Recent changes to this wiki. Not to be confused with my history.

Complete source to the wiki is available on gitweb or by cloning this site.

another leguin quote
diff --git a/fortunes.txt b/fortunes.txt
index 63a35904..2a51aae2 100644
--- a/fortunes.txt
+++ b/fortunes.txt
@@ -1166,3 +1166,8 @@ happier if it is called "the People's Stick."
 No theory, no ready-made system, no book that has ever been written
 will save the world. I cleave to no system. I am a true seeker.
                         - Mikhail Bakunin
+%
+Imaginative fiction trains people to be aware that there *are* other
+ways to do things and other ways to be, that there is not just one
+civilization and it is good and it is the way we have to be.
+                        - Ursula K. Le Guin

more places where my key lives, sigh
diff --git a/.well-known/openpgpkey/Makefile b/.well-known/openpgpkey/Makefile
index 2a525ec8..4d5eaa5b 100644
--- a/.well-known/openpgpkey/Makefile
+++ b/.well-known/openpgpkey/Makefile
@@ -19,6 +19,10 @@ upload:
 	gpg --keyserver keyring.debian.org --send-keys $(FINGERPRINT)
 	gpg --keyserver keys.openpgp.org --send-keys $(FINGERPRINT)
 	gpg --keyserver pool.sks-keyservers.net --send-keys $(FINGERPRINT)
+	@echo "Not covered: GitLab and GitHub accounts:"
+	@echo "https://gitlab.torproject.org/-/profile/gpg_keys"
+	@echo "https://gitlab.com/-/profile/gpg_keys"
+	@echo "https://github.com/settings/keys"
 
 renew:
 	gpg --quick-set-expire $(FINGERPRINT) $(NEXT_EXPIRE)
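
Review bot: the four reminder `@echo` lines sit at the end of the `upload` recipe, after the three `gpg --send-keys` calls, so they print only when every keyserver upload succeeds; make abandons the recipe at the first failing command. Print the reminder before the `gpg` lines, or move it to its own phony target that `upload` depends on, so the list of accounts still needing a manual update is shown even when a keyserver is unreachable.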

fix ordering: the default showed the warning at the end
diff --git a/.well-known/openpgpkey/Makefile b/.well-known/openpgpkey/Makefile
index ea4efcd6..2a525ec8 100644
--- a/.well-known/openpgpkey/Makefile
+++ b/.well-known/openpgpkey/Makefile
@@ -1,12 +1,14 @@
-.PHONY: all hu upload renew upload-tpo
+.PHONY: all warn hu upload renew upload-tpo
 
 ADDRESS=anarcat@debian.org
 FINGERPRINT=8DC901CE64146C048AD50FBB792152527B75921E
 NEXT_EXPIRE=$(shell LANG=C date -d '+1 year +1 month' '+%Y-%m-%d')
 TPO_KEYRING=~/src/tor/account-keyring/
 
-all: hu upload
-	@echo "run $(MAKE) renew all upload-tpo to make a full renewal"
+all: warn hu upload
+
+warn:
+	@echo "run '$(MAKE) renew hu upload upload-tpo' to make a full renewal"
 	@echo "this is not default because 'renew' and 'upload-tpo' are not idempotent"
 
 hu:
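
Review bot: listing `warn` as the first prerequisite of `all` puts the message first only in a serial build; under `make -j` the `warn`, `hu` and `upload` targets may run concurrently and the output can interleave again. If the ordering matters, add `.NOTPARALLEL:` to this Makefile or have `hu` depend on `warn`.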

renew my OpenPGP key for another year
I may switch to ed25519, SSH ecdsa-sk, change keycards, or give up on
the entire thing eventually, but for now this will fix the immediate
problem I have set for myself every year.
diff --git a/.well-known/openpgpkey/hu/myctwj4an6ne7htuzyoo8osctuji68xe b/.well-known/openpgpkey/hu/myctwj4an6ne7htuzyoo8osctuji68xe
index 87688745..224f3439 100644
Binary files a/.well-known/openpgpkey/hu/myctwj4an6ne7htuzyoo8osctuji68xe and b/.well-known/openpgpkey/hu/myctwj4an6ne7htuzyoo8osctuji68xe differ

fix typo
diff --git a/.well-known/openpgpkey/Makefile b/.well-known/openpgpkey/Makefile
index 7556a141..ea4efcd6 100644
--- a/.well-known/openpgpkey/Makefile
+++ b/.well-known/openpgpkey/Makefile
@@ -7,7 +7,7 @@ TPO_KEYRING=~/src/tor/account-keyring/
 
 all: hu upload
 	@echo "run $(MAKE) renew all upload-tpo to make a full renewal"
-	@echo "this is not default because 'renew' and 'upload-tpo' are no idempotent"
+	@echo "this is not default because 'renew' and 'upload-tpo' are not idempotent"
 
 hu:
 	@echo "Consider switching to weasel's version in https://kushaldas.in/posts/setting-up-wkd.html"

also push to alberti
diff --git a/.well-known/openpgpkey/Makefile b/.well-known/openpgpkey/Makefile
index 62f74384..7556a141 100644
--- a/.well-known/openpgpkey/Makefile
+++ b/.well-known/openpgpkey/Makefile
@@ -26,3 +26,4 @@ upload-tpo:
 	gpg --export --export-options export-minimal $(FINGERPRINT) > $(TPO_KEYRING)/torproject-keyring/anarcat-$(FINGERPRINT).gpg
 	git -C $(TPO_KEYRING) commit torproject-keyring/anarcat-$(FINGERPRINT).gpg
 	git -C $(TPO_KEYRING) push
+	git -C $(TPO_KEYRING) push alberti
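
Review bot: the added `git -C $(TPO_KEYRING) push alberti` on the last line of `upload-tpo` runs only when the `git commit` and the default `git push` before it both succeed, so a failure on the first remote leaves `alberti` without the renewed key as well. `git commit` also exits non-zero when the exported file is unchanged, which stops the recipe before either push. Consider adding both URLs as push URLs of one remote so a single `git push` covers them, and document that a re-run with an unchanged key is expected to fail at the commit.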

fix date format in expiry specification
Previous one would be (1) localized, and (2) with spaces, both of
which made GnuPG unhappy enough to just totally fail.
diff --git a/.well-known/openpgpkey/Makefile b/.well-known/openpgpkey/Makefile
index 6636f2e8..62f74384 100644
--- a/.well-known/openpgpkey/Makefile
+++ b/.well-known/openpgpkey/Makefile
@@ -2,7 +2,7 @@
 
 ADDRESS=anarcat@debian.org
 FINGERPRINT=8DC901CE64146C048AD50FBB792152527B75921E
-NEXT_EXPIRE=$(shell date -d '+1 year +1 month')
+NEXT_EXPIRE=$(shell LANG=C date -d '+1 year +1 month' '+%Y-%m-%d')
 TPO_KEYRING=~/src/tor/account-keyring/
 
 all: hu upload
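
Review bot: on the new `NEXT_EXPIRE` line, `LANG=C` loses to `LC_ALL` or `LC_TIME` when either is set in the caller's environment; `LC_ALL=C` is the form that always takes effect. The explicit `'+%Y-%m-%d'` format already makes the output numeric and space-free, so this is a robustness point rather than a bug. Separately, `=` makes the `$(shell date ...)` call run again at every expansion of the variable; `:=` would evaluate it once per make invocation.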

simpler alternative to recordmydesktop
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 91de6973..c98209ed 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -203,7 +203,9 @@ list.
    an option here)
  * [gocode was removed](https://bugs.debian.org/976642) along with elpa-company-go, need to switch
    to gopls
- * [gtk-recordmydesktop](https://tracker.debian.org/pkg/gtk-recordmydesktop) - Python 2, dead upstream, see [bug 943983](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=943983)
+ * [gtk-recordmydesktop](https://tracker.debian.org/pkg/gtk-recordmydesktop) - Python 2, dead upstream, see [bug
+   943983](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=943983), [peek](https://github.com/phw/peek) ([in Debian](https://tracker.debian.org/pkg/peek)) is a great, no-frills
+   replacement
  * Python 2 support is removed! hopefully most of my stuff is already
    Python 3, but I did lose monkeysign and gameclock, as mentioned above
  * Mailman 2 is consequently removed
@@ -243,11 +245,11 @@ possible I won't be able to do anything after reboot. :p
 Some other removed packages I have just accepted the removal, with the
 following alternatives:
 
-| Package               | Alternative             | Rationale                                      |
-|-----------------------|-------------------------|------------------------------------------------|
-| `gocode`              | `gopls`                 | LSP is the (ad-hoc) standard                   |
-| `gtk-recordmydesktop` | `obs`                   | OBS Studio can also be used for live streaming |
-| `usbguard-applet-qt`  | `usbguard allow-device` | GUI just gone, but commandline might work      |
+| Package               | Alternative             | Rationale                                                                          |
+|-----------------------|-------------------------|------------------------------------------------------------------------------------|
+| `gocode`              | `gopls`                 | LSP is the (ad-hoc) standard                                                       |
+| `gtk-recordmydesktop` | `obs`, `peek`           | peek is a nice, simple alternative, OBS Studio can also be used for live streaming |
+| `usbguard-applet-qt`  | `usbguard allow-device` | GUI just gone, but commandline might work                                          |
 
 ### Cool things I want to try
 

approve comment
diff --git a/blog/2020-03-10-font-changes/comment_1_dc3edf8f30167de3f6b290f5ccd69994._comment b/blog/2020-03-10-font-changes/comment_1_dc3edf8f30167de3f6b290f5ccd69994._comment
new file mode 100644
index 00000000..88c46908
--- /dev/null
+++ b/blog/2020-03-10-font-changes/comment_1_dc3edf8f30167de3f6b290f5ccd69994._comment
@@ -0,0 +1,13 @@
+[[!comment format=mdwn
+ ip="73.4.124.145"
+ claimedauthor="Robert Mohns"
+ url="https://www.imarc.com/about/robert-mohns"
+ subject="comment 5"
+ date="2021-05-07T16:05:11Z"
+ content="""
+Hi! I noticed the link here to my \"What’s the best font size for the web?\" post. I'm glad you found it useful!
+
+I recently discovered that my article was completely munged up by a site migration. I restored the busted calculator and cleaned up some repeated copy and some layout issues. Embarrassing, but … it's better now, and I think you'll find it more useful as well. :)
+
+I loved your post here. I really like seeing people get hands on with making their typography & readability better.
+"""]]
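
Review bot: the `ip=` field on the second line of the new comment file commits the commenter's network address to a repository that anyone can clone. Unless it is still needed for moderation after approval, blank or drop the field when approving; `claimedauthor` and `url` already identify the author the way they chose to be identified.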

snapshots: check
diff --git a/hardware/tubman.md b/hardware/tubman.md
index 3e9238a6..19756dcb 100644
--- a/hardware/tubman.md
+++ b/hardware/tubman.md
@@ -382,7 +382,7 @@ TODO:
         zfs snapshot bpool/BOOT/debian@install
         zfs snapshot rpool/ROOT/debian@install
 
- * [automatic snapshots](https://wiki.archlinux.org/title/ZFS#Automatic_snapshots)?
+ * [automatic snapshots](https://wiki.archlinux.org/title/ZFS#Automatic_snapshots) (DONE, with sanoid, [puppet](https://gitlab.com/anarcat/puppet/-/blob/main/site-modules/profile/manifests/sanoid.pp), [config](https://gitlab.com/anarcat/puppet/-/blob/main/site-modules/profile/files/sanoid.conf))
  * setup services:
    * radio (DONE)
    * sonic

name tubman
diff --git a/hardware/tubman.md b/hardware/tubman.md
index 38c28b7c..3e9238a6 100644
--- a/hardware/tubman.md
+++ b/hardware/tubman.md
@@ -1,3 +1,18 @@
+Tubman is named after [Harriet Tubman](https://en.wikipedia.org/wiki/Harriet_Tubman), an "*American abolitionist
+and political activist. Born into slavery, Tubman escaped and
+subsequently made some 13 missions to rescue approximately 70 enslaved
+people, including family and friends, using the network of antislavery
+activists and safe houses known as the [Underground
+Railroad](https://en.wikipedia.org/wiki/Underground_Railroad). During the [American Civil War](https://en.wikipedia.org/wiki/American_Civil_War), she served as an
+armed scout and spy for the Union Army. The first woman to lead an
+armed expedition in the war, she guided the raid at Combahee Ferry,
+which liberated more than 700 enslaved people. In her later years,
+Tubman was an activist in the movement for women's suffrage.*"
+
+> I was the conductor of the Underground Railroad for eight years, and
+> I can say what most conductors can't say — I never ran my train off
+> the track and I never lost a passenger.
+
 # Specification
 
 (copied from [[hardware/server/marcos/v1]])
diff --git a/services/dns.mdwn b/services/dns.mdwn
index ac76dfda..18e612d2 100644
--- a/services/dns.mdwn
+++ b/services/dns.mdwn
@@ -82,6 +82,7 @@ femmes. Exemples utilisés:
  * [[hardware/ursula]] ([K. Le Guin](https://en.wikipedia.org/wiki/Ursula_K._Le_Guin))
  * [[hardware/server/mafalda]] ([yes, the character](https://en.wikipedia.org/wiki/Mafalda))
  * [[hardware/server/plastik]] (a "piece of plastic")
+ * ([Harriet](https://en.wikipedia.org/wiki/Harriet_Tubman)) [[hardware/tubman]]
 
 Anciens
 -------
@@ -117,9 +118,6 @@ Les noms suivants pourraient être utilisés pour de futures machines:
    arborer le drapeau noir
  * [Séverine](https://fr.wikipedia.org/wiki/S%C3%A9verine) - journaliste, féministe, première femme à diriger un
    grand quotidien en France
- * [Harriet Tubman](https://en.wikipedia.org/wiki/Harriet_Tubman) - kick-ass self-freed slave, black women that
-   ran the underground railroad for 8 years and first women to lead an
-   army squadron in the US (in the Civil War, to free more slaves)
  * [Sojourner Truth](https://en.wikipedia.org/wiki/Sojourner_Truth) - abolotionist, first black women to win a
    court case against a black man
  * [Claudette Colvin](https://en.wikipedia.org/wiki/Claudette_Colvin) - before rosa parks, there was this rebel!

tag tubman
diff --git a/hardware/tubman.md b/hardware/tubman.md
index 3be368fa..38c28b7c 100644
--- a/hardware/tubman.md
+++ b/hardware/tubman.md
@@ -463,3 +463,5 @@ Destroy:
    for the above procedure
  * [WIP PR for Bullseye root on ZFS instructions](https://github.com/openzfs/openzfs-docs/pull/126)
  * [another ZFS on linux documentation](https://pthree.org/2012/04/17/install-zfs-on-debian-gnulinux/)
+
+[[!tag node]]

extra zfs docs, ssd caching
diff --git a/hardware/tubman.md b/hardware/tubman.md
index 59938af2..3be368fa 100644
--- a/hardware/tubman.md
+++ b/hardware/tubman.md
@@ -310,24 +310,69 @@ says). I want to do systemd-networkd anyways.
 We performed steps 1 through 6, remaining steps are optional and
 troubleshooting.
 
+## SSD caching
+
+The machine has been installed on two HDD: spinning rust! Those are
+typically slow, but they are redundant which should ensure high
+availability. To boost performance, we're setting up a SSD cache.
+
+ZFS has two types of caches:
+
+ * write intent log (external ZIL or SLOG)
+ * layer 2 adaptive replacement cache (L2ARC)
+
+The L2ARC is purely a performance cache, and if it dies, no data is
+lost. The former, however, can cause data loss (typically a few
+seconds, but still) in case the drive dies. So we're going with L2ARC,
+based on this [source for the redundancy claim](https://www.reddit.com/r/zfs/comments/4lkv5v/can_loss_of_slog_or_l2arc_failure_on_modern/).
+
+To configure the L2ARC cache, we simply did this:
+
+    zpool add rpool cache /dev/sda3
+
+(Actually, `-f` was necessary because there already was a
+`crypto_LUKS` partition on there, which we didn't care about.)
+
+The `sda3` device is the third partition on the SSD drive. It's 465GB
+so it should provide a lot of space for the cache.
+
+The status of the cache can be found with the `zpool iostat` command:
+
+    root@tubman:~# zpool iostat -v
+                  capacity     operations     bandwidth 
+    pool        alloc   free   read  write   read  write
+    ----------  -----  -----  -----  -----  -----  -----
+    bpool       47.8M   912M      0      0      3     14
+      mirror    47.8M   912M      0      0      3     14
+        sdb3        -      -      0      0      1      7
+        sdc3        -      -      0      0      1      7
+    ----------  -----  -----  -----  -----  -----  -----
+    rpool       1.29G  3.62T      0     60    437   432K
+      mirror    1.29G  3.62T      0     60    437   432K
+        sdb4        -      -      0     30    199   216K
+        sdc4        -      -      0     30    238   216K
+    cache           -      -      -      -      -      -
+      sda3       326M   465G      0    183  4.96K  11.9M
+    ----------  -----  -----  -----  -----  -----  -----
+
 ## Next steps
 
 TODO:
 
- * SSD caching
- * configure swap? (step 7)
+ * SSD caching (DONE)
+ * configure swap? (step 7, issues with memory pressure)
  * disable log compression? (step 8.3)
  * delete install snapshots?
         
         zfs snapshot bpool/BOOT/debian@install
         zfs snapshot rpool/ROOT/debian@install
 
- * configure regular snaphots?
+ * [automatic snapshots](https://wiki.archlinux.org/title/ZFS#Automatic_snapshots)?
  * setup services:
    * radio (DONE)
    * sonic
    * paste
-   * photos
+   * photos (Nextcloud?)
    * torrent
  * static IP (DONE)
  * port forward SSH so that it doesn't land on curie (DONE)
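
Review bot: `zpool add rpool cache /dev/sda3` in the new "SSD caching" section names the cache device by its kernel-assigned `sdX` letter, which can change between boots or when a disk is added; a `/dev/disk/by-id/...` path for the same partition is stable and safer to document. The parenthetical about `-f` should also say that the existing `crypto_LUKS` signature was checked and known to be disposable before forcing, since a reader copying the command gets no second prompt. In the paragraph above it, "The former" follows a sentence about the L2ARC and is easy to misread; naming the SLOG explicitly there would remove the ambiguity.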
@@ -369,6 +414,40 @@ TODO:
  * [initrd documentation](https://openzfs.github.io/openzfs-docs/Getting%20Started/Debian/Debian%20GNU%20Linux%20initrd%20documentation.html): booting from a snapshot, rollbacks, etc
  * [install troubleshooting](https://openzfs.github.io/openzfs-docs/Getting%20Started/Debian/Debian%20Buster%20Root%20on%20ZFS.html#troubleshooting)
 
+## ZFS primer
+
+### Information
+
+Listing partitions and snapshots:
+
+    zfs list
+
+IO statistics, every second:
+
+    zpool iostat 1
+
+### Snapshots
+
+Creating:
+
+    zfs snapshot pool/volume@LABEL
+
+Listing:
+
+    zfs list -t snapshot
+
+Listing with creation date:
+
+    zfs list -t snapshot -o name,creation
+
+Rollback:
+
+    zfs rollback pool/volume@LABEL
+
+Destroy:
+
+    zfs destroy pool/volume@LABEL
+
 ## Other documentation
 
 ### ZFS documentation
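
Review bot: under "Information", the label "Listing partitions and snapshots" does not match `zfs list`, which lists datasets (filesystems and volumes) and leaves snapshots out by default; the `zfs list -t snapshot` entry further down is the one that shows them. Under "Snapshots", `zfs rollback pool/volume@LABEL` works as written only for the most recent snapshot; going further back needs `-r`, which destroys the snapshots taken after the target, and that deserves a line next to the command.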
@@ -383,5 +462,4 @@ TODO:
  * [OpenZFS: Debian buster root on ZFS](https://openzfs.github.io/openzfs-docs/Getting%20Started/Debian/Debian%20Buster%20Root%20on%20ZFS.htm): excellent documentation, basis
    for the above procedure
  * [WIP PR for Bullseye root on ZFS instructions](https://github.com/openzfs/openzfs-docs/pull/126)
- * [source for redundancy claim](https://www.reddit.com/r/zfs/comments/4lkv5v/can_loss_of_slog_or_l2arc_failure_on_modern/)
  * [another ZFS on linux documentation](https://pthree.org/2012/04/17/install-zfs-on-debian-gnulinux/)

sort through some links
diff --git a/hardware/tubman.md b/hardware/tubman.md
index 69b8e8bb..59938af2 100644
--- a/hardware/tubman.md
+++ b/hardware/tubman.md
@@ -324,7 +324,7 @@ TODO:
 
  * configure regular snaphots?
  * setup services:
-   * radio
+   * radio (DONE)
    * sonic
    * paste
    * photos
@@ -332,16 +332,6 @@ TODO:
  * static IP (DONE)
  * port forward SSH so that it doesn't land on curie (DONE)
  * [report back on the procedure](https://github.com/openzfs/openzfs-docs/pull/126#pullrequestreview-647650769) (DONE)
- * sort through those links:
-   * <https://wiki.debian.org/ZF>
-   * <https://www.reddit.com/r/zfs/comments/b2j66o/zfs_on_root_are_you_doing_it>
-   * <https://www.funtoo.org/ZFS_as_Root_Filesyste>
-   * <https://openzfs.github.io/openzfs-docs/Getting%20Started/Debian/Debian%20Buster%20Root%20on%20ZFS.htm>
-   * <https://github.com/openzfs/openzfs-docs/pull/12>
-   * <https://www.reddit.com/r/zfs/comments/4lkv5v/can_loss_of_slog_or_l2arc_failure_on_modern>
-   * <https://duckduckgo.com/?t=ffab&q=zfs+ssd+caching&ia=we>
-   * <https://startpage.com/do/metasearch.pl?query=zfs%20ssd%20cachin>
-   * <https://duckduckgo.com/?t=ffab&q=zfs+filesystem+caching>
 
 ## Decisions taken during the procedure
 
@@ -378,3 +368,20 @@ TODO:
 
  * [initrd documentation](https://openzfs.github.io/openzfs-docs/Getting%20Started/Debian/Debian%20GNU%20Linux%20initrd%20documentation.html): booting from a snapshot, rollbacks, etc
  * [install troubleshooting](https://openzfs.github.io/openzfs-docs/Getting%20Started/Debian/Debian%20Buster%20Root%20on%20ZFS.html#troubleshooting)
+
+## Other documentation
+
+### ZFS documentation
+
+ * [Debian wiki page](https://wiki.debian.org/ZFS): good introduction, basic commands, some
+   advanced stuff
+ * [Arch wiki page](https://wiki.archlinux.org/title/ZFS): much more stuff
+ * [Gentoo wiki page](https://wiki.gentoo.org/wiki/ZFS): less more stuff, similar to ARch
+ * [FreeBSD handbook](https://docs.freebsd.org/en/books/handbook/zfs/): FreeBSD-specific of course, but
+   excellent as always
+ * [ZFS on Linux FAQ](https://github.com/zfsonlinux/zfs/wiki/faq)
+ * [OpenZFS: Debian buster root on ZFS](https://openzfs.github.io/openzfs-docs/Getting%20Started/Debian/Debian%20Buster%20Root%20on%20ZFS.htm): excellent documentation, basis
+   for the above procedure
+ * [WIP PR for Bullseye root on ZFS instructions](https://github.com/openzfs/openzfs-docs/pull/126)
+ * [source for redundancy claim](https://www.reddit.com/r/zfs/comments/4lkv5v/can_loss_of_slog_or_l2arc_failure_on_modern/)
+ * [another ZFS on linux documentation](https://pthree.org/2012/04/17/install-zfs-on-debian-gnulinux/)
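
Review bot: the "OpenZFS: Debian buster root on ZFS" entry links to a URL ending in `Root%20on%20ZFS.htm`, while the two context lines at the top of this hunk use `.html` for the same document, so the link looks truncated in the same way as the entries in the list this commit removes. The Gentoo entry also reads "less more stuff, similar to ARch", which needs a second pass.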

spacing
diff --git a/blog/2021-04-28-tpo-status-page.mdwn b/blog/2021-04-28-tpo-status-page.mdwn
index 43844272..8935599b 100644
--- a/blog/2021-04-28-tpo-status-page.mdwn
+++ b/blog/2021-04-28-tpo-status-page.mdwn
@@ -3,7 +3,7 @@
 The Tor Project now has a [status page](https://status.torproject.org/) which shows the state of
 our major services.
 
-**You can check[status.torprojet.org](https://status.torproject.org) for news about major outages
+**You can check [status.torprojet.org](https://status.torproject.org) for news about major outages
 in Tor services**, including v3 and v2 onion services, directory
 authorities, our website ([torproject.org](https://torproject.org)), and the
 [check.torproject.org](https://check.torproject.org/) tool. The status page also displays outages
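
Review bot: the corrected line still shows `status.torprojet.org` (missing "c") as the link text while the destination is `https://status.torproject.org`. A displayed hostname that differs from the link target is what readers are told to be suspicious of, so fix the text in this same commit.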

creating tag page tag/hugo
diff --git a/tag/hugo.mdwn b/tag/hugo.mdwn
new file mode 100644
index 00000000..6fe433d3
--- /dev/null
+++ b/tag/hugo.mdwn
@@ -0,0 +1,4 @@
+[[!meta title="pages tagged hugo"]]
+
+[[!inline pages="tagged(hugo)" actions="no" archive="yes"
+feedshow=10]]

publish tor blog post
It was put online on blog.torproject.org
diff --git a/blog/2021-04-28-tpo-status-page.mdwn b/blog/2021-04-28-tpo-status-page.mdwn
index 0ec9a1cf..43844272 100644
--- a/blog/2021-04-28-tpo-status-page.mdwn
+++ b/blog/2021-04-28-tpo-status-page.mdwn
@@ -87,4 +87,8 @@ when we need to. It doesn't seem like a priority at the moment.
 
 Comments and feedback are welcome!
 
-[[!tag draft]]
+----
+
+> This article was first published on the [Tor Project Blog](https://blog.torproject.org/check-status-of-tor-services).
+
+[[!tag debian-planet web sysadmin python-planet hugo markdown tor]]

more edits from torproject.org
diff --git a/blog/2021-04-28-tpo-status-page.mdwn b/blog/2021-04-28-tpo-status-page.mdwn
index 1d0e17f7..0ec9a1cf 100644
--- a/blog/2021-04-28-tpo-status-page.mdwn
+++ b/blog/2021-04-28-tpo-status-page.mdwn
@@ -1,65 +1,62 @@
 [[!meta title="Building a status page service with Hugo"]]
 
-The Tor Project now has a [status page](https://status.torproject.org/) which
-shows the state of our major services. It will be used to announce major
-outages in external (e.g. hidden services or consensus) or internal (e.g.
-GitLab) services not working. This post documents how the service was built
-and how it works.
+The Tor Project now has a [status page](https://status.torproject.org/) which shows the state of
+our major services.
+
+**You can check[status.torprojet.org](https://status.torproject.org) for news about major outages
+in Tor services**, including v3 and v2 onion services, directory
+authorities, our website ([torproject.org](https://torproject.org)), and the
+[check.torproject.org](https://check.torproject.org/) tool. The status page also displays outages
+related to Tor internal services, like our GitLab instance.
+
+This post documents why we launched
+[status.torproject.org](https://status.torproject.org), how the service was
+built, and how it works.
 
 # Why a status page
 
-The first step in setting up a service page was to realize we needed one in
-the first place. I did a [service
-survey](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/roadmap/2021#survey-
-results) for internal users at the end of 2020 to see what could be improved,
-and one of the suggestions that came up was to "document downtimes of one hour
-or longer" and generally improve communications around monitoring. The latter
-is still on the [sysadmin
-roadmap](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/roadmap/2021), but
-a status page seemed like a good solution for the former.
-
-Note that we already have to monitoring tools in the sysadmin team:
-[Icinga](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/nagios) (a
-fork of Nagios) and
-[Prometheus](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/prometheus/),
-with
-[Grafana](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/grafana)
-dashboards. But those are hard to understand for users. Worse, they also tend
-to generate false positives, and don't clearly show users which issues are
-critical. In the end, a manually curated dashboard provides important
-usability benefits over an automated system, and [all major organisations have
-one](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/service/status#example-
-sites).
+The first step in setting up a service page was to realize we needed
+one in the first place. I [surveyed internal users](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/roadmap/2021#survey- results) at the end of
+2020 to see what could be improved, and one of the suggestions that
+came up was to "document downtimes of one hour or longer" and
+generally improve communications around monitoring. The latter is
+still on the [sysadmin roadmap](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/roadmap/2021), but a status page seemed like a
+good solution for the former.
+
+We already have two monitoring tools in the sysadmin team: [Icinga](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/nagios)
+(a fork of Nagios) and [Prometheus](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/prometheus/), with [Grafana](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/grafana)
+dashboards. But those are hard to understand for users. Worse, they
+also tend to generate false positives, and don't clearly show users
+which issues are critical.
+
+In the end, a manually curated dashboard provides important usability
+benefits over an automated system, and [all major organisations have
+one](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/service/status#example- sites).
 
 # Picking the right tool
 
-It wasn't my first foray in status page design. In another life, I had setup a
-status page using a tool called [Cachet](https://cachethq.io/). That was
-already a great improvement over the previous solutions, which were to use
+It wasn't my first foray in status page design. In another life, I had
+setup a status page using a tool called [Cachet](https://cachethq.io/). That was already
+a great improvement over the previous solutions, which were to use
 first a wiki and then a blog to post updates. But Cachet is a complex
-[Laravel](https://laravel.com/) app, which also requires a web browser to
-update. It generally requires more maintenance than what we'd like, needing
-silly things like a SQL database and PHP web server.
+[Laravel](https://laravel.com/) app, which also requires a web browser to update. It
+generally requires more maintenance than what we'd like, needing silly
+things like a SQL database and PHP web server.
 
-So when I found [cstate](https://github.com/cstate/cstate), I was pretty
-excited. It's basically a theme for the [Hugo](https://gohugo.io/) static site
-generator, which means that it's a set of HTML, CSS, and a sprinkle of
-Javascript. And being based on Hugo means that the site is generated from a
-set of [Markdown](https://en.wikipedia.org/wiki/Markdown) files and the result
-is just plain HTML that can be hosted on any web server on the planet.
+So when I found [cstate](https://github.com/cstate/cstate), I was pretty excited. It's basically a
+theme for the [Hugo](https://gohugo.io/) static site generator, which means that it's a
+set of HTML, CSS, and a sprinkle of Javascript. And being based on
+Hugo means that the site is generated from a set of [Markdown](https://en.wikipedia.org/wiki/Markdown)
+files and the result is just plain HTML that can be hosted on any web
+server on the planet.
 
 # Deployment
 
-At first, I wanted to deploy the site through [GitLab
-CI](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/service/ci), but at
-that time we didn't have GitLab pages setup. Even though we do [have GitLab
-pages setup
-now](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/gitlab#publishing-
-gitlab-pages), it's not (yet) integrated with our mirroring infrastructure.
-So, for now, the source is hosted and built in our legacy
-[git](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/git) and
-[Jenkins](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/jenkins)
-services.
+At first, I wanted to deploy the site through [GitLab CI](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/service/ci), but at
+that time we didn't have GitLab pages set up. Even though we do [have
+GitLab pages set up now](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/gitlab#publishing- gitlab-pages), it's not (yet) integrated with our
+mirroring infrastructure.  So, for now, the source is hosted and built
+in our legacy [git](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/git) and [Jenkins](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/jenkins) services.
 
 It is nice to have the content hosted in a git repository: sysadmins can just
 edit Markdown in the git repository and push to deploy changes, no web browser
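
Review bot: three of the rewritten links carry a space inside the URL (`#survey- results`, `#example- sites` and `#publishing- gitlab-pages`), left over from the line-wrapped version this hunk replaces. The fragment will not match the target anchor and some Markdown renderers will not treat the text as a link at all, so join the pieces. The new bold paragraph also has `check[status.torprojet.org]` with no space before the bracket and a misspelled hostname in the link text.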
@@ -69,24 +66,24 @@ required. And it's trivial to setup a local environment to preview changes:
     firefox https://localhost:1313/
 
 Only the sysadmin team and gitolite administrators have access to the
-repository, at this stage, but that could be improved if necessary. Merge
-requests can also be issued on the [GitLab
-repository](https://gitlab.torproject.org/tpo/tpa/status-site/) and then
-pushed by authorized personnel later on, naturally.
+repository, at this stage, but that could be improved if
+necessary. Merge requests can also be issued on the [GitLab
+repository](https://gitlab.torproject.org/tpo/tpa/status-site/) and then pushed by authorized personnel later on,
+naturally.
 
 # Availability
 
-One of the concern I have is that the site is hosted inside our normal mirror
+One of the concerns I have is that the site is hosted inside our normal mirror
 infrastructure. Naturally, if an outage occurs there, the site goes down. But
 I figured it's a bridge we'll cross when we get there. Because it's so easy to
 build the site from scratch, it's actually trivial to host a copy of the site
 on _any_ GitLab server, thanks to the `.gitlab-ci.yml` file shipped (but not
-currently used) in the repository So if push comes to shove, we can just
-publish the site elsewhere and point DNS there.
+currently used) in the repository. If push comes to shove, we can just publish
+the site elsewhere and point DNS there.
 
 And, of course, if DNS fails us, then we're in trouble, but that's the
-situation anyways: we can always register a new domain name for the status
-page when we need to. It doesn't seem like a priority at the moment.
+situation anyway: we can always register a new domain name for the status page
+when we need to. It doesn't seem like a priority at the moment.
 
 Comments and feedback are welcome!
 

redraft
diff --git a/blog/2021-04-28-tpo-status-page.mdwn b/blog/2021-04-28-tpo-status-page.mdwn
index 939a911b..1d0e17f7 100644
--- a/blog/2021-04-28-tpo-status-page.mdwn
+++ b/blog/2021-04-28-tpo-status-page.mdwn
@@ -90,3 +90,4 @@ page when we need to. It doesn't seem like a priority at the moment.
 
 Comments and feedback are welcome!
 
+[[!tag draft]]

did some edits on the website, reimported with html2markdown
diff --git a/blog/2021-04-28-tpo-status-page.mdwn b/blog/2021-04-28-tpo-status-page.mdwn
index 66a8d98a..939a911b 100644
--- a/blog/2021-04-28-tpo-status-page.mdwn
+++ b/blog/2021-04-28-tpo-status-page.mdwn
@@ -1,87 +1,92 @@
 [[!meta title="Building a status page service with Hugo"]]
 
-The Tor Project now has a [status page](https://status.torproject.org/) which shows the state of
-our major services. We'll use this going forward to announce major
-outages in external (e.g. hidden services or consensus ) or internal
-(e.g. GitLab) services not working. This post documents how the
-service was built and how it works.
+The Tor Project now has a [status page](https://status.torproject.org/) which
+shows the state of our major services. It will be used to announce major
+outages in external (e.g. hidden services or consensus) or internal (e.g.
+GitLab) services not working. This post documents how the service was built
+and how it works.
 
 # Why a status page
 
-The first step in setting up a service page was to realize we needed
-one in the first place. I have made a [service survey](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/roadmap/2021#survey-results) for internal
-users at the end of 2020 to see what could be improved, and one of the
-suggestions that came up was to "document downtimes of one hour or
-longer" and generally improve communications and monitoring. The
-latter is still on the [sysadmin roadmap](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/roadmap/2021), but for the former, it
-seemed ideal to create a status page.
+The first step in setting up a service page was to realize we needed one in
+the first place. I did a [service
+survey](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/roadmap/2021#survey-
+results) for internal users at the end of 2020 to see what could be improved,
+and one of the suggestions that came up was to "document downtimes of one hour
+or longer" and generally improve communications around monitoring. The latter
+is still on the [sysadmin
+roadmap](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/roadmap/2021), but
+a status page seemed like a good solution for the former.
 
 Note that we already have to monitoring tools in the sysadmin team:
-[Icinga](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/nagios) (a fork of Nagios) and [Prometheus](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/prometheus/), with [Grafana](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/grafana)
-dashboards. But those are hard to understand for users and worse, tend
-to generate false positive, and don't clearly show users which issues
-are critical. In the end, a manually curated dashboard provides huge
-usability benefits over automated system, and [all major organisations
-have one](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/service/status#example-sites).
+[Icinga](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/nagios) (a
+fork of Nagios) and
+[Prometheus](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/prometheus/),
+with
+[Grafana](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/grafana)
+dashboards. But those are hard to understand for users. Worse, they also tend
+to generate false positives, and don't clearly show users which issues are
+critical. In the end, a manually curated dashboard provides important
+usability benefits over an automated system, and [all major organisations have
+one](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/service/status#example-
+sites).
 
 # Picking the right tool
 
-It wasn't my first foray in status page design. In a previous job, I
-had setup a status page using a tool called [Cachet](https://cachethq.io/), which was a
-great improvement over the previous solutions, which were to use first
-a wiki and then a blog to post updates. But Cachet is a complex
-PHP/Laravel app, and requires some work to setup and deploy. It also
-requires a web browser to update, and generally requires more
-maintenance than what we'd like.
+It wasn't my first foray in status page design. In another life, I had setup a
+status page using a tool called [Cachet](https://cachethq.io/). That was
+already a great improvement over the previous solutions, which were to use
+first a wiki and then a blog to post updates. But Cachet is a complex
+[Laravel](https://laravel.com/) app, which also requires a web browser to
+update. It generally requires more maintenance than what we'd like, needing
+silly things like a SQL database and PHP web server.
 
-So when I found about [cstate](https://github.com/cstate/cstate), I was so excited that I just set it
-up right away. It's basically a theme for the [Hugo](https://gohugo.io/) static site
+So when I found [cstate](https://github.com/cstate/cstate), I was pretty
+excited. It's basically a theme for the [Hugo](https://gohugo.io/) static site
 generator, which means that it's a set of HTML, CSS, and a sprinkle of
-Javascript. And being based on Hugo means that the site is generated
-from a set of [Markdown](https://en.wikipedia.org/wiki/Markdown) files and the result is just plain HTML
-that can be hosted on any web server on the planet.
+Javascript. And being based on Hugo means that the site is generated from a
+set of [Markdown](https://en.wikipedia.org/wiki/Markdown) files and the result
+is just plain HTML that can be hosted on any web server on the planet.
 
 # Deployment
 
-At first, I wanted to deploy the site through GitLab CI, but at that
-time we didn't have GitLab pages setup. Even though we [do have GitLab
-pages setup](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/gitlab#publishing-gitlab-pages), it's not integrated with our mirroring
-infrastructure. So, for now, the source is hosted and build in our
-[legacy git](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/git) and [Jenkins](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/jenkins) services.
-
-It is nice to have the content hosted in a git repository: sysadmins
-can just edit markdown in the git repository and push to deploy
-changes, no web browser required. And because `hugo` is fast, it's
-trivial to setup a local environment to preview changes:
+At first, I wanted to deploy the site through [GitLab
+CI](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/service/ci), but at
+that time we didn't have GitLab pages setup. Even though we do [have GitLab
+pages setup
+now](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/gitlab#publishing-
+gitlab-pages), it's not (yet) integrated with our mirroring infrastructure.
+So, for now, the source is hosted and built in our legacy
+[git](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/git) and
+[Jenkins](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/jenkins)
+services.
+
+It is nice to have the content hosted in a git repository: sysadmins can just
+edit Markdown in the git repository and push to deploy changes, no web browser
+required. And it's trivial to setup a local environment to preview changes:
 
     hugo serve --baseUrl=http://localhost/
     firefox https://localhost:1313/
 
 Only the sysadmin team and gitolite administrators have access to the
-repository, at this stage, but that can be changed. Merge requests can
-also be issued on the [GitLab repository](https://gitlab.torproject.org/tpo/tpa/status-site/) and then pushed by
-authorized personnel later on, naturally.
+repository, at this stage, but that could be improved if necessary. Merge
+requests can also be issued on the [GitLab
+repository](https://gitlab.torproject.org/tpo/tpa/status-site/) and then
+pushed by authorized personnel later on, naturally.
 
 # Availability
 
-One of the concern I have is that the site is hosted inside our normal
-mirror infrastructure. Naturally, if an outage occurs there, the site
-goes down. But I figured it's a bridge we'll cross when we get
-there.
-
-Because it's so easy to build the site from scratch, it's actually
-trivial to host a copy of the site on *any* GitLab server, thanks to
-the `.gitlab-ci.yml` file shipped (but not currently used) in the
-repository.
-
-If push comes to shove, we can just publish the site elsewhere and
-point DNS there.
+One of the concern I have is that the site is hosted inside our normal mirror
+infrastructure. Naturally, if an outage occurs there, the site goes down. But
+I figured it's a bridge we'll cross when we get there. Because it's so easy to
+build the site from scratch, it's actually trivial to host a copy of the site
+on _any_ GitLab server, thanks to the `.gitlab-ci.yml` file shipped (but not
+currently used) in the repository So if push comes to shove, we can just
+publish the site elsewhere and point DNS there.
 
 And, of course, if DNS fails us, then we're in trouble, but that's the
-situation anyways: we can always register a new domain name for the
-status page when we need to. It doesn't seem like a priority at the
-moment.
+situation anyways: we can always register a new domain name for the status
+page when we need to. It doesn't seem like a priority at the moment.
 
 Comments and feedback are welcome!
 
-[[!tag draft]]
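Review bot: The re-wrap splits three link targets across lines (`...roadmap/2021#survey-` / `results)`, `...service/status#example-` / `sites)` and `...howto/gitlab#publishing-` / `gitlab-pages)`), which puts a line break inside the URL and will break or mangle those links; keep each `](...)` target on one line even when it exceeds the fill column. Merging the Availability paragraphs also dropped the period in "in the repository So if push comes to shove", and the unchanged context line "we already have to monitoring tools" still has "to" for "two".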

keychron review
diff --git a/hardware/keyboard.mdwn b/hardware/keyboard.mdwn
index be67b14e..a9d42bf9 100644
--- a/hardware/keyboard.mdwn
+++ b/hardware/keyboard.mdwn
@@ -263,4 +263,11 @@ Keychron
 
 [Keychron](https://www.keychron.com/) - nice wireless keyboards, maybe?
 
+[Review from a DD](https://venthur.de/2021-04-30-keychron-c1-on-linux.html) says:
+
+> Although the fix [making F-keys work] was not very hard to find and
+> apply, this experience still leaves a foul taste. I naively assumed
+> the problem of having a properly functioning keyboard that simply
+> works when you plug it in, has been thoroughly solved by 2021.
+
 [[!tag research]]

fixed formatting
diff --git a/hardware/tubman.md b/hardware/tubman.md
index c7e4e73c..69b8e8bb 100644
--- a/hardware/tubman.md
+++ b/hardware/tubman.md
@@ -314,7 +314,6 @@ troubleshooting.
 
 TODO:
 
- * fix markdown/ikiwiki formatting above
  * SSD caching
  * configure swap? (step 7)
  * disable log compression? (step 8.3)

again
diff --git a/hardware/tubman.md b/hardware/tubman.md
index 5b436988..c7e4e73c 100644
--- a/hardware/tubman.md
+++ b/hardware/tubman.md
@@ -291,7 +291,7 @@ We boot from a [grml](https://grml.org/) live image based on Debian testing
 
  18. exit chroot:
  
-        exit
+         exit
 
  18. unmount filesystems:
  

again
diff --git a/hardware/tubman.md b/hardware/tubman.md
index 95176744..5b436988 100644
--- a/hardware/tubman.md
+++ b/hardware/tubman.md
@@ -216,26 +216,26 @@ We boot from a [grml](https://grml.org/) live image based on Debian testing
  12. enable tmpfs (TODO: isn't there a better way?)
 
          ln -s /usr/share/systemd/tmp.mount /etc/systemd/system/
-         root@grml:/# systemctl enable tmp.mount
+        root@grml:/# systemctl enable tmp.mount
 
  13. grub setup:
 
          root@grml:/# grub-probe /boot
-         zfs
-         root@grml:/# update-initramfs -c -k all
-         update-initramfs: Generating /boot/initrd.img-5.10.0-6-amd64
-         root@grml:/# sed -i 's,GRUB_CMDLINE_LINUX.*,GRUB_CMDLINE_LINUX="root=ZFS=rpool/ROOT/debian",' /etc/default/grub
-         root@grml:/# update-grub
-         Generating grub configuration file ...
-         Found linux image: /boot/vmlinuz-5.10.0-6-amd64
-         Found initrd image: /boot/initrd.img-5.10.0-6-amd64
-         done
-         root@grml:/# grub-install /dev/sdb 
-         Installing for i386-pc platform.
-         Installation finished. No error reported.
-         root@grml:/# grub-install /dev/sdc 
-         Installing for i386-pc platform.
-         Installation finished. No error reported.
+        zfs
+        root@grml:/# update-initramfs -c -k all
+        update-initramfs: Generating /boot/initrd.img-5.10.0-6-amd64
+        root@grml:/# sed -i 's,GRUB_CMDLINE_LINUX.*,GRUB_CMDLINE_LINUX="root=ZFS=rpool/ROOT/debian",' /etc/default/grub
+        root@grml:/# update-grub
+        Generating grub configuration file ...
+        Found linux image: /boot/vmlinuz-5.10.0-6-amd64
+        Found initrd image: /boot/initrd.img-5.10.0-6-amd64
+        done
+        root@grml:/# grub-install /dev/sdb 
+        Installing for i386-pc platform.
+        Installation finished. No error reported.
+        root@grml:/# grub-install /dev/sdc 
+        Installing for i386-pc platform.
+        Installation finished. No error reported.
 
     make sure you check both disks in there:
     
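Review bot: After this hunk the code blocks in steps 12 and 13 have mixed indentation: the first line stays at nine spaces (`ln -s ...`, `root@grml:/# grub-probe /boot`) while every following line moves back to eight, which undoes most of the earlier change that moved them to nine. If the nine-space first line is a deliberate workaround for how ikiwiki opens a code block inside a two-digit list item, say so in the commit message; otherwise indent each block uniformly so the next edit does not flip it again.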
@@ -244,9 +244,9 @@ We boot from a [grml](https://grml.org/) live image based on Debian testing
  14. filesystem mount ordering (TODO: is this necessary?):
 
          mkdir /etc/zfs/zfs-list.cache
-         touch /etc/zfs/zfs-list.cache/bpool
-         touch /etc/zfs/zfs-list.cache/rpool
-         zed -F &
+        touch /etc/zfs/zfs-list.cache/bpool
+        touch /etc/zfs/zfs-list.cache/rpool
+        zed -F &
 
     then verify the files have data:
     
@@ -274,11 +274,11 @@ We boot from a [grml](https://grml.org/) live image based on Debian testing
 
  15. fix the paths to eliminate `/mnt`:
 
-        sed -Ei "s|/mnt/?|/|" /etc/zfs/zfs-list.cache/*
+         sed -Ei "s|/mnt/?|/|" /etc/zfs/zfs-list.cache/*
 
  16. extra config, setup SSH with auth key:
 
-        apt install --yes openssh-server
+         apt install --yes openssh-server
         mkdir /root/.ssh/
         cat > /root/.ssh/authorized_keys <<EOF
         ...
@@ -286,7 +286,7 @@ We boot from a [grml](https://grml.org/) live image based on Debian testing
 
  17. snapshot initial install:
  
-        zfs snapshot bpool/BOOT/debian@install
+         zfs snapshot bpool/BOOT/debian@install
         zfs snapshot rpool/ROOT/debian@install
 
  18. exit chroot:
@@ -295,13 +295,13 @@ We boot from a [grml](https://grml.org/) live image based on Debian testing
 
  18. unmount filesystems:
  
-        mount | grep -v zfs | tac | awk '/\/mnt/ {print $3}' | \
+         mount | grep -v zfs | tac | awk '/\/mnt/ {print $3}' | \
             xargs -i{} umount -lf {}
         zpool export -a
 
  18. reboot:
  
-        reboot
+         reboot
 
 That procedure actually worked! The only problem was the interfaces(5)
 configuration, which was missing (regardless of what the above

try to fix md formatting
dang you ikiwiki
diff --git a/hardware/tubman.md b/hardware/tubman.md
index 58ec2034..95176744 100644
--- a/hardware/tubman.md
+++ b/hardware/tubman.md
@@ -190,11 +190,11 @@ We boot from a [grml](https://grml.org/) live image based on Debian testing
 
  10. pick a root password
  
-        passwd
+         passwd
 
  11. bpool import hack (TODO: whyy)
 
-        cat > /etc/systemd/system/zfs-import-bpool.service <<EOF
+         cat > /etc/systemd/system/zfs-import-bpool.service <<EOF
         [Unit]
         DefaultDependencies=no
         Before=zfs-import-scan.service
@@ -215,38 +215,38 @@ We boot from a [grml](https://grml.org/) live image based on Debian testing
 
  12. enable tmpfs (TODO: isn't there a better way?)
 
-        ln -s /usr/share/systemd/tmp.mount /etc/systemd/system/
-        root@grml:/# systemctl enable tmp.mount
+         ln -s /usr/share/systemd/tmp.mount /etc/systemd/system/
+         root@grml:/# systemctl enable tmp.mount
 
  13. grub setup:
 
-        root@grml:/# grub-probe /boot
-        zfs
-        root@grml:/# update-initramfs -c -k all
-        update-initramfs: Generating /boot/initrd.img-5.10.0-6-amd64
-        root@grml:/# sed -i 's,GRUB_CMDLINE_LINUX.*,GRUB_CMDLINE_LINUX="root=ZFS=rpool/ROOT/debian",' /etc/default/grub
-        root@grml:/# update-grub
-        Generating grub configuration file ...
-        Found linux image: /boot/vmlinuz-5.10.0-6-amd64
-        Found initrd image: /boot/initrd.img-5.10.0-6-amd64
-        done
-        root@grml:/# grub-install /dev/sdb 
-        Installing for i386-pc platform.
-        Installation finished. No error reported.
-        root@grml:/# grub-install /dev/sdc 
-        Installing for i386-pc platform.
-        Installation finished. No error reported.
+         root@grml:/# grub-probe /boot
+         zfs
+         root@grml:/# update-initramfs -c -k all
+         update-initramfs: Generating /boot/initrd.img-5.10.0-6-amd64
+         root@grml:/# sed -i 's,GRUB_CMDLINE_LINUX.*,GRUB_CMDLINE_LINUX="root=ZFS=rpool/ROOT/debian",' /etc/default/grub
+         root@grml:/# update-grub
+         Generating grub configuration file ...
+         Found linux image: /boot/vmlinuz-5.10.0-6-amd64
+         Found initrd image: /boot/initrd.img-5.10.0-6-amd64
+         done
+         root@grml:/# grub-install /dev/sdb 
+         Installing for i386-pc platform.
+         Installation finished. No error reported.
+         root@grml:/# grub-install /dev/sdc 
+         Installing for i386-pc platform.
+         Installation finished. No error reported.
 
     make sure you check both disks in there:
     
-        dpkg-reconfigure grub-pc
+         dpkg-reconfigure grub-pc
 
  14. filesystem mount ordering (TODO: is this necessary?):
 
-        mkdir /etc/zfs/zfs-list.cache
-        touch /etc/zfs/zfs-list.cache/bpool
-        touch /etc/zfs/zfs-list.cache/rpool
-        zed -F &
+         mkdir /etc/zfs/zfs-list.cache
+         touch /etc/zfs/zfs-list.cache/bpool
+         touch /etc/zfs/zfs-list.cache/rpool
+         zed -F &
 
     then verify the files have data:
     

pre blocks misformatted, sigh
diff --git a/hardware/tubman.md b/hardware/tubman.md
index 8b75db6f..58ec2034 100644
--- a/hardware/tubman.md
+++ b/hardware/tubman.md
@@ -314,6 +314,7 @@ troubleshooting.
 
 TODO:
 
+ * fix markdown/ikiwiki formatting above
  * SSD caching
  * configure swap? (step 7)
  * disable log compression? (step 8.3)

link dump
diff --git a/hardware/tubman.md b/hardware/tubman.md
index ffa2bfb6..8b75db6f 100644
--- a/hardware/tubman.md
+++ b/hardware/tubman.md
@@ -332,6 +332,16 @@ TODO:
  * static IP (DONE)
  * port forward SSH so that it doesn't land on curie (DONE)
  * [report back on the procedure](https://github.com/openzfs/openzfs-docs/pull/126#pullrequestreview-647650769) (DONE)
+ * sort through those links:
+   * <https://wiki.debian.org/ZF>
+   * <https://www.reddit.com/r/zfs/comments/b2j66o/zfs_on_root_are_you_doing_it>
+   * <https://www.funtoo.org/ZFS_as_Root_Filesyste>
+   * <https://openzfs.github.io/openzfs-docs/Getting%20Started/Debian/Debian%20Buster%20Root%20on%20ZFS.htm>
+   * <https://github.com/openzfs/openzfs-docs/pull/12>
+   * <https://www.reddit.com/r/zfs/comments/4lkv5v/can_loss_of_slog_or_l2arc_failure_on_modern>
+   * <https://duckduckgo.com/?t=ffab&q=zfs+ssd+caching&ia=we>
+   * <https://startpage.com/do/metasearch.pl?query=zfs%20ssd%20cachin>
+   * <https://duckduckgo.com/?t=ffab&q=zfs+filesystem+caching>
 
 ## Decisions taken during the procedure
 
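Review bot: The URLs added here look truncated by one character each: `https://wiki.debian.org/ZF`, `ZFS_as_Root_Filesyste`, `...Root%20on%20ZFS.htm`, `zfs+ssd+caching&ia=we`, `query=zfs%20ssd%20cachin`, and `openzfs-docs/pull/12` where the context line just above links `pull/126`. Re-paste the list from its source before the links get sorted into the page, since several of them will not resolve as written.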

install successful!
diff --git a/hardware/tubman.md b/hardware/tubman.md
index cbe598c8..ffa2bfb6 100644
--- a/hardware/tubman.md
+++ b/hardware/tubman.md
@@ -299,7 +299,13 @@ We boot from a [grml](https://grml.org/) live image based on Debian testing
             xargs -i{} umount -lf {}
         zpool export -a
 
- 18. TODO: reboot
+ 18. reboot:
+ 
+        reboot
+
+That procedure actually worked! The only problem was the interfaces(5)
+configuration, which was missing (regardless of what the above
+says). I want to do systemd-networkd anyways.
 
 We performed steps 1 through 6, remaining steps are optional and
 troubleshooting.
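Review bot: The added paragraph says the procedure worked through to the reboot, but the unchanged sentence right after it still reads "We performed steps 1 through 6, remaining steps are optional and troubleshooting", which now contradicts it; drop or update that sentence in the same change. Since the interfaces(5) configuration turned out to be missing "regardless of what the above says", the step that was meant to create it should get a TODO or a correction so the written procedure matches what was actually run.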
@@ -323,9 +329,9 @@ TODO:
    * paste
    * photos
    * torrent
- * static IP
- * port forward SSH so that it doesn't land on curie
- * [report back on the procedure](https://github.com/openzfs/openzfs-docs/pull/126#pullrequestreview-647650769)
+ * static IP (DONE)
+ * port forward SSH so that it doesn't land on curie (DONE)
+ * [report back on the procedure](https://github.com/openzfs/openzfs-docs/pull/126#pullrequestreview-647650769) (DONE)
 
 ## Decisions taken during the procedure
 

ssd caching was the whole point
diff --git a/hardware/tubman.md b/hardware/tubman.md
index 3e9921f4..cbe598c8 100644
--- a/hardware/tubman.md
+++ b/hardware/tubman.md
@@ -308,6 +308,7 @@ troubleshooting.
 
 TODO:
 
+ * SSD caching
  * configure swap? (step 7)
  * disable log compression? (step 8.3)
  * delete install snapshots?

yolo
diff --git a/hardware/tubman.md b/hardware/tubman.md
index 40d8d288..3e9921f4 100644
--- a/hardware/tubman.md
+++ b/hardware/tubman.md
@@ -155,7 +155,7 @@ We boot from a [grml](https://grml.org/) live image based on Debian testing
 
  5. install the base system and copy the ZFS config:
  
-        debootstrap bullseye /mnt
+        debootstrap --components=main,contrib bullseye /mnt
         mkdir /mnt/etc/zfs
         cp /etc/zfs/zpool.cache /mnt/etc/zfs/
 
@@ -164,7 +164,6 @@ We boot from a [grml](https://grml.org/) live image based on Debian testing
         echo HOSTNAME > /mnt/etc/hostname
         vi /mnt/etc/hosts
         apt install ca-certificates
-        echo 'deb https://deb.debian.org/debian bullseye main contrib' > /etc/apt/sources.list
         echo 'deb https://deb.debian.org/debian-security bullseye-security main contrib' > /etc/apt/sources.list.d/security.list
 
  7. bind mounts and chroot for more complex config:
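Review bot: In step 6 the remaining `echo 'deb https://deb.debian.org/debian-security ...' > /etc/apt/sources.list.d/security.list` writes to `/etc` of the live image, not `/mnt/etc` like the `hostname` and `hosts` lines next to it, and the chroot only starts in step 7; as written the installed system has no security suite configured unless it is added again later. Point it at `/mnt/etc/apt/sources.list.d/security.list`; the same applies to `apt install ca-certificates`, which installs into the live environment at this point. The removed `sources.list` line presumably relies on the `debootstrap --components=main,contrib` change in the hunk above, which is worth stating in the step text.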
@@ -325,6 +324,7 @@ TODO:
    * torrent
  * static IP
  * port forward SSH so that it doesn't land on curie
+ * [report back on the procedure](https://github.com/openzfs/openzfs-docs/pull/126#pullrequestreview-647650769)
 
 ## Decisions taken during the procedure
 
@@ -356,3 +356,8 @@ TODO:
 
  * the `/var/log` and `/var/spool` datasets are creating needless
    complexity in the boot process, we could do without them
+
+## Troubleshooting
+
+ * [initrd documentation](https://openzfs.github.io/openzfs-docs/Getting%20Started/Debian/Debian%20GNU%20Linux%20initrd%20documentation.html): booting from a snapshot, rollbacks, etc
+ * [install troubleshooting](https://openzfs.github.io/openzfs-docs/Getting%20Started/Debian/Debian%20Buster%20Root%20on%20ZFS.html#troubleshooting)

install finished, need to reboot
diff --git a/hardware/tubman.md b/hardware/tubman.md
index 5071daa8..40d8d288 100644
--- a/hardware/tubman.md
+++ b/hardware/tubman.md
@@ -163,7 +163,9 @@ We boot from a [grml](https://grml.org/) live image based on Debian testing
 
         echo HOSTNAME > /mnt/etc/hostname
         vi /mnt/etc/hosts
-        echo 'deb https://deb.debian.org/debian-security bullseye-security main' > /etc/apt/sources.list.d/security.list
+        apt install ca-certificates
+        echo 'deb https://deb.debian.org/debian bullseye main contrib' > /etc/apt/sources.list
+        echo 'deb https://deb.debian.org/debian-security bullseye-security main contrib' > /etc/apt/sources.list.d/security.list
 
  7. bind mounts and chroot for more complex config:
  
@@ -182,16 +184,147 @@ We boot from a [grml](https://grml.org/) live image based on Debian testing
  9. ZFS boot configuration
  
         apt install --yes dpkg-dev linux-headers-amd64 linux-image-amd64
-        apt install --yes zfs-initramfs # TODO
-        echo REMAKE_INITRD=yes > /etc/dkms/zfs.conf # TODO
-        apt install --yes grub-pc # TODO
-        apt remove --purge os-prober # TODO
+        apt install --yes zfs-initramfs
+        echo REMAKE_INITRD=yes > /etc/dkms/zfs.conf
+        apt install --yes grub-pc
+        apt remove --purge os-prober
 
  10. pick a root password
  
         passwd
 
- 11. TODO: now at step 4.11, the systemd config
+ 11. bpool import hack (TODO: whyy)
+
+        cat > /etc/systemd/system/zfs-import-bpool.service <<EOF
+        [Unit]
+        DefaultDependencies=no
+        Before=zfs-import-scan.service
+        Before=zfs-import-cache.service
+
+        [Service]
+        Type=oneshot
+        RemainAfterExit=yes
+        ExecStart=/sbin/zpool import -N -o cachefile=none bpool
+        # Work-around to preserve zpool cache:
+        ExecStartPre=-/bin/mv /etc/zfs/zpool.cache /etc/zfs/preboot_zpool.cache
+        ExecStartPost=-/bin/mv /etc/zfs/preboot_zpool.cache /etc/zfs/zpool.cache
+
+        [Install]
+        WantedBy=zfs-import.target
+        EOF
+        systemctl enable zfs-import-bpool.service
+
+ 12. enable tmpfs (TODO: isn't there a better way?)
+
+        ln -s /usr/share/systemd/tmp.mount /etc/systemd/system/
+        root@grml:/# systemctl enable tmp.mount
+
+ 13. grub setup:
+
+        root@grml:/# grub-probe /boot
+        zfs
+        root@grml:/# update-initramfs -c -k all
+        update-initramfs: Generating /boot/initrd.img-5.10.0-6-amd64
+        root@grml:/# sed -i 's,GRUB_CMDLINE_LINUX.*,GRUB_CMDLINE_LINUX="root=ZFS=rpool/ROOT/debian",' /etc/default/grub
+        root@grml:/# update-grub
+        Generating grub configuration file ...
+        Found linux image: /boot/vmlinuz-5.10.0-6-amd64
+        Found initrd image: /boot/initrd.img-5.10.0-6-amd64
+        done
+        root@grml:/# grub-install /dev/sdb 
+        Installing for i386-pc platform.
+        Installation finished. No error reported.
+        root@grml:/# grub-install /dev/sdc 
+        Installing for i386-pc platform.
+        Installation finished. No error reported.
+
+    make sure you check both disks in there:
+    
+        dpkg-reconfigure grub-pc
+
+ 14. filesystem mount ordering (TODO: is this necessary?):
+
+        mkdir /etc/zfs/zfs-list.cache
+        touch /etc/zfs/zfs-list.cache/bpool
+        touch /etc/zfs/zfs-list.cache/rpool
+        zed -F &
+
+    then verify the files have data:
+    
+        root@grml:/# cat /etc/zfs/zfs-list.cache/bpool                                                                                                                         
+        bpool   /mnt/boot       off     on      on      off     on      off     on      off     -       none    -       -       -       -       -       -       -       -
+        bpool/BOOT      none    off     on      on      off     on      off     on      off     -       none    -       -       -       -       -       -       -       -
+        bpool/BOOT/debian       /mnt/boot       on      on      on      off     on      off     on      off     -       none    -       -       -       -       -       -     -
+                -
+        root@grml:/# cat /etc/zfs/zfs-list.cache/rpool                                                                                                                         |
+        rpool   /mnt    off     on      on      on      on      off     on      off     rpool   prompt  -       -       -       -       -       -       -       -
+        rpool/ROOT      none    off     on      on      on      on      off     on      off     rpool   none    -       -       -       -       -       -       -       -
+        rpool/ROOT/debian       /mnt    noauto  on      on      on      on      off     on      off     rpool   none    -       -       -       -       -       -       -     -
+        rpool/home      /mnt/home       on      on      on      on      on      off     on      off     rpool   none    -       -       -       -       -       -       -     -
+        rpool/home/root /mnt/root       on      on      on      on      on      off     on      off     rpool   none    -       -       -       -       -       -       -     -
+        rpool/srv       /mnt/srv        on      on      on      on      on      off     on      off     rpool   none    -       -       -       -       -       -       -     -
+        rpool/var       /mnt/var        off     on      on      on      on      off     on      off     rpool   none    -       -       -       -       -       -       -     -
+        rpool/var/cache /mnt/var/cache  on      on      on      on      on      off     on      off     rpool   none    -       -       -       -       -       -       -     -
+        rpool/var/lib   /mnt/var/lib    off     on      on      on      on      off     on      off     rpool   none    -       -       -       -       -       -       -     -
+        rpool/var/log   /mnt/var/log    on      on      on      on      on      off     on      off     rpool   none    -       -       -       -       -       -       -     -
+        rpool/var/spool /mnt/var/spool  on      on      on      on      on      off     on      off     rpool   none    -       -       -       -       -       -       -     -
+        rpool/var/tmp   /mnt/var/tmp    on      on      on      on      on      off     on      off     rpool   none    -       -       -       -       -       -       -     -
+        root@grml:/# fg
+        zed -F
+        ^CExiting
+
+ 15. fix the paths to eliminate `/mnt`:
+
+        sed -Ei "s|/mnt/?|/|" /etc/zfs/zfs-list.cache/*
+
+ 16. extra config, setup SSH with auth key:
+
+        apt install --yes openssh-server
+        mkdir /root/.ssh/
+        cat > /root/.ssh/authorized_keys <<EOF
+        ...
+        EOF
+
+ 17. snapshot initial install:
+ 
+        zfs snapshot bpool/BOOT/debian@install
+        zfs snapshot rpool/ROOT/debian@install
+
+ 18. exit chroot:
+ 
+        exit
+
+ 18. unmount filesystems:
+ 
+        mount | grep -v zfs | tac | awk '/\/mnt/ {print $3}' | \
+            xargs -i{} umount -lf {}
+        zpool export -a
+
+ 18. TODO: reboot
+
+We performed steps 1 through 6, remaining steps are optional and
+troubleshooting.
+
+## Next steps
+
+TODO:
+
+ * configure swap? (step 7)
+ * disable log compression? (step 8.3)
+ * delete install snapshots?
+        
+        zfs snapshot bpool/BOOT/debian@install
+        zfs snapshot rpool/ROOT/debian@install
+
+ * configure regular snaphots?
+ * setup services:
+   * radio
+   * sonic
+   * paste
+   * photos
+   * torrent
+ * static IP
+ * port forward SSH so that it doesn't land on curie
 
 ## Decisions taken during the procedure
 
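Review bot: Under the "delete install snapshots?" TODO the two commands are `zfs snapshot bpool/BOOT/debian@install` and `zfs snapshot rpool/ROOT/debian@install`, copied from step 17, so they would take the snapshots again rather than delete them; that item should show `zfs destroy` for both. In step 16, `mkdir /root/.ssh/` and the `authorized_keys` heredoc rely on the default umask; `mkdir -m 0700` plus `chmod 600` on the file would make the permissions explicit. Three consecutive steps are numbered 18 (exit chroot, unmount filesystems, reboot); renumber them 18 to 20.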
@@ -208,6 +341,9 @@ We boot from a [grml](https://grml.org/) live image based on Debian testing
    eth0` etc)
  * we skip `keyboard-configuration` and `console-setup` config,
    defaults are fine
+ * this was skipped, as the target file already exists in bullseye:
+ 
+        ln -s /usr/lib/zfs-linux/zed.d/history_event-zfs-list-cacher.sh /etc/zfs/zed.d
 
 ## Abandoned ideas
 
@@ -215,3 +351,8 @@ We boot from a [grml](https://grml.org/) live image based on Debian testing
    though it only has related mountpoints (actually, [that's
    supported](https://bugs.debian.org/987735) with `--skip=check/empty`, but that wasn't in the
    buster manpage and I failed to look at the bullseye one)
+
+## To be improved
+
+ * the `/var/log` and `/var/spool` datasets are creating needless
+   complexity in the boot process, we could do without them

draft post about the TPO status page
diff --git a/blog/2021-04-28-tpo-status-page.mdwn b/blog/2021-04-28-tpo-status-page.mdwn
new file mode 100644
index 00000000..66a8d98a
--- /dev/null
+++ b/blog/2021-04-28-tpo-status-page.mdwn
@@ -0,0 +1,87 @@
+[[!meta title="Building a status page service with Hugo"]]
+
+The Tor Project now has a [status page](https://status.torproject.org/) which shows the state of
+our major services. We'll use this going forward to announce major
+outages in external (e.g. hidden services or consensus ) or internal
+(e.g. GitLab) services not working. This post documents how the
+service was built and how it works.
+
+# Why a status page
+
+The first step in setting up a service page was to realize we needed
+one in the first place. I have made a [service survey](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/roadmap/2021#survey-results) for internal
+users at the end of 2020 to see what could be improved, and one of the
+suggestions that came up was to "document downtimes of one hour or
+longer" and generally improve communications and monitoring. The
+latter is still on the [sysadmin roadmap](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/roadmap/2021), but for the former, it
+seemed ideal to create a status page.
+
+Note that we already have to monitoring tools in the sysadmin team:
+[Icinga](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/nagios) (a fork of Nagios) and [Prometheus](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/prometheus/), with [Grafana](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/grafana)
+dashboards. But those are hard to understand for users and worse, tend
+to generate false positive, and don't clearly show users which issues
+are critical. In the end, a manually curated dashboard provides huge
+usability benefits over automated system, and [all major organisations
+have one](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/service/status#example-sites).
+
+# Picking the right tool
+
+It wasn't my first foray in status page design. In a previous job, I
+had setup a status page using a tool called [Cachet](https://cachethq.io/), which was a
+great improvement over the previous solutions, which were to use first
+a wiki and then a blog to post updates. But Cachet is a complex
+PHP/Laravel app, and requires some work to setup and deploy. It also
+requires a web browser to update, and generally requires more
+maintenance than what we'd like.
+
+So when I found about [cstate](https://github.com/cstate/cstate), I was so excited that I just set it
+up right away. It's basically a theme for the [Hugo](https://gohugo.io/) static site
+generator, which means that it's a set of HTML, CSS, and a sprinkle of
+Javascript. And being based on Hugo means that the site is generated
+from a set of [Markdown](https://en.wikipedia.org/wiki/Markdown) files and the result is just plain HTML
+that can be hosted on any web server on the planet.
+
+# Deployment
+
+At first, I wanted to deploy the site through GitLab CI, but at that
+time we didn't have GitLab pages setup. Even though we [do have GitLab
+pages setup](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/gitlab#publishing-gitlab-pages), it's not integrated with our mirroring
+infrastructure. So, for now, the source is hosted and build in our
+[legacy git](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/git) and [Jenkins](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/jenkins) services.
+
+It is nice to have the content hosted in a git repository: sysadmins
+can just edit markdown in the git repository and push to deploy
+changes, no web browser required. And because `hugo` is fast, it's
+trivial to setup a local environment to preview changes:
+
+    hugo serve --baseUrl=http://localhost/
+    firefox https://localhost:1313/
+
+Only the sysadmin team and gitolite administrators have access to the
+repository, at this stage, but that can be changed. Merge requests can
+also be issued on the [GitLab repository](https://gitlab.torproject.org/tpo/tpa/status-site/) and then pushed by
+authorized personnel later on, naturally.
+
+# Availability
+
+One of the concern I have is that the site is hosted inside our normal
+mirror infrastructure. Naturally, if an outage occurs there, the site
+goes down. But I figured it's a bridge we'll cross when we get
+there.
+
+Because it's so easy to build the site from scratch, it's actually
+trivial to host a copy of the site on *any* GitLab server, thanks to
+the `.gitlab-ci.yml` file shipped (but not currently used) in the
+repository.
+
+If push comes to shove, we can just publish the site elsewhere and
+point DNS there.
+
+And, of course, if DNS fails us, then we're in trouble, but that's the
+situation anyways: we can always register a new domain name for the
+status page when we need to. It doesn't seem like a priority at the
+moment.
+
+Comments and feedback are welcome!
+
+[[!tag draft]]
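Review bot: the two preview commands in the Deployment section disagree on the scheme. `hugo serve --baseUrl=http://localhost/` starts a plain-HTTP development server, but the next line opens `https://localhost:1313/`, which will fail on the TLS handshake; it should be `firefox http://localhost:1313/`. In the same section, "at that time we didn't have GitLab pages setup" followed by "Even though we do have GitLab pages setup" reads as a contradiction until the reader guesses that the second clause means "now"; adding that word would fix it.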

keep going in the zfs install procedure
diff --git a/hardware/tubman.md b/hardware/tubman.md
index e857d3fc..5071daa8 100644
--- a/hardware/tubman.md
+++ b/hardware/tubman.md
@@ -20,29 +20,35 @@
  * USB Bluetooth receiver
  * cost: 350$CAD on 2011-02-26, not counting storage, BT and memory
 
-# ZFS root install
+# Installation procedure
 
-Would have used FAI's setup-storage but it doesn't support ZFS.
+I would have used [FAI](https://fai-project.org/)'s [setup-storage](https://manpages.debian.org/setup-storage.8) but it doesn't support
+ZFS, unfortunately. It is part of the [long term roadmap](https://fai-project.org/roadmap/), that
+said, and there's a [howto for stretch](https://wiki.fai-project.org/index.php/ZFS_root_with_Debian_Stretch_and_FAI), but that doesn't use
+setup-storage. I was hoping I would reuse the [installer](https://gitweb.torproject.org/admin/tsa-misc.git/tree/install) I've been
+working on at work...
 
-Following [this howto](https://openzfs.github.io/openzfs-docs/Getting%20Started/Debian/Debian%20Buster%20Root%20on%20ZFS.html), we have the following configuration:
+We have the following disk configuration:
 
  * `/dev/sda`: SSD drive, 512MB used for caching
  * `/dev/sdb`: HDD drive, 4TB, to be used in a ZFS pool with native encryption
  * `/dev/sdc`: HDD drive, 4TB, same
 
-We boot from a [grml](https://grml.org/) live image based on Debian testing (bullseye).
+We boot from a [grml](https://grml.org/) live image based on Debian testing
+(bullseye), and will follow [this howto](https://openzfs.github.io/openzfs-docs/Getting%20Started/Debian/Debian%20Buster%20Root%20on%20ZFS.html):
 
  1. install requirements:
 
         apt update
         apt install --yes debootstrap gdisk dkms dpkg-dev linux-headers-$(uname -r) zfs-dkms
-        modprobe zfs # TODO
-        apt install --yes zfsutils-linux # TODO
+        modprobe zfs
+        apt install --yes zfsutils-linux
 
-    Note that those instructions differ from the source howto because
-    we start from a `bullseye` live image.
+    Note that those instructions differ from the documentation (we
+    don't use `buster-backports`) because we start from a `bullseye`
+    live image.
 
- 1. clear the partitions on the two HDDs, and setup a BIOS, UEFI, boot
+ 1. clear the partitions on the two HDD, and setup a BIOS, UEFI, boot
     pool and native encrypted partition:
 
         for DISK in /dev/sdb /dev/sdc ; do
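Review bot: the rewritten step heading says "the two HDD", dropping the plural that the removed line had ("the two HDDs"); keep "HDDs". Both this step and the "install requirements" step above it are still numbered `1.`, so the explicit numbers used further down cannot line up with what a reader counts; since the section is being reworked anyway, make the numbering consistent here.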
@@ -72,7 +78,8 @@ We boot from a [grml](https://grml.org/) live image based on Debian testing (bul
            3         1050624         3147775   1024.0 MiB  BF01  
            4         3147776      7814037134   3.6 TiB     BF00
 
- 2. create a boot pool called `bpool` (TODO):
+ 2. create the boot pool called `bpool` and the root pool called
+    `rpool`, the latter will prompt for a disk encryption key:
 
         zpool create \
             -o cachefile=/etc/zfs/zpool.cache \
@@ -93,9 +100,6 @@ We boot from a [grml](https://grml.org/) live image based on Debian testing (bul
             -O devices=off -O normalization=formD -O relatime=on -O xattr=sa \
             -O mountpoint=/boot -R /mnt \
             bpool mirror /dev/sdb3 /dev/sdc3
-
- 3. create the root pool called `rpool` (TODO):
-
         zpool create \
             -o ashift=12 \
             -O encryption=aes-256-gcm \
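Review bot: removing the blank line together with the step 3 heading leaves `bpool mirror /dev/sdb3 /dev/sdc3` immediately followed by the second `zpool create \`, so the two pool creations read as a single command block and are easy to paste as one. Keep an empty line between them, ideally with a one-line comment saying the second command is the encrypted `rpool` and will prompt for the passphrase.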
@@ -105,4 +109,109 @@ We boot from a [grml](https://grml.org/) live image based on Debian testing (bul
             -O xattr=sa -O mountpoint=/ -R /mnt \
             rpool mirror /dev/sdb4 /dev/sdc4
 
-At step 3, "system installation". TODO.
+ 4. create filesytems and "datasets":
+
+    * this creates two containers, for `ROOT` and `BOOT`
+
+        zfs create -o canmount=off -o mountpoint=none rpool/ROOT
+        zfs create -o canmount=off -o mountpoint=none bpool/BOOT
+
+   * this actually creates the boot and root filesystems:
+
+        zfs create -o canmount=noauto -o mountpoint=/ rpool/ROOT/debian
+        zfs mount rpool/ROOT/debian
+        zfs create -o mountpoint=/boot bpool/BOOT/debian
+
+   * then they use even more data sets, although I'm not sure they are
+     all necessary:
+
+        zfs create                                 rpool/home
+        zfs create -o mountpoint=/root             rpool/home/root
+        chmod 700 /mnt/root
+        zfs create -o canmount=off                 rpool/var
+        zfs create -o canmount=off                 rpool/var/lib
+        zfs create                                 rpool/var/log
+        zfs create                                 rpool/var/spool
+
+   * to exclude temporary files from snapshots, for example:
+
+        zfs create -o com.sun:auto-snapshot=false  rpool/var/cache
+        zfs create -o com.sun:auto-snapshot=false  rpool/var/tmp
+        chmod 1777 /mnt/var/tmp
+
+   * and a `/srv`:
+
+        zfs create                                 rpool/srv
+
+   * or for Docker (TODO):
+
+        zfs create -o com.sun:auto-snapshot=false rpool/var/lib/docker
+
+   * make a `tmpfs` for `/run`:
+
+        mkdir /mnt/run
+        mount -t tmpfs tmpfs /mnt/run
+        mkdir /mnt/run/lock
+
+ 5. install the base system and copy the ZFS config:
+ 
+        debootstrap bullseye /mnt
+        mkdir /mnt/etc/zfs
+        cp /etc/zfs/zpool.cache /mnt/etc/zfs/
+
+ 6. base system configuration:
+
+        echo HOSTNAME > /mnt/etc/hostname
+        vi /mnt/etc/hosts
+        echo 'deb https://deb.debian.org/debian-security bullseye-security main' > /etc/apt/sources.list.d/security.list
+
+ 7. bind mounts and chroot for more complex config:
+ 
+        mount --rbind /dev  /mnt/dev
+        mount --rbind /proc /mnt/proc
+        mount --rbind /sys  /mnt/sys
+        chroot /mnt /bin/bash
+
+ 8. more base system config:
+
+        ln -s /proc/self/mounts /etc/mtab
+        apt update
+        apt install --yes console-setup locales
+        dpkg-reconfigure locales tzdata
+
+ 9. ZFS boot configuration
+ 
+        apt install --yes dpkg-dev linux-headers-amd64 linux-image-amd64
+        apt install --yes zfs-initramfs # TODO
+        echo REMAKE_INITRD=yes > /etc/dkms/zfs.conf # TODO
+        apt install --yes grub-pc # TODO
+        apt remove --purge os-prober # TODO
+
+ 10. pick a root password
+ 
+        passwd
+
+ 11. TODO: now at step 4.11, the systemd config
+
+## Decisions taken during the procedure
+
+ * use a `tmpfs` for `/run`
+ * use native ZFS encryption
+ * setup both BIOS and UEFI partitions, in case we switch to the
+   latter later
+
+## Changes from the original procedure
+
+ * we install a bullseye system from a bullseye live image (instead of
+   buster from buster)
+ * `interfaces(5)` file untouched, default is fine (`allow-hotplug
+   eth0` etc)
+ * we skip `keyboard-configuration` and `console-setup` config,
+   defaults are fine
+
+## Abandoned ideas
+
+ * using `mmdebstrap`: it complains that `/mnt` is "not empty" even
+   though it only has related mountpoints (actually, [that's
+   supported](https://bugs.debian.org/987735) with `--skip=check/empty`, but that wasn't in the
+   buster manpage and I failed to look at the bullseye one)
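Review bot: in step 6 the security source is written to `/etc/apt/sources.list.d/security.list`, which at that point is the live image's `/etc`, because the `chroot /mnt` only happens in step 7; the other two lines of the step correctly target `/mnt/etc/...`. As written, the installed system ends up without the `bullseye-security` source. Write to `/mnt/etc/apt/sources.list.d/security.list` or move the line after the `chroot`. Smaller points: "filesytems" in step 4 should be "filesystems", the first sub-bullet under step 4 is indented one space deeper than its siblings, and the lines still marked `# TODO` in step 9 should say what is left to verify.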

more todo
diff --git a/hardware/tubman.md b/hardware/tubman.md
index 21e9cb56..e857d3fc 100644
--- a/hardware/tubman.md
+++ b/hardware/tubman.md
@@ -104,3 +104,5 @@ We boot from a [grml](https://grml.org/) live image based on Debian testing (bul
             -O dnodesize=auto -O normalization=formD -O relatime=on \
             -O xattr=sa -O mountpoint=/ -R /mnt \
             rpool mirror /dev/sdb4 /dev/sdc4
+
+At step 3, "system installation". TODO.

tubman setup notes
diff --git a/hardware/tubman.md b/hardware/tubman.md
new file mode 100644
index 00000000..21e9cb56
--- /dev/null
+++ b/hardware/tubman.md
@@ -0,0 +1,106 @@
+# Specification
+
+(copied from [[hardware/server/marcos/v1]])
+
+ * motherboard: [ASUS P5G41-M LE/CSM LGA 775 Intel G41 Micro ATX Intel
+   Motherboard](http://www.newegg.com/Product/Product.aspx?Item=N82E16813131399) 65$ newegg ([processeurs supportés](https://www.asus.com/Motherboards/P5G41M/specifications/))
+ * case: [Antec Black Aluminum / Steel Fusion Remote Black Micro ATX
+   Media Center / HTPC Case](http://www.newegg.com/Product/Product.aspx?Item=N82E16811129054) 150$ newegg, includes "GD01 MX LCD
+   Display/IR Receiver"
+ * CPU: [Intel Pentium Dual-Core E6500 Wolfdale 2.93GHz 2MB L2 Cache
+   LGA 775 65W Dual-Core Processor](http://www.newegg.com/Product/Product.aspx?Item=N82E16819116093) 80$ newegg ([Bonne explication des différents modèles de cores intel](http://en.wikipedia.org/wiki/Intel_Core))
+ * Memory: 8GB ram (2x4GB DDR2 667MHz, 1.5ns)
+ * Network: AR8114 Gigabit ethernet
+ * Storage, internal:
+   * 500GB Samsung SSD 850
+   * 4TB Seagate HDD ST4000DM000-1F21 5900RPM 3.5"
+   * DVD reader/writer (A  DH16A1P, broken)
+ * Storage, external:
+   * 3TB Western Digital "My Book" 1230 USB-3
+ * USB Bluetooth receiver
+ * cost: 350$CAD on 2011-02-26, not counting storage, BT and memory
+
+# ZFS root install
+
+Would have used FAI's setup-storage but it doesn't support ZFS.
+
+Following [this howto](https://openzfs.github.io/openzfs-docs/Getting%20Started/Debian/Debian%20Buster%20Root%20on%20ZFS.html), we have the following configuration:
+
+ * `/dev/sda`: SSD drive, 512MB used for caching
+ * `/dev/sdb`: HDD drive, 4TB, to be used in a ZFS pool with native encryption
+ * `/dev/sdc`: HDD drive, 4TB, same
+
+We boot from a [grml](https://grml.org/) live image based on Debian testing (bullseye).
+
+ 1. install requirements:
+
+        apt update
+        apt install --yes debootstrap gdisk dkms dpkg-dev linux-headers-$(uname -r) zfs-dkms
+        modprobe zfs # TODO
+        apt install --yes zfsutils-linux # TODO
+
+    Note that those instructions differ from the source howto because
+    we start from a `bullseye` live image.
+
+ 1. clear the partitions on the two HDDs, and setup a BIOS, UEFI, boot
+    pool and native encrypted partition:
+
+        for DISK in /dev/sdb /dev/sdc ; do
+            sgdisk --zap-all $DISK
+            sgdisk -a1 -n1:24K:+1000K -t1:EF02 $DISK
+            sgdisk     -n2:1M:+512M   -t2:EF00 $DISK
+            sgdisk     -n3:0:+1G      -t3:BF01 $DISK
+            sgdisk     -n4:0:0        -t4:BF00 $DISK
+        done
+
+    resulting partition table:
+
+        root@grml ~ # sgdisk -p /dev/sdb
+        Disk /dev/sdb: 7814037168 sectors, 3.6 TiB
+        Model: ST4000DM004-2CV1
+        Sector size (logical/physical): 512/4096 bytes
+        Disk identifier (GUID): 63B2F372-B4E9-45FF-8151-9706F9F158C9
+        Partition table holds up to 128 entries
+        Main partition table begins at sector 2 and ends at sector 33
+        First usable sector is 34, last usable sector is 7814037134
+        Partitions will be aligned on 16-sector boundaries
+        Total free space is 14 sectors (7.0 KiB)
+
+        Number  Start (sector)    End (sector)  Size       Code  Name
+           1              48            2047   1000.0 KiB  EF02  
+           2            2048         1050623   512.0 MiB   EF00  
+           3         1050624         3147775   1024.0 MiB  BF01  
+           4         3147776      7814037134   3.6 TiB     BF00
+
+ 2. create a boot pool called `bpool` (TODO):
+
+        zpool create \
+            -o cachefile=/etc/zfs/zpool.cache \
+            -o ashift=12 -d \
+            -o feature@async_destroy=enabled \
+            -o feature@bookmarks=enabled \
+            -o feature@embedded_data=enabled \
+            -o feature@empty_bpobj=enabled \
+            -o feature@enabled_txg=enabled \
+            -o feature@extensible_dataset=enabled \
+            -o feature@filesystem_limits=enabled \
+            -o feature@hole_birth=enabled \
+            -o feature@large_blocks=enabled \
+            -o feature@lz4_compress=enabled \
+            -o feature@spacemap_histogram=enabled \
+            -o feature@zpool_checkpoint=enabled \
+            -O acltype=posixacl -O canmount=off -O compression=lz4 \
+            -O devices=off -O normalization=formD -O relatime=on -O xattr=sa \
+            -O mountpoint=/boot -R /mnt \
+            bpool mirror /dev/sdb3 /dev/sdc3
+
+ 3. create the root pool called `rpool` (TODO):
+
+        zpool create \
+            -o ashift=12 \
+            -O encryption=aes-256-gcm \
+            -O keylocation=prompt -O keyformat=passphrase \
+            -O acltype=posixacl -O canmount=off -O compression=lz4 \
+            -O dnodesize=auto -O normalization=formD -O relatime=on \
+            -O xattr=sa -O mountpoint=/ -R /mnt \
+            rpool mirror /dev/sdb4 /dev/sdc4
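Review bot: the partitioning loop runs `sgdisk --zap-all $DISK` against `/dev/sdb` and `/dev/sdc`, and both `zpool create` commands take `/dev/sdX` partitions as vdevs. Kernel `sd` names follow detection order and can change between boots or when a USB device is plugged in, so a destructive command aimed at them can land on the wrong disk, and pools built on them can fail to import later. Use the `/dev/disk/by-id/...` aliases, as the linked OpenZFS howto does, and quote `"$DISK"`. Also worth reconciling in the text: the specification lists one 4TB `ST4000DM000-1F21` and a 500GB SSD, while the install section describes two 4TB HDDs, the `sgdisk -p` output reports model `ST4000DM004-2CV1`, and `/dev/sda` is described as "512MB used for caching".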

approve comment
diff --git a/blog/2021-04-24-ideas/comment_1_2edf87d9a181c95cd9d95af82ed90103._comment b/blog/2021-04-24-ideas/comment_1_2edf87d9a181c95cd9d95af82ed90103._comment
new file mode 100644
index 00000000..b8302737
--- /dev/null
+++ b/blog/2021-04-24-ideas/comment_1_2edf87d9a181c95cd9d95af82ed90103._comment
@@ -0,0 +1,9 @@
+[[!comment format=mdwn
+ ip="86.150.30.45"
+ claimedauthor="Jonathan"
+ url="jmtd.net"
+ subject="comment 1"
+ date="2021-04-28T15:21:59Z"
+ content="""
+I remember seeing your byline on LWN and being pleased; I enjoy your writing and get the impression that we think alike in a lot of respects. From the list of stubs you have there, \"ideas/on-dying\" jumps out at me as a topic that's important but rarely discussed (and by coincidence, something I've been thinking about more and more recently, although I haven't written anything publically about my thoughts.)
+"""]]
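Review bot: the `ip=` field commits the commenter's network address next to their claimed name and site, and this repository is offered for public cloning. Unless publishing it is intended, strip or truncate the `ip=` value before approving the comment.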

approve comment
diff --git a/blog/2021-04-24-dead-game-clock/comment_1_3e963b06d01a90688617ef5ef2e347b6._comment b/blog/2021-04-24-dead-game-clock/comment_1_3e963b06d01a90688617ef5ef2e347b6._comment
new file mode 100644
index 00000000..b2b9b7e0
--- /dev/null
+++ b/blog/2021-04-24-dead-game-clock/comment_1_3e963b06d01a90688617ef5ef2e347b6._comment
@@ -0,0 +1,7 @@
+[[!comment format=mdwn
+ ip="77.189.146.201"
+ subject="comment 4"
+ date="2021-04-26T19:16:34Z"
+ content="""
+AFAIK pypy build-depends on Python 2 (even the Python 3 version of pypy). So it can't be removed without removing pypy as well.
+"""]]

mention lwn in coms
diff --git a/communication.mdwn b/communication.mdwn
index b13a6ff4..e83f3e20 100644
--- a/communication.mdwn
+++ b/communication.mdwn
@@ -5,6 +5,8 @@
 
 J'essaie d'écrire. Pour l'instant, il s'agit surtout de mon [[blog]] mais j'essaie également d'écrire de la fiction et je participe parfois à la revue [À Babord!](http://www.ababord.org/). J'ai également publié une bonne dizaine d'articles sur le défunt [Insomniaque](http://insomniaque.org/).
 
+Ah, et j'ai [[écrit pendant 2 ans pour LWN|tag/lwn]] (2018-2020).
+
 Voici certain des articles les plus importants que j'ai publié:
 
 [[!bibtex2html publications.bib]]

plug LWN better, and explain the lack of editing
diff --git a/blog/2021-04-24-ideas.mdwn b/blog/2021-04-24-ideas.mdwn
index af28c188..39b83e72 100644
--- a/blog/2021-04-24-ideas.mdwn
+++ b/blog/2021-04-24-ideas.mdwn
@@ -193,4 +193,13 @@ So that's all I got. As people might have noticed here, I have much
 less time to write these days, but if there's any subject in there I
 should pick, what is the one that you would find most interesting?
 
+Oh! and I should mention that *you* can write to LWN! If you think
+people should know more about some Linux thing, you can get paid to
+write for it! [Pitch it to the editors](https://lwn.net/op/AuthorGuide.lwn), they won't bite. The worst
+that can happen is that they say "yes" and there goes two years of
+your life learning to write. Because no, you don't know how to write,
+no one does. You need an editor to write.
+
+That's why this article looks like crap and has a smiley. :)
+
 [[!tag debian debian-planet meta lwn]]

minimal self-editing
diff --git a/blog/2021-04-24-ideas.mdwn b/blog/2021-04-24-ideas.mdwn
index 19a93664..af28c188 100644
--- a/blog/2021-04-24-ideas.mdwn
+++ b/blog/2021-04-24-ideas.mdwn
@@ -1,10 +1,10 @@
 [[!meta title="Lost article ideas"]]
 
-I [[wrote|tag/lwn]] for [LWN](https://lwn.net/) for about two
-years. During that time, I wrote (what seems to me an impressive) [[34
+I [[wrote|tag/lwn]] for [LWN](https://lwn.net/) for about two years. During that
+time, I wrote (what seems to me an impressive) [[34
 articles|tag/lwn]], but I always had a pile of ideas in the back of my
-mind. Those are things I had ideas of, notes and scribbles, or just
-completely abandoned because they didn't seem fit for LWN in the end.
+mind. Those are ideas, notes, and scribbles lying around. Some were
+just completely abandoned because they didn't seem a good fit for LWN.
 
 Concretely, I stored those in branches in a git repository, and used
 the branch name (and, naively, the last commit log) as indicators of
@@ -54,13 +54,16 @@ because it didn't seem worth it, or my editors rejected it, or I just
 moved on:
 
  * `novena`: the project is *ooold* now, didn't seem to fit a LWN
-   article
+   article. it was basically "how can i build my novena now" and "you
+   guys rock!" it seems like the [MNT Reform](https://www.crowdsupply.com/mnt/reform/) is the brain child of
+   the Novena now, and I dare say it's even cooler!
  * `secureboot`: my LWN editors were critical of my approach, and
    probably rightly so - it's a really complex subject and I was
    probably out of my depth... it's also out of date now, we did
    manage secureboot in Debian
- * `wireguard`: LWN ended up writing their own coverage, and I was
-   biased against Donenfeld because of conflicts in a previous project
+ * `wireguard`: LWN ended up [writing](https://lwn.net/Articles/748582/) [extensive coverage](https://lwn.net/Security/Index/#Linux_kernel-Virtual_private_network_VPN), and
+   I was biased against Donenfeld because of conflicts in a previous
+   project
 
 # Backlog
 
@@ -68,7 +71,8 @@ Those were articles I was planning to write about next.
 
  * `dat`: I already had written [[Sharing and archiving data sets with
    Dat|blog/2018-09-10-sharing-and-archiving-data-sets-with-dat]], but
-   it seems I had more to say... to be investigated, I guess?
+   it seems I had more to say... mostly performance issues, beaker, no
+   streaming, limited adoption... to be investigated, I guess?
  * `packet`: a primer on data communications over ham radio, and the
    cool new tech that has emerged in the free software world. those
    are mainly notes about [Pat](https://getpat.io/), [Direwolf](https://packet-radio.net/direwolf/), [APRS](http://www.aprs.org/) and so

article ideas
diff --git a/blog/2021-04-24-ideas.mdwn b/blog/2021-04-24-ideas.mdwn
new file mode 100644
index 00000000..19a93664
--- /dev/null
+++ b/blog/2021-04-24-ideas.mdwn
@@ -0,0 +1,192 @@
+[[!meta title="Lost article ideas"]]
+
+I [[wrote|tag/lwn]] for [LWN](https://lwn.net/) for about two
+years. During that time, I wrote (what seems to me an impressive) [[34
+articles|tag/lwn]], but I always had a pile of ideas in the back of my
+mind. Those are things I had ideas of, notes and scribbles, or just
+completely abandoned because they didn't seem fit for LWN in the end.
+
+Concretely, I stored those in branches in a git repository, and used
+the branch name (and, naively, the last commit log) as indicators of
+the topic.
+
+This was the state of affairs when I left:
+
+    remotes/private/attic/novena                    822ca2bb add letter i sent to novena, never published
+    remotes/private/attic/secureboot                de09d82b quick review, add note and graph
+    remotes/private/attic/wireguard                 5c5340d1 wireguard review, tutorial and comparison with alternatives
+    remotes/private/backlog/dat                     914c5edf Merge branch 'master' into backlog/dat
+    remotes/private/backlog/packet                  9b2c6d1a ham radio packet innovations and primer
+    remotes/private/backlog/performance-tweaks      dcf02676 config notes for http2
+    remotes/private/backlog/serverless              9fce6484 postponed until kubecon europe
+    remotes/private/fin/cost-of-hosting             00d8e499 cost-of-hosting article online
+    remotes/private/fin/kubecon                     f4fd7df2 remove published or spun off articles
+    remotes/private/fin/kubecon-overview            21fae984 publish kubecon overview article
+    remotes/private/fin/kubecon2018                 1edc5ec8 add series
+    remotes/private/fin/netconf                     3f4b7ece publish the netconf articles
+    remotes/private/fin/netdev                      6ee66559 publish articles from netdev 2.2
+    remotes/private/fin/pgp-offline                 f841deed pgp offline branch ready for publication
+    remotes/private/fin/primes                      c7e5b912 publish the ROCA paper
+    remotes/private/fin/runtimes                    4bee1d70 prepare publication of runtimes articles
+    remotes/private/fin/token-benchmarks            5a363992 regenerate timestamp automatically
+    remotes/private/ideas/astropy                   95d53152 astropy or python in astronomy
+    remotes/private/ideas/avaneya                   20a6d149 crowdfunded blade-runner-themed GPLv3 simcity-like simulator
+    remotes/private/ideas/backups-benchmarks        fe2f1f13 review of backup software through performance and features
+    remotes/private/ideas/cumin                     7bed3945 review of the cumin automation tool from WM foundation
+    remotes/private/ideas/future-of-distros         d086ca0d modern packaging problems and complex apps
+    remotes/private/ideas/on-dying                  a92ad23f another dying thing
+    remotes/private/ideas/openpgp-discovery         8f2782f0 openpgp discovery mechanisms (WKD, etc), thanks to jonas meurer
+    remotes/private/ideas/password-bench            451602c0 bruteforce estimates for various password patterns compared with RSA key sizes
+    remotes/private/ideas/prometheus-openmetrics    2568dbd6 openmetrics standardizing prom metrics enpoints
+    remotes/private/ideas/telling-time              f3c24a53 another way of telling time
+    remotes/private/ideas/wallabako                 4f44c5da talk about wallabako, read-it-later + kobo hacking
+    remotes/private/stalled/bench-bench-bench       8cef0504 benchmarking http benchmarking tools
+    remotes/private/stalled/debian-survey-democracy 909bdc98 free software surveys and debian democracy, volunteer vs paid work
+
+Wow, what a mess! Let's see if I can make sense of this:
+
+[[!toc]]
+
+# Attic
+
+Those are articles that I thought about, then finally rejected, either
+because it didn't seem worth it, or my editors rejected it, or I just
+moved on:
+
+ * `novena`: the project is *ooold* now, didn't seem to fit a LWN
+   article
+ * `secureboot`: my LWN editors were critical of my approach, and
+   probably rightly so - it's a really complex subject and I was
+   probably out of my depth... it's also out of date now, we did
+   manage secureboot in Debian
+ * `wireguard`: LWN ended up writing their own coverage, and I was
+   biased against Donenfeld because of conflicts in a previous project
+
+# Backlog
+
+Those were articles I was planning to write about next.
+
+ * `dat`: I already had written [[Sharing and archiving data sets with
+   Dat|blog/2018-09-10-sharing-and-archiving-data-sets-with-dat]], but
+   it seems I had more to say... to be investigated, I guess?
+ * `packet`: a primer on data communications over ham radio, and the
+   cool new tech that has emerged in the free software world. those
+   are mainly notes about [Pat](https://getpat.io/), [Direwolf](https://packet-radio.net/direwolf/), [APRS](http://www.aprs.org/) and so
+   on... just never got around to making sense of it or really using
+   the tech...
+ * `performance-tweaks`: "optimizing websites at the age of http2",
+   the unwritten story of the optimization of this website with HTTP/2
+   and friends
+ * `serverless`: god. one of the leftover topics at Kubecon, my notes
+   on this were thin, and the [actual subject](https://en.wikipedia.org/wiki/Serverless_computing), possibly even
+   thinner... the only lie worse than the cloud is that there's no
+   server at all! concretely, that's a pile of notes about
+   [[Kubecon|2018-05-26-kubecon-rant]] which I wanted to sort
+   through. Probably belongs in the attic now.
+
+# Fin
+
+Those are finished articles, they were published on my website and
+LWN, but the branches were kept because previous drafts had private
+notes that should not be published.
+
+# Ideas
+
+ * `astropy`: "[Python in astronomy](https://www.astropy.org/)" - had a chat with [saimn](http://sconseil.fr/)
+   while [[writing about|blog/2018-03-19-sigal]] [sigal](http://sigal.saimon.org/en/latest/), and it
+   turns out he actually works on free software in astronomy, in
+   Python... I actually expect LWN to [cover this sooner than
+   later](https://lwn.net/Articles/843195/), after Lee Phillips's [introduction to SciPy](https://lwn.net/Articles/842964/)
+ * `avaneya`: [crowdfunded blade-runner-themed GPLv3 simcity-like
+   simulator](https://www.patreon.com/avaneya), i just have that link so far
+ * `backups-benchmarks`: review of backup software through performance
+   and features, possibly based on [those benchmarks](https://github.com/gilbertchen/benchmarking), maybe based
+   on [this list from restic](https://github.com/restic/others) although they [refused
+   casync](https://github.com/restic/others/pull/17). benchmark articles are *hard* though, especially when
+   you want to "cover them all"... I did write a [silly Attic vs
+   Bup](https://anarc.at/blog/2014-11-18-bup-vs-attic-silly-benchmark/) back when those programs existed (2014), in a related
+   note...
+ * `ideas/cumin`: review of the [Cumin automation tool](https://wikitech.wikimedia.org/wiki/Cumin) from
+   WikiMedia Foundation... I ended up using the tool at work and
+   writing [service documentation](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/cumin) for it
+ * `ideas/future-of-distros`: modern packaging problems and complex
+   apps, starting from [this discussion](https://lists.debian.org/debian-devel/2018/02/msg00295.html) about the [removal of](https://bugs.debian.org/890598)
+   [Dolibarr](https://tracker.debian.org/pkg/dolibarr) from Debian, a [summary of the thread from liw](https://blog.liw.fi/posts/2018/02/17/what_is_debian_all_about_really_or_friction_packaging_complex_applications/),
+   and [ideas from joeyh](https://joeyh.name/blog/entry/futures_of_distributions/) (now from the outside of Debian), then
+   [debates](https://lists.debian.org/debian-devel/2018/03/msg00006.html) over the [power of FTP masters](https://lists.debian.org/debian-devel/2018/03/msg00064.html) - ugh, glad I
+   didn't step in that rat's nest
+ * `ideas/on-dying`: "what happens when a hacker dies?" rather grim
+   subject, but a more and more important one... [joeyh has ideas
+   again](https://joeyh.name/hacker_tombstone/), [phk as well](https://news.ycombinator.com/item?id=26831932), then there's [a protocol for dying](http://hintjens.com/blog:115)
+   (really grim)... then there are site policies like GitHub,
+   Facebook, etc... more in the branch, but that one I can't help but
+   think about now that family has taken a bigger place in my life...
+ * `ideas/openpgp-discovery`: OpenPGP discovery mechanisms (WKD, etc),
+   suggested by Jonas Meurer (somewhere?), only links to
+   [Mailveloppe](https://keys.mailvelope.com/), [LEAP](https://leap.se/en/docs/design/transitional-key-validation), [WKD](https://tools.ietf.org/html/draft-koch-openpgp-webkey-service-04) (or is it WKS?), [another
+   standard](https://wiki.gnupg.org/EasyGpg2016/PubkeyDistributionConcept), probably would need to talk about [OpenPGP CA](https://openpgp-ca.org/) now
+   and how Debian and Tor manage their keyrings... pain in the back.
+ * `ideas/password-bench`: bruteforce estimates for various password
+   patterns compared with RSA key sizes, spinoff of my [[smartcard
+   article|blog/2017-10-26-comparison-cryptographic-keycards/]], in
+   the [crypto-bench](https://gitlab.com/anarcat/crypto-bench), look at [this shiny graph](https://gitlab.com/anarcat/crypto-bench/-/raw/master/benchpasswords.png), surely that
+   must mean an article, right?
+ * `ideas/prometheus-openmetrics`: "Evolving the [Prometheus](https://prometheus.io/) exposition
+   format into a [standard](https://openmetrics.io/)", seems like this happened
+ * `ideas/telling-time`: telling time to users is hard. xclock vs
+   ttyclock, etc. maybe gameclock and undertime as well? syncing time
+   is hard, but it turns out *showing* it is non trivial as
+   well... basically turning [this bug report](https://github.com/xorg62/tty-clock/issues/40) into an article. for
+   some reason I linked to [this meme](https://i.imgur.com/jctrppz.jpg), derived from [this
+   meme](https://knowyourmeme.com/photos/320036-ps3-has-no-games), presumably a premonition of my stupid idea of writing
+   [undertime](https://gitlab.com/anarcat/undertime/) TIMEZONES!
+ * `ideas/wallabako`: "talk about wallabako, read-it-later + kobo
+   hacking", that's it, not even [a link to the project](https://gitlab.com/anarcat/wallabako)!
+
+A lot of those branches were actually just an empty commit, with the
+commitlog being the "pitch", more or less. I'd send that list to my
+editors, sometimes with a few more links (basically the above), and
+they would nudge me one way or the other.
+
+Sometimes they would actively discourage me to write about something,
+and I would do it anyways, send them a draft, and they would patiently
+make me rewrite it until it was a decent article. This was especially
+hard with the [[terminal emulator|2018-04-12-terminal-emulators-1]]
+[[series|2018-05-04-terminal-emulators-2]], which took forever to
+write and even got my editors upset when they realized I had never
+installed Fedora (I ended up installing it, and I was proven wrong!)
+
+# Stalled
+
+Oh, and then there's those: those are either "ideas" or "backlog" that
+got so far behind that I just moved them out of the way because I was
+tired of seeing them in my list.
+
+ * `stalled/bench-bench-bench` benchmarking http benchmarking tools, a
+   horrible mess of links, copy-paste from terminals, and ideas about
+   benchmarking... some of this trickled out into [this benchmarking
+   guide at Tor](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/benchmark), but not much more than the list of tools
+ * `stalled/debian-survey-democracy`: "free software surveys and
+   Debian democracy, volunteer vs paid work"... A long standing
+   concern of mine is that all Debian work is supposed to be
+   volunteer, and paying explicitly for work inside Debian has
+   traditionally been frowned upon, even leading to serious drama and
+   dissent (remember [Dunc-Tank](https://lwn.net/Articles/201488/))? back when I was writing for LWN,
+   I was also doing *paid* work for [Debian LTS](https://wiki.debian.org/LTS). I also learned
+   that a lot (most?)  Debian Developers were actually being paid by
+   their job to work on Debian. So I was confused by this apparent
+   contradiction, especially given how the LTS project has been mostly
+   accepted, while Dunc-Tank was not... See also [this talk at Debconf
+   16](https://debconf16.debconf.org/talks/41/). I had hopes that [this study](http://peerproduction.net/issues/issue-10-peer-production-and-work/preliminary-report-debian-survey/) would show the "hunch"
+   people have offered (that most DDs are paid to work on Debian) but
+   it seems to show the reverse (only 36% of DDs, and 18% of all
+   respondents paid). So I am still confused and worried about the
+   sustainability of Debian.
+
+# What do you think?
+
+So that's all I got. As people might have noticed here, I have much
+less time to write these days, but if there's any subject in there I
+should pick, what is the one that you would find most interesting?
+
+[[!tag debian debian-planet meta lwn]]

response
diff --git a/blog/2021-04-24-dead-game-clock/comment_3_338bbb28f16db211931ca2fb9d0ac6c8._comment b/blog/2021-04-24-dead-game-clock/comment_3_338bbb28f16db211931ca2fb9d0ac6c8._comment
new file mode 100644
index 00000000..4dc9f9d2
--- /dev/null
+++ b/blog/2021-04-24-dead-game-clock/comment_3_338bbb28f16db211931ca2fb9d0ac6c8._comment
@@ -0,0 +1,29 @@
+[[!comment format=mdwn
+ username="anarcat"
+ subject="""python 2 is still there"""
+ date="2021-04-24T23:28:53Z"
+ content="""
+To be honest, I didn't realize GTK2 and Python 2 actually shipped with Bullseye, I had assumed they would be completely gone.
+
+Those are the technical reasons why those packages were removed:
+
+ * Monkeysign: [Depends on removed python-zbar](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=935335)
+ * Gameclock: [depends on unmaintained pygtk](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=885282)
+ * Mailman: [depends on cruft package python-dnspython](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953376)
+
+So while none of those were removed because Python 2 was removed itself, those removals are *direct* consequences of the deprecation of Python 2. The Gameclock removal bug even explicitly says:
+
+> Note that pygtk is Python 2 only, and Python 2 is expected to be
+> removed from unstable after the release of buster.
+
+The python-dnspython package was also explicitly [removed as part of
+the Python 2 removal work](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=936427):
+
+> Python2 becomes end-of-live upstream, and Debian aims to remove
+> Python2 from the distribution, as discussed in
+> https://lists.debian.org/debian-python/2019/07/msg00080.html
+
+So, sure, bullseye ships with Python 2 and GTK2, but there's no pygtk, and many *Debian* packages dropped their Python 2 versions, sometimes deliberately, so it's kind of splitting hairs to say that Python 2 still exists in bullseye... It's not because we actually *failed* to remove the Python 2 package that it is still really there.
+
+(To be honest, I'm actually puzzled by the presence of Python 2 in bullseye: given all the effort we've given to remove all that cruft, it seems to me it should just be removed already. As far as I can tell, nothing really depends on it anymore, does it?)
+"""]]

approve comment
diff --git a/blog/2021-04-24-dead-game-clock/comment_1_cc8a2206381ea775584070323f8d4a44._comment b/blog/2021-04-24-dead-game-clock/comment_1_cc8a2206381ea775584070323f8d4a44._comment
new file mode 100644
index 00000000..2ee4d356
--- /dev/null
+++ b/blog/2021-04-24-dead-game-clock/comment_1_cc8a2206381ea775584070323f8d4a44._comment
@@ -0,0 +1,7 @@
+[[!comment format=mdwn
+ ip="77.180.137.153"
+ subject="comment 1"
+ date="2021-04-24T20:35:08Z"
+ content="""
+Just FYI: Neither [Python 2](https://packages.debian.org/bullseye/python2) nor [GTK 2](https://packages.debian.org/bullseye/libgtk2.0-0) were removed from Debian. But the Python 2-GTK 2-bindings were removed.
+"""]]
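Review bot: The `ip="77.180.137.153"` field in this new comment file commits the commenter's network address to a repository that is publicly browsable and clonable. If the address is only needed for moderation, consider dropping or truncating the `ip=` line when approving the comment; the same applies to the second comment file added by this commit.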
diff --git a/blog/2021-04-24-dead-game-clock/comment_1_cef75bf07e5146d5fe6fb74c807c44a7._comment b/blog/2021-04-24-dead-game-clock/comment_1_cef75bf07e5146d5fe6fb74c807c44a7._comment
new file mode 100644
index 00000000..9353271a
--- /dev/null
+++ b/blog/2021-04-24-dead-game-clock/comment_1_cef75bf07e5146d5fe6fb74c807c44a7._comment
@@ -0,0 +1,9 @@
+[[!comment format=mdwn
+ ip="216.189.159.184"
+ claimedauthor="superkuh"
+ url="http://superkuh.com/"
+ subject="You're not wrong, but it's more complex."
+ date="2021-04-24T21:18:26Z"
+ content="""
+Debian 11 (bullseye) does have python 2.7 in the normal repos by default. It just isn't installed by default. The same is true for libgtk2.0 but unfortunately pygtk2 is *not* available. So you're not wrong. Thanks for the software while it lasted.
+"""]]

clarify the distinction between monkeysign and sphere
diff --git a/blog/2021-04-24-dead-game-clock.mdwn b/blog/2021-04-24-dead-game-clock.mdwn
index a8856ae5..3370db30 100644
--- a/blog/2021-04-24-dead-game-clock.mdwn
+++ b/blog/2021-04-24-dead-game-clock.mdwn
@@ -34,6 +34,7 @@ include:
 
 PS: [Monkeysign](http://web.monkeysphere.info/monkeysign) also suffered the same fate, for what that's
 worth. Alternatives include [caff](https://tracker.debian.org/pkg/signing-party), [GNOME Keysign](https://wiki.gnome.org/Apps/Keysign), and
-[pius](https://www.phildev.net/pius/).
+[pius](https://www.phildev.net/pius/). Note that this does not affect the larger [Monkeysphere](https://monkeysphere.info)
+project, which will ship with Debian bullseye.
 
 [[!tag debian debian-planet gameclock software python]]

fix link
diff --git a/blog/2008-08-12-cool-chess-clock.mdwn b/blog/2008-08-12-cool-chess-clock.mdwn
index 70762642..0159c32b 100644
--- a/blog/2008-08-12-cool-chess-clock.mdwn
+++ b/blog/2008-08-12-cool-chess-clock.mdwn
@@ -21,6 +21,6 @@ The chessclock can be downloaded [through the Koumbit Redmine site](https://redm
 
 The is also a package in Debian and Ubuntu.
 
-Update: Gameclock died, see the [[obituary|2021-04-dead-game-clock]].
+Update: Gameclock died, see the [[obituary|blog/2021-04-24-dead-game-clock]].
 
 [[!tag "software" "nouvelles" "geek" "debian-planet" gameclock]]

does software get eulogies?
diff --git a/blog/2008-08-12-cool-chess-clock.mdwn b/blog/2008-08-12-cool-chess-clock.mdwn
index 804663b2..70762642 100644
--- a/blog/2008-08-12-cool-chess-clock.mdwn
+++ b/blog/2008-08-12-cool-chess-clock.mdwn
@@ -21,4 +21,6 @@ The chessclock can be downloaded [through the Koumbit Redmine site](https://redm
 
 The is also a package in Debian and Ubuntu.
 
-[[!tag "software" "nouvelles" "geek" "debian-planet"]]
\ No newline at end of file
+Update: Gameclock died, see the [[obituary|2021-04-dead-game-clock]].
+
+[[!tag "software" "nouvelles" "geek" "debian-planet" gameclock]]
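Review bot: The wikilink target in the added `Update:` line, `[[obituary|2021-04-dead-game-clock]]`, does not match the page this same commit creates, `blog/2021-04-24-dead-game-clock.mdwn`: the day is missing from the name, so the link is likely to render as broken. Use the full page name, for example `[[obituary|blog/2021-04-24-dead-game-clock]]`.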
diff --git a/blog/2021-04-24-dead-game-clock.mdwn b/blog/2021-04-24-dead-game-clock.mdwn
new file mode 100644
index 00000000..a8856ae5
--- /dev/null
+++ b/blog/2021-04-24-dead-game-clock.mdwn
@@ -0,0 +1,39 @@
+[[!meta title="A dead game clock"]]
+
+Time flies. Back in 2008, I [[wrote a game
+clock|2008-08-12-cool-chess-clock]]. Since then, what was first called
+"chess clock" was renamed to pychessclock and then [Gameclock](https://gitlab.com/anarcat/gameclock)
+(2008). It shipped with Debian 6 squeeze (2011), 7 wheezy (4.0, 2013,
+with a new UI), 8 jessie (5.0, 2015, with a code cleanup, translation,
+go timers), 9 stretch (2017), and 10 buster (2019), phew! Eight years
+in Debian over 4 releases, not bad!
+
+But alas, Debian 11 bullseye (2021) won't ship with Gameclock because
+*both* Python 2 and GTK 2 were removed from Debian. I lack the time,
+interest, and energy to port this program. Even if I could find the
+time, everyone is on their phone nowadays. 
+
+So finding the right toolkit would require some serious thinking about
+how to make a portable program that can run on Linux *and* Android. I
+care less about Mac, iOS, and Windows, but, interestingly, it feels it
+wouldn't be much harder to cover those as well if I hit both Linux and
+Android (which is already hard enough, paradoxically).
+
+(And before you ask, no, Java is not an option for me thanks. If I
+switch to anything else than Python, it would be Golang or Rust. And I
+did [look at some toolkit options a few years ago](https://gitlab.com/anarcat/gameclock/-/issues/1), was excited by
+none.)
+
+So there you have it: that is how software dies, I guess. Alternatives
+include:
+
+ * [Chessclock](https://gnomecoder.wordpress.com/chessclock/) - really old Ruby which made Gameclock rename
+ * [Ghronos](http://ghronos.sourceforge.net/) - also really old Java app
+ * [Lichess](https://lichess.org/) - has a chess clock built into the app
+ * [Otter](https://salsa.debian.org/iwj/otter) - if you squint a little
+
+PS: [Monkeysign](http://web.monkeysphere.info/monkeysign) also suffered the same fate, for what that's
+worth. Alternatives include [caff](https://tracker.debian.org/pkg/signing-party), [GNOME Keysign](https://wiki.gnome.org/Apps/Keysign), and
+[pius](https://www.phildev.net/pius/).
+
+[[!tag debian debian-planet gameclock software python]]
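Review bot: The second paragraph says Gameclock is dropped "because *both* Python 2 and GTK 2 were removed from Debian", which overstates the cause: per the comments on this post, bullseye still carries the `python2` and `libgtk2.0-0` packages, and it is the Python 2 bindings for GTK 2 (pygtk) that are gone. Suggest naming the bindings as the reason. Separately, the first paragraph lists five releases (squeeze through buster) but concludes "over 4 releases".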

add refs
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 7acb0d3f..91de6973 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -12,7 +12,9 @@ new version, issues I have stumbled upon (and possibly fixed), and
 troubleshooting instructions.
 
 It does not hope to replace the official documentation: it is a
-personal, living document that I have started keeping from [[jessie]].
+personal, living document that I have started keeping back when I
+upgraded to [[jessie]]. The other documents can be found in the parent
+[[upgrades]] page.
 
 # Procedure
 

some alternatives to removed packages
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 198d07e7..7acb0d3f 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -209,7 +209,9 @@ list.
    testing, seems like it is in bad shape
  * [qalculate-gtk](https://tracker.debian.org/pkg/qalculate-gtk), my dearest calculator, was dropped from testing
    too! a team picked up the package, but too late it seems :/
- * usbguard-applet-qt - [removed 0.7.5](https://tracker.debian.org/news/1069337/accepted-usbguard-075ds-1-source-into-unstable/) from [usbguard](https://tracker.debian.org/pkg/usbguard)
+ * usbguard-applet-qt - [removed 0.7.5](https://tracker.debian.org/news/1069337/accepted-usbguard-075ds-1-source-into-unstable/) from [usbguard](https://tracker.debian.org/pkg/usbguard),
+   workaround: find the device ID in `lsbusb` and run `usbguard
+   allow-device id $ID`
    [upstream](https://usbguard.github.io/), with the idea that it was a proof of concept and
    would be maintained outside of the main tree, but no clear
    candidate has emerged just yet, see [this upstream issue](https://github.com/USBGuard/usbguard/issues/334), [this
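Review bot: In the added workaround, `lsbusb` looks like a typo for `lsusb`. The two added lines also land in the middle of the existing sentence, so the item now reads "... from [usbguard], workaround: ... `usbguard allow-device id $ID` [upstream], with the idea that ..."; move the workaround to the end of the bullet so the explanation of the upstream removal stays intact. It would also help to say which ID is meant: the vendor:product pair shown by `lsusb` or usbguard's own device number.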
@@ -236,11 +238,14 @@ following, even if they don't make it to bullseye:
 I also particularly need to pay attention to usbguard, as it's quite
 possible I won't be able to do anything after reboot. :p
 
-I need to find alternatives to:
+Some other removed packages I have just accepted the removal, with the
+following alternatives:
 
- * gocode
- * gtk-recordmydesktop
- * usbguard applet
+| Package               | Alternative             | Rationale                                      |
+|-----------------------|-------------------------|------------------------------------------------|
+| `gocode`              | `gopls`                 | LSP is the (ad-hoc) standard                   |
+| `gtk-recordmydesktop` | `obs`                   | OBS Studio can also be used for live streaming |
+| `usbguard-applet-qt`  | `usbguard allow-device` | GUI just gone, but commandline might work      |
 
 ### Cool things I want to try
 
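Review bot: The `usbguard-applet-qt` row gives the rationale "commandline might work", directly below the context line warning that nothing may be usable after reboot; an untested alternative is a weak basis for accepting the loss of the device-authorization prompt. Confirm `usbguard allow-device` on the upgraded system and record the result in the table. The new lead-in "Some other removed packages I have just accepted the removal" also needs rewording, for example "For some other removed packages, I have accepted the removal".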

yolo
diff --git a/hardware/monitor.mdwn b/hardware/monitor.mdwn
index eaed2a82..c32cf248 100644
--- a/hardware/monitor.mdwn
+++ b/hardware/monitor.mdwn
@@ -24,16 +24,16 @@ I somehow managed to collect a ridiculous pile of old monitors. Here's
 what works and doesn't, in descending order of (totally subjective)
 "quality":
 
-| Model                          | Resolution       | Size  | Contrast | Lat  | Connectors              | Notes                                  | Status         |
-|--------------------------------|------------------|-------|----------|------|-------------------------|----------------------------------------|----------------|
-| [Samsung B2330H][]             | 1920x1080@60Hz   | 23"   | 70000:1  | 5ms  | VGA HDMI DVI            | molten hole in the back                | lent to alexis |
-| [LG Flatron Wide L204WTX-SF][] | 1680x1050@60Hz   | 20"   | 2000:1   | 5ms  | VGA DVI                 | looks great, one dead pixel            | curie          |
-| [Acer X193w][]                 | 1440x900@75Hz    | 19"   | 2000:1   | 5ms  | VGA DVI                 | clean and simple, top partially melted | curie          |
-| [Acer P186HV][]                | 1366x768@60Hz    | 18.5" | 5000:1   | 5ms  | VGA                     | display looks dusty                    |                |
-| [HP L2245wg][]                 | 1680x1050 @ 60Hz | 22"   | 1000:1   | 5ms  | VGA DVI 2xUSB           | LCD TN Film, rotating, 45-65W          | ex-curie       |
-| [Dell 1704FPvt][]              | 1280x1024@60Hz   | 17"   | 1000:1   | 25ms | VGA DVI 4xUSB           | looks square, rotating                 | marcos         |
-| [LG Flatron L1718S][]          | 1280x1024@75Hz   | 17"   | 700:1    | ?    | VGA                     | square, 35W                            |                |
-| [Toshiba 19AV500U][]           | 1440x900@?Hz     | 19"   | ?        | ?    | VGA HDMI component coax | it's a TV! not working in Linux?       |                |
+| Model                          | Resolution       | Size  | Contrast | Lat  | Connectors              | Notes                                  | Status   |
+|--------------------------------|------------------|-------|----------|------|-------------------------|----------------------------------------|----------|
+| [Samsung B2330H][]             | 1920x1080@60Hz   | 23"   | 70000:1  | 5ms  | VGA HDMI DVI            | molten hole in the back                | alexis   |
+| [LG Flatron Wide L204WTX-SF][] | 1680x1050@60Hz   | 20"   | 2000:1   | 5ms  | VGA DVI                 | looks great, one dead pixel            | curie    |
+| [Acer X193w][]                 | 1440x900@75Hz    | 19"   | 2000:1   | 5ms  | VGA DVI                 | clean and simple, top partially melted | curie    |
+| [Acer P186HV][]                | 1366x768@60Hz    | 18.5" | 5000:1   | 5ms  | VGA                     | display looks dusty                    |          |
+| [HP L2245wg][]                 | 1680x1050 @ 60Hz | 22"   | 1000:1   | 5ms  | VGA DVI 2xUSB           | LCD TN Film, rotating, 45-65W          | ex-curie |
+| [Dell 1704FPvt][]              | 1280x1024@60Hz   | 17"   | 1000:1   | 25ms | VGA DVI 4xUSB           | looks square, rotating                 | marcos   |
+| [LG Flatron L1718S][]          | 1280x1024@75Hz   | 17"   | 700:1    | ?    | VGA                     | square, 35W                            |          |
+| [Toshiba 19AV500U][]           | 1440x900@?Hz     | 19"   | ?        | ?    | VGA HDMI component coax | it's a TV! not working in Linux?       |          |
 
 [HP L2245wg]: https://www.cnet.com/products/hp-l2245wg/
 [Toshiba 19AV500U]: https://productz.com/en/toshiba-19av500u/p/eWMGr#full-specs

meh
diff --git a/hardware/monitor.mdwn b/hardware/monitor.mdwn
index 0e1ef3e4..eaed2a82 100644
--- a/hardware/monitor.mdwn
+++ b/hardware/monitor.mdwn
@@ -26,7 +26,7 @@ what works and doesn't, in descending order of (totally subjective)
 
 | Model                          | Resolution       | Size  | Contrast | Lat  | Connectors              | Notes                                  | Status         |
 |--------------------------------|------------------|-------|----------|------|-------------------------|----------------------------------------|----------------|
-| [Samsung B2330H][]             | 1920x1080@60Hz   | 23"   | 70,000:1 | 5ms  | VGA HDMI DVI            | molten hole in the back                | lent to alexis |
+| [Samsung B2330H][]             | 1920x1080@60Hz   | 23"   | 70000:1  | 5ms  | VGA HDMI DVI            | molten hole in the back                | lent to alexis |
 | [LG Flatron Wide L204WTX-SF][] | 1680x1050@60Hz   | 20"   | 2000:1   | 5ms  | VGA DVI                 | looks great, one dead pixel            | curie          |
 | [Acer X193w][]                 | 1440x900@75Hz    | 19"   | 2000:1   | 5ms  | VGA DVI                 | clean and simple, top partially melted | curie          |
 | [Acer P186HV][]                | 1366x768@60Hz    | 18.5" | 5000:1   | 5ms  | VGA                     | display looks dusty                    |                |

merge hp monitor in
diff --git a/hardware/monitor.mdwn b/hardware/monitor.mdwn
index dad94e03..0e1ef3e4 100644
--- a/hardware/monitor.mdwn
+++ b/hardware/monitor.mdwn
@@ -17,50 +17,38 @@ can't quite be 4k yet, according to [this comment](https://forums.puri.sm/t/suit
 be capped at "1440p at 60Hz", which I assume is 2560×1440 or
 [QuadHD](https://en.wikipedia.org/wiki/Graphics_display_resolution#2560_%C3%97_1440_(QHD,_WQHD)), which is already pretty good.
 
-Current monitor
-===============
-
-HP L2245wg
-----------
-
- * 1680x1050 @ 60Hz (16:10)
- * 22" TN Film
- * 90° swivel, -5 to 35° tilt
- * 45-65W
- * VGA, DVI
- * contrast: 1000:1
- * 5ms
- * 2 USB
- * LCD
-
-Update: replaced with the LG Flatron Wid L204WTX-SF, on an "arm",
-because the HP was getting finicky: it would "short" and blank out,
-get all "fuzzy" and weird. The new monitor looks *much* better.
-
-[Upstream](https://support.hp.com/us-en/product/hp-l2245wg-22-inch-widescreen-lcd-monitor/3758498/manuals), [manual](http://h10032.www1.hp.com/ctg/Manual/c01555675), [specs](https://www.cnet.com/products/hp-l2245wg/).
-
-Old monitors
-------------
+Monitor inventory
+=================
 
 I somehow managed to collect a ridiculous pile of old monitors. Here's
 what works and doesn't, in descending order of (totally subjective)
 "quality":
 
-| Model                          | Resolution     | Size  | Contrast | Lat  | Connectors              | Notes                                  | Status         |
-|--------------------------------|----------------|-------|----------|------|-------------------------|----------------------------------------|----------------|
-| [Samsung B2330H][]             | 1920x1080@60Hz | 23"   | 70,000:1 | 5ms  | VGA HDMI DVI            | molten hole in the back                | lent to alexis |
-| [LG Flatron Wide L204WTX-SF][] | 1680x1050@60Hz | 20"   | 2000:1   | 5ms  | VGA DVI                 | looks great, one dead pixel            |                |
-| [Acer X193w][]                 | 1440x900@75Hz  | ?"    | 2000:1   | 5ms  | VGA DVI                 | clean and simple, top partially melted |                |
-| [Acer P186HV][]                | 1366x768@60Hz  | 18.5" | 5000:1   | 5ms  | VGA                     | display looks dusty                    |                |
-| [Dell 1704FPvt][]              | 1280x1024@60Hz | 17"   | 1000:1   | 25ms | VGA DVI 4xUSB           | looks square, rotating                 | marcos         |
-| [Toshiba 19AV500U][]           | 1440x900@?Hz   | 19"   | ?        | ?    | VGA HDMI component coax | it's a TV! not working in Linux?       |                |
-
+| Model                          | Resolution       | Size  | Contrast | Lat  | Connectors              | Notes                                  | Status         |
+|--------------------------------|------------------|-------|----------|------|-------------------------|----------------------------------------|----------------|
+| [Samsung B2330H][]             | 1920x1080@60Hz   | 23"   | 70,000:1 | 5ms  | VGA HDMI DVI            | molten hole in the back                | lent to alexis |
+| [LG Flatron Wide L204WTX-SF][] | 1680x1050@60Hz   | 20"   | 2000:1   | 5ms  | VGA DVI                 | looks great, one dead pixel            | curie          |
+| [Acer X193w][]                 | 1440x900@75Hz    | 19"   | 2000:1   | 5ms  | VGA DVI                 | clean and simple, top partially melted | curie          |
+| [Acer P186HV][]                | 1366x768@60Hz    | 18.5" | 5000:1   | 5ms  | VGA                     | display looks dusty                    |                |
+| [HP L2245wg][]                 | 1680x1050 @ 60Hz | 22"   | 1000:1   | 5ms  | VGA DVI 2xUSB           | LCD TN Film, rotating, 45-65W          | ex-curie       |
+| [Dell 1704FPvt][]              | 1280x1024@60Hz   | 17"   | 1000:1   | 25ms | VGA DVI 4xUSB           | looks square, rotating                 | marcos         |
+| [LG Flatron L1718S][]          | 1280x1024@75Hz   | 17"   | 700:1    | ?    | VGA                     | square, 35W                            |                |
+| [Toshiba 19AV500U][]           | 1440x900@?Hz     | 19"   | ?        | ?    | VGA HDMI component coax | it's a TV! not working in Linux?       |                |
+
+[HP L2245wg]: https://www.cnet.com/products/hp-l2245wg/
 [Toshiba 19AV500U]: https://productz.com/en/toshiba-19av500u/p/eWMGr#full-specs
 [Dell 1704FPvt]: https://www.dell.com/downloads/global/products/monitors/en/spec_1704fp_en.pdf
 [Acer P186HV]: https://productz.com/en/acer-p186hv/p/JJ3rY
 [Acer X193w]: https://www.cnet.com/products/acer-x193w-lcd-monitor/
 [LG Flatron Wide L204WTX-SF]: https://www.lg.com/ca_en/support/product/lg-L204WTX-SF
 [Samsung B2330H]: https://www.samsung.com/us/business/support/owners/product/b2330-series-b2330hd/
+[LG Flatron L1718S]: https://www.lg.com/us/support/product/lg-L1718S-BN.AUS
+
+Update: I replaced with the LG Flatron Wid L204WTX-SF, on an "arm",
+because the HP was getting finicky: it would "short" and blank out,
+get all "fuzzy" and weird. The new monitor looks *much* better.
+
+Extra specs for the HP: [upstream](https://support.hp.com/us-en/product/hp-l2245wg-22-inch-widescreen-lcd-monitor/3758498/manuals), [manual](http://h10032.www1.hp.com/ctg/Manual/c01555675).
 
 Those monitors do not power up at all:
 
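Review bot: The relocated "Update:" paragraph no longer says what was replaced: "I replaced with the LG Flatron Wid L204WTX-SF" is missing its object now that the "HP L2245wg" heading above it has been removed, and "Wid" should be "Wide". Suggest "I replaced the HP L2245wg with the LG Flatron Wide L204WTX-SF".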

turn monitor list into a table
Easier to compare
diff --git a/hardware/monitor.mdwn b/hardware/monitor.mdwn
index 4f762a04..dad94e03 100644
--- a/hardware/monitor.mdwn
+++ b/hardware/monitor.mdwn
@@ -46,19 +46,21 @@ I somehow managed to collect a ridiculous pile of old monitors. Here's
 what works and doesn't, in descending order of (totally subjective)
 "quality":
 
- * [Samsung B2330H](https://www.samsung.com/us/business/support/owners/product/b2330-series-b2330hd/) 1920x1080@60Hz, 23", 70,000:1, 5ms, VGA, HDMI,
-   DVI, gigantic, molten hole in the back, but works (lent to a
-   coworker)
- * [LG Flatron Wide L204WTX-SF](https://www.lg.com/ca_en/support/product/lg-L204WTX-SF) 1680x1050@60Hz, 20", 2000:1, 5ms,
-   VGA, DVI, looks great, one dead pixel
- * [Acer X193w](https://www.cnet.com/products/acer-x193w-lcd-monitor/) 1440x900@75Hz, 2000:1, 5ms VGA, DVI, clean and
-   simple, top partially melted
- * [Acer P186HV](https://productz.com/en/acer-p186hv/p/JJ3rY) 1366x768@60Hz, 18.5", 5000:1, 5ms, VGA, display
-   looks dusty (physically and in the image)
- * [Dell 1704FPvt](https://www.dell.com/downloads/global/products/monitors/en/spec_1704fp_en.pdf) 1280x1024@60Hz, 17", 1000:1, 25ms, VGA, DVI, USB
-   4-port hub, looks square, rotating (used as a console for a server)
- * [Toshiba 19AV500U](https://productz.com/en/toshiba-19av500u/p/eWMGr#full-specs) 1440x900, 19", VGA, HDMI, "component",
-   antenna coax (it's a TV!), can't make it work in Linux
+| Model                          | Resolution     | Size  | Contrast | Lat  | Connectors              | Notes                                  | Status         |
+|--------------------------------|----------------|-------|----------|------|-------------------------|----------------------------------------|----------------|
+| [Samsung B2330H][]             | 1920x1080@60Hz | 23"   | 70,000:1 | 5ms  | VGA HDMI DVI            | molten hole in the back                | lent to alexis |
+| [LG Flatron Wide L204WTX-SF][] | 1680x1050@60Hz | 20"   | 2000:1   | 5ms  | VGA DVI                 | looks great, one dead pixel            |                |
+| [Acer X193w][]                 | 1440x900@75Hz  | ?"    | 2000:1   | 5ms  | VGA DVI                 | clean and simple, top partially melted |                |
+| [Acer P186HV][]                | 1366x768@60Hz  | 18.5" | 5000:1   | 5ms  | VGA                     | display looks dusty                    |                |
+| [Dell 1704FPvt][]              | 1280x1024@60Hz | 17"   | 1000:1   | 25ms | VGA DVI 4xUSB           | looks square, rotating                 | marcos         |
+| [Toshiba 19AV500U][]           | 1440x900@?Hz   | 19"   | ?        | ?    | VGA HDMI component coax | it's a TV! not working in Linux?       |                |
+
+[Toshiba 19AV500U]: https://productz.com/en/toshiba-19av500u/p/eWMGr#full-specs
+[Dell 1704FPvt]: https://www.dell.com/downloads/global/products/monitors/en/spec_1704fp_en.pdf
+[Acer P186HV]: https://productz.com/en/acer-p186hv/p/JJ3rY
+[Acer X193w]: https://www.cnet.com/products/acer-x193w-lcd-monitor/
+[LG Flatron Wide L204WTX-SF]: https://www.lg.com/ca_en/support/product/lg-L204WTX-SF
+[Samsung B2330H]: https://www.samsung.com/us/business/support/owners/product/b2330-series-b2330hd/
 
 Those monitors do not power up at all:
 

one more fixed issue
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 771d8491..198d07e7 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -247,14 +247,6 @@ I need to find alternatives to:
  * sway
  * figure out what else is new in bullseye?
 
-### Packages mistakenly removed
-
- * inkscape
- * gnuradio
- * libu2f-host0 - need to test if u2f works without it in firefox/chrome
-
-Workaround: `apt install $PACKAGE`
-
 ### Puppet breaks in bullseye/sid
 
 testing has this ... peculiar notion of itself. instead of announcing
@@ -438,6 +430,21 @@ significant!
 
 Maybe there's a way to figure out which package ate all that much?
 
+### Packages mistakenly removed
+
+Those packages were removed during the upgrade, yet I still want to
+use them:
+
+ * inkscape
+ * gnuradio
+
+Workaround: `apt install $PACKAGE`
+
+The package `libu2f-host0` was also removed and, typically, I needed it
+to make U2F authentication work (2FA) in Firefox and Chrome, but it
+seems it's not necessary in bullseye anymore at least, so I've just
+removed it altogether.
+
 # Troubleshooting
 
 ## Upgrade failures
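Review bot: The added `libu2f-host0` paragraph replaces the removed to-do "need to test if u2f works without it in firefox/chrome" with "it seems it's not necessary in bullseye anymore", which leaves it unclear whether that test was actually done. Since this concerns the second factor for logins, state which browsers were checked with the package absent. The phrase "and, typically, I needed it" probably means "previously".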

more bullseye issues, mostly fixed
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 6be6d8d1..771d8491 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -331,6 +331,10 @@ and not a version, in testing/unstable in Debian... Garbage-in,
 garbage-out? Why don't we set a real version number there in Debian in
 the first place?
 
+### LUKS password prompt in plain text instead of GUI
+
+It seems like Plymouth just disappeared?
+
 ## Resolved
 
 ### Browserpass fails to upgrade
@@ -357,6 +361,27 @@ Once the upgrade is completed, just reinstall:
 
     apt install webext-browserpass
 
+The extension is quite finicky: i had to disable and re-enable it to
+get the button to show up on the browser interface.
+
+### Double redshift
+
+I had two Redshift items in the notification area (and presumably
+processes too) running after a reboot and re-login. Not sure what's
+going on, it made the monitor "flicker slowly" as it flipped between
+the two configurations somehow.
+
+It seems like the Debian package now ships a systemd unit file in
+`/usr/lib/systemd/user/redshift-gtk.service`, which takes care of the
+startup, so I disabled the hack in my `.xsession` file, nice.
+
+### Emacs took 2 minutes to start
+
+That was because I still had `company-go` in my `.emacs`
+configuration, which meant it was trying to fetch it from MELPA, which
+took forever. I removed it and, anyways, it wouldn't have done it a
+second time so that's fixed.
+
 ### i3-focus and rsendmail delivery failed
 
 I have this custom [i3-focus](https://gitlab.com/anarcat/scripts/blob/master/i3-focus) script to improve on the "alt-tab"

more comments ideas
diff --git a/services/wiki/ikiwiki-hugo-conversion.mdwn b/services/wiki/ikiwiki-hugo-conversion.mdwn
index 618c555b..0797d461 100644
--- a/services/wiki/ikiwiki-hugo-conversion.mdwn
+++ b/services/wiki/ikiwiki-hugo-conversion.mdwn
@@ -339,6 +339,11 @@ Discarded alternatives:
 Other ideas:
 
  * [bridgy](https://brid.gy/) "connects websites to social media", including Mastodon
+ * [email gateway](https://rak.ac/blog/2021-03-12-static-comments-in-hugo/) - hugo plugin based on
+   [jekyll-static-comments](https://github.com/mpalmer/jekyll-static-comments) which takes comments by email and adds
+   them inside the page, kind of like how ikiwiki comments work
+   (except with email instead of CGI)
+ * [cactus comments](https://cactus.chat/) "federated comment system for the web, based on the Matrix protocol"
 
 Other converters
 ================

another todo
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index a8e3efbd..6be6d8d1 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -242,6 +242,11 @@ I need to find alternatives to:
  * gtk-recordmydesktop
  * usbguard applet
 
+### Cool things I want to try
+
+ * sway
+ * figure out what else is new in bullseye?
+
 ### Packages mistakenly removed
 
  * inkscape

explicitly note missing packages
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 15e86f97..a8e3efbd 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -224,6 +224,24 @@ See also the official list of [known issues](https://www.debian.org/releases/bul
 
 ## Pending
 
+### Critical packages missing
+
+In the "removed packages" list above, i have decided to keep the
+following, even if they don't make it to bullseye:
+
+ * elpy - keeping until i switch to LSP? hopefully it will make it too
+ * syncmaildir - my email sync! maybe i can try another
+ * qalculate-gtk - it will get back on its feet, i'm sure
+
+I also particularly need to pay attention to usbguard, as it's quite
+possible I won't be able to do anything after reboot. :p
+
+I need to find alternatives to:
+
+ * gocode
+ * gtk-recordmydesktop
+ * usbguard applet
+
 ### Packages mistakenly removed
 
  * inkscape

disk space (mostly) resolved
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index c97043fa..15e86f97 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -224,39 +224,6 @@ See also the official list of [known issues](https://www.debian.org/releases/bul
 
 ## Pending
 
-### Too much stuff
-
-I have too much stuff on my computers. I was already a bit short on my
-`/` partition before the upgrade:
-
-    Filesystem                  Size  Used Avail Use% Mounted on
-    /dev/mapper/curie--vg-root   28G   25G  2.8G  90% /
-
-The upgrade downloaded ~7GB of Debian packages, and required an extra
-4.5GB of disk space! Clearly that wouldn't do here, so I had to expand
-the root partition, which ended up like this after the upgrade:
-
-    Filesystem                  Size  Used Avail Use% Mounted on
-    /dev/mapper/curie--vg-root   38G   25G   13G  67% /
-
-I'm surprised that Debian bullseye now would use an extra 4GB of disk
-space! The [disk](https://www.debian.org/releases/testing/amd64/ch03s04.en.html) [requirements](https://www.debian.org/releases/testing/amd64/apds02.en.html) don't seem to have changed in
-decades, yet I keep having to pile up more disk space only to store
-software... We'll see what the end result will be.
-
-Packages I could remove:
-
- * `php*` - maybe some leftover of a dev environment?
-
-After the complete upgrade procedure (but before removing the extra
-kernel):
-
-    Filesystem                  Size  Used Avail Use% Mounted on
-    /dev/mapper/curie--vg-root   38G   28G  9.1G  76% /
-
-So the upgrade *did* use about 3-4GB of disk space, which is quite
-significant!
-
 ### Packages mistakenly removed
 
  * inkscape
@@ -388,6 +355,41 @@ around packaging (which would fix this issue). It also meant it
 totally lost the mails, because postfix panicked and drop the mails
 when it couldn't generate a bounce either.
 
+### Not enough disk space
+
+I have too much stuff on my computers. I was already a bit short on my
+`/` partition before the upgrade:
+
+    Filesystem                  Size  Used Avail Use% Mounted on
+    /dev/mapper/curie--vg-root   28G   25G  2.8G  90% /
+
+The upgrade downloaded ~7GB of Debian packages, and required an extra
+4.5GB of disk space! Clearly that wouldn't do here, so I had to expand
+the root partition, which ended up like this after the upgrade:
+
+    Filesystem                  Size  Used Avail Use% Mounted on
+    /dev/mapper/curie--vg-root   38G   25G   13G  67% /
+
+I'm surprised that Debian bullseye now would use an extra 4GB of disk
+space! The [disk](https://www.debian.org/releases/testing/amd64/ch03s04.en.html) [requirements](https://www.debian.org/releases/testing/amd64/apds02.en.html) don't seem to have changed in
+decades, yet I keep having to pile up more disk space only to store
+software... We'll see what the end result will be.
+
+Packages I have removed:
+
+ * `php*` - maybe some leftover of a dev environment?
+
+After the complete upgrade procedure (but before removing the extra
+kernel):
+
+    Filesystem                  Size  Used Avail Use% Mounted on
+    /dev/mapper/curie--vg-root   38G   28G  9.1G  76% /
+
+So the upgrade *did* use about 3-4GB of disk space, which is quite
+significant!
+
+Maybe there's a way to figure out which package ate all that much?
+
 # Troubleshooting
 
 ## Upgrade failures
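
Review bot: The relocated section says "I had to expand the root partition" (28G to 38G in the two `df` outputs) without recording how. Since this is a procedure page and the volume is `/dev/mapper/curie--vg-root`, suggest adding the command that was used so the step can be repeated on the next machine. The section also now sits after the rsendmail text while still ending on an open question ("which package ate all that much?") and a `php*` entry with a question mark, so either answer those or leave a pointer under Pending.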

fix path to clean_conflicts (which was run)
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index ffd9fe3f..c97043fa 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -96,7 +96,7 @@ after a reboot. And yes, that's even more dangerous.
         export DEBIAN_FRONTEND=noninteractive APT_LISTCHANGES_FRONTEND=none APT_LISTBUGS_FRONTEND=none &&
         apt full-upgrade -y -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' &&
         printf "\a" &&
-        /home/anarcat/src/koumbit-scripts/bin/clean_conflicts &&
+        /home/anarcat/src/koumbit-scripts/vps/clean_conflicts &&
         printf "End of Step 5\a\n"
 
  6. Post-upgrade procedures:
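
Review bot: The corrected line still hard-codes `/home/anarcat/src/koumbit-scripts/vps/clean_conflicts`, a script in a personal checkout, in the same `&&` chain as `apt full-upgrade -y`, so it presumably runs with root privileges. Suggest saying where the script comes from and either installing it to a root-owned location or checking that it exists before step 5 starts, since a wrong path stops the chain before "End of Step 5". The combination of `-y` with `--force-confdef` and `--force-confold` also keeps old configuration files without asking, so a note to review the leftover `.dpkg-dist` files afterwards would fit here.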

outline one problem with apt-list
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 251beb41..ffd9fe3f 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -483,7 +483,9 @@ this, since APT adopted the aptitude patterns:
 
     apt list '?obsolete'
 
-It's unclear how it differs from the above.
+It works well, and the output is digestible, but it will not catch
+versions on the local machine *newer* than in the archive, which might
+be a problem in some cases.
 
 # References
 
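Review bot: "which might be a problem in some cases" in the new paragraph does not say which cases. The apt-forktracer section on the same page already gives a concrete one (a package from "testing" installed on "stable"); reusing that example here, and naming the command on this page that does catch locally newer versions, would make the comparison actionable.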

lack of time: mostly done, just need to reboot curie
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 4e7722dc..251beb41 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -265,11 +265,6 @@ significant!
 
 Workaround: `apt install $PACKAGE`
 
-### Lack of time
-
-Lacked the time to complete the upgrade on curie, at step 6. Still
-need to fix puppet at the very least, and the remaining stuff.
-
 ### Puppet breaks in bullseye/sid
 
 testing has this ... peculiar notion of itself. instead of announcing

more removed packages, kind of worrisome that smd thing
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 7fd600fd..4e7722dc 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -192,18 +192,29 @@ list.
 
 ## Removed packages
 
+ * [apt-venv](https://tracker.debian.org/pkg/apt-venv) was removed because of an [invalid email address](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=979347),
+   seems silly but I guess it makes sense
+ * [debirf](https://tracker.debian.org/pkg/debirf) also had critical bugs, although there's still hope for
+   that guy
+ * [elpy](https://tracker.debian.org/pkg/elpy) is also [failing its test suite](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=975535) but hopefully should
+   make it back when that's fixed (although switching to LSP is also
+   an option here)
  * [gocode was removed](https://bugs.debian.org/976642) along with elpa-company-go, need to switch
    to gopls
+ * [gtk-recordmydesktop](https://tracker.debian.org/pkg/gtk-recordmydesktop) - Python 2, dead upstream, see [bug 943983](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=943983)
  * Python 2 support is removed! hopefully most of my stuff is already
    Python 3, but I did lose monkeysign and gameclock, as mentioned above
  * Mailman 2 is consequently removed
+ * [syncmaildir](https://tracker.debian.org/pkg/syncmaildir) has a [FTBFS](https://bugs.debian.org/975227) and has been removed from
+   testing, seems like it is in bad shape
+ * [qalculate-gtk](https://tracker.debian.org/pkg/qalculate-gtk), my dearest calculator, was dropped from testing
+   too! a team picked up the package, but too late it seems :/
  * usbguard-applet-qt - [removed 0.7.5](https://tracker.debian.org/news/1069337/accepted-usbguard-075ds-1-source-into-unstable/) from [usbguard](https://tracker.debian.org/pkg/usbguard)
    [upstream](https://usbguard.github.io/), with the idea that it was a proof of concept and
    would be maintained outside of the main tree, but no clear
    candidate has emerged just yet, see [this upstream issue](https://github.com/USBGuard/usbguard/issues/334), [this
    fork](https://github.com/pinotree/usbguard-applet-qt), [usbguard-gnome](https://github.com/6E006B/usbguard-gnome), [usbguard-notifier](https://github.com/Cropi/usbguard-notifier) and also
    [usbauth-all](https://github.com/kochstefan/usbauth-all), none packaged in Debian
- * [gtk-recordmydesktop](https://tracker.debian.org/pkg/gtk-recordmydesktop) - Python 2, dead upstream, see [bug 943983](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=943983)
 
 See also the [noteworthy obsolete packages](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.en.html#noteworthy-obsolete-packages) list.
 
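Review bot: The hunk moves gtk-recordmydesktop up so the list reads alphabetically, but the new syncmaildir entry is placed before qalculate-gtk, and the Python 2 and Mailman 2 items sit between gtk-recordmydesktop and syncmaildir. Suggest either finishing the sort (qalculate-gtk before syncmaildir) or grouping the general removals separately from the per-package ones. The debirf entry says it "also had critical bugs" but, unlike its neighbours, links no bug report; adding the bug number would match the rest of the list.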

disk space update
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index f674905d..7fd600fd 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -218,12 +218,14 @@ See also the official list of [known issues](https://www.debian.org/releases/bul
 I have too much stuff on my computers. I was already a bit short on my
 `/` partition before the upgrade:
 
+    Filesystem                  Size  Used Avail Use% Mounted on
     /dev/mapper/curie--vg-root   28G   25G  2.8G  90% /
 
 The upgrade downloaded ~7GB of Debian packages, and required an extra
 4.5GB of disk space! Clearly that wouldn't do here, so I had to expand
 the root partition, which ended up like this after the upgrade:
 
+    Filesystem                  Size  Used Avail Use% Mounted on
     /dev/mapper/curie--vg-root   38G   25G   13G  67% /
 
 I'm surprised that Debian bullseye now would use an extra 4GB of disk
@@ -235,7 +237,16 @@ Packages I could remove:
 
  * `php*` - maybe some leftover of a dev environment?
 
-### Packages mistakenly removed:
+After the complete upgrade procedure (but before removing the extra
+kernel):
+
+    Filesystem                  Size  Used Avail Use% Mounted on
+    /dev/mapper/curie--vg-root   38G   28G  9.1G  76% /
+
+So the upgrade *did* use about 3-4GB of disk space, which is quite
+significant!
+
+### Packages mistakenly removed
 
  * inkscape
  * gnuradio

browserpass mostly resolved
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 99a3b6b3..f674905d 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -235,30 +235,6 @@ Packages I could remove:
 
  * `php*` - maybe some leftover of a dev environment?
 
-### Browserpass fails to upgrade
-
-Upgrade crashed on this:
-
-```
-dpkg: error processing archive /var/cache/apt/archives/webext-browserpass_3.7.2-1+b1_amd64.deb (--unpack):
- unable to open '/usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/browserpass@maximbaz.com/icon.png.dpkg-new': No such file or directory
-Reinstalling /etc/chromium/native-messaging-hosts/com.dannyvankooten.browserpass.json that was moved away
-Errors were encountered while processing:
- /var/cache/apt/archives/webext-browserpass_3.7.2-1+b1_amd64.deb
-```
-
-This is [bug #982758](https://bugs.debian.org/982758). Workaround:
-
-    apt purge webext-browserpass
-
-If the upgrade crashed, purge the package with the same Dpkg options:
-
-    apt -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' purge webext-browserpass
-
-Once the upgrade is completed, just reinstall:
-
-    apt install webext-browserpass
-
 ### Packages mistakenly removed:
 
  * inkscape
@@ -350,6 +326,30 @@ the first place?
 
 ## Resolved
 
+### Browserpass fails to upgrade
+
+Upgrade crashed on this:
+
+```
+dpkg: error processing archive /var/cache/apt/archives/webext-browserpass_3.7.2-1+b1_amd64.deb (--unpack):
+ unable to open '/usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/browserpass@maximbaz.com/icon.png.dpkg-new': No such file or directory
+Reinstalling /etc/chromium/native-messaging-hosts/com.dannyvankooten.browserpass.json that was moved away
+Errors were encountered while processing:
+ /var/cache/apt/archives/webext-browserpass_3.7.2-1+b1_amd64.deb
+```
+
+This is [bug #982758](https://bugs.debian.org/982758). Workaround:
+
+    apt purge webext-browserpass
+
+If the upgrade crashed, purge the package with the same Dpkg options:
+
+    apt -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' purge webext-browserpass
+
+Once the upgrade is completed, just reinstall:
+
+    apt install webext-browserpass
+
 ### i3-focus and rsendmail delivery failed
 
 I have this custom [i3-focus](https://gitlab.com/anarcat/scripts/blob/master/i3-focus) script to improve on the "alt-tab"

sort
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index c4f2c20b..99a3b6b3 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -127,90 +127,6 @@ after a reboot. And yes, that's even more dangerous.
         apt-forktracer | sort
         printf "All procedures completed\a\n" &&
 
-## Finding orphaned and weird packages
-
-The [apt-forktracer](https://owsiany.pl/apt-forktracer-page) call used to have many other different
-incantations, and it's not yet clear that it does everything we
-need. What we want to find are basically packages that are not
-"canonical Debian packages", which are shipped by the stable Debian
-distribution. Those are typically called "obsolete" packages in
-Debian, but that term is somewhat to narrow, as I also want to
-consider packages that were *never* part of Debian at all.
-
-Weirdly, the release notes suggest *three* different methods to do
-this, in different part of the documentation. (Filed this as a bug in
-[987017](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987017).)
-
-This section tries to figure out the right way forward. See also [step
-4.2.2](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-upgrading.en.html#removing-non-debian-packages), [4.8](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-upgrading.en.html#obsolete) and [this forum](https://askubuntu.com/questions/98223/how-do-i-get-a-list-of-obsolete-packages).
-
-### aptitude search 1
-
-This is the first way I found:
-
-    aptitude search '?narrow(?not(?archive("^[^n][^o][^w].*$")),?version(CURRENT))'
-
-This incantation comes from the
-[[cross-upgrade|services/upgrades/cross-architecture/]]
-documentation. It selects packages that are currently installed
-(`?narrow(...,?version(CURRENT))`) from an archive other than "now"
-(`?not(?archive("^[^n][^o][^w].*$")`). This was cargo-culted from
-[Ewan's cross-upgrading documentation](http://www.nanonanonano.net/linux/debian/crossgrading).
-
-Nowadays, the release notes actually suggest a similar pattern:
-
-    aptitude search '?narrow(?installed, ?not(?origin(Debian)))'
-
-### apt-show-versions
-
-I also found this somewhat works to find weird packages:
-
-    apt-show-versions | grep -v /bullseye
-
-This uses the more flexible [[!debpkg apt-show-version]] to list
-everything that is not in the `bullseye` repository. But the regex
-could hide third-party repositories that happen to reuse that
-codename. It can also yield strange results like:
-
-    linux-libc-dev:i386 not installed
-
-Those are presumably harmless, so this might be a better call:
-
-    apt-show-versions | grep -v /bullseye | grep -v 'not installed$'
-
-... to filter out those packages.
-
-### aptitude 2: ~obsolete
-
-Then the release notes also suggest this:
-
-    aptitude search '?obsolete'
-    
-This command has been recommended to [find obsolete packages](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-upgrading.en.html#obsolete)
-[since buster](https://www.debian.org/releases/buster/amd64/release-notes/ch-upgrading.en.html#obsolete).
-
-### apt-forktracer
-
-This one is fairly new to the game, at least as far as I am concerned:
-
-    apt-forktracer | sort
-
-This will not find packages that are from a *newer* version (for
-example from "testing" in "stable").
-
-It's *also* recommended by the release notes. I've settled on it
-because its output is so much simpler, but I still need to compare the
-various results.
-
-### apt list
-
-Starting from bullseye, ironically, we have *another* way of doing
-this, since APT adopted the aptitude patterns:
-
-    apt list '?obsolete'
-
-It's unclear how it differs from the above.
-
 # Notable changes
 
 Here are some packages with notable version changes that I
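
Review bot: In the context lines at the top of this hunk, `apt-forktracer | sort` has no `&&` while the final `printf "All procedures completed\a\n" &&` ends with one. Pasted as is, the shell waits for another command after the trailing `&&`, and the printf is no longer tied to the success of the chain before it. Suggest moving the `&&` to the `apt-forktracer | sort` line and dropping it from the last line while this block is being touched.
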
@@ -468,6 +384,90 @@ If there's any trouble during reboots, you should use some recovery
 system. The [release notes actually have good documentation on
 that](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-upgrading.en.html#recovery), on top of "use a live filesystem".
 
+## Finding orphaned and weird packages
+
+The [apt-forktracer](https://owsiany.pl/apt-forktracer-page) call above used to have many other different
+incantations, and it's not yet clear that it does everything we
+need. What we want to find are basically packages that are not
+"canonical Debian packages", which are shipped by the stable Debian
+distribution. Those are typically called "obsolete" packages in
+Debian, but that term is somewhat to narrow, as I also want to
+consider packages that were *never* part of Debian at all.
+
+Weirdly, the release notes suggest *three* different methods to do
+this, in different part of the documentation. (Filed this as a bug in
+[987017](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987017).)
+
+This section tries to figure out the right way forward. See also [step
+4.2.2](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-upgrading.en.html#removing-non-debian-packages), [4.8](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-upgrading.en.html#obsolete) and [this forum](https://askubuntu.com/questions/98223/how-do-i-get-a-list-of-obsolete-packages).
+
+### aptitude search 1
+
+This is the first way I found:
+
+    aptitude search '?narrow(?not(?archive("^[^n][^o][^w].*$")),?version(CURRENT))'
+
+This incantation comes from the
+[[cross-upgrade|services/upgrades/cross-architecture/]]
+documentation. It selects packages that are currently installed
+(`?narrow(...,?version(CURRENT))`) from an archive other than "now"
+(`?not(?archive("^[^n][^o][^w].*$")`). This was cargo-culted from
+[Ewan's cross-upgrading documentation](http://www.nanonanonano.net/linux/debian/crossgrading).
+
+Nowadays, the release notes actually suggest a similar pattern:
+
+    aptitude search '?narrow(?installed, ?not(?origin(Debian)))'
+
+### apt-show-versions
+
+I also found this somewhat works to find weird packages:
+
+    apt-show-versions | grep -v /bullseye
+
+This uses the more flexible [[!debpkg apt-show-version]] to list
+everything that is not in the `bullseye` repository. But the regex
+could hide third-party repositories that happen to reuse that
+codename. It can also yield strange results like:
+
+    linux-libc-dev:i386 not installed
+
+Those are presumably harmless, so this might be a better call:
+
+    apt-show-versions | grep -v /bullseye | grep -v 'not installed$'
+
+... to filter out those packages.
+
+### aptitude 2: ~obsolete
+
+Then the release notes also suggest this:
+
+    aptitude search '?obsolete'
+    
+This command has been recommended to [find obsolete packages](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-upgrading.en.html#obsolete)
+[since buster](https://www.debian.org/releases/buster/amd64/release-notes/ch-upgrading.en.html#obsolete).
+
+### apt-forktracer
+
+This one is fairly new to the game, at least as far as I am concerned:
+
+    apt-forktracer | sort
+
+This will not find packages that are from a *newer* version (for
+example from "testing" in "stable").
+
+It's *also* recommended by the release notes. I've settled on it
+because its output is so much simpler, but I still need to compare the
+various results.
+
+### apt list
+
+Starting from bullseye, ironically, we have *another* way of doing
+this, since APT adopted the aptitude patterns:
+
+    apt list '?obsolete'
+
+It's unclear how it differs from the above.
+
 # References
 
  * [Official guide](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-upgrading.en.html) (WIP)
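
Review bot: The section is moved verbatim, so it carries its typos with it: "somewhat to narrow" (too), "in different part of the documentation" (parts), and `[[!debpkg apt-show-version]]`, which lacks the final "s" of the `apt-show-versions` command shown just above it. The inline pattern `?not(?archive("^[^n][^o][^w].*$")` is also missing its closing parenthesis. On substance, the five methods are listed with their individual blind spots but no recommendation; since the text says apt-forktracer is the one settled on, suggest saying so at the top of the section.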

u2f oddity
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index ed8b5468..c4f2c20b 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -347,6 +347,7 @@ Once the upgrade is completed, just reinstall:
 
  * inkscape
  * gnuradio
+ * libu2f-host0 - need to test if u2f works without it in firefox/chrome
 
 Workaround: `apt install $PACKAGE`
 
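Review bot: The new libu2f-host0 item says "need to test if u2f works without it", yet it is filed under "Packages mistakenly removed", whose workaround is `apt install $PACKAGE`. Suggest separating it from inkscape and gnuradio until the test is done, and recording the result for both browsers, so a reader does not discover a broken second factor at login time.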

browserpass workaround
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index eb7cbb63..ed8b5468 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -333,9 +333,15 @@ Errors were encountered while processing:
 
 This is [bug #982758](https://bugs.debian.org/982758). Workaround:
 
+    apt purge webext-browserpass
+
+If the upgrade crashed, purge the package with the same Dpkg options:
+
     apt -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' purge webext-browserpass
 
-Presumably it can be reinstalled after?
+Once the upgrade is completed, just reinstall:
+
+    apt install webext-browserpass
 
 ### Packages mistakenly removed:
 
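Review bot: The workaround uses `apt purge`, which removes the package's configuration as well as its files, and the error output in this section mentions `/etc/chromium/native-messaging-hosts/com.dannyvankooten.browserpass.json` being moved away and reinstated. Suggest stating whether `apt install webext-browserpass` restores a working native-messaging host afterwards, or whether `apt remove` is enough, since the replaced line ("Presumably it can be reinstalled after?") was a question and the new text reads as a confirmed fix.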

more python libs fail
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 2d582343..eb7cbb63 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -105,6 +105,10 @@ after a reboot. And yes, that's even more dangerous.
         puppet agent --enable &&
         puppet agent -t --noop &&
         (puppet agent -t || true) &&
+        : reinstall Python packages to follow Python upgrade &&
+        for package in rsendmail pubpaste ; do
+            cd ~/src/$package && pip3 install .
+        done &&
         systemctl start apt-daily.timer &&
         printf "End of Step 6\a\n" &&
         shutdown -r +1 "rebooting to get rid of old kernel image..."
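
Review bot: The `for` loop's exit status is that of its last iteration, so if `pip3 install .` fails for rsendmail but succeeds for pubpaste, the `&&` chain continues as if both were reinstalled. Suggest writing the two installs as separate `&&` links instead of a loop. Also, `~/src/$package` resolves against the home of whoever runs the block, while step 5 uses `/home/anarcat/src/...`; with `systemctl` and `shutdown` in the same chain this is presumably root, so it is worth stating which checkout is meant. The loop also leaves the shell inside the last package directory.
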
@@ -423,7 +427,7 @@ the first place?
 
 ## Resolved
 
-### i3-focus failed
+### i3-focus and rsendmail delivery failed
 
 I have this custom [i3-focus](https://gitlab.com/anarcat/scripts/blob/master/i3-focus) script to improve on the "alt-tab"
 behavior, which depends on a python library not in Debian. I have this
@@ -436,6 +440,14 @@ upgrade. Doing this fixed it:
     .virtualenvs/i3_py/bin/pip3 install i3_py
     rm -rf .virtualenvs/i3_py.orig
 
+This is presumably because Python libraries get installed in a
+version-specific directory...
+
+Note that this also crashed [rsendmail](https://gitlab.com/anarcat/rsendmail) which I really need to get
+around packaging (which would fix this issue). It also meant it
+totally lost the mails, because postfix panicked and drop the mails
+when it couldn't generate a bounce either.
+
 # Troubleshooting
 
 ## Upgrade failures
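
Review bot: The added paragraph reports that mail was lost ("postfix panicked and drop the mails", which should read "dropped"), but the procedure change in this commit only reinstalls rsendmail in step 6, after the Python upgrade has already broken it. Suggest adding a step before the upgrade that stops or holds mail delivery until the reinstall is done, so the window between step 5 and the reinstall does not lose messages again.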

puppet snafu
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index c3218e04..2d582343 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -345,6 +345,82 @@ Workaround: `apt install $PACKAGE`
 Lacked the time to complete the upgrade on curie, at step 6. Still
 need to fix puppet at the very least, and the remaining stuff.
 
+### Puppet breaks in bullseye/sid
+
+testing has this ... peculiar notion of itself. instead of announcing
+itself like a normal Debian stable release, for example:
+
+    anarcat@angela:~(main)$ lsb_release -a
+    No LSB modules are available.
+    Distributor ID:	Debian
+    Description:	Debian GNU/Linux 10 (buster)
+    Release:	10
+    Codename:	buster
+
+It is kind of unsure about its identity:
+
+    vagrant@testing:~$ lsb_release -a
+    No LSB modules are available.
+    Distributor ID:	Debian
+    Description:	Debian GNU/Linux bullseye/sid
+    Release:	testing/unstable
+    Codename:	n/a
+
+When you know how Debian works (that `testing` is really just an old,
+partial copy of `unstable`), that makes sense. But when you create
+Puppet manifests, you expect stuff like:
+
+    if $facts['os']['release']['major'] < 11 {
+        # stuff before bullseye
+    } else {
+        # stuff after bullseye
+    }
+
+To just work. But they don't. In bullseye/sid/testing/unstable,
+however you want to call it, `os.release.major` is actually
+"bullseye/sid". Not "bullseye", not "sid", and, of course, not
+"11". "bullseye/sid". So obviously that just totally breaks when
+comparing to "11".
+
+I tried patching `/etc/os-release`:
+
+    cat >> /etc/os-release <<EOF
+    VERSION_ID="11"
+    VERSION="11 (bullseye)"
+    VERSION_CODENAME=bullseye
+    EOF
+
+But that doesn't seem to work: it looks like `facter -p`, at least,
+takes the major/minor information from... `/etc/debian_version`! So
+you actually need to do this to fix your manifests:
+
+    echo 11.0 > /etc/debian_version
+
+But that's really... quite a hack. To workaround this from the Puppet
+side, I ended up doing this ugly kludge:
+
+    # remove packages gone from bullseye
+    #
+    # XXX: we should really use < 11 here, but os.release.major is
+    # actually "bullseye/sid" now? ouch?
+    #
+    # remove this when we stop supporting buster
+    $bullseye_removed = $facts['os']['distro']['codename'] ? {
+      'bullseye/sid' => absent,
+      'bullseye' => absent,
+      default => present,
+    }
+    package { 'gtk-recordmydesktop':
+      ensure => $bullseye_removed,
+    }
+
+It's unclear to me here where the fault lies. On the one hand, it
+seems that Puppet shouldn't change the type of one of its core facts,
+but on the other, `/etc/debian_version` *is* `bullseye/sid`, a string
+and not a version, in testing/unstable in Debian... Garbage-in,
+garbage-out? Why don't we set a real version number there in Debian in
+the first place?
+
 ## Resolved
 
 ### i3-focus failed
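
Review bot: The selector at the end matches `$facts['os']['distro']['codename']` against 'bullseye/sid', but the `lsb_release -a` output quoted earlier in the same hunk shows `Codename: n/a` on testing. Suggest stating the fact value that was actually observed (for example from `facter os.distro`), otherwise a reader cannot tell whether the 'bullseye/sid' arm ever matches. Two smaller points: the `cat >> /etc/os-release` attempt is described as not working, so the text should say to revert it rather than leave duplicate keys behind, and `echo 11.0 > /etc/debian_version` edits a file owned by a package, so it should be marked as a temporary hack to undo once the release ships.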

more removed stuff
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 8d370bc1..c3218e04 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -277,9 +277,13 @@ list.
  * Python 2 support is removed! hopefully most of my stuff is already
    Python 3, but I did lose monkeysign and gameclock, as mentioned above
  * Mailman 2 is consequently removed
- * usbguard-applet-qt
- * qemu-kvm
- * gtk-recordmydesktop
+ * usbguard-applet-qt - [removed 0.7.5](https://tracker.debian.org/news/1069337/accepted-usbguard-075ds-1-source-into-unstable/) from [usbguard](https://tracker.debian.org/pkg/usbguard)
+   [upstream](https://usbguard.github.io/), with the idea that it was a proof of concept and
+   would be maintained outside of the main tree, but no clear
+   candidate has emerged just yet, see [this upstream issue](https://github.com/USBGuard/usbguard/issues/334), [this
+   fork](https://github.com/pinotree/usbguard-applet-qt), [usbguard-gnome](https://github.com/6E006B/usbguard-gnome), [usbguard-notifier](https://github.com/Cropi/usbguard-notifier) and also
+   [usbauth-all](https://github.com/kochstefan/usbauth-all), none packaged in Debian
+ * [gtk-recordmydesktop](https://tracker.debian.org/pkg/gtk-recordmydesktop) - Python 2, dead upstream, see [bug 943983](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=943983)
 
 See also the [noteworthy obsolete packages](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.en.html#noteworthy-obsolete-packages) list.
 
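Review bot: `qemu-kvm` is dropped from the list while the other two items it was added with gain explanations, and neither the hunk nor the commit message says why. If it turned out not to be removed from bullseye, say so in a short line; if it was removed, keep it with a link like its neighbours.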

link to journald.conf(5) for details on storage
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 5f6540ef..8d370bc1 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -214,7 +214,7 @@ noticed.
 
  * [driverless scanning and printing](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-whats-new.en.html#driverless-operation)
  * persistent systemd journal, which might have some privacy issues
-   (`rm -rf /var/log/journal` to disable)
+   (`rm -rf /var/log/journal` to disable, see [journald.conf(5)](https://manpages.debian.org/bullseye/systemd/journald.conf.5.en.html))
  * last release to support non-merged /usr
  * security archive changed to `deb https://deb.debian.org/debian-security bullseye-security main contrib` (covered by script above)
  * the Intel VA-API driver might give performance boosts and battery
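
Review bot: The parenthetical now links journald.conf(5) but still gives `rm -rf /var/log/journal` as the way to disable persistence. That deletes the existing logs outright, which matters if they are needed to investigate a problem after the upgrade, and it relies on the default storage behaviour rather than on a setting. Suggest pointing at the `Storage=` option in the linked page (for example `Storage=volatile`) as the durable way to opt out, and keeping the `rm -rf` only as the cleanup of what was already written.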

puppet should be a noop, abort otherwise
at least that way we can see what's up
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 09bbd853..5f6540ef 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -103,7 +103,7 @@ after a reboot. And yes, that's even more dangerous.
 
         apt-get update --allow-releaseinfo-change &&
         puppet agent --enable &&
-        (puppet agent -t || true) &&
+        puppet agent -t --noop &&
         (puppet agent -t || true) &&
         systemctl start apt-daily.timer &&
         printf "End of Step 6\a\n" &&
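
Review bot: The commit message says the noop run should "abort otherwise", but the hunk does not say which exit status `puppet agent -t --noop` returns when changes are pending, and that is what decides whether `&&` stops the chain. Suggest a comment next to the line stating the expected status for "no pending changes", and noting that the following `(puppet agent -t || true)` still ignores a failed real run.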

upgrade not finished
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 7970b0a0..09bbd853 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -277,6 +277,9 @@ list.
  * Python 2 support is removed! hopefully most of my stuff is already
    Python 3, but I did lose monkeysign and gameclock, as mentioned above
  * Mailman 2 is consequently removed
+ * usbguard-applet-qt
+ * qemu-kvm
+ * gtk-recordmydesktop
 
 See also the [noteworthy obsolete packages](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.en.html#noteworthy-obsolete-packages) list.
 
@@ -326,8 +329,33 @@ This is [bug #982758](https://bugs.debian.org/982758). Workaround:
 
 Presumably it can be reinstalled after?
 
+### Packages mistakenly removed:
+
+ * inkscape
+ * gnuradio
+
+Workaround: `apt install $PACKAGE`
+
+### Lack of time
+
+Lacked the time to complete the upgrade on curie, at step 6. Still
+need to fix puppet at the very least, and the remaining stuff.
+
 ## Resolved
 
+### i3-focus failed
+
+I have this custom [i3-focus](https://gitlab.com/anarcat/scripts/blob/master/i3-focus) script to improve on the "alt-tab"
+behavior, which depends on a python library not in Debian. I have this
+virtualenv to deploy it, but somehow it failed after the
+upgrade. Doing this fixed it:
+
+    mv .virtualenvs/i3_py/ .virtualenvs/i3_py.orig
+    python3 -m venv --system-site-packages ~/.virtualenvs/i3_py
+    cp .virtualenvs/i3_py.orig/bin/activate_this.py .virtualenvs/i3_py/bin/
+    .virtualenvs/i3_py/bin/pip3 install i3_py
+    rm -rf .virtualenvs/i3_py.orig
+
 # Troubleshooting
 
 ## Upgrade failures
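
Review bot: The five-command fix mixes relative paths (`mv .virtualenvs/i3_py/ ...`, `cp ...`, `rm -rf .virtualenvs/i3_py.orig`) with an absolute one (`python3 -m venv ... ~/.virtualenvs/i3_py`), so it only works when run from the home directory. Suggest using `~/.virtualenvs/...` throughout, which matters most for the final `rm -rf`. The "Lack of time" entry above it also says puppet still needs fixing without saying what is broken; a one-line symptom would make the Pending list usable.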

toc
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index c3b496ea..7970b0a0 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -1,6 +1,6 @@
 [[!meta title="Bullseye upgrade"]]
 
-[[!toc]]
+[[!toc levels=3]]
 
 It's Debian major upgrade time again! My personal policy is generally
 to upgrade slightly before or during the freeze. This time I feel

start tracking new interesting packages
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 91625db6..c3b496ea 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -223,6 +223,10 @@ noticed.
    from its `$y$` prefix), a major change from the previous default,
    SHA-512 (recognizable from its `$6$` prefix, see [crypt(5)](https://manpages.debian.org/crypt.5))
 
+## New packages
+
+ * the Wayland rewrite of [i3](https://i3wm.org/), [sway](http://swaywm.org/)
+
 ## My packages
 
 In packages I maintain, those are the important changes:

major issue with browserpass upgrade
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 1765c745..91625db6 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -246,6 +246,7 @@ This table summarizes package version changes I find interesting.
 
 | Package     | Buster | Bullseye | Notes                                                                                                         |
 |-------------|--------|----------|---------------------------------------------------------------------------------------------------------------|
+| Browserpass | 2.0    | 3.7      | Major usability improvements                                                                                  |
 | Docker      | 18     | 20       | Docker made it for a second release                                                                           |
 | Emacs       | 26     | 27       | JSON parsing for LSP? ~/.config/emacs/? harfbuzz?? oh my! [details](https://emacsredux.com/blog/2020/08/13/emacs-27-1/)                                        |
 | Firefox     | 68     | 78       | 78 was already in buster-updates                                                                              |
@@ -303,6 +304,24 @@ Packages I could remove:
 
  * `php*` - maybe some leftover of a dev environment?
 
+### Browserpass fails to upgrade
+
+Upgrade crashed on this:
+
+```
+dpkg: error processing archive /var/cache/apt/archives/webext-browserpass_3.7.2-1+b1_amd64.deb (--unpack):
+ unable to open '/usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/browserpass@maximbaz.com/icon.png.dpkg-new': No such file or directory
+Reinstalling /etc/chromium/native-messaging-hosts/com.dannyvankooten.browserpass.json that was moved away
+Errors were encountered while processing:
+ /var/cache/apt/archives/webext-browserpass_3.7.2-1+b1_amd64.deb
+```
+
+This is [bug #982758](https://bugs.debian.org/982758). Workaround:
+
+    apt -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' purge webext-browserpass
+
+Presumably it can be reinstalled after?
+
 ## Resolved
 
 # Troubleshooting
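Review bot: the new "Browserpass fails to upgrade" section ends on an open question ("Presumably it can be reinstalled after?"), which leaves the reader with a purged password-manager extension and no confirmed way back. Record whether reinstalling `webext-browserpass` works once the upgrade completes. Since `purge`, unlike `remove`, also deletes the package's configuration files, say whether the native-messaging host file named in the error output is back in place after the reinstall.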

more notable changes
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 00808b8f..1765c745 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -212,6 +212,9 @@ It's unclear how it differs from the above.
 Here are some packages with notable version changes that I
 noticed.
 
+ * [driverless scanning and printing](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-whats-new.en.html#driverless-operation)
+ * persistent systemd journal, which might have some privacy issues
+   (`rm -rf /var/log/journal` to disable)
  * last release to support non-merged /usr
  * security archive changed to `deb https://deb.debian.org/debian-security bullseye-security main contrib` (covered by script above)
  * the Intel VA-API driver might give performance boosts and battery
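Review bot: `rm -rf /var/log/journal` in the added bullet is a destructive one-liner that also discards the logs already collected, and it only holds as long as nothing recreates the directory. Setting `Storage=volatile` in `/etc/systemd/journald.conf` states the intent explicitly. If the `rm` stays, mention that journald keeps its open files until it is restarted.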

rearrange notable section, add issue
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index cd09c911..00808b8f 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -220,6 +220,8 @@ noticed.
    from its `$y$` prefix), a major change from the previous default,
    SHA-512 (recognizable from its `$6$` prefix, see [crypt(5)](https://manpages.debian.org/crypt.5))
 
+## My packages
+
 In packages I maintain, those are the important changes:
 
  * [charybdis](https://tracker.debian.org/pkg/charybdis) is not going to ship with bullseye at all, it has
@@ -235,9 +237,9 @@ In packages I maintain, those are the important changes:
  * [feed2exec](https://feed2exec.readthedocs.io/), [undertime](https://gitlab.com/anarcat/undertime/), [linkchecker](https://linkchecker.github.io/linkchecker), and
    [stressant](https://stressant.readthedocs.io/) are still alive and most are seeing modest upgrades
 
-Note that this table may not be up to date with the current bullseye
-release. See the [official release notes](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-whats-new.en.html#newdistro) for a more up to date
-list.
+## Updated packages
+
+This table summarizes package version changes I find interesting.
 
 | Package     | Buster | Bullseye | Notes                                                                                                         |
 |-------------|--------|----------|---------------------------------------------------------------------------------------------------------------|
@@ -256,6 +258,18 @@ list.
 [8.1]: http://www.openssh.com/txt/release-8.1
 [8.2]: http://www.openssh.com/txt/release-8.2
 
+Note that this table may not be up to date with the current bullseye
+release. See the [official release notes](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-whats-new.en.html#newdistro) for a more up to date
+list.
+
+## Removed packages
+
+ * [gocode was removed](https://bugs.debian.org/976642) along with elpa-company-go, need to switch
+   to gopls
+ * Python 2 support is removed! hopefully most of my stuff is already
+   Python 3, but I did lose monkeysign and gameclock, as mentioned above
+ * Mailman 2 is consequently removed
+
 See also the [noteworthy obsolete packages](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.en.html#noteworthy-obsolete-packages) list.
 
 # Issues
@@ -264,13 +278,27 @@ See also the official list of [known issues](https://www.debian.org/releases/bul
 
 ## Pending
 
-### Removed packages
+### Too much stuff
 
- * [gocode was removed](https://bugs.debian.org/976642) along with elpa-company-go, need to switch
-   to gopls
- * Python 2 support is removed! hopefully most of my stuff is already
-   Python 3, but I did lose monkeysign and gameclock, as mentioned above
- * Mailman 2 is consequently removed
+I have too much stuff on my computers. I was already a bit short on my
+`/` partition before the upgrade:
+
+    /dev/mapper/curie--vg-root   28G   25G  2.8G  90% /
+
+The upgrade downloaded ~7GB of Debian packages, and required an extra
+4.5GB of disk space! Clearly that wouldn't do here, so I had to expand
+the root partition, which ended up like this after the upgrade:
+
+    /dev/mapper/curie--vg-root   38G   25G   13G  67% /
+
+I'm surprised that Debian bullseye now would use an extra 4GB of disk
+space! The [disk](https://www.debian.org/releases/testing/amd64/ch03s04.en.html) [requirements](https://www.debian.org/releases/testing/amd64/apds02.en.html) don't seem to have changed in
+decades, yet I keep having to pile up more disk space only to store
+software... We'll see what the end result will be.
+
+Packages I could remove:
+
+ * `php*` - maybe some leftover of a dev environment?
 
 ## Resolved
 

add lead
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 74228f78..cd09c911 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -2,11 +2,33 @@
 
 [[!toc]]
 
+It's Debian major upgrade time again! My personal policy is generally
+to upgrade slightly before or during the freeze. This time I feel
+almost late because it seems we'll be releasing in almost a month now
+(May 2021, it's April 2021 now).
+
+This document contains my upgrade procedure, notable changes in the
+new version, issues I have stumbled upon (and possibly fixed), and
+troubleshooting instructions.
+
+It does not hope to replace the official documentation: it is a
+personal, living document that I have started keeping from [[jessie]].
+
 # Procedure
 
-WARNING: this procedure hasn't been tested.
+This procedure is designed to be applied, in batch, on multiple
+servers. Do NOT follow this procedure unless you are familiar with the
+command line and the Debian upgrade process. It has been crafted by
+and for experienced system administrators that have dozens if not
+hundreds of servers to upgrade.
 
-[TPA guide]: https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/upgrades/bullseye
+In particular, it runs almost completely unattended: configuration
+changes are not prompted during the upgrade, and just not applied at
+all, which *will* break services in many cases. I use a
+[clean-conflicts](https://gitlab.com/anarcat/koumbit-scripts/-/blob/master/vps/clean_conflicts) script to do this all in one shot to shorten the
+upgrade process (without it, configuration file changes stop the
+upgrade at more or less random times). Then those changes get applied
+after a reboot. And yes, that's even more dangerous.
 
  1. Preparation:
 
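Review bot: the added "In particular" paragraph says configuration changes are "just not applied at all" and then that they "get applied after a reboot", without saying what applies them or in which order this happens relative to the clean-conflicts run. Spell out the sequence. The clean-conflicts link also points at `master` rather than a fixed commit, so a reader may audit a different script than the one that gets run during the upgrade; consider pinning the link to a revision.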
@@ -273,3 +295,5 @@ that](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-upgrading.
  * [DSA guide](https://dsa.debian.org/howto/upgrade-to-bullseye/) (WIP, reviewed)
  * [TPA guide][] (N/A yet)
  * [Solution proposal to automate this](https://wiki.debian.org/AutomatedUpgrade)
+
+[TPA guide]: https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/upgrades/bullseye

it's n+1 now
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 85eeadc3..74228f78 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -205,7 +205,7 @@ In packages I maintain, those are the important changes:
    [solanum](https://solanum.chat/), which should hopefully make it to bullseye-backports
    eventually
  * [gameclock](https://tracker.debian.org/pkg/gameclock) was removed from Debian: it's an old program which I
-   would need to rewrite to port *both* to Python 2 and GTK 2, and I
+   would need to rewrite to port *both* to Python 3 and GTK 3, and I
    just can't find the time. quite sad.
  * [monkeysign](https://tracker.debian.org/pkg/monkeysign) is also going away, but thankfully there are
    alternatives: caff still exists (in [signing-party](https://tracker.debian.org/pkg/signing-party)), as do
@@ -247,7 +247,7 @@ See also the official list of [known issues](https://www.debian.org/releases/bul
  * [gocode was removed](https://bugs.debian.org/976642) along with elpa-company-go, need to switch
    to gopls
  * Python 2 support is removed! hopefully most of my stuff is already
-   Python 2, but I did lose monkeysign and gameclock, as mentioned above
+   Python 3, but I did lose monkeysign and gameclock, as mentioned above
  * Mailman 2 is consequently removed
 
 ## Resolved

just skip listchanges as well
This takes a Loooooong time in a major release, as it basically needs
to uncompress *all* .debs! So just skip it.
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 354340d0..85eeadc3 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -71,7 +71,7 @@ WARNING: this procedure hasn't been tested.
 
  5. Actual upgrade run:
 
-        export DEBIAN_FRONTEND=noninteractive APT_LISTCHANGES_FRONTEND=mail APT_LISTBUGS_FRONTEND=none &&
+        export DEBIAN_FRONTEND=noninteractive APT_LISTCHANGES_FRONTEND=none APT_LISTBUGS_FRONTEND=none &&
         apt full-upgrade -y -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' &&
         printf "\a" &&
         /home/anarcat/src/koumbit-scripts/bin/clean_conflicts &&
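Review bot: switching `APT_LISTCHANGES_FRONTEND` from `mail` to `none` on the `export` line means the NEWS entries for the whole release are neither displayed nor mailed, and nothing later in the step replaces them. Add a post-upgrade item to read the NEWS files, or keep `mail` on hosts where the extra time is acceptable, since that is where packages announce breaking configuration changes.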

more sources.list stuff
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 8dc378e6..354340d0 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -38,10 +38,15 @@ WARNING: this procedure hasn't been tested.
         puppet agent --disable "running major upgrade" &&
         : Check for pinned, on hold, packages, and possibly disable &&
         rm -f /etc/apt/preferences /etc/apt/preferences.d/* &&
-        rm -f /etc/apt/sources.list.d/testing.list &&
-        rm -f /etc/apt/sources.list.d/buster-backports.list &&
         rm -f /etc/apt/sources.list.d/backports.debian.org.list &&
+        rm -f /etc/apt/sources.list.d/backports.list &&
+        rm -f /etc/apt/sources.list.d/bullseye.list &&
+        rm -f /etc/apt/sources.list.d/buster-backports.list &&
+        rm -f /etc/apt/sources.list.d/experimental.list &&
+        rm -f /etc/apt/sources.list.d/incoming.list &&
         rm -f /etc/apt/sources.list.d/proposed-updates.list &&
+        rm -f /etc/apt/sources.list.d/sid.list &&
+        rm -f /etc/apt/sources.list.d/testing.list &&
         apt update && apt -y upgrade &&
         : list kernel images and purge unused packages &&
         dpkg -l 'linux-image-*' &&
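Review bot: the `rm -f` list only removes files whose names happen to match, so a suite enabled under any other filename (or as a deb822 `.sources` file) survives into the `apt update` that follows. After the removals, print what is left, for example with `ls /etc/apt/sources.list.d/`, so leftovers are reviewed rather than assumed gone.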

use source path for clean conflicts
it's usually not deployed in /opt
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 3bc771b8..8dc378e6 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -68,7 +68,8 @@ WARNING: this procedure hasn't been tested.
 
         export DEBIAN_FRONTEND=noninteractive APT_LISTCHANGES_FRONTEND=mail APT_LISTBUGS_FRONTEND=none &&
         apt full-upgrade -y -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' &&
-        /opt/bin/clean_conflicts &&
+        printf "\a" &&
+        /home/anarcat/src/koumbit-scripts/bin/clean_conflicts &&
         printf "End of Step 5\a\n"
 
  6. Post-upgrade procedures:
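Review bot: `/home/anarcat/src/koumbit-scripts/bin/clean_conflicts` is executed in the same chain as `apt full-upgrade`, straight from a checkout in a user's home directory, so whoever can write to that checkout decides what runs with the upgrade's privileges. On a host without the checkout the `&&` chain also stops before "End of Step 5". Install a root-owned copy at a fixed path, or at least verify the checkout's revision before this step.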

disable list-bugs, we're (over) confident
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index f3059a53..3bc771b8 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -66,7 +66,7 @@ WARNING: this procedure hasn't been tested.
 
  5. Actual upgrade run:
 
-        export DEBIAN_FRONTEND=noninteractive APT_LISTCHANGES_FRONTEND=mail &&
+        export DEBIAN_FRONTEND=noninteractive APT_LISTCHANGES_FRONTEND=mail APT_LISTBUGS_FRONTEND=none &&
         apt full-upgrade -y -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' &&
         /opt/bin/clean_conflicts &&
         printf "End of Step 5\a\n"
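Review bot: `APT_LISTBUGS_FRONTEND=none` on the `export` line turns off the check that would flag release-critical bugs in the packages about to be installed, right before an unattended `full-upgrade -y`. Consider leaving apt-listbugs enabled on the first host of a batch and disabling it only for the remaining ones.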

fix sources.list rewrite
we were rewriting the -security line before it matched
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 56f0ab66..f3059a53 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -54,8 +54,8 @@ WARNING: this procedure hasn't been tested.
     download packages:
 
         systemctl stop apt-daily.timer &&
+        sed -i 's#buster/updates#bullseye-security#' /etc/apt/sources.list $(ls /etc/apt/sources.list.d/*) &&
         sed -i 's/buster/bullseye/g' /etc/apt/sources.list $(ls /etc/apt/sources.list.d/*) &&
-        sed -i 's,buster/updates,bullseye-security,' /etc/apt/sources.list $(ls /etc/apt/sources.list.d/*) &&
         apt update &&
         ( apt -o APT::Get::Trivial-Only=true dist-upgrade || true ) &&
         df -h &&
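Review bot: the unanchored `s/buster/bullseye/g` that stays below the added line rewrites every occurrence of `buster` in every file, including hostnames, comments and third-party entries that may have no bullseye counterpart. Restrict the match to the suite field, or review the outcome with `grep -rn bullseye /etc/apt/sources.list /etc/apt/sources.list.d/` before the `apt update`.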

more bullseye docs
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index e9d190f0..56f0ab66 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -163,6 +163,9 @@ This one is fairly new to the game, at least as far as I am concerned:
 
     apt-forktracer | sort
 
+This will not find packages that are from a *newer* version (for
+example from "testing" in "stable").
+
 It's *also* recommended by the release notes. I've settled on it
 because its output is so much simpler, but I still need to compare the
 various results.
@@ -181,8 +184,6 @@ It's unclear how it differs from the above.
 Here are some packages with notable version changes that I
 noticed.
 
- * Python 2 support is removed!
- * Mailman 2 is consequently removed
  * last release to support non-merged /usr
  * security archive changed to `deb https://deb.debian.org/debian-security bullseye-security main contrib` (covered by script above)
  * the Intel VA-API driver might give performance boosts and battery
@@ -235,6 +236,14 @@ See also the official list of [known issues](https://www.debian.org/releases/bul
 
 ## Pending
 
+### Removed packages
+
+ * [gocode was removed](https://bugs.debian.org/976642) along with elpa-company-go, need to switch
+   to gopls
+ * Python 2 support is removed! hopefully most of my stuff is already
+   Python 2, but I did lose monkeysign and gameclock, as mentioned above
+ * Mailman 2 is consequently removed
+
 ## Resolved
 
 # Troubleshooting
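Review bot: typo in the added "Removed packages" list: "hopefully most of my stuff is already Python 2" should read Python 3, otherwise the bullet contradicts its own first sentence.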

apt-list is a thing too now
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 63337bdf..e9d190f0 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -152,7 +152,7 @@ Those are presumably harmless, so this might be a better call:
 
 Then the release notes also suggest this:
 
-    aptitude search '~obsolete'
+    aptitude search '?obsolete'
     
 This command has been recommended to [find obsolete packages](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-upgrading.en.html#obsolete)
 [since buster](https://www.debian.org/releases/buster/amd64/release-notes/ch-upgrading.en.html#obsolete).
@@ -167,6 +167,15 @@ It's *also* recommended by the release notes. I've settled on it
 because its output is so much simpler, but I still need to compare the
 various results.
 
+### apt list
+
+Starting from bullseye, ironically, we have *another* way of doing
+this, since APT adopted the aptitude patterns:
+
+    apt list '?obsolete'
+
+It's unclear how it differs from the above.
+
 # Notable changes
 
 Here are some packages with notable version changes that I

switch to forktracer and discuss alternatives
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index c1823c7d..63337bdf 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -47,7 +47,7 @@ WARNING: this procedure hasn't been tested.
         dpkg -l 'linux-image-*' &&
         : look for packages from backports, other suites or archives &&
         : if possible, switch to official packages by disabling third-party repositories &&
-        apt-forktracer &&
+        apt-forktracer | sort &&
         printf "End of Step 3\a\n"
 
  4. Check free space, see [this guide to free up space][] and
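Review bot: with `apt-forktracer | sort &&` the exit status tested by `&&` is that of `sort`, so a missing or failing `apt-forktracer` no longer stops the chain and just yields an empty list that looks like a clean result. Check for the command first with `command -v apt-forktracer`, or enable `set -o pipefail` in the shell that runs these steps.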
@@ -92,22 +92,53 @@ WARNING: this procedure hasn't been tested.
         # review and purge older kernel if the new one boots properly
         dpkg -l 'linux-image*'
         # review packages that are not in the new distribution
-        aptitude search '?narrow(?not(?archive("^[^n][^o][^w].*$")),?version(CURRENT))'
+        apt-forktracer | sort
         printf "All procedures completed\a\n" &&
 
-TODO: update this.
+## Finding orphaned and weird packages
 
-The last incantation comes from the
+The [apt-forktracer](https://owsiany.pl/apt-forktracer-page) call used to have many other different
+incantations, and it's not yet clear that it does everything we
+need. What we want to find are basically packages that are not
+"canonical Debian packages", which are shipped by the stable Debian
+distribution. Those are typically called "obsolete" packages in
+Debian, but that term is somewhat to narrow, as I also want to
+consider packages that were *never* part of Debian at all.
+
+Weirdly, the release notes suggest *three* different methods to do
+this, in different part of the documentation. (Filed this as a bug in
+[987017](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987017).)
+
+This section tries to figure out the right way forward. See also [step
+4.2.2](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-upgrading.en.html#removing-non-debian-packages), [4.8](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-upgrading.en.html#obsolete) and [this forum](https://askubuntu.com/questions/98223/how-do-i-get-a-list-of-obsolete-packages).
+
+### aptitude search 1
+
+This is the first way I found:
+
+    aptitude search '?narrow(?not(?archive("^[^n][^o][^w].*$")),?version(CURRENT))'
+
+This incantation comes from the
 [[cross-upgrade|services/upgrades/cross-architecture/]]
 documentation. It selects packages that are currently installed
 (`?narrow(...,?version(CURRENT))`) from an archive other than "now"
 (`?not(?archive("^[^n][^o][^w].*$")`). This was cargo-culted from
-[Ewan's cross-upgrading documentation](http://www.nanonanonano.net/linux/debian/crossgrading). Another way to do this is
-with [[!debpkg apt-show-version]]:
+[Ewan's cross-upgrading documentation](http://www.nanonanonano.net/linux/debian/crossgrading).
+
+Nowadays, the release notes actually suggest a similar pattern:
+
+    aptitude search '?narrow(?installed, ?not(?origin(Debian)))'
+
+### apt-show-versions
+
+I also found this somewhat works to find weird packages:
 
     apt-show-versions | grep -v /bullseye
 
-... although that yields strange results like:
+This uses the more flexible [[!debpkg apt-show-version]] to list
+everything that is not in the `bullseye` repository. But the regex
+could hide third-party repositories that happen to reuse that
+codename. It can also yield strange results like:
 
     linux-libc-dev:i386 not installed
 
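Review bot: three small text problems in the added section: "somewhat to narrow" should be "too narrow", "in different part of the documentation" should be "parts", and the `[[!debpkg apt-show-version]]` directive is missing the final "s" of the `apt-show-versions` command used two lines above it, so the package link will not resolve to the tool being described.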
@@ -115,16 +146,26 @@ Those are presumably harmless, so this might be a better call:
 
     apt-show-versions | grep -v /bullseye | grep -v 'not installed$'
 
-Update: the first incantation was updated to use `apt-forktracer`
-instead.
+... to filter out those packages.
+
+### aptitude 2: ~obsolete
+
+Then the release notes also suggest this:
+
+    aptitude search '~obsolete'
+    
+This command has been recommended to [find obsolete packages](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-upgrading.en.html#obsolete)
+[since buster](https://www.debian.org/releases/buster/amd64/release-notes/ch-upgrading.en.html#obsolete).
+
+### apt-forktracer
 
-TODO: also consider [obsolete packages](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-upgrading.en.html#obsolete)? This command was actually
-introduced in the buster release notes:
+This one is fairly new to the game, at least as far as I am concerned:
 
-    aptitude search '~o'
+    apt-forktracer | sort
 
-... but it's possibly cruft that could be replaced by `apt-forktracer`
-or `apt list ~obsolete` as well. See also [step 4.2.2](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-upgrading.en.html#removing-non-debian-packages) and [this forum](https://askubuntu.com/questions/98223/how-do-i-get-a-list-of-obsolete-packages).
+It's *also* recommended by the release notes. I've settled on it
+because its output is so much simpler, but I still need to compare the
+various results.
 
 # Notable changes
 

reviewed the TPA buster procedure
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 620ffe01..c1823c7d 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -4,8 +4,7 @@
 
 # Procedure
 
-WARNING: this procedure hasn't been tested. Also compare with the [TPA
-guide][] before running.
+WARNING: this procedure hasn't been tested.
 
 [TPA guide]: https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/upgrades/bullseye
 

trivial ordering?
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 7da2a9f3..620ffe01 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -85,8 +85,8 @@ guide][] before running.
  7. Post-upgrade checks:
 
         apt purge $(dpkg -l | awk '/^rc/ { print $2 }') # purge removed packages
-        apt purge $(deborphan --guess-dummy)
         apt autoremove -y --purge
+        apt purge $(deborphan --guess-dummy)
         while deborphan -n | grep -q . ; do apt purge $(deborphan -n); done
         apt autoremove -y --purge
         apt clean

reboot in post
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 259af78d..7da2a9f3 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -80,6 +80,7 @@ guide][] before running.
         (puppet agent -t || true) &&
         systemctl start apt-daily.timer &&
         printf "End of Step 6\a\n" &&
+        shutdown -r +1 "rebooting to get rid of old kernel image..."
 
  7. Post-upgrade checks:
 
@@ -89,8 +90,7 @@ guide][] before running.
         while deborphan -n | grep -q . ; do apt purge $(deborphan -n); done
         apt autoremove -y --purge
         apt clean
-        reboot
-        # review and purge older kernel once the new one boots properly
+        # review and purge older kernel if the new one boots properly
         dpkg -l 'linux-image*'
         # review packages that are not in the new distribution
         aptitude search '?narrow(?not(?archive("^[^n][^o][^w].*$")),?version(CURRENT))'

disable and re-enable puppet and auto-upgrades
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 7b69542f..259af78d 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -36,6 +36,7 @@ guide][] before running.
 
  3. Perform any pending upgrade and clear out old pins:
 
+        puppet agent --disable "running major upgrade" &&
         : Check for pinned, on hold, packages, and possibly disable &&
         rm -f /etc/apt/preferences /etc/apt/preferences.d/* &&
         rm -f /etc/apt/sources.list.d/testing.list &&
@@ -53,6 +54,7 @@ guide][] before running.
  4. Check free space, see [this guide to free up space][] and
     download packages:
 
+        systemctl stop apt-daily.timer &&
         sed -i 's/buster/bullseye/g' /etc/apt/sources.list $(ls /etc/apt/sources.list.d/*) &&
         sed -i 's,buster/updates,bullseye-security,' /etc/apt/sources.list $(ls /etc/apt/sources.list.d/*) &&
         apt update &&
@@ -70,7 +72,16 @@ guide][] before running.
         /opt/bin/clean_conflicts &&
         printf "End of Step 5\a\n"
 
- 5. Post-upgrade checks:
+ 6. Post-upgrade procedures:
+
+        apt-get update --allow-releaseinfo-change &&
+        puppet agent --enable &&
+        (puppet agent -t || true) &&
+        (puppet agent -t || true) &&
+        systemctl start apt-daily.timer &&
+        printf "End of Step 6\a\n" &&
+
+ 7. Post-upgrade checks:
 
         apt purge $(dpkg -l | awk '/^rc/ { print $2 }') # purge removed packages
         apt purge $(deborphan --guess-dummy)
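Review bot: the added step 6 ends with `printf "End of Step 6\a\n" &&` and nothing after it, so a shell given this block waits for another command instead of finishing. Drop the trailing `&&`. Separately, puppet and `apt-daily.timer` are only re-enabled in this step, so if step 4 or 5 aborts they stay off until someone turns them back on by hand; a sentence saying so would help.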

trivial-only can fail, apparently
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 90506718..7b69542f 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -55,7 +55,9 @@ guide][] before running.
 
         sed -i 's/buster/bullseye/g' /etc/apt/sources.list $(ls /etc/apt/sources.list.d/*) &&
         sed -i 's,buster/updates,bullseye-security,' /etc/apt/sources.list $(ls /etc/apt/sources.list.d/*) &&
-        apt update && apt -o APT::Get::Trivial-Only=true dist-upgrade && df -h &&
+        apt update &&
+        ( apt -o APT::Get::Trivial-Only=true dist-upgrade || true ) &&
+        df -h &&
         apt -y -d full-upgrade &&
         printf "End of Step 4\a\n"
 

cleaner way to do the aptitude backup
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 18199111..90506718 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -20,9 +20,7 @@ guide][] before running.
 
         ( 
           umask 0077 &&
-          tar cf /var/backups/pre-bullseye-backup.tar /etc /var/lib/dpkg /var/lib/apt/extended_states /var/cache/debconf &&
-          ( tar -A -f /var/backups/pre-bullseye-backup.tar /var/lib/aptitude/pkgstates || true ) &&
-          gzip /var/backups/pre-bullseye-backup.tar &&
+          tar cfz /var/backups/pre-bullseye-backup.tgz /etc /var/lib/dpkg /var/lib/apt/extended_states /var/cache/debconf $( [ -e /var/lib/aptitude/pkgstates ] && echo /var/lib/aptitude/pkgstates ) &&
           dpkg --get-selections "*" > /var/backups/dpkg-selections-pre-bullseye.txt &&
           debconf-get-selections > /var/backups/debconf-selections-pre-bullseye.txt
         ) &&

import bell hack from TPA
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index e46c1bae..18199111 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -34,7 +34,7 @@ guide][] before running.
         find /etc -name '*.dpkg-*' -o -name '*.ucf-*' -o -name '*.merge-error' &&
         : run backups &&
         /home/anarcat/bin/backup-$(hostname) &&
-        echo End of Step 2
+        printf "End of Step 2\a\n"
 
  3. Perform any pending upgrade and clear out old pins:
 
@@ -50,7 +50,7 @@ guide][] before running.
         : look for packages from backports, other suites or archives &&
         : if possible, switch to official packages by disabling third-party repositories &&
         apt-forktracer &&
-        echo End of Step 3
+        printf "End of Step 3\a\n"
 
  4. Check free space, see [this guide to free up space][] and
     download packages:
@@ -59,16 +59,16 @@ guide][] before running.
         sed -i 's,buster/updates,bullseye-security,' /etc/apt/sources.list $(ls /etc/apt/sources.list.d/*) &&
         apt update && apt -o APT::Get::Trivial-Only=true dist-upgrade && df -h &&
         apt -y -d full-upgrade &&
-        echo End of Step 4
+        printf "End of Step 4\a\n"
 
 [this guide to free up space]: http://www.debian.org/releases/bullseye/amd64/release-notes/ch-upgrading.en.html#sufficient-space
 
- 6. Actual upgrade run:
+ 5. Actual upgrade run:
 
         export DEBIAN_FRONTEND=noninteractive APT_LISTCHANGES_FRONTEND=mail &&
         apt full-upgrade -y -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' &&
         /opt/bin/clean_conflicts &&
-        echo 'End step 6'
+        printf "End of Step 5\a\n"
 
  5. Post-upgrade checks:
 
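Review bot: renumbering "Actual upgrade run" from 6 to 5 leaves two steps numbered 5, because the unchanged "5. Post-upgrade checks:" follows it directly. Renumber the post-upgrade checks in the same change so references to step numbers stay unambiguous.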
@@ -83,6 +83,7 @@ guide][] before running.
         dpkg -l 'linux-image*'
         # review packages that are not in the new distribution
         aptitude search '?narrow(?not(?archive("^[^n][^o][^w].*$")),?version(CURRENT))'
+        printf "All procedures completed\a\n" &&
 
 TODO: update this.
 

cosmetic
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 1abaddf2..e46c1bae 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -149,18 +149,18 @@ Note that this table may not be up to date with the current bullseye
 release. See the [official release notes](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-whats-new.en.html#newdistro) for a more up to date
 list.
 
-| Package     | Buster  | Bullseye | Notes                                                                                                         |
-| -------     | ------- | ------   | -----                                                                                                         |
-| Docker      | 18      | 20       | Docker made it for a second release                                                                           |
-| Emacs       | 26      | 27       | JSON parsing for LSP? ~/.config/emacs/? harfbuzz?? oh my! [details](https://emacsredux.com/blog/2020/08/13/emacs-27-1/)                                        |
-| Firefox     | 68      | 78       | 78 was already in buster-updates                                                                              |
-| GNOME       | 3.30    | 3.38     | Missed the "GNOME 40" release                                                                                 |
-| Inkscap     | 0.92    | 1.0      | Finally, 1.0!                                                                                                 |
-| Libreoffice | 6.2     | 7.0      |                                                                                                               |
-| OpenSSH     | 7.9     | 8.4      | [FIDO/U2F, Include][8.2], [signatures][8.1], [quantum-resistant key exchange, key fingerprint as confirmation][8.0] |
-| Postgresql  | 11      | 13       |                                                                                                               |
-| Python      | 3.7     | 3.9      | walrus operator, importlib.metadata, dict unions, zoneinfo                                                    |
-| Puppet      | 5.5     | 5.5      | Missed the Puppet 6 (and 7!) releases                                                                         |
+| Package     | Buster | Bullseye | Notes                                                                                                         |
+|-------------|--------|----------|---------------------------------------------------------------------------------------------------------------|
+| Docker      | 18     | 20       | Docker made it for a second release                                                                           |
+| Emacs       | 26     | 27       | JSON parsing for LSP? ~/.config/emacs/? harfbuzz?? oh my! [details](https://emacsredux.com/blog/2020/08/13/emacs-27-1/)                                        |
+| Firefox     | 68     | 78       | 78 was already in buster-updates                                                                              |
+| GNOME       | 3.30   | 3.38     | Missed the "GNOME 40" release                                                                                 |
+| Inkscap     | 0.92   | 1.0      | Finally, 1.0!                                                                                                 |
+| Libreoffice | 6.2    | 7.0      |                                                                                                               |
+| OpenSSH     | 7.9    | 8.4      | [FIDO/U2F, Include][8.2], [signatures][8.1], [quantum-resistant key exchange, key fingerprint as confirmation][8.0] |
+| Postgresql  | 11     | 13       |                                                                                                               |
+| Python      | 3.7    | 3.9      | walrus operator, importlib.metadata, dict unions, zoneinfo                                                    |
+| Puppet      | 5.5    | 5.5      | Missed the Puppet 6 (and 7!) releases                                                                         |
 
 [8.0]: http://www.openssh.com/txt/release-8.0
 [8.1]: http://www.openssh.com/txt/release-8.1
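Review bot: the re-aligned rows still carry the `Inkscap` misspelling in the Package column; since every row is rewritten here anyway, change it to `Inkscape`. The Emacs and OpenSSH rows also run past the separator width, so the alignment does not hold for those two rows. Moving the Emacs URL into a reference definition, as is already done for `[8.0]` and `[8.1]`, would bring that row back in line.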

note some changes
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 2c7487bf..1abaddf2 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -149,18 +149,22 @@ Note that this table may not be up to date with the current bullseye
 release. See the [official release notes](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-whats-new.en.html#newdistro) for a more up to date
 list.
 
-| Package     | Buster  | Bullseye | Notes                                 |
-| -------     | ------- | ------   | -----                                 |
-| Docker      | 18      | 20       | Docker made it for a second release   |
-| Emacs       | 26      | 27       | TODO                                  |
-| Firefox     | 68      | 78       | 78 was already in buster-updates      |
-| GNOME       | 3.30    | 3.38     | Missed the "GNOME 40" release         |
-| Inkscap     | 0.92    | 1.0      | Finally, 1.0!                         |
-| Libreoffice | 6.2     | 7.0      |                                       |
-| OpenSSH     | 7.9     | 8.4      | TODO                                  |
-| Postgresql  | 11      | 13       | TODO                                  |
-| Python      | 3.7     | 3.9      | TODO                                  |
-| Puppet      | 5.5     | 5.5      | Missed the Puppet 6 (and 7!) releases |
+| Package     | Buster  | Bullseye | Notes                                                                                                         |
+| -------     | ------- | ------   | -----                                                                                                         |
+| Docker      | 18      | 20       | Docker made it for a second release                                                                           |
+| Emacs       | 26      | 27       | JSON parsing for LSP? ~/.config/emacs/? harfbuzz?? oh my! [details](https://emacsredux.com/blog/2020/08/13/emacs-27-1/)                                        |
+| Firefox     | 68      | 78       | 78 was already in buster-updates                                                                              |
+| GNOME       | 3.30    | 3.38     | Missed the "GNOME 40" release                                                                                 |
+| Inkscap     | 0.92    | 1.0      | Finally, 1.0!                                                                                                 |
+| Libreoffice | 6.2     | 7.0      |                                                                                                               |
+| OpenSSH     | 7.9     | 8.4      | [FIDO/U2F, Include][8.2], [signatures][8.1], [quantum-resistant key exchange, key fingerprint as confirmation][8.0] |
+| Postgresql  | 11      | 13       |                                                                                                               |
+| Python      | 3.7     | 3.9      | walrus operator, importlib.metadata, dict unions, zoneinfo                                                    |
+| Puppet      | 5.5     | 5.5      | Missed the Puppet 6 (and 7!) releases                                                                         |
+
+[8.0]: http://www.openssh.com/txt/release-8.0
+[8.1]: http://www.openssh.com/txt/release-8.1
+[8.2]: http://www.openssh.com/txt/release-8.2
 
 See also the [noteworthy obsolete packages](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.en.html#noteworthy-obsolete-packages) list.
 
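Review bot: the three reference definitions added under the table (`[8.0]`, `[8.1]`, `[8.2]`) point at `http://www.openssh.com/...`; use `https://` so the OpenSSH release notes are not fetched over plaintext. Separately, the Postgresql row drops its `TODO` without gaining a note, so it is no longer visible that the row is unfinished.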

fix link
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 210d6c78..2c7487bf 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -7,6 +7,8 @@
 WARNING: this procedure hasn't been tested. Also compare with the [TPA
 guide][] before running.
 
+[TPA guide]: https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/upgrades/bullseye
+
  1. Preparation:
 
         : reset to the default locale
@@ -189,5 +191,5 @@ that](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-upgrading.
  * [Release notes](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-whats-new.en.html) (WIP)
  * [Koumbit guide](https://wiki.koumbit.net/BullseyeUpgrade) (N/A yet)
  * [DSA guide](https://dsa.debian.org/howto/upgrade-to-bullseye/) (WIP, reviewed)
- * [TPA guide](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/upgrades/bullseye) (N/A yet)
+ * [TPA guide][] (N/A yet)
  * [Solution proposal to automate this](https://wiki.debian.org/AutomatedUpgrade)
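Review bot: in the references list the TPA guide entry keeps its `(N/A yet)` marker, while the warning in the first hunk tells the reader to compare with the TPA guide before running. Either drop the marker if the guide now exists, or reword the warning so it does not send readers to a guide listed as unavailable.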

bakunin
diff --git a/fortunes.txt b/fortunes.txt
index 8424d1a5..63a35904 100644
--- a/fortunes.txt
+++ b/fortunes.txt
@@ -1158,3 +1158,11 @@ ajouter, mais lorsqu'il n'y a plus rien à retirer.
 %
 The palest ink is better than the most capricious memory.
                         - ancient Chinese proverb
+%
+When the people are being beaten with a stick, they are not much
+happier if it is called "the People's Stick."
+                        - Mikhail Bakunin
+%
+No theory, no ready-made system, no book that has ever been written
+will save the world. I cleave to no system. I am a true seeker.
+                        - Mikhail Bakunin

link to tpa
diff --git a/services/upgrades/bullseye.mdwn b/services/upgrades/bullseye.mdwn
index 92e77949..210d6c78 100644
--- a/services/upgrades/bullseye.mdwn
+++ b/services/upgrades/bullseye.mdwn
@@ -4,8 +4,8 @@
 
 # Procedure
 
-WARNING: copy-pasted from buster, do not follow. Review the official
-guide first.
+WARNING: this procedure hasn't been tested. Also compare with the [TPA
+guide][] before running.
 
  1. Preparation:
 
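Review bot: the new warning uses the reference-style link `[TPA guide][]`, but nothing in this diff adds a `[TPA guide]: ...` definition (the references hunk adds an inline link instead), so the link in the warning will not resolve. Add the definition next to the warning or use the inline form there too. The rewrite also drops "Review the official guide first", which is worth keeping for a procedure still marked as untested.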
@@ -189,4 +189,5 @@ that](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-upgrading.
  * [Release notes](https://www.debian.org/releases/bullseye/amd64/release-notes/ch-whats-new.en.html) (WIP)
  * [Koumbit guide](https://wiki.koumbit.net/BullseyeUpgrade) (N/A yet)
  * [DSA guide](https://dsa.debian.org/howto/upgrade-to-bullseye/) (WIP, reviewed)
+ * [TPA guide](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/upgrades/bullseye) (N/A yet)
  * [Solution proposal to automate this](https://wiki.debian.org/AutomatedUpgrade)
diff --git a/services/upgrades/buster.mdwn b/services/upgrades/buster.mdwn
index 841b7db5..d34e44f6 100644
--- a/services/upgrades/buster.mdwn
+++ b/services/upgrades/buster.mdwn
@@ -645,4 +645,5 @@ References
  * [Release notes](https://www.debian.org/releases/buster/amd64/release-notes/ch-whats-new.en.html)
  * [Koumbit guide](https://wiki.koumbit.net/BusterUpgrade)
  * [DSA guide](https://dsa.debian.org/howto/upgrade-to-buster/)
+ * [TPA guide](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/upgrades/buster)
  * [Solution proposal to automate this](https://wiki.debian.org/AutomatedUpgrade)

Archival link:

The above link creates a machine-readable RSS feed that can be used to easily archive new changes to the site. It is used by internal scripts to do sanity checks on new entries in the wiki.
