Recent changes to this wiki. Not to be confused with my history.

Complete source to the wiki is available on gitweb or by cloning this site.

wishlist update
diff --git a/wishlist.mdwn b/wishlist.mdwn
index 42498b0f..c4b4459b 100644
--- a/wishlist.mdwn
+++ b/wishlist.mdwn
@@ -12,8 +12,10 @@ Voici des choses que vous pouvez m'acheter si vous êtes le Père Nowel (yeah ri
    * [US military bases](http://i.imgur.com/Y4ZWY.jpg)
    * [internet maps](http://chrisharrison.net/projects/InternetMap/index.html)
    * une carte du monde [Dymaxion](http://en.wikipedia.org/wiki/Dymaxion_map), [Werner](http://en.wikipedia.org/wiki/Werner_map_projection) ou [Gall-Peters](http://en.wikipedia.org/wiki/Gall-Peters_projection)
- * un laptop [novena](https://www.crowdsupply.com/kosagi/novena-open-laptop)
- * un mini-PC comme le [fitlet](http://www.fit-pc.com/web/products/fitlet/) ([review](http://linuxgizmos.com/tiny-fanless-mini-pc-runs-linux-on-quad-core-amd-soc/))
+ * <del>un laptop [novena](https://www.crowdsupply.com/kosagi/novena-open-laptop)</del>
+   voir [[hardware/laptop]]
+ * <del>un mini-PC comme le [fitlet](http://www.fit-pc.com/web/products/fitlet/) ([review](http://linuxgizmos.com/tiny-fanless-mini-pc-runs-linux-on-quad-core-amd-soc/))</del> j'ai
+   achete un Intel NUC, voir [[hardware/laptop]]
  * un bon stylo (voir [cette liste](http://coolmaterial.com/feature/pens-of-kickstarter/), particulièrement le [Pen Type-A](https://www.kickstarter.com/projects/cwandt/pen-type-a-a-minimal-pen) a une règle, mais est très cher (150$), alors que le [PHX](http://www.bigidesign.com/welcome/phx-pen-2/) est aussi compatible avec les recharges Hi-Tec-C mais est seulement 30$)
  * d'autres trucs de [xkcd.net](http://shop.xkcd.net/), particulièrement [ce t-shirt](http://store.xkcd.com/xkcd/#TechSupport)
  * des livres:
@@ -37,22 +39,19 @@ Voici des choses que vous pouvez m'acheter si vous êtes le Père Nowel (yeah ri
      * [programming pearls](http://www.cs.bell-labs.com/cm/cs/pearls/)..
      * [the art of electronics](http://amzn.com/0521370957)
    * voile
-     * [La Voile, de Gründ](https://www.worldcat.org/title/voile-techniques-voiliers-equipements-navigation-courses/oclc/859744434) - me semble plus compact et mieux fait que "la bible" que j'ai en stock
-     * [La longue route; seul entre mers et ciels](http://www.worldcat.org/oclc/1239742)
      * [Atlas des océans](http://www.boutique.voilesetvoiliers.com/atlas-des-oceans,fr,4,92216.cfm) (ou les Pilot Charts, maintenant librement disponibles [en ligne](http://msi.nga.mil/NGAPortal/MSI.portal?_nfpb=true&_pageLabel=msi_portal_page_62&pubCode=0003) mais j'aimerais une version imprimée
      * [livre de bord fantaisiste](http://www.boutique.voilesetvoiliers.com/guide-des-antilles,fr,4,92255.cfm) - vérifier si j'en ai pas déjà un, ce qui est fort probable
      * [Connaître les cordages modernes et leurs usages à bord](http://www.boutique.voilesetvoiliers.com/bien-barrer-son-voilier,fr,4,92294_copie.cfm) un autre livre de noeuds!
      * [Le dictionnaire de la mer : savoir-faire, traditions, vocabulaire, techniques](http://www.worldcat.org/oclc/6327481) de Jean Merrien - Renaud Bray a une édition différente, voir [ISBN:9782258113275](https://en.wikipedia.org/wiki/Special:BookSources/9782258113275)
      * [Lexique nautique polyglotte](http://www.worldcat.org/oclc/21840200) - peut-être? du même auteur (Jean Merrien)
-     * Les livres de Carl Mailhot et Yves Gélinas: La V'limeuse autour du monde, tome 1 et suivants
-   ([ISBN:9782980447303](https://en.wikipedia.org/wiki/Special:BookSources/9782980447303),
-   [chez abebooks.com](http://www.abebooks.com/servlet/BookDetailsPL?bi=14061305584&searchurl=x%3D0%26amp%3By%3D0%26amp%3Bbi%3D0%26amp%3Bds%3D30%26amp%3Bsts%3Dt%26amp%3Bbx%3Doff%26amp%3Bsortby%3D17%26amp%3Ban%3DCarl+Mailhot%26amp%3Brecentlyadded%3Dall)),
-   De la V'limeuse a Dingo: L'Atlantique en solitaire sur un 6,50
-   Metres ([ISBN:9782980447327](https://en.wikipedia.org/wiki/Special:BookSources/9782980447327),
-   [chez abebooks.com](http://www.abebooks.com/servlet/BookDetailsPL?bi=8882922329&searchurl=an%3DCarl+Mailhot%2C+Dominique+Manny)),
-   Jean du Sud et l'Oizo-Magick ([ISBN: 9782857251842](https://en.wikipedia.org/wiki/Special:BookSources/9782857251842),
-   [chez abebooks.com](http://www.abebooks.com/servlet/BookDetailsPL?bi=14250044964&searchurl=sts%3Dt%26amp%3By%3D0%26amp%3Bx%3D0%26amp%3Bkn%3D9782857251842),
-   aussi en [DVD](http://www.capehorn.com/TrailerAng.htm))
+     * Les livres de Carl Mailhot et Yves Gélinas: La V'limeuse autour
+       du monde, tome 1 et suivants
+       ([ISBN:9782980447303](https://en.wikipedia.org/wiki/Special:BookSources/9782980447303), [chez abebooks.com](http://www.abebooks.com/servlet/BookDetailsPL?bi=14061305584&searchurl=x%3D0%26amp%3By%3D0%26amp%3Bbi%3D0%26amp%3Bds%3D30%26amp%3Bsts%3Dt%26amp%3Bbx%3Doff%26amp%3Bsortby%3D17%26amp%3Ban%3DCarl+Mailhot%26amp%3Brecentlyadded%3Dall)), De la
+       V'limeuse a Dingo: L'Atlantique en solitaire sur un 6,50 Metres
+       ([ISBN:9782980447327](https://en.wikipedia.org/wiki/Special:BookSources/9782980447327), [chez abebooks.com](http://www.abebooks.com/servlet/BookDetailsPL?bi=8882922329&searchurl=an%3DCarl+Mailhot%2C+Dominique+Manny)), Jean du Sud
+       et l'Oizo-Magick
+       ([ISBN: 9782857251842](https://en.wikipedia.org/wiki/Special:BookSources/9782857251842), [chez abebooks.com](http://www.abebooks.com/servlet/BookDetailsPL?bi=14250044964&searchurl=sts%3Dt%26amp%3By%3D0%26amp%3Bx%3D0%26amp%3Bkn%3D9782857251842), aussi
+       en [DVD](http://www.capehorn.com/TrailerAng.htm))
    * autres
      * [Astronomica : galaxies, planètes, étoiles, cartes des constellations, explorations spatiales](http://www.worldcat.org/oclc/495085208)
      * <http://whatif.xkcd.com/book/>
@@ -61,9 +60,11 @@ Voici des choses que vous pouvez m'acheter si vous êtes le Père Nowel (yeah ri
      * [Les idées noires](https://en.wikipedia.org/wiki/Id%C3%A9es_noires) de Franquin, [l'intégrale](http://www.worldcat.org/oclc/493932411)
  * des longues vacances au costa rica, dans le charlevoix ou à une autre place pas rapport
  * un [[hardware/radio/FmTransmitter]]
+ * un "portable image scanner" comme
+   le [SVP 4500](http://www.svp-tech.com/ps4400/ps4400.html) ou le
+   Wolverine Data pass
  * un transceiver générique, e.g. le [hack RF](https://greatscottgadgets.com/hackrf/), esp. avec le [portapack](https://sharebrained.myshopify.com/products/portapack-for-hackrf-one)
  * un [cours de premier de cordée](http://www.passemontagne.com/fr/cours.html)
- * une certification de plongée en lac
  * un appareil photo digital reflex de qualité... voir [[hardware/camera]]
  * le [freewrite](https://astrohaus.com/)
  * une autre liste de [wishlist](https://lib3.net/bookie/anarcat/recent/wishlist)

fix workflow image link to pop the full version that will be clickable
diff --git a/software/debian-development.mdwn b/software/debian-development.mdwn
index aab15f03..65072279 100644
--- a/software/debian-development.mdwn
+++ b/software/debian-development.mdwn
@@ -51,7 +51,7 @@ This will guide you through a standardized approach to:
 It covers a workflow that could be summarily described by this
 diagram:
 
-![A diagram of my Debian packaging workflow](workflow.svg)
+[[!img workflow.svg]]
 
 [make]: https://manpages.debian.org/make
 [uscan]: https://manpages.debian.org/uscan

fix links for svg
diff --git a/software/debian-development/workflow.dot b/software/debian-development/workflow.dot
index 7e595681..d0808caa 100644
--- a/software/debian-development/workflow.dot
+++ b/software/debian-development/workflow.dot
@@ -1,36 +1,46 @@
 digraph workflow {
         label="Debian packaging workflow, 2017"
         labelloc=top
-        dget [ url="https://manpages.debian.org/dget" ]
-        dgit [ url="https://manpages.debian.org/dgit" ]
-        git [ url="https://manpages.debian.org/git", label="git, ..." ]
-        debmake [ url="https://www.debian.org/doc/manuals/debmake-doc/index.en.html" ]
-        dbp [ label="dpkg-buildpackage", url="https://manpages.debian.org/dpkg-buildpackage" ]
-        source [ label="source package (.dsc, ...)", url="https://wiki.debian.org/Packaging/SourcePackage" ];
-        binary [ label="binary package (.changes, .deb)", url="https://wiki.debian.org/Packaging/BinaryPackage" ];
-        BTS [ url="https://wiki.debian.org/BTS" ];
-        quilt [ url="https://wiki.debian.org/UsingQuilt" ];
-        dch [ url="https://manpages.debian.org/dch" ];
-        lintian [ url="https://manpages.debian.org/lintian" ];
-        
+        dget [ href="https://manpages.debian.org/dget" ]
+        dgit [ href="https://manpages.debian.org/dgit" ]
+        git [ href="https://manpages.debian.org/git" label="git, ..." ]
+        debmake [ href="https://www.debian.org/doc/manuals/debmake-doc/index.en.html" ]
+        dbp [ label="dpkg-buildpackage" href="https://manpages.debian.org/dpkg-buildpackage" ]
+        source [ shape=box label="source package (.dsc, ...)", href="https://wiki.debian.org/Packaging/SourcePackage" ];
+        binary [ shape=box label="binary package(s) (.changes, .deb)" href="https://wiki.debian.org/Packaging/BinaryPackage" ];
+        BTS [ shape=box href="https://wiki.debian.org/BTS" ];
+        quilt [ href="https://wiki.debian.org/UsingQuilt" ];
+        dch [ href="https://manpages.debian.org/dch" ];
+        lintian [ href="https://manpages.debian.org/lintian" ];
+        # those should link to the package-cycle stuff!
+        archive [ shape=box label="FTP archive" ]
+        ppa [ shape=box label="PPAs, ..." ]
+
         { "apt-get source", dget, debmake, dgit, git } -> source;
         source -> dbp -> binary;
         source -> quilt -> source
         source -> dch -> source
         source -> { sbuild, gbp } -> dbp
+        gbp -> sbuild
         binary -> lintian -> source
-        binary -> dput -> { "FTP archive", "PPA, ..." } -> "apt-get install";
-        source -> debdiff -> BTS
-        
+        binary -> dput -> { archive, ppa } -> "apt-get install";
+        source -> debdiff -> BTS -> quilt
+
         {
                 rank = same;
-                dput [ url="https://manpages.debian.org/dput" ];
-                debdiff [ url="https://manpages.debian.org/debdiff" ];
+                quilt
+                dch
+                dbp
+        }
+        {
+                rank = same;
+                dput [ href="https://manpages.debian.org/dput" ];
+                debdiff [ href="https://manpages.debian.org/debdiff" ];
         }
         {
                 rank = same;
                 source;
-                sbuild [ url="https://wiki.debian.org/sbuild" ];
-                gbp [ url="https://manpages.debian.org/git-buildpackage", label="git-buildpackage" ];
+                sbuild [ href="https://wiki.debian.org/sbuild" ];
+                gbp [ href="https://manpages.debian.org/git-buildpackage" label="git-buildpackage" ];
         }
 }
diff --git a/software/debian-development/workflow.svg b/software/debian-development/workflow.svg
index 26ec4394..d0706eb4 100644
--- a/software/debian-development/workflow.svg
+++ b/software/debian-development/workflow.svg
@@ -4,41 +4,53 @@
 <!-- Generated by graphviz version 2.38.0 (20140413.2041)
  -->
 <!-- Title: workflow Pages: 1 -->
-<svg width="551pt" height="499pt"
- viewBox="0.00 0.00 551.49 499.00" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+<svg width="509pt" height="499pt"
+ viewBox="0.00 0.00 509.00 499.00" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
 <g id="graph0" class="graph" transform="scale(1 1) rotate(0) translate(4 495)">
 <title>workflow</title>
-<polygon fill="white" stroke="none" points="-4,4 -4,-495 547.489,-495 547.489,4 -4,4"/>
-<text text-anchor="middle" x="271.745" y="-475.8" font-family="Times,serif" font-size="14.00">Debian packaging workflow, 2017</text>
+<polygon fill="white" stroke="none" points="-4,4 -4,-495 505,-495 505,4 -4,4"/>
+<text text-anchor="middle" x="250.5" y="-475.8" font-family="Times,serif" font-size="14.00">Debian packaging workflow, 2017</text>
 <!-- dget -->
 <g id="node1" class="node"><title>dget</title>
+<g id="a_node1"><a xlink:href="https://manpages.debian.org/dget" xlink:title="dget">
 <ellipse fill="none" stroke="black" cx="27" cy="-450" rx="27" ry="18"/>
 <text text-anchor="middle" x="27" y="-446.3" font-family="Times,serif" font-size="14.00">dget</text>
+</a>
+</g>
 </g>
 <!-- source -->
 <g id="node6" class="node"><title>source</title>
-<ellipse fill="none" stroke="black" cx="176" cy="-378" rx="99.3824" ry="18"/>
+<g id="a_node6"><a xlink:href="https://wiki.debian.org/Packaging/SourcePackage" xlink:title="source package (.dsc, ...)">
+<polygon fill="none" stroke="black" points="252.5,-396 99.5,-396 99.5,-360 252.5,-360 252.5,-396"/>
 <text text-anchor="middle" x="176" y="-374.3" font-family="Times,serif" font-size="14.00">source package (.dsc, ...)</text>
+</a>
+</g>
 </g>
 <!-- dget&#45;&gt;source -->
 <g id="edge1" class="edge"><title>dget&#45;&gt;source</title>
-<path fill="none" stroke="black" d="M48.316,-438.923C53.1433,-436.644 58.2471,-434.237 63,-432 85.9528,-421.198 111.544,-409.192 132.561,-399.342"/>
-<polygon fill="black" stroke="black" points="134.299,-402.392 141.869,-394.98 131.329,-396.054 134.299,-402.392"/>
+<path fill="none" stroke="black" d="M48.316,-438.923C53.1433,-436.644 58.2471,-434.237 63,-432 85.1877,-421.558 109.841,-409.991 130.444,-400.334"/>
+<polygon fill="black" stroke="black" points="132.032,-403.455 139.602,-396.042 129.062,-397.116 132.032,-403.455"/>
 </g>
 <!-- dgit -->
 <g id="node2" class="node"><title>dgit</title>
+<g id="a_node2"><a xlink:href="https://manpages.debian.org/dgit" xlink:title="dgit">
 <ellipse fill="none" stroke="black" cx="99" cy="-450" rx="27" ry="18"/>
 <text text-anchor="middle" x="99" y="-446.3" font-family="Times,serif" font-size="14.00">dgit</text>
+</a>
+</g>
 </g>
 <!-- dgit&#45;&gt;source -->
 <g id="edge2" class="edge"><title>dgit&#45;&gt;source</title>
-<path fill="none" stroke="black" d="M114.582,-434.834C124.748,-425.593 138.265,-413.305 150.03,-402.609"/>
-<polygon fill="black" stroke="black" points="152.41,-405.175 157.456,-395.859 147.702,-399.996 152.41,-405.175"/>
+<path fill="none" stroke="black" d="M114.582,-434.834C124.579,-425.746 137.818,-413.71 149.445,-403.141"/>
+<polygon fill="black" stroke="black" points="152.131,-405.429 157.176,-396.113 147.422,-400.25 152.131,-405.429"/>
 </g>
 <!-- git -->
 <g id="node3" class="node"><title>git</title>
+<g id="a_node3"><a xlink:href="https://manpages.debian.org/git" xlink:title="git, ...">
 <ellipse fill="none" stroke="black" cx="176" cy="-450" rx="32.4942" ry="18"/>
 <text text-anchor="middle" x="176" y="-446.3" font-family="Times,serif" font-size="14.00">git, ...</text>
+</a>
+</g>
 </g>
 <!-- git&#45;&gt;source -->
 <g id="edge3" class="edge"><title>git&#45;&gt;source</title>
@@ -47,48 +59,63 @@
 </g>
 <!-- debmake -->
 <g id="node4" class="node"><title>debmake</title>
+<g id="a_node4"><a xlink:href="https://www.debian.org/doc/manuals/debmake-doc/index.en.html" xlink:title="debmake">
 <ellipse fill="none" stroke="black" cx="269" cy="-450" rx="42.7926" ry="18"/>
 <text text-anchor="middle" x="269" y="-446.3" font-family="Times,serif" font-size="14.00">debmake</text>
+</a>
+</g>
 </g>
 <!-- debmake&#45;&gt;source -->
 <g id="edge4" class="edge"><title>debmake&#45;&gt;source</title>
-<path fill="none" stroke="black" d="M248.82,-433.811C236.433,-424.487 220.33,-412.367 206.418,-401.895"/>
-<polygon fill="black" stroke="black" points="208.186,-398.845 198.091,-395.628 203.976,-404.438 208.186,-398.845"/>
+<path fill="none" stroke="black" d="M248.82,-433.811C236.61,-424.621 220.79,-412.713 207.015,-402.345"/>
+<polygon fill="black" stroke="black" points="208.849,-399.344 198.754,-396.127 204.639,-404.937 208.849,-399.344"/>
 </g>
 <!-- dbp -->
 <g id="node5" class="node"><title>dbp</title>
-<ellipse fill="none" stroke="black" cx="397" cy="-306" rx="77.9862" ry="18"/>
-<text text-anchor="middle" x="397" y="-302.3" font-family="Times,serif" font-size="14.00">dpkg&#45;buildpackage</text>
+<g id="a_node5"><a xlink:href="https://manpages.debian.org/dpkg-buildpackage" xlink:title="dpkg&#45;buildpackage">
+<ellipse fill="none" stroke="black" cx="387" cy="-306" rx="77.9862" ry="18"/>
+<text text-anchor="middle" x="387" y="-302.3" font-family="Times,serif" font-size="14.00">dpkg&#45;buildpackage</text>
+</a>
+</g>
 </g>
 <!-- binary -->
 <g id="node7" class="node"><title>binary</title>
-<ellipse fill="none" stroke="black" cx="420" cy="-234" rx="123.478" ry="18"/>
-<text text-anchor="middle" x="420" y="-230.3" font-family="Times,serif" font-size="14.00">binary package (.changes, .deb)</text>
+<g id="a_node7"><a xlink:href="https://wiki.debian.org/Packaging/BinaryPackage" xlink:title="binary package(s) (.changes, .deb)">
+<polygon fill="none" stroke="black" points="501,-252 297,-252 297,-216 501,-216 501,-252"/>
+<text text-anchor="middle" x="399" y="-230.3" font-family="Times,serif" font-size="14.00">binary package(s) (.changes, .deb)</text>
+</a>
+</g>
 </g>
 <!-- dbp&#45;&gt;binary -->
 <g id="edge7" class="edge"><title>dbp&#45;&gt;binary</title>
-<path fill="none" stroke="black" d="M402.685,-287.697C405.248,-279.898 408.333,-270.509 411.185,-261.829"/>
-<polygon fill="black" stroke="black" points="414.584,-262.697 414.38,-252.104 407.933,-260.512 414.584,-262.697"/>
+<path fill="none" stroke="black" d="M389.966,-287.697C391.289,-279.983 392.878,-270.712 394.352,-262.112"/>
+<polygon fill="black" stroke="black" points="397.828,-262.552 396.068,-252.104 390.928,-261.369 397.828,-262.552"/>
 </g>
 <!-- source&#45;&gt;dbp -->
 <g id="edge6" class="edge"><title>source&#45;&gt;dbp</title>
-<path fill="none" stroke="black" d="M223.139,-362.069C258.399,-350.901 306.659,-335.615 343.389,-323.981"/>
-<polygon fill="black" stroke="black" points="344.465,-327.311 352.941,-320.955 342.351,-320.638 344.465,-327.311"/>
+<path fill="none" stroke="black" d="M227.347,-359.966C259.848,-349.183 301.757,-335.28 334.482,-324.423"/>
+<polygon fill="black" stroke="black" points="335.933,-327.629 344.322,-321.159 333.728,-320.986 335.933,-327.629"/>
 </g>
 <!-- quilt -->
 <g id="node9" class="node"><title>quilt</title>
+<g id="a_node9"><a xlink:href="https://wiki.debian.org/UsingQuilt" xlink:title="quilt">
 <ellipse fill="none" stroke="black" cx="104" cy="-306" rx="27" ry="18"/>
 <text text-anchor="middle" x="104" y="-302.3" font-family="Times,serif" font-size="14.00">quilt</text>
+</a>
+</g>
 </g>
 <!-- source&#45;&gt;quilt -->
 <g id="edge8" class="edge"><title>source&#45;&gt;quilt</title>
-<path fill="none" stroke="black" d="M153.097,-360.411C142.935,-351.479 131.255,-340.31 121.754,-330.498"/>
-<polygon fill="black" stroke="black" points="124.079,-327.862 114.672,-322.988 118.987,-332.665 124.079,-327.862"/>

(Diff truncated)
add links to workflow SVG
diff --git a/software/debian-development/workflow.dot b/software/debian-development/workflow.dot
index d9f91bc8..7e595681 100644
--- a/software/debian-development/workflow.dot
+++ b/software/debian-development/workflow.dot
@@ -1,25 +1,36 @@
 digraph workflow {
         label="Debian packaging workflow, 2017"
         labelloc=top
-        { "apt-get source", "dget", "dh_make, debmake", "(d)git" } -> source;
-        source -> "dpkg-buildpackage" -> binary;
+        dget [ url="https://manpages.debian.org/dget" ]
+        dgit [ url="https://manpages.debian.org/dgit" ]
+        git [ url="https://manpages.debian.org/git", label="git, ..." ]
+        debmake [ url="https://www.debian.org/doc/manuals/debmake-doc/index.en.html" ]
+        dbp [ label="dpkg-buildpackage", url="https://manpages.debian.org/dpkg-buildpackage" ]
+        source [ label="source package (.dsc, ...)", url="https://wiki.debian.org/Packaging/SourcePackage" ];
+        binary [ label="binary package (.changes, .deb)", url="https://wiki.debian.org/Packaging/BinaryPackage" ];
+        BTS [ url="https://wiki.debian.org/BTS" ];
+        quilt [ url="https://wiki.debian.org/UsingQuilt" ];
+        dch [ url="https://manpages.debian.org/dch" ];
+        lintian [ url="https://manpages.debian.org/lintian" ];
+        
+        { "apt-get source", dget, debmake, dgit, git } -> source;
+        source -> dbp -> binary;
         source -> quilt -> source
         source -> dch -> source
-        source -> { "sbuild, pbuilder", "gitpkg, gbp" } -> "dpkg-buildpackage"
+        source -> { sbuild, gbp } -> dbp
         binary -> lintian -> source
         binary -> dput -> { "FTP archive", "PPA, ..." } -> "apt-get install";
         source -> debdiff -> BTS
-        source [ label="source package (.dsc, ...)" ];
-        binary [ label="binary package (.changes, .deb)" ];
+        
         {
                 rank = same;
-                dput;
-                debdiff;
+                dput [ url="https://manpages.debian.org/dput" ];
+                debdiff [ url="https://manpages.debian.org/debdiff" ];
         }
         {
                 rank = same;
                 source;
-                "sbuild, pbuilder";
-                "gitpkg, gbp";
+                sbuild [ url="https://wiki.debian.org/sbuild" ];
+                gbp [ url="https://manpages.debian.org/git-buildpackage", label="git-buildpackage" ];
         }
 }
diff --git a/software/debian-development/workflow.svg b/software/debian-development/workflow.svg
index 5d15d13f..26ec4394 100644
--- a/software/debian-development/workflow.svg
+++ b/software/debian-development/workflow.svg
@@ -4,216 +4,226 @@
 <!-- Generated by graphviz version 2.38.0 (20140413.2041)
  -->
 <!-- Title: workflow Pages: 1 -->
-<svg width="608pt" height="499pt"
- viewBox="0.00 0.00 607.74 499.00" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+<svg width="551pt" height="499pt"
+ viewBox="0.00 0.00 551.49 499.00" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
 <g id="graph0" class="graph" transform="scale(1 1) rotate(0) translate(4 495)">
 <title>workflow</title>
-<polygon fill="white" stroke="none" points="-4,4 -4,-495 603.739,-495 603.739,4 -4,4"/>
-<text text-anchor="middle" x="299.869" y="-475.8" font-family="Times,serif" font-size="14.00">Debian packaging workflow, 2017</text>
-<!-- apt&#45;get source -->
-<g id="node1" class="node"><title>apt&#45;get source</title>
-<ellipse fill="none" stroke="black" cx="60.4446" cy="-450" rx="60.3893" ry="18"/>
-<text text-anchor="middle" x="60.4446" y="-446.3" font-family="Times,serif" font-size="14.00">apt&#45;get source</text>
+<polygon fill="white" stroke="none" points="-4,4 -4,-495 547.489,-495 547.489,4 -4,4"/>
+<text text-anchor="middle" x="271.745" y="-475.8" font-family="Times,serif" font-size="14.00">Debian packaging workflow, 2017</text>
+<!-- dget -->
+<g id="node1" class="node"><title>dget</title>
+<ellipse fill="none" stroke="black" cx="27" cy="-450" rx="27" ry="18"/>
+<text text-anchor="middle" x="27" y="-446.3" font-family="Times,serif" font-size="14.00">dget</text>
 </g>
 <!-- source -->
-<g id="node5" class="node"><title>source</title>
-<ellipse fill="none" stroke="black" cx="228.445" cy="-378" rx="99.3824" ry="18"/>
-<text text-anchor="middle" x="228.445" y="-374.3" font-family="Times,serif" font-size="14.00">source package (.dsc, ...)</text>
+<g id="node6" class="node"><title>source</title>
+<ellipse fill="none" stroke="black" cx="176" cy="-378" rx="99.3824" ry="18"/>
+<text text-anchor="middle" x="176" y="-374.3" font-family="Times,serif" font-size="14.00">source package (.dsc, ...)</text>
 </g>
-<!-- apt&#45;get source&#45;&gt;source -->
-<g id="edge1" class="edge"><title>apt&#45;get source&#45;&gt;source</title>
-<path fill="none" stroke="black" d="M94.0382,-435.003C119.05,-424.581 153.523,-410.217 181.294,-398.646"/>
-<polygon fill="black" stroke="black" points="182.926,-401.758 190.811,-394.681 180.234,-395.296 182.926,-401.758"/>
+<!-- dget&#45;&gt;source -->
+<g id="edge1" class="edge"><title>dget&#45;&gt;source</title>
+<path fill="none" stroke="black" d="M48.316,-438.923C53.1433,-436.644 58.2471,-434.237 63,-432 85.9528,-421.198 111.544,-409.192 132.561,-399.342"/>
+<polygon fill="black" stroke="black" points="134.299,-402.392 141.869,-394.98 131.329,-396.054 134.299,-402.392"/>
+</g>
+<!-- dgit -->
+<g id="node2" class="node"><title>dgit</title>
+<ellipse fill="none" stroke="black" cx="99" cy="-450" rx="27" ry="18"/>
+<text text-anchor="middle" x="99" y="-446.3" font-family="Times,serif" font-size="14.00">dgit</text>
+</g>
+<!-- dgit&#45;&gt;source -->
+<g id="edge2" class="edge"><title>dgit&#45;&gt;source</title>
+<path fill="none" stroke="black" d="M114.582,-434.834C124.748,-425.593 138.265,-413.305 150.03,-402.609"/>
+<polygon fill="black" stroke="black" points="152.41,-405.175 157.456,-395.859 147.702,-399.996 152.41,-405.175"/>
+</g>
+<!-- git -->
+<g id="node3" class="node"><title>git</title>
+<ellipse fill="none" stroke="black" cx="176" cy="-450" rx="32.4942" ry="18"/>
+<text text-anchor="middle" x="176" y="-446.3" font-family="Times,serif" font-size="14.00">git, ...</text>
+</g>
+<!-- git&#45;&gt;source -->
+<g id="edge3" class="edge"><title>git&#45;&gt;source</title>
+<path fill="none" stroke="black" d="M176,-431.697C176,-423.983 176,-414.712 176,-406.112"/>
+<polygon fill="black" stroke="black" points="179.5,-406.104 176,-396.104 172.5,-406.104 179.5,-406.104"/>
+</g>
+<!-- debmake -->
+<g id="node4" class="node"><title>debmake</title>
+<ellipse fill="none" stroke="black" cx="269" cy="-450" rx="42.7926" ry="18"/>
+<text text-anchor="middle" x="269" y="-446.3" font-family="Times,serif" font-size="14.00">debmake</text>
+</g>
+<!-- debmake&#45;&gt;source -->
+<g id="edge4" class="edge"><title>debmake&#45;&gt;source</title>
+<path fill="none" stroke="black" d="M248.82,-433.811C236.433,-424.487 220.33,-412.367 206.418,-401.895"/>
+<polygon fill="black" stroke="black" points="208.186,-398.845 198.091,-395.628 203.976,-404.438 208.186,-398.845"/>
+</g>
+<!-- dbp -->
+<g id="node5" class="node"><title>dbp</title>
+<ellipse fill="none" stroke="black" cx="397" cy="-306" rx="77.9862" ry="18"/>
+<text text-anchor="middle" x="397" y="-302.3" font-family="Times,serif" font-size="14.00">dpkg&#45;buildpackage</text>
 </g>
-<!-- dget -->
-<g id="node2" class="node"><title>dget</title>
-<ellipse fill="none" stroke="black" cx="165.445" cy="-450" rx="27" ry="18"/>
-<text text-anchor="middle" x="165.445" y="-446.3" font-family="Times,serif" font-size="14.00">dget</text>
+<!-- binary -->
+<g id="node7" class="node"><title>binary</title>
+<ellipse fill="none" stroke="black" cx="420" cy="-234" rx="123.478" ry="18"/>
+<text text-anchor="middle" x="420" y="-230.3" font-family="Times,serif" font-size="14.00">binary package (.changes, .deb)</text>
 </g>
-<!-- dget&#45;&gt;source -->
-<g id="edge2" class="edge"><title>dget&#45;&gt;source</title>
-<path fill="none" stroke="black" d="M178.805,-434.155C186.807,-425.264 197.177,-413.742 206.369,-403.529"/>
-<polygon fill="black" stroke="black" points="209.02,-405.814 213.109,-396.04 203.817,-401.132 209.02,-405.814"/>
-</g>
-<!-- dh_make, debmake -->
-<g id="node3" class="node"><title>dh_make, debmake</title>
-<ellipse fill="none" stroke="black" cx="291.445" cy="-450" rx="80.6858" ry="18"/>
-<text text-anchor="middle" x="291.445" y="-446.3" font-family="Times,serif" font-size="14.00">dh_make, debmake</text>
-</g>
-<!-- dh_make, debmake&#45;&gt;source -->
-<g id="edge3" class="edge"><title>dh_make, debmake&#45;&gt;source</title>
-<path fill="none" stroke="black" d="M276.194,-432.055C268.569,-423.583 259.196,-413.168 250.779,-403.815"/>
-<polygon fill="black" stroke="black" points="253.284,-401.367 243.992,-396.275 248.081,-406.05 253.284,-401.367"/>
-</g>
-<!-- (d)git -->
-<g id="node4" class="node"><title>(d)git</title>
-<ellipse fill="none" stroke="black" cx="420.445" cy="-450" rx="30.5947" ry="18"/>
-<text text-anchor="middle" x="420.445" y="-446.3" font-family="Times,serif" font-size="14.00">(d)git</text>
-</g>
-<!-- (d)git&#45;&gt;source -->
-<g id="edge4" class="edge"><title>(d)git&#45;&gt;source</title>
-<path fill="none" stroke="black" d="M396.642,-438.276C391.651,-436.125 386.398,-433.934 381.445,-432 349.567,-419.553 313.408,-406.958 284.249,-397.172"/>
-<polygon fill="black" stroke="black" points="285.238,-393.812 274.645,-393.965 283.021,-400.452 285.238,-393.812"/>
-</g>
-<!-- dpkg&#45;buildpackage -->
-<g id="node6" class="node"><title>dpkg&#45;buildpackage</title>
-<ellipse fill="none" stroke="black" cx="449.445" cy="-306" rx="77.9862" ry="18"/>
-<text text-anchor="middle" x="449.445" y="-302.3" font-family="Times,serif" font-size="14.00">dpkg&#45;buildpackage</text>
-</g>
-<!-- source&#45;&gt;dpkg&#45;buildpackage -->
-<g id="edge5" class="edge"><title>source&#45;&gt;dpkg&#45;buildpackage</title>
-<path fill="none" stroke="black" d="M275.584,-362.069C310.843,-350.901 359.104,-335.615 395.833,-323.981"/>
-<polygon fill="black" stroke="black" points="396.91,-327.311 405.386,-320.955 394.796,-320.638 396.91,-327.311"/>
+<!-- dbp&#45;&gt;binary -->
+<g id="edge7" class="edge"><title>dbp&#45;&gt;binary</title>
+<path fill="none" stroke="black" d="M402.685,-287.697C405.248,-279.898 408.333,-270.509 411.185,-261.829"/>
+<polygon fill="black" stroke="black" points="414.584,-262.697 414.38,-252.104 407.933,-260.512 414.584,-262.697"/>
+</g>
+<!-- source&#45;&gt;dbp -->
+<g id="edge6" class="edge"><title>source&#45;&gt;dbp</title>
+<path fill="none" stroke="black" d="M223.139,-362.069C258.399,-350.901 306.659,-335.615 343.389,-323.981"/>
+<polygon fill="black" stroke="black" points="344.465,-327.311 352.941,-320.955 342.351,-320.638 344.465,-327.311"/>
 </g>
 <!-- quilt -->
-<g id="node8" class="node"><title>quilt</title>
-<ellipse fill="none" stroke="black" cx="156.445" cy="-306" rx="27" ry="18"/>
-<text text-anchor="middle" x="156.445" y="-302.3" font-family="Times,serif" font-size="14.00">quilt</text>
+<g id="node9" class="node"><title>quilt</title>
+<ellipse fill="none" stroke="black" cx="104" cy="-306" rx="27" ry="18"/>
+<text text-anchor="middle" x="104" y="-302.3" font-family="Times,serif" font-size="14.00">quilt</text>
 </g>
 <!-- source&#45;&gt;quilt -->
-<g id="edge7" class="edge"><title>source&#45;&gt;quilt</title>
-<path fill="none" stroke="black" d="M205.542,-360.411C195.379,-351.479 183.699,-340.31 174.199,-330.498"/>
-<polygon fill="black" stroke="black" points="176.524,-327.862 167.117,-322.988 171.431,-332.665 176.524,-327.862"/>
+<g id="edge8" class="edge"><title>source&#45;&gt;quilt</title>
+<path fill="none" stroke="black" d="M153.097,-360.411C142.935,-351.479 131.255,-340.31 121.754,-330.498"/>
+<polygon fill="black" stroke="black" points="124.079,-327.862 114.672,-322.988 118.987,-332.665 124.079,-327.862"/>
 </g>
 <!-- dch -->
-<g id="node9" class="node"><title>dch</title>

(Diff truncated)
fix typo in makefile
diff --git a/software/debian-development/Makefile b/software/debian-development/Makefile
index af0c9132..dbd9f0e1 100644
--- a/software/debian-development/Makefile
+++ b/software/debian-development/Makefile
@@ -4,7 +4,7 @@ FILES=workflow.svg
 all: $(FILES)
 
 %.svg: %.dot
-	gdot -Tsvg $< > $@
+	dot -Tsvg $< > $@
 
 .PHONY: clean
 clean:

add diagram from session
diff --git a/software/debian-development.mdwn b/software/debian-development.mdwn
index 00283539..aab15f03 100644
--- a/software/debian-development.mdwn
+++ b/software/debian-development.mdwn
@@ -31,14 +31,14 @@ may find useful when looking for more information.
 [Debian policy]: https://www.debian.org/doc/debian-policy/
 [developer's manual suite]: https://www.debian.org/doc/devel-manuals
 
-This guides tries to take a streamlined and opinionated approach to
-maintaining Debian packages. It doesn't try to cover all cases,
-doesn't try to teach you about [debhelper][], [cdbs][], [uscan][] or
-[make][]. It assumes you will find that information elsewhere, for
-example in the above references, and that you are already somewhat
-familiar with Debian systems administration (you know how to use a
-shell) and Debian packages as a concept (you know what a `.deb` file
-is and know how to use `dpkg -i`).
+This guides tries to take an opinionated approach to maintaining
+Debian packages. It doesn't try to cover all cases, doesn't try to
+teach you about [debhelper][], [cdbs][], [uscan][] or [make][]. It
+assumes you will find that information elsewhere, for example in the
+above references, and that you are already somewhat familiar with
+Debian systems administration (you know how to use a shell) and Debian
+packages as a concept (you know what a `.deb` file is and know how to
+use `dpkg -i`).
 
 This will guide you through a standardized approach to:
 
@@ -48,6 +48,11 @@ This will guide you through a standardized approach to:
   unstable, backports)
 * upload packages
 
+It covers a workflow that could be summarily described by this
+diagram:
+
+![A diagram of my Debian packaging workflow](workflow.svg)
+
 [make]: https://manpages.debian.org/make
 [uscan]: https://manpages.debian.org/uscan
 [cdbs]: https://manpages.debian.org/cdbs
diff --git a/software/debian-development/Makefile b/software/debian-development/Makefile
new file mode 100644
index 00000000..af0c9132
--- /dev/null
+++ b/software/debian-development/Makefile
@@ -0,0 +1,11 @@
+FILES=workflow.svg
+
+.PHONY: all
+all: $(FILES)
+
+%.svg: %.dot
+	gdot -Tsvg $< > $@
+
+.PHONY: clean
+clean:
+	rm -f $(FILES)
diff --git a/software/debian-development/workflow.dot b/software/debian-development/workflow.dot
new file mode 100644
index 00000000..d9f91bc8
--- /dev/null
+++ b/software/debian-development/workflow.dot
@@ -0,0 +1,25 @@
+digraph workflow {
+        label="Debian packaging workflow, 2017"
+        labelloc=top
+        { "apt-get source", "dget", "dh_make, debmake", "(d)git" } -> source;
+        source -> "dpkg-buildpackage" -> binary;
+        source -> quilt -> source
+        source -> dch -> source
+        source -> { "sbuild, pbuilder", "gitpkg, gbp" } -> "dpkg-buildpackage"
+        binary -> lintian -> source
+        binary -> dput -> { "FTP archive", "PPA, ..." } -> "apt-get install";
+        source -> debdiff -> BTS
+        source [ label="source package (.dsc, ...)" ];
+        binary [ label="binary package (.changes, .deb)" ];
+        {
+                rank = same;
+                dput;
+                debdiff;
+        }
+        {
+                rank = same;
+                source;
+                "sbuild, pbuilder";
+                "gitpkg, gbp";
+        }
+}
diff --git a/software/debian-development/workflow.svg b/software/debian-development/workflow.svg
new file mode 100644
index 00000000..5d15d13f
--- /dev/null
+++ b/software/debian-development/workflow.svg
@@ -0,0 +1,219 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
+ "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<!-- Generated by graphviz version 2.38.0 (20140413.2041)
+ -->
+<!-- Title: workflow Pages: 1 -->
+<svg width="608pt" height="499pt"
+ viewBox="0.00 0.00 607.74 499.00" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+<g id="graph0" class="graph" transform="scale(1 1) rotate(0) translate(4 495)">
+<title>workflow</title>
+<polygon fill="white" stroke="none" points="-4,4 -4,-495 603.739,-495 603.739,4 -4,4"/>
+<text text-anchor="middle" x="299.869" y="-475.8" font-family="Times,serif" font-size="14.00">Debian packaging workflow, 2017</text>
+<!-- apt&#45;get source -->
+<g id="node1" class="node"><title>apt&#45;get source</title>
+<ellipse fill="none" stroke="black" cx="60.4446" cy="-450" rx="60.3893" ry="18"/>
+<text text-anchor="middle" x="60.4446" y="-446.3" font-family="Times,serif" font-size="14.00">apt&#45;get source</text>
+</g>
+<!-- source -->
+<g id="node5" class="node"><title>source</title>
+<ellipse fill="none" stroke="black" cx="228.445" cy="-378" rx="99.3824" ry="18"/>
+<text text-anchor="middle" x="228.445" y="-374.3" font-family="Times,serif" font-size="14.00">source package (.dsc, ...)</text>
+</g>
+<!-- apt&#45;get source&#45;&gt;source -->
+<g id="edge1" class="edge"><title>apt&#45;get source&#45;&gt;source</title>
+<path fill="none" stroke="black" d="M94.0382,-435.003C119.05,-424.581 153.523,-410.217 181.294,-398.646"/>
+<polygon fill="black" stroke="black" points="182.926,-401.758 190.811,-394.681 180.234,-395.296 182.926,-401.758"/>
+</g>
+<!-- dget -->
+<g id="node2" class="node"><title>dget</title>
+<ellipse fill="none" stroke="black" cx="165.445" cy="-450" rx="27" ry="18"/>
+<text text-anchor="middle" x="165.445" y="-446.3" font-family="Times,serif" font-size="14.00">dget</text>
+</g>
+<!-- dget&#45;&gt;source -->
+<g id="edge2" class="edge"><title>dget&#45;&gt;source</title>
+<path fill="none" stroke="black" d="M178.805,-434.155C186.807,-425.264 197.177,-413.742 206.369,-403.529"/>
+<polygon fill="black" stroke="black" points="209.02,-405.814 213.109,-396.04 203.817,-401.132 209.02,-405.814"/>
+</g>
+<!-- dh_make, debmake -->
+<g id="node3" class="node"><title>dh_make, debmake</title>
+<ellipse fill="none" stroke="black" cx="291.445" cy="-450" rx="80.6858" ry="18"/>
+<text text-anchor="middle" x="291.445" y="-446.3" font-family="Times,serif" font-size="14.00">dh_make, debmake</text>
+</g>
+<!-- dh_make, debmake&#45;&gt;source -->
+<g id="edge3" class="edge"><title>dh_make, debmake&#45;&gt;source</title>
+<path fill="none" stroke="black" d="M276.194,-432.055C268.569,-423.583 259.196,-413.168 250.779,-403.815"/>
+<polygon fill="black" stroke="black" points="253.284,-401.367 243.992,-396.275 248.081,-406.05 253.284,-401.367"/>
+</g>
+<!-- (d)git -->
+<g id="node4" class="node"><title>(d)git</title>
+<ellipse fill="none" stroke="black" cx="420.445" cy="-450" rx="30.5947" ry="18"/>
+<text text-anchor="middle" x="420.445" y="-446.3" font-family="Times,serif" font-size="14.00">(d)git</text>
+</g>
+<!-- (d)git&#45;&gt;source -->
+<g id="edge4" class="edge"><title>(d)git&#45;&gt;source</title>
+<path fill="none" stroke="black" d="M396.642,-438.276C391.651,-436.125 386.398,-433.934 381.445,-432 349.567,-419.553 313.408,-406.958 284.249,-397.172"/>
+<polygon fill="black" stroke="black" points="285.238,-393.812 274.645,-393.965 283.021,-400.452 285.238,-393.812"/>
+</g>
+<!-- dpkg&#45;buildpackage -->
+<g id="node6" class="node"><title>dpkg&#45;buildpackage</title>
+<ellipse fill="none" stroke="black" cx="449.445" cy="-306" rx="77.9862" ry="18"/>
+<text text-anchor="middle" x="449.445" y="-302.3" font-family="Times,serif" font-size="14.00">dpkg&#45;buildpackage</text>
+</g>
+<!-- source&#45;&gt;dpkg&#45;buildpackage -->
+<g id="edge5" class="edge"><title>source&#45;&gt;dpkg&#45;buildpackage</title>
+<path fill="none" stroke="black" d="M275.584,-362.069C310.843,-350.901 359.104,-335.615 395.833,-323.981"/>
+<polygon fill="black" stroke="black" points="396.91,-327.311 405.386,-320.955 394.796,-320.638 396.91,-327.311"/>
+</g>
+<!-- quilt -->
+<g id="node8" class="node"><title>quilt</title>
+<ellipse fill="none" stroke="black" cx="156.445" cy="-306" rx="27" ry="18"/>
+<text text-anchor="middle" x="156.445" y="-302.3" font-family="Times,serif" font-size="14.00">quilt</text>
+</g>
+<!-- source&#45;&gt;quilt -->
+<g id="edge7" class="edge"><title>source&#45;&gt;quilt</title>
+<path fill="none" stroke="black" d="M205.542,-360.411C195.379,-351.479 183.699,-340.31 174.199,-330.498"/>
+<polygon fill="black" stroke="black" points="176.524,-327.862 167.117,-322.988 171.431,-332.665 176.524,-327.862"/>
+</g>
+<!-- dch -->
+<g id="node9" class="node"><title>dch</title>
+<ellipse fill="none" stroke="black" cx="228.445" cy="-306" rx="27" ry="18"/>
+<text text-anchor="middle" x="228.445" y="-302.3" font-family="Times,serif" font-size="14.00">dch</text>
+</g>
+<!-- source&#45;&gt;dch -->
+<g id="edge9" class="edge"><title>source&#45;&gt;dch</title>
+<path fill="none" stroke="black" d="M222.529,-359.697C221.721,-351.868 221.5,-342.435 221.865,-333.728"/>
+<polygon fill="black" stroke="black" points="225.365,-333.85 222.601,-323.622 218.384,-333.342 225.365,-333.85"/>
+</g>
+<!-- sbuild, pbuilder -->
+<g id="node10" class="node"><title>sbuild, pbuilder</title>
+<ellipse fill="none" stroke="black" cx="533.445" cy="-378" rx="66.0889" ry="18"/>
+<text text-anchor="middle" x="533.445" y="-374.3" font-family="Times,serif" font-size="14.00">sbuild, pbuilder</text>
+</g>
+<!-- source&#45;&gt;sbuild, pbuilder -->
+<g id="edge11" class="edge"><title>source&#45;&gt;sbuild, pbuilder</title>
+<path fill="none" stroke="black" d="M270.895,-394.286C293.049,-401.925 320.812,-410.177 346.445,-414 391.282,-420.687 404.018,-423.02 448.445,-414 463.885,-410.865 480.002,-404.829 493.999,-398.582"/>
+<polygon fill="black" stroke="black" points="495.72,-401.642 503.316,-394.256 492.772,-395.292 495.72,-401.642"/>
+</g>
+<!-- gitpkg, gbp -->
+<g id="node11" class="node"><title>gitpkg, gbp</title>
+<ellipse fill="none" stroke="black" cx="397.445" cy="-378" rx="51.1914" ry="18"/>
+<text text-anchor="middle" x="397.445" y="-374.3" font-family="Times,serif" font-size="14.00">gitpkg, gbp</text>
+</g>
+<!-- source&#45;&gt;gitpkg, gbp -->
+<g id="edge12" class="edge"><title>source&#45;&gt;gitpkg, gbp</title>
+<path fill="none" stroke="black" d="M328.128,-378C330.734,-378 333.34,-378 335.947,-378"/>
+<polygon fill="black" stroke="black" points="335.999,-381.5 345.999,-378 335.999,-374.5 335.999,-381.5"/>
+</g>

(Diff truncated)
latest status
diff --git a/hardware/phone/lg-g3-d852.mdwn b/hardware/phone/lg-g3-d852.mdwn
index 9c16246..032133d 100644
--- a/hardware/phone/lg-g3-d852.mdwn
+++ b/hardware/phone/lg-g3-d852.mdwn
@@ -7,11 +7,18 @@ in Canada). It is a nice device, although on the big side for me.
 Root
 ====
 
-First step is to get root. Instructions for this
-vary: [some](https://forum.xda-developers.com/lg-g3/general/guide-root-lg-firmwares-kitkat-lollipop-t3056951) [forums](https://forum.xda-developers.com/android/development/guide-root-method-lg-devices-t3049772) tell you to run weird Windows executables
-to get "one-click root" on the device. This obviously won't work for
-me on Linux. But [this guide](https://forum.xda-developers.com/android/development/guide-root-method-lg-devices-t3049772) is a little better and I think I can
-break it down to a step-by-step process that basically consists of:
+First step is to get root. Instructions for this vary: [some](https://forum.xda-developers.com/lg-g3/general/guide-root-lg-firmwares-kitkat-lollipop-t3056951)
+[forums](https://forum.xda-developers.com/android/development/guide-root-method-lg-devices-t3049772) tell you to run weird Windows executables to get
+"one-click root" on the device. This obviously won't work for me on
+Linux. The *one* option that's *designed* to run on Linux
+("[PurpleDrake](https://forum.xda-developers.com/lg-g3/development/root-root-lg-g3-easily-purpledrake-lite-t2821000)", found in [Reddit](https://www.reddit.com/r/LGG3/comments/39yroe/root_method_with_linux/ )) relies on a vulnerability
+that seems to have been patched in the phone I have.
+
+[This guide](https://forum.xda-developers.com/android/development/guide-root-method-lg-devices-t3049772) seems a little better and I think I can break it down
+to a step-by-step process that basically consists of pushing a set of
+tools using `adb`, then rebooting in diagnostic mode and issuing
+commands over the serial console. The batch script basically goes like
+this:
 
  1. install `adb`:
  
@@ -62,6 +69,10 @@ break it down to a step-by-step process that basically consists of:
         
  8. run the magic command:
  
+        sh /data/local/tmp/lg_root.sh dummy 1 /data/local/tmp/UPDATE-SuperSU-v2.46.zip /data/local/tmp/busybox
+
+    the original command was:
+
         sh /data/local/tmp/lg_root.sh dummy 1 /data/local/tmp/SuperSU-v2.82-201705271822.zip /data/local/tmp/busybox
 
  9. pull the battery to get out of download mode, or hold volume up
@@ -74,6 +85,57 @@ talk to the "download mode". I have also tried to run the magic
     #wine: Call from 0x7b83ae8c to unimplemented function msvcr100.dll.gets_s, aborting
     wine: Unimplemented function msvcr100.dll.gets_s called at address 0x7b83ae8c (thread 0009), starting debugger...
 
