Recent changes to this wiki. Not to be confused with my history.

Complete source to the wiki is available on gitweb or by cloning this site.

another todo
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index a8e3efbd..6be6d8d1 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -242,6 +242,11 @@ I need to find alternatives to:
  * gtk-recordmydesktop
  * usbguard applet
 
+### Cool things I want to try
+
+ * sway
+ * figure out what else is new in bullseye?
+
 ### Packages mistakenly removed
 
  * inkscape

explicitly note missing packages
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 15e86f97..a8e3efbd 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -224,6 +224,24 @@ See also the official list of [known issues](https://www.debian.org/releases/bul
 
 ## Pending
 
+### Critical packages missing
+
+In the "removed packages" list above, i have decided to keep the
+following, even if they don't make it to bullseye:
+
+ * elpy - keeping until i switch to LSP? hopefully it will make it too
+ * syncmaildir - my email sync! maybe i can try another
+ * qalculate-gtk - it will get back on its feet, i'm sure
+
+I also particularly need to pay attention to usbguard, as it's quite
+possible I won't be able to do anything after reboot. :p
+
+I need to find alternatives to:
+
+ * gocode
+ * gtk-recordmydesktop
+ * usbguard applet
+
 ### Packages mistakenly removed
 
  * inkscape

disk space (mostly) resolved
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index c97043fa..15e86f97 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -224,39 +224,6 @@ See also the official list of [known issues](https://www.debian.org/releases/bul
 
 ## Pending
 
-### Too much stuff
-
-I have too much stuff on my computers. I was already a bit short on my
-`/` partition before the upgrade:
-
-    Filesystem                  Size  Used Avail Use% Mounted on
-    /dev/mapper/curie--vg-root   28G   25G  2.8G  90% /
-
-The upgrade downloaded ~7GB of Debian packages, and required an extra
-4.5GB of disk space! Clearly that wouldn't do here, so I had to expand
-the root partition, which ended up like this after the upgrade:
-
-    Filesystem                  Size  Used Avail Use% Mounted on
-    /dev/mapper/curie--vg-root   38G   25G   13G  67% /
-
-I'm surprised that Debian bullseye now would use an extra 4GB of disk
-space! The [disk](https://www.debian.org/releases/testing/amd64/ch03s04.en.html) [requirements](https://www.debian.org/releases/testing/amd64/apds02.en.html) don't seem to have changed in
-decades, yet I keep having to pile up more disk space only to store
-software... We'll see what the end result will be.
-
-Packages I could remove:
-
- * `php*` - maybe some leftover of a dev environment?
-
-After the complete upgrade procedure (but before removing the extra
-kernel):
-
-    Filesystem                  Size  Used Avail Use% Mounted on
-    /dev/mapper/curie--vg-root   38G   28G  9.1G  76% /
-
-So the upgrade *did* use about 3-4GB of disk space, which is quite
-significant!
-
 ### Packages mistakenly removed
 
  * inkscape
@@ -388,6 +355,41 @@ around packaging (which would fix this issue). It also meant it
 totally lost the mails, because postfix panicked and drop the mails
 when it couldn't generate a bounce either.
 
+### Not enough disk space
+
+I have too much stuff on my computers. I was already a bit short on my
+`/` partition before the upgrade:
+
+    Filesystem                  Size  Used Avail Use% Mounted on
+    /dev/mapper/curie--vg-root   28G   25G  2.8G  90% /
+
+The upgrade downloaded ~7GB of Debian packages, and required an extra
+4.5GB of disk space! Clearly that wouldn't do here, so I had to expand
+the root partition, which ended up like this after the upgrade:
+
+    Filesystem                  Size  Used Avail Use% Mounted on
+    /dev/mapper/curie--vg-root   38G   25G   13G  67% /
+
+I'm surprised that Debian bullseye now would use an extra 4GB of disk
+space! The [disk](https://www.debian.org/releases/testing/amd64/ch03s04.en.html) [requirements](https://www.debian.org/releases/testing/amd64/apds02.en.html) don't seem to have changed in
+decades, yet I keep having to pile up more disk space only to store
+software... We'll see what the end result will be.
+
+Packages I have removed:
+
+ * `php*` - maybe some leftover of a dev environment?
+
+After the complete upgrade procedure (but before removing the extra
+kernel):
+
+    Filesystem                  Size  Used Avail Use% Mounted on
+    /dev/mapper/curie--vg-root   38G   28G  9.1G  76% /
+
+So the upgrade *did* use about 3-4GB of disk space, which is quite
+significant!
+
+Maybe there's a way to figure out which package ate all that much?
+
 # Troubleshooting
 
 ## Upgrade failures

fix path to clean_conflicts (which was ran)
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index ffd9fe3f..c97043fa 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -96,7 +96,7 @@ after a reboot. And yes, that's even more dangerous.
         export DEBIAN_FRONTEND=noninteractive APT_LISTCHANGES_FRONTEND=none APT_LISTBUGS_FRONTEND=none &&
         apt full-upgrade -y -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' &&
         printf "\a" &&
-        /home/anarcat/src/koumbit-scripts/bin/clean_conflicts &&
+        /home/anarcat/src/koumbit-scripts/vps/clean_conflicts &&
         printf "End of Step 5\a\n"
 
  6. Post-upgrade procedures:

outline one problem with apt-list
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 251beb41..ffd9fe3f 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -483,7 +483,9 @@ this, since APT adopted the aptitude patterns:
 
     apt list '?obsolete'
 
-It's unclear how it differs from the above.
+It works well, and the output is digestible, but it will not catch
+versions on the local machine *newer* than in the archive, which might
+be a problem in some cases.
 
 # References
 

lack of time: mostly done, just need to reboot curie
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 4e7722dc..251beb41 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -265,11 +265,6 @@ significant!
 
 Workaround: `apt install $PACKAGE`
 
-### Lack of time
-
-Lacked the time to complete the upgrade on curie, at step 6. Still
-need to fix puppet at the very least, and the remaining stuff.
-
 ### Puppet breaks in bullseye/sid
 
 testing has this ... peculiar notion of itself. instead of announcing

more removed packages, kind of worrisome that smd thing
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 7fd600fd..4e7722dc 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -192,18 +192,29 @@ list.
 
 ## Removed packages
 
+ * [apt-venv](https://tracker.debian.org/pkg/apt-venv) was removed because of an [invalid email address](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=979347),
+   seems silly but I guess it makes sense
+ * [debirf](https://tracker.debian.org/pkg/debirf) also had critical bugs, although there's still hope for
+   that guy
+ * [elpy](https://tracker.debian.org/pkg/elpy) is also [failing its test suite](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=975535) but hopefully should
+   make it back when that's fixed (although switching to LSP is also
+   an option here)
  * [gocode was removed](https://bugs.debian.org/976642) along with elpa-company-go, need to switch
    to gopls
+ * [gtk-recordmydesktop](https://tracker.debian.org/pkg/gtk-recordmydesktop) - Python 2, dead upstream, see [bug 943983](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=943983)
  * Python 2 support is removed! hopefully most of my stuff is already
    Python 3, but I did lose monkeysign and gameclock, as mentioned above
  * Mailman 2 is consequently removed
+ * [syncmaildir](https://tracker.debian.org/pkg/syncmaildir) has a [FTBFS](https://bugs.debian.org/975227) and has been removed from
+   testing, seems like it is in bad shape
+ * [qalculate-gtk](https://tracker.debian.org/pkg/qalculate-gtk), my dearest calculator, was dropped from testing
+   too! a team picked up the package, but too late it seems :/
  * usbguard-applet-qt - [removed 0.7.5](https://tracker.debian.org/news/1069337/accepted-usbguard-075ds-1-source-into-unstable/) from [usbguard](https://tracker.debian.org/pkg/usbguard)
    [upstream](https://usbguard.github.io/), with the idea that it was a proof of concept and
    would be maintained outside of the main tree, but no clear
    candidate has emerged just yet, see [this upstream issue](https://github.com/USBGuard/usbguard/issues/334), [this
    fork](https://github.com/pinotree/usbguard-applet-qt), [usbguard-gnome](https://github.com/6E006B/usbguard-gnome), [usbguard-notifier](https://github.com/Cropi/usbguard-notifier) and also
    [usbauth-all](https://github.com/kochstefan/usbauth-all), none packaged in Debian
- * [gtk-recordmydesktop](https://tracker.debian.org/pkg/gtk-recordmydesktop) - Python 2, dead upstream, see [bug 943983](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=943983)
 
 See also the [noteworthy obsolete packages](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.en.html#noteworthy-obsolete-packages) list.
 

disk space update
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index f674905d..7fd600fd 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -218,12 +218,14 @@ See also the official list of [known issues](https://www.debian.org/releases/bul
 I have too much stuff on my computers. I was already a bit short on my
 `/` partition before the upgrade:
 
+    Filesystem                  Size  Used Avail Use% Mounted on
     /dev/mapper/curie--vg-root   28G   25G  2.8G  90% /
 
 The upgrade downloaded ~7GB of Debian packages, and required an extra
 4.5GB of disk space! Clearly that wouldn't do here, so I had to expand
 the root partition, which ended up like this after the upgrade:
 
+    Filesystem                  Size  Used Avail Use% Mounted on
     /dev/mapper/curie--vg-root   38G   25G   13G  67% /
 
 I'm surprised that Debian bullseye now would use an extra 4GB of disk
@@ -235,7 +237,16 @@ Packages I could remove:
 
  * `php*` - maybe some leftover of a dev environment?
 
-### Packages mistakenly removed:
+After the complete upgrade procedure (but before removing the extra
+kernel):
+
+    Filesystem                  Size  Used Avail Use% Mounted on
+    /dev/mapper/curie--vg-root   38G   28G  9.1G  76% /
+
+So the upgrade *did* use about 3-4GB of disk space, which is quite
+significant!
+
+### Packages mistakenly removed
 
  * inkscape
  * gnuradio

browserpass mostly resolved
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 99a3b6b3..f674905d 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -235,30 +235,6 @@ Packages I could remove:
 
  * `php*` - maybe some leftover of a dev environment?
 
-### Browserpass fails to upgrade
-
-Upgrade crashed on this:
-
-```
-dpkg: error processing archive /var/cache/apt/archives/webext-browserpass_3.7.2-1+b1_amd64.deb (--unpack):
- unable to open '/usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/browserpass@maximbaz.com/icon.png.dpkg-new': No such file or directory
-Reinstalling /etc/chromium/native-messaging-hosts/com.dannyvankooten.browserpass.json that was moved away
-Errors were encountered while processing:
- /var/cache/apt/archives/webext-browserpass_3.7.2-1+b1_amd64.deb
-```
-
-This is [bug #982758](https://bugs.debian.org/982758). Workaround:
-
-    apt purge webext-browserpass
-
-If the upgrade crashed, purge the package with the same Dpkg options:
-
-    apt -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' purge webext-browserpass
-
-Once the upgrade is completed, just reinstall:
-
-    apt install webext-browserpass
-
 ### Packages mistakenly removed:
 
  * inkscape
@@ -350,6 +326,30 @@ the first place?
 
 ## Resolved
 
+### Browserpass fails to upgrade
+
+Upgrade crashed on this:
+
+```
+dpkg: error processing archive /var/cache/apt/archives/webext-browserpass_3.7.2-1+b1_amd64.deb (--unpack):
+ unable to open '/usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/browserpass@maximbaz.com/icon.png.dpkg-new': No such file or directory
+Reinstalling /etc/chromium/native-messaging-hosts/com.dannyvankooten.browserpass.json that was moved away
+Errors were encountered while processing:
+ /var/cache/apt/archives/webext-browserpass_3.7.2-1+b1_amd64.deb
+```
+
+This is [bug #982758](https://bugs.debian.org/982758). Workaround:
+
+    apt purge webext-browserpass
+
+If the upgrade crashed, purge the package with the same Dpkg options:
+
+    apt -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' purge webext-browserpass
+
+Once the upgrade is completed, just reinstall:
+
+    apt install webext-browserpass
+
 ### i3-focus and rsendmail delivery failed
 
 I have this custom [i3-focus](https://gitlab.com/anarcat/scripts/blob/master/i3-focus) script to improve on the "alt-tab"

sort
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index c4f2c20b..99a3b6b3 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -127,90 +127,6 @@ after a reboot. And yes, that's even more dangerous.
         apt-forktracer | sort
         printf "All procedures completed\a\n" &&
 
-## Finding orphaned and weird packages
-
-The [apt-forktracer](https://owsiany.pl/apt-forktracer-page) call used to have many other different
-incantations, and it's not yet clear that it does everything we
-need. What we want to find are basically packages that are not
-"canonical Debian packages", which are shipped by the stable Debian
-distribution. Those are typically called "obsolete" packages in
-Debian, but that term is somewhat to narrow, as I also want to
-consider packages that were *never* part of Debian at all.
-
-Weirdly, the release notes suggest *three* different methods to do
-this, in different part of the documentation. (Filed this as a bug in
-[987017](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987017).)
-
-This section tries to figure out the right way forward. See also [step
-4.2.2](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-upgrading.en.html#removing-non-debian-packages), [4.8](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-upgrading.en.html#obsolete) and [this forum](https://askubuntu.com/questions/98223/how-do-i-get-a-list-of-obsolete-packages).
-
-### aptitude search 1
-
-This is the first way I found:
-
-    aptitude search '?narrow(?not(?archive("^[^n][^o][^w].*$")),?version(CURRENT))'
-
-This incantation comes from the
-[[cross-upgrade|services/upgrades/cross-architecture/]]
-documentation. It selects packages that are currently installed
-(`?narrow(...,?version(CURRENT))`) from an archive other than "now"
-(`?not(?archive("^[^n][^o][^w].*$")`). This was cargo-culted from
-[Ewan's cross-upgrading documentation](http://www.nanonanonano.net/linux/debian/crossgrading).
-
-Nowadays, the release notes actually suggest a similar pattern:
-
-    aptitude search '?narrow(?installed, ?not(?origin(Debian)))'
-
-### apt-show-versions
-
-I also found this somewhat works to find weird packages:
-
-    apt-show-versions | grep -v /bullseye
-
-This uses the more flexible [[!debpkg apt-show-version]] to list
-everything that is not in the `bullseye` repository. But the regex
-could hide third-party repositories that happen to reuse that
-codename. It can also yield strange results like:
-
-    linux-libc-dev:i386 not installed
-
-Those are presumably harmless, so this might be a better call:
-
-    apt-show-versions | grep -v /bullseye | grep -v 'not installed$'
-
-... to filter out those packages.
-
-### aptitude 2: ~obsolete
-
-Then the release notes also suggest this:
-
-    aptitude search '?obsolete'
-    
-This command has been recommended to [find obsolete packages](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-upgrading.en.html#obsolete)
-[since buster](https://www.debian.org/releases/buster/amd64/release-notes/ch-upgrading.en.html#obsolete).
-
-### apt-forktracer
-
-This one is fairly new to the game, at least as far as I am concerned:
-
-    apt-forktracer | sort
-
-This will not find packages that are from a *newer* version (for
-example from "testing" in "stable").
-
-It's *also* recommended by the release notes. I've settled on it
-because its output is so much simpler, but I still need to compare the
-various results.
-
-### apt list
-
-Starting from bullseye, ironically, we have *another* way of doing
-this, since APT adopted the aptitude patterns:
-
-    apt list '?obsolete'
-
-It's unclear how it differs from the above.
-
 # Notable changes
 
 Here are some packages with notable version changes that I
@@ -468,6 +384,90 @@ If there's any trouble during reboots, you should use some recovery
 system. The [release notes actually have good documentation on
 that](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-upgrading.en.html#recovery), on top of "use a live filesystem".
 
+## Finding orphaned and weird packages
+
+The [apt-forktracer](https://owsiany.pl/apt-forktracer-page) call above used to have many other different
+incantations, and it's not yet clear that it does everything we
+need. What we want to find are basically packages that are not
+"canonical Debian packages", which are shipped by the stable Debian
+distribution. Those are typically called "obsolete" packages in
+Debian, but that term is somewhat to narrow, as I also want to
+consider packages that were *never* part of Debian at all.
+
+Weirdly, the release notes suggest *three* different methods to do
+this, in different part of the documentation. (Filed this as a bug in
+[987017](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987017).)
+
+This section tries to figure out the right way forward. See also [step
+4.2.2](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-upgrading.en.html#removing-non-debian-packages), [4.8](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-upgrading.en.html#obsolete) and [this forum](https://askubuntu.com/questions/98223/how-do-i-get-a-list-of-obsolete-packages).
+
+### aptitude search 1
+
+This is the first way I found:
+
+    aptitude search '?narrow(?not(?archive("^[^n][^o][^w].*$")),?version(CURRENT))'
+
+This incantation comes from the
+[[cross-upgrade|services/upgrades/cross-architecture/]]
+documentation. It selects packages that are currently installed
+(`?narrow(...,?version(CURRENT))`) from an archive other than "now"
+(`?not(?archive("^[^n][^o][^w].*$")`). This was cargo-culted from
+[Ewan's cross-upgrading documentation](http://www.nanonanonano.net/linux/debian/crossgrading).
+
+Nowadays, the release notes actually suggest a similar pattern:
+
+    aptitude search '?narrow(?installed, ?not(?origin(Debian)))'
+
+### apt-show-versions
+
+I also found this somewhat works to find weird packages:
+
+    apt-show-versions | grep -v /bullseye
+
+This uses the more flexible [[!debpkg apt-show-version]] to list
+everything that is not in the `bullseye` repository. But the regex
+could hide third-party repositories that happen to reuse that
+codename. It can also yield strange results like:
+
+    linux-libc-dev:i386 not installed
+
+Those are presumably harmless, so this might be a better call:
+
+    apt-show-versions | grep -v /bullseye | grep -v 'not installed$'
+
+... to filter out those packages.
+
+### aptitude 2: ~obsolete
+
+Then the release notes also suggest this:
+
+    aptitude search '?obsolete'
+    
+This command has been recommended to [find obsolete packages](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-upgrading.en.html#obsolete)
+[since buster](https://www.debian.org/releases/buster/amd64/release-notes/ch-upgrading.en.html#obsolete).
+
+### apt-forktracer
+
+This one is fairly new to the game, at least as far as I am concerned:
+
+    apt-forktracer | sort
+
+This will not find packages that are from a *newer* version (for
+example from "testing" in "stable").
+
+It's *also* recommended by the release notes. I've settled on it
+because its output is so much simpler, but I still need to compare the
+various results.
+
+### apt list
+
+Starting from bullseye, ironically, we have *another* way of doing
+this, since APT adopted the aptitude patterns:
+
+    apt list '?obsolete'
+
+It's unclear how it differs from the above.
+
 # References
 
  * [Official guide](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-upgrading.en.html) (WIP)

u2f oddity
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index ed8b5468..c4f2c20b 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -347,6 +347,7 @@ Once the upgrade is completed, just reinstall:
 
  * inkscape
  * gnuradio
+ * libu2f-host0 - need to test if u2f works without it in firefox/chrome
 
 Workaround: `apt install $PACKAGE`
 

browserpass workaround
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index eb7cbb63..ed8b5468 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -333,9 +333,15 @@ Errors were encountered while processing:
 
 This is [bug #982758](https://bugs.debian.org/982758). Workaround:
 
+    apt purge webext-browserpass
+
+If the upgrade crashed, purge the package with the same Dpkg options:
+
     apt -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' purge webext-browserpass
 
-Presumably it can be reinstalled after?
+Once the upgrade is completed, just reinstall:
+
+    apt install webext-browserpass
 
 ### Packages mistakenly removed:
 

more python libs fail
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 2d582343..eb7cbb63 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -105,6 +105,10 @@ after a reboot. And yes, that's even more dangerous.
         puppet agent --enable &&
         puppet agent -t --noop &&
         (puppet agent -t || true) &&
+        : reinstall Python packages to follow Python upgrade &&
+        for package in rsendmail pubpaste ; do
+            cd ~/src/$package && pip3 install .
+        done &&
         systemctl start apt-daily.timer &&
         printf "End of Step 6\a\n" &&
         shutdown -r +1 "rebooting to get rid of old kernel image..."
@@ -423,7 +427,7 @@ the first place?
 
 ## Resolved
 
-### i3-focus failed
+### i3-focus and rsendmail delivery failed
 
 I have this custom [i3-focus](https://gitlab.com/anarcat/scripts/blob/master/i3-focus) script to improve on the "alt-tab"
 behavior, which depends on a python library not in Debian. I have this
@@ -436,6 +440,14 @@ upgrade. Doing this fixed it:
     .virtualenvs/i3_py/bin/pip3 install i3_py
     rm -rf .virtualenvs/i3_py.orig
 
+This is presumably because Python libraries get installed in a
+version-specific directory...
+
+Note that this also crashed [rsendmail](https://gitlab.com/anarcat/rsendmail) which I really need to get
+around packaging (which would fix this issue). It also meant it
+totally lost the mails, because postfix panicked and drop the mails
+when it couldn't generate a bounce either.
+
 # Troubleshooting
 
 ## Upgrade failures

puppet snafu
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index c3218e04..2d582343 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -345,6 +345,82 @@ Workaround: `apt install $PACKAGE`
 Lacked the time to complete the upgrade on curie, at step 6. Still
 need to fix puppet at the very least, and the remaining stuff.
 
