Recent changes to this wiki. Not to be confused with my history.

Complete source to the wiki is available on gitweb or by cloning this site.

remove unreferenced scripts that are available in gitlab.com/anarcat/scripts anyways
diff --git a/software/dict_gen.py b/software/dict_gen.py
deleted file mode 100644
index d9d4b858..00000000
--- a/software/dict_gen.py
+++ /dev/null
@@ -1,117 +0,0 @@
-#! /usr/bin/python
-
-"""%prog [options]
-
-Password dictionnary generator
-
-If you know a bit what your are guessing for in a password, just
-brute forcing your way through all the keyspace is not efficient.
-
-This script allows you to focus on some combinations of words, birth
-days, and times."""
-
-import math
-import sys
-import datetime
-
-from optparse import OptionParser
-
-parser = OptionParser(usage=__doc__)
-parser.add_option("-w", "--words", dest="words",
-                  help="add list of WORDS", metavar="FILE")
-parser.add_option("-s", "--seperator", dest="sep", default=" ",
-                  help="words are seperated with SEP", metavar="SEP")
-parser.add_option("-o", "--output-seperator", dest="outsep", default=" ",
-                  help="output words are seperated with SEP", metavar="SEP")
-parser.add_option("-t", "--time", dest="time", default=False, action="store_true",
-                  help="add all possible time", metavar="TIME")
-parser.add_option("-b", "--birthday", dest="birthday", default=False, action="store_true",
-                  help="add all possible birthdays", metavar="TIME")
-parser.add_option("-e", "--epoch", dest="epoch", default=1950, type="int",
-                  help="first possible birthday YEAR", metavar="YEAR")
-
-(options, args) = parser.parse_args()
-
-if options.words:
-    words = options.words.split(options.sep)
-
-def fact(n):
-    fact = 1
-    for i in range(1,n+1):
-        fact = fact*i
-    return fact
-
-# taken from http://code.activestate.com/help/terms/
-# MIT licensed: http://www.opensource.org/licenses/mit-license.php
-def all_perms(str):
-    if len(str) <=1:
-        yield str
-    else:
-        for perm in all_perms(str[1:]):
-            for i in range(len(perm)+1):
-                #nb str[0:1] works in both string and list contexts
-                yield perm[:i] + str[0:1] + perm[i:]
-
-def all_times():
-    perms = []
-    for hour in range(23):
-        for minute in range(59):
-            perms += [ "%s%02d" % ( hour, minute ),
-                       "%sh%02d" % ( hour, minute ),
-                       "%s:%02d" % ( hour, minute ) ]
-    return perms
-
-# this is by no means all dates:
-# * we are not using seperators, which can vary a lot
-# * we are always zero-filling the days and months
-# * we are using 4-digits years
-# * we are assuming a gregorian calendar
-#
-# Additionnally, this has the following problems:
-# * it will generate duplicate items (february 2nd and 2nd of ferbruary)
-# * it will generate invalid dates (february 30th)
-# * it always uses the year
-def all_dates():
-    perms = []
-    for year in range(options.epoch, datetime.date.today().year):
-        perms += [ "%04d" % year ]
-        for month in range(12):
-            perms += [ "%02d%04d" % ( month, year ),
-                       "%02d%04d" % ( year, month ) ]
-            for day in range(31):
-                perms += [ "%02d%02d%04d" % ( day, month, year ),
-                           "%02d%02d%04d" % ( month, day, year ),
-                           "%04d%02d%02d" % ( year, month, day ),
-                           "%04d%02d%02d" % ( year, day, month ),
-                           ]
-    return perms
-
-if options.time:
-    times = all_times()
-else:
-    times = [""]
-
-if options.birthday:
-    dates = all_dates()
-else:
-    dates = [""]
-
-if options.words:
-    print "%d words submitted, %d permutations possible" % ( len(words), fact(len(words)))
-    
-    for p in all_perms(words):
-        for t in times:
-            for d in dates:
-                print options.outsep.join(p + [t + d])
-
-else:
-    for t in times:
-        for d in dates:
-            if t != "" and d != "":
-                print options.outsep.join([t, d])
-            elif t == "":
-                print d
-            elif d == "":
-                print t
-            
-                
diff --git a/software/luks_cracker.py b/software/luks_cracker.py
deleted file mode 100644
index 12ebda5d..00000000
--- a/software/luks_cracker.py
+++ /dev/null
@@ -1,168 +0,0 @@
-#! /usr/bin/perl -w
-
-# testing this script:
-# dd if=/dev/urandom of=testfile bs=1M count=10
-# losetup /dev/loop1 testfile
-# cryptsetup luksFormat /dev/loop1 (choose a trivial password)
-# ./luks_cracker -d /dev/loop1 -n 98000 < /usr/share/dict/words
-#
-# when interrupt, cryptsetup may leave the device opened, clean it up with:
-#
-# dmsetup ls
-# dmsetup remove temporary-cryptsetup-2287
-#
-
-use Fcntl;
-use Getopt::Std;
-
-sub abort {
- print "\n" . join("\n", @_);
- print "\naborting after $i attemps on passphrase $_\n";
- close(PASS); close(CRYPT); exit(1);
-}
-
-if (!getopts('cd:n:s:v')) {
-    die "invalid syntax\n";
-}
-
-$SIG{INT} = sub { abort("interrupted by user"); };
-
-open(PASS, "> pass") || 
-    die("can't open tmp pass file: $!");
-
-if ($opt_d) {
-    $dev=$opt_d;
-} else {
-    $dev = "/dev/loop0";
-}
-
-if (!$opt_s) {
-    $opt_s = 0;
-}
-
-print "Attempting to open luks filesystem on $dev\n";
-
-$i = 0;
-$rate = 1;
-$| = 1;
-
-if ($opt_v) {
-    $verbose = "";
-} else {
-    $verbose = " 2> /dev/null";
-}
-
-if (system("cryptsetup isLuks $dev") == 0) {
-    print "device seems to be a LUKS device, going ahead\n";
-} else {
-    die("this doesn't seem to be a LUKS device\n");
-}
-
-$crypt_cmd = "cryptsetup --key-file pass luksOpen $dev cracked $verbose";
-
-if ($opt_v) {
-    print "cryptsetup: $crypt_cmd\n";
-}
-$start = time();
-while (<>) {
-    chop;
-    $key = $_;
-    $i++;
-    # skip requested lines, to allow resuming

(Diff truncated)
long overdue sync of my xmonad config
diff --git a/software/desktop/xmonad.hs b/software/desktop/xmonad.hs
index b9360872..00b99048 100644
--- a/software/desktop/xmonad.hs
+++ b/software/desktop/xmonad.hs
@@ -4,14 +4,14 @@
 
 -- requirements:
 -- dmenu (from suckless-tools)
--- xmobar
+-- taffybar
 -- xmonad
 -- xmonad-contrib
 -- trayer
 -- libnotify-bin (optional)
 --
 -- the following config files should be installed along with this one
--- .xmobarrc
+-- .config/taffybar/taffybar.hs
 -- .xmonad/xmonad-session-rc
 
 -- originally copied from clint's config at
@@ -58,13 +58,17 @@ import XMonad
 import XMonad.Hooks.DynamicLog
 -- avoid tiling docks
 import XMonad.Hooks.ManageDocks
--- ignore urgency warnings, xmobar will take care of it
+-- ignore urgency warnings, taffybar will take care of it
 -- source: https://braincrater.wordpress.com/2009/03/14/pimp-your-xmonad-4-urgency-hooks/
 import XMonad.Hooks.UrgencyHook
 -- window settings presets helper
 import XMonad.Hooks.ManageHelpers (isFullscreen, doFullFloat, composeOne, (-?>))
 import XMonad.Hooks.FadeWindows (isFloating)
 
+-- for the status bar (taffybar)
+import XMonad.Hooks.EwmhDesktops        (ewmh)
+import System.Taffybar.Hooks.PagerHints (pagerHints)
+
 -- for the confirm hook
 import Control.Monad(when)
 -- to communicate with dmenu
@@ -100,7 +104,7 @@ import XMonad.Prompt.Window (windowPromptBringCopy)
 import XMonad.Prompt.XMonad (xmonadPrompt)
 
 -- to make windows "sticky" on all desktops (mod-v/V)
-import XMonad.Actions.CopyWindow (copyToAll,killAllOtherCopies,kill1)
+import XMonad.Actions.CopyWindow (wsContainingCopies,copyToAll,killAllOtherCopies,kill1)
 -- to toggle between workspaces
 import XMonad.Actions.CycleWS
 
@@ -115,6 +119,9 @@ import XMonad.Hooks.ManageHelpers
 import System.IO
 import System.Exit
 
+-- for "All"
+import Data.Monoid
+
 -- float some windows by default
 myManageHook = composeAll
     [ manageDocks
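Review bot: The added `import Data.Monoid` pulls the whole module into scope, although the comment says it is only needed for `All`. Writing `import Data.Monoid (All(..))` makes that dependency explicit and keeps names such as `First`, `Last` or `Sum` from clashing with anything else the config defines or imports.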
@@ -130,12 +137,13 @@ myManageHook = composeAll
     , className =? "gm display" --> doFloat
     , className =? "mpv"        --> doFloat
     , className =? "mplayer"    --> doFloat
+    , className =? "SafeEyes"    --> doFloat
+    , className =? "safeeyes"    --> doFloat
+    , title =? "pop-up"         --> doFloat
     -- do not focus notify output
     , className =? "Xfce4-notifyd" --> doIgnore
     ]
 
-myBar = "xmobar"
-
 -- solarized color theme
 colorBlack           = "#002b36" -- base03
 colorDarkGray        = "#073642" -- base02
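Review bot: The added rule `title =? "pop-up" --> doFloat` matches on the window title alone, which each client sets itself, so any window that happens to carry that generic title is floated too. If the rule targets one application, tie it to that application's class, e.g. `(className =? "<app class>" <&&> title =? "pop-up") --> doFloat` (placeholder class name), and add a comment naming the application. The `SafeEyes`/`safeeyes` pair would also benefit from a one-line comment saying why both spellings are listed.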
@@ -156,16 +164,6 @@ myXPConfig = defaultXPConfig { bgColor     = colorBlack
                              , position    = Top
                              }
 
--- pretty-print the xmobar
--- XXX: should really be in the xmobar config to avoid tangling those
--- things up
-myPP :: PP
-myPP = xmobarPP { ppCurrent = xmobarColor colorYellow ""
-                , ppTitle   = xmobarColor colorGreen  "" . shorten 40
-                , ppVisible = wrap "(" ")"
-                , ppUrgent = xmobarColor colorYellow colorRed
-                }
-
 myLayoutHook  = avoidStruts layouts
     where
         -- layouts list
@@ -209,9 +207,6 @@ scratchpads =
 -- define "windows key" as "mod"
 modm = mod4Mask
 
--- toggle for hiding "struts" (e.g. xmobar status bar)
-toggleStrutsKey XConfig {XMonad.modMask = modMask} = (modMask, xK_b)
-
 -- the opposite of kill1: if a window is in multiple workspaces, delete it here, if not, do nothing
 -- there has to be a simpler way...
 killsoft :: X ()
@@ -219,23 +214,71 @@ killsoft = do ss <- gets windowset
               whenJust (W.peek ss) $ \w -> when (W.member w $ delete'' w ss) $ windows $ delete'' w
        where delete'' w = W.modify Nothing (W.filter (/= w))
 
+-- | handle X client messages that tell Xmonad to make a window appear
+-- on all workspaces
+--
+-- this should really be using _NET_WM_STATE and
+-- _NET_WM_STATE_STICKY. but that's more complicated: then we'd need
+-- to inspect a window and figure out the current state and act
+-- accordingly. I am not good enough with Xmonad to figure out that
+-- part yet.
+--
+-- Instead, just check for the relevant message and check if the
+-- focused window is already on all workspaces and toggle based on
+-- that.
+--
+-- this is designed to interoperate with Emacs's writeroom-mode module
+-- and called be called from elisp with:
+--
+-- (x-send-client-message nil 0 nil "XMONAD_COPY_ALL_SELF" 8 '(0))
+toggleStickyEventHook :: Event -> X All
+toggleStickyEventHook (ClientMessageEvent {ev_message_type = mt, ev_data = dt}) = do
+  dpy <- asks display
+  -- the client message we're expecting
+  copyAllMsg <- io $ internAtom dpy "XMONAD_COPY_ALL_SELF" False
+  -- if the event matches the message we expect, toggle sticky state
+  when (mt == copyAllMsg && dt /= []) $ do
+    copyToAllToggle
+  -- we processed the event completely
+  return $ All True
+-- ignore other messages
+toggleStickyEventHook _ = return $ All True
+
+-- | Toggle between "copyToAll" or "killAllOtherCopies". Copies to all
+-- workspaces, or remove from all other workspaces, depending on
+-- previous state (checked with "wsContainingCopies").
+copyToAllToggle :: X ()
+copyToAllToggle = do
+    -- check which workspaces have copies
+    copies <- wsContainingCopies
+    if null copies
+      then windows copyToAll -- no workspaces, make sticky
+      else killAllOtherCopies -- already other workspaces, unstick
+
+
 -- main config declaration
 myConfig = defaultConfig {
          modMask = modm
        , normalBorderColor = "#111111"
        , focusedBorderColor = "#333333"
        , manageHook = myManageHook
-       , terminal = "uxterm"
-       , handleEventHook = handleEventHook defaultConfig <+> fullscreenEventHook
+       , terminal = "x-terminal-emulator"
+       , handleEventHook = handleEventHook defaultConfig <+> fullscreenEventHook <+> toggleStickyEventHook
        , layoutHook = myLayoutHook
     } `additionalKeys` [
     ((noModMask         , xK_Pause), spawn "xscreensaver-command -lock")
-  , ((noModMask         , xK_Print), spawn "shutter -f")
-  , ((shiftMask         , xK_Print), spawn "shutter -w")
-  , ((controlMask       , xK_Print), spawn "shutter -s")
+  , ((noModMask         , xK_Print), spawn "snap")
+  --, ((noModMask         , xK_XF86AudioLowerVolume), spawn "amixer set Master 2-")
+  --, ((noModMask         , xK_XF86AudioRaiseVolume), spawn "amixer set Master 2+")
+  --, ((noModMask         , xK_XF86AudioMute), spawn "amixer set Master toggle")
+  , ((0                 , 0x1008ff12 ), spawn "pactl set-sink-mute 0 toggle")
+  , ((0                 , 0x1008ff11), spawn "pactl -- set-sink-volume 0 -2%")
+  , ((0                 , 0x1008ff13), spawn "pactl -- set-sink-volume 0 +2%")
+  , ((modm              , xK_Return), spawn $ XMonad.terminal defaultConfig )
   , ((modm              , xK_F12   ), xmonadPrompt      myXPConfig     )
-  , ((modm              , xK_F2    ), sshPrompt         myXPConfig     )
-  , ((modm              , xK_F3    ), shellPrompt       myXPConfig     )
+  , ((modm              , xK_F2    ), spawn "rofi -show ssh" )
+  , ((modm              , xK_F3    ), spawn "rofi -show run" )
+  , ((modm              , xK_r     ), spawn "rofi -show run" )
   , ((modm              , xK_F5    ), themePrompt       myXPConfig     )
   , ((modm              , xK_F6    ), windowPromptBringCopy myXPConfig )
   -- same, on mod-g for "grep"
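Review bot: toggleStickyEventHook toggles whichever window has focus when the event is handled, not the window that sent `XMONAD_COPY_ALL_SELF`. Any client on the display can therefore flip the sticky state of an unrelated window, and a message from Emacs lands on the wrong window if focus moves first. Binding `ev_window = win` in the pattern and calling `withFocused $ \f -> when (f == win) copyToAllToggle` would restrict it to the sender, assuming Emacs fills the event's window field with its own frame. The comment `-- we processed the event completely` also contradicts `return $ All True`, which still lets the default handler run; `-- let the default handler run as well` would match the code. Separately, the added `xK_Return` binding spawns `XMonad.terminal defaultConfig` rather than the `"x-terminal-emulator"` set just above, and the key list already has an `xK_Return` binding for `myConfig` further down, so one of the two is dead.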
@@ -248,17 +291,17 @@ myConfig = defaultConfig {
   , ((modm              , xK_f     ), toggleFloat                           )
   , ((modm              , xK_m     ), withFocused $ sendMessage . maximizeRestore )
   -- Make focused window always visible
-  , ((modm              , xK_v     ), windows copyToAll                     )
-  -- Toggle window state back
-  , ((modm .|. shiftMask, xK_v     ),  killAllOtherCopies                   )
+  , ((modm              , xK_v     ), copyToAllToggle                       )
   -- used to banish a window from the current workspace, if it's also elsewhere
   , ((modm              , xK_c     ), killsoft                                 )
   -- kill even if it's on multiple workspaces
   , ((modm .|. shiftMask, xK_c     ), kill                                  )
-  , ((modm              , xK_r     ), shellPrompt        myXPConfig         )
   , ((modm              , xK_Return), spawn $ XMonad.terminal myConfig      )
-  , ((modm              , xK_s     ), spawn "xscreensaver-command -lock; sudo pm-suspend" )
-  , ((modm .|. shiftMask, xK_h     ), confirmPrompt myXPConfig "halt" $ spawn "notify-send 'powering off...' ; sudo poweroff")
+  , ((modm .|. controlMask, xK_h     ), spawn "xscreensaver-command -lock; sudo systemctl suspend" )
+  , ((modm .|. shiftMask, xK_h     ),
+          confirmPrompt myXPConfig "hibernate?" $ spawn "xscreensaver-command -lock ; sudo systemctl hibernate")

(Diff truncated)
creating tag page tag/monkeysphere
diff --git a/tag/monkeysphere.mdwn b/tag/monkeysphere.mdwn
new file mode 100644
index 00000000..9d6c6a05
--- /dev/null
+++ b/tag/monkeysphere.mdwn
@@ -0,0 +1,4 @@
+[[!meta title="pages tagged monkeysphere"]]
+
+[[!inline pages="tagged(monkeysphere)" actions="no" archive="yes"
+feedshow=10]]

creating tag page tag/keycard
diff --git a/tag/keycard.mdwn b/tag/keycard.mdwn
new file mode 100644
index 00000000..d3575d4f
--- /dev/null
+++ b/tag/keycard.mdwn
@@ -0,0 +1,4 @@
+[[!meta title="pages tagged keycard"]]
+
+[[!inline pages="tagged(keycard)" actions="no" archive="yes"
+feedshow=10]]

creating tag page tag/openpgp
diff --git a/tag/openpgp.mdwn b/tag/openpgp.mdwn
new file mode 100644
index 00000000..457c82f2
--- /dev/null
+++ b/tag/openpgp.mdwn
@@ -0,0 +1,4 @@
+[[!meta title="pages tagged openpgp"]]
+
+[[!inline pages="tagged(openpgp)" actions="no" archive="yes"
+feedshow=10]]

Squashed commit of the following:
commit f841deeda93c8e73c6b59b72aee9f1069f288c20
Author: Antoine Beaupré <anarcat@debian.org>
Date: Mon Oct 16 20:03:57 2017 -0400
pgp offline branch ready for publication
commit 52ed2451c1d6152e7f96f928c9854244206eac84
Author: Antoine Beaupré <anarcat@debian.org>
Date: Tue Oct 3 08:55:16 2017 -0400
remove second part
commit 0c16f71953800aab9a56f2a406e5213ccfa85127
Author: Antoine Beaupré <anarcat@debian.org>
Date: Tue Oct 3 08:51:57 2017 -0400
follow upstream naming
commit 17e89762ec4739f3145f9e0a5d53da9b5691ebb6
Author: Antoine Beaupré <anarcat@debian.org>
Date: Tue Oct 3 08:51:43 2017 -0400
last change before publication
commit 140e988da8dd586160a20710eeeda0ad7db90553
Author: Antoine Beaupré <anarcat@debian.org>
Date: Mon Oct 2 19:11:10 2017 -0400
another round of fixes from jake
commit 9ff2b4671f38947b85bf084778de951bc3c7b93f
Author: Antoine Beaupré <anarcat@debian.org>
Date: Mon Oct 2 15:34:58 2017 -0400
extra changes from LWN
commit 238f6e526a2056ddfb7e59dcc19fa830ec74f5e5
Author: Antoine Beaupré <anarcat@debian.org>
Date: Fri Sep 29 17:16:35 2017 -0400
final fixes from jake
commit 10a1452fbb916f6abcda45b781a389f03e10a234
Author: Antoine Beaupré <anarcat@debian.org>
Date: Fri Sep 29 15:17:11 2017 -0400
harmonize key output and description
commit 57dc4a63b823fd09f67be3dde42a87d0753c24da
Author: Antoine Beaupré <anarcat@debian.org>
Date: Fri Sep 29 15:10:15 2017 -0400
tiny procedure fixes from LWN
commit 9a923b336a0debd86f441b4392a140128d96b6c1
Author: Antoine Beaupré <anarcat@debian.org>
Date: Fri Sep 29 14:33:51 2017 -0400
final changes after review with my previous draft
commit bcb80bc065f531cc51bcb58634919b99dc3966a1
Author: Antoine Beaupré <anarcat@debian.org>
Date: Fri Sep 29 14:25:42 2017 -0400
another round from LWN
commit 13420d95adb4de6ec04ca4159b82e012089821bc
Author: Antoine Beaupré <anarcat@debian.org>
Date: Fri Sep 29 12:15:16 2017 -0400
reimport from lwn, overwriting some of my changes
commit fe2015dd4a712449d471bc8f0f861202faecb0a7
Author: Antoine Beaupré <anarcat@debian.org>
Date: Fri Sep 29 12:09:38 2017 -0400
thorough review
commit d1140fb4c6cb54042f1a86ca1cd147b22c605778
Author: Antoine Beaupré <anarcat@debian.org>
Date: Thu Sep 28 13:22:26 2017 -0400
integrate first LWN review
commit f37d928b66711a905f32159a51db4cbb204118fe
Author: Antoine Beaupré <anarcat@debian.org>
Date: Sat Sep 23 17:26:23 2017 -0400
review first cert/token article again
commit fafab0a4d1e09ee0e585c22db5ae3d43f63fa2bd
Author: Antoine Beaupré <anarcat@debian.org>
Date: Mon Sep 18 14:13:34 2017 -0400
shove stats below
commit f2acc8e46777cb685d58e0070f2a852129ac1ccb
Author: Antoine Beaupré <anarcat@debian.org>
Date: Sun Sep 17 19:12:22 2017 -0400
fix image links
commit 0b414ac8d16c8906016a801c77ab855caf30710e
Author: Antoine Beaupré <anarcat@debian.org>
Date: Sun Sep 17 18:16:20 2017 -0400
finish first draft of second half
commit dfa6670cad579c6197ff0759a301d3e86017b34b
Author: Antoine Beaupré <anarcat@debian.org>
Date: Sat Sep 16 22:03:11 2017 -0400
quick talks notes
commit ed66c55ee013cb46445a7ec8fc83ef9adb15ec50
Author: Antoine Beaupré <anarcat@debian.org>
Date: Sat Sep 16 22:02:47 2017 -0400
rewrite first half, sent yesterday
commit 70434f4203a223158f9c9fbfaa5b630f36067d4a
Author: Antoine Beaupré <anarcat@debian.org>
Date: Sat Sep 16 22:01:48 2017 -0400
start working on second half of the keycard article
commit 390a66c013b3a27db2a95b89b560019712f7e579
Author: Antoine Beaupré <anarcat@debian.org>
Date: Fri Sep 15 10:47:44 2017 -0400
reword quote
commit 224e8f7341e4182f5dd40b41a7147bddcc669fc3
Author: Antoine Beaupré <anarcat@debian.org>
Date: Tue Sep 12 17:57:40 2017 -0400
make a first draft
commit 9d132df6ab72c9ca5b4f1be14794ffa706a9d44c
Author: Antoine Beaupré <anarcat@debian.org>
Date: Thu Aug 31 14:08:22 2017 -0400
more notes
commit 3da2972fc4f4295820671d6dfd8bf718adb1d83c
Author: Antoine Beaupré <anarcat@debian.org>
Date: Tue Aug 29 12:50:50 2017 -0400
gniibe dc14 slides
commit 03db02b391c6a286c209cd048f98cf16e1326864
Author: Antoine Beaupré <anarcat@debian.org>
Date: Tue Aug 29 10:15:56 2017 -0400
first notes on tokens review
publish the pgp-offline article from LWN
diff --git a/blog/2017-10-16-strategies-offline-pgp-key-storage.mdwn b/blog/2017-10-16-strategies-offline-pgp-key-storage.mdwn
new file mode 100644
index 00000000..b36dabc9
--- /dev/null
+++ b/blog/2017-10-16-strategies-offline-pgp-key-storage.mdwn
@@ -0,0 +1,360 @@
+[[!meta title="Strategies for offline PGP key storage"]]
+[[!meta date="2017-10-02T12:00:00-0500"]]
+[[!meta updated="2017-10-16T20:05:30-0500"]]
+
+While the adoption of [OpenPGP](http://openpgp.org/) by the general
+population is marginal at best, it is a critical component for the
+security community and particularly for Linux distributions. For
+example, every package uploaded into Debian is verified by the central
+repository using the maintainer's OpenPGP keys and the repository itself
+is, in turn, signed using a separate key. If upstream packages also use
+such signatures, this creates a complete trust path from the original
+upstream developer to users. Beyond that, pull requests for the Linux
+kernel are verified using signatures as well. Therefore, the stakes are
+high: a compromise of the release key, or even of a single maintainer's
+key, could enable devastating attacks against many machines.
+
+That has led the Debian community to develop a good grasp of best
+practices for cryptographic signatures (which are typically handled
+using [GNU Privacy Guard](http://gnupg.org/), also known as GnuPG or
+GPG). For example, weak (less than 2048 bits) and
+[vulnerable](https://lwn.net/Articles/588266/) PGPv3 keys were
+[removed](https://lists.debian.org/20150101191039.GB5209@earth.li) from
+the keyring in 2015, and there is a strong culture of cross-signing keys
+between Debian members at in-person meetings. Yet even Debian developers
+(DDs) do not seem to have established practices on how to actually store
+critical private key material, as we can see in this
+[discussion](https://lists.debian.org/debian-project/2017/08/msg00011.html)
+on the debian-project mailing list. That email boiled down to a simple
+request: can I have a "key dongles for dummies" tutorial? Key dongles,
+or keycards as we'll call them here, are small devices that allow users
+to store keys on an offline device and provide one possible solution for
+protecting private key material. In this article, I hope to use my
+experience in this domain to clarify the issue of how to store those
+precious private keys that, if compromised, could enable arbitrary code
+execution on millions of machines all over the world.
+
+Why store keys offline?
+-----------------------
+
+Before we go into details about storing keys offline, it may be useful
+to do a small reminder of how the [OpenPGP
+standard](https://tools.ietf.org/html/rfc4880) works. OpenPGP keys are
+made of a main public/private key pair, the certification key, used to
+sign user identifiers and subkeys. My public key, shown below, has the
+usual main certification/signature key (marked `SC`) but also an
+encryption subkey (marked `E`), a separate signature key (`S`), and two
+authentication keys (marked `A`) which I use as RSA keys to log into
+servers using SSH, thanks to the
+[Monkeysphere](http://monkeysphere.info/) project.
+
+        pub   rsa4096/792152527B75921E 2009-05-29 [SC] [expires: 2018-04-19]
+          8DC901CE64146C048AD50FBB792152527B75921E
+        uid                 [ultimate] Antoine Beaupré <anarcat@anarc.at>
+        uid                 [ultimate] Antoine Beaupré <anarcat@koumbit.org>
+        uid                 [ultimate] Antoine Beaupré <anarcat@orangeseeds.org>
+        uid                 [ultimate] Antoine Beaupré <anarcat@debian.org>
+        sub   rsa2048/B7F648FED2DF2587 2012-07-18 [A]
+        sub   rsa2048/604E4B3EEE02855A 2012-07-20 [A]
+        sub   rsa4096/A51D5B109C5A5581 2009-05-29 [E]
+        sub   rsa2048/3EA1DDDDB261D97B 2017-08-23 [S]
+
+All the subkeys (`sub`) and identities (`uid`) are bound by the main
+certification key using cryptographic self-signatures. So while an
+attacker stealing a private subkey can spoof signatures in my name or
+authenticate to other servers, that key can always be revoked by the
+main certification key. But if the certification key gets stolen, all
+bets are off: the attacker can create or revoke identities or subkeys as
+they wish. In a catastrophic scenario, an attacker could even steal the
+key and remove your copies, taking complete control of the key, without
+any possibility of recovery. Incidentally, this is why it is so
+important to generate a revocation certificate and store it offline.
+
+So by moving the certification key offline, we reduce the attack surface
+on the OpenPGP trust chain: day-to-day keys (e.g. email encryption or
+signature) can stay online but if they get stolen, the certification key
+can revoke those keys without having to revoke the main certification
+key as well. Note that a stolen encryption key is a different problem:
+even if we revoke the encryption subkey, this will only affect future
+encrypted messages. Previous messages *will* be readable by the attacker
+with the stolen subkey even if that subkey gets revoked, so the benefits
+of revoking encryption certificates are more limited.
+
+Common strategies for offline key storage
+-----------------------------------------
+
+Considering the security tradeoffs, some propose storing those critical
+keys offline to reduce those threats. But where exactly? In an attempt
+to answer that question, Jonathan McDowell, a member of the [Debian
+keyring maintenance team](https://wiki.debian.org/Teams/KeyringMaint),
+said that there are [three
+options](https://lists.debian.org/debian-project/2017/08/msg00054.html):
+use an external LUKS-encrypted volume, an air-gapped system, or a
+keycard.
+
+Full-disk encryption like LUKS adds an extra layer of security by hiding
+the content of the key from an attacker. Even though private keyrings
+are usually protected by a passphrase, they are easily identifiable as a
+keyring. But when a volume is fully encrypted, it's not immediately
+obvious to an attacker there is private key material on the device.
+[According](https://lists.debian.org/debian-project/2017/08/msg00148.html)
+to Sean Whitton, another advantage of LUKS over plain GnuPG keyring
+encryption is that you can pass the `--iter-time` argument when creating
+a LUKS partition to increase key-derivation delay, which makes
+brute-forcing much harder. Indeed, GnuPG 2.x [doesn't
+have](https://dev.gnupg.org/T3400) a run-time option to configure the
+key-derivation algorithm, although a
+[patch](https://dev.gnupg.org/T3399) was introduced recently to make the
+delay configurable at compile time in `gpg-agent`, which is now
+responsible for all secret key operations.
+
+The downside of external volumes is complexity: GnuPG makes it difficult
+to extract secrets out of its keyring, which makes the first setup
+tricky and error-prone. This is easier in the 2.x series thanks to the
+new storage system and the associated `keygrip` files, but it still
+requires arcane knowledge of GPG internals. It is also inconvenient to
+use secret keys stored outside your main keyring when you actually *do*
+need to use them, as GPG doesn't know where to find those keys anymore.
+
+Another option is to set up a separate air-gapped system to perform
+certification operations. An example is the [PGP clean
+room](https://wiki.debian.org/OpenPGP/CleanRoomLiveEnvironment) project,
+which is a live system based on Debian and designed by DD Daniel Pocock
+to operate an OpenPGP and X.509 certificate authority using commodity
+hardware. The basic principle is to store the secrets on a different
+machine that is never connected to the network and, therefore, not
+exposed to attacks, at least in theory. I have personally discarded that
+approach because I feel air-gapped systems provide a false sense of
+security: data eventually does need to come in and out of the system,
+somehow, even if only to propagate signatures out of the system, which
+exposes the system to attacks.
+
+System updates are similarly problematic: to keep the system secure,
+timely security updates need to be deployed to the air-gapped system. A
+common use pattern is to share data through USB keys, which introduce a
+vulnerability where attacks like
+[BadUSB](https://lwn.net/Articles/608503/) can infect the air-gapped
+system. From there, there is a multitude of exotic ways of exfiltrating
+the data using
+[LEDs](https://threatpost.com/blinking-router-leds-leak-data-from-air-gapped-networks/126199/),
+[infrared
+cameras](http://thehackernews.com/2017/09/airgap-network-malware-hacking.html),
+or the good old
+[TEMPEST](https://www.wired.com/2015/07/researchers-hack-air-gapped-computer-simple-cell-phone/)
+attack. I therefore concluded the complexity tradeoffs of an air-gapped
+system are not worth it. Furthermore, the workflow for air-gapped
+systems is complex: even though PGP clean room went a long way, it's
+still lacking even simple scripts that allow signing or transferring
+keys, which is a problem shared by the external LUKS storage approach.
+
+Keycard advantages
+------------------
+
+The approach I have chosen is to use a cryptographic keycard: an
+external device, usually connected through the USB port, that stores the
+private key material and performs critical cryptographic operations on
+the behalf of the host. For example, the [FST-01
+keycard](http://www.gniibe.org/FST-01/fst-01.html) can perform RSA and
+ECC public-key decryption without ever exposing the private key material
+to the host. In effect, a keycard is a miniature computer that performs
+restricted computations for another host. Keycards usually support
+multiple "slots" to store subkeys. The OpenPGP standard specifies there
+are three subkeys available by default: for signature, authentication,
+and encryption. Finally, keycards can have an actual physical keypad to
+enter passwords so a potential keylogger cannot capture them, although
+the keycards I have access to do not feature such a keypad.
+
+We could easily draw a parallel between keycards and an air-gapped
+system; in effect, a keycard is a miniaturized air-gapped computer and
+suffers from similar problems. An attacker can intercept data on the
+host system and attack the device in the same way, if not more easily,
+because a keycard is actually "online" (i.e. clearly not air-gapped)
+when connected. The advantage over a fully-fledged air-gapped computer,
+however, is that the keycard implements only a restricted set of
+operations. So it is easier to create an open hardware and software
+design that is audited and verified, which is much harder to accomplish
+for a general-purpose computer.
+
+Like air-gapped systems, keycards address the scenario where an attacker
+wants to get the private key material. While an attacker could fool the
+keycard into signing or decrypting some data, this is possible only
+while the key is physically connected, and the keycard software will
+prompt the user for a password before doing the operation, though the
+keycard can cache the password for some time. In effect, it thwarts
+offline attacks: to brute-force the key's password, the attacker needs
+to be on the target system and try to guess the keycard's password,
+which will lock itself after a limited number of tries. It also provides
+for a clean and standard interface to store keys offline: a single GnuPG
+command moves private key material to a keycard (the `keytocard` command
+in the `--edit-key` interface), whereas moving private key material to a
+LUKS-encrypted device or air-gapped computer is more complex.
+
+Keycards are also useful if you operate on multiple computers. A common
+problem when using GnuPG on multiple machines is how to safely copy and
+synchronize private key material among different devices, which

(fichier de différences tronqué)
it's all text is dead, vive ghosttext
diff --git a/software/desktop/firefox.mdwn b/software/desktop/firefox.mdwn
index bfbc0c2a..7a3a31b5 100644
--- a/software/desktop/firefox.mdwn
+++ b/software/desktop/firefox.mdwn
@@ -43,12 +43,12 @@ Extensions
 
 I usually have those extensions installed:
 
-* [uBlock Origin](https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/)
-  ([[!debpkg xul-ext-ublock-origin desc="debian package"]],
-  [source](https://github.com/gorhill/uBlock))
-* [it's all text!](https://addons.mozilla.org/en-US/firefox/addon/its-all-text/) ([[!debpkg xul-ext-itsalltext desc="debian package"]], [source](https://github.com/docwhat/itsalltext))
-* [uMatrix](https://addons.mozilla.org/firefox/addon/umatrix/) (no
-  debian package, [source](https://github.com/gorhill/uMatrix))
+* [uBlock Origin](https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/) ([[!debpkg xul-ext-ublock-origin desc="debian
+  package"]], [source](https://github.com/gorhill/uBlock))
+* [it's all text!](https://addons.mozilla.org/en-US/firefox/addon/its-all-text/) ([[!debpkg xul-ext-itsalltext desc="debian
+  package"]], [source](https://github.com/docwhat/itsalltext)) - now [obsolete](https://github.com/docwhat/itsalltext/issues/94), [GhostText](https://addons.mozilla.org/en-US/firefox/addon/ghosttext/) being
+  tested
+* [uMatrix](https://addons.mozilla.org/firefox/addon/umatrix/) (no debian package, [source](https://github.com/gorhill/uMatrix))
 * [wallabager](https://addons.mozilla.org/en-US/firefox/addon/wallabagger/)
   (no debian package,
   [source](https://github.com/wallabag/wallabagger)) 

expand on the kodi issues as some readers thought i was saying i was running kodi as root
diff --git a/blog/2017-10-02-free-software-activities-september-2017.mdwn b/blog/2017-10-02-free-software-activities-september-2017.mdwn
index 30dcf408..cae97242 100644
--- a/blog/2017-10-02-free-software-activities-september-2017.mdwn
+++ b/blog/2017-10-02-free-software-activities-september-2017.mdwn
@@ -269,8 +269,12 @@ media box. I simply used the following
     [Install]
     WantedBy=multi-user.target
 
-The downside of this is that it requires root to run, whereas modern X
-can run without root. Not sure how to fix this or where...
+The downside of this is that it needs Xorg to run as root, whereas
+modern Xorg can now run rootless. Not sure how to fix this or
+where... But if I put `needs_root_rights=no` in [Xwrapper.config](https://manpages.debian.org/stretch/xserver-xorg-legacy/Xorg.wrap.1.en.html),
+I get the following error in `.local/share/xorg/Xorg.1.log`:
+
+    [  2502.533] (EE) modeset(0): drmSetMaster failed: Permission denied
 
 After fooling around with [iPython](https://ipython.org/), I ended up trying
 the [xonsh shell](http://xon.sh/), which is supposed to provide a bash-compatible

creating tag page tag/restic
diff --git a/tag/restic.mdwn b/tag/restic.mdwn
new file mode 100644
index 00000000..0d2f649e
--- /dev/null
+++ b/tag/restic.mdwn
@@ -0,0 +1,4 @@
+[[!meta title="pages tagged restic"]]
+
+[[!inline pages="tagged(restic)" actions="no" archive="yes"
+feedshow=10]]

creating tag page tag/feed2exec
diff --git a/tag/feed2exec.mdwn b/tag/feed2exec.mdwn
new file mode 100644
index 00000000..d4b9f117
--- /dev/null
+++ b/tag/feed2exec.mdwn
@@ -0,0 +1,4 @@
+[[!meta title="pages tagged feed2exec"]]
+
+[[!inline pages="tagged(feed2exec)" actions="no" archive="yes"
+feedshow=10]]

monthly report first draft
diff --git a/blog/2017-10-02-free-software-activities-september-2017.mdwn b/blog/2017-10-02-free-software-activities-september-2017.mdwn
new file mode 100644
index 00000000..30dcf408
--- /dev/null
+++ b/blog/2017-10-02-free-software-activities-september-2017.mdwn
@@ -0,0 +1,292 @@
+[[!meta title="My free software activities, September 2017"]]
+
+[[!toc levels=2]]
+
+Debian Long Term Support (LTS)
+==============================
+
+This is my monthly [Debian LTS][] report. I mostly worked on the git,
+git-annex and ruby packages this month but didn't have time to
+completely use my allocated hours because I started too late in the
+month.
+
+Ruby
+----
+
+I was hoping someone would pick up the Ruby work I submitted in
+August, but it seems no one wanted to touch that mess,
+understandably. Since then, new issues came up, and not only did I
+have to work on the rubygems and ruby1.9 package, but now the ruby1.8
+package also had to get security updates. Yes: it's bad enough that
+the rubygems code is duplicated in *one* other package, but wheezy had
+the misfortune of having *two* Ruby versions supported. 
+
+The Ruby 1.9 also failed to build from source because of test suite
+issues, which I haven't found a clean and easy fix for, so I ended up
+making test suite failures non-fatal in 1.9, which they were already
+in 1.8. I did keep a close eye on changes in the test suite output to
+make sure tests introduced in the security fixes would pass and that I
+wouldn't introduce *new* regressions as well.
+
+So I published the following advisories:
+
+ * ruby 1.8: [DLA-1113-1](https://lists.debian.org/debian-lts-announce/2017/09/msg00030.html), fixing [[!debcve CVE-2017-0898]] and
+   [[!debcve CVE-2017-10784]]. 1.8 doesn't seem affected by [[!debcve
+   CVE-2017-14033]] as the provided test does not fail (but it does
+   fail in 1.9.1). test suite was, before patch:
+   
+        2199 tests, 1672513 assertions, 18 failures, 51 errors
+
+   and after patch:
+
+        2200 tests, 1672514 assertions, 18 failures, 51 errors
+
+ * rubygems: uploaded the package prepared in August as is
+   in [DLA-1112-1]( https://lists.debian.org/debian-lts-announce/2017/09/msg00031.html), fixing [[!debcve CVE-2017-0899]], [[!debcve
+   CVE-2017-0900]], [[!debcve CVE-2017-0901]]. here the test suite
+   passed normally.
+
+ * ruby 1.9: here I used the used 2.2.8 release tarball to generate
+   a patch that would cover all issues and published [DLA-1114-1]( https://lists.debian.org/debian-lts-announce/2017/09/msg00029.html)
+   that fixes the CVEs of the two packages above. the test suite was,
+   before patches:
+
+        10179 tests, 2232711 assertions, 26 failures, 23 errors, 51 skips
+
+   and after patches:
+
+        1.9 after patches (B): 10184 tests, 2232771 assertions, 26 failures, 23 errors, 53 skips
+
+Git
+---
+
+I also quickly issued an advisory ([DLA-1120-1](https://lists.debian.org/debian-lts-announce/2017/10/msg00000.html)) for [[!debcve
+CVE-2017-14867]], an odd issue affecting git in wheezy. The backport
+was tricky because it wouldn't apply cleanly and the git package had a
+custom patching system which made it tricky to work on.
+
+[Debian LTS]: https://www.freexian.com/services/debian-lts.html
+
+Git-annex
+---------
+
+I did a quick stint on git-annex as well: I was able
+to [reproduce the issue](https://lists.debian.org/87y3p0ozap.fsf@curie.anarc.at) and confirm [an approach](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873088#33) to fixing the
+issue in wheezy, although I didn't have time to complete the work
+before the end of the month.
+
+Other free software work
+========================
+
+New project: feed2exec
+----------------------
+
+I should probably make a separate blog post about this, but
+ironically, I don't want to spend too much time writing those reports,
+so this will be quick.
+
+I wrote a new program, called [feed2exec](https://gitlab.com/anarcat/feed2exec/). It's basically a
+combination of [feed2imap](https://github.com/feed2imap/feed2imap/), [rss2email](https://github.com/rss2email) and [feed2tweet](https://github.com/chaica/feed2tweet/): it
+allows you to fetch RSS feeds and send them in a mailbox, but what's
+special about it, compared to the other programs above, is that it is
+more generic: you can basically make it do whatever you want on new
+feed items. I have, for example, replaced my `feed2tweet` instance
+with it, using this simple configuration:
+
+    [anarcat]
+    url = https://anarc.at/blog/index.rss
+    output = feed2exec.plugins.exec
+    args = tweet "%(title)0.70s %(link)0.70s"
+
+The sample configuration file also has examples to talk with Mastodon,
+Pump.io and, why not, a torrent server to download torrent files
+available over RSS feeds. A trivial configuration can also make it
+work as a crude podcast client. My main motivation to work on this was
+that it was difficult to extend feed2imap to do what I needed (which
+was to talk to transmission to download torrent files) and rss2email
+didn't support my workflow (which is delivering to feed-specific mail
+folders). Because both projects also seemed abandoned, it seemed like
+a good idea at the time to start a new one, although the rss2email
+community has now restarted the project and may produce interesting
+results.
+
+As an experiment, I tracked my time working on this project. It turns
+out it took about 45 hours to write that software. Considering
+feed2exec is about 1400 SLOC, that's 30 lines of code per hour. I
+don't know if that's slow or fast, but it's an interesting metric for
+future projects. It sure seems slow to me, but we need to keep in mind
+those 30 lines of code don't include documentation and repeated head
+banging on the keyboard. For example, I found [two](https://github.com/kurtmckee/feedparser/issues/113) [issues](https://github.com/kurtmckee/feedparser/issues/112)
+with the upstream [feedparser](https://github.com/kurtmckee/feedparser/) package which I use to parse feeds
+which *also* seems [unmaintained](https://github.com/kurtmckee/feedparser/issues/108), unfortunately.
+
+Feed2exec is beta software at this point, but it's working well enough
+for me and the design is much simpler than the other programs of the
+kind. The main issue people can expect from it at this point is
+formatting issues or parse errors on exotic feeds, and noisy error
+messages on network errors, all of which should be fairly easy to fix
+in the test suite. I hope it will be useful for the community and, as
+usual, I welcome contributions, help and suggestions on how to improve
+the software.
+
+More Python templates
+---------------------
+
+As part of the work on feed2exec, I did cleanup a few things in
+the [ecdysis](https://gitlab.com/anarcat/ecdysis) project, mostly to hook tests up in the CI, improve
+on the [advancedConfig](https://gitlab.com/anarcat/ecdysis/blob/b026219509e16b5ceeb1de9d7c8aa7fd7cd3f27c/ecdysis/logging.py#L47) logger and cleanup more stuff.
+
+While I was there, it turns out that I built a pretty decent
+basic [CI configuration for Python](https://gitlab.com/gitlab-org/gitlab-ci-yml/merge_requests/96) on GitLab. Whereas the previous
+templates only had a non-working Django example, you should now be
+able to chose a `Python` template when you configure CI on GitLab 10
+and above, which should hook you up with normal Python setup
+procedures like `setup.py install` and `setup.py test`.
+
+Selfspy
+-------
+
+I mentioned working on a monitoring tool in my last post, because it
+was a feature from [Workrave](http://www.workrave.org/) missing in [SafeEyes](http://slgobinath.github.io/SafeEyes/). It turns
+out there is already such a tool called [selfspy](https://github.com/gurgeh/selfspy). I did an
+extensive [review](https://github.com/gurgeh/selfspy/issues/160) of the software to make sure it wouldn't leak
+out confidential information out before using it, and it looks,
+well... kind of okay. It crashed on me at least once so far, which is
+too bad because then it loses track of the precious activity. I have
+used it at least once to figure out what the heck I worked on during
+the day, so it's pretty useful. I particularly used it to backtrack my
+work on feed2exec as I didn't originally track my time on the project.
+
+Unfortunately, selfspy seems unmaintained. I have [proposed a
+maintenance team](https://github.com/gurgeh/selfspy/issues/161) and hopefully the project maintainer will respond
+and at least share access so we don't end up in a situation like
+linkchecker. I also sent a bunch of pull requests to fix some issues
+like being [secure by default](https://github.com/gurgeh/selfspy/pull/158) and [fixing](https://github.com/gurgeh/selfspy/pull/157)
+the [build](https://github.com/gurgeh/selfspy/pull/156). Apart from the crash, the main issue I have found with
+the software is that it doesn't [detect idle time](https://github.com/gurgeh/selfspy/issues/162) which means
+certain apps are disproportionatly represented in statistics. There
+are also some [weaknesses in the crypto](https://github.com/gurgeh/selfspy/issues/159) that should be adressed
+for people that encrypt their database.
+
+Next step is to [package selfspy in Debian](https://bugs.debian.org/873955) which should hopefully
+be simple enough...
+
+Restic documentation security
+-----------------------------
+
+As part of a [documentation patch](https://github.com/restic/restic/pull/1245) on the Restic backup software, I
+have improved on my previous Perl script to snoop on process
+commandline arguments. A common flaw in shell scripts and cron jobs is
+to pass secret material in the environment (usually safe) but often
+through commandline arguments (definitely not safe). The challenge, in
+this peculiar case, was the `env` binary, but the last time I
+encountered such an [issue](https://www.drupal.org/node/671906) was with the [Drush](http://www.drush.org/) commandline
+tool, which was passing database credentials in clear to the `mysql`
+binary. Using my [Perl sniffer](https://gitlab.com/anarcat/scripts/blob/master/sniff-cli.pl), I could get to 60 checks per
+second (or 60Hz). After reimplementing it in [Python](https://gitlab.com/anarcat/scripts/blob/master/sniff-cli.py), this number
+went up to 160Hz, which *still* wasn't enough to catch the elusive
+`env` command, which is much faster at hiding arguments than MySQL, in
+large part because it simply does an `execve()` once the environment
+is setup.
+
+Eventually, I just went crazy and [rewrote the whole thing in C](https://gitlab.com/anarcat/scripts/blob/master/sniff-cli.c)
+which was able to get 700-900Hz and *did* catch the `env` command
+about 10-20% of the time. I could probably have rewritten this by

(fichier de différences tronqué)
new mandela quote, thx rhl
diff --git a/sigs.fortune b/sigs.fortune
index 28a7f14a..e33b34b7 100644
--- a/sigs.fortune
+++ b/sigs.fortune
@@ -1062,3 +1062,8 @@ make it so simple that there are obviously no deficiencies, and the
 other way is to make it so complicated that there are no obvious
 deficiencies. The first method is far more difficult.
                         - C.A.R. Hoare
+%
+Like slavery and apartheid, poverty is not natural. It is man-made and
+it can be overcome and eradicated by the actions of human
+beings. Overcoming poverty is not a gesture of charity. It is an act
+of justice.             - Nelson Mandela

other image builders
diff --git a/software/containers.mdwn b/software/containers.mdwn
index 0378bb38..dc9b9053 100644
--- a/software/containers.mdwn
+++ b/software/containers.mdwn
@@ -48,4 +48,5 @@ Re-running:
 
 Building images requires using the separate [acbuild](https://github.com/containers/build) command which
 builds "standard" ACI images and not docker images. Other tools are
-obviously available like [Packer](https://www.packer.io/).
+available like [Packer](https://www.packer.io/), [umoci](https://github.com/openSUSE/umoci) or [Buildah](https://github.com/projectatomic/buildah), although only
+Buildah can use Dockerfiles to build images.

Added a comment: Theoretical compromise
diff --git a/blog/2017-03-02-password-hashers/comment_5_1c5fb04ffa7e4595be79e42c66d0d127._comment b/blog/2017-03-02-password-hashers/comment_5_1c5fb04ffa7e4595be79e42c66d0d127._comment
new file mode 100644
index 00000000..410bf505
--- /dev/null
+++ b/blog/2017-03-02-password-hashers/comment_5_1c5fb04ffa7e4595be79e42c66d0d127._comment
@@ -0,0 +1,12 @@
+[[!comment format=mdwn
+ ip="80.177.21.246"
+ claimedauthor="copernicus"
+ subject="Theoretical compromise"
+ date="2017-09-24T11:47:49Z"
+ content="""
+>Password hashing, as a general concept, actually has serious problems: since the hashing outputs are constantly compromised (they are sent in password forms to various possibly hostile sites), it's theoretically possible to derive the master password and then break all the generated tokens in one shot.
+
+I wouldn't see this as serious problem (or even a problem at all) with [masterpassword](http://masterpasswordapp.com/). A 20 character high-entropy alphanumicic + special symbols master password would take many years to force. That's all apart from the slowness of scrypt.
+
+Also, assume the attacker has the plaintext version of the password and can derive **a** master password from it. (BTW, how does he know all the details to do this, full name etc?). This master password need not be **the** master password the user has typed on the keyboard.
+"""]]
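Review bot: The `ip=` field on the second line of this new comment file commits the anonymous commenter's source address to a repository that the page header says anyone can clone. Nothing in the rendered comment appears to need it, so it could be dropped or reduced to a placeholder such as `ip="(redacted)"` before the commit is published, provided moderation does not rely on it. If the wiki software writes this field automatically, that behaviour is worth a line in the site's privacy notes.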

add quotes from hoare
diff --git a/sigs.fortune b/sigs.fortune
index 23c3271f..28a7f14a 100644
--- a/sigs.fortune
+++ b/sigs.fortune
@@ -1053,3 +1053,12 @@ the time might start to think.
 %
 If we do not do the impossible, we shall be faced with the unthinkable.
                         - Murray Bookchin
+%
+The price of reliability is the pursuit of the utmost simplicity.
+                        - C.A.R. Hoare
+%
+There are two ways of constructing a software design: One way is to
+make it so simple that there are obviously no deficiencies, and the
+other way is to make it so complicated that there are no obvious
+deficiencies. The first method is far more difficult.
+                        - C.A.R. Hoare

remove ham packages i dont use
diff --git a/software/packages.yml b/software/packages.yml
index 27da4ec1..9425c6e9 100644
--- a/software/packages.yml
+++ b/software/packages.yml
@@ -378,9 +378,7 @@
       - gnuradio
       - gpredict
       - gqrx-sdr
-      - grig
       - multimon
-      - owx
       - splat
       - xastir
  

remove netdata, too big for casual needs
diff --git a/software/packages.yml b/software/packages.yml
index d065223e..27da4ec1 100644
--- a/software/packages.yml
+++ b/software/packages.yml
@@ -308,7 +308,6 @@
       - mtr-tiny
       - netcat
       - netcat-openbsd
-      - netdata
       - nmap
       - oping
       - passwdqc

remove missing packages
diff --git a/software/packages.yml b/software/packages.yml
index ebfd2918..d065223e 100644
--- a/software/packages.yml
+++ b/software/packages.yml
@@ -281,7 +281,6 @@
     apt: name={{item}} state=installed
     with_items:
       - ansible
-      - apacheutils
       - apt-transport-https
       - asciinema
       - borgbackup
@@ -381,11 +380,9 @@
       - gpredict
       - gqrx-sdr
       - grig
-      - ibp
       - multimon
       - owx
       - splat
-      - uhd
       - xastir
  
   - name: install GPS tools

convert tasks list to ansible playbook
diff --git a/software/contributions.mdwn b/software/contributions.mdwn
index c640e4ba..2ed68569 100644
--- a/software/contributions.mdwn
+++ b/software/contributions.mdwn
@@ -25,7 +25,8 @@ Actifs:
  * [irklab](https://gitlab.com/anarcat/irklab/), an IRC gateway for [gitlab.com](http://gitlab.com)
  * [bup-cron](https://github.com/anarcat/bup-cron), a wrapper
    around [bup](https://bup.github.io/)
- * [[a set of packages to install on debian|mytasks.desc]]
+ * [[a set of packages to install on debian|packages.yml]], usable as
+   an ansible playbook
 
 Inactifs:
 
diff --git a/software/mytasks.desc b/software/mytasks.desc
deleted file mode 100644
index db4e1610..00000000
--- a/software/mytasks.desc
+++ /dev/null
@@ -1,370 +0,0 @@
-Task: anarcat-graphist
-Section: user
-Description: Anarcat's graphic design software
- My graphic design tools. Not much, since I don't do much of that.
-Packages: list
- colorhug-client
- darktable
- dia
- dispcalgui
- gimp
- inkscape
- sane
- xsane
-
-Task: anarcat-developer
-Section: user
-Description: Anarcat's dev tools
- Mostly VCS tools, emacs, emulation tools and emulators.
-Packages: list
- adb
- apt-file
- apt-listbugs
- aptitude
- bzr
- build-essential
- cdbs
- curl
- colordiff
- cvs
- debian-el
- debian-installer-9-netboot-amd64
- dgit
- syslinux-efi
- pxelinux
- devscripts
- dia
- dpkg-dev-el
- elpa-anzu
- elpa-company
- elpa-company-go
- elpa-ledger
- elpa-markdown-mode
- elpa-py-autopep8
- elpa-use-package
- elpa-yasnippet
- exuberant-ctags
- emacs
- emacs-goodies-el
- emacs25
- emacs25-common-non-dfsg
- fastboot
- flake8
- gdb
- git
- git-annex
- git-buildpackage
- git-email
- git-extras
- git-svn
- glade
- gocode
- golang
- golang-mode
- golint
- graphviz
- haskell-mode
- stylish-haskell
- icdiff
- ikiwiki
- ikiwiki-hosting-common
- info
- ipython
- ipython3
- jq
- libterm-readkey-perl
- libtext-bibtex-perl
- libsearch-xapian-perl
- linkchecker
- make-doc
- mercurial
- myrepos
- ncdu
- nodejs
- nodejs-legacy
- npm
- org-mode
- org-mode-doc
- pastebinit
- perl-doc
- pv
- python
- python3
- python-jedi
- python3-jedi
- python-pip
- python3-pip
- python-pytest
- python3-pytest
- python-seaborn
- python3-seaborn
- python-setuptools
- python3-setuptools-scm
- python-setuptools
- python3-setuptools-scm
- python-sphinx
- python3-sphinx
- python-sphinx-rtd-theme
- python3-sphinx-rtd-theme
- python-ttystatus
- python-wheel
- reprotest
- tox
- twine
- qemu
- qemu-kvm
- quilt
- sbuild
- shellcheck
- sloccount
- sqlitebrowser
- subversion
- time
- twine
- vagrant
- valgrind
- vim
- virtualbox
- wget
-
-Task: anarcat-desktop
-Section: user
-Description: Anarcat's desktop setup
- Shitload of stuff that doesn't fit anywhere else.
-Packages: list
- apksigner
- arandr
- aspell-fr
- calibre
- chromium
- diceware
- dict
- electrum
- emacs
- exiftool
- fim
- firefox
- fonts-roboto
- fortunes
- gajim
- gameclock
- git-annex
- git-lfs
- gobby
- gnutls-bin
- hledger
- jmtpfs
- ledger
- ledger-el
- less
- libnotify-bin
- libu2f-host0
- localepurge
- locales
- mlocate
- maim
- monkeysign
- monkeysphere
- mpd
- msmtp-mta
- mumble
- mutt
- ncdu
- needrestart
- needrestart-session
- network-manager-iodine-gnome
- network-manager-openvpn-gnome
- notmuch
- notmuch-emacs
- oathtool
- offlineimap

(fichier de différences tronqué)
remove unused mailserver task
diff --git a/software/mytasks.desc b/software/mytasks.desc
index 677f2208..db4e1610 100644
--- a/software/mytasks.desc
+++ b/software/mytasks.desc
@@ -316,14 +316,6 @@ Packages: list
  mutt
  offlineimap
 
-Task: anarcat-mailserver
-Section: user
-Description: Anarcat's mail services
- Postfix for now, but will have more goodies.
-Packages: list
- postfix
- postfix-pcre
-
 Task: anarcat-multimedia
 Section: user
 Description: Anarcat's multimedia tools

more stuff from the up to april installed on my workstation
diff --git a/software/mytasks.desc b/software/mytasks.desc
index fd19099f..677f2208 100644
--- a/software/mytasks.desc
+++ b/software/mytasks.desc
@@ -3,7 +3,10 @@ Section: user
 Description: Anarcat's graphic design software
  My graphic design tools. Not much, since I don't do much of that.
 Packages: list
+ colorhug-client
+ darktable
  dia
+ dispcalgui
  gimp
  inkscape
  sane
@@ -26,6 +29,7 @@ Packages: list
  cvs
  debian-el
  debian-installer-9-netboot-amd64
+ dgit
  syslinux-efi
  pxelinux
  devscripts
@@ -33,10 +37,13 @@ Packages: list
  dpkg-dev-el
  elpa-anzu
  elpa-company
+ elpa-company-go
  elpa-ledger
  elpa-markdown-mode
+ elpa-py-autopep8
  elpa-use-package
  elpa-yasnippet
+ exuberant-ctags
  emacs
  emacs-goodies-el
  emacs25
@@ -50,6 +57,7 @@ Packages: list
  git-email
  git-extras
  git-svn
+ glade
  gocode
  golang
  golang-mode
@@ -61,6 +69,8 @@ Packages: list
  ikiwiki
  ikiwiki-hosting-common
  info
+ ipython
+ ipython3
  jq
  libterm-readkey-perl
  libtext-bibtex-perl
@@ -80,28 +90,33 @@ Packages: list
  pv
  python
  python3
- python-autopep8
  python-jedi
- python-pytest
- python-setuptools-scm
- python-wheel
  python3-jedi
- python3-pip
  python-pip
- python-wheel
+ python3-pip
+ python-pytest
+ python3-pytest
+ python-seaborn
+ python3-seaborn
  python-setuptools
- python-setuptools-scm
+ python3-setuptools-scm
+ python-setuptools
+ python3-setuptools-scm
  python-sphinx
- python-sphinx-rtd-theme
  python3-sphinx
+ python-sphinx-rtd-theme
  python3-sphinx-rtd-theme
  python-ttystatus
+ python-wheel
+ reprotest
+ tox
  twine
  qemu
  qemu-kvm
  quilt
  sbuild
  shellcheck
+ sloccount
  sqlitebrowser
  subversion
  time
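Review bot: In the python block of this hunk the new side lists `python-setuptools` and `python3-setuptools-scm` twice each, because the two lines added after the first `+ python3-setuptools-scm` repeat the pair above them. Presumably the second pair was meant to be `python3-setuptools` and `python-setuptools-scm`; confirm against what is actually installed. The duplicates are probably harmless to the installer, but they hide that `python-setuptools-scm`, removed twice in this hunk, no longer appears in the list at all. The `Packages: list` stanza starts outside the hunk.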
@@ -133,6 +148,9 @@ Packages: list
  fortunes
  gajim
  gameclock
+ git-annex
+ git-lfs
+ gobby
  gnutls-bin
  hledger
  jmtpfs
@@ -149,14 +167,18 @@ Packages: list
  monkeysphere
  mpd
  msmtp-mta
+ mumble
  mutt
  ncdu
  needrestart
  needrestart-session
+ network-manager-iodine-gnome
+ network-manager-openvpn-gnome
  notmuch
  notmuch-emacs
  oathtool
  offlineimap
+ onionshare
  openjdk-8-jdk-headless
  openntpd
  parcimonie
@@ -165,6 +187,7 @@ Packages: list
  pcscd
  picard
  pidgin
+ pinpoint
  pmount
  pinentry-qt
  python-certifi
@@ -183,6 +206,7 @@ Packages: list
  trayer
  tty-clock
  unattended-upgrades
+ unicode
  verbiste
  verbiste-gnome
  workrave
@@ -210,8 +234,11 @@ Description: Anarcat's authorship tools (TeX)
 Packages: list
  auctex
  dict
+ epubcheck
+ elpa-writegood-mode
  libtext-multimarkdown-perl
  pandoc
+ sigil
  texlive-latex-base
  texlive-latex-recommended
  texlive-latex-extra
@@ -221,6 +248,7 @@ Section: user
 Description: Anarcat's sysadmin tools
  .
 Packages: list
+ ansible
  apacheutils
  apt-transport-https
  asciinema
@@ -228,15 +256,19 @@ Packages: list
  borgbackup-doc
  bup
  ccze
+ cu
  curl
  debian-goodies
+ debsums
  dnsutils
  etckeeper
+ f3
  gparted
  hdparm
  hopenpgp-tools
  i7z
  iftop
+ intel-microcode
  ioping
  ipcalc
  libu2f-host0
@@ -300,7 +332,7 @@ Description: Anarcat's multimedia tools
 Packages: list
  audacious
  audacity
- darktable
+ beets
  exfalso
  gmpc
  gmpc-plugins

small tweaks to spamassassin config
diff --git a/services/mail.mdwn b/services/mail.mdwn
index c29d9155..d9b2236d 100644
--- a/services/mail.mdwn
+++ b/services/mail.mdwn
@@ -393,7 +393,7 @@ sudo chown -R :spampd cur new tmp
 chmod g+rX cur new tmp -R
 </pre>
 
-FIrst training run:
+First training run:
 
 <pre>
 [1020]anarcat@marcos:Maildir$ sudo -u spampd sa-learn --ham --progress --max-size=1048576 ~anarcat/Maildir/cur/
@@ -408,6 +408,10 @@ Also, to add to whitelist:
 
     sudo -u spampd spamassassin -t -d -x -W <path>
 
+Also important to enable nightly rules updates:
+
+    sudo sed -i s/^CRON=./CRON=1/ /etc/default/spamassassin
+
 This doesn't report emails to pyzor and similar services, unfortunately, see <https://wiki.apache.org/spamassassin/ReportingSpam>
 
 See also: <https://wiki.apache.org/spamassassin/SiteWideBayesFeedback>
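Review bot: The added `sed` command passes its expression unquoted and matches exactly one character after `CRON=`, so it relies on the shell leaving `^` alone and silently does nothing if the line is commented out or missing. Quoting the expression and matching the rest of the line is more robust: `sudo sed -i 's/^CRON=.*/CRON=1/' /etc/default/spamassassin`. A follow-up `grep '^CRON=' /etc/default/spamassassin` in the text would let the reader confirm that the nightly rule update is actually enabled.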
@@ -426,7 +430,11 @@ for training, but it's not in Jessie.
 
 Another thing I could add is the [OpenPGP plugin][] which classifies
 mail according to its PGP signatures. It fetches keys on the fly and
-doesn't seem to check for updates. It's also old, so issues may abound.
+doesn't seem to check for updates. It's also old, so issues may
+abound.
+
+Finally, we should keep an eye on the [rspamd](https://rspamd.com/)
+project which reminds me of the old dspam...
 
 [OpenPGP plugin]: http://search.cpan.org/~brondsem/Mail-SpamAssassin-Plugin-OpenPGP-1.0.4/lib/Mail/SpamAssassin/Plugin/OpenPGP.pm
 

document kodi setup hack
diff --git a/services/upgrades/stretch.mdwn b/services/upgrades/stretch.mdwn
index b42ca2d1..9a0b641c 100644
--- a/services/upgrades/stretch.mdwn
+++ b/services/upgrades/stretch.mdwn
@@ -62,8 +62,46 @@ Issues
 * [[!debbug 866792]]: irssi profile should load in complain mode
 * [[!debbug 866790]]: postfix apparmor profile syntax errors
 * [[!debbug 845938]] and [[!debbug 805414]]: a2db sink locked by gdm
-* Kodi doesn't start on the right tty? (not filed, see
-  https://www.earth.li/~noodles/blog/2017/08/notes-on-stretch.html for workaround?)
+* Kodi doesn't start without switching ttys (not filed, [noodles](https://www.earth.li/~noodles/blog/2017/08/notes-on-stretch.html)
+  has a similar issue, workaround was to setup Kodi as a systemd
+  service and disabling gdm3 completely. the following file was added
+  to `/etc/systemd/system/kodi.service`:
+  
+        # stolen from https://github.com/graysky2/kodi-standalone-service
+        [Unit]
+        Description=Kodi Media Center
+        After=systemd-user-sessions.service network.target sound.target
+        
+        [Service]
+        User=xbmc
+        Group=video
+        Type=simple
+        #PAMName=login # you might want to try this one, did not work on all systems
+        # not sure what this does
+        TTYPath=/dev/tty1
+        StandardInput=tty
+        # original suggestion, but noodles added dbus-launch
+        #ExecStart=/usr/bin/xinit /usr/bin/kodi-standalone -- :0 -nolisten tcp vt1
+        # this allows the process to start in parallel with gdm3, although i had flickering issues then
+        #ExecStart=/usr/bin/xinit /usr/bin/dbus-launch --exit-with-session /usr/bin/kodi-standalone -- :1 -keeptty -nolisten tcp vt7
+        ExecStart=/usr/bin/xinit /usr/bin/dbus-launch --exit-with-session /usr/bin/kodi-standalone -- :0 -nolisten tcp vt1
+        Restart=on-abort
+        RestartSec=5
+        
+        [Install]
+        WantedBy=multi-user.target
+
+  then disable the gdm3 service and enable the service:
+
+        systemctl disable gdm3
+        systemctl enable kodi
+        systemctl stop gdm3
+        systemctl start kodi
+
+  unfortunately, I had to disable rootless X, something I would prefer
+  to avoid, but I couldn't figure out how to do that. This is done by
+  adding `needs_root_rights=yes` to `/etc/X11/Xwrapper.config`.
+
 * forgot to review the list of packages removed, those I would have
   liked to keep: torbrowser-launcher, npm
 * upgrade was performed with a bad battery, which meant suspending
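Review bot: The closing paragraph of the Kodi bullet should say that `needs_root_rights=yes` in `/etc/X11/Xwrapper.config` is a machine-wide setting: every X server started through the Xorg wrapper then runs as root, not only the one launched by `kodi.service`, even though the unit itself sets `User=xbmc`. A sentence such as `note that this applies to all X sessions on the host, so it is best kept to a dedicated media box` would make the trade-off explicit. Two smaller points in the same bullet: the parenthesis opened at `(not filed,` is never closed, and the `# not sure what this does` comment above `TTYPath=/dev/tty1` could read `# terminal device used because of StandardInput=tty`.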

respond
diff --git a/blog/2017-02-22-password-managers/comment_4_5e9afcbbe7a75565c307af3cf0edc4b3._comment b/blog/2017-02-22-password-managers/comment_4_5e9afcbbe7a75565c307af3cf0edc4b3._comment
new file mode 100644
index 00000000..d2740015
--- /dev/null
+++ b/blog/2017-02-22-password-managers/comment_4_5e9afcbbe7a75565c307af3cf0edc4b3._comment
@@ -0,0 +1,22 @@
+[[!comment format=mdwn
+ username="anarcat"
+ subject="""USB drives and physical limitations"""
+ date="2017-09-07T12:35:32Z"
+ content="""That does seems like a quite constrained environment... I assume you
+cannot run the password manager directly on the machine either,
+ie. you can't install your own software or lobby administration to
+install password managers for you?
+
+In that case, I agree that you are in trouble. You may find it more
+interesting to generate semi-random passwords in that case so that
+they are easier to transcribe. Fully random strings of characters tend
+to take longer to transcribe than series of words for roughly
+equivalent entropy, in my experience, so that could be useful.
+
+You may also want to look into password hashers: you may not be able
+to install your own password manager on the machine (e.g. pass or
+KeePass) but you may be able to install a browser plugin in which case
+[[password hashers|2017-03-02-password-hashers]] become interesting again.
+
+But yeah, if you can't run your own password manager on that device,
+your only solution is to run one on a different device, of course."""]]

add reference to LWN.net article
diff --git a/blog/2017-09-04-supposed-decline-copyleft.mdwn b/blog/2017-09-04-supposed-decline-copyleft.mdwn
index 1485ec92..f555f13e 100644
--- a/blog/2017-09-04-supposed-decline-copyleft.mdwn
+++ b/blog/2017-09-04-supposed-decline-copyleft.mdwn
@@ -222,7 +222,13 @@ free-software world, we can all acknowledge that the conversion of
 proprietary software to more permissive—and certainly simpler—licenses
 is definitely heading in the right direction.
 
-\[I would like to thank the DebConf organizers for providing meals for
-me during the conference.\]
+> \[I would like to thank the DebConf organizers for providing meals for
+> me during the conference.\]
+
+> *Note: this article [first appeared][] in
+> the [Linux Weekly News][].*
+
+[first appeared]: https://lwn.net/Articles/731722/
+[Linux Weekly News]: http://lwn.net/
 
 [[!tag debian-planet lwn debconf debian copyleft free-software github]]

remove lwn-specific markup
diff --git a/blog/2017-09-04-supposed-decline-copyleft.mdwn b/blog/2017-09-04-supposed-decline-copyleft.mdwn
index 03b49986..1485ec92 100644
--- a/blog/2017-09-04-supposed-decline-copyleft.mdwn
+++ b/blog/2017-09-04-supposed-decline-copyleft.mdwn
@@ -22,8 +22,7 @@ Bacon from February 2017 that showed a histogram of license usage
 between 2010 and 2017 (seen below).
 
 > ![\[Black Duck
-> histogram\]](https://static.lwn.net/images/2017/debconf-blackduck.png){.photo
-> width="1000" height="662"}
+> histogram\]](https://static.lwn.net/images/2017/debconf-blackduck.png)
 
 From that, Bacon elaborates possible reasons for the apparent decline of
 the GPL. The graphic used in the article was actually generated by
@@ -88,8 +87,7 @@ at projects on GitHub would give you a reasonable sampling from which to
 draw conclusions".
 
 > ![\[GitHub
-> graph\]](https://static.lwn.net/images/2017/debconf-github.png){.photo
-> width="700" height="409"}
+> graph\]](https://static.lwn.net/images/2017/debconf-github.png)
 
 Indeed, GitHub published a
 [report](https://github.com/blog/1964-open-source-license-usage-on-github-com)
@@ -167,8 +165,7 @@ to the Hamm 2.0 release in 1998. The data and how to reproduce it are
 BY-SA 4.0 license.
 
 > ![\[Debsource
-> graph\]](https://static.lwn.net/images/2017/debconf-debsources.png){.photo
-> width="1024" height="634"}
+> graph\]](https://static.lwn.net/images/2017/debconf-debsources.png)
 
 Sullivan presented the above graph from the research paper that showed
 the evolution of software license use in the Debian archive. Whereas

creating tag page tag/free-software
diff --git a/tag/free-software.mdwn b/tag/free-software.mdwn
new file mode 100644
index 00000000..9f32c1de
--- /dev/null
+++ b/tag/free-software.mdwn
@@ -0,0 +1,4 @@
+[[!meta title="pages tagged free-software"]]
+
+[[!inline pages="tagged(free-software)" actions="no" archive="yes"
+feedshow=10]]

creating tag page tag/copyleft
diff --git a/tag/copyleft.mdwn b/tag/copyleft.mdwn
new file mode 100644
index 00000000..485339d4
--- /dev/null
+++ b/tag/copyleft.mdwn
@@ -0,0 +1,4 @@
+[[!meta title="pages tagged copyleft"]]
+
+[[!inline pages="tagged(copyleft)" actions="no" archive="yes"
+feedshow=10]]

publish copyleft article
diff --git a/blog/debconf-licenses.mdwn b/blog/2017-09-04-supposed-decline-copyleft.mdwn
similarity index 98%
rename from blog/debconf-licenses.mdwn
rename to blog/2017-09-04-supposed-decline-copyleft.mdwn
index 07dcff9d..03b49986 100644
--- a/blog/debconf-licenses.mdwn
+++ b/blog/2017-09-04-supposed-decline-copyleft.mdwn
@@ -1,8 +1,6 @@
-The supposed decline of copyleft
-================================
-
-\[LWN subscriber-only content\]
--------------------------------
+[[!meta title="The supposed decline of copyleft"]]
+[[!meta date="2017-08-23T12:00:00-0500"]]
+[[!meta updated="2017-09-04T09:19:13-0500"]]
 
 At [DebConf17](https://debconf17.debconf.org/), John Sullivan, the
 executive director of the FSF, gave a talk on the supposed decline of
@@ -230,3 +228,4 @@ is definitely heading in the right direction.
 \[I would like to thank the DebConf organizers for providing meals for
 me during the conference.\]
 
+[[!tag debian-planet lwn debconf debian copyleft free-software github]]

Added a comment
diff --git a/blog/2017-02-22-password-managers/comment_3_c72d9365d2cdad17909fa1485421f375._comment b/blog/2017-02-22-password-managers/comment_3_c72d9365d2cdad17909fa1485421f375._comment
new file mode 100644
index 00000000..03d862af
--- /dev/null
+++ b/blog/2017-02-22-password-managers/comment_3_c72d9365d2cdad17909fa1485421f375._comment
@@ -0,0 +1,21 @@
+[[!comment format=creole
+ ip="178.24.245.0"
+ subject="comment 3"
+ date="2017-09-03T11:00:13Z"
+ content="""
+Thanks for your reply. Maybe I did not describe the scenario clearly enough:
+
+Case 1:
+* I use a computer which is not mine, and I am not sure it is trustworthy
+* I could use a portable installation of a password manager on my USB drive, but I do not want to because of the given reason
+
+Conclusion: I do not use the computer to access my password (what you said).
+
+Case 2:
+* I use a computer which is not mine, but I consider it trustworthy
+* I cannot use a portable installation of a password manager on my USB drive because of physical or administrative constraints
+
+The only solution I can come up with in this case is a password manager app on my smartphone, looking up my password there and typing it manually on the computer.
+
+Seems quite inconvenient to me. Or am I missing something?
+"""]]
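Review bot: The `ip="178.24.245.0"` line commits the commenter's network address into the wiki repository, and the page states that the complete source can be cloned, so the address stays public in history even if the comment is later edited. The same field is present in the two comment files added further down this page (`ip="178.24.244.207"` and `ip="178.24.244.195"`), and those two values do not look truncated. If the address is only needed for moderation or abuse handling, it would be better kept in a non-published log, or stored with the host part zeroed before commit, e.g. `ip="178.24.244.0"` (constructed example). These files appear to be written by the wiki's comment mechanism rather than by hand, so the change probably belongs in that configuration rather than in this commit.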

fix more broken links
diff --git a/blog/2017-09-01-free-software-activities-august-2017.mdwn b/blog/2017-09-01-free-software-activities-august-2017.mdwn
index 5cb2d95b..4f7701ea 100644
--- a/blog/2017-09-01-free-software-activities-august-2017.mdwn
+++ b/blog/2017-09-01-free-software-activities-august-2017.mdwn
@@ -27,9 +27,9 @@ backport, especially because the Mercurial test suite takes a long
 time to complete. This reminded me of the virtues of
 `DEB_BUILD_OPTIONS=parallel=4`, which sped up the builds
 considerably. I also discovered that the Wheezy build chain doesn't
-support [[!debman sbuild]]'s `--source-only-changes` flag which I had
-hardcoded in my [[!debman sbuild.conf]] file. This seems to be simply
-because sbuild passes `--build=source` to [[!debman
+support [[!man sbuild]]'s `--source-only-changes` flag which I had
+hardcoded in my [[!man sbuild.conf]] file. This seems to be simply
+because sbuild passes `--build=source` to [[!man
 dpkg-buildpackage]], an option that is supported only in jessie or
 later.
 

font-large and small are actually two separate scripts
diff --git a/blog/2017-09-01-free-software-activities-august-2017.mdwn b/blog/2017-09-01-free-software-activities-august-2017.mdwn
index 16572156..5cb2d95b 100644
--- a/blog/2017-09-01-free-software-activities-august-2017.mdwn
+++ b/blog/2017-09-01-free-software-activities-august-2017.mdwn
@@ -345,8 +345,8 @@ combination of looking into my GitHub and GitLab profiles, the last 30
 days of emails (!) and filesystem changes (!!). En vrac, a list of
 changes which may be of interest:
 
- * [font-large](https://gitlab.com/anarcat/scripts/blob/master/font-large) (and its alias, font-small): shortcut to send the
-   right escape sequence to rxvt so it changes its font
+ * [font-large](https://gitlab.com/anarcat/scripts/blob/master/font-large) (and its alias, [font-small](https://gitlab.com/anarcat/scripts/blob/master/font-small)): shortcut to send
+   the right escape sequence to rxvt so it changes its font
  * [fix-acer](https://gitlab.com/anarcat/scripts/blob/master/fix-acer): short script to hardcode the modeline (you remember
    those?!) for my screen which has a broken EDID pin (so
    autodetection fails, yay Xorg log files...)

fix broken link
diff --git a/blog/2017-09-01-free-software-activities-august-2017.mdwn b/blog/2017-09-01-free-software-activities-august-2017.mdwn
index d823b733..16572156 100644
--- a/blog/2017-09-01-free-software-activities-august-2017.mdwn
+++ b/blog/2017-09-01-free-software-activities-august-2017.mdwn
@@ -22,7 +22,7 @@ is an issue that actually affects many other similar software like Git
 and even CVS ([[!debcve CVE-2017-12836]]). The latter symlink issue is
 a distinct issue that came up during an internal audit.
 
-The fix, shipped as [DLA-1072-1](https://lists.debian.org/20170829131643.tbuuaqbyn7qeacs2@curie.anarc.at), involved a rather difficult
+The fix, shipped as [DLA-1072-1](https://lists.debian.org/debian-lts-announce/2017/08/msg00032.html), involved a rather difficult
 backport, especially because the Mercurial test suite takes a long
 time to complete. This reminded me of the virtues of
 `DEB_BUILD_OPTIONS=parallel=4`, which sped up the builds

creating tag page tag/numpy
diff --git a/tag/numpy.mdwn b/tag/numpy.mdwn
new file mode 100644
index 00000000..0146ae2d
--- /dev/null
+++ b/tag/numpy.mdwn
@@ -0,0 +1,4 @@
+[[!meta title="pages tagged numpy"]]
+
+[[!inline pages="tagged(numpy)" actions="no" archive="yes"
+feedshow=10]]

creating tag page tag/lfs
diff --git a/tag/lfs.mdwn b/tag/lfs.mdwn
new file mode 100644
index 00000000..41851dba
--- /dev/null
+++ b/tag/lfs.mdwn
@@ -0,0 +1,4 @@
+[[!meta title="pages tagged lfs"]]
+
+[[!inline pages="tagged(lfs)" actions="no" archive="yes"
+feedshow=10]]

creating tag page tag/ansible
diff --git a/tag/ansible.mdwn b/tag/ansible.mdwn
new file mode 100644
index 00000000..78d2ea1e
--- /dev/null
+++ b/tag/ansible.mdwn
@@ -0,0 +1,4 @@
+[[!meta title="pages tagged ansible"]]
+
+[[!inline pages="tagged(ansible)" actions="no" archive="yes"
+feedshow=10]]

creating tag page tag/gnupg
diff --git a/tag/gnupg.mdwn b/tag/gnupg.mdwn
new file mode 100644
index 00000000..68f4a14d
--- /dev/null
+++ b/tag/gnupg.mdwn
@@ -0,0 +1,4 @@
+[[!meta title="pages tagged gnupg"]]
+
+[[!inline pages="tagged(gnupg)" actions="no" archive="yes"
+feedshow=10]]

creating tag page tag/debconf
diff --git a/tag/debconf.mdwn b/tag/debconf.mdwn
new file mode 100644
index 00000000..16581b4d
--- /dev/null
+++ b/tag/debconf.mdwn
@@ -0,0 +1,4 @@
+[[!meta title="pages tagged debconf"]]
+
+[[!inline pages="tagged(debconf)" actions="no" archive="yes"
+feedshow=10]]

creating tag page tag/pgp
diff --git a/tag/pgp.mdwn b/tag/pgp.mdwn
new file mode 100644
index 00000000..73313f19
--- /dev/null
+++ b/tag/pgp.mdwn
@@ -0,0 +1,4 @@
+[[!meta title="pages tagged pgp"]]
+
+[[!inline pages="tagged(pgp)" actions="no" archive="yes"
+feedshow=10]]

publish monthly report
diff --git a/blog/2017-09-01-free-software-activities-august-2017.mdwn b/blog/2017-09-01-free-software-activities-august-2017.mdwn
new file mode 100644
index 00000000..d823b733
--- /dev/null
+++ b/blog/2017-09-01-free-software-activities-august-2017.mdwn
@@ -0,0 +1,372 @@
+[[!meta title="My free software activities, August 2017"]]
+
+[[!toc levels=2]]
+
+Debian Long Term Support (LTS)
+==============================
+
+This is my monthly [Debian LTS][] report. This month I worked on a few
+major packages that took a long time instead of multiple smaller
+issues. Affected packages were Mercurial, libdbd-mysql-perl and Ruby.
+
+[Debian LTS]: https://www.freexian.com/services/debian-lts.html
+
+Mercurial updates
+-----------------
+
+Mercurial was vulnerable to two CVEs: [[!debcve CVE-2017-1000116]]
+(command injection on clients through malicious ssh URLs) and
+[[!debcve CVE-2017-1000115]] (path traversal via symlink). The former
+is an issue that actually affects many other similar software like Git
+([[!debcve CVE-2017-1000117]]), Subversion ([[!debcve CVE-2017-9800]])
+and even CVS ([[!debcve CVE-2017-12836]]). The latter symlink issue is
+a distinct issue that came up during an internal audit.
+
+The fix, shipped as [DLA-1072-1](https://lists.debian.org/20170829131643.tbuuaqbyn7qeacs2@curie.anarc.at), involved a rather difficult
+backport, especially because the Mercurial test suite takes a long
+time to complete. This reminded me of the virtues of
+`DEB_BUILD_OPTIONS=parallel=4`, which sped up the builds
+considerably. I also discovered that the Wheezy build chain doesn't
+support [[!debman sbuild]]'s `--source-only-changes` flag which I had
+hardcoded in my [[!debman sbuild.conf]] file. This seems to be simply
+because sbuild passes `--build=source` to [[!debman
+dpkg-buildpackage]], an option that is supported only in jessie or
+later.
+
+libdbd-mysql-perl
+-----------------
+
+I have worked on fixing two issues with the [[!debpkg
+libdbd-mysql-perl]] package, [[!debcve CVE-2017-10788]] and [[!debcve
+CVE-2017-10789]], which resulted in the [DLA-1079-1](https://lists.debian.org/20170831115827.eaciz7h6g7ecl5jh@curie.anarc.at) upload.
+Behind this mysteriously named package sits a critical piece of
+infrastructure, namely the `mysql` commandline client which is
+probably used and abused by hundreds if not thousands of home-made
+scripts, but also all of Perl's MySQL support, which is probably used
+by even a larger base of software.
+
+Through the Debian bug reports ([[!debbug 866818]] and [[!debbug
+866821]]), I have learned that the patches existed in the upstream
+tracker but were either [ignored](https://github.com/perl5-dbi/DBD-mysql/issues/120#issuecomment-325342844) or even [reverted](https://github.com/perl5-dbi/DBD-mysql/issues/110) in the
+latest 4.043 upstream release. It turns out that there are talks of
+[forking that library](https://www.nntp.perl.org/group/perl.dbi.dev/2017/08/msg8030.html) because of maintainership issue. It blows my
+mind that such an important part of MySQL is basically unmaintained.
+
+I ended up backporting the upstream patches, which was also somewhat
+difficult because of the long-standing issues with SSL support in
+MySQL. The backport there was particularly hard to test, as you need
+to run that test suite by hand, twice: once with a server configured
+with a (valid!) SSL certificate and one without (!). I'm wondering how
+much time it is really worth spending on trying to fix SSL in MySQL,
+however. It has been badly broken forever, and while the patch *is* an
+improvement, I would actually still never trust SSL transports in
+MySQL over an untrusted network. The few people that I know use such
+transports wrap their connections around a simpler [[!debpkg stunnel]]
+instead.
+
+The other issue was easier to fix so I submitted a [pull request
+upstream](https://github.com/perl5-dbi/DBD-mysql/pull/142) to make sure that work isn't lost, although it is not
+clear what the future of that patch (or project!) will be at this
+point.
+
+Rubygems
+--------
+
+I also worked on the [[!debpkg rubygems]] issues, which, thanks to the
+"vendoring" practice of the Ruby community, also affects the [[!debpkg
+ruby1.9]] package. 4 distinct CVEs were triaged here ([[!debcve
+CVE-2017-0899]], [[!debcve CVE-2017-0900]], [[!debcve CVE-2017-0901]]
+and [[!debcve CVE-2017-0902]]) and I determined the latter issue
+didn't affect wheezy as rubygems doesn't do its own DNS resolution
+there (later versions lookup SRV records).
+
+This is another package where the test suite takes a long time to
+run. Worse, the packages in Wheezy actually fails to build from
+source: the test suites just fail in various steps, particularly
+because of `dh key too small` errors for Rubygems, but also other
+errors for Ruby. I also had trouble backporting one test which I had
+to simply skip for Rubygems. I uploaded and [announced](https://lists.debian.org/87h8wkzyos.fsf@curie.anarc.at) test
+packages and hopefully I'll be able to complete this work soon,
+although I would certainly appreciate any help on this...
+
+Triage
+------
+
+I took a look at the [[!debpkg sox]], [[!debpkg libvorbis]] and
+[[!debpkg exiv2]] issues. None had fixes available. sox and exiv2 were
+basically a list of fuzzing issues, which are often minor or at least
+of unknown severity. Those would have required a significant amount of
+work and I figured I would prioritize other work first.
+
+I also triaged [[!debcve CVE-2017-7506]], which doesn't seem to affect
+the [[!debpkg spice]] package in wheezy, after doing a fairly thorough
+audit of the code. The vulnerability is specifically bound to the
+`reds_on_main_agent_monitors_config` function, which is simply not
+present in our older version. A hostile message would fall through the
+code and not provoke memory allocation or out of bounds access, so I
+simply marked the wheezy version as `not-affected`, something which
+usually happens during the original triage but can also happen during
+the actual patching work, as in this case.
+
+Other free software work
+========================
+
+This describes the volunteer work I do on various free software
+projects. This month, again, my internal reports show that I spent
+about the same time on volunteer and paid time, but this is probably a
+wrong estimate because I spent a lot of time at Debconf which I didn't
+clock in...
+
+Debconf
+-------
+
+So I participated in the [17th Debian Conference](http://debconf17.debconf.org/) in Montreal. It
+was great to see (and make!) so many friends from all over the world
+in person again, and I was happy to work on specific issues together
+with other Debian developers. I am especially thankful to David
+Bremner for fixing the syncing of the `flagged` tag when added to new
+messages ([patch series](https://notmuchmail.org/pipermail/notmuch/2017/025046.html)). This allows me to easily sync the one
+tag (`inbox`) that is not statically assigned during `notmuch new`, by
+using `flagged` as a synchronization tool. This allows me to use
+notmuch more easily across multiple machines without having to sync
+all tags with dump/restore or using muchsync which wasn't working for
+me (although a [new release came out](https://notmuchmail.org/pipermail/notmuch/2017/024500.html) which may fix my issues). The
+magic incantation looks something like this:
+
+    notmuch tag -inbox tag:inbox and not tag:flagged
+    notmuch tag +inbox not tag:inbox and tag:flagged
+
+However, most of my time in the first week (Debcamp) was spent trying
+to complete the networking setup: configure switches, setup wiring and
+so on. I also configured an [[!debpkg apt-cacher-ng]] proxy to serve
+packages to attendees during the conference. I configured it with
+Avahi to configure clients automatically, which led me to discover
+(and fix) issue [[!debbug 870321]]) although there are more issues
+with the autodiscovery mechanism... I spent extra time to document the
+(somewhat simple) configuration of such a server in the [Debian
+wiki](https://wiki.debian.org/AptCacherNg) because it was not the first time I had research that
+procedure...
+
+I somehow thought this was a great time to upgrade my laptop to
+stretch. Normally, I keep that device running stable because I don't
+use it often and I don't want to have major traumatizing upgrades
+every time I leave with it on a trip. But this time was special: there
+were literally *hundreds* of Debian developers to help me out if there
+was trouble. And there was, of course, trouble as it turns out! I had
+problems with the fonts on my display, because, well, I had
+*suspended* (twice) my laptop *during* the install. The fix was simply
+to flush the fontconfig cache, and I tried to document this in the
+[fonts wiki page](https://wiki.debian.org/Fonts) and my [[upgrades page|services/upgrades/stretch]].
+
+I also gave a short training called [Debian packaging 101](https://debconf17.debconf.org/talks/161/) which
+was pretty successful. Like the short presentation I made at the last
+[[Montreal BSP|2017-04-09-montreal-bsp-report]], the workshop was
+based on my [[quick debian development guide|software/debian-development]]. 
+I'm thinking of expanding this to a larger audience with a "102"
+course that would discuss more complex packaging problems. But my
+secret plan (well, secret until now I guess) is to make packaging
+procedures more uniform in Debian by training new Debian packagers
+using that same training for the next 2 decades. But I will probably
+start by just trying to do this again at the next Debconf, if I can
+attend.
+
+Debian uploads
+--------------
+
+I also sponsored two packages during Debconf: one was a "scratch an
+itch" upload ([[!debpkg elpa-ivy]]) which I requested ([[!debbug
+863216]]) as part of a larger effort to ship the Emacs elisp packages
+as Debian packages. The other was an [upload](https://tracker.debian.org/news/864378) of [[!debpkg
+diceware]] to build the documentation in a separate package and fix
+other issues I have found in the package during a review.
+
+I also uploaded a bunch of other fixes to the Debian archive:
+
+ * [[!debpkg slop]] upstream update and matching [[!debpkg maim]] NMU
+ * asked for [[!debpkg gnome-web-photo]] removal ([[!debbug 873015]])
+ * [[!debpkg charybdis]] 3.5.5-2 to officially switch to [[!debpkg
+   mbedtls]] ([[!debbug 705369]])
+ * [[!debpkg gmpc]]: ship pending patches from git and Ubuntu
+ * [[!debpkg horst]]: new upstream release and workaround for sparse
+   bug [[!debbug 873508]]
+ * uploaded [percol](https://github.com/mooz/percol) to NEW ([[!debbug 754972]])
+
+Signing keys rotation

(fichier de différences tronqué)
Added a comment: impossible constraints
diff --git a/blog/2017-02-22-password-managers/comment_2_51a146c0382f029c2fb5d0e1b9468f2f._comment b/blog/2017-02-22-password-managers/comment_2_51a146c0382f029c2fb5d0e1b9468f2f._comment
new file mode 100644
index 00000000..2798ae9c
--- /dev/null
+++ b/blog/2017-02-22-password-managers/comment_2_51a146c0382f029c2fb5d0e1b9468f2f._comment
@@ -0,0 +1,17 @@
+[[!comment format=mdwn
+ username="anarcat"
+ avatar="http://cdn.libravatar.org/avatar/741655483dd8a0b4df28fb3dedfa7e4c"
+ subject="impossible constraints"
+ date="2017-09-02T14:20:35Z"
+ content="""
+You are posing what seem to me like impossible constraints:
+
+ 1. you work on a computer that is not yours
+ 2. you do not want to use a \"portable autofiller\"
+ 3. yet you still want to type confidential passwords on the device
+ 4. (assumed) you do not want the device to spy on those passwords
+
+This has nothing to do with password managers: 3 and 4 are just in contradiction. If you do not trust your computer, the game is up, a password manager won't save you. Any key logger (in Linux, it's as simple as running `input-events 0` as root) will record your master password if you use a password manager or your copy-pasted password if you store it offline.
+
+You need a trusted platform to keep your passwords confidential. One way, however, to use untrusted platforms is to use two factor authentication: in this case a phone or security token can be useful, because it will send a one-time token that cannot be reused by an attacker.
+"""]]

Added a comment
diff --git a/blog/2017-02-22-password-managers/comment_1_d4e1816708dd7885e650e2fb453ce94e._comment b/blog/2017-02-22-password-managers/comment_1_d4e1816708dd7885e650e2fb453ce94e._comment
new file mode 100644
index 00000000..31a067bc
--- /dev/null
+++ b/blog/2017-02-22-password-managers/comment_1_d4e1816708dd7885e650e2fb453ce94e._comment
@@ -0,0 +1,7 @@
+[[!comment format=mdwn
+ ip="178.24.244.207"
+ subject="comment 1"
+ date="2017-09-02T10:19:19Z"
+ content="""
+So how do I use a password manager on a computer that is not mine and that I cannot or do not want to run a portable version on to autofill my passwords? Have an app on my smartphone and type that superlong and unreadable password manually?
+"""]]

Added a comment: CryptoPass
diff --git a/blog/2017-03-02-hashers-history/comment_4_dab2b0c3c348d21889ad91fd2a933035._comment b/blog/2017-03-02-hashers-history/comment_4_dab2b0c3c348d21889ad91fd2a933035._comment
new file mode 100644
index 00000000..19c60d3c
--- /dev/null
+++ b/blog/2017-03-02-hashers-history/comment_4_dab2b0c3c348d21889ad91fd2a933035._comment
@@ -0,0 +1,15 @@
+[[!comment format=rst
+ ip="178.24.244.195"
+ subject="CryptoPass"
+ date="2017-09-01T22:34:04Z"
+ content="""
+Thanks for this great article!
+
+I came across CryptoPass the other day. It's available for Chrome and Android.
+
+What's your opinion?
+
+https://github.com/dchest/cryptopass
+
+https://bitbucket.org/zeac/cryptopass
+"""]]

cross-reference password articles
diff --git a/blog/2017-02-18-passwords-entropy.mdwn b/blog/2017-02-18-passwords-entropy.mdwn
index f7358531..62d59118 100644
--- a/blog/2017-02-18-passwords-entropy.mdwn
+++ b/blog/2017-02-18-passwords-entropy.mdwn
@@ -4,6 +4,13 @@
 
 [[!toc startlevel=2]]
 
+> This article is part of series of 4 articles on passwords:
+>
+> * [[Reliably generating good passwords|2017-02-18-passwords-entropy]]
+> * [[A look at password managers|2017-02-22-password-managers]]
+> * [[The case against password hashers|2017-03-02-password-hashers]]
+> * [[A short history of password hashers|2017-03-02-hashers-history]]
+
 > Note: this article was translated
 > in [Japanese](http://postd.cc/passwords-entropy/).
 
diff --git a/blog/2017-02-22-password-managers.mdwn b/blog/2017-02-22-password-managers.mdwn
index 878819c1..f8fc00c9 100644
--- a/blog/2017-02-22-password-managers.mdwn
+++ b/blog/2017-02-22-password-managers.mdwn
@@ -4,6 +4,13 @@
 
 [[!toc startlevel=2]]
 
+> This article is part of series of 4 articles on passwords:
+>
+> * [[Reliably generating good passwords|2017-02-18-passwords-entropy]]
+> * [[A look at password managers|2017-02-22-password-managers]]
+> * [[The case against password hashers|2017-03-02-password-hashers]]
+> * [[A short history of password hashers|2017-03-02-hashers-history]]
+
 As we noted in an
 [[earlier article|blog/2017-02-18-passwords-entropy]], passwords are a
 liability and we'd prefer to get rid of them, but the current reality
diff --git a/blog/2017-03-02-hashers-history.mdwn b/blog/2017-03-02-hashers-history.mdwn
index 4637d3d5..00405a0e 100644
--- a/blog/2017-03-02-hashers-history.mdwn
+++ b/blog/2017-03-02-hashers-history.mdwn
@@ -1,6 +1,13 @@
 [[!meta title="A short history of password hashers"]]
 [[!meta updated="2017-03-02T09:45:36-0500"]]
 
+> This article is part of series of 4 articles on passwords:
+>
+> * [[Reliably generating good passwords|2017-02-18-passwords-entropy]]
+> * [[A look at password managers|2017-02-22-password-managers]]
+> * [[The case against password hashers|2017-03-02-password-hashers]]
+> * [[A short history of password hashers|2017-03-02-hashers-history]]
+
 These are notes from my research that led to the publication of the
 [[password hashers|2017-03-02-password-hashers]] article. This article
 is more technical than the previous ones and compares the various
diff --git a/blog/2017-03-02-password-hashers.mdwn b/blog/2017-03-02-password-hashers.mdwn
index 41668fd4..1b976e9b 100644
--- a/blog/2017-03-02-password-hashers.mdwn
+++ b/blog/2017-03-02-password-hashers.mdwn
@@ -4,6 +4,13 @@
 
 [[!toc startlevel=2]]
 
+> This article is part of series of 4 articles on passwords:
+>
+> * [[Reliably generating good passwords|2017-02-18-passwords-entropy]]
+> * [[A look at password managers|2017-02-22-password-managers]]
+> * [[The case against password hashers|2017-03-02-password-hashers]]
+> * [[A short history of password hashers|2017-03-02-hashers-history]]
+
 In previous articles, we have looked at [[how to generate
 passwords|2017-02-18-passwords-entropy]] and did a [[review of various
 password managers|2017-02-22-password-managers]]. There is, however, a

pgp key renewal
diff --git a/pubkey.asc b/pubkey.asc
index d002b15e..0d766443 100644
--- a/pubkey.asc
+++ b/pubkey.asc
@@ -1,5 +1,4 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
-Version: GnuPG v1
 
 mQINBEogKJ4BEADHRk8dXcT3VmnEZQQdiAaNw8pmnoRG2QkoAvv42q9Ua+DRVe/y
 AEUd03EOXbMJl++YKWpVuzSFr7IlZ+/lJHOCqDeSsBD6LKBSx/7uH2EOIDizGwfZ
@@ -12,156 +11,208 @@ V628Tn9+8oDg6c+dO3RCCmw+nUUPjeGU0k19S6fNIbNPRlElS31QGL4H0IazZqnE
 q1wWFFQDskG+ybN2Qy7SZMQtjjOqM+CmdeAnQGVwxowSDPbHfFpYeCEb+Wzya337
 Jy9yJwkfa+V7e7Lkv9/OysEsV4hJrOh8YXu9a4qBWZvZHnIO7zRbz7cqVBKmdrL2
 iGqpEUv/x5onjNQwpjSVX5S+ZRBZTzah0w186IpXVxsU8dSk0yeQskblrwARAQAB
-tCZBbnRvaW5lIEJlYXVwcsOpIDxhbmFyY2F0QGtvdW1iaXQub3JnPokCPQQTAQgA
-JwIbAwULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAUCVz5FfQUJDxBztwAKCRB5IVJS
-e3WSHl15D/9WiaxSPOIrKEkGdl70SrDBqXr/8CR9w08+RBVARZVooIDhLwNkE8jC
-3WHy/Q0LFH95svh5HRV1b7W5QKJlP+x+CEZLJkmX8AEKGMjcM3vorpkDhxEmsJeo
-u8oCR92+BQ9Lnn0ai9SaGKWROkLJioB4kLs7TVpc2wKgV2i6AymH6+b25gz2Ic3k
-iD2IuBOGYf73E+7j+FsLr3wWAvDYHBYIzdG99nXy8mivTjIyWoIZvedURSl99KqI
-k8sOkXltYT0cQIESK8w7LjGNlGX77YrqTgHC0xLK+p+KfW9aq1Lf/4eLOhRBOKd+
-eIPkplCpTk5Tw58Q0ACYLJNDU7GonB+ffMTQVAsvMeNonOQGj4tNuT0YvoejBHQD
-bDBhUq88tBXc9Nb/UWAGhC99233K1VEnO8PDJ4N5/uZ8iG1Bz0FydrUp6cO/CldE
-OauRI4TGywws5iKL2R7yFVI050+nJa5IIOPUdwxs6Q+1Lai52TIF77USvpPLqwa/
-5AdZbdLg+LobggEVSsJfBZXqAQItyQVZltW3aE+Y5rM2fCCQnqCa2iTT0z8nnpEL
-8Hzi4Dze5+iqWb5wfjtCIbSkxueQzKc1zk2vL+UUJZEvuDqGVavDz764nOSiqp37
-evfwLFGPxeqHQaPmlFVWax7FhjSWRwlOOzHI1mGq9vx0VGP3TMOH5bQlQW50b2lu
-ZSBCZWF1cHLDqSA8YW5hcmNhdEBkZWJpYW4ub3JnPokCPQQTAQgAJwIbAwULCQgH
-AwUVCgkICwUWAgMBAAIeAQIXgAUCVz5FgAUJDxBztwAKCRB5IVJSe3WSHoM7EAC7
-zt8aNscfOFXWdCnNbVPUpS2gGRWbbWzrwCw+KN8eeaclBGqlh+Ibg0XCEZIRavRU
-CE0+4Y/nV5KH0dTEnaFMrkv/lzGEzigSTRVCk+CXHw6+6WvBFbF1qccP94Gor4Iv
-Pn6OJ4ihQgw9DXUzvXP9fUFN1mv9dVcRa2bxkuIxm9nmnvLLYNkBjyAerqG3r8qV
-2xjRnvU0P0yC2TpT1S8s53/k4/vYNIlNKFmAlb49M9x6398NREF+I8dhkgvCg0jN
-aXWo0ZDjfKhkILnfFESqKhkEWIx2nbaW0mN/IfvrPzUplg0zySkSXeCdlQ2mDbR9
-LEGFYbpr/iuPA0RkA3HNAB249n+jbcwnyyzmwT6z9IYJ9ZWj27o8qr/71FSmQpHu
-UhBwyTfnlEmL9aztZb/tV+MroJXvg8j9j4p5bO48Ue+C+Nkk9DTN9zmpkGnKzLSr
-WYt0JdPseZZHBtP/UxFZSMnNoGRIhS//VeF1g21tDn9/b54goSGHMXkBi/t+vVDa
-+2tzFxP2eTD6alTOirsj74Vn3scCcr0uQhXG+VV/msMeu46HUNT8TOqSBEiXX87+
-5UsFkboSM0huFrXyEqc8sHa64znZ/Q+gXW2PZlb6FBNZaw912Hw81PGiL3hxXC0N
-YqqmTHnKLKmzNG4tlvcx29+rhOYyjTfKsV8kUzDjO7QqQW50b2luZSBCZWF1cHLD
-qSA8YW5hcmNhdEBvcmFuZ2VzZWVkcy5vcmc+iQI9BBMBCAAnAhsDBQsJCAcDBRUK
-CQgLBRYCAwEAAh4BAheABQJXPkWABQkPEHO3AAoJEHkhUlJ7dZIe3PoP/22dgHTt
-KlIVu/jA0d1yzlcF+fm1l3qdvCBeK5Hofm87/ss4LZMEdEZzaH6mJiTkRU3SRgGJ
-KM7nnzNs1xm2R66vkbT0G9PsbkWr9ggrZclXBr/FzuRDn3oV7LcnCF73cTchTaEF
-J7UFf59xfWVgoTL0oEz5F9RQBeNLyOh6v8Ltjea4pHku6uIWkRjweGfdGuxqpbOG
-JG0DGPzIvvAd+OKkJTUom2n/ISj2qTc+HfvM2bfMiWLwlhUN4dbIiwc7QyDrKBfA
-ureKjVGRIQ1yfAJNne+A8LFVEOo9VwkrBQPjX+1cFaLT99ojW4ZWEZNKEphxFxyQ
-KhSAO5qCZLRb1DU781hBGp00p4Ribqn8UIVll4kVNNiR1Jy6gmUgRlOgDJYBslqu
-W3f2Go32kWcRSRxhpjr5PnTKMe6UfyE+LGwgCWXdn2SebqfMklkL+JPLC7nk3rEZ
-MSwjh2gsRmvDolfDNDfZFkvdJtiHge7zbA6eF8/SS3QMBWC2GT4xXn8Yz8e6FWNe
-PIciOfbj2D5p3ZMs759j5j8CAvJ4c6Z0Hcl6Fd1QoAOGSe2lmjqzeMfzvfy/INt9
-LolTvu1l6EcF2ieyXWbFA1Ts7uX3544Ulir/mDlksX4zIpLKMuUU7QQOphtOuEsj
-Lzt40X2q3V6ctjwy+cONQ7IbIZum2VW/XCP9tC1BbnRvaW5lIEJlYXVwcsOpICh3
-b3JrKSA8YW5hcmNhdEBrb3VtYml0Lm9yZz6JAjYEMAEIACAFAlPOcNsZHSByZW1v
-dmluZyBjb21tZW50IGZpZWxkcwAKCRB5IVJSe3WSHvC/D/sH8ak9X0dom7HTDWyD
-b9fO4g95jP4MOOGuTL2IP7SPn3OoXZtAVaHihgvp+6H7Z0C4S+JiNL8XagcZmv7x
-Z6cbXyfCWAU6JEd6rTDoZUYC8KJ69eExBZOp2AQMPEM4H3tZ4MV635k1ahwW4aLW
-XzbyWCzkFBLSBpeOoLn55aa1aQhzlmhCjQhTh158AUlEiCqCB2DllQfCJ0Q5C3dp
-zIWkDWoMZ3Hgw9Yg+rrLp2oFRkijmRFoYmBB9hoP/LgLzhXZCQujhFBmL7FHSWxG
-07V98PEJK9NZ/xVLf+zwJ4IDIHI0hrBDkS1Gd82lp7UK7kICZ9ognB2L8m3ObACz
-g1+9cOsqRLiedjsvGTxTsARpgFbzRhB97fuudZG1pK0PWqexIWzsmMzNlm/q+aCj
-+rYZVg6L+gnIs85bHqh5vhW71SfhbljYJBJVNcxJF+2pOtaE71TqvNbICK4UIiCu
-bUtts9ydL/fMHmpterncftxzqT0rSWI3rhywRb6ZiY9OVrbIQ+A0UPcJf5yozEpL
-yK57eK3U5MNMvtuI5JKsOn1eZOV30df+70mWVgniTpL4m6Qb5kEVDhFRjk6X2PW2
-CzwCLGQvfaNI6NwHB0bTDpxhva+pSKyTzwKn7w8L026QGs1NAufaNTZRbPiBSgJ3
-QIkSR/zN5ubzmoJLovGkGdAGNLQuQW50b2luZSBCZWF1cHLDqSAoRGViaWFuKSA8
-YW5hcmNhdEBkZWJpYW4ub3JnPokCNgQwAQgAIAUCU85w3RkdIHJlbW92aW5nIGNv
-bW1lbnQgZmllbGRzAAoJEHkhUlJ7dZIeXEQP/RXsCNGrjNHcp7pRApNmi1fq9W2x
-Zmy8rrQcCiGoy1pTHOpDixx2vBUtn1W/tscdYiBi8+zWn+rr4+2QqIkRUIrfRK5e
-+qwHA0bf+YHJvEqVZU1+ythNKGzZ+OVezglWsWvCGyE3+4GxSJobCLnwwTLl9UVn
-tYxMwnqJ9octslNAzc9yDBhhH77RYUpR/umURv/UH2uszkYu/dPPZ8v5FyfxyY+s
-bz4un6F3HAgMD8EEwC3KX0+E4vGBZkKjsxbLDWC89yAtCOMPEoairhRxFPF5zBnj
-xxvjLLSceLkZuskAPxe7eSHuc8DhOYVjlkg47kp1LmVvIO889ZYlmQyxoEY7PFrv
-5fqu1uLUdyIHJztSHAOxfpb0Hs22prs3iXHIFZXEaifzh3GCXgUrcyrpI8ZITt7b
-SwHUliHqT2B3OcPASQipXWMBBU9wXRBGuHTtOv4HHB7TVblNr4PEbfEJeqttQpQx
-GK3hrP7jx4XJk17H8VuNIv75+sGZxAVdumOe5a1YFHlShs12t5BLlEzDomDgg0cV
-QNeTRwPy3zcJ/zNEA8cr7bSspkjPBo5Oy9EcLlhOjbI6gUuEmFU0QrfzVrrE2k83
-7FpkxxEYlal8/0hsCOCf/mJ9K+0WQnc40c002GCRXQbEBc22XhQX1Ongiz7aHsTN
-HpVzb7TT2mz11KMCtDhBbnRvaW5lIEJlYXVwcsOpIChob21lIGFkZHJlc3MpIDxh
-bmFyY2F0QGFuYXJjYXQuYXRoLmN4PokCNgQwAQgAIAUCU85w3RkdIHJlbW92aW5n
-IGNvbW1lbnQgZmllbGRzAAoJEHkhUlJ7dZIeuvsQALv5rpGEI39KvmQHPrW8Y8yc
-N+03b1EeCTsGo/OS8wHhj8EmCno2HXVPVjauU4dpusEzvQHsiKqIkpknq0heA/oT
-kUxSrBLz8hRrmL3XN87StNBOVFNkqAgAr2eoIdi2xpm3TAMqsUUj6jjM4K2JOjdu
-IPSvcpfg43vrAo/Y54W4rINbhTOyCjRjQkqUhPL7bvVJvAlmpluKSDdS+ON5xEWR
-38g3loGkCZQvjBdSB4hhvaxp49MGanVTwIHzI9RSrb+UtYHM3H0G5a4+AgiVYGuw
-qIJZc15hI3Vz+cxPoFJ2haetoKT9rTwnqxZxknW+JnldH2V7KuyEMvWs5Jo3i8qS
-FfLCwG1jW3LGuILDBNtc+QiMxy7NdOZpP3Lex9bqQ6p7io6FfNK7RN/kbeUyQNvI
-zLu6RpB0EkMmI2XDtalZcOZ1TUmQ4gP941HQBBjp/uDAUlkoa4/HIFxRwBTDnPsp
-kG19HLub6QDs5/AB3/55CGS9pBHrU2EsPQ9cLwzb+zfQmJi2vC2IzcVrbwVcTRpA
-luHo8kUVlgTHpnbwXOHrr40FRuKgex7TREBK1OyAn1gYdQUFVhau+SjdcAz9zEVI
-8aj23Umu4oTVYVOjcx2flzZCcdzyG6nzd3JQVWm3gpK3TgWo8eC/hNa7s5aIs7Th
-TofGXh+d5bUtcZx+FbJ5uQENBFAGwRgBCADTtdA/YZOdYY35bKWKokkHkXTklnwW
-KbAMWbcgGaaDbPEMl+0wAm75WoBRUF/ZetwbQQ1SlNsbqymeFp2LiwbwU3xFmw7v
-/TAJrYJxIPEV8fjApIIao7PWzz0o8na+Ocz6w2qKWc1CJkryLT/t/JcUnPsFzlp/
-nYkOyrS0BqdkNwj9/hSO8zB1uaErrtc+TeiUO/Cu6oJ81LR1Rk0sRnHNBQv85W7O
-RVna+38LENQk05dQLuOxyf2c+TbZMJrA2d6VeZwX2hER52N23qOfyAs45f0LQOqm
-yk8y1BcnRykrmVlsVVgVJSBFKDRj6lMPLFrEUG0R5+p15m+W8833VpHnABEBAAGJ
-Ah8EGAEIAAkCGyAFAlAG53UACgkQeSFSUnt1kh6IexAAsxdz/64hu2YW66drIuVB
-gvvTcr9YBraZ4DDo5UKXewNJgfLc1nB85uXmbzSVKvAB++LnqmogRE3wRlOH4A00
-4O/i+JOtGQhf1SG6yPFkVWBpqvwhJeFiGcYqvw+K9XwuFhoYEP8ngpq8/SSaivH7
-IAVV2rSYsWfeEw4B+gS6bkdOiOAt9RTSyn4QVqIKvnPmOTb60I1tZTUbinEWMifu
-45m+6f7qqc1oadk9Ic40NTHEaiO9liYmq0s3l19BBUSRETlBAvJ7caAiucqHGgYe
-qgVfXR3Gpy+L+DBvF29g7XDxtXgXa8BG0AMVmxO5Ey+UH0gUpJ6azoeAFe4+U5O2
-q8pi+8tlLXHoLQBHXeoBvncZVakeC1kfZT8EzcgwtmpkzRcI5bkFRxMXx6rQqool
-WM+m0cVJb95j03bK2Ao7S94soo3ofsgWnEoLjXvkILu3pdbmGznOcC1QINxiFDds
-DfRyF3CBC6wyo1jRquHuqsSYx1ZVc9qHgUsi7A6NIFJ7ZWDozt+4+jn0rmkKvfbi
-Ur+mmlfy5yCAkjjvjWifeMbDOkSN7o7VWEsav4WnKRChyuAvGH5kvYNCMYF9+s/H
-57Isehx3KmLKFLjY3bPAEdPUNnATbRR7eQ1B7kr7Q354uEXcW2iD39SpGvyQ4BcI
-GS3kNS4/m1i7SlbKoVoikwW5AQ0EUAijnwEIALsJjr5pMuWTp6mXX5MrrAhoeDV9
-qB4R+YoWCf5ii/7aUoUiE1GRxbOdBVzJWJWYLuJpmQQh6LWA/37SWux2F7C1MGO+
-QM3FHXxog5EmyIf3kUWMUi4nQdCOszWM7GJeFBnTEuWeEWTHFryP2XnYdO62lhRT
-rd7eW9jQIG6qHtC2Qfe6fuJPoRqoxHfjIVrbKbflqDy6AxtzMHCdMMlifeqkvyAq
-7Dcmcin6p1JBvWwZ0twLgk3TYTb8hjuLDyXMz3FVpvUiC96YInBLQL8G30uyaELL
-0AylpUVoBiN6mB0GlKogxr/xVyhU6uF0lZ8hzt8u236eM3WqiOw+a6GyvWcAEQEA
-AYkCHwQYAQgACQUCUAijnwIbIAAKCRB5IVJSe3WSHkPXD/4sBuRegkO6GUZeXgZv
-+lf2gvq2yMJWTdYWuyGDGGcxygWNEHupGbtzDW8OgGNr4Uj/NOYxscVvvDRley9b
-5iHatSqDbkaeMHkjvth/G6y3pby4aY9KP4q2llKRotF5i1Cz1fb8XqD3ebcB1+ev
-UnBKX0PkAoZxhSxEJ8VMjWgnrK9Jg6mvKlwk6KcgqOzMMmx5UkeiNdZa4GL96waH
-6y9JF6f7n6BtrX7z3GUEDdQWOT+sVUknhptNwzOYfhYnBWqR45Ic2IXfd0u0l8BR
-qGaPQ895oF1CDw6fmMMgF4VQvg1gabQqRMBjZxqtTyUkzINCuCm2SylrgMuuzeXQ
-MCFHcL9G/DNpjwe+rUCzJCZO9M0RsC9YEP5zFdsXBLr/rBM1BEvlu3JTOhfos1BM
-JnWXwNXS+KmGUxW2By+Kt9LpbG0LeITzImgesdZNA/Ar2a6qH00jg77BqmYQEJYa
-xVm2SPvcljgeEoh78iI75RYt4atcT7wYaIH3ajD1q44Sg4K/G0x5iVM19oYQakC3
-q5uARgzZpDfP8aFWWMBZzQ9s97vlnBS6yla3j/U6Zs5WoQvftISffU1HOm2y6XJs
-14Mss2XseeFwB4w2H8bmHSwKRJkpKCISS505yANMjFBfIwF6CLa/5B3mKUxc7wB9
-7IufuV8ZLvy6eHFnrj7ka1M+urkBDQRQDuHnAQgAyu2f3s3RGkGG64wXDVTfvFZC
-Kxk3H+sJAwwATeNMd8LSQaNM6vQE4x/99dj+xC0B59Q9KcrCG2a9EBfPmPqBHsMY
-d+l31W+R0Wf/MdoIY91XtYbbo9vSlaqwZYjScIloxdeI8hrHMrXsQSo3NVvESFGf
-SZNYj6T6ryb2T6V/eu3KtJAYZA9pOw2kzgDmEDFxoGMqv/kyrvSGBrrDl/Q0Eq9L
-lbwpi+bgFX+so05ArdnTgX/GnwvSYO5tFwAotzABdlfKT67OqTUlf0FpkVMKgjAj
-7pBIczAVd4TnXTbW16x0W8U1XyZT2rgKomN+IDZVeQDu5Bxgh0RK+CG4w5ahzwAR
-AQABiQIfBBgBCAAJBQJQDuHnAhsgAAoJEHkhUlJ7dZIexD0P/1jWAJNK5sWWCpZz
-LhTBcIsju5FcjozKaOXL3suCnv67/b32VsYD1jXDR2BkiJ6xAdOv1u1aaAitaEOa
-q+YeF3f1zRM004BK9giDfStwZxyuyu4zMNWwayXEh3Zn7LZSy8spS8gKNqcped1x
-QcWb1O01uumQj4JvBnJrQYk1xpIj6AeoLq6hr38P/KQuTMOgJsSkufUJNMXPbA8j
-Y5RW42EeVaAJMT58qBU8RP0vGqwCyAEcYDpiOabbs4JlukXzwjn2yfEMi3p00EKp
-SVcbkEQ2TlPBbUxjy4SUP2wk/iJWe2h5DRaHQl2xm/SSCfr86yszy+xbB679sbQC
-cLiP82ELTfdVc262qDecL4w0U5JybXwIYyyoaeAu4pTCGj4K8j/WR5E7danE0Ciw
-Hepl9wHKQ3o5U1e2I90F5inLJYBIOhx+aiywo4MNL7CLQpaW6Kfh++aI8r8ZKYYT
-EBTpgewqu0TrLOhkFqi1CM8gaqY84MW2OSSsZXnulufujzeRvVSpApHL8aLimthI
-zELCl7dKes2vLvIWKy1yv3JlHRAXW6/wblTWDo1glC6rA2jvlemNDJvS++tUzowL
-LXxBEVonwEmYQnzNc4CuUZ264/iUndGtra2WLDtlpQDMT4YCNXm4yZ4LSPJ8hR4C
-v0PIz18nn90Xm9tI5v73MPrU2/uvuQINBEogKycBEACYbZwuqUnFo8770OqwkxgG
-ouoa0YjelS1VRSyDGjJ5VKfdhLYFUjacOpADbUU6Sl1AeXyD2VVK1XXxDdOrfev+
-ixONrYInwwBchU2WORXRx64tRhvwq9/TKVtlaggwrU0z1Vh01JVNWRut9QSfvTQf
-nHufE5i6+sAU0K0/lt+u3kRQQueBLCzW+80ALKQp/acNcX9VzRzhp6wEOK/QV4Tl
-uQfAs0XeJy0UMFYLcP3OTP243pgDqKtlpMDftJnyXuE0nx8BVKM17jdu+F/tBq9d
-H4afMRA2LkDNKrult2g1zAQcCLtI0zbnRBC7E84SlG6qbAXPVo8DTAmaArksP0U6
-RQVd+Zl26kKEIG3FO7lmbJS5fVr7/wuq414Hfhnl/EhgY06qtWZE7+VFyx0zUMz5
-25DRBMc6k6Iv0HUoxTCAAp2pHjksXNHJH57HfaXxr9T1Mj8osKx4qlhcwYo8xiGR
-B8YTRhcQJF8EyUez3eNGu0Q8cGzuqf00iCLpuNSbbXnoSx8E0Q3UDTKMny8bjSxL
-TWEtLkdo2CNRD0HwjVlwnU9mSv5ehlT+o8gf6JRwSDq/qFV6iYfuPJIvHAEz3M4a
-t31K+1Ir5oLhsA+u/+KJmeDwirc9YTZ3Z8mBUvUJXRBqPgLAdwKFKVSANF30FZMQ
-/SGa/mbumiep1quDNm7KMQARAQABiQIlBBgBCAAPAhsMBQJXPkWVBQkPEHFgAAoJ
-EHkhUlJ7dZIeju8P/36l36JnS+TYvvwTNjvX37FzrxHkxDw5cyqrABJLVn8brRzC
-gu3rBft1O8H4UhavFDLOYX6RCoZZ3aA2vCor55NOobgYlT3A6kcJJrXTXmFQu0Nd
-RzNbzJt+OcyFqTfkYuQ8nLNlMlmw72jn8OY6NuDTBefGhtLxQDM286DbQzo5U3uy
-05MKR1mwukBdO9RmooBinvj6GgAtTy63VfuZEu3BZ5xvxGuH9DbZYFAcZnV220vT
-2sxAeAEb8e5+ioypHWHArZsjrn5rp1bwBsSN66XPCSc8briAUHnwQT6lozlaRkVq
-REfo0+9AxrzHdfUTBuFcYImaBFIuWDq+XBGpSpYyoiZVpgXhx8hfP7A1jc6vOFLn
-wlX8nLIKJYF+ZPARg+7DGysUhpZTa21NoBdUFXZKVpFyPaO6OdeJL8Kt4Ccfb/Jm
-Kl7QzNY2SrNJHT+q5RnlbZOKYaB08++IS3r1JvRV5a2xZYJebaTkD7ULZEgMur12
-Kj45AF7rexzWZ1gzQGncfyn6Xsfv74v6SvBGbUuJaQ4MHoFMRm/A+42BP9YlkXjs
-ywiM01LkwL2h1EGfn9N0of5kVrk7tJbvEugk5Konumpj1K1C+JYmamxKIuxeOk1I
-RXQmN7dulJo7rhzAxSHaDh9kkg15+rDD3JgbQ+9j6xeF5nRuMxMSLvCY5iW9
-=W3Zo
+tCNBbnRvaW5lIEJlYXVwcsOpIDxhbmFyY2F0QGFuYXJjLmF0PokCVAQTAQgAPhYh
+BI3JAc5kFGwEitUPu3khUlJ7dZIeBQJY96veAhsDBQkQuLYXBQsJCAcDBRUKCQgL
+BRYCAwEAAh4BAheAAAoJEHkhUlJ7dZIeBzIQAIeNS6JilNJFGh1RjBRFpI8JKxmc
+1Cc7Bw8iCwgNB9UjOdD3C2OEiMrm5l3NuuOdBWZ4bv0A3phqiwgaGeeJmrDCDvmp
+dixLBrG5yGwhE8x4cQweY62zN8NbmvOG25CydMph8vmyLpSPn3Y5FpQNFpdStqly
+APRJORgMJQAMYM1G//QksQMjmDIue8kK2wIjCjKkJ8/GYdbGytUBOkfEBuwXYdxN
+WD148zJk1FA3+BatcsUDySQjkpp3hqKLtT+NwI/SZ/4YhZ9kP4F6avBWG4eCCdO4
+hG0kNyNcOjyYvmaczO3I8Yz6Ba7vdd3+ixXRrg0F0oJ3Zzcp4BnDM+0t9uZCzWMV
+wr3DLwWtqZ9UtJUq7uydLLAnpONBdFxCgZKjW1OSMDKybkvOb+i8gSoIWC4VyRn1
+QQlglmuk/znX8W0e0nZDvZW5Jz74P5o8x/Aigb6jbn0JR6lYtxH+jVm31uRbyIsV
+QljVWYaT6Bw2vxH8jjf/GlR5fAX0RwW9IZ+GKOvSIkqoi6kPHidubm7n/3PssT3a
+KzD4rfugt1NFv2j2Nj0wRMLwMyCuhNSr56ddaQVvc5m/4HVceAysm7Jd8ifw1bxY
+tHaqFxwayG04W/PV+M97yOWCbG3kWxwNB0U01bkbjRTg6XTZu6zbGA0KEyu18Jpm
+AGRgsfOT0mYm42BVtCZBbnRvaW5lIEJlYXVwcsOpIDxhbmFyY2F0QGtvdW1iaXQu
+b3JnPokCVAQTAQgAPgIbAwULCQgHAwUVCgkICwUWAgMBAAIeAQIXgBYhBI3JAc5k
+FGwEitUPu3khUlJ7dZIeBQJY96s4BQkQuLYXAAoJEHkhUlJ7dZIeO7AQAJMhIpwD
+iAKor/asxujphJHzB6Phja1S/G24N49bxhvXIScNAAfDaiwyWUF6Pxp6D77Y4NAa
+3+3cZNacBx1VRhWDbgJD22uNF5r++q4iLCApR0LGw8eEZyvm+5tLfcqrhtQgYRB9
+HQkbb87mvMBiNjrfz2jAkhuBRxDYb8i0JsL5UyvD32C0+JRK+CabSyIYpeR2ZdBM
+h9oxR3Hm1ofqlPcO+fNxSNjn8UJvB1RLlS0UqoD9Dbq/l8Ok3ssfWsFbSYdov4ka
+dRCfwI38fFgXuM8dcvit1XtGXtsZzE21HHzwYQIvW6T1lylY7PiUWjnknab88fCw
++HhuAJj+HeJfcpZW8C51Zqf4q4igLtp/BIWkn5ehLKNZhFNc+1m32/fMK8LP1Hvt
+AIiZxTOmjPpTavyO4dTF53kilQjb1+/UEkTwKLK/yCjL/8mfbg4Wkr1dfaGjyolC
+iV4vrOuD3uV5YFhOJW2THV/hKp+M5sNonSmpkkTZ9b7SoFUfg8ZHqsXeqZFgSW2o
++vXtlQvtxwM4gYdRNxcDWi6Xn8/RQ1cAOrh195GEdS9JkHknZPrh9jhr3u9mAX4e
+PCmdi94wO8WADWuaszuuFqqTN3ArxcsXa8VVmAy505h5/eoDrgfKJxoYSUQ8+5p4
+Xr7kzfzSpYPUP9XZuZ6XHxVKej3nrkElDN1ttCpBbnRvaW5lIEJlYXVwcsOpIDxh
+bmFyY2F0QG9yYW5nZXNlZWRzLm9yZz6JAlQEEwEIAD4CGwMFCwkIBwMFFQoJCAsF
+FgIDAQACHgECF4AWIQSNyQHOZBRsBIrVD7t5IVJSe3WSHgUCWPerNQUJELi2FwAK
+CRB5IVJSe3WSHqNeEACr1XFC4JWCNAuUmbKf72keTHAqo7Wr3jNZYUO/GDYOICAT
+ZMmEfPMn9ALWxkSuwCca9SL3KMtxjJ7QREjUnyVH7CeZUaJpUJhRvroOr9cKaDvl
+Yd7VP5QcibVBtXaVqMq8QZCxGMuyWMN+vzNCPFidXQBvOUtYyTeDX0pHQWKbJtv5
+VBlcTNekm40qKCirnEHl8i69wa2wZ4aAUg3VEJ2nF0gQcsEyD6cc0Q86HM652h9j
+uVBNyDVIZAzI1FYAHn7cDeBEB9HwaG29ZrV3R3gcgkJ2B8vXZdcuUfDelZfcZs/J

(diff truncated; the rest of the new key block is not shown)
another link for data plans
diff --git a/hardware/phone.mdwn b/hardware/phone.mdwn
index 8efe36a6..d1576ed5 100644
--- a/hardware/phone.mdwn
+++ b/hardware/phone.mdwn
@@ -568,3 +568,5 @@ References
  * <http://www.planhub.ca/> - good plan comparison tool
  * <https://wiki.debconf.org/wiki/DebConf17/Sim-card-information> -
    quick research done for Debconf
+ * <http://prepaid-data-sim-card.wikia.com/wiki/Canada> - prepaid sim
+   card information wiki

final review from LWN, now online
diff --git a/blog/debconf-licenses.mdwn b/blog/debconf-licenses.mdwn
index 23768ab1..07dcff9d 100644
--- a/blog/debconf-licenses.mdwn
+++ b/blog/debconf-licenses.mdwn
@@ -6,35 +6,37 @@ The supposed decline of copyleft
 
 At [DebConf17](https://debconf17.debconf.org/), John Sullivan, the
 executive director of the FSF, gave a talk on the supposed decline of
-copyleft licenses use in free-software projects. In his presentation,
-Sullivan questioned the notion that "permissive" licenses, like the BSD
-or MIT licenses, are gaining ground at the expense of the traditionally
+the use of copyleft licenses use free-software projects. In his
+[presentation](https://debconf17.debconf.org/talks/155/), Sullivan
+questioned the notion that permissive licenses, like the BSD or MIT
+licenses, are gaining ground at the expense of the traditionally
 dominant copyleft licenses from the FSF. While there does seem to be a
-rise in the use of MIT, in general, there may be other explanations for
-the phenomenon that merit discussion.
+rise in the use of permissive licenses, in general, there are several
+possible explanations for the phenomenon.
 
 When the rumor mill starts
 --------------------------
 
-Sullivan gave a recent example of the rumor of the copyleft decline in
-an [article on
+Sullivan gave a recent example of the claim of the decline of copyleft
+in an [article on
 Opensource.com](https://opensource.com/article/17/2/decline-gpl) by Jono
 Bacon from February 2017 that showed a histogram of license usage
-between 2010 and 2017 (seen below). From that, Baker elaborates possible
-reasons for the apparent decline of the GPL. The graphic used in the
-article was actually generated by Stephen O'Grady in a January article,
-[The State Of Open Source
+between 2010 and 2017 (seen below).
+
+> ![\[Black Duck
+> histogram\]](https://static.lwn.net/images/2017/debconf-blackduck.png){.photo
+> width="1000" height="662"}
+
+From that, Bacon elaborates possible reasons for the apparent decline of
+the GPL. The graphic used in the article was actually generated by
+Stephen O'Grady in a January article, [The State Of Open Source
 Licensing](http://redmonk.com/sogrady/2017/01/13/the-state-of-open-source-licensing/),
 which said:
-
 > In Black Duck's sample, the most popular variant of the GPL – version
 > 2 – is less than half as popular as it was (46% to 19%). Over the same
 > span, the permissive MIT has gone from 8% share to 29%, while its
 > permissive cousin the Apache License 2.0 jumped from 5% to 15%.
 
-![Black Duck histogram](http://sogrady-media.redmonk.com/sogr
-ady/files/2017/01/OSS-blk-duck-licensing-0110-0117-wm-2.png)
-
 Sullivan, however, argued that the methodology used to create both
 articles was problematic. Neither contains original research: the graphs
 actually come from the [Black Duck
@@ -42,19 +44,19 @@ Software](https://www.blackducksoftware.com/) "KnowledgeBase" data,
 which was partly created from the old Ohloh web site now known as [Open
 Hub](https://openhub.net/).
 
-To show one problem with the data set, Sullivan pointed out that free
-software projects showcased on the front page of Ohloh.net around 2012:
-GNU Bash and GNU Emacs. On the site, Bash was (and [still
+To show one problem with the data, Sullivan mentioned two free-software
+projects, GNU Bash and GNU Emacs, that had been showcased on the front
+page of Ohloh.net in 2012. On the site, Bash was (and [still
 is](https://web.archive.org/web/20170820182836/https://www.openhub.net/p/bash))
-listed as GPLv2+, whereas it is GPLv3 [since
-2011](http://git.savannah.gnu.org/cgit/bash.git/commit/COPYING?h=devel&id=2e4498b3aaccbc2618e74f1101abafed96a6bf19).
-He also claimed that "Emacs was listed as licensed under GPLv3-only
-which is a license Emacs has never had in its history", although I
-wasn't able to verify that information from the Internet archive.
-Basically, according to Sullivan, "the two projects featured on the
-front page of a site that was using \[the Black Duck\] data set were
-wrong". This, in turn, seriously brings into question the quality of the
-data:
+listed as GPLv2+, whereas it
+[changed](http://git.savannah.gnu.org/cgit/bash.git/commit/COPYING?h=devel&id=2e4498b3aaccbc2618e74f1101abafed96a6bf19)
+to GPLv3 in 2011. He also claimed that "Emacs was listed as licensed
+under GPLv3-only, which is a license Emacs has never had in its
+history", although I wasn't able to verify that information from the
+Internet archive. Basically, according to Sullivan, "the two projects
+featured on the front page of a site that was using \[the Black Duck\]
+data set were wrong". This, in turn, seriously brings into question the
+quality of the data:
 
 > I reported this problem and we'll continue to do that but when someone
 > is not sharing the data set that they're using for other people to
@@ -87,7 +89,9 @@ projects on GitHub over the last 5-10 years." Carey also suggested that
 at projects on GitHub would give you a reasonable sampling from which to
 draw conclusions".
 
-![GitHub graph](https://static.lwn.net/images/2017/debconf-github.png)
+> ![\[GitHub
+> graph\]](https://static.lwn.net/images/2017/debconf-github.png){.photo
+> width="700" height="409"}
 
 Indeed, GitHub published a
 [report](https://github.com/blog/1964-open-source-license-usage-on-github-com)
@@ -107,34 +111,33 @@ GitHub project creation page links to the site, Sullivan explained that
 the site's bias could have actually influenced GitHub users' license
 choices. Following [a
 talk](https://archive.fosdem.org/2016/schedule/event/license_pickers/)
-from Sullivan at FOSDEM 2016, GitHub [addressed the problem in
-2016](https://github.com/github/choosealicense.com/issues/335) by
-[rewording parts of the front
-page](https://github.com/github/choosealicense.com/commit/db18b5dfe6a8d788f6df2ab60cf95091e5f73e1d)
-to be more accurate, but that impact obviously doesn't show in the
-report produced in 2015 and won't affect choices users have already
-made. Therefore, there can be reasonable doubts that GitHub's subset of
-software projects may not actually be that representative of the larger
-free-software community.
+from Sullivan at FOSDEM 2016, GitHub [addressed the problem later that
+year](https://github.com/github/choosealicense.com/issues/335) by
+rewording parts of the front page to be more accurate, but that any
+change in license choice obviously doesn't show in the report produced
+in 2015 and won't affect choices users have already made. Therefore,
+there can be reasonable doubts that GitHub's subset of software projects
+may not actually be that representative of the larger free-software
+community.
 
 In search of solid evidence
 ---------------------------
 
 So it seems we are missing good, reproducible results to confirm or
-dispel these rumors. Sullivan explained that it is a difficult problem,
+dispel these claims. Sullivan explained that it is a difficult problem,
 if only in the way you select which projects to analyze: the impact of a
 MIT-licensed personal wiki will obviously be vastly different from, say,
-a GPL-licensed C compiler or kernel. We may also want to distinguish
-between active and inactive projects. There is also the problem of code
+a GPL-licensed C compiler or kernel. We may want to distinguish between
+active and inactive projects. Then there is the problem of code
 duplication, both across publication platforms (a project may be
 published on GitHub *and* SourceForge for example) but also across
-projects (code may be copy-pasted between projects). We should also
-think about how to evaluate the license of a given project: different
-files in the same code base regularly have different licenses—often none
-at all. This is why having a clear, documented and publicly available
-data set and methodology is critical. Without this, the assumptions made
-are not clear and it is unreasonable to draw certain conclusions from
-the results.
+projects (code may be copy-pasted between projects). We should think
+about how to evaluate the license of a given project: different files in
+the same code base regularly have different licenses—often none at all.
+This is why having a clear, documented and publicly available data set
+and methodology is critical. Without this, the assumptions made are not
+clear and it is unreasonable to draw certain conclusions from the
+results.
 
 It turns out that some researchers did that kind of open research in
 2016 in a paper called ["The Debsources Dataset: Two Decades of Free and
@@ -153,20 +156,21 @@ origins. According to the paper:
 Sullivan argued that the Debsources data set is interesting because of
 its quality: every package in Debian has been reviewed by multiple
 humans, including the original packager, but also by the FTP masters to
-ensure the distribution can legally redistribute the software. The
-existence of a package in Debian also provides a minimal "proof of use":
+ensure that the distribution can legally redistribute the software. The
+existence of a package in Debian provides a minimal "proof of use":
 unmaintained packages get removed from Debian on a regular basis and the
 mere fact that a piece of software gets packaged in Debian means at
 least some users found it important enough to work on packaging it.
-Debian packagers also make specific efforts to avoid code duplication
-between packages in order to ease security maintenance. The data set
-also covers a period longer than Black Duck's or GitHub's, as it goes
-all the way back to the Hamm 2.0 release in 1998. The data and how to
-reproduce it are also [freely
-available](http://dx.doi.org/10.5281/zenodo.61089) under a CC BY-SA 4.0
-license.
+Debian packagers make specific efforts to avoid code duplication between
+packages in order to ease security maintenance. The data set covers a
+period longer than Black Duck's or GitHub's, as it goes all the way back
+to the Hamm 2.0 release in 1998. The data and how to reproduce it are
+[freely available](http://dx.doi.org/10.5281/zenodo.61089) under a CC
+BY-SA 4.0 license.
 
-![Debsource graph](https://static.lwn.net/images/2017/debconf-debsources.png)
+> ![\[Debsource
+> graph\]](https://static.lwn.net/images/2017/debconf-debsources.png){.photo
+> width="1024" height="634"}
 
 Sullivan presented the above graph from the research paper that showed
 the evolution of software license use in the Debian archive. Whereas
@@ -220,8 +224,9 @@ licenses are still free software, according to the FSF and the Debian
 Free Software Guidelines, so their rise is still a positive outcome.
 Even if the GPL is a better tool to accomplish the goal of a
 free-software world, we can all acknowledge that the conversion of
-proprietary software to more "permissive" and certainly simpler licenses
-is definitely to the good. Unfortunately, because of the very nature of
-proprietary software, actual research on *that* phenomenon will likely
-be out of reach for the foreseeable future.
+proprietary software to more permissive—and certainly simpler—licenses
+is definitely heading in the right direction.
+
+\[I would like to thank the DebConf organizers for providing meals for
+me during the conference.\]
 

first pass of changes from LWN
diff --git a/blog/debconf-licenses.mdwn b/blog/debconf-licenses.mdwn
index 7e682b91..23768ab1 100644
--- a/blog/debconf-licenses.mdwn
+++ b/blog/debconf-licenses.mdwn
@@ -1,174 +1,194 @@
 The supposed decline of copyleft
 ================================
 
-At Debconf17, John Sullivan, the executive directory of the FSF,
-presented an interesting talk regarding the supposed decline of
-copyleft licenses use in free software projects. In his talk, Sullivan
-questioned the notion that "permissive" licenses like the BSD or MIT
-licenses are gaining grounds at the expense the traditionally dominant
-copyleft licenses of the FSF. While there does seem to be a rise in
-the use of MIT in general, there may be many other explanations for
-that phenomenon which merit discussion.
+\[LWN subscriber-only content\]
+-------------------------------
+
+At [DebConf17](https://debconf17.debconf.org/), John Sullivan, the
+executive director of the FSF, gave a talk on the supposed decline of
+copyleft licenses use in free-software projects. In his presentation,
+Sullivan questioned the notion that "permissive" licenses, like the BSD
+or MIT licenses, are gaining ground at the expense of the traditionally
+dominant copyleft licenses from the FSF. While there does seem to be a
+rise in the use of MIT, in general, there may be other explanations for
+the phenomenon that merit discussion.
 
 When the rumor mill starts
 --------------------------
 
-Sullivan gave an example of the rumor of the copyleft decline as
-an [article on opensource.com](https://opensource.com/article/17/2/decline-gpl) by Jono Bacon from February 2017
-showing a histogram of license usage between 2010 and 2017. From that,
-Baker elaborates possible reasons for the apparent decline of the
-GPL. The graphic used in the article was actually generated by Stephen
-O'Grady in a January
-article, [The State Of Open Source Licensing](http://redmonk.com/sogrady/2017/01/13/the-state-of-open-source-licensing/), which shows that:
-
-> In Black Duck’s sample, the most popular variant of the GPL –
-> version 2 – is less than half as popular as it was (46% to
-> 19%). Over the same span, the permissive MIT has gone from 8% share
-> to 29%, while its permissive cousin the Apache License 2.0 jumped
-> from 5% to 15%.
-
-![Histogram showing evolution of license share between 2010 and 2017 from Black Duck](http://sogrady-media.redmonk.com/sogrady/files/2017/01/OSS-blk-duck-licensing-0110-0117-wm-2.png)
-
-Sullivan, however, argued that the methodology used to create the
-articles was problematic. None of those articles are original
-research: the graphs actually come from the [Black Duck](https://www.blackducksoftware.com/) "KnowledgeBase"
-data, partly created from the old Ohloh web site now known
-as [OpenHub](https://openhub.net/).
-
-To show one problem with the dataset, Sullivan gave the example of two
-free software projects showcased on the frontpage of Ohloh.net around
-2012: GNU Bash and GNU Emacs. On the site, Bash was (and [still
-is](https://web.archive.org/web/20170820182836/https://www.openhub.net/p/bash)) listed as GPLv2+, whereas it is GPLv3 [since 2011](http://git.savannah.gnu.org/cgit/bash.git/commit/COPYING?h=devel&id=2e4498b3aaccbc2618e74f1101abafed96a6bf19). He also
-claimed that "Emacs was listed as licensed under GPLv3-only which is a
-license Emacs has never had in its history", although I wasn't able to
-verify that information from the Internet archive. But basically,
-according to Sullivan, "the two projects featured on the frontpage of
-a site that was using [the Black Duck] dataset were wrong". This, in
-turns, seriously brings into question the quality of the data:
-
-> I reported this problem and we'll continue to do that but when
-> someone is not sharing the dataset that they're using for other
-> people to evaluate it and we see glimpses of it which are incorrect,
-> that should give us a lot of hesitation about accepting any
-> conclusion that come out of it.
-
-We can certainly agree the necessity of reproducible observations to
-the establishment solid theories in science. Sullivan didn't try to
-contact Black Duck to get access to the database, because he assumed
-(rightly, as it turned out) that he would need to "pay for the data
-under terms that forbid you to share that information with anybody
-else". So I wrote Black Duck myself to confirm this information. In an
-email interview, Patrick Carey from Black Duck Software confirmed
-their dataset is "proprietary". He believes, however, that through a
-"combination of human and automated techniques", Black Duck is "highly
-confident at the accuracy and completeness of the data in the
-KnowledgeBase". He did point out, however, that "the way we track the
-data may not necessarily be optimal for answering the question on
-license use trend" as "that would entail examination of new open
-source projects coming into existence each year and the licenses used
-by them".
-
-In other words, even according to Black Duck Software, its database
-may not be useful to establish the conclusions drawn by those other
-articles. Carey did agree with those conclusions intuitively, however,
-saying that "there seems to be a shift toward Apache and MIT licenses
-in new projects, though I don't have data to back that up". He
-suggested that "an effective way to answer the trend question would be
-to analyze the new projects on GitHub over the last 5-10 years." Carey
-also suggested that "GitHub has become so dominant over the recent
-years that just looking at projects on GitHub would give you a
-reasonable sampling from which to draw conclusions".
-
-![Evolution of licenses in GitHub repositories between 2008 and 2015](https://cloud.githubusercontent.com/assets/282759/6517300/9dc14536-c367-11e4-9a63-b23a3d75af78.png)
-
-Indeed, GitHub published a [report](https://github.com/blog/1964-open-source-license-usage-on-github-com) in 2015 which also seems to
-confirm MIT's popularity (45%), surpassing copyleft licenses (24%).
-The data is, however, not without its own limitations. For example, in
-the above graph going back to the inception of GitHub in 2008, we see
-a rather abnormal spike in 2013, which seems to correlate with the
-launch of the [choosealicense.com](https://choosealicense.com/) site, described by GitHub as
-"our first pass at making open source licensing on GitHub easier". In
-his talk, Sullivan was critical of the [initial version of the
-site](http://web.archive.org/web/20130716093023/http://choosealicense.com/) which he described as biased towards permissive
-licenses. Because the GitHub project creation page links to the site,
-Sullivan explained that the site's bias could have actually influenced
-GitHub's users license choices. Following [a talk](https://archive.fosdem.org/2016/schedule/event/license_pickers/) from Sullivan at
-FOSDEM 2016, GitHub actually [addressed the question in 2016](https://github.com/github/choosealicense.com/issues/335) by
-[rewording parts of the frontpage](https://github.com/github/choosealicense.com/commit/db18b5dfe6a8d788f6df2ab60cf95091e5f73e1d) to be more accurate, but that
-impact obviously doesn't show in the report produced in 2015 and won't
-affect choices users have already made. Therefore, we can have
-reasonable doubts that GitHub's subset of software projects may not
-actually be that representative of the larger free software community.
+Sullivan gave a recent example of the rumor of the copyleft decline in
+an [article on
+Opensource.com](https://opensource.com/article/17/2/decline-gpl) by Jono
+Bacon from February 2017 that showed a histogram of license usage
+between 2010 and 2017 (seen below). From that, Baker elaborates possible
+reasons for the apparent decline of the GPL. The graphic used in the
+article was actually generated by Stephen O'Grady in a January article,
+[The State Of Open Source
+Licensing](http://redmonk.com/sogrady/2017/01/13/the-state-of-open-source-licensing/),
+which said:
+
+> In Black Duck's sample, the most popular variant of the GPL – version
+> 2 – is less than half as popular as it was (46% to 19%). Over the same
+> span, the permissive MIT has gone from 8% share to 29%, while its
+> permissive cousin the Apache License 2.0 jumped from 5% to 15%.
+
+![Black Duck histogram](http://sogrady-media.redmonk.com/sogr
+ady/files/2017/01/OSS-blk-duck-licensing-0110-0117-wm-2.png)
+
+Sullivan, however, argued that the methodology used to create both
+articles was problematic. Neither contains original research: the graphs
+actually come from the [Black Duck
+Software](https://www.blackducksoftware.com/) "KnowledgeBase" data,
+which was partly created from the old Ohloh web site now known as [Open
+Hub](https://openhub.net/).
+
+To show one problem with the data set, Sullivan pointed out that free
+software projects showcased on the front page of Ohloh.net around 2012:
+GNU Bash and GNU Emacs. On the site, Bash was (and [still
+is](https://web.archive.org/web/20170820182836/https://www.openhub.net/p/bash))
+listed as GPLv2+, whereas it is GPLv3 [since
+2011](http://git.savannah.gnu.org/cgit/bash.git/commit/COPYING?h=devel&id=2e4498b3aaccbc2618e74f1101abafed96a6bf19).
+He also claimed that "Emacs was listed as licensed under GPLv3-only
+which is a license Emacs has never had in its history", although I
+wasn't able to verify that information from the Internet archive.
+Basically, according to Sullivan, "the two projects featured on the
+front page of a site that was using \[the Black Duck\] data set were
+wrong". This, in turn, seriously brings into question the quality of the
+data:
+
+> I reported this problem and we'll continue to do that but when someone
+> is not sharing the data set that they're using for other people to
+> evaluate it and we see glimpses of it which are incorrect, that should
+> give us a lot of hesitation about accepting any conclusion that comes
+> out of it.
+
+Reproducible observations are necessary to the establishment of solid
+theories in science. Sullivan didn't try to contact Black Duck to get
+access to the database, because he assumed (rightly, as it turned out)
+that he would need to "pay for the data under terms that forbid you to
+share that information with anybody else". So I wrote Black Duck myself
+to confirm this information. In an email interview, Patrick Carey from
+Black Duck confirmed its data set is proprietary. He believes, however,
+that through a "combination of human and automated techniques", Black
+Duck is "highly confident at the accuracy and completeness of the data
+in the KnowledgeBase". He did point out, however, that "the way we track
+the data may not necessarily be optimal for answering the question on
+license use trend" as "that would entail examination of new open source
+projects coming into existence each year and the licenses used by them".
+
+In other words, even according to Black Duck, its database may not be
+useful to establish the conclusions drawn by those articles. Carey did
+agree with those conclusions intuitively, however, saying that "there
+seems to be a shift toward Apache and MIT licenses in new projects,
+though I don't have data to back that up". He suggested that "an
+effective way to answer the trend question would be to analyze the new
+projects on GitHub over the last 5-10 years." Carey also suggested that
+"GitHub has become so dominant over the recent years that just looking
+at projects on GitHub would give you a reasonable sampling from which to
+draw conclusions".
+
+![GitHub graph](https://static.lwn.net/images/2017/debconf-github.png)
+
+Indeed, GitHub published a
+[report](https://github.com/blog/1964-open-source-license-usage-on-github-com)
+in 2015 that also seems to confirm MIT's popularity (45%), surpassing
+copyleft licenses (24%). The data is, however, not without its own
+limitations. For example, in the above graph going back to the inception
+of GitHub in 2008, we see a rather abnormal spike in 2013, which seems
+to correlate with the launch of the
+[choosealicense.com](https://choosealicense.com/) site, described by
+GitHub as "our first pass at making open source licensing on GitHub
+easier".

(fichier de différences tronqué)
add note about stretch issues
diff --git a/services/upgrades/stretch.mdwn b/services/upgrades/stretch.mdwn
index 1974674a..b42ca2d1 100644
--- a/services/upgrades/stretch.mdwn
+++ b/services/upgrades/stretch.mdwn
@@ -62,7 +62,8 @@ Issues
 * [[!debbug 866792]]: irssi profile should load in complain mode
 * [[!debbug 866790]]: postfix apparmor profile syntax errors
 * [[!debbug 845938]] and [[!debbug 805414]]: a2db sink locked by gdm
-* Kodi doesn't start on the right tty? (not filed)
+* Kodi doesn't start on the right tty? (not filed, see
+  https://www.earth.li/~noodles/blog/2017/08/notes-on-stretch.html for workaround?)
 * forgot to review the list of packages removed, those I would have
   liked to keep: torbrowser-launcher, npm
 * upgrade was performed with a bad battery, which meant suspending

last review before getting into LWN drafts
diff --git a/blog/debconf-licenses.mdwn b/blog/debconf-licenses.mdwn
index 4fb153a6..7e682b91 100644
--- a/blog/debconf-licenses.mdwn
+++ b/blog/debconf-licenses.mdwn
@@ -2,17 +2,19 @@ The supposed decline of copyleft
 ================================
 
 At Debconf17, John Sullivan, the executive directory of the FSF,
-presented an interesting talk regarding the supposed decline of the
-use of copyleft licenses in free software projects. In his talk,
-Sullivan questionned the notion that "permissive" licenses like the
-BSD or MIT licenses are gaining grounds towards the traditionally
-dominant copyleft licenses of the FSF.
-
-When the rumour mill starts
----------------------------
-
-Sullivan identified the rumour of the copyleft decline as
-an [article on opensource.com](https://opensource.com/article/17/2/decline-gpl) by Jono Baker from February 2017
+presented an interesting talk regarding the supposed decline of
+copyleft licenses use in free software projects. In his talk, Sullivan
+questioned the notion that "permissive" licenses like the BSD or MIT
+licenses are gaining grounds at the expense the traditionally dominant
+copyleft licenses of the FSF. While there does seem to be a rise in
+the use of MIT in general, there may be many other explanations for
+that phenomenon which merit discussion.
+
+When the rumor mill starts
+--------------------------
+
+Sullivan gave an example of the rumor of the copyleft decline as
+an [article on opensource.com](https://opensource.com/article/17/2/decline-gpl) by Jono Bacon from February 2017
 showing a histogram of license usage between 2010 and 2017. From that,
 Baker elaborates possible reasons for the apparent decline of the
 GPL. The graphic used in the article was actually generated by Stephen
@@ -33,17 +35,16 @@ research: the graphs actually come from the [Black Duck](https://www.blackduckso
 data, partly created from the old Ohloh web site now known
 as [OpenHub](https://openhub.net/).
 
-To explain one problem with the dataset, Sullivan gave the example of
-two free software projects that showcased on the frontpage of
-Ohloh.net around 2012: GNU Bash and GNU Emacs. On the site, Bash was
-(and [still is](https://web.archive.org/web/20170820182836/https://www.openhub.net/p/bash)) listed as GPLv2+, whereas it is
-GPLv3 [since 2011](http://git.savannah.gnu.org/cgit/bash.git/commit/COPYING?h=devel&id=2e4498b3aaccbc2618e74f1101abafed96a6bf19). He also claimed that "Emacs was listed as
-licensed under GPLv3-only which is a license Emacs has never had in
-its history", although I wasn't able to verify that information from
-the Internet archive. But basically, according to Sullivan, "the two
-projects featured on the frontpage of a site that was using [the Black
-Duck] dataset were wrong". This, in turns, seriously brings into
-question the quality of the data:
+To show one problem with the dataset, Sullivan gave the example of two
+free software projects showcased on the frontpage of Ohloh.net around
+2012: GNU Bash and GNU Emacs. On the site, Bash was (and [still
+is](https://web.archive.org/web/20170820182836/https://www.openhub.net/p/bash)) listed as GPLv2+, whereas it is GPLv3 [since 2011](http://git.savannah.gnu.org/cgit/bash.git/commit/COPYING?h=devel&id=2e4498b3aaccbc2618e74f1101abafed96a6bf19). He also
+claimed that "Emacs was listed as licensed under GPLv3-only which is a
+license Emacs has never had in its history", although I wasn't able to
+verify that information from the Internet archive. But basically,
+according to Sullivan, "the two projects featured on the frontpage of
+a site that was using [the Black Duck] dataset were wrong". This, in
+turns, seriously brings into question the quality of the data:
 
 > I reported this problem and we'll continue to do that but when
 > someone is not sharing the dataset that they're using for other
@@ -51,21 +52,21 @@ question the quality of the data:
 > that should give us a lot of hesitation about accepting any
 > conclusion that come out of it.
 
-Sullivan also underlined the necessity for science to reproduce
-observations to establish solid theories. Sullivan didn't try to
+We can certainly agree the necessity of reproducible observations to
+the establishment solid theories in science. Sullivan didn't try to
 contact Black Duck to get access to the database, because he assumed
 (rightly, as it turned out) that he would need to "pay for the data
 under terms that forbid you to share that information with anybody
-else". So I figured I would write Black Duck myself to confirm this
-information. In an email interview, Patrick Carey from Black Duck
-Software confirmed their dataset is "proprietary". He believes,
-however, that through a "combination of human and automated
-techniques", Black Duck is "highly confident at the accuracy and
-completeness of the data in the KnowledgeBase". He did point out,
-however, that "the way we track the data may not necessarily be
-optimal for answering the question on license use trend" as "that
-would entail examination of new open source projects coming into
-existence each year and the licenses used by them".
+else". So I wrote Black Duck myself to confirm this information. In an
+email interview, Patrick Carey from Black Duck Software confirmed
+their dataset is "proprietary". He believes, however, that through a
+"combination of human and automated techniques", Black Duck is "highly
+confident at the accuracy and completeness of the data in the
+KnowledgeBase". He did point out, however, that "the way we track the
+data may not necessarily be optimal for answering the question on
+license use trend" as "that would entail examination of new open
+source projects coming into existence each year and the licenses used
+by them".
 
 In other words, even according to Black Duck Software, its database
 may not be useful to establish the conclusions drawn by those other
@@ -82,51 +83,49 @@ reasonable sampling from which to draw conclusions".
 
 Indeed, GitHub published a [report](https://github.com/blog/1964-open-source-license-usage-on-github-com) in 2015 which also seems to
 confirm MIT's popularity (45%), surpassing copyleft licenses (24%).
-The data is, however, not without its own set of limitations. In the graph
-going up to the inception of GitHub in 2008, we see, for example, a
-rather abnormal spike in 2013, which seems to correlate with the
+The data is, however, not without its own limitations. For example, in
+the above graph going back to the inception of GitHub in 2008, we see
+a rather abnormal spike in 2013, which seems to correlate with the
 launch of the [choosealicense.com](https://choosealicense.com/) site, described by GitHub as
 "our first pass at making open source licensing on GitHub easier". In
-his talk, Sullivan was critical of
-the [initial version of the site](http://web.archive.org/web/20130716093023/http://choosealicense.com/) which he described as biased
-towards permissive licenses. Because the GitHub project creation page
-links to the site, Sullivan explained that the site's bias may have
-actually influenced GitHub's users license
-choices. Following [a talk](https://archive.fosdem.org/2016/schedule/event/license_pickers/) from Sullivan at FOSDEM 2016, GitHub
-actually [addressed the question in 2016](https://github.com/github/choosealicense.com/issues/335)
-by [rewording parts of the frontpage](https://github.com/github/choosealicense.com/commit/db18b5dfe6a8d788f6df2ab60cf95091e5f73e1d) to be more accurate, but that
+his talk, Sullivan was critical of the [initial version of the
+site](http://web.archive.org/web/20130716093023/http://choosealicense.com/) which he described as biased towards permissive
+licenses. Because the GitHub project creation page links to the site,
+Sullivan explained that the site's bias could have actually influenced
+GitHub's users license choices. Following [a talk](https://archive.fosdem.org/2016/schedule/event/license_pickers/) from Sullivan at
+FOSDEM 2016, GitHub actually [addressed the question in 2016](https://github.com/github/choosealicense.com/issues/335) by
+[rewording parts of the frontpage](https://github.com/github/choosealicense.com/commit/db18b5dfe6a8d788f6df2ab60cf95091e5f73e1d) to be more accurate, but that
 impact obviously doesn't show in the report produced in 2015 and won't
 affect choices users have already made. Therefore, we can have
-resonsable doubts that GitHub's subset of software projects may not
+reasonable doubts that GitHub's subset of software projects may not
 actually be that representative of the larger free software community.
 
 In search of solid evidence
 ---------------------------
 
-So it seems we are missing good, reproducible results to draw those
-conclusions. Sullivan explained this was a difficult problem, if only
-in the way you determine which projects to analyse. The impact of a
+So it seems we are missing good, reproducible results to confirm or
+dispel the rumors. Sullivan explained this was a difficult problem, if
+only in the way you select which projects to analyse: the impact of a
 MIT-licensed personal wiki will obviously be vastly different from,
-say, a GPL-licensed C compiler or kernel and we may not want to
-consider them the same way. We may also want to distinguish between
-active and inactive projects. There is also the problem of code
-duplication, both across publication platforms (a project may be
-published on GitHub.com *and* sourceforge.net for example) but also
-across projects (code may be copy-pasted between projects). We should
-also think about how to evaluate the license of a given project:
-different files in the same code base often have different licenses
-and often none at all. This is why having a clear, documented and
-publicly available dataset and methodology is critical. Without this,
-the assumptions made are not clear and it may be unfair to draw any
-conclusion from the results.
-
-It turns out that some researchers did exactly that kind of research
-in 2016, in a paper called
-"[The Debsources Dataset: Two Decades of Free and Open Source Software](https://upsilon.cc/~zack/research/publications/debsources-ese-2016.pdf)"
-by Matthieu Caneill, Daniel M. Germán and Stefano Zacchiroli. The
-"[Debsources dataset](https://sources.debian.net/)" is the complete Debian source code covering
-a large history of the Debian project and so thousands of free
-software projects of different origins. According to the paper:
+say, a GPL-licensed C compiler or kernel. We may also want to
+distinguish between active and inactive projects. There is also the
+problem of code duplication, both across publication platforms (a
+project may be published on GitHub.com *and* sourceforge.net for
+example) but also across projects (code may be copy-pasted between
+projects). We should also think about how to evaluate the license of a
+given project: different files in the same code base often have
+different licenses and often none at all. This is why having a clear,
+documented and publicly available dataset and methodology is
+critical. Without this, the assumptions made are not clear and it is
+unfair to draw some conclusion from the results.
+
+It turns out that some researchers did exactly that kind of open
+research in 2016, in a paper called "[The Debsources Dataset: Two
+Decades of Free and Open Source Software](https://upsilon.cc/~zack/research/publications/debsources-ese-2016.pdf)" by Matthieu Caneill,
+Daniel M. Germán and Stefano Zacchiroli. The "[Debsources dataset](https://sources.debian.net/)"
+is the complete Debian source code covering a large history of the
+Debian project and therefore includes thousands of free software
+projects of different origins. According to the paper:
 
 > The long history of Debian creates a perfect subject to evaluate how
 > FOSS licenses use has evolved over time, and the popularity of
@@ -141,7 +140,7 @@ unmaintained packages get removed from Debian on a regular basis and
 the mere fact that a piece of software gets packaged in Debian means
 at least some users found it important enough to work on the
 packaging. Debian packagers also make specific efforts to avoid code
-duplication between packages to ease future security maintenance. The
+duplication between packages to ease security maintenance. The
 dataset also covers a period longer than Black Duck's and GitHub's,
 going all the way back to the Hamm 2.0 release, in 1998. The data and
 how to reproduce it is also [freely available](http://dx.doi.org/10.5281/zenodo.61089) under a CC BY-SA 4.0
@@ -161,15 +160,15 @@ quote the paper again:
 > most Perl libraries), GPL-3.0+, and Apache-2.0.
 
 Indeed, looking at the graph, at most do we see a *rise* of the Apache
-and MIT licenses and no decline of the GPL per se. Another possibility
-is that Debian's dataset has the opposite bias, towards GPL
-software. The Debian project is culturally quite different from the
-GitHub community and even the larger free software ecosystem,
+and MIT licenses and no decline of the GPL per se, although its

(fichier de différences tronqué)
review after lwn feedback
diff --git a/blog/debconf-licenses.mdwn b/blog/debconf-licenses.mdwn
index bae2ad78..4fb153a6 100644
--- a/blog/debconf-licenses.mdwn
+++ b/blog/debconf-licenses.mdwn
@@ -4,8 +4,8 @@ The supposed decline of copyleft
 At Debconf17, John Sullivan, the executive directory of the FSF,
 presented an interesting talk regarding the supposed decline of the
 use of copyleft licenses in free software projects. In his talk,
-Sullivan attacked the notion that "permissive" licenses like the BSD
-or MIT licenses are gaining grounds towards the traditionally
+Sullivan questionned the notion that "permissive" licenses like the
+BSD or MIT licenses are gaining grounds towards the traditionally
 dominant copyleft licenses of the FSF.
 
 When the rumour mill starts
@@ -30,7 +30,7 @@ article, [The State Of Open Source Licensing](http://redmonk.com/sogrady/2017/01
 Sullivan, however, argued that the methodology used to create the
 articles was problematic. None of those articles are original
 research: the graphs actually come from the [Black Duck](https://www.blackducksoftware.com/) "KnowledgeBase"
-data, partly created from the old Ohloh website now known
+data, partly created from the old Ohloh web site now known
 as [OpenHub](https://openhub.net/).
 
 To explain one problem with the dataset, Sullivan gave the example of
@@ -58,16 +58,16 @@ contact Black Duck to get access to the database, because he assumed
 under terms that forbid you to share that information with anybody
 else". So I figured I would write Black Duck myself to confirm this
 information. In an email interview, Patrick Carey from Black Duck
-Software confirmed their dataset is "proprietary". They believe,
+Software confirmed their dataset is "proprietary". He believes,
 however, that through a "combination of human and automated
-techniques" they are "highly confident at the accuracy and
+techniques", Black Duck is "highly confident at the accuracy and
 completeness of the data in the KnowledgeBase". He did point out,
 however, that "the way we track the data may not necessarily be
 optimal for answering the question on license use trend" as "that
 would entail examination of new open source projects coming into
 existence each year and the licenses used by them".
 
-In other words, even according to Black Duck Software, their database
+In other words, even according to Black Duck Software, its database
 may not be useful to establish the conclusions drawn by those other
 articles. Carey did agree with those conclusions intuitively, however,
 saying that "there seems to be a shift toward Apache and MIT licenses
@@ -82,7 +82,7 @@ reasonable sampling from which to draw conclusions".
 
 Indeed, GitHub published a [report](https://github.com/blog/1964-open-source-license-usage-on-github-com) in 2015 which also seems to
 confirm MIT's popularity (45%), surpassing copyleft licenses (24%).
-The data is, however, not without its own set of issues. In the graph
+The data is, however, not without its own set of limitations. In the graph
 going up to the inception of GitHub in 2008, we see, for example, a
 rather abnormal spike in 2013, which seems to correlate with the
 launch of the [choosealicense.com](https://choosealicense.com/) site, described by GitHub as
@@ -93,7 +93,7 @@ towards permissive licenses. Because the GitHub project creation page
 links to the site, Sullivan explained that the site's bias may have
 actually influenced GitHub's users license
 choices. Following [a talk](https://archive.fosdem.org/2016/schedule/event/license_pickers/) from Sullivan at FOSDEM 2016, GitHub
-actually [addressed the issue in 2016](https://github.com/github/choosealicense.com/issues/335)
+actually [addressed the question in 2016](https://github.com/github/choosealicense.com/issues/335)
 by [rewording parts of the frontpage](https://github.com/github/choosealicense.com/commit/db18b5dfe6a8d788f6df2ab60cf95091e5f73e1d) to be more accurate, but that
 impact obviously doesn't show in the report produced in 2015 and won't
 affect choices users have already made. Therefore, we can have
@@ -125,8 +125,12 @@ in 2016, in a paper called
 "[The Debsources Dataset: Two Decades of Free and Open Source Software](https://upsilon.cc/~zack/research/publications/debsources-ese-2016.pdf)"
 by Matthieu Caneill, Daniel M. Germán and Stefano Zacchiroli. The
 "[Debsources dataset](https://sources.debian.net/)" is the complete Debian source code covering
-a large history of the Debian project but also thousands of free
-software projects of different origins.
+a large history of the Debian project and so thousands of free
+software projects of different origins. According to the paper:
+
+> The long history of Debian creates a perfect subject to evaluate how
+> FOSS licenses use has evolved over time, and the popularity of
+> licenses currently in use.
 
 Sullivan argued that the Debsources dataset is interesting because of
 its quality: every package in Debian has been reviewed by multiple
@@ -145,26 +149,50 @@ license.
 
 ![Evolution of the number of packages that have a given dominant license in Debian between 1998 and 2015](debconf-licenses/debsources-ese-2016-fig13.png)
 
-Sullivan presented a graph ("Dominant license in Package") from
-Zacchiroli's research that showed the evolution of software license
-use the Debian archive. Whereas previous graphs showed statistics in
-percentages, this one showed actual absolute numbers, where we can't
-actually distinguish a decline in copyleft licenses. At most do we see
-a *rise* of the Apache and MIT licenses. Of course, Debian's dataset
-may also be skewed in the opposite direction. The Debian project is
-culturally quite different from the GitHub community and even the
-larger free software ecosystem, naturally, which could explain the
-disparity in the results. We can only hope a similar analysis can be
-performed on the much larger [Software Heritage](https://lwn.net/Articles/693471/) dataset
-eventually.
-
-Also, the rise of non-copyleft licenses doesn't necessarily seem
-to be at the detriment of the GPL. Sullivan argued that, even if there
-*is* an actual relative decline, it may be better explained by the
-overall *growth* of free software, at the detriment of proprietary
-software. He reminded the audience that non-copyleft licenses are
-still free software, according to the FSF and the Debian Free Software
-Guidelines.
+Sullivan presented the above graph ("Dominant license in Package")
+from Zacchiroli's research paper that showed the evolution of software
+license use the Debian archive. Whereas previous graphs showed
+statistics in percentages, this one showed actual absolute numbers,
+where we can't actually distinguish a decline in copyleft licenses. To
+quote the paper again:
+
+> The top license is, once again, GPL-2.0+, followed by:
+> Artistic-1.0/GPL dual-licensing (the licensing choice of Perl and
+> most Perl libraries), GPL-3.0+, and Apache-2.0.
+
+Indeed, looking at the graph, at most do we see a *rise* of the Apache
+and MIT licenses and no decline of the GPL per se. Another possibility
+is that Debian's dataset has the opposite bias, towards GPL
+software. The Debian project is culturally quite different from the
+GitHub community and even the larger free software ecosystem,
+naturally, which could explain the disparity in the results. We can
+only hope a similar analysis can be performed on the much larger
+[Software Heritage](https://lwn.net/Articles/693471/) dataset
+eventually, which would certainly give more representative
+results. The paper acknowledges this problem:
+
+> Debian is likely representative of enterprise use of FOSS as a base
+> operating system, where stable, long-term and seldomly updated
+> software products are desirable. Conversely Debian is unlikely
+> representative of more dynamic FOSS environments (e.g., modern
+> Web-development with micro libraries) where users, who are usually
+> developers themselves, expect to receive library updates on a daily
+> basis.
+
+The Debsources research also shares methodoloy limitations
+with Black Duck: while Debian packages are reviewed before uploading
+and we can rely on the copyright information provided by Debian
+packages, Zacchiroli's research also relies on automated tools
+(specifically [FOSSology](https://www.fossology.org/)) to retrieve
+license information. 
+
+Finally, Sullivan brought up the theory that the rise of non-copyleft
+licenses isn't necessarily at the detriment of the GPL. He explained
+that, even if there *is* an actual relative decline, it may be better
+explained by the overall *growth* of free software, at the detriment
+of proprietary software. He reminded the audience that non-copyleft
+licenses are still free software, according to the FSF and the Debian
+Free Software Guidelines.
 
 He also warned against "ascribing reason to numbers": people may have
 different reasons for choosing a particular license. Developers may

mention the s4
diff --git a/hardware/phone.mdwn b/hardware/phone.mdwn
index e4718625..8efe36a6 100644
--- a/hardware/phone.mdwn
+++ b/hardware/phone.mdwn
@@ -32,6 +32,8 @@ Galaxy S3
 
 No FM transmitter, no external keyboard.
 
+The S4 is similar, but one generation newer so better battery and faster LTE support (100mbps!), but at a slightly higher cost (140$ used vs 50-100$).
+
 Nexus S
 -------
 

note sur les grosses liseuses
diff --git a/wishlist.mdwn b/wishlist.mdwn
index c4b4459b..ece6bf85 100644
--- a/wishlist.mdwn
+++ b/wishlist.mdwn
@@ -58,6 +58,8 @@ Voici des choses que vous pouvez m'acheter si vous êtes le Père Nowel (yeah ri
      * [La théorie du drone](http://www.worldcat.org/oclc/847564093)
      * [The ARRL Operating Manual](http://www.arrl.org/shop/The-ARRL-Operating-Manual/)
      * [Les idées noires](https://en.wikipedia.org/wiki/Id%C3%A9es_noires) de Franquin, [l'intégrale](http://www.worldcat.org/oclc/493932411)
+ * une liseuse 13" comme le [Sony DPT-S1](https://www.sony.com/electronics/digital-paper-notepads/dpts1#product_details_default) ou le [Onyx BOOX Max](https://onyxboox.com/boox_max),
+   ou encore une tablette rootable qui roule le plus de logiciel libre possible
  * des longues vacances au costa rica, dans le charlevoix ou à une autre place pas rapport
  * un [[hardware/radio/FmTransmitter]]
  * un "portable image scanner" comme

fix a link
diff --git a/blog/debconf-licenses.mdwn b/blog/debconf-licenses.mdwn
index 6d4147dd..bae2ad78 100644
--- a/blog/debconf-licenses.mdwn
+++ b/blog/debconf-licenses.mdwn
@@ -143,7 +143,7 @@ going all the way back to the Hamm 2.0 release, in 1998. The data and
 how to reproduce it is also [freely available](http://dx.doi.org/10.5281/zenodo.61089) under a CC BY-SA 4.0
 license.
 
-![Evolution of the number of packages that have a given dominant license in Debian between 1998 and 2015](debsources-ese-2016-fig13.png)
+![Evolution of the number of packages that have a given dominant license in Debian between 1998 and 2015](debconf-licenses/debsources-ese-2016-fig13.png)
 
 Sullivan presented a graph ("Dominant license in Package") from
 Zacchiroli's research that showed the evolution of software license

add images
diff --git a/blog/debconf-licenses.mdwn b/blog/debconf-licenses.mdwn
index 78e1859f..6d4147dd 100644
--- a/blog/debconf-licenses.mdwn
+++ b/blog/debconf-licenses.mdwn
@@ -25,6 +25,8 @@ article, [The State Of Open Source Licensing](http://redmonk.com/sogrady/2017/01
 > to 29%, while its permissive cousin the Apache License 2.0 jumped
 > from 5% to 15%.
 
+![Histogram showing evolution of license share between 2010 and 2017 from Black Duck](http://sogrady-media.redmonk.com/sogrady/files/2017/01/OSS-blk-duck-licensing-0110-0117-wm-2.png)
+
 Sullivan, however, argued that the methodology used to create the
 articles was problematic. None of those articles are original
 research: the graphs actually come from the [Black Duck](https://www.blackducksoftware.com/) "KnowledgeBase"
@@ -76,6 +78,8 @@ also suggested that "GitHub has become so dominant over the recent
 years that just looking at projects on GitHub would give you a
 reasonable sampling from which to draw conclusions".
 
+![Evolution of licenses in GitHub repositories between 2008 and 2015](https://cloud.githubusercontent.com/assets/282759/6517300/9dc14536-c367-11e4-9a63-b23a3d75af78.png)
+
 Indeed, GitHub published a [report](https://github.com/blog/1964-open-source-license-usage-on-github-com) in 2015 which also seems to
 confirm MIT's popularity (45%), surpassing copyleft licenses (24%).
 The data is, however, not without its own set of issues. In the graph
@@ -139,6 +143,8 @@ going all the way back to the Hamm 2.0 release, in 1998. The data and
 how to reproduce it is also [freely available](http://dx.doi.org/10.5281/zenodo.61089) under a CC BY-SA 4.0
 license.
 
+![Evolution of the number of packages that have a given dominant license in Debian between 1998 and 2015](debsources-ese-2016-fig13.png)
+
 Sullivan presented a graph ("Dominant license in Package") from
 Zacchiroli's research that showed the evolution of software license
 use the Debian archive. Whereas previous graphs showed statistics in
diff --git a/blog/debconf-licenses/debsources-ese-2016-fig13.png b/blog/debconf-licenses/debsources-ese-2016-fig13.png
new file mode 100644
index 00000000..a49784c0
Binary files /dev/null and b/blog/debconf-licenses/debsources-ese-2016-fig13.png differ

small review from drebs
diff --git a/blog/debconf-licenses.mdwn b/blog/debconf-licenses.mdwn
index 49187836..78e1859f 100644
--- a/blog/debconf-licenses.mdwn
+++ b/blog/debconf-licenses.mdwn
@@ -27,7 +27,7 @@ article, [The State Of Open Source Licensing](http://redmonk.com/sogrady/2017/01
 
 Sullivan, however, argued that the methodology used to create the
 articles was problematic. None of those articles are original
-research: the graphs actually come the [Black Duck](https://www.blackducksoftware.com/) "KnowledgeBase"
+research: the graphs actually come from the [Black Duck](https://www.blackducksoftware.com/) "KnowledgeBase"
 data, partly created from the old Ohloh website now known
 as [OpenHub](https://openhub.net/).
 
@@ -91,10 +91,10 @@ actually influenced GitHub's users license
 choices. Following [a talk](https://archive.fosdem.org/2016/schedule/event/license_pickers/) from Sullivan at FOSDEM 2016, GitHub
 actually [addressed the issue in 2016](https://github.com/github/choosealicense.com/issues/335)
 by [rewording parts of the frontpage](https://github.com/github/choosealicense.com/commit/db18b5dfe6a8d788f6df2ab60cf95091e5f73e1d) to be more accurate, but that
-impact obviously doesn't show in the report produced in 2015. In the
-end, GitHub's data has its own set of issues, if only because it
-represents only a certain subset of the free software projects in
-existence.
+impact obviously doesn't show in the report produced in 2015 and won't
+affect choices users have already made. Therefore, we can have
+resonsable doubts that GitHub's subset of software projects may not
+actually be that representative of the larger free software community.
 
 In search of solid evidence
 ---------------------------
@@ -152,7 +152,7 @@ disparity in the results. We can only hope a similar analysis can be
 performed on the much larger [Software Heritage](https://lwn.net/Articles/693471/) dataset
 eventually.
 
-Also, the rise of non-copyleft licenses, it doesn't necessarily seems
+Also, the rise of non-copyleft licenses doesn't necessarily seem
 to be at the detriment of the GPL. Sullivan argued that, even if there
 *is* an actual relative decline, it may be better explained by the
 overall *growth* of free software, at the detriment of proprietary
@@ -161,10 +161,10 @@ still free software, according to the FSF and the Debian Free Software
 Guidelines.
 
 He also warned against "ascribing reason to numbers": people may have
-different reasons why choosing a particular license. Developers may
+different reasons for choosing a particular license. Developers may
 choose the MIT license because it has fewer words, for compatibility
 reasons or simply because "their lawyers told them to". It may not
-imply actual a deliberate philosophical or ideological choice. In the
+imply an actual deliberate philosophical or ideological choice. In the
 end, Sullivan made a pretty convincing case not only that the GPL use
 may not be declining, but also that this question may not be as
-critical as one might think if, overall free software is on the rise.
+critical as one might think if, overall, free software is on the rise.

diff --git a/hardware/phone.mdwn b/hardware/phone.mdwn
index 9f77cbc8..e4718625 100644
--- a/hardware/phone.mdwn
+++ b/hardware/phone.mdwn
@@ -2,7 +2,9 @@ This section documents my experiments with cellular phone
 technology. I have more detailed guides and documentation on specific
 phones as well:
 
-[[!map pages="page(phone/*)"]]
+[[!map pages="page(hardware/phone/*)"]]
+
+**Table of contents**:
 
 [[!toc levels=2]]
 

add display sizes everywhere and n900 stats
diff --git a/hardware/phone.mdwn b/hardware/phone.mdwn
index 715cdf15..9f77cbc8 100644
--- a/hardware/phone.mdwn
+++ b/hardware/phone.mdwn
@@ -22,7 +22,7 @@ Galaxy S3
  * 16 or 32 GB
  * Up to 64 GB microSDXC
  * 2,100 mAh, replaceable
- * 720×1280
+ * 4.8" 720×1280
  * 8MP f/2.6 1080p 30fps
  * Multi-touch capacitive touchscreen, aGPS, GLONASS, Barometer,
  * Gyroscope, Accelerometer, Digital compass
@@ -43,6 +43,7 @@ Nexus S
  * 16 GB
  * 1,500 mAh replaceable
 
+ * 4" display
  * 3-axis gyroscope, Accelerometer, Ambient light sensor, Capacitive
  * touch-sensitive buttons, Digital compass, Microphone, Multi-touch
  * capacitive touchscreen, Proximity sensor, Push buttons
@@ -73,7 +74,7 @@ First, it's already shipping, although out of stocks now (feb 2015). Second, it
  * 2000mAh Replaceable
  * GPS, Wifi, FM (?), compass, proximity, gyro,
  * 8MP
- * 143 mm x 73 mm x 11 mm 5"
+ * 5" (143 mm x 73 mm x 11 mm)
  * 148 g (phone) + 20 g (external case)
 
 Downside: it doesn't have an FM transmitter and the [baseband isn't open](https://forum.fairphone.com/t/fairphone-baseband-os-firmware/1228).
@@ -301,7 +302,7 @@ See [[htc-one-s]] for config details. [Specs](http://www.gsmarena.com/htc_one_s-
  * Non-removable battery, Up to 317 h, talk up to 10 h 30 min
  * 130.9 x 65 x 7.8 mm (5.15 x 2.56 x 0.31 in)
  * 119.5 g (4.20 oz)
- * 4.3 inches (~59.9% screen-to-body ratio)
+ * 4.3" (~59.9% screen-to-body ratio)
 
 Previous phones
 ===============
@@ -330,7 +331,11 @@ One of the thing that's missing is podcasting, various ideas:
 Nokia n900
 ----------
 
-The [[!wikipedia Nokia_N900]] was a great machine, but those machines are now so dead: no more software support from Nokia... and the hardware is somewhat slow. There's [Neo900](http://neo900.org/), a plan to rebuild a new phone based on the same case, but that's not yet shipping.
+The [[!wikipedia Nokia_N900]] was a great machine, but those machines
+are now so dead: no more software support from Nokia... and the
+hardware is somewhat slow. There's [Neo900](http://neo900.org/), a
+plan to rebuild a new phone based on the same case, but that's not yet
+shipping.
 
 I have two n900 machines, both have their SIM card socket broken now,
 either desoldered or some other broken thing. [Wikipedia says this can
@@ -340,7 +345,17 @@ be fixed by resoldering][], and there are two references online:
 * <https://www.jabawok.net/?p=14>
 
  [Wikipedia says this can be fixed by resoldering]: https://en.wikipedia.org/wiki/Nokia_N900#Known_issues
- 
+
+ * 600MHz Cortex A8
+ * 32GB, 256MB ram
+ * 5MP
+ * FM radio and transceiver(!)
+ * Wi-Fi 802.11 b/g, DLNA
+ * A-GPS
+ * Removeable battery
+ * 3.5" (800 x 480 pixels)
+ * 110.9 x 59.8 x 18 mm, 181g
+
 Features
 ========
 

hotlink to subpages
diff --git a/hardware/phone.mdwn b/hardware/phone.mdwn
index 8aa47913..715cdf15 100644
--- a/hardware/phone.mdwn
+++ b/hardware/phone.mdwn
@@ -1,11 +1,10 @@
-[[!toc levels=2]]
-
 This section documents my experiments with cellular phone
 technology. I have more detailed guides and documentation on specific
 phones as well:
 
- * [[htc-one-s]]
- * [[lg-g3-d852]]
+[[!map pages="page(phone/*)"]]
+
+[[!toc levels=2]]
 
 Potential phones
 ================

link directly to subpages more obviously
diff --git a/hardware/phone.mdwn b/hardware/phone.mdwn
index adb80f07..8aa47913 100644
--- a/hardware/phone.mdwn
+++ b/hardware/phone.mdwn
@@ -1,5 +1,12 @@
 [[!toc levels=2]]
 
+This section documents my experiments with cellular phone
+technology. I have more detailed guides and documentation on specific
+phones as well:
+
+ * [[htc-one-s]]
+ * [[lg-g3-d852]]
+
 Potential phones
 ================
 

my modest container notes
diff --git a/software/containers.mdwn b/software/containers.mdwn
new file mode 100644
index 00000000..0378bb38
--- /dev/null
+++ b/software/containers.mdwn
@@ -0,0 +1,51 @@
+[[!meta title="Container notes"]]
+
+Those are notes and reminders of how to do "things" with containers,
+regardless of technology. The are not a replacement for the official
+documentation and may only be useful for myself.
+
+Docker
+------
+
+To build an image:
+
+    docker build --tag foo
+
+That will create an image named "foo" (even if it says `--tag`, that's
+actually the image name, whatever).
+
+To enter a container:
+
+    docker run --tty --interactive foo /bin/bash
+
+To map volumes to containers, which images pre-define certain
+`VOLUME`, first create a volume:
+
+    docker volume create foo
+
+Then use it in the container:
+
+    docker run --volume foo:/srv/foo /bin/bash
+
+Containers are basically a directory stored in
+`/var/lib/docker/volumes` which can be copied around normally.
+
+To restart a container on reboot, use `--restart=unless-stopped` or
+`--restart=always`, as [documented](https://docs.docker.com/engine/admin/start-containers-automatically/).
+
+Rocket
+------
+
+Running docker containers:
+
+    $ sudo rkt run --insecure-options=image --interactive docker://busybox -- /bin/sh
+
+Those get resolved using the [rkt image resolution](https://coreos.com/rkt/docs/latest/devel/distribution-point.html).
+
+Re-running:
+
+    $ sudo rkt run registry-1.docker.io/library/debian:latest --interactive --exec /bin/bash --net=host
+
+Building images requires using the separate [acbuild](https://github.com/containers/build) command which
+builds "standard" ACI images and not docker images. Other tools are
+obviously available like [Packer](https://www.packer.io/).
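Review bot: The `rkt run --insecure-options=image` example in the Rocket section turns off image signature verification, and the notes do not say so. The flag is needed for `docker://` images because they carry no signature rkt can check, but a reader copying the line should know the image is then trusted only as far as the registry and the transport. I would add a sentence after that command, such as `Note: --insecure-options=image disables image signature verification; only use it with registries you trust.` In the Docker section, `docker build --tag foo` is missing its build context (`docker build --tag foo .`) and `docker run --volume foo:/srv/foo /bin/bash` is missing the image name. The sentence "Containers are basically a directory stored in `/var/lib/docker/volumes`" presumably means volumes.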

add note regarding old configs
diff --git a/services/radio.mdwn b/services/radio.mdwn
index 38e2c7cf..9cc381d6 100644
--- a/services/radio.mdwn
+++ b/services/radio.mdwn
@@ -63,6 +63,11 @@ reverse Apache proxy:
         ProxyPassReverse / http://127.0.0.1:4343/
     </VirtualHost>
 
+[[!note """Note that the above config varies from one fork to the
+other. With Subsonic, for example, I wasn't able to make the above
+work and had to switch Subsonic itself to serve HTTPS. This page's
+history has a record of a working Subsonic config."""]]
+
 Then restart apache:
 
     sudo service apache2 restart

update config and notes to airsonic
diff --git a/services/radio.mdwn b/services/radio.mdwn
index 45199527..38e2c7cf 100644
--- a/services/radio.mdwn
+++ b/services/radio.mdwn
@@ -5,24 +5,46 @@
 Subsonic
 ========
 
-I am switching over from MPD + Liquidsoap + Icecast to simply Subsonic
-/ Libresonic, because it seems much simpler. I may still use MPD as a
-client for some occasions, we'll see.
+I have switched from MPD + Liquidsoap + Icecast to the Subsonic
+ecosystem, mostly because of the extra features. With Subsonic, I can
+stream audio, but I can also download actual copies of the albums on
+the remote clients, including album covert art. I still use MPD/GMPC
+on the desktop, however, because the only Linux desktop client
+implementation (a Clementine plugin) doesn't have all those nice
+features.
 
 Subsonic is deployed with [[containers]] (currently using [Docker](https://docker.io/))
-to simplify deployment and to test that technology.
+to simplify deployment and to test that technology. I originally used
+the original [Subsonic](http://subsonic.org/) implementation, but that turned proprietary
+not long ago, which led to the creation of a fork
+called [Libresonic](https://libresonic.org/) which was *also* itself forked
+into [Airsonic](https://github.com/airsonic/airsonic) because the Libresonic maintainer considers it its
+personal project which limited collboration. Airsonic also features a
+more modern HTML5 player (MediaElement.js instead of JWPlayer).
 
 I am using the [subsonic-docker-image](https://github.com/mschuerig/subsonic-docker-image) from [mschuerig](https://github.com/mschuerig) because
-it is simple and uses Debian. I contributed a few patches of my own to
-tweak it to my needs and update it to latest versions.
+it is based Debian and runs under a separate user. I contributed a few
+patches of my own to tweak it to my needs and update it to latest
+versions. I also (trivially) ported it to Libresonic and Airsonic,
+see [this discussion](https://github.com/mschuerig/subsonic-docker-image/issues/14) for merging that in the original project. I
+discussed making that the official Dockerfile for the Airsonic
+project, but they seem happy enough with their current
+implementation.
 
-The container is started with:
+I build the container with:
 
-    sudo docker run --detach --restart=always --publish 127.0.0.1:4040:4040 --publish 127.0.0.1:4343:4343 --volume "subsonic:/var/subsonic" --volume "/srv:/var/music:ro" anarcat/debian-subsonic --https-port=4343
+    git clone -b airsonic https://github.com/anarcat/docker-subsonic/
+    cd docker-subsonic
+    docker build -t anarcat/debian-airsonic .
 
-Then I configured `/srv/mp3` and other directories individually. I
-also changed the admin password. Then the only remaining thing was to
-configure a reverse Apache proxy:
+The container is then started with:
+
+    sudo docker run --detach --restart=always --publish 127.0.0.1:4343:8080 --volume "airsonic:/var/airsonic" --volume "/srv:/var/music:ro" anarcat/debian-airsonic
+
+Then I configured `/srv/mp3` and other directories individually in the
+GUI. I also changed the admin password and create a separate account
+for remote devices. Then the only remaining thing was to configure a
+reverse Apache proxy:
 
     <VirtualHost *:80>
             ServerName radio.anarc.at
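Review bot: The new `docker run` line bind-mounts all of `/srv` into the container (`--volume "/srv:/var/music:ro"`), while the next paragraph says only `/srv/mp3` and a few other directories are configured as music folders. The mount is read-only, but the media server is reachable through the Apache proxy and can read everything under `/srv`, so whatever else is kept there is exposed if the application is compromised or misconfigured. I would mount only the music directories, one `--volume` per directory, e.g. `--volume "/srv/mp3:/var/music/mp3:ro"`. Publishing the port on `127.0.0.1:4343` only is the right choice, and the text could say so explicitly so that it survives later edits.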
@@ -30,24 +52,15 @@ configure a reverse Apache proxy:
     </VirtualHost>
     
     <VirtualHost *:443>
-            ServerName radio.anarc.at
-            Use common-letsencrypt-ssl radio.anarc.at
-            DocumentRoot /var/www/html/
-            SSLProxyEngine on
-            SSLProxyCheckPeerCN off
-            SSLProxyCheckPeerName off
-            SSLProxyVerify none
-            RequestHeader unset Accept-Encoding
-            ProxyRequests off
-            <Location />
-                    ProxyPreserveHost On
-                    #ProxyPass http://127.0.0.1:4040/
-                    #ProxyPassReverse http://127.0.0.1:4040/
-                    ProxyPass https://127.0.0.1:4343/
-                    ProxyPassReverse https://127.0.0.1:4343/
-                    Order allow,deny
-                    Allow from all
-            </Location>
+        ServerName radio.anarc.at
+        Use common-letsencrypt-ssl radio.anarc.at
+        DocumentRoot /var/www/html/
+        ErrorDocument 404 /404.html
+        RequestHeader set X-Forwarded-Proto "https"
+        RequestHeader set X-Forwarded-Host "radio.anarc.at"
+        RequestHeader set X-Forwarded-Server "radio.anarc.at"
+        ProxyPass / http://127.0.0.1:4343/
+        ProxyPassReverse / http://127.0.0.1:4343/
     </VirtualHost>
 
 Then restart apache:
@@ -58,7 +71,7 @@ The certificates are provided by Let's Encrypt, using this command:
 
     sudo certbot certonly -d radio.anarc.at --webroot --webroot-path /var/www/html/ && sudo apache2 restart
 
-Boom. You're done.
+That's pretty much it!
 
 Todo
 ----

add ref for software heritage
diff --git a/blog/debconf-licenses.mdwn b/blog/debconf-licenses.mdwn
index 0183bf18..49187836 100644
--- a/blog/debconf-licenses.mdwn
+++ b/blog/debconf-licenses.mdwn
@@ -144,10 +144,18 @@ Zacchiroli's research that showed the evolution of software license
 use the Debian archive. Whereas previous graphs showed statistics in
 percentages, this one showed actual absolute numbers, where we can't
 actually distinguish a decline in copyleft licenses. At most do we see
-a *rise* of the Apache and MIT licenses, but that doesn't necessarily
-seems to be at the detriment of the GPL. Sullivan argued that, even if
-there *is* an actual relative decline, it may be better explained by
-the overall *growth* of free software, at the detriment of proprietary
+a *rise* of the Apache and MIT licenses. Of course, Debian's dataset
+may also be skewed in the opposite direction. The Debian project is
+culturally quite different from the GitHub community and even the
+larger free software ecosystem, naturally, which could explain the
+disparity in the results. We can only hope a similar analysis can be
+performed on the much larger [Software Heritage](https://lwn.net/Articles/693471/) dataset
+eventually.
+
+Also, the rise of non-copyleft licenses, it doesn't necessarily seems
+to be at the detriment of the GPL. Sullivan argued that, even if there
+*is* an actual relative decline, it may be better explained by the
+overall *growth* of free software, at the detriment of proprietary
 software. He reminded the audience that non-copyleft licenses are
 still free software, according to the FSF and the Debian Free Software
 Guidelines.

review first draft
diff --git a/blog/debconf-licenses.mdwn b/blog/debconf-licenses.mdwn
index 326bcda8..0183bf18 100644
--- a/blog/debconf-licenses.mdwn
+++ b/blog/debconf-licenses.mdwn
@@ -5,46 +5,43 @@ At Debconf17, John Sullivan, the executive directory of the FSF,
 presented an interesting talk regarding the supposed decline of the
 use of copyleft licenses in free software projects. In his talk,
 Sullivan attacked the notion that "permissive" licenses like the BSD
-or MIT licenses are gaining grounds towards the traditionnally
+or MIT licenses are gaining grounds towards the traditionally
 dominant copyleft licenses of the FSF.
 
-Sullivan begun by reminding the audience that copyright law is only a
-means to an end for the FSF, the end being a world where running only
-free software. He identified other threats to freedom online, which
-have been for too long overlooked, like EULAs, trademark and copyright
-law. In that perspective, one could argue that permissive licenses
-could be called 'lax' or 'dismissive' as they omit key issues
-threatening software freedom in the modern world. He gave the example
-of patents being "Apple and Microsoft's weapon of choice", with the
-latter being in the odd position of giving half a million dollars of
-grant to the Linux Foundation yearly, but on the other end extracting
-"patent royalties from Linux running on Android devices, measured in
-billions of dollars".
-
-Black Duck Software
--------------------
-
-Sullivan then traced the rumour of the copyleft decline to its
-source. He first identified an [article on opensource.com](https://opensource.com/article/17/2/decline-gpl) by Jono
-Baker from February 2017 showing a histogram of various license usage
-between 2010 and 2017. From that, Baker elaborates possible reasons
-for the apparent decline of the GPL. The graphic used in the article
-was actually generated by Stephen O'Grady in a January article
-named [The State Of Open Source Licensing](http://redmonk.com/sogrady/2017/01/13/the-state-of-open-source-licensing/). Sullivan argued that
-the methodology used to create the articles was problematic: none of
-it was original research, and is based on data from
-the [Black Duck](https://www.blackducksoftware.com/) Knowledge Base, partly created from the old
-Ohloh website now known as [OpenHub](https://openhub.net/). 
-
-He also gave the example of two free software projects that were
-showcased on the frontpage of Ohloh.net around 2012: GNU Bash and GNU
-Emacs. On the site, Bash was (and [still is](https://web.archive.org/web/20170820182836/https://www.openhub.net/p/bash)) listed as GPLv2+,
-whereas Bash is licensed under GPLv3 [since 2011](http://git.savannah.gnu.org/cgit/bash.git/commit/COPYING?h=devel&id=2e4498b3aaccbc2618e74f1101abafed96a6bf19). He also claimed
-that "Emacs was listed as licensed under GPLv3-only which is a license
-Emacs has never had in its history", although I wasn't able to verify
-that information from the Internet archive. But basically, according
-to Sullivan, "the two projects featured on the frontpage of a site
-that was using [the Black Duck] dataset were wrong":
+When the rumour mill starts
+---------------------------
+
+Sullivan identified the rumour of the copyleft decline as
+an [article on opensource.com](https://opensource.com/article/17/2/decline-gpl) by Jono Baker from February 2017
+showing a histogram of license usage between 2010 and 2017. From that,
+Baker elaborates possible reasons for the apparent decline of the
+GPL. The graphic used in the article was actually generated by Stephen
+O'Grady in a January
+article, [The State Of Open Source Licensing](http://redmonk.com/sogrady/2017/01/13/the-state-of-open-source-licensing/), which shows that:
+
+> In Black Duck’s sample, the most popular variant of the GPL –
+> version 2 – is less than half as popular as it was (46% to
+> 19%). Over the same span, the permissive MIT has gone from 8% share
+> to 29%, while its permissive cousin the Apache License 2.0 jumped
+> from 5% to 15%.
+
+Sullivan, however, argued that the methodology used to create the
+articles was problematic. None of those articles are original
+research: the graphs actually come the [Black Duck](https://www.blackducksoftware.com/) "KnowledgeBase"
+data, partly created from the old Ohloh website now known
+as [OpenHub](https://openhub.net/).
+
+To explain one problem with the dataset, Sullivan gave the example of
+two free software projects that showcased on the frontpage of
+Ohloh.net around 2012: GNU Bash and GNU Emacs. On the site, Bash was
+(and [still is](https://web.archive.org/web/20170820182836/https://www.openhub.net/p/bash)) listed as GPLv2+, whereas it is
+GPLv3 [since 2011](http://git.savannah.gnu.org/cgit/bash.git/commit/COPYING?h=devel&id=2e4498b3aaccbc2618e74f1101abafed96a6bf19). He also claimed that "Emacs was listed as
+licensed under GPLv3-only which is a license Emacs has never had in
+its history", although I wasn't able to verify that information from
+the Internet archive. But basically, according to Sullivan, "the two
+projects featured on the frontpage of a site that was using [the Black
+Duck] dataset were wrong". This, in turns, seriously brings into
+question the quality of the data:
 
 > I reported this problem and we'll continue to do that but when
 > someone is not sharing the dataset that they're using for other
@@ -52,19 +49,21 @@ that was using [the Black Duck] dataset were wrong":
 > that should give us a lot of hesitation about accepting any
 > conclusion that come out of it.
 
-Sullivan didn't try to contact Black Duck to get access to the
-database, because he assumed (rightly, as it turned out) that he would
-need to "pay for the data under terms that forbid you to share that
-information with anybody else". So I figured I would write Black Duck
-myself to confirm this information. In an email interview, Patrick
-Carey from Black Duck Software confirmed their dataset is
-"proprietary". They believe, however, that through a "combination of
-human and automated techniques" they are "highly confident at the
-accuracy and completeness of the data in the KnowledgeBase". He did
-point out, however, that "the way we track the data may not
-necessarily be optimal for answering the question on license use
-trend" as "that would entail examination of new open source projects
-coming into existence each year and the licenses used by them".
+Sullivan also underlined the necessity for science to reproduce
+observations to establish solid theories. Sullivan didn't try to
+contact Black Duck to get access to the database, because he assumed
+(rightly, as it turned out) that he would need to "pay for the data
+under terms that forbid you to share that information with anybody
+else". So I figured I would write Black Duck myself to confirm this
+information. In an email interview, Patrick Carey from Black Duck
+Software confirmed their dataset is "proprietary". They believe,
+however, that through a "combination of human and automated
+techniques" they are "highly confident at the accuracy and
+completeness of the data in the KnowledgeBase". He did point out,
+however, that "the way we track the data may not necessarily be
+optimal for answering the question on license use trend" as "that
+would entail examination of new open source projects coming into
+existence each year and the licenses used by them".
 
 In other words, even according to Black Duck Software, their database
 may not be useful to establish the conclusions drawn by those other
@@ -72,109 +71,92 @@ articles. Carey did agree with those conclusions intuitively, however,
 saying that "there seems to be a shift toward Apache and MIT licenses
 in new projects, though I don't have data to back that up". He
 suggested that "an effective way to answer the trend question would be
-to analyze the new projects on GitHub over the last 5-10 years."
-
-Github
-------
-
-So we turn to GitHub for more results. In a [2015 report](https://github.com/blog/1964-open-source-license-usage-on-github-com), GitHub
-also seems to confirm MIT's popularity (45%), surpassing copyleft
-licenses (24%). Interestingly, GitHub's analysis also shows that most
-projects are actually *not* explicitly licensed. Since GitHub's early
-days, the ratio of licensed projects seems to hover around 20%, a
-surprisingly low ratio considering the popular (and often incorrect)
-assumption that GitHub-hosted projects are free software. Indeed,
-unlicensed software is, under US copyright law, proprietary and it is
-only by "hacking" copyright law that software freedom activists have
-worked around that issue. That ratio should therefore give us pause
-before we analyse the other results. We can only hope that that
-situation is unintentional... 
-
-Furthermore, while Carey argued in the interview that "GitHub has
-become so dominant over the recent years that just looking at projects
-on GitHub would give you a reasonable sampling from which to draw
-conclusions", I would counter that GitHub *itself* promotes a certain
-approach to free software, closer to the "permissive" approach than
-the more radical line of the FSF. Indeed, GitHub itself is not free
-software and only 5 years after their launch date did they implement
-the choosealicense.com site to encourage users to actually choose a
-license.
-
-And indeed, the "Percentage of repositories licensed" graph shows an
-interesting spike in 2013, however, which they correlate with the
-launch date of the [choosealicense.com](https://choosealicense.com/) site, described by GitHub
-as "our first pass at making open source licensing on GitHub
-easier". In his talk, Sullivan was critical of
-the [initial version of the site](http://web.archive.org/web/20130716093023/http://choosealicense.com/) which he said was biased towards
-permissive licenses. Because the site is linked from the project
-creation page, Sullivan argues that GitHub's bias towards the MIT
-license may have actually influenced GitHub's users license choices
-since 2013. Following [a talk](https://archive.fosdem.org/2016/schedule/event/license_pickers/) from Sullivan at FOSDEM 2016, GitHub
-actually [adressed the issue in 2016](https://github.com/github/choosealicense.com/issues/335)
-by [rewording various parts of the frontpage](https://github.com/github/choosealicense.com/commit/db18b5dfe6a8d788f6df2ab60cf95091e5f73e1d) to be more accurate,
-but it could be argued that the damage was already done at that point:
-"such claims may become self-fulfilling prophecies". In the end,
-GitHub's data has its own set of issues, if only because it represents
-only a certain subset of the free software projects in existence.
-
-Debian
-------
-
-So it seems we are missing a way to generate good, reproducible
-results to draw those conclusions. Sullivan explained this was a
-difficult problem, if only in the way you determine which projects to
-analyse, but also *how* data is extracted from source code. Can
-personal projects be considered similarly to large scale projects used
-by millions? How about project activity? Should we count all projects
-on the web? Sullivan also talked about the problem of code duplication
-both between projects or considering a project's history. One should
+to analyze the new projects on GitHub over the last 5-10 years." Carey
+also suggested that "GitHub has become so dominant over the recent
+years that just looking at projects on GitHub would give you a
+reasonable sampling from which to draw conclusions".
+
+Indeed, GitHub published a [report](https://github.com/blog/1964-open-source-license-usage-on-github-com) in 2015 which also seems to
+confirm MIT's popularity (45%), surpassing copyleft licenses (24%).
+The data is, however, not without its own set of issues. In the graph
+going up to the inception of GitHub in 2008, we see, for example, a
+rather abnormal spike in 2013, which seems to correlate with the
+launch of the [choosealicense.com](https://choosealicense.com/) site, described by GitHub as
+"our first pass at making open source licensing on GitHub easier". In
+his talk, Sullivan was critical of
+the [initial version of the site](http://web.archive.org/web/20130716093023/http://choosealicense.com/) which he described as biased
+towards permissive licenses. Because the GitHub project creation page
+links to the site, Sullivan explained that the site's bias may have
+actually influenced GitHub's users license
+choices. Following [a talk](https://archive.fosdem.org/2016/schedule/event/license_pickers/) from Sullivan at FOSDEM 2016, GitHub
+actually [addressed the issue in 2016](https://github.com/github/choosealicense.com/issues/335)

(fichier de différences tronqué)
at last a draft
diff --git a/blog/debconf-licenses.mdwn b/blog/debconf-licenses.mdwn
index 15387e4c..326bcda8 100644
--- a/blog/debconf-licenses.mdwn
+++ b/blog/debconf-licenses.mdwn
@@ -1,98 +1,180 @@
-
-
-law is a means to an end, which is a free software world
-
-other threats
-
-- copyright
-- EULA
-- patents
-
-apple and M$'s choice of weapon. M$ gave the Linux Foundation about
-500k$ in grants but in different part of the company, Microsoft
-extracted patent royalties from Linux running on Android devices,
-measured in billions of dollars. M$ should allow people to install
-Linux on their ARM-based devices.
-
-lax or permissive or dismissive?
-
-opensource.com/article/17/2/decline-gpl (feb 2017)
-blackducksoftware.com/top-open-source-licenses
-
-then Bacon 2017
-
-ref. another article which ultimately refers to blackduck.com. data is
-missing, behind sales@blackduck.com with probably a EULA?
-
-write blackduck.com?
-
-so we need to generate good, reproducible results
-
-difficult to select which projects to examine
-
-- personal projects?
-- are different packages different projects?
-- level: file or package?
-- duplication between projects
-- how many users?
-- project activity?
-
-showcase on blackduck.com: bash being GPL-2+ while it has been GPL-3+
-since at least 2014, according to debian [URL?]. emacs is marked as
-GPL-3 only [but that's what debian says as well? check with blackduck
-again]
-
-such claims may become self-fulfilling prophecies. GitHub, for
-example, runs a service called [choosealicense.com](https://choosealicense.com/) which is linked
-from the project creation page, to help users to choose licenses. this
-page used to be biased towards MIT licenses [archive.org?]. after a
-conversation between the FSF and GitHub, the latter adjusted the text
-of the site to be more accurate [not only for GPL]
-
-
-proper data can be found in Zack's paper about sources.debian.net
-
-"The Debsources Dataset: Two Decades of Free and Open Source Software"
-by Matthieu Caneill, Daniel M. Germán and Stefano Zacchiroli
-http://dx.doi.org/10.5281/zenodo.61089 - CC BY-SA 4.0 license,
-
-[Springer 1382-3256 debsources-ese-2016.pdf]. Sullivan presented a
-graph from Zack's research that showed a history of the evolution of
-software license use the Debian archive. he chose the graph named
-"Dominant license in Package"
-
-
-the debian dataset is interesting because of its
+The supposed decline of copyleft
+================================
+
+At Debconf17, John Sullivan, the executive directory of the FSF,
+presented an interesting talk regarding the supposed decline of the
+use of copyleft licenses in free software projects. In his talk,
+Sullivan attacked the notion that "permissive" licenses like the BSD
+or MIT licenses are gaining grounds towards the traditionnally
+dominant copyleft licenses of the FSF.
+
+Sullivan begun by reminding the audience that copyright law is only a
+means to an end for the FSF, the end being a world where running only
+free software. He identified other threats to freedom online, which
+have been for too long overlooked, like EULAs, trademark and copyright
+law. In that perspective, one could argue that permissive licenses
+could be called 'lax' or 'dismissive' as they omit key issues
+threatening software freedom in the modern world. He gave the example
+of patents being "Apple and Microsoft's weapon of choice", with the
+latter being in the odd position of giving half a million dollars of
+grant to the Linux Foundation yearly, but on the other end extracting
+"patent royalties from Linux running on Android devices, measured in
+billions of dollars".
+
+Black Duck Software
+-------------------
+
+Sullivan then traced the rumour of the copyleft decline to its
+source. He first identified an [article on opensource.com](https://opensource.com/article/17/2/decline-gpl) by Jono
+Baker from February 2017 showing a histogram of various license usage
+between 2010 and 2017. From that, Baker elaborates possible reasons
+for the apparent decline of the GPL. The graphic used in the article
+was actually generated by Stephen O'Grady in a January article
+named [The State Of Open Source Licensing](http://redmonk.com/sogrady/2017/01/13/the-state-of-open-source-licensing/). Sullivan argued that
+the methodology used to create the articles was problematic: none of
+it was original research, and is based on data from
+the [Black Duck](https://www.blackducksoftware.com/) Knowledge Base, partly created from the old
+Ohloh website now known as [OpenHub](https://openhub.net/). 
+
+He also gave the example of two free software projects that were
+showcased on the frontpage of Ohloh.net around 2012: GNU Bash and GNU
+Emacs. On the site, Bash was (and [still is](https://web.archive.org/web/20170820182836/https://www.openhub.net/p/bash)) listed as GPLv2+,
+whereas Bash is licensed under GPLv3 [since 2011](http://git.savannah.gnu.org/cgit/bash.git/commit/COPYING?h=devel&id=2e4498b3aaccbc2618e74f1101abafed96a6bf19). He also claimed
+that "Emacs was listed as licensed under GPLv3-only which is a license
+Emacs has never had in its history", although I wasn't able to verify
+that information from the Internet archive. But basically, according
+to Sullivan, "the two projects featured on the frontpage of a site
+that was using [the Black Duck] dataset were wrong":
+
+> I reported this problem and we'll continue to do that but when
+> someone is not sharing the dataset that they're using for other
+> people to evaluate it and we see glimpses of it which are incorrect,
+> that should give us a lot of hesitation about accepting any
+> conclusion that come out of it.
+
+Sullivan didn't try to contact Black Duck to get access to the
+database, because he assumed (rightly, as it turned out) that he would
+need to "pay for the data under terms that forbid you to share that
+information with anybody else". So I figured I would write Black Duck
+myself to confirm this information. In an email interview, Patrick
+Carey from Black Duck Software confirmed their dataset is
+"proprietary". They believe, however, that through a "combination of
+human and automated techniques" they are "highly confident at the
+accuracy and completeness of the data in the KnowledgeBase". He did
+point out, however, that "the way we track the data may not
+necessarily be optimal for answering the question on license use
+trend" as "that would entail examination of new open source projects
+coming into existence each year and the licenses used by them".
+
+In other words, even according to Black Duck Software, their database
+may not be useful to establish the conclusions drawn by those other
+articles. Carey did agree with those conclusions intuitively, however,
+saying that "there seems to be a shift toward Apache and MIT licenses
+in new projects, though I don't have data to back that up". He
+suggested that "an effective way to answer the trend question would be
+to analyze the new projects on GitHub over the last 5-10 years."
+
+Github
+------
+
+So we turn to GitHub for more results. In a [2015 report](https://github.com/blog/1964-open-source-license-usage-on-github-com), GitHub
+also seems to confirm MIT's popularity (45%), surpassing copyleft
+licenses (24%). Interestingly, GitHub's analysis also shows that most
+projects are actually *not* explicitly licensed. Since GitHub's early
+days, the ratio of licensed projects seems to hover around 20%, a
+surprisingly low ratio considering the popular (and often incorrect)
+assumption that GitHub-hosted projects are free software. Indeed,
+unlicensed software is, under US copyright law, proprietary and it is
+only by "hacking" copyright law that software freedom activists have
+worked around that issue. That ratio should therefore give us pause
+before we analyse the other results. We can only hope that that
+situation is unintentional... 
+
+Furthermore, while Carey argued in the interview that "GitHub has
+become so dominant over the recent years that just looking at projects
+on GitHub would give you a reasonable sampling from which to draw
+conclusions", I would counter that GitHub *itself* promotes a certain
+approach to free software, closer to the "permissive" approach than
+the more radical line of the FSF. Indeed, GitHub itself is not free
+software and only 5 years after their launch date did they implement
+the choosealicense.com site to encourage users to actually choose a
+license.
+
+And indeed, the "Percentage of repositories licensed" graph shows an
+interesting spike in 2013, however, which they correlate with the
+launch date of the [choosealicense.com](https://choosealicense.com/) site, described by GitHub
+as "our first pass at making open source licensing on GitHub
+easier". In his talk, Sullivan was critical of
+the [initial version of the site](http://web.archive.org/web/20130716093023/http://choosealicense.com/) which he said was biased towards
+permissive licenses. Because the site is linked from the project
+creation page, Sullivan argues that GitHub's bias towards the MIT
+license may have actually influenced GitHub's users license choices
+since 2013. Following [a talk](https://archive.fosdem.org/2016/schedule/event/license_pickers/) from Sullivan at FOSDEM 2016, GitHub
+actually [adressed the issue in 2016](https://github.com/github/choosealicense.com/issues/335)
+by [rewording various parts of the frontpage](https://github.com/github/choosealicense.com/commit/db18b5dfe6a8d788f6df2ab60cf95091e5f73e1d) to be more accurate,
+but it could be argued that the damage was already done at that point:
+"such claims may become self-fulfilling prophecies". In the end,
+GitHub's data has its own set of issues, if only because it represents
+only a certain subset of the free software projects in existence.
+
+Debian
+------
+
+So it seems we are missing a way to generate good, reproducible
+results to draw those conclusions. Sullivan explained this was a
+difficult problem, if only in the way you determine which projects to
+analyse, but also *how* data is extracted from source code. Can
+personal projects be considered similarly to large scale projects used
+by millions? How about project activity? Should we count all projects
+on the web? Sullivan also talked about the problem of code duplication
+both between projects or considering a project's history. One should

(fichier de différences tronqué)
removed
diff --git a/blog/2016-04-21-free-software-activities-april-2016/comment_2_aebee370fac0751baede0b50e7a6414b._comment b/blog/2016-04-21-free-software-activities-april-2016/comment_2_aebee370fac0751baede0b50e7a6414b._comment
deleted file mode 100644
index fb5c53d6..00000000
--- a/blog/2016-04-21-free-software-activities-april-2016/comment_2_aebee370fac0751baede0b50e7a6414b._comment
+++ /dev/null
@@ -1,10 +0,0 @@
-[[!comment format=mdwn
- ip="47.9.181.173"
- claimedauthor="Aptoide"
- url="https://www.app-aptoide.com"
- subject="Aptoide"
- date="2017-08-19T16:20:39Z"
- content="""
-Hi, very good article.
-Thanks for sharing, keep up the good work.
-"""]]

Added a comment: Aptoide
diff --git a/blog/2016-04-21-free-software-activities-april-2016/comment_2_aebee370fac0751baede0b50e7a6414b._comment b/blog/2016-04-21-free-software-activities-april-2016/comment_2_aebee370fac0751baede0b50e7a6414b._comment
new file mode 100644
index 00000000..fb5c53d6
--- /dev/null
+++ b/blog/2016-04-21-free-software-activities-april-2016/comment_2_aebee370fac0751baede0b50e7a6414b._comment
@@ -0,0 +1,10 @@
+[[!comment format=mdwn
+ ip="47.9.181.173"
+ claimedauthor="Aptoide"
+ url="https://www.app-aptoide.com"
+ subject="Aptoide"
+ date="2017-08-19T16:20:39Z"
+ content="""
+Hi, very good article.
+Thanks for sharing, keep up the good work.
+"""]]

first set of notes for sullivans talk
diff --git a/blog/debconf-licenses.mdwn b/blog/debconf-licenses.mdwn
new file mode 100644
index 00000000..15387e4c
--- /dev/null
+++ b/blog/debconf-licenses.mdwn
@@ -0,0 +1,98 @@
+
+
+law is a means to an end, which is a free software world
+
+other threats
+
+- copyright
+- EULA
+- patents
+
+apple and M$'s choice of weapon. M$ gave the Linux Foundation about
+500k$ in grants but in different part of the company, Microsoft
+extracted patent royalties from Linux running on Android devices,
+measured in billions of dollars. M$ should allow people to install
+Linux on their ARM-based devices.
+
+lax or permissive or dismissive?
+
+opensource.com/article/17/2/decline-gpl (feb 2017)
+blackducksoftware.com/top-open-source-licenses
+
+then Bacon 2017
+
+ref. another article which ultimately refers to blackduck.com. data is
+missing, behind sales@blackduck.com with probably a EULA?
+
+write blackduck.com?
+
+so we need to generate good, reproducible results
+
+difficult to select which projects to examine
+
+- personal projects?
+- are different packages different projects?
+- level: file or package?
+- duplication between projects
+- how many users?
+- project activity?
+
+showcase on blackduck.com: bash being GPL-2+ while it has been GPL-3+
+since at least 2014, according to debian [URL?]. emacs is marked as
+GPL-3 only [but that's what debian says as well? check with blackduck
+again]
+
+such claims may become self-fulfilling prophecies. GitHub, for
+example, runs a service called [choosealicense.com](https://choosealicense.com/) which is linked
+from the project creation page, to help users to choose licenses. this
+page used to be biased towards MIT licenses [archive.org?]. after a
+conversation between the FSF and GitHub, the latter adjusted the text
+of the site to be more accurate [not only for GPL]
+
+
+proper data can be found in Zack's paper about sources.debian.net
+
+"The Debsources Dataset: Two Decades of Free and Open Source Software"
+by Matthieu Caneill, Daniel M. Germán and Stefano Zacchiroli
+http://dx.doi.org/10.5281/zenodo.61089 - CC BY-SA 4.0 license,
+
+[Springer 1382-3256 debsources-ese-2016.pdf]. Sullivan presented a
+graph from Zack's research that showed a history of the evolution of
+software license use the Debian archive. he chose the graph named
+"Dominant license in Package"
+
+
+the debian dataset is interesting because of its
+quality: every package in Debian has been reviewed by multiple humans,
+including the original packager, but also the FTP masters which ensure
+they can legally redistribute the software and are therefore bound to
+explicitly review all the packages coming into the archive.
+
+the existence of a package also provides a minimal "proof of use":
+unmaintained packages get removed from debian on a regular basis and
+the mere fact that a piece of software gets packaged in Debian means
+at least some users found it important enough to be packaged. debian
+packagers also make specific efforts to avoid code duplication between
+packages to ease future security maintenance. 
+
+AGPL eMCM[??]  30m
+
+fsf.org/blogs/licensing
+
+assuming intentions assuming reason to numbers
+
+decline may mean shift from proprietary software to MIT! which is also
+free software
+
+
+demand better stats
+
+question the stats you get - guilty myself.
+
+keep in mind that non-copyleft is still FOSS, but copyleft software is
+still better. it means less complexity because means the code will
+never end up under a proprietary license. the GPLv3 is still shorted
+than a lot of provider's EULA, while being portable world-widew.
+
+libreplanet.org/wiki/User:John/Presentations
+

wishlist update
diff --git a/wishlist.mdwn b/wishlist.mdwn
index 42498b0f..c4b4459b 100644
--- a/wishlist.mdwn
+++ b/wishlist.mdwn
@@ -12,8 +12,10 @@ Voici des choses que vous pouvez m'acheter si vous êtes le Père Nowel (yeah ri
    * [US military bases](http://i.imgur.com/Y4ZWY.jpg)
    * [internet maps](http://chrisharrison.net/projects/InternetMap/index.html)
    * une carte du monde [Dymaxion](http://en.wikipedia.org/wiki/Dymaxion_map), [Werner](http://en.wikipedia.org/wiki/Werner_map_projection) ou [Gall-Peters](http://en.wikipedia.org/wiki/Gall-Peters_projection)
- * un laptop [novena](https://www.crowdsupply.com/kosagi/novena-open-laptop)
- * un mini-PC comme le [fitlet](http://www.fit-pc.com/web/products/fitlet/) ([review](http://linuxgizmos.com/tiny-fanless-mini-pc-runs-linux-on-quad-core-amd-soc/))
+ * <del>un laptop [novena](https://www.crowdsupply.com/kosagi/novena-open-laptop)</del>
+   voir [[hardware/laptop]]
+ * <del>un mini-PC comme le [fitlet](http://www.fit-pc.com/web/products/fitlet/) ([review](http://linuxgizmos.com/tiny-fanless-mini-pc-runs-linux-on-quad-core-amd-soc/))</del> j'ai
+   achete un Intel NUC, voir [[hardware/laptop]]
  * un bon stylo (voir [cette liste](http://coolmaterial.com/feature/pens-of-kickstarter/), particulièrement le [Pen Type-A](https://www.kickstarter.com/projects/cwandt/pen-type-a-a-minimal-pen) a une règle, mais est très cher (150$), alors que le [PHX](http://www.bigidesign.com/welcome/phx-pen-2/) est aussi compatible avec les recharges Hi-Tec-C mais est seulement 30$)
  * d'autres trucs de [xkcd.net](http://shop.xkcd.net/), particulièrement [ce t-shirt](http://store.xkcd.com/xkcd/#TechSupport)
  * des livres:
@@ -37,22 +39,19 @@ Voici des choses que vous pouvez m'acheter si vous êtes le Père Nowel (yeah ri
      * [programming pearls](http://www.cs.bell-labs.com/cm/cs/pearls/)..
      * [the art of electronics](http://amzn.com/0521370957)
    * voile
-     * [La Voile, de Gründ](https://www.worldcat.org/title/voile-techniques-voiliers-equipements-navigation-courses/oclc/859744434) - me semble plus compact et mieux fait que "la bible" que j'ai en stock
-     * [La longue route; seul entre mers et ciels](http://www.worldcat.org/oclc/1239742)
      * [Atlas des océans](http://www.boutique.voilesetvoiliers.com/atlas-des-oceans,fr,4,92216.cfm) (ou les Pilot Charts, maintenant librement disponibles [en ligne](http://msi.nga.mil/NGAPortal/MSI.portal?_nfpb=true&_pageLabel=msi_portal_page_62&pubCode=0003) mais j'aimerais une version imprimée
      * [livre de bord fantaisiste](http://www.boutique.voilesetvoiliers.com/guide-des-antilles,fr,4,92255.cfm) - vérifier si j'en ai pas déjà un, ce qui est fort probable
      * [Connaître les cordages modernes et leurs usages à bord](http://www.boutique.voilesetvoiliers.com/bien-barrer-son-voilier,fr,4,92294_copie.cfm) un autre livre de noeuds!
      * [Le dictionnaire de la mer : savoir-faire, traditions, vocabulaire, techniques](http://www.worldcat.org/oclc/6327481) de Jean Merrien - Renaud Bray a une édition différente, voir [ISBN:9782258113275](https://en.wikipedia.org/wiki/Special:BookSources/9782258113275)
      * [Lexique nautique polyglotte](http://www.worldcat.org/oclc/21840200) - peut-être? du même auteur (Jean Merrien)
-     * Les livres de Carl Mailhot et Yves Gélinas: La V'limeuse autour du monde, tome 1 et suivants
-   ([ISBN:9782980447303](https://en.wikipedia.org/wiki/Special:BookSources/9782980447303),
-   [chez abebooks.com](http://www.abebooks.com/servlet/BookDetailsPL?bi=14061305584&searchurl=x%3D0%26amp%3By%3D0%26amp%3Bbi%3D0%26amp%3Bds%3D30%26amp%3Bsts%3Dt%26amp%3Bbx%3Doff%26amp%3Bsortby%3D17%26amp%3Ban%3DCarl+Mailhot%26amp%3Brecentlyadded%3Dall)),
-   De la V'limeuse a Dingo: L'Atlantique en solitaire sur un 6,50
-   Metres ([ISBN:9782980447327](https://en.wikipedia.org/wiki/Special:BookSources/9782980447327),
-   [chez abebooks.com](http://www.abebooks.com/servlet/BookDetailsPL?bi=8882922329&searchurl=an%3DCarl+Mailhot%2C+Dominique+Manny)),
-   Jean du Sud et l'Oizo-Magick ([ISBN: 9782857251842](https://en.wikipedia.org/wiki/Special:BookSources/9782857251842),
-   [chez abebooks.com](http://www.abebooks.com/servlet/BookDetailsPL?bi=14250044964&searchurl=sts%3Dt%26amp%3By%3D0%26amp%3Bx%3D0%26amp%3Bkn%3D9782857251842),
-   aussi en [DVD](http://www.capehorn.com/TrailerAng.htm))
+     * Les livres de Carl Mailhot et Yves Gélinas: La V'limeuse autour
+       du monde, tome 1 et suivants
+       ([ISBN:9782980447303](https://en.wikipedia.org/wiki/Special:BookSources/9782980447303), [chez abebooks.com](http://www.abebooks.com/servlet/BookDetailsPL?bi=14061305584&searchurl=x%3D0%26amp%3By%3D0%26amp%3Bbi%3D0%26amp%3Bds%3D30%26amp%3Bsts%3Dt%26amp%3Bbx%3Doff%26amp%3Bsortby%3D17%26amp%3Ban%3DCarl+Mailhot%26amp%3Brecentlyadded%3Dall)), De la
+       V'limeuse a Dingo: L'Atlantique en solitaire sur un 6,50 Metres
+       ([ISBN:9782980447327](https://en.wikipedia.org/wiki/Special:BookSources/9782980447327), [chez abebooks.com](http://www.abebooks.com/servlet/BookDetailsPL?bi=8882922329&searchurl=an%3DCarl+Mailhot%2C+Dominique+Manny)), Jean du Sud
+       et l'Oizo-Magick
+       ([ISBN: 9782857251842](https://en.wikipedia.org/wiki/Special:BookSources/9782857251842), [chez abebooks.com](http://www.abebooks.com/servlet/BookDetailsPL?bi=14250044964&searchurl=sts%3Dt%26amp%3By%3D0%26amp%3Bx%3D0%26amp%3Bkn%3D9782857251842), aussi
+       en [DVD](http://www.capehorn.com/TrailerAng.htm))
    * autres
      * [Astronomica : galaxies, planètes, étoiles, cartes des constellations, explorations spatiales](http://www.worldcat.org/oclc/495085208)
      * <http://whatif.xkcd.com/book/>
@@ -61,9 +60,11 @@ Voici des choses que vous pouvez m'acheter si vous êtes le Père Nowel (yeah ri
      * [Les idées noires](https://en.wikipedia.org/wiki/Id%C3%A9es_noires) de Franquin, [l'intégrale](http://www.worldcat.org/oclc/493932411)
  * des longues vacances au costa rica, dans le charlevoix ou à une autre place pas rapport
  * un [[hardware/radio/FmTransmitter]]
+ * un "portable image scanner" comme
+   le [SVP 4500](http://www.svp-tech.com/ps4400/ps4400.html) ou le
+   Wolverine Data pass
  * un transceiver générique, e.g. le [hack RF](https://greatscottgadgets.com/hackrf/), esp. avec le [portapack](https://sharebrained.myshopify.com/products/portapack-for-hackrf-one)
  * un [cours de premier de cordée](http://www.passemontagne.com/fr/cours.html)
- * une certification de plongée en lac
  * un appareil photo digital reflex de qualité... voir [[hardware/camera]]
  * le [freewrite](https://astrohaus.com/)
  * une autre liste de [wishlist](https://lib3.net/bookie/anarcat/recent/wishlist)

fix workflow image link to pop the full version that will be clickable
diff --git a/software/debian-development.mdwn b/software/debian-development.mdwn
index aab15f03..65072279 100644
--- a/software/debian-development.mdwn
+++ b/software/debian-development.mdwn
@@ -51,7 +51,7 @@ This will guide you through a standardized approach to:
 It covers a workflow that could be summarily described by this
 diagram:
 
-![A diagram of my Debian packaging workflow](workflow.svg)
+[[!img workflow.svg]]
 
 [make]: https://manpages.debian.org/make
 [uscan]: https://manpages.debian.org/uscan

fix links for svg
diff --git a/software/debian-development/workflow.dot b/software/debian-development/workflow.dot
index 7e595681..d0808caa 100644
--- a/software/debian-development/workflow.dot
+++ b/software/debian-development/workflow.dot
@@ -1,36 +1,46 @@
 digraph workflow {
         label="Debian packaging workflow, 2017"
         labelloc=top
-        dget [ url="https://manpages.debian.org/dget" ]
-        dgit [ url="https://manpages.debian.org/dgit" ]
-        git [ url="https://manpages.debian.org/git", label="git, ..." ]
-        debmake [ url="https://www.debian.org/doc/manuals/debmake-doc/index.en.html" ]
-        dbp [ label="dpkg-buildpackage", url="https://manpages.debian.org/dpkg-buildpackage" ]
-        source [ label="source package (.dsc, ...)", url="https://wiki.debian.org/Packaging/SourcePackage" ];
-        binary [ label="binary package (.changes, .deb)", url="https://wiki.debian.org/Packaging/BinaryPackage" ];
-        BTS [ url="https://wiki.debian.org/BTS" ];
-        quilt [ url="https://wiki.debian.org/UsingQuilt" ];
-        dch [ url="https://manpages.debian.org/dch" ];
-        lintian [ url="https://manpages.debian.org/lintian" ];
-        
+        dget [ href="https://manpages.debian.org/dget" ]
+        dgit [ href="https://manpages.debian.org/dgit" ]
+        git [ href="https://manpages.debian.org/git" label="git, ..." ]
+        debmake [ href="https://www.debian.org/doc/manuals/debmake-doc/index.en.html" ]
+        dbp [ label="dpkg-buildpackage" href="https://manpages.debian.org/dpkg-buildpackage" ]
+        source [ shape=box label="source package (.dsc, ...)", href="https://wiki.debian.org/Packaging/SourcePackage" ];
+        binary [ shape=box label="binary package(s) (.changes, .deb)" href="https://wiki.debian.org/Packaging/BinaryPackage" ];
+        BTS [ shape=box href="https://wiki.debian.org/BTS" ];
+        quilt [ href="https://wiki.debian.org/UsingQuilt" ];
+        dch [ href="https://manpages.debian.org/dch" ];
+        lintian [ href="https://manpages.debian.org/lintian" ];
+        # those should link to the package-cycle stuff!
+        archive [ shape=box label="FTP archive" ]
+        ppa [ shape=box label="PPAs, ..." ]
+
         { "apt-get source", dget, debmake, dgit, git } -> source;
         source -> dbp -> binary;
         source -> quilt -> source
         source -> dch -> source
         source -> { sbuild, gbp } -> dbp
+        gbp -> sbuild
         binary -> lintian -> source
-        binary -> dput -> { "FTP archive", "PPA, ..." } -> "apt-get install";
-        source -> debdiff -> BTS
-        
+        binary -> dput -> { archive, ppa } -> "apt-get install";
+        source -> debdiff -> BTS -> quilt
+
         {
                 rank = same;
-                dput [ url="https://manpages.debian.org/dput" ];
-                debdiff [ url="https://manpages.debian.org/debdiff" ];
+                quilt
+                dch
+                dbp
+        }
+        {
+                rank = same;
+                dput [ href="https://manpages.debian.org/dput" ];
+                debdiff [ href="https://manpages.debian.org/debdiff" ];
         }
         {
                 rank = same;
                 source;
-                sbuild [ url="https://wiki.debian.org/sbuild" ];
-                gbp [ url="https://manpages.debian.org/git-buildpackage", label="git-buildpackage" ];
+                sbuild [ href="https://wiki.debian.org/sbuild" ];
+                gbp [ href="https://manpages.debian.org/git-buildpackage" label="git-buildpackage" ];
         }
 }
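Review bot: The rewritten node declarations mix attribute separators: `source` still has a comma between `label` and `href`, while `git`, `dbp` and `binary` drop it, and only some declarations end in `;`. DOT accepts both forms, but one style throughout is easier to scan, e.g. `source [ shape=box label="source package (.dsc, ...)" href="https://wiki.debian.org/Packaging/SourcePackage" ]`. The indented `# those should link to the package-cycle stuff!` line depends on `#` being read as a comment, whereas the DOT language reference only describes lines that begin with `#` as discarded. Writing it as `// those should link to the package-cycle stuff!` uses the documented comment form. As that comment itself records, `archive` and `ppa` are the only boxed nodes left without an `href`, so they will not be clickable in the regenerated SVG.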
diff --git a/software/debian-development/workflow.svg b/software/debian-development/workflow.svg
index 26ec4394..d0706eb4 100644
--- a/software/debian-development/workflow.svg
+++ b/software/debian-development/workflow.svg
@@ -4,41 +4,53 @@
 <!-- Generated by graphviz version 2.38.0 (20140413.2041)
  -->
 <!-- Title: workflow Pages: 1 -->
-<svg width="551pt" height="499pt"
- viewBox="0.00 0.00 551.49 499.00" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+<svg width="509pt" height="499pt"
+ viewBox="0.00 0.00 509.00 499.00" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
 <g id="graph0" class="graph" transform="scale(1 1) rotate(0) translate(4 495)">
 <title>workflow</title>
-<polygon fill="white" stroke="none" points="-4,4 -4,-495 547.489,-495 547.489,4 -4,4"/>
-<text text-anchor="middle" x="271.745" y="-475.8" font-family="Times,serif" font-size="14.00">Debian packaging workflow, 2017</text>
+<polygon fill="white" stroke="none" points="-4,4 -4,-495 505,-495 505,4 -4,4"/>
+<text text-anchor="middle" x="250.5" y="-475.8" font-family="Times,serif" font-size="14.00">Debian packaging workflow, 2017</text>
 <!-- dget -->
 <g id="node1" class="node"><title>dget</title>
+<g id="a_node1"><a xlink:href="https://manpages.debian.org/dget" xlink:title="dget">
 <ellipse fill="none" stroke="black" cx="27" cy="-450" rx="27" ry="18"/>
 <text text-anchor="middle" x="27" y="-446.3" font-family="Times,serif" font-size="14.00">dget</text>
+</a>
+</g>
 </g>
 <!-- source -->
 <g id="node6" class="node"><title>source</title>
-<ellipse fill="none" stroke="black" cx="176" cy="-378" rx="99.3824" ry="18"/>
+<g id="a_node6"><a xlink:href="https://wiki.debian.org/Packaging/SourcePackage" xlink:title="source package (.dsc, ...)">
+<polygon fill="none" stroke="black" points="252.5,-396 99.5,-396 99.5,-360 252.5,-360 252.5,-396"/>
 <text text-anchor="middle" x="176" y="-374.3" font-family="Times,serif" font-size="14.00">source package (.dsc, ...)</text>
+</a>
+</g>
 </g>
 <!-- dget&#45;&gt;source -->
 <g id="edge1" class="edge"><title>dget&#45;&gt;source</title>
-<path fill="none" stroke="black" d="M48.316,-438.923C53.1433,-436.644 58.2471,-434.237 63,-432 85.9528,-421.198 111.544,-409.192 132.561,-399.342"/>
-<polygon fill="black" stroke="black" points="134.299,-402.392 141.869,-394.98 131.329,-396.054 134.299,-402.392"/>
+<path fill="none" stroke="black" d="M48.316,-438.923C53.1433,-436.644 58.2471,-434.237 63,-432 85.1877,-421.558 109.841,-409.991 130.444,-400.334"/>
+<polygon fill="black" stroke="black" points="132.032,-403.455 139.602,-396.042 129.062,-397.116 132.032,-403.455"/>
 </g>
 <!-- dgit -->
 <g id="node2" class="node"><title>dgit</title>
+<g id="a_node2"><a xlink:href="https://manpages.debian.org/dgit" xlink:title="dgit">
 <ellipse fill="none" stroke="black" cx="99" cy="-450" rx="27" ry="18"/>
 <text text-anchor="middle" x="99" y="-446.3" font-family="Times,serif" font-size="14.00">dgit</text>
+</a>
+</g>
 </g>
 <!-- dgit&#45;&gt;source -->
 <g id="edge2" class="edge"><title>dgit&#45;&gt;source</title>
-<path fill="none" stroke="black" d="M114.582,-434.834C124.748,-425.593 138.265,-413.305 150.03,-402.609"/>
-<polygon fill="black" stroke="black" points="152.41,-405.175 157.456,-395.859 147.702,-399.996 152.41,-405.175"/>
+<path fill="none" stroke="black" d="M114.582,-434.834C124.579,-425.746 137.818,-413.71 149.445,-403.141"/>
+<polygon fill="black" stroke="black" points="152.131,-405.429 157.176,-396.113 147.422,-400.25 152.131,-405.429"/>
 </g>
 <!-- git -->
 <g id="node3" class="node"><title>git</title>
+<g id="a_node3"><a xlink:href="https://manpages.debian.org/git" xlink:title="git, ...">
 <ellipse fill="none" stroke="black" cx="176" cy="-450" rx="32.4942" ry="18"/>
 <text text-anchor="middle" x="176" y="-446.3" font-family="Times,serif" font-size="14.00">git, ...</text>
+</a>
+</g>
 </g>
 <!-- git&#45;&gt;source -->
 <g id="edge3" class="edge"><title>git&#45;&gt;source</title>
@@ -47,48 +59,63 @@
 </g>
 <!-- debmake -->
 <g id="node4" class="node"><title>debmake</title>
+<g id="a_node4"><a xlink:href="https://www.debian.org/doc/manuals/debmake-doc/index.en.html" xlink:title="debmake">
 <ellipse fill="none" stroke="black" cx="269" cy="-450" rx="42.7926" ry="18"/>
 <text text-anchor="middle" x="269" y="-446.3" font-family="Times,serif" font-size="14.00">debmake</text>
+</a>
+</g>
 </g>
 <!-- debmake&#45;&gt;source -->
 <g id="edge4" class="edge"><title>debmake&#45;&gt;source</title>
-<path fill="none" stroke="black" d="M248.82,-433.811C236.433,-424.487 220.33,-412.367 206.418,-401.895"/>
-<polygon fill="black" stroke="black" points="208.186,-398.845 198.091,-395.628 203.976,-404.438 208.186,-398.845"/>
+<path fill="none" stroke="black" d="M248.82,-433.811C236.61,-424.621 220.79,-412.713 207.015,-402.345"/>
+<polygon fill="black" stroke="black" points="208.849,-399.344 198.754,-396.127 204.639,-404.937 208.849,-399.344"/>
 </g>
 <!-- dbp -->
 <g id="node5" class="node"><title>dbp</title>
-<ellipse fill="none" stroke="black" cx="397" cy="-306" rx="77.9862" ry="18"/>
-<text text-anchor="middle" x="397" y="-302.3" font-family="Times,serif" font-size="14.00">dpkg&#45;buildpackage</text>
+<g id="a_node5"><a xlink:href="https://manpages.debian.org/dpkg-buildpackage" xlink:title="dpkg&#45;buildpackage">
+<ellipse fill="none" stroke="black" cx="387" cy="-306" rx="77.9862" ry="18"/>
+<text text-anchor="middle" x="387" y="-302.3" font-family="Times,serif" font-size="14.00">dpkg&#45;buildpackage</text>
+</a>
+</g>
 </g>
 <!-- binary -->
 <g id="node7" class="node"><title>binary</title>
-<ellipse fill="none" stroke="black" cx="420" cy="-234" rx="123.478" ry="18"/>
-<text text-anchor="middle" x="420" y="-230.3" font-family="Times,serif" font-size="14.00">binary package (.changes, .deb)</text>
+<g id="a_node7"><a xlink:href="https://wiki.debian.org/Packaging/BinaryPackage" xlink:title="binary package(s) (.changes, .deb)">
+<polygon fill="none" stroke="black" points="501,-252 297,-252 297,-216 501,-216 501,-252"/>
+<text text-anchor="middle" x="399" y="-230.3" font-family="Times,serif" font-size="14.00">binary package(s) (.changes, .deb)</text>
+</a>
+</g>
 </g>
 <!-- dbp&#45;&gt;binary -->
 <g id="edge7" class="edge"><title>dbp&#45;&gt;binary</title>
-<path fill="none" stroke="black" d="M402.685,-287.697C405.248,-279.898 408.333,-270.509 411.185,-261.829"/>
-<polygon fill="black" stroke="black" points="414.584,-262.697 414.38,-252.104 407.933,-260.512 414.584,-262.697"/>
+<path fill="none" stroke="black" d="M389.966,-287.697C391.289,-279.983 392.878,-270.712 394.352,-262.112"/>
+<polygon fill="black" stroke="black" points="397.828,-262.552 396.068,-252.104 390.928,-261.369 397.828,-262.552"/>
 </g>
 <!-- source&#45;&gt;dbp -->
 <g id="edge6" class="edge"><title>source&#45;&gt;dbp</title>
-<path fill="none" stroke="black" d="M223.139,-362.069C258.399,-350.901 306.659,-335.615 343.389,-323.981"/>
-<polygon fill="black" stroke="black" points="344.465,-327.311 352.941,-320.955 342.351,-320.638 344.465,-327.311"/>
+<path fill="none" stroke="black" d="M227.347,-359.966C259.848,-349.183 301.757,-335.28 334.482,-324.423"/>
+<polygon fill="black" stroke="black" points="335.933,-327.629 344.322,-321.159 333.728,-320.986 335.933,-327.629"/>
 </g>
 <!-- quilt -->
 <g id="node9" class="node"><title>quilt</title>
+<g id="a_node9"><a xlink:href="https://wiki.debian.org/UsingQuilt" xlink:title="quilt">
 <ellipse fill="none" stroke="black" cx="104" cy="-306" rx="27" ry="18"/>
 <text text-anchor="middle" x="104" y="-302.3" font-family="Times,serif" font-size="14.00">quilt</text>
+</a>
+</g>
 </g>
 <!-- source&#45;&gt;quilt -->
 <g id="edge8" class="edge"><title>source&#45;&gt;quilt</title>
-<path fill="none" stroke="black" d="M153.097,-360.411C142.935,-351.479 131.255,-340.31 121.754,-330.498"/>
-<polygon fill="black" stroke="black" points="124.079,-327.862 114.672,-322.988 118.987,-332.665 124.079,-327.862"/>

(fichier de différences tronqué)
add links to workflow SVG
diff --git a/software/debian-development/workflow.dot b/software/debian-development/workflow.dot
index d9f91bc8..7e595681 100644
--- a/software/debian-development/workflow.dot
+++ b/software/debian-development/workflow.dot
@@ -1,25 +1,36 @@
 digraph workflow {
         label="Debian packaging workflow, 2017"
         labelloc=top
-        { "apt-get source", "dget", "dh_make, debmake", "(d)git" } -> source;
-        source -> "dpkg-buildpackage" -> binary;
+        dget [ url="https://manpages.debian.org/dget" ]
+        dgit [ url="https://manpages.debian.org/dgit" ]
+        git [ url="https://manpages.debian.org/git", label="git, ..." ]
+        debmake [ url="https://www.debian.org/doc/manuals/debmake-doc/index.en.html" ]
+        dbp [ label="dpkg-buildpackage", url="https://manpages.debian.org/dpkg-buildpackage" ]
+        source [ label="source package (.dsc, ...)", url="https://wiki.debian.org/Packaging/SourcePackage" ];
+        binary [ label="binary package (.changes, .deb)", url="https://wiki.debian.org/Packaging/BinaryPackage" ];
+        BTS [ url="https://wiki.debian.org/BTS" ];
+        quilt [ url="https://wiki.debian.org/UsingQuilt" ];
+        dch [ url="https://manpages.debian.org/dch" ];
+        lintian [ url="https://manpages.debian.org/lintian" ];
+        
+        { "apt-get source", dget, debmake, dgit, git } -> source;
+        source -> dbp -> binary;
         source -> quilt -> source
         source -> dch -> source
-        source -> { "sbuild, pbuilder", "gitpkg, gbp" } -> "dpkg-buildpackage"
+        source -> { sbuild, gbp } -> dbp
         binary -> lintian -> source
         binary -> dput -> { "FTP archive", "PPA, ..." } -> "apt-get install";
         source -> debdiff -> BTS
-        source [ label="source package (.dsc, ...)" ];
-        binary [ label="binary package (.changes, .deb)" ];
+        
         {
                 rank = same;
-                dput;
-                debdiff;
+                dput [ url="https://manpages.debian.org/dput" ];
+                debdiff [ url="https://manpages.debian.org/debdiff" ];
         }
         {
                 rank = same;
                 source;
-                "sbuild, pbuilder";
-                "gitpkg, gbp";
+                sbuild [ url="https://wiki.debian.org/sbuild" ];
+                gbp [ url="https://manpages.debian.org/git-buildpackage", label="git-buildpackage" ];
         }
 }
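Review bot: The lowercase `url=` attributes added on the node declarations, and on `dput`, `debdiff`, `sbuild` and `gbp` inside the two `rank = same` groups, do not seem to produce any links. The regenerated workflow.svg in this same commit still emits bare `<ellipse>`/`<text>` nodes with no `<a xlink:href=…>` wrapper around them. Graphviz attribute names are case-sensitive and the hyperlink attribute is `URL` (with `href` as a synonym), so `url` is most likely carried as an unknown attribute and ignored. I would spell it `dget [ URL="https://manpages.debian.org/dget" ]` throughout, then regenerate the SVG and check that each node is wrapped in an anchor pointing at the intended https target.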
diff --git a/software/debian-development/workflow.svg b/software/debian-development/workflow.svg
index 5d15d13f..26ec4394 100644
--- a/software/debian-development/workflow.svg
+++ b/software/debian-development/workflow.svg
@@ -4,216 +4,226 @@
 <!-- Generated by graphviz version 2.38.0 (20140413.2041)
  -->
 <!-- Title: workflow Pages: 1 -->
-<svg width="608pt" height="499pt"
- viewBox="0.00 0.00 607.74 499.00" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+<svg width="551pt" height="499pt"
+ viewBox="0.00 0.00 551.49 499.00" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
 <g id="graph0" class="graph" transform="scale(1 1) rotate(0) translate(4 495)">
 <title>workflow</title>
-<polygon fill="white" stroke="none" points="-4,4 -4,-495 603.739,-495 603.739,4 -4,4"/>
-<text text-anchor="middle" x="299.869" y="-475.8" font-family="Times,serif" font-size="14.00">Debian packaging workflow, 2017</text>
-<!-- apt&#45;get source -->
-<g id="node1" class="node"><title>apt&#45;get source</title>
-<ellipse fill="none" stroke="black" cx="60.4446" cy="-450" rx="60.3893" ry="18"/>
-<text text-anchor="middle" x="60.4446" y="-446.3" font-family="Times,serif" font-size="14.00">apt&#45;get source</text>
+<polygon fill="white" stroke="none" points="-4,4 -4,-495 547.489,-495 547.489,4 -4,4"/>
+<text text-anchor="middle" x="271.745" y="-475.8" font-family="Times,serif" font-size="14.00">Debian packaging workflow, 2017</text>
+<!-- dget -->
+<g id="node1" class="node"><title>dget</title>
+<ellipse fill="none" stroke="black" cx="27" cy="-450" rx="27" ry="18"/>
+<text text-anchor="middle" x="27" y="-446.3" font-family="Times,serif" font-size="14.00">dget</text>
 </g>
 <!-- source -->
-<g id="node5" class="node"><title>source</title>
-<ellipse fill="none" stroke="black" cx="228.445" cy="-378" rx="99.3824" ry="18"/>
-<text text-anchor="middle" x="228.445" y="-374.3" font-family="Times,serif" font-size="14.00">source package (.dsc, ...)</text>
+<g id="node6" class="node"><title>source</title>
+<ellipse fill="none" stroke="black" cx="176" cy="-378" rx="99.3824" ry="18"/>
+<text text-anchor="middle" x="176" y="-374.3" font-family="Times,serif" font-size="14.00">source package (.dsc, ...)</text>
 </g>
-<!-- apt&#45;get source&#45;&gt;source -->
-<g id="edge1" class="edge"><title>apt&#45;get source&#45;&gt;source</title>
-<path fill="none" stroke="black" d="M94.0382,-435.003C119.05,-424.581 153.523,-410.217 181.294,-398.646"/>
-<polygon fill="black" stroke="black" points="182.926,-401.758 190.811,-394.681 180.234,-395.296 182.926,-401.758"/>
+<!-- dget&#45;&gt;source -->
+<g id="edge1" class="edge"><title>dget&#45;&gt;source</title>
+<path fill="none" stroke="black" d="M48.316,-438.923C53.1433,-436.644 58.2471,-434.237 63,-432 85.9528,-421.198 111.544,-409.192 132.561,-399.342"/>
+<polygon fill="black" stroke="black" points="134.299,-402.392 141.869,-394.98 131.329,-396.054 134.299,-402.392"/>
+</g>
+<!-- dgit -->
+<g id="node2" class="node"><title>dgit</title>
+<ellipse fill="none" stroke="black" cx="99" cy="-450" rx="27" ry="18"/>
+<text text-anchor="middle" x="99" y="-446.3" font-family="Times,serif" font-size="14.00">dgit</text>
+</g>
+<!-- dgit&#45;&gt;source -->
+<g id="edge2" class="edge"><title>dgit&#45;&gt;source</title>
+<path fill="none" stroke="black" d="M114.582,-434.834C124.748,-425.593 138.265,-413.305 150.03,-402.609"/>
+<polygon fill="black" stroke="black" points="152.41,-405.175 157.456,-395.859 147.702,-399.996 152.41,-405.175"/>
+</g>
+<!-- git -->
+<g id="node3" class="node"><title>git</title>
+<ellipse fill="none" stroke="black" cx="176" cy="-450" rx="32.4942" ry="18"/>
+<text text-anchor="middle" x="176" y="-446.3" font-family="Times,serif" font-size="14.00">git, ...</text>
+</g>
+<!-- git&#45;&gt;source -->
+<g id="edge3" class="edge"><title>git&#45;&gt;source</title>
+<path fill="none" stroke="black" d="M176,-431.697C176,-423.983 176,-414.712 176,-406.112"/>
+<polygon fill="black" stroke="black" points="179.5,-406.104 176,-396.104 172.5,-406.104 179.5,-406.104"/>
+</g>
+<!-- debmake -->
+<g id="node4" class="node"><title>debmake</title>
+<ellipse fill="none" stroke="black" cx="269" cy="-450" rx="42.7926" ry="18"/>
+<text text-anchor="middle" x="269" y="-446.3" font-family="Times,serif" font-size="14.00">debmake</text>
+</g>
+<!-- debmake&#45;&gt;source -->
+<g id="edge4" class="edge"><title>debmake&#45;&gt;source</title>
+<path fill="none" stroke="black" d="M248.82,-433.811C236.433,-424.487 220.33,-412.367 206.418,-401.895"/>
+<polygon fill="black" stroke="black" points="208.186,-398.845 198.091,-395.628 203.976,-404.438 208.186,-398.845"/>
+</g>
+<!-- dbp -->
+<g id="node5" class="node"><title>dbp</title>
+<ellipse fill="none" stroke="black" cx="397" cy="-306" rx="77.9862" ry="18"/>
+<text text-anchor="middle" x="397" y="-302.3" font-family="Times,serif" font-size="14.00">dpkg&#45;buildpackage</text>
 </g>
-<!-- dget -->
-<g id="node2" class="node"><title>dget</title>
-<ellipse fill="none" stroke="black" cx="165.445" cy="-450" rx="27" ry="18"/>
-<text text-anchor="middle" x="165.445" y="-446.3" font-family="Times,serif" font-size="14.00">dget</text>
+<!-- binary -->
+<g id="node7" class="node"><title>binary</title>
+<ellipse fill="none" stroke="black" cx="420" cy="-234" rx="123.478" ry="18"/>
+<text text-anchor="middle" x="420" y="-230.3" font-family="Times,serif" font-size="14.00">binary package (.changes, .deb)</text>
 </g>
-<!-- dget&#45;&gt;source -->
-<g id="edge2" class="edge"><title>dget&#45;&gt;source</title>
-<path fill="none" stroke="black" d="M178.805,-434.155C186.807,-425.264 197.177,-413.742 206.369,-403.529"/>
-<polygon fill="black" stroke="black" points="209.02,-405.814 213.109,-396.04 203.817,-401.132 209.02,-405.814"/>
-</g>
-<!-- dh_make, debmake -->
-<g id="node3" class="node"><title>dh_make, debmake</title>
-<ellipse fill="none" stroke="black" cx="291.445" cy="-450" rx="80.6858" ry="18"/>
-<text text-anchor="middle" x="291.445" y="-446.3" font-family="Times,serif" font-size="14.00">dh_make, debmake</text>
-</g>
-<!-- dh_make, debmake&#45;&gt;source -->
-<g id="edge3" class="edge"><title>dh_make, debmake&#45;&gt;source</title>
-<path fill="none" stroke="black" d="M276.194,-432.055C268.569,-423.583 259.196,-413.168 250.779,-403.815"/>
-<polygon fill="black" stroke="black" points="253.284,-401.367 243.992,-396.275 248.081,-406.05 253.284,-401.367"/>
-</g>
-<!-- (d)git -->
-<g id="node4" class="node"><title>(d)git</title>
-<ellipse fill="none" stroke="black" cx="420.445" cy="-450" rx="30.5947" ry="18"/>
-<text text-anchor="middle" x="420.445" y="-446.3" font-family="Times,serif" font-size="14.00">(d)git</text>
-</g>
-<!-- (d)git&#45;&gt;source -->
-<g id="edge4" class="edge"><title>(d)git&#45;&gt;source</title>
-<path fill="none" stroke="black" d="M396.642,-438.276C391.651,-436.125 386.398,-433.934 381.445,-432 349.567,-419.553 313.408,-406.958 284.249,-397.172"/>
-<polygon fill="black" stroke="black" points="285.238,-393.812 274.645,-393.965 283.021,-400.452 285.238,-393.812"/>
-</g>
-<!-- dpkg&#45;buildpackage -->
-<g id="node6" class="node"><title>dpkg&#45;buildpackage</title>
-<ellipse fill="none" stroke="black" cx="449.445" cy="-306" rx="77.9862" ry="18"/>
-<text text-anchor="middle" x="449.445" y="-302.3" font-family="Times,serif" font-size="14.00">dpkg&#45;buildpackage</text>
-</g>
-<!-- source&#45;&gt;dpkg&#45;buildpackage -->
-<g id="edge5" class="edge"><title>source&#45;&gt;dpkg&#45;buildpackage</title>
-<path fill="none" stroke="black" d="M275.584,-362.069C310.843,-350.901 359.104,-335.615 395.833,-323.981"/>
-<polygon fill="black" stroke="black" points="396.91,-327.311 405.386,-320.955 394.796,-320.638 396.91,-327.311"/>
+<!-- dbp&#45;&gt;binary -->
+<g id="edge7" class="edge"><title>dbp&#45;&gt;binary</title>
+<path fill="none" stroke="black" d="M402.685,-287.697C405.248,-279.898 408.333,-270.509 411.185,-261.829"/>
+<polygon fill="black" stroke="black" points="414.584,-262.697 414.38,-252.104 407.933,-260.512 414.584,-262.697"/>
+</g>
+<!-- source&#45;&gt;dbp -->
+<g id="edge6" class="edge"><title>source&#45;&gt;dbp</title>
+<path fill="none" stroke="black" d="M223.139,-362.069C258.399,-350.901 306.659,-335.615 343.389,-323.981"/>
+<polygon fill="black" stroke="black" points="344.465,-327.311 352.941,-320.955 342.351,-320.638 344.465,-327.311"/>
 </g>
 <!-- quilt -->
-<g id="node8" class="node"><title>quilt</title>
-<ellipse fill="none" stroke="black" cx="156.445" cy="-306" rx="27" ry="18"/>
-<text text-anchor="middle" x="156.445" y="-302.3" font-family="Times,serif" font-size="14.00">quilt</text>
+<g id="node9" class="node"><title>quilt</title>
+<ellipse fill="none" stroke="black" cx="104" cy="-306" rx="27" ry="18"/>
+<text text-anchor="middle" x="104" y="-302.3" font-family="Times,serif" font-size="14.00">quilt</text>
 </g>
 <!-- source&#45;&gt;quilt -->
-<g id="edge7" class="edge"><title>source&#45;&gt;quilt</title>
-<path fill="none" stroke="black" d="M205.542,-360.411C195.379,-351.479 183.699,-340.31 174.199,-330.498"/>
-<polygon fill="black" stroke="black" points="176.524,-327.862 167.117,-322.988 171.431,-332.665 176.524,-327.862"/>
+<g id="edge8" class="edge"><title>source&#45;&gt;quilt</title>
+<path fill="none" stroke="black" d="M153.097,-360.411C142.935,-351.479 131.255,-340.31 121.754,-330.498"/>
+<polygon fill="black" stroke="black" points="124.079,-327.862 114.672,-322.988 118.987,-332.665 124.079,-327.862"/>
 </g>
 <!-- dch -->
-<g id="node9" class="node"><title>dch</title>

(fichier de différences tronqué)
fix typo in makefile
diff --git a/software/debian-development/Makefile b/software/debian-development/Makefile
index af0c9132..dbd9f0e1 100644
--- a/software/debian-development/Makefile
+++ b/software/debian-development/Makefile
@@ -4,7 +4,7 @@ FILES=workflow.svg
 all: $(FILES)
 
 %.svg: %.dot
-	gdot -Tsvg $< > $@
+	dot -Tsvg $< > $@
 
 .PHONY: clean
 clean:
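Review bot: The recipe `dot -Tsvg $< > $@` writes through a shell redirection, so a failing command still leaves an empty `workflow.svg` behind. That is what the misspelled `gdot` would have done, and because the empty file is newer than the `.dot` source, the next `make` treats it as up to date and the broken artifact can get committed. Adding a `.DELETE_ON_ERROR:` line to the Makefile makes GNU make remove the target when the recipe fails, and `dot -Tsvg -o $@ $<` avoids creating the file when the binary is missing. The same recipe appears in the initial Makefile hunk further down the page; the `clean` rule's body lies outside this hunk.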

add diagram from session
diff --git a/software/debian-development.mdwn b/software/debian-development.mdwn
index 00283539..aab15f03 100644
--- a/software/debian-development.mdwn
+++ b/software/debian-development.mdwn
@@ -31,14 +31,14 @@ may find useful when looking for more information.
 [Debian policy]: https://www.debian.org/doc/debian-policy/
 [developer's manual suite]: https://www.debian.org/doc/devel-manuals
 
-This guides tries to take a streamlined and opinionated approach to
-maintaining Debian packages. It doesn't try to cover all cases,
-doesn't try to teach you about [debhelper][], [cdbs][], [uscan][] or
-[make][]. It assumes you will find that information elsewhere, for
-example in the above references, and that you are already somewhat
-familiar with Debian systems administration (you know how to use a
-shell) and Debian packages as a concept (you know what a `.deb` file
-is and know how to use `dpkg -i`).
+This guides tries to take an opinionated approach to maintaining
+Debian packages. It doesn't try to cover all cases, doesn't try to
+teach you about [debhelper][], [cdbs][], [uscan][] or [make][]. It
+assumes you will find that information elsewhere, for example in the
+above references, and that you are already somewhat familiar with
+Debian systems administration (you know how to use a shell) and Debian
+packages as a concept (you know what a `.deb` file is and know how to
+use `dpkg -i`).
 
 This will guide you through a standardized approach to:
 
@@ -48,6 +48,11 @@ This will guide you through a standardized approach to:
   unstable, backports)
 * upload packages
 
+It covers a workflow that could be summarily described by this
+diagram:
+
+![A diagram of my Debian packaging workflow](workflow.svg)
+
 [make]: https://manpages.debian.org/make
 [uscan]: https://manpages.debian.org/uscan
 [cdbs]: https://manpages.debian.org/cdbs
diff --git a/software/debian-development/Makefile b/software/debian-development/Makefile
new file mode 100644
index 00000000..af0c9132
--- /dev/null
+++ b/software/debian-development/Makefile
@@ -0,0 +1,11 @@
+FILES=workflow.svg
+
+.PHONY: all
+all: $(FILES)
+
+%.svg: %.dot
+	gdot -Tsvg $< > $@
+
+.PHONY: clean
+clean:
+	rm -f $(FILES)
diff --git a/software/debian-development/workflow.dot b/software/debian-development/workflow.dot
new file mode 100644
index 00000000..d9f91bc8
--- /dev/null
+++ b/software/debian-development/workflow.dot
@@ -0,0 +1,25 @@
+digraph workflow {
+        label="Debian packaging workflow, 2017"
+        labelloc=top
+        { "apt-get source", "dget", "dh_make, debmake", "(d)git" } -> source;
+        source -> "dpkg-buildpackage" -> binary;
+        source -> quilt -> source
+        source -> dch -> source
+        source -> { "sbuild, pbuilder", "gitpkg, gbp" } -> "dpkg-buildpackage"
+        binary -> lintian -> source
+        binary -> dput -> { "FTP archive", "PPA, ..." } -> "apt-get install";
+        source -> debdiff -> BTS
+        source [ label="source package (.dsc, ...)" ];
+        binary [ label="binary package (.changes, .deb)" ];
+        {
+                rank = same;
+                dput;
+                debdiff;
+        }
+        {
+                rank = same;
+                source;
+                "sbuild, pbuilder";
+                "gitpkg, gbp";
+        }
+}
diff --git a/software/debian-development/workflow.svg b/software/debian-development/workflow.svg
new file mode 100644
index 00000000..5d15d13f
--- /dev/null
+++ b/software/debian-development/workflow.svg
@@ -0,0 +1,219 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
+ "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<!-- Generated by graphviz version 2.38.0 (20140413.2041)
+ -->
+<!-- Title: workflow Pages: 1 -->
+<svg width="608pt" height="499pt"
+ viewBox="0.00 0.00 607.74 499.00" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+<g id="graph0" class="graph" transform="scale(1 1) rotate(0) translate(4 495)">
+<title>workflow</title>
+<polygon fill="white" stroke="none" points="-4,4 -4,-495 603.739,-495 603.739,4 -4,4"/>
+<text text-anchor="middle" x="299.869" y="-475.8" font-family="Times,serif" font-size="14.00">Debian packaging workflow, 2017</text>
+<!-- apt&#45;get source -->
+<g id="node1" class="node"><title>apt&#45;get source</title>
+<ellipse fill="none" stroke="black" cx="60.4446" cy="-450" rx="60.3893" ry="18"/>
+<text text-anchor="middle" x="60.4446" y="-446.3" font-family="Times,serif" font-size="14.00">apt&#45;get source</text>
+</g>
+<!-- source -->
+<g id="node5" class="node"><title>source</title>
+<ellipse fill="none" stroke="black" cx="228.445" cy="-378" rx="99.3824" ry="18"/>
+<text text-anchor="middle" x="228.445" y="-374.3" font-family="Times,serif" font-size="14.00">source package (.dsc, ...)</text>
+</g>
+<!-- apt&#45;get source&#45;&gt;source -->
+<g id="edge1" class="edge"><title>apt&#45;get source&#45;&gt;source</title>
+<path fill="none" stroke="black" d="M94.0382,-435.003C119.05,-424.581 153.523,-410.217 181.294,-398.646"/>
+<polygon fill="black" stroke="black" points="182.926,-401.758 190.811,-394.681 180.234,-395.296 182.926,-401.758"/>
+</g>
+<!-- dget -->
+<g id="node2" class="node"><title>dget</title>
+<ellipse fill="none" stroke="black" cx="165.445" cy="-450" rx="27" ry="18"/>
+<text text-anchor="middle" x="165.445" y="-446.3" font-family="Times,serif" font-size="14.00">dget</text>
+</g>
+<!-- dget&#45;&gt;source -->
+<g id="edge2" class="edge"><title>dget&#45;&gt;source</title>
+<path fill="none" stroke="black" d="M178.805,-434.155C186.807,-425.264 197.177,-413.742 206.369,-403.529"/>
+<polygon fill="black" stroke="black" points="209.02,-405.814 213.109,-396.04 203.817,-401.132 209.02,-405.814"/>
+</g>
+<!-- dh_make, debmake -->
+<g id="node3" class="node"><title>dh_make, debmake</title>
+<ellipse fill="none" stroke="black" cx="291.445" cy="-450" rx="80.6858" ry="18"/>
+<text text-anchor="middle" x="291.445" y="-446.3" font-family="Times,serif" font-size="14.00">dh_make, debmake</text>
+</g>
+<!-- dh_make, debmake&#45;&gt;source -->
+<g id="edge3" class="edge"><title>dh_make, debmake&#45;&gt;source</title>
+<path fill="none" stroke="black" d="M276.194,-432.055C268.569,-423.583 259.196,-413.168 250.779,-403.815"/>
+<polygon fill="black" stroke="black" points="253.284,-401.367 243.992,-396.275 248.081,-406.05 253.284,-401.367"/>
+</g>
+<!-- (d)git -->
+<g id="node4" class="node"><title>(d)git</title>
+<ellipse fill="none" stroke="black" cx="420.445" cy="-450" rx="30.5947" ry="18"/>
+<text text-anchor="middle" x="420.445" y="-446.3" font-family="Times,serif" font-size="14.00">(d)git</text>
+</g>
+<!-- (d)git&#45;&gt;source -->
+<g id="edge4" class="edge"><title>(d)git&#45;&gt;source</title>
+<path fill="none" stroke="black" d="M396.642,-438.276C391.651,-436.125 386.398,-433.934 381.445,-432 349.567,-419.553 313.408,-406.958 284.249,-397.172"/>
+<polygon fill="black" stroke="black" points="285.238,-393.812 274.645,-393.965 283.021,-400.452 285.238,-393.812"/>
+</g>
+<!-- dpkg&#45;buildpackage -->
+<g id="node6" class="node"><title>dpkg&#45;buildpackage</title>
+<ellipse fill="none" stroke="black" cx="449.445" cy="-306" rx="77.9862" ry="18"/>
+<text text-anchor="middle" x="449.445" y="-302.3" font-family="Times,serif" font-size="14.00">dpkg&#45;buildpackage</text>
+</g>
+<!-- source&#45;&gt;dpkg&#45;buildpackage -->
+<g id="edge5" class="edge"><title>source&#45;&gt;dpkg&#45;buildpackage</title>
+<path fill="none" stroke="black" d="M275.584,-362.069C310.843,-350.901 359.104,-335.615 395.833,-323.981"/>
+<polygon fill="black" stroke="black" points="396.91,-327.311 405.386,-320.955 394.796,-320.638 396.91,-327.311"/>
+</g>
+<!-- quilt -->
+<g id="node8" class="node"><title>quilt</title>
+<ellipse fill="none" stroke="black" cx="156.445" cy="-306" rx="27" ry="18"/>
+<text text-anchor="middle" x="156.445" y="-302.3" font-family="Times,serif" font-size="14.00">quilt</text>
+</g>
+<!-- source&#45;&gt;quilt -->
+<g id="edge7" class="edge"><title>source&#45;&gt;quilt</title>
+<path fill="none" stroke="black" d="M205.542,-360.411C195.379,-351.479 183.699,-340.31 174.199,-330.498"/>
+<polygon fill="black" stroke="black" points="176.524,-327.862 167.117,-322.988 171.431,-332.665 176.524,-327.862"/>
+</g>
+<!-- dch -->
+<g id="node9" class="node"><title>dch</title>
+<ellipse fill="none" stroke="black" cx="228.445" cy="-306" rx="27" ry="18"/>
+<text text-anchor="middle" x="228.445" y="-302.3" font-family="Times,serif" font-size="14.00">dch</text>
+</g>
+<!-- source&#45;&gt;dch -->
+<g id="edge9" class="edge"><title>source&#45;&gt;dch</title>
+<path fill="none" stroke="black" d="M222.529,-359.697C221.721,-351.868 221.5,-342.435 221.865,-333.728"/>
+<polygon fill="black" stroke="black" points="225.365,-333.85 222.601,-323.622 218.384,-333.342 225.365,-333.85"/>
+</g>
+<!-- sbuild, pbuilder -->
+<g id="node10" class="node"><title>sbuild, pbuilder</title>
+<ellipse fill="none" stroke="black" cx="533.445" cy="-378" rx="66.0889" ry="18"/>
+<text text-anchor="middle" x="533.445" y="-374.3" font-family="Times,serif" font-size="14.00">sbuild, pbuilder</text>
+</g>
+<!-- source&#45;&gt;sbuild, pbuilder -->
+<g id="edge11" class="edge"><title>source&#45;&gt;sbuild, pbuilder</title>
+<path fill="none" stroke="black" d="M270.895,-394.286C293.049,-401.925 320.812,-410.177 346.445,-414 391.282,-420.687 404.018,-423.02 448.445,-414 463.885,-410.865 480.002,-404.829 493.999,-398.582"/>
+<polygon fill="black" stroke="black" points="495.72,-401.642 503.316,-394.256 492.772,-395.292 495.72,-401.642"/>
+</g>
+<!-- gitpkg, gbp -->
+<g id="node11" class="node"><title>gitpkg, gbp</title>
+<ellipse fill="none" stroke="black" cx="397.445" cy="-378" rx="51.1914" ry="18"/>
+<text text-anchor="middle" x="397.445" y="-374.3" font-family="Times,serif" font-size="14.00">gitpkg, gbp</text>
+</g>
+<!-- source&#45;&gt;gitpkg, gbp -->
+<g id="edge12" class="edge"><title>source&#45;&gt;gitpkg, gbp</title>
+<path fill="none" stroke="black" d="M328.128,-378C330.734,-378 333.34,-378 335.947,-378"/>
+<polygon fill="black" stroke="black" points="335.999,-381.5 345.999,-378 335.999,-374.5 335.999,-381.5"/>
+</g>

(fichier de différences tronqué)
latest status
diff --git a/hardware/phone/lg-g3-d852.mdwn b/hardware/phone/lg-g3-d852.mdwn
index 9c162469..032133df 100644
--- a/hardware/phone/lg-g3-d852.mdwn
+++ b/hardware/phone/lg-g3-d852.mdwn
@@ -7,11 +7,18 @@ in Canada). It is a nice device, although on the big side for me.
 Root
 ====
 
-First step is to get root. Instructions for this
-vary: [some](https://forum.xda-developers.com/lg-g3/general/guide-root-lg-firmwares-kitkat-lollipop-t3056951) [forums](https://forum.xda-developers.com/android/development/guide-root-method-lg-devices-t3049772) tell you to run weird Windows executables
-to get "one-click root" on the device. This obviously won't work for
-me on Linux. But [this guide](https://forum.xda-developers.com/android/development/guide-root-method-lg-devices-t3049772) is a little better and I think I can
-break it down to a step-by-step process that basically consists of:
+First step is to get root. Instructions for this vary: [some](https://forum.xda-developers.com/lg-g3/general/guide-root-lg-firmwares-kitkat-lollipop-t3056951)
+[forums](https://forum.xda-developers.com/android/development/guide-root-method-lg-devices-t3049772) tell you to run weird Windows executables to get
+"one-click root" on the device. This obviously won't work for me on
+Linux. The *one* option that's *designed* to run on Linux
+("[PurpleDrake](https://forum.xda-developers.com/lg-g3/development/root-root-lg-g3-easily-purpledrake-lite-t2821000)", found in [Reddit](https://www.reddit.com/r/LGG3/comments/39yroe/root_method_with_linux/ )) relies on a vulnerability
+that seems to have been patched in the phone I have.
+
+[This guide](https://forum.xda-developers.com/android/development/guide-root-method-lg-devices-t3049772) seems a little better and I think I can break it down
+to a step-by-step process that basically consists of pushing a set of
+tools using `adb`, then rebooting in diagnostic mode and issuing
+commands over the serial console. The batch script basically goes like
+this:
 
  1. install `adb`:
  
@@ -62,6 +69,10 @@ break it down to a step-by-step process that basically consists of:
         
  8. run the magic command:
  
+        sh /data/local/tmp/lg_root.sh dummy 1 /data/local/tmp/UPDATE-SuperSU-v2.46.zip /data/local/tmp/busybox
+
+    the original command was:
+
         sh /data/local/tmp/lg_root.sh dummy 1 /data/local/tmp/SuperSU-v2.82-201705271822.zip /data/local/tmp/busybox
 
  9. pull the battery to get out of download mode, or hold volume up
@@ -74,6 +85,57 @@ talk to the "download mode". I have also tried to run the magic
     #wine: Call from 0x7b83ae8c to unimplemented function msvcr100.dll.gets_s, aborting
     wine: Unimplemented function msvcr100.dll.gets_s called at address 0x7b83ae8c (thread 0009), starting debugger...
 
+The `Send_Command.exe` tool has a Python equivalent as well called
+[lglaf](https://github.com/Lekensteyn/lglaf/) which unfortunately doesn't seem to work, either because
+the phone is refusing this, or because the protocol is different
+enough this doesn't work.
+
+    Traceback (most recent call last):
+      File "lglaf.py", line 404, in <module>
+        main()
+      File "lglaf.py", line 386, in main
+        try_hello(comm)
+      File "lglaf.py", line 279, in try_hello
+        data = comm.read(0x20, timeout=HELLO_READ_TIMEOUT)
+      File "lglaf.py", line 148, in read
+        buff = self._read(need, timeout=timeout)
+      File "lglaf.py", line 256, in _read
+        array = self.usbdev.read(self.ep_in, 2**14, timeout=timeout)
+      File "/usr/lib/python2.7/dist-packages/usb/core.py", line 988, in read
+        self.__get_timeout(timeout))
+      File "/usr/lib/python2.7/dist-packages/usb/backend/libusb1.py", line 833, in bulk_read
+        timeout)
+      File "/usr/lib/python2.7/dist-packages/usb/backend/libusb1.py", line 936, in __read
+        _check(retval)
+      File "/usr/lib/python2.7/dist-packages/usb/backend/libusb1.py", line 595, in _check
+        raise USBError(_strerror(ret), ret, _libusb_errno[ret])
+    usb.core.USBError: [Errno 110] Operation timed out
+
+That's because the udev rules do not cover the 852 device, so this
+patch is required:
+
+    --- a/rules.d/42-usb-lglaf.rules
+    +++ b/rules.d/42-usb-lglaf.rules
+    @@ -5,3 +5,5 @@ SUBSYSTEM=="usb", ATTRS{idVendor}=="1004", ATTRS{idProduct}=="633e", TAG+="uacce
+     SUBSYSTEM=="usb", ATTRS{idVendor}=="1004", ATTRS{idProduct}=="627f", TAG+="uaccess"
+     # LG G4 (VS986) in download mode
+     SUBSYSTEM=="usb", ATTRS{idVendor}=="1004", ATTRS{idProduct}=="6298", TAG+="uaccess"
+    +# LG G3 (D852) in download mode
+    +SUBSYSTEM=="usb", ATTRS{idVendor}=="1004", ATTRS{idProduct}=="631d", TAG+="uaccess"
+
+With the patch (or running as root), it still fails, with:
+
+    LGLAF.py: WARNING: Command failed with error code 0x8000010a
+
+So we need another patch to send a proper  [challenge-response](https://github.com/Lekensteyn/lglaf/pull/12) and
+*then* we get a prompt. Unfortunately, some clever thing is still
+refusing our commands:
+
+    # sh /data/local/tmp/lg_root.sh dummy 1 /data/local/tmp/UPDATE-SuperSU-v2.46.zip /data/local/tmp/busybox
+    Hello, I am LAF. Nice to meet you.#
+
+So I'm stuck: there doesn't seem to be a way to root this device.
+
 Recovery setup
 ==============
 

wine + current failure
diff --git a/hardware/phone/lg-g3-d852.mdwn b/hardware/phone/lg-g3-d852.mdwn
index e4beabc2..9c162469 100644
--- a/hardware/phone/lg-g3-d852.mdwn
+++ b/hardware/phone/lg-g3-d852.mdwn
@@ -67,6 +67,13 @@ break it down to a step-by-step process that basically consists of:
  9. pull the battery to get out of download mode, or hold volume up
     and power for 30 seconds
 
+Step 8 doesn't work: I can't figure out the port speed or protocol to
+talk to the "download mode". I have also tried to run the magic
+"Send_Command.exe" under wine, but it fails:
+
+    #wine: Call from 0x7b83ae8c to unimplemented function msvcr100.dll.gets_s, aborting
+    wine: Unimplemented function msvcr100.dll.gets_s called at address 0x7b83ae8c (thread 0009), starting debugger...
+
 Recovery setup
 ==============
 

beginning of a guide for the lg g3
diff --git a/hardware/phone/lg-g3-d852.mdwn b/hardware/phone/lg-g3-d852.mdwn
new file mode 100644
index 00000000..e4beabc2
--- /dev/null
+++ b/hardware/phone/lg-g3-d852.mdwn
@@ -0,0 +1,104 @@
+[[!meta title="LG G3 Android setup"]]
+
+I was (again, how privileged) given a phone! This one is a [LG G3][phone specifications],
+also known as the "D-852" (the version distributed by Bell and Rogers
+in Canada). It is a nice device, although on the big side for me.
+
+Root
+====
+
+First step is to get root. Instructions for this
+vary: [some](https://forum.xda-developers.com/lg-g3/general/guide-root-lg-firmwares-kitkat-lollipop-t3056951) [forums](https://forum.xda-developers.com/android/development/guide-root-method-lg-devices-t3049772) tell you to run weird Windows executables
+to get "one-click root" on the device. This obviously won't work for
+me on Linux. But [this guide](https://forum.xda-developers.com/android/development/guide-root-method-lg-devices-t3049772) is a little better and I think I can
+break it down to a step-by-step process that basically consists of:
+
+ 1. install `adb`:
+ 
+        apt install adb
+
+ 2. push `busybox` - instead of using an arbitrary copy I found on the
+    internet, I got a more trusted build from [Debian packages](https://packages.debian.org/sid/busybox-static):
+    
+        dpkg -x busybox-static_1.22.0-19+b3_armhf.deb armhf
+        adb push armhf/bin/busybox /data/local/tmp
+ 
+ 3. push [SuperSU](http://www.supersu.com/)
+
+        adb push SuperSU-v2.82-201705271822.zip /data/local/tmp
+
+ 4. push a custom script to glue all this together:
+ 
+         adb push lg_root.sh /data/local/tmp
+
+    The script is in the [LG_Root.zip](http://downloadandroidrom.com/file/LGGFlex2/LG_Root.zip) file which also contains
+    copies of busybox and SuperSU, but I prefered to use other trusted
+    copies of those elsewhere. the script, however, I couldn't find
+    but you can review it, at least. I found a link to the `.zip` file
+    on [this tutorial](http://highonandroid.com/android-smartphones/how-to-root-lg-g-flex-2-g2-g3-on-lollipop/)
+
+ 4. STOP ModemManager! otherwise it may garble the serial port:
+ 
+        sudo service ModemManager stop
+
+ 5. switch to "download mode":
+ 
+    1. unplug the USB cable
+    2. power off the phone
+    3. hold the "volume up" button and plug the USB cable
+    
+    the screen should now say "download mode" then "Firmware
+    update". you're now in download mode
+
+ 6. find the serial port the device is attached to:
+ 
+        dmesg | tail
+    
+    here it was `/dev/ttyACM0`
+
+ 7. attach to the serial port (e.g. with [GNU Screen](https://en.wikipedia.org/wiki/GNU_Screen)):
+ 
+        screen /dev/ttyACM0
+        
+ 8. run the magic command:
+ 
+        sh /data/local/tmp/lg_root.sh dummy 1 /data/local/tmp/SuperSU-v2.82-201705271822.zip /data/local/tmp/busybox
+
+ 9. pull the battery to get out of download mode, or hold volume up
+    and power for 30 seconds
+
+Recovery setup
+==============
+
+Next step is to setup [TWRP](https://twrp.me/), which seems to only be to install
+an [app](https://twrp.me/app/) nowadays, if the device is rooted.
+
+See also the noise about [BUMP!](http://www.droid-life.com/2014/10/10/lg-g3-bump-gives-you-fully-working-twrp-recovery-on-all-variants/) - not sure what that's
+about. Maybe it's necessary to boot TWRP at all?
+
+Custom ROM install
+==================
+
+Next step is to install [LineageOS](https://lineageos.org/), because the current firmware
+has all sorts of crappy apps like spam from Google and god knows what
+else. With LineageOS, I still have proprietary software, but at least
+I know exactly [what those are][proprietary drivers list] and I'm confident it's the bare
+minimum to get the thing running. It's more than my [[previous
+device|htc-one-s]] but it's not that bad.
+
+The [install instructions][] are pretty simple, once the device is
+rooted.
+
+References
+==========
+
+ * [phone specifications][]
+ * [LineageOS device info](https://wiki.lineageos.org/devices/d852)
+ * [install instructions][]
+ * [proprietary drivers list][]
+ * [TWRP install instructions][]
+
+ [TWRP install instructions]: https://twrp.me/devices/lgg3canadabellrogers.html
+ [phone specifications]: http://www.gsmarena.com/lg_g3-6294.php
+ [install instructions]: https://wiki.lineageos.org/devices/d852/install
+ [proprietary drivers list]: https://github.com/LineageOS/android_device_lge_d852/blob/cm-14.1/proprietary-files.txt
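Review bot: Step 4 pushes `lg_root.sh` taken from a `.zip` linked over plain `http://` on a third-party download site, and the later "magic command" step runs it with `sh` on the phone, but nothing ties the copy that was reviewed to the copy that gets pushed. The paragraph under step 4 already says the script can be reviewed; I would add a sentence there such as `after reviewing it, record the output of sha256sum lg_root.sh and compare it again before each adb push`, and do the same for the SuperSU zip, whose link is also plain HTTP. The privileges the script runs with in download mode are not visible in this text (presumably root, since this is a root method), which is why pinning the reviewed file matters. Separately, the list has two items numbered `4.`, so a reference like "step 8" depends on whether the reader counts the source numbers or the rendered ones.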

one more task
diff --git a/services/upgrades/stretch.mdwn b/services/upgrades/stretch.mdwn
index ac987599..1974674a 100644
--- a/services/upgrades/stretch.mdwn
+++ b/services/upgrades/stretch.mdwn
@@ -49,10 +49,15 @@ Post-upgrade:
     reboot
     # review and purge older kernel once the new one boots properly
 
+User-specific tasks:
+
+ * migrated PGP keyring:
+
+         /usr/bin/migrate-pubring-from-classic-gpg --default
+
 Issues
 ------
 
-* need to perform a trustdb upgrade in gpg according to micah, see README.Debian?
 * [[!debbug 866786]]: multiple device support in cryptroot-unlock
 * [[!debbug 866792]]: irssi profile should load in complain mode
 * [[!debbug 866790]]: postfix apparmor profile syntax errors

note about upstream guides
diff --git a/services/upgrades/stretch.mdwn b/services/upgrades/stretch.mdwn
index 0d062efb..ac987599 100644
--- a/services/upgrades/stretch.mdwn
+++ b/services/upgrades/stretch.mdwn
@@ -64,6 +64,7 @@ Issues
   two times during the upgrade process (!), which seems to have worked
   okay
 * [known issues](https://www.debian.org/releases/stretch/amd64/release-notes/ch-information.en.html)
+* this guide should be merged with upstream
 
 References
 ----------

note about -dbg packages
diff --git a/services/upgrades/stretch.mdwn b/services/upgrades/stretch.mdwn
index 03e9ea11..0d062efb 100644
--- a/services/upgrades/stretch.mdwn
+++ b/services/upgrades/stretch.mdwn
@@ -42,6 +42,7 @@ Actual upgrade run:
 Post-upgrade:
 
     apt-get purge $(deborphan -n) # look also for obsolete packages in aptitude
+    dpkg -l '*-dbg' # look for dbg package and possible replace with -dbgsym
     aptitude purge ~c # purge removed packages
     apt autoremove -y --purge
     apt-get clean

my stretch upgrade guide
diff --git a/services/upgrades/stretch.mdwn b/services/upgrades/stretch.mdwn
new file mode 100644
index 00000000..03e9ea11
--- /dev/null
+++ b/services/upgrades/stretch.mdwn
@@ -0,0 +1,74 @@
+Stretch upgrade
+===============
+
+Unfortunately, I started this documentation only after I upgraded 2 of
+my 3 main machines, so it is probably lacking.
+
+Process
+-------
+
+Similar to Koumbit's process, but we don't use Puppet:
+
+Pre-upgrade checks:
+
+    sudo ttyrec -e screen /var/log/upgrade-stretch.ttyrec
+    cd /etc; git tag pre-stretch
+    git gc --prune # make /etc smaller for backup
+    tar cfz /var/backups/pre-stretch-backup.tgz /etc /var/lib/dpkg /var/lib/apt/extended_states /var/lib/aptitude/pkgstates
+    dpkg --get-selections "*" > /var/backups/dpkg-selections-pre-stretch.txt
+    rm /etc/apt/preferences /etc/apt/preferences.d/* #  Check for pinned (on hold) packages, and possibly disable
+    rm /etc/apt/sources.list.d/testing.list # or other similar backports or sources from later releases
+    rm /etc/apt/sources.list.d/jessie-backports.list
+    apt-mark showhold
+    dpkg --audit
+    apt update && apt -y upgrade
+    dpkg -l '*dkms' # look for dkms packages and make sure they are relevant, if not, purge.
+
+Check free space, see
+[this guide to free up space](http://www.debian.org/releases/stretch/amd64/release-notes/ch-upgrading.en.html#sufficient-space)
+and download packages:
+
+    sed -i.orig 's/jessie/stretch/g' /etc/apt/sources.list
+    apt update; apt -o APT::Get::Trivial-Only=true dist-upgrade; df -h
+    apt -y -d upgrade && apt -y -d dist-upgrade
+
+Actual upgrade run:
+
+    export DEBIAN_FRONTEND=noninteractive APT_LISTCHANGES_FRONTEND=mail
+    apt upgrade -y -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold'
+    apt dist-upgrade -y -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold'
+    /opt/bin/clean_conflicts
+
+Post-upgrade:
+
+    apt-get purge $(deborphan -n) # look also for obsolete packages in aptitude
+    aptitude purge ~c # purge removed packages
+    apt autoremove -y --purge
+    apt-get clean
+    reboot
+    # review and purge older kernel once the new one boots properly
+
+Issues
+------
+
+* need to perform a trustdb upgrade in gpg according to micah, see README.Debian?
+* [[!debbug 866786]]: multiple device support in cryptroot-unlock
+* [[!debbug 866792]]: irssi profile should load in complain mode
+* [[!debbug 866790]]: postfix apparmor profile syntax errors
+* [[!debbug 845938]] and [[!debbug 805414]]: a2db sink locked by gdm
+* Kodi doesn't start on the right tty? (not filed)
+* forgot to review the list of packages removed, those I would have
+  liked to keep: torbrowser-launcher, npm
+* upgrade was performed with a bad battery, which meant suspending
+  two times during the upgrade process (!), which seems to have worked
+  okay
+* [known issues](https://www.debian.org/releases/stretch/amd64/release-notes/ch-information.en.html)
+
+References
+----------
+
+* [Official guide](https://www.debian.org/releases/stretch/amd64/release-notes/ch-upgrading.fr.html)
+* [Release notes](https://www.debian.org/releases/stretch/amd64/release-notes/ch-whats-new.en.html)
+* [Koumbit guide](https://wiki.koumbit.net/StretchUpgrade)
+* [DSA guide](https://dsa.debian.org/howto/upgrade-to-stretch/)
+* [Solution proposal to automate this](https://wiki.debian.org/AutomatedUpgrade)
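Review bot: The pre-upgrade line `tar cfz /var/backups/pre-stretch-backup.tgz /etc ...` archives all of `/etc`, which normally includes `/etc/shadow` and private keys, and leaves the file mode to the shell's umask; with the common root umask of 022 the archive is created world-readable. I would put `umask 077` on the line before it, or follow it with `chmod 600 /var/backups/pre-stretch-backup.tgz`. The `rm /etc/apt/preferences /etc/apt/preferences.d/*` line also deletes the pins before the check that its own comment asks for. The `pre-stretch` tag and the backup probably make that recoverable, but listing the files first (`ls /etc/apt/preferences /etc/apt/preferences.d/`) would match what the comment says.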

link to the quicklink
diff --git a/software/debian-development.mdwn b/software/debian-development.mdwn
index 65072279..a99d3c8c 100644
--- a/software/debian-development.mdwn
+++ b/software/debian-development.mdwn
@@ -2,6 +2,8 @@
 
 [[!toc levels=2]]
 
+[[!note "This guide is also available under the URL <https://deb.li/quickdev>."]]
+
 This guides aims to kickstart people with working in existing Debian
 packages, either to backport software, patch existing packages or work
 on security issues as part of the security team or the LTS project.

wording
diff --git a/hardware/phone/htc-one-s.mdwn b/hardware/phone/htc-one-s.mdwn
index aa22d879..d0db5de7 100644
--- a/hardware/phone/htc-one-s.mdwn
+++ b/hardware/phone/htc-one-s.mdwn
@@ -295,7 +295,7 @@ options:
    and later if you can't boot the phone properly, with `adb backup
    --twrp`. The file format is a little weird see [this discussion](https://android.stackexchange.com/questions/28481/how-do-you-extract-an-apps-data-from-a-full-backup-made-through-adb-backup)
    for details. Also note that the format is different when using
-   TWRP, see that [other discussion](https://android.stackexchange.com/questions/171638/extract-twrp-backups-made-with-adb)
+   TWRP, see that [other discussion](https://android.stackexchange.com/questions/171638/extract-twrp-backups-made-with-adb) for details.
 
 I do not believe this makes a backup of the data in sdcard, however,
 so if user data should also be backed up, the above backup and Music,

update x230 section
diff --git a/hardware/laptop.mdwn b/hardware/laptop.mdwn
index ce6e5f24..5fb8d29d 100644
--- a/hardware/laptop.mdwn
+++ b/hardware/laptop.mdwn
@@ -109,8 +109,8 @@ http://thinkwiki.de/X201
 X220
 ----
 
-http://www.thinkwiki.org/wiki/Category:X220
-http://thinkwiki.de/X220
+<http://www.thinkwiki.org/wiki/Category:X220>
+<http://thinkwiki.de/X220>
 
  * 12.5" TFT
  * i3-i7
@@ -126,7 +126,7 @@ http://thinkwiki.de/X220
  * fprint reader
  * 65W AC
  * coreboot: mostly
-   * no USB3
+   * no USB3 ("in some models, probably doesn't work")
    * https://www.coreboot.org/Board:lenovo/x220
    * IME, EC, VGA, CPU microcode proprietary
 
@@ -134,7 +134,29 @@ X230
 ----
 
 has a similar chiclet keyboard than the x120e, missing critical keys
-like scroll-lock and sysrq/prtscr. screw that.
+like scroll-lock and sysrq/prtscr. [can be replaced](http://www.thinkwiki.org/wiki/Install_Classic_Keyboard_on_xx30_Series_ThinkPads) with the older
+model (~20-75$ in parts)
+
+<http://www.thinkwiki.org/wiki/Category:X230>
+<http://thinkwiki.de/X230>
+
+ * 12.5" TFT or IPS 1366x768
+ * i3-i7 3320M-3520M
+ * 16GB max
+ * 2 minipci (incl possible mSATA)
+ * gbit
+ * BT
+ * SD card
+ * 3xUSB, incl. 2 USB3
+ * 720p camera
+ * mini displayport
+ * combined audio jack
+ * fprint reader
+ * 65W AC
+ * coreboot: mostly
+   * no power on yellow port
+   * https://www.coreboot.org/Board:lenovo/x230
+   * IME, EC, VGA, CPU microcode proprietary
 
 Chromebooks?
 ------------

add adb backup procedures
diff --git a/hardware/phone/htc-one-s.mdwn b/hardware/phone/htc-one-s.mdwn
index 7990c83c..aa22d879 100644
--- a/hardware/phone/htc-one-s.mdwn
+++ b/hardware/phone/htc-one-s.mdwn
@@ -285,6 +285,18 @@ off TWRP with `adb pull`:
 
     sudo adb pull /sdcard/TWRP/BACKUPS/HT26PW407343/2016-03-23--13-20-27_cm_ville-userdebug_5.1.1_LMY49H_a105530ecd
 
+This will fail if the phone doesn't have enough free space. Two
+options:
+
+ * OTG dongle: a small adapter that allows you to plug external USB
+   storage in the phone
+ * `adb backup`: from a host connected through USB, you can generate
+   an archive of the whole system. this also works through TWRP 3.1
+   and later if you can't boot the phone properly, with `adb backup
+   --twrp`. The file format is a little weird see [this discussion](https://android.stackexchange.com/questions/28481/how-do-you-extract-an-apps-data-from-a-full-backup-made-through-adb-backup)
+   for details. Also note that the format is different when using
+   TWRP, see that [other discussion](https://android.stackexchange.com/questions/171638/extract-twrp-backups-made-with-adb)
+
 I do not believe this makes a backup of the data in sdcard, however,
 so if user data should also be backed up, the above backup and Music,
 Podcasts, Pictures and so on can all be pulled at once with:
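Review bot: The `adb backup` bullet describes an archive of the whole system landing on the host, but it does not say that the archive is unencrypted unless a password is entered on the phone's confirmation screen. I would add a sentence to that bullet, for example `set a backup password at the prompt on the device, otherwise the archive on the host is readable by anyone who obtains the file`. Whether the `--twrp` variant offers the same option is not established by this text, so that should be checked before it is documented the same way.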

fix some wording and links
diff --git a/blog/2017-07-29-free-software-activities-july-2017.mdwn b/blog/2017-07-29-free-software-activities-july-2017.mdwn
index bcaacc62..5aa6b31f 100644
--- a/blog/2017-07-29-free-software-activities-july-2017.mdwn
+++ b/blog/2017-07-29-free-software-activities-july-2017.mdwn
@@ -103,29 +103,31 @@ introduced a regression. Unfortunately, there is no test suite or
 proof of concept to control the results.
 
 The reality is that ipsec-tools is really old, and should maybe simply
-be removed from Debian, in favor of Strongswan. Upstream hasn't done a
-release in years and various distributions have patched up forks of
-those to keep it alive... I was happy, however, to know that the
-maintainer (noahm) will take care of managing the resulting upload
-with my patch in LTS and other suites, fixing that issue for now.
+be removed from Debian, in favor of [[!debpkg strongswan]]. Upstream
+hasn't done a release in years and various distributions have patched
+up forks of those to keep it alive... I was happy, however, to know
+that a maintainer will take care of updating the various suites,
+including LTS, with my improved patch. So this fixes the issue for
+now, but I would strongly encourage users to switch away from
+ipsec-tools in the future.
 
 apache2
 -------
 
-Finally, I was bitten back by my old [DLA-841-1](https://lists.debian.org/20170228162053.rl5scb5vmevtux4w@curie.anarc.at) upload I did all
-the way back in February, as it introduced a regression ([[!debbug
-858373]]) in which it was possible to segfault Apache workers with a
-trivial query, in certain (rather exotic, I might add) configurations
-(ErrorDocument 400 directive pointing to a cgid script in worker
-mode). 
+Finally, I was bitten by the old [DLA-841-1](https://lists.debian.org/20170228162053.rl5scb5vmevtux4w@curie.anarc.at) upload I did all the
+way back in February, as it introduced a regression ([[!debbug
+858373]]). It turns out it was possible to segfault Apache workers
+with a trivial HTTP request, in certain (rather exotic, I might add)
+configurations (`ErrorDocument` 400 directive pointing to a cgid script
+in worker mode).
 
 Still, it was a serious regression and I found a part of the nasty
 long patch we worked on back then that was faulty, and introduced a
 small fix to correct that. The [proposed](https://lists.debian.org/87r2x9rjjt.fsf@curie.anarc.at) package unfortunately
 didn't yield any feedback, and I can only assume it will work okay for
 people. The result is the [DLA-841-2](https://lists.debian.org/20170729174152.f6r4dmqtnuddt743@curie.anarc.at) upload which fixes the
-regression. I unfortunately didn't have time to work on the other CVEs
-affecting apache2 in LTS at the time of writing.
+regression. I unfortunately didn't have time to work on the remaining
+CVEs affecting apache2 in LTS at the time of writing.
 
 Triage
 ------
@@ -159,7 +161,7 @@ Announcing ecdysis
 I recently published [ecdysis](https://gitlab.com/anarcat/ecdysis), a set of template and code samples
 that I frequently reuse across project. This is probably the least
 pronounceable project name I have ever chosen, but this is somewhat on
-purpose. The purpose of this project is not collaboration or to become
+purpose. The goal of this project is not collaboration or to become
 a library: it's just a personal project which I share with the world
 as a curiosity.
 
@@ -168,7 +170,7 @@ To quote the README file:
 > The name comes from what snakes and other animals do to "create a new
 > snake": they shed their skin. This is not so appropriate for snakes,
 > as it's just a way to rejuvenate their skin, but is especially
-> relevant for anthropods since the ecdysis may be associated with a
+> relevant for anthropods since then "ecdysis" may be associated with a
 > metamorphosis:
 > 
 > > Ecdysis is the moulting of the cuticle in many invertebrates of
@@ -194,20 +196,23 @@ code could also be factored into upstream project and maybe even the
 Python standard library.
 
 In short, this is stuff I keep on forgetting how to do: a proper
-`setup.py` config, some fancy `argparse` extensions and so on.
+`setup.py` config, some fancy `argparse` extensions and so on. Instead
+of having to remember where I had written that clever piece of code, I
+now shove it in the crazy chaotic project where I can find it again in
+the future.
 
 Beets experiments
 -----------------
 
 Since I started using [Subsonic](http://subsonic.org/) (or [Libresonic](http://libresonic.org/)) to manage the
 music on my phone, album covers are suddenly way more interesting. But
-my collection so far has had limited album covers: my other media play
-([gmpc](https://gmpclient.org/)) would download those on the fly on its own and store them
-in its own database - not on the filesystem. I guess this could be
-considered to be a limitation of Subsonic, but I actually appreciate
-the separation of duty here: garbage in, garbage out. The quality of
-Subsonic's rendering depends largely on how well setup your library
-and tags are.
+my collection so far has had limited album covers: my other media
+player ([gmpc](https://gmpclient.org/)) would download those on the fly on its own and
+store them in its own database - not on the filesystem. I guess this
+could be considered to be a limitation of Subsonic, but I actually
+appreciate the separation of duty here. Garbage in, garbage out: the
+quality of Subsonic's rendering depends largely on how well setup your
+library and tags are.
 
 It turns out there is an amazing tool called [beets](http://beets.readthedocs.io/) to do exactly
 that kind of stuff. I originally discarded that "media library
@@ -242,8 +247,8 @@ overkill and confusing.
 
 Oh, and thanks to those efforts, I got admitted in the [beetbox](https://github.com/beetbox)
 organization on GitHub! I am not sure what I will do with that
-newfound power: I was scratching an itch, really. But hopefully I'll
-be able to help here and there in the future as well.
+newfound power: I was just scratching an itch, really. But hopefully
+I'll be able to help here and there in the future as well.
 
 Debian package maintenance
 --------------------------

creating tag page tag/beets
diff --git a/tag/beets.mdwn b/tag/beets.mdwn
new file mode 100644
index 00000000..9cb9c162
--- /dev/null
+++ b/tag/beets.mdwn
@@ -0,0 +1,4 @@
+[[!meta title="pages tagged beets"]]
+
+[[!inline pages="tagged(beets)" actions="no" archive="yes"
+feedshow=10]]

creating tag page tag/ecdysis
diff --git a/tag/ecdysis.mdwn b/tag/ecdysis.mdwn
new file mode 100644
index 00000000..b9093c9e
--- /dev/null
+++ b/tag/ecdysis.mdwn
@@ -0,0 +1,4 @@
+[[!meta title="pages tagged ecdysis"]]
+
+[[!inline pages="tagged(ecdysis)" actions="no" archive="yes"
+feedshow=10]]

complete volunteer work report
diff --git a/blog/2017-07-29-free-software-activities-july-2017.mdwn b/blog/2017-07-29-free-software-activities-july-2017.mdwn
index c135290d..bcaacc62 100644
--- a/blog/2017-07-29-free-software-activities-july-2017.mdwn
+++ b/blog/2017-07-29-free-software-activities-july-2017.mdwn
@@ -127,8 +127,8 @@ people. The result is the [DLA-841-2](https://lists.debian.org/20170729174152.f6
 regression. I unfortunately didn't have time to work on the other CVEs
 affecting apache2 in LTS at the time of writing.
 
-Minor triage
-------------
+Triage
+------
 
 I also did some miscellaneous triage by filing [[!debbug 867477]] for
 [[!debpkg poppler]] in an effort to document better the pending issue.
@@ -148,4 +148,139 @@ and let them open for others to look at.
 Other free software work
 ========================
 
-[[!tag debian-planet debian debian-lts python-planet software geek free]]
+And of course, there's my usual monthly volunteer work. My ratio is a
+little better this time, having reached an about even ratio between
+paid and volunteer work, whereas this was 60% volunteer work [[in
+march|2017-03-30-free-software-activities-march-2017/]].
+
+Announcing ecdysis
+------------------
+
+I recently published [ecdysis](https://gitlab.com/anarcat/ecdysis), a set of template and code samples
+that I frequently reuse across project. This is probably the least
+pronounceable project name I have ever chosen, but this is somewhat on
+purpose. The purpose of this project is not collaboration or to become
+a library: it's just a personal project which I share with the world
+as a curiosity.
+
+To quote the README file:
+
+> The name comes from what snakes and other animals do to "create a new
+> snake": they shed their skin. This is not so appropriate for snakes,
+> as it's just a way to rejuvenate their skin, but is especially
+> relevant for anthropods since the ecdysis may be associated with a
+> metamorphosis:
+> 
+> > Ecdysis is the moulting of the cuticle in many invertebrates of
+> > the clade Ecdysozoa. Since the cuticle of these animals typically
+> > forms a largely inelastic exoskeleton, it is shed during growth
+> > and a new, larger covering is formed. The remnants of the old,
+> > empty exoskeleton are called exuviae.
+> >                                                      — Wikipedia
+> 
+> So this project is metamorphosed into others when the documentation
+> templates, code examples and so on are reused elsewhere. For that
+> reason, the license is an unusally liberal (for me) MIT/Expat
+> license.
+>
+> The name also has the nice property of being absolutely
+> unpronounceable, which makes it unlikely to be copied but easy to
+> search online.
+
+It was an interesting exercise to go back into older projects and
+factor out interesting code. The process is not complete yet, as there
+are older projects I'm still curious in reviewing. A bunch of that
+code could also be factored into upstream project and maybe even the
+Python standard library.
+
+In short, this is stuff I keep on forgetting how to do: a proper
+`setup.py` config, some fancy `argparse` extensions and so on.
+
+Beets experiments
+-----------------
+
+Since I started using [Subsonic](http://subsonic.org/) (or [Libresonic](http://libresonic.org/)) to manage the
+music on my phone, album covers are suddenly way more interesting. But
+my collection so far has had limited album covers: my other media play
+([gmpc](https://gmpclient.org/)) would download those on the fly on its own and store them
+in its own database - not on the filesystem. I guess this could be
+considered to be a limitation of Subsonic, but I actually appreciate
+the separation of duty here: garbage in, garbage out. The quality of
+Subsonic's rendering depends largely on how well setup your library
+and tags are.
+
+It turns out there is an amazing tool called [beets](http://beets.readthedocs.io/) to do exactly
+that kind of stuff. I originally discarded that "media library
+management system for obsessive-compulsive [OC] music geeks", trying to
+convince myself i was *not* an "OC music geek". Turns out I am. Oh
+well.
+
+Thanks to beets, I was able to download album covers for a lot of the
+albums in my collection. The only covers that are missing now are
+albums that are not correctly tagged and that beets couldn't
+automatically fix up. I still need to go through those and fix all
+those tags, but the first run did an impressive job at getting album
+covers.
+
+Then I got the next crazy idea: after a camping trip where we forgot
+(*again*) the lyrics to [Georges Brassens](https://en.wikipedia.org/wiki/Georges_Brassens), I figured I could start
+putting some lyrics on my ebook reader. "How hard can that be?" of
+course, being the start of another crazy project. A [pull request](https://github.com/beetbox/beets/pull/2628)
+and 3 days later, I had something that could turn a beets lyrics
+database into a [Sphinx](http://www.sphinx-doc.org/) document which, in turn, can be turned
+into an ePUB. In the process, I probably got [blocked](https://github.com/beetbox/beets/pull/2634) from
+MusixMatch a hundred times, but it's done. Phew!
+
+The resulting e-book is about 8000 pages long, but is still
+surprisingly responsive. In the process, I also happened to do a
+[partial benchmark](https://github.com/beetbox/beets/issues/2635#issuecomment-316182853) of Python's bloom filter libraries. The biggest
+surprise there was the performance of the `set` builtin: for small
+items, it *is* basically as fast as a bloom filter. Of course, when
+the item size grows larger, its memory usage explodes, but in this
+case it turned out to be sufficient and bloom filter completely
+overkill and confusing.
+
+Oh, and thanks to those efforts, I got admitted in the [beetbox](https://github.com/beetbox)
+organization on GitHub! I am not sure what I will do with that
+newfound power: I was scratching an itch, really. But hopefully I'll
+be able to help here and there in the future as well.
+
+Debian package maintenance
+--------------------------
+
+I did some normal upkeep on a bunch of my packages this month, that
+were long overdue:
+
+ * [uploaded](https://tracker.debian.org/news/857733) [[!debpkg slop]] 6.3.47-1: major new upstream release
+ * [uploaded](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870082) an NMU for [[!debpkg maim]] 5.4.64-1.1: maim was
+   broken by the slop release
+ * [uploaded](https://tracker.debian.org/news/857724) [[!debpkg pv]] 1.6.6-1: new upstream release
+ * [uploaded](https://tracker.debian.org/news/858188) [[!debpkg kedpm]] 1.0+deb8u1 to jessie (oldstable):
+   one last security fix ([[!debbug 860817]], [[!debcve
+   CVE-2017-8296]]) for that derelict password manager
+ * [uploaded](https://tracker.debian.org/news/857739) [[!debpkg charybdis]] 3.5.5-1: new minor upstream
+   release, with optional support for [[!debpkg mbedtls]]
+ * filed [[!debbug 866786]] against [[!debpkg cryptsetup]] to make the
+   remote initramfs SSH-based unlocking support multiple devices:
+   thanks to the maintainer, this now works flawlessly in buster and
+   may be backported to stretch
+ * expanded on [[!debbug 805414]] against [[!debpkg gdm3]] and
+   [[!debbug 845938]] against [[!debpkg pulseaudio]], because I had
+   trouble connecting my computer to this new Bluetooth speaker. turns
+   out this is a known issue in Pulseaudio: whereas it releases ALSA
+   devices, it doesn't release Bluetooth devices properly. Documented
+   this more clearly in the [wiki page](https://wiki.debian.org/BluetoothUser/a2dp#Refused_to_switch_profile_to_a2dp_sink:_Not_connected)
+ * filed [[!debbug 866790]] regarding old stray Apparmor profiles that
+   were lying around my system after an upgrade, which got me
+   interested in [[!debbug 830502]] in turn
+ * filed [[!debbug 868728]] against [[!debpkg cups]] regarding a weird
+   behavior I had interacting with a network printer. turns out the
+   other workstation was misconfigured... why are printers still so
+   hard?
+ * filed [[!debbug 870102]] to automate sbuild schroots upgrades
+ * after playing around with [rash](https://pypi.python.org/pypi/rash) tried to complete the packaging
+   ([[!debbug 754972]]) of [percol](https://github.com/mooz/percol/pull/97) with this [pull request](https://github.com/mooz/percol/pull/97)
+   upstream. this ended up to be way too much overhead and I reverted
+   to my old normal history habits.
+
+[[!tag debian-planet debian debian-lts python-planet software geek free beets ecdysis subsonic]]

first report draft
diff --git a/blog/2017-07-29-free-software-activities-july-2017.mdwn b/blog/2017-07-29-free-software-activities-july-2017.mdwn
new file mode 100644
index 00000000..c135290d
--- /dev/null
+++ b/blog/2017-07-29-free-software-activities-july-2017.mdwn
@@ -0,0 +1,151 @@
+[[!meta title="My free software activities, July 2017"]]
+
+[[!toc levels=2]]
+
+Debian Long Term Support (LTS)
+==============================
+
+This is my monthly working on [Debian LTS][]. This time I worked on
+various hairy issues surrounding ca-certificates, unattended-upgrades,
+apache2 regressions, libmtp, tcpdump and ipsec-tools.
+
+[Debian LTS]: https://www.freexian.com/services/debian-lts.html
+[Raphael Hertzog at Freexian]: http://www.freexian.com
+
+ca-certificates updates
+-----------------------
+
+I've been working on the removal of the Wosign and StartCom
+certificates ([[!debbug 858539]]) and, in general, the synchronisation
+of [[!debpkg ca-certificates]] across suites ([[!debbug 867461]])
+since at least last march. I have made an attempt
+at [summarizing the issue](https://lists.debian.org/87bmoiyhpq.fsf@curie.anarc.at) which led to a productive discussion and
+it seems that, in the end, the maintainer
+will [take care of synchronizing information across suites](https://lists.debian.org/d0b9674a-ac5b-5cc9-1982-fb6f36155c5a@pbandjelly.org).
+
+Guido was right in again [raising the question](https://lists.debian.org/20170707140251.igywdem62hjuuu4y@bogon.m.sigxcpu.org) of synchronizing
+NSS across all suites ([[!debbug 824872]]) which
+itself [raised the other question](https://lists.debian.org/20170721210322.ctlq3oajxz5w4df5@pisco.westfalen.local) of how to test reverse
+dependencies. This brings me back to [[!debbug 817286]] which,
+basically proposed the idea of having "proposed updates" for security
+issues. The problem is while we can upload test packages
+to [stable proposed-updates](https://wiki.debian.org/StableProposedUpdates), we can't do the same in LTS because
+the suite is closed and we operate only on security packages. This
+issue came up before in other security upload and we need to think
+better about how to solve this.
+
+unattended-upgrades
+-------------------
+
+Speaking of security upgrades brings me to the question of a bug
+([[!debbug 867169]]) that was filed against the wheezy version of
+[[!debpkg unattended-upgrades]], which showed that the package simply
+stopped working since the latest stable release, because wheezy became
+"oldoldstable". I first [suggested](https://lists.debian.org/87fuecs1vg.fsf@curie.anarc.at) using the "codename" but that
+appears to have been introduced only after wheezy.
+
+In the end, I [proposed](https://lists.debian.org/87efteyinr.fsf@curie.anarc.at) a simple update that would fix the
+configuration files and uploaded this as [DLA-1032-1](https://lists.debian.org/20170719135700.juzjilhunyyswheh@curie.anarc.at). This is
+thankfully fixed in later releases and will not require such hackery
+when jessie becomes LTS as well.
+
+libmtp
+------
+
+Next up is the work on the [[!debpkg libmtp]] vulnerabilities
+([[!debcve CVE-2017-9831]] and [[!debcve CVE-2017-9832]]). As I
+described in my [announcement](https://lists.debian.org/87lgnzvjvb.fsf@curie.anarc.at), the work to backport the patch was
+huge, as upstream basically backported a whole library from the
+[[!debpkg gphoto2]] package to fix those issues (and probably many
+more). The lack of a test suite made it difficult to trust my own
+work, but given that I had no (negative) feedback, I figured it was
+okay to simply upload the result and that became [DLA-1029-1](https://lists.debian.org/20170717213810.b3phflqfi3k3ksza@curie.anarc.at).
+
+tcpdump
+-------
+
+I then looked at reproducing [[!debcve CVE-2017-11108]], a heap
+overflow triggered [[!debpkg tcpdump]] would parse specifically
+[[!wikipedia STP]] packets. In [[!debbug 867718]], I described how to
+reproduce the issue across all suites and opened
+an [issue upstream](https://github.com/the-tcpdump-group/tcpdump/issues/616), given that the upstream maintainers hadn't
+responded responded in weeks according to notes in
+the [RedHat Bugzilla issue](https://bugzilla.redhat.com/show_bug.cgi?id=1468504). I eventually worked on a [patch](https://github.com/the-tcpdump-group/tcpdump/pull/617)
+which I shared upstream, but that was rejected as they were already
+working on it in their embargoed repository.
+
+I can explain this confusion and duplication of work with:
+
+ 1. the original submitter didn't really contact security@tcpdump.org
+ 2. he did and they didn't reply, being just too busy
+ 3. they replied and he didn't relay that information back
+
+I think #2 is most likely: the tcpdump.org folks are probably very
+busy with tons of reports like this. Still, I should probably have
+contacted security@tcpdump.org directly *before* starting my work,
+even though no harm was done because I didn't divulge issues that were
+already public.
+
+Since then, tcpdump has released 4.9.1 which fixes the issue, but
+*then* new CVEs came out that will require more work and probably
+another release. People looking into this issue must be certain to
+coordinate with the tcpdump security team before fixing the actual
+issues.
+
+ipsec-tools
+-----------
+
+Another package that didn't quite have a working solution is the
+[[!debpkg ipsec-tools]] suite, in which the racoon daemon was
+vulnerable to a remotely-triggered DOS attack ([[!debcve
+CVE-2016-10396]]). I reviewed and [fixed](https://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=51682) the upstream patch which
+introduced a regression. Unfortunately, there is no test suite or
+proof of concept to control the results.
+
+The reality is that ipsec-tools is really old, and should maybe simply
+be removed from Debian, in favor of Strongswan. Upstream hasn't done a
+release in years and various distributions have patched up forks of
+those to keep it alive... I was happy, however, to know that the
+maintainer (noahm) will take care of managing the resulting upload
+with my patch in LTS and other suites, fixing that issue for now.
+
+apache2
+-------
+
+Finally, I was bitten back by my old [DLA-841-1](https://lists.debian.org/20170228162053.rl5scb5vmevtux4w@curie.anarc.at) upload I did all
+the way back in February, as it introduced a regression ([[!debbug
+858373]]) in which it was possible to segfault Apache workers with a
+trivial query, in certain (rather exotic, I might add) configurations
+(ErrorDocument 400 directive pointing to a cgid script in worker
+mode). 
+
+Still, it was a serious regression and I found a part of the nasty
+long patch we worked on back then that was faulty, and introduced a
+small fix to correct that. The [proposed](https://lists.debian.org/87r2x9rjjt.fsf@curie.anarc.at) package unfortunately
+didn't yield any feedback, and I can only assume it will work okay for
+people. The result is the [DLA-841-2](https://lists.debian.org/20170729174152.f6r4dmqtnuddt743@curie.anarc.at) upload which fixes the
+regression. I unfortunately didn't have time to work on the other CVEs
+affecting apache2 in LTS at the time of writing.
+
+Minor triage
+------------
+
+I also did some miscellaneous triage by filing [[!debbug 867477]] for
+[[!debpkg poppler]] in an effort to document better the pending issue.
+
+Next up was some minor work on [[!debpkg eglibc]] issues. [[!debcve
+CVE-2017-8804]] has a patch, but it's been [disputed](https://sourceware.org/ml/libc-alpha/2017-05/msg00128.html). since the
+main victim of this and the core of the vulnerability ([[!debpkg
+rpcbind]]) has already been fixed, I am not sure this vulnerability is
+still a thing in LTS at all.
+
+I also looked at [[!debcve CVE-2014-9984]], but the code is so
+different in wheezy that I wonder if LTS is affected at
+all. Unfortunately, the eglibc gymnastics are a little beyond me and I
+do not feel confident enough to just push those issues aside for now
+and let them open for others to look at.
+
+Other free software work
+========================
+
+[[!tag debian-planet debian debian-lts python-planet software geek free]]

add the pyra to laptop list
diff --git a/hardware/laptop.mdwn b/hardware/laptop.mdwn
index 5d3ee513..ce6e5f24 100644
--- a/hardware/laptop.mdwn
+++ b/hardware/laptop.mdwn
@@ -59,6 +59,32 @@ https://www.pine64.org/?page_id=3707
  * LCD 11.6"
  * 1.04Kg
 
+Pyra
+----
+
+https://pyra-handheld.com/boards/pages/pyra/
+
+Tiny computer, a cross between a laptop, a Nintendo DS and a phone.
+
+ * Dual-core ARM Cortex A15 1.5GHz
+ * 2/4GB RAM
+ * 32GB flash eMMC
+ * 2 SDXC slots + one internal MicroSDXC
+ * Wifi bgn, BT 4.1
+ * Sensors: gyro, accel, compass, humidity? temperature? pressure?
+ * Mini-HDMI
+ * Physical keyboard
+ * 2xUSB 2.0, 1xMicroUSB 3.0
+ * Optional GPS
+ * Optional GSM
+ * 720p 5" screen
+ * 139 x 87 x 32 mm, 400g
+ * non-free: GPU 3D driver + firmware, wifi + BT firmware
+ * 8h battery?
+ * 2GB no mobile: 595EUR (tx inc.), 4GB + mobile: 745EUR (tx inc.)
+
+https://www.pyra-handheld.com/wiki/index.php?title=Comparison_Chart
+
 x201
 ----
 

link to plan comparison
diff --git a/hardware/phone.mdwn b/hardware/phone.mdwn
index 52a4b2bc..adb80f07 100644
--- a/hardware/phone.mdwn
+++ b/hardware/phone.mdwn
@@ -540,3 +540,6 @@ References
  * <http://www.devicespecifications.com/> - good comparison tool
  * <http://www.gsmarena.com/> - more detailed and up to date tool!
  * <https://www.stockdroids.com/> - curated list
+ * <http://www.planhub.ca/> - good plan comparison tool
+ * <https://wiki.debconf.org/wiki/DebConf17/Sim-card-information> -
+   quick research done for Debconf

another note about purism
diff --git a/hardware/laptop.mdwn b/hardware/laptop.mdwn
index b5eb4ae8..5d3ee513 100644
--- a/hardware/laptop.mdwn
+++ b/hardware/laptop.mdwn
@@ -118,7 +118,8 @@ Purism
 
 https://puri.sm/products/
 
-1500 - 1700$USD... trop cher.
+1500 - 1700$USD... trop cher. mais vraiment intéressant parce qu'ils
+semblent vraiment libérer le matériel.
 
 System76
 --------

fix links for suppliers
diff --git a/hardware/laptop.mdwn b/hardware/laptop.mdwn
index 6848ae0f..b5eb4ae8 100644
--- a/hardware/laptop.mdwn
+++ b/hardware/laptop.mdwn
@@ -281,7 +281,9 @@ has a lower actual clock speed (2.3GHz vs 2.93GHz).
 Fournisseurs
 ============
 
-* minifree: https://minifree.org/ coreboot + x200 t400
-* dantech: http://www.dantech.ca/?q=17-- - local friendly folks
-* https://www.toplaptop.ca/ - local + cheap source of thinkpads
-* https://www.mikescomputershop.com/ - cheap canada seller
+* [minifree](https://minifree.org/) make pre-flashed computers with coreboot, but mostly
+  older ones: x200 t400
+* [dantech](http://www.dantech.ca/) - local friendly folks
+* [toplaptop](https://www.toplaptop.ca/) - local + cheap source of thinkpads
+* [mike's computer shop](https://www.mikescomputershop.com/) - cheap canada seller
+* [canada computers](http://www.canadacomputers.com) - famous toronto computer shop?

document latest fuel trip
diff --git a/pleinair/liste.mdwn b/pleinair/liste.mdwn
index 5421f4b8..9c0cd7d5 100644
--- a/pleinair/liste.mdwn
+++ b/pleinair/liste.mdwn
@@ -309,7 +309,9 @@ amener. Voici quelques expériences que j'ai noté:
 
 * [[!wikipedia Naphta]] dans un Whisperlite International: 4.4L d'eau bouillie par 100mL ([source][]) - [ce site][] dit qu'une petite bouteille de 11oz peut durer une semaine, mais ça me semble optimiste.
 * trip de ski dans les chics-chocs de 4 jours: utilisé environ 350mL (une bouteille de 325mL pleine et un peu plus) de naphte en plus d'une bouteille de propane Primus pour 6 personnes, incluant plusieurs cafés, thé, chauffé l'eau pour la vaisselle des fois, etc -- TheAnarcat 2015-03-17T11:47:19-0400
-* canot-camping parc de la mauricie, 3 jours: 325 mL épuisés pour plusieurs pâtes, thés, 5 personnes -- TheAnarcat 2015-07-24T19:07:09-0400
+* canot-camping parc de la mauricie, 3 jours, 5 personnes: 325 mL épuisés pour plusieurs pâtes, thés -- TheAnarcat 2015-07-24T19:07:09-0400
+* canot-camping parc de la verendrye, 5 jours, 6 personnes: ~2 cans de
+  propane sur un four coleman -- anarcat 2017-07-14
 * lire aussi: <http://bushwalkingnsw.org.au/clubsites/FAQ/FAQ_Efficiency.htm>
 
  [source]: http://www.cascadedesigns.com/msr/stoves/simple-cooking/whisperlite-universal/product#specs

whalebuilder is in debian now
diff --git a/software/debian-development.mdwn b/software/debian-development.mdwn
index fd28db82..00283539 100644
--- a/software/debian-development.mdwn
+++ b/software/debian-development.mdwn
@@ -748,8 +748,9 @@ simple `chroot`: in `whalebuilder`, packages are built without network
 access and inside a virtualized environment. Keep in mind there are
 limitations to Docker's security and that `pbuilder` and `sbuild` *do* build
 under a different user which will limit the security issues with
-building untrusted packages. Furthermore, `whalebuilder` is not
-currently packaged as an official Debian package and lacks certain
+building untrusted packages. Furthermore, `whalebuilder` <del>is not
+currently packaged as an official Debian package</del> (it is now, see
+[[!debpkg whalebuilder]]) and lacks certain
 features (like [passing custom arguments to dpkg-buildpackage][]) so I
 don't feel it is quite ready yet. For now, if you need better
 isolation, look towards [qemubuilder][] or possibly kvmtool.

Added a comment: correction
diff --git a/blog/2017-03-02-password-hashers/comment_4_48650d1ee8453c1e3dcb446ab7fd207e._comment b/blog/2017-03-02-password-hashers/comment_4_48650d1ee8453c1e3dcb446ab7fd207e._comment
new file mode 100644
index 00000000..5451f310
--- /dev/null
+++ b/blog/2017-03-02-password-hashers/comment_4_48650d1ee8453c1e3dcb446ab7fd207e._comment
@@ -0,0 +1,10 @@
+[[!comment format=mdwn
+ username="anarcat"
+ avatar="http://cdn.libravatar.org/avatar/741655483dd8a0b4df28fb3dedfa7e4c"
+ subject="correction"
+ date="2017-07-06T16:32:04Z"
+ content="""
+> How does the JavaScript sniffing work? Isn't wijjo's Password Hasher always a popup dialog in a separate window?
+
+You're right, the Password Hasher master password is entered in a separate window. I am not sure, however, how well that protects the user. But it's true that I was refering to password Hasher Plus here where you type the master password directly in the site password form...
+"""]]