+The `Send_Command.exe` tool has a Python equivalent as well called
+[lglaf](https://github.com/Lekensteyn/lglaf/) which unfortunately doesn't seem to work, either because
+the phone is refusing this, or because the protocol is different
+enough this doesn't work.
+
+    Traceback (most recent call last):
+      File "lglaf.py", line 404, in <module>
+        main()
+      File "lglaf.py", line 386, in main
+        try_hello(comm)
+      File "lglaf.py", line 279, in try_hello
+        data = comm.read(0x20, timeout=HELLO_READ_TIMEOUT)
+      File "lglaf.py", line 148, in read
+        buff = self._read(need, timeout=timeout)
+      File "lglaf.py", line 256, in _read
+        array = self.usbdev.read(self.ep_in, 2**14, timeout=timeout)
+      File "/usr/lib/python2.7/dist-packages/usb/core.py", line 988, in read
+        self.__get_timeout(timeout))
+      File "/usr/lib/python2.7/dist-packages/usb/backend/libusb1.py", line 833, in bulk_read
+        timeout)
+      File "/usr/lib/python2.7/dist-packages/usb/backend/libusb1.py", line 936, in __read
+        _check(retval)
+      File "/usr/lib/python2.7/dist-packages/usb/backend/libusb1.py", line 595, in _check
+        raise USBError(_strerror(ret), ret, _libusb_errno[ret])
+    usb.core.USBError: [Errno 110] Operation timed out
+
+That's because the udev rules do not cover the 852 device, so this
+patch is required:
+
+    --- a/rules.d/42-usb-lglaf.rules
+    +++ b/rules.d/42-usb-lglaf.rules
+    @@ -5,3 +5,5 @@ SUBSYSTEM=="usb", ATTRS{idVendor}=="1004", ATTRS{idProduct}=="633e", TAG+="uacce
+     SUBSYSTEM=="usb", ATTRS{idVendor}=="1004", ATTRS{idProduct}=="627f", TAG+="uaccess"
+     # LG G4 (VS986) in download mode
+     SUBSYSTEM=="usb", ATTRS{idVendor}=="1004", ATTRS{idProduct}=="6298", TAG+="uaccess"
+    +# LG G3 (D852) in download mode
+    +SUBSYSTEM=="usb", ATTRS{idVendor}=="1004", ATTRS{idProduct}=="631d", TAG+="uaccess"
+
+With the patch (or running as root), it still fails, with:
+
+    LGLAF.py: WARNING: Command failed with error code 0x8000010a
+
+So we need another patch to send a proper  [challenge-response](https://github.com/Lekensteyn/lglaf/pull/12) and
+*then* we get a prompt. Unfortunately, some clever thing is still
+refusing our commands:
+
+    # sh /data/local/tmp/lg_root.sh dummy 1 /data/local/tmp/UPDATE-SuperSU-v2.46.zip /data/local/tmp/busybox
+    Hello, I am LAF. Nice to meet you.#
+
+So I'm stuck: there doesn't seem to be a way to root this device.
+
 Recovery setup
 ==============
 

wine + current failure
diff --git a/hardware/phone/lg-g3-d852.mdwn b/hardware/phone/lg-g3-d852.mdwn
index e4beabc..9c16246 100644
--- a/hardware/phone/lg-g3-d852.mdwn
+++ b/hardware/phone/lg-g3-d852.mdwn
@@ -67,6 +67,13 @@ break it down to a step-by-step process that basically consists of:
  9. pull the battery to get out of download mode, or hold volume up
     and power for 30 seconds
 
+Step 8 doesn't work: I can't figure out the port speed or protocol to
+talk to the "download mode". I have also tried to run the magic
+"Send_Command.exe" under wine, but it fails:
+
+    #wine: Call from 0x7b83ae8c to unimplemented function msvcr100.dll.gets_s, aborting
+    wine: Unimplemented function msvcr100.dll.gets_s called at address 0x7b83ae8c (thread 0009), starting debugger...
+
 Recovery setup
 ==============
 

beginning of a guide for the lg g3
diff --git a/hardware/phone/lg-g3-d852.mdwn b/hardware/phone/lg-g3-d852.mdwn
new file mode 100644
index 0000000..e4beabc
--- /dev/null
+++ b/hardware/phone/lg-g3-d852.mdwn
@@ -0,0 +1,104 @@
+[[!meta title="LG G3 Android setup"]]
+
+I was (again, how privileged) given a phone! This one is a [LG G3][phone specifications],
+also known as the "D-852" (the version distributed by Bell and Rogers
+in Canada). It is a nice device, although on the big side for me.
+
+Root
+====
+
+First step is to get root. Instructions for this
+vary: [some](https://forum.xda-developers.com/lg-g3/general/guide-root-lg-firmwares-kitkat-lollipop-t3056951) [forums](https://forum.xda-developers.com/android/development/guide-root-method-lg-devices-t3049772) tell you to run weird Windows executables
+to get "one-click root" on the device. This obviously won't work for
+me on Linux. But [this guide](https://forum.xda-developers.com/android/development/guide-root-method-lg-devices-t3049772) is a little better and I think I can
+break it down to a step-by-step process that basically consists of:
+
+ 1. install `adb`:
+ 
+        apt install adb
+
+ 2. push `busybox` - instead of using an arbitrary copy I found on the
+    internet, I got a more trusted build from [Debian packages](https://packages.debian.org/sid/busybox-static):
+    
+        dpkg -x busybox-static_1.22.0-19+b3_armhf.deb armhf
+        adb push armhf/bin/busybox /data/local/tmp
+ 
+ 3. push [SuperSU](http://www.supersu.com/)
+
+        adb push SuperSU-v2.82-201705271822.zip /data/local/tmp
+
+ 4. push a custom script to glue all this together:
+ 
+         adb push lg_root.sh /data/local/tmp
+
+    The script is in the [LG_Root.zip](http://downloadandroidrom.com/file/LGGFlex2/LG_Root.zip) file which also contains
+    copies of busybox and SuperSU, but I prefered to use other trusted
+    copies of those elsewhere. the script, however, I couldn't find
+    but you can review it, at least. I found a link to the `.zip` file
+    on [this tutorial](http://highonandroid.com/android-smartphones/how-to-root-lg-g-flex-2-g2-g3-on-lollipop/)
+
+ 4. STOP ModemManager! otherwise it may garble the serial port:
+ 
+        sudo service ModemManager stop
+
+ 5. switch to "download mode":
+ 
+    1. unplug the USB cable
+    2. power off the phone
+    3. hold the "volume up" button and plug the USB cable
+    
+    the screen should now say "download mode" then "Firmware
+    update". you're now in download mode
+
+ 6. find the serial port the device is attached to:
+ 
+        dmesg | tail
+    
+    here it was `/dev/ttyACM0`
+
+ 7. attach to the serial port (e.g. with [GNU Screen](https://en.wikipedia.org/wiki/GNU_Screen)):
+ 
+        screen /dev/ttyACM0
+        
+ 8. run the magic command:
+ 
+        sh /data/local/tmp/lg_root.sh dummy 1 /data/local/tmp/SuperSU-v2.82-201705271822.zip /data/local/tmp/busybox
+
+ 9. pull the battery to get out of download mode, or hold volume up
+    and power for 30 seconds
+
+Recovery setup
+==============
+
+Next step is to setup [TWRP](https://twrp.me/), which seems to only be to install
+an [app](https://twrp.me/app/) nowadays, if the device is rooted.
+
+See also the noise about [BUMP!](http://www.droid-life.com/2014/10/10/lg-g3-bump-gives-you-fully-working-twrp-recovery-on-all-variants/) - not sure what that's
+about. Maybe it's necessary to boot TWRP at all?
+
+Custom ROM install
+==================
+
+Next step is to install [LineageOS](https://lineageos.org/), because the current firmware
+has all sorts of crappy apps like spam from Google and god knows what
+else. With LineageOS, I still have proprietary software, but at least
+I know exactly [what those are][proprietary drivers list] and I'm confident it's the bare
+minimum to get the thing running. It's more than my [[previous
+device|htc-one-s]] but it's not that bad.
+
+The [install instructions][] are pretty simple, once the device is
+rooted.
+
+References
+==========
+
+ * [phone specifications][]
+ * [LineageOS device info](https://wiki.lineageos.org/devices/d852)
+ * [install instructions][]
+ * [proprietary drivers list][]
+ * [TWRP install instructions][]
+
+ [TWRP install instructions]: https://twrp.me/devices/lgg3canadabellrogers.html
+ [phone specifications]: http://www.gsmarena.com/lg_g3-6294.php
+ [install instructions]: https://wiki.lineageos.org/devices/d852/install
+ [proprietary drivers list]: https://github.com/LineageOS/android_device_lge_d852/blob/cm-14.1/proprietary-files.txt

one more task
diff --git a/services/upgrades/stretch.mdwn b/services/upgrades/stretch.mdwn
index ac98759..1974674 100644
--- a/services/upgrades/stretch.mdwn
+++ b/services/upgrades/stretch.mdwn
@@ -49,10 +49,15 @@ Post-upgrade:
     reboot
     # review and purge older kernel once the new one boots properly
 
+User-specific tasks:
+
+ * migrated PGP keyring:
+
+         /usr/bin/migrate-pubring-from-classic-gpg --default
+
 Issues
 ------
 
-* need to perform a trustdb upgrade in gpg according to micah, see README.Debian?
 * [[!debbug 866786]]: multiple device support in cryptroot-unlock
 * [[!debbug 866792]]: irssi profile should load in complain mode
 * [[!debbug 866790]]: postfix apparmor profile syntax errors

note about upstream guides
diff --git a/services/upgrades/stretch.mdwn b/services/upgrades/stretch.mdwn
index 0d062ef..ac98759 100644
--- a/services/upgrades/stretch.mdwn
+++ b/services/upgrades/stretch.mdwn
@@ -64,6 +64,7 @@ Issues
   two times during the upgrade process (!), which seems to have worked
   okay
 * [known issues](https://www.debian.org/releases/stretch/amd64/release-notes/ch-information.en.html)
+* this guide should be merged with upstream
 
 References
 ----------

note about -dbg packages
diff --git a/services/upgrades/stretch.mdwn b/services/upgrades/stretch.mdwn
index 03e9ea1..0d062ef 100644
--- a/services/upgrades/stretch.mdwn
+++ b/services/upgrades/stretch.mdwn
@@ -42,6 +42,7 @@ Actual upgrade run:
 Post-upgrade:
 
     apt-get purge $(deborphan -n) # look also for obsolete packages in aptitude
+    dpkg -l '*-dbg' # look for dbg package and possible replace with -dbgsym
     aptitude purge ~c # purge removed packages
     apt autoremove -y --purge
     apt-get clean

my stretch upgrade guide
diff --git a/services/upgrades/stretch.mdwn b/services/upgrades/stretch.mdwn
new file mode 100644
index 0000000..03e9ea1
--- /dev/null
+++ b/services/upgrades/stretch.mdwn
@@ -0,0 +1,74 @@
+Stretch upgrade
+===============
+
+Unfortunately, I started this documentation only after I upgraded 2 of
+my 3 main machines, so it is probably lacking.
+
+Process
+-------
+
+Similar to Koumbit's process, but we don't use Puppet:
+
+Pre-upgrade checks:
+
+    sudo ttyrec -e screen /var/log/upgrade-stretch.ttyrec
+    cd /etc; git tag pre-stretch
+    git gc --prune # make /etc smaller for backup
+    tar cfz /var/backups/pre-stretch-backup.tgz /etc /var/lib/dpkg /var/lib/apt/extended_states /var/lib/aptitude/pkgstates
+    dpkg --get-selections "*" > /var/backups/dpkg-selections-pre-stretch.txt
+    rm /etc/apt/preferences /etc/apt/preferences.d/* #  Check for pinned (on hold) packages, and possibly disable
+    rm /etc/apt/sources.list.d/testing.list # or other similar backports or sources from later releases
+    rm /etc/apt/sources.list.d/jessie-backports.list
+    apt-mark showhold
+    dpkg --audit
+    apt update && apt -y upgrade
+    dpkg -l '*dkms' # look for dkms packages and make sure they are relevant, if not, purge.
+
+Check free space, see
+[this guide to free up space](http://www.debian.org/releases/stretch/amd64/release-notes/ch-upgrading.en.html#sufficient-space)
+and download packages:
+
+    sed -i.orig 's/jessie/stretch/g' /etc/apt/sources.list
+    apt update; apt -o APT::Get::Trivial-Only=true dist-upgrade; df -h
+    apt -y -d upgrade && apt -y -d dist-upgrade
+
+Actual upgrade run:
+
+    export DEBIAN_FRONTEND=noninteractive APT_LISTCHANGES_FRONTEND=mail
+    apt upgrade -y -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold'
+    apt dist-upgrade -y -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold'
+    /opt/bin/clean_conflicts
+
+Post-upgrade:
+
+    apt-get purge $(deborphan -n) # look also for obsolete packages in aptitude
+    aptitude purge ~c # purge removed packages
+    apt autoremove -y --purge
+    apt-get clean
+    reboot
+    # review and purge older kernel once the new one boots properly
+
+Issues
+------
+
+* need to perform a trustdb upgrade in gpg according to micah, see README.Debian?
+* [[!debbug 866786]]: multiple device support in cryptroot-unlock
+* [[!debbug 866792]]: irssi profile should load in complain mode
+* [[!debbug 866790]]: postfix apparmor profile syntax errors
+* [[!debbug 845938]] and [[!debbug 805414]]: a2db sink locked by gdm
+* Kodi doesn't start on the right tty? (not filed)
+* forgot to review the list of packages removed, those I would have
+  liked to keep: torbrowser-launcher, npm
+* upgrade was performed with a bad battery, which meant suspending
+  two times during the upgrade process (!), which seems to have worked
+  okay
+* [known issues](https://www.debian.org/releases/stretch/amd64/release-notes/ch-information.en.html)
+
+References
+----------
+
+* [Official guide](https://www.debian.org/releases/stretch/amd64/release-notes/ch-upgrading.fr.html)
+* [Release notes](https://www.debian.org/releases/stretch/amd64/release-notes/ch-whats-new.en.html)
+* [Koumbit guide](https://wiki.koumbit.net/StretchUpgrade)
+* [DSA guide](https://dsa.debian.org/howto/upgrade-to-stretch/)
+* [Solution proposal to automate this](https://wiki.debian.org/AutomatedUpgrade)

wording
diff --git a/hardware/phone/htc-one-s.mdwn b/hardware/phone/htc-one-s.mdwn
index aa22d87..d0db5de 100644
--- a/hardware/phone/htc-one-s.mdwn
+++ b/hardware/phone/htc-one-s.mdwn
@@ -295,7 +295,7 @@ options:
    and later if you can't boot the phone properly, with `adb backup
    --twrp`. The file format is a little weird see [this discussion](https://android.stackexchange.com/questions/28481/how-do-you-extract-an-apps-data-from-a-full-backup-made-through-adb-backup)
    for details. Also note that the format is different when using
-   TWRP, see that [other discussion](https://android.stackexchange.com/questions/171638/extract-twrp-backups-made-with-adb)
+   TWRP, see that [other discussion](https://android.stackexchange.com/questions/171638/extract-twrp-backups-made-with-adb) for details.
 
 I do not believe this makes a backup of the data in sdcard, however,
 so if user data should also be backed up, the above backup and Music,

update x230 section
diff --git a/hardware/laptop.mdwn b/hardware/laptop.mdwn
index ce6e5f2..5fb8d29 100644
--- a/hardware/laptop.mdwn
+++ b/hardware/laptop.mdwn
@@ -109,8 +109,8 @@ http://thinkwiki.de/X201
 X220
 ----
 
-http://www.thinkwiki.org/wiki/Category:X220
-http://thinkwiki.de/X220
+<http://www.thinkwiki.org/wiki/Category:X220>
+<http://thinkwiki.de/X220>
 
  * 12.5" TFT
  * i3-i7
@@ -126,7 +126,7 @@ http://thinkwiki.de/X220
  * fprint reader
  * 65W AC
  * coreboot: mostly
-   * no USB3
+   * no USB3 ("in some models, probably doesn't work")
    * https://www.coreboot.org/Board:lenovo/x220
    * IME, EC, VGA, CPU microcode proprietary
 
@@ -134,7 +134,29 @@ X230
 ----
 
 has a similar chiclet keyboard than the x120e, missing critical keys
-like scroll-lock and sysrq/prtscr. screw that.
+like scroll-lock and sysrq/prtscr. [can be replaced](http://www.thinkwiki.org/wiki/Install_Classic_Keyboard_on_xx30_Series_ThinkPads) with the older
+model (~20-75$ in parts)
+
+<http://www.thinkwiki.org/wiki/Category:X230>
+<http://thinkwiki.de/X230>
+
+ * 12.5" TFT or IPS 1366x768
+ * i3-i7 3320M-3520M
+ * 16GB max
+ * 2 minipci (incl possible mSATA)
+ * gbit
+ * BT
+ * SD card
+ * 3xUSB, incl. 2 USB3
+ * 720p camera
+ * mini displayport
+ * combined audio jack
+ * fprint reader
+ * 65W AC
+ * coreboot: mostly
+   * no power on yellow port
+   * https://www.coreboot.org/Board:lenovo/x230
+   * IME, EC, VGA, CPU microcode proprietary
 
 Chromebooks?
 ------------

add adb backup procedures
diff --git a/hardware/phone/htc-one-s.mdwn b/hardware/phone/htc-one-s.mdwn
index 7990c83..aa22d87 100644
--- a/hardware/phone/htc-one-s.mdwn
+++ b/hardware/phone/htc-one-s.mdwn
@@ -285,6 +285,18 @@ off TWRP with `adb pull`:
 
     sudo adb pull /sdcard/TWRP/BACKUPS/HT26PW407343/2016-03-23--13-20-27_cm_ville-userdebug_5.1.1_LMY49H_a105530ecd
 
+This will fail if the phone doesn't have enough free space. Two
+options:
+
+ * OTG dongle: a small adapter that allows you to plug external USB
+   storage in the phone
+ * `adb backup`: from a host connected through USB, you can generate
+   an archive of the whole system. this also works through TWRP 3.1
+   and later if you can't boot the phone properly, with `adb backup
+   --twrp`. The file format is a little weird see [this discussion](https://android.stackexchange.com/questions/28481/how-do-you-extract-an-apps-data-from-a-full-backup-made-through-adb-backup)
+   for details. Also note that the format is different when using
+   TWRP, see that [other discussion](https://android.stackexchange.com/questions/171638/extract-twrp-backups-made-with-adb)
+
 I do not believe this makes a backup of the data in sdcard, however,
 so if user data should also be backed up, the above backup and Music,
 Podcasts, Pictures and so on can all be pulled at once with:

fix some wording and links
diff --git a/blog/2017-07-29-free-software-activities-july-2017.mdwn b/blog/2017-07-29-free-software-activities-july-2017.mdwn
index bcaacc6..5aa6b31 100644
--- a/blog/2017-07-29-free-software-activities-july-2017.mdwn
+++ b/blog/2017-07-29-free-software-activities-july-2017.mdwn
@@ -103,29 +103,31 @@ introduced a regression. Unfortunately, there is no test suite or
 proof of concept to control the results.
 
 The reality is that ipsec-tools is really old, and should maybe simply
-be removed from Debian, in favor of Strongswan. Upstream hasn't done a
-release in years and various distributions have patched up forks of
-those to keep it alive... I was happy, however, to know that the
-maintainer (noahm) will take care of managing the resulting upload
-with my patch in LTS and other suites, fixing that issue for now.
+be removed from Debian, in favor of [[!debpkg strongswan]]. Upstream
+hasn't done a release in years and various distributions have patched
+up forks of those to keep it alive... I was happy, however, to know
+that a maintainer will take care of updating the various suites,
+including LTS, with my improved patch. So this fixes the issue for
+now, but I would strongly encourage users to switch away from
+ipsec-tools in the future.
 
 apache2
 -------
 
-Finally, I was bitten back by my old [DLA-841-1](https://lists.debian.org/20170228162053.rl5scb5vmevtux4w@curie.anarc.at) upload I did all
-the way back in February, as it introduced a regression ([[!debbug
-858373]]) in which it was possible to segfault Apache workers with a
-trivial query, in certain (rather exotic, I might add) configurations
-(ErrorDocument 400 directive pointing to a cgid script in worker
-mode). 
+Finally, I was bitten by the old [DLA-841-1](https://lists.debian.org/20170228162053.rl5scb5vmevtux4w@curie.anarc.at) upload I did all the
+way back in February, as it introduced a regression ([[!debbug
+858373]]). It turns out it was possible to segfault Apache workers
+with a trivial HTTP request, in certain (rather exotic, I might add)
+configurations (`ErrorDocument` 400 directive pointing to a cgid script
+in worker mode).
 
 Still, it was a serious regression and I found a part of the nasty
 long patch we worked on back then that was faulty, and introduced a
 small fix to correct that. The [proposed](https://lists.debian.org/87r2x9rjjt.fsf@curie.anarc.at) package unfortunately
 didn't yield any feedback, and I can only assume it will work okay for
 people. The result is the [DLA-841-2](https://lists.debian.org/20170729174152.f6r4dmqtnuddt743@curie.anarc.at) upload which fixes the
-regression. I unfortunately didn't have time to work on the other CVEs
-affecting apache2 in LTS at the time of writing.
+regression. I unfortunately didn't have time to work on the remaining
+CVEs affecting apache2 in LTS at the time of writing.
 
 Triage
 ------
@@ -159,7 +161,7 @@ Announcing ecdysis
 I recently published [ecdysis](https://gitlab.com/anarcat/ecdysis), a set of template and code samples
 that I frequently reuse across project. This is probably the least
 pronounceable project name I have ever chosen, but this is somewhat on
-purpose. The purpose of this project is not collaboration or to become
+purpose. The goal of this project is not collaboration or to become
 a library: it's just a personal project which I share with the world
 as a curiosity.
 
@@ -168,7 +170,7 @@ To quote the README file:
 > The name comes from what snakes and other animals do to "create a new
 > snake": they shed their skin. This is not so appropriate for snakes,
 > as it's just a way to rejuvenate their skin, but is especially
-> relevant for anthropods since the ecdysis may be associated with a
+> relevant for anthropods since then "ecdysis" may be associated with a
 > metamorphosis:
 > 
 > > Ecdysis is the moulting of the cuticle in many invertebrates of
@@ -194,20 +196,23 @@ code could also be factored into upstream project and maybe even the
 Python standard library.
 
 In short, this is stuff I keep on forgetting how to do: a proper
-`setup.py` config, some fancy `argparse` extensions and so on.
+`setup.py` config, some fancy `argparse` extensions and so on. Instead
+of having to remember where I had written that clever piece of code, I
+now shove it in the crazy chaotic project where I can find it again in
+the future.
 
 Beets experiments
 -----------------
 
 Since I started using [Subsonic](http://subsonic.org/) (or [Libresonic](http://libresonic.org/)) to manage the
 music on my phone, album covers are suddenly way more interesting. But
-my collection so far has had limited album covers: my other media play
-([gmpc](https://gmpclient.org/)) would download those on the fly on its own and store them
-in its own database - not on the filesystem. I guess this could be
-considered to be a limitation of Subsonic, but I actually appreciate
-the separation of duty here: garbage in, garbage out. The quality of
-Subsonic's rendering depends largely on how well setup your library
-and tags are.
+my collection so far has had limited album covers: my other media
+player ([gmpc](https://gmpclient.org/)) would download those on the fly on its own and
+store them in its own database - not on the filesystem. I guess this
+could be considered to be a limitation of Subsonic, but I actually
+appreciate the separation of duty here. Garbage in, garbage out: the
+quality of Subsonic's rendering depends largely on how well setup your
+library and tags are.
 
 It turns out there is an amazing tool called [beets](http://beets.readthedocs.io/) to do exactly
 that kind of stuff. I originally discarded that "media library
@@ -242,8 +247,8 @@ overkill and confusing.
 
 Oh, and thanks to those efforts, I got admitted in the [beetbox](https://github.com/beetbox)
 organization on GitHub! I am not sure what I will do with that
-newfound power: I was scratching an itch, really. But hopefully I'll
-be able to help here and there in the future as well.
+newfound power: I was just scratching an itch, really. But hopefully
+I'll be able to help here and there in the future as well.
 
 Debian package maintenance
 --------------------------

creating tag page tag/beets
diff --git a/tag/beets.mdwn b/tag/beets.mdwn
new file mode 100644
index 0000000..9cb9c16
--- /dev/null
+++ b/tag/beets.mdwn
@@ -0,0 +1,4 @@
+[[!meta title="pages tagged beets"]]
+
+[[!inline pages="tagged(beets)" actions="no" archive="yes"
+feedshow=10]]

creating tag page tag/ecdysis
diff --git a/tag/ecdysis.mdwn b/tag/ecdysis.mdwn
new file mode 100644
index 0000000..b9093c9
--- /dev/null
+++ b/tag/ecdysis.mdwn
@@ -0,0 +1,4 @@
+[[!meta title="pages tagged ecdysis"]]
+
+[[!inline pages="tagged(ecdysis)" actions="no" archive="yes"
+feedshow=10]]

complete volunteer work report
diff --git a/blog/2017-07-29-free-software-activities-july-2017.mdwn b/blog/2017-07-29-free-software-activities-july-2017.mdwn
index c135290..bcaacc6 100644
--- a/blog/2017-07-29-free-software-activities-july-2017.mdwn
+++ b/blog/2017-07-29-free-software-activities-july-2017.mdwn
@@ -127,8 +127,8 @@ people. The result is the [DLA-841-2](https://lists.debian.org/20170729174152.f6
 regression. I unfortunately didn't have time to work on the other CVEs
 affecting apache2 in LTS at the time of writing.
 
-Minor triage
-------------
+Triage
+------
 
 I also did some miscellaneous triage by filing [[!debbug 867477]] for
 [[!debpkg poppler]] in an effort to document better the pending issue.
@@ -148,4 +148,139 @@ and let them open for others to look at.
 Other free software work
 ========================
 
-[[!tag debian-planet debian debian-lts python-planet software geek free]]
+And of course, there's my usual monthly volunteer work. My ratio is a
+little better this time, having reached an about even ratio between
+paid and volunteer work, whereas this was 60% volunteer work [[in
+march|2017-03-30-free-software-activities-march-2017/]].
+
+Announcing ecdysis
+------------------
+
+I recently published [ecdysis](https://gitlab.com/anarcat/ecdysis), a set of template and code samples
+that I frequently reuse across project. This is probably the least
+pronounceable project name I have ever chosen, but this is somewhat on
+purpose. The purpose of this project is not collaboration or to become
+a library: it's just a personal project which I share with the world
+as a curiosity.
+
+To quote the README file:
+
+> The name comes from what snakes and other animals do to "create a new
+> snake": they shed their skin. This is not so appropriate for snakes,
+> as it's just a way to rejuvenate their skin, but is especially
+> relevant for anthropods since the ecdysis may be associated with a
+> metamorphosis:
+> 
+> > Ecdysis is the moulting of the cuticle in many invertebrates of
+> > the clade Ecdysozoa. Since the cuticle of these animals typically
+> > forms a largely inelastic exoskeleton, it is shed during growth
+> > and a new, larger covering is formed. The remnants of the old,
+> > empty exoskeleton are called exuviae.
+> >                                                      — Wikipedia
+> 
+> So this project is metamorphosed into others when the documentation
+> templates, code examples and so on are reused elsewhere. For that
+> reason, the license is an unusally liberal (for me) MIT/Expat
+> license.
+>
+> The name also has the nice property of being absolutely
+> unpronounceable, which makes it unlikely to be copied but easy to
+> search online.
+
+It was an interesting exercise to go back into older projects and
+factor out interesting code. The process is not complete yet, as there
+are older projects I'm still curious in reviewing. A bunch of that
+code could also be factored into upstream project and maybe even the
+Python standard library.
+
+In short, this is stuff I keep on forgetting how to do: a proper
+`setup.py` config, some fancy `argparse` extensions and so on.
+
+Beets experiments
+-----------------
+
+Since I started using [Subsonic](http://subsonic.org/) (or [Libresonic](http://libresonic.org/)) to manage the
+music on my phone, album covers are suddenly way more interesting. But
+my collection so far has had limited album covers: my other media play
+([gmpc](https://gmpclient.org/)) would download those on the fly on its own and store them
+in its own database - not on the filesystem. I guess this could be
+considered to be a limitation of Subsonic, but I actually appreciate
+the separation of duty here: garbage in, garbage out. The quality of
+Subsonic's rendering depends largely on how well setup your library
+and tags are.
+
+It turns out there is an amazing tool called [beets](http://beets.readthedocs.io/) to do exactly
+that kind of stuff. I originally discarded that "media library
+management system for obsessive-compulsive [OC] music geeks", trying to
+convince myself i was *not* an "OC music geek". Turns out I am. Oh
+well.
+
+Thanks to beets, I was able to download album covers for a lot of the
+albums in my collection. The only covers that are missing now are
+albums that are not correctly tagged and that beets couldn't
+automatically fix up. I still need to go through those and fix all
+those tags, but the first run did an impressive job at getting album
+covers.
+
+Then I got the next crazy idea: after a camping trip where we forgot
+(*again*) the lyrics to [Georges Brassens](https://en.wikipedia.org/wiki/Georges_Brassens), I figured I could start
+putting some lyrics on my ebook reader. "How hard can that be?" of
+course, being the start of another crazy project. A [pull request](https://github.com/beetbox/beets/pull/2628)
+and 3 days later, I had something that could turn a beets lyrics
+database into a [Sphinx](http://www.sphinx-doc.org/) document which, in turn, can be turned
+into an ePUB. In the process, I probably got [blocked](https://github.com/beetbox/beets/pull/2634) from
+MusixMatch a hundred times, but it's done. Phew!
+
+The resulting e-book is about 8000 pages long, but is still
+surprisingly responsive. In the process, I also happened to do a
+[partial benchmark](https://github.com/beetbox/beets/issues/2635#issuecomment-316182853) of Python's bloom filter libraries. The biggest
+surprise there was the performance of the `set` builtin: for small
+items, it *is* basically as fast as a bloom filter. Of course, when
+the item size grows larger, its memory usage explodes, but in this
+case it turned out to be sufficient and bloom filter completely
+overkill and confusing.
+
+Oh, and thanks to those efforts, I got admitted in the [beetbox](https://github.com/beetbox)
+organization on GitHub! I am not sure what I will do with that
+newfound power: I was scratching an itch, really. But hopefully I'll
+be able to help here and there in the future as well.
+
+Debian package maintenance
+--------------------------
+
+I did some normal upkeep on a bunch of my packages this month, that
+were long overdue:
+
+ * [uploaded](https://tracker.debian.org/news/857733) [[!debpkg slop]] 6.3.47-1: major new upstream release
+ * [uploaded](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870082) an NMU for [[!debpkg maim]] 5.4.64-1.1: maim was
+   broken by the slop release
+ * [uploaded](https://tracker.debian.org/news/857724) [[!debpkg pv]] 1.6.6-1: new upstream release
+ * [uploaded](https://tracker.debian.org/news/858188) [[!debpkg kedpm]] 1.0+deb8u1 to jessie (oldstable):
+   one last security fix ([[!debbug 860817]], [[!debcve
+   CVE-2017-8296]]) for that derelict password manager
+ * [uploaded](https://tracker.debian.org/news/857739) [[!debpkg charybdis]] 3.5.5-1: new minor upstream
+   release, with optional support for [[!debpkg mbedtls]]
+ * filed [[!debbug 866786]] against [[!debpkg cryptsetup]] to make the
+   remote initramfs SSH-based unlocking support multiple devices:
+   thanks to the maintainer, this now works flawlessly in buster and
+   may be backported to stretch
+ * expanded on [[!debbug 805414]] against [[!debpkg gdm3]] and
+   [[!debbug 845938]] against [[!debpkg pulseaudio]], because I had
+   trouble connecting my computer to this new Bluetooth speaker. turns
+   out this is a known issue in Pulseaudio: whereas it releases ALSA
+   devices, it doesn't release Bluetooth devices properly. Documented
+   this more clearly in the [wiki page](https://wiki.debian.org/BluetoothUser/a2dp#Refused_to_switch_profile_to_a2dp_sink:_Not_connected)
+ * filed [[!debbug 866790]] regarding old stray Apparmor profiles that
+   were lying around my system after an upgrade, which got me
+   interested in [[!debbug 830502]] in turn
+ * filed [[!debbug 868728]] against [[!debpkg cups]] regarding a weird
+   behavior I had interacting with a network printer. turns out the
+   other workstation was misconfigured... why are printers still so
+   hard?
+ * filed [[!debbug 870102]] to automate sbuild schroots upgrades
+ * after playing around with [rash](https://pypi.python.org/pypi/rash) tried to complete the packaging
+   ([[!debbug 754972]]) of [percol](https://github.com/mooz/percol/pull/97) with this [pull request](https://github.com/mooz/percol/pull/97)
+   upstream. this ended up to be way too much overhead and I reverted
+   to my old normal history habits.
+
+[[!tag debian-planet debian debian-lts python-planet software geek free beets ecdysis subsonic]]

first report draft
diff --git a/blog/2017-07-29-free-software-activities-july-2017.mdwn b/blog/2017-07-29-free-software-activities-july-2017.mdwn
new file mode 100644
index 0000000..c135290
--- /dev/null
+++ b/blog/2017-07-29-free-software-activities-july-2017.mdwn
@@ -0,0 +1,151 @@
+[[!meta title="My free software activities, July 2017"]]
+
+[[!toc levels=2]]
+
+Debian Long Term Support (LTS)
+==============================
+
+This is my monthly working on [Debian LTS][]. This time I worked on
+various hairy issues surrounding ca-certificates, unattended-upgrades,
+apache2 regressions, libmtp, tcpdump and ipsec-tools.
+
+[Debian LTS]: https://www.freexian.com/services/debian-lts.html
+[Raphael Hertzog at Freexian]: http://www.freexian.com
+
+ca-certificates updates
+-----------------------
+
+I've been working on the removal of the Wosign and StartCom
+certificates ([[!debbug 858539]]) and, in general, the synchronisation
+of [[!debpkg ca-certificates]] across suites ([[!debbug 867461]])
+since at least last march. I have made an attempt
+at [summarizing the issue](https://lists.debian.org/87bmoiyhpq.fsf@curie.anarc.at) which led to a productive discussion and
+it seems that, in the end, the maintainer
+will [take care of synchronizing information across suites](https://lists.debian.org/d0b9674a-ac5b-5cc9-1982-fb6f36155c5a@pbandjelly.org).
+
+Guido was right in again [raising the question](https://lists.debian.org/20170707140251.igywdem62hjuuu4y@bogon.m.sigxcpu.org) of synchronizing
+NSS across all suites ([[!debbug 824872]]) which
+itself [raised the other question](https://lists.debian.org/20170721210322.ctlq3oajxz5w4df5@pisco.westfalen.local) of how to test reverse
+dependencies. This brings me back to [[!debbug 817286]] which,
+basically proposed the idea of having "proposed updates" for security
+issues. The problem is while we can upload test packages
+to [stable proposed-updates](https://wiki.debian.org/StableProposedUpdates), we can't do the same in LTS because
+the suite is closed and we operate only on security packages. This
+issue came up before in other security upload and we need to think
+better about how to solve this.
+
+unattended-upgrades
+-------------------
+
+Speaking of security upgrades brings me to the question of a bug
+([[!debbug 867169]]) that was filed against the wheezy version of
+[[!debpkg unattended-upgrades]], which showed that the package simply
+stopped working since the latest stable release, because wheezy became
+"oldoldstable". I first [suggested](https://lists.debian.org/87fuecs1vg.fsf@curie.anarc.at) using the "codename" but that
+appears to have been introduced only after wheezy.
+
+In the end, I [proposed](https://lists.debian.org/87efteyinr.fsf@curie.anarc.at) a simple update that would fix the
+configuration files and uploaded this as [DLA-1032-1](https://lists.debian.org/20170719135700.juzjilhunyyswheh@curie.anarc.at). This is
+thankfully fixed in later releases and will not require such hackery
+when jessie becomes LTS as well.
+
+libmtp
+------
+
+Next up is the work on the [[!debpkg libmtp]] vulnerabilities
+([[!debcve CVE-2017-9831]] and [[!debcve CVE-2017-9832]]). As I
+described in my [announcement](https://lists.debian.org/87lgnzvjvb.fsf@curie.anarc.at), the work to backport the patch was
+huge, as upstream basically backported a whole library from the
+[[!debpkg gphoto2]] package to fix those issues (and probably many
+more). The lack of a test suite made it difficult to trust my own
+work, but given that I had no (negative) feedback, I figured it was
+okay to simply upload the result and that became [DLA-1029-1](https://lists.debian.org/20170717213810.b3phflqfi3k3ksza@curie.anarc.at).
+
+tcpdump
+-------
+
+I then looked at reproducing [[!debcve CVE-2017-11108]], a heap
+overflow triggered [[!debpkg tcpdump]] would parse specifically
+[[!wikipedia STP]] packets. In [[!debbug 867718]], I described how to
+reproduce the issue across all suites and opened
+an [issue upstream](https://github.com/the-tcpdump-group/tcpdump/issues/616), given that the upstream maintainers hadn't
+responded responded in weeks according to notes in
+the [RedHat Bugzilla issue](https://bugzilla.redhat.com/show_bug.cgi?id=1468504). I eventually worked on a [patch](https://github.com/the-tcpdump-group/tcpdump/pull/617)
+which I shared upstream, but that was rejected as they were already
+working on it in their embargoed repository.
+
+I can explain this confusion and duplication of work with:
+
+ 1. the original submitter didn't really contact security@tcpdump.org
+ 2. he did and they didn't reply, being just too busy
+ 3. they replied and he didn't relay that information back
+
+I think #2 is most likely: the tcpdump.org folks are probably very
+busy with tons of reports like this. Still, I should probably have
+contacted security@tcpdump.org directly *before* starting my work,
+even though no harm was done because I didn't divulge issues that were
+already public.
+
+Since then, tcpdump has released 4.9.1 which fixes the issue, but
+*then* new CVEs came out that will require more work and probably
+another release. People looking into this issue must be certain to
+coordinate with the tcpdump security team before fixing the actual
+issues.
+
+ipsec-tools
+-----------
+
+Another package that didn't quite have a working solution is the
+[[!debpkg ipsec-tools]] suite, in which the racoon daemon was
+vulnerable to a remotely-triggered DOS attack ([[!debcve
+CVE-2016-10396]]). I reviewed and [fixed](https://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=51682) the upstream patch which
+introduced a regression. Unfortunately, there is no test suite or
+proof of concept to control the results.
+
+The reality is that ipsec-tools is really old, and should maybe simply
+be removed from Debian, in favor of Strongswan. Upstream hasn't done a
+release in years and various distributions have patched up forks of
+those to keep it alive... I was happy, however, to know that the
+maintainer (noahm) will take care of managing the resulting upload
+with my patch in LTS and other suites, fixing that issue for now.
+
+apache2
+-------
+
+Finally, I was bitten back by my old [DLA-841-1](https://lists.debian.org/20170228162053.rl5scb5vmevtux4w@curie.anarc.at) upload I did all
+the way back in February, as it introduced a regression ([[!debbug
+858373]]) in which it was possible to segfault Apache workers with a
+trivial query, in certain (rather exotic, I might add) configurations
+(ErrorDocument 400 directive pointing to a cgid script in worker
+mode). 
+
+Still, it was a serious regression and I found a part of the nasty
+long patch we worked on back then that was faulty, and introduced a
+small fix to correct that. The [proposed](https://lists.debian.org/87r2x9rjjt.fsf@curie.anarc.at) package unfortunately
+didn't yield any feedback, and I can only assume it will work okay for
+people. The result is the [DLA-841-2](https://lists.debian.org/20170729174152.f6r4dmqtnuddt743@curie.anarc.at) upload which fixes the
+regression. I unfortunately didn't have time to work on the other CVEs
+affecting apache2 in LTS at the time of writing.
+
+Minor triage
+------------
+
+I also did some miscellaneous triage by filing [[!debbug 867477]] for
+[[!debpkg poppler]] in an effort to document better the pending issue.
+
+Next up was some minor work on [[!debpkg eglibc]] issues. [[!debcve
+CVE-2017-8804]] has a patch, but it's been [disputed](https://sourceware.org/ml/libc-alpha/2017-05/msg00128.html). since the
+main victim of this and the core of the vulnerability ([[!debpkg
+rpcbind]]) has already been fixed, I am not sure this vulnerability is
+still a thing in LTS at all.
+
+I also looked at [[!debcve CVE-2014-9984]], but the code is so
+different in wheezy that I wonder if LTS is affected at
+all. Unfortunately, the eglibc gymnastics are a little beyond me and I
+do not feel confident enough to just push those issues aside for now
+and let them open for others to look at.
+
+Other free software work
+========================
+
+[[!tag debian-planet debian debian-lts python-planet software geek free]]

add the pyra to laptop list
diff --git a/hardware/laptop.mdwn b/hardware/laptop.mdwn
index 5d3ee51..ce6e5f2 100644
--- a/hardware/laptop.mdwn
+++ b/hardware/laptop.mdwn
@@ -59,6 +59,32 @@ https://www.pine64.org/?page_id=3707
  * LCD 11.6"
  * 1.04Kg
 
+Pyra
+----
+
+https://pyra-handheld.com/boards/pages/pyra/
+
+Tiny computer, a cross between a laptop, a Nintendo DS and a phone.
+
+ * Dual-core ARM Cortex A15 1.5GHz
+ * 2/4GB RAM
+ * 32GB flash eMMC
+ * 2 SDXC slots + one internal MicroSDXC
+ * Wifi bgn, BT 4.1
+ * Sensors: gyro, accel, compass, humidity? temperature? pressure?
+ * Mini-HDMI
+ * Physical keyboard
+ * 2xUSB 2.0, 1xMicroUSB 3.0
+ * Optional GPS
+ * Optional GSM
+ * 720p 5" screen
+ * 139 x 87 x 32 mm, 400g
+ * non-free: GPU 3D driver + firmware, wifi + BT firmware
+ * 8h battery?
+ * 2GB no mobile: 595EUR (tx inc.), 4GB + mobile: 745EUR (tx inc.)
+
+https://www.pyra-handheld.com/wiki/index.php?title=Comparison_Chart
+
 x201
 ----
 

link to plan comparison
diff --git a/hardware/phone.mdwn b/hardware/phone.mdwn
index 52a4b2b..adb80f0 100644
--- a/hardware/phone.mdwn
+++ b/hardware/phone.mdwn
@@ -540,3 +540,6 @@ References
  * <http://www.devicespecifications.com/> - good comparison tool
  * <http://www.gsmarena.com/> - more detailed and up to date tool!
  * <https://www.stockdroids.com/> - curated list
+ * <http://www.planhub.ca/> - good plan comparison tool
+ * <https://wiki.debconf.org/wiki/DebConf17/Sim-card-information> -
+   quick research done for Debconf

another note about purism
diff --git a/hardware/laptop.mdwn b/hardware/laptop.mdwn
index b5eb4ae..5d3ee51 100644
--- a/hardware/laptop.mdwn
+++ b/hardware/laptop.mdwn
@@ -118,7 +118,8 @@ Purism
 
 https://puri.sm/products/
 
-1500 - 1700$USD... trop cher.
+1500 - 1700$USD... trop cher. mais vraiment intéressant parce qu'ils
+semblent vraiment libérer le matériel.
 
