Welcome to the January 2024 report from the Reproducible Builds project. In these reports we outline the most important things that we have been up to over the past month. If you are interested in contributing to the project, please visit our Contribute page on our website.

---

How we executed a critical supply chain attack on PyTorch John Stawinski and Adnan Khan published a lengthy blog post detailing how they executed a supply-chain attack against PyTorch, a popular machine learning platform used by titans like Google, Meta, Boeing, and Lockheed Martin :

Our exploit path resulted in the ability to upload malicious PyTorch releases to GitHub, upload releases to [Amazon Web Services], potentially add code to the main repository branch, backdoor PyTorch dependencies the list goes on. In short, it was bad. Quite bad.

The attack pivoted on PyTorch s use of self-hosted runners as well as submitting a pull request to address a trivial typo in the project s README file to gain access to repository secrets and API keys that could subsequently be used for malicious purposes.

New Arch Linux forensic filesystem tool On our mailing list this month, long-time Reproducible Builds developer kpcyrd announced a new tool designed to forensically analyse Arch Linux filesystem images. Called archlinux-userland-fs-cmp, the tool is supposed to be used from a rescue image (any Linux) with an Arch install mounted to, [for example], /mnt. Crucially, however, at no point is any file from the mounted filesystem eval d or otherwise executed. Parsers are written in a memory safe language. More information about the tool can be found on their announcement message, as well as on the tool s homepage. A GIF of the tool in action is also available.

Issues with our SOURCE_DATE_EPOCH code? Chris Lamb started a thread on our mailing list summarising some potential problems with the source code snippet the Reproducible Builds project has been using to parse the SOURCE_DATE_EPOCH environment variable:

I m not 100% sure who originally wrote this code, but it was probably sometime in the ~2015 era, and it must be in a huge number of codebases by now. Anyway, Alejandro Colomar was working on the shadow security tool and pinged me regarding some potential issues with the code. You can see this conversation here.

Chris ends his message with a request that those with intimate or low-level knowledge of time_t, C types, overflows and the various parsing libraries in the C standard library (etc.) contribute with further info.

Distribution updates In Debian this month, Roland Clobus posted another detailed update of the status of reproducible ISO images on our mailing list. In particular, Roland helpfully summarised that all major desktops build reproducibly with bullseye, bookworm, trixie and sid provided they are built for a second time within the same DAK run (i.e. [within] 6 hours) . Additionally 7 of the 8 bookworm images from the official download link build reproducibly at any later time. In addition to this, three reviews of Debian packages were added, 17 were updated and 15 were removed this month adding to our knowledge about identified issues. Elsewhere, Bernhard posted another monthly update for his work elsewhere in openSUSE.

Community updates There were made a number of improvements to our website, including Bernhard M. Wiedemann fixing a number of typos of the term nondeterministic . [ ] and Jan Zerebecki adding a substantial and highly welcome section to our page about SOURCE_DATE_EPOCH to document its interaction with distribution rebuilds. [ ].
diffoscope is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues. This month, Chris Lamb made a number of changes such as uploading versions 254 and 255 to Debian but focusing on triaging and/or merging code from other contributors. This included adding support for comparing eXtensible ARchive (.XAR/.PKG) files courtesy of Seth Michael Larson [ ][ ], as well considerable work from Vekhir in order to fix compatibility between various and subtle incompatible versions of the progressbar libraries in Python [ ][ ][ ][ ]. Thanks!

Reproducibility testing framework The Reproducible Builds project operates a comprehensive testing framework (available at tests.reproducible-builds.org) in order to check packages and other artifacts for reproducibility. In January, a number of changes were made by Holger Levsen:

• Debian-related changes:
  • Reduce the number of arm64 architecture workers from 24 to 16. [ ]
  • Use diffoscope from the Debian release being tested again. [ ]
  • Improve the handling when killing unwanted processes [ ][ ][ ] and be more verbose about it, too [ ].
  • Don t mark a job as failed if process marked as to-be-killed is already gone. [ ]
  • Display the architecture of builds that have been running for more than 48 hours. [ ]
  • Reboot arm64 nodes when they hit an OOM (out of memory) state. [ ]
• Package rescheduling changes:
  • Reduce IRC notifications to 1 when rescheduling due to package status changes. [ ]
  • Correctly set SUDO_USER when rescheduling packages. [ ]
  • Automatically reschedule packages regressing to FTBFS (build failure) or FTBR (build success, but unreproducible). [ ]
• OpenWrt-related changes:
  • Install the python3-dev and python3-pyelftools packages as they are now needed for the sunxi target. [ ][ ]
  • Also install the libpam0g-dev which is needed by some OpenWrt hardware targets. [ ]
• Misc:
  • As it s January, set the real_year variable to 2024 [ ] and bump various copyright years as well [ ].
  • Fix a large (!) number of spelling mistakes in various scripts. [ ][ ][ ]
  • Prevent Squid and Systemd processes from being killed by the kernel s OOM killer. [ ]
  • Install the iptables tool everywhere, else our custom rc.local script fails. [ ]
  • Cleanup the /srv/workspace/pbuilder directory on boot. [ ]
  • Automatically restart Squid if it fails. [ ]
  • Limit the execution of chroot-installation jobs to a maximum of 4 concurrent runs. [ ][ ]

Significant amounts of node maintenance was performed by Holger Levsen (eg. [ ][ ][ ][ ][ ][ ][ ] etc.) and Vagrant Cascadian (eg. [ ][ ][ ][ ][ ][ ][ ][ ]). Indeed, Vagrant Cascadian handled an extended power outage for the network running the Debian armhf architecture test infrastructure. This provided the incentive to replace the UPS batteries and consolidate infrastructure to reduce future UPS load. [ ] Elsewhere in our infrastructure, however, Holger Levsen also adjusted the email configuration for @reproducible-builds.org to deal with a new SMTP email attack. [ ]

Upstream patches The Reproducible Builds project tries to detects, dissects and fix as many (currently) unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:

• Bernhard M. Wiedemann:
  • cython (nondeterminstic path issue)
  • deluge (issue with modification time of .egg file)
  • gap-ferret, gap-semigroups & gap-simpcomp (nondeterministic config.log file)
  • grpc (filesystem ordering issue )
  • hub (random)
  • kubernetes1.22 & kubernetes1.23 (sort-related issue)
  • kubernetes1.24 & kubernetes1.25 (go -trimpath vs random issue)
  • libjcat (drop test files with random bytes)
  • luajit (Use new d option for deterministic bytecode output)
  • meson [ ][ ] (sort the results from Python filesystem call)
  • python-rjsmin (drop GCC instrumentation artifacts)
  • qt6-virtualkeyboard+others (bug parallelism/race)
  • SoapySDR (parallelism-related issue)
  • systemd (sorting problem)
  • warewulf (CPIO modification time issue, etc.)
• Chris Lamb:
  • #1060254 filed against mumble.
• James Addison:
  • guake ( Schroedinger file due to race condition)
  • qhelpgenerator-qt5 (timezone localization; fix also merged upstream for QT6)
  • sphinx (search index doctitle sorting)

Separate to this, Vagrant Cascadian followed up with the relevant maintainers when reproducibility fixes were not included in newly-uploaded versions of the mm-common package in Debian this was quickly fixed, however. [ ]

---

If you are interested in contributing to the Reproducible Builds project, please visit our Contribute page on our website. However, you can get in touch with us via:

• IRC: #reproducible-builds on irc.oftc.net.
• Mailing list: rb-general@lists.reproducible-builds.org
• Mastodon: @reproducible_builds
• Twitter: @ReproBuilds

This post should have marked the beginning of my yearly roundups of the favourite books and movies I read and watched in 2023. However, due to coming down with a nasty bout of flu recently and other sundry commitments, I wasn't able to undertake writing the necessary four or five blog posts In lieu of this, however, I will simply present my (unordered and unadorned) highlights for now. Do get in touch if this (or any of my previous posts) have spurred you into picking something up yourself

