RecentChanges

diff --git a/software/desktop/wayland.md b/software/desktop/wayland.md
index 762e4eb3..6e8f4195 100644
--- a/software/desktop/wayland.md
+++ b/software/desktop/wayland.md
@@ -966,7 +966,8 @@ anyone freaks out, I already had to use GTK for proper clipboard
 support, so this isn't much of a stretch...)
 
 One thing I'm, missing is some review/annotation tool. [Satty](https://github.com/gabm/Satty)
-provides a nice minimal wrapper like that. See also [Gradia](https://github.com/AlexanderVanhee/Gradia).
+provides a nice minimal wrapper like that. See also [Gradia](https://github.com/AlexanderVanhee/Gradia) which
+will likely ship in Debian 14 "forky".
 
 For now, I'm using whatever default image viewer I have configured
 (currently geeqie), one key feature is that it must support the "copy

diff --git a/blog/2026-05-16-four-horsemen.md b/blog/2026-05-16-four-horsemen.md
index c5753904..43e610f4 100644
--- a/blog/2026-05-16-four-horsemen.md
+++ b/blog/2026-05-16-four-horsemen.md
@@ -284,7 +284,7 @@ Go low tech. [Moore's law](https://en.wikipedia.org/wiki/Moore%27s_law) is dead,
 
 Patch your shit. [Go weird](https://anginedepoitrine.com/).
 
-Refuse slop. Train your brain.
+Refuse slop. Train your brain. [Refuse distillation](https://github.com/leilei926524-tech/anti-distill).
 
 The horsemen will collapse, but let's not go down with them.
 

diff --git a/blog/2026-05-16-four-horsemen.md b/blog/2026-05-16-four-horsemen.md
index 3070174e..c5753904 100644
--- a/blog/2026-05-16-four-horsemen.md
+++ b/blog/2026-05-16-four-horsemen.md
@@ -109,6 +109,13 @@ yet to fully materialize. Regardless for engineers, the market feels
 tighter than it was a couple years ago, and everyone feels on edge
 that they will just have to learn to operate LLMs to keep their jobs.
 
+Update: it turns out I was clearly too optimistic. Cisco is laying
+off 4,000 or 5% of its staff in a [jolly announcement celebrating
+a record $15.8 billion revenue](https://blogs.cisco.com/news/our-path-forward), and Meta will [lay off 8,000 or
+10% of its workforce](https://www.nytimes.com/2026/04/23/technology/meta-layoffs.html), in [horrifying conditions](https://sfstandard.com/pacific-standard-time/2026/05/15/meta-employee-gets-real-horror-working-right-now/). See also the
+[jobloss.ai tracker](https://jobloss.ai/) which counts 125,000 jobs lost since January
+2025, as of May 2026.
+
 Which brings us, of course, to Death.
 
 # Death: security and copyright
@@ -290,4 +297,4 @@ The horsemen will collapse, but let's not go down with them.
 
 
 <!-- posted to the federation on 2026-05-16T19:59:05.822639 -->
-[[!mastodon "https://kolektiva.social/@Anarcat/116586967566862470"]]
\ No newline at end of file
+[[!mastodon "https://kolektiva.social/@Anarcat/116586967566862470"]]

diff --git a/software/desktop/wayland.md b/software/desktop/wayland.md
index 0325e094..762e4eb3 100644
--- a/software/desktop/wayland.md
+++ b/software/desktop/wayland.md
@@ -1181,15 +1181,12 @@ case, they should be listed here:
 |--------------|---------------------------------------|-----------|
 | `arandr`     | [nwg-displays][]                      | yes       |
 | `autorandr`  | [kanshi][]                            | yes       |
-| `xclock`     | [wlclock][]                           | no        |
+| `xclock`     | [wlclock][]                           | yes       |
 | `xdotool`    | [wtype][]                             | yes       |
 | `xev`        | [wev][], `xkbcli interactive-wayland` | yes       |
-| `xlsclients` | `swaymsg -t get_tree`                 | yes       |
+| `xlsclients` | [lswt][] or `swaymsg -t get_tree`     | no        |
 | `xprop`      | [wlprop][] or `swaymsg -t get_tree`   | no        |
-| `xrandr`     | [wlr-randr][]                         | yes       |
-
-[lswt][] is a more direct replacement for `xlsclients` but is not
-packaged in Debian.
+| `xrandr`     | [wlr-randr][] or [lsdisplay][]        | yes       |
 
 `xkbcli interactive-wayland` is part of the `libxkbcommon-tools`
 package.
@@ -1237,6 +1234,7 @@ makes it much easier to use.
 [nwg-displays]: https://github.com/nwg-piotr/nwg-displays
 [wlclock]: https://git.sr.ht/~leon_plickat/wlclock
 [shikane]: https://docs.rs/crate/shikane/latest
+[lsdisplay]: https://github.com/AGuyMarc/lsdisplay
 
 # Other issues
 

diff --git a/services/radio.mdwn b/services/radio.mdwn
index 9ebc7025..cd088b17 100644
--- a/services/radio.mdwn
+++ b/services/radio.mdwn
@@ -240,6 +240,12 @@ for example:
 The "Live stream key" from Peertube should be added as the "Stream
 key". I also set the Peertube stream to be "low latency".
 
+The "Settings" available in the "controls" are saved as a "Profile"
+named, in this case, `peertube.wtf`. This is separate from the "Scene
+Collection", so you can use profiles to keep configurations for
+different streaming backends (Peertube, Twitch, YouTube, whatever),
+without having to rebuild your scene collection.
+
 Then in "Audio", I disable the "desktop source" so that I have better
 control over the inputs (in order to avoid loops, for example, if I
 listen to some other stream, or leaks for example if i listen to
@@ -254,7 +260,10 @@ the Jack input can easily get disconnected. The "JACK" output plugin
 in Audacious has a setting to pick the output port and that can be set
 to `OBS.*in_.*`. The problem with that is then you don't hear the
 audio yourself! But this can be fixed by patching that less important
-output by hand in `qjackctl` or `qpwgraph`.
+output by hand in `qjackctl` or `qpwgraph`. The "patchbay" feature
+seems capable of restoring those automatically as well. Otherwise
+there's `raysession` that has a more advanced setup including
+automatically starting and patching apps.
 
 The final touch is to connect the second `capture_AUX1` ports into the
 OBS Mic/Aux input, because otherwise input is mono on a single channel

diff --git a/blog.mdwn b/blog.mdwn
index 626ea5ac..61f654f6 100644
--- a/blog.mdwn
+++ b/blog.mdwn
@@ -97,7 +97,7 @@ more socially acceptable and less politically controversial.
 <!-- add it. yes, this is kind of silly. -->
 
 <!-- end copy-paste -->
-## 2025
+## 2026
 
 [[!inline pages="
 (

diff --git a/blog/2026-05-16-four-horsemen.md b/blog/2026-05-16-four-horsemen.md
index 02b70e54..3070174e 100644
--- a/blog/2026-05-16-four-horsemen.md
+++ b/blog/2026-05-16-four-horsemen.md
@@ -171,11 +171,12 @@ deliberate, but it lacks meaning, intent, will.
 
 I have not been confronted with much slop, apart from the lobster
 Jesus or the yellow man atrocities, and particularly not in my
-work. 
+work. But I see what it is doing to my profession: beyond
+[vibe-coding](https://en.wikipedia.org/wiki/Vibe_coding), people are now [token-maxxing](https://www.forbes.com/sites/timkeary/2026/04/13/is-the-cult-of-tokenmaxxingjust-another-fad-or-the-new-normal/), and
+[land-grabbing their colleagues](https://leehanchung.github.io/blogs/2026/04/05/the-ai-great-leap-forward/#let-a-hundred-skills-bloom).
 
-TODO: rephrase. But I see what it is doing to my profession: I don't like
-vibe-coded software, and don't like what it does to our communities,
-or the fabric of software we live with.
+I don't like what LLMs do to our communities, or the fabric of
+software we live with.
 
 Software does not evolve in a void. It is a team effort, be it free
 software or a corporate product. Generations of humans have carefully

diff --git a/blog/2026-05-16-four-horsemen.md b/blog/2026-05-16-four-horsemen.md
index 9376afac..02b70e54 100644
--- a/blog/2026-05-16-four-horsemen.md
+++ b/blog/2026-05-16-four-horsemen.md
@@ -286,3 +286,7 @@ The horsemen will collapse, but let's not go down with them.
 > and should not be used to train one.
 
 [[!tag llm analysis sysadmin copyleft copyright debian-planet python-planet internet linux security kernel software vulnerability free-software]]
+
+
+<!-- posted to the federation on 2026-05-16T19:59:05.822639 -->
+[[!mastodon "https://kolektiva.social/@Anarcat/116586967566862470"]]
\ No newline at end of file

diff --git a/tag/llm.mdwn b/tag/llm.mdwn
new file mode 100644
index 00000000..b99a28b5
--- /dev/null
+++ b/tag/llm.mdwn
@@ -0,0 +1,4 @@
+[[!meta title="pages tagged llm"]]
+
+[[!inline pages="tagged(llm)" actions="no" archive="yes"
+feedshow=10]]

diff --git a/blog/2026-05-16-four-horsemen.md b/blog/2026-05-16-four-horsemen.md
index 68fbc6ff..9376afac 100644
--- a/blog/2026-05-16-four-horsemen.md
+++ b/blog/2026-05-16-four-horsemen.md
@@ -4,7 +4,12 @@ I have been battling Large Language Models (LLM[^1]) for the past
 couple of weeks and have struggled to think about what it means and
 how to deal with its fallout.
 
-[^1]: I prefer "LLM" to Artificial Intelligence term which they definitely aren't.
+[^1]: I prefer "LLM" to Artificial Intelligence, as I don't consider
+    models to have "Intelligence" which goes far beyond the analytical
+    traits we train models for. Intelligence *requires* embodiment
+    and social interaction; machines lack the innate human skills of
+    empathy, feeling and care, which explains a lot of the evils
+    behind the current trends.
 
 Because the fight has come from many fronts, I've come to articulate
 this in terms of the [Four Horsemen of the Apocalypse](https://en.wikipedia.org/wiki/Four_Horsemen_of_the_Apocalypse).
@@ -17,9 +22,9 @@ this in terms of the [Four Horsemen of the Apocalypse](https://en.wikipedia.org/
 
 # War: bot armies
 
-Let's start with War. We've been battling bot armies crawling our
-GitLab server [for a while](https://gitlab.torproject.org/tpo/tpa/team/-/work_items/42152). Bots crawl virtually infinite
-endpoints on Git repositories (as opposed to downloading even an
+Let's start with War. We've been battling bot armies for control of
+our GitLab server [for a while](https://gitlab.torproject.org/tpo/tpa/team/-/work_items/42152). Bots crawl virtually infinite
+endpoints on our Git repositories (as opposed to downloading an
 archive or shallow clone), including our fork of Firefox, Tor Browser,
 a massive repository.
 
@@ -47,7 +52,7 @@ included, so a feeble cookie is no match for the massive bot armies.
 ## Side note on LLM "order of battle"
 
 We often underestimate the size of that army. The cloud was huge even
-before AI, serving about two thirds of the web. Even larger swaths of
+before LLMs, serving about two thirds of the web. Even larger swaths of
 clients like government and corporate databases have all moved to the
 cloud, in shared, but private infrastructure with massive spare
 capacity that is readily available to anyone who pays.
@@ -65,10 +70,10 @@ Those companies can launch thousands, if not millions of fully
 functional web browsers at our servers. Computing power or bandwidth
 are not a limitation for them, our primitive infrastructure is. No one
 but hyperscalers can deal with this kind of load, and I suspect that
-even them are having troubles of their own, as even [Google is
-deploying extreme mechanisms in reCAPTCHA](https://www.androidauthority.com/google-recaptcha-play-services-requirement-3664806/).
+they are also struggling, as even [Google is deploying extreme
+mechanisms in reCAPTCHA](https://www.androidauthority.com/google-recaptcha-play-services-requirement-3664806/).
 
-This is the largest scale attack on the internet since the [Morris
+This is the largest attack on the internet since the [Morris
 worm](https://en.wikipedia.org/wiki/Morris_worm) but while [Robert Tappan Morris](https://en.wikipedia.org/wiki/Robert_Tappan_Morris) went to jail on a felony,
 LLM companies are celebrated as innovators and will soon be too big to
 fail.[^2]
@@ -86,8 +91,7 @@ All that computing power doesn't come out of thin air: it needs
 massive amounts of hardware, power, and cooling.
 
 Earlier this year, I've heard from a colleague that their Dell
-supplier refused to even provide a *quote* to them before
-August. Dell!
+supplier refused to even provide a *quote* before August. Dell!
 
 In February, [Western Digital's hard drive production for 2026 was
 already sold out](https://www.techspot.com/news/111346-western-digital-hdd-production-capacity-2026-already-sold.html). Hard drives essentially [doubled in price within
@@ -100,10 +104,10 @@ But regular folks are facing real-life shortages as well, as
 stealing fresh water and energy from human beings to feed the war
 machine.
 
-The actual job market apocalypse seems to have yet to materialize. But
-for engineers, the market feels tighter than it was a couple years
-ago, and everyone feels on edge that they will just have to learn to
-operate LLMs to keep their jobs.
+We've been scared of losing our jobs, but it seems that Apocalypse has
+yet to fully materialize. Regardless for engineers, the market feels
+tighter than it was a couple years ago, and everyone feels on edge
+that they will just have to learn to operate LLMs to keep their jobs.
 
 Which brings us, of course, to Death.
 
@@ -116,25 +120,24 @@ then, a few months later, everyone is [scrambling to deal with floods
 of good reports](https://lwn.net/Articles/1066581/).
 
 In the past two weeks, this culminated in a significant number of
-highly critical security issues across multiple projects. Chained
+critical security issues across multiple projects. Chained
 together, remote code execution vulnerabilities in [Nginx](https://depthfirst.com/nginx-rift) and
 [Apache](https://www.cve.org/CVERecord?id=CVE-2026-23918) and *two* local privilege escalations in the Linux kernel
-([dirtyfrag](https://github.com/V4bel/dirtyfrag/) and [fragnesia](https://github.com/v12-security/pocs/tree/main/fragnesia#fragnesia)) essentially gave everyone with a
-clue root access to any unpatched server to the web.
+([dirtyfrag](https://github.com/V4bel/dirtyfrag/) and [fragnesia](https://github.com/v12-security/pocs/tree/main/fragnesia#fragnesia)) essentially gave anyone root access to any unpatched server to the web.
 
-Just today, [another vulnerability dropped](https://github.com/0xdeadbeefnetwork/ssh-keysign-pwn), which gives read
+As I write this, [another vulnerability dropped](https://github.com/0xdeadbeefnetwork/ssh-keysign-pwn), which gives read
 access to any file to a local user, compromising TLS and SSH private
 keys.
 
-All those were released without any significant coordination while
-people scrambled to mitigate.
+All those vulnerabilities were released without any significant
+coordination while people scrambled to mitigate.
 
 Many people [including Linus Torvalds](https://lwn.net/Articles/1072007/#Comments) are now considering issues
 discovered through LLMs to be essentially public. This puts [some
 debates about disclosure processes](https://lwn.net/Articles/1071499/) in perspective, to say the
 least.
 
-But this is not merely the death of traditional coordinated disclosure
+But this is not merely the death of the traditional coordinated disclosure
 process, the C programming language, or the Linux kernel: remember
 that those bots are trained on a large corpus of copyrighted
 material. Facebook has [trained their models on pirated books](https://www.theguardian.com/technology/2025/jan/10/mark-zuckerberg-meta-books-ai-models-sarah-silverman) and
@@ -145,7 +148,7 @@ LLM outputs are not copyrightable](https://www.congress.gov/crs-product/LSB10922
 With many people now vibe coding their way out of learning or
 remembering how computers work, is this the Death of Copyright?
 
-And this, of course, brings us to the final horseman: Pestilence.
+And that, of course, brings us to the final horseman: Pestilence.
 
 # Pestilence: slop
 
@@ -153,20 +156,24 @@ There is a growing meme that programming is essentially over as we
 know it. That you can simply vibe-code applications from scratch and
 it's pretty good.
 
-Maybe that is true. Most of my attempts at resolving any complex
-problem with a LLM have often been faced with bizarre failures. [Some
-worked surprisingly well.](https://gitlab.com/anarcat/scripts/-/blob/main/transmodify.py?ref_type=heads)
+Maybe that's true. 
+
+So far, most of my attempts at resolving any complex problem with a
+LLM have often failed with bizarre failures. [Some worked surprisingly
+well.](https://gitlab.com/anarcat/scripts/-/blob/main/transmodify.py?ref_type=heads) Maybe, of course, I am holding it wrong.
 
 I personally don't believe LLMs will ever be good enough to produce
 and maintain software at scale. They're surprisingly good at finding
 security flaws right now. But what I see is also a lot of
-[Bullshit](https://en.wikipedia.org/wiki/Bullshit), with capital B. It's not lying: it does not "know"
+[Bullshit](https://en.wikipedia.org/wiki/Bullshit), with a capital B. It's not lying: it does not "know"
 anything, so it *can't* lie. It's misleadingly cohesive and
-meaningful, but it lacks meaning, intent, will.
+deliberate, but it lacks meaning, intent, will.
 
 I have not been confronted with much slop, apart from the lobster
 Jesus or the yellow man atrocities, and particularly not in my
-work. But I see what it is doing to my profession: I don't like
+work. 
+
+TODO: rephrase. But I see what it is doing to my profession: I don't like
 vibe-coded software, and don't like what it does to our communities,
 or the fabric of software we live with.
 
@@ -187,8 +194,8 @@ LLM found an 0day in our slop" kind of stupid.
 
 # The fifth horsemen
 
-Researching source for this article, I looked up the four horsemen and
-found out they original seems to have been:
+Researching for this article, I looked up the four horsemen and found
+out they original seems to have been:
 
 - Famine
 - War
@@ -217,23 +224,23 @@ The point is, there are actually five horsemen, and the fifth one is,
 in my opinion, Conquest.
 
 Those companies (and *not* "AI", mind you) are taking over the
-worlds. There's a strong connection between the "post-truth" world
-imposed on us by fascists like Trump and Putin. It's not an accident,
-it's a power grab part of the [Californian Ideology](https://en.wikipedia.org/wiki/The_Californian_Ideology)[^3]. Just like
-Airbnb broke housing, Uber destroyed the transportation and Amazon is
-taking over hosting and retail, LLM companies are essentially trying
+world. I sense a strong connection with the "post-truth" world imposed
+on us by fascists like Trump and Putin. It's not an accident, it's a
+power grab part of the [Californian Ideology](https://en.wikipedia.org/wiki/The_Californian_Ideology)[^3]. Just like Airbnb
+broke housing, Uber destroyed the transportation and Amazon is taking
+over retail and server hosting, LLM companies are essentially trying
 to take over if not everything, at least [Cognition](https://en.wikipedia.org/wiki/Cognition) as a whole.
 
 [^3]: Probably a good time to watch [All Watched Over by Machines of Loving Grace][].
 
-But those companies capitalizations (OpenAI and Nvidia in particular)
+But the capitalization of those companies (OpenAI and Nvidia in particular)
 are so far beyond reason that their inevitable collapse will likely
-lead to a global financial collapse of biblical proportion.
+lead to a global financial collapse of biblical proportions.
 
-Because they will inevitably fail like previous bubbles -- the dot
-com, the ad scam, the blockchain scam, and now the LLM lie -- they are
-built on. And when they fail, I hope it zips all the way back up to
-the dot com and git me back my internet.
+Because they will inevitably fail like previous bubbles they are built
+on. And when they fail, I hope it zips all the way back through the
+blockchain scam, the ad surveillance system, and the dot com then git
+me back my internet.
 
 [All Watched Over by Machines of Loving Grace]: https://en.wikipedia.org/wiki/All_Watched_Over_by_Machines_of_Loving_Grace_(TV_series)
 
@@ -252,24 +259,24 @@ much that the only translators not replaced by LLMs right now are
 [interpreters](https://en.wikipedia.org/wiki/Language_interpretation), who translate vocally in real time. But
 interpreters are worried about their jobs as well.

(Diff truncated)

diff --git a/blog/2026-05-16-four-horsemen.md b/blog/2026-05-16-four-horsemen.md
index 7574a90a..68fbc6ff 100644
--- a/blog/2026-05-16-four-horsemen.md
+++ b/blog/2026-05-16-four-horsemen.md
@@ -11,7 +11,7 @@ this in terms of the [Four Horsemen of the Apocalypse](https://en.wikipedia.org/
 
 > Sound track: Metallica's [The Four Horsemen](https://www.metallica.com/songs/the-four-horsemen.html), preferably
 > [downloaded from Napster around 2000](https://en.wikipedia.org/wiki/Metallica_v._Napster,_Inc.), but now I guess you [get
-> on YouTube](https://www.youtube.com/watch?v=-zKOhVSERS8).
+> it on YouTube](https://www.youtube.com/watch?v=-zKOhVSERS8).
 
 [[!toc levels=2]]
 

diff --git a/blog/2026-05-16-four-horsemen.md b/blog/2026-05-16-four-horsemen.md
index 603cbaef..7574a90a 100644
--- a/blog/2026-05-16-four-horsemen.md
+++ b/blog/2026-05-16-four-horsemen.md
@@ -265,6 +265,8 @@ So this is a call to arms.
 
 Fight back.
 
+Block bots.
+
 Refuse slop.
 
 Train your brain.

diff --git a/blog/2026-05-16-four-horsemen.md b/blog/2026-05-16-four-horsemen.md
index 365fdd12..603cbaef 100644
--- a/blog/2026-05-16-four-horsemen.md
+++ b/blog/2026-05-16-four-horsemen.md
@@ -1,109 +1,109 @@
 [[!meta title="The Four Horsemen of the LLM Apocalypse"]]
 
-I have been battling Large Language Models (LLM, a term I prefer to
-the pretentious Artificial Intelligence term which they definitely
-aren't) for the past couple of weeks and have struggled to think about
-what it means and how to deal with its fallout.
+I have been battling Large Language Models (LLM[^1]) for the past
+couple of weeks and have struggled to think about what it means and
+how to deal with its fallout.
 
-I've come to articulate this in terms of the [Four Horsemen of the
-Apocalypse](https://en.wikipedia.org/wiki/Four_Horsemen_of_the_Apocalypse), as we've come under attack from many fronts.
+[^1]: I prefer "LLM" to Artificial Intelligence term which they definitely aren't.
 
-> Appropriate sound track: Metallica's [The Four Horsemen](https://genius.com/Metallica-the-four-horsemen-lyrics),
-> preferably [downloaded from Napster around 2000](https://en.wikipedia.org/wiki/Metallica_v._Napster,_Inc.).
+Because the fight has come from many fronts, I've come to articulate
+this in terms of the [Four Horsemen of the Apocalypse](https://en.wikipedia.org/wiki/Four_Horsemen_of_the_Apocalypse).
+
+> Sound track: Metallica's [The Four Horsemen](https://www.metallica.com/songs/the-four-horsemen.html), preferably
+> [downloaded from Napster around 2000](https://en.wikipedia.org/wiki/Metallica_v._Napster,_Inc.), but now I guess you [get
+> on YouTube](https://www.youtube.com/watch?v=-zKOhVSERS8).
 
 [[!toc levels=2]]
 
 # War: bot armies
 
-Let's start with War. For a long time already, we've been battling bot
-armies crawling our servers, mostly GitLab, where bots indiscriminately
-and stupidly crawl virtually infinite endpoints to list directories,
-read files, go back in history and run `diff` or `blame` on large
-repositories. This includes our fork of Firefox, Tor Browser, a
-massive repository.
+Let's start with War. We've been battling bot armies crawling our
+GitLab server [for a while](https://gitlab.torproject.org/tpo/tpa/team/-/work_items/42152). Bots crawl virtually infinite
+endpoints on Git repositories (as opposed to downloading even an
+archive or shallow clone), including our fork of Firefox, Tor Browser,
+a massive repository.
 
 At first, we've tried various methods: [robots.txt](https://www.robotstxt.org/), blocking user
-agents, and finally blocking entire misbehaving networks. Like many
-others attempting to fend off the armies of War, it worked for a
-while. But now they're back with a vengeance. Blocking entire networks
-doesn't work: they come back some other way, typically through [shady
-proxy networks](https://acid.vegas/blog/the-shady-world-of-ip-leasing/), which is kind of ironic considering we're
-essentially running the largest proxy network of the world.
-
-Out of desperation, we've forced users to fetch and resend a cookie
-when visiting our site, hoping this would tame some bots. The only way
-to get a cookie is to visit a specific page, or run JavaScript,
-essentially running a poor man's Anubis, considering it seems [bots
-have broken Anubis anyways](https://social.anoxinon.de/@Codeberg/115033790447125787) and that it [does not really defend
-against a well-funded attacker](https://lock.cmpxchg8b.com/anubis.html), something which [Pretix warned
-against in 2025 already](https://behind.pretix.eu/2025/05/23/captchas-are-over/). 
+agents, and finally blocking entire networks. I [[wrote
+asncounter|blog/2025-05-30-asncounter]]. It worked for a while.
+
+But now, blocking entire networks doesn't work: they come back some
+other way, typically through [shady proxy networks](https://acid.vegas/blog/the-shady-world-of-ip-leasing/), which is kind
+of ironic considering we're essentially running the largest proxy
+network of the world.
+
+Out of desperation, we've forced users to [use cookies](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/policy/0108-gitlab-cookie-and-javascript-enforcement) when
+visiting our site. We haven't deployed [Anubis](https://anubis.techaro.lol/) yet, as we worry
+that [bots have broken Anubis anyways](https://social.anoxinon.de/@Codeberg/115033790447125787) and that it [does not really
+defend against a well-funded attacker](https://lock.cmpxchg8b.com/anubis.html), something which [Pretix
+warned against in 2025 already](https://behind.pretix.eu/2025/05/23/captchas-are-over/).
 
 (We have a whole [discussion regarding those tools here](https://gitlab.torproject.org/tpo/tpa/team/-/work_items/42229).)
 
-But even that, predictably, has failed: bots are, really, agents
-nowadays and run a full web browser, JavaScript included, so a feeble
-cookie is no match for the massive bot armies.
+But even that, predictably, has failed. I suspect what we consider
+bots are now really agents. They run full web browsers, JavaScript
+included, so a feeble cookie is no match for the massive bot armies.
 
 ## Side note on LLM "order of battle"
 
-We often underestimate the size of that army. The cloud is huge. It
-was huge before AI, monopolizing effectively about two thirds of the
-publicly facing sites in the world. There are large swaths of
-processing power that are not in there like government and corporate
-databases that have all moved to the cloud, in shared, but private
-infrastructure that is readily available to anyone who pays.
+We often underestimate the size of that army. The cloud was huge even
+before AI, serving about two thirds of the web. Even larger swaths of
+clients like government and corporate databases have all moved to the
+cloud, in shared, but private infrastructure with massive spare
+capacity that is readily available to anyone who pays.
 
-Now AI has made the problem worse by dramatically expanding the
-capacity of the "cloud". We now have state-sized data centers (in terms
-of power usage) that dwarf any data centers that have been built
-before. They have millions of cores, petabytes of memory, exabytes of
-storage.
+LLMs have made the problem worse by dramatically expanding the
+capacity of the "cloud". We now have data centers that defy
+imagination with [millions of cores](https://epoch.ai/data/data-centers), petabytes of memory, exabytes
+of storage.
 
-I think of how impressed I was to hear domestic 25 gigabit/s internet
-connection in US municipal networks or Switzerland. That is nothing.
+I thought that [25 gigabit residential internet in Switzerland](https://sschueller.github.io/posts/the-free-market-lie/)
+could bring balance, but this is nothing compared to the scale of
+those data centers.
 
 Those companies can launch thousands, if not millions of fully
-functional web browsers our way. We have worked for years at this
-point to automate web browsers for unit testing web apps, now they're
-being abused for crawling. Computing resources is not an
-issue. Bandwidth is not an issue.
-
-Our contents are hosted on retrograde, old school, single point of
-failure, single (or even multiple) VMs that can't deal with that kind
-of load. Anything but hyperscalers can deal with this kind of load,
-and I suspect, even them are having troubles of their own.
-
-This is the largest scale attack on the internet since the Morris worm
-but, contrary to that worm, they're not going to jail. They're
-celebrated as innovators and will soon be too big to fail.
+functional web browsers at our servers. Computing power or bandwidth
+are not a limitation for them, our primitive infrastructure is. No one
+but hyperscalers can deal with this kind of load, and I suspect that
+even them are having troubles of their own, as even [Google is
+deploying extreme mechanisms in reCAPTCHA](https://www.androidauthority.com/google-recaptcha-play-services-requirement-3664806/).
+
+This is the largest scale attack on the internet since the [Morris
+worm](https://en.wikipedia.org/wiki/Morris_worm) but while [Robert Tappan Morris](https://en.wikipedia.org/wiki/Robert_Tappan_Morris) went to jail on a felony,
+LLM companies are celebrated as innovators and will soon be too big to
+fail.[^2]
+
+[^2]: It should be noted that Morris also happened to be one of the
+    founder of [Y Combinator](https://en.wikipedia.org/wiki/Y_Combinator) where he is in good company with
+    other techno-fascists like Peter Thiel, Sam Altman, and so
+    on. Crime, after all, pays.
 
 Which brings us to the second horsemen, famine.
 
 # Famine: shortages
 
 All that computing power doesn't come out of thin air: it needs
-hardware, and a *lot* of it. Earlier this year, I've heard from a
-colleague that their Dell supplier refused to even provide a *quote*
-to them before August. Dell! In February, [Western Digital's hard
-drive production for 2026 was already sold out](https://www.techspot.com/news/111346-western-digital-hdd-production-capacity-2026-already-sold.html). Hard drives would
-essentially [doubled in price within a year](https://gitlab.torproject.org/tpo/tpa/team/-/work_items/42465), and some have now
-tripled. A server quote we had in November was renewed recently and
-*quadrupled*, going from 10 thousand to *FORTY* thousand dollars for
-a single server.
-
-And that's just us privileged computer engineers. Real folks are
-facing real-life shortages out there, as massive data centers are
-being built at neck-breaking speed, stealing fresh water from actual
-humans to feed the war machine.
-
-The actual job market apocalypse hasn't quite reached us just yet: it
-seems there are *some* job losses, but nothing quite apocalyptic as
-one would have expected so far. But I wouldn't be surprised if the job
-market goes south, especially for white collar jobs. For engineers,
-the trend has certainly been reversing for a while, something that
-Google and other large corporations have been working hard on for
-years, trying to train new engineers to flood the market with
-initiatives like "summer of code" and so on.
+massive amounts of hardware, power, and cooling.
+
+Earlier this year, I've heard from a colleague that their Dell
+supplier refused to even provide a *quote* to them before
+August. Dell!
+
+In February, [Western Digital's hard drive production for 2026 was
+already sold out](https://www.techspot.com/news/111346-western-digital-hdd-production-capacity-2026-already-sold.html). Hard drives essentially [doubled in price within
+a year](https://gitlab.torproject.org/tpo/tpa/team/-/work_items/42465), and some have now tripled. A server quote we had in
+November has now *quadrupled*, going from 10 thousand to *FORTY*
+thousand dollars for a single server.
+
+But regular folks are facing real-life shortages as well, as
+[city-size data centers](https://www.theguardian.com/us-news/2026/may/13/utah-approves-datacenter-backlash) are being built at neck-breaking speed,
+stealing fresh water and energy from human beings to feed the war
+machine.
+
+The actual job market apocalypse seems to have yet to materialize. But
+for engineers, the market feels tighter than it was a couple years
+ago, and everyone feels on edge that they will just have to learn to
+operate LLMs to keep their jobs.
 
 Which brings us, of course, to Death.
 
@@ -122,36 +122,30 @@ together, remote code execution vulnerabilities in [Nginx](https://depthfirst.co
 ([dirtyfrag](https://github.com/V4bel/dirtyfrag/) and [fragnesia](https://github.com/v12-security/pocs/tree/main/fragnesia#fragnesia)) essentially gave everyone with a
 clue root access to any unpatched server to the web.
 
-Just today, another "0-day" exploit dropped, [ssh-keysign-pwn](https://github.com/0xdeadbeefnetwork/ssh-keysign-pwn),
-which gives read access to any file to a local user on a Linux system,
-compromising TLS and SSH private keys.

(Diff truncated)

diff --git a/blog/2026-05-16-four-horsemen.md b/blog/2026-05-16-four-horsemen.md
index cbb8c084..365fdd12 100644
--- a/blog/2026-05-16-four-horsemen.md
+++ b/blog/2026-05-16-four-horsemen.md
@@ -270,6 +270,8 @@ But I think this is where, ultimately, LLMs bring us. Towards collapse.
 So this is a call to arms. Fight back. Refuse slop, train your
 brain. The horsemen will collapse, but let's not go down with them.
 
+[Butlerian Jihad](https://dune.fandom.com/wiki/Butlerian_Jihad).
+
 > This article was written without the use of a large language model
 > and should not be used to train one.
 

diff --git a/blog/2026-05-16-four-horsemen.md b/blog/2026-05-16-four-horsemen.md
index 0cf23f48..cbb8c084 100644
--- a/blog/2026-05-16-four-horsemen.md
+++ b/blog/2026-05-16-four-horsemen.md
@@ -11,7 +11,7 @@ Apocalypse](https://en.wikipedia.org/wiki/Four_Horsemen_of_the_Apocalypse), as w
 > Appropriate sound track: Metallica's [The Four Horsemen](https://genius.com/Metallica-the-four-horsemen-lyrics),
 > preferably [downloaded from Napster around 2000](https://en.wikipedia.org/wiki/Metallica_v._Napster,_Inc.).
 
-[[!toc]]
+[[!toc levels=2]]
 
 # War: bot armies
 
@@ -44,7 +44,7 @@ But even that, predictably, has failed: bots are, really, agents
 nowadays and run a full web browser, JavaScript included, so a feeble
 cookie is no match for the massive bot armies.
 
-# Side note on LLM "order of battle"
+## Side note on LLM "order of battle"
 
 We often underestimate the size of that army. The cloud is huge. It
 was huge before AI, monopolizing effectively about two thirds of the
@@ -277,4 +277,4 @@ brain. The horsemen will collapse, but let's not go down with them.
 