 System76
 --------

fix links for suppliers
diff --git a/hardware/laptop.mdwn b/hardware/laptop.mdwn
index 6848ae0..b5eb4ae 100644
--- a/hardware/laptop.mdwn
+++ b/hardware/laptop.mdwn
@@ -281,7 +281,9 @@ has a lower actual clock speed (2.3GHz vs 2.93GHz).
 Fournisseurs
 ============
 
-* minifree: https://minifree.org/ coreboot + x200 t400
-* dantech: http://www.dantech.ca/?q=17-- - local friendly folks
-* https://www.toplaptop.ca/ - local + cheap source of thinkpads
-* https://www.mikescomputershop.com/ - cheap canada seller
+* [minifree](https://minifree.org/) make pre-flashed computers with coreboot, but mostly
+  older ones: x200 t400
+* [dantech](http://www.dantech.ca/) - local friendly folks
+* [toplaptop](https://www.toplaptop.ca/) - local + cheap source of thinkpads
+* [mike's computer shop](https://www.mikescomputershop.com/) - cheap canada seller
+* [canada computers](http://www.canadacomputers.com) - famous toronto computer shop?

document latest fuel trip
diff --git a/pleinair/liste.mdwn b/pleinair/liste.mdwn
index 5421f4b..9c0cd7d 100644
--- a/pleinair/liste.mdwn
+++ b/pleinair/liste.mdwn
@@ -309,7 +309,9 @@ amener. Voici quelques expériences que j'ai noté:
 
 * [[!wikipedia Naphta]] dans un Whisperlite International: 4.4L d'eau bouillie par 100mL ([source][]) - [ce site][] dit qu'une petite bouteille de 11oz peut durer une semaine, mais ça me semble optimiste.
 * trip de ski dans les chics-chocs de 4 jours: utilisé environ 350mL (une bouteille de 325mL pleine et un peu plus) de naphte en plus d'une bouteille de propane Primus pour 6 personnes, incluant plusieurs cafés, thé, chauffé l'eau pour la vaisselle des fois, etc -- TheAnarcat 2015-03-17T11:47:19-0400
-* canot-camping parc de la mauricie, 3 jours: 325 mL épuisés pour plusieurs pâtes, thés, 5 personnes -- TheAnarcat 2015-07-24T19:07:09-0400
+* canot-camping parc de la mauricie, 3 jours, 5 personnes: 325 mL épuisés pour plusieurs pâtes, thés -- TheAnarcat 2015-07-24T19:07:09-0400
+* canot-camping parc de la verendrye, 5 jours, 6 personnes: ~2 cans de
+  propane sur un four coleman -- anarcat 2017-07-14
 * lire aussi: <http://bushwalkingnsw.org.au/clubsites/FAQ/FAQ_Efficiency.htm>
 
  [source]: http://www.cascadedesigns.com/msr/stoves/simple-cooking/whisperlite-universal/product#specs

whalebuilder is in debian now
diff --git a/software/debian-development.mdwn b/software/debian-development.mdwn
index fd28db8..0028353 100644
--- a/software/debian-development.mdwn
+++ b/software/debian-development.mdwn
@@ -748,8 +748,9 @@ simple `chroot`: in `whalebuilder`, packages are built without network
 access and inside a virtualized environment. Keep in mind there are
 limitations to Docker's security and that `pbuilder` and `sbuild` *do* build
 under a different user which will limit the security issues with
-building untrusted packages. Furthermore, `whalebuilder` is not
-currently packaged as an official Debian package and lacks certain
+building untrusted packages. Furthermore, `whalebuilder` <del>is not
+currently packaged as an official Debian package</del> (it is now, see
+[[!debpkg whalebuilder]]) and lacks certain
 features (like [passing custom arguments to dpkg-buildpackage][]) so I
 don't feel it is quite ready yet. For now, if you need better
 isolation, look towards [qemubuilder][] or possibly kvmtool.

Added a comment: correction
diff --git a/blog/2017-03-02-password-hashers/comment_4_48650d1ee8453c1e3dcb446ab7fd207e._comment b/blog/2017-03-02-password-hashers/comment_4_48650d1ee8453c1e3dcb446ab7fd207e._comment
new file mode 100644
index 0000000..5451f31
--- /dev/null
+++ b/blog/2017-03-02-password-hashers/comment_4_48650d1ee8453c1e3dcb446ab7fd207e._comment
@@ -0,0 +1,10 @@
+[[!comment format=mdwn
+ username="anarcat"
+ avatar="http://cdn.libravatar.org/avatar/741655483dd8a0b4df28fb3dedfa7e4c"
+ subject="correction"
+ date="2017-07-06T16:32:04Z"
+ content="""
+> How does the JavaScript sniffing work? Isn't wijjo's Password Hasher always a popup dialog in a separate window?
+
+You're right, the Password Hasher master password is entered in a separate window. I am not sure, however, how well that protects the user. But it's true that I was refering to password Hasher Plus here where you type the master password directly in the site password form...
+"""]]

Added a comment
diff --git a/blog/2017-03-02-password-hashers/comment_3_52adf0c1704b75b2c9bebed4b5a26f42._comment b/blog/2017-03-02-password-hashers/comment_3_52adf0c1704b75b2c9bebed4b5a26f42._comment
new file mode 100644
index 0000000..0fd7c50
--- /dev/null
+++ b/blog/2017-03-02-password-hashers/comment_3_52adf0c1704b75b2c9bebed4b5a26f42._comment
@@ -0,0 +1,10 @@
+[[!comment format=mdwn
+ ip="2.246.106.24"
+ subject="comment 3"
+ date="2017-07-06T16:06:49Z"
+ content="""
+> The venerable Password Hasher is much easier to use, but it makes you type the master password directly in the site's password form, so hostile sites can simply use JavaScript to sniff the master password while it is typed.
+
+How does the JavaScript sniffing work? Isn't wijjo's Password Hasher always a popup dialog in a separate window?
+
+"""]]

Added a comment: docker!
diff --git a/blog/2017-07-03-free-software-activities-june-2017/comment_3_2d2db2fb35e95d42bfee2c0de22127db._comment b/blog/2017-07-03-free-software-activities-june-2017/comment_3_2d2db2fb35e95d42bfee2c0de22127db._comment
new file mode 100644
index 0000000..f0877db
--- /dev/null
+++ b/blog/2017-07-03-free-software-activities-june-2017/comment_3_2d2db2fb35e95d42bfee2c0de22127db._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ ip="107.190.36.196"
+ claimedauthor="mvc"
+ subject="docker!"
+ date="2017-07-04T00:10:04Z"
+ content="""
+Docker is amazing! It's been like learning git for me; hard to wrap my head around at first but the more I know about it the more I can't imagine living without it.
+"""]]

reply re. libresonic
diff --git a/blog/2017-07-03-free-software-activities-june-2017.mdwn b/blog/2017-07-03-free-software-activities-june-2017.mdwn
index 077c1a6..fad2dbd 100644
--- a/blog/2017-07-03-free-software-activities-june-2017.mdwn
+++ b/blog/2017-07-03-free-software-activities-june-2017.mdwn
@@ -175,12 +175,12 @@ audio server which some friends have shown me. Since Subsonic is
 proprietary, I didn't want it to contaminate the rest of my server and
 it seemed like a great occasion to try out containers to keep things
 tidy. Containers may also allow me to transparently switch to
-the [FLOSS fork](http://libresonic.org/) once the trial period is over.
+the FLOSS fork [LibreSonic](http://libresonic.org/) once the trial period is over.
 
 I have learned a lot and may write more about the details of that
 experience soon, for now you can look at the [contributions](https://github.com/mschuerig/subsonic-docker-image/issues?utf8=%E2%9C%93&q=author%3Aanarcat%20) I made
 to the unofficial Subsonic docker image, but also
-the [libresonic one](https://github.com/tonipes/libresonic-docker).
+the [LibreSonic one](https://github.com/tonipes/libresonic-docker).
 
 Since Subsonic also promotes album covers as first-class citizens, I
 used [beets](http://beets.io/) to download a lot of album covers, which was really
diff --git a/blog/2017-07-03-free-software-activities-june-2017/comment_2_f4f19978980b7f4da80e6b8b8f0b4275._comment b/blog/2017-07-03-free-software-activities-june-2017/comment_2_f4f19978980b7f4da80e6b8b8f0b4275._comment
new file mode 100644
index 0000000..cfba88a
--- /dev/null
+++ b/blog/2017-07-03-free-software-activities-june-2017/comment_2_f4f19978980b7f4da80e6b8b8f0b4275._comment
@@ -0,0 +1,7 @@
+[[!comment format=mdwn
+ username="anarcat"
+ subject="""comment 2"""
+ date="2017-07-03T22:49:10Z"
+ content="""
+I knew about Libresonic! I even linked to it in the article, although maybe that wasn't very clear. I've updated the article to make a more obvious reference.
+"""]]

Added a comment: Subsonic is propietary
diff --git a/blog/2017-07-03-free-software-activities-june-2017/comment_1_85a06890290eb6a1f6a533b4f4c4dff9._comment b/blog/2017-07-03-free-software-activities-june-2017/comment_1_85a06890290eb6a1f6a533b4f4c4dff9._comment
new file mode 100644
index 0000000..baff89b
--- /dev/null
+++ b/blog/2017-07-03-free-software-activities-june-2017/comment_1_85a06890290eb6a1f6a533b4f4c4dff9._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ ip="200.86.33.111"
+ claimedauthor="Felipe"
+ subject="Subsonic is propietary"
+ date="2017-07-03T21:38:45Z"
+ content="""
+But it wasn't always so. There is [libresonic](https://github.com/Libresonic/libresonic) that forked from the last free version. You might want to check it out.
+"""]]

fix broken link
diff --git a/blog/2017-07-03-free-software-activities-june-2017.mdwn b/blog/2017-07-03-free-software-activities-june-2017.mdwn
index a62f2fb..077c1a6 100644
--- a/blog/2017-07-03-free-software-activities-june-2017.mdwn
+++ b/blog/2017-07-03-free-software-activities-june-2017.mdwn
@@ -75,7 +75,7 @@ was actually simpler and more straightforward in newer versions, which
 is reassuring. I [uploaded the packages for testing](id:20170629202010.oe3xcyfmxjgejd3m@curie.anarc.at) and uploaded
 them a year later.
 
-I also took extra time to [share the patch](https://lists.debian.org/20170703144502.xw7rluxgayqiwek6@curie.anarc.at) in the Debian
+I also took extra time to [share the patch](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863897#50) in the Debian
 bugtracker, so that people working on the issue in stable may benefit
 from the backported patch, if needed. One issue that came up during
 that work is that sudo doesn't have a test suite at all, so it is

creating tag page tag/docker
diff --git a/tag/docker.mdwn b/tag/docker.mdwn
new file mode 100644
index 0000000..4713807
--- /dev/null
+++ b/tag/docker.mdwn
@@ -0,0 +1,4 @@
+[[!meta title="pages tagged docker"]]
+
+[[!inline pages="tagged(docker)" actions="no" archive="yes"
+feedshow=10]]

creating tag page tag/subsonic
diff --git a/tag/subsonic.mdwn b/tag/subsonic.mdwn
new file mode 100644
index 0000000..caae3dd
--- /dev/null
+++ b/tag/subsonic.mdwn
@@ -0,0 +1,4 @@
+[[!meta title="pages tagged subsonic"]]
+
+[[!inline pages="tagged(subsonic)" actions="no" archive="yes"
+feedshow=10]]

monthly
diff --git a/blog/2017-07-03-free-software-activities-june-2017.mdwn b/blog/2017-07-03-free-software-activities-june-2017.mdwn
new file mode 100644
index 0000000..a62f2fb
--- /dev/null
+++ b/blog/2017-07-03-free-software-activities-june-2017.mdwn
@@ -0,0 +1,213 @@
+[[!meta title="My free software activities, June 2017"]]
+
+[[!toc levels=2]]
+
+Debian Long Term Support (LTS)
+==============================
+
+This is my monthly [Debian LTS][] report. This time I worked on
+Mercurial, sudo and Puppet.
+
+[Debian LTS]: https://www.freexian.com/services/debian-lts.html
+
+Mercurial remote code execution
+-------------------------------
+
+I issued [DLA-1005-1](https://lists.debian.org/debian-lts-announce/2017/06/msg00035.html) to resolve problems with the `hg server
+--stdio` command that could be abused by "remote authenticated users to
+launch the Python debugger, and consequently execute arbitrary code,
+by using --debugger as a repository name" ([[!debcve CVE-2017-9462]]).
+
+Backporting the patch was already a little tricky because, as is often
+the case in our line of work, the code had changed significantly in
+newer version. In particular, the commandline dispatcher had been
+refactored which made the patch non-trivial to port. On the other
+hand, mercurial has an extensive test suite which allowed me to make
+those patches in all confidence. I also backported a part of the test
+suite to detect certain failures better and to fix the output so that
+it matches the backported code. The test suite is slow, however, which
+meant slow progress when working on this package.
+
+I also noticed a strange issue with the test suite: all hardlink
+operations would fail. Somehow it seems that my new [sbuild](https://wiki.debian.org/sbuild) setup
+doesn't support doing hardlinks. I ended up building a tarball schroot
+to build those types of packages, as it seems the issue is related to
+the use of overlayfs in sbuild. The odd part is my tests of overlayfs,
+following [those instructions](http://windsock.io/the-overlay-filesystem/), show that it *does* support
+hardlinks, so there maybe something fishy here that I misunderstand.
+
+This, however, allowed me to get a little more familiar with sbuild
+and the schroots. I also took this opportunity to optimize the builds
+by installing an [apt-cacher-ng](https://www.unix-ag.uni-kl.de/~bloch/acng/) proxy to speed up builds, which
+will also be useful for regular system updates.
+
+Puppet remote code execution
+----------------------------
+
+I have issued [DLA-1012-1](https://lists.debian.org/20170703152945.xe7kmz6ia47menmz@curie.anarc.at) to resolve a remote code execution
+attack against puppetmaster servers, from authenticated clients. To
+quote the advisory: "Versions of Puppet prior to 4.10.1 will
+deserialize data off the wire (from the agent to the server, in this
+case) with a attacker-specified format. This could be used to force
+YAML deserialization in an unsafe manner, which would lead to remote
+code execution."
+
+The fix was non-trivial. Normally, this would have involved fixing the
+YAML parsing, but this was considered problematic because the ruby
+libraries themselves were vulnerable and it wasn't clear we could fix
+the problem completely by fixing YAML
+parsing. The [update I proposed](https://lists.debian.org/87lgode3fr.fsf@curie.anarc.at) took the bold step of switching
+all clients to PSON and simply deny YAML parsing from the server. This
+means all clients need to be updated before the server can be updated,
+but thankfully, updated clients will run against an older server as
+well. Thanks to [LeLutin at Koumbit](https://koumbit.org/) for helping in testing patches
+to solve this issue.
+
+Sudo privilege escalation
+-------------------------
+
+I have issued [DLA-1011-1](https://lists.debian.org/20170703153021.luttrkccgcy4arrq@curie.anarc.at) to resolve an incomplete fix for a
+privilege escalation issue ([[!debcve CVE-2017-1000368]] from
+[[!debcve CVE-2017-1000367]]). The backport was not quite trivial as
+the code had changed quite a lot since wheezy as well. Whereas
+mercurial's code was more complex, it's nice to see that sudo's code
+was actually simpler and more straightforward in newer versions, which
+is reassuring. I [uploaded the packages for testing](id:20170629202010.oe3xcyfmxjgejd3m@curie.anarc.at) and uploaded
+them a year later.
+
+I also took extra time to [share the patch](https://lists.debian.org/20170703144502.xw7rluxgayqiwek6@curie.anarc.at) in the Debian
+bugtracker, so that people working on the issue in stable may benefit
+from the backported patch, if needed. One issue that came up during
+that work is that sudo doesn't have a test suite at all, so it is
+quite difficult to test changes and make sure they do not break
+anything.
+
+Should we upload on fridays?
+----------------------------
+
+I brought up a [discussion](https://lists.debian.org/874luxab2m.fsf@curie.anarc.at) on the mailing list regarding uploads
+on fridays. With the sudo *and* puppet uploads pending, it felt really
+... daring to upload *both* packages, on a friday. Years of sysadmin
+work hardwired me to be careful on fridays; as the saying goes: "don't
+deploy on a friday if you don't want to work on the weekend!"
+
+Feedback was great, but I was surprised to find that most people are
+not worried worried about those issues. I have tried to counter some
+of the arguments that were brought up: I wonder if there could be a
+disconnection here between the package maintainer / programmer work
+and the sysadmin work that is at the receiving end of that
+work. Having myself to deal with broken updates in the past, I'm
+surprised this has never come up in the discussions yet, or that the
+response is so underwhelming.
+
+So far, I'll try to balance the need for prompt security updates and
+the need for stable infrastructure. One does not, after all, go
+without the other...
+
+Triage
+------
+
+I also did small fry triage:
+
+ * [smoke testing and review for apache2](https://lists.debian.org/874lv1frat.fsf@curie.anarc.at)
+ * [ping maintainer for the irssi package](https://lists.debian.org/87d19pe0vw.fsf@curie.anarc.at) [and the ca-certificates package](https://lists.debian.org/87y3sdecd2.fsf@curie.anarc.at)
+ * [finally marked trafficserver as N/A](https://lists.debian.org/87fuele1p4.fsf@curie.anarc.at)
+ * [pinged the yaml-cpp maintainers again](https://github.com/jbeder/yaml-cpp/pull/489#issuecomment-311444644)
+
+Hopefully some of those will come to fruitition shortly.
+
+Other work
+==========
+
+My other work this month was a little all over the place.
+
+Stressant
+---------
+
+Uploaded a new release (0.4.1) of [stressant](http://stressant.readthedocs.io/) to split up the
+documentation from the main package, as the main package was taking
+up [too much space](https://github.com/grml/grml-live/pull/34#issuecomment-307498172) according to grml developers.
+
+The release also introduces limited anonymity option, by blocking
+serial numbers display in the smartctl output.
+
+Debiman
+-------
+
+Also did some small followup on the [debiman](https://github.com/Debian/debiman/) project
+to [fix the FAQ links](https://github.com/Debian/debiman/issues/83).
+
+Local server maintenance
+------------------------
+
+I upgraded my main server to Debian stretch. This generally went well,
+althought the upgrade itself took way more time than I would have
+liked (4 hours!). This is partly because I have a lot of cruft
+installed on the server, but also because of what I consider to be
+issues in the automation of major Debian upgrades. For example, I was
+prompted for changes in configuration files at seemingly random
+moments during the upgrade, and got different debconf prompts to
+answer. This should really be batched together, and unfortunately I
+had forgotten to use the [home-made script](https://wiki.debian.org/AutomatedUpgrade#Home_made_scripts) I established when i
+was working at Koumbit which shortens the upgrade a bit.
+
+I wish we would improve on our major upgrade mechanism. I documented
+possible solutions for this in the [AutomatedUpgrade](https://wiki.debian.org/AutomatedUpgrade) wiki page,
+but I'm not sure I see exactly where to go from here.
+
+I had a few regressions after the upgrade:
+
+ * the infrared remote control stopped working: still need to
+   investigate
+ * my home-grown full-disk encryption remote unlocking script broke,
+   but upstream has a nice workaround, see [[!debbug 866786]]
+ * gdm3 breaks bluetooth support ([[!debbug 805414]] - to be fair,
+   this is not a regression in stretch, it's just that I switched my
+   workstation from lightdm to gdm3 after learning that the latter can
+   do rootless X11!)
+
+Docker and Subsonic
+-------------------
+
+I did my first (and late?) foray into [Docker](https://en.wikipedia.org/wiki/Docker_(software)) and containers. My
+rationale was that I wanted to try out [Subsonic](http://subsonic.org/), an impressive
+audio server which some friends have shown me. Since Subsonic is
+proprietary, I didn't want it to contaminate the rest of my server and
+it seemed like a great occasion to try out containers to keep things
+tidy. Containers may also allow me to transparently switch to
+the [FLOSS fork](http://libresonic.org/) once the trial period is over.
+
+I have learned a lot and may write more about the details of that
+experience soon, for now you can look at the [contributions](https://github.com/mschuerig/subsonic-docker-image/issues?utf8=%E2%9C%93&q=author%3Aanarcat%20) I made
+to the unofficial Subsonic docker image, but also
+the [libresonic one](https://github.com/tonipes/libresonic-docker).
+
+Since Subsonic also promotes album covers as first-class citizens, I
+used [beets](http://beets.io/) to download a lot of album covers, which was really
+nice. I look forward to using beets more, but first I'll need to
+implement [two](https://github.com/beetbox/beets/issues/2617) [plugins](https://github.com/beetbox/beets/issues/2616).
+
+Wallabako
+---------
+
+I did a small release of [wallabako](https://gitlab.com/anarcat/wallabako/) to fix the build with the
+latest changes in the underlying wallabago library, which led me to

(Diff truncated)
properly restart containers on reboot
diff --git a/services/radio.mdwn b/services/radio.mdwn
index 42c1539..4519952 100644
--- a/services/radio.mdwn
+++ b/services/radio.mdwn
@@ -18,7 +18,7 @@ tweak it to my needs and update it to latest versions.
 
 The container is started with:
 
-    sudo docker run --detach --publish 127.0.0.1:4040:4040 --publish 127.0.0.1:4343:4343 --volume "subsonic:/var/subsonic" --volume "/srv:/var/music:ro" anarcat/debian-subsonic --https-port=4343
+    sudo docker run --detach --restart=always --publish 127.0.0.1:4040:4040 --publish 127.0.0.1:4343:4343 --volume "subsonic:/var/subsonic" --volume "/srv:/var/music:ro" anarcat/debian-subsonic --https-port=4343
 
 Then I configured `/srv/mp3` and other directories individually. I
 also changed the admin password. Then the only remaining thing was to

fix broken link
diff --git a/software/debian-development.mdwn b/software/debian-development.mdwn
index d415a61..fd28db8 100644
--- a/software/debian-development.mdwn
+++ b/software/debian-development.mdwn
@@ -545,7 +545,7 @@ there. Debian also has [extensive documentation][], especially about
 really is...
 
 [stapelberg's post on the topic]: https://people.debian.org/~stapelberg/2016/11/25/build-tools.html
-[how to configure overlays]: https://wiki.debian.org/sbuild#Using_overlay_with_sbuild
+[how to configure overlays]: https://wiki.debian.org/sbuild#sbuild_overlays_in_tmpfs
 [extensive documentation]: https://wiki.debian.org/sbuild
 [documentation]: https://wiki.ubuntu.com/SimpleSbuild
 [more]: https://wiki.ubuntu.com/SecurityTeam/BuildEnvironment

hardlinks fiasco
diff --git a/software/debian-development.mdwn b/software/debian-development.mdwn
index 1bcd5ea..d415a61 100644
--- a/software/debian-development.mdwn
+++ b/software/debian-development.mdwn
@@ -435,7 +435,7 @@ generated with `dpkg-buildpackage -S`.
 
 To use sbuild, you first need to configure an image:
 
-    sudo sbuild-createchroot --include=eatmydata,ccache,gnupg unstable /srv/chroot/unstable-amd64-sbuild
+    sudo sbuild-createchroot --include=eatmydata,ccache,gnupg unstable /srv/chroot/unstable-amd64-sbuild http://deb.debian.org/debian
 
 [[!note """
 This assumes that:
@@ -451,6 +451,13 @@ This assumes that:
  3. you want to create an "unstable" image in amd64. to change the
     architecture, use the `--arch` argument, and to change the suite,
     change it in two the places that say `unstable`, obviously
+
+ 4. you won't need to use hardlinks. overlay filesystems do not
+    support hardlinks and you may need to switch to a tarball image if
+    you need that feature (e.g. the mercurial test suite relies on
+    this). to create a tarball image, use this:
+    
+        sudo sbuild-createchroot --make-sbuild-tarball=/srv/chroot/unstable-amd64-sbuild.tar.gz unstable `mktemp -d` http://deb.debian.org/debian
 """]]
 
 The above will create chroots for all the main suites and two
@@ -497,9 +504,9 @@ simply add `-sa` to the commandline.
 [[!tip """
 A few handy sbuild-related commands:
 
- * `sbuild -d wheezy` - build in the `wheezy` chroot even though
-   another suite is specified (e.g. `wheezy-backports` or
-   `wheezy-security`)
+ * `sbuild -c wheezy-amd64-sbuild` - build in the `wheezy` chroot even
+   though another suite is specified (e.g. `UNRElEASED`,
+   `wheezy-backports` or `wheezy-security`)
 
  * `schroot -c wheezy-amd64-sbuild` - enter the `wheezy` chroot to make
    tests, changes will be discarded
@@ -507,6 +514,12 @@ A few handy sbuild-related commands:
  * `sbuild-shell wheezy` - enter the `wheezy` chroot to make
    *permanent* changes, which will *not* be discarded
 
+ * `sbuild-destroychroot` - supposedly destroys schroots created by
+   sbuild for later rebuilding, but I have found that command to be
+   quite unreliable. besides, all it does is:
+
+        rm -rf /srv/chroot/unstable-amd64-sbuild /etc/schroot/chroot.d/unstable-amd64-sbuild-*
+
 Also note that it is useful to add aliases to your `schroot`
 configuration files. This allows you, for example, to automatically
 build `wheezy-security` or `wheezy-backports` packages in the `wheezy`

link to CrossGrading article
diff --git a/services/upgrades/cross-architecture.mdwn b/services/upgrades/cross-architecture.mdwn
index 1f0ea1f..bf173ba 100644
--- a/services/upgrades/cross-architecture.mdwn
+++ b/services/upgrades/cross-architecture.mdwn
@@ -21,7 +21,10 @@ There are at least four other howtos like this, but like them, I found that the
 
  * [The Debian wiki](https://wiki.debian.org/Migrate32To64Bit) also suggests using debootstrap, which seems unnecessary, and has all sorts of warning, including a [pointer](https://lists.debian.org/debian-devel-announce/2012/03/msg00005.html) to tools we use here
 
-(!) Exercise for the reader: read all those procedures, try them and figure out the best mix, then update the wiki to document the best practice.
+(!) Exercise for the reader: read all those procedures, try them and
+figure out the best mix, then update the wiki to document the best
+practice. This should probably end up in the [CrossGrading](https://wiki.debian.org/CrossGrading) article
+in the Debian wiki.
 
 Preparation work
 ----------------

removed
diff --git a/blog/2015-10-20-smartrg-sr630n-proprietary-router-running-linux/comment_13_4b022a6e882dc91438f5cd94f478cf81._comment b/blog/2015-10-20-smartrg-sr630n-proprietary-router-running-linux/comment_13_4b022a6e882dc91438f5cd94f478cf81._comment
deleted file mode 100644
index 34f7f3f..0000000
--- a/blog/2015-10-20-smartrg-sr630n-proprietary-router-running-linux/comment_13_4b022a6e882dc91438f5cd94f478cf81._comment
+++ /dev/null
@@ -1,8 +0,0 @@
-[[!comment format=mdwn
- ip="146.198.115.38"
- claimedauthor="mark"
- subject="comment 13"
- date="2017-06-27T18:22:33Z"
- content="""
-I'm doing research on doing the same here in the UK - looks like VigorNIC 132 might be an option - PCIe vdsl2 card, which seems to be compatible with linux. Also supports Annex A. Again though, depends if the ISP is gonna be standards compliant..
-"""]]

Added a comment
diff --git a/blog/2015-10-20-smartrg-sr630n-proprietary-router-running-linux/comment_13_4b022a6e882dc91438f5cd94f478cf81._comment b/blog/2015-10-20-smartrg-sr630n-proprietary-router-running-linux/comment_13_4b022a6e882dc91438f5cd94f478cf81._comment
new file mode 100644
index 0000000..34f7f3f
--- /dev/null
+++ b/blog/2015-10-20-smartrg-sr630n-proprietary-router-running-linux/comment_13_4b022a6e882dc91438f5cd94f478cf81._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ ip="146.198.115.38"
+ claimedauthor="mark"
+ subject="comment 13"
+ date="2017-06-27T18:22:33Z"
+ content="""
+I'm doing research on doing the same here in the UK - looks like VigorNIC 132 might be an option - PCIe vdsl2 card, which seems to be compatible with linux. Also supports Annex A. Again though, depends if the ISP is gonna be standards compliant..
+"""]]

Added a comment
diff --git a/blog/2015-10-20-smartrg-sr630n-proprietary-router-running-linux/comment_12_23a376ac61740375f86b60a5214b337b._comment b/blog/2015-10-20-smartrg-sr630n-proprietary-router-running-linux/comment_12_23a376ac61740375f86b60a5214b337b._comment
new file mode 100644
index 0000000..0f6f9c0
--- /dev/null
+++ b/blog/2015-10-20-smartrg-sr630n-proprietary-router-running-linux/comment_12_23a376ac61740375f86b60a5214b337b._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ ip="146.198.115.38"
+ claimedauthor="mark"
+ subject="comment 12"
+ date="2017-06-27T18:21:55Z"
+ content="""
+I'm doing research on doing the same here in the UK - looks like VigorNIC 132 might be an option - PCIe vdsl2 card, which seems to be compatible with linux. Also supports Annex A. Again though, depends if the ISP is gonna be standards compliant..
+"""]]

container updates and consider supysonic
diff --git a/services/radio.mdwn b/services/radio.mdwn
index 27284e4..42c1539 100644
--- a/services/radio.mdwn
+++ b/services/radio.mdwn
@@ -63,11 +63,14 @@ Boom. You're done.
 Todo
 ----
 
+ * consider [supysonic](https://github.com/spl0k/supysonic) instead of all this java crap.
  * switch to libresonic: subsonic is fun, but there will be ads (!?)
    so let's switch to the libre
    fork. considering [tonipes' container](https://hub.docker.com/r/tonipes/libresonic-docker/~/dockerfile/) since it's (eventually!)
    based on Debian down there. the unofficial one suggested by
-   upstream is [linuxserver's](https://github.com/linuxserver/docker-libresonic), based on Alpine
+   upstream is [linuxserver's](https://github.com/linuxserver/docker-libresonic), based on Alpine. Update: made my
+   own container based on the simpler subsonic one,
+   see [this issue](https://github.com/mschuerig/subsonic-docker-image/issues/14).
  * automatic updates to the container: need to watch updates on the
    packages from the docker manifest (?) and the upstream changelog
 

close the subsonic ports to localhost
this forces everyone to go through the Apache proxy, which now works correctly
diff --git a/services/radio.mdwn b/services/radio.mdwn
index edad172..27284e4 100644
--- a/services/radio.mdwn
+++ b/services/radio.mdwn
@@ -18,7 +18,7 @@ tweak it to my needs and update it to latest versions.
 
 The container is started with:
 
-    sudo docker run --detach --publish 4040:4040  --volume "subsonic:/var/subsonic" --volume "/srv:/var/music:ro" anarcat/debian-subsonic
+    sudo docker run --detach --publish 127.0.0.1:4040:4040 --publish 127.0.0.1:4343:4343 --volume "subsonic:/var/subsonic" --volume "/srv:/var/music:ro" anarcat/debian-subsonic --https-port=4343
 
 Then I configured `/srv/mp3` and other directories individually. I
 also changed the admin password. Then the only remaining thing was to
@@ -70,10 +70,6 @@ Todo
    upstream is [linuxserver's](https://github.com/linuxserver/docker-libresonic), based on Alpine
  * automatic updates to the container: need to watch updates on the
    packages from the docker manifest (?) and the upstream changelog
- * close the cleartext port to localhost (`--publish
-   127.0.0.1:4040:4040`) - this is blocking on some weird issue:
-   sometimes i can login, sometimes i don't. this may be due to
-   cookies and the TLS decapsulation...
 
 Old design
 ==========

working config for subsonic proxy
diff --git a/services/radio.mdwn b/services/radio.mdwn
index 5599503..edad172 100644
--- a/services/radio.mdwn
+++ b/services/radio.mdwn
@@ -27,17 +27,24 @@ configure a reverse Apache proxy:
     <VirtualHost *:80>
             ServerName radio.anarc.at
             Redirect / https://radio.anarc.at/
-            DocumentRoot /var/www/html/
     </VirtualHost>
     
     <VirtualHost *:443>
             ServerName radio.anarc.at
             Use common-letsencrypt-ssl radio.anarc.at
             DocumentRoot /var/www/html/
+            SSLProxyEngine on
+            SSLProxyCheckPeerCN off
+            SSLProxyCheckPeerName off
+            SSLProxyVerify none
+            RequestHeader unset Accept-Encoding
+            ProxyRequests off
             <Location />
                     ProxyPreserveHost On
-                    ProxyPass http://127.0.0.1:4040/
-                    ProxyPassReverse http://127.0.0.1:4040/
+                    #ProxyPass http://127.0.0.1:4040/
+                    #ProxyPassReverse http://127.0.0.1:4040/
+                    ProxyPass https://127.0.0.1:4343/
+                    ProxyPassReverse https://127.0.0.1:4343/
                     Order allow,deny
                     Allow from all
             </Location>

add possible libresonic containers
diff --git a/services/radio.mdwn b/services/radio.mdwn
index b331b9d..5599503 100644
--- a/services/radio.mdwn
+++ b/services/radio.mdwn
@@ -57,7 +57,10 @@ Todo
 ----
 
  * switch to libresonic: subsonic is fun, but there will be ads (!?)
-   so let's switch to the libre fork
+   so let's switch to the libre
+   fork. considering [tonipes' container](https://hub.docker.com/r/tonipes/libresonic-docker/~/dockerfile/) since it's (eventually!)
+   based on Debian down there. the unofficial one suggested by
+   upstream is [linuxserver's](https://github.com/linuxserver/docker-libresonic), based on Alpine
  * automatic updates to the container: need to watch updates on the
    packages from the docker manifest (?) and the upstream changelog
  * close the cleartext port to localhost (`--publish

subsonic todo
diff --git a/services.mdwn b/services.mdwn
index fd1d5a1..60c3378 100644
--- a/services.mdwn
+++ b/services.mdwn
@@ -19,7 +19,7 @@ Service        | État                                      | Détails  | Depuis
 [[Shell]]      | [[!color background=#00ff00 text="OK"]]   | `shell.anarc.at` | 1999?    | privé       | [[!wikipedia SSH]]     | accès shell et fichiers ([[!wikipedia SFTP]])
 [[Mail]]       | [[!color background=#00ff00 text="OK"]]   | `imap.anarc.at` | 2002     | privé       | [[!wikipedia Dovecot]] | courriels par IMAP ou shell
 [[Webmail]]    | [[!color background=#00ff00 text="OK"]]   | <https://mail.anarc.at> | 2005-? 2017    | privé       | [Rainloop][]       | envoi et lecture de courriels
-[[Radio]]      | [[!color background=#ffff00 text="dev"]]  | <http://radio.anarc.at> | 2007     | [public][1] | [[!wikipedia Icecast]] | [stream][] "shoutcast", 64 kbps, rarely online
+[[Radio]]      | [[!color background=#ffff00 text="dev"]]  | <https://radio.anarc.at> | 2007     | privé | Subsonic | Private music collection
 [[Jukebox]]    | [[!color background=#00ff00 text="OK"]]   | `radio.anarc.at:6600` | [2007][] | privé       | [MPD][]                | contrôle de la radio à distance
 [[Torrent]]    | [[!color background=#00ff00 text="OK"]]   | `radio.anarc.at:9091` | 2011     | privé       | [Transmission][]       | client bittorrent partagé pour le voisinage
 [[Multimedia]] | [[!color background=#00ff00 text="OK"]]   |          | 1999?    | privé       | [[!wikipedia XBMC]]    | archive audio et video, "cinéma maison"
@@ -42,7 +42,6 @@ Service        | État                                      | Détails  | Depuis
 [[Social]]     | [[!color background=#ff0000 text="down"]] | fermé car [identi.ca][] est passé à [pump.io][], [Friendica][]?, [[buddycloud]] failed | 2011     | [public][5] | [StatusNet][] | "réseau social" décentralisé et sans surveillance, sur demande
 [[Téléphone]]  | [[!color background=#ff0000 text="down"]] | fermé  | ~2008?   | privé       | N/A           | switched all services to upstream VoIP.ms
 
- [1]: http://radio.orangeseeds:8000/
  [2]: http://sondage.orangeseeds.org/
  [3]: http://bm.orangeseeds.org/
  [4]: http://photos.orangeseeds.org/
diff --git a/services/radio.mdwn b/services/radio.mdwn
index b0ee855..b331b9d 100644
--- a/services/radio.mdwn
+++ b/services/radio.mdwn
@@ -18,7 +18,7 @@ tweak it to my needs and update it to latest versions.
 
 The container is started with:
 
-    sudo docker run --detach --publish 127.0.0.1:4040:4040  --volume "subsonic:/var/subsonic" --volume "/srv:/var/music:ro" anarcat/debian-subsonic
+    sudo docker run --detach --publish 4040:4040  --volume "subsonic:/var/subsonic" --volume "/srv:/var/music:ro" anarcat/debian-subsonic
 
 Then I configured `/srv/mp3` and other directories individually. I
 also changed the admin password. Then the only remaining thing was to
@@ -53,6 +53,18 @@ The certificates are provided by Let's Encrypt, using this command:
 
 Boom. You're done.
 
+Todo
+----
+
+ * switch to libresonic: subsonic is fun, but there will be ads (!?)
+   so let's switch to the libre fork
+ * automatic updates to the container: need to watch updates on the
+   packages from the docker manifest (?) and the upstream changelog
+ * close the cleartext port to localhost (`--publish
+   127.0.0.1:4040:4040`) - this is blocking on some weird issue:
+   sometimes i can login, sometimes i don't. this may be due to
+   cookies and the TLS decapsulation...
+
 Old design
 ==========
 

subsonic documentation
diff --git a/services/radio.mdwn b/services/radio.mdwn
index 2cfdae3..b0ee855 100644
--- a/services/radio.mdwn
+++ b/services/radio.mdwn
@@ -1,4 +1,62 @@
-Une radio [[!wikipedia Icecast]] est disponible à l'addresse <http://radio.anarc.at/>. Le stream est de basse qualité (64kbps) pour éviter de prendre toute la bande passante. Je permets aussi seulement 5 accès simultanés.
+[[!meta title="Radio services documentation"]]
+
+[[!toc levels=2]]
+
+Subsonic
+========
+
+I am switching over from MPD + Liquidsoap + Icecast to simply Subsonic
+/ Libresonic, because it seems much simpler. I may still use MPD as a
+client for some occasions, we'll see.
+
+Subsonic is deployed with [[containers]] (currently using [Docker](https://docker.io/))
+to simplify deployment and to test that technology.
+
+I am using the [subsonic-docker-image](https://github.com/mschuerig/subsonic-docker-image) from [mschuerig](https://github.com/mschuerig) because
+it is simple and uses Debian. I contributed a few patches of my own to
+tweak it to my needs and update it to latest versions.
+
+The container is started with:
+
+    sudo docker run --detach --publish 127.0.0.1:4040:4040  --volume "subsonic:/var/subsonic" --volume "/srv:/var/music:ro" anarcat/debian-subsonic
+
+Then I configured `/srv/mp3` and other directories individually. I
+also changed the admin password. Then the only remaining thing was to
+configure a reverse Apache proxy:
+
+    <VirtualHost *:80>
+            ServerName radio.anarc.at
+            Redirect / https://radio.anarc.at/
+            DocumentRoot /var/www/html/
+    </VirtualHost>
+    
+    <VirtualHost *:443>
+            ServerName radio.anarc.at
+            Use common-letsencrypt-ssl radio.anarc.at
+            DocumentRoot /var/www/html/
+            <Location />
+                    ProxyPreserveHost On
+                    ProxyPass http://127.0.0.1:4040/
+                    ProxyPassReverse http://127.0.0.1:4040/
+                    Order allow,deny
+                    Allow from all
+            </Location>
+    </VirtualHost>
+
+Then restart apache:
+
+    sudo service apache2 restart
+
+The certificates are provided by Let's Encrypt, using this command:
+
+    sudo certbot certonly -d radio.anarc.at --webroot --webroot-path /var/www/html/ && sudo apache2 restart
+
+Boom. You're done.
+
+Old design
+==========
+
+Une radio [[!wikipedia Icecast]] <del>est</del>était disponible à l'addresse <http://radio.anarc.at:8000/>. Le stream est de basse qualité (64kbps) pour éviter de prendre toute la bande passante. Je permets aussi seulement 5 accès simultanés.
 
 Une radio `RTP` est également disponible localement, voir [[cet article|blog/2013-02-03-live-radio-streaming-mpd-part-2-multicast-rtp]] pour plus de détails.
 
@@ -11,11 +69,6 @@ réguliers (à chaque 15 chansons).
 
 Les détails de la configuration technique sont ci-bas.
 
-[[!toc levels=2]]
-
-Overall design
-==============
-
 <a href="radio-design.svg"><img src="radio-design.png" /></a>
 
 Liquidsoap configuration

creating tag page tag/gitlab
diff --git a/tag/gitlab.mdwn b/tag/gitlab.mdwn
new file mode 100644
index 0000000..37be9a4
--- /dev/null
+++ b/tag/gitlab.mdwn
@@ -0,0 +1,4 @@
+[[!meta title="pages tagged gitlab"]]
+
+[[!inline pages="tagged(gitlab)" actions="no" archive="yes"
+feedshow=10]]

creating tag page tag/hosting
diff --git a/tag/hosting.mdwn b/tag/hosting.mdwn
new file mode 100644
index 0000000..b2b0f6e
--- /dev/null
+++ b/tag/hosting.mdwn
@@ -0,0 +1,4 @@
+[[!meta title="pages tagged hosting"]]
+
+[[!inline pages="tagged(hosting)" actions="no" archive="yes"
+feedshow=10]]

publish alioth article
diff --git a/blog/alioth-gitlab.mdwn b/blog/2017-06-26-alioth-moving-pagure.mdwn
similarity index 97%
rename from blog/alioth-gitlab.mdwn
rename to blog/2017-06-26-alioth-moving-pagure.mdwn
index ed57118..65a2f14 100644
--- a/blog/alioth-gitlab.mdwn
+++ b/blog/2017-06-26-alioth-moving-pagure.mdwn
@@ -1,5 +1,6 @@
-Alioth moving toward pagure
-===========================
+[[!meta title="Alioth moving toward pagure"]]
+[[!meta date="2017-06-14T12:00:00-0500"]]
+[[!meta updated="2017-06-26T08:48:00-0500"]]
 
 Since 2003, the Debian project has been running a server called
 [Alioth](https://alioth.debian.org/) to host source code version control
@@ -24,6 +25,8 @@ alternatives are still being evaluated, a consensus has emerged on a
 migration plan from FusionForage to a more modern and minimal platform
 based on pagure.
 
+[[!toc startlevel=2]]
+
 Why not GitLab?
 ---------------
 
@@ -295,3 +298,10 @@ GitLab are still going on as we speak, but given how controversial the
 "open core" model used by GitLab is for the Debian community, pagure
 does seem like a more logical alternative.
 
+> *Note: this article [first appeared][] in
+> the [Linux Weekly News][].*
+
+[first appeared]: https://lwn.net/Articles/724986/
+[Linux Weekly News]: http://lwn.net/
+
+[[!tag debian-planet lwn geek debian gitlab git hosting]]

final edit from lwn
diff --git a/blog/alioth-gitlab.mdwn b/blog/alioth-gitlab.mdwn
index 15f9d8b..ed57118 100644
--- a/blog/alioth-gitlab.mdwn
+++ b/blog/alioth-gitlab.mdwn
@@ -1,9 +1,6 @@
 Alioth moving toward pagure
 ===========================
 
-\[LWN subscriber-only content\]
--------------------------------
-
 Since 2003, the Debian project has been running a server called
 [Alioth](https://alioth.debian.org/) to host source code version control
 systems. The server will hit the end of life of the Debian LTS release
@@ -243,7 +240,9 @@ GitLab). In fact, there are *three* different mailing list services for
 the Debian project:
 
 -   the main service, [lists.debian.org](https://lists.debian.org/),
-    running Mailman 2 and managed by hand
+    running ~~Mailman 2~~
+    [SmartList](https://en.wikipedia.org/wiki/Smartlist) and managed by
+    hand
 -   the Alioth service,
     [lists.alioth.debian.org](https://lists.alioth.debian.org/), running
     Mailman 2 and managed by FusionForge

update webmail config to stretch + php 7.0
diff --git a/services/mail.mdwn b/services/mail.mdwn
index efe33ba..c29d915 100644
--- a/services/mail.mdwn
+++ b/services/mail.mdwn
@@ -475,8 +475,9 @@ lists, search, etc).
 First part was to setup PHP. I used PHP-FPM to try to avoid the bloat
 associated with `mod_php`. I did this with:
 
-    apt install php5-fpm
-    a2enmod proxy_fcgi
+    apt install php-fpm
+    a2enmod proxy_fcgi setenvif
+    a2enconf php7.0-fpm
 
 Then I created the following config:
 
@@ -492,7 +493,7 @@ Then I created the following config:
         DocumentRoot /var/www/mail.anarc.at/
     
         DirectoryIndex /index.php index.php 
-        ProxyPassMatch ^/(.*\.php(/.*)?)$ unix:/var/run/php5-fpm.sock|fcgi://localhost/var/www/mail.anarc.at
+        ProxyPassMatch ^/(.*\.php(/.*)?)$ unix:/run/php/php7.0-fpm.sock|fcgi://localhost/var/www/mail.anarc.at
 
         # protect rainloop configs
         <Directory /var/www/mail.anarc.at/data>
@@ -518,6 +519,10 @@ Then I setup the cert with [[!debpkg certbot]]:
         SSLCertificateKeyFile /etc/letsencrypt/live/mail.anarc.at/privkey.pem
         SSLCertificateChainFile /etc/letsencrypt/live/mail.anarc.at/chain.pem
 
+And restarted apache of course:
+
+    service apache2 reload
+
 Then I setup rainloop, which is disturbingly easy:
 
     wget http://www.rainloop.net/repository/webmail/rainloop-community-latest.zip

explain details of article and audience
diff --git a/services/drive-replacement.mdwn b/services/drive-replacement.mdwn
index 1317397..5bef3ff 100644
--- a/services/drive-replacement.mdwn
+++ b/services/drive-replacement.mdwn
@@ -1,4 +1,9 @@
-[[!meta title="Hard drive replacement"]]
+[[!meta title="Hard drive replacement procedure"]]
+
+This procedure describes a major disk replacement on a system with
+LUKS encryption and LVM, but without RAID-1 (which would be obviously
+much easier). It is specific to my setup but could be useful to others
+and is aimed at technical users familiar with the commandline.
 
  1. create parts with parted, mark a 8MB leading part with the
     `bios_grub` flag. parted complains about the partitions not being

fixup title
diff --git a/services/drive-replacement.mdwn b/services/drive-replacement.mdwn
index ce67ef5..1317397 100644
--- a/services/drive-replacement.mdwn
+++ b/services/drive-replacement.mdwn
@@ -1,4 +1,4 @@
-## Hard drive replacement
+[[!meta title="Hard drive replacement"]]
 
  1. create parts with parted, mark a 8MB leading part with the
     `bios_grub` flag. parted complains about the partitions not being

fix markup more
diff --git a/services/drive-replacement.mdwn b/services/drive-replacement.mdwn
index f9cfd93..ce67ef5 100644
--- a/services/drive-replacement.mdwn
+++ b/services/drive-replacement.mdwn
@@ -9,8 +9,7 @@
         cryptsetup -v --verify-passphrase luksFormat /dev/sdc3
         cryptsetup luksOpen /dev/sdc3 crucial_crypt
 
-    [[!tip """
-    
+    <span /><div class="tip">
     Note that newer versions of Debian (e.g. stretch and later) have
     good settings so you do not need to choose cipher settings and so
     on. But on older machines, you may want something like:
@@ -19,7 +18,7 @@
 
     I was also recommending `--use-random` here but I believe
     it is [not necessary anymore](https://media.ccc.de/v/32c3-7441-the_plain_simple_reality_of_entropy).
-    """]]
+    </div>
 
  3. initialize logical volumes
 

formatting fixes
diff --git a/services/drive-replacement.mdwn b/services/drive-replacement.mdwn
index eecda4b..f9cfd93 100644
--- a/services/drive-replacement.mdwn
+++ b/services/drive-replacement.mdwn
@@ -9,14 +9,17 @@
         cryptsetup -v --verify-passphrase luksFormat /dev/sdc3
         cryptsetup luksOpen /dev/sdc3 crucial_crypt
 
+    [[!tip """
+    
     Note that newer versions of Debian (e.g. stretch and later) have
     good settings so you do not need to choose cipher settings and so
     on. But on older machines, you may want something like:
     
-        --cipher aes-xts-plain64 --key-size 512 --hash sha1 --iter-time 5000
+        --cipher aes-xts-plain64 --key-size 512 --hash sha256 --iter-time 5000
 
     I was also recommending `--use-random` here but I believe
     it is [not necessary anymore](https://media.ccc.de/v/32c3-7441-the_plain_simple_reality_of_entropy).
+    """]]
 
  3. initialize logical volumes
 
@@ -37,9 +40,13 @@
 
  5. restore the root filesystem:
  
-        borg extract -e boot -e usr -e var -e home --verbose /media/sdc2/borg::marcos-2017-06-19
+        borg extract -e boot -e usr -e var -e home --progress /media/sdc2/borg::marcos-2017-06-19
+
+    [[!tip """note that `--progress` is available only in newer
+    versions of borg (1.1 and later)."""]]
 
-    or:
+    if borg is not available for some reason, the filesystem can also
+    be synchronized directly:
     
         rsync -vaHAx --inplace --delete --one-file-system / /mnt/
 
@@ -54,22 +61,21 @@
 
  5. change `/mnt/etc/crypttab` (make a copy in `/etc/crypttab.new`) to follow the new partition names:
     * make sure you have *NO TYPO* in the new line
-    * use `blkid` to get the UUID of the crypto device, example in my case:
-
-          blkid /dev/sda2 >> /etc/crypttab
+    * use `blkid` to get the UUID of the crypto device, e.g. `blkid /dev/sda3`
 
  8. restore everything from backups:
  
-        borg extract --verbose /media/sdc2/borg::marcos-2017-06-19
+        borg extract --progress /media/sdc2/borg::marcos-2017-06-19
 
-    or rsync from the live filesystem
+    or rsync from the live filesystem (see below).
  
