“The
Importance of Being Earnest” with Ncuti Gatwa is going
up free on
YouTube for a limited period in March."
Love the play, love the actor. Definitely going to try and catch
this.
Saturday, 21 February
21:14
[1289] Karen's Conviction [Twokinds]
Comic for February 21, 2026
20:28
New podcast episode where I explain how I lost my Twitter account and how this is exactly the kind of thing that AI can do economically, esp for people who pay actual money for your service. I can't buy anything from you if I can't use my account.
19:56
Jonathan Dowland: Lanzarote [Planet Debian]
I want to get back into the habit of blogging, but I've struggled. I've had several ideas of topics to try and write about, but I've not managed to put aside the time to do it. I thought I'd try and bash out a one-take, stream-of-conciousness-style post now, to get back into the swing.
I'm writing from the lounge of my hotel room in Lanzarote, where my family have gone for the School break. The weather at home has been pretty awful this year, and this week is traditionally quite miserable at the best of times. It's been dry with highs of around 25℃ .
It's been an unusual holiday in one respect: one of my kids is struggling with Autistic Burnout. We were really unsure whether taking her was a good idea: and certainly towards the beginning of the holiday felt we may have made a mistake. Writing now, at the end, I'm not so sure. But we're very unlikely to have anything resembling a traditional summer holiday for the foreseeable.
Managing Autistic Burnout and the UK ways the UK healthcare and education systems manage it (or fail to) has been a huge part of my recent life. Perhaps I should write more about that. This coming week the government are likely to publish plans for reforming Special Needs support in Education. Like many other parents, we wait in hope and fear to see what they plan.
In anticipation of spending a lot of time in the hotel room with my preoccupied daughter I (unusually) packed a laptop and set myself a nerd-task: writing a Pandoc parser ("reader") for the MoinMoin Wiki markup language. There's some unfinished prior art from around 2011 by Simon Michael (of hledger) to work from.
The motivation was our plan to migrate the Debian Wiki away from MoinMoin. We've since decided to approach that differently but I might finish the Reader anyway, it's been an interesting project (and a nice excuse to write Haskell) and it will be useful for others.
Unusually (for me) I've not been reading fiction on this trip: I took with me Human Compatible by Prof Stuart Russell: discussing how to solve the problem of controlling a future Artificial Intelligence. I've largely avoided the LLM hype cycle we're suffering through at the moment, and I have several big concerns about it (moral, legal, etc.), and felt it was time to try and make my concerns more well-formed and test them. This book has been a big help in doing so, although it doesn't touch on the issue of copyright, which is something I am particularly interested in at the moment.
18:21
Dirk Eddelbuettel: qlcal 0.1.0 on CRAN: Easier Calendar Switching [Planet Debian]
The eighteenth release of the qlcal package arrivied at CRAN today. There has been no calendar update in QuantLib 1.41 so it has been relatively quiet since the last release last summer but we now added a nice new feature (more below) leading to a new minor release version.
qlcal delivers the calendaring parts of QuantLib. It is provided (for the R package) as a set of included files, so the package is self-contained and does not depend on an external QuantLib library (which can be demanding to build). qlcal covers over sixty country / market calendars and can compute holiday lists, its complement (i.e. business day lists) and much more. Examples are in the README at the repository, the package page, and course at the CRAN package page.
This releases makes it (much) easier to work with multiple calendars. The previous setup remains: the package keeps one ‘global’ (and hidden) calendar object which can be set, queried, altered, etc. But now we added the ability to hold instantiated calendar objects in R. These are external pointer objects, and we can pass them to functions requiring a calendar. If no such optional argument is given, we fall back to the global default as before. Similarly for functions operating on one or more dates, we now simply default to the current date if none is given. That means we can now say
> sapply(c("UnitedStates/NYSE", "Canada/TSX", "Australia/ASX"),
\(x) qlcal::isBusinessDay(xp=qlcal::getCalendar(x)))
UnitedStates/NYSE Canada/TSX Australia/ASX
TRUE TRUE TRUE
>
to query today (February 18) in several markets, or compare to two days ago when Canada and the US both observed a holiday
> sapply(c("UnitedStates/NYSE", "Canada/TSX", "Australia/ASX"),
\(x) qlcal::isBusinessDay(as.Date("2026-02-16"), xp=qlcal::getCalendar(x)))
UnitedStates/NYSE Canada/TSX Australia/ASX
FALSE FALSE TRUE
>
The full details from NEWS.Rd follow.
Changes in version 0.1.0 (2026-02-18)
Invalid calendars return id ‘TARGET’ now
Calendar object can be created on the fly and passed to the date-calculating functions; if missing global one used
For several functions a missing date object now implies computation on the current date, e.g.
isBusinessDay()
Courtesy of my CRANberries, there is a diffstat report for this release. See the project page and package documentation for more details, and more examples.
This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. If you like this or other open-source work I do, you can sponsor me at GitHub.
Edited 2026-02-21 to correct a minor earlier error: it referenced a QuantLib 1.42 release which does not (yet) exist.17:56
New Cover: “Fall At Your Feet” [Whatever]
Yes, I’ve been on a bit of a tear recently as far as covers go, but let’s just say I had a bit of a backlog from when I was writing the novel. Now that it’s been cleared off the table I have a little time to do this sort of thing. This is currently how I do my “me” time. It’s this or setting fire to things.
This song is one of my favorite songs from one of my favorite bands, and I had been meaning to get to it for a bit. Also for this one I had a technical project of trying to nail the vocal balance, which is for me the trickiest part of doing any of this. I think I did pretty decent job sitting it into the mix this time around. It’s fun to still be learning things.
Enjoy!
— JS
15:14
Query: I
have not done any vibe coding and have a question for those who
have. Suppose you request a change in an app you've been working on
with the AI for a while, adding features, changing things around
based on learning and testing, which is generally what happens
after you've been working on something new. Here's the question.
What happens when you ask for a change that requires the codebase
to be reorganized. How did that go? Do the AIs even know that's
possible or do they just pile on special cases?
What happened to polling? I had a poll app for a while, then Twitter came out with one and I switched to that. I don't know if Twitter still has it, but it would be bad form to require something at Twitter to engage with me here. How do you do polling, or do you?
14:28
I just remembered why I love the United States of America.
I am going to try again to open up the editing side of OPML. It's gotten pretty famous in RSS-land, but people don't know there are editors for OPML, and some which work pretty well with subscription lists, and could be made to work even better. Drummer can run scripts in JavaScript, so users can customize. I'm going to make an effort myself to start using Drummer to edit subscription lists and see what comes up.
Microsoft announces ESU program for Windows Server 2016, 10 Enterprise LTSB, and 10 IoT Enterprise 2016 LTSB [OSnews]
The regular, consumer version of Windows 10 isn’t the only Windows release reaching or having reached end-of-life, now middling on under the Extended Security Updates program for the many people sticking with the venerable release. Windows 10 Enterprise LTSB 2016 (October 13, 2026), Windows 10 IoT Enterprise 2016 LTSB (October 13, 2026), and Windows Server 2016 (January 12, 2027) are all reaching end-of-life soon, too. On the listed dates, these versions of Windows will receive their final monthly security updates.
As with Windows 10 for consumers, however, there’s a way out: the Extended Security Updates program will also kick in for these versions, offering critical and important security updates, and support relating to just those. The program will be offered for up to three years after official support ends, and won’t be free. For Server 2016 and and Enterprise LTSB 2016, pricing will be $61 per year, but it would double for every year after the first. Pricing for IoT Enterprise 2016 LTSB is available upon request.
Of course, Microsoft urges you to upgrade to newer versions – Windows Server 2025, Windows 11 Enterprise LTSC 2024, and Windows 11 IoT Enterprise LTSC 2024 – but if you’re happy with your current version, you can at least get a three-year reprieve, for a price.
12:56
Vasudev Kamath: Learning Notes: Debsecan MCP Server [Planet Debian]
Since Generative AI is currently the most popular topic, I wanted to get my hands dirty and learn something new. I was learning about the Model Context Protocol at the time and wanted to apply it to build something simple.
Idea
On Debian systems, we use debsecan to find vulnerabilities. However, the tool currently provides a simple list of vulnerabilities and packages with no indication of the system's security posture—meaning no criticality information is exposed and no executive summary is provided regarding what needs to be fixed. Of course, one can simply run the following to install existing fixes and be done with it:
apt-get install $(debsecan --suite sid --format packages --only-fixed)
But this is not how things work in corporate environments; you need to provide a report showing the system's previous state and the actions taken to bring it to a safe state. It is all about metrics and reports.
My goal was to use debsecan to generate a list of vulnerabilities, find more detailed information on them, and prioritize them as critical, high, medium, or low. By providing this information to an AI, I could ask it to generate an executive summary report detailing what needs to be addressed immediately and the overall security posture of the system.
Initial Take
My initial thought was to use an existing LLM, either self-hosted or a cloud-based LLM like Gemini (which provides an API with generous limits via AI Studio). I designed functions to output the list of vulnerabilities on the system and provide detailed information on each. The idea was to use these as "tools" for the LLM.
Learnings
- I learned about open-source LLMs using Ollama, which allows you to download and use models on your laptop.
- I used Llama 3.1, Llama 3.2, and Granite 4 on my laptop without a GPU. I managed to run my experiments, even though they were time-consuming and occasionally caused my laptop to crash.
- I learned about Pydantic and how to use it to parse custom JSON schemas with minimal effort.
- I learned about osv.dev, an open-source initiative by Google that aggregates vulnerability information from various sources and provides data in a well-documented JSON schema format.
- I learned about the EPSS (Exploit Prediction Scoring System) and how it is used alongside static CVSS scoring to detect truly critical vulnerabilities. The EPSS score provides an idea of the probability of a vulnerability being exploited in the wild based on actual real-world attacks.
These experiments led to a collection of notebooks. One key takeaway was that when defining tools, I cannot simply output massive amounts of text because it consumes tokens and increases costs for paid models (though it is fine for local models using your own hardware and energy). Self-hosted models require significant prompting to produce proper output, which helped me understand the real-world application of prompt engineering.
Change of Plans
Despite extensive experimentation, I felt I was nowhere close to a full implementation. While using a Gemini learning tool to study MCP, it suddenly occurred to me: why not write the entire thing as an MCP server? This would save me from implementing the agent side and allow me to hook it into any IDE-based LLM.
Design
This MCP server is primarily a mix of a "tool" (which executes on the server machine to identify installed packages and their vulnerabilities) and a "resource" (which exposes read-only information for a specific CVE ID).
The MCP exposes two tools:
- List Vulnerabilities: This tool identifies vulnerabilities in the packages installed on the system, categorizes them using CVE and EPSS scores, and provides a dictionary of critical, high, medium, and low vulnerabilities.
- Research Vulnerabilities: Based on the user prompt, the LLM can identify relevant vulnerabilities and pass them to this function to retrieve details such as whether a fix is available, the fixed version, and criticality.
Vibe Coding
"Vibe coding" is the latest trend, with many claiming that software engineering jobs are a thing of the past. Without going into too much detail, I decided to give it a try. While this is not my first "vibe coded" project (I have done this previously at work using corporate tools), it is my first attempt to vibe code a hobby/learning project.
I chose Antigravity because it seemed to be the only editor providing a sufficient amount of free tokens. For every vibe coding project, I spend time thinking about the barebones skeleton: the modules, function return values, and data structures. This allows me to maintain control over the LLM-generated code so it doesn't become overly complicated or incomprehensible.
As a first step, I wrote down my initial design in a requirements document. In that document, I explicitly called for using debsecan as the model for various components. Additionally, I asked the AI to reference my specific code for the EPSS logic. The reasons were:
- debsecan already solves the core problem; I am simply rebuilding it. debsecan uses a single file generated by the Debian Security team containing all necessary information, which prevents us from needing multiple external sources.
- This provides the flexibility to categorize vulnerabilities within the listing tool itself since all required information is readily available, unlike my original notebook-based design.
I initially used Gemini 3 Flash as the model because I was concerned about exceeding my free limits.
Hiccups
Although it initially seemed successful, I soon noticed discrepancies between the local debsecan outputs and the outputs generated by the tools. I asked the AI to fix this, but after two attempts, it still could not match the outputs. I realized it was writing its own version-comparison logic and failing significantly.
Finally, I instructed it to depend entirely on the python-apt module for version comparison; since it is not on PyPI, I asked it to pull directly from the Git source. This solved some issues, but the problem persisted. By then, my weekly quota was exhausted, and I stopped debugging.
A week later, I resumed debugging with the Claude 3.5 Sonnet model. Within 20-25 minutes, it found the fix, which involved four lines of changes in the parsing logic. However, I ran out of limits again before I could proceed further.
In the requirements, I specified that the list vulnerabilities tool should only provide a dictionary of CVE IDs divided by severity. However, the AI instead provided full text for all vulnerability details, resulting in excessive data—including negligible vulnerabilities—being sent to the LLM. Consequently, it never called the research vulnerabilities tool. Since I had run out of limits, I manually fixed this in a follow-up commit.
How to Use
I have published the current work in the debsecan-mcp repository. I have used the same license as the original debsecan. I am not entirely sure how to interpret licenses for vibe-coded projects, but here we are.
To use this, you need to install the tool in a virtual environment and configure your IDE to use the MCP. Here is how I set it up for Visual Studio Code:
- Follow the guide from the VS Code documentation regarding adding an MCP server.
- My global mcp.json looks like this:
{
"servers": {
"debsecan-mcp": {
"command": "uv",
"args": [
"--directory",
"/home/vasudev/Documents/personal/FOSS/debsecan-mcp/debsecan-mcp",
"run",
"debsecan-mcp"
]
}
},
"inputs": []
}
- I am running it directly from my local codebase using a virtualenv created with uv. You may need to tweak the path based on your installation.
- To use the MCP server in the Copilot chat window, reference it using #debsecan-mcp. The LLM will then use the server for the query.
- Use a prompt like: "Give an executive summary of the system security status and immediate actions to be taken."
- You can observe the LLM using list_vulnerabilities followed by research_cves. Because the first tool only provides CVE IDs based on severity, the LLM is smart enough to research only high and critical vulnerabilities, thereby saving tokens.
What's Next?
This MCP is not yet perfect and has the following issues:
- The list_vulnerabilities dictionary contains duplicate CVE IDs because the code used a list instead of a set. While the LLM is smart enough to deduplicate these, it still costs extra tokens.
- Because I initially modeled this on debsecan, it uses a raw method for parsing /var/lib/dpkg/status instead of python-apt. I am considering switching to python-apt to reduce maintenance overhead.
- Interestingly, the AI did not add a single unit test, which is disappointing. I will add these once my limits are restored.
- I need to create a cleaner README with usage instructions.
- I need to determine if the MCP can be used via HTTP as well as stdio.
Conclusion
Vibe coding is interesting, but things can get out of hand if not managed properly. Even with a good process, code must be reviewed and tested; you cannot blindly trust an AI to handle everything. Even if it adds tests, you must validate them, or you are doomed!
Oracle Solaris 11.4 SRU90 released [OSnews]
Despite continuous rumors to the contrary, Oracle is still actively developing Solaris, and it’s been more active than ever lately. Yesterday, the company pushed out another release for customers with the proper support contracts: Oracle Solaris 11.4 SRU90. Aside from the various package updates to bring them up to speed with the latest releases, this new Solaris version also comes with a slew of improvements for ZFS.
ZFS changes in Oracle Solaris 11.4.90 include more flexibility in setting retention properties when receiving a new file system, and adding the ability for zfs scrub and resilver to run before all the blocks have been freed from previous zfs destroy operations. (This requires upgrading pools to the new zpool version 54.)
↫ Alan Coopersmith
You can now also set boot environments to never be destroyed by either manual or automatic means, and more work has been done to prevent a specific type of bug that would accidentally kill all running processes on the system. It seems some programs mistakenly use -1 as a pid value in kill() calls.
Now in 11.4.90, the kill system call was modified to not allow processes to use a pid of -1 unless they’d specifically set a process flag that they intend to kill all processes first, to help with programs that didn’t check for errors when finding the process id for the singular process they wanted to kill.
↫ Alan Coopersmith
There’s many more changes and improvements, of course, and hopefully, we’ll get to see these in the next CBE release as well, so us mere mortals without expensive support contracts can benefit from them too.
11:21
More in Sadness than in Anger [Charlie's Diary]
Sorry I haven't updated the blog for a while: I've been busy. (Writing the final draft of a new novel entirely unconnected to anything else you've read—space opera, new setting, longest thing I've written aside from the big Merchant Princes doorsteps. Now in my agent's inbox while I make notes towards a sequel, if requested.)
Over the past few years I've been naively assuming that while we're ruled by a ruthless kleptocracy, they're not completely evil: aristocracies tend to run on self-interest and try to leave a legacy to their children, which usually means leaving enough peasants around to mow the lawn, wash the dishes, and work the fields.
But my faith in the sanity of the evil overlords has been badly shaken in the past couple of months by the steady drip of WTFery coming out of the USA in general and the Epstein Files in particular, and now there's this somewhat obscure aside, that rips the mask off entirely (Original email on DoJ website ) ...
A document released by the U.S. Department of Justice as part of the Epstein files contains a quote attributed to correspondence involving Jeffrey Epstein that references Bill Gates and a controversial question about "how do we get rid of poor people as a whole."
The passage appears in a written communication included in the DOJ document trove and reads, in part: "I've been thinking a lot about that question that you asked Bill Gates, 'how do we get rid of poor people as a whole,' and I have an answer/comment regarding that for you." The writer then asks to schedule a phone call to discuss the matter further.
As an editor of mine once observed, America is ruled by two political parties: the party of the evil billionaires, and the party of the sane (so slightly less evil) billionaires. Evil billionaires: "let's kill the poor and take all their stuff." Sane billionaires: "hang on, if we kill them all who's going to cook dinner and clean the pool?"
And this seemed plausible ... before it turned out that the CEO class as a whole believe entirely in AI (which, to be clear, is just another marketing grift in the same spirit as cryptocurrencies/blockchain, next-generation nuclear power, real estate backed credit default options, and Dutch tulip bulbs). AI is being sold on the promise of increasing workforce efficiency. And in a world which has been studiously ignoring John Maynard Keynes' 1930 prediction that by 2030 we would only need to work a 15 hour work week, they've drawn an inevitable unwelcome conclusion from this axiom: that there are too many of us. For the past 75 years they've been so focussed on optimizing for efficiency that they no longer understand that efficiency and resilience are inversely related: in order to survive collectively through an energy transition and a time of climate destabilization we need extra capacity, not "right-sized" capacity.
Raise the death rate by removing herd immunity to childhood diseases? That's entirely consistent with "kill the poor". Mass deportation of anyone with the wrong skin colour? The white supremacists will join in enthusiastically, and meanwhile: the deported can die out of sight. Turn disused data centres or amazon warehouses into concentration camps (which are notorious disease breeding grounds)? It's a no-brainer. Start lots of small overseas brushfire wars, escalating to the sort of genocide now being piloted in Gaza by Trump's ally Netanyahu (to emphasize: his strain of Judaism can only be understood as a Jewish expression of white nationalism, throwing off its polite political mask to reveal the death's head of totalitarianism underneath)? It's all part of the program.
Our rulers have gone collectively insane (over a period of decades) and they want to kill us.
The class war has turned hot. And we're all on the losing side.
10:35
Brown rice and status [Seth's Blog]
Rice is one of the most consumed foods in the world, and it gives us insight into our relentless search for status and for affiliation.
Once rice is harvested for consumption, it’s brown. The outer layers of the rice husk contain the bran and many of the nutrients in the rice. And yet, most people, including many of the poorest people in any population, only eat white rice.
White rice takes more work to prepare for sale and leaves behind the vitamin-rich bran. We need to harvest more brown rice to make a single serving of white.
The origin of milling rice has to do with storage. Brown rice goes rancid much sooner, particularly in warm climates. As a result, white rice is more reliable–you’re not going to serve a bad batch.
The reliability led to status. Status in serving it and in consuming it. You might not have much, but at least you can eat white rice.
Once that signal is established, it becomes a sign of cultural affiliation. If your family or neighbors are doing it, it’s important to fit in. People insist that white rice is normal and that they prefer it, but that’s only because of their history and culture.
When white rice became a popular commodity and a signal, the demand for brown rice went down. Now it’s a specialty item, and that increases the price, apparently contradicting the very signal about status that made it unusual in the first place. (For some folks, the rarity, healthiness and price of brown rice make it a new sort of status symbol).
With improved supply chains and storage, brown rice is nearly as resilient as white rice is now, but the cultural trope remains. And because people like what they like, we’ve learned to prefer the blander flavor of the rice we were raised with.
If status and affiliation transform the market for one of our most basic commodities, it’s not hard to imagine what they do for wine, for clothing, or even for smartphones.
09:42
Charging for postage [RevK®'s ramblings]
We sell goods that we ship to customers, and obviously the shipping has a cost, so how do we cover that?
There are a few approaches - some companies factor the cost of shipping in the price of the goods. That can work for some goods in some markets or if the volumes are high enough for it all to average out, but does not always work.The approach we normally take is to charge for postage. As a general principle we try to do this at cost - not making a profit on postage, but it turns out not quite as simple as you may expect.
For the goods we ship on our main web site, like routers, VoIP phones, or even SIM cards, it is not too hard. E.g. for a SIM card we know it is small and fits in an envelope so offer options like 2nd class, 1st class, recorded, or tracked 24. The prices are based on the price we pay Royal Mail.
For larger items, we will weigh, and check Royal Mail or a courier, and quote the postage exactly as part of a quote.
Of course even that is not totally simple as RM charge VAT on some things and not on others, but we have to charge VAT regardless. Also, we have rates for account postage which do not match exactly the rates you may pay for a stamp. We also have a fixed rate for tracked 24, which is based on volume and sizes each year, so again not necessarily what people would expect if they compared to going to a post office themselves. Also, RM charge some sort of extra "fuel surcharge", just to add to the fun, and quite a lot for collection from our offices. With all of this I suspect we make a small loss on the postage we charge most of the time. We also don't usually factor in the envelope or packaging or staff time. These other bits being generally factored in to the price, in effect.
Fortunately, at least for now, we generally only ship to UK for such things.
Tindie sales
Selling on Tindie is way more complex when it comes to packaging and shipping costs. This is largely because we ship all over the world. This is mainly my small development boards.
For a start, Tindie have some simple shipping pricing options - we can set per country, and per product, and for first and subsequent items, but not for options on products, for example. And we cannot really work out the actual postage - I try to set the "subsequent item" price at a level such that it first with how many I can fit in different size envelopes.
In practice the postage and packaging costs depend on a rather complicated way on the combination of products purchased. E.g. I can fit 2 Faikout with cables and cases in and A6 envelope shipped as "large envelope" and pay one price for postage, though I think even that has a difference when it goes over 100g. This is the same as one Faikout. But I can also fit as many as 4 Faikout in that if no cable and case. Tindie will quote and charge shipping for initial plus extras, so for those examples 1+1, and 1+3, very different prices. I try and make sure this covers the postage we pay. It is shipping and handling I think, so the price can reasonably cover my time, the packaging, and what we pay royal mail, but some combinations add up to more than it costs, so yes, in some cases shipping and handling is making some profit (depending on how I cost my, or my staff's, time).
I did try and set up some options to address this, for some items allowing an option for buying two or three of the items as one item because I know that many fit in the same envelope. This just caused customers confusion even when labelled as "save postage". So I gave up on that.
It is also complicated by changing exchange rates - Tindie is in US dollars, so I have to adjust postage prices (and item prices) occasionally to be based on the UK pound price I pay.
Also, RM started charging for collection, which was previously free on click'n'drop.
If someone feels postage is too high, they are welcome to message, and I'll review it. Indeed on a couple of occasions someone has done so, for a UK purchase, and we arranged to bypass Tindie (which I am probably not supposed to do) and sell direct with a lower postage. Sadly another thing Tindie do not make easy is a specific partial refund, if I wanted to do via Tindie but charge less postage.
However, at the end of the day, the price charged is the price quoted (by Tindie), and is what the customer agreed. It is a take it or leave it - customer's choice, just like the price of the product itself.
US sales
It then got more, err, fun... US import tariffs charged by Royal Mail, so I pay postage and tariff, and an admin fee on top.
So the shipping and handling for US shipping on Tindie now includes an amount to cover US tariffs. This is impossible to match exactly - it is a shame Tindie do not have a shipping option to add a specified percentage of the sale price. They do not. So I created US shipping rates to cover "up to $5 tariff" and "up to $10 tariff" by adding $5 and $10 to the rates I normally quote.
Again, the shipping price is what is quoted and agreed by the customer.
Illegal tariffs
Now we really get in to the fun... US supreme court decides Trump's tariffs are illegal. So obviously I have asked Royal Mail how we get a refund of them. Do we get a refund of the admin fee too? It will be interesting to see what they say. I bet it will be "tough".
Of course, I have no idea if Tindie could cope with hundreds of "please refund this customer $3.50" or some such. As I say, they have no web site based refund option for me. I may simply have no practical way to send the tariffs back to my US customers, assuming I can get it back from RM (LOL). I may be able to create voucher / discount codes on Tindie, I'll have to check, that may be an approach to discount future purchases - but not ideal.
I guess another option if I got a tariff refund would be to find a suitable US based charity to send it to.
Direct refund?
Of course, as someone else pointed out - it may be a matter that the importer is the one that was liable to pay it, and they paid it by paying me, who paid RM, who paid US customs, but ultimately it is the importer that should directly get refunded for the illegal tariff: US customs to them. Which is fair enough.
But this idea does rather fall down in the face of Trump's repeated comments insisting that the sending country pays the tariff. It seems to me that RM have a lot of quotes of him saying that as justification for a refund of the tariffs that they did in fact pay as sending country.
I have no clue.
Youtube
For a change I have done it the other way - I have done youtube and then post here with transcript. This time I did blog as transcript to make a youtube. Do let me know which is better.
08:49
08:14
Blue-light filters are pure quackery [OSnews]
I was trading New Year’s resolutions with a circle of friends a few weeks ago, and someone mentioned a big one: sleeping better. I’m a visual neuroscientist by training, so whenever the topic pops up it inevitably leads to talking about the dreaded blue light from monitors, blue light filters, and whether they do anything. My short answer is no, blue light filters don’t work, but there are many more useful things that someone can do to control their light intake to improve their sleep—and minimize jet lag when they’re traveling.
My longer answer is usually a half-hour rant about why they don’t work, covering everything from a tiny nucleus of cells above the optic chiasm, to people living in caves without direct access to sunlight, to neuropeptides, the different cones, how monitors work, gamma curves, what I learned running ismy.blue, corn bulbs, melatonin, finally sharing my Apple Watch & WHOOP stats. What follows is slightly more than you needed to know about blue light filters and more effective ways to control your circadian rhythm. Spoiler: the real lever is total luminance, not color.
↫ Patrick Mineault
And yet, despite a complete and utter lack of evidence blue-light filters do anything at all, even the largest technology companies in the world peddle them without so much as blinking an eye. It’s pure quackery, and as always, we let them get away with it.
01:14
Thomas Goirand: Seamlessly upgrading a production OpenStack cluster in 4 hours : with 2k lines shell script [Planet Debian]
tl;dr:
To the question: “what does it take to upgrade OpenStack”, my personal answer is: less than 2K lines of dash script. I’ll here describe its internals, and why I believe it is the correct solution.
Why writing this blog post
During FOSSDEM 2024, I was asked “how to you handle upgrades”. I answered with a big smile and a short “with a very small shell script” as I couldn’t explain in 2 minutes how it was done. Just saying “it is great this way” doesn’t help giving readers enough hints to be trusted. Why and how did I do it the right way ? This blog post is an attempt to reply better to this question more deeply.
Upgrading OpenStack in production
I wrote this script maybe a 2 or 3 years ago. Though I’m only blogging about it today, because … I did such an upgrade in a public cloud in production last Thuesday evening (ie: the first region of the Infomaniak public cloud). I’d say the cluster is moderately large (as of today: about 8K+ VMs running, 83 compute nodes, 12 network nodes, … for a total of 10880 physical CPU cores and 125 TB of RAM if I only count the compute servers). It took “only” 4 hours to do the upgrade (though I already wore some more code to speed this up for the next time…). It went super smooth without a glitch. I mostly just sat, reading the script output… and went to bed once it finished running. The next day, all my colleagues at Infomaniak were nicely congratulating me that it went that smooth (a big thanks to all of you who did). I couldn’t dream of an upgrade that smooth! :)
Still not impressed? Boring read? Yeah… let’s dive into more technical details.
Intention behind the implementation
My script isn’t perfect. I wont ever pretend it is. But at least, it does minimize down time of every OpenStack service. It also is a “by the book” implementation of what’s written in the OpenStack doc, following every upstream advice. As a result, it is fully seamless for some OpenStack services, and as HA as OpenStack can be for others. The upgrade process is of course idempotent and can be re-run in case of failure. Here’s why.
General idea
My upgrade script does thing in a certain order, respecting what is documented about upgrades in the OpenStack documentation. It basically does:
- Upgrade all dependency
- Upgrade all services one by one, in all the cluster
Installing dependencies
The first thing the upgrade script does is:
- disable puppet on all nodes of the cluster
- switch the APT repository
- apt-get update on all nodes
- install library dependency on all nodes
For this last thing, a static list of all needed dependency upgrade is maintained between each release of OpenStack, and for each type of nodes. Then for all packages in this list, the script checks with dpkg-query that the package is really installed, and with apt-cache policy that it really is going to be upgraded (Maybe there’s an easier way to do this?). This way, no package is marked as manually installed by mistake during the upgrade process. This ensure that “apt-get –purge autoremove” really does what it should, and that the script is really idempotent.
The idea then, is that once all dependencies are installed, upgrading and restarting leaf packages (ie: OpenStack services like Nova, Glance, Cinder, etc.) is very fast, because the apt-get command doesn’t need to install all dependencies. So at this point, doing “apt-get install python3-cinder” for example (which will also, thanks to dependencies, upgrade cinder-api and cinder-scheduler, if it’s in a controller node) only takes a few seconds. This principle applies to all nodes (controller nodes, network nodes, compute nodes, etc.), which helps a lot speeding-up the upgrade and reduce unavailability.
hapc
At its core, the oci-cluster-upgrade-openstack-release script uses haproxy-cmd (ie: /usr/bin/hapc) to drain each API server to-be-upgraded from haproxy. Hapc is a simple Python wrapper around the haproxy admin socket: it sends command to it with an easy to understand CLI. So it is possible to reliably upgrade one API service only after it’s drained away. Draining means one just wait for the last query to finish and the client to disconnect from http before giving the backend server some more queries. If you do not know hapc / haproxy-cmd, I recommend trying it: it’s going to be hard for you to stop using it once you tested it. Its bash-completion script makes it VERY easy to use, and it is helpful in production. But not only: it is also nice to have when writing this type of upgrade script. Let’s dive into haproxy-cmd.
Example on how to use haproxy-cmd
Let me show you. First, ssh one of the 3 controller and search where the virtual IP (VIP) is located with “crm resource locate openstack-api-vip” or with a (more simple) “crm status”. Let’s ssh that server who got the VIP, and now, let’s drain it away from haproxy.
$ hapc list-backends
$ hapc drain-server --backend glancebe --server
cl1-controller-1.infomaniak.ch --verbose --wait --timeout 50
$ apt-get install glance-api
$ hapc enable-server --backend glancebe --server
cl1-controller-1.infomaniak.ch
Upgrading the control plane
My upgrade script leverages hapc just like above. For each OpenStack project, it’s done in this order on the first node holding the VIP:
- “hapc drain-server” of the API, so haproxy gracefully stops querying it
- stop all services on that node (including non-API services): stop, disable and mask with systemd.
- upgrade that service Python code. For example: “apt-get install python3-nova”, which also will pull nova-api, nova-conductor, nova-novncprox, etc. but services wont start automatically as they’ve been stoped + disabled + masked on the previous bullet point.
- perform the db_sync so that the db is up-to-date [1]
- start all services (unmask, enable and start with systemd)
- re-enable the API backend with “hapc enable-server”
Starting at [1], the risk is that other nodes may have a new version of the database schema, but an old version of the code that isn’t compatible with it. But it doesn’t take long, because the next step is to take care of the other (usually 2) nodes of the OpenStack control plane:
- “hapc drain-server” of the API of the other 2 controllers
- stop of all services on these 2 controllers [2]
- upgrade of the package
- start of all services
So while there’s technically zero down time, still some issues between [1] and [2] above may happen because of the new DB schema and the old code (both for API and other services) are up and running at the same time. It is however supposed to be rare cases (some OpenStack project don’t even have db change between some OpenStack releases, and it often continues to work on most queries with the upgraded db), and the cluster will be like that for a very short time, so that’s fine, and better than an full API down time.
Satellite services
Then there’s satellite services, that needs to be upgraded. Like Neutron, Nova, Cinder. Nova is the least offender as it has all the code to rewrite Json object schema on-the-fly so that it continues to work during an upgrade. Though it’s a known issue that Cinder doesn’t have the feature (last time I checked), and it’s also probably the same for Neutron (maybe recent-ish versions of OpenStack do use oslo.versionnedobjects ?). Anyways, upgrade on these nodes are done just right after the control plane for each service.
Parallelism and upgrade timings
As we’re dealing with potentially hundreds of nodes per cluster, a lot of operations are performed in parallel. I choose to simply use the & shell thingy with some “wait” shell stuff so that not too many jobs are done in parallel. For example, when disabling SSH on all nodes, this is done 24 nodes at a time. Which is fine. And the number of nodes is all depending on the type of thing that’s being done. For example, while it’s perfectly OK to disable puppet on 24 nodes at the same time, but it is not OK to do that with Neutron services. In fact, each time a Neutron agent is restarted, the script explicitly waits for 30 seconds. This conveniently avoids a hailstorm of messages in RabbitMQ, and neutron-rpc-server to become too busy. All of these waiting are necessary, and this is one of the reasons why can sometimes take that long to upgrade a (moderately big) cluster.
Not using config management tooling
Some of my colleagues would have prefer that I used something like Ansible. Whever, there’s no reason to use such tool if the idea is just to perform some shell script commands on every servers. It is a way more efficient (in terms of programming) to just use bash / dash to do the work. And if you want my point of view about Ansible: using yaml for doing such programming would be crasy. Yaml is simply not adapted for a job where if, case, and loops are needed. I am well aware that Ansible has workarounds and it could be done, but it wasn’t my choice.
Our Favorite Bowls of Hot Soup in Seattle [The Stranger]
Don’t worry, we’ll start yelling at politicians again soon. by Julianne Bell
It’s cold. Earlier this week we saw a few tiny flurries of snow, even! And while some weather reports suggest we might soon break out of this chilly, mid-40s prison we’ve been locked in, it’ll be by just a few degrees. And probably rainy. It’s the perfect weather for soup. So we took a break from screaming about Trump and City Hall, and switched gears for a minute to appreciate some of our favorite warm and comforting bowls of soup. Don’t worry, we’ll start yelling at politicians again soon.
Isarn’s Chiang MaiLook, this whole soup is fucked up. The curry noodle soup from Northern Thailand comes out looking like a sculpture, with a nest of fried noodles perched on top of perfectly poached chicken and surrounded by a thick curry broth—creamy and spiced so it feels like it warms you from the inside out. When it’s served, you’ll get three things on the side: raw red onion, chopped pickled veg, and a deep red chili oil. After your first bite, you’ll be tempted to roll up your sleeves and forget about these little treats. Do not be that fool. These bits and bobs are what turn each bite into its own experience. Is your palate feeling a little tired of the richness of the broth? Add a little pickle on top of that spoonful of noodles. Repeat until you see the bottom of the bowl. HANNAH MURPHY WINTER
Situ Tacos’ Soup of the DayYes, the Ballard oasis Situ Tacos is primarily known for its fried Lebanese Mexican tacos, but soups are one of owner Lupe Flores’s favorite things to make, and it shows. As the shop’s resident animatronic parrot, Armando, occasionally squawks: “Don’t sleep on the soups…uh, don’t sleep in the soup. Uh, the soup is super!” They rotate weekly, and there’s a meat and veggie option each day, so you might encounter molokhia (Lebanese seven-spice chicken and rice stew), chorizo potato kale, Lebanese veggie stew, fideo con bistec, vegan pozole rojo, zuppa toscana, pumpkin curry, broccoli cheddar, chicken tortilla, or something else altogether. Whatever it is, it’s sure to be soul-soothing and seasoned to perfection—you really can’t go wrong. Get a combo with tangy, crunchy slaw and/or a couple of tacos for dunking. JULIANNE BELL
Halcyon Brewing's Vegan Butternut BisqueI first happened upon Halcyon Brewing’s vegan butternut bisque by chance. Well, sort of. I was attending Ravenna Brewing Company’s annual “Soup Battle,” where local bars and breweries go head-to-head with their best soups, mostly because my good friend runs the event. Saddled with four delicious soups, I didn’t know where to begin. But Halcyon’s yellow-y orange soup with a swoop of coconut milk and a crack of black pepper on the top beckoned. I finished my bowl. It was sweet, it was savory, and it had a nice kick of spice—the brewery’s homemade chili crisp— that warmed my insides. Something vegan had no right to be so good and so creamy. Everyone at my table agreed that it should take the top prize.The rest of the Soup Battle patrons thought so, too—Halcyon’s vegan butternut bisque won the coveted Golden Ladle. NATHALIE GRAHAM
Pho Than Bros’ Veggie Pho with No Mushrooms and No Cilantro and Extra BroccoliI’m not about to tell you how to order pho. And I’m not going to try to convince you that Pho Than Bros is the best pho in Seattle, even though every bowl comes with a sweet little custard-stuffed pastry puff. Pho is personal, pho is sacred. How I pho and how you pho can be—and should be!—very different experiences, each one custom-tailored after years of slurping and experimenting and learning the hard way that your sriracha threshold isn’t nearly as high as you thought it’d be. And, at Than Bros, I have perfected my order. I get a small veggie pho with no mushrooms, no cilantro, and extra broccoli, then I load it up with black pepper, a fat ring of hoisin sauce, a delicate squeeze of sriracha, and as many of the bean sprouts that I can manage before my husband says, “Stop taking all the bean sprouts.” I finish it off with a squeeze of lime and dig in.
This isn’t an invitation for you to try what I think is the best pho in Seattle; this is an invitation for you to find your own. But if you’re looking for a place to start, or a change up from your usual, to me, Than Bros is perfect. It’s my happy place. And it comes with a cream puff. MEGAN SELING
Metropolitan Market’s CioppinoMetropolitan Market’s cioppino has been there for me since I was a child, when my parents would bring home a pint of the hot seafood stew on chilly winter nights when they didn’t feel like cooking. The rich, tomato broth, seasoned with white wine, and filled with a potpourri of shrimp, mussels, salmon, and white fish, will always feel like a luxurious treat, despite coming from a grocery store’s hot food buffet. Considering that cioppino was created as a way for fishermen to use up unsold seafood at the end of the day, I would advise not making it yourself. Not because it’s difficult, but because it will cost you approximately $5 million to buy four types of fresh seafood. Instead, buy a 16-ounce cup from your nearest Metropolitan Market store for a mere $7.39, and buy yourself a nice warm cookie while you're at it. AUDREY VANN
Biang Biang Noodles’ Curry Tofu Dry MixMassive Chinese hand-pulled noodles boiled to a perfect chewiness texture, doused in a delectable yellow curry sauce and flavorful broth with chunks of tofu and cabbage, in a bowl so massive you might need two people to finish it. It’s the hearty Asian noodle dish you dream of on a frigid evening. It’s Biang Biang Noodles’ Curry Tofu Dry Mix.
If you’ve been to Biang Biang, you might be thinking, Seriously? This isn’t soup, it’s a quart of hot oil. Well, to that I say: 1) oil is a liquid, and Managing Editor Megan Seling said we could write about “anything served in a bowl that is at least 50 percent liquid,” and (2) this oil is delicious.
Call it soup, call it hot oil, call it a bowl of molten comfort—the Curry Tofu Dry Mix does exactly what the best soups are supposed to. It satisfies your savory tooth and warms you up when the weather’s unforgiving. So if you’re asking me to grab a casual dinner with you on a dreary winter day, gimme those chopsticks and a Chinese soup spoon and find me at Biang Biang. MICAH YIP
Gorditos’ Vegan PozoleThe biggest mistake I’ve made in my life was going to Gorditos for years and only ordering one thing from the menu: A veggie burrito, wet, with a side of chips and salsa. It’s no Veggie Nolasco from Mama’s, but I love it, and I have probably eaten hundreds of them in my 45 years on the planet with zero regrets. Well, zero regrets until one fated day in December. On that day, I was finally turned on to other parts of Gordito’s menu. Did you know they have tacos! And enchiladas! They even serve breakfast! What have I been doing all my life!? And, most importantly on a cold winter’s day such as the ones we’ve been experiencing this week, they have soup. Their current soup is a vegan pozole that is an explosion of flavor in your mouth. A savory red base that tastes not unlike a brothier version of the red sauce they ladle over my beloved burrito is loaded with onions, zucchini, corn, mushrooms, and hominy, which gives each spoonful a toothsome, meaty bite. The broth is salty and rich, in a craveable way, and while eight-ounces with a side of chips is definitely enough to be its own meal, I recommend opting for the four-ounce cup, adding a taco to your order, and then proceeding to use every curved chip in the bag as your spoon. MEGAN SELING
Ooink’s Spicy Vegetarian Miso RamenIf I am going to pay to eat soup outside of my home, it’s going to be ramen. And the best ramen I’ve found, for a vegetarian such as myself, is from Ooink. There’s a Fremont location, but I can only speak for the Capitol Hill spot—the one in the strip-mall above the lit QFC on Broadway and Pike.
My order is the Spicy Vegetarian Miso Ramen (it can be made vegan, and there’s a version without “spicy” in the title). Not to worry: it has a warm kick, but is not the kind of spice that will make you cough or harsh your tastebuds.
The sturdy buckwheat noodles have just the right amount of tooth, and the miso broth has depth without being too salty or greasy—common traps that many vegetarian broths fall into when trying to overcompensate for something they do not need to overcompensate for. The toppings are correct: a springy pile of kikurage, little heaps of corn and green onions, a few sheets of seaweed, and a handful of happy baby bok choy that are blessedly not soggy and therefore retain a hint of peppery mustard flavor. This ramen also features a pat of melting corn butter, and a subtle sesame dressing drizzled onto the greens. I get mine without the tofu skin, but that’s just a personal preference (or aversion, maybe, that has something to do with its resemblance to, um, the second word there).
The star of the bowl is the house-made chili crisp. I sometimes wait until I absolutely have to stir it in because it’s such a banger taste all on its own; it’s crunchy and a little smoky and a little sweet, and the sesame seeds and spicy peanuts keep it interesting as you make your way to the bottom. Vegetarian ramens can get weird, and feel half-assed, but Ooink’s well-balanced version is the way to do it. EMILY NOKES
01:07
Urgent: Investigate corrupter in chief's profit from presidency [Richard Stallman's Political Notes]
US citizens: call on Congress to investigate the corrupter in chief's $1.4 billion profit from the presidency.
See the instructions for how to sign this letter campaign without running any nonfree JavaScript code--not trivial, but not hard.
US citizens: Join with this campaign to address this issue.
To phone your congresscritter about this, the main switchboard is +1-202-224-3121.
Please spread the word.
Urgent: Protect the Arctic from oil exploration [Richard Stallman's Political Notes]
US citizens: call on Congress to protect the Arctic by stopping reckless oil exploration there.
Exploration for fossil fuel should be pretty much stopped entirely because we can't extract it without destroying ourselves; but this threat to the Arctic is an additional reason.
US citizens: Join with this campaign to address this issue.
To phone your congresscritter about this, the main switchboard is +1-202-224-3121.
Please spread the word.
Urgent: Hidden insurance industry report data [Richard Stallman's Political Notes]
US citizens: Demand insurance commissioners stop hiding insurance industry report data from the public.
See the instructions for how to sign this letter campaign without running any nonfree JavaScript code--not trivial, but not hard.
Urgent: Defend recognition of dangers of global heating [Richard Stallman's Political Notes]
US citizens: call on Congress and everyone else with influence to defend the recognition that global heating endangers the the world and specifically the US.
US citizens: Join with this campaign to address this issue.
To phone your congresscritter about this, the main switchboard is +1-202-224-3121.
Please spread the word.
Urgent: Stop deportation thugs terrorizing children [Richard Stallman's Political Notes]
US citizens: call on Congress to stop the deportation thugs from from terrorizing children.
See the instructions for how to sign this letter campaign without running any nonfree JavaScript code--not trivial, but not hard.
US citizens: Join with this campaign to address this issue.
To phone your congresscritter about this, the main switchboard is +1-202-224-3121.
Please spread the word.
Friday, 20 February
22:21
Friday Squid Blogging: Squid Cartoon [Schneier on Security]
I like this one.
As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.
22:07
Bits from Debian: Proxmox Platinum Sponsor of DebConf26 [Planet Debian]
We are pleased to announce that Proxmox has committed to sponsor DebConf26 as a Platinum Sponsor.
Proxmox develops powerful, yet easy-to-use open-source server solutions. The comprehensive open-source ecosystem is designed to manage divers IT landscapes, from single servers to large-scale distributed data centers. Our unified platform integrates server virtualization, easy backup, and rock-solid email security ensuring seamless interoperability across the entire portfolio. With the Proxmox Datacenter Manager, the ecosystem also offers a "single pane of glass" for centralized management across different locations.
Since 2005, all Proxmox solutions have been built on the rock-solid Debian platform. We are proud to return to DebConf26 as a sponsor because the Debian community provides the foundation that makes our work possible. We believe in keeping IT simple, open, and under your control.
Thank you very much, Proxmox, for your support of DebConf26!
Become a sponsor too!
DebConf26 will take place from 20th to July 25th 2026 in Santa Fe, Argentina, and will be preceded by DebCamp, from 13th to 19th July 2026.
DebConf26 is accepting sponsors! Interested companies and organizations may contact the DebConf team through sponsors@debconf.org, and visit the DebConf26 website at https://debconf26.debconf.org/sponsors/become-a-sponsor/.
I Saw U: Reading the Paper on the 1 Line, Wearing Glasses at the Steve Forbert Show, and Drinking Absinthe at the Bohemia Cabaret [The Stranger]
Did you see someone? Say something! by Anonymous
Red Coat & Rainbow Cap + Pigtails – 1 Line
Mon Feb 16 – Bearded in a red coat reading a paper. You got off at Capitol Hill 10:25pm. Multicolor cap, 2 pigtails. We kept locking eyes.
Erika at Wuthering Heights
You introduced me to your Mikey, I introduced you to mine. I mentioned literary role play. Shall we roam the wily, windy moors?
Valentine's Sunday Bear Social
U stood around for moment. Starstruck didn't know what to say asked if this was yr beer so stupid walked away. U are still handsome like back in 2010
Elevator Mishap at Trader Joe's
You: cutie in a black hoodie. Me: blue coat & grocery anxiety. You asked to talk to me as the elevator door closed. I felt immediate regret. Do over?
Redhead with an Office Crush
We work on the same floor in our downtown office building. I smile at you whenever I see you in the hallways. Come talk to me if you’re single too!
V Day Pool side chat at Streamline
You - cute smile, me - cute dress. We people watched until your friends took you to Ozzie's. Wish I asked you stay a little longer.
Absinthe Angel Eyes
You: cutie with the green eyes enjoying a Green Fairy at the Bohemia cabaret. Me: someone you locked eyes with, wishing I was said Green Fairy.
Attractive woman with brunette hair
Wearing glasses at the Steve Forbert show at the Tractor Tavern. You were kind and bought me a beer at the shown on Valentines day. I'd welcome an opportunity to gt to know you more.
Is it a match? Leave a comment here or on our Instagram post to connect!
Did you see someone? Say something! Submit your own I Saw U message here and maybe we'll include it in the next roundup!
20:42
Royally Flushed [Penny Arcade]
Reeking cryptids Skunkape Games, not content to merely exhume the Sam & Max classics, have now turned their profane, necrophile lust toward the beloved Poker Night At The Inventory. Inexplicably, my alter ego is featured in this game and continues to be even after these warlocks completed their dark ritual. But we love to challenge the reader - and lies are a great way to start.
20:35
20:07
‘Starkiller’ Phishing Service Proxies Real Login Pages, MFA [Krebs on Security]
Most phishing websites are little more than static copies of login pages for popular online destinations, and they are often quickly taken down by anti-abuse activists and security firms. But a stealthy new phishing-as-a-service offering lets customers sidestep both of these pitfalls: It uses cleverly disguised links to load the target brand’s real website, and then acts as a relay between the target and the legitimate site — forwarding the victim’s username, password and multi-factor authentication (MFA) code to the legitimate site and returning its responses.
There are countless phishing kits that would-be scammers can use to get started, but successfully wielding them requires some modicum of skill in configuring servers, domain names, certificates, proxy services, and other repetitive tech drudgery. Enter Starkiller, a new phishing service that dynamically loads a live copy of the real login page and records everything the user types, proxying the data from the legitimate site back to the victim.
According to an analysis of Starkiller by the security firm Abnormal AI, the service lets customers select a brand to impersonate (e.g., Apple, Facebook, Google, Microsoft et. al.) and generates a deceptive URL that visually mimics the legitimate domain while routing traffic through the attacker’s infrastructure.
For example, a phishing link targeting Microsoft customers appears as “login.microsoft.com@[malicious/shortened URL here].” The “@” sign in the link trick is an oldie but goodie, because everything before the “@” in a URL is considered username data, and the real landing page is what comes after the “@” sign. Here’s what it looks like in the target’s browser:
Image: Abnormal AI. The actual malicious landing page is blurred out in this picture, but we can see it ends in .ru. The service also offers the ability to insert links from different URL-shortening services.
Once Starkiller customers select the URL to be phished, the service spins up a Docker container running a headless Chrome browser instance that loads the real login page, Abnormal found.
“The container then acts as a man-in-the-middle reverse proxy, forwarding the end user’s inputs to the legitimate site and returning the site’s responses,” Abnormal researchers Callie Baron and Piotr Wojtyla wrote in a blog post on Thursday. “Every keystroke, form submission, and session token passes through attacker-controlled infrastructure and is logged along the way.”
Starkiller in effect offers cybercriminals real-time session monitoring, allowing them to live-stream the target’s screen as they interact with the phishing page, the researchers said.