Books

Peter Watts: Blindsight (2006) Reymer Banham: Los Angeles: The Architecture of Four Ecologies (2006) Joanne McNeil: Lurking: How a Person Became a User (2020) J. L. Carr: A Month in the Country (1980) Hilary Mantel: A Memoir of My Former Self: A Life in Writing (2023) Adam Higginbotham: Midnight in Chernobyl (2019) Tony Judt: Postwar: A History of Europe Since 1945 (2005) Tony Judt: Reappraisals: Reflections on the Forgotten Twentieth Century (2008) Peter Apps: Show Me the Bodies: How We Let Grenfell Happen (2021) Joan Didion: Slouching Towards Bethlehem (1968)Erik Larson: The Devil in the White City (2003)

Films Recent releases

• The Blue Caftan (Maryam Touzani, 2022)
• The Eight Mountains (Felix van Groeningen & Charlotte Vandermeersch, 2022)
• Evil Does Not Exist (Ryusuke Hamaguchi, 2023)
• Killers of the Flower Moon (Martin Scorcese, 2023)
• Monster (Hirokazu Kore-eda, 2023)
• Passages (Ira Sachs, 2023)
• Poor Things (Yorgos Lanthimos, 2023)
• The Tuba Thieves (Alison O Daniel, 2023)
• Theater Camp (Molly Gordon and Nick Lieberman, 2023)
• T R (Todd Field, 2022)

Unenjoyable experiences included Alejandro G mez Monteverde's Sound of Freedom (2023), Alex Garland's Men (2022) and Steven Spielberg's The Fabelmans (2022).
Older releases (Films released before 2022, and not including rewatches from previous years.)

• Brief Encounter (David Lean, 1945)
• Clouds of Sils Maria (Olivier Assayas, 2014)
• Daisy Miller (Peter Bogdanovich, 1974)
• First Reformed (Paul Schrader, 2017)
• Forbidden Games (Ren Cl ment, 1952)
• La Noire de... (Ousmane Semb ne, 1966)
• The Queen of Spades (Thorold Dickinson, 1949)
• The River (Jean Renoir, 1951)
• Topsy-Turvy (Mike Leigh, 1999)
• Le Trou (Jacques Becker, 1960)

Distinctly unenjoyable watches included Ocean's Eleven (1960), El Topo (1970), L olo (1992), Hotel Mumbai (2018), Bulworth (1998) and and The Big Red One (1980).

Welcome to the October 2020 report from the Reproducible Builds project. In our monthly reports, we outline the major things that we have been up to over the past month. As a brief reminder, the motivation behind the Reproducible Builds effort is to ensure flaws have not been introduced in the binaries we install on our systems. If you are interested in contributing to the project, please visit our main website.

General On Saturday 10th October, Morten Linderud gave a talk at Arch Conf Online 2020 on The State of Reproducible Builds in Arch. The video should be available later this month, but as a teaser:

The previous year has seen great progress in Arch Linux to get reproducible builds in the hands of the users and developers. In this talk we will explore the current tooling that allows users to reproduce packages, the rebuilder software that has been written to check packages and the current issues in this space.

During the Reproducible Builds summit in Marrakesh in 2019, developers from the GNU Guix, NixOS and Debian distributions were able to produce a bit-for-bit identical GNU Mes binary despite using three different versions of GCC. Since this summit, additional work resulted in a bit-for-bit identical Mes binary using tcc, and last month a fuller update was posted to this effect by the individuals involved. This month, however, David Wheeler updated his extensive page on Fully Countering Trusting Trust through Diverse Double-Compiling, remarking that:

GNU Mes rebuild is definitely an application of [Diverse Double-Compiling]. [..] This is an awesome application of DDC, and I believe it s the first publicly acknowledged use of DDC on a binary

There was a small, followup discussion on our mailing list. In openSUSE, Bernhard M. Wiedemann published his monthly Reproducible Builds status update. This month, the Reproducible Builds project restarted our IRC meetings, managing to convene twice: the first time on October 12th (summary & logs), and later on the 26th (logs). As mentioned in previous reports, due to the unprecedented events throughout 2020, there will be no in-person summit event this year. On our mailing list this month El as Alejandro posted a request for help with a local configuration

Debian-related work In August, Lucas Nussbaum performed an archive-wide rebuild of packages to test enabling the reproducible=+fixfilepath Debian build flag by default. Enabling this fixfilepath feature will likely fix reproducibility issues in an estimated 500-700 packages. However, this month Vagrant Cascadian posted to the debian-devel mailing list:

It would be great to see the reproducible=+fixfilepath feature enabled by default in dpkg-buildflags, and we would like to proceed forward with this soon unless we hear any major concerns or other outstanding issues. [ ] We would like to move forward with this change soon, so please raise any concerns or issues not covered already.

Debian Developer Stuart Prescott has been improving python-debian, a Python library that is used to parse Debian-specific files such as changelogs, .dscs, etc. In particular, Stuart is working on adding support for .buildinfo files used for recording reproducibility-related build metadata:

This can mostly be a very thin layer around the existing Deb822 types, using the existing Changes code for the file listings, the existing PkgRelations code for the package listing and gpg_* functions for signature handling.

A total of 159 Debian packages were categorised, 69 had their categorisation updated, and 33 had their classification removed this month, adding to our knowledge about identified issues. As part of this, Chris Lamb identified and classified two new issues: build_path_captured_in_emacs_el_file and rollup_embeds_build_path.

Software development This month, we tried to fix a large number of currently-unreproducible packages, including:

• Bernhard M. Wiedemann:
  • go (version 1.15.3 has improved reproducibility over 1.14)
  • goxel (sort SCons-related filesystem ordering issue)
  • lal (rework an old date-related patch)
  • lalmetaio (date)
  • libsemigroups (build failure in single-CPU mode)
  • memcached (build failure in 2025 due to expired SSL certificate)
  • octant (SUSE-specific date issue)
  • openmpi4 (date-related problem, revive old patch)
  • sbcl (datetime and hostname issue)
  • selinux-policy/policycoreutils (date-related issue in timezone)
• Chris Lamb:
  • #970383 filed against evince (forwarded upstream).
  • #971527 filed against libsass-python (forwarded upstream).
  • #972077 filed against pitivi.
  • #972078 filed against sound-juicer.
  • #972147 filed against pcbasic.
  • #972336 filed against ora2pg (forwarded upstream).
  • #972378 filed against fckit.
  • #972493 filed against gita.
  • #972494 filed against libgrokj2k.
  • #972496 filed against softether-vpn.
  • #972559 filed against perl.
  • #972561 filed against ruby-appraiser.
  • #972562 filed against gmerlin-avdecoder.
  • #972631 filed against node-proxy.
  • #972668 filed against yard.
  • #972861 filed against emacs.
  • #972930 filed against netcdf-parallel.
  • #965255 re-opened with new patch dh-fortran-mod.

Bernhard M. Wiedemann also reported three issues against bison, ibus and postgresql12.

Tools diffoscope is our in-depth and content-aware diff utility. Not only could you locate and diagnose reproducibility issues, it provides human-readable diffs of all kinds too. This month, Chris Lamb uploaded version 161 to Debian (later backported by Mattia Rizzolo), as well as made the following changes:

• Move test_ocaml to the assert_diff helper. [ ]
• Update tests to support OCaml version 4.11.1. Thanks to Sebastian Ramacher for the report. (#972518)
• Bump minimum version of the Black source code formatter to 20.8b1. (#972518)

In addition, Jean-Romain Garnier temporarily updated the dependency on radare2 to ensure our test pipelines continue to work [ ], and for the GNU Guix distribution Vagrant Cascadian diffoscope to version 161 [ ]. In related development, trydiffoscope is the web-based version of diffoscope. This month, Chris Lamb made the following changes:

• Mark a --help-only test as being a superficial test. (#971506)
• Add a real, albeit flaky, test that interacts with the try.diffoscope.org service. [ ]
• Bump debhelper compatibility level to 13 [ ] and bump Standards-Version to 4.5.0 [ ].