  9. go to single user mode:
 
         shutdown now
 
- 10. sync from the live filesystem again, using `/root/sync.sh` - a
-     bunch of rsync for each partition, basically:
+ 10. sync from the live filesystem again, using
+     `/home/anarcat/bin/backup-rsync-mnt` - a bunch of rsync for each
+     partition, basically:
 
         rsync -vaHAx --inplace --delete /usr/ /mnt/usr/
 
@@ -83,7 +89,7 @@
         update-grub2
         grub-install /dev/sdc
 
- 12. reboot and pray
+    [[!important """the `fs.uuid` flag comes from the `/boot` device,
+    and can be found with the `blkid` command as well."""]]
 
-Note how the `load.cfg` grub configuration need to be updated with the
-new boot sector (`/boot` here).
+ 12. reboot and pray

cleanup after camping trip
diff --git a/pleinair/liste.mdwn b/pleinair/liste.mdwn
index bf945ea..5421f4b 100644
--- a/pleinair/liste.mdwn
+++ b/pleinair/liste.mdwn
@@ -33,6 +33,8 @@ toujours retourner sur l'ordinateur.
  * Sac a viande
  * Hamac et chaînes
  * Sac à dos, grand et/ou petit, ou valise
+ * Lampe de poche
+ * Lampe frontale
 
 ## Kit de survie
 
@@ -57,8 +59,6 @@ toujours retourner sur l'ordinateur.
  * Livre d'identification d'oiseaux, etc
  * # Téléphone d’urgence
  * Dictionnaire de traduction (e.g. fr-es)
- * Lampe de poche
- * Lampe frontale
 
 ## Équipement technique
 
@@ -72,8 +72,6 @@ toujours retourner sur l'ordinateur.
  * Crampons
  * Wetsuit
  * Tuba et masque
- * Lunettes de soleil
- * Sacs poubelle
  * Petits mousquetons ("not for climbing")
 
 ## Papiers et autres attaches
@@ -131,6 +129,8 @@ toujours retourner sur l'ordinateur.
  * Tampon à récurer avec éponge
  * Linge à vaisselle
  * Glacière
+ * Sacs poubelle / compost
+ * Tupperwares pour les restes
 
 ## Trousse de dépannage
 
@@ -150,9 +150,11 @@ toujours retourner sur l'ordinateur.
  * Papier de toilette
  * Serviettes sanitaires / keeper
  * Mouchoir de poche
- * Lunettes
  * Verres de contact & kit de nettoyage
+ * Lunettes
+ * Lunettes de soleil
  * Crème solaire
+ * Anti-moustique en crème ou vaporisateur
  * Savon
  * Dentifrice
  * Brosse à dents
@@ -184,6 +186,7 @@ toujours retourner sur l'ordinateur.
  * Maillot de bain
  * Serviette
  * Coupe-vent imperméable (gore-tex) / Anorak
+ * Pantalons de pluie
  * Sous-vêtements synthétique (haut & bas)
  * Manteau d'hiver
  * Pantalons de neige
@@ -194,6 +197,8 @@ toujours retourner sur l'ordinateur.
  * Mitaines et sous-mitaines
  * Foulard / Masque facial / Cache-cou
  * Lunettes de ski
+ * Chapeau
+ * Filet anti-moustique
 
 ## Trousse de premiers soins
 

update disk replacement procedure
introduce backup restoration and other changes following latest
attempt at disk replacement.
diff --git a/services/drive-replacement.mdwn b/services/drive-replacement.mdwn
index b1da201..eecda4b 100644
--- a/services/drive-replacement.mdwn
+++ b/services/drive-replacement.mdwn
@@ -1,29 +1,49 @@
 ## Hard drive replacement
 
- 1. create parts with parted, mark a 8MB leading part with the `bios_grub` flag
+ 1. create parts with parted, mark a 8MB leading part with the
+    `bios_grub` flag. parted complains about the partitions not being
+    optimal, and I haven't figure out how to fix that correctly.
+
  2. initialise crypt partition:
 
-        cryptsetup -v --cipher aes-xts-plain64 --key-size 512 --hash sha1 --iter-time 5000 --use-random --verify-passphrase luksFormat /dev/sdc3
+        cryptsetup -v --verify-passphrase luksFormat /dev/sdc3
         cryptsetup luksOpen /dev/sdc3 crucial_crypt
 
+    Note that newer versions of Debian (e.g. stretch and later) have
+    good settings so you do not need to choose cipher settings and so
+    on. But on older machines, you may want something like:
+    
+        --cipher aes-xts-plain64 --key-size 512 --hash sha1 --iter-time 5000
+
+    I was also recommending `--use-random` here but I believe
+    it is [not necessary anymore](https://media.ccc.de/v/32c3-7441-the_plain_simple_reality_of_entropy).
+
  3. initialize logical volumes
 
         pvcreate /dev/mapper/crucial_crypt
         vgcreate marcossd1 /dev/mapper/crucial_crypt
-        lvcreate -L...
-        mkfs -t ext4 ...
 
+    repeat for every filesystem, use `vgdisplay -C` and `lvdisplay -C`
+    to inspect existing sizes:
+
+        lvcreate -L10G -n root marcossd1
+        mkfs /dev/mapper/marcoss1-root
+        # [...]
+  
  4. basic filesystem setup:
 
         mount /dev/mapper/marcossd1-root /mnt
+        mkdir /mnt/{dev,sys,proc,boot,usr,var,home,srv}
 
- 5. change `/mnt/etc/crypttab` (copy in in `/etc/crypttab.new`) - a few tricks:
-    * make sure you have *NO TYPO* in the new line
-    * use `blkid` to get the UUID of the crypto device, example in my case:
+ 5. restore the root filesystem:
+ 
+        borg extract -e boot -e usr -e var -e home --verbose /media/sdc2/borg::marcos-2017-06-19
 
-        blkid /dev/sda2 >> /etc/crypttab
+    or:
+    
+        rsync -vaHAx --inplace --delete --one-file-system / /mnt/
 
- 6. change `/mnt/etc/fstab` (copy in `/etc/fstab.new`)
+ 6. edit `/mnt/etc/fstab` (and keep a copy in `/etc/fstab.new`)
  7. mount all filesystems:
 
         mount -o bind /dev /mnt/dev
@@ -32,17 +52,26 @@
         mount -t sysfs sys /sys
         exit
 
- 8. sync all the data with `/root/sync.sh` - a bunch of rsync for each partition, basically:
+ 5. change `/mnt/etc/crypttab` (make a copy in `/etc/crypttab.new`) to follow the new partition names:
+    * make sure you have *NO TYPO* in the new line
+    * use `blkid` to get the UUID of the crypto device, example in my case:
 
-        rsync -vaHAx --inplace --delete /usr/ /mnt/usr/
+          blkid /dev/sda2 >> /etc/crypttab
 
+ 8. restore everything from backups:
+ 
+        borg extract --verbose /media/sdc2/borg::marcos-2017-06-19
+
+    or rsync from the live filesystem
+ 
  9. go to single user mode:
 
         shutdown now
 
- 10. sync again
+ 10. sync from the live filesystem again, using `/root/sync.sh` - a
+     bunch of rsync for each partition, basically:
 
-        /root/sync.sh
+        rsync -vaHAx --inplace --delete /usr/ /mnt/usr/
 
  11. install boot blocks
 

add more sellers
diff --git a/hardware/laptop.mdwn b/hardware/laptop.mdwn
index 568a47e..6848ae0 100644
--- a/hardware/laptop.mdwn
+++ b/hardware/laptop.mdwn
@@ -282,5 +282,6 @@ Fournisseurs
 ============
 
 * minifree: https://minifree.org/ coreboot + x200 t400
-* dantech: http://www.dantech.ca/?q=17--
-* https://www.toplaptop.ca/
+* dantech: http://www.dantech.ca/?q=17-- - local friendly folks
+* https://www.toplaptop.ca/ - local + cheap source of thinkpads
+* https://www.mikescomputershop.com/ - cheap canada seller

major upgrade of the ikiwiki platform
diff --git a/services/wiki.mdwn b/services/wiki.mdwn
index 14521f5..eadf7ff 100644
--- a/services/wiki.mdwn
+++ b/services/wiki.mdwn
@@ -130,7 +130,7 @@ On any given upgrade, the following patches need to be applied:
 
 There are two patches left:
 
- * [[!iki todo/toc-with-human-readable-anchors]] and [[!iki plugins/contrib/i18nheadinganchors]]
+ * [[!iki todo/toc-with-human-readable-anchors]] (merged, not released) and [[!iki plugins/contrib/i18nheadinganchors]]
  * [[!iki bugs/footnotes-look-weird]]
  * [[!iki todo/git-annex_support]]
  * [[!iki todo/admonitions]]
@@ -140,7 +140,7 @@ I dropped the [[!iki bugs/notifyemail fails with some openid providers]] patch b
 To apply this patch:
 
     cd src/ikiwiki
-    release=debian/3.20141016.4
+    release=debian/3.20170111
     git rebase $release dev/git-annex-support
     git diff $release..dev/git-annex-support | ( cd /usr/share/perl5 ; sudo patch -p1 --dry-run )
     git diff $release..dev/git-annex-support | ( cd /usr/share/perl5 ; sudo patch -p1 )
@@ -151,11 +151,11 @@ To apply this patch:
     git diff $release..i18n-headinganchors | ( cd /usr/share/perl5 ; sudo patch -p1 --dry-run )
     git diff $release..i18n-headinganchors | ( cd /usr/share/perl5 ; sudo patch -p1  )
     # not sure about that rebase
-    git rebase origin/master admonitions
-    git diff origin/master..admonitions IkiWiki/Plugin/admonition.pm | ( cd /usr/share/perl5 ; sudo patch -p1 --dry-run )
-    git diff origin/master..admonitions IkiWiki/Plugin/admonition.pm | ( cd /usr/share/perl5 ; sudo patch -p1 )
-    git diff origin/master..admonitions doc/style.css | ( cd /usr/share/ikiwiki/basewiki ; sudo patch -p2 --dry-run )
-    git diff origin/master..admonitions doc/style.css | ( cd /usr/share/ikiwiki/basewiki ; sudo patch -p2 )
+    git rebase $release admonitions
+    git diff $release..admonitions IkiWiki/Plugin/admonition.pm | ( cd /usr/share/perl5 ; sudo patch -p1 --dry-run )
+    git diff $release..admonitions IkiWiki/Plugin/admonition.pm | ( cd /usr/share/perl5 ; sudo patch -p1 )
+    git diff $release..admonitions doc/style.css | ( cd /usr/share/ikiwiki/basewiki ; sudo patch -p2 --dry-run )
+    git diff $release..admonitions doc/style.css | ( cd /usr/share/ikiwiki/basewiki ; sudo patch -p2 )
 
 ### New feature: markdown WYSIWYG!
 
@@ -187,6 +187,13 @@ patching file templates/albumprev.tmpl
 patching file templates/albumviewer.tmpl
 """]]
 
+2017-06-19: major upgrade
+-------------------------
+
+upgraded to the upstream 3.20170111 release using backports in
+preperation for the stretch upgrade. patches reapplied as they are not
+factored in upstream yet.
+
 2017-04-19: ikiwiki-hosting upgrade
 -----------------------------------
 

final edits from LWN before publication
diff --git a/blog/alioth-gitlab.mdwn b/blog/alioth-gitlab.mdwn
index 3dc904c..15f9d8b 100644
--- a/blog/alioth-gitlab.mdwn
+++ b/blog/alioth-gitlab.mdwn
@@ -4,31 +4,34 @@ Alioth moving toward pagure
 \[LWN subscriber-only content\]
 -------------------------------
 
-Since 2003, the Debian project has been running a server
-called [Alioth](https://alioth.debian.org/) to host source code version control systems. The
-server will soon hit the end of life of the Debian LTS release
-(wheezy) next year and the coming deadline raised some questions
-regarding the viability of the service in the coming years. This
-naturally lead to a conversation regarding possible replacements.
-
-In response, the current Alioth maintainer, Alexander
-Wirt, [announced](https://lists.debian.org/debian-devel-announce/2017/06/msg00002.html) a [sprint](https://wiki.debian.org/Sprints/2017/Alioth) to migrate to [pagure](https://pagure.io/pagure), a
-free-software "Git-centered forge" written in Python for the Fedora
-project, which LWN [covered last year](https://lwn.net/Articles/687821/). Alioth currently
-runs [FusionForge](http://www.fusionforge.org/), previously known as GForge, which is the
-free-software fork of the [SourceForge](https://sourceforge.net/) code base when that service
-closed its source in 2001. Alioth hosts source code repositories,
-mainly Git and Subversion (SVN) and, like other "forge" sites, also
-offers forums, issue trackers, and mailing list services. While other
-alternatives like [GitLab](https://about.gitlab.com/) are still being evaluated, the consensus
-has evolved to a migration plan from FusionForge to a more modern and
-minimal platform based on pagure.
+Since 2003, the Debian project has been running a server called
+[Alioth](https://alioth.debian.org/) to host source code version control
+systems. The server will hit the end of life of the Debian LTS release
+(Wheezy) next year; that deadline raised some questions regarding the
+plans for the server over the coming years. Naturally, that led to a
+discussion regarding possible replacements.
+
+In response, the current Alioth maintainer, Alexander Wirt,
+[announced](https://lists.debian.org/debian-devel-announce/2017/06/msg00002.html)
+a [sprint](https://wiki.debian.org/Sprints/2017/Alioth) to migrate to
+[pagure](https://pagure.io/pagure), a free-software "Git-centered forge"
+written in Python for the Fedora project, which LWN [covered last
+year](https://lwn.net/Articles/687821/). Alioth currently runs
+[FusionForge](http://www.fusionforge.org/), previously known as GForge,
+which is the free-software fork of the
+[SourceForge](https://sourceforge.net/) code base when that service
+closed its source in 2001. Alioth hosts source code repositories, mainly
+Git and Subversion (SVN) and, like other "forge" sites, also offers
+forums, issue trackers, and mailing list services. While other
+alternatives are still being evaluated, a consensus has emerged on a
+migration plan from FusionForage to a more modern and minimal platform
+based on pagure.
 
 Why not GitLab?
 ---------------
 
 While this may come as a surprise to some who would expect Debian to use
-the more popular GitLab project, the
+the more popular [GitLab project](https://about.gitlab.com/), the
 discussion and decision actually took place a while back. During a
 [lengthy
 debate](https://lists.debian.org/debian-devel/2016/06/threads.html#00062)
@@ -102,11 +105,11 @@ to adding features to GitLab CE. The
 from Debian Developer Holger Levsen was categorical: "*It's not about a
 specific patch. Free GitLab and we can talk again.*" But beyond the
 practical and ethical concerns, some specific features Debian needs
-*are* currently only in GitLab EE; for example, debian.org systems use
+*are* currently only in GitLab EE. For example, debian.org systems use
 LDAP for authentication, which would obviously be useful in a GitLab
-deployment and while GitLab CE supports basic LDAP authentication,
-advanced features like group synchronization or SSH key
-synchronization, are only available in GitLab EE.
+deployment; GitLab CE supports basic LDAP authentication, but advanced
+features, like group or SSH-key synchronization, are only available in
+GitLab EE.
 
 Wirt also expressed concern about the [Contributor License
 Agreement](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/legal/individual_contributor_license_agreement.md)
@@ -139,31 +142,35 @@ user, GitLab is much nicer than pagure and it has those nice CI
 blog](http://blog.snow-crash.org/blog/upcoming-alioth-sprint/) "*GitLab
 is Opencore, \[and\] that it is not entirely opensource. I don't think
 we should use software licensed under such a model for one of our core
-services*" which leaves pagure as the only stable candidate.
-
-In an email interview, Sid Sijbrandij, CEO of GitLab did say that "*we
+services*" which leaves pagure as the only stable candidate. Other
+candidates were excluded on technical grounds, according to Wirt: Gogs
+"doesn't scale well" and a quick security check didn't yield
+satisfactory results; "Gitblit is Java" and Kallithea doesn't have
+support for accessing repositories over SSH (although there is a pending
+[pull
+request](https://bitbucket.org/conservancy/kallithea/pull-requests/311/ssh-v8/diff)
+to add the feature).
+
+In an email interview, Sid Sijbrandij, CEO of GitLab, did say that "we
 want to make sure that our open source edition can be used by open
-source projects*" giving the example of features liberated following
-requests by the community, like [branded login pages](https://gitlab.com/gitlab-org/gitlab-ce/issues/11489) for
-the [VLC project](https://news.ycombinator.com/item?id=10931347) and [GitLab pages](https://about.gitlab.com/2016/12/24/were-bringing-gitlab-pages-to-community-edition/) after popular demand. He
-stressed that "*There are no artificial limits in our open source
-edition and some organizations use it with more than 20.000 users.*"
-So if the concern of the Debian community is that features may be
-missing from GitLab CE, there is definitly an opening from GitLab to
-add those features. If, however, the concern is purely ethical, it's
-hard to see how an agreement could be reached, as Sijbrandij put it:
-
-> On the mailinglist it seemed that some Debian maintainers do not
-> agree with our open core business model and demand that there is no
+source projects". He gave examples of features liberated following
+requests by the community, such as [branded login
+pages](https://gitlab.com/gitlab-org/gitlab-ce/issues/11489) for the
+[VLC project](https://news.ycombinator.com/item?id=10931347) and [GitLab
+Pages](https://about.gitlab.com/2016/12/24/were-bringing-gitlab-pages-to-community-edition/)
+after popular demand. He stressed that "There are no artificial limits
+in our open source edition and some organizations use it with more than
+20.000 users." So if the concern of the Debian community is that
+features may be missing from GitLab CE, there is definitely an opening
+from GitLab to add those features. If, however, the concern is purely
+ethical, it's hard to see how an agreement could be reached. As
+Sijbrandij put it:
+
+> On the mailinglist it seemed that some Debian maintainers do not agree
+> with our open core business model and demand that there is no
 > proprietary version. We respect that position but we don't think we
-> can compete with the purely proprietary software like GitHub with
-> this model.
-
-Other candidates were excluded on technical grounds, according to
-Wirt: Gogs "doesn't scale well" and a quick security check didn't
-yield satisfactory results; "Gitblit is Java" and Kallithea doesn't
-have support for accessing repositories over SSH (although there is a
-pending [pull request](https://bitbucket.org/conservancy/kallithea/pull-requests/311/ssh-v8/diff) to add the feature).
+> can compete with the purely proprietary software like GitHub with this
+> model.
 
 Working toward a pagure migration
 ---------------------------------
@@ -171,7 +178,7 @@ Working toward a pagure migration
 The issue of Alioth maintenance came up again last month when Boyuan
 Yang
 [asked](https://lists.debian.org/debian-devel/2017/05/msg00095.html)
-what would happen to Alioth when support for Debian LTS (wheezy) ends
+what would happen to Alioth when support for Debian LTS (Wheezy) ends
 next year. Wirt [brought
 up](https://lists.debian.org/debian-devel/2017/05/msg00110.html) the
 pagure migration proposal and the community tried to make a plan for the

rewrite first graf, clarify ldap issue, add gitlab quote
diff --git a/blog/alioth-gitlab.mdwn b/blog/alioth-gitlab.mdwn
index fa8e0b3..3dc904c 100644
--- a/blog/alioth-gitlab.mdwn
+++ b/blog/alioth-gitlab.mdwn
@@ -4,34 +4,31 @@ Alioth moving toward pagure
 \[LWN subscriber-only content\]
 -------------------------------
 
-Since 2003, the Debian project has been running a server called
-[Alioth](https://alioth.debian.org/) to host source code version control
-systems. it's too old and unsupported... 
-
-two grafs, details in second
-introduce why ditch alioth justification
-remove seems
-
- In early June, the current Alioth maintainer, Alexander Wirt,
-[announced](https://lists.debian.org/debian-devel-announce/2017/06/msg00002.html)
-a [sprint](https://wiki.debian.org/Sprints/2017/Alioth) to migrate to
-[pagure](https://pagure.io/pagure), a free-software "Git-centered forge"
-written in Python for the Fedora project, which LWN [covered last
-year](https://lwn.net/Articles/687821/). Alioth is currently runs
-[FusionForge](http://www.fusionforge.org/), previously known as GForge,
-which is the free-software fork of the
-[SourceForge](https://sourceforge.net/) code base when that service
-closed its source in 2001. Alioth hosts source code repositories, mainly
-Git and Subversion (SVN) and, like other "forge" sites, also offers
-forums, issue trackers, and mailing list services. The plan seems to be
-to migrate from FusionForge to a more modern and minimal platform based
-on pagure.
+Since 2003, the Debian project has been running a server
+called [Alioth](https://alioth.debian.org/) to host source code version control systems. The
+server will soon hit the end of life of the Debian LTS release
+(wheezy) next year and the coming deadline raised some questions
+regarding the viability of the service in the coming years. This
+naturally lead to a conversation regarding possible replacements.
+
+In response, the current Alioth maintainer, Alexander
+Wirt, [announced](https://lists.debian.org/debian-devel-announce/2017/06/msg00002.html) a [sprint](https://wiki.debian.org/Sprints/2017/Alioth) to migrate to [pagure](https://pagure.io/pagure), a
+free-software "Git-centered forge" written in Python for the Fedora
+project, which LWN [covered last year](https://lwn.net/Articles/687821/). Alioth currently
+runs [FusionForge](http://www.fusionforge.org/), previously known as GForge, which is the
+free-software fork of the [SourceForge](https://sourceforge.net/) code base when that service
+closed its source in 2001. Alioth hosts source code repositories,
+mainly Git and Subversion (SVN) and, like other "forge" sites, also
+offers forums, issue trackers, and mailing list services. While other
+alternatives like [GitLab](https://about.gitlab.com/) are still being evaluated, the consensus
+has evolved to a migration plan from FusionForge to a more modern and
+minimal platform based on pagure.
 
 Why not GitLab?
 ---------------
 
 While this may come as a surprise to some who would expect Debian to use
-the more popular [GitLab project](https://about.gitlab.com/), the
+the more popular GitLab project, the
 discussion and decision actually took place a while back. During a
 [lengthy
 debate](https://lists.debian.org/debian-devel/2016/06/threads.html#00062)
@@ -107,7 +104,9 @@ specific patch. Free GitLab and we can talk again.*" But beyond the
 practical and ethical concerns, some specific features Debian needs
 *are* currently only in GitLab EE; for example, debian.org systems use
 LDAP for authentication, which would obviously be useful in a GitLab
-deployment.
+deployment and while GitLab CE supports basic LDAP authentication,
+advanced features like group synchronization or SSH key
+synchronization, are only available in GitLab EE.
 
 Wirt also expressed concern about the [Contributor License
 Agreement](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/legal/individual_contributor_license_agreement.md)
@@ -140,14 +139,31 @@ user, GitLab is much nicer than pagure and it has those nice CI
 blog](http://blog.snow-crash.org/blog/upcoming-alioth-sprint/) "*GitLab
 is Opencore, \[and\] that it is not entirely opensource. I don't think
 we should use software licensed under such a model for one of our core
-services*" which leaves pagure as the only stable candidate. Other
-candidates were excluded on technical grounds, according to Wirt: Gogs
-"doesn't scale well" and a quick security check didn't yield
-satisfactory results; "Gitblit is Java" and Kallithea doesn't have
-support for accessing repositories over SSH (although there is a pending
-[pull
-request](https://bitbucket.org/conservancy/kallithea/pull-requests/311/ssh-v8/diff)
-to add the feature).
+services*" which leaves pagure as the only stable candidate.
+
+In an email interview, Sid Sijbrandij, CEO of GitLab did say that "*we
+want to make sure that our open source edition can be used by open
+source projects*" giving the example of features liberated following
+requests by the community, like [branded login pages](https://gitlab.com/gitlab-org/gitlab-ce/issues/11489) for
+the [VLC project](https://news.ycombinator.com/item?id=10931347) and [GitLab pages](https://about.gitlab.com/2016/12/24/were-bringing-gitlab-pages-to-community-edition/) after popular demand. He
+stressed that "*There are no artificial limits in our open source
+edition and some organizations use it with more than 20.000 users.*"
+So if the concern of the Debian community is that features may be
+missing from GitLab CE, there is definitly an opening from GitLab to
+add those features. If, however, the concern is purely ethical, it's
+hard to see how an agreement could be reached, as Sijbrandij put it:
+
+> On the mailinglist it seemed that some Debian maintainers do not
+> agree with our open core business model and demand that there is no
+> proprietary version. We respect that position but we don't think we
+> can compete with the purely proprietary software like GitHub with
+> this model.
+
+Other candidates were excluded on technical grounds, according to
+Wirt: Gogs "doesn't scale well" and a quick security check didn't
+yield satisfactory results; "Gitblit is Java" and Kallithea doesn't
+have support for accessing repositories over SSH (although there is a
+pending [pull request](https://bitbucket.org/conservancy/kallithea/pull-requests/311/ssh-v8/diff) to add the feature).
 
 Working toward a pagure migration
 ---------------------------------

more nitpicks by lwn
diff --git a/blog/alioth-gitlab.mdwn b/blog/alioth-gitlab.mdwn
index 9ee9450..fa8e0b3 100644
--- a/blog/alioth-gitlab.mdwn
+++ b/blog/alioth-gitlab.mdwn
@@ -1,5 +1,5 @@
 Alioth moving toward pagure
-=======================
+===========================
 
 \[LWN subscriber-only content\]
 -------------------------------
@@ -82,7 +82,7 @@ Partnerships, Eliran Mesika,
 [explained](https://lists.debian.org/debian-devel/2016/06/msg00227.html)
 the company's [stewardship
 policy](https://about.gitlab.com/about/#stewardship) that explains how
-GitLab decides which feature ends up in the proprietary version. Praveen
+GitLab decides which features end up in the proprietary version. Praveen
 [pointed
 out](https://lists.debian.org/debian-devel/2016/06/msg00228.html) that:
 
@@ -104,9 +104,10 @@ to adding features to GitLab CE. The
 [response](https://lists.debian.org/debian-devel/2016/06/msg00346.html)
 from Debian Developer Holger Levsen was categorical: "*It's not about a
 specific patch. Free GitLab and we can talk again.*" But beyond the
-ethical concerns, some specific features Debian needs *are* currently
-only in GitLab EE; for example, debian.org systems use LDAP for
-authentication, which would obviously be useful in a GitLab deployment.
+practical and ethical concerns, some specific features Debian needs
+*are* currently only in GitLab EE; for example, debian.org systems use
+LDAP for authentication, which would obviously be useful in a GitLab
+deployment.
 
 Wirt also expressed concern about the [Contributor License
 Agreement](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/legal/individual_contributor_license_agreement.md)
@@ -130,19 +131,23 @@ wiki](https://wiki.debian.org/Alioth/GitNext) as well. In the end,
 however, Praveen [gave up on replacing Alioth with
 GitLab](https://lists.debian.org/debian-devel/2016/07/msg00510.html)
 because of the controversy and moved on to support the pagure migration,
-which resolved the discussion in July 2016. More recently, Wirt admitted
-in an IRC conversation that "on the technical side I like GitLab a lot
-more than pagure" and that "as a user, GitLab is much nicer than pagure
-and it has those nice CI \[continuous integration\] features". However,
-as he explained [in his
+which resolved the discussion in July 2016.
+
+More recently, Wirt admitted in an IRC conversation that "on the
+technical side I like GitLab a lot more than pagure" and that "as a
+user, GitLab is much nicer than pagure and it has those nice CI
+\[continuous integration\] features". However, as he explained [in his
 blog](http://blog.snow-crash.org/blog/upcoming-alioth-sprint/) "*GitLab
 is Opencore, \[and\] that it is not entirely opensource. I don't think
 we should use software licensed under such a model for one of our core
 services*" which leaves pagure as the only stable candidate. Other
 candidates were excluded on technical grounds, according to Wirt: Gogs
 "doesn't scale well" and a quick security check didn't yield
-satisfactory results; "Gitblit is Java" and Kallithea's support for
-accessing repositories over SSH has not yet been merged.
+satisfactory results; "Gitblit is Java" and Kallithea doesn't have
+support for accessing repositories over SSH (although there is a pending
+[pull
+request](https://bitbucket.org/conservancy/kallithea/pull-requests/311/ssh-v8/diff)
+to add the feature).
 
 Working toward a pagure migration
 ---------------------------------
@@ -160,11 +165,10 @@ One of the issues raised was the question of the non-Git repositories
 hosted on Alioth, as pagure, like GitLab, only supports Git. Indeed, Ben
 Hutchings
 [calculated](https://lists.debian.org/debian-devel/2017/05/msg00103.html)
-that while 90% (\~19,000) of the repositories are Git, there are 2,400
-SVN repositories and a handful of Mercurial, Bazaar (bzr), Darcs, Arch,
-and even CVS repositories. As part of an [informal
-survey](https://lists.debian.org/debian-devel/2017/05/msg00138.html)
-thread, however, most packaging teams explained they either had already
+that while 90% (\~19,000) of the repositories currently on Alioth are
+Git, there are 2,400 SVN repositories and a handful of Mercurial, Bazaar
+(bzr), Darcs, Arch, and even CVS repositories. As part of an informal
+survey, however, most packaging teams explained they either had already
 migrated away from SVN to Git or were in the process of doing so. The
 largest CVS user, the web site team, also explained it was progressively
 migrating to Git. Mattia Rizzolo then
@@ -229,8 +233,9 @@ Wirt, with his "list-master hat" on,
 that the main mailing list service is "*not really suited as a
 self-service*" and expressed concern at the idea of migrating the large
 number mailing lists hosted on Alioth. Indeed, there are around 1,400
-lists on Alioth while the main service has a curated set of 300 lists.
-No solution for those mailing lists was found at the time of writing.
+lists on Alioth while the main service has a set of 300 lists selected
+by the list masters. No solution for those mailing lists was found at
+the time of this writing.
 
 In the end, it seems like the Debian project has chosen pagure, the
 simpler, less featureful, but also less controversial, solution and will
@@ -240,8 +245,8 @@ Fedora. Wirt is also considering using
 pagure. The plan is to migrate away from FusionForge one bit at a time,
 and pagure is the solution for the first step: the Git repositories.
 Lists, other repositories, and additional features of FusionForge will
-dealt with later on, but Wirt expects a plan to come out of the upcoming
-sprint.
+be dealt with later on, but Wirt expects a plan to come out of the
+upcoming sprint.
 
 It will also be interesting to see how the interoperability promises of
 pagure will play out in the Debian world. Even though the federation

start graf rewrite
diff --git a/blog/alioth-gitlab.mdwn b/blog/alioth-gitlab.mdwn
index 0ba886e..9ee9450 100644
--- a/blog/alioth-gitlab.mdwn
+++ b/blog/alioth-gitlab.mdwn
@@ -6,7 +6,13 @@ Alioth moving toward pagure
 
 Since 2003, the Debian project has been running a server called
 [Alioth](https://alioth.debian.org/) to host source code version control
-systems. In early June, the current Alioth maintainer, Alexander Wirt,
+systems. it's too old and unsupported... 
+
+two grafs, details in second
+introduce why ditch alioth justification
+remove seems
+
+ In early June, the current Alioth maintainer, Alexander Wirt,
 [announced](https://lists.debian.org/debian-devel-announce/2017/06/msg00002.html)
 a [sprint](https://wiki.debian.org/Sprints/2017/Alioth) to migrate to
 [pagure](https://pagure.io/pagure), a free-software "Git-centered forge"

partial merge with lwn, script broken on jessie
diff --git a/blog/alioth-gitlab.mdwn b/blog/alioth-gitlab.mdwn
index 1223d30..0ba886e 100644
--- a/blog/alioth-gitlab.mdwn
+++ b/blog/alioth-gitlab.mdwn
@@ -1,4 +1,4 @@
-Alioth moving to pagure
+Alioth moving toward pagure
 =======================
 
 \[LWN subscriber-only content\]
@@ -40,9 +40,10 @@ project. The sponsorship was originally [offered in
 the GitLab CEO, presumably to counter a possible move to GitHub, as
 there was a
 [discussion](https://lists.debian.org/debian-devel/2015/04/threads.html#00164)
-about creating a GitHub organization for Debian at the time. The
-deployment of a Debian-specific GitLab instance then raised the question
-of the overlap with the already existing
+about creating a [GitHub
+Organization](https://github.com/blog/674-introducing-organizations) for
+Debian at the time. The deployment of a Debian-specific GitLab instance
+then raised the question of the overlap with the already existing
 [git.debian.org](https://git.debian.org/) service, which is backed by
 Alioth's FusionForge deployment. It then seemed natural that the new
 GitLab instance would replace Alioth.

fix pandoc rendering to match original headers and lwn links
diff --git a/blog/alioth-gitlab.mdwn b/blog/alioth-gitlab.mdwn
index c74bc72..1223d30 100644
--- a/blog/alioth-gitlab.mdwn
+++ b/blog/alioth-gitlab.mdwn
@@ -11,7 +11,7 @@ systems. In early June, the current Alioth maintainer, Alexander Wirt,
 a [sprint](https://wiki.debian.org/Sprints/2017/Alioth) to migrate to
 [pagure](https://pagure.io/pagure), a free-software "Git-centered forge"
 written in Python for the Fedora project, which LWN [covered last
-year](/Articles/687821/). Alioth is currently runs
+year](https://lwn.net/Articles/687821/). Alioth is currently runs
 [FusionForge](http://www.fusionforge.org/), previously known as GForge,
 which is the free-software fork of the
 [SourceForge](https://sourceforge.net/) code base when that service
@@ -21,7 +21,8 @@ forums, issue trackers, and mailing list services. The plan seems to be
 to migrate from FusionForge to a more modern and minimal platform based
 on pagure.
 
-#### Why not GitLab?
+Why not GitLab?
+---------------
 
 While this may come as a surprise to some who would expect Debian to use
 the more popular [GitLab project](https://about.gitlab.com/), the
@@ -136,7 +137,8 @@ candidates were excluded on technical grounds, according to Wirt: Gogs
 satisfactory results; "Gitblit is Java" and Kallithea's support for
 accessing repositories over SSH has not yet been merged.
 
-#### Working toward a pagure migration
+Working toward a pagure migration
+---------------------------------
 
 The issue of Alioth maintenance came up again last month when Boyuan
 Yang

another review from LWN
diff --git a/blog/alioth-gitlab.mdwn b/blog/alioth-gitlab.mdwn
index 4fc0056..c74bc72 100644
--- a/blog/alioth-gitlab.mdwn
+++ b/blog/alioth-gitlab.mdwn
@@ -100,9 +100,7 @@ ethical concerns, some specific features Debian needs *are* currently
 only in GitLab EE; for example, debian.org systems use LDAP for
 authentication, which would obviously be useful in a GitLab deployment.
 
-Wirt also [expressed
-concerns](https://lists.debian.org/debian-devel/2016/06/msg00151.html)
-about the [Contributor License
+Wirt also expressed concern about the [Contributor License
 Agreement](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/legal/individual_contributor_license_agreement.md)
 that GitLab B.V. requires contributors to sign when they send patches,
 which forces users to allow the release of their code under a non-free
@@ -135,8 +133,8 @@ we should use software licensed under such a model for one of our core
 services*" which leaves pagure as the only stable candidate. Other
 candidates were excluded on technical grounds, according to Wirt: Gogs
 "doesn't scale well" and a quick security check didn't yield
-satisfactory results; "Gitblit is Java" and Kallithea doesn't support
-accessing repositories over SSH.
+satisfactory results; "Gitblit is Java" and Kallithea's support for
+accessing repositories over SSH has not yet been merged.
 
 #### Working toward a pagure migration
 
@@ -144,8 +142,10 @@ The issue of Alioth maintenance came up again last month when Boyuan
 Yang
 [asked](https://lists.debian.org/debian-devel/2017/05/msg00095.html)
 what would happen to Alioth when support for Debian LTS (wheezy) ends
-next year. Wirt then [brought back](https://lists.debian.org/debian-devel/2017/05/msg00110.html) the pagure migration proposal and the
-community tried to make a plan for the migration.
+next year. Wirt [brought
+up](https://lists.debian.org/debian-devel/2017/05/msg00110.html) the
+pagure migration proposal and the community tried to make a plan for the
+migration.
 
 One of the issues raised was the question of the non-Git repositories
 hosted on Alioth, as pagure, like GitLab, only supports Git. Indeed, Ben
@@ -153,12 +153,12 @@ Hutchings
 [calculated](https://lists.debian.org/debian-devel/2017/05/msg00103.html)
 that while 90% (\~19,000) of the repositories are Git, there are 2,400
 SVN repositories and a handful of Mercurial, Bazaar (bzr), Darcs, Arch,
-and even CVS repositories. During an [informal
-survey](https://lists.debian.org/debian-devel/2017/05/msg00138.html),
-however, most packaging teams explained they either had already migrated
-away from SVN to Git or were in the process of doing so. The largest CVS
-user, the web site team, also explained it was progressively migrating
-to Git. Mattia Rizzolo then
+and even CVS repositories. As part of an [informal
+survey](https://lists.debian.org/debian-devel/2017/05/msg00138.html)
+thread, however, most packaging teams explained they either had already
+migrated away from SVN to Git or were in the process of doing so. The
+largest CVS user, the web site team, also explained it was progressively
+migrating to Git. Mattia Rizzolo then
 [proposed](https://lists.debian.org/debian-devel/2017/05/msg00215.html)
 that older repository services like SVN could continue running even if
 FusionForge goes down, as FusionForge is, after all, just a web
@@ -186,8 +186,10 @@ tools have limited use outside of the Debian project directly. While
 Debian derivatives and other distributions could reuse them, what
 usually happens is that other distributions roll their own software,
 like Ubuntu did with the Launchpad project. Still, Paul Wise, a member
-of the DSA team, [reasoned](https://lists.debian.org/debian-devel/2017/05/msg00171.html) that it was better, in the long term, to have
-Debian packages for debian.org services:
+of the DSA team,
+[reasoned](https://lists.debian.org/debian-devel/2017/05/msg00171.html)
+that it was better, in the long term, to have Debian packages for
+debian.org services:
 
 > Personally I'm leaning towards the feeling that all configuration,
 > code and dependencies for Debian services should be packaged and
@@ -213,24 +215,24 @@ the Debian project:
     [lists.debconf.org](https://lists.debconf.org/), also running
     Mailman 2
 
-Wirt, with his "listmaster hat", [explained](https://lists.debian.org/debian-devel/2017/05/msg00115.html) that the main mailing list
-service is "*not really suited as a self-service*" and expressed concern
-at the idea of migrating the large number mailing lists hosted on
-Alioth. Indeed, there are around 1,400 lists on Alioth while the main
-service has a curated set of 300 lists. No solution for those mailing
-lists was found at the time of writing.
+Wirt, with his "list-master hat" on,
+[explained](https://lists.debian.org/debian-devel/2017/05/msg00115.html)
+that the main mailing list service is "*not really suited as a
+self-service*" and expressed concern at the idea of migrating the large
+number mailing lists hosted on Alioth. Indeed, there are around 1,400
+lists on Alioth while the main service has a curated set of 300 lists.
+No solution for those mailing lists was found at the time of writing.
 
 In the end, it seems like the Debian project has chosen pagure, the
 simpler, less featureful, but also less controversial, solution and will
 use the same hosting software as their fellow Linux distribution,
-Fedora. Wirt is also
-[considering](https://lists.debian.org/debian-devel/2017/05/msg00110.html)
-using [FreeIPA](https://www.freeipa.org/) for account management on top
-of pagure. The plan is to migrate away from FusionForge one bit at a
-time, and pagure is the solution for the first step: the Git
-repositories. Lists, other repositories, and additional features of
-FusionForge will dealt with later on, but Wirt expects a plan to come
-out of the upcoming sprint.
+Fedora. Wirt is also considering using
+[FreeIPA](https://www.freeipa.org/) for account management on top of
+pagure. The plan is to migrate away from FusionForge one bit at a time,
+and pagure is the solution for the first step: the Git repositories.
+Lists, other repositories, and additional features of FusionForge will
+dealt with later on, but Wirt expects a plan to come out of the upcoming
+sprint.
 
 It will also be interesting to see how the interoperability promises of
 pagure will play out in the Debian world. Even though the federation

revert some lwn changes, add missing refs
diff --git a/blog/alioth-gitlab.mdwn b/blog/alioth-gitlab.mdwn
index 793691b..4fc0056 100644
--- a/blog/alioth-gitlab.mdwn
+++ b/blog/alioth-gitlab.mdwn
@@ -39,7 +39,7 @@ project. The sponsorship was originally [offered in
 the GitLab CEO, presumably to counter a possible move to GitHub, as
 there was a
 [discussion](https://lists.debian.org/debian-devel/2015/04/threads.html#00164)
-about creating GitHub repositories for Debian at the time. The
+about creating a GitHub organization for Debian at the time. The
 deployment of a Debian-specific GitLab instance then raised the question
 of the overlap with the already existing
 [git.debian.org](https://git.debian.org/) service, which is backed by
@@ -144,7 +144,7 @@ The issue of Alioth maintenance came up again last month when Boyuan
 Yang
 [asked](https://lists.debian.org/debian-devel/2017/05/msg00095.html)
 what would happen to Alioth when support for Debian LTS (wheezy) ends
-next year. Wirt then brought up the pagure migration proposal and the
+next year. Wirt then [brought back](https://lists.debian.org/debian-devel/2017/05/msg00110.html) the pagure migration proposal and the
 community tried to make a plan for the migration.
 
 One of the issues raised was the question of the non-Git repositories
@@ -186,7 +186,7 @@ tools have limited use outside of the Debian project directly. While
 Debian derivatives and other distributions could reuse them, what
 usually happens is that other distributions roll their own software,
 like Ubuntu did with the Launchpad project. Still, Paul Wise, a member
-of the DSA team, reasoned that it was better, in the long term, to have
+of the DSA team, [reasoned](https://lists.debian.org/debian-devel/2017/05/msg00171.html) that it was better, in the long term, to have
 Debian packages for debian.org services:
 
 > Personally I'm leaning towards the feeling that all configuration,
@@ -213,7 +213,7 @@ the Debian project:
     [lists.debconf.org](https://lists.debconf.org/), also running
     Mailman 2
 
-Wirt, with his "listmaster hat", explained that the main mailing list
+Wirt, with his "listmaster hat", [explained](https://lists.debian.org/debian-devel/2017/05/msg00115.html) that the main mailing list
 service is "*not really suited as a self-service*" and expressed concern
 at the idea of migrating the large number mailing lists hosted on
 Alioth. Indeed, there are around 1,400 lists on Alioth while the main

edits from LWN
diff --git a/blog/alioth-gitlab.mdwn b/blog/alioth-gitlab.mdwn
index 5616a4e..793691b 100644
--- a/blog/alioth-gitlab.mdwn
+++ b/blog/alioth-gitlab.mdwn
@@ -1,222 +1,259 @@
-Debian moves to Pagure.io
-=========================
-
-Since 2003, the Debian project has been running server
-called [Alioth](https://alioth.debian.org/) to host source code version control systems. Early
-June, the current Alioth maintainer, Alexander Wirt, [announced](https://lists.debian.org/debian-devel-announce/2017/06/msg00002.html)
-an [upcoming sprint](https://wiki.debian.org/Sprints/2017/Alioth) to migrate to [Pagure][], a free software
-"Git-centered forge" written in Python for the Fedora project, which
-LWN [covered last year](https://lwn.net/Articles/687821/). Alioth is a Debian server
-running [FusionForge](http://www.fusionforge.org/), previously known as GForge, the free
-software fork of the [SourceForge](https://sourceforge.net/) codebase, which became
-proprietary in 2001. Alioth hosts source code repositories, mainly Git
-and Subversion (SVN) and, like other "forge" sites, also offers
-forums, issue trackers and mailing lists services. The plan seems to
-be to migrate from FusionForge to a more modern and minimal platform
-based on Pagure.
-
-[Pagure]: https://pagure.io/pagure
-
-Why not GitLab?
----------------
-
-While this may come as a surprise to some who would expect Debian to
-use the more popular [GitLab project](https://about.gitlab.com/), this discussion was actually
-taken a while ago. During a [lengthy debate](https://lists.debian.org/debian-devel/2016/06/msg00062.html) last year, Debian
-contributors discussed the relative merits of different code hosting
-platforms, following the initiative of a Debian Developer, "Pirate"
-Praveen Arimbrathodiyil, to package GitLab into Debian. Praveen then
-also got a public GitLab instance running for Debian
-([gitlab.debian.net][]), sponsored by GitLab B.V. - the commercial
-entity behind the GitLab project. The sponsorship was
-actually [offered in 2015](https://lists.debian.org/debian-devel/2015/04/msg00350.html) by the GitLab CEO, presumably to counter
-a possible move to GitHub, as there was a [discussion](https://lists.debian.org/debian-devel/2015/04/msg00164.html) about
-creating a GitHub organization for Debian at the time. The deployment
-of a Debian-specific GitLab instance then raised the question of the
-overlap with the already existing [git.debian.org](https://git.debian.org/) service, backed
-by Alioth's FusionForge deployment. It then seemed natural that the
-new GitLab instance would replace Alioth.
-
-[gitlab.debian.net]: https://gitlab.debian.net/
+Alioth moving to pagure
+=======================
+
+\[LWN subscriber-only content\]
+-------------------------------
+
+Since 2003, the Debian project has been running a server called
+[Alioth](https://alioth.debian.org/) to host source code version control
+systems. In early June, the current Alioth maintainer, Alexander Wirt,
+[announced](https://lists.debian.org/debian-devel-announce/2017/06/msg00002.html)
+a [sprint](https://wiki.debian.org/Sprints/2017/Alioth) to migrate to
+[pagure](https://pagure.io/pagure), a free-software "Git-centered forge"
+written in Python for the Fedora project, which LWN [covered last
+year](/Articles/687821/). Alioth is currently runs
+[FusionForge](http://www.fusionforge.org/), previously known as GForge,
+which is the free-software fork of the
+[SourceForge](https://sourceforge.net/) code base when that service
+closed its source in 2001. Alioth hosts source code repositories, mainly
+Git and Subversion (SVN) and, like other "forge" sites, also offers
+forums, issue trackers, and mailing list services. The plan seems to be
+to migrate from FusionForge to a more modern and minimal platform based
+on pagure.
+
+#### Why not GitLab?
+
+While this may come as a surprise to some who would expect Debian to use
+the more popular [GitLab project](https://about.gitlab.com/), the
+discussion and decision actually took place a while back. During a
+[lengthy
+debate](https://lists.debian.org/debian-devel/2016/06/threads.html#00062)
+last year, Debian contributors discussed the relative merits of
+different code-hosting platforms, following the initiative of Debian
+Developer "Pirate" Praveen Arimbrathodiyil to package GitLab for Debian.
+At that time, Praveen also got a public GitLab instance running for
+Debian ([gitlab.debian.net](https://gitlab.debian.net/)), which was
+sponsored by GitLab B.V. — the commercial entity behind the GitLab
+project. The sponsorship was originally [offered in
+2015](https://lists.debian.org/debian-devel/2015/04/msg00350.html) by
+the GitLab CEO, presumably to counter a possible move to GitHub, as
+there was a
+[discussion](https://lists.debian.org/debian-devel/2015/04/threads.html#00164)
+about creating GitHub repositories for Debian at the time. The
+deployment of a Debian-specific GitLab instance then raised the question
+of the overlap with the already existing
+[git.debian.org](https://git.debian.org/) service, which is backed by
+Alioth's FusionForge deployment. It then seemed natural that the new
+GitLab instance would replace Alioth.
 