 
 <!-- posted to the federation on 2026-05-15T17:25:30.545241 -->
-[[!mastodon "https://kolektiva.social/@Anarcat/116580701329940204"]]
\ No newline at end of file
+[[!mastodon "https://kolektiva.social/@Anarcat/116580701329940204"]]

diff --git a/blog/2026-05-16-four-horsemen.md b/blog/2026-05-16-four-horsemen.md
index 6c9ef78c..0cf23f48 100644
--- a/blog/2026-05-16-four-horsemen.md
+++ b/blog/2026-05-16-four-horsemen.md
@@ -11,6 +11,8 @@ Apocalypse](https://en.wikipedia.org/wiki/Four_Horsemen_of_the_Apocalypse), as w
 > Appropriate sound track: Metallica's [The Four Horsemen](https://genius.com/Metallica-the-four-horsemen-lyrics),
 > preferably [downloaded from Napster around 2000](https://en.wikipedia.org/wiki/Metallica_v._Napster,_Inc.).
 
+[[!toc]]
+
 # War: bot armies
 
 Let's start with War. For a long time already, we've been battling bot
@@ -30,7 +32,7 @@ essentially running the largest proxy network of the world.
 
 Out of desperation, we've forced users to fetch and resend a cookie
 when visiting our site, hoping this would tame some bots. The only way
-to get a cookie is to visit a specific page, or run Javascript,
+to get a cookie is to visit a specific page, or run JavaScript,
 essentially running a poor man's Anubis, considering it seems [bots
 have broken Anubis anyways](https://social.anoxinon.de/@Codeberg/115033790447125787) and that it [does not really defend
 against a well-funded attacker](https://lock.cmpxchg8b.com/anubis.html), something which [Pretix warned
@@ -39,9 +41,11 @@ against in 2025 already](https://behind.pretix.eu/2025/05/23/captchas-are-over/)
 (We have a whole [discussion regarding those tools here](https://gitlab.torproject.org/tpo/tpa/team/-/work_items/42229).)
 
 But even that, predictably, has failed: bots are, really, agents
-nowadays and run a full web browser, Javascript included, so a feeble
+nowadays and run a full web browser, JavaScript included, so a feeble
 cookie is no match for the massive bot armies.
 
+# Side note on LLM "order of battle"
+
 We often underestimate the size of that army. The cloud is huge. It
 was huge before AI, monopolizing effectively about two thirds of the
 publicly facing sites in the world. There are large swaths of
@@ -50,8 +54,8 @@ databases that have all moved to the cloud, in shared, but private
 infrastructure that is readily available to anyone who pays.
 
 Now AI has made the problem worse by dramatically expanding the
-capacity of the "cloud". We now have state-sized datacenters (in terms
-of power usage) that dwarf any datacenters that have been built
+capacity of the "cloud". We now have state-sized data centers (in terms
+of power usage) that dwarf any data centers that have been built
 before. They have millions of cores, petabytes of memory, exabytes of
 storage.
 
@@ -84,11 +88,11 @@ to them before August. Dell! In February, [Western Digital's hard
 drive production for 2026 was already sold out](https://www.techspot.com/news/111346-western-digital-hdd-production-capacity-2026-already-sold.html). Hard drives would
 essentially [doubled in price within a year](https://gitlab.torproject.org/tpo/tpa/team/-/work_items/42465), and some have now
 tripled. A server quote we had in November was renewed recently and
-*quadrupled*, going from 10 thousand to *FOURTY* thousand dollars for
+*quadrupled*, going from 10 thousand to *FORTY* thousand dollars for
 a single server.
 
 And that's just us privileged computer engineers. Real folks are
-facing real-life shortages out there, as massive datacenters are
+facing real-life shortages out there, as massive data centers are
 being built at neck-breaking speed, stealing fresh water from actual
 humans to feed the war machine.
 
@@ -181,8 +185,8 @@ understands.
 
 The idea of simply giving up on that understanding and delegating it
 to an unproven model is not only chilling, it feels just plain
-stupid. Not stpud as in "Terminator" stupid, stupid as in "I can't get
-inside the datacenter because the authentication system is
+stupid. Not stupid as in "Terminator" stupid, stupid as in "I can't get
+inside the data center because the authentication system is
 down". Except we're in a "the power plant doesn't reboot" or "their
 LLM found an 0day in our slop" kind of stupid.
 
@@ -235,9 +239,9 @@ the ad scam, the blockchain scam, and now the LLM lie -- they are
 built on. And when they fail, I hope it zips all the way back up to
 the dot com and git me back my internet.
 
-# The TOwer of Babel
+# The Tower of Babel
 
-While I'm off in the woodwords hallucinating (ha) on the Bible, I feel
+While I'm off in the woods hallucinating (ha) on the Bible, I feel
 there's another sign that the apocalypse is coming.
 
 The [Tower of Babel](https://en.wikipedia.org/wiki/Tower_of_Babel) legend says that humans were trying to create
@@ -247,7 +251,7 @@ and scatters the human race.
 This is what is happening to our human translators now. LLMs being,
 after all, Language Models, are of course excellent at translation
 work, up to a point the only sector not replaced by LLMs are
-interpreters, who translate in realtime, over voice. But it's
+interpreters, who translate in real-time, over voice. But it's
 generally felt that this will go away too.
 
 What's happening to translators is what they want to do to all of us,
@@ -266,6 +270,9 @@ But I think this is where, ultimately, LLMs bring us. Towards collapse.
 So this is a call to arms. Fight back. Refuse slop, train your
 brain. The horsemen will collapse, but let's not go down with them.
 
+> This article was written without the use of a large language model
+> and should not be used to train one.
+
 [[!tag draft]]
 
 

diff --git a/blog/2026-05-16-four-horsemen.md b/blog/2026-05-16-four-horsemen.md
index 964c9ca9..6c9ef78c 100644
--- a/blog/2026-05-16-four-horsemen.md
+++ b/blog/2026-05-16-four-horsemen.md
@@ -267,3 +267,7 @@ So this is a call to arms. Fight back. Refuse slop, train your
 brain. The horsemen will collapse, but let's not go down with them.
 
 [[!tag draft]]
+
+
+<!-- posted to the federation on 2026-05-15T17:25:30.545241 -->
+[[!mastodon "https://kolektiva.social/@Anarcat/116580701329940204"]]
\ No newline at end of file

diff --git a/services/meshtastic.md b/services/meshtastic.md
index 27bd7fd4..1b5fb3f0 100644
--- a/services/meshtastic.md
+++ b/services/meshtastic.md
@@ -535,6 +535,14 @@ this is about 5$ each. I could have gotten batteries with the build
 (2$USD) but it makes shipping more complicated and expensive, so I
 went the quicker way.
 
+Update: the batteries were bought from Addison. They're super tight. I
+also got batteries for the Solar Node P1 from Abra, but they didn't
+fit because I needed button-top batteries that I ended up ordering
+from Mastervox.
+
+Update, 2026-04-17: ordered 10 heltec v3 kits to have devices to hook
+up as bots or resell at foulab or for friends.
+
 ## Other devices
 
 The devices listed here have been moved to the [local mesh hardware

diff --git a/blog/2026-05-16-four-horsemen.md b/blog/2026-05-16-four-horsemen.md
index 6662cc6d..964c9ca9 100644
--- a/blog/2026-05-16-four-horsemen.md
+++ b/blog/2026-05-16-four-horsemen.md
@@ -168,12 +168,9 @@ meaning.
 
 I have not been confronted with much slop, apart from the lobster
 Jesus or the yellow man atrocities, and particularly not that much in
-my work. But I see what it is doing to my profession. I suspect the
-deskilling aspect is real. But beyond that, I am truly concern by how
-
-
-TODO: rephrase we are throwing crap at each other.
-
+my work. But I see what it is doing to my profession, and, frankly, I
+don't like it. I don't like vibe-coded software, and don't like what
+it does to our communities, or the fabric of software we live with.
 
 Software does not evolve in a void. It is a community effort,
 regardless of whether or not it is a community-based free software or
@@ -188,3 +185,85 @@ stupid. Not stpud as in "Terminator" stupid, stupid as in "I can't get
 inside the datacenter because the authentication system is
 down". Except we're in a "the power plant doesn't reboot" or "their
 LLM found an 0day in our slop" kind of stupid.
+
+# The fifth horsemen
+
+Researching source for this article, I looked up the four horsemen and
+found out they original seems to have been:
+
+- Famine
+- War
+- Death
+- .. Conquest?
+
+I was surprised. I grew up thinking about the horsemen being Famine,
+War, Pestilence, and Death. So I went back to [my original source](https://genius.com/Metallica-the-four-horsemen-lyrics)
+which actually claims the horsemen are:
+
+```
+Time has taken its toll on you, the lines that crack your face.
+Famine, your body, it has torn through, withered in every place.
+Pestilence for what you've had to endure, and what you have put others through
+Death, deliverance for you, for sure, now there's nothing you can do
+```
+
+So I guess that makes no sense either, which, fair enough, I shouldn't
+rely on Metallica for theological references. Especially since that
+song was originally called [Mechanix](https://en.wikipedia.org/wiki/Mechanix) and "about having sex at a
+gas station".
+
+Anyways.
+
+The point is, there are actually five horsemen, and the fifth one is,
+in my opinion, Conquest.
+
+Those companies (and *not* "AI", mind you) are taking over the
+worlds. There's a strong connection and meaning between the
+"post-truth" world imposed on us by fascists like Trump and
+Putin. It's not an accident. It's a power grab. Just like AirBNB broke
+hosting, Uber destroyed the taxi industry, Amazon taking over hosting
+and retail, LLM companies are essentially trying to take over
+everything.
+
+But OpenAI's and Nvidia's capitalizations are so far beyond reason
+that their inevitable collapse will likely lead to a collapse of
+finance similar or worse to the 2008 crash, or even the biblical 20th
+century ones.
+
+Because they will inevitably fail, like previous bubbles -- the dot com,
+the ad scam, the blockchain scam, and now the LLM lie -- they are
+built on. And when they fail, I hope it zips all the way back up to
+the dot com and git me back my internet.
+
+# The TOwer of Babel
+
+While I'm off in the woodwords hallucinating (ha) on the Bible, I feel
+there's another sign that the apocalypse is coming.
+
+The [Tower of Babel](https://en.wikipedia.org/wiki/Tower_of_Babel) legend says that humans were trying to create
+a big tower up to the sky and become god. God confounds their speech
+and scatters the human race.
+
+This is what is happening to our human translators now. LLMs being,
+after all, Language Models, are of course excellent at translation
+work, up to a point the only sector not replaced by LLMs are
+interpreters, who translate in realtime, over voice. But it's
+generally felt that this will go away too.
+
+What's happening to translators is what they want to do to all of us,
+of course.
+
+But what's more important to understand here is that this concretely
+mean we will lose the human capacity, as a civilization, to translate
+between each other. It is still an [open question](https://revues.imist.ma/index.php/JALCS/article/view/59018) whether the
+remaining revision work for translators will be enough avoid
+deskilling, but other research has shown that LLM use leads to
+[cognitive decline](https://publichealthpolicyjournal.com/mit-study-finds-artificial-intelligence-use-reprograms-the-brain-leading-to-cognitive-decline/), [impacts critical thinking](https://dl.acm.org/doi/full/10.1145/3706598.3713778), and generally,
+that [deskilling is a common outcome](https://publicera.kb.se/ir/article/view/47143).
+
+But I think this is where, ultimately, LLMs bring us. Towards collapse.
+
+So this is a call to arms. Fight back. Refuse slop, train your
+brain. The horsemen will collapse, but let's not go down with them.
+
+[[!tag draft]]

diff --git a/blog/2026-05-16-four-horsemen.md b/blog/2026-05-16-four-horsemen.md
index c0f6b73e..6662cc6d 100644
--- a/blog/2026-05-16-four-horsemen.md
+++ b/blog/2026-05-16-four-horsemen.md
@@ -151,3 +151,40 @@ And this, of course, brings us to the last horseman: Pestilence.
 
 # Pestilence: slop
 
+There is a growing meme that programming is essentially over as we
+know it. That you can simply vibe-code applications from scratch and
+it's pretty good.
+
+Maybe that is true. Most of my attempts at resolving any complex
+problem with a LLM have often been faced with bizarre failures. [Some
+worked surprisingly well.](https://gitlab.com/anarcat/scripts/-/blob/main/transmodify.py?ref_type=heads)
+
+I personally don't believe LLMs will ever be good enough to produce
+and maintain software at scale. They're surprisingly good at finding
+security flaws right now. But what I see is also a lot of
+[Bullshit](https://en.wikipedia.org/wiki/Bullshit), with capital B. It's not lying, it does not "know"
+anything. It's misleadingly cohesive and meaningful, but it lacks
+meaning.
+
+I have not been confronted with much slop, apart from the lobster
+Jesus or the yellow man atrocities, and particularly not that much in
+my work. But I see what it is doing to my profession. I suspect the
+deskilling aspect is real. But beyond that, I am truly concern by how
+
+
+TODO: rephrase we are throwing crap at each other.
+
+
+Software does not evolve in a void. It is a community effort,
+regardless of whether or not it is a community-based free software or
+corporate product. Generations of humans have carefully built the
+scaffolding of technology required for modern networks and software to
+operate, in a convoluted contraption that no single human currently
+understands. 
+
+The idea of simply giving up on that understanding and delegating it
+to an unproven model is not only chilling, it feels just plain
+stupid. Not stpud as in "Terminator" stupid, stupid as in "I can't get
+inside the datacenter because the authentication system is
+down". Except we're in a "the power plant doesn't reboot" or "their
+LLM found an 0day in our slop" kind of stupid.

diff --git a/blog/2026-05-16-four-horsemen.md b/blog/2026-05-16-four-horsemen.md
new file mode 100644
index 00000000..c0f6b73e
--- /dev/null
+++ b/blog/2026-05-16-four-horsemen.md
@@ -0,0 +1,153 @@
+[[!meta title="The Four Horsemen of the LLM Apocalypse"]]
+
+I have been battling Large Language Models (LLM, a term I prefer to
+the pretentious Artificial Intelligence term which they definitely
+aren't) for the past couple of weeks and have struggled to think about
+what it means and how to deal with its fallout.
+
+I've come to articulate this in terms of the [Four Horsemen of the
+Apocalypse](https://en.wikipedia.org/wiki/Four_Horsemen_of_the_Apocalypse), as we've come under attack from many fronts.
+
+> Appropriate sound track: Metallica's [The Four Horsemen](https://genius.com/Metallica-the-four-horsemen-lyrics),
+> preferably [downloaded from Napster around 2000](https://en.wikipedia.org/wiki/Metallica_v._Napster,_Inc.).
+
+# War: bot armies
+
+Let's start with War. For a long time already, we've been battling bot
+armies crawling our servers, mostly GitLab, where bots indiscriminately
+and stupidly crawl virtually infinite endpoints to list directories,
+read files, go back in history and run `diff` or `blame` on large
+repositories. This includes our fork of Firefox, Tor Browser, a
+massive repository.
+
+At first, we've tried various methods: [robots.txt](https://www.robotstxt.org/), blocking user
+agents, and finally blocking entire misbehaving networks. Like many
+others attempting to fend off the armies of War, it worked for a
+while. But now they're back with a vengeance. Blocking entire networks
+doesn't work: they come back some other way, typically through [shady
+proxy networks](https://acid.vegas/blog/the-shady-world-of-ip-leasing/), which is kind of ironic considering we're
+essentially running the largest proxy network of the world.
+
+Out of desperation, we've forced users to fetch and resend a cookie
+when visiting our site, hoping this would tame some bots. The only way
+to get a cookie is to visit a specific page, or run Javascript,
+essentially running a poor man's Anubis, considering it seems [bots
+have broken Anubis anyways](https://social.anoxinon.de/@Codeberg/115033790447125787) and that it [does not really defend
+against a well-funded attacker](https://lock.cmpxchg8b.com/anubis.html), something which [Pretix warned
+against in 2025 already](https://behind.pretix.eu/2025/05/23/captchas-are-over/). 
+
+(We have a whole [discussion regarding those tools here](https://gitlab.torproject.org/tpo/tpa/team/-/work_items/42229).)
+
+But even that, predictably, has failed: bots are, really, agents
+nowadays and run a full web browser, Javascript included, so a feeble
+cookie is no match for the massive bot armies.
+
+We often underestimate the size of that army. The cloud is huge. It
+was huge before AI, monopolizing effectively about two thirds of the
+publicly facing sites in the world. There are large swaths of
+processing power that are not in there like government and corporate
+databases that have all moved to the cloud, in shared, but private
+infrastructure that is readily available to anyone who pays.
+
+Now AI has made the problem worse by dramatically expanding the
+capacity of the "cloud". We now have state-sized datacenters (in terms
+of power usage) that dwarf any datacenters that have been built
+before. They have millions of cores, petabytes of memory, exabytes of
+storage.
+
+I think of how impressed I was to hear domestic 25 gigabit/s internet
+connection in US municipal networks or Switzerland. That is nothing.
+
+Those companies can launch thousands, if not millions of fully
+functional web browsers our way. We have worked for years at this
+point to automate web browsers for unit testing web apps, now they're
+being abused for crawling. Computing resources is not an
+issue. Bandwidth is not an issue.
+
+Our contents are hosted on retrograde, old school, single point of
+failure, single (or even multiple) VMs that can't deal with that kind
+of load. Anything but hyperscalers can deal with this kind of load,
+and I suspect, even them are having troubles of their own.
+
+This is the largest scale attack on the internet since the Morris worm
+but, contrary to that worm, they're not going to jail. They're
+celebrated as innovators and will soon be too big to fail.
+
+Which brings us to the second horsemen, famine.
+
+# Famine: shortages
+
+All that computing power doesn't come out of thin air: it needs
+hardware, and a *lot* of it. Earlier this year, I've heard from a
+colleague that their Dell supplier refused to even provide a *quote*
+to them before August. Dell! In February, [Western Digital's hard
+drive production for 2026 was already sold out](https://www.techspot.com/news/111346-western-digital-hdd-production-capacity-2026-already-sold.html). Hard drives would
+essentially [doubled in price within a year](https://gitlab.torproject.org/tpo/tpa/team/-/work_items/42465), and some have now
+tripled. A server quote we had in November was renewed recently and
+*quadrupled*, going from 10 thousand to *FOURTY* thousand dollars for
+a single server.
+
+And that's just us privileged computer engineers. Real folks are
+facing real-life shortages out there, as massive datacenters are
+being built at neck-breaking speed, stealing fresh water from actual
+humans to feed the war machine.
+
+The actual job market apocalypse hasn't quite reached us just yet: it
+seems there are *some* job losses, but nothing quite apocalyptic as
+one would have expected so far. But I wouldn't be surprised if the job
+market goes south, especially for white collar jobs. For engineers,
+the trend has certainly been reversing for a while, something that
+Google and other large corporations have been working hard on for
+years, trying to train new engineers to flood the market with
+initiatives like "summer of code" and so on.
+
+Which brings us, of course, to Death.
+
+# Death: security and copyright
+
+Our third horseman is one I did *not* expect a couple of months
+ago. Back at FOSDEM, `curl`'s maintainer Daniel Stenberg famously
+[complained about the poor quality of LLM-generated reports](https://lwn.net/Articles/1058266/) but
+then, a few months later, everyone is [scrambling to deal with floods
+of good reports](https://lwn.net/Articles/1066581/).
+
+In the past two weeks, this culminated in a significant number of
+highly critical security issues across multiple projects. Chained
+together, remote code execution vulnerabilities in [Nginx](https://depthfirst.com/nginx-rift) and
+[Apache](https://www.cve.org/CVERecord?id=CVE-2026-23918) and *two* local privilege escalations in the Linux kernel
+([dirtyfrag](https://github.com/V4bel/dirtyfrag/) and [fragnesia](https://github.com/v12-security/pocs/tree/main/fragnesia#fragnesia)) essentially gave everyone with a
+clue root access to any unpatched server to the web.
+
+Just today, another "0-day" exploit dropped, [ssh-keysign-pwn](https://github.com/0xdeadbeefnetwork/ssh-keysign-pwn),
+which gives read access to any file to a local user on a Linux system,
+compromising TLS and SSH private keys.
+
+All those were released without any significant coordination while
+people scrambled to find mitigations. For the latter, there's
+currently no known mitigation.
+
+Many ([including Linus Torvalds](https://lwn.net/Articles/1072007/#Comments)) are now considering such issues
+to be a matter of immediate, public disclosure which puts [some old
+debates about disclosure processes](https://lwn.net/Articles/1071499/) in perspective, to say the
+least.
+
+I would certainly worry about sandboxing if I would be running agents
+locally (which I most certainly am not), by the way.
+
+But this is not merely the death of traditional coordinated disclosure
+process, the C programming language, the Linux kernel.
+
+Keep in mind those bots were (and are still) trained on a large corpus
+of copyrighted material. Facebook has [trained their models on pirated
+books](https://www.theguardian.com/technology/2025/jan/10/mark-zuckerberg-meta-books-ai-models-sarah-silverman) and [Nvidia has done deals with Anna's Archive](https://torrentfreak.com/nvidia-contacted-annas-archive-to-secure-access-to-millions-of-pirated-books/) to secure
+access to large swaths of copyrighted material. The [US Congress seems
+to think LLM outputs are not copyrightable](https://www.congress.gov/crs-product/LSB10922), like any other machine
+outputs. 
+
+With many people now vibe coding their way out of learning or
+remembering how computers work, is this the Death of Copyright?
+
+And this, of course, brings us to the last horseman: Pestilence.
+
+# Pestilence: slop
+

diff --git a/services/radio.mdwn b/services/radio.mdwn
index 509711e4..9ebc7025 100644
--- a/services/radio.mdwn
+++ b/services/radio.mdwn
@@ -267,7 +267,7 @@ face.
 
 It looks like that when streaming:
 
-[[!img snap-20260513T165553.png]]
+<a href="snap-20260513T165553.png"><img src="snap-20260513T165553.png" /></a>
 
 A good way to test streaming is, with ffmpeg:
 

diff --git a/services/radio/snap-20260513T165553.png b/services/radio/snap-20260513T165553.png
deleted file mode 120000
index 7af2f99f..00000000
--- a/services/radio/snap-20260513T165553.png
+++ /dev/null
@@ -1 +0,0 @@
-../../.git/annex/objects/Gx/Fz/SHA256E-s5212768--5dd9531699593f162a644136ca8d7e343587be08b3552d264308cf987c3548df.png/SHA256E-s5212768--5dd9531699593f162a644136ca8d7e343587be08b3552d264308cf987c3548df.png
\ No newline at end of file
diff --git a/services/radio/snap-20260513T165553.png b/services/radio/snap-20260513T165553.png
new file mode 100644
index 00000000..b88e355a
--- /dev/null
+++ b/services/radio/snap-20260513T165553.png
@@ -0,0 +1 @@
+/annex/objects/SHA256E-s5212768--5dd9531699593f162a644136ca8d7e343587be08b3552d264308cf987c3548df.png

diff --git a/services/radio.mdwn b/services/radio.mdwn
index 1f639c82..509711e4 100644
--- a/services/radio.mdwn
+++ b/services/radio.mdwn
@@ -237,7 +237,8 @@ for example:
 
     rtmp://peertube.wtf:1935/live
 
-The "Live stream key" from Peertube should be added as the "Stream key".
+The "Live stream key" from Peertube should be added as the "Stream
+key". I also set the Peertube stream to be "low latency".
 
 Then in "Audio", I disable the "desktop source" so that I have better
 control over the inputs (in order to avoid loops, for example, if I

diff --git a/services/radio.mdwn b/services/radio.mdwn
index 83c201a6..1f639c82 100644
--- a/services/radio.mdwn
+++ b/services/radio.mdwn
@@ -224,6 +224,61 @@ Fixed issues:
 I have also filed a [WNPP bug](https://bugs.debian.org/926457) so the thing is (eventually)
 packaged in Debian.
 
+# OBS
+
+I tried OBS studio to stream audio from my laptop, to Peertube and
+friends.
+
+It works!
+
+The key must be input into the "stream" settings each time. The trick
+is to create a "custom" source and add the Peertube URL as the server,
+for example:
+
+    rtmp://peertube.wtf:1935/live
+
+The "Live stream key" from Peertube should be added as the "Stream key".
+
+Then in "Audio", I disable the "desktop source" so that I have better
+control over the inputs (in order to avoid loops, for example, if I
+listen to some other stream, or leaks for example if i listen to
+voicemail), but keep the "Mic/Auxiliary audio" as is.
+
+Then everything happens in "scenes" which are basically audio/visual
+transitions between different contexts. In the basic scene, we add a
+"Jack Input Client", into which we'll plug in our audio player. 
+
+This is more brittle than the default "desktop audio" setting, because
+the Jack input can easily get disconnected. The "JACK" output plugin
+in Audacious has a setting to pick the output port and that can be set
+to `OBS.*in_.*`. The problem with that is then you don't hear the
+audio yourself! But this can be fixed by patching that less important
+output by hand in `qjackctl` or `qpwgraph`.
+
+The final touch is to connect the second `capture_AUX1` ports into the
+OBS Mic/Aux input, because otherwise input is mono on a single channel
+
+I also add a background image, which I "Transform > Fit to screen".
+
+I configured a bunch of scenes like this with various track fallbacks
+and images, and even one with a webcam to scream, sorry stream my
+face.
+
+It looks like that when streaming:
+
+[[!img snap-20260513T165553.png]]
+
+A good way to test streaming is, with ffmpeg:
+
+    MOVIE=clip.mp4
+    KEY="REDACTED"
+    HOST="rtmp://peertube.wtf:1935/live/${KEY}"
+    ffmpeg -re -i "${MOVIE}" -vcodec copy -loop -1 -c:a aac -b:a 160k -ar 44100 -strict -2 -f flv ${HOST}
+
+The problem with using "just" ffmpeg is that it only streams a local
+file. What we want is open a JACK port and stream that. Ideally
+streaming the album covers as well, which is currently done manually.
+
 Old design
 ==========
 
@@ -240,6 +295,12 @@ réguliers (à chaque 15 chansons).
 
 Les détails de la configuration technique sont ci-bas.
 
+Update: I tried again liquidsoap on 2026-05-13 and was able to stream
+to RTMP AKA Peertube and friends. Unfortunately, the `input.jack`
+input was dropping samples so the resulting stream was spotty. Worse,
+it was either always on, or always off, so it didn't work to use it as
+a fallback.
+
 <a href="radio-design.svg"><img src="radio-design.png" /></a>
 
 Liquidsoap configuration
diff --git a/services/radio/.gitignore b/services/radio/.gitignore
new file mode 100644
index 00000000..c262b7bb
--- /dev/null
+++ b/services/radio/.gitignore
@@ -0,0 +1 @@
+passwords.liq.inc
diff --git a/services/radio/basic.liq b/services/radio/basic.liq
new file mode 100755
index 00000000..5f9c0ca8
--- /dev/null
+++ b/services/radio/basic.liq
@@ -0,0 +1,13 @@
+#!/usr/bin/liquidsoap
+
+#favorites = playlist.safe(reload_mode="watch", '~/Music/playlists/Favoris.m3u')
+#radio = rotate(weights = [5, 30, 1], [favorites, shuffle, jingles])
+emergency = single("/home/anarcat/src/puppet/site-modules/profile/files/icecast2/fallback-jingle.mp3")
+jack = input.jack(id="liquidsoap", fallible=true)
+# this fallback does nothing, as jack always succeeds, even if fully disconnected, and even with failible
+radio = fallback(track_sensitive=false, [jack, emergency])
+
+%include "passwords.liq.inc"
+
+# http.transport.secure_transport doesn't work in debian, seems like it's not compield with libssl or ocaml-tls
+output.icecast(%mp3, host="localhost",  port=8000, password="#{password}", mount="radio.mp3", radio)
diff --git a/services/radio/fallback-jingle.mp3 b/services/radio/fallback-jingle.mp3
new file mode 100644
index 00000000..3f184a4b
--- /dev/null
+++ b/services/radio/fallback-jingle.mp3
@@ -0,0 +1 @@
+/annex/objects/SHA256E-s994930--5078f0e7b15b554b3dfd0efd1712309d4ee029cb9bd3f229afd5a2ca966e2d60.mp3
diff --git a/services/radio/fallback-jingle.ogg b/services/radio/fallback-jingle.ogg
new file mode 100644
index 00000000..4544e035
--- /dev/null
+++ b/services/radio/fallback-jingle.ogg
@@ -0,0 +1 @@
+/annex/objects/SHA256E-s867943--a725f65316b40106c01333e4a2de583fe8aa4870ec72f28c62d9ffdca149346f.ogg
diff --git a/services/radio/ffmpeg-shared-encoding.liq b/services/radio/ffmpeg-shared-encoding.liq
new file mode 100644
index 00000000..9cad6da4
--- /dev/null
+++ b/services/radio/ffmpeg-shared-encoding.liq
@@ -0,0 +1,28 @@
+# An audio source...
+audio = sine()
+
+# Encode it in mp3
+audio = ffmpeg.encode.audio(%ffmpeg(%audio(codec = "libmp3lame")), audio)
+
+# A video source, for instance a static image
+video = single("/home/anarcat/folipon.jpg")
+
+# Encode it in h264 format
+video = ffmpeg.encode.video(%ffmpeg(%video(codec = "libx264")), video)
+
+# Mux it with the audio
+stream = source.mux.video(video=video, audio)
+
+# Copy encoder for the rtmp stream
+enc = %ffmpeg(format = "flv", %audio.copy, %video.copy)
+
+%include "passwords.liq.inc"
+
+# above should include
+# key = "..."
+url = "rtmp://peertube.wtf:1935/live/#{key}"
+output.url(self_sync=true, url=url, enc, stream)
+
+# Send to YouTube
+#url = "rtmp://a.rtmp.youtube.com/live2/#{key}"
+#output.url(url=url, enc, stream)
diff --git a/services/radio/rtmp.liq b/services/radio/rtmp.liq
new file mode 100644
index 00000000..cf3d02ca
--- /dev/null
+++ b/services/radio/rtmp.liq
@@ -0,0 +1,27 @@
+# A video source: static image
+image = single("/home/anarcat/folipon.jpg")
+
+cam = input.v4l2()
+
+# Encode it in h264 format
+video = ffmpeg.encode.video(%ffmpeg(%video(codec = "libx264")), fallback([cam, image]))
+
+emergency = single("/home/anarcat/src/puppet/site-modules/profile/files/icecast2/fallback-jingle.mp3")
+
+jack = input.jack(id="liquidsoap", fallible=true, start=false)
+
+radio = fallback(track_sensitive=false, [jack, emergency])
+
+audio = ffmpeg.encode.audio(%ffmpeg(%audio(codec = "libmp3lame")), radio)
+
+stream = source.mux.video(video=video, audio)
+
+# Copy encoder for the rtmp stream
+enc = %ffmpeg(format = "flv", %audio.copy, %video.copy)
+
+%include "passwords.liq.inc"
+
+# above should include
+# key = "..."
+url = "rtmp://peertube.wtf:1935/live/#{key}"
+output.url(self_sync=true, url=url, enc, stream)
diff --git a/services/radio/snap-20260513T165553.png b/services/radio/snap-20260513T165553.png
new file mode 120000
index 00000000..7af2f99f
--- /dev/null
+++ b/services/radio/snap-20260513T165553.png
@@ -0,0 +1 @@
+../../.git/annex/objects/Gx/Fz/SHA256E-s5212768--5dd9531699593f162a644136ca8d7e343587be08b3552d264308cf987c3548df.png/SHA256E-s5212768--5dd9531699593f162a644136ca8d7e343587be08b3552d264308cf987c3548df.png
\ No newline at end of file

