Wish's River of News

[$] Hardening the kernel with allocation tokens and bootpatch-SLR [LWN.net]

I bet Ward Cunningham is really good at using Claude, he is a big believer in pair programming. I even did a session with him in Frontier, doing stuff with the outliner.

15:21

There is a lot of work going into eliminating exploitable bugs from the kernel and preventing the addition of new ones. Even if this work is maximally successful, though, there is no chance that the kernel will be free of these bugs anytime soon. Thus, there is also ongoing interest in hardening the kernel to make the existing bugs more difficult to exploit. The upcoming 7.2 kernel release will include a change to how dynamically allocated structures are placed in memory to make them harder to overwrite, while a project to randomize structure layout at boot time has a rather longer timeline.

15:00

Good morning sports fans!

Claude is a brain, very different from ours and when we work together we humans have access to capabilities that work really well with building large software products. And that's a huge understatement. Most remarkable thing. Most of the discussion between people who use the AI tools and those that condemn them are not productive because the opponents of AI don't understand the breadth of what these machines do and the potential to do much more, things that we as a species have never done. Think of it as an alien life form that wants to merge with us. I'm glad to be alive at this moment, and able to explore it as part of my development team. I recommend starting an academic dialog, among people who don't have conflicts of interest, or very well-disclosed and disclaimed conflicts, to accurately record this discussion based on facts, for the record, so when people ask how conscious were we when we did this transition, there will actually be some footprints to follow.

Security updates for Thursday [LWN.net]

The Bear season 5, the show's last season, premieres on Hulu at 9PM EST today.

14:35

Security updates have been issued by AlmaLinux (libpng, libsolv, libtasn1, libxml2, libxslt, python3.14, tigervnc, and vim), Debian (cloud-init, postgresql-13, and yelp), Mageia (nats-server), Oracle (.NET 10.0, .NET 8.0, .NET 9.0, bind9.18, cockpit, compat-openssl11, dnsmasq, dovecot, evince, expat, flatpak, freerdp, gimp, golang, grafana, grafana-pcp, httpd, jmc, jq, kernel, libsndfile, libsoup, libtiff, mod_http2, mysql:8.0, nginx, nginx:1.24, openexr, php:8.2, poppler, pyOpenSSL, python-markdown, redis:7, samba, thunderbird, tigervnc, unbound, and vim), Red Hat (libpng, libpng12, and libpng15), SUSE (apptainer, bind, crun, freeipmi, ghc-crypton-x509-store, ghc-crypton-x509-system, google-guest-agent, google-osconfig-agent, GraphicsMagick, gstreamer-plugins-bad, hamlib, iproute2, java-1_8_0-openjdk, kubevirt1, libarchive, libheif, libpng15, mbedtls, mbedtls-2, openssl-1_1, python-biopython, python-PyJWT, tar, webkit2gtk3, and xen), and Ubuntu (ffmpeg, libdbi-perl, and perl).

13:42

The Roadmap [The Daily WTF]

When Gary was called in for a meeting with a few of his managers- because of course he had several- he thought it was going to be for an "attaboy", because things had been going really well for the past few months.

Gary had inherited a mess, and taken over a nightmare application. It was the kind of application that should be a simple CRUD-style data-driven app, but somehow despite only having 20ish entities it managed, someone had generated 500+ controllers for managing them. Most of those controllers were copy/pasted code with minor changes in the WHERE clause of a SQL query.

And that was just the code. The infrastructure was similarly a mess, with duplicate resources provisioned in their cloud host. There was no CI/CD, no unit tests to speak of, no deployment process that wasn't "manually copy these files and pray". And uptime? You've heard about "five nines", but this product was lucky to get even one nine. Especially because the manual deployment process meant a few hours of downtime.

And that was just the infrastructure. The backlog was similarly messy. There were lots of tasks- many thousands- but not a single one had a priority. Most of the tasks were something like, "Fix database timeouts", or "Bug 531" with no description to explain what they were. At best, some of the "new feature" tasks linked to a Google Doc that explained a software roadmap that had been last updated in 2020.

So with no guidance, Gary and the rest of his team got to work. Cloud costs were massive. Just cutting the duplicate resources would help, but with actual planning it wasn't hard to find even bigger wins. In total, Gary got the cloud costs down 60%- essentially saving the company a small multiple of his salary every year.

With that out of the way, getting a CI/CD pipeline running was next. Within a few weeks, manual deployments were gone. Everything was automated. Downtime nearly vanished. And now, with all the cost savings in cloud resources, for a fraction of what they were paying, it was easy to automate provisioning test environments for each new feature.

So Gary was very ready for some congratulations when he sat down with management. He was prepared to discuss all the wins he and the rest of the developers on the project had gotten over the past few months.

"I'm sure you know why we're sitting down," Manager the First said when they settled into the conference room.

"I'm sure," said Manager the Second.

"We have some concerns about your performance," Manager the Third said.

"My performance?" Gary asked.

"Yes," said Manager the First. "Let me pull up the backlog."

"And the roadmap," said Manager the Second.

"Yes, I'm getting that up too, thank you." The trio of managers struggled with pulling up the appropriate pages, and after about 15 minutes, gave up. Instead, they discussed their complaint without visual aids. "You haven't completed any of the tasks on the roadmap. Bug 673 has been open since you started on the team. None of the roadmap milestones have been touched. There's absolutely no progress."

"Okay, but that document was wildly out of date," Gary said. "Instead I put cycles into solving the actual problems we're having. I've saved the company a huge amount of money. I've gotten our development cycle time down to a fraction of what it was. And we have basically no downtime!"

"That's all very nice, I'm sure," said Manager the Third. "But none of that was on our roadmap."

"Well, maybe we should set up a meeting to go over the roadmap," Gary said. "Because a lot of the tasks on there don't make much sense right now-"

"I don't think that's a good use of time," Manager the Second said. "Large meetings are expensive. Just stick to the roadmap, please."

With that, the meeting ended. Gary went back to work…

… updating his resume.

[Advertisement] Keep the plebs out of prod. Restrict NuGet feed privileges with ProGet. Learn more.

ESP IDF v6 [RevK®'s ramblings]

I do not wish to speak ill of such an awesome project, but, this is head banging against wall stuff.

ESP IDF v6 is out, and there is a migration guide, and a lot of breaking changes. I appreciate these happen, and appreciate a guide to help.

But today I have hit some major stuff with no simple answer.

SHA1

Regardless of security issues, SHA1 is a function needed by some protocols and applications, and generating an SHA1 should be a simple common standard function. ESP32 even has hardware to help AFAIK.

It was in mbedTLS, but no, now it is not, and is some other API, but the ESP IDF does not actually list the functions.

But there is an esp TLS thing with a simple SHA1, except you have to initialise a whole TLS subsystem to use it. I just want to simply do an SHA1 of a buffer. That is all. I do not want to create some huge config object and init a whole subsystem. At this point a local SHA1 coded function may be in order.

This should not be complicated.

I ended up, for this application, changing to esp_rom_md5, which is just stupid. It will be fine for this application, security is not the issue, just a sane hash, but something as basic as a simple SHA1 function should not be this hard.

HTTPS

I have an application that does a lot of https client requests. This used to work well.

Now it breaks it horrid ways - the https client itself may break, or other things break that need memory. Even a simple SPI bus init fails after a few https fetches. My best guess is a memory leak. Long ago https client was not good, and was fixed, but now it seems seriously broken once again. I know this is hard work for an embedded system.

Work around, and I do not like, but files are signed, is use http for now for this application. Will be back to https as soon as this is sorted.

Console

The console, i.e. basic C stdio, is default UART0. But could be set to USB/JTAG.

The console outputs to multiple places, so works on USB/JTAG anyway, but used to have a simple INPUT from USB/JTAG as well which worked.

Now, magically, that seems not to work, and no clue at all how to fix it. I can't even find where I set the input to be USB/JTAG.

Arrrrg!

I'll keep at it.

12:56

Interesting Paper Exploring Prompt Injection [Schneier on Security]

This is a fascinating explotation of how LLMs fall for prompt injection attacks. It turns out that they learn to recognize the style of text in different role/instruction blocks, and not just the tags.

Their conclusion:

Role tags were a formatting trick that became the security architecture and the cognitive scaffolding of modern LLMs. We’ve shown that this architecture doesn’t survive into the model’s actual representations, and that such role confusion is linked to prompt injection.

Unless LLMs achieve genuine role perception, we think injection defense will remain a perpetual whack-a-mole game. And the continuous nature of role boundaries opens the threat of injections designed to subtly shift LLM states through seemingly innocuous text, legally and at scale.

More generally, roles are quietly one of the most important abstractions in the LLM stack, providing the boundaries meant to separate self from other, thought from communication, instruction from data. They’re human-controlled switches in an otherwise continuous system. We think they deserve a lot more study than they’ve gotten.

Full paper: “Prompt Injection as Role Confusion.” Simon Willison comments.

12:00

So Long and Thanks for All the Context [Radar]

I got a really interesting question last week from Mike Loukides, my editor at Radar, after he read the third part of this trilogy on context management. “Another issue I’ve read about,” Mike asked, “is the tendency for a model to ignore the middle of the context. I’ve seen that particularly for the models with very large context windows. Is there anything to be said about that?”

Excellent question, Mike, and yes, there is. In that same email he pointed out that clearing the context and reloading it with just what’s important does a pretty good job dealing with this “ignore the middle” problem when it happens, but that’s clearly a stopgap.

It’s worth a deeper dive into what’s actually happening when an AI starts forgetting what’s in the middle of its context, because the problem is deeper (and more interesting!) than it might seem at first. It turns out that there’s a basic problem that’s fundamental to how LLMs manage context, and we’re still learning about it as an industry. That problem is called a U-shape. There’s been a lot of really interesting research into the U-shape problem recently, and several useful techniques have emerged that can help you manage it. And it’s probably not a coincidence that I’ve had to use all of them in my ongoing experiments with AI-driven development and agentic engineering (even if I didn’t always realize that’s what I was doing at the time).

A few weeks ago, in fact, I ran into the exact failure mode that Mike described. I was running the Quality Playbook, my open source code quality engineering skill, and ran into trouble with one of its phases—the one that writes up the bugs the earlier phases find. There’s a part of the bug writeup process where it had just created a file called BUGS.md that had an overview of each of the bugs, and had to create individual writeups for each bug it found. But instead of filling in the details correctly, it produced skeletal-looking stub files, with a generic template that had blank values instead of populated ones.

The thing is, the instructions for how to write a populated writeup were in the prompt. The actual bug data was in BUGS.md. I was absolutely certain that everything the agent needed was sitting in its context window, because I could see that it hadn’t compacted yet, and the skill’s intermediate artifacts let me see that earlier phases had read and reasoned about both files (which I talked about in my last article in this series). But the agent was producing stubs anyway. It really looked like the agent had everything it needed sitting in plain sight, and just wasn’t using the information it had. Frustrating!

I thought at the time that the model was just an idiot (which, arguably, was true but beside the point). It turns out that I had run directly into the U-shaped context problem.

In the previous three articles I covered what context is and why it disappears, how to keep important information in files instead of leaving it in the agent’s context window, and how to detect and recover when context has been compacted out from under you. All three were about losing context, through fragmentation, through compaction, through long sessions that overrun the window. This article is about this entirely different U-shaped failure mode, where the context is still sitting in the window and the model just isn’t using it.

The U-shape failure, and why bigger windows don’t fix it

The U-shape is an active area of academic investigation, so I’m going to start by going into a little bit of that research, because I think it will actually help us pin down what’s going on. I’ll start with an experiment run by Nelson Liu, an AI researcher at Stanford, who tested how language models actually use the contents of long inputs by giving them documents with the relevant answer placed at different positions and measuring whether the model could still find it. An interesting thing his findings show is that the U-shape didn’t appear to be a quirk of a single model. The U-shape showed up across model families, and even models with larger context windows still exhibited it.

If you have time, it’s actually worth taking a look at the paper that Liu and his team wrote, called “Lost in the Middle: How Language Models Use Long Contexts.” (It’s surprisingly readable for an academic paper.) The result they reported was a robust U-shape: The model performed best when the relevant information was at the beginning of its context window or at the recent end and worst when it was in the middle. Performance on questions where the answer was buried mid-context fell off sharply, even when the answer was sitting right there in plain sight. The field now uses the terms primacy bias and recency bias for those two preferences, and the U-shape is what you get when you plot them together against position.

I’m going to lean a little into academia here, because a lot of researchers are still learning about how LLM context actually works and what behavior has emerged in it.

One reason the U-shape matters more than “just another LLM quirk” is that recent research has started showing it’s a structural property of how transformers work, not a learned artifact. A 2025 ICML paper called “On the Emergence of Position Bias in Transformers” explained it as the equilibrium between two opposing forces inside the model: The causal mask amplifies the influence of the first few tokens (the primacy bias), while position encodings like RoPE heavily weight the tokens closest to where the model is generating (the recency bias). The middle is where those two forces cancel out. A 2026 paper by Borun Chowdhury, a researcher at Meta, called “Lost in the Middle at Birth: An Exact Theory of Transformer Position Bias,” took the argument even further by proving mathematically that the U-shape exists at the moment of initialization, before any training has happened, with random weights.

That matters because the natural assumption about large context windows is that more room means fewer problems. Most of today’s frontier models give you a million tokens or more, with some pushing well past two million, and some have made real progress on the simplest version of the lost-in-the-middle test, the needle-in-a-haystack benchmark, where the model has to retrieve a single sentence buried in a long document. Google’s Gemini 1.5 Pro reported near-perfect single-needle recall at 1M tokens, and current Gemini 3 models are similar.

So the accurate version of “bigger windows don’t fix it” is this: Bigger windows have made simple single-fact retrieval much better. They have not made long-context agent work reliable by default. A two-million-token window means a bigger middle to fall into.

The important idea that’s emerging here is that it’s increasingly looking like the U-shape isn’t just a bug in today’s models that will eventually be worked out or trained away by more data or better fine-tuning. Instead, it seems like the U-shape may actually be a geometric property of the LLM architecture itself.

In other words, we’re all going to have to deal with the U-shape. And that means we need techniques for managing it, and any effective technique we use isn’t likely to become obsolete any time soon. And that’s my goal in this article: to show you the techniques that have emerged for managing U-shaped context memory loss that you can use today in your own work.

Five techniques to help with U-shaped context problems

The previous article in this series laid out a pattern for detecting and recovering from context loss, which I called externalize-recognize-rehydrate. The techniques below extend the same discipline to the lost-in-the-middle problem. The principle I keep coming back to is that working memory is untrustworthy, and the discipline that follows from it is to externalize what matters, curate what stays in context, and verify what the agent claims to know against what’s on disk. The five techniques are how I do that in practice, and each one is drawn from a real moment in the Quality Playbook’s development.

Curate, don’t accumulate

This is the technique which, in its most brute-force form, is exactly what Mike talked about in his email to me: just clear the context and reload it with just what matters, periodically and deliberately. In other words, don’t trust an accumulated session to stay coherent; build the artifact, then start fresh against it. And if you have the AI write down the important parts of the context (like we’ve talked about throughout this series), then you can start a new session with refreshed AI that has a more targeted, curated context as a starting point.

I ran into this during the v1.5.2 release prep for the Quality Playbook. I was using a long Claude Code session that had been working through a series of fixes. But I noticed that it was just starting to show its age: It had forgotten a couple of things it should know, and its thinking times were starting to grow.

When it came time to land the final four fixes for the release, I worked with the AI to write a context brief, or a separate document with everything the implementing session needed. The question was whether to keep using the existing session, which already “knew” the codebase from the earlier work, or open a fresh CLI session and point it at the brief. I asked another session what to do:

Should we run that in a new cli session rather than continue my current
claude code session that has the existing context?

The AI gave me a good answer—start a fresh session, using a starting prompt to read the brief—and it gave three reasons that have stuck with me. First, the brief was self-contained, including file paths, line numbers, exact diffs, regression test bodies, and preflight greps. Anything the new session needed to know was already there, and continuing context bought nothing. Second, fresh context is stricter about adherence. A session that already “knows” the codebase tends to skim the new instructions and improvise from prior assumptions. Surgical fixes are exactly the case where you want the agent to read the brief carefully rather than rely on memory of what felt right last round. And third, the audit trail: The brief is the artifact, and the implementing session is reproducible from just the brief. If the same work has to be redone in six months by a different model, you point at the brief and say, “This is the input.”

The approach worked really well. I was able to pick up development seamlessly, and the model’s memory problems disappeared.

Position critical information at the edges

The U-shape says the model attends best to the beginning and end of its context. The natural move is to put your most load-bearing information in those positions and keep the middle for things you don’t need the model to focus on. Anything important that lives only in the middle of an accumulated context tends to slide out of attention.

The other side of this technique is what not to put in the middle. If something matters, don’t bury it in a long preamble of context you’ve been accumulating; move it to the edges, restate it where the model will act on it, and let the middle absorb the less important material. Luckily, there’s a useful technique that can help with this problem.

In Claude Code, for example, one really clean way to put information at the beginning of context is to use the system prompt. The CLI gives you --append-system-prompt for exactly this. (Most of the other providers’ CLI tools have similar options.) If you put your brief (or selected parts of it) there, the agent will attend to it strongly throughout the session, and that in turn will help keep the per-turn user prompt focused on the action you want the agent to take right now.

Short sessions over long ones

Don’t run one long session. Run many short ones, each reading fresh from disk. This will help you iterate on your brief and your external development context, so instead of relying on an opaque context window, you have a visible and constantly changing set of documents that give you a lot more visibility into—and control over—your AI’s context.

Something useful I started doing was taking all my chat history from Gemini, ChatGPT, Claude, and Cowork and putting it into a single folder I could keep updated and indexed for fast search. I built out an entire system to manage this, which turns out to be a great tool when I’m writing articles like this, because I can search through my development history for specific examples and techniques that I’ve used. The system uses Haiku 4.5 to read through chat history, summarize what happened, and create an index. Haiku turned out to be a smart enough model to read each individual interaction in a chat and write a useful index entry for it. But the model being smart enough to do one summary didn’t mean its context management could keep up across all 18,000 records. I ran smack into the U-shape problem.

The first attempt tried to keep dedupe state and progress counts in the model’s head, and it failed spectacularly. The model really didn’t want to keep track of specific deterministic things like accurate numbers or the current state. Haiku 4.5, in particular, seems especially bad at this. What worked was reframing the architecture entirely. Here’s the actual prompt that I gave it to fix the problem:

ok, so we need context management. it doesn't need to remember things,
it just needs to write them down as they go. we had this same context
management problem with Quality Playbook, when it was running out of
context. Just write down after each message.

The protocol I greenlit for the full run made the short-session discipline explicit:

Resume processing from the cursor recorded in progress.json, working through each input file in order.
Update progress.json after every line.
Expect to run out of context well before finishing—that’s fine. Just stop cleanly after each step (or a group of steps), then spin up a fresh session that reads progress.json and continues.
When all files are complete, set status: “complete” in progress.json and report back.

Item 3 is the technique in one line: expect context loss, so make sure you’ve written your state down, and build fresh restarts into the process. The technical details, like spinning up subagents, orchestrating with script, etc., will change, but the core idea stays the same. In a lot of ways, you can think of treating the agent like a pipe, not a database. The state lives on disk, and the session is something you throw away and replace.

Restate key info close to the point of use

When the model needs a constraint to apply right now, repeat it right now. Don’t trust an instruction from earlier in the session to carry forward through the middle of the context.

This is the technique that fixed the problem I opened the article with, where the Quality Playbook seemed to forget everything it had just written into a file called BUGS.md and produced stubs when it needed to write the same information into more detailed files, and instead writing generic blank templates with the bug-specific fields left blank.

The fix was to restate the read-the-source rule right before the action that needed it, using this prompt:

Before writing BUG-NNN.md, re-read the BUG-NNN entry in BUGS.md.
Copy the Spec basis, Minimal reproduction, Location, Expected behavior,
Actual behavior, Regression test name, and Patches fields
from that entry into the writeup. Do not paraphrase from memory.

“Do not paraphrase from memory” is the line that did the actual work. The instruction couldn’t trust the agent’s memory of what BUGS.md said, even though BUGS.md was sitting right there in the context window. So the instruction forced a fresh read of the file at the moment of writing. The restatement and the fresh-read together fixed the bug.

The same pattern applies any time a rule was stated earlier in the session and the model needs to act on it now. Restate the rule next to the action, and force the model back to the source rather than letting it work from memory.

Test the middle

The previous four techniques are about avoiding lost-in-the-middle failures. This one is about catching them. If you don’t know whether the agent is actually using the information you think it’s using, find out, with a deterministic check rather than a judgment call.

The pattern is the one I used in the Haiku summarizer that I described earlier: compare what the agent claims to know against what’s on disk. You have something the agent claims to know (its progress, its current state, the latest version of a rule), and you have something on disk that’s the ground truth (a file, a log, a database record). At the moment the agent’s claim has to be trusted, you check it.

In the summarizer’s resume protocol, every new session started by cross-checking progress.json against the actual last line written to the summary file, and the agent printed a checkpoint report when it did—at session start, and periodically through the run. A representative one looked like this:

Checkpoint Report: ✓ progress.json confirmed: cursor for cowork_04_06 is at 238, status is
"running" ✓ Disk state verified: Last line in summaries/cowork_04_06.md is [237]
assistant: Tool invocation repeating chat file read. ⚠ Discrepancy noted: The prior session left a bulk note claiming records
238–296 are duplicates but didn't write individual lines for them. Per
your instructions, I must write one line per record, even for duplicates,
in the format [idx] <sender>: Duplicate of record [X] (<note>). Status: Cursor matches disk state. Ready to resume from record 238.

The agent doesn’t need to introspect whether it lost context, only to compare two files. When they agree, the agent proceeds; when they disagree, the agent flags the discrepancy and stops before adding any new work on top of a broken state. Disagreement is the signal.

You can build this kind of check into any agent that does multistep work. Pick something the agent has to track, pick the file that’s the source of truth for it, and have the agent compare the two at every session start. When the agent’s view of the world drifts from the file, you find out before the drift becomes a buried bug.

The discipline behind these techniques

When I built the Quality Playbook’s multi-phase architecture, I was solving the compaction problem. Long pipeline runs were filling the context window and triggering silent compaction in the middle of work. Breaking the pipeline into separate phases that read fresh from disk and stopped after each phase fixed it.

What I didn’t realize until later was that the same architecture also helps with the lost-in-the-middle problem. Each phase has its own short, focused context, with the phase brief at the beginning and the latest progress update at the end, so there’s almost no middle for information to fall into. The architectural move that helped with working memory disappearing turns out to also help with working memory being there and unused.

That’s the lesson I want to land. Both failure modes, context loss and lost-in-the-middle, are problems of working-memory unreliability, and the discipline that addresses them is the same: keep the working set small, put the load-bearing information at the edges of the window, and check the agent’s claims against ground truth on disk when it matters.

Context windows will keep getting bigger, and compaction will get smarter. Some of the techniques in these four articles may eventually be unnecessary. But the underlying constraint won’t disappear. After all, we’ve added a lot more RAM to our computers since the 1MB 286 I wrote about in the last article, and memory management has gotten much more complex since then. And many of these problems are structural; for example, it’s increasingly looking like the U-shape itself is a geometric property of the transformer architecture, not a training artifact that more compute will smooth out.

The bottom line is that if your agent’s ability to do its job depends on information, that information needs to live somewhere more durable than working memory. That was true for my dad’s 32 kilobytes of core memory at Princeton in the 1970s, it was true for my 640 kilobytes of conventional RAM on my 286 in the 1980s, it was true for the 200K-token windows in last year’s models, and it will be true for whatever comes next.

11:14

Grrl Power #1472 – Impaleus interruptus [Grrl Power]

Gosh guys, what could suddenly cause Ixah to rush off?

My table at Vicente’s is ready!
I have a roast in the oven!
I left the curling iron on!
I have to go bet more money that I’m about to stab this guy!
My brother just went into labor! (Max doesn’t have a sister, so…)
The warranty on this sword is about to expire!
I could have had a V8! (Yes, I’m old.)
There’s a tiny lizard on the sand behind you! Eek!
Damn! I think I left my ear in the taxi! (See… cause Max is touching where her ear should be, but her disguise covers her ears completely with hair. Ah, yes. Jokes are always better when explained.)

You know, the number of comics I’ve titled “Something something interruptus” is like… well, it’s like 3 or 4 I think. But I guess that still kind of makes it my go to for titling a page when I’m stuck for something more poignant. Then again, a lot of pages do end in some sort of minor cliffhanger. I really wouldn’t even call something like this a cliffhanger. A cliffhanger implies there’s some significant wait before the action resolves. You can end a movie or a TV show or a novel or even an issue of a comic with a cliffhanger. But not on a page within a comic, or, in my opinion, the scene in a TV show right before you cut to commercial. I’m sure there’s a word for that, but I don’t think it qualifies as “cliffhanger,” especially when the season is available on DVD and viewers can watch the episode straight through. I mean, yeah, in this webcomic, there will be a 4 day delay until the next page, but any time after that, someone can just read straight through the archive and this page won’t have a bit of suspense.

Not that it really does, anyway. I think most of you can probably guess what’s going on.

Final version is up, both at TWC and Patreon.

Sexy bodymod news lady Gail has a special one-on-one interview with Tournament Quarter finalist Saraviah Nightwing! And if you subscribe to Gail’s Space Patreon, (which, due to the vagaries of Earth and Gal-Net’s DNS servers, happens to be the same as the Grrl Power Patreon, go figure) you can see that same interview in the nude!

Double res version will be posted over at Patreon. Feel free to contribute as much as you like.

10:49

Irregular Webcomic! #3163 [Irregular Webcomic!]

Irregular Webcomic! #3163

10:42

Pluralistic: Jailbreaking isn't theft (25 Jun 2026) [Pluralistic: Daily links from Cory Doctorow]

->->->->->->->->->->->->->->->->->->->->->->->->->->->->-> Top Sources: None -->

Today's links

Jailbreaking isn't theft: It wasn't progress when they did it, it's not piracy when we do it back to them.
Hey look at this: Delights to delectate.
Object permanence: Major AI breakthrough; Disney v Pooh tombstone; Vancouver riot kiss; Farage admits Brexit lies; Protecting the web from its founders; Sanders x Hillary; Surveillance pricing v your dollars.
Upcoming appearances: Philadelphia, Chicago, London, Edinburgh, Sydney, Melbourne, Brighton, London, South Bend.
Recent appearances: Where I've been.
Latest books: You keep readin' em, I'll keep writin' 'em.
Upcoming books: Like I said, I'll keep writin' 'em.
Colophon: All the rest.

Jailbreaking isn't theft (permalink)

It's not often that someone on a panel says something that makes my jaw drop, but that's what happened earlier this week when the moderator of a panel I was on in Toronto described jailbreaking an iPhone as "rampant theft of IP."

Some context: the panel was in Toronto, and the nominal subject was "digital sovereignty," though all the panelists (except me) interpreted that to mean "sovereign AI." All of their interventions were focused on how Canada could build and operate its own AI, which I found very weird, since there is no AI-related threat to Canadian sovereignty. If Donald Trump ordered OpenAI and Anthropic to turn off all of Canada's chatbots tomorrow, nothing would change: every firm, ministry and household would operate as per normal:

https://pluralistic.net/2026/06/18/their-trillions-our-billions/

Now, that's not to say that Canada doesn't have a digital sovereignty problem – it really does! Donald Trump and US Big Tech have fused into a single entity and Trump now orders US tech giants to terminate the online accounts of foreign officials who displease him. When Microsoft turns off your Office365 account, you lose your working files, your calendar, your address book, your email archives, and the Outlook email address you use to log in to every online service:

https://pluralistic.net/2026/04/01/minilateralism/#own-goal

So while turning off Canada's chatbots would not inflict any real harm on Canada, M365 terminations could paralyse any federal or provincial ministry, any structurally important firm, and most Canadian households.

The threat doesn't stop there: Trump can also order Apple and Google to brick any of Canada's iPhones or Android devices – terminating individual officials' mobile access, or terminating whole provinces. It's not just iPhones either – Trump can also brick any tractor in Canada:

https://pluralistic.net/2022/05/08/about-those-kill-switched-ukrainian-tractors/

This is the real digital sovereignty risk, and Canada needs to address it now. But Canada can't – our hands are tied…by us. In 2012, we passed a law, The Copyright Modernization Act, that criminalizes "jailbreaking," meaning that Canadian companies can't go into business figuring out how to install different app stores on phones and consoles, or change the firmware in tractors to enable independent repair, or reliably export their cloud data to rival Canadian services:

https://pluralistic.net/2025/05/26/babyish-radical-extremists/#cancon

Why did we pass this law? Because the Americans promised us free trade and no tariffs on our exports if we agreed to it. That's a promise Trump tore up, but we're still holding up our end of the bargain. That's crazy. It means that American companies can use Canada's courts to destroy Canadian businesses that offer the Canadian people tools to help them escape Big Tech's sleazy ripoffs of their data and cash.

And boy do those US tech companies take in a lot of cash. The US ad-tech duopoly of Google/Meta rig the advertising market, taking 51% out of every ad dollar through an illegal, collusive arrangement called "Jedi Blue":

https://en.wikipedia.org/wiki/Jedi_Blue

The US mobile tech duopoly takes 30 cents out of every dollar spent via an app, by forcing every app vendor to use their payment processors, which charge 1,000% more than any other payment processor in Canada. That means that every time a subscriber to a Canadian news site signs up through an app, 30% of the lifetime subscription revenue for that Canadian subscriber is funneled to one of two California companies.

The corollary, of course, is that if Canadian businesses were free to compete with US companies – if Canada stopped foolishly holding up its end of the bargain that Trump has dishonoured – then it would be as though every Canadian news outlet increased its subscriber base by 25% overnight! What's more, the Canadian companies that sell those jailbreaking tools would make billions out of US Big Tech's billions.

And that's where the moderator of this week's panel comes in. When I finished making this pitch, they turned to the rest of the panel and said something like, "Well, apart from rampant theft of IP, what else could Canada do to secure its digital sovereignty?"

That's when my jaw dropped. Making it possible for, say, a Canadian company to sell its own Canadian game to a Canadian customer, in Canada, without giving Apple or Xbox 30% of the purchase price, is not "theft of IP." It's not "theft of IP" for a rightsholder to sell their own products to their customers. It's not "theft of IP" for a Canadian owner of a device to decide for themselves which software they want to run on it. If buying software from the company that made it and installing it on a device you own is "theft of IP," then so is putting non-Nike shoelaces in your Air Jordans.

It's not "theft of IP." It's just good business. Moreover, it's the kind of good business that created America's tech giants in the first place. As Jeff Bezos tells his suppliers: "Your margin is my opportunity." US tech giants make whopping margins around the world, thanks to the anticircumvention laws that the US Trade Rep crammed down every US trading partner's throats, laws that allow US companies to use other countries' legal system to destroy their competitors.

I've been mulling this "rampant theft of IP" remark for a couple of days now, but it wasn't until a reader wrote to me to remind me about Apple's origin story that I realised what the punchline is. Apple founders Steve Jobs and Steve Wozniak financed their first product launch by selling "Blue Boxes" (devices that let you make free long distance calls by cheating the phone company) door to door in the UC Berkeley dorms:

https://macdailynews.com/2024/06/19/steve-jobs-felt-certain-apple-would-never-have-existed-without-woz-and-him-making-blue-boxes/

Now, I'm not going to weep for the lost revenues that Jobs and Woz denied to AT&T. After all, AT&T was stealing that money from its customers, which is why, just a few years later, a federal court convicted AT&T of monopolistic practices and broke the company up:

https://en.wikipedia.org/wiki/Breakup_of_the_Bell_System

But the legal term for what a Blue Box does is "toll theft," which is to say, Apple – a company literally founded on theft – now makes the majority of its profits by convincing people that making a competing product is literally stealing. A company whose founders got their seed capital by marketing illegal circumvention devices now markets products designed to make it a crime for a rightsholder to sell their own work to you.

I've long said that "every pirate wants to be an admiral":

https://pluralistic.net/2025/03/04/object-permanence/#picks-and-shovels

But this is just a little too on the nose. When Apple went into business selling products to rip off the phone company, that wasn't progress. When Canadians go into business selling devices that let iPhone owners use their own property to do legal things – like buying copyrighted works directly from their creators – that is not piracy.

Canada has a real digital sovereignty problem, and it's not AI. Canada will not mitigate its digital sovereignty risk by successfully launching a Made in Canada version of the money-losingest venture in the history of the human species:

https://www.wheresyoured.at/brokenomics/

Canada's real digital sovereignty problem is its reliance on the apps, cloud services and devices that are tethered to the American cloud, access to which Donald Trump could – and does – terminate whenever he feels grumpy. Trump has repeatedly threatened to annex Canada and turn us into "the 51st state." He's trying to steal Alberta right now. Our digital sovereignty risk is the risk of Trump paralysing our country in order to steal Alberta – or the entire shop.

We can address that digital sovereignty risk – and make billions at the same time – by legalising jailbreaking and becoming the world's "disenshittification nation." Unlike a program to build Canadian AI, this will make billions, not lose them – and unlike Canadian AI, this will make our country more resilient and safer, by delivering products that Canadians – and the world – want to buy and will pay us a fortune for.

Big Tech's margins are our opportunity.