 But when Praveen directly proposed to move to GitLab, Wirt stepped in
-and [explained](https://lists.debian.org/debian-devel/2016/06/msg00080.html) that a migration plan was already in progress. The
-plan then was to migrate to a simpler [gitolite](http://gitolite.com/)-based setup, a
-decision that was apparently taken in corridor discussions surrouding
-the [Alioth Git replacement BoF](https://summit.debconf.org/debconf15/meeting/390/alioth-git-replacement-bof/) held during Debconf 2015. The
-first objection raised by Wirt against GitLab was its "huge number of
-dependencies". Another issue Wirt [identified](https://lists.debian.org/debian-devel/2016/06/msg00104.html) was the "open core /
-enterprise model", preferring a "real open source system", an opinion
-which seems shared by other participants on the mailing
-list. Wirt [backed](https://lists.debian.org/debian-devel/2016/06/msg00151.html) his concerns with an hypothetical example:
-
-> Debian needs feature X but it is already in the enterprise
-> version. We make a patch and, for commercial reasons, it never gets
-> merged (they already sell it in the enterprise version). Which means
-> we will have to fork the software and keep those patches
-> forever. Been there done that. For me, that isn't acceptable.
+and
+[explained](https://lists.debian.org/debian-devel/2016/06/msg00080.html)
+that a migration plan was already in progress. The plan then was to
+migrate to a simpler [gitolite](http://gitolite.com/)-based setup, a
+decision that was apparently made in corridor discussions surrounding
+the [Alioth Git replacement
+BoF](https://summit.debconf.org/debconf15/meeting/390/alioth-git-replacement-bof/)
+held during Debconf 2015. The first objection raised by Wirt against
+GitLab was its "*huge number of dependencies*". Another issue Wirt
+[identified](https://lists.debian.org/debian-devel/2016/06/msg00104.html)
+was the "*open core / enterprise model*", preferring a "*real open
+source system*", an opinion which seems shared by other participants on
+the mailing list. Wirt
+[backed](https://lists.debian.org/debian-devel/2016/06/msg00151.html)
+his concerns with an hypothetical example:
+
+> Debian needs feature X but it is already in the enterprise version. We
+> make a patch and, for commercial reasons, it never gets merged (they
+> already sell it in the enterprise version). Which means we will have
+> to fork the software and keep those patches forever. Been there done
+> that. For me, that isn't acceptable.
 
 This concern was further deepened when GitLab's Director of Strategic
-Partnerships, Eliran Mesika, [explained](https://lists.debian.org/debian-devel/2016/06/msg00227.html)
-their [stewardship policy](https://about.gitlab.com/about/#stewardship) that explains how GitLab decides which
-feature ends up in the proprietary version. Praveen [pointed out](https://lists.debian.org/debian-devel/2016/06/msg00228.html)
-that:
+Partnerships, Eliran Mesika,
+[explained](https://lists.debian.org/debian-devel/2016/06/msg00227.html)
+the company's [stewardship
+policy](https://about.gitlab.com/about/#stewardship) that explains how
+GitLab decides which feature ends up in the proprietary version. Praveen
+[pointed
+out](https://lists.debian.org/debian-devel/2016/06/msg00228.html) that:
 
-> basically it boils down to features that they consider important
-> for organizations with less than 100 developers may get accepted. I
-> see that as a red flag for a big community like debian.
+> \[...\] basically it boils down to features that they consider
+> important for organizations with less than 100 developers may get
+> accepted. I see that as a red flag for a big community like debian.
 
-Since there are over 600 Debian developers, the community seems to
-fall within the needs of "enterprise" users. The features the Debian
+Since there are over 600 Debian Developers, the community seems to fall
+within the needs of "enterprise" users. The features the Debian
 community may need are, by definition, appropriate only to the
 "Enterprise Edition" (GitLab EE), the non-free version, and are
-therefore unlikely to end up in the "Community Edition" (GitLab CE)
-the free software version.
-
-Interestingly, Mesika [asked to clarify](https://lists.debian.org/debian-devel/2016/06/msg00345.html) which features were
-missing, explaining that GitLab is actually opened to adding features
-to GitLab CE. The response from Holger Levsen, a Debian Developer, was
-categorical: "It's not about a specific patch. Free GitLab and we can
-talk again."  But beyond the ethical concerns, some specific features
-Debian needs *are* currently only in GitLab EE: for example,
-Debian.org systems use LDAP for authentication which would obviously
-be useful in a GitLab deployment.
-
-Wirt also [expressed concerns](https://lists.debian.org/debian-devel/2016/06/msg00151.html)
-aboutthe [Contributor License Agreement](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/legal/individual_contributor_license_agreement.md) that GitLab B.V. requires
-contributors to sign when the send patches, which forces users to
-allow the release of their code in a non-free
-license, [according to Ben Hutchings](https://lists.debian.org/debian-devel/2016/06/msg00184.html).
+therefore unlikely to end up in the "Community Edition" (GitLab CE), the
+free-software version.
+
+Interestingly, Mesika [asked for
+clarification](https://lists.debian.org/debian-devel/2016/06/msg00345.html)
+on which features were missing, explaining that GitLab is actually open
+to adding features to GitLab CE. The
+[response](https://lists.debian.org/debian-devel/2016/06/msg00346.html)
+from Debian Developer Holger Levsen was categorical: "*It's not about a
+specific patch. Free GitLab and we can talk again.*" But beyond the
+ethical concerns, some specific features Debian needs *are* currently
+only in GitLab EE; for example, debian.org systems use LDAP for
+authentication, which would obviously be useful in a GitLab deployment.
+
+Wirt also [expressed
+concerns](https://lists.debian.org/debian-devel/2016/06/msg00151.html)
+about the [Contributor License
+Agreement](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/legal/individual_contributor_license_agreement.md)
+that GitLab B.V. requires contributors to sign when they send patches,
+which forces users to allow the release of their code under a non-free
+license.
 
 The debate then went on going through a exhaustive inventory of
 different free-software alternatives:
 
- * GitLab, a Ruby-based GitHub replacement, dual licensed

(Diff truncated)
respond to a review from jake
diff --git a/blog/alioth-gitlab.mdwn b/blog/alioth-gitlab.mdwn
index ed2dc36..5616a4e 100644
--- a/blog/alioth-gitlab.mdwn
+++ b/blog/alioth-gitlab.mdwn
@@ -1,73 +1,54 @@
 Debian moves to Pagure.io
 =========================
 
-Since 2003, the Debian project runs a server
-called [Alioth](https://alioth.debian.org/) to host source code
-version control systems. Last week, the current Alioth
-maintainer, Alexander
-Wirt,
-[announced](https://lists.debian.org/debian-devel-announce/2017/06/msg00002.html) an
-[upcoming sprint](https://wiki.debian.org/Sprints/2017/Alioth) to
-migrate to [Pagure][], a free software
-"git-centered forge" written in Python for the Fedora project, which
-LWN [covered last year](https://lwn.net/Articles/687821/). Alioth is a
-Debian server running [FusionForge](http://www.fusionforge.org/),
-previously known as GForge, the free software fork of
-the [SourceForge](https://sourceforge.net/) codebase, which became
-proprietary in 2001. Alioth hosts source code repositories, mainly git
-and subversion and, like other "forge" sites, also offers forums,
-issue trackers and mailing lists services. The plan seems to be to
-migrate from FusionForge to a more modern and minimal platform based
-on Pagure.
+Since 2003, the Debian project has been running server
+called [Alioth](https://alioth.debian.org/) to host source code version control systems. Early
+June, the current Alioth maintainer, Alexander Wirt, [announced](https://lists.debian.org/debian-devel-announce/2017/06/msg00002.html)
+an [upcoming sprint](https://wiki.debian.org/Sprints/2017/Alioth) to migrate to [Pagure][], a free software
+"Git-centered forge" written in Python for the Fedora project, which
+LWN [covered last year](https://lwn.net/Articles/687821/). Alioth is a Debian server
+running [FusionForge](http://www.fusionforge.org/), previously known as GForge, the free
+software fork of the [SourceForge](https://sourceforge.net/) codebase, which became
+proprietary in 2001. Alioth hosts source code repositories, mainly Git
+and Subversion (SVN) and, like other "forge" sites, also offers
+forums, issue trackers and mailing lists services. The plan seems to
+be to migrate from FusionForge to a more modern and minimal platform
+based on Pagure.
 
 [Pagure]: https://pagure.io/pagure
 
-Why not Gitlab?
+Why not GitLab?
 ---------------
 
 While this may come as a surprise to some who would expect Debian to
-use the more popular Gitlab project, this discussion was actually
-taken a while ago. During
-a
-[lengthy debate](https://lists.debian.org/debian-devel/2016/06/msg00062.html) last
-year, Debian contributors discussed the relative merits of different
-code hosting platforms, following the initiative of a Debian
-Developer, "Pirate" Praveen Arimbrathodiyil, to package Gitlab into
-Debian. Praveen then also got a public Gitlab instance running for
-Debian ([gitlab.debian.net][]), sponsored by
-Gitlab B.V. - the commercial entity behind the Gitlab project. The
-sponsorship was
-actually
-[offered in 2015](https://lists.debian.org/debian-devel/2015/04/msg00350.html) by
-the Gitlab CEO, presumably to counter a possible move to Github, as
-there was a
-[discussion](https://lists.debian.org/debian-devel/2015/04/msg00164.html) about
-creating a Github organization for Debian at the time. The deployment of a Debian-specific Gitlab instance then raised the
-question of the overlap with the already
-existing [git.debian.org](https://git.debian.org/) service, backed by
-Alioth's FusionForge deployment. It then seemed natural that the new
-Gitlab instance would replace Alioth.
+use the more popular [GitLab project](https://about.gitlab.com/), this discussion was actually
+taken a while ago. During a [lengthy debate](https://lists.debian.org/debian-devel/2016/06/msg00062.html) last year, Debian
+contributors discussed the relative merits of different code hosting
+platforms, following the initiative of a Debian Developer, "Pirate"
+Praveen Arimbrathodiyil, to package GitLab into Debian. Praveen then
+also got a public GitLab instance running for Debian
+([gitlab.debian.net][]), sponsored by GitLab B.V. - the commercial
+entity behind the GitLab project. The sponsorship was
+actually [offered in 2015](https://lists.debian.org/debian-devel/2015/04/msg00350.html) by the GitLab CEO, presumably to counter
+a possible move to GitHub, as there was a [discussion](https://lists.debian.org/debian-devel/2015/04/msg00164.html) about
+creating a GitHub organization for Debian at the time. The deployment
+of a Debian-specific GitLab instance then raised the question of the
+overlap with the already existing [git.debian.org](https://git.debian.org/) service, backed
+by Alioth's FusionForge deployment. It then seemed natural that the
+new GitLab instance would replace Alioth.
 
 [gitlab.debian.net]: https://gitlab.debian.net/
 
-But when Praveen directly proposed to move to Gitlab, Wirt stepped in
-and
-[explained](https://lists.debian.org/debian-devel/2016/06/msg00080.html) that
-a migration plan was already in progress. The plan then was to migrate
-to a simpler [gitolite](http://gitolite.com/)-based setup, a decision
-that was apparently taken in corridor discussions surrouding
-the
-[Alioth git replacement BoF](https://summit.debconf.org/debconf15/meeting/390/alioth-git-replacement-bof/) held
-during Debconf 2015. The first objection raised by Wirt against Gitlab
-was its "huge number of dependencies". Another issue
-Wirt
-[identified](https://lists.debian.org/debian-devel/2016/06/msg00104.html) was
-the "open core / enterprise model", preferring a "real open source
-system", an opinion which seems shared by other participants on the
-mailing
-list. Wirt
-[backed](https://lists.debian.org/debian-devel/2016/06/msg00151.html)
-his concerns with an hypothetical example:
+But when Praveen directly proposed to move to GitLab, Wirt stepped in
+and [explained](https://lists.debian.org/debian-devel/2016/06/msg00080.html) that a migration plan was already in progress. The
+plan then was to migrate to a simpler [gitolite](http://gitolite.com/)-based setup, a
+decision that was apparently taken in corridor discussions surrouding
+the [Alioth Git replacement BoF](https://summit.debconf.org/debconf15/meeting/390/alioth-git-replacement-bof/) held during Debconf 2015. The
+first objection raised by Wirt against GitLab was its "huge number of
+dependencies". Another issue Wirt [identified](https://lists.debian.org/debian-devel/2016/06/msg00104.html) was the "open core /
+enterprise model", preferring a "real open source system", an opinion
+which seems shared by other participants on the mailing
+list. Wirt [backed](https://lists.debian.org/debian-devel/2016/06/msg00151.html) his concerns with an hypothetical example:
 
 > Debian needs feature X but it is already in the enterprise
 > version. We make a patch and, for commercial reasons, it never gets
@@ -75,13 +56,11 @@ his concerns with an hypothetical example:
 > we will have to fork the software and keep those patches
 > forever. Been there done that. For me, that isn't acceptable.
 
-This concern was further deepened when Gitlab's Director of Strategic
-Partnerships, Eliran Mesika,
-[explained](https://lists.debian.org/debian-devel/2016/06/msg00227.html)
-their
-[stewardship policy](https://about.gitlab.com/about/#stewardship) that
-explains how Gitlab decides which feature ends up in the proprietary version. Praveen
-[argued that](https://lists.debian.org/debian-devel/2016/06/msg00228.html):
+This concern was further deepened when GitLab's Director of Strategic
+Partnerships, Eliran Mesika, [explained](https://lists.debian.org/debian-devel/2016/06/msg00227.html)
+their [stewardship policy](https://about.gitlab.com/about/#stewardship) that explains how GitLab decides which
+feature ends up in the proprietary version. Praveen [pointed out](https://lists.debian.org/debian-devel/2016/06/msg00228.html)
+that:
 
 > basically it boils down to features that they consider important
 > for organizations with less than 100 developers may get accepted. I
@@ -90,33 +69,30 @@ explains how Gitlab decides which feature ends up in the proprietary version. Pr
 Since there are over 600 Debian developers, the community seems to
 fall within the needs of "enterprise" users. The features the Debian
 community may need are, by definition, appropriate only to the
-"Enterprise Edition" (Gitlab EE), the non-free version, and are
-therefore unlikely to end up in the "Community Edition" (Gitlab CE)
+"Enterprise Edition" (GitLab EE), the non-free version, and are
+therefore unlikely to end up in the "Community Edition" (GitLab CE)
 the free software version.
 
-Interestingly, Gitlab's Director of Strategic Partnerships, Eliran
-Mesika,
-[joined the conversation](https://lists.debian.org/debian-devel/2016/06/msg00345.html) to
-explain that Gitlab is actually opened to adding features to Gitlab CE
-and asked for clarification of which features were missing. The
-response from Holger Levsen, a Debian Developer, was categorical:
-"It's not about a specific patch. Free gitlab and we can talk again."
-But beyond the ethical concerns, some specific features Debian needs
-*are* currently only in Gitlab EE: for example, Debian.org systems use
-LDAP for authentication which would obviously be useful in a Gitlab
-deployment.
-
-Wirt also [expressed concerns](https://lists.debian.org/debian-devel/2016/06/msg00151.html) aboutthe
-[Contributor License Agreement](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/legal/individual_contributor_license_agreement.md)
-that Gitlab.com requires contributors to sign when the send patches,
-which forces users to allow the release of their code in a non-free
+Interestingly, Mesika [asked to clarify](https://lists.debian.org/debian-devel/2016/06/msg00345.html) which features were
+missing, explaining that GitLab is actually opened to adding features
+to GitLab CE. The response from Holger Levsen, a Debian Developer, was
+categorical: "It's not about a specific patch. Free GitLab and we can
+talk again."  But beyond the ethical concerns, some specific features
+Debian needs *are* currently only in GitLab EE: for example,
+Debian.org systems use LDAP for authentication which would obviously
+be useful in a GitLab deployment.
+
+Wirt also [expressed concerns](https://lists.debian.org/debian-devel/2016/06/msg00151.html)
+aboutthe [Contributor License Agreement](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/legal/individual_contributor_license_agreement.md) that GitLab B.V. requires
+contributors to sign when the send patches, which forces users to
+allow the release of their code in a non-free
 license, [according to Ben Hutchings](https://lists.debian.org/debian-devel/2016/06/msg00184.html).
 
-The debate then went on going through a exhaustive
-inventory of different free-software alternatives:
+The debate then went on going through a exhaustive inventory of
+different free-software alternatives:
 
- * [Gitlab](https://gitlab.com/), a Ruby-based Github replacement,
-   dual licensed MIT/Commercial
+ * GitLab, a Ruby-based GitHub replacement, dual licensed
+   MIT/Commercial
  * [Gogs](https://gogs.io/), Golang, MIT
  * [GitBlit](http://gitblit.com/), Java, Apache-licensed
  * [Kallithea](https://kallithea-scm.org/), in Python, also supports
@@ -124,80 +100,63 @@ inventory of different free-software alternatives:
  * and finally, [Pagure][], also written Python
 
 A feature comparison between each project was
-created [in the Debian wiki](https://wiki.debian.org/Alioth/GitNext)
-as well. In the end, however,
-Praveen
-[gave up on replacing Alioth with Gitlab](https://lists.debian.org/debian-devel/2016/07/msg00510.html) because
-of the controversy and moved on to support the Pagure migration, which
+created [in the Debian wiki](https://wiki.debian.org/Alioth/GitNext) as well. In the end, however,
+Praveen [gave up on replacing Alioth with GitLab](https://lists.debian.org/debian-devel/2016/07/msg00510.html) because of the

(Diff truncated)
explain why other candidates were excluded
diff --git a/blog/alioth-gitlab.mdwn b/blog/alioth-gitlab.mdwn
index be47942..ed2dc36 100644
--- a/blog/alioth-gitlab.mdwn
+++ b/blog/alioth-gitlab.mdwn
@@ -115,11 +115,12 @@ license, [according to Ben Hutchings](https://lists.debian.org/debian-devel/2016
 The debate then went on going through a exhaustive
 inventory of different free-software alternatives:
 
- * [Gitlab](https://gitlab.com/), a Ruby-based Github replacement
- * [Gogs](https://gogs.io/), Golang, still in development
- * [GitBlit](http://gitblit.com/), Java
- * [Kallithea](https://kallithea-scm.org/), in Python, also supporting
-Mercurial
+ * [Gitlab](https://gitlab.com/), a Ruby-based Github replacement,
+   dual licensed MIT/Commercial
+ * [Gogs](https://gogs.io/), Golang, MIT
+ * [GitBlit](http://gitblit.com/), Java, Apache-licensed
+ * [Kallithea](https://kallithea-scm.org/), in Python, also supports
+   Mercurial
  * and finally, [Pagure][], also written Python
 
 A feature comparison between each project was
@@ -136,7 +137,11 @@ explained
 [in his blog](http://blog.snow-crash.org/blog/upcoming-alioth-sprint/)
 "Gitlab is Opencore, [and] that it is not entirely opensource. I don’t
 think we should use software licensed under such a model for one of
-our core services" which leaves Pagure as the only stable candidate.
+our core services" which leaves Pagure as the only stable
+candidate. Other candidates were excluded on technical grounds,
+according to Wirt: Gogs "doesn't scale well" and a quick security
+check didn't yield satisfactory results; "Gitlab is Java" and
+Kallithea doesn't support SSH repositories.
 
 Working towards a Pagure migration
 ----------------------------------

review first draft, sent to LWN
diff --git a/blog/alioth-gitlab.mdwn b/blog/alioth-gitlab.mdwn
index d5901f8..be47942 100644
--- a/blog/alioth-gitlab.mdwn
+++ b/blog/alioth-gitlab.mdwn
@@ -1,135 +1,208 @@
 Debian moves to Pagure.io
 =========================
 
-The Debian project has started working on moving their "Alioth"
-server, which powers most of their public version control
-repositories, from the FusionForge software to
-[Pagure.io](https://pagure.io/pagure), which we
-[previously covered](https://lwn.net/Articles/687821/). In a
-[short notice](https://lists.debian.org/debian-devel-announce/2017/06/msg00002.html),
-Alexander Wirt, the current Alioth maintainer, announced a
-[sprint](https://wiki.debian.org/Sprints/2017/Alioth) to be held at
-the Hamburg Chaos Computer Club headquarters in August.
-
-While this may come as a surprise to some, the discussion actually
-started years ago. During a
-[lengthy debate](https://lists.debian.org/debian-devel/2016/06/msg00062.html)
-last year, Debian contributors discussed the relative merits of
-various hosting platforms, following the initiative of a Debian
+Since 2003, the Debian project runs a server
+called [Alioth](https://alioth.debian.org/) to host source code
+version control systems. Last week, the current Alioth
+maintainer, Alexander
+Wirt,
+[announced](https://lists.debian.org/debian-devel-announce/2017/06/msg00002.html) an
+[upcoming sprint](https://wiki.debian.org/Sprints/2017/Alioth) to
+migrate to [Pagure][], a free software
+"git-centered forge" written in Python for the Fedora project, which
+LWN [covered last year](https://lwn.net/Articles/687821/). Alioth is a
+Debian server running [FusionForge](http://www.fusionforge.org/),
+previously known as GForge, the free software fork of
+the [SourceForge](https://sourceforge.net/) codebase, which became
+proprietary in 2001. Alioth hosts source code repositories, mainly git
+and subversion and, like other "forge" sites, also offers forums,
+issue trackers and mailing lists services. The plan seems to be to
+migrate from FusionForge to a more modern and minimal platform based
+on Pagure.
+
+[Pagure]: https://pagure.io/pagure
+
+Why not Gitlab?
+---------------
+
+While this may come as a surprise to some who would expect Debian to
+use the more popular Gitlab project, this discussion was actually
+taken a while ago. During
+a
+[lengthy debate](https://lists.debian.org/debian-devel/2016/06/msg00062.html) last
+year, Debian contributors discussed the relative merits of different
+code hosting platforms, following the initiative of a Debian
 Developer, "Pirate" Praveen Arimbrathodiyil, to package Gitlab into
-Debian and deploy a publicly available instance at
-[gitlab.debian.net](https://gitlab.debian.net/), sponsored by Gitlab
-B.V. - the commercial entity behind the Gitlab project. This
-sponsorship was actually
-[announced](https://lists.debian.org/debian-devel/2015/04/msg00350.html)
-in 2015, when the Gitlab CEO offered it to the Debian project to
-counter a possible move to a Github organization. A year later, Gitlab
-was packaged in Debian and the server was available.
-
-But the deployment of a Debian-specific Gitlab instance obviously
-raised the question of overlap of that service and the already
-existing [git.debian.org](https://git.debian.org/) service, which is
-running on the venerable Alioth service. Alioth is a Debian server
-running FusionForge, previously known as GForge, the free software
-fork of the SourceForce.net codebase closed in 2001. Alioth hosts
-source code repositories, mostly git and subversion and, like other
-"forge" sites, also offers forums, issue trackers and mailing lists
-services.
-
-Last year, when a desire to move to Gitlab was clearly expressed, Wirt
-stepped in and
-[explained](https://lists.debian.org/debian-devel/2016/06/msg00080.html)
-that a migration plan was already in progress to migrate to a simpler
-[gitolite](http://gitolite.com/)-based setup, a process that was
-started during the
-[Alioth git replacement BoF](https://summit.debconf.org/debconf15/meeting/390/alioth-git-replacement-bof/)
-held during Debconf 2015. The first objection raised by Wirt against
-Gitlab was its "huge number of dependencies". Another issue Wirt
-[identified](https://lists.debian.org/debian-devel/2016/06/msg00104.html)
-was the "open core / enterprise model", preferring a "real open source
-system", an opinion which seems to be shared with many other
-participants on the mailing list. Wirt
-[explained](https://lists.debian.org/debian-devel/2016/06/msg00151.html):
+Debian. Praveen then also got a public Gitlab instance running for
+Debian ([gitlab.debian.net][]), sponsored by
+Gitlab B.V. - the commercial entity behind the Gitlab project. The
+sponsorship was
+actually
+[offered in 2015](https://lists.debian.org/debian-devel/2015/04/msg00350.html) by
+the Gitlab CEO, presumably to counter a possible move to Github, as
+there was a
+[discussion](https://lists.debian.org/debian-devel/2015/04/msg00164.html) about
+creating a Github organization for Debian at the time. The deployment of a Debian-specific Gitlab instance then raised the
+question of the overlap with the already
+existing [git.debian.org](https://git.debian.org/) service, backed by
+Alioth's FusionForge deployment. It then seemed natural that the new
+Gitlab instance would replace Alioth.
+
+[gitlab.debian.net]: https://gitlab.debian.net/
+
+But when Praveen directly proposed to move to Gitlab, Wirt stepped in
+and
+[explained](https://lists.debian.org/debian-devel/2016/06/msg00080.html) that
+a migration plan was already in progress. The plan then was to migrate
+to a simpler [gitolite](http://gitolite.com/)-based setup, a decision
+that was apparently taken in corridor discussions surrouding
+the
+[Alioth git replacement BoF](https://summit.debconf.org/debconf15/meeting/390/alioth-git-replacement-bof/) held
+during Debconf 2015. The first objection raised by Wirt against Gitlab
+was its "huge number of dependencies". Another issue
+Wirt
+[identified](https://lists.debian.org/debian-devel/2016/06/msg00104.html) was
+the "open core / enterprise model", preferring a "real open source
+system", an opinion which seems shared by other participants on the
+mailing
+list. Wirt
+[backed](https://lists.debian.org/debian-devel/2016/06/msg00151.html)
+his concerns with an hypothetical example:
 
 > Debian needs feature X but it is already in the enterprise
 > version. We make a patch and, for commercial reasons, it never gets
 > merged (they already sell it in the enterprise version). Which means
 > we will have to fork the software and keep those patches
-> forever. Been there done that. For me, that isn't acceptable.  I
-> don't want another Nagios.
+> forever. Been there done that. For me, that isn't acceptable.
 
 This concern was further deepened when Gitlab's Director of Strategic
 Partnerships, Eliran Mesika,
 [explained](https://lists.debian.org/debian-devel/2016/06/msg00227.html)
 their
-[stewardship policy](https://about.gitlab.com/about/#stewardship). Praveen
+[stewardship policy](https://about.gitlab.com/about/#stewardship) that
+explains how Gitlab decides which feature ends up in the proprietary version. Praveen
 [argued that](https://lists.debian.org/debian-devel/2016/06/msg00228.html):
 
 > basically it boils down to features that they consider important
 > for organizations with less than 100 developers may get accepted. I
 > see that as a red flag for a big community like debian.
 
-As a reminder, there are over 600 Debian developers, so the community
-clearly falls within the needs of "entreprise" users. This means that
-the features the Debian community needs are, by definition,
-appropriate only to the non-free edition.
+Since there are over 600 Debian developers, the community seems to
+fall within the needs of "enterprise" users. The features the Debian
+community may need are, by definition, appropriate only to the
+"Enterprise Edition" (Gitlab EE), the non-free version, and are
+therefore unlikely to end up in the "Community Edition" (Gitlab CE)
+the free software version.
 
 Interestingly, Gitlab's Director of Strategic Partnerships, Eliran
 Mesika,
-[joined the conversation](https://lists.debian.org/debian-devel/2016/06/msg00345.html)
-to explain that Gitlab is actually opened to adding features to the
-Community Edition (CE) and asked for clarification of which features
-were missing. No clear response was given, but it is clear that LDAP
-integration would be a requirement, as the Debian.org systems use LDAP
-for authentication and that feature is only available to paying
-customers.
-
-There were also concerns regarding the
+[joined the conversation](https://lists.debian.org/debian-devel/2016/06/msg00345.html) to
+explain that Gitlab is actually opened to adding features to Gitlab CE
+and asked for clarification of which features were missing. The
+response from Holger Levsen, a Debian Developer, was categorical:
+"It's not about a specific patch. Free gitlab and we can talk again."
+But beyond the ethical concerns, some specific features Debian needs
+*are* currently only in Gitlab EE: for example, Debian.org systems use
+LDAP for authentication which would obviously be useful in a Gitlab
+deployment.
+
+Wirt also [expressed concerns](https://lists.debian.org/debian-devel/2016/06/msg00151.html) aboutthe
 [Contributor License Agreement](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/legal/individual_contributor_license_agreement.md)
 that Gitlab.com requires contributors to sign when the send patches,
-which forces users to allow their code to be released in a non-free
+which forces users to allow the release of their code in a non-free
 license, [according to Ben Hutchings](https://lists.debian.org/debian-devel/2016/06/msg00184.html).
 
-The debate then went on going through a surprisingly exhaustive
-inventory of various free-software alternatives:
-[Gogs](https://gogs.io/) (Go-based Github replacement),
-[GitBlit](http://gitblit.com/) (Java),
-[Kallithea](https://kallithea-scm.org/) (Python, also supporting
-Mercurial) and finally, Pagure, which was
-[introduced by Barry Warsaw](https://lists.debian.org/debian-devel/2016/06/msg00168.html),
-the Mailman maintainer and major Python contributor. A feature
-comparison between each project was created
-[in the Debian wiki](https://wiki.debian.org/Alioth/GitNext) as well.
-
-Ironically, while Praveen and other Debian maintainers have been
-working very hard to package Gitlab in Debian, Pagure
-[isn't packaged yet](https://bugs.debian.org/829046). Antonio
-Terceiro, member of the Debian System Administrator (DSA) team,
-[explained](https://lists.debian.org/debian-devel/2016/07/msg00555.html)

(Diff truncated)
first alioth/gitlab/pagure switch draft
diff --git a/blog/alioth-gitlab.mdwn b/blog/alioth-gitlab.mdwn
new file mode 100644
index 0000000..d5901f8
--- /dev/null
+++ b/blog/alioth-gitlab.mdwn
@@ -0,0 +1,206 @@
+Debian moves to Pagure.io
+=========================
+
+The Debian project has started working on moving their "Alioth"
+server, which powers most of their public version control
+repositories, from the FusionForge software to
+[Pagure.io](https://pagure.io/pagure), which we
+[previously covered](https://lwn.net/Articles/687821/). In a
+[short notice](https://lists.debian.org/debian-devel-announce/2017/06/msg00002.html),
+Alexander Wirt, the current Alioth maintainer, announced a
+[sprint](https://wiki.debian.org/Sprints/2017/Alioth) to be held at
+the Hamburg Chaos Computer Club headquarters in August.
+
+While this may come as a surprise to some, the discussion actually
+started years ago. During a
+[lengthy debate](https://lists.debian.org/debian-devel/2016/06/msg00062.html)
+last year, Debian contributors discussed the relative merits of
+various hosting platforms, following the initiative of a Debian
+Developer, "Pirate" Praveen Arimbrathodiyil, to package Gitlab into
+Debian and deploy a publicly available instance at
+[gitlab.debian.net](https://gitlab.debian.net/), sponsored by Gitlab
+B.V. - the commercial entity behind the Gitlab project. This
+sponsorship was actually
+[announced](https://lists.debian.org/debian-devel/2015/04/msg00350.html)
+in 2015, when the Gitlab CEO offered it to the Debian project to
+counter a possible move to a Github organization. A year later, Gitlab
+was packaged in Debian and the server was available.
+
+But the deployment of a Debian-specific Gitlab instance obviously
+raised the question of overlap of that service and the already
+existing [git.debian.org](https://git.debian.org/) service, which is
+running on the venerable Alioth service. Alioth is a Debian server
+running FusionForge, previously known as GForge, the free software
+fork of the SourceForce.net codebase closed in 2001. Alioth hosts
+source code repositories, mostly git and subversion and, like other
+"forge" sites, also offers forums, issue trackers and mailing lists
+services.
+
+Last year, when a desire to move to Gitlab was clearly expressed, Wirt
+stepped in and
+[explained](https://lists.debian.org/debian-devel/2016/06/msg00080.html)
+that a migration plan was already in progress to migrate to a simpler
+[gitolite](http://gitolite.com/)-based setup, a process that was
+started during the
+[Alioth git replacement BoF](https://summit.debconf.org/debconf15/meeting/390/alioth-git-replacement-bof/)
+held during Debconf 2015. The first objection raised by Wirt against
+Gitlab was its "huge number of dependencies". Another issue Wirt
+[identified](https://lists.debian.org/debian-devel/2016/06/msg00104.html)
+was the "open core / enterprise model", preferring a "real open source
+system", an opinion which seems to be shared with many other
+participants on the mailing list. Wirt
+[explained](https://lists.debian.org/debian-devel/2016/06/msg00151.html):
+
+> Debian needs feature X but it is already in the enterprise
+> version. We make a patch and, for commercial reasons, it never gets
+> merged (they already sell it in the enterprise version). Which means
+> we will have to fork the software and keep those patches
+> forever. Been there done that. For me, that isn't acceptable.  I
+> don't want another Nagios.
+
+This concern was further deepened when Gitlab's Director of Strategic
+Partnerships, Eliran Mesika,
+[explained](https://lists.debian.org/debian-devel/2016/06/msg00227.html)
+their
+[stewardship policy](https://about.gitlab.com/about/#stewardship). Praveen
+[argued that](https://lists.debian.org/debian-devel/2016/06/msg00228.html):
+
+> basically it boils down to features that they consider important
+> for organizations with less than 100 developers may get accepted. I
+> see that as a red flag for a big community like debian.
+
+As a reminder, there are over 600 Debian developers, so the community
+clearly falls within the needs of "entreprise" users. This means that
+the features the Debian community needs are, by definition,
+appropriate only to the non-free edition.
+
+Interestingly, Gitlab's Director of Strategic Partnerships, Eliran
+Mesika,
+[joined the conversation](https://lists.debian.org/debian-devel/2016/06/msg00345.html)
+to explain that Gitlab is actually opened to adding features to the
+Community Edition (CE) and asked for clarification of which features
+were missing. No clear response was given, but it is clear that LDAP
+integration would be a requirement, as the Debian.org systems use LDAP
+for authentication and that feature is only available to paying
+customers.
+
+There were also concerns regarding the
+[Contributor License Agreement](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/legal/individual_contributor_license_agreement.md)
+that Gitlab.com requires contributors to sign when the send patches,
+which forces users to allow their code to be released in a non-free
+license, [according to Ben Hutchings](https://lists.debian.org/debian-devel/2016/06/msg00184.html).
+
+The debate then went on going through a surprisingly exhaustive
+inventory of various free-software alternatives:
+[Gogs](https://gogs.io/) (Go-based Github replacement),
+[GitBlit](http://gitblit.com/) (Java),
+[Kallithea](https://kallithea-scm.org/) (Python, also supporting
+Mercurial) and finally, Pagure, which was
+[introduced by Barry Warsaw](https://lists.debian.org/debian-devel/2016/06/msg00168.html),
+the Mailman maintainer and major Python contributor. A feature
+comparison between each project was created
+[in the Debian wiki](https://wiki.debian.org/Alioth/GitNext) as well.
+
+Ironically, while Praveen and other Debian maintainers have been
+working very hard to package Gitlab in Debian, Pagure
+[isn't packaged yet](https://bugs.debian.org/829046). Antonio
+Terceiro, member of the Debian System Administrator (DSA) team,
+[explained](https://lists.debian.org/debian-devel/2016/07/msg00555.html)
+this wasn't actually a big issue for debian.org services:
+
+> Note that DSA does not need/want the service software itself packaged,
+> only its dependencies.
+
+The issue of Alioth maintenance was raised again last month when
+Boyuan Yang
+[asked](https://lists.debian.org/debian-devel/2017/05/msg00095.html)
+what would happen to Alioth when Debian LTS (wheezy) stops being
+supported in about a year. This time, one of the issue that was raised
+was the question of the non-git repositories hosted on Alioth. Indeed,
+Hutchings
+[calculated](https://lists.debian.org/debian-devel/2017/05/msg00103.html)
+that while 90% (~19 000) are git repositories, there are 2 400
+subversion repositories and a handful of mercurial, bzr, darcs, arch
+and even CVS repositories. During an
+[informal survey](https://lists.debian.org/debian-devel/2017/05/msg00138.html),
+however, most packaging teams explained they either had already
+migrated away from SVN to Git or were in the process of doing so. The
+largest CVS user, the website team, also explained they were
+progressively migrating to git. Mattia Rizzolo then
+[proposed](https://lists.debian.org/debian-devel/2017/05/msg00215.html)
+that older repository services like Subversion could keep running as
+is even if the forge itself is disabled.
+
+The last pending issue is the question of mailing lists hosted on
+Alioth, as Pagure doesn't offer mailing list management (nor does
+Gitlab). Indeed, there are *three* different mailing list services in
+the Debian project:
+
+ * the main service, [lists.debian.org](https://lists.debian.org/),
+   running Mailman 2 and managed by hand
+ * the Alioth service,
+   [lists.alioth.debian.org](https://lists.debian.org/), running
+   Mailman 2 and managed by FusionForge
+ * the Debconf service,
+   [lists.debconf.org](https://lists.debconf.org/), also running
+   Mailman
+ 
+Wirt, with his "listmaster hat", explained that the main mailing list
+service is "not really suited as a self-service" and expressed concern
+at the idea of migrating the large number mailing lists hosted on Alioth.
+Indeed, there are around 1 400 lists on Alioth while the main service
+has a curated set of 300 lists. No solution for those mailing lists
+was found at the time of writing.
+
+In the end, it seems like the Debian project has chosen Pagure, the
+simpler, less featureful but also less controversial solution of using
+the same hosting software as their fellow Linux distribution,
+Fedora. Wirt
+[considers](https://lists.debian.org/debian-devel/2017/05/msg00110.html)
+using [FreeIPA](https://www.freeipa.org/) for account management on
+top of Pagure.
+
+In any case, given the long history and the wild variety of workflows
+in the Debian project, it is unlikely that a single tool will solve
+all issues. Alioth itself was often seen as having significant overlap
+with other tools that exist within Debian, not only does it have
+mailing lists and forums, but it also has its own issue tracker that
+overlaps with the Debian BTS. This is just the way things are in
+Debian: it is an old project with lots of moving part. As Jonathan
+Dowland
+[puts it](https://lists.debian.org/debian-devel/2016/06/msg00180.html):
+
+> The nature of the project is loosely-coupled, some redundancy, lots
+> of legacy cruft, and sadly more than one way to do it.
+
+
+
+
+https://lists.debian.org/debian-devel/2017/05/msg00171.html
+Pabs:
+> On Tue, May 16, 2017 at 12:39 AM, Antonio Terceiro wrote:
+> 
+> > Right. IIRC that was said to me at Debconf16 about Debian-specific
+> > services (such as ci.debian.net which was the context of my question).
+> 
+> Yeah, for codebases maintained by the service maintainer not having
+> packages seems reasonable (but not for dependencies of that codebase)
+> and that seems to be the current feeling within DSA.
+> 
+> Personally I'm leaning towards the feeling that all configuration,
+> code and dependencies for Debian services should be packaged and
+> subjected to the usual Debian QA activities but I acknowledge that the
+> current archive setup (testing migration plus backporting etc) doesn't
+> necessarily make this easy. The PPA/bikeshed mechanism might make it