Lastly, disorderfs version 0.5.10-2 was uploaded to Debian unstable by Holger Levsen, which enabled security hardening via DEB_BUILD_MAINT_OPTIONS [ ] and dropped debian/disorderfs.lintian-overrides [ ].

Website and documentation This month, a number of updates to the main Reproducible Builds website and related documentation were made by Chris Lamb:

• Add a citation link to the academic article regarding dettrace [ ], and added yet another supply-chain security attack publication [ ].
• Reformatted the Jekyll s Liquid templating language and CSS formatting to be consistent [ ] as well as expand a number of tab characters [ ].
• Used relative_url to fix missing translation icon on various pages. [ ]
• Published two announcement blog posts regarding the restarting of our IRC meetings. [ ][ ]
• Added an explicit note regarding the lack of an in-person summit in 2020 to our events page. [ ]

Testing framework The Reproducible Builds project operates a Jenkins-based testing framework that powers tests.reproducible-builds.org. This month, Holger Levsen made the following changes:

• Debian-related changes:
  • Refactor and improve the Debian dashboard. [ ][ ][ ]
  • Track bugs which are usertagged as filesystem , fixfilepath , etc.. [ ][ ][ ]
  • Make a number of changes to package index pages. [ ][ ][ ]
• System health checks:
  • Relax disk space warning levels. [ ]
  • Specifically detect build failures reported by dpkg-buildpackage. [ ]
  • Fix a regular expression to detect outdated package sets. [ ]
  • Detect Lintian issues in diffoscope. [ ]

• Misc:
  • Make a number of updates to reflect that our sponsor Profitbricks has renamed itself to IONOS. [ ][ ][ ][ ]
  • Run a F-Droid maintenance routine twice a month to utilise its cleanup features. [ ]
  • Fix the target name in OpenWrt builds to ath79 from ath97. [ ]
  • Add a missing Postfix configuration for a node. [ ]
  • Temporarily disable Arch Linux builds until a core node is back. [ ]
  • Make a number of changes to our thanks page. [ ][ ][ ]

Build node maintenance was performed by both Holger Levsen [ ][ ] and Vagrant Cascadian [ ][ ][ ], Vagrant Cascadian also updated the page listing the variations made when testing to reflect changes for in build paths [ ] and Hans-Christoph Steiner made a number of changes for F-Droid, the free software app repository for Android devices, including:

• Do not fail reproducibility jobs when their cleanup tasks fail. [ ]
• Skip libvirt-related sudo command if we are not actually running libvirt. [ ]
• Use direct URLs in order to eliminate a useless HTTP redirect. [ ]

---

If you are interested in contributing to the Reproducible Builds project, please visit the Contribute page on our website. However, you can also get in touch with us via:

• IRC: #reproducible-builds on irc.oftc.net.
• Mailing list: rb-general@lists.reproducible-builds.org
• Social media: @ReproBuilds, @reproducible_builds@fosstodon.org & Reddit

Changes

• how-can-i-help: fix home dir handling
• apt: fix crashes in daily script (1, 2)
• autorevision: sed format, generate logo
• https-everywhere: add cdimage/get/cloud
• myrepos: fix home dir handling, vis: pass arguments to the commands
• whowatch: cleanups (1, 2, 3)
• coreboot: intelmetool cleanups (1, 2, 3)
• iotop: fix crash when time goes backwards (1, 2)
• check-all-the-things: add leaktracer, tmperamental, pycodestyle, remove ghc-mod, add MIME types, update docs (1, 2), embed-dirs, proselint, fix formatting, portability, wording, cmdline, extensions, no matching files remarks, safety (tmp flag, root flag, luacheck, puppet-lint, epubcheck, erl_tidy, complexity, rpmlint, ocaml-lintian), release (1, 2)
• spelling dictionaries:
  • codespell: merory, dislaimer, cleean, accets, accet, skept, beetwen, bracese, gettetx, acknoledge(d), alternarive, architecure(s), architeture(s), archtecture(s), automaitc, automaitcally, backupped, bitwise-orring, buil, buipd, checkum(s), commmand, conent(s), confict(s/ed), consitency, continuting, corerct(ly), critcial, custome, damge, databse, deaemon, decleration, defninition(s), depency, derefencing, derivaties, divertion(s), documemt, dowgrade, dulicate, efective(ly), excplicit(ly), exlicite(ly), extrac, extracing, homapage, hopefuly, initalized, initliaze(d/r),inoquous, instad, installe, interst(s), japanses, keyowrd, likewis, meanin, meaninful, multilpe, necessay, negatve, objump, obselete, obsure, outweight(s), overide, packge, paralellization, paritial, pasteing, pathnme, piority, popullate(d), portguese, positve, processig, promt(s), psaswd, reapper(ed/ing), recusion, refector(ing), referene(s), reoport, scritpt(s), selecton(s), seperator(s), serach, silenty, simulantaneous(ly), situtation, soure(s), specidic, specifyied, spectular(ly), srcipt(s), statictic(s), symbsol(s), triggerd, unued, updat(s), updgrade, vietnamesea, was't, temmporary, rouge, certficate, documetnation, verticies, bultin, additionnal, messge, inlcude(d), firts, thant, differents, positionn, positionned, ressources, softwares, foppy, geometrie, cleanpu, cleanpus, hadling, syncting, conrtib, delivative(s), skelton, appliction(s), catched, downlod(s/ing), informations, complet(ly), aligne(ment)
  • lintian: merory, dislaimer, cleean, accets, accet, skept, beetwen, bracese, gettetx, alternarive, architecure(s), architeture(s), archtecture(s), automaitc(ly), backupped, bitwise-orring, buil, buipd, checkum(s), confict(ed/s), consitency, continuting, corerct(ly), critcial, custome, damge, databse, deaemon, decleration, defninition(s), derefencing, derivaties, divertion(s), documemt, dowgrade, dulicate, efective(ly), excplicit(ly), exlicite(ly), extrac(ing), homapage, initalizer, initliaze(d/r), inoquous, instad, installe, interst(s), japanses, keyowrd, likewis, meanin(ful), multilpe, necessay, negatve, objump, obselete, outweight(s), paralellization, paritial, pasteing, pathnme, piority, popullate(d), portguese, processig, promt, promts, psaswd, reapper(ed/ing), recusion, refector(ing), referene(s), reoport, scritpt(s), selecton(s), seperators, serach, silenty, simulantaneous(ly), situtation, specidic, specifyied, spectular(ly), srcipt(s), statictic(s), symbsol(s), triggerd, unued, updat(s), updgrade, vietnamesea, was't, temmporary, rouge, documetnation, bultin, firts, thant, positionn, foppy, geometrie, cleanpu, cleanpus, hadling, syncting, ubutunu, conrtib, delivative(s), skelton, downlod(s/ing), complet, aligne
• Debian derivatives census: prefer long options, minimise diff output
• Debian QA: httpredir.d.o to deb.d.o
• Debian PTS: abbreviate newcomer to NC, add help to bugs panel, rework the patches panel (1, 2, 3, 4, 5), move Ubuntu items, add UbuntuDiff link, add derivs patches link (1, 2), add possible patches, strip bad white-space
• Debian DNS: add cloud.debian.org
• Debian admin wiki: fix path
• Debian meta-packages: fix debian.org-sources.debian.org
• Debian website: update merchandise information (1, 2, 3), update donations information, fix version for jessie ISOs, update an email address, enable release notes links (1, 2, 3), update cdimage links to https, update planeta links to planet es
• Debian userdir-ldap: fix default keyrings
• Debian DNS helpers: use yaml.safe_load
• Debian Fastly: use yaml.safe_load
• Debian mini-nag: use yaml.safe_load
• Debian DSA misc: use yaml.safe_load
• Debian nagios: use yaml.safe_load
• Debian ud: disable guest RTC accounts
• Debian userdir-ldap: disable guest RTC accounts
• Debian NM: fix graphs location
• Debian package uploads: check-all-the-things 2017.05.20
• Debian wiki pages: AlejandroRios, BrenoLeitao, CategoryPackaging, DataBase/Oracle, DebianDocumentation, (fr, it), DebianMentorsNet, DebianResources (es, zh_CN), DebianSpanish/Devel, DebianTaiwan/ocf.tw/TrustedOrganizationCriteria, Derivatives (Integration, Census Template, BlankOn, Parsix, VoyageLinux, VyOS), Exploits, Glossary (ja), Hardware/Certification (1, 2), HidekiYamane/memo, InstallingDebianOn, KevinMark, MaliGraphics, MemberBenefits, Mobile/BoF201708, NotSoFAQ, PaulWise/InterestingSoftware, PortsDocs/BootstrappingFPC, Promote/ButtonsAndBanners, ReleaseParty (SuiteTemplate, Stretch (Germany/Berlin, Germany/Darmstadt, USA/Atlanta), ReproducibleBuilds, ReproducibleInstalls, research/publications, SuitesAndReposExtension, tahoma, Teams (Auditor/Organizations, ReleaseTeam/ReleaseCheckList), UnofficialRepositories, ZRam