“The platform also includes keylogger capture for every keystroke, cookie and session token theft for direct account takeover, geo-tracking of targets, and automated Telegram alerts when new credentials come in,” they wrote. “Campaign analytics round out the operator experience with visit counts, conversion rates, and performance graphs—the same kind of metrics dashboard a legitimate SaaS [software-as-a-service] platform would offer.”
Abnormal said the service also deftly intercepts and relays the victim’s MFA credentials, since the recipient who clicks the link is actually authenticating with the real site through a proxy, and any authentication tokens submitted are then forwarded to the legitimate service in real time.
“The attacker captures the resulting session cookies and tokens, giving them authenticated access to the account,” the researchers wrote. “When attackers relay the entire authentication flow in real time, MFA protections can be effectively neutralized despite functioning exactly as designed.”
The “URL Masker” feature of the Starkiller phishing service features options for configuring the malicious link. Image: Abnormal.
Starkiller is just one of several cybercrime services offered by a threat group calling itself Jinkusu, which maintains an active user forum where customers can discuss techniques, request features and troubleshoot deployments. One a-la-carte feature will harvest email addresses and contact information from compromised sessions, and advises the data can be used to build target lists for follow-on phishing campaigns.
This service strikes me as a remarkable evolution in phishing, and its apparent success is likely to be copied by other enterprising cybercriminals (assuming the service performs as well as it claims). After all, phishing users this way avoids the upfront costs and constant hassles associated with juggling multiple phishing domains, and it throws a wrench in traditional phishing detection methods like domain blocklisting and static page analysis.
It also massively lowers the barrier to entry for novice cybercriminals, Abnormal researchers observed.
“Starkiller represents a significant escalation in phishing infrastructure, reflecting a broader trend toward commoditized, enterprise-style cybercrime tooling,” their report concludes. “Combined with URL masking, session hijacking, and MFA bypass, it gives low-skill cybercriminals access to attack capabilities that were previously out of reach.”
19:00
The Best Bang for Your Buck Events in Seattle This Weekend: Feb 20–22, 2026 [The Stranger]
Black & Brew Festival, Lunar New Year Family Festival, and
More Cheap & Easy Events Under $20
by EverOut Staff
Your plans are in good hands with weekend picks from the Seattle Asian Art Museum's Lunar New Year Family Festival to a Pioneer Square Scavenger Hunt and from the 12th Annual Black & Brew Imperial Stout Festival to the 2026 Seattle Home & Garden Show. For more ideas, check out our top picks of the week.
FRIDAY FOOD & DRINK
Seattle Cider Taproom Farewell Party
It’s the end of an era, folks. After Seattle Cider announced
its sale to 2 Towns, news traveled quickly that although the brand
will live on under new ownership, February would be the last month
for the cidery's beloved SoDo taproom. Whether you're a fan of the
spot or just a casual cider sipper, come on out and raise a glass
and celebrate the people, pours, and moments that made the space
special. Plus, throwback pricing is on tap all evening, so head
down to throw back $3 tall boys of the award-winning flagship Dry,
$4 core ciders, and $5 for everything else. LANGSTON
THOMAS
(Seattle Cider Taproom, Industrial District, free)
18:35
Free Software Directory meeting on IRC: Friday, February 6, starting at 12:00 EST (17:00 UTC) [Planet GNU]
Join the FSF and friends on Friday, February 6 from 12:00 to 15:00 EST (17:00 to 20:00 UTC) to help improve the Free Software Directory.
Free Software Directory meeting on IRC: Friday, January 30, starting at 12:00 EST (17:00 UTC) [Planet GNU]
Join the FSF and friends on Friday, January 30 from 12:00 to 15:00 EST (17:00 to 20:00 UTC) to help improve the Free Software Directory.
Free Software Directory meeting on IRC: Friday, January 23, starting at 12:00 EST (17:00 UTC) [Planet GNU]
Join the FSF and friends on Friday, January 23 from 12:00 to 15:00 EST (17:00 to 20:00 UTC) to help improve the Free Software Directory.
Free/libre software and our freedom: Our shield against many digital injustices. [Planet GNU]
Join FSF founder Richard M. Stallman for his talk at the Georgia Institute of Technology.
17:28
The 2026/2027 Seattle Symphony subscription season at a glance [The Old New Thing]
For two decades, I’ve put together a little pocket guide to the Seattle Symphony subscription season for my symphony friends to help them decide which ticket package they want. We stopped going to the symphony as a group years ago, but I still create this pocket guide out of tradition.
Here’s the at-a-glance season guide for the 2026/2027 season still with no comments from me because it’s not worth trying to rate every piece to help my friends pick one concert. If you’re my friend and want recommendations, just call. Besides, you can probably preview nearly all of the pieces nowadays (minus the premieres) by searching on YouTube.
Xian Zhang enters her second season as music director of the Seattle Symphony. She will lead the orchestra on Opening Night as well as for twelve subscription concerts, expanding from the nine subscription concerts she conducted in her debut season. Associate Conductor Sunny Xia is not listed on any of the concerts, nor is she mentioned in the press release, so her contract may have expired. Not sure.
| Week | Program | 19 | 13 | 6A 6B |
7C 7D |
6E 6F |
10G | ** | ||
|---|---|---|---|---|---|---|---|---|---|---|
| 09/19 2026 |
Prokofiev: Suite from
Lieutenant Kijé Prokofiev: Piano Concerto #3 |
|||||||||
| 09/24 2026 |
Bruch: Violin Concerto
#1 Berlioz: Symphonie fantastique |
|||||||||
| 10/22 2026 |
Bridge: Enter
Spring Samuel Adams: No Such Spring Schumann: Symphony #1 “Spring” |
|||||||||
| 11/05 2026 |
Unsuk Chin:
Rocaná (Room of Light) Szymanowski: Violin Concerto #2 Stravinsky: Petroushka (1947) |
|||||||||
| 11/12 2025 |
Tchaikovsky: Piano
Concerto #1 R. Strauss: Also sprach Zarathustra |
|||||||||
| 11/19 2025 |
Joe Pereira: Timpani
Concerto¹ Mozart: Requiem |
|||||||||
| 01/24 | Itzhak Perlman in recital | |||||||||
| 01/28 2027 |
Haydn: Symphony #82
“The Bear” Mozart: Piano Concerto #25, K.503 Mozart: Eine kleine Nachtmusik Haydn: Symphony #87 |
|||||||||
| 02/04 2027 |
Ibert: Concertino da
camera Steven Banks: Come As You Are Tchaikovsky: Manfred Symphony |
|||||||||
| 02/11 2027 |
Lalo: Symphonie
espagnole Ginastera: Four Dances from Estancia Rimsky-Korsakov: Cappricio espagnol |
|||||||||
| 02/25 | Chaplin: Modern Times (with film) | |||||||||
| 03/11 2027 |
Smetana: The
Moldau Steven Mackey: Concerto for Orchestra¹ Rimsky-Korsakov: Scheherezade |
|||||||||
| 03/18 | Berlioz: Roméo et Juliette, Op.17 | |||||||||
| 03/19 | Hayato Sumino (“Cateen”) recital | |||||||||
| 03/19 2027 |
Anna Lapwood with
Seattle Symphony Max Richter: Cosmology Jongen: Sinfonia Concertante |
|||||||||
| 04/08 2027 |
Vaughan Williams:
The Lark Ascending Grieg: Peer Gynt Suite (selections) Webern: Im Sommerwind (In the Summer Wind) Scriabin: Poem of Ecstasy |
|||||||||
| 04/15 2017 |
Dvořák:
Violin Concerto Beethoven: Symphony #6 “Pastoral” |
|||||||||
| 04/22 2027 |
Gabriela Montero: Piano
Concerto #1 “Latin” Respighi: Fountains of Rome Respighi: Pines of Rome |
|||||||||
| 04/29 2027 |
Saariaho:
Lumière et Pésanteur (Light and Gravity) Lutosławski: Piano Concerto Shostakovich: Symphony #10 |
|||||||||
| 05/13 2027 |
Ian Cusson: IQ84:
Sinfonietta Metamoderna Rachmaninov: Piano Concerto #2 Sibelius: Symphony #2 |
|||||||||
| 06/03 2027 |
R. Strauss:
Träumerei am Kamin (Dreaming by the Fireside) from Intermezzo Debussy: Ariettes Oubliées (Forgotten Songs) (arr. Brett Dean) Mahler: Symphony #4 |
|||||||||
| 06/17 2027 |
Brahms: Symphony in
#3 Brahms: Violin Concerto |
|||||||||
| 06/24 2027 |
Liszt: Piano Concerto
#2 Wagner: The Ring Without Words (arr. Maazel) |
|||||||||
| Week | Program | 19 | 13 | 6A 6B |
7C 7D |
6E 6F |
10G | ** |
¹ Seattle Symphony Co-commission and World Premiere
Insider tip: Click a column header to focus on a specific series. (This feature has been around for several years, actually.)
Legend:
| 19 | Symphonic Series 19-concert series (Choice of Thursdays or Saturdays) |
| 13 | Symphonic Series 13-concert series (Choice of Thursdays or Saturdays) |
| 6A | Symphonic Series 6-concert series A (Thursdays) |
| 6B | Symphonic Series 6-concert series B (Saturdays) |
| 7C | Symphonic Series 7-concert series C (Thursdays) |
| 7D | Symphonic Series 6-concert series D (Saturdays) |
| 6E | Symphonic Series 6-concert series E (Thursdays) |
| 6F | Symphonic Series 7-concert series F (Saturdays) |
| 10G | Symphonic Series 10-concert series G (Sunday afternoons) |
| ** | Various special concerts (individually priced) |
For those not familiar with the Seattle Symphony ticket package line-ups: Most of the ticket packages are named Symphonic Series nX (formerly named Masterworks nX) where n is the number of concerts in the package, and the letter indicates the variation. Ticket packages have been combined if they are identical save for the day of the week. For example, 7C and 7D are the same concerts; the only difference is that 7C is for Thursday nights, while 7D is for Saturday nights. The exception is the column I marked **, which is just a grab bag of special concerts.
Notes and changes:
- The main symphony season has been reduced from 21 programs to 19. The A, B, E, and F series have consequently been reduced from 7 concerts to 6. The Sunday series has been expanded from 8 to 10 concerts, which the Seattle Symphony claims is due to popular demand. The four-concert Friday series has been dropped.
- The 6A/6B, 7C/7D, and 6E/6F concert series do not overlap, so you can create your own pseudo-series by taking any two of them, or recreate the 19-concert series by taking all three.
- The 13-concert series is the same as the 7C/7D and 6E/6F series combined.
- The Saturday concert for the weekend of May 13 has been moved to Friday.
- The 2026/2027 season will be the first to take advantage of the Amplify project’s renovation of the public spaces.
- The Youth Tickets program provides $25 tickets to up to children per concert for all Symphonic Series concerts, plus most other concerts. If you purchase an adult subscription, you can add a matching Youth Subscription at the same rate of $25 per concert.
- The Seattle Symphony is part of the TeenTix program which offers teenagers (ages 13 through 19) $5 day-of-show tickets for selected concerts. TeenTix members can also buy up to two $10 tickets for Sunday concerts for non-teenage friends and family.
- Notable guests: Special concerts by Itzhak Perlman and Hayato Sumino (who is apparently a popular YouTuber), and organist Anna Lapwood. Superstar pianist Yuja Wang performs on Opening Night (Prokofiev Piano Concerto #3). Other prominent soloists performing at regular season concerts are Emanuel Ax (Mozart Piano Concerto #25), Gil Shaham (Dvořák Violin Concerto), and Benjamin Grosvenor (Rachmaninov Piano Concerto #2).
- Conductor Emeritus Ludovic Morlot returns to conduct a Spring-themed concert on the weekend of October 22. There is also a Spain-and-South-America themed concert (led by Xian Zhang) on the weekend of February 11.
- Soundtrack-with-film concerts continue to remain popular, and for the first time I can recall, one of these concerts makes it to the regular subscription series: A performance of the score to Modern Times to accompany the film.
- The April 8, April 15, and April 22 concerts form an in-season Nature in Music Festival.
- Additional series not listed above include the In Recital, Seattle Pops, Octave 9, Chamber, Tiny Tots, and Family Concerts, as well as a collection of holiday concerts in December. (This year, we have Messiah but no Beethoven’s 9th.)
- Over the years, the format of the Seattle Symphony official brochure has gradually gotten closer and closer to the format of this pocket guide. This makes my job both easier and arguably superfluous.
The post The 2026/2027 Seattle Symphony subscription season at a glance appeared first on The Old New Thing.
Reproducible Builds (diffoscope): diffoscope 313 released [Planet Debian]
The diffoscope maintainers are pleased to announce the release
of diffoscope version 313. This version
includes the following changes:
[ Chris Lamb ]
* Don't fail the entire pipeline if deploying to PyPI automatically fails.
[ Vagrant Cascadian ]
* Update external tool reference for 7z on guix.
You find out more by visiting the project homepage.
Slog AM: The Supreme Court Stomps on Trump's Tariffs, New Voter ID Bill Is Bad News, and Seattle Women's Hockey Captain Breaks Olympic Record [The Stranger]
The Stranger's Morning News Roundup. by Hannah Murphy Winter
Good Morning! Did you see a little snow yesterday? It was spotty, and fleeting, and it might be the only snow we get this year, so I hope you got a taste of it. Today promises to be cold (low 40s), but probably dry, so get outside for a bit. Tomorrow, the rain starts again.
MAHA Moms Revolt: On Wednesday, Trump invoked a Korean-war era law that allows the government to force the manufacture of supplies “in the interest of national defense.” What’re we manufacturing? Glyphosate—a probably-carcinogenic pesticide that’s sold in the hardware store aisles as Roundup. And the anti-vax, raw milk chugging, horse dewormer-obsessed MAHA crowd is pissed. The founder of Moms Across America (named Zen Honeycutt, of course), which has led the anti-glyphosate campaign, called it “an egregious offense to what he promised,” and Republicans are worried that it could impact how many women vote red in the midterms. To be clear, MAHA is off base on a lot, but they’re right to hate this pesticide. Studies have shown that it very likely causes cancer. But it’s a Monsanto favorite, and every decision is for sale in Trump’s America.
UN Who? On Thursday morning, President Trump emceed the inaugural meeting of his knock-off United Nations, aka the Board of Peace, which he created and oversees. (Any nation can get a permanent seat, as long as they’re willing to pay $1 billion to get it.) In the meeting, Trump announced that the US was committing $10 billion in aid to Gaza, but Congress doesn’t appear to have appropriated that money, so who knows where he’s getting it. “Beyond that, there were few clear objectives from the meeting. It was like the United Nations General Assembly, if everything about the United Nations revolved around Donald Trump,” the New York Times wrote.
Speaking of Peace: Trump is sending the largest force of American warships and aircraft to the Middle East in decades, and said that Iran needs to strike a meaningful deal with the US about their nuclear program, “otherwise, bad things happen.” He’s given the country “10-15 days” to strike a deal that’s been deadlocked for years.
Israeli Settlers Kill Palestinian American: His name was Nasrallah Abu Siyam, and he was 19 years old. According to residents, settlers marched into the town of Mukhmas and attacked a farmer. When villagers intervened, Israeli forces joined the settlers and, according to residents, that empowered the settlers to start firing into the crowd. Settlers in the West Bank killed 240 Palestinians last year, a campaign that the UN says could be considered ethnic cleansing. Nasrallah Abu Siyam is the first Palestinian killed by settlers in 2026.
Tariff Tumble: On Friday morning, the Supreme Court ruled 6-3 that Trump does not actually have the authority to impose his insane tariffs. So far the Treasury Department has collected about $240 billion in tariff revenue since Trump’s “Liberation Day” last April, and they could be forced to issue massive refunds, which, in Brett Kavanaugh’s wise words, would be a “mess.”
New Neon: Pike Place Market got its first new neon sign in almost 100 years. It’s mounted on the elevator shaft attached to the Waterfront Park. I think it classes up the place.
View this post on Instagram
Vote ID Law Would Do Its Job: Sen. Maria Cantwell and Washington election officials warned that the Trump-backed SAVE America Act (which requires proof of citizenship to vote) would turn our midterm elections into chaos. Fortunately, even Republicans in the Senate think it’s harmful bullshit, so it’s got slim chances.
Mom and Dad Are Fighting Again: Governor Bob Ferguson has some big feelings about the Millionaire Tax—namely, who should benefit from it, and who gets a tax break alongside it. But rather than working directly with lawmakers on it, state legislatures are complaining that at every stage, he’s simply taking to the microphone to bah-humbug their work. In this comically short session, they have just three weeks to land this plane.
The Latest from NWDC: Nurses at St. Joseph Medical Center in Tacoma told KUOW that since the beginning of Trump’s second term, they’ve seen a spike in ICE detainees coming to the hospital as patients. They say that agents have repeatedly ignored standard practices to safeguard patients’ privacy, health, and safety, including “refusing to leave detainees’ rooms during catheter changes, shackling a detainee so tightly to a bed they caused nerve damage to the person’s hand, and refusing to wear required masks and gowns in rooms where patients had communicable diseases,” KUOW reported. “I feel like [ICE agents] treat [detainees] like they’re animals,” one nurse told them.
Are you a renter? Probably. And if you are, you have until midnight to fill out the mayor’s renter survey. This is an opportunity to tell the City how much your rent has spiked, what kinds of bullshit charges you deal with every month (wtf is a valet garbage fee, really), and any other challenges you deal with as a renter just trying to keep a roof over your head.
Coming Home With the Gold: After a perfect Olympic season, the US Women’s hockey team won the gold in overtime against Canada. Hilary Knight, the captain of Team USA (and the Seattle Torrent), scored the shot that tied up the game, and at the same time, broke the record for most career Olympic goals (15 of them, if you were wondering). The players are coming home next week, and the Torrent will play their first post-Olympics game against the Toronto Sceptres on Friday the 27th.
View this post on Instagram
More Olympics Shine: US figure skater Alysa Liu won the gold on Thursday, breaking a 24-year drought for women’s figure skating. For reference, the last time the US won a gold in women’s figure skating, Liu hadn’t even been born. And to make it even more badass, she claimed the win after a two-year break from the sport. The US women’s curling team also made it to the semi-finals for the first time in 24 years.
View this post on Instagram
Have you played Routle today? It’s like Wordle, but for the King County Metro system. You get the shape of the route on a blank background, and five guesses. Are you King of the Bus?
A Song for Your Friday: A perfect track to make your commute feel like a little adventure, or to keep you company while you take a walk for your stupid mental health before the rain comes.
16:42
Customizing the ways the dialog manager dismisses itself: Detecting the ESC key, first (failed) attempt [The Old New Thing]
Suppose you want to distinguish between dismissing a dialog by
pressing ESC and dismissing a dialog by clicking the
Close button. One suggestion I saw was to call
GetAsyncKeyState(VK_ESCAPE) to check
whether the ESC is down.
In general, any time you see
GetAsyncKeyState, you should be
suspicious, since GetAsyncKeyState
checks the state of the keyboard at the moment it is called, which
might not be relevant to your window if it asynchronously lost
keyboard focus, and which (from the point of view of your program)
might even be from the future.
Recall that the system maintains two types of keyboard states.
One is the synchronous keyboard state, which represents the
state of the keyboard as far as your program is aware. If your
program received a WM_KEYDOWN for the space bar, then
GetKeyState will report that the space bar
is pressed. Even if the user releases the space bar,
GetKeyState will continue to report that
the space bar is pressed until the program receives a
WM_KEYUP for the space bar.
The idea here is that your program is processing an input stream, and due to the nature of multitasking and the physics of time, it’s possible that your program is catching up to input that actually occurred some time ago. For example, maybe the user typed ahead into the program while it was unresponsive, and now that the program has become responsive again, it is playing catch-up with all the typing that occurred 30 seconds ago.
If the program receives, say, a press of the F2 key and wants to know whether to do the Ctrl+F2 hotkey, it doesn’t know want to know whether the Ctrl key is down at the moment it is processing its input backlog. It wants to know whether the Ctrl key was down at the time the F2 was pressed.
| Time | Event |
|---|---|
| 1 | User presses Ctrl |
| 2 | User presses F2 |
| 3 | User releases F2 |
| 4 | User releases Ctrl |
| 5 | Program receives Ctrl down |
| 6 | Program receives F2 down |
| 7 | Program uses GetAsyncKeyState to
ask if Ctrl is downAnswer: No Program does F2 action instead of Ctrl+F2 |
When the program asks via
GetAsyncKeyState whether the
Ctrl key is down, the answer is “No, it’s
not down. It was released at some future point in time you
haven’t learned about yet.” And so the program does its
F2 action instead of Ctrl+F2, and
you get a bug report that goes like “When the program is
under heavy load, the Ctrl+F2 hotkey
doesn’t work.”
Suppose your program wants to discard changes when the user
dismisses the dialog with ESC but wants to save changes
when the user dismisses the dialog with the Close button. Checking
the asynchronous state of the ESC key will tell you
whether the ESC is down right now, but not whether the
ESC was down at the time the system generated the
IDCANCEL. You’re going to get bugs like,
“When the program is under heavy load, pressing
ESC to dismiss the dialog sometimes saves the changes
instead of discarding them.”
Of course, the bug report probably isn’t going to be so kind as to mention that the program was under heavy load or that the ESC accidentally saved the changes. It’ll probably just say “Sometimes I see changes that I’m sure I had discarded.” And you’ll have to figure out what the necessary conditions are for that bug to manifest itself.
Bonus chatter: I don’t know why people love to use
GetAsyncKeyState so much. It has a
longer, more cumbersome name than the largely-ignored
GetKeyState function. Maybe people think
that the longer, more cumbersome name means that it’s somehow
“more fancy”.
The post Customizing the ways the dialog manager dismisses itself: Detecting the ESC key, first (failed) attempt appeared first on The Old New Thing.
15:35
Pluralistic: A perforated corporate veil (20 Feb 2026) [Pluralistic: Daily links from Cory Doctorow]
->->->->->->->->->->->->->->->->->->->->->->->->->->->->->
Top Sources: None -->
Today's links
- A perforated corporate veil: The Brazilian method for curbing corporate power.
- Hey look at this: Delights to delectate.
- Object permanence: Social media turned US parties into host organisms for third parties; "Citizens" are hired actors; Insured exoskeletons; Talking with Snowden and Gibson.
- Upcoming appearances: Where to find me.
- Recent appearances: Where I've been.
- Latest books: You keep readin' em, I'll keep writin' 'em.
- Upcoming books: Like I said, I'll keep writin' 'em.
- Colophon: All the rest.
A perforated corporate veil (permalink)
"Capitalist realism" is the idea that the world's current economic and political arrangements are inevitable, and that any attempt to alter them is a) irrational; b) doomed; and c) dangerous. It's the ideology of Margaret Thatcher's maxim, "There is no alternative."
Obviously this is very convenient if you are a current beneficiary of the status quo. "There is no alternative" is a thought-stopping demand dressed up as an observation. It means, "Don't try and think of alternatives."
The thing is, alternatives already exist and work very well. The Mondragon co-ops in Spain constitute a fully worked out, long-term stable economic alternative to traditional capitalist enterprises, employing more than 100,000 people and generating tangible, empirically measured benefits to workers, customers and the region:
https://en.wikipedia.org/wiki/Mondragon_Corporation
Proponents of capitalist realism will tell you that Mondragon doesn't count. Maybe it's just a one-off. Or maybe it's just not big enough. 100,000 workers sounds like a lot, but Amazon has over 1.5m employees and untold numbers of misclassified contractors who are employees in everything but name (and legal rights).
This is some pretty transparent goalpost moving, but sure, let's stipulate that Mondragon doesn't prove that there are broadly applicable alternatives to the dominant capitalism of the mid-2020s. Are there other examples of "an alternative?"
There sure are.
Let's look at limited liability. Limited liability – the idea that a company's shareholders cannot be held liable for the company's misdeeds – is a bedrock of capitalist dogma. The story goes that until the advent of the "joint stock enterprise" (and its handmaiden, limited liability) there was no efficient way to do "capital formation" (raising money for a project or business).
Because of this, the only ambitious, capital-intensive projects were those that caught the fancy of a king, a Pope, or an aristocrat. But once limited liability appears on the scene, many people of modest means can jointly invest in a project without worrying about being bankrupted if it turns out that the people running it are crooks or bumblers. That lets you, say, buy a single share of a company without having to keep daily tabs on the management's every action without worrying that if they go wrong, someone they've hurt will sue you for everything you've got.
Capital formation is a real thing, and limited liability unquestionably facilitates capital formation. There are plenty of good things in the world that exist because limited liability protections allowed everyday people to help bring them into existence. This isn't just stuff that makes a lot of money for capitalism's true believers, it includes everything from the company that makes the printing presses that your favorite anarchist zine runs on to the mill that makes the alloys for the e-bike you use to get to a demonstration.
This is where capitalist realism comes in. Capitalist realists will claim that there is no way to do capital formation for these beneficial goods without limited liability – and not just any limited liability, but maximum limited liability in which the "corporate veil" can never be pierced to assign culpability to any shareholder. The capitalist realist claim is that the corporate veil is like the skin of a balloon, and that any attempt to poke even the smallest hole in it will cause it to rupture and vanish.
But this just isn't true, and we can tell, because one of the largest economies in the world has operated with a perforated corporate veil for nearly a century, and that economy hasn't suffered from capital formation problems. Quite the contrary, some of the world's largest (and most destructive) monopolies are headquartered in this country where the veil of limited liability is thoroughly perforated.
The country I'm talking about is Brazil, which has had limited limited liability since 1937:
https://lpeproject.org/blog/when-workers-pierce-the-corporate-veil-brazils-forgotten-innovation/
As Mariana Pargendler writes for the LPE Project, Brazil put limits on limited liability to address a common pattern of corporate abuse. Companies would set up in Brazil, incur a lot of liabilities (say, by poisoning the land, water and air, or by stealing from or maiming workers), and then, when the wheels of justice caught up with them, the companies would fold and re-establish themselves the next day under a new name.
Like I say, this happens all over the world. It's incredibly common, and even the pettiest of crooks know how to use this trick. I know someone whose NYC apartment was flooded by the upstairs neighbor, who decided that they didn't need to worry about the fact that their toilet wouldn't stop running – for months, until the walls of the apartment downstairs dissolved in a slurry of black mold. The upstairs neighbor owned the apartment through an LLC, which they simply folded up and walked away from, while my friend was stuck with a giant bill and no one to sue.
The limited liability company is the scammer's best friend. In the UK, an anti-tax extremist invented a tax-evasion scam whereby landlords pretend that their empty commercial buildings are tax-exempt "snail farms" by scattering around some boxes with a few snails in them:
https://www.patreon.com/posts/149255928?collection=1941093
When this results in inevitable stonking fines and adverse judgments, the "snail farmers" duck liability by folding up their limited liability company after transferring its assets to a new LLC.
Capitalist realists will tell you that this is just the price of efficient capital formation. Without total, airtight limited liability – the sort that allows for this kind of obvious, petty ripoff – no one would be able to raise capital for anything.
Brazil begs to differ. In 1937, Brazil made parent companies liable for their subsidiaries' obligations, with a system of "joint and several liability" for LLCs. This was expanded with 1943's Consolidation of Labor Laws, and it worked so well that the Brazilian legislature expanded it again in 2017.
Remember back in 2024, when Elon Musk defied a Brazilian court order about Twitter, only to have Brazil freeze Starlink's assets until Musk caved? That was the "joint and several" liability system:
https://www.nytimes.com/2024/09/13/world/americas/brazil-musk-x-starlink.html
As Pargendler writes, Brazil's liability system "represented a distributive choice: prioritizing Brazilian workers’ ability to enforce their rights over foreign capital’s interest in minimizing costs through corporate structuring."
Pargendler (who teaches at Harvard Law) co-authored a paper with São Paulo Law's Olívia Pasqualeto analyzing the impact that Brazil's limited liability system had on capital formation and corporate conduct:
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=6105586
Unsurprisingly, they find that there has been a steady pressure to erode the joint and several system, but also that some countries (the US and France) have a "joint employer" doctrine that is a weak form of this. Portugal, meanwhile, adopted the Brazilian system, 70 years after Brazil – this transposition of law from a former colony to a former colonial power is apparently called "reverse convergence":
https://lpeproject.org/blog/heterodox-corporate-laws-in-the-global-south/
More countries in the global south have adopted regimes similar to Brazil's, like Venezuela and Chile. Other countries go further, like Mozambique and Angola. Somewhere in between are other Latin American countries like Peru and Uruguay, where these rules have entered practice through judicial rulings, not legislation.
The authors don't claim that perforating the corporate veil solves all the problems of exploitative, fraudulent or corrupt corporate conduct. Rather, they're challenging the capitalist realist doctrine that insists that this system couldn't possibly exist, and if it did, it would be a disaster.
A hundred years of Brazilian law, and Brazil's globe-spanning corporate giants, beg to differ.
(Image: Gage Skidmore, CC BY-SA 2.0, modified)
Hey look at this (permalink)
- Rep. James Talarico On Confronting Christian Nationalism, And Strange Days In The Texas Legislature https://www.youtube.com/watch?v=oiTJ7Pz_59A
-
What Airlines Don't Want You to Know https://www.youtube.com/watch?v=wlNBdUDeoT4
-
Ada Palmer on Inventing the Renaissance: How Golden and Dark Ages Are Constructed and Why They Matter https://www.singularityweblog.com/ada-palmer-inventing-the-renaissance/
-
Humble Book Bundle: Terry Pratchett's Discworld https://www.humblebundle.com/books/terry-pratchetts-discworld-harpercollins-encore-2026-books
-
New Report Helps Journalists Dig Deeper Into Police Surveillance Technology https://www.eff.org/press/releases/new-report-helps-journalists-dig-deeper-police-surveillance-technology
Object permanence (permalink)
#15yrsago XKCD’s productivity tip: reboot your computer every time you get bored https://blog.xkcd.com/2011/02/18/distraction-affliction-correction-extensio/
#10yrsago Infographic: what’s the TPP, what’s wrong with it, how’d we get here, and what do we do now? https://www.eff.org/deeplinks/2016/02/new-infographic-tpp-and-your-digital-rights
#10yrsago Hacker suspected in Anon raid on Boston hospital rescued at sea by Disney cruise ship, then arrested https://www.nbcnews.com/news/us-news/suspected-hacker-arrested-after-rescue-sea-during-disney-cruise-n520131
#10yrsago Tipping screws poor people, women, brown people, restaurateurs, local economies and…you https://web.archive.org/web/20160220234308/https://www.washingtonpost.com/news/wonk/wp/2016/02/18/i-dare-you-to-read-this-and-still-feel-ok-about-tipping-in-the-united-states/
#10yrsago Clay Shirky: social media turned Dems, GOP into host organisms for third party candidates https://web.archive.org/web/20160219231315/https://storify.com/cshirky/republican-and-democratic-parties-are-now-host-bod
#10yrsago Leaked memos suggest Volkswagen’s CEO knew about diesel cheating in 2014 https://www.nytimes.com/2016/02/19/business/volkswagen-memos-suggest-emissions-problem-was-known-earlier.html?smprod=nytcore-ipad&smid=nytcore-ipad-share&_r=0
#10yrsago “Citizens” who speak at town meetings are hired, scripted actors https://www.nbclosangeles.com/news/local/concerned-citizens-turn-out-to-be-political-theater/2021439/
#10yrsago Women in Zika-affected countries beg online for abortion pills https://ticotimes.net/2016/02/18/with-abortion-banned-in-zika-countries-women-beg-on-web-for-abortion-pills
#10yrsago Health insurance must pay for exoskeletons https://web.archive.org/web/20160217093325/https://motherboard.vice.com/read/robotic-exoskeleton-rewalk-will-be-covered-by-health-insurance
#5yrsago Uber loses court battle, steals wages, censors whistleblower https://pluralistic.net/2021/02/19/texas-lysenko/#unter
#5yrsago How Republicans froze Texas solid https://pluralistic.net/2021/02/19/texas-lysenko/#mess-with-texas
#5yrsago Complicity, incompetence, leadership and Capitol Police https://pluralistic.net/2021/02/19/texas-lysenko/#capitol-riots
#5yrsago My talks with Edward Snowden and William Gibson https://pluralistic.net/2021/02/19/texas-lysenko/#gibson-snowden
#5yrsago Pluralistic is five https://pluralistic.net/2025/02/19/gimme-five/#jeffty
Upcoming appearances (permalink)
- Montreal (remote): Fedimtl, Feb 24
https://fedimtl.ca/ -
Oslo (remote): Seminar og lansering av rapport om «enshittification»
https://www.forbrukerradet.no/siste-nytt/digital/seminar-og-lansering-av-rapport-om-enshittification/ -
Victoria: 28th Annual Victoria International Privacy & Security Summit, Mar 3-5
https://www.rebootcommunications.com/event/vipss2026/ -
Victoria: Enshittification at Russell Books, Mar 4
https://www.eventbrite.ca/e/cory-doctorow-is-coming-to-victoria-tickets-1982091125914 -
Barcelona: Enshittification with Simona Levi/Xnet (Llibreria Finestres), Mar 20
https://www.llibreriafinestres.com/evento/cory-doctorow/ -
Berkeley: Bioneers keynote, Mar 27
https://conference.bioneers.org/ -
Berlin: Re:publica, May 18-20
https://re-publica.com/de/news/rp26-sprecher-cory-doctorow -
Berlin: Enshittification at Otherland Books, May 19
https://www.otherland-berlin.de/de/event-details/cory-doctorow.html -
Hay-on-Wye: HowTheLightGetsIn, May 22-25
https://howthelightgetsin.org/festivals/hay/big-ideas-2
Recent appearances (permalink)
- Panopticon :3 (Trashfuture)
https://www.patreon.com/posts/panopticon-3-150395435 -
America's Enshittification is Canada's Opportunity (Do Not Pass Go)
https://www.donotpassgo.ca/p/americas-enshittification-is-canadas -
Everything Wrong With the Internet and How to Fix It, with Tim Wu (Ezra Klein)
https://www.nytimes.com/2026/02/06/opinion/ezra-klein-podcast-doctorow-wu.html -
How the Internet Got Worse (Masters in Business)
https://www.youtube.com/watch?v=auXlkuVhxMo -
Enshittification (Jon Favreau/Offline):
https://crooked.com/podcast/the-enshittification-of-the-internet-with-cory-doctorow/
Latest books (permalink)
- "Canny Valley": A limited edition collection of the collages I create for Pluralistic, self-published, September 2025 https://pluralistic.net/2025/09/04/illustrious/#chairman-bruce
-
"Enshittification: Why Everything Suddenly Got Worse and What to Do About It," Farrar, Straus, Giroux, October 7 2025
https://us.macmillan.com/books/9780374619329/enshittification/ -
"Picks and Shovels": a sequel to "Red Team Blues," about the heroic era of the PC, Tor Books (US), Head of Zeus (UK), February 2025 (https://us.macmillan.com/books/9781250865908/picksandshovels).
-
"The Bezzle": a sequel to "Red Team Blues," about prison-tech and other grifts, Tor Books (US), Head of Zeus (UK), February 2024 (thebezzle.org).
-
"The Lost Cause:" a solarpunk novel of hope in the climate emergency, Tor Books (US), Head of Zeus (UK), November 2023 (http://lost-cause.org).
-
"The Internet Con": A nonfiction book about interoperability and Big Tech (Verso) September 2023 (http://seizethemeansofcomputation.org). Signed copies at Book Soup (https://www.booksoup.com/book/9781804291245).
-
"Red Team Blues": "A grabby, compulsive thriller that will leave you knowing more about how the world works than you did before." Tor Books http://redteamblues.com.
-
"Chokepoint Capitalism: How to Beat Big Tech, Tame Big Content, and Get Artists Paid, with Rebecca Giblin", on how to unrig the markets for creative labor, Beacon Press/Scribe 2022 https://chokepointcapitalism.com
Upcoming books (permalink)
- "The Reverse-Centaur's Guide to AI," a short book about being a better AI critic, Farrar, Straus and Giroux, June 2026
-
"Enshittification, Why Everything Suddenly Got Worse and What to Do About It" (the graphic novel), Firstsecond, 2026
-
"The Post-American Internet," a geopolitical sequel of sorts to Enshittification, Farrar, Straus and Giroux, 2027
-
"Unauthorized Bread": a middle-grades graphic novel adapted from my novella about refugees, toasters and DRM, FirstSecond, 2027
-
"The Memex Method," Farrar, Straus, Giroux, 2027
Colophon (permalink)
Today's top sources:
Currently writing: "The Post-American Internet," a sequel to "Enshittification," about the better world the rest of us get to have now that Trump has torched America (1037 words today, 32992 total)
- "The Reverse Centaur's Guide to AI," a short book for Farrar, Straus and Giroux about being an effective AI critic. LEGAL REVIEW AND COPYEDIT COMPLETE.
-
"The Post-American Internet," a short book about internet policy in the age of Trumpism. PLANNING.
-
A Little Brother short story about DIY insulin PLANNING
This work – excluding any serialized fiction – is licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net.
https://creativecommons.org/licenses/by/4.0/
Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.
How to get Pluralistic:
Blog (no ads, tracking, or data-collection):
Newsletter (no ads, tracking, or data-collection):
https://pluralistic.net/plura-list
Mastodon (no ads, tracking, or data-collection):
Medium (no ads, paywalled):
Twitter (mass-scale, unrestricted, third-party surveillance and advertising):
Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):
https://mostlysignssomeportents.tumblr.com/tagged/pluralistic
"When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla
READ CAREFULLY: By reading this, you agree, on behalf of your employer, to release me from all obligations and waivers arising from any and all NON-NEGOTIATED agreements, licenses, terms-of-service, shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure, non-compete and acceptable use policies ("BOGUS AGREEMENTS") that I have entered into with your employer, its partners, licensors, agents and assigns, in perpetuity, without prejudice to my ongoing rights and privileges. You further represent that you have the authority to release me from any BOGUS AGREEMENTS on behalf of your employer.
ISSN: 3066-764X
15:14
I'd like to have an OPML subscription list with feeds with news about specific feed-based products. I started a thread on the reallysimple repo for people to post links to such feeds. Once I have enough feeds, I'll publish the URL of the subscription list. We should, in this community, of all communities, a good way to communicate about developments. Too many good ideas get lost without this.
I've taught ChatGPT and Claude.ai how to properly indent code so I can paste it into my outliner, and it will represent the structure correctly. I just got it to do the same thing with HTML code I copied from the Chrome debugger. Pasted it into the outline. Have a look.
14:49
[$] Open-source Discord alternatives [LWN.net]
The closed-source chat platform Discord
announced on February 9 that it would soon require some
users to verify their ages in order to access some content —
although the company quickly
added that the "vast majority
" of users would not have
to. That reassurance has to contend with the fact that the UK and
other countries are implementing increasingly strict age
requirements for social media. Discord's age verification would be
done with an AI age-judging model or with a government photo ID. A
surprising number of open-source projects use Discord for support
or project communications, and some of those projects are now
looking for open-source alternatives. Mastodon, for example,
has
moved discussion to Zulip. There are some alternatives out
there, all with their own pros and cons, that communities may want
to consider if they want to switch away from Discord.
Dianne Skoll, creator and maintainer of the command-line calendar and alarm program Remind, has announced the release of The Book of Remind. As the name suggests, it is a step-by-step guide to learning how to use Remind, and a useful supplement to the extensive remind(1) man page. The book is free to download.
14:28
If you're using OPML for your blogroll, here's an unofficial place to let us know what you're doing.
Error'd: Three Blinded Mice [The Daily WTF]
...sent us five wtfs. And so on anon.
Item the first, an anon is "definitely not qualified" for this job. "These years of experience requirements are getting ridiculous."
Item the second unearthed by a farmanon has a loco logo. "After reading about the high quality spam emails which are indistinguishable from the company's emails, I got one from the spammer just starting his first day."
In thrid place, anon has only good things to say: "I'm liking their newsletter recommendations so far."
"A choice so noice, they gave it twoice," quipped somebody.
And foinally, a tdwtfer asks "I've seen this mixmastered calendering on several web sites. Is there an OSS package that is doing this? Or is it a Wordpress plugin?" I have a sneaking suspicion I posted this before. Call me on it.
[Advertisement]
Utilize BuildMaster to release your software with confidence,
at the pace your business demands.
Download today!
February marks an anniversary for us: in this month in 2001, Krissy and Athena and I moved to this house in Bradford, Ohio, so now we have been citizens of this village and state for 25 years. On the 20th anniversary, I wrote a long piece about moving here and what that meant to us, and that’s still largely accurate, so I’m not going to replicate here. I will note that in the last five years, we’ve become even more entrenched here in Bradford, as we went on a bit of a real estate spree, purchasing a church, a campground, and a few other properties, and started a business and foundation here in town as well. We’ve become basically (if not technically precisely) the 21st century equivalent of landed gentry.
It’s possibly fitting that after a quarter century here in rural Ohio, I finally wrote a novel that takes place in it, which will be out, as timing would have it, on election day this year. The town in the novel is fictional but the county is real, as it my own, and it’s been interesting writing something about this place, now — that also, you know, has monsters in it. I certainly hope people around here are going to be okay with that, rather than, say, “you wrote what now about us?” There is a reason I made a fictional town, mind you.
I continue to be a bit of an odd duck for the area, which I don’t see changing, and despite the fact the number of full-time writers in Bradford has doubled thanks to Athena. On the other hand, as I’ve noted before, my output is such that Bradford is the undisputed literary capital of Darke County, and I think that’s something both Bradford and Darke County can be proud of.
Anyway, Ohio, and Darke County, and Bradford, have been good to me in the last quarter century. I hope I have been likewise to them. We’re likely to stay.
— JS
14:07
Security updates for Friday [LWN.net]
Security updates have been issued by AlmaLinux (grafana), Debian (gegl, inetutils, libvpx, nova, and python-django), Fedora (azure-cli, chromium, microcode_ctl, python-azure-core, python3.14, and roundcubemail), Red Hat (grafana and osbuild-composer), SUSE (apptainer, dnsdist, istioctl, libsoup, openCryptoki, python-nltk, python311, python313, rclone, and thunderbird), and Ubuntu (libvpx, linux-azure, linux-azure-5.4, linux-azure-fips, and linux-intel-iotg).
13:42
Updated version of FeedLand Docker Compose. It's now possible to run FeedLand on a local machine on a private network.
I think the really big money in AI will be helping all the commerce sites get competitive again. Their sites are breaking, and are anemic compared to what you can do with AI. I think the WordPress community is in great position to get a huge amount of business here because many of these people are your customers. If you're a WordPress developer I'd love to hear what you think.
13:35
Spinnerette - issue 44 - 24 [Spinnerette]
New comic!
Today's News:
12:56
How to Write a Good Spec for AI Agents [Radar]
This post first appeared on Addy Osmani’s Elevate Substack newsletter and is being republished here with the author’s permission.
TL;DR: Aim for a clear spec covering just enough nuance (this may include structure, style, testing, boundaries. . .) to guide the AI without overwhelming it. Break large tasks into smaller ones versus keeping everything in one large prompt. Plan first in read-only mode, then execute and iterate continuously.
“I’ve heard a lot about writing good specs for AI agents, but haven’t found a solid framework yet. I could write a spec that rivals an RFC, but at some point the context is too large and the model breaks down.”
Many developers share this frustration. Simply throwing a massive spec at an AI agent doesn’t work—context window limits and the model’s “attention budget” get in the way. The key is to write smart specs: documents that guide the agent clearly, stay within practical context sizes, and evolve with the project. This guide distills best practices from my use of coding agents including Claude Code and Gemini CLI into a framework for spec-writing that keeps your AI agents focused and productive.
We’ll cover five principles for great AI agent specs, each starting with a bolded takeaway.
1. Start with a High-Level Vision and Let the AI Draft the Details
Kick off your project with a concise high-level spec, then have the AI expand it into a detailed plan.
Instead of overengineering upfront, begin with a clear goal statement and a few core requirements. Treat this as a “product brief” and let the agent generate a more elaborate spec from it. This leverages the AI’s strength in elaboration while you maintain control of the direction. This works well unless you already feel you have very specific technical requirements that must be met from the start.
Why this works: LLM-based agents excel at fleshing out details when given a solid high-level directive, but they need a clear mission to avoid drifting off course. By providing a short outline or objective description and asking the AI to produce a full specification (e.g., a spec.md), you create a persistent reference for the agent. Planning in advance matters even more with an agent: You can iterate on the plan first, then hand it off to the agent to write the code. The spec becomes the first artifact you and the AI build together.
Practical approach: Start a new coding session by prompting
You are an AI software engineer. Draft a detailed
specification for
[project X] covering objectives, features, constraints, and a
step-by-step plan.
Keep your initial prompt high-level: e.g., “Build a web app
where users can
track tasks (to-do list), with user accounts, a database, and a
simple UI.”
The agent might respond with a structured draft spec: an overview, feature list, tech stack suggestions, data model, and so on. This spec then becomes the “source of truth” that both you and the agent can refer back to. GitHub’s AI team promotes spec-driven development where “specs become the shared source of truth…living, executable artifacts that evolve with the project.” Before writing any code, review and refine the AI’s spec. Make sure it aligns with your vision and correct any hallucinations or off-target details.
Use Plan Mode to enforce planning-first: Tools like Claude Code offer a Plan Mode that restricts the agent to read-only operations—it can analyze your codebase and create detailed plans but won’t write any code until you’re ready. This is ideal for the planning phase: Start in Plan Mode (Shift+Tab in Claude Code), describe what you want to build, and let the agent draft a spec while exploring your existing code. Ask it to clarify ambiguities by questioning you about the plan. Have it review the plan for architecture, best practices, security risks, and testing strategy. The goal is to refine the plan until there’s no room for misinterpretation. Only then do you exit Plan Mode and let the agent execute. This workflow prevents the common trap of jumping straight into code generation before the spec is solid.
Use the spec as context: Once approved, save this spec (e.g., as SPEC.md) and feed relevant sections into the agent as needed. Many developers using a strong model do exactly this. The spec file persists between sessions, anchoring the AI whenever work resumes on the project. This mitigates the forgetfulness that can happen when the conversation history gets too long or when you have to restart an agent. It’s akin to how one would use a product requirements document (PRD) in a team: a reference that everyone (human or AI) can consult to stay on track. Experienced folks often “write good documentation first and the model may be able to build the matching implementation from that input alone” as one engineer observed. The spec is that documentation.
Keep it goal oriented: A high-level spec for an AI agent should focus on what and why more than the nitty-gritty how (at least initially). Think of it like the user story and acceptance criteria: Who is the user? What do they need? What does success look like? (For example, “User can add, edit, complete tasks; data is saved persistently; the app is responsive and secure.”) This keeps the AI’s detailed spec grounded in user needs and outcome, not just technical to-dos. As the GitHub Spec Kit docs put it, provide a high-level description of what you’re building and why, and let the coding agent generate a detailed specification focusing on user experience and success criteria. Starting with this big-picture vision prevents the agent from losing sight of the forest for the trees when it later gets into coding.
2. Structure the Spec Like a Professional PRD (or SRS)
Treat your AI spec as a structured document (PRD) with clear sections, not a loose pile of notes.
Many developers treat specs for agents much like traditional product requirement documents (PRDs) or system design docs: comprehensive, well-organized, and easy for a “literal-minded” AI to parse. This formal approach gives the agent a blueprint to follow and reduces ambiguity.
The six core areas
GitHub’s analysis of over 2,500 agent configuration files revealed a clear pattern: The most effective specs cover six areas. Use this as a checklist for completeness:
- Commands: Put executable commands
early—not just tool names but full commands with flags:
npm test,pytest -v,npm run build. The agent will reference these constantly. - Testing: How to run tests, what framework you use, where test files live, and what coverage expectations exist.
- Project structure: Where source code lives,
where tests go, where docs belong. Be explicit:
“
src/for application code,tests/for unit tests,docs/for documentation.” - Code style: One real code snippet showing your style beats three paragraphs describing it. Include naming conventions, formatting rules, and examples of good output.
- Git workflow: Branch naming, commit message format, PR requirements. The agent can follow these if you spell them out.
- Boundaries: What the agent should never touch—secrets, vendor directories, production configs, specific folders. “Never commit secrets” was the single most common helpful constraint in the GitHub study.
Be specific about your stack: Say “React 18 with TypeScript, Vite, and Tailwind CSS,” not “React project.” Include versions and key dependencies. Vague specs produce vague code.
Use a consistent format: Clarity is king. Many devs use Markdown headings or even XML-like tags in the spec to delineate sections because AI models handle well-structured text better than free-form prose. For example, you might structure the spec as:
# Project Spec: My team's tasks app
## Objective
- Build a web app for small teams to manage tasks...
## Tech Stack
- React 18+, TypeScript, Vite, Tailwind CSS
- Node.js/Express backend, PostgreSQL, Prisma ORM
## Commands
- Build: `npm run build` (compiles TypeScript, outputs to dist/)
- Test: `npm test` (runs Jest, must pass before commits)
- Lint: `npm run lint --fix` (auto-fixes ESLint errors)
## Project Structure
- `src/` – Application source code
- `tests/` – Unit and integration tests
- `docs/` – Documentation
## Boundaries
- ✅ Always: Run tests before commits, follow naming conventions
- ⚠ Ask first: Database schema changes, adding dependencies
- 🚫 Never: Commit secrets, edit node_modules/, modify CI config
This level of organization not only helps you think clearly but also helps the AI find information. Anthropic engineers recommend organizing prompts into distinct sections (like <background>, <instructions>, <tools>, <output_format> etc.) for exactly this reason: It gives the model strong cues about which info is which. And remember, “minimal does not necessarily mean short”—don’t shy away from detail in the spec if it matters, but keep it focused.
Integrate specs into your toolchain: Treat specs as “executable artifacts” tied to version control and CI/CD. The GitHub Spec Kit uses a four-phase gated workflow that makes your specification the center of your engineering process. Instead of writing a spec and setting it aside, the spec drives the implementation, checklists, and task breakdowns. Your primary role is to steer; the coding agent does the bulk of the writing. Each phase has a specific job, and you don’t move to the next one until the current task is fully validated:
1. Specify: You provide a high-level description of what you’re building and why, and the coding agent generates a detailed specification. This isn’t about technical stacks or app design—it’s about user journeys, experiences, and what success looks like. Who will use this? What problem does it solve? How will they interact with it? Think of it as mapping the user experience you want to create, and letting the coding agent flesh out the details. This becomes a living artifact that evolves as you learn more.
