Recent changes to this wiki. Not to be confused with my history.

Complete source to the wiki is available on gitweb or by cloning this site.

more SSGs
diff --git a/services/wiki.mdwn b/services/wiki.mdwn
index 0a1615f0..db1e26fd 100644
--- a/services/wiki.mdwn
+++ b/services/wiki.mdwn
@@ -215,6 +215,11 @@ dropped:
 We're now running upstream (`0.20180719-1`), which hopefully still
 works.
 
+Other SSG options:
+
+ * [11ty](https://www.11ty.dev/) - [picked by mozilla](https://hacks.mozilla.org/2020/10/to-eleventy-and-beyond/), javascript
+ * TODO: compare with other SSGs
+
 2017-06-19: major upgrade
 -------------------------
 

another monitoring tool
diff --git a/blog/2019-11-20-file-monitoring-tools.mdwn b/blog/2019-11-20-file-monitoring-tools.mdwn
index f79f5cd8..18f98ef4 100644
--- a/blog/2019-11-20-file-monitoring-tools.mdwn
+++ b/blog/2019-11-20-file-monitoring-tools.mdwn
@@ -21,6 +21,15 @@ Those tools an watch files or trees of files and execute whatever.
  * No Debian package
  * requires a TOML config file
 
+## chokidar
+
+<https://github.com/kimmobrunfeldt/chokidar-cli>
+
+ * 2015-2019
+ * Javascript
+ * MIT
+ * No Debian package
+
 ## direvent
 
 <https://www.gnu.org.ua/software/direvent/>
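
Review bot: the new `## chokidar` heading names the library, but the link under it goes to `kimmobrunfeldt/chokidar-cli`, the command-line wrapper. Since this list is about tools that watch files and run a command, title the section `chokidar-cli` (or link both projects) so readers look for the right package. The entry also says nothing about how the tool is configured or invoked, unlike the entry just above it with its "requires a TOML config file" line.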

spam tricks
diff --git a/services/wiki.mdwn b/services/wiki.mdwn
index 6bd053bd..0a1615f0 100644
--- a/services/wiki.mdwn
+++ b/services/wiki.mdwn
@@ -98,6 +98,9 @@ Here are some things I'm thinking of doing on the website:
     * makesite - pour la création de nouveaux sites
     * missingsite - pour montrer un site même pour les sites manquants
     * parked - pour les sites désactivés
+ * improve spam control, consider the [mediawiki tricks](https://m.mediawiki.org/wiki/Manual:Combating_spam), [friendly
+   captcha](https://friendlycaptcha.com/), the [Tornevall blocklist](https://www.tornevall.net/about/) and other RBLs, and [the
+   ikiwiki discussion](https://ikiwiki.info/todo/anti-spam_protection/)
 
 [TufteCSS]: https://edwardtufte.github.io/tufte-css/
 [controlpanel]: http://anarc.at/ikiwiki.cgi?do=controlpanel
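
Review bot: the MediaWiki link in the added bullet points at the mobile host (`m.mediawiki.org`); use the canonical `www.mediawiki.org/wiki/Manual:Combating_spam` so the reference does not depend on the mobile skin. Also check the indentation: the added item starts at one space while the items just before it are nested at four, so it renders as a new top-level entry rather than as part of the preceding sub-list.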

another san option
diff --git a/hardware/server/marcos.mdwn b/hardware/server/marcos.mdwn
index 538c7d76..d97e00f9 100644
--- a/hardware/server/marcos.mdwn
+++ b/hardware/server/marcos.mdwn
@@ -374,6 +374,10 @@ It's unclear if I could just migrate marcos to this platform as is,
 and the prices might be slightly higher than what I would get when
 building it from scratch...
 
+## Ten64
+
+https://www.crowdsupply.com/traverse-technologies/ten64/updates/building-a-nas-with-ten64-and-rockstor-and-new-turnkey-nas-bundle
+
 ## Other SoC boards
 
 There are many SoC boards that could be used to create a device from
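
Review bot: the `## Ten64` section consists only of a bare URL, with no sentence saying what the board is or why it is a candidate, while the text just above it weighs price and migration for the previous option. Add a line of summary, and wrap the link as `<https://...>` or `[text](url)`, as the other pages changed on this wiki do.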

add crdt.el
diff --git a/blog/2018-06-26-collaborative-editors-history.mdwn b/blog/2018-06-26-collaborative-editors-history.mdwn
index 21093289..4f6e663d 100644
--- a/blog/2018-06-26-collaborative-editors-history.mdwn
+++ b/blog/2018-06-26-collaborative-editors-history.mdwn
@@ -41,6 +41,7 @@ notable feature or implementation detail.
 | [Qill](https://quilljs.com/)                  | 2013-now   | Web, Node.JS      | Rich text editor, also javascript. Not sure it is really collaborative.                                                                                                                                                                                                                                                    |
 | [Teletype](https://teletype.atom.io/)              | 2017-now   | WebRTC, Node.JS   | For the GitHub's [Atom editor](https://atom.io), introduces "portal" idea that makes guests follow what the host is doing across multiple docs. p2p with webRTC after visit to introduction server, CRDT based.                                                                                                                          |
 | [Tandem](http://typeintandem.com/)                | 2018-now   | Node.JS?          | Plugins for atom, vim, neovim, sublime... uses a relay to setup p2p connexions CRDT based. [Dubious license issues](https://github.com/typeintandem/tandem/issues/131) were resolved thanks to the involvement of Debian developers, which makes it a promising standard to follow in the future.                                                                          |
+| [crdt.el](https://code.librehq.com/qhong/crdt.el/)               | 2020-now   | Emacs             | First CRDT plugin for Emacs, Emacs-only                                                                                                                                                                                                                                                                                    |
 
 Other lists
 ===========

align table
diff --git a/blog/2018-06-26-collaborative-editors-history.mdwn b/blog/2018-06-26-collaborative-editors-history.mdwn
index 76969203..21093289 100644
--- a/blog/2018-06-26-collaborative-editors-history.mdwn
+++ b/blog/2018-06-26-collaborative-editors-history.mdwn
@@ -19,28 +19,28 @@ So without further ado, here is the list of notable collaborative
 editors that I could find. By "notable" i mean that they introduce a
 notable feature or implementation detail.
 
-| Project          | Date       | Platform | Notes |
-| ---------------- | ---------- | -------- | ----- |
-| [SubEthaEdit](https://www.codingmonkeys.de/subethaedit/) | 2003-2015? | Mac-only | first collaborative, real-time, multi-cursor editor I could find. An [reverse-engineering attempt in Emacs](https://www.emacswiki.org/emacs/SubEthaEmacs) failed to produce anything. |
-| [DocSynch](http://docsynch.sourceforge.net/) |  2004-2007 | ? | built on top of IRC! |
-| [Gobby](https://gobby.github.io/) | 2005-now | C, multi-platform | first open, solid and reliable implementation and still around! The protocol ("[libinfinoted](http://infinote.0x539.de/libinfinity/API/libinfinity/)") is notoriously hard to port to other editors (e.g. [Rudel](https://www.emacswiki.org/emacs/Rudel) failed to implement this in Emacs). 0.7 release in jan 2017 adds possible python bindings that might improve this. Interesting plugins: autosave to disk. |
-| [Ethercalc](https://ethercalc.net/) | 2005-now | Web, Javascript | First spreadsheet, along with [Google docs](https://en.wikipedia.org/wiki/Google_docs) |
-| [moonedit](https://web.archive.org/web/20060423192346/http://www.moonedit.com:80/) | 2005-2008? | ? | Original website died. Other user's cursors visible and emulated keystrokes noises. Included a calculator and music sequencer! |
-| [synchroedit](http://www.synchroedit.com/) | 2006-2007 | ? | First web app. |
-| [Inkscape](http://wiki.inkscape.org/wiki/index.php/WhiteBoard) | 2007-2011 | C++ | First graphics editor with collaborative features backed by the "whiteboard" plugin built on top of Jabber, now defunct. |
-| [Abiword](https://en.wikipedia.org/wiki/AbiWord) | 2008-now | C++ | First word processor |
-| [Etherpad](http://etherpad.org/) | 2008-now | Web | First solid web app. Originally developped as a heavy Java app in 2008, acquired and opensourced by Google in 2009, then rewritten in Node.js in 2011. Widely used. |
-| [Wave](https://en.wikipedia.org/wiki/Apache_Wave) | 2009-2010 | Web, Java | Failed attempt at a grand protocol unification |
-| [CRDT](https://en.wikipedia.org/wiki/Conflict-free_replicated_data_type) | 2011 | Specification | Standard for replicating a document's datastructure among different computers reliably.|
-| [Operational transform](http://operational-transformation.github.io/) | 2013 | Specification | Similar to CRDT, yet, well, different. |
-| [Floobits](https://floobits.com/) | 2013-now | ? | Commercial, but opensource plugins for different editors |
-| [LibreOffice Online](https://wiki.documentfoundation.org/Development/LibreOffice_Online) | 2015-now | Web | free Google docs equivalent, now integrated in [Nextcloud](https://nextcloud.com/collaboraonline/) |
-| [HackMD](https://hackmd.io/) | 2015-now | ? | Commercial but [opensource](https://github.com/hackmdio/hackmd). Inspired by hackpad, which was bought up by Dropbox. |
-| [Cryptpad](https://cryptpad.fr/) | 2016-now | web? | spin-off of xwiki. encrypted, "zero-knowledge" on server |
-| [Prosemirror](https://prosemirror.net/) | 2016-now | Web, Node.JS | "Tries to bridge the gap between Markdown text editing and classical WYSIWYG editors." Not really an editor, but something that can be used to build one. |
-| [Qill](https://quilljs.com/) | 2013-now | Web, Node.JS | Rich text editor, also javascript. Not sure it is really collaborative. |
-| [Teletype](https://teletype.atom.io/) | 2017-now | WebRTC, Node.JS | For the GitHub's [Atom editor](https://atom.io), introduces "portal" idea that makes guests follow what the host is doing across multiple docs. p2p with webRTC after visit to introduction server, CRDT based. |
-| [Tandem](http://typeintandem.com/) | 2018-now | Node.JS? | Plugins for atom, vim, neovim, sublime... uses a relay to setup p2p connexions CRDT based. [Dubious license issues](https://github.com/typeintandem/tandem/issues/131) were resolved thanks to the involvement of Debian developers, which makes it a promising standard to follow in the future. |
+| Project                    | Date       | Platform          | Notes                                                                                                                                                                                                                                                                                                                      |
+|----------------------------|------------|-------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| [SubEthaEdit](https://www.codingmonkeys.de/subethaedit/)           | 2003-2015? | Mac-only          | first collaborative, real-time, multi-cursor editor I could find. An [reverse-engineering attempt in Emacs](https://www.emacswiki.org/emacs/SubEthaEmacs) failed to produce anything.                                                                                                                                                                                 |
+| [DocSynch](http://docsynch.sourceforge.net/)              | 2004-2007  | ?                 | built on top of IRC!                                                                                                                                                                                                                                                                                                       |
+| [Gobby](https://gobby.github.io/)                 | 2005-now   | C, multi-platform | first open, solid and reliable implementation and still around! The protocol ("[libinfinoted](http://infinote.0x539.de/libinfinity/API/libinfinity/)") is notoriously hard to port to other editors (e.g. [Rudel](https://www.emacswiki.org/emacs/Rudel) failed to implement this in Emacs). 0.7 release in jan 2017 adds possible python bindings that might improve this. Interesting plugins: autosave to disk. |
+| [Ethercalc](https://ethercalc.net/)             | 2005-now   | Web, Javascript   | First spreadsheet, along with [Google docs](https://en.wikipedia.org/wiki/Google_docs)                                                                                                                                                                                                                                                                             |
+| [moonedit](https://web.archive.org/web/20060423192346/http://www.moonedit.com:80/)              | 2005-2008? | ?                 | Original website died. Other user's cursors visible and emulated keystrokes noises. Included a calculator and music sequencer!                                                                                                                                                                                             |
+| [synchroedit](http://www.synchroedit.com/)           | 2006-2007  | ?                 | First web app.                                                                                                                                                                                                                                                                                                             |
+| [Inkscape](http://wiki.inkscape.org/wiki/index.php/WhiteBoard)              | 2007-2011  | C++               | First graphics editor with collaborative features backed by the "whiteboard" plugin built on top of Jabber, now defunct.                                                                                                                                                                                                   |
+| [Abiword](https://en.wikipedia.org/wiki/AbiWord)               | 2008-now   | C++               | First word processor                                                                                                                                                                                                                                                                                                       |
+| [Etherpad](http://etherpad.org/)              | 2008-now   | Web               | First solid web app. Originally developped as a heavy Java app in 2008, acquired and opensourced by Google in 2009, then rewritten in Node.js in 2011. Widely used.                                                                                                                                                        |
+| [Wave](https://en.wikipedia.org/wiki/Apache_Wave)                  | 2009-2010  | Web, Java         | Failed attempt at a grand protocol unification                                                                                                                                                                                                                                                                             |
+| [CRDT](https://en.wikipedia.org/wiki/Conflict-free_replicated_data_type)                  | 2011       | Specification     | Standard for replicating a document's datastructure among different computers reliably.                                                                                                                                                                                                                                    |
+| [Operational transform](http://operational-transformation.github.io/) | 2013       | Specification     | Similar to CRDT, yet, well, different.                                                                                                                                                                                                                                                                                     |
+| [Floobits](https://floobits.com/)              | 2013-now   | ?                 | Commercial, but opensource plugins for different editors                                                                                                                                                                                                                                                                   |
+| [LibreOffice Online](https://wiki.documentfoundation.org/Development/LibreOffice_Online)    | 2015-now   | Web               | free Google docs equivalent, now integrated in [Nextcloud](https://nextcloud.com/collaboraonline/)                                                                                                                                                                                                                                                              |
+| [HackMD](https://hackmd.io/)                | 2015-now   | ?                 | Commercial but [opensource](https://github.com/hackmdio/hackmd). Inspired by hackpad, which was bought up by Dropbox.                                                                                                                                                                                                                                       |
+| [Cryptpad](https://cryptpad.fr/)              | 2016-now   | web?              | spin-off of xwiki. encrypted, "zero-knowledge" on server                                                                                                                                                                                                                                                                   |
+| [Prosemirror](https://prosemirror.net/)           | 2016-now   | Web, Node.JS      | "Tries to bridge the gap between Markdown text editing and classical WYSIWYG editors." Not really an editor, but something that can be used to build one.                                                                                                                                                                  |
+| [Qill](https://quilljs.com/)                  | 2013-now   | Web, Node.JS      | Rich text editor, also javascript. Not sure it is really collaborative.                                                                                                                                                                                                                                                    |
+| [Teletype](https://teletype.atom.io/)              | 2017-now   | WebRTC, Node.JS   | For the GitHub's [Atom editor](https://atom.io), introduces "portal" idea that makes guests follow what the host is doing across multiple docs. p2p with webRTC after visit to introduction server, CRDT based.                                                                                                                          |
+| [Tandem](http://typeintandem.com/)                | 2018-now   | Node.JS?          | Plugins for atom, vim, neovim, sublime... uses a relay to setup p2p connexions CRDT based. [Dubious license issues](https://github.com/typeintandem/tandem/issues/131) were resolved thanks to the involvement of Debian developers, which makes it a promising standard to follow in the future.                                                                          |
 
 Other lists
 ===========
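
Review bot: the padding in the realigned rows appears to be computed from the link text rather than from the Markdown source, so the `|` separators still do not line up in the raw file (compare the `SubEthaEdit` and `DocSynch` rows), and the Notes column is now padded to several hundred characters. Any later change that widens one cell will rewrite every row and bury the real change in the diff. Consider moving the URLs to reference-style links so the cells stay short, or leaving the table unpadded.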

another fs watcher, in rust
diff --git a/blog/2019-11-20-file-monitoring-tools.mdwn b/blog/2019-11-20-file-monitoring-tools.mdwn
index 8dd40fb7..f79f5cd8 100644
--- a/blog/2019-11-20-file-monitoring-tools.mdwn
+++ b/blog/2019-11-20-file-monitoring-tools.mdwn
@@ -11,6 +11,16 @@ find in a search engine.
 
 Those tools an watch files or trees of files and execute whatever.
 
+## caretaker
+
+<https://github.com/grego/caretaker>
+
+ * 2020
+ * Rust
+ * MIT
+ * No Debian package
+ * requires a TOML config file
+
 ## direvent
 
 <https://www.gnu.org.ua/software/direvent/>

setext -> atx
diff --git a/blog/2019-11-20-file-monitoring-tools.mdwn b/blog/2019-11-20-file-monitoring-tools.mdwn
index c5e3b09a..8dd40fb7 100644
--- a/blog/2019-11-20-file-monitoring-tools.mdwn
+++ b/blog/2019-11-20-file-monitoring-tools.mdwn
@@ -7,13 +7,11 @@ find in a search engine.
 
 [[!toc levels=3]]
 
-Generic
-=======
+# Generic
 
 Those tools an watch files or trees of files and execute whatever.
 
-direvent
---------
+## direvent
 
 <https://www.gnu.org.ua/software/direvent/>
 
@@ -23,8 +21,7 @@ direvent
  * [Debian package](https://tracker.debian.org/pkg/direvent), since 2015 (stretch), out of date (5.1 vs 5.2)
  * requires a config file to operate
 
-entr
-----
+## entr
 
 <http://eradman.com/entrproject/>
 
@@ -39,8 +36,7 @@ entr
  * has special hacks to reload browser
  * can clear screen between calls
 
-fluffy
-------
+## fluffy
 
 https://github.com/tinkershack/fluffy
 
@@ -52,8 +48,7 @@ https://github.com/tinkershack/fluffy
  * Streams events to standard output
  * also a library
 
-fswatch
--------
+## fswatch
 
 <http://emcrisostomo.github.io/fswatch/>
 
@@ -64,8 +59,7 @@ fswatch
  * outputs changesets using a specific syntax, so requires more
    commandline voodoo
 
-gamin
------
+## gamin
 
 <https://people.gnome.org/~veillard/gamin/>
 
@@ -73,8 +67,7 @@ gamin
  * [Debian package](https://tracker.debian.org/pkg/gamin) since 2005
  * not a commandline tool
 
-incron
-------
+## incron
 
 <https://github.com/ar-/incron>
 
@@ -86,8 +79,7 @@ incron
    obscure](https://manpages.debian.org/incrontab.5)) syntax
  * no event deduplication
 
-inoticoming
------------
+## inoticoming
 
 <https://tracker.debian.org/pkg/inoticoming>
 
@@ -100,8 +92,7 @@ inoticoming
  * built for [reprepro](https://tracker.debian.org/pkg/reprepro)
  * no event deduplication
 
-inotify-hookable
-----------------
+## inotify-hookable
 
 <https://metacpan.org/pod/App::Inotify::Hookable>
 
@@ -113,8 +104,7 @@ inotify-hookable
  * no event deduplication, but can "buffer" multiple events together
    with a timeout
 
-inotify-tools
--------------
+## inotify-tools
 
 <https://github.com/rvoicilas/inotify-tools/>
 
@@ -126,8 +116,7 @@ inotify-tools
  * somewhat [difficult commandline interface](https://manpages.debian.org/buster/inotify-tools/inotifywait.1.en.html)
  * no event deduplication
 
-systemd .path units
---------------------
+## systemd .path units
 
 <https://www.freedesktop.org/software/systemd/man/systemd.path.html>
 
@@ -156,8 +145,7 @@ somehow it didn't work:
 ... ie. it doesn't restart the service on changes to any of those
 files.
 
-watchexec
----------
+## watchexec
 
 <https://github.com/watchexec/watchexec>
 
@@ -178,8 +166,7 @@ watchexec
    elegantly avoided the loops I have had in watchman because of the
    files generated by tox
 
-watchman
---------
+## watchman
 
 <http://facebook.github.io/watchman/>
 
@@ -201,8 +188,7 @@ watchman
    constantely runs the tests, because there's [no way to ignore](https://github.com/facebook/watchman/issues/769)
    files in `watchman-make`.
 
-Web development
-===============
+# Web development
 
 ## grip (markdown)
 
@@ -240,8 +226,7 @@ examples:
    so more smartly
  * [iPython](https://ipython.org/) - has a [autoreload](https://ipython.org/ipython-doc/3/config/extensions/autoreload.html) extension
 
-Unit tests
-==========
+# Unit tests
 
 ## autotest
 
@@ -288,8 +273,7 @@ Unit tests
  * Perl only
  * No Debian package
 
-File synchronization
-====================
+# File synchronization
 
 I will not go through a list of all the file synchronization tools
 here. Most of them have some sort of "wake-up" system to notify file
@@ -322,8 +306,7 @@ am aware of:
  * spawns rsync on file changes
  * Lua configuration can be leveraged to do other things than sync
 
-Intrusion detection
-===================
+# Intrusion detection
 
 Here again, there are many filesystem integrity checkers and intrusion
 detection systems (IDS), but they are not relevant here unless they
@@ -371,8 +354,7 @@ to fit a square peg in this round hole:
  * [Debian package](https://tracker.debian.org/pkg/sshguard) since 2007, out of date
  * similar to fail2ban
 
-Other
-=====
+# Other
 
 ## kfmon (kobo launcher)
 

add toc
diff --git a/blog/2020-10-19-google-authenticator-libpam.mdwn b/blog/2020-10-19-google-authenticator-libpam.mdwn
index 488ecdd6..3ac2e1b0 100644
--- a/blog/2020-10-19-google-authenticator-libpam.mdwn
+++ b/blog/2020-10-19-google-authenticator-libpam.mdwn
@@ -18,6 +18,8 @@ After some fiddling, it turns out I was right and you *can*
 authenticate with a Yubikey over SSH. Here's that procedure so you
 don't have to second-guess it yourself.
 
+[[!toc]]
+
 Installation
 ============
 

fix formatting
diff --git a/blog/2020-10-19-google-authenticator-libpam.mdwn b/blog/2020-10-19-google-authenticator-libpam.mdwn
index fd985122..488ecdd6 100644
--- a/blog/2020-10-19-google-authenticator-libpam.mdwn
+++ b/blog/2020-10-19-google-authenticator-libpam.mdwn
@@ -86,7 +86,7 @@ def convert_b32_b16(data_b32):
         # pad to 20 bytes
         data_b16 += b"\x00" * (20 - len(data_b16))
     return binascii.hexlify(data_b16).decode("ascii")
-"""]
+"""]]
 
 Note that the code assumes a certain token length and will not work
 correctly for other sizes. To use the program, simply call it with:

libpam google authenticator + ssh 2FA + yubikey
diff --git a/blog/2015-12-14-yubikey-howto.mdwn b/blog/2015-12-14-yubikey-howto.mdwn
index fbe6e7c5..c21c8a16 100644
--- a/blog/2015-12-14-yubikey-howto.mdwn
+++ b/blog/2015-12-14-yubikey-howto.mdwn
@@ -304,6 +304,26 @@ for now.
 Using OATH
 ===========
 
+google-authenticator-libpam
+---------------------------
+
+I switched from libpam-oath (below) to another (better maintained)
+plugin, see the procedure in [[this article instead|2020-10-19-google-authenticator-libpam]].
+
+I switched away from libpam-oath because [users couldn't edit their
+own 2FA tokens](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=807992) and I had to patch it to [avoid forcing 2FA on all
+users](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=807990). The latter was merged in the Debian package, but never
+upstream, and the former was never fixed at all. It seems the library
+is not as well maintained as the Google Authenticator one, so I feel
+more confident using the latter in the future.
+
+libpam-oath
+-----------
+
+WARNING: those are the old instructions I used before I realized I
+could use the above "Google Authenticator" plugin. They are kept only
+for historical reference.
+
 This is pretty neat: it allows you to add two factor authentication to a *lot* of things. For example, PAM has such a module, which I will configure here to allow myself to login to my server from untrusted machines. While I will expose my main password to keyloggers, the OTP password will prevent that from being reused. This is a simplified version of [this OATH tutorial][].
 
 We install the PAM module with:
diff --git a/blog/2020-10-19-google-authenticator-libpam.mdwn b/blog/2020-10-19-google-authenticator-libpam.mdwn
new file mode 100644
index 00000000..fd985122
--- /dev/null
+++ b/blog/2020-10-19-google-authenticator-libpam.mdwn
@@ -0,0 +1,126 @@
+[[!meta title="SSH 2FA with Google Authenticator and Yubikey"]]
+
+About a lifetime ago (5 years), I wrote a [[tutorial on how to
+configure my Yubikey for OpenPGP signing, SSH authentication and SSH
+2FA|2015-12-14-yubikey-howto]]. In there, I used the [libpam-oath](http://www.nongnu.org/oath-toolkit/)
+PAM plugin for authentication, but it turns out that had too many
+problems: [users couldn't edit their own 2FA tokens](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=807992) and I had to
+patch it to [avoid forcing 2FA on all users](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=807990). The latter was merged
+in the Debian package, but never upstream, and the former was never
+fixed at all. So I started looking at alternatives and found the
+[Google Authenticator libpam plugin](https://github.com/google/google-authenticator-libpam/). A priori, it's designed to
+work with phones and the [Google Authenticator app](https://en.wikipedia.org/wiki/Google_Authenticator), but there's no
+reason why it shouldn't work with hardware tokens like the
+Yubikey. Both use the [standard HOTP protocol](https://en.wikipedia.org/wiki/HMAC-based_One-time_Password_algorithm) so it should "just
+work".
+
+After some fiddling, it turns out I was right and you *can*
+authenticate with a Yubikey over SSH. Here's that procedure so you
+don't have to second-guess it yourself.
+
+Installation
+============
+
+On Debian, the PAM module is shipped in the [google-authenticator](https://tracker.debian.org/pkg/google-authenticator)
+source package:
+
+    apt install libpam-google-authenticator
+
+Then you need to add the module in your PAM stack somewhere. Since I
+only use it for SSH, I added this line on top of `/etc/pam.d/sshd`:
+
+    auth required pam_google_authenticator.so nullok
+
+I also used `no_increment_hotp debug` while debugging to avoid having
+to renew the token all the time and have more information about
+failures in the logs.
+
+Then reload ssh (not sure that's actually necessary):
+
+    service ssh reload
+
+Creating or replacing tokens
+============================
+
+To create a new key, run this command on the server:
+
+    google-authenticator -c
+
+This will prompt you for a bunch of questions. To get them all right,
+I prefer to just call the right ones on the commandline directly:
+
+    google-authenticator --counter-based --qr-mode=NONE --rate-limit=1 --rate-time=30 --emergency-codes=1 --window-size=3
+
+Those are actually the defaults, if my memory serves me right, except
+for the `--qr-mode` and `--emergency-codes` (which can't be disabled
+so I only print one). I disable the QR code display because I won't be
+using the codes on my phone, but you would obviously keep it if you
+want to use the app.
+
+Converting to a Yubikey-compatible secret
+=========================================
+
+Unfortunately, the encoding ([base32](https://tools.ietf.org/html/rfc3548#section-5)) produced by the
+`google-authenticator` command is not compatible with the token
+expected by the `ykpersonalize` command used to configure the Yubikey
+([base16](https://tools.ietf.org/html/rfc3548#page-8) AKA "hexadecimal", with a fixed 20 bytes length). So you
+need a way to convert between the two. I wrote a program called
+[oath-convert](https://gitlab.com/anarcat/scripts/blob/master/oath-convert) which basically does this:
+
+    read base32
+    add padding
+    convert to hex
+    print
+
+Or, in Python:
+
+[[!format python """
+def convert_b32_b16(data_b32):
+    remainder = len(data_b32) % 8
+    if remainder > 0:
+        # XXX: assume 6 chars are missing, the actual padding may vary:
+        # https://tools.ietf.org/html/rfc3548#section-5
+        data_b32 += "======"
+    data_b16 = base64.b32decode(data_b32)
+    if len(data_b16) < 20:
+        # pad to 20 bytes
+        data_b16 += b"\x00" * (20 - len(data_b16))
+    return binascii.hexlify(data_b16).decode("ascii")
+"""]
+
+Note that the code assumes a certain token length and will not work
+correctly for other sizes. To use the program, simply call it with:
+
+    head -1 .google_authenticator | oath-convert
+
+Then you paste the output in the prompt:
+
+    $ ykpersonalize -1 -o oath-hotp -o append-cr -a
+    Firmware version 3.4.3 Touch level 1541 Program sequence 2
+     HMAC key, 20 bytes (40 characters hex) : [SECRET GOES HERE]
+
+    Configuration data to be written to key configuration 1:
+
+    fixed: m:
+    uid: n/a
+    key: h:[SECRET REDACTED]
+    acc_code: h:000000000000
+    OATH IMF: h:0
+    ticket_flags: APPEND_CR|OATH_HOTP
+    config_flags: 
+    extended_flags: 
+
+    Commit? (y/n) [n]: y
+
+Note that you must NOT pass the `-o oath-hotp8` parameter to the
+`ykpersonalize` commandline, which we used to do in the [[Yubikey
+howto|2015-12-14-yubikey-howto]]. That is because Google Authenticator
+tokens are shorter: it's less secure, but it's an acceptable tradeoff
+considering the plugin is actually maintained. There's actually a
+[feature request to support 8-digit codes](https://github.com/google/google-authenticator-libpam/issues/20) so that limitation might
+eventually be fixed as well.
+
+Thanks to the [Google Authenticator people](https://github.com/google/google-authenticator-libpam/issues/186) and [Yubikey people](https://github.com/Yubico/yubikey-personalization/issues/169)
+for their support in establishing this procedure.
+
+[[!tag debian-planet python-planet geek software debian hacking security crypto hardware]]
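
Review bot: in the `/etc/pam.d/sshd` line, `nullok` is used without explanation: it lets any account that has no `.google_authenticator` file log in without the second factor. That matches the stated goal of not forcing 2FA on all users, but the Installation section should say so, and should state that `no_increment_hotp debug` is to be removed once debugging is done. In `convert_b32_b16`, the padding is hardcoded to `"======"`, which is only right when `len(data_b32) % 8 == 2`; computing it as `"=" * (-len(data_b32) % 8)` covers the other lengths, and a decoded secret longer than 20 bytes should raise an error rather than print more than the 40 hex characters `ykpersonalize` asks for. The snippet also uses `base64` and `binascii` without showing the imports.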

new list
diff --git a/services/dns.mdwn b/services/dns.mdwn
index a7809cbc..d0ad2501 100644
--- a/services/dns.mdwn
+++ b/services/dns.mdwn
@@ -96,6 +96,9 @@ Les noms suivants pourraient être utilisés pour de futures machines:
 
 [Margaret Hamilton]: https://en.wikipedia.org/wiki/Margaret_Hamilton_(software_engineer)
 
+Voir aussi [cette liste](https://www.hillelwayne.com/important-women-in-cs/) de femmes moins connues mais peut-être
+tout aussi importantes...
+
 Relié
 =====
 

set title
diff --git a/blog/2020-10-18-cdpath-replacement.mdwn b/blog/2020-10-18-cdpath-replacement.mdwn
index 193a98e3..d5df2142 100644
--- a/blog/2020-10-18-cdpath-replacement.mdwn
+++ b/blog/2020-10-18-cdpath-replacement.mdwn
@@ -1,3 +1,5 @@
+[[!meta title="CDPATH replacements"]]
+
 after reading [this post](https://www.kvr.at/posts/my-new-favorite-utility-autojump/) I figured I might as well bite the bullet
 and improve on my CDPATH-related setup, especially because it does not
 work with Emacs. so i looked around for autojump-related alternatives

creating tag page tag/shell
diff --git a/tag/shell.mdwn b/tag/shell.mdwn
new file mode 100644
index 00000000..58d1268f
--- /dev/null
+++ b/tag/shell.mdwn
@@ -0,0 +1,4 @@
+[[!meta title="pages tagged shell"]]
+
+[[!inline pages="tagged(shell)" actions="no" archive="yes"
+feedshow=10]]

publish cdpath review
diff --git a/blog/cdpath-replacement.mdwn b/blog/2020-10-18-cdpath-replacement.mdwn
similarity index 98%
rename from blog/cdpath-replacement.mdwn
rename to blog/2020-10-18-cdpath-replacement.mdwn
index c34fd651..193a98e3 100644
--- a/blog/cdpath-replacement.mdwn
+++ b/blog/2020-10-18-cdpath-replacement.mdwn
@@ -103,4 +103,4 @@ references
 
 https://www.emacswiki.org/emacs/LocateFilesAnywhere
 
-[[!tag draft]]
+[[!tag debian-planet python-planet shell review emacs]]

finalize cdpath
diff --git a/blog/cdpath-replacement.mdwn b/blog/cdpath-replacement.mdwn
index 661319ae..c34fd651 100644
--- a/blog/cdpath-replacement.mdwn
+++ b/blog/cdpath-replacement.mdwn
@@ -3,6 +3,20 @@ and improve on my CDPATH-related setup, especially because it does not
 work with Emacs. so i looked around for autojump-related alternatives
 that do.
 
+What I use now
+==============
+
+I currently have this in my `.shenv` (sourced by `.bashrc`):
+
+    export CDPATH=".:~:~/src:~/dist:~/wikis:~/go/src:~/src/tor"
+
+This allows me to quickly jump into projects from my home dir, or the
+"source code" (`~/src`), "work" (`src/tor`), or wiki checkouts
+(`~/wikis`) directories. It works well from the shell, but
+unfortunately it's very static: if I want a new directory, I need to
+edit my config file, restart shells, etc. It also doesn't work from my
+text editor.
+
 Shell jumpers
 =============
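
Review bot: `export CDPATH=...` in the "What I use now" section puts the variable into the environment of every child process, so shell scripts started from this shell inherit it and a relative `cd` inside them can resolve to one of these directories (and print the path on stdout) instead of failing; set it without `export`, and only for interactive shells. The prose also gives the work directory as `src/tor` while the variable has `~/src/tor`.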
 
@@ -16,48 +30,37 @@ Some of those may or may not have integration in Emacs.
 autojump
 --------
 
-https://github.com/wting/autojump 
-
-not in emacs, just in eshell
-https://github.com/coldnew/eshell-autojump
-
-https://stackoverflow.com/questions/25277748/use-z-jump-around-in-emacs-to-find-directories
+ * [home page](https://github.com/wting/autojump )
+ * not in emacs, but [works in eshell](https://github.com/coldnew/eshell-autojump)
+ * [this might work though](https://stackoverflow.com/questions/25277748/use-z-jump-around-in-emacs-to-find-directories)
 
 fasd
 ----
 
-https://github.com/clvv/fasd
-
-upstream packaged in debian, but those emacs extensions:
-
- * helm integration: https://github.com/ajsalminen/helm-fasd (not in melpa?)
- * more direct: https://framagit.org/steckerhalter/emacs-fasd
+ * [home page](https://github.com/clvv/fasd)
+ * upstream packaged in Debian
+ * emacs extensions, not in Debian:
+   * [helm integration](https://github.com/ajsalminen/helm-fasd) (not in melpa?)
+   * [more direct](https://framagit.org/steckerhalter/emacs-fasd)
 
 z
 -
 
-ungooglable.
-
-https://github.com/rupa/z
-
-not in debian at all.
-
-helm integration: https://melpa.org/#/helm-z
-eshell integration: https://github.com/xuchunyang/eshell-z
+ * [home page](https://github.com/rupa/z)
+ * ungooglable
+ * not in Debian
+ * [helm integration](https://melpa.org/#/helm-z)
+ * [eshell integration](https://github.com/xuchunyang/eshell-z)
 
 fzf
 ---
 
-https://github.com/junegunn/fzf
-
-the original "fuzzer". uses `find` by default, so no notion of
-frequency.
-
-emacs integration: https://github.com/bling/fzf.el
-
-similar projects: https://github.com/junegunn/fzf/wiki/Related-projects
-
-see also https://github.com/ajeetdsouza/zoxide
+ * [home page](https://github.com/junegunn/fzf)
+ * the original "fuzzer". uses `find` by default, so no notion of
+ frequency.
+ * [emacs integration](https://github.com/bling/fzf.el)
+ * [similar projects](https://github.com/junegunn/fzf/wiki/Related-projects)
+ * [rust implementation](https://github.com/ajeetdsouza/zoxide)
 
 Emacs plugins not integrated with the shell
 ===========================================
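
Review bot: under fzf, the removed line introduced zoxide with "see also" but the new bullet labels it "rust implementation", which reads as a Rust implementation of fzf; zoxide is a directory jumper in the style of `z` and autojump, so the bullet fits better under `z` or with its old wording. The autojump link target has a trailing space before the closing parenthesis (`autojump )`), and the wrapped line ` frequency.` is indented one space where the other wrapped bullets use three, so it may not render as part of its list item.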
@@ -69,19 +72,32 @@ functionality in the shell.
 projectile
 ----------
 
-https://github.com/bbatsov/projectile
+ * [home page](https://github.com/bbatsov/projectile)
+ * supports ido, ivy, or helm.
 
-supports ido, ivy, or helm.
+elpy
+----
 
-elpy?
------
+ * [home page](https://elpy.readthedocs.io/)
+ * elpy has a notion of [projects](https://elpy.readthedocs.io/en/latest/ide.html#projects), so, by default, will find files
+   in the current "project" with <kbd>C-c C-f</kdb> which is useful
 
 bookmarks.el
 ------------
 
+ * built-in
+ * [home page](https://www.emacswiki.org/emacs/BookMarks)
+ * "Bookmarks record locations so you can return to them later"
+
 recentf
 -------
 
+ * built-in
+ * [home page](https://www.emacswiki.org/emacs/RecentFiles)
+ * "builds a list of recently opened files. This list is is
+   automatically saved across sessions on exiting Emacs - you can then
+   access this list through a command or the menu"
+
 references
 ==========
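
Review bot: the elpy bullet opens `<kbd>` but closes with `</kdb>`, so the element is never closed and the text after it can render as keyboard input; change it to `</kbd>`. The recentf quote has a doubled "is is", which is worth checking against the quoted page.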
 

xref
diff --git a/software/desktop/calibre.mdwn b/software/desktop/calibre.mdwn
index 594c47c6..5500b79c 100644
--- a/software/desktop/calibre.mdwn
+++ b/software/desktop/calibre.mdwn
@@ -379,4 +379,6 @@ configuration file:
 
 Calibre is installed [through Flatpak](https://flathub.org/apps/details/com.calibre_ebook.calibre) because that version is more
 up to date in Debian (although for the server side of things that
-shouldn't really matter).
+shouldn't really matter). I tried to make systemd detect changes to
+the database and reload the service, but it failed, so maybe i'll need
+to look at another [[filesystem monitoring tool|blog/2019-11-20-file-monitoring-tools]].

bug with .path files
diff --git a/blog/2019-11-20-file-monitoring-tools.mdwn b/blog/2019-11-20-file-monitoring-tools.mdwn
index 57454827..c5e3b09a 100644
--- a/blog/2019-11-20-file-monitoring-tools.mdwn
+++ b/blog/2019-11-20-file-monitoring-tools.mdwn
@@ -137,6 +137,25 @@ systemd .path units
  * [Debian package](https://tracker.debian.org/pkg/systemd/) since 2010
  * activates a system or user "unit" on inotify changes
 
+Update: I tried to make this work for [[software/desktop/calibre]] but
+somehow it didn't work:
+
+    # this doesn't actually work. either it doesn't notices changes from git, or it
+    # doesn't notify calibre-server.service, or it does and that doesn't trigger a
+    # restart, but the thing doesn't restart as i would expect
+    [Path]
+    PathModified=/srv/books/metadata.db
+    PathModified=/srv/books
+    PathChanged=/srv/books/metadata.db
+    PathChanged=/srv/books
+
+    [Unit]
+    Description=calibre content server
+    After=network.target
+
+... ie. it doesn't restart the service on changes to any of those
+files.
+
 watchexec
 ---------
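
Review bot: the `[Path]` section has no `Unit=` line, so the path unit activates the service with the matching name, and activating a unit that is already running does nothing, which matches the "doesn't restart" symptom described; point it with `Unit=` at a separate oneshot service whose `ExecStart=` runs `systemctl restart calibre-server.service`. Listing both `/srv/books` and `/srv/books/metadata.db` under both `PathModified=` and `PathChanged=` is redundant, and the comment has "doesn't notices".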
 

OPDS server
diff --git a/software/desktop/calibre.mdwn b/software/desktop/calibre.mdwn
index 1f5c08de..594c47c6 100644
--- a/software/desktop/calibre.mdwn
+++ b/software/desktop/calibre.mdwn
@@ -328,3 +328,55 @@ independent from the Calibre project and talks directly to the
 database using SQLAlchemy. It does use calibre components to convert
 books but it might be an interesting alternative to the web interface
 shipped with Calibre.
+
+Update 3: I ended up setting up calibre on the server side of things
+to have an OPDS directory to more easily transfer books from my
+e-reader, now that I have an Android tablet (running "Document Viewer"
+or "Koreader", both of which support OPDS), or Koreader on my Kobo
+(which works much better than before, thanks to NickelMenu. I setup
+the service using this `.service` file:
+
+    [Service]
+    Type=simple
+    User=calibre-sandbox
+    Group=media
+    # this exposes the service to local users, which isn't great. socket activation
+    # would be better, but is not documented upstream and, well, it's only books and
+    # /srv/books is readable anyways..
+    ExecStart=/usr/bin/calibre-server --disable-fallback-to-detected-interface --listen-on 127.0.0.1 --port 4341 /srv/books
+
+    [Install]
+    WantedBy=multi-user.target
+
+The server is made publicly visible with authentication (because I
+don't trust calibre's builtin auth) thanks to this Apache
+configuration file:
+
+    <VirtualHost *:80>
+        ServerName calibre.anarc.at
+        Redirect / https://calibre.anarc.at/
+        DocumentRoot /var/www/html/
+    </VirtualHost>
+
+    <VirtualHost *:443>
+        ServerName calibre.anarc.at
+        Use common-letsencrypt-ssl calibre.anarc.at
+        DocumentRoot /var/www/html/
+        AllowEncodedSlashes On
+        ProxyPreserveHost On
+        ProxyPass /.well-known/ !
+            # 43 41 is ASCII hex for C A (L I B R E)
+            ProxyPass / http://127.0.0.1:4341/
+            ProxyPassReverse / http://127.0.0.1:4341/
+
+            <Location />
+            AuthType Basic
+            AuthName "Restricted Content"
+            AuthUserFile /etc/apache2/htpasswd.calibre
+            Require valid-user
+        </Location>
+    </VirtualHost>
+
+Calibre is installed [through Flatpak](https://flathub.org/apps/details/com.calibre_ebook.calibre) because that version is more
+up to date in Debian (although for the server side of things that
+shouldn't really matter).
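
Review bot: the Basic auth in `<Location />` is the only access control here, and as the unit's own comment says, the backend on `127.0.0.1:4341` stays reachable without credentials for every local user; since the account is already called `calibre-sandbox`, the `[Service]` section could at least confine what a request reaching it can do with `NoNewPrivileges=yes`, `ProtectSystem=strict`, `ProtectHome=yes` and `PrivateTmp=yes` (plus `ReadWritePaths=/srv/books` if the server must write to the library). The text says Calibre comes from Flatpak while `ExecStart=` runs `/usr/bin/calibre-server`, so state which install the server uses. "more up to date in Debian" presumably means "than in Debian", the parenthesis opened before "which works much better" is never closed, and `<Location />` is indented deeper than its `</Location>`.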

tried google authenticator
diff --git a/blog/2015-12-14-yubikey-howto/comment_3_f5611c9d076c0dadfc8a448c428470df._comment b/blog/2015-12-14-yubikey-howto/comment_3_f5611c9d076c0dadfc8a448c428470df._comment
new file mode 100644
index 00000000..693be1d8
--- /dev/null
+++ b/blog/2015-12-14-yubikey-howto/comment_3_f5611c9d076c0dadfc8a448c428470df._comment
@@ -0,0 +1,18 @@
+[[!comment format=mdwn
+ username="anarcat"
+ subject="""tried google authenticator"""
+ date="2020-10-14T14:21:56Z"
+ content="""
+Because I suspect it is better maintained, I tried the [google-authenticator-libpam](https://github.com/google/google-authenticator-libpam) plugin which *claims* to also support HOTP/OATH so hit should just work. Unfortunately, I wasn't able to make it work:
+
+ 1. the secret is formatted differently, with base32 that `base32 -d` cannot parse
+ 2. even if it would, it uses a different secret length
+
+I tried this magic piece of Python to generate a secret that would work in both:
+
+    secret = secrets.token_bytes(20)
+    print(binascii.hexlify(secret).decode('ascii'))
+    print(base64.b32encode(secret).decode('ascii'))
+
+.. but it doesn't work. Details in <https://github.com/Yubico/yubikey-personalization/issues/169>
+"""]]
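
Review bot: the Python snippet in the comment calls `secrets`, `binascii` and `base64` without importing them, so it fails as pasted; add `import base64, binascii, secrets` above the first line. "so hit should just work" should read "so it".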

crazy glue might solve this?
diff --git a/hardware/laptop/purism-librem13v4.mdwn b/hardware/laptop/purism-librem13v4.mdwn
index 1f8df52d..b9e0224a 100644
--- a/hardware/laptop/purism-librem13v4.mdwn
+++ b/hardware/laptop/purism-librem13v4.mdwn
@@ -540,3 +540,4 @@ The timeline of that laptop's hardware problems looks like this:
  * 2020-08-07: laptop delivered
  * 2020-09-20: bottom left "pad" drops off
  * 2020-10-10: asked support@ about the pad
+ * 2020-10-11: support response: crazy glue and [spare pads](https://shop.puri.sm/shop/rubber-feet/) (good)

notified support of hw problem again
diff --git a/hardware/laptop/purism-librem13v4.mdwn b/hardware/laptop/purism-librem13v4.mdwn
index e56e1e36..1f8df52d 100644
--- a/hardware/laptop/purism-librem13v4.mdwn
+++ b/hardware/laptop/purism-librem13v4.mdwn
@@ -539,3 +539,4 @@ The timeline of that laptop's hardware problems looks like this:
  * 2020-08-06: laptop shipped
  * 2020-08-07: laptop delivered
  * 2020-09-20: bottom left "pad" drops off
+ * 2020-10-10: asked support@ about the pad

two more suggestions from the fediverse
diff --git a/blog/2020-09-30-presentation-tools.mdwn b/blog/2020-09-30-presentation-tools.mdwn
index 909ab5a5..66e3d222 100644
--- a/blog/2020-09-30-presentation-tools.mdwn
+++ b/blog/2020-09-30-presentation-tools.mdwn
@@ -65,6 +65,12 @@ keep up to date.
  * [Source code](https://github.com/impress/impress.js), [demo](https://impress.js.org/)
  * [Hekyll](https://github.com/bmcmurray/hekyll) uses [Jekyll](https://github.com/mojombo/jekyll) as a backend
 
+## Impressive
+
+ * simply displays PDFs or images
+ * page transitions, overview screen, highlighting
+ * [Home page](http://impressive.sourceforge.net/)
+
 ## Libreoffice Impress
 
  * Powerpoint clone
@@ -80,10 +86,11 @@ keep up to date.
  * no release since 2008
  * [Home page](http://member.wide.ad.jp/wg/mgp/)
 
-## mdp
+## mdp and lookatme (commandline)
 
  * Commandline-only, markdown
  * [Home page](https://github.com/visit1985/mdp)
+ * [lookatme](https://github.com/d0c-s4vage/lookatme) is similar
 
 ## Pandoc
 

forgot a previous rant on this topic
diff --git a/blog/2020-09-30-presentation-tools.mdwn b/blog/2020-09-30-presentation-tools.mdwn
index b61f2f46..909ab5a5 100644
--- a/blog/2020-09-30-presentation-tools.mdwn
+++ b/blog/2020-09-30-presentation-tools.mdwn
@@ -51,6 +51,13 @@ keep up to date.
  * see also [powerdot](https://www.ctan.org/pkg/powerdot/)
  * [Home page](https://ctan.org/pkg/beamer)
 
+## Darkslide
+
+ * HTML, Javascript
+ * presenter notes, table of contents, Markdown, RST, Textile, themes,
+   code samples, auto-reload
+ * [Home page](https://github.com/ionelmc/python-darkslide), [demo](https://ionelmc.github.io/python-darkslide/#slide:1)
+
 ## Impress.js
 
  * Javascript
@@ -116,10 +123,40 @@ keep up to date.
    python-docutils
  * [Home page](http://meyerweb.com/eric/tools/s5), [demo](https://meyerweb.com/eric/tools/s5/s5-intro.html)
 
+## sent
+
+ * X11 only
+ * plain text, black on white, image support, and that's it
+ * from the [suckless.org](https://suckless.org/) elitists
+ * [Home page](https://tools.suckless.org/sent/)
+
 ## Sozi
 
  * Entire presentation is one poster, zooming and jumping around
  * SVG + Javascript
  * [Home page](https://sozi.baierouge.fr/), [demo](https://sozi.baierouge.fr/pages/10-about.html)
 
+## Other options
+
+Another option I have seriously considered is just generate a series
+of images with good resolution, hopefully matching the resolution (or
+at least aspect ratio) of the output device. Then you flip through a
+series of images one by one. In that case, any of those image viewers
+(not an exhaustive list) would work:
+
+ * [Geeqie](http://geeqie.org/)
+ * GNOME's [eog](https://wiki.gnome.org/Apps/EyeOfGnome/)
+ * [pho](http://shallowsky.com/software/pho/)
+ * [feh](https://feh.finalrewind.org/)
+ * [fim](https://www.nongnu.org/fbi-improved/)
+ * [sxiv](https://github.com/muennich/sxiv)
+
+Update: it turns out I already wrote a somewhat similar thing when I
+did a recent presentation. If you're into rants, you might enjoy [the
+README file accompanying the Kubecon rant presentation][]. TL;DR:
+"makes me want to scream" and "yet another unsolved problem space,
+sigh" (refering to "display images full-screen" specifically).
+
+[the README file accompanying the Kubecon rant presentation]: https://gitlab.com/anarcat/presentation-ethics/-/blob/master/README.md
+
 [[!tag debian-planet python-planet software review]]
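
Review bot: in the "Other options" paragraph, "is just generate a series of images" is missing "to" ("is to just generate"), and "refering" in the update should be "referring".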

toc
diff --git a/blog/2020-09-30-presentation-tools.mdwn b/blog/2020-09-30-presentation-tools.mdwn
index 1e51ae05..b61f2f46 100644
--- a/blog/2020-09-30-presentation-tools.mdwn
+++ b/blog/2020-09-30-presentation-tools.mdwn
@@ -6,6 +6,8 @@ I shouldn't share this (even if for myself!).
 
 So here it is. What's your favorite presentation tool?
 
+[[!toc levels=2]]
+
 # Tips
 
  * if you have some text to present, **outline keywords** so that you

title
diff --git a/blog/2020-09-30-presentation-tools.mdwn b/blog/2020-09-30-presentation-tools.mdwn
index 03297fb0..1e51ae05 100644
--- a/blog/2020-09-30-presentation-tools.mdwn
+++ b/blog/2020-09-30-presentation-tools.mdwn
@@ -1,3 +1,5 @@
+[[!meta title="Presentation tools"]]
+
 I keep forgetting how to make presentations. I had a list of tools in
 a wiki from a previous job, but that's now private and I don't see why
 I shouldn't share this (even if for myself!).

link to coms
diff --git a/blog/2020-09-30-presentation-tools.mdwn b/blog/2020-09-30-presentation-tools.mdwn
index 5264c376..03297fb0 100644
--- a/blog/2020-09-30-presentation-tools.mdwn
+++ b/blog/2020-09-30-presentation-tools.mdwn
@@ -34,6 +34,9 @@ Some of my presentations are available [in my GitLab.com account](https://gitlab
  * [Presentation about the Maple Spring, at OHM2013](https://gitlab.com/anarcat/ohm2013/)
  * [First presentation at Tor](https://gitlab.torproject.org/anarcat/onion-tex/-/tree/main/src/pandoc/anarcat-demo-2020)
 
+See also my [list of talks and presentations](/communication) which I can't seem to
+keep up to date.
+
 # Tools
 
 ## Beamer (LaTeX)

tag, add list of presentations
diff --git a/blog/2020-09-30-presentation-tools.mdwn b/blog/2020-09-30-presentation-tools.mdwn
index 5df346fc..5264c376 100644
--- a/blog/2020-09-30-presentation-tools.mdwn
+++ b/blog/2020-09-30-presentation-tools.mdwn
@@ -25,6 +25,15 @@ for most slides, because PDFs are more reliable and portable than web
 pages. I've also used Libreoffice, Pinpoint, and S5 (through RST) in
 the past. I miss Pinpoint, too bad that it died.
 
+Some of my presentations are available [in my GitLab.com account](https://gitlab.com/users/anarcat/projects):
+
+ * [Presentations while I worked at Koumbit](https://gitlab.com/anarcat/presentations-koumbit)
+ * [Short presentation about PRISM](https://gitlab.com/anarcat/presentation-prism)
+ * [Security training](https://gitlab.com/anarcat/presentation-security)
+ * [Ethics in computing](https://gitlab.com/anarcat/presentation-ethics), based on [this blog post](https://anarc.at/blog/2018-05-26-kubecon-rant/)
+ * [Presentation about the Maple Spring, at OHM2013](https://gitlab.com/anarcat/ohm2013/)
+ * [First presentation at Tor](https://gitlab.torproject.org/anarcat/onion-tex/-/tree/main/src/pandoc/anarcat-demo-2020)
+
 # Tools
 
 ## Beamer (LaTeX)
@@ -105,3 +114,5 @@ the past. I miss Pinpoint, too bad that it died.
  * Entire presentation is one poster, zooming and jumping around
  * SVG + Javascript
  * [Home page](https://sozi.baierouge.fr/), [demo](https://sozi.baierouge.fr/pages/10-about.html)
+
+[[!tag debian-planet python-planet software review]]

presentation tools
diff --git a/blog/2020-09-30-presentation-tools.mdwn b/blog/2020-09-30-presentation-tools.mdwn
new file mode 100644
index 00000000..5df346fc
--- /dev/null
+++ b/blog/2020-09-30-presentation-tools.mdwn
@@ -0,0 +1,107 @@
+I keep forgetting how to make presentations. I had a list of tools in
+a wiki from a previous job, but that's now private and I don't see why
+I shouldn't share this (even if for myself!).
+
+So here it is. What's your favorite presentation tool?
+
+# Tips
+
+ * if you have some text to present, **outline keywords** so that you
+   can present your subject **without reading every word**
+ * ideally, **don't read from your slides** - they are there to help
+   people follow, not for people to read
+ * even better: make your slides **pretty** with only a few words, or
+   **don't make slides at all**
+
+Further advice:
+
+ * [7 tips by Jeffrey Veen](http://veen.com/jeff/archives/000483.html)
+ * [10 tips by Neil Patel](http://www.quicksprout.com/2007/09/01/10-tips-for-a-killer-presentation/)
+ * [The Art of Presenting by Matt Westgate](https://www.lullabot.com/blog/art-presenting) (video)
+ * [Presenting You by Emma Jane Hogbin](http://dc2009.drupalcon.org/session/presenting-you.html) (video)
+
+I'm currently using Pandoc with PDF input (with a trip through LaTeX)
+for most slides, because PDFs are more reliable and portable than web
+pages. I've also used Libreoffice, Pinpoint, and S5 (through RST) in
+the past. I miss Pinpoint, too bad that it died.
+
+# Tools
+
+## Beamer (LaTeX)
+
+ * LaTeX class
+ * Do not use directly unless you are a LaTeX expert or masochist, see
+   Pandoc below
+ * see also [powerdot](https://www.ctan.org/pkg/powerdot/)
+ * [Home page](https://ctan.org/pkg/beamer)
+
+## Impress.js
+
+ * Javascript
+ * Zooms in and out, 3D support
+ * [Source code](https://github.com/impress/impress.js), [demo](https://impress.js.org/)
+ * [Hekyll](https://github.com/bmcmurray/hekyll) uses [Jekyll](https://github.com/mojombo/jekyll) as a backend
+
+## Libreoffice Impress
+
+ * Powerpoint clone
+ * Makes my life miserable
+ * PDF export, presenter notes, outline view, etc
+ * [Home page](https://libreoffice.org/discover/impress/), [screenshots](https://libreoffice.org/discover/screenshots/)
+
+## Magicpoint
+
+ * ancestor of everyone else (1997!)
+ * text input format, image support, talk timer, slide guides,
+   HTML/Postscript export, draw on slides, X11 output
+ * no release since 2008
+ * [Home page](http://member.wide.ad.jp/wg/mgp/)
+
+## mdp
+
+ * Commandline-only, markdown
+ * [Home page](https://github.com/visit1985/mdp)
+
+## Pandoc
+
+ * Allows converting from basically whatever into slides, including
+   Beamer, DZSlides, reveal.js, slideous, slidy, Powerpoint
+ * PDF, HTML, Powerpoint export, presentation notes, full screen
+   background images
+ * nice plain text or markdown input format
+ * [Home page](https://pandoc.org/), [documentation](https://pandoc.org/MANUAL.html#producing-slide-shows-with-pandoc)
+
+## PDF Presenter
+
+ * PDF presentation tool, shows presentation notes
+ * basically "Keynote for Linux"
+ * [Home page](https://pdfpc.github.io/), pdf-presenter-console in Debian
+
+## Pinpoint
+
+ * Native GNOME app
+ * Full screen slides, PDF export, live change, presenter notes, pango
+   markup, video, image backgrounds
+ * [Home page](https://wiki.gnome.org/Attic/Pinpoint)
+ * Abandoned since at least 2019
+
+## Reveal.js
+
+ * HTML, Javascript
+ * PDF export, Markdown, LaTeX support, syntax-highlighting, nested
+   slides, speaker notes
+ * [Source code](https://github.com/hakimel/reveal.js), [demo](https://revealjs.com/)
+
+## S5
+
+ * HTML, CSS
+ * incremental, bookmarks, keyboard controls
+ * can be transformed from ReStructuredText (RST) with `rst2s5` with
+   python-docutils
+ * [Home page](http://meyerweb.com/eric/tools/s5), [demo](https://meyerweb.com/eric/tools/s5/s5-intro.html)
+
+## Sozi
+
+ * Entire presentation is one poster, zooming and jumping around
+ * SVG + Javascript
+ * [Home page](https://sozi.baierouge.fr/), [demo](https://sozi.baierouge.fr/pages/10-about.html)
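
Review bot: "Pandoc with PDF input (with a trip through LaTeX)" in the paragraph before "# Tools" looks inverted: Pandoc writes PDF through LaTeX and does not read it, and the rest of the sentence argues for PDF as the delivered format, so this should say "PDF output". The "PDF Presenter" section links to pdfpc and names the Debian package `pdf-presenter-console`, so the heading could use the tool's actual name.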

add delivery date
diff --git a/hardware/laptop/purism-librem13v4.mdwn b/hardware/laptop/purism-librem13v4.mdwn
index 1d27f7f2..e56e1e36 100644
--- a/hardware/laptop/purism-librem13v4.mdwn
+++ b/hardware/laptop/purism-librem13v4.mdwn
@@ -537,4 +537,5 @@ The timeline of that laptop's hardware problems looks like this:
    next week by the end of next week"
  * 2020-08-04: replacement ready, prompted for address again
  * 2020-08-06: laptop shipped
+ * 2020-08-07: laptop delivered
  * 2020-09-20: bottom left "pad" drops off

pads fall off
diff --git a/hardware/laptop/purism-librem13v4.mdwn b/hardware/laptop/purism-librem13v4.mdwn
index d4efb3c6..1d27f7f2 100644
--- a/hardware/laptop/purism-librem13v4.mdwn
+++ b/hardware/laptop/purism-librem13v4.mdwn
@@ -462,9 +462,10 @@ incurred significant extra costs and delays in getting the machine up
 to speed.
 
 But it seems the platform has some fundamental hardware reliability
-issues. Case screws would [fall off](https://forums.puri.sm/t/where-can-i-get-screws-for-the-librem-13v4/7044). A USB port broke. The CPU fan
-goes crazy. And now, after a year, the laptop just completely
-died. Below are the details...
+issues. Case screws would [fall off](https://forums.puri.sm/t/where-can-i-get-screws-for-the-librem-13v4/7044). (Update: and the "pads" below
+the laptop fall off.) A USB port broke. The CPU fan goes crazy. And
+now, after a year, the laptop just completely died. Below are the
+details...
 
 I have found that any significant hardware processing would quickly
 throttle the CPU because it would overheat. Any videoconferencing work
@@ -536,3 +537,4 @@ The timeline of that laptop's hardware problems looks like this:
    next week by the end of next week"
  * 2020-08-04: replacement ready, prompted for address again
  * 2020-08-06: laptop shipped
+ * 2020-09-20: bottom left "pad" drops off

approve comment
diff --git a/blog/2020-09-21-mailman-psa/comment_1_8865e32354a3769b0107feabd63edbb1._comment b/blog/2020-09-21-mailman-psa/comment_1_8865e32354a3769b0107feabd63edbb1._comment
new file mode 100644
index 00000000..983bd6b4
--- /dev/null
+++ b/blog/2020-09-21-mailman-psa/comment_1_8865e32354a3769b0107feabd63edbb1._comment
@@ -0,0 +1,9 @@
+[[!comment format=mdwn
+ ip="187.214.194.0"
+ claimedauthor="Gunnar Wolf"
+ url="https://gwolf.org/"
+ subject="Lots of love and a promise of a beer. Thanks!"
+ date="2020-09-21T23:21:15Z"
+ content="""
+I have, like many others, spent some time head-scratching because of this stupid spammy behavior. Thanks a lot for taking the extra steps and providing a fix for it!
+"""]]

more notes
diff --git a/hardware/car.mdwn b/hardware/car.mdwn
index cb0834b6..b7e6e94b 100644
--- a/hardware/car.mdwn
+++ b/hardware/car.mdwn
@@ -19,6 +19,7 @@ Car comparisons
 
 * [axlegeeks.com](http://cars.axlegeeks.com/)
 * [cars.com](http://www.cars.com/go/compare/modelCompare.jsp?myids=7644,4656,3883)
+* [edmunds.com](https://www.edmunds.com/car-comparisons/)
 
 Listings
 ========
@@ -26,5 +27,11 @@ Listings
 * [Guide de l'auto](http://www.guideautoweb.com/occasions/)
 * [Auto-hebdo.net](http://wwwa.autohebdo.net/autos/toyota/qc/montr%C3%A9al/?prx=100&prv=Qu%C3%A9bec&loc=h2s+2r8&sts=Neuf-Occasion&pRng=%2c5000&oRng=1000%2c&hprc=True&wcp=True&uag=C28484A8C31B6F670D1F7AFAE9610D92DFC8A897C244B774026A439C5DEAA458&rcs=0&rcp=100&srt=12)
 * [Kijiji < 5000$ grand montréal](http://www.kijiji.ca/b-autos-camions/grand-montreal/autre+type+de+carrosserie__berline__bicorps__cabriolet__coupe__familiale/c174l80002a138?ad=offering&price=__5000)
+* [Car gurus](https://www.cargurus.ca/)
+
+Reference
+=========
+
+* [how to read a tire size](https://www.goodyearautoservice.com/en-US/tire-basics/tire-size)
 
 [[!tag research]]

reorder
diff --git a/blog/2020-09-21-mailman-psa.mdwn b/blog/2020-09-21-mailman-psa.mdwn
index 648522dd..8e61e1ad 100644
--- a/blog/2020-09-21-mailman-psa.mdwn
+++ b/blog/2020-09-21-mailman-psa.mdwn
@@ -1,12 +1,12 @@
 [[!meta title="PSA: Mailman used to harrass people"]]
 
-[[!toc]]
-
 It seems that Mailman instances are being abused to harrass people
 with subscribe spam. If some random people complain to you that they
 "never wanted to subscribe to your mailing list", you may be a victim
 to that attack, even if you run the latest Mailman 2.
 
+[[!toc]]
+
 # TL;DR: IKR! HOW DO I FIX THIS!?
 
 Make sure you have `SUBSCRIBE_FORM_SECRET` set in your mailman configuration:

toc, no repeat
diff --git a/blog/2020-09-21-mailman-psa.mdwn b/blog/2020-09-21-mailman-psa.mdwn
index a37fe2fe..648522dd 100644
--- a/blog/2020-09-21-mailman-psa.mdwn
+++ b/blog/2020-09-21-mailman-psa.mdwn
@@ -1,5 +1,7 @@
 [[!meta title="PSA: Mailman used to harrass people"]]
 
+[[!toc]]
+
 It seems that Mailman instances are being abused to harrass people
 with subscribe spam. If some random people complain to you that they
 "never wanted to subscribe to your mailing list", you may be a victim
@@ -71,8 +73,7 @@ cross-site scripting attack against Mailman servers.
 Obviously, CSRF protection should be enabled by default in Mailman,
 but there you go. Hopefully this will help some folks...
 
-(Obviously, the latest Mailman 3 release doesn't suffer from such
-idiotic defaults and ships with proper CSRF protection out of the
-box.)
+(The latest Mailman 3 release doesn't suffer from such idiotic
+defaults and ships with proper CSRF protection out of the box.)
 
 [[!tag mailman security debian-planet python-planet sysadmin email web]]

mailman security issue
diff --git a/blog/2020-09-21-mailman-psa.mdwn b/blog/2020-09-21-mailman-psa.mdwn
new file mode 100644
index 00000000..a37fe2fe
--- /dev/null
+++ b/blog/2020-09-21-mailman-psa.mdwn
@@ -0,0 +1,78 @@
+[[!meta title="PSA: Mailman used to harrass people"]]
+
+It seems that Mailman instances are being abused to harrass people
+with subscribe spam. If some random people complain to you that they
+"never wanted to subscribe to your mailing list", you may be a victim
+to that attack, even if you run the latest Mailman 2.
+
+# TL;DR: IKR! HOW DO I FIX THIS!?
+
+Make sure you have `SUBSCRIBE_FORM_SECRET` set in your mailman configuration:
+
+    SECRET=$(tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 30)'
+    echo "SUBSCRIBE_FORM_SECRET = '$SECRET'" >> /etc/mailman/mm.cfg
+
+This will add a magic token to all forms in the Mailman web forms that
+will force the attacker to at least get a token before asking for
+registration. There are, of course, other ways of performing the
+attack then, but it's more expensive than a single request for the
+attacker and keeps most of the junk out.
+
+# Other solutions
+
+I originally deployed a different fix, using referrer checks and an IP
+block list:
+
+    RewriteMap hosts-deny  txt:/etc/apache2/blocklist.txt
+    RewriteCond ${hosts-deny:%{REMOTE_ADDR}|NOT-FOUND} !=NOT-FOUND [OR]
+    RewriteCond ${hosts-deny:%{REMOTE_HOST}|NOT-FOUND} !=NOT-FOUND [OR]
+    RewriteCond %{HTTP_REFERER} !^https://lists.torproject.org/$ [NC]
+    RewriteRule ^/cgi-bin/mailman/subscribe/ - [F]
+    # see also https://www.w3.org/TR/referrer-policy/#referrer-policy-origin
+    Header always set Referrer-Policy "origin"
+
+I kept those restrictions in place because it keeps the spammers from
+even hitting the Mailman CGI, which is useful to preserve our server
+resources. But if "they" escalate with smarter crawlers, the block
+list will still be useful.
+
+You can use this query to extract the top 10 IP addresses used for
+subscription attempts:
+
+    awk '{ print $NF }' /var/log/mailman/subscribe | sort | uniq -c | sort -n | tail -10  | awk '{ print $2 " " $1 }'
+
+Note that this might include email-based registration, but in our logs
+those are extremely rare: only *two* in three weeks, out of over
+73,000 requests. I also use this to keep an eye on the logs:
+
+    tail -f  /var/log/mailman/subscribe /var/log/apache2/lists.torproject.org-access.log | grep -v 'GET /pipermail/'
+
+The server-side mitigations might also be useful if you happen to run
+an extremely old version of Mailman, that is pre-2.1.18, but it's now
+over 6 years old and part of every supported Debian release out there
+(all the way back to Debian 8 jessie).
+
+# Why does that attack work?
+
+Because Mailman 2 doesn't have CSRF tokens in its forms by default,
+anyone can send a `POST` request to `/mailman/subscribe/LISTNAME` to
+have Mailman send an email to the user. In the old "Internet is for
+nice people" universe, that wasn't a problem: all it does is ask the
+victim if they want to subscribe to `LISTNAME`. Innocuous, right?
+
+But in the brave, new, post-[Eternal-September](https://en.wikipedia.org/wiki/Eternal_September), "Internet is for
+stupid" universe, some assholes think it's a good idea to make a form
+that collects *hundreds* of mailing list URLs and spam them through an
+`iframe`. To see what that looks like, you can look at the rendered
+source code behind `samedyfreeday.co.uk` (not linking to avoid
+promoting it). That site does what is basically a distributed
+cross-site scripting attack against Mailman servers.
+
+Obviously, CSRF protection should be enabled by default in Mailman,
+but there you go. Hopefully this will help some folks...
+
+(Obviously, the latest Mailman 3 release doesn't suffer from such
+idiotic defaults and ships with proper CSRF protection out of the
+box.)
+
+[[!tag mailman security debian-planet python-planet sysadmin email web]]
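
Review bot: the "Why does that attack work?" section calls this "a distributed cross-site scripting attack", but the mechanism the same section describes (no CSRF tokens, a third-party form firing `POST` requests at `/mailman/subscribe/LISTNAME` through an `iframe`) is cross-site request forgery; nothing is injected into Mailman's own pages. Suggest "distributed cross-site request forgery attack" so the diagnosis matches the CSRF protection recommended two paragraphs later. Separately, the top-10 query ends in `sort -n | tail -10`, which prints the busiest address last; `sort -rn | head -10` would put it first, if that is the intended reading order.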

Added a comment
diff --git a/blog/2020-06-04-replacing-smokeping-prometheus/comment_4_eabcbdbaa55049097ffc27833ba22ab5._comment b/blog/2020-06-04-replacing-smokeping-prometheus/comment_4_eabcbdbaa55049097ffc27833ba22ab5._comment
new file mode 100644
index 00000000..04a25949
--- /dev/null
+++ b/blog/2020-06-04-replacing-smokeping-prometheus/comment_4_eabcbdbaa55049097ffc27833ba22ab5._comment
@@ -0,0 +1,20 @@
+[[!comment format=mdwn
+ username="anarcat"
+ avatar="https://seccdn.libravatar.org/avatar/741655483dd8a0b4df28fb3dedfa7e4c"
+ subject="comment 4"
+ date="2020-09-21T14:06:48Z"
+ content="""
+>  Could you share that smokeping_prober dash? Looks nice 
+
+The dashboard is linked from the post, but in case you can't find the link, here it is again:
+
+<https://grafana.com/grafana/dashboards/12412>
+
+... unless you mean the Prometheus exporter? It's here:
+
+<https://github.com/SuperQ/smokeping_prober/>
+
+I've also added the dashboard to my personal repo in:
+
+<https://gitlab.com/anarcat/grafana-dashboards>
+"""]]

approve comment
diff --git a/blog/2020-06-04-replacing-smokeping-prometheus/comment_1_fa7e97d669f16bf4b429d536b6447218._comment b/blog/2020-06-04-replacing-smokeping-prometheus/comment_1_fa7e97d669f16bf4b429d536b6447218._comment
new file mode 100644
index 00000000..29b87a84
--- /dev/null
+++ b/blog/2020-06-04-replacing-smokeping-prometheus/comment_1_fa7e97d669f16bf4b429d536b6447218._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ ip="107.3.130.185"
+ claimedauthor="simply_jack"
+ subject="Dashboard"
+ date="2020-09-20T22:22:34Z"
+ content="""
+Could you share that smokeping_prober dash? Looks nice
+"""]]
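
Review bot: the `ip="107.3.130.185"` line stores the anonymous commenter's source address in a tracked file, so it becomes a permanent part of the wiki's history next to `claimedauthor`. If the address is only needed for moderation, consider dropping or truncating the `ip` field before approving the comment, or keeping it in a log outside the repository.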

notice the wootbook
diff --git a/hardware/laptop.mdwn b/hardware/laptop.mdwn
index 18e451bc..34ad9c90 100644
--- a/hardware/laptop.mdwn
+++ b/hardware/laptop.mdwn
@@ -95,6 +95,21 @@ prototype stage:
 
 Interesting especially for the possibility of a e-ink screen...
 
+Wootbook
+--------
+
+KDE and others have started branding laptops and shipping them with
+Linux. KDE has the [Slimbook 14](https://slimbook.es/en/store/slimbook-kde/kde-slimbook-14-comprar) for example, and there's the
+[Tuxedo Pulse 14](https://www.tuxedocomputers.com/en/Linux-Hardware/Linux-Notebooks/10-14-inch/TUXEDO-Pulse-14-Gen1.tuxedo). Both of those are actually rebranded Tongfang
+PF4NU1F laptops. Because of that stupidly hard name, many refer to
+them as the [Wootbook](https://www.wootware.co.za/wootbook-metal-ii-pf4nu1f-amd-ryzen-7-4800h-2-9ghz-octa-core-14-full-hd-1920x1080-ips-space-black-laptop.html).
+
+The current DPL has a [good review](https://jonathancarter.org/2020/09/13/wootbook-tongfang-laptop/) of the hardware, which looks
+like a nice cheap AMD laptop.
+
+I like that it has many USB ports and a real ethernet port, even
+though it's slim and light...
+
 Novena
 ------
 

merge the two opds notes
diff --git a/software/desktop/calibre.mdwn b/software/desktop/calibre.mdwn
index fe175ca4..1f5c08de 100644
--- a/software/desktop/calibre.mdwn
+++ b/software/desktop/calibre.mdwn
@@ -270,9 +270,6 @@ Calibre is...
    for this, however, given that I already use it to synchronize and
    backup my ebook collection in the first place...
 
-   TODO: Talk about OPDS? Liber doesn't support it (yet) and very few
-   server implementations ([test server](http://feedbooks.github.io/opds-test-catalog/), [2016 analysis](https://github.com/wallabag/wallabag/issues/1253#issuecomment-204996640)).
-
  * an **RSS reader**: I used this for a while to read RSS feeds on my
    ebook-reader, but it was pretty clunky. Calibre would be
    continously generating new ebooks based on those feeds and I would
@@ -291,7 +288,11 @@ Calibre is...
    supports acting as an OPDS directory, which is kind of neat. There
    are, as far as I know, no alternative for such a system although
    there *are* servers to share and store ebooks, like [Trantor][] or
-   [Liber][].
+   [Liber][]. Unfortunately, neither support OPDS, which is too bad:
+   that protocol is quite useful to browse books on the fly from
+   hacked Kobo readers (running [Koreader](http://koreader.rocks/), but [not Plato](https://github.com/baskerville/plato/issues/69)) or
+   Android devices (running [Document Viewer](https://f-droid.org/packages/org.sufficientlysecure.viewer/) or Koreader)... There
+   is an OPDS [test server](http://feedbooks.github.io/opds-test-catalog/), see also my [2016 analysis](https://github.com/wallabag/wallabag/issues/1253#issuecomment-204996640).
 
 [Liber]: https://git.autistici.org/ale/liber
 [Trantor]: https://gitlab.com/trantor/trantor

mention opds
diff --git a/software/desktop/calibre.mdwn b/software/desktop/calibre.mdwn
index bd9fb266..fe175ca4 100644
--- a/software/desktop/calibre.mdwn
+++ b/software/desktop/calibre.mdwn
@@ -270,6 +270,9 @@ Calibre is...
    for this, however, given that I already use it to synchronize and
    backup my ebook collection in the first place...
 
+   TODO: Talk about OPDS? Liber doesn't support it (yet) and very few
+   server implementations ([test server](http://feedbooks.github.io/opds-test-catalog/), [2016 analysis](https://github.com/wallabag/wallabag/issues/1253#issuecomment-204996640)).
+
  * an **RSS reader**: I used this for a while to read RSS feeds on my
    ebook-reader, but it was pretty clunky. Calibre would be
    continously generating new ebooks based on those feeds and I would

fix broken link
diff --git a/software/desktop/calibre.mdwn b/software/desktop/calibre.mdwn
index 8778b0ec..bd9fb266 100644
--- a/software/desktop/calibre.mdwn
+++ b/software/desktop/calibre.mdwn
@@ -239,7 +239,7 @@ Calibre is...
    This also connects with the more general "book inventory" problem I
    have which involves an inventory physical books and directory of
    online articles. See also [[firefox]] (Zotero section) and
-   [[bookmarks]] for a longer discussion of that problem.
+   [[services/bookmarks]] for a longer discussion of that problem.
 
  * a **metadata editor**: the "collection browser" is based on a lot
    of metadata that Calibre indexes from the books. It can magically

sort lines
diff --git a/services/bookmarks.mdwn b/services/bookmarks.mdwn
index 4293bd44..730659f8 100644
--- a/services/bookmarks.mdwn
+++ b/services/bookmarks.mdwn
@@ -50,19 +50,19 @@ Possible alternatives to zotero and/or wallabag include:
 
  * [i librarian](https://i-librarian.net/)
  * [jabref](http://www.jabref.org/)
- * [xapers](https://finestructure.net/xapers/)
- * [pubs](https://github.com/pubs/pubs)
  * [papis](https://github.com/papis/papis)
+ * [pubs](https://github.com/pubs/pubs)
+ * [xapers](https://finestructure.net/xapers/)
 
 This also overlaps with bookmarking software like:
 
- * [Turtl](https://turtlapp.com/)
- * [reminiscense](https://github.com/kanishka-linux/reminiscence)
  * [archivebox](https://archivebox.io/) (previously called [bookmark-archiver](https://pirate.github.io/bookmark-archiver/))
- * [Wallabag](https://wallabag.org/)
  * [Buku](https://github.com/jarun/Buku)
- * [Shiori](https://github.com/RadhiFadlillah/shiori)
  * [memex](https://worldbrain.io/)
+ * [reminiscense](https://github.com/kanishka-linux/reminiscence)
+ * [Shiori](https://github.com/RadhiFadlillah/shiori)
+ * [Turtl](https://turtlapp.com/)
+ * [Wallabag](https://wallabag.org/)
 
 ... and archival software in the [[WARC ecosystem|services/archive]].
 

add two more bookmarks tools
diff --git a/services/bookmarks.mdwn b/services/bookmarks.mdwn
index 76fd2641..4293bd44 100644
--- a/services/bookmarks.mdwn
+++ b/services/bookmarks.mdwn
@@ -48,6 +48,8 @@ Possible alternatives
 
 Possible alternatives to zotero and/or wallabag include:
 
+ * [i librarian](https://i-librarian.net/)
+ * [jabref](http://www.jabref.org/)
  * [xapers](https://finestructure.net/xapers/)
  * [pubs](https://github.com/pubs/pubs)
  * [papis](https://github.com/papis/papis)

another thing suggested on mastodon
diff --git a/blog/cdpath-replacement.mdwn b/blog/cdpath-replacement.mdwn
index 2007a5a6..661319ae 100644
--- a/blog/cdpath-replacement.mdwn
+++ b/blog/cdpath-replacement.mdwn
@@ -57,6 +57,8 @@ emacs integration: https://github.com/bling/fzf.el
 
 similar projects: https://github.com/junegunn/fzf/wiki/Related-projects
 
+see also https://github.com/ajeetdsouza/zoxide
+
 Emacs plugins not integrated with the shell
 ===========================================
 

correction, mlterm does not use VTE
diff --git a/blog/2018-04-12-terminal-emulators-1.mdwn b/blog/2018-04-12-terminal-emulators-1.mdwn
index 4549211c..08abca35 100644
--- a/blog/2018-04-12-terminal-emulators-1.mdwn
+++ b/blog/2018-04-12-terminal-emulators-1.mdwn
@@ -39,7 +39,7 @@ Here are the terminals examined in the series:
 | [Alacritty](https://github.com/jwilm/alacritty)            | N/A           | N/A     | 6debc4f  | no releases, Git head                                                                 |
 | [GNOME Terminal](https://wiki.gnome.org/Apps/Terminal)     | 3.22.2        | 3.26.2  | 3.28.0   | uses GTK3, [VTE](https://github.com/GNOME/vte)                                        |
 | [Konsole](https://konsole.kde.org/)                        | 16.12.0       | 17.12.2 | 17.12.3  | uses KDE libraries                                                                    |
-| [mlterm](http://mlterm.sourceforge.net/)                   | 3.5.0         | 3.7.0   | 3.8.5    | uses VTE, "Multi-lingual terminal"                                                    |
+| [mlterm](http://mlterm.sourceforge.net/)                   | 3.5.0         | 3.7.0   | 3.8.5    | <del>uses VTE,</del> "Multi-lingual terminal"                                                    |
 | [pterm](https://manpages.debian.org/pterm)                 | 0.67          | 0.70    | 0.70     | [PuTTY](https://www.chiark.greenend.org.uk/%7Esgtatham/putty/) without ssh, uses GTK2 |
 | [st](https://st.suckless.org/)                             | 0.6           | 0.7     | 0.8.1    | "simple terminal"                                                                     |
 | [Terminator](https://gnometerminator.blogspot.ca/)         | 1.90+bzr-1705 | 1.91    | 1.91     | uses GTK3, VTE                                                                        |

nice quote heard on This American Life ep #713
diff --git a/fortunes.txt b/fortunes.txt
index 6a8e6592..555d0a6f 100644
--- a/fortunes.txt
+++ b/fortunes.txt
@@ -1123,3 +1123,7 @@ skill. The code you leave behind speaks.
 %
 When the power of love overcomes love of power the world will know peace.
                         - Jimi Hendrix
+%
+Treating different things the same can generate as much inequality as
+treating the same things differently.
+                        - Kimberlé Crenshaw

alternative to minimal
diff --git a/software/desktop/firefox.mdwn b/software/desktop/firefox.mdwn
index 29a5ad0e..aeea4ae7 100644
--- a/software/desktop/firefox.mdwn
+++ b/software/desktop/firefox.mdwn
@@ -32,7 +32,8 @@ I have those extensions installed and use them very frequently:
  * [Livemarks](https://addons.mozilla.org/en-US/firefox/addon/livemarks/) (no deb, [source](https://github.com/nt1m/livemarks)) or [Awesome RSS](https://addons.mozilla.org/en-US/firefox/addon/awesome-rss/) (no deb,
    [source](https://github.com/shgysk8zer0/awesome-rss)) - replace the [Live bookmarks removal](https://support.mozilla.org/en-US/kb/live-bookmarks-migration)
  * [Minimal](https://addons.mozilla.org/en-US/firefox/addon/minimal-internet-experience/) ([homepage](https://minimal.community/)) - removes autoplay, search suggestions
-   and all sorts of junks from many websites
+   and all sorts of junks from many websites (alternative:
+   [shutup](https://addons.mozilla.org/en-US/firefox/addon/shut-up-comment-blocker/), just for comments)
  * [uBlock Origin][] ([[!debpkg webext-ublock-origin desc="debian
    package"]], [source](https://github.com/gorhill/uBlock)) - making the web sane again
  * [uMatrix][] ([[!debpkg webext-umatrix desc="debian package"]],

another day, another patch
diff --git a/services/wiki.mdwn b/services/wiki.mdwn
index dbae7a85..6bd053bd 100644
--- a/services/wiki.mdwn
+++ b/services/wiki.mdwn
@@ -140,9 +140,14 @@ I still carry those patches on top of ikiwiki:
  * [todo/admonitions](https://ikiwiki.info/todo/admonitions)
  * [bugs/footnotes-look-weird](https://ikiwiki.info/bugs/footnotes-look-weird) (not a patch on core per se, but
    a modification to the stylesheet, as [many others](https://anarc.at/bootstrap.local.css))
+ * [todo/add_geo_uri_scheme](https://ikiwiki.info/todo/add_geo_uri_scheme/)
 
 To apply this patch set:
 
+!!!! switch to a master branch instead of this tangled mess. the
+master branch on gitlab has all the goods, i believe, while the stuff
+below is missing at least the geo scheme stuff. !!!
+
     cd src/ikiwiki &&
     release=debian/3.20190228-1 &&
     git rebase $release dev/git-annex-support &&
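
Review bot: the `!!!! switch to a master branch ... !!!` paragraph sits between "To apply this patch set:" and the command block, so the page now introduces commands that the same hunk says are missing the geo scheme patch just added to the list above. Suggest moving the warning above "To apply this patch set:" as a regular TODO (the opening `!!!!` and closing `!!!` do not match each other), or replacing the commands with a checkout of the master branch it refers to.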

diff --git a/pleinair/sites.mdwn b/pleinair/sites.mdwn
index 4d87a99a..fd73f3fb 100644
--- a/pleinair/sites.mdwn
+++ b/pleinair/sites.mdwn
@@ -12,7 +12,7 @@ fast-food et station-service proche.
 Au sud de la sortie 29 de l'autouroute 10, après le Tim Horton's.
 
  * [OpenStreetMap](https://www.openstreetmap.org/node/5846671485)
- * [45.41158N 73.24219W](geo:45.41158,-73.24219)
+ * <a href="geo:45.41158,-73.24219">45.41158N 73.24219W</a>
 
 Petite Rivière St-François
 ==========================

toc
diff --git a/pleinair/sites.mdwn b/pleinair/sites.mdwn
index 20c3cda7..4d87a99a 100644
--- a/pleinair/sites.mdwn
+++ b/pleinair/sites.mdwn
@@ -1,5 +1,7 @@
 [[!meta title="Sites de camping et haltes routières"]]
 
+[[!toc]]
+
 Halte du Richelieu
 ==================
 

start an inventory of nice rest stops along the road
diff --git a/pleinair/sites.mdwn b/pleinair/sites.mdwn
new file mode 100644
index 00000000..20c3cda7
--- /dev/null
+++ b/pleinair/sites.mdwn
@@ -0,0 +1,18 @@
+[[!meta title="Sites de camping et haltes routières"]]
+
+Halte du Richelieu
+==================
+
+Très jolie halte sur le Richelieu, sur les ruines d'un ancien moulin
+avec pied dans la rivière. Tables à pic-nic, ombragé, toilettes,
+fast-food et station-service proche.
+
+Au sud de la sortie 29 de l'autouroute 10, après le Tim Horton's.
+
+ * [OpenStreetMap](https://www.openstreetmap.org/node/5846671485)
+ * [45.41158N 73.24219W](geo:45.41158,-73.24219)
+
+Petite Rivière St-François
+==========================
+
+... détails à venir.

ideas
diff --git a/blog/cdpath-replacement.mdwn b/blog/cdpath-replacement.mdwn
new file mode 100644
index 00000000..2007a5a6
--- /dev/null
+++ b/blog/cdpath-replacement.mdwn
@@ -0,0 +1,88 @@
+after reading [this post](https://www.kvr.at/posts/my-new-favorite-utility-autojump/) I figured I might as well bite the bullet
+and improve on my CDPATH-related setup, especially because it does not
+work with Emacs. so i looked around for autojump-related alternatives
+that do.
+
+Shell jumpers
+=============
+
+Those are commandline tools that can be used from a shell, generally
+with built-in shell integration so that a shell alias will find the
+right directory magically, usually by keeping track of the directories
+visited with `cd`.
+
+Some of those may or may not have integration in Emacs.
+
+autojump
+--------
+
+https://github.com/wting/autojump 
+
+not in emacs, just in eshell
+https://github.com/coldnew/eshell-autojump
+
+https://stackoverflow.com/questions/25277748/use-z-jump-around-in-emacs-to-find-directories
+
+fasd
+----
+
+https://github.com/clvv/fasd
+
+upstream packaged in debian, but those emacs extensions:
+
+ * helm integration: https://github.com/ajsalminen/helm-fasd (not in melpa?)
+ * more direct: https://framagit.org/steckerhalter/emacs-fasd
+
+z
+-
+
+ungooglable.
+
+https://github.com/rupa/z
+
+not in debian at all.
+
+helm integration: https://melpa.org/#/helm-z
+eshell integration: https://github.com/xuchunyang/eshell-z
+
+fzf
+---
+
+https://github.com/junegunn/fzf
+
+the original "fuzzer". uses `find` by default, so no notion of
+frequency.
+
+emacs integration: https://github.com/bling/fzf.el
+
+similar projects: https://github.com/junegunn/fzf/wiki/Related-projects
+
+Emacs plugins not integrated with the shell
+===========================================
+
+Those projects can be used to track files inside a project or find
+files around directories, but do not offer the equivalent
+functionality in the shell.
+
+projectile
+----------
+
+https://github.com/bbatsov/projectile
+
+supports ido, ivy, or helm.
+
+elpy?
+-----
+
+bookmarks.el
+------------
+
+recentf
+-------
+
+references
+==========
+
+https://www.emacswiki.org/emacs/LocateFilesAnywhere
+
+[[!tag draft]]
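
Review bot: in the `z` section, "helm integration: ..." and "eshell integration: ..." are on consecutive lines with no blank line or list marker, so Markdown will join them into one paragraph; the `fasd` section already uses a ` * ` list for the same kind of entries. The bare `https://` URLs throughout are also not links in standard Markdown unless wrapped in `<...>`, and the `elpy?`, `bookmarks.el` and `recentf` headings have no body yet, which is fine for a page tagged `draft` but worth a TODO marker so they are not forgotten.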

yolo
diff --git a/hardware/monitor.mdwn b/hardware/monitor.mdwn
index 9b2d33f5..7475ba2c 100644
--- a/hardware/monitor.mdwn
+++ b/hardware/monitor.mdwn
@@ -91,6 +91,8 @@ Normal
  * [Philips Moniteur 276E8VJSB 27 po, IPS 4K UHD 3840 x 2160, 60Hz,
    5ms](https://www.bureauengros.ca/products/2939812-fr-philips-moniteur-276e8vjsb-27-po-ips-4k-uhd-3840-x-2160-60hz-5ms) (BEG: 380$)
 
+Another idea: a [USB C monitor](https://etbe.coker.com.au/2020/07/02/desklab-portable-usb-c-monitor/)
+
 Note on latency
 ---------------
 

new hardware and people
diff --git a/hardware/monitor.mdwn b/hardware/monitor.mdwn
index 49cb7e22..9b2d33f5 100644
--- a/hardware/monitor.mdwn
+++ b/hardware/monitor.mdwn
@@ -84,6 +84,10 @@ Normal
    computers: 270$)
  * [Dell U2419H 24" Ultrasharp LED Monitor 1920 x 1080 - IPS](https://www.canadacomputers.com/product_info.php?cPath=22_1195_700_1103&item_id=133314):
    (Canada computers: $320, special order)
+ * same at amazon, 27", https://www.amazon.com/dp/B07KGR784M/, as
+   suggested by [this
+   article](https://arstechnica.com/features/2020/08/work-from-home-01-ergo/),
+   see also https://www.amazon.com/dp/B082X46ZGD/
  * [Philips Moniteur 276E8VJSB 27 po, IPS 4K UHD 3840 x 2160, 60Hz,
    5ms](https://www.bureauengros.ca/products/2939812-fr-philips-moniteur-276e8vjsb-27-po-ips-4k-uhd-3840-x-2160-60hz-5ms) (BEG: 380$)
 
diff --git a/services/dns.mdwn b/services/dns.mdwn
index f2b4bfe8..a7809cbc 100644
--- a/services/dns.mdwn
+++ b/services/dns.mdwn
@@ -92,6 +92,7 @@ Les noms suivants pourraient être utilisés pour de futures machines:
    army squadron in the US (in the Civil War, to free more slaves)
  * [Sojourner Truth](https://en.wikipedia.org/wiki/Sojourner_Truth) - abolotionist, first black women to win a
    court case against a black man
+ * [Claudette Colvin](https://en.wikipedia.org/wiki/Claudette_Colvin) - before rosa parks, there was this rebel!
 
 [Margaret Hamilton]: https://en.wikipedia.org/wiki/Margaret_Hamilton_(software_engineer)
 

two more awesome people
diff --git a/services/dns.mdwn b/services/dns.mdwn
index 27cab389..f2b4bfe8 100644
--- a/services/dns.mdwn
+++ b/services/dns.mdwn
@@ -87,6 +87,11 @@ Les noms suivants pourraient être utilisés pour de futures machines:
    arborer le drapeau noir
  * [Séverine](https://fr.wikipedia.org/wiki/S%C3%A9verine) - journaliste, féministe, première femme à diriger un
    grand quotidien en France
+ * [Harriet Tubman](https://en.wikipedia.org/wiki/Harriet_Tubman) - kick-ass self-freed slave, black women that
+   ran the underground railroad for 8 years and first women to lead an
+   army squadron in the US (in the Civil War, to free more slaves)
+ * [Sojourner Truth](https://en.wikipedia.org/wiki/Sojourner_Truth) - abolotionist, first black women to win a
+   court case against a black man
 
 [Margaret Hamilton]: https://en.wikipedia.org/wiki/Margaret_Hamilton_(software_engineer)
 
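
Review bot: in the Sojourner Truth entry, "abolotionist" should be "abolitionist", and both new entries use "women" where the singular "woman" is meant ("black women that ran", "first women to lead", "first black women to win"). The claim "against a black man" is also worth checking against the linked Wikipedia article before this lands.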

ship date
diff --git a/hardware/laptop/purism-librem13v4.mdwn b/hardware/laptop/purism-librem13v4.mdwn
index fab16286..d4efb3c6 100644
--- a/hardware/laptop/purism-librem13v4.mdwn
+++ b/hardware/laptop/purism-librem13v4.mdwn
@@ -535,3 +535,4 @@ The timeline of that laptop's hardware problems looks like this:
  * 2020-07-26: response: repair failed, new device will be sent, "ETA
    next week by the end of next week"
  * 2020-08-04: replacement ready, prompted for address again
+ * 2020-08-06: laptop shipped

another nice book
diff --git a/wishlist.mdwn b/wishlist.mdwn
index 2c6b5bf3..7595ca2c 100644
--- a/wishlist.mdwn
+++ b/wishlist.mdwn
@@ -52,6 +52,7 @@ Voici des choses que vous pouvez m'acheter si vous êtes le Père Nowel (yeah ri
      * [La théorie du drone](http://www.worldcat.org/oclc/847564093)
      * [The ARRL Operating Manual](http://www.arrl.org/shop/The-ARRL-Operating-Manual/)
      * [Les idées noires](https://en.wikipedia.org/wiki/Id%C3%A9es_noires) de Franquin, [l'intégrale](http://www.worldcat.org/oclc/493932411)
+     * [99% invisible city](https://99percentinvisible.org/book/)
  * <del>une liseuse 13" comme le [Sony DPT-S1](https://www.sony.com/electronics/digital-paper-notepads/dpts1#product_details_default) ou le [Onyx BOOX Max](https://onyxboox.com/boox_max),
    ou encore une tablette rootable qui roule le plus de logiciel libre
    possible</del> - j'en ai un maintenant, voir aussi [[hardware/tablet]]

update: maybe shipped soon?
diff --git a/hardware/laptop/purism-librem13v4.mdwn b/hardware/laptop/purism-librem13v4.mdwn
index d85a3b2b..fab16286 100644
--- a/hardware/laptop/purism-librem13v4.mdwn
+++ b/hardware/laptop/purism-librem13v4.mdwn
@@ -534,3 +534,4 @@ The timeline of that laptop's hardware problems looks like this:
  * 2020-07-25: ping sent
  * 2020-07-26: response: repair failed, new device will be sent, "ETA
    next week by the end of next week"
+ * 2020-08-04: replacement ready, prompted for address again

problem with dark mode and privacy
diff --git a/software/desktop/firefox.mdwn b/software/desktop/firefox.mdwn
index d79c1e53..29a5ad0e 100644
--- a/software/desktop/firefox.mdwn
+++ b/software/desktop/firefox.mdwn
@@ -294,7 +294,9 @@ that I version-control into git:
  * `network.cookie.cookieBehavior` ([ref](http://kb.mozillazine.org/Network.cookie.cookieBehavior#3_2)):
    1 (no third-party cookies)
  * `browser.in-content.dark-mode`: true (prefer dark CSS, see [this
-   discussion](https://css-tricks.com/dark-modes-with-css/), new in FF ~68)
+   discussion](https://css-tricks.com/dark-modes-with-css/), [new in FF 67](https://blog.logrocket.com/whats-new-in-firefox-67-prefers-color-scheme-and-more-195be81df03f/)), does not work with
+   `privacy.resistFingerprinting`, use `ui.systemUsesDarkTheme` set to
+   `1` instead. see [this doc](https://developer.mozilla.org/en-US/docs/Web/CSS/@media/prefers-color-scheme)
  * `middlemouse.contentLoadURL` ([ref](http://kb.mozillazine.org/Middlemouse.contentLoadURL)):
    false (got used to chromium not doing that, and it seems too risky:
    passwords can leak in DNS too easily if you miss the field)
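
Review bot: the `browser.in-content.dark-mode` bullet still gives the value `true` and then says it "does not work with `privacy.resistFingerprinting`, use `ui.systemUsesDarkTheme` set to `1` instead", so a reader cannot tell which of the two prefs is actually in the version-controlled config. Suggest giving `ui.systemUsesDarkTheme` its own bullet with its value, in the same shape as the neighbouring entries, and stating whether `privacy.resistFingerprinting` is enabled in this profile.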

fix formatting problem
diff --git a/software/desktop/firefox.mdwn b/software/desktop/firefox.mdwn
index fae57ec3..d79c1e53 100644
--- a/software/desktop/firefox.mdwn
+++ b/software/desktop/firefox.mdwn
@@ -120,7 +120,7 @@ hard to use or simply irrelevant.
  * [Cookie autodelete](https://addons.mozilla.org/en-US/firefox/addon/cookie-autodelete/) - even though uMatrix stops most cookies
    from being sent, it actually stores them locally. it would be great
    if this could sync with umatrix block lists... maybe with [issue
-   #43](https://github.com/Cookie-AutoDelete/Cookie-AutoDelete/issues/43)? turns out this is too inconvenient: need to specify the
+   43](https://github.com/Cookie-AutoDelete/Cookie-AutoDelete/issues/43)? turns out this is too inconvenient: need to specify the
    cookies to keep per container, then per site, it's a huge mess and
    there's no way to run a "simulation" mode... either the cookies get
    deleted and you get kicked out everywhere (at once!) or it does

approve comment
diff --git a/blog/2020-06-10-gnutls-audit/comment_1_8c16cd71ac43a3c4449ef84cb0864038._comment b/blog/2020-06-10-gnutls-audit/comment_1_8c16cd71ac43a3c4449ef84cb0864038._comment
new file mode 100644
index 00000000..67c58fea
--- /dev/null
+++ b/blog/2020-06-10-gnutls-audit/comment_1_8c16cd71ac43a3c4449ef84cb0864038._comment
@@ -0,0 +1,10 @@
+[[!comment format=mdwn
+ ip="90.208.192.45"
+ claimedauthor="Peter Green"
+ subject="Client verses server."
+ date="2020-07-27T15:25:48Z"
+ content="""
+You seem to be assuming that this vulnerability affects gnutls clients, but my reading of the advisory is that it is an issue with gnutls servers.
+
+Can anyone with deeper knowledge of the vulnerability clarify?
+"""]]
diff --git a/blog/2020-06-10-gnutls-audit/comment_1_9511d5d7a8d44aaabd7fbf63f17bb99c._comment b/blog/2020-06-10-gnutls-audit/comment_1_9511d5d7a8d44aaabd7fbf63f17bb99c._comment
new file mode 100644
index 00000000..d42f9279
--- /dev/null
+++ b/blog/2020-06-10-gnutls-audit/comment_1_9511d5d7a8d44aaabd7fbf63f17bb99c._comment
@@ -0,0 +1,10 @@
+[[!comment format=mdwn
+ ip="50.39.163.217"
+ claimedauthor="Josh"
+ subject="OpenSSL licensing is not fixed yet"
+ date="2020-07-27T08:16:24Z"
+ content="""
+> There are at least a few programs that link against GnuTLS because of the OpenSSL licensing oddities but that has been first announced in 2015, then definitely and clearly resolved in 2017 -- or maybe that was in 2018? Anyways it's fixed
+
+Unfortunately, the OpenSSL license is only fixed on the branches leading up to OpenSSL 3.0, which hasn't been released yet; it's still in alpha.
+"""]]

approve comment
diff --git a/blog/2020-06-10-gnutls-audit/comment_1_183d6ddbea4e146041ec7e0780416529._comment b/blog/2020-06-10-gnutls-audit/comment_1_183d6ddbea4e146041ec7e0780416529._comment
new file mode 100644
index 00000000..9a24be91
--- /dev/null
+++ b/blog/2020-06-10-gnutls-audit/comment_1_183d6ddbea4e146041ec7e0780416529._comment
@@ -0,0 +1,10 @@
+[[!comment format=mdwn
+ ip="193.16.224.12"
+ claimedauthor="anonym guy"
+ subject="comment 2"
+ date="2020-07-27T12:40:21Z"
+ content="""
+And what about: 
+
+https://www.libressl.org/
+"""]]

purism status update
diff --git a/hardware/laptop/purism-librem13v4.mdwn b/hardware/laptop/purism-librem13v4.mdwn
index 68439f49..d85a3b2b 100644
--- a/hardware/laptop/purism-librem13v4.mdwn
+++ b/hardware/laptop/purism-librem13v4.mdwn
@@ -531,3 +531,6 @@ The timeline of that laptop's hardware problems looks like this:
  * 2020-07-13: ping sent to Purism
  * 2020-07-13: [update to this review published](/blog/2020-07-13-not-recommending-purism)
  * 2020-07-14: response: motherboard confirmed dead
+ * 2020-07-25: ping sent
+ * 2020-07-26: response: repair failed, new device will be sent, "ETA
+   next week by the end of next week"

Added a comment: comment removed
diff --git a/blog/2020-07-13-not-recommending-purism/comment_6_24f29cfc00da5c43ca95a0a1d51975f9._comment b/blog/2020-07-13-not-recommending-purism/comment_6_24f29cfc00da5c43ca95a0a1d51975f9._comment
new file mode 100644
index 00000000..1ad37174
--- /dev/null
+++ b/blog/2020-07-13-not-recommending-purism/comment_6_24f29cfc00da5c43ca95a0a1d51975f9._comment
@@ -0,0 +1,12 @@
+[[!comment format=mdwn
+ username="anarcat"
+ avatar="https://seccdn.libravatar.org/avatar/741655483dd8a0b4df28fb3dedfa7e4c"
+ subject="comment removed"
+ date="2020-07-19T13:05:04Z"
+ content="""
+A comment questioning the fact that Purism allows racism was removed. (The word *racism* was \"quoted\" in the original comment, which makes me believe the author was also questioning the existence of racism itself, which I find to be just despicable.)
+
+People interested in criticizing my stance on Purism's \"tolerance\" of neonazis and related ideologies are welcome to read [[my previous post on the topic|2019-05-13-free-speech]] and generally, just shove off somewhere else.
+
+Yes, you have found a Social Justice Warrior. Don't wet your pants too much, there's plenty of us out there.
+"""]]

-port isn't necessary as we have a proxy
diff --git a/services/analytics.mdwn b/services/analytics.mdwn
index 3af0b8ab..2dec9d28 100644
--- a/services/analytics.mdwn
+++ b/services/analytics.mdwn
@@ -31,7 +31,7 @@ Server configuration
 
  3. start the server:
 
-        exec docker run --restart=unless-stopped --volume="goatcounter:/home/user/db/" --publish 127.0.0.1:8081:8080 --detach zgoat/goatcounter serve -listen :8080 -port 8080 -tls none
+        exec docker run --restart=unless-stopped --volume="goatcounter:/home/user/db/" --publish 127.0.0.1:8081:8080 --detach zgoat/goatcounter serve -listen :8080 -tls none
 
  4. apache configuration:
 
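
Review bot: the changed `docker run` line still references `zgoat/goatcounter` with no tag or digest, so with `--restart=unless-stopped` the container keeps running whatever image happened to be pulled on this host. Suggest pinning a version tag or an `@sha256:` digest while touching this line. `-tls none` is reasonable here only because the port is published on `127.0.0.1:8081` behind the proxy; worth saying so next to the command so the loopback binding is not dropped later.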

more todos
diff --git a/services/analytics.mdwn b/services/analytics.mdwn
index 0939c712..3af0b8ab 100644
--- a/services/analytics.mdwn
+++ b/services/analytics.mdwn
@@ -73,8 +73,8 @@ Server configuration
 Remaining issues
 ================
 
- * the :8080 port leaks in some places, namely in the "Site config"
-   documentation
+ * Docker image should be `FROM scratch`, this is statically built
+   golang stuff after all...
  * move to Docker Compose or podman instead of just starting the thing
    by hand
  * this is all super janky and should be put in config management
@@ -82,8 +82,8 @@ Remaining issues
  * remove "anarc.at" test site (the site is the analytics site, not
    the tracked site), seems like [this is not possible yet](https://github.com/zgoat/goatcounter/issues/344)
  * do log parsing instead of Javascript or 1x1 images?
- * compare with goaccess logs, probably in september
- * `goatcounter monitor` [doesn't with sqlite](https://github.com/zgoat/goatcounter/issues/343)
+ * compare with goaccess logs, probably at the end of july, to have
+   two full weeks to compare
 
 Fixed issues
 ============
@@ -95,5 +95,9 @@ Fixed issues
  * <del>add pixel tracking for `noscript` users</del> done, but
    required a [patch to ikiwi](https://ikiwiki.info/ikiwiki.cgi?do=goto&page=todo%2Finclude_page_variable_in_base_templates) (and I noticed [another bug while
    doing it](https://ikiwiki.info/ikiwiki.cgi?do=goto&page=bugs%2Fjavascript_resources_placed_after_html_tag))
+ * `goatcounter monitor` [doesn't with sqlite](https://github.com/zgoat/goatcounter/issues/343) (fixed upstream!)
+ * <del>the :8080 port leaks in some places, namely in the "Site config"
+   documentation</del> that is because i was using `-port 8080` which
+   was not necessary.
 
 [[!tag blog debian-planet python-planet privacy meta ikiwiki stats]]

Added a comment: Re: Praising Pine64
diff --git a/blog/2020-07-13-not-recommending-purism/comment_5_8cfee72fe20550614c1907b35fa7a3d9._comment b/blog/2020-07-13-not-recommending-purism/comment_5_8cfee72fe20550614c1907b35fa7a3d9._comment
new file mode 100644
index 00000000..890a6d3a
--- /dev/null
+++ b/blog/2020-07-13-not-recommending-purism/comment_5_8cfee72fe20550614c1907b35fa7a3d9._comment
@@ -0,0 +1,26 @@
+[[!comment format=mdwn
+ username="anarcat"
+ avatar="https://seccdn.libravatar.org/avatar/741655483dd8a0b4df28fb3dedfa7e4c"
+ subject="Re: Praising Pine64"
+ date="2020-07-16T18:35:05Z"
+ content="""
+> How many of the people running PostmarketOS (or any other distribution) are using Phosh and other apps that were developed for it?
+
+Frankly, I don't know... I had to lookup \"Phosh\", just to give you an idea. I sense this is a rhetorical question and that the answer should be obvious, yet it is not at all, to me.
+
+> You are consistently leaving important details out of the picture. That makes your statements unfair and reflects badly on you.
+
+I am probably leaving out a lot of details out of Pine64, system76, and Fairphone out of this picture. But that's the point, isn't it: this is not a review of Pine64, it's a review of Purism and its hardware. Believe me, when I end up with Pine64 or system76 hardware, I will do a similarly merciless review and hordes of *their* fans will come accusing me of being unfair to *them* then. Maybe that will be a consolation? :p
+
+> As I said I’m all for criticising and you make good points against Purism, but you must apply equal treatment to all.
+
+As you have correctly asserted, I lack information about Pine64. I just felt they are more honest about their work, and I do not believe I have explicitly compared their free **software** work against Purism. What I said in the original post is:
+
+> I wish that people wishing to support the free software **movement** would spend their energy towards organisations that actually do honest work in that direction, like System76 and Pine64. And if you're going to go crazy with an experimental free hardware design, why not go retro with the MNT Reform.
+
+Emphasis added. Maybe you misinterpreted my comment as saying that System76 and Pine64 were contributing more to the **software** part of the ecosystem. That is not what I am saying. I am saying that by contributing cheap and somewhat open hardware that works well on Linux, and being honest about what their promises are, they are being more useful than Purism.
+
+I will be happy to apply the same, hopefully fair, treatment to other manufacturers when I end up with their products falling apart in my hands, when they do.
+
+I will also point out that you seem to get stuck on a tiny part of the lengthy review I (re)announced here. There are way more problems with Purism than their free software contributions. I did not even mention them in the original review, a year ago...
+"""]]

approve comment
diff --git a/blog/2020-07-13-not-recommending-purism/comment_1_1b7a40f08b245add3d6d2100b160b1f3._comment b/blog/2020-07-13-not-recommending-purism/comment_1_1b7a40f08b245add3d6d2100b160b1f3._comment
new file mode 100644
index 00000000..9b1a827c
--- /dev/null
+++ b/blog/2020-07-13-not-recommending-purism/comment_1_1b7a40f08b245add3d6d2100b160b1f3._comment
@@ -0,0 +1,15 @@
+[[!comment format=mdwn
+ ip="82.242.148.38"
+ claimedauthor="Alexandre Franke"
+ url="https://alexandrefranke.com"
+ subject="Re: Re: Praising Pine64"
+ date="2020-07-16T09:35:37Z"
+ content="""
+>> How much of the PinePhone is working thanks to the work of Purism?
+
+> Really? Probably not much, actually. Most people do not use PureOS on their PinePhone, as far as I know. The reviews I have seen use either PostmarketOS or their own distro on top of it, see for example Drew Devault's review.
+
+How many of the people running PostmarketOS (or any other distribution) are using Phosh and other apps that were developed for it? 
+
+You are consistently leaving important details out of the picture. That makes your statements unfair and reflects badly on *you*. As I said I’m all for criticising and you make good points against Purism, but you must apply equal treatment to all.
+"""]]
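Review bot: the `ip="82.242.148.38"` field in the comment header commits the commenter's IP address to a repository that this wiki says anyone can clone, and it stays in the history even if the comment is later removed. Consider dropping or truncating the `ip` field before approving; `claimedauthor` and `url` already carry the identity the poster chose to give.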

clarify trigger warning
diff --git a/blog/2020-07-13-not-recommending-purism.mdwn b/blog/2020-07-13-not-recommending-purism.mdwn
index 8ca40fe4..029565ae 100644
--- a/blog/2020-07-13-not-recommending-purism.mdwn
+++ b/blog/2020-07-13-not-recommending-purism.mdwn
@@ -52,6 +52,9 @@ post. There were more discussions on the subject here:
  * [Reddit /r/linux](http://www.reddit.com/r/linux/comments/hr8hvi/not_recommending_purism), [/r/linuxhardware](https://www.reddit.com/r/linuxhardware/comments/hqs48i/debian_developer_not_recommending_purism/), [r/purism](https://www.reddit.com/r/Purism/comments/hqs0vz/debian_developer_not_recommending_purism/)
  * [Hacker news](https://news.ycombinator.com/item?id=23842347)
 
-Trigger warning: 
+Trigger warning: some of those threads include personal insults and
+explicitly venture into the [[free speech
+discussion|2019-05-13-free-speech]], with predictable (sad)
+consequences...
 
 [[!tag debian-planet python-planet hardware review phone laptop]]

update external discussion links
diff --git a/blog/2020-07-13-not-recommending-purism.mdwn b/blog/2020-07-13-not-recommending-purism.mdwn
index 772ab082..8ca40fe4 100644
--- a/blog/2020-07-13-not-recommending-purism.mdwn
+++ b/blog/2020-07-13-not-recommending-purism.mdwn
@@ -49,10 +49,9 @@ while I usually get about 1k visitors after a week on any regular blog
 post. There were more discussions on the subject here:
 
  * [Lobsters](https://lobste.rs/s/ecyjq2/not_recommending_purism)
- * [Reddit /r/linux 1](http://www.reddit.com/r/linux/comments/hr8hvi/not_recommending_purism), [2](https://www.reddit.com/r/linuxhardware/comments/hqs48i/debian_developer_not_recommending_purism/)
+ * [Reddit /r/linux](http://www.reddit.com/r/linux/comments/hr8hvi/not_recommending_purism), [/r/linuxhardware](https://www.reddit.com/r/linuxhardware/comments/hqs48i/debian_developer_not_recommending_purism/), [r/purism](https://www.reddit.com/r/Purism/comments/hqs0vz/debian_developer_not_recommending_purism/)
  * [Hacker news](https://news.ycombinator.com/item?id=23842347)
 
-It also apparently showed up on /r/ubuntu and /r/purism but
-disapparead, at least from the latter.
+Trigger warning: 
 
 [[!tag debian-planet python-planet hardware review phone laptop]]
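Review bot: the added `Trigger warning: ` line ends in a colon and a trailing space with nothing after it, so the published page shows an empty warning. Either finish the sentence in this commit or leave the line out until the text is ready. In the same hunk, the new `r/purism` link label lacks the leading slash used by `/r/linux` and `/r/linuxhardware`.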

typo
diff --git a/blog/2020-07-13-not-recommending-purism.mdwn b/blog/2020-07-13-not-recommending-purism.mdwn
index ff54ef1a..772ab082 100644
--- a/blog/2020-07-13-not-recommending-purism.mdwn
+++ b/blog/2020-07-13-not-recommending-purism.mdwn
@@ -49,7 +49,7 @@ while I usually get about 1k visitors after a week on any regular blog
 post. There were more discussions on the subject here:
 
  * [Lobsters](https://lobste.rs/s/ecyjq2/not_recommending_purism)
- * [Reddit /r/linux 1](http://www.reddit.com/r/linux/comments/hr8hvi/not_recommending_purism) [2](https://www.reddit.com/r/linuxhardware/comments/hqs48i/debian_developer_not_recommending_purism/), 
+ * [Reddit /r/linux 1](http://www.reddit.com/r/linux/comments/hr8hvi/not_recommending_purism), [2](https://www.reddit.com/r/linuxhardware/comments/hqs48i/debian_developer_not_recommending_purism/)
  * [Hacker news](https://news.ycombinator.com/item?id=23842347)
 
 It also apparently showed up on /r/ubuntu and /r/purism but

link to other discussions
diff --git a/blog/2020-07-13-not-recommending-purism.mdwn b/blog/2020-07-13-not-recommending-purism.mdwn
index 6c1b6d31..ff54ef1a 100644
--- a/blog/2020-07-13-not-recommending-purism.mdwn
+++ b/blog/2020-07-13-not-recommending-purism.mdwn
@@ -44,4 +44,15 @@ the [Fairphone](https://www.fairphone.com/) a fair chance. It really is a "fair"
 the best, but okay) phone that you can moderately liberate, and it
 actually frigging works. See also my [hardware review of the FP2](/hardware/phone/fairphone2).
 
+Update: this kind of blew up, for my standards: 10k visitors in ~24h
+while I usually get about 1k visitors after a week on any regular blog
+post. There were more discussions on the subject here:
+
+ * [Lobsters](https://lobste.rs/s/ecyjq2/not_recommending_purism)
+ * [Reddit /r/linux 1](http://www.reddit.com/r/linux/comments/hr8hvi/not_recommending_purism) [2](https://www.reddit.com/r/linuxhardware/comments/hqs48i/debian_developer_not_recommending_purism/), 
+ * [Hacker news](https://news.ycombinator.com/item?id=23842347)
+
+It also apparently showed up on /r/ubuntu and /r/purism but
+disapparead, at least from the latter.
+
 [[!tag debian-planet python-planet hardware review phone laptop]]
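Review bot: "disapparead" in the last added paragraph is a typo for "disappeared". The Reddit list item also ends with a dangling `, ` after the `[2]` link while no separator sits between `1` and `[2]`, so the comma looks misplaced.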

fix tag name
diff --git a/services/analytics.mdwn b/services/analytics.mdwn
index a2a144b6..0939c712 100644
--- a/services/analytics.mdwn
+++ b/services/analytics.mdwn
@@ -96,4 +96,4 @@ Fixed issues
    required a [patch to ikiwi](https://ikiwiki.info/ikiwiki.cgi?do=goto&page=todo%2Finclude_page_variable_in_base_templates) (and I noticed [another bug while
    doing it](https://ikiwiki.info/ikiwiki.cgi?do=goto&page=bugs%2Fjavascript_resources_placed_after_html_tag))
 
-[[!tag blog debian-planet python-planet privacy meta ikiwiki stat]]
+[[!tag blog debian-planet python-planet privacy meta ikiwiki stats]]
diff --git a/tag/stat.mdwn b/tag/stat.mdwn
deleted file mode 100644
index e061f111..00000000
--- a/tag/stat.mdwn
+++ /dev/null
@@ -1,4 +0,0 @@
-[[!meta title="pages tagged stat"]]
-
-[[!inline pages="tagged(stat)" actions="no" archive="yes"
-feedshow=10]]

try to fix ikiwiki freaking out about gt
diff --git a/services/analytics.mdwn b/services/analytics.mdwn
index a7a79c56..a2a144b6 100644
--- a/services/analytics.mdwn
+++ b/services/analytics.mdwn
@@ -41,15 +41,15 @@ Server configuration
                     DocumentRoot /var/www/html/
             </VirtualHost>
 
-            <VirtualHost *:443>
-                    ServerName analytics.anarc.at
-                    Use common-letsencrypt-ssl analytics.anarc.at
-                    DocumentRoot /var/www/html/
-                    ProxyPass /.well-known/ !
-                    ProxyPass / http://localhost:8081/
-                    ProxyPassReverse / http://localhost:8081/
-                    ProxyPreserveHost on
-            </VirtualHost>
+        <VirtualHost *:443>
+                ServerName analytics.anarc.at
+                Use common-letsencrypt-ssl analytics.anarc.at
+                DocumentRoot /var/www/html/
+                ProxyPass /.well-known/ !
+                ProxyPass / http://localhost:8081/
+                ProxyPassReverse / http://localhost:8081/
+                ProxyPreserveHost on
+        </VirtualHost>
 
  5. add `analytics.anarc.at` to DNS
 
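Review bot: only the `*:443` block is realigned here; the context lines at the top of the hunk show the `*:80` block still has `DocumentRoot` at 20 spaces and `</VirtualHost>` at 12, so the two halves of the Apache example now sit at different depths. Reindenting both blocks to the same column in one commit would keep the code block under step 4 consistent.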

creating tag page tag/stat
diff --git a/tag/stat.mdwn b/tag/stat.mdwn
new file mode 100644
index 00000000..e061f111
--- /dev/null
+++ b/tag/stat.mdwn
@@ -0,0 +1,4 @@
+[[!meta title="pages tagged stat"]]
+
+[[!inline pages="tagged(stat)" actions="no" archive="yes"
+feedshow=10]]

make this an article on my blog
diff --git a/services/analytics.mdwn b/services/analytics.mdwn
index 23a43d8b..a7a79c56 100644
--- a/services/analytics.mdwn
+++ b/services/analytics.mdwn
@@ -1,63 +1,99 @@
-goatcounter docker image:
+[[!meta title="Goatcounter analytics in ikiwiki"]]
 
-https://github.com/anarcat/goatcounter
+I have started using [Goatcounter](https://www.goatcounter.com/) for analytics after reading
+[this LWN article](https://lwn.net/Articles/822568/) called "Lightweight alternatives to Google
+Analytics". Goatcounter has an interesting approach to privacy in that
+it:
 
-build:
+> tracks sessions using a hash of the browser's user agent and IP
+> address to identify the client without storing any personal
+> information. The salt used to generate these hashes is rotated every
+> 4 hours with a sliding window.
 
-    docker build -t zgoat/goatcounter .
+There was no Debian package for the project, so I filed a [request for
+package](https://bugs.debian.org/964905) and instead made a [fork of the project to add a Docker
+image](https://github.com/anarcat/goatcounter).
 
-create volume for db:
+This page documents how Goatcounter was setup from there...
 
-    docker volume create goatcounter
+[[!toc]]
 
-startup:
+Server configuration
+====================
 
-    exec docker run --restart=unless-stopped --volume="goatcounter:/home/user/db/" --publish 127.0.0.1:8081:8080 --detach zgoat/goatcounter serve -listen :8080 -port 8080 -tls none
+ 1. build the image from [this fork](https://github.com/anarcat/goatcounter)
 
-need to be committed...
+        docker build -t zgoat/goatcounter .
 
-apache:
+ 2. create volume for db:
 
-    <VirtualHost *:80>
-            ServerName analytics.anarc.at
-            Redirect / https://analytics.anarc.at/
-            DocumentRoot /var/www/html/
-    </VirtualHost>
+        docker volume create goatcounter
 
-    <VirtualHost *:443>
-            ServerName analytics.anarc.at
-            Use common-letsencrypt-ssl analytics.anarc.at
-            DocumentRoot /var/www/html/
-            ProxyPass /.well-known/ !
-            ProxyPass / http://localhost:8081/
-            ProxyPassReverse / http://localhost:8081/
-            ProxyPreserveHost on
-    </VirtualHost>
+ 3. start the server:
 
-+ bind
+        exec docker run --restart=unless-stopped --volume="goatcounter:/home/user/db/" --publish 127.0.0.1:8081:8080 --detach zgoat/goatcounter serve -listen :8080 -port 8080 -tls none
 
-let's encrypt:
+ 4. apache configuration:
 
-    certbot certonly --webroot  -d analytics.anarc.at --webroot-path /var/www/html/
+        <VirtualHost *:80>
+                    ServerName analytics.anarc.at
+                    Redirect / https://analytics.anarc.at/
+                    DocumentRoot /var/www/html/
+            </VirtualHost>
 
-create site:
+            <VirtualHost *:443>
+                    ServerName analytics.anarc.at
+                    Use common-letsencrypt-ssl analytics.anarc.at
+                    DocumentRoot /var/www/html/
+                    ProxyPass /.well-known/ !
+                    ProxyPass / http://localhost:8081/
+                    ProxyPassReverse / http://localhost:8081/
+                    ProxyPreserveHost on
+            </VirtualHost>
 
-    docker run -it --rm --volume="goatcounter:/home/user/db/" zgoat/goatcounter create -domain analytics.anarc.at -email anarcat+rapports@anarc.at
+ 5. add `analytics.anarc.at` to DNS
 
-and add to ikiwiki template (must be committed). then:
+ 6. create a TLS cert with LE:
 
-    ikiwiki --setup ikiwiki.setup --rebuild --verbose
+        certbot certonly --webroot  -d analytics.anarc.at --webroot-path /var/www/html/
 
-remaining issues:
+    note that goatcounter has code to do this on its own, but we avoid
+    it to follow our existing policies and simplify things
 
- * cache headers are wrong (120ms!)
- * some redirects...
- * move docker to compose or podman
- * this is all super janky and should be put in CM somehow
+ 7. create site:
+
+        docker run -it --rm --volume="goatcounter:/home/user/db/" zgoat/goatcounter create -domain analytics.anarc.at -email anarcat+rapports@anarc.at
+
+ 8. [add to ikiwiki template](https://gitlab.com/anarcat/ikiwiki-bootstrap-anarcat/-/commit/bde10038f12218a0cd0cea0a4900d9fd3f23e185)
+
+ 9. rebuild wiki:
+
+        ikiwiki --setup ikiwiki.setup --rebuild --verbose
+
+Remaining issues
+================
+
+ * the :8080 port leaks in some places, namely in the "Site config"
+   documentation
+ * move to Docker Compose or podman instead of just starting the thing
+   by hand
+ * this is all super janky and should be put in config management
+   somehow
+ * remove "anarc.at" test site (the site is the analytics site, not
+   the tracked site), seems like [this is not possible yet](https://github.com/zgoat/goatcounter/issues/344)
+ * do log parsing instead of Javascript or 1x1 images?
+ * compare with goaccess logs, probably in september
+ * `goatcounter monitor` [doesn't with sqlite](https://github.com/zgoat/goatcounter/issues/343)
+
+Fixed issues
+============
+
+ * <del>cache headers are wrong (120ms!)</del> deployed workaround in
+   apache, [reported as a bug upstream](https://github.com/zgoat/goatcounter/issues/342)
  * <del>remove self-referer</del> done, just a matter of configuring
    the URL in the settings. could this be automated too?
- * remove "anarc.at" test site (the site is the analytics site,
-   not the tracked site)
- * add pixel tracking for `noscript` users
- * log parsing?
- * compare with goaccess logs, probably in september
+ * <del>add pixel tracking for `noscript` users</del> done, but
+   required a [patch to ikiwi](https://ikiwiki.info/ikiwiki.cgi?do=goto&page=todo%2Finclude_page_variable_in_base_templates) (and I noticed [another bug while
+   doing it](https://ikiwiki.info/ikiwiki.cgi?do=goto&page=bugs%2Fjavascript_resources_placed_after_html_tag))
+
+[[!tag blog debian-planet python-planet privacy meta ikiwiki stat]]
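Review bot: in step 4 the opening `<VirtualHost *:80>` is indented 8 spaces while its contents are at 20 and its closing tag and the whole `*:443` block start at 12, so the example is not one evenly indented code block under the list item. Separately, step 4 installs the `*:443` vhost with `Use common-letsencrypt-ssl` before step 6 creates the certificate; if that macro points at the certificate files, the order of the steps should be swapped or the dependency noted. The "patch to ikiwi" link text in the Fixed issues list is also missing the end of "ikiwiki".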

and yet another patch
diff --git a/services/wiki.mdwn b/services/wiki.mdwn
index 565cdd09..dbae7a85 100644
--- a/services/wiki.mdwn
+++ b/services/wiki.mdwn
@@ -134,6 +134,7 @@ I still carry those patches on top of ikiwiki:
  * [todo/git-annex_support](https://ikiwiki.info/todo/git-annex_support)
  * [todo/allow_toc_to_skip_entries](https://ikiwiki.info/todo/allow_toc_to_skip_entries)
  * [todo/include_page_variable_in_base_templates](https://ikiwiki.info/todo/include_page_variable_in_base_templates)
+ * [bugs/javascript_resources_placed_after_html_tag](https://ikiwiki.info/bugs/javascript_resources_placed_after_html_tag/)
  * [plugins/contrib/i18nheadinganchors](https://ikiwiki.info/plugins/contrib/i18nheadinganchors)
  * [plugins/contrib/bootstrap](https://ikiwiki.info/plugins/contrib/bootstrap)
  * [todo/admonitions](https://ikiwiki.info/todo/admonitions)
@@ -153,6 +154,9 @@ To apply this patch set:
     git rebase $release page-template-variable &&
     git diff $release..page-template-variable | ( cd /usr/share/perl5 ; sudo patch -p1 --dry-run ) &&
     git diff $release..page-template-variable | ( cd /usr/share/perl5 ;    sudo patch -p1 ) &&
+    git rebase $release js-newline &&
+    git diff $release..js-newline | ( cd /usr/share/perl5 ; sudo patch -p1 --dry-run ) &&
+    git diff $release..js-newline | ( cd /usr/share/perl5 ;    sudo patch -p1 ) &&
     git rebase $release i18n-headinganchors &&
     mv /usr/share/perl5/IkiWiki/Plugin/i18nheadinganchors.pm{,.orig} &&
     git diff $release..i18n-headinganchors | ( cd /usr/share/perl5 ; sudo patch -p1 --dry-run ) &&
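Review bot: in the added `js-newline` lines the subshell is `( cd /usr/share/perl5 ; sudo patch -p1 )`, so if the `cd` fails, `patch` still runs as root in whatever the current directory is. Using `cd /usr/share/perl5 && sudo patch -p1` makes the subshell stop instead. `$release` is also unquoted in all three added lines, which matters if it is ever empty.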

replace macros by real links here so they are clickable in emacs
diff --git a/services/wiki.mdwn b/services/wiki.mdwn
index 87443048..565cdd09 100644
--- a/services/wiki.mdwn
+++ b/services/wiki.mdwn
@@ -131,14 +131,14 @@ On any given upgrade, the following patches need to be applied:
 
 I still carry those patches on top of ikiwiki:
 
- * [[!iki todo/git-annex_support]]
- * [[!iki todo/allow_toc_to_skip_entries]]
- * [[!iki plugins/contrib/i18nheadinganchors]]
- * [[!iki plugins/contrib/bootstrap]]
- * [[!iki todo/admonitions]]
- * [[!iki bugs/footnotes-look-weird]] (not a patch on core per se, but
+ * [todo/git-annex_support](https://ikiwiki.info/todo/git-annex_support)
+ * [todo/allow_toc_to_skip_entries](https://ikiwiki.info/todo/allow_toc_to_skip_entries)
+ * [todo/include_page_variable_in_base_templates](https://ikiwiki.info/todo/include_page_variable_in_base_templates)
+ * [plugins/contrib/i18nheadinganchors](https://ikiwiki.info/plugins/contrib/i18nheadinganchors)
+ * [plugins/contrib/bootstrap](https://ikiwiki.info/plugins/contrib/bootstrap)
+ * [todo/admonitions](https://ikiwiki.info/todo/admonitions)
+ * [bugs/footnotes-look-weird](https://ikiwiki.info/bugs/footnotes-look-weird) (not a patch on core per se, but
    a modification to the stylesheet, as [many others](https://anarc.at/bootstrap.local.css))
- * [[!iki todo/include_page_variable_in_base_templates]]
 
 To apply this patch set:
 

new patch against ikiwiki
diff --git a/services/wiki.mdwn b/services/wiki.mdwn
index a98dfea6..87443048 100644
--- a/services/wiki.mdwn
+++ b/services/wiki.mdwn
@@ -138,6 +138,7 @@ I still carry those patches on top of ikiwiki:
  * [[!iki todo/admonitions]]
  * [[!iki bugs/footnotes-look-weird]] (not a patch on core per se, but
    a modification to the stylesheet, as [many others](https://anarc.at/bootstrap.local.css))
+ * [[!iki todo/include_page_variable_in_base_templates]]
 
 To apply this patch set:
 
@@ -149,6 +150,9 @@ To apply this patch set:
     git rebase $release toc-skip &&
     git diff $release..toc-skip | ( cd /usr/share/perl5 ; sudo patch -p1 --dry-run ) &&
     git diff $release..toc-skip | ( cd /usr/share/perl5 ;    sudo patch -p1 ) &&
+    git rebase $release page-template-variable &&
+    git diff $release..page-template-variable | ( cd /usr/share/perl5 ; sudo patch -p1 --dry-run ) &&
+    git diff $release..page-template-variable | ( cd /usr/share/perl5 ;    sudo patch -p1 ) &&
     git rebase $release i18n-headinganchors &&
     mv /usr/share/perl5/IkiWiki/Plugin/i18nheadinganchors.pm{,.orig} &&
     git diff $release..i18n-headinganchors | ( cd /usr/share/perl5 ; sudo patch -p1 --dry-run ) &&

another linux laptop platform
diff --git a/hardware/laptop.mdwn b/hardware/laptop.mdwn
index 4d85c7a3..18e451bc 100644
--- a/hardware/laptop.mdwn
+++ b/hardware/laptop.mdwn
@@ -532,6 +532,12 @@ the i3 is good enough anyways: it has 4 cores instead of 2, takes up
 much less power (15W vs 65W) and has an integrated GPU, even though it
 has a lower actual clock speed (2.3GHz vs 2.93GHz).
 
+Zareason
+========
+
+Didn't know about [Zareason](https://zareason.com/) until [this comment](https://social.weho.st/web/statuses/104516711452286035) in response to
+[this Purism rant](/blog/2020-07-13-not-recommending-purism/)...
+
 Fournisseurs
 ============
 

more todos
diff --git a/services/analytics.mdwn b/services/analytics.mdwn
index 042902d9..23a43d8b 100644
--- a/services/analytics.mdwn
+++ b/services/analytics.mdwn
@@ -54,6 +54,10 @@ remaining issues:
  * some redirects...
  * move docker to compose or podman
  * this is all super janky and should be put in CM somehow
- * remove self-referer
- * remove "anarc.at" test site (the site is the analytics site, not
-   the tracked site)
+ * <del>remove self-referer</del> done, just a matter of configuring
+   the URL in the settings. could this be automated too?
+ * remove "anarc.at" test site (the site is the analytics site,
+   not the tracked site)
+ * add pixel tracking for `noscript` users
+ * log parsing?
+ * compare with goaccess logs, probably in september

Added a comment: Re: Praising Pine64
diff --git a/blog/2020-07-13-not-recommending-purism/comment_3_cfe79ad93cdf23baad79a43f481b0ad4._comment b/blog/2020-07-13-not-recommending-purism/comment_3_cfe79ad93cdf23baad79a43f481b0ad4._comment
new file mode 100644
index 00000000..dbfabe8c
--- /dev/null
+++ b/blog/2020-07-13-not-recommending-purism/comment_3_cfe79ad93cdf23baad79a43f481b0ad4._comment
@@ -0,0 +1,30 @@
+[[!comment format=mdwn
+ username="anarcat"
+ avatar="https://seccdn.libravatar.org/avatar/741655483dd8a0b4df28fb3dedfa7e4c"
+ subject="Re: Praising Pine64"
+ date="2020-07-15T13:15:06Z"
+ content="""
+> I don’t see how Pine64 deserves your praises when they fail to hire software developers to work on things that Purism actually pays people for.
+
+Pine64 deserves our praise exactly for that: they are a hardware company, and they make good hardware, with open schematics, that we can write software for. They don't pretend that they will build a hardware platform, and operating system, and liberate the universe all at once, because that's unrealistic, and they know it.
+
+And Purism knows it too.
+
+> Your criticism of Purism may be well founded, but you can’t then claim that Pine64 is doing better.
+
+Why not?
+
+> How much of the PinePhone is working thanks to the work of Purism?
+
+Really? Probably not much, actually. Most people do not use PureOS on their PinePhone, as far as I know. The reviews I have seen use either PostmarketOS or their own distro on top of it, see for example [Drew Devault's review](https://drewdevault.com/2019/12/18/PinePhone-review.html).
+
+> How much did Pine64 contribute to the software stack?
+
+Arguably, not much. But that's not their job and they don't pretend it is: they're building a phone, a piece of hardware. They try to make it as open as possible so that people can write software for it.
+
+> If Pine64 was actually a bit more Purism-like, they would both be in better shape (and the community would also benefit).
+
+The entire point of my article here is exactly the opposite of that. I believe we are in a better situation with Pine64 *not* faking it and creating real, working, everyday hardware that people can use instead of promising the moon and then failing to deliver.
+
+Besides, I'm not sure that \"Praising Pine64\" is an honest characterization of my article. I just said they did \"honest work\". If that's praise, our standards are very low indeed...
+"""]]

approve comment
diff --git a/blog/2020-07-13-not-recommending-purism/comment_1_46595ff9be3cc390a959c5d217394f02._comment b/blog/2020-07-13-not-recommending-purism/comment_1_46595ff9be3cc390a959c5d217394f02._comment
new file mode 100644
index 00000000..e479f429
--- /dev/null
+++ b/blog/2020-07-13-not-recommending-purism/comment_1_46595ff9be3cc390a959c5d217394f02._comment
@@ -0,0 +1,9 @@
+[[!comment format=mdwn
+ ip="90.255.34.237"
+ claimedauthor="Fazal Majid"
+ url="https://majid.info/"
+ subject="This is consistent with their former CTO"
+ date="2020-07-15T12:23:48Z"
+ content="""
+https://www.phoronix.com/scan.php?page=news_item&px=Zlatan-Todoric-Interview
+"""]]
diff --git a/blog/2020-07-13-not-recommending-purism/comment_1_c3736d7c60e0275528cab2dbb3ffef14._comment b/blog/2020-07-13-not-recommending-purism/comment_1_c3736d7c60e0275528cab2dbb3ffef14._comment
new file mode 100644
index 00000000..cf46ec80
--- /dev/null
+++ b/blog/2020-07-13-not-recommending-purism/comment_1_c3736d7c60e0275528cab2dbb3ffef14._comment
@@ -0,0 +1,9 @@
+[[!comment format=mdwn
+ ip="82.242.148.38"
+ claimedauthor="Alexandre Franke"
+ url="https://alexandrefranke.com"
+ subject="Praising Pine64"
+ date="2020-07-15T08:53:52Z"
+ content="""
+I don’t see how Pine64 deserves your praises when they fail to hire software developers to work on things that Purism actually pays people for. Your criticism of Purism may be well founded, but you can’t then claim that Pine64 is doing better. How much of the PinePhone is working thanks to the work of Purism? How much did Pine64 contribute to the software stack? If Pine64 was actually a bit more Purism-like, they would both be in better shape (and the community would also benefit).
+"""]]

another task
diff --git a/services/analytics.mdwn b/services/analytics.mdwn
index adaff1d1..042902d9 100644
--- a/services/analytics.mdwn
+++ b/services/analytics.mdwn
@@ -55,3 +55,5 @@ remaining issues:
  * move docker to compose or podman
  * this is all super janky and should be put in CM somehow
  * remove self-referer
+ * remove "anarc.at" test site (the site is the analytics site, not
+   the tracked site)

notes on the new analytics service
diff --git a/services/analytics.mdwn b/services/analytics.mdwn
new file mode 100644
index 00000000..adaff1d1
--- /dev/null
+++ b/services/analytics.mdwn
@@ -0,0 +1,57 @@
+goatcounter docker image:
+
+https://github.com/anarcat/goatcounter
+
+build:
+
+    docker build -t zgoat/goatcounter .
+
+create volume for db:
+
+    docker volume create goatcounter
+
+startup:
+
+    exec docker run --restart=unless-stopped --volume="goatcounter:/home/user/db/" --publish 127.0.0.1:8081:8080 --detach zgoat/goatcounter serve -listen :8080 -port 8080 -tls none
+
+need to be committed...
+
+apache:
+
+    <VirtualHost *:80>
+            ServerName analytics.anarc.at
+            Redirect / https://analytics.anarc.at/
+            DocumentRoot /var/www/html/
+    </VirtualHost>
+
+    <VirtualHost *:443>
+            ServerName analytics.anarc.at
+            Use common-letsencrypt-ssl analytics.anarc.at
+            DocumentRoot /var/www/html/
+            ProxyPass /.well-known/ !
+            ProxyPass / http://localhost:8081/
+            ProxyPassReverse / http://localhost:8081/
+            ProxyPreserveHost on
+    </VirtualHost>
+
++ bind
+
+let's encrypt:
+
+    certbot certonly --webroot  -d analytics.anarc.at --webroot-path /var/www/html/
+
+create site:
+
+    docker run -it --rm --volume="goatcounter:/home/user/db/" zgoat/goatcounter create -domain analytics.anarc.at -email anarcat+rapports@anarc.at
+
+and add to ikiwiki template (must be committed). then:
+
+    ikiwiki --setup ikiwiki.setup --rebuild --verbose
+
+remaining issues:
+
+ * cache headers are wrong (120ms!)
+ * some redirects...
+ * move docker to compose or podman
+ * this is all super janky and should be put in CM somehow
+ * remove self-referer
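Review bot: the notes "need to be committed..." after the startup command and "+ bind" after the Apache block do not say what they refer to, so the procedure cannot be followed from this page alone. Spell out what must be committed and what the bind step is (the later list mentions DNS). The `-port 8080` flag in the `serve` command also deserves a one-line explanation, since `--publish 127.0.0.1:8081:8080` already determines where the service is reachable.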

found two more damn monitors!
diff --git a/hardware/monitor.mdwn b/hardware/monitor.mdwn
index 5661c87a..49cb7e22 100644
--- a/hardware/monitor.mdwn
+++ b/hardware/monitor.mdwn
@@ -52,10 +52,12 @@ what works and doesn't, in descending order of (totally subjective)
    looks dusty (physically and in the image)
  * [Dell 1704FPvt](https://www.dell.com/downloads/global/products/monitors/en/spec_1704fp_en.pdf) 1280x1024@60Hz, 17", 1000:1, 25ms, VGA, DVI, USB
    4-port hub, looks square, rotating
- 
-It seems all monitors actually work, although some of those have such
-a poor resolution (long time since I saw 1024x768!) that they are not
-much use...
+ * [Toshiba 19AV500U](https://productz.com/en/toshiba-19av500u/p/eWMGr#full-specs) 1440x900, 19", VGA, HDMI, "component",
+   antenna coax (it's a TV!), can't make it work in Linux
+
+Those monitors do not power up at all:
+
+ * Philips 170B
 
 Possible monitors
 =================

add links
diff --git a/hardware/monitor.mdwn b/hardware/monitor.mdwn
index ae483d68..5661c87a 100644
--- a/hardware/monitor.mdwn
+++ b/hardware/monitor.mdwn
@@ -42,15 +42,15 @@ I somehow managed to collect a ridiculous pile of old monitors. Here's
 what works and doesn't, in descending order of (totally subjective)
 "quality":
 
- * Samsung B2330H TV 1920x1080@60Hz,  23", 70,000:1, 5ms, VGA,
-   HDMI, DVI, gigantic, top burnt off
- * LG Flatron Wide L204WTX-SF 1680x1050@60Hz, 20", 2000:1, 5ms, VGA,
-   DVI, looks great
- * Acer X193w 1440x900@75Hz, 2000:1, 5ms VGA, DVI, clean and simple,
-   top partially melted
- * Acer P186HV 133x768@60Hz, 18.5", 5000:1, 5ms, VGA, display looks
-   dusty (physically and in the image)
- * Dell 1704FPvt 1280x1024@60Hz, 17", 1000:1, 25ms, VGA, DVI, USB
+ * [Samsung B2330H](https://www.samsung.com/us/business/support/owners/product/b2330-series-b2330hd/) 1920x1080@60Hz, 23", 70,000:1, 5ms, VGA, HDMI,
+   DVI, gigantic, molten hole in the back, but works
+ * [LG Flatron Wide L204WTX-SF](https://www.lg.com/ca_en/support/product/lg-L204WTX-SF) 1680x1050@60Hz, 20", 2000:1, 5ms,
+   VGA, DVI, looks great
+ * [Acer X193w](https://www.cnet.com/products/acer-x193w-lcd-monitor/) 1440x900@75Hz, 2000:1, 5ms VGA, DVI, clean and
+   simple, top partially melted
+ * [Acer P186HV](https://productz.com/en/acer-p186hv/p/JJ3rY) 133x768@60Hz, 18.5", 5000:1, 5ms, VGA, display
+   looks dusty (physically and in the image)
+ * [Dell 1704FPvt](https://www.dell.com/downloads/global/products/monitors/en/spec_1704fp_en.pdf) 1280x1024@60Hz, 17", 1000:1, 25ms, VGA, DVI, USB
    4-port hub, looks square, rotating
  
 It seems all monitors actually work, although some of those have such
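Review bot: the rewritten Acer P186HV line carries over `133x768@60Hz`, which looks like a dropped digit in the resolution; check it against the spec page this commit links to. The Acer X193w line is also still missing its screen size and the comma after `5ms`, unlike the other entries.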

inventory of a pile of monitors
diff --git a/hardware/monitor.mdwn b/hardware/monitor.mdwn
index 36e8da5a..ae483d68 100644
--- a/hardware/monitor.mdwn
+++ b/hardware/monitor.mdwn
@@ -35,6 +35,28 @@ HP L2245wg
 
 [Upstream](https://support.hp.com/us-en/product/hp-l2245wg-22-inch-widescreen-lcd-monitor/3758498/manuals), [manual](http://h10032.www1.hp.com/ctg/Manual/c01555675), [specs](https://www.cnet.com/products/hp-l2245wg/).
 
+Old monitors
+------------
+
+I somehow managed to collect a ridiculous pile of old monitors. Here's
+what works and doesn't, in descending order of (totally subjective)
+"quality":
+
+ * Samsung B2330H TV 1920x1080@60Hz,  23", 70,000:1, 5ms, VGA,
+   HDMI, DVI, gigantic, top burnt off
+ * LG Flatron Wide L204WTX-SF 1680x1050@60Hz, 20", 2000:1, 5ms, VGA,
+   DVI, looks great
+ * Acer X193w 1440x900@75Hz, 2000:1, 5ms VGA, DVI, clean and simple,
+   top partially melted
+ * Acer P186HV 133x768@60Hz, 18.5", 5000:1, 5ms, VGA, display looks
+   dusty (physically and in the image)
+ * Dell 1704FPvt 1280x1024@60Hz, 17", 1000:1, 25ms, VGA, DVI, USB
+   4-port hub, looks square, rotating
+ 
+It seems all monitors actually work, although some of those have such
+a poor resolution (long time since I saw 1024x768!) that they are not
+much use...
+
 Possible monitors
 =================
 

the x220 has a vga port
diff --git a/hardware/laptop.mdwn b/hardware/laptop.mdwn
index 8b77c403..4d85c7a3 100644
--- a/hardware/laptop.mdwn
+++ b/hardware/laptop.mdwn
@@ -224,7 +224,7 @@ X220
  * SD card
  * 3xUSB, incl. 1 USB3 on i7
  * 720p camera
- * displayport
+ * DisplayPort and VGA port
  * combined audio jack
  * fprint reader
  * 65W AC

move junk to a more generic location
diff --git a/hardware/server/junk.mdwn b/hardware/junk.mdwn
similarity index 100%
rename from hardware/server/junk.mdwn
rename to hardware/junk.mdwn
diff --git a/hardware/server/marcos/v1.mdwn b/hardware/server/marcos/v1.mdwn
index 199f49c1..9b8fc25f 100644
--- a/hardware/server/marcos/v1.mdwn
+++ b/hardware/server/marcos/v1.mdwn
@@ -230,7 +230,7 @@ Chez newegg.ca - 1-2 jours packaging, 2-7 jours shipping, fait aujourdhui. -- Th
 
 ### Inventaire
 
-Inventory of old parts moved to [[junk]].
+Inventory of old parts moved to [[hardware/junk]].
 
 #### Other
 

link to my x220 reference
diff --git a/hardware/emma.mdwn b/hardware/emma.mdwn
index f955d845..81694a1f 100644
--- a/hardware/emma.mdwn
+++ b/hardware/emma.mdwn
@@ -14,8 +14,8 @@ Europe in the first half of the 20th century".
 >
 > -- Emma Goldman, 1910
 
-Emma is also an old battered X220 laptop running Debian I use for
-music recording.
+Emma is also an old battered [X220 laptop](/hardware/laptop/#x220) running Debian I use for
+music recording and as a spare laptop.
 
 Emma's name was also briefly attributed to [[rosa]] by mistake, before
 I remembered of its existence.
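Review bot: The link on the first added line hard-codes the site path and anchor (`/hardware/laptop/#x220`) in a Markdown link, while the paragraph just below uses a wikilink (`[[rosa]]`); a wikilink to the laptop page would be tracked by ikiwiki in the same way as the `[[rosa]]` link. That added line also runs well past the wrap width used by the rest of the paragraph.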

note that mumble echo cancelation is actually not that great
One of the most horrible audio conferencing experiences I had was with
Mumble failing to do echo cancelation and generating nasty feedback
loops with someone using their speakers and onboard mic on a laptop.
Heck, I've even heard feedback from my *own* mic bleed through someone
else's channel even if I was using a headset. Weird stuff.
diff --git a/blog/2020-04-09-mumble-dreams.mdwn b/blog/2020-04-09-mumble-dreams.mdwn
index b3fb110a..6a1ce1bd 100644
--- a/blog/2020-04-09-mumble-dreams.mdwn
+++ b/blog/2020-04-09-mumble-dreams.mdwn
@@ -31,7 +31,7 @@ implementations, the official one called [Murmur](https://wiki.mumble.info/wiki/
 [umurmur](https://umurmur.net/) and [Grumble](https://github.com/mumble-voip/grumble), a Go rewrite.
 
 It has *great* quality: echo canceling, when correctly configured, is
-solid and latency is minimal. It has "overlays" so you can use it
+<del>solid</del> okay and latency is minimal. It has "overlays" so you can use it
 while gaming or demo'ing in full screen while still having an idea of
 who's talking. It also supports positional audio for gaming that
 integrates with popular games like Counterstrike or Half-Life. It even
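Review bot: The changed line downgrades echo canceling from "solid" to "okay", but the sentence it belongs to still opens with "It has *great* quality", so the paragraph now contradicts both itself and the commit message. Consider rewording the lead-in, and replacing the inline `<del>` markup with a short dated note if the correction needs to stay visible.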

mention that mayfirst use mumble for translation
diff --git a/blog/2020-03-15-remote-tools.mdwn b/blog/2020-03-15-remote-tools.mdwn
index 40a90f0f..938272e3 100644
--- a/blog/2020-03-15-remote-tools.mdwn
+++ b/blog/2020-03-15-remote-tools.mdwn
@@ -80,7 +80,10 @@ Teamspeak, but made with free software. It requires users to [install
 an app](https://www.mumble.info/downloads/) but there are clients for every platform out there
 ([F-Droid](https://f-droid.org/repository/browse/?fdid=com.morlunk.mumbleclient), [Google Play](https://play.google.com/store/apps/details?id=com.morlunk.mumbleclient.free), [Apple Store](https://apps.apple.com/us/app/mumble/id443472808)). Mumble is harder
 to setup, but is much more efficient in terms of bandwidth and
-latency. In other words, it will just scale and sound better.
+latency. In other words, it will just scale and sound better. It also
+has interesting moderation and room management features which allow
+creative use of the software. For example, [Mayfirst use it for
+interpretation](https://support.mayfirst.org/wiki/mumble-interpreter-setup) (AKA "simultaneous translation").
 
 Mumble ships with a list of known servers, but you can also connect to
 those trusted ones:
diff --git a/blog/2020-04-09-mumble-dreams.mdwn b/blog/2020-04-09-mumble-dreams.mdwn
index a5f1ee58..b3fb110a 100644
--- a/blog/2020-04-09-mumble-dreams.mdwn
+++ b/blog/2020-04-09-mumble-dreams.mdwn
@@ -34,7 +34,10 @@ It has *great* quality: echo canceling, when correctly configured, is
 solid and latency is minimal. It has "overlays" so you can use it
 while gaming or demo'ing in full screen while still having an idea of
 who's talking. It also supports positional audio for gaming that
-integrates with popular games like Counterstrike or Half-Life.
+integrates with popular games like Counterstrike or Half-Life. It even
+has support for cross-linking different "rooms" which allow all sorts
+of features. For example, [Mayfirst use it for interpretation](https://support.mayfirst.org/wiki/mumble-interpreter-setup) (AKA
+"simultaneous translation").
 
 It's moderately secure: it doesn't support end-to-end encryption, but
 client/server communication is [encrypted and authenticated](https://wiki.mumble.info/wiki/FAQ#Is_Mumble_encrypted.3F) with
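Review bot: In the added sentence, "support for cross-linking different "rooms" which allow all sorts of features" has a subject-verb mismatch (it is the support that "allows"), and "all sorts of features" says little; naming the one feature the link demonstrates would be enough. The sibling hunk in blog/2020-03-15-remote-tools.mdwn credits the same Mayfirst setup to "moderation and room management features", so the two posts should describe the mechanism the same way.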

update: MB dead, insert articles in timeline
diff --git a/hardware/laptop/purism-librem13v4.mdwn b/hardware/laptop/purism-librem13v4.mdwn
index fbf5a7d4..68439f49 100644
--- a/hardware/laptop/purism-librem13v4.mdwn
+++ b/hardware/laptop/purism-librem13v4.mdwn
@@ -501,9 +501,15 @@ The timeline of that laptop's hardware problems looks like this:
  * 2019-05-09: first laptop received, DOA, TMA issued
  * 2019-05-13: shipping label issued, first laptop returned, second
    laptop shipped
+ * 2019-05-13: [article about Purism and free speech published](/blog/2019-05-13-free-speech)
  * 2019-05-15: first laptop received by Purism
  * 2019-05-17: second laptop received, working, extra 190$ Fedex fee
- * somewhere in April 2020: right-side USB-A port breaks
+ * 2019-05-29: this review published and updated for a few days
+ * (11 months pass): laptop in semi-regular use: travel to two
+   conferences, some holidays, some work from home, but not heavy use
+   until the pandemic hits early march 2020, when it gets used more
+   daily
+ * (somewhere in April 2020): right-side USB-A port breaks
  * 2020-04-27: hardware bug reported to Purism, response from Purism:
    "check dmesg", which I had reported in the bug report as empty,
    replied that
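Review bot: The two parenthesized entries, "(11 months pass)" and "(somewhere in April 2020)", break the date-prefixed format of every other item in the list, which makes the timeline harder to scan or sort; an approximate date prefix such as "2020-04 (approx.)" would keep the pattern. In the same addition, "early march 2020" needs a capital M and "gets used more daily" reads awkwardly.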
@@ -523,3 +529,5 @@ The timeline of that laptop's hardware problems looks like this:
  * 2020-07-03: Purism confirms reception, announces the hardware issue
    needs to be "diagnosed" which will "take a few days"
  * 2020-07-13: ping sent to Purism
+ * 2020-07-13: [update to this review published](/blog/2020-07-13-not-recommending-purism)
+ * 2020-07-14: response: motherboard confirmed dead

add details of mumble encryption mechanisms
diff --git a/blog/2020-04-09-mumble-dreams.mdwn b/blog/2020-04-09-mumble-dreams.mdwn
index b31f97f7..a5f1ee58 100644
--- a/blog/2020-04-09-mumble-dreams.mdwn
+++ b/blog/2020-04-09-mumble-dreams.mdwn
@@ -37,8 +37,9 @@ who's talking. It also supports positional audio for gaming that
 integrates with popular games like Counterstrike or Half-Life.
 
 It's moderately secure: it doesn't support end-to-end encryption, but
-client/server communication is encrypted with TLS. It supports a
-server password and some moderation mechanisms.
+client/server communication is [encrypted and authenticated](https://wiki.mumble.info/wiki/FAQ#Is_Mumble_encrypted.3F) with
+(mutual) TLS (for the control channel) and OCB-AES-128 over UDP (for
+media). It supports a server password and some moderation mechanisms.
 
 UI improvements
 ===============
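Review bot: The added lines name the primitives but not what they authenticate. "(mutual) TLS" leaves open whether a client certificate is required or optional and what identity it proves, and the OCB-AES-128 media channel is described without saying where its key comes from. The paragraph already rates Mumble as "moderately secure" and notes the lack of end-to-end encryption. One more clause saying that the server therefore sees the audio in the clear, plus how the media key is established, would let readers judge the threat model without following the FAQ link.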

spell-check purism docs
Thanks to ukleinek for the heads up.
diff --git a/hardware/laptop/purism-librem13v4.mdwn b/hardware/laptop/purism-librem13v4.mdwn
index cf40e629..fbf5a7d4 100644
--- a/hardware/laptop/purism-librem13v4.mdwn
+++ b/hardware/laptop/purism-librem13v4.mdwn
@@ -46,7 +46,7 @@ Semi-standard power connector
 The power connector is [somewhat standard](https://learn.sparkfun.com/tutorials/connector-basics/power-connectors): 19V DC on a 5.5mm
 sleeve with 2.5 positive pin, with a [C5/C6 cable](https://en.wikipedia.org/wiki/IEC_60320#C5/C6_coupler) for the AC side
 (as opposed to the more standard C13/C14 coupler, mind you). I was
-able to find a "universal 19V adpater" for ~60$ at a local store that
+able to find a "universal 19V adapter" for ~60$ at a local store that
 also supported other barrel connectors.
 
 It would be better if the laptop would charge through USB-C,
@@ -204,7 +204,7 @@ paid it now.
 Bright LEDs, not accessible when lid closed
 -------------------------------------------
 
-There are three leds on the top right of the keyboad: one for wifi,
+There are three leds on the top right of the keyboard: one for wifi,
 battery and power. They are very bright and even though they can
 technically be dimmed, the firmware is not open so there's [no way to
 dim the LEDs](https://forums.puri.sm/t/is-there-a-way-to-dim-the-leds-on-the-13-v2/1172). 
@@ -227,7 +227,7 @@ be questionable. While, yes, they try to provide a [liberated boot](#liberated-b
 and coreboot-based BIOS, that BIOS is not free software. At best they
 "neuter" the Intel Management Engine, but you still require non-free
 firmware to operate a Librem Computer, from the CPU down to the
-Bluetooth and Wifi hardwre. Even if that is a very common pattern on
+Bluetooth and Wifi hardware. Even if that is a very common pattern on
 laptops and phone, it is a huge disconnect with the "purity" and
 "freedom" narrative on their website.
 
@@ -269,7 +269,7 @@ Bullshit anti-interdiction
 --------------------------
 
 This is part of a larger pattern of "bullshit", if you'll pardon my
-french. The market the new Librem 14 as being shippable with
+french. The market the new Librem 14 as being shipped with
 [Anti-interdiction services](https://puri.sm/posts/anti-interdiction-services/) which supposedly consist of:
 
  1. Customized tamper-evident tape on the sealed plastic bag
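Review bot: The corrected line still begins "The market the new Librem 14", which should read "They market"; a spell checker will not catch it because "The" is a valid word. Replacing "shippable with" by "shipped with" also changes the claim from an available option to something every unit gets, so check which one the linked Purism page supports.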
@@ -330,11 +330,11 @@ that involves know what I mean) and I am deeply aware of how difficult
 OpenPGP and online security can be.
 
 I have actually *asked* Purism to get anti-interdiction services
-before I got the laptop. I knew about their suposed care for those
+before I got the laptop. I knew about their supposed care for those
 services and wanted to have the laptop hand-delivered, say at a
 conference we would commonly attend in the near future: I can wait!
 and I can pay for the extra trouble too. But that fairly
-straightforwared security measure was not possible. And none of the
+straightforward security measure was not possible. And none of the
 above measures seemed to apply to my order.
 
 So I call bullshit on that. 
@@ -400,7 +400,7 @@ enthusiasts in general". Yet in the developer updates, we learn that
 the [latest Dogwood update](https://puri.sm/posts/librem-5-dogwood-update-3/) now features *amazing* new features
 like "multiple hours" battery, "more reliable charging", and "app
 thumbnails". The previous batch, [chestnut](https://puri.sm/posts/librem-5-chestnut-hardware-changes/) had *exciting* stuff
-like a charging LED, a writable microSD card, and working phone
+like a charging LED, a writable MicroSD card, and working phone
 calls...
 
 So I call bullshit on that too: the Librem 5 is not a phone. It's a
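Review bot: Changing "microSD" to "MicroSD" on this line looks like a spell-checker false positive. The card format is written "microSD" with a lowercase m, so the original spelling was right and should be restored.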
@@ -501,8 +501,8 @@ The timeline of that laptop's hardware problems looks like this:
  * 2019-05-09: first laptop received, DOA, TMA issued
  * 2019-05-13: shipping label issued, first laptop returned, second
    laptop shipped
- * 2019-05-15: first laptoped received by Purism
- * 2019-05-17: second laptop received, working, exta 190$ Fedex fee
+ * 2019-05-15: first laptop received by Purism
+ * 2019-05-17: second laptop received, working, extra 190$ Fedex fee
  * somewhere in April 2020: right-side USB-A port breaks
  * 2020-04-27: hardware bug reported to Purism, response from Purism:
    "check dmesg", which I had reported in the bug report as empty,

clarify that coreboot itself might be free software...
... but not the product shipped by purism
diff --git a/hardware/laptop/purism-librem13v4.mdwn b/hardware/laptop/purism-librem13v4.mdwn
index 79fdf5ba..cf40e629 100644
--- a/hardware/laptop/purism-librem13v4.mdwn
+++ b/hardware/laptop/purism-librem13v4.mdwn
@@ -240,11 +240,11 @@ claims to be:
 > line-by-line, to respect your rights to privacy, security, and
 > freedom.
 
-Yet it still ships with Intel processors, known for a large variety
-of fundamental security issues that are part of the hardware design,
+Yet it still ships with Intel processors, known for a large variety of
+fundamental security issues that are part of the hardware design,
 which Intel refuses to fix. That it ships [coreboot](https://puri.sm/coreboot/) on top of that
-is besides the point: coreboot is not free software, and definitely
-ships proprietary blobs.
+is besides the point: coreboot, as shipped by Purism, is not open
+source, or at least ships proprietary blobs.
 
 Compare this with the work System76 has been doing in recent
 times. While they brand themselves as just a company shipping Linux
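Review bot: The rewritten sentence hedges between two different claims, "is not open source" and "or at least ships proprietary blobs", and only the second is something a reader can check; stating which blobs the Purism build includes, with a link, would make the point stand on its own. It also switches to "open source" while the commit message says "free software", and "is besides the point" on the changed line should be "beside the point". The claim just above about security issues "which Intel refuses to fix" is unsourced as well.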

creating tag page tag/laptop
diff --git a/tag/laptop.mdwn b/tag/laptop.mdwn
new file mode 100644
index 00000000..e263c4eb
--- /dev/null
+++ b/tag/laptop.mdwn
@@ -0,0 +1,4 @@
+[[!meta title="pages tagged laptop"]]
+
+[[!inline pages="tagged(laptop)" actions="no" archive="yes"
+feedshow=10]]

announce the hardware review changes and rant
diff --git a/blog/2020-07-13-not-recommending-purism.mdwn b/blog/2020-07-13-not-recommending-purism.mdwn
new file mode 100644
index 00000000..6c1b6d31
--- /dev/null
+++ b/blog/2020-07-13-not-recommending-purism.mdwn
@@ -0,0 +1,47 @@
+[[!meta title="Not recommending Purism"]]
+
+This is just a quick note to mention that I have updated my [hardware
+documentation on the Librem 13v4 laptop](/hardware/laptop/purism-librem13v4). It has unfortunately
+turned into a rather lengthy (and ranty) piece about Purism. Let's
+just say that waiting weeks for your replacement laptop (yes, it died
+again) does wonders for creativity. To quote the full review:
+
+> TL;DR: I recommend people avoid the Purism brand and products. I
+> find they have questionable politics, operate in a "libre-washing"
+> fashion, and produce unreliable hardware. Will not buy again.
+
+People who have read the article might want to jump directly to the
+new sections:
+
+ * [Libre washing](/hardware/laptop/purism-librem13v4/#libre-washing)
+ * [Bullshit anti-interdiction](/hardware/laptop/purism-librem13v4/#bullshit-anti-interdiction)
+ * [Bullshit crowdfunding](/hardware/laptop/purism-librem13v4/#bullshit-crowdfunding)
+ * [Hardware reliability](/hardware/laptop/purism-librem13v4/#hardware-reliability) (or lack thereof)
+
+I have also added the minor section of the [missing mic jack](/hardware/laptop/purism-librem13v4/#no-mic-jack).
+
+I realize that some folks (particularly at Debian) might still work at
+Purism, and that this article might be demoralizing for their work. If
+that is the case, I am sorry this article triggered you in any way and
+I hope this can act as a disclaimer. But I feel it is my duty to
+document the issues I am going through, as a user, and to call
+bullshit when I see it (let's face it, the anti-interdiction stuff and
+the Purism 5 crowd-funding campaign were total bullshit).
+
+I also understand that the pandemic makes life hard for everyone, and
+probably makes a bad situation at Purism worse. But those problems
+existed before the pandemic happened. They were issues I had
+identified in 2019 and that I simply never got around to document.
+
+I wish that people wishing to support the free software movement would
+spend their energy towards organisations that actually do honest work
+in that direction, like [System76](https://system76.com/) and [Pine64](https://www.pine64.org/). And if you're
+going to go crazy with an experimental free hardware design, why not
+go retro with the [MNT Reform](https://www.crowdsupply.com/mnt/reform).
+
+In the meantime, if you're looking for a phone, I recommend you give
+the [Fairphone](https://www.fairphone.com/) a fair chance. It really is a "fair" (as in, not
+the best, but okay) phone that you can moderately liberate, and it
+actually frigging works. See also my [hardware review of the FP2](/hardware/phone/fairphone2).
+
+[[!tag debian-planet python-planet hardware review phone laptop]]
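Review bot: "the Purism 5 crowd-funding campaign" in the apology paragraph uses the wrong product name; the review this post points to calls the phone the Librem 5. Also worth fixing before publishing: "never got around to document" should be "documenting", and the `python-planet` tag does not match anything in the post.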

Archival link:

The above link creates a machine-readable RSS feed that can be used to easily archive new changes to the site. It is used by internal scripts to do sanity checks on new entries in the wiki.
