Recent changes to this wiki. Not to be confused with my history.

Complete source to the wiki is available on gitweb or by cloning this site.

explain details of article and audience
diff --git a/services/drive-replacement.mdwn b/services/drive-replacement.mdwn
index 1317397..5bef3ff 100644
--- a/services/drive-replacement.mdwn
+++ b/services/drive-replacement.mdwn
@@ -1,4 +1,9 @@
-[[!meta title="Hard drive replacement"]]
+[[!meta title="Hard drive replacement procedure"]]
+
+This procedure describes a major disk replacement on a system with
+LUKS encryption and LVM, but without RAID-1 (which would be obviously
+much easier). It is specific to my setup but could be useful to others
+and is aimed at technical users familiar with the commandline.
 
  1. create parts with parted, mark a 8MB leading part with the
     `bios_grub` flag. parted complains about the partitions not being
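Review bot: the new introduction names the audience but does not say that the procedure overwrites the target disk, even though step 1 goes straight to repartitioning with parted; one sentence saying which disk is wiped and that a restorable backup is assumed belongs in this paragraph. Minor wording: "which would be obviously much easier" reads better as "which would obviously be much easier", and "commandline" as "command line".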

fixup title
diff --git a/services/drive-replacement.mdwn b/services/drive-replacement.mdwn
index ce67ef5..1317397 100644
--- a/services/drive-replacement.mdwn
+++ b/services/drive-replacement.mdwn
@@ -1,4 +1,4 @@
-## Hard drive replacement
+[[!meta title="Hard drive replacement"]]
 
  1. create parts with parted, mark a 8MB leading part with the
     `bios_grub` flag. parted complains about the partitions not being

fix markup more
diff --git a/services/drive-replacement.mdwn b/services/drive-replacement.mdwn
index f9cfd93..ce67ef5 100644
--- a/services/drive-replacement.mdwn
+++ b/services/drive-replacement.mdwn
@@ -9,8 +9,7 @@
         cryptsetup -v --verify-passphrase luksFormat /dev/sdc3
         cryptsetup luksOpen /dev/sdc3 crucial_crypt
 
-    [[!tip """
-    
+    <span /><div class="tip">
     Note that newer versions of Debian (e.g. stretch and later) have
     good settings so you do not need to choose cipher settings and so
     on. But on older machines, you may want something like:
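Review bot: the `<span /><div class="tip">` line that replaces the tip directive needs a comment, or a line in the commit message, saying why the empty span is there. `span` is not a void element, so in HTML5 parsing `<span />` is treated as an opening tag with no close, and the next editor is likely to delete it as noise. If it is a workaround to keep Markdown processing active inside the div, say so next to it.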
@@ -19,7 +18,7 @@
 
     I was also recommending `--use-random` here but I believe
     it is [not necessary anymore](https://media.ccc.de/v/32c3-7441-the_plain_simple_reality_of_entropy).
-    """]]
+    </div>
 
  3. initialize logical volumes
 
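Review bot: with the directive close replaced by `</div>`, the backticked `--use-random` and the Markdown link in the two context lines above now sit inside a raw HTML block, where Markdown is not normally rendered. Check the generated page to confirm they still come out as code and a link rather than literal backticks and brackets.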

formatting fixes
diff --git a/services/drive-replacement.mdwn b/services/drive-replacement.mdwn
index eecda4b..f9cfd93 100644
--- a/services/drive-replacement.mdwn
+++ b/services/drive-replacement.mdwn
@@ -9,14 +9,17 @@
         cryptsetup -v --verify-passphrase luksFormat /dev/sdc3
         cryptsetup luksOpen /dev/sdc3 crucial_crypt
 
+    [[!tip """
+    
     Note that newer versions of Debian (e.g. stretch and later) have
     good settings so you do not need to choose cipher settings and so
     on. But on older machines, you may want something like:
     
-        --cipher aes-xts-plain64 --key-size 512 --hash sha1 --iter-time 5000
+        --cipher aes-xts-plain64 --key-size 512 --hash sha256 --iter-time 5000
 
     I was also recommending `--use-random` here but I believe
     it is [not necessary anymore](https://media.ccc.de/v/32c3-7441-the_plain_simple_reality_of_entropy).
+    """]]
 
  3. initialize logical volumes
 
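Review bot: the `--hash sha1` to `--hash sha256` change in the older-machines example alters the recommended LUKS parameters and is not formatting, yet it is invisible under the commit subject "formatting fixes"; split it into its own commit or mention it in the message so the reason is recorded. The option line is also shown without the command it belongs to, so say that these options go on the `cryptsetup luksFormat` invocation above.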
@@ -37,9 +40,13 @@
 
  5. restore the root filesystem:
  
-        borg extract -e boot -e usr -e var -e home --verbose /media/sdc2/borg::marcos-2017-06-19
+        borg extract -e boot -e usr -e var -e home --progress /media/sdc2/borg::marcos-2017-06-19
+
+    [[!tip """note that `--progress` is available only in newer
+    versions of borg (1.1 and later)."""]]
 
-    or:
+    if borg is not available for some reason, the filesystem can also
+    be synchronized directly:
     
         rsync -vaHAx --inplace --delete --one-file-system / /mnt/
 
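Review bot: replacing `--verbose` with `--progress` in the root filesystem restore leaves readers on borg older than 1.1, the case the new tip itself calls out, without a working command. Keep the `--verbose` form as the stated fallback next to the tip.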
@@ -54,22 +61,21 @@
 
  5. change `/mnt/etc/crypttab` (make a copy in `/etc/crypttab.new`) to follow the new partition names:
     * make sure you have *NO TYPO* in the new line
-    * use `blkid` to get the UUID of the crypto device, example in my case:
-
-          blkid /dev/sda2 >> /etc/crypttab
+    * use `blkid` to get the UUID of the crypto device, e.g. `blkid /dev/sda3`
 
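Review bot: the new example `blkid /dev/sda3` changes the device from the `/dev/sda2` of the removed line without explanation, while step 2 elsewhere on the page formats `/dev/sdc3`; say whether `sda3` is the name the new disk will have after the swap. Dropping the `>> /etc/crypttab` redirect is right, since blkid output is not a crypttab entry, but the step now gives no example of the line to write, so show one with a placeholder UUID. The step numbers in this context also run 5 and then 8.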
  8. restore everything from backups:
  
-        borg extract --verbose /media/sdc2/borg::marcos-2017-06-19
+        borg extract --progress /media/sdc2/borg::marcos-2017-06-19
 
-    or rsync from the live filesystem
+    or rsync from the live filesystem (see below).
  
  9. go to single user mode:
 
         shutdown now
 
- 10. sync from the live filesystem again, using `/root/sync.sh` - a
-     bunch of rsync for each partition, basically:
+ 10. sync from the live filesystem again, using
+     `/home/anarcat/bin/backup-rsync-mnt` - a bunch of rsync for each
+     partition, basically:
 
         rsync -vaHAx --inplace --delete /usr/ /mnt/usr/
 
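Review bot: step 10 now points at `/home/anarcat/bin/backup-rsync-mnt`, a path in a personal home directory that a reader of the wiki cannot see, and the "(see below)" added to step 8 refers to this step, which shows only the `/usr/` invocation. List the full set of rsync commands, or at least the partitions covered, inline so the procedure can be followed without the script.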
@@ -83,7 +89,7 @@
         update-grub2
         grub-install /dev/sdc
 
- 12. reboot and pray
+    [[!important """the `fs.uuid` flag comes from the `/boot` device,
+    and can be found with the `blkid` command as well."""]]
 
-Note how the `load.cfg` grub configuration need to be updated with the
-new boot sector (`/boot` here).
+ 12. reboot and pray
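Review bot: the new important note refers to "the `fs.uuid` flag", but the removed paragraph was the only visible place that named `load.cfg`, so unless the lines above this hunk already mention it, the reader is no longer told which file carries that value. Keep the file name in the note, for example "the `fs.uuid` value in grub's `load.cfg`".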

cleanup after camping trip
diff --git a/pleinair/liste.mdwn b/pleinair/liste.mdwn
index bf945ea..5421f4b 100644
--- a/pleinair/liste.mdwn
+++ b/pleinair/liste.mdwn
@@ -33,6 +33,8 @@ toujours retourner sur l'ordinateur.
  * Sac a viande
  * Hamac et chaînes
  * Sac à dos, grand et/ou petit, ou valise
+ * Lampe de poche
+ * Lampe frontale
 
 ## Kit de survie
 
@@ -57,8 +59,6 @@ toujours retourner sur l'ordinateur.
  * Livre d'identification d'oiseaux, etc
  * # Téléphone d’urgence
  * Dictionnaire de traduction (e.g. fr-es)
- * Lampe de poche
- * Lampe frontale
 
 ## Équipement technique
 
@@ -72,8 +72,6 @@ toujours retourner sur l'ordinateur.
  * Crampons
  * Wetsuit
  * Tuba et masque
- * Lunettes de soleil
- * Sacs poubelle
  * Petits mousquetons ("not for climbing")
 
 ## Papiers et autres attaches
@@ -131,6 +129,8 @@ toujours retourner sur l'ordinateur.
  * Tampon à récurer avec éponge
  * Linge à vaisselle
  * Glacière
+ * Sacs poubelle / compost
+ * Tupperwares pour les restes
 
 ## Trousse de dépannage
 
@@ -150,9 +150,11 @@ toujours retourner sur l'ordinateur.
  * Papier de toilette
  * Serviettes sanitaires / keeper
  * Mouchoir de poche
- * Lunettes
  * Verres de contact & kit de nettoyage
+ * Lunettes
+ * Lunettes de soleil
  * Crème solaire
+ * Anti-moustique en crème ou vaporisateur
  * Savon
  * Dentifrice
  * Brosse à dents
@@ -184,6 +186,7 @@ toujours retourner sur l'ordinateur.
  * Maillot de bain
  * Serviette
  * Coupe-vent imperméable (gore-tex) / Anorak
+ * Pantalons de pluie
  * Sous-vêtements synthétique (haut & bas)
  * Manteau d'hiver
  * Pantalons de neige
@@ -194,6 +197,8 @@ toujours retourner sur l'ordinateur.
  * Mitaines et sous-mitaines
  * Foulard / Masque facial / Cache-cou
  * Lunettes de ski
+ * Chapeau
+ * Filet anti-moustique
 
 ## Trousse de premiers soins
 

update disk replacement procedure
introduce backup restoration and other changes following latest
attempt at disk replacement.
diff --git a/services/drive-replacement.mdwn b/services/drive-replacement.mdwn
index b1da201..eecda4b 100644
--- a/services/drive-replacement.mdwn
+++ b/services/drive-replacement.mdwn
@@ -1,29 +1,49 @@
 ## Hard drive replacement
 
- 1. create parts with parted, mark a 8MB leading part with the `bios_grub` flag
+ 1. create parts with parted, mark a 8MB leading part with the
+    `bios_grub` flag. parted complains about the partitions not being
+    optimal, and I haven't figure out how to fix that correctly.
+
  2. initialise crypt partition:
 
-        cryptsetup -v --cipher aes-xts-plain64 --key-size 512 --hash sha1 --iter-time 5000 --use-random --verify-passphrase luksFormat /dev/sdc3
+        cryptsetup -v --verify-passphrase luksFormat /dev/sdc3
         cryptsetup luksOpen /dev/sdc3 crucial_crypt
 
+    Note that newer versions of Debian (e.g. stretch and later) have
+    good settings so you do not need to choose cipher settings and so
+    on. But on older machines, you may want something like:
+    
+        --cipher aes-xts-plain64 --key-size 512 --hash sha1 --iter-time 5000
+
+    I was also recommending `--use-random` here but I believe
+    it is [not necessary anymore](https://media.ccc.de/v/32c3-7441-the_plain_simple_reality_of_entropy).
+
  3. initialize logical volumes
 
         pvcreate /dev/mapper/crucial_crypt
         vgcreate marcossd1 /dev/mapper/crucial_crypt
-        lvcreate -L...
-        mkfs -t ext4 ...
 
+    repeat for every filesystem, use `vgdisplay -C` and `lvdisplay -C`
+    to inspect existing sizes:
+
+        lvcreate -L10G -n root marcossd1
+        mkfs /dev/mapper/marcoss1-root
+        # [...]
+  
  4. basic filesystem setup:
 
         mount /dev/mapper/marcossd1-root /mnt
+        mkdir /mnt/{dev,sys,proc,boot,usr,var,home,srv}
 
- 5. change `/mnt/etc/crypttab` (copy in in `/etc/crypttab.new`) - a few tricks:
-    * make sure you have *NO TYPO* in the new line
-    * use `blkid` to get the UUID of the crypto device, example in my case:
+ 5. restore the root filesystem:
+ 
+        borg extract -e boot -e usr -e var -e home --verbose /media/sdc2/borg::marcos-2017-06-19
 
-        blkid /dev/sda2 >> /etc/crypttab
+    or:
+    
+        rsync -vaHAx --inplace --delete --one-file-system / /mnt/
 
- 6. change `/mnt/etc/fstab` (copy in `/etc/fstab.new`)
+ 6. edit `/mnt/etc/fstab` (and keep a copy in `/etc/fstab.new`)
  7. mount all filesystems:
 
         mount -o bind /dev /mnt/dev
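Review bot: in step 3 the added `mkfs /dev/mapper/marcoss1-root` names a volume group `marcoss1`, but `vgcreate` and the `mount` in step 4 use `marcossd1`, so the command as written points at a device that does not exist; it should read `/dev/mapper/marcossd1-root`. The change also drops the `-t ext4` of the removed `mkfs -t ext4 ...` line, and plain `mkfs` defaults to ext2, so keep `-t ext4` if ext4 is intended. The steps here are numbered 5, 6, 7 and the next hunk adds a second step 5.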
@@ -32,17 +52,26 @@
         mount -t sysfs sys /sys
         exit
 
- 8. sync all the data with `/root/sync.sh` - a bunch of rsync for each partition, basically:
+ 5. change `/mnt/etc/crypttab` (make a copy in `/etc/crypttab.new`) to follow the new partition names:
+    * make sure you have *NO TYPO* in the new line
+    * use `blkid` to get the UUID of the crypto device, example in my case:
 
-        rsync -vaHAx --inplace --delete /usr/ /mnt/usr/
+          blkid /dev/sda2 >> /etc/crypttab
 
+ 8. restore everything from backups:
+ 
+        borg extract --verbose /media/sdc2/borg::marcos-2017-06-19
+
+    or rsync from the live filesystem
+ 
  9. go to single user mode:
 
         shutdown now
 
- 10. sync again
+ 10. sync from the live filesystem again, using `/root/sync.sh` - a
+     bunch of rsync for each partition, basically:
 
-        /root/sync.sh
+        rsync -vaHAx --inplace --delete /usr/ /mnt/usr/
 
  11. install boot blocks
 
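Review bot: the added crypttab step is numbered 5 although it follows step 7, and its example `blkid /dev/sda2 >> /etc/crypttab` appends raw blkid output to the running system's `/etc/crypttab`, while the step says to edit `/mnt/etc/crypttab`. The appended text is not a valid crypttab entry until it is edited by hand. Renumber the step and show the command only printing the UUID, with the target file edited separately.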

add more sellers
diff --git a/hardware/laptop.mdwn b/hardware/laptop.mdwn
index 568a47e..6848ae0 100644
--- a/hardware/laptop.mdwn
+++ b/hardware/laptop.mdwn
@@ -282,5 +282,6 @@ Fournisseurs
 ============
 
 * minifree: https://minifree.org/ coreboot + x200 t400
-* dantech: http://www.dantech.ca/?q=17--
-* https://www.toplaptop.ca/
+* dantech: http://www.dantech.ca/?q=17-- - local friendly folks
+* https://www.toplaptop.ca/ - local + cheap source of thinkpads
+* https://www.mikescomputershop.com/ - cheap canada seller

major upgrade of the ikiwiki platform
diff --git a/services/wiki.mdwn b/services/wiki.mdwn
index 14521f5..eadf7ff 100644
--- a/services/wiki.mdwn
+++ b/services/wiki.mdwn
@@ -130,7 +130,7 @@ On any given upgrade, the following patches need to be applied:
 
 There are two patches left:
 
- * [[!iki todo/toc-with-human-readable-anchors]] and [[!iki plugins/contrib/i18nheadinganchors]]
+ * [[!iki todo/toc-with-human-readable-anchors]] (merged, not released) and [[!iki plugins/contrib/i18nheadinganchors]]
  * [[!iki bugs/footnotes-look-weird]]
  * [[!iki todo/git-annex_support]]
  * [[!iki todo/admonitions]]
@@ -140,7 +140,7 @@ I dropped the [[!iki bugs/notifyemail fails with some openid providers]] patch b
 To apply this patch:
 
     cd src/ikiwiki
-    release=debian/3.20141016.4
+    release=debian/3.20170111
     git rebase $release dev/git-annex-support
     git diff $release..dev/git-annex-support | ( cd /usr/share/perl5 ; sudo patch -p1 --dry-run )
     git diff $release..dev/git-annex-support | ( cd /usr/share/perl5 ; sudo patch -p1 )
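Review bot: in the lines below the updated `release=debian/3.20170111`, each `patch -p1 --dry-run` is followed by the real `patch -p1` as a separate command, so when the block is pasted as a whole a failed dry run does not stop the real patch from being applied under `/usr/share/perl5` as root. Join each pair with `&&`, or tell the reader to run the lines one at a time and stop on the first error. Quoting `"$release"` would also be safer.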
@@ -151,11 +151,11 @@ To apply this patch:
     git diff $release..i18n-headinganchors | ( cd /usr/share/perl5 ; sudo patch -p1 --dry-run )
     git diff $release..i18n-headinganchors | ( cd /usr/share/perl5 ; sudo patch -p1  )
     # not sure about that rebase
-    git rebase origin/master admonitions
-    git diff origin/master..admonitions IkiWiki/Plugin/admonition.pm | ( cd /usr/share/perl5 ; sudo patch -p1 --dry-run )
-    git diff origin/master..admonitions IkiWiki/Plugin/admonition.pm | ( cd /usr/share/perl5 ; sudo patch -p1 )
-    git diff origin/master..admonitions doc/style.css | ( cd /usr/share/ikiwiki/basewiki ; sudo patch -p2 --dry-run )
-    git diff origin/master..admonitions doc/style.css | ( cd /usr/share/ikiwiki/basewiki ; sudo patch -p2 )
+    git rebase $release admonitions
+    git diff $release..admonitions IkiWiki/Plugin/admonition.pm | ( cd /usr/share/perl5 ; sudo patch -p1 --dry-run )
+    git diff $release..admonitions IkiWiki/Plugin/admonition.pm | ( cd /usr/share/perl5 ; sudo patch -p1 )
+    git diff $release..admonitions doc/style.css | ( cd /usr/share/ikiwiki/basewiki ; sudo patch -p2 --dry-run )
+    git diff $release..admonitions doc/style.css | ( cd /usr/share/ikiwiki/basewiki ; sudo patch -p2 )
 
 ### New feature: markdown WYSIWYG!
 
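Review bot: the comment `# not sure about that rebase` is kept above a rebase whose base this hunk changes from `origin/master` to `$release`. Either resolve the doubt and delete the comment, or state in it what is uncertain, since the next person applying these patches as root has no way to judge it.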
@@ -187,6 +187,13 @@ patching file templates/albumprev.tmpl
 patching file templates/albumviewer.tmpl
 """]]
 
+2017-06-19: major upgrade
+-------------------------
+
+upgraded to the upstream 3.20170111 release using backports in
+preperation for the stretch upgrade. patches reapplied as they are not
+factored in upstream yet.
+
 2017-04-19: ikiwiki-hosting upgrade
 -----------------------------------
 
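Review bot: typo in the new changelog entry, `preperation` should be `preparation`. The entry also says patches were reapplied "as they are not factored in upstream yet" without saying which; a pointer to the patch list earlier on the page would make the entry self-contained.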

update network plan after internal move
things that were done actually before the move:
* roadkiller replaced with octavia
* secondary switch removed
* plastik replaced with dawkins
after the move:
* dawkins removed
diff --git "a/services/r\303\251seau/plan.dia" "b/services/r\303\251seau/plan.dia"
index 6e53844..dda5eed 100644
Binary files "a/services/r\303\251seau/plan.dia" and "b/services/r\303\251seau/plan.dia" differ
diff --git "a/services/r\303\251seau/plan.svg" "b/services/r\303\251seau/plan.svg"
index bce4c8f..0cedaf5 100644
--- "a/services/r\303\251seau/plan.svg"
+++ "b/services/r\303\251seau/plan.svg"
@@ -1,331 +1,247 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.0//EN" "http://www.w3.org/TR/2001/PR-SVG-20010719/DTD/svg10.dtd">
 <svg width="17cm" height="23cm" viewBox="330 3 331 454" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
-  <g>
566.157,305.85 L 569.955,303.291 L 573.517,300.579 L 576.946,297.764 L 580.172,294.847 L 583.197,291.777 L 585.987,288.604 L 588.608,285.38 L 590.961,282.053 L 593.045,278.573 L 594.96,274.991 L 596.607,271.46 L 598.019,267.826 L 599.162,264.141 L 600.035,260.354 L 600.674,256.618 L 601.077,252.831 L 601.212,249.096z"/>
-    <path style="fill: #b6c7c9" d="M 517.994 165.32 L 584.508,152.423 L 583.667,149.609 L 582.626,146.743 L 581.483,143.928 L 580.105,141.216 L 578.626,138.606 L 576.946,135.945 L 575.198,133.437 L 573.181,131.032 L 571.131,128.678 L 568.913,126.426 L 566.526,124.276 L 564.039,122.281 L 561.418,120.336 L 558.695,118.442 L 555.872,116.753 L 552.948,115.218 L 549.99,113.683 L 546.865,112.403 L 543.705,111.226 L 540.513,110.152 L 537.185,109.231 L 533.858,108.514 L 530.497,107.849 L 527.102,107.388 L 523.674,107.081 L 520.212,106.928 L 516.784,106.928 L 513.322,107.081 L 509.86,107.286 L 506.499,107.695 L 503.105,108.361 L 499.744,109.026 L 496.417,109.947 L 493.156,110.919 L 489.997,112.045 L 486.905,113.325 L 483.847,114.758 L 480.889,116.242 L 478.099,117.931 L 475.343,119.722 L 472.688,121.615 L 470.167,123.611 L 467.781,125.761 L 465.529,128.012 L 463.378,130.315 L 461.362,132.72 L 459.479,135.228 L 457.765,137.787 L 456.287,140.499 L 454.841,143.109 L 453.598,145.924 L 452.556,148.688 L 451.682,151.553 L 450.943,154.419 L 517.994,165.32z"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #6c8f93" d="M 584.508 152.321 L 583.634,149.455 L 582.626,146.64 L 581.449,143.826 L 580.105,141.165 L 578.559,138.503 L 576.912,135.893 L 575.131,133.386 L 573.114,130.98 L 571.03,128.678 L 568.879,126.426 L 566.459,124.174 L 564.039,122.178 L 561.384,120.233 L 558.662,118.442 L 555.872,116.651 L 552.948,115.116 L 549.957,113.683 L 546.831,112.352 L 543.672,111.226 L 540.513,110.152 L 537.185,109.231 L 533.824,108.514 L 530.463,107.849 L 527.069,107.388 L 523.674,107.081 L 520.179,106.928 L 516.75,106.928 L 513.322,107.081 L 509.894,107.286 L 506.466,107.695 L 503.105,108.361 L 499.744,108.975 L 496.45,109.845 L 493.224,110.919 L 489.997,112.045 L 486.939,113.325 L 483.88,114.758 L 480.956,116.242 L 478.099,117.879 L 475.377,119.722 L 472.722,121.615 L 470.201,123.56 L 467.815,125.709 L 465.529,127.91 L 463.378,130.264 L 461.362,132.669 L 459.547,135.126 L 457.799,137.787 L 456.287,140.346 L 454.875,143.058 L 453.665,145.77 L 452.556,148.585 L 451.682,151.451 L 450.976,154.317"/>
-    <path style="fill: #b6c7c9" d="M 427.55 195.667 L 461.093,150.888 L 459.009,149.046 L 456.824,147.306 L 454.606,145.77 L 452.321,144.235 L 450.002,142.905 L 447.582,141.676 L 445.094,140.653 L 442.641,139.68 L 440.053,138.913 L 437.499,138.248 L 434.877,137.787 L 432.256,137.429 L 429.634,137.224 L 427.012,137.224 L 424.357,137.326 L 421.736,137.633 L 419.114,137.992 L 416.526,138.555 L 413.972,139.271 L 411.451,140.09 L 408.93,141.062 L 406.511,142.188 L 404.091,143.468 L 401.772,144.849 L 399.52,146.385 L 397.369,148.073 L 395.218,149.865 L 393.201,151.707 L 391.285,153.754 L 389.403,155.852 L 387.655,158.104 L 386.042,160.356 L 384.496,162.812 L 383.085,165.269 L 381.74,167.827 L 380.564,170.489 L 379.455,173.201 L 378.514,175.913 L 377.673,178.728 L 377.001,181.594 L 376.463,184.46 L 375.993,187.428 L 375.657,190.396 L 375.522,193.313 L 375.455,196.23 L 375.556,199.199 L 375.758,202.218 L 376.161,205.084 L 427.55,195.667z"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #6c8f93" d="M 460.925 150.735 L 458.841,148.892 L 456.723,147.203 L 454.505,145.617 L 452.186,144.184 L 449.8,142.802 L 447.414,141.625 L 444.96,140.55 L 442.439,139.629 L 439.919,138.913 L 437.297,138.248 L 434.709,137.787 L 432.121,137.429 L 429.5,137.224 L 426.811,137.224 L 424.256,137.326 L 421.635,137.633 L 418.946,137.992 L 416.392,138.606 L 413.871,139.271 L 411.283,140.192 L 408.83,141.113 L 406.41,142.29 L 404.023,143.57 L 401.671,144.952 L 399.419,146.487 L 397.268,148.176 L 395.184,149.916 L 393.167,151.86 L 391.184,153.805 L 389.403,156.006 L 387.622,158.155 L 385.975,160.509 L 384.463,162.863 L 383.017,165.32 L 381.74,167.93 L 380.564,170.591 L 379.455,173.303 L 378.48,176.016 L 377.673,178.882 L 377.001,181.645 L 376.396,184.562 L 375.993,187.53 L 375.657,190.447 L 375.522,193.364 L 375.455,196.333 L 375.623,199.25 L 375.825,202.218 L 376.161,205.186"/>
-    <path style="fill: #b6c7c9" d="M 418.207 300.272 L 364.229,298.685 L 364.229,301.398 L 364.33,303.957 L 364.599,306.669 L 365.036,309.228 L 365.54,311.838 L 366.179,314.499 L 367.019,316.955 L 367.893,319.463 L 369.002,321.92 L 370.178,324.274 L 371.422,326.679 L 372.901,328.931 L 374.38,331.131 L 376.06,333.23 L 377.774,335.277 L 379.623,337.221 L 381.606,339.012 L 383.622,340.752 L 385.74,342.492 L 387.958,343.977 L 390.243,345.409 L 392.63,346.791 L 395.05,347.917 L 397.469,349.043 L 400.024,350.015 L 402.612,350.834 L 405.233,351.499 L 407.889,352.114 L 410.544,352.574 L 413.232,352.881 L 415.955,353.035 L 418.711,353.035 L 421.366,352.932 L 424.088,352.728 L 426.777,352.421 L 429.432,351.96 L 432.121,351.295 L 434.675,350.527 L 437.297,349.708 L 439.751,348.634 L 442.238,347.61 L 444.658,346.331 L 446.943,344.949 L 449.262,343.465 L 451.38,341.878 L 453.497,340.241 L 418.207,300.272z"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #6c8f93" d="M 364.297 298.685 L 364.196,301.295 L 364.398,303.957 L 364.599,306.567 L 365.036,309.228 L 365.54,311.787 L 366.212,314.397 L 367.019,316.955 L 367.96,319.463 L 369.002,321.868 L 370.111,324.274 L 371.422,326.577 L 372.8,328.88 L 374.38,331.029 L 375.993,333.23 L 377.741,335.174 L 379.555,337.119 L 381.505,339.012 L 383.521,340.752 L 385.639,342.39 L 387.857,343.925 L 390.143,345.358 L 392.462,346.689 L 394.882,347.917 L 397.402,349.043 L 399.889,349.913 L 402.444,350.732 L 405.065,351.499 L 407.754,352.011 L 410.409,352.574 L 413.064,352.779 L 415.787,353.035 L 418.509,353.035 L 421.198,353.035 L 423.887,352.779 L 426.576,352.421 L 429.231,351.96 L 431.919,351.346 L 434.474,350.629 L 437.095,349.759 L 439.582,348.736 L 442.002,347.61 L 444.422,346.382 L 446.741,345.051 L 449.06,343.618 L 451.245,342.032 L 453.295,340.394"/>
-    <path style="fill: #b6c7c9" d="M 589.952 186.149 L 637.443,200.939 L 638.25,198.738 L 638.855,196.537 L 639.426,194.286 L 639.762,191.983 L 640.098,189.68 L 640.165,187.377 L 640.165,185.023 L 640.098,182.771 L 639.829,180.468 L 639.46,178.165 L 638.922,175.913 L 638.283,173.662 L 637.544,171.512 L 636.67,169.312 L 635.662,167.213 L 634.519,165.115 L 633.242,163.068 L 631.931,161.123 L 630.486,159.23 L 628.94,157.439 L 627.293,155.596 L 625.478,153.959 L 623.663,152.372 L 621.68,150.888 L 619.697,149.455 L 617.613,148.176 L 615.462,146.896 L 613.21,145.77 L 610.925,144.747 L 608.572,143.826 L 606.152,143.058 L 603.766,142.393 L 601.245,141.779 L 598.758,141.318 L 596.238,140.96 L 593.683,140.806 L 591.162,140.653 L 588.642,140.653 L 586.087,140.806 L 583.533,141.011 L 581.046,141.369 L 578.525,141.83 L 576.038,142.393 L 573.585,143.109 L 589.952,186.149z"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #6c8f93" d="M 633.074 209.28 L 637.409,201.041 L 638.216,198.892 L 638.855,196.64 L 639.359,194.388 L 639.762,192.085 L 640.031,189.782 L 640.132,187.53 L 640.165,185.125 L 640.065,182.873 L 639.829,180.57 L 639.46,178.267 L 638.922,176.016 L 638.283,173.764 L 637.577,171.563 L 636.704,169.465 L 635.662,167.265 L 634.519,165.166 L 633.343,163.119 L 631.965,161.175 L 630.519,159.281 L 628.973,157.439 L 627.327,155.699 L 625.579,154.061 L 623.73,152.423 L 621.815,150.888 L 619.764,149.506 L 617.681,148.176 L 615.529,146.948 L 613.278,145.924 L 610.992,144.849 L 608.673,143.877 L 606.287,143.058 L 603.833,142.393 L 601.413,141.779 L 598.926,141.318 L 596.406,141.011 L 593.851,140.806 L 591.297,140.653 L 588.709,140.653 L 586.188,140.806 L 583.634,141.011 L 581.113,141.318 L 578.626,141.779 L 576.172,142.342 L 573.719,143.058"/>
-    <path style="fill: #b6c7c9" d="M 596.708 246.281 L 650.181,265.011 L 651.257,262.555 L 652.131,260.15 L 652.937,257.591 L 653.576,255.032 L 654.013,252.473 L 654.315,249.914 L 654.416,247.253 L 654.416,244.643 L 654.214,242.033 L 653.912,239.474 L 653.374,236.864 L 652.735,234.357 L 651.895,231.849 L 650.988,229.341 L 649.845,226.936 L 648.568,224.633 L 647.19,222.279 L 645.61,219.976 L 643.93,217.827 L 596.708,246.281z"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #6c8f93" d="M 643.392 273.507 L 650.114,265.114 L 651.122,262.708 L 652.131,260.15 L 652.904,257.642 L 653.542,255.032 L 653.979,252.473 L 654.315,249.914 L 654.45,247.253 L 654.416,244.643 L 654.214,241.982 L 653.845,239.423 L 653.374,236.864 L 652.735,234.306 L 651.895,231.747 L 650.954,229.239 L 649.778,226.783 L 648.534,224.48 L 647.055,222.126 L 645.543,219.874 L 643.829,217.724 L 633.074,209.28"/>
-    <path style="fill: #b6c7c9" d="M 594.456 295.717 L 577.584,366.801 L 580.071,367.927 L 582.592,368.951 L 585.113,369.718 L 587.734,370.332 L 590.289,370.793 L 592.843,370.998 L 595.498,370.998 L 598.086,370.793 L 600.64,370.486 L 603.228,369.872 L 605.749,369.104 L 608.27,368.234 L 610.757,367.108 L 613.21,365.727 L 615.563,364.242 L 617.916,362.554 L 620.201,360.711 L 622.419,358.664 L 624.571,356.566 L 626.621,354.161 L 628.57,351.653 L 630.452,349.043 L 632.267,346.228 L 633.981,343.311 L 635.527,340.292 L 637.006,337.119 L 638.418,333.895 L 639.661,330.517 L 640.77,327.14 L 641.812,323.608 L 642.686,319.975 L 643.493,316.29 L 644.131,312.605 L 644.669,308.818 L 645.005,305.083 L 645.308,301.244 L 645.375,297.406 L 645.375,293.568 L 645.241,289.73 L 644.972,285.891 L 644.568,282.104 L 644.064,278.368 L 643.392,274.684 L 594.456,295.717z"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #6c8f93" d="M 577.719 366.852 L 580.239,368.081 L 582.726,369.053 L 585.281,369.872 L 587.835,370.384 L 590.457,370.793 L 593.011,370.998 L 595.599,371.1 L 598.187,370.793 L 600.808,370.486 L 603.363,369.872 L 605.883,369.104 L 608.404,368.132 L 610.891,367.006 L 613.311,365.675 L 615.731,364.14 L 618.05,362.502 L 620.302,360.711 L 622.487,358.664 L 624.638,356.412 L 626.688,354.058 L 628.637,351.499 L 630.519,348.889 L 632.334,346.177 L 634.015,343.209 L 635.628,340.138 L 637.04,337.068 L 638.451,333.741 L 639.695,330.364 L 640.804,326.986 L 641.812,323.455 L 642.72,319.77 L 643.526,316.137 L 644.131,312.401 L 644.669,308.665 L 645.072,304.929 L 645.308,301.091 L 645.375,297.253 L 645.375,293.414 L 645.207,289.576 L 644.972,285.738 L 644.535,281.951 L 643.963,278.215 L 643.392,274.53"/>
-    <path style="fill: #b6c7c9" d="M 380.698 255.339 L 378.144,207.08 L 376.262,207.336 L 374.48,207.643 L 372.598,208.154 L 370.783,208.769 L 369.002,209.485 L 367.254,210.406 L 365.54,211.276 L 363.86,212.453 L 362.179,213.579 L 360.6,214.859 L 359.054,216.292 L 357.575,217.776 L 356.13,219.362 L 354.819,221.102 L 353.508,222.842 L 352.298,224.684 L 351.155,226.629 L 350.113,228.676 L 349.071,230.723 L 348.164,232.924 L 347.391,235.176 L 346.652,237.427 L 345.946,239.679 L 345.408,242.033 L 344.971,244.439 L 344.568,246.844 L 344.265,249.3 L 344.131,251.808 L 344.03,254.213 L 344.03,256.67 L 344.131,259.075 L 344.332,261.583 L 344.635,263.988 L 344.971,266.393 L 345.475,268.798 L 346.013,271.153 L 346.685,273.456 L 347.425,275.707 L 348.265,277.908 L 349.172,280.108 L 350.214,282.104 L 351.256,284.151 L 352.432,286.096 L 353.676,287.938 L 354.953,289.73 L 356.331,291.367 L 357.776,292.954 L 359.255,294.489 L 360.835,295.871 L 362.381,297.15 L 364.061,298.327 L 380.698,255.339z"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #6c8f93" d="M 378.144 207.08 L 376.363,207.336 L 374.514,207.643 L 372.699,208.154 L 370.951,208.717 L 369.17,209.434 L 367.422,210.202 L 365.742,211.174 L 364.095,212.197 L 362.448,213.323 L 360.936,214.603 L 359.356,215.984 L 357.911,217.417 L 356.499,218.953 L 355.155,220.641 L 353.81,222.381 L 352.634,224.121 L 351.458,226.066 L 350.416,228.011 L 349.408,230.058 L 348.534,232.156 L 347.693,234.306 L 346.887,236.455 L 346.215,238.707 L 345.61,241.01 L 345.106,243.364 L 344.736,245.718 L 344.366,248.123 L 344.164,250.528 L 344.03,252.934 L 344.03,255.339 L 344.03,257.744 L 344.232,260.15 L 344.433,262.555 L 344.736,264.96 L 345.173,267.314 L 345.61,269.617 L 346.215,271.869 L 346.954,274.223 L 347.693,276.424 L 348.534,278.522 L 349.475,280.62 L 350.449,282.667 L 351.491,284.612 L 352.634,286.505 L 353.878,288.297 L 355.188,290.037 L 356.533,291.674 L 357.978,293.21 L 359.39,294.694 L 360.936,296.024 L 362.515,297.253 L 364.129,298.43"/>
-    <path style="fill: #b6c7c9" d="M 516.851 332.82 L 440.356,338.398 L 440.86,341.213 L 441.498,344.079 L 442.372,346.842 L 443.481,349.555 L 444.658,352.165 L 446.103,354.826 L 447.682,357.385 L 449.464,359.944 L 451.447,362.349 L 453.564,364.754 L 455.782,367.006 L 458.236,369.206 L 460.79,371.305 L 463.513,373.352 L 466.369,375.194 L 469.327,377.036 L 472.486,378.674 L 475.646,380.312 L 478.973,381.745 L 482.368,383.126 L 485.93,384.252 L 489.493,385.378 L 493.089,386.299 L 496.853,387.118 L 500.618,387.784 L 504.416,388.295 L 508.18,388.705 L 512.045,388.909 L 515.944,389.063 L 519.775,389.063 L 523.674,388.858 L 527.506,388.551 L 531.303,388.091 L 535.068,387.425 L 538.832,386.709 L 542.462,385.839 L 546.092,384.764 L 549.621,383.741 L 553.116,382.461 L 556.477,381.028 L 559.704,379.493 L 562.863,377.855 L 565.922,376.064 L 568.846,374.222 L 571.635,372.277 L 574.223,370.23 L 576.744,368.081 L 579.063,365.829 L 581.281,363.475 L 583.331,361.069 L 585.146,358.664 L 586.827,356.105 L 588.373,353.444 L 589.684,350.834 L 516.851,332.82z"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #6c8f93" d="M 440.423 338.501 L 440.86,341.264 L 441.532,344.079 L 442.372,346.842 L 443.481,349.555 L 444.725,352.267 L 446.103,354.826 L 447.716,357.385 L 449.464,359.944 L 451.447,362.349 L 453.564,364.754 L 455.782,367.006 L 458.236,369.206 L 460.857,371.305 L 463.513,373.352 L 466.369,375.194 L 469.327,377.036 L 472.486,378.674 L 475.646,380.261 L 478.973,381.745 L 482.368,383.126 L 485.863,384.252 L 489.426,385.378 L 493.056,386.299 L 496.82,387.118 L 500.551,387.784 L 504.348,388.244 L 508.146,388.705 L 511.978,388.909 L 515.843,389.063 L 519.708,389.012 L 523.54,388.858 L 527.371,388.449 L 531.236,388.091 L 535.001,387.425 L 538.698,386.658 L 542.395,385.839 L 545.991,384.866 L 549.52,383.741 L 552.982,382.461 L 556.309,381.028 L 559.603,379.493 L 562.762,377.906 L 565.787,376.218 L 568.711,374.324 L 571.467,372.379 L 574.156,370.332 L 576.643,368.081 L 578.996,365.88 L 581.214,363.526 L 583.197,361.223 L 585.079,358.664 L 586.76,356.157 L 588.238,353.547 L 589.616,350.885"/>
-  </g>
-  <g>
-    <path style="fill: #0078aa" d="M 422.212 151.362 L 422.155,150.763 L 422.032,150.164 L 421.822,149.575 L 421.528,148.995 L 421.128,148.405 L 420.662,147.835 L 420.101,147.274 L 419.474,146.722 L 418.751,146.18 L 417.953,145.657 L 417.087,145.153 L 416.146,144.64 L 415.129,144.155 L 414.045,143.699 L 412.885,143.261 L 411.668,142.843 L 410.403,142.434 L 409.072,142.063 L 407.694,141.712 L 406.258,141.379 L 404.775,141.075 L 403.244,140.818 L 401.685,140.552 L 400.106,140.342 L 398.48,140.143 L 396.826,139.991 L 395.153,139.848 L 393.46,139.753 L 391.768,139.658 L 390.056,139.629 L 388.345,139.601 L 388.345,139.601 L 386.624,139.629 L 384.912,139.658 L 383.22,139.753 L 381.528,139.848 L 379.854,139.991 L 378.2,140.143 L 376.574,140.342 L 374.986,140.552 L 373.427,140.818 L 371.906,141.075 L 370.422,141.379 L 368.987,141.712 L 367.608,142.063 L 366.277,142.434 L 365.003,142.843 L 363.795,143.261 L 362.635,143.699 L 361.551,144.155 L 360.534,144.64 L 359.593,145.153 L 358.728,145.657 L 357.929,146.18 L 357.206,146.722 L 356.579,147.274 L 356.018,147.835 L 355.552,148.405 L 355.153,148.995 L 354.848,149.575 L 354.63,150.164 L 354.516,150.763 L 354.468,151.362 L 354.468,151.362 L 354.516,151.952 L 354.63,152.551 L 354.848,153.14 L 355.153,153.72 L 355.552,154.31 L 356.018,154.88 L 356.579,155.441 L 357.206,155.993 L 357.929,156.534 L 358.728,157.057 L 359.593,157.58 L 360.534,158.075 L 361.551,158.56 L 362.635,159.016 L 363.795,159.472 L 365.003,159.891 L 366.277,160.281 L 367.608,160.661 L 368.987,161.003 L 370.422,161.336 L 371.906,161.64 L 373.427,161.916 L 374.986,162.163 L 376.574,162.391 L 378.2,162.572 L 379.854,162.743 L 381.528,162.867 L 383.22,162.981 L 384.912,163.057 L 386.624,163.104 L 388.345,163.114 L 388.345,163.114 L 390.056,163.104 L 391.768,163.057 L 393.46,162.981 L 395.153,162.867 L 396.826,162.743 L 398.48,162.572 L 400.106,162.391 L 401.685,162.163 L 403.244,161.916 L 404.775,161.64 L 406.258,161.336 L 407.694,161.003 L 409.072,160.661 L 
410.403,160.281 L 411.668,159.891 L 412.885,159.472 L 414.045,159.016 L 415.129,158.56 L 416.146,158.075 L 417.087,157.58 L 417.953,157.057 L 418.751,156.534 L 419.474,155.993 L 420.101,155.441 L 420.662,154.88 L 421.128,154.31 L 421.528,153.72 L 421.822,153.14 L 422.032,152.551 L 422.155,151.952 L 422.212,151.362z"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #aae6ff" d="M 421.813 151.172 L 421.765,150.573 L 421.651,150.003 L 421.433,149.413 L 421.138,148.843 L 420.748,148.272 L 420.254,147.711 L 419.74,147.169 L 419.094,146.618 L 418.381,146.085 L 417.591,145.553 L 416.717,145.058 L 415.785,144.564 L 414.777,144.089 L 413.703,143.632 L 412.562,143.195 L 411.345,142.795 L 410.071,142.415 L 408.758,142.025 L 407.389,141.702 L 405.963,141.36 L 404.48,141.065 L 402.978,140.799 L 401.437,140.552 L 399.85,140.342 L 398.243,140.143 L 396.588,139.991 L 394.934,139.848 L 393.251,139.753 L 391.559,139.686 L 389.857,139.629 L 388.155,139.629 L 388.155,139.629 L 386.434,139.629 L 384.741,139.686 L 383.039,139.753 L 381.376,139.848 L 379.712,139.991 L 378.067,140.143 L 376.45,140.342 L 374.863,140.552 L 373.313,140.799 L 371.811,141.065 L 370.327,141.36 L 368.901,141.702 L 367.541,142.025 L 366.22,142.415 L 364.946,142.795 L 363.738,143.195 L 362.607,143.632 L 361.532,144.089 L 360.515,144.564 L 359.564,145.058 L 358.718,145.553 L 357.919,146.085 L 357.206,146.618 L 356.579,147.169 L 356.027,147.711 L 355.552,148.272 L 355.172,148.843 L 354.867,149.413 L 354.649,150.003 L 354.525,150.573 L 354.478,151.172 L 354.478,151.172 L 354.525,151.752 L 354.649,152.351 L 354.867,152.912 L 355.172,153.492 L 355.552,154.072 L 356.027,154.623 L 356.579,155.175 L 357.206,155.726 L 357.919,156.249 L 358.718,156.782 L 359.564,157.286 L 360.515,157.761 L 361.532,158.246 L 362.607,158.712 L 363.738,159.13 L 364.946,159.539 L 366.22,159.929 L 367.541,160.309 L 368.901,160.642 L 370.327,160.965 L 371.811,161.269 L 373.313,161.536 L 374.863,161.773 L 376.45,162.002 L 378.067,162.192 L 379.712,162.344 L 381.376,162.477 L 383.039,162.572 L 384.741,162.658 L 386.434,162.705 L 388.155,162.715 L 388.155,162.715 L 389.857,162.705 L 391.559,162.658 L 393.251,162.572 L 394.934,162.477 L 396.588,162.344 L 398.243,162.192 L 399.85,162.002 L 401.437,161.773 L 402.978,161.536 L 404.48,161.269 
L 405.963,160.965 L 407.389,160.642 L 408.758,160.309 L 410.071,159.929 L 411.345,159.539 L 412.562,159.13 L 413.703,158.712 L 414.777,158.246 L 415.785,157.761 L 416.717,157.286 L 417.591,156.782 L 418.381,156.249 L 419.094,155.726 L 419.74,155.175 L 420.254,154.623 L 420.748,154.072 L 421.138,153.492 L 421.433,152.912 L 421.651,152.351 L 421.765,151.752 L 421.813,151.172"/>
-    <path style="fill: #0078aa" d="M 354.478 135.075 L 354.478,151.581 L 421.813,151.581 L 421.813,135.075 L 354.478,135.075z"/>
-    <path style="fill: #00b4ff" d="M 422.212 134.875 L 422.155,134.276 L 422.032,133.668 L 421.822,133.088 L 421.528,132.498 L 421.128,131.909 L 420.662,131.338 L 420.101,130.777 L 419.474,130.235 L 418.751,129.684 L 417.953,129.171 L 417.087,128.648 L 416.146,128.153 L 415.129,127.659 L 414.045,127.212 L 412.885,126.765 L 411.668,126.337 L 410.403,125.938 L 409.072,125.567 L 407.694,125.215 L 406.258,124.892 L 404.775,124.597 L 403.244,124.312 L 401.685,124.065 L 400.106,123.837 L 398.48,123.646 L 396.826,123.485 L 395.153,123.352 L 393.46,123.247 L 391.768,123.171 L 390.056,123.124 L 388.345,123.114 L 388.345,123.114 L 386.624,123.124 L 384.912,123.171 L 383.22,123.247 L 381.528,123.352 L 379.854,123.485 L 378.2,123.646 L 376.574,123.837 L 374.986,124.065 L 373.427,124.312 L 371.906,124.597 L 370.422,124.892 L 368.987,125.215 L 367.608,125.567 L 366.277,125.938 L 365.003,126.337 L 363.795,126.765 L 362.635,127.212 L 361.551,127.659 L 360.534,128.153 L 359.593,128.648 L 358.728,129.171 L 357.929,129.684 L 357.206,130.235 L 356.579,130.777 L 356.018,131.338 L 355.552,131.909 L 355.153,132.498 L 354.848,133.088 L 354.63,133.668 L 354.516,134.276 L 354.468,134.875 L 354.468,134.875 L 354.516,135.465 L 354.63,136.064 L 354.848,136.653 L 355.153,137.224 L 355.552,137.813 L 356.018,138.384 L 356.579,138.945 L 357.206,139.506 L 357.929,140.048 L 358.728,140.561 L 359.593,141.075 L 360.534,141.588 L 361.551,142.063 L 362.635,142.52 L 363.795,142.967 L 365.003,143.385 L 366.277,143.794 L 367.608,144.155 L 368.987,144.507 L 370.422,144.84 L 371.906,145.153 L 373.427,145.41 L 374.986,145.667 L 376.574,145.895 L 378.2,146.076 L 379.854,146.237 L 381.528,146.37 L 383.22,146.475 L 384.912,146.561 L 386.624,146.608 L 388.345,146.618 L 388.345,146.618 L 390.056,146.608 L 391.768,146.561 L 393.46,146.475 L 395.153,146.37 L 396.826,146.237 L 398.48,146.076 L 400.106,145.895 L 401.685,145.667 L 403.244,145.41 L 404.775,145.153 L 406.258,144.84 L 407.694,144.507 L 409.072,144.155 L 
410.403,143.794 L 411.668,143.385 L 412.885,142.967 L 414.045,142.52 L 415.129,142.063 L 416.146,141.588 L 417.087,141.075 L 417.953,140.561 L 418.751,140.048 L 419.474,139.506 L 420.101,138.945 L 420.662,138.384 L 421.128,137.813 L 421.528,137.224 L 421.822,136.653 L 422.032,136.064 L 422.155,135.465 L 422.212,134.875z"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #aae6ff" d="M 421.813 134.676 L 421.765,134.077 L 421.651,133.506 L 421.433,132.926 L 421.138,132.346 L 420.748,131.785 L 420.254,131.205 L 419.74,130.673 L 419.094,130.121 L 418.381,129.598 L 417.591,129.056 L 416.717,128.572 L 415.785,128.068 L 414.777,127.592 L 413.703,127.155 L 412.562,126.699 L 411.345,126.318 L 410.071,125.909 L 408.758,125.539 L 407.389,125.196 L 405.963,124.863 L 404.48,124.569 L 402.978,124.302 L 401.437,124.065 L 399.85,123.837 L 398.243,123.646 L 396.588,123.494 L 394.934,123.352 L 393.251,123.257 L 391.559,123.181 L 389.857,123.133 L 388.155,123.124 L 388.155,123.124 L 386.434,123.133 L 384.741,123.181 L 383.039,123.257 L 381.376,123.352 L 379.712,123.494 L 378.067,123.646 L 376.45,123.837 L 374.863,124.065 L 373.313,124.302 L 371.811,124.569 L 370.327,124.863 L 368.901,125.196 L 367.541,125.539 L 366.22,125.909 L 364.946,126.318 L 363.738,126.699 L 362.607,127.155 L 361.532,127.592 L 360.515,128.068 L 359.564,128.572 L 358.718,129.056 L 357.919,129.598 L 357.206,130.121 L 356.579,130.673 L 356.027,131.205 L 355.552,131.785 L 355.172,132.346 L 354.867,132.926 L 354.649,133.506 L 354.525,134.077 L 354.478,134.676 L 354.478,134.676 L 354.525,135.265 L 354.649,135.845 L 354.867,136.425 L 355.172,136.996 L 355.552,137.566 L 356.027,138.137 L 356.579,138.679 L 357.206,139.23 L 357.919,139.753 L 358.718,140.285 L 359.564,140.789 L 360.515,141.265 L 361.532,141.75 L 362.607,142.206 L 363.738,142.634 L 364.946,143.043 L 366.22,143.433 L 367.541,143.803 L 368.901,144.146 L 370.327,144.478 L 371.811,144.792 L 373.313,145.039 L 374.863,145.296 L 376.45,145.515 L 378.067,145.695 L 379.712,145.867 L 381.376,146 L 383.039,146.085 L 384.741,146.171 L 386.434,146.218 L 388.155,146.228 L 388.155,146.228 L 389.857,146.218 L 391.559,146.171 L 393.251,146.085 L 394.934,146 L 396.588,145.867 L 398.243,145.695 L 399.85,145.515 L 401.437,145.296 L 402.978,145.039 L 404.48,144.792 L 
405.963,144.478 L 407.389,144.146 L 408.758,143.803 L 410.071,143.433 L 411.345,143.043 L 412.562,142.634 L 413.703,142.206 L 414.777,141.75 L 415.785,141.265 L 416.717,140.789 L 417.591,140.285 L 418.381,139.753 L 419.094,139.23 L 419.74,138.679 L 420.254,138.137 L 420.748,137.566 L 421.138,136.996 L 421.433,136.425 L 421.651,135.845 L 421.765,135.265 L 421.813,134.676"/>
-    <path style="fill: #000000" d="M 388.972 132.204 L 393.898,133.858 L 405.811,128.895 L 411.145,130.54 L 408.264,126.432 L 394.316,126.432 L 400.049,127.659 L 388.972,132.204z"/>
-    <path style="fill: #000000" d="M 386.909 136.739 L 381.994,135.075 L 370.489,140.048 L 364.746,138.384 L 367.608,142.919 L 381.994,142.919 L 375.823,141.265 L 386.909,136.739z"/>
-    <path style="fill: #000000" d="M 365.973 127.659 L 370.888,126.014 L 382.811,130.54 L 388.155,129.313 L 385.283,133.421 L 371.307,133.421 L 377.049,132.204 L 365.973,127.659z"/>
-    <path style="fill: #000000" d="M 410.318 141.674 L 405.383,143.328 L 393.898,138.384 L 388.155,140.048 L 391.026,135.902 L 405.383,135.902 L 399.231,137.138 L 410.318,141.674z"/>
-    <path style="fill: #ffffff" d="M 389.381 132.612 L 394.316,134.257 L 406.201,129.313 L 411.554,130.968 L 408.673,126.832 L 394.715,126.832 L 400.468,128.058 L 389.381,132.612z"/>
-    <path style="fill: #ffffff" d="M 387.328 137.138 L 382.383,135.493 L 370.888,140.438 L 365.145,138.793 L 368.017,143.328 L 382.383,143.328 L 376.232,141.674 L 387.328,137.138z"/>
-    <path style="fill: #ffffff" d="M 366.381 128.058 L 371.307,126.432 L 383.22,130.968 L 388.554,129.713 L 385.692,133.858 L 371.715,133.858 L 377.477,132.612 L 366.381,128.058z"/>
-    <path style="fill: #ffffff" d="M 410.717 142.101 L 405.811,143.746 L 394.316,138.793 L 388.554,140.438 L 391.425,136.33 L 405.811,136.33 L 399.65,137.557 L 410.717,142.101z"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #aae6ff" d="M 354.478 134.676 L 354.478,151.153"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #aae6ff" d="M 421.813 134.676 L 421.813,151.153"/>
-  </g>
-  <line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="539.815" y1="59.8656" x2="465.169" y2="59.9832"/>
-  <g>
-    <path style="fill: #00b4ff" d="M 436.008 60.048 L 445.014,52.7662 L 465.806,52.7662 L 458.353,60.048 L 436.008,60.048z"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #000000" d="M 436.008 60.048 L 445.014,52.7662 L 465.806,52.7662 L 458.353,60.048 L 436.008,60.048"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.1; stroke: #add6e7" d="M 436.008 60.048 L 445.014,52.7662 L 465.806,52.7662 L 458.353,60.048 L 436.008,60.048"/>
-    <path style="fill: #005a80" d="M 458.353 67.2865 L 465.806,59.2394 L 465.806,52.7783 L 458.353,60.0471 L 458.353,67.2856 L 458.353,67.2865z"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #000000" d="M 458.353 67.2865 L 465.806,59.2394 L 465.806,52.7783 L 458.353,60.0471 L 458.353,67.2856 L 458.353,67.2865"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.1; stroke: #add6e7" d="M 458.353 67.2865 L 465.806,59.2394 L 465.806,52.7783 L 458.353,60.0471 L 458.353,67.2856"/>
-    <path style="fill: #0096d4" d="M 436.039 67.2934 L 458.353,67.2934 L 458.353,60.048 L 436.039,60.048 L 436.039,67.2934z"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #000000" d="M 436.039 67.2934 L 458.353,67.2934 L 458.353,60.048 L 436.039,60.048 L 436.039,67.2934"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.1; stroke: #add6e7" d="M 436.039 67.2934 L 458.353,67.2934 L 458.353,60.048 L 436.039,60.048 L 436.039,67.2934"/>
-    <path style="fill: #ffffff" d="M 448.194 64.0642 L 439.471,64.0694 L 439.471,63.0039 L 448.194,63.0005 L 448.198,61.34 L 452.074,63.5341 L 448.198,65.7281 L 448.194,64.0642z"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #add6e7" d="M 448.194 64.0642 L 439.471,64.0694 L 439.471,63.0039 L 448.194,63.0005 L 448.198,61.34 L 452.074,63.5341 L 448.198,65.7281 L 448.194,64.0642"/>
-    <path style="fill: #ffffff" d="M 440.429 63.0048 L 440.425,61.3443 L 436.549,63.5384 L 440.425,65.7324 L 440.429,64.0685 L 440.429,63.0048z"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #add6e7" d="M 440.429 63.0048 L 440.425,61.3443 L 436.549,63.5384 L 440.425,65.7324 L 440.429,64.0685 L 440.429,63.0048"/>
-    <path style="fill: #ffffff" d="M 457.386 63.0048 L 457.383,61.3443 L 453.507,63.5384 L 457.383,65.7324 L 457.386,64.0685 L 457.386,63.0048z"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #add6e7" d="M 457.386 63.0048 L 457.383,61.3443 L 453.507,63.5384 L 457.383,65.7324 L 457.386,64.0685 L 457.386,63.0048"/>
-  </g>
-  <line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="445.67" y1="67.3281" x2="402.603" y2="124.228"/>
-  <text font-size="12.8" style="fill: #000000;text-anchor:middle;font-family:sans-serif;font-style:normal;font-weight:normal" x="447.212" y="79.267">
-    <tspan x="447.212" y="79.267">modem</tspan>
-    <tspan x="447.212" y="95.267">VDSL</tspan>
-    <tspan x="447.212" y="111.267">SmartRG</tspan>
-  </text>
-  <g>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.8; stroke: #00aed9" d="M 514.769 308.067 L 514.769,290.135"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 4; stroke: #00aed9" d="M 514.769 307.777 L 514.769,295.477"/>
-    <path style="fill: #000000" d="M 515.29 291.858 L 514.194,291.858 L 514.194,289.666 L 515.29,289.666 L 515.29,291.858z"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #00aed9" d="M 515.29 291.858 L 514.194,291.858 L 514.194,289.666 L 515.29,289.666 L 515.29,291.858"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.8; stroke: #00aed9" d="M 488.19 308.067 L 488.19,290.135"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 4; stroke: #00aed9" d="M 488.19 307.777 L 488.19,295.477"/>
-    <path style="fill: #000000" d="M 488.71 291.858 L 487.614,291.858 L 487.614,289.666 L 488.71,289.666 L 488.71,291.858z"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #00aed9" d="M 488.71 291.858 L 487.614,291.858 L 487.614,289.666 L 488.71,289.666 L 488.71,291.858"/>
-    <path style="fill: #00aed9" d="M 522.204 310.343 C 522.204,314.673 513.179,318.182 502.045,318.182 C 490.911,318.182 481.886,314.673 481.886,310.343 L 481.886,321.826 C 481.886,326.156 490.911,329.666 502.045,329.666 C 513.179,329.666 522.204,326.156 522.204,321.826 L 522.204,310.343z"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.8; stroke: #ffffff" d="M 522.204 310.343 C 522.204,314.673 513.179,318.182 502.045,318.182 C 490.911,318.182 481.886,314.673 481.886,310.343 L 481.886,321.826 C 481.886,326.156 490.911,329.666 502.045,329.666 C 513.179,329.666 522.204,326.156 522.204,321.826 L 522.204,310.343"/>
-    <path style="fill: #00aed9" d="M 502.045 318.182 C 513.179,318.182 522.204,314.673 522.204,310.343 C 522.204,306.013 513.179,302.503 502.045,302.503 C 490.911,302.503 481.886,306.013 481.886,310.343 C 481.886,314.673 490.911,318.182 502.045,318.182z"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.8; stroke: #ffffff" d="M 502.045 318.182 C 513.179,318.182 522.204,314.673 522.204,310.343 C 522.204,306.013 513.179,302.503 502.045,302.503 C 490.911,302.503 481.886,306.013 481.886,310.343 C 481.886,314.673 490.911,318.182 502.045,318.182"/>
-    <path style="fill: #ffffff" d="M 497.441 307.278 L 499.106,309.775 L 492.813,311.229 L 494.187,310.085 L 484.46,308.422 L 486.901,306.593 L 496.286,308.182 L 497.441,307.278z"/>
-    <path style="fill: #ffffff" d="M 506.299 313.332 L 505.162,310.759 L 510.839,309.624 L 509.854,310.506 L 519.317,312.122 L 517.048,313.938 L 507.64,312.173 L 506.299,313.332z"/>
-    <path style="fill: #ffffff" d="M 503.194 305.914 L 509.553,304.174 L 509.628,306.9 L 508.039,306.596 L 504.934,309.169 L 501.974,308.738 L 505.176,306.22 L 503.194,305.914z"/>
-    <path style="fill: #ffffff" d="M 500.469 315.68 L 494.414,316.815 L 494.187,314.015 L 495.927,314.392 L 499.26,311.546 L 502.21,312.046 L 498.653,315.15 L 500.469,315.68z"/>
-  </g>
-  <text font-size="12.8" style="fill: #000000;text-anchor:middle;font-family:sans-serif;font-style:normal;font-weight:normal" x="502.046" y="341.566">
-    <tspan x="502.046" y="341.566">plastik</tspan>
-    <tspan x="502.046" y="357.566">TP-Link 1043D</tspan>
-    <tspan x="502.046" y="373.566">CrapN6</tspan>
-  </text>
-  <text font-size="12.8" style="fill: #000000;text-anchor:middle;font-family:sans-serif;font-style:normal;font-weight:700" x="510.608" y="254.27">
-    <tspan x="510.608" y="254.27">LAN</tspan>
-  </text>
-  <g>
-    <path style="fill: #0096d4" d="M 442.494 216.486 L 442.494,234.849 L 515.139,234.849 L 515.139,216.486 L 442.494,216.486z"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #aae6ff" d="M 442.494 216.486 L 442.494,234.849 L 515.139,234.849 L 515.139,216.486 L 442.494,216.486"/>
-    <path style="fill: #005a80" d="M 515.139 216.486 L 537.634,194.849 L 537.634,213.213 L 515.139,234.849 L 515.139,216.486z"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #aae6ff" d="M 515.139 216.486 L 537.634,194.849 L 537.634,213.213 L 515.139,234.849 L 515.139,216.486"/>
-    <path style="fill: #00b4ff" d="M 515.139 216.486 L 537.634,194.849 L 464.94,194.849 L 442.494,216.486 L 515.139,216.486z"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #aae6ff" d="M 515.139 216.486 L 537.634,194.849 L 464.94,194.849 L 442.494,216.486 L 515.139,216.486"/>
-    <path style="fill: #000000" d="M 488.048 206.006 L 485.42,208.585 L 503.899,208.585 L 501.271,211.891 L 516.461,207.94 L 508.544,204.684 L 506.544,206.006 L 488.048,206.006z"/>
-    <path style="fill: #000000" d="M 497.304 197.477 L 494.659,200.089 L 513.155,200.089 L 509.849,203.362 L 525.701,198.8 L 517.122,195.494 L 515.833,197.477 L 497.304,197.477z"/>
-    <path style="fill: #000000" d="M 481.436 213.213 L 484.13,210.568 L 464.94,210.568 L 468.246,207.296 L 453.023,211.213 L 460.973,214.519 L 462.312,213.213 L 481.436,213.213z"/>
-    <path style="fill: #000000" d="M 490.048 203.99 L 492.692,201.428 L 474.196,201.428 L 477.519,198.122 L 461.634,202.701 L 470.213,206.006 L 471.535,203.99 L 490.048,203.99z"/>
-    <path style="fill: #ffffff" d="M 488.709 206.618 L 486.081,209.246 L 504.577,209.246 L 501.932,212.535 L 517.122,208.585 L 509.172,205.329 L 507.221,206.618 L 488.709,206.618z"/>
-    <path style="fill: #ffffff" d="M 497.965 198.122 L 495.32,200.734 L 513.816,200.734 L 510.511,203.99 L 526.378,199.411 L 517.8,196.155 L 516.461,198.122 L 497.965,198.122z"/>
-    <path style="fill: #ffffff" d="M 482.097 213.858 L 484.742,211.213 L 465.618,211.213 L 468.874,207.94 L 453.701,211.891 L 461.634,215.163 L 462.94,213.858 L 482.097,213.858z"/>
-    <path style="fill: #ffffff" d="M 490.676 204.684 L 493.354,202.039 L 474.825,202.039 L 478.147,198.8 L 462.312,203.362 L 470.891,206.618 L 472.18,204.684 L 490.676,204.684z"/>
-  </g>
-  <g>
-    <path style="fill: #1c97cd" d="M 554.055 258.822 L 554.055,279.655 L 615.255,279.655 L 615.255,258.822 L 554.055,258.822z"/>
-    <path style="fill: #8dcaef" d="M 554.055 279.942 L 554.323,279.655 L 554.323,258.822 L 553.768,258.822 L 553.768,279.655 L 554.055,279.942z"/>
-    <path style="fill: #8dcaef" d="M 615.541 279.655 L 615.255,279.378 L 554.055,279.378 L 554.055,279.942 L 615.255,279.942 L 615.541,279.655z"/>
-    <path style="fill: #8dcaef" d="M 615.255 258.554 L 614.995,258.822 L 614.995,279.655 L 615.541,279.655 L 615.541,258.822 L 615.255,258.554z"/>
-    <path style="fill: #8dcaef" d="M 553.768 258.822 L 554.055,259.109 L 615.255,259.109 L 615.255,258.554 L 554.055,258.554 L 553.768,258.822z"/>
-    <path style="fill: #076086" d="M 615.255 258.822 L 633.911,240.22 L 633.911,261.071 L 615.255,279.655 L 615.255,258.822z"/>
-    <path style="fill: #8dcaef" d="M 634.189 240.22 L 633.714,240.023 L 615.076,258.634 L 615.461,259.028 L 634.117,240.417 L 634.189,240.22z"/>
-    <path style="fill: #8dcaef" d="M 634.117 261.268 L 634.189,261.071 L 634.189,240.22 L 633.634,240.22 L 633.634,261.071 L 634.117,261.268z"/>
-    <path style="fill: #8dcaef" d="M 614.995 279.655 L 615.461,279.852 L 634.117,261.268 L 633.714,260.873 L 615.076,279.467 L 614.995,279.655z"/>
-    <path style="fill: #8dcaef" d="M 615.076 258.634 L 614.995,258.822 L 614.995,279.655 L 615.541,279.655 L 615.541,258.822 L 615.076,258.634z"/>
-    <path style="fill: #3cafe4" d="M 615.255 258.822 L 633.911,240.22 L 572.684,240.22 L 554.055,258.822 L 615.255,258.822z"/>
-    <path style="fill: #8dcaef" d="M 633.911 239.942 L 633.714,240.023 L 615.076,258.634 L 615.461,259.028 L 634.117,240.417 L 633.911,239.942z"/>
-    <path style="fill: #8dcaef" d="M 572.478 240.023 L 572.684,240.497 L 633.911,240.497 L 633.911,239.942 L 572.684,239.942 L 572.478,240.023z"/>
-    <path style="fill: #8dcaef" d="M 554.055 259.109 L 554.234,259.028 L 572.881,240.417 L 572.478,240.023 L 553.849,258.634 L 554.055,259.109z"/>
-    <path style="fill: #8dcaef" d="M 615.461 259.028 L 615.255,258.554 L 554.055,258.554 L 554.055,259.109 L 615.255,259.109 L 615.461,259.028z"/>
-    <path style="fill: #000000" d="M 576.948 254.299 L 576.939,254.434 L 576.921,254.541 L 576.867,254.658 L 576.822,254.774 L 576.751,254.882 L 576.67,254.998 L 576.571,255.105 L 576.464,255.222 L 576.356,255.303 L 576.204,255.419 L 576.061,255.509 L 575.909,255.616 L 575.729,255.697 L 575.55,255.804 L 575.353,255.867 L 575.156,255.947 L 574.941,256.037 L 574.717,256.118 L 574.493,256.171 L 574.252,256.243 L 574.019,256.297 L 573.741,256.368 L 573.481,256.413 L 573.222,256.449 L 572.935,256.512 L 572.657,256.539 L 572.362,256.565 L 572.093,256.592 L 571.789,256.619 L 571.484,256.637 L 571.162,256.637 L 570.857,256.646 L 570.562,256.637 L 570.23,256.637 L 569.917,256.619 L 569.639,256.592 L 569.335,256.565 L 569.03,256.539 L 568.77,256.512 L 568.484,256.449 L 568.215,256.413 L 567.955,256.368 L 567.686,256.297 L 567.436,256.243 L 567.203,256.171 L 566.979,256.118 L 566.755,256.037 L 566.54,255.947 L 566.334,255.867 L 566.155,255.804 L 565.967,255.697 L 565.797,255.616 L 565.635,255.509 L 565.501,255.419 L 565.349,255.303 L 565.223,255.222 L 565.116,255.105 L 565.026,254.998 L 564.955,254.882 L 564.883,254.774 L 564.838,254.658 L 564.785,254.541 L 564.749,254.434 L 564.749,254.299 L 564.749,254.183 L 564.785,254.066 L 564.838,253.932 L 564.883,253.825 L 564.955,253.717 L 565.026,253.601 L 565.116,253.493 L 565.223,253.395 L 565.349,253.287 L 565.501,253.18 L 565.635,253.09 L 565.797,253.001 L 565.967,252.902 L 566.155,252.813 L 566.334,252.732 L 566.54,252.642 L 566.755,252.562 L 566.979,252.481 L 567.203,252.418 L 567.436,252.365 L 567.686,252.302 L 567.955,252.23 L 568.215,252.195 L 568.484,252.141 L 568.77,252.087 L 569.03,252.06 L 569.335,252.033 L 569.639,252.006 L 569.917,251.98 L 570.23,251.971 L 570.562,251.953 L 570.857,251.953 L 571.162,251.953 L 571.484,251.971 L 571.789,251.98 L 572.093,252.006 L 572.362,252.033 L 572.657,252.06 L 572.935,252.087 L 573.222,252.141 L 573.481,252.195 L 573.741,252.23 L 574.019,252.302 L 574.252,252.365 L 574.493,252.418 L 
574.717,252.481 L 574.941,252.562 L 575.156,252.642 L 575.353,252.732 L 575.55,252.813 L 575.729,252.902 L 575.909,253.001 L 576.061,253.09 L 576.204,253.18 L 576.356,253.287 L 576.464,253.395 L 576.571,253.493 L 576.67,253.601 L 576.751,253.717 L 576.822,253.825 L 576.867,253.932 L 576.921,254.066 L 576.939,254.183 L 576.948,254.299z"/>
-    <path style="fill: #ffffff" d="M 576.948 253.153 L 576.939,253.269 L 576.921,253.395 L 576.867,253.511 L 576.822,253.628 L 576.751,253.735 L 576.67,253.852 L 576.571,253.959 L 576.464,254.066 L 576.356,254.183 L 576.204,254.272 L 576.061,254.362 L 575.909,254.47 L 575.729,254.55 L 575.55,254.64 L 575.353,254.72 L 575.156,254.801 L 574.941,254.882 L 574.717,254.962 L 574.493,255.034 L 574.252,255.105 L 574.019,255.159 L 573.741,255.222 L 573.481,255.258 L 573.222,255.303 L 572.935,255.356 L 572.657,255.392 L 572.362,255.419 L 572.093,255.446 L 571.789,255.473 L 571.484,255.473 L 571.162,255.5 L 570.857,255.5 L 570.562,255.5 L 570.23,255.473 L 569.917,255.473 L 569.639,255.446 L 569.335,255.419 L 569.03,255.392 L 568.77,255.356 L 568.484,255.303 L 568.215,255.258 L 567.955,255.222 L 567.686,255.159 L 567.436,255.105 L 567.203,255.034 L 566.979,254.962 L 566.755,254.882 L 566.54,254.801 L 566.334,254.72 L 566.155,254.64 L 565.967,254.55 L 565.797,254.47 L 565.635,254.362 L 565.501,254.272 L 565.349,254.183 L 565.223,254.066 L 565.116,253.959 L 565.026,253.852 L 564.955,253.735 L 564.883,253.628 L 564.838,253.511 L 564.785,253.395 L 564.749,253.269 L 564.749,253.153 L 564.749,253.036 L 564.785,252.92 L 564.838,252.813 L 564.883,252.678 L 564.955,252.562 L 565.026,252.454 L 565.116,252.347 L 565.223,252.23 L 565.349,252.141 L 565.501,252.033 L 565.635,251.944 L 565.797,251.836 L 565.967,251.747 L 566.155,251.666 L 566.334,251.577 L 566.54,251.496 L 566.755,251.415 L 566.979,251.362 L 567.203,251.272 L 567.436,251.218 L 567.686,251.156 L 567.955,251.084 L 568.215,251.048 L 568.484,250.994 L 568.77,250.941 L 569.03,250.914 L 569.335,250.887 L 569.639,250.851 L 569.917,250.833 L 570.23,250.824 L 570.562,250.824 L 570.857,250.824 L 571.162,250.824 L 571.484,250.824 L 571.789,250.833 L 572.093,250.851 L 572.362,250.887 L 572.657,250.914 L 572.935,250.941 L 573.222,250.994 L 573.481,251.048 L 573.741,251.084 L 574.019,251.156 L 574.252,251.218 L 574.493,251.272 L 
574.717,251.362 L 574.941,251.415 L 575.156,251.496 L 575.353,251.577 L 575.55,251.666 L 575.729,251.747 L 575.909,251.836 L 576.061,251.944 L 576.204,252.033 L 576.356,252.141 L 576.464,252.23 L 576.571,252.347 L 576.67,252.454 L 576.751,252.562 L 576.822,252.678 L 576.867,252.813 L 576.921,252.92 L 576.939,253.036 L 576.948,253.153z"/>
-    <path style="fill: #1f1a17" d="M 592.03 262.02 L 592.075,262.02 L 592.174,262.02 L 592.254,262.038 L 592.326,262.038 L 592.407,262.065 L 592.505,262.083 L 592.541,262.092 L 592.604,262.118 L 592.639,262.136 L 592.693,262.181 L 592.738,262.208 L 592.792,262.244 L 592.837,262.262 L 592.863,262.315 L 592.917,262.36 L 592.953,262.414 L 592.989,262.468 L 593.025,262.539 L 593.06,262.593 L 593.078,262.665 L 593.096,262.736 L 593.141,262.817 L 593.32,266.247 L 599.33,267.242 L 599.921,265.952 L 598.425,261.832 L 597.718,261.662 L 597.01,261.491 L 596.321,261.348 L 595.658,261.223 L 595.013,261.097 L 594.386,260.999 L 593.759,260.9 L 593.177,260.82 L 592.604,260.748 L 592.048,260.676 L 591.502,260.623 L 590.983,260.578 L 590.49,260.542 L 590.024,260.497 L 589.567,260.497 L 589.146,260.47 L 588.725,260.453 L 588.34,260.444 L 587.964,260.444 L 587.642,260.444 L 587.328,260.444 L 587.015,260.444 L 586.773,260.453 L 586.54,260.453 L 586.119,260.497 L 585.832,260.497 L 585.671,260.524 L 585.6,260.524 L 585.895,260.524 L 585.859,260.524 L 585.707,260.497 L 585.474,260.497 L 585.143,260.453 L 584.955,260.453 L 584.74,260.444 L 584.48,260.444 L 584.22,260.444 L 583.925,260.444 L 583.62,260.444 L 583.289,260.453 L 582.913,260.47 L 582.536,260.497 L 582.124,260.497 L 581.695,260.542 L 581.265,260.578 L 580.781,260.623 L 580.297,260.676 L 579.769,260.748 L 579.232,260.82 L 578.685,260.9 L 578.094,260.999 L 577.503,261.097 L 576.867,261.223 L 576.222,261.348 L 575.559,261.491 L 574.888,261.662 L 574.162,261.832 L 572.675,265.952 L 573.266,267.242 L 579.258,266.247 L 579.455,262.817 L 579.482,262.736 L 579.509,262.665 L 579.536,262.593 L 579.563,262.539 L 579.608,262.468 L 579.626,262.414 L 579.679,262.36 L 579.715,262.315 L 579.751,262.262 L 579.814,262.244 L 579.841,262.208 L 579.894,262.181 L 579.939,262.136 L 579.993,262.118 L 580.029,262.092 L 580.073,262.083 L 580.172,262.065 L 580.27,262.038 L 580.342,262.038 L 580.414,262.02 L 580.521,262.02 L 580.557,262.02 L 
592.03,262.02z"/>
-    <path style="fill: #1f1a17" d="M 592.586 265.092 L 592.201,265.468 L 592.201,278.285 L 592.953,278.285 L 592.953,265.468 L 592.586,265.092 L 592.953,265.468 L 592.953,265.092 L 592.586,265.092z"/>
-    <path style="fill: #1f1a17" d="M 579.626 265.468 L 580.011,265.844 L 592.586,265.844 L 592.586,265.092 L 580.011,265.092 L 579.626,265.468 L 580.011,265.092 L 579.626,265.092 L 579.626,265.468z"/>
-    <path style="fill: #1f1a17" d="M 580.011 278.661 L 580.378,278.285 L 580.378,265.468 L 579.626,265.468 L 579.626,278.285 L 580.011,278.661 L 579.626,278.285 L 579.626,278.661 L 580.011,278.661z"/>
-    <path style="fill: #1f1a17" d="M 592.953 278.285 L 592.586,277.909 L 580.011,277.909 L 580.011,278.661 L 592.586,278.661 L 592.953,278.285 L 592.586,278.661 L 592.953,278.661 L 592.953,278.285z"/>
-    <path style="fill: #000000" d="M 584.776 277.336 L 580.906,266.418 L 583.289,266.418 L 586.056,274.461 L 588.708,266.418 L 591.063,266.418 L 587.158,277.336 L 584.776,277.336z"/>
-    <path style="fill: #ffffff" d="M 591.627 261.733 L 591.672,261.733 L 591.771,261.733 L 591.833,261.733 L 591.941,261.742 L 592.021,261.769 L 592.102,261.796 L 592.156,261.814 L 592.201,261.832 L 592.254,261.868 L 592.29,261.868 L 592.353,261.912 L 592.398,261.939 L 592.433,261.993 L 592.478,262.02 L 592.514,262.065 L 592.541,262.118 L 592.604,262.181 L 592.622,262.244 L 592.657,262.307 L 592.693,262.36 L 592.711,262.441 L 592.738,262.513 L 592.935,265.952 L 598.927,266.964 L 599.536,265.647 L 598.022,261.536 L 597.324,261.348 L 596.616,261.196 L 595.935,261.062 L 595.273,260.936 L 594.619,260.82 L 593.983,260.712 L 593.374,260.623 L 592.765,260.524 L 592.201,260.453 L 591.645,260.399 L 591.117,260.327 L 590.597,260.291 L 590.078,260.247 L 589.612,260.229 L 589.164,260.193 L 588.725,260.175 L 588.322,260.166 L 587.937,260.166 L 587.579,260.148 L 587.23,260.148 L 586.907,260.148 L 586.621,260.166 L 586.352,260.166 L 586.119,260.175 L 585.725,260.193 L 585.447,260.202 L 585.268,260.229 L 585.214,260.229 L 585.501,260.229 L 585.456,260.229 L 585.322,260.202 L 585.089,260.193 L 584.758,260.175 L 584.552,260.166 L 584.328,260.166 L 584.086,260.148 L 583.808,260.148 L 583.54,260.148 L 583.208,260.166 L 582.877,260.166 L 582.528,260.175 L 582.142,260.193 L 581.739,260.229 L 581.309,260.247 L 580.862,260.291 L 580.396,260.327 L 579.894,260.399 L 579.384,260.453 L 578.846,260.524 L 578.282,260.623 L 577.709,260.712 L 577.1,260.82 L 576.482,260.936 L 575.819,261.062 L 575.156,261.196 L 574.476,261.348 L 573.759,261.536 L 572.281,265.647 L 572.881,266.964 L 578.855,265.952 L 579.07,262.513 L 579.079,262.441 L 579.106,262.36 L 579.133,262.307 L 579.16,262.244 L 579.205,262.181 L 579.232,262.118 L 579.276,262.065 L 579.312,262.02 L 579.357,261.993 L 579.402,261.939 L 579.438,261.912 L 579.491,261.868 L 579.536,261.868 L 579.59,261.832 L 579.626,261.814 L 579.679,261.796 L 579.769,261.769 L 579.867,261.742 L 579.957,261.733 L 580.011,261.733 L 580.118,261.733 L 
580.154,261.733 L 591.627,261.733z"/>
-    <path style="fill: #ffffff" d="M 592.174 264.805 L 591.815,265.173 L 591.815,277.989 L 592.541,277.989 L 592.541,265.173 L 592.174,264.805 L 592.541,265.173 L 592.541,264.805 L 592.174,264.805z"/>
-    <path style="fill: #ffffff" d="M 579.232 265.173 L 579.608,265.549 L 592.174,265.549 L 592.174,264.805 L 579.608,264.805 L 579.232,265.173 L 579.608,264.805 L 579.232,264.805 L 579.232,265.173z"/>
-    <path style="fill: #ffffff" d="M 579.608 278.366 L 579.975,277.989 L 579.975,265.173 L 579.232,265.173 L 579.232,277.989 L 579.608,278.366 L 579.232,277.989 L 579.232,278.366 L 579.608,278.366z"/>
-    <path style="fill: #ffffff" d="M 592.541 277.989 L 592.174,277.613 L 579.608,277.613 L 579.608,278.366 L 592.174,278.366 L 592.541,277.989 L 592.174,278.366 L 592.541,278.366 L 592.541,277.989z"/>
-    <path style="fill: #ffffff" d="M 584.364 277.04 L 580.503,266.14 L 582.877,266.14 L 585.653,274.183 L 588.296,266.14 L 590.651,266.14 L 586.755,277.04 L 584.364,277.04z"/>
-  </g>
-  <line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="521.685" y1="228.569" x2="565.1" y2="247.401"/>
-  <text font-size="12.8" style="fill: #000000;text-anchor:middle;font-family:sans-serif;font-style:normal;font-weight:normal" x="584.65" y="291.842">
-    <tspan x="584.65" y="291.842">Cisco</tspan>
-    <tspan x="584.65" y="307.842">ATA-186</tspan>
-  </text>
-  <g>
-    <path style="fill: #b7b79d" d="M 578.572 176.18 L 618.541,176.18 L 618.541,183.566 L 578.572,183.566 L 578.572,176.18z"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #494936" d="M 578.572 176.18 L 618.541,176.18 L 618.541,183.566 L 578.572,183.566 L 578.572,176.18"/>
-    <path style="fill: #c9c9b6" d="M 578.572 176.18 L 582.81,172.162 L 622.779,172.162 L 618.541,176.18 L 578.572,176.18z"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #494936" d="M 578.572 176.18 L 582.81,172.162 L 622.779,172.162 L 618.541,176.18 L 578.572,176.18"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 2.12; stroke: #000000" d="M 616.305 179.543 L 606.714,179.543"/>
-    <path style="fill: #7a7a5a" d="M 618.541 183.566 L 622.779,179.316 L 622.779,172.162 L 618.541,176.18 L 618.541,183.566z"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #494936" d="M 618.541 183.566 L 622.779,179.316 L 622.779,172.162 L 618.541,176.18 L 618.541,183.566"/>
-    <path style="fill: #c9c9b6" d="M 578.799 188.252 L 583.257,182.666 L 614.076,182.666 L 609.617,188.252 L 578.799,188.252z"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #494936" d="M 578.799 188.252 L 583.257,182.666 L 614.076,182.666 L 609.617,188.252 L 578.799,188.252"/>
-    <path style="fill: #7a7a5a" d="M 609.617 189.366 L 614.076,184.681 L 614.076,182.666 L 609.617,188.252 L 609.617,189.366z"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #494936" d="M 609.617 189.366 L 614.076,184.681 L 614.076,182.666 L 609.617,188.252 L 609.617,189.366"/>
-    <path style="fill: #b7b79d" d="M 578.799 188.252 L 609.617,188.252 L 609.617,189.366 L 578.799,189.366 L 578.799,188.252z"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #494936" d="M 578.799 188.252 L 609.617,188.252 L 609.617,189.366 L 578.799,189.366 L 578.799,188.252"/>
-    <path style="fill: #000000" d="M 584.598 175.292 L 587.955,172.162 L 616.305,172.162 L 613.188,175.292 L 584.598,175.292z"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #000000" d="M 584.598 175.292 L 587.955,172.162 L 616.305,172.162 L 613.188,175.292 L 584.598,175.292"/>
-    <path style="fill: #c9c9b6" d="M 584.372 152.269 L 587.508,149.366 L 615.87,149.366 L 612.734,152.269 L 584.372,152.269z"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #494936" d="M 584.372 152.269 L 587.508,149.366 L 615.87,149.366 L 612.734,152.269 L 584.372,152.269"/>
-    <path style="fill: #b7b79d" d="M 584.372 152.269 L 612.961,152.269 L 612.961,174.838 L 584.372,174.838 L 584.372,152.269z"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #494936" d="M 584.372 152.269 L 612.949,152.269 L 612.949,174.832 L 584.372,174.832 L 584.372,152.269"/>
-    <path style="fill: #ffffff" d="M 586.828 155.166 L 610.499,155.166 L 610.499,172.603 L 586.828,172.603 L 586.828,155.166z"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #494936" d="M 586.828 155.166 L 610.499,155.166 L 610.499,172.597 L 586.828,172.597 L 586.828,155.166"/>
-    <path style="fill: #7a7a5a" d="M 612.734 174.624 L 615.87,171.495 L 615.87,149.366 L 612.734,152.269 L 612.734,174.624z"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #494936" d="M 612.734 174.624 L 615.87,171.495 L 615.87,149.366 L 612.734,152.269 L 612.734,174.624"/>
-  </g>
-  <line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="537.622" y1="196.914" x2="578.561" y2="181.478"/>
-  <text font-size="12.8" style="fill: #000000;text-anchor:middle;font-family:sans-serif;font-style:normal;font-weight:normal" x="594.208" y="201.266">
-    <tspan x="594.208" y="201.266">marcos</tspan>
-    <tspan x="594.208" y="217.266">192.168.0.3/24</tspan>
-  </text>
-  <line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="411.999" y1="159.792" x2="463.567" y2="196.166"/>
-  <g>
+  <g id="Arrière-plan">
     <g>
-      <path style="fill: #b7b79d" d="M 568.45 401.973 L 568.45,410.258 L 603.461,410.258 L 603.461,401.973 L 568.45,401.973z"/>
-      <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #494936" d="M 568.45 401.973 L 568.45,410.258 L 603.461,410.258 L 603.461,401.973 L 568.45,401.973"/>
-      <path style="fill: #c9c9b6" d="M 568.45 401.973 L 585.417,374.943 L 620.44,374.943 L 603.461,401.973 L 568.45,401.973z"/>
-      <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #494936" d="M 568.45 401.973 L 585.417,374.943 L 620.44,374.943 L 603.461,401.973 L 568.45,401.973"/>
-      <path style="fill: #7a7a5a" d="M 603.461 410.258 L 620.44,393.317 L 620.44,374.943 L 603.461,401.973 L 603.461,410.258z"/>
-      <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #494936" d="M 603.461 410.258 L 620.44,393.317 L 620.44,374.943 L 603.461,401.973 L 603.461,410.258"/>
-      <path style="fill: #c9c9b6" d="M 576.755 394.394 L 580.719,386.835 L 587.941,377.823 L 594.799,370.258 L 602.02,370.258 L 594.448,378.193 L 587.22,387.562 L 583.62,394.394 L 576.755,394.394z"/>
-      <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #494936" d="M 576.755 394.394 L 580.719,386.835 L 587.941,377.823 L 594.799,370.258 L 602.02,370.258 L 594.448,378.193 L 587.22,387.562 L 583.62,394.394 L 576.755,394.394"/>
-      <path style="fill: #b7b79d" d="M 576.755 394.394 L 576.755,400.169 L 584.34,400.169 L 583.62,394.394 L 576.755,394.394z"/>
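
Review bot: the only reviewable content in this hunk is the removed `<text>` labels (`marcos` / `192.168.0.3/24`, `plastik` / `TP-Link 1043D`, `Cisco ATA-186`, the `SmartRG` VDSL modem), and nothing visible shows whether they reappear under the new `<g id="Arrière-plan">` group. The rest is regenerated path coordinates that cannot be checked by eye. Keep the diagram's editable source next to the SVG and treat the SVG as a generated file, so that label changes show up as a small diff. While the labels are being touched, confirm that the host names, addressing and device models are meant to be published with the page.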

(Diff truncated)
new patches on ikiwiki
diff --git a/services/wiki.mdwn b/services/wiki.mdwn
index 0a82a34..14521f5 100644
--- a/services/wiki.mdwn
+++ b/services/wiki.mdwn
@@ -130,7 +130,8 @@ On any given upgrade, the following patches need to be applied:
 
 There are two patches left:
 
- * [[!iki todo/toc-with-human-readable-anchors]]
+ * [[!iki todo/toc-with-human-readable-anchors]] and [[!iki plugins/contrib/i18nheadinganchors]]
+ * [[!iki bugs/footnotes-look-weird]]
  * [[!iki todo/git-annex_support]]
  * [[!iki todo/admonitions]]
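
Review bot: the context line `There are two patches left:` no longer matches the list under it, which has four entries once `bugs/footnotes-look-weird` is added (it already had three before this change). Drop the number or update it. The first bullet now joins two pages with "and"; if `plugins/contrib/i18nheadinganchors` is a separate patch to apply on upgrade, give it its own bullet so the checklist stays one patch per line.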
 

a beautiful book!!
diff --git a/wishlist.mdwn b/wishlist.mdwn
index 7d2c451..42498b0 100644
--- a/wishlist.mdwn
+++ b/wishlist.mdwn
@@ -54,6 +54,7 @@ Voici des choses que vous pouvez m'acheter si vous êtes le Père Nowel (yeah ri
    [chez abebooks.com](http://www.abebooks.com/servlet/BookDetailsPL?bi=14250044964&searchurl=sts%3Dt%26amp%3By%3D0%26amp%3Bx%3D0%26amp%3Bkn%3D9782857251842),
    aussi en [DVD](http://www.capehorn.com/TrailerAng.htm))
    * autres
+     * [Astronomica : galaxies, planètes, étoiles, cartes des constellations, explorations spatiales](http://www.worldcat.org/oclc/495085208)
      * <http://whatif.xkcd.com/book/>
      * [La théorie du drone](http://www.worldcat.org/oclc/847564093)
      * [The ARRL Operating Manual](http://www.arrl.org/shop/The-ARRL-Operating-Manual/)

add bookchin quote
diff --git a/sigs.fortune b/sigs.fortune
index ca1897c..23c3271 100644
--- a/sigs.fortune
+++ b/sigs.fortune
@@ -1050,3 +1050,6 @@ domain of capital.
 Gods don't like people not doing much work. People who aren't busy all
 the time might start to think.
                         - Terry Pratchett, Small Gods
+%
+If we do not do the impossible, we shall be faced with the unthinkable.
+                        - Murray Bookchin

fix yet another link
diff --git a/blog/2017-04-29-netdev-rise-linux-networking-hw.mdwn b/blog/2017-04-29-netdev-rise-linux-networking-hw.mdwn
index 24cdb9f..86f58b9 100644
--- a/blog/2017-04-29-netdev-rise-linux-networking-hw.mdwn
+++ b/blog/2017-04-29-netdev-rise-linux-networking-hw.mdwn
@@ -151,7 +151,7 @@ show up as a single port, which limits the amount of information that
 can be extracted from the switch. For example, you cannot have per-port
 traffic statistics with swconfig. That limitation is what led to the
 creation of the switchdev framework, when swconfig was
-[proposed](/Articles/571390/) (then refused) for inclusion in mainline.
+[proposed](https://lwn.net/Articles/571390/) (then refused) for inclusion in mainline.
 Another goal of switchdev was to support bridge hardware offloading and
 network interface card (NIC) virtualization.
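
Review bot: `[proposed](/Articles/571390/)` on the changed line is a site-relative target that survived the `fix typos in URLs` change to this same file (the index line starts from `24cdb9f`, the result of that change), so the links are being fixed one at a time by hand. Search the file for any remaining `](/Articles/` targets before committing, and run a link checker as part of publishing so relative links carried over from LWN are caught without a reader having to report them.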
 

fix typos in URLs
diff --git a/blog/2017-04-29-netdev-rise-linux-networking-hw.mdwn b/blog/2017-04-29-netdev-rise-linux-networking-hw.mdwn
index cd0edf7..24cdb9f 100644
--- a/blog/2017-04-29-netdev-rise-linux-networking-hw.mdwn
+++ b/blog/2017-04-29-netdev-rise-linux-networking-hw.mdwn
@@ -48,7 +48,7 @@ hardware and software in the network threaten free software in the
 server. Even though some manufacturers are already providing a "Linux
 interface" in their hardware, it is often only some sort of
 compatibility shell which might be compared with the [Ubuntu
-compatibility layer in Windows](/Articles/681768/): it's not a real
+compatibility layer in Windows](https://lwn.net/Articles/681768/): it's not a real
 Linux.
 
 Mukherjee pushed this idea further by saying that those companies are
@@ -101,7 +101,7 @@ improve:
     that need to scale to hundreds of interfaces and devices easily.
     This is something the Linux bridge was never designed to do and it's
     showing scalability issues. During the conference, there was hope
-    that the [new XDP and eBPF developments](/Articles/719850/) could
+    that the [new XDP and eBPF developments](https://lwn.net/Articles/719850/) could
     help, but also concerns this would create yet another bridge layer
     inside the kernel.
 
@@ -120,14 +120,14 @@ So how exactly do switches work in Linux?
 
 The Linux kernel manipulates switches with three different operation
 structures: `switchdev_ops`, which we [previously
-covered](/Articles/675826/), `ethtool_ops`, and `netdev_ops`. Certain
+covered](https://lwn.net/Articles/675826/), `ethtool_ops`, and `netdev_ops`. Certain
 switches, however, also need [distributed switch architecture
 (DSA)](https://www.kernel.org/doc/Documentation/networking/dsa/dsa.txt)
 features to be properly handled. DSA is a more obscure part of the
 network stack that allows Linux to represent hardware switches or chains
 of switches using regular Linux tools like `bridge`, `ifconfig`, and so
 on. While switchdev is a new layer, DSA has been in the kernel [since
-2.6.28](/Articles/302333/) in 2008. Originally developed to support
+2.6.28](https://lwn.net/Articles/302333/) in 2008. Originally developed to support
 Marvell switches, DSA is now a generic layer deployed in WiFi access
 points, set-top boxes, on-board flight entertainment systems, trains,
 and other industrial equipment. Switches that have an Ethernet
@@ -184,7 +184,7 @@ your own wireless router or data center switch runs Linux.
 
 In recent years, we have seen more and more networking devices shipped
 with Linux and sometimes even OpenWrt (e.g. in the case of the Turris
-Omnia, which we [previously covered](/Articles/705051/)), and especially
+Omnia, which we [previously covered](https://lwn.net/Articles/705051/)), and especially
 on SOHO routers, but it sometimes means a crippled operating system that
 only offers you a proprietary web interface. But at least those efforts
 make it easier to deploy free operating systems on those devices.
@@ -200,8 +200,8 @@ continuous struggle for OpenWrt developers to liberate generation after
 generation of proprietary hardware with companies like Cisco locking
 down the venerable WRT platform in 2006 and the US Federal
 Communications Commission (FCC) rules that forced TP-Link to [block free
-software on its routers](/Articles/679801/), a change that was [later
-reverted](/Articles/695994/).
+software on its routers](https://lwn.net/Articles/679801/), a change that was [later
+reverted](https://lwn.net/Articles/695994/).
 
 Most hardware providers are obviously not dedicated to software freedom:
 deploying Linux on their hardware is for them an economic, not political
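
Review bot: the two rewritten lines in this hunk, `software on its routers](https://lwn.net/Articles/679801/), a change that was [later` and the `reverted](...)` line after it, now run well past the wrap width the surrounding paragraph keeps, because the absolute URL was substituted in place. Re-wrap the paragraph, or move the URLs to reference-style definitions at the end of the section so the prose lines stay short and each URL appears once.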
diff --git a/blog/2017-04-29-netdev-rise-linux-networking-hw/comment_2_bcad385e65f47e950b9ff2896c5fd76b._comment b/blog/2017-04-29-netdev-rise-linux-networking-hw/comment_2_bcad385e65f47e950b9ff2896c5fd76b._comment
new file mode 100644
index 0000000..66a62b0
--- /dev/null
+++ b/blog/2017-04-29-netdev-rise-linux-networking-hw/comment_2_bcad385e65f47e950b9ff2896c5fd76b._comment
@@ -0,0 +1,9 @@
+[[!comment format=mdwn
+ username="anarcat"
+ subject="""fixed"""
+ date="2017-04-30T14:37:32Z"
+ content="""
+thanks for the heads up! should always run linkchecker on my articles...
+
+*and* I should automate this further... :)
+"""]]

Added a comment: Dead links
diff --git a/blog/2017-04-29-netdev-rise-linux-networking-hw/comment_1_dacf96a68de6979535afeca57d2d47a5._comment b/blog/2017-04-29-netdev-rise-linux-networking-hw/comment_1_dacf96a68de6979535afeca57d2d47a5._comment
new file mode 100644
index 0000000..a93409d
--- /dev/null
+++ b/blog/2017-04-29-netdev-rise-linux-networking-hw/comment_1_dacf96a68de6979535afeca57d2d47a5._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ ip="45.72.243.40"
+ claimedauthor="mvc"
+ subject="Dead links"
+ date="2017-04-29T23:42:13Z"
+ content="""
+FYI links to /Articles/XXX need the LWN domain here.
+"""]]
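
Review bot: the `ip="45.72.243.40"` field on the second added line commits the commenter's network address to the repository together with the comment text, where it stays in history even if the comment is later edited or removed. If the address is only needed for spam handling, keep it out of the committed `_comment` file (or store a truncated or hashed form) and leave `claimedauthor` as the only identity field that is published.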

fix typos
diff --git a/blog/2017-04-29-free-software-activities-april-2017.mdwn b/blog/2017-04-29-free-software-activities-april-2017.mdwn
index 6fd3d52..afb7bae 100644
--- a/blog/2017-04-29-free-software-activities-april-2017.mdwn
+++ b/blog/2017-04-29-free-software-activities-april-2017.mdwn
@@ -29,8 +29,8 @@ services, this may mean elevated compromise and more nasty stuff.
 I furthered the investigation done with my [own analysis][] which
 showed the problem is difficult to solve: Kodi internally uses the
 facility to show thumbnails and media to the user, and there are no
-clear way of restricting which paths Kodi should have acess
-to. Indeed, Kodi is designed to access mounted filesystems and paths
+clear way of restricting which paths Kodi should have access
+to. Indeed, Kodi is designed to access mounted file systems and paths
 in arbitrary locations. In [[!debbug 855225]], I further confirmed
 confirmed wheezy and jessie-backports as vulnerable and therefore
 showed with good certainty that stretch and sid are vulnerable as
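Review bot: Two errors survive in the sentence this hunk edits: "there are no clear way" (spanning the context line and the first changed line) should read "there is no clear way", and "confirmed" is doubled across the two context lines after `[[!debbug 855225]]`. Since this commit is a typo pass over the same paragraph, both can be fixed here.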
@@ -150,13 +150,13 @@ Triage
 Looking for more work, I peeked a bit in the secretary tasks to triage
 some pending issues. I found that [[!debpkg trafficserver]] could be
 crashed with simple requests ([[!debcve CVE-2017-5659]]) so I looked
-into that issue. My [analysis shoed][] that the patch is long and
+into that issue. My [analysis showed][] that the patch is long and
 complex and could be difficult to backport to the old version
 available in wheezy. I also couldn't reproduce the issue in wheezy, so
 it may be a bug introduced only later, although I couldn't confirm
 that directly.
 
-[analysis shoed]: https://lists.debian.org/20170426162316.sraxe7bnagjt2rss@curie.anarc.at
+[analysis showed]: https://lists.debian.org/20170426162316.sraxe7bnagjt2rss@curie.anarc.at
 
 I also triaged [[!debcve wireshark]], where I just noted the
 maintainer expressed concern that we were taking up issues too fast
@@ -214,7 +214,7 @@ free environment is not lost on me.
 
 Needing to scratch that particular itch, and with the help of clever
 people from the IRC channel, I was able to make Emacs tell Xmonad to
-show its window (or "frame" as Emaces likes to call it) on all
+show its window (or "frame" as Emacs likes to call it) on all
 desktops. This involved creating a new function which I think could be
 useful in the [CopyWindow library][]:
 
@@ -273,7 +273,7 @@ identifier and wrote a event hook handler to process it:
       -- we processed the event completely
       return $ All True
 
-All that was left was to hook that into emacs, and I was done!
+All that was left was to hook that into Emacs, and I was done!
 Whoohoo! Full screen total domination, distraction free work! :)
 
 I would love to hear from others what they think of that approach, if
@@ -292,11 +292,14 @@ Speaking of Emacs, after complaining in the noisy `#emacs` IRC channel
 about the [poor TLS configuration of marmelade.org][] -- and filing a
 bug ([[!debbug 861106]]) regarding the use of SHA-1 in certificate
 pinning -- I was told we shouldn't expect trust from third-party ELPA
-repositories. Marmelade seems to be basically dead, as the maintainer
-is "behind the great firewall of China" and still hasn't figured
-out [how to sign packages][]. In the end, it seems like there
+repositories. [Marmelade][] seems to be dead, as the maintainer is
+"behind the great firewall of China" and [MELPA][] still hasn't
+figured out [how to sign packages][]. In the end, it seems like there
 are [tons of elpa packages in Debian][] and that if your favorite one
-is missing, that's a bug that can be fixed.
+is missing, that's a bug that can be filed and fixed.
+
+[MELPA]: https://melpa.org/
+[Marmelade]: https://marmalade-repo.org/
 
 I first discovered that 6 of the packages I used were already
 packaged:
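Review bot: The rewritten Marmelade sentence changes meaning, not only spelling: before, it was the Marmelade maintainer who "still hasn't figured out how to sign packages"; after, that clause is attributed to MELPA. If that is the intended correction, it belongs in a commit with its own message rather than under "fix typos". Separately, the new `[Marmelade]` label points at `marmalade-repo.org`, so the label (and "marmelade.org" in the context line above) is spelled differently from the URL it references.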
@@ -339,7 +342,7 @@ then [NicerHeadingIds][] and that I have always found frustrating with
 Ikiwiki.
 
 It turns out the problem was both easier and hairier than I
-thought. Right from the start, somethign weird was happening:
+thought. Right from the start, something weird was happening:
 something *was* already adding nice headings, but they were somewhat
 broken. It turns out that [multimarkdown][] already inserts those
 headers, but I wasn't satisfied with the way they were generated. But

link to libsndfile DLA
diff --git a/blog/2017-04-29-free-software-activities-april-2017.mdwn b/blog/2017-04-29-free-software-activities-april-2017.mdwn
index dbff1e8..6fd3d52 100644
--- a/blog/2017-04-29-free-software-activities-april-2017.mdwn
+++ b/blog/2017-04-29-free-software-activities-april-2017.mdwn
@@ -99,8 +99,10 @@ would be best to incorporate the security fixes done in stable, which
 brought in fixes for [[!debcve CVE-2015-7805]], [[!debcve
 CVE-2014-9756]] and [[!debcve CVE-2014-9496]]. So in the end, I ported
 patches from wheezy to jessie and uploaded the jessie version
-(reverting certain build changes) into wheezy.
+(reverting certain build changes) into wheezy and
+uploaded [DLA-928-1][] with the results.
 
+[DLA-928-1]: https://lists.debian.org/20170429193236.xp7gzzpbwf25mfp6@curie.anarc.at
 [test package]: https://lists.debian.org/87bmrk47kt.fsf@curie.anarc.at
 
 yaml-cpp
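Review bot: The added clause repeats "uploaded" ("uploaded the jessie version ... into wheezy and uploaded [DLA-928-1]"), and an advisory is announced rather than uploaded. Something like "and released [DLA-928-1] with the results" reads better and avoids the repetition.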

fix syntax issue
diff --git a/blog/2017-04-29-free-software-activities-april-2017.mdwn b/blog/2017-04-29-free-software-activities-april-2017.mdwn
index f441b3f..dbff1e8 100644
--- a/blog/2017-04-29-free-software-activities-april-2017.mdwn
+++ b/blog/2017-04-29-free-software-activities-april-2017.mdwn
@@ -309,12 +309,12 @@ packaged:
 And so I went ahead and filed a ton more bugs for the packages I am
 using but that aren't in Debian just yet:
  
- * company-go: [[!debbug 861177]
- * elpy: [[!debbug 861174]
- * markdown-toc: [[!debbug 861128]
- * multiple-cursors: [[!debbug 861127]
- * writegood-mode: [[!debbug 861125]
- * writeroom-mode: [[!debbug 861124]
+ * company-go: [[!debbug 861177]]
+ * elpy: [[!debbug 861174]]
+ * markdown-toc: [[!debbug 861128]]
+ * multiple-cursors: [[!debbug 861127]]
+ * writegood-mode: [[!debbug 861125]]
+ * writeroom-mode: [[!debbug 861124]]
 
 Of those, I can't recommend [multiple-cursors][] (MC) enough: I used
 it at least 4 times just writing this text. It's just awesome. The

creating tag page tag/xmonad
diff --git a/tag/xmonad.mdwn b/tag/xmonad.mdwn
new file mode 100644
index 0000000..4e973f3
--- /dev/null
+++ b/tag/xmonad.mdwn
@@ -0,0 +1,4 @@
+[[!meta title="pages tagged xmonad"]]
+
+[[!inline pages="tagged(xmonad)" actions="no" archive="yes"
+feedshow=10]]

monthly report
diff --git a/blog/2017-04-29-free-software-activities-april-2017.mdwn b/blog/2017-04-29-free-software-activities-april-2017.mdwn
new file mode 100644
index 0000000..f441b3f
--- /dev/null
+++ b/blog/2017-04-29-free-software-activities-april-2017.mdwn
@@ -0,0 +1,417 @@
+[[!meta title="My free software activities, April 2017"]]
+
+[[!toc levels=2]]
+
+Debian Long Term Support (LTS)
+==============================
+
+This is my monthly [Debian LTS][] report. My time this month was spent
+working on various hairy security issues, most notably XBMC (now known
+as Kodi) and yaml-cpp.
+
+[Debian LTS]: https://www.freexian.com/services/debian-lts.html
+
+Kodi directory transversal
+--------------------------
+
+I started by looking in [[!debcve CVE-2017-5982]], a "directory
+traversal" vulnerability in XBMC (now known as [Kodi][]) which is a
+technical term for "allow attackers to read any world-readable file on
+your computer from the network". It's a serious vulnerability which
+has no known fix. When you enable the "remote control" interface in
+Kodi, it allows anyone with the password (which is disabled by
+default) to download *any* files Kodi has read access to on the
+machine it's running. Considering Kodi is often connected to multiple
+services, this may mean elevated compromise and more nasty stuff.
+
+[Kodi]: https://kodi.tv/
+
+I furthered the investigation done with my [own analysis][] which
+showed the problem is difficult to solve: Kodi internally uses the
+facility to show thumbnails and media to the user, and there are no
+clear way of restricting which paths Kodi should have acess
+to. Indeed, Kodi is designed to access mounted filesystems and paths
+in arbitrary locations. In [[!debbug 855225]], I further confirmed
+confirmed wheezy and jessie-backports as vulnerable and therefore
+showed with good certainty that stretch and sid are vulnerable as
+well. I also suggested possible workaround, but at this point, it's in
+upstream's hands, as the changes will be intrusive. The file transfer
+mechanism need to be revamped all over Kodi, or authentication (with a
+proper password policy), need to be enforced.
+
+[own analysis]: https://lists.debian.org/87zif33oxf.fsf@curie.anarc.at
+
+Squirrelmail
+------------
+
+Next I looked at that old webmail software, [Squirrelmail][], which
+suffers from a remote code execution vulnerability ([[!debcve
+CVE-2017-7692]]) when sending mails with [[!debpkg sendmail]] on the
+commandline. This is arguably an edge case, but considering the patch
+was simple, I figured I would provide an update to the LTS
+community. I tried to get a coordinated release for jessie, since the
+code is the same, but this wasn't completed at the time of writing. A
+[patch is available][] and will hopefully be picked up by another LTS
+worker soon.
+
+[patch is available]: https://lists.debian.org/87h917xfg3.fsf@curie.anarc.at
+[Squirrelmail]: http://squirrelmail.org/
+
+Fop and Batik
+-------------
+
+Those issues ([[!debcve CVE-2017-5661]] and [[!debcve CVE-2017-5662]])
+were more difficult. The patches weren't clearly documented and there
+were no upstream references other than security advisories for the
+first release in years (in the case of batik) or months (in the case
+of fop), which made it hard to track down the issues. Fortunately, I
+was able to track down the upstream issues ([FOP-2668][]
+and [BATIK-1139][]) where I got confirmation on what the proper fixes
+were. I could then release [DLA-927-1][] and [DLA-926-1][] with the
+backported patches.
+
+I do not use fop or batik. In fact, even after reading the homepage of
+both products, I couldn't quite figure out what use people could
+possibly have for that thing. Before uploading the packages, I
+therefore made packages available for testing for [fop][fop-testing]
+and [batik][batik-testing].
+
+[batik-testing]: https://lists.debian.org/87d1bz2fpk.fsf@curie.anarc.at
+[fop-testing]: https://lists.debian.org/87shkv0xj1.fsf@curie.anarc.at
+[DLA-927-1]: https://lists.debian.org/debian-lts-announce/2017/04/msg00046.html
+[DLA-926-1]: https://lists.debian.org/debian-lts-announce/2017/04/msg00044.html
+[FOP-2668]: https://issues.apache.org/jira/browse/FOP-2668
+[BATIK-1139]: https://issues.apache.org/jira/browse/BATIK-1139
+
+libsndfile
+----------
+
+Next up was [[!debcve libsndfile]] which a bunch of overflows when
+parsing various audio files. I backported a patch for [[!debcve
+CVE-2017-7585]] [[!debcve CVE-2017-7586]] and [[!debcve
+CVE-2017-7741]] which all seemed to be fixed by a single patch
+usptream. [[!debcve CVE-2017-7742]] was also fixed, although with a
+separate patch. In all of those, i could only test CVE-2017-7741 and
+CVE-2017-7742, as the others were missing test cases.
+
+I provided a [test package][] for a few days then I also figured it
+would be best to incorporate the security fixes done in stable, which
+brought in fixes for [[!debcve CVE-2015-7805]], [[!debcve
+CVE-2014-9756]] and [[!debcve CVE-2014-9496]]. So in the end, I ported
+patches from wheezy to jessie and uploaded the jessie version
+(reverting certain build changes) into wheezy.
+
+[test package]: https://lists.debian.org/87bmrk47kt.fsf@curie.anarc.at
+
+yaml-cpp
+--------
+
+I then turned to [[!debpkg yaml-cpp]], a C++ parser for YAML. This one
+didn't have a known upstream fix, but I figured I would give it a shot
+anyways. I ended up writing my [first C++ code in years][] which is
+still pending review and merge upstream. It's not an easy problem to
+fix: this is basically an excessive recursion problem that can be used
+to smash the stack. I figured I could introduce a recursion limit, but
+as the discussion showed, this is a limited approach: stack size
+varies on different platforms and it's not easy to find the right
+limit.
+
+[first C++ code in years]: https://github.com/jbeder/yaml-cpp/pull/489
+
+The real solution is to rewrite the code to avoid recursion but that's
+a major code refactoring I didn't feel belong in a LTS
+update. Besides, this could be better handled by upstream, so I will
+leave things at that for now. It does make you wonder how much code
+out there is recursing on untrusted data structures... 
+
+kedpm
+-----
+
+Finally, a friend over at [Koumbit.org](https://koumbit.org) reported
+[[!debbug 860817]], as information leak in kedpm, a password manager I
+previously maintained. I requested and got assigned [[!debcve
+CVE-2017-8296]] and provided a fix for wheezy and jessie. For unstable
+and the coming stretch release, I have requested kedpm to be
+completely removed from Debian ([[!debbug 860817]]) which involved a
+release notes update ([[!debbug 861277]]).
+
+It's unfortunate to see software go, but kedpm wasn't maintained. I
+wasn't the original author: I just gave a few patches and ended up
+maintaining that software and not using it. It's a bad situation to be
+in, as you don't really know what's working and not with the tools you
+are supposed to be responsible for. There are more modern alternatives
+available now and I encourage everyone to switch.
+
+Triage
+------
+
+Looking for more work, I peeked a bit in the secretary tasks to triage
+some pending issues. I found that [[!debpkg trafficserver]] could be
+crashed with simple requests ([[!debcve CVE-2017-5659]]) so I looked
+into that issue. My [analysis shoed][] that the patch is long and
+complex and could be difficult to backport to the old version
+available in wheezy. I also couldn't reproduce the issue in wheezy, so
+it may be a bug introduced only later, although I couldn't confirm
+that directly.
+
+[analysis shoed]: https://lists.debian.org/20170426162316.sraxe7bnagjt2rss@curie.anarc.at
+
+I also triaged [[!debcve wireshark]], where I just noted the
+maintainer expressed concern that we were taking up issues too fast
+and will probably take care of this one. I also postponed various
+issues in GnuTLS (marked "no-dsa") as they affect only a
+(unfortunately) rarely used part of GnuTLS that has been removed in
+later version: OpenPGP support.
+
+Other free software work
+========================
+
+Debiman
+-------
+
+I finally got around contributing to the [debiman][] project. I worked
+on ensuring that there is a [dman compatibility][] in debiman, by
+shipping dman in the [[!debpkg debian-goodies]] package ([[!debbug
+860920]]). I also submitted a pull request to fix
+the [fix about page title][], document
+the [custom assets repository][], [fix a stray bracket][] and link to
+the link to venerable [man7.org project][]
+
+[man7.org project]: https://github.com/Debian/debiman/issues/74
+[fix a stray bracket]: https://github.com/Debian/debiman/issues/73
+[custom assets repository]: https://github.com/Debian/debiman/issues/76
+[fix about page title]: https://github.com/Debian/debiman/pull/77
+[dman compatibility]: https://github.com/Debian/debiman/issues/57
+[debiman]: https://github.com/Debian/debiman/
+
+After a discussion on IRC, I also filed a few more issues:
+
+ * [redirect bpf to bpf.2, not bpf.4freebsd](https://github.com/Debian/debiman/issues/68)
+ * [redirect to unstable by default](https://github.com/Debian/debiman/issues/69)
+ * [arrows missing in table of contents](https://github.com/Debian/debiman/issues/71)
+ * [automatically collapse long links](https://github.com/Debian/debiman/issues/72)
+ * [old ?query= parameter ignored/failing](https://github.com/Debian/debiman/issues/78)
+
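Review bot: In the kedpm section, `[[!debbug 860817]]` is cited both for the reported information leak and for the removal request, so one of the two references likely carries the wrong bug number. In the Kodi section the heading says "transversal" while the body says "traversal", and "anyone with the password (which is disabled by default)" reads ambiguously; if it means no password is required by default, say so directly. Smaller leftovers: "usptream", "i could only test", "which a bunch of overflows" (missing verb), "fix the [fix about page title]" and "link to the link to".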

(Diff truncated)
add forgotten tags
diff --git a/blog/2017-04-29-netdev-fast-path.mdwn b/blog/2017-04-29-netdev-fast-path.mdwn
index c747a31..aceb407 100644
--- a/blog/2017-04-29-netdev-fast-path.mdwn
+++ b/blog/2017-04-29-netdev-fast-path.mdwn
@@ -297,3 +297,5 @@ systems into the Linux kernel.
 
 [first appeared]: https://lwn.net/Articles/719850
 [Linux Weekly News]: http://lwn.net/
+
+[[!tag debian-planet linux kernel netdev conference lwn geek coverage]]
diff --git a/blog/2017-04-29-netdev-rise-linux-networking-hw.mdwn b/blog/2017-04-29-netdev-rise-linux-networking-hw.mdwn
index 87171ac..cd0edf7 100644
--- a/blog/2017-04-29-netdev-rise-linux-networking-hw.mdwn
+++ b/blog/2017-04-29-netdev-rise-linux-networking-hw.mdwn
@@ -260,3 +260,5 @@ dominance in general-purpose computing.
 
 [first appeared]: https://lwn.net/Articles/720313/
 [Linux Weekly News]: http://lwn.net/
+
+[[!tag debian-planet linux kernel netdev conference lwn geek coverage]]

publish articles from netdev 2.2
commit 2030c969ac4745b3bef48a1136423df62e6a3334
Author: Antoine Beaupré <anarcat@debian.org>
Date: Tue Apr 18 21:02:39 2017 -0400
fix typo
commit e5ccc39e4939c66ee029f7d10965da9582ad9388
Author: Antoine Beaupré <anarcat@debian.org>
Date: Tue Apr 18 21:02:12 2017 -0400
import latest reviews from jake
commit 44463eb4ff629e35432656017d690288d6638c0f
Author: Antoine Beaupré <anarcat@debian.org>
Date: Tue Apr 18 15:51:23 2017 -0400
rephrase the standard bit, it was confusing + wording
commit fe152a835ca9b608e1107866d351523a9f2142f6
Author: Antoine Beaupré <anarcat@debian.org>
Date: Tue Apr 18 15:41:09 2017 -0400
first review from jake
commit 1fccc8245ad95b1930fb3e8c3c5891d04e6eaab3
Author: Antoine Beaupré <anarcat@debian.org>
Date: Tue Apr 18 11:27:18 2017 -0400
import final fast-path version from LWN
commit 14b99b6a907894b71920748ee2d3a5de98450843
Author: Antoine Beaupré <anarcat@debian.org>
Date: Tue Apr 18 11:21:17 2017 -0400
yet another review, expand conclusion and more
commit fabc6842c1df4ce2242ecb9d3fda2d58b1f64568
Author: Antoine Beaupré <anarcat@debian.org>
Date: Tue Apr 18 08:52:34 2017 -0400
get real quotes from cumulus
commit a21eaa65233fedb311b11dd751d4444feee7b0cb
Author: Antoine Beaupré <anarcat@debian.org>
Date: Sun Apr 16 19:32:15 2017 -0400
one last review before sending to LWN
commit 44e53d7c6741c5c4d249239936da662e9b9fbae5
Author: Antoine Beaupré <anarcat@debian.org>
Date: Sun Apr 16 19:10:07 2017 -0400
changes after andrews review
commit 3502ac691dec198068218f185fab3481bed3e77a
Author: Antoine Beaupré <anarcat@debian.org>
Date: Thu Apr 13 20:02:59 2017 -0400
finish a first draft for linux-networking article
commit adfcba008883adaf2aeea2957da6780b14c33373
Author: Antoine Beaupré <anarcat@debian.org>
Date: Thu Apr 13 11:28:50 2017 -0400
fastpath article review from jake
commit 7a858d56cba10f3f389edda9ee3e1d6023e3bae4
Author: Antoine Beaupré <anarcat@debian.org>
Date: Thu Apr 13 10:03:50 2017 -0400
small errors i found in review
commit fc73342601c55ed9c3f8de1300a6d78b548a2f69
Author: Antoine Beaupré <anarcat@debian.org>
Date: Wed Apr 12 18:20:14 2017 -0400
fix typos spotted by lwn
commit f69e67d6ebd634f24187e18fc940565bc1b12576
Author: Antoine Beaupré <anarcat@debian.org>
Date: Wed Apr 12 18:18:22 2017 -0400
import new review from LWN
commit 9149b74f88813088af1f8e0c7cd8c9bf34babb1e
Author: Antoine Beaupré <anarcat@debian.org>
Date: Mon Apr 10 14:48:46 2017 -0400
one more send for fast-path
commit bef79b219e175638b69f8ce129faf6671b940e00
Author: Antoine Beaupré <anarcat@debian.org>
Date: Mon Apr 10 12:22:21 2017 -0400
full review, from jesper and myself
commit afafc6baca21892128ce39edb3d3e50269a2504a
Author: Antoine Beaupré <anarcat@debian.org>
Date: Sat Apr 8 14:13:56 2017 -0400
formatting
commit b28d9d0cdae962b65f0a5bbd45813a6c1997a24f
Author: Antoine Beaupré <anarcat@debian.org>
Date: Sat Apr 8 12:34:11 2017 -0400
reorder article and review
commit 91006892c2eac5580f56ab7265515e716c82b804
Author: Antoine Beaupré <anarcat@debian.org>
Date: Sat Apr 8 12:34:01 2017 -0400
graf review and conclusion
commit b997e02bfd320ebdf969ece5ef5ba559f13ace66
Author: Antoine Beaupré <anarcat@debian.org>
Date: Fri Apr 7 17:57:40 2017 -0400
4 more netdev drafts
commit ad1e548182a3e9cbb1c4d2af69e95067e66388ee
Author: Antoine Beaupré <anarcat@debian.org>
Date: Wed Apr 12 17:48:07 2017 -0400
final update from lwn
commit dd93499126ff6005198ab5004c4de915327386d4
Author: Antoine Beaupré <anarcat@debian.org>
Date: Tue Apr 11 13:24:52 2017 -0400
another lwn review
commit 5ce4246660feaab75d9acdf50d4908eb4858b46c
Author: Antoine Beaupré <anarcat@debian.org>
Date: Tue Apr 11 09:12:58 2017 -0400
sync netconf1/2 with LWN.net
commit ed2cc9fe04f5991a8921fd31e83c5becc7b43e32
Author: Antoine Beaupré <anarcat@debian.org>
Date: Mon Apr 10 15:57:02 2017 -0400
small tweaks on day1
commit 1f6398cb9813f68bea1d029a66b0a131fae63d2e
Author: Antoine Beaupré <anarcat@debian.org>
Date: Mon Apr 10 14:49:09 2017 -0400
edge review netconf1
commit 7740f10ebd27f01616a7c12454f99fe5402b98ba
Author: Antoine Beaupré <anarcat@debian.org>
Date: Mon Apr 10 10:26:01 2017 -0400
corbet review day 2
commit e2deaafc745628042c134998aecadfd8efe86ce4
Author: Antoine Beaupré <anarcat@debian.org>
Date: Mon Apr 10 09:43:01 2017 -0400
review from corbet
commit 5b50af5f57e667cd2bf76f2a6194cc0b83feaa0e
Author: Antoine Beaupré <anarcat@debian.org>
Date: Sat Apr 8 18:29:51 2017 -0400
short review from alexei
commit dac6ebe94d8a42e64e8969e7151f789ba3dfbb3f
Author: Antoine Beaupré <anarcat@debian.org>
Date: Sat Apr 8 17:07:33 2017 -0400
link to the new netlink patch
commit e6918945a2317294a0993e2f26b07ecde26f8fe5
Author: Antoine Beaupré <anarcat@debian.org>
Date: Sat Apr 8 14:20:50 2017 -0400
move notes to... well, notes
commit 6cf9ae23b961f2785bf7490a000b6eca71f324c8
Author: Antoine Beaupré <anarcat@debian.org>
Date: Sat Apr 8 12:19:21 2017 -0400
fix names in netconf2
commit 8a2aacfba38a9e22cfa19bd058f8583eec956b2b
Author: Antoine Beaupré <anarcat@debian.org>
Date: Sat Apr 8 12:09:48 2017 -0400
more name fixes
commit 3f058f456d9bd8bb97c15ac863632f69b90d2ee5
Author: Antoine Beaupré <anarcat@debian.org>
Date: Sat Apr 8 12:06:23 2017 -0400
add reviewers thanks
commit 074b969ce03e7e98a0ddb27733305a0d1f008506
Author: Antoine Beaupré <anarcat@debian.org>
Date: Sat Apr 8 12:06:12 2017 -0400
patch sent during netdev
commit 11a831e56648b7383e9a2bf968c27316dbe5dff7
Author: Antoine Beaupré <anarcat@debian.org>
Date: Sat Apr 8 12:05:49 2017 -0400
fix names in netconf1
commit c5248a7bc571c1d2e0a810629af9662d06ca1468
Author: Antoine Beaupré <anarcat@debian.org>
Date: Sat Apr 8 12:05:18 2017 -0400
hannes' corrections of VLAN0 issues
commit 257c31950c0a24f22d9407f1f3d71e3d4f6483d3
Author: Antoine Beaupré <anarcat@debian.org>
Date: Sat Apr 8 10:24:38 2017 -0400
small review from corbet
commit 1dbc5e83a2cb82bd61544f21882528630ee38b42
Author: Antoine Beaupré <anarcat@debian.org>
Date: Fri Apr 7 21:10:38 2017 -0400
small clarification
commit 243f16cc1d0c0a5c58c68de9288aa9fc4460ad50
Author: Antoine Beaupré <anarcat@debian.org>
Date: Fri Apr 7 14:36:02 2017 -0400
fix some names, add conclusion, and details on if flags
commit 4eb7d0cde9c9aae0dbf553d35462e93cb23292ea
Author: Antoine Beaupré <anarcat@debian.org>
Date: Fri Apr 7 12:33:17 2017 -0400
final draft sent to lwn
commit 3b67c5de2f21630e74263eda4509af1414f09693
Author: Antoine Beaupré <anarcat@debian.org>
Date: Fri Apr 7 11:37:38 2017 -0400
review from corbet
commit 49def9cc3b84e58ce315297e48e0bf3ac13a2b5e
Author: Antoine Beaupré <anarcat@debian.org>
Date: Fri Apr 7 11:30:26 2017 -0400
review from jaml
commit 029243389b3327dc9745ce3e189b823a7f93a665
Author: Antoine Beaupré <anarcat@debian.org>
Date: Thu Apr 6 18:43:02 2017 -0400
finish second draft
commit 40413df121c82e182dd6f7c17c54dce97a1e5f8b
Author: Antoine Beaupré <anarcat@debian.org>
Date: Wed Apr 5 17:57:32 2017 -0400
complete first day draft
commit 557d89648d4b93da089fe829c49fbd3327d0cbed
Author: Antoine Beaupré <anarcat@debian.org>
Date: Wed Apr 5 16:17:50 2017 -0400
first plan for netconf article plus incomplete day1 draft
diff --git a/blog/2017-04-29-netdev-fast-path.mdwn b/blog/2017-04-29-netdev-fast-path.mdwn
new file mode 100644
index 0000000..c747a31
--- /dev/null
+++ b/blog/2017-04-29-netdev-fast-path.mdwn
@@ -0,0 +1,299 @@
+[[!meta title="New approaches to network fast paths"]]
+[[!meta date="2017-04-13T12:00:00-0500"]]
+[[!meta updated="2017-04-39T13:35:53-0500"]]
+
+With the speed of network hardware now reaching 100 Gbps and distributed
+denial-of-service (DDoS) attacks going in the [Tbps
+range](https://en.wikipedia.org/wiki/2016_Dyn_cyberattack), Linux kernel
+developers are scrambling to optimize key network paths in the kernel to
+keep up. Many efforts are actually geared toward getting traffic *out*
+of the costly Linux TCP stack. We have already
+[covered](https://lwn.net/Articles/708087/) the XDP (eXpress Data Path)
+patch set, but two new ideas surfaced during the Netconf and Netdev
+conferences held in Toronto and Montreal in early April 2017. One is a
+patch set called af\_packet, which aims at extracting raw packets from
+the kernel as fast as possible; the other is the idea of implementing
+in-kernel layer-7 proxying. There are also user-space network stacks
+like [Netmap](http://info.iet.unipi.it/%7Eluigi/netmap/),
+[DPDK](http://dpdk.org/), or Snabb (which we [previously
+covered](https://lwn.net/Articles/713918/)).
+
+This article aims at clarifying what all those components do and to
+provide a short status update for the tools we have already covered. We
+will focus on in-kernel solutions for now. Indeed, user-space tools have
+a fundamental limitation: if they need to re-inject packets onto the
+network, they must again pay the expensive cost of crossing the kernel
+barrier. User-space performance is effectively bounded by that
+fundamental design. So we'll focus on kernel solutions here. We will
+start from the lowest part of the stack, the af\_packet patch set, and
+work our way up the stack all the way up to layer-7 and in-kernel
+proxying.
+
+[[!toc startlevel=2]]
+
+## af\_packet v4
+
+John Fastabend presented a new version of a patch set that was first
+[published in
+January](http://marc.info/?l=linux-netdev&m=148555290811249&w=2)
+regarding the af\_packet protocol family, which is currently used by
+`tcpdump` to extract packets from network interfaces. The goal of this
+change is to allow zero-copy transfers between user-space applications
+and the NIC (network interface card) transmit and receive ring buffers.
+Such optimizations are useful for telecommunications companies, which
+may use it for [deep packet
+inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection) or
+running exotic protocols in user space. Another use case is running a
+high-performance [intrusion detection
+system](https://en.wikipedia.org/wiki/Intrusion_detection_system) that
+needs to watch large traffic streams in realtime to catch certain types
+of attacks.
+
+Fastabend presented his work during the Netdev network-performance
+workshop, but also brought the patch set up for discussion during
+Netconf. There, he said he could achieve line-rate extraction (and
+injection) of packets, with packet rates as high as 30Mpps. This
+performance gain is possible because user-space pages are directly
+DMA-mapped to the NIC, which is also a security concern. The other
+downside of this approach is that a complete pair of ring buffers needs
+to be dedicated for this purpose; whereas before packets were copied to
+user space, now they are memory-mapped, so the user-space side needs to
+process those packets quickly otherwise they are simply dropped.
+Furthermore, it's an "all or nothing" approach; while NIC-level
+classifiers could be used to steer part of the traffic to a specific
+queue, once traffic hits that queue, it is only accessible through the
+af\_packet interface and not the rest of the regular stack. If done
+correctly, however, this could actually improve the way user-space
+stacks access those packets, providing projects like DPDK a safer way to
+share pages with the NIC, because it is well defined and
+kernel-controlled. According to Jesper Dangaard Brouer (during review of
+this article):
+
+> This proposal will be a safer way to share raw packet data between
+> user space and kernel space than what DPDK is doing, \[by providing\]
+> a cleaner separation as we keep driver code in the kernel where it
+> belongs.
+
+During the Netdev network-performance workshop, Fastabend asked if there
+was a better data structure to use for such a purpose. The goal here is
+to provide a consistent interface to user space regardless of the driver
+or hardware used to extract packets from the wire. af\_packet currently
+defines its own packet format that abstracts away the NIC-specific
+details, but there are other possible formats. For example, someone in
+the audience proposed the virtio packet format. Alexei Starovoitov
+rejected this idea because af\_packet is a kernel-specific facility
+while virtio has [its own separate specification](https://lwn.net/Articles/580186/)
+with its own requirements.
+
+The next step for af\_packet is the posting of the new "v4" patch set,
+although Miller warned that this wouldn't get merged until proper XDP
+support lands in the Intel drivers. The concern, of course, is that the
+kernel would have multiple incomplete bypass solutions available at
+once. Hopefully, Fastabend will present the (by then) merged patch set
+at the next Netdev conference in November.
+
+## XDP updates
+
+Higher up in the networking stack sits XDP. The af\_packet feature
+differs from XDP in that it does not perform any sort of analysis or
+mangling of packets; its objective is purely to get the data into and
+out of the kernel as fast as possible, completely bypassing the regular
+kernel networking stack. XDP also sits before the networking stack
+except that, according to Brouer, it is "*focused on cooperating with
+the existing network stack infrastructure, and on use-cases where the
+packet doesn't necessarily need to leave kernel space (like routing and
+bridging, or skipping complex code-paths).*"
+
+XDP has evolved quite a bit since we last covered it in LWN. It seems
+that most of the controversy surrounding the introduction of XDP in the
+Linux kernel has died down in public discussions, under the leadership
+of David Miller, who heralded XDP as the right solution for a long-term
+architecture in the kernel. He presented XDP as a fast, flexible, and
+safe solution.
+
+Indeed, one of the controversies surrounding XDP was the question of the
+inherent security challenges with introducing user-provided programs
+directly into the Linux kernel to mangle packets at such a low level.
+Miller argued that whatever protections are expected for user-space
+programs also apply to XDP programs, comparing the virtual memory
+protections to the eBPF (extended BPF) verifier applied to XDP programs.
+Those programs are actually eBPF that have an interesting set of
+restrictions:
+
+-   they have a limited size
+-   they cannot jump backward (and thus cannot loop), so they execute in
+    predictable time
+-   they do only static allocation, so they are also limited in memory
+
+XDP is not a one-size-fits-all solution: netfilter, the TC traffic
+shaper, and other normal Linux utilities still have their place. There
+is, however, a clear use case for a solution like XDP in the kernel.
+
+For example, Facebook and Cloudflare have both started testing XDP and,
+in Facebook's case, deploying XDP in production. Martin Kafai Lau, from
+Facebook, presented the tool set the company is using to construct a
+DDoS-resilience solution and a level-4 load balancer (L4LB), which got a
+ten-times performance improvement over the previous
+[IPVS](http://www.linuxvirtualserver.org/software/ipvs.html)-based
+solution. Facebook rolled out its own user-space solution called
+"Droplet" to detect hostile traffic and deploy blocking rules in the
+form of eBPF programs loaded in XDP. Lau demonstrated the way Facebook
+deploys a three-part chained eBPF program: the first part allows
+debugging and dumping of packets, the second is Droplet itself, which
+drops undesirable traffic, and the last segment is the load balancer,
+which mangles the packets to tweak their destination according to
+internal rules. Droplet can drop DDoS attacks at line rate while keeping
+the architecture flexible, which were two key design requirements.
+
+Gilberto Bertin, from Cloudflare, presented a similar approach:
+Cloudflare has a tool that processes
+[sFlow](https://en.wikipedia.org/wiki/SFlow) data generated from
+`iptables` in order to generate cBPF (classic BPF) mitigation rules that
+are then deployed on edge routers. Those rules are created with a tool
+called `bpfgen`, part of Cloudflare's BSD-licensed
+[bpftools](https://github.com/cloudflare/bpftools) suite. For example,
+it could create a cBPF bytecode blob that would match DNS queries to any
+`example.com` domain with something like:
+
+        bpfgen dns *.example.com
+
+Originally, Cloudflare would deploy those rules to plain `iptables`
+firewalls with the `xt_bpf` module, but this led to performance issues.
+It then deployed a proprietary user-space solution based on
+[Solarflare](http://www.solarflare.com/) hardware, but this has the
+performance limitations of user-space applications — getting packets
+back onto the wire involves the cost of re-injecting packets back into
+the kernel. This is why Cloudflare is experimenting with XDP, which was
+partly developed in response to the company's problems, to deploy those
+BPF programs.
+
+A concern that Bertin identified was the lack of visibility into dropped
+packets. Cloudflare currently samples some of the dropped traffic to
+analyze attacks; this is not currently possible with XDP unless you pass
+the packets down the stack, which is expensive. Miller agreed that the
+lack of monitoring for XDP programs is a large issue that needs to be
+resolved, and suggested creating a way to mark packets for extraction to
+allow analysis. Cloudflare is currently in a testing phase with XDP and
+it is unclear if its whole XDP tool chain will be publicly available.
+
+While those two companies are starting to use XDP as-is, there is more
+work needed to complete the XDP project. As mentioned above and in our
+[previous coverage](https://lwn.net/Articles/719388/#stats), massive statistics
+extraction is still limited in the Linux kernel and [introspection is
+difficult](https://lwn.net/Articles/719393/#progid). Furthermore, while the existing
+actions (`XDP_DROP` and `XDP_TX`, see the
+[documentation](http://prototype-kernel.readthedocs.io/en/latest/networking/XDP/implementation/xdp_actions.html)
+for more information) are well implemented and used, another action may
+be introduced, called `XDP_REDIRECT`, which would allow redirecting
+packets to different network interfaces. Such an action could also be
+used to accelerate bridges as packets could be "switched" based on the
+MAC address table. XDP also requires network driver support, which is
+currently limited. For example, the Intel drivers still do not support
+XDP, although that should come pretty soon.
+
+Miller, in his Netdev keynote, focused on XDP and presented it as the
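Review bot: in the `bpfgen dns *.example.com` example, the pattern is unquoted, so a shell will attempt pathname expansion on `*.example.com` before `bpfgen` sees it, and the argument changes if a matching file exists in the working directory. Quote it as `'*.example.com'`. Separately, "Those programs are actually eBPF that have an interesting set of restrictions" reads as if a noun is missing after "eBPF" (for example "eBPF programs").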

(Diff truncated)
add a bunch of emacs plugins and other tools
debian-goodies is for dman!
diff --git a/software/mytasks.desc b/software/mytasks.desc
index 15eef07..fd19099 100644
--- a/software/mytasks.desc
+++ b/software/mytasks.desc
@@ -31,7 +31,12 @@ Packages: list
  devscripts
  dia
  dpkg-dev-el
+ elpa-anzu
+ elpa-company
+ elpa-ledger
  elpa-markdown-mode
+ elpa-use-package
+ elpa-yasnippet
  emacs
  emacs-goodies-el
  emacs25
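Review bot: `elpa-ledger` is added here while `ledger-el` is still present further down the same package list (it shows as context in the hunk at line 132), so the task may now pull two packagings of the same Emacs mode. If the ELPA package is meant to replace the older one, drop `ledger-el` in the same commit. The commit message could also say which of the `elpa-*` additions depend on `elpa-use-package`.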
@@ -75,6 +80,7 @@ Packages: list
  pv
  python
  python3
+ python-autopep8
  python-jedi
  python-pytest
  python-setuptools-scm
@@ -94,6 +100,8 @@ Packages: list
  qemu
  qemu-kvm
  quilt
+ sbuild
+ shellcheck
  sqlitebrowser
  subversion
  time
@@ -132,6 +140,7 @@ Packages: list
  ledger-el
  less
  libnotify-bin
+ libu2f-host0
  localepurge
  locales
  mlocate
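Review bot: `libu2f-host0` is a shared-library package whose name carries the soname, so this entry will stop resolving when the library's ABI version changes. Listing the tool that needs it (this commit also adds `yubikey-personalization`) and letting dependencies pull in the library would be more durable. If the library is wanted on its own, a short comment in the commit message explaining why would help.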
@@ -177,6 +186,7 @@ Packages: list
  verbiste
  verbiste-gnome
  workrave
+ wotsap
  xkbset
  xprintidle
  xkcdpass
@@ -190,6 +200,7 @@ Packages: list
  xscreensaver
  xterm
  xul-ext-zotero
+ yubikey-personalization
  zotero-standalone
 
 Task: anarcat-author
@@ -218,6 +229,7 @@ Packages: list
  bup
  ccze
  curl
+ debian-goodies
  dnsutils
  etckeeper
  gparted
@@ -240,6 +252,7 @@ Packages: list
  powertop
  pv
  pwgen
+ reptyr
  restic
  rsync
  sdparm
@@ -313,6 +326,7 @@ Packages: list
  fldigi
  gnuradio
  gpredict
+ gqrx-sdr
  grig
  ibp
  multimon

add another free laptop
diff --git a/hardware/laptop.mdwn b/hardware/laptop.mdwn
index c847bf5..568a47e 100644
--- a/hardware/laptop.mdwn
+++ b/hardware/laptop.mdwn
@@ -44,6 +44,21 @@ based on the allwinner chipset.
 
 Backordered, of course (2017-02-02). See also the [announcement](https://olimex.wordpress.com/2017/02/01/teres-i-do-it-yourself-open-source-hardware-and-software-hackers-friendly-laptop-is-complete/).
 
+Pine64
+------
+
+https://www.pine64.org/?page_id=3707
+
+ * Quad-core ARM Cortex A53 1.2Ghz
+ * 2GB RAM
+ * 16GB flash storage
+ * Wifi bgn, BLE 4.0
+ * USB: 2
+ * MicroSD
+ * Mini-HDMI
+ * LCD 11.6"
+ * 1.04Kg
+
 x201
 ----
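Review bot: the new Pine64 section gives its source as a bare `https://www.pine64.org/?page_id=3707` line, while the context just above uses an inline `[announcement](...)` link; use the same link form (or `<...>`) so it renders as a link everywhere. The units should read `1.2GHz` and `1.04kg`, and unlike the entry above, this one has no date or availability note.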
 

and sbuild aliases
diff --git a/software/debian-development.mdwn b/software/debian-development.mdwn
index f5d5a31..1bcd5ea 100644
--- a/software/debian-development.mdwn
+++ b/software/debian-development.mdwn
@@ -506,6 +506,14 @@ A few handy sbuild-related commands:
 
  * `sbuild-shell wheezy` - enter the `wheezy` chroot to make
    *permanent* changes, which will *not* be discarded
+
+Also note that it is useful to add aliases to your `schroot`
+configuration files. This allows you, for example, to automatically
+build `wheezy-security` or `wheezy-backports` packages in the `wheezy`
+schroot. Just add this line to the relevant config in
+`/etc/schroot/chroot.d/`:
+
+    aliases=wheezy-security-amd64-sbuild,wheezy-backports-amd64-build
 """]]
 
 [[!note """
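Review bot: the second alias in the added `aliases=` line ends in `-amd64-build` while the first ends in `-amd64-sbuild`, which looks like a typo; with that name, a `wheezy-backports` build would not find the alias. It should presumably read `wheezy-backports-amd64-sbuild`. The text could also name the key's section, since `/etc/schroot/chroot.d/` files can hold several chroot definitions.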

some tricks with sbuild
diff --git a/software/debian-development.mdwn b/software/debian-development.mdwn
index 9a0e13b..f5d5a31 100644
--- a/software/debian-development.mdwn
+++ b/software/debian-development.mdwn
@@ -494,6 +494,20 @@ you often need `-sa` to provide the source tarball with the upload),
 you should use `--debbuildopts -sa` in `sbuild`. For git-buildpackage,
 simply add `-sa` to the commandline.
 
+[[!tip """
+A few handy sbuild-related commands:
+
+ * `sbuild -d wheezy` - build in the `wheezy` chroot even though
+   another suite is specified (e.g. `wheezy-backports` or
+   `wheezy-security`)
+
+ * `schroot -c wheezy-amd64-sbuild` - enter the `wheezy` chroot to make
+   tests, changes will be discarded
+
+ * `sbuild-shell wheezy` - enter the `wheezy` chroot to make
+   *permanent* changes, which will *not* be discarded
+"""]]
+
 [[!note """
 I was previously using `pbuilder` and switched in 2017 to `sbuild`. [AskUbuntu.com has a good comparative between pbuilder and sbuild][]
 that shows they are pretty similar. The big advantage of sbuild is
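Review bot: the `schroot -c wheezy-amd64-sbuild` bullet states that changes will be discarded, but that holds only when the chroot is defined with a union overlay or as a snapshot type; for a plain directory chroot the same command modifies the chroot in place. State which setup the tip assumes, so that the contrast with `sbuild-shell` (permanent changes) stays accurate for readers with a different configuration.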

note the entropy article was translated to japanese (!)
diff --git a/blog/2017-02-18-passwords-entropy.mdwn b/blog/2017-02-18-passwords-entropy.mdwn
index a329696..f735853 100644
--- a/blog/2017-02-18-passwords-entropy.mdwn
+++ b/blog/2017-02-18-passwords-entropy.mdwn
@@ -4,6 +4,9 @@
 
 [[!toc startlevel=2]]
 
+> Note: this article was translated
+> in [Japanese](http://postd.cc/passwords-entropy/).
+
 Passwords are used everywhere in our modern life. Between your email
 account and your bank card, a lot of critical security infrastructure
 relies on "something you know", a password. Yet there is little standard
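Review bot: in the added note, "translated in [Japanese]" should read "translated into [Japanese]". The link target is plain `http://`; if the site serves HTTPS, prefer that.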

fix publication order
diff --git a/blog/2017-04-12-netconf2.mdwn b/blog/2017-04-12-netconf2.mdwn
index e13aab2..b0886aa 100644
--- a/blog/2017-04-12-netconf2.mdwn
+++ b/blog/2017-04-12-netconf2.mdwn
@@ -1,6 +1,6 @@
 [[!meta title="A report from Netconf: Day 2"]]
 [[!meta date="2017-04-11T12:00:00-0500"]]
-[[!meta updated="2017-04-21T16:42:20-0400"]]
+[[!meta updated="2017-04-21T16:55:38-0400"]]
 
 This article covers the second day of the informal Netconf discussions,
 held on on April 4, 2017. Topics discussed this day included the binding
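Review bot: the ordering problem this commit addresses comes from the `date` line, not `updated`: the file is named `2017-04-12-netconf2` but its `[[!meta date=...]]` is `2017-04-11T12:00:00-0500`, the same timestamp the Day 1 article was first committed with. Bumping `updated` by a few minutes only works for listings sorted on modification time and has to be redone after every edit; setting `date` to 2017-04-12 fixes the order for good. While here, the context line "held on on April 4" has a doubled "on".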

fix tocs again again
diff --git a/blog/2017-04-11-netconf1.mdwn b/blog/2017-04-11-netconf1.mdwn
index 095b379..9de4f4f 100644
--- a/blog/2017-04-11-netconf1.mdwn
+++ b/blog/2017-04-11-netconf1.mdwn
@@ -20,9 +20,9 @@ frequent (indeed, encouraged) and the focus is on hashing out issues
 that are blocked on the mailing list and getting suggestions, ideas,
 solutions, and feedback from their peers.
 
-[[!toc]]
+[[!toc levels=2 startlevel=2]]
 
-#### Removing ndo_select_queue()
+## Removing ndo_select_queue()
 
 One of the first discussions that elicited a significant debate was the
 `ndo_select_queue()` function, a key component of the Linux polling
@@ -54,7 +54,7 @@ moving away from a generic `ndo_select_queue()` interface to
 stack-specific or even driver-specific (in the case of Intel) queue
 management interfaces.
 
-#### refcount\_t followup
+## refcount\_t followup
 
 There was a followup discussion on the integration of the `refcount_t`
 type into the network stack, which we [covered
@@ -103,7 +103,7 @@ performance cost. Yet it was clear in the discussions that the team
 cares about security issues and wants those issues to be fixed; the
 impact of some of the solutions is just too big.
 
-#### Lightweight wireless management packet access
+## Lightweight wireless management packet access
 
 Berg explained that some users need to have high-performance access to
 certain management frames in the wireless stack and wondered how to best
@@ -123,7 +123,7 @@ get the statistics they need. This will require an extra hook in the
 wireless stack, but it seems like this is the way that will be taken to
 implement this feature.
 
-#### VLAN 0 inconsistencies
+## VLAN 0 inconsistencies
 
 Hannes Frederic Sowa brought up the seemingly innocuous question of "how
 do we handle
@@ -138,7 +138,7 @@ there was a change here and this was originally working but is now
 broken. Sowa therefore got the go-ahead to fix this to make the behavior
 consistent again.
 
-#### Loopy fun
+## Loopy fun
 
 Then it came the turn of Jamal Hadi Salim, the maintainer of the
 kernel's [traffic-control (tc) subsystem](http://lartc.org/). The first
@@ -184,7 +184,7 @@ fields, there is no way to fix the general case here, and this
 constitutes a security issue. So either the bits need to be brought
 back, or we need to live with the inherent DoS threat.
 
-#### Dumping large statistics sets
+## Dumping large statistics sets
 
 Another issue Salim brought up was the question of how to export large
 statistics sets from the kernel. It turns out that some use cases may
diff --git a/blog/2017-04-12-netconf2.mdwn b/blog/2017-04-12-netconf2.mdwn
index cfda959..e13aab2 100644
--- a/blog/2017-04-12-netconf2.mdwn
+++ b/blog/2017-04-12-netconf2.mdwn
@@ -9,9 +9,9 @@ between IPv4 and IPv6, changes to data-center hardware, and more. (See
 [this article](https://lwn.net/Articles/719388/) for coverage from the first day of
 discussions).
 
-[[!toc]]
+[[!toc levels=2 startlevel=2]]
 
-#### How to bind to specific sockets in VRF
+## How to bind to specific sockets in VRF
 
 One of the first presentations was from David Ahern of Cumulus, who
 presented a few interesting questions for the audience. His first was
@@ -67,7 +67,7 @@ for every address. It seems the consensus evolved towards using,
 users. It is currently limited to UDP and RAW sockets, but it could be
 extended for TCP.
 
-#### XDP and eBPF program identification
+## XDP and eBPF program identification
 
 Ahern then turned to the problem of extracting BPF programs from the
 kernel. He gave the example of a simple cBPF (classic BPF) filter that
@@ -114,7 +114,7 @@ still uncertain that it will be possible to extract an exact copy that
 could then be recompiled into the same program. Starovoitov added that
 he needed this in production to do proper reporting.
 
-#### IPv4/IPv6 equivalency
+## IPv4/IPv6 equivalency
 
 The last issue — or set of issues — that Ahern brought up was the
 question of inconsistencies between IPv4 and IPv6. It turns out that,
@@ -160,7 +160,7 @@ data structures could be merged. What is more likely is that the code
 path could be merged and simplified, while keeping the data structures
 separate.
 
-#### Modules options substitutions
+## Modules options substitutions
 
 The next issue that was raised was from Jiří Pírko, who asked how to
 pass configuration options to a driver *before* the driver is
@@ -190,7 +190,7 @@ Shrijeet Mukherjee explained that right now, Cumulus is doing this using
 horrible startup script magic by retrying and re-registering, but it
 would be nice to have a more standard way to do this.
 
-#### Control over UAPI patches
+## Control over UAPI patches
 
 Another issue that came up was the problem of changes in the user-space
 API (UAPI) which break backward compatibility. Pírko said that "we have
@@ -211,7 +211,7 @@ in that "we're stuck with it forever". He then went on to propose that,
 since there's a maintainer (or more) for each module, he can make sure
 that each maintainer explicitly approves changes to those modules.
 
-#### Data-center hardware changes
+## Data-center hardware changes
 
 Starovoitov brought up the issue of a new type of hardware that is
 currently being deployed in data centers called a "multi-host NIC"

add and fixup tocs
diff --git a/blog/2017-04-11-netconf1.mdwn b/blog/2017-04-11-netconf1.mdwn
index 188d887..095b379 100644
--- a/blog/2017-04-11-netconf1.mdwn
+++ b/blog/2017-04-11-netconf1.mdwn
@@ -20,7 +20,9 @@ frequent (indeed, encouraged) and the focus is on hashing out issues
 that are blocked on the mailing list and getting suggestions, ideas,
 solutions, and feedback from their peers.
 
-#### Removing `ndo_select_queue()`
+[[!toc]]
+
+#### Removing ndo_select_queue()
 
 One of the first discussions that elicited a significant debate was the
 `ndo_select_queue()` function, a key component of the Linux polling
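Review bot: dropping the backticks from the heading leaves `ndo_select_queue()` with two bare underscores, while the `refcount\_t followup` heading in the same file escapes its underscore. Depending on the Markdown renderer, the unescaped pair can be read as emphasis. Either escape them the same way (`ndo\_select\_queue()`) or confirm that both the page and the generated toc render the name literally.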
diff --git a/blog/2017-04-12-netconf2.mdwn b/blog/2017-04-12-netconf2.mdwn
index 271879d..cfda959 100644
--- a/blog/2017-04-12-netconf2.mdwn
+++ b/blog/2017-04-12-netconf2.mdwn
@@ -9,6 +9,8 @@ between IPv4 and IPv6, changes to data-center hardware, and more. (See
 [this article](https://lwn.net/Articles/719388/) for coverage from the first day of
 discussions).
 
+[[!toc]]
+
 #### How to bind to specific sockets in VRF
 
 One of the first presentations was from David Ahern of Cumulus, who

creating tag page tag/conference
diff --git a/tag/conference.mdwn b/tag/conference.mdwn
new file mode 100644
index 0000000..4165b0b
--- /dev/null
+++ b/tag/conference.mdwn
@@ -0,0 +1,4 @@
+[[!meta title="pages tagged conference"]]
+
+[[!inline pages="tagged(conference)" actions="no" archive="yes"
+feedshow=10]]

creating tag page tag/kernel
diff --git a/tag/kernel.mdwn b/tag/kernel.mdwn
new file mode 100644
index 0000000..7de2b00
--- /dev/null
+++ b/tag/kernel.mdwn
@@ -0,0 +1,4 @@
+[[!meta title="pages tagged kernel"]]
+
+[[!inline pages="tagged(kernel)" actions="no" archive="yes"
+feedshow=10]]

creating tag page tag/coverage
diff --git a/tag/coverage.mdwn b/tag/coverage.mdwn
new file mode 100644
index 0000000..6b47ab3
--- /dev/null
+++ b/tag/coverage.mdwn
@@ -0,0 +1,4 @@
+[[!meta title="pages tagged coverage"]]
+
+[[!inline pages="tagged(coverage)" actions="no" archive="yes"
+feedshow=10]]

creating tag page tag/linux
diff --git a/tag/linux.mdwn b/tag/linux.mdwn
new file mode 100644
index 0000000..3831fa1
--- /dev/null
+++ b/tag/linux.mdwn
@@ -0,0 +1,4 @@
+[[!meta title="pages tagged linux"]]
+
+[[!inline pages="tagged(linux)" actions="no" archive="yes"
+feedshow=10]]

creating tag page tag/netdev
diff --git a/tag/netdev.mdwn b/tag/netdev.mdwn
new file mode 100644
index 0000000..c07a6c9
--- /dev/null
+++ b/tag/netdev.mdwn
@@ -0,0 +1,4 @@
+[[!meta title="pages tagged netdev"]]
+
+[[!inline pages="tagged(netdev)" actions="no" archive="yes"
+feedshow=10]]

publish the netconf articles
this is a squash of the following commits:
commit 3f4b7eceef9962101050f170e8e2af1639478e86
Author: Antoine Beaupré <anarcat@debian.org>
Date: Fri Apr 21 16:46:29 2017 -0400
publish the netconf articles
commit 2685358eb0436df51ef779fe8fc47e40853a0f0a
Author: Antoine Beaupré <anarcat@debian.org>
Date: Thu Apr 13 11:30:38 2017 -0400
fix typo
commit ad1e548182a3e9cbb1c4d2af69e95067e66388ee
Author: Antoine Beaupré <anarcat@debian.org>
Date: Wed Apr 12 17:48:07 2017 -0400
final update from lwn
commit dd93499126ff6005198ab5004c4de915327386d4
Author: Antoine Beaupré <anarcat@debian.org>
Date: Tue Apr 11 13:24:52 2017 -0400
another lwn review
commit 5ce4246660feaab75d9acdf50d4908eb4858b46c
Author: Antoine Beaupré <anarcat@debian.org>
Date: Tue Apr 11 09:12:58 2017 -0400
sync netconf1/2 with LWN.net
commit ed2cc9fe04f5991a8921fd31e83c5becc7b43e32
Author: Antoine Beaupré <anarcat@debian.org>
Date: Mon Apr 10 15:57:02 2017 -0400
small tweaks on day1
commit 1f6398cb9813f68bea1d029a66b0a131fae63d2e
Author: Antoine Beaupré <anarcat@debian.org>
Date: Mon Apr 10 14:49:09 2017 -0400
edge review netconf1
commit 7740f10ebd27f01616a7c12454f99fe5402b98ba
Author: Antoine Beaupré <anarcat@debian.org>
Date: Mon Apr 10 10:26:01 2017 -0400
corbet review day 2
commit e2deaafc745628042c134998aecadfd8efe86ce4
Author: Antoine Beaupré <anarcat@debian.org>
Date: Mon Apr 10 09:43:01 2017 -0400
review from corbet
commit 5b50af5f57e667cd2bf76f2a6194cc0b83feaa0e
Author: Antoine Beaupré <anarcat@debian.org>
Date: Sat Apr 8 18:29:51 2017 -0400
short review from alexei
commit dac6ebe94d8a42e64e8969e7151f789ba3dfbb3f
Author: Antoine Beaupré <anarcat@debian.org>
Date: Sat Apr 8 17:07:33 2017 -0400
link to the new netlink patch
commit e6918945a2317294a0993e2f26b07ecde26f8fe5
Author: Antoine Beaupré <anarcat@debian.org>
Date: Sat Apr 8 14:20:50 2017 -0400
move notes to... well, notes
commit 6cf9ae23b961f2785bf7490a000b6eca71f324c8
Author: Antoine Beaupré <anarcat@debian.org>
Date: Sat Apr 8 12:19:21 2017 -0400
fix names in netconf2
commit 8a2aacfba38a9e22cfa19bd058f8583eec956b2b
Author: Antoine Beaupré <anarcat@debian.org>
Date: Sat Apr 8 12:09:48 2017 -0400
more name fixes
commit 3f058f456d9bd8bb97c15ac863632f69b90d2ee5
Author: Antoine Beaupré <anarcat@debian.org>
Date: Sat Apr 8 12:06:23 2017 -0400
add reviewers thanks
commit 074b969ce03e7e98a0ddb27733305a0d1f008506
Author: Antoine Beaupré <anarcat@debian.org>
Date: Sat Apr 8 12:06:12 2017 -0400
patch sent during netdev
commit 11a831e56648b7383e9a2bf968c27316dbe5dff7
Author: Antoine Beaupré <anarcat@debian.org>
Date: Sat Apr 8 12:05:49 2017 -0400
fix names in netconf1
commit c5248a7bc571c1d2e0a810629af9662d06ca1468
Author: Antoine Beaupré <anarcat@debian.org>
Date: Sat Apr 8 12:05:18 2017 -0400
hannes' corrections of VLAN0 issues
commit 257c31950c0a24f22d9407f1f3d71e3d4f6483d3
Author: Antoine Beaupré <anarcat@debian.org>
Date: Sat Apr 8 10:24:38 2017 -0400
small review from corbet
commit 1dbc5e83a2cb82bd61544f21882528630ee38b42
Author: Antoine Beaupré <anarcat@debian.org>
Date: Fri Apr 7 21:10:38 2017 -0400
small clarification
commit 243f16cc1d0c0a5c58c68de9288aa9fc4460ad50
Author: Antoine Beaupré <anarcat@debian.org>
Date: Fri Apr 7 14:36:02 2017 -0400
fix some names, add conclusion, and details on if flags
commit 4eb7d0cde9c9aae0dbf553d35462e93cb23292ea
Author: Antoine Beaupré <anarcat@debian.org>
Date: Fri Apr 7 12:33:17 2017 -0400
final draft sent to lwn
commit 3b67c5de2f21630e74263eda4509af1414f09693
Author: Antoine Beaupré <anarcat@debian.org>
Date: Fri Apr 7 11:37:38 2017 -0400
review from corbet
commit 49def9cc3b84e58ce315297e48e0bf3ac13a2b5e
Author: Antoine Beaupré <anarcat@debian.org>
Date: Fri Apr 7 11:30:26 2017 -0400
review from jaml
commit 029243389b3327dc9745ce3e189b823a7f93a665
Author: Antoine Beaupré <anarcat@debian.org>
Date: Thu Apr 6 18:43:02 2017 -0400
finish second draft
commit 40413df121c82e182dd6f7c17c54dce97a1e5f8b
Author: Antoine Beaupré <anarcat@debian.org>
Date: Wed Apr 5 17:57:32 2017 -0400
complete first day draft
commit 557d89648d4b93da089fe829c49fbd3327d0cbed
Author: Antoine Beaupré <anarcat@debian.org>
Date: Wed Apr 5 16:17:50 2017 -0400
first plan for netconf article plus incomplete day1 draft
diff --git a/blog/2017-04-11-netconf1.mdwn b/blog/2017-04-11-netconf1.mdwn
new file mode 100644
index 0000000..188d887
--- /dev/null
+++ b/blog/2017-04-11-netconf1.mdwn
@@ -0,0 +1,235 @@
+[[!meta title="A report from Netconf: Day 1"]]
+[[!meta date="2017-04-11T12:00:00-0500"]]
+[[!meta updated="2017-04-21T16:42:20-0400"]]
+
+As is becoming traditional, two times a year the kernel networking
+community meets in a two-stage conference: an invite-only, informal,
+two-day plenary session called
+[Netconf](http://vger.kernel.org/netconf2017.html), held in Toronto this
+year, and a more conventional one-track conference open to the public
+called [Netdev](http://www.netdevconf.org/2.1/index.html). I was invited
+to cover both conferences this year, given that Netdev was in Montreal
+(my hometown), and was happy to meet the crew of developers that
+maintain the network stack of the Linux kernel.
+
+This article covers the first day of the conference which consisted of
+around 25 Linux developers meeting under the direction of David Miller,
+the kernel's networking subsystem maintainer. Netconf has no formal
+sessions; although some people presented slides, interruptions are
+frequent (indeed, encouraged) and the focus is on hashing out issues
+that are blocked on the mailing list and getting suggestions, ideas,
+solutions, and feedback from their peers.
+
+#### Removing `ndo_select_queue()`
+
+One of the first discussions that elicited a significant debate was the
+`ndo_select_queue()` function, a key component of the Linux polling
+system that determines when and how to send packets on a network
+interface (see
+[`netdev_pick_tx`](http://lxr.free-electrons.com/ident?i=netdev_pick_tx)
+and friends). The general question was whether the use of
+`ndo_select_queue()` in drivers is a good idea. Alexander Duyck
+explained that Intel people were considering using `ndo_select_queue()`
+for receive/transmit queue matching. Intel drivers do not currently use
+the hook provided by the Linux kernel and it turns out no one is happy
+with `ndo_select_queue()`: the heuristics it uses don't really please
+anyone. The consensus (including from Duyck himself) seemed to be that
+it should just not be used anymore, or at least not used for that
+specific purpose.
+
+The discussion turned toward the wireless network stack, which uses it
+extensively, but for other purposes. Johannes Berg explained that the
+wireless stack uses `ndo_select_queue()` for traffic classification, for
+example to get voice traffic through even if the best-effort queue is
+backed up. The wireless stack could stop using it by doing flow control
+completely inside the wireless stack, which already uses the `fq_codel`
+flow-control mechanism for other purposes, so porting away from
+`ndo_select_queue()` seems possible there.
+
+The problem then becomes how to update all the drivers to change that
+behavior, which would be a lot of work. Still, it seems people are
+moving away from a generic `ndo_select_queue()` interface to
+stack-specific or even driver-specific (in the case of Intel) queue
+management interfaces.
+
+#### refcount\_t followup
+
+There was a followup discussion on the integration of the `refcount_t`
+type into the network stack, which we [covered
+recently](https://lwn.net/Articles/718275/). This type is meant to be an in-kernel
+defense against exploits based on overflowing or underflowing an
+object's reference count.
+
+The consensus seems to be that having `refcount_t` used for debugging is
+acceptable, but it cannot be enabled by default. An issue that was
+identified is that the networking developers are fairly sure that
+introducing `refcount_t` would have a severe impact on performance, but
+they do not have benchmarks to prove it, something Miller identified as
+a problem that needs to be worked on. Miller then expressed some
+openness to the idea of having it as a kernel configuration option.
+
+A similar discussion happened, on the second day, regarding the
+[KASan](https://01.org/linuxgraphics/gfx-docs/drm/dev-tools/kasan.html)
+memory error detector which was [covered](https://lwn.net/Articles/612153/) when it was
+introduced in 2014. Eric Dumazet warned that there could be a lot of
+issues that cannot be detected by KASan because of the way the network
+stack often bypasses regular memory-allocation routines for performance
+reasons. He also noted that this can sometimes mean the stack may go
+over the regular 10% memory limit (the `tcp_mem` parameter, described in
+the [tcp(7) man page](http://man7.org/linux/man-pages/man7/tcp.7.html))
+for certain operations, especially when rebuilding out of order packets
+with lots of parallel TCP connections.
+
+Therefore it was proposed that these special memory recycling tricks
+could be optionally disabled, at run or compile-time, to instrument
+proper memory tracking. Dumazet argued this was a situation similar to
+`refcount_t` in that we need a way to disable high performance to make
+the network stack easier to debug with KAsan.
+
+The problem with optional parameters is that they are often disabled in
+production or even by default, which, in turn, means that critical bugs
+cannot actually be found because the code paths are not tested. When I
+asked Dumazet about this, he explained that Google performs integration
+testing of new kernels before putting them in production, and those
+toggles could be enabled there to find and fix those bugs. But he agreed
+that certain code paths are then not tested until the code gets deployed
+in production.
+
+So it seems the status quo remains: security folks wants to improve the
+reliability of the kernel, but the network folks can't afford the
+performance cost. Yet it was clear in the discussions that the team
+cares about security issues and wants those issues to be fixed; the
+impact of some of the solutions is just too big.
+
+#### Lightweight wireless management packet access
+
+Berg explained that some users need to have high-performance access to
+certain management frames in the wireless stack and wondered how to best
+expose those to user space. The wireless stack already allows users to
+clone a network interface in "monitor" mode, but this has a big
+performance cost, as the [radiotap header](https://lwn.net/Articles/719391/) needs to
+be constructed from scratch and the packet header needs to be copied. As
+wireless improves and the bandwidth rises to gigabit levels, this can
+become significant bottleneck for packet sniffers or reporting software
+that need to know precisely what's going on over the air outside of the
+regular access point client operation.
+
+It seems the proper way to do this is with an eBPF program. As Miller
+summarized, just add another API call that allows loading a BPF program
+into the kernel and then those users can use a BPF filtering point to
+get the statistics they need. This will require an extra hook in the
+wireless stack, but it seems like this is the way that will be taken to
+implement this feature.
+
+#### VLAN 0 inconsistencies
+
+Hannes Frederic Sowa brought up the seemingly innocuous question of "how
+do we handle
+[VLAN](https://wiki.linuxfoundation.org/networking/vlan) 0?" In theory,
+VLAN 0 means "no VLAN". But the Linux kernel currently handles this
+differently depending on whether the VLAN module is loaded and whether a
+VLAN 0 interface was created. Sometimes the VLAN tag is stripped,
+sometimes not.
+
+It turns out the semantics of this were accidentally changed last time
+there was a change here and this was originally working but is now
+broken. Sowa therefore got the go-ahead to fix this to make the behavior
+consistent again.
+
+#### Loopy fun
+
+Then it came the turn of Jamal Hadi Salim, the maintainer of the
+kernel's [traffic-control (tc) subsystem](http://lartc.org/). The first
+issue he brought up is a problem in the `tc` `REDIRECT` action that can
+create infinite loops within the kernel. The problem can be easily
+alleviated when loops are created on the same interface: checks can be
+added that just drop packets coming from the same device and rate-limit
+logging to avoid a denial-of-service (DoS) condition.
+
+The more serious problem occurs when a packet is forwarded from (say)
+interface `eth0` to `eth1` which then promptly redirects it from `eth1`
+back to `eth0`. Obviously, this kind of problem can only be created by a
+user with root access so, at first glance, those issues don't seem that
+serious: admins can shoot themselves in the foot, so what?
+
+But things become a little more serious when you consider the container
+case, where an untrusted user has root access inside a container and
+*should* have constrained resource limitations. Such a loop could allow
+this user to deploy an effective DoS attack against a whole group of
+containers running on the same machine. Even worse, this endless loop
+could possibly turn into a deadlock in certain scenarios, as the kernel
+could try to transmit the packet on the same device it originated from
+and block, progressively filling the queues and eventually completely
+breaking network access. Florian Westphal argued that a container can
+already create DoS conditions, for example by doing a ping flood.
+
+According to Salim, this whole problem was created when two bits used
+for tracking such packets were reclaimed from the `skb` structure used
+to represent packets in the kernel. Those bits were a simple TTL (time
+to live) field that was incremented on each loop and dropped after a
+pre-determined limit was reached, breaking infinite loops. Salim asked
+everyone if this should be fixed or if we should just forget about this
+issue and move on.
+
+Miller proposed to keep a one-behind state for the packet, fixing the
+simplest case (two interfaces). The general case, however, would requite
+a bitmap of all the interfaces to be scanned, which would impose a large
+overhead. Miller said an attempt to fix this should somehow be made. The
+root of the problem is that the network maintainers are trying to reduce
+the size of the `skb` structure, because it's used in many critical
+paths of the network stack. Salim's position is that, without the TTL
+fields, there is no way to fix the general case here, and this
+constitutes a security issue. So either the bits need to be brought
+back, or we need to live with the inherent DoS threat.
+
+#### Dumping large statistics sets
+
+Another issue Salim brought up was the question of how to export large
+statistics sets from the kernel. It turns out that some use cases may
+end up dumping a *lot* of data. Salim mentioned a real-world tc use case
+that calls for reading six-million entries. The current netlink-based
+API provides a way to get only 20 entries at a time, which means it
+takes forever to dump the state of all those policy actions. Salim has a
+patch that changes the dump size be eight times the `NLMSG_GOOD_SIZE`,
+which improves performance by an order of magnitude already, although

(Diff truncated)
add a potential todo
diff --git a/services/mail.mdwn b/services/mail.mdwn
index 30e9957..efe33ba 100644
--- a/services/mail.mdwn
+++ b/services/mail.mdwn
@@ -412,6 +412,9 @@ This doesn't report emails to pyzor and similar services, unfortunately, see <ht
 
 See also: <https://wiki.apache.org/spamassassin/SiteWideBayesFeedback>
 
+Todo
+----
+
 To improve on this, I could use the
 [dovecot-antispam plugin](http://wiki2.dovecot.org/Plugins/Antispam),
 probably by piping messages into sa-learn or some wrapper script. It's
@@ -451,6 +454,11 @@ when the cert is renewed. I use those simple symlink:
 I also configured filtering and many more things that are documented
 in [[blog/2016-05-12-email-setup]].
 
+Todo
+----
+
+On the fly [OpenPGP encryption of incoming emails](https://perot.me/encrypt-specific-incoming-emails-using-dovecot-and-sieve)?
+
 Webmail
 =======
 
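Review bot: This second "Todo" heading has exactly the same title as the one added around line 412 in the previous hunk, so the page ends up with two sections that cannot be told apart in a table of contents or a link. Give them distinct titles that name the topic (spam training, encryption). The new item is also only a link followed by a question mark; one sentence on which incoming mail would be encrypted, and to which key, would make it actionable.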

Added a comment: refilter
diff --git a/blog/2016-05-12-email-setup/comment_1_13b70a6c83aee71bfbe0cc870d22ef29._comment b/blog/2016-05-12-email-setup/comment_1_13b70a6c83aee71bfbe0cc870d22ef29._comment
new file mode 100644
index 0000000..d52956e
--- /dev/null
+++ b/blog/2016-05-12-email-setup/comment_1_13b70a6c83aee71bfbe0cc870d22ef29._comment
@@ -0,0 +1,9 @@
+[[!comment format=mdwn
+ ip="92.100.245.7"
+ claimedauthor="wigust"
+ subject="refilter"
+ date="2017-04-21T15:58:57Z"
+ content="""
+Thanks for awesome article. I found another way to filter via dovecot
+https://wiki2.dovecot.org/HowTo/RefilterMail
+"""]]
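Review bot: The `ip="92.100.245.7"` field commits the commenter's address to a repository whose complete source is offered for cloning, so it stays in the public history even if the comment is later edited or removed. Consider dropping or truncating the `ip=` value before comments are committed. The URL in `content` is bare; wrapping it in `<...>` as the other pages do would match the wiki's link style.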

note the openpgp plugin
diff --git a/services/mail.mdwn b/services/mail.mdwn
index fdabba3..30e9957 100644
--- a/services/mail.mdwn
+++ b/services/mail.mdwn
@@ -421,6 +421,12 @@ method (see
 that could be more appropriate, as another daemon could pick up files
 for training, but it's not in Jessie.
 
+Another thing I could add is the [OpenPGP plugin][] which classifies
+mail according to its PGP signatures. It fetches keys on the fly and
+doesn't seem to check for updates. It's also old, so issues may abound.
+
+[OpenPGP plugin]: http://search.cpan.org/~brondsem/Mail-SpamAssassin-Plugin-OpenPGP-1.0.4/lib/Mail/SpamAssassin/Plugin/OpenPGP.pm
+
 Dovecot and mail filters
 ========================
 
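Review bot: The added paragraph says the plugin "fetches keys on the fly and doesn't seem to check for updates" but stops short of the consequence for scoring. Before this moves from idea to configuration, state where the keys are fetched from and whether a key that is revoked or expires after the first fetch would still count as a good signature. The reference also pins version 1.0.4 in its URL; say whether that is the version that was looked at.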

add missing monthly-report tag
diff --git a/blog/2017-03-30-free-software-activities-march-2017.mdwn b/blog/2017-03-30-free-software-activities-march-2017.mdwn
index 78215d9..44f8fcd 100644
--- a/blog/2017-03-30-free-software-activities-march-2017.mdwn
+++ b/blog/2017-03-30-free-software-activities-march-2017.mdwn
@@ -485,4 +485,4 @@ As usual, there's the usual mixed bags of chaos:
 
 More stuff on [Github](https://github.com/anarcat?tab=overview&from=2017-02-01&to=2017-02-28&utf8=%E2%9C%93)...
 
-[[!tag debian-planet debian debian-lts python-planet software geek free wallabako stressant signal untrusteddebs security funding]]
+[[!tag debian-planet debian debian-lts python-planet software geek free wallabako stressant signal untrusteddebs security funding monthly-report]]

fix colors
diff --git a/services.mdwn b/services.mdwn
index 8ad5a92..fd1d5a1 100644
--- a/services.mdwn
+++ b/services.mdwn
@@ -15,17 +15,17 @@ Service        | État                                      | Détails  | Depuis
 [[IPv6]]       | [[!color background=#ff0000 text="down"]] | `2607:f2c0:91eb:4d00::/56`, routing problems upstream, disabled in DNS for now | 2011     | public      | Linux, FreeBSD         | le prochain internet: [[!wikipedia IPv6]]
 [[DNS]]        | [[!color background=#00ff00 text="OK"]]   | `anarc.at` `orangeseeds.org` `anarcat.ath.cx`  | 2010?    | public      | [[!wikipedia BIND]]    | hébergement DNS
 [[Wifi]]       | [[!color background=#00ff00 text="OK"]]   | N/A | 2004-2016    | privé      | [[!wikipedia OpenWRT]] | accès à internet restreint, par [[!wikipedia Wifi]]
-[[Mesh]]       | [[!color background=#00ff00 text="down"]] | [nodes list][] | 2012-2016     | public      | [Babel][] | relai dans le mesh [reseaulibre.ca][]
+[[Mesh]]       | [[!color background=#ff0000 text="down"]] | [nodes list][] | 2012-2016     | public      | [Babel][] | relai dans le mesh [reseaulibre.ca][]
 [[Shell]]      | [[!color background=#00ff00 text="OK"]]   | `shell.anarc.at` | 1999?    | privé       | [[!wikipedia SSH]]     | accès shell et fichiers ([[!wikipedia SFTP]])
 [[Mail]]       | [[!color background=#00ff00 text="OK"]]   | `imap.anarc.at` | 2002     | privé       | [[!wikipedia Dovecot]] | courriels par IMAP ou shell
-[[Webmail]]    | [[!color background=#ff0000 text="OK"]]   | <https://mail.anarc.at> | 2005-? 2017    | privé       | [Rainloop][]       | envoi et lecture de courriels
+[[Webmail]]    | [[!color background=#00ff00 text="OK"]]   | <https://mail.anarc.at> | 2005-? 2017    | privé       | [Rainloop][]       | envoi et lecture de courriels
 [[Radio]]      | [[!color background=#ffff00 text="dev"]]  | <http://radio.anarc.at> | 2007     | [public][1] | [[!wikipedia Icecast]] | [stream][] "shoutcast", 64 kbps, rarely online
 [[Jukebox]]    | [[!color background=#00ff00 text="OK"]]   | `radio.anarc.at:6600` | [2007][] | privé       | [MPD][]                | contrôle de la radio à distance
 [[Torrent]]    | [[!color background=#00ff00 text="OK"]]   | `radio.anarc.at:9091` | 2011     | privé       | [Transmission][]       | client bittorrent partagé pour le voisinage
 [[Multimedia]] | [[!color background=#00ff00 text="OK"]]   |          | 1999?    | privé       | [[!wikipedia XBMC]]    | archive audio et video, "cinéma maison"
 [[Web]]        | [[!color background=#00ff00 text="OK"]]   | [[sites hébergés|hosted]], [[nginx]] considéré, [[SSL]] à faire | 1999?    | public      | [Apache][] | hébergement de sites web, sur demande
 [[Wiki]]       | [[!color background=#ffff00 text="dev"]]  | <http://wiki.anarc.at>, à automatiser | 2011     | [public][9]      | [ikiwiki-hosting][]      | Hébergement de wikis [[ikiwiki]], sur demande
-[[Git]]        | [[!color background=#00ff00 text="dev"]]  | <http://src.anarc.at>, deprecated         | ~2012?   | [public][6] | [Git][]                | hébergement de dépôts git, sur demande, en migration vers [Gitlab](https://gitlab.com/anarcat)
+[[Git]]        | [[!color background=#ffff00 text="dev"]]  | <http://src.anarc.at>, deprecated         | ~2012?   | [public][6] | [Git][]                | hébergement de dépôts git, sur demande, en migration vers [Gitlab](https://gitlab.com/anarcat)
 [[Gallery]]    | [[!color background=#ffff00 text="dev"]]  | <http://photos.orangeseeds.org>, à automatiser | 1999?    | [public][4] | [PhotoFloat][]         | galleries de photos, sur demande
 [[Stats]]      | [[!color background=#00ff00 text="OK"]]   | <http://munin.anarc.at> | 2012     | [public][8] | [Munin][]              | statistiques du réseau
 
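Review bot: The Wifi row is left at `background=#00ff00 text="OK"` although it carries the closed range `2004-2016` and `N/A` as details, the same closed range as the Mesh row that this hunk turns red. If Wifi is closed as well it needs `#ff0000` and "down" like Mesh; if it is still running, the end year is misleading and should go.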
@@ -36,11 +36,11 @@ Les services suivants ont été définitivement fermés.
 
 Service        | État                                      | Détails  | Depuis   | Accès       | Logiciel               | Description
 -------------- | ----------------------------------------- | -------- | -------- | ----------- | ---------------------- | ------------
-[[Sondages]]   | [[!color background=#ffff00 text="down"]] | fermé en septembre 2015, pour favoriser le [Framadate](http://framadate.org/) officiel | 2012     | [dead][2] | [OpenSondage][]        | alternative libre à [[!wikipedia Doodle]]
+[[Sondages]]   | [[!color background=#ff0000 text="down"]] | fermé en septembre 2015, pour favoriser le [Framadate](http://framadate.org/) officiel | 2012     | [dead][2] | [OpenSondage][]        | alternative libre à [[!wikipedia Doodle]]
 [[Bookmarks]]  | [[!color background=#ff0000 text="down"]]  | moved to bookie to wallabag on a friend's network | 2011-2014  | [dead][3] | [SemanticScuttle][]    | bookmarks en ligne disponibles partout
-[[Drupal]]     | [[!color background=#ffff00 text="down"]]  | complètement fermé | 2011?    | [dead][7] | [Aegir][]              | Hébergement de sites [Drupal][], sur demande
+[[Drupal]]     | [[!color background=#ff0000 text="down"]]  | complètement fermé | 2011?    | [dead][7] | [Aegir][]              | Hébergement de sites [Drupal][], sur demande
 [[Social]]     | [[!color background=#ff0000 text="down"]] | fermé car [identi.ca][] est passé à [pump.io][], [Friendica][]?, [[buddycloud]] failed | 2011     | [public][5] | [StatusNet][] | "réseau social" décentralisé et sans surveillance, sur demande
-[[Téléphone]]  | [[!color background=#ffff00 text="down"]] | fermé  | ~2008?   | privé       | N/A           | switched all services to upstream VoIP.ms
+[[Téléphone]]  | [[!color background=#ff0000 text="down"]] | fermé  | ~2008?   | privé       | N/A           | switched all services to upstream VoIP.ms
 
  [1]: http://radio.orangeseeds:8000/
  [2]: http://sondage.orangeseeds.org/
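Review bot: While the closed-services table is being touched, the reference `[1]: http://radio.orangeseeds:8000/` in the context below it has a host name without a top-level domain, unlike every other `orangeseeds.org` link on the page, so the "public" link in the Radio row cannot resolve. It should presumably read `radio.orangeseeds.org:8000`; confirm the intended host and fix it in the same commit.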

tons of service status updates
phones are down: all moved to VoIP.ms
mesh and wifi are down: antenna down and wifi closed since i moved
webmail is up
mpd radio is mostly offline
git is being migrated to gitlab
sondages, bookmarks, drupal and social are definitely down
jabber was never started so just removed
diff --git a/services.mdwn b/services.mdwn
index 1499648..8ad5a92 100644
--- a/services.mdwn
+++ b/services.mdwn
@@ -14,27 +14,34 @@ Service        | État                                      | Détails  | Depuis
 [[Réseau]]     | [[!color background=#00ff00 text="OK"]]   | 25 mbps down, 6 mbps up | 1996?    | privé       | [[!wikipedia ADSL]], [[!wikipedia PPPoE]] | accès internet "haute vitesse"
 [[IPv6]]       | [[!color background=#ff0000 text="down"]] | `2607:f2c0:91eb:4d00::/56`, routing problems upstream, disabled in DNS for now | 2011     | public      | Linux, FreeBSD         | le prochain internet: [[!wikipedia IPv6]]
 [[DNS]]        | [[!color background=#00ff00 text="OK"]]   | `anarc.at` `orangeseeds.org` `anarcat.ath.cx`  | 2010?    | public      | [[!wikipedia BIND]]    | hébergement DNS
-[[Téléphone]]  | [[!color background=#ffff00 text="dev"]]  |  passer à freeswitch?       | ~2008?   | privé       | [Asterisk][]           | boîtes vocales, suivi d'appels, appels locaux et internationaux, sur demande
-[[Wifi]]       | [[!color background=#00ff00 text="OK"]]   | `acces.reseaulibre.ca` | 2004?    | public      | [[!wikipedia OpenWRT]] | accès à internet restreint, par [[!wikipedia Wifi]]
-[[Mesh]]       | [[!color background=#00ff00 text="OK"]]   | [nodes list][] | 2012     | public      | [Babel][]             | relai dans le mesh [reseaulibre.ca][]
+[[Wifi]]       | [[!color background=#00ff00 text="OK"]]   | N/A | 2004-2016    | privé      | [[!wikipedia OpenWRT]] | accès à internet restreint, par [[!wikipedia Wifi]]
+[[Mesh]]       | [[!color background=#00ff00 text="down"]] | [nodes list][] | 2012-2016     | public      | [Babel][] | relai dans le mesh [reseaulibre.ca][]
 [[Shell]]      | [[!color background=#00ff00 text="OK"]]   | `shell.anarc.at` | 1999?    | privé       | [[!wikipedia SSH]]     | accès shell et fichiers ([[!wikipedia SFTP]])
-[[Mail]]  | [[!color background=#00ff00 text="OK"]]   | `imap.anarc.at` | 2002     | privé       | [[!wikipedia Dovecot]] | courriels par IMAP ou shell
-[[Webmail]]    | [[!color background=#ff0000 text="down"]] | fermé en 2010 par manque d'utilisateurs | 2005?    | privé       | [Squirrelmail][]       | envoi et lecture de courriels
-[[Radio]]      | [[!color background=#ffff00 text="dev"]]   | <http://radio.anarc.at>, crashes frequently | 2007     | [public][1] | [[!wikipedia Icecast]] | [stream][] "shoutcast", 64 kbps
+[[Mail]]       | [[!color background=#00ff00 text="OK"]]   | `imap.anarc.at` | 2002     | privé       | [[!wikipedia Dovecot]] | courriels par IMAP ou shell
+[[Webmail]]    | [[!color background=#ff0000 text="OK"]]   | <https://mail.anarc.at> | 2005-? 2017    | privé       | [Rainloop][]       | envoi et lecture de courriels
+[[Radio]]      | [[!color background=#ffff00 text="dev"]]  | <http://radio.anarc.at> | 2007     | [public][1] | [[!wikipedia Icecast]] | [stream][] "shoutcast", 64 kbps, rarely online
 [[Jukebox]]    | [[!color background=#00ff00 text="OK"]]   | `radio.anarc.at:6600` | [2007][] | privé       | [MPD][]                | contrôle de la radio à distance
 [[Torrent]]    | [[!color background=#00ff00 text="OK"]]   | `radio.anarc.at:9091` | 2011     | privé       | [Transmission][]       | client bittorrent partagé pour le voisinage
 [[Multimedia]] | [[!color background=#00ff00 text="OK"]]   |          | 1999?    | privé       | [[!wikipedia XBMC]]    | archive audio et video, "cinéma maison"
 [[Web]]        | [[!color background=#00ff00 text="OK"]]   | [[sites hébergés|hosted]], [[nginx]] considéré, [[SSL]] à faire | 1999?    | public      | [Apache][] | hébergement de sites web, sur demande
 [[Wiki]]       | [[!color background=#ffff00 text="dev"]]  | <http://wiki.anarc.at>, à automatiser | 2011     | [public][9]      | [ikiwiki-hosting][]      | Hébergement de wikis [[ikiwiki]], sur demande
-[[Git]]        | [[!color background=#00ff00 text="OK"]]   | <http://src.anarc.at>         | ~2012?   | [public][6] | [Git][]                | hébergement de dépôts git, sur demande
-[[Sondages]]   | [[!color background=#ffff00 text="dev"]]   | <http://sondage.orangeseeds.org>, sera fermé en septembre 2015, pour favoriser le [Framadate](http://framadate.org/) officiel | 2012     | [public][2] | [OpenSondage][]        | alternative libre à [[!wikipedia Doodle]]
-[[Bookmarks]]  | [[!color background=#ff0000 text="down"]]  | moved to Bookie at <https://lib3.net/bookie/>  | 2011-2014  | [dead][3] | [SemanticScuttle][]    | bookmarks en ligne disponibles partout
-[[Drupal]]     | [[!color background=#ffff00 text="dev"]]  | <http://aegir.orangeseeds.org>, intermittent | 2011?    | [public][7] | [Aegir][]              | Hébergement de sites [Drupal][], sur demande
+[[Git]]        | [[!color background=#00ff00 text="dev"]]  | <http://src.anarc.at>, deprecated         | ~2012?   | [public][6] | [Git][]                | hébergement de dépôts git, sur demande, en migration vers [Gitlab](https://gitlab.com/anarcat)
 [[Gallery]]    | [[!color background=#ffff00 text="dev"]]  | <http://photos.orangeseeds.org>, à automatiser | 1999?    | [public][4] | [PhotoFloat][]         | galleries de photos, sur demande
-[[Social]]     | [[!color background=#ff0000 text="down"]] | fermé car [identi.ca][] est passé à [pump.io][], [Friendica][]?, [[buddycloud]] failed | 2011     | [public][5] | [StatusNet][] | "réseau social" décentralisé et sans surveillance, sur demande
-[[Jabber]]     | [[!color background=#ffff00 text="dev"]]  | à venir? | 2013     | privé       | [Prosody][]?           | messagerie instantanée libre
 [[Stats]]      | [[!color background=#00ff00 text="OK"]]   | <http://munin.anarc.at> | 2012     | [public][8] | [Munin][]              | statistiques du réseau
 
+Ancien services
+---------------
+
+Les services suivants ont été définitivement fermés.
+
+Service        | État                                      | Détails  | Depuis   | Accès       | Logiciel               | Description
+-------------- | ----------------------------------------- | -------- | -------- | ----------- | ---------------------- | ------------
+[[Sondages]]   | [[!color background=#ffff00 text="down"]] | fermé en septembre 2015, pour favoriser le [Framadate](http://framadate.org/) officiel | 2012     | [dead][2] | [OpenSondage][]        | alternative libre à [[!wikipedia Doodle]]
+[[Bookmarks]]  | [[!color background=#ff0000 text="down"]]  | moved to bookie to wallabag on a friend's network | 2011-2014  | [dead][3] | [SemanticScuttle][]    | bookmarks en ligne disponibles partout
+[[Drupal]]     | [[!color background=#ffff00 text="down"]]  | complètement fermé | 2011?    | [dead][7] | [Aegir][]              | Hébergement de sites [Drupal][], sur demande
+[[Social]]     | [[!color background=#ff0000 text="down"]] | fermé car [identi.ca][] est passé à [pump.io][], [Friendica][]?, [[buddycloud]] failed | 2011     | [public][5] | [StatusNet][] | "réseau social" décentralisé et sans surveillance, sur demande
+[[Téléphone]]  | [[!color background=#ffff00 text="down"]] | fermé  | ~2008?   | privé       | N/A           | switched all services to upstream VoIP.ms
+
  [1]: http://radio.orangeseeds:8000/
  [2]: http://sondage.orangeseeds.org/
  [3]: http://bm.orangeseeds.org/
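Review bot: Several added rows pair a background colour with a status text that contradicts it: Mesh is `#00ff00` with "down", Webmail is `#ff0000` with "OK", Git is `#00ff00` with "dev", and in the new closed-services table Sondages, Drupal and Téléphone are `#ffff00` with "down" while Bookmarks and Social are `#ff0000` with the same text. Pick one colour per state (green for OK, yellow for dev, red for down) and apply it to every row. The new heading "Ancien services" should read "Anciens services".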
@@ -62,8 +69,7 @@ Service        | État                                      | Détails  | Depuis
  [Apache]: http://apache.org/
  [Git]: http://git-scm.org/
  [Asterisk]: http://www.asterisk.org/
- [Squirrelmail]: http://www.squirrelmail.org/
- [Prosody]: http://prosody.im/
+ [Rainloop]: http://www.rainloop.net/
  [reseaulibre.ca]: http://reseaulibre.ca/
  [Babel]: http://www.pps.jussieu.fr/~jch/software/babel/
  [nodes list]: http://wiki.reseaulibre.ca/users/anarcat/#index2h1
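Review bot: The `[Asterisk]: http://www.asterisk.org/` reference is kept as context here, but the only row that used `[Asterisk][]` in the visible table (Téléphone) was replaced in the previous hunk by one whose software column is `N/A`. If nothing else on the page uses it, remove it together with `[Squirrelmail]` and `[Prosody]` so the reference list matches the table.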

redirect webmail to documentation
diff --git a/services/webmail.mdwn b/services/webmail.mdwn
new file mode 100644
index 0000000..87495f8
--- /dev/null
+++ b/services/webmail.mdwn
@@ -0,0 +1,2 @@
+[[!meta redir="mail#webmail"]]
+[[!tag redirection]]

small SSL status update: we're on LE now
diff --git a/services/ssl.mdwn b/services/ssl.mdwn
index a8b3176..3d57ccb 100644
--- a/services/ssl.mdwn
+++ b/services/ssl.mdwn
@@ -1,8 +1,19 @@
-Self-signed certificates managed in `/etc/ssl/private`, TODO:
+TLS/X509/SSL certificates now issued by [Let's Encrypt][] for most
+domains.
+
+[Let's Encrypt]: https://letsencrypt.org/
+
+Todo:
 
  * document better
  * <del>activate SSL on a bunch of sites (all? how?)</del> used let's encrypt to issue certs for this website and reseaulibre.
  * hook into monkeysphere?
- * hook into [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) - requires [[dns/DNSSEC]], see [[dns]]
-* need to hook into IMAP
-* need to renew and fix aliases for openid login, see <https://ikiwiki-hosting.branchable.com/todo/letsencrypt_support/>
+ * add [CAA record][] - requires upgrade to stretch
+ * hook into [DANE][] - requires [[dns/DNSSEC]], see [[dns]]
+ * <del>need to hook into IMAP</del>
+ * <del>need to renew and fix aliases for openid login, see
+   <https://ikiwiki-hosting.branchable.com/todo/letsencrypt_support/></del>
+   see also [[wiki]]
+
+[DANE]: https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities
+[CAA record]: https://ma.ttias.be/caa-checking-becomes-mandatory-ssltls-certificates/
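Review bot: The new opening sentence says certificates are issued by Let's Encrypt "for most domains" but does not say which domains are the exception or what they use instead, and the removed line was the only place that recorded where the self-signed material lived (`/etc/ssl/private`). List the remaining domains and the location of the keys and certificates, or fold that into the "document better" item. The CAA item would also benefit from a word on why it "requires upgrade to stretch".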

clarify
diff --git a/services/wiki.mdwn b/services/wiki.mdwn
index a3e3245..0a82a34 100644
--- a/services/wiki.mdwn
+++ b/services/wiki.mdwn
@@ -17,7 +17,7 @@ Les wikis fonctionnent sous l'excellent logiciel [[ikiwiki]], et les wikis sont
 
 Chaque wiki a sont propre dépôt [[git]] indépendant qui garde l'historique des changements, et donc peut facilement être cloné. Les wikis peuvent être modifiés par l'interface web ou par git, et un ensemble de [[!iki plugins]] sont disponibles.
 
-Un [[!wikipedia stylesheet]] peut être installé par les utilisateurs, et un thème complet (tel [[night city|night_city/README]] qui forme la jolie présentation ici) peut être installé sur demande.
+Un [[!wikipedia stylesheet]] peut être installé par les utilisateurs, et un thème complet (tel [[night city|night_city/README]] qui formait la jolie présentation ici) peut être installé sur demande.
 
 Tips
 ====
@@ -92,8 +92,14 @@ Here are some things I'm thinking of doing on the website:
  * [ikiwiki-hosting let's encrypt integration][] - automate management
    of X509 certs for new sites, see `use_letsencrypt` parameter?
  * [ikiwikihosting-dns][] - automatic DNS configuration for new sites
- * [customersite][] - billing, hosting and so on... 
-
+ * [customersite][] - billing, hosting and so
+   on... the [controlpanel][] should be fixed, along with the
+   following plugins:
+    * makesite - pour la création de nouveaux sites
+    * missingsite - pour montrer un site même pour les sites manquants
+    * parked - pour les sites désactivés
+
+[controlpanel]: http://anarc.at/ikiwiki.cgi?do=controlpanel
 [more]: http://codecondo.com/minimal-css-frameworks-grid-systems/
 [plenty]: http://sixrevisions.com/css/small-css-frameworks/
 [bulma]: http://bulma.io/
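Review bot: The new `[controlpanel]` reference points at `http://anarc.at/ikiwiki.cgi?do=controlpanel`, a site administration page, over plain HTTP, while the list item just above it is about Let's Encrypt certificates for these sites. Use the `https://` URL. The three plugin sub-bullets are in French inside an otherwise English list; keep the list in one language.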
@@ -233,6 +239,12 @@ It seems there were some ikiwiki criticial bugs in jessie that warranted a [3.20
 
 My openid patch is still not in, but I believe the [SSL issue](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761635) is finally fixed. See the [3.20141016.1 upload](https://tracker.debian.org/news/671435) for release notes.
 
+2014-??-??: ikiwiki-hosting upgrade?
+------------------------------------
+
+At some point during the year, ikiwiki-hosting was upgraded to
+0.20140613 (or just installed?).
+
 2014-10-28: minor upgrade
 -------------------------
 
@@ -284,15 +296,10 @@ The changes cover this [changelog](http://source.ikiwiki.branchable.com/?p=sourc
 2013-09-08? Migration à ikiwiki-hosting
 ---------------------------------------
 
-Instructions pour la maintenance du service.
-
- * [liste des sites](http://anarc.at/ikiwiki.cgi?do=controlpanel)
-
-Autres plugins possibles:
-
- * makesite - pour la création de nouveaux sites
- * missingsite - pour montrer un site même pour les sites manquants
- * parked - pour les sites désactivés
+Ikiwiki-hosting est en utilisation depuis peut-être 2011, puisque
+c'est là que me premières contributions arrivent dans le projet. Mais
+ces modifications dataient de 2013 dans l'historique de la page, alors
+meh.
 
 ### Essentiel
 
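Review bot: In the added paragraph "me premières contributions" should be "mes premières contributions". The heading still dates the migration "2013-09-08?" while the new text says ikiwiki-hosting has probably been in use since 2011; put the uncertainty in the heading too, or say explicitly that the date is the page history date rather than the migration date.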

move blog migration in updates history
diff --git a/services/wiki.mdwn b/services/wiki.mdwn
index 124e968..a3e3245 100644
--- a/services/wiki.mdwn
+++ b/services/wiki.mdwn
@@ -33,11 +33,6 @@ Migrating from Moinmoin markup to markdown regexes
 
 Those are probably not being rendered properly, see [[!iki tips/convert_moinmoin_to_ikiwiki]] for a more complete solution.
 
-Migrating from Drupal
----------------------
-
-See [[blog/2015-02-06-migrating-drupal-ikiwiki/]].
-
 Renaming a wiki
 ---------------
 
@@ -215,6 +210,11 @@ still useful.
 
 Upstream did a security update in Jessie from [3.20141016.2](https://tracker.debian.org/news/671435) to [3.20141016.3](https://tracker.debian.org/media/packages/i/ikiwiki/changelog-3.20141016.3). I decided to drop the  [[!iki bugs/notifyemail fails with some openid providers]] patch because it's probably not really in use and OpenID is dying anyways. I did reapply the git-annex patch since that is still useful.
 
+2015-02-06: blog migrated from Drupal
+-------------------------------------
+
+See [[blog/2015-02-06-migrating-drupal-ikiwiki/]].
+
 2015-04-02: security upgrade
 ----------------------------
 

add todo list for homepage
diff --git a/services/wiki.mdwn b/services/wiki.mdwn
index 01ccce2..124e968 100644
--- a/services/wiki.mdwn
+++ b/services/wiki.mdwn
@@ -73,6 +73,48 @@ mv a-test a-testwiki
 sudo ikisite changesetup testwiki.anarc.at --rebuild
 ```
 
+Todo list
+=========
+
+Here are some things I'm thinking of doing on the website:
+
+ * reduce [webpage bloat][]: [some tests][] on [webpagetest.org][] show
+   that the site can be as slow as 1.7s on a first load on a normal
+   cable connexion. we should be faster. here are a few ideas:
+   * ditch the [[Bootstrap theme|blog/2015-09-09-bootstrap]]: more
+     than 50% of the page size is CSS and JS (23% and 30% resp.). we
+     don't need this framework to make a pretty site, and there are
+     other much smaller frameworks, see for
+     example [pure.css][], [miligram][], [bulma][], [min][], 
+     [mini.css][], [skeleton][], [picnic][] and [plenty][] [more][]
+   * <del>ditch the Fira font</del> done - this greatly reduced the
+     loading time
+   * ditch JQuery - i'm not sure why it's used, but it certainly takes
+     a significant part of the load time
+   * use a CDN or a cache - not sure. huge privacy implications
+   * use a VPS - the site would certainly load faster from a real
+     datacenter... but it's an extra cost and maintenance
+ * [ikiwiki-hosting let's encrypt integration][] - automate management
+   of X509 certs for new sites, see `use_letsencrypt` parameter?
+ * [ikiwikihosting-dns][] - automatic DNS configuration for new sites
+ * [customersite][] - billing, hosting and so on... 
+
+[more]: http://codecondo.com/minimal-css-frameworks-grid-systems/
+[plenty]: http://sixrevisions.com/css/small-css-frameworks/
+[bulma]: http://bulma.io/
+[miligram]: https://milligram.github.io/
+[pure.css]: https://purecss.io/
+[picnic]: https://github.com/picnicss/picnic
+[skeleton]: http://getskeleton.com/
+[mini.css]: https://chalarangelo.github.io/mini.css/
+[min]: https://mincss.com/
+[webpage bloat]: http://idlewords.com/talks/website_obesity.htm
+[some tests]: https://www.webpagetest.org/testlog.php?days=365&filter=anarc.at&all=on
+[webpagetest.org]: https://webpagetest.org/
+[customersite]: http://ikiwiki-hosting.branchable.com/design/customersite/
+[ikiwikihosting-dns]: http://ikiwiki-hosting.branchable.com/ikidns/
+[ikiwiki-hosting let's encrypt integration]: http://ikiwiki-hosting.branchable.com/todo/letsencrypt_support/
+
 Update log
 ==========
 
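Review bot: The reference label `[miligram]` is misspelled against its own target `https://milligram.github.io/`; rename the label and its use in the list to `[milligram]`, and "cable connexion" should be "cable connection". The CDN bullet says "huge privacy implications" without naming them; one clause saying that a third party would then see every visitor's requests would make the trade-off as clear as the cost noted on the VPS bullet.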

ikiwiki-hosting upgrade
diff --git a/services/wiki.mdwn b/services/wiki.mdwn
index 7c97248..01ccce2 100644
--- a/services/wiki.mdwn
+++ b/services/wiki.mdwn
@@ -143,6 +143,22 @@ patching file templates/albumprev.tmpl
 patching file templates/albumviewer.tmpl
 """]]
 
+2017-04-19: ikiwiki-hosting upgrade
+-----------------------------------
+
+Followed the upstream 0.20161219 release from stretch. Had to apply
+the following patches:
+
+ * [hsts](https://ikiwiki-hosting.branchable.com/todo/strict_transport_security/)
+ * [control panel bug](https://ikiwiki-hosting.branchable.com/bugs/controlpanel_crashes_when_ikisite-wrapper_fails/)
+
+The following patches were dropped:
+
+ * attic/apache24: [merged upstream](https://ikiwiki-hosting.branchable.com/todo/apache_2.4_support/)
+ * dev/idempotent-delete: [refused upstream](https://ikiwiki-hosting.branchable.com/bugs/too_much_garbage_to_remove_when_failing_to_create/) -
+   seems like there's a workaround...
+ * dev/usercreate_fails: not reported upstream, werid use case
+
 2017-01-14: security upgrade
 ----------------------------
 
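Review bot: The two patches that "had to" be applied (hsts and the control panel bug) are identified only by links to upstream pages, so the entry does not record where the patched branch or patch files live and the next upgrade cannot tell what to re-apply. Name them the way the dropped ones are named (`attic/apache24`, `dev/idempotent-delete`). Also, "werid use case" should be "weird use case", and `dev/usercreate_fails` has no description of what it changed.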

reorder page, put maintenance stuff below
diff --git a/services/wiki.mdwn b/services/wiki.mdwn
index c76b800..7c97248 100644
--- a/services/wiki.mdwn
+++ b/services/wiki.mdwn
@@ -38,67 +38,6 @@ Migrating from Drupal
 
 See [[blog/2015-02-06-migrating-drupal-ikiwiki/]].
 
-Maintenance
-===========
-
-Instructions pour la maintenance du service.
-
- * [liste des sites](http://anarc.at/ikiwiki.cgi?do=controlpanel)
-
-Autres plugins possibles:
-
- * makesite - pour la création de nouveaux sites
- * missingsite - pour montrer un site même pour les sites manquants
- * parked - pour les sites désactivés
-
-Tâches à faire
---------------
-
-### Essentiel
-
- * <del>migrer de anarcat.ath.cx vers anarc.at ou anarcat.orangeseeds.org</del> - done!
- * désigner un sous-domaine de base pour les nouveaux wikis, possibilités:
-  *  i.anarc.at
-  *  w.anarc.at
-  *  wiki.anarc.at
-  *  wikis.anarc.at
-  *  iki.anarc.at
-  *  ikis.anarc.at
-  *  i.orangeseeds.org
-  *  w.orangeseeds.org
-  *  wiki.orangeseeds.org
-  *  wikis.orangeseeds.org
-  *  iki.orangeseeds.org
-  * ikis.orangeseeds.org
- * installer le control-panel pour la création de wiki quelquepart (ici?)
-
-### Glaçage
-
- * migrate <del><https://wiki.koumbit.net/TheAnarcat> and</del> subpages here, <del>keep a small page there</del> - mostly done
- * <del>publish the theme (with
- * [submodules](http://ikiwiki.info/todo/submodule_support/)?)</del> done, now on the [theme market](http://ikiwiki.info/theme_market/)
- * this would also fix the following paths: `cv` and `presentations`
- * decide if i upgrade <http://anarcat.koumbit.org> to D7 or make a blog here :P
-
-Migration du site statique vers ikiwiki
----------------------------------------
-
-### Must have before online
-
- * <del>have a way to just dump stuff as i used to (see pastes directory)</del> - this is wiki dude.
- * <del>keep tourne's photos (with [[!iki plugins/album]]?)</del> - just used the attachment plugin which allows me to add the `img` tags to the page
- * <del>archive all the rest</del> - well, that public_html directory is still sitting there anyways...
- * <del>migrate [image gallery](http://anarcat.ath.cx/images) (!)</del> (no: static html will work forever)
- * <del>recreate [software gallery](http://anarcat.ath.cx/software) (?)</del> (no: will be archived)
- * <del>document [[offered services|services]] and add to sidebar</del> (done)
-
-We're live baby! -- [[anarcat]] 2011-12-16
-
-### Nice to haves
-
- * <del>a real gallery with [[!iki plugins/album]]?</del> - used
-   photofloat for http://photos.orangeseeds.org/
-
 Renaming a wiki
 ---------------
 
@@ -283,3 +222,63 @@ I upgraded to the current version in `jessie`, that is `3.20130904.1`. This deal
 All the patches above were applied but the magic-mime problem.
 
 The changes cover this [changelog](http://source.ikiwiki.branchable.com/?p=source.git;a=blob;f=debian/changelog;hb=031ccf618e2fdf50e65ab3a9bffcc7f48c4c2547#l175) between versions `3.20130904.1` and `3.20120725`.
+
+2013-09-08? Migration à ikiwiki-hosting
+---------------------------------------
+
+Instructions pour la maintenance du service.
+
+ * [liste des sites](http://anarc.at/ikiwiki.cgi?do=controlpanel)
+
+Autres plugins possibles:
+
+ * makesite - pour la création de nouveaux sites
+ * missingsite - pour montrer un site même pour les sites manquants
+ * parked - pour les sites désactivés
+
+### Essentiel
+
+ * <del>migrer de anarcat.ath.cx vers anarc.at ou anarcat.orangeseeds.org</del> - done!
+ * désigner un sous-domaine de base pour les nouveaux wikis, possibilités:
+  *  i.anarc.at
+  *  w.anarc.at
+  *  wiki.anarc.at
+  *  wikis.anarc.at
+  *  iki.anarc.at
+  *  ikis.anarc.at
+  *  i.orangeseeds.org
+  *  w.orangeseeds.org
+  *  wiki.orangeseeds.org
+  *  wikis.orangeseeds.org
+  *  iki.orangeseeds.org
+  * ikis.orangeseeds.org
+ * installer le control-panel pour la création de wiki quelquepart (ici?)
+
+### Glaçage
+
+ * migrate <del><https://wiki.koumbit.net/TheAnarcat> and</del> subpages here, <del>keep a small page there</del> - mostly done
+ * <del>publish the theme (with
+ * [submodules](http://ikiwiki.info/todo/submodule_support/)?)</del> done, now on the [theme market](http://ikiwiki.info/theme_market/)
+ * this would also fix the following paths: `cv` and `presentations`
+ * <del>decide if i upgrade <http://anarcat.koumbit.org> to D7 or make
+   a blog here :P</del> a blog was made, see [[blog/2015-02-06-migrating-drupal-ikiwiki]].
+
+2011-12-16: Migration du site statique vers ikiwiki
+---------------------------------------------------
+
+### Must have before online
+
+ * <del>have a way to just dump stuff as i used to (see pastes directory)</del> - this is wiki dude.
+ * <del>keep tourne's photos (with [[!iki plugins/album]]?)</del> - just used the attachment plugin which allows me to add the `img` tags to the page
+ * <del>archive all the rest</del> - well, that public_html directory is still sitting there anyways...
+ * <del>migrate [image gallery](http://anarcat.ath.cx/images) (!)</del> (no: static html will work forever)
+ * <del>recreate [software gallery](http://anarcat.ath.cx/software) (?)</del> (no: will be archived)
+ * <del>document [[offered services|services]] and add to sidebar</del> (done)
+
+We're live baby! -- [[anarcat]] 2011-12-16
+
+### Nice to haves
+
+ * <del>a real gallery with [[!iki plugins/album]]?</del> - used
+   photofloat for http://photos.orangeseeds.org/
+
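Review bot: The moved "Glaçage" list carries over broken markup: `<del>publish the theme (with` opens on one bullet and its `</del>` closes on the following bullet that starts with `[submodules]`, so the strike-through spans two list items. Since the block is being relocated anyway, join those two lines into one bullet. The sub-domain candidates under "Essentiel" also use inconsistent indentation (`  *  i.anarc.at` versus `  * ikis.orangeseeds.org`), which can change how the nested list renders.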

fix typo in date
diff --git a/blog/2017-04-09-montreal-bsp-report.mdwn b/blog/2017-04-09-montreal-bsp-report.mdwn
index 3e9f919..83cd45d 100644
--- a/blog/2017-04-09-montreal-bsp-report.mdwn
+++ b/blog/2017-04-09-montreal-bsp-report.mdwn
@@ -1,5 +1,5 @@
 [[!meta title="Montreal Bug Squashing Party report"]]
-[[!meta date="2017-03-16T15:19:59-0400"]]
+[[!meta date="2017-04-16T15:19:59-0400"]]
 
 > Un sommaire de cet article est également
 > [traduit vers le français](https://www.koumbit.org/fr/content/rapport-devenement-bug-squashing-party-debian),

refer to history for qemu
diff --git a/software/debian-development.mdwn b/software/debian-development.mdwn
index a97c1aa..9a0e13b 100644
--- a/software/debian-development.mdwn
+++ b/software/debian-development.mdwn
@@ -596,12 +596,18 @@ commands. But it is probably better to run tests within a completely
 isolated environment, often called a "Virtual Machine".
 
 There are a *lot* of different virtualization solutions you can use
-([Xen][], [KVM][], [Docker][] and [Virtualbox][]), which are for now
+(e.g. [Xen][], [KVM][], [Docker][] or [Virtualbox][]), which are for now
 considered to be outside the scope of this tutorial. I have also
 found [libguestfs][] to be useful to operate on virtual images in
 various ways. [Libvirt][] and [Vagrant][] are also useful wrappers on
 top of the above systems.
 
+I was previously using [Qemu][] to run virtual machines, and had to
+create VMs by hand with various tools. This didn't work so well so I
+switched to using Vagrant as a de-facto standard to build development
+environment machines. Previous instructions for using Qemu are in the
+history of this page.
+
 [Vagrant]: https://www.vagrantup.com/
 [Virtualbox]: https://en.wikipedia.org/wiki/Virtualbox
 [libguestfs]: https://en.wikipedia.org/wiki/Libguestfs
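
Review bot: "Previous instructions for using Qemu are in the history of this page" in the added paragraph gives the reader nothing to click or search for. Link to the page history, or name the commit subject that dropped the section ("remove unshare and qemu instructions"), so the old text can actually be found. The paragraph also relies on a `[Qemu]:` reference definition that is not among the definitions visible in this hunk; worth confirming it is still defined now that the Qemu section is gone.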

remove unshare and qemu instructions
vagrant is good enough for our needs
diff --git a/software/debian-development.mdwn b/software/debian-development.mdwn
index 53b8a60..a97c1aa 100644
--- a/software/debian-development.mdwn
+++ b/software/debian-development.mdwn
@@ -660,112 +660,6 @@ the [Hashicorp Atlas][].
 [build your own]: https://wiki.debian.org/Teams/Cloud/RebuildVagrantBaseBoxes
 [official Debian images]: https://atlas.hashicorp.com/debian
 
-Qemu virtual machines
----------------------
-
-For now, we will stick with the simplest approach which is using
-[Qemu][]. We will need to use a special tool to create the virtual
-machine as debootstrap only creates a chroot, which virtual machines
-do not necessarily understand. Here is how to create the virtual
-machine disk using [vmdebootstrap][].
-
-    DIST=sid ARCH=amd64
-    sudo vmdebootstrap --serial-console --enable-dhcp --convert-qcow2 --verbose --distribution=$DIST --arch=$ARCH --image=$DIST-$ARCH.qcow2
-
-[vmdebootstrap]: https://vmdebootstrap.alioth.debian.org/
-
-This makes sure that the `--serial-console` is enabled, which allows
-us to connect to the VM without having a complete GUI. It also enables
-networking (`--enable-dhcp`). It also converts the resulting image to
-the [QCOW][] file format, which takes up less space as it expands as
-necessary on writes.
-
-[[!important """
-There are issues when setting up a `wheezy` machine on older
-`vmdebootstrap` versions: for example, it couldn't setup the
-bootloader. I had trouble with the jessie version (`0.5`), and even
-with backports (`1.4`). Try to have at least 1.6 running. This may
-also mean using newer `e2fsprogs` from backports as well.
- """]]
-
-[[!note """There is another tool that accomplished similar things called
-[grml-debootstrap][]. I do not use it because it doesn't create a
-minimal image by default. `vmdebootstrap` is also destined to be the
-main tool used to create [Debian Live][] official images which makes
-it interesting in the long term. I have used the following commandline
-when using grml-deboostrap:
-
-    sudo grml-deboostratp --vmfile --bootappend console=ttyS0 --arch $ARCH --release $DIST --target $DIST.qcow2
-
-[grml-debootstrap]: http://grml.org/grml-debootstrap/
-[Debian Live]: https://wiki.debian.org/DebianLive
-
-Also note that the [Debian Cloud team][] is considering using 
-[FAI][] for this in the future, see [this post][] for details and
-other ideas.
-
-[FAI]: https://wiki.debian.org/FAI
-[this post]: https://lists.debian.org/debian-cloud/2016/11/msg00100.html
-[Debian Cloud team]: https://wiki.debian.org/Teams/Cloud
-"""]]
-
-To boot those images with Qemu, use:
-
-    qemu-system-x86_64 -snapshot -enable-kvm -display none -serial mon:stdio $DIST-$ARCH.qcow2
-
-`-snapshot` makes the image read-only, so it can be readily reused
-without worring about contaminating the environment. [KVM][] is
-obviously optional here, but usually works in my tests and is much
-faster than non-[HVM][] usage. The remaining options are to make sure
-I get a regular terminal from Qemu instead of a graphical window. This
-requires special configuration in the image, otherwise you will get no
-output at all. Also, if you are testing GUIs, you will obviously want
-to remove those options and install a bunch of packages on top of the
-minimal install.
-
-[[!tip """
-To transfer data between the host and the virtual machines, the
-simplest way I could find is with [netcat][]. On the host:
-
-    nc -q 0 -l -p 10080 < phpmyadmin_3.4.11.1-2+deb7u4_all.deb 
-
-In the VM:
-
-    nc 10.0.2.2 10080 > phpmyadmin_3.4.11.1-2+deb7u4_all.deb
-
-The IP address may change, use, `ip route` to find the address of the
-host, which should be the gateway. `10080` is an arbitrary port above
-`1024`.
-
-Ports can also be forwarded from the host to the VM using the `-net`
-command. For example, `-net user,hostfwd=tcp::10022-:22 -net nic`
-would allow the host to connect to the VM's SSH server. I ended up
-setting up the following shell alias:
-
-    # qemu: specify architecture, enable serial port and common port
-    # forwards (HTTP and SSH), enable KVM support and don't write the
-    # image by default (can be worked around with C-a s at
-    # runtime). graphical display still enabled for POLA (some VMs don't
-    # have serial), can be turned off with -display none.
-    alias qemu="qemu-system-x86_64 -serial mon:stdio -net user,hostfwd=tcp::10080-:80 -net user,hostfwd=tcp::10022-:22 -net nic -enable-kvm -snapshot"
-
-`.deb` files can be installed with `dpkg -i`, which will likely fail
-because of missing dependency, so you need to also run `apt-get
-install -f`.
-
-[netcat]: https://en.wikipedia.org/wiki/Netcat
-
-Another option is to use the "unshare" command, which launches another
-command in a different namespace:
-
-    sudo unshare -i -m -p -u -f chroot /path/mountpoint qemu-arm-static /bin/bash
-
-This can reuse chroots previously created for cowbuilder, but the
-filesystem separation works only if /path/mountpoint is really a
-different mountpoint. Otherwise changes in the filesystem affect the
-parent host, in which case you can just copy over the chroot.
-"""]]
-
 Uploading packages
 ==================
 
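Review bot: the removed section is the only place in this hunk that uses `[QCOW][]` and `[HVM][]`, yet no `[QCOW]:` or `[HVM]:` definition is deleted with it, so any definitions elsewhere in the file are now orphaned and can go too. The removal also takes out more than the commit message says: the tip about installing a `.deb` with `dpkg -i` followed by `apt-get install -f` is not specific to Qemu or unshare and may be worth keeping in the Vagrant section.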

some wording fixes
diff --git a/software/debian-development.mdwn b/software/debian-development.mdwn
index 7876d92..53b8a60 100644
--- a/software/debian-development.mdwn
+++ b/software/debian-development.mdwn
@@ -408,10 +408,9 @@ all of those, so you can try to install them with:
 
 But this installs a lot of cruft on your system! `mk-build-deps` makes
 a dummy package to wrap them all up together, so they are easy to
-uninstall, but still: this is relevant only if you are doing recurring
-development on the project.
+uninstall.
 
-Furthermore, it doesn't build the package in a "clean
+Furthermore, the above procedure doesn't build the package in a "clean
 environment". For example, say I am building a package for a regular
 upload into `unstable` ("sid"). Yet, my workstation is running
 `stable` ("jessie", currently). I can't simply build the package in
@@ -561,8 +560,7 @@ takes almost triple that time (17 minutes). Plus Debomatic runs
 The obvious downside is that I need to trust the remote server to
 generate the same package as I would do locally. Even if the package
 is [reproducible][] (which is not always the case!), I would still
-have to build the package locally to ensure the package was
-trustworthy.
+have to build the package locally to be able to compare the results...
 
 [piuparts]: https://manpages.debian.org/piuparts
 [reproducible]: https://reproducible-builds.org
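
Review bot: the new ending "to be able to compare the results..." trails off just where the reader needs the conclusion. Say what is compared (for example the checksums of the locally built and remotely built packages) and that a mismatch means the remote result should not be trusted; the removed wording at least named trustworthiness as the goal.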

reorder checkout instructions
move the more confusing debcheckout stuff to a later note
diff --git a/software/debian-development.mdwn b/software/debian-development.mdwn
index 6c53044..7876d92 100644
--- a/software/debian-development.mdwn
+++ b/software/debian-development.mdwn
@@ -67,17 +67,7 @@ comfortable working on.[^lazy]
     regardless of the version control used. Furthermore, some packages
     do not use version control at all!
 
-But if the version control system the package uses is familiar to you,
-you *can* use [debcheckout][] to checkout the source directly. If you
-are comfortable with many revision control systems, this may be better
-for you in general. However, keep in mind that it does not ensure
-end-to-end cryptographic integrity like the following procedure
-does. It *will* be useful, however, if you want to review the source
-code history of the package to figure out where things come from.
-
-[debcheckout]: https://manpages.debian.org/debcheckout
-
-So to get the source code on an arbitrary package, visit the
+To get the source code on an arbitrary package, visit the
 [package tracker][].[^tracker] In this case, we look at the
 [Calibre package tracker page][] and find the download links for the
 release we're interested in. Since we are doing a backport, we use the
@@ -214,6 +204,16 @@ process works.
 
 [debian-keyring package]: https://packages.debian.org/debian-keyring
 
+If the version control system the package uses is familiar to you,
+you *can* use [debcheckout][] to checkout the source directly. If you
+are comfortable with many revision control systems, this may be better
+for you in general. However, keep in mind that it does not ensure
+end-to-end cryptographic integrity like the previous procedure
+does. It *will* be useful, however, if you want to review the source
+code history of the package to figure out where things come from.
+
+[debcheckout]: https://manpages.debian.org/debcheckout
+
 Modifying the package
 =====================
 
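Review bot: the commit message says the debcheckout material moves "to a later note", but the added lines are a plain paragraph, so the warning that debcheckout "does not ensure end-to-end cryptographic integrity" is easy to skim past. Wrapping the paragraph in the admonition markup the page uses elsewhere would match the stated intent and keep the integrity caveat visible. Minor: "to checkout the source" should be "to check out the source".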

fix admonition markup
diff --git a/software/debian-development.mdwn b/software/debian-development.mdwn
index f2f3c75..6c53044 100644
--- a/software/debian-development.mdwn
+++ b/software/debian-development.mdwn
@@ -438,7 +438,7 @@ To use sbuild, you first need to configure an image:
 
     sudo sbuild-createchroot --include=eatmydata,ccache,gnupg unstable /srv/chroot/unstable-amd64-sbuild
 
-[[!wiki note """
+[[!note """
 This assumes that:
 
  1. you are running Stretch or later (see the [sbuild wiki docs](https://wiki.debian.org/sbuild) for workarounds in Jessie)
@@ -495,7 +495,7 @@ you often need `-sa` to provide the source tarball with the upload),
 you should use `--debbuildopts -sa` in `sbuild`. For git-buildpackage,
 simply add `-sa` to the commandline.
 
-[[!wiki note """
+[[!note """
 I was previously using `pbuilder` and switched in 2017 to `sbuild`. [AskUbuntu.com has a good comparative between pbuilder and sbuild][]
 that shows they are pretty similar. The big advantage of sbuild is
 that it is the tool in use on the buildds and it's written in Perl

switch from pbuilder to sbuild
pbuilder instructions are totally removed in the hope it will make the
guide shorter and clearer. they are still available in the history if
necessary...
diff --git a/software/debian-development.mdwn b/software/debian-development.mdwn
index d50ae00..f2f3c75 100644
--- a/software/debian-development.mdwn
+++ b/software/debian-development.mdwn
@@ -420,84 +420,103 @@ environment.
 
 For this, we need more powerful tools.
 
-Building in a clean environment: pbuilder and cowbuilder
---------------------------------------------------------
-
-[[!note """I've been looking at switching
-to [sbuild](https://wiki.debian.org/sbuild) instead of pbuilder as
-it's design is slightly better and it's the program running on the
-official buildd's. I just haven't got around to migrating just
-yet. See the "future work" section at the bottom for details."""]]
-
-[pbuilder][] takes your source package (the `.dsc` file), and builds
-it in a clean, temporary `chroot`. To create that `.dsc` file, you can
-use `dpkg-source -b` or simply call `pdebuild` instead of `pbuilder`,
-which will do that for you. Some places, like Debomatic, require a
-full `.changes` file, which is generated with `dpkg-buildpackage -S`.
-
-However, I don't use pbuilder in its default configuration as it uses
-tarballs, which are slow to create and extract. Instead, I use
-[cowbuilder][], which uses a clever hack to optimize the creation of
-the temporary chroot, using hardlinks and [cowdancer][].
-
-To use cowbuilder, you first need to create the base images:
-
-    for DIST in wheezy jessie stretch sid; do
-        for ARCH in i386 amd64; do
-            sudo cowbuilder --create --distribution $DIST --architecture $ARCH --basepath=/var/cache/pbuilder/base-$DIST-$ARCH.cow
-        done
-    done
+Building in a clean environment
+-------------------------------
+
+I am using [[!man sbuild]] to build packages in a dedicated clean
+build environment. This means I can build packages for arbitrary
+distributions and also make sure there aren't exotic local
+configurations that can contaminate the build.
+
+`sbuild` takes your source package (the `.dsc` file), and builds it in
+a clean, temporary `chroot`. To create that `.dsc` file, you can use
+`dpkg-source -b` or simply call `sbuild` in the source directory. Some
+places, like Debomatic, require a full `.changes` file, which is
+generated with `dpkg-buildpackage -S`.
+
+To use sbuild, you first need to configure an image:
+
+    sudo sbuild-createchroot --include=eatmydata,ccache,gnupg unstable /srv/chroot/unstable-amd64-sbuild
+
+[[!wiki note """
+This assumes that:
+
+ 1. you are running Stretch or later (see the [sbuild wiki docs](https://wiki.debian.org/sbuild) for workarounds in Jessie)
+
+ 2. sbuild is already installed and you are in the right group, do
+    this otherwise:
+
+        sudo apt-get install sbuild
+        sudo sbuild-adduser $LOGNAME
+
+ 3. you want to create an "unstable" image in amd64. to change the
+    architecture, use the `--arch` argument, and to change the suite,
+    change it in two the places that say `unstable`, obviously
+"""]]
 
 The above will create chroots for all the main suites and two
 architectures, using [debootstrap][]. You may of course modify this to
-taste based on your requirements and available disk space. My
-`pbuilder` directory is around 7GB (including ~3GB of cached `.deb`
+taste based on your requirements and available disk space. My build
+directories count for around 7GB (including ~3GB of cached `.deb`
 packages) and each chroot is between 500MB and 700MB.
 
 [debootstrap]: https://manpages.debian.org/debootstrap
 
-It is also useful to configure your `.pbuilderrc` to make all this
-easier to use. Noticed how long the above cowbuilder commandline is? I
-use a [[modified version|pbuilderrc]] of the [Ubuntu pbuilder Howto][]
-in my configuration that allows me to avoid having to pass
-`--distribution`, `--architecture` and `--basepath` all the time, and
-just set the `DIST` and `ARCH` environment.
-
 Then I build packages in one of three ways.
 
- 1. With cowbuilder, if I have a `.dsc` already (again, that can be
-    generated with `dpkg-source -b` in the source tree):
+ 1. If I have a `.dsc` already (again, that can be generated with
+    `dpkg-source -b` in the source tree):
  
-        DIST=jessie ARCH=amd64 cowbuilder --build calibre_2.55.0+dfsg-1~bpo8+1.dsc
+        sbuild calibre_2.55.0+dfsg-1~bpo8+1.dsc
 
- 2. With pdebuild if I'm in the source tree:
+ 2. If I'm in the source tree:
  
-        DIST=jessie ARCH=amd64 pdebuild --pbuilder cowbuilder
+        sbuild
 
  3. With git-buildpackage:
 
-        git-buildpackage --git-builder=git-pbuilder
+        git-buildpackage --git-builder=sbuild
 
     The above can be configured by default in `~/.gbp.conf`:
     
         [DEFAULT]
-        builder=/usr/bin/git-pbuilder
+        builder=sbuild
         # to force lintian to run since we don't use debuild anymore
         postbuild = lintian $GBP_CHANGES_FILE
 
-All of those will generate your binary package in
-`/var/cache/pbuilder/$DIST-$ARCH/result`.
+`sbuild` will generate your binary package in the parent directory
+(`..`). It will build your package with the suite specified in the
+package's latest `changelog` entry. If you want to use another suite,
+you can specify an arbitarry chroot with the `--chroot` option. See
+`schroot -l` to list the available options.
 
 To pass options to the underlying `dpkg-buildpackage` (for example,
 you often need `-sa` to provide the source tarball with the upload),
-you should use `-- --debbuildopts -sa` in `pdebuild`, `pbuilder` and
-`cowbuilder`. For git-buildpackage, simply add `-sa` to the
-commandline.
+you should use `--debbuildopts -sa` in `sbuild`. For git-buildpackage,
+simply add `-sa` to the commandline.
 
-[Ubuntu pbuilder Howto]: https://wiki.ubuntu.com/PbuilderHowto
-[cowdancer]: https://manpages.debian.org/cowdancer
-[cowbuilder]: https://manpages.debian.org/cowbuilder
-[pbuilder]: https://manpages.debian.org/pbuilder
+[[!wiki note """
+I was previously using `pbuilder` and switched in 2017 to `sbuild`. [AskUbuntu.com has a good comparative between pbuilder and sbuild][]
+that shows they are pretty similar. The big advantage of sbuild is
+that it is the tool in use on the buildds and it's written in Perl
+instead of shell. My concerns about switching were POLA (I'm used to
+pbuilder), the fact that pbuilder runs as a separate user (works with
+sbuild as well now, if the `_apt` user is present), and setting up COW
+semantics in sbuild (can't just plug cowbuilder there, need to
+configure overlayfs or aufs, which is non-trivial in jessie with
+backports...). Ubuntu folks, again, have [more][] [documentation][]
+there. Debian also has [extensive documentation][], especially about
+[how to configure overlays][]. I was convinced by
+[stapelberg's post on the topic][] which shows how simpler sbuild
+really is...
+
+[stapelberg's post on the topic]: https://people.debian.org/~stapelberg/2016/11/25/build-tools.html
+[how to configure overlays]: https://wiki.debian.org/sbuild#Using_overlay_with_sbuild
+[extensive documentation]: https://wiki.debian.org/sbuild
+[documentation]: https://wiki.ubuntu.com/SimpleSbuild
+[more]: https://wiki.ubuntu.com/SecurityTeam/BuildEnvironment
+[AskUbuntu.com has a good comparative between pbuilder and sbuild]: http://askubuntu.com/questions/53014/why-use-sbuild-over-pbuilder
+"""]]
 
 Offloading: cowpoke and debomatic
 ---------------------------------
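
Review bot: the unchanged paragraph after the new note still reads "The above will create chroots for all the main suites and two architectures", but with the `for DIST ... for ARCH` loop removed, the replacement `sbuild-createchroot` command creates a single `unstable` chroot. Reword that paragraph, and check that the 7GB and 500MB to 700MB figures still describe the sbuild setup. Smaller points in the added lines: `[[!wiki note` does not look like the page's other admonitions (`[[!note`, `[[!tip`), "arbitarry" should be "arbitrary", and "in two the places" should be "in the two places".
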
@@ -710,7 +729,7 @@ minimal install.
 To transfer data between the host and the virtual machines, the
 simplest way I could find is with [netcat][]. On the host:
 
-    nc -q 0 -l -p 10080 <  /var/cache/pbuilder/wheezy-amd64/result/phpmyadmin_3.4.11.1-2+deb7u4_all.deb 
+    nc -q 0 -l -p 10080 < phpmyadmin_3.4.11.1-2+deb7u4_all.deb 
 
 In the VM:
 
@@ -790,14 +809,11 @@ host your own Debian repository using [reprepro][] (Koumbit has some
 Further work and remaining issues
 =================================
 
-The pbuilder configuration should probably be factored into the
-default pbuilder configuration.
-
 I am curious about [Whalebuilder][], which uses Docker to build
-packages instead of `pbuilder`. Docker provides more isolation than a
+packages instead of `pbuilder` or `sbuild`. Docker provides more isolation than a
 simple `chroot`: in `whalebuilder`, packages are built without network
 access and inside a virtualized environment. Keep in mind there are
-limitations to Docker's security and that `pbuilder` *does* build
+limitations to Docker's security and that `pbuilder` and `sbuild` *do* build
 under a different user which will limit the security issues with
 building untrusted packages. Furthermore, `whalebuilder` is not
 currently packaged as an official Debian package and lacks certain
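
Review bot: "`pbuilder` and `sbuild` *do* build under a different user" is stated without condition here, while the note added earlier in this same commit says this works with sbuild only "if the `_apt` user is present". Since this sentence is the security argument for building untrusted packages in a chroot, carry the same qualifier over, or point back to the note.
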
@@ -809,28 +825,6 @@ isolation, look towards [qemubuilder][] or possibly kvmtool.
 [passing custom arguments to dpkg-buildpackage]: https://gitlab.com/uhoreg/whalebuilder/issues/4
 [whalebuilder]: https://www.uhoreg.ca/programming/debian/whalebuilder
 
-I should also look at [sbuild][]
-again. [AskUbuntu.com has a good comparative between pbuilder and sbuild][]
-that shows they are pretty similar. The big advantage of sbuild is
-that it is the tool in use on the buildds and it's written in Perl
-instead of shell. My concerns about switching are POLA, the fact that
-pbuilder runs as a separate user (needs to be checked in sbuild), and
-setting up COW semantics in sbuild (can't just plug cowbuilder there,
-need to configure overlayfs or something similar). Ubuntu folks,
-again, have [more][] [documentation][] there. Debian also has
-[extensive documentation][], especially about

(Diff truncated)
add link to translation
diff --git a/blog/2017-04-09-montreal-bsp-report.mdwn b/blog/2017-04-09-montreal-bsp-report.mdwn
index 04c266b..3e9f919 100644
--- a/blog/2017-04-09-montreal-bsp-report.mdwn
+++ b/blog/2017-04-09-montreal-bsp-report.mdwn
@@ -1,6 +1,10 @@
 [[!meta title="Montreal Bug Squashing Party report"]]
 [[!meta date="2017-03-16T15:19:59-0400"]]
 
+> Un sommaire de cet article est également
+> [traduit vers le français](https://www.koumbit.org/fr/content/rapport-devenement-bug-squashing-party-debian),
+> merci!
+
 Last friday, a group of Debian users, developers and enthusiasts met
 at [Koumbit.org][] offices for a [bug squashing party][]. We were
 about a dozen people of various levels: developers, hackers and users.

answer other questions
diff --git a/blog/2017-04-09-montreal-bsp-report/comment_5_0d97239869193406b2d23d6832533392._comment b/blog/2017-04-09-montreal-bsp-report/comment_5_0d97239869193406b2d23d6832533392._comment
index e356d08..4dd4346 100644
--- a/blog/2017-04-09-montreal-bsp-report/comment_5_0d97239869193406b2d23d6832533392._comment
+++ b/blog/2017-04-09-montreal-bsp-report/comment_5_0d97239869193406b2d23d6832533392._comment
@@ -3,6 +3,7 @@
  subject="""apologies and response"""
  date="2017-04-16T17:32:06Z"
  content="""
+@Solveig
 > I think you should rephrase the sentence "I guess that maybe half of
 > the people were able to learn new, or improve their skills to make
 > significant contributions. Other learned how to hunt and triage bugs
@@ -19,5 +20,74 @@ contributions as "lesser" contributions, way too often. It's unfair
 and inproductive, and I apologize to the participants of the BSP that
 gave their time to make Debian better!
 
+@Coucouf
+> And did you know that the shorter "apt" can be used as a nice
+> replacement for most apt-* command ? [...]
+
+Yes! That's a great innovation that appeared in Debian Jessie for
+which I am very grateful... Because I wanted to test people's
+knowledge of Debian, I did not introduce that additional complexity -
+introducing rmadison was tricky enough... :)
+
+Also, I have found that `apt` doesn't work as well for auto-completion
+and a bunch of commands (e.g. `apt-cache policy`) are still missing so
+I am often reverting back to the old `apt-*` toolset.
+
+> What would be your advice to clean result directory from older
+> versions of a currently built package? I also need to preserve older
+> versions of few packages I build, so I hope there is a way to add an
+> exception for them.
+
+Hmm... I am not sure what you are refering to... If you are talking
+about the `pbuilder` output directory
+(`/var/cache/pbuilder/unstable-amd64/result`, for example), I usually
+just remove everything in there once in a while. What I want to keep
+elsewhere, I upload it, either to `people.debian.org` or the main
+archive. For non-members, I would recommend [mentors.debian.net][].
+
+[mentors.debian.net]: https://mentors.debian.net/
+
+For the record, here's my `.dput.cf`:
+
+    [DEFAULT]
+    run_lintian = 0
+    scp_compress = 1
+    
+    [mentors]
+    fqdn = mentors.debian.net
+    method = ftp
+    login = anonymous
+    incoming = .
+    allow_unsigned_uploads = 0
+    run_dinstall = 0
+    progress_indicator = 2
+    passive_ftp = 1
+    
+    [people]
+    fqdn = people.debian.org
+    method = scp
+    incoming = /home/anarcat/public_html/debian/wheezy-lts/
+    run_dinstall = 0
+    progress_indicator = 2
+    allowed_distributions = UNRELEASED
+    
+    [bpo]
+    fqdn = backports-master.debian.org
+    incoming = /pub/UploadQueue/
+    method = ftp
+    login = anonymous
+    allow_dcut = 1
+    
+    [debomatic-amd64]
+    fqdn           = debomatic-amd64.debian.net
+    incoming       = /srv/debomatic-amd64
+    login          = debomatic
+    method         = scp
+    allow_unsigned_uploads  = 0
+    allow_dcut     = 1
+    scp_compress   = 1
+
+The `ftp-master` is, of course, builtin and the default. :)
+
 A.
 """]]

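Review bot: in the posted `.dput.cf`, `allow_unsigned_uploads = 0` is set in `[mentors]` and `[debomatic-amd64]` but not in `[people]` or `[bpo]`. The `[mentors]` and `[bpo]` targets upload over anonymous FTP, so the signature is what protects the upload in transit; moving the setting into `[DEFAULT]` would make the requirement explicit for every target instead of relying on whatever the built-in default is. Minor: "refering" should be "referring".
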
retract part of the article that was unfortunately worded
all contributions are welcome, not just patches...
diff --git a/blog/2017-04-09-montreal-bsp-report.mdwn b/blog/2017-04-09-montreal-bsp-report.mdwn
index 811d996..04c266b 100644
--- a/blog/2017-04-09-montreal-bsp-report.mdwn
+++ b/blog/2017-04-09-montreal-bsp-report.mdwn
@@ -51,9 +51,13 @@ patch.
 [UDD bugs page]: https://udd.debian.org/bugs/
 
 I guess that maybe half of the people were able to learn new, or
-improve their skills to make significant contributions. Other learned
+improve their skills to make <del>significant contributions</del>
+or test actual patches. Other learned
 how to hunt and triage bugs in the [BTS][].
 
+Update: sorry for the wording: all contributions were really useful,
+thanks and apologies to bug hunters!!
+
 [BTS]: https://bugs.debian.org
 
 I myself learned how to use `sbuild` thanks to the excellent
diff --git a/blog/2017-04-09-montreal-bsp-report/comment_5_0d97239869193406b2d23d6832533392._comment b/blog/2017-04-09-montreal-bsp-report/comment_5_0d97239869193406b2d23d6832533392._comment
new file mode 100644
index 0000000..e356d08
--- /dev/null
+++ b/blog/2017-04-09-montreal-bsp-report/comment_5_0d97239869193406b2d23d6832533392._comment
@@ -0,0 +1,23 @@
+[[!comment format=mdwn
+ username="anarcat"
+ subject="""apologies and response"""
+ date="2017-04-16T17:32:06Z"
+ content="""
+> I think you should rephrase the sentence "I guess that maybe half of
+> the people were able to learn new, or improve their skills to make
+> significant contributions. Other learned how to hunt and triage bugs
+> in the BTS."
+> 
+> As is, it means that people either made significant contributions, or
+> triaged bugs. It's not very flattering for bug triagers.
+
+You are absolutely right. I have changed the wording to be more
+respectful...
+
+It's a sad reality that we are not considering "non-code"
+contributions as "lesser" contributions, way too often. It's unfair
+and inproductive, and I apologize to the participants of the BSP that
+gave their time to make Debian better!
+
+A.
+"""]]

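Review bot: in the new comment file, "we are not considering \"non-code\" contributions as \"lesser\" contributions, way too often" says the opposite of what the apology intends; dropping "not" fixes it. The quoted block at the top also has no attribution, so a reader cannot tell which commenter is being answered, and "inproductive" should be "unproductive".
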
fix article timestamp
diff --git a/blog/2017-04-09-montreal-bsp-report.mdwn b/blog/2017-04-09-montreal-bsp-report.mdwn
index 5e09eaf..811d996 100644
--- a/blog/2017-04-09-montreal-bsp-report.mdwn
+++ b/blog/2017-04-09-montreal-bsp-report.mdwn
@@ -1,4 +1,5 @@
 [[!meta title="Montreal Bug Squashing Party report"]]
+[[!meta date="2017-03-16T15:19:59-0400"]]
 
 Last friday, a group of Debian users, developers and enthusiasts met
 at [Koumbit.org][] offices for a [bug squashing party][]. We were
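
Review bot: the added `[[!meta date="2017-03-16T15:19:59-0400"]]` places the post in March, while the file name dates it 2017-04-09; the month looks like a typo for `04`. Because this directive overrides the page's creation date, it is worth checking the value against the actual publication time before pushing.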

remove duplicate comment
diff --git a/blog/2017-04-09-montreal-bsp-report/comment_1_4c4f7db5f92765a35cfb33546560ce3b._comment b/blog/2017-04-09-montreal-bsp-report/comment_1_4c4f7db5f92765a35cfb33546560ce3b._comment
deleted file mode 100644
index fc2693f..0000000
--- a/blog/2017-04-09-montreal-bsp-report/comment_1_4c4f7db5f92765a35cfb33546560ce3b._comment
+++ /dev/null
@@ -1,11 +0,0 @@
-[[!comment format=mdwn
- ip="37.171.97.245"
- claimedauthor="Coucouf"
- subject="apt"
- date="2017-04-15T22:52:32Z"
- content="""
-And do you know that the shorter \"apt\" can be used as a nice replacement for most apt-* command ?
-apt install / apt source / apt build-dep for instance can easily replace the 3 example commands you mention in this post. You even get install progress for free with apt install.
-
-Cheers !
-"""]]

Added a comment: Style
diff --git a/blog/2017-04-09-montreal-bsp-report/comment_4_a12b985ea70e48b5a04e67b0ffa3c477._comment b/blog/2017-04-09-montreal-bsp-report/comment_4_a12b985ea70e48b5a04e67b0ffa3c477._comment
new file mode 100644
index 0000000..4577d82
--- /dev/null
+++ b/blog/2017-04-09-montreal-bsp-report/comment_4_a12b985ea70e48b5a04e67b0ffa3c477._comment
@@ -0,0 +1,10 @@
+[[!comment format=mdwn
+ ip="176.161.16.182"
+ claimedauthor="Solveig"
+ subject="Style"
+ date="2017-04-16T09:48:26Z"
+ content="""
+I think you should rephrase the sentence \"I guess that maybe half of the people were able to learn new, or improve their skills to make significant contributions. Other learned how to hunt and triage bugs in the BTS.\"
+
+As is, it means that people either made significant contributions, or triaged bugs. It's not very flattering for bug triagers.
+"""]]

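Review bot: the `ip=` field in this new comment file commits the commenter's network address next to the claimed author name into the wiki's version history, where it stays even if the comment is later removed. If the address is only needed for moderation, consider keeping it out of the committed file or truncating it before it is stored.
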
Added a comment: cleaning result dir
diff --git a/blog/2017-04-09-montreal-bsp-report/comment_3_903ab485414e0189c20a04e3bfa3a51b._comment b/blog/2017-04-09-montreal-bsp-report/comment_3_903ab485414e0189c20a04e3bfa3a51b._comment
new file mode 100644
index 0000000..3cbe0ec
--- /dev/null
+++ b/blog/2017-04-09-montreal-bsp-report/comment_3_903ab485414e0189c20a04e3bfa3a51b._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ ip="193.106.102.81"
+ claimedauthor="Krzysztof Sobiecki"
+ subject="cleaning result dir"
+ date="2017-04-16T08:29:45Z"
+ content="""
+What would be your advice to clean result directory from older versions of a currently built package? I also need to preserve older versions of few packages I build, so I hope there is a way to add an exception for them.
+"""]]

Added a comment: apt
diff --git a/blog/2017-04-09-montreal-bsp-report/comment_2_67fc8827af9690d1e3b01c49061e0bae._comment b/blog/2017-04-09-montreal-bsp-report/comment_2_67fc8827af9690d1e3b01c49061e0bae._comment
new file mode 100644
index 0000000..1eb3bdd
--- /dev/null
+++ b/blog/2017-04-09-montreal-bsp-report/comment_2_67fc8827af9690d1e3b01c49061e0bae._comment
@@ -0,0 +1,11 @@
+[[!comment format=mdwn
+ ip="37.171.97.245"
+ claimedauthor="Coucouf"
+ subject="apt"
+ date="2017-04-15T22:56:11Z"
+ content="""
+And did you know that the shorter \"apt\" can be used as a nice replacement for most apt-* command ?
+apt install / apt source / apt build-dep for instance can easily replace the 3 example commands you mention in this post. You even get install progress in the terminal for free with apt install !
+
+Cheers !
+"""]]

Added a comment: apt
diff --git a/blog/2017-04-09-montreal-bsp-report/comment_1_4c4f7db5f92765a35cfb33546560ce3b._comment b/blog/2017-04-09-montreal-bsp-report/comment_1_4c4f7db5f92765a35cfb33546560ce3b._comment
new file mode 100644
index 0000000..fc2693f
--- /dev/null
+++ b/blog/2017-04-09-montreal-bsp-report/comment_1_4c4f7db5f92765a35cfb33546560ce3b._comment
@@ -0,0 +1,11 @@
+[[!comment format=mdwn
+ ip="37.171.97.245"
+ claimedauthor="Coucouf"
+ subject="apt"
+ date="2017-04-15T22:52:32Z"
+ content="""
+And do you know that the shorter \"apt\" can be used as a nice replacement for most apt-* command ?
+apt install / apt source / apt build-dep for instance can easily replace the 3 example commands you mention in this post. You even get install progress for free with apt install.
+
+Cheers !
+"""]]

creating tag page tag/report
diff --git a/tag/report.mdwn b/tag/report.mdwn
new file mode 100644
index 0000000..19a6f90
--- /dev/null
+++ b/tag/report.mdwn
@@ -0,0 +1,4 @@
+[[!meta title="pages tagged report"]]
+
+[[!inline pages="tagged(report)" actions="no" archive="yes"
+feedshow=10]]

BSP report
diff --git a/blog/2017-04-09-montreal-bsp-report.mdwn b/blog/2017-04-09-montreal-bsp-report.mdwn
new file mode 100644
index 0000000..5e09eaf
--- /dev/null
+++ b/blog/2017-04-09-montreal-bsp-report.mdwn
@@ -0,0 +1,97 @@
+[[!meta title="Montreal Bug Squashing Party report"]]
+
+Last friday, a group of Debian users, developers and enthusiasts met
+at [Koumbit.org][] offices for a [bug squashing party][]. We were
+about a dozen people of various levels: developers, hackers and users.
+
+[bug squashing party]: https://wiki.debian.org/BSP/2017/04/ca/Montreal
+[Koumbit.org]: https://koumbit.org
+
+I gave a quick overview of Debian packaging using my
+[quick development guide][], which proved to be pretty useful. I made
+a [deb.li][] link (<https://deb.li/quickdev>) for people to be able to
+easily find the guide on their computers.
+
+[quick development guide]: https://anarc.at/software/debian-development/
+[deb.li]: https://deb.li/
+
+Then I started going through a list of different programs used to do
+Debian packaging, to try and see the level of the people attending:
+
+* `apt-get install` - everyone knew about it
+* `apt-get source` - everyone paying attention
+* `dget` - only 1 knew about it
+* `dch` - 1
+* `quilt` - about 2
+* `apt-get build-dep` - 1
+* `dpkg-buildpackage` - only 3 people
+* `git-buildpackage` / `gitpkg` - 1
+* `sbuild` / `pbuilder`
+* `dput` - 1
+* `rmadison` - 0 (the other DD wasn't paying attention anymore)
+
+So mostly skilled Debian users (they know `apt-get source`) but not
+used to packaging (they don't know about `dpkg-buildpackage`). So I
+went through the list again and explained how they all fit together
+and could be used to work on Debian packages in the context of a
+Debian release bug squashing party. This was the fastest crash course
+in Debian packaging I have ever given (and probably the first too) -
+going through those tools in about 30 minutes. I was happy to have the
+guide that people could refer to later in the back.
+
+The first question after the presentation was "how do we find bugs"?
+which led me to add links to the [UDD bugs page][] and
+[release-critical bugs page][]. I also explained the key links on top
+of the UDD page to find specific sets of bugs, and explained the
+useful "patch" filter that allows to select bugs with our without
+patch.
+
+[release-critical bugs page]: https://bugs.debian.org/release-critical
+[UDD bugs page]: https://udd.debian.org/bugs/
+
+I guess that maybe half of the people were able to learn new, or
+improve their skills to make significant contributions. Other learned
+how to hunt and triage bugs in the [BTS][].
+
+[BTS]: https://bugs.debian.org
+
+I myself learned how to use `sbuild` thanks to the excellent
+[sbuild wiki page][] which I improved upon. A friend was able to pick
+up sbuild very quickly and use it to build a package for stretch,
+which I find encouraging: my first experience with `pbuilder` was
+definitely not as good. I have therefore starting the process of
+switching my build chroots to `sbuild`, which didn't go so well on
+Jessie because I use a backported kernel, and had to use the
+backported `sbuild` as well. That required a lot of poking around, so
+I ended up just using `pbuilder` for now, but I will definitely switch
+on my home machine, and I updated the sbuild wiki page to give out
+more explanations on how to setup pbuilder.
+
+[sbuild wiki page]: https://wiki.debian.org/sbuild
+
+We worked on a bunch of bugs, and learned how to tag them as part of
+the BSP, which was documented in the [BSP wiki page][]. It seems we
+have worked on about [11 different bugs][] which is a better average
+than the last BSP that I organized, so I'm pretty happy with that.
+
+[11 different bugs]: https://bugs.debian.org/cgi-bin/pkgreport.cgi?users=debian-release@lists.debian.org;tag=bsp-2017-04-ca-montreal
+[BSP wiki page]: https://wiki.debian.org/BSP/2017/04/ca/Montreal
+
+More importantly, we got Debian people together to meet and talk, over
+delicious pizza, thanks to a sponsorship granted by the [DPL][]. Some
+people got involved in the [next DebConf][] which is also great.
+
+[next DebConf]: https://debconf17.debconf.org/
+[DPL]: https://wiki.debian.org/DebianProjectLeader
+
+On top of fixing bugs and getting people involved in Debian, my third
+goal was to have fun, and fun we certainly had. I didn't work on as
+many bugs as I expected myself, achieving only one upload in the end,
+but since I was answering so many questions left and right, I felt
+useful and that is certainly gratifying. Organization was simple
+enough: just get a place, send invites and get food, and the rest is
+just sharing knowledge and answering questions.
+
+Thanks everyone for coming, and let's do this again soon!
+
+[[!tag debian-planet bsp event report montreal debian]]
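Review bot: in the `sbuild` paragraph, the last sentence says the sbuild wiki page was updated with "more explanations on how to setup pbuilder", which reads like a slip for `sbuild` given the rest of the paragraph; please confirm which tool is meant. Smaller wording fixes in the same hunk: "I have therefore starting" should be "started", "with our without patch" should be "with or without", and "Other learned" should be "Others learned". The `sbuild` / `pbuilder` list entry is also the only one without a count.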

fix links to new manpages.d.o
diff --git a/software/debian-development.mdwn b/software/debian-development.mdwn
index c16ef41..d50ae00 100644
--- a/software/debian-development.mdwn
+++ b/software/debian-development.mdwn
@@ -15,8 +15,8 @@ existing efforts already). :/ So go see one of those:
  * [Debian New Maintainer's Guide](https://www.debian.org/doc/manuals/maint-guide/index.en.html):
    the one *I* followed originally
  * [Guide for Debian Maintainers](https://www.debian.org/doc/manuals/debmake-doc/index.en.html):
-   a new version of the above, basically using the new [debmake](https://manpages.debian.org/?query=debmake)
-   instead of [dh-make](https://manpages.debian.org/?query=dh-make),
+   a new version of the above, basically using the new [debmake](https://manpages.debian.org/debmake)
+   instead of [dh-make](https://manpages.debian.org/dh-make),
    untested
  * [Introduction to Debian packaging](https://www.debian.org/doc/manuals/packaging-tutorial/packaging-tutorial.en.pdf):
    a set of slides, a good primer for people that like slides,
@@ -48,10 +48,10 @@ This will guide you through a standardized approach to:
   unstable, backports)
 * upload packages
 
-[make]: https://manpages.debian.org/?query=make
-[uscan]: https://manpages.debian.org/?query=uscan
-[cdbs]: https://manpages.debian.org/?query=cdbs
-[debhelper]: https://manpages.debian.org/?query=debhelper
+[make]: https://manpages.debian.org/make
+[uscan]: https://manpages.debian.org/uscan
+[cdbs]: https://manpages.debian.org/cdbs
+[debhelper]: https://manpages.debian.org/debhelper
 
 Find the source
 ===============
@@ -75,7 +75,7 @@ end-to-end cryptographic integrity like the following procedure
 does. It *will* be useful, however, if you want to review the source
 code history of the package to figure out where things come from.
 
-[debcheckout]: https://manpages.debian.org/?query=debcheckout
+[debcheckout]: https://manpages.debian.org/debcheckout
 
 So to get the source code on an arbitrary package, visit the
 [package tracker][].[^tracker] In this case, we look at the
@@ -113,7 +113,7 @@ To get the Ubuntu results, I added the following line to my
 </div>
 
 [devscripts package]: https://tracker.debian.org/devscripts
-[rmadison]: https://manpages.debian.org/?query=rmadison
+[rmadison]: https://manpages.debian.org/rmadison
 [archive.debian.net]: https://archive.debian.net/
 
 What we are looking for is the [calibre_2.55.0+dfsg-1.dsc][] file, the
@@ -164,7 +164,7 @@ code, using [dget(1)][]:
     dpkg-source: info: mise en place de mips_no_build_threads.patch
     dpkg-source: info: mise en place de links-privacy.patch
 
-[dget(1)]: https://manpages.debian.org/?query=dget
+[dget(1)]: https://manpages.debian.org/dget
 
 A lot of stuff has happened here!
 
@@ -196,7 +196,7 @@ is basically just a shortcut to commands you could all have ran by
 hand. This is something useful to keep in mind to understand how this
 process works.
 
-[dscverify]: https://manpages.debian.org/?query=dscverify
+[dscverify]: https://manpages.debian.org/dscverify
 [^openpgp]: In my case, this works cleanly, but that is only because
     the key is known on my system. `dget` actually offloads that work
     to `dscverify` which looks into the official keyrings in the
@@ -278,7 +278,7 @@ There are more described in the [dch][] manpage. The
 in crafting those specific packages.
 
 [managing packages section]: https://www.debian.org/doc/manuals/developers-reference/pkgs.html
-[dch]: https://manpages.debian.org/?query=dch
+[dch]: https://manpages.debian.org/dch
 [security uploads]: https://www.debian.org/doc/manuals/developers-reference/pkgs.html#bug-security
 [non-maintainer uploads]: https://www.debian.org/doc/manuals/developers-reference/pkgs.html#nmu
 
@@ -305,7 +305,7 @@ generate a patch that will end up added to the [quilt][] patchset in
 template when creating a new patch.
 
 [patch tagging guidelines]: http://dep.debian.net/deps/dep3/
-[quilt]: https://manpages.debian.org/?query=quilt
+[quilt]: https://manpages.debian.org/quilt
 
 Applying patches
 ----------------
@@ -365,7 +365,7 @@ it. The generic command to build a Debian package is
 
     dpkg-buildpackage
 
-[dpkg-buildpackage]: https://manpages.debian.org/?query=dpkg-buildpackage
+[dpkg-buildpackage]: https://manpages.debian.org/dpkg-buildpackage
 
 [dpkg-buildpackage][] will the `.deb` file. It also creates
 *new* `.dsc`, `.debian.tar.gz` and `.changes` files.[^changes] Those
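Review bot: the context line "[dpkg-buildpackage][] will the `.deb` file", just below the changed link definition, is missing its verb (presumably "will build" or "will create"). Since this hunk already touches that spot, it would be a good place to fix the sentence too.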
@@ -378,8 +378,8 @@ files should all show up in the parent directory.
     because it also runs [lintian][] and signs the binary package with
     [debsign][].
 
-[lintian]: https://manpages.debian.org/?query=lintian
-[debsign]: https://manpages.debian.org/?query=debsign
+[lintian]: https://manpages.debian.org/lintian
+[debsign]: https://manpages.debian.org/debsign
 
 <span/><div class="tip">
 If you are building from a VCS (e.g. git) checkout, you will get a lot
@@ -391,8 +391,8 @@ complicated and less intuitive if you actually know what you are
 doing, which wasn't my case when I started.[^gitpkg]
 </div>
 
-[git-pkg]: https://manpages.debian.org/?query=git-pkg
-[git-buildpackage]: https://manpages.debian.org/?query=git-buildpackage
+[git-pkg]: https://manpages.debian.org/git-pkg
+[git-buildpackage]: https://manpages.debian.org/git-buildpackage
 [^gitpkg]: git-pkg actually only extracts a source package from your
     git tree, and nothing else. There are hooks to trigger builds and
     so on, but it's basically expected that you do that yourself, and
@@ -454,7 +454,7 @@ taste based on your requirements and available disk space. My
 `pbuilder` directory is around 7GB (including ~3GB of cached `.deb`
 packages) and each chroot is between 500MB and 700MB.
 
-[debootstrap]: https://manpages.debian.org/?query=debootstrap
+[debootstrap]: https://manpages.debian.org/debootstrap
 
 It is also useful to configure your `.pbuilderrc` to make all this
 easier to use. Noticed how long the above cowbuilder commandline is? I
@@ -495,9 +495,9 @@ you should use `-- --debbuildopts -sa` in `pdebuild`, `pbuilder` and
 commandline.
 
 [Ubuntu pbuilder Howto]: https://wiki.ubuntu.com/PbuilderHowto
-[cowdancer]: https://manpages.debian.org/?query=cowdancer
-[cowbuilder]: https://manpages.debian.org/?query=cowbuilder
-[pbuilder]: https://manpages.debian.org/?query=pbuilder
+[cowdancer]: https://manpages.debian.org/cowdancer
+[cowbuilder]: https://manpages.debian.org/cowbuilder
+[pbuilder]: https://manpages.debian.org/pbuilder
 
 Offloading: cowpoke and debomatic
 ---------------------------------
@@ -545,11 +545,11 @@ is [reproducible][] (which is not always the case!), I would still
 have to build the package locally to ensure the package was
 trustworthy.
 
-[piuparts]: https://manpages.debian.org/?query=piuparts
+[piuparts]: https://manpages.debian.org/piuparts
 [reproducible]: https://reproducible-builds.org
 [Deb-o-Matic site]: http://debomatic-amd64.debian.net/
 [debomatic]: http://debomatic.github.io/
-[cowpoke]: https://manpages.debian.org/?query=cowpoke
+[cowpoke]: https://manpages.debian.org/cowpoke
 
 Testing packages
 ================
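Review bot: the two reference links kept as context here, `[Deb-o-Matic site]: http://debomatic-amd64.debian.net/` and `[debomatic]: http://debomatic.github.io/`, still use plain `http://` while every link this patch touches is `https://`. If those hosts serve HTTPS, switch them in the same pass so that a guide about trustworthy builds does not send readers over an unauthenticated connection.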
@@ -595,7 +595,7 @@ top of the above systems.
 [KVM]: https://en.wikipedia.org/wiki/Kernel-based_Virtual_Machine
 [QCOW]: https://en.wikipedia.org/wiki/Qcow
 [Qemu]: http://qemu.org/
-[chroot]: https://manpages.debian.org/?query=chroot
+[chroot]: https://manpages.debian.org/chroot
 
 Vagrant virtual machines
 ------------------------

expand on sbuild
diff --git a/software/debian-development.mdwn b/software/debian-development.mdwn
index 735dc55..c16ef41 100644
--- a/software/debian-development.mdwn
+++ b/software/debian-development.mdwn
@@ -423,7 +423,11 @@ For this, we need more powerful tools.
 Building in a clean environment: pbuilder and cowbuilder
 --------------------------------------------------------
 
-[[!note """I've been looking at switching to [sbuild](https://wiki.debian.org/sbuild) instead of pbuilder as it's design is slightly better and it's the program running on the official buildd's. I just haven't got around to migrating just yet."""]]
+[[!note """I've been looking at switching
+to [sbuild](https://wiki.debian.org/sbuild) instead of pbuilder as
+it's design is slightly better and it's the program running on the
+official buildd's. I just haven't got around to migrating just
+yet. See the "future work" section at the bottom for details."""]]
 
 [pbuilder][] takes your source package (the `.dsc` file), and builds
 it in a clean, temporary `chroot`. To create that `.dsc` file, you can
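Review bot: the rewrapped note still carries "it's design", which should be the possessive "its design", and "I just haven't got around to migrating just yet" repeats "just". The new pointer to the "future work" section would be more robust as a link to that heading than as a quoted section name, which goes stale silently if the heading is renamed.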
@@ -805,7 +809,7 @@ isolation, look towards [qemubuilder][] or possibly kvmtool.
 [passing custom arguments to dpkg-buildpackage]: https://gitlab.com/uhoreg/whalebuilder/issues/4
 [whalebuilder]: https://www.uhoreg.ca/programming/debian/whalebuilder
 
-Apparently, I should also look at [sbuild][]
+I should also look at [sbuild][]
 again. [AskUbuntu.com has a good comparative between pbuilder and sbuild][]
 that shows they are pretty similar. The big advantage of sbuild is
 that it is the tool in use on the buildds and it's written in Perl
@@ -815,8 +819,11 @@ setting up COW semantics in sbuild (can't just plug cowbuilder there,
 need to configure overlayfs or something similar). Ubuntu folks,
 again, have [more][] [documentation][] there. Debian also has
 [extensive documentation][], especially about
-[how to configure overlays][].
+[how to configure overlays][]. I was convinced
+by [stapelberg's post on the topic][] which shows how simpler sbuild
+really is... 
 
+[stapelberg's post on the topic]: https://people.debian.org/~stapelberg/2016/11/25/build-tools.html
 [how to configure overlays]: https://wiki.debian.org/sbuild#Using_overlay_with_sbuild
 [extensive documentation]: https://wiki.debian.org/sbuild
 [documentation]: https://wiki.ubuntu.com/SimpleSbuild
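Review bot: the added line `really is... ` ends with trailing whitespace, and "shows how simpler sbuild really is" should read "how much simpler". The sentence also trails off in an ellipsis right after saying the post was convincing; saying in a few words what the post shows to be simpler would make the recommendation easier to act on.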

mention sbuild
diff --git a/software/debian-development.mdwn b/software/debian-development.mdwn
index aab2d6b..735dc55 100644
--- a/software/debian-development.mdwn
+++ b/software/debian-development.mdwn
@@ -423,6 +423,8 @@ For this, we need more powerful tools.
 Building in a clean environment: pbuilder and cowbuilder
 --------------------------------------------------------
 
+[[!note """I've been looking at switching to [sbuild](https://wiki.debian.org/sbuild) instead of pbuilder as it's design is slightly better and it's the program running on the official buildd's. I just haven't got around to migrating just yet."""]]
+
 [pbuilder][] takes your source package (the `.dsc` file), and builds
 it in a clean, temporary `chroot`. To create that `.dsc` file, you can
 use `dpkg-source -b` or simply call `pdebuild` instead of `pbuilder`,

add links to all contributions and fix broken links
diff --git a/software/contributions.mdwn b/software/contributions.mdwn
index 8639840..c640e4b 100644
--- a/software/contributions.mdwn
+++ b/software/contributions.mdwn
@@ -3,7 +3,14 @@
 Contributions au logiciel libre
 ===============================
 
-Je milite pour les logiciels libres depuis la fin des années 1990 et j'écris du logiciel libre depuis au moins 2000. Voici une liste presque exhaustive des projets libres auxquels j'ai participé. Vous pouvez également constater mon activité sur [Ohloh](https://www.ohloh.net/accounts/anarcat) ou [CIA.vc](http://cia.vc/stats/author/anarcat).
+Je milite pour les logiciels libres depuis la fin des années 1990 et
+j'écris du logiciel libre depuis au moins 2000. Voici une liste
+presque exhaustive des projets libres auxquels j'ai participé. Vous
+pouvez également constater mon activité
+sur
+[Ohloh](https://www.ohloh.net/accounts/anarcat),
+[Gitlab](https://gitlab.com/users/anarcat/projects)
+ou [Github](https://github.com/anarcat/).
 
 Auteur principal
 ----------------
@@ -19,7 +26,6 @@ Actifs:
  * [bup-cron](https://github.com/anarcat/bup-cron), a wrapper
    around [bup](https://bup.github.io/)
  * [[a set of packages to install on debian|mytasks.desc]]
- * [[ikiwiki-osm|ikiwiki-osm/README]] - OpenStreetMap and Ikiwiki integration
 
 Inactifs:
 
@@ -27,7 +33,7 @@ Inactifs:
  * [PHPTimetracker](http://phptimetracker.sf.net/), which included an ORM for PHP as far back as 2004
  * [decisions](http://drupal.org/project/decisions) (with others)
  * [worldtools](http://www.freshports.org/sysutils/worldtools)
- * numerous house-made shell scripts (source: git://src.anarcat.ath.cx/scripts.git)
+ * [numerous house-made shell scripts](https://gitlab.com/anarcat/scripts)
  * [[bksh|bksh.en.html]]: un "backup shell" [rs]sh, très sécuritaire, très pratique
  * [[rec|rec.en.html]]: un outil pour enregistrer de l'audio PCM d'un système compatible OSS, sur UNIX
  * [[reverse engineering of the LastFM protocol|LastFmReverseEngineering]]
@@ -82,41 +88,43 @@ Patches
 
 On top of the above, I sent small patches to tens of projects including:
 
- * apt-src
- * darktable
- * drupal
- * feed2tweet
- * freebsd
- * git-annex
- * gmpc
- * ibid
- * ikiwiki
+ * [apt-src](https://tracker.debian.org/pkg/apt-src)
+ * [Darktable](http://www.darktable.org/)
+ * [Drupal](https://drupal.org/)
+ * [feed2tweet](https://github.com/chaica/feed2tweet/)
+ * [FreeBSD](https://freebsd.org/)
+ * [git-annex](https://git-annex.branchable.com/)
+ * [Gitlab](https://gitlab.com/)
+ * [gmpc](https://github.com/DaveDavenport/gmpc/)
+ * [ibid](http://ibid.omnia.za.net/)
+ * [ikiwiki](https://ikiwiki.info/)
    * Open Street Map integration ([osm plugin](http://ikiwiki.info/plugins/osm/))
    * mediawiki to ikiwiki converter ([discussion](http://ikiwiki.info/tips/convert_mediawiki_to_ikiwiki/discussion))
    * the theme for this blog ([[Night City|night_city/README]])
    * some [documentation](http://ikiwiki.info/todo/themes_should_ship_with_templates)
    * and tons of bug reports, see [my home* there](http://ikiwiki.info/users/anarcat/) for more info
- * ikiwiki-hosting
+ * [ikiwiki-hosting](http://ikiwiki-hosting.branchable.com/)
    * [ipv6/NAT issues](http://ikiwiki-hosting.branchable.com/bugs/ipv6_should_be_priority/)
    * [other contribusions](http://ikiwiki-hosting.branchable.com/users/anarcat/)
- * irssi-xmpp
- * kodi
- * ledger
- * ledgersmb
- * loreley
- * moinmoin
- * monkeysphere
- * mpd
+ * [irssi-xmpp](http://cybione.org/~irssi-xmpp/)
+ * [kodi](https://kodi.tv/)
+ * [ledger](http://ledger-cli.org/)
+ * [LedgerSMB](https://ledgersmb.org/)
+ * [loreley](https://wiki.koumbit.net/action/recall/LoreleyHowto?action=recall&rev=2)
+ * [MoinMoin](https://moinmo.in/)
+ * [Monkeysphere](http://monkeysphere.info/)
+ * [MPD](https://www.musicpd.org/)
  * [[noping|blog/2013-12-03-announcing-prettier-noping]]
- * notmuch
- * puppet
- * pwsafe
- * quodlibet
- * redmine
- * relaxx
- * restic
- * rox
- * spip
+ * [Notmuch](https://notmuchmail.org/)
+ * [Puppet](https://puppet.com/)
+ * [pwsafe](https://www.pwsafe.org/)
+ * [Quodlibet](https://quodlibet.readthedocs.io/en/latest/)
+ * [Redmine](http://www.redmine.org/)
+ * [Relaxx](http://relaxx.dirk-hoeschen.de/)
+ * [Restic](http://restic.readthedocs.io/en/latest/)
+ * [ROX](http://rox.sourceforge.net/)
+ * [SPIP](http://www.spip.net/)
+ * [xmonad](http://xmonad.org/)
  * and probably countless others, see [[tag/monthly-report]] for my
    monthly reports about those activities
 
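Review bot: many of the links added in this list use plain `http://` (Darktable, ibid, ikiwiki-hosting, irssi-xmpp, ledger, Monkeysphere, Redmine, Relaxx, Restic, ROX, SPIP, xmonad) while others in the same hunk use `https://`; prefer HTTPS wherever the site offers it. The loreley entry points at a pinned wiki revision (`action=recall&rev=2`) rather than the current page, and the Gitlab and xmonad entries are new list items rather than links added to existing ones, which the commit message does not mention. The context line "other contribusions" also has a typo that could be fixed here.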

add patch for better toc
diff --git a/services/wiki.mdwn b/services/wiki.mdwn
index 78d0895..c76b800 100644
--- a/services/wiki.mdwn
+++ b/services/wiki.mdwn
@@ -148,6 +148,7 @@ On any given upgrade, the following patches need to be applied:
 
 There are two patches left:
 
+ * [[!iki todo/toc-with-human-readable-anchors]]
  * [[!iki todo/git-annex_support]]
  * [[!iki todo/admonitions]]
 
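Review bot: the context line above the list still says "There are two patches left:" but the list has three entries after this addition. Update the count, or drop the number so the sentence does not need editing each time the list changes.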
@@ -160,6 +161,12 @@ To apply this patch:
     git rebase $release dev/git-annex-support
     git diff $release..dev/git-annex-support | ( cd /usr/share/perl5 ; sudo patch -p1 --dry-run )
     git diff $release..dev/git-annex-support | ( cd /usr/share/perl5 ; sudo patch -p1 )
+    git rebase $release toc-id-recycle
+    git diff $release..toc-id-recycle | ( cd /usr/share/perl5 ; sudo patch -p1 --dry-run )
+    git diff $release..toc-id-recycle | ( cd /usr/share/perl5 ; sudo patch -p1  )
+    git rebase $release i18n-headinganchors
+    git diff $release..i18n-headinganchors | ( cd /usr/share/perl5 ; sudo patch -p1 --dry-run )
+    git diff $release..i18n-headinganchors | ( cd /usr/share/perl5 ; sudo patch -p1  )
     # not sure about that rebase
     git rebase origin/master admonitions
     git diff origin/master..admonitions IkiWiki/Plugin/admonition.pm | ( cd /usr/share/perl5 ; sudo patch -p1 --dry-run )
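Review bot: one list entry (`todo/toc-with-human-readable-anchors`) was added, but this hunk applies two branches, `toc-id-recycle` and `i18n-headinganchors`, and nothing says how they map to that entry or whether both are required. Unlike `dev/git-annex-support`, the new branch names have no `dev/` prefix, so please confirm they exist under those names. Because the patches are applied one after another to the same `/usr/share/perl5` tree, each `--dry-run` only validates against the tree as already modified by the earlier patches, which is worth stating in the procedure. The two new non-dry-run lines also have a stray double space in `patch -p1  )`.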

expand on rainloop settings
diff --git a/services/mail.mdwn b/services/mail.mdwn
index 911a184..fdabba3 100644
--- a/services/mail.mdwn
+++ b/services/mail.mdwn
@@ -510,21 +510,25 @@ Then I setup rainloop, which is disturbingly easy:
     mkdir /var/www/rainloop
     unzip rainloop-latest.zip -d /var/www/rainloop
     
-Then I visited the admin page (`/?admin`), changed the password and
-setup a "wildcard" (`*`) domain to allow logging in without a domain
-name ("use short login"). I also enabled SSL verification and disabled
-self-signed certs in the "Security" section.
-
-Other settings enabled:
+Then I visited the admin page (`/?admin`) and made the following
+changes:
 
  * General:
    * Disallow additional accounts
  * Domains:
    * Disabled gmail
-   * Added wildcard (see above)
+   * Added wildcard domain (`*`) with:
+     * Use short login (both IMAP and SMTP, to avoid having to enter
+     the domain
+     * SSL/TLS security (on IMAP, not SMTP, as I want to deliver
+     without credentials locally)
+     * SMTP: localhost
  * Security:
    * local proxying for external images
    * Allow 2-step verification (untested)
+   * Changed admin password
+   * Require verification of SSL certificate used
+   * Disallow self signed certificates
  * Login:
    * Try to determine user domain (unchecked)
  * Contacts:
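Review bot: the new "Use short login" item opens a parenthesis that is never closed (`(both IMAP and SMTP, to avoid having to enter the domain`), and its continuation line is indented to the bullet rather than under the item text, which may break the nested list when rendered. The "SSL/TLS security (on IMAP, not SMTP ...)" item should also say that the unencrypted, credential-free SMTP path is acceptable only because SMTP is set to `localhost`, so the reasoning is not lost if the SMTP host is ever changed.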

rainloop config
diff --git a/services/mail.mdwn b/services/mail.mdwn
index fde8c97..911a184 100644
--- a/services/mail.mdwn
+++ b/services/mail.mdwn
@@ -444,3 +444,92 @@ when the cert is renewed. I use those simple symlink:
 
 I also configured filtering and many more things that are documented
 in [[blog/2016-05-12-email-setup]].
+
+Webmail
+=======
+
+Yes, people like that thing. Even *I* like that thing now, because I
+want to be able to look at my mail without a full IMAP client or
+logging in through SSH.
+
+I started testing [Rainloop](http://www.rainloop.net/), a minimalist
+webmail client. It does require PHP which sucks, but is way easier to
+setup than Roundcube and supports mobile very well, while at the same
+time allowing all the great features you'd expect (sieve, contact
+lists, search, etc).
+
+First part was to setup PHP. I used PHP-FPM to try to avoid the bloat
+associated with `mod_php`. I did this with:
+
+    apt install php5-fpm
+    a2enmod proxy_fcgi
+
+Then I created the following config:
+
+    <VirtualHost *:80>
+        ServerName mail.anarc.at
+        ServerAlias imap.anarc.at smtp.anarc.at submission.anarc.at
+        Redirect / https://mail.anarc.at/
+    </VirtualHost>
+    
+    <VirtualHost *:443>
+        ServerName mail.anarc.at
+        ServerAlias imap.anarc.at smtp.anarc.at submission.anarc.at
+        DocumentRoot /var/www/mail.anarc.at/
+    
+        DirectoryIndex /index.php index.php 
+        ProxyPassMatch ^/(.*\.php(/.*)?)$ unix:/var/run/php5-fpm.sock|fcgi://localhost/var/www/mail.anarc.at
+
+        # protect rainloop configs
+        <Directory /var/www/mail.anarc.at/data>
+            Options -FollowSymLinks
+            AllowOverride None
+            <IfVersion >= 2.3>
+              Require all denied
+            </IfVersion>
+            <IfVersion < 2.3>
+              Order allow,deny
+              Deny from all
+            </IfVersion>
+        </Directory>
+    <VirtualHost>
+
+Then I setup the cert with [[!debpkg certbot]]:
+
+    certbot certonly --domains mail.anarc.at,imap.anarc.at,smtp.anarc.at,submission.anarc.at --webroot --webroot-path /var/www/mail.anarc.at
+
+... and added the following to the above vhost:
+
+        SSLCertificateFile /etc/letsencrypt/live/mail.anarc.at/cert.pem
+        SSLCertificateKeyFile /etc/letsencrypt/live/mail.anarc.at/privkey.pem
+        SSLCertificateChainFile /etc/letsencrypt/live/mail.anarc.at/chain.pem
+
+Then I setup rainloop, which is disturbingly easy:
+
+    wget http://www.rainloop.net/repository/webmail/rainloop-community-latest.zip
+    mkdir /var/www/rainloop
+    unzip rainloop-latest.zip -d /var/www/rainloop
+    
+Then I visited the admin page (`/?admin`), changed the password and
+setup a "wildcard" (`*`) domain to allow logging in without a domain
+name ("use short login"). I also enabled SSL verification and disabled
+self-signed certs in the "Security" section.
+
+Other settings enabled:
+
+ * General:
+   * Disallow additional accounts
+ * Domains:
+   * Disabled gmail
+   * Added wildcard (see above)
+ * Security:
+   * local proxying for external images
+   * Allow 2-step verification (untested)
+ * Login:
+   * Try to determine user domain (unchecked)
+ * Contacts:
+   * Enable contacts
+   * Type: SQLite
+
+That must be one of the simplest webapp install I've seen, considering
+the complexity of this thing. Bravo!
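Review bot: the second vhost in the Apache example is closed with `<VirtualHost>` instead of `</VirtualHost>`, so the configuration as written will not parse. The install commands are also inconsistent: `wget` fetches `rainloop-community-latest.zip` but `unzip` is given `rainloop-latest.zip`, and the archive is unpacked into `/var/www/rainloop` while the vhost's `DocumentRoot` and the protected `data` directory are under `/var/www/mail.anarc.at`. Finally, the archive is downloaded over plain `http://` and unpacked into a web-served directory with no integrity check; fetch it over HTTPS and verify it against a checksum or signature if upstream publishes one.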

creating tag page tag/montreal
diff --git a/tag/montreal.mdwn b/tag/montreal.mdwn
new file mode 100644
index 0000000..7886c97
--- /dev/null
+++ b/tag/montreal.mdwn
@@ -0,0 +1,4 @@
+[[!meta title="pages tagged montreal"]]
+
+[[!inline pages="tagged(montreal)" actions="no" archive="yes"
+feedshow=10]]

creating tag page tag/event
diff --git a/tag/event.mdwn b/tag/event.mdwn
new file mode 100644
index 0000000..34dfcf6
--- /dev/null
+++ b/tag/event.mdwn
@@ -0,0 +1,4 @@
+[[!meta title="pages tagged event"]]
+
+[[!inline pages="tagged(event)" actions="no" archive="yes"
+feedshow=10]]

creating tag page tag/announcement
diff --git a/tag/announcement.mdwn b/tag/announcement.mdwn
new file mode 100644
index 0000000..066ab20
--- /dev/null
+++ b/tag/announcement.mdwn
@@ -0,0 +1,4 @@
+[[!meta title="pages tagged announcement"]]
+
+[[!inline pages="tagged(announcement)" actions="no" archive="yes"
+feedshow=10]]

creating tag page tag/bsp
diff --git a/tag/bsp.mdwn b/tag/bsp.mdwn
new file mode 100644
index 0000000..ecfb262
--- /dev/null
+++ b/tag/bsp.mdwn
@@ -0,0 +1,4 @@
+[[!meta title="pages tagged bsp"]]
+
+[[!inline pages="tagged(bsp)" actions="no" archive="yes"
+feedshow=10]]

announce upcoming BSP
diff --git a/blog/2017-04-09-montreal-bsp.mdwn b/blog/2017-04-09-montreal-bsp.mdwn
new file mode 100644
index 0000000..ba0230b
--- /dev/null
+++ b/blog/2017-04-09-montreal-bsp.mdwn
@@ -0,0 +1,92 @@
+[[!meta title="Contribute your skills to Debian in Montreal, April 14 2017"]]
+
+Join us in **Montreal, on April 14 2017**, and we will find a way in
+which *you* can help Debian with your current set of skills! You might
+even learn one or two things in passing (but you don't have to).
+
+[Debian][1] is a [free][2] operating system for your computer. An
+operating system is the set of basic programs and utilities that make
+your computer run. Debian comes with dozens of thousands of packages,
+precompiled software bundled up for easy installation on your
+machine. A number of other operating systems, such as [Ubuntu][3]
+and [Tails][4], are based on Debian.
+
+[1]: https://www.debian.org/
+[2]: https://www.debian.org/intro/free
+[3]: https://www.ubuntu.com/
+[4]: https://tails.boum.org/
+
+The **upcoming version of Debian, called Stretch**, will be released
+later this year. We need you to help us make it awesome :)
+
+Whether you're a computer user, a graphics designer, or a bug triager,
+there are many ways **you can contribute** to this effort. We also
+welcome experience in consensus decision-making, anti-harassment
+teams, and package maintenance. No effort is too small and whatever
+you bring to this community will be appreciated.
+
+Here's what we will be doing:
+
+ * We will **triage bug reports** that are blocking the release of the
+   upcoming version of Debian.
+
+ * Debian package maintainers will **fix some of these bugs**.
+
+[[!toc]]
+
+Goals and principles
+====================
+
+This is a **work in progress**, and a statement of intent. Not
+everything is organized and confirmed yet.
+
+We want to bring together a **heterogeneous group of people**. This
+goal will guide our handling of sponsorship requests, and will help us
+make decisions if more people want to attend than we can welcome
+properly. In other words: if you're part of a group that is currently
+under-represented in computer communities, we would like you to be
+able to attend.
+
+We are committed to providing a **friendly, safe and welcoming
+environment** for all, regardless of level of experience, gender,
+gender identity and expression, sexual orientation, disability,
+personal appearance, body size, race, ethnicity, age, religion,
+nationality, or other similar personal characteristic. Attending this
+event requires reading and respecting the [Debian Code of Conduct][5],
+that sets the standards in terms of behaviour for the whole event,
+including communication (public and private) before, while and after.
+
+[5]: https://www.debian.org/code_of_conduct.en.html
+
+The space where this event will take place is unfortunately **not
+accessible** to wheelchairs. **Food** (including vegetarian options)
+should be provided for lunch. If you have any specific needs regarding
+food, please let us know when registering, and we will do our best.
+
+What we will be doing
+=====================
+
+This will be an informal session to confirm and fix bugs in Debian. If
+you have never worked with Debian packages, this is a good opportunity
+to learn about packaging and bugtracker usage.
+
+Bugs flagged as *Release Critical* are blocking the release of the
+upcoming version of Debian. To fix them, it helps to make sure the bug
+report documents the up-to-date status of the bug, and of its
+resolution. One does not need to be a programmer to do this work! For
+example, you can try and reproduce bugs in software you use... or in
+software you will discover. This helps package maintainers better
+focus their work.
+
+We will also try to actually fix bugs by testing patches and uploading
+fixes into Debian itself. Antoine Beaupré, a seasoned Debian
+developer, will be available to sponsor uploads and teach people about
+basic Debian packaging skills.
+
+Where? When? How to register?
+=============================
+
+See <https://wiki.debian.org/BSP/2017/04/ca/Montreal> for the exact
+address and time.
+
+[[!tag debian-planet bsp event announcement news montreal debian]]
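Review bot: the introduction's "Here's what we will be doing:" list is repeated by the later "What we will be doing" section, with `[[!toc]]` sitting between them in the middle of the page; consider moving the table of contents to the top and keeping the detail in one place. "dozens of thousands of packages" reads better as "tens of thousands", and "before, while and after" as "before, during and after". The food paragraph asks people to state their needs "when registering", but the registration section only points at the wiki page for the address and time, so it should say how to register.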

add more software from my workstation
diff --git a/software/mytasks.desc b/software/mytasks.desc
index 28fef26..15eef07 100644
--- a/software/mytasks.desc
+++ b/software/mytasks.desc
@@ -14,13 +14,16 @@ Section: user
 Description: Anarcat's dev tools
  Mostly VCS tools, emacs, emulation tools and emulators.
 Packages: list
+ adb
  apt-file
  apt-listbugs
  aptitude
  bzr
+ build-essential
  cdbs
  curl
  colordiff
+ cvs
  debian-el
  debian-installer-9-netboot-amd64
  syslinux-efi
@@ -33,22 +36,30 @@ Packages: list
  emacs-goodies-el
  emacs25
  emacs25-common-non-dfsg
+ fastboot
  flake8
+ gdb
  git
  git-annex
  git-buildpackage
  git-email
+ git-extras
  git-svn
+ gocode
  golang
  golang-mode
  golint
  graphviz
  haskell-mode
  stylish-haskell
+ icdiff
  ikiwiki
+ ikiwiki-hosting-common
  info
  jq
  libterm-readkey-perl
+ libtext-bibtex-perl
+ libsearch-xapian-perl
  linkchecker
  make-doc
  mercurial
@@ -74,14 +85,23 @@ Packages: list
  python-wheel
  python-setuptools
  python-setuptools-scm
+ python-sphinx
+ python-sphinx-rtd-theme
+ python3-sphinx
+ python3-sphinx-rtd-theme
+ python-ttystatus
  twine
  qemu
+ qemu-kvm
  quilt
  sqlitebrowser
  subversion
  time
  twine
+ vagrant
+ valgrind
  vim
+ virtualbox
  wget
 
 Task: anarcat-desktop
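Review bot: `twine` appears twice in this package list (once after the new `python-ttystatus` line and again after `time`), and the hunk adds entries around both copies without dropping one. Remove the second `twine` while the list is being touched.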
@@ -89,6 +109,7 @@ Section: user
 Description: Anarcat's desktop setup
  Shitload of stuff that doesn't fit anywhere else.
 Packages: list
+ apksigner
  arandr
  aspell-fr
  calibre
@@ -102,6 +123,7 @@ Packages: list
  firefox
  fonts-roboto
  fortunes
+ gajim
  gameclock
  gnutls-bin
  hledger
@@ -126,12 +148,14 @@ Packages: list
  notmuch-emacs
  oathtool
  offlineimap
+ openjdk-8-jdk-headless
  openntpd
  parcimonie
  pavucontrol
  pass
  pcscd
  picard
+ pidgin
  pmount
  pinentry-qt
  python-certifi
@@ -153,11 +177,18 @@ Packages: list
  verbiste
  verbiste-gnome
  workrave
+ xkbset
+ xprintidle
  xkcdpass
  xmobar
+ libghc-xmonad-dev
+ libghc-xmonad-contrib-dev
+ libghc-xmonad-extras-dev
+ libghc-taffybar-dev
  xmonad
  xplanet
  xscreensaver
+ xterm
  xul-ext-zotero
  zotero-standalone
 
@@ -180,27 +211,36 @@ Description: Anarcat's sysadmin tools
  .
 Packages: list
  apacheutils
+ apt-transport-https
+ asciinema
  borgbackup
  borgbackup-doc
+ bup
  ccze
  curl
  dnsutils
  etckeeper
  gparted
  hdparm
+ hopenpgp-tools
  i7z
  iftop
  ioping
  ipcalc
+ libu2f-host0
  memtest86+
+ moreutils
  mtr-tiny
  netcat
+ netcat-openbsd
+ netdata
  nmap
  oping
  passwdqc
  powertop
  pv
  pwgen
+ restic
  rsync
  sdparm
  siege
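Review bot: `netcat-openbsd` is added directly under the existing `netcat` entry, so the sysadmin task now pulls in two netcat packages. If the OpenBSD variant is the one wanted, replace `netcat` instead of listing both, so it is clear which implementation `nc` resolves to on a machine installed from this task.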
@@ -208,11 +248,15 @@ Packages: list
  socat
  sshfs
  strace
+ stressant
  swaks
  tcpdump
  tor
  tuptime
  whois
+ wireshark
+ xterm
+ yubikey-personalization
 
 Task: anarcat-comms
 Section: user
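Review bot: `xterm` is added here to the sysadmin list and also to the anarcat-desktop list earlier in the same patch. Listing it twice is harmless at install time, but pick the task it belongs to so that removing it later only needs one edit.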
@@ -248,6 +292,7 @@ Packages: list
  gmpc
  gmpc-plugins
  gtk-recordmydesktop
+ kdenlive
  mediainfo
  mpc
  mpdtoys

comment about signal
diff --git a/blog/2017-03-30-free-software-activities-march-2017/comment_4_8b63e3b24793c7a1588c456544485dd2._comment b/blog/2017-03-30-free-software-activities-march-2017/comment_4_8b63e3b24793c7a1588c456544485dd2._comment
new file mode 100644
index 0000000..71e735c
--- /dev/null
+++ b/blog/2017-03-30-free-software-activities-march-2017/comment_4_8b63e3b24793c7a1588c456544485dd2._comment
@@ -0,0 +1,30 @@
+[[!comment format=mdwn
+ username="anarcat"
+ subject="""The problems with Signal"""
+ date="2017-04-05T21:58:05Z"
+ content="""
+Really, I could not have said it better myself. Signal has tons of
+problems, as you so clearly pointed out.
+
+I've been meaning to write about Signal for a long time, and this was
+just an activity blurb, not an endorsement statement... I should
+really just bite the bullet and do it, but things are changing fast
+and comments get old quickly, even in the XMPP world. For the record,
+I had written a short summary of my concerns with Signal
+[[here|hardware/phone/htc-one-s/#index15h2]] of which certain issues
+still remain relevant.
+
+The biggest concern I have with Signal right now is the use of phone
+numbers *especially* in the case of group chat. For example, once
+someone adds you to a group chat (and you can't refuse), your phone
+number gets leaked to everyone else in that group. Arguably, someone
+could leak your phone number to all their contacts without your
+knowledge of course, but this may not be an obvious consequence to
+Signal users. And there are other issues with the group chat: you
+can't kick anyone out and there's zero moderation, but I guess they
+wanted to keep this simple...
+
+So I think that Signal is great, but could really be improved in a lot
+of places. Unfortunately, the main alternative (XMPP?) has critical
+usability issues that Signal is actively solving, sometimes at a cost
+of privacy..."""]]
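Review bot: the link `[[here|hardware/phone/htc-one-s/#index15h2]]` targets a generated heading anchor (`index15h2`), which depends on the heading's position in that page. Any heading added or removed above it will silently retarget the link to a different section; link to the page and name the section in the text ("Why I do not recommend Signal...") so the reference survives edits.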

Added a comment: Signal
diff --git a/blog/2017-03-30-free-software-activities-march-2017/comment_3_fe8770ea59f7a766de8e4e4fe0cb459c._comment b/blog/2017-03-30-free-software-activities-march-2017/comment_3_fe8770ea59f7a766de8e4e4fe0cb459c._comment
new file mode 100644
index 0000000..4a57219
--- /dev/null
+++ b/blog/2017-03-30-free-software-activities-march-2017/comment_3_fe8770ea59f7a766de8e4e4fe0cb459c._comment
@@ -0,0 +1,16 @@
+[[!comment format=mdwn
+ ip="77.12.129.113"
+ claimedauthor="Martin"
+ subject="Signal"
+ date="2017-04-03T20:50:58Z"
+ content="""
+Too me, it is a very sad thing, if people use or promote Signal, but I understand very well, that it is hard to avoid in some cases.
+
+ - Signal excludes people, who refuse to use a mobile phone or a \"smart\" phone, but prefer a system running a free operating system, such as Debian. Note, that XMPP, Matrix etc. have free clients for most operating systems and different use cases, e.g. console clients.
+
+ - Signal uses phone numbers as ids. This is wrong in so many ways, that I don't know where to start. Not only, that phone numbers are hard to hash securely, in many countries anonymous SIMs are outlawed already and landline isn't anonymous neither. Also, it is difficult to create different accounts for different things, etc. Neither XMPP nor Matrix have this problem.
+
+ - Signals server is centralised. If you want to change the code, you can do it, but you cannot practically run the changed (or unchanged) version, because nobody would use it. If you want to run a server in a different country, you can't do it. Again, XMPP and Matrix do this right.
+
+We really need to work on free, federated real-time communication, that is usable for everyone, even our non-geek families :~)
+"""]]
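Review bot: the committed comment keeps the poster's address in the `ip=` field next to `claimedauthor="Martin"`, and this file becomes part of the wiki's published history. If the address is only kept for spam handling, strip or truncate it before the comment is committed.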

mention more explicitly my signal keys changed
diff --git a/blog/2017-03-30-free-software-activities-march-2017.mdwn b/blog/2017-03-30-free-software-activities-march-2017.mdwn
index 6913633..78215d9 100644
--- a/blog/2017-03-30-free-software-activities-march-2017.mdwn
+++ b/blog/2017-03-30-free-software-activities-march-2017.mdwn
@@ -301,10 +301,11 @@ people to distribute an [official copy of Signal][] outside of the
 playstore.
 
 After much struggling, I was able to upgrade to this official client
-(not before reinstalling and registering, which unfortunately changed
-my secret keys) and will be able to upgrade easily by just downloading
-the APK. I do hope Signal enters F-Droid one day, but it could take a
-while because it still [doesn't work without Google services][]
+and will be able to upgrade easily by just downloading the APK. (Do
+note that I ended up reinstalling and re-registering Signal, which
+unfortunately [changed my secret keys](https://anarc.at/signal.txt).)
+I do hope Signal enters F-Droid one day, but it could take a while
+because it still [doesn't work without Google services][]
 and [barely works][] with [MicroG][], the free software alternative to
 the Google services clients. Moxie also set a list of requirements
 like crash reporting and statistics that need to be implemented on
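Review bot: the new link on `changed my secret keys` points at `signal.txt` without saying what that file is. The file is a PGP-signed statement, so say so in the sentence and tell readers to check the signature rather than rely on the web page. The wording also differs from the statement itself, which talks about "safety numbers"; use the same term in both places so contacts know what to compare.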

response on key location
diff --git a/blog/2017-03-30-free-software-activities-march-2017/comment_2_e51083b7c1a00823cdf6b59dd64e389c._comment b/blog/2017-03-30-free-software-activities-march-2017/comment_2_e51083b7c1a00823cdf6b59dd64e389c._comment
new file mode 100644
index 0000000..b2a1697
--- /dev/null
+++ b/blog/2017-03-30-free-software-activities-march-2017/comment_2_e51083b7c1a00823cdf6b59dd64e389c._comment
@@ -0,0 +1,23 @@
+[[!comment format=mdwn
+ username="anarcat"
+ subject="""key location"""
+ date="2017-04-02T13:28:32Z"
+ content="""
+Maybe this should be made a little more explicit in the spec... We do touch on this later when we mention:
+
+> When using this configuration, the system administrator SHOULD
+> ensure that all other repositories on the system have an explicit
+> Signed-By option, so that the derivative's key is not capable of
+> impersonating other archives.
+
+As I mentioned in the blog post here, posting new keys to `/etc` is a
+security issue: it allows that key to impersonate the regular Debian
+archives, something which we definitely want to avoid! Only Debian.org-managed keys should end up there.
+
+You are correct in pointing out those keys should be managed by a package. As the spec mentions:
+
+> Keys updates SHOULD be distributed by a Debian package called
+> deriv-archive-keyring.
+
+So downloading them in that location is merely to bootstrap the process of downloading that package, and we explicitly recommend instructions include downloading that package as part of the setup process.
+"""]]
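Review bot: "posting new keys to `/etc`" does not name the directory that is the problem, and the question being answered mentions several `/etc/apt/` paths that are fine to use. Spell out which key location under `/etc` makes a key trusted for every archive, and contrast it with the `Signed-By` arrangement quoted from the spec, so the security argument can be followed without reading the blog post first.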

fix shortcut, thanks pabs
diff --git a/blog/2017-03-30-free-software-activities-march-2017.mdwn b/blog/2017-03-30-free-software-activities-march-2017.mdwn
index 70e6aae..6913633 100644
--- a/blog/2017-03-30-free-software-activities-march-2017.mdwn
+++ b/blog/2017-03-30-free-software-activities-march-2017.mdwn
@@ -387,8 +387,8 @@ of both the stable and Red Hat security teams by marking this
 "no-dsa". I similiarly reviewed the [[!debpkg mp3splt]] [[!debcve
 mp3splt desc="security issues"]] (specifically [[!debcve
 CVE-2017-5666]]) and was fairly puzzled by [that issue][], which seems
-to be triggered only the same [[!wikipedia AddressSanitizer
-desc="address sanitization]] extensions than PCRE, although there was
+to be triggered only the same [[!wikipedia AddressSanitizer 
+desc="address sanitization"]] extensions than PCRE, although there was
 some pretty wild interplay with debugging flags in there. All in all,
 it seems we can't reproduce that issue in wheezy, but I do not feel
 confident enough in the results to push that issue aside for now.
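Review bot: the added line `+to be triggered only the same [[!wikipedia AddressSanitizer ` ends in a trailing space that the line it replaces did not have. The fix itself (closing the quote in `desc="address sanitization"`) is right; drop the stray whitespace. The surrounding context still has "similiarly" and "only the same ... than PCRE", which could be corrected in the same pass.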

Added a comment: key location
diff --git a/blog/2017-03-30-free-software-activities-march-2017/comment_1_56dc589e2cef904d86873fc51d04d065._comment b/blog/2017-03-30-free-software-activities-march-2017/comment_1_56dc589e2cef904d86873fc51d04d065._comment
new file mode 100644
index 0000000..e327d1f
--- /dev/null
+++ b/blog/2017-03-30-free-software-activities-march-2017/comment_1_56dc589e2cef904d86873fc51d04d065._comment
@@ -0,0 +1,7 @@
+[[!comment format=mdwn
+ ip="95.1.137.160"
+ subject="key location"
+ date="2017-04-02T11:02:34Z"
+ content="""
+Really good step forward regarding adding third party repositories to a system. I wonder though why does the key must be placed in /usr/share/keyrings and not inside /etc/. Placing them in /usr feels wrong because it doesn't belong to a package, not managed by apt but instead manually added to the system alongside with the other files in /etc/apt/sources.list.d and /etc/apt/preferences.
+"""]]

fix 3 more links
the security tracker doesn't like bare DLA links
diff --git a/blog/2017-03-30-free-software-activities-march-2017.mdwn b/blog/2017-03-30-free-software-activities-march-2017.mdwn
index d501461..70e6aae 100644
--- a/blog/2017-03-30-free-software-activities-march-2017.mdwn
+++ b/blog/2017-03-30-free-software-activities-march-2017.mdwn
@@ -396,13 +396,12 @@ confident enough in the results to push that issue aside for now.
 [that issue]: https://blogs.gentoo.org/ago/2017/01/29/mp3splt-invalid-free-in-free_options-options_manager-c/
 
 I finally uploaded the pending [[!debpkg graphicsmagick]] [[!debcve
-graphicsmagick desc="issue"]] ([[!debcve DLA-547-2]]), a regression
+graphicsmagick desc="issue"]] ([DLA-547-2](https://security-tracker.debian.org/DLA-547-2)), a regression
 update to fix a crash that was introduced in the previous release
-([[!debcve DLA-547-1]], mistakenly named [[!debcve
-DLA-574-1]]). Hopefully that release should clear up some of the
+([DLA-547-1](https://security-tracker.debian.org/DLA-547-1), mistakenly named [DLA-574-1](https://security-tracker.debian.org/DLA-574-1)). Hopefully that release should clear up some of the
 confusion and fix the regression.
 
-I also released [[!debcve DLA-879-1]] for the [[!debcve CVE-2017-6369]] in
+I also released [DLA-879-1](https://security-tracker.debian.org/DLA-879-1) for the [[!debcve CVE-2017-6369]] in
 [[!debpkg firebird2.5]] which was an interesting experiment:
 I [couldn't reproduce the issue][] in a local VM. After following
 the [Ubuntu setup tutorial][], as I wasn't too familiar with the
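Review bot: the three DLA references are replaced with hand-written `https://security-tracker.debian.org/DLA-...` links, which repeats the base URL on every use and pushes two lines far past the wrap width of the rest of the file. If the `debcve` shortcut cannot take DLA identifiers, define a separate shortcut for DLAs and use that, so the next tracker URL change is a one-line fix.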

fix two links
diff --git a/blog/2017-03-30-free-software-activities-march-2017.mdwn b/blog/2017-03-30-free-software-activities-march-2017.mdwn
index b6969c7..d501461 100644
--- a/blog/2017-03-30-free-software-activities-march-2017.mdwn
+++ b/blog/2017-03-30-free-software-activities-march-2017.mdwn
@@ -425,8 +425,8 @@ I have also done some "meta" work in starting a [[!debmsg
 87inmtb1vw.fsf@curie.anarc.at desc="discussion about fixing the
 missing DLA links in the tracker"]], as you will notice all of the
 above links lead to nowhere. Thanks to [pabs][], there are now *some*
-links but unfortunately there are [[!debmsg 859122 desc="about 500
-DLAs missing from the website"]]. We also discussed ways to [[!debmsg
+links but unfortunately there are [[!debbug 859122 desc="about 500
+DLAs missing from the website"]]. We also discussed ways to [[!debbug
 859123 dsec="automate import of DLAs and DSAs in www.debian.org"]],
 something which is currently a manual process. This is now in the
 hands of the excellent [[!debwiki Teams/Webmaster desc="webmaster
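Review bot: the second directive still reads `859123 dsec="automate import of DLAs and DSAs in www.debian.org"`, with `dsec` instead of `desc`, so the link text will not be applied even after switching `debmsg` to `debbug`. Fix the parameter name in this same change, since the line above it is already being edited.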

creating tag page tag/untrusteddebs
diff --git a/tag/untrusteddebs.mdwn b/tag/untrusteddebs.mdwn
new file mode 100644
index 0000000..fab05bb
--- /dev/null
+++ b/tag/untrusteddebs.mdwn
@@ -0,0 +1,4 @@
+[[!meta title="pages tagged untrusteddebs"]]
+
+[[!inline pages="tagged(untrusteddebs)" actions="no" archive="yes"
+feedshow=10]]

creating tag page tag/signal
diff --git a/tag/signal.mdwn b/tag/signal.mdwn
new file mode 100644
index 0000000..6da8d24
--- /dev/null
+++ b/tag/signal.mdwn
@@ -0,0 +1,4 @@
+[[!meta title="pages tagged signal"]]
+
+[[!inline pages="tagged(signal)" actions="no" archive="yes"
+feedshow=10]]

monthly report
diff --git a/blog/2017-03-30-free-software-activities-march-2017.mdwn b/blog/2017-03-30-free-software-activities-march-2017.mdwn
new file mode 100644
index 0000000..b6969c7
--- /dev/null
+++ b/blog/2017-03-30-free-software-activities-march-2017.mdwn
@@ -0,0 +1,488 @@
+[[!meta title="My free software activities, February and March 2017"]]
+
+[[!toc levels=2]]
+
+Looking into self-financing
+===========================
+
+Before I begin, I should mention that I started tracking my time
+working on free software more systematically. I spend a lot of time on
+the computer, as regular readers of this blog might
+[[remember|2016-06-01-work-volume]] so I wanted to know exactly how
+much time was paid vs free work. I was already using [org-mode][]'s
+[time clock system][] to keep track of my work hours, so I just
+extended this to my regular free software contributions, which also
+helps in writing those reports.
+
+It turns out that over 60% of my computer time is spent working on
+free software. That's huge! I was expecting something more along the
+range of 20 to 40% of my time. So I started thinking about ways of
+financing this work. I created a [Patreon page][] but I'm hesitant
+into launching such a campaign: the only thing worse than "no patreon
+page" is "a patreon page with failed goals and no one financing
+it". So before starting such an effort, I'd like to get a feeling of
+what other people's experience with it are. I know that [joeyh][] is
+close to achieving his goals, but I can't compare with the guy that
+invented git-annex or debhelper, so I'm concerned I wouldn't be able
+to raise the same level of funding.
+
+So any advice you have, feel free to contact me in private or in the
+comments. If you would be ready to fund my work, I'd love to know
+about it, obviously, but I guess I wouldn't get real numbers until I
+actually open up such a page...
+
+Now, onto the regular report.
+
+[joeyh]: https://www.patreon.com/joeyh
+[Patreon page]: https://www.patreon.com/anarcat/
+[time clock system]: http://orgmode.org/manual/Clocking-work-time.html
+[org-mode]: http://orgmode.org/
+
+Wallabako
+=========
+
+I spent a good chunk of time completing most of the things I had in
+mind for [Wallabako][], which I mentioned quickly in the [[previous
+report|2017-01-31-free-software-activities-january-2017]]. Wallabako
+is now much easier to installed, with clearer instructions, an easier
+to use configuration file, more reliable synchronization and read
+status propagation. As usual the [Wallabako README file][] has all the
+details.
+
+[Wallabako README file]: https://gitlab.com/anarcat/wallabako/blob/master/README.md
+
+
+I've also looked at [better integration with Koreader][], the free
+software e-reader that forms the basis of
+the [okreader free software distribution][] which has been able to
+port Debian to the Kobo e-readers, a project I am really excited
+about. This project has the potential of supporting Kobo readers
+beyond the lifetime that upstream grants it and removes a lot of
+proprietary software and spyware that ships with the Kobo readers. So
+I have made a [few contributions to okreader][]
+and [also on koreader][], the [ebook reader][] okreader is based on.
+
+[ebook reader]: https://github.com/koreader/koreader
+[also on koreader]: https://github.com/koreader/koreader/issues?utf8=%E2%9C%93&q=commenter%3Aanarcat%20
+[few contributions to okreader]: https://github.com/lgeek/okreader/issues?utf8=%E2%9C%93&q=author%3Aanarcat%20
+[okreader free software distribution]: https://github.com/lgeek/okreader
+[better integration with Koreader]: https://gitlab.com/anarcat/wallabako/issues/15
+
+[Wallabako]: https://gitlab.com/anarcat/wallabako/
+
+Stressant
+=========
+
+I rewrote [stressant][], my simple [[!wikipedia burn-in]] and
+stress-testing tool. After struggling in turn
+with [Debirf][], [live-build][], [vmdebootstrap][] and even [FAI][], I
+just figured maybe it wasn't the best idea to try and reinvent that
+particular wheel: instead of reinventing how to build yet
+another [Debian system build tool][], maybe I should just reuse what's
+already there.
+
+It turns out there's a well known, succesful and fairly complete
+recovery system called [Grml][]. It is a [Debian Derivative][], so all
+I needed to do was to stop procrastinating and actually *write* the
+actual stressant tool instead of just creating a distribution with a
+bunch of random tools shipped in. This allowed me to focus on *which*
+tools were the best to stress test different components. This
+selection ended up being:
+
+* [[!debpkg lshw]] and [[!debpkg smartmon-tools]] (`smartctl`) for
+  hardware inventory
+* [[!debpkg coreutils]]'s famous `dd`, [[!debpkg hdparm]], [[!debpkg
+  fio]] and (again) `smartctl`) for disk testing
+* [[!debpkg stress-ng]] for CPU testing
+* [[!debpkg iperf3]] for network testing
+
+`fio` can also be used to overwrite disk drives with the proper
+options (`--overwrite` and `--size=100%`), although grml also ships
+with [[!debpkg nwipe]] for wiping old spinning disks and `hdparm` to
+do a secure erase of SSD disks (whatever that's worth).
+
+Stressant still needs to be [shipped with grml][] for this transition
+to be complete. In the meantime, I was able to configure the excellent
+[public Gitlab CI service][] to provide ISO images with Stressant
+built-in as a stopgap measure. I also need to figure out a way to
+automate starting stressant from a boot menu to automate deployments
+on a larger scale, although because I have little need for the feature
+at this moment in time, this will likely wait for a sponsor to show up
+for this to be implemented.
+
+Still, stressant has useful features like the capability of sending
+logs by email using a fresh new implementation of the
+Python [SMTPHandler][] ([BufferedSMTPHandler][]) which waits for
+logging to complete before sending a single email. Another interesting
+piece of code in there is the [NegateAction][] [argparse][] handler
+that enables the use of "toggle flags" (e.g. `--flag /
+--no-flag`). I'm so happy with the code that I figure I could just
+share it here directly:
+
+[SMTPHandler]: https://docs.python.org/3/library/logging.handlers.html#smtphandler
+[[!format python """
+class NegateAction(argparse.Action):
+    '''add a toggle flag to argparse
+
+    this is similar to 'store_true' or 'store_false', but allows
+    arguments prefixed with --no to disable the default. the default
+    is set depending on the first argument - if it starts with the
+    negative form (define by default as '--no'), the default is False,
+    otherwise True.
+    '''
+
+    negative = '--no'
+
+    def __init__(self, option_strings, *args, **kwargs):
+        '''set default depending on the first argument'''
+        default = not option_strings[0].startswith(self.negative)
+        super(NegateAction, self).__init__(option_strings, *args,
+                                           default=default, nargs=0, **kwargs)
+
+    def __call__(self, parser, ns, values, option):
+        '''set the truth value depending on whether
+        it starts with the negative form'''
+        setattr(ns, self.dest, not option.startswith(self.negative))
+"""]]
+
+Short and sweet. I wonder why stuff like this is not in the standard
+library yet - maybe just because no one bothered yet? It'd be great to
+get feedback of more experienced Pythonistas on this one.
+
+I hope that my work on Stressant is complete. I get zero funding for
+this work, and have little use for it myself: I manage only a few
+machines and such a tool really shines when you regularly put new
+hardware online, which is (fortunately?) not my case anymore. I'd be
+happy, of course, to accompany organisations and people that wish to
+further develop and use such a tool.
+
+A [short demo of stressant][] as well as detailed description of how
+it works is of course available in its [README file][].
+
+[short demo of stressant]: https://asciinema.org/a/107950
+[README file]: https://gitlab.com/anarcat/stressant/blob/master/README.md
+[argparse]: https://docs.python.org/3/library/argparse.html
+[NegateAction]: https://gitlab.com/anarcat/stressant/blob/master/stressant#L58
+[BufferedSMTPHandler]: https://gitlab.com/anarcat/stressant/blob/master/stressant#L142
+[public Gitlab CI service]: https://about.gitlab.com/gitlab-ci/
+[shipped with grml]: https://github.com/grml/grml-live/pull/34
+[Grml]: https://grml.org/
+[Debian Derivative]: https://wiki.debian.org/Derivatives
+[Debian system build tool]: https://wiki.debian.org/SystemBuildTools
+[Debirf]: http://cmrg.fifthhorseman.net/wiki/debirf
+[FAI]: https://wiki.debian.org/FAI
+[vmdebootstrap]: https://vmdebootstrap.alioth.debian.org/
+[grml-debootstrap]: http://grml.org/grml-debootstrap/
+[live-build]: https://tracker.debian.org/pkg/live-build
+[stressant]: https://gitlab.com/anarcat/stressant
+
+Standard third party repositories
+=================================
+
+After looking
+at [improvements for the grml repository instructions][], I realized
+there was no real "best practices" document on how to configure an Apt
+repository. Sure, there are tools like [[!debpkg reprepro]] and
+others, but those hardly qualify as policy: they are very flexible and
+there are lots of ways to create insecure repositories
+or [curl | sh][] style instructions, which we of course generally want
+to avoid.
+
+While the larger problem of [Unstrusted Debian packages][] remain
+generally unsolved (e.g. when you install *any* `.deb` file, it can
+get root on your system), it seemed to me one critical part of this
+problem was how to add a random third-party repository to your machine

(Diff truncated)
add post details for signal
diff --git a/signal.txt b/signal.txt
index c164ee0..7dcaedf 100644
--- a/signal.txt
+++ b/signal.txt
@@ -3,19 +3,21 @@ Hash: SHA256
 
 yes, my signal safety numbers changed. no, i didn't lose my phone or get compromised.
 and no, there's no way to verify them directly short of checking with each and everyone of you one by one.
+for the geeks who want all the gory details of this epic journey, see:
+https://whispersystems.discoursehosting.net/t/how-to-get-signal-apks-outside-of-the-google-play-store/808
 -----BEGIN PGP SIGNATURE-----
 
-iQIzBAEBCAAdFiEEjckBzmQUbASK1Q+7eSFSUnt1kh4FAljdKcwACgkQeSFSUnt1
-kh6nLRAApUj8Fb1IjceA92d/rY1rm02wdmSPSRuHJ03iYbAxlr7eB9AA8hL8yL8m
-g5zIv5zPcNCcUihEqBzifiifDw8EkgFKHnN4OZ6Pwm3arbGIZhr0hTrm/1mVcPjE
-sN50q15jbCVfdiEJpH/j7vO6uvLPoy5E8+tPgQ8ZAGCIC+oZFG4JK7/WsZstC7rc
-C/FMLnUDMu+Nh0/0EjSs7O4nFYdhFZpWrMWzpVBdR9JFTqHsO09pf7UpU3Rym31A
-ikA9FHekFRdithA6akXI7j/4QpmbNekwYIKY+RbIIoec5OqNvyDAQS2/vgyTWwYh
-xuBp9XlrFd5U3Jidptuo8sur3RbFxpBqmu4LP0kyEdcdz9UzI2YJ62LeT7n6ubgA
-jstpIo9/+6x6eoRzjVwBPAgK0LlaEBfS5oTvNtALd/Sfn/mqxCo4xlQkLIDNgRyk
-t3rLm/eWMOoJBzFD/wHPKdqQCF2eLvu+0CU901CdTi+7wtRSXFeOsW83UA8pR1Sj
-X0dKnGDM4cS5jKx07nrmUwqeOqkAcAq5DC6c9c79r/ny/hcofx52Sp0hmd2oG16m
-vJvUM/Afnkp0syLFEr0rYx3edbUYAsxNoy5GUpg2xDxUDe+JLVhKrIi6S4G44eV1
-ZBFlU5MfzemDWVO6azIIH+mv6k5/puyl1ciDStU3SkKKTcNSZo8=
-=LQR1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+=GbLv
 -----END PGP SIGNATURE-----

short announcement
diff --git a/signal.txt b/signal.txt
new file mode 100644
index 0000000..c164ee0
--- /dev/null
+++ b/signal.txt
@@ -0,0 +1,21 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA256
+
+yes, my signal safety numbers changed. no, i didn't lose my phone or get compromised.
+and no, there's no way to verify them directly short of checking with each and everyone of you one by one.
+-----BEGIN PGP SIGNATURE-----
+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+=LQR1
+-----END PGP SIGNATURE-----
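Review bot: the signed body says the safety numbers changed but contains no date and nothing tying it to this particular reinstall, so the same validly signed text would still read as an explanation for any later, unrelated change. Put the date of the re-registration inside the signed message so a reader can tell which change it covers.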

upgrade warning
diff --git a/hardware/phone/htc-one-s.mdwn b/hardware/phone/htc-one-s.mdwn
index 6b6110d..7990c83 100644
--- a/hardware/phone/htc-one-s.mdwn
+++ b/hardware/phone/htc-one-s.mdwn
@@ -813,6 +813,32 @@ we do not need to trust HTTPS anymore.
 [TOFU]: https://en.wikipedia.org/wiki/Trust_on_first_use
 """]]
 
+[[!warning """The last time I tried the above procedure, it failed
+fairly catastrophically. While the upgrade went on fine and everything
+looked good, I couldn't receive messages. Messages would go out fine,
+but I wouldn't receive confirmation either. It seems something was
+wrong with GCM... I couldn't downgrade either because I had deleted my
+LibreSignal backup because things *seemed* fine until I tried to talk
+to people. I ended up reinstalling from scratch which means my safety
+numbers changed. And the unfortunate thing with that is that I can't
+globally reverify my number - safety numbers are specific to a given
+contact and not global... """]]
+
+[[!important """It seems like Signal *still* requires GCM to operate
+properly, even though they announced a "Google-less" version. The GCM
+checks are incorrect, basically: they count a "deactivated" GCM as
+still installed, so
+Signal [fails to run with a disabled GCM][]. Furthermore, there are
+still [problems running Signal under MicroG][] which makes this whole
+adventure pretty hazardous. But at least there's a secure way to
+download and install the binary. See also this discussion about
+[providing a non-Google Signal][].
+
+[providing a non-Google Signal]: https://whispersystems.discoursehosting.net/t/how-to-get-signal-apks-outside-of-the-google-play-store/808
+[problems running Signal under MicroG]: https://github.com/WhisperSystems/Signal-Android/issues/5975
+[fails to run with a disabled GCM]: https://github.com/WhisperSystems/Signal-Android/issues/6381
+"""]]
+
 Why I do not recommend Signal to my fellow users
 ------------------------------------------------
 
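Review bot: the `[[!warning]]` block is inserted after the procedure it warns about, so someone following the page top to bottom reads it only once the upgrade is done and the LibreSignal backup may already be deleted. Move it above the steps and state the mitigation the text implies: keep the backup until a message has actually been received on the new install.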

f-droid privileged extensions instructions
diff --git a/hardware/phone/htc-one-s.mdwn b/hardware/phone/htc-one-s.mdwn
index ad57b82..6b6110d 100644
--- a/hardware/phone/htc-one-s.mdwn
+++ b/hardware/phone/htc-one-s.mdwn
@@ -659,6 +659,26 @@ software as well, but it seems like a lesser evil.
 Update: somehow I don't really use this all that much and stopped
 adding the proprietary library after the latest upgrade.
 
+F-Droid privileged extension
+----------------------------
+
+This allows you to turn of that "allow untrusted sources" checkbox and
+enables automated upgrades, see
+the [privileged extension project page][] for more information.
+
+[privileged extension project page]: https://gitlab.com/fdroid/privileged-extension
+
+You need to download the `.zip` file from
+the [privileged extension site][] and sideload it the usual way:
+
+    $ sudo adb reboot recovery
+    # ... phone reboots in TWRP
+    # choose "Advanced" -> "Sideload", then swipe
+    $ sudo adb sideload org.fdroid.fdroid.privileged.ota_2000.zip
+    # ... will sideload, swipe to reboot
+
+[privileged extension site]: https://f-droid.org/repository/browse/?fdid=org.fdroid.fdroid.privileged.ota
+
 Signal
 ======
 
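Review bot: the instructions go from downloading the `.zip` straight to `adb sideload`, with no integrity check on a file that is flashed from recovery as a privileged component. Add a step that verifies the download (a published signature or checksum, if the project provides one) before the sideload line. Also, "turn of" should read "turn off".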

update links now that cm.org is down
diff --git a/hardware/phone/htc-one-s.mdwn b/hardware/phone/htc-one-s.mdwn
index 5007a0f..ad57b82 100644
--- a/hardware/phone/htc-one-s.mdwn
+++ b/hardware/phone/htc-one-s.mdwn
@@ -48,8 +48,18 @@ Downloads
 I do a bunch of downloads first... I apparently have a
 [HTC "ville"][], so I download the [latest nightly][].
 
-[latest nightly]: https://download.cyanogenmod.org/get/jenkins/153919/cm-12.1-20160316-NIGHTLY-ville.zip
-[HTC "ville"]: https://wiki.cyanogenmod.org/w/Ville_Info
+[[!important """Cyanogenmod is now dead. It has been forked into
+LineageOS, which doesn't (yet?) provide builds for the HTC Ville. This
+means our only source for the images are [those Reddit folks][] who
+uploaded the most recent [snapshots][] and [nightlies on Archive.org][].
+
+[snapshots]: https://archive.org/details/cmarchive_snapshots
+[nightlies on Archive.org]: https://archive.org/details/cmarchive_nighlies
+[those Reddit folks]: https://www.reddit.com/r/cyanogenmod/comments/5kas0h/complete_cm_snapshots_and_nightlies_archive_xpost/
+"""]]
+
+[latest nightly]: https://archive.org/download/cmarchive_nighlies/cm-12.1-20160822-NIGHTLY-ville.zip
+[HTC "ville"]: https://web.archive.org/web/https://wiki.cyanogenmod.org/w/Ville_Info
 
 <del>Then i need to choose which gapps i want. I need to choose one, so i
 pick the smallest one (<a href="https://github.com/opengapps/opengapps/wiki/Pico-Package">pico</a>), the only google apps i'd use being
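Review bot: `[latest nightly]` now points at a third-party upload on Archive.org instead of the project's own download server, and the build changes from 20160316 to 20160822, but nothing in the text lets a reader check that the image is what was originally published. Record a checksum of the file that was actually flashed next to the link, and say in the `[[!important]]` note that the archive is an unofficial mirror.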
@@ -73,7 +83,7 @@ phone, but otherwise you can enable them by hitting the "build number"
 button 7 times in CM.
 
 [latest (3.0) release of TWRP for Ville]: https://dl.twrp.me/ville/twrp-3.0.0-0-ville.img.html
-[Developer options]: https://wiki.cyanogenmod.org/w/Doc:_developer_options
+[Developer options]: https://web.archive.org/web/https://wiki.cyanogenmod.org/w/Doc:_developer_options
 
 Rooting the phone
 -----------------
@@ -108,9 +118,9 @@ The `devices` list was weird, to fix that:
     HT26PW407343    fastboot
     [1011]anarcat@angela:~$
 
-[install instructions from CM]: https://wiki.cyanogenmod.org/w/Install_CM_for_ville
-[adb]: https://wiki.cyanogenmod.org/w/Doc:_adb_intro
-[fastboot]: https://wiki.cyanogenmod.org/w/Doc:_fastboot_intro
+[install instructions from CM]: https://web.archive.org/web/https://wiki.cyanogenmod.org/w/Install_CM_for_ville
+[adb]: https://web.archive.org/web/https://wiki.cyanogenmod.org/w/Doc:_adb_intro
+[fastboot]: https://web.archive.org/web/https://wiki.cyanogenmod.org/w/Doc:_fastboot_intro
 
 Then I need to go through a byzantine system on
 [HTCdev][] to unlock the phone. I actually had to register and login,
@@ -1028,20 +1038,21 @@ Future work
 References
 ==========
 
- * [Cyanogenmod](https://cyanogenmod.org/): the free software
-   operating system for Android phones, often abbreviated to CM
+ * [Cyanogenmod](https://web.archive.org/web/https://cyanogenmod.org/):
+   the free software operating system for Android phones, often
+   abbreviated to CM, now forked into [LineageOS](http://lineageos.org/)
  * [HTC One S](http://www.gsmarena.com/htc_one_s-4574.php): the device
    I got for now, see also the [XDA developers wiki on the HTC One S](http://forum.xda-developers.com/wiki/HTC_One_S)
  * [TWRP (TeamWin Recovery Project)](https://twrp.me/): the Recovery
    ROM I am using (apparently, CM has its own mod which is sometimes
    recommended over TWRP, unclear. TWRP is also an [awesome prog band](https://twrp.bandcamp.com/)
- * [Developer options](https://wiki.cyanogenmod.org/w/Doc:_developer_options):
+ * [Developer options](https://web.archive.org/web/https://wiki.cyanogenmod.org/w/Doc:_developer_options):
    the builtin "developer" menu in any Android phone that is sometimes
    accessible if the phone is somewhat unlocked. Tons of stuff
    available there.
- * [adb](https://wiki.cyanogenmod.org/w/Doc:_adb_intro): desktop
+ * [adb](https://web.archive.org/web/https://wiki.cyanogenmod.org/w/Doc:_adb_intro): desktop
    client to manage and debug an android phone through USB or the network
- * [fastboot](https://wiki.cyanogenmod.org/w/Doc:_fastboot_intro): a
+ * [fastboot](https://web.archive.org/web/https://wiki.cyanogenmod.org/w/Doc:_fastboot_intro): a
    desktop tool to flash and manipulate the bootloader and recovery images
  * [Libre Android rebuilds](http://android-rebuilds.beuc.net/):
    liberated builds of the Android source code
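
Review bot: The new LineageOS link in the Cyanogenmod entry is plain `http://lineageos.org/`, while the other links this hunk touches are `https://`. Use `https://lineageos.org/` so readers looking for the successor ROM are not sent over an unauthenticated connection.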

remove duplicate
diff --git a/software/contributions.mdwn b/software/contributions.mdwn
index abdcb27..8639840 100644
--- a/software/contributions.mdwn
+++ b/software/contributions.mdwn
@@ -117,7 +117,6 @@ On top of the above, I sent small patches to tens of projects including:
  * restic
  * rox
  * spip
- * spip
  * and probably countless others, see [[tag/monthly-report]] for my
    monthly reports about those activities
 

demote aegir, promote stressant and wallabako
diff --git a/software.mdwn b/software.mdwn
index a4cfaa1..8e5f06f 100644
--- a/software.mdwn
+++ b/software.mdwn
@@ -5,7 +5,9 @@
 Debian
 ------
 
-Je suis impliqué dans le projet Debian depuis plusieurs années, et un développeur Debian depuis octobre 2011. Vous pouvez consulter ici [la liste de mes packages](http://qa.debian.org/developer.php?login=anarcat) ou plus largement mes [contributions à Debian](https://contributors.debian.org/contributor/anarcat%40debian).
+Je suis impliqué dans le projet [Debian][] depuis plusieurs années, et un développeur Debian depuis octobre 2011. Vous pouvez consulter ici [la liste de mes packages](http://qa.debian.org/developer.php?login=anarcat) ou plus largement mes [contributions à Debian](https://contributors.debian.org/contributor/anarcat%40debian).
+
+[Debian]: https://debian.org/
 
 J'ai écrit un manuel
 [[d'entretien de packages debian|debian-development]] (en anglais)
@@ -16,10 +18,26 @@ Monkeysphere
 
 Je suis impliqué dans le projet [Monkeysphere](http://monkeysphere.info/) qui vise à rendre la cryptographie OpenPGP plus accessible au commun des mortels. En particulier, j'ai écrit un logiciel nommé [Monkeysign](http://monkeysphere.info/monkeysign) qui permet de facilement signer des clefs PGP. J'ai écrit aussi un [guide simple pour l'utilisation de Monkeysphere](http://web.monkeysphere.info/getting-started-ssh/).
 
-Aegir & Drush
--------------
+Wallabako
+---------
+
+J'utilises [Wallabag](http://wallabag.org/) pour répertorier des
+articles à lire plus tard. Pour éviter d'avoir à les lire sur un
+ordinateur, j'ai écrit un programme embarqué nommé [Wallabako][] pour
+les transférer sur ma liseuse électronique.
+
+[Wallabako]: https://gitlab.com/anarcat/wallabako
+
+Stressant
+---------
+
+J'ai écrit un logiciel pour faire le [Burn-in][] de nouvelles
+machines, nommé [stressant][]. Il est basé sur [Grml][], lui-même
+dérivé de [Debian][].
 
-J'ai été un des contributeurs principaux au projet [Aegir](http://aegirproject.org) et, dans une moindre mesure, au projet [Drush](http://drush.org/), jusqu'en 2015.
+[Grml]: https://grml.org/
+[stressant]: https://gitlab.com/anarcat/stressant
+[Burn-in]: https://en.wikipedia.org/wiki/Burn-in
 
 Freedom Box
 -----------
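
Review bot: In the new Wallabako paragraph, `J'utilises` should be `J'utilise` (the first person singular takes no final s). The Wallabag link is also `http://wallabag.org/` where the other links added in this hunk use `https://`; switch it if the site serves HTTPS.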

try to update this desperately out of date page
diff --git a/software/contributions.mdwn b/software/contributions.mdwn
index 413a835..abdcb27 100644
--- a/software/contributions.mdwn
+++ b/software/contributions.mdwn
@@ -8,36 +8,54 @@ Je milite pour les logiciels libres depuis la fin des années 1990 et j'écris d
 Auteur principal
 ----------------
 
-I wrote from scratch:
+Actifs:
 
+ * [Stressant](https://gitlab.com/anarcat/stressant) and [Torride](https://redmine.koumbit.net/projects/torride/)
+ * [Wallabako](https://gitlab.com/anarcat/wallabako)
  * The [gameclock](http://redmine.koumbit.net/projects/gameclock)
  * [Monkeysign](http://monkeysphere.info/monkeysign), a human-friendly PGP key signing package, along with a
    GPG library (originally by Jerome Charaoui but mostly rewrote)
  * [irklab](https://gitlab.com/anarcat/irklab/), an IRC gateway for [gitlab.com](http://gitlab.com)
- * [bup-cron](https://github.com/anarcat/bup-cron), a wrapper aorund [bup](https://bup.github.io/)
+ * [bup-cron](https://github.com/anarcat/bup-cron), a wrapper
+   around [bup](https://bup.github.io/)
+ * [[a set of packages to install on debian|mytasks.desc]]
+ * [[ikiwiki-osm|ikiwiki-osm/README]] - OpenStreetMap and Ikiwiki integration
+
+Inactifs:
+
+ * [debmans](https://gitlab.com/anarcat/debmans)
  * [PHPTimetracker](http://phptimetracker.sf.net/), which included an ORM for PHP as far back as 2004
  * [decisions](http://drupal.org/project/decisions) (with others)
  * [worldtools](http://www.freshports.org/sysutils/worldtools)
  * numerous house-made shell scripts (source: git://src.anarcat.ath.cx/scripts.git)
  * [[bksh|bksh.en.html]]: un "backup shell" [rs]sh, très sécuritaire, très pratique
  * [[rec|rec.en.html]]: un outil pour enregistrer de l'audio PCM d'un système compatible OSS, sur UNIX
- * [[a set of packages to install on debian|mytasks.desc]]
  * [[reverse engineering of the LastFM protocol|LastFmReverseEngineering]]
  * microhttpd (not [that one](http://acme.com/software/micro_httpd/), i wrote mine in 2003 :P)
  * [[portal]] - an open captive portal using ikiwiki, FreeBSD and pf
  * MatrixDesign
  * EMenuEditor
- * [[ikiwiki-osm|ikiwiki-osm/README]] - OpenStreetMap and Ikiwiki integration
 
 Maintenance
 -----------
 
-Je suis ou été l'agent d'entretien ("maintainer") des projets suivants:
+Je suis ou été l'agent d'entretien ("maintainer") des projets
+suivants:
+
+Actifs:
 
  * [Debian](http://qa.debian.org/developer.php?login=anarcat)
+ * [linkchecker](https://github.com/linkcheck/linkchecker)
+
+Retraité:
+
  * [Aegir](http://aegirproject.org/)
  * [AlternC](http://alternc.org/) and friends
  * [Drush](http://drush.ws/)
+ * [Borg](http://borgbackup.readthedocs.io/en/stable/)
+
+Inactifs:
+
  * [kedpm](https://redmine.koumbit.net/projects/kedpm)
  * [barlow drupal theme](http://drupal.org/project/barlow)
  * [drupal's openid_provider](http://drupal.org/project/openid_provider)
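
Review bot: The new sub-list labels are inconsistent: `Actifs:` and `Inactifs:` are plural but `Retraité:` under Maintenance is singular; make it `Retraités:`. Replacing `I wrote from scratch:` with `Actifs:` also leaves French labels over entries that are still written in English, so pick one language for the labels and the items.
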
@@ -57,32 +75,21 @@ I participated porting to Debian, FreeBSD or others:
  * drush
  * tty-clock
 
+See the full list of Debian packages I maintain in the [Debian QA pages](https://qa.debian.org/developer.php?login=anarcat&comaint=yes).
+
 Patches
 -------
 
 On top of the above, I sent small patches to tens of projects including:
 
- * monkeysphere
- * FreeBSD
- * Drupal core
  * apt-src
- * pwsafe
- * irssi-xmpp
- * redmine
- * relaxx
- * ibid
- * spip
- * LedgerSMB
- * MoinMoin
+ * darktable
+ * drupal
+ * feed2tweet
+ * freebsd
+ * git-annex
  * gmpc
- * quodlibet
- * loreley
- * mpd
- * rox
- * spip
- * puppet
- * notmuch
- * [[noping|blog/2013-12-03-announcing-prettier-noping]]
+ * ibid
  * ikiwiki
    * Open Street Map integration ([osm plugin](http://ikiwiki.info/plugins/osm/))
    * mediawiki to ikiwiki converter ([discussion](http://ikiwiki.info/tips/convert_mediawiki_to_ikiwiki/discussion))
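
Review bot: Alphabetising the patch list also lowercases the names and drops detail: `Drupal core` becomes `drupal` and `FreeBSD` becomes `freebsd`. Keep the projects' own capitalisation, and keep `Drupal core` if the patches went to core rather than to contributed modules.
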
@@ -92,7 +99,27 @@ On top of the above, I sent small patches to tens of projects including:
  * ikiwiki-hosting
    * [ipv6/NAT issues](http://ikiwiki-hosting.branchable.com/bugs/ipv6_should_be_priority/)
    * [other contribusions](http://ikiwiki-hosting.branchable.com/users/anarcat/)
- * and probably countless others
+ * irssi-xmpp
+ * kodi
+ * ledger
+ * ledgersmb
+ * loreley
+ * moinmoin
+ * monkeysphere
+ * mpd
+ * [[noping|blog/2013-12-03-announcing-prettier-noping]]
+ * notmuch
+ * puppet
+ * pwsafe
+ * quodlibet
+ * redmine
+ * relaxx
+ * restic
+ * rox
+ * spip
+ * spip
+ * and probably countless others, see [[tag/monthly-report]] for my
+   monthly reports about those activities
 
 Anciens projets
 ===============
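
Review bot: The added block lists ` * spip` twice in a row, carrying over the duplicate the old list already had; drop one of the two lines.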

add tag cloud
diff --git a/tag/monthly-report.mdwn b/tag/monthly-report.mdwn
index 107d404..d366293 100644
--- a/tag/monthly-report.mdwn
+++ b/tag/monthly-report.mdwn
@@ -4,5 +4,9 @@ Since late 2015, I report, generally every month, on my free software
 activities, both paid (e.g. through the [[debian-lts]] project) or
 unpaid work.
 
+I work on a large variety of software, see [[software]] for an overview and [[software/contributions]] for an exhaustive inventory. See also the tag cloud on this page for an idea of what the reports cover.
+
+[[!pagestats pages="tag/*" among="tagged(monthly-report)"]]
+
 [[!inline pages="tagged(monthly-report)" actions="no" archive="yes"
 feedshow=10]]
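
Review bot: The added paragraph calls [[software/contributions]] an "exhaustive inventory", but that page closes its patch list with "and probably countless others", so "exhaustive" overstates it; wording such as "a more complete inventory" fits better. The paragraph is also a single long line while the surrounding text is hard-wrapped; wrap it to match.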