Issues

• Crashes in evolution, gnome-disk-utility
• Debian testing removal of check-all-the-things (1, 2)
• Move firefoxdriver from Debian non-free to main
• Normal issues in gnome-shell-timer
• Features in tmperamental, installation-birthday, multistrap, dnssec-trigger
• Broken source packages in Devuan (firejail)
• Broken bug handling in Devuan BTS
• Incorrect redirects in Devuan archive
• Typos in hadori
• Documentation issues in leaktracer, hlint
• Shell issues in leaktracer, tmperamental
• Security issues in cme (expanded from issues reported by Jakub Wilk), node-brace-expansion, MoinMoin Color2 macro, pastebinit
• Minor issues in dman
• Outdated info in www.debian.org
• Warnings in intelmetool
• Missing dependencies in samba-common-bin

Review

• Spam: reported 3 LWN comments, 4 Debian bug reports and 224 Debian mailing list posts
• Debian wiki: RecentChanges for the month
• Debian screenshots:
  • approved ansiweather, asunder, batmon.app, binstats, blinken, boomaga, caca-utils, camera.app, catimg, fontmanager.app, gnome-maps, gnunet-gtk, goldendict, handbrake, heaptrack-gui, iagno, irussian, kapman, katarakt, kolourpaint, kup-backup, lcrt, libts-bin, nuttcp, out-of-order, paris-traceroute, parole, pdmenu, pnmixer, polari, pong2, potool, psensor, qspeakers, quicktime-x11utils, qv4l2, radeontool, radeontop, read-edid, runlim, scram, screenfetch, silversearcher-ag, slmon, smem, smemcap, sndfile-programs, strace, subnetcalc, sweeper, symlinks, sysinfo, tiptop, trabucco, tree, unicode, wmfsm, wmgtemp, xara-gtk, xsysinfo,
  • deleted nsis (not a screenshot),
  • rejected gtkwave/gwave/jed/ktuberling/jaxe/irsim/algobox/qrouter/webcamoid/luminance-hdr/ricochet-im (copied from upstream), yosys (web page screenshot), xdu (not a useful screenshot), libts-bin (not a screenshot)
  • approved deletion of arandr (copied from upstream, also "Doesn't represent true program.") pennmush (logo not a screenshot)
  • approved deletion (despite bogus reason) of qspeakers (window decorations fine, duplicate)
  • rejected deletion (despite valid reason) of borgbackup (no other screenshots)
  • rejected deletion of synaptic (garbage in reason field)

Administration

• Debian: discuss mail bounces with a hoster, check perms of LE results, add 1 user to a group, re-sent some TLS cert expiry mail, clean up mail bounce flood, approve some debian.net TLS certs, do the samhain dance thrice, end 1 samhain mail flood, diagnose/fix LDAP update issue, relay DebConf cert expiry mails, reboot 2 non-responsive VM, merged patches for debian.org-sources.debian.org meta-package,
• Debian mentors: lintian/security updates & reboot
• Debian wiki: delete stray tmp file, whitelist 14 email addresses, disable 1 accounts with bouncing email, ping 3 persons with bouncing email
• Debian website: update/push index/CD/distrib
• Debian QA: deploy my changes, disable some removed suites in qadb
• Debian PTS: strip whitespace from existing pages, invalidate sigs so pages get a rebuild
• Debian derivatives census: deploy changes
• Openmoko: security updates & reboots.

Communication

• Invite Purism (on IRC), XBian (also on IRC), DuZeru to the Debian derivatives census
• Respond to the shutdown of Parsix
• Report BlankOn fileserver and Huayra webserver issues
• Organise a transition of Ubuntu/Endless Debian derivatives census maintainers
• Advocate against Debian having a monopoly on hardware certification
• Advocate working with existing merchandise vendors
• Start a discussion about Debian membership in other organisations
• Advocate for HPE to join the LVFS & support fwupd

Sponsors All work was done on a volunteer basis.

Changes

• gitk: colour of remote refs
• https-everywhere: Update Debian rules
• check-all-the-things: release, security fix, reset terminal modes, allow running removed checkers, regression fix (quote fix), TODO items (for deep-text-corrector, sblint, decopy, Coala Bear & dangerous Python checks)
• devscripts: fix grep-excuses warning
• autorevision: build correctness, tarball reproducibility (due to gzip & AUTHORS.txt)
• whowatch: parameter correctness (for NULL, int), spelling/grammar/typos, https, remove dead links & restore terminal status on exit
• spelling dictionaries:
  • codespell: recod, undefuned, normaly, uner, buid, stength, privide, decstiption(s), revrese, lightweigh, multible, asbtraction, resulution, meatadata, seriuos, transalte, interractive, timestan, partiton, databas, claculate, patern, substiution, freee, operatation(s), ambigous, clasified, coypright, previlege, gental, bacup & detction
  • lintian: recod, undefuned, uner, buid, stength, privide, dimentional, decstiption(s), revrese, lightweigh, asbtraction, resulution, FTBS, meatadata, seriuos, transalte, interractive, timestan, partiton, databas, claculate, patern, substiution, freee, operatation(s), previlege, gental, bacup & detction
• Debian timeline: latest bug milestones
• Debian bits: FOSDEM draft fixes
• Planet Debian derivatives: add Netrunner & update BlankOn logo
• Debian buildd website: plain text logs (1 2 3)
• Debian uscan multi-redirector: add github package.json/cmake checker & remove gitorious
• Debian packages website: update manual pages patch to use https, merge patches (1 2)
• Debian website: fix security Makefiles for DLAs (for 2017, 2016, 2015, 2014), derivatives (wording/formatting fixes 1, 2), build by default), link fixes (for CD brokenness, stability, gitweb to cgit)
• Debian wiki pages: AlejandroRios, ChrootOnAndroid, CopyrightReviewTools, CrossCompiling, CrossGrading, DebianBootstrap, DebianDay, (2017), DebianEvents (Asia, oc) DebianScience, DebianWiki/Browsing, dedup.debian.net, Derivatives/Census (AstraLinux, BlankOn, Netrunner, SalentOS, SerbianLinux, Symbiosis, Template), EmbeddedCodeCopies, ExternalEntities, Fonts, fr/GraphicsCard, fr/Intel HD Graphics, FrontPage, gobby.debian.org, HP/ProLiant, Ideas, InstallingDebianOn, TurrisOmnia (1 2), InterWikiMap, josch/notes, LVM, Merchandise/BoFDebConf10, Mobile (1 2), NewArchiveSections, PaulWise/InterestingSoftware, PortTemplate, ppc64el, PressCoverage2017, PressCoverage, redmine, ReproducibleBuilds/History, Services/Debian Packages, SponsorChecklist, Sprints (2017/DebianMed2017 (1 2)), SystemBuildTools, systemd, Teams/Dpkg/FAQ, ThisWeekInDebian, WhyDebian, Year
• File Formats wiki pages: ACE, File_identification_software, File_command
• Debian package uploads: autorevision 1.20-1, check-all-the-things 2017.01.15 & openchange 1:2.2-6+deb8u1