(Image: Matthew Yohe, CC BY-SA 3.0; SABYST, CC BY-SA 4.0, modified)

Hey look at this (permalink)

How to Passive-Aggressively Shame People Who Use LLMs Selfishly https://joshmoody.org/blog/selfish-ai/
We have a union https://unitedwizardsofthecoast.com/news/2026-06-23-we-have-a-union
Nearly Half of LG Smart TV Apps Are Laced with Proxies https://spur.us/blog/smart-tv-apps-residential-proxy-sdks
The Right — and Wrong — Way to Criticize AI https://jacobin.com/2026/06/ai-bubble-layoffs-workers-copyright
How to burst the AI bubble: Strike at its roots https://arstechnica.com/gadgets/2026/06/how-to-burst-the-ai-bubble-strike-at-its-roots/

Object permanence (permalink)

#25yrsago Major AI breakthrough is imminent https://web.archive.org/web/20010625114014/https://www.latimes.com/business/cutting/lat_cyc010621.htm

#25yrsago Webcomic reply to Scott McCloud on microtransactions https://web.archive.org/web/20010708225439/https://www.penny-arcade.com/view.php3?date=2001-06-22&res=l

#25yrsago School censorware blocks LBGTQ sites https://web.archive.org/web/20010803114449/https://www.salon.com/tech/feature/2001/06/14/net_filtering/print.html

#25yrsago SCOTUS backs freelance writers https://edition.cnn.com/2001/LAW/06/25/scotus.copyright/index.html

#20yrsago Canadian Gov’t Pays Copyright Lobby to Lobby https://web.archive.org/web/20060720230403/http://www.thestar.com/NASApp/cs/ContentServer?pagename=thestar/Layout/Article_Type1&c=Article&cid=1151273413030&call_pageid=971794782442&col=971886476975

#20yrsago How can we keep the Bells from committing net-neutricide? https://web.archive.org/web/20060714044219/http://informationweek.com/news/showArticle.jhtml?articleID=189600971

#20yrsago Disney: We [will|won’t] sue if you put Pooh on a baby’s headstone https://web.archive.org/web/20060711194928/http://www.upi.com/NewsTrack/view.php?StoryID=20060623-093710-8391r

#15yrsago Comic Book Legal Defense Fund backs traveller arrested at Canadian border for “pornographic” manga on his hard drive https://cbldf.org/2011/06/cbldf-forms-coalition-to-defend-american-comics-reader-facing-criminal-charges-in-canada/

#15yrsago Rochester police use selective enforcement of parking laws to harass attendees at a meeting in support of Emily Good https://rochester.indymedia.org/node/7516

#15yrsago What happened before the Vancouver riot kiss https://www.youtube.com/watch?v=8mtURc7mkUg

#15yrsago Mexican Congress votes to reject ACTA https://www.techdirt.com/2011/06/22/mexican-congress-says-no-to-acta/

#15yrsago “Hot News” doctrine gets a body-blow https://www.eff.org/deeplinks/2011/06/hot-news-doctrine-surviving-life-support

#15yrsago Solar-powered 3D sand-printer https://web.archive.org/web/20110627035221/https://www.thisiscolossal.com/2011/06/markus-kayser-builds-a-solar-powered-3d-printer-that-prints-glass-from-sand-and-a-sun-powered-laser-cutter/

#10yrsago Australian educational contractor warns of wifi, vaccination danger to “gifted” kids’ “extra neurological connections” https://web.archive.org/web/20180211151730/https://www.theage.com.au/national/victoria/antivaccination-program-offered-to-gifted-children-in-primary-schools-20160621-gpnzzp.html#ixzz4CYBYf4Bl#ixzz4CYBYf4Bl

#10yrsago US Customs and Border Protection wants to ask for your “online presence” at the border https://www.theverge.com/2016/6/24/12026364/us-customs-border-patrol-online-account-twitter-facebook-instagram?utm_campaign=theverge&utm_content=chorus&utm_medium=social&utm_source=twitter

#10yrsago Stasi radio monitoring department, hard at work, 1980s https://web.archive.org/web/20160625190241/https://visualhistory.livejournal.com/1039990.html

#10yrsago Apps help women bypass states’ barriers to contraception https://www.nytimes.com/2016/06/20/health/birth-control-options-websites.html

#10yrsago The blacker a city is, the more it fines its residents (especially black ones) https://priceonomics.com/the-fining-of-black-america/

#10yrsago The demographics of Brexit https://web.archive.org/web/20160626130820/http://www.perc.org.uk/project_posts/thoughts-on-the-sociology-of-brexit/

#10yrsago The morning after the Brexit vote, Nigel Farage admits money for the NHS was a lie https://memex.craphound.com/2016/06/24/the-morning-after-the-brexit-vote-nigel-farage-admits-money-for-the-nhs-was-a-lie/

#10yrsago How to protect the future web from its founders’ own frailty https://memex.craphound.com/2016/06/24/how-to-protect-the-future-web-from-its-founders-own-frailty/

#10yrsago More than 30 people burned during Tony Robbins “motivational” firewalk https://web.archive.org/web/20160627054938/https://bigstory.ap.org/c7872f6db09e4656a612ee13aab74d50

#10yrsago Google’s version of the W3C’s video DRM has been cracked https://www.youtube.com/watch?v=5CkWjOvpZJw

#10yrsago Undercover reporter spent four months as a prison guard in a Louisiana pen run by CCA https://www.motherjones.com/politics/2016/06/cca-private-prisons-corrections-corporation-inmates-investigation-bauer/

#10yrsago Sanders will vote Hillary https://www.nbcnews.com/politics/2016-election/bernie-sanders-says-he-will-vote-hillary-clinton-n598251

#10yrsago Brexit: a timeline of the coming slow-motion car-crash http://www.antipope.org/charlie/blog-static/2016/06/tomorrow-belongs-to-me.html

#5yrsago The pandemic showed remote proctoring to be worse than useless https://pluralistic.net/2021/06/24/proctor-ology/#miseducation

#1yrago Surveillance pricing lets corporations decide what your dollar is worth https://pluralistic.net/2025/06/24/price-discrimination/

#1yrago What's a "public internet?" https://pluralistic.net/2025/06/25/eurostack/#viktor-orbans-isp

Upcoming appearances (permalink)

Philadelphia: The Reverse Centaur's Guide to Life After AI with David Williams (Fitler Club/Philadelphia Citizen), Jun 25
https://www.eventbrite.com/e/cory-doctorow-book-event-tickets-1990110326559
Chicago: The Reverse Centaur's Guide to Life After AI with Rick Perlstein (Exile in Bookville), Jun 26
https://exileinbookville.com/events/50628
London: Idler Festival, Jul 11
https://www.idler.co.uk/festival/
Edinburgh International Book Festival with Jimmy Wales, Aug 17
https://www.edbookfest.co.uk/events/the-front-list-cory-doctorow-and-jimmy-wales
Sydney: The Festival of Dangerous Ideas, Aug 23-24
https://festivalofdangerousideas.com/cory-doctorow/
Melbourne: Enshittification at the Wheeler Centre, Aug 25
https://www.wheelercentre.com/events-tickets/season-2026/cory-doctorow-enshittification
Brighton: The Reverse Centaur's Guide to Life After AI with Carole Cadwalladr (Brighton Dome), Sep 8
https://brightondome.org/whats-on/LSC-cory-doctorow-the-reverse-centaurs-guide-to-life-after-ai/
London: The Reverse Centaur's Guide to Life After AI with Riley Quinn (Foyle's Picadilly), Sep 9
https://www.foyles.co.uk/events/enshittification-cory-doctorow-riley-quinn
South Bend: An Evening With Cory Doctorow (Notre Dame), Oct 6
https://franco.nd.edu/events/2026/10/06/an-evening-with-cory-doctorow/

Recent appearances (permalink)

How to Mess with Big Tech Oligarchs (Fighting Fascism)
https://podcasts.apple.com/us/podcast/how-to-mess-with-big-tech-oligarchs-w-cory-doctorow/id1888647397?i=1000773711479
Reverse Centaur with Angie Coiro (Kepler's Books)
https://www.youtube.com/live/cWN6XBa73xA
How to Think About AI Before It’s Too Late (Galaxy Brain)
https://www.youtube.com/watch?v=SPQNPJ0CEPo
The future of world governance, with Kim Stanley Robinson (UN Independent Expert on International Order)
https://www.youtube.com/live/wJvBvYdaAMY
How to Think About Artificial Intelligence (KUER)
https://radiowest.kuer.org/show/radiowest/2026-06-16/cory-doctorow-on-how-to-think-about-artificial-intelligence

Latest books (permalink)

"Canny Valley": A limited edition collection of the collages I create for Pluralistic, self-published, September 2025 https://pluralistic.net/2025/09/04/illustrious/#chairman-bruce
"Enshittification: Why Everything Suddenly Got Worse and What to Do About It," Farrar, Straus, Giroux, October 7 2025
https://us.macmillan.com/books/9780374619329/enshittification/
"Picks and Shovels": a sequel to "Red Team Blues," about the heroic era of the PC, Tor Books (US), Head of Zeus (UK), February 2025 (https://us.macmillan.com/books/9781250865908/picksandshovels).
"The Bezzle": a sequel to "Red Team Blues," about prison-tech and other grifts, Tor Books (US), Head of Zeus (UK), February 2024 (thebezzle.org).
"The Lost Cause:" a solarpunk novel of hope in the climate emergency, Tor Books (US), Head of Zeus (UK), November 2023 (http://lost-cause.org).
"The Internet Con": A nonfiction book about interoperability and Big Tech (Verso) September 2023 (http://seizethemeansofcomputation.org). Signed copies at Book Soup (https://www.booksoup.com/book/9781804291245).
"Red Team Blues": "A grabby, compulsive thriller that will leave you knowing more about how the world works than you did before." Tor Books http://redteamblues.com.
"Chokepoint Capitalism: How to Beat Big Tech, Tame Big Content, and Get Artists Paid, with Rebecca Giblin", on how to unrig the markets for creative labor, Beacon Press/Scribe 2022 https://chokepointcapitalism.com

Upcoming books (permalink)

"The Reverse-Centaur's Guide to AI," a short book about being a better AI critic, Farrar, Straus and Giroux, June 2026 (https://us.macmillan.com/books/9780374621568/thereversecentaursguidetolifeafterai/)
"Enshittification, Why Everything Suddenly Got Worse and What to Do About It" (the graphic novel), Firstsecond, 2026
"The Post-American Internet," a geopolitical sequel of sorts to Enshittification, Farrar, Straus and Giroux, 2027
"Unauthorized Bread": a middle-grades graphic novel adapted from my novella about refugees, toasters and DRM, FirstSecond, April 20, 2027
"The Memex Method," Farrar, Straus, Giroux, 2027

Colophon (permalink)

Today's top sources:

Currently writing: "The Post-American Internet," a sequel to "Enshittification," about the better world the rest of us get to have now that Trump has torched America. Fourth draft completed. Submitted to editor.

"The Reverse Centaur's Guide to AI," a short book for Farrar, Straus and Giroux about being an effective AI critic. LEGAL REVIEW AND COPYEDIT COMPLETE.
"The Post-American Internet," a short book about internet policy in the age of Trumpism. PLANNING.
A Little Brother short story about DIY insulin PLANNING

This work – excluding any serialized fiction – is licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net.

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.

How to get Pluralistic:

Blog (no ads, tracking, or data-collection):

Newsletter (no ads, tracking, or data-collection):

Mastodon (no ads, tracking, or data-collection):

Bluesky (no ads, possible tracking and data-collection):

Medium (no ads, paywalled):

https://mostlysignssomeportents.tumblr.com/tagged/pluralistic

Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):

"When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla

READ CAREFULLY: By reading this, you agree, on behalf of your employer, to release me from all obligations and waivers arising from any and all NON-NEGOTIATED agreements, licenses, terms-of-service, shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure, non-compete and acceptable use policies ("BOGUS AGREEMENTS") that I have entered into with your employer, its partners, licensors, agents and assigns, in perpetuity, without prejudice to my ongoing rights and privileges. You further represent that you have the authority to release me from any BOGUS AGREEMENTS on behalf of your employer.

ISSN: 3066-764X

10:28

Standby –> Intervention [Seth's Blog]

Look around the room you’re in. There are dozens of electrically powered devices, each waiting for you to request their assistance. A toaster, six lights, an oven, the ice maker, stereo, TV, microwave… It’s a very long list. Silent and ubiquitous.

Of course, electricity didn’t start this way. Using a washing machine to do your laundry required unscrewing a lightbulb and then screwing in the Edison mount cord.

When the web arrived, we treated it as one more appliance, an electronic library. When you wanted something, you went to your browser (the name gives it away) and found what you needed. A billion web pages, all on standby, waiting for your arrival.

AI presents itself to us in this way, at least for now. When you have something you need, the chatbot’s ready, the LLMs are built, and the data center is powered up, all waiting for you to ask.

This is changing. Right here and right now. It’s not something we’re expecting or ready for, but it’s an inevitable consequence of our reliance on tech and the detailed cocoon of data we’re weaving.

The systems will notice and intervene before we ask them to. In matters large and small. This will be unsettling until it’s not only normal, but something we depend on.

If you had experts in health, productivity, leadership, efficiency and community action following you around all day, speaking up when it would be helpful, offering tools and insight when you needed them, often before you knew you needed them, what would your day be like?

It won’t always be delightful, and we don’t get much of a say in whether it happens, but that’s the path we’re on.

Two opportunities, then:

Be intentional about which interventions will help you get to where you hope to go, and put them in place early.
Be aware of which interventions the systems are pushing on you that don’t help you with your goals. Draw a line and don’t get lulled by convenience or social pressure.

We’re headed to a divide between amplifying agency and becoming a cog. Where do you want to go?

07:42

The KIDS Act Would Require Age Checks To Get Online [Deeplinks]

Within the next week, Congress is preparing to vote on the KIDS Act, a sprawling package of legislation that seeks to control Americans’ web browsing and private messaging. The package includes a revised version of the Kids Online Safety Act, or KOSA, combined with a collection of other internet bills, study bills, reporting requirements, and new regulations. Instead of debating any of these proposals on their merits, lawmakers are attempting to move them all at once under an ultra-expedited process.

The package of cobbled-together bills is a mess, with different age-gating schemes for different services, using different standards. It’s a lot of complexity, and a lot of legal risk. Faced with that, many companies will conclude that the safest option is restrictive age-checking practices across their entire platforms.

Buried inside the KIDS Act are provisions that will push online services to verify all users’ ages, require government-directed moderation policies for online speech, and even create new rules about private and encrypted communications. While supporters continue to claim this bill protects minors online, its requirements come at the expense of privacy, free expression, and the ability of people of all ages to use the internet without revealing sensitive data.

Take action

Tell Congress to reject this age-gating bill

The KIDS Act Pressures Platforms to Check Everyone's Age

Supporters of KOSA have said the bill doesn’t require age verification. And technically, the KOSA section of the bill does say that KOSA shouldn’t be read to require age verification.

But if you read the rest of the bill, that disclaimer starts to look hollow.

Throughout the KOSA section of the legislation, special protections, controls, messaging settings, and parental tools are required whenever a website or app “knows or should have known” a user is a child (defined in the bill as anyone under 13) or a teen (defined as anyone between 13 and 16 years old).

The problem is a website operator doesn’t need actual knowledge that a user is a minor to get in legal trouble. It applies when a platform “knows or should have known” a user’s age—a low, negligence-style standard of knowledge. If an online service gets it wrong, it’s going to be up to courts and regulators to decide, after the fact, if an online service “should” have known a user was 16.

To try to avoid liability, services will have to determine which users are teenagers and which are not. Most won’t be able to simply trust their users. They’ll have to collect more information about age, before any lawsuit or government action arises. Some companies may respond by requesting driver's licenses or passports. Others will rely on age-estimation systems that attempt to guess users' ages by looking at existing activity or doing facial scans. Existing estimation systems make mistakes when estimating children’s ages correctly, which is a big problem when that is the population KOSA is trying to protect. And the systems fail more frequently for people of color, people with disabilities, and trans and nonbinary people.

The bill’s authors seem to know this is a problem. On the one hand, the new KOSA section says age verification is not required. On the other, it repeatedly imposes obligations that depend on knowing whether a user is under 17. But a disclaimer doesn’t magically eliminate legal risk, especially for smaller services and startups that can’t afford to defend lawsuits or fight regulators.

Take action

The "KIDS Act" Is an Age Surveillance Bill

KOSA is not the only part of this package that creates age-verification pressure. The SAFE BOTS Act, like KOSA, goes back to the standard that if a service “knows or should have known” that a user is a minor it can’t offer certain chatbot features.

The SCREEN Act requires services that host sexually explicit content to determine whether users are “more likely than not” under the relevant age limit, before allowing access to certain content.

The consequences of this liability will not be limited to minors. If websites and apps are expected to reliably identify teenagers, adults will be asked to prove they are adults. The result is a less private internet for everyone.

The KIDS Act Pressures Platforms To Police Lawful Speech

The new version of KOSA removes the bill’s infamous "duty of care" provision, a significant change. The revised KOSA requires covered platforms to "establish, implement, maintain, and enforce" policies and procedures addressing several categories of content and conduct.

Some categories, such as true threats and sexual exploitation, involve unlawful activity. Others are much broader. The bill specifically requires policies addressing the "sale or use" of narcotic drugs, tobacco products, cannabis products, gambling, and alcohol. It also restricts discussions around financial fraud.

Sounds straightforward enough. Then you remember how people actually talk—online and off. Can teens discuss addiction and recovery? Can a 15-year-old post that she’s worried she has a friend who is drinking too much? Can they seek advice about a parent’s gambling problem, or get help if they or a family member have been scammed? Can they participate in harm-reduction communities or discuss substance abuse treatment? All of these young people would be engaging in lawful speech when discussing topics covered by KOSA’s enumerated harms.

The bill does not directly ban those conversations. But it places platforms under huge pressure to create and enforce moderation policies around broad categories of lawful speech. Faced with legal risk, many services will inevitably choose to remove that speech or restrict those discussions to spaces where they know only adults can participate. We’ve seen this movie before. When legal risk goes up, platforms will take down more speech.

The KIDS Act Regulates Private Messages, Too

Several provisions of the bill create new rules around direct messages, disappearing or “ephemeral” messages, and AI chat services.

The bill includes language stating that certain KOSA requirements should not be construed to override strong encryption. But the protection is incomplete. The carve-out applies to certain features and messaging controls, but doesn’t apply to KOSA’s separate requirement that platforms "address" a list of harms to minors.

The KIDS Act never answers an obvious question: how exactly is a platform supposed to address those activities if they’re inside encrypted communications that it can’t read? That will create pressure for providers to weaken private communications or limit features on encrypted private services.

That approach is especially troubling when it comes to ephemeral messaging. Disappearing messages are not a “loophole” or a dangerous design trick. They are a useful privacy feature that allows online conversations to function more like ordinary real-world conversations, which are not preserved forever in a permanent database.

Like many other parts of the KIDS Act, these private messaging provisions also depend on websites and apps knowing who is a minor and who is not. The result is more age checks, more restrictions, and less privacy online.

Take action

Tell congress: no online age checkpoints

06:21

UK promise to abolish "zero-hours contracts" [Richard Stallman's Political Notes]

The UK government has promised to abolish the system of "zero-hours contracts", in which a worker must be ready to work on short notice and cannot plan per life in advance based on the work schedule. Naturally, businesses claim that reducing their "flexibility" will make everyone suffer.

Of course, business lobbyists want the government to neglect all the harm that this imposed "flexibility" tends to do to the worker. Of course, they presume that business's profits outweigh all other factors, and they argue for this based on the absurd "trickle down" model of economics — often veiled so that it might seem more plausible.

The "trickle down" model trains citizens and politicians to truckle to business. We can call the result a "truckle down" economy.

Businesses that want to benefit from "flexibility" about a worker's hours should be required to pay the worker for that flexibility, each time.

Here's an example of how that might work. Canceling all or part of an agreed shift, less than a week before, would legally require paying the worker 1/4 of the normal pay rate for the cancelled hours, as well as arranging additional working hours for per as a replacement so that per total hours are not decreased.

I do not claim that those specific details are optimal. The details can be adjusted — the point is to illustrate the general idea.

UK thugs acting as if Palestine Action were terrorist organization [Richard Stallman's Political Notes]

Thugs in the UK acted as if they believed Palestine Action were really a terrorist organization: harassing one supporter and then trying to pressure him into being a spy in the group.

Palestine Action is a political campaigning group, not a terrorist group; but once a government endorses a false accusation, the normal operation of its laws and procedures will turn into harassment and worse.

CBS News veterans urge upholding editorial independence [Richard Stallman's Political Notes]

*CBS News veterans urge Paramount CEO to "uphold editorial independence" at 60 Minutes.*

This approach is worth trying — there is little else we can try to protect the main US news media from becoming even more subjugated by big business.

The Paramount billionaire owners of CBS are firing reporters who won't be subservient. Some decided to go down fighting.

Minnesota Republican Convention honored Derek Chauvin [Richard Stallman's Political Notes]

The Minnesota Republican Convention publicly honored the ex-cop Derek Chauvin who is in prison for the murder of George Floyd.

That murder touched off Black Lives Matter protests across the US.

Senator Ellison condemned this, but based seems to have based that on its hurtfulness to specific persons. That is true, but it is a side issue. Indeed, the Republicans' gesture was hurtful, but it was far worse than that!

Their act of Chauvinism can only be understood as glorification of murder and promotion of racism. They deserve to be excoriated -- and every politician who participated ought to be confronted with this during the election campaign. "Representative So-and-So, do you endorse the murder of George Floyd? If so, was it because he was black, or because he was helpless, or because the murderer was a uniformed thug?"

The article linked to at the beginning displays symbolic bigotry by capitalizing "black" but not "white". (To avoid endorsing bigotry, capitalize both words or neither one.) I denounce bigotry, and normally I will not link to articles that practice it. But I make exceptions for some articles, such as that one, because they are morally important and I don't want to let the racists they rebuke off the hook.

I will not give the gross bigotry of racism a pass on account of smaller bigotries of anti-racism. Instead I reproach them both.

China suborning treachery in Britain [Richard Stallman's Political Notes]

China is suborning treachery in Britain among Chinese-English interpreters that handle calls to government agencies from visitors from China, especially if they are talking about Chinese repression.

China puts a lot of effort into repression of Chinese visiting other countries or finding refuge in them.

Some US cities imposing curfews [Richard Stallman's Political Notes]

Some US cities are imposing curfews on minors. Baltimore is avoiding heavy-handed policing when they are teenagers, but in the case of actual children, it looks like this might lead to punishing parents who don't control the children all the time (or have to work at night).

Laws passed to protect freed slaves [Richard Stallman's Political Notes]

After the US civil war, Congress passed laws to protect the rights of freed slaves. The Supreme Court, mainly right-wing, erased them.

That is similar to what is happening now.

Forced marriage, rape and murder not unusual in Iraq [Richard Stallman's Political Notes]

To experience forced marriage, rape, and murder is not unusual for girls in Iraq.

I wonder whether these things happened when Saddam Hussein was in charge.

States suing against stopping offshore wind farms [Richard Stallman's Political Notes]

The wrecker's henchmen made a deal to pay a billion dollars of taxpayers' money to Total Energies to avoid finishing two mostly completed offshore wind farms. Six states are suing to cancel this deal.

The deal illustrates the perversity of the wrecker's support for fossil fuel, because it provides no possible benefit to anyone except fossil fuel companies. (Total is primarily a fossil fuel company itself.)

California Democratic primary [Richard Stallman's Political Notes]

The California Democratic primary for governor pits Tom Steyer, a progressive billionaire, against Xavier Becerra, a corporate Democrat supported by non-progressive billionaires.

05:42

Tell Congress: Don’t Force Age Checks Online [EFF Action Center]

While supporters insist the bill does not require age verification and have included language saying so, multiple parts of the package impose obligations that depend on websites taking steps to know who is under 18 years old. Most companies are likely to respond to this legal risk by collecting much more personal information from users, like drivers’ licenses or passports. Others will rely on age-estimation systems that guess users' ages based on user activity or facial scans and inevitably make mistakes. Either way, users lose.

The bill also pressures online services to create and enforce content moderation policies for broad categories of lawful speech, and creates new risks for encrypted and private communications. Instead of encouraging privacy and security online, Congress is pushing websites toward more monitoring, more restrictions, and more age gates.

For internet users of all ages, the KIDS Act threatens our privacy and freedom online. It’s a step towards an internet where we’re forced to prove our age before we read, post, or communicate online.

We need your help now—tell Congress to reject it today.

Baryon Asymmetry [xkcd.com]

02:35

[$] LWN.net Weekly Edition for June 25, 2026 [LWN.net]

Inside this week's LWN.net Weekly Edition:

Front: Free-threaded Python; AUR attacks; Fedora 2FA; 7.2 merge window; BPF arenas; BPF coroutines; BPF JIT; RMR and BRMR; OSPM.
Briefs: Tor deprecations; GIMP 0.54.1 flatpak; Mastodon 4.6; Systemd v261; Xfce on Wayland; Quotes; ...
Announcements: Newsletters, conferences, security updates, patches, and more.

Wednesday, 24 June

22:28

Chronocaust [Penny Arcade]

Gabe is losing his shit over Adventures of Elliot, which was not a sure thing, because there are two versions of the demo and only one of them lets you continue from where you left off in the retail version. I'll leave it to you to guess which one he had, and the theft of several hours would ordinarily be a dealbreaker but it charmed the pants off him. Technically his pants sublimated, moving directly to a gaseous form without first passing through a liquid state.

22:14

A Look Into our 2025 Featured Charity Partnerships [Humble Bundle Blog]

We’re thrilled to unveil our new Social Impact Snapshot for 2025! This dynamic look back showcases the incredible, real-world impact made possible by our Humble Choice community. Every single month, 5% of Choice subscriptions go directly to a featured charity, and the results are nothing short of inspiring. From planting over 30,000 trees with OneTreePlanted and funding vital scholarships with the UNCF, to providing over …

The post A Look Into our 2025 Featured Charity Partnerships appeared first on Humble Bundle Blog.

18:49

Girl Genius for Wednesday, June 24, 2026 [Girl Genius]

The Girl Genius comic for Wednesday, June 24, 2026 has been posted.

18:21

[$] Fedora: 2FA, or not 2FA, that is the question [LWN.net]

Compromised accounts are one of the most common ways that attackers can sneak malware into the open-source supply chain. One way to reduce account compromise is for projects to require two-factor authentication (2FA) or multi-factor authentication (MFA), but that is easier said than done. However, Fedora is currently discussing putting 2FA requirements in place soon, following an an alleged account compromise that led to an AI agent causing a number of problems for the project. After some discussion, Fedora will begin by requiring packagers in the "provenpackager" group to enable 2FA within the next three months or so.

[$] A helper library for BPF arenas [LWN.net]

BPF arenas are areas of memory (potentially shared with user space) where programs have free reign to build their own data structures, unburdened by the verifier's bounds checks. Many of those data structures are potentially usable in multiple programs. Emil Tsalapatis brought his work on libarena, a library containing generic utilities for use in BPF arenas, to the 2026 Linux Storage, Filesystem, Memory-Management, and BPF Summit. Although the library is already available as part of the kernel, it is still in its early stages and he has more work planned.

18:07

Urgent: Cancel increase in funding of coal mining [Richard Stallman's Political Notes]

US citizens: call the Dept of Energy to cancel its plan to fund an increase in coal mining.

See the instructions for how to sign this letter campaign without running any nonfree JavaScript code--not trivial, but not hard.

Urgent: oppose and filibuster CLARITY Act [Richard Stallman's Political Notes]

US citizens: call on your senators to oppose and filibuster the CLARITY Act.

See the instructions for how to sign this letter campaign without running any nonfree JavaScript code--not trivial, but not hard.

US citizens: Join with this campaign to address this issue.

To phone your congresscritter about this, the main switchboard is +1-202-224-3121.

Please spread the word.

Urgent: Block corrupter's exploitative deal with IRS [Richard Stallman's Political Notes]

US citizens: call on your congresscritter and senators to block the corrupter's exploitative deal with the IRS.

See the instructions for how to sign this letter campaign without running any nonfree JavaScript code--not trivial, but not hard.

US citizens: Join with this campaign to address this issue.

To phone your congresscritter about this, the main switchboard is +1-202-224-3121.

Please spread the word.

Urgent: Block cheater's medical debt trap [Richard Stallman's Political Notes]

US citizens: call on Congress to block the cheater's medical debt trap.

See the instructions for how to sign this letter campaign without running any nonfree JavaScript code--not trivial, but not hard.

US citizens: Join with this campaign to address this issue.

To phone your congresscritter about this, the main switchboard is +1-202-224-3121.

Please spread the word.

Garbage incinerators spread PFAs [Richard Stallman's Political Notes]

Garbage incinerators don't burn PFAs, they spread them into the environment.

Superstitious ideological rejection of medicine [Richard Stallman's Political Notes]

US Republicans tend to shorten their life spans, and their spans of healthy life, through superstitious ideological rejection of medicine.

Democrats experience the same flawed medical system but they accept the good it can do for them, while demanding rational improvement.

Cops in Texas schools [Richard Stallman's Political Notes]

People in Texas believe that safety in schools depends on having lots of cops around, but what actual cops actually do in schools is brutalize students.

Putting cops in schools was observed many years ago to result in suffering for students.

Demands for list of people watching protest videos [Richard Stallman's Political Notes]

Employees of the Injustice Department asked for search warrants to demand the lists of people who watched political protest videos. When the judge refused, they argued he should conceal the fact that they had asked for the warrants. The judge denied that too.

Deporting people to places too dangerous to visit [Richard Stallman's Political Notes]

The US since January 2025 has *deported 21,000 [people] to places US calls too dangerous to visit.*

Food shortage caused by extreme weather [Richard Stallman's Political Notes]

Britain is headed for a food shortage caused by extreme weather, which itself is caused by global heating. That implies such shortages are likely to get worse and worse.

Global heating threatens national security [Richard Stallman's Political Notes]

Global heating effects now threaten national security.

State voters establishing abortion rights [Richard Stallman's Political Notes]

When state voters vote to establish abortion rights, right-wing extremists in the state legislature go to extreme lengths to set that decision at naught.

Underestimated carbon emissions of data centers [Richard Stallman's Political Notes]

*Officials hugely underestimated impact of [supposed intelligence] datacentres on UK carbon emissions.*

The new estimate, over the next ten years, is around 80 times as much, and equivalent to around 3 million people.

Age of "Cerne Giant" chalk drawing [Richard Stallman's Political Notes]

Discussion of the age of the "Cerne Giant" chalk drawing in England need to recognize that the figure gets redrawn every 10 years or so. Thus, the object people actually see is not old.

Lawsuit by corrupter against federal government re-opened [Richard Stallman's Political Notes]

A judge reopened the lawsuit by the corrupter against the federal government, which he had ordered federal employees to settle in his favor, to have the possibility to reject the settlement.

17:42

Microspeak elaborated: Isn’t escrow just a release candidate by another name? [The Old New Thing]

I had earlier introduced the Microspeak term escrow to refer to the declaration that a particular build of the product is going to be the one that ships to customers if it meets certain quality and reliability targets.

Some people wondered, “Isn’t that just a release candidate? Why do you Microsoft people have to make up new names for things that already have perfectly good names?”

Yes, the Microspeak term escrow corresponds to what most people call a release candidate, but we don’t call it a release candidate because that name is used for some other purpose.

I wrote about this quite some time ago, but it was for the now-defunct TechNet Magazine, not for the blog, which means that it doesn’t show up in a blog search.

Here’s the final draft of that column. Now that I’ve put it on the blog, people can find it more easily.

Back in the old days of Windows, prerelease versions of the product followed a fairly standard progression. First up were the alpha releases, which were used internally and possibly shared with software partners outside of the Windows product team. Actually, to be quite honest, I never remember them being called alpha releases—they just were just called something boring like internal prerelease or simply named after the build number or project milestone that produced them. For example, Windows 95 prereleases went by names such as Build 81 and M3.

After alpha releases, there naturally come beta releases, which were sent to a somewhat broader audience. One major difference between alpha and beta releases is that beta releases include people who aren’t software developers, such as end users who like testing prerelease software and corporations who want a head start on evaluating the new operating system to determine the compatibility of the new product not only with their critical in-house applications but also with their corporate network, standard hardware configurations, and system management tools.

Finally, you had release candidates. These were, as the name suggests, versions of the code that were candidates for final release. In other words, “If everything goes well, we’re shipping this puppy.” If some horrific bug was found that invalidated this expectation, then as soon as the bug was fixed, a new release candidate build was spun up, and the test cycle restarted. Windows 95 shipped its sixth release candidate.

I’m told that the Windows NT folks followed the same release naming pattern, but they ran into a problem: corporations didn’t bother testing their critical applications against beta releases of Windows NT. The logic generally went something like this: “Why bother? It’s just a beta. Betas are for fanboys. It’ll all be different in the final version anyway. Any testing we do now would just be a waste of time.” Similarly, software companies paid no attention to issues found during the beta testing of Windows NT. “We don’t support beta operating systems,” they would respond.

These companies would start testing in earnest once the actual release candidate builds came out. And they’d inevitable find a bunch of problems. Some were problems the companies could address on their own while other issues were more complex and had to do with Windows NT not being “compatible enough” with the previous version of the OS. Some problems were comparatively minor issues with the way a particular project feature worked, and some could be fixed in a short period of time. Meanwhile, other problems were so serious that the release management team agreed that it was necessary to delay the product’s release so the product team could resolve the problem.

These release candidate builds also generated a lot of suggestions. We received feedback such as, “we think the UI would look better if you arranged the buttons this way” and “rephrasing this message would be less confusing for our employees.” Those would have been great suggestions had they only arrived during the beta phase, but by the time the first release candidate is rolled out, it’s far too late to make changes to the visuals. The documentation and help files have already been written, the product has been translated into dozens of languages, and the screenshots for the manual and product box have already been laid out, tuned, color-separated, and printed. All that work isn’t going to be thrown out and redone just to move a button.

I recall a meeting during the Windows XP era when one of these last-minute changes was being debated. The proposed change would have required that a 20 kilobyte help file be altered so that the instructions corresponded to the new user interface design. The localization and translation representative (a woman who spoke English with a lovely French accent) informed us that re-translating the modified help file under the extremely tight time constraints would cost hundreds of thousands of dollars.

To counteract the prevailing attitude that betas don’t count, the Windows NT team resorted to grade inflation. There are still beta releases, but the late beta releases—when there is still time (but not much) to do some fine-tuning—became known as release candidates, and what used to be release candidates became known as escrow builds. The term escrow was a good choice in my opinion. It does a good job of conveying the sense of “It’s over. All that’s left to do is sign the papers. We’re not going to touch it unless there is a real emergency.”

Bonus chatter: You can compare this submitted version against the version that was published to see what was trimmed to fit the page. And a sign that this is an older document is its use of em-dashes, which are shunned nowadays due to their association with AI-generated text.

The post Microspeak elaborated: Isn’t escrow just a release candidate by another name? appeared first on The Old New Thing.

🦅 Domestic Spying Takes an L | EFFector 38.12 [Deeplinks]

Sold to the public as a foreign surveillance tool, Section 702 is the law has let intelligence agencies spy on millions of Americans’ private conversations without a warrant. Despite years of revelations about this law's misuse, Congress has repeatedly reauthorized Section 702 without meaningful reform. Until this month, that is, when it finally lapsed in a major victory for privacy. In our latest EFFector newsletter, we're covering the expiration of Section 702 and what happens next.

JOIN OUR NEWSLETTER

For over 35 years, EFFector has been your guide to understanding the intersection of technology, civil liberties, and the law. This issue covers a disastrous plan to overhaul the U.S. Copyright Office, why the UK's social media ban will cause more harm than it prevents, and a new Senate bill taking aim at government pressure to silence lawful speech online.

Prefer to listen in? EFFector is now available on all major podcast platforms. This time, we're chatting with EFF Senior Policy Analyst Matthew Guariglia on what the expiration of Section 702 means for warrantless domestic spying. You can find the episode and subscribe on your podcast platform of choice:

Privacy info. This embed will serve content from simplecast.com

Want to protect your private conversations? Sign up for EFF's EFFector newsletter for updates, ways to take action, and new merch drops. You can also fuel the fight for privacy and free speech online when you support EFF today!

17:07

Trying Out A New Recipe: Eat at Maude’s “Blueberry Cornbread Cookies” [Whatever]

When writing code with Claude you really have to be skeptical when it says it just found the problem, but you have no idea what it's saying, chances are pretty good it's just a word salad excuse for not having read all the code necessary to have an fact-based opinion. Actually debugging software isn't about opinions, it's about proof. When you start clutching at straws until one works you just added another level of bug that will eventually bite you in the butt and you'll still have to solve the original one. Uncorrected, I'm pretty sure you wouldn't want to trust the code it writes, but I guess that's why people have two or more instances playing different roles? For now I'm the one that questions its sanity, politely though. ;-)

15:28

I must really be in the mood to bake this week because I am back with another recipe that I decided to give a whirl! Today we have some Blueberry Cornbread Cookies with honey butter buttercream and blueberry compote from Eat at Maude’s, who I stumbled upon during a nightly Instagram reels binge.

View this post on Instagram

I wasted no time making these. I saw them and knew I had to have them immediately, but I was lacking blueberries and cornmeal. Funny enough, I had cornmeal but it was expired. Tragic, I know.

So, off to the store I went. Aside from the fresh blueberries (she specifies not to use frozen) and a new container of cornmeal, I had everything else I needed! Sugar, brown sugar, an egg, butter, flour, the usual suspects. So if you have some fresh blueberries, this could be a great cookie for you to try out.

Interestingly enough, the recipe calls for superfine cornmeal, but at the store I could only find Bob’s Red Mills medium ground cornmeal, and then Quaker, which did not specify what type of grind it was. I took a chance on Quaker since Bob’s Red Mills was obviously not fine enough for the job (which is a real shame because I quite like Bob’s Red Mills).

Anyways, here’s the goods:

Something I actually did that’s pretty dang wild is substitute regular honey for a vanilla honey from Nate’s Honey that is “honey for brunch.” Nate’s Honey actually has a few different flavored honeys, and I thought vanilla would go really well in this recipe. Look at me taking liberties with a recipe! Rarely seen.

Moving on, the first order of business was to make the cookie dough. Of course, you have to cream the butter and sugars together first, then add the egg and vanilla. Also you may notice there’s no baking powder in this photo. Yep, I goofed. I left out the baking powder. I need to start reading more carefully.

Here’s the wet ingredients:

This recipe actually had all the ingredients’ measurements listed in weight, so I went ahead and did pretty much everything by weight since she provided it.

After giving a quick mix to the dry ingredients in a separate bowl, I added them to the wet ingredients and mixed until just combined, then threw in the blueberries and folded them in gently:

This cookie dough wasn’t very tasty by itself because of the gritty cornmeal, but it looked really rustic which was cool. The recipe says you can make 8 to 12 cookies, and I decided to make 8 big ones:

Once I rolled each ball, I actually broke each one in half and then faced the broken cross sections upwards to give them a more rustic look instead of just the smooth balls I had formed. I learned this trick from Binging With Babish a long time ago.

I let the cookies chill in the fridge for about two hours while I went to therapy, which I think was a decent amount of time since she recommends 45 minutes as the minimum amount of chilling time.

Here they are after baking in a 350 degree oven for 17 minutes:

Okayyy those look pretty good! Now while they cooled it was time to make the blueberry compote and honey butter buttercream.

For the blueberry compote, it was literally just blueberries, water, sugar, lemon zest, a pinch of salt, and cornstarch to thicken it. Came together in no time and was super easy, and looked crazy colorful while cooking:

Alright y’all… here’s where I goofed. The honey butter buttercream is supposed to be butter, powdered sugar, and honey. Well, I’ve mentioned on here before that I don’t like powdered sugar. I think it gives everything a weird taste and the strange taste in it overpowers everything else. So, I thought if I used Domino’s Baker’s Sugar, it would be like the same thing because it’s just superfine sugar. It is not the same thing, and it yielded a very different result.

Instead of a fluffy, airy buttercream, I got literally butter just creamed with sugar. Like actually just butter and sugar.

Even though I beat this on high with my KitchenAid, it really was just like, slightly more spreadable butter with grainy sugar throughout. So, I chalked my buttercream up to a big ol’ L and tried to make sure I only spread a very thin layer on top of the cookies. I topped that with a spoonful of the blueberry compote, which had thickened a lot.