+### Puppet breaks in bullseye/sid
+
+testing has this ... peculiar notion of itself. instead of announcing
+itself like a normal Debian stable release, for example:
+
+    anarcat@angela:~(main)$ lsb_release -a
+    No LSB modules are available.
+    Distributor ID:	Debian
+    Description:	Debian GNU/Linux 10 (buster)
+    Release:	10
+    Codename:	buster
+
+It is kind of unsure about its identity:
+
+    vagrant@testing:~$ lsb_release -a
+    No LSB modules are available.
+    Distributor ID:	Debian
+    Description:	Debian GNU/Linux bullseye/sid
+    Release:	testing/unstable
+    Codename:	n/a
+
+When you know how Debian works (that `testing` is really just an old,
+partial copy of `unstable`), that makes sense. But when you create
+Puppet manifests, you expect stuff like:
+
+    if $facts['os']['release']['major'] < 11 {
+        # stuff before bullseye
+    } else {
+        # stuff after bullseye
+    }
+
+To just work. But they don't. In bullseye/sid/testing/unstable,
+however you want to call it, `os.release.major` is actually
+"bullseye/sid". Not "bullseye", not "sid", and, of course, not
+"11". "bullseye/sid". So obviously that just totally breaks when
+comparing to "11".
+
+I tried patching `/etc/os-release`:
+
+    cat >> /etc/os-release <<EOF
+    VERSION_ID="11"
+    VERSION="11 (bullseye)"
+    VERSION_CODENAME=bullseye
+    EOF
+
+But that doesn't seem to work: it looks like `facter -p`, at least,
+takes the major/minor information from... `/etc/debian_version`! So
+you actually need to do this to fix your manifests:
+
+    echo 11.0 > /etc/debian_version
+
+But that's really... quite a hack. To workaround this from the Puppet
+side, I ended up doing this ugly kludge:
+
+    # remove packages gone from bullseye
+    #
+    # XXX: we should really use < 11 here, but os.release.major is
+    # actually "bullseye/sid" now? ouch?
+    #
+    # remove this when we stop supporting buster
+    $bullseye_removed = $facts['os']['distro']['codename'] ? {
+      'bullseye/sid' => absent,
+      'bullseye' => absent,
+      default => present,
+    }
+    package { 'gtk-recordmydesktop':
+      ensure => $bullseye_removed,
+    }
+
+It's unclear to me here where the fault lies. On the one hand, it
+seems that Puppet shouldn't change the type of one of its core facts,
+but on the other, `/etc/debian_version` *is* `bullseye/sid`, a string
+and not a version, in testing/unstable in Debian... Garbage-in,
+garbage-out? Why don't we set a real version number there in Debian in
+the first place?
+
 ## Resolved
 
 ### i3-focus failed

more removed stuff
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 8d370bc1..c3218e04 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -277,9 +277,13 @@ list.
  * Python 2 support is removed! hopefully most of my stuff is already
    Python 3, but I did lose monkeysign and gameclock, as mentioned above
  * Mailman 2 is consequently removed
- * usbguard-applet-qt
- * qemu-kvm
- * gtk-recordmydesktop
+ * usbguard-applet-qt - [removed 0.7.5](https://tracker.debian.org/news/1069337/accepted-usbguard-075ds-1-source-into-unstable/) from [usbguard](https://tracker.debian.org/pkg/usbguard)
+   [upstream](https://usbguard.github.io/), with the idea that it was a proof of concept and
+   would be maintained outside of the main tree, but no clear
+   candidate has emerged just yet, see [this upstream issue](https://github.com/USBGuard/usbguard/issues/334), [this
+   fork](https://github.com/pinotree/usbguard-applet-qt), [usbguard-gnome](https://github.com/6E006B/usbguard-gnome), [usbguard-notifier](https://github.com/Cropi/usbguard-notifier) and also
+   [usbauth-all](https://github.com/kochstefan/usbauth-all), none packaged in Debian
+ * [gtk-recordmydesktop](https://tracker.debian.org/pkg/gtk-recordmydesktop) - Python 2, dead upstream, see [bug 943983](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=943983)
 
 See also the [noteworthy obsolete packages](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.en.html#noteworthy-obsolete-packages) list.
 

link to journald.conf(5) for details on storage
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 5f6540ef..8d370bc1 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -214,7 +214,7 @@ noticed.
 
  * [driverless scanning and printing](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-whats-new.en.html#driverless-operation)
  * persistent systemd journal, which might have some privacy issues
-   (`rm -rf /var/log/journal` to disable)
+   (`rm -rf /var/log/journal` to disable, see [journald.conf(5)](https://manpages.debian.org/bullseye/systemd/journald.conf.5.en.html))
  * last release to support non-merged /usr
  * security archive changed to `deb https://deb.debian.org/debian-security bullseye-security main contrib` (covered by script above)
  * the Intel VA-API driver might give performance boosts and battery

puppet should be a noop, abort otherwise
at least that way we can see what's up
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 09bbd853..5f6540ef 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -103,7 +103,7 @@ after a reboot. And yes, that's even more dangerous.
 
         apt-get update --allow-releaseinfo-change &&
         puppet agent --enable &&
-        (puppet agent -t || true) &&
+        puppet agent -t --noop &&
         (puppet agent -t || true) &&
         systemctl start apt-daily.timer &&
         printf "End of Step 6\a\n" &&

upgrade not finished
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 7970b0a0..09bbd853 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -277,6 +277,9 @@ list.
  * Python 2 support is removed! hopefully most of my stuff is already
    Python 3, but I did lose monkeysign and gameclock, as mentioned above
  * Mailman 2 is consequently removed
+ * usbguard-applet-qt
+ * qemu-kvm
+ * gtk-recordmydesktop
 
 See also the [noteworthy obsolete packages](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.en.html#noteworthy-obsolete-packages) list.
 
@@ -326,8 +329,33 @@ This is [bug #982758](https://bugs.debian.org/982758). Workaround:
 
 Presumably it can be reinstalled after?
 
+### Packages mistakenly removed:
+
+ * inkscape
+ * gnuradio
+
+Workaround: `apt install $PACKAGE`
+
+### Lack of time
+
+Lacked the time to complete the upgrade on curie, at step 6. Still
+need to fix puppet at the very least, and the remaining stuff.
+
 ## Resolved
 
+### i3-focus failed
+
+I have this custom [i3-focus](https://gitlab.com/anarcat/scripts/blob/master/i3-focus) script to improve on the "alt-tab"
+behavior, which depends on a python library not in Debian. I have this
+virtualenv to deploy it, but somehow it failed after the
+upgrade. Doing this fixed it:
+
+    mv .virtualenvs/i3_py/ .virtualenvs/i3_py.orig
+    python3 -m venv --system-site-packages ~/.virtualenvs/i3_py
+    cp .virtualenvs/i3_py.orig/bin/activate_this.py .virtualenvs/i3_py/bin/
+    .virtualenvs/i3_py/bin/pip3 install i3_py
+    rm -rf .virtualenvs/i3_py.orig
+
 # Troubleshooting
 
 ## Upgrade failures

toc
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index c3b496ea..7970b0a0 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -1,6 +1,6 @@
 [[!meta title="Bullseye upgrade"]]
 
-[[!toc]]
+[[!toc levels=3]]
 
 It's Debian major upgrade time again! My personal policy is generally
 to upgrade slightly before or during the freeze. This time I feel

start tracking new interesting packages
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 91625db6..c3b496ea 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -223,6 +223,10 @@ noticed.
    from its `$y$` prefix), a major change from the previous default,
    SHA-512 (recognizable from its `$6$` prefix, see [crypt(5)](https://manpages.debian.org/crypt.5))
 
+## New packages
+
+ * the Wayland rewrite of [i3](https://i3wm.org/), [sway](http://swaywm.org/)
+
 ## My packages
 
 In packages I maintain, those are the important changes:

major issue with browserpass upgrade
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 1765c745..91625db6 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -246,6 +246,7 @@ This table summarizes package version changes I find interesting.
 
 | Package     | Buster | Bullseye | Notes                                                                                                         |
 |-------------|--------|----------|---------------------------------------------------------------------------------------------------------------|
+| Browserpass | 2.0    | 3.7      | Major usability improvements                                                                                  |
 | Docker      | 18     | 20       | Docker made it for a second release                                                                           |
 | Emacs       | 26     | 27       | JSON parsing for LSP? ~/.config/emacs/? harfbuzz?? oh my! [details](https://emacsredux.com/blog/2020/08/13/emacs-27-1/)                                        |
 | Firefox     | 68     | 78       | 78 was already in buster-updates                                                                              |
@@ -303,6 +304,24 @@ Packages I could remove:
 
  * `php*` - maybe some leftover of a dev environment?
 
+### Browserpass fails to upgrade
+
+Upgrade crashed on this:
+
+```
+dpkg: error processing archive /var/cache/apt/archives/webext-browserpass_3.7.2-1+b1_amd64.deb (--unpack):
+ unable to open '/usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/browserpass@maximbaz.com/icon.png.dpkg-new': No such file or directory
+Reinstalling /etc/chromium/native-messaging-hosts/com.dannyvankooten.browserpass.json that was moved away
+Errors were encountered while processing:
+ /var/cache/apt/archives/webext-browserpass_3.7.2-1+b1_amd64.deb
+```
+
+This is [bug #982758](https://bugs.debian.org/982758). Workaround:
+
+    apt -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' purge webext-browserpass
+
+Presumably it can be reinstalled after?
+
 ## Resolved
 
 # Troubleshooting

more notable changes
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 00808b8f..1765c745 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -212,6 +212,9 @@ It's unclear how it differs from the above.
 Here are some packages with notable version changes that I
 noticed.
 
+ * [driverless scanning and printing](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-whats-new.en.html#driverless-operation)
+ * persistent systemd journal, which might have some privacy issues
+   (`rm -rf /var/log/journal` to disable)
  * last release to support non-merged /usr
  * security archive changed to `deb https://deb.debian.org/debian-security bullseye-security main contrib` (covered by script above)
  * the Intel VA-API driver might give performance boosts and battery

rearrange notable section, add issue
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index cd09c911..00808b8f 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -220,6 +220,8 @@ noticed.
    from its `$y$` prefix), a major change from the previous default,
    SHA-512 (recognizable from its `$6$` prefix, see [crypt(5)](https://manpages.debian.org/crypt.5))
 
+## My packages
+
 In packages I maintain, those are the important changes:
 
  * [charybdis](https://tracker.debian.org/pkg/charybdis) is not going to ship with bullseye at all, it has
@@ -235,9 +237,9 @@ In packages I maintain, those are the important changes:
  * [feed2exec](https://feed2exec.readthedocs.io/), [undertime](https://gitlab.com/anarcat/undertime/), [linkchecker](https://linkchecker.github.io/linkchecker), and
    [stressant](https://stressant.readthedocs.io/) are still alive and most are seeing modest upgrades
 
-Note that this table may not be up to date with the current bullseye
-release. See the [official release notes](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-whats-new.en.html#newdistro) for a more up to date
-list.
+## Updated packages
+
+This table summarizes package version changes I find interesting.
 
 | Package     | Buster | Bullseye | Notes                                                                                                         |
 |-------------|--------|----------|---------------------------------------------------------------------------------------------------------------|
@@ -256,6 +258,18 @@ list.
 [8.1]: http://www.openssh.com/txt/release-8.1
 [8.2]: http://www.openssh.com/txt/release-8.2
 
+Note that this table may not be up to date with the current bullseye
+release. See the [official release notes](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-whats-new.en.html#newdistro) for a more up to date
+list.
+
+## Removed packages
+
+ * [gocode was removed](https://bugs.debian.org/976642) along with elpa-company-go, need to switch
+   to gopls
+ * Python 2 support is removed! hopefully most of my stuff is already
+   Python 3, but I did lose monkeysign and gameclock, as mentioned above
+ * Mailman 2 is consequently removed
+
 See also the [noteworthy obsolete packages](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.en.html#noteworthy-obsolete-packages) list.
 
 # Issues
@@ -264,13 +278,27 @@ See also the official list of [known issues](https://www.debian.org/releases/bul
 
 ## Pending
 
-### Removed packages
+### Too much stuff
 
- * [gocode was removed](https://bugs.debian.org/976642) along with elpa-company-go, need to switch
-   to gopls
- * Python 2 support is removed! hopefully most of my stuff is already
-   Python 3, but I did lose monkeysign and gameclock, as mentioned above
- * Mailman 2 is consequently removed
+I have too much stuff on my computers. I was already a bit short on my
+`/` partition before the upgrade:
+
+    /dev/mapper/curie--vg-root   28G   25G  2.8G  90% /
+
+The upgrade downloaded ~7GB of Debian packages, and required an extra
+4.5GB of disk space! Clearly that wouldn't do here, so I had to expand
+the root partition, which ended up like this after the upgrade:
+
+    /dev/mapper/curie--vg-root   38G   25G   13G  67% /
+
+I'm surprised that Debian bullseye now would use an extra 4GB of disk
+space! The [disk](https://www.debian.org/releases/testing/amd64/ch03s04.en.html) [requirements](https://www.debian.org/releases/testing/amd64/apds02.en.html) don't seem to have changed in
+decades, yet I keep having to pile up more disk space only to store
+software... We'll see what the end result will be.
+
+Packages I could remove:
+
+ * `php*` - maybe some leftover of a dev environment?
 
 ## Resolved
 

add lead
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 74228f78..cd09c911 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -2,11 +2,33 @@
 
 [[!toc]]
 
+It's Debian major upgrade time again! My personal policy is generally
+to upgrade slightly before or during the freeze. This time I feel
+almost late because it seems we'll be releasing in almost a month now
+(May 2021, it's April 2021 now).
+
+This document contains my upgrade procedure, notable changes in the
+new version, issues I have stumbled upon (and possibly fixed), and
+troubleshooting instructions.
+
+It does not hope to replace the official documentation: it is a
+personal, living document that I have started keeping from [[jessie]].
+
 # Procedure
 
-WARNING: this procedure hasn't been tested.
+This procedure is designed to be applied, in batch, on multiple
+servers. Do NOT follow this procedure unless you are familiar with the
+command line and the Debian upgrade process. It has been crafted by
+and for experienced system administrators that have dozens if not
+hundreds of servers to upgrade.
 
-[TPA guide]: https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/upgrades/bullseye
+In particular, it runs almost completely unattended: configuration
+changes are not prompted during the upgrade, and just not applied at
+all, which *will* break services in many cases. I use a
+[clean-conflicts](https://gitlab.com/anarcat/koumbit-scripts/-/blob/master/vps/clean_conflicts) script to do this all in one shot to shorten the
+upgrade process (without it, configuration file changes stop the
+upgrade at more or less random times). Then those changes get applied
+after a reboot. And yes, that's even more dangerous.
 
  1. Preparation:
 
@@ -273,3 +295,5 @@ that](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-upgrading.
  * [DSA guide](https://dsa.debian.org/howto/upgrade-to-bullseye/) (WIP, reviewed)
  * [TPA guide][] (N/A yet)
  * [Solution proposal to automate this](https://wiki.debian.org/AutomatedUpgrade)
+
+[TPA guide]: https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/upgrades/bullseye

it's n+1 now
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 85eeadc3..74228f78 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -205,7 +205,7 @@ In packages I maintain, those are the important changes:
    [solanum](https://solanum.chat/), which should hopefully make it to bullseye-backports
    eventually
  * [gameclock](https://tracker.debian.org/pkg/gameclock) was removed from Debian: it's an old program which I
-   would need to rewrite to port *both* to Python 2 and GTK 2, and I
+   would need to rewrite to port *both* to Python 3 and GTK 3, and I
    just can't find the time. quite sad.
  * [monkeysign](https://tracker.debian.org/pkg/monkeysign) is also going away, but thankfully there are
    alternatives: caff still exists (in [signing-party](https://tracker.debian.org/pkg/signing-party)), as do
@@ -247,7 +247,7 @@ See also the official list of [known issues](https://www.debian.org/releases/bul
  * [gocode was removed](https://bugs.debian.org/976642) along with elpa-company-go, need to switch
    to gopls
  * Python 2 support is removed! hopefully most of my stuff is already
-   Python 2, but I did lose monkeysign and gameclock, as mentioned above
+   Python 3, but I did lose monkeysign and gameclock, as mentioned above
  * Mailman 2 is consequently removed
 
 ## Resolved

just skip listchanges as well
This takes a Loooooong time in a major release, as it basically needs
to uncompress *all* .debs! So just skip it.
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 354340d0..85eeadc3 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -71,7 +71,7 @@ WARNING: this procedure hasn't been tested.
 
  5. Actual upgrade run:
 
-        export DEBIAN_FRONTEND=noninteractive APT_LISTCHANGES_FRONTEND=mail APT_LISTBUGS_FRONTEND=none &&
+        export DEBIAN_FRONTEND=noninteractive APT_LISTCHANGES_FRONTEND=none APT_LISTBUGS_FRONTEND=none &&
         apt full-upgrade -y -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' &&
         printf "\a" &&
         /home/anarcat/src/koumbit-scripts/bin/clean_conflicts &&

more sources.list stuff
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 8dc378e6..354340d0 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -38,10 +38,15 @@ WARNING: this procedure hasn't been tested.
         puppet agent --disable "running major upgrade" &&
         : Check for pinned, on hold, packages, and possibly disable &&
         rm -f /etc/apt/preferences /etc/apt/preferences.d/* &&
-        rm -f /etc/apt/sources.list.d/testing.list &&
-        rm -f /etc/apt/sources.list.d/buster-backports.list &&
         rm -f /etc/apt/sources.list.d/backports.debian.org.list &&
+        rm -f /etc/apt/sources.list.d/backports.list &&
+        rm -f /etc/apt/sources.list.d/bullseye.list &&
+        rm -f /etc/apt/sources.list.d/buster-backports.list &&
+        rm -f /etc/apt/sources.list.d/experimental.list &&
+        rm -f /etc/apt/sources.list.d/incoming.list &&
         rm -f /etc/apt/sources.list.d/proposed-updates.list &&
+        rm -f /etc/apt/sources.list.d/sid.list &&
+        rm -f /etc/apt/sources.list.d/testing.list &&
         apt update && apt -y upgrade &&
         : list kernel images and purge unused packages &&
         dpkg -l 'linux-image-*' &&

use source path for clean conflicts
it's usually not deployed in /opt
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 3bc771b8..8dc378e6 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -68,7 +68,8 @@ WARNING: this procedure hasn't been tested.
 
         export DEBIAN_FRONTEND=noninteractive APT_LISTCHANGES_FRONTEND=mail APT_LISTBUGS_FRONTEND=none &&
         apt full-upgrade -y -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' &&
-        /opt/bin/clean_conflicts &&
+        printf "\a" &&
+        /home/anarcat/src/koumbit-scripts/bin/clean_conflicts &&
         printf "End of Step 5\a\n"
 
  6. Post-upgrade procedures:

disable list-bugs, we're (over) confident
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index f3059a53..3bc771b8 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -66,7 +66,7 @@ WARNING: this procedure hasn't been tested.
 
  5. Actual upgrade run:
 
-        export DEBIAN_FRONTEND=noninteractive APT_LISTCHANGES_FRONTEND=mail &&
+        export DEBIAN_FRONTEND=noninteractive APT_LISTCHANGES_FRONTEND=mail APT_LISTBUGS_FRONTEND=none &&
         apt full-upgrade -y -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' &&
         /opt/bin/clean_conflicts &&
         printf "End of Step 5\a\n"

fix sources.list rewrite
we were rewriting the -security line before it matched
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 56f0ab66..f3059a53 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -54,8 +54,8 @@ WARNING: this procedure hasn't been tested.
     download packages:
 
         systemctl stop apt-daily.timer &&
+        sed -i 's#buster/updates#bullseye-security#' /etc/apt/sources.list $(ls /etc/apt/sources.list.d/*) &&
         sed -i 's/buster/bullseye/g' /etc/apt/sources.list $(ls /etc/apt/sources.list.d/*) &&
-        sed -i 's,buster/updates,bullseye-security,' /etc/apt/sources.list $(ls /etc/apt/sources.list.d/*) &&
         apt update &&
         ( apt -o APT::Get::Trivial-Only=true dist-upgrade || true ) &&
         df -h &&

more bullseye docs
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index e9d190f0..56f0ab66 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -163,6 +163,9 @@ This one is fairly new to the game, at least as far as I am concerned:
 
     apt-forktracer | sort
 
+This will not find packages that are from a *newer* version (for
+example from "testing" in "stable").
+
 It's *also* recommended by the release notes. I've settled on it
 because its output is so much simpler, but I still need to compare the
 various results.
@@ -181,8 +184,6 @@ It's unclear how it differs from the above.
 Here are some packages with notable version changes that I
 noticed.
 
- * Python 2 support is removed!
- * Mailman 2 is consequently removed
  * last release to support non-merged /usr
  * security archive changed to `deb https://deb.debian.org/debian-security bullseye-security main contrib` (covered by script above)
  * the Intel VA-API driver might give performance boosts and battery
@@ -235,6 +236,14 @@ See also the official list of [known issues](https://www.debian.org/releases/bul
 
 ## Pending
 
+### Removed packages
+
+ * [gocode was removed](https://bugs.debian.org/976642) along with elpa-company-go, need to switch
+   to gopls
+ * Python 2 support is removed! hopefully most of my stuff is already
+   Python 2, but I did lose monkeysign and gameclock, as mentioned above
+ * Mailman 2 is consequently removed
+
 ## Resolved
 
 # Troubleshooting

apt-list is a thing too now
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 63337bdf..e9d190f0 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -152,7 +152,7 @@ Those are presumably harmless, so this might be a better call:
 
 Then the release notes also suggest this:
 
-    aptitude search '~obsolete'
+    aptitude search '?obsolete'
     
 This command has been recommended to [find obsolete packages](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-upgrading.en.html#obsolete)
 [since buster](https://www.debian.org/releases/buster/amd64/release-notes/ch-upgrading.en.html#obsolete).
@@ -167,6 +167,15 @@ It's *also* recommended by the release notes. I've settled on it
 because its output is so much simpler, but I still need to compare the
 various results.
 
