime, then God is clearly both willing and able to intervene in human affairs. So why did he not, to put it mildly, prevent Auschwitz? From this perspective, Spielberg appears to be limbering up for some of the academic critiques surrounding Holocaust representations that will follow Schindler's List (1993).
Given my nostalgic and somewhat ironic attachment to Raiders, it will always be difficult for me to objectively appraise the film. Even so, it feels like it is underpinned by an earnest attempt to entertain the viewer, largely absent in the affected cynicism of contemporary cinema. And when considered in the totality of Hollywood's output, its tonal and technical flaws are not actually that bad, or at least Marion's muddled characterisation and its breezy chauvinism (for example) clearly have far worse examples.
Perhaps the most remarkable thing about the film in 2021 is that it hasn't changed that much at all. It spawned one good sequel (The Last Crusade), one bad one (The Temple of Doom), and one hardly worth mentioning at all, yet these adventures haven't affected the original Raiders in any meaningful way. In fact, if anything has affected the original text it is, once again, George Lucas himself, as knowing the impending backlash around the Star Wars prequels adds an inadvertent paratext to all his earlier works.
Yet in a 1978 discussion prior to the creation of Raiders, you can get a keen sense of how Lucas' childlike enthusiasm will always result in something either extremely good or something extremely bad; somehow no middle ground is quite possible. Yes, it's easy to rubbish his initial ideas ('We'll call him Indiana Smith!') but hasn't Lucas actually captured the essence of a heroic 'Americana' here, and that the final result is simply a difference of degree, not kind?
Having to participate in many online events since the COVID crisis started, I've come to notice that few of the online clients work properly on the current Firefox ESR found in Debian. A quick visit at WebRTC Test confirmed that none of the tests in the Network and Connectivity section pass. Meanwhile, a Windows 10 laptop running Edge via the same network works just fine, so I have to assume that either a Firefox or Debian packaging issue is to blame, but I wouldn't know where to start. Any help? Thanks!
Review: A Desolation Called Peace, by Arkady Martine
Series: Teixcalaan #2
Publisher: Tor
Copyright: 2021
ISBN: 1-250-18648-X
Format: Kindle
Pages: 496
A Desolation Called Peace is a direct sequel to
A Memory Called Empire and picks up
shortly after that book's ending. It would completely spoil the first
book and builds heavily on previous events. This is not a series to read
out of order.
It's nearly impossible to discuss anything about the plot of this book
without at least minor spoilers for the previous book, so beware. If
you've not read A Memory Called Empire, I highly recommend it, and
you may want to skip this review until you have.
Mahit Dzmare has returned to Lsel Station and escaped, mostly, the pull of
the Teixcalaan Empire in all its seductive arrogance. That doesn't mean
Lsel Station is happy to see her. The maneuverings of the station council
were only a distant part of the complex political situation she was
navigating at the Teixcalaanli capital. Now home, it is far harder to
ignore powerful councilors who would be appalled by the decisions she
made. The ambassador to a hated foreign empire does not have many allies.
Yaotlek Nine Hibiscus, the empire's newest commander of
commanders, is the spear the empire has thrust towards a newly-discovered
alien threat. The aliens have already slaughtered all the inhabitants of
a mining outpost for no obvious reason, and their captured communications
are so strange as to provoke nausea in humans. Their cloaking technology
makes the outcome of pitched warfare dangerously uncertain. Nine Hibiscus
needs someone who can talk to aliens without mouths, and that means the
Information Ministry.
The Information Ministry means a newly promoted Three Seagrass, who is
suffering from insomnia, desperately bored, and missing Mahit
Dzmare. And who sees in Nine Hibiscus's summons an opportunity to address
several of those problems at once.
A Memory Called Empire had an SFnal premise and triggering plot
machinery, but it was primarily a city political thriller. A
Desolation Called Peace moves onto the more familiar SF ground of first
contact with a very alien species, but Martine makes the unusual choice of
revealing one of the secrets of the aliens to the reader at the start of
the book. This keeps the reader's focus more on the political maneuvering
than on the mystery, but with a classic first-contact communication
problem as the motivating backdrop.