diff --git a/blog/files/20101213.17.00-18.00.mp3 b/blog/files/20101213.17.00-18.00.mp3
deleted file mode 120000
index 48e331e9..00000000
--- a/blog/files/20101213.17.00-18.00.mp3
+++ /dev/null
@@ -1 +0,0 @@
-../../.git/annex/objects/69/8J/SHA256E-s28799104--4a95618e9fe1dcc1934f6a2219d5775c2806278248696ec26cd39c45a66d168a.00.mp3/SHA256E-s28799104--4a95618e9fe1dcc1934f6a2219d5775c2806278248696ec26cd39c45a66d168a.00.mp3
\ No newline at end of file
diff --git a/blog/files/20101213.17.00-18.00.mp3 b/blog/files/20101213.17.00-18.00.mp3
new file mode 100644
index 00000000..b0133c19
--- /dev/null
+++ b/blog/files/20101213.17.00-18.00.mp3
@@ -0,0 +1 @@
+/annex/objects/SHA256E-s28799104--4a95618e9fe1dcc1934f6a2219d5775c2806278248696ec26cd39c45a66d168a.00.mp3
diff --git a/blog/files/4032-1-report.mp3 b/blog/files/4032-1-report.mp3
deleted file mode 120000
index 706d4d31..00000000
--- a/blog/files/4032-1-report.mp3
+++ /dev/null
@@ -1 +0,0 @@
-../../.git/annex/objects/Vv/gk/SHA256E-s30073681--a3d21404046f96a333d2df643920362bc81f4ba03a33e00af9d48bd173bcc197.mp3/SHA256E-s30073681--a3d21404046f96a333d2df643920362bc81f4ba03a33e00af9d48bd173bcc197.mp3
\ No newline at end of file
diff --git a/blog/files/4032-1-report.mp3 b/blog/files/4032-1-report.mp3
new file mode 100644
index 00000000..9c236a2f
--- /dev/null
+++ b/blog/files/4032-1-report.mp3
@@ -0,0 +1 @@
+/annex/objects/SHA256E-s30073681--a3d21404046f96a333d2df643920362bc81f4ba03a33e00af9d48bd173bcc197.mp3
diff --git a/blog/files/desautels201103091732_2.spx b/blog/files/desautels201103091732_2.spx
deleted file mode 120000
index 2156b806..00000000
--- a/blog/files/desautels201103091732_2.spx
+++ /dev/null
@@ -1 +0,0 @@
-../../.git/annex/objects/WJ/5q/SHA256E-s1945971--1c8edbe0448a3ae36a2964b916b44aa105466f35061a3837656cbcf2693c856c.spx/SHA256E-s1945971--1c8edbe0448a3ae36a2964b916b44aa105466f35061a3837656cbcf2693c856c.spx
\ No newline at end of file
diff --git a/blog/files/desautels201103091732_2.spx b/blog/files/desautels201103091732_2.spx
new file mode 100644
index 00000000..e908def5
--- /dev/null
+++ b/blog/files/desautels201103091732_2.spx
@@ -0,0 +1 @@
+/annex/objects/SHA256E-s1945971--1c8edbe0448a3ae36a2964b916b44aa105466f35061a3837656cbcf2693c856c.spx
diff --git a/blog/files/images/2000px-iss027e036656-commented-20110608.svg_.png b/blog/files/images/2000px-iss027e036656-commented-20110608.svg_.png
deleted file mode 120000
index e050c461..00000000
--- a/blog/files/images/2000px-iss027e036656-commented-20110608.svg_.png
+++ /dev/null
@@ -1 +0,0 @@
-../../../.git/annex/objects/gm/6m/SHA256E-s3263545--1e006a069d239975b01aa08ed5e41056dbbbf882402316064a88b7ad516857a5.svg.png/SHA256E-s3263545--1e006a069d239975b01aa08ed5e41056dbbbf882402316064a88b7ad516857a5.svg.png
\ No newline at end of file
diff --git a/blog/files/images/2000px-iss027e036656-commented-20110608.svg_.png b/blog/files/images/2000px-iss027e036656-commented-20110608.svg_.png
new file mode 100644
index 00000000..77cfde86
--- /dev/null
+++ b/blog/files/images/2000px-iss027e036656-commented-20110608.svg_.png
@@ -0,0 +1 @@
+/annex/objects/SHA256E-s3263545--1e006a069d239975b01aa08ed5e41056dbbbf882402316064a88b7ad516857a5.svg.png
diff --git a/blog/files/montrealdaybreak_20110307_46292.mp3 b/blog/files/montrealdaybreak_20110307_46292.mp3
deleted file mode 120000
index 6b0e5472..00000000
--- a/blog/files/montrealdaybreak_20110307_46292.mp3
+++ /dev/null
@@ -1 +0,0 @@
-../../.git/annex/objects/z6/v1/SHA256E-s10857247--244505f759423c33a569c3fe1f4cfecad4f12c978b4828beea46872bcafab9c4.mp3/SHA256E-s10857247--244505f759423c33a569c3fe1f4cfecad4f12c978b4828beea46872bcafab9c4.mp3
\ No newline at end of file
diff --git a/blog/files/montrealdaybreak_20110307_46292.mp3 b/blog/files/montrealdaybreak_20110307_46292.mp3
new file mode 100755
index 00000000..2237d6b7
--- /dev/null
+++ b/blog/files/montrealdaybreak_20110307_46292.mp3
@@ -0,0 +1 @@
+/annex/objects/SHA256E-s10857247--244505f759423c33a569c3fe1f4cfecad4f12c978b4828beea46872bcafab9c4.mp3
diff --git a/services/radio/Fallback-fr.wav b/services/radio/Fallback-fr.wav
deleted file mode 120000
index cc955395..00000000
--- a/services/radio/Fallback-fr.wav
+++ /dev/null
@@ -1 +0,0 @@
-../../.git/annex/objects/Pf/04/SHA256E-s993176--11f92945e410c0c3dd7d7d32db3023366f071a1fbacc02ece63883d9e7a880ee.wav/SHA256E-s993176--11f92945e410c0c3dd7d7d32db3023366f071a1fbacc02ece63883d9e7a880ee.wav
\ No newline at end of file
diff --git a/services/radio/Fallback-fr.wav b/services/radio/Fallback-fr.wav
new file mode 100644
index 00000000..a1f7a672
--- /dev/null
+++ b/services/radio/Fallback-fr.wav
@@ -0,0 +1 @@
+/annex/objects/SHA256E-s993176--11f92945e410c0c3dd7d7d32db3023366f071a1fbacc02ece63883d9e7a880ee.wav
diff --git a/services/radio/Fallback.wav b/services/radio/Fallback.wav
deleted file mode 120000
index 0dad6928..00000000
--- a/services/radio/Fallback.wav
+++ /dev/null
@@ -1 +0,0 @@
-../../.git/annex/objects/JV/6J/SHA256E-s1058444--22c95ad2817bfa4c99d438701ceeadaee5e968fe46023e01263431fea27074b4.wav/SHA256E-s1058444--22c95ad2817bfa4c99d438701ceeadaee5e968fe46023e01263431fea27074b4.wav
\ No newline at end of file
diff --git a/services/radio/Fallback.wav b/services/radio/Fallback.wav
new file mode 100644
index 00000000..60c7bf77
--- /dev/null
+++ b/services/radio/Fallback.wav
@@ -0,0 +1 @@
+/annex/objects/SHA256E-s1058444--22c95ad2817bfa4c99d438701ceeadaee5e968fe46023e01263431fea27074b4.wav
diff --git a/services/radio/fallback-merge.aup b/services/radio/fallback-merge.aup
deleted file mode 120000
index 2efa80d5..00000000
--- a/services/radio/fallback-merge.aup
+++ /dev/null
@@ -1 +0,0 @@
-../../.git/annex/objects/8X/J3/SHA256E-s9607--97f59b31904386498ab1c48729b1d7953909dd96440b27a09da3cf2751fdfa8d.aup/SHA256E-s9607--97f59b31904386498ab1c48729b1d7953909dd96440b27a09da3cf2751fdfa8d.aup
\ No newline at end of file
diff --git a/services/radio/fallback-merge.aup b/services/radio/fallback-merge.aup
new file mode 100644
index 00000000..ce34f71f
--- /dev/null
+++ b/services/radio/fallback-merge.aup
@@ -0,0 +1 @@
+/annex/objects/SHA256E-s9607--97f59b31904386498ab1c48729b1d7953909dd96440b27a09da3cf2751fdfa8d.aup
diff --git a/services/radio/fallback-merge.ogg b/services/radio/fallback-merge.ogg
deleted file mode 120000
index 7ccf53ef..00000000
--- a/services/radio/fallback-merge.ogg
+++ /dev/null
@@ -1 +0,0 @@
-../../.git/annex/objects/66/GJ/SHA256E-s867943--a725f65316b40106c01333e4a2de583fe8aa4870ec72f28c62d9ffdca149346f.ogg/SHA256E-s867943--a725f65316b40106c01333e4a2de583fe8aa4870ec72f28c62d9ffdca149346f.ogg
\ No newline at end of file
diff --git a/services/radio/fallback-merge.ogg b/services/radio/fallback-merge.ogg
new file mode 100644
index 00000000..4544e035
--- /dev/null
+++ b/services/radio/fallback-merge.ogg
@@ -0,0 +1 @@
+/annex/objects/SHA256E-s867943--a725f65316b40106c01333e4a2de583fe8aa4870ec72f28c62d9ffdca149346f.ogg
diff --git a/services/radio/fallback-merge.wav b/services/radio/fallback-merge.wav
deleted file mode 120000
index 36977c46..00000000
--- a/services/radio/fallback-merge.wav
+++ /dev/null
@@ -1 +0,0 @@
-../../.git/annex/objects/Q5/Mx/SHA256E-s10958380--1a7e8e70ab36fe5ced535cfd4b29a14ac5f8bc63d94978da26a848e2448f60f0.wav/SHA256E-s10958380--1a7e8e70ab36fe5ced535cfd4b29a14ac5f8bc63d94978da26a848e2448f60f0.wav
\ No newline at end of file
diff --git a/services/radio/fallback-merge.wav b/services/radio/fallback-merge.wav
new file mode 100644
index 00000000..842944e2
--- /dev/null
+++ b/services/radio/fallback-merge.wav
@@ -0,0 +1 @@
+/annex/objects/SHA256E-s10958380--1a7e8e70ab36fe5ced535cfd4b29a14ac5f8bc63d94978da26a848e2448f60f0.wav
diff --git a/services/radio/fallback-merge_data/e00/d00/e0000009.au b/services/radio/fallback-merge_data/e00/d00/e0000009.au
deleted file mode 120000
index 29d2683f..00000000
--- a/services/radio/fallback-merge_data/e00/d00/e0000009.au
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../.git/annex/objects/6z/2P/SHA256E-s1060956--59d83f3aea64713056d27ebb2ecd95e814370a838757dbeae87e57d958c927ea.au/SHA256E-s1060956--59d83f3aea64713056d27ebb2ecd95e814370a838757dbeae87e57d958c927ea.au
\ No newline at end of file
diff --git a/services/radio/fallback-merge_data/e00/d00/e0000009.au b/services/radio/fallback-merge_data/e00/d00/e0000009.au
new file mode 100644
index 00000000..119d6775
--- /dev/null
+++ b/services/radio/fallback-merge_data/e00/d00/e0000009.au
@@ -0,0 +1 @@
+/annex/objects/SHA256E-s1060956--59d83f3aea64713056d27ebb2ecd95e814370a838757dbeae87e57d958c927ea.au
diff --git a/services/radio/fallback-merge_data/e00/d00/e000005c.au b/services/radio/fallback-merge_data/e00/d00/e000005c.au
deleted file mode 120000
index 2bfc607d..00000000
--- a/services/radio/fallback-merge_data/e00/d00/e000005c.au
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../.git/annex/objects/vz/XK/SHA256E-s530500--cb45f323ccf46e29608d1e1e888e569e2249fde3188bf49669781715c0db7739.au/SHA256E-s530500--cb45f323ccf46e29608d1e1e888e569e2249fde3188bf49669781715c0db7739.au
\ No newline at end of file
diff --git a/services/radio/fallback-merge_data/e00/d00/e000005c.au b/services/radio/fallback-merge_data/e00/d00/e000005c.au
new file mode 100644
index 00000000..1903b6f7
--- /dev/null
+++ b/services/radio/fallback-merge_data/e00/d00/e000005c.au
@@ -0,0 +1 @@
+/annex/objects/SHA256E-s530500--cb45f323ccf46e29608d1e1e888e569e2249fde3188bf49669781715c0db7739.au
diff --git a/services/radio/fallback-merge_data/e00/d00/e00000c7.au b/services/radio/fallback-merge_data/e00/d00/e00000c7.au
deleted file mode 120000
index c0ee0c01..00000000
--- a/services/radio/fallback-merge_data/e00/d00/e00000c7.au
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../.git/annex/objects/69/xF/SHA256E-s1060956--b467664e20de077b5d45239ac2684c978f15189111c955fa85790f28c6887fcd.au/SHA256E-s1060956--b467664e20de077b5d45239ac2684c978f15189111c955fa85790f28c6887fcd.au
\ No newline at end of file
diff --git a/services/radio/fallback-merge_data/e00/d00/e00000c7.au b/services/radio/fallback-merge_data/e00/d00/e00000c7.au
new file mode 100644
index 00000000..2843f8b1
--- /dev/null
+++ b/services/radio/fallback-merge_data/e00/d00/e00000c7.au
@@ -0,0 +1 @@
+/annex/objects/SHA256E-s1060956--b467664e20de077b5d45239ac2684c978f15189111c955fa85790f28c6887fcd.au
diff --git a/services/radio/fallback-merge_data/e00/d00/e00002a6.au b/services/radio/fallback-merge_data/e00/d00/e00002a6.au
deleted file mode 120000
index 9804232c..00000000
--- a/services/radio/fallback-merge_data/e00/d00/e00002a6.au
+++ /dev/null

(Diff truncated)

diff --git a/hardware/radio.mdwn b/hardware/radio.mdwn
index 2ce14dbf..5f0aa471 100644
--- a/hardware/radio.mdwn
+++ b/hardware/radio.mdwn
@@ -259,6 +259,7 @@ resources. Si vous cherchez un guide d'étude, [ces flash cards](https://hamstud
 semblent très bien.
 
 * Manuals, courses
+  * [CLARES](https://www.clares.ca/en) - excellent course, videos
   * [Good overview](http://www.visi.com/~tneu/whatsham.html)
   * [Emergencyradio.ca online course](http://www.emergencyradio.ca/course/)
   * [tech manual](http://kb6nu.com/tech-manual/)

diff --git a/software/zfs.md b/software/zfs.md
index ed2e762e..2be20085 100644
--- a/software/zfs.md
+++ b/software/zfs.md
@@ -180,7 +180,7 @@ other drives. But as far as disk size and ratio calculation goes, it
 As a rule of thumb, a RAIDZ1 (so 1 spare), it's essentially like
 RAID-5.
 
-The most important thingto know about RAID-Z is that the layout can't
+The most important thing to know about RAID-Z is that the layout can't
 be changed after the pool creation. If you have 3 drives in your
 RAIDZ1 pool, you're stuck with 3 drives until you rebuild the pool
 (although you *can* add spares). Arrays *can* be grown in *size* by

diff --git a/software/desktop/wayland.md b/software/desktop/wayland.md
index e9b94a1a..0325e094 100644
--- a/software/desktop/wayland.md
+++ b/software/desktop/wayland.md
@@ -930,6 +930,10 @@ In the end, I am just using `swayidle` with a configuration based on
 Interestingly, damjan also has a [service for swaylock][] itself,
 although it's not clear to me what its purpose is...
 
+There's also now a [wayland-pipewire-idle-inhibit](https://github.com/rafaelrc7/wayland-pipewire-idle-inhibit) package that
+will keep screenlock from starting whem audio is playing, although I'm
+not sure I want that.
+
 [swayidle]: https://github.com/swaywm/swayidle
 [swaylock]: https://github.com/swaywm/swaylock
 [unlikely to be implemented upstream]: https://github.com/swaywm/sway/issues/2254

diff --git a/.well-known/openpgpkey/Makefile b/.well-known/openpgpkey/Makefile
index 63f4c577..60848bf5 100644
--- a/.well-known/openpgpkey/Makefile
+++ b/.well-known/openpgpkey/Makefile
@@ -24,9 +24,6 @@ hu:
 	; fi
 
 upload:
-	gpg --keyserver keyring.debian.org --send-keys $(FINGERPRINT)
-	gpg --keyserver pgpkeys.eu --send-keys $(FINGERPRINT)
-	gpg --keyserver keys.openpgp.org --send-keys $(FINGERPRINT)
 	@echo "Not covered:"
 	@echo "# GitLab and GitHub accounts"
 	@echo
@@ -41,7 +38,12 @@ upload:
 	@echo "last test with plain 'python-gitlab' CLI failed though"
 	@echo
 	gpg --export --export-options export-minimal -a $(FINGERPRINT) | wl-copy
-	@echo "key copied to clipboard"
+	@echo "key copied to clipboard, go paste it above"
+	@echo
+	@echo "uploading to keyservers..."
+	gpg --keyserver keyring.debian.org --send-keys $(FINGERPRINT)
+	gpg --keyserver pgpkeys.eu --send-keys $(FINGERPRINT)
+	gpg --keyserver keys.openpgp.org --send-keys $(FINGERPRINT)
 
 renew:
 	gpg --quick-set-expire $(FINGERPRINT) $(NEXT_EXPIRE)

diff --git a/.well-known/openpgpkey/Makefile b/.well-known/openpgpkey/Makefile
index fb314116..63f4c577 100644
--- a/.well-known/openpgpkey/Makefile
+++ b/.well-known/openpgpkey/Makefile
@@ -3,7 +3,7 @@
 ADDRESS=anarcat@anarc.at
 FINGERPRINT=BBB6CD4C98D74E1358A752A602293A6FA4E53473
 NEXT_EXPIRE=$(shell LANG=C date -d '+1 year' '+%Y-%m-%d')
-TPO_KEYRING=~/src/tor/account-keyring/
+TPO_ROOT=~/src/tor
 
 all: warn hu upload
 
@@ -40,10 +40,6 @@ upload:
 	@echo "list, parse for fingerprint, delete, then upload"
 	@echo "last test with plain 'python-gitlab' CLI failed though"
 	@echo
-	@echo "# other locations"
-	@echo
-	@echo "- tor-puppet/openpgp-policy.toml"
-	@echo
 	gpg --export --export-options export-minimal -a $(FINGERPRINT) | wl-copy
 	@echo "key copied to clipboard"
 
@@ -53,7 +49,11 @@ renew:
 
 upload-tpo:
 	@echo "updating TPO keyring"
-	git -C $(TPO_KEYRING) pull
-	gpg --export --export-options export-minimal $(FINGERPRINT) > $(TPO_KEYRING)/torproject-keyring/anarcat-$(FINGERPRINT).gpg
-	git -C $(TPO_KEYRING) commit torproject-keyring/anarcat-$(FINGERPRINT).gpg
-	git -C $(TPO_KEYRING) push
+	git -C $(TPO_ROOT)/account-keyring/ pull
+	gpg --export --export-options export-minimal $(FINGERPRINT) > $(TPO_ROOT)/account-keyring/torproject-keyring/anarcat-$(FINGERPRINT).gpg
+	git -C $(TPO_ROOT)/account-keyring/ commit torproject-keyring/anarcat-$(FINGERPRINT).gpg
+	git -C $(TPO_ROOT)/account-keyring/ push
+	@echo "updating openpgp-policy.toml files"
+	sq-git policy sync --disable-keyservers --policy-file=$(TPO_ROOT)/tor-puppet/openpgp-policy.toml
+	git -C $(TPO_ROOT)/tor-puppet/ commit openpgp-policy.toml
+	git -C $(TPO_ROOT)/tor-puppet/ push

diff --git a/.well-known/openpgpkey/hu/myctwj4an6ne7htuzyoo8osctuji68xe b/.well-known/openpgpkey/hu/myctwj4an6ne7htuzyoo8osctuji68xe
index 34c381d8..adc79f13 100644
Binary files a/.well-known/openpgpkey/hu/myctwj4an6ne7htuzyoo8osctuji68xe and b/.well-known/openpgpkey/hu/myctwj4an6ne7htuzyoo8osctuji68xe differ

diff --git a/software/desktop/calibre.mdwn b/software/desktop/calibre.mdwn
index 49dc1e73..ef771a33 100644
--- a/software/desktop/calibre.mdwn
+++ b/software/desktop/calibre.mdwn
@@ -327,9 +327,10 @@ the database using SQLAlchemy. It does use calibre components to
 convert books but it might be an interesting alternative to the web
 interface shipped with Calibre.
 
-[AnthoLume][], [kavita][] (C#), [librum][] (dotnet), [storyteller][] [kiosk][], [readarr][] ("arr" stands for
-"aaargh C#/Windows again!") and [Ubooquity][] (... Java) are things as
-well, none of which are packaged in Debian. (What is it with e-book
+[AnthoLume][], [kavita][] (C#), [librum][] (dotnet), [storyteller][]
+[kiosk][], [readarr][] ("arr" stands for "aaargh C#/Windows again!"),
+[swic](https://dustri.org/b/swic-a-simple-web-interface-for-calibre.html) (golang, minimalist) and [Ubooquity][] (... Java) are things
+as well, none of which are packaged in Debian. (What is it with e-book
 webservers being written in C#?!)
 
 [readarr]: https://readarr.com/
@@ -687,4 +688,4 @@ conversation here or on your favorite Mastodon instance](https://social.weho.st/
 
 
 <!-- posted to the federation on 2026-01-05T14:28:30.119170 -->
-[[!mastodon "https://kolektiva.social/@Anarcat/115844140883320100"]]
\ No newline at end of file
+[[!mastodon "https://kolektiva.social/@Anarcat/115844140883320100"]]

diff --git a/hardware/radio.mdwn b/hardware/radio.mdwn
index 891f7b7b..2ce14dbf 100644
--- a/hardware/radio.mdwn
+++ b/hardware/radio.mdwn
@@ -90,6 +90,12 @@ I uploaded a few photos [in this album](https://photos.anarc.at/documentation/ra
 
 ### Modern
 
+- heard good things about the [Xiegu G90](https://www.radioddity.com/products/xiegu-g90-hf-transceiver): 0.5-30MHz HF SDR
+  transceiver, built-in tuner, 20W, detachable 1.8" LCD display with a 9-pin
+  serial port, 48KHz waterfall, USB/LSB/CW/CWR/AM/NFM (no FT8), CW
+  decoder, "overheats if used for a long time", 1.63kg 12 x4.5 x21cm
+  (case only), 14 x 5.2 x 25cm (with handles), VHF connector,
+  powerpole connector
 - [QMX](https://qrp-labs.com/qmx.html): low power QRP transceiver HF 20-80M, SDR / CW, packet,
   *not* voice
 - [(tr)uSDX](https://dl2man.de/): tiny, low power (80mA/500mA) QRP HF (20-80m,
@@ -118,6 +124,8 @@ that we might want to learn from. In particular, it ships:
 
 #### Antennas
 
+ - [field antenna, 7-54MHz, telescopic V](https://www.hgeek.com/collections/ham-radio-antennas/products/hamgeek-p-esa-7-54mhz-dipole-antenna-portable-shortwave-antenna), needs a 3m stand for 7M
+ - [log periodic direction finding antenna kit](https://www.hgeek.com/collections/ham-radio-antennas/products/hamgeek-hg1723-0-5ghz-6ghz-pcb-log-periodic-antenna-for-uav-positioning-wifi-direction-finding), 500MHz-6GHz
  - [Diamond X700HNA VHF/UHF antenna](https://www.dxengineering.com/parts/dmn-x700hna) that got the [reticulum guy
    really excited](https://unsigned.io/articles/2024_05_16_Are_We_There_Yet.html)
  - [CHA MPAS 2.0](https://chameleonantenna.com/products/cha-mpas-modular-portable-antenna-system-2-0): fancy multi-band "mobile" HF antenna, but
@@ -167,6 +175,7 @@ now completely useless.
  * [GPS Central](https://www.gpscentral.ca/amateur-radio.html)
  * [dx engineering](https://www.dxengineering.com/)
  * [dxcanada.ca](https://dxcanada.ca/)
+ * [ham geek](https://www.hgeek.com/)
  * [eBay](http://shop.ebay.com/Fixed-/163857/i.html)
  * [local](http://www.raqi.ca/~ve2bzl/)
 

diff --git a/hardware/keyboard.mdwn b/hardware/keyboard.mdwn
index 802a9323..6cef9e3d 100644
--- a/hardware/keyboard.mdwn
+++ b/hardware/keyboard.mdwn
@@ -588,6 +588,11 @@ A friend recommended the [Rechteck](https://www.boardsource.xyz/products/Rechtec
 
 A bit too small for my taste, but nice looking.
 
+## Framework
+
+[Framework](https://frame.work) made a [wireless keyboard and mouse combo](https://frame.work/ca/en/blog/previewing-the-framework-wireless-touchpad-keyboard). Not yet
+available as of April 2026.
+
 # Mini / travel keyboards
 
 Those are useful for the media station or traveling on the road with a
diff --git a/hardware/laptop.mdwn b/hardware/laptop.mdwn
index de54d1eb..2d7d282c 100644
--- a/hardware/laptop.mdwn
+++ b/hardware/laptop.mdwn
@@ -96,6 +96,20 @@ Review:
  * [Phoronix](https://www.phoronix.com/review/framework-13-amd/6), AMD - "fantastic choice for Linux users"
  * [rtings](https://www.rtings.com/laptop/reviews/framework/laptop-13-2023)
 
+#### Pro
+
+Framework rebuilt their 13" laptop series with improvements like:
+
+- longer battery life (20h?)
+- Intel® Core™ Ultra Series 3 processor with LPCAMM2 memory or AMD AI 300
+- CNC-milled case (making it more rigid)
+- new 700 display with touch screen
+- newer Dolby atmos speaker module on the sides instead of front
+- other keyboard color keys
+- haptic touchpad
+- mostly backwards-compatible
+- black chassis
+
 ### 16"
 
 Framework just (2023-03-23) just announced a whole bunch of new stuff:

diff --git a/software/desktop/firefox.mdwn b/software/desktop/firefox.mdwn
index 8dab1adc..c67884c7 100644
--- a/software/desktop/firefox.mdwn
+++ b/software/desktop/firefox.mdwn
@@ -68,18 +68,30 @@ I am testing those and they might make it to the top list once I'm happy:
    tabs](https://addons.mozilla.org/en-US/firefox/addon/snoozetabs/) (no deb, [source](https://github.com/bwinton/SnoozeTabs#readme)) for this as well.
  * [Clean URLs](https://docs.clearurls.xyz/) (no deb, [source](https://github.com/ClearURLs/Addon)) - remove garbage in URLs
  * [Display anchors](https://addons.mozilla.org/en-US/firefox/addon/display-_anchors/) (no deb, [source](https://github.com/Rob--W/display-anchors))
- * Firefox [Multi-account containers][] (no deb, [source](https://github.com/mozilla/multi-account-containers/)) - kind of
-   useful to separate work/private stuff and generally keep cross-site
-   surveillance under control. I was also using "Container Tab Groups"
-   (AKA "TabArray") but this had [data loss issues](https://github.com/menhera-org/TabArray/issues/457). That extension
-   was very useful to "hide a container", but the builtin extension
-   also provides that feature, just with a bunch more clicks. 
+ * Firefox [Multi-account containers][] (no deb, [source](https://github.com/mozilla/multi-account-containers/)) - kind
+   of useful to separate work/private stuff and generally keep
+   cross-site surveillance under control. I was also using "Container
+   Tab Groups" (AKA "TabArray") but this had [data loss issues](https://github.com/menhera-org/TabArray/issues/457) and
+   [horrible memory leaks](https://github.com/menhera-org/TabArray/issues/631). That extension was very useful to "hide
+   a container", but the builtin extension also provides that feature,
+   just with a bunch more clicks.
    - builtin: extension button -> click ">" on the right container -> "Hide this
    container"
    - tabarray: right-click on tab and "hide this container" See
    [Hide/Show container more accessible (#755)](https://github.com/mozilla/multi-account-containers/issues/755), [Show only this
    container option (#1662)](https://github.com/mozilla/multi-account-containers/issues/1662), and [Some options are hard to access
-   from the container list (#2089)](https://github.com/mozilla/multi-account-containers/issues/2089).
+   from the container
+   list (#2089)](https://github.com/mozilla/multi-account-containers/issues/2089). 
+   One feature TabArray was giving me was the "stickiness" of the "new
+   tab" functionality, which would open new tabs in the same container
+   as the current tab. Instead of that, I used the
+   [KazuAlex/firefox-new-tab-page-container](https://github.com/KazuAlex/firefox-new-tab-page-container) which forces a
+   pop-up. The two extensions that supposedly add the "stickiness"
+   ([Sticky Containers](https://addons.mozilla.org/en-US/firefox/addon/sticky-containers/?utm_source=addons.mozilla.org&utm_medium=referral&utm_content=collection) and [Sticky Window Containers](https://addons.mozilla.org/en-US/firefox/addon/sticky-window-containers/?utm_source=addons.mozilla.org&utm_medium=referral&utm_content=collection)) both
+   fail to work here. So I ended up just using the "default container"
+   for everything but certain exceptions and things just work: tabs
+   open in that default container by default.
+       
    Containers are rendered mostly irrelevant by the "first party
    isolation" features shipped with Firefox 87 (also known as [total
    cookie protection](https://blog.mozilla.org/security/2021/02/23/total-cookie-protection/)), my primary use case for those containers is

diff --git a/software/desktop/firefox.mdwn b/software/desktop/firefox.mdwn
index 91e5c959..8dab1adc 100644
--- a/software/desktop/firefox.mdwn
+++ b/software/desktop/firefox.mdwn
@@ -31,6 +31,9 @@ I have those extensions installed and use them very frequently:
    [source](https://github.com/shgysk8zer0/awesome-rss)) - replace the [Live bookmarks removal](https://support.mozilla.org/en-US/kb/live-bookmarks-migration)
  * [uBlock Origin][] ([[!debpkg webext-ublock-origin desc="debian
    package"]], [source](https://github.com/gorhill/uBlock)) - making the web sane again
+ * [Popup window](https://addons.mozilla.org/en-US/firefox/addon/popup-window/) (no deb, [source](https://github.com/ettoolong/PopupWindow)) - open the link in a
+   pop-up, useful to have an "app-like" window for a website (I use
+   this for videoconferencing in a second tab)
  * [Readeck](https://readeck.org/en/extension) (no deb, [source](https://codeberg.org/readeck/browser-extension)), read-it later service,
    replacing Wallabag
  * [URL to QR Code](https://addons.mozilla.org/en-US/firefox/addon/url-to-qrcode/?src=search) - (no debian package, [source](https://github.com/smoqadam/url-to-qrcode-firefox-addon)) after
@@ -93,9 +96,6 @@ I am testing those and they might make it to the top list once I'm happy:
  * [Link hints][] (no deb, [source](https://github.com/lydell/LinkHints/)) - nice and simple alternative
    to full-scale keyboard driven interface like [tridactyl][], see the
    [keybindings](#keybindings) section below
- * [Popup window](https://addons.mozilla.org/en-US/firefox/addon/popup-window/) (no deb, [source](https://github.com/ettoolong/PopupWindow)) - open the link in a
-   pop-up, useful to have an "app-like" window for a website (I use
-   this for videoconferencing in a second tab)
 
 [tridactyl]: https://github.com/tridactyl/tridactyl
 [builtin Firefox shortcuts]: https://support.mozilla.org/en-US/kb/keyboard-shortcuts-perform-firefox-tasks-quickly

diff --git a/software/desktop/firefox.mdwn b/software/desktop/firefox.mdwn
index 429a021a..91e5c959 100644
--- a/software/desktop/firefox.mdwn
+++ b/software/desktop/firefox.mdwn
@@ -23,11 +23,6 @@ or have used in the past.
 
 I have those extensions installed and use them very frequently:
 
- * [browserpass-ce](https://addons.mozilla.org/en-US/firefox/addon/browserpass-ce/) ([[!debpkg webext-browserpass desc="debian
-   package"]], [source](https://github.com/browserpass/browserpass)) - super fast access to my passwords. use
-   some magic mumble-jumble message passing thing which feels a bit
-   creepy. possible alternative: [passff](https://github.com/passff/passff#readme), no Debian package,
-   [872773](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872773).
  * [Cookie AutoDelete](https://addons.mozilla.org/en-US/firefox/addon/cookie-autodelete/) (no Debian package, [908285](http://bugs.debian.org/908285),
    [source](https://github.com/Cookie-AutoDelete/Cookie-AutoDelete)) - clear long-term identities for all sites except a
    few, too bad it does not sync with uBlock/uMatrix ([issue
@@ -155,6 +150,11 @@ hard to use or simply irrelevant.
  * [adblock plus](https://addons.mozilla.org/fr/firefox/addon/1865) - now selling ads! replaced with ublock
  * [Addons compatibility reporter](https://addons.mozilla.org/en-US/firefox/addon/add-on-compatibility-reporter/) - useless since Firefox 57 /
    Quantum, as incompatible extensions are just *disabled*
+ * [browserpass-ce](https://addons.mozilla.org/en-US/firefox/addon/browserpass-ce/) ([[!debpkg webext-browserpass desc="debian
+   package"]], [source](https://github.com/browserpass/browserpass)) - super fast access to my passwords. use
+   some magic mumble-jumble message passing thing which feels a bit
+   creepy. has Debian package, felt uncomfortable with my browser
+   having access to my OpenPGP keyring
  * [Debian buttons](https://icedeb.ktnx.net/) didn't work for me as it requires buttons, so I
    made a simple [bookmarks folder](https://salsa.debian.org/debian/debian-bookmarks-shortcuts) instead
  * [firebug](https://addons.mozilla.org/firefox/1843/) - somewhat built-in

diff --git a/software/desktop/firefox.mdwn b/software/desktop/firefox.mdwn
index 302bc2ab..429a021a 100644
--- a/software/desktop/firefox.mdwn
+++ b/software/desktop/firefox.mdwn
@@ -36,6 +36,8 @@ I have those extensions installed and use them very frequently:
    [source](https://github.com/shgysk8zer0/awesome-rss)) - replace the [Live bookmarks removal](https://support.mozilla.org/en-US/kb/live-bookmarks-migration)
  * [uBlock Origin][] ([[!debpkg webext-ublock-origin desc="debian
    package"]], [source](https://github.com/gorhill/uBlock)) - making the web sane again
+ * [Readeck](https://readeck.org/en/extension) (no deb, [source](https://codeberg.org/readeck/browser-extension)), read-it later service,
+   replacing Wallabag
  * [URL to QR Code](https://addons.mozilla.org/en-US/firefox/addon/url-to-qrcode/?src=search) - (no debian package, [source](https://github.com/smoqadam/url-to-qrcode-firefox-addon)) after
    removing another alternative that was proprietary spyware (!! see
    below), I found about 6 different alternatives (this one and
@@ -43,9 +45,6 @@ I have those extensions installed and use them very frequently:
    people??) This is the most popular, reviews are mostly positive,
    seems to be working offline, has a free license, and source is
    available. Super simple too.
- * [Wallabager][] (no debian package, [source](https://github.com/wallabag/wallabagger)) - to YOLO a bunch
-   of links in a pile outside my web browser that I can read offline
-   thanks to [Wallabako](https://gitlab.com/anarcat/wallabako/)
 