+### apt list
+
+Starting from bullseye, ironically, we have *another* way of doing
+this, since APT adopted the aptitude patterns:
+
+    apt list '?obsolete'
+
+It's unclear how it differs from the above.
+
 # Notable changes
 
 Here are some packages with notable version changes that I

switch to forktracer and discuss alternatives
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index c1823c7d..63337bdf 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -47,7 +47,7 @@ WARNING: this procedure hasn't been tested.
         dpkg -l 'linux-image-*' &&
         : look for packages from backports, other suites or archives &&
         : if possible, switch to official packages by disabling third-party repositories &&
-        apt-forktracer &&
+        apt-forktracer | sort &&
         printf "End of Step 3\a\n"
 
  4. Check free space, see [this guide to free up space][] and
@@ -92,22 +92,53 @@ WARNING: this procedure hasn't been tested.
         # review and purge older kernel if the new one boots properly
         dpkg -l 'linux-image*'
         # review packages that are not in the new distribution
-        aptitude search '?narrow(?not(?archive("^[^n][^o][^w].*$")),?version(CURRENT))'
+        apt-forktracer | sort
         printf "All procedures completed\a\n" &&
 
-TODO: update this.
+## Finding orphaned and weird packages
 
-The last incantation comes from the
+The [apt-forktracer](https://owsiany.pl/apt-forktracer-page) call used to have many other different
+incantations, and it's not yet clear that it does everything we
+need. What we want to find are basically packages that are not
+"canonical Debian packages", which are shipped by the stable Debian
+distribution. Those are typically called "obsolete" packages in
+Debian, but that term is somewhat to narrow, as I also want to
+consider packages that were *never* part of Debian at all.
+
+Weirdly, the release notes suggest *three* different methods to do
+this, in different part of the documentation. (Filed this as a bug in
+[987017](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987017).)
+
+This section tries to figure out the right way forward. See also [step
+4.2.2](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-upgrading.en.html#removing-non-debian-packages), [4.8](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-upgrading.en.html#obsolete) and [this forum](https://askubuntu.com/questions/98223/how-do-i-get-a-list-of-obsolete-packages).
+
+### aptitude search 1
+
+This is the first way I found:
+
+    aptitude search '?narrow(?not(?archive("^[^n][^o][^w].*$")),?version(CURRENT))'
+
+This incantation comes from the
 [[cross-upgrade|services/upgrades/cross-architecture/]]
 documentation. It selects packages that are currently installed
 (`?narrow(...,?version(CURRENT))`) from an archive other than "now"
 (`?not(?archive("^[^n][^o][^w].*$")`). This was cargo-culted from
-[Ewan's cross-upgrading documentation](http://www.nanonanonano.net/linux/debian/crossgrading). Another way to do this is
-with [[!debpkg apt-show-version]]:
+[Ewan's cross-upgrading documentation](http://www.nanonanonano.net/linux/debian/crossgrading).
+
+Nowadays, the release notes actually suggest a similar pattern:
+
+    aptitude search '?narrow(?installed, ?not(?origin(Debian)))'
+
+### apt-show-versions
+
+I also found this somewhat works to find weird packages:
 
     apt-show-versions | grep -v /bullseye
 
-... although that yields strange results like:
+This uses the more flexible [[!debpkg apt-show-version]] to list
+everything that is not in the `bullseye` repository. But the regex
+could hide third-party repositories that happen to reuse that
+codename. It can also yield strange results like:
 
     linux-libc-dev:i386 not installed
 
@@ -115,16 +146,26 @@ Those are presumably harmless, so this might be a better call:
 
     apt-show-versions | grep -v /bullseye | grep -v 'not installed$'
 
-Update: the first incantation was updated to use `apt-forktracer`
-instead.
+... to filter out those packages.
+
+### aptitude 2: ~obsolete
+
+Then the release notes also suggest this:
+
+    aptitude search '~obsolete'
+    
+This command has been recommended to [find obsolete packages](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-upgrading.en.html#obsolete)
+[since buster](https://www.debian.org/releases/buster/amd64/release-notes/ch-upgrading.en.html#obsolete).
+
+### apt-forktracer
 
-TODO: also consider [obsolete packages](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-upgrading.en.html#obsolete)? This command was actually
-introduced in the buster release notes:
+This one is fairly new to the game, at least as far as I am concerned:
 
-    aptitude search '~o'
+    apt-forktracer | sort
 
-... but it's possibly cruft that could be replaced by `apt-forktracer`
-or `apt list ~obsolete` as well. See also [step 4.2.2](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-upgrading.en.html#removing-non-debian-packages) and [this forum](https://askubuntu.com/questions/98223/how-do-i-get-a-list-of-obsolete-packages).
+It's *also* recommended by the release notes. I've settled on it
+because its output is so much simpler, but I still need to compare the
+various results.
 
 # Notable changes
 

reviewed the TPA buster procedure
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 620ffe01..c1823c7d 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -4,8 +4,7 @@
 
 # Procedure
 
-WARNING: this procedure hasn't been tested. Also compare with the [TPA
-guide][] before running.
+WARNING: this procedure hasn't been tested.
 
 [TPA guide]: https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/upgrades/bullseye
 

trivial ordering?
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 7da2a9f3..620ffe01 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -85,8 +85,8 @@ guide][] before running.
  7. Post-upgrade checks:
 
         apt purge $(dpkg -l | awk '/^rc/ { print $2 }') # purge removed packages
-        apt purge $(deborphan --guess-dummy)
         apt autoremove -y --purge
+        apt purge $(deborphan --guess-dummy)
         while deborphan -n | grep -q . ; do apt purge $(deborphan -n); done
         apt autoremove -y --purge
         apt clean

reboot in post
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 259af78d..7da2a9f3 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -80,6 +80,7 @@ guide][] before running.
         (puppet agent -t || true) &&
         systemctl start apt-daily.timer &&
         printf "End of Step 6\a\n" &&
+        shutdown -r +1 "rebooting to get rid of old kernel image..."
 
  7. Post-upgrade checks:
 
@@ -89,8 +90,7 @@ guide][] before running.
         while deborphan -n | grep -q . ; do apt purge $(deborphan -n); done
         apt autoremove -y --purge
         apt clean
-        reboot
-        # review and purge older kernel once the new one boots properly
+        # review and purge older kernel if the new one boots properly
         dpkg -l 'linux-image*'
         # review packages that are not in the new distribution
         aptitude search '?narrow(?not(?archive("^[^n][^o][^w].*$")),?version(CURRENT))'

disable and re-enable puppet and auto-upgrades
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 7b69542f..259af78d 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -36,6 +36,7 @@ guide][] before running.
 
  3. Perform any pending upgrade and clear out old pins:
 
+        puppet agent --disable "running major upgrade" &&
         : Check for pinned, on hold, packages, and possibly disable &&
         rm -f /etc/apt/preferences /etc/apt/preferences.d/* &&
         rm -f /etc/apt/sources.list.d/testing.list &&
@@ -53,6 +54,7 @@ guide][] before running.
  4. Check free space, see [this guide to free up space][] and
     download packages:
 
+        systemctl stop apt-daily.timer &&
         sed -i 's/buster/bullseye/g' /etc/apt/sources.list $(ls /etc/apt/sources.list.d/*) &&
         sed -i 's,buster/updates,bullseye-security,' /etc/apt/sources.list $(ls /etc/apt/sources.list.d/*) &&
         apt update &&
@@ -70,7 +72,16 @@ guide][] before running.
         /opt/bin/clean_conflicts &&
         printf "End of Step 5\a\n"
 
- 5. Post-upgrade checks:
+ 6. Post-upgrade procedures:
+
+        apt-get update --allow-releaseinfo-change &&
+        puppet agent --enable &&
+        (puppet agent -t || true) &&
+        (puppet agent -t || true) &&
+        systemctl start apt-daily.timer &&
+        printf "End of Step 6\a\n" &&
+
+ 7. Post-upgrade checks:
 
         apt purge $(dpkg -l | awk '/^rc/ { print $2 }') # purge removed packages
         apt purge $(deborphan --guess-dummy)

trivial-only can fail, apparently
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 90506718..7b69542f 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -55,7 +55,9 @@ guide][] before running.
 
         sed -i 's/buster/bullseye/g' /etc/apt/sources.list $(ls /etc/apt/sources.list.d/*) &&
         sed -i 's,buster/updates,bullseye-security,' /etc/apt/sources.list $(ls /etc/apt/sources.list.d/*) &&
-        apt update && apt -o APT::Get::Trivial-Only=true dist-upgrade && df -h &&
+        apt update &&
+        ( apt -o APT::Get::Trivial-Only=true dist-upgrade || true ) &&
+        df -h &&
         apt -y -d full-upgrade &&
         printf "End of Step 4\a\n"
 

cleaner way to do the aptitude backup
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 18199111..90506718 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -20,9 +20,7 @@ guide][] before running.
 
         ( 
           umask 0077 &&
-          tar cf /var/backups/pre-bullseye-backup.tar /etc /var/lib/dpkg /var/lib/apt/extended_states /var/cache/debconf &&
-          ( tar -A -f /var/backups/pre-bullseye-backup.tar /var/lib/aptitude/pkgstates || true ) &&
-          gzip /var/backups/pre-bullseye-backup.tar &&
+          tar cfz /var/backups/pre-bullseye-backup.tgz /etc /var/lib/dpkg /var/lib/apt/extended_states /var/cache/debconf $( [ -e /var/lib/aptitude/pkgstates ] && echo /var/lib/aptitude/pkgstates ) &&
           dpkg --get-selections "*" > /var/backups/dpkg-selections-pre-bullseye.txt &&
           debconf-get-selections > /var/backups/debconf-selections-pre-bullseye.txt
         ) &&

import bell hack from TPA
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index e46c1bae..18199111 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -34,7 +34,7 @@ guide][] before running.
         find /etc -name '*.dpkg-*' -o -name '*.ucf-*' -o -name '*.merge-error' &&
         : run backups &&
         /home/anarcat/bin/backup-$(hostname) &&
-        echo End of Step 2
+        printf "End of Step 2\a\n"
 
  3. Perform any pending upgrade and clear out old pins:
 
@@ -50,7 +50,7 @@ guide][] before running.
         : look for packages from backports, other suites or archives &&
         : if possible, switch to official packages by disabling third-party repositories &&
         apt-forktracer &&
-        echo End of Step 3
+        printf "End of Step 3\a\n"
 
  4. Check free space, see [this guide to free up space][] and
     download packages:
@@ -59,16 +59,16 @@ guide][] before running.
         sed -i 's,buster/updates,bullseye-security,' /etc/apt/sources.list $(ls /etc/apt/sources.list.d/*) &&
         apt update && apt -o APT::Get::Trivial-Only=true dist-upgrade && df -h &&
         apt -y -d full-upgrade &&
-        echo End of Step 4
+        printf "End of Step 4\a\n"
 
 [this guide to free up space]: http://www.debian.org/releases/bullseye/amd64/release-notes/ch-upgrading.en.html#sufficient-space
 
- 6. Actual upgrade run:
+ 5. Actual upgrade run:
 
         export DEBIAN_FRONTEND=noninteractive APT_LISTCHANGES_FRONTEND=mail &&
         apt full-upgrade -y -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' &&
         /opt/bin/clean_conflicts &&
-        echo 'End step 6'
+        printf "End of Step 5\a\n"
 
  5. Post-upgrade checks:
 
@@ -83,6 +83,7 @@ guide][] before running.
         dpkg -l 'linux-image*'
         # review packages that are not in the new distribution
         aptitude search '?narrow(?not(?archive("^[^n][^o][^w].*$")),?version(CURRENT))'
+        printf "All procedures completed\a\n" &&
 
 TODO: update this.
 

cosmetic
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 1abaddf2..e46c1bae 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -149,18 +149,18 @@ Note that this table may not be up to date with the current bullseye
 release. See the [official release notes](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-whats-new.en.html#newdistro) for a more up to date
 list.
 
-| Package     | Buster  | Bullseye | Notes                                                                                                         |
-| -------     | ------- | ------   | -----                                                                                                         |
-| Docker      | 18      | 20       | Docker made it for a second release                                                                           |
-| Emacs       | 26      | 27       | JSON parsing for LSP? ~/.config/emacs/? harfbuzz?? oh my! [details](https://emacsredux.com/blog/2020/08/13/emacs-27-1/)                                        |
-| Firefox     | 68      | 78       | 78 was already in buster-updates                                                                              |
-| GNOME       | 3.30    | 3.38     | Missed the "GNOME 40" release                                                                                 |
-| Inkscap     | 0.92    | 1.0      | Finally, 1.0!                                                                                                 |
-| Libreoffice | 6.2     | 7.0      |                                                                                                               |
-| OpenSSH     | 7.9     | 8.4      | [FIDO/U2F, Include][8.2], [signatures][8.1], [quantum-resistant key exchange, key fingerprint as confirmation][8.0] |
-| Postgresql  | 11      | 13       |                                                                                                               |
-| Python      | 3.7     | 3.9      | walrus operator, importlib.metadata, dict unions, zoneinfo                                                    |
-| Puppet      | 5.5     | 5.5      | Missed the Puppet 6 (and 7!) releases                                                                         |
+| Package     | Buster | Bullseye | Notes                                                                                                         |
+|-------------|--------|----------|---------------------------------------------------------------------------------------------------------------|
+| Docker      | 18     | 20       | Docker made it for a second release                                                                           |
+| Emacs       | 26     | 27       | JSON parsing for LSP? ~/.config/emacs/? harfbuzz?? oh my! [details](https://emacsredux.com/blog/2020/08/13/emacs-27-1/)                                        |
+| Firefox     | 68     | 78       | 78 was already in buster-updates                                                                              |
+| GNOME       | 3.30   | 3.38     | Missed the "GNOME 40" release                                                                                 |
+| Inkscap     | 0.92   | 1.0      | Finally, 1.0!                                                                                                 |
+| Libreoffice | 6.2    | 7.0      |                                                                                                               |
+| OpenSSH     | 7.9    | 8.4      | [FIDO/U2F, Include][8.2], [signatures][8.1], [quantum-resistant key exchange, key fingerprint as confirmation][8.0] |
+| Postgresql  | 11     | 13       |                                                                                                               |
+| Python      | 3.7    | 3.9      | walrus operator, importlib.metadata, dict unions, zoneinfo                                                    |
+| Puppet      | 5.5    | 5.5      | Missed the Puppet 6 (and 7!) releases                                                                         |
 
 [8.0]: http://www.openssh.com/txt/release-8.0
 [8.1]: http://www.openssh.com/txt/release-8.1

note some changes
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 2c7487bf..1abaddf2 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -149,18 +149,22 @@ Note that this table may not be up to date with the current bullseye
 release. See the [official release notes](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-whats-new.en.html#newdistro) for a more up to date
 list.
 
-| Package     | Buster  | Bullseye | Notes                                 |
-| -------     | ------- | ------   | -----                                 |
-| Docker      | 18      | 20       | Docker made it for a second release   |
-| Emacs       | 26      | 27       | TODO                                  |
-| Firefox     | 68      | 78       | 78 was already in buster-updates      |
-| GNOME       | 3.30    | 3.38     | Missed the "GNOME 40" release         |
-| Inkscap     | 0.92    | 1.0      | Finally, 1.0!                         |
-| Libreoffice | 6.2     | 7.0      |                                       |
-| OpenSSH     | 7.9     | 8.4      | TODO                                  |
-| Postgresql  | 11      | 13       | TODO                                  |
-| Python      | 3.7     | 3.9      | TODO                                  |
-| Puppet      | 5.5     | 5.5      | Missed the Puppet 6 (and 7!) releases |
+| Package     | Buster  | Bullseye | Notes                                                                                                         |
+| -------     | ------- | ------   | -----                                                                                                         |
+| Docker      | 18      | 20       | Docker made it for a second release                                                                           |
+| Emacs       | 26      | 27       | JSON parsing for LSP? ~/.config/emacs/? harfbuzz?? oh my! [details](https://emacsredux.com/blog/2020/08/13/emacs-27-1/)                                        |
+| Firefox     | 68      | 78       | 78 was already in buster-updates                                                                              |
+| GNOME       | 3.30    | 3.38     | Missed the "GNOME 40" release                                                                                 |
+| Inkscap     | 0.92    | 1.0      | Finally, 1.0!                                                                                                 |
+| Libreoffice | 6.2     | 7.0      |                                                                                                               |
+| OpenSSH     | 7.9     | 8.4      | [FIDO/U2F, Include][8.2], [signatures][8.1], [quantum-resistant key exchange, key fingerprint as confirmation][8.0] |
+| Postgresql  | 11      | 13       |                                                                                                               |
+| Python      | 3.7     | 3.9      | walrus operator, importlib.metadata, dict unions, zoneinfo                                                    |
+| Puppet      | 5.5     | 5.5      | Missed the Puppet 6 (and 7!) releases                                                                         |
+
+[8.0]: http://www.openssh.com/txt/release-8.0
+[8.1]: http://www.openssh.com/txt/release-8.1
+[8.2]: http://www.openssh.com/txt/release-8.2
 
 See also the [noteworthy obsolete packages](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.en.html#noteworthy-obsolete-packages) list.
 

fix link
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 210d6c78..2c7487bf 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -7,6 +7,8 @@
 WARNING: this procedure hasn't been tested. Also compare with the [TPA
 guide][] before running.
 
+[TPA guide]: https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/upgrades/bullseye
+
  1. Preparation:
 
         : reset to the default locale
@@ -189,5 +191,5 @@ that](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-upgrading.
  * [Release notes](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-whats-new.en.html) (WIP)
  * [Koumbit guide](https://wiki.koumbit.net/BullseyeUpgrade) (N/A yet)
  * [DSA guide](https://dsa.debian.org/howto/upgrade-to-bullseye/) (WIP, reviewed)
- * [TPA guide](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/upgrades/bullseye) (N/A yet)
+ * [TPA guide][] (N/A yet)
  * [Solution proposal to automate this](https://wiki.debian.org/AutomatedUpgrade)

bakunin
diff --git a/fortunes.txt b/fortunes.txt
index 8424d1a5..63a35904 100644
--- a/fortunes.txt
+++ b/fortunes.txt
@@ -1158,3 +1158,11 @@ ajouter, mais lorsqu'il n'y a plus rien à retirer.
 %
 The palest ink is better than the most capricious memory.
                         - ancient Chinese proverb
+%
+When the people are being beaten with a stick, they are not much
+happier if it is called "the People's Stick."
+                        - Mikhail Bakunin
+%
+No theory, no ready-made system, no book that has ever been written
+will save the world. I cleave to no system. I am a true seeker.
+                        - Mikhail Bakunin

link to tpa
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 92e77949..210d6c78 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -4,8 +4,8 @@
 
 # Procedure
 
-WARNING: copy-pasted from buster, do not follow. Review the official
-guide first.
+WARNING: this procedure hasn't been tested. Also compare with the [TPA
+guide][] before running.
 
  1. Preparation:
 
@@ -189,4 +189,5 @@ that](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-upgrading.
  * [Release notes](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-whats-new.en.html) (WIP)
  * [Koumbit guide](https://wiki.koumbit.net/BullseyeUpgrade) (N/A yet)
  * [DSA guide](https://dsa.debian.org/howto/upgrade-to-bullseye/) (WIP, reviewed)
+ * [TPA guide](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/upgrades/bullseye) (N/A yet)
  * [Solution proposal to automate this](https://wiki.debian.org/AutomatedUpgrade)
diff --git a/services/upgrades/buster.mdwn b/services/upgrades/buster.mdwn
index 841b7db5..d34e44f6 100644
--- a/services/upgrades/buster.mdwn
+++ b/services/upgrades/buster.mdwn
@@ -645,4 +645,5 @@ References
  * [Release notes](https://www.debian.org/releases/buster/amd64/release-notes/ch-whats-new.en.html)
  * [Koumbit guide](https://wiki.koumbit.net/BusterUpgrade)
  * [DSA guide](https://dsa.debian.org/howto/upgrade-to-buster/)
+ * [TPA guide](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/upgrades/buster)
  * [Solution proposal to automate this](https://wiki.debian.org/AutomatedUpgrade)

changes in *my* packages
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 2f12092c..92e77949 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -128,6 +128,21 @@ noticed.
    from its `$y$` prefix), a major change from the previous default,
    SHA-512 (recognizable from its `$6$` prefix, see [crypt(5)](https://manpages.debian.org/crypt.5))
 
+In packages I maintain, those are the important changes:
+
+ * [charybdis](https://tracker.debian.org/pkg/charybdis) is not going to ship with bullseye at all, it has
+   been abandoned upstream and forked by OFTC and Freenode into
+   [solanum](https://solanum.chat/), which should hopefully make it to bullseye-backports
+   eventually
+ * [gameclock](https://tracker.debian.org/pkg/gameclock) was removed from Debian: it's an old program which I
+   would need to rewrite to port *both* to Python 2 and GTK 2, and I
+   just can't find the time. quite sad.
+ * [monkeysign](https://tracker.debian.org/pkg/monkeysign) is also going away, but thankfully there are
+   alternatives: caff still exists (in [signing-party](https://tracker.debian.org/pkg/signing-party)), as do
+   [pius](https://tracker.debian.org/pius) and [GNOME Keysign](https://wiki.gnome.org/Apps/Keysign)
+ * [feed2exec](https://feed2exec.readthedocs.io/), [undertime](https://gitlab.com/anarcat/undertime/), [linkchecker](https://linkchecker.github.io/linkchecker), and
+   [stressant](https://stressant.readthedocs.io/) are still alive and most are seeing modest upgrades
+
 Note that this table may not be up to date with the current bullseye
 release. See the [official release notes](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-whats-new.en.html#newdistro) for a more up to date
 list.

two more notable changes
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 5da19090..2f12092c 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -122,6 +122,11 @@ noticed.
  * Mailman 2 is consequently removed
  * last release to support non-merged /usr
  * security archive changed to `deb https://deb.debian.org/debian-security bullseye-security main contrib` (covered by script above)
+ * the Intel VA-API driver might give performance boosts and battery
+   savings when playing video, see [this note](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.en.html#new-vaapi-default-driver)
+ * [password hashes have changed](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.en.html#pam-default-password) to [yescrypt](https://www.openwall.com/yescrypt/) (recognizable
+   from its `$y$` prefix), a major change from the previous default,
+   SHA-512 (recognizable from its `$6$` prefix, see [crypt(5)](https://manpages.debian.org/crypt.5))
 
 Note that this table may not be up to date with the current bullseye
 release. See the [official release notes](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-whats-new.en.html#newdistro) for a more up to date

some troubleshooting pointers
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 494cd618..5da19090 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -150,6 +150,19 @@ See also the official list of [known issues](https://www.debian.org/releases/bul
 
 ## Resolved
 
+# Troubleshooting
+
+## Upgrade failures
+
+Instructions on errors during upgrades can be found in [the release
+notes troubleshooting section](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-upgrading.en.html#trouble).
+
+## Reboot failures
+
+If there's any trouble during reboots, you should use some recovery
+system. The [release notes actually have good documentation on
+that](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-upgrading.en.html#recovery), on top of "use a live filesystem".
+
 # References
 
  * [Official guide](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-upgrading.en.html) (WIP)

clear out proposed updates
We really need a sources.list parser..
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index b327f8b1..494cd618 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -41,6 +41,7 @@ guide first.
         rm -f /etc/apt/sources.list.d/testing.list &&
         rm -f /etc/apt/sources.list.d/buster-backports.list &&
         rm -f /etc/apt/sources.list.d/backports.debian.org.list &&
+        rm -f /etc/apt/sources.list.d/proposed-updates.list &&
         apt update && apt -y upgrade &&
         : list kernel images and purge unused packages &&
         dpkg -l 'linux-image-*' &&

look for config cruft *before* upgrades
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 18c0f317..b327f8b1 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -28,6 +28,8 @@ guide first.
         dpkg --audit &&
         : look for dkms packages and make sure they are relevant, if not, purge. &&
         dpkg -l '*dkms' || true &&
+        : look for leftover config files &&
+        find /etc -name '*.dpkg-*' -o -name '*.ucf-*' -o -name '*.merge-error' &&
         : run backups &&
         /home/anarcat/bin/backup-$(hostname) &&
         echo End of Step 2

clear out dummy packages
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 8d78dd41..18c0f317 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -68,6 +68,7 @@ guide first.
  5. Post-upgrade checks:
 
         apt purge $(dpkg -l | awk '/^rc/ { print $2 }') # purge removed packages
+        apt purge $(deborphan --guess-dummy)
         apt autoremove -y --purge
         while deborphan -n | grep -q . ; do apt purge $(deborphan -n); done
         apt autoremove -y --purge

clarify backup step
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 46d466e8..8d78dd41 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -28,6 +28,7 @@ guide first.
         dpkg --audit &&
         : look for dkms packages and make sure they are relevant, if not, purge. &&
         dpkg -l '*dkms' || true &&
+        : run backups &&
         /home/anarcat/bin/backup-$(hostname) &&
         echo End of Step 2
 

except it seems only aptitude knows about obsolete packages?
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 63353e75..46d466e8 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -100,6 +100,14 @@ Those are presumably harmless, so this might be a better call:
 Update: the first incantation was updated to use `apt-forktracer`
 instead.
 