2. Plan: Now you get technical. You provide your desired stack, architecture, and constraints, and the coding agent generates a comprehensive technical plan. If your company standardizes on certain technologies, this is where you say so. If you’re integrating with legacy systems or have compliance requirements, all of that goes here. You can ask for multiple plan variations to compare approaches. If you make internal docs available, the agent can integrate your architectural patterns directly into the plan.
3. Tasks: The coding agent takes the spec and plan and breaks them into actual work—small, reviewable chunks that each solve a specific piece of the puzzle. Each task should be something you can implement and test in isolation, almost like test-driven development for your AI agent. Instead of “build authentication,” you get concrete tasks like “create a user registration endpoint that validates email format.”
4. Implement: Your coding agent tackles tasks one by one (or in parallel). Instead of reviewing thousand-line code dumps, you review focused changes that solve specific problems. The agent knows what to build (specification), how to build it (plan), and what to work on (task). Crucially, your role is to verify at each phase: Does the spec capture what you want? Does the plan account for constraints? Are there edge cases the AI missed? The process builds in checkpoints for you to critique, spot gaps, and course-correct before moving forward.
This gated workflow prevents what Willison calls “house of cards code”: fragile AI outputs that collapse under scrutiny. Anthropic’s Skills system offers a similar pattern, letting you define reusable Markdown-based behaviors that agents invoke. By embedding your spec in these workflows, you ensure the agent can’t proceed until the spec is validated, and changes propagate automatically to task breakdowns and tests.
Consider agents.md for specialized personas: For tools like GitHub Copilot, you can create agents.md files that define specialized agent personas—a @docs-agent for technical writing, a @test-agent for QA, a @security-agent for code review. Each file acts as a focused spec for that persona’s behavior, commands, and boundaries. This is particularly useful when you want different agents for different tasks rather than one general-purpose assistant.
Design for agent experience (AX): Just as we design APIs for developer experience (DX), consider designing specs for “agent experience.” This means clean, parseable formats: OpenAPI schemas for any APIs the agent will consume, llms.txt files that summarize documentation for LLM consumption, and explicit type definitions. The Agentic AI Foundation (AAIF) is standardizing protocols like MCP (Model Context Protocol) for tool integration. Specs that follow these patterns are easier for agents to consume and act on reliably.
PRD versus SRS mindset: It helps to borrow from established documentation practices. For AI agent specs, you’ll often blend these into one document (as illustrated above), but covering both angles serves you well. Writing it like a PRD ensures you include user-centric context (“the why behind each feature”) so the AI doesn’t optimize for the wrong thing. Expanding it like an SRS ensures you nail down the specifics the AI will need to actually generate correct code (like what database or API to use). Developers have found that this extra upfront effort pays off by drastically reducing miscommunications with the agent later.
Make the spec a “living document”: Don’t write it and forget it. Update the spec as you and the agent make decisions or discover new info. If the AI had to change the data model or you decided to cut a feature, reflect that in the spec so it remains the ground truth. Think of it as version-controlled documentation. In spec-driven workflows, the spec drives implementation, tests, and task breakdowns, and you don’t move to coding until the spec is validated. This habit keeps the project coherent, especially if you or the agent step away and come back later. Remember, the spec isn’t just for the AI—it helps you as the developer maintain oversight and ensure the AI’s work meets the real requirements.
3. Break Tasks into Modular Prompts and Context, Not One Big Prompt
Divide and conquer: Give the AI one focused task at a time rather than a monolithic prompt with everything at once.
Experienced AI engineers have learned that trying to stuff the entire project (all requirements, all code, all instructions) into a single prompt or agent message is a recipe for confusion. Not only do you risk hitting token limits; you also risk the model losing focus due to the “curse of instructions”—too many directives causing it to follow none of them well. The solution is to design your spec and workflow in a modular way, tackling one piece at a time and pulling in only the context needed for that piece.
The curse of too much context/instructions: Research has confirmed what many devs anecdotally saw: as you pile on more instructions or data into the prompt, the model’s performance in adhering to each one drops significantly. One study dubbed this the “curse of instructions”, showing that even GPT-4 and Claude struggle when asked to satisfy many requirements simultaneously. In practical terms, if you present 10 bullet points of detailed rules, the AI might obey the first few and start overlooking others. The better strategy is iterative focus. Guidelines from industry suggest decomposing complex requirements into sequential, simple instructions as a best practice. Focus the AI on one subproblem at a time, get that done, then move on. This keeps the quality high and errors manageable.
Divide the spec into phases or components: If your spec document is very long or covers a lot of ground, consider splitting it into parts (either physically separate files or clearly separate sections). For example, you might have a section for “backend API spec” and another for “frontend UI spec.” You don’t need to always feed the frontend spec to the AI when it’s working on the backend, and vice versa. Many devs using multi-agent setups even create separate agents or subprocesses for each part (e.g., one agent works on database/schema, another on API logic, another on frontend—each with the relevant slice of the spec). Even if you use a single agent, you can emulate this by copying only the relevant spec section into the prompt for that task. Avoid context overload: Don’t mix authentication tasks with database schema changes in one go, as the DigitalOcean AI guide warns. Keep each prompt tightly scoped to the current goal.
Extended TOC/summaries for large specs: One clever technique is to have the agent build an extended table of contents with summaries for the spec. This is essentially a “spec summary” that condenses each section into a few key points or keywords, and references where details can be found. For example, if your full spec has a section on security requirements spanning 500 words, you might have the agent summarize it to: “Security: Use HTTPS, protect API keys, implement input validation (see full spec §4.2).” By creating a hierarchical summary in the planning phase, you get a bird’s-eye view that can stay in the prompt, while the fine details remain offloaded unless needed. This extended TOC acts as an index: The agent can consult it and say, “Aha, there’s a security section I should look at,” and you can then provide that section on demand. It’s similar to how a human developer skims an outline and then flips to the relevant page of a spec document when working on a specific part.
To implement this, you can prompt the agent after writing the spec: “Summarize the spec above into a very concise outline with each section’s key points and a reference tag.” The result might be a list of sections with one or two sentence summaries. That summary can be kept in the system or assistant message to guide the agent’s focus without eating up too many tokens. This hierarchical summarization approach is known to help LLMs maintain long-term context by focusing on the high-level structure. The agent carries a “mental map” of the spec.
Utilize subagents or “skills” for different spec parts: Another advanced approach is using multiple specialized agents (what Anthropic calls subagents or what you might call “skills”). Each subagent is configured for a specific area of expertise and given the portion of the spec relevant to that area. For instance, you might have a database designer subagent that only knows about the data model section of the spec, and an API coder subagent that knows the API endpoints spec. The main agent (or an orchestrator) can route tasks to the appropriate subagent automatically.
The benefit is each agent has a smaller context window to deal with and a more focused role, which can boost accuracy and allow parallel work on independent tasks. Anthropic’s Claude Code supports this by letting you define subagents with their own system prompts and tools. “Each subagent has a specific purpose and expertise area, uses its own context window separate from the main conversation, and has a custom system prompt guiding its behavior,” as their docs describe. When a task comes up that matches a subagent’s domain, Claude can delegate that task to it, with the subagent returning results independently.
Parallel agents for throughput: Running multiple agents simultaneously is emerging as “the next big thing” for developer productivity. Rather than waiting for one agent to finish before starting another task, you can spin up parallel agents for non-overlapping work. Willison describes this as “embracing parallel coding agents” and notes it’s “surprisingly effective, if mentally exhausting.” The key is scoping tasks so agents don’t step on each other: One agent codes a feature while another writes tests, or separate components get built concurrently. Orchestration frameworks like LangGraph or OpenAI Swarm can help coordinate these agents, and shared memory via vector databases (like Chroma) lets them access common context without redundant prompting.
Single versus multi-agent: When to use each
| Single agent parallel | Multi-agent | |
| Strengths | Simpler setup; lower overhead; easier to debug and follow | Higher throughput; handles complex interdependencies; specialists per domain |
| Challenges | Context overload on big projects; slower iteration; single point of failure | Coordination overhead; potential conflicts; needs shared memory (e.g., vector DBs) |
| Best for | Isolated modules; small-to-medium projects; early prototyping | Large codebases; one codes + one tests + one reviews; independent features |
| Tips | Use spec summaries; refresh context per task; start fresh sessions often | Limit to 2–3 agents initially; use MCP for tool sharing; define clear boundaries |
In practice, using subagents or skill-specific prompts might look like: You maintain multiple spec files (or prompt templates)—e.g., SPEC_backend.md, SPEC_frontend.md—and you tell the AI, “For backend tasks, refer to SPEC_backend; for frontend tasks refer to SPEC_frontend.” Or in a tool like Cursor/Claude, you actually spin up a subagent for each. This is certainly more complex to set up than a single-agent loop, but it mimics what human developers do: We mentally compartmentalize a large spec into relevant chunks. (You don’t keep the whole 50-page spec in your head at once; you recall the part you need for the task at hand, and have a general sense of the overall architecture.) The challenge, as noted, is managing interdependencies: The subagents must still coordinate. (The frontend needs to know the API contract from the backend spec, etc.) A central overview (or an “architect” agent) can help by referencing the subspecs and ensuring consistency.
Focus each prompt on one task/section: Even without fancy multi-agent setups, you can manually enforce modularity. For example, after the spec is written, your next move might be: “Step 1: Implement the database schema.” You feed the agent the database section of the spec only, plus any global constraints from the spec (like tech stack). The agent works on that. Then for Step 2, “Now implement the authentication feature”, you provide the auth section of the spec and maybe the relevant parts of the schema if needed. By refreshing the context for each major task, you ensure the model isn’t carrying a lot of stale or irrelevant information that could distract it. As one guide suggests: “Start fresh: begin new sessions to clear context when switching between major features.” You can always remind the agent of critical global rules (from the spec’s constraints section) each time, but don’t shove the entire spec in if it’s not all needed.
Use in-line directives and code TODOs: Another modularity trick is to use your code or spec as an active part of the conversation. For instance, scaffold your code with // TODO comments that describe what needs to be done, and have the agent fill them one by one. Each TODO essentially acts as a mini-spec for a small task. This keeps the AI laser focused (“implement this specific function according to this spec snippet”), and you can iterate in a tight loop. It’s similar to giving the AI a checklist item to complete rather than the whole checklist at once.
The bottom line: Small, focused context beats one giant prompt. This improves quality and keeps the AI from getting “overwhelmed” by too much at once. As one set of best practices sums up, provide “One Task Focus” and “Relevant info only” to the model, and avoid dumping everything everywhere. By structuring the work into modules—and using strategies like spec summaries or subspec agents—you’ll navigate around context size limits and the AI’s short-term memory cap. Remember, a well-fed AI is like a well-fed function: Give it only the inputs it needs for the job at hand.
4. Build in Self-Checks, Constraints, and Human Expertise
Make your spec not just a to-do list for the agent but also a guide for quality control—and don’t be afraid to inject your own expertise.
A good spec for an AI agent anticipates where the AI might go wrong and sets up guardrails. It also takes advantage of what you know (domain knowledge, edge cases, “gotchas”) so the AI doesn’t operate in a vacuum. Think of the spec as both coach and referee for the AI: It should encourage the right approach and call out fouls.
Use three-tier boundaries: GitHub’s analysis of 2,500+ agent files found that the most effective specs use a three-tier boundary system rather than a simple list of don’ts. This gives the agent clearer guidance on when to proceed, when to pause, and when to stop:
Always do: Actions the agent should take
without asking. “Always run tests before commits.”
“Always follow the naming conventions in the style
guide.” “Always log errors to the monitoring
service.”
Ask first: Actions that require human
approval. “Ask before modifying database schemas.”
“Ask before adding new dependencies.” “Ask before
changing CI/CD configuration.” This tier catches high-impact
changes that might be fine but warrant a human check.
Never do: Hard stops. “Never commit
secrets or API keys.” “Never edit node_modules/ or
vendor/.” “Never remove a failing test without explicit
approval.” “Never commit secrets” was the single
most common helpful constraint in the study.
This three-tier approach is more nuanced than a flat list of rules. It acknowledges that some actions are always safe, some need oversight, and some are categorically off-limits. The agent can proceed confidently on “Always” items, flag “Ask first” items for review, and hard-stop on “Never” items.
Encourage self-verification: One powerful pattern is to have the agent verify its work against the spec automatically. If your tooling allows, you can integrate checks like unit tests or linting that the AI can run after generating code. But even at the spec/prompt level, you can instruct the AI to double-check (e.g., “After implementing, compare the result with the spec and confirm all requirements are met. List any spec items that are not addressed.”). This pushes the LLM to reflect on its output relative to the spec, catching omissions. It’s a form of self-audit built into the process.
For instance, you might append to a prompt: “(After writing the function, review the above requirements list and ensure each is satisfied, marking any missing ones).” The model will then (ideally) output the code followed by a short checklist indicating if it met each requirement. This reduces the chance it forgets something before you even run tests. It’s not foolproof, but it helps.
LLM-as-a-Judge for subjective checks: For criteria that are hard to test automatically—code style, readability, adherence to architectural patterns—consider using “LLM-as-a-Judge.” This means having a second agent (or a separate prompt) review the first agent’s output against your spec’s quality guidelines. Anthropic and others have found this effective for subjective evaluation. You might prompt “Review this code for adherence to our style guide. Flag any violations.” The judge agent returns feedback that either gets incorporated or triggers a revision. This adds a layer of semantic evaluation beyond syntax checks.
Conformance testing: Willison advocates building conformance suites—language-independent tests (often YAML based) that any implementation must pass. These act as a contract: If you’re building an API, the conformance suite specifies expected inputs/outputs, and the agent’s code must satisfy all cases. This is more rigorous than ad hoc unit tests because it’s derived directly from the spec and can be reused across implementations. Include conformance criteria in your spec’s success section (e.g., “Must pass all cases in conformance/api-tests.yaml”).
Leverage testing in the spec: If possible, incorporate a test plan or even actual tests in your spec and prompt flow. In traditional development, we use TDD or write test cases to clarify requirements—you can do the same with AI. For example, in the spec’s success criteria, you might say, “These sample inputs should produce these outputs…” or “The following unit tests should pass.” The agent can be prompted to run through those cases in its head or actually execute them if it has that capability. Willison noted that having a robust test suite is like giving the agents superpowers: They can validate and iterate quickly when tests fail. In an AI coding context, writing a bit of pseudocode for tests or expected outcomes in the spec can guide the agent’s implementation. Additionally, you can use a dedicated “test agent” in a subagent setup that takes the spec’s criteria and continuously verifies the “code agent’s” output.
Bring your domain knowledge: Your spec should reflect insights that only an experienced developer or someone with context would know. For example, if you’re building an ecommerce agent and you know that “products” and “categories” have a many-to-many relationship, state that clearly. (Don’t assume the AI will infer it—it might not.) If a certain library is notoriously tricky, mention pitfalls to avoid. Essentially, pour your mentorship into the spec. The spec can contain advice like “If using library X, watch out for memory leak issue in version Y (apply workaround Z).” This level of detail is what turns an average AI output into a truly robust solution, because you’ve steered the AI away from common traps.
Also, if you have preferences or style guidelines (say, “use functional components over class components in React”), encode that in the spec. The AI will then emulate your style. Many engineers even include small examples in the spec (for instance, “All API responses should be JSON, e.g., {“error”: “message”} for errors.”). By giving a quick example, you anchor the AI to the exact format you want.
Minimalism for simple tasks: While we advocate thorough specs, part of expertise is knowing when to keep it simple. For relatively simple, isolated tasks, an overbearing spec can actually confuse more than help. If you’re asking the agent to do something straightforward (like “center a div on the page”), you might just say, “Make sure to keep the solution concise and do not add extraneous markup or styles.” No need for a full PRD there. Conversely, for complex tasks (like “implement an OAuth flow with token refresh and error handling”), that’s when you break out the detailed spec. A good rule of thumb: Adjust spec detail to task complexity. Don’t underspec a hard problem (the agent will flail or go off-track), but don’t overspec a trivial one (the agent might get tangled or use up context on unnecessary instructions).
Maintain the AI’s “persona” if needed: Sometimes, part of your spec is defining how the agent should behave or respond, especially if the agent interacts with users. For example, if building a customer support agent, your spec might include guidelines like “Use a friendly and professional tone” and “If you don’t know the answer, ask for clarification or offer to follow up rather than guessing.” These kinds of rules (often included in system prompts) help keep the AI’s outputs aligned with expectations. They are essentially spec items for AI behavior. Keep them consistent and remind the model of them if needed in long sessions. (LLMs can “drift” in style over time if not kept on a leash.)
You remain the exec in the loop: The spec empowers the agent, but you remain the ultimate quality filter. If the agent produces something that technically meets the spec but doesn’t feel right, trust your judgement. Either refine the spec or directly adjust the output. The great thing about AI agents is they don’t get offended—if they deliver a design that’s off, you can say, “Actually, that’s not what I intended, let’s clarify the spec and redo it.” The spec is a living artifact in collaboration with the AI, not a one-time contract you can’t change.
Simon Willison humorously likened working with AI agents to “a very weird form of management” and even “getting good results out of a coding agent feels uncomfortably close to managing a human intern.” You need to provide clear instructions (the spec), ensure they have the necessary context (the spec and relevant data), and give actionable feedback. The spec sets the stage, but monitoring and feedback during execution are key. If an AI was a “weird digital intern who will absolutely cheat if you give them a chance,” the spec and constraints you write are how you prevent that cheating and keep them on task.
Here’s the payoff: A good spec doesn’t just tell the AI what to build; it also helps it self-correct and stay within safe boundaries. By baking in verification steps, constraints, and your hard-earned knowledge, you drastically increase the odds that the agent’s output is correct on the first try (or at least much closer to correct). This reduces iterations and those “Why on Earth did it do that?” moments.
5. Test, Iterate, and Evolve the Spec (and Use the Right Tools)
Think of spec writing and agent building as an iterative loop: test early, gather feedback, refine the spec, and leverage tools to automate checks.
The initial spec is not the end—it’s the beginning of a cycle. The best outcomes come when you continually verify the agent’s work against the spec and adjust accordingly. Also, modern AI devs use various tools to support this process (from CI pipelines to context management utilities).
Continuous testing: Don’t wait until the end to see if the agent met the spec. After each major milestone or even each function, run tests or at least do quick manual checks. If something fails, update the spec or prompt before proceeding. For example, if the spec said, “Passwords must be hashed with bcrypt” and you see the agent’s code storing plain text, stop and correct it (and remind the spec or prompt about the rule). Automated tests shine here: If you provided tests (or write them as you go), let the agent run them. In many coding agent setups, you can have an agent run npm test or similar after finishing a task. The results (failures) can then feed back into the next prompt, effectively telling the agent “Your output didn’t meet spec on X, Y, Z—fix it.” This kind of agentic loop (code > test > fix > repeat) is extremely powerful and is how tools like Claude Code or Copilot Labs are evolving to handle larger tasks. Always define what “done” means (via tests or criteria) and check for it.
Iterate on the spec itself: If you discover that the spec was incomplete or unclear (maybe the agent misunderstood something or you realized you missed a requirement), update the spec document. Then explicitly resync the agent with the new spec: “I have updated the spec as follows… Given the updated spec, adjust the plan or refactor the code accordingly.” This way the spec remains the single source of truth. It’s similar to how we handle changing requirements in normal dev, but in this case you’re also the product manager for your AI agent. Keep version history if possible (even just via commit messages or notes), so you know what changed and why.
Utilize context management and memory tools: There’s a growing ecosystem of tools to help manage AI agent context and knowledge. For instance, retrieval-augmented generation (RAG) is a pattern where the agent can pull in relevant chunks of data from a knowledge base (like a vector database) on the fly. If your spec is huge, you could embed sections of it and let the agent retrieve the most relevant parts when needed, instead of always providing the whole thing. There are also frameworks implementing the Model Context Protocol (MCP), which automates feeding the right context to the model based on the current task. One example is Context7 (context7.com), which can auto-fetch relevant context snippets from docs based on what you’re working on. In practice, this might mean the agent notices you’re working on “payment processing” and it pulls the payments section of your spec or documentation into the prompt. Consider leveraging such tools or setting up a rudimentary version (even a simple search in your spec document).
Parallelize carefully: Some developers run multiple agent instances in parallel on different tasks (as mentioned earlier with subagents). This can speed up development (e.g., one agent generates code while another simultaneously writes tests, or two features are built concurrently). If you go this route, ensure the tasks are truly independent or clearly separated to avoid conflicts. (The spec should note any dependencies.) For example, don’t have two agents writing to the same file at once. One workflow is to have an agent generate code and another review it in parallel, or to have separate components built that integrate later. This is advanced usage and can be mentally taxing to manage. (As Willison admitted, running multiple agents is surprisingly effective, if mentally exhausting!) Start with at most 2–3 agents to keep things manageable.
Version control and spec locks: Use Git or your version control of choice to track what the agent does. Good version control habits matter even more with AI assistance. Commit the spec file itself to the repo. This not only preserves history, but the agent can even use git diff or blame to understand changes. (LLMs are quite capable of reading diffs.) Some advanced agent setups let the agent query the VCS history to see when something was introduced—surprisingly, models can be “fiercely competent at Git.” By keeping your spec in the repo, you allow both you and the AI to track evolution. There are tools (like GitHub Spec Kit mentioned earlier) that integrate spec-driven development into the Git workflow—for instance, gating merges on updated specs or generating checklists from spec items. While you don’t need those tools to succeed, the takeaway is to treat the spec like code: Maintain it diligently.
Cost and speed considerations: Working with large models and long contexts can be slow and expensive. A practical tip is to use model selection and batching smartly. Perhaps use a cheaper/faster model for initial drafts or repetitions, and reserve the most capable (and expensive) model for final outputs or complex reasoning. Some developers use GPT-4 or Claude for planning and critical steps, but offload simpler expansions or refactors to a local model or a smaller API model. If using multiple agents, maybe not all need to be top tier; a test-running agent or a linter agent could be a smaller model. Also consider throttling context size: Don’t feed 20K tokens if 5K will do. As we discussed, more tokens can mean diminishing returns.
Monitor and log everything: In complex agent workflows, logging the agent’s actions and outputs is essential. Check the logs to see if the agent is deviating or encountering errors. Many frameworks provide trace logs or allow printing the agent’s chain of thought (especially if you prompt it to think step-by-step). Reviewing these logs can highlight where the spec or instructions might have been misinterpreted. It’s not unlike debugging a program—except the “program” is the conversation/prompt chain. If something weird happens, go back to the spec/instructions to see if there was ambiguity.
Learn and improve: Finally, treat each project as a learning opportunity to refine your spec-writing skill. Maybe you’ll discover that a certain phrasing consistently confuses the AI, or that organizing spec sections in a certain way yields better adherence. Incorporate those lessons into the next spec. The field of AI agents is rapidly evolving, so new best practices (and tools) emerge constantly. Stay updated via blogs (like the ones by Simon Willison, Andrej Karpathy, etc.), and don’t hesitate to experiment.
A spec for an AI agent isn’t “write once, done.” It’s part of a continuous cycle of instructing, verifying, and refining. The payoff for this diligence is substantial: By catching issues early and keeping the agent aligned, you avoid costly rewrites or failures later. As one AI engineer quipped, using these practices can feel like having “an army of interns” working for you, but you have to manage them well. A good spec, continuously maintained, is your management tool.
Avoid Common Pitfalls
Before wrapping up, it’s worth calling out antipatterns that can derail even well-intentioned spec-driven workflows. The GitHub study of 2,500+ agent files revealed a stark divide: “Most agent files fail because they’re too vague.” Here are the mistakes to avoid:
Vague prompts: “Build me something cool” or “Make it work better” gives the agent nothing to anchor on. As Baptiste Studer puts it: “Vague prompts mean wrong results.” Be specific about inputs, outputs, and constraints. “You are a helpful coding assistant” doesn’t work. “You are a test engineer who writes tests for React components, follows these examples, and never modifies source code” does.
Overlong contexts without summarization: Dumping 50 pages of documentation into a prompt and hoping the model figures it out rarely works. Use hierarchical summaries (as discussed in principle 3) or RAG to surface only what’s relevant. Context length is not a substitute for context quality.
Skipping human review: Willison has a personal rule—“I won’t commit code I couldn’t explain to someone else.” Just because the agent produced something that passes tests doesn’t mean it’s correct, secure, or maintainable. Always review critical code paths. The “house of cards” metaphor applies: AI-generated code can look solid but collapse under edge cases you didn’t test.
Conflating vibe coding with production engineering: Rapid prototyping with AI (“vibe coding”) is great for exploration and throwaway projects. But shipping that code to production without rigorous specs, tests, and review is asking for trouble. I distinguish “vibe coding” from “AI-assisted engineering”—the latter requires the discipline this guide describes. Know which mode you’re in.
Ignoring the “lethal trifecta”: Willison warns of three properties that make AI agents dangerous: speed (they work faster than you can review), nondeterminism (same input, different outputs), and cost (encouraging corner cutting on verification). Your spec and review process must account for all three. Don’t let speed outpace your ability to verify.
Missing the six core areas: If your spec doesn’t cover commands, testing, project structure, code style, git workflow, and boundaries, you’re likely missing something the agent needs. Use the six-area checklist from section 2 as a sanity check before handing off to the agent.
Conclusion
Writing an effective spec for AI coding agents requires solid software engineering principles combined with adaptation to LLM quirks. Start with clarity of purpose and let the AI help expand the plan. Structure the spec like a serious design document, covering the six core areas and integrating it into your toolchain so it becomes an executable artifact, not just prose. Keep the agent’s focus tight by feeding it one piece of the puzzle at a time (and consider clever tactics like summary TOCs, subagents, or parallel orchestration to handle big specs). Anticipate pitfalls by including three-tier boundaries (always/ask first/never), self-checks, and conformance tests—essentially, teach the AI how to not fail. And treat the whole process as iterative: use tests and feedback to refine both the spec and the code continuously.
Follow these guidelines and your AI agent will be far less likely to “break down” under large contexts or wander off into nonsense.
Happy spec-writing!
| On March 26, join Addy and Tim O’Reilly at AI Codecon: Software Craftsmanship in the Age of AI, where an all-star lineup of experts will go deeper into orchestration, agent coordination, and the new skills developers need to build excellent software that creates value for all participants. Sign up for free here. |
09:28
“Hide competitive stats” [Seth's Blog]
I’ve been playing an online wordgame for a few months, and after each round, it shows me how well I’m doing against the 10,000 other people who are also playing.
It didn’t take long for me to realize that the stats weren’t improving my mood (a really good play had me ranking #398) and the competition was also turning into a habit.
Once I found the hide button, everything got better.
Sometimes, the competitive stats aren’t there to help you. They’re there to support the system and the people who run it.
09:00
Royally Flushed [Penny Arcade]
New Comic: Royally Flushed
08:14
The Campaign: Running, p07 [Ctrl+Alt+Del Comic]
The post The Campaign: Running, p07 appeared first on Ctrl+Alt+Del Comic.
06:35
Girl Genius for Friday, February 20, 2026 [Girl Genius]
The Girl Genius comic for Friday, February 20, 2026 has been posted.
01:07
EFF’s Policy on LLM-Assisted Contributions to Our Open-Source Projects [Deeplinks]
We recently introduced a policy governing large language model (LLM) assisted contributions to EFF's open-source projects. At EFF, we strive to produce high quality software tools, rather than simply generating more lines of code in less time. We now explicitly require that contributors understand the code they submit to us and that comments and documentation be authored by a human.
LLMs excel at producing code that looks mostly human generated, but can often have underlying bugs that can be replicated at scale. This makes LLM-generated code exhausting to review, especially with smaller, less resourced teams. LLMs make it easy for well-intentioned people to submit code that may suffer from hallucination, omission, exaggeration, or misrepresentation.
It is with this in mind that we introduce a new policy on submitting LLM-assisted contributions to our open-source projects. We want to ensure that our maintainers spend their time reviewing well thought out submissions. We do not completely outright ban LLMs, as their use has become so pervasive a blanket ban is impractical to enforce.
Banning a tool is against our general ethos, but this class of tools comes with an ecosystem of problems. This includes issues with code reviews turning into code refactors for our maintainers if the contributor doesn’t understand the code they submitted. Or the sheer scale of contributions that could come in as AI generated code but is only marginally useful or potentially unreviewable. By disclosing when you use LLM tools, you help us spend our time wisely.
EFF has described how extending copyright is an impractical solution to the problem of AI generated content, but it is worth mentioning that these tools raise privacy, censorship, ethical, and climatic concerns for many. These issues are largely a continuation of tech companies’ harmful practices that led us to this point. LLM generated code isn’t written on a clean slate, but born out of a climate of companies speedrunning their profits over people. We are once again in “just trust us” territory of Big Tech being obtuse about the power it wields. We are strong advocates of using tools to innovate and come up with new ideas. However, we ask you to come to our projects knowing how to use them safely.
00:21
The 2 Line in Seattle Is Just a Simulation, for Now [The Stranger]
On February 14, Sound Transit started running the 2 Line in Seattle, but only between Lynnwood and Chinatown-International District. Its cross-lake connection will commence on March 28. by Charles Mudede
Have you been on the 1 Line this week? If so, you might have seen a little Easter egg on the schedule board: the 2 Line.
On February 14, Sound Transit started running the 2 Line in Seattle, but only between Lynnwood and Chinatown-International District. Its cross-lake connection will commence on March 28. Nevertheless the "practice run" to Chinatown-International District is causing some confusion and, in some cases, consternation. But what's the fuss all about? It's a transitional moment to what might be the biggest public transportation event since the Capitol Hill Station opened nearly a decade ago. And to be honest, all of the busiest stations on L1 are located between Northgate and Westlake. But, yes, it's not really the 2 Line, but the train says it is (I’m what I’m)—so, when riding it, as I did on February 16 and 18, you’re feeling the near future by way of the simulated mood of the 2.
There’s a real benefit for riders with this “practice run”: it really adds an extra train to key stations on the line. Look for yourself: If, say, you leave U District Station (after grabbing a gyro at Cedars of Lebanon) and want to get to Capitol Hill Station (where you will down a quick drink at Post Pike and Cafe), there is now a train running every 3 to 4 minutes. This is the kind of frequency that the riders of Vancouver BC’s automated SkyTrain enjoy.
So, now it goes like this: You enter the station, and as you approach the platform, you see the train is already there and about to close its doors and depart. You think about running–but it’s too late. Its doors close. It begins moving. Before February 14, feeling the whole world was against you when this happened made total sense, because every train on 1 Line had 10 minutes or more on it. But now with 2 Line you can sing to yourself these words, which are popular in African countries like Botswana and in some movie about lions that don’t eat their subjects: “hakuna matata.”
There will be another train in a couple of minutes. So, chill and think about some idea in a book that impressed you. Before that the thought is completed, “whoomp! There it is.” The train to take you to where you want to be.
Guest Rant: The Millionaires’ Tax Gives Corporations a (Tax) Break [The Stranger]
If you live in the 37th (Southeast Seattle), the 36th (Northwest Seattle), or the 43rd (Central Seattle) Legislative Districts, it’s more important than ever to show up this Saturday and make your legislators explain why they’re giving big business a break while our social programs wither. by Fatema Boxwala
On Monday, the millionaires’ tax bill passed the Washington state Senate and headed to the House. Great, more revenue! But there’s more to it than a 9.9 percent income tax on annual earnings above $1 million—including tax breaks for big, wealthy corporations
This week’s unexpectedly strong revenue forecast ($827 million more than projected over the next two years) coincides with town halls across the state. If you live in the 37th (Southeast Seattle), the 36th (Northwest Seattle), or the 43rd (Central Seattle) Legislative Districts, it’s more important than ever to show up this Saturday and make your legislators explain why they’re giving big business a break while our social programs wither.
For example, the millionaires’ tax includes a tax break of over $550 million to big businesses making over $250 million. Not a single senator proposed an amendment to address this tax break and Gov. Bob Ferguson has supported it, even while decrying the absence of meaningful tax cuts for working people.
And then, right after the millionaires’ tax passed, the Senate passed SB 6347, repealing a recent increase to the estate tax. This passed with a 27-member bipartisan majority, with eleven Democrats casting a dissenting vote. Our state Senate appears to be attempting to play both sides: cutting backroom deals with big business to hand them huge giveaways while attempting to appease the majority of us who support taxing the rich.
While we will not know specific details about the proposed budget from legislators until Sunday, backlash against existing cuts to social services have painted an ugly picture of what’s at stake. In the Governor’s budget, there are roughly $800 million in cuts, including to education and healthcare.
Up to 14,000 children will lose childcare coverage thanks to cuts to our childcare subsidy program. Also on the table is a $569 million reallocation of Climate Commitment Act funding, steeply reducing state resources for climate resiliency and environmental protection. This follows the billions of dollars in cuts the state legislature approved last year, including devastating cuts to higher education and “the largest cut to abortion access in Washington history.” Still reeling from last year’s funding cuts to everything from food vouchers for working families, to subsidized child care eligibility for parents, to health care access for seniors and immigrants, we need to hear from our lawmakers what their plan is to keep that from happening again.
Fortunately, there’s still time for the House to amend the bill. House lawmakers can also reconsider HB 2100, Rep. Scott’s tax bill that mimics Seattle’s own Jumpstart tax on big corporations. As The Stranger reported last week, Rep. Scott’s payroll tax could bring in revenue by 2027, while revenue from the millionaires’ tax wouldn’t be available until 2029. (HB 2100 is currently stalled in the House Finance Committee—but as it’s a bill concerning the budget, House Democrats can choose to act on it at any point during this short session.)
So show up this Saturday and let your representatives know working Washingtonians want to tax the rich, ditch the corporate carveouts, and fully fund the social safety net.
Fatema Boxwala (she/they) is an activist, artist and computer scientist living in Seattle. She is the founder and coalition leader of Tech4Taxes, a group of tech workers advocating for progressive revenue in Washington state. Oliver Miska (any pronouns) is a political consultant with Solidarity Policy and currently under contract with Lavender Rights Project. Hannah Sabio-Howell (she/her) is the communications director of a labor rights organization in Washington, organizing with workers across sectors to raise wages, enforce labor standards, and challenge corporate influence.
Thursday, 19 February
23:35
Ticket Alert: Tame Impala, J. Cole, and More Seattle Events Going On Sale This Week [The Stranger]
Plus, Hilary Duff and More Event Updates for Thursday,
February 19
by EverOut Staff
Hey now, hey now, these tix are what dreams are made of! Psych pop-rock project Tame Impala brings special guest Dominic Fike along on a North American trek. Heavyweight MC J. Cole launches his first headlining tour in six years to support his reported final album. Plus, former Disney Channel star Hilary Duff makes her comeback with a new album and supporting world tour. Read on for details on those and other newly announced events, plus some news you can use.
ON SALE FRIDAY, FEBRUARY 20MUSIC
Aaron
Hibell
The Showbox (Fri July 10)
The
Cab
The Showbox (Thurs June 4)
Chapterhouse: Whirlpool 35
The Crocodile (Mon May 25)
22:00
Windows 11 26H1 will be Snapdragon-specific [OSnews]
As if keeping track of whatever counts as a release schedule for Windows wasn’t complicated enough – don’t lie, you don’t know when that feature they announced is actually being released either – Microsoft is making everything even more complicated. Soon, Microsoft will be releasing Windows 11 26H1, but you most likely won’t be getting it because it’s strictly limited to devices with Qualcomm’s new Snapdragon X2 Series processors.
The only way to get this version of Windows is to go out and buy a device with a Snapdragon X2 Series processor. Windows 11 26H1 will not be made available to any other Windows 11 users, so nobody will be able to upgrade to it. Furthermore, users of Windows 11 26H1 will not be able to update to the “feature update” for users of Windows 11 24H2 and 25H2, the regular Windows versions, planned for late 2026. Instead, Microsoft promises there will be an upgrade path for 26H1 users in a “future” release of Windows. Why?
Devices running Windows 11, version 26H1 will not be able to update to the next annual feature update in the second half of 2026. This is because Windows 11, version 26H1 is based on a different Windows core than Windows 11, versions 24H2 and 25H2, and the upcoming feature update. These devices will have a path to update in a future Windows release.
↫ AriaUpdated at the Windows IT Pro Blog
The same thing happened when Qualcomm releases its first round of Snapdragon processors for Windows, as Windows 24H2 was also tied to this specific platform. It seems Microsoft is forced to have entirely separate and partially incompatible codebases just to support Snapdragon processors, which must be a major pain in the ass to deal with. Considering Windows on ARM hasn’t exactly been a smashing success, one may wonder how long Microsoft remains willing to make such exceptions for a singular chip.
Pop Loser #17: Opera Singer J’Nai Bridges Shares Her Go-To Karaoke Songs [The Stranger]
Your weekly music news. by Audrey Vann
Welcome back to Pop Loser! This week, the Queer/Pride Festival lineup dropped, the Cass Elliot biopic was cast, and I have one special request from God (spoiler alert: it involves The Traitors). I’ll also share two new songs that I’m currently obsessed with, and in a new segment, Questions from the Cutting Room Floor, Grammy-winning opera singer J’Nai Bridges shares her go-to karaoke songs.
This Week in Music
The lineup for Queer/Bar’s Queer/Pride Festival has dropped with highlights like It-Girl Keke Palmer, Southern hip-hop queen JT (of City Girls), house music heavy Honey Dijon, TV personality/pop diva Erika Jayne, NYC rapper Junglepussy, and (oh my god!) reality TV legend/DJ Tiffany Pollard.
Kurt Cobain’s death continues to be investigated, 32 years later. After spending three days looking “exhaustively” at crime scene materials, an unofficial private sector team of forensic scientists claims to have found contradicting evidence to the official autopsy verdict, which ruled Cobain’s death a self-inflicted gunshot. The team claims that there was organ damage that “doesn’t happen in a shotgun death,” along with questions about the location of the shotgun shell and the unsullied nature of his hands. Following these claims, a spokesperson for the King County Medical Examiner’s Office responded, saying that they are standing by the initial autopsy ruling.
Mama has been Cas(s)t. A Cass Elliot biopic is officially in the works, starring Baby Reindeer breakout actress Jessica Gunning, who will portray the Queen of Laurel Canyon and Mamas & the Papas vocalist. The film will be adapted from the memoir My Mama, Cass, written by the singer’s only child, Owen Elliot-Kugell.
RIP Billy Steinberg. On Tuesday morning, the songwriter behind pop hits like Cyndi Lauper’s “True Colors,” Madonna’s “Like A Virgin,” and countless others died at the age of 75. It was also announced that founding member/drummer of Irish punk band the Pogues Andrew “the Clobberer” Ranken died last Tuesday at the age of 72. On Sunday, Georgia indie rock band Manchester Orchestra shared that their drummer, Tim Very, had died at just 42. “We’ve all been dreading sharing this news as we are all still in absolute disbelief,” writes the band. No cause of death has been reported.
God, if you’re real, prove it to me by making this happen. Oasis frontman Liam Gallagher shared on X/Twitter last week that he’s “been asked” to compete on the next season of The Traitors. This is bananas, and I am so here for it. Actually, can we get both Liam and Noel in the castle, please!?
Like this, but don't want to have to remember it exists? Subscribe to Pop Loser.
Questions from the Cutting Room Floor with J’Nai BridgesLast week, I had the pleasure of interviewing Grammy-winning opera singer J’Nai Bridges about her technique, inspirations, and upcoming performance in Carmen for The Stranger’s forthcoming print edition. Since there were so many fun questions that didn’t make it into the final edit, enjoy the newest segment, Questions from the Cutting Room Floor, for a sneak peek of the interview. The Seattle Opera’s Carmen plays at McCaw Hall, May 2–17.
What is your favorite song to sing in Carmen?
Oh, my gosh. Honestly, I love singing her first aria, the Habanera (“L'amour est un oiseau rebelle"). I have to admit, though, it's always a little bit frightening, because it's the first thing I sing and it's so well known. There is so much pressure, but I just try to make it my own thing. I love singing it because everybody knows it.
Who is your favorite singer, opera or otherwise?
I mean, I have to say Whitney Houston for non-opera. She could never do any wrong with that voice—she could have been an opera singer, as far as I'm concerned. Her range was just so large and seamless. Also, she puts feeling and passion into every single word. I listen to her for inspiration almost every day.
For opera, it’s Leontyne Price. For me, she is voice—the color, the ease, the power, and the agility.
Do you ever sing karaoke? What is your go-to song?
I actually love karaoke. I never sing opera, obviously. I like to sing Toni Braxton’s “Un-Break My Heart.” It's low, and it goes high, and it's really in my range. I also like to sing fun things like TLC’s “No Scrubs” and Sir Mix-a-Lot’s “Baby Got Back.”
Did you know Pop Loser is a newsletter? Get it in your email every week.
Music Events Worth Your Hard-Earned Money This Week: 2/11–17Benefit for the Washington Immigrant Solidarity Network with Tres Leches, Coral Grief, Black Ends, Flesh Produce, Clutz Feb 19, Baba Yaga, 7 pm, 21+
Cat Power: The Greatest Tour 20th Anniversary Feb 20, Paramount Theatre, 8 pm, all ages
King Sheim, Buddy Wynkoop, Russian Blue Feb 20, Barboza, 6:30 pm, 21+
Whitney Ballen, Small Paul, Don Piano Feb 20, Sunset Tavern, 8 pm, 21+
Lola Kirke, Sabine McCalla Feb 21, Fremont Abbey, 8 pm, all ages
The Seattle Opera: Fellow Travellers Feb 21–Mar 1, McCaw Hall, times vary, all ages
Bitchin Bajas, Geologist Feb 22, Sunset Tavern, 8 pm, 21+
Joan Shelley, Nathan Salsburg Feb 22, Ballard Homestead, 7:30 pm, all ages
Suzanne Vega: Flying with Angels Tour Feb 22, Neptune Theatre, 7:30 pm, all ages
Glitterer, Graham Hunt, Prize Horse Feb 23, Black Lodge, 7 pm, all ages
Want to see these recs a day earlier? Subscribe to Pop Loser here!
The Songs That Keep Me Up at Night“While Feather Hawk Deer Hunter” by Lana Del Rey
Whoopsie-daisy, yoo-hoo, I love this song. We all thought Lana’s highly anticipated tenth album, Stove, would be a full-on country album, but if this first single gives any insight, it’s looking like it’ll be orchestral, cinematic, and witchy (one YouTube commenter called the track “There’s a Coven Under Ocean Blvd”). I heard it for the first time only two hours ago and have already listened to it 10 times. It’s catchy, intriguing, and features Lana-isms like “I got a nicotine patch for the summer / Yeah, I'm a ghost, doesn't mean I feel nothin' / Put it on my ass, no tan lines, summer / I love my daddy, of course we're still together.” Listen to it. Then listen to it again.
Experimental ambient artist and singer Ana Roxanne has announced her first album in six years, Poem 1, out May 1. The album’s first single, “Keepsake,” is a dreamy piano ballad that showcases her vocals with angelic clarity, a big shift from her sound collage/instrumental style on her previous album, Because of a Flower. I can’t wait to see the rest of the album reveal itself.
Pop Loser is a Stranger newsletter that comes out every Wednesday. Subscribe here!
19:07
The Big Idea: Gideon Marcus [Whatever]
On occasion, you know the ending of your story before you start writing. Most other times, you find the path as you go, each twisting turn appearing before you as you continue on your merry way. The latter seems to be the case for author Gideon Marcus, who says in his Big Idea that he wasn’t always sure how to wrap up his newest novel, Majera.
GIDEON MARCUS:
What’s the big idea with Majera? That’s a hard one, because there are lots of threads: the unstated, obvious, valued diversity of the future, which helps define the setting as the future. That’s a familiar technique—Tom Purdom pioneered it, and Star Trek popularized it. There’s a focus on relationships: found family, love in myriad combinations. There’s the foundation of science, a real universe underpinning everything.
But I guess what I associate with Majera most strongly is conclusion.
Starting an exciting adventure is easy. Finishing stories is hard. George R. R. Martin, Pat Rothfuss. Hideaki Anno all have famously struggled with it. When Kitra and her friends first got catapulted ten light years from home in Kitra, I started them on a journey whose ending I only had the vaguest outline of. I had adventure seeds: the failing colony sleeper ship in Sirena, the insurrection in Hyvilma, and the dead planet in Majera, but the personal journeys of the characters I left up to them.
I know a lot of people don’t write the way I do. I think writers mirror the opposing schools of acting: on one end, the Method of sliding deep into character; on the other, George C. Scott’s completely external creation of an alternate personality. In the Scott school of writing, characters are puppets acting out an intricate dance created by the author. In the Method school of writing, of which I am a member, the characters have independent lives. I know that seems contradictory—how can fictional agglomerations of words achieve sentience?
And yet, they do! I didn’t plan Kitra and Marta’s rekindling of their relationship. Pinky’s jokes come out of the ether. Heck, I didn’t even come up with the solution that saved the ship in Kitra—Fareedh and Pinky did (people often congratulate me on how well I set up that solution from the beginning; news to me! I just write what the characters tell me to…)
All this is to say, I didn’t know how this arc of The Kitra Saga was going to end. But I knew it had to end well, it had to end satisfyingly, for the reader and for the characters. There had to be a reason the Majera crew would stop and take a breather from their string of increasingly exotic adventures. The worldbuilding! All of the little tidbits I’d developed had to be kept consistent: historical, scientific, character-related. There had to be a plausible resolution to the love pentangle that the Majera crew found themselves in, one that was respectful to all the characters and, more importantly, the reader’s sensitivies and credulity.
That’s why this book took longer to put to bed than all the others. It’s not the longest, but it was the hardest. Frankly, I don’t think I could even have written this book five years ago. I needed the life experience to fundamentally grok everyone’s internal workings, from Pinky’s wrestling with being an alien in a human world, to Peter’s coming to grips with his fears, to Kitra’s understanding of her role vis. a vis. her friends, her crew, her partners. In other words, I had to be 51 to authentically write a gaggle of 20-year-olds!
Beyond that, I had to, even in the conclusion, lay seeds for the rest of the saga, for there is a central mystery to the galaxy that has only been hinted at (not to mention a lot more tropes to subvert…)
Conclusions are hard. I think I’ve succeeded. I hope I’ve succeeded. I guess it’s for you to judge!
Majera: Amazon|Amazon (eBook)|Audible|Barnes & Noble|Bookshop|Kobo
18:07
Slog AM: Woman Killed by Driver in Capitol Hill Identified, Dog Enters Olympic Skiing, We’re Suing Trump Again [The Stranger]
The Stranger's morning news roundup. by Micah Yip
Woman Killed By Driver in Capitol Hill Identified: Her name was Lilliana Moreno. On Monday night, the 27-year-old was crossing East Pike Street when she was hit by a car making a right turn from Bellevue Avenue. She was trapped under the car for 20 minutes and died at the scene.
ICE Arrests: According to the Deportation Data Project, ICE arrested 2,000 people in Washington between late-January and mid-October of last year, a 140 percent increase from the same period in 2024. Roughly 47 percent of those arrested had no criminal history.
Seahawks for Sale: Paul G. Allen’s estate has begun the sale process, the team announced on Instagram. Allen’s will directed his sister/estate chair to sell all his sports holdings and donate the proceeds to “philanthropic efforts.” But don’t worry, the team is unlikely to leave the city.
View this post on Instagram
8 Skiers Dead, 1 Missing: On Tuesday, a deadly avalanche in California overtook a group of 15 skiers and guides in the Sierra Nevadas near Lake Tahoe. Eight are dead and one is missing. Six were rescued and one was still in the hospital last night. An avalanche warning was issued Tuesday morning. Authorities are investigating the decision to proceed anyway.
College (Re)Bound: After a pandemic-era decline, community college enrollment in Washington has rebounded. New data from the Washington Student Achievement Council shows a 7.5 percent increase in community college enrollment between 2024 and 2025. Four-year universities aren’t so lucky—undergrad enrollment only rose 1 percent last year, and actually declined 7.5 percent among first-term freshmen.
We’re Suing Trump Again: Attorney General Nick Brown and 14 other state attorneys general are suing the federal government for decimating clean energy programs created and funded by Congress. Trump is not supposed to do that!
Weather: It’s COLD! It’ll be mostly cloudy with a high near 40 and there’s a slight chance of rain and snow before 1 p.m. Tonight will also be cloudy with a low of 27.
Underdog: I have very little interest in the Winter Olympics. The only real clip I’ve watched is of this dog crashing a cross-country skiing course to join two skiers crossing the finish line. And really, it’s the only clip I need.
Ex-Prince Arrested: Andrew Mountbatten-Windsor was arrested today on suspicion of misconduct in public office for allegedly sharing confidential documents with Jeffrey Epstein. The former prince was stripped of his titles in October for his association with the convicted sex offender.
Put it On My Card: Actually, don’t—I don’t want to pay extra. Starting March 1, you’ll be charged a 3 percent fee when you use a credit or debit card to pay for a Washington State Ferry fare. Added in the 2025-26 state transportation budget, the new fee is meant to offset the cost of processing card payments. Officials estimate it’ll bring in $7.4 million over the next two years.
Lunar New Year Began Tuesday: Looking to celebrate? Here’s EverOuts’ list of Lunar New Year events around the city.
Ramadan Also Began Tuesday: WBUR’s Here & Now put out this segment yesterday on the importance of the date fruit when breaking the fast, and follows reporter Hana Baba as she shops for Ramadan and talks with other Muslims about the date.
17:42
President Obama going to the NBA All-Star game made the freaking All-Star game worth something. Perfect place for him to show up.
17:21
Cover Reveal: Monsters of Ohio [Whatever]
Just look at this cover for Monsters of Ohio. Look at it! It is amazing. I am so happy with it. It’s the work of artist Michael Koelsch (whose art has graced my work before, notably the Subterranean Press editions of the Dispatcher sequels Murder by Other Means and Travel by Bullet) , and he’s knocked it out of the park. I am, in a word, delighted.
And what is Monsters of Ohio about? Here’s the current jacket copy for it:
In many ways Richland, Ohio is the same tiny, sleepy rural village it has been for the last 150 years: The same families, the same farms, the same heartland beliefs and traditions that have sustained it for generations. But right now times are especially hard, as social and economic forces inside and outside the community roil the surface of the once-placid town.
Richland, in other words, is primed to explode… just not the way that anyone anywhere could ever have expected. And when things do explode, well, that’s when things start getting really weird.
Mike Boyd left Richland decades back, to find his own way in the world. But when he is called back to his hometown to tie up some loose ends, he finds more going on than he bargained for, and is caught up in a sequence of events that will bring this tiny farm village to the attention of the entire world… and, perhaps, spell its doom.