Issues

• Security migration for check-all-the-things
• GPL violations due to embedded copies of Liberation Fonts in emscripten, freedink, gargoyle-free, gcstar, manaplus, minetest, pcs & zygrib
• Outdated embedded unicode-data copies in boost1.62 & boost1.63
• Crash in liferea
• Regression in coreutils date
• Missing conffile removal in dnssec-trigger & xtightvncviewer
• gitorious redirector usage in fgrun & spectacle
• Annoying issues in hexchat autorejoin, totem & a podcast & gdb messages
• Cosmetic issues in parcimonie menu, gitk colours & aptitude debtags
• Features in duck, apt-file, needrestart, packages.debian.org & aptitude
• An already implemented feature in needrestart

Review

• Spam: report spam in 6 Debian bugs, 132 Debian mails and one LWN comment
• Patches: point out extraneous whitespace changes in a codespell PR
• Debian packages: reviewed and sponsored fsprotect 1.0.7
• Debian wiki: RecentChanges for the month, feedback on InstallDebianWithoutLiveCD article
• Debian screenshots:
  • Approved screenshots of ngraph-gtk lightdm-gtk-greeter-settings kalgebra qtile patat toilet sagemath (2) w3c-markup-validator pentobi pentobi-kde-thumbnailer zygrib (2) sauerbraten kmail aiscm (5) codeblocks lxqt libreoffice-help-es inkscape synaptic thunar gimp midori filezilla libreoffice pluma qupzilla gnome-2048 simplescreenrecorder gerbv keepassx gcstar confclerk onionshare blockout2 subuser dosbox zsnes dosemu lmarbles klickety geda-gattrib katomic kiki-the-nano-bot freedm frogatto (2)
  • Approved removal of screenshots: seaview screenshot contained advertising, mupen64plus/mupen64plus-audio-all were weird screenshots with multiple OS windows overlaid & mkgmap was a screenshot of the OSM wiki instead of the software
  • Rejected screenshots: gccgo looked like a Thai mobile phone screenshot, python-stem was a screenshot for OPENDIME USB, seaview was downloaded from elsewhere and not an authentic screenshot & fbreader contained non-free ebook contents

Administration

• Debian: reboot 1 non-responsive VM, redirect 2 users to support channels, redirect 1 contributor to xkb upstream, redirect 1 potential contributor, redirect 1 bug reporter to mirror team, ping 7 folks about restarting processes with upgraded libs, manually restart the sectracker process due to upgraded libs, restart the package tracker process due to upgraded libs, investigate failures connecting to the XMPP service, investigate /dev/shm issue on abel.d.o, clean up after rename of the fedmsg group.
• Debian mentors: lintian/security updates & reboot
• Debian packages: deploy 2 contributions to the live server
• Debian wiki: unblacklist 1 IP address, whitelist 10 email addresses, disable 18 accounts with bouncing email, update email for 2 accounts with bouncing email, reported 1 Debian member as MIA, redirect 1 user to support channels, add 4 domains to the whitelist.
• Reproducible builds: rescheduled Debian pyxplot:amd64/unstable for themill.
• Openmoko: security updates & reboots.

Debian derivatives

• Send the annual activity ping mail.
• Happy new year messages on IRC, forward to the list.
• Note that SerbianLinux does not provide source packages.
• Expand URL shortener on SerbianLinux page.
• Invite PelicanHPC, Netrunner, DietPi, Hamara Linux (on IRC), BitKey to the census.
• Add research publications link to the census template
• Fix Symbiosis sources.list
• Enquired about SalentOS downtime
• Fixed and removed some 404 BlankOn links (blog, English homepage)
• Fixed changes to AstraLinux sources.list
• Welcome Netrunner to the census

Sponsors I renewed my support of Software Freedom Conservancy. The openchange 1:2.2-6+deb8u1 upload was sponsored by my employer. All other work was done on a volunteer basis.