+TODO: also consider [obsolete packages](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-upgrading.en.html#obsolete)? This command was actually
+introduced in the buster release notes:
+
+    aptitude search '~o'
+
+... but it's possibly cruft that could be replaced by `apt-forktracer`
+or `apt list ~obsolete` as well. See also [step 4.2.2](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-upgrading.en.html#removing-non-debian-packages) and [this forum](https://askubuntu.com/questions/98223/how-do-i-get-a-list-of-obsolete-packages).
+
 # Notable changes
 
 Here are some packages with notable version changes that I

remove uses of aptitude, if we can help it
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index bc8db82a..63353e75 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -66,7 +66,7 @@ guide first.
 
  5. Post-upgrade checks:
 
-        aptitude purge ~c # purge removed packages
+        apt purge $(dpkg -l | awk '/^rc/ { print $2 }') # purge removed packages
         apt autoremove -y --purge
         while deborphan -n | grep -q . ; do apt purge $(deborphan -n); done
         apt autoremove -y --purge

add tweak for security sources
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 8e333eed..bc8db82a 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -50,6 +50,7 @@ guide first.
     download packages:
 
         sed -i 's/buster/bullseye/g' /etc/apt/sources.list $(ls /etc/apt/sources.list.d/*) &&
+        sed -i 's,buster/updates,bullseye-security,' /etc/apt/sources.list $(ls /etc/apt/sources.list.d/*) &&
         apt update && apt -o APT::Get::Trivial-Only=true dist-upgrade && df -h &&
         apt -y -d full-upgrade &&
         echo End of Step 4
@@ -107,7 +108,7 @@ noticed.
  * Python 2 support is removed!
  * Mailman 2 is consequently removed
  * last release to support non-merged /usr
- * security archive changed to `deb https://deb.debian.org/debian-security bullseye-security main contrib`
+ * security archive changed to `deb https://deb.debian.org/debian-security bullseye-security main contrib` (covered by script above)
 
 Note that this table may not be up to date with the current bullseye
 release. See the [official release notes](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-whats-new.en.html#newdistro) for a more up to date

remove the -dbg step
leftover from stretch, should have been fixed in buster
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index bd65ea68..8e333eed 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -65,7 +65,6 @@ guide first.
 
  5. Post-upgrade checks:
 
-        dpkg -l '*-dbg' # look for dbg package and possible replace with -dbgsym
         aptitude purge ~c # purge removed packages
         apt autoremove -y --purge
         while deborphan -n | grep -q . ; do apt purge $(deborphan -n); done

release notes advise full-upgrade now, use that
also just do the download bit with full-upgrade, no need to do it in
two steps.
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 0a51c71c..bd65ea68 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -51,7 +51,7 @@ guide first.
 
         sed -i 's/buster/bullseye/g' /etc/apt/sources.list $(ls /etc/apt/sources.list.d/*) &&
         apt update && apt -o APT::Get::Trivial-Only=true dist-upgrade && df -h &&
-        apt -y -d upgrade && apt -y -d dist-upgrade &&
+        apt -y -d full-upgrade &&
         echo End of Step 4
 
 [this guide to free up space]: http://www.debian.org/releases/bullseye/amd64/release-notes/ch-upgrading.en.html#sufficient-space
@@ -59,7 +59,7 @@ guide first.
  6. Actual upgrade run:
 
         export DEBIAN_FRONTEND=noninteractive APT_LISTCHANGES_FRONTEND=mail &&
-        apt dist-upgrade -y -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' &&
+        apt full-upgrade -y -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' &&
         /opt/bin/clean_conflicts &&
         echo 'End step 6'
 

atx settext blah
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 407b4996..0a51c71c 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -2,8 +2,7 @@
 
 [[!toc]]
 
-Procedure
-=========
+# Procedure
 
 WARNING: copy-pasted from buster, do not follow. Review the official
 guide first.
@@ -101,8 +100,7 @@ Those are presumably harmless, so this might be a better call:
 Update: the first incantation was updated to use `apt-forktracer`
 instead.
 
-Notable changes
-===============
+# Notable changes
 
 Here are some packages with notable version changes that I
 noticed.
@@ -131,19 +129,15 @@ list.
 
 See also the [noteworthy obsolete packages](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.en.html#noteworthy-obsolete-packages) list.
 
-Issues
-======
+# Issues
 
 See also the official list of [known issues](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.en.html).
 
-Pending
--------
+## Pending
 
-Resolved
---------
+## Resolved
 
-References
-==========
+# References
 
  * [Official guide](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-upgrading.en.html) (WIP)
  * [Release notes](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-whats-new.en.html) (WIP)

follow bullseye properly
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 0bf6e6e2..407b4996 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -8,19 +8,22 @@ Procedure
 WARNING: copy-pasted from buster, do not follow. Review the official
 guide first.
 
- 1. Preperation:
+ 1. Preparation:
 
         : reset to the default locale
         export LC_ALL=C.UTF-8 &&
         sudo apt install ttyrec screen debconf-utils apt-show-versions deborphan apt-forktracer &&
-        sudo ttyrec -e screen /var/log/upgrade-buster.ttyrec
+        sudo ttyrec -e screen /var/log/upgrade-bullseye.ttyrec
 
  2. Backups and checks:
 
-        ( umask 0077 &&
-          tar cfz /var/backups/pre-buster-backup.tgz /etc /var/lib/dpkg /var/lib/apt/extended_states /var/lib/aptitude/pkgstates /var/cache/debconf &&
-          dpkg --get-selections "*" > /var/backups/dpkg-selections-pre-buster.txt &&
-          debconf-get-selections > /var/backups/debconf-selections-pre-buster.txt
+        ( 
+          umask 0077 &&
+          tar cf /var/backups/pre-bullseye-backup.tar /etc /var/lib/dpkg /var/lib/apt/extended_states /var/cache/debconf &&
+          ( tar -A -f /var/backups/pre-bullseye-backup.tar /var/lib/aptitude/pkgstates || true ) &&
+          gzip /var/backups/pre-bullseye-backup.tar &&
+          dpkg --get-selections "*" > /var/backups/dpkg-selections-pre-bullseye.txt &&
+          debconf-get-selections > /var/backups/debconf-selections-pre-bullseye.txt
         ) &&
         apt-mark showhold &&
         dpkg --audit &&
@@ -34,7 +37,7 @@ guide first.
         : Check for pinned, on hold, packages, and possibly disable &&
         rm -f /etc/apt/preferences /etc/apt/preferences.d/* &&
         rm -f /etc/apt/sources.list.d/testing.list &&
-        rm -f /etc/apt/sources.list.d/stretch-backports.list &&
+        rm -f /etc/apt/sources.list.d/buster-backports.list &&
         rm -f /etc/apt/sources.list.d/backports.debian.org.list &&
         apt update && apt -y upgrade &&
         : list kernel images and purge unused packages &&
@@ -47,12 +50,12 @@ guide first.
  4. Check free space, see [this guide to free up space][] and
     download packages:
 
-        sed -i 's/stretch/buster/g' /etc/apt/sources.list $(ls /etc/apt/sources.list.d/*) &&
+        sed -i 's/buster/bullseye/g' /etc/apt/sources.list $(ls /etc/apt/sources.list.d/*) &&
         apt update && apt -o APT::Get::Trivial-Only=true dist-upgrade && df -h &&
         apt -y -d upgrade && apt -y -d dist-upgrade &&
         echo End of Step 4
 
-[this guide to free up space]: http://www.debian.org/releases/buster/amd64/release-notes/ch-upgrading.en.html#sufficient-space
+[this guide to free up space]: http://www.debian.org/releases/bullseye/amd64/release-notes/ch-upgrading.en.html#sufficient-space
 
  6. Actual upgrade run:
 
@@ -85,7 +88,7 @@ documentation. It selects packages that are currently installed
 [Ewan's cross-upgrading documentation](http://www.nanonanonano.net/linux/debian/crossgrading). Another way to do this is
 with [[!debpkg apt-show-version]]:
 
-    apt-show-versions | grep -v /buster
+    apt-show-versions | grep -v /bullseye
 
 ... although that yields strange results like:
 
@@ -93,7 +96,7 @@ with [[!debpkg apt-show-version]]:
 
 Those are presumably harmless, so this might be a better call:
 
-    apt-show-versions | grep -v /buster | grep -v 'not installed$'
+    apt-show-versions | grep -v /bullseye | grep -v 'not installed$'
 
 Update: the first incantation was updated to use `apt-forktracer`
 instead.
@@ -109,7 +112,7 @@ noticed.
  * last release to support non-merged /usr
  * security archive changed to `deb https://deb.debian.org/debian-security bullseye-security main contrib`
 
-Note that this table is not up to date with the current buster
+Note that this table may not be up to date with the current bullseye
 release. See the [official release notes](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-whats-new.en.html#newdistro) for a more up to date
 list.
 

buster was released (!)
diff --git a/services/upgrades/buster.mdwn b/services/upgrades/buster.mdwn
index b5021152..841b7db5 100644
--- a/services/upgrades/buster.mdwn
+++ b/services/upgrades/buster.mdwn
@@ -114,9 +114,9 @@ list.
 | Package     | Stretch | Buster | Notes                                |
 | -------     | ------- | ------ | -----                                |
 | Docker      | N/A     | 18     | Finally, Docker is back in Debian?   |
-| Emacs       | 24.5    | 25.2   |                                      |
+| Emacs       | 24.5    | 26     |                                      |
 | Firefox     | 52      | 60     | Major upgrade, the "Quantum" release |
-| GNOME       | 3.22    | 3.28   |                                      |
+| GNOME       | 3.22    | 3.30   |                                      |
 | Libreoffice | 5.2     | 6.2    |                                      |
 
 Many packages were removed from Buster. I've built an [exhaustive
@@ -641,10 +641,6 @@ udev fixed the issue:
 References
 ==========
 
-Note: the official upgrade guide and release notes not available at
-the time of writing (2019-04-08) as the documentation is usually
-written during the freeze and buster is not there yet.
-
  * [Official guide](https://www.debian.org/releases/buster/amd64/release-notes/ch-upgrading.en.html)
  * [Release notes](https://www.debian.org/releases/buster/amd64/release-notes/ch-whats-new.en.html)
  * [Koumbit guide](https://wiki.koumbit.net/BusterUpgrade)

bullseye upgrade notes, incomplete
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
new file mode 100644
index 00000000..0bf6e6e2
--- /dev/null
+++ b/services/upgrades/bullseye.mdwn
@@ -0,0 +1,149 @@
+[[!meta title="Bullseye upgrade"]]
+
+[[!toc]]
+
+Procedure
+=========
+
+WARNING: copy-pasted from buster, do not follow. Review the official
+guide first.
+
+ 1. Preperation:
+
+        : reset to the default locale
+        export LC_ALL=C.UTF-8 &&
+        sudo apt install ttyrec screen debconf-utils apt-show-versions deborphan apt-forktracer &&
+        sudo ttyrec -e screen /var/log/upgrade-buster.ttyrec
+
+ 2. Backups and checks:
+
+        ( umask 0077 &&
+          tar cfz /var/backups/pre-buster-backup.tgz /etc /var/lib/dpkg /var/lib/apt/extended_states /var/lib/aptitude/pkgstates /var/cache/debconf &&
+          dpkg --get-selections "*" > /var/backups/dpkg-selections-pre-buster.txt &&
+          debconf-get-selections > /var/backups/debconf-selections-pre-buster.txt
+        ) &&
+        apt-mark showhold &&
+        dpkg --audit &&
+        : look for dkms packages and make sure they are relevant, if not, purge. &&
+        dpkg -l '*dkms' || true &&
+        /home/anarcat/bin/backup-$(hostname) &&
+        echo End of Step 2
+
+ 3. Perform any pending upgrade and clear out old pins:
+
+        : Check for pinned, on hold, packages, and possibly disable &&
+        rm -f /etc/apt/preferences /etc/apt/preferences.d/* &&
+        rm -f /etc/apt/sources.list.d/testing.list &&
+        rm -f /etc/apt/sources.list.d/stretch-backports.list &&
+        rm -f /etc/apt/sources.list.d/backports.debian.org.list &&
+        apt update && apt -y upgrade &&
+        : list kernel images and purge unused packages &&
+        dpkg -l 'linux-image-*' &&
+        : look for packages from backports, other suites or archives &&
+        : if possible, switch to official packages by disabling third-party repositories &&
+        apt-forktracer &&
+        echo End of Step 3
+
+ 4. Check free space, see [this guide to free up space][] and
+    download packages:
+
+        sed -i 's/stretch/buster/g' /etc/apt/sources.list $(ls /etc/apt/sources.list.d/*) &&
+        apt update && apt -o APT::Get::Trivial-Only=true dist-upgrade && df -h &&
+        apt -y -d upgrade && apt -y -d dist-upgrade &&
+        echo End of Step 4
+
+[this guide to free up space]: http://www.debian.org/releases/buster/amd64/release-notes/ch-upgrading.en.html#sufficient-space
+
+ 6. Actual upgrade run:
+
+        export DEBIAN_FRONTEND=noninteractive APT_LISTCHANGES_FRONTEND=mail &&
+        apt dist-upgrade -y -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' &&
+        /opt/bin/clean_conflicts &&
+        echo 'End step 6'
+
+ 5. Post-upgrade checks:
+
+        dpkg -l '*-dbg' # look for dbg package and possible replace with -dbgsym
+        aptitude purge ~c # purge removed packages
+        apt autoremove -y --purge
+        while deborphan -n | grep -q . ; do apt purge $(deborphan -n); done
+        apt autoremove -y --purge
+        apt clean
+        reboot
+        # review and purge older kernel once the new one boots properly
+        dpkg -l 'linux-image*'
+        # review packages that are not in the new distribution
+        aptitude search '?narrow(?not(?archive("^[^n][^o][^w].*$")),?version(CURRENT))'
+
+TODO: update this.
+
+The last incantation comes from the
+[[cross-upgrade|services/upgrades/cross-architecture/]]
+documentation. It selects packages that are currently installed
+(`?narrow(...,?version(CURRENT))`) from an archive other than "now"
+(`?not(?archive("^[^n][^o][^w].*$")`). This was cargo-culted from
+[Ewan's cross-upgrading documentation](http://www.nanonanonano.net/linux/debian/crossgrading). Another way to do this is
+with [[!debpkg apt-show-version]]:
+
+    apt-show-versions | grep -v /buster
+
+... although that yields strange results like:
+
+    linux-libc-dev:i386 not installed
+
+Those are presumably harmless, so this might be a better call:
+
+    apt-show-versions | grep -v /buster | grep -v 'not installed$'
+
+Update: the first incantation was updated to use `apt-forktracer`
+instead.
+
+Notable changes
+===============
+
+Here are some packages with notable version changes that I
+noticed.
+
+ * Python 2 support is removed!
+ * Mailman 2 is consequently removed
+ * last release to support non-merged /usr
+ * security archive changed to `deb https://deb.debian.org/debian-security bullseye-security main contrib`
+
+Note that this table is not up to date with the current buster
+release. See the [official release notes](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-whats-new.en.html#newdistro) for a more up to date
+list.
+
+| Package     | Buster  | Bullseye | Notes                                 |
+| -------     | ------- | ------   | -----                                 |
+| Docker      | 18      | 20       | Docker made it for a second release   |
+| Emacs       | 26      | 27       | TODO                                  |
+| Firefox     | 68      | 78       | 78 was already in buster-updates      |
+| GNOME       | 3.30    | 3.38     | Missed the "GNOME 40" release         |
+| Inkscap     | 0.92    | 1.0      | Finally, 1.0!                         |
+| Libreoffice | 6.2     | 7.0      |                                       |
+| OpenSSH     | 7.9     | 8.4      | TODO                                  |
+| Postgresql  | 11      | 13       | TODO                                  |
+| Python      | 3.7     | 3.9      | TODO                                  |
+| Puppet      | 5.5     | 5.5      | Missed the Puppet 6 (and 7!) releases |
+
+See also the [noteworthy obsolete packages](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.en.html#noteworthy-obsolete-packages) list.
+
+Issues
+======
+
+See also the official list of [known issues](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.en.html).
+
+Pending
+-------
+
+Resolved
+--------
+
+References
+==========
+
+ * [Official guide](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-upgrading.en.html) (WIP)
+ * [Release notes](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-whats-new.en.html) (WIP)
+ * [Koumbit guide](https://wiki.koumbit.net/BullseyeUpgrade) (N/A yet)
+ * [DSA guide](https://dsa.debian.org/howto/upgrade-to-bullseye/) (WIP, reviewed)
+ * [Solution proposal to automate this](https://wiki.debian.org/AutomatedUpgrade)

trying out another firefox extension
diff --git a/software/desktop/firefox.mdwn b/software/desktop/firefox.mdwn
index 2aa8fb00..736bd854 100644
--- a/software/desktop/firefox.mdwn
+++ b/software/desktop/firefox.mdwn
@@ -69,6 +69,9 @@ I am testing those and they might make it to the top list once I'm happy:
    rules](https://news.ycombinator.com/item?id=26120168))
  * [Open in Browser](https://addons.mozilla.org/en-US/firefox/addon/open-in-browser/) (no deb, [source](https://github.com/Rob--W/open-in-browser)) - reopen the file in the
    browser instead of downloading
+ * [Popup window](https://addons.mozilla.org/en-US/firefox/addon/popup-window/) (no deb, [source](https://github.com/ettoolong/PopupWindow)) - open the link in a
+   pop-up, useful to have an "app-like" window for a website (I use
+   this for videoconferencing in a second tab)
  * [Smart HTTPS](https://addons.mozilla.org/en-US/firefox/addon/smart-https-revived/) (no deb, [source](https://github.com/ilGur1132/Smart-HTTPS)) - some use [HTTPS
    everywhere](https://www.eff.org/https-everywhere) but i find that one works too and doesn't require
    sites to be added to a list. nowadays, https URLs match http URLs

monitor setup update
diff --git a/hardware/monitor.mdwn b/hardware/monitor.mdwn
index 220b27f9..4f762a04 100644
--- a/hardware/monitor.mdwn
+++ b/hardware/monitor.mdwn
@@ -34,7 +34,7 @@ HP L2245wg
  * LCD
 
 Update: replaced with the LG Flatron Wid L204WTX-SF, on an "arm",
-because the HP was getting finnicky: it would "short" and blank out,
+because the HP was getting finicky: it would "short" and blank out,
 get all "fuzzy" and weird. The new monitor looks *much* better.
 
