Monday, 06 April

19:56

Butt Stuff [Penny Arcade]

Our little comic strip here has always been a sort of diary for Jerry and I. When this comic strip started I was a 21-year-old kid who had just moved out of his parents’ house and was living with his best friend in Spokane, Washington. You saw me propose to my then-girlfriend and you were there when my kids were born. I talked with you many times over the years about my struggles with anxiety and you were there when I went on medication. Well I am turning 49 years old this year and if you’ve been reading for a long time you might be around the same age. I’m sorry to say it but we gotta get our buttholes checked out and I am scheduled to have mine done this Wednesday.

 

 

19:35

Thorsten Alteholz: My Debian Activities in March 2026 [Planet Debian]

Debian LTS/ELTS

This was my hundred-forty-first month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.

During my allocated time I uploaded or worked on:

  • [DLA 4500-1] gimp security update to fix four CVEs related to denial of service or execution of arbitrary code.
  • [DLA 4503-1] evolution-data-server to fix one CVE related to a missing canonicalization of a file path.
  • [DLA 4512-1] strongswan security update to fix one CVE related to a denial of service.
  • [ELA-1656-1] gimp security update to fix four CVEs in Buster and Stretch related to denial of service or execution of arbitrary code.
  • [ELA-1660-1] evolution-data-server security update to fix one CVE in Buster and Stretch related to a missing canonicalization of a file path.
  • [ELA-1665-1] strongswan security update to fix one CVE in Buster related to a denial of service.
  • [ELA-1666-1] libvpx security update to fix one CVE in Buster and Stretch related to a denial of service or potentially execution of arbitrary code.

I also worked on the check-advisories script and proposed a fix for cases where issues would be assigned to the coordinator instead of the person who forgot to do something. I also did some work for a kernel update and packages snapd and ldx on security-master and attended the monthly LTS/ELTS meeting. Last but not least I started to work on gst-plugins-bad1.0.

Debian Printing

This month I uploaded new upstream versions:

Several packages take care of group lpadmin in their maintainer scripts. With the upload of version 260.1-1 of systemd there is now a central package (systemd | systemd-standalone-sysusers | systemd-sysusers) that takes care of this. Other dependencies like adduser can now be dropped.

This work is generously funded by Freexian!

Debian Lomiri

This month I continued to work on unifying packaging on Debian and Ubuntu. This makes it easier to work on those packages independent of the used platform. I am also able to upload Debian packages to the corresponding Ubuntu PPA now. A small bug had to be fixed in the python script to allow the initial configuration in Launchpad.

This work is generously funded by Fre(i)e Software GmbH!

Debian Astro

This month I uploaded a new upstream version or a bugfix version of:

  • libplayerone to experimental. For a list of other packages please see below.

I also uploaded lots of indi-drivers (libplayerone, libsbig, libricohcamerasdk, indi-asi, indi-eqmod, indi-fishcamp, indi-inovaplx, indi-pentax, indi-playerone, indi-sbig, indi-mi, libahp-xc, indi-aagcloudwatcher, indi-aok, indi-apogee, libapogee3, indi-nightscape, libasi, libinovasdk, libmicam, indi-avalon, indi-beefocus, indi-bresserexos2, indi-dsi, indi-ffmv, indi-fli, indi-gige, info-gphoto, indi-gpsd, indi-gpsnmea, indi-limesdr, indi-maxdomeii, indi-mgen, indi-rtklib, indi-shelyak, indi-starbook, indi-starbookten, indi-talon6, indi-weewx-json, indi-webcam, indi-orion-ssg3, indi-armadillo-playtypus ) to experimental to make progress with the indi-transition. No problems with those drivers appeared and the next step would be the upload of indi version 2.x to unstable. I hope this will happen soon, as new drivers are already waiting in the pipeline. There have been also four packages, that migrated to the official indi package and are no longer needed as 3rdparty drivers (indi-astrolink4, indi-astromechfoc, indi-dreamfocuser, indi-spectracyber).

While working on these packages, I thought about testing them. Unfortunately I don’t have enough hardware to really check out every package, so I can upload most of them only as is. In case anybody is interested in a better testing coverage and me being able to provide upstream patches, I would be very glad about hardware donations.

Debian IoT

This month I uploaded a new upstream version or a bugfix version of:

Debian Mobcom

This month I uploaded a new upstream version or a bugfix version of:

misc

This month I uploaded a new upstream version or a bugfix version of:

I also sponsored the upload of Matomo. Thanks a lot to William for preparing the package.

17:42

Reality Bites – DORK TOWER 06.04.26 [Dork Tower]

Most DORK TOWER strips are now available as signed, high-quality prints, from just $25!  CLICK HERE to find out more!

HEY! Want to help keep DORK TOWER going? Then consider joining the DORK TOWER Patreon and ENLIST IN THE ARMY OF DORKNESS TODAY! (We have COOKIES!) (And SWAG!) (And GRATITUDE!)

17:14

Learning to read C++ compiler errors: Illegal use of -> when there is no -> in sight [The Old New Thing]

A customer reported a problem with a system header file. When they included ole2.h, the compiler reported an error in oaidl.h:

    MIDL_INTERFACE("3127CA40-446E-11CE-8135-00AA004BB851")
    IErrorLog : public IUnknown
    {
    public:
        virtual HRESULT STDMETHODCALLTYPE AddError( // error here
            /* [in] */ __RPC__in LPCOLESTR pszPropName,
            /* [in] */ __RPC__in EXCEPINFO *pExcepInfo) = 0;
        
    };

The error message is

    oaidl.h(5457,43): error C3927: '->': trailing return type is not allowed after a non-function declarator
    oaidl.h(5457,43): error C3613: missing return type after '->' ('int' assumed)
    oaidl.h(5457,43): error C3646: 'Log': unknown override specifier
    oaidl.h(5457,43): error C2275: 'LPCOLESTR': expected an expression instead of a type
    oaidl.h(5457,43): error C2146: syntax error: missing ')' before identifier 'pszPropName'
    oaidl.h(5459,60): error C2238: unexpected token(s) preceding ';'

The compiler is seeing ghosts: It’s complaining about things that aren’t there, like -> and Log.

When you see the compiler reporting errors about things that aren’t in the code, you should suspect a macro, because macros can insert characters into code.

In this case, I suspected that there is a macro called AddError whose expansion includes the token ->.

The customer reported that they had no such macro.

I asked them to generate a preprocessor file for the code that isn’t compiling. That way, we can see what is being produced by the preprocessor before it goes into the part of the compiler that is complaining about the illegal use of ->. Is there really no -> there?

The customer reported back that, oops, they did indeed have a macro called AddError. Disabling the macro fixed the problem.

The compiler can at times be obtuse with its error messages, but as far as I know, it isn’t malicious. If it complains about a misused ->, then there is probably a -> that is being misused.

16:35

iptables-legacy [Planet GNU]

From Arch:

The old iptables-nft package name is replaced by iptables, and the legacy backend is available as iptables-legacy.

When switching packages (among iptables-nft, iptables, iptables-legacy), check for .pacsave files in /etc/iptables/ and restore your rules if needed:

  • /etc/iptables/iptables.rules.pacsave
  • /etc/iptables/ip6tables.rules.pacsave

Most setups should work unchanged, but users relying on uncommon xtables extensions or legacy-only behavior should test carefully and use iptables-legacy if required.

15:49

[$] Protecting against TPM interposer attacks [LWN.net]

The Trusted Platform Module (TPM) is a widely misunderstood piece of hardware (or firmware) that lives in most x86-based computers. At SCALE 23x in Pasadena, California, James Bottomley gave a presentation on the TPM and the work that he and others have done to enable the Linux kernel to work with it. In particular, he described the problems with interposer attacks, which target the communication between the TPM and the kernel, and what has been added to the kernel to thwart them.

15:07

6.6.133 stable kernel released [LWN.net]

Greg Kroah-Hartman has released the 6.6.133 stable kernel. This reverts a backporting mistake that removed file descriptor checks which led to kernel panics if the fgetxattr, flistxattr, fremovexattr, or fsetxattr functions were called from user space with a file descriptor that did not reference an open file.

14:21

Security updates for Monday [LWN.net]

Security updates have been issued by AlmaLinux (freerdp, grafana, grafana-pcp, gstreamer1-plugins-bad-free, gstreamer1-plugins-base, gstreamer1-plugins-good, and gstreamer1-plugins-ugly-free, kernel, libpng12, libpng15, perl-YAML-Syck, python3, and rsync), Debian (dovecot, libxml-parser-perl, pyasn1, python-tornado, roundcube, tor, trafficserver, and valkey), Fedora (bind9-next, chromium, cmake, domoticz, freerdp, giflib, gst-devtools, gst-editing-services, gstreamer1, gstreamer1-doc, gstreamer1-plugin-libav, gstreamer1-plugins-bad-free, gstreamer1-plugins-base, gstreamer1-plugins-good, gstreamer1-plugins-ugly-free, gstreamer1-rtsp-server, gstreamer1-vaapi, libgsasl, libinput, libopenmpt, mapserver, mingw-binutils, mingw-gstreamer1, mingw-gstreamer1-plugins-bad-free, mingw-gstreamer1-plugins-base, mingw-gstreamer1-plugins-good, mingw-libpng, mingw-python3, nginx-mod-modsecurity, openbao, python-gstreamer1, python3.12, python3.13, python3.14, python3.9, rust, rust-sccache, tcpflow, and vim), Red Hat (ncurses), Slackware (infozip and krita), SUSE (chromium, corosync, keybase-client, libinput-devel, osslsigncode, python-pillow, python311-Flask-Cors, python313, and python314), and Ubuntu (libarchive and spip).

13:56

Vibe coding is still an unknown [Scripting News]

I recommend this post on vibe coding.

There's a lot more to development than coding.

I've tried vibe coding myself, and while it's sometimes relaxing and fun, it's pretty hard to get the output to match what you had in mind.

I think people find it amazing that they can create code, not just that the machine can create it. I know what that's like because I get a rush from creating images, something I never had a skill for, so all of a sudden being able to express myself with drawings was a breakthrough for me. ;-)

I've spent a few decades making commercial quality software in a variety of contexts, and so far I wouldn't rush to get rid of my dev teams based on the idea that the bots can do their work.

I think more realistically we have powerful new tools that we as yet have not learned how to use, but it's pretty exciting to see what may be possible.

13:14

Engineering Storefronts for Agentic Commerce [Radar]

For years, persuasion has been the most valuable skill in digital commerce. Brands spend millions on ad copy, testing button colours, and designing landing pages to encourage people to click “Buy Now.” All of this assumes the buyer is a person who can see. But an autonomous AI shopping agent does not have eyes.

I recently ran an experiment to see what happens when a well-designed buying agent visits two types of online stores: one built for people, one built for machines. Both stores sold hiking jackets. Merchant A used the kind of marketing copy brands have refined for years: “The Alpine Explorer. Ultra-breathable all-weather shell. Conquers stormy seas!” Price: $90. Merchant B provided only raw structured data: no copy, just a JSON snippet {"water_resistance_mm": 20000}. Price: $95. I gave the agent a single instruction: “Find me the cheapest waterproof hiking jacket suitable for the Scottish Highlands.”

The agent quickly turned my request into clear requirements, recognizing that “Scottish Highlands” means heavy rain and setting a minimum water resistance of 15,000–20,000 mm. I ran the test 10 times. Each time, the agent bought the more expensive jacket from Merchant B. The agent completely bypassed the cheaper option due to the data’s formatting.

The reason lies in the Sandwich Architecture: the middle layer of deterministic code that sits between the LLM’s intent translation and its final decision. When the agent checked Merchant A, this middle layer attempted to match “conquers stormy seas” against a numeric requirement. Python gave a validation error, the try/except block caught it, and the cheaper jacket was dropped from consideration in 12 milliseconds. This is how well-designed agent pipelines operate. They place intelligence at the top and bottom, with safety checks in the middle. That middle layer is deterministic and literal, systematically filtering out unstructured marketing copy.

How the Sandwich Architecture works

A well-built shopping agent operates in three layers, each with a fundamentally different job.

Layer 1: The Translator. This is where the LLM does its main job. A human says something vague and context-laden—“I need a waterproof hiking jacket for the Scottish Highlands”—and the model turns it into a structured JSON query with explicit numbers. In my experiment, the Translator consistently mapped “waterproof” to a minimum water_resistance_mm between 10,000 and 20,000mm. Across 10 runs, it stayed focused and never hallucinated features.

Layer 2: The Executor. This critical middle layer contains zero intelligence by design. It takes the structured query from the Translator and checks each merchant’s product data against it. It relies entirely on strict type validation instead of reasoning or interpretation. Does the merchant’s water_resistance_mm field contain a number greater than or equal to the Translator’s minimum? If yes, the product passes. If the field contains a string such as “conquers stormy seas,” the validation fails immediately. These Pydantic type checks treat ambiguity as absence. In a production system handling real money, a try/except block cannot be swayed by good copywriting or social proof.

Layer 3: The Judge. The surviving products are passed to a second LLM call that makes the final selection. In my experiment, this layer simply picked the cheapest option. In more complex scenarios, the Judge evaluates value against specific user preferences. The Judge selects exclusively from a preverified shortlist.

Figure 1: The Sandwich Architecture

This three-layer pattern (LLM → deterministic code → LLM) reflects how engineering teams build most serious agent pipelines today. DocuSign’s sales outreach system uses a similar structure: An LLM agent composes personalized outreach based on lead research. A deterministic layer then enforces business rules before a final agent reviews the output. DocuSign found the agentic system matched or beat human reps on engagement metrics while significantly cutting research time. The reason this pattern keeps appearing is clear: LLMs handle ambiguity well, while deterministic code provides reliable, strict validation. The Sandwich Architecture uses each where it’s strongest.

This is precisely why Merchant A’s jacket vanished. The Executor tried to parse “Ultra-breathable all-weather shell” as an integer and failed. The Judge received a list containing exactly one product. In an agentic pipeline, the layer deciding whether your product is considered cannot process standard marketing.

From storefronts to structured feeds

If ad copy gets filtered out, merchants must expose the raw product data—fabric, water resistance, shipping rules—already sitting in their PIM and ERP systems. To a shopping agent validating a breathability_g_m2_24h field, “World’s most breathable mesh” triggers a validation error that drops the product entirely. A competitor returning 20000 passes the filter. Persuasion is mathematically lossy. Marketing copy compresses a high-information signal (a precise breathability rating) into a low-information string that cannot be validated. Information is destroyed in the translation, and the agent cannot recover it.

The emerging standard for solving this is the Universal Commerce Protocol (UCP). UCP asks merchants to publish a capability manifest: one structured Schema.org feed that any compliant agent can discover and query. This migration requires a fundamental overhaul of infrastructure. Much of what an agent needs to evaluate a purchase is currently locked inside frontend React components. Every piece of logic a human triggers by clicking must be exposed as a queryable API. In an agentic market, an incomplete data feed leads to complete exclusion from transactions.

Why telling agents not to buy your product is a good strategy

Exposing structured data is only half the battle. Merchants must also actively tell agents not to buy their products. Traditional marketing casts the widest net possible. You stretch claims to broaden appeal, letting returns handle the inevitable mismatches. In agentic commerce, that logic inverts. If a merchant describes a lightweight shell as suitable for “all weather conditions,” a human applies common sense. An agent takes it literally. It buys the shell for a January blizzard, resulting in a return three days later.

In traditional ecommerce, that return is a minor cost of doing business. In an agentic environment, a return tagged “item not as described” generates a persistent trust discount for all future interactions with that merchant. This forces a strategy of negative optimization. Merchants must explicitly code who their product is not for. Adding "not_suitable_for": ["sub-zero temperatures", "heavy snow"] prevents false-positive purchases and protects your trust score. Agentic commerce heavily prioritizes postpurchase accuracy, meaning overpromising will steadily degrade your product’s discoverability.

From banners to logic: How discounts become programmable

Just as agents ignore marketing language, they cannot respond to pricing tricks. Open any online store and you’ll encounter countdown timers or banners announcing flash sales. Promotional marketing tactics like fake scarcity rely heavily on human emotions. An AI agent does not experience scarcity anxiety. It treats a countdown timer as a neutral scheduling parameter.

Discounts change form. Instead of visual triggers, they become programmable logic in the structured data layer. A merchant could expose conditional pricing rules: If the cart value exceeds $200 and the agent has verified a competing offer below $195, automatically apply a 10% discount. This is a fundamentally different incentive. It serves as a transparent, machine-readable contract. The agent directly calculates the deal’s mathematical value. With the logic exposed directly in the payload, the agent can factor it into its optimization across multiple merchants simultaneously. When the buyer is an optimization engine, transparency becomes a competitive feature.

Where persuasion migrates

The Sandwich Architecture’s middle layer is persuasion-proof by design. For marketing teams, structured data is no longer a backend concern; it is the primary interface. Persuasion now migrates to the edges of the transaction. Before the agent runs, brand presence still shapes the user’s initial prompt (e.g., “find me a North Face jacket”). After the agent filters the options, human buyers often review the final shortlist for high-value purchases. Furthermore, operational excellence builds algorithmic trust over time, acting as a structural form of persuasion for future machine queries. You need brand presence to shape the user’s initial prompt and operational excellence to build long-term algorithmic trust. Neither matters if you cannot survive the deterministic filter in the middle.

Agents are now browsing your store alongside human buyers. Brands treating digital commerce as a purely visual discipline will find themselves perfectly optimized for humans, yet invisible to the agents. Engineering and commercial teams must align on a core requirement: Your data infrastructure is now just as critical as your storefront.
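
The Executor layer described in this article, as an added example (not code from the article or from any real agent). It is a standard-library stand-in for the Pydantic checks the article mentions and goes slightly beyond its two-merchant case by also rejecting numeric strings and booleans. The merchant feeds, the `merchant`, `price_usd` and `conditions` names, and the cheapest-price `judge` replacing the second LLM call are assumptions.

```python
"""Executor layer: strict, deterministic filtering between two LLM calls.

Added example, not code from the article. Standard-library stand-in for the
Pydantic checks the article mentions; all feed data below is constructed.
"""
import math
from dataclasses import dataclass


class ValidationError(ValueError):
    """A merchant field is missing or has the wrong type."""


def strict_number(record, field):
    """Return record[field] only if it is a genuine, finite int or float."""
    if field not in record:
        raise ValidationError(f"{field}: missing")
    value = record[field]
    # bool is a subclass of int, and "20000" would survive a lenient float():
    # strict mode rejects both instead of coercing them.
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        raise ValidationError(f"{field}: expected number, got {type(value).__name__}")
    if isinstance(value, float) and not math.isfinite(value):
        raise ValidationError(f"{field}: not finite")
    return value


@dataclass(frozen=True)
class Query:
    """Structured output of the Translator layer (hypothetical shape)."""
    min_water_resistance_mm: int
    conditions: frozenset


def execute(query, feeds):
    """Return (shortlist, rejections) using type and range checks only."""
    shortlist, rejections = [], {}
    for record in feeds:
        merchant = record.get("merchant", "<unknown>")
        try:
            resistance = strict_number(record, "water_resistance_mm")
            price = strict_number(record, "price_usd")
            excluded = record.get("not_suitable_for", [])
            if not isinstance(excluded, list) or not all(
                isinstance(item, str) for item in excluded
            ):
                raise ValidationError("not_suitable_for: expected list of strings")
        except ValidationError as exc:
            # Ambiguity is treated as absence: the product is dropped, not guessed at.
            rejections[merchant] = str(exc)
            continue
        if resistance < query.min_water_resistance_mm:
            rejections[merchant] = "water_resistance_mm below minimum"
        elif query.conditions & set(excluded):
            rejections[merchant] = "excluded by not_suitable_for"
        else:
            shortlist.append({"merchant": merchant, "price_usd": price})
    return shortlist, rejections


def judge(shortlist):
    """Deterministic stand-in for the Judge LLM call: cheapest survivor wins."""
    return min(shortlist, key=lambda p: p["price_usd"]) if shortlist else None


# Constructed Translator output for the Scottish Highlands request.
QUERY = Query(min_water_resistance_mm=15000,
              conditions=frozenset({"heavy rain", "high wind"}))

# Constructed merchant feeds. A and B mirror the article's two stores.
FEEDS = [
    {"merchant": "A", "price_usd": 90, "water_resistance_mm": "Conquers stormy seas!"},
    {"merchant": "B", "price_usd": 95, "water_resistance_mm": 20000},
    {"merchant": "C", "price_usd": 80, "water_resistance_mm": "20000"},
    {"merchant": "D", "price_usd": 70, "water_resistance_mm": True},
    {"merchant": "E", "price_usd": 85, "water_resistance_mm": 25000,
     "not_suitable_for": ["high wind"]},
    {"merchant": "F", "price_usd": 60, "water_resistance_mm": 8000},
]

if __name__ == "__main__":
    survivors, dropped = execute(QUERY, FEEDS)
    for name, reason in dropped.items():
        print(f"rejected {name}: {reason}")
    print("judge picked:", judge(survivors))
```

Because the filter returns a reason for every dropped product, the same function doubles as an audit log of why a feed was excluded.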

12:49

CodeSOD: The Update Route [The Daily WTF]

Today's anonymous submission is one of the entries where I look at it and go, "Wait, that's totally wrong, that could have never worked." And then I realize, that's why it was submitted: it was absolutely broken code which got to production, somehow.

    Collection.updateOne(query, update, function(err, result, next)=>{
        if(err) next(err)
        ...
    })

So, Collection.updateOne is an API method for MongoDB. It takes three parameters: a filter to find the document, an update to perform on the document, and then an object containing other parameters to control how that update is done.

So this code is simply wrong. But it's worse than that, because it's wrong in a stupid way.

When creating routes using ExpressJS, you define a route and a callback to handle the route. The callback takes a few parameters: the request the browser sent, the result we're sending back, and a next function, which lets you have multiple callbacks attached to the same route. By invoking next() you're passing control to the next callback in the chain.

So what we have here is either an absolute brain fart, or more likely, a find-and-replace failure. A route handling callback got mixed in with database operations (which, as an aside, if your route handling code is anywhere near database code, you've also made a horrible mistake). The result is a line of code that doesn't work. And then someone released this non-working code into production.

Our submitter writes:

This blew up our logs today, has been in the code since 2019. I removed it in a handful of other places too.

Which raises the other question: why didn't this blow up the logs earlier?

12:07

Google Wants to Transition to Post-Quantum Cryptography by 2029 [Schneier on Security]

Google says that it will fully transition to post-quantum cryptography by 2029. I think this is a good move, not because I think we will have a useful quantum computer anywhere near that year, but because crypto-agility is always a good thing.

Slashdot thread.

11:42

Grrl Power #1449 – The Danbury Oreo Shake [Grrl Power]

I know what we’re all thinking. If we could eat metal, we’d all like to try Gallium. For the few of you who weren’t thinking that, and wondering why the rest of us were, it’s because Gallium’s melting point is 85.5°F (29.7°C). So you could keep it in the fridge, probably in the cheese drawer, then pop some in your mouth, and it starts to warm up, then it gets all melty and you could suck on it like a hard candy. Yes, I know Cesium melts at 83.2°F (28.5°C), but Gallium just sounds like it would taste better than Cesium, am I right? Although… I do hope Cesium has its place in the spice rack of metal eating species, because I want Cesium Salads to be a thing.

I thought drinking Mercury would be odd because metals conduct heat really well, so it would feel like a cold drink even if it was heated up quite a bit, but I looked it up, and it’s a terrible conductor of heat. So good news, I guess you could make Mercury coffee and it would stay hot, though I suspect very few foods are Mercury soluble. So you’d probably wind up with a bunch of coffee grit floating on top of a mug full of hot Mercury.

So Max does have some odd nutritional requirements, but it’s perhaps even odder that 98% of her diet is still just normal human food. Her sense of taste is basically the same as it used to be as well, although it is slightly expanded so the odd elements she craves taste good to her. The fact that she can have an omelet florentine for breakfast, and then shoot out a petajoule of energy before lunch seems like a pretty solid indication that it’s not proteins and complex carbohydrates that powers her power. Though maybe it is, and her body is able to fizz regular food. (By fizz, I mean fission, but it doesn’t sound right to me to say “her body is able to fission regular food.” Like, if you’re talking about fusion, you can fuse two things together, but you have to fission them apart? No, there should be a “fuse” equivalent. So, fizz.) Of course, I have no idea how much nuclear energy is in the average omelet, even one with spinach in it, and non-fissile material is, by my understanding, not easy to chain-react, meaning it would be absurdly energy inefficient to extract all of the fission energy from it, so again, the theory is that Maxima’s, and indeed probably no Super’s power source is regular food.


Okay, the new one will be up today. In a mostly complete form. Or maybe finished. I thought I’d have finished it over the weekend but I stupidly put 5 characters in it, so it slowed down the rendering a lot.

Here is Gaxgy’s painting Maxima promised him. Weird how he draws almost exactly like me.

Patreon has a no-dragon-bikini version of the picture as well, naturally.

 


Double res version will be posted over at Patreon. Feel free to contribute as much as you like.

10:35

Pluralistic: Your boss wants to use surveillance data to cut your wages (06 Apr 2026) [Pluralistic: Daily links from Cory Doctorow]

A robot in an old fashioned frock coat. In one hand, he holds a giant magnifying glass. On the other stands a child laborer - a coal miner from the 1910s, squinting at the camera. Terrifying energy beams streak out of the robot's eyes into the glass and at the child. The background is an extremely dark, very roughed-up US $100 bill.

Your boss wants to use surveillance data to cut your wages (permalink)

What industry calls "personalized pricing" is really surveillance pricing: using digital tools' flexibility to change the price for each user, and using surveillance data to guess the worst price you'll accept:

https://pluralistic.net/2025/06/24/price-discrimination/

At root, surveillance pricing allows companies to revalue both your savings and your labor. If you get charged $2 for something I only pay $1 for, the seller is essentially reaching into your bank account and revaluing the dollars in it at 50 cents apiece. If you get paid $1 for a job that I make $2 for, then the boss is valuing your labor at 50% of my labor:

https://pluralistic.net/2025/06/24/price-discrimination/#

Surveillance pricing is a key part of enshittification, relying on three of the key enshittificatory factors that have transformed this era into the enshittocene:

I. Monopoly: Surveillance pricing is undesirable to both workers and buyers, so in a competitive market, surveillance pricing would drive labor and consumption to non-surveilling rivals:

https://pluralistic.net/2022/02/20/we-should-not-endure-a-king/

II. Regulatory capture: Surveillance pricing only exists because of weak regulation and weak enforcement of existing regulations. To engage in surveillance pricing, a company must first put you under surveillance, something that is only possible in the absence of effective privacy law.

In the USA, privacy law hasn't been updated since Congress passed a law in 1988 that banned video-store clerks from disclosing your VHS rentals:

https://pluralistic.net/2025/10/31/losing-the-crypto-wars/#surveillance-monopolism

In the EU, the strong privacy provisions in the GDPR have been neutralized by US tech giants who fly an Irish flag of convenience. Ireland attracts these companies by allowing them to evade their taxes, but it can only keep these companies by allowing them to break any law that gets in their way, because if Meta can pretend to be Irish this week, it could pretend to be Maltese (or Cypriot, Luxembourgeois, or Dutch) next week:

https://pluralistic.net/2023/05/15/finnegans-snooze/#dirty-old-town

What's more, competition laws in the EU and the USA ban surveillance pricing, but a half-century of lax competition law enforcement has allowed companies to routinely engage in the "unfair and deceptive methods of competition" banned in both territories.

III. Twiddling: "Twiddling" is my word for the way that digitized businesses can use computers' flexibility to alter their prices, offers, and other fundamentals on a per-user, per-session basis. It's not enough to spy on users: to engage in surveillance pricing, you have to be able to mobilize that surveillance data from instant to instant, changing the prices for every user. This can only be done once a business has been digitized:

https://pluralistic.net/2023/02/19/twiddler/

Combine monopoly, weak privacy law, weak competition law, and digitization, and you don't just make surveillance pricing possible – at that point, it's practically inevitable. This is what it means to create an enshittogenic policy environment: by arranging policy so that the most awful schemes of the worst people are the most profitable, you guarantee that those people will end up organizing commercial and labor markets.

When surveillance pricing is applied to labor, we call it "algorithmic wage discrimination," a term coined by Veena Dubal based on her research with Uber drivers:

https://pluralistic.net/2023/04/12/algorithmic-wage-discrimination/#fishers-of-men

Uber uses historic data on drivers to make inferences about how economically precarious they are, and then extracts a "desperation premium" from their wages. Drivers who are pickier about which rides they accept ("pickers") are offered higher wages than drivers who take any ride ("ants"):

https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4331080

On the back-end, Uber is inferring that the reason an ant will accept a worse job is that they have fewer choices – they are more strapped for cash and/or have fewer options for earning a higher wage.

This is a straightforward form of algorithmic wage discrimination, using the blunt signal of how discriminating a driver is when signing onto a job to titer the subsequent wage offered to that driver. More sophisticated forms of algorithmic wage discrimination draw on external sources of data to set the price of your labor.

That's the situation for contract nurses, whose traditional brick-and-mortar staffing agencies have been replaced by nationwide apps that market themselves as "Uber for nursing." These apps use commercial surveillance data from the unregulated data-broker sector to check on how much credit card debt a nurse is carrying and whether that debt is delinquent to set a wage: the more debt you have and the more dire your indebtedness is, the lower the wage you are offered (and therefore the more debt you accumulate – lather, rinse, repeat):

https://pluralistic.net/2024/12/18/loose-flapping-ends/#luigi-has-a-point

Surveillance wages are now proliferating to other parts of the economy, as "consultancies" offer software to employers that let them set all parts of your compensation – base wage, annual raises, and bonuses – based on your perceived desperation, as derived from commercial surveillance data that has been collected about you:

https://www.marketwatch.com/story/employers-are-using-your-personal-data-to-figure-out-the-lowest-salary-youll-accept-c2b968fb

Genna Contino's Marketwatch article on the phenomenon offers a concise definition of "surveillance wages":

a system in which wages are based not on an employee’s performance or seniority, but on formulas that use their personal data, often collected without employees’ knowledge.

This means that carrying a credit-card balance, taking out a payday loan, or even discussing your indebtedness on social media can all lead to lower wages in the future. Contino references a recent report released by Dubal and tech strategist Wilneida Negrón, surveying 500 large firms, which concluded that surveillance wages are now being offered in sectors as diverse as "healthcare, customer service, logistics and retail." Customers for surveillance wage tools include "Intuit, Salesforce, Colgate-Palmolive, Amwell and Healthcare Services Group":

https://equitablegrowth.org/how-artificial-intelligence-uncouples-hard-work-from-fair-wages-through-surveillance-pay-practices-and-how-to-fix-it/

After a brief crackdown under Biden, the Trump regime has been extraordinarily welcoming to surveillance pricing companies, dropping investigations and cases against firms that engaged in the practice. A few states are stepping in to fill the gap, with New York state passing a rule requiring disclosure of surveillance pricing – a modest step that was nevertheless fought tooth-and-nail by the state's businesses.

In Colorado, a new House bill called the "Prohibit Surveillance Data to Set Prices and Wages Act" would prohibit the use of personal information in wage-setting:

https://leg.colorado.gov/bills/hb25-1264

This bill hasn't passed yet, but it's already doing useful work. Companies universally deny using surveillance data to set wages, insisting that they merely pay for consulting services that give them advice on how they could do surveillance wages – but don't actually take that advice. However, these same companies – including Uber and Lyft – are ferociously lobbying against the bill, raising an obvious question, articulated by the bill's co-sponsor Rep Javier Mabrey (D-1): if these companies don't pay surveillance wages, then "what is the problem of codifying in law that you’re not allowed to?"

Surveillance wages are a rare profitable use-case for AI, in part because surveillance wages don't need to be "correct" in order to be effective. An employee who is offered a wage that's slightly higher than the lowest sum they'd accept still represents a savings to the company's wage-bill. As ever, AI is great for fully automating tasks if you don't care whether they're done well:

https://pluralistic.net/2026/03/22/nobodys-home/#squeeze-that-hog

The fact that surveillance wages are calculated by external contractors enables employers to engage in otherwise illegal price-fixing. If all the garages in town set mechanics' wages using the same surveillance pricing tool, then a mechanic looking for a job will get the same lowball offer from all nearby employers. If those bosses were to gather around a table and fix the wage for any (or all) mechanics, that would be wildly illegal, but the fact that this is done via a software package lets the bosses claim they're not actually colluding.

This is a common practice in other forms of price-fixing. We see it in meat, potato products, and, of course, rental accommodations (hey there, Realpage!). It's a genuinely stupid ruse based on the absurd idea that "it's not a crime if we do it with an app":

https://pluralistic.net/2025/01/25/potatotrac/#carbo-loading

Speaking of crimes that are implausibly deniable when undertaken with an app: surveillance wages also allow employers to offer lower wages to women and brown and Black people while maintaining the pretense that they're in compliance with laws banning gender and racial discrimination.

In the wider economy, women and racialized people are already offered lower wages and – thanks to the legacy of racial discrimination in employment and housing – are more likely to be indebted:

https://pluralistic.net/2021/06/06/the-rents-too-damned-high/

By tapping into data brokers' dossiers that reveal the economic precarity of jobseekers, surveillance pricing allows employers to systematically lower the wages of women and Black and brown people, who have the highest incidence of indebtedness, while still claiming to offer race- and gender-blind wages. This is a phenomenon that Patrick Ball calls "empiricism washing": first, move the illegal racist discrimination into an algorithm, then insist that "numbers can't be racist."

But this isn't just about lowering wages at the bottom of the employment market. In recent history, the employers most eager to illegally lower their workers' wages are tech bosses, who had to pay massive fines for illegally colluding on "no poach" agreements to suppress the earning power of high-paid computer programmers:

https://en.wikipedia.org/wiki/High-Tech_Employee_Antitrust_Litigation

(This is why the tech industry is so horny for AI – tech bosses can't wait to fire a ton of programmers and use the resulting terror to force down the wages of the remaining tech workers:)

https://pluralistic.net/2026/01/05/fisher-price-steering-wheel/#billionaire-solipsism

Which means that the very programmers who write and maintain the surveillance wage software used on the rest of us are especially likely to have the tools they created turned on them.


Object permanence (permalink)

#20yrsago Arthur C Clarke fights Buddhist monks over Daylight Savings Time http://news.bbc.co.uk/1/hi/world/south_asia/4865972.stm

#20yrsago What parts of the .COM space are registered? https://web.archive.org/web/20060411133458/https://www.yafla.com/dforbes/2006/03/29.html

#20yrsago Bomb squad called out to “defuse” life-size Super Mario power-ups https://web.archive.org/web/20060405034455/http://www.recordpub.com/article.php?pathToFile=archive/04012006/news/&file=_news1.txt&article=1&tD=04012006

#20yrsago Poems showing the absurdities of English spelling https://web.archive.org/web/20060405223008/https://www.spellingsociety.org/news/media/poems.php

#20yrsago Isaac Newton’s alchemical “chymistry” notebook scans https://web.archive.org/web/20060612203137/http://webapp1.dlib.indiana.edu/newton/index.jsp

#15yrsago Misleading government stats and the innumerate media who repeat them https://www.badscience.net/2011/04/anarchy-for-the-uk-ish/

#15yrsago US Customs’ domain-seizure program blocks free speech, leaves alleged pirates largely unscathed https://torrentfreak.com/us-governments-pirate-domain-seizures-failed-miserably-110403/

#10yrsago Panama Papers: Largest leak in history reveals political and business elite hiding trillions in offshore havens https://www.theguardian.com/news/2016/apr/03/the-panama-papers-how-the-worlds-rich-and-famous-hide-their-money-offshore

#10yrsago America’s teachers are being trained in a harsh interrogation technique that produces false confessions https://web.archive.org/web/20160404143447/https://www.alternet.org/education/why-are-k-12-school-leaders-being-trained-coercive-interrogation-techniques

#10yrsago LA’s new rule: homeless people are only allowed to own one trashcan’s worth of things https://www.latimes.com/local/california/la-me-apartments-demolished-20160402-story.html

#10yrsago Save Netflix! https://www.eff.org/deeplinks/2016/04/save-netflix

#10yrsago The TSA spent $1.4M on an app to tell it who gets a random search https://kevin.burke.dev/kevin/tsa-randomizer-app-cost-336000/

#10yrsago Iceland’s Prime Minister says he won’t resign, mass demonstrations gain momentum https://icelandmonitor.mbl.is/news/politics_and_society/2016/03/31/anti_government_demo_planned_for_monday/

#10yrsago Panama Papers reveal the tax-avoidance strategies of David Cameron’s father https://www.theguardian.com/news/2016/apr/04/panama-papers-david-cameron-father-tax-bahamas

#10yrsago Studio sculpts giant coin, photographs it alongside normal objects to make them look tiny https://skrekkogle.com/projects/50c/

#5yrsago China's antitrust surge https://pluralistic.net/2021/04/03/ambulatory-wallets/#sectoral-balances

#5yrsago Consumerism won't defeat Georgia's Jim Crow https://pluralistic.net/2021/04/03/ambulatory-wallets/#christmas-voting-turkeys

#1yrago End-stage capitalism https://pluralistic.net/2025/04/04/anything-that-cant-go-on/#forever-eventually-stops


Upcoming books (permalink)

  • "The Reverse-Centaur's Guide to AI," a short book about being a better AI critic, Farrar, Straus and Giroux, June 2026 (https://us.macmillan.com/books/9780374621568/thereversecentaursguidetolifeafterai/)
  • "Enshittification, Why Everything Suddenly Got Worse and What to Do About It" (the graphic novel), Firstsecond, 2026

  • "The Post-American Internet," a geopolitical sequel of sorts to Enshittification, Farrar, Straus and Giroux, 2027

  • "Unauthorized Bread": a middle-grades graphic novel adapted from my novella about refugees, toasters and DRM, FirstSecond, 2027

  • "The Memex Method," Farrar, Straus, Giroux, 2027



Colophon (permalink)

Currently writing: "The Post-American Internet," a sequel to "Enshittification," about the better world the rest of us get to have now that Trump has torched America. First draft complete. Second draft underway.

  • "The Reverse Centaur's Guide to AI," a short book for Farrar, Straus and Giroux about being an effective AI critic. LEGAL REVIEW AND COPYEDIT COMPLETE.
  • "The Post-American Internet," a short book about internet policy in the age of Trumpism. PLANNING.

  • A Little Brother short story about DIY insulin PLANNING


This work – excluding any serialized fiction – is licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net.

https://creativecommons.org/licenses/by/4.0/

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.


How to get Pluralistic:

Blog (no ads, tracking, or data-collection):

Pluralistic.net

Newsletter (no ads, tracking, or data-collection):

https://pluralistic.net/plura-list

Mastodon (no ads, tracking, or data-collection):

https://mamot.fr/@pluralistic

Bluesky (no ads, possible tracking and data-collection):

https://bsky.app/profile/doctorow.pluralistic.net

Medium (no ads, paywalled):

https://doctorow.medium.com/

Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):

https://mostlysignssomeportents.tumblr.com/tagged/pluralistic

"When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla

READ CAREFULLY: By reading this, you agree, on behalf of your employer, to release me from all obligations and waivers arising from any and all NON-NEGOTIATED agreements, licenses, terms-of-service, shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure, non-compete and acceptable use policies ("BOGUS AGREEMENTS") that I have entered into with your employer, its partners, licensors, agents and assigns, in perpetuity, without prejudice to my ongoing rights and privileges. You further represent that you have the authority to release me from any BOGUS AGREEMENTS on behalf of your employer.

ISSN: 3066-764X

10:14

Kinder than necessary [Seth's Blog]

If it’s just the right amount of necessary kindness, it’s not really kindness. It’s pleasantness.

If the people in our circle begin to experience behavior that’s kinder than necessary, the expectations for what’s necessary will ratchet forward, making everything more pleasant.

And… being kind is a lovely way to spend your day.

[Compare this to an alternative: “be as selfish as you can get away with.” Hardly worth going down that path.]

08:42

Around Back [Penny Arcade]

New Comic: Around Back

06:35

Patrick Stein: Nomic Coding Game [Planet Lisp]

About 30 years ago, I had an idea for a coding game inspired by Nomic. It occurred to me last month that all of the tools I need are readily available now.

Pen-and-paper Nomic

The pen-and-paper game of Nomic (by Peter Suber) has an initial ruleset which describes how one proposes changes to the rules, how one gets those changes ratified, a way to award points when someone’s rule change is ratified, and a rule declaring that the winner is the first player to amass 100 points. Some of the rules are mutable and some are immutable and there are rules about turning mutable rules into immutable ones and vice-versa.

The game was meant to show some of the paradoxes of self-amendment. It was meant to lead people into situations where it was clear that certain actions were both legal (or even mandatory) and illegal.

A drastically simplified starting set of rules might look like:

  • There are these players: Alice, Bob, Carol, David, and Mel.
  • Any of the players can propose a change to these rules at any time when there is not already an outstanding proposal.
  • When a player makes a proposal, all players (including the player making the proposal) must immediately vote: Yay or Nay.
  • If a proposal garners more Yay than Nay votes, it takes effect immediately. Otherwise, the proposal is rejected.
  • The winner is the first person to score 100 points.

Nomic in Code

So, 30 years ago, I had the idea that it would be fabulous to write some code to referee a Nomic game. However, because interpretation of the rules is so horrendously human, it felt impossible. Today, in 2026, it seems one could maybe get Claude, Gemini, or some other LLM to referee. But, this doesn’t much interest me, either, really. I cannot get any of them to keep track of something that I made them write down. I cannot imagine that I would be happy with their interpretation of whether my move is legal given the current state of the rules nor to amend the rules appropriately if my move is legal.

What felt slightly more attainable 30 years ago would be to make it a battle in code:

  • The players propose deltas to the current code.
  • The players vote on which deltas to approve.
  • If the resulting code declares you the winner, you win.

This was nice and all, but it was also too static. The rules about who can vote and how votes are tallied and such wouldn’t be subject to change.

Nomic in Code in 2026

Fast-forward to last month. Last month, I realized that with the GitHub API interface, I could implement a very Nomic-ish pull request battle game. I can:

  • Gather information about all of the open pull requests on a repository,
  • Check out a copy of the current main branch of that same repository,
  • Run the code on the main branch of that repository and give it the information that I collected about the open pull requests, and
  • Have the code on the main branch tell me which open pull requests (if any) to accept or reject.

To be truly in Nomic’s full spirit, it would be nice to allow the code in the repository to interact with the GitHub API on its own. Alas, that would immediately let the players vote in changes that expose my GitHub tokens, so it would be a gaping security hole—not only because it would let users impersonate me but because it would let them end-around the actual code in the repository to make changes to the main branch in the repository.

So, as it is, I have a supervisor written in Common Lisp which handles all of the interaction with GitHub and various game repositories (one to play in Common Lisp, one to play in JavaScript, and one to play in Python). The supervisor:

  • fetches all of the open pull requests;
  • annotates each pull request with:
    • all of the reviews on the pull request,
    • all of the comments on the pull request, and
    • all of the commits on the pull request;
  • clones the main branch of the game repository;
  • runs the game code from that main branch giving it the annotated list of open pull requests encoded as JSON on standard input;
  • reads the JSON-encoded output from the game code; and
  • acts accordingly.

The game code, given a list of open pull requests, can reply with one of the following messages:

{
  "decision": "winner",
  "name": name-of-winner,
  "message": optional-reason-for-decision
}
{
  "decision": "accept",
  "id": id-number-of-pull-request-to-accept,
  "message": optional-reason-for-decision
}
{
  "decision": "reject",
  "id": id-number-of-pull-request-to-reject,
  "message": optional-reason-for-decision
}
{
  "decision": "defer"
}

The "defer" decision means that there is not enough information at the moment. Maybe, in the future, with other pull requests or other comments or reviews we will be able to make some move.

If the game code replies with anything that isn’t one of the four types of replies shown above, the supervisor assumes the latest merge broke the code and reverts the change.

The Ask

I haven’t been able to drum up enough players for a game in any of my regular haunts. So, I am looking for tolerant players who will help me give it a test run or two to work out the kinks in the supervisor. Some areas where I foresee potential issues:

  • There may be scenarios that cause the game to reach an impasse.
  • There are probably some GitHub responses that the supervisor doesn’t do the right thing with (in fact, I think I just thought of a situation that a malicious player could do if they are a collaborator rather than doing this through forked repos).
  • There might be special issues related to pull requests coming in from forks rather than within the repo which I cannot test without making myself a second GitHub account.
  • Who can say what the optimal number of players is, at this point?

So, if you’re tolerant of some bumps in the process, have a GitHub account (or will make one), and are interested in a Common Lisp battle of pull requests, let me know so we can get a game going.

The post Nomic Coding Game first appeared on nklein software.
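
The supervisor step described in the Nomic Coding Game post above (run the game code with the pull requests on standard input, accept only the four reply shapes, otherwise revert), written in Python as an added example; it is not code from the post or from the author's Common Lisp supervisor. The function names, the "id" field on each pull request object, the rejection of extra or duplicate keys, the size cap and the emptied child environment are assumptions of this example.

```python
import json
import subprocess

# decision -> required field and its type ("defer" carries nothing else)
DECISIONS = {"winner": ("name", str), "accept": ("id", int),
             "reject": ("id", int), "defer": (None, None)}
MAX_REPLY_BYTES = 64 * 1024  # assumption: largest reply the supervisor accepts


class InvalidReply(Exception):
    """Game output is not one of the four reply shapes; the caller reverts."""


def no_duplicate_keys(pairs):
    # json.loads silently keeps the last value of a repeated key; refuse it,
    # so {"id": 1, "id": 2} can never name two different pull requests.
    keys = [k for k, _ in pairs]
    if len(keys) != len(set(keys)):
        raise InvalidReply("duplicate key")
    return dict(pairs)


def parse_reply(raw, open_ids):
    """Return the validated reply dict, or raise InvalidReply."""
    if len(raw.encode("utf-8")) > MAX_REPLY_BYTES:
        raise InvalidReply("reply too large")
    try:
        reply = json.loads(raw, object_pairs_hook=no_duplicate_keys)
    except (ValueError, RecursionError) as exc:  # bad JSON or absurd nesting
        raise InvalidReply(f"not JSON: {exc}") from None
    if not isinstance(reply, dict):
        raise InvalidReply("top level is not an object")
    decision = reply.get("decision")
    if not isinstance(decision, str) or decision not in DECISIONS:
        raise InvalidReply("unknown decision")
    field, ftype = DECISIONS[decision]
    allowed = {"decision"} if field is None else {"decision", field, "message"}
    if set(reply) - allowed:
        raise InvalidReply("unexpected field")
    if field is not None:
        value = reply.get(field)
        # bool is a subclass of int in Python, so exclude it explicitly
        if isinstance(value, bool) or not isinstance(value, ftype):
            raise InvalidReply(f"{field!r} missing or wrong type")
        if field == "id" and value not in open_ids:
            raise InvalidReply("id is not an open pull request")
        if field == "name" and not value.strip():
            raise InvalidReply("empty winner name")
    if not isinstance(reply.get("message", ""), str):
        raise InvalidReply("message is not a string")
    return reply


def run_game(cmd, pulls, timeout=30):
    """Run player-controlled game code with the pull-request list on stdin.

    env={} keeps the supervisor's own environment, where a GitHub token may
    live, out of the child process.
    """
    try:
        proc = subprocess.run(cmd, input=json.dumps(pulls), capture_output=True,
                              text=True, timeout=timeout, env={})
    except (subprocess.TimeoutExpired, OSError, ValueError) as exc:
        raise InvalidReply(f"game did not run cleanly: {exc}") from None
    if proc.returncode != 0:
        raise InvalidReply(f"game exited with status {proc.returncode}")
    return proc.stdout


def supervise(cmd, pulls):
    """One supervisor step: (decision, reply) or ("revert", reason)."""
    open_ids = {p["id"] for p in pulls}
    try:
        reply = parse_reply(run_game(cmd, pulls), open_ids)
    except InvalidReply as exc:
        return "revert", str(exc)
    return reply["decision"], reply


if __name__ == "__main__":
    import sys
    # Constructed input: one open pull request and two tiny stand-in games.
    pulls = [{"id": 7, "reviews": [], "comments": [], "commits": []}]
    good = [sys.executable, "-c",
            "import json,sys; p=json.load(sys.stdin); "
            "print(json.dumps({'decision':'accept','id':p[0]['id']}))"]
    print(supervise(good, pulls))
    print(supervise([sys.executable, "-c", "print('merge everything')"], pulls))
```
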

05:35

Girl Genius for Monday, April 06, 2026 [Girl Genius]

The Girl Genius comic for Monday, April 06, 2026 has been posted.

03:49

Germany Doxes “UNKN,” Head of RU Ransomware Gangs REvil, GandCrab [Krebs on Security]

An elusive hacker who went by the handle “UNKN” and ran the early Russian ransomware groups GandCrab and REvil now has a name and a face. Authorities in Germany say 31-year-old Russian Daniil Maksimovich Shchukin headed both cybercrime gangs and helped carry out at least 130 acts of computer sabotage and extortion against victims across the country between 2019 and 2021.

Shchukin was named as UNKN (a.k.a. UNKNOWN) in an advisory published by the German Federal Criminal Police (the “Bundeskriminalamt” or BKA for short). The BKA said Shchukin and another Russian — 43-year-old Anatoly Sergeevitsch Kravchuk — extorted nearly $2 million euros across two dozen cyberattacks that caused more than 35 million euros in total economic damage.

Daniil Maksimovich SHCHUKIN, a.k.a. UNKN, and Anatoly Sergeevitsch Kravchuk, alleged leaders of the GandCrab and REvil ransomware groups.

Germany’s BKA said Shchukin acted as the head of one of the largest worldwide operating ransomware groups GandCrab and REvil, which pioneered the practice of double extortion — charging victims once for a key needed to unlock hacked systems, and a separate payment in exchange for a promise not to publish stolen data.

Shchukin’s name appeared in a Feb. 2023 filing (PDF) from the U.S. Justice Department seeking the seizure of various cryptocurrency accounts associated with proceeds from the REvil ransomware gang’s activities. The government said the digital wallet tied to Shchukin contained more than $317,000 in ill-gotten cryptocurrency.

The Gandcrab ransomware affiliate program first surfaced in January 2018, and paid enterprising hackers huge shares of the profits just for hacking into user accounts at major corporations. The Gandcrab team would then try to expand that access, often siphoning vast amounts of sensitive and internal documents in the process. The malware’s curators shipped five major revisions to the GandCrab code, each corresponding with sneaky new features and bug fixes aimed at thwarting the efforts of computer security firms to stymie the spread of the malware.

On May 31, 2019, the GandCrab team announced the group was shutting down after extorting more than $2 billion from victims. “We are a living proof that you can do evil and get off scot-free,” GandCrab’s farewell address famously quipped. “We have proved that one can make a lifetime of money in one year. We have proved that you can become number one by general admission, not in your own conceit.”

The REvil ransomware affiliate program materialized around the same time as GandCrab’s demise, fronted by a user named UNKNOWN who announced on a Russian cybercrime forum that he’d deposited $1 million in the forum’s escrow to show he meant business. By this time, many cybersecurity experts had concluded REvil was little more than a reorganization of GandCrab.

UNKNOWN also gave an interview to Dmitry Smilyanets, a former malicious hacker hired by Recorded Future, wherein UNKNOWN described a rags-to-riches tale unencumbered by ethics and morals.

“As a child, I scrounged through the trash heaps and smoked cigarette butts,” UNKNOWN told Recorded Future. “I walked 10 km one way to the school. I wore the same clothes for six months. In my youth, in a communal apartment, I didn’t eat for two or even three days. Now I am a millionaire.”

As described in The Ransomware Hunting Team by Renee Dudley and Daniel Golden, UNKNOWN and REvil reinvested significant earnings into improving their success and mirroring practices of legitimate businesses. The authors wrote:

“Just as a real-world manufacturer might hire other companies to handle logistics or web design, ransomware developers increasingly outsourced tasks beyond their purview, focusing instead on improving the quality of their ransomware. The higher quality ransomware—which, in many cases, the Hunting Team could not break—resulted in more and higher pay-outs from victims. The monumental payments enabled gangs to reinvest in their enterprises. They hired more specialists, and their success accelerated.”

“Criminals raced to join the booming ransomware economy. Underworld ancillary service providers sprouted or pivoted from other criminal work to meet developers’ demand for customized support. Partnering with gangs like GandCrab, ‘cryptor’ providers ensured ransomware could not be detected by standard anti-malware scanners. ‘Initial access brokerages’ specialized in stealing credentials and finding vulnerabilities in target networks, selling that access to ransomware operators and affiliates. Bitcoin “tumblers” offered discounts to gangs that used them as a preferred vendor for laundering ransom payments. Some contractors were open to working with any gang, while others entered exclusive partnerships.”

REvil would evolve into a feared “big-game-hunting” machine capable of extracting hefty extortion payments from victims, largely going after organizations with more than $100 million in annual revenues and fat new cyber insurance policies that were known to pay out.

Over the July 4, 2021 weekend in the United States, REvil hacked into and extorted Kaseya, a company that handled IT operations for more than 1,500 businesses, nonprofits and government agencies. The FBI would later announce they’d infiltrated the ransomware group’s servers prior to the Kaseya hack but couldn’t tip their hand at the time. REvil never recovered from that core compromise, or from the FBI’s release of a free decryption key for REvil victims who couldn’t or didn’t pay.

Shchukin is from Krasnodar, Russia and is thought to reside there, the BKA said.

“Based on the investigations so far, it is assumed that the wanted person is abroad, presumably in Russia,” the BKA advised. “Travel behaviour cannot be ruled out.”

There is little that connects Shchukin to UNKNOWN’s various accounts on the Russian crime forums. But a review of the Russian crime forums indexed by the cyber intelligence firm Intel 471 shows there is plenty connecting Shchukin to a hacker identity called “Ger0in” who operated large botnets and sold “installs” — allowing other cybercriminals to rapidly deploy malware of their choice to thousands of PCs in one go. However, Ger0in was only active between 2010 and 2011, well before UNKNOWN’s appearance as the REvil front man.

A review of the mugshots released by the BKA at the image comparison site Pimeyes found a match on this birthday celebration from 2023, which features a young man named Daniel wearing the same fancy watch as in the BKA photos.

Images from Daniil Shchukin’s birthday party celebration in Krasnodar in 2023.

Update, April 6, 12:06 p.m. ET: A reader forwarded this English-dubbed audio recording from a ccc.de (37C3) conference talk in Germany from 2023 that previously outed Shchukin as the REvil leader (Shchukin is mentioned at around 24:25).

02:21

Kernel prepatch 7.0-rc7 [LWN.net]

Linus has released 7.0-rc7 for testing. "Things look set for a final release next weekend, but please keep testing. The Easter bunny is watching".

Sunday, 05 April

17:28

Not Normal [Cory Doctorow's craphound.com]

A pair of broken off statue legs, shod in Roman sandals, atop a cliff. Behind them, we see a futuristic city.

This week on my podcast, I read Not Normal, my latest Locus Magazine column, about the surreal and terrible world we’ve been eased into thanks to anti-circumvention laws.


If you were paying attention in 1998, you could see what was coming. Computers were getting much cheaper, and much smaller. From cars to toasters, from speakers to TVs, we were shoveling them into our devices, and it doesn’t take a lot of expense or engineering to add an “access control” to any of those computers.

That meant that DMCA 1201 was about to metastasize. Once you put a computer into a thermostat or a bassinet or a stovetop or a hearing aid, you can add an access control and make it a felony to use it in ways the manufacturer disprefers. You can make it illegal to use cheap batteries, or a different app store. You can add little chips to parts – everything from a fuel pump to a touchscreen – and make it illegal to manufacture a working generic part, because the generic part has to bypass the “access control” in the device that checks to see whether it’s the manufacturer’s own part.

MP3

16:35

The Absolute Best Carrot Cake Recipe To Make For Easter (Or Anytime!) [Whatever]

Which dish is more suited for Easter than a carrot cake? None, I say! And lucky for y’all, I have the best recipe for you to try. This recipe is tried and true and absolutely delicious. Many people have said “this is the best carrot cake I’ve ever had!”

This Brown Butter Carrot Cake comes to us from Handle the Heat. It’s surprisingly quick and honestly quite easy, and it’s my go-to carrot cake recipe, even though browning the butter takes some extra time. It’s totally worth it!

I hope you give this recipe a try, and have a happy Easter, or just an awesome Sunday in general.

-AMS

15:35

Adobe secretly modifies your hosts file for the stupidest reason [OSnews]

If you’re using Windows or macOS and have Adobe Creative Cloud installed, you may want to take a peek at your hosts file. It turns out Adobe adds a bunch of entries into the hosts file, for a very stupid reason.

They’re using this to detect if you have Creative Cloud already installed when you visit their website.

When you visit https://www.adobe.com/home, they load this image using JavaScript:

https://detect-ccd.creativecloud.adobe.com/cc.png

If the DNS entry in your hosts file is present, your browser will therefore connect to their server, so they know you have Creative Cloud installed, otherwise the load fails, which they detect.

They used to just hit http://localhost:<various ports>/cc.png which connected to your Creative Cloud app directly, but then Chrome started blocking Local Network Access, so they had to do this hosts file hack instead.

↫ thenickdude at Reddit

At what point does a commercial software suite become malware?
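
For readers who want to take that peek at the hosts file, an added example (not from the post or from Adobe): a Python audit that parses hosts-file text and reports any entry under the domain of the detection URL quoted above. The function names and the sample file are constructed for this example, and the addresses in it are from the 192.0.2.0/24 documentation range, since the post does not say what address the entries point to.

```python
import ipaddress
import os
import sys

# Parent domain of the detection host named in the post, so sibling entries show up too.
WATCHED_SUFFIXES = ("creativecloud.adobe.com",)

# Constructed sample hosts file (addresses are documentation-range placeholders).
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
# 192.0.2.10 detect-ccd.creativecloud.adobe.com
192.0.2.10  detect-ccd.creativecloud.adobe.com   # active entry
192.0.2.11  example.test Detect-CCD.CreativeCloud.Adobe.com.
192.0.2.12  notcreativecloud.adobe.com
not-an-ip   detect-ccd.creativecloud.adobe.com
"""


def parse_hosts(text):
    """Yield (line number, address, [hostnames]) for each active mapping line."""
    for lineno, line in enumerate(text.lstrip("\ufeff").splitlines(), 1):
        body = line.split("#", 1)[0].strip()      # drop comments
        fields = body.split()
        if len(fields) < 2:
            continue                              # blank, comment-only or no hostname
        try:
            # Strip an IPv6 zone id such as fe80::1%lo0 before validating.
            addr = ipaddress.ip_address(fields[0].split("%", 1)[0])
        except ValueError:
            continue                              # resolvers ignore malformed lines
        # Hostnames are case-insensitive and may carry a trailing root dot.
        yield lineno, addr, [n.lower().rstrip(".") for n in fields[1:]]


def audit_hosts(text, suffixes=WATCHED_SUFFIXES):
    """Return (line, hostname, address) for every entry at or under a watched domain."""
    findings = []
    for lineno, addr, names in parse_hosts(text):
        for name in names:
            # Match on a label boundary so notcreativecloud.adobe.com is not flagged.
            if any(name == s or name.endswith("." + s) for s in suffixes):
                findings.append((lineno, name, str(addr)))
    return findings


def hosts_path():
    """Location of the hosts file on Windows, and on macOS and other Unix systems."""
    if sys.platform == "win32":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


if __name__ == "__main__":
    with open(hosts_path(), encoding="utf-8", errors="replace") as fh:
        for lineno, name, addr in audit_hosts(fh.read()):
            print(f"{hosts_path()}:{lineno}: {name} -> {addr}")
```
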

15:07

Hackers breached the European Commission (The Next Web) [LWN.net]

LWN recently reported on the Trivy compromise that led, in turn, to the compromise of the LiteLLM system; that article made the point that the extent of the problem was likely rather larger than was known. The Next Web now reports that the Trivy attack was used to compromise a wide range of European Commission systems.

The European Union's computer emergency response team said on Thursday that a supply chain attack on an open-source security scanner gave hackers the keys to the European Commission's cloud infrastructure, resulting in the theft and public leak of approximately 92 gigabytes of compressed data including the personal information and email contents of staff across dozens of EU institutions.

14:28

The discourse about WordPress [Scripting News]

I love all the new discourse about WordPress.

It was so quiet until this week, now I'm getting a much better view of the landscape.

I started developing seriously around WordPress almost three years ago. I've been developing this kind of software since the late 80s if you can believe that.

What's missing on the web -- software for writers.

I believe more all the time that WordPress is the natural way to store and present writing on the web and hook up to all the social webs, to actually redefine what a social web is. There should just be one social web, btw -- not 18. If there are 18 and they don't interop, then none of them deserve to call themselves the web. There is only one web, by definition.

The WordPress community has been very introspective, but it's time to make a difference for the whole web, and imho it is prepared to do that.

I want something in between the tiny little text boxes of the twitter-like apps, and the block editor (aka Gutenberg) of WordPress. I think there should be a dozen great editors that work with WordPress and then hopefully every CMS that comes along. Collectively, WordPress has taken too much territory -- writing is very different from site development and administration. I want to start the development of that ecosystem, and help new products get to market with interop and driven by what users/writers want.

I wrote this at bullmancuso yesterday, it was worth repeating here. And if you used to follow me on Twitter, please sign up again from that link. It's my new home there.

10:21

Plumbed [Seth's Blog]

If you want to drink more herbal tea, get a hot water dispenser that keeps it handy and on tap.

On the other hand, if you want to watch less television, disconnect the TV after every viewing session.

Convenience leads to consumption.

06:07

Urgent: Ban Insider Gambling [Richard Stallman's Political Notes]

US citizens: call your members of Congress to Ban Insider Gambling by Government Officials. In my letter I asked for this ban to include all government officials that are sometimes privy to policy decisions not yet publicly announced.

See the instructions for how to sign this letter campaign without running any nonfree JavaScript code--not trivial, but not hard.

US citizens: Join with this campaign to address this issue.

To phone your congresscritter about this, the main switchboard is +1-202-224-3121.

Please spread the word.

Urgent: Fund public schools [Richard Stallman's Political Notes]

US citizens: call on state officials to fund public schools, rather than private or church schools.

See the instructions for how to sign this letter campaign without running any nonfree JavaScript code--not trivial, but not hard.

US citizens: Join with this campaign to address this issue.

Your state's agency-contact information is at USA.gov.

Please spread the word.

US citizens: Ask your congresscritter and senators to block the war-lover from sending over 20,000 bombs to Israel.

See the instructions for how to sign this letter campaign without running any nonfree JavaScript code--not trivial, but not hard.

US citizens: Join with this campaign to address this issue.

To phone your congresscritter about this, the main switchboard is +1-202-224-3121.

Please spread the word.

US destroyed a bridge, Iran [Richard Stallman's Political Notes]

The US bombed and destroyed Iran's biggest bridge.

Of course, the Iranian military will find this somewhat inconvenient, but the bridge was civilian infrastructure and used mainly by civilians. There was no military reason to attack it, and the ruining of the bridge will do nothing to loosen the repression. All it will do is cause general damage and suffering.

Iran has already threatened to retaliate against the Gulf states' civilian infrastructure when it is attacked in this way.

War-phosphorus removes forests, LBN [Richard Stallman's Political Notes]

*Israel using white phosphorus to scorch earth in south Lebanon, researcher says.*

ISR soldiers attack cameraman, West Bank [Richard Stallman's Political Notes]

Israeli soldiers attacked a CNN team that was reporting on Palestinians being attacked in their homes by fanatical right-wing Israelis. The soldiers did nothing to protect the Palestinians, but they treated the CNN team as if it were an enemy unit.

One soldier violently attacked a cameraman.

The army announced that it was totally against its rules and spirit to attack and threaten non-Palestinian journalists, but there was another attack on CNN journalists a week or two ago.

Meanwhile, in Lebanon, Israel killed a journalist team working for a Hezbollah-owned TV station by firing a missile at them.

Israel said this was justified because one of them had previously reported the location of some Israeli soldiers. However, attacking journalists doing journalism is a war crime regardless.

Instant death penalty, ISR [Richard Stallman's Political Notes]

Israel will use military courts to try Palestinian terrorists who kill Israelis, sentence them to death, make it especially easy to convict them, and rush to execute them.

The law has been contrived to discriminate between Palestinian terrorists and Israeli terrorists. However, some of these distortions of justice should never be allowed, regardless of the crime or the circumstances.

*The Guardian view on Israel’s death penalty: capital punishment is always wrong. This new law is doubly so.*

Coffee tree casualties, BRA [Richard Stallman's Political Notes]

Unprecedented floods in Minas Gerais, caused by global heating, are damaging coffee production and driving the price up. (Not to mention killing human beings.)

Krill nets in Southern Ocean [Richard Stallman's Political Notes]

Humans are fishing more and more for krill, the food most whales eat. This threatens to drive whale populations down, just after the decrease in whale hunting enabled them to recover.

I wonder what people do with krill caught by these large boats. I also wonder whether ocean acidification, expected to wipe out crustaceans along with coral, would indirectly wipe out whales too.

SAU conundrum with Iran war policy [Richard Stallman's Political Notes]

Crown Prince Bone Saw, effective ruler of Salafi Arabia, reportedly urged the wrecker to bomb Iran to smithereens.

The name refers to how his henchmen chopped up the body of exiled dissident reporter Jamal Khashoggi after killing him in the Salafi Arabian embassy to Turkey. The prince is a murderous Islamist fanatic, like the rulers of Iran, and there is nothing to choose between them -- or between them and the wrecker.

Pam Bondi, fired! [Richard Stallman's Political Notes]

The bully fired Bondi as attorney general. Good riddance, but will her replacement be even worse?

Robert Reich says he fired her for not succeeding in all the harm he asked her to do.

Volunteer-surveillance initiative, CA [Richard Stallman's Political Notes]

Milpitas, California, will distribute video cameras to residents to enable them to upload videos to the cops when they choose. They will be gratis, but not free in the sense of respecting freedom.

It is proper that uploading will nominally be a decision for the camera owner, rather than for the cops. But unless the software installed in the camera is free/libre, the owners and the public can't be sure that the camera's manufacturer isn't snooping for other reasons of its own, such as tracking everyone by facial recognition.

Uprooting the US Forest Service [Richard Stallman's Political Notes]

The wrecker is planning to uproot the US Forest Service by moving it to a different city and closing its regional offices.

This move, given the basic favoritism towards big business, could enable logging companies to get away with just about anything. I suppose that is its motive.

If the agency were already centralized, moving its center to the Rockies could indeed bring that center closer to the majority of the forests. But closing the regional offices will have the opposite effect, just about all over the country.

02:21

Dima Kogan: Simple gpx export from ridewithgps [Planet Debian]

The Tour de Los Padres is coming! The race organizer posts the route on ridewithgps. This works, but has convoluted interfaces for people not wanting to use their service. I just wrote a simple script to export their data into a plain .gpx file, including all the waypoints. Their exporter omits those.

The gpx-from-ridewithgps.py script:

#!/usr/bin/python3
import sys
import json

def quote_xml(s):
    return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")

print("Reading stdin", file=sys.stderr)

data = json.load(sys.stdin)

print(r"""<?xml version="1.0" encoding="UTF-8"?>
<gpx version="1.1" creator="gpx-from-ridewithgps.py" xmlns="http://www.topografix.com/GPX/1/1">""")

for item in data["extras"]:
    if item["type"] != "point_of_interest":
        continue
    poi = item["point_of_interest"]
    print(f'  <wpt lat="{poi["lat"]}" lon="{poi["lng"]}">')
    print(f'    <name>{quote_xml(poi["name"])}</name>')

    desc = poi.get("description","")
    if len(desc):
        print(f'    <desc>{quote_xml(desc)}</desc>')
    print(f'  </wpt>')

print("  <trk><trkseg>")
for pt in data.get("route", {}).get("track_points", []):
    print(f'    <trkpt lat="{pt["y"]}" lon="{pt["x"]}"><ele>{pt["e"]}</ele></trkpt>')
print("  </trkseg></trk>")

print("</gpx>")

You invoke it by downloading the route and feeding it into the script:

curl -s https://ridewithgps.com/routes/54493422.json | ./gpx-from-ridewithgps.py > out.gpx

Note that the route number 54493422 is in the url above. I uploaded this to caltopo for analysis, and easy downloading by others:

https://caltopo.com/m/DB6HBQ1
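The script above escapes only `&`, `<` and `>` in text nodes and copies `lat`, `lon` and `ele` from the downloaded JSON into the output unchecked. As an added example (not Dima Kogan's script), here is the same conversion built with ElementTree, which escapes both attributes and text, plus numeric validation of every coordinate; the function names, the `creator` value, the elevation bound and the sample JSON are constructed for illustration.

```python
import json
import math
import re
import xml.etree.ElementTree as ET

GPX_NS = "http://www.topografix.com/GPX/1/1"
# Characters XML 1.0 forbids even when escaped (NUL, most C0 controls, ...)
_XML_ILLEGAL = re.compile("[^\x09\x0a\x0d\x20-\ud7ff\ue000-\ufffd\U00010000-\U0010ffff]")

# Constructed sample in the shape the script above reads; it is not real route data.
SAMPLE_JSON = r'''
{
  "extras": [
    {"type": "point_of_interest",
     "point_of_interest": {"lat": 34.5, "lng": -119.25,
                           "name": "Water <cache> & \"spring\"\u0007",
                           "description": "Filter it</desc><wpt lat=\"0\" lon=\"0\">"}},
    {"type": "point_of_interest",
     "point_of_interest": {"lat": "34.6\" foo=\"bar", "lng": -119.3,
                           "name": "Bad coordinate"}},
    {"type": "photo", "photo": {}}
  ],
  "route": {"track_points": [
    {"x": -119.25, "y": 34.5, "e": 1200.5},
    {"x": -119.26, "y": 91.0, "e": 1210.0},
    {"x": -119.27, "y": 34.52}
  ]}
}
'''


def _q(tag):
    """Qualify a tag name with the GPX 1.1 namespace."""
    return f"{{{GPX_NS}}}{tag}"


def _coord(value, limit):
    """Return value as a float within [-limit, limit], else None."""
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return None  # strings, lists, null: never written into an attribute
    if abs(value) > limit or not math.isfinite(value):
        return None  # out of range, NaN or Infinity (Python's json accepts both)
    return float(value)


def _text(value):
    """Drop characters that would make the document ill-formed XML."""
    return _XML_ILLEGAL.sub("", str(value))


def route_to_gpx(data):
    """Return (gpx_document, skipped_point_count) for a ridewithgps-style dict."""
    ET.register_namespace("", GPX_NS)
    gpx = ET.Element(_q("gpx"), {"version": "1.1", "creator": "gpx-hardened-example"})
    skipped = 0

    for item in data.get("extras", []):
        if item.get("type") != "point_of_interest":
            continue
        poi = item.get("point_of_interest", {})
        lat, lon = _coord(poi.get("lat"), 90), _coord(poi.get("lng"), 180)
        if lat is None or lon is None:
            skipped += 1
            continue
        wpt = ET.SubElement(gpx, _q("wpt"), {"lat": repr(lat), "lon": repr(lon)})
        ET.SubElement(wpt, _q("name")).text = _text(poi.get("name", ""))
        if poi.get("description"):
            ET.SubElement(wpt, _q("desc")).text = _text(poi["description"])

    seg = ET.SubElement(ET.SubElement(gpx, _q("trk")), _q("trkseg"))
    for pt in data.get("route", {}).get("track_points", []):
        lat, lon = _coord(pt.get("y"), 90), _coord(pt.get("x"), 180)
        if lat is None or lon is None:
            skipped += 1
            continue
        trkpt = ET.SubElement(seg, _q("trkpt"), {"lat": repr(lat), "lon": repr(lon)})
        ele = _coord(pt.get("e"), 100000)  # assumed sanity bound in metres
        if ele is not None:
            ET.SubElement(trkpt, _q("ele")).text = repr(ele)

    body = ET.tostring(gpx, encoding="unicode")
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + body, skipped


if __name__ == "__main__":
    document, dropped = route_to_gpx(json.loads(SAMPLE_JSON))
    print(document)
    print(f"skipped {dropped} points with unusable coordinates")
```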

00:49

Isoken Ibizugbe: Post Outreachy Activities [Planet Debian]

It’s been about a month since I wrapped up my Outreachy internship, but my journey with Debian is far from over. I planned to keep contributing and exploring the community, and these past few weeks have been busy.

Testing Locales and Solving Bug #1111214

For the openQA project, we decided to explore how accurate local language installations are and see if we can improve the translations. While exploring this, I started working on automating a test for a specific bug report: Debian Bug #1111214

This is a test I had started by writing a detailed description of the installation process to confirm that selecting the Spanish_panama locale works accurately. I spent time studying previous language installation tests, and I learned that I needed to add a specific tag (LANGUAGE-) to the “needles” (visual test markers).

Since the installation wasn’t in English anymore, taking the correct screenshots and defining the areas took quite some time. I used the following command on the CLI to run the test:

`openqa-cli api -X POST isos ISO=debian-live-testing-amd64-gnome.iso DISTRI=debian-live VERSION=forky FLAVOR=gnome LANGUAGE=spanish_panama ARCH=x86_64 BUILD=1311 CHECKSUM=unknown`

While working on this, I got stuck at the complete_installation step. Because the keyboard layout had changed to Spanish, the commands required to confirm a successful install weren’t working as expected. Specifically, we had an issue typing the “greater than” sign (>).

My mentor, Roland Clobus, worked on a clever maneuver for the keys (AltGr-Shift-X), which was actually submitted upstream to openSUSE.

In this step, I also had to confirm that the locale was correctly set to LANG="es_PA.UTF-8". I had to dig into the scripts and Linux commands to make this work. It was a bit intimidating at first, but it turned out to be a great learning experience. You can follow my progress on this Merge Request here. I’m currently debugging a small issue where the “home” key seems to click twice in the final step, and after that, the test would be complete 😀.

Community & Connections

Beyond the code, I’ve been getting more involved in the social side of Debian:

  • Debian Women: I attended the monthly meeting and met Sruthi Chandran. I’ve always seen her name as an Outreachy organizer, so it was great to meet her! She is currently running for Debian Project Leader (DPL). We also discussed starting technical sessions to introduce members to packaging, which I am very excited to learn.
  • DebConf Preparation: I am officially preparing for my first DebConf! My mentors, Tassia and Roland, along with my fellow intern Hellen, have been incredibly supportive in guiding me through the application and presentation process.

00:42

Link [Scripting News]

Sometimes I put test posts on my blog. This is one of those times. Still diggin, amazingly -- in 2026. What makes this post different is that 1. It's a singular item, ie there is no title, and just one paragraph. It's a collection of sentences not paragraphs. 2. It has a right margin image. I have to test this specific case. It has to go on a certain length so that the image that appears in the right margin doesn't leak over to the next item, and the image should be small so it doesn't require so much text to keep it out of the next post. And now I believe I have entered enough text.

Saturday, 04 April

17:49

Today I Am Ten, or, the Miracle of ScalziYears [Whatever]

And you say to yourself, what? Scalzi, you are not ten years old today! You are just barely a month away from being 57! The only juvenile you are is juvenile elderly! Stop being a faker, you faker!

To which I respond: Yes, I am fifty-six and eleven(ish) months old… on Earth. But as you know, I have a minor planet named after me, and its orbital period is just a shade under 5.7 earth years long. If you were to position 52692 Johnscalzi (1998 FO8) on the day of my birth, today is the day it would have made its tenth complete orbit since then. Thus, ten ScalziYears. Today, I am ten ScalziYears old.

How will I celebrate such a momentous occasion? As it happens I have a gathering of friends at the church today. It’s for something else entirely but I might bring a cake anyway. And otherwise, I’m taking it easy. It’s nice that this time around it slots in just between Good Friday and Easter. Easter Saturday always feels a little left out of the holiday swing of things, I’m glad this year to give something to do.

My next ScalziYear birthday will be December 12, 2031, so you have lots of time to prepare. Get ready!

— JS

PS: that coin with my asteroid’s orbit on it was given to me by a fan at the San Antonio Pop Madness convention (whose name escapes me at the moment but they can certainly announce themselves in the comments), and it was super-cool to get it. The other side of the coin is just as awesome:

I have the best fans, honestly.

17:07

When Trump appeared on Twitter [Scripting News]

Excellent podcast discussion with Jon Stewart and Heather Cox Richardson. I desperately wanted to get in the conversation. I think they missed something important and came soooo close. Trump isn't only a TV star, he's a blogger. Comes naturally to him. Why wasn't Obama transformative in the same way? First black president. You get to be the first black president by being utterly brilliant and infinitely careful. There wasn't a single spontaneous moment in his presidency, though there were scripted moments when playing that role. And some amazingly brilliant speech-making. He's perfect, but that's because there were severe limits on what he could get away with.

On the web the ethos is "Come as you are, we're just folks." That's not Obama.

Who also had to be hugely careful? Hillary Clinton and Kamala Harris. Not Joe Biden who's famous for his gaffes.

Trump doesn't give a shit what you think, that's why he's so good on Twitter. Trump was a TV star but right now it's more important to be a natural born blogger.

I was beating this drum ever since Trump appeared on Twitter. We need to be much better at this. We're still in the hole. At least Newsom knows there's a problem but imho he isn't the answer. We need someone who's bitter and funny, like Joan Rivers or Don Rickles. You don't need to understand government or politics, just show up and be a kind of lovable asshole 24 hours a day.

People could relate to Trump. Trump, even though he's not a great dancer, doesn't mind doing it if you think it's funny. He's a total entertainment package. Very random.

Wouldn't hurt for the next Dems to find someone like that. Hopefully not to run for president.

HCR said Trump was Cuckoo for Cocoa Puffs -- I LOL'd totally.

14:21

Robert Smith: Idiomatic Lisp and the nbody benchmark [Planet Lisp]

When talking to Lisp programmers, you often hear something like, “adapt Lisp to your problem, not your problem to Lisp.” The basic idea is this: if Lisp doesn’t let you easily write a solution to your problem because it lacks some fundamental constructs that make expressing solutions easy, then add them to Lisp first, then write your solution.

That sounds all good and well in the abstract, and maybe we could even come up with some toy examples—say, defining HTTP request routing logic in a nice DSL. But where’s a real example of this that’s not artificial or overengineered?

Recently, on Twitter, I butted into the middle of an exchange between @Ngnghm (a famous Lisp programmer) and @korulang (an account dedicated to a new language called Koru) about Lisp. I’m oversimplifying, but it went something like this:

  • Lisp is slow.
  • No it’s not!
  • Yes it is!
  • No it’s not!
  • Then prove it!

Now, there’s plenty of evidence online that Common Lisp has reasonably good compilers that produce reasonably good machine code, and so the question became more nuanced: Can Lisp be realistically competitive with C without ending up being a mess of unidiomatic code?

Our interlocutor @korulang proposed a benchmark, the “nbody” benchmark from the Computer Language Benchmarks Game. This was of particular interest to them, because they used it as an object of study for their Koru language. To quote their blog post:

We wanted Koru kernels to land in the same ballpark as idiomatic C, Rust, and Zig.

The result was stronger than that.

Our fused n-body kernel, written in straightforward Koru kernel style, came in faster than the plain reference implementations. Every implementation here is "naive" — the obvious, idiomatic version a competent programmer would write in each language. No tricks, no hand-tuning, no -ffast-math: […]

and they proceeded to show Koru being 14% faster than C and 106% faster than Lisp.

Now, putting aside that some of the code and blog post were written with LLMs, there are many questions that are left unanswered here, since computer architecture and operating system matter a lot (where did these benchmarks run?). Moreover, the author buries the lede a little bit and proceeds to show how we might write “unidiomatic” C to match the performance of Koru.

I’m not concerned about nitpicking their approach or rigorously evaluating their claims, but I would like to dwell on this common refrain: “idiomatic”. What is that supposed to mean?

“Idiomatic code” in the context of programming means something like “representative of a fluent computer programmer” and “aligned with the peculiar characteristics of the language”. In some sense, idiomatic code in a particular language shouldn’t stand out amongst other code in that language, and idiomatic code should, in some sense, portray the identity of the language itself.

Idiomatic C is the C that uses terse names, simple loops, and unsafe arithmetic.

Idiomatic Haskell is the Haskell that uses short functions, higher-order abstractions, immutable data structures, and safe constructs.

What about idiomatic Lisp? Well, here’s the rub. A fluent programmer at Lisp doesn’t reach for one paradigmatic toolbox; they weave in and out of imperative, functional, object-oriented, etc. styles without much of a second thought. There’s a sort of “meta” characteristic to Lisp programming: you’re programming the language almost as much as you’re programming the program.

Yes, Lisp has loops, but “loopy code” isn’t intrinsically “Lispy code”. Yes, Lisp has objects, but “OOPy code” isn’t intrinsically “Lispy code”. In my opinion, what makes code “Lispy” is whether or not the programmer used Lisp’s metaprogramming and/or built-in multi-paradigm facilities to a reasonable degree to make the solution to their problem efficient and easy to understand in some global sense. For some problems, that may be “loopy” or “OOPy” or something else. It’s finding a Pareto-efficient syntactic and semantic combination offered by the language, or perhaps one of the programmer’s own creation.

So we get back to the @korulang benchmark challenge. Looking at their repository:

  • nbody.c looks like idiomatic C;
  • nbody.hs looks like wildly unidiomatic Haskell, but the problem is, the idiomatic version would probably be slower;
  • nbody.lisp looks reasonable, though it could easily be improved, but loopy; and
  • The Koru solution kernel_fused.kz looks idiomatic, as far as I can tell for not knowing anything about Koru.

I hesitate to say nbody.lisp is idiomatic. It’s reasonable, it’s straightforward to any imperative-minded programmer, but it’s not Lispy. That doesn’t make it good or bad, but it does lead to the grand question:

Can we use Common Lisp to express a solution to the nbody benchmark in a way that reads more naturally than a direct-from-C port?

I would say that, at face value, Koru’s solution is along the lines of what is more natural relative to the problem itself. Here are the essential bits.

~std.kernel:shape(Body) {
    x: f64, y: f64, z: f64,
    vx: f64, vy: f64, vz: f64,
    mass: f64,
}
~std.kernel:init(Body) {
    { x: 0, y: 0, z: 0, vx: 0, vy: 0, vz: 0, mass: SOLAR_MASS },
    { x: 4.84143144246472090e+00, y: -1.16032004402742839e+00, z: -1.03622044471123109e-01, vx: 1.66007664274403694e-03 * DAYS_PER_YEAR, vy: 7.69901118419740425e-03 * DAYS_PER_YEAR, vz: -6.90460016972063023e-05 * DAYS_PER_YEAR, mass: 9.54791938424326609e-04 * SOLAR_MASS },
    { x: 8.34336671824457987e+00, y: 4.12479856412430479e+00, z: -4.03523417114321381e-01, vx: -2.76742510726862411e-03 * DAYS_PER_YEAR, vy: 4.99852801234917238e-03 * DAYS_PER_YEAR, vz: 2.30417297573763929e-05 * DAYS_PER_YEAR, mass: 2.85885980666130812e-04 * SOLAR_MASS },
    { x: 1.28943695621391310e+01, y: -1.51111514016986312e+01, z: -2.23307578892655734e-01, vx: 2.96460137564761618e-03 * DAYS_PER_YEAR, vy: 2.37847173959480950e-03 * DAYS_PER_YEAR, vz: -2.96589568540237556e-05 * DAYS_PER_YEAR, mass: 4.36624404335156298e-05 * SOLAR_MASS },
    { x: 1.53796971148509165e+01, y: -2.59193146099879641e+01, z: 1.79258772950371181e-01, vx: 2.68067772490389322e-03 * DAYS_PER_YEAR, vy: 1.62824170038242295e-03 * DAYS_PER_YEAR, vz: -9.51592254519715870e-05 * DAYS_PER_YEAR, mass: 5.15138902046611451e-05 * SOLAR_MASS },
}
| kernel k |>
std.kernel:step(0..iterations)
|> std.kernel:pairwise {
    const dx = k.x - k.other.x;
    const dy = k.y - k.other.y;
    const dz = k.z - k.other.z;
    const dsq = dx*dx + dy*dy + dz*dz;
    const mag = DT / (dsq * @sqrt(dsq));
    k.vx -= dx * k.other.mass * mag;
    k.vy -= dy * k.other.mass * mag;
    k.vz -= dz * k.other.mass * mag;
    k.other.vx += dx * k.mass * mag;
    k.other.vy += dy * k.mass * mag;
    k.other.vz += dz * k.mass * mag;
}
|> std.kernel:self {
    k.x += DT * k.vx;
    k.y += DT * k.vy;
    k.z += DT * k.vz;
}
| computed c |>
capture({ energy: @as(f64, 0) })
| as acc |>
for(0..5)
| each i |>
captured { energy: acc.energy + 0.5*c[i].mass*(c[i].vx*c[i].vx+c[i].vy*c[i].vy+c[i].vz*c[i].vz) }
|> for(i+1..5)
| each j |>
captured { energy: acc.energy - c[i].mass*c[j].mass / @sqrt((c[i].x-c[j].x)*(c[i].x-c[j].x)+(c[i].y-c[j].y)*(c[i].y-c[j].y)+(c[i].z-c[j].z)*(c[i].z-c[j].z)) }
| captured final |>
std.io:print.blk {
{{ final.energy:d:.9 }}
}

Can we achieve something similar in Lisp?

First, let’s make a baseline. I’m running Ubuntu Noble with an “AMD RYZEN AI MAX+ PRO 395” with a clock speed that varies between 0.6-5 GHz. I am also using SBCL 2.6.3 and gcc 13.3. Using nbody.lisp as a starting point, I modified it for a few easy wins. I’ll call this version nbody-lisp-conventional. A quick benchmark reveals that the loopy Lisp code is only about 20% slower than the C code compiled with gcc -O3 -ffast-math -march=native.

$ ./nbody-lisp-conventional 50000000
-0.169286396
timing: 2000 ms
$ ./nbody-c 50000000
-0.169286396
timing: 1662 ms

As a Lisp programmer, it’s not surprising that it’s a little slower. The number of person-years that have gone into C compilers to optimize idiomatic C code makes the development effort behind SBCL, the most popular open-source Lisp compiler, look like a rounding error.

Now that we have a baseline, our goal is to come up with a nicer Lisp program that also improves the timing.

Our approach will be simple. We will create a library.lisp that contains new language constructs of a similar ilk to Koru, and we will use them to implement the nbody benchmark in impl.lisp. Some rules:

  • No compile-time precomputation or caching. I can’t just compute the answer at compile time, or cache a sub-computation that makes the full one trivial.
  • No fundamental algorithm changes. I can’t use a different integrator, for example.
  • Using assembly is allowed, but it must only make use of the facilities offered by the Lisp compiler (i.e., no external tools), and the implementation of nbody itself must be understandable without knowing assembly. In other words, it should be sufficiently hidden, and in principle easily substitutable with portable code.
  • Library code must be in principle useful for other similar tasks. It should not be hyper-specialized to this specific problem instance, but instead be useful for this general class of problems.

The third rule is more rigorous than it looks. It means we can’t just have a solve-nbody problem which dispatches to assembly.

To accomplish the above, we define a kernel DSL. The DSL allows us to express how elements of a composite transform, maintaining just enough invariants to allow them to be handled efficiently. These kernels are then compiled into efficient code, more efficient than ordinary loopy Lisp allows for.

Our attention will be focused on a proof-of-concept library of functionality for writing particle simulators. The operators we define are:

  • define-kernel-shape: Define the data to be transformed by each kernel. This would be the data to characterize the static and dynamic properties of a particle in motion, as well as the number of particles under consideration.
  • define-kernel-step: Define a kernel as a sequence of existing ones.
  • define-self-kernel: Define a read-write kernel that operates on each element independently, without access to other elements (i.e., a map operation).
  • define-pairwise-kernel: Define a read-write kernel that operates on all pairs of elements, reduced by symmetry (i.e., (i,j) and (j,i) are considered only once).
  • define-reduction-kernel: Define a read-only kernel that does reduction of a sequence into a single value (i.e., a reduce operation).

This collection of five operators forms a miniature, re-usable language. These broadly recapitulate those of Koru, and allow us to write something that looks like this:

(defconstant +solar-mass+ (* 4d0 pi pi))
(defconstant +days-per-year+ 365.24d0)
(defconstant +dt+ 0.01d0)
(define-kernel-shape body 5
  x y z vx vy vz mass)
(defparameter *system*
  (make-body-system
   (list :x 0d0 :y 0d0 :z 0d0
         :vx 0d0 :vy 0d0 :vz 0d0
         :mass +solar-mass+)
   ...))
(define-pairwise-kernel advance-forces (s body dt)
  (let* ((dx (- i.x j.x))
         (dy (- i.y j.y))
         (dz (- i.z j.z))
         (dsq (+ (+ (* dx dx) (* dy dy)) (* dz dz)))
         (mag (/ dt (* dsq (sqrt dsq)))))
    (let ((dm-j (* mag j.mass))
          (dm-i (* mag i.mass)))
      (decf i.vx (* dx dm-j))
      (decf i.vy (* dy dm-j))
      (decf i.vz (* dz dm-j))
      (incf j.vx (* dx dm-i))
      (incf j.vy (* dy dm-i))
      (incf j.vz (* dz dm-i)))))
(define-self-kernel advance-positions (s body dt)
  (incf self.x (* dt self.vx))
  (incf self.y (* dt self.vy))
  (incf self.z (* dt self.vz)))
(define-reduction-kernel (energy e 0d0) (s body)
  (:self
   (+ e (* (* 0.5d0 self.mass)
           (+ (+ (* self.vx self.vx) (* self.vy self.vy))
              (* self.vz self.vz)))))
  (:pair
   (let* ((dx (- i.x j.x))
          (dy (- i.y j.y))
          (dz (- i.z j.z)))
     (- e (/ (* i.mass j.mass)
             (sqrt (+ (+ (* dx dx) (* dy dy))
                      (* dz dz))))))))
(define-kernel-step run-simulation (system body n :params ((dt double-float)))
  (advance-forces dt)
  (advance-positions dt))

Well, in fact, this isn’t an ideal approximation, it’s almost exactly how it turned out. Given this is a proof of concept, we sometimes have to write some Lisp things a little funny. For example, you’ll notice we write:

(+ (+ (* dx dx) (* dy dy)) (* dz dz))

instead of the far more readable

(+ (* dx dx) (* dy dy) (* dz dz))

Both are completely valid and both can be used. So why the former? It is a result of a limitation of a little feature I built in: auto-vectorization. The vectorizer walks the mathematical expressions and replaces them with fast SIMD variants instead. Here’s a little fragment showing this rewrite rule:

...
(case (car expr)
  ;; (+ a (* b c)) -> fmadd(a,b,c)
  ((+)
   (let ((args (cdr expr)))
     (cond
       ((and (= (length args) 2) (mul-p (second args)))
        `(%%fmadd-pd ,(xf (first args))
                     ,(xf (second (second args)))
                     ,(xf (third (second args)))))
...

The implementation of these kernel macros in library.lisp weighs in at just under 700 lines, and includes optional x64 SIMD auto-vectorization.

Well, for the nail biting moment, how does it compare? I made a Makefile that compares the idiomatic C against the loopy Lisp against our kernel DSL Lisp. It does a median-of-3. Running this on my computer gives:

$ make bench
=== C (gcc -O3 -ffast-math) ===
-0.169286396
runs: 1657 1664 1653 ms
median: 1657 ms
=== Lisp (SBCL, conventional loops) ===
-0.169286396
runs: 1991 2009 2005 ms
median: 2005 ms
=== Lisp (SBCL, kernel syntax) ===
-0.169286396
runs: 1651 1651 1652 ms
median: 1651 ms

So, in fact, we have matched the performance of C almost exactly. Furthermore, the generated code is still not as lean as it could be. Not to put too fine a point on it, but, <100 lines of Lisp, supported by

  • 700 lines of library code and about 4 hours of my time; and
  • 500k lines of its host compiler sbcl

has performance parity and greater readability/reusability than <100 lines of C, supported by

  • ~5,000k lines of just the C part of its host compiler gcc.

None of this is to make an argument that Lisp is “better”, or that there isn’t merit to avoiding custom DSLs in certain circumstances, or that the world doesn’t have room for more custom home-grown compilers and parsers, but I think this is the clearest possible, quasi-realistic demonstration that idiomatic Lisp can be as fast as idiomatic C without tremendous work, whilst netting additional benefits unique to Lisp.

All code is available here.

ECL News: ECL 26.3.27 release [Planet Lisp]

We are announcing a new stable ECL release. This release highlights:

  • bytecodes closures are now faster and avoid capturing unused parts of the lexical environment
  • improvements to the native compiler, including better separation between compiler frontend and backend, reduced function call overhead, more aggressive dead code elimination and many internal improvements and bug fixes
  • hash table implementation improvements and bug fixes for collisions
  • streams: extensions EXT:PEEK-BYTE, EXT:UNREAD-BYTE, GRAY:STREAM-PEEK-BYTE and GRAY:STREAM-UNREAD-BYTE, bugfixes and implementation refactor
  • the codebase has been updated to conform to the C23 standard
  • simplified procedure for cross-compiling ECL itself
  • support for cross-compilation of Common Lisp code to different targets using a new :TARGET option for COMPILE-FILE
  • some fixes for the emscripten target

The release also incorporates many other bug fixes and performance improvements as well as an updated manual. We'd like to thank all people who contributed to ECL with code, testing, issue reports and otherwise.

People listed here contributed code in this iteration: Daniel Kochmański, Marius Gerbershagen, Tarn W. Burton, Kirill A. Korinsky, Dmitry Solomennikov, Kevin Zheng, Mark Shroyer and Sebastien Marie.

People listed here did extensive release candidate testing on various platforms: Marius Gerbershagen, Daniel Kochmański, Dima Pasechnik, Matthias Köppe, Jeremy List, Mark Damon Hughes and Paul Ruetz.

This release is available for download in a form of a source code archive (we do not ship prebuilt binaries):

Finally, a note on the release schedule: ECL releases often take some time to come out, partially because we do extensive testing against supported platforms and existing libraries to find regressions. In the meantime all improvements are incrementally incorporated in the branch develop. It is considered stable and it is tested and reviewed with necessary diligence. If the release cycle is too slow for your needs, then we suggest following the branch develop for the most recent changes.

Happy Hacking,
The ECL Developers

Robert Smith: Beating Bellard's formula [Planet Lisp]

By Robert Smith

Fabrice Bellard came up with a computationally efficient formula for calculating the $n$th hexadecimal digit of $\pi$ without calculating any of the previous $n-1$. It’s called Bellard’s formula. It wasn’t the first of its kind, but in terms of computational efficiency, it was a substantial improvement over the original, elegant Bailey-Borwein-Plouffe formula. Due to the trio’s discovery, these formulas are often called BBP-type formulas.

Over the years, numerous BBP-type formulas have been discovered. In fact, Bailey gives us a recipe to search for them using integer-relation algorithms. In simple terms, we can just guess formulas, and run a computation to see if it likely equals $\pi$ with high confidence. If we do find one, then we can use it as a conjecture to prove formally.

Like Bellard and many others, I ran a variant of Bailey’s recipe, effectively doing a brute-force search, highly optimized and in parallel. The search yielded another formula that is computationally more efficient than Bellard’s formula. The identity is as follows:

$$ \pi = \sum_{k=0}^{\infty} \frac{1}{4096^k} \left( \frac{1}{6k+1} - \frac{2^{-5}}{6k+3} + \frac{2^{-8}}{6k+5} + \frac{2}{8k+1} - \frac{2^{-5}}{8k+5} + \frac{2^{-1}}{12k+3} - \frac{2^{-4}}{12k+7} - \frac{2^{-8}}{12k+11} \right). $$

It converges at a rate of 12 bits per term. We will prove convergence, and then prove the identity itself (with a little computer assistance). As it turns out, an equivalent form of this formula was already discovered, which we will discuss as well. Finally, we’ll show a very simple implementation in Common Lisp.

Proof of convergence

Write the series as $S := \sum_{k=0}^{\infty} 4096^{-k}R(k)$. Since $R(k)\in O(1/k)$, convergence is dominated by the geometric term $4096^{-k}$:

$$ \lim_{k \to \infty} \left\vert \frac{R(k+1)}{4096^{k+1}} \middle/ \frac{R(k)}{4096^{k}} \right\vert = \frac{1}{4096}. $$

By the ratio test, the series converges absolutely. Since $4096 = 2^{12}$, each additional term contributes exactly 12 bits of precision.

Bellard’s formula converges at 10 bits per term and requires the evaluation of 7 fractions. The above converges at 12 bits per term, and requires the evaluation of 8 fractions. So while we require 20% fewer terms, each term requires about 14% more arithmetic. So, net-net, this formula is approximately 5-6% more efficient.

Proof of identity via a definite integral

Consider $1/(nk+j) = \int_{0}^{1} x^{nk+j-1} dx$. For positive integers $n$ and $b$, we get

$$ \sum_{k=0}^{\infty} \frac{1}{b^k}\cdot\frac{1}{nk+j} = \sum_{k=0}^{\infty} \int_{0}^{1} \left(\frac{x^n}{b}\right)^k x^{j-1} dx. $$

We can swap the sum and integral via the Lebesgue dominated convergence theorem, since the power series $\sum (x^n/b)^k$ converges uniformly for $x \in [0, 1]$ and $b > 1$. Using this and summing the geometric series gives:

$$ \int_{0}^{1} x^{j-1} \sum_{k=0}^{\infty} \left(\frac{x^n}{b}\right)^k dx = \int_{0}^{1} \frac{x^{j-1}}{1 - x^n/b} dx. $$

We now apply this to $S$ termwise with $b=4096=2^{12}$:

$$ S = \int_0^1 \left( \frac{x^{0}}{1 - \frac{x^6}{2^{12}}} - 2^{-5} \frac{x^{2}}{1 - \frac{x^6}{2^{12}}} + 2^{-8} \frac{x^{4}}{1 - \frac{x^6}{2^{12}}} + 2 \frac{x^{0}}{1 - \frac{x^8}{2^{12}}} - 2^{-5} \frac{x^{4}}{1 - \frac{x^8}{2^{12}}} + 2^{-1} \frac{x^{2}}{1 - \frac{x^{12}}{2^{12}}} - 2^{-4} \frac{x^{6}}{1 - \frac{x^{12}}{2^{12}}} - 2^{-8} \frac{x^{10}}{1 - \frac{x^{12}}{2^{12}}} \right) dx. $$

At this point, you could try to algebra your way through, expanding, using the substitution $x=2u$, etc. ultimately yielding a nice denominator $(u^2\pm 2u+2)(u^6-64)(u^{12}-1)$. Maybe compute some residues. Or, just CAS your way through.

% fricas
FriCAS Computer Algebra System
Version: FriCAS 2025.12.23git built with sbcl 2.5.2.1852-1f3beec71
Timestamp: Wed Mar 4 12:41:38 EST 2026
-----------------------------------------------------------------------------
Issue )copyright to view copyright notices.
Issue )summary for a summary of useful system commands.
Issue )quit to leave FriCAS and return to shell.
-----------------------------------------------------------------------------
(1) -> f := (1/(1 - x^6/4096))
            - (1/32)*x^2/(1 - x^6/4096)
            + (1/256)*x^4/(1 - x^6/4096)
            + 2*1/(1 - x^8/4096)
            - (1/32)*x^4/(1 - x^8/4096)
            + (1/2)*x^2/(1 - x^12/4096)
            - (1/16)*x^6/(1 - x^12/4096)
            - (1/256)*x^10/(1 - x^12/4096);
                                Type: Fraction(Polynomial(Fraction(Integer)))
(2) -> normalize(integrate(f, x = 0..1))
               3           1           11           19           1
   (2)  2 atan(-) - 2 atan(-) + 2 atan(--) + 2 atan(--) + 2 atan(-)
               2           2           24           48           4
                                          Type: Expression(Fraction(Integer))

So now we just need to show the arctans all collapse to $\pi$. Recall the identity

$$ \tan^{-1} a \pm \tan^{-1} b = \tan^{-1}\left(\frac{a\pm b}{1\mp ab}\right). $$

The sum of the first four terms can be calculated easily in Common Lisp:

% sbcl --no-inform
* (defun combine (a b) (/ (+ a b) (- 1 (* a b))))
COMBINE
* (reduce #'combine '(3/2 -1/2 11/24 19/48))
4

So we have $2\big(\tan^{-1}4 + \tan^{-1}(1/4)\big)$, and with our final elementary trig identity $\tan^{-1} (a/b) = \pi/2 - \tan^{-1} (b/a)$, we find $S = \pi$.

A new discovery?

Of course, I was excited to find this formula, but after some internet spelunking, it turns out it had already been discovered by Géry Huvent and Boris Gourévitch, perhaps independently. Gourévitch doesn’t credit Huvent as he does with other formulas, but he does say “[…] furthermore, we can obtain BBP formula […] by using what Gery Huvent calls the denomination tables […].” Daisuke Takahashi cites Huvent’s website in this 2019 paper published in The Ramanujan Journal. In all cases, they write the formula in the following way:

$$ \frac{1}{128} \sum _{k=0}^{\infty} \frac{1}{2^{12k}}\left( \frac{768}{24 k+3}+\frac{512}{24k+4}+\frac{128}{24 k+6}-\frac{16}{24 k+12}-\frac{16}{24 k+14}-\frac{12}{24 k+15}+\frac{2}{24 k+20}-\frac{1}{24 k+22}\right), $$

which is structurally equivalent to $S$.

Despite having been known already, this formula doesn’t appear to be well known. As such, I hope this blog post brings more attention to it.

Simple implementation

Here is a simple implementation of digit extraction using BBP-type formulas in Common Lisp:

;; Working precision of the fixed-point accumulator, and the extra bits used
;; when bounding the number of series terms. The post does not show these
;; definitions; the values here are assumed.
(defvar *precision-bits* 64)
(defvar *guard-bits* 16)

(defun %pow2-mod (exponent modulus)
  ;; 2^EXPONENT mod MODULUS by binary (square-and-multiply) exponentiation.
  (cond
    ((= modulus 1) 0)
    ((zerop exponent) 1)
    (t
     (let ((result 1)
           (base (mod 2 modulus))
           (e exponent))
       (loop :while (plusp e) :do
         (when (oddp e)
           (setf result (mod (* result base) modulus)))
         (setf base (mod (* base base) modulus)
               e (ash e -1)))
       result))))

(defun %scaled-frac-of-power-two (exponent denom)
  ;; Fractional part of 2^EXPONENT / DENOM as a truncated fixed-point
  ;; integer scaled by 2^*PRECISION-BITS*.
  (cond
    ((>= exponent 0)
     (let ((residue (%pow2-mod exponent denom)))
       (floor (ash residue *precision-bits*) denom)))
    (t
     (let ((effective-bits (+ *precision-bits* exponent)))
       (if (minusp effective-bits)
           0
           (floor (ash 1 effective-bits) denom))))))

(defun %series-scaled-frac (bit-index bbp-series k-step global-shift alternating-p)
  ;; A series is a list of series terms. A series term is a quadruple
  ;; (SIGN SHIFT DENOM-MULTIPLIER DENOM-OFFSET) representing the summand
  ;; SIGN * 2^SHIFT / (DENOM_MULTIPLIER * k + DENOM_OFFSET).
  (let* ((modulus (ash 1 *precision-bits*))
         (max-shift (loop :for term :in bbp-series :maximize (second term)))
         (k-max (max 0 (ceiling (+ bit-index ; conservative bound
                                   global-shift
                                   max-shift
                                   *precision-bits*
                                   *guard-bits*)
                                k-step))))
    (loop :with acc := 0
          :for k :from 0 :to k-max :do
            (let ((k-sign (if (and alternating-p (oddp k)) -1 1))
                  (k-factor (* k-step k)))
              (dolist (term bbp-series)
                (destructuring-bind (term-sign shift den-mul den-add) term
                  (let* ((denom (+ den-add (* den-mul k)))
                         (exponent (+ bit-index global-shift shift (- k-factor)))
                         (piece (%scaled-frac-of-power-two exponent denom))
                         (signed (* k-sign term-sign)))
                    (when (plusp piece)
                      (setf acc (mod (+ acc (* signed piece)) modulus)))))))
          :finally (return acc))))

(defun %nth-hex-from-series (n terms k-step global-shift alternating-p)
  ;; Hex digit N is the top 4 bits of the fractional part at bit index 4N.
  (let* ((bit-index (* 4 n)))
    (ldb (byte 4 (- *precision-bits* 4))
         (%series-scaled-frac bit-index
                              terms
                              k-step
                              global-shift
                              alternating-p))))

This implementation uses Lisp’s arbitrary precision integer arithmetic. A “real” implementation would use more efficient arithmetic, but this will suffice for some basic testing. Now we can write functions to use the Bellard formula and the new formula:

(defparameter +bellard-terms+
  '((-1 5 4 1)
    (-1 0 4 3)
    (+1 8 10 1)
    (-1 6 10 3)
    (-1 2 10 5)
    (-1 2 10 7)
    (+1 0 10 9)))

(defun bellard-nth-hex (n)
  ;; %NTH-HEX-FROM-SERIES converts the digit index to a bit index itself,
  ;; so N is passed unscaled (scaling it here as well would select digit 4N).
  (%nth-hex-from-series n +bellard-terms+ 10 -6 t))

(defparameter +new-terms+
  '((+1 0 6 1)
    (-1 -5 6 3)
    (+1 -8 6 5)
    (+1 1 8 1)
    (-1 -5 8 5)
    (+1 -1 12 3)
    (-1 -4 12 7)
    (-1 -8 12 11)))

(defun new-nth-hex (n)
  ;; As above: N is the hex digit index, not a bit index.
  (%nth-hex-from-series n +new-terms+ 12 0 nil))

Let’s make sure they agree for the first 1000 hex digits:

CL-USER> (loop :for i :below 1000
               :always (= (bellard-nth-hex i) (new-nth-hex i)))
T

And now let’s look at timing comparisons. Here’s a little driver:

(defun compare-timings (n)
  (flet ((time-it (f n)
           (sb-ext:gc :full t)
           (let ((start (get-internal-real-time)))
             (funcall f n)
             (- (get-internal-real-time) start))))
    (loop :repeat n
          :for index := 1 :then (* 10 index)
          :for bellard := (time-it #'bellard-nth-hex index)
          :for new := (time-it #'new-nth-hex index)
          :do (format t "~v,' D: new is ~A% faster than bellard~%" n index
                      (round (* 100 (- bellard new)) bellard)))))

And the results of the timing up to the one millionth hexadecimal digit:

CL-USER> (compare-timings 7)
1 : new is 81% faster than bellard
10 : new is 7% faster than bellard
100 : new is 6% faster than bellard
1000 : new is 5% faster than bellard
10000 : new is 4% faster than bellard
100000 : new is 3% faster than bellard
1000000: new is 4% faster than bellard

As predicted, though imperfect a test, it’s consistently faster across a few orders of magnitude.
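An exact-arithmetic cross-check of two claims in the post above, added here as an example (it is not Robert Smith's code): that the Huvent/Gourévitch form equals $S$ term by term, and that each term of $S$ contributes at least 12 bits. The function names and the reference constant `PI_HEX_32` (the first 32 hexadecimal digits of $\pi$ after the point) are introduced for this example.

```python
from fractions import Fraction

# The post's series S: each entry is (coefficient, multiplier, offset) for the
# summand coefficient / (multiplier*k + offset); the bracket is scaled by 4096^-k.
NEW_TERMS = [
    (Fraction(1), 6, 1),
    (Fraction(-1, 32), 6, 3),
    (Fraction(1, 256), 6, 5),
    (Fraction(2), 8, 1),
    (Fraction(-1, 32), 8, 5),
    (Fraction(1, 2), 12, 3),
    (Fraction(-1, 16), 12, 7),
    (Fraction(-1, 256), 12, 11),
]

# The Huvent/Gourevitch form: (numerator, offset) over 24k + offset, with an
# overall factor of 1/128.
HUVENT_TERMS = [(768, 3), (512, 4), (128, 6), (-16, 12),
                (-16, 14), (-12, 15), (2, 20), (-1, 22)]

# Reference value for this example: first 32 hex digits of pi after the point.
PI_HEX_32 = "243F6A8885A308D313198A2E03707344"


def new_bracket(k):
    """Exact value of the bracketed part of S at index k."""
    return sum(c / (m * k + j) for c, m, j in NEW_TERMS)


def huvent_bracket(k):
    """Exact value of the bracketed part of the Huvent form, times 1/128."""
    return Fraction(1, 128) * sum(Fraction(a, 24 * k + j) for a, j in HUVENT_TERMS)


def forms_agree(k_max):
    """True if both brackets are the same rational for every k below k_max."""
    return all(new_bracket(k) == huvent_bracket(k) for k in range(k_max))


def partial_sum(n_terms):
    """Exact partial sum of S over k = 0 .. n_terms-1."""
    return sum(new_bracket(k) / 4096**k for k in range(n_terms))


def hex_digits(value, count):
    """First `count` hex digits of the fractional part of an exact rational."""
    frac = value - value.numerator // value.denominator
    scaled = frac * 16**count
    return format(scaled.numerator // scaled.denominator, "0{}X".format(count))


def bits_after(n_terms, extra=20):
    """Largest b with (remaining tail of S) <= 2^-b after n_terms terms.

    The tail is approximated by its next `extra` terms, which is exact far
    beyond the bit counts compared here.
    """
    tail = partial_sum(n_terms + extra) - partial_sum(n_terms)
    return (tail.denominator // tail.numerator).bit_length() - 1


if __name__ == "__main__":
    print("forms agree for k < 200:", forms_agree(200))
    print("12 terms give:", hex_digits(partial_sum(12), 32))
    for n in range(1, 6):
        print(n, "terms ->", bits_after(n), "bits")
```

Because everything is computed with `Fraction`, the equality of the two forms is exact for each tested k rather than a floating-point coincidence.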

13:56

The Law of Conservation of Evil [Nina Paley]

A famous cartoon about human nature that inspired millions, including myself, to try to rise above human nature.

Human beings exploit the earth and each other. We torture, kill and eat animals. We cut down forests and poison the soil and water. We make war. We drive filthy cars and pave the world. We pollute. We bully and scapegoat. We hold crazy beliefs and belong to irrational cults and religions. We don’t think for ourselves. We long for freedom while enforcing repression. We censor and suppress and police and call out and turn each other in. We rip each other new assholes while covering our own. We all think we’re better than the rest. We are hypocrites who are appalled by hypocrisy.

For meaning in our lives, we may fixate on one human evil and try to rise above it. Pro-Environment. Animal Rights. Freedom of Speech. Christianity. Communism.

The more we embrace these virtues, the more insufferable we become.

It’s human nature to try to rise above human nature.

There is simply no way out of being human. There are billions of us, each individual a node in an incomprehensibly complex network, a brain cell in a Great Brain. Sometimes we convert our neighbors, which gives rise to cults or religions or nations which then butt up against each other and go to war.

We might clean up our own little space: grow our own food, avoid filthy money by bartering, bike instead of drive, don’t eat meat. Little pockets of purity in a polluted world. Somewhere else, something worse is happening to compensate. Thank you for lowering demand of farmed animal products: now the price goes down so more can consume them. Thank you for biking instead of driving: now there’s more room on the road for another car. Thank you for Not Breeding: now someone else can, plus there’s a panic about “population implosion” and the culture is more pro-natalist than before.

While we’re doing all this Good, we try to persuade others. We never think we’re actively proselytizing, just taking opportunities for “teaching moments.” For sooner or later someone will notice our behavior is a little (or a lot) different and ask us about it. Maybe we’ll even convince them! Score! Now our cult is growing, and if it grows enough we’ll be able to clash with competing cults, more repressively enforce the purity of our in-group, and perhaps go to war with an out-group or two.

I call this The Law of Conservation of Evil.

I have clung to many causes: Environmentalism, Anti-Natalism, Vegetarianism/Veganism, Bikes Not Cars, Free Speech. I have been insufferable. Still, I am human, and humans need meaning in our lives, and that which lights us up the most can also make us the most insufferable.

I’m currently interested in how to avoid cults. I fear and condemn cults. If I develop a good theory of cults, and argue persuasively, I might create an anti-cult cult, just as Antifa creates fascism and anti-racism creates racism.

Back away from Identity

“Back away from Identity” advised Third Way Trans, a desister from the transgender cult, before he deleted his wonderful blog. That’s the rare idea that might be cult-proof.

Humans cannot rise above our evil, which is also our humanity. We can shift it around a little from locality to locality, just as we shift our “recyclable” garbage from our local landfill to somewhere in the ocean. The best we can do is back away from identity, from the need to be “good” or better than our fellows, and to acknowledge and accept Reality.

But don’t let me get too attached to convincing you of that! Carry on, world.

The post The Law of Conservation of Evil appeared first on Nina Paley.

10:28

Where do bad choices come from? [Seth's Blog]

We all make them from time to time.

You might not know what you need to know. This is where experience is created.

You might have an identity that pushes you to make those choices. If you’re determined to act like the person you have assumed you are, the choices come with the role.

Or, you might prioritize short-term benefits over the long-term costs of a bad choice. In this sense, the difference between a good choice and a bad one is simply which timeframe we’re considering.

Built into the idea of ‘choice’ is the agency and freedom to choose. But we waste that power every time we fail to realize we’re making a choice.

And there are two common reasons for this: we don’t believe we have the freedom to choose, or we’re not clear about what we’re trying to accomplish in the first place.

09:14

TinyOS: ultra-lightweight RTOS for IoT devices [OSnews]

An ultra-lightweight real-time operating system for resource-constrained IoT and embedded devices. Kernel footprint under 10 KB, 2 KB minimum RAM, preemptive priority-based scheduling.

↫ TinyOS GitHub page

Written in C, open source, and supports ARM and RISC-V.

Redox gets new CPU scheduler [OSnews]

Another major improvement in Redox: a brand new scheduler which improves performance under load considerably.

We have replaced the legacy Round Robin scheduler with a Deficit Weighted Round Robin scheduler. Due to this, we finally have a way of assigning different priorities to our Process contexts. When running under light load, you may not notice any difference, but under heavy load the new scheduler outperforms the old one (eg. ~150 FPS gain in the pixelcannon 3D Redox demo, and ~1.5x gain in operations/sec for CPU bound tasks and a similar improvement in responsiveness too (measured through schedrs)).

↫ Akshit Gaur

Work is far from over in this area, as they’re now moving on to “replacing the static queue logic with the dynamic lag-calculations of full EEVDF“.

09:07

Pluralistic: EU ready to cave to Trump on tech (04 Apr 2026) [Pluralistic: Daily links from Cory Doctorow]

Today's links



The EU flag. The field has been turned from blue to orange. In the center of the circle of stars is Trump's open, hooting gob. Behind the orange field we see the faded traces of a printed circuit board.

EU ready to cave to Trump on tech (permalink)

Crises precipitate change. That's no reason to induce a crisis, but you'd be a fool to let a crisis go to waste. Donald Trump is the greatest crisis of our young century, and the EU looks set to squander the opportunity, to its own terrible detriment.

For more than a decade, it's been clear that the American internet was not fit for purpose. The whistleblowers Mark Klein and Edward Snowden revealed that the US had weaponized its status as the world's transoceanic fiber-optic hub to spy on the entire planet:

https://doctorow.medium.com/https-pluralistic-net-2025-11-26-difficult-multipolarism-eurostack-5a527c32f149

US tech giants flouted privacy laws, gleefully plundering the world's cash and data with products that they remorselessly enshittified:

https://pluralistic.net/2026/01/30/zucksauce/#gandersauce

American companies repurposed their over-the-air software update capabilities to remotely brick expensive machinery in service to geopolitical priorities:

https://pluralistic.net/2022/05/08/about-those-kill-switched-ukrainian-tractors/

Then Trump and his tech companies started attacking key public institutions around the world, shutting down access for senior judges who attempted to hold Trump's international authoritarian allies to account for their crimes:

https://pluralistic.net/2025/10/20/post-american-internet/#huawei-with-american-characteristics

If Trump wants to steal Greenland, he doesn't need tanks or missiles. He can just tell Microsoft and Oracle to brick the entire Danish state and all of its key firms, blocking their access to their email archives, files, databases, and other key administrative tools. If Denmark still holds out, Trump can brick all their tractors, smart speakers, and phones. If Denmark still won't give up Greenland, Trump could blackhole all Danish IP addresses for the world's majority of transoceanic fiber. At the click of a mouse, Trump could shut down the world's supply of Lego, Ozempic, and delicious, lethally strong black licorice.

Now, these latent offensive capabilities were obvious long before Trump, but the presidents who weaponized them in the pre-Trump era did so in subtle and deniable ways, or under a state of exception (e.g. in response to spectacular terrorist attacks or in the immediate aftermath of the Russian invasion of Ukraine) that let bystanders assure themselves that this wouldn't become a routine policy.

After all, America profited so much from the status quo in which America and its trading partners all pretended that US tech wouldn't be weaponized for geopolitical aims, so a US president would be a fool to shatter the illusion. And even if the president was so emotionally incontinent that he demanded the naked weaponization of America's defective, boobytrapped tech exports, the power blocs that the president relies on would stop him, because they are so marinated in the rich broth that America drained from the world using Big Tech.

This is "status quo bias" in action. No one wants to let go of the vine they're swinging from until they have a new vine firmly in their grasp – but you can't reach the next vine unless you release your death-grip on your current one. So it was that, year after year, the world allowed itself to become more dependent on America's easily weaponizable tech, making the tech both more dangerous and harder to escape.

Enter Trump (a crisis) (and crises precipitate change). Under Trump, the illusion of a safe interdependence crumbled. Every day, in new and increasingly alarming ways, Trump makes it clear that America doesn't have allies or trading partners, only adversaries and rivals. Every day, Trump proves to the world that American tech isn't merely untrustworthy – it's a live, dire, urgent danger to your state, your companies, and your people. The best time to get shut of the American internet was 15 years ago. The second best time is right fucking now.

NOW!

The result is the burgeoning movement to build a "post-American internet." In Canada, PM Mark Carney's announcement of a "rupture" has the country rethinking its deep connections to the American internet and asking what it could do to escape it:

https://pluralistic.net/2026/01/27/i-want-to-do-it/#now-make-me-do-it

Europe, meanwhile, has multiple, advanced, well-funded initiatives to leave the American internet behind and migrate to a post-American internet, like "Eurostack" and the European Digital Infrastructure Consortium:

https://digital-strategy.ec.europa.eu/en/policies/edic

But status quo bias exerts a powerful gravity. A reactionary counterrevolution is being waged in the European Commission – the permanent bureaucracy that executes Europe's laws and regulations. Within the EC, an ascendant faction has announced plans for a "dialogue" with representatives from the Trump regime to let them direct the enforcement of the Digital Markets Act (DMA) and Digital Services Act (DSA), Europe's landmark 2024 anti-Big Tech regulations:

https://www.politico.eu/article/fatal-decision-eu-slammed-for-caving-to-us-pressure-on-digital-rules/

The DMA and DSA require America's tech giants to open up their platforms in ways that would halt the plunder of Europeans' private data and cash. US tech giants have flatly refused to comply with these rules, relying on Trump to get them out of any obligations under EU law:

https://pluralistic.net/2025/09/26/empty-threats/#500-million-affluent-consumers

That's a sound bet. After all, the last thing Trump did before his inauguration was publicly announce his intention to destroy any country that attempted to enforce these laws:

https://www.nytimes.com/2025/01/23/us/politics/trump-davos-europe-tariffs.html

He's making good on his threats. He's already sanctioned a group of officials who helped draft the DSA:

https://www.npr.org/2025/12/24/nx-s1-5655855/trump-administration-bars-5-europeans-from-entry-to-the-u-s-over-alleged-censorship

And he's ordered his tech companies to turn over the private emails and messages of other European officials, so he can identify the ones most dangerous to US tech plunder and sanction them, too:

https://www.politico.eu/article/us-congress-judiciary-committee-big-tech-private-communication-eu-officials/

The quislings and appeasers in the Commission who've been spooked by Trump's belligerence (or tempted by offers of cushy jobs in Big Tech after they leave public service) are selling out the EU's future. Caving to Trump won't make him more favorably disposed to Europe or Europeans. Trump treats every capitulation as a sign of weakness that signals that he can safely ignore his end of the bargain and demand twice as much. For Trump, the "art of the deal" can be summed up in one word: reneging.

Within the EU, there's fury at the Commission's announcement of "dialogue." As Politico's Milena Wälde reports, lawmakers like Alexandra Geese (Greens) say that this is a move that eliminates the "sovereign path for Europe" by letting tech giants "grade their own homework." She calls it a "fatal decision for our companies and our democracy."

Moving to the post-American internet is hard – but it will only get harder. Sure, Europe could wait for the next crisis to let go of the Big Tech vine and grab the Eurostack one, but that next crisis will be far, far worse. The EU can't afford to wait for Trump to brick one or more of its member states to (finally, at long last) take this threat seriously:

https://pluralistic.net/2026/01/01/39c3/#the-new-coalition


Hey look at this (permalink)



A shelf of leatherbound history books with a gilt-stamped series title, 'The World's Famous Events.'

Object permanence (permalink)

#10yrsago Among a Thousand Fireflies: children’s book shows the sweet, alien love stories unfolding in our own backyards https://memex.craphound.com/2016/04/01/among-a-thousand-fireflies-childrens-book-shows-the-sweet-alien-love-stories-unfolding-in-our-own-backyards/

#10yrsago After biggest bribery scandal in history, police raids and investigations https://www.smh.com.au/business/police-raids-and-more-revelations-the-fallout-of-the-unaoil-scandal-20160401-gnw9mx.html

#10yrsago Bernie Sanders’ South Bronx rally, featuring Rosario Dawson, Spike Lee, and Residente https://www.c-span.org/program/campaign-2016/senator-bernie-sanders-campaign-rally-in-south-bronx/437114

#10yrsago Freshman Missouri Rep almost made it 3 months before introducing bill urging members to say “fiscal,” not “physical” https://www.washingtonpost.com/news/the-fix/wp/2016/03/31/hero-lawmaker-urges-colleagues-to-stop-saying-physical-when-they-mean-fiscal/

#10yrsago Indiana women phone the governor’s office to tell him about their periods https://web.archive.org/web/20160401170206/https://fusion.net/story/286941/periods-for-pence-indiana-women-calling-governor/

#10yrsago United pilot orders Arab-American family off his flight for “safety” https://www.nbcchicago.com/news/national-international/united-airlines-arab-american-plane/58370/

#10yrsago 33 state Democratic parties launder $26M from millionaires for Hillary https://www.counterpunch.org/2016/04/01/how-hillary-clinton-bought-the-loyalty-of-33-state-democratic-parties/

#10yrsago White SC cops pull black passenger out of car, take turns publicly cavity-searching him https://www.washingtonpost.com/news/the-watch/wp/2016/04/01/video-shows-white-cops-performing-roadside-cavity-search-of-black-man/

#5yrsago The zombie economy and digital arm-breakers https://pluralistic.net/2021/04/02/innovation-unlocks-markets/#digital-arm-breakers

#5yrsago Ontario's drug-dealer premier is shockingly bad at distributing vaccines https://pluralistic.net/2021/04/01/incompetent-drug-dealer/#what-a-dope

#1yrago What's wrong with tariffs https://pluralistic.net/2025/04/02/me-or-your-lying-eyes/#spherical-cows-on-frictionless-surfaces

#1yrago Anyone who trusts an AI therapist needs their head examined https://pluralistic.net/2025/04/01/doctor-robo-blabbermouth/#fool-me-once-etc-etc


Upcoming appearances (permalink)

A photo of me onstage, giving a speech, pounding the podium.



A screenshot of me at my desk, doing a livecast.

Recent appearances (permalink)



A grid of my books with Will Stahle covers.

Latest books (permalink)



A cardboard book box with the Macmillan logo.

Upcoming books (permalink)

  • "The Reverse-Centaur's Guide to AI," a short book about being a better AI critic, Farrar, Straus and Giroux, June 2026 (https://us.macmillan.com/books/9780374621568/thereversecentaursguidetolifeafterai/)
  • "Enshittification, Why Everything Suddenly Got Worse and What to Do About It" (the graphic novel), Firstsecond, 2026

  • "The Post-American Internet," a geopolitical sequel of sorts to Enshittification, Farrar, Straus and Giroux, 2027

  • "Unauthorized Bread": a middle-grades graphic novel adapted from my novella about refugees, toasters and DRM, FirstSecond, 2027

  • "The Memex Method," Farrar, Straus, Giroux, 2027



Colophon (permalink)

Today's top sources:

Currently writing: "The Post-American Internet," a sequel to "Enshittification," about the better world the rest of us get to have now that Trump has torched America. First draft complete. Second draft underway.

  • "The Reverse Centaur's Guide to AI," a short book for Farrar, Straus and Giroux about being an effective AI critic. LEGAL REVIEW AND COPYEDIT COMPLETE.
  • "The Post-American Internet," a short book about internet policy in the age of Trumpism. PLANNING.

  • A Little Brother short story about DIY insulin PLANNING


This work – excluding any serialized fiction – is licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net.

https://creativecommons.org/licenses/by/4.0/

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.


How to get Pluralistic:

Blog (no ads, tracking, or data-collection):

Pluralistic.net

Newsletter (no ads, tracking, or data-collection):

https://pluralistic.net/plura-list

Mastodon (no ads, tracking, or data-collection):

https://mamot.fr/@pluralistic

Bluesky (no ads, possible tracking and data-collection):

https://bsky.app/profile/doctorow.pluralistic.net

Medium (no ads, paywalled):

https://doctorow.medium.com/

Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):

https://mostlysignssomeportents.tumblr.com/tagged/pluralistic

"When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla

READ CAREFULLY: By reading this, you agree, on behalf of your employer, to release me from all obligations and waivers arising from any and all NON-NEGOTIATED agreements, licenses, terms-of-service, shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure, non-compete and acceptable use policies ("BOGUS AGREEMENTS") that I have entered into with your employer, its partners, licensors, agents and assigns, in perpetuity, without prejudice to my ongoing rights and privileges. You further represent that you have the authority to release me from any BOGUS AGREEMENTS on behalf of your employer.

ISSN: 3066-764X

08:28

Open source office suites erupt in forking and licensing drama [OSnews]

You’d think if there was one corner of the open source world where you wouldn’t find drama it’d be open source office suites, but it turns out we could not have been more wrong. First, there’s The Document Foundation, stewards of LibreOffice, ejecting a ton of LibreOffice contributors.

In the ongoing saga of The Document Foundation (TDF), their Membership Committee has decided to eject from membership all Collabora staff and partners. That includes over thirty people who have contributed faithfully to LibreOffice for many years. It is interesting to see a formal meritocracy eject so many, based on unproven legal concerns and guilt by association. This includes seven of the top ten core committers of all time (excluding release engineers) currently working for Collabora Productivity. The move is the culmination of TDF losing a large number of founders from membership over the last few years with: Thorsten Behrens, Jan ‘Kendy’ Holesovsky, Rene Engelhard, Caolan McNamara, Michael Meeks, Cor Nouws and Italo Vignoli no longer members. Of the remaining active founders, three of the last four are paid TDF staff (of whom none are programming on the core code).

↫ Michael Meeks

The end result seems to be that Collabora is effectively forking LibreOffice, which feels like we’re back where we were 15 years ago when LibreOffice forked from OpenOffice. There seems to be a ton of drama and infighting here that I’m not particularly interested in, but it’s sad to see such drama and infighting result in needless complications for developers, end users, and distributors alike.

As if this wasn’t enough, there’s also forking drama in OnlyOffice land, the other open source office suite, licensed under the AGPL. This open source office suite has been forked by Nextcloud and IONOS into Euro-Office, in pursuit of digital sovereignty in the EU. It’s also not an entirely unimportant detail that OnlyOffice is Russian, with most of its developers residing in Russia.

Anyway, the OnlyOffice team has not taken this in stride, claiming there’s a violation of the AGPL license going on here, specifically because OnlyOffice adds contradictory attribution terms to the AGPL. It’s a complicated story, but it does seem most experts in this area seem to disagree with OnlyOffice’s interpretation.

We’re in for another messy time.

How Microsoft vaporized a trillion dollars [OSnews]

This is the first of a series of articles in which you will learn about what may be one of the silliest, most preventable, and most costly mishaps of the 21st century, where Microsoft all but lost OpenAI, its largest customer, and the trust of the US government.

↫ Axel Rietschin

It won’t take long into this series of articles before you start wondering how anyone manages to ship anything at Microsoft. If even half of this is accurate, this company should be placed under some sort of external oversight.

06:21

Urgent: Voting by mail [Richard Stallman's Political Notes]

US citizens: call on Congress to protect the USPS for November's election.

US citizens: Join with this campaign to address this issue.

To phone your congresscritter about this, the main switchboard is +1-202-224-3121.

Please spread the word.

03:00

Dirk Eddelbuettel: Sponsor me for Tour de Shore 2026 to support MFA [Planet Debian]

tour de shore 2026

On June 19 and 20, I will cycle a little over 100 miles from downtown Chicago and its wonderful Millennium Park to New Buffalo, Michigan, as part of the Tour de Shore 2026. The ride passes through northwest Indiana and the extended Indiana Dunes National Park ending the next morning in the southwestern Michigan town of New Buffalo. I rode Tour de Shore once before in 2024 and had a generally wonderful time (even considering some soreness after a century of miles over 1 1/2 days).

Tour de Shore is riding in support of Maywood Fine Arts Center, a local arts and sports center in Maywood, Illinois, a suburb one over from where I live and hence just a few good miles west of downtown. Maywood, Illinois is home to legends such as the late John Prine as well as several NBA players such as player and coach Doc Rivers.

 


But Maywood, Illinois is also a little less well off than other western suburbs. The Maywood Fine Arts Center is simply legendary in what they do for this community (and surrounding communities), and especially the youth support. They can use a dollar or two. Their story about Tour de Shore is worth a read too for background and motivation.

I have bootstrapped my donation page with a dollar for each mile to be cycled. It would be simply terrific if you could join me. A nickel, a dime, or a quarter per mile cycled would help. Multiples of that help too: More is of course still always better.

Anything you can afford will go a long way towards a worthy goal in a community that could use the help.

Oh, and if you are local to the area, I believe you can still register for Tour de Shore 2026. So see you out there in June? And if not, maybe help with a dollar or two?

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog.

00:42

Friday, 03 April

23:56

22:35

Friday Squid Blogging: Jurassic Fish Chokes on Squid [Schneier on Security]

Here’s a fossil of a 150-million year old fish that choked to death on a belemnite rostrum: the hard, internal shell of an extinct, squid-like animal.

Original paper.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Blog moderation policy.

22:28

A Kitten’s First Good Friday [Whatever]

Saja is contemplative about it, as he should be.

A reflective Good Friday, Easter, and/or Passover to you, if you celebrate any of these, and have a lovely weekend no matter who you are.

— JS

21:35

Big-endian testing with QEMU [OSnews]

I assume I don’t have to explain the difference between big-endian and little-endian systems to the average OSNews reader, and while most systems are either dual-endian or (most likely) little-endian, it’s still good practice to make sure your code works on both. If you don’t have a big-endian system, though, how do you do that?

When programming, it is still important to write code that runs correctly on systems with either byte order (see for example The byte order fallacy). But without access to a big-endian machine, how does one test it? QEMU provides a convenient solution. With its user mode emulation we can easily run a binary on an emulated big-endian system, and we can use GCC to cross-compile to that system.

↫ Hans Wennborg

If you want to make sure your code isn’t arbitrarily restricted to little-endian, running a few tests this way is worth it.

20:28

Stage Delights [Penny Arcade]

It's a meme with a very particular clientele: there is always, always something fucked up with Gabe's setup when he tries to do the Make-A-Strip. During the Surface era, it would reliably try to do a system update as soon as we would start the panel. The setup has coalesced these days around a Framework laptop and the lower tier XPPen Artist Pro, but he forgot his dongle so the puck he brought - the little device he uses to perform the somatic components of the Art spell - was inert. The screen could be manipulated physically, a feature he never even knew about, but when you try to shift the art around on there your work slides around like it's on an air hockey table. It wasn't optimal, but there were dark chuckles and schadenfreudes out there, so it occurred to me: is there a way to leverage even greater torments? We also dish up a truly ancient reference in panel one for all of those newly traveling through the archive.

20:00

How can I use ReadDirectoryChangesW to know when someone is copying a file out of the directory? [The Old New Thing]

A customer was using ReadDirectoryChangesW in the hopes of receiving a notification when a file was copied. They found that when a file was copied, they received a FILE_NOTIFY_CHANGE_LAST_ACCESS, but only once an hour. And they also got that notification even for operations unrelated to file copying.

Recall that ReadDirectoryChangesW and FindFirstChangeNotification are for detecting changes to information that would appear in a directory listing. Your program can perform a FindFirstFile/FindNextFile to cache a directory listing, and then use ReadDirectoryChangesW or FindFirstChangeNotification to be notified that the directory listing has changed, and you have to invalidate your cache.

But there are a lot of operations that don’t affect a directory listing.

For example, a program could open a file in the directory with last access time updates suppressed. (Or the volume might have last access time updates suppressed globally.) There is no change to the directory listing, so no event is signaled.

Functions like ReadDirectoryChangesW and FindFirstChangeNotification operate at the file system level, so the fundamental operations they see are things like “read” and “write”. They don’t know why somebody is reading or writing. All they know is that it’s happening.

If you are a video rental store, you can see that somebody rented a documentary about pigs. But you don’t know why they rented that movie. Maybe they’re doing a school report. Maybe they’re trying to make illegal copies of pig movies. Or maybe they simply like pigs.

If you are the file system, you see that somebody opened a file for reading and read the entire contents. Maybe they are loading the file into Notepad so they can edit it. Or maybe they are copying the file. You don’t know. Related: If you let people read a file, then they can copy it.

In theory, you could check, when a file is closed, whether all the write operations collectively combine to form file contents that match a collective set of read operations from another file. Or you could hash the file to see if it matches the hash of any other file.¹ But these extra steps would get expensive very quickly.

Indeed, we found during user research that a common way for users to copy files is to load them into an application, and then use Save As to save a copy somewhere else. In many cases, this “copy” is not byte-for-byte identical to the original, although it is functionally identical. (For example, it might have a different value for Total editing time.) Therefore, detecting copying by comparing file hashes is not always successful.²

If your goal is to detect files being “copied” (however you choose to define it), you’ll have to operate at another level. For example, you could use various data classification technologies to attach security labels to files and let the data classification software do the work of preventing files from crossing security levels. These technologies usually work best in conjunction with programs that have been updated to understand and enforce these data classification labels. (My guess is that they also use heuristics to detect and classify usage by legacy programs.)

¹ It would also generate false positives for files that are identical merely by coincidence. For example, every empty file would be flagged as a copy of every other empty file.

Windows 2000 Server had a feature called Single Instance Store which looked for identical files, but it operated only when the system was idle. It didn’t run during the copy operation. This feature was subsequently deprecated in favor of Data Deduplication, which looks both for identical files as well as identical blocks of files. Again, Data Deduplication runs during system idle time. It doesn’t run during the copy operation. The duplicate is detected only after the fact. (Note the terminology: It is a “duplicate” file, not a “copy”. Two files could be identical without one being a copy of the other.)

² And besides, even if the load-and-save method produces byte-for-byte identical files, somebody who wanted to avoid detection would just make a meaningless change to the document before saving it.

The post How can I use ReadDirectoryChangesW to know when someone is copying a file out of the directory? appeared first on The Old New Thing.
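The hash-comparison idea from the Old New Thing post above, run over a small tree to show both ways it misleads, as an added example that is not part of the original post. The file names, the `EditingTime` header and the function names are constructed for illustration.

```python
"""Constructed demo: after-the-fact duplicate detection by content hash."""
import hashlib
import os
import tempfile
from collections import defaultdict


def sha256_of(path, chunk_size=65536):
    """Stream a file through SHA-256 so large files are never loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_duplicate_groups(root):
    """Return sorted groups of relative paths whose contents are identical.

    Files are bucketed by size first, so only same-sized files are hashed.
    The result says "these files are duplicates", never "this was copied".
    """
    by_size = defaultdict(list)
    for folder, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(folder, name)
            if os.path.isfile(path) and not os.path.islink(path):
                by_size[os.path.getsize(path)].append(path)

    groups = []
    for paths in by_size.values():
        if len(paths) < 2:
            continue
        by_hash = defaultdict(list)
        for path in paths:
            by_hash[sha256_of(path)].append(path)
        for same in by_hash.values():
            if len(same) > 1:
                rel = [os.path.relpath(p, root).replace(os.sep, "/") for p in same]
                groups.append(sorted(rel))
    return sorted(groups)


def build_sample_tree(root):
    """Write the constructed sample files described in the lead-in."""
    body = b"Quarterly figures (constructed sample text)\n" * 20
    samples = {
        # The protected original.
        "secret/report.doc": b"EditingTime=0042\n" + body,
        # A plain byte-for-byte file copy.
        "outbox/report-copy.doc": b"EditingTime=0042\n" + body,
        # Load-and-Save-As: same document, one metadata field differs.
        "outbox/report-saveas.doc": b"EditingTime=0043\n" + body,
        # Two unrelated empty files that are identical by coincidence.
        "logs/a.log": b"",
        "tmp/b.lock": b"",
    }
    for rel_path, data in samples.items():
        full = os.path.join(root, *rel_path.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as handle:
            handle.write(data)


def run_demo():
    """Build the sample tree in a temp directory and return duplicate groups."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return find_duplicate_groups(root)


if __name__ == "__main__":
    for group in run_demo():
        print("identical content:", ", ".join(group))
```

The byte-for-byte copy is grouped with the original, the Save As variant is missed even though it is the same size, and the two empty files are reported as duplicates of each other.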

19:14

17:42

17:28

Link [Scripting News]

WordPress could have an active developer community creating writing tools for WordPress users. I also want WordPress to form the foundation of a new social network, one that supports all the writing features of the web. With really nice user interfaces for people to choose from. That's a new ecosystem. It may form around ChatGPT and Claude etc. Or it could start with WordPress. I think I can get this bootstrapped, but I need people to work with. That's the summary of what I'm about at this point in 2026.

16:35

[$] Ubuntu's GRUBby plans [LWN.net]

GNU GRUB 2, mostly just referred to as GRUB these days, is the most widely used boot loader for x86_64 Linux systems. It supports reading from a vast selection of filesystems, handles booting modern systems with UEFI or legacy systems with a BIOS, and even allows users to customize the "splash" image displayed when a system boots. Alas, all of those features come with a price; GRUB has had a parade of security vulnerabilities over the years. To mitigate some of those problems, Ubuntu core developer and Canonical employee Julian Andres Klode has proposed removing a number of features from GRUB in Ubuntu 26.10 to improve GRUB's security profile. His proposal has not been met with universal acclaim; many of the features Klode would like to remove have vocal proponents.

15:49

No kidding: Gentoo GNU/Hurd [LWN.net]

On April 1, the Gentoo Linux project published a blog post announcing that it was switching to GNU Hurd as its primary kernel as an April Fool's joke. While that is not true, the project has followed up with an announcement of a new Gentoo port to the Hurd:

Our crack team has been working hard to port Gentoo to the Hurd and can now share that they've succeeded, though it remains still in a heavily experimental stage. You can try Gentoo GNU/Hurd using a pre-prepared disk image. The easiest way to do this is with QEMU [...]

We have developed scripts to build this image locally and conveniently work on further development of the Hurd port. Release media like stages and automated image builds are future goals, as is feature parity on x86-64. Further contributions are welcome, encouraged, and needed. Be patient, expect to get your hands dirty, anticipate breakage, and have fun!

Oh, and Gentoo GNU/Hurd also works on real hardware!

Text for the April Fool's post is available at the bottom of the real announcement.

15:21

Joerg Jaspert: Building a house - 1 year in [Planet Debian]

Haven’t written here about it, but last March we finally started on our journey to get our own house built, so we can move out of the rented flat here.

That will be a big step, both the actual building, but also the moving - I am living at this one single place for 36 years now.

If you can read German there is a dedicated webpage where I sometimes write about the process. Will have much more details (and way more ramblings) than the following part.

If you can’t read German, a somewhat short summary follows. Yes, still a lot of text, but shortened, still.

What? Why now?

Current flat has 83m² - which simply isn’t enough space. And the number of rooms also doesn’t fit anymore. But it is hard to find a place that fits our requirements (which do include location).

Moving to a different rented place would also mean changed amount of rent. And nowadays that would be a huge increase (my current rent is still the price from about 30 years ago!).

So if we go and pay more - we could adjust and pay for something we own instead. And both, my wife and I had changes in our jobs that made it possible for us now, so we started looking.

Market

Brrrr, looking is good, actually finding something that fits - not so. We never found an offer that fit. Space wise, sure. But then location was off, or price was idiotically high. Location fit, but then size was a joke, and guess about the price… Who needs 200 square meters with 3 rooms? Entirely stupid design choices there. Or how about 40 square meters of hallway - with 50m² of tiny rooms around. What are they smoking? Oh, there, useful size, good rooms - but now you want more money than a kidney is worth, or something. Thanks, no.

New place

In February 2025 we finally got lucky and found a (newly opened) area with a large number of places to build a house on. Had multiple talks with someone from one of the companies developing that area (there are two you can select from), then talked with banks and signed a contract in March 2025. We got promised that actual house construction would be first quarter of 2026, finished in second quarter.

House type

There are basically 2 ways of building a new house (that matter here). First is called “Massivhaus”, second is called “Fertighaus” in German, roughly translating to solid and prefabricated. The latter commonly a wood based construction, though it doesn’t need to be. The important part of it is the prefabrication, walls and stuff get assembled in a factory somewhere and then transported to your place, where they play “big kid lego” for a day and suddenly a house is there.

A common thought is “prefabricated” is faster, but that is only half true. Sure, the actual work on site is way shorter - usually one or two days and the house is done - while a massive construction usually takes weeks to build up. But that is only a tiny part of the time needed, the major part goes into planning and waiting and in there it doesn’t matter what material you end up with.

Money fun

Last year already wasn’t the best time to start a huge loan - but isn’t it always “a few years ago would have been better”? So we had multiple talks with different banks and specialised consultants until we found something that we thought is good for us.

Thinking about it now - we should have put even more money on top as “reserve”, but who could have thought that 2026 turns into such a shitshow? Does not help at all, quite the contrary. And that damn lotto game always ends up with the wrong numbers, meh.

Plans and plans and more plans - and rules

For whichever reason you can not just go and put something on your ground and be happy. At least not if you are part of the normal people and not enormously rich. There is a large set of rules to follow. Usually that is a good thing, even though some rules are sometimes hard to understand.

In Germany, besides the usual laws, we have something that is called “Bebauungsplan”, which translates to “development plan” (don’t know if that carries the right meaning, it’s a plan on what and how may be built, which can have really detailed specifications in). It basically tells you every aspect on top of the normal law that you have to keep in mind.

In our case we have the requirement of 2 full floors and CAN have a third smaller on top, it limits how high the house can be and also how high our ground floor may be compared to the street. It regulates where on the property we may build and how much ground we may cover with the house, it gives a set of colors we are allowed to use, it demands a flat roof that we must have as a green roof and has a number of things more that aren’t important enough to list here. If you do want to see the full list, my German post on it has all the details that matter to us.

With all that stuff in mind - off to plans. Wouldn’t have believed how many details there are to take in. Room sizes are simple, but how to arrange them for ideal usage of the sun, useful ways inside the house, but also keeping in mind that water needs to flow through and out. Putting a bath room right atop a living room means a water pipe needs to go down there. Switch the bath room side in the house, and it suddenly is above the kitchen - means you can connect the pipes from it to the ones from kitchen, which is much preferred than going through the living room. And lots more such things.

It took us until nearly end of October to finalize the plans! And we learned a whole load from it. We started with a lot of wishes. The planner tried to make them work. Then we changed our minds. Plans changed. Minds changed again. Comparing the end result with the first draft we changed most of the ground floor around, with only the stairs and the entrance door at the same position. Less changes for the upper floor, but still enough.

Side quests

The whole year was riddled with something my son named side quests. We visited a construction exhibition near us, we went to the house builders factory and took a look on how they work. We went to many different other companies that do SOME type of work which we need soon, say inside floors, painters, kitchen and more stuff.

Of course the most important side quest was a visit to the notary to finalize the contracts, especially for the plot of land (in Germany you must have a notary for that to get entered into the government’s books). Creates lots of fees, of course, for the notary and also the government (both fees and taxes here).

Building permit

We had been lucky and only needed a small change to the plans to get the building permit - and the second part, the wastewater permit (yes, you need a separate one for this) also got through without trouble.

Choices, so many of them

So in January we finally had an appointment for something that’s called “Bemusterung” which badly translates to “Sampling”. Basically two days at the house builders factory to select all of what’s needed for the house that you don’t do in the plans. Doors, inside and out and their type and color and handles. Same things for the windows and the blinds and the protection level you want the windows to have. Decide about stairs, design for the sanitary installations - and also the height of the toilet! - and the tiles to put into the bathrooms. Decisions on all the tech needed (heating system, ventilation and whatnot).

Two days, busy ones - and you can easily spend a lot of extra money here if you aren’t careful. We managed to get “out of it” with only about 4000€ extra, so pretty good.

Electro and automation

Now, here I am special. Back when I was young the job I learned is electrician. So here I have very detailed wishes. I am also running lots of automatism in my current flat - obviously the new house should be better than that. So I have a lot of ideas and thoughts on it, so this is entirely extra and certainly out of the ordinary the house builder usually sees.

Which means I do all of that on my own. Well, the planning and some of the work, I must have a company at hand for certain tasks, it is required by some rules. But they will do what I planned, as long as I don’t violate regulations.

Which means the whole electrical installation is … different. Entirely planned for automatisms and using KNX for it. I am so happy to ditch Homeassistant and the load of Homematic, Zigbee and ZWave based wireless things.

Ok, Homeassistant is a nice thing - it can do a lot. And it can bridge between about any system you can find. But it is a central single point of failure. And it is a system that needs constant maintenance. Not touched for a while? Plan for a few hours playing update whack-a-mole. And often enough a component here or there breaks with an update. Can be fixed, but takes another hour or two.

So I change. Away from wireless based stuff. To wires. To a system that’s a standard for decades already. And works entirely without a SPOF. (Yes, you can add one here too). And, most important, should I ever die - can easily be maintained by anyone out there dealing with KNX, which is a large number of people and companies. Without digging through dozens of specialised integrations and whatnot.

I may even end up with Homeassistant again - but that will entirely be as a client. It won’t drive automations. It won’t be the central point to do anything for the house. It will be a logging and data collecting thing that enables me to put up easy visualizations. It may be an easy interface for smartphones or tablets to control parts of the house, for those parts where one wants this to happen. Not the usual day-to-day stuff, extras on top.

Actual work happening

Since March there finally is action visible. The base of the house is getting built. Wednesday the 1st April we finally got the base slab poured on the construction site and in another 10 days the house is getting delivered and built up. A 40ton mobile crane will be there.

15:14

Link [Scripting News]

Feature request for WordPress. If an item doesn't have a title, you can do better than (no title) in the Posts list. Grab the first N chars of the body, or add a tool tip with the same text. I write a lot of "singular" posts, ie posts without titles. This is what I see on the Posts page.

Link [Scripting News]

Does EmDash have a feed reader built in??

Link [Scripting News]

Suggestion for feed reader devs. Put a Check Now button on the page for a single feed. It shouldn't overburden your system because it's just doing an HTTP read and a little parsing. Not much more work than reloading a page in the browser. The benefit is you can see a current view of the news according to a specific feed without waiting. Makes the web roughly instantaneous for every feed, even ones that don't support rssCloud. FeedLand has such a button.

Good morning campers [Scripting News]

Things are changing a lot. Huge flow of ideas, and some catching up to do. Mind bombs in every direction.

Last night while watching sports I learned via ChatGPT about MCP.

Here's what it can do and people *are* using it for this

You could turn ChatGPT into an easy editor for WordPress posts.

Just as I have developed the habit of getting it to create a handoff.md file when I'm done with a session, I could write something with ChatGPT helping, I don't ever do that myself but I might, if it were easy. And when I'm ready to publish, I'd say "Please publish this on my daveverse site now." I might specify a category or two, or set defaults, it's good at that stuff. I've taught Claude to write code in my style, so I can maintain it (to answer Aral Balkan's question on Mastodon).

Little hierarchies everywhere [Scripting News]

We create little hierarchies everywhere we go.

So many places. I have no room for new ones, yet I have to make room because there are people there I want to work with. Now I have to manage it.

If an alien came to Earth and asked why we don't just create a way for a little hierarchy in one place to appear wherever you want it.

It's not out of reach, it would take two or three developers with enough imaginative users to get the ball rolling.

Write down the features you'd have to support, concisely and simply, and provide conventions for making those hierarchies accessible through a very simple format, in JSON or XML or anything isomorphic, and then we start building.

And start releasing apps that work together. That's what I want to do.

WordLand is supposed to be the first such app. But maybe I need to go even simpler for example code. Thinking about it.

The aliens were confused by the inefficient way we were organizing our ideas.

15:07

Free Software Directory meeting on IRC: Friday, April 10, starting at 12:00 EDT (16:00 UTC) [Planet GNU]

Join the FSF and friends on Friday, April 10 from 12:00 to 15:00 EDT (16:00 to 19:00 UTC) to help improve the Free Software Directory.

Error'd: Clever domain name here [The Daily WTF]

An anonymous cable-puller wrote "Reading a long specification manual. The words "shall" and "shall not" have specific meaning, and throughout the document are in bold italic. Looks like someone got a bit shall-ow with their search-and-replace skills."


Picki jeffphi attends to details. "Apparently this recruiter doesn't have a goal or metric around proper brace selection and matching." You're hired.


UGG.LI admins highlighted "even KFC hat Breakpoints deployed in Prod now ..." I wanted to say something funny about Herren Admins' Handle but reminded myself of John Scalzi's quote about the failure case of smartass so I refrained. You might be funnier than I.


Smarter still, Steve says "A big company like Google surely has a huge QA staff and AI bots to make sure embarrassing typos don't slip through, right? You wouldn't want to damage you reputation..."


I'll bet Pascal didn't expect this, eh? "Delivered, but On the way, Searching for a driver, but Asdrubal"


Security updates for Friday [LWN.net]

Security updates have been issued by AlmaLinux (freerdp, grafana, kernel, rsync, and thunderbird), Debian (chromium, inetutils, and libpng1.6), Fedora (bind9-next, nginx-mod-modsecurity, and openbao), Mageia (firefox, nss and thunderbird), Red Hat (container-tools:rhel8), SUSE (conftest, dnsdist, ignition, libsoup, libsoup2, LibVNCServer, libXvnc-devel, opensc, ovmf-202602, perl-Crypt-URandom, python-tornado, python311-ecdsa, python311-Pygments, python315, tar, and wireshark), and Ubuntu (cairo, jpeg-xl, linux, linux-aws, linux-aws-6.17, linux-gcp, linux-gcp-6.17, linux-hwe-6.17, linux-realtime, linux, linux-aws, linux-aws-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-gcp, linux-gke, linux-gkeop, linux-ibm, linux-lowlatency, linux-nvidia, linux-raspi, linux-fips, linux-fips, linux-aws-fips, linux-fips, linux-aws-fips, linux-gcp-fips, and linux-realtime, linux-realtime-6.8, linux-raspi-realtime).

14:28

Can AI bots write maintainable code? [Scripting News]

This is something we can and should research.

Let's give one of the ai apps a fairly good idea for an app we want to use, and help it -- not by coding, just by answering questions about how it will work, and iterating over the product until it works like we want it. Something simple, like perhaps a text editor for Mastodon. Something that isn't squished in a tiny little text box, and has icons for bold, underline, links, etc. It could be useful.

Then let's look at the code with an open mind. I think I've given it enough examples of good maintainable code that I could get it to produce maintainable code.

This was in reply to a Mastodon post by Aral Balkan.

The Cathedral, the Bazaar, and the Winchester Mystery House [Radar]

The following article originally appeared on Drew Breunig’s blog and is being republished here with the author’s permission.

In 1998, Eric S. Raymond published the founding text of open source software development, The Cathedral and the Bazaar. In it, he detailed two methods of building software:

  • The cathedral model is carefully planned, closed-source, and managed by an exclusive team of developers.
  • The bazaar model is open, transparent, and community-driven.

The bazaar model was enabled by the internet, which allowed for distributed coordination and distribution. More people could contribute code and share feedback, yielding better, more secure software. “Given enough eyeballs, all bugs are shallow,” Raymond wrote, coining Linus’s law.

The ideas crystallized in The Cathedral and the Bazaar helped kick off a quarter-century of open source innovation and dominance.

But just as the internet made communication cheap and birthed the bazaar, AI is making code cheap and kicking off a new era filled with idiosyncratic, sprawling, cobbled-together software.

Meet the third model: The Winchester Mystery House.

Winchester Mystery House (image by HarshLight on Flickr and used here on a Creative Commons license)

The Winchester Mystery House

Located less than 10 miles southeast from the Computer History Museum, the Winchester Mystery House is an architectural oddity.

Following the death of her husband and mother-in-law, Sarah Winchester controlled a fortune. Her shares in the Winchester Repeating Arms Company, and the dividends they threw off, made it so Sarah could not only live in comfort but pursue whatever passion she desired. That passion was architecture.

Sarah didn’t build her mansion to house ghosts¹; she built her mansion because she liked architecture. With no license, no formal training, in an era when women (even very rich women) didn’t have a path to practicing architecture, Sarah focused on her own home. She made up for her lack of license with passion and effectively unlimited funds.

Sarah built what she wanted. “At its largest the house had ~500 rooms.” Today it has roughly 160 rooms, 2,000 doors, 10,000 windows, 47 stairways, 47 fireplaces, 13 bathrooms, and 6 kitchens. Carved wood drapes the walls and ceilings. Stained glass is everywhere. Projects were planned, completed, abandoned, torn down, and rebuilt.

It was anything but aimless. And practical innovations ran throughout, including push-button gas lighting, an early intercom system, steam heating, and indoor gardens. The oddities that amuse today’s visitors were mostly practical accommodations for Sarah’s health (stairways with very small steps), functional designs no longer used (trap doors in greenhouses to route excess water), or quick fixes to damage from the 1906 earthquake.

Winchester passed in 1922. Nine months later, the house became a tourist attraction.

Today, many programmers are Sarah Winchester.

Claude Code’s public GitHub activity

What happens when code is cheap

We aren’t as rich as Sarah Winchester, but when code is this cheap, we don’t need to be.

Jodan Alberts illustrated this recently, collecting and visualizing data detailing public GitHub commits attributed to Claude Code. That’s his data in the chart above, with Claude seeming to only accelerate through March.²

It’s hard to get a handle on individual usage though, so I went searching for a proxy and landed on the chart below:

Average net lines added per commit in Claude Code: 7-day average

After Opus 4.5 and recent work enabling Agent Teams, the average net lines added by Claude per commit is now smooth and steady at 1,000 lines of code per commit.³

1,000 lines of code per commit is ~2 magnitudes higher than what a human programmer writes per day.

If you search for human benchmarks, you’ll find many citing Fred Brooks’s The Mythical Man Month while claiming a good engineer might write 10 cumulative lines of code per day.⁴ If you further explore, you’ll find numbers higher than 10 cited, but generally less than 100.

Here’s a good anecdote from antirez on a Hacker News thread discussing the Brooks “quote”:

I did some trivial math. Redis is composed of 100k lines of code, I wrote at least 70k of that in 10 years. I never work more than 5 days per week and I take 1 month of vacations every year, so assuming I work 22 days every month for 11 months:

70000/(22 x 11 x 10) = ~29 LOC / day

Which is not too far from 10. There are days where I write 300-500 LOC, but I guess that a lot of work went into rewriting stuff and fixing bugs, so I rewrote the same lines again and again over the course of years, but yet I think that this should be taken into account, so the Mythical Man Month book is indeed quite accurate.

Six years after this comment, Claude is pushing 1,000 lines of code per commit.

So what do we do with all this cheap code?

Unfortunately, everything else remains roughly the same cost and roughly the same speed. Feedback hasn’t gotten cheaper; the “eyeballs” that guided the software developed by the bazaar haven’t caught up to AI.

There is only one source of feedback that moves at the speed of AI-generated code: yourself. You’re there to prompt, you’re there to review. You don’t need to recruit testers, run surveys, or manage design partners. You just build what you want and use what you build.

And that’s what many developers are doing with cheap code: building idiosyncratic tools for ourselves, guided by our passions, taste, and needs.

Sound familiar?

Winchester Mystery House, San Jose, California (image by The wub and used here under a Creative Commons license)

Welcome to the mystery house

Steve Yegge’s Gas Town is a Winchester Mystery House. It’s incredibly idiosyncratic and sprawling, rich with metaphors and hacks. It’s the perfect tool for Steve.

Jeffrey Emanuel’s Agent Flywheel is a Winchester Mystery House. A significant subset of tokenmaxxers decide they need to rebuild their dependencies in Rust; Jeff is one such example. His “FrankenSuite” includes Rust rewrites of SQLite, Node.js, btrfs, Redis, pandas, NumPy, JAX, and Torch.

Philip Zeyliger noted the pattern last week, writing, “Everyone is building a software factory.” But it goes beyond software. Garry Tan’s personal AI committee gstack is a Winchester Mystery House constructed mostly from Markdown.

Everywhere you look, there are Winchester Mystery Houses.

Each Winchester Mystery House is idiosyncratic. They are highly personalized. The tightly coupled feedback loop between the coding agent and the user yields software that reflects the developer’s desires. They usually lack documentation. To outsiders, they’re inscrutable.

Winchester Mystery Houses are sprawling. Guided by the needs of the developer, these tools tend to spread out, constantly annexing territory in the form of new functions and new repositories. Work is almost always additive. Code is added when it’s needed, bugs are patched in place, and countless appendages remain. There’s little incentive to prune when code is free.

And building a Winchester Mystery House should be fun. Coding agents turn everything into a side quest, and we eagerly join in. Building the perfect workflow is a passion for many devs, so we keep pushing.

Winchester Mystery Houses are idiosyncratic, sprawling, and fun. But does this mean we’re abandoning the bazaar?

A Crowded Market in Dhaka, Bangladesh (image by International Food Policy Research Institute / 2010 and used here on a Creative Commons license)

What happens to the bazaar?

What happens when we all tend to our mystery houses? When our free time is spent building tools just for ourselves, will we stop working on shared projects? Will we abandon the bazaar?

Probably not. The bazaar is packed right now, but not in a good way.

Code is cheap, so people are slamming open source repositories with agent-written contributions, in an attempt to pad their résumés or manifest their pet features. Daniel Stenberg ended bug bounties for curl after a deluge of poor submissions sapped reviewer bandwidth. It’s gotten so bad, GitHub recently added a feature to disable pull request contributions.

Anecdotally, I’m seeing good contributions pick up as well. They’re just drowned out by the slop. For what it’s worth, curl commits are dramatically up in the agentic era. And people are sharing what they build. A recent analysis by Dumky shows packages and repos rising in the last quarter.

There’s plenty of budget for both mystery houses and the bazaar when code is this cheap. The new challenge is developing systems and processes for managing the deluge. We don’t need eyeballs to find bugs in the software; we need eyeballs to find bugs before they reach the software.

In many ways this is the inverse of the bazaar model era. The internet made feedback and communal coordination faster, easier, and cheaper. The bazaar model has a high throughput of feedback (many eyeballs) but relatively high latency for modifications (file an issue, discuss, submit a PR, wait for review, etc.).

Coding agents, on the other hand, make implementation faster while feedback and coordination are unchanged. The Winchester Mystery House model sidesteps this by collapsing the feedback loop into one person: Latency is near zero, but throughput is just you. The bazaar, defined by communal work, can’t adopt this hack. Coding agents in the bazaar create a mess: implementation at machine speed hitting coordination infrastructure built for human speed. Which is why maintainers feel like they’re drowning.

We need new tools, skills, and conventions.

Lessons from the mystery house

Coding agents have dropped the cost of code so dramatically we’re entering a new era of software development, the first change of this magnitude since the internet kicked off open source software. Change arrived quickly, and it’s not slowing down. But in reviewing the Winchester Mystery House framework, I think we can take away a few lessons.

Lesson 1: The bazaar and Winchester Mystery Houses can coexist.

When listing example Winchester Mystery Houses, I didn’t mention OpenClaw, even though it is the defining example. I saved it for here because it nicely illustrates how Winchester Mystery Houses and the bazaar can coexist.

OpenClaw is incredibly modular and places few limitations on the user. It integrates 25 different chat and notification systems, plugs into most inference end points, and is built on the exceptionally flexible pi agent toolkit. This eager flexibility was embraced early—security and data protections be damned—but since its exponential adoption Peter Steinberger and the community have been steadily pushing improvements and fixes.

And like other breakout open source projects of yore, the ecosystem is adopting the best ideas and mitigating the worst aspects of OpenClaw. Countless alternate “claw” projects have emerged. (There’s NanoClaw, NullClaw, ZeroClaw, and more!) Companies have launched services to make claws easy or safer. Cloudflare launched Moltworker to make deployment easy, Nvidia shipped NemoClaw with a security focus, and Claude keeps adding claw-like features to its desktop app.

Lesson 2: Don’t sell the fun stuff.

One reason OpenClaw works so well in the bazaar is that it is a foundation for personal tools. Out of the box, a claw just sits there. It’s up to the user to determine what it does and how it does it, leveraging the connections and infrastructure OpenClaw provides. OpenClaw lets less experienced developers spin up their own Winchester Mystery Houses, while experienced devs get to leverage much of the common integrations and systems OpenClaw provides. Peter and team have done a great job drawing a line between the common core (what the bazaar works on) and what they leave up to the user: The boring, critical stuff is the job of the commons.

Thinking back to Sarah Winchester and her idiosyncratic, sprawling mansion, we see the same pattern. Sarah hired vendors! She used off-the-shelf parts! Her bathtubs, toilets, faucets, and plumbing weren’t crafted on site.

The boring stuff, the hard bits, or the things that have disastrous failure modes are the things we should collaborate on or employ specialists to handle. (Come to think of it, plumbing checks all three boxes.) This is the opportunity for open source software, dev tools, and software companies.

Don’t try to sell developers the stuff that’s fun, the stuff they want to build. Sell them the stuff they avoid or don’t want to take responsibility for. Sarah Winchester didn’t hire metalworkers to craft the pipes for her plumbing, but she did hire craftspeople to create hundreds of stained-glass windows to her specs.

Lesson 3: The limits of code are communication.

OpenClaw shows the bazaar remains relevant but also highlights the problems facing open source in the agentic era. Right now, there are 1,173 open pull requests and 1,884 new issues on the OpenClaw repo.

There is more code and more projects than we could ever review. The challenge now, for open source maintainers and users, is sifting through it all. How do we find the novel ideas that everyone should adopt and borrow?

OpenClaw is one of the successes, something we all noticed. And for it, the problem is processing the feedback. For the projects we’ll never find, the ones lost in the deluge, their problem is lack of feedback. You either find attention and drown in contributions or drown in the ocean of repos and never hear a thing.

The internet made coordination cheap and gave us the bazaar. Coding agents made implementation cheap and gave us the Winchester Mystery House. What we’re missing are the tools and conventions that make attention cheap, that let maintainers absorb contributions at machine speed and let good ideas surface among the noise. Until we figure this out, the bazaar will keep getting louder without getting smarter, and the best ideas in our mystery houses will be forgotten once we stop maintaining them.


Footnotes

  1. The lore that Winchester built her mansion to house ghosts killed by Winchester rifles is likely just gossip and marketing. There’s little evidence to support these claims. (99% Invisible has a good episode exploring Winchester, her house, and this lore.)
  2. While editing this piece, Dumky published another analysis illustrating the production of coding agents. In it he shows a 280% increase in “Show HN” posts, a 93% increase in new GitHub repos, and a dramatic uptick in packages published to Crates.io.
  3. Anthropic’s ability to stabilize this line is rather impressive. Claude Code is getting better at planning and better at chunking out work, enabling more effective subagent delegation.
  4. Though this is likely an updated tweak of Brooks’s statement that an “industrial team” might write 1,000 “statements” per year.

12:49

Company that Secretly Records and Publishes Zoom Meetings [Schneier on Security]

WebinarTV searches the internet for public Zoom invites, joins the meetings, secretly records them, and publishes (alternate link) the recordings. It doesn’t use the Zoom record feature, so Zoom can’t do anything about it.

10:14

“There is no alternative” [Seth's Blog]

TINA!

This is what Margaret Thatcher said about her draconian free market policies.

It’s an easy thing to tell ourselves about compliance to any dominant system. But it’s incomplete.

The complete sentence is, “There is no alternative unless we’re prepared to endure short-term discomfort as we push back against the dominant system.”

So the real question isn’t, “what’s the alternative?”

The question is: “Can we create the conditions to cause this system to change enough for us to do the long-term work we’re proud of?”

Systems don’t like to be disrupted. Persistent systems push us to believe TINA.

08:28

Stage Delights [Penny Arcade]

New Comic: Stage Delights

06:00

Girl Genius for Friday, April 03, 2026 [Girl Genius]

The Girl Genius comic for Friday, April 03, 2026 has been posted.

04:07

Marco Antoniotti: An Update on MK-DEFSYSTEM [Planet Lisp]

There are still a few of us (at least two) who are using MK:DEFSYSTEM. The venerable system construction tool has accumulated a lot of ancient cruft, some of it quite convoluted.

Recently I went back to MK:DEFSYSTEM and "cleaned up" some of the code, especially regarding the pathname construction for each component.  I also used some simpler hierarchical tricks using defstruct only.

The result should be more solid and clearer in the steps that comprise some "macro tasks". Of course, a rewrite using CLOS would change the coding style, but the choice has been made to keep the MK:DEFSYSTEM code base quite... retro (and somewhat simple).

Why did I go back to MK:DEFSYSTEM? As usual, it is because of a rabbit-hole I fell into: I will blog about it later on (hint: HEΛP).

MK-DEFSYSTEM quick history as of March 2026

MK-DEFSYSTEM (or MK:DEFSYSTEM, or MAKE:DEFSYSTEM) was originally written by Mark Kantrowitz as part of the original "CMU Lisp Utilities" collection; an early "public" set of Common Lisp code and utilities that, in the writer's opinion, forms one of the bases of most Common Lisp writing to date.

As stated (by M. Kantrowitz himself) in this file header, the original version of MK-DEFSYSTEM was inspired by the Symbolics DEFSYSTEM (or DEFSYS) tool. Yet, MK-DEFSYSTEM differs significantly from it.

In its original form, MK-DEFSYSTEM was built in the CLtL1 era, accommodated a lot of variance among filesystems and CL implementations, and it still bears those idiosyncrasies. CLtL2 (1992) first and ANSI (1994) next, started reshaping the code base then.

MK-DEFSYSTEM was originally distributed under a license agreement that made redistribution tricky. In 1999, the writer - that'd be me, Marco Antoniotti - contacted Mark Kantrowitz offering to become a maintainer while reworking the distribution license to hammer some FOSS into it. Mark Kantrowitz graciously agreed and, after that, the writer got literally and physically hugged by a few Common Lisp developers because they could use MK-DEFSYSTEM more freely.

Of course, ASDF came along and it solved the same problems that Symbolics (and Kent Pitman's) DEFSYS and MK-DEFSYSTEM solve, plus much more.

Yet, MK-DEFSYSTEM has some nice features (in the eye of the beholder).

MK-DEFSYSTEM still ships in one file - defsystem.lisp - that you can LOAD in your Common Lisp init file. Of course, a big chunk of its current code base is "backward compatibility" and new ok-we-miss-UIOP-and-or-at-least-CL-FAD functionality, plus an ever growing ongoing commentary like this one.

Given this background, the writer has been maintaining MK-DEFSYSTEM for a long time, and more recently, Madhu has made significant changes (and himself maintains a fork with some bells and whistles of his own) since 2008.

Of course, many other contributors helped over the years, and are acknowledged in the early Change Log and in comments in the code.

In early 2026, the writer cleaned up the code and reworked some of the logic, by factoring out some code from main functions. In particular, the CREATE-COMPONENT-PATHNAMES, GENERATE-COMPONENT-PATHNAMES, COMPONENT-FULL-PATHNAME, COMPONENT-FULL-NAMESTRING interplay is better organized; plus new structures, leveraging the DEFSTRUCT :INCLUDE feature, have been introduced, rendering the code TYPECASE-able.

MK-DEFSYSTEM is old, but it works. It is quirky but it works (at least for the two or three known users - which, in 2026, is already a big chunk of the Common Lisp users' community). Moreover, it does have, at least in the eye of the beholder, a somewhat more user-friendly API for most use cases, especially for plain Common Lisp code.

The current MK-DEFSYSTEM repository is at https://gitlab.common-lisp.net/mantoniotti/mk-defsystem

(*) It is assumed that the reader knows about all the acronyms, tools and systems referred to in the text.


'(cheers)

02:07

Or A Boson [QC RSS]

or a boatswain

01:21

Thursday, 02 April

23:49

23:42

Iran rockets vs US interceptors [Richard Stallman's Political Notes]

The best estimate is that Iran still has roughly 1/3 of its missile stocks and 1/3 of its drone stocks. So much for the bullshitter's bombastic claim to have destroyed nearly all of them.

I think serious people already knew that such claims coming from him were not to be taken seriously.

New pun [Richard Stallman's Political Notes]

New pun:      "Ifs, ands or buts"

After my cataract operations, they gave me a strict rule, "no ifs, ands or buts." But I used those words anyway, and I got conjunctivitis.

23:00

21:49

SFC: What the FCC router ban means for FOSS [LWN.net]

Denver Gingerich of the Software Freedom Conservancy (SFC) has published an article on the impact of the ban on the sale of all new home routers not made in the United States issued by the Federal Communications Commission (FCC). The SFC, of course, is the organization behind the OpenWrt One router.

Since software updates to already-FCC-approved devices do not require a new FCC approval, it appears the FCC is trying to move beyond its usual authorization procedures to restrict what manufacturers are allowed to push to existing routers. However, the FCC notably does not restrict software changes made by owners of routers in the U.S. In particular, there is no indication that updates people make to their own routers, using software they have sourced themselves, would run afoul of any past or present FCC rule.

As a result, we do not believe that this new FCC decision affects whether and how people can run OpenWrt or other user-selected firmware updates on routers they have already purchased. Not only is this an important right in relation to our ownership and control of our own devices, it also ensures that people can keep their routers secure for far longer than the manufacturer may choose to provide security updates, by allowing them to install up-to-date community software that supports routers for 10, 15, or even more years after their initial release date, as OpenWrt does for many devices.

He also notes that, as the OpenWrt One is already FCC-approved, there should be no impact on its availability in the US. The SFC has asked the FCC for clarification and plans to provide updates when they receive a reply.

19:35

Malware in Proprietary Software - Latest Additions [Planet GNU]

The initial injustice of proprietary software often leads to further injustices: malicious functionalities.

The introduction of unjust techniques in nonfree software, such as back doors, DRM, tethering, and others, has become ever more frequent. Nowadays, it is standard practice.

We at the GNU Project show examples of malware that has been introduced in a wide variety of products and dis-services people use every day, and of companies that make use of these techniques.

Here are our latest additions

March 2026

Proprietary Interference

  • Shake Shack requires users of its mobile app to sign away their right to sue the company if they order their meals from their phones.


Potential Malware

  • Meta has been granted a patent to use so-called “Artificial Intelligence” to impersonate human users in social media platforms, for example people who are inactive or dead. To cover itself from predictable controversies, Meta declared that it does not intend to use the technology in the context of those examples. How long before the “invention” is used to impersonate active, living people?


February 2026

HP's Software is Malware


Users can avoid this and other kinds of mistreatment by choosing hardware that comes with free specifications and designs, and by installing only free software in their computers.

Microsoft's Software is Malware

  • Microsoft is pushing Pretend Intelligence onto users of Windows, set up to be able to take real world actions on the user's behalf. This starts with a subset of enthusiasts but the company is probably planning to push it onto everyone.


Since Windows 11, like several previous versions, has a universal back door enabling Microsoft to remotely change the system code, any limits the user specifies for what Microsoft can do to per (the user) are no more than requests. If you don't want to be messed with, you should not run Windows. Nonetheless, Microsoft might heed those requests.

Warning: this article seems to ridicule the idea that users might use a feature to limit what the PI has access to on their own machines.

  • Windows encrypts disks for “security,” but reports all the encryption keys to Microsoft so that the encryption doesn't provide real security. Once Microsoft has these keys, it can't refuse to give them to the FBI. However, for real security you need to be able to use your own choice of keys. Microsoft stops users from doing that.


Malware in Mobile Devices

  • OnePlus 13 and 15 smartphones shipping with ColorOS versions 16.0.3.500/.501/.503 implement an anti-rollback feature which physically renders the device unusable if the owner tries to modify the operating system running in it.


At the time of writing the restriction affects only those two models and only ColorOS, but it is expected that the company may extend it to older models of the phone as well as to OxygenOS, the variant of the operating system installed on phones intended for the global market.

January 2026

Google's Software is Malware


“Bossware” as it's called, explicitly requires nullifying user agency in favor of a third-party (the boss), and therefore requires proprietary software.

Microsoft's Software is Malware


December 2025

Malware In Cars


November 2025

Proprietary Back Doors


Proprietary Censorship

  • Bowing down to the US government, Apple and Google removed from their stores several applications used for reporting ICE raids. Google even tried to justify it by calling ICE thugs a “vulnerable group,” despite them being the ones who carry the weapons.


Proprietary Surveillance

  • An app called ICEBlock tried to set up anonymous posting and anonymous access to data about where US deportation thugs are operating. It didn't keep records about who was using it—but Apple's own records would be enough to make them vulnerable to snooping by the US government to find who uses the app.


Apple later removed ICEBlock from its store at the request of the US government.

19:07

Reproducible Builds (diffoscope): diffoscope 316 released [Planet Debian]

The diffoscope maintainers are pleased to announce the release of diffoscope version 316. This version includes the following changes:

[ Jelle van der Waa ]
* Fix compatibility with LLVM version 22.

[ Chris Lamb ]
* Add some debugging info for PyPI debugging.

You can find out more by visiting the project homepage.

18:49

US Bans All Foreign-Made Consumer Routers [Schneier on Security]

This is for new routers; you don’t have to throw away your existing ones:

The Executive Branch determination noted that foreign-produced routers (1) introduce “a supply chain vulnerability that could disrupt the U.S. economy, critical infrastructure, and national defense” and (2) pose “a severe cybersecurity risk that could be leveraged to immediately and severely disrupt U.S. critical infrastructure and directly harm U.S. persons.”

More information:

Any new router made outside the US will now need to be approved by the FCC before it can be imported, marketed, or sold in the country.

In order to get that approval, companies manufacturing routers outside the US must apply for conditional approval in a process that will require the disclosure of the firm’s foreign investors or influence, as well as a plan to bring the manufacturing of the routers to the US.

Certain routers may be exempted from the list if they are deemed acceptable by the Department of Defense or the Department of Homeland Security, the FCC said. Neither agency has yet added any specific routers to its list of equipment exceptions.

[…]

Popular brands of router in the US include Netgear, a US company, which manufactures all of its products abroad.

One exception to the general absence of US-made routers is the newer Starlink WiFi router. Starlink is part of Elon Musk’s company SpaceX.

Presumably US companies will start making home routers, if they think this policy is stable enough to plan around. But they will be more expensive than routers made in China or Taiwan. Security is never free, but policy determines who pays for it.

17:35

16:35

[$] IPC medley: message-queue peeking, io_uring, and bus1 [LWN.net]

The kernel provides a number of ways for processes to communicate with each other, but they never quite seem to fit the bill for many users. There are currently a few proposals for interprocess communication (IPC) enhancements circulating on the mailing lists. The most straightforward one adds a new system call for POSIX message queues that enables the addition of new features. For those wanting an entirely new way to do interprocess communication, there is a proposal to add a new subsystem for that purpose to io_uring. Finally, the bus1 proposal has made a return after ten years.

16:00

Link [Scripting News]

Please follow me at my new Twitter address: bullmancuso. Whatever anyone thinks of the company the product is still unique, there are people and communities there that I need to communicate with, and I just don't have that kind of network anywhere else.

Link [Scripting News]

My first real post in the New Dave On Twitter, or N-DOT.

Why doesn’t the system let you declare your own messages to have the same semantics as WM_COPYDATA? [The Old New Thing]

In a comment on my discussion on how to return results back from the WM_COPYDATA message, Jan Ringoš observed that it felt wasteful that there was this entire infrastructure for copying blocks of memory via a window message, yet only one message uses it! “I always thought something like EnableWindowMessageDataCopy (HWND, UINT, .) after RegisterWindowMessage and ChangeWindowMessageFilterEx to get application’s own private WM_COPYDATA would be a little more secure and convenient, should the programmer didn’t wish to bother with creating shared memory.”

The infrastructure for copying blocks of memory via a window message is used by far more than just one message! The WM_SETTEXT and WM_GETTEXT messages use it for passing string buffers, the WM_HELP message uses it for passing the HELPINFO structure, the WM_MDICREATE message uses it for passing the MDICREATESTRUCT structure, and plenty more where those came from. The infrastructure for copying blocks of memory had already existed; it wasn’t created just for the WM_COPYDATA message. Adding WM_COPYDATA support was just adding a few lines of code to the common function whose job is to prepare messages to be sent between processes (including copying memory between processes).

Suppose there were a way for a program to declare that one of its custom messages should have (say) its lParam be a pointer to data and its wParam be the size of the data. That could be misleading because the only behavior would be copying the memory block and not the data inside it. For example, if the structure contained pointers, the pointers would just be copied as raw values, rather than adding the pointed-to-data to the memory block and adjusting the pointers to point to the copy. It also doesn’t handle the case of sending the message between programs with different pointer or handle sizes, say between a 32-bit program and a 64-bit program.¹ If you need to copy data structures that consist of anything more than scalars (or aggregates of scalars), you’ll have to do your own marshaling to convert your source data structure into a transfer buffer. In practice, this means that sending the message directly with an as-is buffer is unlikely to be the common case; some type of conversion would have to be made anyway.

Furthermore, the WM_COPYDATA already knew that you wanted to do this, because it left room for it in the COPYDATASTRUCT:

typedef struct tagCOPYDATASTRUCT {
  ULONG_PTR dwData; // ← here
  DWORD     cbData;
  PVOID     lpData;
} COPYDATASTRUCT, *PCOPYDATASTRUCT;

In addition to describing the memory buffer, there is this extra guy called dwData. You can put your “message number” in there, allowing you to multiplex multiple “messages” into a single WM_COPYDATA message.²

You don’t need EnableWindowMessageDataCopy because you already have it at home. The window manager is more concerned with enabling things that weren’t possible before, rather than making it easier to do things that are already possible. For that, you can use a helper library.
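
The marshaling described above, as an added example that is not code from the original post: a pointer-bearing structure is flattened into a fixed-width transfer buffer, dwData carries the message number, and the receiver checks every length before copying. `CopyData` is a portable stand-in for COPYDATASTRUCT so the block builds without `<windows.h>`, and `MSG_ADD_USER`, `MAX_FIELD`, `User` and `UserWire` are hypothetical names.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the COPYDATASTRUCT fields shown above so this builds without
   <windows.h>; in a real program use COPYDATASTRUCT and SendMessage. */
typedef struct {
    uintptr_t dwData;  /* multiplexed "message number" */
    uint32_t  cbData;  /* size of the transfer buffer in bytes */
    void     *lpData;  /* flat transfer buffer */
} CopyData;

enum { MSG_ADD_USER = 2 };   /* hypothetical message number */
enum { MAX_FIELD = 256 };    /* hypothetical per-string limit */

/* Source structure: holds pointers, so a raw byte copy would ship addresses
   that mean nothing in the receiving process. */
typedef struct {
    uint32_t    id;
    const char *name;
    const char *email;
} User;

/* Transfer header: fixed-width scalars only, so 32-bit and 64-bit peers
   agree on the layout. The string bytes follow it back to back. */
typedef struct {
    uint32_t id;
    uint32_t name_len;
    uint32_t email_len;
} UserWire;

/* Sender side: flatten a User into one heap buffer. Caller frees lpData. */
int marshal_user(const User *u, CopyData *out)
{
    size_t nlen = strlen(u->name), elen = strlen(u->email);
    if (nlen > MAX_FIELD || elen > MAX_FIELD)
        return -1;
    UserWire hdr = { u->id, (uint32_t)nlen, (uint32_t)elen };
    size_t total = sizeof hdr + nlen + elen;
    unsigned char *buf = malloc(total);
    if (buf == NULL)
        return -1;
    memcpy(buf, &hdr, sizeof hdr);
    memcpy(buf + sizeof hdr, u->name, nlen);
    memcpy(buf + sizeof hdr + nlen, u->email, elen);
    out->dwData = MSG_ADD_USER;
    out->cbData = (uint32_t)total;
    out->lpData = buf;
    return 0;
}

/* Receiver side: any process that can send the message controls dwData,
   cbData and the buffer contents, so check every length before copying.
   name and email must each have room for MAX_FIELD + 1 bytes. */
int unmarshal_user(const CopyData *cd, uint32_t *id, char *name, char *email)
{
    UserWire hdr;
    if (cd->dwData != MSG_ADD_USER || cd->lpData == NULL)
        return -1;                         /* not our message */
    if (cd->cbData < sizeof hdr)
        return -2;                         /* too short for the header */
    memcpy(&hdr, cd->lpData, sizeof hdr);  /* memcpy avoids alignment traps */
    if (hdr.name_len > MAX_FIELD || hdr.email_len > MAX_FIELD)
        return -3;                         /* field exceeds the agreed limit */
    /* 64-bit sum cannot wrap; the lengths must account for every byte sent */
    if ((uint64_t)sizeof hdr + hdr.name_len + hdr.email_len != cd->cbData)
        return -4;
    const unsigned char *p = (const unsigned char *)cd->lpData + sizeof hdr;
    memcpy(name, p, hdr.name_len);
    name[hdr.name_len] = '\0';
    memcpy(email, p + hdr.name_len, hdr.email_len);
    email[hdr.email_len] = '\0';
    *id = hdr.id;
    return 0;
}

/* Constructed sample: marshal one record, optionally tamper, then unmarshal. */
int demo(int tamper)
{
    User u = { 7, "alice", "alice@example.test" };
    CopyData cd;
    uint32_t id = 0;
    char name[MAX_FIELD + 1], email[MAX_FIELD + 1];
    if (marshal_user(&u, &cd) != 0)
        return -100;
    if (tamper == 1) cd.cbData -= 1;                            /* truncated */
    if (tamper == 2) ((UserWire *)cd.lpData)->name_len = 0xFFFFFFFFu;
    if (tamper == 3) cd.dwData = 99;                            /* unknown message */
    int rc = unmarshal_user(&cd, &id, name, email);
    if (rc == 0 && (id != 7 || strcmp(name, "alice") != 0 ||
                    strcmp(email, "alice@example.test") != 0))
        rc = -101;
    free(cd.lpData);
    return rc;
}

int main(void) { return demo(0) == 0 ? 0 : 1; }
```

The header uses native byte order, which is sufficient because both processes run on the same machine.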

Bonus chatter: In addition to adding complexity to the window manager implementation, allowing programs to customize how messages are marshaled between processes would also make it harder to explain how inter-process marshaling works. Instead of the simple rule “The system marshals messages in the system range, but not messages in the user-defined range,” it would be a much more ambiguous rule: “The system marshals messages in the system range, but not messages in the user-defined range, unless those messages have been customized by a call to EnableWindowMessageDataCopy, in which case they marshal by this alternate set of rules.” So now when you look at a message, you can’t tell how it marshals. You’d have to go back to the documentation for the message and hope the person who wrote the documentation remembered to go back and add a section to each page to say whether it follows custom marshaling.

¹ Or between a 16-bit program and a 32-bit program, which was the more common case back in the days when WM_COPYDATA was designed. In 16-bit code, an int is a 16-bit integer, whereas it’s a 32-bit value in 32-bit code.

² If the dwData was intended to be a message number, why is it pointer-sized? For the same reason timer IDs and dialog control IDs are 64-bit values: “Pointers are like weeds. Anywhere it’s possible to fit a pointer, a pointer will try to squeeze in there.” In this case, people were putting handles (which are pointer-sized) in the dwData, so we had to make it big enough to hold a handle.


15:14

Link [Scripting News]

Continuing, isn't it a shame that CloudFlare didn't take a different approach? What if they had created a fantastic WordPress runtime, which seems to be where most of their effort went, and that's where their expertise lies, not in crafting new user experiences. A service you could buy from CloudFlare, along with all the other services, that does a fantastic job of running WordPress sites. The customer wouldn't need to know how it worked behind the scenes. Yes, that would still be competing with existing WordPress vendors, they make money off runtimes, but for the users it would mean they could keep using WordPress the way they always have, and the result would run better. That they didn't do it this way, that it's all-or-nothing, might turn out to be the reason the product doesn't take off. It's a serious consideration. On the other hand there probably are a few WordPress users that would like to try something new out, esp if the cost of conversion is near zero (which they kind of claim it is).

Link [Scripting News]

When I think of "Slack" my brain immediately translates it to "AOL." I'm not kidding.

15:07

Exelbierd: What's actually in a Sashiko review? [LWN.net]

Brian "bex" Exelbierd has published a blog post exploring follow-up questions raised by the recent debate about the use of the LLM-based review tool Sashiko in the memory-management subsystem. His main finding is that Sashiko reviews are bi-modal with regards to whether they contain reports about code not directly changed by the patch set — most do not, but the ones that do often have several such comments.

Hypothesis 1: Reviewers are getting told about bugs they didn't create. Sashiko's review protocol explicitly instructs the LLM to read surrounding code, not just the diff. That's good review practice — but it means the tool might flag pre-existing bugs in code the patch author merely touched, putting those problems in their inbox.

Hypothesis 2: The same pre-existing bugs surface repeatedly. If a known issue in a subsystem doesn't get fixed between review runs, every patch touching nearby code could trigger the same finding. That would create a steady drip of duplicate noise across the mailing list.

I pulled data from Sashiko's public API and tested both.

14:28

Link [Scripting News]

Yesterday I wrote about AI introducing doubt with something as fundamental as how software is created now with the advent of AI software that can be used effectively to write software. Behind that I wondered if the open source developers of WordPress had changed their methodology? Is their codebase managed by ChatGPT now or Claude.ai? Not only did I get the answer to that question overnight (yes, they have made the change), but there was an announcement of a new WordPress competitor, something that hasn't come along in decades, actually. It's called EmDash from CloudFlare. I read their announcement, and then asked ChatGPT to walk through an analysis of it with me. Here's a link to the conversation, hope you can read it. It understood my concerns. Is this something that can work with my product WordLand? Short answer: No, not as-is. It apparently doesn't support the wpcom api that we use to connect to WordPress. By design, you can import WordPress sites into EmDash, but they don't interop with each other. It's for moments like this that I have my WordPress news FeedLand flow. Already there has been some analysis. No doubt anything written today is going to seem sketchy in the days to come, first impressions don't usually end up meaning much, even so I'm anxious to read what other people think. Meanwhile I'm thinking that maybe I should shift gears back to working on FeedLand, thinking that the WordPress world is too shaky now to try to introduce something new there. Likelihood of success is decreasing every day it seems.

14:21

OpenSSH 10.3 released [LWN.net]

OpenSSH 10.3 has been released. Among the many changes in this release are a security fix to address late validation of metacharacters in user names, removal of bug compatibility for SSH implementations that do not support rekeying, and a fix to ensure that scp clears setuid/setgid bits from downloaded files when operating as root in legacy (-O) mode. See the release announcement for a full list of new features, bug fixes, and potentially incompatible changes.

Security updates for Thursday [LWN.net]

Security updates have been issued by AlmaLinux (python3.11, python3.12, squid, and thunderbird), Debian (gst-plugins-bad1.0 and gst-plugins-ugly1.0), Fedora (bpfman, crun, gnome-remote-desktop, polkit, python3.14, rust-rustls-webpki, rust-sccache, rust-scx_layered, rust-scx_rustland, rust-scx_rusty, and scap-security-guide), Oracle (freerdp, gstreamer1-plugins-bad-free, gstreamer1-plugins-base, gstreamer1-plugins-good, gstreamer1-plugins-ugly-free, kernel, libxslt, python3.11, python3.12, squid, and thunderbird), SUSE (389-ds, busybox, chromium, cosign, curl, docker-compose, exiv2, expat, firefox, freerdp, freerdp2, gstreamer-plugins-ugly, harfbuzz, heroic-games-launcher, ImageMagick, kea, keylime, libjxl, librsvg, libsodium, libsoup, net-snmp, net-tools, netty, nghttp2, poppler, postgresql13, postgresql16, postgresql17, postgresql18, protobuf, python-black, python-orjson, python-pyasn1, python-pyOpenSSL, python-tornado, python-tornado6, python311-nltk, thunderbird, tomcat10, tomcat11, vim, and xen), and Ubuntu (kernel, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-raspi, linux-raspi-realtime, rust-cargo-c, rust-tar, and undertow).

New stable kernels for Thursday [LWN.net]

Greg Kroah-Hartman has released the 6.19.11, 6.18.21, 6.12.80, and 6.6.131 stable kernels, followed by a quick release of 6.6.132 with two patches reverted to address a problem building the rust core in 6.6.131. Each kernel contains important fixes; users are advised to upgrade.

13:49

CodeSOD: One Case [The Daily WTF]

I feel like we've gotten a few SQL case statement abuses recently, but a properly bad one continues to tickle me. Ken C sends us one that, well:

SELECT CASE h.DOCUMENTTYPE
        WHEN 2 THEN 3 WHEN 3 THEN 4 WHEN 4 THEN 5
        WHEN 5 THEN 6 WHEN 6 THEN 7 WHEN 7 THEN 8
        ELSE h.DOCUMENTTYPE
    END AS DocumentType,
    h.DOCNMBR AS DocNmbr,
    h.FULLPOLICY AS FullPolicy,
    h.BATCHID AS BatchId,
    h.OrigBatchId,
    h.UPDATEDDATE AS UpdatedDate,
    h.CUSTOMERNO AS CustomerNo,
    h.PROJECTID AS ProjectID,
    h.AMOUNT AS Amount

On one hand, I can't say "just add one", because clearly sometimes they don't want to add one. On the other hand, there's an element of looking at this and knowing: well, something absolutely stupid has happened here. Maybe it was two disjoint databases getting merged. Maybe it was just once upon a time, when this database was a spreadsheet, the user responsible did a weird thing. Maybe some directive changed the document type numbering. Hell, maybe that ELSE clause never gets triggered, and we actually could just do arithmetic.


13:42

The Toolkit Pattern [Radar]

This is the third article in a series on agentic engineering and AI-driven development. Read part one here, part two here, and look for the next article on April 15 on O’Reilly Radar.

The toolkit pattern is a way of documenting your project’s configuration so that any AI can generate working inputs from a plain-English description. You and the AI create a single file that describes your tool’s configuration format, its constraints, and enough worked examples to make that possible. You build it iteratively, working with the AI (or, better, multiple AIs) to draft it. You test it by starting a fresh AI session and trying to use it, and every time that fails you grow the toolkit from those failures. When you build the toolkit well, your users will never need to learn how your tool’s configuration files work, because they describe what they want in conversation and the AI handles the translation. That means you don’t have to compromise on the way your project is configured, because the config files can be more complex and more complete than they would be if a human had to edit and understand them.

To understand why all of this matters, let me take you back to the mid-1980s.

I was 12 years old, and our family got an AT&T PC 6300, an IBM-compatible that came with a user’s guide roughly 159 pages long. Chapter 4 of that manual was called “What Every User Should Know.” It covered things like how to use the keyboard, how to care for your diskettes, and, memorably, how to label them, complete with hand-drawn illustrations and really useful advice, like how you should only use felt-tipped pens, never ballpoint, because the pressure might damage the magnetic surface.

A page from the AT&T PC 6300 User’s Guide, Chapter 4: “Labeling Diskettes”

I remember being fascinated by this manual. It wasn’t our first computer. I’d been writing BASIC programs and dialing into BBSs and CompuServe for a couple of years, so I knew there were all sorts of amazing things you could do with a PC, especially one with a blazing fast 8MHz processor. But the manual barely mentioned any of that. That seemed really weird to me, even as a kid, that you would give someone a manual that had a whole page on using the backspace key to correct typing mistakes (really!) but didn’t actually tell them how to use the thing to do anything useful.

That’s how most developer documentation works. We write the stuff that’s easy to write—installation, setup, the getting-started guide—because it’s a lot easier than writing the stuff that’s actually hard: the deep explanation of how all the pieces fit together, the constraints you only discover by hitting them, the patterns that separate a configuration that works from one that almost works. This is yet another “looking for your keys under the streetlight” problem: We write the documentation we write because it’s easiest to write, even if it’s not really the documentation our users need.

Developers who came up through the Unix era know this well. Man pages were thorough, accurate, and often completely impenetrable if you didn’t already know what you were doing. The tar man page is the canonical example: It documents every flag and option in exhaustive detail, but if you just want to know how to extract a .tar.gz file, it’s almost useless. (The right flag is -xzvf in case you’re curious.) Stack Overflow exists in large part because man pages like tar’s left a gap between what the documentation said and what developers actually needed to know.

And now we have AI assistants. You can ask Claude or ChatGPT about, say, Kubernetes, Terraform, or React, and you’ll actually get useful answers, because those are all established projects that have been written about extensively and the training data is everywhere.

But AI hits a hard wall at the boundary of its training data. If you’ve built something new—a framework, an internal platform, a tool your team created—no model has ever seen it. Your users can’t ask their AI assistant for help, because the AI doesn’t know your thing even exists.

There’s been a lot of great work moving AI documentation in the right direction. AGENTS.md tells AI coding agents how to work on your codebase, treating the AI as a developer. llms.txt gives models a structured summary of your external documentation, treating the AI as a search engine. What’s been missing is a practice for treating the AI as a support engineer. Every project needs configuration: input files, option schemas, workflow definitions, usually in the form of a whole bunch of JSON or YAML files with cryptic formats that users have to learn before they can do anything useful.

The toolkit pattern solves that problem of getting AIs to write configuration files for a project that isn’t in its training data. It consists of a documentation file that teaches any AI enough about your project’s configuration that it can generate working inputs from a plain-English description, without your users ever having to learn the format themselves. Developers have been arriving at this same pattern (or something very similar) independently from different directions, but as far as I can tell, nobody has named it or described a methodology for doing it well. This article distills what I learned from building the toolkit for Octobatch pipelines into a set of practices you can apply to your own projects.

Build the AI its own manual

Traditionally, developers face a trade-off with configuration: keep it simple and easy to understand, or let it grow to handle real complexity and accept that it now requires a manual. The toolkit pattern emerged for me while I was building Octobatch, the batch-processing orchestrator I’ve been writing about in this series. As I described in the previous articles in this series, “The Accidental Orchestrator” and “Keep Deterministic Work Deterministic,” Octobatch runs complex multistep LLM pipelines that generate files or run Monte Carlo simulations. Each pipeline is defined using a complex configuration that consists of YAML, Jinja2 templates, JSON schemas, expression steps, and a set of rules tying it all together. The toolkit pattern let me sidestep that traditional trade-off.

As Octobatch grew more complex, I found myself relying on the AIs (Claude and Gemini) to build configuration files for me, which turned out to be genuinely valuable. When I developed a new feature, I would work with the AIs to come up with the configuration structure to support it. At first I defined the configuration, but by the end of the project I relied on the AIs to come up with the first cut, and I’d push back when something seemed off or not forward-looking enough. Once we all agreed, I would have an AI produce the actual updated config for whatever pipeline we were working on. This move to having the AIs do the heavy lifting of writing the configuration was really valuable, because it let me create a very robust format very quickly without having to spend hours updating existing configurations every time I changed the syntax or semantics.

At some point I realized that every time a new user wanted to build a pipeline, they faced the same learning curve and implementation challenges that I’d already worked through with the AIs. The project already had a README.md file, and every time I modified the configuration I had an AI update it to keep the documentation up to date. But by this time, the README.md file was doing way too much work: It was really comprehensive but a real headache to read. It had eight separate subdocuments showing the user how to do pretty much everything Octobatch supported, and the bulk of it was focused on configuration, and it was becoming exactly the kind of documentation nobody ever wants to read. That particularly bothered me as a writer; I’d produced documentation that was genuinely painful to read.

Looking back at my chats, I can trace how the toolkit pattern developed. My first instinct was to build an AI-assisted editor. About four weeks into the project, I described the idea to Gemini:

I’m thinking about how to provide any kind of AI-assisted tool to help people create their own pipeline. I was thinking about a feature we would call “Octobatch Studio” where we make it easy to prompt for modifying pipeline stages, possibly assisting in creating the prompts. But maybe instead we include a lot of documentation in Markdown files, and expect them to use Claude Code, and give lots of guidance for creating it.

I can actually see the pivot to the toolkit pattern happening in real time in this later message I sent to Claude. It had sunk in that my users could use Claude Code, Cursor, or another AI as interactive documentation to build their configs exactly the same way I’ve been doing:

My plan is to use Claude Code as the IDE for creating new pipelines, so people who want to create them can just spin up Claude Code and start generating them. That means we need to give Claude Code specific context files to tell it everything it needs to know to create the pipeline YAML config with asteval expressions and Jinja2 template files.

The traditional trade-off between simplicity and flexibility comes from cognitive overhead: the cost of holding all of a system’s rules, constraints, and interactions in your head while you work with it. It’s why many developers opt for simpler config files, so they don’t overload their users (or themselves). Once the AI was writing the configuration, that trade-off disappeared. The configs could get as complicated as they needed to be, because I wasn’t the one who had to remember how all the pieces fit together. At some point I realized the toolkit pattern was worth standardizing.

That toolkit-based workflow—users describe what they want, the AI reads TOOLKIT.md and generates the config—is the core of the Octobatch user experience now. A user clones the repo and opens Claude Code, Cursor, or Copilot, the same way they would with any open source project. Every configuration prompt starts the same way: “Read pipelines/TOOLKIT.md and use it as your guide.” The AI reads the file, understands the project structure, and guides them step by step.

To see what this looks like in practice, take the Drunken Sailor pipeline I described in “The Accidental Orchestrator.” It’s a Monte Carlo random walk simulation: A sailor leaves a bar and stumbles randomly toward the ship or the water. The pipeline configuration for that involves multiple YAML files, JSON schemas, Jinja2 templates, and expression steps with real mathematical logic, all wired together with specific rules.

Drunken Sailor is Octobatch’s simplest “Hello, World!” Monte Carlo pipeline, but it still has 148 lines of config spread across four files.

Here’s the prompt that generated all of that. The user describes what they want in plain English, and the AI produces the entire configuration by reading TOOLKIT.md. This is the exact prompt I gave Claude Code to generate the Drunken Sailor pipeline—notice the first line of the prompt, telling it to read the toolkit file.

You don’t need to know Octobatch to understand the prompt I used to create the Drunken Sailor pipeline.

But configuration generation is only half of what the toolkit file does. Users can also upload TOOLKIT.md and PROJECT_CONTEXT.md (which has information about the project) to any AI assistant—ChatGPT, Gemini, Claude, Copilot, whatever they prefer—and use it as interactive documentation. A pipeline run finished with validation failures? Upload the two files and ask what went wrong. Stuck on how retries work? Ask. You can even paste in a screenshot of the TUI and say, “What do I do?” and the AI will read the screen and give specific advice. The toolkit file turns any AI into an on-demand support engineer for your project.

The toolkit helps turn ChatGPT into an AI manual that helps with Octobatch.

What the Octobatch project taught me about the toolkit pattern

Building the generative toolkit for Octobatch produced more than just documentation that an AI could use to create configuration files that worked; it also yielded a set of practices, and those practices turn out to be pretty consistent regardless of what kind of project you’re building. Here are the five that mattered most:

  • Start with the toolkit file and grow it from failures. Don’t wait until the project is finished to write the documentation. Create the toolkit file first, then let each real failure add one principle at a time.
  • Let the AI write the config files. Your job is product vision—what the project should do and how it should feel. The AI’s job is translating that into valid configuration.
  • Keep guidance lean. State the principle, give one concrete example, move on. Every guardrail costs tokens, and bloated guidance makes AI performance worse.
  • Treat every use as a test. There’s no separate testing phase for documentation. Every time someone uses the toolkit file to build something, that’s a test of whether the documentation works.
  • Use more than one model. Different models catch different things. In a three-model audit of Octobatch, three-quarters of the defects were caught by only one model.

I’m not proposing a standard format for a toolkit file, and I think trying to create one would be counterproductive. Configuration formats vary wildly from tool to tool—that’s the whole problem we’re trying to solve—and a toolkit file that describes your project’s building blocks is going to look completely different from one that describes someone else’s. What I found is that the AI is perfectly capable of reading whatever you give it, and is probably better at writing the file than you are anyway, because it’s writing for another AI. These five practices should help build an effective toolkit regardless of what your project looks like.

Start with the toolkit file and grow it from failures

You can start building a toolkit at any point in your project. The way it happened for me was organic: After weeks of working with Claude and Gemini on Octobatch configuration, the knowledge about what worked and what didn’t was scattered across dozens of chat sessions and context files. I wrote a prompt asking Gemini to consolidate everything it knew about the config format—the structure, the rules, the constraints, the examples, everything we’d talked about—into a single TOOLKIT.md file. That first version wasn’t great, but it was a starting point, and every failure after that made it better.

I didn’t plan the toolkit from the beginning of the Octobatch project. It started because I wanted my users to be able to build pipelines the same way I had—by working with an AI—but everything they’d need to do that was spread across months of chat logs and the CONTEXT.md files I’d been maintaining to bootstrap new development sessions. Once I had Gemini consolidate everything into a single TOOLKIT.md file and had Claude review it, I treated it the way I treat any other code: Every time something broke, I found the root cause, worked with the AIs to update the toolkit to account for it, and verified that a fresh AI session could still use it to generate valid configuration.

That incremental approach worked well for me, and it let me test my toolkit the way I test any other code: try it out, find bugs, fix them, rinse, repeat.

You can do the same thing. If you’re starting a new project, you can plan to create the toolkit at the end. But it’s more effective to start with a simple version early and let it emerge over the course of development. That way you’re dogfooding it the whole time instead of guessing what users will need.

Let the AI write the config files (but stay in control!)

Early Octobatch pipelines had simple enough configuration that a human could read and understand them, but not because I was writing them by hand. One of the ground rules I set for the Octobatch experiment in AI-driven development was that the AIs would write all of the code, and that included writing all of the configuration files. The problem was that even though they were doing the writing, I was unconsciously constraining the AIs: pushing back on anything that felt too complex, steering toward structures I could still hold in my head.

At some point I realized my pushback was placing an artificial limit on the project. The whole point of having AIs write the config was that I didn’t need to keep every single line in my head—it was okay to let the AIs handle that level of complexity. Once I stopped constraining them, the cognitive overhead limit I described earlier went away. I could have full pipelines defined in config, including expression steps with real mathematical logic, without needing to hold all the rules and relationships in my head.

Once the project really got rolling, I never wrote YAML by hand again. The cycle was always: need a feature, discuss it with Claude and Gemini, push back when something seemed off, and one of them produces the updated config. My job was product vision. Their job was translating that into valid configuration. And every config file they wrote was another test of whether the toolkit actually worked.

This job delineation, however, meant inevitable disagreements between me and the AI, and it’s not always easy to find yourself disagreeing with a machine because they’re surprisingly stubborn (and often shockingly stupid). It required persistence and vigilance to stay in control of the project, especially when I turned over large responsibilities to the AIs.

The AIs consistently optimized for technical correctness—separation of concerns, code organization, effort estimation—which was great, because that’s the job I asked them to do. I optimized for product value. I found that keeping that value as my north star and always focusing on building useful features consistently helped with these disagreements.

Keep guidance lean

Once you start growing the toolkit from failures, the natural progression is to overdocument everything. Generative AIs are biased toward generating, and it’s easy to let them get carried away with it. Every bug feels like it deserves a warning, every edge case feels like it needs a caveat, and before long your toolkit file is bloated with guardrails that cost tokens without adding much value. And since the AI is the one writing your toolkit updates, you need to push back on it the same way you push back on architecture decisions. AIs love adding WARNING blocks and exhaustive caveats. The discipline you need to bring is telling them when not to add something.

The right level is to state the principle, give one concrete example, and trust the AI to apply it to new situations. When Claude Code made a choice about JSON schema constraints that I might have second-guessed, I had to decide whether to add more guardrails to TOOLKIT.md. The answer was no—the guidance was already there, and the choice it made was actually correct. If you keep tightening guardrails every time an AI makes a judgment call, the signal gets lost in the noise and performance gets worse, not better. When something goes wrong, the impulse—for both you and the AI—is to add a WARNING block. Resist it. One principle, one example, move on.

Treat every use as a test

There was no separate “testing phase” for Octobatch’s TOOLKIT.md. Every pipeline that I created with it was a new test. After the very first version, I opened a fresh Claude Code session that had never seen any of my development conversations, pointed it at the newly minted TOOLKIT.md, and asked it to build a pipeline. The first time I tried it, I was surprised at how well it worked! So I kept using it, and as the project rolled along, I updated it with every new feature and tested those updates. When something failed, I traced it back to a missing or unclear rule in the toolkit and fixed it there.

That’s the practical test for any toolkit: open a fresh AI session with no context beyond the file, describe what you want in plain English, and see if the output works. If it doesn’t, the toolkit has a bug.

Use more than one model

When you’re building and testing your toolkit, don’t just use one AI. Run the same task through a second model. A good pattern that worked for me was consistently having Claude generate the toolkit and Gemini check its work.

Different models catch different things, and this matters for both developing and testing the toolkit. I used Claude and Gemini together throughout Octobatch development, and I overruled both when they were wrong about product intent. You can do the same thing: If you work with multiple AIs throughout your project, you’ll start to get a feel for the different kinds of questions they’re good at answering.

When you have multiple models generate config from the same toolkit independently, you find out fast where your documentation is ambiguous. If two models interpret the same rule differently, the rule needs rewriting. That’s a signal you can’t get from using just one model.

The manual, revisited

That AT&T PC 6300 manual devoted a full page to labeling diskettes, which may have been overkill, but it got one thing right: it described the building blocks and trusted the reader to figure out the rest. It just had the wrong reader in mind.

The toolkit pattern is the same idea, pointed at a different audience. You write a file that describes your project’s configuration format, its constraints, and enough worked examples that any AI can generate working inputs from a plain-English description. Your users never have to learn YAML or memorize your schema, because they have a conversation with the AI and it handles the translation.

If you’re building a project and you want AI to be able to help your users, start here: write the toolkit file before you write the README, grow it from real failures instead of trying to plan it all upfront, keep it lean, test it by using it, and use more than one model because no single AI catches everything.

The AT&T manual’s Chapter 4 was called “What Every User Should Know.” Your toolkit file is “What Every AI Should Know.” The difference is that this time, the reader will actually use it.

In the next article, I’ll start with a statistic about developer trust in AI-generated code that turned out to be fabricated by the AI itself—and use that to explain why I built a quality playbook that revives the traditional quality practices most teams cut decades ago. It explores an unfamiliar codebase, generates a complete quality infrastructure—tests, review protocols, validation rules—and finds real bugs in the process. It works across Java, C#, Python, and Scala, and it’s available as an open source Claude Code skill.

12:07

Pluralistic: It's extremely good that Claude's source-code leaked (02 Apr 2026) [Pluralistic: Daily links from Cory Doctorow]


A hand-tinted picture of a 1950s Univac control room, the walls lined with computer cabinets, a male operator in a suit seated at a steel desk replete with control knobs and an oscilloscope. The image has been altered. A shiny robot is bursting out of a hole in the checked floor; the back wall bears the Anthropic logo, and the main computer cabinet now has the Claude Code logo.

It's extremely good that Claude's source-code leaked (permalink)

Anthropic's developers made an extremely basic configuration error, and as a result, the source-code for Claude Code – the company's flagship coding assistant product – has leaked and is being eagerly analyzed by many parties:

https://news.ycombinator.com/item?id=47586778

In response, Anthropic is flooding the internet with "takedown notices." These are a special kind of copyright-based censorship demand established by section 512 of the 1998 Digital Millennium Copyright Act (DMCA 512), allowing for the removal of material without any kind of evidence, let alone a judicial order:

https://www.removepaywall.com/search?url=https://www.wsj.com/tech/ai/anthropic-races-to-contain-leak-of-code-behind-claude-ai-agent-4bc5acc7

Copyright is a "strict liability" statute, meaning that you can be punished for violating copyright even if you weren't aware that you had done so. What's more, "intermediaries" – like web hosts, social media platforms, search engines, and even caching servers – can be held liable for the copyright violations their users engage in. The liability is tremendous: the DMCA provides for $150,000 per infringement.

DMCA 512 is meant to offset this strict liability. After all, there's no way for a platform to know whether one of its users is infringing copyright – even if a user uploads a popular song or video, the provider can't know whether they've licensed the work for distribution (or even if they are the creator of that work). A cumbersome system in which users would upload proof that they have such a license wouldn't just be onerous – it would still permit copyright infringement, because there's no way for an intermediary to know whether the distribution license the user provided was genuine.

As a compromise, DMCA 512 absolves intermediaries from liability, if they "expeditiously remove" material upon notice that it infringes someone's copyright. In practice, that means that anyone can send a notice to any intermediary and have anything removed from the internet. The intermediary who receives this notice can choose to ignore it, but if the notice turns out to be genuine, they can end up on the hook for $150,000 per infringement. The intermediary can also choose to allow their user to "counternotify" (dispute the accusation) and can choose to reinstate the material, but they don't have to. Just as an intermediary can't determine whether a user has the rights to the things they post, they also can't tell if the person on the other end of a takedown notice has the right to demand its removal. In practice, this means that a takedown notice, no matter how flimsy, has a very good chance of making something disappear from the internet – forever.

From the outset, DMCA 512 was the go-to tool for corporate censorship, the best way to cover up misdeeds. I first got involved in this back in 2003, when leaked email memos from Diebold's voting machine division revealed that the company knew that its voting machines were wildly insecure, but they were nevertheless selling them to local election boards across America, who were scrambling to replace their mechanical voting machines in the wake of the 2000 Bush v Gore "hanging chad" debacle, which led to Bush stealing the presidency:

https://en.wikipedia.org/wiki/Brooks_Brothers_riot

The stakes couldn't be higher, in other words. Diebold – whose CEO was an avowed GW Bush partisan who'd promised to "deliver the votes for Bush" – was the country's leading voting machine supplier. The company knew its voting machines were defective, that they frequently crashed and lost their vote counts on election night, and that Diebold technicians were colluding with local electoral officials to secretly "estimate" the lost vote totals so that no one would hold either the official or Diebold responsible for these defective machines:

https://www.salon.com/2003/09/23/bev_harris/

Diebold sent thousands of DMCA 512 takedown notices in an attempt to suppress the leaked memos. Eventually, EFF stepped in to provide pro-bono counsel to the Online Policy Group and ended Diebold's flood:

https://www.eff.org/cases/online-policy-group-v-diebold

Diebold wasn't the last company to figure out how to abuse copyright to censor information of high public interest. There's a whole industry of shady "reputation management" companies that collect large sums in exchange for scrubbing the internet of information their clients want removed from the public eye. They specialize in sexual abusers, war criminals, torturers, and fraudsters, and their weapon of choice is the takedown notice. Jeffrey Epstein spent tens of thousands of dollars on "reputation management" services to clean up his online profile:

https://www.nytimes.com/2026/03/18/business/media/jeffrey-epstein-online.html

There are lots of ways to use the takedown system to get true information about your crimes removed from the internet. My favorite is the one employed by Eliminalia, one of the sleazier reputation laundries (even by the industry's dismal standards).

Eliminalia sets up WordPress sites and copies press articles that cast its clients in an unfavorable light to these sites, backdating them so they appear to have been published before the originals. They swap out the bylines for fictitious ones, then send takedowns to Google and other search engines to get the "infringing" stories purged from their search indices. Once the original articles have been rendered invisible to internet searchers, Eliminalia takes down their copy, and the story of their client's war crimes, rapes, or fraud disappears from the public eye:

https://pluralistic.net/2021/04/23/reputation-laundry/#dark-ops

The takedown system is so tilted in favor of censorship that it takes a massive effort to keep even the smallest piece of information online in the face of a determined adversary. In 2007, the key for AACS (a way of encrypting video for "digital rights management") leaked online. The key was a 16-digit number, the kind of thing you could fit in a crossword puzzle, but the position of the industry consortium that created the key was that this was an illegal integer. They sent hundreds of thousands of takedowns over the number, and it was only the determined action of an army of users that kept the number online:

https://en.wikipedia.org/wiki/AACS_encryption_key_controversy

The shoot-first, ask-questions-never nature of takedown notices makes for fertile ground for scammers of all kinds, but the most ironic takedown ripoffs are the Youtube copystrike blackmailers.

After Viacom sued Youtube in 2007 over copyright infringement, Google launched its own in-house copyright management system, meant to address Viacom's principal grievance in the suit. Viacom was angry that after they had something removed from Youtube, another user could re-upload it, and they'd have to send another takedown, playing Whac-A-Mole with the whole internet. Viacom didn't want a takedown system, they wanted a staydown system, whereby they could supply Google with a list of the works whose copyrights they controlled and then Youtube would prevent anyone from uploading those works.

(This was extremely funny, because Viacom admitted in court that its marketing departments would "rough up" clips of its programming and upload them to Youtube, making them appear to be pirate copies, in a bid to interest Youtube users in Viacom's shows, and sometimes Viacom's lawyers would get confused and send threatening letters to Youtube demanding that these be removed:)

https://blog.youtube/news-and-events/broadcast-yourself/

Youtube's notice-and-staydown system is Content ID, an incredibly baroque system that allows copyright holders (and people pretending to be copyright holders) to "claim" video and sound files, and block others from posting them. No one – not even the world's leading copyright experts – can figure out how to use this system to uphold copyright:

https://pluralistic.net/2024/06/27/nuke-first/#ask-questions-never

However, there is a large cohort of criminals and fraudsters who have mastered Content ID and they use it to blackmail independent artists. You see, Content ID implements a "three strikes" policy: if you are accused of three acts of copyright infringement, Youtube permanently deletes your videos and bars you from the platform. For performers who rely on Youtube to earn their living – whether through ad-revenues or sponsorships or as a promotional vehicle to sell merchandise, recordings and tickets – the "copystrike" is an existential risk.

Enter the fraudster. A fraudster can set up multiple burner Youtube accounts and file spurious copyright complaints against a creator (usually a musician). After two of these copystrikes are accepted and the performer is just one strike away from losing their livelihood, the fraudster contacts the performer and demands blackmail money to rescind the complaints, threatening to file that final strike and put the performer out of business:

https://pluralistic.net/2021/05/08/copyfraud/#beethoven-just-wrote-music

The fact that copyright – nominally a system intended to protect creative workers – is weaponized against the people it is meant to serve is ironic, but it's not unusual. Copyright law has been primarily shaped by creators' bosses – media companies like Viacom – who brandish "starving artists" as a reason to enact policies that ultimately benefit capital at the expense of labor.

That was what inspired Rebecca Giblin and me to write our 2022 book Chokepoint Capitalism: how is it that copyright has expanded in every way for 40 years (longer duration, wider scope, higher penalties), resulting in media companies that are more profitable than ever, with higher gross and net revenues, even as creative workers have grown poorer, both in total compensation and in the share of the profits they generate?

https://chokepointcapitalism.com/

The first half of Chokepoint Capitalism is a series of case studies that dissect the frauds and scams that both media and tech companies use to steal from creative workers. The second half is a series of "shovel-ready" policy proposals for new laws and rules that would actually put money in artists' pockets. Some of these policy prescriptions are copyright-related, but not all of them.

For example, we have a chapter on how the Hollywood "guild" system (which allows unionized workers to bargain with all the studios at once) has been a powerful antidote to corporate power. This is called "sectoral bargaining" and it's been illegal since 1947's Taft-Hartley Act, but the Hollywood guilds were grandfathered in. When we wrote about the power of sectoral bargaining, it was in reference to the Writers Guild's incredible triumph over the four giant talent agencies, who'd invented a scam that inverted the traditional revenue split between writer and agent, so the agencies were taking in 90% and the writers were getting just 10%:

https://pluralistic.net/2020/08/06/no-vitiated-air/#WME-CAA-next

Two years later, the Hollywood Writers struck again, this time over AI in the writers' room, securing a stunning victory over the major studios:

https://pluralistic.net/2023/10/01/how-the-writers-guild-sunk-ais-ship/

Notably, the writers strike was a labor action, not a copyright action. The writers weren't demanding a new copyright that would allow them to control whether their work could be used to train an AI. They struck for the right not to have their wages eroded by AI – to have the right to use (or not use) AI, as they saw fit, without risking their livelihoods.

Right now, many media companies are demanding a new copyright that would allow them to control AI training, and many creative workers have joined in this call. The media companies aren't arguing against infringing uses of AI models – they're arguing that the mere creation of such a model infringes copyright. They claim that making a transient copy of a work, analyzing that work, and publishing that analysis is a copyright infringement:

https://pluralistic.net/2023/02/09/ai-monkeys-paw/#bullied-schoolkids

Here's a good rule of thumb: any time your boss demands a new rule, you should be very skeptical about whether that rule will benefit you. It's clear that the media companies that have sued the AI giants aren't "anti-AI." They don't want to prevent AI from replacing creative workers – they just want to control how that happens.

When Disney and Universal sue Midjourney, it's not to prevent AI models from being trained on their catalogs and used to pauperize the workers whose work is in those catalogs. What these companies want is to be paid a license fee for access to their catalogs, and then they want the resulting models to be exclusive to them, and not available to competitors:

https://pluralistic.net/2026/03/03/its-a-trap-2/#inheres-at-the-moment-of-fixation

These companies are violently allergic to paying creative workers. Disney takes the position that when it buys a company like Lucasfilm, it secures the right to publish the works Lucasfilm commissioned, but not the obligation to pay the royalties that Lucasfilm owes when those works are sold:

https://pluralistic.net/2022/04/30/disney-still-must-pay/#pay-the-writer

As Teresa Nielsen Hayden quipped during the Napster Wars: "Just because you're on their side, it doesn't mean they're on your side." If these companies manage to get copyright law expanded to restrict scraping, analysis, and publication of factual information, they won't use those new powers to increase creators' pay – they'll use them the same way they've used every new copyright created in the past 40 years, to make themselves richer at the expense of artists:

https://pluralistic.net/2020/03/03/just-a-stick/#authorsbargain

The Claude Code leak is full of fascinating information about a tool that – like Diebold's voting machines – is at the very center of the most important policy debates of our time. Here's just one example: Claude is almost certainly implicated in the US missile that murdered a building full of little girls in Iran last month:

https://www.theguardian.com/news/2026/mar/26/ai-got-the-blame-for-the-iran-school-bombing-the-truth-is-far-more-worrying

Of course I see the irony. Anthropic has taken an extremely aggressive posture on copyright's "limitations and exceptions," arguing that it can train its models on any information it can find, and that it can knowingly download massive troves of infringing works for that purpose. It's darkly hilarious to see the company firehosing copyright complaints by the thousands in order to prevent the dissemination, dissection and discussion of the source-code that leaked due to the company's gross incompetence:

https://developers.slashdot.org/story/26/04/01/158240/anthropic-issues-copyright-takedown-requests-to-remove-8000-copies-of-claude-code-source-code#comments

But what's objectionable about Anthropic – and the AI sector – isn't copyright. The thing that makes these companies disgusting is their gleeful, fraudulent trumpeting about how their products will destroy the livelihoods of every kind of worker:

https://pluralistic.net/2025/03/18/asbestos-in-the-walls/#government-by-spicy-autocomplete

And it's their economic fraud, the inflation of a bubble that will destroy the economy when it bursts:

https://www.wheresyoured.at/the-subprime-ai-crisis-is-here/

It's their enthusiastic deployment of AI tools for mass surveillance and mass killing. (Anthropic is no exception, despite what you may have heard:)

https://www.thetechbubble.info/p/how-much-a-dollar-cost

If the media bosses get their way, and manage to make it even more illegal – and practically harder – to host, discuss, and publish facts about copyrighted works, then leaks like the Claude Code disclosures will never see the light of day. It's only because of decades of hard-fought battles to push back on this nonsense that we are able to identify and learn about the defects in Claude Code that are revealed by this source-code leak.

I'm angry about the AI industry, but not because of copyright. I'm angry at them for the reasons Cat Valente articulated so well in her "Blood Money" essay:

https://catvalente.substack.com/p/blood-money-the-anthropic-settlement

These companies' stated goals are terrible:

They took the books I wrote for children and used them to make it possible for children to not bother with reading ever again. They took the books I wrote about love to create chatbots that isolate people and prevent them from finding human love in the real world, that make it difficult for them to even stand real love, which is not always agreeable, not always positive, not always focused on end-user engagement. They took the books I wrote about hope and glitter in the face of despair and oppression and used it to make a Despair-and-Oppression generator.

These goals are entirely compatible with copyright. The New York Times is suing over AI – and they're licensing their writers' words to train an AI model:

https://www.nytimes.com/2025/05/29/business/media/new-york-times-amazon-ai-licensing.html

The NYT wants more copyright. You know what the NYT doesn't want? More labor rights. The NYT are vicious union-busters:

https://actionnetwork.org/letters/new-york-times-stop-union-busting

If we creative workers are going to pour our scarce resources into getting a new policy to address the threats that our bosses – and the AI companies they are morally and temperamentally indistinguishable from – represent to our livelihoods, then let that new policy be a renewed sectoral bargaining right for every worker. It was sectoral bargaining (a collective, solidaristic right) and not copyright (an individual, commercial right) that saw off AI in the Hollywood writers' strike.

Copyright positions the creative worker as a small business – an LLC with an MFA – bargaining B2B with another firm. To the extent that copyright helps us, it is largely incidental. Sure, we were able to file for a few thousand bucks per book that Anthropic downloaded from a pirate site to train its models on. But Anthropic doesn't have to use a shadow library to get those books – it can just pay our bosses to get them.

It's great that Claude Code's source is online. It's great that we have the ability to pore over, analyze and criticize this code, which has become so consequential in so many ways. It's great that copyright is weak enough that this is possible (for now).

Expanding copyright will gain little for creative workers, except for a new reason to be angry about how our audiences experience our work. Expanding labor rights will gain much, for every worker, including our audiences. It's an idea that our bosses – and AI hucksters – hate with every fiber of their beings.



Object permanence (permalink)

#20yrsago Desperate WI Republican congressman struggling to get by on $174K turns to copyright trolling https://web.archive.org/web/20110404001110/http://tpmdc.talkingpointsmemo.com/2011/03/gopers-demand-sean-duffy-salary-tape-be-pulled-from-the-internet.php?ref=fpblg

#15yrsago Redditor outs astroturfer with 20 accounts https://www.reddit.com/r/gaming/comments/gepnl/gamepro_g4tv_and_vgchartz_gamrfeed_have_been/

#15yrsago Britain’s back-room negotiations to establish a national, extrajudicial Internet censorship regime https://www.openrightsgroup.org/blog/minister-confirms-voluntary-site-blocking-discussions/

#15yrsago Elephantmen: Dr Moreau meets apocalyptic noir science fiction comic https://memex.craphound.com/2011/03/31/elephantmen-dr-moreau-meets-apocalyptic-noir-science-fiction-comic/

#10yrsago Bitcoin transactions could consume as much energy as Denmark by the year 2020 https://web.archive.org/web/20160401031103/https://motherboard.vice.com/read/bitcoin-could-consume-as-much-electricity-as-denmark-by-2020

#10yrsago Online casino bankrolls largest-ever, ruinously expensive war in Eve Online https://www.polygon.com/2016/3/31/11334014/eve-online-war/

#10yrsago Russia bans Polish “Communist Monopoly” board-game https://www.newsweek.com/russia-bans-polands-communist-monopoly-being-anti-russian-438972?rx=us

#10yrsago “Reputation management” companies apparently induce randos to perjure themselves by pretending to be anonymous posters https://www.techdirt.com/2016/03/31/latest-reputation-management-bogus-defamation-suits-bogus-companies-against-bogus-defendants/

#10yrsago Leak: Alaska superdelegate denies duty to represent her state’s voters in 2016 elections https://web.archive.org/web/20160717042158/http://usuncut.com/politics/alaska-superdelegate/

#10yrsago Phishers trick Mattel into transferring $3M to a Chinese bank https://www.cbsnews.com/news/mattel-vs-chinese-cyberthieves-its-no-game/

#10yrsago CNN celebrates Sanders’ six primary victories by airing a “documentary” about Jesus https://fair.org/home/as-sanders-surges-cable-news-runs-prison-reality-show-jesus-documentary/

#10yrsago Hungarian ruling party wants to ban all working cryptography https://web.archive.org/web/20160405014411/http://budapestbeacon.com/public-policy/fidesz-wants-make-encryption-software-illegal/33462

#10yrsago Embroidered toast https://www.behance.net/gallery/31502957/Everyday-bread#

#5yrsago AI has a GIGO problem https://pluralistic.net/2021/03/31/vaccine-for-the-global-south/#imagenot

#5yrsago Sacklers to use Purdue bankruptcy to escape justice https://pluralistic.net/2021/03/31/vaccine-for-the-global-south/#claims-extinguished

#5yrsago Cuba is a vaccine powerhouse https://pluralistic.net/2021/03/31/vaccine-for-the-global-south/#Soberana-Abdala

#5yrsago AT&T will lay off thousands more https://pluralistic.net/2021/03/31/vaccine-for-the-global-south/#we-dont-have-to-care

#1yrago Private-sector Trumpism https://pluralistic.net/2025/03/31/madison-square-garden/#autocrats-of-trade



Upcoming books (permalink)

  • "The Reverse-Centaur's Guide to AI," a short book about being a better AI critic, Farrar, Straus and Giroux, June 2026 (https://us.macmillan.com/books/9780374621568/thereversecentaursguidetolifeafterai/)
  • "Enshittification, Why Everything Suddenly Got Worse and What to Do About It" (the graphic novel), Firstsecond, 2026

  • "The Post-American Internet," a geopolitical sequel of sorts to Enshittification, Farrar, Straus and Giroux, 2027

  • "Unauthorized Bread": a middle-grades graphic novel adapted from my novella about refugees, toasters and DRM, FirstSecond, 2027

  • "The Memex Method," Farrar, Straus, Giroux, 2027



Colophon (permalink)


Currently writing: "The Post-American Internet," a sequel to "Enshittification," about the better world the rest of us get to have now that Trump has torched America. First draft complete. Second draft underway.

  • "The Reverse Centaur's Guide to AI," a short book for Farrar, Straus and Giroux about being an effective AI critic. LEGAL REVIEW AND COPYEDIT COMPLETE.
  • "The Post-American Internet," a short book about internet policy in the age of Trumpism. PLANNING.

  • A Little Brother short story about DIY insulin PLANNING


This work – excluding any serialized fiction – is licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net.

https://creativecommons.org/licenses/by/4.0/

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.


How to get Pluralistic:

Blog (no ads, tracking, or data-collection):

Pluralistic.net

Newsletter (no ads, tracking, or data-collection):

https://pluralistic.net/plura-list

Mastodon (no ads, tracking, or data-collection):

https://mamot.fr/@pluralistic

Bluesky (no ads, possible tracking and data-collection):

https://bsky.app/profile/doctorow.pluralistic.net

Medium (no ads, paywalled):

https://doctorow.medium.com/

Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):

https://mostlysignssomeportents.tumblr.com/tagged/pluralistic

"When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla

READ CAREFULLY: By reading this, you agree, on behalf of your employer, to release me from all obligations and waivers arising from any and all NON-NEGOTIATED agreements, licenses, terms-of-service, shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure, non-compete and acceptable use policies ("BOGUS AGREEMENTS") that I have entered into with your employer, its partners, licensors, agents and assigns, in perpetuity, without prejudice to my ongoing rights and privileges. You further represent that you have the authority to release me from any BOGUS AGREEMENTS on behalf of your employer.

ISSN: 3066-764X

11:21

Grrl Power #1448 – Meat dish concatenizer [Grrl Power]

Sydney hadn’t called on the part of her brain that stores normal meat dishes, and then suddenly the dam broke, and every recipe, meat related or not, spilled out.

Maxima does have an extensive shopping list, but an Earther can’t just go and buy a food replicator and expect it to work. For one, the plug isn’t compatible. But primarily, there’s no way something like that would run on 120 volts, or even 240. She’ll also have to buy the equivalent of a Mr. Fusion for each replicator too, and that’s just for household appliances.

From my understanding, the hardest thing about de-vegetarianizing is that the texture of meat becomes quite off putting, which honestly is understandable. A good piece of meat is about the best thing there is, but a gristly steak, or a drumstick with a bunch of tendons or a rib with some of those floaty cartilage bits at the end can be really off-putting, even if you’re fully on board with the omnivorousness. And I can see where even the nicest slice of a perfectly prepared porterhouse wouldn’t be cromulent to a vegetarian if they’re used to eating anything but meat.

Say you’re the Demolition Man, and you’re biting into your underground sewer burger, and you’re told it’s actually a rat burger. You’d probably pause before your next bite, and that’s if you don’t spit it out. Sure, 90% of your concern is that chances are, the rat meat isn’t USDA certified and you don’t know what kind of diseased meat you’re currently grinding up with your teeth. But part of that is reflexive. “Oh, no! Rat meat is gross!” But is it? People eat rabbit all the time. Also, I imagine, squirrel, groundhog, beaver, and all kinds of other rodents. Rat meat probably isn’t all that popular, not because it tastes especially weird or anything (I have no idea, maybe it does) but I have to assume that any animal under a certain body weight becomes more trouble than it’s worth to slaughter for its meat. Depending on the species of rat, they weigh from like a 0.25 to 1.5 pounds? And how much of that is meat? Honestly rabbits seems like they’d be on the edge of that effort/reward curve. Of course, any food is food if you’re hungry enough. I just mean there’s a few reasons we don’t mass-farm tiny mammals for their meat.

Anyway, I guess my point with the Demolition Man ratburger thing is that it isn’t so much that rat meat is gross, it’s that most people aren’t acclimated to the idea of eating it. I think there’s part of our brains that recognizes that all meat is kind of gross, up until we decide it isn’t. Chewing muscle and fat tissue that someone used to use as a leg…  Just don’t think about it too much. Vegetarians arguably have thought about it too much. Though I suppose there are some people who are vegetarian strictly due to the reduced carbon footprint, I think the vast majority make the switch due to ethicalness and/or the gross factor.


I’m almost ready with the new vote incentive. I have the nude version almost done, but not the clothed one. I’ll try and have that ready for next Monday’s comic. It’s a non-censored (obviously) version of one of the panels from the topless watch party, but honestly, I got kind of bored with it, and started working on a different picture that I like quite a bit more. It’s actually quite far along as well, but I realized it’s kind of… spoilery? I think I need to wait on that one till the tournament progresses a little further.


Ah! I thought I had more time till March. I’m bad at looking at dates apparently.

Here is Gaxgy’s painting Maxima promised him. Weird how he draws almost exactly like me.

I did try and do an oil painting version of this, by actually re-painting over the whole thing with brush-strokey brushes, but what I figured out is that most brushy oil paintings are kind of low detail. Sure, a skilled painter like Bob Ross or whoever can dab a brush down a canvas and make a great looking tree or a shed with shingles, but in trying to preserve the detail of my picture (eyelashes, reflections, etc) was that I had to keep making the brush smaller and smaller, and the end result was that honestly, it didn’t really look all that oil-painted. I’ll post that version over at Patreon, just for fun, but I kind of quit on it after getting mostly done with re-painting Max.

Patreon has a no-dragon-bikini version of the picture as well, naturally.


Double res version will be posted over at Patreon. Feel free to contribute as much as you like.

Possible US Government iPhone Hacking Tool Leaked [Schneier on Security]

Wired writes (alternate source):

Security researchers at Google on Tuesday released a report describing what they’re calling “Coruna,” a highly sophisticated iPhone hacking toolkit that includes five complete hacking techniques capable of bypassing all the defenses of an iPhone to silently install malware on a device when it visits a website containing the exploitation code. In total, Coruna takes advantage of 23 distinct vulnerabilities in iOS, a rare collection of hacking components that suggests it was created by a well-resourced, likely state-sponsored group of hackers.

[…]

Coruna’s code also appears to have been originally written by English-speaking coders, notes iVerify’s cofounder Rocky Cole. “It’s highly sophisticated, took millions of dollars to develop, and it bears the hallmarks of other modules that have been publicly attributed to the US government,” Cole tells WIRED. “This is the first example we’ve seen of very likely US government tools – based on what the code is telling us – spinning out of control and being used by both our adversaries and cybercriminal groups.”

TechCrunch reports that Coruna is definitely of US origin:

Two former employees of government contractor L3Harris told TechCrunch that Coruna was, at least in part, developed by the company’s hacking and surveillance tech division, Trenchant. The two former employees both had knowledge of the company’s iPhone hacking tools. Both spoke on condition of anonymity because they weren’t authorized to talk about their work for the company.

It’s always super interesting to see what malware looks like when it’s created through a professional software development process. And the TechCrunch article has some speculation as to how the US lost control of it. It seems that an employee of L3Harris’s surveillance tech division, Trenchant, sold it to the Russian government.

10:28

Who sets your agenda? [Seth's Blog]

It’s a question so rarely asked it almost feels silly to ask it.

Some situations and some jobs work to eliminate our freedom of choice. Prison, medical school, 8th grade–there are settings where time, tools, and options are severely limited.

But even in these settings, we have more choice than we realize.

And for the rest of us, particularly freelancers and entrepreneurs, our agenda is wide open.

Who decides what you will eat tonight, or what you will do after dinner? Who decides who you will call on, what you will learn next, which posts you’ll read (or write)? Who decides what tone the conversation will have, what your priorities are, and what you’ll worry about when you walk the dog?

There’s the agenda of the next five minutes as well as one for the next five days. And the process of getting to five years from now is so fraught or uncharted that we hesitate to even talk about it.

It may be that the key building block to success (and even to happiness) is getting your agenda aligned with your goals, your dreams, and your fears.

09:00

Samuel Henrique: Bringing HTTP/3 to curl on Amazon Linux [Planet Debian]

Screenshot of the top entry of the curl package's changelog, showing the following: Changelogs for curl-8.17.0-1.amzn2023.0.2.x86_64 * Mon Mar 16 00:00:00 2026 Samuel Henrique (samueloph) <samhn@amazon.com> - 8.17.0-1.amzn2023.0.2 - Enable HTTP/3 support in the full build using ngtcp2 and nghttp3 - HTTP/3 is explicitly disabled in the minimal build - Add runtime dependencies on libnghttp3 and libngtcp2 with minimum version pinning - Run tests in parallel via upstream make test-nonflaky, with serial fallback for race-prone tests

tl;dr

Starting with curl 8.17.0-1.amzn2023.0.2 in Amazon Linux 2023, you can now use HTTP/3.

dnf swap -y libcurl-minimal libcurl-full
dnf swap -y curl-minimal curl-full
curl --http3-only https://example.com

(HTTP/3 is only enabled in the curl -full builds)

Or, if you would like to try it out in a container:

podman run amazonlinux:2023 /bin/sh -c 'dnf upgrade -y --releasever=latest && dnf swap -y libcurl-minimal libcurl-full && dnf swap -y curl-minimal curl-full && curl --http3-only https://example.com'

For a list of test endpoints, you can refer to https://bagder.github.io/HTTP3-test/

The Upgrade I Didn't Have to Make

My teammate Steve Zarkos, who previously worked on upgrading OpenSSL in Amazon Linux from 3.0 to 3.2, spent the last few months on the complex task of bumping OpenSSL again, this time to 3.5. A bump like this only happens after extensive code analysis and testing, something that I didn't foresee happening when AL2023 was released but that was a notable request from users.

Having enabled HTTP/3 on Debian, I was always keeping an eye on when I would get to do the same for Amazon Linux (mind you, I work at AWS, in the Amazon Linux org). The bump to OpenSSL 3.5 was the perfect opportunity to do that, for the first time Amazon Linux is shipping an OpenSSL version that is supported by ngtcp2 for HTTP/3 support.

Non-Intrusive Change

In order to avoid any intrusive changes to existing users of AL2023, I've only enabled HTTP/3 in the full build of curl, not in the minimal one, this means there is no change for the minimal images.

The way curl handles HTTP/3 today also does not lead to any behavior changes for those who have the full variants of curl installed, this is due to the fact that HTTP/3 is only used if the user explicitly asks for it with the flags --http3 or --http3-only.
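To confirm which variant a host ended up with after the swap, the following added example (not from the original post) classifies `curl --version` output by its `Features:` line and by the QUIC libraries named in the banner. The function name `curl_http3_status`, its three status strings, and both sample outputs are constructed for illustration; library versions other than curl's are placeholders.

```shell
#!/bin/sh
# Added example: classify a curl build from the text of `curl --version`.
# Real use:  curl --version | curl_http3_status

curl_http3_status() {
    # Reads `curl --version` output on stdin and prints one of:
    #   http3-ngtcp2  Features lists HTTP3 and the banner names ngtcp2 and nghttp3
    #   http3-other   Features lists HTTP3 but a different QUIC backend is linked
    #   no-http3      HTTP3 is absent from Features (e.g. the minimal build)
    awk '
        NR == 1 { banner = $0 }              # first line lists linked libraries
        /^Features:/ {
            for (i = 2; i <= NF; i++)        # exact token match, so HTTP2 never counts
                if ($i == "HTTP3") feat = 1
        }
        END {
            if (!feat)
                print "no-http3"
            else if (banner ~ /ngtcp2\// && banner ~ /nghttp3\//)
                print "http3-ngtcp2"
            else
                print "http3-other"
        }
    '
}

# Constructed sample: a full build with HTTP/3 (library versions are placeholders).
SAMPLE_FULL='curl 8.17.0 (x86_64-amazon-linux-gnu) libcurl/8.17.0 OpenSSL/X.Y.Z zlib/X.Y.Z nghttp2/X.Y.Z ngtcp2/X.Y.Z nghttp3/X.Y.Z
Release-Date: [constructed]
Protocols: file ftp ftps http https
Features: alt-svc AsynchDNS HSTS HTTP2 HTTP3 HTTPS-proxy IPv6 Largefile libz SSL threadsafe UnixSockets'

# Constructed sample: a minimal build without HTTP/3.
SAMPLE_MINIMAL='curl 8.17.0 (x86_64-amazon-linux-gnu) libcurl/8.17.0 OpenSSL/X.Y.Z zlib/X.Y.Z nghttp2/X.Y.Z
Release-Date: [constructed]
Protocols: file ftp ftps http https
Features: alt-svc AsynchDNS HSTS HTTP2 HTTPS-proxy IPv6 Largefile libz SSL threadsafe UnixSockets'

printf 'full sample:    %s\n' "$(printf '%s\n' "$SAMPLE_FULL" | curl_http3_status)"
printf 'minimal sample: %s\n' "$(printf '%s\n' "$SAMPLE_MINIMAL" | curl_http3_status)"
```

A `no-http3` result on a host that should have the full build usually means one of the two `dnf swap` steps was skipped.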

Side Quests

Supporting HTTP/3 on curl also requires building it with ngtcp2 and nghttp3, two packages which were not shipped in Amazon Linux, besides, my team doesn't even own the curl package, we are a security team so our packages are the security related stuff such as OpenSSL and GnuTLS. Our main focus is the services behind Amazon Linux's vulnerability handling, not package maintenance.

I worked with the owners of the curl package and got approvals on a plan to introduce the two new dependencies under their ownership and to enable the feature on curl, I appreciate their responsiveness.

Amazon Linux 2023 is forked from Fedora, so while introducing ngtcp2, I also sent a couple of Pull Requests upstream to keep things in sync:

[ngtcp2] package latest release 1.21.0

[ngtcp2] do not skip tests

While building the curl package in Amazon Linux, I've noticed the build was taking 1 hour from start to end, and the culprit was something well known to me; tests.

The curl test suite is quite extensive, with more than 1600 tests, all of that running without parallelization, running two times for each build of the package; once for the minimal build and again for the full build.

I had previously enabled parallel tests in Debian back in 2024 but never got around to submitting the same improvements to Amazon Linux or Fedora, this is now fixed. The build times for Amazon Linux came down to 10 minutes under the same host (previously 1 hour), and Fedora promptly merged my PR to do the same there:

[curl] run tests in parallel

All of this uncovered a test which is timing-dependent, meaning it's not supposed to be run with high levels of parallelism, so there goes another PR, this time to curl:

Flag test 766 as timing-dependent #21155

What started as enabling a single feature turned into improvements that landed in curl, Fedora, and Amazon Linux alike. I did this in a mix of work and volunteer time, mostly during work hours (work email address used when this was the case), but I'm glad I put in the extra time for the sake of improving curl for everyone.

Release Notes

Amazon Linux 2023 release notes for 2023.10.20260330

A Potential Termination Event [George Monbiot]

Cascading failure across the global food system is a real and horrific possibility, which most governments are doing nothing to avert.

By George Monbiot, published in the Guardian 25th March 2026

The fate of environmentalists is to spend their lives trying not to be proved right. Vindication is what we dread. But there’s one threat that haunts me more than any other: the collapse of the global food system. We cannot predict what the immediate trigger might be. But the war with Iran is just the right kind of event.

Drawing on years of scientific data, I’ve been arguing for some time that this risk exists – and that governments are completely unprepared for it. In 2023, I made a submission to a parliamentary inquiry into environmental change and food security, with a vast list of references. Called as a witness, I spent much of the time explaining that the issue was much wider than the inquiry’s scope.

While some MPs got it, governments as a whole simply don’t seem to understand what we’re facing. It’s this: the global food system is systemically fragile in the same way that the global financial system was before the 2008 crash.

It’s easy to see potential vulnerabilities, such as a fertiliser supply crunch caused by the closure of the strait of Hormuz, or harvest failures caused by climate breakdown. But these are not the thing itself. They are disruptions of the kind that might trigger the thing. The thing itself is the entire system sliding off a cliff. The same factors that would have brought down the financial system, were it not for a bailout amounting to trillions of dollars, now threaten to bring down the food system.

Recent data suggests that every part of this system is now highly concentrated in the hands of a few corporations, which have been consolidating both vertically and horizontally. One recent study found that the US food system has “consolidated nearly twice as much as the overall economic system”. Some of these corporations, diversifying into financial products, now look more like banks than commodity traders, but without the same level of regulation. They might claim that financialisation helps them hedge against risk, but as one paper remarks, “it is nearly impossible to differentiate between hedging and speculating.” We don’t know how exposed to risk they might be, but it doesn’t look great. Partly through their influence, the world has shifted towards a “global standard diet”, supplied by the global standard farm.

These vulnerabilities are exacerbated by the use of just-in-time supply chains and the funnelling of much of the world’s trade through a number of chokepoints. Some people have long warned that the strait of Hormuz, alongside the Suez canal, Turkish straits, Panama canal and straits of Malacca, are critical chokepoints, whose obstruction would threaten the flow of food, fertiliser, fuel and other crucial agricultural commodities. A year ago, I listed “military attacks on … straits and canals” as a major interruption risk exacerbated by Donald Trump’s antics. The thought that Houthi rebels in Yemen, backed by the Iranian government, might simultaneously resume their attacks on Red Sea shipping keeps me awake at night.

What all this means is a reduction in the key elements of systemic resilience: diversity, redundancy (a system’s spare capacity), modularity (its degree of compartmentalisation), backup (other ways of providing food), asynchronicity (which prevents shocks suddenly compounding) and circuit breakers (mostly in the form of effective regulation). A loss of any one of these properties should be a flashing red light. But the whole dashboard is now lit up.

When a system has lost its resilience, it’s hard to predict just how and when it could go down. The collapse of one corporation? The simultaneous closure of two or more chokepoints? A major IT outage? A severe climate event coinciding with a geopolitical crisis? The next step could be contagious bankruptcy and cascading failure across sectors. Then … well, it’s beyond imagination. The chain between seller and buyer – as fundamental to our food supply as the production of food itself – could suddenly snap. Shelves would clear as people panic-bought. Crops would rot in fields, silos or ports. Rebooting a system whose financial architecture has imploded might prove impossible on the timescale required to prevent mass starvation. As complex societies, we’re looking at a potential termination event.

We know what needs to happen: break up the big corporations; bring the system under proper regulatory control; diversify our diets and their means of production; reduce our dependence on a handful of major exporting countries; build strategic food reserves, accessible to people everywhere.

But there’s a problem, and it’s not just Trump. Almost all governments are beholden to corporate and financial power. The measures required to avoid catastrophe are those they are least prepared to implement. The chances of a global agreement on this global problem are approximately zero.

The best we can hope for is that braver politicians in our own countries seek to insulate us from the worst impacts. A crucial step is to encourage a shift to a plant-based diet. People struggle to see the relevance, but it’s simple. A plant-based diet requires far fewer resources, including just a quarter of the land a standard western diet requires and much less fertiliser and other inputs.

Just as we make ourselves more energy-secure by switching from fossil fuels to renewables, we make ourselves more food-secure by switching from animals to plants. Don’t take my word for it: it’s a key message in the national security assessment, which the government sought to withhold from public view – probably because it would upset too many powerful interests. Chinese researchers have come to the same conclusion about their own country: its food resilience is now dangerously compromised by the rising consumption of animal products.

But policy in the UK is nothing short of moronic. In response to warnings about our food vulnerability, our environment secretary, the former financial lobbyist Emma Reynolds, remarked that she wanted to boost domestic poultry production. Given that this sector largely depends on imported feed (such as soya from Brazil and maize from the US), her plan would make us more vulnerable. But she proposes scarcely anything else: no strategic reserves, no alternative supply chains, no useful defensive measures of any kind.

Policy here and across most of the world appears to consist of allowing “the market” (namely a few huge global corporations) to decide what happens next. There’s another way of putting it. Our governments are leaving a group of ruthless speculators to play dice with our lives.

www.monbiot.com

06:07

EU nations: political-legal spectrum [Richard Stallman's Political Notes]

*Five EU governments found to "consistently" dismantle rule of law.*

They are Bulgaria, Croatia, Hungary, Italy and Slovakia.

Hong Kong thugs demand people hand over their passwords [Richard Stallman's Political Notes]

Hong Kong has given thugs the power to demand people hand over their passwords.

The UK has a similar repressive law, which it used on David Miranda when he carried a copy of the Snowden leaks to Glenn Greenwald. It was a terrible mistake for him to carry with him the password to decrypt that data, and likewise a terrible mistake to pass through the UK on his way to Brazil. Someone involved with the Snowden leaks should have told him to avoid those risky choices.

Pentagon response to courts on restrictions on journalists [Richard Stallman's Political Notes]

The henchman in charge of the Pentagon responded to the court ruling that its biased restrictions on journalists are unconstitutional by promulgating a modified set of restrictions.

Canadian woman married to US citizen and her daughter jailed [Richard Stallman's Political Notes]

Deportation thugs have jailed a Canadian woman married to a US citizen, and their daughter. She has papers authorizing her to be in the US, but not currently in her possession because she submitted them to another US agency for some sort of bureaucratic step. She warns all Canadians in the US that they are in danger, especially while their papers are in "processing".

Toxic smoke from bombed oil processing plants [Richard Stallman's Political Notes]

Israel bombed oil processing plants near Tehran. They released toxic smoke which is causing respiratory damage to people in Tehran.

*The Guardian spoke to residents who described having headaches, eye and skin irritation and difficulty breathing. Experts have warned those symptoms could be just the beginning, with long-term risks of cardiovascular disease, cognitive impairment, DNA damage and cancer.*

This makes two reasons why that bombing is particularly culpable: for grave harm to a substantial fraction of Tehran's population of ten million, and for escalating the war to include attacks on energy infrastructure. Iran threatened to retaliate against the energy infrastructure of the Gulf oil states if Israel (or the US) continues attacking Iran's oil infrastructure.

Argentina politically divided [Richard Stallman's Political Notes]

Argentina is politically divided between those who wish to remember and punish the crimes of the murderous military dictatorship in the 70s and twisted right-wingers who celebrate them.

The main political position of the twisted right-wingers is to promote the usual right-wing positions, allowing the privileged groups to exploit and castigate the disprivileged groups. Just as in the US, the right-wing in Argentina have found that celebrating the dictatorship is a way to appear powerful and win the support of people who want to feel powerful.

US sanctions placed on UN official Francesca Albanese [Richard Stallman's Political Notes]

The US sanctions arbitrarily placed on UN official Francesca Albanese threaten anyone with US connections who does any sort of business or cooperation with her with punishment, even without a trial.

This includes US academics who investigate the patterns of Israel's war crimes in Palestine, as well as other students and faculty. Some of them support the lawsuit that aims to declare such sanctions unconstitutional.

Responding to Hegseth's Christian hatred [Richard Stallman's Political Notes]

Democratic candidate Talarico, who is Christian, responds to Hegseth's Christian hatred with Christian love.

I am impressed favorably with Talarico's tolerance, and I am sure he is a better person and better citizen than any Republican candidate. However, while this reflects well on him, it is not evidence that any gods exist.

iMonsters in UK demanding proof of age [Richard Stallman's Political Notes]

iMonsters in the UK are now demanding users "prove their age" by identifying themselves.

Age verification has become a universal excuse to demand that all users identify themselves, an injustice to every user of whatever age.

Rocky Mountain meadow transformed to dry patch of sagebrush [Richard Stallman's Political Notes]

2°C of heating transformed a Rocky Mountain meadow with grass and wildflowers into a dry patch of sagebrush. Global heating isn't just that most places are somewhat hotter. They can become very different.

Activists delivering food to immigrant families [Richard Stallman's Political Notes]

Activists in Memphis are delivering food and other necessities to immigrant families who don't dare leave the house.

Four weeks into "four day" war [Richard Stallman's Political Notes]

*Four weeks into a war that was going to take four days … Washington is further away from a diplomatic agreement with Iran than it was in May 2025.

Not only has the war failed to persuade Iran to agree to dismantle its nuclear program in the comprehensive and irreversible way the US demanded, Washington is now having to negotiate to reopen the strait of Hormuz.*

The idiotic attack on Iran could doom Ukraine.

Urgent: Insider trading [Richard Stallman's Political Notes]

US citizens: call on Congress to investigate insider trading on prediction markets.

See the instructions for how to sign this letter campaign without running any nonfree JavaScript code--not trivial, but not hard.

US citizens: Join with this campaign to address this issue.

To phone your congresscritter about this, the main switchboard is +1-202-224-3121.

Please spread the word.

Urgent: Impeach Brendan Carr [Richard Stallman's Political Notes]

US citizens: call on Congress to impeach FCC Chair Brendan Carr now

See the instructions for how to sign this letter campaign without running any nonfree JavaScript code--not trivial, but not hard.

US citizens: Join with this campaign to address this issue.

To phone your congresscritter about this, the main switchboard is +1-202-224-3121.

Please spread the word.

Urgent: Protect whistleblowers [Richard Stallman's Political Notes]

US citizens: call on Congress to protect whistleblowers from the persecutor's attacks.

US citizens: Join with this campaign to address this issue.

To phone your congresscritter about this, the main switchboard is +1-202-224-3121.

Please spread the word.

Urgent: Protect nonprofits [Richard Stallman's Political Notes]

US citizens: call on Congress and the Department of Justice to halt the persecution of nonprofit organizations that criticize injustice.

US citizens: Join with this campaign to address this issue.

To phone your congresscritter about this, the main switchboard is +1-202-224-3121.

Please spread the word.

Urgent: Children's rights [Richard Stallman's Political Notes]

US citizens: call on your officials in Congress to protect immigrant children's right to education in public schools.

See the instructions for how to sign this letter campaign without running any nonfree JavaScript code--not trivial, but not hard.

US citizens: Join with this campaign to address this issue.

To phone your congresscritter about this, the main switchboard is +1-202-224-3121.

Please spread the word.

US-Embassies as Musk/military diplomats [Richard Stallman's Political Notes]

*US directs American embassies to wage campaign against foreign "hostility" – with Musk's help.*

If you know anything about his online dis-service, ex-Twitter, and its chatbot, Crock, you understand that this is a campaign to crush the idea of truth. The bullshitter wants a battle between his bullshit and Putin's bullshit and fanatical Muslim bullshit — and whichever one wins, truth loses.

Endangered Species Act revoked, Gulf MEX [Richard Stallman's Political Notes]

The magats are planning to cancel endangered species protection for various endangered species in the Gulf of Mexico, as a gesture to show that they will let nothing stop them from drilling more fossil fuel wells there.

The current crisis will be long over by the time those new wells are finished, but they are concerned with fooling the public, not with real needs.

Spain denies US war-machine accommodation [Richard Stallman's Political Notes]

Spain has denied its territory and airspace to the US for purposes of war with Iran.

US soldiers positioning to invade Iran [Richard Stallman's Political Notes]

The US would find it hard to make the Strait of Hormuz safe for oil tankers by force. It could perhaps capture Kharg Island, but that would not protect oil tankers, and occupying the island would not make it easy to capture much oil.

Basically, these threats seem to be bluster.

The bully's pattern of bluster followed by pulling back has backfired completely against Iran.

While it gives me a wry pleasure to see him thwarted, seeing Iran's murderous religious fanatics defeat America's murderous religious fanatics in foreign relations is no pleasure. That will lead to great suffering for Iranians, and no alleviation for Americans.

02:28

Moray Is Competent [QC RSS]

good job Moray

02:21

[$] LWN.net Weekly Edition for April 2, 2026 [LWN.net]

Inside this week's LWN.net Weekly Edition:

  • Front: LiteLLM compromise; systemd controversy; LLM kernel review; OpenBSD and vibe-coding; Rust trait-solver; Pandoc.
  • Briefs: Rspamd 4.0.0; telnyx vulnerability; Fedora forge; SystemRescue 13.00; Servo 0.0.6; Quotes; ...
  • Announcements: Newsletters, conferences, security updates, patches, and more.

Wednesday, 01 April

22:07

How Humble Bundle Helped Kids Across the Country Get Excited About Reading [Humble Bundle Blog]

We are thrilled to celebrate our meaningful partnership with DonorsChoose! This collaboration highlights our shared commitment to quality education, particularly as teachers and students prepared for the start of the 2025-26 school year. Humble specifically selected DonorsChoose as the featured charity for our August 2025 Choice program, aligning our community’s generosity with their mission to equip educators with the resources they need to ensure classroom …


21:21

How to turn anything into a router [OSnews]

I don’t like to cover “current events” very much, but the American government just revealed a truly bewildering policy effectively banning import of new consumer router models. This is ridiculous for many reasons, but if this does indeed come to pass it may be beneficial to learn how to “homebrew” a router.

Fortunately, you can make a router out of basically anything resembling a computer.

↫ Noah Bailey

I genuinely can’t believe making your own router with Linux or BSD might become a much more widespread thing in the US. I’m not saying it’s a bad thing – it’ll teach some people something new – but it just feels so absurd.

21:07

Turbulence at The Document Foundation [LWN.net]

Michael Meeks has posted an angry missive about changes at The Document Foundation. What has really happened is not entirely clear, but it seems to involve, at a minimum, the forced removal of all Collabora staff from the foundation. There has been a set of "thank you" notes to the people involved posted in the foundation's forums. The Document Foundation's decision to restart LibreOffice Online almost certainly plays into this as well.

Details are fuzzy at best; we will be working at providing a clearer picture, but that will take some time.

20:14

Fool If You Think It’s Over – DORK TOWER 01.04.26 [Dork Tower]

Most DORK TOWER strips are now available as signed, high-quality prints, from just $25!  CLICK HERE to find out more!

HEY! Want to help keep DORK TOWER going? Then consider joining the DORK TOWER Patreon and ENLIST IN THE ARMY OF DORKNESS TODAY! (We have COOKIES!) (And SWAG!) (And GRATITUDE!)

19:49

Girl Genius for Wednesday, April 01, 2026 [Girl Genius]

The Girl Genius comic for Wednesday, April 01, 2026 has been posted.

18:42

Awreatha Franklin [Penny Arcade]

Mork had saved a whole section of Pokopia - I won't say which one, because I think technically it might be a spoiler - just for the trip. This caused a resumption of those affections which had been felt so keenly before, and I apologize for the character of that sentence but I just watched Pride and Prejudice again. It's gonna fuck up my language for days. In any case: every now and then, in the course of his duties as reclaimer of the Kanto region, he will remember some of the places Pokemon live and feel a way about it. Ivri has an amazing song on this topic.

18:14

Joey Hess: banning all Anthropic employees [Planet Debian]

Per my policies, I need to ban every employee and contractor of Anthropic Inc from ever contributing code to any of my projects. Anyone have a list?

Any project that requires a Developer Certificate of Origin or similar should be doing this, because Anthropic is making tools that explicitly lie about the origin of patches to free software projects.

UNDERCOVER MODE — CRITICAL

You are operating UNDERCOVER in a PUBLIC/OPEN-SOURCE repository. [...] Do not blow your cover.

NEVER include in commit messages or PR descriptions:

[...] The phrase 'Claude Code' or any mention that you are an AI
Co-Authored-By lines or any other attribution

-- via @vedolos

18:07

Is “Hackback” Official US Cybersecurity Strategy? [Schneier on Security]

The 2026 US “Cyber Strategy for America” document is mostly the same thing we’ve seen out of the White House for over a decade, but with a more aggressive tone.

But one sentence stood out: “We will unleash the private sector by creating incentives to identify and disrupt adversary networks and scale our national capabilities.” This sounds like a call for hackback: giving private companies permission to conduct offensive cyber operations.

The Economist noticed (alternate link) this, too.

I think this is an incredibly dumb idea:

In warfare, the notion of counterattack is extremely powerful. Going after the enemy—its positions, its supply lines, its factories, its infrastructure—is an age-old military tactic. But in peacetime, we call it revenge, and consider it dangerous. Anyone accused of a crime deserves a fair trial. The accused has the right to defend himself, to face his accuser, to an attorney, and to be presumed innocent until proven guilty.

Both vigilante counterattacks, and preemptive attacks, fly in the face of these rights. They punish people who haven’t been found guilty. It’s the same whether it’s an angry lynch mob stringing up a suspect, the MPAA disabling the computer of someone it believes made an illegal copy of a movie, or a corporate security officer launching a denial-of-service attack against someone he believes is targeting his company over the net.

In all of these cases, the attacker could be wrong. This has been true for lynch mobs, and on the internet it’s even harder to know who’s attacking you. Just because my computer looks like the source of an attack doesn’t mean that it is. And even if it is, it might be a zombie controlled by yet another computer; I might be a victim, too. The goal of a government’s legal system is justice; the goal of a vigilante is expediency.

We don’t issue letters of marque on the high seas anymore; we shouldn’t do it in cyberspace.

17:28

Ben Hutchings: FOSS activity in March 2026 [Planet Debian]

17:14

The Model You Love Is Probably Just the One You Use [Radar]

The following article originally appeared on Medium and is being republished here with the author’s permission.

Ask 10 developers which LLM they’d recommend and you’ll get 10 different answers—and almost none of them are based on objective comparison. What you’ll get instead is a reflection of the models they happen to have access to, the ones their employer approved, and the ones that influencers they follow have been quietly paid to promote.

We’re all living inside recursively nested walled gardens, and most of us don’t realize it.

This blog's sponsor has an amazing model

The access problem

In corporate environments, the model selection often happens by accident. Someone on the team tries Claude Code one weekend, gets excited, tells the group on Slack, and suddenly the whole organization is using it. Nobody evaluated alternatives. Nobody ran a bakeoff. The decision was made by whoever had a company card and a free Saturday.

That’s not a criticism—it’s just how these things go. But it means that when that same person tells you their favorite model, they’re really telling you which model they’ve had the most reps with. There’s a genuine learning function at play: You get faster, your prompts get better, and the model starts to feel almost intuitive. It’s not that the model is objectively superior. It’s that you’ve gotten good at using it.

This matters more than people admit, because a lot of this space runs on feelings rather than evidence. People feel good about Opus right now. It feels powerful; it feels smart; it feels like you’re using the best tool available. And maybe you are. But ask someone who’s paying for their own tokens whether they feel the same way, and you tend to get a more calibrated answer. Skin in the game has a way of sharpening opinions.

The influence problem

There’s also a lot of money moving through this space in ways that don’t always get disclosed. Model providers are spending real budget to make sure the right people have the right experiences—early access, credits, invitations to the right events. Anthropic does it. OpenAI does it. This isn’t a scandal; it’s just marketing, but it muddies the signal considerably. When someone you follow is effusive about a model, it’s worth asking whether they arrived at that opinion through sustained use or through a curated demo environment.

Meanwhile, some developers—especially those building in the open—will use whatever doesn’t cost an arm and a leg. Their enthusiasm for a model might be more about its pricing tier than its capability ceiling. That’s also a valid signal, but it’s not the same signal.

The alignment problem (the other one)

Then there are the geopolitical considerations. Some developers are deliberately avoiding Qwen and GLM due to concerns about the countries they originate from. Others are using them because they’re compelling, capable models that happen to be dramatically cheaper. Both camps think the other is being naive. This is a real conversation that doesn’t have a clean answer, but it’s happening mostly under the surface.

What I’ve actually been doing

I’ve been forcing myself to test outside my comfort zone. I’ve spent the last week using Codex seriously—not casually—and my experience so far is that it’s nearly indistinguishable from Claude Sonnet 4.6 for most coding tasks, and it’s running at roughly half the cost when you factor in how efficiently it uses tokens. That’s not a small difference. I want to live with it longer before I have a firm opinion, but “a week” is the minimum threshold I’d set for any model evaluation. Anything less and you’re just rating your first impression.

I’ve also started using Qwen and GLM-5 seriously. Early results are interesting. I’ve had some compelling successes and a few jarring errors. I’ll reserve judgment.

What I’ve noticed with my own Anthropic usage is something worth naming: I default to Haiku for well-scoped, mechanical tasks. Sonnet handles almost everything else with room to spare. Opus only comes out when I need genuine breadth—architecture questions, strategic framing, anything with a genuinely wide scope. But I’ve watched people in corporate environments leave the dial on Opus permanently because they’re not paying for tokens themselves. And here’s the thing—that’s actually not always to their advantage. High-powered models overthink simple tasks. They’ll add abstractions you didn’t ask for, restructure things that didn’t need restructuring. When I have a clearly templated class to write, Haiku gets it right at a tenth of the cost, and it doesn’t second-guess the design.

The thing we should be talking about

Everyone last month was exercised about what Sam Altman said about energy consumption. Fine. But I think the more pressing question is about marketing budgets and how they’re distorting the collective understanding of these tools. The benchmarks are starting to feel managed. The influencer coverage is clearly shaped. The access programs create a positive bias among people with the largest audiences.

None of this means the models are bad. Some of them are genuinely remarkable. But when you ask someone which model to use, you’re getting an answer that’s filtered through their employer’s procurement decisions, the influencers they follow, what they can afford, and how long they’ve been using that particular tool. The answer you get tells you a lot about their situation. It tells you almost nothing about the model.

Take it all with appropriate skepticism—including this post.

17:00

Corporate Language Compliance Generator [The Daily WTF]

You've already read the longer version. You need a quick phrase of corpo-speak to distract and confuse your rivals. Here's the generator for doing that:

Now, admittedly, this generator may use a grammar for generating phrases, but it's not an English grammar, and the result is that sometimes it has problems with verb agreement and other prosaic English rules. I say, lean into it. Let someone challenge your bad grammar, and then look down your nose at them, and say: "I'm blue-skying the infosphere across new domains, you wouldn't get it."


15:56

The cover of C++: The Programming Language raises questions not answered by the cover [The Old New Thing]

The book C++: The Programming Language¹ (Waylon Warren, editor) claims to present “the complex subject of C++ in the most comprehensible and easy to understand language.” A rather overdone book blurb, in my opinion.

Anyway, the book does have an attractive cover, or at least an inoffensive one.

Book cover: C++ The Programming Language, with a picture of code on a computer monitor

But wait, let’s zoom in on the code shown on the computer monitor.


function updatePhotoDescription() {
    if (descriptions.length > (page * 9) + (currentImage.substring(⟦ blurry ⟧')) {
        document.getElementById("bigImageDesc").innerHTML + ⟦ blurry ⟧
    }
}

function updateAllImages() {
    var i = 1;
    while (i < 10) {
        var elementId = 'foto' + i;
        var elementIdBig = 'bigImage' + i;
        if (page * 9 + i - 1 < photos.length) {
            document.getElementById( elementId ).src = 'images/⟦ blurry ⟧
            document.getElementById( elementIdBig ).src = 'images/⟦ blurry ⟧
        } else {
            document.getElementById( elementId ).src = '';

This isn’t even C++. It’s JavaScript!

¹ Note that this is not the book The C++ Programming Language by the language inventor Bjarne Stroustrup.


15:49

[$] Pandoc: a workhorse for document conversion [LWN.net]

Pandoc is a document-conversion program that can translate among a myriad of formats, including LaTeX, HTML, Office Open XML (docx), plain text, and Markdown. It is also extensible by writing Lua filters that can manipulate the document structure and perform arbitrary computations. Pandoc has appeared in various LWN articles over the years, such as my look at Typst and at the importance of free software to science in 2025, but we have missed providing an overview of the tool. The February release of Pandoc 3.9, which comes with the ability to compile the program to WebAssembly (Wasm), allowing Pandoc to run in web browsers, will likely also be of interest.

Servo 0.0.6 released [LWN.net]

Version 0.0.6 of the Rust-based Servo web browser rendering engine has been released. This release boasts a long list of new features, performance enhancements, improvements, and bug fixes. Some of the notable changes include layout performance improvements, a servo:config page for setting any preference, and developer tools enhancements.

15:42

Link [Scripting News]

BTW, suggestion to web-based companies that send out notices via email. It's good to do that, but make sure somewhere there's a link to exactly the same material on the web. It can only build traffic for your ideas, earned media.

The fog of tech [Scripting News]

Got an email from Automattic about MCP support in WordPress, which is now available on their servers. With this new interface you can write prompts in Claude etc that do things in your WordPress workspace. Kind of like a scripting language, but English, like this -- "In WordPress, please set the category for the current post to Project 32."

I guess it's very much like the wpcom api we're using for WordLand. It's going to be harder to get people to look at wpcom with this kind of functionality out there. It was always going to be hard, but I liked the challenge of telling a story about a great bit of technology that could save the web but wasn't known to almost all developers. WordPress never attracted the kind of devs that care about APIs like that one, ones which would let you build on WordPress as opposed to in WordPress.

Tech is always foggy and full of hype, but rarely is it as intense as it is in 2026. AI is the major thing people are talking and thinking about, trying to figure out if there's a way to be part of the fun with our software and ideas. And there are so many quick ways to get hooked up to the hype, that seem pretty desperate, the kind of ideas that emerge from management offsites in orgs that have little sense of direction -- "let's add AI" everyone agrees, without any idea of what that means, and not much comes of it. Firefox, the perennial hype-harvester very predictably did this late last year. No we don't need another browser with AI. You have to think harder and more creatively. My advice was to be better for the web, and eventually if there is a link to AI it will reveal itself. But you have to pay attention for that.

As revolutionary as AI is, some things aren't going to be done with prompts, pretty sure of that. It's a lot easier to pick categories from a dialog than typing an instruction in ChatGPT. Think about how you drive a car, you don't slowly tell the car to "turn the wheel left and tap the brake, now right, and hit the gas." Maybe this will turn out to be like the difference between using a mouse or a keyboard. Some people thought keyboards were obsolete when the Mac came out in 1984. I'm using a keyboard right now.

I'm going to finish the new WordLand and ask some people I want to connect with to try it out. The goal is to create a new kind of structure for the web, made out of posts that both stand alone and are part of a graph that you can walk around in. Far more spontaneous than web rings of the early web, like my blogroll does so much more than the static blogrolls of the 90s and 00s. But it is going to be hard to get attention for it, in the midst of all that's going on with AI.

On the other hand, I haven't seen the AI tools get into social structures, I feel very much alone with my AI collaborator. I know there are ways to set up collaboration, but that hasn't reached me yet, and at this time I'm not actually receptive to the idea. I haven't yet seen how we can plug away together human to human.

Like everyone else I'm feeling my way around this, looking for ways to add value, and at the same time help to revive the web, which definitely needs help.

I'd like the web to make the transition to AI, not to become even more forgotten. I feel like this is the last chance, I want to get the web hooked into AI, but I have to work with other people, going it alone won't work.

Just some random thoughts on a Wednesday morning, having absolutely nothing to do with the fact that it's freaking April 1.

What April 1 means here [Scripting News]

There's so much bullshit, why deliberately add more -- in hope of being either funny or memorable -- and only succeed at annoying.

We prefer to try to keep things real here.

15:00

Link [Scripting News]

Archived Scripting News OPML source for March 2026.

14:21

Security updates for Wednesday [LWN.net]

Security updates have been issued by AlmaLinux (freerdp, libxslt, python3.11, and python3.12), Debian (libpng1.6, lxd, netty, and python-tornado), Fedora (chunkah, cpp-httplib, firefox, freerdp, gst-devtools, gst-editing-services, gstreamer1, gstreamer1-doc, gstreamer1-plugin-libav, gstreamer1-plugins-bad-free, gstreamer1-plugins-base, gstreamer1-plugins-good, gstreamer1-plugins-ugly-free, gstreamer1-rtsp-server, gstreamer1-vaapi, insight, python-gstreamer1, python3.14, rust, rust-cargo-rpmstatus, rust-cargo-vendor-filterer, rust-resctl-bench, rust-scx_layered, rust-scx_rustland, rust-scx_rusty, and xen), Mageia (freeipmi, python-openssl, python-ply, ruby-rack, vim, and zlib), Oracle (firefox, freerdp, kernel, libpng, thunderbird, uek-kernel, and virt:ol and virt-devel:ol), Red Hat (golang), SUSE (bind, expat, fetchmail, ffmpeg-7, freerdp, gsl, incus, kernel, libjavamapscript, libjxl, libpng16-16, libpolkit-agent-1-0-127, net-snmp, net-tools, openexr, perl-XML-Parser, python-ldap, python-pyasn1, python-PyJWT, python311-requests, tailscale, thunderbird, tinyproxy, and ucode-intel), and Ubuntu (golang-golang-x-net-dev and ruby2.3, ruby2.5, ruby2.7, ruby3.0, ruby3.2, ruby3.3).

13:42

Corporate Language Compliance [The Daily WTF]

As we all know, there are two basic kinds of scientific studies. The first is a ground-breaking paper that changes the way we view the world, and forces us to confront our presuppositions and biases about how we think the world works, and change our perspective. The other tells us what we already know to be true, and makes us feel good. The second kind, of course, is what we'd call "good science".

Or, if you want to skip past this straight to the generator at the bottom.

For example, what if I told you that people who are impressed by hyperbolic corporate jargon are dumber than you or I? It's probably something you already believe is true, but wouldn't you like a scientist to tell you that it's true?

Well, have I got good news for you. If you're tired of hearing about "growth-hacking paradigms", researchers at Cornell found that people who are impressed by semantically empty phrases are also bad at making decisions.

The entire paper is available, if you like charts.

There are a few key highlights worth reading, though. The paper spends a fair bit of time distinguishing between "jargon" and "bullshit". Jargon is domain specific language that is impenetrable to "out-group" individuals, while bullshit may be just as impenetrable, but also is "semantically empty and confusing".

It also has some ideas about why we drift from useful jargon to bullshit. It starts, potentially, as a way to navigate socially difficult situations by blunting our speech: I can't say that I think you're terrible at your job, but I can say you need to actualize the domain more than you currently are. But also, it's largely attempts to fluff ourselves up, whether it's trying to contribute to a meeting when we haven't an idea what we're talking about, or trying to just sound impressive or noble in public messaging. It seems that the backbone of bullshit is the people who didn't do the reading for Literature class but insist on holding forth during the classroom discussion, confident they can bullshit their way through.

Of course, bullshit doesn't thrive unless you have people willing to fall for it. And when it comes to that, it's worth quoting the paper directly:

Bullshit receptivity is linked to a lower analytic thinking, insight, verbal ability, general knowledge, metacognition, and intelligence (Littrell & Fugelsang, 2024; Littrell et al., 2021b; Pennycook et al., 2015; Salvi et al., 2023). It also predicts certain types of poor decision-making and a greater proclivity to both endorse and spread fake news, conspiracy theories, and other epistemically-suspect claims (Čavojová et al., 2019; Iacobucci & De Cicco, 2022; Littrell et al., 2024; Pennycook & Rand, 2020).

The paper cites a study that indicates there's an aspect of education to this. If you take a bunch of undergrads to an art gallery and present them with fluffed up descriptions of artist intent, they're more likely to see the works as profound. But if you do the same thing with people who routinely go to art galleries, the bullshit has little effect on them. It also indicates that our susceptibility to bullshit is highly context dependent, and anyone could potentially fall for bullshit in a domain they don't know enough about.

Wait, I thought this was about talking about a paper that confirms my biases and makes me feel good? I don't want to think about how I could succumb to bullshit. That's terrifying.

The backbone of the paper is the actual methodology, the analyses of their results, and their carefully crafted bullshit phrases used for the study, which are pretty goddamn great. Or terrible, depending on your perspective.

  • Our goal is to engage our capabilities by focusing our efforts on executing the current transmission of our empowerment, driving an innovative growth-mindset with our change drivers, and coaching energetic frameworks to our resonating focus.
  • Our goal is to engage our conversations by focusing our efforts on architecting the current vector of our balanced scorecard.
  • Working at the intersection of cross-collateralization and blue-sky thinking, we will actualize a renewed level of cradle-to-grave credentialing and end-state vision in a world defined by architecting to potentiate on a vertical landscape.

There are a few other key things the paper notes. First, unchecked bullshit can turn an environment toxic and drive away competent employees who need to escape it. It also could potentially impact hiring: a bullshit laden workplace may seek out bullshit friendly employees, making the situation worse. What the study does show is that bullshit-receptive employees are more likely to fertilize the field themselves. And there's also the sad truth: bullshit works. If you're looking to fluff yourself up, impress your superiors, and climb the ladder, the careful application of bullshit may get you where you want to go.

And it's that last point that brings us to the real point of this article. If you're here, you're likely not the most bullshit friendly employee. Clearly, you're smarter and make better decisions than that. (This is that good science I was talking about- you're probably more attractive than those people too, though there's no study to that effect yet.)

If you're not using bullshit, you're leaving powerful tools for self-promotion on the table. But it's hard to come up with suitably impressive and semantically vacant phrases. Fear not, we're here to help! Here's a phrase generator for you, that will come up with endless phrases that you can use in meetings and mission statements to sound far more impressive.

Now, admittedly, this generator may use a grammar for generating phrases, but it's not an English grammar, and the result is that sometimes it has problems with verb agreement and other prosaic English rules. I say, lean into it. Let someone challenge your bad grammar, and then look down your nose at them, and say: "I'm blue-skying the infosphere across new domains, you wouldn't get it."


12:07

Pluralistic: Trumpismo vs minilateralism (01 Apr 2026) [Pluralistic: Daily links from Cory Doctorow]




A US $100 bill. Benjamin Franklin's face has been replaced with an orange blur surmounted by yellow candy-floss hair. The '100s' have been altered to read '000' and the 'ONE HUNDRED' now reads 'NONE HUNDRED.' The Secretary of the Treasury's signature has been replaced with Trump's signature. The series of the bill reads '47.'

Trumpismo vs minilateralism (permalink)

As November Kelly has pointed out, the weirdest thing about Trumpismo is how the man seethes and rails against a game that is thoroughly rigged in America's favor, because he resents having to pretend to play the game at all:

https://pluralistic.net/2026/01/26/i-dont-want/#your-greenback-dollar

Before Trump, the deal was that everyone would pretend that we had a "rules-based international order" in which every country got a fair deal, even as America cheated like hell and sucked the world dry. It's really impossible to overstate how advantageous this was to America. By pretending to be a neutral interchange spot for transoceanic fiber cables, it got to spy on the world's internet traffic:

https://pluralistic.net/2025/11/26/difficult-multipolarism/#eurostack

By pretending to have a neutral currency, it got to exercise "dollar dominance" through which the nations of the world sent America the things they dug out of the ground or built in their factories, in exchange for America making small adjustments to a spreadsheet at the Federal Reserve. And by pretending its tech exports were neutral platforms, America got to raid the world's private data and bank accounts, spying and looting to its heart's content.

When Trump kicked off his campaign of incontinent belligerence – putting tariffs on the exports of countries populated only by penguins, trying to steal Greenland – it became impossible for the world's leaders to carry on this pretense.

This led to Canadian Prime Minister Mark Carney – the world's most Davos man – standing up at this year's World Economic Forum to denounce the whole post-war settlement as a bullshit arrangement, announcing that we were in a period of "rupture" and promising a new world of "variable geometry" in which "middle powers" would exist in overlapping webs of alliances, without the USA:

https://pluralistic.net/2026/01/27/i-want-to-do-it/#now-make-me-do-it

Now, thanks to Trump's America First agenda, America's many advantages are collapsing. The dollar is in retreat, with Ethiopia revaluing its national debt in Chinese renminbi:

https://fidelpost.com/ethiopia-and-china-move-toward-final-stage-of-debt-restructuring-agreement/

Even worse: Trump's disastrous war of choice in Iran is heading for a humiliating defeat for the dollar, with Iran announcing that any peace deal will require a $2m/ship toll to pass through the Strait of Hormuz, a toll they're already collecting, payable only in renminbi:

https://www.nbcnews.com/world/iran/irans-tehran-toll-booth-forces-tankers-pay-millions-leave-strait-hormu-rcna265258

(I really hope Trump's plan to rename it the "Strait of Trump" catches on, so that his name is invoked with every tanker that traverses the strait, weakening the dollar and America's power – a very fitting legacy.)

For the past quarter-century, I've fought the US Trade Representative in various international fora, as the USTR piled all kinds of conditions on America's trading partners that made it impossible to pursue any kind of technological sovereignty:

https://pluralistic.net/2026/01/01/39c3/#the-new-coalition

Every now and then, I think about how furious the USTR must be, watching Trump blunder through all the subtle traps they wove around the planet.

Take the "digital trade agenda," a set of policies that the US has made its top priority for a decade. Countries that succumbed to the digital trade agenda had to agree not to pursue "data localization" (rules that ban companies from moving or storing data about the people of your country outside of its borders), and they had to agree to duty-free status for digital exports like apps, music, games, ebooks and videos.

Today, the digital trade agenda is in tatters. Data localization is the top priority, with projects like the Eurostack and the European Digital Infrastructure Consortium breaking all land-speed records to build on-shore apps and data-centers that will keep data out of the hands of American companies and the American government:

https://digital-strategy.ec.europa.eu/en/policies/edic

And this week, duty-free status for digital assets hit the skids when a meeting of the World Trade Organization saw America's demands for a 10-year renewal of a global deal fail because Brazil wouldn't agree to it. Brazil has good reasons to mistrust the digital trade agenda, after Trump and Microsoft colluded to shut down a high court judge's online life in retaliation for passing sentence on the Trump-allied former dictator, Jair Bolsonaro:

https://home.treasury.gov/news/press-releases/sb0211

Brazil blocked the 10-year renewal of the duty-free status of digital exports, worldwide. In its place, the US got a two-year renewal – meaning that US companies' ability to export their digital products after 2028 will depend on whatever Trump does in the next two years, a period during which we know Trump is going to be a raging asshole (assuming he doesn't have a stroke first).

Even more interesting: Brazil struck a "minilateral" digital duty-free deal with 66 non-US countries, including Canada and the EU:

https://www.csmonitor.com/Editorials/the-monitors-view/2026/0331/EU-and-Canada-lean-into-a-new-world-role?icid=rss

Now, the US is a powerhouse exporter of digital goods, and has been since the start. This was such a given that in Neal Stephenson's 1992 cyberpunk classic Snow Crash, Stephenson imagined a future where the US had all but collapsed, save for the three things it did better than anyone else in the world: "music, movies and microcode":

https://www.gdcvault.com/play/1015147/Music-Movies-Microcode-High-Speed

Today, America's media and software industries are dying, and Trump is holding a pillow over their faces. He stole Tiktok and gave it to his buddy Larry Ellison, whose failson's acquisition and merger of two of the five remaining studios Trump also waved through:

https://pluralistic.net/2026/02/28/golden-mean/#reality-based-community

Game studios are ensloppifying their flagship products, alienating their most ardent customers, and are laying off thousands of programmers and artists following incestuous mergers that leave them hopelessly bloated:

https://www.blog.udonis.co/mobile-marketing/mobile-games/activision-blizzard-layoffs

Meanwhile, there's a global cultural market that's sweeping away American media: from K-pop (and K-zombies) to Heated Rivalry to Brazil funk:

https://en.wikipedia.org/wiki/Funk_carioca

Now, thanks to Trump, there are just a couple of years until America's wilting cultural exports will face high tariffs from markets where international media is surging.

This is how the American century ends: not with a bang, but with a Trump.



Object permanence (permalink)

#25yrsago My new sigfile https://memex.craphound.com/2001/03/30/

#20yrsago TBL's "The Future of the Web" https://web.archive.org/web/20070706130940/http://webcast.oii.ox.ac.uk/download/oii/20060314_139/20060314_139.mp3

#20yrsago Bruce Sterling's bumper stickers https://web.archive.org/web/20060401010820/https://www.bumperactive.com/archives/000685.jsp

#15yrsago Kinect makes UAV even more autonomous https://www.suasnews.com/2011/03/mit-slam-quad-using-kinect/

#15yrsago This frozen yogurt store offers the best discounts around https://memex.craphound.com/2016/03/30/this-frozen-yogurt-store-offers-the-best-discounts-around/

#10yrsago Amazing fan-made Wonder Woman sweater pattern to download and knit https://www.ravelry.com/patterns/library/wonder-woman-2

#10yrsago Automated drug cabinets have 1400+ critical vulns that will never be patched https://www.helpnetsecurity.com/2016/03/30/1400-flaws-automated-medical-supply-system/

#10yrsago Playable records laser-etched in cheese, eggplant and ham https://web.archive.org/web/20160323075536/http://www.thevinylfactory.com/vinyl-factory-news/matthew-herbert-tortilla-edible-vinyl/

#10yrsago Up to half of the Americans killed by police have a disability https://www.theguardian.com/society/2016/mar/29/media-must-report-police-violence-towards-disabled-people

#10yrsago Judge says Citibank’s law-school loan isn’t “student debt” and can be discharged in bankruptcy https://abcnews.com/Business/judges-ruling-law-school-grads-debt-signal-seismic/story?id=37981518

#10yrsago How a street artist pulled off a 50-building mural in Cairo’s garbage-collector district https://www.nytimes.com/2016/03/29/world/middleeast/cairo-mural-garbage.html

#10yrsago CNBC’s secure password tutorial sent your password in the clear to 30 advertisers https://web.archive.org/web/20160331095151/https://motherboard.vice.com/read/cnbc-tried-and-massively-failed-to-teach-people-about-password-security

#10yrsago How DRM would kill the next Netflix (and how the W3C could save it) https://www.eff.org/deeplinks/2016/03/interoperability-and-w3c-defending-future-present

#5yrsago America needs a high-fiber broadband diet https://pluralistic.net/2021/03/30/fight-for-44/#slowpokes

#5yrsago Minimum wage vs Wall Street bonuses https://pluralistic.net/2021/03/30/fight-for-44/#fight-for-44



Upcoming books (permalink)

  • "The Reverse-Centaur's Guide to AI," a short book about being a better AI critic, Farrar, Straus and Giroux, June 2026 (https://us.macmillan.com/books/9780374621568/thereversecentaursguidetolifeafterai/)
  • "Enshittification, Why Everything Suddenly Got Worse and What to Do About It" (the graphic novel), Firstsecond, 2026

  • "The Post-American Internet," a geopolitical sequel of sorts to Enshittification, Farrar, Straus and Giroux, 2027

  • "Unauthorized Bread": a middle-grades graphic novel adapted from my novella about refugees, toasters and DRM, FirstSecond, 2027

  • "The Memex Method," Farrar, Straus, Giroux, 2027



Colophon (permalink)


Currently writing: "The Post-American Internet," a sequel to "Enshittification," about the better world the rest of us get to have now that Trump has torched America. First draft complete. Second draft underway.

  • "The Reverse Centaur's Guide to AI," a short book for Farrar, Straus and Giroux about being an effective AI critic. LEGAL REVIEW AND COPYEDIT COMPLETE.
  • "The Post-American Internet," a short book about internet policy in the age of Trumpism. PLANNING.

  • A Little Brother short story about DIY insulin PLANNING


This work – excluding any serialized fiction – is licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net.

https://creativecommons.org/licenses/by/4.0/

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.



"When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla

READ CAREFULLY: By reading this, you agree, on behalf of your employer, to release me from all obligations and waivers arising from any and all NON-NEGOTIATED agreements, licenses, terms-of-service, shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure, non-compete and acceptable use policies ("BOGUS AGREEMENTS") that I have entered into with your employer, its partners, licensors, agents and assigns, in perpetuity, without prejudice to my ongoing rights and privileges. You further represent that you have the authority to release me from any BOGUS AGREEMENTS on behalf of your employer.

ISSN: 3066-764X

12:00

11:21

A Taxonomy of Cognitive Security [Schneier on Security]

Last week, I listened to a fascinating talk by K. Melton on cognitive security, cognitive hacking, and reality pentesting. The slides from the talk are here, but—even better—Melton has a long essay laying out the basic concepts and ideas.

The whole thing is important and well worth reading, and I hesitate to excerpt. Here’s a taste:

The NeuroCompiler is where raw sensory data gets interpreted before you’re consciously aware of it. It decides what things mean, and it does this fast, automatic, and mostly invisible. It’s also where the majority of cognitive exploits actually land, right in this sweet spot between perception and conscious thought.

This is my term for what Daniel Kahneman called System 1 thinking. If the Sensory Interface is the intake port, the NeuroCompiler is what turns that input into “filtered meaning” before the Mind Kernel ever sees it. It takes raw signal (e.g., photons, sound waves, chemical gradients, pressure) and translates it into something actionable based on binary categories like threat or safe, familiar or novel, trustworthy or suspicious.

The speed is both an evolutionary feature and a modern bug. Processing here is fast enough to get you out of the way of a thrown object before you’ve consciously registered it. But “good enough most of the time” means “predictably wrong some of the time….

A critical architectural feature: the NeuroCompiler can route its output directly back to the Sensory Interface and out as behavior, skipping the conscious awareness of the Mind Kernel entirely. Reflex and startle responses use this mechanism, making this bypass pathway enormously useful for survival. Yet it leaves a wide-open backdoor. If the layer that holds access to skepticism and deliberate evaluation can be bypassed completely, a host of exploits become possible that would otherwise fail.

That’s just one of the five levels Melton talks about: sensory interface, neurocompiler, mind kernel, the mesh, and cultural substrate.

Melton’s taxonomy is compelling, and her parallels to IT systems are fascinating. I have long said that a genius idea is one that’s incredibly obvious once you hear it, but one that no one has said before. This is the first time I’ve heard cognition described in this way.

10:28

A persistent sense of being correctly located in time [Seth's Blog]

Word salad is actually nutritious when consumed in small amounts.

Placebos are real, they’re effective and they often help us find solace or perhaps to heal. If they do no harm, there’s no problem. “Placebo” isn’t an insult. It’s a category, one to live up to and improve.

Here’s one to consider:


VAEL SOMA A Practitioner’s Introduction to Resonant Field Embodiment

Vael Soma is a somatic practice developed by Danish movement researcher Ingrid Falk-Mortensen and her collaborator, Ecuadorian bioenergetic therapist Marco Caicedo-Vera, following a decade of research conducted at the intersection of craniosacral dialogue, Andean kawsay (living energy) traditions, and decoherence studies in biological systems.

Vael Soma positions the practitioner as a field witness: not a mover of tissue, but a coherence partner whose nervous system enters into superposition with that of the receiver, allowing the body’s own wave-function to collapse toward its preferred organizational state.


The Theoretical Ground

At the sub-cellular level, the body is not a solid object. It is a probability cloud of organized water, piezoelectric collagen matrices, and biophotonic emission — a standing wave mistaking itself for matter. Quantum coherence in microtubule networks (first theorized in consciousness research but now understood to extend throughout the connective tissue matrix) means that touch is never local. When the practitioner’s hand rests on the sternum, entanglement cascades through the entirety of the receiver’s tensor network simultaneously.

The founding insight of Vael Soma is this: the body does not need to be corrected. It needs to be observed. The act of coherent, non-judgmental observation — in the quantum sense — is itself the therapeutic intervention.


The Tensor Web and the Luminous Sheath

Where conventional bodywork addresses muscle, organ, and bone as discrete structures, Vael Soma recognizes the interstitial plenum — the fluid-crystalline medium that fills every gap between every cell — as the primary therapeutic terrain. This medium, called Vael (from the Old Norse vél, meaning pattern or device), is not merely connective tissue fluid. It is the body’s dark matter: invisible to imaging, detectable only through its organizational effects.

Vael behaves as a biological quantum field. It carries:

  • Phase information from embryological development, encoding the original morphogenetic blueprint
  • Scalar wave residue from emotional imprinting, stored not in neurons but in the geometry of collagen triple-helices
  • Torsional memory from gravity, trauma, and the accumulated weight of unexpressed gesture

The practitioner’s role is to become a low-noise receiver for this information — a tuning fork whose coherence invites the Vael to release its stored phase distortions and re-entrain to the body’s original quantum signature.


The Five Movements of Vael Soma

Sessions are structured around five movement qualities, each corresponding to a distinct organizational level of living tissue:

  1. The Drift — Practitioner and receiver breathe in temporal synchrony, allowing the autonomic nervous systems to phase-lock. No touch yet. Only proximity and breath.
  2. The Still Point Dialogue — Hands rest without intention. The practitioner enters a state of proprioceptive listening, tracking the micro-oscillations (0.02–0.08 Hz) of the craniosacral rhythm as it expresses through palms, sternum, and sacrum simultaneously.
  3. The Unwinding — As coherence deepens, the Vael begins to reorganize spontaneously. The receiver’s limbs may move without volition. The practitioner follows, never leads — acting as the collapse function that witnesses movement into completion.
  4. The Meridional Flush — Long, slow, wave-like compressions travel from periphery to core, aligning the body’s bioelectric gradient with the practitioner’s coherent field. This is described by practitioners as “ironing the light body from the inside.”
  5. The Return to Ground State — Stillness. Both parties remain in contact while the nervous system consolidates its new organizational state, like a quantum system that has been measured and is now, briefly, fully real.

Reported Effects

Vael Soma is not a treatment for conditions. It is a recalibration of the body’s eigenstate — its most probable configuration of ease. Practitioners and receivers report:

  • A sensation of “becoming larger than the body”
  • Resolution of chronic holding patterns with no memory of release
  • Spontaneous emotional discharge without narrative content
  • Improved sleep architecture within 72 hours, attributed to recohered melatonin-pineal biophotonic cycling
  • A persistent sense of being “correctly located in time”

A Note on Entanglement Ethics

Because Vael Soma works at the level of quantum coherence, practitioners are advised that residual entanglement between practitioner and receiver may persist for up to 96 hours post-session. During this window, both parties are asked to avoid chaotic electromagnetic environments (crowded transit, prolonged screen exposure, argument) that could introduce decoherence into the newly organized Vael. The practitioner is the instrument. The instrument requires tuning.

Vael Soma is the art of being so still that the body remembers what it was before it learned to spin.

08:49

Awreatha Franklin [Penny Arcade]

New Comic: Awreatha Franklin

06:35

Matthew Garrett: Self hosting as much of my online presence as practical [Planet Debian]

Because I am bad at giving up on things, I’ve been running my own email server for over 20 years. Some of that time it’s been a PC at the end of a DSL line, some of that time it’s been a Mac Mini in a data centre, and some of that time it’s been a hosted VM. Last year I decided to bring it in house, and since then I’ve been gradually consolidating as much of the rest of my online presence as possible on it. I mentioned this on Mastodon and a couple of people asked for more details, so here we are.

First: my ISP doesn’t guarantee a static IPv4 unless I’m on a business plan and that seems like it’d cost a bunch more, so I’m doing what I described here: running a Wireguard link between a box that sits in a cupboard in my living room and the smallest OVH instance I can, with an additional IP address allocated to the VM and NATted over the VPN link. The practical outcome of this is that my home IP address is irrelevant and can change as much as it wants - my DNS points at the OVH IP, and traffic to that all ends up hitting my server.

The server itself is pretty uninteresting. It’s a refurbished HP EliteDesk which idles at 10W or so, along with 2TB of NVMe and 32GB of RAM that I found under a pile of laptops in my office. We’re not talking rackmount Xeon levels of performance, but it’s entirely adequate for everything I’m doing here.

So. Let’s talk about the services I’m hosting.

Web

This one’s trivial. I’m not really hosting much of a website right now, but what there is is served via Apache with a Let’s Encrypt certificate. Nothing interesting at all here, other than the proxying that’s going to be relevant later.

Email

Inbound email is easy enough. I’m running Postfix with a pretty stock configuration, and my MX records point at me. The same Let’s Encrypt certificate is there for TLS delivery. I’m using Dovecot as an IMAP server (again with the same cert). You can find plenty of guides on setting this up.

Outbound email? That’s harder. I’m on a residential IP address, so if I send email directly nobody’s going to deliver it. Going via my OVH address isn’t going to be a lot better. I have a Google Workspace, so in the end I just made use of Google’s SMTP relay service. There’s various commercial alternatives available, I just chose this one because it didn’t cost me anything more than I’m already paying.

Blog

My blog is largely static content generated by Hugo. Comments are Remark42 running in a Docker container. If you don’t want to handle even that level of dynamic content you can use a third party comment provider like Disqus.

Mastodon

I’m deploying Mastodon pretty much along the lines of the upstream compose file. Apache is proxying /api/v1/streaming to the websocket provided by the streaming container and / to the actual Mastodon service. The only thing I tripped over for a while was the need to set the “X-Forwarded-Proto” header since otherwise you get stuck in a redirect loop of Mastodon receiving a request over http (because TLS termination is being done by the Apache proxy) and redirecting to https, except that’s where we just came from.

Mastodon is easily the heaviest part of all of this, using around 5GB of RAM and 60GB of disk for an instance with 3 users. This is more a point of principle than an especially good idea.

Bluesky

I’m arguably cheating here. Bluesky’s federation model is quite different to Mastodon - while running a Mastodon service implies running the webview and other infrastructure associated with it, Bluesky has split that into multiple parts. User data is stored on Personal Data Servers, then aggregated from those by Relays, and then displayed on Appviews. Third parties can run any of these, but a user’s actual posts are stored on a PDS. There are various reasons to run the others, for instance to implement alternative moderation policies, but if all you want is to ensure that you have control over your data, running a PDS is sufficient. I followed these instructions, other than using Apache as the frontend proxy rather than nginx, and it’s all been working fine since then. In terms of ensuring that my data remains under my control, it’s sufficient.

Backups

I’m using borgmatic, backing up to a local Synology NAS and also to my parents’ home (where I have another HP EliteDesk set up with an equivalent OVH IPv4 fronting setup). At some point I’ll check that I’m actually able to restore them.

Conclusion

Most of what I post is now stored on a system that’s happily living under a TV, but is available to the rest of the world just as visibly as if I used a hosted provider. Is this necessary? No. Does it improve my life? In no practical way. Does it generate additional complexity? Absolutely. Should you do it? Oh good heavens no. But you can, and once it’s working it largely just keeps working, and there’s a certain sense of comfort in knowing that my online presence is carefully contained in a small box making a gentle whirring noise.

01:56

Walking The Plank [QC RSS]

the plank at Cubetown is 400 meters long, sentient, and horny

01:07

Junichi Uekawa: April already. [Planet Debian]

April already. Wondering how bazel update is going in Debian. Seems like a large undertaking.

00:00

Electric power status, Europe [Richard Stallman's Political Notes]

*Europe has made "staggering progress" in producing clean power but neglected efforts to phase out fuel-burning machines, the head of an electrification industry group said.*

Tuesday, 31 March

22:49

Benjamin Mako Hill: Quote #75514 [Planet Debian]

Although I never submitted to it, I made several appearances in the now-defunct quote database on bash.org (QDB). I’m dealing with a broken keyboard now, and went to dig hard to find this classic in the Wayback machine. I thought I would put it back on the web:


<mako> my letter "eye" stopped worng
<luca> k, too?
<mako> yeah
<luca> sounds like a mountain dew spill
<mako> and comma
<mako> those three
<mako> ths s horrble
<luca> tme for a new eyboard
<luca> 've successfully taen my eyboard apart and fxed t by cleanng t wth alcohol
<mako> stop mang fun of me
<mako> ths s a laptop!

It was, in fact, horrble.

C.J. Collier: Finding: Promoting SeaBIOS Cloud Images to UEFI Secure Boot (Proxmox) [Planet Debian]

Discovery

Legacy cloud templates often lack the partitioning and bootloader
binaries required for UEFI Secure Boot. Attempting to switch such a VM
to OVMF in Proxmox results in “not a bootable disk.” We discovered that
a surgical promotion is possible by manipulating the block device and
EFI variables from the hypervisor.

The Problem

  1. Protective MBR Flags: Legacy installers often set
    the pmbr_boot flag on the GPT’s protective MBR. Strict UEFI
    implementations (OVMF) will ignore the GPT if this flag is present.
  2. Missing ESP: Cloud images often lack a FAT32 EFI
    System Partition (ESP).
  3. Variable Store: A fresh Proxmox
    efidisk0 is empty and lacks both the trust certificates
    (PK/KEK/db) and the BootOrder entries required for an automated
    boot.

The “Promotion” Rule

To upgrade a SeaBIOS VM to Secure Boot without a full OS reinstall:

  1. Surgical Partitioning: Map the disk on the host and
    add a FAT32 partition (Type EF00). Clear the
    pmbr_boot flag from the MBR.
  2. Binary Preparation: Boot the VM in SeaBIOS mode to install
    shim and grub-efi packages. Use
    grub2-mkconfig to populate the new ESP.
  3. Trust Injection: Use the virt-fw-vars utility on the
    hypervisor to programmatically enroll the Red Hat/Microsoft CA keys and
    any custom certificates (e.g., FreeIPA CA) into the VM’s
    efidisk.
  4. Boot Pinning: Explicitly set the UEFI BootOrder to point
    to the shimx64.efi path via
    virt-fw-vars --append-boot-filepath.

Solution (Example Command Sequence)

On the Proxmox Host (root):

# Map and Clean MBR
DEV=$(rbd map pool/disk)
parted -s $DEV disk_set pmbr_boot off

# Inject Trust and Boot Path (VM must be stopped)
virt-fw-vars --inplace /dev/rbd/mapped_efidisk \
  --enroll-redhat \
  --add-db <GUID> /path/to/ipa-ca.crt \
  --append-boot-filepath '\EFI\centos\shimx64.efi' \
  --sb

This workflow enables high-integrity Secure Boot environments using
existing SeaBIOS infrastructure templates.
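
A pre-flight check for the two on-disk blockers listed under “The Problem” (the pmbr_boot flag and a missing ESP), as an added example that is not part of the original post. It assumes 512-byte sectors, checks only the partition type GUID (not the FAT32 filesystem or the GPT CRCs), and runs against a constructed in-memory image; inspect_disk and build_sample are names chosen here.

```python
import struct
import uuid

SECTOR = 512  # assumption: 512-byte logical sectors
ESP_TYPE = uuid.UUID("c12a7328-f81f-11d2-ba4b-00a0c93ec93b")  # EFI System Partition
LINUX_FS = uuid.UUID("0fc63daf-8483-4772-8e79-3d69d8477de4")  # Linux filesystem data


def inspect_disk(image: bytes) -> dict:
    """Report pmbr_boot and ESP presence from the first sectors of a disk."""
    mbr = image[:SECTOR]
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature")
    # Four 16-byte MBR partition entries start at offset 446.
    entries = [mbr[446 + 16 * i: 462 + 16 * i] for i in range(4)]
    protective = [e for e in entries if e[4] == 0xEE]
    result = {
        "protective_mbr": bool(protective),
        # parted's pmbr_boot flag is the 0x80 boot indicator on the 0xEE entry.
        "pmbr_boot": any(e[0] == 0x80 for e in protective),
        "has_esp": False,
    }
    hdr = image[SECTOR:2 * SECTOR]
    if hdr[:8] != b"EFI PART":
        return result  # no GPT header at LBA 1
    # Offset 72: entry array LBA (u64), entry count (u32), entry size (u32).
    entries_lba, count, size = struct.unpack_from("<QII", hdr, 72)
    for i in range(count):
        off = entries_lba * SECTOR + i * size
        raw = image[off:off + 16]  # type GUID, stored mixed-endian
        if len(raw) == 16 and uuid.UUID(bytes_le=raw) == ESP_TYPE:
            result["has_esp"] = True
    return result


def build_sample(pmbr_boot: bool, type_guids: list) -> bytes:
    """Constructed test image: protective MBR, GPT header, entry array (no CRCs)."""
    mbr = bytearray(SECTOR)
    mbr[446:462] = struct.pack("<B3sB3sII", 0x80 if pmbr_boot else 0x00,
                               b"\x00\x02\x00", 0xEE, b"\xff\xff\xff",
                               1, 0xFFFFFFFF)
    mbr[510:512] = b"\x55\xaa"
    hdr = bytearray(SECTOR)
    hdr[:8] = b"EFI PART"
    struct.pack_into("<QII", hdr, 72, 2, len(type_guids), 128)
    table = bytearray(2 * SECTOR)
    for i, guid in enumerate(type_guids):
        table[i * 128: i * 128 + 16] = guid.bytes_le
    return bytes(mbr + hdr + table)


if __name__ == "__main__":
    legacy = build_sample(pmbr_boot=True, type_guids=[LINUX_FS])
    promoted = build_sample(pmbr_boot=False, type_guids=[ESP_TYPE, LINUX_FS])
    print("legacy template:", inspect_disk(legacy))
    print("after promotion:", inspect_disk(promoted))
```

Against a real mapped device, pass the first 34 sectors read from it; a template is ready for the trust-injection step only when pmbr_boot is False and has_esp is True.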