 [Wallabager]: https://addons.mozilla.org/en-US/firefox/addon/wallabagger/
 [uMatrix]: https://addons.mozilla.org/firefox/addon/umatrix/
@@ -204,6 +203,9 @@ hard to use or simply irrelevant.
    (basically only the sites which you really want a long-term
    identity on, whereas you had to unblock cookies from a lot more
    sites just to get things to work at all in uMatrix)
+ * [Wallabager][] (no debian package, [source](https://github.com/wallabag/wallabagger)) - to YOLO a bunch
+   of links in a pile outside my web browser that I can read offline
+   thanks to [Wallabako](https://gitlab.com/anarcat/wallabako/), switched to Readeck
  * [Wayback machine](https://addons.mozilla.org/en-US/firefox/addon/wayback-machine_new/) (no deb, [source](https://github.com/internetarchive/wayback-machine-chrome)?) - i also have
    bookmarklets, but this could work better! Unfortunately, it doesn't
    work with other archival sites like archive.is or Google's

diff --git a/hardware/radio.mdwn b/hardware/radio.mdwn
index 808f8664..6e6c7dd2 100644
--- a/hardware/radio.mdwn
+++ b/hardware/radio.mdwn
@@ -148,6 +148,7 @@ now completely useless.
  * [Universal Radio](https://www.universal-radio.com/)
  * [GPS Central](https://www.gpscentral.ca/amateur-radio.html)
  * [dx engineering](https://www.dxengineering.com/)
+ * [dxcanada.ca](https://dxcanada.ca/)
  * [eBay](http://shop.ebay.com/Fixed-/163857/i.html)
  * [local](http://www.raqi.ca/~ve2bzl/)
 

diff --git a/hardware/radio.mdwn b/hardware/radio.mdwn
index 6e6c7dd2..891f7b7b 100644
--- a/hardware/radio.mdwn
+++ b/hardware/radio.mdwn
@@ -18,18 +18,61 @@ See also [[services/meshtastic]] (think DIY text mesh) and
   * [Yaesu FT-60R](https://www.yaesu.com/indexVS.cfm?cmd=DisplayProducts&encProdID=6EC43B29CEF0EC2B4E19BB7371688B7F)
   * [Quansheng UV-K5](https://qsfj.com/products/3002): similar to baofeng UV-5R, but more hackable,
      see [custom firmware](https://github.com/nikant/kamilsss655-uv-k5-firmware-custom-nkk?tab=readme-ov-file), [also](https://whosmatt.github.io/uvmod/)
-* Transceiver: Yaesu FT-100D, bought around 600$ on ebay in 2010
+  - [Retevis RT3S](https://www.retevis.com/products/rt3s-dual-band-dmr-radio-non-gps-built-in-gps), rebranded version of the [Tyt MD-UV 380](https://www.tyt888.com/pro_info147.html):
+    DMR/analog, UHF/VHF, 5W, 3000 channels, color LCD, AES encryption,
+    8 hours recording. biggest downside is lack of USB-C plug.
+    
+    bought straight from the retevis.com for 115$CAD, also considered
+    [bigupdagets](https://ca.bigupgadgets.com/retevis-rt3s-136-174mhz-400-480mhz-3000ch-handheld-dmr-digital-two-way-radio-walkie-talkie-06-0151960) (140$CAD) [fleetwood](https://www.fleetwooddp.com/products/retevis-rt3s-dual-band-dmr-gps-amateur-ham-radio), and
+    [unclemikesoutdoors.ca](https://unclemikesoutdoors.ca/products/retevis-rt3s-dual-band-dmr-gps-amateur-ham-radio) (150$CAD).
+    
+    hoping i can use one of this to program it, because chirp can't:
+    [editcp](https://www.farnsworth.org/dale/codeplug/editcp/), [dmrconfig](https://github.com/OpenRTX/dmrconfig), [qdmr](https://github.com/hmatuschek/qdmr?tab=readme-ov-file), might be flashable with a
+    custom firmware like [OpenRTX](https://openrtx.org/#/), unclear how well it works.
+* Transceiver: 
+  - Yaesu FT-100D, bought around 600$ on ebay in 2010
+  - i bought *two* from [HF Signals](https://www.hfsignals.com/), my main challenge for
+    adoption was the BNC connectors (I have everything in PL259, maybe
+    a [simple adapter like this](https://addison-electronique.com/en/uhf-female-to-bnc-male-adaptor.html) or [this BNC male to UHF SO239
+    female adapter](https://www.radioworld.ca/product/con-210/bnc-male-uhf-female-adapter) (2.99$), [signalstuff also has more expensive
+    ones](https://signalstuff.com/products/so239-bncm/), i ended up buying from dxengineering... the radios I
+    have are:
+  - [sBITX](https://www.sbitx.net/): 25W, 80-10m, 10W on 20-10m, receive 500KHz-30MHz, idle
+    600mA, xmit 9A, SSB/CW/CW-Reverse/FT8/FLdigi, 7" touch screen
+    display, built-in mic and speaker, on-screen keyboard, 4 memories
+    per band, A/B VFOs, [N1MM](https://n1mmwp.hamdocs.com/)-style logger, real time clock, HDMI
+    output, WAV recording, QRZ.com lookups, telnet/BBS (RBN/DX
+    clusters), can be powered off RC/drone batteries with the XT60
+    connector, BNC connector, web interface, [sbitx v3](https://www.hfsignals.com/index.php/sbitx-v3/) and others
+    can apparently [run Debian!](https://www.cybertec-postgresql.com/en/the-debian-conference-2025-in-brest/), [open source](https://github.com/afarhan/sbitx), 10"x6"x2",
+    4lbs, 430$USD
+  - [zBitx](https://www.hfsignals.com/index.php/zbitx/): 5W HF, 80-10m, CW/SSB/FreeDV/FT8/SSTV, 480×320 touch
+    screen, 156mm x 80mm x 35mm, 250g, 410g with 2x18650 LiPO
+    batteries, same software as the sBitx, 6V-9V PSU, 300mA standby,
+    1.5-3A transmit, 197$USD
+  - [uBITX v6](https://www.hfsignals.com/index.php/ubitx-v6/): 10W HF, SSB/CW, SDR, arduino-based, GPL-3, 210$,
+    seems like the older version of the other two
 * Tuner wiring kit:
   * MFJ-941E - antenna tuner and switch [155$ at radioworld](http://radioworld.ca/product_info.php?products_id=2885)
   * 100' of RG8 coax cabling [65$ at radioworld](http://radioworld.ca/product_info.php?cPath=73_394&products_id=6831)
   * PL259 connectors [4$ at radioworld](http://radioworld.ca/product_info.php?cPath=73_394&products_id=3244)
   * VHF/UHF meter: [workman 50$](http://www.ebay.com/itm/SWR-Power-500-Watt-METER-120-500-MHz-UHF-VHF-Ham-Radio-w-RG8X-Jumper-/380424888249)  ([17 reviews: 3.5/5](http://www.eham.net/reviews/detail/3905))
   * Ferrites: ~40$ + 24$ customs fees (PN: 2643167851 from [IBS electronics](http://www.ibselectronics.com/search_r.asp?mfgpn=2643167851))
+  * some sort of powerpole adapter for the FT-100d, maybe [this thing
+    from Powererx](https://powerwerx.com/radio-power-cable-yaesu-kenwood-icom)? i ended up buying a power supply from Addison,
+    a kit from dxengineering and cutting/crimping a bunch of stuf
+  * i also bought a smaller (but not small enough) power supply from dxeng
 * Antennas
   * MAP-G5RV 1/2 - G5RV 50' dipole antenna (10-40m) [85$ at radioworld](http://radioworld.ca/product_info.php?manufacturers_id=121&products_id=7788)
   * [S&K Open Stub J-Pole Antenna](https://signalstuff.com/product/signal-staff-osj/) (OSJ) from [Signalstuff.com](https://signalstuff.com/),
     can be mounted on a mast *or* a camera tripod *or* even hanged from
     a tree! (60$USD)
+  * [Palomar PAL-OCF4010-100](https://palomar-engineers.com/catalog/Best-Off-Center-Fed-Dipole-Antenna-40-6-Meters-100-500-1-5KW-5KW-PEP-POTA-Field-Day-FREE-shipping-in-USA-p153923527) (165$CAD)
+  - the [Chameleon OCF-40](https://www.dxengineering.com/parts/cha-ocf-40) seems like a good portable option, is
+    easier to setup than my G5RV, nice carrying pouch, designed to be
+    lifted by the middle instead of the ends, something I should
+    really do with my G5RV in the field anyways. works great, but not
+    on 80m
   * DIY copper J-pole
   * Mag-mount VHF antenna (spec missing)
 * Books:
@@ -38,7 +81,8 @@ See also [[services/meshtastic]] (think DIY text mesh) and
   * ARRL Handbook 2011, Softcover: 49.95$USD
   * ARRL Antenna Book: 44.95$USD
 
-Total rig cost so far: 1242.60$ (not counting the quad project below)
+Total rig cost originally: 1242.60$ (not counting the quad project
+below, the new HF Signals stuff, and the handhelds
 
 I uploaded a few photos [in this album](https://photos.anarc.at/documentation/radio/#/0).
 
@@ -46,26 +90,6 @@ I uploaded a few photos [in this album](https://photos.anarc.at/documentation/ra
 
 ### Modern
 
-- [HF Signals](https://www.hfsignals.com/) have built tons of awesome open hardware kits and
-  products, my main challenge for adoption are the BNC connectors (I
-  have everything in PL259, maybe a [simple adapter like this](https://addison-electronique.com/en/uhf-female-to-bnc-male-adaptor.html) or
-  [this BNC male to UHF SO239 female adapter](https://www.radioworld.ca/product/con-210/bnc-male-uhf-female-adapter) (2.99$), which i
-  might already have, [signalstuff also has more expensive ones](https://signalstuff.com/products/so239-bncm/)
-  - [sBITX](https://www.sbitx.net/): 25W, 80-10m, 10W on 20-10m, receive 500KHz-30MHz, idle
-    600mA, xmit 9A, SSB/CW/CW-Reverse/FT8/FLdigi, 7" touch screen
-    display, built-in mic and speaker, on-screen keyboard, 4 memories
-    per band, A/B VFOs, [N1MM](https://n1mmwp.hamdocs.com/)-style logger, real time clock, HDMI
-    output, WAV recording, QRZ.com lookups, telnet/BBS (RBN/DX
-    clusters), can be powered off RC/drone batteries with the XT60
-    connector, BNC connector, web interface, [sbitx v3](https://www.hfsignals.com/index.php/sbitx-v3/) and others
-    can apparently [run Debian!](https://www.cybertec-postgresql.com/en/the-debian-conference-2025-in-brest/), [open source](https://github.com/afarhan/sbitx), 10"x6"x2",
-    4lbs, 430$USD
-  - [zBitx](https://www.hfsignals.com/index.php/zbitx/): 5W HF, 80-10m, CW/SSB/FreeDV/FT8/SSTV, 480×320 touch
-    screen, 156mm x 80mm x 35mm, 250g, 410g with 2x18650 LiPO
-    batteries, same software as the sBitx, 6V-9V PSU, 300mA standby,
-    1.5-3A transmit, 197$USD
-  - [uBITX v6](https://www.hfsignals.com/index.php/ubitx-v6/): 10W HF, SSB/CW, SDR, arduino-based, GPL-3, 210$,
-    seems like the older version of the other two
 - [QMX](https://qrp-labs.com/qmx.html): low power QRP transceiver HF 20-80M, SDR / CW, packet,
   *not* voice
 - [(tr)uSDX](https://dl2man.de/): tiny, low power (80mA/500mA) QRP HF (20-80m,
@@ -79,8 +103,6 @@ could reuse with my FT-100d. It seems I am missing:
  * a [Condor pack insert](https://condoroutdoor.com/va7-pack-insert.html)
  * a [Bienno LiFePO4 battery](https://www.bioennopower.com/collections/lifepo4-batteries-for-communication-equipment-ham-radio) - smaller, lighter and safer than SLA
    batteries
- * some sort of powerpole adapter for the FT-100d, maybe [this thing
-   from Powererx](https://powerwerx.com/radio-power-cable-yaesu-kenwood-icom)?
 
 That guy also made an [emcomm kit guide](https://www.tothewoods.net/Comms-vehicle-emergency-communications-EMCOMM-kit.php) (emergency communications)
 that we might want to learn from. In particular, it ships:
@@ -108,10 +130,6 @@ that we might want to learn from. In particular, it ships:
    which would be a little tighter but still fits (cf. 2025B p. 58),
    also [available at Radioworld](https://www.radioworld.ca/product/palomar-bullet4006100/end-fed-ocf-antenna-system-100w-55-feet-40-6-meters-including-warc-bands) but inexplicably much more
    expensive (230$CAD)
- - the [Chameleon OCF-40](https://www.dxengineering.com/parts/cha-ocf-40) seems like a good portable option, would
-   be easier to setup than my G5RV, nice carrying pouch, designed to
-   be lifted by the middle instead of the ends, something I should
-   really do with my G5RV in the field anyways
  - the [Alpha Delta Parallel Dipole DX-EE](https://www.dxengineering.com/parts/alf-dx-ee) is interesting because
    "40ft overall", but a different design than the above EFHW and OCF,
    lots of wires!

diff --git a/services/meshtastic.md b/services/meshtastic.md
index f5a43b8c..27bd7fd4 100644
--- a/services/meshtastic.md
+++ b/services/meshtastic.md
@@ -458,6 +458,25 @@ reflash and try a "full erase", it worked in my case.
 This is a neat case: small and handy, but without display or
 battery. Probably the cheapest kit out there.
 
+## Heltec v4 WiFi LoRa 32 Expansion Kit
+
+I ordered the [Heltec v4 WiFi LoRa 32 Expansion Kit, 50-60USD](https://heltec.org/project/wifi-lora-32-v4-expansion-housing/)
+(52$USD) as a small basic kit, 5 of them, to bootstrap a mesh in a
+friendly village. I expected something like "case, battery and OLED
+display you connect to with your phone" but this is much more. There's
+a 18650 battery, sure, but the case is really nice, and the antenna
+looks long enough to be good.
+
+But the *display* is pretty awesome. This is a color TFT display with
+a touch screen, which makes this a standalone device to rival things
+like the T-Deck, as you can pull up a keyboard to type full messages.
+
+Just be careful: don't flash it on the current (`2.7.20.6658ec2-alpha`)
+firmware, as the display will stop working. If you do, you need to
+reflash with the [upstream firmware](https://resource.heltec.cn/download/WiFi_LoRa_32_V4/firmware/Touch) (currently
+`firmware-heltec-v4-tft-2.7.20.1116217.factory.bin`) while erasing the
+device to restore the display.
+
 ## Other owned devices
 
 I also own those devices, but have not written a thorough review:

diff --git a/services/meshtastic.md b/services/meshtastic.md
index 51cde087..f5a43b8c 100644
--- a/services/meshtastic.md
+++ b/services/meshtastic.md
@@ -343,6 +343,16 @@ This means the RAK has 1.8x the T-Echo battery life even though it has
 a much larger (and heavier) battery (3200mAh vs 850mAh), specifically
 3.8 times larger.
 
+Also, the USB-C charge controller is weird: if you plug it in a modern
+charger, it just doesn't pick up the charge. You **must** plug it in a
+**legacy** 5 volt USB-A charger for the charge to work, which is
+pretty annoying because I'm more and more standardizing on USB-C here.
+
+Finally, I tested Meshcore on that thing and didn't see any
+relays. Worse, the firmware seems to use more power than the
+Meshtastic one, although I can't tell for sure. It has that neat
+feature that the backlight turns on when you tap the top "button".
+
 ## SenseCAP Solar Node P1
 
 The [SenseCAP Solar Node P1](https://www.seeedstudio.com/SenseCAP-Solar-Node-P1-for-Meshtastic-LoRa-p-6425.html) looks *really* nice: outdoors
@@ -359,6 +369,13 @@ time, because otherwise Meshtastic was spending a couple of seconds
 probing for a device, at least in the shipped firmware (2.6.9) which
 *does* work with the current app.
 
+I was surprised to see the machine boot up with minimal of indirect
+sunlight. Unfortunately, without batteries, it can't actually send
+messages out right now. I've tried slotting in batteries but it turns
+out it's better to actually *charge* those 18650 before you put them
+in solar equipment: that way, the solar only needs to top off
+batteries instead of bringing them up for nothing.
+
 Next up on this one is outdoors endurance tests while, unfortunately,
 spring is coming (so no winter test yet, sorry).
 

diff --git a/services/meshtastic.md b/services/meshtastic.md
index 876bdd99..51cde087 100644
--- a/services/meshtastic.md
+++ b/services/meshtastic.md
@@ -484,9 +484,9 @@ ordered a bunch more devices to examine, test, and give away.
   - [XIAO nRF52840 & Wio-SX1262 Kit](https://www.seeedstudio.com/XIAO-nRF52840-Wio-SX1262-Kit-for-Meshtastic-p-6400.html): even tinier, nRF52840,
     Semtech SX1262, NFC, BT, -40°C ~ 65°C, 22 x 21 x 17.8mm
 - Heltec: $327.90 ($289.40USD + 38.50 shipping)
- - [Heltec v4 pre-built kit, 50-60USD](https://heltec.org/project/wifi-lora-32-v4-expansion-housing/) (52$), 5 of them, to bootstrap a
-   mesh in a friendly village
- - [HELTEC v4](https://heltec.org/project/wifi-lora-32-v4/) with a display (20$), a test board for the above
+  - [Heltec v4 pre-built kit, 50-60USD](https://heltec.org/project/wifi-lora-32-v4-expansion-housing/) (52$), 5 of them, to bootstrap a
+    mesh in a friendly village
+  - [HELTEC v4](https://heltec.org/project/wifi-lora-32-v4/) with a display (20$), a test board for the above
 - **Total**: 640,14USD or about 900CAD + 27CAD customs for 11 devices
   or 620 for 9, or 70$CAD each, if you discount the more expensive
   stuff (the solar and pager)

diff --git a/services/meshcore.md b/services/meshcore.md
new file mode 100644
index 00000000..fba0b0ea
--- /dev/null
+++ b/services/meshcore.md
@@ -0,0 +1,33 @@
+Flash the T-Echo with the [web flasher](https://flasher.meshcore.co.uk/). There's a "put in DFU
+mode" button that doesn't work: it turns into a checkmark, but then
+the drive doesn't show up. I had to manually hit the reset button
+twice. Then I hit the "flash" button but it flashed directly in the
+browser, while I was expecting to download the image and move it to
+the drive.
+
+Before flashing, I backed up the meshtastic configuration with:
+
+    ~/Documents/backups/meshtastic$ meshtastic --export-config > acho.yaml
+
+Tried the [open app](https://github.com/zjs81/meshcore-open) which made me go through [Obtainium](https://obtainium.imranr.dev/) which
+was my first successful round-trip through that particular app store.
+
+Bluetooth pairing didn't work at first, the PIN dialog didn't show
+up.. worked after a couple of retries.
+
+Once started, I did not see anything. There's a nice "privacy mode" in
+the settings, which are generally more intuitive than Meshtastic.
+
+Then i tried Liam Cottle's proprietary app that is [suggested in the
+apps list](https://meshcore.co.uk/apps.html). Its "radio presets" is more visible than in the open
+app, so I was able to set it
+
+The (proprietary) app has a couple of nice features:
+
+ - real time noise floor graph
+ - awesome "line of sight" built-in app to show elevation profiles
+   between two points on the map (!)
+ - also awesome "antenna coverage" which does essentially the
+   equivalent of a "site planner" but right there in the app
+
+Everything else is relatively similar with the open app, at first glance.

diff --git a/services/meshtastic.md b/services/meshtastic.md
index 32a00587..876bdd99 100644
--- a/services/meshtastic.md
+++ b/services/meshtastic.md
@@ -332,10 +332,16 @@ brittle, however, but I suspect it might be flyable on a drone.
 There's a [InkHUD](https://meshtastic.org/docs/configuration/device-uis/inkhud/) interface that Meshtastic is developing. I'm not
 sure how it differs from the standard one.
 
-Next step is to do a battery test with the Wispocket, which started
-at 2026-03-16T20:53. As of 22:47, the T-Echo is already down to 79%
-battery vs 92% for the Wispocket, but to be fair the Wispocket has a
-much larger (and heavier) battery (3200mAh vs 850mAh).
+I compared the battery of the T-Echo with the RAK WisMesh
+Pocket. Between 2026-03-16T20:53 and 2026-03-18T10:38 (so 37h45m), the
+devices went from full to 55% for the RAK and 18% for the T-Echo. This
+gives an estimated remaining time for the RAK of 46h8m, so a total run
+time of 3 days, 11h and 53min or 83h53m. At this rate, the T-Echo has 9h26m
+left, with a total 47h11 m.
+
+This means the RAK has 1.8x the T-Echo battery life even though it has
+a much larger (and heavier) battery (3200mAh vs 850mAh), specifically
+3.8 times larger.
 
 ## SenseCAP Solar Node P1
 

diff --git a/services/meshtastic.md b/services/meshtastic.md
index 8f4eb6dc..32a00587 100644
--- a/services/meshtastic.md
+++ b/services/meshtastic.md
@@ -192,11 +192,19 @@ device, but know that those are the functions of the main button:
 | Press three times     | Switch on/off the GPS     | -              |
 | Press and hold for 5s | Power off                 | Falling melody |
 
+### Bricked
+
 Update: at the moment, the T1000-E is essentially bricked. I think I
 failed to do a wipe correctly and it just loops on the boot loader
-until it runs out of battery. I have found the device much more
-difficult to debug than other platforms, and don't encourage getting
-one for development at least, if at all.
+until it runs out of battery. 
+
+I have found the device much more difficult to debug than other
+platforms, and don't encourage getting one for development at least,
+if at all. 
+
+And yes, I did managed to [get in DFU mode](https://wiki.seeedstudio.com/sensecap_t1000_e/#device-stuck-in-boot-loop) and reflash the
+firmware, I even tried to [flash the bootloader](https://wiki.seeedstudio.com/sensecap_t1000_e/#device-bricked), it never
+recovered.
 
 ### Fun story
 

diff --git a/services/meshtastic.md b/services/meshtastic.md
index be14a6be..8f4eb6dc 100644
--- a/services/meshtastic.md
+++ b/services/meshtastic.md
@@ -363,7 +363,7 @@ Flashing through Chrome works as it seems to be able to kick the
 device over to DFU mode from the serial port, which makes me think
 this is something we should add to reflashtic.
 