Disclaimer This is an attempt at humor and hence entirely fictional in nature. While some incidents depicted are true, the context and the story woven around them are by yours truly. None of the Mascots of Debian were hurt during the blog post. I also disavow any responsibility for any hurt (real or imagined) to any past, current and future mascots. The attempt should not be looked upon as demeaning people who are accused of false crimes, tortured and confessions eked out of them as this happens quite a lot (In India for sure, but guess it s the same world over in various degrees). The idea is loosely inspired by Chocolate:Deep Dark Secrets. (2005) On a more positive note, let s start Being a Sunday morning woke up late to find incessant knocking on the door, incidentally mum was not at home. Opening the door, found two official looking gentleman. They asked my name, asked my credentials, tortured and arrested me for Group conspiracy of Malicious Mischief in second and third degrees . The torture was done by means of making me forcefully watch endless reruns of Norbit . While I do love Eddie Murphy, this was one of his movies he could have done without. I guess for many people watching it once was torture enough. I *think* they were nominated for razzie awards dunno if they won it or not, but this is beside the point. Unlike the 20 years it takes for a typical case to reach to its conclusion even in the smallest court in India, due to the torture, I was made to confess (due to endless torture) and was given summary judgement. The judgement was/is as follows a. Do 100 hours of Community service in Debian in 2017. This could be done via blog posts, raising tickets in the Debian BTS or in whichever way I could be helpful to Debian. b. Write a confessional with some photographic evidence sharing/detailing some of the other members who were part of the conspiracy in view of the reduced sentence. So now, have been forced to write this confession As you all know, I won a bursary this year for debconf16. What is not known by most people is that I also got an innocuous looking e-mail titled Pollito for DPL . While I can t name all the names as investigation is still ongoing about how far-reaching the conspiracy is . The email was purportedly written by members of cabal within cabal which are in Debian. I looked at the email header to see if this was genuine and I could trace the origin but was left none the wiser, as obviously these people are far more technically advanced than to fall in simple tricks like this Anyways, secretly happy that I have been invited to be part of these elites, I did the visa thing, packed my bags and came to Debconf16. At this point in juncture, I had no idea whether it was real or I had imagined the whole thing. Then to my surprise saw this Just like the Illuminati the conspiracy was for all to see those who knew about it. Most people were thinking of it as a joke, but those like me who had got e-mails knew better. I knew that the thing is real, now I only needed to bide my time and knew that the opportunity would present itself. And few days later, sure enough, there was a trip planned for Table Mountain, Cape Town . Few people planned to hike to the mountain, while few chose to take the cable car till up the mountain. Quite a few people came along with us and bought tickets for the to and fro to the mountain and back. Incidentally, I was thinking if the South African Govt. were getting the tax or not. If you look at the ticket, there is just a bar-code. In India as well as the U.S. there is TIN Tax Identification Number Few links to share what it is all about . While these should be on all invoices, need to specially check when taking high-value items. In India as shared in the article the awareness, knowledge leaves a bit to be desired. While I m drifting from the incident, it would be nice if somebody from SA could share how things work there. Moving on, we boarded the cable car. It was quite spacious cable car with I guess around 30-40 people or some more who were able to see everything along with the controller. It was a pleasant cacophony of almost two dozen or more nationalities on this 360 degrees moving chamber. I was a little worried though as it essentially is a bucket and there is always a possibility that a severe wind could damage it. Later somebody did share that some frightful incidents had occurred not too long ago on the cable car. It took about 20-25 odd minutes to get to the top of table mountain and we were presented with views such as below The picture I am sharing is actually when we were going down as all the pictures of going up via the cable car were over-exposed. Also, it was pretty crowded on the way up then on the way down so handling the mobile camera was not so comfortable. Once we reached up, the wind was blowing at incredible speeds. Even with my jacket and everything I was feeling cold. Most of the group around 10-12 people looked around if we could find a place to have some refreshments and get some of the energy in the body. So we all ventured to a place and placed our orders I was introduced to Irish Coffee few years back and have had some incredible Irish Coffees in Pune and elsewhere. I do hope to be able to make Irish Coffee at home if and when I have my own house. This is hotter than brandy and is perfect if you are suffering from cold etc if done right, really needs some skills. This is the only drink which I wanted in SA which I never got right . As South Africa was freezing for me, this would have been the perfect antidote but the one there as well as elsewhere were all bleh. What was interesting though, was the coffee caller besides it. It looked like a simple circuit mounted on a PCB board with lights, vibrations and RFID and it worked exactly like that. I am guessing as and when the order is ready, there is an interrupt signal sent via radio waves which causes the buzzer to light and vibrate. Here s the back panel if somebody wants to take inspiration and try it as a fun project Once we were somewhat strengthened by the snacks, chai, coffee etc. we made our move to seeing the mountain. The only way to describe it is that it s similar to Raigad Fort but the plateau seemed to be bigger. The wikipedia page of Table Mountain attempts to share but I guess it s more clearly envisioned by one of the pictures shared therein. I have to say while Table Mountain is beautiful and haunting as it has scenes like these There is something there which pulls you, which reminds you of a long lost past. I could have simply sat there for hours together but as was part of the group had to keep with them. Not that I minded. The moment I was watching this, I was transported to some memories of the Himalayas about 20 odd years or so. In that previous life, I had the opportunity to be with some of the most beautiful women and also been in the most happening places, the Himalayas. I had shared years before some of my experiences I had in the Himalayas. I discontinued it as I didn t have a decent camera at that point in time. While I don t wanna digress, I would challenge anybody to experience the Himalayas and then compare. It is just something inexplicable. The beauty and the rawness that Himalayas shows makes you feel insignificant and yet part of the whole cosmos. What Paulo Cohello expressed in The Valkyries is something that could be felt in the Himalayas. Leh, Ladakh, Himachal , Garwhal, Kumaon. The list will go on forever as there are so many places, each more beautiful than the other. Most places are also extremely backpacker-friendly so if you ask around you can get some awesome deals if you want to spend more than a few days in one place. Moving on, while making small talk @olasd or Nicolas Dandrimont , the headmaster of our trip made small talk to each of us and eked out from all of us that we wanted to have Pollito as our DPL (Debian Project Leader) for 2017. Few pictures being shared below as supporting evidence as well While I do not know who further up than Nicolas was on the coup which would take place. The idea was this If the current DPL steps down, we would take all and any necessary actions to make Pollito our DPL. This has been taken from Pollito s adventure Being a responsible journalist, I also enquired about Pollito s true history as it would not have been complete without one. This is the e-mail I got from Gunnar Wolf, a friend and DD from Mexico

Turns out, Valessio has just spent a week staying at my house And
in any case, if somebody in Debian knows about Pollito s
childhood That is me. Pollito came to our lives when we went to Congreso Internacional de
Software Libre (CISOL) in Zacatecas city. I was strolling around the
very beautiful city with my wife Regina and our friend Alejandro
Miranda, and at a shop at either Ram n L pez Velarde or Vicente
Guerrero, we found a flock of pollitos. http://www.openstreetmap.org/#map=17/22.77111/-102.57145 Even if this was comparable to a slave market, we bought one from
them, and adopted it as our own. Back then, we were a young couple Well, we were not that young
anymore. I mean, we didn t have children. Anyway, we took Pollito with
us on several road trips, such as the only time I have crossed an
international border driving: We went to Encuentro Centroamericano de
Software Libre at Guatemala city in 2012 (again with Alejandro), and
you can see several Pollito pics at: http://gwolf.org/album/road-trip-ecsl-2012-guatemala-0 Pollito likes travelling. Of course, when we were to Nicaragua for
DebConf, Pollito tagged along. It was his first flight as a passenger
(we never asked about his previous life in slavery; remember, Pollito
trust no one). Pollito felt much welcome with the DebConf crowd. Of course, as
Pollito is a free spirit, we never even thought about forcing him to
come back with us. Pollito went to Switzerland, and we agreed to meet
again every year or two. It s always nice to have a chat with him. Hugs!

So with that backdrop I would urge fellow Debianities to take up the slogans LONG LIVE THE DPL ! LONG LIVE POLLITO ! LONG LIVE POLLITO THE DPL ! The first step to make Pollito the DPL is to ensure he has a @debian.org (pollito@debian.org) We also need him to be made a DD because only then can he become a DPL. In solidarity and in peace
Filed under: Miscellenous Tagged: #caller, #confession, #Debconf16, #debian, #Fiction, #history, #Pollito, #Pollito as DPL, #Table Mountain, Cabal, memories, south africa

There is this long-running workshop series Haskell in Leipzig, which is a meeting of all kinds of Haskell-interested folks (beginners, experts, developers, scientists), and for year s instance, HaL 2016, I have the honour of being the program committee chair. The original deadline passed last week, and after looking through the submissions it became clear that although the quality was good, the quantitiy was still lacking. I therefore extended the submission deadline by two weeks, until July 15th. So if you have something worth talking about, please do submit a proposal¹ and come to Leipzig!. Why should you submit here? Because it gives you a platform to talk about your ideas to an audience that usually does not consist just of your fellow speakers, as it is often with purely academic workshops, but real listeners of various kinds. And it is a fun event. And why should you come to Leipzig? Because of all the interesting talks and tutorials! Of course I cannot say a lot here yet, besides that our invited speaker Alejandro Russo from Chalmers and Gothenburg University will present his work on information-flow control in Haskell (i.e., SecLib, LIO, MAC, HLIO).

A couple of months ago, I was invited to give the starting course for the Masters degree in Free Software in the Universidad Andina Sim n Bol var university. UASB is a multinational university, with campuses in (at least) Ecuador, Chile, Bolivia and Colombia; I was doubtful at first regarding the seriousness of this proposal and the viability of the program, but time made my doubts disappear. Bolivia is going through an interesting process, as they have one of the strongest worded government mandates for migration to free software for the public administration in the next couple of years; this migration has prompted the interest of many professionals in the country. In particular, we have over 40 registered people for this Masters degree. Studying a Masters degree is a long-term commitment which signifies a big time investment, and although many of the student are quite new to the idea of free software, they are willing to spend this time (and money, as the university is privately owned and charges for its enrollment). I gave this class together with Alejandro Miranda (a.k.a. @pooka), as we have a very good pair-teaching dynamics; we had already given many conferences together, but this is the first time we had the opportunity to share a whole course and the experience was very good. We have read the students' logs, and many of them clearly agree with this. I had to skip two of the (ten) lessons, as I travelled from Mexico to Argentina halfway through it (of course, we brought the babies to meet my wife's family and friends!), so we had also the honor of having Esteban Lima fill in for those sessions. I am very happy and grateful that the University took care to record our presentations and intend to record and put online all of the classes; as we were the first in the program, there were some understandable hiccups and some sessions were lost, but most are available. Here they are, in case you are interested in refering to them:

Topic	Video (my server)	Video (Youtube)
Introduction to free software	Watch	Watch
History	Watch	Watch
Free culture	N/A	N/A
The effects of free software	Watch	Watch
Free software and open standards related to technologic soverignity	Watch	Watch
The free software ecosystem	Watch	Watch
Free software implementation in Bolivia	Watch	Watch
Introduction to intelectual property: Copyright, patents, trademarks, etc.	Watch	Watch
Who is "the community" and why do we speak about it?	Watch	Watch
Current status and challenges for the movement	N/A	N/A

We have yet another video file (which I have not fully followed through) titled ADSIB - Migration plan. It can also be downloaded from my server or watched online at Youtube. All in all: This was a great opportunity and a joy to do. I think the material we used and developed fit well what was expected from us, and we had fun giving somewhat heterodox readings on our movement.