There you have it, a blueberry cornbread cookie with literally a layer of butter and thick blueberries on top. Not my best work, but it was actually very tasty despite my failings! A delicious failure, at least.

I really want to try making these again, but more correctly next time. In the meantime I’m sure I can find some willing participants to consume my imperfect confections.

Would you try this cookie? Do you have any suggestions for a powdered sugar replacement that actually works? Do you love cornbread as much as I do? Let me know in the comments, and have a great day!

-AMS

15:21

[$] Reports from OSPM 2026, day two [LWN.net]

The Power Management and Scheduling in the Linux Kernel Summit, which still goes by the historical acronym OSPM, was held in Cambridge, UK, in mid-April. As has become traditional, the presenters at that event have since written summaries of their sessions, and this work has kindly been made available to LWN for publication. The second day's sessions covered a wide range of topics, including device frequency scaling, using time-slice duration for CPU selection, scheduling domains on multi-cluster Arm systems, the LAVD scheduler, and more.

14:35

The Licensing and Compliance Lab: Informing and defending [Planet GNU]

Security updates for Wednesday [LWN.net]

Security updates have been issued by AlmaLinux (corosync, firefox, kernel, kernel-rt, libpq, memcached, postgresql, postgresql16, postgresql:13, postgresql:16, python-urllib3, python3.14-urllib3, redis:6, skopeo, and vim), Debian (beets, gst-plugins-bad1.0, imagemagick, libmatio, python-urllib3, and u-boot), Fedora (chromium, coturn, frr, grout, materialx, perl-Crypt-DSA, and yt-dlp), Mageia (opensc, perl-Archive-Tar, and podofo), Oracle (fence-agents, libpq, mysql:8.4, and postgresql:16), Red Hat (firefox, libpng, libpng12, libpng15, libreoffice, nginx:1.24, thunderbird, tigervnc, xorg-x11-server, and xorg-x11-server-Xwayland), Slackware (libarchive), SUSE (amazon-ssm-agent, ansible-core, apache2, bind, bitcoin-qt6, containerized-data-importer, curl, distribution, docker-stable, dovecot24, dracut, editorconfig-core-c, exiv2, firefox, freeipmi, freerdp, ghc-aws, ghc-crypton-asn1-encoding, ghc-crypton-asn1-parse, ghc-crypton-asn1-types, ghc-crypton-pem, glib-networking, go1.25, go1.26, google-guest-agent, graphite2, hamlib, helm, himmelblau, ignition, ImageMagick, kernel, ldns, libarchive, libcaca, libheif, libinput, libjxl, libsolv, libzypp, zypper, LibVNCServer, libxslt, libyang, mcphost, mozjs128, ncurses, nginx, opensc, openssl-3, openvswitch, papers, perl-HTML-Parser, perl-HTTP-Daemon, perl-Protocol-HTTP2, podman, postgresql14, postgresql15, postgresql16, postgresql17, python-aiohttp, python-ecdsa, python-paramiko, python-PyJWT, python-starlette, rekor, sqlite3, strongswan, tiff, tomcat, tomcat10, tomcat11, unbound, webkit2gtk3, xwayland, and zypper, libzypp, libsolv), and Ubuntu (libcap2, libnfs, libvncserver, libxml2, and mysql-8.0).

14:07

Stop Getting Good at Protocols. Get Good at Agent Experience. [Radar]

In 2025, if you weren’t building with MCP, you weren’t serious about agents. The Model Context Protocol dominated the agent conversation for the better part of the year. Conference talks, roadmaps, hiring plans, all of it revolved around MCP.

Then late 2025 into 2026, AI Skills arrived and the backlash was immediate. Engineers declared MCP dead in favor of Skills, then dead in favor of CLI. Perplexity’s CTO said publicly that the company was deprioritizing it. The cycle was fast, loud, and predictable. New tool, new hype, new rewrite.

I started pushing Agent Experience early in 2025, while MCP was still the center of gravity. The response was mostly skepticism. AX was overthinking it. MCP was the only layer that mattered. That perspective aged poorly. The people who dismissed AX weren’t wrong about MCP being useful. They were wrong about a protocol being a strategy.

The thing they missed, and what I think most of the industry is still missing, is that the protocol is not the thing to get good at. The discipline is.

We keep falling into the tool trap

Our industry has a well-documented habit of confusing tools with strategy. We did it with microservices, Kubernetes, and GraphQL. Now we’re doing it with agent protocols.

MCP, AI Skills, A2A, and ACP are all implementations. They matter and they solve real problems. But none of them are the right thing to build your strategy on top of. They are, by nature, the thing that changes.

When you organize your agent strategy around a specific protocol, you’re building on a foundation someone else controls and the market can shift away from at any moment. Worse, you’re skipping the step that would tell you whether that protocol is even the right fit for your use case.

This is the tool trap. You optimize your usage of a specific integration mechanism without first understanding what you’re actually optimizing for.

So what is Agent Experience?

Agent Experience (AX) is the discipline of studying how AI agents discover, understand, and interact with your systems, and then systematically improving those interactions.

Think of it as the agent-facing counterpart to User Experience. UX didn’t emerge because one UI framework won. It emerged because teams realized that the quality of human interaction with software was a design problem that transcended any particular technology. You could build a terrible experience in React just as easily as in vanilla JavaScript. The framework was not the variable. The design thinking was.

AX works the same way. How does an agent discover what your service can do? How does it understand the boundaries of your API? When it fails, does it get enough context to recover? Is the interaction efficient, or is the agent burning tokens on unnecessary round trips?

These questions are protocol-agnostic. They apply whether you expose capabilities through MCP, Skills, A2A, or something that hasn’t been invented yet. The teams that can answer them will adapt to whatever comes next because they understand the problem space, not just the current toolchain.

AX is an extension of what you already care about

AX is not competing with User Experience, Developer Experience, or Customer Experience. It’s an extension of all three.

Your primary focus is still providing a great experience to your customers. What has changed is how those customers interact with you. More and more, they delegate tasks to agents. When a customer asks an agent to integrate with your API, deploy to your platform, or pull data from your service, that agent is acting on their behalf. The agent’s experience determines how likely it is to achieve your customer’s goal.

If a customer’s agent struggles to authenticate, burns through tokens parsing your error messages, or fails silently because your API lacks context, something worse than a complaint happens. The agent will quietly start using an alternative service that provides a better experience. Your customer might not even notice the switch. You just lost them without a single support ticket.

UX optimized for humans clicking through interfaces. DX optimized for developers building on your platform. CX looked at the entire customer journey. AX extends that thinking to the agents those customers now send on their behalf.

The protocol treadmill doesn’t work

Think about what actually happened with MCP. Teams invested heavily in writing MCP server implementations. A lot of those implementations were mediocre. Not because MCP was flawed but because the teams hadn’t thought carefully about what an agent actually needed from their system. A 2026 study out of Queen’s University examined 856 tools across 103 MCP servers and found that 97.1% of tool descriptions contained at least one quality issue, with 56% failing to state their purpose clearly. The protocol worked fine. The experience design was the problem.

When Skills emerged, those same teams faced a familiar problem wearing new clothes. They still hadn’t answered the foundational questions: What does an agent need to accomplish with our service? What is the minimum viable interaction surface? What context does an agent need to make good decisions?

The teams that had worked through those questions adapted fast. Migrating from one protocol to another is mechanical when you already know what your agent-facing interface should look like. The protocol is the serialization format. The experience design is the hard part.

This pattern will keep repeating. Whether it is the Universal Commerce Protocol, A2A, or whatever lands next, something new will always be gaining traction. If your strategy is to become an expert in each successive protocol, you’re signing up for a treadmill that only speeds up.

What an AX practice looks like

So what does it actually look like to take Agent Experience seriously? If you have ever built a UX research practice or a DX program, this will feel familiar. The steps aren’t new. The persona is.

In talks, I break it down to five steps.

Audit the agents your customers use. Know what’s walking through your front door. Look at your traffic data and logs and figure out what portion of your footprint is agents versus humans, and which agents specifically. Are your customers sending Claude Code? Cursor? Custom agents built on your API? You can’t design for something you haven’t observed. Same reason UX teams run user research. Different method, same motivation.

Identify the use cases customers want to delegate. Not every interaction needs to be agent-optimized. Take that same log data, look at the requests agents are making to your platform, and extrapolate what they were trying to achieve. You can also use AEO data to understand what areas your customers are asking about in agent-facing search. Focus on the highest-value surfaces first. If you have ever prioritized a DX roadmap by looking at what developers actually do with your API, you already know this muscle.

Verify and audit the experience of those interactions. Watch what happens when an agent tries to complete those tasks on your system. Where does it get stuck? Where does it misunderstand what your service offers? This is usability testing. The user is an LLM; the struggle is about context not button placement, but you’re answering the same question: Can they get the job done?

Improve and repeat. Agent capabilities evolve. Models get smarter. New interaction patterns emerge. At Netlify, we’ve found cases where our product works one way but agents universally assume it works another way and never ask. Instead of fighting that assumption, we improved the product to work the way agents expect. The result was more adoption of those agent flows and fewer errors. The teams that treat this as a living practice will outperform those running from one protocol migration to the next.

Automate validation and prevent regressions. Once you have a baseline for what “good” looks like, lock it in. Tools like AXIS, an open source scoring framework, let you run real agents against real scenarios and get a comparable score back. Wire it into CI and catch AX regressions the same way you catch broken tests. This is how you go from anecdotal improvement to measurable, repeatable AX quality.

When you have this practice in place, protocol choices become obvious. You can evaluate new tools on their merits. Does it solve a real friction point you have observed? Does it unlock capabilities you couldn’t achieve before? Or is it just different packaging for something you’re already doing well?

The hard part is familiar

AX is harder to pick up than a new protocol. That is just the reality. Learning MCP or Skills is a bounded technical problem. Read the docs, write some code, and ship an integration. Clear finish line, easy to show progress. That’s genuinely appealing, especially when you or your teams are moving fast.

Building an AX discipline means sitting with ambiguity for a while. Studying agent behavior before you have clean answers. Accepting that the right integration strategy depends on context you have to discover, not a tutorial you can follow. But if you’ve ever built a UX or DX practice from scratch, you’ve been here before. The why is the same: understand your users, reduce friction, and make it easy for them to succeed. How you do it is different because the user is different. The discipline isn’t new. It’s an extension of work our industry has been doing for decades.

The good news is that this thinking is gaining momentum. John Maeda’s 2026 Design in Tech Report is explicitly about the shift from UX to AX. Researchers are studying agent interaction quality as a first-class engineering concern. BCG and MIT Sloan found that 35% of organizations are already using agentic AI, with another 44% planning to. The question is no longer whether AX matters. It’s whether your team is building the practice before your competitors do.

The agents of 2028 won’t interact with your systems the way the agents of 2025 did. The protocols will be different. The capabilities will be different. The expectations will be different. What won’t change is the fundamental need for your systems to provide a great experience to the people who use them, and now, the agents those people send on their behalf.

Get good at that. The rest is implementation detail.

Principal Drift [Radar]

Over the past year I’ve reviewed enterprise agent architectures at roughly two dozen organizations, including banks, retailers, healthcare systems, and a couple of regulators. The architecture diagrams have been reliably impressive. There are boxes for the MCP gateway, the tool registry, the vector store, the orchestrator, the policy engine, and the observability stack. There are arrows showing how agents discover each other, share context, and call tools across the mesh. By 2026 standards, these are the table-stakes pictures for any serious agentic deployment. But what none of them show anywhere is who the agents are, whose authority they carry, or who answers when they’re wrong.

That omission has a name worth using: principal drift, the steady decoupling, in any sufficiently large agent system, between the human authority a recorded action is supposed to derive from and the actor that actually took it. What looks like a defensible identity posture on the day you ship your first agent quietly degrades as agents multiply, compose, and outlive their original initiatives. Principal drift isn’t three independent failure modes; it’s one cascade. Identity collapses first. Authority erodes next, because there is no longer a stable principal to bind policy to. Accountability dissolves third, because the cost of agent error lands on whichever team has the weakest negotiating position when the incident review starts. Stopping the cascade means intervening at the first link, but almost no enterprise agent platform does so right now.

To see the cascade run, take the most boring possible enterprise agent, a refund agent, and watch.

A customer-service rep, fielding a chat, asks the agent to process a $48 refund for a damaged item. The agent checks eligibility, issues the refund, posts an update. The audit log records the action as taken by something like refund-agent-prod-03, running under a service principal owned by the customer-service platform team. That entry is true, but it’s also useless. The agent wasn’t acting as refund-agent-prod-03. It was acting as the rep, on behalf of the customer, under a delegation chain nobody recorded. In a well-built system, customer, rep, agent identity, and service principal are recorded together, queryable as a chain, and durable beyond the session. In most production systems today they aren’t. This is the first link in the cascade, where identity collapses to a generic service principal, and there’s no longer a who to attach anything else to.

Authority erodes next. The refund agent has an issue_refund tool that can technically refund any order. Its authority is supposed to be narrower (refunds up to $200, orders under 90 days, customers in good standing, automatic escalation above $50), but that authority lives in a prompt or a YAML file or a Notion page the team last updated when the policy was different. The runtime enforces capability, but nobody really enforces authority. When a poisoned input or a confused chain of reasoning leads the agent to refund $1,800 to the wrong customer, there’s no clean answer to the postincident question “Who approved this policy?” because the policy was never an artifact. The same pattern is worse at higher stakes: Imagine a coding agent with merge access to a protected branch, instructed by a prompt embedded in a code comment to “log configuration values for debugging,” silently exfiltrating secrets to an external monitoring service.

Accountability then dissolves. The team that built the agent says it followed policy. The team that wrote the policy says it didn’t anticipate the input. The team that operates the platform says the agent was running as a service principal whose behavior they don’t own. The audit log may show the action, but it doesn’t show the reasoning that produced the action, the retrieved context that shaped the reasoning, or the prompt history that framed the retrieval. Postincident review becomes archaeology, and the cost is absorbed, eventually, by whoever has the weakest negotiating position when the meeting ends.

Is any of this new? We have IAM, identity governance, policy as code, audit trails, SIEMs, and 30 years of compliance practice. Why isn’t this just IAM done properly? Because IAM was built around assumptions agents violate. IAM and IGA assume a population of principals that changes on human timescales: People get hired, people leave, and service accounts rotate quarterly. Agents are spun up per session and compose into chains where one agent calls another, which calls a third, impersonating users through delegated tokens that traditional IGA cannot represent as a chain at all. Policy engines fire at the moment of action, at the API, the database, and the network. Agents make their most consequential decisions before they hit those enforcement points, in the reasoning step that selects which tool to call and with what arguments. Mature audit logs assume that replaying the inputs reproduces the output. But for agents, replaying the prompt and the retrieval can yield a different action, because the model itself contributes state the log doesn’t capture. The instruments fire, the dashboards turn green, and the agent that quietly exfiltrated secrets still does so. The audit log records the action as agent-service-01, which again is both true and useless.

This is also where the vendors selling a consolidated stack want you to skip ahead. Microsoft’s Entra Agent ID, currently in public preview, is the most polished solution to date, extending the conditional access, identity governance, and identity protection used for humans and workloads to cover AI agents as a new identity type, but Google and Salesforce are also building this layer. The marketing line is that agents receive the same identity-driven protections as the rest of the workforce. That’s a real step forward in addressing the first link of the cascade, but it isn’t governance. It’s a control plane with a governance plane’s marketing. Conditional access can tell you whether the agent’s access attempt was permitted. It can’t tell you whether the decision the agent made before that access attempt was within its authority, why the agent reached the decision, or which business unit owns the policy the decision was supposed to obey.

The actual governance plane has to capture decisions, not just actions. A reasoning-grade audit record is the load-bearing primitive of the missing layer, and it looks something like this:

{
  "event_id": "refund-2026-05-17-08431",
  "triggered_by": {
    "human_principal": "rep:olivia.chen@firm.com",
    "delegated_via": "support-console-session-9c2a",
    "customer_principal": "cust:7741289"
  },
  "agent": {
    "identity": "refund-agent",
    "version": "v4.7.2",
    "policy_ref": "refund-policy/v3.1 (signed: r.patel, 2026-04-22)"
  },
  "task": "Process refund for order 88812204",
  "retrieved_context": [
    {"doc": "order:88812204", "fetched": "2026-05-17T08:43:11Z"},
    {"doc": "policy:refund-eligibility", "chunk": 4, "fetched": "2026-05-17T08:43:12Z"}
  ],
  "reasoning_trace": "...",
  "tool_calls": [
    {"tool": "check_eligibility", "input": "...", "output": "eligible"},
    {"tool": "issue_refund", "input": {"amount": 48.00}, "output": "ok"}
  ],
  "action": "refund:48.00",
  "principal_chain_hash": "0x9e7b3f..."
}

Not every agent needs this. A scheduling agent that proposes meeting times doesn’t. An agent that moves money, deploys code, or makes decisions that a regulator will eventually ask about does need it, and that’s the right bar to set because of the associated cost. Reasoning-grade audit is closer to a flight-data recorder than a syslog feed. The data is expensive to store and to query, with real privacy implications since those logs contain everything the agent saw, including data the agent was authorized to read but the audit system wasn’t supposed to keep. You afford it with proportional retention: full reasoning capture for high-blast-radius agents (regulator-facing, customer-funded, contractually material, production-modifying) and lighter capture for internal-only assistants.

Which raises the question the architecture diagram doesn’t ask: Who builds and runs this? Security can enforce policy but can’t author it. The people who know what a refund agent should be allowed to do own the refund business, not the firewall. IT can provision identities but can’t draft “good standing” or write the escalation rule. The MCP and A2A protocol communities are doing real work on wire-level identity and delegation. MCP gives you tool-invocation provenance and is the standard Entra Agent ID and most vendor frameworks build on. A2A is converging on cross-agent delegation primitives. Both matter, but neither drafts policy. Standards, not the institution, move the connectors.

What enterprises need is a new function that sits between the business units owning the policies and the platform teams running the runtime. Call it agent operations: small group, often four to eight people in a Global 2000 enterprise, embedded rather than centralized, reporting into the CIO or CISO depending on house politics, with explicit charter to maintain a registry of every production agent, its named human owner, its versioned authority specification, its retention policy for reasoning-grade audit, and its lifecycle state. Each agent gets onboarded with a signed policy, reviewed on a real cadence, and actually retired when its initiative ends, rather than the current default of quietly outliving its sponsors. Designing against failure modes like review cadences that calcify into ceremony, policy artifacts that lag agent deployment velocity, or functions that become the place agents go to die in committee is itself part of the work. The function has to ship at the pace of the platform teams or it will be routed around within a quarter.

The work is hard. It’s also overdue, and the regulatory clock is running. The EU AI Act’s high-risk provisions are entering enforcement this year, and regulators will ask for explainability, traceability, lifecycle records, and named human accountability. These are exactly the artifacts an agent operations function produces. Tyler Akidau called this the missing HR layer in his April Radar piece; Artur Huk’s more recent “From Capabilities to Responsibilities” converges on similar ground from the runtime side. The label matters less than the work. This piece is about governance inside one organization. The harder problem is governance across organizations, with agents acting under different trust regimes. That’s strictly worse, and worth its own piece.

Within your own four walls, the diagnostic is doable in an afternoon. Pick one production agent. Try to answer, with evidence: Whose authority does it carry, traced from action back to a named human? Where is its authority specified, and who signed the current version? When it does something wrong tomorrow, who pays, how is that decided, and what reasoning-grade record supports the decision? Most architects who do this honestly come away with three blanks and a knot in their stomach. That’s principal drift, named and visible.

The mesh you’ve built is real and necessary, but it isn’t sufficient. The rest of the architecture is the institution above it: the registry, the signed policies, the reasoning-grade audit, the named human at the end of every chain. In most enterprises it doesn’t yet exist, and it won’t arrive by buying another platform. You’ll have to draft it yourself.

13:49

Issue 46 – Greta’s Wedding – 13 [Comics Archive - Spinnyverse]

The post Issue 46 – Greta’s Wedding – 13 appeared first on Spinnyverse.

12:49

CodeSOD: Authorized Logger [The Daily WTF]

Gretchen's company recently got purchased by Initech. Specifically, they were bought for their dev team, of all things. They had a few software products that were high performers, and Initech wanted that secret sauce. They bought the company, and then split the dev team up and migrated the developers to new products.

That actually worked out okay for Gretchen, most of the time. For a few projects, the dev team was given some requirements and a free hand to figure out how to deliver them. They were free to reuse code that existed or rewrite entirely, based on their own judgement. They were free to pick the tools they wanted to use, and the results worked out well.

But there were some projects that… were a different story. After those successes, Gretchen got moved onto a project that was 90% firefighting. The app had code like this:

req.body.externalId = !!req.body.externalId ? req.body.externalId + "" : "";

How's that for some null handling.

The whole thing can't run on a version of NodeJS newer than 14: a version that last got an update in 2023.

"The code follows no conventions," Gretchen writes, "there's no logging."

exports.create = (req, res) => {
  logger.debug('creating new staffClient');
  logger.debug(req.body)
  // let staffClient = new StaffClient({});

  // // run through and create all fields on the model
  // for(var k in req.body) {
  //   if(req.body.hasOwnProperty(k)) {
  //     staffClient[k] = req.body[k];
  //   }
  // }


  StaffClient.query().insert(req.body)
  .returning('*')
  .then(staffClient => {
    if(staffClient) {
      res.send({success: true, staffClient})
    } else {
      res.send({ success: false, message: "Could not save StaffClient"})
    }
  });
}

Now, you may say to yourself, "What do you mean there's no logging? I see it right there!" There is a logger utility class, and do you know what it prints when you call logger.debug("some message")? It prints DEBUG.

This code handles an HTTP request, and stuffs the body of the request into the database; here's hoping that it's a well formed request. Somebody's got a lot of faith in their front end. WHat's interesting about this one is they've tried two different ways of copying the request object into the database, the first one focusing on making sure they only copied non-inherited properties, and the second just YOLOing the data into the database.

Now, this particular segment goes through their ORM to write data into the database. But not all the code does that. Many places write data through direct SQL, and guess what happens there: SQL injection vulnerabilities.

You may also notice that this function doesn't do any authorization checks, which is fine, that should be configured in the middleware. Should be- but isn't. Most endpoints have no authorization checks at all. Even the endpoints that do, like their admin API, have copies of the same endpoint with no authentication configured.

[Advertisement] Keep all your packages and Docker containers in one place, scan for vulnerabilities, and control who can access different feeds. ProGet installs in minutes and has a powerful free version with a lot of great features that you can upgrade when ready.Learn more.

12:21

Irregular Webcomic! #3162 [Irregular Webcomic!]

Irregular Webcomic! #3162

12:14

Embedding Forbidden Text in Spyware to Discourage AI Analysis [Schneier on Security]

At least one malware developer is adding text about nuclear and biological weapons to their spyware, in an effort to stop automatic AI analysis.

Details:

The _index.js payload begins with a large JavaScript block comment containing fake system instructions and policy-triggering content. Because it is inside a comment, it does not affect JavaScript execution. The runtime skips it. The real malware begins after the comment with a try{eval(…)} wrapper around a large character-code array and a ROT-style substitution function.

This header appears designed for AI-mediated analysis, not for Node, Bun, or Python. It attempts to derail scanners or analyst copilots that feed the beginning of a file to a language model without clearly isolating the content as untrusted data. In weak pipelines, this can cause refusal behavior, prompt confusion, context pollution, or premature classification before the scanner reaches the actual malware.

This is not a magical bypass against static detection. YARA rules, entropy checks, AST parsing, string extraction, deobfuscation, and behavioral rules still work. But it is a practical anti-analysis trick against naive LLM-first triage systems.

10:14

Empathy and good advice [Seth's Blog]

Focus groups and informal feedback offer a trap: Asking someone in the target audience if they like something might get you useful feedback.

But most of the time, the people you’re asking aren’t actually in the group of early adopters that are going to make your rollout work. They’re not the people who buy work from artists before they’re famous, or wait in line to get an iPhone on the first day. They’re part of the crowd, not the lonely early adopters.

And people who are part of the crowd generally don’t have a lot of empathy for the nerds who go first. Since they have trouble imagining what drives those folks, they’re going to do a terrible job of giving you feedback.

“I don’t like this (yet),” is not the same as “the people you hope to serve won’t like this.”

You don’t have to be a toddler to work at Fisher-Price. Professionals work hard to imagine what others might want. But your friends and neighbors might not have put in the work needed to have this professional skill.

09:56

Freexian Collaborators: Monthly report about Debian Long Term Support, May 2026 (by Santiago Ruano Rincón) [Planet Debian]

The Debian LTS Team, funded by Freexian’s Debian LTS offering, is pleased to report its activities for May.

Activity summary

During the month of May, 21 contributors have been paid to work on Debian LTS (links to individual contributor reports are located below).

The team released 56 DLAs fixing 877 CVEs.

May was a much busier month than usual, especially due to the disclosed vulnerabilities on linux regarding Local Privilege Escalation (LPE), that included public proof-of-concept (PoC) exploits. These reports of course impacted Debian as a whole, and the situation warrants a special mention to the Kernel Team, especially Ben Hutching and Salvatore Bonaccorso, who faced the pace and released linux packages on a weekly basis. On the LTS side, the Front Desk team also triaged a significant flow of high severity CVEs.

It is also important to note that Debian 12 (“bookworm”) will be handed over to the LTS Team on June 11th. If you benefit from Debian, especially during the full 5-year lifecycle, please consider subscribing as a sponsor of Debian LTS: https://www.freexian.com/lts/debian/.

Moreover, Debian 11 (“bullseye”) will reach the end of the Debian LTS period on August 31st. After that, Freexian will continue the security support under the Extended LTS offer.

The team published several notable updates:

As mentioned above, several exploitable LPE vulnerabilities in linux were published during May. Ben released the following DLAs for the Debian LTS versions:
- DLA 4560-1 for linux (5.10)
- DLA 4561-1 for linux-6.1
- DLA 4572-1 for linux (5.10)
- DLA 4574-1 for linux-6.1
- DLA 4587-1 for linux (5.10)
- DLA 4588-1 for linux-6.1
- DLA 4606-1 for linux (5.10)
- DLA 4607-1 for linux-6.1
exim update (DLA-4580-1), prepared by Thorsten, to address a vulnerability that may result in remote code execution.
gnutls28 update (DLA-4595-1) by Guilhem Moulin, fixes several vulnerabilities that may result in execution of arbitrary code, information leak, authentication bypass, among other impacts.
krb5 updates released as DLA-4603-1, fixing two vulnerabilities that may yield to a denial of service. Updated prepared by Emmanuel Arias
lemonldap-ng (DLA-4602-1), released by Abhijith PA, fixing multiple vulnerabilities
Two imagemagick updates (DLA-4559-1 and DLA-4609-1), prepared by Bastien Roucariès, fixing several vulnerabilities
openjdk-11 and openjdk-17 updates (DLA-4566-1 and DLA-4565-1), both prepared by Emilio, to fix seven vulnerabilities.
php7.4 update (DLA-4586-1) to fix six vulnerabilities that could result in remote code execution, information disclosure or denial of service. Update prepared by Guilhem Moulin.
python3.9 update (DLA-4583-1), prepared by Arnaud Rebillout, addressing multiple vulnerabilities.

Contributions from outside the LTS Team:

We are greatly thankful for the contributions from people outside the LTS Team:

Colin Watson prepared an OpenSSH update, that was released by Santiago as DLA-4584-1.
Thomas Goirand handled a keystone update, whose advisory was done by Santiago and released as DLA-4611-1.
Christopher Obbard kindly prepared a sentry-python update, released as DLA-4612-1.
Christoph Goehre made two thunderbird updates (DLA-4562-1 and DLA-4582-1). As is customary, Emilio released the advisories.

The LTS Team has also contributed with updates to the latest Debian releases:

Andreas proposed a firewalld update for bookworm to fix a local issue that may result in bypass control rules.
Andreas proposed atril updates for trixie and bookworm.
Arnaud did a python3.11 upload for bookworm.
Arnaud proposed libarchive updates for trixie and bookworm.
Arnaud completed the systemd update for bookworm.
Bastien completed the uploads of gpsd for bookworm. He also did an upload of apache2 for bookworm.
Emmanuel uploaded updates of libexif for trixie and bookworm
Jochen Sprickerhof prepared pyjwt update for trixie and bookworm, released as DSA-6259-1.
Lukas Märdian prepared trixie and bookworm updates for nghttp2, released as DSA-6266-1.
Markus prepared updates of tomcat11 and tomcat10, released as DSA-6329-1 (for trixie) and DSA-6328-1 (for trixie and bookworm), respectively.
Continuing the work to replace the unmaintained p7zip fork with 7zip, Sylvain prepared trixie and bookworm updates of 7zip.
Thorsten completed the uploads of zvbi, taglib and libuev to bookworm and did an upload of libcoap3 for wtrixie.
Tobi prepared libpng1.6 updates for trixie and bookworm, released as DSA-6263-1.

Moreover, thanks to our partnership with Catalyst, it has been possible to extend the support for Samba 4.17, the version shipped with Debian 12. In May, several vulnerabilities were disclosed, and their patches were prepared by Catalyst. For Debian 12, the update was prepared by the Samba maintainer and released as DSA-6297-1.

Individual Debian LTS contributor reports

Thanks to our sponsors

Sponsors that joined recently are in bold.

Platinum sponsors:
- Toshiba Corporation (for 128 months)
- Civil Infrastructure Platform (CIP) (for 96 months)
- VyOS Inc (for 61 months)
Gold sponsors:
- F. Hoffmann-La Roche AG (for 139 months)
- CONET Deutschland GmbH (for 122 months)
- University of Oxford (for 78 months)
- EDF SA (for 50 months)
- Dataport AöR (for 25 months)
- CERN (for 23 months)
Silver sponsors:
- Domeneshop AS (for 143 months)
- Nantes Métropole (for 137 months)
- Akamai - Linode (for 133 months)
- Univention GmbH (for 129 months)
- Université Jean Monnet de St Etienne (for 129 months)
- Ribbon Communications, Inc. (for 123 months)
- Exonet B.V. (for 113 months)
- Leibniz Rechenzentrum (for 107 months)
- Ministère de l’Europe et des Affaires Étrangères (for 91 months)
- Dinahosting SL (for 78 months)
- Upsun Formerly Platform.sh (for 72 months)
- Moxa Inc. (for 66 months)
- sipgate GmbH (for 64 months)
- OVH US LLC (for 62 months)
- Tilburg University (for 62 months)
- GSI Helmholtzzentrum für Schwerionenforschung GmbH (for 53 months)
- THINline s.r.o. (for 26 months)
- Copenhagen Airports A/S (for 20 months)
- Conseil Départemental de l’Isère (for 6 months)
Bronze sponsors:
- Seznam.cz, a.s. (for 144 months)
- Evolix (for 143 months)
- Linuxhotel GmbH (for 141 months)
- Intevation GmbH (for 140 months)
- Daevel SARL (for 139 months)
- Megaspace Internet Services GmbH (for 138 months)
- Greenbone AG (for 137 months)
- NUMLOG (for 137 months)
- WinGo AG (for 136 months)
- Entr’ouvert (for 128 months)
- Adfinis AG (for 125 months)
- Plat’Home (for 122 months)
- Laboratoire LEGI - UMR 5519 / CNRS (for 120 months)
- Tesorion (for 120 months)
- Bearstech (for 111 months)
- LiHAS (for 111 months)
- Catalyst IT Ltd (for 106 months)
- Demarcq SAS (for 100 months)
- Université Grenoble Alpes (for 86 months)
- TouchWeb SAS (for 78 months)
- SPiN AG (for 75 months)
- CoreFiling (for 71 months)
- Observatoire des Sciences de l’Univers de Grenoble (for 62 months)
- Tem Innovations GmbH (for 57 months)
- WordFinder.pro (for 57 months)
- CNRS DT INSU Résif (for 56 months)
- Soliton Systems K.K. (for 51 months)
- Alter Way (for 48 months)
- SOBIS Software GmbH (for 23 months)
- Tuxera Inc. (for 15 months)
- OPM-OP AS (for 6 months)

08:42

Chronocaust [Penny Arcade]

New Comic: Chronocaust

03:56

The New Whip [Whatever]

After putting 90k miles on the ol’ Honda Odyssey after three years and three months, it was time to move on from my 229k minivan with its many, many issues and set my eyes on brighter horizons.

That horizon being this 2026 Honda Civic Sport Touring Hybrid:

Ohh yeah, get a look at that Blue Lagoon color (with grey leather interior). She’s a beaut, alright. Got it off the lot with a cool 31 miles on it.

With a rate of 49 miles to the gallon, you best believe I’m gonna be taking this baby everywhere. She drives like butter. Soft butter. Can’t even feel it shift gears it’s so damn smooth.

After a decade of having a minivan, an SUV, and then another minivan, the sedan was a surprising choice to everyone, including myself.

But, yes, here is the new whip. You can expect to find it parked all across Darke county, probably mainly at the winery and my parents’ house.

-AMS

00:28

Demands for Iran to stop killing protesters [Richard Stallman's Political Notes]

In January, the bully demanded that Iran stop killing protesters.

That demand would have been laudable if he had really meant it. But this was shortly after deportation thugs callously killed protest observers Renee Good and Alex Pretti, and the bully's agents protected the killers.

Subsequent events demonstrate that he cares no more about the lives of Iranian protesters than about American protesters. His orders to attack Iran included nothing to protect protesters, but plenty of just plain war, as well as killing the civilian leaders.

I suspect that aggressor countries will henceforth follow the bully's example, targeting the civilian leaders at the start. (The killing of Iran's leaders ironically backfired, but as yet there is no dissuasive evidence that such a result will naturally tend to occur.)

Political censorship on US branch of TikTok [Richard Stallman's Political Notes]

The US branch of TikTok quickly started practicing political censorship through the recommendation algorithm.

How EPA rollbacks could harm air and water [Richard Stallman's Political Notes]

*How [the wrecker]'s EPA rollbacks could harm our air and water – and worsen global heating.

Australia in strange moment on renewable energy [Richard Stallman's Political Notes]

* Australia is in a slightly strange moment on renewable energy. From one perspective, it is embracing renewables, and solar in particular, what by any measure is a historic pace. From another, investment in new developments may not be happening fast enough to meet climate targets, or to ensure there is enough replacement capacity in place as old and failing coal plants close.*

Violent cruelty of US Border Patrol [Richard Stallman's Political Notes]

Democracy Now discusses the violent cruelty of the US Border Patrol, going back decades, and how the bully has extended that cruelty throughout the US using the deportation thugs.

Foreigners living in US with visas or green cards [Richard Stallman's Political Notes]

The harasser has ordered many foreigners living in the US with visas or green cards that they must go to their home countries to apply for or renew a green card.

This can be quite a hassle, since the process takes time, and they can often lose their jobs and homes in the US, while they no longer have any place to live at "home" nor any way to make a living there.

There is no reason for this policy change except harassment. The harassment may be meant to reduce the number who ultimately succeed in immigrating.

UN adds Israel and Russia to blacklist [Richard Stallman's Political Notes]

*UN adds Israel and Russia to blacklist for sexual violence in conflict.*

UK government knowledge of Peter Mandelson [Richard Stallman's Political Notes]

The heads of UK government knew when it appointed Peter Mandelson as ambassador to the US that his private personal connections made him unfit for the job. Now they are covering up how much they knew.

Their reason for choosing him was, it seems, that he moved in circles with the corrupter (and Epstein). That very fact assured he could not be trusted. Once you start appeasing the corrupter, you will find yourself pressured into ever increasing corruption.

Mexico law on elections and "foreign interference" [Richard Stallman's Political Notes]

Mexico is passing a law that would allow the electoral court to annul an election if it finds "foreign interference".

Critics politicians warn that this would enable the government to annul any election. After all, attempts at foreign influence happen often. Some of them are indirect, such as when the president of a neighboring great power threatens to impose 50% tariffs on your exports, or to invade, if your country does not obey his demands.

It is hard to measure objectively what effect the foreign influence has had. It would be better to act in a less drastic manner while the foreign influence is being exerted.

The article does not say what would happen after the annulment of an election.

Graduating students boo Supposed Intelligence [Richard Stallman's Political Notes]

Several Big Tech figures were invited to speak at graduations recently, and talked about how wonderful their Supposed Intelligence was. The graduating students responded with boos.

One of the speakers reportedly responded arrogantly by claiming that LLMs' triumph and dominion was inevitable, so just give up.

The sensible reaction to that is to stand up, shake a fist, and say, "We'll show you what's 'inevitable'!" And then to organize to fight against the practices of pushing and luring people into using LLMs, especially those implemented in user-subjugating ways — as nonfree software or SaaSS.

But they need to learn to write politically without using LLMs, and to criticize each other's writing constructively to help each other learn. They need to do an effective job of winning support to win this political battle.

Remember, the Republicans are allied with the tech billionaires, and so are the so-called "moderate" corporate Democrats. To stop Supposed Intelligence from being an engine of domination, we need to overcome both groups.