-### XIAO ESP32S3 & Wio-SX1262 Kit
+## XIAO ESP32S3 & Wio-SX1262 Kit
 
 The [XIAO ESP32S3 & Wio-SX1262 Kit](https://www.seeedstudio.com/XIAO-ESP32S3-for-Meshtastic-LoRa-with-3D-Printed-Enclosure-p-6314.html) is... something else. It
 doesn't look like it comes flashed with Meshtastic. Here's what the
@@ -421,8 +421,11 @@ E (495) boot: No bootable app partitions in the partition table
 ...
 ```
 
-So it seems this is essentially not functional and I can't recommend
-it for Meshtastic.
+But that's because the partition table was incorrect. If that happens,
+reflash and try a "full erase", it worked in my case.
+
+This is a neat case: small and handy, but without display or
+battery. Probably the cheapest kit out there.
 
 ## Other owned devices
 
@@ -463,7 +466,7 @@ ordered a bunch more devices to examine, test, and give away.
     be used with only two batteries?
   - [XIAO ESP32S3 & Wio-SX1262 Kit](https://www.seeedstudio.com/XIAO-ESP32S3-for-Meshtastic-LoRa-with-3D-Printed-Enclosure-p-6314.html): tiny, cheap, - 40℃ ~ 100℃,
     WiFi 2.4GHz, BLE 5.0 / Mesh, reset/boot button, 22x23x57mm, 37g,
-    exposed GPIO ports, 20$, to see if it has a battery
+    exposed GPIO ports, no battery, 20$
   - [XIAO nRF52840 & Wio-SX1262 Kit](https://www.seeedstudio.com/XIAO-nRF52840-Wio-SX1262-Kit-for-Meshtastic-p-6400.html): even tinier, nRF52840,
     Semtech SX1262, NFC, BT, -40°C ~ 65°C, 22 x 21 x 17.8mm
 - Heltec: $327.90 ($289.40USD + 38.50 shipping)

diff --git a/software/desktop/wayland.md b/software/desktop/wayland.md
index fd9e1e83..e9b94a1a 100644
--- a/software/desktop/wayland.md
+++ b/software/desktop/wayland.md
@@ -186,7 +186,11 @@ Other options include:
  * [MagoWC][]: tiling, scrolling, tagging, 
  * [niri][]: scrolling, paper-vm like, Rust, not in Debian ([1065355][])
  * [Qtile][]: tiling, extensible, Python, in Debian since trixie ([1015267][])
- * [river][]: Zig, stackable, tagging, not in Debian  ([1006593][])
+ * [river][]: Zig, stackable, tagging, not in Debian  ([1006593][]),
+   now built as a framework where "window managers" can be built on
+   top, including about [*fifteen* new window managers already](https://codeberg.org/river/wiki/src/branch/main/pages/wm-list.md),
+   including: tiling, stacking, scrolling, dynamic,
+   xmonad-like-in-rust, emacs-based...
  * [smithay][], and many derivatives: Rust, not in Debian
  * [velox][]: inspired by xmonad and dwm, not in Debian
  * [vivarium][]: inspired by xmonad, not in Debian

diff --git a/services/meshtastic.md b/services/meshtastic.md
index 6ce7e8ab..be14a6be 100644
--- a/services/meshtastic.md
+++ b/services/meshtastic.md
@@ -575,45 +575,31 @@ well.
   to Meshtastic!)
 - HiveMQ public broker: `broker.hivemq.com`, see [their documentation](https://www.hivemq.com/mqtt/public-mqtt-broker/)
 
-# Relays
-
-- [Matrix](https://github.com/geoffwhittington/meshtastic-matrix-relay)
-- [IRC](https://github.com/AkitaEngineering/Meshtastic-IRC)
-
-# Maps
-
-- <https://meshmap.net/>
-- <https://meshtastic.liamcottle.net/> (AKA <https://meshmap.app/>)
-- <https://site.meshtastic.org/>
-- [Canada mesh map](https://map.mt.gt/)
-
 # Links
 
 - <https://www.meshtastic.org/>
-- [LWN review][] (2025)
-- [Another meshtastic guide](https://anarchosolarpunk.substack.com/p/encryptedcomms)
-
-[LWN review]: https://lwn.net/Articles/1009782/
+- <https://lora.reseaulibre.ca/> - where most of the doc that was here
+  migrated
 
 # Fellow meshes
 
-- [Canadaverse mesh wiki](https://wiki.mt.gt/)
-- [meshtQuebec (Telegram group)](https://t.me/meshtQuebec)
+Those are meshes I am particularly paying attention to, because
+they're friends or they are technically amazing:
+
 - [Puget Mesh](https://pugetmesh.org/): Seattle area, they have their own [MQTT server](https://pugetmesh.org/meshtastic/#mqtt-and-maps)
   and [map](https://meshtastic.davekeogh.com/), lots of interesting [projects and software](https://pugetmesh.org/meshtastic/#member-projects),
-  including a [weekly net](https://pugetmesh.org/meshtastic/#weekly-net), updates:
+  ([AREDN](https://www.arednmesh.org/)) including a [weekly net](https://pugetmesh.org/meshtastic/#weekly-net), updates:
   - 2026-02-21: 4997 meshtastic nodes
   - Q1 2026: "building out Meshcore", according to the [meshcore
     map](https://meshcore.co.uk/map.html), there's around 1300 nodes in the area, [1472 according to
     this other map](https://analyzer.letsmesh.net/map)
   - May 2025: experimented with ShortFast
   - 2025-03-26: 2274 meshtastic nodes 
-- [mtnme.sh](https://mtnme.sh/): Tenessee
-- [nyme.sh](https://nyme.sh/): New York city
-- [upstatemesh.org](https://www.upstatemesh.org/): "Capital district" (Albany, NY)
-- [NHMesh](https://nhmesh.com/): New Hampshire, though [their map](https://nhmesh.live/) shows mostly meshcore in Boston
+- [Austin Mesh](https://www.austinmesh.org/): US Texas [weirdos](https://en.wikipedia.org/wiki/Keep_Austin_Weird), moving to Meshcore as well,
+  [flying drones](https://www.austinmesh.org/devices/#aerial) and [kites](https://www.austinmesh.org/learn/kite-nodes-for-mesh-networking/) and [DIY solar kits](https://www.austinmesh.org/devices/#solar), excellent
+  documentation
 
-See also the [official list of local groups](https://meshtastic.org/docs/community/local-groups/).
+See also the [Réseau Libre neighbours](https://lora.reseaulibre.ca/references/neighbours/).
 
 # Alternative LoRa networks
 

diff --git a/services/meshtastic.md b/services/meshtastic.md
index 88ca3c34..6ce7e8ab 100644
--- a/services/meshtastic.md
+++ b/services/meshtastic.md
@@ -294,6 +294,136 @@ the range, because as it is now it's not great. Apparently, there's an
 on-board [ipex connector](https://github.com/Xinyuan-LilyGO/T-Deck/issues/20), so I'd just need a IPEX/SMA connector
 and a [LoRa antenna](https://meshtastic.org/docs/hardware/antennas/#community-favorites).
 
+The device was donated to a family member.
+
+## T-Echo
+
+The [T-Echo](https://lilygo.cc/products/t-echo-meshtastic?variant=52153213190325) is an interesting device: e-ink, tiny, NRF5280
+circuit, 53$USD
+
+Built-in firmware is too old for the Android app.
+
+Chrome-based flasher works well. Reflashtic works, but i had to
+specify the mountpoint because it is named `TECHOBOOT` and not
+`T-ECHO`:
+
+    ./reflashtic.py --interactive --mountpoint /media/anarcat/TECHOBOOT/
+
+The top-left button is the "reset" button, which I find a little
+counter-intuitive: I was expecting it to be a "confirm" button, and
+the "reset" button to be less accessible. But it works: double-click
+that button and it goes in DFU mode.
+
+I left the GPS enabled but configured the node to not send its
+position in the LongFast channel for privacy reasons.
+
+The device is pretty neat: it's *tiny* and light, much lighter than
+the Wispocket, while also being more compact. It feels a little more
+brittle, however, but I suspect it might be flyable on a drone.
+
+There's a [InkHUD](https://meshtastic.org/docs/configuration/device-uis/inkhud/) interface that Meshtastic is developing. I'm not
+sure how it differs from the standard one.
+
+Next step is to do a battery test with the Wispocket, which started
+at 2026-03-16T20:53. As of 22:47, the T-Echo is already down to 79%
+battery vs 92% for the Wispocket, but to be fair the Wispocket has a
+much larger (and heavier) battery (3200mAh vs 850mAh).
+
+## SenseCAP Solar Node P1
+
+The [SenseCAP Solar Node P1](https://www.seeedstudio.com/SenseCAP-Solar-Node-P1-for-Meshtastic-LoRa-p-6425.html) looks *really* nice: outdoors
+solar-powered relay with 4x18650 batteries, nRF4840, GNSS, BT 5.0, 3
+power buttons, 5 LEDs, USB-C for debug, [recommended by nyme.sh](https://nyme.sh/faq/).
+At 70$USD, it's cheaper than its RAK wireless equivalent.
+
+I first thought I could power it with only two 18650 batteries, but
+that doesn't seem like it.
+
+Flashing it with reflashtic was also straightforward, the mountpoint
+is `XIAO-BOOT`. I marked the GNSS as `NOT_PRESENT` to speed up boot
+time, because otherwise Meshtastic was spending a couple of seconds
+probing for a device, at least in the shipped firmware (2.6.9) which
+*does* work with the current app.
+
+Next up on this one is outdoors endurance tests while, unfortunately,
+spring is coming (so no winter test yet, sorry).
+
+## XIAO nRF52840 & Wio-SX1262 Kit
+
+The [XIAO nRF52840 & Wio-SX1262 Kit](https://www.seeedstudio.com/XIAO-nRF52840-Wio-SX1262-Kit-for-Meshtastic-p-6400.html) is the smallest LoRa +
+Bluetooth kit I have ever seen. At 8mm × 22mm × 23mm, it's a little
+larger (but way spikier) than my thumb.
+
+It ships with a Meshtastic 2.6.2.31c0e8f firmware, and I was able to
+flash it from the Chrome app. There *is* an extremely tiny "RST"
+button that allows it to flip to DFU, but I didn't find it until after
+trying out the web flasher.
+
+Flashing through Chrome works as it seems to be able to kick the
+device over to DFU mode from the serial port, which makes me think
+this is something we should add to reflashtic.
+
+### XIAO ESP32S3 & Wio-SX1262 Kit
+
+The [XIAO ESP32S3 & Wio-SX1262 Kit](https://www.seeedstudio.com/XIAO-ESP32S3-for-Meshtastic-LoRa-with-3D-Printed-Enclosure-p-6314.html) is... something else. It
+doesn't look like it comes flashed with Meshtastic. Here's what the
+serial port looks like when you click the button twice:
+
+```
+I (147784) NimBLE: GAP procedure initiated: advertise; 
+I (147784) NimBLE: disc_mode=2
+I (147784) NimBLE:  adv_channel_map=0 own_addr_type=0 adv_filter_policy=0 adv_itvl_min=0 adv_itvl_max=0
+I (147784) NimBLE: 
+
+I (148894) NimBLE: GAP procedure initiated: stop advertising.
+```
+
+According to upstream, this is the "LoRa single-channel gateway
+firmware". It seems like the web flasher is able to flash a "community
+maintained" firmware, but that actually fails to boot with a loop on:
+
+```
+ESP-ROM:esp32s3-20210327
+Build:Mar 27 2021
+rst:0x3 (RTC_SW_SYS_RST),boot:0x8 (SPI_FAST_FLASH_BOOT)
+Saved PC:0x403cdd11
+SPIWP:0xee
+mode:DIO, clock div:1
+load:0x3fce3810,len:0x178c
+load:0x403c9700,len:0x4
+load:0x403c9704,len:0xcbc
+load:0x403cc700,len:0x2da0
+entry 0x403c9914
+I (26) boot: ESP-IDF v5.2.1-dirty 2nd stage bootloader
+I (26) boot: compile time Nov 28 2024 14:14:32
+I (26) boot: Multicore bootloader
+I (30) boot: chip revision: v0.2
+I (34) boot.esp32s3: Boot SPI Speed : 80MHz
+I (38) boot.esp32s3: SPI Mode       : DIO
+I (43) boot.esp32s3: SPI Flash Size : 8MB
+I (48) boot: Enabling RNG early entropy source...
+I (53) boot: Partition Table:
+I (57) boot: ## Label            Usage          Type ST Offset   Length
+I (64) boot:  0 nvs              WiFi data        01 02 00009000 00006000
+I (71) boot:  1 phy_init         RF data          01 01 0000f000 00001000
+I (79) boot:  2 factory          factory app      00 00 00010000 00177000
+I (86) boot: End of partition table
+I (91) esp_image: segment 0: paddr=00010020 vaddr=3c170020 size=6dd68h (449896) map
+I (180) esp_image: segment 1: paddr=0007dd90 vaddr=3fc99e70 size=02288h (  8840) load
+I (182) esp_image: segment 2: paddr=00080020 vaddr=42000020 size=168534h (1475892) map
+I (450) esp_image: segment 3: paddr=001e855c vaddr=3fc9c0f8 size=061a8h ( 25000) load
+I (456) esp_image: segment 4: paddr=001ee70c vaddr=40374000 size=15e68h ( 89704) load
+I (476) esp_image: segment 5: paddr=0020457c vaddr=50000000 size=00004h (     4) load
+I (476) esp_image: segment 6: paddr=00204588 vaddr=600fe000 size=0002ch (    44) load
+E (482) esp_image: Image length 2049504 doesn't fit in partition length 1536000
+E (490) boot: Factory app partition is not bootable
+E (495) boot: No bootable app partitions in the partition table
+...
+```
+
+So it seems this is essentially not functional and I can't recommend
+it for Meshtastic.
+
 ## Other owned devices
 
 I also own those devices, but have not written a thorough review:
@@ -323,9 +453,10 @@ ordered a bunch more devices to examine, test, and give away.
   - [T-Lora Pager](https://lilygo.cc/products/t-lora-pager-meshtastic?variant=52332073386165), an alternative to the T-Deck with a bigger
     keyboard and likely better antennas, 94.39$USD
   - [T-Echo](https://lilygo.cc/products/t-echo-meshtastic?variant=52153213190325), tiny handheld, to test the e-ink battery life
-    alongside a NRF5280 circuit, 53$USD
+    alongside a NRF5280 circuit, 53$USD (shipped in a week, separately
+    from above)
 - Seeed studio:  $134.36  ($101.29$USD + 33.07USD shipping + CAD 27.21
-  customs)
+  customs, order shipped in a week!)
   - [SenseCAP Solar Node P1](https://www.seeedstudio.com/SenseCAP-Solar-Node-P1-for-Meshtastic-LoRa-p-6425.html): 70$USD, outdoors solar-powered relay
     with 4x18650 batteries, nRF4840, GNSS, BT 5.0, 3 power buttons, 5
     LEDs, USB-C for debug, [recommended by nyme.sh](https://nyme.sh/faq/), apprently can

diff --git a/services/meshtastic.md b/services/meshtastic.md
index 9200aeeb..88ca3c34 100644
--- a/services/meshtastic.md
+++ b/services/meshtastic.md
@@ -326,7 +326,7 @@ ordered a bunch more devices to examine, test, and give away.
     alongside a NRF5280 circuit, 53$USD
 - Seeed studio:  $134.36  ($101.29$USD + 33.07USD shipping + CAD 27.21
   customs)
-  - [SenseCAP Solar Node P1](https://www.seeedstudio.com/SenseCAP-Solar-Node-P1-for-Meshtastic-LoRa-p-6425.html): 90$USD, outdoors solar-powered relay
+  - [SenseCAP Solar Node P1](https://www.seeedstudio.com/SenseCAP-Solar-Node-P1-for-Meshtastic-LoRa-p-6425.html): 70$USD, outdoors solar-powered relay
     with 4x18650 batteries, nRF4840, GNSS, BT 5.0, 3 power buttons, 5
     LEDs, USB-C for debug, [recommended by nyme.sh](https://nyme.sh/faq/), apprently can
     be used with only two batteries?

diff --git a/services/meshtastic.md b/services/meshtastic.md
index 05e32357..9200aeeb 100644
--- a/services/meshtastic.md
+++ b/services/meshtastic.md
@@ -488,7 +488,7 @@ See also the [official list of local groups](https://meshtastic.org/docs/communi
 
 - <https://mycelium-mesh.net/> (dead?)
 - [Reticulum](https://github.com/markqvist/Reticulum), talks over LoRa but also packet radio, WiFi, i2p,
-  etc, see [sidebande](https://github.com/markqvist/Sideband?tab=readme-ov-file), [meshchat](https://lib3.net/wallabag/view/56011), [nomadnet](https://github.com/markqvist/NomadNet). update, Feb
+  etc, see [sidebande](https://github.com/markqvist/Sideband), [meshchat](https://github.com/liamcottle/reticulum-meshchat), [nomadnet](https://github.com/markqvist/NomadNet). update, Feb
   2026: Reticulum silently [switched to a in-house, non-free license
   in April 2025](https://github.com/markqvist/Reticulum/commit/e7daceec820850d397e6bf9aa585ef7222977891) and ultimately become "private source", where the
   GitHub repository is a "[public mirror](https://github.com/markqvist/Reticulum/blob/master/MIRROR.md)" but development "happens

diff --git a/services/meshtastic.md b/services/meshtastic.md
index 73b6b886..05e32357 100644
--- a/services/meshtastic.md
+++ b/services/meshtastic.md
@@ -287,7 +287,7 @@ All in all, this is a pretty amazing machine and one of the rare
 systems that allows communication without any other external device
 (like a phone or computer), which is really great. The new UI is
 fantastic, and you even have a rudimentary map showing remote nodes
-with [offline maps](https://www.reddit.com/r/meshtastic/comments/1j1chem/meshtastic_26_map_tiles_with_higher_zoom_levels/)
+with [offline maps](https://www.jeffgeerling.com/blog/2025/adding-gps-and-grid-maps-my-meshtastic-t-deck/)
 
 One improvement I want to do is to add an external antenna to increase
 the range, because as it is now it's not great. Apparently, there's an

diff --git a/services/meshtastic.md b/services/meshtastic.md
index 6a75c157..73b6b886 100644
--- a/services/meshtastic.md
+++ b/services/meshtastic.md
@@ -243,11 +243,27 @@ actually performed the following upgrades so far:
 - stock to 2.6.0.f7afa9a ("pre-release")
 - [2.6.0.f7afa9a to 2.6.2.31c0e8f](https://github.com/meshtastic/firmware/compare/v2.6.0.f7afa9a...v2.6.2.31c0e8f) (second to last "alpha",
   2.6.3.640e731 is latest as of 2025-03-27)
+- 2.7.15 beta (current "stable") switches to a more bare bones "TUI"
+  interface that works across all firmware, but you can switch to the
+  nicer "MUI" interface by holding the cursor in what i remember to be
+  the settings screen. I don't remember how to switch *back*.
 
 I have tried flashing at 115200 at first but 921600 seems to work fine
 too over USB. USB-C to USB-C does *not* work though, I need a USB-C to
 USB-A cable, bizarrely.
 
+To flash the device, one needs to:
+
+ 1. power it off
+ 2. hold down the middle, black pointer ball
+ 3. switch on the power (the flip switch on the right)
+ 4. connect the USB cable
+ 5. release the middle ball once the USB device comes up
+
+You will know it works when it shows up as a "Product: USB JTAG/serial
+debug unit" instead of "Espressif Systems LilyGO T-Deck (16 MB FLASH,
+8 MB PSRAM)".
+
 I couldn't use the GPS at first, and [filed an issue](https://github.com/Xinyuan-LilyGO/T-Deck/issues/78) which was
 promptly fixed: you need to enable it: from the UI, hold the "pin"
 logo in the main screen, this will turn on GPS and reboot. Same with

diff --git a/services/meshtastic.md b/services/meshtastic.md
index 8096db27..6a75c157 100644
--- a/services/meshtastic.md
+++ b/services/meshtastic.md
@@ -348,8 +348,15 @@ and printed or bought, see [this list](https://meshtastic.org/docs/category/encl
 
 # Software
 
+This section was mostly emptied in favor of the [reseaulibre software
+docs](https://lora.reseaulibre.ca/references/software/), see there for updates.
+
 ## Flashing special firmware
 
+Update: this is kept for historical purposes, but this has, sadly,
+changed... You can now update use alpha releases without entering a
+secret code.
+
 There are special "technical preview" or "pre-release" firmware
 available at <https://flasher.meshtastic.org> but only after you enter
 the [Konami code](https://flasher.meshtastic.org/#) (yes, really), which is, of course:
@@ -369,51 +376,6 @@ thing).
 Note that you can also [flash firmware](https://meshtastic.org/docs/getting-started/flashing-firmware/) without a web UI, but the
 flasher web UI is still useful to download the right firmware.
 
-## Mobile apps
-
-There's also an [Android app](https://meshtastic.org/docs/category/android-app/), also [shipped on F-Droid](https://f-droid.org/packages/com.geeksville.mesh/).
-
-And yes, there's also an [iOS app](https://meshtastic.org/docs/software/apple/installation/).
-
-Note that those won't work without a LoRa transmitter, to which you
-typically connect over Bluetooth.
-
-## Linux
-
-There's a [commandline client and Python library](https://github.com/meshtastic/python) that can be used
-to talk to devices. There's even a rudimentary [GTK client](https://gitlab.com/kop316/gtk-meshtastic-client). Both
-are packaged in Debian. 
-
-- TUIs
-  - [contact](https://github.com/pdxlocations/contact) (messaging)
-  - [connect](https://github.com/pdxlocations/connect) (LoRa-less client)
-
-- [reflashtic](https://gitlab.com/anarcat/scripts/-/blob/main/reflashtic.py?ref_type=heads): batch flashing tool I wrote, derived from work a
-  friend did on a similar bash script
-
-- [puget mesh](https://pugetmesh.org/) has a [bunch of interesting projects](https://pugetmesh.org/meshtastic/#member-projects):
-
-  - [meshing-around](https://github.com/SpudGunMan/meshing-around): "BBS" like functionality, ping, weather alerts,
-    shell commands, games, quizzes, messaging, testing
-
-  - [aprstastic](https://github.com/afourney/aprstastic): APRS gateway
-
-  - [meshfirmware](https://github.com/mikecarper/meshfirmware): "automatic" flasher, see also my reflashtic above
-
-- [TC2-BBS-mesh](https://github.com/TheCommsChannel/TC2-BBS-mesh): mail, channel directory, stats, fortune
-
-- [Frozen BBS](https://github.com/kstrauser/frozenbbs): another BBS, rust
-
-- [hops](https://github.com/morria/hops): bot from [nyme.sh](https://nyme.sh/)
-
-## Monitoring
-
-- <https://dash.mt.gt/>
-- <https://github.com/cordelster/mesh-metrics/>
-- <https://github.com/artiommocrenco/meshtastic-prometheus-exporter>
-- <https://github.com/tcivie/meshtastic-metrics-exporter>
-- [Meshmonitor](https://meshmonitor.org/): maps, analytics, traceroutes, triggers
-
 # MQTT
 
 Meshtastic devices can typically connect to a [MQTT](https://en.wikipedia.org/wiki/MQTT) gateway or

diff --git a/services/meshtastic.md b/services/meshtastic.md
index 4b7aa67b..8096db27 100644
--- a/services/meshtastic.md
+++ b/services/meshtastic.md
@@ -308,7 +308,8 @@ ordered a bunch more devices to examine, test, and give away.
     keyboard and likely better antennas, 94.39$USD
   - [T-Echo](https://lilygo.cc/products/t-echo-meshtastic?variant=52153213190325), tiny handheld, to test the e-ink battery life
     alongside a NRF5280 circuit, 53$USD
-- Seeed studio:  $134.36  ($101.29$USD + 33.07USD shipping)
+- Seeed studio:  $134.36  ($101.29$USD + 33.07USD shipping + CAD 27.21
+  customs)
   - [SenseCAP Solar Node P1](https://www.seeedstudio.com/SenseCAP-Solar-Node-P1-for-Meshtastic-LoRa-p-6425.html): 90$USD, outdoors solar-powered relay
     with 4x18650 batteries, nRF4840, GNSS, BT 5.0, 3 power buttons, 5
     LEDs, USB-C for debug, [recommended by nyme.sh](https://nyme.sh/faq/), apprently can
@@ -322,15 +323,17 @@ ordered a bunch more devices to examine, test, and give away.
  - [Heltec v4 pre-built kit, 50-60USD](https://heltec.org/project/wifi-lora-32-v4-expansion-housing/) (52$), 5 of them, to bootstrap a
    mesh in a friendly village
  - [HELTEC v4](https://heltec.org/project/wifi-lora-32-v4/) with a display (20$), a test board for the above
-- **Total**: 640,14USD or about 900CAD for 11 devices or 620 for 9, or
-  70$CAD each, if you discount the more expensive stuff (the solar and
-  pager)
+- **Total**: 640,14USD or about 900CAD + 27CAD customs for 11 devices
+  or 620 for 9, or 70$CAD each, if you discount the more expensive
+  stuff (the solar and pager)
 
 I did *not* get the [LoRa antenna](https://www.seeedstudio.com/RF-Explorer-LoRa-Fiberglass-Antenna-Kit-902-930MHz-5-8dBi-800mm-p-5275.html) (10$USD) because it was adding a
 whopping 70$ in shipping fees.
 
 I'll need to find 18650 batteries for the Heltec devices. I assume
-this is about 5$ each.
+this is about 5$ each. I could have gotten batteries with the build
+(2$USD) but it makes shipping more complicated and expensive, so I
+went the quicker way.
 
 ## Other devices
 

diff --git a/services/meshtastic.md b/services/meshtastic.md
index 82923a72..4b7aa67b 100644
--- a/services/meshtastic.md
+++ b/services/meshtastic.md
@@ -329,6 +329,9 @@ ordered a bunch more devices to examine, test, and give away.
 I did *not* get the [LoRa antenna](https://www.seeedstudio.com/RF-Explorer-LoRa-Fiberglass-Antenna-Kit-902-930MHz-5-8dBi-800mm-p-5275.html) (10$USD) because it was adding a
 whopping 70$ in shipping fees.
 
+I'll need to find 18650 batteries for the Heltec devices. I assume
+this is about 5$ each.
+
 ## Other devices
 
 The devices listed here have been moved to the [local mesh hardware

diff --git a/services/meshtastic.md b/services/meshtastic.md
index ba7b5e22..82923a72 100644
--- a/services/meshtastic.md
+++ b/services/meshtastic.md
@@ -138,14 +138,13 @@ mode relatively easily.
 
 # Hardware
 
-Below are some Meshtastic-compatible devices I found interesting.
+Below are some Meshtastic-compatible devices I have personally tested
+and own.
 
 Those are mostly taken from [official device list](https://meshtastic.org/docs/hardware/devices/), which you
 should consult for recommendations, particularly on chipset tradeoffs
 (e.g. ESP32 uses more battery, but is cheaper).
 
-I explain below some tests I've made with various devices.
-
 ## SenseCAP Card Tracker T1000-E
 
 The [SenseCAP Card Tracker T1000-E](https://www.seeedstudio.com/SenseCAP-Card-Tracker-T1000-E-for-Meshtastic-p-5913.html) is a neat little device:
@@ -193,6 +192,12 @@ device, but know that those are the functions of the main button:
 | Press three times     | Switch on/off the GPS     | -              |
 | Press and hold for 5s | Power off                 | Falling melody |
 
+Update: at the moment, the T1000-E is essentially bricked. I think I
+failed to do a wipe correctly and it just loops on the boot loader
+until it runs out of battery. I have found the device much more
+difficult to debug than other platforms, and don't encourage getting
+one for development at least, if at all.
+
 ### Fun story
 
 I lost that device one day! I had put it on top of a doorframe on the

diff --git a/hardware/audio.mdwn b/hardware/audio.mdwn
index f771b0e8..e0d8ac0d 100644
--- a/hardware/audio.mdwn
+++ b/hardware/audio.mdwn
@@ -255,6 +255,11 @@ jacks.
    24-bit / 192 kHz, "direct monitoring", phantom, 111dB dynamic
    range, 1kg, 130 x 174 x 53 mm, [3d mount](https://www.thingiverse.com/thing:6753373), [289$ L&M](https://www.long-mcquade.com/252196/Pro-Audio-Recording/Audio-Interfaces-DAW-Controllers/Universal-Audio/Volt-2-USB-Interface.htm)
 
+Update: I'm using a Scarlett 2i2. It generally works, with some quirks
+(i've had disconnect problems, but they seem to have resolved itself).
+
+Also interested the [Snowsky echo mini](https://www.fiiocanada.ca/products/snowsky-echo-mini) for phone-less audio listening.
+
 # Setup
 
 Our final setup would look something like this:

diff --git a/software/zfs.md b/software/zfs.md
index 3c8d042a..ed2e762e 100644
--- a/software/zfs.md
+++ b/software/zfs.md
@@ -72,7 +72,18 @@ with standard LUKS instead of ZFS encryption:
     The above will not ask you for any passphrase, but will make the
     disks unrecoverable in case the on-disk keys are lost.
 
-    TODO: use a TPM2 device instead, see [`systemd-cryptenroll`](https://wiki.archlinux.org/title/Systemd-cryptenroll)
+    This is with a TPM setup:
+    
+        for disk in sde1 sdd1 ; do
+            systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 /dev/$disk
+            systemd-cryptsetup attach crypt_dev_$disk /dev/$disk none tpm2-device=auto
+            echo crypt_dev_$disk UUID=$(lsblk -n -o UUID /dev/$disk | head -1) none  tpm2-device=auto,discard | tee -a /etc/crypttab
+        done
+    
+    This is barely tested, see [`systemd-cryptenroll`](https://wiki.archlinux.org/title/Systemd-cryptenroll) for where
+    this comes from. In particular, the `--tpm2-pcrs=7` might break on
+    firmware upgrades, see [Trusted_Platform_Module#PCR_policies](https://wiki.archlinux.org/title/Trusted_Platform_Module#PCR_policies)
+    and [Talk:Systemd-cryptenroll](https://wiki.archlinux.org/title/Talk:Systemd-cryptenroll) in the Arch wiki as well.
 
  4. Create the pool:
  

diff --git a/services/meshtastic.md b/services/meshtastic.md
index 4efc381a..ba7b5e22 100644
--- a/services/meshtastic.md
+++ b/services/meshtastic.md
@@ -273,6 +273,57 @@ the range, because as it is now it's not great. Apparently, there's an
 on-board [ipex connector](https://github.com/Xinyuan-LilyGO/T-Deck/issues/20), so I'd just need a IPEX/SMA connector
 and a [LoRa antenna](https://meshtastic.org/docs/hardware/antennas/#community-favorites).
 
+## Other owned devices
+
+I also own those devices, but have not written a thorough review:
+
+- [WisMesh Pocket V2](https://store.rakwireless.com/products/wismesh-pocket): GNSS, 1.3" OLED, acceleration sensor, power
+  button, 3200mAh battery, USB-C powered, battery lasts for days, good
+  device, good range, a bit expensive (100$)
+- [WishMesh Solar Repeater Mini](https://store.rakwireless.com/products/wishmesh-meshtastic-solar-repeater-mini): solar, battery, mast-mountable,
+  lived on my roof for a while but fell down a meter and got shaken
+  up: water inside and antenna unscrewed, survived, still in operation
+  in a window (100USD)
+- [RAK19003 base kit](https://store.rakwireless.com/products/wisblock-meshtastic-starter-kit?variant=43884035113158), test kit for the above (28$)
+- [WisMesh Ethernet Gateway](https://store.rakwireless.com/products/wismesh-ethernet-gateway): no battery, no solar ([might be
+  convertible](https://forum.rakwireless.com/t/ethernet-gateway-with-batteries-solar/14601), but ethernet and PoE, note that [HTTP-based
+  management not possible](https://github.com/meshtastic/firmware/issues/2908), so configuration still has to go
+  through Bluetooth, but monitoring is possible over MQTT, and of
+  course the gateway receives and relays messages over
+  LoRa/Meshtastic! waiting for time to deploy and hook up to
+  monitoring
+
+## 2026 order
+
+The above was ordered and tested in 2025. In 2026, I did it again and
+ordered a bunch more devices to examine, test, and give away.
+
+- Lilygo: $177.88USD (147$USD + 30$USD shipping)
+  - [T-Lora Pager](https://lilygo.cc/products/t-lora-pager-meshtastic?variant=52332073386165), an alternative to the T-Deck with a bigger
+    keyboard and likely better antennas, 94.39$USD
+  - [T-Echo](https://lilygo.cc/products/t-echo-meshtastic?variant=52153213190325), tiny handheld, to test the e-ink battery life
+    alongside a NRF5280 circuit, 53$USD
+- Seeed studio:  $134.36  ($101.29$USD + 33.07USD shipping)
+  - [SenseCAP Solar Node P1](https://www.seeedstudio.com/SenseCAP-Solar-Node-P1-for-Meshtastic-LoRa-p-6425.html): 90$USD, outdoors solar-powered relay
+    with 4x18650 batteries, nRF4840, GNSS, BT 5.0, 3 power buttons, 5
+    LEDs, USB-C for debug, [recommended by nyme.sh](https://nyme.sh/faq/), apprently can
+    be used with only two batteries?
+  - [XIAO ESP32S3 & Wio-SX1262 Kit](https://www.seeedstudio.com/XIAO-ESP32S3-for-Meshtastic-LoRa-with-3D-Printed-Enclosure-p-6314.html): tiny, cheap, - 40℃ ~ 100℃,
+    WiFi 2.4GHz, BLE 5.0 / Mesh, reset/boot button, 22x23x57mm, 37g,
+    exposed GPIO ports, 20$, to see if it has a battery
+  - [XIAO nRF52840 & Wio-SX1262 Kit](https://www.seeedstudio.com/XIAO-nRF52840-Wio-SX1262-Kit-for-Meshtastic-p-6400.html): even tinier, nRF52840,
+    Semtech SX1262, NFC, BT, -40°C ~ 65°C, 22 x 21 x 17.8mm
+- Heltec: $327.90 ($289.40USD + 38.50 shipping)
+ - [Heltec v4 pre-built kit, 50-60USD](https://heltec.org/project/wifi-lora-32-v4-expansion-housing/) (52$), 5 of them, to bootstrap a
+   mesh in a friendly village
+ - [HELTEC v4](https://heltec.org/project/wifi-lora-32-v4/) with a display (20$), a test board for the above
+- **Total**: 640,14USD or about 900CAD for 11 devices or 620 for 9, or
+  70$CAD each, if you discount the more expensive stuff (the solar and
+  pager)
+
+I did *not* get the [LoRa antenna](https://www.seeedstudio.com/RF-Explorer-LoRa-Fiberglass-Antenna-Kit-902-930MHz-5-8dBi-800mm-p-5275.html) (10$USD) because it was adding a
+whopping 70$ in shipping fees.
+
 ## Other devices
 
 The devices listed here have been moved to the [local mesh hardware

diff --git a/services/meshtastic.md b/services/meshtastic.md
index 14177aee..4efc381a 100644
--- a/services/meshtastic.md
+++ b/services/meshtastic.md
@@ -1,6 +1,10 @@
 After reading this [LWN review][] and being poked a few times by
 friends, I started playing around with [meshtastic](https://meshtastic.org/).
 
+> Note: I have started a whole [website for the Montreal mesh
+> project](https://lora.reseaulibre.ca/) and will progressively migrate at least some content
+> from here to there.
+
 [[!toc levels=3]]
 
 # Range
@@ -271,64 +275,11 @@ and a [LoRa antenna](https://meshtastic.org/docs/hardware/antennas/#community-fa
 
 ## Other devices
 
-Those are currently in testing, I'll write more about them as I find
-the time:
-
-- [WisMesh Pocket V2](https://store.rakwireless.com/products/wismesh-pocket): GNSS, 1.3" OLED, acceleration sensor, power
-  button, 3200mAh battery, USB-C powered, 100$
-- [WisMesh Solar Repeater](https://store.rakwireless.com/products/wismesh-meshtastic-solar-repeater): solar, battery, mast-mountable, unclear
-  if it can be setup without solar and if it supports MQTT/ethernet,
-  300$, SenseCAP Solar Node P1 (below) might be sturdier and cheaper
-- [WishMesh Solar Repeater Mini](https://store.rakwireless.com/products/wishmesh-meshtastic-solar-repeater-mini): solar, battery, mast-mountable,
-  cheaper, 100$
-- [WisMesh Ethernet Gateway](https://store.rakwireless.com/products/wismesh-ethernet-gateway): no battery, no solar, but ethernet
-  and PoE, [asked about converting this to solar](https://forum.rakwireless.com/t/ethernet-gateway-with-batteries-solar/14601), seems like a
-  project but possible, [HTTP-based management not possible](https://github.com/meshtastic/firmware/issues/2908), so
-  configuration still has to go through Bluetooth, but monitoring is
-  possible over MQTT, and of course the gateway receives and relays
-  messages over LoRa/Meshtastic!
-- the [RAK19003 base kit](https://store.rakwireless.com/products/wisblock-meshtastic-starter-kit?variant=43884035113158) is also nice. it's more expensive (28$,
-  *without* a case), but a case [can be printed](https://www.printables.com/model/286664-rak19003-micro-case-for-meshtastic) but it's tricky
-  because there are many (83!) design files in there, useful if you
-  already order from RAK wireless and need extra kits and know your
-  way around DIY builds. you need to also buy:
-  - 4 × M3x20mm socket head cap screws ([this kit](https://abra-electronics.com/hardware/metric-hardware-kits/nuts/sc-h-m-ss-kit-m2-m3-m4-stainless-steel-hex-socket-cap-head-screws-washers-nuts-assortment-kit-1080pcs.html) covers this and
-    the nuts)
-  - 4 × M3 nuts
-  - 2 × M2.5 screws (*not* part of the above kit, [length unclear](https://www.printables.com/model/286664-rak19003-micro-case-for-meshtastic/comments/2516182),
-    [here are M2.5x6mm](https://abra-electronics.com/hardware/metric-hardware-round-phillips-head-screws/1968p-machine-screw-m2.5-6mm-length-phillips-25-pack.html) or [this kit](https://abra-electronics.com/hardware/metric-hardware-kits/screws-bolts/repair-kit-for-eyeglasses-watches-screws-and-nuts-caps-m1m2m2.5-stainless.html))
-  - 1 × battery ([Amazon](https://www.amazon.com/gp/product/B091FKGW8H), possibly the same as [Abra](https://abra-electronics.com/batteries-holders/batteries-polymer-lithium-ion/1578-ada-lithium-ion-polymer-battery-37v-500mah-1578-ada.html),
-    optional?)
-  - there's also an optional [battery cutoff switch](https://www.amazon.com/gp/product/B086L2GPGX), couldn't find
-    an [equivalent on Abra](https://abra-electronics.com/electromechanical/switches/pushbutton-switches/)
-
-Those I haven't tested yet as I haven't laid hand on them:
-
-- [SenseCAP Solar Node P1](https://www.seeedstudio.com/SenseCAP-Solar-Node-P1-for-Meshtastic-LoRa-p-6425.html): 90$USD, outdoors solar-powered relay
-  with 4x18650 batteries, nRF4840, GNSS, BT 5.0, 3 power buttons, 5
-  LEDs, USB-C for debug, [recommended by nyme.sh](https://nyme.sh/faq/)
-- [T-Echo](https://lilygo.cc/products/t-echo-lilygo): e-ink display, GPS, BT 5.0, no wifi, only three
-  buttons, NFC, 850mAh battery, temperature/pressure sensor, 55$
-- [T-Beam Supreme](https://lilygo.cc/products/t-beam-supreme?variant=43067944173749): 1.3" OLED display, 18650 battery socket,
-  magnetometer, 2.4GHz WiFi, BLE 5, GNSS, no case, 52$, the [T-Beam
-  SoftRF](https://lilygo.cc/products/t-beam-softrf?variant=43170158477493) is similar but without a display and cheaper, 30$
-- [T-Deck Pro](https://lilygo.cc/products/t-deck-pro): 3.1" e-ink touch screen, 4G module, WiFi 2.4GHz,
-  BLE 5, GPS, TF Card, mic, speaker, keypad, see also the [T5 e-paper
-  s3 pro](https://lilygo.cc/products/t5-e-paper-s3-pro)
-- Seeedstudio [XIAO ESP32S3 & Wio-SX1262 Kit](https://www.seeedstudio.com/XIAO-ESP32S3-for-Meshtastic-LoRa-with-3D-Printed-Enclosure-p-6314.html): tiny, cheap, - 40℃ ~
-  100℃, WiFi 2.4GHz, BLE 5.0 / Mesh, reset/boot button, 22x23x57mm,
-  37g, exposed GPIO ports, unclear if has a battery, 20$
-- the [HELTEC v3](https://heltec.org/project/wifi-lora-32-v3/) might be a more reliable bet as it's listed more
-  prominently in Meshtastic docs, also 20$ with the case (but no
-  battery, and battery doesn't fit in the case), they also have an
-  [eink dev board](https://heltec.org/project/vision-master-e290/)
-- [Muzi](https://muzi.works/) has builds on top of the Heltec, e.g. [this H2T](https://muzi.works/products/h2t-complete-device-heltec-t114-with-gps-running-meshtastic) made
-  with a Heltec T114, [this R1 Neo](https://muzi.works/products/r1-neo-complete-meshtastic-device) is similar to the WisMesh
-  Pocket, but smaller, better sealed, but more expensive
-- [Lamp hack](https://hackaday.io/project/194509-harbor-breeze-meshtastic-hack)
-- [Antennas](https://meshtastic.org/docs/hardware/antennas/) vary as well
-- Power is a whole other question, see [power consumption