 [Upstream](https://support.hp.com/us-en/product/hp-l2245wg-22-inch-widescreen-lcd-monitor/3758498/manuals), [manual](http://h10032.www1.hp.com/ctg/Manual/c01555675), [specs](https://www.cnet.com/products/hp-l2245wg/).
@@ -47,15 +47,16 @@ what works and doesn't, in descending order of (totally subjective)
 "quality":
 
  * [Samsung B2330H](https://www.samsung.com/us/business/support/owners/product/b2330-series-b2330hd/) 1920x1080@60Hz, 23", 70,000:1, 5ms, VGA, HDMI,
-   DVI, gigantic, molten hole in the back, but works
+   DVI, gigantic, molten hole in the back, but works (lent to a
+   coworker)
  * [LG Flatron Wide L204WTX-SF](https://www.lg.com/ca_en/support/product/lg-L204WTX-SF) 1680x1050@60Hz, 20", 2000:1, 5ms,
    VGA, DVI, looks great, one dead pixel
  * [Acer X193w](https://www.cnet.com/products/acer-x193w-lcd-monitor/) 1440x900@75Hz, 2000:1, 5ms VGA, DVI, clean and
    simple, top partially melted
- * [Acer P186HV](https://productz.com/en/acer-p186hv/p/JJ3rY) 133x768@60Hz, 18.5", 5000:1, 5ms, VGA, display
+ * [Acer P186HV](https://productz.com/en/acer-p186hv/p/JJ3rY) 1366x768@60Hz, 18.5", 5000:1, 5ms, VGA, display
    looks dusty (physically and in the image)
  * [Dell 1704FPvt](https://www.dell.com/downloads/global/products/monitors/en/spec_1704fp_en.pdf) 1280x1024@60Hz, 17", 1000:1, 25ms, VGA, DVI, USB
-   4-port hub, looks square, rotating
+   4-port hub, looks square, rotating (used as a console for a server)
  * [Toshiba 19AV500U](https://productz.com/en/toshiba-19av500u/p/eWMGr#full-specs) 1440x900, 19", VGA, HDMI, "component",
    antenna coax (it's a TV!), can't make it work in Linux
 

fedora too
diff --git a/blog/2019-09-16-fsf-resignations.mdwn b/blog/2019-09-16-fsf-resignations.mdwn
index 37f74e84..5ff3fbc3 100644
--- a/blog/2019-09-16-fsf-resignations.mdwn
+++ b/blog/2019-09-16-fsf-resignations.mdwn
@@ -189,5 +189,6 @@ to say that I won't attend LibrePlanet either any time soon. See also:
  * [Outreachy bars FSF from participation in its program](https://www.outreachy.org/blog/2021-03-23/fsf-participation-barred/)
  * [Open Source Initiative calls for removal and work to address harm](https://opensource.org/OSI_Response)
  * [FSFE dissociates from FSF](https://fsfe.org/news/2021/news-20210324-01.html)
+ * [Fedora dissociates from FSF](https://fedoramagazine.org/fedora-council-statement-on-richard-stallman-rejoining-fsf-board/)
 
 [[!tag debian-planet python-planet fsf gnu libreplanet free-software ethics]]

approve comment
diff --git a/blog/2021-03-19-dtach-screen-security/comment_1_c72f0ecb04aed724739af16e457f2da9._comment b/blog/2021-03-19-dtach-screen-security/comment_1_c72f0ecb04aed724739af16e457f2da9._comment
new file mode 100644
index 00000000..26f33822
--- /dev/null
+++ b/blog/2021-03-19-dtach-screen-security/comment_1_c72f0ecb04aed724739af16e457f2da9._comment
@@ -0,0 +1,10 @@
+[[!comment format=mdwn
+ ip="180.94.213.2"
+ claimedauthor="Norbert"
+ subject="What about dtach fork with newer releases"
+ date="2021-04-02T04:59:23Z"
+ content="""
+Thanks for that blog, sounds really interesting - I guess lots of people are running something like tmux/*irc.
+
+Searching around for dtach I realized there is a fork of the original repo that includes several fixes and has a \"release\" 0.10 just 2 month ago. It also deals with ANSI sequences etc, so you might have better success with that one: https://github.com/xPMo/dtach (not related in anyway to me, just found it)
+"""]]

more rms news
diff --git a/blog/2019-09-16-fsf-resignations.mdwn b/blog/2019-09-16-fsf-resignations.mdwn
index 57845041..37f74e84 100644
--- a/blog/2019-09-16-fsf-resignations.mdwn
+++ b/blog/2019-09-16-fsf-resignations.mdwn
@@ -183,8 +183,11 @@ Software foundation, and he announced it during his LibrePlanet speech
 no less. So I guess I will send them this letter after all. Needless
 to say that I won't attend LibrePlanet either any time soon. See also:
 
- * [RMS open letter](https://rms-open-letter.github.io/) (which I just signed)
+ * [RMS open letter](https://rms-open-letter.github.io/) (which I just
+   signed, along with major free software organizations and hundreds
+   of people)
  * [Outreachy bars FSF from participation in its program](https://www.outreachy.org/blog/2021-03-23/fsf-participation-barred/)
  * [Open Source Initiative calls for removal and work to address harm](https://opensource.org/OSI_Response)
+ * [FSFE dissociates from FSF](https://fsfe.org/news/2021/news-20210324-01.html)
 
 [[!tag debian-planet python-planet fsf gnu libreplanet free-software ethics]]

another
diff --git a/blog/2019-09-16-fsf-resignations.mdwn b/blog/2019-09-16-fsf-resignations.mdwn
index 3ea380a9..57845041 100644
--- a/blog/2019-09-16-fsf-resignations.mdwn
+++ b/blog/2019-09-16-fsf-resignations.mdwn
@@ -185,5 +185,6 @@ to say that I won't attend LibrePlanet either any time soon. See also:
 
  * [RMS open letter](https://rms-open-letter.github.io/) (which I just signed)
  * [Outreachy bars FSF from participation in its program](https://www.outreachy.org/blog/2021-03-23/fsf-participation-barred/)
+ * [Open Source Initiative calls for removal and work to address harm](https://opensource.org/OSI_Response)
 
 [[!tag debian-planet python-planet fsf gnu libreplanet free-software ethics]]

more refs
diff --git a/blog/2019-09-16-fsf-resignations.mdwn b/blog/2019-09-16-fsf-resignations.mdwn
index 5fe63a82..3ea380a9 100644
--- a/blog/2019-09-16-fsf-resignations.mdwn
+++ b/blog/2019-09-16-fsf-resignations.mdwn
@@ -181,6 +181,9 @@ friends left the FSF because they must be living through hell now.
 Update 2, 2021-03-23: RMS was reinstated on the board of the Free
 Software foundation, and he announced it during his LibrePlanet speech
 no less. So I guess I will send them this letter after all. Needless
-to say that I won't attend LibrePlanet either any time soon.
+to say that I won't attend LibrePlanet either any time soon. See also:
+
+ * [RMS open letter](https://rms-open-letter.github.io/) (which I just signed)
+ * [Outreachy bars FSF from participation in its program](https://www.outreachy.org/blog/2021-03-23/fsf-participation-barred/)
 
 [[!tag debian-planet python-planet fsf gnu libreplanet free-software ethics]]

FSF reinstated RMS, and I quit for real this time.
diff --git a/blog/2019-09-16-fsf-resignations.mdwn b/blog/2019-09-16-fsf-resignations.mdwn
index e23568b6..5fe63a82 100644
--- a/blog/2019-09-16-fsf-resignations.mdwn
+++ b/blog/2019-09-16-fsf-resignations.mdwn
@@ -178,4 +178,9 @@ friends left the FSF because they must be living through hell now.
 [from MIT]: https://www.stallman.org/archives/2019-jul-oct.html#16_September_2019_(Resignation)
 [resigned from the FSF]: https://www.fsf.org/news/richard-m-stallman-resigns
 
+Update 2, 2021-03-23: RMS was reinstated on the board of the Free
+Software foundation, and he announced it during his LibrePlanet speech
+no less. So I guess I will send them this letter after all. Needless
+to say that I won't attend LibrePlanet either any time soon.
+
 [[!tag debian-planet python-planet fsf gnu libreplanet free-software ethics]]

add toc
diff --git a/blog/2021-03-22-email-crash.md b/blog/2021-03-22-email-crash.md
index 5c0c492a..1a5209d8 100644
--- a/blog/2021-03-22-email-crash.md
+++ b/blog/2021-03-22-email-crash.md
@@ -5,6 +5,8 @@ uncertain, but possibly a combination of a dead CMOS battery, systemd
 `OnCalendar=daily`, a (locking?) bug in syncmaildir, and generally, a
 system too exotic and complicated.
 
+[[!toc]]
+
 # The crash
 
 So I somehow lost half my mail:

report on my latest crash
diff --git a/blog/2021-03-22-email-crash.md b/blog/2021-03-22-email-crash.md
index 367f2ffa..5c0c492a 100644
--- a/blog/2021-03-22-email-crash.md
+++ b/blog/2021-03-22-email-crash.md
@@ -1,3 +1,9 @@
+[[!meta title="Major email crash with syncmaildir"]]
+
+TL:DR; lost half my mail (150,000 messages, ~6GB) last night. Cause
+uncertain, but possibly a combination of a dead CMOS battery, systemd
+`OnCalendar=daily`, a (locking?) bug in syncmaildir, and generally, a
+system too exotic and complicated.
 
 # The crash
 
@@ -18,6 +24,13 @@ Those are three different machines:
  * curie: my workstation, mostly always on
  * marcos: my mail server, always on
 
+Those mails are synchronized using a [[rather exotic
+system|services/mail#delivery-and-retrieval-over-SSH]] based on SSH,
+[syncmaildir][] and [rsendmail][].
+
+[rsendmail]: https://gitlab.com/anarcat/rsendmail
+[syncmaildir]: https://github.com/gares/syncmaildir
+
 The anomaly started on curie:
 
     -- Reboot --
@@ -50,9 +63,8 @@ universe for some reason:
     mar 22 16:21:35 curie smd-push[9374]: register: smd-client@smd-server-register: TAGS: stats::new-mails(0), del-mails(0), bytes-received(0), xdelta-received(215)
     mar 22 16:21:35 curie systemd[3199]: smd-push.service: Succeeded.
 
-Notice the `del-mails(293920)` there: that can't be right.. it's
-either 300,000 mails destroyed (it's basically my entire mail spool),
-or (more likely) 300KB of mails...
+Notice the `del-mails(293920)` there: it is actively trying to destroy
+basically *every* email in my mail spool.
 
 Then somehow `push` and `pull` started both at once:
 
@@ -79,7 +91,8 @@ Then somehow `push` and `pull` started both at once:
     mar 22 16:22:00 curie systemd[3199]: smd-push.service: Failed with result 'exit-code'.
     mar 22 16:22:00 curie systemd[3199]: Failed to start push emails with syncmaildir.
 
-There it seems `push` tried to destroy the universe again.
+There it seems `push` tried to destroy the universe again:
+`del-mails(293920)`.
 
 Interestingly, the push started again in parallel with the pull, right
 that minute:
@@ -131,9 +144,8 @@ This pattern repeats until 16:35, when that locking issue silently recovered som
     mar 22 16:36:37 curie systemd[3199]: Started pull emails with syncmaildir.
 
 ... notice that huge `xdelta-received` there, that's 7GB right
-there. Mysteriously, the curie mail spool survived this.
-
-this immediately started failing again:
+there. Mysteriously, the curie mail spool survived this, possibly
+because `smd-pull` started failing again:
 
     mar 22 16:38:00 curie systemd[3199]: Starting pull emails with syncmaildir...
     mar 22 16:38:00 curie smd-pull[23556]: 21887 ?        00:00:00 smd-push
@@ -144,10 +156,9 @@ this immediately started failing again:
     mar 22 16:38:00 curie systemd[3199]: smd-pull.service: Failed with result 'exit-code'.
     mar 22 16:38:00 curie systemd[3199]: Failed to start pull emails with syncmaildir.
 
-that could have been when i got on angela to check my mail, and it was
-busy doing the nasty removal stuff.
-
-although the times don't match... here's when angela came back online:
+That could have been when i got on angela to check my mail, and it was
+busy doing the nasty removal stuff... although the times don't
+match. Here is when angela came back online:
 
     anarcat@angela:~(main)$ last
     anarcat  :0           :0               Mon Mar 22 19:57   still logged in
@@ -155,7 +166,7 @@ although the times don't match... here's when angela came back online:
     anarcat  :0           :0               Mon Mar 22 17:43 - 18:47  (01:03)
     reboot   system boot  5.10.0-0.bpo.3-a Mon Mar 22 17:39   still running
 
-then finally it failed with:
+Then finally the sync on curie started failing with:
 
     mar 22 16:46:35 curie systemd[3199]: Starting pull emails with syncmaildir...
     mar 22 16:46:42 curie smd-pull[27455]: smd-server: ERROR: Client aborted, removing /home/anarcat/.smd/curie-anarcat__Maildir.db.txt.new and /home/anarcat/.smd/curie-anarcat__Maildir.db.txt.mtime.new
@@ -172,10 +183,10 @@ then finally it failed with:
     mar 22 16:46:42 curie systemd[3199]: smd-pull.service: Failed with result 'exit-code'.
     mar 22 16:46:42 curie systemd[3199]: Failed to start pull emails with syncmaildir.
 
-and it's been stuck on this ever since. this is, presumably, a good
-thing because those emails are not being destroyed.
+It went on like this until I found the problem. This is, presumably, a
+good thing because those emails were not being destroyed.
 
-on angela, things looked like this:
+On angela, things looked like this:
 
     -- Reboot --
     mar 22 17:39:29 angela systemd[1677]: Started run notmuch new at least once a day.
@@ -205,26 +216,26 @@ on angela, things looked like this:
     mar 22 17:43:33 angela systemd[1677]: smd-push.service: Succeeded.
     mar 22 17:43:33 angela systemd[1677]: Started push emails with syncmaildir.
 
-notice on that first failure, how long it took to get the first error:
-it failed after 3 minutes! presumably that's when it started deleting
-all that mail. and this is during `pull`, not `push`, so the error
-didn't come from there.
-
-so uh. yeah. bad.
+Notice how long it took to get the first error, in that first failure:
+it failed after 3 minutes! Presumably that's when it started deleting
+all that mail. And this is during `pull`, not `push`, so the error
+didn't come from angela.
 
 # Affected data
 
 It seems 2GB of mail from my main INBOX was destroyed. Another 2.4GB
-of spam was also destroyed. 700MB of Sent mail. The rest is hard to
-figure out, because the folders are actually still there, just
-smaller. I don't really archive my mail anymore, so everything
-is in INBOX...
+of spam (kept for training purposes) was also destroyed, along with
+700MB of Sent mail. The rest is hard to figure out, because the
+folders are actually still there, just smaller. So I relied on `ncdu`
+to figure out the size changes.
 
-So I relied on `ncdu` to figure out the size changes. Some archives,
-old mailboxes...
+(Note that I don't really archive (or delete much of) my mail since I
+use [notmuch](https://notmuchmail.org/), which is why the INBOX is so
+large...)
 
-Concretely, according to `notmuch-new.service` which still
-periodically runs on marcos to keep an up to date index there:
+Concretely, according to the `notmuch-new.service` which still runs
+periodically on marcos, here are the changes that happened on the
+server:
 
     mar 22 16:17:12 marcos notmuch[10729]: Added 7 new messages to the database. Removed 57985 messages. Detected 1372 file renames.
     mar 22 16:22:43 marcos notmuch[12826]: No new mail. Removed 143842 messages. Detected 6072 file renames.
@@ -240,26 +251,28 @@ That is basically the entire mail spool destroyed at first (283 898
 messages), and then bits and pieces of it progressively re-added (134
 645 messages), somehow, so 149 253 mails were lost, presumably.
 
-# Actions taken
+# Recovery
 
 I disabled the services all over the place:
 
     systemctl --user --now disable smd-pull.service smd-pull.timer smd-push.service smd-push.timer notmuch-new.service notmuch-new.timer
 
-(Well, technically, I did that on angela, as I thought the problem was
-there. Luckily, curie kept going but it seems like it was
-harmless. Mostly. Who knows.)
+(Well, technically, I did that only on angela, as I thought the
+problem was there. Luckily, curie kept going but it seems like it was
+harmless.)
 
 I made a backup of the mail spool on curie:
 
     tar cf - Maildir/ | pv -s 14G | gzip -c > Maildir.tgz
 
-Then I crossed my fingers and ran `smd-push -v -s`, which started
-happily restoring mail. It failed a few times on weird cases of files
-being duplicates, but I resolved this by following the
-instructions. Or mostly: I actually deleted the files instead of
-moving them, which made smd even unhappier (if there ever was such a
-thing).
+Then I crossed my fingers and ran `smd-push -v -s`, as that was
+suggested by `smd` error codes themselves. That thankfully started
+restoring mail. It failed a few times on weird cases of files being
+duplicates, but I resolved this by following the instructions. Or
+mostly: I actually deleted the files instead of moving them, which
+made `smd` even unhappier (if there ever was such a thing). I had to
+recreate some of those files, so, lesson learned: do follow the advice
+`smd` gives you, even if it seems useless or strange.
 
 But then `smd-push` was humming along, uploading tens of thousands of
 messages, saturating the upload in the office, refilling the mail
@@ -362,7 +375,8 @@ On curie:
      Total disk usage:  13,3 GiB  Apparent size:  12,6 GiB  Items: 342465
 
 Interestingly, there are more files, but less disk usage. It's
-possible the notmuch database there is more efficient.
+possible the notmuch database there is more efficient. So maybe
+there's nothing to worry about.
 
 Last night's marcos backup has:
 
@@ -370,8 +384,8 @@ Last night's marcos backup has:
      341k 0:00:16 [20,4k/s] [                             <=>                                                                                                                                     ]
     341040
 
-341040 files seems about right, considering some mail was delivered
-during the day. An audit can be performed with `hashdeep`:
+... 341040 files, which seems about right, considering some mail was
+delivered during the day. An audit can be performed with `hashdeep`:
 
     borg mount /media/sdb2/borg/::marcos-auto-2021-03-22 /mnt
     hashdeep -c sha256 -r /mnt/home/anarcat/Maildir | pv -l -s 341k > Maildir-backup-manifest.txt

(Diff truncated)
some issues with the dtach hack
diff --git a/blog/2021-03-19-dtach-screen-security.md b/blog/2021-03-19-dtach-screen-security.md
index 97b8081d..f4e11635 100644
--- a/blog/2021-03-19-dtach-screen-security.md
+++ b/blog/2021-03-19-dtach-screen-security.md
@@ -125,4 +125,68 @@ It also includes instructions on how to setup your SSH keys.
 
 Enjoy, and let me know if (or rather, how) I messed up.
 
+# Updates
+
+ 1. it seems that dtach is not very active upstream: the last release
+    ([0.9](https://github.com/crigler/dtach/releases/tag/v0.9)) is from 2016, and the last commit (at the time of
+    writing) is from 2017
+
+ 2. dtach is not necessarily safer than screen or tmux from arbitrary
+    input from the outside, in fact there was a vulnerability on dtach
+    [CVE-2012-3368](https://security-tracker.debian.org/tracker/CVE-2012-3368) that led to an attacker accessing stack memory
+    (but maybe not code execution)
+
+ 3. after writing the Puppet module and publishing this article, I
+    started to get weird behavior from dtach: i would leave the office
+    at night and then return the next morning to find that I was timed
+    out on servers. from my perspective, `irssi` noticed only when I
+    re-attached the session:
+    
+        09:39:51 -!- Irssi: warning Broken pipe
+        09:39:51 -!- Irssi: warning SSL write error: Broken pipe
+        09:39:51 -!- Irssi: warning SSL write error: Broken pipe
+        09:39:51 -!- Irssi: warning SSL write error: Broken pipe
+        09:39:51 -!- Irssi: warning SSL write error: Broken pipe
+        09:39:51 [bitlbee] -!- Irssi: Connection lost to localhost
+        09:39:51 -!- Irssi: warning SSL write error: Broken pipe
+        09:39:51 [gitter] -!- Irssi: Connection lost to irc.gitter.im
+        09:39:51 [OFTC] -!- Irssi: Connection lost to irc.oftc.net
+        09:42:34 [IMC] -!- Irssi: Connection lost to irc.indymedia.org
+        09:42:34 -!- Irssi: Connection lost to irc.hackint.org
+        09:42:34 -!- Irssi: Connection lost to chat.freenode.net
+        09:42:34 -!- dtach_away: Set away
+
+    from the outside I actually timed out a few minutes after I
+    detached, which also makes for a weird asymmetry:
+    
+        22:31:00 -!- anarcat [~anarcat@ocean] has quit [Ping timeout: 250 seconds]
+
+    that is eleven hours before the error I get.
+
+ 4. the mosh wrapper script seems to not work as well as it did
+    before. somehow just running `mosh $server` *hangs* with a blank
+    screen instead of instantly rejoining the session. I'm not sure it
+    is related to the timeout problem but I did rewrite the wrapper
+    before publication. this is the old version:
+    
+        #!/bin/sh
+
+        # inspired by https://serverfault.com/questions/749474/ssh-authorized-keys-command-option-multiple-commands
+
+        command="dtach -a /run/anarcat-irc/dtach-irssi.socket"
+
+        case "$SSH_ORIGINAL_COMMAND" in
+            mosh-server*)
+        	exec mosh-server -- $command
+        	;;
+            *)
+        	exec $command
+        	;;
+        esac
+
+    I'm thinking of trying that one out for a while to see if it's
+    related. The weirdest thing is that mosh "un-hangs" if i reattach
+    with plain `ssh`, so there's definitely something fishy going on
+    here.
+
 [[!tag debian debian-planet systemd irssi irc security python-planet hack]]