(Diff truncated)
update network plan after internal move
things that were done actually before the move:
* roadkiller replaced with octavia
* secondary switch removed
* plastik replaced with dawkins
after the move:
* dawkins removed
diff --git "a/services/r\303\251seau/plan.dia" "b/services/r\303\251seau/plan.dia"
index 6e53844..dda5eed 100644
Binary files "a/services/r\303\251seau/plan.dia" and "b/services/r\303\251seau/plan.dia" differ
diff --git "a/services/r\303\251seau/plan.svg" "b/services/r\303\251seau/plan.svg"
index bce4c8f..0cedaf5 100644
--- "a/services/r\303\251seau/plan.svg"
+++ "b/services/r\303\251seau/plan.svg"
@@ -1,331 +1,247 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.0//EN" "http://www.w3.org/TR/2001/PR-SVG-20010719/DTD/svg10.dtd">
 <svg width="17cm" height="23cm" viewBox="330 3 331 454" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
-  <g>
-    <path style="fill: #b6c7c9" d="M 584.709 165.832 L 584.642,162.915 L 584.407,159.997 L 583.97,157.132 L 583.365,154.266 L 582.558,151.349 L 581.651,148.534 L 580.508,145.77 L 579.231,143.058 L 577.853,140.346 L 576.24,137.787 L 574.526,135.228 L 572.643,132.823 L 570.593,130.418 L 568.442,128.166 L 566.157,125.965 L 563.703,123.918 L 561.183,121.922 L 558.561,120.08 L 555.805,118.34 L 552.948,116.753 L 549.99,115.218 L 546.932,113.939 L 543.874,112.659 L 540.681,111.585 L 537.42,110.612 L 534.16,109.793 L 530.833,109.128 L 527.472,108.668 L 524.077,108.258 L 520.649,108.053 L 517.221,107.951 L 517.221,107.951 L 513.826,108.053 L 510.365,108.258 L 507.004,108.668 L 503.643,109.128 L 500.282,109.793 L 497.022,110.612 L 493.761,111.585 L 490.602,112.659 L 487.476,113.939 L 484.485,115.218 L 481.527,116.753 L 478.704,118.34 L 475.915,120.08 L 473.293,121.922 L 470.739,123.918 L 468.285,125.965 L 466,128.166 L 463.849,130.418 L 461.799,132.823 L 459.916,135.228 L 458.202,137.787 L 456.623,140.346 L 455.177,143.058 L 453.967,145.77 L 452.825,148.534 L 451.884,151.349 L 451.077,154.266 L 450.539,157.132 L 450.102,159.997 L 449.8,162.915 L 449.766,165.832 L 449.766,165.832 L 449.8,168.8 L 450.102,171.717 L 450.539,174.634 L 451.077,177.5 L 451.884,180.366 L 452.825,183.18 L 453.967,185.944 L 455.177,188.707 L 456.623,191.369 L 458.202,193.927 L 459.916,196.486 L 461.799,198.943 L 463.849,201.297 L 466,203.549 L 468.285,205.749 L 470.739,207.847 L 473.293,209.741 L 475.915,211.686 L 478.704,213.426 L 481.527,215.012 L 484.485,216.445 L 487.476,217.827 L 490.602,219.055 L 493.761,220.13 L 497.022,221.102 L 500.282,221.921 L 503.643,222.535 L 507.004,223.047 L 510.365,223.507 L 513.826,223.661 L 517.221,223.712 L 517.221,223.712 L 520.649,223.661 L 524.077,223.507 L 527.472,223.047 L 530.833,222.535 L 534.16,221.921 L 537.42,221.102 L 540.681,220.13 L 543.874,219.055 L 546.932,217.827 L 549.99,216.445 L 552.948,215.012 L 555.805,213.426 L 558.561,211.686 L 561.183,209.741 L 563.703,207.847 L 566.157,205.749 L 568.442,203.549 L 570.593,201.297 L 572.643,198.943 L 574.526,196.486 L 576.24,193.927 L 577.853,191.369 L 579.231,188.707 L 580.508,185.944 L 581.651,183.18 L 582.558,180.366 L 583.365,177.5 L 583.97,174.634 L 584.407,171.717 L 584.642,168.8 L 584.709,165.832z"/>
-    <path style="fill: #b6c7c9" d="M 478.94 196.23 L 478.872,193.313 L 478.637,190.396 L 478.368,187.53 L 477.898,184.613 L 477.293,181.747 L 476.553,178.933 L 475.679,176.169 L 474.738,173.457 L 473.663,170.745 L 472.453,168.186 L 471.142,165.627 L 469.697,163.222 L 468.084,160.816 L 466.437,158.565 L 464.689,156.364 L 462.807,154.317 L 460.925,152.321 L 458.841,150.479 L 456.757,148.739 L 454.539,147.203 L 452.321,145.617 L 450.002,144.235 L 447.582,143.058 L 445.162,141.983 L 442.675,141.011 L 440.154,140.192 L 437.6,139.527 L 435.012,139.066 L 432.457,138.657 L 429.836,138.401 L 427.214,138.35 L 427.214,138.35 L 424.593,138.401 L 421.971,138.657 L 419.349,139.066 L 416.795,139.527 L 414.207,140.192 L 411.686,141.011 L 409.233,141.983 L 406.813,143.058 L 404.427,144.235 L 402.108,145.617 L 399.822,147.203 L 397.671,148.739 L 395.52,150.479 L 393.504,152.321 L 391.588,154.317 L 389.706,156.364 L 387.958,158.565 L 386.277,160.816 L 384.698,163.222 L 383.286,165.627 L 381.942,168.186 L 380.765,170.745 L 379.656,173.457 L 378.682,176.169 L 377.841,178.933 L 377.102,181.747 L 376.497,184.613 L 376.06,187.53 L 375.724,190.396 L 375.522,193.313 L 375.455,196.23 L 375.455,196.23 L 375.522,199.199 L 375.724,202.116 L 376.06,205.033 L 376.497,207.899 L 377.102,210.764 L 377.841,213.579 L 378.682,216.343 L 379.656,219.055 L 380.765,221.767 L 381.942,224.326 L 383.286,226.885 L 384.698,229.29 L 386.277,231.696 L 387.958,233.947 L 389.706,236.148 L 391.588,238.195 L 393.504,240.14 L 395.52,241.982 L 397.671,243.824 L 399.822,245.411 L 402.108,246.844 L 404.427,248.277 L 406.813,249.454 L 409.233,250.528 L 411.686,251.501 L 414.207,252.268 L 416.795,252.934 L 419.349,253.446 L 421.971,253.906 L 424.593,254.06 L 427.214,254.111 L 427.214,254.111 L 429.836,254.06 L 432.457,253.906 L 435.012,253.446 L 437.6,252.934 L 440.154,252.268 L 442.675,251.501 L 445.162,250.528 L 447.582,249.454 L 450.002,248.277 L 452.321,246.844 L 454.539,245.411 L 456.757,243.824 L 458.841,241.982 L 460.925,240.14 L 462.807,238.195 L 464.689,236.148 L 466.437,233.947 L 468.084,231.696 L 469.697,229.29 L 471.142,226.885 L 472.453,224.326 L 473.663,221.767 L 474.738,219.055 L 475.679,216.343 L 476.553,213.579 L 477.293,210.764 L 477.898,207.899 L 478.368,205.033 L 478.637,202.116 L 478.872,199.199 L 478.94,196.23z"/>
-    <path style="fill: #b6c7c9" d="M 413.703 255.339 L 413.669,252.934 L 413.569,250.528 L 413.333,248.123 L 413.031,245.769 L 412.594,243.517 L 412.09,241.163 L 411.552,238.86 L 410.913,236.66 L 410.174,234.459 L 409.334,232.361 L 408.426,230.365 L 407.452,228.318 L 406.41,226.373 L 405.301,224.48 L 404.091,222.74 L 402.847,221.102 L 401.57,219.413 L 400.225,217.929 L 398.78,216.496 L 397.301,215.166 L 395.789,213.989 L 394.209,212.863 L 392.63,211.89 L 390.983,211.02 L 389.302,210.202 L 387.622,209.587 L 385.908,208.973 L 384.126,208.615 L 382.379,208.308 L 380.665,208.154 L 378.883,208.052 L 378.883,208.052 L 377.102,208.154 L 375.321,208.308 L 373.573,208.615 L 371.859,208.973 L 370.111,209.587 L 368.397,210.202 L 366.75,211.02 L 365.137,211.89 L 363.49,212.863 L 361.91,213.989 L 360.398,215.166 L 358.919,216.496 L 357.508,217.929 L 356.13,219.413 L 354.852,221.102 L 353.609,222.74 L 352.432,224.48 L 351.29,226.373 L 350.248,228.318 L 349.273,230.365 L 348.366,232.361 L 347.593,234.459 L 346.853,236.66 L 346.215,238.86 L 345.61,241.163 L 345.106,243.517 L 344.736,245.769 L 344.433,248.123 L 344.164,250.528 L 344.03,252.934 L 344.03,255.339 L 344.03,255.339 L 344.03,257.642 L 344.164,260.047 L 344.433,262.401 L 344.736,264.756 L 345.106,267.161 L 345.61,269.413 L 346.215,271.664 L 346.853,273.916 L 347.593,276.117 L 348.366,278.215 L 349.273,280.262 L 350.248,282.258 L 351.29,284.203 L 352.432,286.045 L 353.609,287.785 L 354.852,289.474 L 356.13,291.163 L 357.508,292.595 L 358.919,294.028 L 360.398,295.359 L 361.91,296.587 L 363.49,297.713 L 365.137,298.685 L 366.75,299.555 L 368.397,300.323 L 370.111,300.988 L 371.859,301.551 L 373.573,302.012 L 375.321,302.268 L 377.102,302.421 L 378.883,302.524 L 378.883,302.524 L 380.665,302.421 L 382.379,302.268 L 384.126,302.012 L 385.908,301.551 L 387.622,300.988 L 389.302,300.323 L 390.983,299.555 L 392.63,298.685 L 394.209,297.713 L 395.789,296.587 L 397.301,295.359 L 398.78,294.028 L 400.225,292.595 L 401.57,291.163 L 402.847,289.474 L 404.091,287.785 L 405.301,286.045 L 406.41,284.203 L 407.452,282.258 L 408.426,280.262 L 409.334,278.215 L 410.174,276.117 L 410.913,273.916 L 411.552,271.664 L 412.09,269.413 L 412.594,267.161 L 413.031,264.756 L 413.333,262.401 L 413.569,260.047 L 413.669,257.642 L 413.703,255.339z"/>
-    <path style="fill: #b6c7c9" d="M 469.966 300.835 L 469.932,298.225 L 469.697,295.666 L 469.327,293.056 L 468.89,290.497 L 468.285,287.99 L 467.579,285.482 L 466.672,283.025 L 465.731,280.62 L 464.588,278.368 L 463.378,276.014 L 462,273.763 L 460.555,271.664 L 459.009,269.566 L 457.328,267.468 L 455.547,265.574 L 453.665,263.732 L 451.682,262.043 L 449.598,260.354 L 447.481,258.87 L 445.263,257.386 L 442.943,256.107 L 440.591,254.878 L 438.171,253.804 L 435.717,252.831 L 433.197,252.013 L 430.609,251.347 L 428.054,250.733 L 425.433,250.221 L 422.811,249.914 L 420.156,249.71 L 417.467,249.658 L 417.467,249.658 L 414.812,249.71 L 412.191,249.914 L 409.502,250.221 L 406.914,250.733 L 404.292,251.347 L 401.772,252.013 L 399.251,252.831 L 396.764,253.804 L 394.344,254.878 L 392.025,256.107 L 389.706,257.386 L 387.487,258.87 L 385.336,260.354 L 383.286,262.043 L 381.303,263.732 L 379.421,265.574 L 377.64,267.468 L 375.959,269.566 L 374.38,271.664 L 372.934,273.763 L 371.556,276.014 L 370.313,278.368 L 369.237,280.62 L 368.263,283.025 L 367.355,285.482 L 366.616,287.99 L 366.078,290.497 L 365.574,293.056 L 365.238,295.666 L 365.036,298.225 L 364.969,300.835 L 364.969,300.835 L 365.036,303.394 L 365.238,306.004 L 365.574,308.562 L 366.078,311.121 L 366.616,313.629 L 367.355,316.137 L 368.263,318.644 L 369.237,321.05 L 370.313,323.352 L 371.556,325.604 L 372.934,327.856 L 374.38,330.005 L 375.959,332.155 L 377.64,334.202 L 379.421,336.095 L 381.303,337.887 L 383.286,339.627 L 385.336,341.264 L 387.487,342.799 L 389.706,344.284 L 392.025,345.563 L 394.344,346.791 L 396.764,347.815 L 399.251,348.787 L 401.772,349.606 L 404.292,350.322 L 406.914,350.988 L 409.502,351.448 L 412.191,351.755 L 414.812,351.96 L 417.467,351.96 L 417.467,351.96 L 420.156,351.96 L 422.811,351.755 L 425.433,351.448 L 428.054,350.988 L 430.609,350.322 L 433.197,349.606 L 435.717,348.787 L 438.171,347.815 L 440.591,346.791 L 442.943,345.563 L 445.263,344.284 L 447.481,342.799 L 449.598,341.264 L 451.682,339.627 L 453.665,337.887 L 455.547,336.095 L 457.328,334.202 L 459.009,332.155 L 460.555,330.005 L 462,327.856 L 463.378,325.604 L 464.588,323.352 L 465.731,321.05 L 466.672,318.644 L 467.579,316.137 L 468.285,313.629 L 468.89,311.121 L 469.327,308.562 L 469.697,306.004 L 469.932,303.394 L 469.966,300.835z"/>
-    <path style="fill: #b6c7c9" d="M 595.969 327.293 L 595.834,324.171 L 595.565,321.05 L 595.028,318.03 L 594.322,315.011 L 593.448,311.991 L 592.372,309.074 L 591.095,306.208 L 589.616,303.291 L 587.936,300.477 L 586.121,297.764 L 584.071,295.154 L 581.92,292.595 L 579.567,290.088 L 577.08,287.683 L 574.358,285.38 L 571.602,283.23 L 568.644,281.132 L 565.552,279.187 L 562.392,277.396 L 559.032,275.707 L 555.637,274.121 L 552.108,272.739 L 548.512,271.408 L 544.781,270.283 L 541.05,269.259 L 537.219,268.44 L 533.387,267.724 L 529.421,267.212 L 525.556,266.854 L 521.557,266.547 L 517.591,266.547 L 517.591,266.547 L 513.625,266.547 L 509.659,266.854 L 505.726,267.212 L 501.828,267.724 L 497.929,268.44 L 494.131,269.259 L 490.367,270.283 L 486.703,271.408 L 483.04,272.739 L 479.578,274.121 L 476.116,275.707 L 472.823,277.396 L 469.63,279.187 L 466.571,281.132 L 463.613,283.23 L 460.79,285.38 L 458.135,287.683 L 455.648,290.088 L 453.262,292.595 L 451.077,295.154 L 449.06,297.764 L 447.279,300.477 L 445.599,303.291 L 444.12,306.208 L 442.843,309.074 L 441.734,311.991 L 440.86,315.011 L 440.12,318.03 L 439.616,321.05 L 439.314,324.171 L 439.213,327.293 L 439.213,327.293 L 439.314,330.261 L 439.616,333.383 L 440.12,336.402 L 440.86,339.473 L 441.734,342.492 L 442.843,345.409 L 444.12,348.275 L 445.599,351.192 L 447.279,354.007 L 449.06,356.719 L 451.077,359.329 L 453.262,361.991 L 455.648,364.396 L 458.135,366.801 L 460.79,369.053 L 463.613,371.305 L 466.571,373.352 L 469.63,375.296 L 472.823,377.088 L 476.116,378.828 L 479.578,380.312 L 483.04,381.745 L 486.703,383.024 L 490.367,384.15 L 494.131,385.225 L 497.929,385.992 L 501.828,386.709 L 505.726,387.272 L 509.659,387.63 L 513.625,387.937 L 517.591,387.937 L 517.591,387.937 L 521.557,387.937 L 525.556,387.63 L 529.421,387.272 L 533.387,386.709 L 537.219,385.992 L 541.05,385.225 L 544.781,384.15 L 548.512,383.024 L 552.108,381.745 L 555.637,380.312 L 559.032,378.828 L 562.392,377.088 L 565.552,375.296 L 568.644,373.352 L 571.602,371.305 L 574.358,369.053 L 577.08,366.801 L 579.567,364.396 L 581.92,361.991 L 584.071,359.329 L 586.121,356.719 L 587.936,354.007 L 589.616,351.192 L 591.095,348.275 L 592.372,345.409 L 593.448,342.492 L 594.322,339.473 L 595.028,336.402 L 595.565,333.383 L 595.834,330.261 L 595.969,327.293z"/>
-    <path style="fill: #b6c7c9" d="M 639.46 187.223 L 639.426,184.972 L 639.224,182.617 L 638.855,180.315 L 638.451,178.063 L 637.846,175.862 L 637.174,173.61 L 636.334,171.41 L 635.359,169.26 L 634.317,167.213 L 633.175,165.115 L 631.864,163.119 L 630.452,161.175 L 628.973,159.383 L 627.327,157.541 L 625.646,155.852 L 623.797,154.266 L 621.915,152.628 L 619.966,151.195 L 617.882,149.865 L 615.765,148.585 L 613.614,147.408 L 611.328,146.333 L 609.009,145.361 L 606.657,144.491 L 604.237,143.723 L 601.817,143.212 L 599.33,142.598 L 596.842,142.188 L 594.288,141.932 L 591.767,141.779 L 589.213,141.676 L 589.213,141.676 L 586.625,141.779 L 584.104,141.932 L 581.55,142.188 L 579.063,142.598 L 576.609,143.212 L 574.156,143.723 L 571.77,144.491 L 569.383,145.361 L 567.064,146.333 L 564.779,147.408 L 562.594,148.585 L 560.51,149.865 L 558.427,151.195 L 556.477,152.628 L 554.595,154.266 L 552.78,155.852 L 551.066,157.541 L 549.419,159.383 L 547.94,161.175 L 546.562,163.119 L 545.218,165.115 L 544.075,167.213 L 543.033,169.26 L 542.059,171.41 L 541.218,173.61 L 540.546,175.862 L 539.975,178.063 L 539.504,180.315 L 539.202,182.617 L 539.034,184.972 L 538.933,187.223 L 538.933,187.223 L 539.034,189.526 L 539.202,191.829 L 539.504,194.081 L 539.975,196.384 L 540.546,198.636 L 541.218,200.836 L 542.059,203.037 L 543.033,205.186 L 544.075,207.336 L 545.218,209.332 L 546.562,211.276 L 547.94,213.272 L 549.419,215.114 L 551.066,216.854 L 552.78,218.594 L 554.595,220.232 L 556.477,221.767 L 558.427,223.2 L 560.51,224.633 L 562.594,225.913 L 564.779,227.039 L 567.064,228.164 L 569.383,229.086 L 571.77,229.904 L 574.156,230.723 L 576.609,231.337 L 579.063,231.849 L 581.55,232.31 L 584.104,232.514 L 586.625,232.77 L 589.213,232.77 L 589.213,232.77 L 591.767,232.77 L 594.288,232.514 L 596.842,232.31 L 599.33,231.849 L 601.817,231.337 L 604.237,230.723 L 606.657,229.904 L 609.009,229.086 L 611.328,228.164 L 613.614,227.039 L 615.765,225.913 L 617.882,224.633 L 619.966,223.2 L 621.915,221.767 L 623.797,220.232 L 625.646,218.594 L 627.327,216.854 L 628.973,215.114 L 630.452,213.272 L 631.864,211.276 L 633.175,209.332 L 634.317,207.336 L 635.359,205.186 L 636.334,203.037 L 637.174,200.836 L 637.846,198.636 L 638.451,196.384 L 638.855,194.081 L 639.224,191.829 L 639.426,189.526 L 639.46,187.223z"/>
-    <path style="fill: #b6c7c9" d="M 653.71 245.718 L 653.609,243.415 L 653.475,241.112 L 653.139,238.86 L 652.702,236.609 L 652.097,234.306 L 651.425,232.156 L 650.618,229.904 L 649.643,227.806 L 648.601,225.657 L 647.459,223.661 L 646.148,221.614 L 644.736,219.72 L 643.291,217.929 L 641.644,216.036 L 639.964,214.398 L 638.216,212.709 L 636.334,211.174 L 634.317,209.741 L 632.334,208.359 L 630.217,207.08 L 628.066,205.903 L 625.814,204.828 L 623.529,203.907 L 621.176,203.037 L 618.756,202.269 L 616.336,201.655 L 613.883,201.143 L 611.362,200.683 L 608.875,200.478 L 606.354,200.324 L 603.833,200.222 L 603.833,200.222 L 601.279,200.324 L 598.792,200.478 L 596.271,200.683 L 593.818,201.143 L 591.364,201.655 L 588.911,202.269 L 586.524,203.037 L 584.205,203.907 L 581.886,204.828 L 579.634,205.903 L 577.483,207.08 L 575.366,208.359 L 573.316,209.741 L 571.4,211.174 L 569.518,212.709 L 567.669,214.398 L 565.989,216.036 L 564.409,217.929 L 562.964,219.72 L 561.552,221.614 L 560.275,223.661 L 559.065,225.657 L 558.023,227.806 L 557.116,229.904 L 556.276,232.156 L 555.536,234.306 L 554.998,236.609 L 554.561,238.86 L 554.225,241.112 L 554.024,243.415 L 553.99,245.718 L 553.99,245.718 L 554.024,248.021 L 554.225,250.375 L 554.561,252.627 L 554.998,254.878 L 555.536,257.13 L 556.276,259.331 L 557.116,261.583 L 558.023,263.681 L 559.065,265.728 L 560.275,267.826 L 561.552,269.771 L 562.964,271.716 L 564.409,273.558 L 565.989,275.349 L 567.669,277.089 L 569.518,278.675 L 571.4,280.262 L 573.316,281.695 L 575.366,283.025 L 577.483,284.305 L 579.634,285.482 L 581.886,286.557 L 584.205,287.529 L 586.524,288.45 L 588.911,289.218 L 591.364,289.73 L 593.818,290.344 L 596.271,290.702 L 598.792,291.009 L 601.279,291.163 L 603.833,291.214 L 603.833,291.214 L 606.354,291.163 L 608.875,291.009 L 611.362,290.702 L 613.883,290.344 L 616.336,289.73 L 618.756,289.218 L 621.176,288.45 L 623.529,287.529 L 625.814,286.557 L 628.066,285.482 L 630.217,284.305 L 632.334,283.025 L 634.317,281.695 L 636.334,280.262 L 638.216,278.675 L 639.964,277.089 L 641.644,275.349 L 643.291,273.558 L 644.736,271.716 L 646.148,269.771 L 647.459,267.826 L 648.601,265.728 L 649.643,263.681 L 650.618,261.583 L 651.425,259.331 L 652.097,257.13 L 652.702,254.878 L 653.139,252.627 L 653.475,250.375 L 653.609,248.021 L 653.71,245.718z"/>
-    <path style="fill: #b6c7c9" d="M 643.963 294.08 L 643.896,290.344 L 643.694,286.505 L 643.426,282.821 L 642.989,279.034 L 642.417,275.349 L 641.711,271.716 L 640.905,268.133 L 639.93,264.602 L 638.888,261.173 L 637.779,257.796 L 636.502,254.52 L 635.09,251.398 L 633.612,248.328 L 631.998,245.411 L 630.318,242.596 L 628.57,239.884 L 626.688,237.325 L 624.772,235.022 L 622.722,232.77 L 620.638,230.723 L 618.487,228.779 L 616.303,227.039 L 614.017,225.401 L 611.698,223.968 L 609.278,222.74 L 606.892,221.767 L 604.405,220.846 L 601.951,220.181 L 599.498,219.72 L 597.011,219.413 L 594.49,219.362 L 594.49,219.362 L 591.969,219.413 L 589.482,219.72 L 586.961,220.181 L 584.508,220.846 L 582.088,221.767 L 579.634,222.74 L 577.282,223.968 L 574.963,225.401 L 572.677,227.039 L 570.425,228.779 L 568.274,230.723 L 566.19,232.77 L 564.207,235.022 L 562.224,237.325 L 560.376,239.884 L 558.595,242.596 L 556.914,245.411 L 555.334,248.328 L 553.822,251.398 L 552.478,254.52 L 551.2,257.796 L 550.024,261.173 L 548.982,264.602 L 548.075,268.133 L 547.268,271.716 L 546.562,275.349 L 545.991,279.034 L 545.554,282.821 L 545.218,286.505 L 545.016,290.344 L 544.949,294.08 L 544.949,294.08 L 545.016,297.867 L 545.218,301.705 L 545.554,305.39 L 545.991,309.125 L 546.562,312.912 L 547.268,316.495 L 548.075,320.026 L 548.982,323.608 L 550.024,326.986 L 551.2,330.364 L 552.478,333.69 L 553.822,336.812 L 555.334,339.831 L 556.914,342.799 L 558.595,345.614 L 560.376,348.275 L 562.224,350.834 L 564.207,353.239 L 566.19,355.44 L 568.274,357.538 L 570.425,359.432 L 572.677,361.223 L 574.963,362.809 L 577.282,364.242 L 579.634,365.419 L 582.088,366.494 L 584.508,367.313 L 586.961,367.978 L 589.482,368.439 L 591.969,368.746 L 594.49,368.899 L 594.49,368.899 L 597.011,368.746 L 599.498,368.439 L 601.951,367.978 L 604.405,367.313 L 606.892,366.494 L 609.278,365.419 L 611.698,364.242 L 614.017,362.809 L 616.303,361.223 L 618.487,359.432 L 620.638,357.538 L 622.722,355.44 L 624.772,353.239 L 626.688,350.834 L 628.57,348.275 L 630.318,345.614 L 631.998,342.799 L 633.612,339.831 L 635.09,336.812 L 636.502,333.69 L 637.779,330.364 L 638.888,326.986 L 639.93,323.608 L 640.905,320.026 L 641.711,316.495 L 642.417,312.912 L 642.989,309.125 L 643.426,305.39 L 643.694,301.705 L 643.896,297.867 L 643.963,294.08z"/>
-    <path style="fill: #b6c7c9" d="M 601.212 249.096 L 601.077,245.257 L 600.674,241.573 L 600.035,237.734 L 599.162,234.05 L 598.019,230.365 L 596.607,226.68 L 594.96,223.098 L 593.045,219.567 L 590.961,216.138 L 588.608,212.812 L 585.987,209.485 L 583.197,206.312 L 580.172,203.344 L 576.946,200.376 L 573.517,197.51 L 569.955,194.849 L 566.157,192.341 L 562.191,189.936 L 558.124,187.684 L 553.856,185.586 L 549.453,183.692 L 544.949,181.901 L 540.345,180.315 L 535.639,178.933 L 530.799,177.756 L 525.892,176.681 L 520.952,175.862 L 515.944,175.197 L 510.902,174.634 L 505.827,174.378 L 500.685,174.276 L 500.685,174.276 L 495.61,174.378 L 490.535,174.634 L 485.493,175.197 L 480.452,175.862 L 475.511,176.681 L 470.604,177.756 L 465.798,178.933 L 461.093,180.315 L 456.421,181.901 L 451.984,183.692 L 447.582,185.586 L 443.28,187.684 L 439.179,189.936 L 435.28,192.341 L 431.449,194.849 L 427.853,197.51 L 424.492,200.376 L 421.232,203.344 L 418.207,206.312 L 415.451,209.485 L 412.829,212.812 L 410.51,216.138 L 408.393,219.567 L 406.443,223.098 L 404.83,226.68 L 403.452,230.365 L 402.242,234.05 L 401.368,237.734 L 400.73,241.573 L 400.326,245.257 L 400.225,249.096 L 400.225,249.096 L 400.326,252.831 L 400.73,256.618 L 401.368,260.354 L 402.242,264.141 L 403.452,267.826 L 404.83,271.46 L 406.443,274.991 L 408.393,278.573 L 410.51,282.053 L 412.829,285.38 L 415.451,288.604 L 418.207,291.777 L 421.232,294.847 L 424.492,297.764 L 427.853,300.579 L 431.449,303.291 L 435.28,305.85 L 439.179,308.255 L 443.28,310.507 L 447.582,312.503 L 451.984,314.499 L 456.421,316.188 L 461.093,317.774 L 465.798,319.207 L 470.604,320.435 L 475.511,321.459 L 480.452,322.329 L 485.493,322.994 L 490.535,323.455 L 495.61,323.813 L 500.685,323.864 L 500.685,323.864 L 505.827,323.813 L 510.902,323.455 L 515.944,322.994 L 520.952,322.329 L 525.892,321.459 L 530.799,320.435 L 535.639,319.207 L 540.345,317.774 L 544.949,316.188 L 549.453,314.499 L 553.856,312.503 L 558.124,310.507 L 562.191,308.255 L 566.157,305.85 L 569.955,303.291 L 573.517,300.579 L 576.946,297.764 L 580.172,294.847 L 583.197,291.777 L 585.987,288.604 L 588.608,285.38 L 590.961,282.053 L 593.045,278.573 L 594.96,274.991 L 596.607,271.46 L 598.019,267.826 L 599.162,264.141 L 600.035,260.354 L 600.674,256.618 L 601.077,252.831 L 601.212,249.096z"/>
-    <path style="fill: #b6c7c9" d="M 517.994 165.32 L 584.508,152.423 L 583.667,149.609 L 582.626,146.743 L 581.483,143.928 L 580.105,141.216 L 578.626,138.606 L 576.946,135.945 L 575.198,133.437 L 573.181,131.032 L 571.131,128.678 L 568.913,126.426 L 566.526,124.276 L 564.039,122.281 L 561.418,120.336 L 558.695,118.442 L 555.872,116.753 L 552.948,115.218 L 549.99,113.683 L 546.865,112.403 L 543.705,111.226 L 540.513,110.152 L 537.185,109.231 L 533.858,108.514 L 530.497,107.849 L 527.102,107.388 L 523.674,107.081 L 520.212,106.928 L 516.784,106.928 L 513.322,107.081 L 509.86,107.286 L 506.499,107.695 L 503.105,108.361 L 499.744,109.026 L 496.417,109.947 L 493.156,110.919 L 489.997,112.045 L 486.905,113.325 L 483.847,114.758 L 480.889,116.242 L 478.099,117.931 L 475.343,119.722 L 472.688,121.615 L 470.167,123.611 L 467.781,125.761 L 465.529,128.012 L 463.378,130.315 L 461.362,132.72 L 459.479,135.228 L 457.765,137.787 L 456.287,140.499 L 454.841,143.109 L 453.598,145.924 L 452.556,148.688 L 451.682,151.553 L 450.943,154.419 L 517.994,165.32z"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #6c8f93" d="M 584.508 152.321 L 583.634,149.455 L 582.626,146.64 L 581.449,143.826 L 580.105,141.165 L 578.559,138.503 L 576.912,135.893 L 575.131,133.386 L 573.114,130.98 L 571.03,128.678 L 568.879,126.426 L 566.459,124.174 L 564.039,122.178 L 561.384,120.233 L 558.662,118.442 L 555.872,116.651 L 552.948,115.116 L 549.957,113.683 L 546.831,112.352 L 543.672,111.226 L 540.513,110.152 L 537.185,109.231 L 533.824,108.514 L 530.463,107.849 L 527.069,107.388 L 523.674,107.081 L 520.179,106.928 L 516.75,106.928 L 513.322,107.081 L 509.894,107.286 L 506.466,107.695 L 503.105,108.361 L 499.744,108.975 L 496.45,109.845 L 493.224,110.919 L 489.997,112.045 L 486.939,113.325 L 483.88,114.758 L 480.956,116.242 L 478.099,117.879 L 475.377,119.722 L 472.722,121.615 L 470.201,123.56 L 467.815,125.709 L 465.529,127.91 L 463.378,130.264 L 461.362,132.669 L 459.547,135.126 L 457.799,137.787 L 456.287,140.346 L 454.875,143.058 L 453.665,145.77 L 452.556,148.585 L 451.682,151.451 L 450.976,154.317"/>
-    <path style="fill: #b6c7c9" d="M 427.55 195.667 L 461.093,150.888 L 459.009,149.046 L 456.824,147.306 L 454.606,145.77 L 452.321,144.235 L 450.002,142.905 L 447.582,141.676 L 445.094,140.653 L 442.641,139.68 L 440.053,138.913 L 437.499,138.248 L 434.877,137.787 L 432.256,137.429 L 429.634,137.224 L 427.012,137.224 L 424.357,137.326 L 421.736,137.633 L 419.114,137.992 L 416.526,138.555 L 413.972,139.271 L 411.451,140.09 L 408.93,141.062 L 406.511,142.188 L 404.091,143.468 L 401.772,144.849 L 399.52,146.385 L 397.369,148.073 L 395.218,149.865 L 393.201,151.707 L 391.285,153.754 L 389.403,155.852 L 387.655,158.104 L 386.042,160.356 L 384.496,162.812 L 383.085,165.269 L 381.74,167.827 L 380.564,170.489 L 379.455,173.201 L 378.514,175.913 L 377.673,178.728 L 377.001,181.594 L 376.463,184.46 L 375.993,187.428 L 375.657,190.396 L 375.522,193.313 L 375.455,196.23 L 375.556,199.199 L 375.758,202.218 L 376.161,205.084 L 427.55,195.667z"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #6c8f93" d="M 460.925 150.735 L 458.841,148.892 L 456.723,147.203 L 454.505,145.617 L 452.186,144.184 L 449.8,142.802 L 447.414,141.625 L 444.96,140.55 L 442.439,139.629 L 439.919,138.913 L 437.297,138.248 L 434.709,137.787 L 432.121,137.429 L 429.5,137.224 L 426.811,137.224 L 424.256,137.326 L 421.635,137.633 L 418.946,137.992 L 416.392,138.606 L 413.871,139.271 L 411.283,140.192 L 408.83,141.113 L 406.41,142.29 L 404.023,143.57 L 401.671,144.952 L 399.419,146.487 L 397.268,148.176 L 395.184,149.916 L 393.167,151.86 L 391.184,153.805 L 389.403,156.006 L 387.622,158.155 L 385.975,160.509 L 384.463,162.863 L 383.017,165.32 L 381.74,167.93 L 380.564,170.591 L 379.455,173.303 L 378.48,176.016 L 377.673,178.882 L 377.001,181.645 L 376.396,184.562 L 375.993,187.53 L 375.657,190.447 L 375.522,193.364 L 375.455,196.333 L 375.623,199.25 L 375.825,202.218 L 376.161,205.186"/>
-    <path style="fill: #b6c7c9" d="M 418.207 300.272 L 364.229,298.685 L 364.229,301.398 L 364.33,303.957 L 364.599,306.669 L 365.036,309.228 L 365.54,311.838 L 366.179,314.499 L 367.019,316.955 L 367.893,319.463 L 369.002,321.92 L 370.178,324.274 L 371.422,326.679 L 372.901,328.931 L 374.38,331.131 L 376.06,333.23 L 377.774,335.277 L 379.623,337.221 L 381.606,339.012 L 383.622,340.752 L 385.74,342.492 L 387.958,343.977 L 390.243,345.409 L 392.63,346.791 L 395.05,347.917 L 397.469,349.043 L 400.024,350.015 L 402.612,350.834 L 405.233,351.499 L 407.889,352.114 L 410.544,352.574 L 413.232,352.881 L 415.955,353.035 L 418.711,353.035 L 421.366,352.932 L 424.088,352.728 L 426.777,352.421 L 429.432,351.96 L 432.121,351.295 L 434.675,350.527 L 437.297,349.708 L 439.751,348.634 L 442.238,347.61 L 444.658,346.331 L 446.943,344.949 L 449.262,343.465 L 451.38,341.878 L 453.497,340.241 L 418.207,300.272z"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #6c8f93" d="M 364.297 298.685 L 364.196,301.295 L 364.398,303.957 L 364.599,306.567 L 365.036,309.228 L 365.54,311.787 L 366.212,314.397 L 367.019,316.955 L 367.96,319.463 L 369.002,321.868 L 370.111,324.274 L 371.422,326.577 L 372.8,328.88 L 374.38,331.029 L 375.993,333.23 L 377.741,335.174 L 379.555,337.119 L 381.505,339.012 L 383.521,340.752 L 385.639,342.39 L 387.857,343.925 L 390.143,345.358 L 392.462,346.689 L 394.882,347.917 L 397.402,349.043 L 399.889,349.913 L 402.444,350.732 L 405.065,351.499 L 407.754,352.011 L 410.409,352.574 L 413.064,352.779 L 415.787,353.035 L 418.509,353.035 L 421.198,353.035 L 423.887,352.779 L 426.576,352.421 L 429.231,351.96 L 431.919,351.346 L 434.474,350.629 L 437.095,349.759 L 439.582,348.736 L 442.002,347.61 L 444.422,346.382 L 446.741,345.051 L 449.06,343.618 L 451.245,342.032 L 453.295,340.394"/>
-    <path style="fill: #b6c7c9" d="M 589.952 186.149 L 637.443,200.939 L 638.25,198.738 L 638.855,196.537 L 639.426,194.286 L 639.762,191.983 L 640.098,189.68 L 640.165,187.377 L 640.165,185.023 L 640.098,182.771 L 639.829,180.468 L 639.46,178.165 L 638.922,175.913 L 638.283,173.662 L 637.544,171.512 L 636.67,169.312 L 635.662,167.213 L 634.519,165.115 L 633.242,163.068 L 631.931,161.123 L 630.486,159.23 L 628.94,157.439 L 627.293,155.596 L 625.478,153.959 L 623.663,152.372 L 621.68,150.888 L 619.697,149.455 L 617.613,148.176 L 615.462,146.896 L 613.21,145.77 L 610.925,144.747 L 608.572,143.826 L 606.152,143.058 L 603.766,142.393 L 601.245,141.779 L 598.758,141.318 L 596.238,140.96 L 593.683,140.806 L 591.162,140.653 L 588.642,140.653 L 586.087,140.806 L 583.533,141.011 L 581.046,141.369 L 578.525,141.83 L 576.038,142.393 L 573.585,143.109 L 589.952,186.149z"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #6c8f93" d="M 633.074 209.28 L 637.409,201.041 L 638.216,198.892 L 638.855,196.64 L 639.359,194.388 L 639.762,192.085 L 640.031,189.782 L 640.132,187.53 L 640.165,185.125 L 640.065,182.873 L 639.829,180.57 L 639.46,178.267 L 638.922,176.016 L 638.283,173.764 L 637.577,171.563 L 636.704,169.465 L 635.662,167.265 L 634.519,165.166 L 633.343,163.119 L 631.965,161.175 L 630.519,159.281 L 628.973,157.439 L 627.327,155.699 L 625.579,154.061 L 623.73,152.423 L 621.815,150.888 L 619.764,149.506 L 617.681,148.176 L 615.529,146.948 L 613.278,145.924 L 610.992,144.849 L 608.673,143.877 L 606.287,143.058 L 603.833,142.393 L 601.413,141.779 L 598.926,141.318 L 596.406,141.011 L 593.851,140.806 L 591.297,140.653 L 588.709,140.653 L 586.188,140.806 L 583.634,141.011 L 581.113,141.318 L 578.626,141.779 L 576.172,142.342 L 573.719,143.058"/>
-    <path style="fill: #b6c7c9" d="M 596.708 246.281 L 650.181,265.011 L 651.257,262.555 L 652.131,260.15 L 652.937,257.591 L 653.576,255.032 L 654.013,252.473 L 654.315,249.914 L 654.416,247.253 L 654.416,244.643 L 654.214,242.033 L 653.912,239.474 L 653.374,236.864 L 652.735,234.357 L 651.895,231.849 L 650.988,229.341 L 649.845,226.936 L 648.568,224.633 L 647.19,222.279 L 645.61,219.976 L 643.93,217.827 L 596.708,246.281z"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #6c8f93" d="M 643.392 273.507 L 650.114,265.114 L 651.122,262.708 L 652.131,260.15 L 652.904,257.642 L 653.542,255.032 L 653.979,252.473 L 654.315,249.914 L 654.45,247.253 L 654.416,244.643 L 654.214,241.982 L 653.845,239.423 L 653.374,236.864 L 652.735,234.306 L 651.895,231.747 L 650.954,229.239 L 649.778,226.783 L 648.534,224.48 L 647.055,222.126 L 645.543,219.874 L 643.829,217.724 L 633.074,209.28"/>
-    <path style="fill: #b6c7c9" d="M 594.456 295.717 L 577.584,366.801 L 580.071,367.927 L 582.592,368.951 L 585.113,369.718 L 587.734,370.332 L 590.289,370.793 L 592.843,370.998 L 595.498,370.998 L 598.086,370.793 L 600.64,370.486 L 603.228,369.872 L 605.749,369.104 L 608.27,368.234 L 610.757,367.108 L 613.21,365.727 L 615.563,364.242 L 617.916,362.554 L 620.201,360.711 L 622.419,358.664 L 624.571,356.566 L 626.621,354.161 L 628.57,351.653 L 630.452,349.043 L 632.267,346.228 L 633.981,343.311 L 635.527,340.292 L 637.006,337.119 L 638.418,333.895 L 639.661,330.517 L 640.77,327.14 L 641.812,323.608 L 642.686,319.975 L 643.493,316.29 L 644.131,312.605 L 644.669,308.818 L 645.005,305.083 L 645.308,301.244 L 645.375,297.406 L 645.375,293.568 L 645.241,289.73 L 644.972,285.891 L 644.568,282.104 L 644.064,278.368 L 643.392,274.684 L 594.456,295.717z"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #6c8f93" d="M 577.719 366.852 L 580.239,368.081 L 582.726,369.053 L 585.281,369.872 L 587.835,370.384 L 590.457,370.793 L 593.011,370.998 L 595.599,371.1 L 598.187,370.793 L 600.808,370.486 L 603.363,369.872 L 605.883,369.104 L 608.404,368.132 L 610.891,367.006 L 613.311,365.675 L 615.731,364.14 L 618.05,362.502 L 620.302,360.711 L 622.487,358.664 L 624.638,356.412 L 626.688,354.058 L 628.637,351.499 L 630.519,348.889 L 632.334,346.177 L 634.015,343.209 L 635.628,340.138 L 637.04,337.068 L 638.451,333.741 L 639.695,330.364 L 640.804,326.986 L 641.812,323.455 L 642.72,319.77 L 643.526,316.137 L 644.131,312.401 L 644.669,308.665 L 645.072,304.929 L 645.308,301.091 L 645.375,297.253 L 645.375,293.414 L 645.207,289.576 L 644.972,285.738 L 644.535,281.951 L 643.963,278.215 L 643.392,274.53"/>
-    <path style="fill: #b6c7c9" d="M 380.698 255.339 L 378.144,207.08 L 376.262,207.336 L 374.48,207.643 L 372.598,208.154 L 370.783,208.769 L 369.002,209.485 L 367.254,210.406 L 365.54,211.276 L 363.86,212.453 L 362.179,213.579 L 360.6,214.859 L 359.054,216.292 L 357.575,217.776 L 356.13,219.362 L 354.819,221.102 L 353.508,222.842 L 352.298,224.684 L 351.155,226.629 L 350.113,228.676 L 349.071,230.723 L 348.164,232.924 L 347.391,235.176 L 346.652,237.427 L 345.946,239.679 L 345.408,242.033 L 344.971,244.439 L 344.568,246.844 L 344.265,249.3 L 344.131,251.808 L 344.03,254.213 L 344.03,256.67 L 344.131,259.075 L 344.332,261.583 L 344.635,263.988 L 344.971,266.393 L 345.475,268.798 L 346.013,271.153 L 346.685,273.456 L 347.425,275.707 L 348.265,277.908 L 349.172,280.108 L 350.214,282.104 L 351.256,284.151 L 352.432,286.096 L 353.676,287.938 L 354.953,289.73 L 356.331,291.367 L 357.776,292.954 L 359.255,294.489 L 360.835,295.871 L 362.381,297.15 L 364.061,298.327 L 380.698,255.339z"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #6c8f93" d="M 378.144 207.08 L 376.363,207.336 L 374.514,207.643 L 372.699,208.154 L 370.951,208.717 L 369.17,209.434 L 367.422,210.202 L 365.742,211.174 L 364.095,212.197 L 362.448,213.323 L 360.936,214.603 L 359.356,215.984 L 357.911,217.417 L 356.499,218.953 L 355.155,220.641 L 353.81,222.381 L 352.634,224.121 L 351.458,226.066 L 350.416,228.011 L 349.408,230.058 L 348.534,232.156 L 347.693,234.306 L 346.887,236.455 L 346.215,238.707 L 345.61,241.01 L 345.106,243.364 L 344.736,245.718 L 344.366,248.123 L 344.164,250.528 L 344.03,252.934 L 344.03,255.339 L 344.03,257.744 L 344.232,260.15 L 344.433,262.555 L 344.736,264.96 L 345.173,267.314 L 345.61,269.617 L 346.215,271.869 L 346.954,274.223 L 347.693,276.424 L 348.534,278.522 L 349.475,280.62 L 350.449,282.667 L 351.491,284.612 L 352.634,286.505 L 353.878,288.297 L 355.188,290.037 L 356.533,291.674 L 357.978,293.21 L 359.39,294.694 L 360.936,296.024 L 362.515,297.253 L 364.129,298.43"/>
-    <path style="fill: #b6c7c9" d="M 516.851 332.82 L 440.356,338.398 L 440.86,341.213 L 441.498,344.079 L 442.372,346.842 L 443.481,349.555 L 444.658,352.165 L 446.103,354.826 L 447.682,357.385 L 449.464,359.944 L 451.447,362.349 L 453.564,364.754 L 455.782,367.006 L 458.236,369.206 L 460.79,371.305 L 463.513,373.352 L 466.369,375.194 L 469.327,377.036 L 472.486,378.674 L 475.646,380.312 L 478.973,381.745 L 482.368,383.126 L 485.93,384.252 L 489.493,385.378 L 493.089,386.299 L 496.853,387.118 L 500.618,387.784 L 504.416,388.295 L 508.18,388.705 L 512.045,388.909 L 515.944,389.063 L 519.775,389.063 L 523.674,388.858 L 527.506,388.551 L 531.303,388.091 L 535.068,387.425 L 538.832,386.709 L 542.462,385.839 L 546.092,384.764 L 549.621,383.741 L 553.116,382.461 L 556.477,381.028 L 559.704,379.493 L 562.863,377.855 L 565.922,376.064 L 568.846,374.222 L 571.635,372.277 L 574.223,370.23 L 576.744,368.081 L 579.063,365.829 L 581.281,363.475 L 583.331,361.069 L 585.146,358.664 L 586.827,356.105 L 588.373,353.444 L 589.684,350.834 L 516.851,332.82z"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #6c8f93" d="M 440.423 338.501 L 440.86,341.264 L 441.532,344.079 L 442.372,346.842 L 443.481,349.555 L 444.725,352.267 L 446.103,354.826 L 447.716,357.385 L 449.464,359.944 L 451.447,362.349 L 453.564,364.754 L 455.782,367.006 L 458.236,369.206 L 460.857,371.305 L 463.513,373.352 L 466.369,375.194 L 469.327,377.036 L 472.486,378.674 L 475.646,380.261 L 478.973,381.745 L 482.368,383.126 L 485.863,384.252 L 489.426,385.378 L 493.056,386.299 L 496.82,387.118 L 500.551,387.784 L 504.348,388.244 L 508.146,388.705 L 511.978,388.909 L 515.843,389.063 L 519.708,389.012 L 523.54,388.858 L 527.371,388.449 L 531.236,388.091 L 535.001,387.425 L 538.698,386.658 L 542.395,385.839 L 545.991,384.866 L 549.52,383.741 L 552.982,382.461 L 556.309,381.028 L 559.603,379.493 L 562.762,377.906 L 565.787,376.218 L 568.711,374.324 L 571.467,372.379 L 574.156,370.332 L 576.643,368.081 L 578.996,365.88 L 581.214,363.526 L 583.197,361.223 L 585.079,358.664 L 586.76,356.157 L 588.238,353.547 L 589.616,350.885"/>
-  </g>
-  <g>
-    <path style="fill: #0078aa" d="M 422.212 151.362 L 422.155,150.763 L 422.032,150.164 L 421.822,149.575 L 421.528,148.995 L 421.128,148.405 L 420.662,147.835 L 420.101,147.274 L 419.474,146.722 L 418.751,146.18 L 417.953,145.657 L 417.087,145.153 L 416.146,144.64 L 415.129,144.155 L 414.045,143.699 L 412.885,143.261 L 411.668,142.843 L 410.403,142.434 L 409.072,142.063 L 407.694,141.712 L 406.258,141.379 L 404.775,141.075 L 403.244,140.818 L 401.685,140.552 L 400.106,140.342 L 398.48,140.143 L 396.826,139.991 L 395.153,139.848 L 393.46,139.753 L 391.768,139.658 L 390.056,139.629 L 388.345,139.601 L 388.345,139.601 L 386.624,139.629 L 384.912,139.658 L 383.22,139.753 L 381.528,139.848 L 379.854,139.991 L 378.2,140.143 L 376.574,140.342 L 374.986,140.552 L 373.427,140.818 L 371.906,141.075 L 370.422,141.379 L 368.987,141.712 L 367.608,142.063 L 366.277,142.434 L 365.003,142.843 L 363.795,143.261 L 362.635,143.699 L 361.551,144.155 L 360.534,144.64 L 359.593,145.153 L 358.728,145.657 L 357.929,146.18 L 357.206,146.722 L 356.579,147.274 L 356.018,147.835 L 355.552,148.405 L 355.153,148.995 L 354.848,149.575 L 354.63,150.164 L 354.516,150.763 L 354.468,151.362 L 354.468,151.362 L 354.516,151.952 L 354.63,152.551 L 354.848,153.14 L 355.153,153.72 L 355.552,154.31 L 356.018,154.88 L 356.579,155.441 L 357.206,155.993 L 357.929,156.534 L 358.728,157.057 L 359.593,157.58 L 360.534,158.075 L 361.551,158.56 L 362.635,159.016 L 363.795,159.472 L 365.003,159.891 L 366.277,160.281 L 367.608,160.661 L 368.987,161.003 L 370.422,161.336 L 371.906,161.64 L 373.427,161.916 L 374.986,162.163 L 376.574,162.391 L 378.2,162.572 L 379.854,162.743 L 381.528,162.867 L 383.22,162.981 L 384.912,163.057 L 386.624,163.104 L 388.345,163.114 L 388.345,163.114 L 390.056,163.104 L 391.768,163.057 L 393.46,162.981 L 395.153,162.867 L 396.826,162.743 L 398.48,162.572 L 400.106,162.391 L 401.685,162.163 L 403.244,161.916 L 404.775,161.64 L 406.258,161.336 L 407.694,161.003 L 409.072,160.661 L 410.403,160.281 L 411.668,159.891 L 412.885,159.472 L 414.045,159.016 L 415.129,158.56 L 416.146,158.075 L 417.087,157.58 L 417.953,157.057 L 418.751,156.534 L 419.474,155.993 L 420.101,155.441 L 420.662,154.88 L 421.128,154.31 L 421.528,153.72 L 421.822,153.14 L 422.032,152.551 L 422.155,151.952 L 422.212,151.362z"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #aae6ff" d="M 421.813 151.172 L 421.765,150.573 L 421.651,150.003 L 421.433,149.413 L 421.138,148.843 L 420.748,148.272 L 420.254,147.711 L 419.74,147.169 L 419.094,146.618 L 418.381,146.085 L 417.591,145.553 L 416.717,145.058 L 415.785,144.564 L 414.777,144.089 L 413.703,143.632 L 412.562,143.195 L 411.345,142.795 L 410.071,142.415 L 408.758,142.025 L 407.389,141.702 L 405.963,141.36 L 404.48,141.065 L 402.978,140.799 L 401.437,140.552 L 399.85,140.342 L 398.243,140.143 L 396.588,139.991 L 394.934,139.848 L 393.251,139.753 L 391.559,139.686 L 389.857,139.629 L 388.155,139.629 L 388.155,139.629 L 386.434,139.629 L 384.741,139.686 L 383.039,139.753 L 381.376,139.848 L 379.712,139.991 L 378.067,140.143 L 376.45,140.342 L 374.863,140.552 L 373.313,140.799 L 371.811,141.065 L 370.327,141.36 L 368.901,141.702 L 367.541,142.025 L 366.22,142.415 L 364.946,142.795 L 363.738,143.195 L 362.607,143.632 L 361.532,144.089 L 360.515,144.564 L 359.564,145.058 L 358.718,145.553 L 357.919,146.085 L 357.206,146.618 L 356.579,147.169 L 356.027,147.711 L 355.552,148.272 L 355.172,148.843 L 354.867,149.413 L 354.649,150.003 L 354.525,150.573 L 354.478,151.172 L 354.478,151.172 L 354.525,151.752 L 354.649,152.351 L 354.867,152.912 L 355.172,153.492 L 355.552,154.072 L 356.027,154.623 L 356.579,155.175 L 357.206,155.726 L 357.919,156.249 L 358.718,156.782 L 359.564,157.286 L 360.515,157.761 L 361.532,158.246 L 362.607,158.712 L 363.738,159.13 L 364.946,159.539 L 366.22,159.929 L 367.541,160.309 L 368.901,160.642 L 370.327,160.965 L 371.811,161.269 L 373.313,161.536 L 374.863,161.773 L 376.45,162.002 L 378.067,162.192 L 379.712,162.344 L 381.376,162.477 L 383.039,162.572 L 384.741,162.658 L 386.434,162.705 L 388.155,162.715 L 388.155,162.715 L 389.857,162.705 L 391.559,162.658 L 393.251,162.572 L 394.934,162.477 L 396.588,162.344 L 398.243,162.192 L 399.85,162.002 L 401.437,161.773 L 402.978,161.536 L 404.48,161.269 L 405.963,160.965 L 407.389,160.642 L 408.758,160.309 L 410.071,159.929 L 411.345,159.539 L 412.562,159.13 L 413.703,158.712 L 414.777,158.246 L 415.785,157.761 L 416.717,157.286 L 417.591,156.782 L 418.381,156.249 L 419.094,155.726 L 419.74,155.175 L 420.254,154.623 L 420.748,154.072 L 421.138,153.492 L 421.433,152.912 L 421.651,152.351 L 421.765,151.752 L 421.813,151.172"/>
-    <path style="fill: #0078aa" d="M 354.478 135.075 L 354.478,151.581 L 421.813,151.581 L 421.813,135.075 L 354.478,135.075z"/>
-    <path style="fill: #00b4ff" d="M 422.212 134.875 L 422.155,134.276 L 422.032,133.668 L 421.822,133.088 L 421.528,132.498 L 421.128,131.909 L 420.662,131.338 L 420.101,130.777 L 419.474,130.235 L 418.751,129.684 L 417.953,129.171 L 417.087,128.648 L 416.146,128.153 L 415.129,127.659 L 414.045,127.212 L 412.885,126.765 L 411.668,126.337 L 410.403,125.938 L 409.072,125.567 L 407.694,125.215 L 406.258,124.892 L 404.775,124.597 L 403.244,124.312 L 401.685,124.065 L 400.106,123.837 L 398.48,123.646 L 396.826,123.485 L 395.153,123.352 L 393.46,123.247 L 391.768,123.171 L 390.056,123.124 L 388.345,123.114 L 388.345,123.114 L 386.624,123.124 L 384.912,123.171 L 383.22,123.247 L 381.528,123.352 L 379.854,123.485 L 378.2,123.646 L 376.574,123.837 L 374.986,124.065 L 373.427,124.312 L 371.906,124.597 L 370.422,124.892 L 368.987,125.215 L 367.608,125.567 L 366.277,125.938 L 365.003,126.337 L 363.795,126.765 L 362.635,127.212 L 361.551,127.659 L 360.534,128.153 L 359.593,128.648 L 358.728,129.171 L 357.929,129.684 L 357.206,130.235 L 356.579,130.777 L 356.018,131.338 L 355.552,131.909 L 355.153,132.498 L 354.848,133.088 L 354.63,133.668 L 354.516,134.276 L 354.468,134.875 L 354.468,134.875 L 354.516,135.465 L 354.63,136.064 L 354.848,136.653 L 355.153,137.224 L 355.552,137.813 L 356.018,138.384 L 356.579,138.945 L 357.206,139.506 L 357.929,140.048 L 358.728,140.561 L 359.593,141.075 L 360.534,141.588 L 361.551,142.063 L 362.635,142.52 L 363.795,142.967 L 365.003,143.385 L 366.277,143.794 L 367.608,144.155 L 368.987,144.507 L 370.422,144.84 L 371.906,145.153 L 373.427,145.41 L 374.986,145.667 L 376.574,145.895 L 378.2,146.076 L 379.854,146.237 L 381.528,146.37 L 383.22,146.475 L 384.912,146.561 L 386.624,146.608 L 388.345,146.618 L 388.345,146.618 L 390.056,146.608 L 391.768,146.561 L 393.46,146.475 L 395.153,146.37 L 396.826,146.237 L 398.48,146.076 L 400.106,145.895 L 401.685,145.667 L 403.244,145.41 L 404.775,145.153 L 406.258,144.84 L 407.694,144.507 L 409.072,144.155 L 410.403,143.794 L 411.668,143.385 L 412.885,142.967 L 414.045,142.52 L 415.129,142.063 L 416.146,141.588 L 417.087,141.075 L 417.953,140.561 L 418.751,140.048 L 419.474,139.506 L 420.101,138.945 L 420.662,138.384 L 421.128,137.813 L 421.528,137.224 L 421.822,136.653 L 422.032,136.064 L 422.155,135.465 L 422.212,134.875z"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #aae6ff" d="M 421.813 134.676 L 421.765,134.077 L 421.651,133.506 L 421.433,132.926 L 421.138,132.346 L 420.748,131.785 L 420.254,131.205 L 419.74,130.673 L 419.094,130.121 L 418.381,129.598 L 417.591,129.056 L 416.717,128.572 L 415.785,128.068 L 414.777,127.592 L 413.703,127.155 L 412.562,126.699 L 411.345,126.318 L 410.071,125.909 L 408.758,125.539 L 407.389,125.196 L 405.963,124.863 L 404.48,124.569 L 402.978,124.302 L 401.437,124.065 L 399.85,123.837 L 398.243,123.646 L 396.588,123.494 L 394.934,123.352 L 393.251,123.257 L 391.559,123.181 L 389.857,123.133 L 388.155,123.124 L 388.155,123.124 L 386.434,123.133 L 384.741,123.181 L 383.039,123.257 L 381.376,123.352 L 379.712,123.494 L 378.067,123.646 L 376.45,123.837 L 374.863,124.065 L 373.313,124.302 L 371.811,124.569 L 370.327,124.863 L 368.901,125.196 L 367.541,125.539 L 366.22,125.909 L 364.946,126.318 L 363.738,126.699 L 362.607,127.155 L 361.532,127.592 L 360.515,128.068 L 359.564,128.572 L 358.718,129.056 L 357.919,129.598 L 357.206,130.121 L 356.579,130.673 L 356.027,131.205 L 355.552,131.785 L 355.172,132.346 L 354.867,132.926 L 354.649,133.506 L 354.525,134.077 L 354.478,134.676 L 354.478,134.676 L 354.525,135.265 L 354.649,135.845 L 354.867,136.425 L 355.172,136.996 L 355.552,137.566 L 356.027,138.137 L 356.579,138.679 L 357.206,139.23 L 357.919,139.753 L 358.718,140.285 L 359.564,140.789 L 360.515,141.265 L 361.532,141.75 L 362.607,142.206 L 363.738,142.634 L 364.946,143.043 L 366.22,143.433 L 367.541,143.803 L 368.901,144.146 L 370.327,144.478 L 371.811,144.792 L 373.313,145.039 L 374.863,145.296 L 376.45,145.515 L 378.067,145.695 L 379.712,145.867 L 381.376,146 L 383.039,146.085 L 384.741,146.171 L 386.434,146.218 L 388.155,146.228 L 388.155,146.228 L 389.857,146.218 L 391.559,146.171 L 393.251,146.085 L 394.934,146 L 396.588,145.867 L 398.243,145.695 L 399.85,145.515 L 401.437,145.296 L 402.978,145.039 L 404.48,144.792 L 405.963,144.478 L 407.389,144.146 L 408.758,143.803 L 410.071,143.433 L 411.345,143.043 L 412.562,142.634 L 413.703,142.206 L 414.777,141.75 L 415.785,141.265 L 416.717,140.789 L 417.591,140.285 L 418.381,139.753 L 419.094,139.23 L 419.74,138.679 L 420.254,138.137 L 420.748,137.566 L 421.138,136.996 L 421.433,136.425 L 421.651,135.845 L 421.765,135.265 L 421.813,134.676"/>
-    <path style="fill: #000000" d="M 388.972 132.204 L 393.898,133.858 L 405.811,128.895 L 411.145,130.54 L 408.264,126.432 L 394.316,126.432 L 400.049,127.659 L 388.972,132.204z"/>
-    <path style="fill: #000000" d="M 386.909 136.739 L 381.994,135.075 L 370.489,140.048 L 364.746,138.384 L 367.608,142.919 L 381.994,142.919 L 375.823,141.265 L 386.909,136.739z"/>
-    <path style="fill: #000000" d="M 365.973 127.659 L 370.888,126.014 L 382.811,130.54 L 388.155,129.313 L 385.283,133.421 L 371.307,133.421 L 377.049,132.204 L 365.973,127.659z"/>
-    <path style="fill: #000000" d="M 410.318 141.674 L 405.383,143.328 L 393.898,138.384 L 388.155,140.048 L 391.026,135.902 L 405.383,135.902 L 399.231,137.138 L 410.318,141.674z"/>
-    <path style="fill: #ffffff" d="M 389.381 132.612 L 394.316,134.257 L 406.201,129.313 L 411.554,130.968 L 408.673,126.832 L 394.715,126.832 L 400.468,128.058 L 389.381,132.612z"/>
-    <path style="fill: #ffffff" d="M 387.328 137.138 L 382.383,135.493 L 370.888,140.438 L 365.145,138.793 L 368.017,143.328 L 382.383,143.328 L 376.232,141.674 L 387.328,137.138z"/>
-    <path style="fill: #ffffff" d="M 366.381 128.058 L 371.307,126.432 L 383.22,130.968 L 388.554,129.713 L 385.692,133.858 L 371.715,133.858 L 377.477,132.612 L 366.381,128.058z"/>
-    <path style="fill: #ffffff" d="M 410.717 142.101 L 405.811,143.746 L 394.316,138.793 L 388.554,140.438 L 391.425,136.33 L 405.811,136.33 L 399.65,137.557 L 410.717,142.101z"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #aae6ff" d="M 354.478 134.676 L 354.478,151.153"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #aae6ff" d="M 421.813 134.676 L 421.813,151.153"/>
-  </g>
-  <line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="539.815" y1="59.8656" x2="465.169" y2="59.9832"/>
-  <g>
-    <path style="fill: #00b4ff" d="M 436.008 60.048 L 445.014,52.7662 L 465.806,52.7662 L 458.353,60.048 L 436.008,60.048z"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #000000" d="M 436.008 60.048 L 445.014,52.7662 L 465.806,52.7662 L 458.353,60.048 L 436.008,60.048"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.1; stroke: #add6e7" d="M 436.008 60.048 L 445.014,52.7662 L 465.806,52.7662 L 458.353,60.048 L 436.008,60.048"/>
-    <path style="fill: #005a80" d="M 458.353 67.2865 L 465.806,59.2394 L 465.806,52.7783 L 458.353,60.0471 L 458.353,67.2856 L 458.353,67.2865z"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #000000" d="M 458.353 67.2865 L 465.806,59.2394 L 465.806,52.7783 L 458.353,60.0471 L 458.353,67.2856 L 458.353,67.2865"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.1; stroke: #add6e7" d="M 458.353 67.2865 L 465.806,59.2394 L 465.806,52.7783 L 458.353,60.0471 L 458.353,67.2856"/>
-    <path style="fill: #0096d4" d="M 436.039 67.2934 L 458.353,67.2934 L 458.353,60.048 L 436.039,60.048 L 436.039,67.2934z"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #000000" d="M 436.039 67.2934 L 458.353,67.2934 L 458.353,60.048 L 436.039,60.048 L 436.039,67.2934"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.1; stroke: #add6e7" d="M 436.039 67.2934 L 458.353,67.2934 L 458.353,60.048 L 436.039,60.048 L 436.039,67.2934"/>
-    <path style="fill: #ffffff" d="M 448.194 64.0642 L 439.471,64.0694 L 439.471,63.0039 L 448.194,63.0005 L 448.198,61.34 L 452.074,63.5341 L 448.198,65.7281 L 448.194,64.0642z"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #add6e7" d="M 448.194 64.0642 L 439.471,64.0694 L 439.471,63.0039 L 448.194,63.0005 L 448.198,61.34 L 452.074,63.5341 L 448.198,65.7281 L 448.194,64.0642"/>
-    <path style="fill: #ffffff" d="M 440.429 63.0048 L 440.425,61.3443 L 436.549,63.5384 L 440.425,65.7324 L 440.429,64.0685 L 440.429,63.0048z"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #add6e7" d="M 440.429 63.0048 L 440.425,61.3443 L 436.549,63.5384 L 440.425,65.7324 L 440.429,64.0685 L 440.429,63.0048"/>
-    <path style="fill: #ffffff" d="M 457.386 63.0048 L 457.383,61.3443 L 453.507,63.5384 L 457.383,65.7324 L 457.386,64.0685 L 457.386,63.0048z"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #add6e7" d="M 457.386 63.0048 L 457.383,61.3443 L 453.507,63.5384 L 457.383,65.7324 L 457.386,64.0685 L 457.386,63.0048"/>
-  </g>
-  <line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="445.67" y1="67.3281" x2="402.603" y2="124.228"/>
-  <text font-size="12.8" style="fill: #000000;text-anchor:middle;font-family:sans-serif;font-style:normal;font-weight:normal" x="447.212" y="79.267">
-    <tspan x="447.212" y="79.267">modem</tspan>
-    <tspan x="447.212" y="95.267">VDSL</tspan>
-    <tspan x="447.212" y="111.267">SmartRG</tspan>
-  </text>
-  <g>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.8; stroke: #00aed9" d="M 514.769 308.067 L 514.769,290.135"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 4; stroke: #00aed9" d="M 514.769 307.777 L 514.769,295.477"/>
-    <path style="fill: #000000" d="M 515.29 291.858 L 514.194,291.858 L 514.194,289.666 L 515.29,289.666 L 515.29,291.858z"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #00aed9" d="M 515.29 291.858 L 514.194,291.858 L 514.194,289.666 L 515.29,289.666 L 515.29,291.858"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.8; stroke: #00aed9" d="M 488.19 308.067 L 488.19,290.135"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 4; stroke: #00aed9" d="M 488.19 307.777 L 488.19,295.477"/>
-    <path style="fill: #000000" d="M 488.71 291.858 L 487.614,291.858 L 487.614,289.666 L 488.71,289.666 L 488.71,291.858z"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #00aed9" d="M 488.71 291.858 L 487.614,291.858 L 487.614,289.666 L 488.71,289.666 L 488.71,291.858"/>
-    <path style="fill: #00aed9" d="M 522.204 310.343 C 522.204,314.673 513.179,318.182 502.045,318.182 C 490.911,318.182 481.886,314.673 481.886,310.343 L 481.886,321.826 C 481.886,326.156 490.911,329.666 502.045,329.666 C 513.179,329.666 522.204,326.156 522.204,321.826 L 522.204,310.343z"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.8; stroke: #ffffff" d="M 522.204 310.343 C 522.204,314.673 513.179,318.182 502.045,318.182 C 490.911,318.182 481.886,314.673 481.886,310.343 L 481.886,321.826 C 481.886,326.156 490.911,329.666 502.045,329.666 C 513.179,329.666 522.204,326.156 522.204,321.826 L 522.204,310.343"/>
-    <path style="fill: #00aed9" d="M 502.045 318.182 C 513.179,318.182 522.204,314.673 522.204,310.343 C 522.204,306.013 513.179,302.503 502.045,302.503 C 490.911,302.503 481.886,306.013 481.886,310.343 C 481.886,314.673 490.911,318.182 502.045,318.182z"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.8; stroke: #ffffff" d="M 502.045 318.182 C 513.179,318.182 522.204,314.673 522.204,310.343 C 522.204,306.013 513.179,302.503 502.045,302.503 C 490.911,302.503 481.886,306.013 481.886,310.343 C 481.886,314.673 490.911,318.182 502.045,318.182"/>
-    <path style="fill: #ffffff" d="M 497.441 307.278 L 499.106,309.775 L 492.813,311.229 L 494.187,310.085 L 484.46,308.422 L 486.901,306.593 L 496.286,308.182 L 497.441,307.278z"/>
-    <path style="fill: #ffffff" d="M 506.299 313.332 L 505.162,310.759 L 510.839,309.624 L 509.854,310.506 L 519.317,312.122 L 517.048,313.938 L 507.64,312.173 L 506.299,313.332z"/>
-    <path style="fill: #ffffff" d="M 503.194 305.914 L 509.553,304.174 L 509.628,306.9 L 508.039,306.596 L 504.934,309.169 L 501.974,308.738 L 505.176,306.22 L 503.194,305.914z"/>
-    <path style="fill: #ffffff" d="M 500.469 315.68 L 494.414,316.815 L 494.187,314.015 L 495.927,314.392 L 499.26,311.546 L 502.21,312.046 L 498.653,315.15 L 500.469,315.68z"/>
-  </g>
-  <text font-size="12.8" style="fill: #000000;text-anchor:middle;font-family:sans-serif;font-style:normal;font-weight:normal" x="502.046" y="341.566">
-    <tspan x="502.046" y="341.566">plastik</tspan>
-    <tspan x="502.046" y="357.566">TP-Link 1043D</tspan>
-    <tspan x="502.046" y="373.566">CrapN6</tspan>
-  </text>
-  <text font-size="12.8" style="fill: #000000;text-anchor:middle;font-family:sans-serif;font-style:normal;font-weight:700" x="510.608" y="254.27">
-    <tspan x="510.608" y="254.27">LAN</tspan>
-  </text>
-  <g>
-    <path style="fill: #0096d4" d="M 442.494 216.486 L 442.494,234.849 L 515.139,234.849 L 515.139,216.486 L 442.494,216.486z"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #aae6ff" d="M 442.494 216.486 L 442.494,234.849 L 515.139,234.849 L 515.139,216.486 L 442.494,216.486"/>
-    <path style="fill: #005a80" d="M 515.139 216.486 L 537.634,194.849 L 537.634,213.213 L 515.139,234.849 L 515.139,216.486z"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #aae6ff" d="M 515.139 216.486 L 537.634,194.849 L 537.634,213.213 L 515.139,234.849 L 515.139,216.486"/>
-    <path style="fill: #00b4ff" d="M 515.139 216.486 L 537.634,194.849 L 464.94,194.849 L 442.494,216.486 L 515.139,216.486z"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #aae6ff" d="M 515.139 216.486 L 537.634,194.849 L 464.94,194.849 L 442.494,216.486 L 515.139,216.486"/>
-    <path style="fill: #000000" d="M 488.048 206.006 L 485.42,208.585 L 503.899,208.585 L 501.271,211.891 L 516.461,207.94 L 508.544,204.684 L 506.544,206.006 L 488.048,206.006z"/>
-    <path style="fill: #000000" d="M 497.304 197.477 L 494.659,200.089 L 513.155,200.089 L 509.849,203.362 L 525.701,198.8 L 517.122,195.494 L 515.833,197.477 L 497.304,197.477z"/>
-    <path style="fill: #000000" d="M 481.436 213.213 L 484.13,210.568 L 464.94,210.568 L 468.246,207.296 L 453.023,211.213 L 460.973,214.519 L 462.312,213.213 L 481.436,213.213z"/>
-    <path style="fill: #000000" d="M 490.048 203.99 L 492.692,201.428 L 474.196,201.428 L 477.519,198.122 L 461.634,202.701 L 470.213,206.006 L 471.535,203.99 L 490.048,203.99z"/>
-    <path style="fill: #ffffff" d="M 488.709 206.618 L 486.081,209.246 L 504.577,209.246 L 501.932,212.535 L 517.122,208.585 L 509.172,205.329 L 507.221,206.618 L 488.709,206.618z"/>
-    <path style="fill: #ffffff" d="M 497.965 198.122 L 495.32,200.734 L 513.816,200.734 L 510.511,203.99 L 526.378,199.411 L 517.8,196.155 L 516.461,198.122 L 497.965,198.122z"/>
-    <path style="fill: #ffffff" d="M 482.097 213.858 L 484.742,211.213 L 465.618,211.213 L 468.874,207.94 L 453.701,211.891 L 461.634,215.163 L 462.94,213.858 L 482.097,213.858z"/>
-    <path style="fill: #ffffff" d="M 490.676 204.684 L 493.354,202.039 L 474.825,202.039 L 478.147,198.8 L 462.312,203.362 L 470.891,206.618 L 472.18,204.684 L 490.676,204.684z"/>
-  </g>
-  <g>
-    <path style="fill: #1c97cd" d="M 554.055 258.822 L 554.055,279.655 L 615.255,279.655 L 615.255,258.822 L 554.055,258.822z"/>
-    <path style="fill: #8dcaef" d="M 554.055 279.942 L 554.323,279.655 L 554.323,258.822 L 553.768,258.822 L 553.768,279.655 L 554.055,279.942z"/>
-    <path style="fill: #8dcaef" d="M 615.541 279.655 L 615.255,279.378 L 554.055,279.378 L 554.055,279.942 L 615.255,279.942 L 615.541,279.655z"/>
-    <path style="fill: #8dcaef" d="M 615.255 258.554 L 614.995,258.822 L 614.995,279.655 L 615.541,279.655 L 615.541,258.822 L 615.255,258.554z"/>
-    <path style="fill: #8dcaef" d="M 553.768 258.822 L 554.055,259.109 L 615.255,259.109 L 615.255,258.554 L 554.055,258.554 L 553.768,258.822z"/>
-    <path style="fill: #076086" d="M 615.255 258.822 L 633.911,240.22 L 633.911,261.071 L 615.255,279.655 L 615.255,258.822z"/>
-    <path style="fill: #8dcaef" d="M 634.189 240.22 L 633.714,240.023 L 615.076,258.634 L 615.461,259.028 L 634.117,240.417 L 634.189,240.22z"/>
-    <path style="fill: #8dcaef" d="M 634.117 261.268 L 634.189,261.071 L 634.189,240.22 L 633.634,240.22 L 633.634,261.071 L 634.117,261.268z"/>
-    <path style="fill: #8dcaef" d="M 614.995 279.655 L 615.461,279.852 L 634.117,261.268 L 633.714,260.873 L 615.076,279.467 L 614.995,279.655z"/>
-    <path style="fill: #8dcaef" d="M 615.076 258.634 L 614.995,258.822 L 614.995,279.655 L 615.541,279.655 L 615.541,258.822 L 615.076,258.634z"/>
-    <path style="fill: #3cafe4" d="M 615.255 258.822 L 633.911,240.22 L 572.684,240.22 L 554.055,258.822 L 615.255,258.822z"/>
-    <path style="fill: #8dcaef" d="M 633.911 239.942 L 633.714,240.023 L 615.076,258.634 L 615.461,259.028 L 634.117,240.417 L 633.911,239.942z"/>
-    <path style="fill: #8dcaef" d="M 572.478 240.023 L 572.684,240.497 L 633.911,240.497 L 633.911,239.942 L 572.684,239.942 L 572.478,240.023z"/>
-    <path style="fill: #8dcaef" d="M 554.055 259.109 L 554.234,259.028 L 572.881,240.417 L 572.478,240.023 L 553.849,258.634 L 554.055,259.109z"/>
-    <path style="fill: #8dcaef" d="M 615.461 259.028 L 615.255,258.554 L 554.055,258.554 L 554.055,259.109 L 615.255,259.109 L 615.461,259.028z"/>
-    <path style="fill: #000000" d="M 576.948 254.299 L 576.939,254.434 L 576.921,254.541 L 576.867,254.658 L 576.822,254.774 L 576.751,254.882 L 576.67,254.998 L 576.571,255.105 L 576.464,255.222 L 576.356,255.303 L 576.204,255.419 L 576.061,255.509 L 575.909,255.616 L 575.729,255.697 L 575.55,255.804 L 575.353,255.867 L 575.156,255.947 L 574.941,256.037 L 574.717,256.118 L 574.493,256.171 L 574.252,256.243 L 574.019,256.297 L 573.741,256.368 L 573.481,256.413 L 573.222,256.449 L 572.935,256.512 L 572.657,256.539 L 572.362,256.565 L 572.093,256.592 L 571.789,256.619 L 571.484,256.637 L 571.162,256.637 L 570.857,256.646 L 570.562,256.637 L 570.23,256.637 L 569.917,256.619 L 569.639,256.592 L 569.335,256.565 L 569.03,256.539 L 568.77,256.512 L 568.484,256.449 L 568.215,256.413 L 567.955,256.368 L 567.686,256.297 L 567.436,256.243 L 567.203,256.171 L 566.979,256.118 L 566.755,256.037 L 566.54,255.947 L 566.334,255.867 L 566.155,255.804 L 565.967,255.697 L 565.797,255.616 L 565.635,255.509 L 565.501,255.419 L 565.349,255.303 L 565.223,255.222 L 565.116,255.105 L 565.026,254.998 L 564.955,254.882 L 564.883,254.774 L 564.838,254.658 L 564.785,254.541 L 564.749,254.434 L 564.749,254.299 L 564.749,254.183 L 564.785,254.066 L 564.838,253.932 L 564.883,253.825 L 564.955,253.717 L 565.026,253.601 L 565.116,253.493 L 565.223,253.395 L 565.349,253.287 L 565.501,253.18 L 565.635,253.09 L 565.797,253.001 L 565.967,252.902 L 566.155,252.813 L 566.334,252.732 L 566.54,252.642 L 566.755,252.562 L 566.979,252.481 L 567.203,252.418 L 567.436,252.365 L 567.686,252.302 L 567.955,252.23 L 568.215,252.195 L 568.484,252.141 L 568.77,252.087 L 569.03,252.06 L 569.335,252.033 L 569.639,252.006 L 569.917,251.98 L 570.23,251.971 L 570.562,251.953 L 570.857,251.953 L 571.162,251.953 L 571.484,251.971 L 571.789,251.98 L 572.093,252.006 L 572.362,252.033 L 572.657,252.06 L 572.935,252.087 L 573.222,252.141 L 573.481,252.195 L 573.741,252.23 L 574.019,252.302 L 574.252,252.365 L 574.493,252.418 L 574.717,252.481 L 574.941,252.562 L 575.156,252.642 L 575.353,252.732 L 575.55,252.813 L 575.729,252.902 L 575.909,253.001 L 576.061,253.09 L 576.204,253.18 L 576.356,253.287 L 576.464,253.395 L 576.571,253.493 L 576.67,253.601 L 576.751,253.717 L 576.822,253.825 L 576.867,253.932 L 576.921,254.066 L 576.939,254.183 L 576.948,254.299z"/>
-    <path style="fill: #ffffff" d="M 576.948 253.153 L 576.939,253.269 L 576.921,253.395 L 576.867,253.511 L 576.822,253.628 L 576.751,253.735 L 576.67,253.852 L 576.571,253.959 L 576.464,254.066 L 576.356,254.183 L 576.204,254.272 L 576.061,254.362 L 575.909,254.47 L 575.729,254.55 L 575.55,254.64 L 575.353,254.72 L 575.156,254.801 L 574.941,254.882 L 574.717,254.962 L 574.493,255.034 L 574.252,255.105 L 574.019,255.159 L 573.741,255.222 L 573.481,255.258 L 573.222,255.303 L 572.935,255.356 L 572.657,255.392 L 572.362,255.419 L 572.093,255.446 L 571.789,255.473 L 571.484,255.473 L 571.162,255.5 L 570.857,255.5 L 570.562,255.5 L 570.23,255.473 L 569.917,255.473 L 569.639,255.446 L 569.335,255.419 L 569.03,255.392 L 568.77,255.356 L 568.484,255.303 L 568.215,255.258 L 567.955,255.222 L 567.686,255.159 L 567.436,255.105 L 567.203,255.034 L 566.979,254.962 L 566.755,254.882 L 566.54,254.801 L 566.334,254.72 L 566.155,254.64 L 565.967,254.55 L 565.797,254.47 L 565.635,254.362 L 565.501,254.272 L 565.349,254.183 L 565.223,254.066 L 565.116,253.959 L 565.026,253.852 L 564.955,253.735 L 564.883,253.628 L 564.838,253.511 L 564.785,253.395 L 564.749,253.269 L 564.749,253.153 L 564.749,253.036 L 564.785,252.92 L 564.838,252.813 L 564.883,252.678 L 564.955,252.562 L 565.026,252.454 L 565.116,252.347 L 565.223,252.23 L 565.349,252.141 L 565.501,252.033 L 565.635,251.944 L 565.797,251.836 L 565.967,251.747 L 566.155,251.666 L 566.334,251.577 L 566.54,251.496 L 566.755,251.415 L 566.979,251.362 L 567.203,251.272 L 567.436,251.218 L 567.686,251.156 L 567.955,251.084 L 568.215,251.048 L 568.484,250.994 L 568.77,250.941 L 569.03,250.914 L 569.335,250.887 L 569.639,250.851 L 569.917,250.833 L 570.23,250.824 L 570.562,250.824 L 570.857,250.824 L 571.162,250.824 L 571.484,250.824 L 571.789,250.833 L 572.093,250.851 L 572.362,250.887 L 572.657,250.914 L 572.935,250.941 L 573.222,250.994 L 573.481,251.048 L 573.741,251.084 L 574.019,251.156 L 574.252,251.218 L 574.493,251.272 L 574.717,251.362 L 574.941,251.415 L 575.156,251.496 L 575.353,251.577 L 575.55,251.666 L 575.729,251.747 L 575.909,251.836 L 576.061,251.944 L 576.204,252.033 L 576.356,252.141 L 576.464,252.23 L 576.571,252.347 L 576.67,252.454 L 576.751,252.562 L 576.822,252.678 L 576.867,252.813 L 576.921,252.92 L 576.939,253.036 L 576.948,253.153z"/>
-    <path style="fill: #1f1a17" d="M 592.03 262.02 L 592.075,262.02 L 592.174,262.02 L 592.254,262.038 L 592.326,262.038 L 592.407,262.065 L 592.505,262.083 L 592.541,262.092 L 592.604,262.118 L 592.639,262.136 L 592.693,262.181 L 592.738,262.208 L 592.792,262.244 L 592.837,262.262 L 592.863,262.315 L 592.917,262.36 L 592.953,262.414 L 592.989,262.468 L 593.025,262.539 L 593.06,262.593 L 593.078,262.665 L 593.096,262.736 L 593.141,262.817 L 593.32,266.247 L 599.33,267.242 L 599.921,265.952 L 598.425,261.832 L 597.718,261.662 L 597.01,261.491 L 596.321,261.348 L 595.658,261.223 L 595.013,261.097 L 594.386,260.999 L 593.759,260.9 L 593.177,260.82 L 592.604,260.748 L 592.048,260.676 L 591.502,260.623 L 590.983,260.578 L 590.49,260.542 L 590.024,260.497 L 589.567,260.497 L 589.146,260.47 L 588.725,260.453 L 588.34,260.444 L 587.964,260.444 L 587.642,260.444 L 587.328,260.444 L 587.015,260.444 L 586.773,260.453 L 586.54,260.453 L 586.119,260.497 L 585.832,260.497 L 585.671,260.524 L 585.6,260.524 L 585.895,260.524 L 585.859,260.524 L 585.707,260.497 L 585.474,260.497 L 585.143,260.453 L 584.955,260.453 L 584.74,260.444 L 584.48,260.444 L 584.22,260.444 L 583.925,260.444 L 583.62,260.444 L 583.289,260.453 L 582.913,260.47 L 582.536,260.497 L 582.124,260.497 L 581.695,260.542 L 581.265,260.578 L 580.781,260.623 L 580.297,260.676 L 579.769,260.748 L 579.232,260.82 L 578.685,260.9 L 578.094,260.999 L 577.503,261.097 L 576.867,261.223 L 576.222,261.348 L 575.559,261.491 L 574.888,261.662 L 574.162,261.832 L 572.675,265.952 L 573.266,267.242 L 579.258,266.247 L 579.455,262.817 L 579.482,262.736 L 579.509,262.665 L 579.536,262.593 L 579.563,262.539 L 579.608,262.468 L 579.626,262.414 L 579.679,262.36 L 579.715,262.315 L 579.751,262.262 L 579.814,262.244 L 579.841,262.208 L 579.894,262.181 L 579.939,262.136 L 579.993,262.118 L 580.029,262.092 L 580.073,262.083 L 580.172,262.065 L 580.27,262.038 L 580.342,262.038 L 580.414,262.02 L 580.521,262.02 L 580.557,262.02 L 592.03,262.02z"/>
-    <path style="fill: #1f1a17" d="M 592.586 265.092 L 592.201,265.468 L 592.201,278.285 L 592.953,278.285 L 592.953,265.468 L 592.586,265.092 L 592.953,265.468 L 592.953,265.092 L 592.586,265.092z"/>
-    <path style="fill: #1f1a17" d="M 579.626 265.468 L 580.011,265.844 L 592.586,265.844 L 592.586,265.092 L 580.011,265.092 L 579.626,265.468 L 580.011,265.092 L 579.626,265.092 L 579.626,265.468z"/>
-    <path style="fill: #1f1a17" d="M 580.011 278.661 L 580.378,278.285 L 580.378,265.468 L 579.626,265.468 L 579.626,278.285 L 580.011,278.661 L 579.626,278.285 L 579.626,278.661 L 580.011,278.661z"/>
-    <path style="fill: #1f1a17" d="M 592.953 278.285 L 592.586,277.909 L 580.011,277.909 L 580.011,278.661 L 592.586,278.661 L 592.953,278.285 L 592.586,278.661 L 592.953,278.661 L 592.953,278.285z"/>
-    <path style="fill: #000000" d="M 584.776 277.336 L 580.906,266.418 L 583.289,266.418 L 586.056,274.461 L 588.708,266.418 L 591.063,266.418 L 587.158,277.336 L 584.776,277.336z"/>
-    <path style="fill: #ffffff" d="M 591.627 261.733 L 591.672,261.733 L 591.771,261.733 L 591.833,261.733 L 591.941,261.742 L 592.021,261.769 L 592.102,261.796 L 592.156,261.814 L 592.201,261.832 L 592.254,261.868 L 592.29,261.868 L 592.353,261.912 L 592.398,261.939 L 592.433,261.993 L 592.478,262.02 L 592.514,262.065 L 592.541,262.118 L 592.604,262.181 L 592.622,262.244 L 592.657,262.307 L 592.693,262.36 L 592.711,262.441 L 592.738,262.513 L 592.935,265.952 L 598.927,266.964 L 599.536,265.647 L 598.022,261.536 L 597.324,261.348 L 596.616,261.196 L 595.935,261.062 L 595.273,260.936 L 594.619,260.82 L 593.983,260.712 L 593.374,260.623 L 592.765,260.524 L 592.201,260.453 L 591.645,260.399 L 591.117,260.327 L 590.597,260.291 L 590.078,260.247 L 589.612,260.229 L 589.164,260.193 L 588.725,260.175 L 588.322,260.166 L 587.937,260.166 L 587.579,260.148 L 587.23,260.148 L 586.907,260.148 L 586.621,260.166 L 586.352,260.166 L 586.119,260.175 L 585.725,260.193 L 585.447,260.202 L 585.268,260.229 L 585.214,260.229 L 585.501,260.229 L 585.456,260.229 L 585.322,260.202 L 585.089,260.193 L 584.758,260.175 L 584.552,260.166 L 584.328,260.166 L 584.086,260.148 L 583.808,260.148 L 583.54,260.148 L 583.208,260.166 L 582.877,260.166 L 582.528,260.175 L 582.142,260.193 L 581.739,260.229 L 581.309,260.247 L 580.862,260.291 L 580.396,260.327 L 579.894,260.399 L 579.384,260.453 L 578.846,260.524 L 578.282,260.623 L 577.709,260.712 L 577.1,260.82 L 576.482,260.936 L 575.819,261.062 L 575.156,261.196 L 574.476,261.348 L 573.759,261.536 L 572.281,265.647 L 572.881,266.964 L 578.855,265.952 L 579.07,262.513 L 579.079,262.441 L 579.106,262.36 L 579.133,262.307 L 579.16,262.244 L 579.205,262.181 L 579.232,262.118 L 579.276,262.065 L 579.312,262.02 L 579.357,261.993 L 579.402,261.939 L 579.438,261.912 L 579.491,261.868 L 579.536,261.868 L 579.59,261.832 L 579.626,261.814 L 579.679,261.796 L 579.769,261.769 L 579.867,261.742 L 579.957,261.733 L 580.011,261.733 L 580.118,261.733 L 580.154,261.733 L 591.627,261.733z"/>
-    <path style="fill: #ffffff" d="M 592.174 264.805 L 591.815,265.173 L 591.815,277.989 L 592.541,277.989 L 592.541,265.173 L 592.174,264.805 L 592.541,265.173 L 592.541,264.805 L 592.174,264.805z"/>
-    <path style="fill: #ffffff" d="M 579.232 265.173 L 579.608,265.549 L 592.174,265.549 L 592.174,264.805 L 579.608,264.805 L 579.232,265.173 L 579.608,264.805 L 579.232,264.805 L 579.232,265.173z"/>
-    <path style="fill: #ffffff" d="M 579.608 278.366 L 579.975,277.989 L 579.975,265.173 L 579.232,265.173 L 579.232,277.989 L 579.608,278.366 L 579.232,277.989 L 579.232,278.366 L 579.608,278.366z"/>
-    <path style="fill: #ffffff" d="M 592.541 277.989 L 592.174,277.613 L 579.608,277.613 L 579.608,278.366 L 592.174,278.366 L 592.541,277.989 L 592.174,278.366 L 592.541,278.366 L 592.541,277.989z"/>
-    <path style="fill: #ffffff" d="M 584.364 277.04 L 580.503,266.14 L 582.877,266.14 L 585.653,274.183 L 588.296,266.14 L 590.651,266.14 L 586.755,277.04 L 584.364,277.04z"/>
-  </g>
-  <line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="521.685" y1="228.569" x2="565.1" y2="247.401"/>
-  <text font-size="12.8" style="fill: #000000;text-anchor:middle;font-family:sans-serif;font-style:normal;font-weight:normal" x="584.65" y="291.842">
-    <tspan x="584.65" y="291.842">Cisco</tspan>
-    <tspan x="584.65" y="307.842">ATA-186</tspan>
-  </text>
-  <g>
-    <path style="fill: #b7b79d" d="M 578.572 176.18 L 618.541,176.18 L 618.541,183.566 L 578.572,183.566 L 578.572,176.18z"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #494936" d="M 578.572 176.18 L 618.541,176.18 L 618.541,183.566 L 578.572,183.566 L 578.572,176.18"/>
-    <path style="fill: #c9c9b6" d="M 578.572 176.18 L 582.81,172.162 L 622.779,172.162 L 618.541,176.18 L 578.572,176.18z"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #494936" d="M 578.572 176.18 L 582.81,172.162 L 622.779,172.162 L 618.541,176.18 L 578.572,176.18"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 2.12; stroke: #000000" d="M 616.305 179.543 L 606.714,179.543"/>
-    <path style="fill: #7a7a5a" d="M 618.541 183.566 L 622.779,179.316 L 622.779,172.162 L 618.541,176.18 L 618.541,183.566z"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #494936" d="M 618.541 183.566 L 622.779,179.316 L 622.779,172.162 L 618.541,176.18 L 618.541,183.566"/>
-    <path style="fill: #c9c9b6" d="M 578.799 188.252 L 583.257,182.666 L 614.076,182.666 L 609.617,188.252 L 578.799,188.252z"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #494936" d="M 578.799 188.252 L 583.257,182.666 L 614.076,182.666 L 609.617,188.252 L 578.799,188.252"/>
-    <path style="fill: #7a7a5a" d="M 609.617 189.366 L 614.076,184.681 L 614.076,182.666 L 609.617,188.252 L 609.617,189.366z"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #494936" d="M 609.617 189.366 L 614.076,184.681 L 614.076,182.666 L 609.617,188.252 L 609.617,189.366"/>
-    <path style="fill: #b7b79d" d="M 578.799 188.252 L 609.617,188.252 L 609.617,189.366 L 578.799,189.366 L 578.799,188.252z"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #494936" d="M 578.799 188.252 L 609.617,188.252 L 609.617,189.366 L 578.799,189.366 L 578.799,188.252"/>
-    <path style="fill: #000000" d="M 584.598 175.292 L 587.955,172.162 L 616.305,172.162 L 613.188,175.292 L 584.598,175.292z"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #000000" d="M 584.598 175.292 L 587.955,172.162 L 616.305,172.162 L 613.188,175.292 L 584.598,175.292"/>
-    <path style="fill: #c9c9b6" d="M 584.372 152.269 L 587.508,149.366 L 615.87,149.366 L 612.734,152.269 L 584.372,152.269z"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #494936" d="M 584.372 152.269 L 587.508,149.366 L 615.87,149.366 L 612.734,152.269 L 584.372,152.269"/>
-    <path style="fill: #b7b79d" d="M 584.372 152.269 L 612.961,152.269 L 612.961,174.838 L 584.372,174.838 L 584.372,152.269z"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #494936" d="M 584.372 152.269 L 612.949,152.269 L 612.949,174.832 L 584.372,174.832 L 584.372,152.269"/>
-    <path style="fill: #ffffff" d="M 586.828 155.166 L 610.499,155.166 L 610.499,172.603 L 586.828,172.603 L 586.828,155.166z"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #494936" d="M 586.828 155.166 L 610.499,155.166 L 610.499,172.597 L 586.828,172.597 L 586.828,155.166"/>
-    <path style="fill: #7a7a5a" d="M 612.734 174.624 L 615.87,171.495 L 615.87,149.366 L 612.734,152.269 L 612.734,174.624z"/>
-    <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #494936" d="M 612.734 174.624 L 615.87,171.495 L 615.87,149.366 L 612.734,152.269 L 612.734,174.624"/>
-  </g>
-  <line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="537.622" y1="196.914" x2="578.561" y2="181.478"/>
-  <text font-size="12.8" style="fill: #000000;text-anchor:middle;font-family:sans-serif;font-style:normal;font-weight:normal" x="594.208" y="201.266">
-    <tspan x="594.208" y="201.266">marcos</tspan>
-    <tspan x="594.208" y="217.266">192.168.0.3/24</tspan>
-  </text>
-  <line style="fill: none; fill-opacity:0; stroke-width: 2; stroke: #000000" x1="411.999" y1="159.792" x2="463.567" y2="196.166"/>
-  <g>
+  <g id="Arrière-plan">
     <g>
-      <path style="fill: #b7b79d" d="M 568.45 401.973 L 568.45,410.258 L 603.461,410.258 L 603.461,401.973 L 568.45,401.973z"/>
-      <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #494936" d="M 568.45 401.973 L 568.45,410.258 L 603.461,410.258 L 603.461,401.973 L 568.45,401.973"/>
-      <path style="fill: #c9c9b6" d="M 568.45 401.973 L 585.417,374.943 L 620.44,374.943 L 603.461,401.973 L 568.45,401.973z"/>
-      <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #494936" d="M 568.45 401.973 L 585.417,374.943 L 620.44,374.943 L 603.461,401.973 L 568.45,401.973"/>
-      <path style="fill: #7a7a5a" d="M 603.461 410.258 L 620.44,393.317 L 620.44,374.943 L 603.461,401.973 L 603.461,410.258z"/>
-      <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #494936" d="M 603.461 410.258 L 620.44,393.317 L 620.44,374.943 L 603.461,401.973 L 603.461,410.258"/>
-      <path style="fill: #c9c9b6" d="M 576.755 394.394 L 580.719,386.835 L 587.941,377.823 L 594.799,370.258 L 602.02,370.258 L 594.448,378.193 L 587.22,387.562 L 583.62,394.394 L 576.755,394.394z"/>
-      <path style="fill: none; fill-opacity:0; stroke-width: 0.02; stroke: #494936" d="M 576.755 394.394 L 580.719,386.835 L 587.941,377.823 L 594.799,370.258 L 602.02,370.258 L 594.448,378.193 L 587.22,387.562 L 583.62,394.394 L 576.755,394.394"/>
-      <path style="fill: #b7b79d" d="M 576.755 394.394 L 576.755,400.169 L 584.34,400.169 L 583.62,394.394 L 576.755,394.394z"/>