-  measurements](https://meshtastic.org/docs/hardware/solar-powered/measure-power-consumption/) and [old reseaulibre power notes](https://wiki.reseaulibre.ca/documentation/power/)
+The devices listed here have been moved to the [local mesh hardware
+review guide](https://lora.reseaulibre.ca/guides/hardware/).
+
+Power is a whole other question, see [power consumption
+measurements](https://meshtastic.org/docs/hardware/solar-powered/measure-power-consumption/) and [old reseaulibre power notes](https://wiki.reseaulibre.ca/documentation/power/)
 
 Devices without cases typically have 3D designs that can be downloaded
 and printed or bought, see [this list](https://meshtastic.org/docs/category/enclosures/).

diff --git a/blog/2026-03-05-wallabako-retirement.md b/blog/2026-03-05-wallabako-retirement.md
index 284329c9..4dde4fdc 100644
--- a/blog/2026-03-05-wallabako-retirement.md
+++ b/blog/2026-03-05-wallabako-retirement.md
@@ -20,11 +20,17 @@ better out there. I have switched away from [Wallabag](https://wallabag.org/) to
 [Readeck](https://readeck.org/)!
 
 And I'm also tired of maintaining "modern" software. Most of the
-recent commits on Wallabag are [renovate-bot](https://gitlab.com/renovate-bot-anarcat). This feels futile
+recent commits on Wallabako are from [renovate-bot](https://gitlab.com/renovate-bot-anarcat). This feels futile
 and pointless. I guess it *must* be done at some point, but it also
-feels we went wrong somewhere there. Maybe [Filippo Valsord](https://filippo.io/) is
+feels we went wrong somewhere there. Maybe [Filippo Valsorda](https://filippo.io/) is
 right and one should [turn dependabot off](https://words.filippo.io/dependabot/).
 
+I did consider porting Wallabako to Readeck for a while, but there's a
+[perfectly fine Koreader plugin](https://github.com/iceyear/readeck.koplugin) that I've been pretty happy to
+use. I was worried it would be slow (because the Wallabag plugin *is*
+slow), but it turns out that Readeck is fast enough that this doesn't
+matter.
+
 # Moving from Wallabag to Readeck
 
 Readeck is pretty fantastic: it's fast, it's lightweight, everything
@@ -32,7 +38,7 @@ Just Works. All sorts of concerns I had with Wallabag are just gone:
 [questionable authentication](https://github.com/wallabag/wallabag/issues/2800), [questionable API](https://github.com/wallabag/wallabag/issues/2859), [weird
 bugs](https://github.com/wallabag/wallabag/issues/6532), mostly gone. I am still looking for [multiple tags
 filtering](https://github.com/wallabag/wallabag/issues/1197) but I have a much better feeling about Readeck than
-Wallabag: it's written in Golang and under activ development.
+Wallabag: it's written in Golang and under active development.
 
 In any case, I don't want to throw shade at the Wallabag folks
 either. They did [solve most of the issues I raised with them](https://github.com/wallabag/wallabag/issues?q=involves%3Aanarcat) and
@@ -41,8 +47,8 @@ thousands of articles for a long time! It's just time to move on.
 
 The migration from Wallabag was impressively simple. The importer is
 well-tuned, fast, and just works. I wrote about the import in [this
-issue](https://codeberg.org/readeck/readeck/issues/1119), but it took about 20 minutes to import essentially all the
-articles, and another 5 hours to refresh all the contnts.
+issue](https://codeberg.org/readeck/readeck/issues/1119), but it took about 20 minutes to import essentially all 
+articles, and another 5 hours to refresh all the contents.
 
 There are minor issues with Readeck which I have filed (after asking!):
 
@@ -54,13 +60,13 @@ There are minor issues with Readeck which I have filed (after asking!):
 
 But overall I'm happy and impressed with the result.
 
-I'm also a mix of happy and sad at letting go of my first (and only,
+I'm also both happy and sad at letting go of my first (and only,
 so far) Golang project. I loved writing in Go: it's a clean language,
 fast to learn, and a beauty to write parallel code in (at the cost of
 a rather obscure runtime). 
 
 It would have been *much* harder to write this in Python, but my
-experience in Golang help me think about how to write more parallel
+experience in Golang helped me think about how to write more parallel
 code in Python, which is kind of cool.
 
 The [GitLab project](https://gitlab.com/anarcat/wallabako/) will remain publicly accessible, but archived,

diff --git a/blog/2026-03-05-wallabako-retirement.md b/blog/2026-03-05-wallabako-retirement.md
index d266d2a3..284329c9 100644
--- a/blog/2026-03-05-wallabako-retirement.md
+++ b/blog/2026-03-05-wallabako-retirement.md
@@ -70,3 +70,7 @@ stewardship for this project, [contact me](https://anarc.at/contact/).
 Thanks Wallabag folks, it was a great ride!
 
 [[!tag wallabako debian-planet python-planet]]
+
+
+<!-- posted to the federation on 2026-03-05T22:05:36.672330 -->
+[[!mastodon "https://kolektiva.social/@Anarcat/116180014625645863"]]
\ No newline at end of file

diff --git a/blog/2026-03-05-wallabako-retirement.md b/blog/2026-03-05-wallabako-retirement.md
new file mode 100644
index 00000000..d266d2a3
--- /dev/null
+++ b/blog/2026-03-05-wallabako-retirement.md
@@ -0,0 +1,72 @@
+[[!meta title="Wallabako retirement and Readeck adoption"]]
+
+Today I have made the tough decision of retiring the [Wallabako](https://gitlab.com/anarcat/wallabako/)
+project. I have rolled out a final (and trivial) 1.8.0 release which
+fixes the uninstall procedure and rolls out a bunch of dependency
+updates.
+
+[[!toc]]
+
+# Why?
+
+The main reason why I'm retiring Wallabako is that I have completely
+stopped using it. It's not the first time: for a while, I wasn't
+reading Wallabag articles on my Kobo anymore. But I had started
+working on it again [about four years ago](https://anarc.at/blog/2022-05-06-wallabako-1.4.0-released/). Wallabako itself is
+about to turn 10 years old.
+
+This time, I stopped using Wallabako because there's simply something
+better out there. I have switched away from [Wallabag](https://wallabag.org/) to
+[Readeck](https://readeck.org/)!
+
+And I'm also tired of maintaining "modern" software. Most of the
+recent commits on Wallabag are [renovate-bot](https://gitlab.com/renovate-bot-anarcat). This feels futile
+and pointless. I guess it *must* be done at some point, but it also
+feels we went wrong somewhere there. Maybe [Filippo Valsord](https://filippo.io/) is
+right and one should [turn dependabot off](https://words.filippo.io/dependabot/).
+
+# Moving from Wallabag to Readeck
+
+Readeck is pretty fantastic: it's fast, it's lightweight, everything
+Just Works. All sorts of concerns I had with Wallabag are just gone:
+[questionable authentication](https://github.com/wallabag/wallabag/issues/2800), [questionable API](https://github.com/wallabag/wallabag/issues/2859), [weird
+bugs](https://github.com/wallabag/wallabag/issues/6532), mostly gone. I am still looking for [multiple tags
+filtering](https://github.com/wallabag/wallabag/issues/1197) but I have a much better feeling about Readeck than
+Wallabag: it's written in Golang and under activ development.
+
+In any case, I don't want to throw shade at the Wallabag folks
+either. They did [solve most of the issues I raised with them](https://github.com/wallabag/wallabag/issues?q=involves%3Aanarcat) and
+even accepted [my pull request](https://github.com/wallabag/wallabag/pull/7849). They have helped me collect
+thousands of articles for a long time! It's just time to move on.
+
+The migration from Wallabag was impressively simple. The importer is
+well-tuned, fast, and just works. I wrote about the import in [this
+issue](https://codeberg.org/readeck/readeck/issues/1119), but it took about 20 minutes to import essentially all the
+articles, and another 5 hours to refresh all the contnts.
+
+There are minor issues with Readeck which I have filed (after asking!):
+
+- [add justified view for articles](https://codeberg.org/gollyhatch/eckard/issues/19) (Android app)
+- [more metadata in article display](https://codeberg.org/gollyhatch/eckard/issues/20) (Android app)
+- [show the number of articles in the label browser](https://codeberg.org/readeck/readeck/issues/1126)
+- [ignore duplicates](https://codeberg.org/readeck/readeck/issues/73#issuecomment-11025251) (Readeck will happily add duplicates, whereas
+  Wallabag at least *tries* to deduplicate articles -- but often fails)
+
+But overall I'm happy and impressed with the result.
+
+I'm also a mix of happy and sad at letting go of my first (and only,
+so far) Golang project. I loved writing in Go: it's a clean language,
+fast to learn, and a beauty to write parallel code in (at the cost of
+a rather obscure runtime). 
+
+It would have been *much* harder to write this in Python, but my
+experience in Golang help me think about how to write more parallel
+code in Python, which is kind of cool.
+
+The [GitLab project](https://gitlab.com/anarcat/wallabako/) will remain publicly accessible, but archived,
+for the foreseeable future. If you're interested in taking over
+stewardship for this project, [contact me](https://anarc.at/contact/).
+
+Thanks Wallabag folks, it was a great ride!
+
+[[!tag wallabako debian-planet python-planet]]

diff --git a/hardware/keyboard.mdwn b/hardware/keyboard.mdwn
index eac26f77..802a9323 100644
--- a/hardware/keyboard.mdwn
+++ b/hardware/keyboard.mdwn
@@ -175,6 +175,20 @@ The whole point of this was to try to get a scroll lock key to work. I
 haven't figured it out. I did find their [layout manual](https://cdn.shopifycdn.net/s/files/1/0268/7297/1373/files/NuPhy_Air75_V2_Q_A.pdf?v=1692772705) and the
 [quick guide](https://cdn.shopify.com/s/files/1/0268/7297/1373/files/NuPhy_Air75_V2_Quick_Guide.pdf?v=1696498123) but it doesn't seem to support those extra keys.
 
+Ultimately, I bound the <kbd>meta k</kbd> key to `input type:keyboard
+xkb_switch_layout next` (I don't use `focus left`) which worked for
+the immediate fix.
+
+Update, 2026-03-02: I am using this keyboard more as I set it up with
+a travel rack (a [Roost v3 Plus](https://www.therooststand.com/collections/roost-laptop-stand/products/roost-v3-plus-laptop-stand-copy)) and use it while working away
+from home, paired with the Nuphy (because it's small). The first day
+was fine, and it worked great (although it made me realize how loud it
+is!), but during the second day, the keyboard seemed to hang about
+half a dozen times. It would just get stuck on a key and keep sending
+the same key over and over, as if I was holding it down. I have to
+turn the keyboard off and then back on to fix this. Furthermore, it
+looks like newer Nuphy keyboards [do *not* ship with QMK](https://github.com/qmk/qmk_firmware/pull/22751#issuecomment-3455721189).
+
 ### Other reviews
 
 rtings reviewed [five models](https://www.rtings.com/keyboard/tools/table/141136) and outlined:

diff --git a/blog/secrets-recovery.md b/blog/secrets-recovery.md
index 1fdcbee1..489f34c6 100644
--- a/blog/secrets-recovery.md
+++ b/blog/secrets-recovery.md
@@ -61,6 +61,7 @@ to review: https://news.ycombinator.com/item?id=37534615
 
 128-bit metal punch card backup https://volution.ro/pckb/
 
+https://git.joeyh.name/index.cgi/gpg.git/tree/README.sss
 
 <!-- posted to the federation on 2025-06-01T23:04:28.772798 -->
 [[!mastodon "https://kolektiva.social/@Anarcat/114611550199170060"]]

diff --git a/services/dns.mdwn b/services/dns.mdwn
index 37e64614..009ffe8f 100644
--- a/services/dns.mdwn
+++ b/services/dns.mdwn
@@ -99,15 +99,17 @@ présentement:
    simplement quitter / ignorer
 
  * mythic-beasts: découvert que c'est un revendeur OpenSRS, donc moins
-   intéressant, coûteux, mais trusted... pour l'instant un seul
-   domaine là, à migrer vers OpenSRS?
+   intéressant, coûteux, mais trusted...
 
  * OpenSRS: reste ~70$USD de crédit, intéressant parce que très
    puissant, mais pas sûr que je veux être revendeur, j'aurais
    probablement jamais le débit (1000 *nouveaux* par an!) pour avoir
    des rabais, mais somme toute assez bon: DNSSEC fonctionnel, API,
    comptes revendeurs, etc, autre problème: pas de facturation
-   automatique sur VISA, il faut débiter manuellement
+   automatique sur VISA, il faut débiter manuellement. vraiment trop
+   compliqué.
+
+ * porkbun: pas cher, mais la [gestion multi-user](https://kb.porkbun.com/article/242-subaccounts-vs-authorized-users) st pas super
 
 À considérer, sinon:
 
@@ -121,14 +123,13 @@ présentement:
 Situation actuelle:
 
  * opensrs: test account created, hosted: `debian-policy.info`
-   (2025-10-15), not sure I want to keep, could be just for `anarc.at`
- * mythic beasts: idem, to be closed, hosted: `alterne.ca`
-   (2025-09-11), maybe keep for `anarc.at` and close OpenSRS because
-   it's too complicated?
+   (2025-10-15), way too complicated, to close, probably alongside
+   debian-policy.info
+ * mythic beasts: kept for `anarc.at`
  * porkbun: `orangeseeds.net` `orangeseeds.org` (transfer started
    2023-12-19), `vichama.ca` (2024-05-17)
- * gandi: `reseaulibre.ca` (2024-04-28), `anarc.at` (2024-09-06),
-   `insomniaque.org` (2029-04-28)
+ * gandi: `reseaulibre.ca` (2024-04-28), `insomniaque.org`
+   (2029-04-28)
 
 ## Secondaires
 

diff --git a/services/dns.mdwn b/services/dns.mdwn
index 088a2f85..37e64614 100644
--- a/services/dns.mdwn
+++ b/services/dns.mdwn
@@ -65,7 +65,7 @@ n'y sont pas listés.
 | dnssimple.com     | 14.50USD | 14.00USD | 16.00USD | 16.00CAD | 18.00USD | 21.60USD | also hosting, support for [RFC 8078][]                          |
 | dynadot.com       | 11.99USD | 10.99USD | 11.99USD | 9.99USD  | 13.25USD | 17.99USD | hosted wikileaks, blocked in india for cybersquatting           |
 | easydns.com       | 19.00USD | 19.00USD | 15.00USD | 12.53USD | 24.00USD | 26.00USD | 12.52USD = 15.00CAD, also hosting                               |
-| gandi.net         | 23.99USD | 24.99USD | 24.99USD | 24.99CAD | 29.99USD | 39.99USD | pas de transfer lock .at, [vendus][], prix explosés             |
+| gandi.net         | 23.99USD | 24.99USD | 24.99USD | 24.99CAD | 29.99USD | 39.99USD | [vendus][], prix explosés             |
 | glauca.digital    | 22.34USD | 27.58USD | 30.09USD | 28.80CAD | 22.05EUR | 28.74USD | excellent API, support for [RFC 7344][] and [RFC 8078][]        |
 | infomaniak.com    | 12.23EUR | 14.70USD | 13.36USD | 14.86USD | 14.70USD | 20.06USD | 2,40 € / year extra for domain privacy, requires identity check |
 | joker.com         | 16.99USD | 16.88USD | 18.67USD | N/A      | 15.99USD | 28.80USD |                                                                 |

diff --git a/blog/2026-02-18-iproute2.md b/blog/2026-02-18-iproute2.md
index 41dbc465..ee3aac53 100644
--- a/blog/2026-02-18-iproute2.md
+++ b/blog/2026-02-18-iproute2.md
@@ -17,6 +17,9 @@ package to `net-tools` the new `iproute2`, about 10 years late:
 | `route del ROUTE`           | `ip route del ROUTE`                         | `ip r d ROUTE`               | remove `ROUTE` (e.g. `default`)         |
 | `netstat -anpe`             | `ss --all --numeric  --processes --extended` | `ss -anpe`                   | list listening processes, less pretty   |
 
+Note that I wrote a [[whole
+article|blog/2023-03-10-listening-processes]] about the latter.
+
 # Another trick
 
 Also note that I often alias `ip` to `ip -br -c` as it provides a
@@ -98,4 +101,4 @@ hilarious.
 
 
 <!-- posted to the federation on 2026-02-18T11:30:55.082264 -->
-[[!mastodon "https://kolektiva.social/@Anarcat/116092584255984978"]]
\ No newline at end of file
+[[!mastodon "https://kolektiva.social/@Anarcat/116092584255984978"]]

diff --git a/blog/list-tags.sh b/blog/list-tags.sh
index 01f3d83e..b07d4ca5 100644
--- a/blog/list-tags.sh
+++ b/blog/list-tags.sh
@@ -1,2 +1,3 @@
 #! /bin/sh
+
 grep -P -h '(?<!\\)\[\[!tag' *.mdwn | sed 's/\[\[!tag//g;s/\]\]//g;s/"//g;s/ /\n/g' | sort | grep . | uniq -c | sort -n

diff --git a/blog.mdwn b/blog.mdwn
index b46f05bf..626ea5ac 100644
--- a/blog.mdwn
+++ b/blog.mdwn
@@ -434,4 +434,5 @@ quick=yes
 * 2005-2015: [Blog Drupal](https://web.archive.org/web/20150209161332/http://anarcat.koumbit.org/)
 * 2005: [Pseudo-blog wiki](http://wiki.koumbit.net/TheAnarcatBlog)
 * 2003-2004: [Blog de l'Insomniaque](http://insomniaque.org/blog/5.html)
+
 </div>

diff --git a/blog.mdwn b/blog.mdwn
index 820ac066..b46f05bf 100644
--- a/blog.mdwn
+++ b/blog.mdwn
@@ -435,7 +435,3 @@ quick=yes
 * 2005: [Pseudo-blog wiki](http://wiki.koumbit.net/TheAnarcatBlog)
 * 2003-2004: [Blog de l'Insomniaque](http://insomniaque.org/blog/5.html)
 </div>
-
-
-<!-- posted to the federation on 2026-02-23T14:39:17.330821 -->
-[[!mastodon "https://kolektiva.social/@Anarcat/116121636514747968"]]
\ No newline at end of file

diff --git a/blog.mdwn b/blog.mdwn
index b46f05bf..820ac066 100644
--- a/blog.mdwn
+++ b/blog.mdwn
@@ -435,3 +435,7 @@ quick=yes
 * 2005: [Pseudo-blog wiki](http://wiki.koumbit.net/TheAnarcatBlog)
 * 2003-2004: [Blog de l'Insomniaque](http://insomniaque.org/blog/5.html)
 </div>
+
+
+<!-- posted to the federation on 2026-02-23T14:39:17.330821 -->
+[[!mastodon "https://kolektiva.social/@Anarcat/116121636514747968"]]
\ No newline at end of file

diff --git a/blog.mdwn b/blog.mdwn
index df76e9b4..b46f05bf 100644
--- a/blog.mdwn
+++ b/blog.mdwn
@@ -99,6 +99,22 @@ more socially acceptable and less politically controversial.
 <!-- end copy-paste -->
 ## 2025
 
+[[!inline pages="
+(
+  page(blog/*)
+  or tagged(blog)
+)
+and creation_year(2026)
+and !blog/*/*
+and !link(foo)
+and !tagged(draft)
+and !tagged(redirection)"
+archive=yes
+quick=yes
+]]
+
+## 2025
+
 [[!inline pages="
 (
   page(blog/*)

diff --git a/blog/2026-02-23-dst-warning.md b/blog/2026-02-23-dst-warning.md
index bee66209..0ddce923 100644
--- a/blog/2026-02-23-dst-warning.md
+++ b/blog/2026-02-23-dst-warning.md
@@ -188,3 +188,7 @@ was written, and curses found along the way, are also documented in
 duty.
 
 [[!tag news time debian-planet python-planet]]
+
+
+<!-- posted to the federation on 2026-02-23T14:32:07.697000 -->
+[[!mastodon "https://kolektiva.social/@Anarcat/116121608354789757"]]
\ No newline at end of file

diff --git a/blog/2026-02-23-dst-warning.md b/blog/2026-02-23-dst-warning.md
new file mode 100644
index 00000000..bee66209
--- /dev/null
+++ b/blog/2026-02-23-dst-warning.md
@@ -0,0 +1,190 @@
+[[!meta title="PSA: North america changes time forward soon, Europe next"]]
+
+> This is a copy of an email I used to send internally at work and now
+> [made public](https://lists.torproject.org/mailman3/hyperkitty/list/tor-project@lists.torproject.org/thread/HR3ISDIVLOR5NNAN24F2TCHMPHFOI2XR/). I'm not sure I'll make a habit of posting it here,
+> especially not *twice a year*, unless people really like it. Right
+> now, it's mostly here to keep with my current writing spree going.
+
+This is your bi-yearly reminder that time is changing soon!
+
+# What's happening?
+
+For people not on tor-internal, you should know that I've been sending
+semi-regular announcements when daylight saving changes occur. Starting
+now, I'm making those announcements public so they can be shared with
+the wider community because, after all, this affects everyone (kind of).
+
+For those of you lucky enough to have no idea what I'm talking about,
+you should know that some places in the world implement what is called
+[Daylight saving time or DST](https://en.wikipedia.org/wiki/Daylight_saving_time).
+
+Normally, you shouldn't have to do anything: computers automatically
+change time following local rules, assuming they are correctly
+configured, provided recent updates have been applied in the case of a
+recent change in said rules (because yes, this happens).
+
+Appliances, of course, will likely *not* change time and will need to
+adjusted unless they are so-called "smart" (also known as "part of a bot
+net").
+
+If your clock is flashing "0:00" or "12:00", you have no action to take,
+congratulations on having the right time once or twice a day.
+
+If you haven't changed those clocks in six months, congratulations, they
+will be accurate again!
+
+In any case, you should still consider DST because it might affect some
+of your meeting schedules, particularly if you set up a new meeting
+schedule in the last 6 months and forgot to consider this
+change.
+
+# If your location does not have DST
+
+Properly scheduled meetings affecting multiple time zones are set in UTC
+time, which does *not* change. So if your location does not observer
+time changes, your (local!) meeting time will *not* change.
+
+But be aware that some other folks attending your meeting *might* have
+the DST bug and *their* meeting times will change. They might miss
+entire meetings or arrive late as you frantically ping them over IRC,
+Matrix, Signal, SMS, Ricochet, Mattermost, SimpleX, Whatsapp, Discord,
+Slack, Wechat, Snapchat, Telegram, XMPP, Briar, Zulip, RocketChat,
+DeltaChat, talk(1), write(1), actual telegrams, Meshtastic, Meshcore,
+Reticulum, APRS, snail mail, and, finally, flying a remote presence
+drone to their house, asking what's going on.
+
+(Sorry if I forgot your preferred messaging client here, I tried my
+best.)
+
+Be kind; those poor folks might be more sleep deprived as DST *steals*
+one hour of sleep from them on the night that implements the change.
+
+# If you do observe DST
+
+If you are affected by the DST bug, your *local* meeting times *will*
+change access the board. Normally, you can trust that your meetings are
+scheduled to take this change into account and the new time should still
+be reasonable.
+
+Trust, but verify; make sure the new times *are* adequate and there are
+no scheduling conflicts.
+
+Do this *now*: take a look at your calendar in two week *and* in
+April. See if any meeting need to be rescheduled because of an
+impossible or conflicting time.
+
+# When does time change, how and where?
+
+Notice how I mentioned "North America" in the subject? That's a
+lie. ("The doctor lies", as they say on the BBC.) Other places,
+including Europe, also changes times, just not all at once (and not all
+North America).
+
+We'll get into "where" soon, but first let's look at the "how". As you might
+already know, the trick is:
+
+> Spring forward, fall backwards.
+
+This northern-centric (sorry!) proverb says that clocks will move
+*forward* by an hour this "spring", after moving *backwards* last
+"fall". This is why we lose an hour of work, sorry, sleep. It sucks, to
+put it bluntly. I want it to stop and will keep writing those advisories
+until it does.
+
+To see where and when, we, unfortunately, still need to go into politics.
+
+## USA and Canada
+
+First, we start with "North America" which, really, is just some *parts*
+of USA[1] and Canada[2]. As usual, on the Second Sunday in March (the
+8th) at 02:00 local (not UTC!), the clocks will move forward.
+
+This means that properly set clocks will flip from 1:59 to 3:00, coldly
+depriving us from an hour of sleep that was perniciously granted 6
+months ago and making calendar software stupidly hard to write.
+
+Practically, set your wrist watch and alarm clocks[3] back one hour
+before going to bed and go to bed early.
+
+[1] except Arizona (except the Navajo nation), US territories, and
+    Hawaii
+
+[2] except Yukon, most of Saskatchewan, and parts of British Columbia
+    (northeast), one island in Nunavut (Southampton Island), one town in
+    Ontario (Atikokan) and small parts of Quebec (Le
+    Golfe-du-Saint-Laurent), a list which I keep recopying because I
+    find it just so amazing how chaotic it is. When your clock has its
+    [own Wikipedia page](https://en.wikipedia.org/wiki/Time_in_Saskatchewan), you know something is wrong.    
+
+[3] hopefully not managed by a botnet, otherwise kindly ask your bot net
+    operator to apply proper software upgrades in a timely manner
+
+## Europe
+
+Next we look at our dear Europe, which will change time on the last
+Sunday in March (the 29th) at 01:00 *UTC* (not local!). I *think* it
+means that, Amsterdam-time, the clocks will flip from 1:59 to 3:00 AM
+*local* on that night.
+
+(Every time I write this, I have doubts. I would welcome independent
+confirmation from night owls that observe that funky behavior
+experimentally.)
+
+Just like your poor fellows out west, just fix your old-school clocks
+before going to bed, and go to sleep early, it's good for you.
+
+## Rest of the world with DST
+
+Renewed and recurring apologies again to the people of Cuba, Mexico,
+Moldova, Israel, Lebanon, Palestine, Egypt, Chile (except Magallanes
+Region), parts of Australia, and New Zealand which *all* have their own
+*individual* DST rules, omitted here for brevity.
+
+In general, changes also happen in March, but either on different
+times or different days, except in the south hemisphere, where they
+happen in April.
+
+## Rest of the world without DST
+
+All of you other folks without DST, rejoice! Thank you for reminding us
+how manage calendars and clocks normally. Sometimes, doing nothing is
+precisely the right thing to do. You're an inspiration for us all.
+
+# Changes since last time
+
+There were, again, no changes since last year on daylight savings that
+I'm aware of. It seems the [US congress debating switching to a
+"half-daylight" time zone](https://www.usatoday.com/story/news/nation/2026/02/19/daylight-act-of-2026-proposing-half-daylight-saving-time/88760725007/) which is an half-baked idea that I
+should have expected from the current USA politics.
+
+The plan is to, say, switch from "Eastern is UTC-4 in the summer" to
+"Eastern is UTC-4.5". The bill also proposes to do this 90 days after
+enactment, which is dangerously optimistic about our capacity at
+deploying any significant change in human society.
+
+In general, I rely on the [Wikipedia time nerds](https://en.wikipedia.org/wiki/Daylight_saving_time_by_country) for this and Paul
+Eggert which seems to singlehandledly be keeping everything in order
+for all of us, on the [tz-announce mailing list](https://lists.iana.org/hyperkitty/list/tz-announce@iana.org/latest).
+
+This time, I've also looked at the [tz mailing list](https://lists.iana.org/hyperkitty/list/tz@iana.org/latest) which is where
+I learned about the congress bill.
+
+If your country has changed time and no one above noticed, now would
+be an extremely late time to do something about this, typically
+writing to the above list. (Incredibly, *I* need to write to the list
+because of [this post](https://lists.iana.org/hyperkitty/list/tz@iana.org/thread/6HN5SWD2BJA7OVTPFR3VB42JIA6PFLPG/).)
+
+One thing that *did* change since last year is that I've implemented
+what I hope to be a robust calendar for this, which was surprisingly
+tricky.
+
+If you have access to our Nextcloud, it should be visible under the
+heading "Daylight saving times". If you don't, you can access it using
+[this direct link](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/time/dst.ics).
+
+The procedures around how this calendar was created, how this email
+was written, and curses found along the way, are also documented in
+[this wiki page](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/time), if someone ever needs to pick up the Time Lord
+duty.
+
+[[!tag news time debian-planet python-planet]]

diff --git a/services/meshtastic.md b/services/meshtastic.md
index 99257dee..14177aee 100644
--- a/services/meshtastic.md
+++ b/services/meshtastic.md
@@ -83,6 +83,55 @@ More concerning is his criticism of the core team culture:
 
 He points at Meshcore and Reticulum as possible replacements.
 
+Many mesh nets have switched to MediumFast as a response to some
+scalability problems, which is also described on [this official blog
+post](https://meshtastic.org/blog/why-your-mesh-should-switch-from-longfast/), which include:
+
+- [Bay area, USA and Wellington, NZ](https://meshtastic.org/blog/why-your-mesh-should-switch-from-longfast/#real-world-success), from the above blog post
+- [mtnme.sh](https://mtnme.sh/mediumfast/)
+- puget mesh experimented with MediumFast, but seem to be moving to
+  Meshcore as of Q1-2026
+
+# Privacy and security
+
+Default security is pretty much non-existent: in the default channel,
+packets are encrypted, but with a known key.
+
+*Other* channels seem to use pretty solid encryption, but there's
+likely metadata leakage ("who is talking to who") in cleartext over
+the airwaves that can be easily sniffed by anyone in range. Joining a
+MQTT server makes that even easier to sniff. 
+
+Also note that Meshtastic only does *encryption*: you don't get things
+like forward-secrecy, authentication, or integrity, see the
+[encryption section](https://meshtastic.org/docs/overview/encryption/). This sounds minor, but this is a significant
+threat vector as, for example, if someone knows you wrote "hi" to a
+channel, even if they don't have the encryption key, they can replay
+that "hi" by sending the exact same encrypted packet. Security is
+hard. It seems like [Reticulum does this better](https://reticulum.network/crypto.html).
+
+Nodes often transmit other telemetry like GPS location, temperature,
+and other sensors, by default. GPS location precision can be reduced
+(say "I'm in Montreal" instead of "I'm at 1234 boulevard
+Saint-Laurent") or completely turned off, but it might still possible
+to triangulate device's positions, as with any typical radio
+transmission. LoRa signals are "bursty" and low power, so that's more
+difficult than, say, classic ham radio signals though.
+
+There's a [Meshtastic ZPS](https://github.com/a-f-G-U-C/Meshtastic-ZPS) project that tries to implement GPS-less
+localization, but it's using external positioning systems and
+WiFi/Bluetooth scans instead of a GPS, so it's not triangulation per
+se.
+
+Weak default Bluetooth pairing codes (the "PIN") are often
+[luggage-strength](https://en.wikipedia.org/wiki/Spaceballs) like `1234` or `123456`. They should be changed
+unless you're okay with anyone within range taking control of your
+devices.
+
+Physical access to the devices also likely leads to full compromise as
+devices can generally be put in "DFU" ([Device firmware upgrade](https://en.wikipedia.org/wiki/USB#Device_Firmware_Upgrade_mechanism))
+mode relatively easily.
+
 # Hardware
 
 Below are some Meshtastic-compatible devices I found interesting.
@@ -229,7 +278,7 @@ the time:
   button, 3200mAh battery, USB-C powered, 100$
 - [WisMesh Solar Repeater](https://store.rakwireless.com/products/wismesh-meshtastic-solar-repeater): solar, battery, mast-mountable, unclear
   if it can be setup without solar and if it supports MQTT/ethernet,
-  300$
+  300$, SenseCAP Solar Node P1 (below) might be sturdier and cheaper
 - [WishMesh Solar Repeater Mini](https://store.rakwireless.com/products/wishmesh-meshtastic-solar-repeater-mini): solar, battery, mast-mountable,
   cheaper, 100$
 - [WisMesh Ethernet Gateway](https://store.rakwireless.com/products/wismesh-ethernet-gateway): no battery, no solar, but ethernet
@@ -247,7 +296,7 @@ the time:
     the nuts)
   - 4 × M3 nuts
   - 2 × M2.5 screws (*not* part of the above kit, [length unclear](https://www.printables.com/model/286664-rak19003-micro-case-for-meshtastic/comments/2516182),
-    [here are M2.5x6mm](https://abra-electronics.com/hardware/metric-hardware-round-phillips-head-screws/1968p-machine-screw-m2.5-6mm-length-phillips-25-pack.html) or [this kit](https://abra-electronics.com/hardware/metric-hardware-kits/screws-bolts/repair-kit-for-eyeglasses-watches-screws-and-nuts-caps-m1m2m2.5-stainless.html)3)
+    [here are M2.5x6mm](https://abra-electronics.com/hardware/metric-hardware-round-phillips-head-screws/1968p-machine-screw-m2.5-6mm-length-phillips-25-pack.html) or [this kit](https://abra-electronics.com/hardware/metric-hardware-kits/screws-bolts/repair-kit-for-eyeglasses-watches-screws-and-nuts-caps-m1m2m2.5-stainless.html))
   - 1 × battery ([Amazon](https://www.amazon.com/gp/product/B091FKGW8H), possibly the same as [Abra](https://abra-electronics.com/batteries-holders/batteries-polymer-lithium-ion/1578-ada-lithium-ion-polymer-battery-37v-500mah-1578-ada.html),
     optional?)
   - there's also an optional [battery cutoff switch](https://www.amazon.com/gp/product/B086L2GPGX), couldn't find
@@ -255,9 +304,9 @@ the time:
 
 Those I haven't tested yet as I haven't laid hand on them:
 
-- [SenseCAP Solar Node P1](https://www.seeedstudio.com/SenseCAP-Solar-Node-P1-for-Meshtastic-LoRa-p-6425.html): pre-order (as of 2025-04-22), 70$USD,
-  outdoors solar-powered relay with 4x18650 batteries, nRF4840, GNSS,
-  BT 5.0, 3 power buttons, 5 LEDs, USB-C for debug
+- [SenseCAP Solar Node P1](https://www.seeedstudio.com/SenseCAP-Solar-Node-P1-for-Meshtastic-LoRa-p-6425.html): 90$USD, outdoors solar-powered relay
+  with 4x18650 batteries, nRF4840, GNSS, BT 5.0, 3 power buttons, 5
+  LEDs, USB-C for debug, [recommended by nyme.sh](https://nyme.sh/faq/)
 - [T-Echo](https://lilygo.cc/products/t-echo-lilygo): e-ink display, GPS, BT 5.0, no wifi, only three
   buttons, NFC, 850mAh battery, temperature/pressure sensor, 55$
 - [T-Beam Supreme](https://lilygo.cc/products/t-beam-supreme?variant=43067944173749): 1.3" OLED display, 18650 battery socket,
@@ -274,7 +323,8 @@ Those I haven't tested yet as I haven't laid hand on them:
   battery, and battery doesn't fit in the case), they also have an
   [eink dev board](https://heltec.org/project/vision-master-e290/)
 - [Muzi](https://muzi.works/) has builds on top of the Heltec, e.g. [this H2T](https://muzi.works/products/h2t-complete-device-heltec-t114-with-gps-running-meshtastic) made
-  with a Heltec T114
+  with a Heltec T114, [this R1 Neo](https://muzi.works/products/r1-neo-complete-meshtastic-device) is similar to the WisMesh
+  Pocket, but smaller, better sealed, but more expensive
 - [Lamp hack](https://hackaday.io/project/194509-harbor-breeze-meshtastic-hack)
 - [Antennas](https://meshtastic.org/docs/hardware/antennas/) vary as well
 - Power is a whole other question, see [power consumption
@@ -306,26 +356,50 @@ thing).
 Note that you can also [flash firmware](https://meshtastic.org/docs/getting-started/flashing-firmware/) without a web UI, but the
 flasher web UI is still useful to download the right firmware.
 
+## Mobile apps
+
+There's also an [Android app](https://meshtastic.org/docs/category/android-app/), also [shipped on F-Droid](https://f-droid.org/packages/com.geeksville.mesh/).
+
+And yes, there's also an [iOS app](https://meshtastic.org/docs/software/apple/installation/).
+
+Note that those won't work without a LoRa transmitter, to which you
+typically connect over Bluetooth.
+
 ## Linux
 
 There's a [commandline client and Python library](https://github.com/meshtastic/python) that can be used
 to talk to devices. There's even a rudimentary [GTK client](https://gitlab.com/kop316/gtk-meshtastic-client). Both
 are packaged in Debian. 
 
-There's also TUIs like [contact](https://github.com/pdxlocations/contact) (messaging), [connect](https://github.com/pdxlocations/connect)
-(LoRa-less client), [control](https://github.com/pdxlocations/control) (configuration).
+- TUIs
+  - [contact](https://github.com/pdxlocations/contact) (messaging)
+  - [connect](https://github.com/pdxlocations/connect) (LoRa-less client)
 
-I wrote a batch flashing tool that's called [reflashtic](https://gitlab.com/anarcat/scripts/-/blob/main/reflashtic.py?ref_type=heads), derived
-from work a friend did on a similar bash script.
+- [reflashtic](https://gitlab.com/anarcat/scripts/-/blob/main/reflashtic.py?ref_type=heads): batch flashing tool I wrote, derived from work a
+  friend did on a similar bash script
 
-## Mobile apps
+- [puget mesh](https://pugetmesh.org/) has a [bunch of interesting projects](https://pugetmesh.org/meshtastic/#member-projects):
 
-There's also an [Android app](https://meshtastic.org/docs/category/android-app/), also [shipped on F-Droid](https://f-droid.org/packages/com.geeksville.mesh/).
+  - [meshing-around](https://github.com/SpudGunMan/meshing-around): "BBS" like functionality, ping, weather alerts,
+    shell commands, games, quizzes, messaging, testing
 
-And yes, there's also an [iOS app](https://meshtastic.org/docs/software/apple/installation/).
+  - [aprstastic](https://github.com/afourney/aprstastic): APRS gateway
 
-Note that those won't work without a LoRa transmitter, to which you
-typically connect over Bluetooth.
+  - [meshfirmware](https://github.com/mikecarper/meshfirmware): "automatic" flasher, see also my reflashtic above
+
+- [TC2-BBS-mesh](https://github.com/TheCommsChannel/TC2-BBS-mesh): mail, channel directory, stats, fortune
+
+- [Frozen BBS](https://github.com/kstrauser/frozenbbs): another BBS, rust
+
+- [hops](https://github.com/morria/hops): bot from [nyme.sh](https://nyme.sh/)
+
+## Monitoring
+
+- <https://dash.mt.gt/>