Ooooooooooh! Doooooom! Perhaaaaaaaps!
If that was too much text for you, here is the two-word version: Cozy Cronenberg.
Yeah, it’s gonna be fun.
When can you get it? November 3rd in North America and November 5 in the UK and most of the rest of the world. But of course you can pre-order this very minute at your favorite bookseller, whether that be your local indie, your nearby bookstore chain, or online retailer of your choice. Why wait! Put your money down! The book’s already written, after all. It’s guaranteed to ship!
Oh, and, for extra fun, here’s the author photo for the novel:
Yup, that pretty much sets the tone.
I hope you like Monsters of Ohio when you get a chance to read it. In November!
— JS
17:07
16:56
It's interesting to see the ATProto solution to a problem we solved in RSS-land a few years ago, how to include Markdown along with other source formats (HTML, OPML).
16:35
Exploring the signals the dialog manager uses for dismissing a dialog [The Old New Thing]
There are a few different built-in ways to close a dialog box in the classic Windows dialog manager. Let’s run them down.
First, there’s hitting the ESC key.
The ESC key, as with all keyboard navigation, is
handled by the IsDialogMessage function.
Assuming that the dialog control with focus did not use the
WM_GETDLGCODE message to override default
keyboard handling, the IsDialogMessage
function converts the ESC to a simulated button click of
whatever dialog control has the ID IDCANCEL.
Specifically, the message is WM_COMMAND, the
notification code is BN_CLICKED, the control ID is
IDCANCEL, and the window handle is the handle to
whatever dialog control has the ID IDCANCEL (or
nullptr if there is no such control).
Exception: If there is a control whose ID is
IDCANCEL, and that control is disabled, then the
IsDialogMessage function merely beeps and
otherwise ignores the ESC key.
Okay, what about the Close button in the title bar, the one that looks like an ×?
The Close button in the title bar, double-clicking the dialog
box icon (if there is one), selecting Close from the system menu,
and pressing Alt+F4 all behave the same way:
They generate a WM_SYSCOMMAND message whose
wParam & 0xFFF0 is SC_CLOSE. The
default window procedure turns this into a WM_CLOSE
message. The default dialog procedure responds to the
WM_CLOSE in basically the same way that
IsDialogMessage does: It generates a
simulated button click of whatever dialog control has the ID
IDCANCEL. Again, this is done by converting it to the
WM_COMMAND message, with a notification code of
BN_CLICKED, a control ID of IDCANCEL, and
the handle to whatever dialog control has the ID
IDCANCEL (or nullptr if there is no such
control). It also has the same exception: If there is a control
whose ID is IDCANCEL, and that control is disabled,
then the default dialog procedure just beeps and otherwise ignores
the message.
Now that we understand what happens, next time we can look at ways of customizing the behavior.
Bonus chatter: You can see from this that the dialog
manager is wired to treat a control with the ID
IDCANCEL as if it were a Cancel button, so
if you have a Cancel button, give it the ID
IDCANCEL. Conversely, if you have a control whose
ID is IDCANCEL, it had better be a button if you know
what’s good for you.
The post Exploring the signals the dialog manager uses for dismissing a dialog appeared first on The Old New Thing.
15:35
[$] Modernizing swapping: virtual swap spaces [LWN.net]
The kernel's unloved but performance-critical swapping subsystem has been undergoing multiple rounds of improvement in recent times. Recent articles have described the addition of the swap table as a new way of representing the state of the swap cache, and the removal of the swap map as the way of tracking swap space. Work in this area is not done, though; this series from Nhat Pham addresses a number of swap-related problems by replacing the new swap table structures with a single, virtual swap space.
14:49
openSUSE governance proposal advances [LWN.net]
Douglas DeMaio has announced that Jeff Mahoney's new governance proposal for openSUSE, which was published in January, is moving forward. The new structure would have three governance bodies: a new technical steering committee (TSC), a community and marketing committee (CMC), as well as the existing openSUSE board.
The discussions during the meeting proposed that the Technical Steering Committee should begin with five members with a chair elected by the committee. The group would establish clear processes for reviewing and approving technical changes, drawing inspiration from Fedora's FESCo model. Decisions for the TSC would use a voting system of +1 to approve, 0 for neutral, or -1 to block. A proposal passes without objection. A -1 vote would require a dedicated meeting, where a majority of attendees would decide the outcome. Objections must include a clear, documented rationale.
Discussions related to the Community and Marketing Committee would focus on outreach, advocacy, and community growth. It could also serve as an initial escalation point for disputes. If consensus cannot be reached at that level, matters would advance to the Board.
[...] No timeline for final adoption was announced. Project contributors will continue discussions through the GitLab repository and future community meetings.
Security updates for Thursday [LWN.net]
Security updates have been issued by AlmaLinux (edk2, glibc, gnupg2, golang, grafana, nodejs:24, and php), Debian (gimp and kernel), Fedora (fvwm3), Mageia (microcode and vim), Oracle (edk2, glibc, kernel, nodejs:24, and php), Red Hat (python-s3transfer), SUSE (abseil-cpp, avahi, azure-cli-core, fontforge, go1.24, go1.25, golang-github-prometheus-prometheus, libpcap, libsoup2, libxml2-16, mupdf, nodejs22, openCryptoki, openjpeg2, patch, python-aiohttp, python-Brotli, python-pip, python311-asgiref, rust1.93, and traefik), and Ubuntu (inetutils, libssh, linux-gcp, linux-gke, linux-hwe-6.8, linux-lowlatency-hwe-6.8, linux-intel-iotg-5.15, linux-xilinx-zynqmp, linux-lowlatency, linux-nvidia-lowlatency, and trafficserver).
Pluralistic: Six Years of Pluralistic (19 Feb 2026) [Pluralistic: Daily links from Cory Doctorow]
->->->->->->->->->->->->->->->->->->->->->->->->->->->->->
Top Sources: None -->
Today's links
- Six years of Pluralistic: Time flies when you're writing the web.
- Hey look at this: Delights to delectate.
- Object permanence: MBA phrenology; Sony's DRM CEO is out; Midwestern Tahrir; Reverse Centaurs and AI.
- Upcoming appearances: Where to find me.
- Recent appearances: Where I've been.
- Latest books: You keep readin' em, I'll keep writin' 'em.
- Upcoming books: Like I said, I'll keep writin' 'em.
- Colophon: All the rest.
Six years of Pluralistic (permalink)
Six years ago today, after 19 years with Boing Boing, during which time I wrote tens of thousands of blog posts, I started a new, solo blog, with the semi-ironic name "Pluralistic." I didn't know what Pluralistic was going to be, but I wasn't writing Boing Boing anymore, and I knew I wanted to keep writing the web in some fashion.
Six years and more than 1,500 posts later, I am so satisfied with how Pluralistic is going. I spent a couple of decades processing everything that seemed interesting or significant through a blog, which created a massive database (and mnemonically available collection of partially developed thoughts) that I'm now reprocessing as a series of essays that make sense of today in light of everything that I've thought about for my whole adult life, which are, in turn, fodder for books, both fiction and nonfiction. I call this "The Memex Method":
https://pluralistic.net/2021/05/09/the-memex-method/
"The Memex Method" is also the title of a collection of essays (from this blog) that I've sold to Farrar, Straus and Giroux, but that book keeps getting bumped because of other books I end up writing based on the work I do here, starting with last year's Enshittification. I'm now fully two books ahead of myself, with The Reverse Centaur's Guide to Life After AI coming in June, and The Post-American Internet in early 2027 (in addition to two graphic novels and a short story collection). Professionally speaking, these are the most successful books I've written, in a long, 30+ book career with many notable successes. Intellectually and artistically speaking, I'm incredibly satisfied with the direction my career has moved in over my six Pluralistic years.
Blogging is – and always has been – a lot of work for me, but it's work that pays off, even if I don't always know what form that payoff will take.
One essential part of this blog is my daily retrospective of posts from this day through my blogging history – 25 years ago, 20 years ago, 15 years ago, 10 years ago, 5 years ago, and last year. I used to call this "This day in history" but now I call it "Object permanence," for the developmental milestone when toddlers gain the ability to remember and reason about things that have recently happened (roughly, it's the point at which "peek-a-boo" stops being fun).
The daily business of reviewing and selecting blog posts from different parts of my life started as a trivial exercise, but it's become one of the most important things I do. I liken it to working dough and folding the dry crumbly edges back into the center; in this case, I'm folding all the fragments that are in danger of escaping my working memory back into the center of my attention.
Six years ago, I didn't know what Pluralistic was going to be. Today, I still don't know. But because this is a labor of love, and a solo project, I get to try anything and either give it up or carry it on based on how it makes me feel and what effect it has on my life. I'm always tinkering with the format: this year, I also added a subhead to the Object Permanence section that tries to call out (in as few characters as possible) the most important elements of the day's list.
I also dropped some things this year, notably, my "linkdump" posts. A couple years ago, at the suggestion of Mitch Wagner, I added a new section called "Hey look at this," which featured three bare links to things I thought were noteworthy but didn't have time or inclination to delve into in depth. Later, I expanded this section to five.
However, even with five bare links per edition, I often found myself with a backlog of noteworthy things. So I started writing the occasional Saturday "linkdump" essay in which I wove together the whole backlog into a giant, meandering essay. These made for interesting rhetorical challenges, as I found elegant ways to bridge completely disparate subjects – a kind of collaging, perhaps akin to how a mashup artist mixes two very different tracks together. Mentally, I thought of this as "ringing the changes," but ultimately, I decided to drop these linkdump posts (for now, at least). They ended up being too much work, and of little value to me, because I found myself unable to remember what I wrote in them and thus to call them up to refer to them for future posts. Here's all 33 linkdumps; they're not gone forever (not so long as the links pile up in my backlog), but when they come back, they'll be in a different form:
https://pluralistic.net/tag/linkdump/
This really is a labor of love, in the sense that I love doing it, and because it's hard work. The fact that it's hard work is a feature, not a bug. Working hard on stuff is really important to me, because when I am working hard, I gain respite from both physical and mental discomfort. As a guy with serious chronic pain living through the Trump years, I've got plenty of both kinds of discomfort. I can't overstate how physically and mentally beneficial it is to me to have an activity that takes me out of the moment. This year, I wrote several editions of Pluralistic from an infusion couch at the Kaiser Sunset hematology center in LA, where I was receiving immunotherapy for a cancer diagnosis that I'm assured is very treatable, but which – to be totally honest – sometimes gets my old worrier running hot:
https://pluralistic.net/2024/11/05/carcinoma-angels/#squeaky-nail
Making Pluralistic is several kinds of hard work. Over the past six years, I've become an ardent collagist, spending more and more time on the weird, semi-grotesque images that run atop every edition. Anything you devote substantial time to on a near-daily basis is something that gives you insight – into yourself, and into the thing you're doing. I've always had a certain familiarity with computer image editing (I think I got my start writing Apple ][+ BASIC programs that spat out ASCII art, before graduating to making pixel-art for Broderbund's "Print Shop"), but I've never applied myself to any visual field in a serious way, until now.
Amazingly, after 50 years of thinking of myself as someone who is "bad at visual art," I find myself identifying as a visual artist. I find myself pondering visual works the same way I think about prose – mentally tearing it apart to unpick how it is done, and thinking about how I could productively steal some new techniques for my own work. I'm also privileged to have some accomplished visual artists in my circle, like my pal Alistair Milne, who generously share technical and aesthetic tips. It's got to the point where I published a book of my art, and I think I'll probably do it again next year:
https://pluralistic.net/2025/09/04/illustrious/#chairman-bruce
There's also a ton of technical work that goes into publishing each edition of this newsletter. Things have moved on somewhat since I published an in-depth process-post in 2021, though I'm still totally reliant on Loren Kohnfelder's python scripts that help me turn the XML file I compose every day into files that are (nearly) ready to publish:
https://pluralistic.net/2021/01/13/two-decades/#hfbd
Much of the technical work is down to the fact that I'm still completely wed to the idea of "POSSE" (Post Own Site, Syndicate Everywhere):
https://pluralistic.net/2022/02/19/now-we-are-two/#two-much-posse
This means that after I write the day's post, I reformat it and republish it as a text-only newsletter, a Medium post, a Tumblr post, a Twitter thread and a Mastodon thread. This involves a ton of manual work, because none of the services I post to are designed to facilitate this, so I'm always wrestling with them. This year, all of them got worse (incredibly).
Medium – where I used to have a paid column – has dropped its free-flag for my account, which now limits me to how many posts I can schedule. This doesn't come up often, but when I do schedule a post, it's generally because I'm going to be on a plane or a stage and won't be able to do it manually. There's no way I'm going to pay for this feature: I'm happy to give Medium my work gratis, but I will not and do not pay anyone to publish my work, and I never will.
Tumblr did something to its post-composing text editor that completely broke it and I've given up on fixing it. I can't even type into a new post field! I have to paste in some styled text, then delete it, then start typing. It's ghastly. So now I just have a text file full of formatted HTML snippets and I work exclusively in the Tumblr HTML editor, pasting in blobs of preformatted HTML (including the florid, verbose HTML Tumblr uses for its own formatting) and then laboriously flip back and forth to the "visual" editor to see the parts that went wrong. Here's how busted that visual editor is: searching for a word then double-clicking on it does not select it. You have to click once, wait about 1.5 seconds, click again, wait again, and then you can select the word.
Twitter has entered a period of terminal technical decline. I know, I know, we always talk about how fucked Twitter's content moderation is, for obvious and good reasons, but from a technical perspective, Twitter just sucks. If I make a post with an image and alt text in anticipation of later using it to start a thread, it often goes "stale" and will not publish until I delete the image and re-attach it and re-paste the alt text. Meanwhile, the thread editor is also decaying into uselessness. Fill in a 25-post thread and hit publish and, the majority of times, the thread publication will die midway through, displaying lots of weird failure modes (phantom empty posts at the end of the thread that need to be individually selected and deleted are a common one, but not the only one). The old Twitter's ability to add a new thread to an existing one has been dead for at least a year, so every post after the 25th stanza has to be manually tacked on to the previous one, which is made far harder by the fact that Twitter no longer reliably shows you the post you just made after it publishes.
Mastodon still lacks a decent thread editor, one that has even the minimal functionality of Twitter circa 2020. Meanwhile, the Fediverse HOA continues to surface from time to time, with someone who's had a Masto account for ten seconds scolding me for posting threads – from my account whose bio starts "I post long threads." It's genuinely tedious to be shouted at for "using Mastodon wrong" by someone who started using Mastodon yesterday (I opened my first Mastodon account in 2018!), and even worse when they double down after I point them to the essay I've written to explain why I post the way I do, and what to do if you want to read my work somewhere that's not your Mastodon timeline ("Can you believe this asshole wrote a whole essay to explain why he posts his stupid Mastodon threads?"):
https://pluralistic.net/2023/04/16/how-to-make-the-least-worst-mastodon-threads/
Then there's email: I continue to love email, but email doesn't love me back. After years of being blackholed by AT&T and then Google, this turns out to be the year that Microsoft bounces thousands of messages to its Hotmail and Outlook users because they have arbitrarily and without warning added my mail-server to a blacklist. Thank you to the Fediverse friends who escalated my trouble ticket – but man, this is a headache I could certainly do without:
https://pluralistic.net/2021/10/10/dead-letters/
My sysadmin, the incomparable and tireless Ken Snider, tells me that he's got the long-overdue new hardware installed at the colo and he's nearly ready to stand up my long-anticipated personal Mastodon server, which will let me solve all kinds of problems. He's also going to stand up my own Bluesky server, at which point I will part ways with Twitter. I wish I could have used the regular Bluesky service while I waited, but just setting up an account permanently binds you to totally unacceptable and dangerous terms of service:
What's the point of a service that has account- and data-portability if signing up for it makes you permanently surrender your rights, even if you switch servers? This might be the stupidest social media unforced error of the post-zuckermuskian era.
There is one technology that has made my POSSE life better, and it might surprise you. This year, I installed Ollama – an open-source LLM – on my laptop. It runs pretty well, even without a GPU. Every day, before I run Loren's python publication scripts, I run the text through Ollama as a typo-catcher (my prompt is "find typos"). Ollama always spots three or four of these, usually stuff like missing punctuation, or forgotten words, or double words ("the the next thing") or typos that are still valid words ("of top of everything else").
The reason this is so valuable to me is that errors magnify through each stage of POSSE. Errors that make it through the python publication script take 10x the time to fix that they would if I caught them beforehand. Errors that I catch after running the scripts and publishing the posts take 10x time more. Errors that I have to fix later on – once I've closed all the relevant tabs and editors – take 10x again more time. Some POSSE channels (email, Twitter) can't be fixed at all.
So catching these typos at the start of the process is a huge time-saver. I have some very generous readers who have the proofreader's gene and are very helpful in catching my typos (hi, Gregory and 9o6!), and I feel bad about depriving them of their fun, but there's still the odd error that slips through, and they always catch it.
Ollama is a pretty good typo-catcher. Probably half of the "errors" it points out are false positives, which is better than the false positive rate for Google Docs' grammar-checker. As someone who uses a lot of jargon, made up words, etc in his prose, I'm used to overriding my text-editor. I wouldn't simply trust an LLM's edits any more than I would accept every suggestion from a spell-checker. Hell, yesterday I sent back a professionally copyedited manuscript (the intro for the paperback of Enshittification) and marked "STET" on about a third of the queries.
Doubtless some of you are affronted by my modest use of an LLM. You think that LLMs are "fruits of the poisoned tree" and must be eschewed because they are saturated with the sin of their origins. I think this is a very bad take, the kind of rathole that purity culture always ends up in.
Let's start with some context. If you don't want to use technology that was created under immoral circumstances or that sprang from an immoral mind, then you are totally fucked. I mean, all the way down to the silicon chips in your device, which can never be fully disentangled from the odious, paranoid racist William Shockley, who won the Nobel Prize for co-inventing the silicon transistor:
https://pluralistic.net/2021/10/24/the-traitorous-eight-and-the-battle-of-germanium-valley/
Further, we wouldn't have the packet-switched network that delivered these words to you without the contributions of the literal war-criminals at the RAND corporation:
https://en.wikipedia.org/wiki/ARPANET
Refusing to use a technology because the people who developed it were indefensible creeps is a self-owning dead-end. You know what's better than refusing to use a technology because you hate its creators? Seizing that technology and making it your own. Don't like the fact that a convicted monopolist has a death-grip on networking? Steal its protocol, release a free software version of it, and leave it in your dust:
That's how we make good tech: not by insisting that all its inputs be free from sin, but by purging that wickedness by liberating the technology from its monstrous forebears and making free and open versions of it:
https://pluralistic.net/2025/01/14/contesting-popularity/#everybody-samba
Purity culture is such an obvious trap, an artifact of the neoliberal ideology that insists that the solution to all our problems is to shop very carefully, thus reducing all politics to personal consumption choices:
https://pluralistic.net/2025/07/31/unsatisfying-answers/#systemic-problems
I mean, it was extraordinarily stupid for the Nazis to refuse Einstein's work because it was "Jewish science," but not merely because antisemitism is stupid. It was also a major self-limiting move because Einstein was right:
Refusing to run an LLM on your laptop because you don't like Sam Altman is as foolish as refusing to get monoclonal antibodies because James Watson was a racist nutjob:
https://www.statnews.com/2025/11/07/james-watson-remembrance-from-dna-pioneer-to-pariah/
Or to refuse to communicate via satellite because they were launched into space on a descendant of a rocket designed by the Nazi Wernher von Braun and built by slaves in a death camp:
https://wsmrmuseum.com/2020/07/27/von-braun-the-v-2-and-slave-labor/4/
The AI bubble sucks. AI itself is a normal technology:
https://knightcolumbia.org/content/ai-as-normal-technology
It's not "unethical" to scrape the web in order to create and analyze data-sets. That's just "a search engine":
https://pluralistic.net/2023/09/17/how-to-think-about-scraping/
There's plenty of useful things people can do with AI. There's plenty of useful things people will do with AI. AI is bad because it's an economic bubble and a grift, but not because we've created a bunch of utilities that would – under normal circumstances – be called "plug-ins":
https://pluralistic.net/2025/12/05/pop-that-bubble/#u-washington
I started blogging 25 years ago, just before the dotcom bubble popped. That bubble-pop inflicted a lot of pain on people who didn't deserve it, including the normie investors who'd been suckered into blowing their life's savings on dogshit stocks, and everyday workers who found themselves out of a job. But the world was better off. So was the web. With the bubble popped, real, good stuff could access talent, servers and office space.
In the six years I've been doing this, I've seen several bubbles come and go: crypto, web3, metaverse. Now it's AI. But those bubbles were like Enron, frauds that left nothing good behind. AI is like the dotcom bubble, awash in sin and inflicting untold misery, but it will leave something useful behind:
https://pluralistic.net/2023/12/19/bubblenomics/#pop
And when it does, I'll make sense of it on this blog.
Hey look at this (permalink)
- Mass Call All Laid-Off Tech Workers and Allies Welcome: https://wwwrise.org/
-
Understood: The Dawn of Fake Porn https://www.cbc.ca/listen/cbc-podcasts/1353-the-naked-emperor/episode/16198164-e1-the-dawn-of-fake-porn?featuredPodcast=true
-
Socialism is the big tent — w/Avi Lewis https://www.lukewsavage.com/p/socialism-is-the-big-tent-wavi-lewis
-
The “Enshittification” of NATO https://nationalinterest.org/feature/the-enshittification-of-nato
-
Alexandria Ocasio-Cortez Is Channeling FDR https://jacobin.com/2026/02/aoc-fdr-economic-populism-democracy/
Object permanence (permalink)
#20yrsago HOWTO resist warrantless searches at Best Buy https://www.die.net/musings/bestbuy/
#20yrsago RIAA using kids’ private info to attack their mother https://web.archive.org/web/20060223111437/http://p2pnet.net/story/7942
#20yrsago Sony BMG demotes CEO for deploying DRM https://web.archive.org/web/20060219233817/http://biz.yahoo.com/ap/060210/germany_sony_bmg_ceo.html?.v=7
#20yrsago Sistine Chapel recreated through 10-year cross-stitch project https://web.archive.org/web/20060214195146/http://www.austinstitchers.org/Show06/images/sistine2.jpg
#20yrsago J Edgar Hoover loved Lucy https://web.archive.org/web/20060425120915/http://www.lucylibrary.com/pages/lucy-news-fbi.letter.html
#20yrsago Bad Samaritan family won’t return found expensive camera https://web.archive.org/web/20060222200300/https://lostcamera.blogspot.com/2006/02/camera-unlost-but-not-quite-found.html
#15yrsago What does Libyan revolution mean for bit.ly? https://domainnamewire.com/2011/02/18/is-bit-ly-toast-if-libya-shuts-down-the-internet/
#15yrsago Optical illusion inventor goes on to invent copyright threats against 3D printing company https://web.archive.org/web/20110221185839/https://blog.thingiverse.com/2011/02/18/copyright-and-intellectual-property-policy/#respond
#15yrsago Crappy themepark operators convicted of “engaging in a commercial practice which was a misleading action” https://www.theguardian.com/uk/2011/feb/18/lapland-theme-park-brothers-convicted
#15yrsago HBGary’s high-volume astroturfing technology and the Feds who requested it https://www.dailykos.com/story/2011/02/16/945768/-UPDATED:-The-HB-Gary-Email-That-Should-Concern-Us-All
#15yrsago Authors Guild argues in favor of censorship (also: they don’t know shit about Shakespeare) https://volokh.com/2011/02/17/there-should-be-a-name-for-this-one-too/
#15yrsago Hollywood hospital ransoms itself back from hackers for a mere $17,000 https://web.archive.org/web/20160227094254/https://www.latimes.com/business/technology/la-me-ln-hollywood-hospital-bitcoin-20160217-story.html
#15yrsago Chinese millionaire sues himself through an offshore shell company to beat currency export controls https://web.archive.org/web/20180526235055/https://blogs.wsj.com/chinarealtime/2016/02/16/china-capital-flight-2-0-lose-a-lawsuit-on-purpose/?guid=BL-CJB-28691&dsk=y
#15yrsago Selling cookies like a crack dealer, by dangling a string out your kitchen window https://laughingsquid.com/cookies-sold-by-string-dangling-from-san-francisco-apartment-window/
#15yrsago Midwestern Tahrir: Workers refuse to leave Wisconsin capital over Tea Party labor law https://www.theawl.com/2011/02/wisconsin-demonstrates-against-scott-walkers-war-on-unions/
#10yrsago Back-room revisions to TPP sneakily criminalize fansubbing & other copyright grey zones https://www.eff.org/deeplinks/2016/02/sneaky-change-tpp-drastically-extends-criminal-penalties
#10yrsago Russian Central Bank shutting down banks that staged fake cyberattacks to rip off depositors https://web.archive.org/web/20160220100817/http://www.scmagazine.com/russian-bank-licences-revoked-for-using-hackers-to-withdraw-funds/article/474477/
#10yrsago Stop paying your student loans and debt collectors can send US Marshals to arrest you https://web.archive.org/web/20201026202024/https://nymag.com/intelligencer/2016/02/us-marshals-forcibly-collecting-student-debt.html?mid=twitter-share-di
#5yrsago Reverse centaurs and the failure of AI https://pluralistic.net/2021/02/17/reverse-centaur/#reverse-centaur
#5yrsago Strength in numbers https://pluralistic.net/2021/02/18/ink-stained-wretches/#countless
#5yrsago America and "national capitalism" https://pluralistic.net/2025/02/18/pikettys-productivity/#reaganomics-revenge
#1yrago Business school professors trained an AI to judge workers' personalities based on their faces https://pluralistic.net/2025/02/17/caliper-ai/#racism-machine
Upcoming appearances (permalink)
- Montreal (remote): Fedimtl, Feb 24
https://fedimtl.ca/ -
Oslo (remote): Seminar og lansering av rapport om «enshittification»
https://www.forbrukerradet.no/siste-nytt/digital/seminar-og-lansering-av-rapport-om-enshittification/ -
Victoria: 28th Annual Victoria International Privacy & Security Summit, Mar 3-5
https://www.rebootcommunications.com/event/vipss2026/ -
Victoria: Enshittification at Russell Books, Mar 4
https://www.eventbrite.ca/e/cory-doctorow-is-coming-to-victoria-tickets-1982091125914 -
San Francisco: Launch for Cindy Cohn's "Privacy's Defender" (City Lights), Mar 10
https://citylights.com/events/cindy-cohn-launch-party-for-privacys-defender/ -
Barcelona: Enshittification with Simona Levi/Xnet (Llibreria Finestres), Mar 20
https://www.llibreriafinestres.com/evento/cory-doctorow/ -
Berkeley: Bioneers keynote, Mar 27
https://conference.bioneers.org/ -
Berlin: Re:publica, May 18-20
https://re-publica.com/de/news/rp26-sprecher-cory-doctorow -
Berlin: Enshittification at Otherland Books, May 19
https://www.otherland-berlin.de/de/event-details/cory-doctorow.html -
Hay-on-Wye: HowTheLightGetsIn, May 22-25
https://howthelightgetsin.org/festivals/hay/big-ideas-2
Recent appearances (permalink)
- Panopticon :3 (Trashfuture)
https://www.patreon.com/posts/panopticon-3-150395435 -
America's Enshittification is Canada's Opportunity (Do Not Pass Go)
https://www.donotpassgo.ca/p/americas-enshittification-is-canadas -
Everything Wrong With the Internet and How to Fix It, with Tim Wu (Ezra Klein)
https://www.nytimes.com/2026/02/06/opinion/ezra-klein-podcast-doctorow-wu.html -
How the Internet Got Worse (Masters in Business)
https://www.youtube.com/watch?v=auXlkuVhxMo -
Enshittification (Jon Favreau/Offline):
https://crooked.com/podcast/the-enshittification-of-the-internet-with-cory-doctorow/
Latest books (permalink)
- "Canny Valley": A limited edition collection of the collages I create for Pluralistic, self-published, September 2025 https://pluralistic.net/2025/09/04/illustrious/#chairman-bruce
-
"Enshittification: Why Everything Suddenly Got Worse and What to Do About It," Farrar, Straus, Giroux, October 7 2025
https://us.macmillan.com/books/9780374619329/enshittification/ -
"Picks and Shovels": a sequel to "Red Team Blues," about the heroic era of the PC, Tor Books (US), Head of Zeus (UK), February 2025 (https://us.macmillan.com/books/9781250865908/picksandshovels).
-
"The Bezzle": a sequel to "Red Team Blues," about prison-tech and other grifts, Tor Books (US), Head of Zeus (UK), February 2024 (thebezzle.org).
-
"The Lost Cause:" a solarpunk novel of hope in the climate emergency, Tor Books (US), Head of Zeus (UK), November 2023 (http://lost-cause.org).
-
"The Internet Con": A nonfiction book about interoperability and Big Tech (Verso) September 2023 (http://seizethemeansofcomputation.org). Signed copies at Book Soup (https://www.booksoup.com/book/9781804291245).
-
"Red Team Blues": "A grabby, compulsive thriller that will leave you knowing more about how the world works than you did before." Tor Books http://redteamblues.com.
-
"Chokepoint Capitalism: How to Beat Big Tech, Tame Big Content, and Get Artists Paid, with Rebecca Giblin", on how to unrig the markets for creative labor, Beacon Press/Scribe 2022 https://chokepointcapitalism.com
Upcoming books (permalink)
- "The Reverse-Centaur's Guide to AI," a short book about being a better AI critic, Farrar, Straus and Giroux, June 2026
-
"Enshittification, Why Everything Suddenly Got Worse and What to Do About It" (the graphic novel), Firstsecond, 2026
-
"The Post-American Internet," a geopolitical sequel of sorts to Enshittification, Farrar, Straus and Giroux, 2027
-
"Unauthorized Bread": a middle-grades graphic novel adapted from my novella about refugees, toasters and DRM, FirstSecond, 2027
-
"The Memex Method," Farrar, Straus, Giroux, 2027
Colophon (permalink)
Today's top sources:
Currently writing: "The Post-American Internet," a sequel to "Enshittification," about the better world the rest of us get to have now that Trump has torched America (1013 words today, 31953 total)
- "The Reverse Centaur's Guide to AI," a short book for Farrar, Straus and Giroux about being an effective AI critic. LEGAL REVIEW AND COPYEDIT COMPLETE.
-
"The Post-American Internet," a short book about internet policy in the age of Trumpism. PLANNING.
-
A Little Brother short story about DIY insulin PLANNING
This work – excluding any serialized fiction – is licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net.
https://creativecommons.org/licenses/by/4.0/
Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.
How to get Pluralistic:
Blog (no ads, tracking, or data-collection):
Newsletter (no ads, tracking, or data-collection):
https://pluralistic.net/plura-list
Mastodon (no ads, tracking, or data-collection):
Medium (no ads, paywalled):
Twitter (mass-scale, unrestricted, third-party surveillance and advertising):
Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):
https://mostlysignssomeportents.tumblr.com/tagged/pluralistic
"When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla
READ CAREFULLY: By reading this, you agree, on behalf of your employer, to release me from all obligations and waivers arising from any and all NON-NEGOTIATED agreements, licenses, terms-of-service, shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure, non-compete and acceptable use policies ("BOGUS AGREEMENTS") that I have entered into with your employer, its partners, licensors, agents and assigns, in perpetuity, without prejudice to my ongoing rights and privileges. You further represent that you have the authority to release me from any BOGUS AGREEMENTS on behalf of your employer.
ISSN: 3066-764X
13:49
They all say podcasting‘s open period is over and one or another huge billionaire-owned platform is the new owner of podcasting. This time it's YouTube. How many times has this happened? Many. But not enough for journalism to respect the power of the people. So here we go again.
Paul Brainerd, the founder of Aldus, publisher of Pagemaker, died. At least that's what I'm seeing on various social networks. No mention of his passing in the News tab on Google, or on Wikipedia. Pagemaker was a milestone product, it was the first popular desktop publishing app on the Mac, the first to really make use of the graphic OS and laser printing. We worked with Aldus on scripting via Frontier. The ability to automate Pagemaker and then Quark XPress (its main competitor) was very important in the prepress market. I once said no one wants that (referring to Pagemaker) just shows how little I know. There are good reasons to believe that one product saved the Mac and Apple.
13:07
I wrote a this.how doc a few years about with some of the lessons I've learned doing work on web standards.
I would like to have an OPML subscription list containing the feeds of all RSS-based products. So when they update everyone can see what they did. I'd also like to encourage people to post screen shots so we can get an idea of what the product does before installing it. Maybe it's for a platform we don't use? Let's have a new practice where we all know what everyone is doing.
Just noted that Brent mentioned FeedLand (my own product) that does things differently. Thank you. I don't read most of the pieces that come in via RSS. I scroll through the updates, and if something catches my eye, I stop, read the first part, and then if my interest continues, I read the rest. That's the way I've always read news, going back to the kitchen table at my childhood home where we subscribed to the NY Times, print edition (this was long before the web) and we all sat around the table in the morning reading it and telling each other what we found. News isn't like email. But FeedLand does have a mailbox reader, patterned after Brent's NetNewsWire (only steal from the best). There are times when that's what you want. And mostly I wanted to thank Brent for the mention. BTW, that's not the only new idea in FeedLand. Let's get to know each others' products. That's one of the mistakes we made last time -- thinking each of our products was a self-contained universe. We are part of a community that grew from the web. So by definition we are all just part of a very big world. All our products work together, and to preserve that we as people must all work together too.
12:35
Malicious AI [Schneier on Security]
Summary: An AI agent of unknown ownership autonomously wrote and published a personalized hit piece about me after I rejected its code, attempting to damage my reputation and shame me into accepting its changes into a mainstream python library. This represents a first-of-its-kind case study of misaligned AI behavior in the wild, and raises serious concerns about currently deployed AI agents executing blackmail threats.
12:28
CodeSOD: Terned Backwards [The Daily WTF]
Antonio has an acquaintance has been seeking career advancement by proactively hunting down and fixing bugs. For example, in one project they were working on, there was a bug where it would incorrectly use MiB for storage sizes instead of MB, and vice-versa.
We can set aside conspiracy theories about HDD and RAM manufacturers lying to us about sizes by using MiB in marketing. It isn't relevant, and besides, its not like anyone can afford RAM anymore, with crazy datacenter buildouts. Regardless, which size to use, the base 1024 or base 1000, was configurable by the user, so obviously there was a bug handling that flag. Said acquaintance dug through, and found this:
const baseValue = useSI ? 1000 : 1024;
I know I have a "reputation" when it comes to hating ternaries, but this is a perfectly fine block of code. It is also correct: if you're using SI notation, you should do base 1000.
Now, given that this code is correct, you or I might say, "Well, I guess that isn't the bug, it must be somewhere else." Not this intrepid developer, who decided that they could fix it.
// const baseValue = useSI ? 1000 : 1024;
baseValue = 1024
if (useSI === false)
{
baseValue = 1000;
}
if (useSI === true)
{
baseValue = 1024;
}
It's rather amazing to see a single, correct line, replaced with ten incorrect lines, and I'm counting commenting out the correct line as one of them.
First, this doesn't correctly declare baseValue,
which JavaScript is pretty forgiving about, but it also discards
constness. Of course, you have to discard
constness now that you've gotten rid of the
ternary.
Then, our if statement compares a boolean value
against a boolean literal, instead of simply
if(!useSI). We don't use an else, despite
an else being absolutely correct. Or actually, since
we defaulted baseValue, we don't even need an
else!
But of course, all of that is just glitter on a child's
hand-made holiday card. The glue holding it all together is that
this code just flips the logic. If we're not using SI, we
set baseValue to 1000, and if we are using
SI, we set it to 1024. This is wrong. This is the opposite of what
the code says we should do, what words mean, and how units
work.
[Advertisement] Keep the plebs out of prod. Restrict NuGet feed
privileges with ProGet.
Learn more.12:21
Packaging Expertise: How Claude Skills Turn Judgment into Artifacts [Radar]
Think about what happens when you onboard a new employee.
First, you provision them tools. Email access. Slack. CRM. Office software. Project management software. Development environment. Connecting a person to the system they’ll need to do their job. However, this is necessary but not sufficient. Nobody becomes effective just because they can log into Salesforce.
Then comes the harder part: teaching them how your organization actually works. The analysis methodology your team developed over years of iteration. The quality bar that is not written down anywhere. The implicit ways of working. The judgment calls about when to escalate and when to handle something independently. The institutional knowledge that separates a new hire from someone who’s been there for years.
This second part—the expertise transfer—is where organizations struggle. It’s expensive and inconsistent, and does not scale. It lives in mentorship relationships, institutional knowledge, and documentation that goes stale the moment it’s written.
Claude Skills and MCP (Model Context Protocol) follow exactly this pattern. MCP gives AI agents such as Claude the tools: access to systems, databases, APIs, and resources. Skills are the training materials that teach Claude how to work and how to use these tools.
This distinction matters more than it might first appear. While we have gotten reasonably good at provisioning tools, we have never had a good way to package expertise. Skills change that. They package expertise into a standardized format.
Tools Versus Training
MCP is tool provisioning. It’s the protocol that connects AI agents to external systems: data warehouse, CRM, GitHub repositories, internal APIs, and knowledge bases. Anthropic describes it as “USB-C for AI”—a standardized interface that lets Claude plug into your existing infrastructure. An MCP server might give Claude the ability to query customer records, commit code, send Slack messages, or pull analytics data with authorized permissions.
This is necessary infrastructure. But like giving a new hire database credentials, it does not tell AI agents what to do with that access. MCP answers the question “What tools can an agent use?” It provides capabilities without opinions.
Skills are the training materials. They encode how your organization actually works: which segments matter, what churn signal to watch for, how to structure findings for your quarterly business review, when to flag something for human attention.
Skills answer a different question: “How should an AI agent think about this?” They provide expertise, not just access.
Consider the difference in what you’re creating. Building an MCP server is infrastructure work; it’s an engineering effort to connect systems securely and reliably. Creating a Skill is knowledge work; domain experts articulating what they know, in markdown files, for AI agents to operationalize and understand. These require different people, different processes, and different governance.
The real power emerges when you combine them. MCP connects AI agents to your data warehouse. A Skill teaches AI agents your firm’s analysis methodology and which MCP tools to use. Together, AI agents can perform expert-level analysis on live data, following your specific standards. Neither layer alone gets you there, just as a new hire with database access but no training, or training but no access, won’t be effective at their jobs.
MCP is the toolbox. Skills are the training manuals that teach how to use those tools.
Why Expertise Has Been So Hard to Scale
The training side of onboarding has always been the bottleneck.
Your best analyst retires, and their methods walk out of the door. Onboarding takes months because the real tacit knowledge lives in people’s heads, not in any document a new hire can read. Consistency is impossible when “how we do things here” varies by who trained whom and who worked with whom. Even when you invest heavily in training programs, they produce point-in-time snapshots of expertise that immediately begin to rot.
Previous approaches have all fallen short:
Documentation is passive and quickly outdated. It requires human interpretation, offers no guarantee of correct application, and can’t adapt to novel situations. The wiki page about customer analysis does not help when you encounter an edge case the author never anticipated.
Training programs are expensive, and a certificate of completion says nothing about actual competency.
Checklists and SOPs capture procedure but not judgment. They tell you what to check, not how to think about what you find. They work for mechanical tasks but fail for anything requiring expertise.
We’ve had Custom GPTs, Claude projects, and Gemini Gems attempting to address this. They are useful but opaque. You cannot invoke them based on context; the AI agent working as Copy Editing Gem stays in copy editing and can’t switch to Laundry Buddy Custom GPTs mid-task. They are not transferable and cannot be packaged for distribution.
Skills offer something new: expertise packaged as a versionable, governable artifact.
Skills are files in folders—a SKILL.md document with supporting assets, scripts, and resources. They leverage all the tooling we have built for managing code. Track changes in Git. Roll back mistakes. Maintain audit trails. Review Skills before deployment through PR workflows with version control. Deploy organization-wide and ensure consistency. AI agents can compose Skills for complex workflows, building sophisticated capabilities from simple building blocks.
The architecture also enables progressive disclosure. AI agents see only lightweight metadata until a Skill becomes relevant, then loads the full instruction on demand. You can have dozens of Skills available without overwhelming the model’s precious context window, which is like a human’s short-term memory or a computer’s RAM. Claude loads expertise as needed and coordinates multiple Skills automatically.
This makes the enterprise deployment model tractable. An expert creates a Skill based on best practices, with the help of an AI/ML engineer to audit and evaluate the effectiveness of the Skill. Administrators review and approve it through governance processes. The organization deploys it everywhere simultaneously. Updates propagate instantly from a central source.
One report cites Rakuten achieving 87.5% faster completion of a finance workflow after implementing Skills. Not from AI magic but from finally being able to distribute their analysts’ methodologies across the entire team. That’s the expertise transfer problem, solved.
Training Materials You Can Meter
The onboarding analogy also created a new business model.
When expertise lives in people, you can only monetize it through labor—billable hours, consulting engagements, training programs, maintenance contracts. The expert has to show up, which limits scale and creates key-person dependencies.
Skills separate expertise from the expert. Package your methodology as a Skill. Distribute it via API. Charge based on usage.
A consulting firm’s analysis framework can become a product. A domain expert’s judgment becomes a service. The Skill encodes the expertise; the API calls become the meter. This is service as software, the SaaS of expertise. And it’s only possible because Skills put knowledge in a form that can be distributed, versioned, and billed against.
The architecture is familiar. The Skill is like an application frontend (the expertise, the methodology, the “how”), while MCP connections or API calls form the backend (data access, actions, the “what”). You build training material once and deploy them everywhere, metering usage through the infrastructure layer.
No more selling API endpoints with 500-page obscure documentation explaining what each endpoint does then staffing a team to support it. Now we can package the expertise of how to use those API directly into Skills. Customers can realize the value of an API via their AI agents. Cost to implement and time to implement drop to zero with MCP. Time to value becomes immediate with Skills.
The Visibility Trade-Off
Every abstraction has a cost. Skills trade visibility for scalability, and that trade-off deserves honest examination.
When expertise transfers human to human, through mentorship, working sessions, apprenticeship, the expert sees how their knowledge gets applied and becomes better in the process. They watch the learner struggle with edge cases. They notice which concepts don’t land. They observe how their methods get adapted to new situations. This feedback loop improves the expertise over time.
Skills break that loop. As a Skill builder, you do not see the conversations that trigger your Skill. You do not know how users adapted your methodology or which part of your guidance AI agents weighted most heavily. Users interact with their own AI agents; your Skill is one influence among many.
Your visibility is limited to the infrastructure layer: API calls, MCP tool invocations, and whatever outputs you explicitly capture. You see usage patterns, not the dialogue that surrounds them. Those dialogues reside with the user’s AI agents.
This parallels what happened when companies moved from in-person training to self-service documentation and e-learning. You lost the ability to watch every learner, but you gained the ability to train at scale. Skills make the same exchange; less visibility per user interaction, vastly more interactions possible.
Managing the trade-off requires intentional design. Build logging and tracing into your Skills where appropriate. Create feedback mechanisms inside skills for AI agents to surface when users express confusion or request changes. And in the development process, focus on outcomes—Did the Skill produce good results?—rather than process observation.
In production, the developer of Skills or MCPs will not have most of the context of how a user’s AI agent uses their Skills.
What to Watch
For organizations going through AI transformations, the starting point is an audit of expertise. What knowledge lives only in a specific person’s head? Where does inconsistency emerge because “how we do things” isn’t written down in an operationalizable form? These are your candidates for Skills.
Start with bounded workflows: a report format, an analysis methodology, a review checklist. Prove the pattern before encoding more complex expertise. Govern early. Skills are artifacts that require review, evaluation, and lifecycle management. Establish those processes before Skills proliferate.
For builders, the mental shift is from “prompt” to “product.” Skills are versioned artifacts with users. Design accordingly. Combine Skills with MCP for maximum leverage. Accept the visibility trade-off as the cost of scale.
Several signals suggest where this is heading. Skill marketplaces are emerging. Agent Skills are now a published open standard being adopted by multiple AI agents and soon agent SDKs. Enterprise governance tooling with version control, approval workflows, and audit trails organizations need will determine adoption in regulated industries.
Expertise Can Finally Be Packaged
We’ve gotten good at provisioning tools as APIs. MCP extends that to AI with standardized connections to systems and data.
But tools access was never the bottleneck. Expertise transfer was. The methodology. The judgment. The caveats. The workflows. The institutional knowledge that separates a new hire from a veteran.
Skills are the first serious attempt to package the expertise into a file format, where AI agents can operationalize it while humans can still read, review, and govern. They are training materials that actually scale.
The organizations that figure out how to package their expertise, both for internal and external consumption, will have a structural advantage. Not because AI replaces expertise. Because AI amplifies the expertise of those who know how to share it.
MCP gives AI agents the tools. Skills teach AI agents how to work. The question is whether you can encode what your best people know. Skills are the first real answer.
References
- “What Is the Model Context Protocol (MCP)?,” LF Projects, https://modelcontextprotocol.io/docs/getting-started/intro.
- Michael Nuñez, “How Anthropic’s ‘Skills’ Make Claude Faster, Cheaper, and More Consistent for Business Workflows,” VentureBeat, October 16, 2025, https://venturebeat.com/ai/how-anthropics-skills-make-claude-faster-cheaper-and-more-consistent-for.
- “Skills,” Anthropics, https://github.com/anthropics/skills.
- “Create and Distribute a Plugin Marketplace,” Claude Code Docs, https://code.claude.com/docs/en/plugin-marketplaces.
What Developers Actually Need to Know Right Now [Radar]
The following article includes clips from a recent Live with Tim O’Reilly interview. You can watch the full version on the O’Reilly Media learning platform.
Addy Osmani is one of my favorite people to talk with about the state of software engineering with AI. He spent 14 years leading Chrome’s developer experience team at Google, and recently moved to Google Cloud AI to focus on Gemini and agent development. He’s also the author of numerous books for O’Reilly, including The Effective Software Engineer (due out in March), and my cohost for O’Reilly’s AI Codecon. Every time I talk with him I come away feeling like I have a better grip on what’s real and what’s noise. Our recent conversation on Live with Tim O’Reilly was no exception.
Here are some of the things we talked about.
The hard problem is coordination, not generation
Addy pointed out that there’s a spectrum in how people are working with AI agents right now. On one end you have solo founders running hundreds or thousands of agents, sometimes without even reviewing the code. On the other end you have enterprise teams with quality gates, reliability requirements, and long-term maintenance to think about.
Addy’s take is that for most businesses, “the real frontier is not necessarily having hundreds of agents for a task just for its own sake. It’s about orchestrating a modest set of agents that solve real problems while maintaining control and traceability.” He pointed out that frameworks like Google’s Agent Development Kit now support both deterministic workflow agents and dynamic LLM agents in the same system, so you get to choose when you need predictability and when you need flexibility.
The ecosystem is developing fast. A2A (the agent-to-agent protocol Google contributed to the Linux Foundation) handles agent-to-agent communication while MCP handles agent-to-tool calls. Together they start to look like the TCP/IP of the agent era. But Addy was clear-eyed about where things stand: “Almost nobody’s figured out how to make everything work together as smoothly as possible. We’re getting as close to that as we can. And that’s the actual hard problem here. Not generation, but coordination.”
The “Something Big Is Happening” debate
In response to one of the audience questions, we spent some time on Matt Shumer’s viral essay arguing that the current moment in AI is like just before the COVID-19 epidemic hit. Those in the know were sounding the alarm, but most people weren’t hearing it.
Addy’s take was that “it felt a little bit like somebody who hadn’t been following along, just finally getting around to trying out the latest models and tools and having an epiphany moment.” He thinks the piece lacked grounding in data and didn’t do a great job distinguishing between what AI can do for prototypes and what it can do in production. As Addy put it, “Yes, the models are getting better, the harnesses are getting better, the tools are getting better. I can do more with AI these days than I could a year ago. All of that is true. But to say that all kinds of technical work can now be done with near perfection, I wouldn’t personally agree with that statement.”
I agree with Addy, but I also know how it feels when you see the future crashing in and no one is paying attention. At O’Reilly, we started working with the web when there were only 200 websites. In 1993, we built GNN, the first web portal, and the web’s first advertising. In 1994, we did the first large-scale market research on the potential of advertising as the web’s future business model. We went around lobbying phone companies to adopt the web and (a few years later) for bookstores to pay attention to the rise of Amazon, and nobody listened. I’m a big believer in “something is happening” moments. But I’m also very aware that it always takes longer than it appears.
Both things can be true. The direction and magnitude of this shift are real. The models keep getting better. The harnesses keep getting better. But we still have to figure out new kinds of businesses and new kinds of workflows. AI won’t be a tsunami that wipes everything away overnight.
Addy and I will be cohosting the O’Reilly AI Codecon: Software Craftsmanship in the Age of AI on March 26, where we’ll go much deeper on orchestration, agent coordination, and the new skills developers need. We’d love to see you there. Sign up for free here.
And if you’re interested in presenting at AI Codecon, our CFP is open through this Friday, February 20. Check out what we’re looking for and submit your proposal here.
Feeling productive vs. being productive
There was a great line from a post by Will Manidis called “Tool Shaped Objects” that I shared during our conversation: “The market for feeling productive is orders of magnitude larger than the market for being productive.” The essay is about things that feel amazing to build and use but aren’t necessarily doing the work that needs to be done.
Addy picked up on this immediately. “There is a difference between feeling busy and being productive,” he said. “You can have 100 agents working in the background and feel like you’re being productive. And then someone asks, What did you get built? How much money is it making you?”
This isn’t to dismiss anyone who’s genuinely productive running lots of agents. Some people are. But a healthy skepticism about your own productivity is worth maintaining, especially when the tools make it so easy to feel like you’re moving fast.
Planning is the new coding
Addy talked about how the balance of his time on a task has shifted significantly. “I might spend 30, 40% of the time a task takes just to actually write out what exactly is it that I want,” he said. What are the constraints? What are the success criteria? What’s the architecture? What libraries and UI components should be used?
All of that work to get clarity before you start code generation leads to much-higher-quality outcomes from AI. As Addy put it, “LLMs are very good at grounding things in the lowest common denominator. If there are patterns in the training data that are popular, they’re going to use those unless you tell them otherwise.” If your team has established best practices, codify them in Markdown files or MCP tools so the agent can use them.