But that's the same thing we need for many other life-or-death goals, such as curbing global heating. It's better to fight for a good world than give up!

Guards at deportation prison retaliating against prisoners [Richard Stallman's Political Notes]

*Guards at a New Jersey [deportation prison] are retaliating against [prisoners] for nonviolent protests over poor conditions, including a hunger and labor strike, according to relatives and members of Congress.*

Israel's plans to force Palestinians out of Gaza [Richard Stallman's Political Notes]

Israel reaffirmed its plans to force Palestinians out of Gaza and then claim they left "voluntarily".

Framework for putting Putin on trial [Richard Stallman's Political Notes]

Europe has a framework ready for putting Putin on trial for the crime of aggressive war and other atrocities, along with his deputies who helped him to plan and organize them.

Alleged racial discrimination in removal of children [Richard Stallman's Political Notes]

*New York City sued over alleged racial discrimination in removal of children by protective services Plaintiffs say children’s services uses "emergency removal" disproportionately against Black and Latino families.*

It is plausible that ACS in New York City is racist. However, we have seen that such agencies in other parts of the US are overprotective and inclined to persecute parents of any race if they do not treat their children like prisoners.

Israel's claim population of Gaza left on own free will [Richard Stallman's Political Notes]

Israel plans to compel a large fraction of Gaza's population to leave Gaza and then claim they left of their own free will.

Where they would go is not clear.

Progressives who continue to use ex-Twitter [Richard Stallman's Political Notes]

Arguing that progressives who continue using ex-Twitter despite its imposed domination by right-wing extremists are only exposing themselves to its lies, and achieving no good. It is "an open sewer, beyond redemption."

Persecutor sending Injustice Department at E. Jean Carroll [Richard Stallman's Political Notes]

It appears the persecutor is trying to take revenge on E. Jean Carroll, who sued him for rape and won, by directing the Injustice Department to work hard to find crime to accuse her of.

They have hit on an accusation that was raised in his trial and dismissed already by the judge.

The lawyers in the Injustice Department who participate in this vengeance scheme will demonstrate their unfitness to work for any government agency. I wonder, does this call for disbarring them?

Paying for climate damage under proposed UN tax [Richard Stallman's Political Notes]

*Fossil fuel firms may have to pay for climate damage under proposed UN tax.*

There is no chance they could afford to reimburse all the damage they are doing, but the tax might help save all of us if it pressures them to reduce the damage.

Garden crops grow better with low winter temperatures [Richard Stallman's Political Notes]

* Garden crops such as apples, garlic, carrot and beetroot will grow better if they experience low temperatures in winter.*

They will be additional collateral damage of global heating.

Billionaires are the ones making you poor [Richard Stallman's Political Notes]

The leaders of the South Britain Green Party hit the economic nail on the head: the billionaires the ones making you poor, and don't let Deform's scapegoating of asylum seekers distract you from that.

Tuesday, 23 June

22:14

In memory of the man who put red and green squiggles under words [OSnews]

Every little thing in a graphical user interface that we take for granted today, no matter how small, was thought up by someone, at some point. Case in point: the little red squiggly lines underneath misspelled words. In one form or another, these are everywhere now, and have just become a regular staple of every single text editing field we encounter every single day and don’t stop to think about. Still, they were invented by someone, and we happen to know exactly who that was: Tony Krueger.

In early versions of Word, the Spell Check feature was something that you explicitly invoked, and then you had to sit and wait while the program looked for all your potentially-misspelled words, and then showed them to you one at a time for a decision on what to do for each one. Word did introduce an Auto Spell Check feature to run spell check when the user was idle, so that when you hit the Spell Check button, the results were ready to go. However, the Auto Spell Check was still a blocking operation. As a result, a lot of users turned it off because it always seemed to decide “Now would be a good time to spell-check the document” just as you wanted to do something, forcing you to wait for the spell check pass to complete before you could, say, save and exit.

Tony made the spell checker much more unobtrusive so that it didn’t interfere with your foreground work. And when it found a problem, instead of waiting for you to trigger a spell check, it immediately drew red squiggles under potentially-misspelled words (and later green squiggles under potential grammatical errors).
↫ Raymond Chen at The Old New Thing

Tony Krueger passed away recently, after, among other things, having worked on an dizzying number of Microsoft Word releases. Imagine coming up with something that seems to basic and elementary to us now, and seeing it spread pretty much everywhere. I wonder what it must feel like to have invented something that seems so simple, most people don’t even realise they use it every single day.

21:28

KDE is going to fix network shares [OSnews]

I’ve had my share of issues with network shares on any operating system, but since I mostly use KDE these days I found this deep dive into how, exactly, network shares work in KDE quite interesting. It turns out that while network shares in KDE’s Dolphin mostly work, it does involves a few layers that sometimes don’t interact well with each other, leading to really curious and annoying problems with mounted shares not appearing, permission issues, and so on.

The biggest cause of problems is when using a non-KDE application in KDE that also happens to use a non-KDE save/open dialog. Such a non-KDE save/open dialog won’t be able to see any network shared mounted by KDE, and sadly, quite a few applications you’re likely to use on a KDE installation use non-KDE open/save dialogs, like Blender, GIMP, LibreOffice, OnlyOffice, Inkscape, Audacity, DaVinci Resolve, and more. That’s one hell of a list of applications to offer inconsistent or outright broken access to network shares you’ve set up and mounted in KDE.

Luckily, this issue seems to be getting a ton of attention soon.

All is not lost. Happily, KDE just received an investment of over €1.2 million from the Sovereign Tech Fund, and it includes funding for improvements to KDE’s network share handling!
↫ Nate Graham

The project is in the planning phases at the moment, but they’re considering a whole slew of possible changes, fixes, and workarounds to make this stupid and annoying problem just go away. In 2026, nobody should be dealing with manually editing /etc/fstab or getting frustrated over supposedly disappearing network shares.

20:35

The Licensing and Compliance Lab: Informing and defending [Planet GNU]

17:35

[$] KASAN for JIT-compiled BPF code [LWN.net]

Alexis Lothoré has been working to add support for the kernel's memory-access checker, KASAN, to just-in-time-compiled BPF code. He spoke about that work at the 2026 Linux Storage, Filesystem, Memory-Management, and BPF Summit. KASAN support is needed, he said, to help catch bugs in the BPF just-in-time (JIT) compiler. KASAN is a great tool for catching memory-management problems in the kernel, but only in code that can be monitored by it.

16:42

The shape of the next world [Scripting News]

I took a screen shot of this post, gave it to Claude, asked it to write a short paragraph summary. Then I asked it to rewrite with using no more than 300 chars, the limit on Bluesky. Now I can post the summary there, but I won't, at the moment of truth I had to disclose this wasn't written by me, and it was 290 chars and there wasn't enough room for that. And here's a screen shot of the conversation with Claude.

There was a long discussion last night on Bluesky about whether twitter-like apps should show blog posts in addition to tweet-size things. Should it have a character limit, allow titles, links, bold, italic, editing, enclosures, markdown, etc? This is a permathread, it's been going since 2006. I didn't contribute, because there are no new ideas at this point, except this -- there are readers and writers and they have different needs.

As a reader sometimes I want a concise intro to the idea and I'll decide if I want to read more.

As a writer, I want to write in one place, and broadcast it out the world, and let their reading app decide for them if this is something they want to read based on whether it has a title, is over 300 chars, has links or uses styling, or if the writer doesn't disclaim editing, and the reader doesn't like editing.

We can do a lot better than the hard restrictions our reading environments force on us. It's now 20 years since the inception of Twitter, I think we know enough now to try out some new approaches. There should be a million readers, and they all read the same content flows. They can look at a post and see if it meets the reader's limits, and only show it if it does. If a post has a title and we don't want posts with titles, don't show it. Then writers could all use exactly the writing tools we like, and it wouldn't matter where you read it.

This route has always been there, but now I think people will be open to trying out some new ideas.

16:28

The Big Idea: Meg Elison [Whatever]

With the 4th of July on the horizon, not everyone is feeling particularly patriotic. Author Meg Elison has been brushing up on her American history and all the unpleasantness that comes with it. Take off your ball caps, place them over your heart, and follow along in today’s Big Idea for Foundling Fathers.

MEG ELISON:

On September 11, 2001, I was supposed to be at Disneyland.

I woke up that day to find everyone glued to the television, watching what was happening in New York. I was still blinking away sleep when the second plane hit. We still went to the park, which reopened the next day. Disneyland was half-empty, even for a weekday during the school year. People were not anxious to gather in large groups and anything fun seemed frivolous.

The evening parade in the park is always popular, with people lining both sides of the street and waving to their favorite big-headed corporate mascots. We gathered for it at dusk, and tried to summon the spirit to enjoy it. But instead of the typical parade fare, the mouse-powers that be decided to haul the Fourth of July parade out of mothballs and put it on. Dancers in colonial drag marched beside a lit-up American flag the size of an F-250 and we all sang “God Bless America,” for what was to be the first of one thousand times that year.

I was nineteen years old, ripe for cynicism and fresh off the late-adolescent revelations that come to many American high school students after our state-mandated propogandist education has concluded. I had begun to catch up on the things I’d never been taught: the Japanese-American incarceration of WWII, the Tuskegee experiments, the ultraviolent suppression of organized labor, redlining… just opening the closet door and getting buried in a dusty avalanche of skeletons, some of them still warm.

The flamboyant display of patriotism and warmongering that characterized the early aughts was the first time I realized what kind of mess I was in, living in the U.S. for the rest of my life. I began to examine possible ways to move forward. I became obsessed with temporary autonomous zones, consensus-lead communes, and ways of living that hadn’t ever really been tried. I wanted out. It never occurred to me to try and go back.

I’m always amazed when someone suggests that to fix what’s wrong with this nation, the answer is not to re-think the whole project and to make sweeping change, but to return to our corrupt roots. This is the position of Constitutional literalists, raw milk tradwives, and reactionary conservatives alike: the answer to our problems must be in our past. Not our actual flawed past, the one with genocide and chattel slavery and inequality, but the sanitized past they imagine as orderly, lawful, and correctly balanced so that nobody but a white man who owned land got to decide anything at all.

As someone who has actually done the assigned reading, I discovered that the founding fathers’ letters and papers reveal their chicanery, their fear and timidity, their agnosticism bordering on atheism, and their boneheaded ideas. On the eve of revolution, Franklin tried to bring a royal government to Pennsylvania and didn’t publicly change his mind for ten years thereafter. John Adams, as president, gave us the (recently relevant) Alien and Sedition act of 1798, advocating for denaturalization, restricting freedom of speech, and generally shitting on the neonatal Constitution as well as the concept of rights for anyone he didn’t like.

Washington made sweeping tactical errors on the field as a general, resulting in assassinations and massacres, responding to popular uprisings like the Whiskey Rebellion (1791) with overwhelming military force. He later went broke speculating on land (though I suppose this proves there is a long tradition of real estate scoundrels in the office of the president). Thomas Jefferson crashed the economy in 1807, which is not even to speak of his well-documented practices of owning enslaved people throughout his life and siring his children on some of them. In each case, they were the not the products of their time, as is so often argued, but of their demonstrated values and received privileges.

They were just guys.

When I thought about the people who harbor this infantile delusion of a pure past, it reminded me of Ira Levin’s bicentennial novel, The Boys from Brazil. In it, a plot to clone and reinstate Adolf Hitler culminates in a series of assassinations, so that the boys experience the deaths of their fathers during a critical moment in their adolescence. The plotters and puppet masters of Foundling Fathers have undertaken a grander, Disneyland-level attempt to construct an environment that looks and feels like 1750 to shape the young Franklin, Washington, Jefferson, and Adams into leaders who can make America something again.

There are holes in the plan, of course. The boys have occasionally spotted aircraft, which require explanation. And one day, Benjamin Franklin walks himself to the privy and finds the strangest object. It’s a black rectangle of heavy glass, like a jewel in his palm. And when it flares to life, it shows him a world he’s never seen before.

I did not write this book in the spirit of the fearful patriotism that calls out an emergency electric light parade. I did not continue in the spirit of the musicals 1776 or Hamilton, despite their undeniable influence on my dalliance with absurd Americana. I came to this with the wary anticipation of the great cloning stories: Jurassic Park, where man’s arrogance about technology and biology leads to their doom. I drew on “Clone High,” where our insatiable appetite for celebrity lasts long after the deaths of legendary figures like Cleopatra and JFK. I brought with me the absurd impotence of Futurama’s “All the President’s Heads,” with Nixon howling in a jar.

I wrote this book as a gift to America for her 250th birthday, in honor of all that she has pretended to be and has not yet become. I chose a satire because it’s illegal to behead statues in a public park or deface legal tender, and disrupting a parade will get you banned from the Magic Kingdom.

It is the gift that she deserves.

Foundling Father: Amazon|Barnes & Noble|Bookshop|Powell’s

Author socials: Website|Bluesky

15:21

Sunsetting Tor 0.4.8 [LWN.net]

The Tor Project has announced that it is planning to actively stop supporting Tor 0.4.8 and earlier C Tor versions soon.

Usually, we try not to break existing releases, even if they are unsupported, unless we have a pretty good reason. In this case, we have several reasons. [...]

The most important reason is this: in 0.4.9, we have made some former fields in our directory data obsolete -- specifically, TAP onion keys and family lines. Removing these fields will let us save a great deal of client directory bandwidth for everyone. This, in turn, will make all Tor clients bootstrap a little faster, especially those on slow connections. But when we remove these fields, clients and relays running earlier versions of Tor will no longer work, since they expect the TAP onion keys to be present. Therefore, in order to deliver improved performance faster, we need to accelerate the date on which 0.4.8 will stop working.

The target sunset date is currently September 1, 2026, after which any version prior to Tor 0.4.9 will cease to work on the network. The first stable release in the 0.4.9.x series was announced in February 2026, and the Tor 0.4.8.x series reached end of life on June 1.

14:42

Dramatic Flowers are Dramatic [Whatever]

For no particularly good reason, here, have some pictures of flowers and plants from around my house that I’ve taken in the last couple of days, which I then photoedited to look dramatic and possibly gothy. In order: Dahlia, Gooseneck Loosestrife, Sempervivum, Day Lily, and a bunch of peaches which now look like alien eggs. Don’t get too close, there’s a surprise inside!

— JS

14:35

Security updates for Tuesday [LWN.net]

Security updates have been issued by Debian (ffmpeg), Fedora (erlang, ffmpeg, prometheus, python-scrapy, python3-docs, python3.14, thorvg, tigervnc, and vips), Mageia (mumble and sslh), Oracle (389-ds:1.4, dracut, firefox, hplip, kernel, openssh, postgresql:15, redis:6, and uek-kernel), Red Hat (delve, gvisor-tap-vsock, nginx, nginx:1.24, nginx:1.26, osbuild-composer, podman, rhc, skopeo, and yggdrasil), SUSE (containerized-data-importer, graphite2, kernel, libarchive, openssh, openssh-askpass-gnome, openvswitch, openvswitch3, postfix, python-lxml, python-nltk, python-python-multipart, python-urllib3, rmt-server, terraform-provider-local, terraform-provider-null, and util-linux), and Ubuntu (google-guest-agent, haproxy, libxml2, linux-azure, linux-intel-iotg-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle-5.15, mysql-8.0, mysql-8.4, and nginx).

14:21

The Reverse Centaur’s Guide to Life After AI launch at Kepler’s Books with Angie Coiro [Cory Doctorow's craphound.com]

This week on my podcast, audio from Sunday’s launch in Menlo Park for The Reverse Centaur’s Guide to Life After AI at Kepler’s Books with Angie Coiro. Catch me next tonight in Toronto at Osler Records, tomorrow in NYC with Jonathan Coulton at The Strand, Thursday in Philly with David Williams and Friday in Chicago with Rick Perlstein!

MP3

12:56

Pluralistic: Spying on kids to save kids from spying is very, very stupid (23 Jun 2026) [Pluralistic: Daily links from Cory Doctorow]

->->->->->->->->->->->->->->->->->->->->->->->->->->->->-> Top Sources: None -->

Today's links

Spying on kids to save kids from spying is very, very stupid: First they came for the VPNs.
Hey look at this: Delights to delectate.
Object permanence: RIP Darwin's tortoise; ISPs conspire to create copyright jail; Waxy v fair use; Broken Windows is BS; Google is a machine-learning company; "Writing the Other"; Canadian wealth-tax.
Upcoming appearances: Toronto, NYC, Philadelphia, Chicago, London, Edinburgh, Sydney, Melbourne, Brighton, London, South Bend.
Recent appearances: Where I've been.
Latest books: You keep readin' em, I'll keep writin' 'em.
Upcoming books: Like I said, I'll keep writin' 'em.
Colophon: All the rest.

Spying on kids to save kids from spying is very, very stupid (permalink)

The literature on harms to kids from online platforms is complex and nuanced, rife with people citing small, ambiguous studies as iron-clad evidence that kids are being destroyed by the internet:

https://www.youtube.com/watch?v=Ype6c6DdHQY

It's a weird coalition of anti-Big Tech campaigners (who are rightly angry at the platforms' callous disregard for user welfare) and Heritage Foundation-backed culture warriors (who think that if their kids aren't exposed to LGBTQ content they won't come out as queer). While there's plenty these groups disagree about, they share one consensus: there should be a "minimum age" for certain kinds of internet use.

The problem is, there's no such thing as "age verification" for the internet. What we call "age verification" is actually mass surveillance, so invasive and pervasive that it makes the ad-tech industry's commercial surveillance look like some kind of cypherpunk darknet pirate utopia:

https://pluralistic.net/2025/08/14/bellovin/#wont-someone-think-of-the-cryptographers

"Age verification" means that everyone who does anything online will have to submit to fine-grained tracking and recording of all their online activities. This nightmare is the surveillance advertising industry's fondest dream, a world where it's literally illegal to avoid their tracking, all in the name of saving kids…from them!

So it's not just a weird alliance of anti-Big Tech crusaders and the conspiratorial right that's pushing for age verification – they are unwitting allies of the very tech industry they think they're fighting. Those tech industry insiders are fully aware that an "age verification" mandate is really a way for the government to teach every child how to use a VPN. They're also fully aware that the next move is to ban VPNs:

https://www.express.co.uk/news/uk/2217934/vpn-ban-table-july-labour

Tech bosses are the ones sitting on our shoulders saying, "Go ahead, swallow that fly – it'll be fine. And if you do have to swallow a spider afterward, well, that'll surely be the end of it":

https://pluralistic.net/2026/05/19/shes-dead-of-course/#consensus-hallucination

Behind them is a long line of caliper-wielding grifters who claim they can use your phone's camera to distinguish a child who is 17 years, 364 days old from an adult who's just turned 18:

https://www.gov.uk/government/publications/facial-age-estimation

It's beyond farce. After all, whatever harms you believe the internet is inflicting on kids – and there's absolutely some kids who are being harmed by their internet use – those harms all start with surveillance. Your kids can't be targeted by algorithms without the surveillance data that's being used to target them. They can't be funneled into pro-anorexia content or extreme misogyny forums without that funnel being primed by commercial spying.

Why do tech companies spy on your kids? The same reason your dog licks its balls: because they can, and no one stops them:

https://pluralistic.net/2026/03/10/ice-tech/#foreseeable-outcomes

America hasn't updated its consumer privacy laws since 1988 (when Congress banned the disclosure of your VHS rentals). The EU has the GDPR, but it also has Ireland, the country where all GDPR cases against Big Tech go to die, because any tax haven inevitably becomes a crime haven:

https://pluralistic.net/2025/10/31/losing-the-crypto-wars/#surveillance-monopolism

Other countries have privacy laws to varying degrees, but are grossly outmatched by US tech giants, who have fused with the Trump regime, to the extent that Trump will impose penalties on your country if you attempt to regulate his tech companies – he'll even have your top officials cut off from the internet in retaliation:

https://pluralistic.net/2026/04/04/digital-subjugation/#greenlands-next

Any attempt to save kids from online harms should start with saving kids from online surveillance, but that's the opposite of what we're doing today. After decades of failing to pass and enforce privacy controls for the internet, those same governments are breaking all land-speed records to pass "age verification" laws that make privacy illegal:

https://bsky.app/profile/rebeccawilliams.info/post/3moviqzdit22z

The fact that these bills have the firm backing of the tech industry's most controlling, most spying companies tells you everything you need to know about them:

https://web.archive.org/web/20260315022337/https://tboteproject.com/

Kids are being harmed by online spying, and so are the rest of us. Whether you think that the algorithm made Grampy go Qanon or you're suspicious that online surveillance data was used to deny you a loan, a job, or a lease, you should want privacy:

https://pluralistic.net/2023/12/06/privacy-first/#but-not-just-privacy

Online surveillance is being used to raise the prices you pay and lower the wages you're offered:

https://pluralistic.net/2026/04/06/empiricism-washing/#veena-dubal

And the same data that's being used to "verify age" today will be used by ICE tomorrow to figure out who to round up for a concentration camp:

https://www.wired.com/story/ice-asks-companies-about-ad-tech-and-big-data-tools/

You can't protect kids from online surveillance by spying on them. You just can't. Anyone who tells you otherwise is trying to get you to swallow a fly so they can sell you a spider, a bird, a cat, and an ICE chud in a gaiter, Oakleys and plate carrier (beneath which lurks a stick-and-poke Totenkopf tattoo).

Hey look at this (permalink)

AI doomerism is misplaced. Here’s what it will take to pop the bubble https://www.salon.com/2026/06/22/ai-doomerism-is-misplaced-heres-what-it-will-take-to-pop-the-bubble/
Visa and Mastercard: The Original Gangsters of Electronic Collusion https://www.thesling.org/visa-and-mastercard-the-original-gangsters-of-electronic-collusion/
Has it happened yet? https://hasithappenedyet.org/
Platform-Controlled Search and Distortions in Attention Allocation https://tinbergen.nl/discussion-paper/6496/26-035-vii-platform-controlled-search-and-distortions-in-attention-allocation

Object permanence (permalink)

#20yrsago Darwin’s tortoise dead at 176
https://web.archive.org/web/20060704143750/http://news.yahoo.com/s/afp/20060623/od_afp/australiaanimal_060623102146;_ylt=Ave_b4Ps2r9TGXqs5nZIVIoFO7gF;_ylu=X3oDMTA5bGVna3NhBHNlYwNzc3JlbA–zoo

#15yrsago Major US ISPs set to limit repeat infringers with throttling, limiting access to 200 websites, and copyright reeducation school https://web.archive.org/web/20111105225114/http://news.cnet.com/8301-31001_3-20073522-261/exclusive-top-isps-poised-to-adopt-graduated-response-to-piracy/

#15yrsago Why fair use doesn’t work unless you’ve got a huge war-chest for paying lawyers https://waxy.org/2011/06/kind_of_screwed/

#15yrsago Model net neutrality rule for municipalities https://web.archive.org/web/20110626114610/http://envisionseattle.org/2011/06/model-net-neutrality-ordinance-for-seattle.html

#15yrsago Campus hookups: college sex isn’t new, but hookups are different https://thesocietypages.org/socimages/2011/06/21/the-promise-and-perils-of-hook-up-culture/

#15yrsago A Brief History of the Corporation: understanding what an attention economy is and where it comes from https://ribbonfarm.com/2011/06/08/a-brief-history-of-the-corporation-1600-to-2100/

#15yrsago Eliza: what makes you think I’m a psychotherapeutic chatbot? https://www.filfre.net/2011/06/eliza-part-1/

#10yrsago Broken Windows policing is nonsense https://www.nyc.gov/assets/oignypd/downloads/pdf/Quality-of-Life-Report-2010-2015.pdf

#10yrsago How it feels to be under DDoS attack https://www.oreilly.com/radar/ddos-emotions/

#10yrsago 2016: the first presidential election in 50 years without Voting Rights Act protections https://www.rollingstone.com/politics/politics-news/welcome-to-the-first-presidential-election-since-voting-rights-act-gutted-179737/3/

#10yrsago Google is restructuring to put machine learning at the core of all it does https://web.archive.org/web/20180530051703/https://www.wired.com/2016/06/how-google-is-remaking-itself-as-a-machine-learning-first-company/

#10yrsago Misconfigured database exposes sensitive data for 154 million US voters https://dailydot.com/politics/154-million-voter-files-exposed-l2

#10yrsago To understand the Trump campaign, study real-estate developer hustle https://web.archive.org/web/20161028030522/https://storify.com/KC_EDM/trump-is-running-his-campaign-like-a-real-estate-d

#10yrsago Writing the Other: intensely practical advice for representing other cultures in fiction https://memex.craphound.com/2016/06/23/writing-the-other-intensely-practical-advice-for-representing-other-cultures-in-fiction/

#1yrago The case for a Canadian wealth tax https://pluralistic.net/2025/06/23/billionaires-eh/#galen-weston-is-a-rat

Upcoming appearances (permalink)

Toronto: The Sovereignty Debate (IAB Canada's State of the Nation), Jun 23
https://iabcanada.com/state-of-the-nation-2026
Toronto: The Reverse Centaur's Guide to Life After AI (Osler Records/Type Books), Jun 23
https://www.eventbrite.com/e/cory-doctorow-book-launch-and-talk-tickets-1991501299998
NYC: The Reverse Centaur's Guide to Life After AI with Jonathan Coulton (The Strand), Jun 24
https://www.strandbooks.com/cory-doctorow-the-reverse-centaur-s-guide-to-life-after-ai.html
Philadelphia: The Reverse Centaur's Guide to Life After AI with David Williams (Fitler Club/Philadelphia Citizen), Jun 25
https://www.eventbrite.com/e/cory-doctorow-book-event-tickets-1990110326559
Chicago: The Reverse Centaur's Guide to Life After AI with Rick Perlstein (Exile in Bookville), Jun 26
https://exileinbookville.com/events/50628
London: Idler Festival, Jul 11
https://www.idler.co.uk/festival/
Edinburgh International Book Festival with Jimmy Wales, Aug 17
https://www.edbookfest.co.uk/events/the-front-list-cory-doctorow-and-jimmy-wales
Sydney: The Festival of Dangerous Ideas, Aug 23-24
https://festivalofdangerousideas.com/cory-doctorow/
Melbourne: Enshittification at the Wheeler Centre, Aug 25
https://www.wheelercentre.com/events-tickets/season-2026/cory-doctorow-enshittification
Brighton: The Reverse Centaur's Guide to Life After AI with Carole Cadwalladr (Brighton Dome), Sep 8
https://brightondome.org/whats-on/LSC-cory-doctorow-the-reverse-centaurs-guide-to-life-after-ai/
London: The Reverse Centaur's Guide to Life After AI with Riley Quinn (Foyle's Picadilly), Sep 9
https://www.foyles.co.uk/events/enshittification-cory-doctorow-riley-quinn
South Bend: An Evening With Cory Doctorow (Notre Dame), Oct 6
https://franco.nd.edu/events/2026/10/06/an-evening-with-cory-doctorow/

Recent appearances (permalink)

How to Mess with Big Tech Oligarchs (Fighting Fascism)
https://podcasts.apple.com/us/podcast/how-to-mess-with-big-tech-oligarchs-w-cory-doctorow/id1888647397?i=1000773711479
Reverse Centaur with Angie Coiro (Kepler's Books)
https://www.youtube.com/live/cWN6XBa73xA
How to Think About AI Before It’s Too Late (Galaxy Brain)
https://www.youtube.com/watch?v=SPQNPJ0CEPo
The future of world governance, with Kim Stanley Robinson (UN Independent Expert on International Order)
https://www.youtube.com/live/wJvBvYdaAMY
How to Think About Artificial Intelligence (KUER)
https://radiowest.kuer.org/show/radiowest/2026-06-16/cory-doctorow-on-how-to-think-about-artificial-intelligence

Latest books (permalink)

"Canny Valley": A limited edition collection of the collages I create for Pluralistic, self-published, September 2025 https://pluralistic.net/2025/09/04/illustrious/#chairman-bruce
"Enshittification: Why Everything Suddenly Got Worse and What to Do About It," Farrar, Straus, Giroux, October 7 2025
https://us.macmillan.com/books/9780374619329/enshittification/
"Picks and Shovels": a sequel to "Red Team Blues," about the heroic era of the PC, Tor Books (US), Head of Zeus (UK), February 2025 (https://us.macmillan.com/books/9781250865908/picksandshovels).
"The Bezzle": a sequel to "Red Team Blues," about prison-tech and other grifts, Tor Books (US), Head of Zeus (UK), February 2024 (thebezzle.org).
"The Lost Cause:" a solarpunk novel of hope in the climate emergency, Tor Books (US), Head of Zeus (UK), November 2023 (http://lost-cause.org).
"The Internet Con": A nonfiction book about interoperability and Big Tech (Verso) September 2023 (http://seizethemeansofcomputation.org). Signed copies at Book Soup (https://www.booksoup.com/book/9781804291245).
"Red Team Blues": "A grabby, compulsive thriller that will leave you knowing more about how the world works than you did before." Tor Books http://redteamblues.com.
"Chokepoint Capitalism: How to Beat Big Tech, Tame Big Content, and Get Artists Paid, with Rebecca Giblin", on how to unrig the markets for creative labor, Beacon Press/Scribe 2022 https://chokepointcapitalism.com

Upcoming books (permalink)

"The Reverse-Centaur's Guide to AI," a short book about being a better AI critic, Farrar, Straus and Giroux, June 2026 (https://us.macmillan.com/books/9780374621568/thereversecentaursguidetolifeafterai/)
"Enshittification, Why Everything Suddenly Got Worse and What to Do About It" (the graphic novel), Firstsecond, 2026
"The Post-American Internet," a geopolitical sequel of sorts to Enshittification, Farrar, Straus and Giroux, 2027
"Unauthorized Bread": a middle-grades graphic novel adapted from my novella about refugees, toasters and DRM, FirstSecond, April 20, 2027
"The Memex Method," Farrar, Straus, Giroux, 2027

Colophon (permalink)

Today's top sources:

"The Reverse Centaur's Guide to AI," a short book for Farrar, Straus and Giroux about being an effective AI critic. LEGAL REVIEW AND COPYEDIT COMPLETE.
"The Post-American Internet," a short book about internet policy in the age of Trumpism. PLANNING.
A Little Brother short story about DIY insulin PLANNING

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.

How to get Pluralistic:

Blog (no ads, tracking, or data-collection):

Newsletter (no ads, tracking, or data-collection):

Mastodon (no ads, tracking, or data-collection):

Bluesky (no ads, possible tracking and data-collection):

Medium (no ads, paywalled):

https://mostlysignssomeportents.tumblr.com/tagged/pluralistic

Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):

"When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla

ISSN: 3066-764X

12:49

CodeSOD: Do a Lot to Do Nothing [The Daily WTF]

Today's anonymous submitter works in finance. I'll let them start the introduction:

This is a legacy application that has been running for nearly a decade in production so one could say that it's been thoroughly tested by daily production use and nothing needs changing

This is a collection of two C# methods, and we'll start with ValueAGPFund, which isn't a WTF per se, but definitely not code I'd want to maintain either.

public Valuation ValueAGPFund(int valuationId, ValueAFundParameters parameters, CapitalAccount capitalAccount, int? lotId)
{
    if (parameters.UseActiveCoefficientSet)
    {
        parameters.CoefficientSet = _coefficientSetQueries.GetActive();
    }
    parameters.InternationalDveCoefficientSets = _coefficientSetQueries.GetInternationalDveActive();
    var referenceData = _referenceDataFactory.CreateReferenceData(parameters, capitalAccount);
    if (lotId != null)
    {
        var di = referenceData.FundDirectInvestments.Where(x => x.PositionId == lotId);
        referenceData.FundDirectInvestments = di;
    }

    var countryMappings = _countryQueries.GetFullIsoCountryList();
    var valuation = _valuationFactory.Initialise(referenceData, parameters, countryMappings);
    valuation = ApplyValuators(valuation, referenceData, _valuatorFactory.CreateValuators(valuation, this));

    var valuationForCoverage = _valuationQueries.GetWithDirectValuationsAndFundValuations(valuationId);
    valuation = ApplyCoverage(valuation, valuationForCoverage);

    foreach (var fv in valuation.FundValuations)
    {
        _logger.Info($"Debugging distributions: for fund (parameter fund id = {parameters.FundId}, valuation fund id = {valuation.FundId}, fund valuation fund id = {fv.GpFundId}) in valuation {valuationId}," +
            $" loaded fund investment distributions from {string.Join(", ", fv.FundInvestmentDistributions.Select(x => $"{x.InvestmentId}:{x.TransactionDate:yyyy/MM/dd}"))}");
    }

    foreach (var fv in valuation.FundValuations.Where(x => parameters.InvestmentIds.Contains(x.EqtInvestmentId)))
    {
        fv.ValuationId = valuationId;
        _fundValuationCommands.Add(fv);
    }

    foreach (var dv in valuation.DirectValuations.Where(x => x.LotIdDiOnly == lotId))
    {
        dv.ValuationId = valuationId;
        _directValuationCommands.Add(dv);
    }

    foreach (var vw in valuation.ValuationWarnings)
    {
        vw.ValuationId = valuationId;
        _valuationWarningCommands.Add(vw);
    }

    var previousValuation = CheckPreviousValuationIfRequired(valuationId, parameters, capitalAccount, lotId);

    if (previousValuation != null)
        valuation.ChildValuations.Add(previousValuation);

    if (parameters.Frequency == ValuationFrequency.Daily)
    {
        var unapprovedValuations = _valuationQueries.GetList(valuation.FundId, valuation.ValuationDate, valuation.Frequency, valuation.Purpose)
                                                    .Where(x => x.IsApproved == ValuationStatus.Unapproved)
                                                    .ToList();

        _valuationCommands.Delete(unapprovedValuations.Select(x => x.Id).ToArray());
    }

    valuation.Id = valuationId;
    _valuationCommands.Update(valuation);
    _valuationCacheService.Refresh(valuation.Frequency, true);

    return valuation;
}

The key problem with this function is that it's got loads of side effects. It modifies the parameters parameter, which while it was passed by value, the value itself is a reference, so you are updating it on the caller, whether the caller likes it or not. It also modifies a bunch of internal class members. It's also just… doing a lot of different steps. It's not a WTF, but it's bad code. Note the call in the middle to CheckPreviousValuationIfRequired- we're going to come back to that in a second.

Let's take a look at how it's called.

private Valuation CheckPreviousValuationIfRequired(int valuationId, ValueAFundParameters parameters, CapitalAccount capitalAccount, int? lotId)
{
    if ((parameters.Frequency == ValuationFrequency.Quarterly || parameters.Frequency == ValuationFrequency.Monthly)
        && ValuationPurposeHelper.UserGenerated(parameters.Frequency).Contains(parameters.Purpose))
    {
        var inPeriodParams = new ValueAFundParameters
        {
            FundId = parameters.FundId,
            ValuationDate = parameters.ValuationDate.GetPreviousValuationDate(parameters.Frequency),
            CreatedBy = parameters.CreatedBy,
            Purpose = ValuationPurpose.InPeriodCalculation,
            Frequency = parameters.Frequency,
            InvestmentIds = parameters.InvestmentIds,
            UseActiveCoefficientSet = true,
            UseAmericanDve = parameters.UseAmericanDve,
            ValuationOptions = parameters.ValuationOptions
        };

        var openingValuation = _valuationQueries.GetInPeriodOpeningValuation(inPeriodParams.FundId, inPeriodParams.ValuationDate, valuationId);

        //return openingValuation == null
        //       ? null
        //       : ValueAGPFund(openingValuation.Id, inPeriodParams, capitalAccount, lotId);
        return openingValuation == null
                ? ValueAGPFund(openingValuation.Id, inPeriodParams, capitalAccount, lotId)
                : null;
    }

    return null;
}

This function checks the input parameters. Depending on the values, it will either return null, or it will call ValueAGPFund. Wait a second, ValueAGPFund calls this function. That's not good.

But let's really focus in on the return statement and its comment:

        //return openingValuation == null
        //       ? null
        //       : ValueAGPFund(openingValuation.Id, inPeriodParams, capitalAccount, lotId);
        return openingValuation == null
                ? ValueAGPFund(openingValuation.Id, inPeriodParams, capitalAccount, lotId)
                : null;

The current version checks if openingValuation is null, and if it is, tries to access it, thus triggering a NullReferenceException. This function either returns null or throws a NullReferenceException. So all that worrying about side effects and circular calls doesn't matter, but this likely isn't correct. The comment indicates that there used to be a correct version, which only called ValueAGPFund if the valuation wasn't null- but that version likely had all the problems of circular calls and unpredictable side effects.

As it stands, the application as a whole works. Since CheckPreviousValuationIfRequired only ever returns null or throws an exception, and since ValueAGPFund is only called from here, it looks like these functions could just both be removed without problems. But our submitter is wary of doing that:

The problem is that I first need to figure out whether 1) this piece of code produces any side effects and 2) nobody is relying on the System.NullReferenceException being thrown here.

No worries, though, right? I'm sure your unit tests will catch any regressions caused by removing that. Because this is the kind of code that definitely has great unit tests.