(Diff truncated)
new patches on ikiwiki
diff --git a/services/wiki.mdwn b/services/wiki.mdwn
index 0a82a34..14521f5 100644
--- a/services/wiki.mdwn
+++ b/services/wiki.mdwn
@@ -130,7 +130,8 @@ On any given upgrade, the following patches need to be applied:
 
 There are two patches left:
 
- * [[!iki todo/toc-with-human-readable-anchors]]
+ * [[!iki todo/toc-with-human-readable-anchors]] and [[!iki plugins/contrib/i18nheadinganchors]]
+ * [[!iki bugs/footnotes-look-weird]]
  * [[!iki todo/git-annex_support]]
  * [[!iki todo/admonitions]]
 

un beau livre!!
diff --git a/wishlist.mdwn b/wishlist.mdwn
index 7d2c451..42498b0 100644
--- a/wishlist.mdwn
+++ b/wishlist.mdwn
@@ -54,6 +54,7 @@ Voici des choses que vous pouvez m'acheter si vous êtes le Père Nowel (yeah ri
    [chez abebooks.com](http://www.abebooks.com/servlet/BookDetailsPL?bi=14250044964&searchurl=sts%3Dt%26amp%3By%3D0%26amp%3Bx%3D0%26amp%3Bkn%3D9782857251842),
    aussi en [DVD](http://www.capehorn.com/TrailerAng.htm))
    * autres
+     * [Astronomica : galaxies, planètes, étoiles, cartes des constellations, explorations spatiales](http://www.worldcat.org/oclc/495085208)
      * <http://whatif.xkcd.com/book/>
      * [La théorie du drone](http://www.worldcat.org/oclc/847564093)
      * [The ARRL Operating Manual](http://www.arrl.org/shop/The-ARRL-Operating-Manual/)

add bookchin quote
diff --git a/sigs.fortune b/sigs.fortune
index ca1897c..23c3271 100644
--- a/sigs.fortune
+++ b/sigs.fortune
@@ -1050,3 +1050,6 @@ domain of capital.
 Gods don't like people not doing much work. People who aren't busy all
 the time might start to think.
                         - Terry Pratchett, Small Gods
+%
+If we do not do the impossible, we shall be faced with the unthinkable.
+                        - Murray Bookchin

fix yet another link
diff --git a/blog/2017-04-29-netdev-rise-linux-networking-hw.mdwn b/blog/2017-04-29-netdev-rise-linux-networking-hw.mdwn
index 24cdb9f..86f58b9 100644
--- a/blog/2017-04-29-netdev-rise-linux-networking-hw.mdwn
+++ b/blog/2017-04-29-netdev-rise-linux-networking-hw.mdwn
@@ -151,7 +151,7 @@ show up as a single port, which limits the amount of information that
 can be extracted from the switch. For example, you cannot have per-port
 traffic statistics with swconfig. That limitation is what led to the
 creation of the switchdev framework, when swconfig was
-[proposed](/Articles/571390/) (then refused) for inclusion in mainline.
+[proposed](https://lwn.net/Articles/571390/) (then refused) for inclusion in mainline.
 Another goal of switchdev was to support bridge hardware offloading and
 network interface card (NIC) virtualization.
 

fix typos in URLs
diff --git a/blog/2017-04-29-netdev-rise-linux-networking-hw.mdwn b/blog/2017-04-29-netdev-rise-linux-networking-hw.mdwn
index cd0edf7..24cdb9f 100644
--- a/blog/2017-04-29-netdev-rise-linux-networking-hw.mdwn
+++ b/blog/2017-04-29-netdev-rise-linux-networking-hw.mdwn
@@ -48,7 +48,7 @@ hardware and software in the network threaten free software in the
 server. Even though some manufacturers are already providing a "Linux
 interface" in their hardware, it is often only some sort of
 compatibility shell which might be compared with the [Ubuntu
-compatibility layer in Windows](/Articles/681768/): it's not a real
+compatibility layer in Windows](https://lwn.net/Articles/681768/): it's not a real
 Linux.
 
 Mukherjee pushed this idea further by saying that those companies are
@@ -101,7 +101,7 @@ improve:
     that need to scale to hundreds of interfaces and devices easily.
     This is something the Linux bridge was never designed to do and it's
     showing scalability issues. During the conference, there was hope
-    that the [new XDP and eBPF developments](/Articles/719850/) could
+    that the [new XDP and eBPF developments](https://lwn.net/Articles/719850/) could
     help, but also concerns this would create yet another bridge layer
     inside the kernel.
 
@@ -120,14 +120,14 @@ So how exactly do switches work in Linux?
 
 The Linux kernel manipulates switches with three different operation
 structures: `switchdev_ops`, which we [previously
-covered](/Articles/675826/), `ethtool_ops`, and `netdev_ops`. Certain
+covered](https://lwn.net/Articles/675826/), `ethtool_ops`, and `netdev_ops`. Certain
 switches, however, also need [distributed switch architecture
 (DSA)](https://www.kernel.org/doc/Documentation/networking/dsa/dsa.txt)
 features to be properly handled. DSA is a more obscure part of the
 network stack that allows Linux to represent hardware switches or chains
 of switches using regular Linux tools like `bridge`, `ifconfig`, and so
 on. While switchdev is a new layer, DSA has been in the kernel [since
-2.6.28](/Articles/302333/) in 2008. Originally developed to support
+2.6.28](https://lwn.net/Articles/302333/) in 2008. Originally developed to support
 Marvell switches, DSA is now a generic layer deployed in WiFi access
 points, set-top boxes, on-board flight entertainment systems, trains,
 and other industrial equipment. Switches that have an Ethernet
@@ -184,7 +184,7 @@ your own wireless router or data center switch runs Linux.
 
 In recent years, we have seen more and more networking devices shipped
 with Linux and sometimes even OpenWrt (e.g. in the case of the Turris
-Omnia, which we [previously covered](/Articles/705051/)), and especially
+Omnia, which we [previously covered](https://lwn.net/Articles/705051/)), and especially
 on SOHO routers, but it sometimes means a crippled operating system that
 only offers you a proprietary web interface. But at least those efforts
 make it easier to deploy free operating systems on those devices.
@@ -200,8 +200,8 @@ continuous struggle for OpenWrt developers to liberate generation after
 generation of proprietary hardware with companies like Cisco locking
 down the venerable WRT platform in 2006 and the US Federal
 Communications Commission (FCC) rules that forced TP-Link to [block free
-software on its routers](/Articles/679801/), a change that was [later
-reverted](/Articles/695994/).
+software on its routers](https://lwn.net/Articles/679801/), a change that was [later
+reverted](https://lwn.net/Articles/695994/).
 
 Most hardware providers are obviously not dedicated to software freedom:
 deploying Linux on their hardware is for them an economic, not political
diff --git a/blog/2017-04-29-netdev-rise-linux-networking-hw/comment_2_bcad385e65f47e950b9ff2896c5fd76b._comment b/blog/2017-04-29-netdev-rise-linux-networking-hw/comment_2_bcad385e65f47e950b9ff2896c5fd76b._comment
new file mode 100644
index 0000000..66a62b0
--- /dev/null
+++ b/blog/2017-04-29-netdev-rise-linux-networking-hw/comment_2_bcad385e65f47e950b9ff2896c5fd76b._comment
@@ -0,0 +1,9 @@
+[[!comment format=mdwn
+ username="anarcat"
+ subject="""fixed"""
+ date="2017-04-30T14:37:32Z"
+ content="""
+thanks for the heads up! should always run linkchecker on my articles...
+
+*and* I should automate this further... :)
+"""]]

Added a comment: Dead links
diff --git a/blog/2017-04-29-netdev-rise-linux-networking-hw/comment_1_dacf96a68de6979535afeca57d2d47a5._comment b/blog/2017-04-29-netdev-rise-linux-networking-hw/comment_1_dacf96a68de6979535afeca57d2d47a5._comment
new file mode 100644
index 0000000..a93409d
--- /dev/null
+++ b/blog/2017-04-29-netdev-rise-linux-networking-hw/comment_1_dacf96a68de6979535afeca57d2d47a5._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ ip="45.72.243.40"
+ claimedauthor="mvc"
+ subject="Dead links"
+ date="2017-04-29T23:42:13Z"
+ content="""
+FYI links to /Articles/XXX need the LWN domain here.
+"""]]

fix typos
diff --git a/blog/2017-04-29-free-software-activities-april-2017.mdwn b/blog/2017-04-29-free-software-activities-april-2017.mdwn
index 6fd3d52..afb7bae 100644
--- a/blog/2017-04-29-free-software-activities-april-2017.mdwn
+++ b/blog/2017-04-29-free-software-activities-april-2017.mdwn
@@ -29,8 +29,8 @@ services, this may mean elevated compromise and more nasty stuff.
 I furthered the investigation done with my [own analysis][] which
 showed the problem is difficult to solve: Kodi internally uses the
 facility to show thumbnails and media to the user, and there are no
-clear way of restricting which paths Kodi should have acess
-to. Indeed, Kodi is designed to access mounted filesystems and paths
+clear way of restricting which paths Kodi should have access
+to. Indeed, Kodi is designed to access mounted file systems and paths
 in arbitrary locations. In [[!debbug 855225]], I further confirmed
 confirmed wheezy and jessie-backports as vulnerable and therefore
 showed with good certainty that stretch and sid are vulnerable as
@@ -150,13 +150,13 @@ Triage
 Looking for more work, I peeked a bit in the secretary tasks to triage
 some pending issues. I found that [[!debpkg trafficserver]] could be
 crashed with simple requests ([[!debcve CVE-2017-5659]]) so I looked
-into that issue. My [analysis shoed][] that the patch is long and
+into that issue. My [analysis showed][] that the patch is long and
 complex and could be difficult to backport to the old version
 available in wheezy. I also couldn't reproduce the issue in wheezy, so
 it may be a bug introduced only later, although I couldn't confirm
 that directly.
 