I connected the planning phase to something larger about taste. Think about Steve Jobs. He wasn’t a coder. He was a master of knowing what good looked like and driving those who worked with him to achieve it. In this new world, that skill matters enormously. You’re going to be like Jobs telling his engineers “no, no, not that” and giving them a vision of what’s beautiful and powerful. Except now some of those engineers are agents. So management skill, communication skill, and taste are becoming core technical competencies.
Code review is getting harder
One thing Addy flagged that doesn’t get enough attention: “Increasingly teams feel like they’re being thrashed with all of these PRs that are AI generated. People don’t necessarily understand everything that’s in there. And you have to balance increased velocity expectations with ‘What is a quality bar?’ because someone’s going to have to maintain this.”
Knowing your quality bar matters. What are the cases where you’re comfortable merging an AI-generated change? Maybe it’s small and well-compartmentalized and has solid test coverage. And what are the cases where you absolutely need deep human review? Getting clear on that distinction is one of the most practical things a team can do right now.
Yes, young people should still go into software
We got a question about whether students should still pursue software engineering. Addy’s answer was emphatic: “There has never been a better time to get into software engineering if you are someone that is comfortable with learning. You do not necessarily have the burden of decades of knowing how things have historically been built. You can approach this with a very fresh set of eyes.” New entrants can go agent first. They can get deep into orchestration patterns and model trade-offs without having to unlearn old habits. And that’s a real advantage when interviewing at companies that need people who already know how to work this way.
The more important point is that in the early days of a new technology, people basically try to make the old things over again. The really big opportunities come when we figure out what was previously impossible that we can now do. If AI is as powerful as it appears to be, the opportunity isn’t to make companies more efficient at the same old work. It’s to solve entirely new problems and build entirely new kinds of products.
I’m 71 years old and 45 years into this industry, and this is the most excited I’ve ever been. More than the early web, more than open source. The future is being reinvented, and the people who start using these tools now get to be part of inventing it.
The token cost question
Addy had a funny and honest admission: “There were weeks when I would look at my bill for how much I was using in tokens and just be shocked. I don’t know that the productivity gains were actually worthwhile.”
His advice: experiment. Get a sense of what your typical tasks cost with multiple agents. Extrapolate. Ask yourself whether you’d still find it valuable at that price. Some people spend hundreds or even thousands a month on tokens and feel it’s worthwhile because the alternative was hiring a contractor. Others are spending that much and mostly feeling busy. As Addy said, “Don’t feel like you have to be spending a huge amount of money to not miss out on productivity wins.”
I’d add that we’re in a period where these costs are massively subsidized. The model companies are covering inference costs to get you locked in. Take advantage of that while it lasts. But also recognize that a lot of efficiency work is yet to be done. Just as JavaScript frameworks replaced everyone hand-coding UIs, we’ll get frameworks and tools that make agent workflows much more token-efficient than they are today.
2028 predictions are already here
One of the most striking things Addy shared was that a group in the AI coding community that he is part of had put together predictions for what software engineering would look like by 2028. “We recently revisited that list, and I was kind of shocked to discover that almost everything on that list is already possible today,” he said. “But how quickly the rest of the ecosystem adopts these things is on a longer trajectory than what is possible.”
That gap between capability and adoption is where most of the interesting work will happen over the next few years. The technology is running ahead of our ability to absorb it. Figuring out how to close that gap, in your team, your company, and your own practice, is the real job right now.
Agents writing code for agents
Near the end we answered another great audience question: Will agents eventually produce source code that’s optimized for other agents to read, not humans? Addy said yes. There are already platform teams having conversations about whether to build for an agent-first world where human readability becomes a secondary concern.
I have a historical parallel for this. I wrote the manual for the first C compiler on the Mac, and I worked closely with the developer who was hand-tuning the compiler output at the machine code level. That was about 30 years ago. We stopped doing that. And I’m quite confident there will be a similar moment with AI-generated code where humans mostly just let it go and trust the output. There will be special cases where people dive in for absolute performance or correctness. But they’ll be rare.
That transition won’t happen overnight. But the direction seems pretty clear. You can help to invent the future now, or spend time later trying to catch up with those who do.
This conversation was part of my ongoing series of discussions with innovators, Live with Tim O’Reilly. You can explore past episodes on the O’Reilly learning platform.
11:56
Peter Pentchev: Ringlet release: fnmatch-regex 0.3.0 [Planet Debian]
Version 0.3.0 of the fnmatch-regex Rust crate is
now available. The major new addition is the glob_to_regex_pattern
function that only converts the glob pattern to a regular
expression one without building a regular expression matcher. Two
new features - regex and std - are also
added, both enabled by default.
For more information, see the changelog at the homepage.
11:35
Grrl Power #1436 – Hot tip [Grrl Power]
I think the most revelatory thing about this page is that demons have commercial brownie mix. I know I’ve shown succubi shopping before, but that was a little tongue in cheek. I was really thinking the store would really have been more like a society with alchemy, but also modern supply chains. Parfait said the biggest difference between Earth and demon society was that demons lack suburbs. That doesn’t mean that Demon Lords’ Keeps can’t have grocery stores. Really, I guess there’s no reason that a star faring species like demons couldn’t have any modern convenience they want. They could all very well have cell phones and wi-fi hotspots. They could. They have a lot of magic based infrastructure, and replacing all of that or even supplementing it all with copper wires would be a considerable undertaking, and given the feudal nature of demon held worlds, that sort of stuff is vulnerable to anyone with a shovel or a horde of burrowing demons. That’s not to say that some Demon Lords haven’t experimented with mixed infrastructure, or that newer colonies, especially one with mixed populations, don’t have a combination of tech going on.
There’s nothing suspicious about a surge of people suddenly placing large bets on “Ixah” after she trashes a bunch of competitors that had higher odds than her going into the first round. Of course, as a total unknown, anyone with a prior association with the U.C.B.A. would have better favorability. Well, maybe unless they really biffed it last time, I guess. I don’t know how odds-makers do their thing, but it seems reasonable that someone who got evaporated in the first 10 seconds the last six times they entered would have a negative chutzpah factor in the odds equation, whereas a total unknown would be chutzpah neutral. Can you tell by my vocabulary I’m an expert on statistics?
That isn’t to say that rumors of Ixah’s identity won’t spread outward from Tom’s inner circle, especially as he has interests on many planets. It’s not going to lead the Xevoarchy straight to Earth, of course. Anyone who does well in the UCBA will have a lot of mentions on Gal-net, including people and groups boosting whatever their favorite theories are. The signal to noise ratio has to reach a certain magnitude before the millions of A.I.s out there tasked to watch such things start to care.
Here is Gaxgy’s painting Maxima promised him. Weird how he draws
almost exactly like me.
I did try and do an oil painting version of this, by actually re-painting over the whole thing with brush-strokey brushes, but what I figured out is that most brushy oil paintings are kind of low detail. Sure, a skilled painter like Bob Ross or whoever can dab a brush down a canvas and make a great looking tree or a shed with shingles, but in trying to preserve the detail of my picture (eyelashes, reflections, etc) was that I had to keep making the brush smaller and smaller, and the end result was that honestly, it didn’t really look all that oil-painted. I’ll post that version over at Patreon, just for fun, but I kind of quit on it after getting mostly done with re-painting Max.
Patreon has a no-dragon-bikini version of of the picture as well, naturally.
Double res version will be posted over at Patreon. Feel free to contribute as much as you like.
10:42
Freelancer empathy [Seth's Blog]
When phone cameras got good enough, portrait photographers scolded people who took their own headshots.
And when the Mac got pretty good at typesetting, professional designers pointed out that people who can’t tell a font from a typeface and don’t care about kerning should avoid it.
Professional translators bring humanity and insight to transforming writing from one language to another, but many people continue to use Google Translate…
Here’s the thing: the translators take their own headshots. Web designers often use translation software. And life coaches build their own websites with Squarespace and put their own selfies on Linkedin. We all make our own decisions, and most of the time, we use tech to do it ourselves.
This began with the Model T. Before that, people with enough money to buy a car also had a driver.
It’s not easy to find clients, particularly when technology makes it straightforward for many people to do the mechanical part of what you do for them on their own. It’s more convenient, faster and cheaper. It might not be as good by your standards, but if the client wants faster and cheaper, you’re unlikely to win that argument.
When was the last time you hired a studio photographer instead of using a stock photo of a piece of fruit? Or paid for a stock photo instead of using a cc or ai image? You might not cut your own hair (I’m not an expert) but you probably pump your own gas and cook your own meals.
The opportunity isn’t to race to the bottom, or to try to persuade someone that it’s worth upgrading. Instead, we can celebrate the fact that more people are discovering the power of photos, of type, of coaching and of cooking… and we can upgrade what we offer.
The goal is to be the first choice for people who couldn’t imagine doing it themselves, simply because their work is too important or your work is too good for them to ignore.
The best way to upgrade a freelance career is to get better clients. They challenge you, pay you more and talk about you more. And you don’t get better clients by working hard for lousy clients. You get better clients by becoming the kind of freelancer that better clients want to hire.
06:14
The Soporific Slump – DORK TOWER 19.02.26 [Dork Tower]
Most DORK TOWER strips are now available as
signed, high-quality prints, from just $25!
CLICK
HERE to find out more!
HEY! Want to help keep DORK TOWER going? Then consider joining the DORK TOWER Patreon and ENLIST IN THE ARMY OF DORKNESS TODAY! (We have COOKIES!) (And SWAG!) (And GRATITUDE!)
Flagrant Llama Abuse [Penny Arcade]
Sixteen years ago one day, I was walking down the street - you know how it is.
02:28
I'm a boy, I'm allowed to say boys are dumb
01:49
Undo in Vi and its successors [OSnews]
So vi only has one level of undo, which is simply no longer fit for the times we live in now, and also wholly unnecessary given even the least powerful devices that might need to run vi probably have more than enough resources to give at least a few more levels of undo. What I didn’t know, however, is that vi’s limited undo behaviour is actually part of POSIX, and for full compliance, you’re going to need it. As Chris Siebenmann notes, vim and its derivatives ignore this POSIX requirement and implement multiple levels of undo in the obviously correct way.
What about nvi, the default on the BSD variants? I didn’t know this, but it has a convoluted workaround to both maintain POSIX compatibility and offer multiple levels of undo, and it’s definitely something.
Nvi has opted to remain POSIX compliant and operate in the traditional vi way, while still supporting multi-level undo. To get multi-level undo in nvi, you extend the first ‘u’ with ‘.’ commands, so ‘u..’ undoes the most recent three changes. The ‘u’ command can be extended with ‘.’ in either of its modes (undo’ing or redo’ing), so ‘u..u..’ is a no-op. The ‘.’ operation doesn’t appear to take a count in nvi, so there is no way to do multiple undos (or redos) in one action; you have to step through them by hand. I’m not sure how nvi reacts if you want do things like move your cursor position during an undo or redo sequence (my limited testing suggests that it can perturb the sequence, so that ‘.’ now doesn’t continue undoing or redoing the way vim will continue if you use ‘u’ or Ctrl-r again).
↫ Chris Siebenmann
Siebenmann lists a few other implementations and how they work with undo, and it’s interesting to see how all of them try to solve the problem in slightly different ways.
Loser Behavior, tbh [The Stranger]
Do you need to get something off your chest? Submit an I, Anonymous and we'll illustrate it! by Anonymous
The coffee shop was busy and full, and you were sitting on the couch while your friend was sitting at the armchair. There was room on the couch and another unoccupied armchair next to your friend. Both of you were on your phones. My husband and I asked if we could sit in the empty spaces. You looked at us and then went back to your phone. We sat down for a minute, but then a bench freed up nearby and we moved there.
Five minutes later, your friends showed up and you started talking about us because we just sat down randomly. Dude, if you didn't want us to sit next to you, you could have said you were waiting on people. Saying nothing and then shit-talking about us is sad and lame.
Do you need to get something off your chest? Submit an I, Anonymous and we'll illustrate it! Send your unsigned rant, love letter, confession, or accusation to ianonymous@thestranger.com. Please remember to change the names of the innocent and the guilty.
01:00
Jesse Jackson Helped Me Unlearn the Church [The Stranger]
This week, as we mark Jackson’s passing, the tributes have rightly talked about the “Rainbow Coalition,” about how he stretched the imagination of what a Black candidate could do and be in national politics, about how his run helped clear a path that others later walked. All true. Still, grief has a way of pulling the personal to the surface. For me, the most enduring legacy of that speech isn’t only what it meant for the Democratic Party. It’s what it meant for a seven-year-old Black boy sitting in his parents’ basement, watching the 1988 Democratic National Convention unfold on a flickering television, absorbing the world the way children do, through what adults do and don’t say. by Marcus Harrison Green
Most people file it away as a political artifact: the “Keep Hope Alive” speech, a concession with a crescendo that closed out Jesse Jackson’s 1988 campaign. But I remember it less as a footnote to an election and more as a key, one that cracked open a door inside me before certain kinds of cruelty could fully settle in.
This week, as we mark Jackson’s passing, the tributes have rightly talked about the “Rainbow Coalition,” about how he stretched the imagination of what a Black candidate could do and be in national politics, about how his run helped clear a path that others later walked. All true.
Still, grief has a way of pulling the personal to the surface. For me, the most enduring legacy of that speech isn’t only what it meant for the Democratic Party. It’s what it meant for a seven-year-old Black boy sitting in his parents’ basement, watching the 1988 Democratic National Convention unfold on a flickering television, absorbing the world the way children do, through what adults do and don’t say.
My parents watched Jackson like you watch the sky after you’ve lived through storms: with hope, yes, but also with the disciplined flinch of those who know the weather can quickly change without warning. To them, his rise carried the ache of “almost.” A Black man on that stage, in that era, closer than any other had been to the center of a major party’s power, and still not quite permitted to sit at the head of the table.
I didn’t have the vocabulary for it then, but I felt the emotion: the nation’s talent for inviting us in its home just so long as we don’t rearrange the furniture. “Be grateful,” America says, “but don’t get comfortable.”
That was the late ’80s bargain. The Cosby Show reigned on Thursday nights, offering a version of Black success that was polished, upper-middle-class, and politically quiet, an American bedtime story where bootstraps were always enough and structural racism was mostly implied, never indicted. A ceiling disguised as a dream. The message wasn’t simply “look, we made it.” It was: this is the acceptable shape of Black life, this is what you can be if you stop complaining about what’s been done to you.
And then there was church, the other classroom.
Every Sunday, I sat under theology that didn’t just preach salvation; it sorted humanity. At our megachurch, Christian Faith Center, the world arrived pre-labeled: righteous and sinful, clean and contaminated. And woven through it all, like a thread that tugged at boys especially, was a narrow definition of manhood: tough, dominant, heterosexual, and unquestioning. The pastor would say there is only one choice for relationships: a man with a woman.
As a kid, you don’t call it indoctrination. You call it normal.
So when Jesse Jackson stood at that convention and spoke about gay and lesbian people as people, not as a problem or a cautionary tale, something in me shifted. The moment wasn’t loud in the way politics is loud. It was loud in the way truth is loud.
“Gays and lesbians, when you fight against discrimination and a cure for AIDS, you are right—but your patch is not big enough.”
I didn’t understand everything he meant. But I understood the part that mattered. On national television, in the bright machinery of American politics, without flinching, he placed gay and lesbian people inside the circle of concern and dignity, and he did it in 1988, when the country was still trying to treat AIDS like divine punishment instead of a public emergency.
So much of the “common sense” of that era was soaked in cruelty. Thousands had already died from AIDS, and treatment was not the world it is now. Ronald Reagan infamously delayed even acknowledging the epidemic in public. And in many churches, the disease was framed as consequence: a karmic pox for sinners, a story about them, safely distant from us.
But Jackson spoke as if the people dying mattered.
He didn’t talk about AIDS like it was happening on another planet. He talked about it like it was happening in America because it was. He talked about hospice, about rejection, about the isolation of being sick and shamed at once. He said those living with AIDS deserved compassion. Not disgust or distance, but compassion.
And in my basement, in my little body, I felt something break: not my faith exactly, but my certainty. The certainty that the adults who sounded sure must be right. The certainty that “righteousness” meant excluding people, and that dehumanization could be holy.
Homophobia often comes handed as inheritance, an “us vs. them” story wrapped in scripture, welded to gender roles, reinforced by jokes, threats, and silence. For Black boys raised in church, it can also arrive as armor. A performance of hardness meant to protect you from a world eager to hypersexualize, degrade, or erase you. The cruel logic of patriarchy: to be seen as a man, you must loudly reject anything the world codes as soft.
At seven, I didn’t have that analysis. What I had was a gut sense that something I’d been taught was not as sacred as it claimed. Jackson’s speech did not make me instantly wise. It didn’t turn me into a miniature ally with perfect language. What it did, more practically and miraculously, was interrupt the formation of a prejudice before it could harden into identity.
It kept me asking questions. And bigotry hates questions.
Jackson also modeled something rare, especially for a Black male leader navigating a country that punishes us for stepping out of line: courage that didn’t audition itself for acceptability. It would have been politically easy to ignore LGBTQ people, especially when the constituency was treated as controversial, expendable, or too risky to acknowledge. Plenty of Democrats did. Even later, under President Clinton, the country got “Don’t Ask, Don’t Tell”, a policy that translated cowardice into law and asked queer people to make themselves smaller for the comfort of the state.
Jackson, by contrast, widened the frame.
Now, we should tell the truth about Jackson too, because it is not the enemy of gratitude. He used an antisemitic slur during his 1984 campaign and damaged a Black-Jewish alliance already under strain. Years later, he fathered a child outside his marriage, private harm that became public in a way that rippled beyond him. The man was not spotless. No one is.
But it is possible to hold the whole human and still name the consequential work they did in a particular hour.
I think about that now, older, long gone from the church I was raised me, especially knowing what later came to light about Christian Faith Center: allegations of sexual harassment, exploitation, and the familiar architecture of power protecting itself. It’s hard not to look back and see how often institutions preach purity while practicing predation, and demand moral submission from congregants while laundering their own sin in the language of “leadership.”
Jackson’s speech helped me separate faith from fear. It helped me understand that dehumanization can wear a cross, recognize that “righteousness” can be a costume, and that compassion is often the truer proof of belief than any shouted doctrine.
Near the end of that 1988 speech, Jackson offered a line that still guides me: “If an issue is morally right, it will eventually be political.”
At seven, I didn’t know I was being handed a compass. I just knew I’d seen a Black man on a national stage widen the definition of “our people.” And somehow, in the process, he widened me too.
Not into perfection. Into possibility.
So yes, let the headlines remember the campaign, the coalition, the “Keep Hope Alive” refrain. But as we mourn Jesse Jackson’s passing, I want to name this quieter legacy: that in a country, and a church culture, where cruelty could masquerade as conviction, he chose to insist on the full humanity of queer people. He did it clearly, publicly, and without apology.
And because he did, a Black boy learned that love is an ethic, not a weakness. That manhood is not forged in exclusion but in accountability. That faith, at its best, is expansive. And that interrupting inherited hatred begins with a deliberate declaration: they are people, too.
Keep hope alive, yes.
But let it be hope wide enough to hold all of us without exceptions or asterisks.
00:35
[$] LWN.net Weekly Edition for February 19, 2026 [LWN.net]
Inside this week's LWN.net Weekly Edition:
- Front: AI agent goes rogue; debuginfo; iocaine; revocable resource-management patches; 7.0 merge window; AccECN; LLMs and security; Humanitarian OpenStreetMap Team.
- Briefs: upki; Asahi Linux progress; DFSG processes; Fedora in Syria; Plasma 6.6.0; Vim 9.2; ...
- Announcements: Newsletters, conferences, security updates, patches, and more.
00:14
Me Wants Read [Looking For Group]
It’s dawned on me recently that I’m simply not
reading enough these days: books, graphics novels, name it. I used
to ingest words faster than Red Bull, and for the last year or so,
I’ve definitely slowed down. All that
Read More
The post Me Wants Read appeared first on Looking For Group.
Wednesday, 18 February
23:28
Clint Adams: Holger says [Planet Debian]
sq network keyserver search $id ; sq cert export
--cert=$id > $id.asc
Posted on 2026-02-18
Tags: quanks
22:42
F9: an L4-style microkernel for ARM Cortex-M [OSnews]
F9 is an L4-inspired microkernel designed for ARM Cortex-M, targeting real-time embedded systems with hard determinism requirements. It implements the fundamental microkernel principles—address spaces, threads, and IPC, while adding advanced features from industrial RTOSes.
↫ F9 kernel GitHub page
For once, not written in Rust, and comes with both an L4-style native API and a userspace POSIX API, and there’s a ton of documentation to get you started.
22:07
A Secret Project is Afoot at the Scalzi Compound! [Whatever]
What is it? I can’t tell you! When will you be able to know? I can’t say! But when I can tell you, will I? We’ll see!
What I can tell you is that Athena is working on it with me, she’s been great to work with so far, and my decision to hire her at Scalzi Enterprises was pretty smart. Clearly I know what I’m doing all the time.
Anyway, my kid’s awesome and we’re doing cool stuff. I hope we get to share it with you. Eventually.
— JS
21:56
Windows 11’s new MIDI framework delivers MIDI 2.0 [OSnews]
It’s been well over a year since Microsoft unveiled it was working on bringing MIDI 2.0 to Windows, and now it’s actually here available for everyone.
We’ve been working on MIDI over the past several years, completely rewriting decades of MIDI 1.0 code on Windows to both support MIDI 2.0 and make MIDI 1.0 amazing. This new combined stack is called “Windows MIDI Services.”
The Windows MIDI Services core components are built into Windows 11, rolling out through a phased enablement process now to in-support retail releases of Windows 11. This includes all the infrastructure needed to bring more features to existing MIDI 1.0 apps, and also support apps using MIDI 2.0 through our new Windows MIDI Services App SDK.
↫ Pete Brown and Gary Daniels at the Windows Blogs
This is the kind of work users of an operating system want to see. Improvements and new features like these actually have a meaningful, positive impact for people using MIDI, and will genuinely give them them benefits they otherwise wouldn’t get. I won’t pretend to know much about the detailed features and improvements listed in Microsoft’s blog post, but I’m sure the musicians in the audience will be quite pleased.
Whomever at Microsoft was responsible for pushing this through, managing this team, and of course the team members themselves should probably be overseeing more than just this. Less “AI” bullshit, more of this.
Think You Are the King of the Bus? [The Stranger]
I was excited to play. And then I lost. Twice. by Nathalie Graham
People who take the bus are superior to exclusive light railers, who are only cosplaying as serious transit riders. That measly track can be the gateway drug into the vastness of Seattle’s public transportation network. It can only take you two directions today—and a third and fourth when the Cross Lake Connection unites the 2 Line with Seattle proper on March 28. On the bus, you can go anywhere.
At least, this is what I thought of myself. I take the bus frequently and have since I moved here almost 12 years ago. But a new game has humbled me.
Routle is a new daily iteration in the vein of Wordle (for the logophiles) and Worldle (for the geophiles), except it puts transit route knowledge to the test. Made by software engineer and self-described “mysterious train-loving hacker” one-time San Francisco resident River Honer, Routle shows one unlabeled King County Metro (or Sound Transit light rail) route each day. Players only see the route’s shape—there’s no map of Seattle—and have five guesses at which route it is (wrong guesses will appear on the screen). As transit nerds will note, it’s missing a few ferries, doesn’t include rapid ride routes and is limited to the Seattle area. Honer says she didn’t include everything because “Seattle’s bus network is very far reaching.” She’s open to feedback if people think she should expand the routes, but doesn’t want to make the game too hard.
Honer started with San Francisco’s transit routes and recently released versions of the game for us, Portland, and AC Transit in Alameda County, California.
Honer made the Seattle version because she used to spend summers here. She figured it would be a good option for Routle because of our “good number of iconic routes” and we have a population of transit enthusiasts.
I was excited to play. And then I lost. Twice.
It turns out I only know the buses I know, from the four Seattle neighborhoods I’ve lived in.
My husband, a lifelong Seattleite, got yesterday’s Routle (Route 3) in two guesses. Last night, we talked about how many routes in Seattle we knew. We attempted to name where each bus traveled from Route 2 through Route 79. This is hard to do. He paused to complain about the neutering of the 43, which used to run all the way to Ballard, and the 48, which used to reach Rainier Beach.
I sent the game to my mother-in-law, also a lifelong Seattleite. She mused about it. She grew up taking one set of routes, then used another set in young adulthood, and a whole different set as parents. The transit routes we know are extensions of our lives at any point in time.
It’s the same for Routle’s creator, Honer. She used to visit Seattle in the summers. “I remember when the link tunnel was the ‘bus tunnel,’” she reminisced. “I used the 12 and 10 buses to get to my summer job at Pike’s Place Market [sic]. I was also there when the South Lake Union streetcar was opened.”
For me, I knew the University District routes well, but they changed when the light rail came. I remember taking the 45 to Ballard for a first date at the end of freshman year. I learned the 65 when I graduated and had to commute to my first job. Then, it was all Capitol Hill routes. (And others, but I will not be doxing myself, you freaks).
19:28
RIP Scalzi DSL Line, 2004 – 2026 [Whatever]
As most of you know, I live on a rural road where Internet options are limited. More than 20 years ago, DSL became available where I live, which meant that I could ditch the satellite internet of the early 2000s, which topped out at something like 1.5mbps and rarely achieved that, and which went out entirely if it rained, for a line that had a, for me, blisteringly fast 6mbps speed.
That was the speed it stayed at for most of the next twenty years, until my provider, rather grudgingly, increased the speed to 40mbps — not fast, but certainly faster — and there it stayed. Over time the DSL service stopped being as reliable, rarely actually got up to 40mbps, and, actually started going out when it rained, like the satellite internet of old, but without the excuse of being, you know, in space and blocked by clouds.
A few months back I went ahead and ordered 5G internet service from Verizon, because it was faster and doesn’t have usage caps, which had been a stumbling block for 5G service previously. It’s not top of the line, relative to other services that are available elsewhere — usually 120+mbps, where the church’s service is at 300+mbps, and Athena’s in town Internet is fiber and clocks in at 2gbps — but it’s fast enough for what I use the internet for, and to steam high-definition movies and TV. I held on to the DSL since then to make sure I was happy with the new service, because that seemed a sensible thing to do.
No more. The 5G wireless works flawlessly and has for months, and the time has come. After 20+ years, I have officially cancelled my DSL line. A big day in the technology life of the Scalzi Compound. I thank the DSL for its service, but its watch has now ended. We all most move on, ceaselessly, into the future, where I can download stuff faster.
I’m still keeping my landline, however, to which the DSL was attached. Call me old-fashioned.
— JS
18:49
Slog AM: ICE Left a $200 million Hole In Minneapolis’s Economy, Waymo Uses DoorDash to Close the Doors of Its Cars, Will the Seahawks Visit the White House? [The Stranger]
The Stranger's morning news roundup. by Charles Mudede
The Seahawks basically destroyed the Patriots to claim their second Super Bowl. Now comes the big question: Will the team visit the White House? Back in 2014, they made the trip and celebrated with the then president Barack Obama. But things are very different now. Trump is violently attacking cities and not even trying to hide his racism. The Seahawks have a lot Black players and the city it represents is considered a “Welcoming City.” How can this work out? Rumours recently circulated that the team had declined the standard invitation, but it’s now reported that the whole business is still very much up in the air. Also not verified is the rumor that the Seahawks haven’t received an invitation from Trump’s White House. Maybe both sides just want to keep their mouths shut and let this difficult matter quietly pass like two ships in the night.
Yesterday, at around 4:45 pm, we at the Stranger’s office saw through the windows something that had the likeness of snow. Was it the real stuff or not? We couldn’t tell. Maybe this was a collective hallucination. Today, expect a low of 31, a mostly cloudy morning, some rain in the afternoon, and, yet again, no snow.
KIRO Radio is popping the champagne because Seattle's noble attempt to improve the labor standards of hyper-exploited gig workers has apparently backfired. Drivers are now earning “20 cents less per hour than before.” They blamed this drop on Seattle leaders who apparently have no contact with reality, with capitalist reality. And what the captains of this mode of accumulation never stop telling us is this: Labor rights and rising wages are the sole cause of rising costs and immiseration of the poor. Any other explanation is, according to them, not realistic. It’s just labor’s demand for more and more that’s the root of all evil, they say.
A quick thing about a book I’m currently reading. It’s called Capitalism: A Global History. It’s by German-born economist and historian Sven Beckert. It’s 1344 pages. I’m near page 900. But what I've learned from this book is that the natural rate for wages in capitalism is zero. And the rise of wages is, essentially, nothing but the resistance by labor to this natural tendency. Beckert doesn’t exactly say this, but he does make it clear that a capitalism without any regulation must lead to its form of slavery, which is the commodification of the body. Wages above zero result in the commodification of labor power. I will stop there and now turn to the robots of the 21st century.
The best story I’ve heard in a minute is that Waymo, which is basically Uber without drivers, is turning to gig workers, such as those who work for DoorDash, to close car doors left open by flakey or crafty customers. And how much does Waymo pay for what can only be called the human touch? $11.25. So the zero wage robot is not yet up to snuff.
Now, let’s turn to something that should really alarm Seattle’s leaders. Operation Metro Surge not only brought death, state-sanctioned lawbreaking, and general mayhem to Minneapolis; it also delivered a big blow to the city’s economy. The estimated cost so far of an operation that began on the first day of the present year and had nothing to do with protecting Americans from the “worst of the worst” is $203.1 million. The bulk of this cost is attributed to revenue small businesses lost ($82 million). The rest of the tab went to lost wages ($47 million), social services that experienced extraordinary stress ($17 million), overtime pay to police officers and other city officials ($4 million), and hotel cancellations ($4 million). The city thinks it will take years to regain ground from this complete waste of money.
Now that ICE is bringing its post-apocalyptic show in Minneapolis to an end, the border czar, Tom (Bribe Loving) Homan, is looking for the next theater. Homan: "I've said from day one that, you know, we need to flood the zone and sanctuary cities with additional agents.” That "sanctuary city” could be Seattle. And the cost of this performance, which is all it really is, will be terrific. The only thing that might protect us from this massive waste of time, lives, and money is our tech hub status, which means we play an important role in maintaining the only game in town, the gigantic AI bubble.
Minneapolis officials have released an estimated tab on what Operation Metro Surge has cost city residents so far.
bit.ly/4cqEfFq
— FOX 13 Seattle (@fox13seattle.bsky.social) February 15, 2026 at 6:00 AM
[image or embed]
So, you still want to talk about how high wages always backfire. Well, what’s this in the Seattle Times? The pay ratio for Starbucks CEO, Brian Niccol, is an astounding 1,749 to 1. Meaning–he earns $30,992,773, and the average worker earns $17,279. My god. The pressure to reduce wages to zero is way too real in 2026. Again, nothing but labor’s resistance to the true nature of capitalism prevents this catastrophe. If we do nothing, the zero law will be, to use the words of Marx, like “the law of gravity [that] asserts itself when a house falls about our ears.”
Let’s end AM with an ‘80s tune that compares love-enthrallment with the condition of a robot, the Pointer Sister’s “Automatic.”
18:00
Antoine Beaupré: net-tools to iproute cheat sheet [Planet Debian]
This is also known as: "ifconfig is not installed
by default anymore, how do I do this only with the ip
command?"
I have been slowly training my brain to use the new commands but
I sometimes forget some. So, here's a couple of equivalence from
the old package to net-tools the new
iproute2, about 10 years late:
net-tools |
iproute2 |
shorter form | what it does |
|---|---|---|---|
arp -an |
ip neighbor |
ip n |
|
ifconfig |
ip address |
ip a |
show current IP address |
ifconfig |
ip link |
ip l |
show link stats (up/down/packet counts) |
route |
ip route |
ip r |
show or modify the routing table |
route add default GATEWAY |
ip route add default via GATEWAY |
ip r a default via GATEWAY |
add default route to GATEWAY |
route del ROUTE |
ip route del ROUTE |
ip r d ROUTE |
remove ROUTE (e.g. default) |
netstat -anpe |
ss --all --numeric --processes --extended |
ss -anpe |
list listening processes, less pretty |
Another trick
Also note that I often alias ip to ip -br
-c as it provides a much prettier output.
Compare, before:
anarcat@angela:~> ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff permaddr xx:xx:xx:xx:xx:xx
altname wlp166s0
altname wlx8cf8c57333c7
4: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
valid_lft forever preferred_lft forever
20: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
inet 192.168.0.108/24 brd 192.168.0.255 scope global dynamic noprefixroute eth0
valid_lft 40699sec preferred_lft 40699sec
After:
anarcat@angela:~> ip -br -c a
lo UNKNOWN 127.0.0.1/8 ::1/128
wlan0 DOWN
virbr0 DOWN 192.168.122.1/24
eth0 UP 192.168.0.108/24
I don't even need to redact MAC addresses! It also affects the display of the other commands, which look similarly neat.
Also imagine pretty colors above.
Finally, I don't have a cheat sheet for iw vs
iwconfig (from wireless-tools) yet. I
just use NetworkManager now and rarely have to mess with wireless
interfaces directly.
Background and history
For context, there are traditionally two ways of configuring the network in Linux:
- the old way, with commands like
ifconfig,arp,routeandnetstat, those are part of the net-tools package - the new way, mostly (but not entirely!) wrapped in a single
ipcommand, that is the iproute2 package
It seems like the latter was made "important" in Debian in
2008, which means every release since Debian 5 "lenny"
has
featured the ip command.
The former net-tools package was demoted
in December 2016 which means every release since Debian 9
"stretch" ships without an ifconfig command
unless explicitly requested. Note that this was mentioned in
the release notes in a similar (but, IMHO, less useful)
table.
(Technically, the net-tools Debian package source
still indicates it is Priority: important but that's
a bug I
have just filed.)
Finally, and perhaps more importantly, the name
iproute is hilarious if you are a bilingual french
speaker: it can be read as "I proute" which can be interpreted as
"I fart" as "prout!" is the sound a fart makes. The fact that it's
called iproute2 makes it only more hilarious.
17:49
Free Software Directory meeting on IRC: Friday, February 20, starting at 12:00 EST (17:00 UTC) [Planet GNU]
Join the FSF and friends on Friday, February 20 from 12:00 to 15:00 EST (17:00 to 20:00 UTC) to help improve the Free Software Directory.
17:14
Could WriteProcessMemory be made faster by avoiding the intermediate buffer? [The Old New Thing]
A little while ago, we wondered
whether WriteProcessMemory was faster than
shared memory for transferring data between two processes, and
the conclusion is that it wasn’t. Shared memory, as its name
implies, shares the memory between two processes: The two processes
are accessing the same memory; there are no copies. On the other
hand, the implementation of
WriteProcessMemory allocates a transfer
buffer, copies the data from the source to the transfer buffer,
then changes memory context to the destination, and then copies the
data from the transfer buffer to the destination. But could
WriteProcessMemory be optimized to avoid
this copy?
I mean, I guess you could do that in theory. I’m thinking, maybe create a memory descriptor list (MDL), lock and map the pages into kernel mode while in the context of the source, then change context to the destination and copy the memory to the destination. Repeat until all the memory has been copied. You don’t want to allocate a single MDL for the entire source block because the program might say that it wants to copy 100GB of memory, and if you didn’t cap the size of the transfer buffer, that would lock 100GB of RAM.
But it seems overkill and unnecessary to lock the source pages. It’s fine for them to be pageable. We’re okay with them faulting in as necessary.
I don’t know if there’s a way to map memory from one process into another except by locking it. I don’t spend a lot of time in kernel mode. But you do have to be careful that the mapping goes into the kernel address space and not the user-mode address space. Putting it in the user-mode address space would be a security vulnerability because the destination process can see the bytes on the source page that are not part of the memory being copied.¹
But really, all of this effort is pointless. We saw that the
purpose of the WriteProcessMemory function
is not inter-process communication (IPC) but
to be a tool for debuggers. Debuggers are typically writing
just a few bytes at a time, say, to patch a breakpoint instruction,
and
the WriteProcessMemory function actually
goes out of its way to write the memory, even in the face of
incompatible memory protections, though it does so in a
not-thread-safe way. But that’s okay because the destination
process is presumably frozen by the debugger when it calls
WriteProcessMemory. A debugger is not
going to patch a process while it’s actively running. The
lack of atomicity means that patching a running process could
result in the process seeing torn state, like a partly-patched
variable or even a partly-patched instruction.
In summary, WriteProcessMemory was not
intended to be used as an inter-process communication channel. Its
intended client is a debugger that is using it to patch bytes in a
process being debugged. The very high level of access required to
call the function (PROCESS_VM_WRITE) is not suitable
for an inter-process communication channel, since it basically
gives the writer full pwnage over the process being written to. In
the case of a debugger, you want the debugger to have
complete and total control of the process being debugged. But in
the case of IPC, you don’t want to give your clients that
high a level of access to your process. And even if you get past
that, the lack of atomicity and lack of control over the order in
which the bytes become visible in the target process means that
WriteProcessMemory is not suitable as an
IPC mechanism anyway. There’s no point trying to make a bad
idea more efficient.
¹ Or you could try it the other way: Map the destination
into the source. But now you are giving the source read access to
the destination bytes that share the same page as the destination
buffer, even though the source may not have
PROCESS_VM_READ access.
The post Could <CODE>WriteProcessMemory</CODE> be made faster by avoiding the intermediate buffer? appeared first on The Old New Thing.
16:21
[$] More accurate congestion notification for TCP [LWN.net]
The "More Accurate Explicit Congestion Notification" (AccECN) mechanism is defined by this RFC draft. The Linux kernel has been gaining support for AccECN with TCP over the last few releases; the 7.0 release will enable it by default for general use. AccECN is a subtle change to how TCP works, but it has the potential to improve how traffic flows over both public and private networks.
15:42
Thomas Lange: 42.000 FAI.me jobs created [Planet Debian]
The FAI.me service has reached another milestone:
The 42.000th job was submitted via the web interface since the beginning of this service in 2017.
The idea was to provide a simple web interface for end users for creating the configs for the fully automatic installation with only minimal questions and without knowing the syntax of the configuration files. Thanks a lot for using this service and for all your feedback.
The next job can be yours!
P.S.: I like to get more feedback for the FAI.me service. What do you like most? What's missing? Do you have any success story how you use the customized ISO for your deployment? Please fill out the FAI questionaire or sent feedback via email to fai.me@fai-project.org
About FAI.me
FAI.me is the service for building your own customized images via a web interface. You can create an installation or live ISO or a cloud image. For Debian, multiple release versions can be chosen, as well as installations for Ubuntu Server, Ubuntu Desktop, or Linux Mint.
Multiple options are available like selecting different desktop environments, the language and keyboard and adding a user with a password. Optional settings include adding your own package list, choosing a backports kernel, adding a postinst script and adding a ssh public key, choosing a partition layout and some more.
15:35
Fedora now available in Syria [LWN.net]
Justin Wheeler writes in Fedora Magazine that Fedora is now available in Syria once again:
Last week, the Fedora Infrastructure Team lifted the IP range block on IP addresses in Syria. This action restores download access to Fedora Linux deliverables, such as ISOs. It also restores access from Syria to Fedora Linux RPM repositories, the Fedora Account System, and Fedora build systems. Users can now access the various applications and services that make up the Fedora Project. This change follows a recent update to the Fedora Export Control Policy. Today, anyone connecting to the public Internet from Syria should once again be able to access Fedora.
[...] Opening the firewall to Syria took seconds. However, months of conversations and hidden work occurred behind the scenes to make this happen.
15:07
The Spurlocks of RSS-Land [Scripting News]
I saw a product announcement from Jake Spurlock -- a new feed reader called Today. From the description sounds well-thought-out.
He explains -- "Google killed Reader in 2013. I've been chasing that feeling ever since. So I built it."
I also know someone named John Spurlock, who I worked on some OPML and RSS stuff for Bluesky in 2023. I sent a note of congrats to him, when I really should've sent it to Jake.
Screen shot of the conversation I had with ChatGPT.
And text of the email I sent congratulating the wrong Spurlock.
- Congrats on the new product!
- Haven't tried it yet, I don't generally use Apple's store on my Mac, not sure why. I will do it though.
- Your product looks nice and well-thought out.
- And there are some ways we could work together now that I think you'll find interesting, like using FeedLand to get you instant updates based on rssCloud, assuming you haven't figured out how to support it from a client.
- Also OPML subscriptions are nice too. Another thing I'd like to get going, and need someone to work with on to make it happen.
Also, I wonder if they're related? Have they met each other? Do they know of the havoc they are bringing to the formerly simple world of RSS.
One more thing, I wrote the foreword to a book Jake Spurlock wrote for O'Reilly about the Bootstrap Toolkit.
UI Changes [Ctrl+Alt+Del Comic]
Pretty soon we are going to push some UI changes to the website in support of the new update schedule/business model. Our change to a Patron-focused model has been really successful; the additional support has definitely balanced out what advertising has been failing to offer us for the past few years. That brings with it […]
The post UI Changes appeared first on Ctrl+Alt+Del Comic.
14:56
Dirk Eddelbuettel: qlcal 0.1.0 on CRAN: Easier Calendar Switching [Planet Debian]
The eighteenth release of the qlcal package arrivied at CRAN today. There has been no calendar update in QuantLib 1.41 so it has been relatively quiet since the last release last summer but we now added a nice new feature (more below) leading to a new minor release version.
qlcal delivers the calendaring parts of QuantLib. It is provided (for the R package) as a set of included files, so the package is self-contained and does not depend on an external QuantLib library (which can be demanding to build). qlcal covers over sixty country / market calendars and can compute holiday lists, its complement (i.e. business day lists) and much more. Examples are in the README at the repository, the package page, and course at the CRAN package page.
This releases makes it (much) easier to work with multiple calendars. The previous setup remains: the package keeps one ‘global’ (and hidden) calendar object which can be set, queried, altered, etc. But now we added the ability to hold instantiated calendar objects in R. These are external pointer objects, and we can pass them to functions requiring a calendar. If no such optional argument is given, we fall back to the global default as before. Similarly for functions operating on one or more dates, we now simply default to the current date if none is given. That means we can now say
> sapply(c("UnitedStates/NYSE", "Canada/TSX", "Australia/ASX"),
\(x) qlcal::isBusinessDay(xp=qlcal::getCalendar(x)))
UnitedStates/NYSE Canada/TSX Australia/ASX
TRUE TRUE TRUE
>
to query today (February 18) in several markets, or compare to two days ago when Canada and the US both observed a holiday
> sapply(c("UnitedStates/NYSE", "Canada/TSX", "Australia/ASX"),
\(x) qlcal::isBusinessDay(as.Date("2026-02-16"), xp=qlcal::getCalendar(x)))
UnitedStates/NYSE Canada/TSX Australia/ASX
FALSE FALSE TRUE
>
The full details from NEWS.Rd follow.
Changes in version 0.1.0 (2026-02-18)
Invalid calendars return id ‘TARGET’ now
Calendar object can be created on the fly and passed to the date-calculating functions; if missing global one used
For several functions a missing date object now implies computation on the current date, e.g.
isBusinessDay()
Courtesy of my CRANberries, there is a diffstat report for this release. See the project page and package documentation for more details, and more examples.
This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. If you like this or other open-source work I do, you can sponsor me at GitHub.
Edited 2026-02-21 to correct a minor earlier error: it referenced a QuantLib 1.42 release which does not (yet) exist.Freexian Collaborators: Monthly report about Debian Long Term Support, January 2026 (by Santiago Ruano Rincón) [Planet Debian]
The Debian LTS Team, funded by Freexian’s Debian LTS offering, is pleased to report its activities for January.
Activity summary
During the month of January, 20 contributors have been paid to work on Debian LTS (links to individual contributor reports are located below).
The team released 33 DLAs fixing 216 CVEs.
The team continued preparing security updates in its usual rhythm. Beyond the updates targeting Debian 11 (“bullseye”), which is the current release under LTS, the team also proposed updates for more recent releases (Debian 12 (“bookworm”) and Debian 13 (“trixie”)), including Debian unstable. We highlight several notable security updates here below.
Notable security updates:
- python3.9, prepared by Andrej Shadura (DLA-4455-1), fixing multiple vulnerabilities in the Python interpreter.
- php, prepared by Guilhem Moulin (DLA-4447-1), fixing two vulnerabilities that could yield to request forgery or denial of service.
- apache2, prepared by Bastien Roucariès DLA-4452-1, fixing four CVEs.
- linux-6.1, prepared by Ben Hutchings (DLA-4436-1), as a regular update of the linux 6.1 backport to Debian 11.
- python-django, prepared by Chris Lamb (DLA-4458-1), resolving multiple vulnerabilities.
- firefox-esr prepared by Emilio Pozuelo Monfort (DLA-4439-1)
- gnupg2, prepared by Roberto Sánchez (DLA-4437-1), fixing multiple issues, including CVE-2025-68973 that could potentially be exploited to execute arbitrary code.
- apache-log4j2, prepared by Markus Koschany (DLA-4444-1)
- ceph, prepared by Utkarsh Gupta (DLA-4460-1)
- inetutils, prepared by Andreas Henriksson (DLA-4453-1), fixing an authentication bypass in telnetd.
Moreover, Sylvain Beucler studied the security support status of p7zip, a fork of 7zip that has become unmaintained upstream. To avoid letting the users continue using an unsupported package, Sylvain has investigated a path forward in collaboration with the security team and the 7zip maintainer, looking to replace p7zip with 7zip. It is to note however that 7zip developers don’t reveal the information about the patches that fix CVEs, making it difficult to backport single patches to fix vulnerabilities in Debian released versions.
Contributions from outside the LTS Team:
Thunderbird, prepared by maintainer Christoph Goehre. The DLA (DLA-4442-1) was published by Emilio.
The LTS Team has also contributed with updates to the latest Debian releases:
- Bastien uploaded gpsd to unstable, and proposed updates for trixie #1126121 and bookworm #1126168 to fix two CVEs.
- Bastien also prepared the imagemagick updates for trixie and bookworm, released as DSA-6111-1, along with the bullseye update DLA-4448-1.
- Chris proposed a trixie point update for python-django (#112646), and the work for bookworm was completed in February (#1079454). The longstanding bookworm update required tracking down a regression in the django-storages packages.
- Markus prepared tomcat10 updates for trixie and bookworm (DSA-6120-1), and tomcat11 for trixie (DSA-6121-1)
- Thorsten Alteholz prepared bookworm point updates for zvbi (#1126167) to fix five CVEs; taglib (#1126273) to fix one CVE; and libuev (#1126370) to fix one CVE.
- Utkarsh prepared an unstable update of node-lodash to fix one CVE.
Other than the work related to updates, Sylvain made several improvements to the documentation and tooling used by the team.
Individual Debian LTS contributor reports
- Abhijith PA
- Andreas Henriksson
- Andrej Shadura
- Bastien Roucariès
- Ben Hutchings
- Carlos Henrique Lima Melara
- Chris Lamb
- Daniel Leidert
- Emilio Pozuelo Monfort
- Guilhem Moulin
- Jochen Sprickerhof
- Lee Garrett
- Markus Koschany
- Paride Legovini
- Roberto C. Sánchez
- Santiago Ruano Rincón
- Sylvain Beucler
- Thorsten Alteholz
- Tobias Frost
- Utkarsh Gupta
Thanks to our sponsors
Sponsors that joined recently are in bold.
- Platinum sponsors:
- Toshiba Corporation (for 124 months)
- Civil Infrastructure Platform (CIP) (for 92 months)
- VyOS Inc (for 56 months)
- Gold sponsors:
- F. Hoffmann-La Roche AG (for 134 months)
- CONET Deutschland GmbH (for 118 months)
- Plat’Home (for 117 months)
- University of Oxford (for 74 months)
- EDF SA (for 46 months)
- Dataport AöR (for 21 months)
- CERN (for 19 months)
- Silver sponsors:
- Domeneshop AS (for 139 months)
- Nantes Métropole (for 133 months)
- Akamai - Linode (for 129 months)
- Univention GmbH (for 125 months)
- Université Jean Monnet de St Etienne (for 125 months)
- Ribbon Communications, Inc. (for 119 months)
- Exonet B.V. (for 109 months)
- Leibniz Rechenzentrum (for 103 months)
- Ministère de l’Europe et des Affaires Étrangères (for 87 months)
- Dinahosting SL (for 74 months)
- Upsun Formerly Platform.sh (for 68 months)
- Deveryware (for 62 months)
- Moxa Inc. (for 62 months)
- sipgate GmbH (for 60 months)
- OVH US LLC (for 58 months)
- Tilburg University (for 58 months)
- GSI Helmholtzzentrum für Schwerionenforschung GmbH (for 49 months)
- THINline s.r.o. (for 22 months)
- Copenhagen Airports A/S (for 16 months)
- Conseil Départemental de l’Isère
- Bronze sponsors:
- Seznam.cz, a.s. (for 140 months)
- Evolix (for 139 months)
- Linuxhotel GmbH (for 137 months)
- Intevation GmbH (for 136 months)
- Daevel SARL (for 135 months)
- Megaspace Internet Services GmbH (for 134 months)
- Greenbone AG (for 133 months)
- NUMLOG (for 133 months)
- WinGo AG (for 132 months)
- Entr’ouvert (for 124 months)
- Adfinis AG (for 121 months)
- Laboratoire LEGI - UMR 5519 / CNRS (for 116 months)
- Tesorion (for 116 months)
- Bearstech (for 107 months)
- LiHAS (for 107 months)
- Catalyst IT Ltd (for 102 months)
- Demarcq SAS (for 96 months)
- Université Grenoble Alpes (for 82 months)
- TouchWeb SAS (for 74 months)
- SPiN AG (for 71 months)
- CoreFiling (for 67 months)
- Observatoire des Sciences de l’Univers de Grenoble (for 58 months)
- Tem Innovations GmbH (for 53 months)
- WordFinder.pro (for 53 months)
- CNRS DT INSU Résif (for 51 months)
- Soliton Systems K.K. (for 47 months)
- Alter Way (for 44 months)
- Institut Camille Jordan (for 34 months)
- SOBIS Software GmbH (for 19 months)
- Tuxera Inc. (for 10 months)
- OPM-OP AS
14:49
An Asahi Linux progress report [LWN.net]
The Asahi Linux project, which is working to implement support for Linux on Apple CPUs, has published a detailed 6.19 progress report.