Just found out that I was cited academically for the first time: Pablo Buiras and Alejandro Russo s paper Lazy Programs Leak Secrets at NordSec2013 builds upon my work dup Explicit un-sharing in Haskell , which I had submitted to last year s Haskell symposium and Haskell Implementers Workshop, but eventually only published on arXiv.

Yesterday I went to FES Iztacala, the faculty where I worked between 1999 and 2003. It's nice to go visit some good friends (even if to talk for work issues). It is somewhat far from my usual roaming area (~25Km straight to the North), so I cannot do it as often as I'd like. But anyway - I had to be at work early in the morning, but leaving from here a bit early for lunchtime, and leaving home at ~14:30, I managed to arrive to Iztacala in ~75 minutes. Sustained cycling for 20 Km/h, even counting stops at traffic lights on the way, yay! Anyway, had a productive and fun evening there, but around 18:00 I decided to head back before night got me Specially for the first part of the way, as I'm not familiar with Atzcapozalco. Alejandro suggested me to go by the recently (some months ago) opened cycle path that covers 4Km and almost exactly crosses the delegation (each of the 16 constitutive parts of Distrito Federal, where an important part of Mexico City is located). The cycle path is a good initiative... But I must say, I'm very very glad I took it still with good daylight. As well as the Recreative cyclepath that goes to the South, until the border of Morelos state, this one was built over abandoned rail tracks. Good use for a vacant and useless public space Rail tracks which lay unclaimed in the city are uncomfortable to walk, and useless for anything else, so they basically mean a useless 2m-wide strip of common grounds. So, I welcome any initiatives that make it into a useful space again! And two meters are just enough for a comfortable cycling path - Yes, which will surely be shared with pedestrians, and sometimes becomes uncomfortable. But lets try it! However... When rail tracks are decomissioned and cycle paths built over them... the metal should be dismounted! Not only because of economic concerns (good metal used for rail tracks is much more expensive and useful than asphalt), but because if it stays there, it just becomes a danger. Specially, as is the case, if the asphalt is just deep enough to sometimes cover the tracks And sometimes not. Had I known, I would have taken several photographs of important mistakes in the rail layout. I know I was very close to having an accident at least once (this means, I lost balance and miraclously managed to slow down from ~15Km/h by running with the bike between my legs!), and got in uncomfortable situations several more times. For a good portion of the track, there is a train track running at about of its width, so I had to constantly ring the bell or shout whenever I saw pedestrians As changing from side to side to route around them would put both them and me in danger. Towards the Southern part of the cycle path, as it is a much more active industrial area, there are many places where multiple tracks cross each other under the thin asphalt, sometimes completely unpaved. In one of those points I even decided to step down of the bike and make ~20m walking. This cycle path seems like it was done in a great hurry to present a successful project to the Politicians in Charge, without much thought on what it requires to be really a good project. It provides, yes, a very useful and good mobility solution for cyclists in the North-West. But it is too dangerous... And I am not sure whether I'd take it again. Probably not. So, all in all...

• Thanks to the Atzcapozalco authorities who thought of the cyclists and claimed back unused public space for us all to enjoy!
• The job done was too hasty. Valuable money (selling the tracks) was lost by burying it under asphalt. But it was not enough asphalt It needs attention before somebody gets hurt (or, before more people I'd be surprised if nobody had yet felt adrenaline over there)
• I hope the entrant city government takes the self-powered vehicle promotion more seriously than the outgoing one Which has done great advances (such as the Ecobici program), but is still far from reaching its promises... As always, I know.
• I managed to get back home alive and complete, yay!
• Of course, the cycle path has been mapped into OpenStreetMap. My SportsTracker tracks are also there, but they require Flash (ugh): the way to Iztacala and the way back.

Oh, and lastly: Some might be surprised I'm using bits of Twitterspeak here. But well, I now have presence a bot repeating my posts over there, so I'd better get Alejandro to read this using the proper channels ;-)

Attachment	Size
Full video (Ogg Vorbis+Theora encoded)	81.19 MB

Finally! Last Friday, after two years worth of work, I finally got the first box of books for the Construcci n Colaborativa del Conocimiento (Collaborative Knowledge Construction) project I worked on as a coordinator together with Alejandro Miranda (pooka), and together with a large group of 11 authors: Translating over from the back cover text (and this is just a quick translation from me It reads better in Spanish ;-) ):

What defines us as humans is our ability, on one side, to
create knowledge, and on the other, to share or communicate it with our neighbors. Both features have worked together over tens of thousands of years, and, working together, have led the knowledge to transcend the individual, avoiding the need to rediscovery or reinvention of is already known. Sharing knowledge is what has taken our species to the dominant role it occupies today. But knowledge creation and sharing has seen a deep transformation in recent decades, thanks to the quick evolution of telecommunications, specially the massification of Internet and cellular telephony. We are transiting towards the so desired and at the same time so feared knowledge society. In this book, eleven authors from very different disciplinary backgrounds and geographic origins ellaborate on how a hyper-connected world has modified the basic rules of interaction in areas as diverse as artistic creation, social organizations, computer code development, education or the productive sector. This book is the result of a year worth of work for in the "Collaborative Construction of Knowledge" seminar, during which we
used the same new forms of knowledge production we have studied. The videos of the sessions, electronic participations and the full contents of this book are available under a permisive license at
http://seminario.edusol.info/seco3/

We will soon have the book ready in IIEc's e-store (which is mostly meant for national requests). I am also uploading the book to the lulu.com self-publishing service, and we are working on a epub-like edition. Right now it is still not available, but it should be there in some days. I will keep you posted. Meanwhile, the full contents can be read online at http://seminario.edusol.info/seco3

This weekend we'll be having the 4th version of the Colombian Mini-Debconf. It will be held in the Otraparte Museum, in the city of Medellin. The cool thing this year is that we'll be having mostly Debian contributors than just users, with the kind participation of Anibal Monsalve, who is currently in the country.

There will be several 10-min lightening talks, followed by a key signing party and some actual work in packaging, and of course we'll be having some beers with Debian friends.

More info (in Spanish): http://wiki.debian.org/DebianColombia/MiniDebconf2011

After >7 years of working on my own Linux machine, I now have to work on a Windows XP laptop for my new employer.

It's been almost a week and a half now, and I think I'm starting to get used to it (as far as a Gnome user can be), thanks to the following tools, that I had to install in order to survive and not getting mad:

• Firefox: for obvious reasons, the first thing is to get rid of IE.

• gVim: thank $DEITY there is a windows port for Vim.

• Putty: of course, I still need to log into several Linux machines.

• mRemote: its a wrapper around putty to handle several sessions, and also supports RDP and other protocols.

• WinSCP: just because mRemote doesn't support SCP.

• muCommander: to browse the file system in a decent way. It also supports SCP, but I haven't been able to customize it properly (opening files with gVim), so I'm not using it really.

• XChat: its always cool to hang around IRC.
  

• Pidgin: to deal with the social mess of chats/contacts out there.
  

There is also a GEdit for windows, but I seldom use it.