more mail crashes, more fun
diff --git a/blog/2021-03-22-email-crash.md b/blog/2021-03-22-email-crash.md
new file mode 100644
index 00000000..367f2ffa
--- /dev/null
+++ b/blog/2021-03-22-email-crash.md
@@ -0,0 +1,431 @@
+
+# The crash
+
+So I somehow lost half my mail:
+
+    anarcat@angela:~(main)$ du -sh Maildir/
+    7,9G	Maildir/
+
+    anarcat@curie:~(main)$ du -sh Maildir
+    14G     Maildir
+
+    anarcat@marcos:~$ du -sh Maildir
+    8,0G    Maildir
+
+Those are three different machines:
+
+ * angela: my laptop, not always on
+ * curie: my workstation, mostly always on
+ * marcos: my mail server, always on
+
+The anomaly started on curie:
+
+    -- Reboot --
+    mar 22 16:13:00 curie systemd[3199]: Starting pull emails with syncmaildir...
+    mar 22 16:13:00 curie smd-pull[4801]: rm: impossible de supprimer '/home/anarcat/.smd/workarea/Maildir': Le dossier n'est pas vide
+    mar 22 16:13:00 curie systemd[3199]: smd-pull.service: Main process exited, code=exited, status=1/FAILURE
+    mar 22 16:13:00 curie systemd[3199]: smd-pull.service: Failed with result 'exit-code'.
+    mar 22 16:13:00 curie systemd[3199]: Failed to start pull emails with syncmaildir.
+    mar 22 16:14:00 curie systemd[3199]: Starting pull emails with syncmaildir...
+    mar 22 16:14:00 curie smd-pull[7025]:  4091 ?        00:00:00 smd-push
+    mar 22 16:14:00 curie smd-pull[7025]: Already running.
+    mar 22 16:14:00 curie smd-pull[7025]: If this is not the case, remove /home/anarcat/.smd/lock by hand.
+    mar 22 16:14:00 curie smd-pull[7025]: any: smd-pushpull@localhost: TAGS: error::context(locking) probable-cause(another-instance-is-running) human-intervention(necessary) suggested-actions(run(kill 4091) run(rm /home/anarcat/.smd/lock))
+    mar 22 16:14:00 curie systemd[3199]: smd-pull.service: Main process exited, code=exited, status=1/FAILURE
+    mar 22 16:14:00 curie systemd[3199]: smd-pull.service: Failed with result 'exit-code'.
+    mar 22 16:14:00 curie systemd[3199]: Failed to start pull emails with syncmaildir.
+
+Then it seems like smd-push (from curie) started destroying the
+universe for some reason:
+
+    mar 22 16:20:00 curie systemd[3199]: Starting pull emails with syncmaildir...
+    mar 22 16:20:00 curie smd-pull[9319]:  4091 ?        00:00:00 smd-push
+    mar 22 16:20:00 curie smd-pull[9319]: Already running.
+    mar 22 16:20:00 curie smd-pull[9319]: If this is not the case, remove /home/anarcat/.smd/lock by hand.
+    mar 22 16:20:00 curie smd-pull[9319]: any: smd-pushpull@localhost: TAGS: error::context(locking) probable-cause(another-instance-is-running) human-intervention(necessary) suggested-actions(ru
+    mar 22 16:20:00 curie systemd[3199]: smd-pull.service: Main process exited, code=exited, status=1/FAILURE
+    mar 22 16:20:00 curie systemd[3199]: smd-pull.service: Failed with result 'exit-code'.
+    mar 22 16:20:00 curie systemd[3199]: Failed to start pull emails with syncmaildir.
+    mar 22 16:21:34 curie smd-push[4091]: default: smd-client@smd-server-anarcat: TAGS: stats::new-mails(0), del-mails(293920), bytes-received(0), xdelta-received(26995)
+    mar 22 16:21:35 curie smd-push[9374]: register: smd-client@smd-server-register: TAGS: stats::new-mails(0), del-mails(0), bytes-received(0), xdelta-received(215)
+    mar 22 16:21:35 curie systemd[3199]: smd-push.service: Succeeded.
+
+Notice the `del-mails(293920)` there: that can't be right.. it's
+either 300,000 mails destroyed (it's basically my entire mail spool),
+or (more likely) 300KB of mails...
+
+Then somehow `push` and `pull` started both at once:
+
+    mar 22 16:21:35 curie systemd[3199]: Started push emails with syncmaildir.
+    mar 22 16:21:35 curie systemd[3199]: Starting push emails with syncmaildir...
+    mar 22 16:22:00 curie systemd[3199]: Starting pull emails with syncmaildir...
+    mar 22 16:22:00 curie smd-pull[10333]:  9455 ?        00:00:00 smd-push
+    mar 22 16:22:00 curie smd-pull[10333]: Already running.
+    mar 22 16:22:00 curie smd-pull[10333]: If this is not the case, remove /home/anarcat/.smd/lock by hand.
+    mar 22 16:22:00 curie smd-pull[10333]: any: smd-pushpull@localhost: TAGS: error::context(locking) probable-cause(another-instance-is-running) human-intervention(necessary) suggested-actions(r
+    mar 22 16:22:00 curie systemd[3199]: smd-pull.service: Main process exited, code=exited, status=1/FAILURE
+    mar 22 16:22:00 curie systemd[3199]: smd-pull.service: Failed with result 'exit-code'.
+    mar 22 16:22:00 curie systemd[3199]: Failed to start pull emails with syncmaildir.
+    mar 22 16:22:00 curie smd-push[9455]: smd-client: ERROR: Data transmission failed.
+    mar 22 16:22:00 curie smd-push[9455]: smd-client: ERROR: This problem is transient, please retry.
+    mar 22 16:22:00 curie smd-push[9455]: smd-client: ERROR: server sent ABORT or connection died
+    mar 22 16:22:00 curie smd-push[9455]: smd-server: ERROR: Unable to open Maildir/.kobo/cur/1498563708.M122624P22121.marcos,S=32234,W=32792:2,S: Maildir/.kobo/cur/1498563708.M122624P22121.marco
+    mar 22 16:22:00 curie smd-push[9455]: smd-server: ERROR: The problem should be transient, please retry.
+    mar 22 16:22:00 curie smd-push[9455]: smd-server: ERROR: Unable to open requested file.
+    mar 22 16:22:00 curie smd-push[9455]: default: smd-client@smd-server-anarcat: TAGS: stats::new-mails(0), del-mails(293920), bytes-received(0), xdelta-received(26995)
+    mar 22 16:22:00 curie smd-push[9455]: default: smd-client@smd-server-anarcat: TAGS: error::context(receive) probable-cause(network) human-intervention(avoidable) suggested-actions(retry)
+    mar 22 16:22:00 curie smd-push[9455]: default: smd-server@localhost: TAGS: error::context(transmit) probable-cause(simultaneous-mailbox-edit) human-intervention(avoidable) suggested-actions(r
+    mar 22 16:22:00 curie systemd[3199]: smd-push.service: Main process exited, code=exited, status=1/FAILURE
+    mar 22 16:22:00 curie systemd[3199]: smd-push.service: Failed with result 'exit-code'.
+    mar 22 16:22:00 curie systemd[3199]: Failed to start push emails with syncmaildir.
+
+There it seems `push` tried to destroy the universe again.
+
+Interestingly, the push started again in parallel with the pull, right
+that minute:
+
+    mar 22 16:22:00 curie systemd[3199]: Starting push emails with syncmaildir...
+
+... but didn't complete for a while, here's `pull` trying to start
+again:
+
+    mar 22 16:24:00 curie systemd[3199]: Starting pull emails with syncmaildir...
+    mar 22 16:24:00 curie smd-pull[12051]: 10466 ?        00:00:00 smd-push
+    mar 22 16:24:00 curie smd-pull[12051]: Already running.
+    mar 22 16:24:00 curie smd-pull[12051]: If this is not the case, remove /home/anarcat/.smd/lock by hand.
+    mar 22 16:24:00 curie smd-pull[12051]: any: smd-pushpull@localhost: TAGS: error::context(locking) probable-cause(another-instance-is-running) human-intervention(necessary) suggested-actions(run(kill 10466) run(rm /home/anarcat/.smd/lock))
+    mar 22 16:24:00 curie systemd[3199]: smd-pull.service: Main process exited, code=exited, status=1/FAILURE
+    mar 22 16:24:00 curie systemd[3199]: smd-pull.service: Failed with result 'exit-code'.
+    mar 22 16:24:00 curie systemd[3199]: Failed to start pull emails with syncmaildir.
+
+... and the long push finally resolving:
+
+    mar 22 16:24:00 curie smd-push[10466]: smd-client: ERROR: Data transmission failed.
+    mar 22 16:24:00 curie smd-push[10466]: smd-client: ERROR: This problem is transient, please retry.
+    mar 22 16:24:00 curie smd-push[10466]: smd-client: ERROR: server sent ABORT or connection died
+    mar 22 16:24:00 curie smd-push[10466]: smd-client: ERROR: Data transmission failed.
+    mar 22 16:24:00 curie smd-push[10466]: smd-client: ERROR: This problem is transient, please retry.
+    mar 22 16:24:00 curie smd-push[10466]: smd-client: ERROR: server sent ABORT or connection died
+    mar 22 16:24:00 curie smd-push[10466]: smd-server: ERROR: Unable to open Maildir/.kobo/cur/1498563708.M122624P22121.marcos,S=32234,W=32792:2,S: Maildir/.kobo/cur/1498563708.M122624P22121.marcos,S=32234,W=32792:2,S: No such file or directory
+    mar 22 16:24:00 curie smd-push[10466]: smd-server: ERROR: The problem should be transient, please retry.
+    mar 22 16:24:00 curie smd-push[10466]: smd-server: ERROR: Unable to open requested file.
+    mar 22 16:24:00 curie smd-push[10466]: default: smd-client@smd-server-anarcat: TAGS: stats::new-mails(0), del-mails(293920), bytes-received(0), xdelta-received(26995)
+    mar 22 16:24:00 curie smd-push[10466]: default: smd-client@smd-server-anarcat: TAGS: error::context(receive) probable-cause(network) human-intervention(avoidable) suggested-actions(retry)
+    mar 22 16:24:00 curie smd-push[10466]: default: smd-server@localhost: TAGS: error::context(transmit) probable-cause(simultaneous-mailbox-edit) human-intervention(avoidable) suggested-actions(retry)
+    mar 22 16:24:00 curie systemd[3199]: smd-push.service: Main process exited, code=exited, status=1/FAILURE
+    mar 22 16:24:00 curie systemd[3199]: smd-push.service: Failed with result 'exit-code'.
+    mar 22 16:24:00 curie systemd[3199]: Failed to start push emails with syncmaildir.
+    mar 22 16:24:00 curie systemd[3199]: Starting push emails with syncmaildir...
+
+This pattern repeats until 16:35, when that locking issue silently recovered somehow:
+
+    mar 22 16:35:03 curie systemd[3199]: Starting pull emails with syncmaildir...
+    mar 22 16:35:41 curie smd-pull[20788]: default: smd-client@localhost: TAGS: stats::new-mails(5), del-mails(1), bytes-received(21885), xdelta-received(6863398)
+    mar 22 16:35:42 curie smd-pull[21373]: register: smd-client@localhost: TAGS: stats::new-mails(0), del-mails(0), bytes-received(0), xdelta-received(215)
+    mar 22 16:35:42 curie systemd[3199]: smd-pull.service: Succeeded.
+    mar 22 16:35:42 curie systemd[3199]: Started pull emails with syncmaildir.
+    mar 22 16:36:35 curie systemd[3199]: Starting pull emails with syncmaildir...
+    mar 22 16:36:36 curie smd-pull[21738]: default: smd-client@localhost: TAGS: stats::new-mails(0), del-mails(0), bytes-received(0), xdelta-received(214)
+    mar 22 16:36:37 curie smd-pull[21816]: register: smd-client@localhost: TAGS: stats::new-mails(0), del-mails(0), bytes-received(0), xdelta-received(215)
+    mar 22 16:36:37 curie systemd[3199]: smd-pull.service: Succeeded.
+    mar 22 16:36:37 curie systemd[3199]: Started pull emails with syncmaildir.
+
+... notice that huge `xdelta-received` there, that's 7GB right
+there. Mysteriously, the curie mail spool survived this.
+
+this immediately started failing again:
+
+    mar 22 16:38:00 curie systemd[3199]: Starting pull emails with syncmaildir...
+    mar 22 16:38:00 curie smd-pull[23556]: 21887 ?        00:00:00 smd-push
+    mar 22 16:38:00 curie smd-pull[23556]: Already running.
+    mar 22 16:38:00 curie smd-pull[23556]: If this is not the case, remove /home/anarcat/.smd/lock by hand.
+    mar 22 16:38:00 curie smd-pull[23556]: any: smd-pushpull@localhost: TAGS: error::context(locking) probable-cause(another-instance-is-running) human-intervention(necessary) suggested-actions(run(kill 21887) run(rm /home/anarcat/.smd/lock))
+    mar 22 16:38:00 curie systemd[3199]: smd-pull.service: Main process exited, code=exited, status=1/FAILURE
+    mar 22 16:38:00 curie systemd[3199]: smd-pull.service: Failed with result 'exit-code'.
+    mar 22 16:38:00 curie systemd[3199]: Failed to start pull emails with syncmaildir.
+
+that could have been when i got on angela to check my mail, and it was
+busy doing the nasty removal stuff.
+
+although the times don't match... here's when angela came back online:
+
+    anarcat@angela:~(main)$ last
+    anarcat  :0           :0               Mon Mar 22 19:57   still logged in
+    reboot   system boot  5.10.0-0.bpo.3-a Mon Mar 22 19:57   still running
+    anarcat  :0           :0               Mon Mar 22 17:43 - 18:47  (01:03)
+    reboot   system boot  5.10.0-0.bpo.3-a Mon Mar 22 17:39   still running
+
+then finally it failed with:
+
+    mar 22 16:46:35 curie systemd[3199]: Starting pull emails with syncmaildir...
+    mar 22 16:46:42 curie smd-pull[27455]: smd-server: ERROR: Client aborted, removing /home/anarcat/.smd/curie-anarcat__Maildir.db.txt.new and /home/anarcat/.smd/curie-anarcat__Maildir.db.txt.mtime.new
+    mar 22 16:46:42 curie smd-pull[27455]: smd-client: ERROR: Failed to copy Maildir/.debian/cur/1613401668.M901837P27073.marcos,S=3740,W=3815:2,S to Maildir/.koumbit/cur/1613401640.M415457P27063.marcos,S=3790,W=3865:2,S
+    mar 22 16:46:42 curie smd-pull[27455]: smd-client: ERROR: The destination already exists but its content differs.
+    mar 22 16:46:42 curie smd-pull[27455]: smd-client: ERROR: To fix this problem you have two options:
+    mar 22 16:46:42 curie smd-pull[27455]: smd-client: ERROR: - rename Maildir/.koumbit/cur/1613401640.M415457P27063.marcos,S=3790,W=3865:2,S by hand so that Maildir/.debian/cur/1613401668.M901837P27073.marcos,S=3740,W=3815:2,S
+    mar 22 16:46:42 curie smd-pull[27455]: smd-client: ERROR:   can be copied without replacing it.
+    mar 22 16:46:42 curie smd-pull[27455]: smd-client: ERROR:   Executing `cd; mv -n "Maildir/.koumbit/cur/1613401640.M415457P27063.marcos,S=3790,W=3865:2,S" "Maildir/.koumbit/cur/1616446002.1.localhost"` should work.
+    mar 22 16:46:42 curie smd-pull[27455]: smd-client: ERROR: - run smd-push so that your changes to Maildir/.koumbit/cur/1613401640.M415457P27063.marcos,S=3790,W=3865:2,S
+    mar 22 16:46:42 curie smd-pull[27455]: smd-client: ERROR:   are propagated to the other mailbox
+    mar 22 16:46:42 curie smd-pull[27455]: default: smd-client@localhost: TAGS: error::context(copy-message) probable-cause(concurrent-mailbox-edit) human-intervention(necessary) suggested-actions(run(mv -n "/home/anarcat/.smd/workarea/Maildir/.koumbit/cur/1613401640.M415457P27063.marcos,S=3790,W=3865:2,S" "/home/anarcat/.smd/workarea/Maildir/.koumbit/tmp/1613401640.M415457P27063.marcos,S=3790,W=3865:2,S") run(smd-push default))
+    mar 22 16:46:42 curie systemd[3199]: smd-pull.service: Main process exited, code=exited, status=1/FAILURE
+    mar 22 16:46:42 curie systemd[3199]: smd-pull.service: Failed with result 'exit-code'.
+    mar 22 16:46:42 curie systemd[3199]: Failed to start pull emails with syncmaildir.
+
+and it's been stuck on this ever since. this is, presumably, a good
+thing because those emails are not being destroyed.
+
+on angela, things looked like this:
+
+    -- Reboot --
+    mar 22 17:39:29 angela systemd[1677]: Started run notmuch new at least once a day.
+    mar 22 17:39:29 angela systemd[1677]: Started run smd-pull regularly.
+    mar 22 17:40:46 angela systemd[1677]: Starting pull emails with syncmaildir...
+    mar 22 17:43:18 angela smd-pull[3916]: smd-server: ERROR: Unable to open Maildir/.tor/new/1616446842.M285912P26118.marcos,S=8860,W=8996: Maildir/.tor/new/1616446842.M285912P26118.marcos,S=886
+    0,W=8996: No such file or directory
+    mar 22 17:43:18 angela smd-pull[3916]: smd-server: ERROR: The problem should be transient, please retry.
+    mar 22 17:43:18 angela smd-pull[3916]: smd-server: ERROR: Unable to open requested file.
+    mar 22 17:43:18 angela smd-pull[3916]: smd-client: ERROR: Data transmission failed.
+    mar 22 17:43:18 angela smd-pull[3916]: smd-client: ERROR: This problem is transient, please retry.
+    mar 22 17:43:18 angela smd-pull[3916]: smd-client: ERROR: server sent ABORT or connection died
+    mar 22 17:43:18 angela smd-pull[3916]: default: smd-server@smd-server-anarcat: TAGS: error::context(transmit) probable-cause(simultaneous-mailbox-edit) human-intervention(avoidable) suggested
+    -actions(retry)
+    mar 22 17:43:18 angela smd-pull[3916]: default: smd-client@localhost: TAGS: error::context(receive) probable-cause(network) human-intervention(avoidable) suggested-actions(retry)
+    mar 22 17:43:18 angela systemd[1677]: smd-pull.service: Main process exited, code=exited, status=1/FAILURE

(Diff truncated)
switched monitors
diff --git a/hardware/monitor.mdwn b/hardware/monitor.mdwn
index 7475ba2c..220b27f9 100644
--- a/hardware/monitor.mdwn
+++ b/hardware/monitor.mdwn
@@ -33,6 +33,10 @@ HP L2245wg
  * 2 USB
  * LCD
 
+Update: replaced with the LG Flatron Wid L204WTX-SF, on an "arm",
+because the HP was getting finnicky: it would "short" and blank out,
+get all "fuzzy" and weird. The new monitor looks *much* better.
+
 [Upstream](https://support.hp.com/us-en/product/hp-l2245wg-22-inch-widescreen-lcd-monitor/3758498/manuals), [manual](http://h10032.www1.hp.com/ctg/Manual/c01555675), [specs](https://www.cnet.com/products/hp-l2245wg/).
 
 Old monitors
@@ -45,7 +49,7 @@ what works and doesn't, in descending order of (totally subjective)
  * [Samsung B2330H](https://www.samsung.com/us/business/support/owners/product/b2330-series-b2330hd/) 1920x1080@60Hz, 23", 70,000:1, 5ms, VGA, HDMI,
    DVI, gigantic, molten hole in the back, but works
  * [LG Flatron Wide L204WTX-SF](https://www.lg.com/ca_en/support/product/lg-L204WTX-SF) 1680x1050@60Hz, 20", 2000:1, 5ms,
-   VGA, DVI, looks great
+   VGA, DVI, looks great, one dead pixel
  * [Acer X193w](https://www.cnet.com/products/acer-x193w-lcd-monitor/) 1440x900@75Hz, 2000:1, 5ms VGA, DVI, clean and
    simple, top partially melted
  * [Acer P186HV](https://productz.com/en/acer-p186hv/p/JJ3rY) 133x768@60Hz, 18.5", 5000:1, 5ms, VGA, display

more devices
diff --git a/hardware/server/marcos.mdwn b/hardware/server/marcos.mdwn
index 5d7e7036..cf5cc437 100644
--- a/hardware/server/marcos.mdwn
+++ b/hardware/server/marcos.mdwn
@@ -264,8 +264,12 @@ the cluster, as 6 drives going full spin will generate a lot of I/O.
 
 ## Helios
 
-In pre-order: https://kobol.io/helios4/ Interesting alternative to the
-gnubee (more powerful, among other things).
+<https://kobol.io/helios4/>
+
+Interesting alternative to the gnubee (more powerful, among other
+things).
+
+Reviews: [hardware](https://hya.sk/blog/posts/helios64-hardware/), [software](https://hya.sk/blog/posts/helios64-software/).
 
 ## Supermicro
 
@@ -374,6 +378,12 @@ It's unclear if I could just migrate marcos to this platform as is,
 and the prices might be slightly higher than what I would get when
 building it from scratch...
 
+## Pine 64
+
+They have SBCs of course -- that's how they started -- but also a neat
+little [NAS case](https://wiki.pine64.org/wiki/NASCase). Make sure you also get [all the parts needed](https://wiki.pine64.org/wiki/NASCase#What_other_bare-minimum_things_do_I_need_for_a_NAS_build.3F).
+
+
 ## Ten64
 
 https://www.crowdsupply.com/traverse-technologies/ten64/updates/building-a-nas-with-ten64-and-rockstor-and-new-turnkey-nas-bundle

typo
diff --git a/blog/2021-03-19-dtach-screen-security.md b/blog/2021-03-19-dtach-screen-security.md
index d64c1fa7..97b8081d 100644
--- a/blog/2021-03-19-dtach-screen-security.md
+++ b/blog/2021-03-19-dtach-screen-security.md
@@ -48,7 +48,7 @@ separate user altogether. This requires me to create another user, say
     adduser foo-irc
 
 ... and run it as a `systemd` service, because how else are you going
-to start this thing anyways, `cron`? I came up with this something
+to start this thing anyways, `cron`? I came up with something
 like this unit file:
 
     [Unit]

passwordless
diff --git a/blog/2021-03-19-dtach-screen-security.md b/blog/2021-03-19-dtach-screen-security.md
index 79061ee1..d64c1fa7 100644
--- a/blog/2021-03-19-dtach-screen-security.md
+++ b/blog/2021-03-19-dtach-screen-security.md
@@ -95,6 +95,25 @@ and see what sticks. At this point, the unit file becomes too long to
 just maintain in a blog post (which would be silly, but not unheard
 of), so just [look at this git repository instead](https://gitlab.com/anarcat/puppet-dtach/-/blob/main/files/irssi@.service).
 