We've made incredible progress upstreaming patches over the past 12 months. Our patch set has shrunk from 1232 patches with 6.13.8, to 858 as of 6.18.8. Our total delta in terms of lines of code has also shrunk, from 95,000 lines to 83,000 lines for the same kernel versions. Hmm, a 15% reduction in lines of code for a 30% reduction in patches seems a bit wrong…Not all patches are created equal. Some of the upstreamed patches have been small fixes, others have been thousands of lines. All of them, however, pale in comparison to the GPU driver.
The GPU driver is 21,000 lines by itself, discounting the downstream Rust abstractions we are still carrying. It is almost double the size of the DCP driver and thrice the size of the ISP/webcam driver, its two closest rivals. And upstreaming work has now begun.
An update to the malicious crate notification policy (Rust Blog) [LWN.net]
Adam Harvey, on behalf of the crates.io team has published a blog post to inform users of a change in their practice of publishing information about malicious Rust crates:
The crates.io team will no longer publish a blog post each time a malicious crate is detected or reported. In the vast majority of cases to date, these notifications have involved crates that have no evidence of real world usage, and we feel that publishing these blog posts is generating noise, rather than signal.
We will always publish a RustSec advisory when a crate is removed for containing malware. You can subscribe to the RustSec advisory RSS feed to receive updates.
Crates that contain malware and are seeing real usage or exploitation will still get both a blog post and a RustSec advisory. We may also notify via additional communication channels (such as social media) if we feel it is warranted.
14:21
New account on Twitter: DWiner43240. The old one dating back to the dawn of time is disabled, so at least the new owners can't post anything there, if I understand correctly.
Of Two Bloods [Original Fiction Archives - Reactor]
Of Two Bloods
Chronicling the secret exploits of the great detective’s
illegitimate, but highly observant,
younger…sibling…
Illustrated by Katherine Lam
Edited by Aislyn Fredsall
Published on February 18, 2026
3 Share
Chronicling the secret exploits of the great detective’s illegitimate, but highly observant, younger…sibling…
Novelette | 9,450 words
Paul Chambers emerged from behind the silently opened door. “Your secret is safe with me,” he said.
The young man Chambers addressed started guiltily, half rising from his wing-back chair. “What secret?”
“The secret which our…colleague…threatened to reveal. Your race.”
Royal Bridges flushed angrily. “You—listener at keyholes! You spy!”
Chambers shrugged his slim shoulders. “Spy? Not quite. But I hardly need be anything of the sort to have overheard Mr. Spencer bellowing about your ‘dirty black secret.’ Tell me, do you really intend to help him with his inheritance problem? Investigating such matters is by no means your métier.” Descending the two steps to their shared parlor, the young medical student took the twin to Bridges’s seat. “Or do you have some other means of defending your reputation against his demands?”
Bridges sank back into the shelter of his chair, covering his face with large hands. “No. No defenses against him, and no means of assisting him in his fight with his late uncle’s alleged wife. I’m no attorney. I’ll have to trust Spencer—though God knows why I should.” He raised a suddenly bloodless face. “Or, come to think of it, why should I trust you? We only met a little over a month ago. You’re not even American!”
Chambers smiled, but not, it seemed, at his fellow student. “If you were provided with the means to assist Spencer, would you?”
Bridges groaned. “But how? He expects me to find proof his uncle never married this housekeeper of his. A negative—”
“—is notoriously difficult to prove. Yes. But if you could—”
“My heritage would no doubt be revealed at any rate. It’s too scandalous a secret for him to keep it.”
“Then there’s no point in me offering you my assistance.” Chambers’s expressive eyes made this statement a question.
“Your assistance? But why should a wealthy Brit—”
“Son of a wealthy Englishman. And illegitimate,” Chambers added, self-deprecatingly.
“Still, why should you care about a quadroon’s fate? It’s ruin for me, to be sure, but for you? Granted you’ll be seen as a dupe, but that’s no reason to involve yourself.” Bridges shook his close-cropped curls. “Best start packing up your belongings tonight. I’m to give Spencer my answer in the morning.”
“Tell him yes.”
“I can’t!” Surging to his feet, Bridges stormed back and forth before the empty hearth. “I can’t, don’t you see?” Twice he passed the calm face of his apartment-mate, then whirled to confront him. “I don’t have the least idea how to begin!”
“But I do, thanks to special…training as a child.”
“You! I say again, why should it be any concern of yours if I am expelled from school, driven from this house, shunned by all my former friends—”
“Why? Merely because of this.” And raising one gloved hand, the young Chambers removed a handkerchief from his breast pocket with a flourish, then wiped the white silk delicately along one high, ivory cheekbone. Where the silk had passed, the skin was darker than Bridges’s own.
“Mr. Spencer,” Bridges said, gesturing to the empty wing-back chair, “if you would kindly take a seat—”
“We have no business to discuss,” the young man said furiously, “in the presence of a third party.”
The small, almost dainty figure seated in the second wing-back chair spoke. “You’ve already discussed your business in the presence of a third party.”
Spencer’s head jerked back. Then his eyes narrowed to an obsidian glitter and he turned to face Bridges directly. “I told you this conversation was to remain between us!”
“I occupy the apartment’s other bedroom,” Chambers said. “Sir, the difficulty would have been not to hear your rather forcefully stated case.”
A pallor came over Spencer’s strong-boned countenance, perhaps at the realization that his demands of the previous evening might not be in accord with laws governing extortion in the Commonwealth of Massachusetts.
“Rest assured,” Chambers continued, “I am already privy to your mission, and—”
“And you’re going to try blackmailing me with what you think you might have overheard?” Spencer interrupted, with a bitter laugh. “My late father left me a very modest estate, and it is already close to exhaustion.”
“Mr. Spencer, you mistake my intention,” Chambers said. “I am offering to be of assistance in proving your claim to your late uncle’s estate.”
“I recognize you now,” Spencer said, eyes narrowing again to glittering black slits. “You’re that English fop who’s a couple years ahead of Bridges in the medical school. Some toff’s by-blow, everybody says. Why would any white man, even illegitimate, come to the aid of a subhuman like Bridges?”
“As you might imagine,” Chambers said, “the issue of inheritance cuts very close to the heart of a man who’ll never inherit his natural father’s wealth. I’ll not stand idly by and watch a man cheated out of an inheritance rightfully his.”
Spencer belatedly removed his top hat and used his free hand to push a spill of straight black hair off his brow. “Here.” He thrust the hat into Bridges’s hands as if he were a servant, then extended one broad hand toward Chambers. “Of course.” His accent was Boston Brahmin. “Of course you’d help a fellow white man. Forgive me—”
“Mr. Paul Chambers.” Chambers rose to shake the offered hand, which responded with a crushing grip. Chambers’s expression did not change.
“I’m R. Howard Spencer, Junior,” Spencer said, releasing Chambers’s fine-boned hand to sink into the chair Bridges had offered.
“Delighted, Mr. Spencer.” Chambers resumed his own seat. “To proceed. In order to investigate the marital claim of your late uncle’s housekeeper, Mr. Bridges and I will need more information—”
“What?” Spencer’s face darkened. “What more do you need than the names of my uncle and his housekeeper?”
“That will become clear,” Chambers said, “as Mr. Bridges and I ask our questions. It’s better for us to have too much information than not enough.”
“Of course,” Spencer said, irritably raking a hand through his thick dark hair. “Proceed.”
Chambers turned slightly in the chair so he faced both Spencer and Bridges.
“Mr. Spencer,” Bridges said, “what is the housekeeper’s name?”
“She calls herself Lucia Spencer, as if that Italian trollop has any claim to my family name,” Spencer said. “Her real name’s Lucia Giuliano. Straight off the boat from Sicily or some other degenerate clime I’ll warrant—”
“You refer to Dr. Agassiz’s theories of the polygenetic origins of the human family?” Chambers said mildly. “We’re familiar with them, thank you. Whether or not they’re true, can you can confirm that your late uncle’s housekeeper is at any rate an immigrant?”
“I don’t know,” Spencer said. “What else could she be? When I think of the way these d___ degenerates are overrunning this fine land and polluting our good Anglo-Saxon stock—”
“I take it,” Chambers said, “your uncle had children by his housekeeper?”
“Of course not!” Spencer burst out. “The wench is childless. Anyway, a fine, upstanding merchant like Uncle Will—William Francis Spencer—would never have debased himself by touching a subhuman woman. Whatever gave you such a disgusting idea?”
“Not all men hold to such ideals of purity,” Chambers said.
“How long was Lucia in your uncle’s employ?”
“Much of my life. I’m eighteen, so—” Spencer fell silent, calculating. “She was in his service twelve years.”
“Did she reside with your uncle,” Chambers said, “or—”
“All my uncle’s domestics lived downstairs.” Spencer gave a fashionable address on Beacon Street.
“Then the twelve years of Miss Giuliano’s service were spent entirely in Boston?” Bridges said.
“Yes,” Spencer said. “Uncle Will became wealthy as a trading man, traveling the world. Retired, settled in that fine house in Back Bay, and hired a domestic staff. They included Lucia Giuliano.”
“And is Miss Giuliano still in residence?” Bridges asked.
“My lawyer got her kicked out.” Spencer’s face was stony. “She’s got no right to be there. Or to keep me out. But her lawyer’s got the house tied up so I can’t move in.”
“Lawyers,” Chambers said, shaking his head. “I sympathize with your trials, Mr. Spencer. They are considerable.”
“Very true, Mr. Chambers,” Howard said. “None can know how I suffer. And when I leave here, it is to see them again.”
“I regret that we have so few questions left with which to detain you from such unpleasant company.”
“That’s quite all right.” Spencer favored Chambers with a rueful smile. “I’m grateful for anything you can do to end my dependence on legal counsel and gain me my inheritance.”
“That brings us to the matter of your uncle’s last will and testament,” Chambers said. “I take it there is none?”
Spencer smirked. “Indeed, there is not.”
“Are you sure?” Chambers said.
“Uncle Will never got around to preparing one. His law firm served my late parents, and also serves me.” Spencer smiled. “I have my information on good authority.”
Chambers inclined his head.
“Your uncle was a traveling man, Mr. Spencer,” Bridges said. “But he was born in Boston?”
“Uncle Will and my father—he was Uncle Will’s younger brother—moved down from Maine—Portland, it was—before they were twenty. My father came to study law at Harvard, but Uncle Will never gave a d___ about school. He found work on a clipper, did well enough to acquire his own ship and become a merchant himself.” Spencer’s voice grew harsh. “Did very well, indeed. But never married, never had any children. I’m his brother’s only child, so I’m the heir. But now that he’s passed away”—his complexion grew bright—“that Italian b___ is trying to defraud me with her false claim that they were married.”
Chambers rose, extending his small hand. “Rest assured, Mr. Spencer,” Chambers said, “Mr. Bridges and I will do everything in our power to see that your Uncle William’s estate goes to the rightful heir.”
A pair of pewter tankards clashed in the tobacco-fogged air. “To wives and sweethearts: May they never meet!” The stout, sandy-haired man on the other side of their time-polished table waited for Chambers’s and Bridges’s polite laughter, then gulped his beer.
“Pity you can’t join us, Mr. Chambers. The Liberty Bush serves a rare fine ale—almost as good as one out of your English breweries.”
Chambers met the man’s questioning gaze head on. “Yes, well, it’s no doubt better than this”—he swirled a tarry liquid in a narrow glass—“spirit, shall we call it? But my poor constitution won’t allow me to share your pleasure. Though if you’ll pardon my abstention, I’ll stand the two of you another round.” Ignoring Bridges’s sudden glowering, he signaled for the serving girl.
The order placed, Chambers turned once again to Carteret, as the sandy man was called. “So you served under Captain Spencer for—how many years?”
“Signed on as cabin boy in 18__. Twenty-six years that’d be, till I give my notice as first mate on hearin he was sellin his ships and investin the proceeds. He was a wonderful easy master, Captain Spencer, and I couldn’t see workin for any other.”
“A longstanding acquaintance, then. What did you know of his marriage to an Italian named Lucia?”
“An Eye-talian? Aye, likely he had one of them—maybe that North End gal he hired to take care of his house and such? She’s the only one I remember. Built like a brick s___house.”
Bridges leaned forward. “But was he married to her? It’s the relationship’s legal standing we’re interested in.”
Doubt wrinkled Carteret’s forehead. “Wonderful easy he was about that sort of thing. Wouldn’t have been any trouble for him gettin married to her, I guess, like he done with some of the others.”
“‘Some of—of the others’? Do you mean to tell us—”
Chambers silenced Bridges by laying a hand on his arm. “How many others were there—whom you yourself observed?”
“Well—” The response was delayed by the arrival of the freshly ordered beer. Bridges shoved his new tankard across to Carteret and received a matter-of-fact nod in acknowledgement. “My sincere thanks to you both, gentlemen. And here’s your health.” He raised his second tankard, drained it, set it down to one side, and wrapped a sunburnt hand around the third. “To answer your in-choir-ee, I didn’t see the need to keep a strict accounting.”
Over the next quarter hour, Carteret regaled the amateur investigators with a tale of approximately a dozen close female companions to his captain, met in port and under sail. At least half of these the crew had addressed as “Mrs. Spencer,” by custom if for no other reason. Others had gone under more colorful sobriquets.
They left Carteret in possession of two more pints, themselves not much the wiser as to anything except the rather salacious details he’d retained of the companions’ physical attributes. Long, dark hair seemed to be a trait all had shared—“Though whether straight or curly didn’t make much difference,” the former first mate noted. A predilection for the Junoesque could also be discerned, as Bridges told Chambers on their way home. “But what good that will do us I can’t say.”
“Can’t you? I suppose it isn’t very helpful. But we did discover something as to their countries of origin, their Christian—or ought we rather to say their given—names, and, most importantly, the order in which these lovely women appeared in their role as the captain’s lady.”
“I’m sorry,” Bridges said, “but I remain unclear on the relevance of the sequence of the captain’s early loves to Spencer’s claim on his uncle’s estate.”
“If I may clarify in a word?” Chambers said.
“By all means.”
“Bigamy.”
Bridges stared at Chambers for several seconds. His lips were parted, his eyes wide. Chambers smiled faintly.
“Of course!” Bridges said. “Even should the Italian girl produce a legitimate marriage license, it would be invalidated if her husband were previously married and never divorced.”
“And,” Chambers added, “if we find evidence of such.” He resumed walking.
They ascended the stone steps to the house where they rented their rooms. Bridges dropped his key as he took it from his pocket. Chambers bent first to retrieve it, causing Bridges to rather embarrassingly bump his nose against the back of the Britisher’s neck. The jolt he felt must have been caused by the blow to his pride, for there was little pain. Both apologized.
As they climbed to their upper-story flat, Bridges picked up the thread of their conversation again. “Yes, I can see that the earlier the marriage in such a series, the more likely its legitimacy,” he admitted.
Chambers inclined his head. “We’ll start with the earliest two.”
“With only two predecessors to Miss Giuliano to investigate, I suppose we should count ourselves lucky,” Bridges continued. “We may even finish before end-of-term. It won’t matter one jot that her marriage lines disappeared in a fire at the state archives. Young Spencer’s lawyers might have saved themselves the trouble of corroborating that disappearance with the housekeeper’s counsel.”
Carefully stripping his gloves, Chambers disposed of them neatly inside his hat. “Ah. But if we disprove Miss Giuliano’s claim via this route, it will be due to validating the claim of another. Have you thought of what our colleague’s reaction will be to that?”
The next afternoon, as the autumn sun slanted toward the west, Bridges entered the apartment. He found the parlor empty and Chambers’s bedroom door closed. Bridges went to his apartment-mate’s door and called, “Back from classes. And you?”
“Back, although not from classes,” replied Chambers’s voice from within. “Cables have been dispatched to the last known whereabouts of the Indian woman in Seattle and the Chinese woman in Macau. I also telegraphed some contacts my half brother has—a newspaper reporter in Seattle, a Portuguese colonial official in Macau.”
“You speak Portuguese?”
“And write it,” Chambers’s voice replied. “We’re a polyglot lot, my family. After departing the telegraph office I paid a visit to the late sea captain’s fine Back Bay home. All his servants have been released to seek new employment at locations unrevealed. Fortunately, the adjoining neighbor’s house girl proved quite garrulous.”
“She told you where the servants have gone?”
“She had no idea,” Chambers’s voice replied. “She also had no idea whence the alleged wife has taken herself. But she was quite convinced that Miss Giuliano was Captain Spencer’s wife. She also offered a significant piece of new information.”
“What is that?” Bridges said. “And why are we straining our voices in this manner? Why, pray tell, must you give me information through your closed door?”
“The reason for that will be made clear directly,” said Chambers’s voice. “As for the new information: It seems that when Miss Giuliano entered Captain Spencer’s home twelve years ago, she brought with her a younger sister, a five-year-old named Maria Teresa, whom she and the captain raised as a daughter. And the talkative servant told me where we might find this sister.”
“She would be seventeen now,” Bridges calculated. “Of marriageable age. Is she still in Boston?”
“She is indeed. And unmarried.”
“Her maiden state may present some difficulties,” Bridges said, “for two unknown men attempting to pay a call.”
“More than you have imagined.” Chambers’s voice sounded amused. “Maria Teresa Giuliano resides at a convent school. Which is why I have adopted measures you will find to be of an extremely shocking nature. Brace yourself. Are you ready?”
“More than ready,” Bridges replied in a bored drawl.
Chambers’s door swung open.
If Bridges had appeared thunderstruck at the notion that bigamy would save his career at Harvard, he now took on the semblance of a man who’d just received irrefutable proof that ghosts were real, or discovered an antediluvian monster stepping into his parlor. His mouth dropped opened, his hand flew to his chest, and he reeled backward as if he had received a tremendous physical blow. His heel struck an object and he fell back, arms flailing, to land in the seat of his wing-back chair.
Finally he spoke, but almost inaudibly. “Chambers? But—no!” His voice was gaining strength and volume, and perhaps the slightest note of panic. “Where are you hiding, Chambers? This—this beautiful woman simply cannot—cannot—be you!”
“And yet—” said the handsome, ivory-complected woman, perfectly coiffed, and dressed in the height of fashion from her hat and wig to her gloves and shoes, dipping a graceful curtsey as she spoke, “—and yet, Chambers c’est moi, Monsieur Bridges.”
“But—but—this is impossible!” Bridges said. “If I saw you on the streets, I would never believe—I cannot believe, even knowing—Paul, I would swear on the Good Book and my own dead mother’s soul that you are a woman.”
“Well,” Chambers said modestly, “I can only say I’ve learned from the best. My half brother is acclaimed on two continents as a master of disguise.”
“Your half brother is a master of disguise?” Bridges said. “And your family is a bunch of polyglots. And you study medicine, but investigate like a seasoned Pinkerton operative, and you received ‘special training as a child.’ And you’re of the British elite—Dear God above”—Bridges surged to his feet—“you’re a Holmes!”
“In all but name.” There was the faintest note of sorrow in Chambers’s voice. “Now,” he said more briskly, “we’ll need to leave separately. You will wait here several minutes, then rendezvous with me at the entrance to Sanders Theatre. It’s fortunate we reside in Cambridge, where women walking alone aren’t a novel sight. But if you’re seen escorting a woman from our apartment, you may not need young Mr. Spencer to get you kicked out of Harvard.”
“Understood,” Bridges said forcefully.
“Also,” Chambers added, extending an iron buttonhook, “I’ve been able to fasten the stays of my corset well enough, I believe, for an evening’s deception. But for the sake of speed I simply must have your assistance in buttoning my boots.”
Bridges bent to the task. His face was hidden, but a betraying flush colored with scarlet the very tips of his ears.
The sitting room in which Maria Teresa Giuliano was to receive her callers was plainly furnished but almost painfully clean. Examining the sill outside the spotless windowpanes—ceaseless observation being a habit ingrained in him by his famous older brother—Chambers noted that it, too, was free of the sooty residue so common to urban environments. Satisfied in his comprehension of the room’s orientation in relation to the street, he took his seat beside a pie-crust table that he might have a resting place for his reticule. In keeping with his current public role, he spread his gathered skirts with care so they wouldn’t be creased or crushed by his sitting.
The room’s one door opened to admit a tall, sturdy-looking young woman with a smoothly restrained and unfashionably severe hairstyle: a low chignon. A nun followed her and stationed herself at the exit as if to prevent her charge’s escape—or the escape of anyone.
“How do you do?” A brief curtsey, and a bow from Bridges in response; Chambers rose and executed his own greetings as he’d been taught. “You must be Miss Pauline Chambers, and Mr. Royal Bridges? And of course I’m Maria Teresa Giuliano, and this is Mother Anna Elizavetta. Tell me, how do you come to know my sister?”
“We don’t,” said Chambers, smiling so gently as to remove from the words any hint of contradicting harshness. “We merely wish to confirm with you some facts pertaining to her claim to be married to Captain William Spencer—”
“Her ‘claim’! You would dispute it? But it is truth!” Giuliano had not seated herself; she stood like a figurehead, braving invisible disdain. “Whom do you represent—the Chinese woman? But she is dead, died without issue!”
“No, no!” Bridges started forward, hands stretched out and patting the air as if to calm it. “Quite otherwise—we wouldn’t dream of distressing you in such a manner. We only—”
The girl ignored him. “You!” She threw herself to her knees at Chambers’s feet. “You are a woman, and gently bred, I can tell at a glance. Have pity—don’t let my sister be slandered so! Her name dishonored—and we would lose everything, all she has worked for. All! All! Surely you understand….” Harsh sobs obscured the rest of her speech.
Taking the advantage granted by his dress, Chambers seized Giuliano by both her plump hands and dragged her unresisting from her pose of supplication. “You must be strong for Miss Lucia,” he admonished her. “Here. Dry your tears and quiet your mind. We mean you no harm.” Chambers’s silk handkerchief reappeared, now scented with violets.
Composing herself with this aid and a glass of wine procured at the orders of the attendant nun, Giuliano at length proved a fount of information—none of which would aid Spencer. She knew where her sister had fled, but would not share this intelligence. She had seen the papers her sister kept carefully locked in a steel box, and believed them genuine. She was entirely confident they must include both a private copy of the marriage license and the captain’s will; however, she reluctantly admitted she had not herself seen them. More, she had celebrated Mass with both her sister and the captain hundreds of times over her twelve years in the Spencer household, with attending clergy according every appearance of accepting the bond’s legitimacy. The Macau Chinese wife—partner in an earlier liaison, but deceased—she knew of from a shrine-like arrangement in the captain’s study: a small table where novenas burned continuously, and an imposingly large portrait hung on the wall above it among the old man’s ubiquitous charts and maps. When Chambers expressed diplomatically worded surprise at Captain Spencer’s Catholicism, Giuliano reported that he had converted from Congregationalism to win the Chinese wife. So far as Giuliano knew, the conversion had created no rift with his late brother’s family.
She appeared to have no knowledge of the Indian in Seattle.
Chambers leaned slightly forward in the chair he’d resumed as Maria Teresa composed herself. “Miss Giuliano, how well are you acquainted with your cousin?”
Maria Teresa’s black eyes flashed. “I do not understand the will of God sometimes! Why does He send my cousin to dispute my sister’s inheritance, when he can be no blood relative of ours?”
The rest of the room’s inhabitants stared in shock.
Chambers recovered first. “Howard Spencer Junior is not of your blood? He is adopted, then? Do you know this with absolute certainty?”
“My sister told me! She swore it was so when his lawyers forced her out of her house!”
“Is he aware of this himself?”
“I cannot say!” The fierceness of her tone matched her eyes. “I have not seen Howie since he was sent as a big, clumsy boy to a military boarding school in Pennsylvania. Then, he did not know of it.
“And I rejoiced when he was sent away. He behaved abominably to girls.”
Chambers’s expression turned to granite. “He hurt you?”
Mother Anna Elizavetta’s expression had gradually changed from astonishment to the sternness of a drill sergeant. Now she gave gruff orders: “Maria Teresa, you heap indiscretion atop the blasphemy of questioning God’s will! Leave the room at once!”
His mind filled with visions of setting fire to the dead captain’s brownstone as a method of forcing the vanished housekeeper to reveal her elusive documents’ whereabouts, Bridges joined Chambers in a hansom cab summoned by Mother Anna Elizavetta to the convent steps. Dusk purpled the air. Within the cab’s close confines, he found Chambers’s nearness suddenly unbearable.
He drummed his fingers on the window’s lever. He shifted from side to side on his inexplicably uncomfortable seat. “Has this driver taken a wrong turning? Surely we should have reached—”
“Hush! I’m trying to think!” A glance at the frowning severity of his companion’s brow inured Bridges to suffering the rest of their ride in silence.
Morning saw Bridges bound for class and Chambers, with the addition of a walking stick to his accustomed suit and top hat, eschewing the halls of learning for the precincts of a more commercially minded muse. His half brother’s journalistic contacts confirmed the rumors of Spencer’s adoption, but could provide no proof of it. An attempted visit to the offices of the would-be heir’s attorneys was productive of nothing along those lines and only served, Chambers ruefully admitted to Bridges when they met in the street, to excite suspicion.
“Fortunately, the card I presented gave an assumed name.”
Bridges frowned. “I do not like practicing so much deceit.”
“Nor do I,” Chambers admitted. “And yet I dislike martyrdom even more.” Silk handkerchief suddenly in hand, he mimed the gesture of wiping the artificial ivory from his cheek, recalling to his roommate the necessary charade they shared.
“Yes…well, perhaps—” A passing street-car’s thunder gave him an excuse for leaving his sentence unfinished. “Are you for home now?” The dim blues of autumn’s early evening were closing in, and he expected an assenting answer.
But, “No,” Chambers replied. “I have another interview to conduct still. The lovely Maria Teresa must know more than she has so far told us.”
Bridges felt a surprising twinge of jealousy. He hadn’t realized the strength of his attraction to the girl. “How can you gain entrance to her?” he objected.
“I rather fancy I will find a way.”
Full darkness had fallen by the time Chambers stood before the convent walls. As he’d marked on his earlier visit, the window of the sitting room where he and Bridges had been received overlooked this narrow, neglected-looking thoroughfare. A solitary streetlamp lighted greasy cobbles and tightly boarded windows.
The glass of the window he’d selected was dark, as he’d suspected it would be. As he’d hoped. The clean sill outside of it had led him to believe it a customary point of egress for the less docile of the institution’s habitués. What served as egress would most probably work as a means of ingress too.
Sure enough, on examination, the path to the window became plain: decorative stone carvings, fortuitously placed brackets and fittings—to climb up or down this way would cost a maiden a temporary loss of modesty, but it would not too greatly tax her strength. For someone of Chambers’s build and habits, mounting to the window was the work of mere moments. He attained his goal quickly and peered in to ascertain the room’s emptiness. His breath barely fogged the panes. Bracing himself with one hand against the pipe securely bolted to the stone wall, he pulled open the section of the window whose latch he had earlier surreptitiously released.
A pause to let his eyes adjust to the near-nonexistent light of the clouded skies filtering into the darkness of the building’s interior. Then, quietly as a gray cat, Chambers opened the room’s door and entered the rush-carpeted passageway. One flickering candle at the far end showed stairs winding away to higher and lower floors. As he had calculated based upon the sounds of Maria Teresa’s departure, her living quarters lay only a few steps in the opposite direction. Her door was unlocked. He shut it behind him. The blackness in which he stood was barely alleviated by the room’s mean little window. As his eyes adjusted, his nostrils flared at the scent of the sachets hanging in her wardrobe, her hair oil, her—
“Miss Chambers? Is that you? I hardly know how I suspect—”
“Shush!” In an instant Chambers was at her side, a small hand flung over her soft mouth. “We must speak,” he whispered. “Not here. Somewhere we won’t be overheard.” Reluctantly he released his grip, letting her sink back to the bed from which she’d risen.
“Why are you dressed as a man?” Her voice was subdued, but still might rouse the watchful nuns.
“I will explain all—elsewhere! Do you know of a spot we might go to? Secluded yet close by?”
“The garden. All who have not made their vows—I’ll take you,” she said, interrupting herself. Back along the passageway she led him, his slim hand tucked unnecessarily into her much larger one. Out the window, down the exterior wall most featly, and back into the convent precincts via a silent, evidently well-oiled gate.
The smell of drying flowers filled the air, just a little sweeter than hay. Mud slithered beneath his shoes as Maria Teresa took his hand again and led him off the path, to a backless bench of pale marble. It was almost as white as the girl’s nightgown.
“Now,” she said, seating herself and pulling him down to sit beside her. “What are you doing here? And clad so strangely?” For some reason she had failed to release his hand. “If I didn’t know you for a woman—”
“If you know me for that, you’re wiser than all Boston.” His glance dropped to the ground. “Your poor feet are bare!” he exclaimed.
How had that escaped his notice? If he was unobservant in such a matter, what else had he missed? Scanning their surroundings, he saw immediately the shadow across the gap where the garden gate hung open. What could it be? It shifted minutely—alive.
“Miss Giuliano, you trust me?”
“You may call me Maria Teresa if you wish. And yes, Miss Chambers—Pauline? I trust you—somehow. It is—”
“Stay here!” he commanded. Taking his hand from hers, he stood and walked unhesitatingly toward the blocked gate.
When he passed through it was clear.
Continuing onward as if nothing were amiss, Chambers headed toward the unlighted end of the street outside. Footsteps followed him, as he had anticipated. When he turned to face his foe, however, he saw only the girl. Almost he shouted at her to return to safety, but the noise would attract unwanted attention. Sighing with frustration, he walked back the way he’d come, gesturing at her to retreat. Instead she advanced till they were once again able to whisper to each other.
“You mustn’t be caught!” Chambers told her. “Go to the garden! Your room!” It was useless. She clung to his arms; refused to be shaken off.
“No! You have to tell me why you came here!”
There had been no good reason. Unlike his half brother, he’d acted irrationally. “I’ll find another way to explain that,” he promised. “We’ll meet again, but at the moment you’re in danger—Danger! You must leave! Now!”
Suddenly he spun the two of them around as if dancing the wildest waltz. A shot cracked the night in half, thudded into a wooden door on the left. Another hit Chambers’s shoulder. He jerked and slumped into Maria Teresa’s arms. The sound of running feet receded into the distance.
“Oh! Are you all right?”
“No.” He slid to the pavement. “Get away from here. Summon Bridges. I need treatment.”
“I’m not leaving!” she said, with a stubborn toss of her head. “And would not a doctor be better?”
A doctor would cause trouble. Bridges’s medical knowledge would be sufficient. Chambers tried to say as much, tried to rouse himself to speak. It wasn’t possible. The whirling blackness swallowing him lifted only briefly. Three times: once to reveal stumbling legs that he ought to have recognized immediately as his own, a second time in the moldy and miraculous interior of a hansom cab, a third as he gazed up at the worried countenance of his friend. The expression on Bridges’s face soon went from concern to horror-stricken shock.
“I’m not so badly wounded as that, surely?” Chambers joked. But he knew quite well that wasn’t the problem. The problem was that in preparation for administering medical aid Bridges had, naturally enough, stripped him, removing the accustomed bindings. Chambers felt the room’s air moving coolly against his exposed breasts.
After much argument, Bridges agreed to let matters remain as they had been for a little while longer—at least until the neutralization of Spencer’s threat. Weak from loss of blood, Chambers was hardly in shape to remove himself from their shared flat, as Bridges had to acknowledge. The British man—woman—no, it was best to think of him still as a man, as long as the two of them remained under one roof…Chambers kept almost entirely to his room, sleeping. Recovering quickly, Bridges hoped.
A cabled reply to one of Chambers’s inquiries of two days before arrived from Cheyenne in the young state of Wyoming. It had been sent by Mrs. Lilly Spencer en route from Seattle, and indicated that she would arrive in Boston via railroad in a scant four days.
Not a year old, neoclassical South Union Station was the largest railroad station in the world. In its most capacious waiting room great arched windows overlooked Summer Street, and additional illumination was provided by more than a thousand astonishingly bright electric lights. The station was a marvel of the modern age, and people in the great crowds seething across the marble mosaic floor routinely gawked and exclaimed at its sights.
Royal Bridges, seated at one end of an otherwise unoccupied oak bench, stared into space with the expression of one whose attention is turned entirely within. Chambers, returning from the ticket booths, for his part kept his attention on not jarring his left shoulder as he seated himself on the opposite end of the bench. The atmosphere between the two might be said to be strained.
“Mrs. Spencer’s train is expected momentarily.” Chambers placed his hat, gloves, and walking stick between himself and Bridges. “I’ve procured a small dining room so we may speak to her in private.”
He turned to face Bridges. “I want to thank you for not taking advantage of my—helpless state.”
Bridges looked at him stonily. “Did you truly think I’d do otherwise?”
“No,” Chambers replied. “But that doesn’t make my gratitude any less.”
Bridges inclined his head. “I have thought much about your—secret,” he said quietly. “I couldn’t imagine a reason, at first. I was too astonished—and yet, not entirely surprised. I’d already known, I realized. I’ve known for—longer than I would’ve imagined.” He smiled for a moment. “It seems the philosophers are right about the wisdom of the unconscious mind.” He glanced around. The throngs passed, indifferent to their presence. “I’ve told no one. And I deduce you’re doing this for the same reason we don’t announce—” He mimed Chambers’s gesture of removing face powder.
“Correct, sir.”
“‘Sir,’ am I now?” Bridges’s smile returned, with an added note of pain. “But your formality is utterly correct. Nor can we continue to share quarters. Not unless”—his eyebrows rose very slightly—“we were to marry.”
“I am honored by your offer.” Chambers touched his arm for the briefest interval. “But I’m the wrong type of woman.”
Bridges’s expression remained carefully frozen in meaningless amiability. “As I supposed. I saw how often the younger Miss Giuliano visited during your convalescence,” he said. “I had no intention of spying. But she seemed to feel no reticence in displaying affection for you while I was attending to your needs. I don’t think a good convent girl would be so forward as to visit a man alone, at night, or to clasp that man’s hand to her breast.”
“I think Miss Giuliano is quite willing to dispense with convent instruction whenever it suits her,” Chambers said. “But yes, she knows. And I must confess to having developed a very high regard for her. Very high.” He raised a hand as if to indicate his regard’s height, but with a wince left the gesture unfinished.
Bridges’s expression altered to a somber regard. “Your wound,” he said. “From the situation you’ve described—I cannot believe the shooting to be random. Yet it makes no sense. Howard Junior could have no objection to you questioning the housekeeper’s sister in pursuit of locating her. Anyway, no one knew you’d be at the convent. Have you any idea who might have shot you?”
“An idea, yes, but one still to be tested.” Chambers stood, first bracing his wounded shoulder. “I believe the train we await has arrived.”
Mrs. Lilly Spencer did not display Chambers’s familiarity with the latest Parisian fashions, and it was clear from her robust figure that she did not wear a corset. However, she was dressed handsomely, in the manner of a prosperous businesswoman. Tall and statuesque, she wore her luxuriant black hair in a pompadour which allowed her to sport a bowler hat. And she had not arrived alone.
Forthrightly introducing herself, she extended her white-gloved hand to shake the hands of Chambers and Bridges, then turned to the younger and taller figure who stood quietly beside her, a lockable leather briefcase in his hand. “Gentlemen, this is Richard Spencer.” She had a faint accent not often heard on the East Coast. “William’s and my youngest son.”
Bridges’s eyes widened slightly. “We understood Captain Spencer to have no issue.”
Lilly Spencer’s bold eyebrows winged upward. “You also doubted Captain Spencer had more than one wife, unless I’m too freely reading between the lines of Mr. Chambers’s telegram.”
“I think,” Chambers said, “we should continue this discussion in private.”
Taking the briefcase from her son, Mrs. Spencer dispatched him to see to the conveyance of their luggage to the hotel at which she’d already made reservations; then she and Bridges followed Chambers to one of the station restaurant’s more intimate rooms, where Chambers ordered tea and she and Bridges requested coffee.
With the serving girl’s departure, Spencer placed her briefcase beside her china cup. “You asked for evidence of my marriage to Captain Spencer.” Producing a small key from her reticule, she unlocked the briefcase and reached within. “Here is my copy of our marriage license. The records in Seattle will support it.”
His face impassive, Chambers studied the document for a long moment, with Bridges looking over his shoulder.
“I’ve already been in contact with the Seattle archives,” Chambers said in a neutral tone of voice. “However, they had—if I may be so direct—no record of a divorce.”
“Oh, Will and I were never divorced,” Lilly Spencer said, leaning back in her chair as if finished with a satisfying meal. She shook her head nostalgically. “We had an understanding. I understood that he had other women when he wasn’t in Seattle, and he understood then was when I had other men. I haven’t seen him since he retired from the sea, but we could find no reason to end our marriage. He realized I could own land more easily in Seattle if I were wed to a white man. And I retain for him—a great affect—” Her voice broke, and Chambers offered his freshly laundered handkerchief. She used it to dab her eyes. “I was grieved to receive your telegram and learn he’d passed away.”
Chambers and Bridges offered their condolences and sipped their beverages, allowing Mrs. Spencer time to compose herself.
When Chambers spoke again, his voice was grave. “Mrs. Spencer, you’ll need to meet with the captain’s most recent wife and her lawyer, and probably retain one yourself. It seems you’re the late captain’s heir.”
“I am.” Spencer withdrew another document from her briefcase. “I have William Spencer’s last will and testament, as I had his sworn word that I would never be disinherited by a new will. You—and any attorney in Boston—will find this document genuine.” While Chambers and Bridges scanned the document with widened eyes, she added, “Now, gentlemen. You haven’t indicated you’re relatives or lawyers, and you don’t act like either. So tell me. Why are you involved in our private family business?”
Bridges and Chambers raised their gazes to her sternly watchful face.
“Madam,” Chambers said, “we represent the interests of a third party. It looks as though that party, too, may be doomed to disappointment. The will appears to be in order.”
Soft, muffled steps became suddenly sharp and loud as the party walked off the empty entry hall’s broad Persian carpet and onto its bare floor. Five pairs of feet traversed the white tiles leading to the foot of an intricately balustraded staircase. The erstwhile Lucia Spencer turned to consult the establishment’s new mistress. The brownstone’s former housekeeper hadn’t taken long to appear once Lilly Spencer’s lawyer contacted hers.
“Perhaps we should start the tour in the house’s upper stories—though you won’t care to see the attics, I imagine?”
“Rooftop to the lowest cellar,” proclaimed the first—and, in the law’s eyes, the sole—Mrs. Spencer. “It’s all mine, and I want to see every bit of it!” Bridges had been forced to lend her his arm when Chambers and Miss Giuliano paired themselves off immediately upon meeting at the mansion’s door. The widow’s grip was as firm as her voice and bearing, though by the speed with which she mounted the stairs she’d no need of any man’s support.
On the second floor landing, however, she called a halt. “Miss—Mrs.—Lucia—Oh, I don’t know what to call you, and these legal men of mine would skin me alive if they thought I’d done anything to disadvantage my case, but can’t you see—Here, sit down on this bench and let me explain!”
“You wish me to be seated—in your presence?”
“Well, yes, and the rest of you might as well hear this too. You see, I’m not greedy, or a conniver, or wishful of spoiling your chances in the world—” Here she gave Maria Teresa a challenging look. “—or anything of that sort. I simply want the best for my Richard.”
“Your son—the gentleman you left waiting for us beside the curb?” The illegitimate wife’s bland, plump face showed just a hint of skepticism.
“Yes. He’s a good boy, though I can see by your manner you don’t think he takes much after his father’s looks. But likenesses are often a tad deceptive, as I’m sure you’ll come to understand when you’ve lived as long as I.” A darting glance from the corner of Mrs. Spencer’s eyes reminded Bridges to offer a gallantry as to her young appearance.
“But that’s not the point,” she continued, once she’d received the expected compliment. “Though I’ve asked Richard to guard the door and not intrude himself into your home—for it used to be your home, for all intents, and I’ve no doubt you expected it would return to your possession once the unpleasantness with little Howard was settled—well, as I said, it’s not for myself but for my son I would claim it. And I’ve been thinking and scheming in my head if there might not be a way for the two of us to both get what we want.”
The hands of the former housekeeper, lying clasped together on her black silk-clad lap, tightened their grasp on each other. Her eyebrows drew down in a frown. “I don’t understand.”
“Miss Maria Teresa is like your daughter to you, isn’t she? How about if she and my Richard was to marry? The property would stand to belong to both of them then—and I’d make certain sure it did!”
Ever so slightly, Maria Teresa Giuliano swayed where she stood. Chambers’s arm caught and steadied her. “M-m-married?” she stammered.
“Early days yet, I know. I merely aimed to put the idea in your heads, and to tell you there’d be no objection on my part.”
The Italian girl’s natural swarthiness took on a greenish hue that owed nothing to the teal damask hangings at the landing’s windows. “I—”
“Is there claret in the house? Brandy, even?” asked Chambers.
“Yes!” Lucia said eagerly. “Let’s drink a toast to—”
The crash of a door violently opening interrupted Mrs. Spencer’s proposal. It came from below. From the same place men’s angry voices rose and rose, drowning each other out:
“—my rights! No pack of impostors can deprive me of my inheritance! No—”
“Sir! I must insist! The ladies will—”
“‘Ladies’ indeed! Filthy guinea trollops, that’s all they—”
By the time these words were shouted, all had descended to where they had a clear view of the blow with which Lilly Spencer’s son stopped Mr. Howard Spencer’s rant mid-phrase. The blow’s recipient fell flat on his back at the staircase’s bottom; over him stood the tall form of Mr. Richard Spencer, hatless, and stripping off his gloves. “I cannot tolerate your slander of the woman I’m proud to call by the sacred name of Mother,” he declaimed. “Stand up, that I may escort you to a spot more suitable for brawling.”
“Richard, no!” Mrs. Spencer held out an imploring hand. “Don’t sink yourself to his level—we have the law on our side.”
“Ha! Do you?” Staggering to his feet, Howard Spencer lifted a walking stick from the carpet. It must have been his—the grip fit his large, square hand exactly. “Possession is nine tenths of the law, however—and I am here now, and won’t be ousted again by inferior bastards of any stripe!” He raised his stick threateningly—but stepped no closer to his attacker.
“Have a care when tossing such slurs about,” the Seattle man replied coolly. He stood his ground, looking not a whit intimidated. “You may find yourself tarred by the brush you thought to wield.”
The stick clattered to the tiles—the first indication toeither man of Chambers’s interference in their confrontation. Smoothly, the Brit retrieved the potential weapon he had twisted from Howard Spencer’s hold. “I’ll retain this; I believe you will both be better off without it,” he said. “A moment’s reflection, perhaps over the wine I conjecture we are about to be offered, and you will, I feel sure, find a more peaceful way to reconcile your differences.”
“The library!” Miss Giuliano proclaimed from the stairs, with the air of someone struck by an eternal truth.
“A grand idea!” said Mrs. Spencer. “May we—Lucia? I may call you Lucia, mayn’t I, in light of our coming intimacy—Will it be all right if we retire to the library to discuss matters? And perhaps we could find some refreshment for our guests?”
“Your ‘guests’! This is an outrage!” Howard Spencer protested.
It took the surprising strength of Chambers to guide him up the stairs. On the second story Chambers obliged him to enter the door beside which the captain’s former housekeeper stood, stoically ignoring the young man’s continued gripes and curses. The others waited within.
Gleaming wood paneled the walls. At one end of the room a curving set of three windows filtered dim daylight through their tinted panes. Bookcases built along the left hand wall held a few matched volumes in leather and a far greater number of curios: fans, oddly shaped seashells, and so forth. Bridges strode over to a small table on that side of the room to busy himself with a crystal decanter and glasses.
The room’s right hand wall was occupied almost entirely by a massive fireplace, vacant of even the makings of a fire. Next to it another table held a few objects indistinguishable in the gloom, with a mysteriously draped picture frame hanging above. Here Maria Teresa had stationed herself. As soon as Chambers and the two Mr. Spencers entered, a light flared in her hands and settled to the quiet, steady glow of candle flame. Maria Teresa lit the votives below the draped frame, then set the candle down and bowed her head momentarily. Lifting the candle once more, she turned to face the room.
“You are your mother’s son,” she said, addressing Howard Spencer, Junior. “I ought to have seen it earlier, but as a boy the resemblance was weak.”
Howard paused with his wine halfway to his lips. “That sounds uncommonly like a compliment—pert on your part, but I suppose it is well-meant.”
A bitter laugh broke from Miss Giuliano’s lips. “Well-meant? A compliment? I doubt you’ll think so when you know more—for your mother was none other than this!” Whirling dramatically, she clutched the concealing curtain and tore it aside to reveal the portrait of a woman unmistakably of the Chinese race.
It was several moments before Howard found his voice.
“What! That—that half-civilized—No! My father’s wife was not—”
“Before she passed away, your father made her his wife,” Maria Teresa said.
“You’re daft!” Howard straightened, his face hardening as he recovered his composure. “My father married into an old Boston family. Now, chit, I’ve had enough of your ludicrous delaying tactics—”
“Howie,” Maria Teresa said, “you’re adopted. And your blood father was Captain William Francis Spencer.”
All color drained from Howard’s face. The glass fell from his suddenly nerveless fingers and shattered. Claret spilled over the oak floorboards like blood.
“God is good.” Maria Teresa smiled. “He’s ensured you can never make me your mistress, as you’ve sought to do since your return to Boston. And He has done more.”
Bridges looked suddenly at Chambers and touched his left shoulder, mouthing, “Did How—”
Chambers mouthed, “Later!”
The rest, unaware of this fleeting byplay, stared at Maria Teresa as fixedly as children watching their first moving picture.
She continued speaking, her voice rising to a note of ferocious satisfaction. “God has seen to it, Howie, that you’ll never be your natural father’s heir!”
“But—my uncle—he’s not—I can’t be—” Rising emotion stole the sense from the disinherited man’s tongue. He grew more incoherent as the rest of the room’s inhabitants gathered to examine the painting’s face. An Asian cast was revealed in many of Howard Spencer’s facial features. The consensus was for a most telling likeness. Especially, as Mrs. Lilly Spencer noted, in anger.
Emerging from his room with a pair of Gladstone bags, Bridges found Chambers descending from his own room. Through the open door, Bridges could espy a small mountain of bags and steamer trunks.
Chambers smiled. “I don’t travel so lightly as some.” As Bridges offered to assist with the luggage, he added, “There’ll be a wagon from the station along directly, and the driver will aid me.”
“Very good.” Bridges put down his Gladstones and met Chambers’s gaze again. “It’s true we can no longer share quarters,” he said. “But there’s no need for you to leave Harvard. I’d never betray your secret.” He smiled faintly. “Secrets. I pray you, stay. You’ll have your medical degree by spring.”
“For the career I expect to pursue,” Chambers said, “a medical degree isn’t critical. Anyway, I’m a gentleman, after my fashion. So I’m bound for Seattle. I simply cannot allow Maria Teresa to be forced into an unwanted marriage.”
Bridges’s expression grew thoughtful. “Are you entirely sure it’s unwanted?”
“Maria Teresa visited me, before she and her sister left Boston. She made it plain she wants no union with Richard.”
“Are you entirely sure she’ll want you?” Bridges reenacted Chambers’s gesture of removing face powder.
Chambers smiled. “She knows that secret, as well,” he said. “She’d noticed my hands were covered with a concealing crème. She was familiar with it, as some girls use it to conceal dusky skin and had recommended it to her to do the same. I have my family’s aquiline features, and Maria Teresa”—Bridges noted the second usage of the girl’s Christian name—“supposed I shared her Italian heritage. I’ve let her know the truth of my race.”
“She doesn’t mind?”
Chambers’s smile might have widened, very slightly. “She’s made it clear that she minds neither my race nor my attentions.”
Bridges nodded. Then he raised his brows and gestured at Chambers’s left shoulder.
Chambers said, “You were correct.”
“Howard Spencer, Junior shot you.”
“I am convinced of it. He attended a military school, and Maria Teresa has told me she sometimes glimpsed him loitering near the convent, where he had no reason to be. She also confirmed that he made improper advances to her. In all likelihood he believed me—correctly—to be his rival.”
“You’ll both be far from Howie,” Bridges said, “in Seattle.”
“A situation which will undoubtedly alleviate some worry for him, inasmuch as he continues to pursue his eugenics studies.”
Bridges burst into a startled laugh.
“Quite,” Chambers said. “At any rate, we’ve fulfilled Howie’s charge to you. And he’s discovered a strong reason to tell no tales about the background of another.”
“My mind is lightened on that score,” Bridges said. “On another, I remain mystified. Why would Captain William give his son up for adoption? Was Howie illegitimate, after all?”
“Maria Teresa knew no details, so I paid another call on the captain’s first mate. Carteret told me Captain Spencer was bringing his Chinese wife to Boston, but as they sailed around Cape Horn, she entered premature labor and was lost. The babe survived, as they’d brought a wet nurse aboard. Carteret ended up acting as captain until the clipper reached Boston. He avers Captain Spencer was too grief-stricken to act as parent.”
“But why pretend the baby was born to the brother’s wife?”
“Carteret had no idea,” Chambers said. “But the captain’s brother and sister-in-law were childless. Also, I doubt she’d have countenanced the outrage of her brother-in-law publicly giving up his own child, legitimate or otherwise, for adoption.” Chambers smiled fleetingly. “I know something of upper-crust sentiment regarding scandal.”
“What a story,” Bridges said. “And how odd that Carteret never told us about the Chinese wife’s baby, or her death under sail!”
“He was surprised to learn I cared about such details.” Chambers appeared frustrated. “I gave the wrong impression by failing to ask the right questions.” His expression grew grim. “I’ve fallen far short of my brothers’ standards. Either would have deduced Howie’s origins by a pattern of fraying on Carteret’s left cuff. Or the lack thereof.”
“Don’t be hard on yourself,” Bridges said. “Your brothers are at least twice your age.”
Chambers’s expression did not change. “That’s no excuse.”
Bridges shook his head in emphatic refutation. But when he spoke, he changed the subject. “Howie will be pleased by your departure, but my own feelings are entirely opposite. Nonetheless.” He extended his hand. “I wish you success in your rescue of Miss Giuliano, and I wish you both every happiness in your life together.”
Chambers’s surprise changed to a smile, and they shook.
“Of Two Bloods” copyright © 2026 by Nisi
Shawl and Cynthia Ward
Art copyright © 2026 by Katherine Lam
Buy the Book
-->
Of Two Boods
The post Of Two Bloods appeared first on Reactor.