During DebConf, I managed to squeeze out of the middle of everything for long enough to write a column, a short article for a participation I have every three months, for Mexican Software Gur magazine. All in all, I liked the resulting text The current number's main topic is alternative user interfaces. I find it sometimes hard to define what Software Gur 's audience is Probably, project leaders in software development; not the actual developers, but people who actually understand about coding... but care more about The Big Picture, Processes, Architecture Engineering and Buzzword Compliance. It is an interesting magazine, all in all, but with a focus and viewpoint I often feel myself not precisely comfortable with. So, if this trimester's topic was alternative user interfaces, I decided to write on the history and future of the man-machine interface (Spanish only) (version in the magazine's site). My viewpoint comes from the fact that I do not believe we are in a state of so great, innovative changes that everybody is trumpeting, and I'd rather get others to really think on whether user interfaces have gone different in the last decades. Yes, there are many changes, but in form rather than essence. Anyway, I shared this text with some friends. Some days later, when I was back in Mexico, Pooka/Alejandro Miranda lent me a very interesting book: Hacer clic: Hacia Una Sociosemiotica De Las Interacciones Digitales (Do click: Towards a Socio-semiotics of Digital Interaction (Cibercultura)), by Carlos Scolari. I am not yet even halfway through it, but I am enjoying it This book speaks, so far, about the meanings of interfaces, and of the history of interfaces themselves, even forgetting that nowadays we (mostly) refer to interfaces as what we have between the man and the machine. Sadly, I cannot find this book in English, as it is very well worth a read. But if the topic sounds interesting and you can understand the language, don't hesitate and pick up the book. It gives an interesting insight on the topic, for a group of people (us techies) used to looking at things in a much more human-cognitive-process-oriented way. [update] I found this nice overview of the "Hacer clic" book, written as a presentation for the book. It explains precisely the part I am currently reading - The four metafora for interaction: Conversational, instrumental, superficial and spatial.

If you have seen me anywhere near my computer at DebConf, you probably have seen the face of a hurried, worried developer. Still, if you monitor my Debian-related activity, you will notice it is still quite low, even given my (much needed and very much enjoyed) vacations pre-DebConf. Yes, orga-team work is very time consuming, even if my role is far from central this year. And yes, DebCamp+DebConf are known for sucking time into social interaction, which is great but not so (formally) productive. And yes, I even took 1.5 days off to visit my family and a friend who live in the area... Still, I managed to release! \ / Release what? I have been working with Pooka for the last ~2 years on the Seminary on Collaborative Knowledge Construction. We assembled a group of ~10 speakers/authors, each of whom prepared a chapter for a book meant for publication. Pooka and me coordinated the work, which took a long time because it was also an interaction experiment (and because we both did it only in our free time). After the coordination work started fading, I took up the task of coming up with a way to translate it all into LaTeX (and fix a host of conversion bugs, and play with the available packages, and... Hey, I'm after all just a LaTeX newbie, and had to learn to tame the beast!), I stumbled upon that precious fact that makes so many projects release. I stumbled upon a deadline. We want to publish the book under the seal of IIEc-UNAM. Besides my workplace, it is a very well regarded university, and having its seal in our work is definitively a big plus. And the Publications Committee of my Institute is meeting this week - So I had to send our final manuscript by today. Having a deadline overlapping with DebConf sucks. But somehow, I managed to do the needed work to my complete satisfaction. The work is now in the Committee's hands, and I expect to have more news soon(ish). Oh, and where can you get our work? Well, if you register in our site, you will be able to read the whole contents. And once the book is approved and published, the whole work will be published online under a free (CC-BY-SA) license. BTW, that probably means I will have more time to fix my Debian bugs and pending stuff! \ /

After being away from home for almost two weeks (and, due to unforseen circumstances, having the longest time away from my mailbox I can recall in almost 15 years), last Monday I met with Pooka and Caro, originally just for lunch, but it evolved into an evening-long work session on the SECO3 project (which I continued long into the night But I'm drifting into offtopicness). Caro is now living again in Costa Rica, and to prove it, she brought us two delicious-smelling bags of coffee. Now, I know my cats like the smell of coffee, I know specially Santa loves to completely put her head inside my coffee cup and lick what's left of my espresso's foam But this was really surprising. It was not until today, three days later, I had the heart of bringing my coffee to the office where I'll enjoy it. It is so aromatic that Chupchic and Santa seemed to be taking turns to keep me from claiming the bag At all times, either (or both!) of them layed on top of my precious. It was not until today, when I gave them their breakfast, I was able to take the (still warm) bag of coffee and bring it to work.

Today is the last day of this conference, which has been a great experience of interaction between Central America and Caribbean communities. Yesterday we had packaging, BTS, kernel, pbuilder and quilt related talks. We also expanded the web of trust with a key signing party with almost 30 participants. Even a BoF about people interested in VoIP was held before going downtown to share some beers :)

This morning we had talks about hands on maintaining and translation tasks, we had also a group photo, and a quick visit to the Panama Canal.

Although it has been hard for me to and others to identify common areas of interest towards future work in Debian, it seems to me that these could be centered around l10n and i18n issues, along with packaging and digital inclusion projects.

Yesterday began the central america and caribbean MiniDebconf at Panama. Over 50 people from Mexico, Belice, Nicaragua, Guatemala, Costa Rica, Salvador, Colombia and Venezuela, among others, are here to share experiences around Free Software and Debian contributions. All this is possible to several sponsors from Panama and SPI, and the hard work from many people, specially Anto Recio, Mauro Rosero, Carolina Flores, Gunnar Wolf and the local team.

More info(in spanish), including live streaming url can be found on: http://softwarelibre.ca/wiki/MiniDebconf2010

update: Also, on a personal note, I'll take the chance of this event to start my transition to a stronger gpg key, so If you have signed my old one, please take a look at: http://people.debian.org/~alerios/key-transition-2010-03-20.txt

I must confess I don't remember who I got this invitation from. Anyway, if you are in the right geographic area, you might be interested. I will try to participate: This is a year-long seminar that will be held the second Thursday every month at Fonoteca Nacional (a place I have wanted to visit for a long time!), in Barrio de Santa Catarina, Coyoac n. Among the organizers they have Creative Commons Mexico. Free entrance (but limited space - so they ask interested people to confirm their presence by mail to bvallarta@conaculta.gob.mx). [update] I went with Pooka to the first session. We arrived almost 1hr late (due to me mistaking the schedule :-/ ) but it was interesting. Of course, quite biased towards the Google viewpoints, but interesting. We got the program for the next sessions So, mostly for myself to keep handy, here it goes:

Date	Title	Speakers
2010-03-11	Google and copyright	Manuel Tamez, Hugo Contreras, Mar a Fernanda Mendoza
2010-04-08	Generalities about rights on intelectual property	Jes s Parets, Guillermo Sol rzano, Jorge Mier y Concha
2010-05-13	Copyright's nature and competent authorites	Carmen Arteaga, Luis Schmidt, C sar Callejas
2010-06-10	Moral and patrimonial rights	Guillermo Pous, Eduardo de la Parra, Ram n Ob n
2010-07-08	Reproduction rights for audible material	lvaro Hegewisch, scar Javier Solorio, Marco Antonio Morales, Jos Ram n C rdeno
2010-08-12	Licenses and patrimonial right transmission. Works for hire, works done under laboral relationship, or carried out in official service	Dolores Franco, Jes s Mej a, Ra l Pastor
2010-09-09	Limits to explotation rights and literary plagiarism	Carmen Arteaga, Juan Ram n Ob n, Jorge Mier y Concha, C sar Callejas
2010-10-14	Copyright in a digital setting	Jes s Parets, Gast n Esquivel
2010-11-11	Law-regulated intelectual property rights	Rosalba Elizalde, Salvador Ortega, Gast n Esquivel, Manrique Moheno
2010-12-09	International protection and collective gestive societies	Horacio Rangel, Luis Schmidt, Jes s Mej a