+- <https://github.com/cordelster/mesh-metrics/>
+- <https://github.com/artiommocrenco/meshtastic-prometheus-exporter>
+- <https://github.com/tcivie/meshtastic-metrics-exporter>
+- [Meshmonitor](https://meshmonitor.org/): maps, analytics, traceroutes, triggers
 
 # MQTT
 
@@ -379,57 +453,11 @@ well.
   to Meshtastic!)
 - HiveMQ public broker: `broker.hivemq.com`, see [their documentation](https://www.hivemq.com/mqtt/public-mqtt-broker/)
 
-# Privacy and security
-
-Default security is pretty much non-existent: in the default channel,
-packets are encrypted, but with a known key.
-
-*Other* channels seem to use pretty solid encryption, but there's
-likely metadata leakage ("who is talking to who") in cleartext over
-the airwaves that can be easily sniffed by anyone in range. Joining a
-MQTT server makes that even easier to sniff. 
-
-Also note that Meshtastic only does *encryption*: you don't get things
-like forward-secrecy, authentication, or integrity, see the
-[encryption section](https://meshtastic.org/docs/overview/encryption/). This sounds minor, but this is a significant
-threat vector as, for example, if someone knows you wrote "hi" to a
-channel, even if they don't have the encryption key, they can replay
-that "hi" by sending the exact same encrypted packet. Security is
-hard. It seems like [Reticulum does this better](https://reticulum.network/crypto.html).
-
-Nodes often transmit other telemetry like GPS location, temperature,
-and other sensors, by default. GPS location precision can be reduced
-(say "I'm in Montreal" instead of "I'm at 1234 boulevard
-Saint-Laurent") or completely turned off, but it might still possible
-to triangulate device's positions, as with any typical radio
-transmission. LoRa signals are "bursty" and low power, so that's more
-difficult than, say, classic ham radio signals though.
-
-There's a [Meshtastic ZPS](https://github.com/a-f-G-U-C/Meshtastic-ZPS) project that tries to implement GPS-less
-localization, but it's using external positioning systems and
-WiFi/Bluetooth scans instead of a GPS, so it's not triangulation per
-se.
-
-Weak default Bluetooth pairing codes (the "PIN") are often
-[luggage-strength](https://en.wikipedia.org/wiki/Spaceballs) like `1234` or `123456`. They should be changed
-unless you're okay with anyone within range taking control of your
-devices.

(Diff truncated)

diff --git a/hardware/server/marcos/v3.md b/hardware/server/marcos/v3.md
index 73c56914..b25c122c 100644
--- a/hardware/server/marcos/v3.md
+++ b/hardware/server/marcos/v3.md
@@ -241,6 +241,12 @@ Apparently, [this provider](https://serverpartdeals.com/collections/manufacturer
 ## Other cases
 
 - [Jonsbro](https://www.jonsbo.com/) comes up a lot, see e.g. the [N3](https://www.jonsbo.com/en/products/N3.html)
+- [Terramaster](https://www.terra-master.com/) produces cheap, fully-built systems, see for
+  example this [300$USD 4-drive ARM NAS](https://www.terra-master.com/products/f4-212), or much larger units like
+  this [500USD 9-drive enclosure](https://www.terra-master.com/products/d9-320) is interesting, but of course
+  limited by the bandwidth of a single (!) USB-C cable, it seems to be
+  a "server-less" (ha) version of this more expensive, [1200USD
+  9-drive server](https://www.terra-master.com/products/t9-450)
 
 ## Other reviews
 
diff --git a/services/bookmarks.mdwn b/services/bookmarks.mdwn
index 57433f64..318aed22 100644
--- a/services/bookmarks.mdwn
+++ b/services/bookmarks.mdwn
@@ -62,6 +62,8 @@ Possible alternatives
 
 Possible alternatives to zotero and/or wallabag include:
 
+ * [bibiman](https://codeberg.org/lukeflo/bibiman) - "TUI for fast and simple interacting with your
+   BibLaTeX database"
  * [i librarian](https://i-librarian.net/)
  * [inventaire](https://inventaire.io/) - book sharing/inventory app with an open data aspect
  * [jabref](http://www.jabref.org/)
diff --git a/software/zfs.md b/software/zfs.md
index dcf5cca2..3c8d042a 100644
--- a/software/zfs.md
+++ b/software/zfs.md
@@ -173,7 +173,11 @@ The most important thingto know about RAID-Z is that the layout can't
 be changed after the pool creation. If you have 3 drives in your
 RAIDZ1 pool, you're stuck with 3 drives until you rebuild the pool
 (although you *can* add spares). Arrays *can* be grown in *size* by
-replacing the drives with bigger ones progressively, that said.
+replacing the drives with bigger ones progressively, that
+said. Update: RAID-Z expansion was [actually implemented in 2023](https://github.com/openzfs/zfs/pull/15022),
+but has some caveats, most importantly that the stripe size of
+existing data is not changed, so the existing data doesn't benefit
+from the additional bandwidth of the new drives.
 
 Jim Salter [recommends mirrors instead of RAID-Z](https://jrs-s.net/2015/02/06/zfs-you-should-use-mirror-vdevs-not-raidz/), but the
 [rsync.net people recommend RAID-Z3 with 12-15 drives joined in 3-4

diff --git a/blog/2026-02-18-iproute2.md b/blog/2026-02-18-iproute2.md
index 5947d578..41dbc465 100644
--- a/blog/2026-02-18-iproute2.md
+++ b/blog/2026-02-18-iproute2.md
@@ -95,3 +95,7 @@ makes. The fact that it's called `iproute2` makes it only more
 hilarious.
 
 [[!tag debian-planet python-planet debian network sysadmin linux]]
+
+
+<!-- posted to the federation on 2026-02-18T11:30:55.082264 -->
+[[!mastodon "https://kolektiva.social/@Anarcat/116092584255984978"]]
\ No newline at end of file

diff --git a/blog/2026-02-18-iproute2.md b/blog/2026-02-18-iproute2.md
new file mode 100644
index 00000000..5947d578
--- /dev/null
+++ b/blog/2026-02-18-iproute2.md
@@ -0,0 +1,97 @@
+[[!meta title="net-tools to iproute cheat sheet"]]
+
+This is also known as: "`ifconfig` is not installed by default
+anymore, how do I do this only with the `ip` command?"
+
+I have been slowly training my brain to use the new commands but I
+sometimes forget some. So, here's a couple of equivalence from the old
+package to `net-tools` the new `iproute2`, about 10 years late:
+
+| `net-tools`                 | `iproute2`                                   | shorter form                 | what it does                            |
+|-----------------------------|----------------------------------------------|------------------------------|-----------------------------------------|
+| `arp -an`                   | `ip neighbor`                                | `ip n`                       |                                         |
+| `ifconfig`                  | `ip address`                                 | `ip a`                       | show current IP address                 |
+| `ifconfig`                  | `ip link`                                    | `ip l`                       | show link stats (up/down/packet counts) |
+| `route`                     | `ip route`                                   | `ip r`                       | show or modify the routing table        |
+| `route add default GATEWAY` | `ip route add default via GATEWAY`           | `ip r a default via GATEWAY` | add default route to `GATEWAY`          |
+| `route del ROUTE`           | `ip route del ROUTE`                         | `ip r d ROUTE`               | remove `ROUTE` (e.g. `default`)         |
+| `netstat -anpe`             | `ss --all --numeric  --processes --extended` | `ss -anpe`                   | list listening processes, less pretty   |
+
+# Another trick
+
+Also note that I often alias `ip` to `ip -br -c` as it provides a
+much prettier output.
+
+Compare, before:
+
+```
+anarcat@angela:~> ip a
+1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
+    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
+    inet 127.0.0.1/8 scope host lo
+       valid_lft forever preferred_lft forever
+    inet6 ::1/128 scope host noprefixroute 
+       valid_lft forever preferred_lft forever
+2: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
+    link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff permaddr xx:xx:xx:xx:xx:xx
+    altname wlp166s0
+    altname wlx8cf8c57333c7
+4: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
+    link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
+    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
+       valid_lft forever preferred_lft forever
+20: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
+    link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
+    inet 192.168.0.108/24 brd 192.168.0.255 scope global dynamic noprefixroute eth0
+       valid_lft 40699sec preferred_lft 40699sec
+```
+
+After:
+
+```
+anarcat@angela:~> ip -br -c a
+lo               UNKNOWN        127.0.0.1/8 ::1/128 
+wlan0            DOWN           
+virbr0           DOWN           192.168.122.1/24 
+eth0             UP             192.168.0.108/24 
+```
+
+I don't even need to redact MAC addresses! It also affects the display
+of the other commands, which look similarly neat.
+
+Also imagine pretty colors above.
+
+Finally, I don't have a cheat sheet for `iw` vs `iwconfig` (from
+`wireless-tools`) yet. I just use NetworkManager now and rarely have
+to mess with wireless interfaces directly.
+
+# Background and history
+
+For context, there are traditionally two ways of configuring the
+network in Linux:
+
+- the old way, with commands like `ifconfig`, `arp`, `route` and
+  `netstat`, those are part of the [net-tools](https://sourceforge.net/projects/net-tools/) package 
+- the new way, mostly (but not entirely!) wrapped in a single `ip`
+  command, that is the [iproute2](https://wiki.linuxfoundation.org/networking/iproute2) package
+
+It seems like the latter was made "important" in Debian [in 2008](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=487533),
+which means every release since Debian 5 "lenny" (!) has featured the
+`ip` command.
+
+The former `net-tools` package was [demoted in December 2016](https://lists.debian.org/debian-devel/2016/12/msg00775.html) which
+means every release since Debian 9 "stretch" ships *without* an
+`ifconfig` command unless explicitly requested. Note that this was
+mentioned [in the release notes](https://www.debian.org/releases/stretch/amd64/release-notes) in a similar (but, IMHO, less
+useful) table.
+
+(Technically, the `net-tools` Debian package source still indicates it
+is `Priority: important` but that's [a bug I have just filed](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128342).)
+
+Finally, and perhaps more importantly, the name `iproute` is hilarious
+if you are a bilingual french speaker: it can be read as "I proute"
+which can be interpreted as "I fart" as "prout!" is the sound a fart
+makes. The fact that it's called `iproute2` makes it only more
+hilarious.
+
+[[!tag debian-planet python-planet debian network sysadmin linux]]

diff --git a/hardware/server/marcos/v3.md b/hardware/server/marcos/v3.md
index a99ed945..73c56914 100644
--- a/hardware/server/marcos/v3.md
+++ b/hardware/server/marcos/v3.md
@@ -58,6 +58,8 @@ here for future maintenance and clarity.
 | **USB-3 adapter**      | 20-pin USB-3.0 to 9-pin USB-2 converter                                                                                                                         | [14.99$ @ Amazon  Canada](https://www.amazon.ca/gp/product/B0816C3ZV6?linkId=59fd3489f37c115eb4eb30b8b1e6a56f&language=en_US)                                              |
 | **NVMe PCI-e adapter** | Maiwo KT058 RGB Design PCIe x16 to NVMe                                                                                                                         | [$9.99 @ Canada Computers](https://www.canadacomputers.com/en/m-2-sata-controller-cards/255786/maiwo-kt058-rgb-design-pcie-x16-to-nvme-ssd-expansion-converter-kt058.html) |
 
+The server is also backed by a UPS, a [APC 1500VA BX1500m](https://www.apc.com/ca/en/product/BX1500M/apc-back-ups-1500-compact-tower-1500va-120v-avr-lcd-10-nema-outlets-5-surge/).
+
 # Next steps
 
 - build issues:
diff --git a/hardware/tubman3.md b/hardware/tubman3.md
index 3d59ee16..b7408caa 100644
--- a/hardware/tubman3.md
+++ b/hardware/tubman3.md
@@ -19,7 +19,9 @@ It reuses the [[hardware/server/marcos/v2]] hardware.
 
  [manual]: https://www.supermicro.com/manuals/chassis/Mid-tower/SC733.pdf
 
-The server is also backed by a UPS, a [APC 1500VA BX1500m](https://www.apc.com/ca/en/product/BX1500M/apc-back-ups-1500-compact-tower-1500va-120v-avr-lcd-10-nema-outlets-5-surge/).
+Even though v2 was physically built in hardware from 2020 (and rebuilt
+in 2026), it doesn't seem to have a TPM2 device (although those are
+mandatory for Windows 10 certification since 2016).
 
 [CSE-733TQ-500B]: https://www.supermicro.com/en/products/archive/chassis/SC733TQ-500B
 [300$]: http://www.atic.ca/index.php?page=details&psku=63796
diff --git a/software/zfs.md b/software/zfs.md
index 8b6995e8..dcf5cca2 100644
--- a/software/zfs.md
+++ b/software/zfs.md
@@ -71,9 +71,8 @@ with standard LUKS instead of ZFS encryption:
 
     The above will not ask you for any passphrase, but will make the
     disks unrecoverable in case the on-disk keys are lost.
-    
-    TODO: a better approach for this would be to use `systemd-creds`
-    instead of on-disk files.
+
+    TODO: use a TPM2 device instead, see [`systemd-cryptenroll`](https://wiki.archlinux.org/title/Systemd-cryptenroll)
 
  4. Create the pool:
  

diff --git a/hardware/server/marcos/v2.md b/hardware/server/marcos/v2.md
index 07cc3f66..27751ffe 100644
--- a/hardware/server/marcos/v2.md
+++ b/hardware/server/marcos/v2.md
@@ -23,7 +23,7 @@ The server is also backed by a UPS, a [APC 1500VA BX1500m](https://www.apc.com/c
 
 [CSE-733TQ-500B]: https://www.supermicro.com/en/products/archive/chassis/SC733TQ-500B
 [300$]: http://www.atic.ca/index.php?page=details&psku=63796
-[ASUS PRIME X470-PRO]: https://www.asus.com/us/Motherboards/PRIME-X470-PRO/
+[ASUS PRIME X470-PRO]: https://www.asus.com/supportonly/prime%20x470-pro/helpdesk_cpu/
 [187$]: http://www.atic.ca/index.php?page=details&psku=196101
 [detailed specs]: https://www.asus.com/us/Motherboards/PRIME-X470-PRO/specifications/
 [Kingston KSM26ED8/16ME]: 
diff --git a/hardware/tubman.md b/hardware/tubman.md
index 1a71dd9d..22876081 100644
--- a/hardware/tubman.md
+++ b/hardware/tubman.md
@@ -17,8 +17,37 @@ Tubman was an activist in the movement for women's suffrage.*"
 
 # Specification
 
-tubman's install changed bodies and is now in "toutatis"'s body. so
-the specs below are inaccurate.
+## v3
+
+The new `tubman` build is a server technically named `tubman2`, but it
+should really just be named `tubman` and is referred to as either.
+
+It's the same hardware than [[hardware/server/marcos/v3]], 7th
+iteration.
+
+| Component         | Model                                                                                                                                                           | Price @ supplier                                                                                                                                          |
+|-------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------|
+| **CPU**           | [AMD Ryzen 5 5500GT 3.6 GHz 6-Core Processor](https://www.amd.com/en/support/downloads/drivers.html/processors/ryzen/ryzen-5000-series/amd-ryzen-5-5500gt.html) | [$159.99 @ Best Buy Canada](https://ca.pcpartpicker.com/product/VcvD4D/amd-ryzen-5-5500gt-36-ghz-6-core-processor-100-100001489box)                       |
+| **Motherboard**   | [Gigabyte A520I AC Mini ITX AM4 Motherboard](https://download.gigabyte.com/FileList/Manual/mb_manual_a520i-ac_1402_e.pdf?v=59849968edde4af54c38e4c0c1bf2ea6)    | [$171.99 @ PC-Canada](https://ca.pcpartpicker.com/product/s6tKHx/gigabyte-a520i-ac-mini-itx-am4-motherboard-a520i-ac)                                     |
+| **Memory**        | Kingston ValueRAM 16 GB (1 x 16 GB) DDR4-3200 CL22 Memory                                                                                                       | [$70.00 @ Vuugo](https://ca.pcpartpicker.com/product/tz2bt6/kingston-valueram-16-gb-1-x-16-gb-ddr4-3200-cl22-memory-kvr32n22s816)                         |
+| **Storage**       | 2 x Western Digital WD Blue 12 TB 3.5" 7200 RPM Internal Hard Drive                                                                                             | [$274.99 @ Western Digital](https://ca.pcpartpicker.com/product/mfkqqs/western-digital-wd-blue-12-tb-35-7200-rpm-internal-hard-drive-wd120eagz)           |
+| **Storage**       | 1 x WD Blue SN570 1TB NVMe                                                                                                                                      | already bought                                                                                                                                            |
+| **Case**          | [Jonsbo N2 Mini ITX Desktop Case](https://www.jonsbo.com/en/products/N2Black.html)                                                                              | [$243.00 @ Newegg Sellers](https://ca.pcpartpicker.com/product/FtVmP6/jonsbo-n2-mini-itx-desktop-case-n2-black)                                           |
+| **Power Supply**  | [Silverstone SFX 500 W 80+ Gold Certified Fully Modular SFX Power Supply](https://www.silverstonetek.com/en/product/info/power-supplies/ST30SF/)                | [$173.26 @ Amazon Canada](https://ca.pcpartpicker.com/product/vrH48d/silverstone-sfx-500-w-80-gold-certified-fully-modular-sfx-power-supply-sst-sx500-lg) |
+| **Case Fan**      | [Noctua A12x15 PWM 55.44 CFM 120 mm Fan](https://www.noctua.at/en/products/nf-a12x15-pwm)                                                                       | [$27.95 @ Newegg Sellers](https://ca.pcpartpicker.com/product/rhQRsY/noctua-nf-a12x15-pwm-942-cfm-120mm-fan-nf-a12x15-pwm)                                |
+| **SATA cabling**  | 6x elbowed SATA cables                                                                                                                                          | [29.99$ @ Amazon  Canada](https://www.amazon.ca/ADCAUDX-SATA-III-Cable-Right-Angle-Server-Raid/dp/B0B1CZHXZ1)                                             |
+| **USB-E adapter** | USB "E" connector to 20-pin USB 3.2 connector                                                                                                                   | [15.99$ @ Amazon  Canada](https://www.amazon.ca/EZDIY-FAB-USB3-1-Internal-Degrees-Adapter/dp/B0B5D5GZX9)                                                  |
+| **USB-3 adapter** | 20-pin USB-3.0 to 9-pin USB-2 converter                                                                                                                         | [14.99$ @ Amazon  Canada](https://www.amazon.ca/gp/product/B0816C3ZV6?linkId=59fd3489f37c115eb4eb30b8b1e6a56f&language=en_US)                             |
+| **KVM**           | [NanoKVM-PCIe](https://wiki.sipeed.com/hardware/en/kvm/NanoKVM_PCIe/introduction.html)                                                                          |                                                                                                                                                           |
+
+The server has room for three more 3.5" drives, but only two are
+usable, because the motherboard only has 4 SATA slots. A PCI-e
+expansion card could be fitted, but the slot is currently taken by the
+NanoKVM.
+
+## v2
+
+This is the old `toutatis` build.
 
  * motherboard: [MSI X58M (MS-7593)](https://www.msi.com/Motherboard/X58M/Specification)
  * case: some alien atrocity
@@ -40,10 +69,14 @@ the specs below are inaccurate.
  * Audio: Oland/Hainan/Cape Verde/Pitcairn HDMI Audio [Radeon HD 7000
    Series]
 
-Note that tubman was originally built with the old marcos hardware,
-but transplanted in what used to be known as `toutatis`, see
-[[hardware/server/marcos/v1]] for the old spec. The `toutatis` install
-was kept install, on a stack of 5 disks (3x~2TB HDD, 2x128GB SSD).
+When `tubman` was reinstalled in `toutatis`, the `toutatis` install was
+kept install, on a stack of 5 disks (3x~2TB HDD, 2x128GB SSD).
+
+## v1
+
+`tubman` was originally built with the old `marcos` hardware, but
+transplanted in what used to be known as `toutatis`, see
+[[hardware/server/marcos/v1]] for the old spec.
 
 [Nehalem]: https://en.wikipedia.org/wiki/Nehalem_(microarchitecture)
 [bloomfield]: https://en.wikipedia.org/wiki/Bloomfield_(microprocessor)
diff --git a/hardware/tubman3.md b/hardware/tubman3.md
new file mode 100644
index 00000000..3d59ee16
--- /dev/null
+++ b/hardware/tubman3.md
@@ -0,0 +1,33 @@
+`tubman3` is the third incantation of the [[tubman]] server. it's not
+*exactly* related to `tubman2` in the sense that it has a different
+purpose: it's not a backup server, it's just a second storage server
+and I was running out of ideas.
+
+It reuses the [[hardware/server/marcos/v2]] hardware.
+
+# Specification
+
+ * Case: [CSE-733TQ-500B][] ([300$][]), incl. 80+ bronze 500W PSU,
+   4x3.5" hotswap bays, 2x5.25" bays, 1x3.5" bay, 7" (4U) x 20.9" x
+   16.8" or 178 x 531 x 427mm (WxDxL), 17Kg ([manual][])
+ * Motherboard: [ASUS PRIME X470-PRO][]: [187$][] (AM4/PGA 1331 ATX
+   12"x9.6" 6 SATA Intel® I211-AT chipset, [detailed specs][])
+ * Memory: Kingston KSM26ED8/16ME (16GB RAM): [114$][]
+ * [AMD Ryzen 5 2600][] - replaced with a [2600x](http://www.atic.ca/index.php?page=details&psku=196096) at same cost (no
+   GPU, 6 cores, 95W 3.4GHz): [287$][]
+ * Total: 889$CAD
+
+ [manual]: https://www.supermicro.com/manuals/chassis/Mid-tower/SC733.pdf
+
+The server is also backed by a UPS, a [APC 1500VA BX1500m](https://www.apc.com/ca/en/product/BX1500M/apc-back-ups-1500-compact-tower-1500va-120v-avr-lcd-10-nema-outlets-5-surge/).
+
+[CSE-733TQ-500B]: https://www.supermicro.com/en/products/archive/chassis/SC733TQ-500B
+[300$]: http://www.atic.ca/index.php?page=details&psku=63796
+[ASUS PRIME X470-PRO]: https://www.asus.com/supportonly/prime%20x470-pro/helpdesk_cpu/
+[187$]: http://www.atic.ca/index.php?page=details&psku=196101
+[detailed specs]: https://www.asus.com/us/Motherboards/PRIME-X470-PRO/specifications/
+[Kingston KSM26ED8/16ME]: 
+[114$]: http://www.atic.ca/index.php?page=details&psku=211327
+[AMD Ryzen 5 2400G]: http://www.atic.ca/index.php?page=details&psku=191280
+[AMD Ryzen 5 2600]: http://www.atic.ca/index.php?page=details&psku=196095
+[287$]: http://www.atic.ca/index.php?page=details&psku=196095

diff --git a/software/zfs.md b/software/zfs.md
index 8f9fb214..8b6995e8 100644
--- a/software/zfs.md
+++ b/software/zfs.md
@@ -47,15 +47,15 @@ with standard LUKS instead of ZFS encryption:
     recovery password:
 
         for disk in sde1 sdd1 ; do
-            cryptsetup luksFormat /dev/$disk &&
-            cryptsetup luksOpen /dev/$disk crypt_dev_$disk &&
             mkdir -p -m 0 /etc/luks &&
             ( umask 077 && dd if=/dev/random bs=64 count=128 of=/etc/luks/crypt_dev_$disk ) &&
-            cryptsetup luksAddKey /dev/$disk /etc/luks/crypt_dev_$disk &&
+            cryptsetup luksFormat --key-file=/etc/luks/crypt_dev_$disk /dev/$disk &&
+            cryptsetup luksOpen --key-file=/etc/luks/crypt_dev_$disk /dev/$disk crypt_dev_$disk &&
+            cryptsetup luksAddKey /dev/$disk &&
             echo crypt_dev_$disk UUID=$(lsblk -n -o UUID /dev/$disk | head -1) /etc/luks/crypt_dev_$disk luks,discard | tee -a /etc/crypttab
         done
 
-    The above will ask you for the encryption key *four* times, but
+    The above will ask you for the encryption key *two* times, but
     will not require typing it on boot *while* simultaneously allowing
     recovery without the key file.
 
@@ -69,9 +69,11 @@ with standard LUKS instead of ZFS encryption:
             echo crypt_dev_$disk UUID=$(lsblk -n -o UUID /dev/$disk | head -1) /etc/luks/crypt_dev_$disk luks,discard | tee -a /etc/crypttab
         done
 
-    The above will ask you for the encryption key *four* times, but
-    will not require typing it on boot *while* simultaneously allowing
-    recovery without the key file.
+    The above will not ask you for any passphrase, but will make the
+    disks unrecoverable in case the on-disk keys are lost.
+    
+    TODO: a better approach for this would be to use `systemd-creds`
+    instead of on-disk files.
 
  4. Create the pool:
  

diff --git a/blog/2026-02-12-recording-decisions.md b/blog/2026-02-12-recording-decisions.md
index 9231684a..7f5e702e 100644
--- a/blog/2026-02-12-recording-decisions.md
+++ b/blog/2026-02-12-recording-decisions.md
@@ -175,3 +175,7 @@ will adopt one after reading this.
 > Note: this article was also published on the [Tor Blog](https://blog.torproject.org/tpa-adr).
 
 [[!tag tor sysadmin debian-planet python-planet documentation]]
+
+
+<!-- posted to the federation on 2026-02-16T15:21:54.624815 -->
+[[!mastodon "https://kolektiva.social/@Anarcat/116082167932519066"]]
\ No newline at end of file

diff --git a/blog/2026-02-12-recording-decisions.md b/blog/2026-02-12-recording-decisions.md
index 8576c4a6..9231684a 100644
--- a/blog/2026-02-12-recording-decisions.md
+++ b/blog/2026-02-12-recording-decisions.md
@@ -1,4 +1,4 @@
-[[!meta title="Recording better decisions"]]
+[[!meta title="Keeping track of decisions using the ADR model"]]
 
 In the Tor Project system Administrator's team (colloquially known as
 TPA), we've recently changed how we take decisions, which means you'll
@@ -8,8 +8,8 @@ get clearer communications from us about upcoming changes or
 Note that this change only affects the TPA team. At Tor, each team has
 its own way of coordinating and making decisions, and so far this
 process is only used inside TPA. We encourage other teams inside and
-outside Tor to evaluate this process to see if it might help improve
-your processes and documentation.
+outside Tor to evaluate this process to see if it can improve your
+processes and documentation.
 
 # The new process
 
@@ -74,14 +74,14 @@ well:
 > adoption.
 
 Now, of course, the devil is in the details (and [ADR-101][]), but the
-point is to keep things SIMPLE.
+point is to keep things simple.
 
  [ADR-101]: https://gitlab.torproject.org/tpo/tpa/team/-/wikis/policy/0101-adr-process
 
 A crucial aspect of the proposal, which Jacob Kaplan-Moss calls the
 [one weird trick][], is to "decide who decides". Our previous process
 was vague about who makes the decision and the new template (and
-process) clarifies decision makes, for each decision.
+process) clarifies decision makers, for each decision.
 
  [one weird trick]: https://jacobian.org/2023/dec/5/how-to-decide/
 
@@ -106,7 +106,7 @@ Accountable, Consulted, Informed).
 
 ## Communication guidelines
 
-Finally, a crucial part of the process (by [ADR-102][]) is to decouple
+Finally, a crucial part of the process ([ADR-102][]) is to decouple
 the act of making and recording decisions from *communicating* about
 the decision. Those are two *radically* different problems to
 solve. We have found that a single document can't serve both purposes.
@@ -121,13 +121,13 @@ method (Who? What?  When? Where? Why?) and, again, to keep things simple.
 
 # How we got there
 
-The [ADR process][] is not something I invented. I first stumbled
-upon it in the [Thunderbird Android project][]. Then, in parallel, I
-was in the [process of reviewing the RFC process we had previously
-adopted][], following Jacob Kaplan-Moss's [criticism of the RFC
-process][]. Essentially, Kaplan-Moss argues that:
+The [ADR process][] is not something I invented. I first stumbled upon
+it in the [Thunderbird Android project][]. Then, in parallel, I was in
+the [process of reviewing the RFC process][], following Jacob
+Kaplan-Moss's [criticism of the RFC process][]. Essentially, he argues
+that:
 
- [process of reviewing the RFC process we had previously adopted]: https://gitlab.torproject.org/tpo/tpa/team/-/issues/41428
+ [process of reviewing the RFC process]: https://gitlab.torproject.org/tpo/tpa/team/-/issues/41428
  [Thunderbird Android project]: https://github.com/thunderbird/thunderbird-android/blob/be2af5c6a0bce08385fc3f654c1185ccf9db3859/docs/architecture/adr/README.md
 
 1. the RFC process "doesn't include any sort of decision-making framework"
@@ -137,8 +137,8 @@ process][]. Essentially, Kaplan-Moss argues that:
    power structures"
 
 And, indeed, I have been guilty of a lot of those issues. A verbose
-writer, I have written [extremely long proposals][] that I doubt anyone
-has read in full. Some proposals were adopted by exhaustion, or
+writer, I have written [extremely long proposals][] that I suspect no
+one has ever fully read. Some proposals were adopted by exhaustion, or
 ignored because not looping in the right stakeholders.
 
  [extremely long proposals]: https://gitlab.torproject.org/tpo/tpa/team/-/wikis/policy/tpa-rfc-33-monitoring
@@ -159,19 +159,18 @@ allowed us to document a staggering number of changes and decisions
 
 We're still experimenting with the communication around decisions, as
 this text might suggest. Because it's a separate step, we also have a
-tendency to forget it or postpone it, like today's message, which
-comes a couple of months late.
+tendency to forget or postpone it, like this post, which comes a
+couple of months late.
 
 Previously, we'd just ship a copy of the RFC to everyone, which was
-easy and quick, but incomprehensible to most users. Now we need to
-write a separate communication, which is more work but, hopefully, if
-you're still reading this, it's worth it as the result is more
-digestible.
+easy and quick, but incomprehensible to most. Now we need to write a
+separate communication, which is more work but, hopefully, worth the
+as the result is more digestible.
 
 We can't wait to hear what you think of the new process and how it
-works for you, here or in the [discussion issue][] of course! We're
-particularly interested in people that are already using a RFC or ADR
-process, or that will adopt one after reading this.
+works for you, here or in the [discussion issue][]! We're particularly
+interested in people that are already using a similar process, or that
+will adopt one after reading this.
 
 > Note: this article was also published on the [Tor Blog](https://blog.torproject.org/tpa-adr).
 

diff --git a/hardware/server/marcos/v3.md b/hardware/server/marcos/v3.md
index cebd2e3e..a99ed945 100644
--- a/hardware/server/marcos/v3.md
+++ b/hardware/server/marcos/v3.md
@@ -94,10 +94,10 @@ here for future maintenance and clarity.
   - [x] nano-kvm-pcie installation
   - [x] move box
   - [x] install m2 drive
-  - [~] move 1xSSD drive in new box
-  - [~] move 1x8TB and 1x4TB into new box
-  - [~] resync array
-  - [~] remove 1x8tb drive, add 1x4tb (end result: 16TB storage)
+  - [x] ~~move 1xSSD drive in new box~~
+  - [x] ~~move 1x8TB and 1x4TB into new box~~
+  - [x] ~~resync array~~
+  - [x] ~~remove 1x8tb drive, add 1x4tb (end result: 16TB storage)~~
   - [x] bring back 2x8TB and 2x4TB for tubman3
 - [ ] tubman3 setup (ex-marcos body)
   - [x] install new memory stick

diff --git a/hardware/server/marcos/v3.md b/hardware/server/marcos/v3.md
index 7ab1e160..cebd2e3e 100644
--- a/hardware/server/marcos/v3.md
+++ b/hardware/server/marcos/v3.md
@@ -28,7 +28,7 @@ marcos was put online in the new case on 2026-02-13. the impact on the
 disk temperature was immediate and clear, going from a max of about 80
 degrees Celsius to about 38-48:
 
-[[!img grafana-temp-dashboard.png alt="plot of disk temperatures, ranging from 60 to 80 degrees celcius before to 38-48 after"]]
+[[!img grafana-temp-dashboard.png size="600x" alt="plot of disk temperatures, ranging from 60 to 80 degrees celcius before to 38-48 after"]]
 
 The box is full. 4 of the 5 front physical hard disk slots are taken,
 but there's no room for a 5th drive because there are only 4 SATA

diff --git a/blog/2023-02-10-usb-c.md b/blog/2023-02-10-usb-c.md
index 11a1d318..3df30cbf 100644
--- a/blog/2023-02-10-usb-c.md
+++ b/blog/2023-02-10-usb-c.md
@@ -117,6 +117,9 @@ trips however, especially the TOFU for conferences and the Oneworld
 for hotel rooms (and having *both* means I can leave the latter in the
 hotel room!).
 
+I've also bought a [Pine64 PinePower GaN charger](https://pine64.com/product/pinepower-65w-gan-2c1a-charger-with-international-plugs/) but I regret it:
+it doesn't bring anything particular on top of all the others here.
+
 ### Sharge
 
 I also bought [this
@@ -398,6 +401,13 @@ the clever "180 degrees" system of the [new Nano](https://www.anker.com/ca/produ
 there. I was totally turned off by the Anker website (which loads
 really slow and was all black on my phone) and AI slop support.
 
+Other models:
+
+- [iFixit](https://www.ifixit.com) have a see-through [65W USB-C GaN charger](https://www.ifixit.com/products/ifixit-65w-usb-c-ac-adapter) that can
+  be taken apart with a pick and a soldering iron
+- [recable](https://en.recable.eu) have [this 65W charger](https://en.recable.eu/products/usb-a-2x-usb-c-65-watt-charger-the-recable-dual-port-charger-2-0?variant=56351158239497) that's *really* small
+- [baseus](https://eu.baseus.com/products/picogo-ae21-fast-charger-2c-u-100w) have a nice-looking 100W charger with a power meter
+
 ## USB testers
 
 Now that a USB cable isn't a simple 5V electric signal, cables and

diff --git a/hardware/server/marcos.mdwn b/hardware/server/marcos.mdwn
index b48d3668..444264a3 100644
--- a/hardware/server/marcos.mdwn
+++ b/hardware/server/marcos.mdwn
@@ -19,8 +19,8 @@ particulier [[services/mail]] et [[services/backup]].
 Marcos had many incarnations and each is tracked in its own page
 because otherwise tracking history here gets messy:
 
-- [[v3]]: 2025-present, home lab / NAS
-- [[v2]]: 2020-2025, home server/NAS, being replaced because of overheating
+- [[v3]]: 2026-present, home lab / NAS
+- [[v2]]: 2020-2025, home server/NAS, replaced because of overheating
 - [[v1]]: 2011-2020: home cinema/server, replaced because too old,
   lacking expansion capacity
 
diff --git a/hardware/server/marcos/grafana-temp-dashboard.png b/hardware/server/marcos/grafana-temp-dashboard.png
new file mode 100644
index 00000000..75d70a2d
Binary files /dev/null and b/hardware/server/marcos/grafana-temp-dashboard.png differ
diff --git a/hardware/server/marcos/v2.md b/hardware/server/marcos/v2.md
index df41fce7..07cc3f66 100644
--- a/hardware/server/marcos/v2.md
+++ b/hardware/server/marcos/v2.md
@@ -1,7 +1,7 @@
 This page documents the [[hardware/server/marcos]] v2 build, which
-lived from 2020 to 2025 or so. It is scheduled for retirement (as of
-2025-03-30) for overheating issues, but could be used as a (kind of
-huge) desktop.
+lived from 2020 to 2025 or so. It was scheduled for retirement (as of
+2025-03-30) for overheating issues, and was redeployed as a secondary
+storage server called `tubman3` in February 2026.
 
 [[!toc levels=3]]
 
diff --git a/hardware/server/marcos/v3.md b/hardware/server/marcos/v3.md
index b257bd3f..7ab1e160 100644
--- a/hardware/server/marcos/v3.md
+++ b/hardware/server/marcos/v3.md
@@ -24,6 +24,40 @@ tubman has 2x8TB, 2x4TB and 2xSSD, can't fit inside this build without
 an expansion card or moving data from 8/4TB into 12TB. or by using a
 new NVMe drive.
 
+marcos was put online in the new case on 2026-02-13. the impact on the
+disk temperature was immediate and clear, going from a max of about 80
+degrees Celsius to about 38-48:
+
+[[!img grafana-temp-dashboard.png alt="plot of disk temperatures, ranging from 60 to 80 degrees celcius before to 38-48 after"]]
+
+The box is full. 4 of the 5 front physical hard disk slots are taken,
+but there's no room for a 5th drive because there are only 4 SATA
+connectors on board, and the PCIe slot is taken by the NVMe adapter,
+because there's only one NVMe slot on board.
+
+Having a board with either two onboard NVMe slots, more SATA slots, or
+PCIe slots would have been a better use of that case.
+
+# Specifications
+
+This is essentially a copy of the "iteration 7" below, but surfaced
+here for future maintenance and clarity.
+
+| Component              | Model                                                                                                                                                           | Price @ supplier                                                                                                                                                           |
+|------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| **CPU**                | [AMD Ryzen 5 5500GT 3.6 GHz 6-Core Processor](https://www.amd.com/en/support/downloads/drivers.html/processors/ryzen/ryzen-5000-series/amd-ryzen-5-5500gt.html) | [$159.99 @ Best Buy Canada](https://ca.pcpartpicker.com/product/VcvD4D/amd-ryzen-5-5500gt-36-ghz-6-core-processor-100-100001489box)                                        |