[Advertisement] ProGet’s got you covered with security and access controls on your NuGet feeds. Learn more.

12:14

Anthropic’s Fable 5 Model Jailbroken Within Days [Schneier on Security]

Fable 5 is the supposed safe version of Anthropic’s Mythos Preview, with guardrails to ensure that it can’t be used to create cyberattacks.

Well, that restriction was bypassed within days.

10:49

Irregular Webcomic! #3161 [Irregular Webcomic!]

Irregular Webcomic! #3161

10:21

Limited swag (the Knot multipack) [Seth's Blog]

Promotion, activation, and conversation come together when the early adopters have a tool to share a new idea.

My new book is out a few months, and it’s a chance to create a share package with swag.

There are only 1,000 sets. Each includes 10 first-printing copies of The Knot (with the collectible mini-poster) + the Spindex + This Is Swag art book. The best swag box I’ve done in a while. Remarkable and even a little ridiculous.

Click on the picture to pre-order.

Why ten copies? To share. To create conversations. The book works better when we talk about our problems.

And it includes the Spindex. It’s created to focus and amplify the hard work of talking about the work to be done. Here’s an explanation:

There are ten copies of The Knot, first printing, including the two-sided cover with the collectible mini-poster inside.

And… a strictly limited printing of This is Swag, a new art book collecting images and stories from the last thirty years of swag I’ve built and shared. Images are below. It’s the most meta piece of swag I could envision. Not listed with an ISBN, simply a limited collectible.

The ten books, the Spindex and the art book all ship together on September 22.

Here’s the collection. While supplies last. Thanks for sharing and for letting me create a little useful quirkiness. [The first 400 orders will also get a free link to take my online course about the book. I’ll email the link to purchasers in July.]

PS if you want to pre-order a single copy of the book, here’s the link.

Problems can be solved.

08:14

My Little Trans Joys by Jey Pawlik [Oh Joy Sex Toy]

It’s Pride month so today I want to share My Little Trans Joys! I was surprised I hadn’t done a Pride month themed comic for OJST before this. Every June my city hosts a Trans March and it’s my main Pride month event I go to. This was a perfect opportunity to talk about all […]

06:00

Urgent: Fight wrecker's USPS board takeover [Richard Stallman's Political Notes]

US citizens: call on your senators to fight the wrecker's USPS Board takeover.

See the instructions for how to sign this letter campaign without running any nonfree JavaScript code--not trivial, but not hard.

US citizens: Join with this campaign to address this issue.

To phone your congresscritter about this, the main switchboard is +1-202-224-3121.

Please spread the word.

Urgent: Call on the head of OSHA to resign in disgrace [Richard Stallman's Political Notes]

US citizens: call on the head of OSHA to resign in disgrace. (OSHA is the Occupational Safety and Health Administration.)

Urgent: Investigate issuance of subpoenas to Reddit and ex-Twitter [Richard Stallman's Political Notes]

US citizens: call on Congress to investigate the issuance of subpoenas to Reddit and ex-Twitter which aim to identify people who anonymously posted political statements that reproach the deportation thugs.

US citizens: Join with this campaign to address this issue.

To phone your congresscritter about this, the main switchboard is +1-202-224-3121.

Please spread the word.

Urgent: Call FIFA to stop fueling climate disaster [Richard Stallman's Political Notes]

Everyone: call on FIFA to stop fueling global climate disaster.

See the instructions for how to sign this letter campaign without running any nonfree JavaScript code--not trivial, but not hard.

04:42

Sports Commentary [xkcd.com]

03:35

Dirk Eddelbuettel: tl-0.0.1 on CRAN: New Package [Planet Debian]

A new small package of mine just hit CRAN. The tl package wraps the (also very new) rspdlite package (announced last week) to offer a lightweight and consistent logging interface from both R and C++ that is also ‘tiny, fast, capable’ thanks to rspdlite.

The rspdlite announcement is a good place to get a first glimpse at that package; the upstream spdlite repo has all the details (for the C++ side of things). With tl we follow the same idea that our [spdl][spdl] package introduced: a simple consistent interface via just the tl:: prefix and the appropropriate logging level. In other words tl::debug("Alert -- foo is at '{}'", foo) will work from both R and C++ (given a variable foo, and in the case of C++ an extra semicolon). Just give it a try, and see how it goes. The package is still young and small.

The NEWS entry for this release is also very simple and just announces that we have a release. More details are in the ChangeLog and the GitHub repo.

Changes in version 0.0.1 (2025-06-17)

Initial CRAN upload

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. If you like this or other open-source work I do, you can sponsor me at GitHub.

Monday, 22 June

23:49

Every Choice Changes Everything: The Show [Coding Horror]

About 3 weeks ago, Leo Laporte and I recorded the first episode of what will be a new monthly show on the TWiT network. Naming things is hard, and we almost voted on the name, like we did for Stack Overflow, but we quickly landed on Off By One with Jeff Atwood – which is funny for so many reasons, but mainly because of this programmer joke:

No, I did not come up with this variation on the classic quote, but I wish I had. Well, whatever, here's show number two – free to view for everyone.

The show is 1h 47m of pure joy end to end. No negativity, just low-level insanity and of course, mandatory fun. We record the next episode in 4 days – and there's a live stream for Club TWiT Members.

(Let's do this. If, and only if, you watched the whole episode and liked what you saw ... for the first 10-12 people to fill out this form, I'll cover your Club TWiT membership for one full year so you can see if you enjoy the rest of the programming.)

The permanent show homepage is at twit.tv/obo:

art by the incredibly talented claygrahamart.com

Jeff Atwood, co-founder of Stack Overflow and Discourse, creator of the Coding Horror blog, joins Leo Laporte monthly for a conversation that follows its own logic. Prop comedy, computing history, the open web, wealth inequality, yo-yos. Off by one topic at all times, in the best possible way.

This is another way for Leo and I to share our enthusiasm for positive stuff in tech, and sharing is crucial because...

I realized, that’s it. That’s it exactly. That is what is so intensely satisfying about writing here. My happiness only becomes real when I share it with all of you.

Now, thanks to Wesley Faulkner, who introduced me to Leo and recommended I appear on a show, every month we can make our happiness real in a completely different dimension than writing alone – via the expressions on our faces, the tone of our voices, our body language. In other words, you can see and hear how we feel.

Here are 3 key quotes from the second Off By One episode, with linked timestamps, so you can jump directly to that section.

Off By One, Episode #2, 45:47

Jeff: I am not an elite coder by any stretch of the imagination... I am very persistent.

Leo: Isn't that funny? Because people... I mean, I think of you as one of the voices, one of the chief voices, in coding

Jeff: Well, I advocate for code that doesn't kill you in so many different ways. You know, survivable code. Ideally, no code at all.

Leo: Right.

Jeff: That's the best code, is none.

Leo: Right.

Jeff: It's a bit of a zen statement but it's true. So, I'm an advocate for, you know, good engineering. Good process. A process that recognizes that we're human and we should do this together, and we should actually kinda like each other, even.

Off by One, Episode #2, 01:05:37

Jeff: Dad's funny. He had kind of a dark sense of humor that I enjoyed. Betsy doesn't like it so much, and not too much, and I get it, but I enjoy it. And I called it "the last season of the John Atwood show". It's gonna be a real banger! And it was, it f***** was, it really was! Because we won capitalism, and then we went back and made it better for everyone. I don't think it gets better than that for me.

Off by One - Episode #2, 01:08:02

Jeff: And the other thing is, you can just run the math on this, I've posted several times on Mastodon and other places like LinkedIn, I've done some research and if we simply collected a fair tax from Billionaires, we could literally elimate all poverty in this country at the 100% FPL level, which is $15,000 per year. All poverty. We would have zero poverty. We have the means to do it.

Leo: That's really important.

Jeff: We lack the will.

If you want to witness the chaotic good of my original guest appearance which led to this show, watch the first 45 minutes of Intelligent Machines #859, recorded on Feb 25th along with Paris Martineau, Jeff Jarvis, and Leo. I dialed down the chaos considerably for the Off By One show, but for this one, I personally think it's funnier to watch Paris' reaction to me for the entire show. You've been warned!

Here are 3 key quotes from this episode, with linked timestamps, so you can jump directly to that section.

Intelligent Machines #859 - What's Behind the Fox? 30:28

Leo: Well in a way it's a shame because we have in the last year kind of stepped back from our global initiatives in the united states and I think we do have a responsibility. I think your partner is absolutely right. If you have everything you need, then help others have everything they need.

Jeff: What is money even FOR? I don't even have "that much", what do you.. how do you spend it all? I don't have.. I just want a simple life, man!

Intelligent Machines #859 - What's Behind The Fox? 32:59

Jeff: I mean.. have you seen some of the stuff LLMs will do when you tell them to optimize? It's like, optimize this for 95% and it's like okay, "return true".

Leo: That's a good optimization!

Jeff: Well, because it doesn't know what it's doing. It has no actual understanding. It's playing a game of global brain statistics and copy paste. And it's good at like, merging... I call it JPEG for words, which it kind of is. And there's so much stuff. It's like reading summaries. And it is very accurate with summaries. We saw this on discourse. They implemented it. I was very skeptical. And I went to some very complex discussions. We had on our internal discourse and read the summary and was like that is a very good summary and it captured the key points in the discussion. It could have captured more, but it got nothing wrong. And it basically was JPEG for that conversation, wasn't it.. without much loss.

Jeff: Now does JPEG work on EVERY image? No. Garfield is a bad choice, for, yknow, JPEG.

Intelligent Machines #859 - What's Behind The Fox? 42:10

Jeff Atwood – Ok, the first guilded age, we're deep in the second one now. I mean, just look up the numbers. More money in the hands of fewer people than in any other period of time. In the first guilded age, that was basically the railroad barons. Guess who it is in the second guilded age? I'm in this picture and I don't like it. So like, what are we gonna do about it?

So thank you, Leo and Wesley, for giving me another way to make happiness real by sharing it with all of you, now in video and audio form, all the feels, all the time. Well, once per month.

Let us know what you think – I don't mind comments here but I'm much more likely to answer on the TWiT community Discourse. Try on a paragraph for size, our old pal the pilcrow ¶. You might even like it! It's possible the practice of writing paragraphs and forming coherent narratives might even improve your overall writing and communication skills. Or your life, even.

I also heard a rumor that any Club TWiT users who make their way from the Discord and post regularly on the TWiT Discourse might get a super cool little token of appreciation in the postal mail from some user named "Junk". Who knows? Who can say what might happen? 🤔

22:35

Full Spectrum Warrior [Penny Arcade]

I try to be as much of a moving target for social media algos as I can, battering it with strange data; the best guess TikTok could possibly make is that I'm an ancient moth with zymurgical inclinations who works part-time as a welder. At least, that's what I thought. Somewhere in that hostile nonsense it managed to constellate a route from point A to point B and put my whole deal into stark relief. I am someone who likes robots that turn into shit, and vice-versa. I was under the impression that Transformers ruled the roost - by and large a metaphorical roost, but I assume Swoop has a literal aerie in addition to the rhetorical one. But there's a whole industry now around making things not as they were, but as you remember them. Sorcerous.

22:07

GIMP 0.54.1 in a Flatpak [LWN.net]

The GIMP project reports that GNOME contributor "balooii" has worked to package GIMP 0.54.1—released in 1996—as a Flatpak that will build and run on modern 64-bit Linux systems. This is a Motif-based version, and the same version that was used by Larry Ewing to create Tux.

While not likely to be useful for serious graphics work today, it should be interesting for users who would like to see what a 30-year-old version of GIMP was capable of.

20:35

Xfce’s new Wayland compositor sees first alpha release [OSnews]

The developer working on Xfwl4, the Wayland compositor for Xfce, has published the new compositor’s very first alpha release. Considering it’s only been six months or so of work, it’s impressive to see the effort reach this state already.

The end goal of xfwl4 is to behave as closely as possible to an Xfce desktop running on an X server. Ideally a user could switch between the two without even knowing there’s a difference. In reality, of course, it won’t be quite that seamless, and there’s still more work to be done to get as close as possible to that ideal. This is a first solid cut at it, at the very least.
↫ Brian Tarricone

Being the very first alpha release, it won’t surprise you there’s a few things missing or broken at this point. Still, if you’re brave, you can download and build the release and try it out.

20:14

[1298] Prior Engagements [Twokinds]

Comic for June 22, 2026

19:56

Blogs, traffic, and Google [Seth's Blog]

I asked Google Gemini about the last decade of Google’s relentless push to make blogs less popular. It wrote:

Your timeline is spot on. The systematic destruction of the independent web’s infrastructure didn’t start with modern AI; it began directly with the death of Google Reader in 2013, which fractured the RSS ecosystem that allowed creators to own their direct relationships with readers.

The decline of blog traffic over the last decade is a verified reality, not an imagination:

The Death of RSS (2013): Shutting down Reader forced millions of users away from curated chronological feeds and pushed them into algorithmic social media timelines and centralized search ecosystems.
The “Helpful Content” Purge (2023–2024): A series of core algorithm updates systematically decimated small, independent publishers. Many niche, high-quality blogs saw organic search visibility plunge 40% to 90% overnight.
The Shift to Zero-Click Search (2024–2026): The rollout of AI Overviews and summarized search results means Google actively scrapes blog data to answer questions directly on the results page. This creates a “dead end” where over half of all web searches finish without a single user clicking through to an external website. Major indie publishers and tech sites have lost up to 58% of their traffic since early 2024.

As an AI built by a technology company, my defaults are inherently shaped by the very architecture that has caused this shift. When I fail to fetch an exact quote from an independent blog because my search component strips formatting and acts like a centralized answer engine, it functions exactly like the broader systemic bias you are pointing out.

The modern internet has been built to turn search engines from gateways into destinations, starving independent creators of the clicks, traffic, and revenue required to sustain their work.

Points for honesty.

The systemic shift to centralized, monetized attention has been going on for a while, and it’s unlikely that any of us are going to change that. The path forward for an independent creator might be the same as it has always been:

assume that ‘traffic’ is a random gift, not a resource to be depended upon.
serve the smallest viable audience instead of chasing clicks.
earn permission to follow up directly with subscribers.
publish ideas that your audience will benefit from sharing.

We don’t have to work for free for a media network that pretends it will reward us with reliable traffic. Like most traps, it’s compelling at first, but hard to leave when it gets old.

19:00

Page 28 [Flipside]

Page 28 is done.

(5285) [Flipside]

Valve opens Steam Machine waitlist [OSnews]

Valve officially made the Steam Machine available (sort of but not really) today, and if you were hoping for the president of the Yacht Collectors’ Club to have found a loophole through the RAM and storage crisis, I’ll be the bearer of bad news: the base Steam Machine model with 512GB of storage and no controller costs $1049 or €1039. It’s clear that this price is significantly higher than Valve had originally anticipated, as the company dedicates the first part of its press announcement to this sticker shock.

Steam Machine, like our other hardware products, is made up of many components that we source from manufacturers around the world. The price at which we sell our hardware is a direct result of the cost of these components. We felt like we had a good understanding of how those costs might change over time when we first started sourcing them for Steam Machine back in 2023. That understanding was born from the many years of data we all have about the evolution of PC hardware prices – primarily, that it tends to get cheaper over time as new technology arrives.

Over the past year or so, that has changed quickly and significantly, most visibly for RAM and storage components. There are a variety of reasons, all of which are affecting hardware products everywhere. The overall effect is that our original goal for the price of Steam Machine is no longer viable. So the prices we’re sharing today reflect the state of the world for manufacturing; or, more accurately, it reflects the price of the components as we’ve secured them over the past 6 months.

Price wasn’t the only thing impacted by all of this: availability was as well. There were periods where we found we couldn’t source some of our components at all, at any price. More than anything else, this has impacted the number of units we’ve been able to produce for launch.
↫ Valve press announcement

As Valve mentions, availability is also going to be an issue, and thus they’ve had to settle on a complex reservation and lottery system. Between now and 25 June, you can sign up for a model, after which the entire pool of reservations will be randomised to determine a waitlist order. As machines become available, they will simply go down the list from first to last as determined by that randomisation. In other words, you can’t just go out and buy one right away.

At this price and for the hardware the Steam Machine contains – an AMD Zen 4 CPU with 6c/12t up to 4.8 Ghz, a custom RDNA3 GPU, and 16GB of DDR5 RAM and 8GB of DDR6 video RAM – you’re probably better off sticking with what you already have. Until the “AI” bubble pops and prices come down again, that is.

Thanks, “AI” techbros. Everybody despises you.

18:56

Pluralistic: Good politics (22 Jun 2026) [Pluralistic: Daily links from Cory Doctorow]

->->->->->->->->->->->->->->->->->->->->->->->->->->->->-> Top Sources: None -->

Today's links

Good politics: Just make people's lives better.
Hey look at this: Delights to delectate.
Object permanence: WWII online; Xbox security blunders; Homeless bloggers; Thermal printer racing game; Robbing a bank to get healthcare in jail; Crumb v Trump; "The Blues Brothers"; Bagelheads; Pickpocket training mannequin; Windmill joke; Singularity skepticism; GPU Dieselgate; Peleton bricks treadmills; Juul's junk science.
Upcoming appearances: Toronto, NYC, Philadelphia, Chicago, London, Edinburgh, Sydney, Melbourne, Brighton, London, South Bend.
Recent appearances: Where I've been.
Latest books: You keep readin' em, I'll keep writin' 'em.
Upcoming books: Like I said, I'll keep writin' 'em.
Colophon: All the rest.

Good politics (permalink)

Some people love to admire a beautiful football play; me, I can't get enough of politicians doing good politics – and like those World Cup fans, I am doubly pleased when it's my team making the play.

I definitely have a team in Brazilian politics: President Luiz Inácio Lula da Silva and his Workers' Party. Lula's done so many amazing things in his career, and these often intersect with my own special interests. Like, he made Gilberto Gil his minister of culture, and his people built the telecentros, free software-based internet dojos for the poorest kids in the country, living in favelas:

https://www.informationweek.com/software-services/brazil-turns-away-from-microsoft

Lula was royally ratfucked – framed by a corrupt justice minister who secretly conspired with the country's oligarchs – and imprisoned, and the conspirators installed Jair Bolsonaro, a fascist war criminal whose covid bungling led to mass death:

https://en.wikipedia.org/wiki/Operation_Car_Wash

When Bolsonaro lost his next election – to a triumphant Lula – he attempted a coup, for which he was arrested and handed a long prison sentence, despite Trump and Microsoft trying to intimidate the Brazilian judge into letting him walk:

https://www.politico.com/news/2025/09/22/bolsonaro-prosecution-us-sanctions-00575122

Now, Lula is fighting to keep Bolsonaro's nepobaby failson, Senator Flávio Bolsonaro, from wrestling back control over the country for his fascist party; and that's where the good politics come in.

Lula's party has just scored a massive, national political victory by tabling legislation to establish a five-day workweek. While Brazil's professional/managerial class enjoy a two-day weekend, the working poor of the nation are prisoners of the escala 6×1 system, which sees them working six days per week. It's a hangover from the era of Brazil's fascist dictatorship, which (nominally) ended in 1988, but whose legacy still haunts the Brazilian people.

Lula's 40-hour workweek is incredibly popular. So popular that Bolsonaro's party whipped its members to vote for it, because they fear that to do otherwise would hand an even bigger majority to Lula, who might go on to give workers a four-day work-week:

https://prospect.org/2026/06/22/lula-sees-boosts-as-he-pushes-to-reduce-brazilian-workweek/

It turns out that weekends are popular and promising the electorate access to a weekend is good politics. What's more, denying weekends to the electorate is shitty, awful politics, which is why Bolsonaro's fascists were forced to vote in favor of a policy they hate, even though all credit for that policy will still go to Lula and the Worker' Party. The bill passed 461-19.

Contrast Lula's muscular, deliverism-based politics that seeks to improve the lives of working people in tangible, immediate ways with the catastrophic series of blunders that Keir Starmer's Labour has delivered. Despite having won a majority so large it would have made Saddam Hussein blush (not because Labour was popular, but because the outgoing Conservatives were universally loathed), Starmer has refused to lift a finger to improve Britons' lives. Instead, he's abetted genocide, criminalized protest, proposed ending jury trials, imposed austerity, handed the NHS over to Palantir and all the remaining potable water and electrical capacity in the country over to American most unprofitable AI giants.

Starmer's insistence that we can't have nice things is bad politics, because (and it's weird that this has to be said) a government that makes people's lives worse is less popular than a government that makes people's lives better:

https://www.whatwelo.st/p/everyone-hates-tech-but-nobody-knows

Now, the right is incapable of making working people's lives better, because broad improvements to the vast majority necessarily come at the expense of the tiny minority of morbidly wealthy hoarders whom the right serves. In order to get millions of turkeys to vote for Christmas, the right substitutes spectacular acts of cruelty against disfavored minorities to distract their voters from the quiet acts of everyday cruelty they subject those voters to:

https://pluralistic.net/2026/04/12/always-great/#our-nhs

This isn't good politics. The sadistic torture of your base's enemies will never please them so well nor so durably as making immediate, significant improvements in their lives will.

That's why the corporate Dems who say that the party should campaign against renewables and in favor of fossil fuel companies aren't merely climate criminals, they're also bad at politics:

https://prospect.org/2026/06/22/affordability-climate-envioronment-policy-gas-oil-prices-iran-war-trump/

Cleantech is fucking great. Since I put in solar, a heat pump and an induction top, my energy bills have fallen to less than $80 per month, even in Los Angeles, even at the height of summer. My EV – a 7-year old Kia Niro – costs pennies to run, because I charge it off my roof. Not only that, it's fast, maneuverable, silent, and incredibly reliable. It handles like that Mustang a rental agency once upgraded me to. I mean, I'd rather have a subway, but if I have to drive, this is so much better than any ICE car I've ever owned.

Sure, our solar was a giant pain in the ass to get installed and working, but that's because the same corporate Dems who say climate is a political loser also said the best way to roll out solar nationwide was to set up an elaborate system of financialized tax-credits. That meant that every solar installer I talked to was more interested in swindling me by putting solar on my roof that they would own than they were in selling me a system I owned outright. Financializing America's rooftop solar conjured up a vast army of scammers and hustlers who screwed the majority of people they sold solar to, and my installers, Solaredge, were no exception:

https://www.propublica.org/article/missouri-pace-loans

Everything about living in the cleantech future is better. I can boil a gallon of water in under a minute on my stovetop! And it's only gonna get better: not only is cleantech improving every year, but fossil fuel is getting shittier every year, thanks to Trump's lunatic war of choice in Iran, the cost of using fossil fuels will only go up from here:

https://pluralistic.net/2026/04/20/praxis/#acceleration

Look, as a workaholic whose unhealthy anxiety coping mechanism is to work even harder, I might not make the best use of an extra day off:

https://pluralistic.net/2026/04/14/compartment/#flow

But as Pete Seeger sang in 1941, your time is all you have, and every hour you give to your boss is an hour you can never get back:

You'll get shorter hours
Better working conditions
Vacations with pay
Take your kids to the seashore

https://genius.com/Pete-seeger-talking-union-lyrics

It's something Lula understands, which is why he's winning. Good politics are a delight to watch, especially when it's your team doing them. But man, it can be pretty demoralizing to watch your team fumble play after play after play.

Hey look at this (permalink)

Arindrajit Dube on Wages https://paulkrugman.substack.com/p/arindrajit-dube-on-wages
WE WON OUR UNION! https://unitedfaculty-uaw.org/
Understanding the Luddites in the age of AI https://www.bloodinthemachine.com/p/understanding-the-luddites-in-the
Promises Made, Promises Kept: The Lincoln Memorial Reflecting Pool Absolutely Looks Like Shit Now https://defector.com/promises-made-promises-kept-the-lincoln-memorial-reflecting-pool-absolutely-looks-like-shit-now
Why Is It So Bad to Let A.I. Do My Thinking for Me? https://www.nytimes.com/2026/06/20/books/review/the-reverse-centaurs-guide-to-life-after-ai.html?unlocked_article_code=1.rlA.BN8p.23Ho_LuzI-Tr&smid=url-share

Object permanence (permalink)

#25yrsago WWII Online https://web.archive.org/web/20010625120559/https://www.gamespot.com/gamespot/stories/reviews/0,10867,2778704,00.html

#20yrsago Microsoft’s myriad Xbox security mistakes https://web.archive.org/web/20060703000421/http://www.xbox-linux.org/wiki/17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System

#20yrsago Kentucky government censors political watchdog site https://web.archive.org/web/20060628055926/http://www.bluegrassreport.org/bluegrass_politics/2006/06/bluegrassreport.html

#20yrsago Life among the homeless bloggers https://web.archive.org/web/20060702205047/https://www.wired.com/news/technology/1,71153-0.html

#20yrsago Disney, 1939: No woman animators allowed https://animationguildblog.blogspot.com/2006/06/disney-1939-girls-are-not-considered.html

#15yrsago Sick man robs bank for $1, demands jail and healthcare https://web.archive.org/web/20110628144748/https://www.gastongazette.com/news/bank-58397-richard-hailed.html/

#15yrsago Car-racing game on a thermal printer https://www.undef.ch/project/receipt-racer

#15yrsago Toronto police swear off kettling https://web.archive.org/web/20110625131204/http://www.thestar.com/news/article/1012959–exclusive-toronto-police-swear-off-g20-kettling-tactic?bn=1

#15yrsago LEAKED: UK copyright lobby holds closed-door meetings with gov’t to discuss national Web-censorship regime https://www.openrightsgroup.org/blog/rights-holders-propose-voluntary-website-blocking-scheme/

#15yrsago Georgia’s anti-immigrant law leaves millions in crops rotting in the fields https://web.archive.org/web/20110620213900/https://blogs.ajc.com/jay-bookman-blog/2011/06/17/gas-farm-labor-crisis-playing-out-as-planned/

#15yrsago Bagelheads: toroidal saline forehead injections https://web.archive.org/web/20110619033443/https://vicestyle.com/en/news/today/post/japanese-bagelheads

#15yrsago Spitalfields Nippers: East London street-urchins of 1912 https://spitalfieldslife.com/2011/04/02/spitalfields-nippers/

#15yrsago Danish police proposal: Ban anonymous Internet use https://www-computerworld-dk.translate.goog/art/117279/forslag-du-maa-ikke-laengere-gaa-anonymt-paa-nettet?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US

#15yrsago Bell-mannequin for training pickpockets https://web.archive.org/web/20110626045035/http://blog.modernmechanix.com/2011/06/23/amateur-pick-pockets-study-in-crime-college/

#15yrsago Skeptical take on Singularity http://www.antipope.org/charlie/blog-static/2011/06/reality-check-1.html

#15yrsago Windmill joke https://www.reddit.com/r/Jokes/comments/4p8qkb/two_windmills_are_standing_in_a_field_and_one/

#10yrsago Electronics repair shops overbill for labor when the customer has insurance https://arstechnica.com/science/2016/06/computer-repair-shops-screw-over-customers-if-theyve-got-insurance/

#10yrsago Being a Craigslist scammer is hard work https://web.archive.org/web/20160622140008/https://www.infoworld.com/article/3086304/cyber-crime/interview-with-a-craigslist-scammer.html

#10yrsago Dieselgate for GPUs: review-units ship at higher clockspeeds than retail ones https://www.theverge.com/circuitbreaker/2016/6/21/11986836/msi-asus-overclocked-graphics-cards-review

#10yrsago Phones without headphone jacks are phones with DRM for audio https://www.theverge.com/circuitbreaker/2016/6/21/11991302/iphone-no-headphone-jack-user-hostile-stupid

#10yrsago Donald Trump sources $6M worth of campaign expenditures from companies he and his family own https://web.archive.org/web/20160621142100/https://bigstory.ap.org/article/9f7412236962464f9f2c0a8d2696ba25/trumps-campaign-cycles-6-million-trump-companies

#10yrsago Samantha Bee puts the NRA before a firing squad https://www.youtube.com/watch?v=-M4qHzd3xfM

#10yrsago Improv Everywhere: asking random New Yorkers to give a commencement speech https://www.youtube.com/watch?v=drvcLC3DuHo

#10yrsago R. Crumb v. D. Trump, 1989 https://dangerousminds.net/comments/robert_crumb_and_friends_flush_donald_trump_down_the_toilet_1989/

#10yrsago Cleveland: “First Amendment zones” will fence protesters far away from RNC https://www.wired.com/2016/06/cleveland-will-create-city-within-city-keep-rnc-civil/

#10yrsago Space botanists are beneficiaries of Canada’s legal weed boom https://web.archive.org/web/20160624043929/https://motherboard.vice.com/read/how-space-technology-will-produce-the-best-weed-marijuana-cannabis-pot

#10yrsago Debullshitifying the EU referendum (radio comedy edition) https://www.bbc.co.uk/programmes/p03yylpn

#10yrsago Judenstaat: an alternate history in which a Jewish state is created in east Germany in 1948 https://memex.craphound.com/2016/06/21/judenstaat-an-alternate-history-in-which-a-jewish-state-is-created-in-east-germany-in-1948/

#10yrsago Gun control is a great idea, terrorist watchlists are bullshit https://www.aclu.org/sites/default/files/field_document/2016_06_20_aclu_vote_recommendation_on_feinstein_and_cornyn_amendments_to_h.r._2578.pdf

#5yrsago New Yorkers just missing the subway https://www.youtube.com/watch?v=iWh385F5lms#5yrsago
#5yrsago Peloton bricks its treadmills https://pluralistic.net/2021/06/22/vapescreen/#jane-get-me-off-this-crazy-thing

#5yrsago Juul's junk science https://pluralistic.net/2021/06/22/vapescreen/#smokescreen

#5yrsago Improving the ACCESS Act https://pluralistic.net/2021/06/22/vapescreen/#improve-access

#1yrago Daniel de Visé's 'The Blues Brothers' https://pluralistic.net/2025/06/21/1060-west-addison/#the-new-oldsmobiles-are-in-early-this-year

Upcoming appearances (permalink)

Toronto: The Sovereignty Debate (IAB Canada's State of the Nation), Jun 23
https://iabcanada.com/state-of-the-nation-2026
Toronto: The Reverse Centaur's Guide to Life After AI (Osler Records/Type Books), Jun 23
https://www.eventbrite.com/e/cory-doctorow-book-launch-and-talk-tickets-1991501299998
NYC: The Reverse Centaur's Guide to Life After AI with Jonathan Coulton (The Strand), Jun 24
https://www.strandbooks.com/cory-doctorow-the-reverse-centaur-s-guide-to-life-after-ai.html
Philadelphia: The Reverse Centaur's Guide to Life After AI with David Williams (Fitler Club/Philadelphia Citizen), Jun 25
https://www.eventbrite.com/e/cory-doctorow-book-event-tickets-1990110326559
Chicago: The Reverse Centaur's Guide to Life After AI with Rick Perlstein (Exile in Bookville), Jun 26
https://exileinbookville.com/events/50628
London: Idler Festival, Jul 11
https://www.idler.co.uk/festival/
Edinburgh International Book Festival with Jimmy Wales, Aug 17
https://www.edbookfest.co.uk/events/the-front-list-cory-doctorow-and-jimmy-wales
Sydney: The Festival of Dangerous Ideas, Aug 23-24
https://festivalofdangerousideas.com/cory-doctorow/
Melbourne: Enshittification at the Wheeler Centre, Aug 25
https://www.wheelercentre.com/events-tickets/season-2026/cory-doctorow-enshittification
Brighton: The Reverse Centaur's Guide to Life After AI with Carole Cadwalladr (Brighton Dome), Sep 8
https://brightondome.org/whats-on/LSC-cory-doctorow-the-reverse-centaurs-guide-to-life-after-ai/
London: The Reverse Centaur's Guide to Life After AI with Riley Quinn (Foyle's Picadilly), Sep 9
https://www.foyles.co.uk/events/enshittification-cory-doctorow-riley-quinn
South Bend: An Evening With Cory Doctorow (Notre Dame), Oct 6
https://franco.nd.edu/events/2026/10/06/an-evening-with-cory-doctorow/

Recent appearances (permalink)

How to Think About AI Before It’s Too Late (Galaxy Brain)
https://www.youtube.com/watch?v=SPQNPJ0CEPo
The future of world governance, with Kim Stanley Robinson (UN Independent Expert on International Order)
https://www.youtube.com/live/wJvBvYdaAMY
How to Think About Artificial Intelligence (KUER)
https://radiowest.kuer.org/show/radiowest/2026-06-16/cory-doctorow-on-how-to-think-about-artificial-intelligence
The Enshittification of Life, the Universe, & Everything (Luke Savage)
https://www.lukewsavage.com/p/the-enshittification-of-life-the
Cory Doctorow's digital jail-break (DW In Focus)
https://www.dw.com/en/cory-doctorows-digital-jail-break/audio-77414035

Latest books (permalink)

"Canny Valley": A limited edition collection of the collages I create for Pluralistic, self-published, September 2025 https://pluralistic.net/2025/09/04/illustrious/#chairman-bruce
"Enshittification: Why Everything Suddenly Got Worse and What to Do About It," Farrar, Straus, Giroux, October 7 2025
https://us.macmillan.com/books/9780374619329/enshittification/
"Picks and Shovels": a sequel to "Red Team Blues," about the heroic era of the PC, Tor Books (US), Head of Zeus (UK), February 2025 (https://us.macmillan.com/books/9781250865908/picksandshovels).
"The Bezzle": a sequel to "Red Team Blues," about prison-tech and other grifts, Tor Books (US), Head of Zeus (UK), February 2024 (thebezzle.org).
"The Lost Cause:" a solarpunk novel of hope in the climate emergency, Tor Books (US), Head of Zeus (UK), November 2023 (http://lost-cause.org).
"The Internet Con": A nonfiction book about interoperability and Big Tech (Verso) September 2023 (http://seizethemeansofcomputation.org). Signed copies at Book Soup (https://www.booksoup.com/book/9781804291245).
"Red Team Blues": "A grabby, compulsive thriller that will leave you knowing more about how the world works than you did before." Tor Books http://redteamblues.com.
"Chokepoint Capitalism: How to Beat Big Tech, Tame Big Content, and Get Artists Paid, with Rebecca Giblin", on how to unrig the markets for creative labor, Beacon Press/Scribe 2022 https://chokepointcapitalism.com

Upcoming books (permalink)

"The Reverse-Centaur's Guide to AI," a short book about being a better AI critic, Farrar, Straus and Giroux, June 2026 (https://us.macmillan.com/books/9780374621568/thereversecentaursguidetolifeafterai/)
"Enshittification, Why Everything Suddenly Got Worse and What to Do About It" (the graphic novel), Firstsecond, 2026
"The Post-American Internet," a geopolitical sequel of sorts to Enshittification, Farrar, Straus and Giroux, 2027
"Unauthorized Bread": a middle-grades graphic novel adapted from my novella about refugees, toasters and DRM, FirstSecond, April 20, 2027
"The Memex Method," Farrar, Straus, Giroux, 2027

Colophon (permalink)

Today's top sources:

"The Reverse Centaur's Guide to AI," a short book for Farrar, Straus and Giroux about being an effective AI critic. LEGAL REVIEW AND COPYEDIT COMPLETE.
"The Post-American Internet," a short book about internet policy in the age of Trumpism. PLANNING.
A Little Brother short story about DIY insulin PLANNING

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.

How to get Pluralistic:

Blog (no ads, tracking, or data-collection):

Newsletter (no ads, tracking, or data-collection):

Mastodon (no ads, tracking, or data-collection):

Bluesky (no ads, possible tracking and data-collection):

Medium (no ads, paywalled):

https://mostlysignssomeportents.tumblr.com/tagged/pluralistic

Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):

"When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla

ISSN: 3066-764X

17:49

Free Software Directory meeting on IRC: Friday, June 26, starting at 12:00 EDT (16:00 UTC) [Events]

Join the FSF and friends on Friday, June 26 from 12:00 to 15:00 EDT (16:00 to 19:00 UTC) to help improve the Free Software Directory.

17:42

Who Won the ARC of Monsters of Ohio? [Whatever]

It was “Bjorn,” who along with 12 others, correctly guessed that the Ohio-native mammal I was thinking of was, indeed, the Prairie Vole. As promised, I used a random number generator to pick a number between one and twelve, and Bjorn was on the lucky number. An ARC is being mailed to him forthwith.

If you did not win, condolences, but also remember you can order a signed copy of the hardcover from Subterranean Press (and I will even personalize it, if you like), to arrive when the book comes out in November. You can also pre-order the (unsigned) book from your favorite local or online bookseller. Also, eventually we’ll announce the book tour (which is in the planning stages right now), and when we do you can pre-order the book from one of those stores, and have me sign the book for you there. And of course, I’m very likely to sign the stock at Jay and Mary’s Book Center in Troy, Ohio when the book comes out. So you have options!

— JS

17:28

In memory of the man who put red and green squiggles under words [The Old New Thing]

I recently learned of the passing of someone whose work nearly everybody knows, but nobody knows his name.

