Recent changes to this wiki. Not to be confused with my history.

Complete source to the wiki is available on gitweb or by cloning this site.

more camera notes
diff --git a/hardware/camera.mdwn b/hardware/camera.mdwn
index b4001bae..6f0486db 100644
--- a/hardware/camera.mdwn
+++ b/hardware/camera.mdwn
@@ -10,30 +10,32 @@ Absolute requirements
 
  * interchangeable lenses
  * builtin flash
- * top screen
  * fast startup/shutdown
  * RAW
  * 3200+ ISO
- * casing max 1000$
+ * case max 1000$
+ * APS-C or larger
 
 Nice to have
 ------------
 
+ * USB charging
+ * top screen
  * cursor or pad? not sure
  * 6400+ ISO
- * 2-3 FPS
+ * 2-3 FPS+
  * articulated display
  * casing max 650$, 1000$ total
  * easy access live view
  * SD card support
  * timelapse mode (intervalometer)
+ * sealed body
 
 Candy on top
 ------------
 
  * reasonable video features (e.g. be able to adjust settings while filming)
  * exposure bracketing
- * sealed body
  * full frame
  * free or cheap (~200-300$)
  * compatible with my current remote
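Review bot: the budget wording is now inconsistent across the lists: the Absolute requirements entry reads `case max 1000$` while Nice to have still reads `casing max 650$, 1000$ total`; pick one term (case or casing) and say whether the absolute 1000$ limit is for the body alone, since the nice-to-have line distinguishes body price from total. `2-3 FPS+` is also ambiguous (2-3 FPS, or more?); "at least 2-3 FPS" or "3+ FPS" reads more clearly.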
@@ -153,6 +155,26 @@ Cons:
 
  * 1000$ for the box at lozeau
 
+d7500: 1500 lozeau
+d7200: 1000$ lozeau: https://lozeau.com/produits/fr/photo/appareils-reflex/nikon/nikon/boitier-nikon-d7200-p24089c74c75c76/
+
+D750
+----
+
+still recommended option by dpreview:
+
+https://www.dpreview.com/reviews/2017-buying-guide-best-cameras-under-2000/2
+
+pro:
+
+ * articulated display
+ * fullframe
+ * 2 sd slots
+
+con:
+
+ * expensive (1800CAD lozeau 2017-12-7)
+
 Lentilles
 ---------
 
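Review bot: the two price lines `d7500: 1500 lozeau` and `d7200: 1000$ lozeau: ...` are appended directly under the existing `Cons:` list of the previous model with no heading of their own, so they read as cons of that model; give them a heading (or fold them into the D750 section) and add the missing `$` unit on the d7500 line. The new D750 section labels its lists `pro:`/`con:` while the section above uses `Cons:`; one capitalisation throughout would help, as would `full frame` rather than `fullframe` to match the requirements list.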
@@ -259,6 +281,20 @@ con:
  * no articulated display
  * CF card!!!
 
+Sony
+====
+
+Pros:
+
+ * really interesting line up of mirrorless cameras that start to
+   rival with traditional SLRs
+
+con:
+
+ * controls seem ackward until the a7r
+ * can be pricey
+ * yet another lens lock-in
+
 Inventaire
 ==========
 
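Review bot: typo in the con list: `ackward` should be `awkward`; and `rival with traditional SLRs` should read `rival traditional SLRs`. The section also mixes `Pros:` and `con:`; use the same capitalisation for both labels.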
@@ -310,6 +346,8 @@ Voir aussi:
  * [Another](http://rick_oleson.tripod.com/index-99.html)
  * [Wikipedia](https://en.wikipedia.org/wiki/Lens_mount)
 
+https://www.dpreview.com/articles/9162056837/digital-camera-lens-buying-guide
+
 Flash
 -----
 
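Review bot: the added dpreview URL is a bare line after the bulleted "Voir aussi" list rather than a list item with a title like the entries above it (` * [Wikipedia](https://en.wikipedia.org/wiki/Lens_mount)`); make it ` * [DPReview lens buying guide](https://www.dpreview.com/articles/9162056837/digital-camera-lens-buying-guide)` so it renders inside the list.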

Added a comment: D8
diff --git a/blog/2017-11-30-free-software-activities-november-2017/comment_2_b01a581820a083d4d2318310a0560360._comment b/blog/2017-11-30-free-software-activities-november-2017/comment_2_b01a581820a083d4d2318310a0560360._comment
new file mode 100644
index 00000000..338dd2e9
--- /dev/null
+++ b/blog/2017-11-30-free-software-activities-november-2017/comment_2_b01a581820a083d4d2318310a0560360._comment
@@ -0,0 +1,15 @@
+[[!comment format=mdwn
+ ip="173.246.7.196"
+ claimedauthor="LeLutin"
+ url="https://lelutin.ca"
+ subject="D8"
+ date="2017-12-04T02:22:31Z"
+ content="""
+Drupal 8 is clearly not oriented towards giving a publishing tool to the comunity anymore. All development since D8 is meant to make big projects possible.
+
+Also D8 breaks its own API on minor releases.
+
+So they've only exacerberated what was already problematic: maintaining a website that uses D8 costs way more money than did already previous versions of Drupal.
+
+So there's no surprise seeing that most of its comunity is not following anymore. Most ppl using Drupal used to be from backgrounds different than big corporations.
+"""]]

Added a comment: OpenPGP keys
diff --git a/blog/2017-10-16-strategies-offline-pgp-key-storage/comment_1_087cf0343053b416eb71f547fcbecd94._comment b/blog/2017-10-16-strategies-offline-pgp-key-storage/comment_1_087cf0343053b416eb71f547fcbecd94._comment
new file mode 100644
index 00000000..6361cd35
--- /dev/null
+++ b/blog/2017-10-16-strategies-offline-pgp-key-storage/comment_1_087cf0343053b416eb71f547fcbecd94._comment
@@ -0,0 +1,13 @@
+[[!comment format=mdwn
+ ip="189.48.156.245"
+ claimedauthor="John Bras"
+ url="braselectron.com"
+ subject="OpenPGP keys"
+ date="2017-12-03T19:47:30Z"
+ content="""
+Thanks for sharing. OpenPGP keys is a difficult subject for GNU users in general.  I personally am working this subject as much as I can to better understand all the uses and needs on a daily bases.
+
+For instance, what happens when you HDD crashes or you need to reinstall your system or share your protected docs with different devices (ie. Desktop, laptop, tablet, etc.)?
+
+How can you relate OpenPGP keys to digital certificates which you need to pay a agent to validate; why can't we have a FSF certificate accepted world wide ?
+"""]]

Added a comment: f3
diff --git a/blog/2017-11-30-free-software-activities-november-2017/comment_1_2d5b7284bc8c89140fed92f387c773a8._comment b/blog/2017-11-30-free-software-activities-november-2017/comment_1_2d5b7284bc8c89140fed92f387c773a8._comment
new file mode 100644
index 00000000..963230a2
--- /dev/null
+++ b/blog/2017-11-30-free-software-activities-november-2017/comment_1_2d5b7284bc8c89140fed92f387c773a8._comment
@@ -0,0 +1,14 @@
+[[!comment format=rst
+ ip="158.181.87.43"
+ subject="f3"
+ date="2017-12-03T15:35:35Z"
+ content="""
+Maybe add a note to: 
+
+    make experimental
+
+for:
+
+* f3probe
+* f3fix
+"""]]

add disaster recovery plan
diff --git a/services/backup.mdwn b/services/backup.mdwn
index a1f4332a..86141ba8 100644
--- a/services/backup.mdwn
+++ b/services/backup.mdwn
@@ -198,3 +198,40 @@ and is aimed at technical users familiar with the commandline.
     and can be found with the `blkid` command as well."""]]
 
  12. reboot and pray
+
+Disaster recovery
+-----------------
+
+backup plan if all else fails
+
+ 1. GTFO with the backup drives, and at least password manager
+    (laptop/workstation rip out)
+
+ 2. confirm Gandi, park domains on a "Gandi Site" (free, one page)
+ 
+ 3. setup one VPS to restore DNS service, secondary at Gandi
+ 
+ 4. setup second VPS to restore tier-1 services
+ 
+ 5. restore other services as necessary
+
+### Tier 1
+
+DNS: setup 3 primary zones and glue records.
+
+Email: install dovecot + postfix, setup aliases and delivery. Restore
+mailboxes.
+
+Web: install apache2 + restore wiki.
+
+## VPS providers
+
+ * Koumbit: 20$/mth, friends
+
+ * OVH: 4.50$/mth, "local" 100mbps unlimited,
+   [KVM 2.4GHz, 2GB RAM 10GB SSD](https://www.ovh.com/us/vps/vps-ssd.xml)
+
+ * [Prgmr](https://prgmr.com/aup.html): 5$/mth, Xen, no bullshit, ssh
+   console [1.25 GiB RAM, 15 GiB Disk](https://billing.prgmr.com/index.php/order/main/packages/xen/?group_id=10)
+
+ * Gandi: 4$/mth 256MiB RAM, 3GB disk
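Review bot: step 1 names only the backup drives and the password manager, but the later steps depend on secrets that are not listed anywhere in the plan: restoring from the drives needs the backup encryption key or passphrase (the same file states that most backups are performed with borg), and steps 2 to 4 need the Gandi and VPS provider logins including whatever second factor protects them; an explicit line under `backup plan if all else fails` naming each secret, where its offline copy lives, and how the password manager itself is unlocked would make the plan executable by someone other than its author. Tier 1 also has no verification step (resolve the three zones from outside, send and receive a test mail) before moving on to step 5. Heading levels are mixed: `Disaster recovery` is a setext `----` (h2) heading and `### Tier 1` is h3, but `## VPS providers` is h2 again although it is part of the recovery plan; make it `###`. The numbered list items 2 to 4 also carry trailing whitespace on their separator lines.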

removed
diff --git a/blog/2017-11-30-free-software-activities-november-2017/comment_1_29ae6ef8baaee2ec861de1885f28a14d._comment b/blog/2017-11-30-free-software-activities-november-2017/comment_1_29ae6ef8baaee2ec861de1885f28a14d._comment
deleted file mode 100644
index cd0fd603..00000000
--- a/blog/2017-11-30-free-software-activities-november-2017/comment_1_29ae6ef8baaee2ec861de1885f28a14d._comment
+++ /dev/null
@@ -1,13 +0,0 @@
-[[!comment format=mdwn
- ip="194.44.209.147"
- claimedauthor="Tina"
- subject="LMS"
- date="2017-12-01T13:38:20Z"
- content="""
-In my business, I actively use cloud software https://voiptimecloud.com/power-dialer.
-This solution helps to make the business even more successful.
-My contact center is the best thanks to the fact that it is possible to handle online leads. LMS (lead-management system) is actively used as a crm system
-It is possible to create projects.
-Cloud solution allows your business to fly in the clouds)
-
-"""]]

Added a comment: LMS
diff --git a/blog/2017-11-30-free-software-activities-november-2017/comment_1_29ae6ef8baaee2ec861de1885f28a14d._comment b/blog/2017-11-30-free-software-activities-november-2017/comment_1_29ae6ef8baaee2ec861de1885f28a14d._comment
new file mode 100644
index 00000000..cd0fd603
--- /dev/null
+++ b/blog/2017-11-30-free-software-activities-november-2017/comment_1_29ae6ef8baaee2ec861de1885f28a14d._comment
@@ -0,0 +1,13 @@
+[[!comment format=mdwn
+ ip="194.44.209.147"
+ claimedauthor="Tina"
+ subject="LMS"
+ date="2017-12-01T13:38:20Z"
+ content="""
+In my business, I actively use cloud software https://voiptimecloud.com/power-dialer.
+This solution helps to make the business even more successful.
+My contact center is the best thanks to the fact that it is possible to handle online leads. LMS (lead-management system) is actively used as a crm system
+It is possible to create projects.
+Cloud solution allows your business to fly in the clouds)
+
+"""]]

publish monthly report
diff --git a/blog/2017-11-30-free-software-activities-november-2017.mdwn b/blog/2017-11-30-free-software-activities-november-2017.mdwn
new file mode 100644
index 00000000..cd6b016a
--- /dev/null
+++ b/blog/2017-11-30-free-software-activities-november-2017.mdwn
@@ -0,0 +1,369 @@
+[[!meta title="November 2017 report: LTS, standard disclosure, Monkeysphere in
+Python, flash fraud and Goodbye Drupal"]]
+
+[[!toc levels=2]]
+
+Debian Long Term Support (LTS)
+==============================
+
+This is my monthly [Debian LTS][] report. I didn't do as much as I
+wanted this month so a bunch of hours are reported to next month. I
+got frustrated by two difficult packages: exiv2 and libreoffice.
+
+Exiv
+----
+
+For Exiv2 I first [reported the issues upstream](https://github.com/Exiv2/exiv2/issues/174) as requested in
+the [original CVE assignment](http://www.openwall.com/lists/oss-security/2017/06/30/1). Then I went to see if I could
+reproduce the issue. Valgrind didn't find anything, so I went on to
+test the [new ASAN instructions](https://wiki.debian.org/LTS/Development/Asan) that tell us how to build for ASAN
+in LTS. Turns out that
+I [couldn't make that work either](https://lists.debian.org/87shd4u61v.fsf@curie.anarc.at). Fortunately, Roberto was able
+to [build the package properly](https://lists.debian.org/20171128013820.4dnnjypazyeeganx@connexer.com) and confirmed the wheezy version as
+non-vulnerable, so I marked the three CVEs as not-affected and moved
+on.
+
+Libreoffice
+-----------
+
+Next up was LibreOffice. I started backporting the patches to wheezy
+which was a little difficult because any error in the backport takes
+*hours* to find because LibreOffice is so big. The monster takes about
+4 hours to build on my i3-6100U processor - I can't imagine how long
+that would take on a slower machine. Still, I managed to
+get [patches](https://lists.debian.org/87bmjrsjel.fsf@curie.anarc.at) that *mostly* builds. I say *mostly* because while
+most of the code builds, the tests fail to build. Not only do they
+fail to build, but they even *segfault* the linker. At that point, I
+had already spent too many hours working on this frustrating loop of
+"work/build-wait/crash" that I gave up.
+
+I also worked on reproducing a supposed regression associated with the
+last security update. Somehow, I [couldn't reproduce](https://lists.debian.org/8760a1uhbl.fsf@curie.anarc.at) either - the
+description of the regression was very limited and all suggested
+approaches failed to trigger the problems described.
+
+[Debian LTS]: https://www.freexian.com/services/debian-lts.html
+
+OptiPNG
+-------
+
+Finally, a little candy: an easy backport of a simple 2-line patch for
+a simple program, OptiPNG that, ironically, had a vulnerability
+([[!debcve CVE-2017-16938]]) in GIF parsing. I could do hundreds of
+those breezy updates, they are fun and simple, and easy to test. This
+resulted in the trivial [DLA-1196-1](https://lists.debian.org/20171130191701.dbm3rhj3fys7wcim@curie.anarc.at).
+
+Miscellaneous
+-------------
+
+LibreOffice stretched the limits of my development environment. I had
+to figure out how to deal with out of space conditions in the build
+tree (`/build`) something that is really not obvious in [sbuild](https://wiki.debian.org/sbuild). I
+ended up documenting that in a new [troubleshooting section](https://wiki.debian.org/sbuild#Missing_space_in_.2Fbuild) in the
+wiki.
+
+Other free software work
+========================
+
+feed2exec
+---------
+
+I pushed forward with the development of my programmable feed
+reader, [feed2exec](https://feed2exec.readthedocs.io). Last month I mentioned I released the 0.6.0
+beta: since then 4 more releases were published, and we are now at the
+[0.10.0 beta](https://gitlab.com/anarcat/feed2exec/tags/0.10.0). This added a bunch new features:
+
+ * `wayback` plugin to save feed items to
+   the [Wayback Machine on archive.org](http://web.archive.org/)
+ * `archive` plugin to save feed items to the local filesystem
+ * `transmission` plugin to save RSS Torrent feeds to
+   the [Transmission](https://transmissionbt.com/) torrent client
+ * vast expansion of the documentation, now hosted
+   on [ReadTheDocs](https://readthedocs.org/). The design was detailed with a tour of the
+   source code and detailed plugin writing instructions were added to
+   the documentation, also shipped as a [feed2exec-plugins](https://manpages.debian.org/feed2exec-plugins)
+   manpage.
+ * major cleanup and refactoring of the codebase, including standard
+   locations for the configuration files, which moved
+
+The documentation deserves special mention. If you compare
+between [version 0.6](https://feed2exec.readthedocs.io/en/0.6.0/) and the [latest version](https://feed2exec.readthedocs.io/en/latest/) you can see 4 new
+sections:
+
+ * [Plugins](https://feed2exec.readthedocs.io/en/latest/plugins.html) - extensive documentation on plugins use, the design
+   of the plugin system and a full tutorial on how to write new
+   plugins. the tutorial was written while writing the `archive`
+   plugin, which was written as an example plugin just for that
+   purpose and should be readable by novice programmers
+ * [Support](https://feed2exec.readthedocs.io/en/latest/support.html) - a handy guide on how to get technical support for
+   the project, copied over from the [Monkeysign](https://monkeysign.readthedocs.io/en/2.x/support.html) project.
+ * [Code of conduct](https://feed2exec.readthedocs.io/en/latest/code.html) - was originally part of the contribution
+   guide. the idea then was to force people to read the Code when they
+   wanted to contribute, but it wasn't a good idea. The contribution
+   page was overloaded and critical parts were hidden down in the
+   page, after what is essentially boilerplate text. Inversely, the
+   Code was itself *hidden* in the contribution guide. Now it is
+   clearly visible from the top and trolls will see this is an ethical
+   community.
+ * [Contact](https://feed2exec.readthedocs.io/en/latest/contact.html) - another idea from the Monkeysign project. became
+   essential when the security contact was added (see below).
+
+All those changes were backported in the [ecdysis](https://ecdysis.readthedocs.io/en/latest/) template
+documentation and I hope to backport them back into my other projects
+eventually. As part of my documentation work, I also drifted into the
+Sphinx project itself and submitted a [patch to make manpage
+references clickable](https://github.com/sphinx-doc/sphinx/pull/4235) as well.
+
+I now use feed2exec to archive new posts on my website to the internet
+archive, which means I have an ad-hoc offsite backup of all content I
+post online. I think that's pretty neat. I also leverage
+the [Linkchecker](https://github.com/linkcheck/linkchecker/) program to look for dead links in new articles
+published on the site. This is possible thanks to a Ikiwiki-specific
+filter to extract links to changed files from the Recent Changes RSS
+feed.
+
+I'm considering making the `parse` step of the program pluggable. This
+is an idea I had in mind for a while, but it didn't make sense until
+recently. I described the project and someone said "oh that's
+like [IFTTT](https://en.wikipedia.org/wiki/IFTTT)", a tool I wasn't really aware of, which connects
+various "feeds" (Twitter, Facebook, RSS) to each other, using
+triggers. The key concept here is that feed2exec could be made to read
+from Twitter or other feeds, like IFTTT and not just *write* to
+them. This could allow users to bridge social networks by writing only
+to a single one and broadcasting to the other ones.
+
+Unfortunately, this means adding a lot of interface code and I do not
+have a strong use case for this just yet. Furthermore, it may mean
+switching from a "cron" design to a more interactive, interrupt-driven
+design that would run continuously and wake up on certain triggers.
+
+Maybe that could come in a 2.0 release. For now, I'll see to it that
+the current codebase is solid. I'll release a 0.11 release candidate
+shortly, which has seen a major refactoring since 0.10. I again
+welcome beta testers and users to report their issues. I am happy to
+report I got and fixed my [first bug report](https://gitlab.com/anarcat/feed2exec/issues/1) on this project this
+month.
+
+Towards standard security disclosure guidelines
+-----------------------------------------------
+
+When reading the excellent [State of Opensource Security report](https://snyk.io/stateofossecurity/),
+some metrics caught my eye:
+
+ * 75% of vulnerabilities are not discovered by the maintainer
+
+ * 79.5% of maintainers said that they had no public-facing disclosure
+   policy in place
+
+ * 21% of maintainers who do not have a public disclosure policy have
+   been notified privately about a vulnerability
+
+ * 73% of maintainers who do have a public disclosure policy have been
+   notified privately about a vulnerability
+
+In other words, having a public disclosure policy more than triples
+your chances of being notified of a security vulnerability. I was also
+surprised to find that 4 out of 5 projects do not have such a
+page. Then I realized that *none* of my projects had such a page, so I
+decided to fix that and fix my [documentation templates](https://ecdysis.readthedocs.io/en/latest/) (the
+infamously named [ecdysis](https://gitlab.com/anarcat/ecdysis) project) to specifically include
+a [section on security issues](https://ecdysis.readthedocs.io/en/latest/contribute.html#security-issues).
+
+I found that the [HackerOne disclosure guidelines](https://www.hackerone.com/disclosure-guidelines) were pretty
+good, except they require having a bounty for disclosure. I understand
+it's part of their business model, but I have no such money to give
+out - in fact, I don't even pay *myself* for the work of developing
+the project, so I don't quite see why I would pay for disclosures.
+
+I also found that many projects include OpenPGP key fingerprints in
+their contact information. I find that's a little silly: project
+documentation is no place to offer OpenPGP key discovery. If security
+researchers cannot find and verify OpenPGP key fingerprints, I would
+be worried about their capabilities. Adding a fingerprint or key
+material is just bound to create outdated documentation when
+maintainers rotate. Instead, I encourage people to use proper key
+discovery mechanism like the [Web of trust](https://en.wikipedia.org/wiki/Web_of_trust), [WKD](https://wiki.gnupg.org/WKD) or
+obviously [TOFU](https://en.wikipedia.org/wiki/Trust_on_first_use) which is basically what publishing a fingerprint
+does anyways.
+
+Git-Mediawiki
+-------------
+
+After being granted access to the [Git-Mediawiki](https://github.com/Git-Mediawiki/Git-Mediawiki/) project last
+month, I got to work. I fought hard with both Travis and Git, and
+Perl, and MediaWiki, to [add continuous integration](https://github.com/Git-Mediawiki/Git-Mediawiki/pull/50) in the

(Diff truncated)
fix broken links
diff --git a/blog/2017-11-14-ROCA-return-of-the-coppersmith-attack.mdwn b/blog/2017-11-14-ROCA-return-of-the-coppersmith-attack.mdwn
index df96d5f6..fdef87f0 100644
--- a/blog/2017-11-14-ROCA-return-of-the-coppersmith-attack.mdwn
+++ b/blog/2017-11-14-ROCA-return-of-the-coppersmith-attack.mdwn
@@ -70,7 +70,7 @@ media](https://en.wikipedia.org/wiki/Eesti_Rahvusringh%C3%A4%C3%A4ling)
 (ERR). Indeed, estimates show that cracking a
 single key would cost €80,000 in cloud computing costs. Since then,
 however, the vulnerability was also
-[reviewed](https://blog.cr.yp.to/20171105-infineon.html%20) by
+[reviewed](https://blog.cr.yp.to/20171105-infineon.html) by
 cryptographers Daniel J. Bernstein and Tanja Lange, who found that it
 was possible to improve the performance of the attack: they stopped
 after a  25% improvement, but suspect even further
diff --git a/services/backup.mdwn b/services/backup.mdwn
index 162376a9..a1f4332a 100644
--- a/services/backup.mdwn
+++ b/services/backup.mdwn
@@ -11,7 +11,7 @@ hand, monthly.
 Workstation and laptop backups are more irregular, on a separate
 drive.
 
-Most backups are performed with [borg](borgbackup.rtfd.org/) but some offsite backups are
+Most backups are performed with [borg](http://borgbackup.rtfd.org/) but some offsite backups are
 still done with [bup](https://bup.github.io/) for historical reasons but may be migrated to
 another storage system.
 
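Review bot: the borg link is repaired with `http://` while the neighbouring bup link on the next line uses `https://`; prefer `https://borgbackup.rtfd.org/` here so the documentation link for the backup tool is not served over plain HTTP.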

fix links to be internal
diff --git a/blog/2017-11-14-ROCA-return-of-the-coppersmith-attack.mdwn b/blog/2017-11-14-ROCA-return-of-the-coppersmith-attack.mdwn
index 3f636041..df96d5f6 100644
--- a/blog/2017-11-14-ROCA-return-of-the-coppersmith-attack.mdwn
+++ b/blog/2017-11-14-ROCA-return-of-the-coppersmith-attack.mdwn
@@ -37,8 +37,8 @@ frame.
 Private key recovery is one of the worst security vulnerabilities (short
 of direct cleartext recovery) that can happen in asymmetric crypto
 systems. It turns out that Infineon is one of only three secure chip
-manufacturers and therefore its chips are everywhere: in [cryptographic
-keycards](https://lwn.net/Articles/736231/) (e.g. the popular
+manufacturers and therefore its chips are everywhere: in [[cryptographic
+keycards|2017-10-26-comparison-cryptographic-keycards]] (e.g. the popular
 [Yubikey 4](https://www.yubico.com/support/security-advisories/ysa-2017-01/))
 but also [Trusted Platform
 Modules](https://en.wikipedia.org/wiki/Trusted_Platform_Module) (TPMs)
@@ -262,8 +262,8 @@ obscurity.*"
 The paper concludes by stating that "*relevant certification bodies
 might want to reconsider such an approach in favor of open
 implementations and specifications.*" This is a similar conclusion to
-the one I reached in my [comparison of cryptographic
-tokens](https://lwn.net/Articles/736231/): we should be able to design
+the one I reached in my [[comparison of cryptographic
+tokens|2017-10-26-comparison-cryptographic-keycards]]: we should be able to design
 secure, yet open, hardware and hopefully these kinds of vulnerabilities
 will serve as a lesson for the future.
 

creating tag page tag/vulnerability
diff --git a/tag/vulnerability.mdwn b/tag/vulnerability.mdwn
new file mode 100644
index 00000000..6c436248
--- /dev/null
+++ b/tag/vulnerability.mdwn
@@ -0,0 +1,4 @@
+[[!meta title="pages tagged vulnerability"]]
+
+[[!inline pages="tagged(vulnerability)" actions="no" archive="yes"
+feedshow=10]]

creating tag page tag/analysis
diff --git a/tag/analysis.mdwn b/tag/analysis.mdwn
new file mode 100644
index 00000000..2784179a
--- /dev/null
+++ b/tag/analysis.mdwn
@@ -0,0 +1,4 @@
+[[!meta title="pages tagged analysis"]]
+
+[[!inline pages="tagged(analysis)" actions="no" archive="yes"
+feedshow=10]]

publish the ROCA paper
diff --git a/blog/2017-11-14-ROCA-return-of-the-coppersmith-attack.mdwn b/blog/2017-11-14-ROCA-return-of-the-coppersmith-attack.mdwn
new file mode 100644
index 00000000..3f636041
--- /dev/null
+++ b/blog/2017-11-14-ROCA-return-of-the-coppersmith-attack.mdwn
@@ -0,0 +1,277 @@
+[[!meta title="ROCA: Return Of the Coppersmith Attack"]]
+[[!meta date="2017-11-14T00:00:00+0000"]]
+[[!meta updated="2017-11-29T22:27:33-0500"]]
+
+On October 30, 2017, a group of Czech researchers from Masaryk
+University presented the [ROCA
+paper](https://crocs.fi.muni.cz/public/papers/rsa_ccs17) at the ACM CCS
+Conference, which earned the [Real-World Impact
+Award](https://ccs2017.sigsac.org/awards.html). We briefly [mentioned
+ROCA](https://lwn.net/Articles/736520/) when it was first reported but
+haven't dug into details of the vulnerability yet. Because of its
+far-ranging impact, it seems important to review the vulnerability in
+light of the new results published recently.
+
+ROCA and its impacts
+--------------------
+
+As we all probably know, most modern cryptography is based on the
+fundamental assumption that finding the prime factors of a large number
+is *much* harder than generating that number from two large primes. For
+this assumption to hold, however, the prime numbers need to be randomly
+chosen, otherwise it becomes possible to guess those numbers more
+easily. The prime generation process can take time, especially on
+embedded devices like cryptographic tokens.
+
+The ROCA vulnerability occurred because Infineon, a popular smartcard
+manufacturer, developed its own proprietary algorithm based on the [fast
+prime](https://crypto.stackexchange.com/questions/52292/what-is-fast-prime)
+technique. If used correctly, fast prime allows the creation of randomly
+distributed primes faster than traditional methods, which generally
+consist of generating random numbers and testing for primality. The ROCA
+paper shows that Infineon goofed on the implementation and the resulting
+primes were not evenly distributed. This opened the possibility of
+recovering private keys from public key material in a reasonable time
+frame.
+
+Private key recovery is one of the worst security vulnerabilities (short
+of direct cleartext recovery) that can happen in asymmetric crypto
+systems. It turns out that Infineon is one of only three secure chip
+manufacturers and therefore its chips are everywhere: in [cryptographic
+keycards](https://lwn.net/Articles/736231/) (e.g. the popular
+[Yubikey 4](https://www.yubico.com/support/security-advisories/ysa-2017-01/))
+but also [Trusted Platform
+Modules](https://en.wikipedia.org/wiki/Trusted_Platform_Module) (TPMs)
+that live in most modern computers; even some official identity cards,
+which are used in everything from banking to voting, have Infineon
+chips. So the impact of this vulnerability is broad: medical records,
+voting, OpenPGP signatures and encryption, Digital Rights Management
+(DRM), full disk encryption, and secure boot; all become vulnerable if
+the wrong keycard generated the private key material.
+
+Hacking the Estonian elections
+------------------------------
+
+Let's take an extreme example of identity theft to illustrate the
+severity of the ROCA vulnerability. Estonia used Infineon chips in its
+state-issued [identity cards](https://www.id.ee/?lang=en). Because those
+cards are used in its electronic voting system, it was speculated that
+votes could be forged in an election. Indeed, there was a parliamentary
+election in 2015, at a time when vulnerable cards were in the wild.
+
+The Estonian government [claims](https://id.ee/index.php?id=38066) that
+leveraging the attack to commit electoral fraud in Estonia is
+"*complicated and not cheap*". This seems to rely on an unnamed expert
+as saying it would "*cost approximately €60 billion*" to mount such an
+attack, a number found in [this
+article](http://news.err.ee/631683/survey-attitudes-toward-e-voting-unaffected-by-id-card-security-risk)
+published by the [Estonian state
+media](https://en.wikipedia.org/wiki/Eesti_Rahvusringh%C3%A4%C3%A4ling)
+(ERR). Indeed, estimates show that cracking a
+single key would cost €80,000 in cloud computing costs. Since then,
+however, the vulnerability was also
+[reviewed](https://blog.cr.yp.to/20171105-infineon.html%20) by
+cryptographers Daniel J. Bernstein and Tanja Lange, who found that it
+was possible to improve the performance of the attack: they stopped
+after a  25% improvement, but suspect even further
+speed-ups are possible. So let's see what effect those numbers would
+have in an election now.
+
+There are 750,000 vulnerable cards, [according to
+ERR](http://news.err.ee/616732/potential-security-risk-could-affect-750-000-estonian-id-cards),
+out of the 1.3 million cards currently in circulation, [according to
+National Electoral
+Committee](http://www.vvk.ee/voting-methods-in-estonia/engindex/statistics).
+There were around 900,000 eligible voters in the 2015 parliamentary
+elections, about 600,000 of those voted and about 30% of voters cast
+their votes electronically. So, assuming the distribution of compromised
+cards is uniform among voters, we can use the percentage of compromised
+cards (roughly 60%) to estimate that vulnerable cards could have been
+used in about 17% of the total votes.
+
+The 2015 election was pretty close: the [Estonian Reform
+Party](https://en.wikipedia.org/wiki/Estonian_Reform_Party) beat its
+closest rival, the [Estonian Centre
+Party](https://en.wikipedia.org/wiki/Estonian_Centre_Party), by only 5%.
+So, it could have been possible to affect the result of that election,
+even without compromising all the cards. Bernstein and Lange were
+actually generous when they said that "*'large-scale vote fraud' does
+not require breaking all of the ID cards; 10% already buys massive
+influence*".
+
+In fact, according to their numbers, the €80,000 required to break one
+card can be reduced by a factor of four thanks to various
+performance improvements and by another factor of ten using dedicated
+hardware, which means we can expect targeted attacks to be 40 times
+cheaper than the original paper, bringing the cost of one vote down to
+around €2000. An Ars Technica article
+[quoted](https://arstechnica.com/information-technology/2017/11/flaw-crippling-millions-of-crypto-keys-is-worse-than-first-disclosed/)
+another researcher as saying: "*I'm not sure whether someone can slash
+the cost of one key below \$1,000 as of today, but I certainly see it as
+a possibility.*"
+
+So, being generous with the exchange rates for the sake of convenience,
+we could use a price per vote range of about €1,000-2,000. This means
+that buying the 5% of the votes necessary to win that 2015 election (or
+around 30,000 votes) would cost €30-60 *million*, which is a much lower
+number than originally announced and definitely affordable for a hostile
+foreign-state actor.
+
+Now, I am not saying that this happened during the 2015 Estonian
+election. I am merely pointing out that the resources required to buy
+votes (one way or another) are much cheaper than previously thought. And
+while the Electoral Committee [released the server-side source
+code](https://github.com/vvk-ehk/ivxv) in 2013, that wasn't where the
+ROCA problem lies. The vulnerability, this time, is client-side: the
+identity cards based on proprietary hardware. Fortunately, the Estonian
+authorities took action to
+[block](https://www.ria.ee/en/id-cards-affected-by-the-security-risk-can-be-renewed-from-november.html)
+the Infineon cards on November 3 and issue new certificates for the
+vulnerable cards in a state-wide replacement program. So far, there is
+no evidence of foul play or identity theft, according to state
+officials.
+
+The attack and disclosure
+-------------------------
+
+ROCA is an acronym for "Return Of the Coppersmith Attack" which, in
+turn, refers to a [class of attacks on
+RSA](https://en.wikipedia.org/wiki/Coppersmith%27s_attack) that uses
+some knowledge about the secret key material that allows the key to be
+guessed in less than brute-force time. The actual mathematical details
+are available in the [full paper
+\[PDF\]](https://crocs.fi.muni.cz/_media/public/papers/nemec_roca_ccs17_preprint.pdf)
+and go beyond my modest mathematical knowledge, but it certainly seems
+like Infineon took shortcuts in designing its random number generator.
+What the Czech researchers found is that the primes generated by the
+Infineon algorithm had a specific structure that made them easier to
+guess than randomly distributed primes. Indeed, all primes generated by
+RSALib, the library Infineon created for those chips, followed this
+pattern:
+
+        p = k ∗ M + (65537^a mod M)
+
+Here `p` is one of the secret primes used to construct the public key.
+The secrets in the equation are `k` and `a`, while `M` varies depending
+with the chosen key size. The problem is that `M` is disproportionately
+large, close enough to the size of `p` so that `k` and `a` are too
+small. And this is where the [Coppersmith
+method](https://en.wikipedia.org/wiki/Coppersmith_method) comes in: it
+relies on small integers being part of the equation generating the
+prime. It is also where I get lost in the math; interested readers can
+read the papers to find out more.
+
+Something interesting here is that Bernstein and Lange were able to
+reproduce the results *before* the paper was publicly released, using
+only information disclosed as part of the public advisory. As such, they
+raise the interesting question of whether delaying publication of the
+actual paper helped in containing the security vulnerability, since they
+were able to construct an attack within about a week of part-time work.
+They outlined that publicizing the keyword "Coppersmith" in the title of
+the research paper (which was public at the time of disclosure) was
+especially useful in confirming they were on the right path during their
+research. In that sense, Bernstein and Lange imply that delaying the
+publication of the paper had no benefit to the security community, and
+may have actually benefited attackers in a critical period, while
+impeding the work of honest security researchers.
+
+They also questioned the unusually long delay given to Infineon (eight
+months) before disclosure. Usually, "responsible disclosure" ranges from
+a few days to several months. For example, Google's [Project
+Zero](https://en.wikipedia.org/wiki/Project_Zero_%28Google%29) team
+gives projects 90 days to fix problems before it publicizes the results.
+The long delay was presumably given to provide ample time for companies
+and governments to organize mitigation measures. Yet, when the paper was
+finally released, some companies (e.g. Gemalto) still weren't clear if
+their products were affected. According to Ars Technica, Gemalto's
+customers, including Microsoft, which uses the products for two-factor
+authentication, are now still left wondering if their products are
+secure. Similarly, Estonia recently scrambled to suspend all affected
+cards, earlier than originally planned, even though they were notified
+of the vulnerability back in August. It seems the long delay didn't
+work: stakeholders did not proceed with those changes promptly and
+thousands if not millions of devices are *still* vulnerable at the time
+of writing.
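Review bot: the Ars Technica claim about Gemalto and Microsoft (the sentence beginning "According to Ars Technica, Gemalto's customers") is the only sourced statement in this hunk without a link, while the RIA block notice, the source repository and the paper all get one; add the article URL so the claim can be checked. Two wording fixes in the same hunk: "`M` varies depending with the chosen key size" should read "depending on the chosen key size", and "are now still left wondering" reads awkwardly; "are still left wondering" is enough.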

(Diff truncated)
fix typo in artist name
diff --git a/sigs.fortune b/sigs.fortune
index 1b4f7f80..357fa2c1 100644
--- a/sigs.fortune
+++ b/sigs.fortune
@@ -852,19 +852,19 @@ Only in the darkness can you see the stars.
 %
 We don't need any more heroes.
 We just need someone to take out recycling.
-                        - Bansky
+                        - Banksy
 %
 The greatest crimes in the world are not committed by people breaking
 the rules but by people following the rules. It's people who follow
 orders that drop bombs and massacre villages.
-                        - Bansky
+                        - Banksy
 %
 A lot of people never use their initiative because no-one told them to.
-                        - Bansky
+                        - Banksy
 %
 People in glass houses shouldn't throw stones.
 People in glass cities shouldn't fire missiles.
-                        - Bansky
+                        - Banksy
 %
 Some believe it is only great power that can hold evil in check, but
 that is not what I have found. It is the small everyday deeds of

detail current partition scheme
diff --git a/services/backup.mdwn b/services/backup.mdwn
index 9f078854..162376a9 100644
--- a/services/backup.mdwn
+++ b/services/backup.mdwn
@@ -90,7 +90,16 @@ and is aimed at technical users familiar with the commandline.
 
  1. create parts with parted, mark a 8MB leading part with the
     `bios_grub` flag. parted complains about the partitions not being
-    optimal, and I haven't figure out how to fix that correctly.
+    optimal, and I haven't figure out how to fix that
+    correctly. Marcos partitions are currently:
+
+         $ sudo lvdisplay -C
+         LV   VG        Attr       LSize
+         home marcossd1 -wi-ao---- 380,00g
+         root marcossd1 -wi-ao----  10,00g
+         swap marcossd1 -wi-ao----   4,00g
+         usr  marcossd1 -wi-ao----  20,00g
+         var  marcossd1 -wi-ao----  30,00g
 
  2. initialise crypt partition:
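Review bot: the new text says "Marcos partitions are currently:" but the listing that follows is `lvdisplay -C` output, which shows logical volumes, not the partition table that step 1 (parted, the 8MB `bios_grub` partition) is about; either introduce it as "the logical volumes are currently:" or add the `parted /dev/sdX print` (or `lsblk`) output so the reader sees the layout this step actually creates. While the sentence is being touched, "I haven't figure out" should be "I haven't figured out".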
 

move backup inventory to backup page
diff --git a/hardware/server/marcos.mdwn b/hardware/server/marcos.mdwn
index dd206983..b5f27250 100644
--- a/hardware/server/marcos.mdwn
+++ b/hardware/server/marcos.mdwn
@@ -1,64 +1,8 @@
 Voir aussi la documentation de [[maintenance|services]], en
-particulier [[services/mail]].
+particulier [[services/mail]] et [[services/backup]].
 
 [[!toc levels=3]]
 
-# Storage inventory
-
-## Internal
-
- * `srv`: 4TB (3.6TiB) SATA; video, mp3, external backups, postcasts and so on
-   * `/srv/video`: 1.3TiB, git-annex `backup` group
- * `marcossd1`: 480GB SSD; `/home`, `/var`, `/usr` and so on...
-
-## External
-
- * `calyx`: 1.5TB iOmega external backup drive, encrypted, `borg`
-   backups (currently ~700GB)
- * `archive0`: 160GB Maxtor hard drive, clear, `git-annex` for `mp3`
-
-## Offsite
-
- * `green_crypt1`: 1.5TB WD "green" hard drive, encrypted, bup backups
- * `barracuda_crypt2`: 2TB Seagate barracuda drive, encrypted,
-   `git-annex` archive, previously `/srv`, but stripped of private
-   data - see
-   [this post about reinit](http://git-annex.branchable.com/todo/reinit_should_work_without_arguments/)
-   git-annex `incrementalbackup`
- * `green_crypt0`: 1.5TB WD "green" hard drive, encrypted, `git-annex`
-   backups - at hacim's house, git-annex `backup` group
- * `markov`: office workstation backup of `mp3`, unmaintained
-
-## bill of material
-
- path                 | backup location        | notes
---------------------- | ------------------     | -----
-`/`                   | `borg` on `calyx`      |
-`/var`                | `borg` on `calyx`      |
-`/usr`                | `borg` on `calyx`      |
-`/home`               | `borg` on `calyx`      |
-`/srv`                | no                     | see below
-`/srv/archive/`       | `bup-srv` on `calyx`   | one time only
-`/srv/audiobooks/`    | `git-annex` on `green` |
-`/srv/auto/`          | no                     | transient data
-`/srv/backup/`        | `bup-srv` on `calyx`   | one time only
-`/srv/books/`         | `git-annex` on `green` |
-`/srv/books-incoming/`| no                     | transient data
-`/srv/conference/`    | no                     | local copy of public data
-`/srv/espresso/`      | `git-annex` on `markov`|
-`/srv/incoming/`      | `bup-srv` on `calyx`   | one time only
-`/srv/karaoke/`       | `bup-srv` on `calyx`   | one time only
-`/srv/mp3/`           | `git-annex` on `VHS`   | also `markov`, `angela`, `archive0`
-`/srv/playlists/`     | `bup-srv` on `calyx`   | one time only
-`/srv/podcast/`       | no                     | todo?
-`/srv/roms/`          | `git-annex` on `green` | 
-`/srv/sid/`           | `bup-srv` on `calyx`   | one time only
-`/srv/SteamLibrary/`  | `bup-srv` on `calyx`   | one time only
-`/srv/tahoe/`         | no                     | redundant data, by definition, unusable without key
-`/srv/tempete/`       | `bup-srv` on `calyx`   | one time only
-`/srv/tftp/`          | `git-annex`            | not sync'd to `green`, but files are publicly available, and git repo copied over at koumbit
-`/srv/video/`         | `git-annex` on `green` |
-
 # Hardware maintenance
 
 See [[hardware/server/marcos/configuration]] for the initial setup notes.
diff --git a/services/backup.mdwn b/services/backup.mdwn
index f48304ae..9f078854 100644
--- a/services/backup.mdwn
+++ b/services/backup.mdwn
@@ -1,4 +1,87 @@
-[[!meta title="Hard drive replacement procedure"]]
+[[!meta title="Backup procedures"]]
+
+[[!toc levels=3]]
+
+Policies
+--------
+
+Main server backups are automatic, nightly. Offsite backups are by
+hand, monthly.
+
+Workstation and laptop backups are more irregular, on a separate
+drive.
+
+Most backups are performed with [borg](borgbackup.rtfd.org/) but some offsite backups are
+still done with [bup](https://bup.github.io/) for historical reasons but may be migrated to
+another storage system.
+
+Backup storage
+--------------
+
+### Marcos storage
+
+ * `srv`: 4TB (3.6TiB) SATA; video, mp3, external backups, postcasts and so on
+   * `/srv/video`: 1.3TiB, git-annex `backup` group
+ * `marcossd1`: 480GB SSD; `/home`, `/var`, `/usr` and so on...
+
+### External
+
+ * `wd`: black external WD drive connected to `marcos`
+ * `calyx`: 1.5TB iOmega external backup drive, encrypted, `borg`
+   backups for angela
+ * `archive0`: 160GB Maxtor hard drive, clear, partial `git-annex`
+   archive for `mp3`
+
+### Offsite
+
+ * `green_crypt1`: 1.5TB WD "green" hard drive, encrypted, bup backups
+ * `barracuda_crypt2`: 2TB Seagate barracuda drive, encrypted,
+   `git-annex` archive, previously `/srv`, but stripped of private
+   data - see [this post about reinit](http://git-annex.branchable.com/todo/reinit_should_work_without_arguments/) - git-annex
+   `incrementalbackup`
+
+### Offsite (squirrel mode)
+
+Those are archives that were disseminated in different locations.
+
+ * `green_crypt0`: 1.5TB WD "green" hard drive, encrypted, `git-annex`
+   backups - at hacim's house, git-annex `backup` group
+ * `markov`: office workstation backup of `mp3`, abandoned
+
+### Marcos backup inventory details
+
+This is out of date.
+
+ path                 | backup location        | notes
+--------------------- | ------------------     | -----
+`/`                   | `borg` on `calyx`      |
+`/var`                | `borg` on `calyx`      |
+`/usr`                | `borg` on `calyx`      |
+`/home`               | `borg` on `calyx`      |
+`/srv`                | no                     | see below
+`/srv/archive/`       | `bup-srv` on `calyx`   | one time only
+`/srv/audiobooks/`    | `git-annex` on `green` |
+`/srv/auto/`          | no                     | transient data
+`/srv/backup/`        | `bup-srv` on `calyx`   | one time only
+`/srv/books/`         | `git-annex` on `green` |
+`/srv/books-incoming/`| no                     | transient data
+`/srv/conference/`    | no                     | local copy of public data
+`/srv/espresso/`      | `git-annex` on `markov`|
+`/srv/incoming/`      | `bup-srv` on `calyx`   | one time only
+`/srv/karaoke/`       | `bup-srv` on `calyx`   | one time only
+`/srv/mp3/`           | `git-annex` on `VHS`   | also `markov`, `angela`, `archive0`
+`/srv/playlists/`     | `bup-srv` on `calyx`   | one time only
+`/srv/podcast/`       | no                     | todo?
+`/srv/roms/`          | `git-annex` on `green` | 
+`/srv/sid/`           | `bup-srv` on `calyx`   | one time only
+`/srv/SteamLibrary/`  | `bup-srv` on `calyx`   | one time only
+`/srv/tahoe/`         | no                     | redundant data, by definition, unusable without key
+`/srv/tempete/`       | `bup-srv` on `calyx`   | one time only
+`/srv/tftp/`          | `git-annex`            | not sync'd to `green`, but files are publicly available, and git repo copied over at koumbit
+`/srv/video/`         | `git-annex` on `green` |
+
+Drive replacement
+-----------------
 
 This procedure describes a major disk replacement on a system with
 LUKS encryption and LVM, but without RAID-1 (which would be obviously
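Review bot: the borg link on the "Most backups are performed with" line, `[borg](borgbackup.rtfd.org/)`, has no scheme, so ikiwiki will render it as a relative link to a page that does not exist; use `https://borgbackup.rtfd.org/`. Smaller points in the same hunk: the `wd` entry under External gives no size, encryption status or purpose while every other drive does; "postcasts" in the `srv` entry should be "podcasts"; and the inventory table is introduced with a bare "This is out of date" while its rows still say `borg` on `calyx` for `/`, `/var`, `/usr` and `/home` even though `calyx` is now described as holding borg backups for angela, so a date or a short note on which rows are known to be wrong would help the next reader.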

rename drive-replacement to backup
diff --git a/hardware/server/marcos.mdwn b/hardware/server/marcos.mdwn
index f0ff3548..dd206983 100644
--- a/hardware/server/marcos.mdwn
+++ b/hardware/server/marcos.mdwn
@@ -29,7 +29,6 @@ particulier [[services/mail]].
    backups - at hacim's house, git-annex `backup` group
  * `markov`: office workstation backup of `mp3`, unmaintained
 
-
 ## bill of material
 
  path                 | backup location        | notes
@@ -66,7 +65,7 @@ See [[hardware/server/marcos/configuration]] for the initial setup notes.
 
 There's a nasty [[lcd|services/lcd]] here, see [[services/lcd]] for how to configure it.
 
-See [[services/drive-replacement]] for drive replacement procedures.
+See [[services/backup]] for backup and drive replacement procedures.
  
 ## Screen lockup
 
diff --git a/services/drive-replacement.mdwn b/services/backup.mdwn
similarity index 100%
rename from services/drive-replacement.mdwn
rename to services/backup.mdwn

borg extract in right location
diff --git a/services/drive-replacement.mdwn b/services/drive-replacement.mdwn
index 12789743..f48304ae 100644
--- a/services/drive-replacement.mdwn
+++ b/services/drive-replacement.mdwn
@@ -44,6 +44,7 @@ and is aimed at technical users familiar with the commandline.
 
  5. restore the root filesystem:
  
+        cd /mnt
         borg extract -e boot -e usr -e var -e home --progress /media/sdc2/borg::marcos-2017-06-19
 
     [[!tip """note that `--progress` is available only in newer
@@ -75,7 +76,9 @@ and is aimed at technical users familiar with the commandline.
 
  8. restore everything from backups:
  
-        borg extract --progress /media/sdc2/borg::marcos-2017-06-19
+        cd /mnt
+        borg extract --progress /media/sdc2/borg::marcos-auto-2017-06-19
+        borg extract --progress /media/sdc2/borg::marcos-logs-2017-11-28
 
     or rsync from the live filesystem (see below).
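Review bot: step 5 (in the hunk just above) extracts from `marcos-2017-06-19` while step 8 now extracts from `marcos-auto-2017-06-19` and `marcos-logs-2017-11-28`; the archive naming differs between the two steps, so one of them is probably out of date. Since the other commits in this series are generalizing the procedure (`sdX`), consider pointing the reader at `borg list /media/sdc2/borg` to pick the archives to restore instead of hardcoding dates that will be wrong the next time the procedure is run.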
  

use sdX in restore procedure
diff --git a/services/drive-replacement.mdwn b/services/drive-replacement.mdwn
index 5bef3ffc..12789743 100644
--- a/services/drive-replacement.mdwn
+++ b/services/drive-replacement.mdwn
@@ -11,8 +11,8 @@ and is aimed at technical users familiar with the commandline.
 
  2. initialise crypt partition:
 
-        cryptsetup -v --verify-passphrase luksFormat /dev/sdc3
-        cryptsetup luksOpen /dev/sdc3 crucial_crypt
+        cryptsetup -v --verify-passphrase luksFormat /dev/sdX3
+        cryptsetup luksOpen /dev/sdX3 crucial_crypt
 
     <span /><div class="tip">
     Note that newer versions of Debian (e.g. stretch and later) have
@@ -54,7 +54,13 @@ and is aimed at technical users familiar with the commandline.
     
         rsync -vaHAx --inplace --delete --one-file-system / /mnt/
 
- 6. edit `/mnt/etc/fstab` (and keep a copy in `/etc/fstab.new`)
+    note that this will destroy the mountpoint directories like
+    /mnt/usr, which need to be recreated.
+
+ 6. edit `/mnt/etc/fstab` (and keep a copy in `/etc/fstab.new`) to
+    change the VG paths and the `/boot` UUID (which can be found with
+    `blkid /dev/sdX2`
+
  7. mount all filesystems:
 
         mount -o bind /dev /mnt/dev
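Review bot: the new step 6 text has an unbalanced parenthesis: "(which can be found with `blkid /dev/sdX2`" never closes; add the `)` after the backticked command. The added note that rsync "will destroy the mountpoint directories like /mnt/usr, which need to be recreated" would be more useful with the command to recreate them (e.g. `mkdir /mnt/usr /mnt/var /mnt/home`), since step 7 immediately goes on to mount them.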
@@ -65,7 +71,7 @@ and is aimed at technical users familiar with the commandline.
 
  5. change `/mnt/etc/crypttab` (make a copy in `/etc/crypttab.new`) to follow the new partition names:
     * make sure you have *NO TYPO* in the new line
-    * use `blkid` to get the UUID of the crypto device, e.g. `blkid /dev/sda3`
+    * use `blkid` to get the UUID of the crypto device, e.g. `blkid /dev/sdX3`
 
  8. restore everything from backups:
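Review bot: the crypttab step is numbered 5 but sits between steps 7 and 8 (the context lines show "7. mount all filesystems" above it and "8. restore everything from backups" below); renumber it or let markdown's ordered-list numbering handle it. The "*NO TYPO*" warning is good; saying why (a wrong UUID in crypttab means the root device is never unlocked at boot and the system has to be repaired from rescue media) would make the warning stick.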
  
@@ -91,7 +97,7 @@ and is aimed at technical users familiar with the commandline.
         echo "search.fs_uuid c7bf0134-d9bf-4506-b859-3d19e9a333c1 root" >> /boot/grub/load.cfg
         update-initramfs -u -k all
         update-grub2
-        grub-install /dev/sdc
+        grub-install /dev/sdX
 
     [[!important """the `fs.uuid` flag comes from the `/boot` device,
     and can be found with the `blkid` command as well."""]]
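Review bot: the `search.fs_uuid c7bf0134-d9bf-4506-b859-3d19e9a333c1 root` line keeps a machine-specific UUID while the same commit generalizes the device names to `sdX`; replace it with a placeholder (or `$(blkid -o value -s UUID /dev/sdX2)`) so the procedure is consistent, since the [[!important]] block already says the value comes from `blkid` on the `/boot` device.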

marginal progress on phone
diff --git a/hardware/phone/lg-g3-d852.mdwn b/hardware/phone/lg-g3-d852.mdwn
index ef9b382b..668baf7f 100644
--- a/hardware/phone/lg-g3-d852.mdwn
+++ b/hardware/phone/lg-g3-d852.mdwn
@@ -138,7 +138,9 @@ So I'm stuck: there doesn't seem to be a way to root this device.
 
 Update: I had a [confirmation](https://github.com/Lekensteyn/lglaf/issues/31#issuecomment-347381719) of my worst suspicions. It does seem
 like the above is a restriction on the recovery mode to keep people
-from doing *exactly* what I am trying to do.
+from doing *exactly* what I am trying to do. The new `--rawshell`
+argument helps a little: I can run *some* commands, but nothing that
+can allow me to sideload the root app that I would need.
 
 Recovery setup
 ==============
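Review bot: the new sentence names a `--rawshell` argument without saying which tool it belongs to; the paragraph above links to an lglaf issue, so "the new `--rawshell` argument to lglaf" (with a link to the change that added it, if there is one) would make the update self-contained for someone landing on this section.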

status update: still fail
diff --git a/hardware/phone/lg-g3-d852.mdwn b/hardware/phone/lg-g3-d852.mdwn
index 032133df..ef9b382b 100644
--- a/hardware/phone/lg-g3-d852.mdwn
+++ b/hardware/phone/lg-g3-d852.mdwn
@@ -127,15 +127,19 @@ With the patch (or running as root), it still fails, with:
 
     LGLAF.py: WARNING: Command failed with error code 0x8000010a
 
-So we need another patch to send a proper  [challenge-response](https://github.com/Lekensteyn/lglaf/pull/12) and
-*then* we get a prompt. Unfortunately, some clever thing is still
-refusing our commands:
+So we need [another patch](https://github.com/Lekensteyn/lglaf/pull/12) (now [merged](https://github.com/Lekensteyn/lglaf/pull/27)) to send a proper
+challenge-response and *then* we get a prompt. Unfortunately, some
+clever thing is still refusing our commands:
 
     # sh /data/local/tmp/lg_root.sh dummy 1 /data/local/tmp/UPDATE-SuperSU-v2.46.zip /data/local/tmp/busybox
     Hello, I am LAF. Nice to meet you.#
 
 So I'm stuck: there doesn't seem to be a way to root this device.
 
+Update: I had a [confirmation](https://github.com/Lekensteyn/lglaf/issues/31#issuecomment-347381719) of my worst suspicions. It does seem
+like the above is a restriction on the recovery mode to keep people
+from doing *exactly* what I am trying to do.
+
 Recovery setup
 ==============
 
@@ -148,7 +152,7 @@ about. Maybe it's necessary to boot TWRP at all?
 Custom ROM install
 ==================
 
-Next step is to install [LineageOS](https://lineageos.org/), because the current firmware
+And *then* the next step is to install [LineageOS](https://lineageos.org/), because the current firmware
 has all sorts of crappy apps like spam from Google and god knows what
 else. With LineageOS, I still have proprietary software, but at least
 I know exactly [what those are][proprietary drivers list] and I'm confident it's the bare

document my custom styles
diff --git a/software/desktop/firefox.mdwn b/software/desktop/firefox.mdwn
index 2242c034..943f28cc 100644
--- a/software/desktop/firefox.mdwn
+++ b/software/desktop/firefox.mdwn
@@ -89,6 +89,21 @@ I have set the following configuration options:
  * `extensions.pocket.enabled` - disable the pocket extension that I
    have no use for ([ref](https://support.mozilla.org/en-US/kb/remove-pocket-button-firefox))
 
+I also override certain site's stylesheets in my
+`~/.mozilla/firefox/*/chrome/userContent.css` CSS file. For example,
+this restricts the width of pages in the Debian wiki:
+
+    /* limit paragraph width to ease reading, and center */
+    @-moz-document domain(wiki.debian.org) {
+        div#content { max-width: 60em !important; margin: auto !important; }
+    }
+    @-moz-document domain(lwn.net) {
+        div.ArticleText { max-width: 60em !important; margin: auto !important; }
+    }
+
+The syntax of this file is basically undocumented. Its location and
+basic usage is documented [in MozillaZine](http://kb.mozillazine.org/UserContent.css) but not much further.
+
 History
 -------
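Review bot: the lead-in says "this restricts the width of pages in the Debian wiki" but the snippet also carries an `@-moz-document domain(lwn.net)` block, so either mention both sites or drop the lwn.net rule from the example. It is also worth naming the `@-moz-document domain(...)` at-rule in the prose as the thing that scopes the rules to one site, since the text says the syntax is basically undocumented and that is the term a reader would need to search for.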
 

another inspiring quote from Aaron
diff --git a/sigs.fortune b/sigs.fortune
index ba69c165..1b4f7f80 100644
--- a/sigs.fortune
+++ b/sigs.fortune
@@ -1077,3 +1077,6 @@ worldwide collection of software engineers who can't write operating
 systems or applications without security holes, can then turn around
 and suddenly write virtualization layers without security holes.
                         - Theo de Raadt
+%
+Be curious. Read widely. Try new things. I think a lot of what people
+call intelligence boils down to curiosity.  - Aaron Swartz
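Review bot: the attribution is placed inline ("curiosity.  - Aaron Swartz") while every other entry in this file, as the Banksy hunk above shows, puts it on its own line indented with spaces (`                        - Banksy`); follow the same layout so fortune output looks uniform.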

more details about current status
diff --git a/software/desktop/firefox.mdwn b/software/desktop/firefox.mdwn
index 3a62a2f5..2242c034 100644
--- a/software/desktop/firefox.mdwn
+++ b/software/desktop/firefox.mdwn
@@ -2,6 +2,9 @@
 
 [[!toc levels=2]]
 
+TL;DR: I use [Firefox](https://getfirefox.com/), for technical and
+political reasons. This page documents my config and why.
+
 Extensions
 ----------
 
@@ -83,6 +86,8 @@ I have set the following configuration options:
      with the Yubikey and other 2FA tokens
    * `security.webauth.webauthn` - enable [WebAuthN](https://www.w3.org/TR/webauthn/) support, not
      sure what that's for but it sounds promising
+ * `extensions.pocket.enabled` - disable the pocket extension that I
+   have no use for ([ref](https://support.mozilla.org/en-US/kb/remove-pocket-button-firefox))
 
 History
 -------
@@ -125,11 +130,15 @@ Remaining issues
 
 My remaining concerns with Firefox, right now, are:
 
- * it's slower than Chromium: Firefox starts in about 2 seconds here
+ * <del>it's slower than Chromium: Firefox starts in about 2 seconds here
    whereas Chromium starts in less than a second (on `curie`, i3-6100U
    4x2.3Ghz, 16GB of ram, on my laptop, it's even worst: about 7-8
    seconds for Firefox and < 2 seconds for Chromium). since i usually
-   have the browser already started, that's kind of okay.
- * history retention settings are unclear
- * it has the "pocket" plugin enabled by default, which supports a
-   proprietary service, a questionable decision at best.
+   have the browser already started, that's kind of okay.</del> This
+   is fixed in Firefox 57: it's super fast, startup time seems even
+   faster than Chromium.
+ * history retention settings are [unclear](https://www.reddit.com/r/firefox/comments/3gbm7m/how_long_does_firefox_keep_history/) - FF computes a number
+   that "will not affect performance" but that may mean a number that
+   is just huge. For example, it keeps 162 751 pages here, keeping
+   pages well over 6 months. There are extensions to fix this like
+   [Expire history by days](https://addons.mozilla.org/en-US/firefox/addon/expire-history-by-days/) and [History cleaner](https://addons.mozilla.org/en-US/firefox/addon/history-cleaner/) 
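Review bot: the struck-through bullet keeps "it's even worst" (should be "worse") and the new history bullet ends with a trailing space after the History cleaner link and no period; both are on lines this hunk touches. Since the startup-time complaint is now resolved, it may be cleaner to drop the `<del>` text and keep only the "fixed in Firefox 57" remark, rather than carrying a struck paragraph in a list titled "Remaining issues".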

firefox: move history down at the bottom
diff --git a/software/desktop/firefox.mdwn b/software/desktop/firefox.mdwn
index 492168dc..3a62a2f5 100644
--- a/software/desktop/firefox.mdwn
+++ b/software/desktop/firefox.mdwn
@@ -2,42 +2,6 @@
 
 [[!toc levels=2]]
 
-History
--------
-
-I have been a long time user of the "Mozilla" family of web
-browsers. My first web browser (apart from [[!wikipedia lynx]]) was
-probably the venerable [[!wikipedia Netscape Navigator]], which was
-eventually opened source into what was then called Pheonix and then
-[[!wikipedia Firefox]]. I eventually abandoned Firefox because of
-stability and features: an HTML5 video site would crash firefox, and
-when I tried it in Chromium, it worked, so I gave on up on Firefox
-then.
-
-But now (Jan 2017) I have switched back to Firefox, mostly because of
-privacy reasons. There are multiple privacy issues in Chromium (which
-is supposed to be the unbranded version of the Google Chrome browser).
-Some [infamous privacy intrusions][] were fixed, but others werent:
-bug [[!debbug 792580]] (phones home to [[!wikipedia DoubleClick]] and
-[[!wikipedia Google Analytics]]) was filed in 2015 and I confirmed it
-in 2016, and it's still not fixed. I have also found troubling the
-[site engagement][] profile that Chromium builds on you (which carries
-over into the Incognito mode). I also had concerns that Chromium would
-keep history indefinitely, but it looks like it actually
-[keeps it for 90 days][]. Firefox is now actually worst than Chromium
-in that regard as it keeps a [dynamic number of pages][] instead of a
-configurable delay. I also had problems with Chromium not opening tabs
-when it's lacking focus ([[!debbug 848930]]), a new regression that
-was really annoying as I visit a lot of websites... There's the
-[ungoogled-chromium][] project which attempts to correct all of those
-issues, but that is yet another browser, and it's not packaged in
-Debian, so not really an option for me right now.
-
-[ungoogled-chromium]: https://github.com/Eloston/ungoogled-chromium
-
-So long story short, I use firefox now. It's nice to root for the
-[[!wikipedia Browser_wars desc="underdog"]] anyways.
-
 Extensions
 ----------
 
@@ -120,6 +84,42 @@ I have set the following configuration options:
    * `security.webauth.webauthn` - enable [WebAuthN](https://www.w3.org/TR/webauthn/) support, not
      sure what that's for but it sounds promising
 
+History
+-------
+
+I have been a long time user of the "Mozilla" family of web
+browsers. My first web browser (apart from [[!wikipedia lynx]]) was
+probably the venerable [[!wikipedia Netscape Navigator]], which was
+eventually opened source into what was then called Pheonix and then
+[[!wikipedia Firefox]]. I eventually abandoned Firefox because of
+stability and features: an HTML5 video site would crash firefox, and
+when I tried it in Chromium, it worked, so I gave on up on Firefox
+then.
+
+But now (Jan 2017) I have switched back to Firefox, mostly because of
+privacy reasons. There are multiple privacy issues in Chromium (which
+is supposed to be the unbranded version of the Google Chrome browser).
+Some [infamous privacy intrusions][] were fixed, but others werent:
+bug [[!debbug 792580]] (phones home to [[!wikipedia DoubleClick]] and
+[[!wikipedia Google Analytics]]) was filed in 2015 and I confirmed it
+in 2016, and it's still not fixed. I have also found troubling the
+[site engagement][] profile that Chromium builds on you (which carries
+over into the Incognito mode). I also had concerns that Chromium would
+keep history indefinitely, but it looks like it actually
+[keeps it for 90 days][]. Firefox is now actually worst than Chromium
+in that regard as it keeps a [dynamic number of pages][] instead of a
+configurable delay. I also had problems with Chromium not opening tabs
+when it's lacking focus ([[!debbug 848930]]), a new regression that
+was really annoying as I visit a lot of websites... There's the
+[ungoogled-chromium][] project which attempts to correct all of those
+issues, but that is yet another browser, and it's not packaged in
+Debian, so not really an option for me right now.
+
+[ungoogled-chromium]: https://github.com/Eloston/ungoogled-chromium
+
+So long story short, I use firefox now. It's nice to root for the
+[[!wikipedia Browser_wars desc="underdog"]] anyways.
+
 Remaining issues
 ----------------
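Review bot: since the section is being moved verbatim, this is a cheap moment to fix the typos it carries: "opened source" (open-sourced), "Pheonix" (Phoenix), "gave on up on" (gave up on), "werent" (weren't) and "worst than Chromium" (worse). The `[infamous privacy intrusions][]`, `[site engagement][]`, `[keeps it for 90 days][]` and `[dynamic number of pages][]` reference links must still have their definitions somewhere on the page after the move; the last two are defined under Extensions (see the extension overhaul hunk below), so check that the first two still resolve as well.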
 

move password hashers list to article about that
diff --git a/blog/2017-03-02-hashers-history.mdwn b/blog/2017-03-02-hashers-history.mdwn
index 00405a0e..ca275da9 100644
--- a/blog/2017-03-02-hashers-history.mdwn
+++ b/blog/2017-03-02-hashers-history.mdwn
@@ -321,4 +321,16 @@ say, most people don't do modulo arithmetics every day...
 [covered here]: http://scilogs.spektrum.de/hlf/mental-cryptography-and-good-passwords/
 [Blum's Mental Hash]: https://programmingpraxis.com/2014/09/26/blums-mental-hash/
 
+Update: in case you didn't have enough links from the above, I figured
+I would add other hashers I found in my earlier research which I
+forgot to mention here:
+
+ * [Alzheimer password generator](https://github.com/viralpoetry/password-generator) - similar to standford's pwdhash,
+   has a seed, but less usable
+ * [getvau.lt](https://getvau.lt) - also only a web page, but crypto looks sound
+ * [lastpass](https://www.lastpass.com/) - proprietary server-side
+ * [hash0](https://github.com/dannysu/hash0) - another one
+ * [bpassword](https://www.alexhornung.com/code/bpasswd/) - uses bcrypt
+ * [more extensive list of password managers](https://wiki.koumbit.net/GestionDesMotDePasse)
+
 [[!tag debian-planet debian passwords geek security crypto]]
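Review bot: "standford's pwdhash" in the Alzheimer entry should read "Stanford's PwdHash". The new list is introduced as hashers "I forgot to mention here", so it would help to say in one clause how they compare to the ones reviewed in the article body (e.g. that none of them changes the conclusion), otherwise the update reads as a bare link dump at the end of a long post.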
diff --git a/software/desktop/firefox.mdwn b/software/desktop/firefox.mdwn
index 681b29e6..492168dc 100644
--- a/software/desktop/firefox.mdwn
+++ b/software/desktop/firefox.mdwn
@@ -77,7 +77,9 @@ I removed those:
  * [firebug](https://addons.mozilla.org/firefox/1843/) - same
  * [webdevelopper toolbar](https://addons.mozilla.org/firefox/60/) - builtin
  * [password hasher](https://addons.mozilla.org/fr/firefox/addon/3282) -
-   has security issues
+   has security issues - completely removed any password management
+   from my browser, see [[blog/2017-03-02-password-hashers]] for a
+   further review of password hashers.
  * [Privacy Badger](https://www.eff.org/privacybadger), tested as a replacement for the more
    aggressive uMatrix. Issues: doesn't allow blanket configuration
    (e.g. block cookies by default) and difficult to make mass
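Review bot: the wikilink `[[blog/2017-03-02-password-hashers]]` does not match the file edited in the same commit, `blog/2017-03-02-hashers-history.mdwn`; unless that page exists separately or is a redirect, ikiwiki will render it as a broken (create-page) link. Also, "webdevelopper toolbar" in the context line above should be "web developer toolbar".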
@@ -92,32 +94,6 @@ I removed those:
    because upstream will drop support in 2018. Debian is scrambling to
    package the newer version that is only standalone ([#871502](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871502))
 
-I know about the following password hashers, which all have issues, so
-I am now using a regular password manager for my web passwords:
-
-Password hasher alternatives:
-
- * [lesspass](https://lesspass.com/) - interesting, but needs a server, see also [this discussion](https://news.ycombinator.com/item?id=12889807). v1 has weak key derivation, and v2's key derivation exhausted my patience (more than 30 seconds to generate a password, wtf)
- * [pwdhash](https://crypto.stanford.edu/PwdHash) - standford's pwdhash - like the original password hasher, more or less. doesn't have settings or private key
- * [Alzheimer password generator](https://github.com/viralpoetry/password-generator) - similar, has a seed, but less usable
- * [supergenpass](https://github.com/chriszarate/supergenpass) - bookmarklet, one of the earliest ones, MD5
- * [nic wolff's](http://angel.net/~nic/passwd.current.html) - probably the first implementation of this (see [this claim](https://news.ycombinator.com/item?id=12892655))
- * [getvau.lt](https://getvau.lt) - also only a web page, but crypto looks sound
- * [lastpass](https://www.lastpass.com/) - proprietary server-side
- * [hash0](https://github.com/dannysu/hash0) - another one
- * [bpassword](https://www.alexhornung.com/code/bpasswd/) - uses bcrypt
-
-It looks like they all suck in new exotic ways. Heck, even the
-original password hasher is a simple hmac_sha256, from what i can
-see. horrible. Hashing needs 100k+ iterations of PBKDF, see
-[this](http://stackoverflow.com/questions/6054082/recommended-of-iterations-when-using-pbkdf2-sha256). So
-i need to ditch my password hasher. Sad. Should probably make a blog
-post or page about this from <https://wiki.koumbit.net/GestionDesMotDePasse>.
-
-Update: I *did* write an extensive series about passwords, password
-managers and password hashers. See
-[[blog/2017-03-02-password-hashers]].
-
 Configuration
 -------------
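Review bot: of the nine hashers removed here, only five (Alzheimer, getvau.lt, lastpass, hash0, bpassword) reappear in the hashers-history hunk above; lesspass, pwdhash, supergenpass and Nic Wolff's page are dropped, together with the notes about lesspass v2's slow key derivation and the PBKDF2 iteration-count remark. If the article already covers them, fine; otherwise they are lost in the move, which contradicts the commit message.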
 

firefox 57 extension overhaul
diff --git a/software/desktop/firefox.mdwn b/software/desktop/firefox.mdwn
index 2afdba60..681b29e6 100644
--- a/software/desktop/firefox.mdwn
+++ b/software/desktop/firefox.mdwn
@@ -41,24 +41,17 @@ So long story short, I use firefox now. It's nice to root for the
 Extensions
 ----------
 
-I usually have those extensions installed:
-
-* [uBlock Origin](https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/) ([[!debpkg xul-ext-ublock-origin desc="debian
-  package"]], [source](https://github.com/gorhill/uBlock))
-* [it's all text!](https://addons.mozilla.org/en-US/firefox/addon/its-all-text/) ([[!debpkg xul-ext-itsalltext desc="debian
-  package"]], [source](https://github.com/docwhat/itsalltext)) - now [obsolete](https://github.com/docwhat/itsalltext/issues/94), [GhostText](https://addons.mozilla.org/en-US/firefox/addon/ghosttext/) being
-  tested
-* [uMatrix](https://addons.mozilla.org/firefox/addon/umatrix/) (no debian package, [source](https://github.com/gorhill/uMatrix))
-* [wallabager](https://addons.mozilla.org/en-US/firefox/addon/wallabagger/)
-  (no debian package,
-  [source](https://github.com/wallabag/wallabagger)) 
-* [zotero](https://www.zotero.org/)
-  ([[!debpkg zotero-standalone desc="zotero standalone debian package"]]
-  and
-  [[!debpkg xul-ext-zotero title"zotero extension debian package"]])
-* [U2F Support](https://addons.mozilla.org/en-US/firefox/addon/u2f-support-add-on/), should be unnecessary starting with FF 57,
-  see [issue #59](https://github.com/prefiks/u2f4moz/issues/59#issuecomment-325768286). apparently, the magic setting is
-  `security.webauth.u2f true`. the upstream issue is [#1065729](https://bugzilla.mozilla.org/show_bug.cgi?id=1065729)
+I have those extensions installed:
+
+ * [GhostText](https://addons.mozilla.org/en-US/firefox/addon/ghosttext/) - "It's all text" replacement
+ * [QR Code Image Generator](https://addons.mozilla.org/en-US/firefox/addon/qr-code-image-generator/) - to send links to my phone
+ * [uBlock Origin](https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/) ([[!debpkg xul-ext-ublock-origin desc="debian
+   package"]], [source](https://github.com/gorhill/uBlock)) - making the web sane again
+ * [uMatrix](https://addons.mozilla.org/firefox/addon/umatrix/) (no debian package, [source](https://github.com/gorhill/uMatrix)) - making the web
+   somewhat safe again
+ * [wallabager](https://addons.mozilla.org/en-US/firefox/addon/wallabagger/) (no debian package, [source](https://github.com/wallabag/wallabagger)) - to YOLO a bunch
+   of links in a pile outside my web browser that I can read offline
+   thanks to [Wallabako](https://gitlab.com/anarcat/wallabako/)
 
 [dynamic number of pages]: https://developer.mozilla.org/en-US/docs/Mozilla/Tech/Places/Places_Expiration
 [keeps it for 90 days]: https://support.google.com/chrome/answer/95589
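Review bot: the link text "wallabager" on the wallabag entry does not match the add-on's actual name "wallabagger", which is what both URLs on that line use; the misspelling was already in the removed version of the list, so fix it while rewriting the entry. Minor: the uBlock Origin entry keeps the "debian package" directive split across two lines, which is fine for ikiwiki but worth joining for readability.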
@@ -68,24 +61,36 @@ I usually have those extensions installed:
 I am testing this:
 
  * [Smart HTTPS](https://addons.mozilla.org/en-US/firefox/addon/smart-https-revived/)
- * [Privacy Badger](https://www.eff.org/privacybadger), as a
-   replacement for the more aggressive uMatrix. Issues found: doesn't
-   allow blanket configuration (e.g. block cookies by default) and
-   difficult to make mass configuration.
- * [QR Code Image Generator](https://addons.mozilla.org/en-US/firefox/addon/qr-code-image-generator/)
- * [Addons compatibility reporter](https://addons.mozilla.org/en-US/firefox/addon/add-on-compatibility-reporter/) - will apparently be useless in
-   newer versions
+ * [Multi-account containers](https://github.com/mozilla/multi-account-containers/) - kind of useful, but also a bit
+   strange: impossible to assign an existing tab to a container, UI is
+   very clikety (can't open a container-specific tab from the
+   keyboard), etc.
 
 I removed those:
 
- * [adblock plus](https://addons.mozilla.org/fr/firefox/addon/1865) -
-   now selling ads! replaced with ublock
- * [yslow](https://addons.mozilla.org/fr/firefox/addon/5369) - now
-   more or less built-in
+ * [adblock plus](https://addons.mozilla.org/fr/firefox/addon/1865) - now selling ads! replaced with ublock
+ * [Addons compatibility reporter](https://addons.mozilla.org/en-US/firefox/addon/add-on-compatibility-reporter/) - useless since Firefox 57 /
+   Quantum, as incompatible extensions are just *disabled*
+ * [it's all text!](https://addons.mozilla.org/en-US/firefox/addon/its-all-text/) ([[!debpkg xul-ext-itsalltext desc="debian
+   package"]], [source](https://github.com/docwhat/itsalltext)) - now [obsolete](https://github.com/docwhat/itsalltext/issues/94)
+ * [yslow](https://addons.mozilla.org/fr/firefox/addon/5369) - now more or less built-in
  * [firebug](https://addons.mozilla.org/firefox/1843/) - same
  * [webdevelopper toolbar](https://addons.mozilla.org/firefox/60/) - builtin
  * [password hasher](https://addons.mozilla.org/fr/firefox/addon/3282) -
    has security issues
+ * [Privacy Badger](https://www.eff.org/privacybadger), tested as a replacement for the more
+   aggressive uMatrix. Issues: doesn't allow blanket configuration
+   (e.g. block cookies by default) and difficult to make mass
+   configuration. Very hard to edit the list of domains, sometimes
+   clicking on a domain would scroll back up. Doesn't block any Google
+   cookies when I visit their sites, which is a no-no for me.
+ * [U2F Support](https://addons.mozilla.org/en-US/firefox/addon/u2f-support-add-on/), is now unnecessary as it is builtin, starting
+   with FF 57 (see [issue #59](https://github.com/prefiks/u2f4moz/issues/59#issuecomment-325768286)). the upstream issue
+   was [#1065729](https://bugzilla.mozilla.org/show_bug.cgi?id=1065729)
+ * [zotero](https://www.zotero.org/) is in a bad shape in Debian. The "XUL" extension is
+   gone from Zotero 5.0, and the 4.0 extension will stop working
+   because upstream will drop support in 2018. Debian is scrambling to
+   package the newer version that is only standalone ([#871502](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871502))
 
 I know about the following password hashers, which all have issues, so
 I am now using a regular password manager for my web passwords:
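Review bot: the U2F Support entry says built-in support makes the add-on unnecessary from FF 57, but the built-in support only works once `security.webauth.u2f` is set to true (the pref this same page lists in its configuration section); say so in the entry, otherwise someone following it removes the add-on and finds Yubikey logins silently failing. Minor: "clikety" in the Multi-account containers entry.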
@@ -133,6 +138,11 @@ I have set the following configuration options:
  * `middlemouse.contentLoadURL` ([ref](http://kb.mozillazine.org/Middlemouse.contentLoadURL)):
    false (got used to chromium not doing that, and it seems too risky:
    passwords can leak in DNS too easily if you miss the field)
+ * [U2F configuration](https://wiki.mozilla.org/Security/CryptoEngineering#Using_U2F_.2F_WebAuthn):
+   * `security.webauth.u2f` - enable U2F token support, to use 2FA
+     with the Yubikey and other 2FA tokens
+   * `security.webauth.webauthn` - enable [WebAuthN](https://www.w3.org/TR/webauthn/) support, not
+     sure what that's for but it sounds promising
 
 Remaining issues
 ----------------
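Review bot: the two new `security.webauth.*` entries omit the value being set, while every other entry in this list gives one (true, false, 1, 3); add ": true" to both so the configuration is reproducible. For the second entry, WebAuthn is the W3C API (the spec linked on that line) that generalises U2F, so it is the setting that matters once sites move off the legacy U2F API.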

software of the month
diff --git a/software/packages.yml b/software/packages.yml
index 9a599c15..e4e3d04f 100644
--- a/software/packages.yml
+++ b/software/packages.yml
@@ -89,6 +89,7 @@
       - git-buildpackage
       - git-email
       - git-extras
+      - git-mediawiki
       - git-svn
       - glade
       - gocode
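Review bot: `git-mediawiki` is being added to software/packages.yml a second time; the commit "add a bunch of tools i installed in the last month" further down this log already added it to the list that contains git-annex and git-lfs. Keep it in one task only so the inventory stays deduplicated.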
@@ -131,6 +132,7 @@
       - python3-doc
       - python-jedi
       - python3-jedi
+      - python3-html2text
       - python-pip
       - python3-pip
       - python-pytest
@@ -266,6 +268,7 @@
       - xmonad
       - xplanet
       - xscreensaver
+      - xscreensaver-bsod
       - xterm
       - xul-ext-zotero
       - yubikey-personalization
@@ -399,8 +402,8 @@
       - gpredict
       - gqrx-sdr
       - multimon
-      - splat
       - soundmodem
+      - splat
       - xastir
  
   - name: install GPS tools

add a bunch of tools i installed in the last month
diff --git a/software/packages.yml b/software/packages.yml
index 9425c6e9..9a599c15 100644
--- a/software/packages.yml
+++ b/software/packages.yml
@@ -102,9 +102,11 @@
       - ikiwiki
       - ikiwiki-hosting-common
       - info
+      - inotify-tools
       - ipython
       - ipython3
       - jq
+      - kicad
       - libterm-readkey-perl
       - libtext-bibtex-perl
       - libsearch-xapian-perl
@@ -120,9 +122,13 @@
       - org-mode-doc
       - pastebinit
       - perl-doc
+      - po4a
       - pv
+      - pypi2deb
       - python
       - python3
+      - python3-betamax
+      - python3-doc
       - python-jedi
       - python3-jedi
       - python-pip
@@ -140,7 +146,9 @@
       - python-sphinx-rtd-theme
       - python3-sphinx-rtd-theme
       - python-ttystatus
+      - python3-unidecode
       - python-wheel
+      - python3-vcr
       - reprotest
       - tox
       - twine
@@ -154,6 +162,7 @@
       - subversion
       - time
       - twine
+      - ubuntu-dev-tools
       - vagrant
       - valgrind
       - vim
@@ -175,6 +184,7 @@
       - electrum
       - emacs
       - exiftool
+      - feed2exec
       - fim
       - firefox-esr
       - fonts-roboto
@@ -183,6 +193,7 @@
       - gameclock
       - git-annex
       - git-lfs
+      - git-mediawiki
       - gobby
       - gnutls-bin
       - hledger
@@ -280,6 +291,7 @@
     tags: sysadmin
     apt: name={{item}} state=installed
     with_items:
+      - analog
       - ansible
       - apt-transport-https
       - asciinema
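Review bot: the task header in the context lines uses `apt: name={{item}} state=installed`; `installed` is an alias of `state=present` in Ansible's apt module that was later deprecated, so switch to `state=present` while touching this task.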
@@ -294,6 +306,8 @@
       - dnsutils
       - etckeeper
       - f3
+      - git
+      - goaccess
       - gparted
       - hdparm
       - hopenpgp-tools
@@ -302,6 +316,7 @@
       - intel-microcode
       - ioping
       - ipcalc
+      - iperf3
       - libu2f-host0
       - memtest86+
       - moreutils
@@ -314,6 +329,7 @@
       - powertop
       - pv
       - pwgen
+      - rcs
       - reptyr
       - restic
       - rsync
@@ -329,6 +345,8 @@
       - tor
       - tuptime
       - whois
+      - wireguard-dkms
+      - wireguard-tools
       - wireshark
       - xterm
       - yubikey-personalization
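Review bot: `wireguard-dkms` builds the kernel module out of tree at install time and needs the `linux-headers` package matching the running kernel; no headers package appears in the visible part of this sysadmin list, so on a fresh host the dkms build fails and `wireguard-tools` ends up installed with no module to drive. Make sure the headers package for the installed kernel flavour is in the list.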
@@ -373,13 +391,16 @@
     tags: ham
     apt: name={{item}} state=installed
     with_items:
+      - ax25-apps
       - chirp
+      - direwolf
       - fldigi
       - gnuradio
       - gpredict
       - gqrx-sdr
       - multimon
       - splat
+      - soundmodem
       - xastir
  
   - name: install GPS tools

add more FF extensions i am using
diff --git a/software/desktop/firefox.mdwn b/software/desktop/firefox.mdwn
index 94b46b51..2afdba60 100644
--- a/software/desktop/firefox.mdwn
+++ b/software/desktop/firefox.mdwn
@@ -56,13 +56,26 @@ I usually have those extensions installed:
   ([[!debpkg zotero-standalone desc="zotero standalone debian package"]]
   and
   [[!debpkg xul-ext-zotero title"zotero extension debian package"]])
-* [Smart HTTPS](https://addons.mozilla.org/en-US/firefox/addon/smart-https-revived/)
+* [U2F Support](https://addons.mozilla.org/en-US/firefox/addon/u2f-support-add-on/), should be unnecessary starting with FF 57,
+  see [issue #59](https://github.com/prefiks/u2f4moz/issues/59#issuecomment-325768286). apparently, the magic setting is
+  `security.webauth.u2f true`. the upstream issue is [#1065729](https://bugzilla.mozilla.org/show_bug.cgi?id=1065729)
 
 [dynamic number of pages]: https://developer.mozilla.org/en-US/docs/Mozilla/Tech/Places/Places_Expiration
 [keeps it for 90 days]: https://support.google.com/chrome/answer/95589
 [site engagement]: https://www.chromium.org/developers/design-documents/site-engagement
 [infamous privacy intrusions]: https://lwn.net/Articles/648392/
 
+I am testing this:
+
+ * [Smart HTTPS](https://addons.mozilla.org/en-US/firefox/addon/smart-https-revived/)
+ * [Privacy Badger](https://www.eff.org/privacybadger), as a
+   replacement for the more aggressive uMatrix. Issues found: doesn't
+   allow blanket configuration (e.g. block cookies by default) and
+   difficult to make mass configuration.
+ * [QR Code Image Generator](https://addons.mozilla.org/en-US/firefox/addon/qr-code-image-generator/)
+ * [Addons compatibility reporter](https://addons.mozilla.org/en-US/firefox/addon/add-on-compatibility-reporter/) - will apparently be useless in
+   newer versions
+
 I removed those:
 
  * [adblock plus](https://addons.mozilla.org/fr/firefox/addon/1865) -

link to the blog series
diff --git a/software/desktop/firefox.mdwn b/software/desktop/firefox.mdwn
index ea9ede42..94b46b51 100644
--- a/software/desktop/firefox.mdwn
+++ b/software/desktop/firefox.mdwn
@@ -96,6 +96,10 @@ see. horrible. Hashing needs 100k+ iterations of PBKDF, see
 i need to ditch my password hasher. Sad. Should probably make a blog
 post or page about this from <https://wiki.koumbit.net/GestionDesMotDePasse>.
 
+Update: I *did* write an extensive series about passwords, password
+managers and password hashers. See
+[[blog/2017-03-02-password-hashers]].
+
 Configuration
 -------------
 

formatting issues
diff --git a/software/desktop/firefox.mdwn b/software/desktop/firefox.mdwn
index acf622e4..ea9ede42 100644
--- a/software/desktop/firefox.mdwn
+++ b/software/desktop/firefox.mdwn
@@ -101,19 +101,19 @@ Configuration
 
 I have set the following configuration options:
 
- * [browser.tabs.loadDivertedInBackground](http://kb.mozillazine.org/About:config_entries):
+ * `browser.tabs.loadDivertedInBackground` ([ref](http://kb.mozillazine.org/About:config_entries)):
    true (fixes an issue where focus would change to the firefox window
    (and workspace!) when clicking links in other apps
- * privacy.donottrackheader.enabled: true (maybe futile)
- * browser.safebrowsing.enabled: true (this downloads a list of sites
+ * `privacy.donottrackheader.enabled`: true (maybe futile)
+ * `browser.safebrowsing.enabled`: true (this downloads a list of sites
    in Mozille products, doesn't report indivudual sites to google...)
- * browser.search.defaultenginename: [searx.me](https://searx.me/)
+ * `browser.search.defaultenginename`: [searx.me](https://searx.me/)
    (default search engine)
- * [browser.startup.page](http://kb.mozillazine.org/Browser.startup.page):
+ * `browser.startup.page` ([ref](http://kb.mozillazine.org/Browser.startup.page)):
    3 (startup with previous session)
- * [network.cookie.cookieBehavior](http://kb.mozillazine.org/Network.cookie.cookieBehavior#3_2):
+ * `network.cookie.cookieBehavior` ([ref](http://kb.mozillazine.org/Network.cookie.cookieBehavior#3_2)):
    1 (no third-party cookies)
- * [middlemouse.contentLoadURL](http://kb.mozillazine.org/Middlemouse.contentLoadURL):
+ * `middlemouse.contentLoadURL` ([ref](http://kb.mozillazine.org/Middlemouse.contentLoadURL)):
    false (got used to chromium not doing that, and it seems too risky:
    passwords can leak in DNS too easily if you miss the field)
 
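Review bot: the backtick reformatting is fine, but the `browser.safebrowsing.enabled` entry describes a pref that Firefox split into `browser.safebrowsing.malware.enabled` and `browser.safebrowsing.phishing.enabled` some releases ago, so setting the old name does nothing; update the entry to the current prefs. The context lines also carry "Mozille" and "indivudual", worth fixing in the same pass.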

add smart https
diff --git a/software/desktop/firefox.mdwn b/software/desktop/firefox.mdwn
index 7a3a31b5..acf622e4 100644
--- a/software/desktop/firefox.mdwn
+++ b/software/desktop/firefox.mdwn
@@ -56,6 +56,7 @@ I usually have those extensions installed:
   ([[!debpkg zotero-standalone desc="zotero standalone debian package"]]
   and
   [[!debpkg xul-ext-zotero title"zotero extension debian package"]])
+* [Smart HTTPS](https://addons.mozilla.org/en-US/firefox/addon/smart-https-revived/)
 
 [dynamic number of pages]: https://developer.mozilla.org/en-US/docs/Mozilla/Tech/Places/Places_Expiration
 [keeps it for 90 days]: https://support.google.com/chrome/answer/95589

keyboard updates
diff --git a/hardware/keyboard.mdwn b/hardware/keyboard.mdwn
index 54f8bcfa..2e1e6d93 100644
--- a/hardware/keyboard.mdwn
+++ b/hardware/keyboard.mdwn
@@ -2,6 +2,11 @@ I [type so much](http://anarcat.koumbit.org/2010-03-22-working-too-much-computer
 
 [[!toc levels=2]]
 
+Update: I ended up buying a Rosewill RK-9000 with, I believe, Cherry
+MX blue keys. That turned out to be too noisy, even with my roommates
+being *in the next room*, so I do not use the keyboard except as a
+spare now (!).
+
 Requirements
 ============
 
@@ -10,6 +15,14 @@ Layout
 
 I like the [ANSI layout](https://en.wikipedia.org/wiki/Keyboard_layout#Mechanical.2C_visual_and_functional_layouts), [[!wikipedia QWERTY]] of course. Ideally, I would like to have an ANSI keyboard with the `«»` key added, but this doesn't seem to actually exist, and I don't like the oversized ISO enter key, as I used backslash a lot.
 
+No numpad
+---------
+
+I would like to have an external numeric keypad. This means less
+traveling between the keyboard and the mouse, which I still use more
+often than the keypad. I would need to get an external keypad, but
+that's easy to solve - even if it takes an extra USB port.
+
 Tactile feel
 ------------
 
@@ -20,10 +33,30 @@ Keyboard models
 
 So here is inventory of the (surprisingly) expensive alternatives...
 
+WASD
+----
+
+The [WASD](http://www.wasdkeyboards.com/) family has interesting
+model. The [WASD V2 87-Key Custom Mechanical Keyboard](http://www.wasdkeyboards.com/index.php/products/mechanical-keyboard/wasd-v2-87-key-custom-mechanical-keyboard.html) has the
+interesting feature of *not* having a numpad at all and customizable
+everything.
+
+ * 104/87/61 keys
+ * customizale layout and colors
+ * 2.0 lbs
+ * USB/PS2 (with adapter)
+ * made in taiwan, assembled in USA
+ * includes keycap puller
+ * DIP switches to control behavior
+ * no led backlight
+ * custom switches
+ * no windows logo (customizable)
+ * 145$, 185$ with o-rings and MX-clear
+
 CODE
 ----
 
-The [CODE keyboard](http://codekeyboards.com/) 
+The [CODE keyboard](http://codekeyboards.com/) is also made by WASD but has special specs.
 
  * 104 or 87 keys (ie. no keypad), US ANSI layout
  * 2.42 lbs
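Review bot: typos in the new WASD section: "has interesting model" should be "models", "customizale" should be "customizable", "taiwan" should be capitalised. The edited CODE line says it "has special specs" without saying which, so name the differences from the WASD V2 (switch options, backlight, weight) that justify a separate section.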

Added a comment: Yes… and… NO!!!
diff --git a/blog/2017-11-02-free-software-activities-october-2017/comment_3_10bfef1ae2696ebdd829ddb631351311._comment b/blog/2017-11-02-free-software-activities-october-2017/comment_3_10bfef1ae2696ebdd829ddb631351311._comment
new file mode 100644
index 00000000..494b5ea9
--- /dev/null
+++ b/blog/2017-11-02-free-software-activities-october-2017/comment_3_10bfef1ae2696ebdd829ddb631351311._comment
@@ -0,0 +1,14 @@
+[[!comment format=mdwn
+ ip="89.1.20.66"
+ claimedauthor="mirabilos"
+ subject="Yes… and… NO!!!"
+ date="2017-11-09T16:13:11Z"
+ content="""
+Hm. I used git-remote-mediawiki to dump all the Wikis into git branches when we removed MediaWiki from our FusionForge instances due to security reasons.
+
+On the other hand: NOOOOOOOOO! “It’s all text” is *so* basic, and now they break it. Firefox really is a barebones-but-bloated thing (I remember Opera having a lot more _actually useful_ functionality built in). Even lynx has that feature built-in (press ^Xe in a textarea).
+
+The suggested replacement doesn’t seem to be able to run xterm-based editors, so it’s not a replacement at all.
+
+I guess many people will stick with Firefox 45 ESR now (because 52 ESR also broke sound, except in Debian where it was still compiled with ALSA support).
+"""]]

Added a comment: git remote vs dump
diff --git a/blog/2017-11-02-free-software-activities-october-2017/comment_2_64b7a5f38401314b718a4829190f3bb5._comment b/blog/2017-11-02-free-software-activities-october-2017/comment_2_64b7a5f38401314b718a4829190f3bb5._comment
new file mode 100644
index 00000000..fe327415
--- /dev/null
+++ b/blog/2017-11-02-free-software-activities-october-2017/comment_2_64b7a5f38401314b718a4829190f3bb5._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ username="anarcat"
+ avatar="https://seccdn.libravatar.org/avatar/741655483dd8a0b4df28fb3dedfa7e4c"
+ subject="git remote vs dump"
+ date="2017-11-06T21:00:50Z"
+ content="""
+that's pretty awesome! I didn't know about those - thanks for the reference! The mediawiki remote, however, is much more powerful than just a dump script - it allows, in theory, two-way sync between the wiki and git...
+"""]]

Added a comment: gave up on git-mediawiki
diff --git a/blog/2017-11-02-free-software-activities-october-2017/comment_1_ac4ebdd2af4f12c6aa275fbb8ff6fc2d._comment b/blog/2017-11-02-free-software-activities-october-2017/comment_1_ac4ebdd2af4f12c6aa275fbb8ff6fc2d._comment
new file mode 100644
index 00000000..6ffd08ae
--- /dev/null
+++ b/blog/2017-11-02-free-software-activities-october-2017/comment_1_ac4ebdd2af4f12c6aa275fbb8ff6fc2d._comment
@@ -0,0 +1,11 @@
+[[!comment format=mdwn
+ ip="86.132.237.221"
+ claimedauthor="Jonathan"
+ url="jmtd.net"
+ subject="gave up on git-mediawiki"
+ date="2017-11-06T20:43:50Z"
+ content="""
+I was interested to read of your interactions with git-mediawiki. I was looking at using it for backing up mediawikis, too, and I hit all the problems you did. I ended up abandoning it and instead using the ArchiveTeam sub-team WikiTeam's backup/dump scripts, which worked for me: https://github.com/WikiTeam/wikiteam
+
+They were also a LOT faster. I've dumped doomwiki, nin.wiki and chocolate-doom.org so far.
+"""]]

optimized pic from gtmetrix.com
diff --git a/folipon.jpg b/folipon.jpg
index ac2b715f..cce2b82c 100644
Binary files a/folipon.jpg and b/folipon.jpg differ

extend feed to 100 entries, 10 is a little short if things become really active here
diff --git a/recentchanges.mdwn b/recentchanges.mdwn
index 31cf8aa8..aa563c9e 100644
--- a/recentchanges.mdwn
+++ b/recentchanges.mdwn
@@ -13,6 +13,6 @@ template=recentchanges show=0]]
 
 Archival link:
 
-[[!inline pages="*" feeds=yes feedonly=yes feedfile=archive show=10]]
+[[!inline pages="*" feeds=yes feedonly=yes feedfile=archive show=100]]
 
 The above link creates a machine-readable RSS feed that can be used to easily archive new changes to the site. It is used by internal scripts to do sanity checks on new entries in the wiki.

fix archive rss filename
diff --git a/recentchanges.mdwn b/recentchanges.mdwn
index 8d5ecd34..31cf8aa8 100644
--- a/recentchanges.mdwn
+++ b/recentchanges.mdwn
@@ -13,6 +13,6 @@ template=recentchanges show=0]]
 
 Archival link:
 
-[[!inline pages="*" feeds=yes feedonly=yes show=10]]
+[[!inline pages="*" feeds=yes feedonly=yes feedfile=archive show=10]]
 
 The above link creates a machine-readable RSS feed that can be used to easily archive new changes to the site. It is used by internal scripts to do sanity checks on new entries in the wiki.

add rss feed with all new pages
diff --git a/recentchanges.mdwn b/recentchanges.mdwn
index 472ca0c3..8d5ecd34 100644
--- a/recentchanges.mdwn
+++ b/recentchanges.mdwn
@@ -1,4 +1,4 @@
-[[!if test="enabled(meta)" then="""
+ [[!if test="enabled(meta)" then="""
 [[!meta title="RecentChanges"]]
 """]]
 Recent changes to this wiki. Not to be confused with my
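Review bot: the only change in this hunk is a leading space added before `[[!if test="enabled(meta)"` on the first line, which looks accidental given the commit message is about adding an RSS feed; drop it so the directive stays flush left and the diff stays minimal.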
@@ -10,3 +10,9 @@ Complete source to the wiki is available on
 
 [[!inline pages="internal(recentchanges/change_*) and !*/Discussion" 
 template=recentchanges show=0]]
+
+Archival link:
+
+[[!inline pages="*" feeds=yes feedonly=yes show=10]]
+
+The above link creates a machine-readable RSS feed that can be used to easily archive new changes to the site. It is used by internal scripts to do sanity checks on new entries in the wiki.

yet another broken link
diff --git a/hardware/camera.mdwn b/hardware/camera.mdwn
index a4958074..b4001bae 100644
--- a/hardware/camera.mdwn
+++ b/hardware/camera.mdwn
@@ -64,7 +64,7 @@ Con:
  * firmware still closed despite [heroic efforts to reverse-engineer it](https://nikonhacker.com)
  * 3 remote shutter cords connectors, none of which compatible with what i have - see [this documentation](http://www.doc-diy.net/photo/remote_pinout/) - upgrading from D7000 to the D700 means changing the connector!
 
-There's a way to hack that connector to accept more standard ones, see [this instructable document](www.instructables.com/id/Nikon-D90-MC-DC2-Remote-Shutter-Hack/).
+There's a way to hack that connector to accept more standard ones, see [this instructable document](http://www.instructables.com/id/Nikon-D90-MC-DC2-Remote-Shutter-Hack/).
 
 D300
 ----

more broken links
diff --git a/blog/2010-12-30-wikileaks-en-profondeur.mdwn b/blog/2010-12-30-wikileaks-en-profondeur.mdwn
index adbbc3bd..00165d42 100644
--- a/blog/2010-12-30-wikileaks-en-profondeur.mdwn
+++ b/blog/2010-12-30-wikileaks-en-profondeur.mdwn
@@ -4,7 +4,7 @@
 [[!meta updated="2011-03-15T19:52:40-0500"]]
 [[!meta guid="161 at http://anarcat.koumbit.org"]]
 
-J'ai participé à l'émission de radio <a href="http://ckut.ca/news.php">En Profondeur</a> qui a fait une émission spéciale sur <a href="http://wikileaks.org/">Wikileaks</a> le 13 décembre dernier. Pour les gens qui veulent un aperçu de la situation (à ce moment là! les choses évoluent vite) en audio, et peut-être plus complet que <a href="2010-12-12-wikileaks-le-soulevement-des-hackers">notre article précédent</a> publié dans le dernier numéro de <a href="http://www.ababord.org/">À Babord</a>.
+J'ai participé à l'émission de radio <a href="http://ckut.ca/news.php">En Profondeur</a> qui a fait une émission spéciale sur <a href="http://wikileaks.org/">Wikileaks</a> le 13 décembre dernier. Pour les gens qui veulent un aperçu de la situation (à ce moment là! les choses évoluent vite) en audio, et peut-être plus complet que <a href="../2010-12-12-wikileaks-le-soulevement-des-hackers">notre article précédent</a> publié dans le dernier numéro de <a href="http://www.ababord.org/">À Babord</a>.
 
 <a href="http://koumbit.org/">Koumbit</a> a également <a href="http://www.koumbit.org/articles/koumbit-prend-action-droit-information-transparence">pris position</a> par l'hébergement <a href="http://tor.koumbit.net/">d'un relai tor</a> ainsi que d'un <a href="http://wikileaks.koumbit.net/">mirroir Wikileaks</a>. Un dossier assez complet, avec un paquet de liens et d'informations est disponible <a href="https://wiki.koumbit.net/WikiLeaks">sur le Wiki de Koumbit</a>.
 <!--break-->
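Review bot: the fix replaces a bare relative href with `../2010-12-12-...`, which only resolves when the page is served as a directory index; the other link fixes in this log convert such links to wikilinks (e.g. `[[autre article|2005-11-07-elections-pieges-con]]`), which ikiwiki resolves regardless of URL layout. Use the same form here.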

Revert "git-annex automatic sync"
Not sure why git-annex removed that file, wasn't supposed to happen.
This reverts commit 55f8c618cc0b9f10aac153ba173431308380dfff.
diff --git a/blog/files/20101213.17.00-18.00.mp3 b/blog/files/20101213.17.00-18.00.mp3
new file mode 120000
index 00000000..48e331e9
--- /dev/null
+++ b/blog/files/20101213.17.00-18.00.mp3
@@ -0,0 +1 @@
+../../.git/annex/objects/69/8J/SHA256E-s28799104--4a95618e9fe1dcc1934f6a2219d5775c2806278248696ec26cd39c45a66d168a.00.mp3/SHA256E-s28799104--4a95618e9fe1dcc1934f6a2219d5775c2806278248696ec26cd39c45a66d168a.00.mp3
\ No newline at end of file

add long lost crap logo
diff --git a/images/title.gif b/images/title.gif
new file mode 100644
index 00000000..de17b9ca
Binary files /dev/null and b/images/title.gif differ

more broken links
diff --git a/blog/2007-03-10-elections-pieges-cons/comment_388._comment b/blog/2007-03-10-elections-pieges-cons/comment_388._comment
index 4f3ff767..c64f63bf 100644
--- a/blog/2007-03-10-elections-pieges-cons/comment_388._comment
+++ b/blog/2007-03-10-elections-pieges-cons/comment_388._comment
@@ -3,7 +3,7 @@
 date="2007-04-08 20:04:00"
 format="mdwn"
 username="anarcat"
-content="""Je viens de réaliser que j'avais déjà écrit un [autre article](/node/44) avec plus ou moins exactement le même titre, il y a deux ans, pour les élections municipales, et à ma surprise, j'ai écrit là que j'ai voté aux élections municipales, pour le parti éléphant blanc. C'est quand même drôle!
+content="""Je viens de réaliser que j'avais déjà écrit un [[autre article|2005-11-07-elections-pieges-con]] avec plus ou moins exactement le même titre, il y a deux ans, pour les élections municipales, et à ma surprise, j'ai écrit là que j'ai voté aux élections municipales, pour le parti éléphant blanc. C'est quand même drôle!
 
 J'ai découvert ça en cherchant [élections pièges à con](http://www.google.com/search?q=%C3%A9lections+pi%C3%A8ges+%C3%A0+cons) dans Google. Je suis deuxième dans la liste..."""
 avatar="http://cdn.libravatar.org/avatar/d41d8cd98f00b204e9800998ecf8427e"
diff --git a/blog/2013-02-03-live-radio-streaming-mpd-part-1.mdwn b/blog/2013-02-03-live-radio-streaming-mpd-part-1.mdwn
index c75856d1..6c11e944 100644
--- a/blog/2013-02-03-live-radio-streaming-mpd-part-1.mdwn
+++ b/blog/2013-02-03-live-radio-streaming-mpd-part-1.mdwn
@@ -151,6 +151,6 @@ Otherwise, this is a fairly standard MPD setup, although there are some special
     id3v1_encoding                  "UTF-8"
 
 
-This is the first part of a series of articles I intend to write about my MPD configuration, next ones detail the configuration of a dumb player and [RTP streaming](/node/190).
+This is the first part of a series of articles I intend to write about my MPD configuration, next ones detail the configuration of a dumb player and [[RTP streaming|2013-02-03-live-radio-streaming-mpd-part-1-multicast-rtp]].
 
-[[!tag "radio" "mpd" "geek" "freedombox" "free software" "debian-planet" "audio"]]
\ No newline at end of file
+[[!tag "radio" "mpd" "geek" "freedombox" "free software" "debian-planet" "audio"]]
diff --git a/blog/2013-02-03-live-radio-streaming-mpd-part-2-rtp/comment_94008._comment b/blog/2013-02-03-live-radio-streaming-mpd-part-2-rtp/comment_94008._comment
index 47938b3f..ec8ed025 100644
--- a/blog/2013-02-03-live-radio-streaming-mpd-part-2-rtp/comment_94008._comment
+++ b/blog/2013-02-03-live-radio-streaming-mpd-part-2-rtp/comment_94008._comment
@@ -3,6 +3,6 @@
 date="2013-02-04 19:40:57"
 format="mdwn"
 username="anarcat"
-content="""So as I mentionned in an edit in the post, there used to be a rant/troll about Pulseaudio in the body of the text, but since that seemed to be generating more responses than the actual subject of the post, I thought it was better to move the discussion to a [separate post](/node/191). Comments were moved along and were of course not edited in any shape or form."""
+content="""So as I mentionned in an edit in the post, there used to be a rant/troll about Pulseaudio in the body of the text, but since that seemed to be generating more responses than the actual subject of the post, I thought it was better to move the discussion to a [[separate post|2013-02-04-why-i-dont-pulseaudio]]. Comments were moved along and were of course not edited in any shape or form."""
 avatar="http://cdn.libravatar.org/avatar/d41d8cd98f00b204e9800998ecf8427e"
 ]]

still getting 404 on the node id equivalent of the tunisie article
diff --git a/blog/node/52.mdwn b/blog/node/52.mdwn
new file mode 100644
index 00000000..37c4f63d
--- /dev/null
+++ b/blog/node/52.mdwn
@@ -0,0 +1,2 @@
+[[!meta redir="/blog/2005-11-23-comment-la-tunisie-censure-linternet"]]
+[[!tag redirection]]

fix about 30 broken links found with linkchecker
diff --git a/blog/2008-02-24-blogging-time.mdwn b/blog/2008-02-24-blogging-time.mdwn
index 8b6dcdab..b85047a7 100644
--- a/blog/2008-02-24-blogging-time.mdwn
+++ b/blog/2008-02-24-blogging-time.mdwn
@@ -4,6 +4,6 @@
 [[!meta updated="2012-12-14T23:33:25-0500"]]
 [[!meta guid="130 at http://anarcat.koumbit.org"]]
 
-Après plus de <a href="/user/anarcat">2 ans de blogging</a> plus ou moins continu, j'ai finalement décidé de me créer un "<a href="http://technorati.com/claim/bpuqenqeqs" rel="me">Technorati Profile</a>". J'ai jamais vraiment bien compris ça servait à quoi ce bidule, mais bon, c'est du geekage de dimanche soir, ça a jamais fait de mal à personne...
+Après plus de 2 ans de blogging plus ou moins continu, j'ai finalement décidé de me créer un "<a href="http://technorati.com/claim/bpuqenqeqs" rel="me">Technorati Profile</a>". J'ai jamais vraiment bien compris ça servait à quoi ce bidule, mais bon, c'est du geekage de dimanche soir, ça a jamais fait de mal à personne...
 
-[[!tag "geek" "meta"]]
\ No newline at end of file
+[[!tag "geek" "meta"]]
diff --git a/blog/2010-12-30-wikileaks-en-profondeur.mdwn b/blog/2010-12-30-wikileaks-en-profondeur.mdwn
index 3ea28439..adbbc3bd 100644
--- a/blog/2010-12-30-wikileaks-en-profondeur.mdwn
+++ b/blog/2010-12-30-wikileaks-en-profondeur.mdwn
@@ -4,10 +4,10 @@
 [[!meta updated="2011-03-15T19:52:40-0500"]]
 [[!meta guid="161 at http://anarcat.koumbit.org"]]
 
-J'ai participé à l'émission de radio <a href="http://ckut.ca/news.php">En Profondeur</a> qui a fait une émission spéciale sur <a href="http://wikileaks.org/">Wikileaks</a> le 13 décembre dernier. Pour les gens qui veulent un aperçu de la situation (à ce moment là! les choses évoluent vite) en audio, et peut-être plus complet que <a href="/node/160">notre article précédent</a> publié dans le dernier numéro de <a href="http://www.ababord.org/">À Babord</a>.
+J'ai participé à l'émission de radio <a href="http://ckut.ca/news.php">En Profondeur</a> qui a fait une émission spéciale sur <a href="http://wikileaks.org/">Wikileaks</a> le 13 décembre dernier. Pour les gens qui veulent un aperçu de la situation (à ce moment là! les choses évoluent vite) en audio, et peut-être plus complet que <a href="2010-12-12-wikileaks-le-soulevement-des-hackers">notre article précédent</a> publié dans le dernier numéro de <a href="http://www.ababord.org/">À Babord</a>.
 
 <a href="http://koumbit.org/">Koumbit</a> a également <a href="http://www.koumbit.org/articles/koumbit-prend-action-droit-information-transparence">pris position</a> par l'hébergement <a href="http://tor.koumbit.net/">d'un relai tor</a> ainsi que d'un <a href="http://wikileaks.koumbit.net/">mirroir Wikileaks</a>. Un dossier assez complet, avec un paquet de liens et d'informations est disponible <a href="https://wiki.koumbit.net/WikiLeaks">sur le Wiki de Koumbit</a>.
 <!--break-->
-Je joins ici une <a href="/files/4032-1-report.mp3">version résumée du podcast</a> ainsi que <a href="/files/20101213.17.00-18.00.mp3">l'archive originale</a> de <a href="http://ckut.ca/>CKUT.ca</a>. Voir aussi <a href="http://www.radio4all.net/index.php/program/48288">l'archive sur radio4all.net</a>.
+Je joins ici une <a href="/blog/files/4032-1-report.mp3">version résumée du podcast</a> ainsi que <a href="/blog/files/20101213.17.00-18.00.mp3">l'archive originale</a> de <a href="http://ckut.ca/>CKUT.ca</a>. Voir aussi <a href="http://www.radio4all.net/index.php/program/48288">l'archive sur radio4all.net</a>.
 
-[[!tag "ckut" "hacker" "radio" "wikileaks" "interview"]]
\ No newline at end of file
+[[!tag "ckut" "hacker" "radio" "wikileaks" "interview"]]
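Review bot: the CKUT anchor on the second `+` line is still missing the closing quote of its `href` (`<a href="http://ckut.ca/>CKUT.ca</a>`), so the attribute value swallows `>CKUT.ca</a>` and the link renders without text; since the line is being rewritten anyway to move the mp3 paths under `/blog/files/`, close it: `<a href="http://ckut.ca/">CKUT.ca</a>`. The first `+` line also mixes link styles: `2010-12-12-wikileaks-le-soulevement-des-hackers` is a bare relative path that only works because this file lives in `blog/`, while the mp3 links on the same hunk are absolute; an ikiwiki `[[text|page]]` wikilink, as used in the spam-filtering hunk below, would survive a move and be reported as broken if the target is wrong.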
diff --git a/blog/2011-01-02-mes-lecteurs-lan-dernier.mdwn b/blog/2011-01-02-mes-lecteurs-lan-dernier.mdwn
index 05bfa88f..3991621f 100644
--- a/blog/2011-01-02-mes-lecteurs-lan-dernier.mdwn
+++ b/blog/2011-01-02-mes-lecteurs-lan-dernier.mdwn
@@ -22,22 +22,22 @@ Le site en général est classé 464,494e sur le [million de sites](http://www.a
 Visites mensuelles
 ==================
 
-<img src="/files/monthly-2010.png" alt="fréquentation par mois"/>
+<img src="/blog/files/monthly-2010.png" alt="fréquentation par mois"/>
 
-Le mois le plus fréquenté fut mai 2010, avec 766 visites, probablement avec la publication [de l'article sur Prank dial](/2010-05-01-prankdial-et-l%C3%A9coute-%C3%A9lectronique), qui continue de recevoir un nombre significatif de visites, principalement de Google. Celui-ci est suivi de près par le mois de mars 2010, avec 756 visites, peut-être à cause de la publication de [l'article sur le HP Mini 10"](/2010-03-18-hp-mini-10-netbook-doom). Le taux mensuel de visites est satisfaisant, et semble se stabiliser à environ 475 visites par mois, un nombre respectable.
+Le mois le plus fréquenté fut mai 2010, avec 766 visites, probablement avec la publication [de l'article sur Prank dial](/blog/2010-05-01-prankdial-et-l%C3%A9coute-%C3%A9lectronique), qui continue de recevoir un nombre significatif de visites, principalement de Google. Celui-ci est suivi de près par le mois de mars 2010, avec 756 visites, peut-être à cause de la publication de [l'article sur le HP Mini 10"](/blog/2010-03-18-hp-mini-10-netbook-doom). Le taux mensuel de visites est satisfaisant, et semble se stabiliser à environ 475 visites par mois, un nombre respectable.
 
 
 Articles populaires
 ===================
 
-Les articles plus populaires sont la [présentation technique de Prankdial](/2010-05-01-prankdial-et-lécoute-électronique), avec 892 visites, suivi de très près par  l'[analyse de la censure en Tunisie](/censuretunisie) (lié de [l'article Wikipedia sur la question](http://en.wikipedia.org/wiki/Internet_censorship_in_Tunisia)), avec 888 visites. Les articles sur [ma mauvaise expérience avec le HP Mini 10"](/2010-03-18-hp-mini-10-netbook-doom), [le HMAC et le hashing des secrets](/2010-01-29-do-hash-secrets-also-use-hmac) et [le respectable article de 2007 sur les augmentation de loyer](/2007-02-14-calculer-son-augmentation-de-loyer) (avec respectivement 539, 389 et 325 visites sur l'année).
+Les articles plus populaires sont la [présentation technique de Prankdial](/blog/2010-05-01-prankdial-et-lécoute-électronique), avec 892 visites, suivi de très près par  l'[analyse de la censure en Tunisie](/censuretunisie) (lié de [l'article Wikipedia sur la question](http://en.wikipedia.org/wiki/Internet_censorship_in_Tunisia)), avec 888 visites. Les articles sur [ma mauvaise expérience avec le HP Mini 10"](/blog/2010-03-18-hp-mini-10-netbook-doom), [le HMAC et le hashing des secrets](/blog/2010-01-29-do-hash-secrets-also-use-hmac) et [le respectable article de 2007 sur les augmentation de loyer](/blog/2007-02-14-calculer-son-augmentation-de-loyer) (avec respectivement 539, 389 et 325 visites sur l'année).
 
 Fidélité des lecteurs
 =====================
 
 Par contre, la fidélité de mes lecteurs semble avoir varié énormément et diminué depuis 2009.
 
-<img src="/files/fidelite-2010.png" alt="fidélité en 2010" />
+<img src="/blog/files/fidelite-2010.png" alt="fidélité en 2010" />
 
 Il y avait de 50 à 100 visiteurs réguliers de ce site jusqu'à mai 2010. À ce moment, le chiffre est descendu à 20-25 visiteurs réguliers. Ceci est probablement à cause du silence virtuel que je me semble être imposé entre mai et novembre où aucun article a été publié! Mauvais pour garder ses lecteurs... 
 
@@ -46,25 +46,25 @@ Origine
 
 Ces lecteurs sont principalement nord-américains (55%) et européens (38%): 
 
-<img src="/files/origine-continent-2010.png" />
+<img src="/blog/files/origine-continent-2010.png" />
 
 Plus précisément...
 
-<img src="/files/origine-2010.png" />
+<img src="/blog/files/origine-2010.png" />
 
 ...ces lecteurs proviennent principalement du Canada (29%), suivi de près par les États-Unis (27%) et la France (24%). Le 20% restant est composé de 80 autres pays du monde, variant de l'Allemagne à la Turquie, du Brésil à la Hongrie, en passant par le Japon, la Chine, l'Inde, l'Australie, le Danmark, et j'en passe!
 
 Fournisseurs d'accès
 ====================
 
-<img src="/files/isp-2010.png" />
+<img src="/blog/files/isp-2010.png" />
 
 Du côté plus technique, j'ai pu analyser aussi de quels fournisseurs d'accès internet (FAI) proviennent mes utilisateurs, de façon très crûe. Entre les deux mammouth préhistoriques, Vidéotron (12%) remporte la palme sur Bell Canada (6%). Mais la plus grande partie des visites provient de fournisseurs non-identifiés (28%) ou d'autres fournisseurs très variés (47%), ce qui reflète une encourageante diversité des fournisseurs sur la toile.
 
 Navigateurs web
 ===============
 
-<img src="/files/ua-2010.png" />
+<img src="/blog/files/ua-2010.png" />
 
 Parmis les navigateurs, on peut voir que IE n'a pas la marque parmis les lecteurs, avec un maigre 33% de la tarte. Il est facilement battu par l'engin Gecko derrière [Firefox](http://getfirefox.com/) (43%) ainsi que l'engin Webkit (17%) derrière [Chrome](http://www.google.com/chrome) et Safari. J'utilise personnellement [Chromium](http://www.chromium.org/), la version complètement libre et sans frioriture du nagivateur Chrome. On peut donc remarquer que le logiciel libre domine avec 60% de mes lecteurs. Pour les autres encore sur IE: il n'est jamais trop tard pour changer, c'est facile et plus sécuritaire!
 
@@ -73,7 +73,7 @@ Systèmes d'exploitation
 
 (Avoir eu plus de temps et d'esprit, j'aurais fait un joli graphique sur les gens de gauche ou de droite, voire communistes, capitalistes, libéraux, conservateurs ou socio-démocrates, mais vous savez bien que c'est pas mon genre. Restons-en donc à la technique, parce que à ce que je sache, votre navigateur web n'indique pas (pour l'instant) votre penchant politique, même si Google Reader et les autres lecteurs de flux RSS en ligne pourraient probablement permettre une analyse du genre.)
 
-<img src="/files/os-2010.png" />
+<img src="/blog/files/os-2010.png" />
 
 Je m'avoue ici un peu déçu: seulement 15% d'utilisateurs de GNU/Linux? Un immense 68% des lecteurs utilisent encore Windows, avec un impressionnant 43% encore coincés sur le désuet Windows XP, dont la dernière version supportée et officielle date de mai 2008!
 
@@ -87,12 +87,12 @@ Fait intéressant, on note 55% des utilisateurs maintenant en "wide-screen", c'e
 Provenance
 ==========
 
-<img src="/files/prov-2010.png" />
+<img src="/blog/files/prov-2010.png" />
 
 Il semblerait que la plupart des visites proviennent des engins de recherche (45% des visites) suivi par des lecteurs provenant d'autres sites (33%). Mes fidèles lecteurs pourraient donc constituer le 22% restant des visites, soit 1400 visites sur l'année 2010.
 
-<img src="/files/se-2010.png" />
+<img src="/blog/files/se-2010.png" />
 
 De ces engins de recherche, Google domine évidemment, avec 86% des visites, suivi par un ridicule 7% pour l'engin Bing de Microsoft et 5% pour l'ancêtre, Yahoo.
 
-[[!tag "stats" "meta"]]
\ No newline at end of file
+[[!tag "stats" "meta"]]
diff --git a/blog/2012-09-24-improvements-spam-filtering-after-year-tests.mdwn b/blog/2012-09-24-improvements-spam-filtering-after-year-tests.mdwn
index c52e8bac..71041732 100644
--- a/blog/2012-09-24-improvements-spam-filtering-after-year-tests.mdwn
+++ b/blog/2012-09-24-improvements-spam-filtering-after-year-tests.mdwn
@@ -26,7 +26,7 @@ In other words, the filter works very well at marking spam, so well in fact that
 
 And this is only the spam module filters: the CAPTCHA module tells me it's blocked 26535 attempts (26 *thousand*) - amazing.
 
-So overall, the [solutions I put in place a year ago](/node/173) work, somehow, but are too aggressive. I have therefore bumped the threshold from 65% to 80%, hopefully that will help with this.
+So overall, the [[solutions I put in place a year ago|2011-09-28-fighting-spam-your-drupal-site-inventory-and-evaluation-solutions]] work, somehow, but are too aggressive. I have therefore bumped the threshold from 65% to 80%, hopefully that will help with this.
 
 I have also updated the [Honeypot module](https://drupal.org/project/honeypot) since they have done [lots of releases since 1.5](https://drupal.org/node/1232556/release), [fixed the issue I reported](https://drupal.org/node/1264822) *and* it's now [in use on Drupal.org](https://drupal.org/node/1759272) after some tweaking by our [venerable webmaster killes](https://drupal.org/user/227).
 
@@ -34,4 +34,4 @@ If this fails, I will look again at other solutions, like the [blogspam plugin](
 
 (Note to self: I have also removed around 150 comments sitting in the spam module moderation queue, that it didn't seem to remove as it should have done.)
 
-[[!tag "debian-planet" "drupal" "geek" "meta" "spam"]]
\ No newline at end of file
+[[!tag "debian-planet" "drupal" "geek" "meta" "spam"]]
diff --git a/blog/2013-02-03-live-radio-streaming-mpd-part-1-multicast-rtp.mdwn b/blog/2013-02-03-live-radio-streaming-mpd-part-1-multicast-rtp.mdwn
index 260ba165..65791dd1 100644
--- a/blog/2013-02-03-live-radio-streaming-mpd-part-1-multicast-rtp.mdwn
+++ b/blog/2013-02-03-live-radio-streaming-mpd-part-1-multicast-rtp.mdwn
@@ -4,9 +4,9 @@
 [[!meta updated="2013-02-04T19:45:46-0500"]]
 [[!meta guid="190 at http://anarcat.koumbit.org"]]
 
-The [previous article](/node/189) was introducing basic streaming principles based on Icecast. The issue with this, of course, is lag and overhead of HTTP-based connexions. In this article we introduce [RTP](https://en.wikipedia.org/wiki/Real-time_Transport_Protocol)-based streaming system, ([unfortunately](/node/191)) based on [Pulseaudio](http://pulseaudio.org/) and [multicast](https://en.wikipedia.org/wiki/Multicast).
+The [[previous article|2013-02-03-live-radio-streaming-mpd-part-1]] was introducing basic streaming principles based on Icecast. The issue with this, of course, is lag and overhead of HTTP-based connexions. In this article we introduce [RTP](https://en.wikipedia.org/wiki/Real-time_Transport_Protocol)-based streaming system, ([[unfortunately|2013-02-04-why-i-dont-pulseaudio]] based on [Pulseaudio](http://pulseaudio.org/) and [multicast](https://en.wikipedia.org/wiki/Multicast).
 <!--break-->
-*(Update: there was a [rant](/node/191) here about Pulseaudio (PA) that I have moved out of this post because it's not what I was aiming to talk about. Those wanting to answer that troll are welcome to [join the flamewar here](/node/191).)*
+*(Update: there was a [[rant|2013-02-04-why-i-dont-pulseaudio]] here about Pulseaudio (PA) that I have moved out of this post because it's not what I was aiming to talk about. Those wanting to answer that troll are welcome to [[join the flamewar here|2013-02-04-why-i-dont-pulseaudio]].)*
 
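Review bot: the first `+` line drops the closing parenthesis that the `-` line had after the link: `([unfortunately](/node/191)) based on` became `([[unfortunately|2013-02-04-why-i-dont-pulseaudio]] based on`, which leaves the parenthetical open for the rest of the sentence. Restore it as `([[unfortunately|2013-02-04-why-i-dont-pulseaudio]]) based on`.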
 A word on multicast
 -------------------
@@ -134,4 +134,4 @@ I got a lot of information in the [Pulseaudio MPD wiki page](http://mpd.wikia.co
 
 The [Pulseaudio Network documentation](http://www.freedesktop.org/wiki/Software/PulseAudio/Documentation/User/Network) has a set of recipes for using pulseaudio for everything. This [Ask Ubuntu question](http://askubuntu.com/questions/28039/how-to-stream-music-over-the-network-to-multiple-computers) explains how to clikety your way through `paprefs` to essentially do the above.
 
-[[!tag "audio" "debian-planet" "free software" "freedombox" "geek" "mpd" "radio" "rtp"]]
\ No newline at end of file
+[[!tag "audio" "debian-planet" "free software" "freedombox" "geek" "mpd" "radio" "rtp"]]
diff --git a/blog/2013-02-04-why-i-dont-pulseaudio.mdwn b/blog/2013-02-04-why-i-dont-pulseaudio.mdwn
index 6675c25f..1fb22d40 100644
--- a/blog/2013-02-04-why-i-dont-pulseaudio.mdwn
+++ b/blog/2013-02-04-why-i-dont-pulseaudio.mdwn
@@ -4,7 +4,7 @@
 [[!meta updated="2013-02-04T19:57:49-0500"]]
 [[!meta guid="191 at http://anarcat.koumbit.org"]]
 
-(*This rant was originally part of the [live streaming series](node/190), but I moved it to a separate article because people got stuck on it instead of responding to the actual subject of the article.*)
+(*This rant was originally part of the [[live streaming series|2013-02-03-live-radio-streaming-mpd-part-1-multicast-rtp]], but I moved it to a separate article because people got stuck on it instead of responding to the actual subject of the article.*)
 
 Before I get flamed for attacking Pulseaudio (PA), let's just settle this: I don't like it. I think PA is over-engineered and tries to do too many things at once. I used to (until just now) systematically purge `pulseaudio`-related packages from my system, mainly because PA has this awful tendency of automatically starting *and staying around eternally*, which wouldn't be so bad except PA has also the bad habit of hogging the audio device exclusively, which makes regular programs like `mplayer`, `ogg123` fail to simply play audio, unless they go through the PA straight-jacket. (*Update*: this seems to be a bit better in newer versions of PA, where the audio device is released when sound is not being played. Thanks Philipp Kern for the correction.)
 
@@ -13,4 +13,4 @@ In the GNU/Linux audio stack, we *already* have *another* system that supports m
 The other beef I have with PA is the [Not Invented Here syndrome](https://en.wikipedia.org/wiki/Not_Invented_Here): instead of extending existing tools like ALSA or Jack, people just figured they could do everything better and start from scratch. So now [we just have one more "standard" way of playing audio](https://xkcd.com/927/), good job [Lennart](https://en.wikipedia.org/wiki/Lennart_Poettering).
 
 
-[[!tag "audio" "debian-planet" "software" "troll"]]
\ No newline at end of file
+[[!tag "audio" "debian-planet" "software" "troll"]]
diff --git a/services/dns.mdwn b/services/dns.mdwn
index 1e283346..55cfd25c 100644
--- a/services/dns.mdwn
+++ b/services/dns.mdwn
@@ -38,4 +38,4 @@ Relié
  * [[mesh]]
  * [[wifi]]
 
-Voir aussi [Zytrax.com](www.zytrax.com/books/dns/), une excellente documentation de BIND.
+Voir aussi [Zytrax.com](http://www.zytrax.com/books/dns/), une excellente documentation de BIND.
diff --git a/services/wifi/wep.mdwn b/services/wifi/wep.mdwn
index 59f76451..461c1ba4 100644
--- a/services/wifi/wep.mdwn
+++ b/services/wifi/wep.mdwn
@@ -89,4 +89,4 @@ References
 ==========
 

(diff truncated)
another common 404 redirection
diff --git a/censuretunisie.mdwn b/censuretunisie.mdwn
new file mode 100644
index 00000000..b62c327b
--- /dev/null
+++ b/censuretunisie.mdwn
@@ -0,0 +1,2 @@
+[[!meta redir="blog/2005-11-23-comment-la-tunisie-censure-linternet"]]
+[[!tag redirection]]

add missing redirection from really old site
diff --git a/pgp.mdwn b/pgp.mdwn
new file mode 100644
index 00000000..aff71248
--- /dev/null
+++ b/pgp.mdwn
@@ -0,0 +1,2 @@
+[[!meta redir="contact"]]
+[[!tag redirection]]

publish on planets
diff --git a/blog/2017-11-02-free-software-activities-october-2017.mdwn b/blog/2017-11-02-free-software-activities-october-2017.mdwn
index 87692dd1..15f02b46 100644
--- a/blog/2017-11-02-free-software-activities-october-2017.mdwn
+++ b/blog/2017-11-02-free-software-activities-october-2017.mdwn
@@ -389,4 +389,4 @@ over the month.
    
 > There is no [web extension] only XUL! - [Inside joke](https://en.wikipedia.org/wiki/XUL#Etymology_and_Ghostbusters_references)
 
-[[!tag debian feed2exec git haskell mediawiki debian-lts software geek free]]
+[[!tag debian feed2exec git haskell mediawiki debian-lts software geek free debian-planet python-planet]]

fix 404 and title
diff --git a/blog/2017-11-02-free-software-activities-october-2017.mdwn b/blog/2017-11-02-free-software-activities-october-2017.mdwn
index a92d6d1e..87692dd1 100644
--- a/blog/2017-11-02-free-software-activities-october-2017.mdwn
+++ b/blog/2017-11-02-free-software-activities-october-2017.mdwn
@@ -178,7 +178,7 @@ I am keeping a steady flow of releases. I wish there was a way to see
 how effective I am at reaching out with this project, but
 unfortunately [GitLab doesn't provide usage statistics](https://gitlab.com/gitlab-org/gitlab-ce/issues/21743)... And I
 have received only a few comments on IRC about the project, so maybe I
-need to [reach out more](https://twitter.com/theanarcat/status/926104482076876800) like it says in
+need to [reach out more](https://twitter.com/theanarcat/status/926106023022219265) like it says in
 the [fine manual](https://opensource.guide/finding-users/). Always feels strange to have to promote your
 project like it's some new bubbly soap...
 
@@ -187,8 +187,8 @@ production-ready 1.0.0. I am also thinking of making a small
 screencast to show the basic capabilities of the software, maybe
 with [asciinema's upcoming audio support](https://github.com/asciinema/asciinema-server/issues/63)?
 
-Haskell programming
--------------------
+Pandoc filters
+--------------
 
 As I mentioned earlier, I dove again in Haskell programming when
 working on the git-annex security update. But I also have a small

creating tag page tag/mediawiki
diff --git a/tag/mediawiki.mdwn b/tag/mediawiki.mdwn
new file mode 100644
index 00000000..3a780c79
--- /dev/null
+++ b/tag/mediawiki.mdwn
@@ -0,0 +1,4 @@
+[[!meta title="pages tagged mediawiki"]]
+
+[[!inline pages="tagged(mediawiki)" actions="no" archive="yes"
+feedshow=10]]

creating tag page tag/haskell
diff --git a/tag/haskell.mdwn b/tag/haskell.mdwn
new file mode 100644
index 00000000..46988699
--- /dev/null
+++ b/tag/haskell.mdwn
@@ -0,0 +1,4 @@
+[[!meta title="pages tagged haskell"]]
+
+[[!inline pages="tagged(haskell)" actions="no" archive="yes"
+feedshow=10]]

prepare monthly report blog post
diff --git a/blog/2017-11-02-free-software-activities-october-2017.mdwn b/blog/2017-11-02-free-software-activities-october-2017.mdwn
new file mode 100644
index 00000000..a92d6d1e
--- /dev/null
+++ b/blog/2017-11-02-free-software-activities-october-2017.mdwn
@@ -0,0 +1,392 @@
+[[!meta title="October 2017 report: LTS, feed2exec beta, pandoc filters, git mediawiki"]]
+
+[[!toc levels=2]]
+
+Debian Long Term Support (LTS)
+==============================
+
+This is my monthly [Debian LTS][] report. This time I worked on the
+famous KRACK attack, git-annex, golang and the continuous stream of
+GraphicsMagick security issues.
+
+[Debian LTS]: https://www.freexian.com/services/debian-lts.html
+
+WPA & KRACK update
+------------------
+
+I spent most of my time this month on the [Linux WPA code](http://w1.fi/wpa_supplicant/), to
+backport it to the old (~2012) `wpa_supplicant` release. I
+first [published](https://lists.debian.org/87k1zlbfbe.fsf@curie.anarc.at) a patchset based on the patches shipped after the
+embargo for the oldstable/jessie release. After feedback from the
+list, I also [built packages for i386 and ARM](https://lists.debian.org/87bmktlo9f.fsf@angela.anarc.at).
+
+I have also reviewed the [WPA protocol](https://en.wikipedia.org/wiki/Wi-Fi_Protected_Access) to make sure I understood
+the implications of the changes required to backport the patches. For
+example, I removed the patches touching the WNM sleep mode code as
+that was introduced only in the 2.0 release. Chunks of code regarding
+state tracking were also not backported as they are part of the state
+tracking code introduced later, in [3ff3323](http://w1.fi/cgit/hostap/commit/?id=bb598c3bdd0616f0c15e1a42e99591d8f3ff3323). Finally, I still have
+concerns about the nonce setup in patch #5. In the last chunk, you'll
+notice `peer->tk` is reset, to_set to negotiate a new `TK`. The other
+approach I considered was to backport [1380fcbd9f](http://w1.fi/cgit/hostap/commit/?id=1380fcbd9f) ("*TDLS: Do not
+modify RNonce for an TPK M1 frame with same INonce*") but I figured I
+would play it safe and not introduce further variations.
+
+I should note that I share [Matthew Green's observations](https://blog.cryptographyengineering.com/2017/10/16/falling-through-the-kracks/) regarding
+the opacity of the protocol. Normally, network protocols are freely
+available and security researchers like me can easily review them. In
+this case, I would have needed to read the
+opaque [802.11i-2004 pdf](http://standards.ieee.org/getieee802/download/802.11i-2004.pdf) which is behind a [TOS](https://en.wikipedia.org/wiki/Terms_of_service) wall at
+the [IEEE](https://en.wikipedia.org/wiki/Institute_of_Electrical_and_Electronics_Engineers). I ended up reading up on the [IEEE_802.11i-2004](https://en.wikipedia.org/wiki/IEEE_802.11i-2004)
+Wikipedia article which gives a simpler view of the protocol. But it's
+a real problem to see such critical protocols developed behind closed
+doors like this.
+
+At [Guido's suggestion](https://lists.debian.org/20171024061447.yeaxb6njunrtpvyg@bogon.m.sigxcpu.org), I [sent the final patch upstream](https://lists.debian.org/878tfxlgqq.fsf@angela.anarc.at)
+explaining the concerns I had with the patch. I have not, at the time
+of writing, received any response from upstream about this,
+unfortunately. I uploaded the fixed packages as [DLA 1150-1](https://lists.debian.org/20171031144826.enjjqbqvsu2cohy2@curie.anarc.at) on
+October 31st.
+
+Git-annex
+---------
+
+The next big chunk on my list was completing the work on git-annex
+([[!debcve CVE-2017-12976]]) that I started in August. It turns out
+doing the backport was simpler than I expected, even with my rusty
+experience with Haskell. Type-checking really helps in doing the right
+thing, especially considering how Joey Hess implemented the fix: by
+introducing a new type.
+
+So I [backported the patch from upstream](https://lists.debian.org/87she9bn4c.fsf@curie.anarc.at) and notified the security
+team that the jessie and stretch updates would be similarly easy. I
+shipped the backport to LTS as [DLA-1144-1](https://lists.debian.org/debian-lts-announce/2017/10/msg00026.html). I also [shared](https://lists.debian.org/87wp3ikmf0.fsf@angela.anarc.at) the
+updated packages for jessie (which required a similar backport) and
+stretch (which didn't) and those Sebastien Delafond published those
+as [DSA 4010-1](https://lists.debian.org/E1e94i7-0002xZ-9O@seger.debian.org).
+
+Graphicsmagick
+--------------
+
+Up next was yet another security vulnerability in the Graphicsmagick
+stack. This involved the usual deep dive into intricate and sometimes
+just unreasonable C code to try and fit a round tree in a square
+sinkhole. I'm always unsure about those patches, but the test suite
+passes, smoke tests show the vulnerability as fixed, and that's pretty
+much as good as it gets.
+
+The announcement ([DLA 1154-1](https://lists.debian.org/20171031174800.q262mmqkt3ccxxc7@curie.anarc.at)) turned out to be a little special
+because I had previously [noticed](https://lists.debian.org/87she4k3gt.fsf@angela.anarc.at) that the penultimate
+announcement (DLA 1130-1) was never sent out. So I made a merged
+announcement to cover both instead of re-sending the original 3 weeks
+late, which may have been confusing for our users.
+
+Triage & misc
+-------------
+
+We always do a bit of triage even when not on frontdesk duty, so I:
+
+ * sent [another ping to the ca-certificates maintainer](https://lists.debian.org/87efpuc95w.fsf@curie.anarc.at)
+
+ * triaged Puppet's [[!debcve CVE-2016-5714]] out of wheezy and other
+   suites, after a thorough analysis of the what has become
+   the [intricate numbering scheme for Puppet suites](https://puppet.com/docs/puppet/4.10/about_agent.html)
+
+ * triaged ImageMagick as not affecting in wheezy and jessie, but it
+   turned out the latter was a little too enthusiastic as the team
+   wanted to wait for upstream confirmation before skipping jessie
+
+ * did some research on tiff's [[!debcve CVE-2017-11613]] (skipped by
+   RHEL) and [[!debcve CVE-2017-9935]] (no fix upstream)
+
+I also did smaller bits of work on:
+
+ * worked on a patch to add a `dch --lts` flag in [[!debbug 762715]]
+   which is currently pending review
+
+ * [golang](https://tracker.debian.org/pkg/golang)'s [[!debcve CVE-2017-15041]] which I
+   originally [triaged out](https://lists.debian.org/87zi8g8h65.fsf@curie.anarc.at) but then [changed my mind](https://lists.debian.org/87vaj0k4fq.fsf@angela.anarc.at) as the
+   patch was small and the impact was large. This turned
+   into [DLA-1148-1](https://lists.debian.org/20171027154341.2ws6u6p7jzx4ibub@angela.anarc.at).
+
+The latter reminded me of the concerns I have about the long-term
+maintainability of the golang ecosystem: because everything is
+statically linked, an update to a core library (say the SMTP library
+as in [[!debcve CVE-2017-15042]], thankfully not affecting LTS)
+requires a full rebuild of all packages including the library in all
+distributions. So what would be a simple update in a shared library
+system could mean an explosion of work on statically linked
+infrastructures. This is a lot of work which can definitely be
+error-prone: as I've seen in other updates, some packages (for example
+the Ruby interpreter) just bit-rot on their own and eventually fail to
+build from source. We would also have to investigate all packages to
+see which one include the library, something which we are not well
+equipped for at this point.
+
+Wheezy was the first release shipping golang packages but at least
+it's shipping only *one*... Stretch has shipped with *two* golang
+versions (1.7 and 1.8) which will make maintenance ever harder in the
+long term.
+
+> We build our computers the way we build our cities--over time,
+> without a plan, on top of ruins.
+>                         - [Ellen Ullman](https://www.salon.com/1998/05/12/feature_321/)
+   
+Other free software work
+========================
+
+This month again, I was busy doing some serious [yak shaving](https://en.wiktionary.org/wiki/yak_shaving)
+operations all over the internet, on top of publishing two of my
+largest LWN articles to date
+([[2017-10-16-strategies-offline-pgp-key-storage]] and
+[[2017-10-26-comparison-cryptographic-keycards]]).
+
+feed2exec beta
+--------------
+
+Since I
+[[announced|2017-10-02-free-software-activities-september-2017#new-project-feed2exec]]
+this new project last month I have released it as a [beta](https://gitlab.com/anarcat/feed2exec/tags/0.6.0) and
+it [entered Debian](https://tracker.debian.org/pkg/feed2exec). I have also wrote useful plugins like the
+`wayback` plugin that saves pages on the [Wayback machine](http://web.archive.org/) for
+eternal archival. The `archive` plugin can also similarly save pages
+to the local filesystem. I also added bash completion, expanded unit
+tests and documentation, fixed default file paths and a bunch of bugs,
+and refactored the code. Finally, I also started using two external
+Python libraries instead of rolling my own code: the [pyxdg](https://pypi.python.org/pypi/pyxdg)
+and [requests-file](https://pypi.python.org/pypi/requests-file) libraries, the latter which
+I [packaged in Debian](https://packages.debian.org/python-requests-file) (and [fixed a bug in their test suite](https://github.com/dashea/requests-file/pull/9)).
+
+The program is working pretty well for me. The only thing I feel is
+really missing now is a retry/fail mechanism. Right now, it's a little
+brittle: any network hiccup will yield an error email, which are
+readable to me but could be confusing to a new user. Strangely enough,
+I am particularly having trouble with (local!) DNS resolution that I
+need to look into, but that is probably unrelated with the software
+itself. Thankfully, the user can disable those with `--loglevel=ERROR`
+to silence `WARNING`s.
+
+Furthermore, some plugins still have some rough edges. For example,
+The [Transmission](https://transmissionbt.com/) integration would probably work better as a
+distinct plugin instead of a simple `exec` call, because when it adds
+new torrents, the output is totally cryptic. That plugin could also
+leverage more feed parameters to save different files in different
+locations depending on the feed titles, something would be hard to do
+safely with the `exec` plugin now.
+
+I am keeping a steady flow of releases. I wish there was a way to see
+how effective I am at reaching out with this project, but
+unfortunately [GitLab doesn't provide usage statistics](https://gitlab.com/gitlab-org/gitlab-ce/issues/21743)... And I
+have received only a few comments on IRC about the project, so maybe I
+need to [reach out more](https://twitter.com/theanarcat/status/926104482076876800) like it says in
+the [fine manual](https://opensource.guide/finding-users/). Always feels strange to have to promote your
+project like it's some new bubbly soap...
+
+Next steps for the project is a final review of the API and release
+production-ready 1.0.0. I am also thinking of making a small
+screencast to show the basic capabilities of the software, maybe
+with [asciinema's upcoming audio support](https://github.com/asciinema/asciinema-server/issues/63)?
+
+Haskell programming
+-------------------
+
+As I mentioned earlier, I dove again in Haskell programming when
+working on the git-annex security update. But I also have a small

(diff truncated)
more computing quotes
diff --git a/sigs.fortune b/sigs.fortune
index e33b34b7..ba69c165 100644
--- a/sigs.fortune
+++ b/sigs.fortune
@@ -1067,3 +1067,13 @@ Like slavery and apartheid, poverty is not natural. It is man-made and
 it can be overcome and eradicated by the actions of human
 beings. Overcoming poverty is not a gesture of charity. It is an act
 of justice.             - Nelson Mandela
+%
+We build our computer (systems) the way we build our cities: over
+time, without a plan, on top of ruins.
+                        - Ellen Ullman
+%
+You are absolutely deluded, if not stupid, if you think that a
+worldwide collection of software engineers who can't write operating
+systems or applications without security holes, can then turn around
+and suddenly write virtualization layers without security holes.
+                        - Theo de Raadt
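Review bot: the Ellen Ullman quote added here reads `our computer (systems) the way we build our cities: over time`, while the October report elsewhere in this log quotes it as `our computers the way we build our cities--over time`; the wording and punctuation differ, so at least one is not verbatim. Settle on one form (the blog post cites the Salon source) and use it in both places.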

got links backwards again
diff --git a/blog/2017-10-26-comparison-cryptographic-keycards.mdwn b/blog/2017-10-26-comparison-cryptographic-keycards.mdwn
index 19963b3b..e9db42dd 100644
--- a/blog/2017-10-26-comparison-cryptographic-keycards.mdwn
+++ b/blog/2017-10-26-comparison-cryptographic-keycards.mdwn
@@ -3,7 +3,7 @@
 [[!meta date="2017-10-17T00:00:00+0000"]]
 [[!meta updated="2017-10-26T19:42:06-0400"]]
 
-An [[2017-10-16-strategies-offline-pgp-key-storage|earlier article]] showed that
+An [[earlier article|2017-10-16-strategies-offline-pgp-key-storage]] showed that
 private key storage is an important problem to solve in any
 cryptographic system and established keycards as a good way to store
 private key material offline. But which keycard should we use? This
@@ -11,8 +11,7 @@ article examines the form factor, openness, and performance of four
 keycards to try to help readers choose the one that will fit their
 needs.
 
-I have personally been using a [[2015-12-14-yubikey-howto|YubiKey
-NEO]], since a 2015
+I have personally been using a [[YubiKey NEO|2015-12-14-yubikey-howto]], since a 2015
 [announcement](https://github.com/blog/2071-github-supports-universal-2nd-factor-authentication)
 on GitHub promoting two-factor authentication. I was also able to hook
 up my SSH authentication key into the YubiKey's 2048 bit RSA slot. It

fix internal links
diff --git a/blog/2017-10-26-comparison-cryptographic-keycards.mdwn b/blog/2017-10-26-comparison-cryptographic-keycards.mdwn
index 39a7c2e8..19963b3b 100644
--- a/blog/2017-10-26-comparison-cryptographic-keycards.mdwn
+++ b/blog/2017-10-26-comparison-cryptographic-keycards.mdwn
@@ -3,7 +3,7 @@
 [[!meta date="2017-10-17T00:00:00+0000"]]
 [[!meta updated="2017-10-26T19:42:06-0400"]]
 
-An [earlier LWN article](https://lwn.net/Articles/734767/) showed that
+An [[2017-10-16-strategies-offline-pgp-key-storage|earlier article]] showed that
 private key storage is an important problem to solve in any
 cryptographic system and established keycards as a good way to store
 private key material offline. But which keycard should we use? This
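Review bot: the WikiLink added here, `[[2017-10-16-strategies-offline-pgp-key-storage|earlier article]]`, puts the page name before the `|` and the display text after it, which is the reverse of ikiwiki's `[[text|page]]` form; the YubiKey NEO link in the next hunk of this commit has the same ordering, and the "got links backwards again" commit above swaps both back. Suggest `[[earlier article|2017-10-16-strategies-offline-pgp-key-storage]]` here and checking the rendered page after internal link edits, since the bare markup gives no hint that the two halves are transposed.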
@@ -11,8 +11,8 @@ article examines the form factor, openness, and performance of four
 keycards to try to help readers choose the one that will fit their
 needs.
 
-I have personally been using a [YubiKey
-NEO](https://lwn.net/Articles/594498/), since a 2015
+I have personally been using a [[2015-12-14-yubikey-howto|YubiKey
+NEO]], since a 2015
 [announcement](https://github.com/blog/2071-github-supports-universal-2nd-factor-authentication)
 on GitHub promoting two-factor authentication. I was also able to hook
 up my SSH authentication key into the YubiKey's 2048 bit RSA slot. It
@@ -75,7 +75,7 @@ when connected to a laptop. On my workstation, however, it usually stays
 put even with my whole keyring hanging off of it. I suspect this adds
 more strain to the host's USB port but that's a tradeoff I've lived with
 without any noticeable wear so far. Finally, the NEO has this peculiar
-feature of supporting NFC for certain operations, as we [previously
+feature of supporting NFC for certain operations, as LWN [previously
 covered](https://lwn.net/Articles/594498/), but I haven't used that
 feature yet.
 

more layout fixes
comment block actually made the table behave, + no width fix needed for graph
diff --git a/blog/2017-10-26-comparison-cryptographic-keycards.mdwn b/blog/2017-10-26-comparison-cryptographic-keycards.mdwn
index 7a134bd5..39a7c2e8 100644
--- a/blog/2017-10-26-comparison-cryptographic-keycards.mdwn
+++ b/blog/2017-10-26-comparison-cryptographic-keycards.mdwn
@@ -331,21 +331,21 @@ I used the following:
 
 I ran crypto-bench for each keycard, which resulted in the following:
 
-| Algorithm       | Device       | Mean time (s) |
-|-----------------|--------------|---------------|
-| ECDH-Curve25519 | CPU          | 0.036         |
-|                 | FST-01       | 0.135         |
-| RSA-2048        | CPU          | 0.016         |
-|                 | YubiKey-4    | 0.162         |
-|                 | Nitrokey-Pro | 0.610         |
-|                 | YubiKey-NEO  | 0.736         |
-|                 | FST-01       | 1.265         |
-| RSA-4096        | CPU          | 0.043         |
-|                 | YubiKey-4    | 0.875         |
-|                 | Nitrokey-Pro | 3.150         |
-|                 | FST-01       | 8.218         |
-
-[[!img keycards-results-graph.png size=600x alt="Decryption graph"]]
+> | Algorithm       | Device       | Mean time (s) |
+> |-----------------|--------------|---------------|
+> | ECDH-Curve25519 | CPU          | 0.036         |
+> |                 | FST-01       | 0.135         |
+> | RSA-2048        | CPU          | 0.016         |
+> |                 | YubiKey-4    | 0.162         |
+> |                 | Nitrokey-Pro | 0.610         |
+> |                 | YubiKey-NEO  | 0.736         |
+> |                 | FST-01       | 1.265         |
+> | RSA-4096        | CPU          | 0.043         |
+> |                 | YubiKey-4    | 0.875         |
+> |                 | Nitrokey-Pro | 3.150         |
+> |                 | FST-01       | 8.218         |
+
+[[!img keycards-results-graph.png alt="Decryption graph"]]
 
 There we see the performance of the four keycards I tested, compared
 with the same operations done without a keycard: the "CPU" device. That
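Review bot: the `> ` prefix wrapped around the results table in this hunk is Markdown blockquote syntax, not a comment block as the commit message describes it, so the table will render as a quoted (indented, typically styled) block rather than being hidden; if the only goal was to get the table to render at all, it is worth confirming that the blockquote styling is acceptable and, ideally, finding out why the unquoted table did not behave. Dropping `size=600x` from `keycards-results-graph.png` also undoes the "limit images width" change for that one image, which the commit message justifies, but note that this hunk and the "remove useless quote" hunk below are otherwise exact inverses of each other.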

move credits down with other notes
diff --git a/blog/2017-10-26-comparison-cryptographic-keycards.mdwn b/blog/2017-10-26-comparison-cryptographic-keycards.mdwn
index f12cbbec..7a134bd5 100644
--- a/blog/2017-10-26-comparison-cryptographic-keycards.mdwn
+++ b/blog/2017-10-26-comparison-cryptographic-keycards.mdwn
@@ -447,11 +447,11 @@ backed up on two different devices. As for the encryption key, I'll wait
 for keycard performance to improve, or simply switch my whole keyring to
 ECC and use the FST-01 or Nitrokey Start for that purpose.
 
-\[The author would like to thank Nitrokey for providing hardware for
-testing.\]
-
 ------------------------------------------------------------------------
 
+> \[The author would like to thank Nitrokey for providing hardware for
+> testing.\]
+>
 > *This article [first appeared][] in the [Linux Weekly News][].*
 
 [first appeared]: https://lwn.net/Articles/736231/

remove useless quote
diff --git a/blog/2017-10-26-comparison-cryptographic-keycards.mdwn b/blog/2017-10-26-comparison-cryptographic-keycards.mdwn
index abcc36d8..f12cbbec 100644
--- a/blog/2017-10-26-comparison-cryptographic-keycards.mdwn
+++ b/blog/2017-10-26-comparison-cryptographic-keycards.mdwn
@@ -331,21 +331,21 @@ I used the following:
 
 I ran crypto-bench for each keycard, which resulted in the following:
 
-> | Algorithm       | Device       | Mean time (s) |
-> |-----------------|--------------|---------------|
-> | ECDH-Curve25519 | CPU          | 0.036         |
-> |                 | FST-01       | 0.135         |
-> | RSA-2048        | CPU          | 0.016         |
-> |                 | YubiKey-4    | 0.162         |
-> |                 | Nitrokey-Pro | 0.610         |
-> |                 | YubiKey-NEO  | 0.736         |
-> |                 | FST-01       | 1.265         |
-> | RSA-4096        | CPU          | 0.043         |
-> |                 | YubiKey-4    | 0.875         |
-> |                 | Nitrokey-Pro | 3.150         |
-> |                 | FST-01       | 8.218         |
->
-> [[!img keycards-results-graph.png size=600x alt="Decryption graph"]]
+| Algorithm       | Device       | Mean time (s) |
+|-----------------|--------------|---------------|
+| ECDH-Curve25519 | CPU          | 0.036         |
+|                 | FST-01       | 0.135         |
+| RSA-2048        | CPU          | 0.016         |
+|                 | YubiKey-4    | 0.162         |
+|                 | Nitrokey-Pro | 0.610         |
+|                 | YubiKey-NEO  | 0.736         |
+|                 | FST-01       | 1.265         |
+| RSA-4096        | CPU          | 0.043         |
+|                 | YubiKey-4    | 0.875         |
+|                 | Nitrokey-Pro | 3.150         |
+|                 | FST-01       | 8.218         |
+
+[[!img keycards-results-graph.png size=600x alt="Decryption graph"]]
 
 There we see the performance of the four keycards I tested, compared
 with the same operations done without a keycard: the "CPU" device. That

limit images width otherwise they blow up
diff --git a/blog/2017-10-26-comparison-cryptographic-keycards.mdwn b/blog/2017-10-26-comparison-cryptographic-keycards.mdwn
index a3280453..abcc36d8 100644
--- a/blog/2017-10-26-comparison-cryptographic-keycards.mdwn
+++ b/blog/2017-10-26-comparison-cryptographic-keycards.mdwn
@@ -38,7 +38,7 @@ the card's firmware.
 Form factor
 -----------
 
-[[!img nitro-neo-yubi4-fst.jpg alt="The Nitrokey Pro, YubiKey NEO
+[[!img nitro-neo-yubi4-fst.jpg size=600x alt="The Nitrokey Pro, YubiKey NEO
 (worn out), YubiKey 4, and FST-01"]]
 
 The four keycards have similar form factors: they all connect to a
@@ -112,7 +112,7 @@ Its devices (the Pro, Start, and HSM models) use a similar chip to the
 FST-01: the [STM32F103
 microcontroller](http://www.st.com/en/microcontrollers/stm32f103r8.html).
 
-[[!img nitro-pro-stm32.jpg alt="Nitrokey Pro with STM32F103TBU6 MCU"]]
+[[!img nitro-pro-stm32.jpg size=600x alt="Nitrokey Pro with STM32F103TBU6 MCU"]]
 
 Nitrokey also publishes its hardware designs, [on
 GitHub](https://github.com/Nitrokey), which shows the Pro is basically a
@@ -123,7 +123,7 @@ should warn you against; I broke one of the pins holding it together
 when opening it so now it's even more fragile. But at least, I was able
 to confirm it was built using the STM32F103TBU6 MCU, like the FST-01.
 
-[[!img nitro-pro-backside.jpg alt="Nitrokey back side"]]
+[[!img nitro-pro-backside.jpg size=600x alt="Nitrokey back side"]]
 
 But this is where the comparison ends: on the back side, we find a SIM
 card reader that holds the [OpenPGP
@@ -345,7 +345,7 @@ I ran crypto-bench for each keycard, which resulted in the following:
 > |                 | Nitrokey-Pro | 3.150         |
 > |                 | FST-01       | 8.218         |
 >
-> [[!img keycards-results-graph.png alt="Decryption graph"]]
+> [[!img keycards-results-graph.png size=600x alt="Decryption graph"]]
 
 There we see the performance of the four keycards I tested, compared
 with the same operations done without a keycard: the "CPU" device. That

render in png, fonts are nicer
diff --git a/blog/2017-10-26-comparison-cryptographic-keycards/keycards-results-graph.png b/blog/2017-10-26-comparison-cryptographic-keycards/keycards-results-graph.png
new file mode 100644
index 00000000..3679799c
Binary files /dev/null and b/blog/2017-10-26-comparison-cryptographic-keycards/keycards-results-graph.png differ
diff --git a/blog/2017-10-26-comparison-cryptographic-keycards/results-16b.svg b/blog/2017-10-26-comparison-cryptographic-keycards/results-16b.svg
deleted file mode 100644
index 1c0399e0..00000000
--- a/blog/2017-10-26-comparison-cryptographic-keycards/results-16b.svg
+++ /dev/null
@@ -1,2088 +0,0 @@
-<?xml version="1.0" encoding="utf-8" standalone="no"?>
-<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
-  "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
-<!-- Created with matplotlib (http://matplotlib.org/) -->
-<svg height="325pt" version="1.1" viewBox="0 0 404 325" width="404pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
- <defs>
-  <style type="text/css">
-*{stroke-linecap:butt;stroke-linejoin:round;}
-  </style>
- </defs>
- <g id="figure_1">
-  <g id="patch_1">
-   <path d="M 0 325.986375 
-L 404.16065 325.986375 
-L 404.16065 0 
-L 0 0 
-z
-" style="fill:#ffffff;"/>
-  </g>
-  <g id="axes_1">
-   <g id="patch_2">
-    <path d="M 34.240625 288.430125 
-L 391.360625 288.430125 
-L 391.360625 22.318125 
-L 34.240625 22.318125 
-z
-" style="fill:#ffffff;"/>
-   </g>
-   <g id="patch_3">
-    <path clip-path="url(#pfd962fa2b4)" d="M 41.383025 288.430125 
-L 60.429425 288.430125 
-L 60.429425 287.955138 
-L 41.383025 287.955138 
-z
-" style="fill:#3274a1;"/>
-   </g>
-   <g id="patch_4">
-    <path clip-path="url(#pfd962fa2b4)" d="M 112.807025 288.430125 
-L 131.853425 288.430125 
-L 131.853425 283.398977 
-L 112.807025 283.398977 
-z
-" style="fill:#3274a1;"/>
-   </g>
-   <g id="patch_5">
-    <path clip-path="url(#pfd962fa2b4)" d="M 184.231025 288.430125 
-L 203.277425 288.430125 
-L 203.277425 269.633864 
-L 184.231025 269.633864 
-z
-" style="fill:#3274a1;"/>
-   </g>
-   <g id="patch_6">
-    <path clip-path="url(#pfd962fa2b4)" d="M 255.655025 288.430125 
-L 274.701425 288.430125 
-L 274.701425 265.844773 
-L 255.655025 265.844773 
-z
-" style="fill:#3274a1;"/>
-   </g>
-   <g id="patch_7">
-    <path clip-path="url(#pfd962fa2b4)" d="M 327.079025 288.430125 
-L 346.125425 288.430125 
-L 346.125425 249.545481 
-L 327.079025 249.545481 
-z
-" style="fill:#3274a1;"/>
-   </g>
-   <g id="patch_8">
-    <path clip-path="url(#pfd962fa2b4)" d="M 60.429425 288.430125 
-L 79.475825 288.430125 
-L 79.475825 287.103306 
-L 60.429425 287.103306 
-z
-" style="fill:#e1812c;"/>
-   </g>
-   <g id="patch_9">
-    <path clip-path="url(#pfd962fa2b4)" d="M 131.853425 288.430125 
-L 150.899825 288.430125 
-L 150.899825 261.5111 
-L 131.853425 261.5111 
-z
-" style="fill:#e1812c;"/>
-   </g>
-   <g id="patch_10">
-    <path clip-path="url(#pfd962fa2b4)" d="M 203.277425 288.430125 
-L 222.323825 288.430125 
-L 222.323825 191.312348 
-L 203.277425 191.312348 
-z
-" style="fill:#e1812c;"/>
-   </g>
-   <g id="patch_11">
-    <path clip-path="url(#pfd962fa2b4)" d="z
-" style="fill:#e1812c;"/>
-   </g>
-   <g id="patch_12">
-    <path clip-path="url(#pfd962fa2b4)" d="M 346.125425 288.430125 
-L 365.171825 288.430125 
-L 365.171825 35.187957 
-L 346.125425 35.187957 
-z
-" style="fill:#e1812c;"/>
-   </g>
-   <g id="patch_13">
-    <path clip-path="url(#pfd962fa2b4)" d="M 79.475825 288.430125 
-L 98.522225 288.430125 
-L 98.522225 287.319258 
-L 79.475825 287.319258 
-z
-" style="fill:#3a923a;"/>
-   </g>
-   <g id="patch_14">
-    <path clip-path="url(#pfd962fa2b4)" d="z
-" style="fill:#3a923a;"/>
-   </g>
-   <g id="patch_15">
-    <path clip-path="url(#pfd962fa2b4)" d="z
-" style="fill:#3a923a;"/>
-   </g>
-   <g id="patch_16">
-    <path clip-path="url(#pfd962fa2b4)" d="z
-" style="fill:#3a923a;"/>
-   </g>
-   <g id="patch_17">
-    <path clip-path="url(#pfd962fa2b4)" d="M 365.171825 288.430125 
-L 384.218225 288.430125 
-L 384.218225 284.230586 
-L 365.171825 284.230586 
-z
-" style="fill:#3a923a;"/>
-   </g>
-   <g id="patch_18">
-    <path clip-path="url(#pfd962fa2b4)" d="M 41.383025 288.430125 
-L 60.429425 288.430125 
-L 60.429425 287.955138 
-L 41.383025 287.955138 
-z
-" style="fill:#3274a1;"/>
-   </g>
-   <g id="patch_19">
-    <path clip-path="url(#pfd962fa2b4)" d="M 112.807025 288.430125 
-L 131.853425 288.430125 
-L 131.853425 283.398977 
-L 112.807025 283.398977 
-z
-" style="fill:#3274a1;"/>
-   </g>
-   <g id="patch_20">
-    <path clip-path="url(#pfd962fa2b4)" d="M 184.231025 288.430125 
-L 203.277425 288.430125 
-L 203.277425 269.633864 
-L 184.231025 269.633864 
-z
-" style="fill:#3274a1;"/>
-   </g>
-   <g id="patch_21">
-    <path clip-path="url(#pfd962fa2b4)" d="M 255.655025 288.430125 
-L 274.701425 288.430125 
-L 274.701425 265.844773 
-L 255.655025 265.844773 
-z
-" style="fill:#3274a1;"/>
-   </g>
-   <g id="patch_22">
-    <path clip-path="url(#pfd962fa2b4)" d="M 327.079025 288.430125 
-L 346.125425 288.430125 
-L 346.125425 249.545481 
-L 327.079025 249.545481 
-z
-" style="fill:#3274a1;"/>
-   </g>
-   <g id="patch_23">
-    <path clip-path="url(#pfd962fa2b4)" d="M 60.429425 288.430125 
-L 79.475825 288.430125 
-L 79.475825 287.103306 
-L 60.429425 287.103306 
-z
-" style="fill:#e1812c;"/>
-   </g>
-   <g id="patch_24">
-    <path clip-path="url(#pfd962fa2b4)" d="M 131.853425 288.430125 
-L 150.899825 288.430125 
-L 150.899825 261.5111 
-L 131.853425 261.5111 
-z
-" style="fill:#e1812c;"/>
-   </g>
-   <g id="patch_25">
-    <path clip-path="url(#pfd962fa2b4)" d="M 203.277425 288.430125 

(diff truncated)
make crypto keycards review public
diff --git a/blog/2017-10-26-comparison-cryptographic-keycards.mdwn b/blog/2017-10-26-comparison-cryptographic-keycards.mdwn
new file mode 100644
index 00000000..a3280453
--- /dev/null
+++ b/blog/2017-10-26-comparison-cryptographic-keycards.mdwn
@@ -0,0 +1,460 @@
+[[!meta title="A comparison of cryptographic keycards"]]
+
+[[!meta date="2017-10-17T00:00:00+0000"]]
+[[!meta updated="2017-10-26T19:42:06-0400"]]
+
+An [earlier LWN article](https://lwn.net/Articles/734767/) showed that
+private key storage is an important problem to solve in any
+cryptographic system and established keycards as a good way to store
+private key material offline. But which keycard should we use? This
+article examines the form factor, openness, and performance of four
+keycards to try to help readers choose the one that will fit their
+needs.
+
+I have personally been using a [YubiKey
+NEO](https://lwn.net/Articles/594498/), since a 2015
+[announcement](https://github.com/blog/2071-github-supports-universal-2nd-factor-authentication)
+on GitHub promoting two-factor authentication. I was also able to hook
+up my SSH authentication key into the YubiKey's 2048 bit RSA slot. It
+seemed natural to move the other subkeys onto the keycard, provided that
+performance was sufficient. The mail client that I use,
+([Notmuch](http://notmuchmail.org/)), blocks when decrypting messages,
+which could be a serious problems on large email threads from [encrypted
+mailing lists](https://schleuder.nadir.org/).
+
+So I built a test harness and got access to some more keycards: I bought
+a [FST-01](http://www.gniibe.org/FST-01/fst-01.html) from its creator,
+Yutaka Niibe, at the last DebConf and Nitrokey donated a [Nitrokey
+Pro](https://shop.nitrokey.com/shop/product/nitrokey-pro-3). I also
+bought a [YubiKey 4](https://www.yubico.com/product/yubikey-4-series/)
+when I got the NEO. There are of course other keycards out there, but
+those are the ones I could get my hands on. You'll notice none of those
+keycards have a physical keypad to enter passwords, so they are all
+vulnerable to keyloggers that could extract the key's PIN. Keep in mind,
+however, that even with the PIN, an attacker could only ask the keycard
+to decrypt or sign material but not extract the key that is protected by
+the card's firmware.
+
+Form factor
+-----------
+
+[[!img nitro-neo-yubi4-fst.jpg alt="The Nitrokey Pro, YubiKey NEO
+(worn out), YubiKey 4, and FST-01"]]
+
+The four keycards have similar form factors: they all connect to a
+standard USB port, although both YubiKey keycards have a capacitive
+button by which the user triggers two-factor authentication and the
+YubiKey 4 can also [require a button
+press](https://developers.yubico.com/PGP/Card_edit.html#_yubikey_4_touch)
+to confirm private key use. The YubiKeys feel sturdier than the other
+two. The NEO has withstood two years of punishment in my pockets along
+with the rest of my "real" keyring and there is only minimal wear on the
+keycard in the picture. It's also thinner so it fits well on the
+keyring.
+
+The FST-01 stands out from the other two with its minimal design. Out of
+the box, the FST-01 comes without a case, so the circuitry is exposed.
+This is deliberate: one of its goals is to be as transparent as
+possible, both in terms of software and hardware design and you
+definitely get that feeling at the physical level. Unfortunately, that
+does mean it feels more brittle than other models: I wouldn't carry it
+in my pocket all the time, although there is a
+[case](https://www.seeedstudio.com/fst01-with-white-enclosure-p-1279.html)
+that may protect the key a little better, but it does not provide an
+easy way to hook it into a keyring. In the group picture above, the
+FST-01 is the pink plastic thing, which is a rubbery casing I received
+along with the device when I got it.
+
+Notice how the USB connectors of the YubiKeys differ from the other two:
+while the FST-01 and the Nitrokey have standard USB connectors, the
+YubiKey has only a "half-connector", which is what makes it thinner than
+the other two. The "Nano" form factor takes this even further and almost
+disappears in the USB port. Unfortunately, this arrangement means the
+YubiKey NEO often comes loose and falls out of the USB port, especially
+when connected to a laptop. On my workstation, however, it usually stays
+put even with my whole keyring hanging off of it. I suspect this adds
+more strain to the host's USB port but that's a tradeoff I've lived with
+without any noticeable wear so far. Finally, the NEO has this peculiar
+feature of supporting NFC for certain operations, as we [previously
+covered](https://lwn.net/Articles/594498/), but I haven't used that
+feature yet.
+
+The Nitrokey Pro looks like a normal USB key, in contrast with the other
+two devices. It does feel a little brittle when compared with the
+YubiKey, although only time will tell how much of a beating it can take.
+It has a small ring in the case so it is possible to carry it directly
+on your keyring, but I would be worried the cap would come off
+eventually. Nitrokey devices are also two times thicker than the Yubico
+models which makes them less convenient to carry around on keyrings.
+
+Open and closed designs
+-----------------------
+
+The FST-01 is as open as hardware comes, down to the PCB design
+available as [KiCad](http://www.kicad-pcb.org/) files in this [Git
+repository](http://git.gniibe.org/gitweb/?p=gnuk/fst-01.git). The
+software running on the card is the
+[Gnuk](http://www.fsij.org/doc-gnuk/) firmware that implements the
+[OpenPGP card protocol](http://g10code.com/p-card.html), but you can
+also get it with firmware implementing a true random number generator
+(TRNG) called
+[NeuG](http://www.gniibe.org/memo/development/gnuk/rng/neug.html)
+(pronounced "noisy"); the device is
+[programmable](http://www.fsij.org/doc-gnuk/development.html) through a
+standard [Serial Wire
+Debug](https://en.wikipedia.org/wiki/Serial_Wire_Debug) (SWD) port. The
+Nitrokey Start model also runs the Gnuk firmware. However, the [Nitrokey
+website](https://www.nitrokey.com/) announces only ECC and RSA 2048-bit
+support for the Start, while the FST-01 also supports RSA-4096.
+Nitrokey's founder Jan Suhr, in a private email, explained that this is
+because "Gnuk doesn't support RSA-3072 or larger at a reasonable speed".
+Its devices (the Pro, Start, and HSM models) use a similar chip to the
+FST-01: the [STM32F103
+microcontroller](http://www.st.com/en/microcontrollers/stm32f103r8.html).
+
+[[!img nitro-pro-stm32.jpg alt="Nitrokey Pro with STM32F103TBU6 MCU"]]
+
+Nitrokey also publishes its hardware designs, [on
+GitHub](https://github.com/Nitrokey), which shows the Pro is basically a
+fork of the FST-01, according to the
+[ChangeLog](https://github.com/Nitrokey/nitrokey-pro-hardware/blob/b8b274e39f739e39a5d840d1ae3cecd120c05bf7/ChangeLog).
+I opened the case to confirm it was using the STM MCU, something I
+should warn you against; I broke one of the pins holding it together
+when opening it so now it's even more fragile. But at least, I was able
+to confirm it was built using the STM32F103TBU6 MCU, like the FST-01.
+
+[[!img nitro-pro-backside.jpg alt="Nitrokey back side"]]
+
+But this is where the comparison ends: on the back side, we find a SIM
+card reader that holds the [OpenPGP
+card](https://en.wikipedia.org/wiki/OpenPGP_card) that, in turn, holds
+the private key material and does the cryptographic operations. So, in
+effect, the Nitrokey Pro is really a evolution of the original [OpenPGP
+card readers](https://www.gnupg.org/howtos/card-howto/en/ch02s02.html).
+Nitrokey confirmed the OpenPGP card featured in the Pro is the same as
+the one [shipped](https://wiki.fsfe.org/TechDocs/FellowshipSmartCard) by
+the Free Software Foundation Europe (FSFE): the
+[BasicCard](http://basiccard.com/) built by ZeitControl. Those cards,
+however, are covered by NDAs and the firmware is only [partially open
+source](https://g10code.com/p-card.html).
+
+This makes the Nitrokey Pro less open than the FST-01, but that's an
+inevitable tradeoff when choosing a design based on the OpenPGP cards,
+which Suhr described to me as "pretty proprietary". There are other
+keycards out there, however, for example the
+[SLJ52GDL150-150k](https://secure.smartcardsource.com/slj52gdl150cl-java-smart-card.html)
+smartcard [suggested](https://www.corsac.net/?rub=blog&post=1588) by
+Debian developer Yves-Alexis Perez, which he prefers as it is certified
+by French and German authorities. In that blog post, he also said he was
+experimenting with the GPL-licensed [OpenPGP
+applet](https://github.com/anssi-fr/smartpgp) implemented by the French
+[ANSSI](https://en.wikipedia.org/wiki/Agence_nationale_de_la_s%C3%A9curit%C3%A9_des_syst%C3%A8mes_d%27information).
+
+But the YubiKey devices are even further away in the closed-design
+direction. Both the hardware designs and firmware are proprietary. The
+YubiKey NEO, for example, cannot be upgraded at all, even though it is
+based on an open firmware. According to Yubico's
+[FAQ](https://www.yubico.com/support/knowledge-base/categories/articles/can-update-current-yubikey-neo-u2f/),
+this is due to "best security practices": "*There is a 'no upgrade'
+policy for our devices since nothing, including malware, can write to
+the firmware.*"
+
+I find this decision questionable in a context where security updates
+are often more important than trying to design a bulletproof design,
+which may simply be impossible. And the YubiKey NEO did suffer from
+[critical security
+issue](https://developers.yubico.com/ykneo-openpgp/SecurityAdvisory%202015-04-14.html)
+that allowed attackers to bypass the PIN protection on the card, which
+raises the question of the actual protection of the private key material
+on those cards. According to Niibe, "some OpenPGP cards store the
+private key unencrypted. It is a common attitude for many smartcard
+implementations", which was confirmed by Suhr: "the private key is
+protected by hardware mechanisms which prevent its extraction and
+misuse". He is referring to the use of [tamper
+resistance](https://en.wikipedia.org/wiki/Tamper_resistance).
+
+After that security issue, there was no other option for YubiKey NEO
+users than to get a new keycard (for free, thankfully) from Yubico,
+which also meant discarding the private key material on the key. For
+OpenPGP keys, this may mean having to bootstrap the web of trust from
+scratch if the keycard was responsible for the main certification key.
+
+But at least the NEO is running free software based on the [OpenPGP card
+applet](https://github.com/jderuiter/javacard-openpgpcard) and the
+source is still [available on
+GitHub](https://github.com/Yubico/ykneo-openpgp). The YubiKey 4, on the
+other hand, is now [closed
+source](https://github.com/Yubico/ykneo-openpgp/issues/2#issuecomment-218446368),
+which was controversial when the new model was announced last year. It
+led the main Linux Foundation system administrator, Konstantin
+Ryabitsev, to [withdraw his
+endorsement](https://plus.google.com/+KonstantinRyabitsev/posts/4a7RNxtt7vy)
+of Yubico products. In response, Yubico argued that this approach was
+[essential to the security of its
+devices](https://www.yubico.com/2016/05/secure-hardware-vs-open-source/),
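Review bot: the opening paragraph's assurance that an attacker holding the PIN "could only ask the keycard to decrypt or sign material but not extract the key" is stated more strongly than the later sections support, which describe a YubiKey NEO advisory that allowed the PIN protection to be bypassed and quote Niibe saying that some OpenPGP cards store the private key unencrypted; consider qualifying it with something like "as long as the card's firmware and tamper resistance hold" or adding a forward reference so a reader who stops at the introduction does not take away the unconditional claim. Three small typos in the same hunk: "a serious problems" should be "a serious problem", "a evolution" should be "an evolution", and "did suffer from critical security issue" is missing "a"; the double bracketing in "The mail client that I use, ([Notmuch](...)), blocks" could also lose either the commas or the parentheses.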

(diff truncated)
more DIY stuff
diff --git a/hardware/laptop.mdwn b/hardware/laptop.mdwn
index 5fb8d29d..6073709c 100644
--- a/hardware/laptop.mdwn
+++ b/hardware/laptop.mdwn
@@ -26,6 +26,32 @@ Extras:
 Modèles
 =======
 
+Mnt reform
+----------
+
+The [reform](http://mntmn.com/reform/) is a DIY laptop at the
+prototype stage:
+
+ * ARM NXP i.MX6 / i.MX8
+ * PCIe, USB3/C?
+ * Wifi?
+ * MiniSD boot, SSD
+ * 500-700EUR
+
+Interesting especially for the possibility of a e-ink screen...
+
+Novena
+------
+
+The [Novena](https://en.wikipedia.org/wiki/Novena_(computing_platform)) laptop board is still [on sale](https://www.crowdsupply.com/sutajio-kosagi/novena) but it's showing
+its age now:
+
+ * ARM i.MX6
+ * 4GB max RAM
+ 
+Could be possible to build a complete machine with ~1000$ in parts,
+but that's quite expensive for such old specs... 
+
 Olimex
 ------
 
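Review bot: "a e-ink screen" in the Reform section should read "an e-ink screen", and the project writes its name "MNT Reform" rather than "Mnt reform" in the heading; the added lines also carry trailing whitespace (the list item left empty after "4GB max RAM" and the end of "old specs..."), which is worth stripping before it accumulates in the wiki source.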

remove unreferenced scripts that are available in gitlab.com/anarcat/scripts anyways
diff --git a/software/dict_gen.py b/software/dict_gen.py
deleted file mode 100644
index d9d4b858..00000000
--- a/software/dict_gen.py
+++ /dev/null
@@ -1,117 +0,0 @@
-#! /usr/bin/python
-
-"""%prog [options]
-
-Password dictionnary generator
-
-If you know a bit what your are guessing for in a password, just
-brute forcing your way through all the keyspace is not efficient.
-
-This script allows you to focus on some combinations of words, birth
-days, and times."""
-
-import math
-import sys
-import datetime
-
-from optparse import OptionParser
-
-parser = OptionParser(usage=__doc__)
-parser.add_option("-w", "--words", dest="words",
-                  help="add list of WORDS", metavar="FILE")
-parser.add_option("-s", "--seperator", dest="sep", default=" ",
-                  help="words are seperated with SEP", metavar="SEP")
-parser.add_option("-o", "--output-seperator", dest="outsep", default=" ",
-                  help="output words are seperated with SEP", metavar="SEP")
-parser.add_option("-t", "--time", dest="time", default=False, action="store_true",
-                  help="add all possible time", metavar="TIME")
-parser.add_option("-b", "--birthday", dest="birthday", default=False, action="store_true",
-                  help="add all possible birthdays", metavar="TIME")
-parser.add_option("-e", "--epoch", dest="epoch", default=1950, type="int",
-                  help="first possible birthday YEAR", metavar="YEAR")
-
-(options, args) = parser.parse_args()
-
-if options.words:
-    words = options.words.split(options.sep)
-
-def fact(n):
-    fact = 1
-    for i in range(1,n+1):
-        fact = fact*i
-    return fact
-
-# taken from http://code.activestate.com/help/terms/
-# MIT licensed: http://www.opensource.org/licenses/mit-license.php
-def all_perms(str):
-    if len(str) <=1:
-        yield str
-    else:
-        for perm in all_perms(str[1:]):
-            for i in range(len(perm)+1):
-                #nb str[0:1] works in both string and list contexts
-                yield perm[:i] + str[0:1] + perm[i:]
-
-def all_times():
-    perms = []
-    for hour in range(23):
-        for minute in range(59):
-            perms += [ "%s%02d" % ( hour, minute ),
-                       "%sh%02d" % ( hour, minute ),
-                       "%s:%02d" % ( hour, minute ) ]
-    return perms
-
-# this is by no means all dates:
-# * we are not using seperators, which can vary a lot
-# * we are always zero-filling the days and months
-# * we are using 4-digits years
-# * we are assuming a gregorian calendar
-#
-# Additionnally, this has the following problems:
-# * it will generate duplicate items (february 2nd and 2nd of ferbruary)
-# * it will generate invalid dates (february 30th)
-# * it always uses the year
-def all_dates():
-    perms = []
-    for year in range(options.epoch, datetime.date.today().year):
-        perms += [ "%04d" % year ]
-        for month in range(12):
-            perms += [ "%02d%04d" % ( month, year ),
-                       "%02d%04d" % ( year, month ) ]
-            for day in range(31):
-                perms += [ "%02d%02d%04d" % ( day, month, year ),
-                           "%02d%02d%04d" % ( month, day, year ),
-                           "%04d%02d%02d" % ( year, month, day ),
-                           "%04d%02d%02d" % ( year, day, month ),
-                           ]
-    return perms
-
-if options.time:
-    times = all_times()
-else:
-    times = [""]
-
-if options.birthday:
-    dates = all_dates()
-else:
-    dates = [""]
-
-if options.words:
-    print "%d words submitted, %d permutations possible" % ( len(words), fact(len(words)))
-    
-    for p in all_perms(words):
-        for t in times:
-            for d in dates:
-                print options.outsep.join(p + [t + d])
-
-else:
-    for t in times:
-        for d in dates:
-            if t != "" and d != "":
-                print options.outsep.join([t, d])
-            elif t == "":
-                print d
-            elif d == "":
-                print t
-            
-                
diff --git a/software/luks_cracker.py b/software/luks_cracker.py
deleted file mode 100644
index 12ebda5d..00000000
--- a/software/luks_cracker.py
+++ /dev/null
@@ -1,168 +0,0 @@
-#! /usr/bin/perl -w
-
-# testing this script:
-# dd if=/dev/urandom of=testfile bs=1M count=10
-# losetup /dev/loop1 testfile
-# cryptsetup luksFormat /dev/loop1 (choose a trivial password)
-# ./luks_cracker -d /dev/loop1 -n 98000 < /usr/share/dict/words
-#
-# when interrupt, cryptsetup may leave the device opened, clean it up with:
-#
-# dmsetup ls
-# dmsetup remove temporary-cryptsetup-2287
-#
-
-use Fcntl;
-use Getopt::Std;
-
-sub abort {
- print "\n" . join("\n", @_);
- print "\naborting after $i attemps on passphrase $_\n";
- close(PASS); close(CRYPT); exit(1);
-}
-
-if (!getopts('cd:n:s:v')) {
-    die "invalid syntax\n";
-}
-
-$SIG{INT} = sub { abort("interrupted by user"); };
-
-open(PASS, "> pass") || 
-    die("can't open tmp pass file: $!");
-
-if ($opt_d) {
-    $dev=$opt_d;
-} else {
-    $dev = "/dev/loop0";
-}
-
-if (!$opt_s) {
-    $opt_s = 0;
-}
-
-print "Attempting to open luks filesystem on $dev\n";
-
-$i = 0;
-$rate = 1;
-$| = 1;
-
-if ($opt_v) {
-    $verbose = "";
-} else {
-    $verbose = " 2> /dev/null";
-}
-
-if (system("cryptsetup isLuks $dev") == 0) {
-    print "device seems to be a LUKS device, going ahead\n";
-} else {
-    die("this doesn't seem to be a LUKS device\n");
-}
-
-$crypt_cmd = "cryptsetup --key-file pass luksOpen $dev cracked $verbose";
-
-if ($opt_v) {
-    print "cryptsetup: $crypt_cmd\n";
-}
-$start = time();
-while (<>) {
-    chop;
-    $key = $_;
-    $i++;
-    # skip requested lines, to allow resuming

(diff file truncated)
long overdue sync of my xmonad config
diff --git a/software/desktop/xmonad.hs b/software/desktop/xmonad.hs
index b9360872..00b99048 100644
--- a/software/desktop/xmonad.hs
+++ b/software/desktop/xmonad.hs
@@ -4,14 +4,14 @@
 
 -- requirements:
 -- dmenu (from suckless-tools)
--- xmobar
+-- taffybar
 -- xmonad
 -- xmonad-contrib
 -- trayer
 -- libnotify-bin (optional)
 --
 -- the following config files should be installed along with this one
--- .xmobarrc
+-- .config/taffybar/taffybar.hs
 -- .xmonad/xmonad-session-rc
 
 -- originally copied from clint's config at
@@ -58,13 +58,17 @@ import XMonad
 import XMonad.Hooks.DynamicLog
 -- avoid tiling docks
 import XMonad.Hooks.ManageDocks
--- ignore urgency warnings, xmobar will take care of it
+-- ignore urgency warnings, taffybar will take care of it
 -- source: https://braincrater.wordpress.com/2009/03/14/pimp-your-xmonad-4-urgency-hooks/
 import XMonad.Hooks.UrgencyHook
 -- window settings presets helper
 import XMonad.Hooks.ManageHelpers (isFullscreen, doFullFloat, composeOne, (-?>))
 import XMonad.Hooks.FadeWindows (isFloating)
 
+-- for the status bar (taffybar)
+import XMonad.Hooks.EwmhDesktops        (ewmh)
+import System.Taffybar.Hooks.PagerHints (pagerHints)
+
 -- for the confirm hook
 import Control.Monad(when)
 -- to communicate with dmenu
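Review bot: `ewmh` and `pagerHints` are imported here, but nothing in the visible hunks applies them to the configuration: `myConfig = defaultConfig { ... }` further down is not wrapped as `ewmh $ pagerHints $ myConfig`, and the `main` that would presumably do the wrapping is outside this diff. Without that wrapping taffybar's pager gets no workspace or window-title information from xmonad, so it is worth confirming that `main` was updated together with the imports.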
@@ -100,7 +104,7 @@ import XMonad.Prompt.Window (windowPromptBringCopy)
 import XMonad.Prompt.XMonad (xmonadPrompt)
 
 -- to make windows "sticky" on all desktops (mod-v/V)
-import XMonad.Actions.CopyWindow (copyToAll,killAllOtherCopies,kill1)
+import XMonad.Actions.CopyWindow (wsContainingCopies,copyToAll,killAllOtherCopies,kill1)
 -- to toggle between workspaces
 import XMonad.Actions.CycleWS
 
@@ -115,6 +119,9 @@ import XMonad.Hooks.ManageHelpers
 import System.IO
 import System.Exit
 
+-- for "All"
+import Data.Monoid
+
 -- float some windows by default
 myManageHook = composeAll
     [ manageDocks
@@ -130,12 +137,13 @@ myManageHook = composeAll
     , className =? "gm display" --> doFloat
     , className =? "mpv"        --> doFloat
     , className =? "mplayer"    --> doFloat
+    , className =? "SafeEyes"    --> doFloat
+    , className =? "safeeyes"    --> doFloat
+    , title =? "pop-up"         --> doFloat
     -- do not focus notify output
     , className =? "Xfce4-notifyd" --> doIgnore
     ]
 
-myBar = "xmobar"
-
 -- solarized color theme
 colorBlack           = "#002b36" -- base03
 colorDarkGray        = "#073642" -- base02
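Review bot: the new `title =? "pop-up"` rule carries no comment saying which application it is for, unlike the neighbouring `className` entries; since it floats any window whose title is exactly `pop-up` regardless of class, a comment naming the program (or narrowing the match with `className =? "..." <&&> title =? "pop-up"`) would make the intent clear. A minor style point: the two SafeEyes lines are aligned one column off from the entries above them.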
@@ -156,16 +164,6 @@ myXPConfig = defaultXPConfig { bgColor     = colorBlack
                              , position    = Top
                              }
 
--- pretty-print the xmobar
--- XXX: should really be in the xmobar config to avoid tangling those
--- things up
-myPP :: PP
-myPP = xmobarPP { ppCurrent = xmobarColor colorYellow ""
-                , ppTitle   = xmobarColor colorGreen  "" . shorten 40
-                , ppVisible = wrap "(" ")"
-                , ppUrgent = xmobarColor colorYellow colorRed
-                }
-
 myLayoutHook  = avoidStruts layouts
     where
         -- layouts list
@@ -209,9 +207,6 @@ scratchpads =
 -- define "windows key" as "mod"
 modm = mod4Mask
 
--- toggle for hiding "struts" (e.g. xmobar status bar)
-toggleStrutsKey XConfig {XMonad.modMask = modMask} = (modMask, xK_b)
-
 -- the opposite of kill1: if a window is in multiple workspaces, delete it here, if not, do nothing
 -- there has to be a simpler way...
 killsoft :: X ()
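Review bot: `toggleStrutsKey` is removed here (and `myBar` in the hunk above), but the code that consumed both, presumably a `statusBar myBar myPP toggleStrutsKey` call in `main`, is not in the visible diff; check that `main` no longer references them, otherwise the module will not compile. Also note that dropping `toggleStrutsKey` removes the mod-b binding for hiding the status bar, which may be intended now that taffybar manages the bar, but deserves a line in the commit message.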
@@ -219,23 +214,71 @@ killsoft = do ss <- gets windowset
               whenJust (W.peek ss) $ \w -> when (W.member w $ delete'' w ss) $ windows $ delete'' w
        where delete'' w = W.modify Nothing (W.filter (/= w))
 
+-- | handle X client messages that tell Xmonad to make a window appear
+-- on all workspaces
+--
+-- this should really be using _NET_WM_STATE and
+-- _NET_WM_STATE_STICKY. but that's more complicated: then we'd need
+-- to inspect a window and figure out the current state and act
+-- accordingly. I am not good enough with Xmonad to figure out that
+-- part yet.
+--
+-- Instead, just check for the relevant message and check if the
+-- focused window is already on all workspaces and toggle based on
+-- that.
+--
+-- this is designed to interoperate with Emacs's writeroom-mode module
+-- and called be called from elisp with:
+--
+-- (x-send-client-message nil 0 nil "XMONAD_COPY_ALL_SELF" 8 '(0))
+toggleStickyEventHook :: Event -> X All
+toggleStickyEventHook (ClientMessageEvent {ev_message_type = mt, ev_data = dt}) = do
+  dpy <- asks display
+  -- the client message we're expecting
+  copyAllMsg <- io $ internAtom dpy "XMONAD_COPY_ALL_SELF" False
+  -- if the event matches the message we expect, toggle sticky state
+  when (mt == copyAllMsg && dt /= []) $ do
+    copyToAllToggle
+  -- we processed the event completely
+  return $ All True
+-- ignore other messages
+toggleStickyEventHook _ = return $ All True
+
+-- | Toggle between "copyToAll" or "killAllOtherCopies". Copies to all
+-- workspaces, or remove from all other workspaces, depending on
+-- previous state (checked with "wsContainingCopies").
+copyToAllToggle :: X ()
+copyToAllToggle = do
+    -- check which workspaces have copies
+    copies <- wsContainingCopies
+    if null copies
+      then windows copyToAll -- no workspaces, make sticky
+      else killAllOtherCopies -- already other workspaces, unstick
+
+
 -- main config declaration
 myConfig = defaultConfig {
          modMask = modm
        , normalBorderColor = "#111111"
        , focusedBorderColor = "#333333"
        , manageHook = myManageHook
-       , terminal = "uxterm"
-       , handleEventHook = handleEventHook defaultConfig <+> fullscreenEventHook
+       , terminal = "x-terminal-emulator"
+       , handleEventHook = handleEventHook defaultConfig <+> fullscreenEventHook <+> toggleStickyEventHook
        , layoutHook = myLayoutHook
     } `additionalKeys` [
     ((noModMask         , xK_Pause), spawn "xscreensaver-command -lock")
-  , ((noModMask         , xK_Print), spawn "shutter -f")
-  , ((shiftMask         , xK_Print), spawn "shutter -w")
-  , ((controlMask       , xK_Print), spawn "shutter -s")
+  , ((noModMask         , xK_Print), spawn "snap")
+  --, ((noModMask         , xK_XF86AudioLowerVolume), spawn "amixer set Master 2-")
+  --, ((noModMask         , xK_XF86AudioRaiseVolume), spawn "amixer set Master 2+")
+  --, ((noModMask         , xK_XF86AudioMute), spawn "amixer set Master toggle")
+  , ((0                 , 0x1008ff12 ), spawn "pactl set-sink-mute 0 toggle")
+  , ((0                 , 0x1008ff11), spawn "pactl -- set-sink-volume 0 -2%")
+  , ((0                 , 0x1008ff13), spawn "pactl -- set-sink-volume 0 +2%")
+  , ((modm              , xK_Return), spawn $ XMonad.terminal defaultConfig )
   , ((modm              , xK_F12   ), xmonadPrompt      myXPConfig     )
-  , ((modm              , xK_F2    ), sshPrompt         myXPConfig     )
-  , ((modm              , xK_F3    ), shellPrompt       myXPConfig     )
+  , ((modm              , xK_F2    ), spawn "rofi -show ssh" )
+  , ((modm              , xK_F3    ), spawn "rofi -show run" )
+  , ((modm              , xK_r     ), spawn "rofi -show run" )
   , ((modm              , xK_F5    ), themePrompt       myXPConfig     )
   , ((modm              , xK_F6    ), windowPromptBringCopy myXPConfig )
   -- same, on mod-g for "grep"
@@ -248,17 +291,17 @@ myConfig = defaultConfig {
   , ((modm              , xK_f     ), toggleFloat                           )
   , ((modm              , xK_m     ), withFocused $ sendMessage . maximizeRestore )
   -- Make focused window always visible
-  , ((modm              , xK_v     ), windows copyToAll                     )
-  -- Toggle window state back
-  , ((modm .|. shiftMask, xK_v     ),  killAllOtherCopies                   )
+  , ((modm              , xK_v     ), copyToAllToggle                       )
   -- used to banish a window from the current workspace, if it's also elsewhere
   , ((modm              , xK_c     ), killsoft                                 )
   -- kill even if it's on multiple workspaces
   , ((modm .|. shiftMask, xK_c     ), kill                                  )
-  , ((modm              , xK_r     ), shellPrompt        myXPConfig         )
   , ((modm              , xK_Return), spawn $ XMonad.terminal myConfig      )
-  , ((modm              , xK_s     ), spawn "xscreensaver-command -lock; sudo pm-suspend" )
-  , ((modm .|. shiftMask, xK_h     ), confirmPrompt myXPConfig "halt" $ spawn "notify-send 'powering off...' ; sudo poweroff")
+  , ((modm .|. controlMask, xK_h     ), spawn "xscreensaver-command -lock; sudo systemctl suspend" )
+  , ((modm .|. shiftMask, xK_h     ),
+          confirmPrompt myXPConfig "hibernate?" $ spawn "xscreensaver-command -lock ; sudo systemctl hibernate")

(diff file truncated)
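Review bot: `(modm, xK_Return)` is now bound twice in the `additionalKeys` list: the new entry spawns `XMonad.terminal defaultConfig` (xterm) while the surviving older entry below spawns `XMonad.terminal myConfig`, which this same hunk changes to `x-terminal-emulator`. `additionalKeys` builds a `Map` from the list, so the later entry silently wins and the new line is dead code; drop one of them, preferably the `defaultConfig` one so the binding follows the configured terminal. Two smaller points: the raw keysyms `0x1008ff11`, `0x1008ff12` and `0x1008ff13` have named equivalents `xF86XK_AudioLowerVolume`, `xF86XK_AudioMute` and `xF86XK_AudioRaiseVolume` in `Graphics.X11.ExtraTypes.XF86` (the commented-out `xK_XF86Audio*` names do not exist, which is presumably why those lines were commented out), and the `pactl ... 0 ...` commands hardcode sink index 0 where `@DEFAULT_SINK@` would follow the active default sink. In the `toggleStickyEventHook` comment, "and called be called from elisp" should read "and can be called from elisp".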
creating tag page tag/monkeysphere
diff --git a/tag/monkeysphere.mdwn b/tag/monkeysphere.mdwn
new file mode 100644
index 00000000..9d6c6a05
--- /dev/null
+++ b/tag/monkeysphere.mdwn
@@ -0,0 +1,4 @@
+[[!meta title="pages tagged monkeysphere"]]
+
+[[!inline pages="tagged(monkeysphere)" actions="no" archive="yes"
+feedshow=10]]

creating tag page tag/keycard
diff --git a/tag/keycard.mdwn b/tag/keycard.mdwn
new file mode 100644
index 00000000..d3575d4f
--- /dev/null
+++ b/tag/keycard.mdwn
@@ -0,0 +1,4 @@
+[[!meta title="pages tagged keycard"]]
+
+[[!inline pages="tagged(keycard)" actions="no" archive="yes"
+feedshow=10]]

creating tag page tag/openpgp
diff --git a/tag/openpgp.mdwn b/tag/openpgp.mdwn
new file mode 100644
index 00000000..457c82f2
--- /dev/null
+++ b/tag/openpgp.mdwn
@@ -0,0 +1,4 @@
+[[!meta title="pages tagged openpgp"]]
+
+[[!inline pages="tagged(openpgp)" actions="no" archive="yes"
+feedshow=10]]

Squashed commit of the following:
commit f841deeda93c8e73c6b59b72aee9f1069f288c20
Author: Antoine Beaupré <anarcat@debian.org>
Date: Mon Oct 16 20:03:57 2017 -0400
pgp offline branch ready for publication
commit 52ed2451c1d6152e7f96f928c9854244206eac84
Author: Antoine Beaupré <anarcat@debian.org>
Date: Tue Oct 3 08:55:16 2017 -0400
remove second part
commit 0c16f71953800aab9a56f2a406e5213ccfa85127
Author: Antoine Beaupré <anarcat@debian.org>
Date: Tue Oct 3 08:51:57 2017 -0400
follow upstream naming
commit 17e89762ec4739f3145f9e0a5d53da9b5691ebb6
Author: Antoine Beaupré <anarcat@debian.org>
Date: Tue Oct 3 08:51:43 2017 -0400
last change before publication
commit 140e988da8dd586160a20710eeeda0ad7db90553
Author: Antoine Beaupré <anarcat@debian.org>
Date: Mon Oct 2 19:11:10 2017 -0400
another round of fixes from jake
commit 9ff2b4671f38947b85bf084778de951bc3c7b93f
Author: Antoine Beaupré <anarcat@debian.org>
Date: Mon Oct 2 15:34:58 2017 -0400
extra changes from LWN
commit 238f6e526a2056ddfb7e59dcc19fa830ec74f5e5
Author: Antoine Beaupré <anarcat@debian.org>
Date: Fri Sep 29 17:16:35 2017 -0400
final fixes from jake
commit 10a1452fbb916f6abcda45b781a389f03e10a234
Author: Antoine Beaupré <anarcat@debian.org>
Date: Fri Sep 29 15:17:11 2017 -0400
harmonize key output and description
commit 57dc4a63b823fd09f67be3dde42a87d0753c24da
Author: Antoine Beaupré <anarcat@debian.org>
Date: Fri Sep 29 15:10:15 2017 -0400
tiny procedure fixes from LWN
commit 9a923b336a0debd86f441b4392a140128d96b6c1
Author: Antoine Beaupré <anarcat@debian.org>
Date: Fri Sep 29 14:33:51 2017 -0400
final changes after review with my previous draft
commit bcb80bc065f531cc51bcb58634919b99dc3966a1
Author: Antoine Beaupré <anarcat@debian.org>
Date: Fri Sep 29 14:25:42 2017 -0400
another round from LWN
commit 13420d95adb4de6ec04ca4159b82e012089821bc
Author: Antoine Beaupré <anarcat@debian.org>
Date: Fri Sep 29 12:15:16 2017 -0400
reimport from lwn, overwriting some of my changes
commit fe2015dd4a712449d471bc8f0f861202faecb0a7
Author: Antoine Beaupré <anarcat@debian.org>
Date: Fri Sep 29 12:09:38 2017 -0400
thorough review
commit d1140fb4c6cb54042f1a86ca1cd147b22c605778
Author: Antoine Beaupré <anarcat@debian.org>
Date: Thu Sep 28 13:22:26 2017 -0400
integrate first LWN review
commit f37d928b66711a905f32159a51db4cbb204118fe
Author: Antoine Beaupré <anarcat@debian.org>
Date: Sat Sep 23 17:26:23 2017 -0400
review first cert/token article again
commit fafab0a4d1e09ee0e585c22db5ae3d43f63fa2bd
Author: Antoine Beaupré <anarcat@debian.org>
Date: Mon Sep 18 14:13:34 2017 -0400
shove stats below
commit f2acc8e46777cb685d58e0070f2a852129ac1ccb
Author: Antoine Beaupré <anarcat@debian.org>
Date: Sun Sep 17 19:12:22 2017 -0400
fix image links
commit 0b414ac8d16c8906016a801c77ab855caf30710e
Author: Antoine Beaupré <anarcat@debian.org>
Date: Sun Sep 17 18:16:20 2017 -0400
finish first draft of second half
commit dfa6670cad579c6197ff0759a301d3e86017b34b
Author: Antoine Beaupré <anarcat@debian.org>
Date: Sat Sep 16 22:03:11 2017 -0400
quick talks notes
commit ed66c55ee013cb46445a7ec8fc83ef9adb15ec50
Author: Antoine Beaupré <anarcat@debian.org>
Date: Sat Sep 16 22:02:47 2017 -0400
rewrite first half, sent yesterday
commit 70434f4203a223158f9c9fbfaa5b630f36067d4a
Author: Antoine Beaupré <anarcat@debian.org>
Date: Sat Sep 16 22:01:48 2017 -0400
start working on second half of the keycard article
commit 390a66c013b3a27db2a95b89b560019712f7e579
Author: Antoine Beaupré <anarcat@debian.org>
Date: Fri Sep 15 10:47:44 2017 -0400
reword quote
commit 224e8f7341e4182f5dd40b41a7147bddcc669fc3
Author: Antoine Beaupré <anarcat@debian.org>
Date: Tue Sep 12 17:57:40 2017 -0400
make a first draft
commit 9d132df6ab72c9ca5b4f1be14794ffa706a9d44c
Author: Antoine Beaupré <anarcat@debian.org>
Date: Thu Aug 31 14:08:22 2017 -0400
more notes
commit 3da2972fc4f4295820671d6dfd8bf718adb1d83c
Author: Antoine Beaupré <anarcat@debian.org>
Date: Tue Aug 29 12:50:50 2017 -0400
gniibe dc14 slides
commit 03db02b391c6a286c209cd048f98cf16e1326864
Author: Antoine Beaupré <anarcat@debian.org>
Date: Tue Aug 29 10:15:56 2017 -0400
first notes on tokens review
publish the pgp-offline article from LWN
diff --git a/blog/2017-10-16-strategies-offline-pgp-key-storage.mdwn b/blog/2017-10-16-strategies-offline-pgp-key-storage.mdwn
new file mode 100644
index 00000000..b36dabc9
--- /dev/null
+++ b/blog/2017-10-16-strategies-offline-pgp-key-storage.mdwn
@@ -0,0 +1,360 @@
+[[!meta title="Strategies for offline PGP key storage"]]
+[[!meta date="2017-10-02T12:00:00-0500"]]
+[[!meta updated="2017-10-16T20:05:30-0500"]]
+
+While the adoption of [OpenPGP](http://openpgp.org/) by the general
+population is marginal at best, it is a critical component for the
+security community and particularly for Linux distributions. For
+example, every package uploaded into Debian is verified by the central
+repository using the maintainer's OpenPGP keys and the repository itself
+is, in turn, signed using a separate key. If upstream packages also use
+such signatures, this creates a complete trust path from the original
+upstream developer to users. Beyond that, pull requests for the Linux
+kernel are verified using signatures as well. Therefore, the stakes are
+high: a compromise of the release key, or even of a single maintainer's
+key, could enable devastating attacks against many machines.
+
+That has led the Debian community to develop a good grasp of best
+practices for cryptographic signatures (which are typically handled
+using [GNU Privacy Guard](http://gnupg.org/), also known as GnuPG or
+GPG). For example, weak (less than 2048 bits) and
+[vulnerable](https://lwn.net/Articles/588266/) PGPv3 keys were
+[removed](https://lists.debian.org/20150101191039.GB5209@earth.li) from
+the keyring in 2015, and there is a strong culture of cross-signing keys
+between Debian members at in-person meetings. Yet even Debian developers
+(DDs) do not seem to have established practices on how to actually store
+critical private key material, as we can see in this
+[discussion](https://lists.debian.org/debian-project/2017/08/msg00011.html)
+on the debian-project mailing list. That email boiled down to a simple
+request: can I have a "key dongles for dummies" tutorial? Key dongles,
+or keycards as we'll call them here, are small devices that allow users
+to store keys on an offline device and provide one possible solution for
+protecting private key material. In this article, I hope to use my
+experience in this domain to clarify the issue of how to store those
+precious private keys that, if compromised, could enable arbitrary code
+execution on millions of machines all over the world.
+
+Why store keys offline?
+-----------------------
+
+Before we go into details about storing keys offline, it may be useful
+to do a small reminder of how the [OpenPGP
+standard](https://tools.ietf.org/html/rfc4880) works. OpenPGP keys are
+made of a main public/private key pair, the certification key, used to
+sign user identifiers and subkeys. My public key, shown below, has the
+usual main certification/signature key (marked `SC`) but also an
+encryption subkey (marked `E`), a separate signature key (`S`), and two
+authentication keys (marked `A`) which I use as RSA keys to log into
+servers using SSH, thanks to the
+[Monkeysphere](http://monkeysphere.info/) project.
+
+        pub   rsa4096/792152527B75921E 2009-05-29 [SC] [expires: 2018-04-19]
+          8DC901CE64146C048AD50FBB792152527B75921E
+        uid                 [ultimate] Antoine Beaupré <anarcat@anarc.at>
+        uid                 [ultimate] Antoine Beaupré <anarcat@koumbit.org>
+        uid                 [ultimate] Antoine Beaupré <anarcat@orangeseeds.org>
+        uid                 [ultimate] Antoine Beaupré <anarcat@debian.org>
+        sub   rsa2048/B7F648FED2DF2587 2012-07-18 [A]
+        sub   rsa2048/604E4B3EEE02855A 2012-07-20 [A]
+        sub   rsa4096/A51D5B109C5A5581 2009-05-29 [E]
+        sub   rsa2048/3EA1DDDDB261D97B 2017-08-23 [S]
+
+All the subkeys (`sub`) and identities (`uid`) are bound by the main
+certification key using cryptographic self-signatures. So while an
+attacker stealing a private subkey can spoof signatures in my name or
+authenticate to other servers, that key can always be revoked by the
+main certification key. But if the certification key gets stolen, all
+bets are off: the attacker can create or revoke identities or subkeys as
+they wish. In a catastrophic scenario, an attacker could even steal the
+key and remove your copies, taking complete control of the key, without
+any possibility of recovery. Incidentally, this is why it is so
+important to generate a revocation certificate and store it offline.
+
+So by moving the certification key offline, we reduce the attack surface
+on the OpenPGP trust chain: day-to-day keys (e.g. email encryption or
+signature) can stay online but if they get stolen, the certification key
+can revoke those keys without having to revoke the main certification
+key as well. Note that a stolen encryption key is a different problem:
+even if we revoke the encryption subkey, this will only affect future
+encrypted messages. Previous messages *will* be readable by the attacker
+with the stolen subkey even if that subkey gets revoked, so the benefits
+of revoking encryption certificates are more limited.
+
+Common strategies for offline key storage
+-----------------------------------------
+
+Considering the security tradeoffs, some propose storing those critical
+keys offline to reduce those threats. But where exactly? In an attempt
+to answer that question, Jonathan McDowell, a member of the [Debian
+keyring maintenance team](https://wiki.debian.org/Teams/KeyringMaint),
+said that there are [three
+options](https://lists.debian.org/debian-project/2017/08/msg00054.html):
+use an external LUKS-encrypted volume, an air-gapped system, or a
+keycard.
+
+Full-disk encryption like LUKS adds an extra layer of security by hiding
+the content of the key from an attacker. Even though private keyrings
+are usually protected by a passphrase, they are easily identifiable as a
+keyring. But when a volume is fully encrypted, it's not immediately
+obvious to an attacker there is private key material on the device.
+[According](https://lists.debian.org/debian-project/2017/08/msg00148.html)
+to Sean Whitton, another advantage of LUKS over plain GnuPG keyring
+encryption is that you can pass the `--iter-time` argument when creating
+a LUKS partition to increase key-derivation delay, which makes
+brute-forcing much harder. Indeed, GnuPG 2.x [doesn't
+have](https://dev.gnupg.org/T3400) a run-time option to configure the
+key-derivation algorithm, although a
+[patch](https://dev.gnupg.org/T3399) was introduced recently to make the
+delay configurable at compile time in `gpg-agent`, which is now
+responsible for all secret key operations.
+
+The downside of external volumes is complexity: GnuPG makes it difficult
+to extract secrets out of its keyring, which makes the first setup
+tricky and error-prone. This is easier in the 2.x series thanks to the
+new storage system and the associated `keygrip` files, but it still
+requires arcane knowledge of GPG internals. It is also inconvenient to
+use secret keys stored outside your main keyring when you actually *do*
+need to use them, as GPG doesn't know where to find those keys anymore.
+
+Another option is to set up a separate air-gapped system to perform
+certification operations. An example is the [PGP clean
+room](https://wiki.debian.org/OpenPGP/CleanRoomLiveEnvironment) project,
+which is a live system based on Debian and designed by DD Daniel Pocock
+to operate an OpenPGP and X.509 certificate authority using commodity
+hardware. The basic principle is to store the secrets on a different
+machine that is never connected to the network and, therefore, not
+exposed to attacks, at least in theory. I have personally discarded that
+approach because I feel air-gapped systems provide a false sense of
+security: data eventually does need to come in and out of the system,
+somehow, even if only to propagate signatures out of the system, which
+exposes the system to attacks.
+
+System updates are similarly problematic: to keep the system secure,
+timely security updates need to be deployed to the air-gapped system. A
+common use pattern is to share data through USB keys, which introduce a
+vulnerability where attacks like
+[BadUSB](https://lwn.net/Articles/608503/) can infect the air-gapped
+system. From there, there is a multitude of exotic ways of exfiltrating
+the data using
+[LEDs](https://threatpost.com/blinking-router-leds-leak-data-from-air-gapped-networks/126199/),
+[infrared
+cameras](http://thehackernews.com/2017/09/airgap-network-malware-hacking.html),
+or the good old
+[TEMPEST](https://www.wired.com/2015/07/researchers-hack-air-gapped-computer-simple-cell-phone/)
+attack. I therefore concluded the complexity tradeoffs of an air-gapped
+system are not worth it. Furthermore, the workflow for air-gapped
+systems is complex: even though PGP clean room went a long way, it's
+still lacking even simple scripts that allow signing or transferring
+keys, which is a problem shared by the external LUKS storage approach.
+
+Keycard advantages
+------------------
+
+The approach I have chosen is to use a cryptographic keycard: an
+external device, usually connected through the USB port, that stores the
+private key material and performs critical cryptographic operations on
+the behalf of the host. For example, the [FST-01
+keycard](http://www.gniibe.org/FST-01/fst-01.html) can perform RSA and
+ECC public-key decryption without ever exposing the private key material
+to the host. In effect, a keycard is a miniature computer that performs
+restricted computations for another host. Keycards usually support
+multiple "slots" to store subkeys. The OpenPGP standard specifies there
+are three subkeys available by default: for signature, authentication,
+and encryption. Finally, keycards can have an actual physical keypad to
+enter passwords so a potential keylogger cannot capture them, although
+the keycards I have access to do not feature such a keypad.
+
+We could easily draw a parallel between keycards and an air-gapped
+system; in effect, a keycard is a miniaturized air-gapped computer and
+suffers from similar problems. An attacker can intercept data on the
+host system and attack the device in the same way, if not more easily,
+because a keycard is actually "online" (i.e. clearly not air-gapped)
+when connected. The advantage over a fully-fledged air-gapped computer,
+however, is that the keycard implements only a restricted set of
+operations. So it is easier to create an open hardware and software
+design that is audited and verified, which is much harder to accomplish
+for a general-purpose computer.
+
+Like air-gapped systems, keycards address the scenario where an attacker
+wants to get the private key material. While an attacker could fool the
+keycard into signing or decrypting some data, this is possible only
+while the key is physically connected, and the keycard software will
+prompt the user for a password before doing the operation, though the
+keycard can cache the password for some time. In effect, it thwarts
+offline attacks: to brute-force the key's password, the attacker needs
+to be on the target system and try to guess the keycard's password,
+which will lock itself after a limited number of tries. It also provides
+for a clean and standard interface to store keys offline: a single GnuPG
+command moves private key material to a keycard (the `keytocard` command
+in the `--edit-key` interface), whereas moving private key material to a
+LUKS-encrypted device or air-gapped computer is more complex.
+
+Keycards are also useful if you operate on multiple computers. A common
+problem when using GnuPG on multiple machines is how to safely copy and
+synchronize private key material among different devices, which

(diff file truncated)
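Review bot: the sentence "The OpenPGP standard specifies there are three subkeys available by default: for signature, authentication, and encryption" conflates two documents. RFC 4880 places no limit on the number of subkeys and defines no slots; the three key slots described here (signature, decryption, authentication) come from the OpenPGP smart card specification, which is what the keycards in this section implement. Suggest "The OpenPGP card specification defines three key slots by default: ...". Relatedly, "the benefits of revoking encryption certificates are more limited" should say "encryption subkeys", matching the terminology used in the rest of the article.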
it's all text is dead, vive ghosttext
diff --git a/software/desktop/firefox.mdwn b/software/desktop/firefox.mdwn
index bfbc0c2a..7a3a31b5 100644
--- a/software/desktop/firefox.mdwn
+++ b/software/desktop/firefox.mdwn
@@ -43,12 +43,12 @@ Extensions
 
 I usually have those extensions installed:
 
-* [uBlock Origin](https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/)
-  ([[!debpkg xul-ext-ublock-origin desc="debian package"]],
-  [source](https://github.com/gorhill/uBlock))
-* [it's all text!](https://addons.mozilla.org/en-US/firefox/addon/its-all-text/) ([[!debpkg xul-ext-itsalltext desc="debian package"]], [source](https://github.com/docwhat/itsalltext))
-* [uMatrix](https://addons.mozilla.org/firefox/addon/umatrix/) (no
-  debian package, [source](https://github.com/gorhill/uMatrix))
+* [uBlock Origin](https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/) ([[!debpkg xul-ext-ublock-origin desc="debian
+  package"]], [source](https://github.com/gorhill/uBlock))
+* [it's all text!](https://addons.mozilla.org/en-US/firefox/addon/its-all-text/) ([[!debpkg xul-ext-itsalltext desc="debian
+  package"]], [source](https://github.com/docwhat/itsalltext)) - now [obsolete](https://github.com/docwhat/itsalltext/issues/94), [GhostText](https://addons.mozilla.org/en-US/firefox/addon/ghosttext/) being
+  tested
+* [uMatrix](https://addons.mozilla.org/firefox/addon/umatrix/) (no debian package, [source](https://github.com/gorhill/uMatrix))
 * [wallabager](https://addons.mozilla.org/en-US/firefox/addon/wallabagger/)
   (no debian package,
   [source](https://github.com/wallabag/wallabagger)) 

expand on the kodi issues as some readers thought i was saying i was running kodi as root
diff --git a/blog/2017-10-02-free-software-activities-september-2017.mdwn b/blog/2017-10-02-free-software-activities-september-2017.mdwn
index 30dcf408..cae97242 100644
--- a/blog/2017-10-02-free-software-activities-september-2017.mdwn
+++ b/blog/2017-10-02-free-software-activities-september-2017.mdwn
@@ -269,8 +269,12 @@ media box. I simply used the following
     [Install]
     WantedBy=multi-user.target
 
-The downside of this is that it requires root to run, whereas modern X
-can run without root. Not sure how to fix this or where...
+The downside of this is that it needs Xorg to run as root, whereas
+modern Xorg can now run rootless. Not sure how to fix this or
+where... But if I put `needs_root_rights=no` in [Xwrapper.config](https://manpages.debian.org/stretch/xserver-xorg-legacy/Xorg.wrap.1.en.html),
+I get the following error in `.local/share/xorg/Xorg.1.log`:
+
+    [  2502.533] (EE) modeset(0): drmSetMaster failed: Permission denied
 
 After fooling around with [iPython](https://ipython.org/), I ended up trying
 the [xonsh shell](http://xon.sh/), which is supposed to provide a bash-compatible
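Review bot: the `drmSetMaster failed: Permission denied` error is the expected result of `needs_root_rights=no` for an Xorg started from a plain systemd unit, and the paragraph ends on "Not sure how to fix this or where..." without saying so. A rootless Xorg does not take DRM master itself; it typically receives the device from systemd-logind, which only hands it to a process inside a logind session that owns the seat and a virtual terminal. A `multi-user.target` service has no such session, so the fix lies in how the server is started (for example a logind-managed autologin on a virtual terminal that then starts Xorg), not in Xwrapper.config. Adding that one sentence would answer the question the paragraph raises and explains why the privilege reduction fails here.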

creating tag page tag/restic
diff --git a/tag/restic.mdwn b/tag/restic.mdwn
new file mode 100644
index 00000000..0d2f649e
--- /dev/null
+++ b/tag/restic.mdwn
@@ -0,0 +1,4 @@
+[[!meta title="pages tagged restic"]]
+
+[[!inline pages="tagged(restic)" actions="no" archive="yes"
+feedshow=10]]

creating tag page tag/feed2exec
diff --git a/tag/feed2exec.mdwn b/tag/feed2exec.mdwn
new file mode 100644
index 00000000..d4b9f117
--- /dev/null
+++ b/tag/feed2exec.mdwn
@@ -0,0 +1,4 @@
+[[!meta title="pages tagged feed2exec"]]
+
+[[!inline pages="tagged(feed2exec)" actions="no" archive="yes"
+feedshow=10]]

monthly report first draft
diff --git a/blog/2017-10-02-free-software-activities-september-2017.mdwn b/blog/2017-10-02-free-software-activities-september-2017.mdwn
new file mode 100644
index 00000000..30dcf408
--- /dev/null
+++ b/blog/2017-10-02-free-software-activities-september-2017.mdwn
@@ -0,0 +1,292 @@
+[[!meta title="My free software activities, September 2017"]]
+
+[[!toc levels=2]]
+
+Debian Long Term Support (LTS)
+==============================
+
+This is my monthly [Debian LTS][] report. I mostly worked on the git,
+git-annex and ruby packages this month but didn't have time to
+completely use my allocated hours because I started too late in the
+month.
+
+Ruby
+----
+
+I was hoping someone would pick up the Ruby work I submitted in
+August, but it seems no one wanted to touch that mess,
+understandably. Since then, new issues came up, and not only did I
+have to work on the rubygems and ruby1.9 package, but now the ruby1.8
+package also had to get security updates. Yes: it's bad enough that
+the rubygems code is duplicated in *one* other package, but wheezy had
+the misfortune of having *two* Ruby versions supported. 
+
+The Ruby 1.9 also failed to build from source because of test suite
+issues, which I haven't found a clean and easy fix for, so I ended up
+making test suite failures non-fatal in 1.9, which they were already
+in 1.8. I did keep a close eye on changes in the test suite output to
+make sure tests introduced in the security fixes would pass and that I
+wouldn't introduce *new* regressions as well.
+
+So I published the following advisories:
+
+ * ruby 1.8: [DLA-1113-1](https://lists.debian.org/debian-lts-announce/2017/09/msg00030.html), fixing [[!debcve CVE-2017-0898]] and
+   [[!debcve CVE-2017-10784]]. 1.8 doesn't seem affected by [[!debcve
+   CVE-2017-14033]] as the provided test does not fail (but it does
+   fail in 1.9.1). test suite was, before patch:
+   
+        2199 tests, 1672513 assertions, 18 failures, 51 errors
+
+   and after patch:
+
+        2200 tests, 1672514 assertions, 18 failures, 51 errors
+
+ * rubygems: uploaded the package prepared in August as is
+   in [DLA-1112-1]( https://lists.debian.org/debian-lts-announce/2017/09/msg00031.html), fixing [[!debcve CVE-2017-0899]], [[!debcve
+   CVE-2017-0900]], [[!debcve CVE-2017-0901]]. here the test suite
+   passed normally.
+
+ * ruby 1.9: here I used the used 2.2.8 release tarball to generate
+   a patch that would cover all issues and published [DLA-1114-1]( https://lists.debian.org/debian-lts-announce/2017/09/msg00029.html)
+   that fixes the CVEs of the two packages above. the test suite was,
+   before patches:
+
+        10179 tests, 2232711 assertions, 26 failures, 23 errors, 51 skips
+
+   and after patches:
+
+        1.9 after patches (B): 10184 tests, 2232771 assertions, 26 failures, 23 errors, 53 skips
+
+Git
+---
+
+I also quickly issued an advisory ([DLA-1120-1](https://lists.debian.org/debian-lts-announce/2017/10/msg00000.html)) for [[!debcve
+CVE-2017-14867]], an odd issue affecting git in wheezy. The backport
+was tricky because it wouldn't apply cleanly and the git package had a
+custom patching system which made it tricky to work on.
+
+[Debian LTS]: https://www.freexian.com/services/debian-lts.html
+
+Git-annex
+---------
+
+I did a quick stint on git-annex as well: I was able
+to [reproduce the issue](https://lists.debian.org/87y3p0ozap.fsf@curie.anarc.at) and confirm [an approach](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873088#33) to fixing the
+issue in wheezy, although I didn't have time to complete the work
+before the end of the month.
+
+Other free software work
+========================
+
+New project: feed2exec
+----------------------
+
+I should probably make a separate blog post about this, but
+ironically, I don't want to spend too much time writing those reports,
+so this will be quick.
+
+I wrote a new program, called [feed2exec](https://gitlab.com/anarcat/feed2exec/). It's basically a
+combination of [feed2imap](https://github.com/feed2imap/feed2imap/), [rss2email](https://github.com/rss2email) and [feed2tweet](https://github.com/chaica/feed2tweet/): it
+allows you to fetch RSS feeds and send them in a mailbox, but what's
+special about it, compared to the other programs above, is that it is
+more generic: you can basically make it do whatever you want on new
+feed items. I have, for example, replaced my `feed2tweet` instance
+with it, using this simple configuration:
+
+    [anarcat]
+    url = https://anarc.at/blog/index.rss
+    output = feed2exec.plugins.exec
+    args = tweet "%(title)0.70s %(link)0.70s"
+
+The sample configuration file also has examples to talk with Mastodon,
+Pump.io and, why not, a torrent server to download torrent files
+available over RSS feeds. A trivial configuration can also make it
+work as a crude podcast client. My main motivation to work on this was
+that it was difficult to extend feed2imap to do what I needed (which
+was to talk to transmission to download torrent files) and rss2email
+didn't support my workflow (which is delivering to feed-specific mail
+folders). Because both projects also seemed abandoned, it seemed like
+a good idea at the time to start a new one, although the rss2email
+community has now restarted the project and may produce interesting
+results.
+
+As an experiment, I tracked my time working on this project. It turns
+out it took about 45 hours to write that software. Considering
+feed2exec is about 1400 SLOC, that's 30 lines of code per hour. I
+don't know if that's slow or fast, but it's an interesting metric for
+future projects. It sure seems slow to me, but we need to keep in mind
+those 30 lines of code don't include documentation and repeated head
+banging on the keyboard. For example, I found [two](https://github.com/kurtmckee/feedparser/issues/113) [issues](https://github.com/kurtmckee/feedparser/issues/112)
+with the upstream [feedparser](https://github.com/kurtmckee/feedparser/) package which I use to parse feeds
+which *also* seems [unmaintained](https://github.com/kurtmckee/feedparser/issues/108), unfortunately.
+
+Feed2exec is beta software at this point, but it's working well enough
+for me and the design is much simpler than the other programs of the
+kind. The main issue people can expect from it at this point is
+formatting issues or parse errors on exotic feeds, and noisy error
+messages on network errors, all of which should be fairly easy to fix
+in the test suite. I hope it will be useful for the community and, as
+usual, I welcome contributions, help and suggestions on how to improve
+the software.
+
+More Python templates
+---------------------
+
+As part of the work on feed2exec, I did cleanup a few things in
+the [ecdysis](https://gitlab.com/anarcat/ecdysis) project, mostly to hook tests up in the CI, improve
+on the [advancedConfig](https://gitlab.com/anarcat/ecdysis/blob/b026219509e16b5ceeb1de9d7c8aa7fd7cd3f27c/ecdysis/logging.py#L47) logger and cleanup more stuff.
+
+While I was there, it turns out that I built a pretty decent
+basic [CI configuration for Python](https://gitlab.com/gitlab-org/gitlab-ci-yml/merge_requests/96) on GitLab. Whereas the previous
+templates only had a non-working Django example, you should now be
+able to chose a `Python` template when you configure CI on GitLab 10
+and above, which should hook you up with normal Python setup
+procedures like `setup.py install` and `setup.py test`.
+
+Selfspy
+-------
+
+I mentioned working on a monitoring tool in my last post, because it
+was a feature from [Workrave](http://www.workrave.org/) missing in [SafeEyes](http://slgobinath.github.io/SafeEyes/). It turns
+out there is already such a tool called [selfspy](https://github.com/gurgeh/selfspy). I did an
+extensive [review](https://github.com/gurgeh/selfspy/issues/160) of the software to make sure it wouldn't leak
+out confidential information out before using it, and it looks,
+well... kind of okay. It crashed on me at least once so far, which is
+too bad because then it loses track of the precious activity. I have
+used it at least once to figure out what the heck I worked on during
+the day, so it's pretty useful. I particularly used it to backtrack my
+work on feed2exec as I didn't originally track my time on the project.
+
+Unfortunately, selfspy seems unmaintained. I have [proposed a
+maintenance team](https://github.com/gurgeh/selfspy/issues/161) and hopefully the project maintainer will respond
+and at least share access so we don't end up in a situation like
+linkchecker. I also sent a bunch of pull requests to fix some issues
+like being [secure by default](https://github.com/gurgeh/selfspy/pull/158) and [fixing](https://github.com/gurgeh/selfspy/pull/157)
+the [build](https://github.com/gurgeh/selfspy/pull/156). Apart from the crash, the main issue I have found with
+the software is that it doesn't [detect idle time](https://github.com/gurgeh/selfspy/issues/162) which means
+certain apps are disproportionatly represented in statistics. There
+are also some [weaknesses in the crypto](https://github.com/gurgeh/selfspy/issues/159) that should be adressed
+for people that encrypt their database.
+
+Next step is to [package selfspy in Debian](https://bugs.debian.org/873955) which should hopefully
+be simple enough...
+
+Restic documentation security
+-----------------------------
+
+As part of a [documentation patch](https://github.com/restic/restic/pull/1245) on the Restic backup software, I
+have improved on my previous Perl script to snoop on process
+commandline arguments. A common flaw in shell scripts and cron jobs is
+to pass secret material in the environment (usually safe) but often
+through commandline arguments (definitely not safe). The challenge, in
+this peculiar case, was the `env` binary, but the last time I
+encountered such an [issue](https://www.drupal.org/node/671906) was with the [Drush](http://www.drush.org/) commandline
+tool, which was passing database credentials in clear to the `mysql`
+binary. Using my [Perl sniffer](https://gitlab.com/anarcat/scripts/blob/master/sniff-cli.pl), I could get to 60 checks per
+second (or 60Hz). After reimplementing it in [Python](https://gitlab.com/anarcat/scripts/blob/master/sniff-cli.py), this number
+went up to 160Hz, which *still* wasn't enough to catch the elusive
+`env` command, which is much faster at hiding arguments than MySQL, in
+large part because it simply does an `execve()` once the environment
+is setup.
+
+Eventually, I just went crazy and [rewrote the whole thing in C](https://gitlab.com/anarcat/scripts/blob/master/sniff-cli.c)
+which was able to get 700-900Hz and *did* catch the `env` command
+about 10-20% of the time. I could probably have rewritten this by
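Review bot: the Restic section's parenthetical that passing secrets in the environment is "usually safe" deserves a qualifier: /proc/<pid>/environ is readable by any process running as the same user (and by root), and the environment is inherited by every child process, so a file with restrictive permissions or a dedicated credential store is the safer recommendation; the argument-vs-environment contrast itself is right, since /proc/<pid>/cmdline is world-readable by default. Smaller fixes in the same hunk: "used the used 2.2.8 release tarball" duplicates a word, the stray "1.9 after patches (B):" label was pasted into the ruby 1.9 test-suite output, and "chose", "disproportionatly" and "adressed" should read "choose", "disproportionately" and "addressed".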

(diff file truncated)
new mandela quote, thx rhl
diff --git a/sigs.fortune b/sigs.fortune
index 28a7f14a..e33b34b7 100644
--- a/sigs.fortune
+++ b/sigs.fortune
@@ -1062,3 +1062,8 @@ make it so simple that there are obviously no deficiencies, and the
 other way is to make it so complicated that there are no obvious
 deficiencies. The first method is far more difficult.
                         - C.A.R. Hoare
+%
+Like slavery and apartheid, poverty is not natural. It is man-made and
+it can be overcome and eradicated by the actions of human
+beings. Overcoming poverty is not a gesture of charity. It is an act
+of justice.             - Nelson Mandela

other image builders
diff --git a/software/containers.mdwn b/software/containers.mdwn
index 0378bb38..dc9b9053 100644
--- a/software/containers.mdwn
+++ b/software/containers.mdwn
@@ -48,4 +48,5 @@ Re-running:
 
 Building images requires using the separate [acbuild](https://github.com/containers/build) command which
 builds "standard" ACI images and not docker images. Other tools are
-obviously available like [Packer](https://www.packer.io/).
+available like [Packer](https://www.packer.io/), [umoci](https://github.com/openSUSE/umoci) or [Buildah](https://github.com/projectatomic/buildah), although only
+Buildah can use Dockerfiles to build images.

Added a comment: Theoretical compromise
diff --git a/blog/2017-03-02-password-hashers/comment_5_1c5fb04ffa7e4595be79e42c66d0d127._comment b/blog/2017-03-02-password-hashers/comment_5_1c5fb04ffa7e4595be79e42c66d0d127._comment
new file mode 100644
index 00000000..410bf505
--- /dev/null
+++ b/blog/2017-03-02-password-hashers/comment_5_1c5fb04ffa7e4595be79e42c66d0d127._comment
@@ -0,0 +1,12 @@
+[[!comment format=mdwn
+ ip="80.177.21.246"
+ claimedauthor="copernicus"
+ subject="Theoretical compromise"
+ date="2017-09-24T11:47:49Z"
+ content="""
+>Password hashing, as a general concept, actually has serious problems: since the hashing outputs are constantly compromised (they are sent in password forms to various possibly hostile sites), it's theoretically possible to derive the master password and then break all the generated tokens in one shot.
+
+I wouldn't see this as serious problem (or even a problem at all) with [masterpassword](http://masterpasswordapp.com/). A 20 character high-entropy alphanumicic + special symbols master password would take many years to force. That's all apart from the slowness of scrypt.
+
+Also, assume the attacker has the plaintext version of the password and can derive **a** master password from it. (BTW, how does he know all the details to do this, full name etc?). This master password need not be **the** master password the user has typed on the keyboard.
+"""]]
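Review bot: "alphanumicic" should be "alphanumeric". On the argument itself, the brute-force cost estimate holds only for the master password's own entropy: the per-site inputs mentioned (full name, site name and so on) are not secret and add nothing against an attacker who already holds a generated password, so the defence rests entirely on the master password strength and the scrypt parameters.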

add quotes from hoare
diff --git a/sigs.fortune b/sigs.fortune
index 23c3271f..28a7f14a 100644
--- a/sigs.fortune
+++ b/sigs.fortune
@@ -1053,3 +1053,12 @@ the time might start to think.
 %
 If we do not do the impossible, we shall be faced with the unthinkable.
                         - Murray Bookchin
+%
+The price of reliability is the pursuit of the utmost simplicity.
+                        - C.A.R. Hoare
+%
+There are two ways of constructing a software design: One way is to
+make it so simple that there are obviously no deficiencies, and the
+other way is to make it so complicated that there are no obvious
+deficiencies. The first method is far more difficult.
+                        - C.A.R. Hoare

remove ham packages i dont use
diff --git a/software/packages.yml b/software/packages.yml
index 27da4ec1..9425c6e9 100644
--- a/software/packages.yml
+++ b/software/packages.yml
@@ -378,9 +378,7 @@
       - gnuradio
       - gpredict
       - gqrx-sdr
-      - grig
       - multimon
-      - owx
       - splat
       - xastir
  

remove netdata, too big for casual needs
diff --git a/software/packages.yml b/software/packages.yml
index d065223e..27da4ec1 100644
--- a/software/packages.yml
+++ b/software/packages.yml
@@ -308,7 +308,6 @@
       - mtr-tiny
       - netcat
       - netcat-openbsd
-      - netdata
       - nmap
       - oping
       - passwdqc

remove missing packages
diff --git a/software/packages.yml b/software/packages.yml
index ebfd2918..d065223e 100644
--- a/software/packages.yml
+++ b/software/packages.yml
@@ -281,7 +281,6 @@
     apt: name={{item}} state=installed
     with_items:
       - ansible
-      - apacheutils
       - apt-transport-https
       - asciinema
       - borgbackup
@@ -381,11 +380,9 @@
       - gpredict
       - gqrx-sdr
       - grig
-      - ibp
       - multimon
       - owx
       - splat
-      - uhd
       - xastir
  
   - name: install GPS tools

convert tasks list to ansible playbook
diff --git a/software/contributions.mdwn b/software/contributions.mdwn
index c640e4ba..2ed68569 100644
--- a/software/contributions.mdwn
+++ b/software/contributions.mdwn
@@ -25,7 +25,8 @@ Actifs:
  * [irklab](https://gitlab.com/anarcat/irklab/), an IRC gateway for [gitlab.com](http://gitlab.com)
  * [bup-cron](https://github.com/anarcat/bup-cron), a wrapper
    around [bup](https://bup.github.io/)
- * [[a set of packages to install on debian|mytasks.desc]]
+ * [[a set of packages to install on debian|packages.yml]], usable as
+   an ansible playbook
 
 Inactifs:
 
diff --git a/software/mytasks.desc b/software/mytasks.desc
deleted file mode 100644
index db4e1610..00000000
--- a/software/mytasks.desc
+++ /dev/null
@@ -1,370 +0,0 @@
-Task: anarcat-graphist
-Section: user
-Description: Anarcat's graphic design software
- My graphic design tools. Not much, since I don't do much of that.
-Packages: list
- colorhug-client
- darktable
- dia
- dispcalgui
- gimp
- inkscape
- sane
- xsane
-
-Task: anarcat-developer
-Section: user
-Description: Anarcat's dev tools
- Mostly VCS tools, emacs, emulation tools and emulators.
-Packages: list
- adb
- apt-file
- apt-listbugs
- aptitude
- bzr
- build-essential
- cdbs
- curl
- colordiff
- cvs
- debian-el
- debian-installer-9-netboot-amd64
- dgit
- syslinux-efi
- pxelinux
- devscripts
- dia
- dpkg-dev-el
- elpa-anzu
- elpa-company
- elpa-company-go
- elpa-ledger
- elpa-markdown-mode
- elpa-py-autopep8
- elpa-use-package
- elpa-yasnippet
- exuberant-ctags
- emacs
- emacs-goodies-el
- emacs25
- emacs25-common-non-dfsg
- fastboot
- flake8
- gdb
- git
- git-annex
- git-buildpackage
- git-email
- git-extras
- git-svn
- glade
- gocode
- golang
- golang-mode
- golint
- graphviz
- haskell-mode
- stylish-haskell
- icdiff
- ikiwiki
- ikiwiki-hosting-common
- info
- ipython
- ipython3
- jq
- libterm-readkey-perl
- libtext-bibtex-perl
- libsearch-xapian-perl
- linkchecker
- make-doc
- mercurial
- myrepos
- ncdu
- nodejs
- nodejs-legacy
- npm
- org-mode
- org-mode-doc
- pastebinit
- perl-doc
- pv
- python
- python3
- python-jedi
- python3-jedi
- python-pip
- python3-pip
- python-pytest
- python3-pytest
- python-seaborn
- python3-seaborn
- python-setuptools
- python3-setuptools-scm
- python-setuptools
- python3-setuptools-scm
- python-sphinx
- python3-sphinx
- python-sphinx-rtd-theme
- python3-sphinx-rtd-theme
- python-ttystatus
- python-wheel
- reprotest
- tox
- twine
- qemu
- qemu-kvm
- quilt
- sbuild
- shellcheck
- sloccount
- sqlitebrowser
- subversion
- time
- twine
- vagrant
- valgrind
- vim
- virtualbox
- wget
-
-Task: anarcat-desktop
-Section: user
-Description: Anarcat's desktop setup
- Shitload of stuff that doesn't fit anywhere else.
-Packages: list
- apksigner
- arandr
- aspell-fr
- calibre
- chromium
- diceware
- dict
- electrum
- emacs
- exiftool
- fim
- firefox
- fonts-roboto
- fortunes
- gajim
- gameclock
- git-annex
- git-lfs
- gobby
- gnutls-bin
- hledger
- jmtpfs
- ledger
- ledger-el
- less
- libnotify-bin
- libu2f-host0
- localepurge
- locales
- mlocate
- maim
- monkeysign
- monkeysphere
- mpd
- msmtp-mta
- mumble
- mutt
- ncdu
- needrestart
- needrestart-session
- network-manager-iodine-gnome
- network-manager-openvpn-gnome
- notmuch
- notmuch-emacs
- oathtool
- offlineimap

(diff file truncated)
remove unused mailserver task
diff --git a/software/mytasks.desc b/software/mytasks.desc
index 677f2208..db4e1610 100644
--- a/software/mytasks.desc
+++ b/software/mytasks.desc
@@ -316,14 +316,6 @@ Packages: list
  mutt
  offlineimap
 
-Task: anarcat-mailserver
-Section: user
-Description: Anarcat's mail services
- Postfix for now, but will have more goodies.
-Packages: list
- postfix
- postfix-pcre
-
 Task: anarcat-multimedia
 Section: user
 Description: Anarcat's multimedia tools

more stuff from the up to april installed on my workstation
diff --git a/software/mytasks.desc b/software/mytasks.desc
index fd19099f..677f2208 100644
--- a/software/mytasks.desc
+++ b/software/mytasks.desc
@@ -3,7 +3,10 @@ Section: user
 Description: Anarcat's graphic design software
  My graphic design tools. Not much, since I don't do much of that.
 Packages: list
+ colorhug-client
+ darktable
  dia
+ dispcalgui
  gimp
  inkscape
  sane
@@ -26,6 +29,7 @@ Packages: list
  cvs
  debian-el
  debian-installer-9-netboot-amd64
+ dgit
  syslinux-efi
  pxelinux
  devscripts
@@ -33,10 +37,13 @@ Packages: list
  dpkg-dev-el
  elpa-anzu
  elpa-company
+ elpa-company-go
  elpa-ledger
  elpa-markdown-mode
+ elpa-py-autopep8
  elpa-use-package
  elpa-yasnippet
+ exuberant-ctags
  emacs
  emacs-goodies-el
  emacs25
@@ -50,6 +57,7 @@ Packages: list
  git-email
  git-extras
  git-svn
+ glade
  gocode
  golang
  golang-mode
@@ -61,6 +69,8 @@ Packages: list
  ikiwiki
  ikiwiki-hosting-common
  info
+ ipython
+ ipython3
  jq
  libterm-readkey-perl
  libtext-bibtex-perl
@@ -80,28 +90,33 @@ Packages: list
  pv
  python
  python3
- python-autopep8
  python-jedi
- python-pytest
- python-setuptools-scm
- python-wheel
  python3-jedi
- python3-pip
  python-pip
- python-wheel
+ python3-pip
+ python-pytest
+ python3-pytest
+ python-seaborn
+ python3-seaborn
  python-setuptools
- python-setuptools-scm
+ python3-setuptools-scm
+ python-setuptools
+ python3-setuptools-scm
  python-sphinx
- python-sphinx-rtd-theme
  python3-sphinx
+ python-sphinx-rtd-theme
  python3-sphinx-rtd-theme
  python-ttystatus
+ python-wheel
+ reprotest
+ tox
  twine
  qemu
  qemu-kvm
  quilt
  sbuild
  shellcheck
+ sloccount
  sqlitebrowser
  subversion
  time
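Review bot: `python-setuptools` and `python3-setuptools-scm` end up listed twice: the added `+ python3-setuptools-scm` / `+ python-setuptools` pair repeats the two lines immediately above it, so one copy of each should be dropped.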
@@ -133,6 +148,9 @@ Packages: list
  fortunes
  gajim
  gameclock
+ git-annex
+ git-lfs
+ gobby
  gnutls-bin
  hledger
  jmtpfs
@@ -149,14 +167,18 @@ Packages: list
  monkeysphere
  mpd
  msmtp-mta
+ mumble
  mutt
  ncdu
  needrestart
  needrestart-session
+ network-manager-iodine-gnome
+ network-manager-openvpn-gnome
  notmuch
  notmuch-emacs
  oathtool
  offlineimap
+ onionshare
  openjdk-8-jdk-headless
  openntpd
  parcimonie
@@ -165,6 +187,7 @@ Packages: list
  pcscd
  picard
  pidgin
+ pinpoint
  pmount
  pinentry-qt
  python-certifi
@@ -183,6 +206,7 @@ Packages: list
  trayer
  tty-clock
  unattended-upgrades
+ unicode
  verbiste
  verbiste-gnome
  workrave
@@ -210,8 +234,11 @@ Description: Anarcat's authorship tools (TeX)
 Packages: list
  auctex
  dict
+ epubcheck
+ elpa-writegood-mode
  libtext-multimarkdown-perl
  pandoc
+ sigil
  texlive-latex-base
  texlive-latex-recommended
  texlive-latex-extra
@@ -221,6 +248,7 @@ Section: user
 Description: Anarcat's sysadmin tools
  .
 Packages: list
+ ansible
  apacheutils
  apt-transport-https
  asciinema
@@ -228,15 +256,19 @@ Packages: list
  borgbackup-doc
  bup
  ccze
+ cu
  curl
  debian-goodies
+ debsums
  dnsutils
  etckeeper
+ f3
  gparted
  hdparm
  hopenpgp-tools
  i7z
  iftop
+ intel-microcode
  ioping
  ipcalc
  libu2f-host0
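Review bot: `intel-microcode` lives in Debian's non-free component, so this task will not find the package unless non-free is enabled in the APT sources; a short note in the task description would save a confusing install failure, and the package is worth keeping since microcode updates carry CPU security fixes.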
@@ -300,7 +332,7 @@ Description: Anarcat's multimedia tools
 Packages: list
  audacious
  audacity
- darktable
+ beets
  exfalso
  gmpc
  gmpc-plugins

small tweaks to spamassassin config
diff --git a/services/mail.mdwn b/services/mail.mdwn
index c29d9155..d9b2236d 100644
--- a/services/mail.mdwn
+++ b/services/mail.mdwn
@@ -393,7 +393,7 @@ sudo chown -R :spampd cur new tmp
 chmod g+rX cur new tmp -R
 </pre>
 
-FIrst training run:
+First training run:
 
 <pre>
 [1020]anarcat@marcos:Maildir$ sudo -u spampd sa-learn --ham --progress --max-size=1048576 ~anarcat/Maildir/cur/
@@ -408,6 +408,10 @@ Also, to add to whitelist:
 
     sudo -u spampd spamassassin -t -d -x -W <path>
 
+Also important to enable nightly rules updates:
+
+    sudo sed -i s/^CRON=./CRON=1/ /etc/default/spamassassin
+
 This doesn't report emails to pyzor and similar services, unfortunately, see <https://wiki.apache.org/spamassassin/ReportingSpam>
 
 See also: <https://wiki.apache.org/spamassassin/SiteWideBayesFeedback>
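Review bot: the added `sed -i` line rewrites `/etc/default/spamassassin` in place with no backup and no check; `sed -i.bak` or a `grep ^CRON= /etc/default/spamassassin` afterwards would make it easy to confirm the edit took, and the `^CRON=.` pattern matches only a single-character value, which is fine for `0`/`1` but worth saying. The unquoted sed expression is safe here only because it contains no shell metacharacters.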
@@ -426,7 +430,11 @@ for training, but it's not in Jessie.
 
 Another thing I could add is the [OpenPGP plugin][] which classifies
 mail according to its PGP signatures. It fetches keys on the fly and
-doesn't seem to check for updates. It's also old, so issues may abound.
+doesn't seem to check for updates. It's also old, so issues may
+abound.
+
+Finally, we should keep an eye on the [rspamd](https://rspamd.com/)
+project which reminds me of the old dspam...
 
 [OpenPGP plugin]: http://search.cpan.org/~brondsem/Mail-SpamAssassin-Plugin-OpenPGP-1.0.4/lib/Mail/SpamAssassin/Plugin/OpenPGP.pm
 

document kodi setup hack
diff --git a/services/upgrades/stretch.mdwn b/services/upgrades/stretch.mdwn
index b42ca2d1..9a0b641c 100644
--- a/services/upgrades/stretch.mdwn
+++ b/services/upgrades/stretch.mdwn
@@ -62,8 +62,46 @@ Issues
 * [[!debbug 866792]]: irssi profile should load in complain mode
 * [[!debbug 866790]]: postfix apparmor profile syntax errors
 * [[!debbug 845938]] and [[!debbug 805414]]: a2db sink locked by gdm
-* Kodi doesn't start on the right tty? (not filed, see
-  https://www.earth.li/~noodles/blog/2017/08/notes-on-stretch.html for workaround?)
+* Kodi doesn't start without switching ttys (not filed, [noodles](https://www.earth.li/~noodles/blog/2017/08/notes-on-stretch.html)
+  has a similar issue, workaround was to setup Kodi as a systemd
+  service and disabling gdm3 completely. the following file was added
+  to `/etc/systemd/system/kodi.service`:
+  
+        # stolen from https://github.com/graysky2/kodi-standalone-service
+        [Unit]
+        Description=Kodi Media Center
+        After=systemd-user-sessions.service network.target sound.target
+        
+        [Service]
+        User=xbmc
+        Group=video
+        Type=simple
+        #PAMName=login # you might want to try this one, did not work on all systems
+        # not sure what this does
+        TTYPath=/dev/tty1
+        StandardInput=tty
+        # original suggestion, but noodles added dbus-launch
+        #ExecStart=/usr/bin/xinit /usr/bin/kodi-standalone -- :0 -nolisten tcp vt1
+        # this allows the process to start in parallel with gdm3, although i had flickering issues then
+        #ExecStart=/usr/bin/xinit /usr/bin/dbus-launch --exit-with-session /usr/bin/kodi-standalone -- :1 -keeptty -nolisten tcp vt7
+        ExecStart=/usr/bin/xinit /usr/bin/dbus-launch --exit-with-session /usr/bin/kodi-standalone -- :0 -nolisten tcp vt1
+        Restart=on-abort
+        RestartSec=5
+        
+        [Install]
+        WantedBy=multi-user.target
+
+  then disable the gdm3 service and enable the service:
+
+        systemctl disable gdm3
+        systemctl enable kodi
+        systemctl stop gdm3
+        systemctl start kodi
+
+  unfortunately, I had to disable rootless X, something I would prefer
+  to avoid, but I couldn't figure out how to do that. This is done by
+  adding `needs_root_rights=yes` to `/etc/X11/Xwrapper.config`.
+
 * forgot to review the list of packages removed, those I would have
   liked to keep: torbrowser-launcher, npm
 * upgrade was performed with a bad battery, which meant suspending
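Review bot: the security trade-off at the end of the Kodi item should be stated more plainly: with `needs_root_rights=yes` in `/etc/X11/Xwrapper.config` the X server runs as root, so a compromise of the display server (which the kodi process drives as user `xbmc`) is a root compromise, and running the service as an unprivileged user mitigates only the Kodi side. The `# not sure what this does` comment can be resolved too: `TTYPath=` selects the terminal device that `StandardInput=tty` attaches to, which is why it must agree with the `vt1` argument passed to `xinit`. Minor: "setup Kodi as a systemd service and disabling gdm3" should read "set up ... and disable".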

respond
diff --git a/blog/2017-02-22-password-managers/comment_4_5e9afcbbe7a75565c307af3cf0edc4b3._comment b/blog/2017-02-22-password-managers/comment_4_5e9afcbbe7a75565c307af3cf0edc4b3._comment
new file mode 100644
index 00000000..d2740015
--- /dev/null
+++ b/blog/2017-02-22-password-managers/comment_4_5e9afcbbe7a75565c307af3cf0edc4b3._comment
@@ -0,0 +1,22 @@
+[[!comment format=mdwn
+ username="anarcat"
+ subject="""USB drives and physical limitations"""
+ date="2017-09-07T12:35:32Z"
+ content="""That does seems like a quite constrained environment... I assume you
+cannot run the password manager directly on the machine either,
+ie. you can't install your own software or lobby administration to
+install password managers for you?
+
+In that case, I agree that you are in trouble. You may find it more
+interesting to generate semi-random passwords in that case so that
+they are easier to transcribe. Fully random strings of characters tend
+to take longer to transcribe than series of words for roughly
+equivalent entropy, in my experience, so that could be useful.
+
+You may also want to look into password hashers: you may not be able
+to install your own password manager on the machine (e.g. pass or
+KeePass) but you may be able to install a browser plugin in which case
+[[password hashers|2017-03-02-password-hashers]] become interesting again.
+
+But yeah, if you can't run your own password manager on that device,
+your only solution is to run one on a different device, of course."""]]
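Review bot: "That does seems like" should read "That does seem like".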

add reference to LWN.net article
diff --git a/blog/2017-09-04-supposed-decline-copyleft.mdwn b/blog/2017-09-04-supposed-decline-copyleft.mdwn
index 1485ec92..f555f13e 100644
--- a/blog/2017-09-04-supposed-decline-copyleft.mdwn
+++ b/blog/2017-09-04-supposed-decline-copyleft.mdwn
@@ -222,7 +222,13 @@ free-software world, we can all acknowledge that the conversion of
 proprietary software to more permissive—and certainly simpler—licenses
 is definitely heading in the right direction.
 
-\[I would like to thank the DebConf organizers for providing meals for
-me during the conference.\]
+> \[I would like to thank the DebConf organizers for providing meals for
+> me during the conference.\]
+
+> *Note: this article [first appeared][] in
+> the [Linux Weekly News][].*
+
+[first appeared]: https://lwn.net/Articles/731722/
+[Linux Weekly News]: http://lwn.net/
 
 [[!tag debian-planet lwn debconf debian copyleft free-software github]]

remove lwn-specific markup
diff --git a/blog/2017-09-04-supposed-decline-copyleft.mdwn b/blog/2017-09-04-supposed-decline-copyleft.mdwn
index 03b49986..1485ec92 100644
--- a/blog/2017-09-04-supposed-decline-copyleft.mdwn
+++ b/blog/2017-09-04-supposed-decline-copyleft.mdwn
@@ -22,8 +22,7 @@ Bacon from February 2017 that showed a histogram of license usage
 between 2010 and 2017 (seen below).
 
 > ![\[Black Duck
-> histogram\]](https://static.lwn.net/images/2017/debconf-blackduck.png){.photo
-> width="1000" height="662"}
+> histogram\]](https://static.lwn.net/images/2017/debconf-blackduck.png)
 
 From that, Bacon elaborates possible reasons for the apparent decline of
 the GPL. The graphic used in the article was actually generated by
@@ -88,8 +87,7 @@ at projects on GitHub would give you a reasonable sampling from which to
 draw conclusions".
 
 > ![\[GitHub
-> graph\]](https://static.lwn.net/images/2017/debconf-github.png){.photo
-> width="700" height="409"}
+> graph\]](https://static.lwn.net/images/2017/debconf-github.png)
 
 Indeed, GitHub published a
 [report](https://github.com/blog/1964-open-source-license-usage-on-github-com)
@@ -167,8 +165,7 @@ to the Hamm 2.0 release in 1998. The data and how to reproduce it are
 BY-SA 4.0 license.
 
 > ![\[Debsource
-> graph\]](https://static.lwn.net/images/2017/debconf-debsources.png){.photo
-> width="1024" height="634"}
+> graph\]](https://static.lwn.net/images/2017/debconf-debsources.png)
 
 Sullivan presented the above graph from the research paper that showed
 the evolution of software license use in the Debian archive. Whereas

creating tag page tag/free-software
diff --git a/tag/free-software.mdwn b/tag/free-software.mdwn
new file mode 100644
index 00000000..9f32c1de
--- /dev/null
+++ b/tag/free-software.mdwn
@@ -0,0 +1,4 @@
+[[!meta title="pages tagged free-software"]]
+
+[[!inline pages="tagged(free-software)" actions="no" archive="yes"
+feedshow=10]]

creating tag page tag/copyleft
diff --git a/tag/copyleft.mdwn b/tag/copyleft.mdwn
new file mode 100644
index 00000000..485339d4
--- /dev/null
+++ b/tag/copyleft.mdwn
@@ -0,0 +1,4 @@
+[[!meta title="pages tagged copyleft"]]
+
+[[!inline pages="tagged(copyleft)" actions="no" archive="yes"
+feedshow=10]]

publish copyleft article
diff --git a/blog/debconf-licenses.mdwn b/blog/2017-09-04-supposed-decline-copyleft.mdwn
similarity index 98%
rename from blog/debconf-licenses.mdwn
rename to blog/2017-09-04-supposed-decline-copyleft.mdwn
index 07dcff9d..03b49986 100644
--- a/blog/debconf-licenses.mdwn
+++ b/blog/2017-09-04-supposed-decline-copyleft.mdwn
@@ -1,8 +1,6 @@
-The supposed decline of copyleft
-================================
-
-\[LWN subscriber-only content\]
--------------------------------
+[[!meta title="The supposed decline of copyleft"]]
+[[!meta date="2017-08-23T12:00:00-0500"]]
+[[!meta updated="2017-09-04T09:19:13-0500"]]
 
 At [DebConf17](https://debconf17.debconf.org/), John Sullivan, the
 executive director of the FSF, gave a talk on the supposed decline of
@@ -230,3 +228,4 @@ is definitely heading in the right direction.
 \[I would like to thank the DebConf organizers for providing meals for
 me during the conference.\]
 
+[[!tag debian-planet lwn debconf debian copyleft free-software github]]

Added a comment
diff --git a/blog/2017-02-22-password-managers/comment_3_c72d9365d2cdad17909fa1485421f375._comment b/blog/2017-02-22-password-managers/comment_3_c72d9365d2cdad17909fa1485421f375._comment
new file mode 100644
index 00000000..03d862af
--- /dev/null
+++ b/blog/2017-02-22-password-managers/comment_3_c72d9365d2cdad17909fa1485421f375._comment
@@ -0,0 +1,21 @@
+[[!comment format=creole
+ ip="178.24.245.0"
+ subject="comment 3"
+ date="2017-09-03T11:00:13Z"
+ content="""
+Thanks for your reply. Maybe I did not describe the scenario clearly enough:
+
+Case 1:
+* I use a computer which is not mine, and I am not sure it is trustworthy
+* I could use a portable installation of a password manager on my USB drive, but I do not want to because of the given reason
+
+Conclusion: I do not use the computer to access my password (what you said).
+
+Case 2:
+* I use a computer which is not mine, but I consider it trustworthy
+* I cannot use a portable installation of a password manager on my USB drive because of physical or administrative constraints
+
+The only solution I can come up with in this case is a password manager app on my smartphone, looking up my password there and typing it manually on the computer.
+
+Seems quite inconvenient to me. Or am I missing something?
+"""]]

fix more broken links
diff --git a/blog/2017-09-01-free-software-activities-august-2017.mdwn b/blog/2017-09-01-free-software-activities-august-2017.mdwn
index 5cb2d95b..4f7701ea 100644
--- a/blog/2017-09-01-free-software-activities-august-2017.mdwn
+++ b/blog/2017-09-01-free-software-activities-august-2017.mdwn
@@ -27,9 +27,9 @@ backport, especially because the Mercurial test suite takes a long
 time to complete. This reminded me of the virtues of
 `DEB_BUILD_OPTIONS=parallel=4`, which sped up the builds
 considerably. I also discovered that the Wheezy build chain doesn't
-support [[!debman sbuild]]'s `--source-only-changes` flag which I had
-hardcoded in my [[!debman sbuild.conf]] file. This seems to be simply
-because sbuild passes `--build=source` to [[!debman
+support [[!man sbuild]]'s `--source-only-changes` flag which I had
+hardcoded in my [[!man sbuild.conf]] file. This seems to be simply
+because sbuild passes `--build=source` to [[!man
 dpkg-buildpackage]], an option that is supported only in jessie or
 later.
 

link to the quicklink
diff --git a/software/debian-development.mdwn b/software/debian-development.mdwn
index 65072279..a99d3c8c 100644
--- a/software/debian-development.mdwn
+++ b/software/debian-development.mdwn
@@ -2,6 +2,8 @@
 
 [[!toc levels=2]]
 
+[[!note "This guide is also available under the URL <https://deb.li/quickdev>."]]
+
 This guides aims to kickstart people with working in existing Debian
 packages, either to backport software, patch existing packages or work
 on security issues as part of the security team or the LTS project.
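Review bot: the context line "This guides aims to kickstart people with working in existing Debian packages" has a number disagreement ("This guide aims") that could be fixed in the same commit.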