+# Password-less remote irssi
+
+The neat thing with this hardening is that I now feel comfortable
+enough with the setup to just add a password-less SSH key to that
+(basically throwaway) account: worst that can happen if someone gets a
+hold of that SSH key is they land in a heavily sandboxed `irssi`
+session. So yay, no password to jump on chat. Like a real client or
+something.
+
+Just make sure to secure the SSH key you'll deploy in
+`authorized_keys` with:
+
+    restrict,pty,command="dtach -a /run/foo-irc/dtach-irssi.socket" [...]
+
+Obviously, make sure the keys are not writable by the user, by placing
+it somewhere outside their home, which might require hacking at your
+server's SSH configuration. Because otherwise a compromised user will
+be able to change his own `authorized_keys`, which could be bad.
+
 # Configuration management
 
 And at this point, you may have noticed that you shouldn't actually

to what
diff --git a/blog/2021-03-19-dtach-screen-security.md b/blog/2021-03-19-dtach-screen-security.md
index 34091d42..79061ee1 100644
--- a/blog/2021-03-19-dtach-screen-security.md
+++ b/blog/2021-03-19-dtach-screen-security.md
@@ -25,7 +25,7 @@ IRC](https://anarc.at/blog/2019-03-05-report/#using-dtach-instead-of-screen-for-
 that I didn't actually *need* multiplexing to run my long-running IRC
 session: I just needed to be able to reattach to the terminal. That's
 what `dtach` does. No windows, no panes, and, especially, no way to
-start a new shell, which is exactly the kind of hardening I needed to.
+start a new shell, which is exactly the kind of hardening I need.
 
 So I came up with this, to start `irssi`:
 

toc
diff --git a/blog/2021-03-19-dtach-screen-security.md b/blog/2021-03-19-dtach-screen-security.md
index f6785ef4..34091d42 100644
--- a/blog/2021-03-19-dtach-screen-security.md
+++ b/blog/2021-03-19-dtach-screen-security.md
@@ -16,6 +16,8 @@ After all, it's not because we found this flaw in `screen` that it
 doesn't exist in `tmux` (or your favorite terminal emulator, for that
 matter, a much scarier thought).
 
+[[!toc]]
+
 # Hardening my bouncer
 
 Back in March 2019, I had already [switched away from screen for

edit myself
diff --git a/blog/2021-03-19-dtach-screen-security.md b/blog/2021-03-19-dtach-screen-security.md
index 0a5985ea..f6785ef4 100644
--- a/blog/2021-03-19-dtach-screen-security.md
+++ b/blog/2021-03-19-dtach-screen-security.md
@@ -2,18 +2,28 @@
 
 A recent [vulnerability in GNU screen](https://security-tracker.debian.org/tracker/CVE-2021-26937) caused some people to
 reconsider their commitment to the venerable terminal multiplexing
-program, typically used by thousands of old sysadmins around the world
-to run long-standing processes and, particularly, IRC sessions.
+program. [GNU screen](https://savannah.gnu.org/projects/screen) is probably used by thousands of old
+sysadmins around the world to run long-standing processes and,
+particularly, IRC sessions, which are especially vulnerable to
+arbitrary garbage coming on ... screen, so to speak.
+
+So this vulnerability matters, and you should definitely pay attention
+to it. If you haven't switched to [tmux](https://github.com/tmux/tmux) yet, now might be a good
+time to get your fingers trained. But don't switch to it just yet for
+your IRC session, and read on for a better, more secure solution.
+
+After all, it's not because we found this flaw in `screen` that it
+doesn't exist in `tmux` (or your favorite terminal emulator, for that
+matter, a much scarier thought).
 
 # Hardening my bouncer
 
 Back in March 2019, I had already [switched away from screen for
-IRC](https://anarc.at/blog/2019-03-05-report/#using-dtach-instead-of-screen-for-my-irc-bouncer), but not to [tmux](https://github.com/tmux/tmux) like many did, but to [dtach](http://dtach.sourceforge.net/). I
-figured that I didn't actually *need* multiplexing to run my
-long-running IRC session: I just needed to be able to reattach to the
-terminal. That's what `dtach` does. No windows, no panes, and,
-especially, no way to start a new shell, which is exactly the kind of
-hardening I needed to.
+IRC](https://anarc.at/blog/2019-03-05-report/#using-dtach-instead-of-screen-for-my-irc-bouncer), but not to `tmux` like many did, but to [dtach](http://dtach.sourceforge.net/). I figured
+that I didn't actually *need* multiplexing to run my long-running IRC
+session: I just needed to be able to reattach to the terminal. That's
+what `dtach` does. No windows, no panes, and, especially, no way to
+start a new shell, which is exactly the kind of hardening I needed to.
 
 So I came up with this, to start `irssi`:
 
@@ -23,19 +33,21 @@ To attach:
 
     dtach -a /run/$USER/dtach-irssi.socket
 
-Fairly simple no? Already one attack vector gone.
+Fairly simple no? Already one attack vector gone: evil attacker can't
+get a new shell through my terminal multiplexer, yay.
 
 # Splitting into another user
 
 But why stop there! Why am I running `irssi` as my main user anyways!
-Let's take the lessons from good UNIX security, and run this as a
-separate user. This requires me to create another user, say
+Let's take the [lessons from good UNIX security](https://en.wikipedia.org/wiki/Privilege_separation), and run this as a
+separate user altogether. This requires me to create another user, say
 `foo-irc`:
 
     adduser foo-irc
 
-... and run it as a systemd service (because why not). Then
-I come up with this unit file:
+... and run it as a `systemd` service, because how else are you going
+to start this thing anyways, `cron`? I came up with this something
+like this unit file:
 
     [Unit]
     Description=IRC screen session
@@ -56,11 +68,11 @@ this in `/etc/systemd/system/irssi@.service`, then you run:
 
     systemctl daemon-reload
 
-And then instanciate that template:
+And then, not sure about this bit, instantiate that template:
 
     systemctl enable irssi@foo-irc.service
 
-And then this should start the irssi session:
+And then this should start the `irssi` session:
 
     systemctl start irssi@foo-irc.service
 
@@ -68,27 +80,28 @@ To access the session:
 
     sudo -u foo-irc dtach -a /run/foo-irc/dtach-irssi.socket
 
-Obviously, you will probably need to migrate your irssi configuration
-over, otherwise you'll end up with a blank, old-school irssi. Take a
-moment to savor the view though. Nostalgia. Ah.
+Obviously, you will probably need to migrate your `irssi`
+configuration over, otherwise you'll end up with a blank, old-school
+`irssi`. Take a moment to savor the view though. Nostalgia. Ah.
 
 # Hardening irssi
 
 But this is still not enough. That pesky `foo-irc` user can still
-launch arbitrary commands, thanks to irssi `/exec` (and a generous
+launch arbitrary commands, thanks to `irssi` `/exec` (and a generous
 Perl scripting environment). Let's throw the entire kitchen sink at it
-and see what stinks. At this point, the unit file becomes too long to
-just list here, so just [look at this git repository instead](https://gitlab.com/anarcat/puppet-dtach/-/blob/main/files/irssi@.service).
+and see what sticks. At this point, the unit file becomes too long to
+just maintain in a blog post (which would be silly, but not unheard
+of), so just [look at this git repository instead](https://gitlab.com/anarcat/puppet-dtach/-/blob/main/files/irssi@.service).
 
 # Configuration management
 
-And at this point, you will have noticed that you shouldn't actually
-followed my instructions to the letter, and just use [this neat little
-Puppet module](https://gitlab.com/anarcat/puppet-dtach/) which does all of the above, but also include some
-little wrapper so that `mosh` still works.
+And at this point, you may have noticed that you shouldn't actually
+followed my instructions to the letter. Instead, just use [this neat
+little Puppet module](https://gitlab.com/anarcat/puppet-dtach/) which does all of the above, but also include
+some little wrapper so that `mosh` still works.
 
 It also includes instructions on how to setup your SSH keys.
 
-Enjoy.
+Enjoy, and let me know if (or rather, how) I messed up.
 
 [[!tag debian debian-planet systemd irssi irc security python-planet hack]]

another hack
diff --git a/blog/2021-03-19-dtach-screen-security.md b/blog/2021-03-19-dtach-screen-security.md
new file mode 100644
index 00000000..0a5985ea
--- /dev/null
+++ b/blog/2021-03-19-dtach-screen-security.md
@@ -0,0 +1,94 @@
+[[!meta title="Securing my IRC (irssi, screen) session with dtach and systemd"]]
+
+A recent [vulnerability in GNU screen](https://security-tracker.debian.org/tracker/CVE-2021-26937) caused some people to
+reconsider their commitment to the venerable terminal multiplexing
+program, typically used by thousands of old sysadmins around the world
+to run long-standing processes and, particularly, IRC sessions.
+
+# Hardening my bouncer
+
+Back in March 2019, I had already [switched away from screen for
+IRC](https://anarc.at/blog/2019-03-05-report/#using-dtach-instead-of-screen-for-my-irc-bouncer), but not to [tmux](https://github.com/tmux/tmux) like many did, but to [dtach](http://dtach.sourceforge.net/). I
+figured that I didn't actually *need* multiplexing to run my
+long-running IRC session: I just needed to be able to reattach to the
+terminal. That's what `dtach` does. No windows, no panes, and,
+especially, no way to start a new shell, which is exactly the kind of
+hardening I needed to.
+
+So I came up with this, to start `irssi`:
+
+    dtach -N /run/$USER/dtach-irssi.socket irssi
+
+To attach:
+
+    dtach -a /run/$USER/dtach-irssi.socket
+
+Fairly simple no? Already one attack vector gone.
+
+# Splitting into another user
+
+But why stop there! Why am I running `irssi` as my main user anyways!
+Let's take the lessons from good UNIX security, and run this as a
+separate user. This requires me to create another user, say
+`foo-irc`:
+
+    adduser foo-irc
+
+... and run it as a systemd service (because why not). Then
+I come up with this unit file:
+
+    [Unit]
+    Description=IRC screen session
+    After=network.target
+
+    [Service]
+    Type=simple
+    Environment="TERM=screen.xterm-256color"
+    User=%i
+    RuntimeDirectory=%i
+    ExecStart=-/usr/bin/dtach -N /run/%i/dtach-irssi.socket irssi
+    ExecStop=-/bin/sh -c 'echo /quit stopping service... | exec /usr/bin/dtach -p /run/%i/dtach-irssi.socket'
+    ExecReload=-/bin/sh -c 'echo /restart | exec /usr/bin/dtach -p /run/%i/dtach-irssi.socket'
+
+Notice this is a service template, because of the `%i` stuff. I don't
+actually remember how to enable this thing, but let's say you drop
+this in `/etc/systemd/system/irssi@.service`, then you run:
+
+    systemctl daemon-reload
+
+And then instanciate that template:
+
+    systemctl enable irssi@foo-irc.service
+
+And then this should start the irssi session:
+
+    systemctl start irssi@foo-irc.service
+
+To access the session:
+
+    sudo -u foo-irc dtach -a /run/foo-irc/dtach-irssi.socket
+
+Obviously, you will probably need to migrate your irssi configuration
+over, otherwise you'll end up with a blank, old-school irssi. Take a
+moment to savor the view though. Nostalgia. Ah.
+
+# Hardening irssi
+
+But this is still not enough. That pesky `foo-irc` user can still
+launch arbitrary commands, thanks to irssi `/exec` (and a generous
+Perl scripting environment). Let's throw the entire kitchen sink at it
+and see what stinks. At this point, the unit file becomes too long to
+just list here, so just [look at this git repository instead](https://gitlab.com/anarcat/puppet-dtach/-/blob/main/files/irssi@.service).
+
+# Configuration management
+
+And at this point, you will have noticed that you shouldn't actually
+followed my instructions to the letter, and just use [this neat little
+Puppet module](https://gitlab.com/anarcat/puppet-dtach/) which does all of the above, but also include some
+little wrapper so that `mosh` still works.
+
+It also includes instructions on how to setup your SSH keys.
+
+Enjoy.
+
+[[!tag debian debian-planet systemd irssi irc security python-planet hack]]

more lsp ideas
diff --git a/blog/lsp-in-debian.md b/blog/lsp-in-debian.md
index 079ee040..92b179d2 100644
--- a/blog/lsp-in-debian.md
+++ b/blog/lsp-in-debian.md
@@ -61,21 +61,44 @@ e.g. `black` support).
 
 # Remaining work
 
+## Puppet and Ruby
+
 I still have to figure how to actually use this: I mostly spend my
 time in Puppet these days, there is no server listed in the [Emacs
-lsp-mode language list](https://emacs-lsp.github.io/lsp-mode/page/languages/), but there *is* one listed over at the
-[upstream language list](https://microsoft.github.io/language-server-protocol/implementors/servers/), the [puppet-editor-services](https://github.com/puppetlabs/puppet-editor-services)
+lsp-mode language list][], but there *is* one listed over at the
+[upstream language list][], the [puppet-editor-services](https://github.com/puppetlabs/puppet-editor-services)
 server. But it's not packaged in Debian, and seems
 somewhat... involved. Would still be a huge boost. The [Voxpupuli
 team](https://voxpupuli.org/) have [vim install instructions](https://voxpupuli.org/blog/2019/04/08/puppet-lsp-vim/) which also suggest
 installing [solargraph](https://github.com/castwide/solargraph), the Ruby language server, also not
 packaged in Debian.
 
+[Emacs lsp-mode language list]: https://emacs-lsp.github.io/lsp-mode/page/languages/
+[upstream language list]: https://microsoft.github.io/language-server-protocol/implementors/servers/
+
+## Python
+
 When I'm not in Puppet land, I'm mostly in Python, and there I am
 usually in [Elpy](https://elpy.readthedocs.io/). It's unclear to me if LSP totally replaces Elpy,
 or if they work alongside each other, so that's another thing I need
 to look into.
 
+## Bash
+
+I guess I do a bit of shell scripting from time to time nowadays, even
+though I don't like it. So the [bash-language-server](https://github.com/bash-lsp/bash-language-server) may prove
+useful as well.
+
+## Other languages
+
+Here are more language servers available:
+
+ * [upstream language list][]: all servers known to upstream
+ * [Emacs lsp-mode language list][]: all servers known to the Emacs
+   mode
+
+## Overall
+
 Basically, I'm not using this at all right now and those are just
 notes...
 

another recorder idea
diff --git a/hardware/audio.mdwn b/hardware/audio.mdwn
index af123d06..7f97a197 100644
--- a/hardware/audio.mdwn
+++ b/hardware/audio.mdwn
@@ -111,6 +111,12 @@ complicated:
  * nowadays most mixers have USB outputs so even a [Behringer Xenyx
    1222](https://www.bhphotovideo.com/c/product/927278-REG/behringer_qx1222usb_xenyx_x1222usb_16_input_usb.html) has USB, which could be a good solution. below 12
    channels, there's no slider which is annoying
+ * another idea altogether: small recorders like the [Zoom H5](https://zoomcorp.com/en/us/handheld-recorders/handheld-recorders/h5/) can
+   actually do 4-track recording, and has XLR inputs (with phantom
+   power) although only two of those (typically, for stereo
+   recordings). it also shows up as an audio device in Linux, but the
+   main thing with those devices is just live recording on the SD
+   card. [jgoerzen loves his](https://floss.social/@jgoerzen/105914396057648649).
 
 # Mixers
 

headings
diff --git a/hardware/audio.mdwn b/hardware/audio.mdwn
index 8524bc24..af123d06 100644
--- a/hardware/audio.mdwn
+++ b/hardware/audio.mdwn
@@ -1,7 +1,6 @@
 [[!toc levels=3]]
 
-Headphones and mikes
-====================
+# Headphones and mikes
 
 This is my current audio hardware line up, yes I kind of splurged on
 this at some point:
@@ -72,8 +71,7 @@ I also have many headphones-only gizmos:
 Note that some devices do not have audio jacks anymore, see this [An
 Ode to the Headphone Jack](https://medium.com/@cvneutron/an-ode-to-the-headphone-jack-6415ea80a732) for the history.
 
-Other ideas
------------
+## Other ideas
 
 Other over-the-ears headphones:
 
@@ -94,8 +92,7 @@ consider:
  * [Blue audio Yeticaster](https://www.bluemic.com/en-us/products/yeticaster/) ([200$USD B&H](https://www.bhphotovideo.com/c/product/1385877-REG/blue_yeticaster_prodessional_broadcast_bundle.html?fromDisList=y)), includes boom, cable
    management, and excellent audio, [recommended by jvoisin](https://dustri.org/b/my-writing-code-from-home-setup.html)
 
-XLR jacks and recording
-=======================
+# XLR jacks and recording
 
 I have thought of getting a Shure SM58 as a mike and plug it in, but
 it requires converting the XLR connector into a 1/8" jack, and that's
@@ -115,8 +112,7 @@ complicated:
    1222](https://www.bhphotovideo.com/c/product/927278-REG/behringer_qx1222usb_xenyx_x1222usb_16_input_usb.html) has USB, which could be a good solution. below 12
    channels, there's no slider which is annoying
 
-Mixers
-======
+# Mixers
 
 A&H seems to be the top of the line in build quality, but it's more
 expensive. The [ZED-12FX](https://www.long-mcquade.com/73151/Pro-Audio---Recording/Mixers/Allen---Heath/ZED-12FX-Mixer-with-USB-Connection-and-Effects.htm) is 700$CAD with 6 XLR/TRS and 3 line in,
@@ -173,8 +169,7 @@ match. See also [this discussion](https://linuxmusicians.com/viewtopic.php?f=6&t
 
 [Soundcraft EPM8]: https://www.soundcraft.com/en-US/products/epm8
 
-Speakers
-========
+# Speakers
 
 Entry level for JBL is the EON 610 for [580$ at Redone][]: 1000W
 active speaker, prices go up as we crack the speaker size. Diplomate
@@ -197,8 +192,7 @@ suspicious.
 [Thump12A 1300W 12"]: https://www.long-mcquade.com/91763/Pro-Audio---Recording/PA-Speaker-Cabinets/Mackie/Thump12A-1300W-12---Powered-Loudspeaker.htm
 [12" 200W]: https://www.long-mcquade.com/366/Pro_Audio_Recording/PA_Cabinets/Yorkville_Sound/NX_Series_Powered_Loudspeaker_-_12_inch_Woofer_-_200_Watts.htm
 
-Setup
-=====
+# Setup
 
 Our final setup would look something like this:
 
@@ -270,8 +264,7 @@ and a more elaborate audio interface.
 
 [Soundcraft Notepad 102]: https://www.soundcraft.com/products/notepad-102
 
-Shops
-=====
+# Shops
 
 This list was built mostly for rentals, but also features shops that
 sell the gear:

one more spec
diff --git a/hardware/phone/fairphone2.mdwn b/hardware/phone/fairphone2.mdwn
index b2a8da16..990b7d4d 100644
--- a/hardware/phone/fairphone2.mdwn
+++ b/hardware/phone/fairphone2.mdwn
@@ -190,8 +190,11 @@ Specifications
  * 3.5mm audio jack
  * Micro-USB 2.0
  * 5" screen, 143 mm x 73 mm x 11 mm, gorilla glass 3
+ * Weight: 148 g (phone) + 20 g (external case)
  * Battery: 2420 mAh at 3.8V (9.2 Wh) - REMOVABLE!!
 