That's only one of the threads of this book, though. Another is the
unfinished business between Three Seagrass and Mahit Dzmare, and between
Mahit Dzmare and the all-consuming culture of Teixcalaan. A third is the
political education of a very exceptional boy, whose mere existence is a
spoiler for A Memory Called Empire and therefore not something I
will discuss in detail. And then there are the internal politics of Lsel
Station, although I thought that was the least effective part of the book
and never reached a satisfying conclusion.
This is a lot to balance, and I think that's one of the reasons why
A Desolation Called Peace doesn't replicate the magic that made me
love A Memory Called Empire so much. Full-steam-ahead pacing with
characters who are thinking on their feet and taking desperate risks has a
glorious momentum. Here, there's too much going on (not to mention four
major viewpoint characters) to maintain the same pace. Once Mahit and
Three Seagrass get into the same room, there are moments that are as good
as the highlights of A Memory Called Empire, but it's not as
sustained as I was hoping for.
This book also spends more time on Mahit and Three Seagrass's
relationship, and despite liking both of the characters, this didn't
entirely work for me. Martine uses them to make a subtle and powerful
point about relationships across power gradients and the hurt that comes
from someone trivializing a conflict that is central to your identity. It
took me a while to understand the strength of Mahit's reaction, but it
eventually felt right. But that fight wasn't what I was looking for in
the book, and there was a bit too much of both of them failing (or
refusing) to communicate for my taste. I appreciated what Martine was
exploring, but personally I wanted a different sort of catharsis.
That said, this is still a highly enjoyable book. Nine Hibiscus is a
solid military SF character who is a good counterweight to the more
devious approaches of the other characters. I enjoyed the subplot of the
kid in the Teixcalaanli capital more than I expected, although it felt
more like setup for future novels than critical to the plot of this one.
And then there's Three Seagrass.
Three Seagrass always made decisions wholly and entire. All at once.
Choosing information as her aptitudes. Choosing the position of
cultural liaison to the Lsel Ambassador. Choosing to trust her.
Choosing to come here, to take this assignment entirely, completely,
and without pausing to look to see how deep the water was that she was
leaping into.
Every word of this is true, and it's so much fun to read. Three Seagrass
was a bit overshadowed in A Memory Called Empire, a supporting
character in someone else's story. Here, she has moments where she can
take the lead, and she's so delightfully different than Mahit. I loved
every moment of her viewpoint.
A Desolation Called Peace isn't as taut or as coherent as A
Memory Called Empire. The plot sags in a few places, and I think there
was a bit too much hopeless Lsel politics, nebulous alien horror, and
injured silence between characters. But the high points are nearly as
good as the high points of A Memory Called Empire and I adore these
characters. If you liked the first book, I think you'll like this one
too.
More, please!
Rating: 8 out of 10
I worked on research on FOSS foundations and published two reports:
Growing Open Source Projects with a Stable Foundation
This primer covers non-technical aspects that the majority of projects will have to consider at some point. It also explains how FOSS foundations can help projects grow and succeed.
This primer explains:
What issues and areas to consider
How other projects and foundations have approached these topics
What FOSS foundations bring to the table
How to choose a FOSS foundation
You can download Growing Open Source Projects with a Stable Foundation.
Research report
The research report describes the findings of the research and aims to help understand the operations and challenges FOSS foundations face.
This report covers topics such as:
Role and activities of foundations
Challenges faced and gaps in the service offerings
Operational aspects, including reasons for starting an org and choice of jurisdiction
Trends, such as the "foundation in a foundation" model
Recommendations for different stakeholders
You can download the research report.
Acknowledgments
This research was sponsored by Ford Foundation and Alfred P. Sloan Foundation. The research was part of their Critical Digital Infrastructure Research initiative, which investigates the role of open source in digital infrastructure.