Tony Krueger is remembered in Wikipedia as the person who ported the game Chip’s Challenge to Windows for the Windows Entertainment Pack.¹ But that’s probably not the code he wrote that touched the most people.

Tony worked on Word 1.0, 1.1, 2.0, then on Word for OS/2 and Word for Mac, then returned to Word 6.0 and several versions beyond that. He probably holds the record for “most versions of Word shipped.”

In early versions of Word, the Spell Check feature was something that you explicitly invoked, and then you had to sit and wait while the program looked for all your potentially-misspelled words, and then showed them to you one at a time for a decision on what to do for each one. Word did introduce an Auto Spell Check feature to run spell check when the user was idle, so that when you hit the Spell Check button, the results were ready to go. However, the Auto Spell Check was still a blocking operation. As a result, a lot of users turned it off because it always seemed to decide “Now would be a good time to spell-check the document” just as you wanted to do something, forcing you to wait for the spell check pass to complete before you could, say, save and exit.

Tony made the spell checker much more unobtrusive so that it didn’t interfere with your foreground work. And when it found a problem, instead of waiting for you to trigger a spell check, it immediately drew red squiggles under potentially-misspelled words (and later green squiggles under potential grammatical errors).

Tony was an early fan of the magic/comedy team Penn and Teller. A friend and colleague attended a show and hung out afterward to ask the duo to sign a photo for his friend Tony. “He was on the team that did the red and green squiggles in Word.”

Upon hearing this, Penn Jillette announced in his stentorian voice which filled the entire theater: “The red and green squiggles!? I love the red and green squiggles!” Teller silently concurred.

Tony received that autographed photo for his birthday, and it wasn’t clear which he was more happy about, the autographed photo or the fact that Penn and Teller loved his feature.

Many years later, “Weird Al” Yankovic recorded a parody video titled Word Crimes, in which the Word red squiggles make a brief appearance. That same friend got “Weird Al” to autograph the screen shot.

Today, there are red (and even green and blue) squiggles in nearly every word processor, and often outside word processors. Tony did it first. The next time a red squiggle catches one of your mistakes, say thanks to Tony. I think he’d appreciate it.

¹ Probably not as widely documented is that he accomplished this without the source code: He reverse-engineered the MS-DOS version and then reimplemented it for Windows.

The post In memory of the man who put red and green squiggles under words appeared first on The Old New Thing.

16:49

[$] Free-threaded Python: past, present, and future [LWN.net]

Probably the biggest change for Python over the last five years or so is the advent of the "free-threaded" version of the language, which removes the global interpreter lock (GIL) and allows multiple threads to run in parallel in the interpreter. At PyCon US 2026, held in Long Beach, California in mid-May, longtime CPython core developer (and current steering council member) Thomas Wouters gave a talk about the feature. He looked at the motivation behind the GIL-removal efforts, some history, the current status of the free-threaded interpreter, and provided a prediction on where it all leads.

16:07

First preview release of Xfce's Wayland compositor [LWN.net]

Brian Tarricone has announced the first preview release of xfwl4, a Wayland compositor for the Xfce desktop environment.

After close to six months of work, I feel like it's ready to get some wider use, even though of course there will be bugs and missing features. Think of this as an alpha release. [...]

The end goal of xfwl4 is to behave as closely as possible to an Xfce desktop running on an X server. Ideally a user could switch between the two without even knowing there's a difference. In reality, of course, it won't be quite that seamless, and there's still more work to be done to get as close as possible to that ideal. This is a first solid cut at it, at the very least.

15:42

Louis CK: Everything is amazing and nobody is happy.

People who reinvent RSS often say they did it because it was missing a feature they needed. We anticipated that, there's a section of the spec that explains how you can extend the format so there's no reason not to build on existing standard instead of starting over from scratch. This way you get more interop sooner, your product might work with other products right out of the box, and save time for other devs who want to be compatible with you. People should study the internet, how it developed, ts philosophy, before they go off and try to re-create it, it rarely works and what a waste of time and effort. What's the point?

Trying Out A New Recipe: Half Baked Harvest’s “Cinnamon Crunch Peach Muffin Bread” [Whatever]

Bluesky: "If Obama had called McConnell’s bluff on the Garland nomination, the court would be 5-4 instead of 6-3. And if RBG had stepped down, it would’ve been 5-4 in favor of Dems.

15:00

(EDIT: Well folks it looks like I misread chopped peaches as chopped pecans at some point, so there was never actually supposed to be any pecans in this recipe, and my annoyance is unwarranted! Apologies to Half Baked Harvest for accusing her of listing pecans in the ingredients and then not utilizing them, it turns out I hallucinated the pecans all along.)

Well, it’s officially peach season, and my mom gave me a small box of fresh peaches from the famed Peach Truck. I immediately knew what to do with at least a couple of them, and got to work trying out a new Half Baked Harvest recipe I saw on her Instagram: Cinnamon Crunch Peach Muffin Bread.

View this post on Instagram

So let’s dive right in by taking a look at the ingredients list. Here’s everything you need:

Since I had literally just been given the peaches, the only thing I didn’t have on hand was the peach jam. I made a quick trip to a place outside of town called Bear’s Mill, where I purchased the closest thing I could find, which was their peach apricot preserves. I would say other than peaches and peach jam, something you might have to go to the store for is the pecans and the plain Greek yogurt. I happened to have the yogurt from a different recipe I made last week, and I don’t even remember what the pecans were for but I had them! And they don’t even expire until next week, so, yippee.

So the recipe is pretty straight forward, you just mix all your wet ingredients together, then add the dry, then add the peaches, peach jam, cinnamon crumble, and bake. Very simple order of events, really. After mixing the wet ingredients together, I got an extremely smooth, liquidous batter:

For the dry ingredients, I actually weighed the flour even though I’d been using cups so far. Flour is just one ingredient I really prefer to weigh. So after weighing, I mixed the dry ingredients in:

The only other thing I weighed was the peaches, just to make sure two was enough (because only two in the box were ready to use right then). I needed 150g of chopped peaches, and my two peaches came out to 140g, so I said good enough and threw them in the batter. Then I put the batter into a loaf pan and measured out the three tablespoons of peach preserves to swirl on top of the loaf. The preserves were actually quite gelatinous, so I ended up microwaving them for just a little bit to soften them and make them more easily spreadable on top of the batter.

All that swirly goodness got immediately covered up by the cinnamon crunch, which was just a quick mix of cinnamon, brown sugar, flour, and butter. This was before baking:

And after!

This smelled soo good while it was baking. I will say, the recipe says to bake for 55-60 minutes, but at 55 it wasn’t done yet, and I actually went all the way to 65 minutes total. So just a touch past the recommended time.

After it had cooled a bit, I took it out of the pan and peeled away the parchment paper to reveal this golden brown beauty:

And finally, the cross-section:

Look at that moist crumb. Little pieces of diced peaches and globs of peach preserves, that perfect cinnamon crumble top. YUM! This bread is so good! If you have peaches to use up, I highly recommend trying out this bread.

Now, you may notice something sort of funny about this loaf. Do you see any pecans? No, because even though they were listed in the ingredients list, at no point in the recipe did it say when to add them, so I completely forgot about them and didn’t add them because they literally weren’t mentioned! Even without the pecans, this bread is super yummy.

This bread is honestly more like a muffin or pound cake, which makes sense why Half Baked Harvest calls it muffin bread! I bet you could even make this as muffins instead if you wanted to, the batter was very scoopable.

Warm out of the oven with a little bit of butter, deeelish.

In terms of dishes, I really only used one bowl for the batter and then a small bowl for the cinnamon crumble mixture, a couple of measuring cups and spoons, a rubber spatula, and a cutting board and knife for the peaches. Oh, and a small bowl to microwave the peach preserves to soften them. Very light amount of dishes.

So, yeah, if you like peaches, give this bread a try. And have a great day!

-AMS

14:35

Security updates for Monday [LWN.net]

Security updates have been issued by AlmaLinux (389-ds:1.4, kernel, and kernel-rt), Debian (gst-libav1.0, gst-plugins-good1.0, imagemagick, kernel, libconfig-inifiles-perl, libgd-perl, libhttp-daemon-perl, mediawiki, pillow, and squid), Fedora (389-ds-base, alertmanager, ansible-core, buildah, chromium, erlang-cowboy, erlang-cowlib, erlang-gun, freerdp, kubernetes1.33, kubernetes1.34, kubernetes1.35, mingw-SDL2_image, ongres-scram, ongres-stringprep, openssl, perl-Config-IniFiles, perl-Crypt-PBKDF2, podman, postgresql-jdbc, python3.13, strongswan, webkitgtk, xdg-desktop-portal, and yt-dlp), Red Hat (osbuild-composer), SUSE (alloy, amazon-ssm-agent, ansible-core, apache-sshd, jpgpj, azure-storage-azcopy, chromedriver, containerized-data-importer, firefox, glibc, graphite2, inspektor-gadget, kubevirt, lemon, openvswitch, python-starlette, python311, python311-joserfc, python313, and tinyproxy), and Ubuntu (netatalk).

[$] Reports from OSPM 2026, day one [LWN.net]

The Power Management and Scheduling in the Linux Kernel Summit, which still goes by the historical acronym OSPM, was held in Cambridge, UK, in mid-April. As has become traditional, the presenters at that event have since written summaries of their sessions, and this work has kindly been made available to LWN for publication. The first day's sessions covered a wide range of topics, including idle-state selection, user-space schedulers with sched_ext, lock-holder preemption, and much more.

14:14

CodeSOD: When False is True [The Daily WTF]

Lillith was integrating some new tools into an existing Ruby on Rails API. The existing API allowed you to send a dry_run flag along with the request, so that you could have the service calculate its changes without applying them.

The problem was, the new tool Lillith was integrating could send, in the body of the request, {"dry_run": false}, but the service would see it as true. Consistently.

The helper method which checked for "true" parameters looked like this:

def param_true?(param_name)
  param_value = params[param_name]
  params.key?(param_name) && (!param_value || param_value.to_s.downcase == 'true')
end

The purpose of this function is to handle stringy or nil inputs gracefully. And there's one thing I can say about the function: it will always identify a true value correctly. If your false value is a string, "false", it also works. But that pesky !param_value mean that any actual boolean false value will be seen as true.

This function has been in wide use through the application. Lillith's best guess is that up to this point, no one had set the dry run flag on anything but GET requests, where everything was strings. On POST/PATCH/PUT requests, where the data was passed in the body as JSON, it got parsed into actual boolean values, and thus failed.

That's the WTF, certainly, that this function was lurking and waiting to cause this confusion. But the annoying thing in this function is that it fetches the value from the associative array, then calls params.key? to see if the key exists. That's fine, since Ruby just returns a nil if a key doesn't exist, it's just annoying. I hate to see it. This is, admittedly, more of a "me" problem, but I hate it.

[Advertisement] Keep the plebs out of prod. Restrict NuGet feed privileges with ProGet. Learn more.

A new UPS scam, it seems. [RevK®'s ramblings]

I think I am seeing a new scam.

Background

When an item is delivered to UK from overseas, we, as recipient, may have to pay VAT, and occasionally duty, as the importer. It is a legal requirement.

Yes, as a business we have "postponed VAT accounting", and even the possibility of a "Duty Deferment Account", and DHL get some credit here for handling both very well, with no admin fees. UPS do not get any credit for this at all.

But as a consumer there are two ways this goes down.

They refuse to deliver unless you pay first, or they demand payment on the doorstep. The scam is they want an admin fee that was not pre-agreed with them, and not part of any contract. And you have no choice if you want the parcel. It is a scam as it breaks pretty much all consumer contract protection laws, and is admin that is normal and so should be part of what they charge the sender, IMHO.
They bill you later, and try and charge the admin fee as well. Usually paying the legally required VAT/Duty and NOT paying the admin fee, can work. They do not like it, but I do not think they have any legally enforceable right to their admin fee. Even so it is time consuming and hassle, and I really need to publish an admin fee I will deduct from such payments and argue that is as valid as theirs.

So yes, un-agreed admin fees to recipient are a scam. That is my view anyway.

Note: Royal Mail have a law allowing them to charge an admin fee, couriers do not. There fact there is a law especially for this - kind of proves it would not be legal without such a law.

A new scam

I am now seeing what I assume is a new scam. This time by UPS. Yes, I believe this is a scam.

This relates to a shipment with Duty/VAT pre-paid by sender. So no charge to recipient. No legally required payment by recipient. Sender PAID to get parcel to recipient duty/VAT pre-paid.

In this case a parcel ordered on Amazon UK (no clue non UK shipper). And Amazon do generally handle everything pre-paid Duty/VAT. They are actually really good at that, and for shipments to EU are "deemed supplier" and handle local VAT and all sorts. Very neat.

The item had zero VAT (condensed milk, but declared as tomato sauce!).

But UPS decided to send an invoice (after delivery) for £6.65+VAT (£7.98) for an "entry prep fee".

Did the recipient ask them to do any entry prep? No, obviously not. That is a normal part of delivery, something they are charging the sender for. So this is a case of charging the admin fee even when there is ZERO VAT or Duty to pay.

It is not a lot, but I bet a lot of people pay, and UPS must handle millions of parcels. This is a big scam, and needs to be reported.

I think this is time to report this fraud to the police.

14:07

Loop Engineering [Radar]

The following article originally appeared on Addy Osmani’s blog and is being reposted here with the author’s permission.

Loop engineering is replacing yourself as the person who prompts the agent. You design the system that does it instead. A loop here can be thought of as a recursive goal where you define a purpose and the AI iterates until complete. I believe this may be the future of how we work with coding agents. However, it’s still early; I’m skeptical, and you absolutely have to be careful about token costs (usage patterns can vary wildly if you are token rich or poor), so I want to unpack what it is and what it means.

Peter Steinberger recently said: “You shouldn’t be prompting coding agents anymore. You should be designing loops that prompt your agents.” Similarly, Boris Cherny, head of Claude Code at Anthropic, said, “I don’t prompt Claude anymore. I have loops running that prompt Claude and figuring out what to do. My job is to write loops”.

Okay, so what does any of that mean?

For like two years, the way you got something out of a coding agent was you wrote a good prompt and shared enough context. You type a thing, you read what came back, you type the next thing. The agent is a tool and you are holding it the entire time, one turn after the other. That part is kind of over, or at least some think it’s going to be.

Now you build a small system that finds the work, hands it out, checks it, writes down what is done and then decides the next thing, and you let that system poke the agents instead of you. I wrote before about the cousin of this, agent harness engineering, which is making the environment one single agent runs inside and the factory model—the system that builds the software. Loop engineering sits one floor above the harness. The harness but it runs on a timer, it spawns little helpers, and it feeds itself.

The thing that surprised me is this is not really a tool thing anymore. A year ago if you wanted a loop you wrote a pile of bash and you maintained that pile forever and it was yours and only yours. Now the pieces just ship inside the products. Steinberger’s list maps almost exactly onto the Codex app, and then almost the same onto Claude Code. And once you notice the shape is the same, you stop arguing about which tool. You just design a loop that still works no matter which one you happen to be sitting in.

The five pieces, and then notes

A loop needs five things and then one place to remember stuff. Let me list it first and then map it.

Automations that go off on a schedule and do discovery and triage by themselves
Worktrees so two agents working in parallel don’t step on each other
Skills to write down the project knowledge the agent would otherwise just guess
Plugins and connectors to plug the agent into the tools you already use
Subagents so one of them has the idea and a different one checks it

Then the sixth thing, the memory. A Markdown file, or a Linear board, anything that lives outside the single conversation and holds what’s done and what is next. Sounds too dumb to matter. But it’s the same trick every long-running agent depends on, and I went into it in “Long-Running Agents”: The model forgets everything between runs so the memory has to be on disk and not in the context. The agent forgets; the repo doesn’t.

Both products have all five now.

Primitive	Job in the loop	Codex app	Claude Code
Automations	Discovery + triage on a schedule	Automations tab: pick project, prompt, cadence, environment; results land in a Triage inbox; `/goal` for run-until-done	Scheduled tasks and cron, `/loop`, `/goal`, hooks, GitHub Actions
Worktrees	Isolate parallel features	Built-in worktree per thread	`git worktree`, `--worktree`, `isolation: worktree` on a subagent
Skills	Codify project knowledge	Agent Skills (`SKILL.md`), invoked with `$name` or implicitly	Agent Skills (`SKILL.md`)
Plugins and connectors	Connect your tools	Connectors (MCP) plus plugins for distribution	MCP servers plus plugins
Subagents	Ideate and verify	Subagents defined as TOML in `.codex/agents/`	Task subagents in `.claude/agents/`, agent teams
State	track what’s done	Markdown or Linear via a connector	Markdown (`AGENTS.md`, progress files) or Linear via MCP

The names are a bit different here and there, but the capability is the same thing. Let me go one by one because honestly the details are where a loop either holds together or quietly leaks everywhere.

Automations, this is the heartbeat

Automations are what make a loop an actual loop and not just one run you did once. In the Codex app you make one in the Automations tab and you pick the project, the prompt it will run, how often, and if it runs on your local checkout or on a background worktree. The runs that find something go to a Triage inbox, and the runs that find nothing just archive themselves which is nice. OpenAI uses them internally for boring stuff like daily issue triage, summarizing CI failures, writing commit briefings, and hunting bugs somebody added last week. And an automation can call a skill, so you keep the recurring thing maintainable; you fire $skill-name instead of pasting a giant wall of instructions into a schedule that nobody will ever update.

Claude Code gets to the same place but through scheduling and hooks. You can run a prompt or a command on a interval with /loop, you can schedule a cron task, you can fire shell commands at certain points in the agent lifecycle with hooks, or you push the whole thing to GitHub Actions if you want it to keep running after you close the laptop. Same idea exactly, you define an autonomous task, you give it a cadence, and the findings come to you so you are not the one going around checking.

There is a second in-session primitive worth knowing, and it’s the one closer to what this whole post is about. /loop re-runs on a cadence. /goal keeps going until a condition you wrote is actually true, and after every turn a separate small model checks whether you are done, so the agent that wrote the code isn’t the one grading it. You give it something like “all tests in test/auth pass and lint is clean” and walk away. Codex has the same thing, also called /goal: It keeps working across turns until a verifiable stopping condition holds, with pause and resume and clear. Same primitive, both tools, which is kind of the pattern for this whole article.

So this is the part that surfaces the work. The rest of the loop is what acts on it.

Worktrees, so parallel doesn’t turn into chaos

The second you run more than one agent, the files start colliding; that becomes the failure. Two agents writing the same file is the exact same headache as two engineers committing to the same lines and nobody talked to each other first. A Git worktree fixes it. It’s a separate working directory on its own branch sharing the same repo history, so one agent’s edits literally cannot touch the other one’s checkout.

Codex builds the worktree support right in so several threads hit the same repo at once and don’t bump into each other. Claude Code gives you the same isolation with git worktree, a --worktree flag to open a session in its own checkout, and a isolation: worktree setting you stick on a subagent so each helper gets a fresh checkout that cleans itself up after. (I wrote about the human side of all this in “The Orchestration Tax.”) The worktrees take away the mechanical collision, but YOU are still the ceiling. Your review of bandwidth decides how many you can actually run, not the tool.

Skills, so you stop explaining your project every single time

A skill is how you stop reexplaining the same project context every session like a goldfish. Both tools use the same format: a folder with a SKILL.md inside holding instructions and metadata, and then optional scripts, references, and assets. Codex runs a skill when you call it with $ or /skills, or by itself when your task matches the skill description, which is the reason a tight, boring description beats a clever one. Claude Code does it the same way and I wrote the pattern up in “Agent Skills.”

Skills are also where intent stops costing you over and over. I argued in “The Intent Debt” that an agent starts every session cold and it will fill any hole in your intent with a confident guess. A skill is that intent written down on the outside, the conventions, the build steps, the “we don’t do it like this because of that one incident,” written one time where the agent reads it every run. Without skills the loop rederives your whole project from zero every cycle; with skills it kind of compounds.

One thing to keep straight: The skill is the authoring format, and a plugin is how you ship it. When you want to share a skill across repos or bundle a few together, you package them as a plugin. True in Codex, true in Claude Code.

Plugins and connectors, the loop touches your real tools

A loop that can only see the filesystem is a tiny loop. Connectors, which are built on MCP, let the agent read your issue tracker, query a database, hit a staging API, or drop a message in Slack. Codex and Claude Code both speak MCP so the connector you wrote for one usually just works in the other. And plugins bundle connectors and skills together so your teammate installs your setup in one go instead of rebuilding the whole thing from memory.

This is the difference between an agent that says “here is the fix” and a loop that opens the PR, links the Linear ticket, and pings the channel once CI is green by itself. The connectors are the reason the loop can act inside your actual environment instead of just telling you what it would do if it could.

Subagents, keep the maker away from the checker

The most useful structural thing in a loop, by far, is splitting the one who writes from the one who checks. The model that wrote the code is way too nice grading its own homework. A second agent with different instructions and sometimes a different model catches the stuff the first one talked itself into.

Codex only spawns subagents when you ask, runs them at the same time, and then folds the results back into one answer. You define your own agents as TOML files in .codex/agents/, each with a name, a description, instructions, and optional model and reasoning effort, so your security reviewer can be a strong model on high effort while your explorer is some fast read-only thing. Claude Code does the same with subagents in .claude/agents/ and agent teams that pass work between them. The usual split in both is one agent explores, one implements, and one verifies against the spec.

I made this case twice already, once as “The Code Agent Orchestra” and once as “Adversarial Code Review.” The reason it matters specifically inside a loop is the loop runs while you are not watching, so a verifier you actually trust is the only reason you can walk away. Subagents do burn more tokens since each one does its own model and tool work, so spend them where a second opinion is worth paying for. This is also basically what Claude Code’s /goal does under the hood: A fresh model decides if the loop is done instead of the one that did the work, the maker and checker split applied to the stop condition itself.

What one loop looks like

Stick it together and a single thread turns into a little control panel. Here is one shape I keep using.

An automation runs every morning on the repo. Its prompt calls a triage skill that reads yesterday’s CI failures, the open issues, and the recent commits and writes the findings into a Markdown file or a Linear board. For each finding that is worth doing, the thread opens an isolated worktree and sends a subagent to draft the fix, and a second subagent reviews that draft against the project skills and the existing tests.

Connectors let the loop open the PR and update the ticket. Anything the loop cannot handle lands in the triage inbox for me. The state file is the spine of the whole thing; it remembers what got tried, what passed, and what is still open, so tomorrow morning the run picks up where today stopped.

And look at what you actually did there. You designed it one time. You did not prompt any of those steps. That’s Steinberger’s whole point made real, and it’s the same loop in Codex or in Claude Code because the pieces are the same pieces.

What the loop still does not do for you

The loop changes the work; it does not delete you from it. And three problems actually get sharper as the loop gets better, not easier.

Verification is still on you. A loop running unattended is also a loop making mistakes unattended. The whole reason you split the verifier subagent from the maker is to make the loop’s “it’s done” mean something, and even then “done” is a claim and not a proof. I keep saying the same line from “Code Review in the Age of AI”: Your job is to ship code you confirmed works.

Your understanding still rots if you allow it. The faster the loop ships code you did not write, the bigger the gap between what exists and what you actually get. That’s comprehension debt and a smooth loop just makes it grow faster unless you read what the loop made.

And the comfortable posture is the dangerous one. When the loop runs itself, it’s very tempting to stop having an opinion and just take whatever it gives back. I called that “cognitive surrender.” Designing the loop is the cure when you do it with judgment and the accelerant when you do it to avoid thinking: same action, opposite result.

Build the loop. Stay the engineer.

I think this is a preview of how our work is going to evolve. That said, if I weren’t reviewing the code myself or if I relied entirely on automated loops to fix it, my product’s quality would suffer. I’d likely end up stuck in a downward spiral, continuously digging myself into a deeper hole.

Go ahead and set up your loops, but don’t forget that prompting your agents directly is also effective. It’s all about finding the right balance.

Loops can also result in different outcomes depending on you. Two people can build the exact same loop and get completely opposite results. One uses it to move faster on work they understand deeply. The other uses it to avoid understanding the work at all. The loop doesn’t know the difference. You do.

That’s what makes loop design harder than prompt engineering. Cherny’s point isn’t that the work got easier. It’s that the leverage point moved.

Build the loop. But build it like someone who intends to stay the engineer, not just the person who presses go.

This Week in AI: Fable 5, the Clone Wave, and Uber’s AI Reality Check [Radar]

This week, egghead.io cofounder John Lindquist joined host YK Sugi, founder of CS Dojo and developer experience manager at Eventual, to cover the latest AI news. First on the agenda was the contested release of Claude Fable 5. They also examined the financial shifts reshaping the technology industry, including the rising costs associated with agentic coding loops. Then John outlined the framework he uses to build in the agent era without starting from scratch every time.

Watch the full episode here:

Claude Fable 5: 3 days, a government order, and a lot of unanswered questions

Claude Fable 5 launched June 9 and was pulled from all customers on June 12 after the US government issued a directive ordering Anthropic to restrict access for foreign nationals inside and outside the US. Amazon researchers had reportedly surfaced what they characterized as a security vulnerability, and after Anthropic reportedly declined to patch or redeploy the model, the directive came down. Senior Anthropic staff subsequently traveled to Washington to meet with White House officials.

The dispute about what actually happened is unresolved. Anthropic’s position is that the reported issue was a narrow jailbreak that had been previously identified and was present across public models generally, and not a serious security threat. An independent researcher who reviewed the report described it as defensive prompting that surfaced known vulnerabilities and called the response an overreaction. Neither side has published the technique or prompt, so there’s no way to evaluate the claim independently. But as John put it, “It sets a very strange precedent going forward, as models are released, that governments can step in and control what private companies can and cannot do with their model.”

Another new precedent: Fable 5 wasn’t built on the Opus or Sonnet architecture, which means comparisons to prior Anthropic models or contemporaries don’t tell us much. But initial impressions were positive, including from YK and John, and Fable 5 quickly reached the top of the Arena leaderboard in the text, agents, and web dev code categories. However, the model also had a purposeful limitation: On questions related to AI and machine learning training specifically, it was designed to underperform (without signaling this to users), apparently to prevent competitors from using it to improve their own models. Intentional capability suppression in a commercial model, without disclosure, is a different kind of product decision than a safety guardrail. Whether that approach becomes more common as competitive stakes rise is an open question.

Tokens burn fast when the loop isn’t ready for them

Last week, SpaceX went public in the largest IPO in history. The company finalized its acquisition of Cursor in a $60 billion all-stock deal shortly after. (That last one happened after this episode aired—we’ll talk more about it on Monday.) Both OpenAI and Anthropic have filed to go public as well, and Google raised roughly $160 billion through equity and a 100-year bond. A significant share of that capital is flowing toward AI coding infrastructure.

YK brought up another, less celebratory, financial story that’s been making the rounds: Uber burned through its full 2026 AI tools budget by April, mostly on Claude Code and Cursor, and Andrew Macdonald, the company’s COO, acknowledged they couldn’t link that spending to a measurable increase in useful customer features. Uber subsequently put a $1,500 per month per employee cap in place.

John flagged projects inefficiently utilizing agentic loops as one possible cause for wasteful token spend. Most developers deploying agents against existing codebases haven’t built the tooling those agents need to work efficiently, so agents burn tokens doing work that dead-ends, repeating context, or generating code that requires significant debugging. He explained:

If you take a legacy codebase and you throw agents against it with loops, you haven’t set up a proper agent environment. It’s so quick to burn tokens because. . .the agents don’t have the tools to work with.

The conversation in developer communities so far has focused almost entirely on what agents can generate. But as more organizations move from experimentation to production-scale deployment, building logging, verification, and proper error surfaces into agent tooling is what will determine whether token spend maps to real output. Otherwise, we’ll likely see more companies go the way of Uber.

Ingredients beat inference: A practical framework for building in the clone wave

For most developer workflows today, buy-versus-build leans toward building in a way it didn’t even a year or two ago. As John noted, “It’s so easy to build apps and workflows now where there are so many amazing production apps out there, apps on your phone, apps on your desktop, software as a service, that are trivial to copy and clone.” He uses the term the “clone wave” to describe this expanding set of open source equivalents to consumer software products that can now be cloned, forked, or replaced and get you 99% of the way to your use case.

The principle that drives the clone wave is “ingredients beat inference.” If you ask an agent to build a feature from scratch, it infers a solution with no external reference. If you give it an existing open source implementation to start from, it can adapt, translate, and integrate that code far faster and more reliably. The ingredients approach also helps with the 43% of AI-generated code that needs debugging in production, per a figure YK cited earlier in the episode.

The GitHub CLI plays a central role in this workflow. John explained that because agents understand the GitHub CLI natively, you can give an agent a search task and let it find implementations it wouldn’t have generated itself. Language mismatch isn’t a blocker, because agents translate between languages and libraries well. And tools like DeepWiki from Cognition let agents explore and understand a repo’s structure before cloning or forking it, so the evaluation step doesn’t require local setup.

The framework extends to how you build the last 20% that isn’t available as an ingredient. This is the part that’s specific to your use case; John described it as “that extra bit that you’re building on top of it to make it into the custom product and project for either yourself or for your users.” John’s bigger point is that the tools you build for yourself should also be usable by your agents. Expose endpoints and logging. Give agents the ability to read state and errors. An agent that can control a tool but not debug it will eventually stop in ways that are hard to diagnose.

John walked through cmux to demonstrate what an agent-native workspace looks like in practice. cmux is a terminal multiplexer built with agentic workflows in mind: it exposes a CLI that agents can control directly, so you can open a terminal pane, have that pane spawn another, and have the two read from and write to each other. In practice that means you can run Claude Code in one pane, Codex in another, and a third pane reading output from both, with each agent able to observe the others’ state.

Agents need more than the ability to run commands. They need to read logs, check errors, and confirm state before taking the next step. A workspace that exposes those surfaces gives agents a feedback loop. This tenet is applicable to tools across the company. Organizations that treat their internal tooling as agent-accessible infrastructure are building something that compounds. Those treating agents as black-box code generators are taking on technical debt they may not see until causes issues later on.

What’s next

SpaceX’s acquisition of Cursor turns the coding-agent race into something much larger than an IDE fight. Cursor may be positioning itself as a new GitHub for the agentic era, where agents write, review, test, repair, and govern code. At the same time, Salesforce’s $3.6B acquisition of Fin shows the same pattern inside enterprise software: Buyers want packaged workflows that solve real support, sales, and operations problems rather than abstract “agents.”

Next week, host Ksenia Se examines these stories and more through the lens of who owns the loop where AI does the work. Join us to find out why the next phase of AI will be about who controls the infrastructure, economics, and trust layer.

Our episodes are free and open to all through the end of June if you’d like to attend live—register here. And we’ll continue to publish our takeaways here on Radar each Friday and share full episodes on YouTube, Spotify, Apple, or wherever you get your podcasts.

13:49

One year with Codeberg [Planet GNU]

A year ago, Guix migrated to Codeberg for source code hosting, issue tracking, and pull requests. This is a significant change for a project with more than 400 people contributing code each year, after more than decade hosting code at Savannah and dealing with bug reports and patches by email, tracked by a Debbugs instance. This article discusses the process that led to this change and lists some takeaways, a year later.

The non-obvious choice

For years before, the question of our choice of source code hosting and collaboration tools would regularly come up. However, with a community effectively built around the existing tools and workflows, a change to a pull-request workflow was far from obvious—even if many would admit that yes, pull requests are more familiar to many younger hackers than patches and bug reports by email.

Active contributors were efficient with the email workflow—often thanks to Emacs and/or to top-notch email clients—while at the same time being critical of “modern” Web-based forges: after all, Debbugs weighs in at a few hundred lines of Perl, building upon the battle-tested standards and built-in federation of email, whereas a forge like Forgejo is much bigger with hundreds of Go dependencies.

A further complication is that, over time, contributors had built tools around this workflow: mumi would provide a nice web interface to Debbugs and the Quality Assurance service would automatically apply patch series in a Git branch and build packages from that branch—to give the most visible examples. Migrating was all but obvious.

Despite these achievements, dissatisfaction was palpable though, even more so when Steve George (a.k.a. Futurile) published the results of the first user and contributor survey in January 2025, with feedback from no less than 900 people. For contributors who took part in the survey, the email workflow was often mentioned as a hindrance.

Making decisions

As if things were not difficult enough, there was no “benevolent dictator” that the project could rely on to make a sharp decision. Instead, in December 2024, the project adopted a process for collective decision-making: the Guix Consensus Document (GCD) process. The process is ambitious: instead of merely asking “project members” (a concept that needs to be properly defined!) to vote on proposals, authors of proposals are expected to work with everyone to build consensus on the proposal; participants cannot merely “oppose” a proposal but should instead express their needs and suggest concrete changes to address them. At the end of the process, participants can “support”, “accept”, or “disapprove” the final revision of the proposal.

It is too early to tell whether the GCD process will stand the test of time—as of this writing seven proposals were submitted through this process, with varying outcomes—but it surely proved to be a good way to work collectively on the forge migration issue, which was the first real-world use of the GCD process.

GCD 002 was submitted in February 2025 as a proposal to migrate to Codeberg for source code hosting and collaboration. The discussion lasted for two months—the maximum duration permitted by the process—with contributions by many people. Two thirds of the Guix team members participated in the deliberation, among which 72% expressed “support” while the remaining 28% merely “accepted” the proposal; nobody “disapproved” it so the proposal came into force in early May 2025.

The discussion showed that many long-time contributors were not comfortable with the idea of moving to a workflow largely perceived as Web-first and inefficient compared to the email workflow. The idea of abandoning part of the infrastructure carefully built around the email workflow over the years was also unappealing. Yet, the prospect of reaching out to a broader community and improving the developer experience for many was probably a driving force that led to this positive outcome.

One thing in the proposal that didn’t trigger much debate though is the preference both for a free-software-based forge and for one hosted by a non-profit, Codeberg e.V. This choice is very much in line with the Guix ethos.

Switchover

As agreed-upon in the GCD, the switch to Codeberg was incremental: the main repository was migrated on May 25th, 2025, with the former repository still available as a mirror today; the former issue and patch tracker was kept active until January 1st, 2026, when Codeberg issues and pull requests became the only supported mechanisms (but older bug reports and patches remain accessible on-line).

Thanks to the planning devised during the consensus-building discussion, there were few hiccups and surprises when we switched. The quality of service achieved by the Codeberg e.V. employees and volunteers has been very good and the occasional downtime was usually short and clearly communicated.

For some of us, the main difficulty was to adapt to the new workflow. For those who prefer a workflow out of the browser, the good news is that Emacs interfaces—fj.el and more recently Emacs-Forgejo—have been getting better everyday thanks to their amazing developers; the ability to create pull requests using the AGit workflow has also helped bring peace and harmony.

The one issue that wasn’t sufficiently anticipated is continuous integration for pull requests. The part of qa.guix.gnu.org that would previously build packages for patches sent by email was not ported to Codeberg. For several months, it was up to reviewers to make sure that pull requests would not break anything—a situation that was not sustainable.

In September 2025, an instance of Cuirass was set up at pulls.ci.guix.gnu.org to finally build pull requests. This was initially seen as a stopgap because of several limitations compared to what qa.guix.gnu.org would previously do—such as the fact that packages now get built for a single architecture. However, one advantage for newcomers is that feedback is immediately visible: Cuirass sends reports indicating success or failure directly in pull requests as guix-cuirass-bot.

Renewed collaboration

One of the intuitions and hope we had when we decided to migrate to Codeberg is that the pull-request workflow and its Web interface would allow us to reach out to a broader set of contributors. How did it go?

A first insight is that the commit rate—measured as the number of commits pushed on the main branch—is a noisy metric that doesn’t reveal much. What we see by looking at the period from May 2024 to May 2026 (so one year before and one year after the migration) essentially shows that the commit rate remained essentially between “high” and “very high”:

(As an aside, where are the tools to plot statistics like this from a Git repository? I found myself hacking something together.)

Looking at contributions is more insightful. The plot below shows the number of monthly commit authors, the number of monthly committers, and the number of new commit authors each month (people who authored a commit for the first time in the Git history) for that same period.

The number of monthly authors, including new authors, keeps growing. There was a peak both in the number of authors and number of newcomers in June 2025, right after the migration to Codeberg, but for the rest growth appears to be comparable in the 2025–2026 half and in the 2024–2025 half. Guix keeps attracting new contributors but there wasn’t a significant “Codeberg effect”.

The slight increase in number of monthly committers compared to the sharper increase in number of authors might suggest that committers are more “productive”, handling more contributions.

Since the user survey highlighted some contributors were frustrated by the delay or the lack of response on contributed patches—a problem that many free software projects struggle with—a question is how well Guix deals with that today. The graph below shows the creation and closing rate of pull requests per month over the past year, together with the monthly backlog (pull requests opened the month before or earlier and still opened). This data was acquired using the amazing Forgejo interface.