+See also the great [iFixit specs](https://www.ifixit.com/Device/Fairphone_2#Section_Technical_Specifications).
+
 Operating system
 ================
 

more fonts
diff --git a/blog/2020-03-10-font-changes.mdwn b/blog/2020-03-10-font-changes.mdwn
index 386ac46c..6b903c38 100644
--- a/blog/2020-03-10-font-changes.mdwn
+++ b/blog/2020-03-10-font-changes.mdwn
@@ -32,13 +32,16 @@ alternatives. I found the following packages in debian:
  * [fonts-monoid](https://tracker.debian.org/fonts-monoid): ligatures, feels much "thinner" than jetbrains
  * [fonts-mononoki](https://tracker.debian.org/fonts-mononoki): no ligatures, looks good, suggested by the
    fonts team as part of [fonts-recommended](https://tracker.debian.org/fonts-recommended)
+ * [fonts-agave](https://tracker.debian.org/pkg/fonts-agave):
+   recommended by tarzeau
 
 Those are also "programmer fonts" that caught my interest but somehow
 didn't land in Debian yet:
 
  * [sudo](https://www.kutilek.de/sudo-font/): personal project, no ligatures
  * [Iosevka](https://typeof.net/Iosevka/): ligatures, multilingual
- * [Adobe's source code pro](http://adobe-fonts.github.io/source-code-pro/): [WNPP](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736681)
+ * [Adobe's source code pro](http://adobe-fonts.github.io/source-code-pro/): [RFP](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736681)
+ * [spleen](https://github.com/fcambus/spleen): [RFS](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985447)
 
 Because Fira code had ligatures, i ended up giving it a shot. I really
 like the originality of the font. See, for example, how the `@` sign

a proverb about documentation
Source:
https://about.gitlab.com/resources/downloads/ebook-remote-playbook.pdf
Confirmation:
https://ask.metafilter.com/247533/Is-this-really-an-ancient-Chinese-proverb
diff --git a/fortunes.txt b/fortunes.txt
index f91b075a..8424d1a5 100644
--- a/fortunes.txt
+++ b/fortunes.txt
@@ -1155,3 +1155,6 @@ You can't get to the moon by climbing successively taller trees.
 La perfection est atteinte, non pas lorsqu'il n'y a plus rien à
 ajouter, mais lorsqu'il n'y a plus rien à retirer.
                         - Antoine de Saint-Exupéry
+%
+The palest ink is better than the most capricious memory.
+                        - ancient Chinese proverb

clangd ... probably supports objc?
diff --git a/blog/lsp-in-debian.md b/blog/lsp-in-debian.md
index 1645299c..079ee040 100644
--- a/blog/lsp-in-debian.md
+++ b/blog/lsp-in-debian.md
@@ -47,7 +47,7 @@ the servers I currently know of in Debian:
 | package                   | languages          |
 |---------------------------|--------------------|
 | `ccls`                    | C, C++, ObjectiveC |
-| `clangd`                  | C, C++             |
+| `clangd`                  | C, C++, ObjectiveC |
 | `elpa-lsp-haskell`        | Haskell            |
 | `fortran-language-server` | Fortran            |
 | `gopls`                   | Golang             |

add notes from the voxpupuli instructions, thanks lelutin
diff --git a/blog/lsp-in-debian.md b/blog/lsp-in-debian.md
index a8dcc088..1645299c 100644
--- a/blog/lsp-in-debian.md
+++ b/blog/lsp-in-debian.md
@@ -66,7 +66,10 @@ time in Puppet these days, there is no server listed in the [Emacs
 lsp-mode language list](https://emacs-lsp.github.io/lsp-mode/page/languages/), but there *is* one listed over at the
 [upstream language list](https://microsoft.github.io/language-server-protocol/implementors/servers/), the [puppet-editor-services](https://github.com/puppetlabs/puppet-editor-services)
 server. But it's not packaged in Debian, and seems
-somewhat... involved. Would still be a huge boost.
+somewhat... involved. Would still be a huge boost. The [Voxpupuli
+team](https://voxpupuli.org/) have [vim install instructions](https://voxpupuli.org/blog/2019/04/08/puppet-lsp-vim/) which also suggest
+installing [solargraph](https://github.com/castwide/solargraph), the Ruby language server, also not
+packaged in Debian.
 
 When I'm not in Puppet land, I'm mostly in Python, and there I am
 usually in [Elpy](https://elpy.readthedocs.io/). It's unclear to me if LSP totally replaces Elpy,

typo, tx pabs
diff --git a/blog/lsp-in-debian.md b/blog/lsp-in-debian.md
index 55dfb9ad..a8dcc088 100644
--- a/blog/lsp-in-debian.md
+++ b/blog/lsp-in-debian.md
@@ -56,7 +56,7 @@ the servers I currently know of in Debian:
 There might be more such packages, but those are surprisingly hard to
 find. I found a few with `apt search "Language Server Protocol"`, but
 that didn't find `ccls`, for example, because that just said "Language
-Server" in the description (which also found a few more pytls plugins,
+Server" in the description (which also found a few more `pyls` plugins,
 e.g. `black` support).
 
 # Remaining work

fix closing tag
diff --git a/blog/lsp-in-debian.md b/blog/lsp-in-debian.md
index 5bc7467e..55dfb9ad 100644
--- a/blog/lsp-in-debian.md
+++ b/blog/lsp-in-debian.md
@@ -39,7 +39,7 @@ provide the magic.
 
 # Servers setup
 
-The Emacs package provides a way (<kbd>M-x lsp-install-server</kdb>)
+The Emacs package provides a way (<kbd>M-x lsp-install-server</kbd>)
 to install *some* of them, but I prefer to manage those tools (just
 like `lsp-mode` itself) through Debian packages if possible. Those are
 the servers I currently know of in Debian:

some notes on LSP
diff --git a/blog/lsp-in-debian.md b/blog/lsp-in-debian.md
new file mode 100644
index 00000000..5bc7467e
--- /dev/null
+++ b/blog/lsp-in-debian.md
@@ -0,0 +1,79 @@
+The [Language Server Protocol](https://microsoft.github.io/language-server-protocol/) (LSP) is a neat mechanism that
+provides a common interface to what used to be language-specific
+lookup mechanisms (like, say, running a Python interpreter in the
+background to find function definitions). There *is* also [ctags](https://en.wikipedia.org/wiki/Ctags)
+shipped with UNIX since forever, but that doesn't support looking
+*backwards* ("who uses this function") or linting. In short, LSP
+rocks, and how do I use it right now in my editor of choice (Emacs, in
+my case) and OS (Debian) please?
+
+# Editor (emacs) setup
+
+First, you need to setup your editor. The [Emacs LSP mode](https://emacs-lsp.github.io/) has
+pretty good [installation instructions](https://emacs-lsp.github.io/lsp-mode/page/installation/) which, for me, currently
+mean:
+
+    apt install elpa-lsp-mode
+
+and this `.emacs` snippet:
+
+    (use-package lsp-mode
+      :commands (lsp lsp-deferred)
+      :demand t
+      :init
+      (setq lsp-keymap-prefix "C-c l")
+      :config
+      (setq lsp-auto-configure t))
+
+Note: this configuration might have changed since I wrote this, see
+[my init.el configuration for the most recent config](https://gitlab.com/anarcat/emacs-d/blob/master/init.el). Extras I'm
+considering:
+
+    (lsp-mode . lsp-enable-which-key-integration)
+    :hook (python-mode . lsp-deferred) ; and other modes...
+
+This won't do anything by itself: Emacs will need *something* to talk
+with to provide the magic. Those are called "servers" and are
+basically different programs, for each programming language, that
+provide the magic. 
+
+# Servers setup
+
+The Emacs package provides a way (<kbd>M-x lsp-install-server</kdb>)
+to install *some* of them, but I prefer to manage those tools (just
+like `lsp-mode` itself) through Debian packages if possible. Those are
+the servers I currently know of in Debian:
+
+| package                   | languages          |
+|---------------------------|--------------------|
+| `ccls`                    | C, C++, ObjectiveC |
+| `clangd`                  | C, C++             |
+| `elpa-lsp-haskell`        | Haskell            |
+| `fortran-language-server` | Fortran            |
+| `gopls`                   | Golang             |
+| `python3-pyls`            | Python             |
+
+There might be more such packages, but those are surprisingly hard to
+find. I found a few with `apt search "Language Server Protocol"`, but
+that didn't find `ccls`, for example, because that just said "Language
+Server" in the description (which also found a few more pytls plugins,
+e.g. `black` support).
+
+# Remaining work
+
+I still have to figure how to actually use this: I mostly spend my
+time in Puppet these days, there is no server listed in the [Emacs
+lsp-mode language list](https://emacs-lsp.github.io/lsp-mode/page/languages/), but there *is* one listed over at the
+[upstream language list](https://microsoft.github.io/language-server-protocol/implementors/servers/), the [puppet-editor-services](https://github.com/puppetlabs/puppet-editor-services)
+server. But it's not packaged in Debian, and seems
+somewhat... involved. Would still be a huge boost.
+
+When I'm not in Puppet land, I'm mostly in Python, and there I am
+usually in [Elpy](https://elpy.readthedocs.io/). It's unclear to me if LSP totally replaces Elpy,
+or if they work alongside each other, so that's another thing I need
+to look into.
+
+Basically, I'm not using this at all right now and those are just
+notes...
+
+[[!tag draft]]

approve comment
diff --git a/blog/2020-07-13-not-recommending-purism/comment_1_1543de9dfd2ee208459a4c487343f873._comment b/blog/2020-07-13-not-recommending-purism/comment_1_1543de9dfd2ee208459a4c487343f873._comment
new file mode 100644
index 00000000..6f43bd8e
--- /dev/null
+++ b/blog/2020-07-13-not-recommending-purism/comment_1_1543de9dfd2ee208459a4c487343f873._comment
@@ -0,0 +1,14 @@
+[[!comment format=mdwn
+ ip="99.121.215.28"
+ claimedauthor="Diane Trout"
+ subject="Hardware compariosn of pinephone, purism 5, and fairphone 3"
+ date="2021-03-10T20:51:51Z"
+ content="""
+iFixit posted a comparison of the repairability of the hardware between the pinephone, purism and fairphone.
+
+https://www.youtube.com/watch?v=RCccpgposh4
+
+It looked to me like the fairphone had the most advanced, repairable hardware of the choices.
+
+Unfortunately it's only available in the EU.
+"""]]

zutty 0.8 released with the missing features
diff --git a/blog/2018-05-04-terminal-emulators-2/comment_4_428ade819987668bfeb8603f4d6841dd._comment b/blog/2018-05-04-terminal-emulators-2/comment_4_428ade819987668bfeb8603f4d6841dd._comment
index 336c5ad9..6ff5cf18 100644
--- a/blog/2018-05-04-terminal-emulators-2/comment_4_428ade819987668bfeb8603f4d6841dd._comment
+++ b/blog/2018-05-04-terminal-emulators-2/comment_4_428ade819987668bfeb8603f4d6841dd._comment
@@ -13,12 +13,12 @@ If I would do this review again today, it seems I would definitely need to inclu
  * good font handling
  * written in plain C++
 
-Major blockers for adoption:
+<del>Major blockers for adoption:</del>
 
- * lack of scrollback
+ * scrollback support
  * [support for *BOTH* PRIMARY or CLIPBOARD](https://github.com/tomszilagyi/zutty/issues/9), which i use often in rxvt
 
-But author seems open to improvements, so who knows.
+<del>But author seems open to improvements, so who knows.</del> Update: both were implemented! Very nice! I guess my only concern at switching now would be whether it will survive the Wayland apocalypse (whether that will come or not... ;) In theory, since it relies so much on OpenGL, Wayland shouldn't be "that hard"...
 
 Anyways, author did an excellent [latency review](https://tomscii.sig7.se/2021/01/Typing-latency-of-Zutty) and [general comparison](https://tomscii.sig7.se/2020/12/A-totally-biased-comparison-of-Zutty) that is definitely worth a read if you liked this article.
 """]]

another gizmo
diff --git a/hardware/audio.mdwn b/hardware/audio.mdwn
index 0bb777c0..8524bc24 100644
--- a/hardware/audio.mdwn
+++ b/hardware/audio.mdwn
@@ -159,15 +159,20 @@ researched...
 Apparently, there's a "class compliant mode" which is compatible with
 ALSA, but it might be better to just use an analog mixer and feed the
 signal from each unmixed track into an USB audio interface like
-[this](https://www.long-mcquade.com/87374/Pro-Audio---Recording/Audio-Interfaces/Presonus/Studio-68-6-In-8-Out-USB-Audio-Interface.htm), instead of trying to shove everything into a single device.
-
-[Soundcraft EPM8]: https://www.soundcraft.com/en-US/products/epm8
+[this](https://www.long-mcquade.com/87374/Pro-Audio---Recording/Audio-Interfaces/Presonus/Studio-68-6-In-8-Out-USB-Audio-Interface.htm), instead of trying to shove everything into a single
+device.
 
 There was a lenghty conversation on the [Ardour forums](https://discourse.ardour.org/) about this
 topic, see:
 
 <https://discourse.ardour.org/t/hardware-mixer-recommendations-for-band-practice/100877/4>
 
+Update: `#debian-quebec` folks (tvaz, sten0) suggest looking at the
+[Motu brand](https://motu.com/), for example the [AVB 8A](https://motu.com/products/avb/8a) would be a good
+match. See also [this discussion](https://linuxmusicians.com/viewtopic.php?f=6&t=18046&hilit=tvaz&start=420), [and this](https://panther.kapsi.fi/posts/2020-02-02_motu_m4), [and this](https://linuxmusicians.com/viewtopic.php?f=6&t=18046&sid=b6155ce9b3142282113235dc8171a74f&start=525).
+
+[Soundcraft EPM8]: https://www.soundcraft.com/en-US/products/epm8
+
 Speakers
 ========
 

more audio stuff
diff --git a/hardware/audio.mdwn b/hardware/audio.mdwn
index 657c94ec..0bb777c0 100644
--- a/hardware/audio.mdwn
+++ b/hardware/audio.mdwn
@@ -26,7 +26,8 @@ this at some point:
    "fusionner" les deux, [40$USD B&H](https://www.bhphotovideo.com/c/product/1213105-REG/antlion_audio_gdl_0422_modmic_4_0_cardioid.html), setup on the HD 280: a
    little "dongly" lots of wires and the modmic hangs on the side (or
    is in your face) when not in use which is a bit annoying. good
-   quality mic otherwise
+   quality mic otherwise. also used their [usb soundcard](http://web.archive.org/web/20190804221209/https://antlionaudio.com/collections/accessories/products/antlion-audio-usb-sound-card), might be
+   crap, unsure.
  * [Blue designs snowball](https://www.bluedesigns.com/products/snowball/#): 70$, omni mike, USB, [50$USD B&H](https://www.bhphotovideo.com/c/product/836611-REG/Blue_SNOWBALL_ICE_Snowball_USB_Condenser_Microphone.html).
    great sound, but not directional enough: when you use them for
    videoconferencing, they do pick up more outside noise than a mic
@@ -90,6 +91,8 @@ consider:
    replacement by B&H staff
  * Shure SE215 ([99$USD B&H](https://www.bhphotovideo.com/c/product/758628-REG/Shure_SE215_CL_SE215_Sound_Isolating_In_Ear_Stereo.html) + [30$USD for the mic](https://www.bhphotovideo.com/c/product/1398214-REG/shure_rmce_uni_3_5mm_earphone_communication_cable.html)),
    recommended by B&H staff as a Mee Audio replacement
+ * [Blue audio Yeticaster](https://www.bluemic.com/en-us/products/yeticaster/) ([200$USD B&H](https://www.bhphotovideo.com/c/product/1385877-REG/blue_yeticaster_prodessional_broadcast_bundle.html?fromDisList=y)), includes boom, cable
+   management, and excellent audio, [recommended by jvoisin](https://dustri.org/b/my-writing-code-from-home-setup.html)
 
 XLR jacks and recording
 =======================

another interesting laptop
diff --git a/hardware/laptop.mdwn b/hardware/laptop.mdwn
index 34ad9c90..f1cfc4c5 100644
--- a/hardware/laptop.mdwn
+++ b/hardware/laptop.mdwn
@@ -33,6 +33,15 @@ Modèles
 
 Comparateur: https://www.thelaptoplist.com/
 
+Frame work
+----------
+
+<https://frame.work/>
+
+ * easily repairable (qrcodes pointing to repair guides!)
+ * modular ports, replacable mainboard
+ * no price announced yet (feb 2021)
+
 GPD pocket
 ----------
 

approve comment
diff --git a/blog/2021-01-13-new-phone/comment_1_7b83204f3d945ed62d1c64fcf5ae21c0._comment b/blog/2021-01-13-new-phone/comment_1_7b83204f3d945ed62d1c64fcf5ae21c0._comment
new file mode 100644
index 00000000..83be2275
--- /dev/null
+++ b/blog/2021-01-13-new-phone/comment_1_7b83204f3d945ed62d1c64fcf5ae21c0._comment
@@ -0,0 +1,50 @@
+[[!comment format=mdwn
+ ip="27.147.206.237"
+ claimedauthor="jidpat ch"
+ subject="CalyxOS on Pixel 4a"
+ date="2021-02-25T14:56:41Z"
+ content="""
+i started using it and enjoying it on my Pixel 4a. 
+i researched a lot to work on it. i know this CalyxOS purpose is to DE google function or skip all the alternative service of Regular android apps. What i am doing right now is. i am flashed sunfish-factory-2020.09.22.12.zip which is older than the current one. after start i went to microG settings first Cloud messaging off then Google Device Registration and Safetynet off . then i logged in with Google account. it worked. then download vanced YouTube and did logging there too. then i downloaded Google maps ( yes i need this app because its perfect maps to navigate) from Apk mirror latest one . and installed it. in location privacy i choose google maps too. after everythig setup i turned on only google device Registration. it helps me to locate my location in maps. after everything is done i updated to lates update of CalyxoS
+For Contact backup i am using 
+First of all, go to https://www.google.com/settings/security/lesssecureapps With your account and enable the setting
+When logging in with DAVDroid, Use \"Login with URL and user name\"
+-- Base URL: https://www.google.com/calendar/dav/your_gmail_id@gmail.com/events
+-- User name: your_gmail_id@gmail.com
+-- Password: Your Google account password
+after update i installed latest Google cam from apk mirror 
+Currently i am using these apps 
+Airdroid
+Amazon music
+Bitwarden ( for password management)
+Bluetooth Audio widget
+Google calender ( it supports ur google calender sync with the help of microG)
+Davx1
+Google Drive ( some work related drive)
+Energy Ring
+Facebook
+Frost
+Gboard (  i need emoji in my keyboard so i cannot deny this google app)
+instagram
+Google app ( it dosent work but i can have weather clock  widget  on home)
+keep notes
+Google maps
+messenger
+yandex music ( for my backup songs)
+Google photos
+protonVpn
+Spotify
+telegram ( from fdroid)
+truecaller
+Vanced youtube
+yahoo mail
+WhatsApp
+For Snapchat there is a trick ( I downloaded Huawei app gallery then installed its snapchat app and Huawei service core app ) and i can now login to snapchat.
+
+to erase google completely easily is hard for our daily life
+but i am trying to shift NextCloud Slowly .
+
+i dont need Google service or extra things but yes its a smooth ram and i  think i am getting more battery .
+
+one thing i am missing is in recent i cannot select text .
+"""]]

note that trantor could also do collection browsing
diff --git a/software/desktop/calibre.mdwn b/software/desktop/calibre.mdwn
index 70046f2e..5c940861 100644
--- a/software/desktop/calibre.mdwn
+++ b/software/desktop/calibre.mdwn
@@ -10,7 +10,7 @@ TL;DR: I'm considering replacing those various [Calibre][] compnents with...
  * ebook-viewer: using a Kobo or other ebook reader, possibly
    [Atril][] or [MuPDF][] on the desktop?
  * ebook-editor: [Sigil][].
- * collection browser: [Liber][]? see also [[services/bookmarks]]
+ * collection browser: [Liber][] or [trantor][]? see also [[services/bookmarks]]
  * metadata editor: no good alternative.
  * device synchronisation: [git-annex][]?
  * RSS reader: [feed2exec][], [wallabako][]
@@ -234,7 +234,9 @@ Calibre is...
    added by hand in the library. It somewhat assumes Calibre already
    exists, in a way, to properly curate the library and is more
    designed to be a search engine and book sharing system between
-   liber instances.
+   liber instances. This is something that [trantor][] might be better
+   at, although it doesn't use the Calibre database, so it might not
+   have as good metadata...
 
    This also connects with the more general "book inventory" problem I
    have which involves an inventory physical books and directory of

minimal could be replaced by ublock
diff --git a/software/desktop/firefox.mdwn b/software/desktop/firefox.mdwn
index 2f444d03..2aa8fb00 100644
--- a/software/desktop/firefox.mdwn
+++ b/software/desktop/firefox.mdwn
@@ -34,9 +34,6 @@ I have those extensions installed and use them very frequently:
  * [GhostText][] (no debian package, [#910289](https://bugs.debian.org/910289), [source](https://github.com/GhostText/GhostText))- "It's all text" replacement
  * [Livemarks](https://addons.mozilla.org/en-US/firefox/addon/livemarks/) (no deb, [source](https://github.com/nt1m/livemarks)) or [Awesome RSS](https://addons.mozilla.org/en-US/firefox/addon/awesome-rss/) (no deb,
    [source](https://github.com/shgysk8zer0/awesome-rss)) - replace the [Live bookmarks removal](https://support.mozilla.org/en-US/kb/live-bookmarks-migration)
- * [Minimal](https://addons.mozilla.org/en-US/firefox/addon/minimal-internet-experience/) ([homepage](https://minimal.community/)) - removes autoplay, search suggestions
-   and all sorts of junks from many websites (alternative:
-   [shutup](https://addons.mozilla.org/en-US/firefox/addon/shut-up-comment-blocker/), just for comments)
  * [uBlock Origin][] ([[!debpkg webext-ublock-origin desc="debian
    package"]], [source](https://github.com/gorhill/uBlock)) - making the web sane again
  * [Wallabager][] (no debian package, [source](https://github.com/wallabag/wallabagger)) - to YOLO a bunch
@@ -66,6 +63,10 @@ Ideally, all of those should be packaged for Debian.
 I am testing those and they might make it to the top list once I'm happy:
 
  * [display anchors](https://addons.mozilla.org/en-US/firefox/addon/display-_anchors/) (no deb, [source](https://github.com/Rob--W/display-anchors))
+ * [Minimal](https://addons.mozilla.org/en-US/firefox/addon/minimal-internet-experience/) ([homepage](https://minimal.community/)) - removes autoplay, search suggestions
+   and all sorts of junks from many websites (alternatives:
+   [shutup](https://addons.mozilla.org/en-US/firefox/addon/shut-up-comment-blocker/) for comments, uBlock origin dynamic rules, e.g. [those
+   rules](https://news.ycombinator.com/item?id=26120168))
  * [Open in Browser](https://addons.mozilla.org/en-US/firefox/addon/open-in-browser/) (no deb, [source](https://github.com/Rob--W/open-in-browser)) - reopen the file in the
    browser instead of downloading
  * [Smart HTTPS](https://addons.mozilla.org/en-US/firefox/addon/smart-https-revived/) (no deb, [source](https://github.com/ilGur1132/Smart-HTTPS)) - some use [HTTPS

Archival link:

The above link creates a machine-readable RSS feed that can be used to easily archive new changes to the site. It is used by internal scripts to do sanity checks on new entries in the wiki.

Created . Edited .