+| **Motherboard**        | [Gigabyte A520I AC Mini ITX AM4 Motherboard](https://download.gigabyte.com/FileList/Manual/mb_manual_a520i-ac_1402_e.pdf?v=59849968edde4af54c38e4c0c1bf2ea6)    | [$171.99 @ PC-Canada](https://ca.pcpartpicker.com/product/s6tKHx/gigabyte-a520i-ac-mini-itx-am4-motherboard-a520i-ac)                                                      |
+| **Memory**             | Kingston ValueRAM 16 GB (1 x 16 GB) DDR4-3200 CL22 Memory                                                                                                       | [$70.00 @ Vuugo](https://ca.pcpartpicker.com/product/tz2bt6/kingston-valueram-16-gb-1-x-16-gb-ddr4-3200-cl22-memory-kvr32n22s816)                                          |
+| **Storage**            | 2 x 8TB Ironwolf                                                                                                                                                | from marcos                                                                                                                                                                |
+| **Storage**            | 2 x 1TB Samsung and Intel blue NVMe                                                                                                                             | from marcos                                                                                                                                                                |
+| **Case**               | [Jonsbo N2 Mini ITX Desktop Case](https://www.jonsbo.com/en/products/N2Black.html)                                                                              | [$243.00 @ Newegg Sellers](https://ca.pcpartpicker.com/product/FtVmP6/jonsbo-n2-mini-itx-desktop-case-n2-black)                                                            |
+| **Power Supply**       | [Silverstone SFX 500 W 80+ Gold Certified Fully Modular SFX Power Supply](https://www.silverstonetek.com/en/product/info/power-supplies/ST30SF/)                | [$173.26 @ Amazon Canada](https://ca.pcpartpicker.com/product/vrH48d/silverstone-sfx-500-w-80-gold-certified-fully-modular-sfx-power-supply-sst-sx500-lg)                  |
+| **Case Fan**           | [Noctua A12x15 PWM 55.44 CFM 120 mm Fan](https://www.noctua.at/en/products/nf-a12x15-pwm)                                                                       | [$27.95 @ Newegg Sellers](https://ca.pcpartpicker.com/product/rhQRsY/noctua-nf-a12x15-pwm-942-cfm-120mm-fan-nf-a12x15-pwm)                                                 |
+| **SATA cabling**       | 6x elbowed SATA cables                                                                                                                                          | [29.99$ @ Amazon  Canada](https://www.amazon.ca/ADCAUDX-SATA-III-Cable-Right-Angle-Server-Raid/dp/B0B1CZHXZ1)                                                              |
+| **USB-E adapter**      | USB "E" connector to 20-pin USB 3.2 connector                                                                                                                   | [15.99$ @ Amazon  Canada](https://www.amazon.ca/EZDIY-FAB-USB3-1-Internal-Degrees-Adapter/dp/B0B5D5GZX9)                                                                   |
+| **USB-3 adapter**      | 20-pin USB-3.0 to 9-pin USB-2 converter                                                                                                                         | [14.99$ @ Amazon  Canada](https://www.amazon.ca/gp/product/B0816C3ZV6?linkId=59fd3489f37c115eb4eb30b8b1e6a56f&language=en_US)                                              |
+| **NVMe PCI-e adapter** | Maiwo KT058 RGB Design PCIe x16 to NVMe                                                                                                                         | [$9.99 @ Canada Computers](https://www.canadacomputers.com/en/m-2-sata-controller-cards/255786/maiwo-kt058-rgb-design-pcie-x16-to-nvme-ssd-expansion-converter-kt058.html) |
+
 # Next steps
 
 - build issues:
@@ -35,19 +69,9 @@ new NVMe drive.
 - [x] figure out which machine and disk goes where
   - box-02 will be remote, box-01 will be local... i meant it the
     other way, but installed the kvm on box-02 because it was closer
-- [ ] marcos replacement
-  - [ ] label marcos2 (box-01)
-  - [ ] order new 1TB SSD drive?
-  - [ ] install new SSD drive
-  - [ ] halt
-  - [ ] move *one* NVMe drive
-  - [ ] install two old 8TB drives
-  - [ ] move the two 8TB drives
-  - [ ] boot the new box
-  - [ ] nano-kvm-pcie order
-  - [ ] nano-kvme-pcie installation
+- [x] marcos replacement
 - [x] tubman replacement
-  - [ ] label tubman2 (box-02)
+  - [x] label tubman2 (box-02)
   - [x] install 2x12tb drives
   - [ ] test all ports
     - front
@@ -76,9 +100,9 @@ new NVMe drive.
   - [~] remove 1x8tb drive, add 1x4tb (end result: 16TB storage)
   - [x] bring back 2x8TB and 2x4TB for tubman3
 - [ ] tubman3 setup (ex-marcos body)
-  - [ ] install new memory stick
-  - [ ] nano-kvm-pcie order
-  - [ ] nano-kvm-pcie installation
+  - [x] install new memory stick
+  - [x] ~~nano-kvm-pcie order~~
+  - [x] ~~nano-kvm-pcie installation~~
 
 # Requirements
 

diff --git a/blog/2026-02-15-kernel-only-network-configuration.md b/blog/2026-02-15-kernel-only-network-configuration.md
index 36d2c999..81b74f69 100644
--- a/blog/2026-02-15-kernel-only-network-configuration.md
+++ b/blog/2026-02-15-kernel-only-network-configuration.md
@@ -80,6 +80,18 @@ ones:
   - `off` or `none`: no autoconfiguration (static)
   - `on` or `any`: use any protocol (default)
   - `dhcp`, essentially like `on` for all intents and purposes
+- `<dns0-ip>`, `<dns1-ip>`: IP address of primary and secondary name
+  servers, exported to `/proc/net/pnp`, can by symlinked to
+  `/etc/resolv.conf`
+
+We're ignoring the options:
+
+- `<server-ip>`: IP address of the NFS server, exported to `/proc/net/pnp`
+- `<hostnname>`: Name of the client, typically sent over the DHCP
+  requests, which may lead to a DNS record to be created in some
+  networks
+- `<ntp0-ip>`: exported to `/proc/net/ipconfig/ntp_servers`, unused by
+  the kernel
 
 Note that the [Red Hat manual](https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/7/html/networking_guide/sec-configuring_ip_networking_from_the_kernel_command_line) has a different opinion:
 
@@ -190,8 +202,9 @@ Also known as: "wait, that works?" Yes, it does! That said...
     not change after boot. Of course, this won't work on laptops or
     any mobile device.
 
- 2. This only works for single interface configurations. If you have
-    multiple interfaces, bridges, VLANs, wifi, none of this will work.
+ 2. This only works for configuring a single, simple, interface. You
+    can't configure multiple interfaces, WiFi, bridges, VLAN, bonding,
+    etc.
 
  3. It does support IPv6 and feels like the best way to configure IPv6
     hosts: true zero configuration.
@@ -210,11 +223,11 @@ Also known as: "wait, that works?" Yes, it does! That said...
  6. It will not automatically reconfigure the interface on link
     changes, but `ifupdown` does not either.
 
- 7. It will *not* write a good `resolv.conf` for you, that you need to
-    configure separately. *Maybe* passing those `dns0-ip` settings
-    will work? Untested, but DNS is, after all, a mostly user-level
-    implementation (typically in `libc`), the kernel doesn't (again,
-    typically) care about DNS.
+ 7. It will *not* write `/etc/resolv.conf` for you *but* the `dns0-ip`
+    and `dns1-ip` do end up in `/proc/net/pnp` which has a compatible
+    syntax, so a common configuration is:
+    
+        ln -s /proc/net/pnp /etc/resolv.conf
 
  8. I have not really tested this [at scale](https://db.torproject.org/machines.cgi): only a single, test
     server at home. 

diff --git a/blog/2026-02-15-kernel-only-network-configuration.md b/blog/2026-02-15-kernel-only-network-configuration.md
index e62eeae7..36d2c999 100644
--- a/blog/2026-02-15-kernel-only-network-configuration.md
+++ b/blog/2026-02-15-kernel-only-network-configuration.md
@@ -1,7 +1,5 @@
 [[!meta title="Kernel-only network configuration on Linux"]]
 
-[[!toc levels=3]]
-
 What if I told you there is a way to configure the network on any
 Linux server that:
 
@@ -14,6 +12,8 @@ Linux server that:
 It has literally 8 different caveats on top of that, but is still
 totally worth your time.
 
+[[!toc levels=3]]
+
 # Known options in Debian
 
 People following Debian development might have noticed there are now
@@ -244,6 +244,5 @@ This whole idea came from the [A/I](https://www.autistici.org/) folks (not to be
 
 [[!tag debian-planet python-planet debian sysadmin network]]
 
-
 <!-- posted to the federation on 2026-02-15T23:18:35.829447 -->
-[[!mastodon "https://kolektiva.social/@Anarcat/116078380029066513"]]
\ No newline at end of file
+[[!mastodon "https://kolektiva.social/@Anarcat/116078380029066513"]]

diff --git a/blog/2026-02-15-kernel-only-network-configuration.md b/blog/2026-02-15-kernel-only-network-configuration.md
index 399e445c..e62eeae7 100644
--- a/blog/2026-02-15-kernel-only-network-configuration.md
+++ b/blog/2026-02-15-kernel-only-network-configuration.md
@@ -1,5 +1,7 @@
 [[!meta title="Kernel-only network configuration on Linux"]]
 
+[[!toc levels=3]]
+
 What if I told you there is a way to configure the network on any
 Linux server that:
 

diff --git a/blog/2026-02-15-kernel-only-network-configuration.md b/blog/2026-02-15-kernel-only-network-configuration.md
index 89acc69c..399e445c 100644
--- a/blog/2026-02-15-kernel-only-network-configuration.md
+++ b/blog/2026-02-15-kernel-only-network-configuration.md
@@ -241,3 +241,7 @@ This whole idea came from the [A/I](https://www.autistici.org/) folks (not to be
 [AI](https://en.wikipedia.org/wiki/Bullshit)) who have been doing this forever, thanks!
 
 [[!tag debian-planet python-planet debian sysadmin network]]
+
+
+<!-- posted to the federation on 2026-02-15T23:18:35.829447 -->
+[[!mastodon "https://kolektiva.social/@Anarcat/116078380029066513"]]
\ No newline at end of file

diff --git a/blog/2026-02-15-kernel-only-network-configuration.md b/blog/2026-02-15-kernel-only-network-configuration.md
new file mode 100644
index 00000000..89acc69c
--- /dev/null
+++ b/blog/2026-02-15-kernel-only-network-configuration.md
@@ -0,0 +1,243 @@
+[[!meta title="Kernel-only network configuration on Linux"]]
+
+What if I told you there is a way to configure the network on any
+Linux server that:
+
+ 1. works across all distributions
+ 2. doesn't require any software installed apart from the kernel and a
+    boot loader (no `systemd-networkd`, `ifupdown`, `NetworkManager`,
+    nothing)
+ 3. is backwards compatible all the way back to Linux 2.0, in 1996
+
+It has literally 8 different caveats on top of that, but is still
+totally worth your time.
+
+# Known options in Debian
+
+People following Debian development might have noticed there are now
+*four* ways of configuring the network Debian system. At least that is
+what the [Debian wiki claims](https://wiki.debian.org/NetworkConfiguration#A4_ways_to_configure_the_network), namely:
+
+* `ifupdown` (`/etc/network/interfaces`): traditional static
+  configuration system, mostly for workstations and servers that has
+  been there forever in Debian (since [at least 2000](https://sources.debian.org/src/ifupdown/0.8.45/debian/changelog#L1948-L1952)), documented
+  [in the Debian wiki](https://wiki.debian.org/NetworkConfiguration)
+
+* [NetworkManager](https://networkmanager.dev/): self-proclaimed "standard Linux network
+  configuration", mostly used on desktops but technically supports
+  servers as well, see the [Debian wiki page]() (introduced in 2004)
+
+* `systemd-network`: used more for servers, see [Debian reference Doc
+  Chapter 5](https://www.debian.org/doc/manuals/debian-reference/ch05.en.html#_the_modern_network_configuration_without_gui) (introduced some time around Debian 8 "jessie", in
+  2015)
+
+* [Netplan](https://netplan.io/): latest entry (2018), YAML-based configuration
+  abstraction layer on top of the above two, see also [Debian
+  reference Doc Chapter 5](https://www.debian.org/doc/manuals/debian-reference/ch05.en.html#_the_modern_network_configuration_for_cloud) and [the Debian wiki](https://wiki.debian.org/Netplan)
+
+At this point, I feel `ifupdown` is on its way out, possibly replaced
+by `systemd-networkd`. NetworkManager already manages most desktop
+configurations.
+
+# A "new" network configuration system
+
+The method is this:
+
+* `ip=` on the [Linux kernel command line][nfsroot.txt]: for servers with a
+  single IPv4 or IPv6 address, no software required other than the
+  kernel and a boot loader (since 2002 or older)
+
+> So by "new" I mean "new to me". This option is *really* old. The
+> `nfsroot.txt` where it is documented predates the git import of the
+> Linux kernel: it's part of the 2005 git import of 2.6.12-rc2. That's
+> already 20+ years old already.
+>
+> The oldest trace I found is in this [2002 commit](https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git/commit/Documentation/nfsroot.txt?id=7a2deb32924142696b8174cdf9b38cd72a11fc96), which imports
+> the whole file at once, but the option might goes back as far as
+> 1996-1997, if the copyright on the file is correct and the option
+> was present back then.
+
+# What are you doing.
+
+The trick is to add an `ip=` parameter to the kernel's
+command-line. The syntax, as mentioned above, is in [nfsroot.txt][]
+and looks like this:
+
+    ip=<client-ip>:<server-ip>:<gw-ip>:<netmask>:<hostname>:<device>:<autoconf>:<dns0-ip>:<dns1-ip>:<ntp0-ip>
+
+[nfsroot.txt]: https://docs.kernel.org/admin-guide/nfs/nfsroot.html
+
+Most settings are pretty self-explanatory, if you ignore the useless
+ones:
+
+- `<client-ip>`: IP address of the server
+- `<gw-ip>`: address of the gateway
+- `<netmask>`: netmask, in quad notation
+- `<device>`: interface name, if multiple available
+- `<autoconf>`: how to configure the interface, namely:
+  - `off` or `none`: no autoconfiguration (static)
+  - `on` or `any`: use any protocol (default)
+  - `dhcp`, essentially like `on` for all intents and purposes
+
+Note that the [Red Hat manual](https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/7/html/networking_guide/sec-configuring_ip_networking_from_the_kernel_command_line) has a different opinion:
+
+    ip=[<server-id>]:<gateway-IP-number>:<netmask>:<client-hostname>:inteface:[dhcp|dhcp6|auto6|on|any|none|off]
+
+It's essentially the same (although `server-id` is weird), and the
+`autoconf` variable has other settings, so that's a bit odd.
+
+# Examples
+
+For example, this command-line setting:
+
+    ip=192.0.2.42::192.0.2.1:255.255.255.0:::off
+
+... will set the IP address to 192.0.2.42/24 and the gateway to
+192.0.2.1. This will properly guess the network interface if there's a
+single one.
+
+A DHCP only configuration will look like this:
+
+    ip=::::::dhcp
+
+Of course, you don't want to type this by hand every time you boot the
+machine. That wouldn't work. You need to configure the kernel
+commandline, and that depends on your boot loader.
+
+## GRUB
+
+With GRUB, you need to edit (on Debian), the file `/etc/default/grub`
+(ugh) and find a line like:
+
+    GRUB_CMDLINE_LINUX=
+
+and change it to:
+
+    GRUB_CMDLINE_LINUX=ip=::::::dhcp
+
+## systemd-boot and UKI setups
+
+For `systemd-boot` UKI setups, it's simpler: just add the setting to
+the `/etc/kernel/cmdline` file. Don't forget to include anything
+that's non-default from `/proc/cmdline`.
+
+This assumes that is the `Cmdline=@` setting in
+`/etc/kernel/uki.conf`. See [[2025-08-20-luks-ukify-conversion]] for
+my minimal documentation on this.
+
+## Other systems
+
+This is perhaps where this is much less portable than it might first
+look, because of course each distribution has its own way of
+configuring those options. Here are some that I know of:
+
+- [Arch](https://wiki.archlinux.org/title/Kernel_parameters) (11 options, mostly `/etc/default/grub`,
+  `/boot/loader/entries/arch.conf` for `systemd-boot` or
+  `/etc/kernel/cmdline` for UKI)
+- [Fedora](https://fedoramagazine.org/setting-kernel-command-line-arguments-with-fedora-30/) (mostly `/etc/default/grub`, may be more [RHEL mentions
+  grubby](https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/managing_monitoring_and_updating_the_kernel/configuring-kernel-command-line-parameters_managing-monitoring-and-updating-the-kernel), possibly some `systemd-boot` things here as well)
+- [Gentoo](https://wiki.gentoo.org/wiki/Kernel/Command-line_parameters) (5 options, mostly `/etc/default/grub`,
+  `/efi/loader/entries/gentoo-sources-kernel.conf` for `systemd-boot`,
+  or `/etc/kernel/install.d/95-uki-with-custom-opts.install`)
+
+It's interesting that `/etc/default/grub` is consistent across all
+distributions above, while the `systemd-boot` setups are *all over the
+place* (except for the UKI case), while I would have expected those be
+*more* standard than GRUB.
+
+## dropbear-initramfs
+
+If `dropbear-initramfs` is setup, it already *requires* you to have
+such a configuration, and it might not work out of the box.
+
+This is because, by default, it *disables* the interfaces configured
+in the kernel after completing its tasks (typically unlocking the
+encrypted disks).
+
+To fix this, you need to *disable* that "feature":
+
+    IFDOWN="none"
+
+This will keep `dropbear-initramfs` from disabling the configured
+interface.
+
+# Why?
+
+Traditionally, I've always setup my servers with `ifupdown` on servers
+and NetworkManager on laptops, because that's essentially the
+default. But on some machines, I've started using `systemd-networkd`
+because `ifupdown` has ... issues, particularly with reloading network
+configurations. `ifupdown` is a old hack, feels like legacy, and is
+Debian-specific.
+
+Not excited about configuring another service, I figured I would try
+something else: just configure the network at boot, through the kernel
+command-line.
+
+I was already doing such configurations for [dropbear-initramfs](https://packages.debian.org/unstable/dropbear-initramfs)
+(see [this documentation](https://wiki.debian.org/DropBear)), which requires the network the be up
+for unlocking the full-disk encryption keys.
+
+So in a sense, this is a "Don't Repeat Yourself" solution.
+
+# Caveats
+
+Also known as: "wait, that works?" Yes, it does! That said...
+
+ 1. This is useful for servers where the network configuration will
+    not change after boot. Of course, this won't work on laptops or
+    any mobile device.
+
+ 2. This only works for single interface configurations. If you have
+    multiple interfaces, bridges, VLANs, wifi, none of this will work.
+
+ 3. It does support IPv6 and feels like the best way to configure IPv6

(Diff truncated)

diff --git a/blog/list-tags.sh b/blog/list-tags.sh
index 7ffc21d1..01f3d83e 100644
--- a/blog/list-tags.sh
+++ b/blog/list-tags.sh
@@ -1,6 +1,2 @@
 #! /bin/sh
 grep -P -h '(?<!\\)\[\[!tag' *.mdwn | sed 's/\[\[!tag//g;s/\]\]//g;s/"//g;s/ /\n/g' | sort | grep . | uniq -c | sort -n
-
-
-<!-- posted to the federation on 2026-02-14T16:00:31.425403 -->
-[[!mastodon "https://kolektiva.social/@Anarcat/116070995150232838"]]
\ No newline at end of file

diff --git a/blog/list-tags.sh b/blog/list-tags.sh
index 01f3d83e..7ffc21d1 100644
--- a/blog/list-tags.sh
+++ b/blog/list-tags.sh
@@ -1,2 +1,6 @@
 #! /bin/sh
 grep -P -h '(?<!\\)\[\[!tag' *.mdwn | sed 's/\[\[!tag//g;s/\]\]//g;s/"//g;s/ /\n/g' | sort | grep . | uniq -c | sort -n
+
+
+<!-- posted to the federation on 2026-02-14T16:00:31.425403 -->
+[[!mastodon "https://kolektiva.social/@Anarcat/116070995150232838"]]
\ No newline at end of file

diff --git a/blog/2026-02-12-recording-decisions.md b/blog/2026-02-12-recording-decisions.md
index d8f69e64..8576c4a6 100644
--- a/blog/2026-02-12-recording-decisions.md
+++ b/blog/2026-02-12-recording-decisions.md
@@ -1,20 +1,22 @@
 [[!meta title="Recording better decisions"]]
 
 In the Tor Project system Administrator's team (colloquially known as
-TPA), we've recently changed how we take and record decisions, which
-means you'll get clearer communications from us.
+TPA), we've recently changed how we take decisions, which means you'll
+get clearer communications from us about upcoming changes or
+*targeted* questions about a proposal.
 
-We had traditionally been using a "RFC" ("Request For Comments")
-process and have recently switched to "ADR" ("Architecture Decision
-Record"), a process which your team could use as well.
-
-The immediate impact of this is you are less likely to see long,
-obscure, "TPA-RFC" emails from us. What you should expect are clearer
-communications about upcoming changes or *targeted* questions about a
-*pending* ADR, requiring specific input from you.
+Note that this change only affects the TPA team. At Tor, each team has
+its own way of coordinating and making decisions, and so far this
+process is only used inside TPA. We encourage other teams inside and
+outside Tor to evaluate this process to see if it might help improve
+your processes and documentation.
 
 # The new process
 
+We had traditionally been using a "RFC" ("Request For Comments")
+process and have recently switched to "ADR" ("Architecture Decision
+Record").
+
 The ADR process is, for us, pretty simple. It consists of three
 things:
 
@@ -24,10 +26,10 @@ things:
 
 ## The template
 
-The first thing I did was to propose a new template (in [ADR-100][]),
-a variation of the [Nygard template][]. The [TPA variation of the
-template][] is quite simple, as it has only 5 headings, and is worth
-quoting in full:
+As team lead, the first thing I did was to propose a new template (in
+[ADR-100][]), a variation of the [Nygard template][]. The [TPA
+variation of the template][] is similarly simple, as it has only 5
+headings, and is worth quoting in full:
 
  [ADR-100]: https://gitlab.torproject.org/tpo/tpa/team/-/wikis/policy/0100-adr-template
  [Nygard template]: https://github.com/joelparkerhenderson/architecture-decision-record/blob/main/locales/en/templates/decision-record-template-by-michael-nygard/index.md
@@ -44,10 +46,8 @@ quoting in full:
 - **More Information** (optional): What else should we know? For
   larger projects, consider including a timeline and cost estimate,
   along with the impact on affected users (perhaps including existing
-  Personas).
-
-  Generally, this includes a short evaluation of various alternatives
-  considered.
+  Personas). Generally, this includes a short evaluation of
+  alternatives considered.
 
 - **Metadata**: status, decision date, decision makers, consulted,
   informed users, and link to a discussion forum
@@ -61,7 +61,7 @@ easier to read and digest at one glance.
 An immediate effect of this is that I've started using GitLab issues
 more for comparisons and brainstorming. Instead of dumping in a
 document all sorts of details like pricing or in-depth alternatives
-comparison, those are recorded in the discussion issue, keeping the
+comparison, we record those in the discussion issue, keeping the
 document shorter.
 
 ## The process
@@ -73,21 +73,19 @@ well:
 > ones by email. A delay allows people to submit final comments before
 > adoption.
 
-Now, of course, the devil is in the details (and [ADR-101][] has
-those, in the "More information" section, obviously), but the point is
-to keep things SIMPLE.
+Now, of course, the devil is in the details (and [ADR-101][]), but the
+point is to keep things SIMPLE.
 
  [ADR-101]: https://gitlab.torproject.org/tpo/tpa/team/-/wikis/policy/0101-adr-process
 
 A crucial aspect of the proposal, which Jacob Kaplan-Moss calls the
 [one weird trick][], is to "decide who decides". Our previous process
 was vague about who makes the decision and the new template (and
-process) more clearly defines how to define that person, for each
-decision.
+process) clarifies decision makes, for each decision.
 
  [one weird trick]: https://jacobian.org/2023/dec/5/how-to-decide/
 
-Inversely, many decisions degenerate into endless discussions around
+Inversely, some decisions degenerate into endless discussions around
 trivial issues because *too many* stakeholders are consulted, a
 problem known as the [Law of triviality][], also known as the "Bike
 Shed syndrome".
@@ -100,10 +98,9 @@ The new process better identifies stakeholders:
 - "consulted" (previously undefined!)
 - "decision maker" (instead of the vague "approval")
 
-It is still tricky to figure out those stakeholders, but our
-definitions are at least more explicit, and more aligned to the
-classic [RACI matrix][] (Responsible, Accountable, Consulted,
-Informed).
+Picking those stakeholders is still tricky, but our definitions are
+more explicit and aligned to the classic [RACI matrix][] (Responsible,
+Accountable, Consulted, Informed).
 
  [RACI matrix]: https://en.wikipedia.org/wiki/Responsibility_assignment_matrix
 
@@ -111,20 +108,20 @@ Informed).
 
 Finally, a crucial part of the process (by [ADR-102][]) is to decouple
 the act of making and recording decisions from *communicating* about
-the decision. Those are two *radically* different problems to solve
-and a single document can't serve both purposes.
+the decision. Those are two *radically* different problems to
+solve. We have found that a single document can't serve both purposes.
 
 [ADR-102]: https://gitlab.torproject.org/tpo/tpa/team/-/wikis/policy/0102-adr-communications
 
 Because ADRs can affect a wide range of things, we don't have a
-specific template. At most we advise to follow the [Five Ws][] method
-(Who? What?  When? Where? Why?) and, again, keep things simple.
+specific template for communications. We suggest the [Five Ws][]
+method (Who? What?  When? Where? Why?) and, again, to keep things simple.
 
  [Five Ws]: https://en.wikipedia.org/wiki/Five_Ws
 
 # How we got there
 
-The [ADR process][] is not something we invented. I first stumbled
+The [ADR process][] is not something I invented. I first stumbled
 upon it in the [Thunderbird Android project][]. Then, in parallel, I
 was in the [process of reviewing the RFC process we had previously
 adopted][], following Jacob Kaplan-Moss's [criticism of the RFC
@@ -133,19 +130,26 @@ process][]. Essentially, Kaplan-Moss argues that:
  [process of reviewing the RFC process we had previously adopted]: https://gitlab.torproject.org/tpo/tpa/team/-/issues/41428
  [Thunderbird Android project]: https://github.com/thunderbird/thunderbird-android/blob/be2af5c6a0bce08385fc3f654c1185ccf9db3859/docs/architecture/adr/README.md
 
-1. the RFC process "doesn’t include any sort of decision-making framework"
+1. the RFC process "doesn't include any sort of decision-making framework"
 2. "RFC processes tend to lead to endless discussion"
 3. the process "rewards people who can write to exhaustion"
 4. "these processes are insensitive to expertise", "power dynamics and
    power structures"
 
 And, indeed, I have been guilty of a lot of those issues. A verbose
-writer, I have written extremely long proposals that I doubt anyone
-has read in full. Many proposals were adopted by exhaustion, or
-ignored because not looping in the right stakeholders. Our [discussion
-issue][] on the topic has more details on the issues I found with our
-RFC process but we should also note the RFC process *did* serve us
-well while it was there: it's better than nothing!
+writer, I have written [extremely long proposals][] that I doubt anyone
+has read in full. Some proposals were adopted by exhaustion, or
+ignored because not looping in the right stakeholders.
+
+ [extremely long proposals]: https://gitlab.torproject.org/tpo/tpa/team/-/wikis/policy/tpa-rfc-33-monitoring
+
+Our [discussion issue][] on the topic has more details on the issues I
+found with our RFC process. But to give credit to the old process, it
+did serve us well while it was there: it's better than nothing, and it
+allowed us to document a staggering number of changes and decisions
+([95 RFCs][]!) made over the course of 6 years of work.
+
+ [95 RFCs]: https://gitlab.torproject.org/tpo/tpa/team/-/wikis/policy
 
  [criticism of the RFC process]: https://jacobian.org/2023/dec/1/against-rfcs/
  [ADR process]: https://adr.github.io/
@@ -153,10 +157,8 @@ well while it was there: it's better than nothing!
 
 # What's next?
 
-This new process was adopted at the end of December 2025.
-
-We're still experimenting with the communication side of things, as
-this text clearly shows. Because it's a separate step, we also have a
+We're still experimenting with the communication around decisions, as
+this text might suggest. Because it's a separate step, we also have a
 tendency to forget it or postpone it, like today's message, which
 comes a couple of months late.
 

diff --git a/blog/2026-02-12-recording-decisions.md b/blog/2026-02-12-recording-decisions.md
new file mode 100644
index 00000000..d8f69e64
--- /dev/null
+++ b/blog/2026-02-12-recording-decisions.md
@@ -0,0 +1,176 @@
+[[!meta title="Recording better decisions"]]
+
+In the Tor Project system Administrator's team (colloquially known as
+TPA), we've recently changed how we take and record decisions, which
+means you'll get clearer communications from us.
+
+We had traditionally been using a "RFC" ("Request For Comments")
+process and have recently switched to "ADR" ("Architecture Decision
+Record"), a process which your team could use as well.
+
+The immediate impact of this is you are less likely to see long,
+obscure, "TPA-RFC" emails from us. What you should expect are clearer
+communications about upcoming changes or *targeted* questions about a
+*pending* ADR, requiring specific input from you.
+
+# The new process
+
+The ADR process is, for us, pretty simple. It consists of three
+things:
+
+ 1. a simpler template
+ 2. a simpler process
+ 3. communication guidelines separate from the decision record
+
+## The template
+
+The first thing I did was to propose a new template (in [ADR-100][]),
+a variation of the [Nygard template][]. The [TPA variation of the
+template][] is quite simple, as it has only 5 headings, and is worth
+quoting in full:
+
+ [ADR-100]: https://gitlab.torproject.org/tpo/tpa/team/-/wikis/policy/0100-adr-template
+ [Nygard template]: https://github.com/joelparkerhenderson/architecture-decision-record/blob/main/locales/en/templates/decision-record-template-by-michael-nygard/index.md
+ [TPA variation of the template]: https://gitlab.torproject.org/tpo/tpa/team/-/wikis/policy/template
+
+- **Context**: What is the issue that we're seeing that is motivating
+  this decision or change?
+
+- **Decision**: What is the change that we're proposing and/or doing?
+
+- **Consequences**: What becomes easier or more difficult to do
+  because of this change?
+
+- **More Information** (optional): What else should we know? For
+  larger projects, consider including a timeline and cost estimate,
+  along with the impact on affected users (perhaps including existing
+  Personas).
+
+  Generally, this includes a short evaluation of various alternatives
+  considered.
+
+- **Metadata**: status, decision date, decision makers, consulted,
+  informed users, and link to a discussion forum
+
+The [previous RFC template][] had **17** (seventeen!) headings, which
+encouraged much longer documents. Now, the decision record will be
+easier to read and digest at one glance.
+
+ [previous RFC template]: https://gitlab.torproject.org/tpo/tpa/wiki-replica/-/blob/d52de1828d3ee406996345704d12663dd30f5513/policy/template.md
+
+An immediate effect of this is that I've started using GitLab issues
+more for comparisons and brainstorming. Instead of dumping in a
+document all sorts of details like pricing or in-depth alternatives
+comparison, those are recorded in the discussion issue, keeping the
+document shorter.
+
+## The process
+
+The whole process is simple enough that it's worth quoting in full as
+well:
+
+> Major decisions are introduced to stakeholders in a meeting, smaller
+> ones by email. A delay allows people to submit final comments before
+> adoption.
+
+Now, of course, the devil is in the details (and [ADR-101][] has
+those, in the "More information" section, obviously), but the point is
+to keep things SIMPLE.
+
+ [ADR-101]: https://gitlab.torproject.org/tpo/tpa/team/-/wikis/policy/0101-adr-process
+
+A crucial aspect of the proposal, which Jacob Kaplan-Moss calls the
+[one weird trick][], is to "decide who decides". Our previous process
+was vague about who makes the decision and the new template (and
+process) more clearly defines how to define that person, for each
+decision.
+
+ [one weird trick]: https://jacobian.org/2023/dec/5/how-to-decide/
+
+Inversely, many decisions degenerate into endless discussions around
+trivial issues because *too many* stakeholders are consulted, a
+problem known as the [Law of triviality][], also known as the "Bike
+Shed syndrome".
+
+ [Law of triviality]: https://en.wikipedia.org/wiki/Bike_shedding
+
+The new process better identifies stakeholders:
+
+- "informed" users (previously "affected users")
+- "consulted" (previously undefined!)
+- "decision maker" (instead of the vague "approval")
+
+It is still tricky to figure out those stakeholders, but our
+definitions are at least more explicit, and more aligned to the
+classic [RACI matrix][] (Responsible, Accountable, Consulted,
+Informed).
+
+ [RACI matrix]: https://en.wikipedia.org/wiki/Responsibility_assignment_matrix
+
+## Communication guidelines
+
+Finally, a crucial part of the process (by [ADR-102][]) is to decouple
+the act of making and recording decisions from *communicating* about
+the decision. Those are two *radically* different problems to solve
+and a single document can't serve both purposes.
+
+[ADR-102]: https://gitlab.torproject.org/tpo/tpa/team/-/wikis/policy/0102-adr-communications
+
+Because ADRs can affect a wide range of things, we don't have a
+specific template. At most we advise to follow the [Five Ws][] method
+(Who? What?  When? Where? Why?) and, again, keep things simple.
+
+ [Five Ws]: https://en.wikipedia.org/wiki/Five_Ws
+
+# How we got there
+
+The [ADR process][] is not something we invented. I first stumbled
+upon it in the [Thunderbird Android project][]. Then, in parallel, I
+was in the [process of reviewing the RFC process we had previously
+adopted][], following Jacob Kaplan-Moss's [criticism of the RFC
+process][]. Essentially, Kaplan-Moss argues that:
+
+ [process of reviewing the RFC process we had previously adopted]: https://gitlab.torproject.org/tpo/tpa/team/-/issues/41428
+ [Thunderbird Android project]: https://github.com/thunderbird/thunderbird-android/blob/be2af5c6a0bce08385fc3f654c1185ccf9db3859/docs/architecture/adr/README.md
+
+1. the RFC process "doesn’t include any sort of decision-making framework"
+2. "RFC processes tend to lead to endless discussion"
+3. the process "rewards people who can write to exhaustion"
+4. "these processes are insensitive to expertise", "power dynamics and
+   power structures"
+
+And, indeed, I have been guilty of a lot of those issues. A verbose
+writer, I have written extremely long proposals that I doubt anyone
+has read in full. Many proposals were adopted by exhaustion, or
+ignored because not looping in the right stakeholders. Our [discussion
+issue][] on the topic has more details on the issues I found with our
+RFC process but we should also note the RFC process *did* serve us
+well while it was there: it's better than nothing!
+
+ [criticism of the RFC process]: https://jacobian.org/2023/dec/1/against-rfcs/
+ [ADR process]: https://adr.github.io/
+ [discussion issue]: https://gitlab.torproject.org/tpo/tpa/team/-/issues/41428
+
+# What's next?
+
+This new process was adopted at the end of December 2025.
+
+We're still experimenting with the communication side of things, as
+this text clearly shows. Because it's a separate step, we also have a
+tendency to forget it or postpone it, like today's message, which
+comes a couple of months late.
+
+Previously, we'd just ship a copy of the RFC to everyone, which was
+easy and quick, but incomprehensible to most users. Now we need to
+write a separate communication, which is more work but, hopefully, if
+you're still reading this, it's worth it as the result is more
+digestible.
+
+We can't wait to hear what you think of the new process and how it
+works for you, here or in the [discussion issue][] of course! We're
+particularly interested in people that are already using a RFC or ADR
+process, or that will adopt one after reading this.
+
+> Note: this article was also published on the [Tor Blog](https://blog.torproject.org/tpa-adr).
+
+[[!tag tor sysadmin debian-planet python-planet documentation]]