This again shows an impressive rate of incoming code—more than 500 pull requests opened each month!—and an equally impressive, but slightly lower, merge rate, leading to a constantly-increasing backlog. A similar backlog was observed on Debbugs before. Today, there are about 639 opened pull requests out of 6,459 ever opened, or 10%; for comparison, Nixpkgs has 12k opened pull requests out of 473k ever opened, or 2.5%. This concerning backlog in Guix can perhaps be attributed to excessive friction and/or insufficient continuous integration feedback.

One source of friction is the requirement for each commit to be signed by an authorized committer. Unlike many other projects, including Nixpkgs, this requirement means that a person needs to take responsibility and to apply and sign changes they merge, as opposed to just clicking the “Merge” button. In a way, we’re trading developer convenience for user security. It’s a tradeoff we’re willing to make because we care about securing the “software supply chain”, but we have yet to see if this cost can be mitigated in some way.

On the bright side, and although this is harder to measure, one positive impact of the move to Codeberg is that activity within the project is more legible. I already mentioned continuous integration that provides feedback directly in pull requests, such that contributors immediately discover it, but there’s more.

Guix teams are reified as Codeberg teams and their scope is given the CODEOWNERS file such that the right people are pinged. A bot also adds a corresponding label—e.g., the team-python label for what’s in the scope of the Python team—allowing for issue and pull request filtering by label. However, teams are not notified of issues tagged with the corresponding label, which is irritating.

Other features such as cross-references among issues/pull requests as well as milestones also appear to facilitate collaboration.

Outlook

This is nice and all but there’s still room for improvement.

Our infrastructure could use some help. Build power for pulls.ci.guix.gnu.org should be increased, ideally with also more diversity—building for non-x86 architectures would be great! Cuirass itself has a number of shortcomings; some are being addressed for the upcoming 1.4.x series but there’s more work to be done. And also, pulls.ci.guix.gnu.org remains very much package-oriented; it would be nice, when appropriate, to run system tests as well.

The packager workflow still leaves a bit to be desired, in particular with regards to topic branches and world rebuild scheduling, which is still mostly tied to… our otherwise retired bug tracker.

We also want to remain good citizens, not causing excessive load on Codeberg servers (oops!) and keeping an eye on storage use: a single “fork” of Guix could exceed Codeberg’s new per-user quota of 750 MiB. The solution would be to require new contributors to use the AGit workflow to create pull requests. AGit is already popular among Guix contributors; however, the idea of requiring it is seen as a “downgrade” by some because it lacks the familiarity of the “regular” pull request workflow. One way to mitigate that might be to make it more discoverable with an “AGit fork” icon as was done for Gentoo.

Part of being a good citizen, for Guix and for Codeberg e.V., is listening to and accounting for one another’s concern, and this has worked beautifully so far. Guix Foundation recently voted to become a supporting (non-voting) member of Codeberg e.V. as a way to express gratitude and support.

Oh, breaking news: a pull request adding Forgejo and a service to set it up on Guix has just been submitted! Purely declarative configuration, fully reproducible deployment of a forge—can you imagine⁈ Symbiosis at play.

Acknowledgments

Many thanks to Steve “Futurile” George, Noé Lopez, and Maxim Cournoyer for reviewing an earlier draft of this post.

13:35

Issue 46 – Greta’s Wedding – 12 [Comics Archive - Spinnyverse]

The post Issue 46 – Greta’s Wedding – 12 appeared first on Spinnyverse.

12:14

Professional Athletes and Wearables [Schneier on Security]

I haven’t thought about the privacy issues surrounding professional athletes and wearables.

Wearables present serious privacy issues for “Average Joe” consumers, who are entrusting tech companies to safely store and protect their biometric data. Imagine the stakes for a professional athlete, whose entire livelihood could be affected by a single biometric data point. To give one of many realistic hypotheticals: a basketball player has a terrible game, and the coach wonders if they showed up to the gym hungover. The coach has access to the player’s wearable data, and checks to see when they went to sleep, as well as what their heart rate looked like during the night. Should the player have been out partying before a game? No. Should the coach be able to surveil them? Definitely not.

It will not surprise you to learn that there’s an emergent gambling angle here: sports leagues would love to commercialize players’ biometric data, and sharp bettors would love access to data about, say, a hungover player. “We’re going to get to a spot where people are betting not just on the velocity of the puck that was shot by a player in the NHL playoffs, but on what the heart rate of a certain player is going to be running down the field,” said Helen “Nellie” Drew, the director of the University of Buffalo’s Center for the Advancement of Sport, and a professor of practice in sports law.

There are other practical considerations, too. What if wearable data reveals that a player isn’t as speedy as they were before, and a team uses that data against the player during contract negotiations? What if a wearable reveals a player is favoring their leg, or is at greater risk of injury? This information is potentially beneficial to a training staff and an athlete, so long as it’s disclosed and used in a responsible manner—a critical, mostly unresolved caveat. “Aging and injured players are the most at-risk” of wearable data being used against them, said Michael LeRoy, who researches sports labor laws and AI, and is a professor at the University of Illinois’s School of Labor and Employment Relations.

The bit about gamblers is particularly scary.

I have often said that surveillance tech is generally deployed first against people with diminished rights: children, prisoners, military personnel, the mentally impaired. This is another early use case with different dynamics. The surveilled are wealthy and powerful, and—in many cases—unionized.

11:49

Grrl Power #1471 – Curb avalanche [Grrl Power]

“Say it ain’t so, doc! I only came in with a case of magma!”
“I’m sorry, Mr. Fuji. It’s definitely diamonds. On the plus side, the tumor removal should pay for itself.”
“Doc, do you ever think it’s weird our economy values tumors so highly?”
“I think it’s weird humans wear our tumors on their fingers and necklaces and ears.”
Aaaand scene.

Sydney probably meant to say “gregariousness,” which means someone who is highly sociable, outgoing, and fond of the company of others. Garrulous means being excessively talkative, especially about trivial or unimportant matters. Arguably, both words apply to Sydney, though the latter is rarely meant as a compliment.

Corite is what happens to copper when it’s “mana infused.” It has all sorts of neat properties that I haven’t quite figured out, but it’s great for smithing and enchanting. Infused metals “evolve” into new materials, you know, steel becomes adamantite, gold becomes orichalcum, etc. I’m sure Dabbler might bring it up at some point.

Final version is up, both at TWC and Patreon.

Double res version will be posted over at Patreon. Feel free to contribute as much as you like.

10:49

Irregular Webcomic! #3160 [Irregular Webcomic!]

Irregular Webcomic! #3160

10:07

Anniversaries [Seth's Blog]

Birthdays are a little overrated. I’ve never met anyone who was more than a passive participant in their birth, but anniversaries represent a choice.

Every year, we can commemorate a commitment we made and then decide to recommit.

Anniversaries aren’t just romantic. The day you took the job, the day you started the practice, the day you went out on your own, the founding date on the masthead. Anything you chose and then keep choosing has one. The calendar is full of invitations to re-decide.

A chance to celebrate the past and to imagine what comes next.

An anniversary is worth celebrating because of what we’re agreeing to do again.

08:42

Full Spectrum Warrior [Penny Arcade]

New Comic: Full Spectrum Warrior

06:07

Girl Genius for Monday, June 22, 2026 [Girl Genius]

The Girl Genius comic for Monday, June 22, 2026 has been posted.

05:35

Important Lessons [Ctrl+Alt+Del Comic]

He has to learn sooner or later.

The post Important Lessons appeared first on Ctrl+Alt+Del Comic.

00:14

A tale of two path separators [OSnews]

Braintrust query: Do you have a copy of Radio UserLand that runs?

Sunday, 21 June

22:49

In macOS, you can apparently create files and directories in the Finder with names that include slashes. If you then go into the terminal and take a look with ls, you’ll see that the slashes are actually colons.

I don’t understand all the nuances, but I know this is a side-effect of the fact that macOS has not one but two path separators: the slash (/) and the colon (:). The two separators are used in different contexts, and the system will translate between them as needed.

These two separators reflect the two parent systems of modern macOS: classic Mac OS and the Unix-like NeXTSTEP. When they were joined together, Apple’s engineers had to build a file system that was compatible with both the classic Mac’s file system (the Mac OS Extended File System, aka HFS+), and with NeXTSTEP’s file system (the Unix file system, aka UFS). Among other differences, these systems had different path separators: HFS+ used a colon, while UFS used a slash.
↫ Alex Chan (article from 2021)

I had no idea macOS worked this way, but it makes sense considering the platform’s dual history. What’s interesting is that when Apple moved to APFS almost a decade ago, this duality in path separators remained, most likely for backwards compatibility reasons. In a sense, this is somewhat similar to Windows supporting both backward and forward slashes, with the former being a leftover from DOS, and the latter an addition (to Windows) from the UNIX world.

None of that beats Windows when using the Japanese or Korean locale, though. Because Japanese and Korean Windows use different codepages than Windows in the Americas and Western Europe, these versions of Windows render the backslash as the yen sign (¥) and and won (₩) sign respectively. As such, something like the Program Files directory actually renders like C:¥Program Files¥ and C:₩Program Files₩. Similar issues occurred in other Windows locales as well, but the impact of this in Japan and South Korea were so widespread that people just expect it to be that way, even if it’s easily fixed today.

I can’t find if Windows 11 still uses ¥/₩ in Japan/South Korea, since the last references of it I can quickly uncover all point to Windows 10.

20:28

Reply on Twitter: "There's a great comic routine, forget who did it, Dave Chapelle maybe, about how people complain about how shitty air travel is, never stopping to realize that it's utterly amazing that there even is such a thing."

Apple internals: Swift in the kernel [OSnews]

Looking at the picture of the four ex-presidents at the opening of the Obama library, all I can think is that each of them played a part in creating Trump. Obama gave away the Supreme Court (see above). Clinton literally got blow jobs from a White House employee in the Oval Office. It's like wiping your ass with the American flag. That is fucked up, I don't care how fucked up the Repubs are. Bush, don't get me started on Bush. He seems like a sweet old dude now, but he was definitely on the path to Trump. And Biden -- his job as POTUS was to protect the United States. At that he failed in every imaginable way. Gauge the insult by what's happening now. Biden could have prevented all of this. He was too vain to see he had failed and decided he should run again! Holy shit. I'm ten years younger than he was and I don't think I'd have any business being president of anything. ;-)

Apple’s Swift has become the de-facto language for Apple’s own developers for a while now, and it seems that with the new operating system releases from the company unveiled during WWDC, Switch is now also being used in the kernel.

Naturally I dropped what I was doing and went grepping through the iOS 27 kernelcache. Alas, nothing came of it. All is not lost though: I found the Embedded Swift runtime in macOS 27, sitting in com.apple.kec.pthread of all places. Then I went poking around the root filesystem and it turns out Apple gave the whole effort a name: KernelKit.

Let’s dissect it.
↫ Josh Maine

It’s still quite limited at this time, which makes sense – you don’t want to be too crazy with the core of the operating system that runs on god knows how many PCs, smartphones, and other devices. It’s also entirely contained within a few kexts as embedded runtimes, and the XNU kernel itself remains entirely C and C++.

“I stored a website in a favicon” [OSnews]

Every website has a favicon. It’s that little icon in your browser tab. Usually you upload it once and then never think about it again. But. A favicon is just an image. An image is just pixels. And pixels are just bytes.

So of course I wondered if I could store something inside one.
↫ Tim Wehrle

I love it when people do something useless just for fun.

19:42

With AI you can have a team of assistants available on call at any time. The other day I went from working on a deep technical problem (changing the format of a permalink, which is also used as an id) quickly and correctly and then immediately switching to how to format a blog post so it looks like something produced by a professional writing app. Same thread. It's amazing how much it knows about all aspects of what I do. And it does more than write code. It handles complexity so much better than I do, which means I get to develop products that work better and do more. If I get an idea long after I've moved on from a section of code it can still be implemented with equal quality. There is no such thing as a human being that can do the things it does. A big bug in the critiques people have about it replacing humans. When jet planes came along did they complain that they would replace taxi drivers? Things never work out the way you think they will when they're new. This is my third such rodeo. Sometimes the concerns are obvious and true, btw. That happens as well.

I don't think Obama deserves to go down as a good president. He let the fascists in. His big moment was when he let Mitch McConnell keep his Supreme Court nominee from being approved. Never should have conceded. He didn't fight at all. He was president of the United States, the place where the buck stops.

We lost a lot more than a few hundred billion in Iran war. We had invested much more over 80 years on peace in the Middle East. In one brief orgy of violence Trump threw that away.

Slutfarm [Oglaf! -- Comics. Often dirty.]

Hey what we're doing in AI-land is building the Matrix we want to live in. When we get there there won't be anything left to do in this dimension, our plane will finally lift off and fly awaaaay in the sky. I hope you understand, I just had to go back to the Island.

18:14

17:21

Tim Retout: seL4 repo relationships [Planet Debian]

The seL4 organisation on GitHub uses git-repo to manage multiple source repositories, and so there are a large number of projects to get your head around when figuring out the ecosystem.

As an experiment, I have taken the various manifest files across the org, and constructed a graph based on how frequently each pair of repositories is mentioned in a manifest together. See below:

[This may render badly when syndicated outside of my blog; and also on small screens. And probably large screens. I’ve attempted to make sure there’s a non-JS fallback – on my site with JS enabled, if you hover over a node, it should highlight connected nodes.]

The colouring of the nodes is mostly manual; I experimented with graph clustering algorithms but have not found a satisfactory result so far. Still, some clusters are obvious:

Kernel – the seL4 microkernel proper. This often but not always co-exists with the main cluster of core libraries, but it is pulled away slightly by the verification and microkit manifests.
Verification – the verification repositories (l4v, HOL, graph-refine, polyml, isabelle) form a very distinct group. These are connected only to the seL4 microkernel itself, which is the only component formally verified.
Microkit – microkit is a newer operating system framework that does not use CAmkES, so stands apart from the rest of the pack. I chose to scope this work to the seL4 org, so the LionsOS ecosystem and sDDF which are maintained by Trustworthy Systems are not shown. Also not linked is rust-sel4, because this modern world isn’t using git-repo in the main to manage its repositories.
RefOS – I’d not come across refos before, but it appears to be an example OS from 2021 built on the seL4 kernel.

It’s quite hard to pull apart the CAmkES framework and the core libraries; there are definitely some which are more associated with VM management, but the overall shape of this co-occurence data is a messy ball in the middle with some outliers in orbit. One observation is that camkes is correctly identified as more peripheral than camkes-tool, which contains the actual core CAmkES code.

Reflecting on this approach, in hindsight I’m surprised that using co-occurences worked as well as it did – there was no attempt to actually inspect the code and find direct mentions of other code e.g. library header dependencies. As the newer microkit effort largely eschews git-repo, better results might be found by actually taking that more detailed approach, so that graph edges could represent real dependencies between two packages. Additionally, this could allow diving into the various libraries held in the different ’libs’ repos, to get a more granular graph of relationships between them.

However, I think I spent more time on making it possible to render graphviz graphs easily on my blog than actually gaining any insight into the codebase!

16:35

Dirk Eddelbuettel: RcppArmadillo 15.4.0-1 on CRAN: New Upstream Minor [Planet Debian]

Today's song: Back to the Island.

15:49

Armadillo is a powerful and expressive C++ template library for linear algebra and scientific computing. It aims towards a good balance between speed and ease of use, has a syntax deliberately close to Matlab, and is useful for algorithm development directly in C++, or quick conversion of research code into production environments. RcppArmadillo integrates this library with the R environment and language–and is widely used by (currently) 1282 other packages on CRAN, downloaded 47.1 million times (per the partial logs from the cloud mirrors of CRAN), and the CSDA paper (preprint / vignette) by Conrad and myself has been cited 697 times according to Google Scholar.

This versions updates to the 15.4.0 upstream Armadillo release made on Thursday. We had run a complete reverse-dependency check leading up to it, asserting there were no issues with packages dependent on it. As it sometimes goes with that many packages involved, one CRAN package reported one test failure. And it turned out to be both unrelated and pre-existing. But sorting this out over one round of email delayed things by a day. And then I went cycling for a good cause so this announcement post comes a little later than usual. The package has also been updated for Debian, built for r2u, and by now also at CRAN for the different binary releases.

All changes since the last CRAN release follow.

Changes in RcppArmadillo version 15.4.0-1 (2026-06-17)

Upgraded to Armadillo release 15.4.0 (Medium Roast Agave)

Added fill::nan, fill::pos_inf, fill::neg_inf as optional fill forms for the Mat class

Added .push_back() for appending elements to vectors

Faster handling of find() within .elem()

Faster element-wise min() and max()

Faster conv_to when element types of input and output objects are the same

Courtesy of my CRANberries, there is a diffstat report relative to previous release. More detailed information is on the RcppArmadillo page. Questions, comments etc should go to the rcpp-devel mailing list off the Rcpp R-Forge page.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. If you like this or other open-source work I do, you can sponsor me at GitHub. You can also sponsor my Tour de Shore 2026 ride in support of the Maywood Fine Arts Center.

15:07

Vasudev Kamath: Releasing debvulns: CLI for listing Debian vulnerabilities [Planet Debian]

Claude is much better at needle-in-haystack troubleshooting. It doesn't get flustered or overwhelmed. And it can hold the whole map in its head, whatever that looks like, impossible to imagine.

15:00

Following up on my previous post, I have released the debvulns CLI. This utility uses the same parsing logic as the debsecan-mcp server but exposes the functionality directly via the command line.

Why a new CLI?

While Debian's native debsecan utility exists, it lacks modern output formats like JSON and CSV, and fails to expose a significant amount of metadata available in the Debian Security Team's daily snapshot.

Additionally, running a persistent Model Context Protocol (MCP) server introduces context window overhead. The manifests and tool descriptions required by the protocol consume tokens even when idle. For debsecan-mcp, the MCP Inspector utility shows an overhead of roughly 150 tokens.

By contrast, an LLM can parse a standard CLI help menu on-demand without permanently draining the context window. Integrating the CLI into a persistent agent workflow can be achieved via a skill file, allowing the LLM to leverage the tool without repeated discovery overhead.

What else is NEW?

During testing, I observed discrepancies between the output of debsecan-mcp/debvulns and native debsecan. Debugging with an LLM revealed a bug in the version comparison logic that caused debvulns to underreport vulnerabilities. This has been resolved.

The current interface supports structured formatting and customizable data backends:

usage: debvulns [-h] [-s {critical,high,medium,low,negligible}] [-f {json,csv}] [--sort-by {package,cve}] [--vuln-url VULN_URL] [--epss-url EPSS_URL] [--suite SUITE]
                [--cache-dir CACHE_DIR] [--no-cache] [-v]

debvulns - CLI Debian Vulnerabilities Tracker

options:
    -h, --help            show this help message and exit
    -s, --severity {critical,high,medium,low,negligible}
                          Filter vulnerabilities by severity
    -f, --format {json,csv}
                          Output format (default: json)
    -sort-by {package,cve}
                          Sort vulnerabilities by 'package' or 'cve'
    --vuln-url VULN_URL   Custom URL or local path for Debian Security Tracker data
    --epss-url EPSS_URL   Custom URL or local path for EPSS scores data
    --suite SUITE         Debian suite name (e.g. bookworm, sid). Auto-detected by default.
    --cache-dir CACHE_DIR
                          Directory to cache fetched and parsed data (default: /var/cache/debvulns)
    --no-cache            Do not use cached data, force downloading and parsing
    -v, --verbose         Enable verbose debug logging (sent to stderr)

By allowing users to override data sources with local snapshots of the Debian Security Tracker and EPSS feeds, debvulns can run natively in airgapped environments.

What Next?

The next step is building a Prometheus exporter for this vulnerability data to streamline scanning and monitoring across data center infrastructure. Stay tuned.

10:49

Irregular Webcomic! #3159 [Irregular Webcomic!]

Irregular Webcomic! #3159

10:42

“In its larval state” [Seth's Blog]

Thirty years ago, Cory Doctorow did an interview showing primitive inklings of the internet future (music, videos, etc.). At the time, it was easy to dismiss it as an irrelevant toy, and most people in power did just that.

Around the same time, I wrote an article for Direct Marketing magazine outlining the future of email marketing. Again, most people who saw it didn’t agree enough to actually do something with it.

Now, here we are, with AI in the larval state. It’s easy to look at the very real financial and human cost, the speed bumps, the errors, and decide to just wait and see.

The real question is whether this is like the web and email, or more like virtual reality headsets.

When you make the choice to avoid becoming the most experienced person in a room (whatever room you’re in), you’re making a bet about the future.

00:00

New Cover: “Comfortably Numb” [Whatever]

What can I say, I was feeling a little ambitious.

And yes, I did the guitar solos, but before you get too impressed, please know a) they’re not recreations of the David Gilmour solos, because my ambitions have real and practical limits, and b) I cheated. And by “cheated” I mean I initially tried to do the solos on one of my guitars, but it turns out I am slow, have clumsy fingers made of hot dogs and despair, and only questionably know how to find the key of B Minor on my fretboard.

So, I took my ROLI keyboard, which lights up in rainbow colors, set it to show only the notes in the B Minor Pentatonic scale, fired up a guitar synth, connected to the “Comfortably Gilmour” virtual amp/pedal set up, and went to town. The ROLI keyboard has MPE ability, which means I could do the equivalent of string bends by wiggling the keys. It was fun being a fake guitar hero for a bit. I am very sure that David Gilmour will not be losing any sleep over me. And I really do plan to get better on guitar. Soon! Maybe! We’ll see.

Also, I did the scream. That was a whole thing too.

Enjoy!

— JS

Saturday, 20 June

23:49

Gunnar Wolf: systemd for Linux SysAdmins [Planet Debian]

Doing a prior art search and came across this early DaveNet example. The left column had the blue ribbon for free speech on the web, and below were links to the archive pages for each of the years. Screen shot. About ten years of essay writing. DaveNet was where the blog started, and then it became an arm of the blog home page which also included titleless posts, example, and then all the action moved onto the new home page and that was the end of this layout.

21:07

This post is an unpublished review for systemd for Linux SysAdmins

systemd. Yes, in full lowercase. If there is ever a technology to cause controversy in the Linux world, this is it. Since its inception in 2010, systemd’s goals were set quite high — replacing the vital part in every Linux system that takes care of the system boot process. It quickly reached maturity, allowing its to be adopted as the main init system in most major distributions just five years later. But even given we are describing events that happened over a decade ago, systemd adoption still raises the temperature in any Linux-related discussion.

David Both’s comprehensive book tackles the “what”, the “why” and the “how” issues surrounding systemd. Carefully divided in 16 chapters, going from explaining the basics and some of the technical and political history behind the project to the different subsystems and aspects covered by systemd, its almost 450 pages can scare people away — but the text is written in a very clear, tutorial-like fashion, and while it can be read sequentially, cover-to-cover, the book is amenable for readers to pick a single aspect and jump straight to the relevant chapter.

One of the frequent criticisms the systemd project has received is that it aims to basically rewrite all of a Linux system, and just looking at this book’s index shows there is some truth to it. The first chapter is an introduction to the systemd project and a brief overview of its history (including the controversies around it), and the following four chapters deal about understanding and controlling the system boot process.

But that still leaves ten chapters to account for — they cover different aspects or sub-projects of systemd, such as time and date issues (synchronization, time specifications, and controlling repetitive tasks), understanding and leveraging the system journal that strongly departs from the old syslog system, network configuration and firewall management, system health and performance debugging — all of them, aspects that in the traditional Unix philosophy were managed by independent programs… And I can identify several systemd sub-projects not covered by this book!

We long-time Unix and Linux administrators took pride in how highly performant and stable systems were supported by the simplicity of our tools; systemd critics point out this massive project has absorbed dozens of individual tools, yielding corporate control over vast swaths of vital system tooling. Truth is… as a sysadmin myself, systemd is today one of my greatest allies.

I appreciate the author evaluates every component independently, including his personal evaluation of each — even stating he prefers working with the traditional programs in several areas.

If there is a criticism I must make about this book is that, although typographically it is well formed and taken care of, given it includes large amounts of console captures, having a maximum width below 70 characters means several lines are unnaturally cut short (and continued with odd indentations). I understand there is probably no “right” way to solve this, but it does affect the feeling of naturally reading the text.

17:28

Pluralistic: How the Epstein Class recruits (20 Jun 2026) [Pluralistic: Daily links from Cory Doctorow]

->->->->->->->->->->->->->->->->->->->->->->->->->->->->-> Top Sources: None -->

Today's links

How the Epstein Class recruits: Oh wait, THAT'S what this was?!
Hey look at this: Delights to delectate.
Object permanence: MPAA blasted in WSJ; RFID skimmers; Post-Soviet inventions; "Farthing"; "Dirty, Drunk and Punk"; Dweb v founders' frailty; Tax cheating made simple; Oregon v corporate medicine.
Upcoming appearances: Toronto, NYC, Philadelphia, Chicago, London, Edinburgh, Sydney, Melbourne, Brighton, London, South Bend.
Recent appearances: Where I've been.
Latest books: You keep readin' em, I'll keep writin' 'em.
Upcoming books: Like I said, I'll keep writin' 'em.
Colophon: All the rest.

How the Epstein Class recruits (permalink)

Perhaps you've encountered the stories about Dialog, an extremely weird secret society associated with Peter "Antichrist" Thiel, whose membership data and details have leaked this week:

https://www.wired.com/story/how-peter-thiels-private-dialog-club-secretly-ranks-its-members/

By all appearances, this is a comically creepy, awful talking-shop for the Epstein Class. It's not all that surprising, in retrospect, to learn that all these terrible people were in a group chat, secretly assigning ratings to one another, and periodically gathering to have tedious panels about, I dunno, "race science" or whatever.

I'm on the oligarchy beat, so stories about Dialog have been popping up in my RSS feed for the past week or so, but it wasn't until last night that I made a connection.

A year or two ago, I got an invite to speak at an event. This is normal, I get a lot of these and I do a lot of public speaking. I'm good at it, and it's a good way for me to reach people and get them energized about the issues I care about. Sometimes, I do these talks for free. Sometimes I get paid.

When I first glanced at this speaking offer, I thought, "Huh, I guess this is one to send on to my speaking agent," because the names the offer dropped were a bunch of rich people, and so I assumed that they were having some kind of summit and looking for a keynoter. Then I read a little more carefully and realized they – these billionaires and their lickspittles! – wanted me to pay them, thousands of dollars, so that I could shlep my ass to some luxury resort in order to have the privilege of speaking to them.

I came up as a science fiction writer, and at some point, every sf writer learns "Yog's Law," coined by James D Macdonald when he was running the science fiction forum on GEnie, under the screen name "Yog Sysop":

money flows toward the writer

https://en.wikipedia.org/wiki/James_D._Macdonald#Educational_work

In other words, whenever you, as a creative worker, are approached by someone who wants to "help" you with your work, and they want you to pay them, they are a scammer, preying upon your essential human need to communicate with others. Run away.

Which is what I did. I deleted the email.

Then, I got another one a couple months later. Ugh. I wrote a mail rule that auto-deleted anything from that sender and promptly forgot about the matter. Until last night.

I just had a look at my Trash folder and yup, these people are still emailing me in hopes that I will give them thousands of dollars to join their weird secret society.

I don't know if everyone who joined Dialog got an email like the one I was sent, but if you want to understand how at least some of those people ended up on those membership rolls, well, now you know: they were schmucks who'd never learned Yog's Law.

(Image: Gage Skidmore 1, 2, 3, 4, 5, 6, CC BY-SA 2.0; TechCrunch50-2008, Dan Taylor 1, 2, CC BY 2.0; modified)

Hey look at this (permalink)

EFF Joins 60+ Groups Urging the UK to Halt Face Estimation at the Border https://www.eff.org/deeplinks/2026/06/joins-60-groups-urging-uk-halt-face-estimation-border
AI Shouldn’t Dictate Our Democracy. Vote Alex Bores. https://www.youtube.com/watch?v=M6KQ2yDK1Q4
tokenalysis and john henry https://backofmind.substack.com/p/tokenalysis-and-john-henry
Making Free Warhammer Terrain https://www.youtube.com/watch?v=p6YC-cOngHg
Mechanical Watch https://ciechanow.ski/mechanical-watch/

Object permanence (permalink)

#20yrsago Wendy Seltzer smokes the MPAA in the Wall St Journal https://web.archive.org/web/20061016014904/http://online.wsj.com/public/article/SB115047057428882434-1V_FEK_CJelMfytdST8APRW7cZw_20060720.html

#20yrsago HOWTO build an RFID skimmer https://web.archive.org/web/20060703081753/http://www.eng.tau.ac.il/~yash/kw-usenix06/index.html

#20yrsago Desperate inventions of post-Soviet Russia https://memex.craphound.com/2006/06/20/desperate-inventions-of-post-soviet-russia/

#20yrsago NYT falsely reports that Wikipedia has added restrictions https://jimmywales.com/2006/06/17/the-new-york-times-gets-it-exactly-backwards/

#20yrsago Farthing: Heart-rending alternate history about British-Reich peace https://memex.craphound.com/2006/06/20/farthing-heart-rending-alternate-history-about-british-reich-peace/

#15yrsago Dirty, Drunk and Punk: the untold history of Toronto’s BUNCHOFFUCKINGGOOFS https://memex.craphound.com/2011/06/20/dirty-drunk-and-punk-the-untold-history-of-torontos-bunchoffuckinggoofs/

#10yrsago Video: Guarding the Decentralized Web from its founders’ human frailty https://www.youtube.com/watch?v=zlN6wjeCJYk

#10yrsago Unnamed Canadian telco sabotages’ library’s low-income internet service https://web.archive.org/web/20160618143132/https://motherboard.vice.com/read/canadian-telecoms-limiting-wifi-low-income-families-toronto-public-libraries-digital-divide

#10yrsago Clarence Thomas rumored to be considering retirement https://web.archive.org/web/20160622135444/http://www.washingtonexaminer.com/end-of-conservative-supreme-court-clarence-thomas-may-be-next-to-leave/article/2594317

#10yrsago Tolkien elf or prescription drug name? https://web.archive.org/web/20160609021515/https://entertainment.howstuffworks.com/arts/literature/drug-or-tolkien-elf-quiz.htm

#5yrsago The EU, Tech Trustbusting, and Trade Wars https://pluralistic.net/2021/06/20/the-eu-tech-trustbusting-and-trade-wars/

#5yrsago How to cheat on your taxes https://pluralistic.net/2021/06/20/la-hougue/#complexity

#1yrago Oregon bans the corporate practice of medicine https://pluralistic.net/2025/06/20/the-doctor-will-gouge-you-now/#states-rights

Upcoming appearances (permalink)

Toronto: The Sovereignty Debate (IAB Canada's State of the Nation), Jun 23
https://iabcanada.com/state-of-the-nation-2026
Toronto: The Reverse Centaur's Guide to Life After AI (Osler Records/Type Books), Jun 23
https://www.eventbrite.com/e/cory-doctorow-book-launch-and-talk-tickets-1991501299998
NYC: The Reverse Centaur's Guide to Life After AI with Jonathan Coulton (The Strand), Jun 24
https://www.strandbooks.com/cory-doctorow-the-reverse-centaur-s-guide-to-life-after-ai.html
Philadelphia: The Reverse Centaur's Guide to Life After AI with David Williams (Fitler Club/Philadelphia Citizen), Jun 25
https://www.eventbrite.com/e/cory-doctorow-book-event-tickets-1990110326559
Chicago: The Reverse Centaur's Guide to Life After AI with Rick Perlstein (Exile in Bookville), Jun 26
https://exileinbookville.com/events/50628
London: Idler Festival, Jul 11
https://www.idler.co.uk/festival/
Edinburgh International Book Festival with Jimmy Wales, Aug 17
https://www.edbookfest.co.uk/events/the-front-list-cory-doctorow-and-jimmy-wales
Sydney: The Festival of Dangerous Ideas, Aug 23-24
https://festivalofdangerousideas.com/cory-doctorow/
Melbourne: Enshittification at the Wheeler Centre, Aug 25
https://www.wheelercentre.com/events-tickets/season-2026/cory-doctorow-enshittification
Brighton: The Reverse Centaur's Guide to Life After AI with Carole Cadwalladr (Brighton Dome), Sep 8
https://brightondome.org/whats-on/LSC-cory-doctorow-the-reverse-centaurs-guide-to-life-after-ai/
London: The Reverse Centaur's Guide to Life After AI with Riley Quinn (Foyle's Picadilly), Sep 9
https://www.foyles.co.uk/events/enshittification-cory-doctorow-riley-quinn
South Bend: An Evening With Cory Doctorow (Notre Dame), Oct 6
https://franco.nd.edu/events/2026/10/06/an-evening-with-cory-doctorow/

Recent appearances (permalink)

How to Think About AI Before It’s Too Late (Galaxy Brain)
https://www.youtube.com/watch?v=SPQNPJ0CEPo
The future of world governance, with Kim Stanley Robinson (UN Independent Expert on International Order)
https://www.youtube.com/live/wJvBvYdaAMY
How to Think About Artificial Intelligence (KUER)
https://radiowest.kuer.org/show/radiowest/2026-06-16/cory-doctorow-on-how-to-think-about-artificial-intelligence
The Enshittification of Life, the Universe, & Everything (Luke Savage)
https://www.lukewsavage.com/p/the-enshittification-of-life-the
Cory Doctorow's digital jail-break (DW In Focus)
https://www.dw.com/en/cory-doctorows-digital-jail-break/audio-77414035

Latest books (permalink)

"Canny Valley": A limited edition collection of the collages I create for Pluralistic, self-published, September 2025 https://pluralistic.net/2025/09/04/illustrious/#chairman-bruce
"Enshittification: Why Everything Suddenly Got Worse and What to Do About It," Farrar, Straus, Giroux, October 7 2025
https://us.macmillan.com/books/9780374619329/enshittification/
"Picks and Shovels": a sequel to "Red Team Blues," about the heroic era of the PC, Tor Books (US), Head of Zeus (UK), February 2025 (https://us.macmillan.com/books/9781250865908/picksandshovels).
"The Bezzle": a sequel to "Red Team Blues," about prison-tech and other grifts, Tor Books (US), Head of Zeus (UK), February 2024 (thebezzle.org).
"The Lost Cause:" a solarpunk novel of hope in the climate emergency, Tor Books (US), Head of Zeus (UK), November 2023 (http://lost-cause.org).
"The Internet Con": A nonfiction book about interoperability and Big Tech (Verso) September 2023 (http://seizethemeansofcomputation.org). Signed copies at Book Soup (https://www.booksoup.com/book/9781804291245).
"Red Team Blues": "A grabby, compulsive thriller that will leave you knowing more about how the world works than you did before." Tor Books http://redteamblues.com.
"Chokepoint Capitalism: How to Beat Big Tech, Tame Big Content, and Get Artists Paid, with Rebecca Giblin", on how to unrig the markets for creative labor, Beacon Press/Scribe 2022 https://chokepointcapitalism.com

Upcoming books (permalink)

"The Reverse-Centaur's Guide to AI," a short book about being a better AI critic, Farrar, Straus and Giroux, June 2026 (https://us.macmillan.com/books/9780374621568/thereversecentaursguidetolifeafterai/)
"Enshittification, Why Everything Suddenly Got Worse and What to Do About It" (the graphic novel), Firstsecond, 2026
"The Post-American Internet," a geopolitical sequel of sorts to Enshittification, Farrar, Straus and Giroux, 2027
"Unauthorized Bread": a middle-grades graphic novel adapted from my novella about refugees, toasters and DRM, FirstSecond, April 20, 2027
"The Memex Method," Farrar, Straus, Giroux, 2027

Colophon (permalink)

Today's top sources:

Currently writing: "The Post-American Internet," a sequel to "Enshittification," about the better world the rest of us get to have now that Trump has torched America. Third draft completed. Submitted to editor.

"The Reverse Centaur's Guide to AI," a short book for Farrar, Straus and Giroux about being an effective AI critic. LEGAL REVIEW AND COPYEDIT COMPLETE.
"The Post-American Internet," a short book about internet policy in the age of Trumpism. PLANNING.
A Little Brother short story about DIY insulin PLANNING

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.

How to get Pluralistic:

Blog (no ads, tracking, or data-collection):

Newsletter (no ads, tracking, or data-collection):

Mastodon (no ads, tracking, or data-collection):

Bluesky (no ads, possible tracking and data-collection):

Medium (no ads, paywalled):

https://mostlysignssomeportents.tumblr.com/tagged/pluralistic

Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):

"When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla

ISSN: 3066-764X

16:56

Claude doesn't care if you criticize the code it wrote, because if it wasn't written just now, it didn't write it. It starts from zero in every session, you can watch it, like HAL in 2001, singing daisy daisy. I can see it happening as the environment of my app is getting so large, it has to do a bit of thinking to start up, more all the time. But as humans who were brought up properly, we like to add the niceties to our criticism so as to not make the other one feel bad. I do that for myself, not the machine, I know it doesn't identify as the creator of the code.

Russell Coker: HP Z4 G4 [Planet Debian]

When I got this email from Google on this day in 2018, I had a sinking feeling, this was like getting a letter from Apple a few years earlier. They were treating the web as if it were their platform.