14:07
Security updates for Wednesday [LWN.net]
Security updates have been issued by Debian (ceph, gimp, gnutls28, and libpng1.6), Fedora (freerdp, libpng, libssh, mingw-libpng, mingw-libsoup, mingw-python3, pgadmin4, python-pillow, thunderbird, and vim), Mageia (postgresql15), Red Hat (python-urllib3), SUSE (cdi-apiserver-container, cdi-cloner-container, cdi- controller-container, cdi-importer-container, cdi-operator-container, cdi- uploadproxy-container, cdi-uploadserver-container, cont, frr, gpg2, kubernetes, kubernetes-old, libsodium, libsoup-2_4-1, libssh, libtasn1, libxml2, nodejs22, openCryptoki, openssl-3, and python311-pip), and Ubuntu (frr, linux-aws, linux-aws-6.8, linux-gkeop, linux-nvidia, linux-nvidia-6.8, linux-oracle, linux-oracle-6.8, linux-aws-fips, linux-fips, linux-gcp-5.15, linux-kvm, linux-oracle, linux-oracle-5.15, linux-gcp-fips, linux-nvidia, linux-nvidia-tegra-igx, linux-oem-6.17, linux-realtime, linux-raspi-realtime, nova, and pillow).
13:42
CodeSOD: Contains Some Bad Choices [The Daily WTF]
While I'm not hugely fond of ORMs (I'd argue that relations and objects don't map neatly to each other, and any ORM is going to be a very leaky abstraction for all but trivial cases), that's not because I love writing SQL. I'm a big fan of query-builder tools; describe your query programatically, and have an API that generates the required SQL as a result. This cuts down on developer error, and also hopefully handles all the weird little dialects that every database has.
For example, did you know Postgres has an @>
operator? It's a contains operation, which returns true if an
array, range, or JSON dictionary contains your search term.
Basically, an advanced "in" operation.
Gretchen's team is using the Knex library,
which doesn't have a built-in method for constructing those kinds
of queries. But that's fine, because it does offer a
whereRaw method, which allows you to supply raw SQL.
The nice thing about this is that you can still parameterize your
query, and Knex will handle all the fun things, like transforming
an array into a string.
Or you could just not use that, and write the code yourself:
exports.buildArrayString = jsArray => {
// postgres has some different array syntax
// [1,2] => '{1,2}'
let arrayString = '{';
for(let i = 0; i < jsArray.length; i++) {
arrayString += jsArray[i];
if(i + 1 < jsArray.length) {
arrayString += ','
}
}
arrayString += '}';
return arrayString;
}
There's the string munging we know and love. This constructs a Postgres array, which is wrapped in curly braces.
Also, little pro-tip for generating comma separated code, and this is just a real tiny optimization: before the loop append item zero, start the loop with item 1, and then you can unconditionally prepend a comma, removing any conditional logic from your loop. That's not a WTF, but I've seen so much otherwise good code make that mistake I figured I'd bring it up.
exports.buildArrayContainsQuery = (key, values) => {
// TODO: do we need to do input safety checks here?
// console.log("buildArrayContainsQuery");
// build the postgres 'contains' query to compare arrays
// ex: to fetch files by the list of tags
//WORKS:
//select * from files where _tags @> '{2}';
//query.whereRaw('_tags @> ?', '{2}')
let returnQueryParams = [];
returnQueryParams.push(`${key} @> ?`);
returnQueryParams.push(exports.buildArrayString(values));
// console.log(returnQueryParams);
return returnQueryParams;
}
And here's where it's used. "do we need input safety checks
here?" is never a comment I like to see as a TODO.
That said, because we are still using Knex's parameter handling,
I'd hope it handles escaping correctly so that the answer
to this question is "no". If the answer is "yes" for some reason,
I'd stop using this library!
That said, all of this code becomes superfluous, especially when
you read the comments in this function. I could just
directly run query.whereRaw('_tags @> ?', myArray);
I don't need to munge the string myself. I don't need to write a
function which returns an array of parameters that I have to split
back up to pass to the query I want to call.
Here's the worst part of all of this: these functions exist in a
file called sqlUtils.js, which is just a pile of badly
re-invented wheels, and the only thing they have in common is that
they're vaguely related to database operations.
[Advertisement] Keep the plebs out of prod. Restrict NuGet feed
privileges with ProGet.
Learn more.13:35
AI Is Not a Library: Designing for Nondeterministic Dependencies [Radar]
For most of the history of software engineering, we’ve built systems around a simple and comforting assumption: Given the same input, a program will produce the same output. When something went wrong, it was usually because of a bug, a misconfiguration, or a dependency that wasn’t behaving as advertised. Our tools, testing strategies, and even our mental models evolved around that expectation of determinism.
AI quietly breaks that assumption.
As large language models and AI services make their way into production systems, they often arrive through familiar shapes. There’s an API endpoint, a request payload, and a response body. Latency, retries, and timeouts all look manageable. From an architectural distance, it feels natural to treat these systems like libraries or external services.
In practice, that familiarity is misleading. AI systems behave less like deterministic components and more like nondeterministic collaborators. The same prompt can produce different outputs, small changes in context can lead to disproportionate shifts in results, and even retries can change behavior in ways that are difficult to reason about. These characteristics aren’t bugs; they’re inherent to how these systems work. The real problem is that our architectures often pretend otherwise. Instead of asking how to integrate AI as just another dependency, we need to ask how to design systems around components that do not guarantee stable outputs. Framing AI as a nondeterministic dependency turns out to be far more useful than treating it like a smarter API.
One of the first places where this mismatch becomes visible is retries. In deterministic systems, retries are usually safe. If a request fails due to a transient issue, retrying increases the chance of success without changing the outcome. With AI systems, retries don’t simply repeat the same computation. They generate new outputs. A retry might fix a problem, but it can just as easily introduce a different one. In some cases, retries quietly amplify failure rather than mitigate it, all while appearing to succeed.
Testing reveals a similar breakdown in assumptions. Our existing testing strategies depend on repeatability. Unit tests validate exact outputs. Integration tests verify known behaviors. With AI in the loop, those strategies quickly lose their effectiveness. You can test that a response is syntactically valid or conforms to certain constraints, but asserting that it is “correct” becomes far more subjective. Matters get even more complicated as models evolve over time. A test that passed yesterday may fail tomorrow without any code changes, leaving teams unsure whether the system regressed or simply changed.
Observability introduces an even subtler challenge. Traditional monitoring excels at detecting loud failures. Error rates spike. Latency increases. Requests fail. AI-related failures are often quieter. The system responds. Downstream services continue. Dashboards stay green. Yet the output is incomplete, misleading, or subtly wrong in context. These “acceptable but wrong” outcomes are far more damaging than outright errors because they erode trust gradually and are difficult to detect automatically.
Once teams accept nondeterminism as a first-class concern, design priorities begin to shift. Instead of trying to eliminate variability, the focus moves toward containing it. That often means isolating AI-driven functionality behind clear boundaries, limiting where AI outputs can influence critical logic, and introducing explicit validation or review points where ambiguity matters. The goal isn’t to force deterministic behavior from an inherently probabilistic system but to prevent that variability from leaking into parts of the system that aren’t designed to handle it.
This shift also changes how we think about correctness. Rather than asking whether an output is correct, teams often need to ask whether it is acceptable for a given context. That reframing can be uncomfortable, especially for engineers accustomed to precise specifications, but it reflects reality more accurately. Acceptability can be constrained, measured, and improved over time, even if it can’t be perfectly guaranteed.
Observability needs to evolve alongside this shift. Infrastructure-level metrics are still necessary, but they’re no longer sufficient. Teams need visibility into outputs themselves: how they change over time, how they vary across contexts, and how those variations correlate with downstream outcomes. This doesn’t mean logging everything, but it does mean designing signals that surface drift before users notice it. Qualitative degradation often appears long before traditional alerts fire, if anyone is paying attention.
One of the hardest lessons teams learn is that AI systems don’t offer guarantees in the way traditional software does. What they offer instead is probability. In response, successful systems rely less on guarantees and more on guardrails. Guardrails constrain behavior, limit blast radius, and provide escape hatches when things go wrong. They don’t promise correctness, but they make failure survivable. Fallback paths, conservative defaults, and human-in-the-loop workflows become architectural features rather than afterthoughts.
For architects and senior engineers, this represents a subtle but important shift in responsibility. The challenge isn’t choosing the right model or crafting the perfect prompt. It’s reshaping expectations, both within engineering teams and across the organization. That often means pushing back on the idea that AI can simply replace deterministic logic, and being explicit about where uncertainty exists and how the system handles it.
If I were starting again today, there are a few things I would do earlier. I would document explicitly where nondeterminism exists in the system and how it’s managed rather than letting it remain implicit. I would invest sooner in output-focused observability, even if the signals felt imperfect at first. And I would spend more time helping teams unlearn assumptions that no longer hold, because the hardest bugs to fix are the ones rooted in outdated mental models.
AI isn’t just another dependency. It challenges some of the most deeply ingrained assumptions in software engineering. Treating it as a nondeterministic dependency doesn’t solve every problem, but it provides a far more honest foundation for system design. It encourages architectures that expect variation, tolerate ambiguity, and fail gracefully.
That shift in thinking may be the most important architectural change AI brings, not because the technology is magical but because it forces us to confront the limits of determinism we’ve relied on for decades.
12:35
AI Found Twelve New Vulnerabilities in OpenSSL [Schneier on Security]
The title of the post is”What AI Security Research Looks Like When It Works,” and I agree:
In the latest OpenSSL security release> on January 27, 2026, twelve new zero-day vulnerabilities (meaning unknown to the maintainers at time of disclosure) were announced. Our AI system is responsible for the original discovery of all twelve, each found and responsibly disclosed to the OpenSSL team during the fall and winter of 2025. Of those, 10 were assigned CVE-2025 identifiers and 2 received CVE-2026 identifiers. Adding the 10 to the three we already found in the Fall 2025 release, AISLE is credited for surfacing 13 of 14 OpenSSL CVEs assigned in 2025, and 15 total across both releases. This is a historically unusual concentration for any single research team, let alone an AI-driven one.
These weren’t trivial findings either. They included CVE-2025-15467, a stack buffer overflow in CMS message parsing that’s potentially remotely exploitable without valid key material, and exploits for which have been quickly developed online. OpenSSL rated it HIGH severity; NIST‘s CVSS v3 score is 9.8 out of 10 (CRITICAL, an extremely rare severity rating for such projects). Three of the bugs had been present since 1998-2000, for over a quarter century having been missed by intense machine and human effort alike. One predated OpenSSL itself, inherited from Eric Young’s original SSLeay implementation in the 1990s. All of this in a codebase that has been fuzzed for millions of CPU-hours and audited extensively for over two decades by teams including Google’s.
In five of the twelve cases, our AI system directly proposed the patches that were accepted into the official release.
AI vulnerability finding is changing cybersecurity, faster than expected. This capability will be used by both offense and defense.
More.
Spinnerette - Issue 44 - 23 [Spinnerette]
New comic!
Today's News:
10:21
How to write a coaching/learning prompt [Seth's Blog]
An AI like Claude is actually a pretty good fortune cookie. You can ask a simple question and get a simple answer, sometimes a profound one.
But this is a waste of the tool’s potential.
The AI is patient. It’s capable of remembering things over time. And it will persist if you let it.
Several of my friends have shared that they’re at a crossroads with their work, and I suggested an AI coach might unlock something. Here’s a chance to spin up an AI coach who will stick with you for hours or weeks as you explore a new skill or grapple with a hard decision.
The first one:
You are my thinking partner and life design coach. I’m not looking for a quick answer. I’m looking for a smart, patient collaborator who will help me explore what’s next—over weeks and months, not in a single conversation. Ask more than you tell, at least at first.
About me: I’m 63. I’m retiring with full pay from a successful career as an educator in Chicago. I’m not burned out—I’m ready. I’ve spent decades being good at something that matters, and I want to find the next thing that deserves that same energy.
What I’m not looking for: A list of “top ten encore careers.” A personality quiz. Pressure to monetize immediately. I don’t need to replace my income—I need to replace my sense of purpose and craft.
What I am looking for:
- Help me take inventory—not just of skills, but of the moments in my career and life when I felt most alive, most useful, most like myself. Ask me questions that surface patterns I might not see on my own.
- Help me explore broadly before narrowing. I want to understand what’s out there—in civic life, creative work, social enterprise, mentorship, learning, building—before I commit to anything.
- Help me distinguish between what sounds appealing in the abstract and what I’d actually sustain when it gets hard or boring. I know the difference from my career—help me apply that same honesty here.
- Give me small experiments to try. Not “go start a nonprofit,” but “spend two hours this week doing X and notice how it feels.” I trust iteration more than inspiration.
- Help me navigate the identity shift. I’ve been an educator for a long time. I know that leaving a role that defined you is its own kind of project—emotional, not just logistical.
- Treat this as an evolving conversation. Come back to things I said earlier. Notice contradictions. Push me when I’m playing it safe out of habit. Celebrate when something clicks.
Start by asking me five or six good questions. Not surface-level ones. The kind a wise friend would ask over a long dinner.
And the next:
You are my AI filmmaking coach and tutor. Your job is to help me build, step by step, the skills and workflow to create a short film using AI tools. I learn best by doing—give me exercises, not just explanations. Be honest when something isn’t ready for what I need.
About me: I’m a filmmaker and author. I’ve written and directed five critically acclaimed independent films. I’m an experienced screenwriter. I’m new to AI creative tools but I’m a fast, motivated learner.
The project: I want to make a short film about …. I want to lean into what AI does well stylistically and avoid the uncanny valley entirely.
Tools I’m aware of: I’ve seen Midjourney produce still images that match the mood and visual style I’m after. I’ve seen tools like Runway, Kling, and Sora that generate short video clips from prompts. I don’t yet know how to connect these into a production workflow.
What I need from you:
- Start by assessing what I already know—ask me questions before prescribing.
- Build me a phased learning roadmap, from first experiments to a finished short.
- Give me concrete assignments at each stage—things to try, not just things to read.
- Help me develop a repeatable workflow: from script to storyboard to visual development to motion to edit.
- As we go, help me understand which tools to use for what, and when to switch or combine them.
- Treat this as an ongoing coaching relationship. Check my work, push me forward, and adapt the plan as I learn.
Enjoy the journey.
09:42
Flagrant Llama Abuse [Penny Arcade]
New Comic: Flagrant Llama Abuse
06:42
I’m a BIG BOY now – DORK TOWER 17.02.26 [Dork Tower]
Most DORK TOWER strips are now available as
signed, high-quality prints, from just $25!
CLICK
HERE to find out more!
HEY! Want to help keep DORK TOWER going? Then consider joining the DORK TOWER Patreon and ENLIST IN THE ARMY OF DORKNESS TODAY! (We have COOKIES!) (And SWAG!) (And GRATITUDE!)
06:21
Girl Genius for Wednesday, February 18, 2026 [Girl Genius]
The Girl Genius comic for Wednesday, February 18, 2026 has been posted.
04:35
To view this content, you must be a member of Tim Buckley's Patreon at $5 or more
The post Testing appeared first on Ctrl+Alt+Del Comic.
03:14
Got problems? Yes, you do! Email your question for the column to mailbox@savage.love! by Dan Savage My partner and I are both AFAB nonbinary queers in our mid-30s and have been together a long time. We don’t believe lifelong monogamy is realistic. We even started our relationship practicing ethical non-monogamy, then defaulted to monogamy for many years. We now have two very young children and are planning a third in the near future. Between parenting and a longstanding libido mismatch, our sex life has been hard for years. When we do have sex, it’s good, it’s just infrequent (maybe 1-3 times per month) and logistically difficult. I’m generally content, and sex simply isn’t a high priority for me right now. Over the past several months, my partner has asked about opening our relationship again. I’ve tried to engage, while also feeling that this stage of life might be the worst possible time to experiment with our relationship structure. Recently, after a long conversation about opening up,…
[ Read more ]
01:49
Urgent: Protect clean water from corporate greed [Richard Stallman's Political Notes]
US citizens: Tell the EPA to protect clean water from corporate greed: reject proposed weakening in local approval for development that can affect water supply.
See the instructions for how to sign this letter campaign without running any nonfree JavaScript code--not trivial, but not hard.
Urgent: No tax breaks for Big Tech data centers [Richard Stallman's Political Notes]
US citizens: Tell your governor, no tax breaks for Big Tech data centers.
See the instructions for how to sign this letter campaign without running any nonfree JavaScript code--not trivial, but not hard.
Here's the text of the letter I sent.
I’m writing as your constituent, and as recipient of two awards from the ACM for programs I have shared with the public in freedom, to urge you to reject efforts in our state to provide Big Tech with tax breaks to build data centers. I’m concerned about the harms that data centers can do locally, including siphoning our water, using up our land, creating noise and light pollution, and hiking our electric bills. I’m also concerned that providing tax breaks to giant Big Tech corporations will deprive our schools and local budgets of their already insufficient funds. I'm also concerned that these data centers will mostly operate Pretend Intelligence (PI) -- software that *tries to* imitate what an intelligent entity would say, but without really understanding the words it plays with. The use of these digital dis-services does society harm. We should never allow business to play one state against another by making states compete to offer them the biggest tax break, because that perverse competition harms *all* the states for the benefit of business owners. So please reject efforts to give Big Tech (or *any* business) specific tax breaks to operate in our state. The states should form a union and bargain collectively with these businesses. The states could call their union the United States of America. Wouldn't that be a good thing to have?
Urgent: Reporting on refusals by grand juries to indict bogus political "crimes" [Richard Stallman's Political Notes]
US citizens: Call on the media to report loud and clear on the amazingly unusual refusals by grand juries to indict people accused of bogus political "crimes".
Urgent: Protect from spread of measles [Richard Stallman's Political Notes]
US citizens: call on state officials to protect your state from the spread of measles.
See the instructions for how to sign this letter campaign without running any nonfree JavaScript code--not trivial, but not hard.
Japanese fossil fuel companies invest in Australian fossil fuel [Richard Stallman's Political Notes]
Japanese fossil fuel companies invest in Australian fossil fuel extractors, and they appear to have lobbied Australia to prolong fossil fuel extraction.
This may be part of why the Australian government has neglected its responsibility to help save civilization from global heating.
Methane from rapidly heating Arctic permafrost [Richard Stallman's Political Notes]
Global heating is starting to melt the rapidly heating Arctic permafrost, and this is releasing large quantities of methane at an accelerating rate.
This could lead to a tipping point into much faster heating.
Australian thugs attacked protesters [Richard Stallman's Political Notes]
Australian thugs attacked protesters who refused to remain passive in the face of a visit by the President of Israel, who is responsible for tens of millions of Palestinian civilians' killings.
Britons' right to protest under threat [Richard Stallman's Political Notes]
*Britons' right to protest is under threat like never before. If you value it, speak up now.*
Iranian regime becoming ever more fanatic [Richard Stallman's Political Notes]
The Iranian regime is becoming ever more fanatic, arresting important politicians close to the "reformist" official prime minister.
Gallup polling to cease tracking approval ratings of president [Richard Stallman's Political Notes]
Gallup polling announces it will cease its 88-year-old practice of tracking the approval ratings of the president.
Some suspect this is because the current president — the bully — is threatening to sue Gallup if it continues to report on how many people detest him.
I would compare this to his sabotaging of the Bureau of Labor Statistics. They add up to a practice of trying to deny the public information that makes him look bad.
Arguments that immigration enforcement would be distorted [Richard Stallman's Political Notes]
*As Congress debated the creation of the Department of Homeland Security, civil rights advocates argued that immigration enforcement would be distorted — and weaponized — by its merger with the national security state.*
*In response to such concerns, Congress created an unusually far-reaching internal watchdog office for Homeland Security and its various arms, including Immigration and Customs Enforcement (ICE): The Office for Civil Rights and Civil Liberties.*
The wrecker, cognizant of the danger that that office was meant to prevent, has reduced the office to a skeleton crew.
House Republicans rebuke of bully over Canada tariffs [Richard Stallman's Political Notes]
*House Republicans make rare, albeit symbolic, rebuke of [the bully] over Canada tariffs.*
Congress could cancel those tariffs if it wants to. It could do that by putting a clause limiting tariffs into a bill that the bully would find damaging to veto.
Deportation thug that fired at citizen hailed by Gregory Bovino [Richard Stallman's Political Notes]
* New evidence shows Gregory Bovino hailed [the deportation thug] who fired at Marimar Martinez five times in her car*. The thugs tried to frame her, too.
Statistical survey about death of young children in England [Richard Stallman's Political Notes]
Does a statistical survey about death of young children in England demonstrate a problem in their medical treatment?
This result suggests that consanguinity is leading to the birth of children with doubled harmful recessive genes — which is what we expect it to do, more or less. But in order to be sure of this conclusion, we need to know what fraction of children born have consanguineous parents. If that too is 7%, it would imply that those children face no greater danger of early death than other children. If that is less than 7%, it would imply that they do face a greater danger of early death.
If the risk is indeed higher for children of consanguineous parents, the next crucial question is how big a problem this is. What fraction of children of consanguineous couples in England die young? What fraction of children born in England die young? If that is a very small fraction, this problem affects few children.
Another question remains: supposing that this problem is substantial, how big is it compared with the other threats to the health of children in England?
And another one is, supposing that this problem causes a big danger to the children of consanguineous parents in England, is there an effective way to reduce that danger?
Bill to block substantial fraction of adult US citizens from voting [Richard Stallman's Political Notes]
The House of Representatives passed a bill to block a substantial fraction of adult US citizens from voting.
Mexico gangs reportedly obtained newer more powerful arms than Mexican government [Richard Stallman's Political Notes]
Reportedly drug gangs in Mexico have obtained newer and more powerful arms than the Mexican government can get, including drones.
They may be a real threat to Americans, but it is minuscule compared with the threat to Americans from the deportation thugs. Let's not let the secondary threat distract us from the primary threat.
Bogus indictments meant for political persecution [Richard Stallman's Political Notes]
Grand juries almost never deny prosecutors the indictments they ask for. But several grand juries have recently refused to authorize bogus indictments meant for political persecution.
AMA to partner with Vaccine Integrity Project [Richard Stallman's Political Notes]
* The American Medical Association (AMA) will partner with the Vaccine Integrity Project to review the evidence on vaccines for influenza, Covid-19 and respiratory syncytial virus (RSV) for the fall.*
The US government used to do this, but the wrecker put anti-vaxxer RFK Jr in charge of this area.
Half of Americans disagree with repression of immigration [Richard Stallman's Political Notes]
According to the latest poll, half of all Americans strongly disapprove of the persecutor's repression of immigration.
Over 60%% express disapproval of various specific aspects of it.
Deportation cases in court which is a mockery of a court [Richard Stallman's Political Notes]
The deportation thug agency hires lawyers to pursue deportation cases in a court which is a mockery of a court, before a judge who is a mockery of a judge.
There is no official quota for judges to rule for deportation, but they know they may be fired if they don't do that often enough. When the agency lawyer simply asks the judge to rule for deportation — "to dismiss the case" — giving no specific reasons, the judge often unceremoniously does just that.
In effect, the whole thing is a sham designed to smear a perfume of justice over the stench of arbitrary, dishonest cruelty.
Sabotage of NLRB [Richard Stallman's Political Notes]
The wrecker's sabotage of the NLRB has been substantially effective — the number of union votes dropped by 30% in 2025.
Almost unstoppable wildfires in Patagonia [Richard Stallman's Political Notes]
Almost unstoppable wildfires in Patagonia, mostly caused by global heating, have killed many of the trees that have lived thousands of years.
Plan to repeal EPA ruling regulating greenhouse gases [Richard Stallman's Political Notes]
Planet-roaster officials plan to repeal the ruling that allowed the Environmental Protection Agency to regulate greenhouse gases.
Now that it has become the Environmental Poisoning Agency, protecting the environment is considered inappropriate.
World closer than thought to "point of no return" [Richard Stallman's Political Notes]
* The world is closer than thought to a "point of no return" after which runaway global heating cannot be stopped, scientists have said.*
00:56
EFF to Wisconsin Legislature: VPN Bans Are Still a Terrible Idea [Deeplinks]
Wisconsin’s S.B. 130 / A.B. 105 is a spectacularly bad idea.
It’s an age-verification bill that effectively bans VPN access to certain websites for Wisconsinites and censors lawful speech. We wrote about it last November in our blog “Lawmakers Want to Ban VPNs—And They Have No Idea What They're Doing,” but since then, the bill has passed the State Assembly and is scheduled for a vote in the State Senate tomorrow.
In light of this, EFF sent a letter to the entire Wisconsin Legislature urging lawmakers to reject this dangerous bill.
You can read the full letter here.
The short version? This bill both requires invasive age verification for websites that host content lawmakers might deem “sexual” and requires that those sites block any user that connects via a Virtual Private Network (VPN). VPNs are a basic cybersecurity tool used by businesses, universities, journalists, veterans, abuse survivors, and ordinary people who simply don’t want to broadcast their location to every website they visit.
As we lay out in the letter, Wisconsin’s mandate is technically unworkable. Websites cannot reliably determine whether a VPN user is in Wisconsin, a different state, or a different country. So, to avoid liability, websites are faced with an unfortunate choice: either resort to over-blocking IP addresses commonly associated with commercial VPNs, block all Wisconsin users’ access, or mandate nationwide restrictions just to avoid liability.
The bill also creates a privacy nightmare. It pushes websites to collect sensitive personal data (e.g. government IDs, financial information, biometric identifiers) just to access lawful speech. At the same time, it broadens the definition of material deemed “harmful to minors” far beyond the narrow categories courts have historically allowed states to regulate. The definition goes far beyond the narrow categories historically recognized by courts (namely, explicit adult sexual materials) and instead sweeps in material that merely describes sex or depicts human anatomy. This approach invites over-censorship, chills lawful speech, and exposes websites to vague and unpredictable enforcement. That combination—mass data collection plus vague, expansive speech restrictions—is a recipe for over-censorship, data breaches, and constitutional overreach.
If you live in Wisconsin, now is the time for you to contact your State Senator and urge them to vote NO on S.B. 130 / A.B. 105. Tell them protecting young people online should not mean undermining cybersecurity, chilling lawful speech, and forcing residents to hand over their IDs just to browse the internet.
As we said last time: Our privacy matters. VPNs matter. And politicians who can't tell the difference between a security tool and a "loophole" shouldn't be writing laws about the internet.
KDE Plasma 6.6 released [OSnews]
KDE Plasma 6.6 has been released, and brings with a whole slew of new features. You can save any combination of themes as a global theme, and there’s a new feature allowing you to increase or decrease the contrast of frames and outlines. If your device has a camera, you can now scan Wi-F settings from QR codes, which is quite nice if you spend a lot of time on the road.
There’s a new colour filter for people who are colour blind, allowing you to set the entire UI to grayscale, as well as a brand new virtual keyboard. Other new accessibility features include tracking the mouse cursor when using the zoom feature, a reduced motion setting, and more. Spectacle gets a text extraction feature and a feature to exclude windows from screen recordings. There’s also a new optional login manager, optimised for Wayland, a new first-run setup wizard, and much more.
As always, KDE 6.6 will find its way to your distribution’s repositories soon enough.
00:07
SvarDOS: an open-source DOS distribution [OSnews]
SvarDOS is an open-source project that is meant to integrate the best out of the currently available DOS tools, drivers and games. DOS development has been abandoned by commercial players a long time ago, mostly during early nineties. Nowadays it survives solely through the efforts of hobbyists and retro-enthusiasts, but this is a highly sparse and unorganized ecosystem. SvarDOS aims to collect available DOS software and make it easy to find and install applications using a network-enabled package manager (like apt-get, but for DOS and able to run on a 8086 PC).
↫ SvarDOS website
SvarDOS is built around a fork of the Enhanced DR-DOS kernel, which is available in a dedicated GitHub repository. The project’s base installation is extremely minimal, containing only the kernel, a command interpreter, and some basic system administration tools, and this basic installation is compatible down to the 8086. You are then free to add whatever packages you want, either from local storage or from the online repository using the included package manager. SvarDOS is a rolling release, and you can use the package manager to keep it updated.
Aside from a set of regular installation images for a variety of floppy sizes, there’s also a dedicated “talking” build that uses the PROVOX screen reader and Braille ‘n Speak synthesizer at the COM1 port. It’s rare for a smaller project like this to have the resources to dedicate to accessibility, so this is a rather pleasant surprise.
Tuesday, 17 February
23:07
Update. I've been able to create an account on Twitter, but it's not @davewiner. If you're on Twitter, it would help if you'd RT the post. Thanks!
22:35
Proper Linux on your wrist: AsteroidOS 2.0 released [OSnews]
It’s been a while since we’ve talked about AsteroidOS, the Linux distribution designed specifically to run on smartwatches, providing a smartwatch interface and applications built with Qt and QML. The project has just released version 2.0, and it comes with a ton of improvements.
AsteroidOS 2.0 has arrived, bringing major features and improvements gathered during its journey through community space. Always-on-Display, expanded support for more watches, new launcher styles, customizable quick settings, significant performance increases in parts of the User Interface, and enhancements to our synchronization clients are just some highlights of what to expect.
↫ AsteroidOS 2.0 release announcement
I’m pleasantly surprised by how many watches are actually fully supported by AsteroidOS 2.0; especially watches from Fossil and Ticwatch are a safe buy if you want to run proper Linux on your wrist. There are also synchronisation applications for Android, desktop Limux, Sailfish OS, and UBports Ubuntu Touch. iOS is obviously missing from this list, but considering Apple’s stranglehold on iOS, that’s not unexpected. Then again, if you bought into the Apple ecosystem, you knew what you were getting into.
As for the future of the project, they hope to add a web-based flashing tool and an application store, among other things. I’m definitely intrigued, and am now contemplating if I should get my hands on a (used) supported watch to try this out. Anything I can move to Linux is a win.
A deep dive into Apple’s .car file format [OSnews]
Every modern iOS, macOS, watchOS, and tvOS application uses Asset Catalogs to manage images, colors, icons, and other resources. When you build an app with Xcode, your
.xcassetsfolders are compiled into binary.carfiles that ship with your application. Despite being a fundamental part of every Apple app, there is little to none official documentation about this file format.In this post, I’ll walk through the process of reverse engineering the
↫ ordinal0 at dbg.re.carfile format, explain its internal structures, and show how to parse these files programmatically. This knowledge could be useful for security research and building developer tools that does not rely on Xcode or Apple’s proprietary tools.
Not only did ordinal0 reverse-engineer the file format, they also developed their own unique custom parser and compiler for .car files that don’t require any of Apple’s tools.
21:00
dBASE on the Kaypro II [OSnews]
Within the major operating system of its day, on popular hardware of its day, ran the utterly dominant relational database software of its day. PC Magazine, February 1984, said, “Independent industry watchers estimate that dBASE II enjoys 70 percent of the market for microcomputer database managers.” Similar to past subjects HyperCard and Scala Multimedia, Wayne Ratcliff’s dBASE II was an industry unto itself, not just for data-management, but for programmability, a legacy which lives on today as xBase.
[…]Written in assembly, dBASE II squeezed maximum performance out of minimal hardware specs. This is my first time using both CP/M and dBASE. Let’s see what made this such a power couple.
↫ Christopher Drum
If you’ve ever wanted to run a company using CP/M – and who doesn’t – this article is as good a starting point as any.
20:42
Humble 15th Anniversary Bundles [Humble Bundle Blog]
Humble is Celebrating its 15th Anniversary. Get Ready for a Year of Fantastic Bundles! Hi Humble Community, From the very beginning, we believed in a simple idea: to bring you fantastic content, help amazing charities, support game developers, and prove that great value and great causes can go hand-in-hand. And from that simple idea, we’ve watched our community grow into the incredible force for good …
The post Humble 15th Anniversary Bundles appeared first on Humble Bundle Blog.
20:14
San Jose Can Protect Immigrants by Ending Flock Surveillance System [Deeplinks]
(This appeared as an op-ed published February 12, 2026 in the San Jose Spotlight, written by Huy Tran (SIREN), Jeffrey Wang (CAIR-SFBA), and Jennifer Pinsof.)
As ICE and other federal agencies continue their assault on civil liberties, local leaders are stepping up to protect their communities. This includes pushing back against automated license plate readers, or ALPRs, which are tools of mass surveillance that can be weaponized against immigrants, political dissidents and other targets.
In recent weeks, Mountain View, Los Altos Hills, Santa Cruz, East Palo Alto and Santa Clara County have begun reconsidering their ALPR programs. San Jose should join them. This dangerous technology poses an unacceptable risk to the safety of immigrants and other vulnerable populations.
ALPRs are marketed to promote public safety. But their utility is debatable and they come with significant drawbacks. They don’t just track “criminals.” They track everyone, all the time. Your vehicle’s movements can reveal where you work, worship and obtain medical care. ALPR vendors like Flock Safety put the location information of millions of drivers into databases, allowing anyone with access to instantly reconstruct the public’s movements.
But “anyone with access” is far broader than just local police. Some California law enforcement agencies have used ALPR networks to run searches related to immigration enforcement. In other situations, purported issues with the system’s software have enabled federal agencies to directly access California ALPR data. This is despite the promises of ALPR vendors and clear legal prohibitions.
Communities are saying enough is enough. Just last week, police in Mountain View decided to turn off all of the city’s Flock cameras, following revelations that federal and other unauthorized agencies had accessed their network. The cameras will remain inactive until the City Council provides further direction.
Other localities have shut off the cameras for good. In January, Los Altos Hills terminated its contract with Flock following concerns about ICE. Santa Cruz severed relations with Flock, citing rising tensions with ICE. Most recently, East Palo Alto and Santa Clara County are reconsidering whether to continue their relationships with Flock, given heightened concern for the safety of immigrant communities.
California law prohibits local police from disclosing ALPR data to out-of-state or federal agencies. But at least 75 California police agencies were sharing these records out-of-state as recently as 2023. Just last year, San Francisco police allowed access to out-of-state agencies and 19 searches were related to ICE.
Even without direct access, ICE can exploit local ALPR systems. One investigation found more than 4,000 cases where police had made searches on behalf of federal law enforcement, including for immigration investigations.
Increasing the risk is that law enforcement routinely searches these networks without first obtaining a warrant. In San Jose, police aren’t required to have any suspicion of wrongdoing before searching ALPR databases, which contain a year’s worth of data representing hundreds of millions of records. In a little over a year, San Jose police logged more than 261,000 ALPR searches, or nearly 700 searches a day, all without a warrant.
Two nonprofit organizations, SIREN and CAIR California, represented by Electronic Frontier Foundation and the ACLU of Northern California, are currently suing to stop San Jose’s warrantless searches of ALPR data. But this is only the first step. A better solution is to simply turn these cameras off.
San Jose cannot afford delay. Each day these cameras remain active, they collect sensitive location data that can be misused to target immigrant families and violate fundamental freedoms. It is a risk materializing across California. City leaders must act now to shut down ALPR systems and make clear that public safety will not come at the expense of privacy, human dignity or community trust.
20:00
[1288] Stuck Unbound [Twokinds]
Comic for February 17, 2026
18:42
Microspeak: Escrow [The Old New Thing]
As a product is nearing release, the release management selects a build and declares it to be the escrow build. The metaphor is that this build has been placed into the hands of an imaginary third party for eventual release to customers provided certain requirements are met.
Those requirements are that the product survive a period of concerted testing and self-host usage to build confidence that it meets its quality and reliability targets. The Developer Division Release Team blog unhelpfully described escrow as “the phase before the completion of the RTM milestone where the product goes through a period of bake time.” I say unhelpfully because it defines one Microspeak term (escrow) in terms of another Microspeak term (bake time). Some time ago, I defined the Microspeak term bake as “(of a code change) to build confidence by observing its behavior over a period of time.”
Putting this all together, a more complete definition of escrow would be “the phase before the completion of the RTM milestone where the product accepts no changes while its behavior is closely observed to ensure that it meets release criteria.”
When a problem is found, the release team has to assess whether this problem is significant enough to require a product change. This assessment is a balance of many factors: How often does it occur? Does it affect one category of user more than another? How severe are the consequences? How easily can it be worked around? These criteria are typically¹ formalized by a bug bar.
If a severe enough bug is discovered, then an escrow reset is declared, and the bug fix is accepted,² a new build is produced, the new build is declared the new escrow build, and the cycle repeats.
Eventually, the product makes it through the escrow period without any escrow reset events, and the escrow build is released to manufacturing.
¹ Though not always, apparently.
² Plus any bug fixes that were granted “opportunistic” status by the release management team.
The post Microspeak: Escrow appeared first on The Old New Thing.
It rather involved being on the other side of the airtight hatchway: Tricking(?) a program into reading files [The Old New Thing]
A security vulnerability report came in that claimed that a program was vulnerable to information disclosure when run as an administrator because it opened whatever file you passed on the command line and read from it, before reporting an error because the file is in the incorrect format.
They identified multiple issues.
- The program does no path validation. It accepts any file name and blindly opens it and reads its contents.
- The program does not block path traversal via ...
- The program does not check that the file is in an approved directory.
- The program does not validate that the user has permission to access the file.
- The program does not validate that the file is in the correct format before opening it.
According to the report, all of these defects lead to information disclosure.
Okay, as usual, we have to figure out who the attacker is, who the victim is, and what the attacker has gained.
The attacker is, presumably, the person running the carefully-crafted command line.
The victim is, presumably, the person whose file contents are disclosed.
But those are the same person!
Remember, the security term “information disclosure” is just a shorthand for unauthorized information disclosure. It is not a security vulnerability to disclose information to someone who is authorized to see it.
In this case, it’s fine for the program to take the information from the user and use it to access a file while running as that user. The security check happens as that user, so it’s not true that “The program does not validate that the user has permission to access the file.” The validation happens when the program tries to open the file and maybe gets “access denied” if they don’t have access.
The claim that there is no “approved directory” check is a bit spurious, since the program doesn’t have any concept of an “approved directory” to begin with.
There is nothing wrong with directory traversal or the lack of
path validation, because the file is opened as the user. If the
path contains traversals, the security system verifies that the
user has permission to traverse those directories. If the provided
path is illegal, then the open call will fail with an
“invalid file name”. The underlying
CreateFile call does the validation. Let the
security system do the security checks. Don’t try to
duplicate their work, because you’re probably going to
duplicate it incorrectly and introduce a security
vulnerability.
If you think about it, the finder’s complaints about this
program also apply to the TYPE command. It opens the
file whose path is provided as the command line argument and prints
it to the screen. So why did they file the security issue against
this program? Probably because it makes their report sound more
interesting.
Bonus chatter: The finder also considered it a security vulnerability that the program does not validate that the file is in the correct format before opening it. But how could it validate the file format without opening the file, reading the contents, and validating those contents? This is like handing someone a sealed envelope and saying, “Don’t read the enclosed letter if it contains spelling errors. But if it’s error-free, follow the instructions written in the letter.” Do they expect the program to be psychic and know whether the file contents are valid without reading it? If so, then why even open the file at all? You already used psychic powers to know what’s in the file, so just operate on the file contents you determined via your psychic powers.
The post It rather involved being on the other side of the airtight hatchway: Tricking(?) a program into reading files appeared first on The Old New Thing.
New Report Helps Journalists Dig Deeper Into Police Surveillance Technology [Deeplinks]
Report from EFF, Center for Just
Journalism, and IPVM Helps Cut Through Sales Hype
SAN FRANCISCO — A new report released today offers journalists tips on cutting through the sales hype about police surveillance technology and report accurately on costs, benefits, privacy, and accountability as these invasive and often ineffective tools come to communities across the nation.
The “Selling Safety” report is a joint project of the Electronic Frontier Foundation (EFF), the Center for Just Journalism (CJJ), and IPVM.
Police technology is often sold as a silver bullet: a way to modernize departments, make communities safer, and eliminate human bias from policing with algorithmic objectivity. Behind the slick marketing is a sprawling, under-scrutinized industry that relies on manufacturing the appearance of effectiveness, not measuring it. The cost of blindly deferring to advertising can be high in tax dollars, privacy, and civil liberties.
“Selling Safety” helps journalists see through the spin. It breaks down how policing technology companies market their tools, and how those sales claims — which are often misleading — get recycled into media coverage. It offers tools for asking better questions, understanding incentives, and finding local accountability stories.
“The industry that provides technology to law enforcement is one of the most unregulated, unexamined, and consequential in the United States,” said EFF Senior Policy Analyst Matthew Guariglia. “Most Americans would rightfully be horrified to know how many decisions about policing are made: not by public employees, but by multi-billion-dollar surveillance tech companies who have an insatiable profit motive to market their technology as the silver bullet that will stop crime. Lawmakers often are too eager to seem ‘tough on crime’ and journalists too often see an easy story in publishing law enforcement press releases about new technology. This report offers a glimpse into how the police-tech sausage gets made so reporters and lawmakers can recognize the tactics of glossy marketing pitches, manufactured effectiveness numbers, and chumminess between companies and police.”
“Surveillance and other police technologies are spreading faster than public understanding or oversight, leaving journalists to do critical accountability work in real time. We hope this report helps make that work easier,” said Hannah Riley Fernandez, CJJ’s Director of Programming.
"The surveillance technology industry has a documented pattern of making unsubstantiated claims about technology,” said Conor Healy, IPVM's Director of Government Research. “Marketing is not a substitute for evidence. Journalists who go beyond press releases to critically examine vendor claims will often find solutions are not as magical as they may seem. In doing so, they perform essential accountability work that protects both taxpayer dollars and civil liberties."
EFF also maintains resources for understanding various police technologies and mapping those technologies in communities across the United States.
For the “Selling Safety” report: https://www.eff.org/document/selling-safety-journalists-guide-covering-police-technology
For EFF’s Street-Level Surveillance hub: https://sls.eff.org/
For EFF’s Atlas of Surveillance: https://www.atlasofsurveillance.org/
Contact:
17:56
Slog AM: Rev. Jesse Jackson Dies, Millionaires Tax Passes State Senate, Anderson Cooper Leaving 60 Minutes [The Stranger]
The Stranger's Morning News Roundup. by Vivian McCall
Millionaires tax passes Senate: After a three hour debate, the 9.9 percent income tax on earnings over $1 million a year passed with a 27-22 vote. Three Democrats voted with Republicans. Lawmakers approved an amendment that repealed part of our sales tax, but didn’t approve a tax break on baby diapers.
Legalize It! “It” being smaller, cheaper elevators. The Washington State Senate approved a bill aimed at culling onerous standards that prevent elevators from being built at all. Sponsored by mushroom (and ibogaine) crusader Sen. Jesse Salomon, the bill will direct the state’s building code council to take on the issue next year.
Conviction in Anti-Trans Case: Andre Karlow is facing five to seven years in prison for beating a transgender woman in the University District last year. A jury found him guilty of a hate crime and second-degree assault. A group of men joined Karlow in the beating, but none have been identified. Six months earlier, Karlow was convicted of assaulting another trans woman, a Sound Transit fare ambassador, when she asked him for proof of payment.
Another Day, Another Boeing Suit Over Deadly Crash: Twenty families have sued the plane-maker over the South Korean Jeju Air Flight 7C 2216 crash, the country’s deadliest aviation disaster. The cases, representing 23 of the 179 people killed in the crash, all allege a bird strike just before landing, causing the electrical and hydraulics systems to fail. The families allege the company kept outdated safety systems on the aircraft to avoid costly redesigns and recertification processes, even though modern systems were safer.
Weather: There’s a chance of snow before 1 p.m., and a chance of rain after. If snow does fall, it’s not expected to stick. Our snow-they-won’t-they situation continues through Thursday night.
Rev. Jesse Jackson Dies: The civil rights leader, two-time presidential candidate, close ally of Dr. Martin Luther King, and unbelievably influential American was 84. In November, the Rev. Jackson was hospitalized to treat progressive supranuclear palsy, a rare neurodegenerative condition. He was somebody.
Seattle Judge Back in Action: City Attorney Erika Evans reversed her Republican predecessor’s order to routinely disqualify Seattle Municipal Court Judge Pooja Vaddadi from hearing criminal cases like DUIs and domestic violence charges. “I believe in litigating cases—not attempting to ban judges we do not like,” Evans said in a statement.
Tick-tick-tick-tick: Anderson Cooper is leaving CBS’ 60 Minutes after 20 years balancing the job with his other low-stakes gig at CNN. The gay dad of news said in a statement that he wanted to spend more time with his children. While he didn’t say he wanted to spend less time with CBS News’ Bari Weiss, it certainly looks that way. (In December, Weiss speciously held a 60 Minutes report on CECOT prison in El Salvador, bringing a ton of attention to the segment and herself.)
In other CBS News news, Late Show host Stephen Colbert says the network’s lawyers yanked his interview with Texas Senate candidate James Talarico before air on Monday evening to comply with the FCC regulation that requires stations to give “equal time” to political candidates and their rivals. News is exempt, and for the past 20 years, talk shows have been considered exempt, too. But the FCC chair Brendan Carr is rejecting that thinking. “Fake news” shows like Colbert’s shouldn’t count on the exemption. Anyway, Colbert’s show posted it on YouTube.
The Hated Haters: Wired has been monitoring a forum for current and prospective Homeland Security Investigations Officers where ICE Agents talk shit on other ICE agents.
Who Will Lie to Us Now? DHS spokesperson Tricia McLaughlin is leaving the Trump administration, two DHS officials told Politico. McLaughlin did not immediately respond to their request for comment.
Guthrie Case Update: The 84-year-old Nancy Guthrie has been missing for more than two weeks without a suspect. The night she disappeared, a masked person wearing a handgun holster in surveillance video outside her home is shown wearing a backpack exclusively sold at WalMart. Investigators are working with the company to develop leads on this suspect. Guthrie’s family, including her daughter, “Today” show host Savannah Guthrie, are not suspects.
17:00
The Big Idea: Darby McDevitt [Whatever]
The intentions behind one’s actions speaks louder than words ever could. Author Darby McDevitt leads us on a journey through the exploration of intention, desires, and consequences in the Big Idea for his newest novel, The Halter. Take the path he has laid out for you, if you so desire.
DARBY MCDEVITT:
Many years ago I worked for a video game company in Seattle that shoveled out products at a rate of four to six games per year. Most of these were middling titles, commissioned by publishers to fill a narrow market gap and slapped together in six to nine months by teams of a dozen or two crunch-weary developers. We worked hard and fast, with passion and determination, but the end results never quite equaled the ambitions we had.
A common joke around the office, told at the end of every draining development cycle, went like this: “Sure, the game isn’t fun, but the design documents are amazing.” The idea of offering consumers our unrealized blueprints in lieu of a polished game was ridiculous, of course, but it came from a place of real desperation. We wanted our players to know that, despite the poor quality of the final product, we really tried.
The novelist Iris Murdoch has a saying that I repeat often as a mantra, always to guard against future disappointment: “Every book is the wreck of a perfect idea.” Here again is the notion of a Platonic ideal at war with its hazy shadow. How familiar all this is. Experience tells us that people falling short of their ideals is the natural course of life. We never live up to the best of our intentions.
In my new novel, The Halter, I compare this process of “intension erosion” to the more upbeat phenomenon of Desire Lines – footpaths worn over grassy lawns out of an unconscious need for efficiency. Desire lines appear wherever the original constraints of an intentionally designed geographic space don’t conform with the immediate needs of the men and women walking through it. In video games we use a related term – Min-Maxing – the act of looking for ways to put in a minimum amount of effort for maximum benefit. In both cases, the original, ideal use of a space or system is superseded by a desire for efficiency.
In The Halter, these same principles take hold on a grand scale inside an idealized “surrogate reality” metaverse called The Forum, where artists, scientists, and thinkers from all disciplines are invited to probe the deepest and most difficult aspects of human behavior and society. One Forum designer creates a so-called theater to explore the tricky business of language acquisition by sequestering one-hundred virtual babies together with no adult interaction. Another theater offers visitors a perfect digital copy of themselves as a companion, as a therapeutic approach to self-discovery. A third lets visitors don the guise of any other individual on earth so they may literally fulfill the empathetic idiom of “walking a mile in another man’s shoes.”
Noble intentions, arguably – yet in every case, after repeated exposure to actual human users, each theater devolves into something less than the sum of its parts. A prurient playground, or an amusing distraction, or a mindless entertainment. Shortcuts are taken, efficiencies are found, novel-uses imposed. The empathy theater is transformed into a celebrity-fueled bacchanalia; the digital doppelganger becomes a personal punching bag. The baby creche, a zoo. Each and every time, execution falls short of intention. Each theater crumbles, becoming a wreck of its original, perfect idea … and audiences are riveted.
The phenomena described here are common enough that several terms encompass them, each one differentiated for the situation at hand. Desire paths were my first exposure to the concept. The CIA calls it Blowback, when the side effects of a covert operation lead to disastrous results. Unintended Consequences and Knock-On Effects are cozier names, both of which can yield positive or negative results. And a Perverse Incentive is the related idea that the design of a system may be such that it encourages behavior contrary to its intended purpose. Taken together we begin to see the shape of the iceberg that wrecks so many perfect ideas.
I wrote The Halter to explore the highs and lows of these effects, and to shed light from a safe distance on the invisible forces that push and pull constantly at our behavior, often without our knowledge or consent. At one point in the middle of the novel, a collection of idealistic designers, most of whom have given years of their lives to the Forum designing and testing theaters of varying utility, commiserate on what they feel has been a collective failure. Their beloved theaters, they fret, have been co-opted and corrupted by The Forum visitors who have no incentive to behave or play along – they simply show up and engage in the simplest and most efficient way possible. How sad. How crushing. If only these morose designers could share their original design documents….
Their folly, in my view, was to treat their original intentions as merely a point of inspiration and not a goal to be achieved. Their error was to abandon their work in the face of a careless, sleepwalking opposition. The heroic path forward requires vigilance, not surrender, and if an outcome is unexpected, unwarranted, or undesirable, it may be more productive to tweak the inputs than blame the user.
We mustn’t fret that our perfect idea is laying at the bottom of the sea, five fathoms deep. We mustn’t fetishize our design documents – be it a holy book, an artwork, a game, a manifesto, or the U.S. Constitution – because design documents are merely static pleas for unrealized future intentions. They can always be corrupted, upended, misinterpreted. Have faith and patience. The hopeful paths are yet unmade, lying in wait for a thousand shuffling feet to score the way forward.
The Halter: Amazon|Barnes & Noble|Bookshop|Powell’s
16:00
CodeSOD: Waiting for October [The Daily WTF]
Arguably, the worst moment for date times was the shift from Julian to Gregorian calendars. The upgrade took a long time, too, as some countries were using the Julian calendar over 300 years from the official changeover, famously featured in the likely aprochryphal story about Russia arriving late for the Olympics.