-[analysis shoed]: https://lists.debian.org/20170426162316.sraxe7bnagjt2rss@curie.anarc.at
+[analysis showed]: https://lists.debian.org/20170426162316.sraxe7bnagjt2rss@curie.anarc.at
 
 I also triaged [[!debcve wireshark]], where I just noted the
 maintainer expressed concern that we were taking up issues too fast
@@ -214,7 +214,7 @@ free environment is not lost on me.
 
 Needing to scratch that particular itch, and with the help of clever
 people from the IRC channel, I was able to make Emacs tell Xmonad to
-show its window (or "frame" as Emaces likes to call it) on all
+show its window (or "frame" as Emacs likes to call it) on all
 desktops. This involved creating a new function which I think could be
 useful in the [CopyWindow library][]:
 
@@ -273,7 +273,7 @@ identifier and wrote a event hook handler to process it:
       -- we processed the event completely
       return $ All True
 
-All that was left was to hook that into emacs, and I was done!
+All that was left was to hook that into Emacs, and I was done!
 Whoohoo! Full screen total domination, distraction free work! :)
 
 I would love to hear from others what they think of that approach, if
@@ -292,11 +292,14 @@ Speaking of Emacs, after complaining in the noisy `#emacs` IRC channel
 about the [poor TLS configuration of marmelade.org][] -- and filing a
 bug ([[!debbug 861106]]) regarding the use of SHA-1 in certificate
 pinning -- I was told we shouldn't expect trust from third-party ELPA
-repositories. Marmelade seems to be basically dead, as the maintainer
-is "behind the great firewall of China" and still hasn't figured
-out [how to sign packages][]. In the end, it seems like there
+repositories. [Marmelade][] seems to be dead, as the maintainer is
+"behind the great firewall of China" and [MELPA][] still hasn't
+figured out [how to sign packages][]. In the end, it seems like there
 are [tons of elpa packages in Debian][] and that if your favorite one
-is missing, that's a bug that can be fixed.
+is missing, that's a bug that can be filed and fixed.
+
+[MELPA]: https://melpa.org/
+[Marmelade]: https://marmalade-repo.org/
 
 I first discovered that 6 of the packages I used were already
 packaged:
@@ -339,7 +342,7 @@ then [NicerHeadingIds][] and that I have always found frustrating with
 Ikiwiki.
 
 It turns out the problem was both easier and hairier than I
-thought. Right from the start, somethign weird was happening:
+thought. Right from the start, something weird was happening:
 something *was* already adding nice headings, but they were somewhat
 broken. It turns out that [multimarkdown][] already inserts those
 headers, but I wasn't satisfied with the way they were generated. But

link to libsndfile DLA
diff --git a/blog/2017-04-29-free-software-activities-april-2017.mdwn b/blog/2017-04-29-free-software-activities-april-2017.mdwn
index dbff1e8..6fd3d52 100644
--- a/blog/2017-04-29-free-software-activities-april-2017.mdwn
+++ b/blog/2017-04-29-free-software-activities-april-2017.mdwn
@@ -99,8 +99,10 @@ would be best to incorporate the security fixes done in stable, which
 brought in fixes for [[!debcve CVE-2015-7805]], [[!debcve
 CVE-2014-9756]] and [[!debcve CVE-2014-9496]]. So in the end, I ported
 patches from wheezy to jessie and uploaded the jessie version
-(reverting certain build changes) into wheezy.
+(reverting certain build changes) into wheezy and
+uploaded [DLA-928-1][] with the results.
 
+[DLA-928-1]: https://lists.debian.org/20170429193236.xp7gzzpbwf25mfp6@curie.anarc.at
 [test package]: https://lists.debian.org/87bmrk47kt.fsf@curie.anarc.at
 
 yaml-cpp

fix syntax issue
diff --git a/blog/2017-04-29-free-software-activities-april-2017.mdwn b/blog/2017-04-29-free-software-activities-april-2017.mdwn
index f441b3f..dbff1e8 100644
--- a/blog/2017-04-29-free-software-activities-april-2017.mdwn
+++ b/blog/2017-04-29-free-software-activities-april-2017.mdwn
@@ -309,12 +309,12 @@ packaged:
 And so I went ahead and filed a ton more bugs for the packages I am
 using but that aren't in Debian just yet:
  
- * company-go: [[!debbug 861177]
- * elpy: [[!debbug 861174]
- * markdown-toc: [[!debbug 861128]
- * multiple-cursors: [[!debbug 861127]
- * writegood-mode: [[!debbug 861125]
- * writeroom-mode: [[!debbug 861124]
+ * company-go: [[!debbug 861177]]
+ * elpy: [[!debbug 861174]]
+ * markdown-toc: [[!debbug 861128]]
+ * multiple-cursors: [[!debbug 861127]]
+ * writegood-mode: [[!debbug 861125]]
+ * writeroom-mode: [[!debbug 861124]]
 
 Of those, I can't recommend [multiple-cursors][] (MC) enough: I used
 it at least 4 times just writing this text. It's just awesome. The

creating tag page tag/xmonad
diff --git a/tag/xmonad.mdwn b/tag/xmonad.mdwn
new file mode 100644
index 0000000..4e973f3
--- /dev/null
+++ b/tag/xmonad.mdwn
@@ -0,0 +1,4 @@
+[[!meta title="pages tagged xmonad"]]
+
+[[!inline pages="tagged(xmonad)" actions="no" archive="yes"
+feedshow=10]]

monthly report
diff --git a/blog/2017-04-29-free-software-activities-april-2017.mdwn b/blog/2017-04-29-free-software-activities-april-2017.mdwn
new file mode 100644
index 0000000..f441b3f
--- /dev/null
+++ b/blog/2017-04-29-free-software-activities-april-2017.mdwn
@@ -0,0 +1,417 @@
+[[!meta title="My free software activities, April 2017"]]
+
+[[!toc levels=2]]
+
+Debian Long Term Support (LTS)
+==============================
+
+This is my monthly [Debian LTS][] report. My time this month was spent
+working on various hairy security issues, most notably XBMC (now known
+as Kodi) and yaml-cpp.
+
+[Debian LTS]: https://www.freexian.com/services/debian-lts.html
+
+Kodi directory transversal
+--------------------------
+
+I started by looking in [[!debcve CVE-2017-5982]], a "directory
+traversal" vulnerability in XBMC (now known as [Kodi][]) which is a
+technical term for "allow attackers to read any world-readable file on
+your computer from the network". It's a serious vulnerability which
+has no known fix. When you enable the "remote control" interface in
+Kodi, it allows anyone with the password (which is disabled by
+default) to download *any* files Kodi has read access to on the
+machine it's running. Considering Kodi is often connected to multiple
+services, this may mean elevated compromise and more nasty stuff.
+
+[Kodi]: https://kodi.tv/
+
+I furthered the investigation done with my [own analysis][] which
+showed the problem is difficult to solve: Kodi internally uses the
+facility to show thumbnails and media to the user, and there are no
+clear way of restricting which paths Kodi should have acess
+to. Indeed, Kodi is designed to access mounted filesystems and paths
+in arbitrary locations. In [[!debbug 855225]], I further confirmed
+confirmed wheezy and jessie-backports as vulnerable and therefore
+showed with good certainty that stretch and sid are vulnerable as
+well. I also suggested possible workaround, but at this point, it's in
+upstream's hands, as the changes will be intrusive. The file transfer
+mechanism need to be revamped all over Kodi, or authentication (with a
+proper password policy), need to be enforced.
+
+[own analysis]: https://lists.debian.org/87zif33oxf.fsf@curie.anarc.at
+
+Squirrelmail
+------------
+
+Next I looked at that old webmail software, [Squirrelmail][], which
+suffers from a remote code execution vulnerability ([[!debcve
+CVE-2017-7692]]) when sending mails with [[!debpkg sendmail]] on the
+commandline. This is arguably an edge case, but considering the patch
+was simple, I figured I would provide an update to the LTS
+community. I tried to get a coordinated release for jessie, since the
+code is the same, but this wasn't completed at the time of writing. A
+[patch is available][] and will hopefully be picked up by another LTS
+worker soon.
+
+[patch is available]: https://lists.debian.org/87h917xfg3.fsf@curie.anarc.at
+[Squirrelmail]: http://squirrelmail.org/
+
+Fop and Batik
+-------------
+
+Those issues ([[!debcve CVE-2017-5661]] and [[!debcve CVE-2017-5662]])
+were more difficult. The patches weren't clearly documented and there
+were no upstream references other than security advisories for the
+first release in years (in the case of batik) or months (in the case
+of fop), which made it hard to track down the issues. Fortunately, I
+was able to track down the upstream issues ([FOP-2668][]
+and [BATIK-1139][]) where I got confirmation on what the proper fixes
+were. I could then release [DLA-927-1][] and [DLA-926-1][] with the
+backported patches.
+
+I do not use fop or batik. In fact, even after reading the homepage of
+both products, I couldn't quite figure out what use people could
+possibly have for that thing. Before uploading the packages, I
+therefore made packages available for testing for [fop][fop-testing]
+and [batik][batik-testing].
+
+[batik-testing]: https://lists.debian.org/87d1bz2fpk.fsf@curie.anarc.at
+[fop-testing]: https://lists.debian.org/87shkv0xj1.fsf@curie.anarc.at
+[DLA-927-1]: https://lists.debian.org/debian-lts-announce/2017/04/msg00046.html
+[DLA-926-1]: https://lists.debian.org/debian-lts-announce/2017/04/msg00044.html
+[FOP-2668]: https://issues.apache.org/jira/browse/FOP-2668
+[BATIK-1139]: https://issues.apache.org/jira/browse/BATIK-1139
+
+libsndfile
+----------
+
+Next up was [[!debcve libsndfile]] which a bunch of overflows when
+parsing various audio files. I backported a patch for [[!debcve
+CVE-2017-7585]] [[!debcve CVE-2017-7586]] and [[!debcve
+CVE-2017-7741]] which all seemed to be fixed by a single patch
+usptream. [[!debcve CVE-2017-7742]] was also fixed, although with a
+separate patch. In all of those, i could only test CVE-2017-7741 and
+CVE-2017-7742, as the others were missing test cases.
+
+I provided a [test package][] for a few days then I also figured it
+would be best to incorporate the security fixes done in stable, which
+brought in fixes for [[!debcve CVE-2015-7805]], [[!debcve
+CVE-2014-9756]] and [[!debcve CVE-2014-9496]]. So in the end, I ported
+patches from wheezy to jessie and uploaded the jessie version
+(reverting certain build changes) into wheezy.
+
+[test package]: https://lists.debian.org/87bmrk47kt.fsf@curie.anarc.at
+
+yaml-cpp
+--------
+
+I then turned to [[!debpkg yaml-cpp]], a C++ parser for YAML. This one
+didn't have a known upstream fix, but I figured I would give it a shot
+anyways. I ended up writing my [first C++ code in years][] which is
+still pending review and merge upstream. It's not an easy problem to
+fix: this is basically an excessive recursion problem that can be used
+to smash the stack. I figured I could introduce a recursion limit, but
+as the discussion showed, this is a limited approach: stack size
+varies on different platforms and it's not easy to find the right
+limit.
+
+[first C++ code in years]: https://github.com/jbeder/yaml-cpp/pull/489
+
+The real solution is to rewrite the code to avoid recursion but that's
+a major code refactoring I didn't feel belong in a LTS
+update. Besides, this could be better handled by upstream, so I will
+leave things at that for now. It does make you wonder how much code
+out there is recursing on untrusted data structures... 
+
+kedpm
+-----
+
+Finally, a friend over at [Koumbit.org](https://koumbit.org) reported
+[[!debbug 860817]], as information leak in kedpm, a password manager I
+previously maintained. I requested and got assigned [[!debcve
+CVE-2017-8296]] and provided a fix for wheezy and jessie. For unstable
+and the coming stretch release, I have requested kedpm to be
+completely removed from Debian ([[!debbug 860817]]) which involved a
+release notes update ([[!debbug 861277]]).
+
+It's unfortunate to see software go, but kedpm wasn't maintained. I
+wasn't the original author: I just gave a few patches and ended up
+maintaining that software and not using it. It's a bad situation to be
+in, as you don't really know what's working and not with the tools you
+are supposed to be responsible for. There are more modern alternatives
+available now and I encourage everyone to switch.
+
+Triage
+------
+
+Looking for more work, I peeked a bit in the secretary tasks to triage
+some pending issues. I found that [[!debpkg trafficserver]] could be
+crashed with simple requests ([[!debcve CVE-2017-5659]]) so I looked
+into that issue. My [analysis shoed][] that the patch is long and
+complex and could be difficult to backport to the old version
+available in wheezy. I also couldn't reproduce the issue in wheezy, so
+it may be a bug introduced only later, although I couldn't confirm
+that directly.
+
+[analysis shoed]: https://lists.debian.org/20170426162316.sraxe7bnagjt2rss@curie.anarc.at
+
+I also triaged [[!debcve wireshark]], where I just noted the
+maintainer expressed concern that we were taking up issues too fast
+and will probably take care of this one. I also postponed various
+issues in GnuTLS (marked "no-dsa") as they affect only a
+(unfortunately) rarely used part of GnuTLS that has been removed in
+later version: OpenPGP support.
+
+Other free software work
+========================
+
+Debiman
+-------
+
+I finally got around contributing to the [debiman][] project. I worked
+on ensuring that there is a [dman compatibility][] in debiman, by
+shipping dman in the [[!debpkg debian-goodies]] package ([[!debbug
+860920]]). I also submitted a pull request to fix
+the [fix about page title][], document
+the [custom assets repository][], [fix a stray bracket][] and link to
+the link to venerable [man7.org project][]
+
+[man7.org project]: https://github.com/Debian/debiman/issues/74
+[fix a stray bracket]: https://github.com/Debian/debiman/issues/73
+[custom assets repository]: https://github.com/Debian/debiman/issues/76
+[fix about page title]: https://github.com/Debian/debiman/pull/77
+[dman compatibility]: https://github.com/Debian/debiman/issues/57
+[debiman]: https://github.com/Debian/debiman/
+
+After a discussion on IRC, I also filed a few more issues:
+
+ * [redirect bpf to bpf.2, not bpf.4freebsd](https://github.com/Debian/debiman/issues/68)
+ * [redirect to unstable by default](https://github.com/Debian/debiman/issues/69)
+ * [arrows missing in table of contents](https://github.com/Debian/debiman/issues/71)
+ * [automatically collapse long links](https://github.com/Debian/debiman/issues/72)
+ * [old ?query= parameter ignored/failing](https://github.com/Debian/debiman/issues/78)
+

(Diff truncated)
add forgotten tags
diff --git a/blog/2017-04-29-netdev-fast-path.mdwn b/blog/2017-04-29-netdev-fast-path.mdwn
index c747a31..aceb407 100644
--- a/blog/2017-04-29-netdev-fast-path.mdwn
+++ b/blog/2017-04-29-netdev-fast-path.mdwn
@@ -297,3 +297,5 @@ systems into the Linux kernel.
 
 [first appeared]: https://lwn.net/Articles/719850
 [Linux Weekly News]: http://lwn.net/
+
+[[!tag debian-planet linux kernel netdev conference lwn geek coverage]]
diff --git a/blog/2017-04-29-netdev-rise-linux-networking-hw.mdwn b/blog/2017-04-29-netdev-rise-linux-networking-hw.mdwn
index 87171ac..cd0edf7 100644
--- a/blog/2017-04-29-netdev-rise-linux-networking-hw.mdwn
+++ b/blog/2017-04-29-netdev-rise-linux-networking-hw.mdwn
@@ -260,3 +260,5 @@ dominance in general-purpose computing.
 
 [first appeared]: https://lwn.net/Articles/720313/
 [Linux Weekly News]: http://lwn.net/
+
+[[!tag debian-planet linux kernel netdev conference lwn geek coverage]]

publish articles from netdev 2.2
commit 2030c969ac4745b3bef48a1136423df62e6a3334
Author: Antoine Beaupré <anarcat@debian.org>
Date: Tue Apr 18 21:02:39 2017 -0400
fix typo
commit e5ccc39e4939c66ee029f7d10965da9582ad9388
Author: Antoine Beaupré <anarcat@debian.org>
Date: Tue Apr 18 21:02:12 2017 -0400
import latest reviews from jake
commit 44463eb4ff629e35432656017d690288d6638c0f
Author: Antoine Beaupré <anarcat@debian.org>
Date: Tue Apr 18 15:51:23 2017 -0400
rephrase the standard bit, it was confusing + wording
commit fe152a835ca9b608e1107866d351523a9f2142f6
Author: Antoine Beaupré <anarcat@debian.org>
Date: Tue Apr 18 15:41:09 2017 -0400
first review from jake
commit 1fccc8245ad95b1930fb3e8c3c5891d04e6eaab3
Author: Antoine Beaupré <anarcat@debian.org>
Date: Tue Apr 18 11:27:18 2017 -0400
import final fast-path version from LWN
commit 14b99b6a907894b71920748ee2d3a5de98450843
Author: Antoine Beaupré <anarcat@debian.org>
Date: Tue Apr 18 11:21:17 2017 -0400
yet another review, expand conclusion and more
commit fabc6842c1df4ce2242ecb9d3fda2d58b1f64568
Author: Antoine Beaupré <anarcat@debian.org>
Date: Tue Apr 18 08:52:34 2017 -0400
get real quotes from cumulus
commit a21eaa65233fedb311b11dd751d4444feee7b0cb
Author: Antoine Beaupré <anarcat@debian.org>
Date: Sun Apr 16 19:32:15 2017 -0400
one last review before sending to LWN
commit 44e53d7c6741c5c4d249239936da662e9b9fbae5
Author: Antoine Beaupré <anarcat@debian.org>
Date: Sun Apr 16 19:10:07 2017 -0400
changes afre andrews review
commit 3502ac691dec198068218f185fab3481bed3e77a
Author: Antoine Beaupré <anarcat@debian.org>
Date: Thu Apr 13 20:02:59 2017 -0400
finish a first draft for linux-networking article
commit adfcba008883adaf2aeea2957da6780b14c33373
Author: Antoine Beaupré <anarcat@debian.org>
Date: Thu Apr 13 11:28:50 2017 -0400
fastpath article review from jake
commit 7a858d56cba10f3f389edda9ee3e1d6023e3bae4
Author: Antoine Beaupré <anarcat@debian.org>
Date: Thu Apr 13 10:03:50 2017 -0400
small errors i found in review
commit fc73342601c55ed9c3f8de1300a6d78b548a2f69
Author: Antoine Beaupré <anarcat@debian.org>
Date: Wed Apr 12 18:20:14 2017 -0400
fix typos spotted by lwn
commit f69e67d6ebd634f24187e18fc940565bc1b12576
Author: Antoine Beaupré <anarcat@debian.org>
Date: Wed Apr 12 18:18:22 2017 -0400
import new review from LWN
commit 9149b74f88813088af1f8e0c7cd8c9bf34babb1e
Author: Antoine Beaupré <anarcat@debian.org>
Date: Mon Apr 10 14:48:46 2017 -0400
one more send for fast-path
commit bef79b219e175638b69f8ce129faf6671b940e00
Author: Antoine Beaupré <anarcat@debian.org>
Date: Mon Apr 10 12:22:21 2017 -0400
full review, from jesper and myself
commit afafc6baca21892128ce39edb3d3e50269a2504a
Author: Antoine Beaupré <anarcat@debian.org>
Date: Sat Apr 8 14:13:56 2017 -0400
formatting
commit b28d9d0cdae962b65f0a5bbd45813a6c1997a24f
Author: Antoine Beaupré <anarcat@debian.org>
Date: Sat Apr 8 12:34:11 2017 -0400
reorder article and review
commit 91006892c2eac5580f56ab7265515e716c82b804
Author: Antoine Beaupré <anarcat@debian.org>
Date: Sat Apr 8 12:34:01 2017 -0400
graf review and conclusion
commit b997e02bfd320ebdf969ece5ef5ba559f13ace66
Author: Antoine Beaupré <anarcat@debian.org>
Date: Fri Apr 7 17:57:40 2017 -0400
4 more netdev drafts
commit ad1e548182a3e9cbb1c4d2af69e95067e66388ee
Author: Antoine Beaupré <anarcat@debian.org>
Date: Wed Apr 12 17:48:07 2017 -0400
final update from lwn
commit dd93499126ff6005198ab5004c4de915327386d4
Author: Antoine Beaupré <anarcat@debian.org>
Date: Tue Apr 11 13:24:52 2017 -0400
another lwn review
commit 5ce4246660feaab75d9acdf50d4908eb4858b46c
Author: Antoine Beaupré <anarcat@debian.org>
Date: Tue Apr 11 09:12:58 2017 -0400
sync netconf1/2 with LWN.net
commit ed2cc9fe04f5991a8921fd31e83c5becc7b43e32
Author: Antoine Beaupré <anarcat@debian.org>
Date: Mon Apr 10 15:57:02 2017 -0400
small tweaks on day1
commit 1f6398cb9813f68bea1d029a66b0a131fae63d2e
Author: Antoine Beaupré <anarcat@debian.org>
Date: Mon Apr 10 14:49:09 2017 -0400
edge review netconf1
commit 7740f10ebd27f01616a7c12454f99fe5402b98ba
Author: Antoine Beaupré <anarcat@debian.org>
Date: Mon Apr 10 10:26:01 2017 -0400
corbet review day 2
commit e2deaafc745628042c134998aecadfd8efe86ce4
Author: Antoine Beaupré <anarcat@debian.org>
Date: Mon Apr 10 09:43:01 2017 -0400
review from corbet
commit 5b50af5f57e667cd2bf76f2a6194cc0b83feaa0e
Author: Antoine Beaupré <anarcat@debian.org>
Date: Sat Apr 8 18:29:51 2017 -0400
short review from alexei
commit dac6ebe94d8a42e64e8969e7151f789ba3dfbb3f
Author: Antoine Beaupré <anarcat@debian.org>
Date: Sat Apr 8 17:07:33 2017 -0400
link to the new netlink patch
commit e6918945a2317294a0993e2f26b07ecde26f8fe5
Author: Antoine Beaupré <anarcat@debian.org>
Date: Sat Apr 8 14:20:50 2017 -0400
move notes to... well, notes
commit 6cf9ae23b961f2785bf7490a000b6eca71f324c8
Author: Antoine Beaupré <anarcat@debian.org>
Date: Sat Apr 8 12:19:21 2017 -0400
fix names in netconf2
commit 8a2aacfba38a9e22cfa19bd058f8583eec956b2b
Author: Antoine Beaupré <anarcat@debian.org>
Date: Sat Apr 8 12:09:48 2017 -0400
more name fixes
commit 3f058f456d9bd8bb97c15ac863632f69b90d2ee5
Author: Antoine Beaupré <anarcat@debian.org>
Date: Sat Apr 8 12:06:23 2017 -0400
add reviewers thanks
commit 074b969ce03e7e98a0ddb27733305a0d1f008506
Author: Antoine Beaupré <anarcat@debian.org>
Date: Sat Apr 8 12:06:12 2017 -0400
patch sent during netdev
commit 11a831e56648b7383e9a2bf968c27316dbe5dff7
Author: Antoine Beaupré <anarcat@debian.org>
Date: Sat Apr 8 12:05:49 2017 -0400
fix names in netconf1
commit c5248a7bc571c1d2e0a810629af9662d06ca1468
Author: Antoine Beaupré <anarcat@debian.org>
Date: Sat Apr 8 12:05:18 2017 -0400
hannes' corrections of VLAN0 issues
commit 257c31950c0a24f22d9407f1f3d71e3d4f6483d3
Author: Antoine Beaupré <anarcat@debian.org>
Date: Sat Apr 8 10:24:38 2017 -0400
small review from corbet
commit 1dbc5e83a2cb82bd61544f21882528630ee38b42
Author: Antoine Beaupré <anarcat@debian.org>
Date: Fri Apr 7 21:10:38 2017 -0400
small clarification
commit 243f16cc1d0c0a5c58c68de9288aa9fc4460ad50
Author: Antoine Beaupré <anarcat@debian.org>
Date: Fri Apr 7 14:36:02 2017 -0400
fix some names, add conclusion, and details on if flags
commit 4eb7d0cde9c9aae0dbf553d35462e93cb23292ea
Author: Antoine Beaupré <anarcat@debian.org>
Date: Fri Apr 7 12:33:17 2017 -0400
final draft sent to lwn
commit 3b67c5de2f21630e74263eda4509af1414f09693
Author: Antoine Beaupré <anarcat@debian.org>
Date: Fri Apr 7 11:37:38 2017 -0400
review from corbet
commit 49def9cc3b84e58ce315297e48e0bf3ac13a2b5e
Author: Antoine Beaupré <anarcat@debian.org>
Date: Fri Apr 7 11:30:26 2017 -0400
review from jaml
commit 029243389b3327dc9745ce3e189b823a7f93a665
Author: Antoine Beaupré <anarcat@debian.org>
Date: Thu Apr 6 18:43:02 2017 -0400
finish second draft
commit 40413df121c82e182dd6f7c17c54dce97a1e5f8b
Author: Antoine Beaupré <anarcat@debian.org>
Date: Wed Apr 5 17:57:32 2017 -0400
complete first day draft
commit 557d89648d4b93da089fe829c49fbd3327d0cbed
Author: Antoine Beaupré <anarcat@debian.org>
Date: Wed Apr 5 16:17:50 2017 -0400
first plan for netconf article plus incomplete day1 draft
diff --git a/blog/2017-04-29-netdev-fast-path.mdwn b/blog/2017-04-29-netdev-fast-path.mdwn
new file mode 100644
index 0000000..c747a31
--- /dev/null
+++ b/blog/2017-04-29-netdev-fast-path.mdwn
@@ -0,0 +1,299 @@
+[[!meta title="New approaches to network fast paths"]]
+[[!meta date="2017-04-13T12:00:00-0500"]]
+[[!meta updated="2017-04-39T13:35:53-0500"]]
+
+With the speed of network hardware now reaching 100 Gbps and distributed
+denial-of-service (DDoS) attacks going in the [Tbps
+range](https://en.wikipedia.org/wiki/2016_Dyn_cyberattack), Linux kernel
+developers are scrambling to optimize key network paths in the kernel to
+keep up. Many efforts are actually geared toward getting traffic *out*
+of the costly Linux TCP stack. We have already
+[covered](https://lwn.net/Articles/708087/) the XDP (eXpress Data Path)
+patch set, but two new ideas surfaced during the Netconf and Netdev
+conferences held in Toronto and Montreal in early April 2017. One is a
+patch set called af\_packet, which aims at extracting raw packets from
+the kernel as fast as possible; the other is the idea of implementing
+in-kernel layer-7 proxying. There are also user-space network stacks
+like [Netmap](http://info.iet.unipi.it/%7Eluigi/netmap/),
+[DPDK](http://dpdk.org/), or Snabb (which we [previously
+covered](https://lwn.net/Articles/713918/)).
+
+This article aims at clarifying what all those components do and to
+provide a short status update for the tools we have already covered. We
+will focus on in-kernel solutions for now. Indeed, user-space tools have
+a fundamental limitation: if they need to re-inject packets onto the
+network, they must again pay the expensive cost of crossing the kernel
+barrier. User-space performance is effectively bounded by that
+fundamental design. So we'll focus on kernel solutions here. We will
+start from the lowest part of the stack, the af\_packet patch set, and
+work our way up the stack all the way up to layer-7 and in-kernel
+proxying.
+
+[[!toc startlevel=2]]
+
+## af\_packet v4
+
+John Fastabend presented a new version of a patch set that was first
+[published in
+January](http://marc.info/?l=linux-netdev&m=148555290811249&w=2)
+regarding the af\_packet protocol family, which is currently used by
+`tcpdump` to extract packets from network interfaces. The goal of this
+change is to allow zero-copy transfers between user-space applications
+and the NIC (network interface card) transmit and receive ring buffers.
+Such optimizations are useful for telecommunications companies, which
+may use it for [deep packet
+inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection) or
+running exotic protocols in user space. Another use case is running a
+high-performance [intrusion detection
+system](https://en.wikipedia.org/wiki/Intrusion_detection_system) that
+needs to watch large traffic streams in realtime to catch certain types
+of attacks.
+
+Fastabend presented his work during the Netdev network-performance
+workshop, but also brought the patch set up for discussion during
+Netconf. There, he said he could achieve line-rate extraction (and
+injection) of packets, with packet rates as high as 30Mpps. This
+performance gain is possible because user-space pages are directly
+DMA-mapped to the NIC, which is also a security concern. The other
+downside of this approach is that a complete pair of ring buffers needs
+to be dedicated for this purpose; whereas before packets were copied to
+user space, now they are memory-mapped, so the user-space side needs to
+process those packets quickly otherwise they are simply dropped.
+Furthermore, it's an "all or nothing" approach; while NIC-level
+classifiers could be used to steer part of the traffic to a specific
+queue, once traffic hits that queue, it is only accessible through the
+af\_packet interface and not the rest of the regular stack. If done
+correctly, however, this could actually improve the way user-space
+stacks access those packets, providing projects like DPDK a safer way to
+share pages with the NIC, because it is well defined and
+kernel-controlled. According to Jesper Dangaard Brouer (during review of
+this article):
+
+> This proposal will be a safer way to share raw packet data between
+> user space and kernel space than what DPDK is doing, \[by providing\]
+> a cleaner separation as we keep driver code in the kernel where it
+> belongs.
+
+During the Netdev network-performance workshop, Fastabend asked if there
+was a better data structure to use for such a purpose. The goal here is
+to provide a consistent interface to user space regardless of the driver
+or hardware used to extract packets from the wire. af\_packet currently
+defines its own packet format that abstracts away the NIC-specific
+details, but there are other possible formats. For example, someone in
+the audience proposed the virtio packet format. Alexei Starovoitov
+rejected this idea because af\_packet is a kernel-specific facility
+while virtio has [its own separate specification](https://lwn.net/Articles/580186/)
+with its own requirements.
+
+The next step for af\_packet is the posting of the new "v4" patch set,
+although Miller warned that this wouldn't get merged until proper XDP
+support lands in the Intel drivers. The concern, of course, is that the
+kernel would have multiple incomplete bypass solutions available at
+once. Hopefully, Fastabend will present the (by then) merged patch set
+at the next Netdev conference in November.
+
+## XDP updates
+
+Higher up in the networking stack sits XDP. The af\_packet feature
+differs from XDP in that it does not perform any sort of analysis or
+mangling of packets; its objective is purely to get the data into and
+out of the kernel as fast as possible, completely bypassing the regular
+kernel networking stack. XDP also sits before the networking stack
+except that, according to Brouer, it is "*focused on cooperating with
+the existing network stack infrastructure, and on use-cases where the
+packet doesn't necessarily need to leave kernel space (like routing and
+bridging, or skipping complex code-paths).*"
+
+XDP has evolved quite a bit since we last covered it in LWN. It seems
+that most of the controversy surrounding the introduction of XDP in the
+Linux kernel has died down in public discussions, under the leadership
+of David Miller, who heralded XDP as the right solution for a long-term
+architecture in the kernel. He presented XDP as a fast, flexible, and
+safe solution.
+
+Indeed, one of the controversies surrounding XDP was the question of the
+inherent security challenges with introducing user-provided programs
+directly into the Linux kernel to mangle packets at such a low level.
+Miller argued that whatever protections are expected for user-space
+programs also apply to XDP programs, comparing the virtual memory
+protections to the eBPF (extended BPF) verifier applied to XDP programs.
+Those programs are actually eBPF that have an interesting set of
+restrictions:
+
+-   they have a limited size
+-   they cannot jump backward (and thus cannot loop), so they execute in
+    predictable time
+-   they do only static allocation, so they are also limited in memory
+
+XDP is not a one-size-fits-all solution: netfilter, the TC traffic
+shaper, and other normal Linux utilities still have their place. There
+is, however, a clear use case for a solution like XDP in the kernel.
+
+For example, Facebook and Cloudflare have both started testing XDP and,
+in Facebook's case, deploying XDP in production. Martin Kafai Lau, from
+Facebook, presented the tool set the company is using to construct a
+DDoS-resilience solution and a level-4 load balancer (L4LB), which got a
+ten-times performance improvement over the previous
+[IPVS](http://www.linuxvirtualserver.org/software/ipvs.html)-based
+solution. Facebook rolled out its own user-space solution called
+"Droplet" to detect hostile traffic and deploy blocking rules in the
+form of eBPF programs loaded in XDP. Lau demonstrated the way Facebook
+deploys a three-part chained eBPF program: the first part allows
+debugging and dumping of packets, the second is Droplet itself, which
+drops undesirable traffic, and the last segment is the load balancer,
+which mangles the packets to tweak their destination according to
+internal rules. Droplet can drop DDoS attacks at line rate while keeping
+the architecture flexible, which were two key design requirements.
+
+Gilberto Bertin, from Cloudflare, presented a similar approach:
+Cloudflare has a tool that processes
+[sFlow](https://en.wikipedia.org/wiki/SFlow) data generated from
+`iptables` in order to generate cBPF (classic BPF) mitigation rules that
+are then deployed on edge routers. Those rules are created with a tool
+called `bpfgen`, part of Cloudflare's BSD-licensed
+[bpftools](https://github.com/cloudflare/bpftools) suite. For example,
+it could create a cBPF bytecode blob that would match DNS queries to any
+`example.com` domain with something like:
+
+        bpfgen dns *.example.com
+
+Originally, Cloudflare would deploy those rules to plain `iptables`
+firewalls with the `xt_bpf` module, but this led to performance issues.
+It then deployed a proprietary user-space solution based on
+[Solarflare](http://www.solarflare.com/) hardware, but this has the
+performance limitations of user-space applications — getting packets
+back onto the wire involves the cost of re-injecting packets back into
+the kernel. This is why Cloudflare is experimenting with XDP, which was
+partly developed in response to the company's problems, to deploy those
+BPF programs.
+
+A concern that Bertin identified was the lack of visibility into dropped
+packets. Cloudflare currently samples some of the dropped traffic to
+analyze attacks; this is not currently possible with XDP unless you pass
+the packets down the stack, which is expensive. Miller agreed that the
+lack of monitoring for XDP programs is a large issue that needs to be
+resolved, and suggested creating a way to mark packets for extraction to
+allow analysis. Cloudflare is currently in a testing phase with XDP and
+it is unclear if its whole XDP tool chain will be publicly available.
+
+While those two companies are starting to use XDP as-is, there is more
+work needed to complete the XDP project. As mentioned above and in our
+[previous coverage](https://lwn.net/Articles/719388/#stats), massive statistics
+extraction is still limited in the Linux kernel and [introspection is
+difficult](https://lwn.net/Articles/719393/#progid). Furthermore, while the existing
+actions (`XDP_DROP` and `XDP_TX`, see the
+[documentation](http://prototype-kernel.readthedocs.io/en/latest/networking/XDP/implementation/xdp_actions.html)
+for more information) are well implemented and used, another action may
+be introduced, called `XDP_REDIRECT`, which would allow redirecting
+packets to different network interfaces. Such an action could also be
+used to accelerate bridges as packets could be "switched" based on the
+MAC address table. XDP also requires network driver support, which is
+currently limited. For example, the Intel drivers still do not support
+XDP, although that should come pretty soon.
+
+Miller, in his Netdev keynote, focused on XDP and presented it as the

(Diff truncated)
add a bunch of emacs plugins and other tools
debian-goodies is for dman!
diff --git a/software/mytasks.desc b/software/mytasks.desc
index 15eef07..fd19099 100644
--- a/software/mytasks.desc
+++ b/software/mytasks.desc
@@ -31,7 +31,12 @@ Packages: list
  devscripts
  dia
  dpkg-dev-el
+ elpa-anzu
+ elpa-company
+ elpa-ledger
  elpa-markdown-mode
+ elpa-use-package
+ elpa-yasnippet
  emacs
  emacs-goodies-el
  emacs25
@@ -75,6 +80,7 @@ Packages: list
  pv
  python
  python3
+ python-autopep8
  python-jedi
  python-pytest
  python-setuptools-scm
@@ -94,6 +100,8 @@ Packages: list
  qemu
  qemu-kvm
  quilt
+ sbuild
+ shellcheck
  sqlitebrowser
  subversion
  time
@@ -132,6 +140,7 @@ Packages: list
  ledger-el
  less
  libnotify-bin
+ libu2f-host0
  localepurge
  locales
  mlocate
@@ -177,6 +186,7 @@ Packages: list
  verbiste
  verbiste-gnome
  workrave
+ wotsap
  xkbset
  xprintidle
  xkcdpass
@@ -190,6 +200,7 @@ Packages: list
  xscreensaver
  xterm
  xul-ext-zotero
+ yubikey-personalization
  zotero-standalone
 
 Task: anarcat-author
@@ -218,6 +229,7 @@ Packages: list
  bup
  ccze
  curl
+ debian-goodies
  dnsutils
  etckeeper
  gparted
@@ -240,6 +252,7 @@ Packages: list
  powertop
  pv
  pwgen
+ reptyr
  restic
  rsync
  sdparm
@@ -313,6 +326,7 @@ Packages: list
  fldigi
  gnuradio
  gpredict
+ gqrx-sdr
  grig
  ibp
  multimon

add another free laptop
diff --git a/hardware/laptop.mdwn b/hardware/laptop.mdwn
index c847bf5..568a47e 100644
--- a/hardware/laptop.mdwn
+++ b/hardware/laptop.mdwn
@@ -44,6 +44,21 @@ based on the allwinner chipset.
 
 Backordered, of course (2017-02-02). See also the [announcement](https://olimex.wordpress.com/2017/02/01/teres-i-do-it-yourself-open-source-hardware-and-software-hackers-friendly-laptop-is-complete/).
 
+Pine64
+------
+
+https://www.pine64.org/?page_id=3707
+
+ * Quad-core ARM Cortex A53 1.2Ghz
+ * 2GB RAM
+ * 16GB flash storage
+ * Wifi bgn, BLE 4.0
+ * USB: 2
+ * MicroSD
+ * Mini-HDMI
+ * LCD 11.6"
+ * 1.04Kg
+
 x201
 ----
 

and sbuild aliases
diff --git a/software/debian-development.mdwn b/software/debian-development.mdwn
index f5d5a31..1bcd5ea 100644
--- a/software/debian-development.mdwn
+++ b/software/debian-development.mdwn
@@ -506,6 +506,14 @@ A few handy sbuild-related commands:
 
  * `sbuild-shell wheezy` - enter the `wheezy` chroot to make
    *permanent* changes, which will *not* be discarded
+
+Also note that it is useful to add aliases to your `schroot`
+configuration files. This allows you, for example, to automatically
+build `wheezy-security` or `wheezy-backports` packages in the `wheezy`
+schroot. Just add this line to the relevant config in
+`/etc/schroot/chroot.d/`:
+
+    aliases=wheezy-security-amd64-sbuild,wheezy-backports-amd64-build
 """]]
 
 [[!note """

some tricks with sbuild
diff --git a/software/debian-development.mdwn b/software/debian-development.mdwn
index 9a0e13b..f5d5a31 100644
--- a/software/debian-development.mdwn
+++ b/software/debian-development.mdwn
@@ -494,6 +494,20 @@ you often need `-sa` to provide the source tarball with the upload),
 you should use `--debbuildopts -sa` in `sbuild`. For git-buildpackage,
 simply add `-sa` to the commandline.
 
+[[!tip """
+A few handy sbuild-related commands:
+
+ * `sbuild -d wheezy` - build in the `wheezy` chroot even though
+   another suite is specified (e.g. `wheezy-backports` or
+   `wheezy-security`)
+
+ * `schroot -c wheezy-amd64-sbuild` - enter the `wheezy` chroot to make
+   tests, changes will be discarded
+
+ * `sbuild-shell wheezy` - enter the `wheezy` chroot to make
+   *permanent* changes, which will *not* be discarded
+"""]]
+
 [[!note """
 I was previously using `pbuilder` and switched in 2017 to `sbuild`. [AskUbuntu.com has a good comparative between pbuilder and sbuild][]
 that shows they are pretty similar. The big advantage of sbuild is

note the entropy article was translated to japanese (!)
diff --git a/blog/2017-02-18-passwords-entropy.mdwn b/blog/2017-02-18-passwords-entropy.mdwn
index a329696..f735853 100644
--- a/blog/2017-02-18-passwords-entropy.mdwn
+++ b/blog/2017-02-18-passwords-entropy.mdwn
@@ -4,6 +4,9 @@
 
 [[!toc startlevel=2]]
 
+> Note: this article was translated
+> in [Japanese](http://postd.cc/passwords-entropy/).
+
 Passwords are used everywhere in our modern life. Between your email
 account and your bank card, a lot of critical security infrastructure
 relies on "something you know", a password. Yet there is little standard

fix publication order
diff --git a/blog/2017-04-12-netconf2.mdwn b/blog/2017-04-12-netconf2.mdwn
index e13aab2..b0886aa 100644
--- a/blog/2017-04-12-netconf2.mdwn
+++ b/blog/2017-04-12-netconf2.mdwn
@@ -1,6 +1,6 @@
 [[!meta title="A report from Netconf: Day 2"]]
 [[!meta date="2017-04-11T12:00:00-0500"]]
-[[!meta updated="2017-04-21T16:42:20-0400"]]
+[[!meta updated="2017-04-21T16:55:38-0400"]]
 
 This article covers the second day of the informal Netconf discussions,
 held on on April 4, 2017. Topics discussed this day included the binding

fix tocs again again
diff --git a/blog/2017-04-11-netconf1.mdwn b/blog/2017-04-11-netconf1.mdwn
index 095b379..9de4f4f 100644
--- a/blog/2017-04-11-netconf1.mdwn
+++ b/blog/2017-04-11-netconf1.mdwn
@@ -20,9 +20,9 @@ frequent (indeed, encouraged) and the focus is on hashing out issues
 that are blocked on the mailing list and getting suggestions, ideas,
 solutions, and feedback from their peers.
 
-[[!toc]]
+[[!toc levels=2 startlevel=2]]
 
-#### Removing ndo_select_queue()
+## Removing ndo_select_queue()
 
 One of the first discussions that elicited a significant debate was the
 `ndo_select_queue()` function, a key component of the Linux polling
@@ -54,7 +54,7 @@ moving away from a generic `ndo_select_queue()` interface to
 stack-specific or even driver-specific (in the case of Intel) queue
 management interfaces.
 
-#### refcount\_t followup
+## refcount\_t followup
 
 There was a followup discussion on the integration of the `refcount_t`
 type into the network stack, which we [covered
@@ -103,7 +103,7 @@ performance cost. Yet it was clear in the discussions that the team
 cares about security issues and wants those issues to be fixed; the
 impact of some of the solutions is just too big.
 
-#### Lightweight wireless management packet access
+## Lightweight wireless management packet access
 
 Berg explained that some users need to have high-performance access to
 certain management frames in the wireless stack and wondered how to best
@@ -123,7 +123,7 @@ get the statistics they need. This will require an extra hook in the
 wireless stack, but it seems like this is the way that will be taken to
 implement this feature.
 
-#### VLAN 0 inconsistencies
+## VLAN 0 inconsistencies
 
 Hannes Frederic Sowa brought up the seemingly innocuous question of "how
 do we handle
@@ -138,7 +138,7 @@ there was a change here and this was originally working but is now
 broken. Sowa therefore got the go-ahead to fix this to make the behavior
 consistent again.
 
-#### Loopy fun
+## Loopy fun
 
 Then it came the turn of Jamal Hadi Salim, the maintainer of the
 kernel's [traffic-control (tc) subsystem](http://lartc.org/). The first
@@ -184,7 +184,7 @@ fields, there is no way to fix the general case here, and this
 constitutes a security issue. So either the bits need to be brought
 back, or we need to live with the inherent DoS threat.
 
-#### Dumping large statistics sets
+## Dumping large statistics sets
 
 Another issue Salim brought up was the question of how to export large
 statistics sets from the kernel. It turns out that some use cases may
diff --git a/blog/2017-04-12-netconf2.mdwn b/blog/2017-04-12-netconf2.mdwn
index cfda959..e13aab2 100644
--- a/blog/2017-04-12-netconf2.mdwn
+++ b/blog/2017-04-12-netconf2.mdwn
@@ -9,9 +9,9 @@ between IPv4 and IPv6, changes to data-center hardware, and more. (See
 [this article](https://lwn.net/Articles/719388/) for coverage from the first day of
 discussions).
 
-[[!toc]]
+[[!toc levels=2 startlevel=2]]
 
-#### How to bind to specific sockets in VRF
+## How to bind to specific sockets in VRF
 
 One of the first presentations was from David Ahern of Cumulus, who
 presented a few interesting questions for the audience. His first was
@@ -67,7 +67,7 @@ for every address. It seems the consensus evolved towards using,
 users. It is currently limited to UDP and RAW sockets, but it could be
 extended for TCP.
 
-#### XDP and eBPF program identification
+## XDP and eBPF program identification
 
 Ahern then turned to the problem of extracting BPF programs from the
 kernel. He gave the example of a simple cBPF (classic BPF) filter that
@@ -114,7 +114,7 @@ still uncertain that it will be possible to extract an exact copy that
 could then be recompiled into the same program. Starovoitov added that
 he needed this in production to do proper reporting.
 
-#### IPv4/IPv6 equivalency
+## IPv4/IPv6 equivalency
 
 The last issue — or set of issues — that Ahern brought up was the
 question of inconsistencies between IPv4 and IPv6. It turns out that,
@@ -160,7 +160,7 @@ data structures could be merged. What is more likely is that the code
 path could be merged and simplified, while keeping the data structures
 separate.
 
-#### Modules options substitutions
+## Modules options substitutions
 
 The next issue that was raised was from Jiří Pírko, who asked how to
 pass configuration options to a driver *before* the driver is
@@ -190,7 +190,7 @@ Shrijeet Mukherjee explained that right now, Cumulus is doing this using
 horrible startup script magic by retrying and re-registering, but it
 would be nice to have a more standard way to do this.
 
-#### Control over UAPI patches
+## Control over UAPI patches
 
 Another issue that came up was the problem of changes in the user-space
 API (UAPI) which break backward compatibility. Pírko said that "we have
@@ -211,7 +211,7 @@ in that "we're stuck with it forever". He then went on to propose that,
 since there's a maintainer (or more) for each module, he can make sure
 that each maintainer explicitly approves changes to those modules.
 
-#### Data-center hardware changes
+## Data-center hardware changes
 
 Starovoitov brought up the issue of a new type of hardware that is
 currently being deployed in data centers called a "multi-host NIC"

add and fixup tocs
diff --git a/blog/2017-04-11-netconf1.mdwn b/blog/2017-04-11-netconf1.mdwn
index 188d887..095b379 100644
--- a/blog/2017-04-11-netconf1.mdwn
+++ b/blog/2017-04-11-netconf1.mdwn
@@ -20,7 +20,9 @@ frequent (indeed, encouraged) and the focus is on hashing out issues
 that are blocked on the mailing list and getting suggestions, ideas,
 solutions, and feedback from their peers.
 
-#### Removing `ndo_select_queue()`
+[[!toc]]
+
+#### Removing ndo_select_queue()
 
 One of the first discussions that elicited a significant debate was the
 `ndo_select_queue()` function, a key component of the Linux polling
diff --git a/blog/2017-04-12-netconf2.mdwn b/blog/2017-04-12-netconf2.mdwn
index 271879d..cfda959 100644
--- a/blog/2017-04-12-netconf2.mdwn
+++ b/blog/2017-04-12-netconf2.mdwn
@@ -9,6 +9,8 @@ between IPv4 and IPv6, changes to data-center hardware, and more. (See
 [this article](https://lwn.net/Articles/719388/) for coverage from the first day of
 discussions).
 
+[[!toc]]
+
 #### How to bind to specific sockets in VRF
 
 One of the first presentations was from David Ahern of Cumulus, who

creating tag page tag/conference
diff --git a/tag/conference.mdwn b/tag/conference.mdwn
new file mode 100644
index 0000000..4165b0b
--- /dev/null
+++ b/tag/conference.mdwn
@@ -0,0 +1,4 @@
+[[!meta title="pages tagged conference"]]
+
+[[!inline pages="tagged(conference)" actions="no" archive="yes"
+feedshow=10]]

creating tag page tag/kernel
diff --git a/tag/kernel.mdwn b/tag/kernel.mdwn
new file mode 100644
index 0000000..7de2b00
--- /dev/null
+++ b/tag/kernel.mdwn
@@ -0,0 +1,4 @@
+[[!meta title="pages tagged kernel"]]
+
+[[!inline pages="tagged(kernel)" actions="no" archive="yes"
+feedshow=10]]

Created . Edited .