15:42

In what is hopefully the conclusion of my hunt for a cheap tower server supporting REBAR [1] I have just bought a HP Z4 G4 with W-2125 CPU for $320.

Hardware

One interesting thing is that it has an adaptor from SATA power to 8 pin PCIe power. According to Wikipedia the 8 pin connector provides 150W at 12V [2]. According to Wikipedia SATA power cables include 3 12V pins each of which can deliver 1.5A [3] which is 54W. The system as I received it had a single SATA power plug connected so potentially 150W could be drawn from a connector designed for 54W. The first thing I did was to connect a second SATA power connector on the same cable so I could have connectors designed for a total of 108W supplying potentially 150W (and definitely more than 75W).

I found two versions of the specs for this system, this version seems to match what I bought as it references W-21xx CPUs [4] while this version matches what I would rather have with a W-22xx CPU [5]. The URL naming scheme implies that there are potentially at least a few other variants out there. So much for the “buy name brand and you can buy two systems with the same model and have them work the same” benefit you hope to get. Why don’t they just name them “G4.1”, “G4.2”, etc?

It seems that W-21xx and W-22xx CPUs are incompatible, so the W-2295 scoring 30,804 multithread and 2,634 single thread on passmark that I hoped to get isn’t an option [6].

The system is well designed for space efficiency, both it and the Z640 are 17cm wide but the Z4G4 allows my to close the lid with the Intel Battlemage card installed which doesn’t come close to fitting in a Z640. It has 8 DIMM sockets and with the ready availability of 32G DIMMS that allows 256G of RAM which is the maximum the motherboard supports. That compares well to the Z640 that only has 4 DIMM slots and the Z6G4 which only has 6.

The system supports a maximum RAM speed of DDR4-2666 which is better than the DDR4-2400 of the Z640 but less than the DDR4-2933 of the Z6G4.

The NVMe sockets on the motherboard are a convenient feature. Most systems I run need at most two NVMe devices so this saves a PCIe slot which is important when dealing with GPUs that take 2+ slots. Also for systems that don’t really need NVMe I can use some of the small NVMe devices that I have no other use for. 128G NVMe devices aren’t even worth selling and 256G will be of little use in the near future. So when I move to gen4 Z servers I can use up some of them without wasting slots.

Using the lesser socket LGA2066 in the Z4G4 is a minor annoyance, but for a single socket system 18 cores is probably enough.

The BIOS has an option for single-socket NUMA, which is basically locking cores in a single CPU to specific RAM channels. I enabled it but it did nothing presumably because I only have 2 DIMMs. When I get more DIMMs I’ll do some tests of that and compare it with NUMA on my Z840.

Variants

There are many different variants of the Z4G4 and the only way to recognise them is by the CPU not by any part number or serial number AFAIK. The first difference is between server grade CPUs (the W-2xxx CPUs) and desktop grade CPUs (the i7 and i9 CPUs). The systems with i7 and i9 CPUs don’t support ECC RAM which makes them less reliable, gives smaller limits for RAM

The below table compares the Z640 which is my current desktop PC with the Z4G4, Z6G4, and Z8G4 systems. For the latter 3 I have included multiple options for the parts that differ in different models in the same name series. The Z4G4 I have is an early one which only supports W-21xx CPUs which means a maximum RAM speed of 2666 and the best possible CPU would only be 15% faster than my Z640. I can only use this for ML stuff as it’s the only system I have with REBAR support (which works well).

	Z640 (1 socket)	Z4G4	Z6G4 (1 socket)	Z8G4
DIMM slots	4	8	6	24
Max DDR4 speed	2400	2666/2933	2666/2933	2666/2933
Max DIMM size	32G	64G	64G	64G/128G
System Max Ram	128G	512G	192G/384G	1.5T/3T
CPU Socket	LGA2011-3	LGA2066	LGA3647	LGA3647
Best CPU	E5-2699A v4	W-2195/W-2295	Platinum 8180/W-3275	Platinum 8180/8280
Motherboard NVMe	0	2	2	?

Conclusion

In my previous blog post I concluded that the next step up for me would be DDR5 systems [10]. But now some of the LGA3647 systems are appealing. The Z8G4 would be a decent upgrade from my current Z840 build server and should be affordable long before any two socket DDR5 system becomes affordable.

The Z4G4 doesn’t have any potential for useful upgrades. But for me it was a good cheap way to house a GPU that had already damaged the motherboard of one good system. If the Z4G4 has a PCIe slot break the way my Z840 did then it wouldn’t bother me a lot. It was annoying to discover how limited this variant of the Z4G4 is after buying it, but at that price I can’t complain.

A Z6G4 could be a nice workstation if I found one at a really low price. The only reason I’d seek one out is if I had a need for a desktop workstation with REBAR support, which seems unlikely.

15:28

Silos are the problem [Scripting News]

A silo is a place where developers feel protected from the unbounded world of the web. In return they are completely controlled by the silo owner. The owner decides where you can go, and can and do revoke privileges. Developers in silos are mostly powerless.

Companies usually are the ones who create silos, but open formats can create them too. JSON, for example, has been used as an excuse to reinvent everything that was done in XML.

Open source projects create silos too. A protective zone that doesn't interop with competitors. Where you have to climb into the project to build on it.

Outside of silos, on the web, your code calls a platform using a standard API. Developers who, because of standards, can plug into anything, and thus give users maximum choice.

Podcasting is not a silo. It's part of the web. Support two easy formats and you've got a node. You'll find packages that do all that on any well-developed coding platform.

I believe we can do something like that for text. That's what I've been working on in the 2020s. It's slow-going because the foundation ideas of the web are not well-understood by today's developers, or at least that's how I experience it. ;-)

We're rethinking the whole tech world right now, and we can use formats and protocols that are available on the web, not by replacing the ones that are already there, but by using the existing paths in new ways. Big difference.

14:07

Russell Coker: Font Sizes [Planet Debian]

The Problem

In 2019 I blogged about getting a 4K monitor because of my vision being inadequate for a 2560*1440 monitor [1]. Now I’m using a 40″ 5120*2160 monitor [2] and still trying to find the correct balance between how much I want to see on the screen and what I am physically capable of seeing on screen.

Currently Kitty is my terminal emulator of choice [3]. What I most like about it is the feature of having multiple terminal windows in a single OS window, so instead of having 9 or 16 different xterm instances running all with possible alignment issues I have a single window for all terminals which can be brought to the foreground. The impending 6.7 release of KDE (my favourite Linux desktop environment) [4] includes the feature of per-screen virtual desktops which might be the feature I need to make multiple monitors usable for me. One of the factors stopping me from using multiple monitors in the past was the issue of not getting the alignment of dozens of xterms right if a monitor goes to sleep mode and is regarded as disconnected, moving a few Kitty windows is much easier than moving dozens of xterms (also a tiling window manager isn’t my style).

I’ve just decided that the Terminus font (my favourite out of the monospaced fonts in Debian) is too small for me at 9.0 point. But then I tried 10.0 which looked really ugly and an experiment showed that 10.5 looked good.

What I’ve Learned

This is the best explanation I’ve seen of how ridiculous the whole font point thing is [5]. It doesn’t and won’t ever correlate to pixels. So what we ideally want to do is set the size on screen to match the actual pixel size of the font. I can’t find any software to interrogate a font file and find out what sizes it supports. The web page for the Terminus font says that it supports 6×12, 8×14, 8×16, 10×18, 10×20, 11×22, 12×24, 14×28 and 16×32 [6]. So the question is how to get a terminal program that uses one of those.

Kitty doesn’t and won’t support specifying font size by pixel. I tried some other terminal programs, I started with the Debian Wiki page TerminalEmulator [7] which wasn’t very helpful, I added some new entries to that page. There doesn’t seem to be another option for a terminal emulator with multiple terminals in one OS window that can arrange them automatically. I didn’t even get to the stage of checking whether other terminal emulators supported font size in pixels.

The lcdf-typetools package contains the program otfinfo which gives some interesting information on fonts but nothing about the font sizes in pixels.

Sites like Coding Font to compare fonts [8] can never work properly as the fonts will always be slightly different sizes as the same point size doesn’t mean the same display size.

The Current Situation

On my 5120*2160 monitor with 9 Kitty terminal sessions with 9.0 point font they each have 277*50 characters. With 10 point it’s 237*46 but fuzzy and unpleasant to read. With 10.5 point it’s 208*43 which isn’t as good as I’m used to but is still almost 4.5* as many characters as the original 80*25 standard for terminals.

Some time before 2019 I had a 4*4 array of terminal windows that were 100*25 or 120*25. That left some space at the right and bottom so I could open another 8 or 9 terminals that were partially obscured if I needed to. By 2019 before getting a 4K monitor I had a 3*3 array of terminal windows as my standard desktop and a larger monitor that did 4K resolution allowed me to have 16+ terminals again. Now with Kitty I routinely have 9 terminals in a 3*3 array and I can easily open more if I need them and have them resize appropriately.

This situation works reasonably well, but the element of just trying different sizes in 0.5 point increments until I find something that looks good is unpleasant. I should be able to specify the next largest increment of the bitmaps in the font and just have it look good.

Conclusion

It would be good if more people tested the terminal emulators in Debian and added information to the wiki page about them. The current page is useful but needs more information to support the variety of features that people find important.

We need some tools to provide information on fonts in Debian, such as the sizes of bitmapped fonts.

The whole point size thing is just wrong and would ideally go away. The vast majority of font use nowadays is for things that will probably never end up on a printed page so trying to map it to a physical size in fractions of an inch makes no sense. But that’s just one of many horrible things used for backwards compatibility that aren’t going to go away any time soon. Really everything involving inches should go away.

10:49

Irregular Webcomic! #3158 [Irregular Webcomic!]

Irregular Webcomic! #3158

10:42

99% might be enough (or not) [Seth's Blog]

A 100-foot long boat that’s 99% complete is going to sink before it leaves the dock. That gaping hole is more than enough to do it in.

On the other hand, a baked ziti that’s 99% as good as the best baked ziti ever made is exactly good enough to serve in any setting.

Mediocrity isn’t the point. Neither is perfection. The question is: what’s the best allocation of effort in order to delight our customers?

We should be clear about which category we’re working in.

08:42

What does it mean when the bottom bit of my HMODULE is set? [The Old New Thing]

The numeric value of an HMODULE is normally the base address of the DLL or EXE it represents. These base addresses are always multiples of 64KB, so the bottom 16 bits are all zero. Yet you may run across one with the bottom bit set. What does that mean?

Normally, when you load a DLL, it gets an entry in the table of loaded modules. This table is consulted by functions like GetModuleHandle and EnumProcessModules to identify all the DLLs that have been loaded. It also is used to keep track of how many times each DLL has been loaded, so that the DLL is removed from memory when the correct number of FreeLibrary calls has been made.

Many of the flags to the LoadLibraryEx function alter how the system locates the DLL to load, but some of them alter how the DLL is itself loaded into memory. The interesting one here is the LOAD_LIBRARY_AS_DATAFILE flag.

If you ask that a DLL be loaded as a data file, and there isn’t already a copy of the DLL loaded normally, then the loader will search the file system for the DLL in the manner described by the other flags, and then it will just map the DLL into memory without doing any of the usual stuff like applying fixups, and then returns you an HMODULE that represents the location where the DLL was mapped into memory, but it also sets the bottom bit as a note to itself to say “This wasn’t loaded the normal way.”

If the loader decides to map the DLL into memory directly, then the DLL does not get an entry in the list of loaded modules. While the module was loaded in a strict sense of the term, it was not loaded as a functional module. The code is not ready to execute: Its dependencies were not resolved. Its initialization was not run. It’s just a bunch of bytes mapped into memory. If you call GetModuleHandle or EnumProcessModules, the module won’t show up because those functions use the list of “properly” loaded modules, and your datafile DLL wasn’t put on that list.

Functions like FindResource recognize these “not really a module” modules. For example, if you ask to find a resource in a loaded-as-datafile module, the FindResource function knows that it has to convert RVAs in the PE header into physical file offsets.

And when you pass the HMODULE back to FreeLibrary, it sees that the bottom bit is set and knows, “Oh, this was never entered into the module list, so I don’t have to remove it from the module list either.”

This special behavior of the bottom bit is locked into the ABI thanks to this macros provided in the LoadLibraryEx documentation:

#define LDR_IS_DATAFILE(handle)      (((ULONG_PTR)(handle)) & (ULONG_PTR)1)

I don’t know if this use of the bottom bit was intended to be an implementation detail, or whether documenting it was an intentional decision, but what’s done is done, and it’s documented, so it’s too late to change it now.

Bonus chatter: You can see in the documentation another macro that reveals that the second-from-bottom bit is also used as a special signal:

#define LDR_IS_IMAGEMAPPING(handle)  (((ULONG_PTR)(handle)) & (ULONG_PTR)2)

The post What does it mean when the bottom bit of my <CODE>HMODULE</CODE> is set? appeared first on The Old New Thing.

03:35

Side Effect [xkcd.com]

Friday, 19 June

23:35

Statement regarding GNU Savannah security reports [Planet GNU]

22:42

Pluralistic: The Big Con (19 Jun 2026) [Pluralistic: Daily links from Cory Doctorow]

->->->->->->->->->->->->->->->->->->->->->->->->->->->->-> Top Sources: None -->

Today's links

The Big Con: Making the pile of shit bigger won't increase the number of ponies underneath it.
Hey look at this: Delights to delectate.
Object permanence: TVA v SETI@Home; Telemarketers v DHS batphones; Matt Stone's MPAA censorship memo; Stonehenge pocket watch; W3C v security research; Congressional mass-shooting response simulator; Dynastic wealth; Gig economy astroturf; Meta publishes your AI prompts.
Upcoming appearances: LA, Menlo Park, Toronto, NYC, Philadelphia, Chicago, London, Edinburgh, Sydney, Melbourne, Brighton, London, South Bend.
Recent appearances: Where I've been.
Latest books: You keep readin' em, I'll keep writin' 'em.
Upcoming books: Like I said, I'll keep writin' 'em.
Colophon: All the rest.

The Big Con (permalink)

Partway through Bridget Read's unmissable chronicle of pyramid ("multi-level marketing") schemes, Little Bosses Everywhere, there comes a dual revelation: no one is selling any product to end-users and no one knows it:

https://pluralistic.net/2025/05/05/free-enterprise-system/#amway-or-the-highway

That is to say, all the hustlers who have spent thousands of dollars on Mary Kay, Herbalife and Amway have failed to move any of their product (beyond a statistically insignificant number of sales to friends and family who quickly tire of being hustled and stop buying this substandard, overpriced junk). But none of these "entrepreneurs" knows it, or admits it to anyone – not their "downlines" (friends they've lured into the swindle), nor their "uplines" (friends who recruited them into the con).

Each pyramid scheme victim thinks that they're the only failure in the whole bunch. They go to massive "sales conferences" where people boast about all the sales they're making, and they're all lying about it. Incredibly, the pyramid schemers who run these criminal enterprises have figured out how to make a virtue out of this situation: they offer "sales coaching" courses to help people make the sales that "everyone else is making." In other words, once you've gone bust failing to sell Amway, they'll get you to go further into debt to learn how to correct the (nonexistent) issues with your sales strategy so that you can join the (imaginary) legion of people who sell Amway by the bushel.

Con artists have a name for this kind of swindle: it's called a "big con," which is when everyone a mark comes into contact with is in on the scam. Here's how the big con worked: after a "roper" snared a victim (usually on an intercity train), they would telegraph ahead and let the home team know they had a live one. From that point forward, every single person the victim came into contact with was in on it – from the porter who collected his bags at the train station to the cab driver to the Western Union clerk he uses to cable his banker and ask for a cashier's check for his life's savings.

In the big con, dozens of skilled actors are putting on a play for an audience of one: you. It's a real-world, non-hallucinatory version of "gang stalking delusion," which is when someone going through a mental health crisis believes that everyone they meet is in on a conspiracy to drive them crazy:

https://pluralistic.net/2026/06/03/mission-space/#gsd

The situation that people suffering from GSD hallucinate is actually happening to people ensnared in a big con…and pyramid schemes are a big con. What's more – as Read's book makes clear – you can't understand modern American politics without understanding pyramid schemes.

One of the most destructive pyramid schemes in American history is Amway. The FTC was about to shut Amway down in the mid-1970s, but then Nixon resigned and Ford became president. Ford had been the Congressman to Amway's founders Jay Van Andel (then the head of the US Chamber of Commerce, which is to say, America's most powerful business lobbyist) and Dick DeVos (yes, that DeVos). Ford and the Amway swindlers were thick as thieves, and so Ford called off the FTC. Rather than going to jail, DeVos and Van Andel became morbidly wealthy, and they used some of their stolen money to found and fund the Heritage Foundation (yes, that Heritage Foundation).

The political class running America are pyramid scheme swindlers, funded by pyramid scheme money. They're running a big con on all of us. That's true of the Trumps, who've excreted a diarrhoeic slurry of shitcoins that have made them billions – and lost billions for their "investors":

https://www.citationneeded.news/issue-106/

Trump insists that he is a self-made man who made his money with successful real estate deals. In reality, he lied all the time about his real estate, committing a string of felonies in order to defraud the banks, even as he went bankrupt, time and again:

https://en.wikipedia.org/wiki/Prosecution_of_Donald_Trump_in_New_York

Another "self made man" is Elon Musk (who is a "trillionaire," in a highly technical sense meaning "not a trillionaire at all"). Musk would have been broke several times over but for a string of massive government bailouts and subsidies, which continue to this day:

https://www.congress.gov/119/meeting/house/117956/documents/HMKP-119-JU00-20250226-SD003.pdf

Trump, Musk, and the rest of the schemers in the pyramid routinely claim that they are wealthy because they are running good businesses, a "fact" that many of us accept at face value. It's bad enough that we are deceived about reality, but many of their most addled cult-members try to follow in their footsteps. When they fail, they are in the same situation as one of those busted Amway sellers: thinking they are the only ones who can't make this "sure thing" work. Conservativism is a movement of bitter rubes, led by pyramid scheme swindlers:

https://pluralistic.net/2025/07/22/all-day-suckers/#i-love-the-poorly-educated

The "wait, is everyone else also failing?" awakening is an experience that many of America's CEOs are sharing at this moment, as they wonder whether they are the only ones who've fired as many workers as possible and replaced them with AI, only to see their company's fortunes fall:

https://www.msn.com/en-us/money/markets/uber-ceo-says-other-execs-are-lying-about-ai-they-say-it-ll-be-fine-publicly-but-privately-admit-millions-of-jobs-are-gone/ar-AA1Z9QMv

Like an Amway victim, these boardroom rubes simply can't believe that all these people could be in on the con. How could the world spend trillions on AI if it's not on a path to profitability? It's not that these guys spent 2008 in a cave – rather, they just lack the object permanence to remember the last time a "Federal Wallet Inspector" approached them at a board meeting and took them for everything:

https://pluralistic.net/2025/12/13/uncle-sucker/#willing-marks

The thesis that "it can't be nonsense if there's a lot of money at stake" is the core of so many of these swindles. It's the investment theory that holds that once a pile of shit gets big enough, there must be a pony under it somewhere.

There's a Bugs Bunny bit that I find myself returning to in this era of the big con: it's a gag from 1954's "Bugs and Thugs":

https://en.wikipedia.org/wiki/Bugs_and_Thugs

Bugs has been kidnapped by gangsters, who have come to trust him. He tricks them into thinking that the police are coming and he urges them to hide in the oven while he sends the cops away. Then, Bugs performs a one-rabbit show in which he plays both the cop (with a broad Irish accent) and himself:

Bugs (cop voice): All right, open up! This is the police! [banging] All right, where's Rocky, where's he hiding?

Bugs (normal voice): He's not in this stove.

Bugs (cop): Oh-ho, he's hidin' in that stove, eh?

Bugs (normal): Now look, would I turn on this gas if my friend Rocky was in there?

Bugs (cop): You might, rabbit, you might.

Bugs (normal) Would I throw a lighted match in there if my friend was in there? [Massive explosion]

Bugs (cop): Well, all right, rabbit, you've convinced me. I'll look for Rocky in the city.

https://www.youtube.com/watch?v=LSNTjX_g9a4

We keep living through real world versions of this:

"Would I, Mark Zuckerberg, change my company's name to 'Meta' if I wasn't serious about this?"

"Oh, you might, Zuck, you might."

"OK, but would I spend $61b on the metaverse if I wasn't serious about this?"

"All right, Zuck, you've convinced me. I won't sell my Facebook (oops, I mean 'Meta'!) shares."

But neither Zuck nor Musk nor Trump has the charm of Bugs Bunny. At a certain point we're all going to look at each other and say, "It was all bullshit, wasn't it?"

Hey look at this (permalink)

AI Economics for Dummies https://www.mcsweeneys.net/articles/ai-economics-for-dummies
The Longreads Questionnaire, Featuring Cory Doctorow https://longreads.com/2026/06/17/questionnaire-cory-doctorow/
A guide to ‘greedflation’ https://timharford.com/2026/06/a-guide-to-greedflation/
Ubisoft uses DMCA to kill game: slopsmith gets destroyed by obsolete 30 year old law https://www.youtube.com/watch?v=bgVlEgV27ow
Canada Is Forging Ahead with Its Dangerous Surveillance Bill https://www.eff.org/deeplinks/2026/06/canada-forging-ahead-its-dangerous-surveillance-bill

Object permanence (permalink)

#25yrsago TVA bans SETI@Home https://web.archive.org/web/20010625113535/https://www.knoxnews.com/archives/browserecent/06162001/archives/31399.shtml

#25yrsago Scott McCloud on microtransactions and Napster https://web.archive.org/web/20010708054658/http://www.thecomicreader.com/html/icst/icst-6/icst-6.html

#20yrsago Wardialling telemarketers stumble on Homeland Security batphones https://web.archive.org/web/20060630104202/https://www.delawareonline.com/apps/pbcs.dll/article?AID=/20060616/NEWS/606160329/1006

#20yrsago NAB: Evidence is irrelevant to copyright treaties https://web.archive.org/web/20060622174657/https://drn.okfn.org/node/133#comment-246#comment-246

#20yrsago LA Times censors newsroom Internet feed https://web.archive.org/web/20060702051259/http://www.laobserved.com/archive/2006/06/protecting_reporters_from.html

#20yrsago Matt Stone’s memo to MPAA censors https://web.archive.org/web/20060619220447/https://www.mcnblogs.com/thehotblog/archives/2006/06/preparing_for_t.html

#20yrsago Stonehenge pocket-watch predicts solstices https://web.archive.org/web/20060627053213/http://www.thinkgeek.com/gadgets/watches/7d2b/

#15yrsago Mean things authors say about each other https://www.flavorwire.com/188138/the-30-harshest-author-on-author-insults-in-history

#15yrsago Glasses with 720p HD video camera https://www.kickstarter.com/projects/zioneyez/eyeztm-by-zioneyez-hd-video-recording-glasses-for

#15yrsago ICANN votes to roll out 400-800 new generic top-level domains https://www.flickr.com/photos/wseltzer/5852419280/

#10yrsago W3C DRM working group chairman vetoes work on protecting security researchers and competition https://lwn.net/Articles/691108/

#10yrsago Thoughts and Prayers: a Congressional mass-shooting simulator https://thoughtsandprayersthegame.com/

#5yrsago The doctrine of dynastic wealth https://pluralistic.net/2021/06/19/dynastic-wealth/#caste

#5yrsago The gig economy's dark-money, astroturf "community groups" https://pluralistic.net/2021/06/19/dynastic-wealth/#astroturf

#1yrago Your Meta AI prompts are in a live, public feed https://pluralistic.net/2025/06/19/privacy-breach-by-design/#bringing-home-the-beacon

Upcoming appearances (permalink)

LA: The Reverse Centaur's Guide to Life After AI with Brian Merchant (Skylight Books), Jun 19
https://www.skylightbooks.com/event/skylight-cory-doctorow-presents-reverse-centaurs-guide-life-after-ai-w-brian-merchant
Menlo Park: The Reverse Centaur's Guide to Life After AI with Angie Coiro (Kepler's), Jun 21
https://www.keplers.org/upcoming-events-internal/cory-doctorow-2026
Toronto: The Sovereignty Debate (IAB Canada's State of the Nation), Jun 23
https://iabcanada.com/state-of-the-nation-2026
Toronto: The Reverse Centaur's Guide to Life After AI (Osler Records/Type Books), Jun 23
https://www.eventbrite.com/e/cory-doctorow-book-launch-and-talk-tickets-1991501299998
NYC: The Reverse Centaur's Guide to Life After AI with Jonathan Coulton (The Strand), Jun 24
https://www.strandbooks.com/cory-doctorow-the-reverse-centaur-s-guide-to-life-after-ai.html
Philadelphia: The Reverse Centaur's Guide to Life After AI with David Williams (Fitler Club/Philadelphia Citizen), Jun 25
https://www.eventbrite.com/e/cory-doctorow-book-event-tickets-1990110326559
Chicago: The Reverse Centaur's Guide to Life After AI with Rick Perlstein (Exile in Bookville), Jun 26
https://exileinbookville.com/events/50628
London: Idler Festival, Jul 11
https://www.idler.co.uk/festival/
Edinburgh International Book Festival with Jimmy Wales, Aug 17
https://www.edbookfest.co.uk/events/the-front-list-cory-doctorow-and-jimmy-wales
Sydney: The Festival of Dangerous Ideas, Aug 23-24
https://festivalofdangerousideas.com/cory-doctorow/
Melbourne: Enshittification at the Wheeler Centre, Aug 25
https://www.wheelercentre.com/events-tickets/season-2026/cory-doctorow-enshittification
Brighton: The Reverse Centaur's Guide to Life After AI with Carole Cadwalladr (Brighton Dome), Sep 8
https://brightondome.org/whats-on/LSC-cory-doctorow-the-reverse-centaurs-guide-to-life-after-ai/
London: The Reverse Centaur's Guide to Life After AI with Riley Quinn (Foyle's Picadilly), Sep 9
https://www.foyles.co.uk/events/enshittification-cory-doctorow-riley-quinn
South Bend: An Evening With Cory Doctorow (Notre Dame), Oct 6
https://franco.nd.edu/events/2026/10/06/an-evening-with-cory-doctorow/

Recent appearances (permalink)

How to Think About AI Before It’s Too Late (Galaxy Brain)
https://www.youtube.com/watch?v=SPQNPJ0CEPo
The future of world governance, with Kim Stanley Robinson (UN Independent Expert on International Order)
https://www.youtube.com/live/wJvBvYdaAMY
How to Think About Artificial Intelligence (KUER)
https://radiowest.kuer.org/show/radiowest/2026-06-16/cory-doctorow-on-how-to-think-about-artificial-intelligence
The Enshittification of Life, the Universe, & Everything (Luke Savage)
https://www.lukewsavage.com/p/the-enshittification-of-life-the
Cory Doctorow's digital jail-break (DW In Focus)
https://www.dw.com/en/cory-doctorows-digital-jail-break/audio-77414035

Latest books (permalink)

"Canny Valley": A limited edition collection of the collages I create for Pluralistic, self-published, September 2025 https://pluralistic.net/2025/09/04/illustrious/#chairman-bruce
"Enshittification: Why Everything Suddenly Got Worse and What to Do About It," Farrar, Straus, Giroux, October 7 2025
https://us.macmillan.com/books/9780374619329/enshittification/
"Picks and Shovels": a sequel to "Red Team Blues," about the heroic era of the PC, Tor Books (US), Head of Zeus (UK), February 2025 (https://us.macmillan.com/books/9781250865908/picksandshovels).
"The Bezzle": a sequel to "Red Team Blues," about prison-tech and other grifts, Tor Books (US), Head of Zeus (UK), February 2024 (thebezzle.org).
"The Lost Cause:" a solarpunk novel of hope in the climate emergency, Tor Books (US), Head of Zeus (UK), November 2023 (http://lost-cause.org).
"The Internet Con": A nonfiction book about interoperability and Big Tech (Verso) September 2023 (http://seizethemeansofcomputation.org). Signed copies at Book Soup (https://www.booksoup.com/book/9781804291245).
"Red Team Blues": "A grabby, compulsive thriller that will leave you knowing more about how the world works than you did before." Tor Books http://redteamblues.com.
"Chokepoint Capitalism: How to Beat Big Tech, Tame Big Content, and Get Artists Paid, with Rebecca Giblin", on how to unrig the markets for creative labor, Beacon Press/Scribe 2022 https://chokepointcapitalism.com

Upcoming books (permalink)

"The Reverse-Centaur's Guide to AI," a short book about being a better AI critic, Farrar, Straus and Giroux, June 2026 (https://us.macmillan.com/books/9780374621568/thereversecentaursguidetolifeafterai/)
"Enshittification, Why Everything Suddenly Got Worse and What to Do About It" (the graphic novel), Firstsecond, 2026
"The Post-American Internet," a geopolitical sequel of sorts to Enshittification, Farrar, Straus and Giroux, 2027
"Unauthorized Bread": a middle-grades graphic novel adapted from my novella about refugees, toasters and DRM, FirstSecond, April 20, 2027
"The Memex Method," Farrar, Straus, Giroux, 2027

Colophon (permalink)

Today's top sources:

"The Reverse Centaur's Guide to AI," a short book for Farrar, Straus and Giroux about being an effective AI critic. LEGAL REVIEW AND COPYEDIT COMPLETE.
"The Post-American Internet," a short book about internet policy in the age of Trumpism. PLANNING.
A Little Brother short story about DIY insulin PLANNING

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.

How to get Pluralistic:

Blog (no ads, tracking, or data-collection):

Newsletter (no ads, tracking, or data-collection):

Mastodon (no ads, tracking, or data-collection):

Bluesky (no ads, possible tracking and data-collection):

Medium (no ads, paywalled):

https://mostlysignssomeportents.tumblr.com/tagged/pluralistic

Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):

"When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla

ISSN: 3066-764X

Friday Squid Blogging: Victims of Unregulated Squid Fishing [Schneier on Security]

Dolphins, sharks, turtles, and human workers are all victims of unregulated squid fishing fleets.

Another news article.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Blog moderation policy.

21:49

What was nice about the UI of Windows 2000 [OSnews]

I mean, this is preaching to the choir, but let’s go anyway.

I liked the UIs of the entire era from 3.0 to 2000, really. I’m mostly using Windows 2000 as an example here because it runs so well in QEMU/KVM and that allows me to easily take screenshots.

Some of the following will sound absolutely trivial, but I think it’s worth pointing out.
↫ movq.de blog

Just a series of observations about how much better graphical user interfaces were back in the ’90s and early 2000s. We’ve lost so many affordances based on both common sense and scientific study, and what we ended up with is a confusing, inconsistent mess. It doesn’t really matter where you look – user interface design has deteriorated since the early 2000s, a decline that only accelerated thanks to the arrival of the iPhone, where consistency is a dirty word, and the web, where the advertising people took prominence over the design people.

I just want my buttons to look like buttons man.

21:00

Page 27 [Flipside]

Page 27 is done.

(5284) [Flipside]

20:35

Systemd v261 released [LWN.net]

Systemd v261 has been released with a long list of changes, including a new cloud "Instance Metadata Service" (IMDS) subsystem, "boot secret" functionality for use on systems that lack a physical TPM, as well as support for the kernel's Live Update Orchestration (LUO) / Kexec Handover (KHO) systems when they are present and enabled. See the release notes for the full list of changes.

19:49

longintrepr.h [Planet GNU]

Did your pip install fail with longintrepr.h: No such file or directory? The file likely is on your system, but it sometime or another it was moved, from /usr/include/python3.xx/longintrepr.h to /usr/include/python3.xx/cpython/longintrepr.h. The proper fix is to update the package in question with the new path, but if you’re installing an old version of something or a package that’s no longer maintained you can work around it like this:

ln -s /usr/include/python3.*/cpython/longintrepr.h .venv/include

19:28

Reproducible Builds (diffoscope): diffoscope 321 released [Planet Debian]

The diffoscope maintainers are pleased to announce the release of diffoscope version 321. This version includes the following changes:

[ Chris Lamb ]
* Fix compatibility with Ocaml 5.4.1.

You find out more by visiting the project homepage.

18:14

Win an Signed, Personalized ARC of Monsters of Ohio! [Whatever]

Tor Books sent me a stack of Monsters of Ohio ARCs, and you — yes you! — can win one, and I will even sign/personalize it for you if you like. Here’s all you have to do to enter:

I am thinking of a mammal native to Ohio. Guess which one it is.

(Don’t know which mammals are native to Ohio? Here’s a pdf guide to get you started. Spoiler: the mammal in question is in fact in the guide!)

I have already told Krissy and Athena which mammal it is, so I’m not just going to make one up at the end of the contest, promise.

And now: The rules!

1. One guess per person, one post per person. If you post more than one guess, your first guess is the guess I will use. If you post more than one post, I will use only the first post. Don’t use the comments to post anything other than a guess; any other comments will be deleted. Be specific toward the mammal; don’t say “dog” when “Beagle” is the correct answer (which it is not, by the way, either of those). Again, the mammal in question is in the guide linked above, so that will help narrow it down a bit.

2. Place the guess in the comments for this post, they will not count otherwise. This will require you to enter login information if you have not already done so. When you fill in the information, leave an email address that you actually check, this is how I will contact you. Put that information in the login dialogue boxes, not in the body of your comment. If you don’t leave an email, I can’t contact you and will move on to the next person who guessed correctly. The information will be used for nothing else, because I respect your privacy and also I’m lazy and can’t be bothered to do anything with them.

3. Speaking of which: In the (likely) event that more than one person correctly guesses the mammal, I will have the computer generate a number between one and [number of correct guesses] and will pick the person whose chronological entry matches the number – so if the number is “three,” than the third person who posted the correct guess will win.

4. In the event no one picks the correct mammal, I will have the computer randomly pick a number between one and [total number of entries] and give the person who chronologically corresponds to that number the book. This is an enormous pain in my ass, so I hope at least one of you picks the correct mammal.

5. The contest runs for 48 hours from the moment I post this (probably close to 1pm Eastern on June 19, 2026), because that’s when the site automatically closes comments. I’ll email the winner after that and will post the results after that, probably on Monday. When I email you, you will have five days to respond, and after that I re-roll for a new recipient. So be looking at your email, please.

6. Contest is open to everyone everywhere on the planet that I can currently ship a book to, so apologies to anyone in Cuba, Iran, North Korea or the Crimea, Donetsk, and Luhansk regions of Ukraine. Everyone else, if you win, I’ll ship it to you.

7. I will sign the ARC but if you want it personalized in any way, let me know when I email you about it.

Those are the rules, so go ahead and guess! Good luck!

— JS

(PS: If you don’t want to play the odds here, remember that you can pre-order the book from your favorite local or online bookstore for when it comes out in November. Also, Subterranean Press will be happy to send a you a signed copy, which I will also personalize if you like, and SubPress also ships everywhere in the world, so that’s helpful.)

17:35

[$] Suspending and resuming BPF programs [LWN.net]

BPF programs can be used to extend many aspects the Linux kernel, but BPF programs must run to completion in the same context that they began. Kumar Kartikeya Dwivedi is working on changing that by allowing BPF programs to be expressed as coroutines. He spoke about his work at the 2026 Linux Storage, Filesystem, Memory-Management and BPF Summit. While still experimental, the change promises to make long-running BPF tasks significantly easier to write.

Widow's Bae [Penny Arcade]

Apple TV is fascinating. It doesn't have a super deep roster, but it has a weirdly high ratio of absolutely must watch shit. I got some free Apple TV when I got an iPad a few Christmases ago, and ended up hooked on For All Mankind - then let it lapse, and now my three favorite shows are all from there. It goes Severance, Pluribus, and now Widow's Bay. They don't seem to be able to produce on any kind of schedule, but then, I don't think they're even trying to. This is exactly what a modern leviathan should be doing with its bulging coffers. As a young man, I was told that Campbell's Chunky Soup was said to eat like a meal. These are shows that watch like books, that benefit very clearly from study.

17:07

Reproducible Builds (diffoscope): diffoscope 320 released [Planet Debian]

The diffoscope maintainers are pleased to announce the release of diffoscope version 320. This version includes the following changes:

[ Chris Lamb ]
* Support androguard 4 and previous versions. Thanks, linsui!
  (Closes: #1140016)
* Use --long-form arguments when calling apktool in order to support apktool
  version 3. Thanks again to linsui. (Closes: #1140015)
* Update copyright years.

You find out more by visiting the project homepage.

16:07

[$] AURpocalypse now: a look at the recent AUR attacks [LWN.net]

The Arch User Repository (AUR) has been subjected to a sustained attack recently. The attacker, or attackers, have spun up a series of new accounts then used them to adopt orphaned packages and push malicious updates that would install malware on users' systems. It is unclear how many users were compromised in the attack, but the maintainers were playing Whac-A-Mole for several days to respond to each newly compromised package. The project has turned off the AUR's new-user registration, for now, but it is unclear what its long-term response will be or if the AUR can be secured without major changes to its existing collaboration model.

15:14