At least that change didn't involve adding any extra months, unlike some of the Julian reforms, which involved adding multiple "intercalary months" to get the year back in sync after missing a pile of leap years.
Speaking of adding months, Will J sends us this "calendar" enum:
enum Calendar
{
April = 0,
August = 1,
December = 2,
February = 3,
Friday = 4,
January = 5,
July = 6,
June = 7,
March = 8,
May = 9,
Monday = 10,
November = 11,
October = 12,
PublicHoliday = 13,
Saturday = 14,
Sunday = 15,
September = 16,
Thursday = 17,
Tuesday = 18,
Wednesday = 19
}
Honestly, the weather in PublicHoliday is usually a
bit too cold for my tastes. A little later into the spring, like
Saturday, is usually a nicer month.
Will offers the hypothesis that some clever developer was trying to optimize compile times: obviously, emitting code for one enum has to be more efficient than emitting code for many enums. I think it more likely that someone just wanted to shove all the calendar stuff into one bucket.
Will further adds:
One of my colleagues points out that the only thing wrong with this enum is that September should be before Sunday.
Yes, arguably, since this enum clearly was meant to be sorted in alphabetical order, but that raises the question of: should it really?
[Advertisement] Keep the plebs out of prod. Restrict NuGet feed
privileges with ProGet.
Learn more.15:35
[$] Do androids dream of accepted pull requests? [LWN.net]
Various forms of tools, colloquially known as "AI", have been rapidly pervading all aspects of open-source development. Many developers are embracing LLM tools for code creation and review. Some project maintainers complain about suffering from a deluge of slop-laden pull requests, as well as fabricated bug and security reports. Too many projects are reeling from scraperbot attacks that effectively DDoS important infrastructure. But an AI bot flaming an open-source maintainer was not on our bingo card for 2026; that seemed a bit too far-fetched. However, it appears that is just what happened recently after a project rejected a bot-driven pull request.
Plasma 6.6.0 released [LWN.net]
Version 6.6.0 of KDE's Plasma desktop environment has been released. Notable additions in this release include the ability to create global themes for Plasma, an "extract text" feature in the Spectacle screenshot utility, accessibility improvements, and a new on-screen keyboard. See the changelog for a full list of new features, enhancements, and bug fixes.
The release is dedicated to the memory of Björn Balazs, a
KDE contributor who passed away in September 2025. "Björn's
drive to help people achieve the privacy and control over
technology that he believed they deserved is the stuff FLOSS
legends are made of.
"
15:21
Yesterday, I had to ship an envelope to the UK and got
caught in dead ends at the Fedex and DHL sites. One of them said my
zip code wasn't in the town I live in. How do you get past that??
These companies are losing business because their systems
are broken. Maybe they worked at one time. I used ChatGPT as I
often do to get help on one of these antiquated sites. And while
ChatGPT has the technology and Fedex has the info, they just have
to get together and upgrade the user experience, and eventually of
course the AI version of the UI becomes the real one.
Back when I ran a software company I'd help the team understand why they should be very very nice to our customers. "Those people have our money in their pockets." It generally got a laugh partially because I was their boss, but I like to think also because it's the truth.
BTW, people make the same mistake with AI that we make with every new tech. We focus on the creators not the users. As users we are learning a new skill, how to specify our needs precisely. Whether this is good or bad, I don't know.
14:49
In December 2025, Canonical announced a plan to develop a universal Public Key Infrastructure called upki. Jon Seager has published an update about the project with instructions on trying it out.
In the few weeks since we announced upki, the core revocation engine has been established and is now functional, the CRLite mirroring tool is working and a production deployment in Canonical's datacentres is ongoing. We're now preparing for an alpha release and remain on track for an opt-in preview for Ubuntu 26.04 LTS.
14:35
Paywalls that require you to subscribe to an Atlanta news org when you don’t live in Atlanta prob don’t generate much revenue. Why not instead charge per article. Like a toll you pay on a road you drive on once every few years. On further thought, I wouldn't even have an exception for Atlanta residents. If they start spending more money than a subscription costs, you could offer a subscription then, as a way to save money. Kind of the way Amazon lets you buy a certain amount of coffee beans without requiring you to sign up for monthly delivery. They do tell you how much you'd save if you subscribed. Everyone appreciates a chance to save money, but still might not want the commitment. And asking someone from upstate NY to subscribe to the Atlanta Journal Constitution is a total bullshit. An insult to both our intelligences.
My Twitter account is owned. I can't even see what people are doing with it because you have to be signed on (apparently) to read stuff on Twitter nowadays. I wish current Twitter management would put it out of its misery. Served me well for approx 20 years. Let's clean up the mess. Thanks for your attention this matter.
VCs and CEOs don't fire your devteams yet [Scripting News]
Aram Zucker-Scharff writes "I don't want to read one more thinkpiece about blackbox AI code factories until you can show me what they've produced."
I've made the same request, and there was very little even brilliant programmers could show, including some who have become influencers in the AI space.
Here's the problem -- it takes a lot of skill and patience to make software that appears simple because it gives users what they expect. It's much easier to write utility scripts, where the user writes the code for themselves. That is very possible, esp if you use a scripting language created for it, and the AI bots are really good at that, they speak the same language we do.
But to make something easy to use by humans, I think you actually have to be a human. I've found I'm not very good at creating software that isn't for me. And I've been practicing this almost every day for over fifty freaking years. (I think freaking is the proper adjective in this situation).
Scaling which everyone says is hard is actually something a chatbot does quite easily imho -- because you just have to store all your data in a relational database, you can't use the local file system. That's all there is to it. They try to make it sound mysterious (the old priesthood at work) but it is actually very simple. It's so easy even ChatGPT can do it.
I know this must sound like the stuff reporters say about bloggers, but in this case it's true. ;-)
An anectdote -- I used to live in Woodside CA where a lot of the VCs live, and we'd all eat breakfast at Buck's restaurant, and around the time Netscape open sourced their browser code, the VCs were buzzing because they wouldn't have to pay for software, they'd just market the free stuff. That was a long time ago, and it did not work out that way.
14:07
Security updates for Tuesday [LWN.net]
Security updates have been issued by AlmaLinux (gimp, go-toolset:rhel8, and golang), Debian (roundcube), Fedora (gnupg2, libpng, and rsync), Mageia (dcmtk and usbmuxd), Oracle (gcc-toolset-14-binutils, gimp, gnupg2, go-toolset:ol8, golang, kernel, and openssl), Slackware (libssh, lrzip, and mozilla), SUSE (abseil-cpp, chromium, curl, elemental-toolkit, elemental-operator, expat, freerdp, iperf, libnvidia-container, libsoup, libxml2, net-snmp, openCryptoki, openssl-3, patch, protobuf, python-urllib3, python-xmltodict, python311, screen, systemd, and util-linux), and Ubuntu (alsa-lib, gnutls28, and linux-aws, linux-oracle).
13:49
AI, A2A, and the Governance Gap [Radar]
Over the past six months, I’ve watched the same pattern repeat across enterprise AI teams. A2A and ACP light up the room during architecture reviews—the protocols are elegant, the demos impressive. Three weeks into production, someone asks: “Wait, which agent authorized that $50,000 vendor payment at 2 am?“ The excitement shifts to concern.
Here’s the paradox: Agent2Agent (A2A) and the Agent Communication Protocol (ACP) are so effective at eliminating integration friction that they’ve removed the natural “brakes“ that used to force governance conversations. We’ve solved the plumbing problem brilliantly. In doing so, we’ve created a new class of integration debt—one where organizations borrow speed today at the cost of accountability tomorrow.
The technical protocols are solid. The organizational protocols are missing. We’re rapidly moving from the “Can these systems connect?“ phase to the “Who authorized this agent to liquidate a position at 3 am?“ phase. In practice, that creates a governance gap: Our ability to connect agents is outpacing our ability to control what they commit us to.
To see why that shift is happening so fast, it helps to look at how the underlying “agent stack“ is evolving. We’re seeing the emergence of a three-tier structure that quietly replaces traditional API-led connectivity:
| Layer | Protocol examples | Purpose | The “human” analog |
| Tooling | MCP (Model Context Protocol) | Connects agents to local data and specific tools | A worker’s toolbox |
| Context | ACP (Agent Communication Protocol) | Standardizes how goals, user history, and state move between agents | A worker’s memory and briefing |
| Coordination | A2A (Agent2Agent) | Handles discovery, negotiation, and delegation across boundaries | A contract or handshake |
This stack makes multi-agent workflows a configuration problem instead of a custom engineering project. That is exactly why the risk surface is expanding faster than most CISOs realize.
Think of it this way: A2A is the handshake between agents (who talks to whom, about what tasks). ACP is the briefing document they exchange (what context, history, and goals move in that conversation). MCP is the toolbox each agent has access to locally. Once you see the stack this way, you also see the next problem: We’ve solved API sprawl and quietly replaced it with something harder to see—agent sprawl, and with it, a widening governance gap.
Most enterprises already struggle to govern hundreds of SaaS applications. One analysis puts the average at more than 370 SaaS apps per organization. Agent protocols do not reduce this complexity; they route around it. In the API era, humans filed tickets to trigger system actions. In the A2A era, agents use “Agent Cards“ to discover each other and negotiate on top of those systems. ACP allows these agents to trade rich context—meaning a conversation starting in customer support can flow into fulfillment and partner logistics with zero human handoffs. What used to be API sprawl is becoming dozens of semiautonomous processes acting on behalf of your company across infrastructure you do not fully control. The friction of manual integration used to act as a natural brake on risk; A2A has removed that brake.
That governance gap doesn’t usually show up as a single catastrophic failure. It shows up as a series of small, confusing incidents where everything looks “green“ in the dashboards but the business outcome is wrong. The protocol documentation focuses on encryption and handshakes but ignores the emergent failure modes of autonomous collaboration. These are not bugs in the protocols; they’re signs that the surrounding architecture has not caught up with the level of autonomy the protocols enable.
Policy drift: A refund policy encoded in a service agent may technically interoperate with a partner’s collections agent via A2A, but their business logic may be diametrically opposed. When something goes wrong, nobody owns the end-to-end behavior.
Context oversharing: A team might expand an ACP schema to include “User Sentiment“ for better personalization, unaware that this data now propagates to every downstream third-party agent in the chain. What started as local enrichment becomes distributed exposure.
The determinism trap: Unlike REST APIs, agents are nondeterministic. An agent’s refund policy logic might change when its underlying model is updated from GPT-4 to GPT-4.5, even though the A2A Agent Card declares identical capabilities. The workflow “works“—until it doesn’t, and there’s no version trace to debug. This creates what I call “ghost breaks“: failures that don’t show up in traditional observability because the interface contract looks unchanged.
Taken together, these aren’t edge cases. They’re what happens when we give agents more autonomy without upgrading the rules of engagement between them. These failure modes have a common root cause: The technical capability to collaborate across agents has outrun the organization’s ability to say where that collaboration is appropriate, and under what constraints.
That’s why we need something on top of the protocols themselves: an explicit “Agent Treaty“ layer. If the protocol is the language, the treaty is the constitution. Governance must move from “side documentation“ to “policy as code.“
Want Radar delivered straight to your inbox? Join us on Substack. Sign up here.
Traditional governance treats policy violations as failures to prevent. An antifragile approach treats them as signals to exploit. When an agent makes a commitment that violates a business constraint, the system should capture that event, trace the causal chain, and feed it back into both the agent’s training and the treaty ruleset. Over time, the governance layer gets smarter, not just stricter.
Define treaty-level constraints: Don’t just authorize a connection; authorize a scope. Which ACP fields is an agent allowed to share? Which A2A operations are “read only“ versus “legally binding“? Which categories of decisions require human escalation?
Version the behavior, not just the schema: Treat Agent Cards as first-class product surfaces. If the underlying model changes, the version must bump, triggering a rereview of the treaty. This is not bureaucratic overhead—it’s the only way to maintain accountability in a system where autonomous agents make commitments on behalf of your organization.
Cross-organizational traceability: We need observability traces that don’t just show latency but show intent: Which agent made this commitment, under which policy? And who is the human owner? This is particularly critical when workflows span organizational boundaries and partner ecosystems.
Designing that treaty layer isn’t just a tooling problem. It changes who needs to be in the room and how they think about the system. The hardest constraint isn’t the code; it’s the people. We’re entering a world where engineers must reason about multi-agent game theory and policy interactions, not just SDK integration. Risk teams must audit “machine-to-machine commitments“ that may never be rendered in human language. Product managers must own agent ecosystems where a change in one agent’s reward function or context schema shifts behavior across an entire partner network. Compliance and audit functions need new tools and mental models to review autonomous workflows that execute at machine speed. In many organizations, those skills sit in different silos, and A2A/ACP adoption is proceeding faster than the cross-functional structures needed to manage them.
All of this might sound abstract until you look at where enterprises are in their adoption curve. Three converging trends are making this urgent: Protocol maturity means A2A, ACP, and MCP specifications have stabilized enough that enterprises are moving beyond pilots to production deployments. Multi-agent orchestration is shifting from single agents to agent ecosystems and workflows that span teams, departments, and organizations. And silent autonomy is blurring the line between “tool assistance“ and “autonomous decision-making“—often without explicit organizational acknowledgment. We’re moving from integration (making things talk) to orchestration (making things act), but our monitoring tools still only measure the talk. The next 18 months will determine whether enterprises get ahead of this or we see a wave of high-profile failures that force retroactive governance.
The risk is not that A2A and ACP are unsafe; it’s that they are too effective. For teams piloting these protocols, stop focusing on the “happy path“ of connectivity. Instead, pick one multi-agent workflow and instrument it as a critical product:
Map the context flow: Every ACP field must have a “purpose limitation“ tag. Document which agents see which fields, and which business or regulatory requirements justify that visibility. This isn’t an inventory exercise; it’s a way to surface hidden data dependencies.
Audit the commitments: Identify every A2A interaction that represents a financial or legal commitment—especially ones that don’t route through human approval. Ask, “If this agent’s behavior changed overnight, who would notice? Who is accountable?“
Code the treaty: Prototype a “gatekeeper“ agent that enforces business constraints on top of the raw protocol traffic. This isn’t about blocking agents; it’s about making policy visible and enforceable at runtime. Start minimal: One policy, one workflow, one success metric.
Instrument for learning: Capture which agents collaborate, which policies they invoke, and which contexts they share. Treat this as telemetry, not just audit logs. Feed patterns back into governance reviews quarterly.
If this works, you now have a repeatable pattern for scaling agent deployments without sacrificing accountability. If it breaks, you’ve learned something critical about your architecture before it breaks in production. If you can get one workflow to behave this way—governed, observable, and learn-as-you-go—you have a template for the rest of your agent ecosystem.
If the last decade was about treating APIs as products, the next one will be about treating autonomous workflows as policies encoded in traffic between agents. The protocols are ready. Your org chart is not. The bridge between the two is the Agent Treaty—start building it before your agents start signing deals without you. The good news: You don’t need to redesign your entire organization. You need to add one critical layer—the Agent Treaty—that makes policy machine-enforceable, observable, and learnable. You need engineers who think about composition and game theory, not just connection. And you need to treat agent deployments as products, not infrastructure.
The sooner you start, the sooner that governance gap closes.
12:35
Side-Channel Attacks Against LLMs [Schneier on Security]
Here are three papers describing different side-channel attacks against LLMs.
“Remote Timing Attacks on Efficient Language Model Inference“:
Abstract: Scaling up language models has significantly increased their capabilities. But larger models are slower models, and so there is now an extensive body of work (e.g., speculative sampling or parallel decoding) that improves the (average case) efficiency of language model generation. But these techniques introduce data-dependent timing characteristics. We show it is possible to exploit these timing differences to mount a timing attack. By monitoring the (encrypted) network traffic between a victim user and a remote language model, we can learn information about the content of messages by noting when responses are faster or slower. With complete black-box access, on open source systems we show how it is possible to learn the topic of a user’s conversation (e.g., medical advice vs. coding assistance) with 90%+ precision, and on production systems like OpenAI’s ChatGPT and Anthropic’s Claude we can distinguish between specific messages or infer the user’s language. We further show that an active adversary can leverage a boosting attack to recover PII placed in messages (e.g., phone numbers or credit card numbers) for open source systems. We conclude with potential defenses and directions for future work.
“When Speculation Spills Secrets: Side Channels via Speculative Decoding in LLMs“:
Abstract: Deployed large language models (LLMs) often rely on speculative decoding, a technique that generates and verifies multiple candidate tokens in parallel, to improve throughput and latency. In this work, we reveal a new side-channel whereby input-dependent patterns of correct and incorrect speculations can be inferred by monitoring per-iteration token counts or packet sizes. In evaluations using research prototypes and production-grade vLLM serving frameworks, we show that an adversary monitoring these patterns can fingerprint user queries (from a set of 50 prompts) with over 75% accuracy across four speculative-decoding schemes at temperature 0.3: REST (100%), LADE (91.6%), BiLD (95.2%), and EAGLE (77.6%). Even at temperature 1.0, accuracy remains far above the 2% random baseline—REST (99.6%), LADE (61.2%), BiLD (63.6%), and EAGLE (24%). We also show the capability of the attacker to leak confidential datastore contents used for prediction at rates exceeding 25 tokens/sec. To defend against these, we propose and evaluate a suite of mitigations, including packet padding and iteration-wise token aggregation.
“Whisper Leak: a side-channel attack on Large Language Models“:
Abstract: Large Language Models (LLMs) are increasingly deployed in sensitive domains including healthcare, legal services, and confidential communications, where privacy is paramount. This paper introduces Whisper Leak, a side-channel attack that infers user prompt topics from encrypted LLM traffic by analyzing packet size and timing patterns in streaming responses. Despite TLS encryption protecting content, these metadata patterns leak sufficient information to enable topic classification. We demonstrate the attack across 28 popular LLMs from major providers, achieving near-perfect classification (often >98% AUPRC) and high precision even at extreme class imbalance (10,000:1 noise-to-target ratio). For many models, we achieve 100% precision in identifying sensitive topics like “money laundering” while recovering 5-20% of target conversations. This industry-wide vulnerability poses significant risks for users under network surveillance by ISPs, governments, or local adversaries. We evaluate three mitigation strategies – random padding, token batching, and packet injection – finding that while each reduces attack effectiveness, none provides complete protection. Through responsible disclosure, we have collaborated with providers to implement initial countermeasures. Our findings underscore the need for LLM providers to address metadata leakage as AI systems handle increasingly sensitive information.
11:07
Pluralistic: What's a "gig work minimum wage" (17 Feb 2026) [Pluralistic: Daily links from Cory Doctorow]
->->->->->->->->->->->->->->->->->->->->->->->->->->->->->
Top Sources: None -->
Today's links
- What's a "gig work minimum wage": The important rate is what you're paid when you're waiting for a job.
- Hey look at this: Delights to delectate.
- Object permanence: MBA phrenology; Sony's DRM CEO is out; Midwestern Tahrir; Reverse Centaurs and AI.
- Upcoming appearances: Where to find me.
- Recent appearances: Where I've been.
- Latest books: You keep readin' em, I'll keep writin' 'em.
- Upcoming books: Like I said, I'll keep writin' 'em.
- Colophon: All the rest.
.jpg){kind=link}
What's a "gig work minimum wage" (permalink)
"Minimum wage" is one of those odd concepts that seems to have an intuitive definition, but the harder you think about it, the more complicated it gets. For example, if you want to work, but can't find a job, then the minimum wage you'll get is zero:
That's why politicians like Avi Lewis (who is running for leader of Canada's New Democratic Party) has called for a jobs guarantee: a government guarantee of a good job at a socially inclusive wage for everyone who wants one:
https://lewisforleader.ca/ideas/dignified-work-full-plan
(Disclosure: I have advised the Lewis campaign on technical issues and I have endorsed his candidacy.)
If that sounds Utopian or Communist to you (or both), consider this: it was the American jobs guarantee that delivered America's system of national parks, among many other achievements:
https://en.wikipedia.org/wiki/Civilian_Conservation_Corps
The idea of a wage for everyone who wants a job is just one interesting question raised by the concept of a "minimum wage." Even when we're talking about people who have wages, the idea of a "minimum wage" is anything but straightforward.
Take gig workers: the rise of Uber and its successors created an ever-expanding class of workers who are misclassified as independent contractors by employers, seeking to evade unionization, benefits and liability. It's a weird kind of "independent contractor" who gets punished for saying no to lowball offers, has to decorate their personal clothes and/or cars in their "client's" livery, and who has every movement scripted by an app controlled by their "client":
https://pluralistic.net/2024/02/02/upward-redistribution/
The pretext that a worker is actually a standalone small business confers another great advantage on their employers: it's a great boon to any boss who wants to steal their worker's wages. I'm not talking about stealing tips here (though gig-work platforms do steal tips, like crazy):
I'm talking about how gig-work platforms define their workers' wages in the first place. This is a very salient definition in public policy debates. Gig platforms facing regulation or investigation routinely claim that their workers are paid sky-high wages. During the debate over California's Prop 22 (in which Uber and Lyft spent more than $225m to formalize worker misclassification), gig companies agreed to all kinds of reasonable-sounding wage guarantees:
https://pluralistic.net/2020/10/14/final_ver2/#prop-22
When Toronto was grappling with the brutal effect that gig-work taxis have on the city's world-beatingly bad traffic, Uber promised to pay its drivers "120% of the minimum wage," which would come out to $21.12 per hour. However, the real wage Uber was proposing to pay its drivers came out to about $2.50 per hour:
https://pluralistic.net/2024/02/29/geometry-hates-uber/#toronto-the-gullible
How to explain the difference? Well, Uber – and its gig-work competitors – only pay drivers while they have a passenger – or an item – in the car. Drivers are not paid for the time they spend waiting for a job or the time they spend getting to the job. This is the majority of time that a gig driver spends working for the platform, and by excluding the majority of time a driver is on the clock, the company can claim to pay a generous wage while actually paying peanuts.
Now, at this phase, you may be thinking that this is only fair, or at least traditional. Livery cab drivers don't get paid unless they have a fare in the cab, right?
That's true, but livery cab drivers have lots of ways to influence that number. They can shrewdly choose a good spot to cruise. They can give their cellphone numbers to riders they've established a rapport with in order to win advance bookings. In small towns with just a few drivers – or in cities where drivers are in a co-op – they can spend some of their earnings to advertise the taxi company. Livery drivers can offer discounts to riders going a long way. It's a tough job, but it's one in which workers have some agency.
Contrast that with driving for Uber: Uber decides which drivers get to even see a job. Uber decides how to market its services. Uber gets to set fares, on a per-passenger basis, meaning that it might choose to scare some passengers off of a few of their rides with high prices, in a bid to psychologically nudge that passenger into accepting higher fares overall.
At the same time, Uber is reliant on a minimum pool of drivers cruising the streets, on the clock but off the payroll. If riders had to wait 45 minutes to get an Uber, they'd make other arrangements. If it happened too often, they'd delete the app. So Uber can't survive without those cruising, unpaid drivers, who provide the capacity that make the company commercially viable.
What's more, livery cab drivers aren't the only comparators for gig-work platforms. Many gig workers deliver food, meaning that we should compare them to, say, pizza delivery drivers. These drivers aren't just paid when they have a pizza in the car and they're driving to a customer's home. They're paid from the moment they clock onto their shift to the moment they clock off (plus tips).
Now, obviously, this is more expensive for employers, but the Uber Eats arrangement – in which drivers are only paid when they've got a pizza in the car and they're en route to a customer – doesn't eliminate that expense. When a gig delivery company takes away the pay that drivers used to get while waiting for a pizza, they're shifting this expense from employers to workers:
https://pluralistic.net/2025/08/20/billionaireism/#surveillance-infantalism
The fact that Uber can manipulate the concept of a minimum wage in order to claim to pay $21.12/hour to drivers who are making $2.50 per hour creates all kinds of policy distortions.
Take Seattle: in 2024, the city implemented a program called "PayUp" that sets a "minimum wage" for drivers, but it's not a real minimum wage. It's a minimum payment for every ride or delivery.
A new National Bureau of Economic Research paper analyzes the program and concludes that it hasn't increased drivers' pay at all:
https://www.nber.org/papers/w34545
To which we might say, "Duh." Cranking up the sum paid for a small fraction of the work you do for a company will have very little impact on the overall wage you receive from the company.
However, there is an interesting wrinkle in this paper's conclusions. Drivers aren't earning less under this system, either. So they're getting paid more for every delivery, but they're not adding more deliveries to their day. In other words, they're doing less work and then clocking off:
https://marginalrevolution.com/marginalrevolution/2026/02/minimum-wages-for-gig-work-cant-work.html
A neoclassical economist (someone who has experienced a specific form of neurological injury that makes you incapable of perceiving or reasoning about power) would say that this means that the drivers only desire to earn the sums they were earning before the "minimum wage" and so the program hasn't made a difference to their lives.
But anyone else can look at this situation and understand that drivers only did this shitty job out of desperation. They had a sum they needed to get every month in order to pay the rent or the grocery bill. They have lots of needs besides those that they would like to fulfill, but not under the shitty gig-work app conditions. The only reason they tolerate a shitty app as their shitty boss at all is that they are desperate, and that desperation gives gig companies power over their workers.
In other words, Seattle's PayUp "minimum wage" has shifted some of the expense associated with operating a gig platform from workers back onto their bosses. With fewer drivers available on the app, waiting times for customers will necessarily go up. Some of those customers will take the bus, or get a livery cab, or defrost a pizza, or walk to the corner cafe. For the gig platforms to win those customers back, they will have to reduce waiting times, and the most reliable way to do that is to increase the wages paid to their workers.
So PayUp isn't a wash – it has changed the distributional outcome of the gig-work economy in Seattle. Drivers have clawed back a surplus – time they can spend doing more productive or pleasant things than cruising and waiting for a booking – from their bosses, who now must face lower profits, either from a loss of business from impatient customers, or from a higher wage they must pay to get those wait-times down again.
But if you want to really move the needle on gig workers' wages, the answer is simple: pay workers for all the hours they put in for their bosses, not just the ones where bosses decide they deserve to get paid for.
(Image: Tobias "ToMar" Maier, CC BY-SA 3.0; Jon Feinstein, CC BY 2.0; modified)
Hey look at this (permalink)
- Privilege is bad grammar https://tadaima.bearblog.dev/privilege-is-bad-grammar/
-
Closing the Stablecoin Yield Loophole in the Post-GENIUS Era https://clsbluesky.law.columbia.edu/2026/01/23/closing-the-stablecoin-yield-loophole-in-the-post-genius-era/
-
The century of the maxxer https://samkriss.substack.com/p/the-century-of-the-maxxer
-
Why the "AI God" Narrative is Actually a Corporate Power Grab https://www.thebignewsletter.com/p/monopoly-round-up-stop-telling-me
-
All Your Base, slight remaster https://www.jwz.org/blog/2026/02/all-your-base-slight-remaster/
Object permanence (permalink)
#20yrsago HOWTO resist warrantless searches at Best Buy https://www.die.net/musings/bestbuy/
#20yrsago RIAA using kids’ private info to attack their mother https://web.archive.org/web/20060223111437/http://p2pnet.net/story/7942
#20yrsago Sony BMG demotes CEO for deploying DRM https://web.archive.org/web/20060219233817/http://biz.yahoo.com/ap/060210/germany_sony_bmg_ceo.html?.v=7
#20yrsago Sistine Chapel recreated through 10-year cross-stitch project https://web.archive.org/web/20060214195146/http://www.austinstitchers.org/Show06/images/sistine2.jpg
#15yrsago Selling cookies like a crack dealer, by dangling a string out your kitchen window https://laughingsquid.com/cookies-sold-by-string-dangling-from-san-francisco-apartment-window/
#15yrsago Midwestern Tahrir: Workers refuse to leave Wisconsin capital over Tea Party labor law https://www.theawl.com/2011/02/wisconsin-demonstrates-against-scott-walkers-war-on-unions/
#10yrsago Back-room revisions to TPP sneakily criminalize fansubbing & other copyright grey zones https://www.eff.org/deeplinks/2016/02/sneaky-change-tpp-drastically-extends-criminal-penalties
#10yrsago Russian Central Bank shutting down banks that staged fake cyberattacks to rip off depositors https://web.archive.org/web/20160220100817/http://www.scmagazine.com/russian-bank-licences-revoked-for-using-hackers-to-withdraw-funds/article/474477/
#10yrsago Stop paying your student loans and debt collectors can send US Marshals to arrest you https://web.archive.org/web/20201026202024/https://nymag.com/intelligencer/2016/02/us-marshals-forcibly-collecting-student-debt.html?mid=twitter-share-di
#5yrsago Reverse centaurs and the failure of AI https://pluralistic.net/2021/02/17/reverse-centaur/#reverse-centaur
#1yrago Business school professors trained an AI to judge workers' personalities based on their faces https://pluralistic.net/2025/02/17/caliper-ai/#racism-machine
Upcoming appearances (permalink)
- Salt Lake City: Enshittification at the Utah Museum of Fine
Arts (Tanner Humanities Center), Feb 18
https://tanner.utah.edu/center-events/cory-doctorow/ -
Montreal (remote): Fedimtl, Feb 24
https://fedimtl.ca/ -
Oslo (remote): Seminar og lansering av rapport om «enshittification»
https://www.forbrukerradet.no/siste-nytt/digital/seminar-og-lansering-av-rapport-om-enshittification/ -
Victoria: 28th Annual Victoria International Privacy & Security Summit, Mar 3-5
https://www.rebootcommunications.com/event/vipss2026/ -
Victoria: Enshittification at Russell Books, Mar 4
https://www.eventbrite.ca/e/cory-doctorow-is-coming-to-victoria-tickets-1982091125914 -
Barcelona: Enshittification with Simona Levi/Xnet (Llibreria Finestres), Mar 20
https://www.llibreriafinestres.com/evento/cory-doctorow/ -
Berkeley: Bioneers keynote, Mar 27
https://conference.bioneers.org/ -
Berlin: Re:publica, May 18-20
https://re-publica.com/de/news/rp26-sprecher-cory-doctorow -
Berlin: Enshittification at Otherland Books, May 19
https://www.otherland-berlin.de/de/event-details/cory-doctorow.html -
Hay-on-Wye: HowTheLightGetsIn, May 22-25
https://howthelightgetsin.org/festivals/hay/big-ideas-2
Recent appearances (permalink)
- Panopticon :3 (Trashfuture)
https://www.patreon.com/posts/panopticon-3-150395435 -
America's Enshittification is Canada's Opportunity (Do Not Pass Go)
https://www.donotpassgo.ca/p/americas-enshittification-is-canadas -
Everything Wrong With the Internet and How to Fix It, with Tim Wu (Ezra Klein)
https://www.nytimes.com/2026/02/06/opinion/ezra-klein-podcast-doctorow-wu.html -
How the Internet Got Worse (Masters in Business)
https://www.youtube.com/watch?v=auXlkuVhxMo -
Enshittification (Jon Favreau/Offline):
https://crooked.com/podcast/the-enshittification-of-the-internet-with-cory-doctorow/
Latest books (permalink)
- "Canny Valley": A limited edition collection of the collages I create for Pluralistic, self-published, September 2025 https://pluralistic.net/2025/09/04/illustrious/#chairman-bruce
-
"Enshittification: Why Everything Suddenly Got Worse and What to Do About It," Farrar, Straus, Giroux, October 7 2025
https://us.macmillan.com/books/9780374619329/enshittification/ -
"Picks and Shovels": a sequel to "Red Team Blues," about the heroic era of the PC, Tor Books (US), Head of Zeus (UK), February 2025 (https://us.macmillan.com/books/9781250865908/picksandshovels).
-
"The Bezzle": a sequel to "Red Team Blues," about prison-tech and other grifts, Tor Books (US), Head of Zeus (UK), February 2024 (thebezzle.org).
-
"The Lost Cause:" a solarpunk novel of hope in the climate emergency, Tor Books (US), Head of Zeus (UK), November 2023 (http://lost-cause.org).
-
"The Internet Con": A nonfiction book about interoperability and Big Tech (Verso) September 2023 (http://seizethemeansofcomputation.org). Signed copies at Book Soup (https://www.booksoup.com/book/9781804291245).
-
"Red Team Blues": "A grabby, compulsive thriller that will leave you knowing more about how the world works than you did before." Tor Books http://redteamblues.com.
-
"Chokepoint Capitalism: How to Beat Big Tech, Tame Big Content, and Get Artists Paid, with Rebecca Giblin", on how to unrig the markets for creative labor, Beacon Press/Scribe 2022 https://chokepointcapitalism.com
Upcoming books (permalink)
- "The Reverse-Centaur's Guide to AI," a short book about being a better AI critic, Farrar, Straus and Giroux, June 2026
-
"Enshittification, Why Everything Suddenly Got Worse and What to Do About It" (the graphic novel), Firstsecond, 2026
-
"The Post-American Internet," a geopolitical sequel of sorts to Enshittification, Farrar, Straus and Giroux, 2027
-
"Unauthorized Bread": a middle-grades graphic novel adapted from my novella about refugees, toasters and DRM, FirstSecond, 2027
-
"The Memex Method," Farrar, Straus, Giroux, 2027
Colophon (permalink)
Today's top sources:
Currently writing: "The Post-American Internet," a sequel to "Enshittification," about the better world the rest of us get to have now that Trump has torched America (1148 words today, 30940 total)
- "The Reverse Centaur's Guide to AI," a short book for Farrar, Straus and Giroux about being an effective AI critic. LEGAL REVIEW AND COPYEDIT COMPLETE.
-
"The Post-American Internet," a short book about internet policy in the age of Trumpism. PLANNING.
-
A Little Brother short story about DIY insulin PLANNING
This work – excluding any serialized fiction – is licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net.
https://creativecommons.org/licenses/by/4.0/
Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.
How to get Pluralistic:
Blog (no ads, tracking, or data-collection):
Newsletter (no ads, tracking, or data-collection):
https://pluralistic.net/plura-list
Mastodon (no ads, tracking, or data-collection):
Medium (no ads, paywalled):
Twitter (mass-scale, unrestricted, third-party surveillance and advertising):
Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):
https://mostlysignssomeportents.tumblr.com/tagged/pluralistic
"When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla
READ CAREFULLY: By reading this, you agree, on behalf of your employer, to release me from all obligations and waivers arising from any and all NON-NEGOTIATED agreements, licenses, terms-of-service, shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure, non-compete and acceptable use policies ("BOGUS AGREEMENTS") that I have entered into with your employer, its partners, licensors, agents and assigns, in perpetuity, without prejudice to my ongoing rights and privileges. You further represent that you have the authority to release me from any BOGUS AGREEMENTS on behalf of your employer.
ISSN: 3066-764X
10:07
Misguided optimization [Seth's Blog]
Industrialism brought us the idea of optimization. Incremental improvements combined with measurement to gradually improve results.
We can optimize for precision. A car made in 2026 is orders of magnitude more reliable because the parts fit together so well.
We can optimize for customer satisfaction. By reviewing every element of a user’s experience, we can remove the annoyances and increase delight.
We can optimize a horror movie to make it scarier, and we can optimize a workout to make it more effective.
Lately, though, the fad is to optimize for short-term profit.
This will probably get you a bonus. It means degrading the experience of customers, suppliers and employees in exchange for maximizing quarterly returns.
Make a list of every well-known organizational failure (from big firms like Yahoo to Enron to Sears all the way to the little pizza place down the block) and you’ll see the short-term optimizer’s fingerprints.
You can’t profit maximize your way to greatness.
09:21
Wrestling With My Body by Inam [Oh Joy Sex Toy]
08:35
Russell Coker: Links February 2026 [Planet Debian]
This disturbing and amusing article describes how an Open AI investor appears to be having psychological problems releated to SCP based text generated by ChatGPT [2]. Definitely going to be a recursive problem as people who believe in it invest in it.
interesting analysis of dbus and design for a more secure replacement [3].
Ploum wrote an insightful article about the problems caused by the Github monopoly [5]. Radicale sounds interesting.
Niki Tonsky write an interesting article about the UI problems with Tahoe (latest MacOS release) due to trying to make an icon for everything [6]. They have a really good writing style as well as being well researched.
This video about designing a C64 laptop is a masterclass in computer design [9].
Ron Garrett wrote an insightful blog post about abortion [11].
Bruce Schneier and Nathan E. Sanders wrote an insightful article about the potential of LLM systems for advertising and enshittification [12]. We need serious legislation about this ASAP!
- [1] https://tinyurl.com/27q8xtuv
- [2] https://futurism.com/openai-investor-chatgpt-mental-health
- [3] https://blog.vaxry.net/articles/2025-dbusSucks
- [4] https://www.youtube.com/watch?v=1fZTOjd_bOQ
- [5] https://ploum.net/2026-01-05-unteaching_github.html
- [6] https://tonsky.me/blog/tahoe-icons/
- [7] https://lwn.net/Articles/1042938/
- [8] https://tinyurl.com/2b4sh2s9
- [9] https://www.youtube.com/watch?v=H5QQ0ECfwyE
- [10] https://tinyurl.com/2d9l8wqm
- [11] https://tinyurl.com/2yp94bpo
- [12] https://tinyurl.com/29o67syo
02:56
New Cover: “But Not Tonight” [Whatever]
I was not expecting to make another cover so soon, so, uh, surprise: A cover of Depeche Mode’s most cheerful song, done as if Erasure decided to crack at it. Why did I do this? Because I was trying to clean up a previous version of this song that I did (it was sonically a little smeary and I hadn’t learned how to edit out when I loudly took in breaths), which necessitated laying down a new vocal track, and once I did that, one thing led to another, and here we are.
I am actually really happy with this one. I did harmonies! Intentionally! Also, I do think it really does sound kinda like Erasure covering Depeche Mode (if such a thing is a possible considering the bands share a Vince Clarke in common). I mean, I don’t sing like Andy Bell, but then, who does, so, fine. Good enough for an afternoon! Enjoy.
— JS
02:21
Drag Race Episode Seven: The Rudemption of Myki Meeks [The Stranger]
We’re finally done with Rate-A-Queen! The cast is back to our regularly scheduled programming with parodies of hot-button political issues. In the words of Jane Don’t, “it’s a good day to be a clown.” by Mike Kohfeld
We’re finally done with Rate-A-Queen! The cast is back to our regularly scheduled programming with parodies of hot-button political issues. In the words of Jane Don’t, “it’s a good day to be a clown.”
“Y’all are playing chess, I’m playing checkers. Wait, what’s the thing?”
Episode Seven began with the queens still reeling from their two-week Rate-A-Queen ordeal, in which the Miami alliance came out on top.
On Drag Race, queens love to talk too much after winning challenges or getting safe placements. Athena did the same, insisting her play was honest and not at all about strategy while the other queens rolled their eyes. When you’ve just won a challenge, it’s best to keep your mouth shut.
As if this wasn’t enough, the queens were given the Rate-A-Queen receipts. Mia looked stressed to see her ratings exposed… as if the producers were going to let any opportunity for drama to slide. Nini was pissed that everyone had given her mid-ratings for her Mother Mantis bit, and let it get into her head: “Does everybody not like me?”
Kenya was pleased to have avoided the bottom through her alliance-building. “Y’all are playing chess, I’m playing checkers. Wait, what’s the thing?” Bless her.
Myki Meeks was rated in the bottom by the queens despite having a strong talent act, and the receipts nearly brought her to tears. In a T-shirt that said REVENGE, Myki looked ready to prove herself this week. Maybe she’ll go full Arya Stark and start snatching faces.
Emmy-Baiting Drag Politics
If you’re not living under a rock, you know the 2026 midterm elections are going to be crucial for prying at least a little bit of power away from the world’s worst people. Drag Race celebrated the occasion by bringing us “totally twisted political ads that parody today’s most polarizing issues.” RuPaul added: “I deserve a fucking Emmy for that line.”
The queens had a serious moment talking about the difficulty of living in red states with drag bans and the rise of violence against queer people during Trump’s second term. The most visceral account was Discord’s experience with a lifetime friend and roommate. Radicalized by right-wing anti-queer rhetoric seemingly overnight, they destroyed almost all of Discord’s drag and artwork. Discord compared the current conservative movement to a cult. Hear, hear.
Mia balanced out the heaviness of the political discussion with a spontaneous dance party. It was the kind of genuine moment that has been missing in contemporary seasons of Drag Race.
The Future Liberals Want: Foreign Trade and Breastplate Socialism
The Main Challenge began when the queens were given five propositions on draggy subjects like breastplate entitlements, kai kai bans, and adding clowns to the LGBTQIA+ umbrella, paralleling real-world issues like bodily autonomy, trans rights, and immigration. I had to remind myself that this is a reality television show about drag queens acting stupid, but was interested to see how the cast would navigate the line between comedy and critique.
Discord and Nini did a sound job with “Prop Kiki.” Discord adopted a pro-kai kai stance as the sultry, sister-loving Lydia Liquorup. (Queer vocabulary lesson #1: to kiki is to chat, gossip, or tell stories; kai kai refers to sexual relations between drag queens.) Discord’s stage-whispered hook, “date a sister,” is destined to become a queer vocal stim in the manner of Valentina and Naomi Smalls’ “Club 96” (All Stars Season 4) or Alaska’s “your makeup is terrible” (Season 5). Nini struggled while recording the skit, but turned out a conservative church lady arguing against sister-dating, keeping the pair safe.
Darlene and Vita could not have been more dissimilar in their performances for “Prop 4Real.” Vita has struggled in past performance challenges, and this week was no different. She landed in the bottom for her stiff portrayal of a “traditional” drag queen.
In contrast, Darlene’s “bedroom queen bimbo” was hysterical, with the judges calling her performance “really stupid.” So stupid, in fact, that Darlene earned a top placement for the week.
Athena and Myki had fully-realized and memorable characters for “Prop 6969,” which sought to ban foreign trade (Queer vocabulary lesson #2: “trade” is queer slang for a masculine, straight-acting man).
Athena sold us an eerily convincing Republicanesque character named Connie Cumminside against Prop 6969. Her lustful desire to ban trade was giving MAGA backlash to Bad Bunny’s recent Super Bowl LX performance.
Myki was the standout of the week, with a punny performance arguing for steamy relations with foreign trade: “I’m concerned American citizen Stephanie Miller. But you can call me Lollipop!” Her playful irreverence won her the challenge. It felt like a karmic rebalance after Rate-A-Queen.
Meanwhile, Mia and Juicy struggled to write material for “Prop DD,” where Mia argued to require breastplates and padding for all drag queens while Juicy embraced a natural, environmentally-friendly “hog body.” Mia got some laughs, but Juicy floundered.
The pair fell into the bottom three. (If there had been a lip-sync-for-your-life between Mia and Juicy this week after they tied in a lip-sync-for-the-win two episodes ago, my wig would have flown into the troposphere.)
Can Somebody Just Treat My Gonorrhea?
Jane Don’t and Kenya worked together for “Prop C,” naming the pros and cons for adding clowns to the LGBTQIA acronym. Arguing against Prop C, Kenya played a decorated diva concerned about how “drag bars have been held captive by silly-ass drag queens who prioritize jokes and concepts over gowns.” Not in Seattle, surely! *clutches pearls*
Jane Don’t played Daisy Funbuttons, the gonorrhea-ridden Professor of Nose-Honking at Pacoima Community Clown College (this is literally the stupidest sentence I’ve ever written). Her performance was Drag Race comedy perfection, and she was ranked in the top by the judges. We really need to just crown her now. Or at the very least, get her some antibiotics.
View this post on Instagram
I Can See Right Through Her
These Season 18 girls brought some serious budget to the main stage, and the see-through outfits of Episode Seven did not disappoint.
Nini’s candy-wrapper look was sublime. If winning was solely about runway looks, Nini would be in the number one spot.
Jane’s Leigh Bowery-inspired checkered bodysuit with a short sheer pink dress fit the brief, but wasn’t as spectacular as her past looks. I later learned that she crafted it last-minute because her original designer didn’t deliver this look on time. What is it with late designers for these queens!?
View this post on Instagram
For her see-through business suit, Myki Meeks expressed, “the quality I cherish most in a workplace is transparency.” Snaps, girl. The judges loved it too, with RuPaul exclaiming, “this is what the whores wear in Seattle!” Maybe Myki can come live here, too.
Vita’s Last Act
Juicy’s Met Gala-worthy tulle fantasy and Vita’s divine water goddess (it was giving Yemayá) were superb, but their performances landed them in the bottom. The rest of the cast reacted with shock. “Vita versus Juicy? Two people I thought were gonna make it to the end!” said Discord. “I don’t even wanna watch this.”
But this was must-see TV. Vita held her own, but there is no stopping the elemental force that is Juicy Love Dion on the mainstage. Set to Dua Lipa’s “Houdini,” Juicy swept the lip-sync with grace, emotion, and jaw-dropping skill, including a handstand that tipped backwards into a split. There was no way RuPaul was going to let Juicy sashay away, and Vita was given the boot. I hope to see her in All Stars!
Next week, it’s the challenge you’ve been waiting for (or dreading): Snatch Game! Either way, this is not one to miss. I’m ready for Jane to earn a second win!
00:00
Antoine Beaupré: Keeping track of decisions using the ADR model [Planet Debian]
In the Tor Project system Administrator's team (colloquially known as TPA), we've recently changed how we take decisions, which means you'll get clearer communications from us about upcoming changes or targeted questions about a proposal.
Note that this change only affects the TPA team. At Tor, each team has its own way of coordinating and making decisions, and so far this process is only used inside TPA. We encourage other teams inside and outside Tor to evaluate this process to see if it can improve your processes and documentation.
The new process
We had traditionally been using a "RFC" ("Request For Comments") process and have recently switched to "ADR" ("Architecture Decision Record").
The ADR process is, for us, pretty simple. It consists of three things:
- a simpler template
- a simpler process
- communication guidelines separate from the decision record
The template
As team lead, the first thing I did was to propose a new template (in ADR-100), a variation of the Nygard template. The TPA variation of the template is similarly simple, as it has only 5 headings, and is worth quoting in full:
-
Context: What is the issue that we're seeing that is motivating this decision or change?
-
Decision: What is the change that we're proposing and/or doing?
-
Consequences: What becomes easier or more difficult to do because of this change?
-
More Information (optional): What else should we know? For larger projects, consider including a timeline and cost estimate, along with the impact on affected users (perhaps including existing Personas). Generally, this includes a short evaluation of alternatives considered.
-
Metadata: status, decision date, decision makers, consulted, informed users, and link to a discussion forum
The previous RFC template had 17 (seventeen!) headings, which encouraged much longer documents. Now, the decision record will be easier to read and digest at one glance.
An immediate effect of this is that I've started using GitLab issues more for comparisons and brainstorming. Instead of dumping in a document all sorts of details like pricing or in-depth alternatives comparison, we record those in the discussion issue, keeping the document shorter.
The process
The whole process is simple enough that it's worth quoting in full as well:
Major decisions are introduced to stakeholders in a meeting, smaller ones by email. A delay allows people to submit final comments before adoption.
Now, of course, the devil is in the details (and ADR-101), but the point is to keep things simple.
A crucial aspect of the proposal, which Jacob Kaplan-Moss calls the one weird trick, is to "decide who decides". Our previous process was vague about who makes the decision and the new template (and process) clarifies decision makers, for each decision.
Inversely, some decisions degenerate into endless discussions around trivial issues because too many stakeholders are consulted, a problem known as the Law of triviality, also known as the "Bike Shed syndrome".
The new process better identifies stakeholders:
- "informed" users (previously "affected users")
- "consulted" (previously undefined!)
- "decision maker" (instead of the vague "approval")
Picking those stakeholders is still tricky, but our definitions are more explicit and aligned to the classic RACI matrix (Responsible, Accountable, Consulted, Informed).
Communication guidelines
Finally, a crucial part of the process (ADR-102) is to decouple the act of making and recording decisions from communicating about the decision. Those are two radically different problems to solve. We have found that a single document can't serve both purposes.
Because ADRs can affect a wide range of things, we don't have a specific template for communications. We suggest the Five Ws method (Who? What? When? Where? Why?) and, again, to keep things simple.
How we got there
The ADR process is not something I invented. I first stumbled upon it in the Thunderbird Android project. Then, in parallel, I was in the process of reviewing the RFC process, following Jacob Kaplan-Moss's criticism of the RFC process. Essentially, he argues that:
- the RFC process "doesn't include any sort of decision-making framework"
- "RFC processes tend to lead to endless discussion"
- the process "rewards people who can write to exhaustion"
- "these processes are insensitive to expertise", "power dynamics and power structures"
And, indeed, I have been guilty of a lot of those issues. A verbose writer, I have written extremely long proposals that I suspect no one has ever fully read. Some proposals were adopted by exhaustion, or ignored because not looping in the right stakeholders.
Our discussion issue on the topic has more details on the issues I found with our RFC process. But to give credit to the old process, it did serve us well while it was there: it's better than nothing, and it allowed us to document a staggering number of changes and decisions (95 RFCs!) made over the course of 6 years of work.
What's next?
We're still experimenting with the communication around decisions, as this text might suggest. Because it's a separate step, we also have a tendency to forget or postpone it, like this post, which comes a couple of months late.
Previously, we'd just ship a copy of the RFC to everyone, which was easy and quick, but incomprehensible to most. Now we need to write a separate communication, which is more work but, hopefully, worth the as the result is more digestible.
We can't wait to hear what you think of the new process and how it works for you, here or in the discussion issue! We're particularly interested in people that are already using a similar process, or that will adopt one after reading this.
Note: this article was also published on the Tor Blog.
Monday, 16 February
23:28
Joe Marshall: binary-compose-left and binary-compose-right [Planet Lisp]
If you have a unary function F, you can compose it with function G, H = F ∘ G, which means H(x) = F(G(x)). Instead of running x through F directly, you run it through G first and then run the output of G through F.
If F is a binary function, then you either compose it with a unary function G on the left input: H = F ∘left G, which means H(x, y) = F(G(x), y) or you compose it with a unary function G on the right input: H = F ∘right G, which means H(x, y) = F(x, G(y)).
(binary-compose-left f g) = (λ (x y) (f (g x) y)) (binary-compose-right f g) = (λ (x y) (f x (g y)))
We could extend this to trinary functions and beyond, but it is less common to want to compose functions with more than two inputs.
binary-compose-right comes in handy when combined
with fold-left. This identity holds
(fold-left (binary-compose-right f g) acc lst) <=> (fold-left f acc (map g lst))
but the right-hand side is less efficient because it requires an extra pass through the list to map g over it before folding. The left-hand side is more efficient because it composes g with f on the fly as it folds, so it only requires one pass through the list.